What is Configuration Manager?
Article • 03/02/2023
The Microsoft Intune family of products is an integrated solution for managing all of
your devices. Microsoft brings together Configuration Manager and Intune, without a
complex migration, and with simplified licensing. Continue to leverage your existing
Configuration Manager investments, while taking advantage of the power of the
Microsoft cloud at your own pace.
The following Microsoft management solutions are all now part of the Microsoft Intune
brand:
Configuration Manager
Intune
Endpoint analytics
Autopilot
Introduction
Use Configuration Manager to help you with the following systems management
activities:
Increase IT productivity and efficiency by reducing manual tasks and letting you
focus on high-value projects.
Maximize hardware and software investments.
Empower user productivity by providing the right software at the right time.
Active Directory Domain Services and Azure Active Directory for security, service
location, configuration, and to discover the users and devices that you want to
manage.
Microsoft SQL Server as a distributed change management database—and
integrates with SQL Server Reporting Services (SSRS) to produce reports to
monitor and track management activities.
Site system roles that extend management functionality and use the web services
of Internet Information Services (IIS).
Delivery Optimization, Windows Low Extra Delay Background Transport (LEDBAT),
Background Intelligent Transfer Service (BITS), BranchCache, and other peer
caching technologies to help manage content on your networks and between
devices.
User interfaces
You can install the Configuration Manager console on additional computers, and restrict
access and limit what administrative users can see in the console by using Configuration
Manager role-based administration.
Software Center
Software Center is an application that's installed when you install the Configuration
Manager client on a Windows device. Users use Software Center to request and install
software that you deploy. Software Center lets users do the following actions:
Browse for and install applications, software updates, and new OS versions
View their software request history
View device compliance against your organization's policies
You can also show custom tabs in Software Center to meet additional business
requirements.
Next steps
Before you install Configuration Manager, familiarize yourself with the basic concepts
and terms:
If you're familiar with System Center 2012 Configuration Manager, see What's
changed from System Center 2012 Configuration Manager.
When you're familiar with the basic concepts, use this documentation library to help you
successfully deploy and use Configuration Manager. Start with the following articles:
Configuration Manager is part of the Microsoft Intune family of products. This article
provides answers to frequently asked questions.
The following Microsoft management solutions are all now part of the Microsoft Intune
brand:
Configuration Manager
Intune
Desktop Analytics
Autopilot
Most notably, the Start menu folder names changed for common components, such as
the Configuration Manager console and Software Center.
There are also some fundamental components that may never change. The main
Windows service on site servers is still SMS_Executive.
Next steps
Learn about the what's new in Configuration Manager incremental versions.
Find help for using Configuration Manager
Article • 02/22/2023
There are several resources that you can use to find help with Configuration Manager.
Whether you're just getting started or an experienced administrator, use the following
resources when you need assistance:
To get support for co-management, tenant attach, and analytics features, see How to
get support in Microsoft Intune admin center.
Product feedback
From the Configuration Manager console, you can share feedback directly to the
Microsoft product group. In the upper right corner of the console, select the smiley face
icon. There are three types of feedback:
Product documentation
To access the most current product documentation, start at the library index.
For tips on searching, providing feedback, and more information about using the
product documentation, see How to use the docs.
Microsoft support
Next steps
Product feedback
Accessibility features
From the Configuration Manager console, you can share feedback directly to the
Microsoft product group. In the upper right corner of the console, select the feedback
icon. There are three types of feedback:
Send a smile (ALT + SHIFT + 7): Send feedback on what you liked.
Send a frown (ALT + SHIFT + 8): Send feedback on what you didn't like, and how
Microsoft can improve it.
Send a suggestion (ALT + SHIFT + 9): Open the Configuration Manager product
feedback website to share your idea. For more information, see Send a suggestion.
Contact support (ALT + SHIFT + 0): Opens the Microsoft support for business portal.
When using the feedback wizard from the console, the following items are displayed
where needed:
This wizard is in the Configuration Manager console. Support Center has a similar
feedback experience.
1. Select Sign in and sign in with either your Azure AD user account or your Microsoft
account.
Selecting Continue without signing in will allow you to send feedback, but
we won't be able to contact you with questions or updates unless you
provide an e-mail address.
2. Once you're signed in, select Next then provide your feedback. If you need to use
a different account, you can select Sign out to start again.
Starting in Configuration Manager 2111, when you Report error to Microsoft, the error
information included with the feedback can't be altered or removed. Wizards and some
property pages also include a feedback icon, so you can quickly send feedback from
your current activity.
Starting in version 2107, error messages include a link to Report error to Microsoft. This
action opens the standard send a frown window to provide feedback. It automatically
includes details about the user interface and the error to better help Microsoft engineers
diagnose the error. Aside from making it easier to send a frown, it also includes the full
context of the error message when you share a screenshot.
Prerequisites
Update the Configuration Manager console to the latest version.
On the computer where you run the console, allow it to access the following internet
endpoints to send diagnostic data to Microsoft:
petrol.office.microsoft.com
ceuswatcab01.blob.core.windows.net
ceuswatcab02.blob.core.windows.net
eaus2watcab01.blob.core.windows.net
eaus2watcab02.blob.core.windows.net
weus2watcab01.blob.core.windows.net
weus2watcab02.blob.core.windows.net
umwatsonc.events.data.microsoft.com
*-umwatsonc.events.data.microsoft.com
Send a smile
To send feedback on something that you like about Configuration Manager:
Tell us what you liked: Enter a detailed description of why you're filing this
feedback.
You can contact me about this feedback: To allow Microsoft to contact you
about this feedback if necessary, select this option and specify a valid email
address.
3. Select Next to send the feedback. You may see a progress bar as it packages the
content to send.
4. When the progress is complete, select Details to see the transaction ID or any
errors that occurred.
Send a frown
Before you file a frown, prepare your information:
If you have multiple issues, send a separate report for each issue. Don't include
multiple issues in a single report.
Provide clear details on the issue. Share any research that you've gathered so far.
More detailed information is better to help Microsoft investigate and diagnose the
issue.
Do you need immediate assistance? If so, contact Microsoft support for urgent
issues. For more information, see Support options and community resources.
Is this feedback a suggestion to improve the product? If so, share a new idea
instead. For more information, see Send a suggestion.
Is the issue with the product documentation? You can file feedback directly on the
documentation. For more information, see Doc feedback.
To send feedback on something that you didn't like about the Configuration Manager
product:
Issue category: Select a category that's most appropriate for your issue.
You can contact me about this feedback: To allow Microsoft to contact you
about this feedback if necessary, select this option and specify a valid email
address.
Include additional files: Select Attach and add log files, which can help
Microsoft better understand the issue. To remove all attached files from your
feedback, select Clear all. To remove individual files, select the delete icon to
the right of the file name.
4. Select Next to send the feedback. You may see a progress bar as it packages the
content to send.
5. When the progress is complete, select Details to see the transaction ID or any
errors that occurred.
The Provide feedback wizard still packages your feedback and files.
The final summary page shows an error that it couldn't send the feedback.
Select the option to Save a copy of feedback and attachments. For more
information on how to send it to Microsoft, see Send feedback that you saved for
later submission.
If the Provide feedback wizard successfully submits your feedback, but fails to send the
attached files, use the same instructions for no internet connectivity.
Send a suggestion
When you Send a suggestion, it opens the Feedback for Configuration Manager site.
For more information, including the different status values, see How Microsoft uses
feedback.
Status messages
When you Send a smile or Send a frown, it creates a status message when you submit
the feedback. This message provides a record of:
You can use the built-in status message query, Feedback sent to Microsoft to easily
display these status messages. You can also display status messages in the Monitoring
workspace, under System Status in the Status Message Queries node. Start with the All
Status Messages query and select your time frame. When the messages load, select
Filter messages, and filter for message ID 53900 or 53901. If you create feedback that
you save for later submission, the site doesn't create a status message.
OS build information
Configuration Manager support ID, also known as the hierarchy ID
Language information
1. At the bottom of the Provide feedback window, select Save a copy of feedback
and attachments.
2. Save the .zip file. If the local machine doesn't have internet access, copy the file to
an internet-connected machine.
3. If needed, copy the UploadOfflineFeedback folder from the site server, located at
cd.latest\SMSSETUP\Tools\UploadOfflineFeedback\.
Note
For more information about the cd.latest folder, see the CD.Latest folder.
30 .
-s, --silent: Don't log any output to the command prompt. You can't combine
The UploadOfflineFeedback utility supports the use of a proxy server. You can specify
the following parameters:
asterisk (*), the tool prompts for the password. The password isn't displayed in the
prompt. This value is recommended. Including the password in plain text on the
command line is less secure.
-i, --SkipConnectionCheck: Skips the network connection check and just starts to
upload the feedback with the specified settings.
In the Provide feedback window from the console, it displays the feedback ID on
the final page. To copy it, select the copy icon next to the ID, or use the CTRL + C
key shortcut. This ID isn't stored on your computer, so make sure to copy it before
you close the window.
If you select Send a suggestion, you will be taken to the feedback portal. For
more information, see Send a suggestion.
3. Use the text box to explain what you liked or what you didn't like.
4. Choose if you would like to share your e-mail address and a screenshot.
When you send a frown, include the following additional information specific to
PowerShell:
The exact script or command syntax that you used so that Microsoft can try to
reproduce the issue.
The version and path of the ConfigurationManager module. For example, include
the output of the following commands:
PowerShell
If a cmdlet returns an error, use the following command to get exception details:
PowerShell
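The two PowerShell snippets above are not reproduced on this page. As an added example (not code from the Configuration Manager documentation), the following function gathers the same information a frown report asks for, the ConfigurationManager module version and path plus the details of the most recent cmdlet error, into a single object. The function name Get-CMFeedbackDiagnostics is an assumption made for this example; the cmdlets it calls (Get-Module, Select-Object, Format-List) and the $Error and $PSVersionTable automatic variables are standard PowerShell.

```powershell
# Added example, not code from the Configuration Manager documentation.
# Collects the ConfigurationManager module details and the most recent cmdlet error
# into one object that can be pasted into a "Send a frown" report.
function Get-CMFeedbackDiagnostics {
    [CmdletBinding()]
    param(
        # Error record to describe; defaults to the most recent error in this session.
        [System.Management.Automation.ErrorRecord]$ErrorRecord = $(if ($Error.Count -gt 0) { $Error[0] })
    )

    # Get-Module without -ListAvailable only reports modules already imported into
    # this session, so fall back to the installed copy when nothing is loaded.
    $loaded = Get-Module -Name ConfigurationManager
    $module = if ($loaded) { $loaded } else {
        Get-Module -Name ConfigurationManager -ListAvailable | Select-Object -First 1
    }

    $details = [ordered]@{
        PSVersion     = $PSVersionTable.PSVersion.ToString()
        OSVersion     = [System.Environment]::OSVersion.VersionString
        ModuleLoaded  = [bool]$loaded
        ModuleVersion = $(if ($module) { $module.Version.ToString() } else { 'not found' })
        ModulePath    = $(if ($module) { $module.Path } else { 'not found' })
    }

    if ($ErrorRecord) {
        # The exact command line that failed, so Microsoft can try to reproduce it.
        $details.FailedCommand = "$($ErrorRecord.InvocationInfo.Line)".Trim()
        $details.ErrorId       = $ErrorRecord.FullyQualifiedErrorId
        $details.ErrorMessage  = $ErrorRecord.Exception.Message
        $details.ScriptStack   = $ErrorRecord.ScriptStackTrace

        # Walk the InnerException chain: the outer message from a cmdlet is often
        # generic and the root cause is a level or two down.
        $chain = @()
        $ex = $ErrorRecord.Exception
        while ($ex) {
            $chain += '{0}: {1}' -f $ex.GetType().FullName, $ex.Message
            $ex = $ex.InnerException
        }
        $details.ExceptionChain = $chain -join "`n  -> "
    }

    [pscustomobject]$details
}

# Usage: run it right after the failing cmdlet, before another command replaces $Error[0].
# Get-CMFeedbackDiagnostics | Format-List *
```

The output can contain internal host names, file paths and the failed command line, so review it before attaching it to a feedback report.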
Next steps
How to use the docs
This article provides resources and tips for using the Microsoft Intune product family
documentation library. It applies to Configuration Manager, Microsoft Intune, Endpoint
analytics, and Autopilot, and covers the following areas:
How to search
Submitting doc bugs, enhancements, questions, and new ideas
How to get notified of changes
How to contribute to documentation on Microsoft Learn
Tip
Search
Use the following search tips to help you find the information that you need:
When using your preferred search engine to locate content, include a keyword
along with your search keywords. For example, ConfigMgr for Configuration
Manager and Intune for Intune.
Use search terms that match terminology in the user interface and online
documentation. Avoid unofficial terms or abbreviations that you might see in
community content. For example, search for:
"management point" rather than "MP"
"deployment type" rather than "DT"
"Intune management extension" rather than "IME"
To search within the current article, use your browser's Find feature. With most
modern web browsers, press Ctrl+F and then enter your search terms.
Search in the upper right corner. To search all articles, enter terms in this field.
Articles in this content library automatically include one of the following search
scopes: ConfigMgr, Intune, or Autopilot.
Filter by title above the left table of contents. To search the current table of
contents, enter terms in this field. This field only matches terms that appear in
the article titles for the current node. For example, Configuration Manager Core
Infrastructure (learn.microsoft.com/mem/configmgr/core) or Intune Apps
(https://learn.microsoft.com/mem/intune/apps/). The last item in the search
results gives you the option to search for the terms in the entire content library.
Having problems finding something? File feedback! When you file an issue about search
results, provide the search engine you're using, the keywords you tried, and the target
article. This feedback helps Microsoft optimize the content for better search.
3. Scroll to the bottom of the Services group and select Address bar and search.
Keyword: Specify a short term to use in the address bar to activate this search
engine. For example, memdocs.
url
https://learn.microsoft.com/search/index?search=%s&scope=ConfigMgr
Note
This example is specific to the ConfigMgr scope. You can remove the
scope variable to search all learn.microsoft.com or use a different
scope.
After you add this search engine, type your keyword in the browser address bar, press
Tab, then type your search terms, and press Enter. It will automatically search Microsoft
technical documentation for your specified terms using the defined scope.
About feedback
Select the Feedback link in the upper right of any article to go to the Feedback section
at the bottom. Feedback is integrated with GitHub Issues. For more information about
this integration with GitHub Issues, see the docs platform blog post.
To share feedback about the current article, select This page. A GitHub account is a
prerequisite for providing documentation feedback. Once you sign in, there's a one-time
authorization for the MicrosoftDocs organization. It then opens the GitHub new issue
form. Add a descriptive title and detailed feedback in the body, but don't modify the
document details section. Then select Submit new issue to file a new issue for the target
article in the MEMDocs GitHub repository.
To see whether there's already feedback for this article, select View all page feedback.
This action opens a GitHub issue query for this article. By default it displays both open
and closed issues. Review any existing feedback before you submit a new issue. If you
find a related issue, select the face icon to add a reaction, add a comment to the thread,
or Subscribe to receive notifications.
Types of feedback
Use GitHub Issues to submit the following types of feedback:
If you create an issue for something not related to an article, Microsoft will close the
issue and redirect you to a better feedback channel. For example:
Notifications
To receive notifications when content changes in the documentation library, use the
following steps:
1. Search for a single article by title, such as What's new in Microsoft Intune.
Tip
To refine the search to a single article, use the full title that displays in
the Microsoft technical documentation search results. You can also use a
string from the first paragraph, as shown in this example.
url
https://learn.microsoft.com/api/search/rss?search=%22What%27s+new+in+microsoft+intune%22%2B%22learn+what%27s+new%22&locale=en-us&facet=&%24filter=scopes%2Fany%28t%3A+t+eq+%27Intune%27%29
Note
The above RSS feed URL example includes the &locale=en-us variable.
The locale variable is required, but you can change it to another
supported locale. For example, &locale=ja-jp.
Note
Use other keywords or the Microsoft Learn search filters to further refine your
search query.
2. At the bottom of the list of results, select the RSS link.
3. Use this feed in an RSS application to receive notifications when there's a change
to any of the search results. Refer to the RSS application's documentation on how
to configure and tune it.
Tip
You can also Watch the MEMDocs repository on GitHub. This method can
generate many notifications. It also doesn't include changes from the private
repository that Microsoft uses.
Contribute
The Microsoft Intune product family documentation library, like most Microsoft
technical documentation, is open-sourced on GitHub. This library accepts and
encourages community contributions. For more information on how to get started, see
our contributor guide. The only prerequisite is to create a GitHub account.
4. In the Propose file change section, enter the public commit comment describing
what you changed. Then select Propose file change.
5. Scroll down and verify the changes you made. Select Create pull request to open
the form. Describe why you made this change. Select Create pull request.
The writing team receives your pull request, and assigns it to the appropriate writer. The
author reviews the text, and does a quick edit pass on it. They'll either approve and
merge the changes, or contact you for more information about the update.
What to contribute
If you want to contribute, but don't know where to start, see the following suggestions:
Review an article for accuracy. Then update the ms.date metadata using
mm/dd/yyyy format. This contribution helps keep the content fresh.
Note
Contribution tips
Follow these general guidelines when you contribute:
Don't surprise us with large pull requests. Instead, file an issue and start a
discussion. Then we can agree on a direction before you invest a large amount of
time.
Read the Microsoft style guide. Know the Top 10 tips for Microsoft style and voice.
Note
For more information on the accessibility changes made in .NET 4.7.1 and 4.7.2, see
What's new in accessibility in the .NET Framework.
Keyboard shortcuts
Console workspaces
To access a workspace, use the following keyboard shortcuts:
Ctrl + 3: Monitoring
Ctrl + 4: Administration
Keyboard shortcut: Purpose
Ctrl + T: Set the focus to the top node in the navigation pane. If the focus was already in that pane, the focus is set to the last node you visited.
Ctrl + I: Set the focus to the breadcrumb bar, below the ribbon.
CMPivot shortcuts
Most web browser keyboard shortcuts will work in CMPivot.
Ctrl + W Scroll up
Ctrl + + Zoom in
Use the following keyboard shortcuts to quickly move focus to different areas of the
window:
Alt + B Back
Alt + H Home
Alt + T Filter
Keyboard navigation through the main view and the ribbon is circular.
Keyboard navigation in the details pane is circular. To return to the previous object
or pane, use Ctrl + D, then Shift + TAB.
After refreshing a Workspace view, the focus is set to the main pane of that
workspace.
To access a workspace menu, select the Tab key until the Expand/Collapse icon is in
focus. Then, select the Down arrow key to access the workspace menu.
To access different areas in the workspace, use the Tab key and Shift+Tab keys. To
navigate within an area of the workspace, such as the ribbon, use the arrow keys.
To access the address bar when your focus is in the tree node, use Shift+Tab three
times.
On a wizard or property page, you can move between the boxes with keyboard
shortcuts. Select the Alt key plus the underlined character (Alt+_) to select a
specific box.
To navigate to the different nodes of a workspace, enter the first letter of the name
of a node. Each key press moves the cursor to the next node that begins with that
letter. When you're using a screen reader, the reader reads out the name of that
node.
Next steps
For more information on the fundamentals of navigating Configuration Manager user
interfaces, see the following articles:
Note
The information in this article might apply only to users who license Microsoft
products in the United States. If you obtained this product outside of the United
States, you can use the subsidiary information card that came with your software
package or visit the Microsoft Accessibility website for contact information for
Microsoft support services. You can contact your subsidiary to find out whether the
type of products and services that are described in this section are available in your
area. Information about accessibility is available in other languages, including
Japanese and French.
Software Center user guide
Article • 12/19/2022
This article describes the latest features of Software Center. If your organization is
using an older but still supported version of Software Center, not all features are
available. For more information, contact your IT admin.
Your IT admin may disable some aspects of Software Center. Your specific
experience may vary.
If multiple users are using a device at the same time, the user with the lowest
session ID will be the only one to see all available deployments in Software Center.
For example, multiple users on a remote desktop environment. Users with higher
session IDs may not see some of the deployments in Software Center. For example,
the users with higher session IDs may see deployed Applications, but not deployed
Packages or Task Sequences. Meanwhile the user with the lowest session ID will see
all deployed Applications, Packages, and Task Sequences. The Users tab of
Windows Task Manager shows all users and their session IDs.
Your IT admin may change the color of Software Center, and add your
organization's logo.
best match.
To navigate the Start menu, look under the Microsoft Endpoint Manager group for the
Software Center icon.
Note
The above Start menu path is for versions from November 2019 (version 1910) or
later. In earlier versions, the folder name is Microsoft System Center.
If you can't find Software Center in the Start menu, contact your IT administrator.
Applications
Select the Applications tab (1) to find and install applications that your IT admin deploys
to you or this computer.
All (2): Shows all available applications that you can install.
Required (3): Your IT admin enforces these applications. If you uninstall one of
these applications, Software Center reinstalls it.
Filters (4): Your IT admin may create categories of applications. If available, select
the drop-down list to filter the view to only those applications in a specific
category. Select All to show all applications.
Sort by (5): Rearrange the list of applications. By default this list sorts by Most
recent. Recently available applications display with a New banner that's visible for
seven days.
Search (6): Still can't find what you're looking for? Enter keywords in the Search
box to find it!
Switch the view (7): Select the icons to switch the view between list view and tile
view. By default the applications list shows as graphic tiles.
Multi-select mode: Install more than one application at a time. For more information, see Install multiple applications.
List view: This view displays the application icon, name, publisher, version, and status.
Tile view: Your IT admin can customize the icons. Below each tile displays the application name, publisher, and version.
Install an application
Select an application from the list to see more information about it. Select Install to
install it. If an app is already installed, you may have the option to Uninstall.
When you try to install it, you can enter a comment and then Request the app.
Software Center shows the request history, and you can cancel the request.
When an administrator approves your request, you can install the app. If you wait,
Software Center automatically installs the app during your non-business hours.
Install multiple applications
Install more than one application at a time instead of waiting for one to finish before
starting the next. The selected apps need to qualify:
2. Select two or more apps to install. Select the checkbox to the left of each app in
the list.
Share an application
To share a link to a specific app, after you select the app, select the Share icon in the
upper right corner:
Copy the string, and paste elsewhere, such as an email message. For example,
softwarecenter:SoftwareID=ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/Application_b9e438aa-f5b5-432c-9b4f-6ebeeb132a5a.
Anyone else in your organization with Software Center can use the link to open the same application.
Featured Apps
The Featured tab in Software Center displays featured apps. With this tab, an IT admin can
mark apps as "featured" and encourage end users to use these apps. Currently, this
feature is available only for "User Available" apps. Admins can also make the Featured
tab the default tab of Software Center from Client Settings.
Updates
Select the Updates tab (1) to view and install software updates that your IT admin
deploys to this computer.
Search (5): Still can't find what you're looking for? Enter keywords in the Search
box to find it!
To only install specific updates, select the icon to enter multi-select mode (7). Check
the updates to install, and then select Install Selected.
Operating Systems
Select the Operating Systems tab (1) to view and install versions of Windows that your
IT admin deploys to this computer.
All (2): Shows all Windows versions that you can install.
Sort by (4): Rearrange the list of updates. By default this list sorts by Application
name: A to Z.
Search (5): Still can't find what you're looking for? Enter keywords in the Search
box to find it!
Installation status
Select the Installation status tab to view the status of applications. You may see the
following states:
The status can be seen in the All and the Upcoming tab.
You can install before the maintenance window time by selecting the Install
Now button.
Device compliance
Select the Device compliance tab to view the compliance status of this computer.
Select Check compliance to evaluate this device's settings against the security policies
defined by your IT admin.
Options
Select the Options tab to view additional settings for this computer.
Work information
Indicate the hours that you typically work. Your IT admin may schedule software
installations outside your business hours. Allow at least four hours each day for system
maintenance tasks. Your IT admin can still install critical applications and software
updates during business hours.
Select the earliest and latest hours that you use this computer. By default these
values are from 5:00 AM through 10:00 PM.
Select the days of the week that you typically use this computer. By default
Software Center only selects the weekdays.
Specify whether you regularly use this computer to do your work. Your administrator
might automatically install applications or make additional applications available to
primary computers. If the computer you're using is a primary computer, select I
regularly use this computer to do my work.
Power management
Your IT admin may set power management policies. These policies help your
organization conserve electricity when this computer isn't in use.
To make this computer exempt from these policies, select Do not apply power settings
from my IT department to this computer. By default this setting is disabled and the
computer applies power settings.
Computer maintenance
Specify how Software Center applies changes to software before the deadline.
Note
These settings are designed to be managed by end users and do not impact
deployment deadlines.
When instructed by your IT admin, select Sync Policy. This computer checks with the
servers for anything new, such as applications, software updates, or operating systems.
Remote Control
Specify remote access and remote control settings for your computer.
Use remote access settings from your IT department: By default, your IT department
defines the settings to remotely assist you. The other settings in this section show the
state of the settings that your IT department defines. To change any settings, first
disable this option.
Show the following during remote control: These visual notifications are both
enabled by default to let you know that an administrator is remotely accessing the
device.
Status icon in the notification area
A session connection bar on the desktop
Play sound: This audible notification lets you know that an administrator is
remotely accessing the device.
When session begins and ends: This setting is the default option.
Repeatedly during session
Never
Custom tabs
Your IT admin can remove the default tabs or add additional tabs to Software Center.
Custom tabs are named by your admin, and they open a web site that the admin
specifies. For instance, you might have a tab called "Help Desk" that opens your IT
organization's help desk web site.
The simplest method to open the console on a Windows computer is to go to Start and
start typing Configuration Manager console . You may not need to type the entire string
for Windows to find the best match.
If you browse the Start menu, look for the Configuration Manager console icon in the
Microsoft Endpoint Manager group.
1. Select the arrow at the top of the ribbon, and choose Connect to a New Site.
2. Type in the FQDN of the site server. If you've previously connected to a site server,
select the server from the drop-down list.
3. Select Connect.
Tip
You can specify the minimum authentication level for administrators to access
Configuration Manager sites. This feature requires administrators to sign in to
Windows with the required level. For more information, see Plan for the SMS
Provider.
Navigation
Some areas of the console may not be visible depending on your assigned security role.
For more information about roles, see Fundamentals of role-based administration.
Workspaces
The Configuration Manager console has four workspaces:
Assets and Compliance
Software Library
Monitoring
Administration
Reorder workspace buttons by selecting the down arrow and choosing Navigation Pane
Options. Select an item to Move Up or Move Down. Select Reset to restore the default
button order.
Minimize a workspace button by selecting Show Fewer Buttons. The last workspace in
the list is minimized first. Select a minimized button and choose Show More Buttons to
restore the button to its original size.
Nodes
Workspaces are a collection of nodes. One example of a node is the Software Update
Groups node in the Software Library workspace.
Once you are in the node, you can select the arrow to minimize the navigation pane.
Use the navigation bar to move around the console when you minimize the navigation
pane.
In the console, nodes are sometimes organized into folders. When you select the folder,
it usually displays a navigation index or a dashboard.
Note
You can use PowerShell to manage console folders with the following cmdlets:
Get-CMFolder
New-CMFolder
Remove-CMFolder
Set-CMFolder
Ribbon
The ribbon is at the top of the Configuration Manager console. The ribbon can have
more than one tab and can be minimized using the arrow on the right. The buttons on
the ribbon change based on the node. Most of the buttons in the ribbon are also
available on context menus.
Details pane
You can get additional information about items by reviewing the details pane. The
details pane can have one or more tabs. The tabs vary depending on the node.
Columns
You can add, remove, reorder, and resize columns. These actions allow you to display
the data you prefer. Available columns vary depending on the node. To add or remove a
column from your view, right-click on an existing column heading and select an item.
Reorder columns by dragging the column heading where you would like it to be.
At the bottom of the column context menu, you can sort or group by a column.
Additionally, you can sort by a column by selecting its header.
You can clear your lock on any object in the Configuration Manager console. This action
only applies to your user account that has the lock, and on the same device from which
the site granted the lock. When you attempt to access a locked object, you can now
Discard Changes, and continue editing the object. These changes would be lost anyway
when the lock expired.
View recently connected consoles
You can view the most recent connections for the Configuration Manager console. The
view includes active connections and those connections that recently connected. You'll
always see your current console connection in the list and you only see connections
from the Configuration Manager console. You won't see PowerShell or other SDK-based
connections to the SMS Provider. The site removes instances from the list that are older
than 30 days.
Configure the administration service REST API. For more information, see What is
the administration service?.
User name
Machine name
Connected site code
Console version
Last connected time: When the user last opened the console
An open console in the foreground sends a heartbeat every 10 minutes,
which shows in the Last Console Heartbeat column.
Start Microsoft Teams Chat from Console
Connections
You can message other Configuration Manager administrators from the Console
Connections node using Microsoft Teams. When you choose to Start Microsoft Teams
Chat with an administrator, Microsoft Teams is launched and a chat is opened with the
user.
Prerequisites
For starting a chat with an administrator, the account you want to chat with needs
to have been discovered with Azure AD or AD User Discovery.
Microsoft Teams installed on the device from which you run the console.
Note
All prerequisites to view connected consoles
If the User Principal Name isn't found for the selected administrator, Start
Microsoft Teams Chat is grayed out.
An error message, including a download link, appears if Microsoft Teams isn't
installed on the device from which you run the console.
If Microsoft Teams is installed on the device from which you run the console,
it will open a chat with the user.
Known issues
The error message notifying you that Microsoft Teams isn't installed won't be displayed
if the following Registry key doesn't exist:
Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Starting in version 2203, the Configuration Manager console offers a dark theme. To use
the theme, select the arrow from the top left of the ribbon, then choose Switch console
theme. Select Switch console theme again to return to the light theme. As of version
2303, the main screen of the console and delete secondary site wizards adhere to the
dark theme.
Known issue
Console restart is required on doing the theme switch, as the node navigation
pane might not properly render when you move to a new workspace.
Currently, there are locations in the console that may not display the dark theme
correctly. We are continuously working to improve the dark theme.
For more information, see Get started with Configuration Manager cmdlets.
Command-line options
The Configuration Manager console has the following command-line options:
Option Description
/sms:ResetSettings: The console ignores user-persisted connection and view states. The window size isn't reset.
/server=[ServerName]: Connect to a CAS or Primary site server by specifying the fully qualified domain name (FQDN) or server name for that site.
Next steps
Console notifications
Console tips
Accessibility features
Task sequence editor
Configuration Manager console
notifications
Article • 10/04/2022
The Configuration Manager console notifies you for specific events that occur. You can
configure some of the event notifications for your Configuration Manager sites.
This notification is a bar at the top of the console window below the ribbon. It replaces
the previous experience when Configuration Manager updates are available. These in-
console notifications still display critical information, but don't interfere with your work
in the console. You can't dismiss critical notifications. The console displays all
notifications in a new notification area of the title bar.
Some notifications have a related action. For example, if the console version doesn't
match the site version, select Install the new console version. This action launches the
console installer.
The following notifications are most applicable to the technical preview branch:
Most console notifications are per session. The console evaluates queries when a user
launches it. To see changes in the notifications, restart the console. If a user dismisses a
non-critical notification, it notifies again when the console restarts if it's still applicable.
Right-click or select ... on the notification to take one of the following actions:
To help you manage security risk in your environment, you'll be notified in-console
about devices with operating systems that are past the end of support date and that are
no longer eligible to receive security updates.
Environments with the following operating systems installed on client devices receive a
notification:
Windows 7, Windows Server 2008 (non-Azure), and Windows Server 2008 R2 (non-
Azure) without ESU.
Selecting More info takes you to the Management insights Security group to
review the Update clients running Windows 7 and Windows Server 2008 rule.
You can also view the Product Lifecycle Dashboard to see information about which
operating systems are out of support. This information (such as the support lifecycle for
Windows 10 versions) is provided for your convenience and only for use internally within
your company. You should not solely rely on this information to confirm update
compliance. Be sure to verify the accuracy of the information provided to you.
Important
When you use an imported Azure AD app, you aren't notified of an upcoming
expiration date from console notifications.
1. In the Administration workspace, expand Site Configuration, then select the Sites
node.
2. Select the site you want to configure for non-critical notifications.
3. In the ribbon, select Properties.
4. On the Alerts tab, select the option to Enable console notifications for non-
critical site health changes.
If you enable this setting, all console users see critical, warning, and
information notifications. This setting is enabled by default.
If you disable this setting, console users only see critical notifications.
Note
For push notifications from Microsoft to show in the console, the service
connection point needs access to configmgrbits.azureedge.net. It also needs
access to this endpoint for updates and servicing, so you may have already
allowed it.
3. In the Alerts tab, enable the notifications by selecting Receive messages from
Microsoft. You can deselect any of the following notifications if you prefer not to
receive them:
Prevent/fix: Known issues affecting your organization that may require you to
take action.
Plan for change: Changes to Configuration Manager that may require you to
take action.
Stay informed: Informs you of new or updated features that are available.
Users are notified when console extensions are approved for installation. These
notifications occur for users in the following scenarios:
1. In the upper-right corner of the console, select the bell icon to display
Configuration Manager console notifications.
2. The notification will say New custom console extensions are available.
3. Select the link Install custom console extensions to launch the install.
4. When the install completes, select Close to restart the console and enable the new
extension.
Note
When you upgrade to Configuration Manager 2107, you will be prompted to install
the WebView2 console extension again. For more information about the WebView2
installation, see the WebView2 installation section in the Community hub article.
Log files
For more information and troubleshooting assistance, see the SmsAdminUI.log file on
the console computer. By default, this log file is at the following path: C:\Program Files
(x86)\Microsoft Endpoint Manager\AdminConsole\AdminUILog\SmsAdminUI.log .
Next steps
Use the console
Console tips
Accessibility features
Manage Configuration Manager console
extensions
Article • 10/04/2022
Starting in Configuration Manager 2103, the Console extensions node allows you to
start managing the approval and installation of console extensions used in your
environment. Having extensions in the console doesn't make them immediately
available. From a high level, the steps are:
After you approve an extension, when you open the console, you'll see a console
notification. From the notification, you can start the extension installer, or use the Install
option from the Console extensions node. After the installer completes, the console
restarts automatically, and you can use the extension.
The old style of console extensions will start being phased out in favor of the new style
since they're more secure and centrally managed. The new style of console extensions
has the following benefits:
Important
If this setting is used, your old style extensions that aren't approved through
the Console Extensions node will no longer be able to be used. The setting,
Only allow console extensions that are approved for the hierarchy, is
enabled by default if you installed from the 2103 baseline image. The setting
remains disabled by default, if you upgraded from a version prior to 2103. If
the setting was enabled in error, disabling the setting allows the old style
extensions to be used again.
Prerequisites
The Configuration Manager console needs to be able to connect to the administration
service and the administration service needs to be functional.
The Console Extensions node is located under Administration > Overview > Updates
and Servicing. Actions for console extensions are grouped in the ribbon and the right-
click menu. Console extensions downloaded from Community hub will be shown here.
Approve Installation: Approves the console extension for installation across all
sites. An extension must be approved before notifications are enabled.
Revoke Approval:
Revokes the ability to install the extension from the Console Extensions node.
Notifies then uninstalls existing instances of the extension across the hierarchy
at the next launch of a locally installed console.
Allows for reapproval of the extension at a later date.
Enable Notifications: Upon next launch of the console, notifies users within the
security scope that the extension can be installed.
Disable Notifications: Disables the console notification messages for the
extension. Users within the security scope can still install approved extensions from
the Console Extensions node.
Require Extension (added in 2111): Automatically installs the extension for users
within the security scope on the next launch before connecting to the site. The
user launching the console needs local administrator privileges for the extension
installation.
Make Optional (added in 2111): Removes the requirement for an extension.
Console users can still install the extension locally from the Console Extensions
node.
Delete:
Revokes the ability to install the extension from the Console Extensions node.
Notifies then uninstalls existing instances of the extension across the hierarchy
at the next launch of a locally installed console.
Removes the extension from the Console Extensions node so it can't be
reapproved later.
Classify group:
Set Security Scopes: Set the security scopes to secure the object and limit access.
Install: Installs the selected extension for the current local console
Uninstall: Uninstalls the selected extension from the current local console
Note
Warning
If this setting is enabled, your old style extensions that aren't approved through the
Console Extensions node will no longer be able to be used. The setting, Only allow
console extensions that are approved for the hierarchy, is enabled by default if
you installed from the 2103 baseline image. The setting remains disabled by
default, if you upgraded from a version prior to 2103. If the setting was enabled in
error, disabling the setting allows the old style extensions to be used again.
2. Approve the extension by selecting Approve Installation from the ribbon or right-
click menu.
If the extension isn't approved, you won't be able to install it or enable in-
console notifications for it.
If you restart your console at this point, a notification about the available
extension won't occur since you haven't enabled the option yet.
Starting in Configuration Manager version 2107, you can choose to allow unsigned
hierarchy approved console extensions. It's a best practice to always use signed
extensions to minimize security risks and to confirm the authenticity of a console
extension. However, in some cases you may need to allow unsigned console extensions
due to an unsigned internally developed extension, or for testing your own custom
extension in a lab. To allow import and install of unsigned hierarchy approved console
extensions, you'll enable a hierarchy setting.
Note
Currently, when an unsigned extension isn't enabled for user notification, in the
Console Extensions node, the Required column remains blank instead of
populating a value of No.
Starting in Configuration Manager version 2111, you can require a console extension to
be installed before it connects to the site. After you require an extension, it
automatically installs for the local console the next time an admin launches it. To require
the installation of a console extension:
4. The next time the console is launched by a user within the extension's security
scope, installation starts automatically.
The user launching the console needs local administrator privileges for the
extension installation.
1. In the upper-right corner of the console, select the bell icon to display
Configuration Manager console notifications.
2. The notification will say New custom console extensions are available.
3. Select the link Install custom console extensions to launch the install.
4. When the install completes, select Close to restart the console and enable the new
extension.
Note
When you upgrade to Configuration Manager 2107, you will be prompted to install
the WebView2 console extension again. For more information about the WebView2
installation, see the WebView2 installation section in the Community hub article.
Required or optional
Approve or disapprove
Enable or disable
Tombstone or untombstone
For example, the description of status message ID 54201 is User "%1" made console
extension with ID "%2" and version "%3" required.
Next steps
Console extensions from Community hub
Import console extensions
Configuration Manager console notifications
Console tips
Import Configuration Manager console
extensions
Article • 10/04/2022
Starting in Configuration Manager 2103, you can import console extensions to be used
in your environment. These extensions show up under the Console extensions node.
Importing and just having extensions in the console doesn't make them immediately
available. An administrator still has to approve the extension for the site and enable
notifications. Then console users can install the extension to their local console. For
more information about managing and installing console extensions, see Manage
Configuration Manager console extensions.
Based on the version of Configuration Manager you're running, different import options
are available. Initially, only signed extensions could be imported through the
administration service. Support for importing unsigned extensions was added later. Then
a wizard that could import both signed and unsigned extensions for you without having
to run a script was introduced in version 2111.
Import a signed console extension with a script (version 2103 and later)
Import an unsigned console extension with a script (version 2107 and later)
Use the Import Console Extension wizard (version 2111 and later)
Starting in Configuration Manager version 2107, you can choose to allow unsigned
hierarchy approved console extensions. It's a best practice to always use signed
extensions to minimize security risks and to confirm the authenticity of a console
extension. However, in some cases you may need to allow unsigned console extensions
due to an unsigned internally developed extension, or for testing your own custom
extension in a lab. To allow import and install of unsigned hierarchy approved console
extensions, you'll enable a hierarchy setting.
Note
Currently, when an unsigned extension isn't enabled for user notification, in the
Console Extensions node, the Required column remains blank instead of
populating a value of No.
When you have an extension packaged in a signed .cab file, you can import it into
Configuration Manager. You'll do this by posting it through the administration service
using a PowerShell script. Once the extension is inserted into the site, you can approve
and install it locally from the Console Extensions node. To import, run the following
PowerShell script after editing $adminServiceProvider and $cabFilePath:
PowerShell
# Site server that hosts the SMS Provider and the administration service
$adminServiceProvider = "SMSProviderServer.contoso.com"
$cabFilePath = "C:\Testing\MyExtension.cab"
$adminServiceURL = "https://$adminServiceProvider/AdminService/v1/ConsoleExtensionMetadata/AdminService.UploadExtension"
# File name sent in the request body, taken from the path above
$cabFileName = (Get-Item -Path $cabFilePath).Name
# Read the signed .cab and base64-encode it for the JSON payload
$Bytes = [System.IO.File]::ReadAllBytes($cabFilePath)
$base64Content = [Convert]::ToBase64String($Bytes)
$Headers = @{
    "Content-Type" = "Application/json"
}
$Body = @{
    CabFile = @{
        FileName = $cabFileName
        FileContent = $base64Content
    }
} | ConvertTo-Json
# POST the extension to the administration service with the current Windows credentials
Invoke-RestMethod -Method 'Post' -Uri $adminServiceURL -Body $Body -Headers $Headers -UseDefaultCredentials
When you have the .cab file for an extension, you can test it in a Configuration
Manager lab environment. You'll do this by posting it through the administration
service. Once the extension is inserted into the site, you can approve it and install it
locally from the Console Extensions node. To import, run the following PowerShell script
after editing $adminServiceProvider and $cabFilePath:
PowerShell
# Site server that hosts the SMS Provider and the administration service
$adminServiceProvider = "SMSProviderServer.contoso.com"
$cabFilePath = "C:\Testing\MyExtension.cab"
$adminServiceURL = "https://$adminServiceProvider/AdminService/v1/ConsoleExtensionMetadata/AdminService.UploadExtension"
# File name sent in the request body, taken from the path above
$cabFileName = (Get-Item -Path $cabFilePath).Name
# Read the (unsigned) .cab and base64-encode it for the JSON payload
$Bytes = [System.IO.File]::ReadAllBytes($cabFilePath)
$base64Content = [Convert]::ToBase64String($Bytes)
$Headers = @{
    "Content-Type" = "Application/json"
}
$Body = @{
    CabFile = @{
        FileName = $cabFileName
        FileContent = $base64Content
        # Required for an unsigned extension; the hierarchy setting that allows unsigned extensions must also be enabled
        AllowUnsigned = $true
    }
} | ConvertTo-Json
# POST the extension to the administration service with the current Windows credentials
Invoke-RestMethod -Method 'Post' -Uri $adminServiceURL -Body $Body -Headers $Headers -UseDefaultCredentials
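The two upload scripts above differ only in the AllowUnsigned property. The following added example (not from the Configuration Manager documentation) wraps both in one function that checks the Authenticode signature of the .cab locally before posting it, and only sends AllowUnsigned when the caller explicitly opts in. The function name and its parameters are assumptions for this example; the administration service URL and the request body shape are the ones shown in the scripts above.

```powershell
# Added example: signature-checked wrapper around the UploadExtension call.
# Import-CMConsoleExtensionCab is a hypothetical name chosen for this example.
function Import-CMConsoleExtensionCab {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $AdminServiceProvider,   # FQDN of the SMS Provider server
        [Parameter(Mandatory)] [string] $CabFilePath,            # path to the extension .cab
        [switch] $AllowUnsigned                                  # opt in for lab testing only
    )

    $cab = Get-Item -Path $CabFilePath -ErrorAction Stop
    if ($cab.Extension -ne '.cab') {
        throw "Expected a .cab file, got '$($cab.Name)'."
    }

    # Verify the Authenticode signature before the file ever reaches the site.
    # Anything other than 'Valid' (NotSigned, NotTrusted, HashMismatch, ...) is
    # rejected unless -AllowUnsigned was given, mirroring the hierarchy setting.
    $sig = Get-AuthenticodeSignature -FilePath $cab.FullName
    if ($sig.Status -eq 'Valid') {
        Write-Verbose ("'{0}' is signed by {1}" -f $cab.Name, $sig.SignerCertificate.Subject)
    }
    elseif (-not $AllowUnsigned) {
        throw "Signature status for '$($cab.Name)' is '$($sig.Status)'; refusing to import. " +
              "Use -AllowUnsigned only for your own extension in a lab."
    }
    else {
        Write-Warning "Importing '$($cab.Name)' with signature status '$($sig.Status)' because -AllowUnsigned was specified."
    }

    $uri = "https://$AdminServiceProvider/AdminService/v1/ConsoleExtensionMetadata/AdminService.UploadExtension"
    $base64 = [Convert]::ToBase64String([System.IO.File]::ReadAllBytes($cab.FullName))

    $cabFile = @{
        FileName    = $cab.Name
        FileContent = $base64
    }
    # Only add AllowUnsigned when asked, so a signed import sends the same body
    # as the signed-extension script.
    if ($AllowUnsigned) { $cabFile.AllowUnsigned = $true }

    $body = @{ CabFile = $cabFile } | ConvertTo-Json -Depth 3

    # -WhatIf shows the target URI and file without posting anything.
    if ($PSCmdlet.ShouldProcess($cab.Name, "Upload to $uri")) {
        Invoke-RestMethod -Method Post -Uri $uri -Body $body `
            -Headers @{ 'Content-Type' = 'Application/json' } -UseDefaultCredentials
    }
}

# Usage (server and path are placeholders, as in the scripts above):
# Import-CMConsoleExtensionCab -AdminServiceProvider 'SMSProviderServer.contoso.com' `
#     -CabFilePath 'C:\Testing\MyExtension.cab' -Verbose
```

Run it with -WhatIf first to confirm the signature check passes for a signed .cab and fails for an unsigned one without -AllowUnsigned.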
Import console extensions wizard
(Applies to Configuration Manager version 2111 or later)
Starting in version 2111, you can use the Import Console Extension wizard to import
console extensions that are managed for the hierarchy. You no longer need to use a
PowerShell script to import a signed or unsigned console extension. To import a console
extension using the wizard:
1. From the Administration workspace, expand Updates and Servicing, then select
the Console Extensions node.
2. Select Import Console Extension from either the ribbon or the right-click menu.
3. When the wizard launches, select Browse and navigate to the extension's cab file.
4. If needed, select the option for Allow extension to be unsigned.
5. Select Next to review the import summary, then complete the wizard to import the
extension.
Note
2. Approve the extension by selecting Approve Installation from the ribbon or right-
click menu.
If the extension isn't approved, you won't be able to install it or enable in-
console notifications for it.
If you restart your console at this point, a notification about the available
extension won't occur since you haven't enabled the option yet.
3. Install the extension on the local console by choosing Install.
4. Once the extension is installed, verify it displays and you can use it from the local
console.
Next steps
Manage console extensions
Console extensions from Community hub
Develop custom console extensions
Configuration Manager console changes
and tips
Article • 10/04/2022
Use the information below to find out about changes to the Configuration Manager
console and tips for using the console:
General tips
The following improvements were made to the console and user experience:
When using the search bar, the Path criteria is added whenever subfolders are
included in the search. The Path criteria is informational and can't be edited.
The following improvements were made to the console and user experience:
When using temporary device nodes, device actions like Run Scripts are now
available to make the experience in the console consistent.
Additional Management Insights rules now have click-through actions
Copy/paste is available for more objects from details panes.
Added the Name property in the details pane for configuration items,
configuration item related policies, and applications.
Software update search results and the search criteria are now cached when you
navigate to another node. When you navigate back to the All Software Updates
node, your search criteria and results are preserved from your last query. Closing
the console will clear the cached query.
Added a search filter to the Products and Classifications tabs in the Software
Update Point Component Properties.
You can now exclude subcontainers when doing Active Directory System
Discovery and Active Directory User Discovery in untrusted domains.
Added a Cloud Sync column to collections to indicate if the collection is
synchronizing with Azure Active Directory.
Added the Collection ID to the collection summary details tab
Increased the size of the Membership Rules pane in the Properties page for
collections.
Added a View Script option for Run PowerShell Script steps when using the View
action for a task sequence.
The console now offers a dark theme. For more information, see How to use the
console.
Export to CSV
(Introduced in version 2111)
Starting in Configuration Manager 2111, you can export the contents of a grid view in
the console along with the column headers to a comma-separated values (CSV) file that
can be used to import to Excel or other applications. While you could previously cut and
paste from a grid view, exporting to CSV makes extracting a large number of rows faster
and easier. You can export either all or selected items from the following nodes:
Device Collections
User Collections
Devices
Users
To export the information, select Export to CSV file from either the ribbon or the right-
click menu. Choose Export selected items to only export items you've already selected,
or you can choose to Export all items.
Enhanced code editor
(Introduced in version 2107)
Starting in Configuration Manager 2107, you can edit scripts in an enhanced editor. The
new editor supports syntax highlighting, code folding, word wrap, line numbers, and
find and replace. The new editor is available in the console wherever scripts and queries
can be viewed or edited. The enhanced editor improves the syntax highlighting and
code folding that was first introduced in version 2010.
Open the new code editor to view or edit scripts and queries from the following
locations:
Configuration item
Scripts
SQL and WQL queries
Detection methods
Application detection scripts
Query statement properties
Create script wizard
Script properties
Orchestration group
pre-installation scripts
post-installation scripts
Task sequence
PowerShell scripts
Query WMI option
To assist you when creating scripts and queries in the Configuration Manager console,
you'll now see syntax highlighting and code folding, where available.
Various areas in the Configuration Manager console now use the fixed-width font
Consolas. This font provides consistent spacing and makes it easier to read. You'll see
the Consolas font in the following places:
Application scripts
Configuration item scripts
WMI-based collection membership queries
CMPivot queries
Scripts
Run PowerShell Script
Run Command Line
You now have an easier way to view status messages for the following objects:
Devices
Users
Content
Deployments
Monitoring workspace
Phased deployments (select Show Deployments from the Phased
Deployments node)
Deployments tab in the details pane for:
Packages
Task sequences
Select one of these objects in the Configuration Manager console, and then select Show
Status Messages from the ribbon. Set the viewing period, and then the status message
viewer opens. The viewer filters the results to the object you selected.
The default search will now include all subfolders. That is, when you navigate to any
node in the console, by default, search results will include items from that node as
well as from all subfolders.
If you want to search only the current node, select the Current Node button in the
ribbon. The search results will then include items from the current node only.
If you want to search all subfolders, select the All Subfolders button in the ribbon.
The search results will then include items from the current node as well as from all
subfolders.
You can use the All Subfolders search option from the Driver Packages and
Queries nodes. Starting in version 2002, also use this option from the
Configuration Items and Configuration Baselines nodes.
When a search returns more than 1,000 results, select the OK button on the notice
bar to view more results.
Tip
The default limit on search results is 1,000. You can change this default value.
In the Configuration Manager console, go to the Search tab of the ribbon. In
the Options group, select Search Settings. Change the Search Results value.
A larger number of search results might take longer to display.
By default, the upper maximum limit is 100,000. To change this limit, set the
DWORD value QueryResultCountMaximum in the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\ConfigMgr10\AdminUI
You can set security scopes on folders. If you have access to an object in the folder but
don't have access to the folder, you'll be unable to see the object. Similarly, if you have
access to a folder but not an object within it, you won't see that object. Right-click a
folder, choose Set Security Scopes, then choose the security scopes you want to apply.
Number Errors
Number In Progress
Number Other
Number Success
Number Unknown
Configuration Manager returned a large number of results. You can narrow your
results by using search. Or, click here to view a maximum of 100000 results.
There's now additional blank space in between this warning and the search field. This
move helps to prevent inadvertently selecting the warning to display more results.
Send feedback
Submit product feedback from the console.
Send a suggestion: Takes you to the product feedback site to share your idea
There's a new built-in device collection for Co-management Eligible Devices. The Co-
management Eligible Devices collection uses incremental updates and a daily full
update to keep the collection up to date.
Collections tab
(Introduced in version 2111)
When you show the members of a device collection, and select a device in the list,
switch to the Collections tab in the details pane. This new view shows the list of
collections of which the selected device is a member. It makes it easier for you to see
this information.
Navigate to collection
(Introduced in version 2107)
You can now navigate to a collection from the Collections tab in the Devices node.
Select View Collection from either the ribbon or the right-click menu in the tab.
Added maintenance window column
(Introduced in version 2107)
A Maintenance window column was added to the Collections tab in the Devices node.
If a collection deletion fails due to scope assignment, the assigned users are displayed.
Copy discovery data from devices and users in the console. Copy the details to the
clipboard, or export them all to a file. These actions make it easier for you to quickly get
this data from the console. For example, copy the MAC address of a device before you
reimage it.
1. In the Configuration Manager console, go to the Assets and Compliance
workspace. Open the properties for a user or device.
2. On the General tab, in the Discovery data list, select one or more properties.
Copy value: Copies just the value. You can also use the keyboard shortcut Ctrl
+ C.
Copy property and value: Copies both the property name and the
corresponding value. You can also use the keyboard shortcut Ctrl + Shift + C.
Select all: Selects all properties and values. You can also use the keyboard
shortcut Ctrl + A.
Save results as: Saves all properties and values to a comma-separated values
(CSV) file that you specify.
There are various ways to display a list of devices under the Devices node in the Assets
and Compliance workspace.
In the Assets and Compliance workspace, select the Device Collections node.
Select a device collection, and choose the action to Show members. This action
opens a subnode of the Devices node with a device list for that collection.
When you select the collection subnode, you can now start CMPivot from the
Collection group of the ribbon.
In the Assets and Compliance workspace, go to the Devices node, and select a device.
In the details pane, switch to the new Collections tab. This tab lists the collections that
include this device.
Note
This tab currently isn't available from a devices subnode under the Device
Collections node. For example, when you select the option to Show Members on a
collection.
This tab may not populate as expected for some users. To see the complete list of
collections a device belongs to, you must have the Full Administrator security role.
This is a known issue.
In both the Devices and Device Collections nodes, you can now add a new column for
SMBIOS GUID. This value is the same as the BIOS GUID property of the System
Resource class. It's a unique identifier for the device hardware.
Primary user(s)
Note
Viewing the currently logged on user requires user discovery and user device
affinity.
For more information on how to show a non-default column, see How to use the admin
console.
Name
Primary user(s)
Currently logged on user
Last logon user name
This behavior significantly improves the time it takes to search by name, especially in a
large environment. Custom searches by specific criteria are unaffected by this change.
You can organize software update groups and packages by using folders. This change
allows for better categorization and management of software updates. For more
information, see Deploy software updates.
You can use the All Subfolders search option for the following nodes:
You can right-click and notify devices to run a software updates evaluation cycle from
the software update deployment status. You can target a single device under the Asset
Details pane or select a group of devices based on their deployment status.
1. In the Configuration Manager console, navigate to Monitoring > Overview >
Deployments.
2. Select the software update group or software update for which you want to
monitor the deployment status.
3. On the Home tab, in the Deployment group, select View Status.
4. Right-click on either a specific deployment status for the devices, or on a single
device under Asset Details pane.
5. Select Evaluate Software Update Deployments to send a notification to the
selected devices to run an evaluation cycle for software update deployments.
When you import an object in the Configuration Manager console, it now imports to the
current folder. Previously, Configuration Manager always put imported objects in the
root node. This new behavior applies to applications, packages, driver packages, and
task sequences.
When you view the list of task sequences in the Configuration Manager console, add the
Size (KB) column. Use this column to identify large task sequences that can cause
problems. For more information, see Reduce the size of task sequence policy.
In the Software Library workspace, expand Operating Systems, and select the Task
Sequences node. Edit a task sequence, and select or add the Install Package step. If a
package has more than one program, the drop-down list now sorts the programs
alphabetically.
3. Look at the Summary tab and find the pie chart under Statistics.
4. Select the View Required hyperlink next to the pie chart to drill down into the
device list.
5. This action takes you to a temporary node under Devices where you can see the
devices requiring the update. You can also take actions for the node such as
creating a new collection from the list.
Note
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365
Apps for enterprise. For more information, see Name change for Office 365
ProPlus. You may still see references to the old name in the Configuration Manager
console and supporting documentation while the console is being updated.
This action is also available from the right-click context menu on the
deployment in this view.
Monitoring workspace
When viewing a collection, you could previously see the amount of time the site took to
evaluate the collection membership. This data is now also available in the Monitoring
workspace. When you select a collection in either subnode of the Collection Evaluation
node, the details pane displays this collection evaluation time data.
In the Monitoring workspace, select Client Operations. The operation to Switch to next
Software Update Point is now properly named.
In the Monitoring workspace, select the Script Status node. It now lists the Collection
Name and the ID.
Deployment Status
Administration workspace
Shortcuts to status messages were added to the Administrative Users node and the
Accounts node. Select an account, then select Show Status Messages.
Next steps
Use the console
Console notifications
Accessibility features
Fundamentals of Configuration Manager
Article • 10/04/2022
If you're new to Configuration Manager current branch, start with the fundamentals.
Before you run setup to install your first site, learn about the basic concepts of
Configuration Manager. If you're already familiar with System Center 2012 Configuration
Manager, then start with What's changed from System Center 2012 Configuration
Manager.
See the following articles to learn about fundamental concepts for Configuration
Manager:
Fundamentals of security
Hierarchies of sites
When you install Configuration Manager for the first time, the first Configuration
Manager site that you install determines the scope of your hierarchy. The first
Configuration Manager site is the foundation from which you will manage devices and
users in your enterprise. This first site must be either a central administration site or a
stand-alone primary site.
A stand-alone primary site is suitable for smaller deployments, and can be used to
manage devices without having to install additional sites. Although a stand-alone
primary site can limit the size of your deployment, it does support a scenario to expand
your hierarchy at a later time by installing a new central administration site. With this
site expansion scenario, your stand-alone primary site becomes a child-primary site, and
you can then install additional child-primary sites below your new central administration
site. You can then expand your initial deployment for future growth of your enterprise.
Tip
A stand-alone primary site and a child-primary site are really the same type of site:
a primary site. The difference in name is based on the hierarchy relationship that is
created when you also use a central administration site. This hierarchy relationship
can also limit the installation of certain site system roles that extend Configuration
Manager functionality. This limitation of roles occurs because certain site system
roles can only be installed on the top-tier site of the hierarchy, a central
administration site, or a stand-alone primary site.
After you install your first site, you can install additional sites. If your first site was a
central administration site, then you can install one or more child-primary sites. After
you install a primary site (stand-alone, or child-primary), you can then install one or
more secondary sites.
A secondary site can only be installed as a child site below a primary site. This site type
extends the reach of a primary site to manage devices in locations that have a slow
network connection to the primary site. Even though a secondary site extends the
primary site, the primary site manages all of the clients. The secondary site provides
support for devices in the remote location. It provides support by compressing and then
managing the transfer of information across your network that you send (deploy) to
clients, and that clients send back to the site.
The site server role is assigned to the computer where you install the site.
The site database server role is assigned to the SQL Server that hosts the site
database.
Other site system roles are optional, and are only used when you want to use the
functionality that is active in a site system role. Any computer that hosts a site system
role is referred to as a site system server.
For a smaller deployment of Configuration Manager, you might initially run all of your
site system roles directly on the site server computer. Then, as your managed
environment and needs grow, you can install additional site system servers to host
additional site system roles to improve the site's efficiency in providing services to more
devices.
For information about the different site system roles, see Site system roles in Plan for
site system servers and site system roles for Configuration Manager.
Extending the Active Directory schema is done only one time for each forest, and can be
done before or after you install Configuration Manager. When you extend the schema,
you must create a new Active Directory container named System Management in each
domain. The container contains a Configuration Manager site that will publish data for
clients to find. For more information, see Prepare Active Directory for site publishing.
Publishing site data improves the security of your Configuration Manager hierarchy and
reduces administrative overhead, but is not required for basic Configuration Manager
functionality.
About upgrade, update, and install for site and hierarchy infrastructure
Article • 10/04/2022
When managing Configuration Manager sites and hierarchy infrastructure, the terms
upgrade, update, and install are used to describe three separate concepts.
Upgrade
Upgrade, or in-place upgrade, is used when converting your Configuration Manager 2012
site or hierarchy to one that runs Configuration Manager current branch.
Update
Update is used for installing in-console updates for Configuration Manager, and for
out-of-band updates, which are updates that can't be delivered from within the
Configuration Manager console. In-console updates can modify the version of your
Current Branch site (or Technical Preview site) so that it runs a higher version. For
example, if your site runs version 1806, you can install an update for version 1810.
Updates can also install fixes for a known issue, without modifying the site version.
Typically, updates add security fixes, quality improvements, and new features to your
existing deployment. If you use the Technical Preview branch, an update can install a
newer version of the Technical Preview.
You choose when to install the in-console update, starting at the top-tier site of
your hierarchy.
You can install any update that is available from within the console. For example, if
your site runs version 1802 and both 1806 and 1810 are offered, you should
consider installing version 1810 because each version includes the features that
were first made available in previously released versions.
After a new update completes installation at your top-tier site, child primary sites
automatically start the process to update. However, you can set Service Windows
to control the timing of updates.
Secondary sites do not automatically install updates. Instead, you manually start
the update from within the Configuration Manager console.
For more, see Updates for Configuration Manager, and Technical Preview for
Configuration Manager.
Install
Install is used when creating a new Configuration Manager hierarchy from scratch, or
adding additional sites to an existing hierarchy.
When you install a new primary site or central administration site, the location of
setup.exe and its related source files that you use depends on your installation scenario.
Clients are devices like workstations, laptops, servers, and mobile devices where
you install the Configuration Manager client software. Some management
functions, like hardware inventory, require this client software.
Managed devices can include clients, but typically it's a mobile device where the
Configuration Manager client software isn't installed. On this kind of device, you
manage by using the built-in on-premises mobile device management in
Configuration Manager.
You can also group and identify devices based on the user, not just the client type.
After discovering the devices that are supported to run the Configuration Manager
client software, you can use one of several methods to install the software. After the
software is installed and the client is assigned to a primary site, you can begin to
manage the device. Common installation methods include:
Group policy
Manual installation on a computer
After the client is installed, you can simplify the tasks of managing devices by using
collections. Collections are groups of devices or users that you create so that you can
manage them as a group. For example, you might want to install a mobile device
application on all mobile devices that Configuration Manager enrolls. If this is the case,
you can use the All Mobile Devices collection.
Introduction to collections
Client settings
When you first install Configuration Manager, all clients in the hierarchy are configured
by using the default client settings that you can change. The client settings include these
configuration options:
Whether the client is set up for software updates and other management
operations.
You can create custom client settings and then assign them to collections. Members of
the collection are configured to have the custom settings, and you can create multiple
custom client settings that are applied in the order that you specify (by numerical order).
If there are conflicting settings, the setting that has the lowest order number overrides
the other settings.
The following diagram shows an example of how you create and apply custom client
settings.
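The priority rule described above, worked through in code. This is an added illustration, not Configuration Manager's own code; the setting names, collection names and order numbers are constructed samples.

```python
"""Effective client settings for a device, following the rule on this page:
the default client settings apply to every client, custom client settings
assigned to collections the device belongs to override them, and when two
custom settings conflict the one with the lowest order number wins.

Added illustration, not Configuration Manager code. The setting names,
values and collection names below are constructed samples.
"""

# Constructed sample of the default client settings (not real defaults).
DEFAULT_CLIENT_SETTINGS = {
    "EnableSoftwareUpdates": True,
    "HardwareInventoryIntervalHours": 168,
    "EnableRemoteControl": False,
}

# Constructed custom client settings:
# (order number, custom settings name, assigned collection, overridden values)
CUSTOM_CLIENT_SETTINGS = [
    (1, "Server Settings", "All Servers", {"HardwareInventoryIntervalHours": 24}),
    (2, "Helpdesk Settings", "All Desktops",
     {"HardwareInventoryIntervalHours": 72, "EnableRemoteControl": True}),
    (3, "Pilot Ring", "Update Pilot", {"EnableSoftwareUpdates": False}),
]


def effective_settings(device_collections, custom=CUSTOM_CLIENT_SETTINGS,
                       default=DEFAULT_CLIENT_SETTINGS):
    """Return {setting: (value, source)} for a device in the given collections.

    Only custom settings assigned to a collection the device is a member of
    apply. They are applied from the highest order number down to the lowest,
    so the lowest order number is applied last and wins any conflict.
    """
    result = {k: (v, "Default Client Settings") for k, v in default.items()}
    applicable = [c for c in custom if c[2] in device_collections]
    for order, name, _collection, overrides in sorted(
            applicable, key=lambda c: c[0], reverse=True):
        for key, value in overrides.items():
            result[key] = (value, f"{name} (order {order})")
    return result


if __name__ == "__main__":
    # A device that is both a server and a desktop-collection member:
    # order 1 beats order 2 for the conflicting inventory interval.
    for setting, (value, source) in effective_settings(
            {"All Servers", "All Desktops"}).items():
        print(f"{setting:32} = {value!s:6} from {source}")
```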
To learn more about client settings, see the following articles:
User-based management
Configuration Manager supports collections of Azure Active Directory and Active
Directory Domain Services users. When you use a user collection, you can install
software on all computers that members of the collection use. To make sure that the
software you deploy only installs on the devices that are specified as a user's primary
device, set up user device affinity. A user can have one or more primary devices.
One of the ways that users can control their software deployment experience is to use
the Software Center client interface. The Software Center is automatically installed on
client computers and is run from the Windows Start menu. The Software Center lets
users manage their own software and do the following tasks:
Install software
Configure the access settings for remote control, if remote control is set up in
Configuration Manager
When it's set up, specify a primary device for user device affinity
After you install the Configuration Manager clients, there are several tasks that you run
to manage the clients. Some of the tasks are run from the Configuration Manager
console. Other tasks are run from the Configuration Manager client application. The
Configuration Manager client application is installed with the Configuration Manager
client software.
Help protect computers from malware and security threats, and notify you when
problems are detected.
Define client configuration settings that you want to monitor, and remediate if
they are out of compliance.
The Configuration Manager console monitors the previous tasks in near real time.
Notification and status information for each task is available in the Configuration
Manager console. To capture data and historical trending, use the integrated reporting
capabilities of SQL Server Reporting Services. Clients submit details to the site as client
status. Client status information provides data about the health of the client and client
activity, and is viewed in the console or by using the built-in reports for Configuration
Manager. This data helps identify computers that are not responding and in some cases,
problems are automatically remediated.
For more information about management tasks for clients, see How to manage clients.
To learn about using reports, see Introduction to reporting.
View properties about the client, such as the build number, its assigned site, the
management point it is communicating with, and whether the client is using a
public key infrastructure (PKI) certificate or a self-signed certificate.
Confirm that the client has successfully downloaded a client policy after the client
is installed for the first time. Also confirm that the client settings are enabled or
disabled as expected, according to the client settings that are configured in the
Configuration Manager console.
Start client actions. For example, download the client policy if there was a recent
configuration change in the Configuration Manager console, and you do not want
to wait until the next scheduled time.
Manually assign a client to a Configuration Manager site or try to find a site. Then
specify the Domain Name System (DNS) suffix for management points that publish
to DNS.
Configure the client cache that temporarily stores files. Then delete files in the
cache if you require more disk space to install software.
View configuration baselines that were deployed to the client, initiate compliance
evaluation, and view compliance reports.
Fundamentals of security for Configuration Manager
Article • 10/04/2022
Security layers
Role-based administration
Securing client endpoints
Configuration Manager accounts and groups
Privacy
Security layers
Security for Configuration Manager consists of the following layers:
Access Control Lists (ACLs) to help secure files and registry keys.
Network infrastructure
Network security components, like firewalls and intrusion detection, help provide
defense for the whole environment. Certificates issued by industry standard public key
infrastructure (PKI) implementations help provide authentication, signing, and
encryption.
SMS Provider
The next layer of security is based on access to the SMS Provider. The SMS Provider is a
Configuration Manager component that grants a user access to query the site database
for information. The SMS Provider primarily exposes access through Windows
Management Instrumentation (WMI), but also a REST API called the administration
service.
By default, access to the provider is restricted to members of the local SMS Admins
group. This group at first contains only the user who installed Configuration Manager.
To grant other accounts permission to the Common Information Model (CIM) repository
and the SMS Provider, add the other accounts to the SMS Admins group.
You can specify the minimum authentication level for administrators to access
Configuration Manager sites. This feature requires administrators to sign in to Windows
with the required level. For more information, see Plan for the SMS Provider.
The combination of security roles, security scopes, and collections defines the objects
that an administrative user can view and manage. Configuration Manager installs some
default security roles for typical management tasks. Create your own security roles to
support your specific business requirements.
You can configure the site system roles to which clients connect for either HTTPS or
HTTP client communication. Client computers always communicate by using the most
secure method that's available. Client computers only fall back to using the less secure
communication method if you have site system roles that allow HTTP communication.
Important
Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.
Configuration Manager creates several default groups and SQL Server roles during
setup. You might have to manually add computer or user accounts to the default groups
and SQL Server roles.
Privacy
Before you implement Configuration Manager, consider your privacy requirements.
Although enterprise management products offer many advantages because they can
effectively manage lots of clients, this software might affect the privacy of users in your
organization. Configuration Manager includes many tools to collect data and monitor
devices. Some tools might raise privacy concerns in your organization.
For example, when you install the Configuration Manager client, it enables many
management settings by default. This configuration causes the client software to send
information to the Configuration Manager site. The site stores client information in the
site database. The client information isn't directly sent to Microsoft. For more
information, see Diagnostics and usage data.
Next steps
Fundamentals of role-based administration
With Configuration Manager, you use role-based administration to secure the access
that administrative users need to use Configuration Manager. You also secure access to
the objects that you manage, like collections, deployments, and sites.
Collections are used to specify groups of users and devices that the administrative
user can manage in Configuration Manager.
With the combination of roles, scopes, and collections, you segregate the administrative
assignments that meet your organization's requirements. Used together, they define the
administrative scope of a user. This administrative scope controls the objects that an
administrative user views in the Configuration Manager console, and it controls the
permissions that a user has on those objects.
Benefits
The following items are benefits of role-based administration in Configuration Manager:
You create administrative users for a hierarchy and only need to assign security to
them one time.
All security assignments are replicated and available throughout the hierarchy.
Role-based administration configurations replicate to each site in the hierarchy as
global data, and then are applied to all administrative connections.
Important
Intersite replication delays can prevent a site from receiving changes for role-based
administration. For more information about how to monitor intersite database
replication, see Data transfers between sites.
There are built-in security roles that are used to assign the typical administration
tasks. Create your own custom security roles to support your specific business
requirements.
Administrative users see only the objects that they have permissions to manage.
Security roles
Use security roles to grant security permissions to administrative users. Security roles are
groups of security permissions that you assign to administrative users so that they can
do their administrative tasks. These security permissions define the actions that an
administrative user can do and the permissions that are granted for particular object
types. As a security best practice, assign the security roles that provide the least
permissions that are required for the task.
Configuration Manager has several built-in security roles to support typical groupings of
administrative tasks. You can create your own custom security roles to support your
specific business requirements.
Application administrator: Combines the permissions of the Application deployment manager and the Application author roles. Administrative users in this role can also manage queries, view site settings, manage collections, edit settings for user device affinity, and manage App-V virtual environments.
Application author: Can create, modify, and retire applications. Administrative users in this role can also manage applications, packages, and App-V virtual environments.
Application deployment manager: Can deploy applications. Administrative users in this role can view a list of applications. They can manage deployments for applications, alerts, and packages. They can view collections and their members, status messages, queries, conditional delivery rules, and App-V virtual environments.
Asset manager: Grants permissions to manage the Asset Intelligence synchronization point, Asset Intelligence reporting classes, software inventory, hardware inventory, and metering rules.
Company resource access manager: Grants permissions to create, manage, and deploy company resource access profiles. For example, Wi-Fi, VPN, Exchange ActiveSync email, and certificate profiles.
Endpoint protection manager: Grants permissions to create, modify, and delete endpoint protection policies. They can deploy these policies to collections, create and modify alerts, and monitor endpoint protection status.
Full administrator: Grants all permissions in Configuration Manager. The administrative user who installs Configuration Manager is automatically granted this security role, all scopes, and all collections.
Infrastructure administrator: Grants permissions to create, delete, and modify the Configuration Manager server infrastructure and to run migration tasks.
Operating system deployment manager: Grants permissions to create OS images and deploy them to computers, manage OS upgrade packages and images, task sequences, drivers, boot images, and state migration settings.
Operations administrator: Grants permissions for all actions in Configuration Manager except for the permissions to manage security. This role can't manage administrative users, security roles, and security scopes.
Remote tools operator: Grants permissions to run and audit the remote administration tools that help users resolve computer issues. Administrative users in this role can run remote control, remote assistance, and remote desktop from the Configuration Manager console.
Security administrator: Grants permissions to add and remove administrative users and to associate administrative users with security roles, collections, and security scopes. Administrative users in this role can also create, modify, and delete security roles and their assigned security scopes and collections.
Software update manager: Grants permissions to define and deploy software updates. Administrative users in this role can manage software update groups, deployments, and deployment templates.
Tip
If you have permissions, you can view the list of all security roles in the
Configuration Manager console. To view the roles, go to the Administration
workspace, expand Security, and then select the Security Roles node.
You can't modify the built-in security roles, other than to add administrative users. You
can copy the role, make changes, and then save these changes as a new custom security
role. You can also import security roles that you've exported from another hierarchy, like
a lab environment. For more information, see Configure role-based administration.
Review the security roles and their permissions to determine whether you'll use the
built-in security roles, or whether you have to create your own custom security roles.
Role permissions
Each security role has specific permissions for different object types. For example, the
application author role has the following permissions for applications:
Approve
Create
Delete
Modify
Modify folder
Move object
Read
Run report
Set security scope
3. If some of the administrative users do the tasks of multiple roles, assign the users
to the multiple roles. Don't create a custom role that combines the permissions.
4. If the tasks that you identified don't map to the built-in security roles, create and
test custom roles.
For more information, see Create custom security roles and Configure security roles.
Collections
Collections specify the users and devices that an administrative user can view or
manage. For example, to deploy an application to a device, the administrative user
needs to be in a security role that grants access to a collection that contains the device.
Before you configure role-based administration, decide whether you have to create new
collections for any of the following reasons:
Security scopes
Use security scopes to provide administrative users with access to securable objects. A
security scope is a named set of securable objects that are assigned to administrative
users as a group. All securable objects are assigned to one or more security scopes.
Configuration Manager has two built-in security scopes:
All: Grants access to all scopes. You can't assign objects to this security scope.
Default: This scope is used for all objects by default. When you install
Configuration Manager, it assigns all objects to this security scope.
If you want to restrict the objects that administrative users can see and manage, create
your own custom security scopes. Security scopes don't support a hierarchical structure
and can't be nested. Security scopes can contain one or more object types, which
include the following items:
Alert subscriptions
Applications and application groups
App-V virtual environments
Boot images
Boundary groups
Configuration items and baselines
Custom client settings
Distribution points and distribution point groups
Driver packages
Endpoint protection policies (all)
Folders
Global conditions
Migration jobs
OneDrive for Business profiles
OS images
OS upgrade packages
Packages
Queries
Remote connection profiles
Scripts
Sites
Software metering rules
Software update groups
Software updates packages
Task sequences
User data and profiles configuration items
Windows Update for Business policies
There are also some objects that you can't include in security scopes because they're
only secured by security roles. Administrative access to these objects can't be limited to
a subset of the available objects. For example, you might have an administrative user
who creates boundary groups that are used for a specific site. Because the boundary
object doesn't support security scopes, you can't assign this user a security scope that
provides access to only the boundaries that might be associated with that site. Because
a boundary object can't be associated to a security scope, when you assign a security
role that includes access to boundary objects to a user, that user can access every
boundary in the hierarchy.
Objects that don't support security scopes include but aren't limited to the following
items:
Create security scopes when you have to limit access to separate instances of objects.
For example:
You have a group of administrative users who need to see production applications
and not test applications. Create one security scope for production applications
and another for test applications.
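A decision model for the rules in this article and in the Fundamentals of security section above: a user's administrative scope is the combination of roles (permissions per object type), scopes (which object instances) and collections, with boundary objects secured by roles only. This is an added illustration, not Configuration Manager's own code; the permission name "Deploy", the object names, and the sample users are assumptions or constructed samples.

```python
"""Decision model for Configuration Manager role-based administration.

Added illustration of the rules on this page, not Configuration Manager's
own code. The "Deploy" permission name, the sample objects and the sample
users are assumptions / constructed samples; the Application author
permissions are the ones listed on the page.
"""
from dataclasses import dataclass, field

# Object types the page says are secured by security roles only (no scopes).
ROLE_ONLY_OBJECT_TYPES = {"Boundary"}

# Roles expressed as object type -> permissions. "*" stands for the
# Full administrator's grant of every permission on every object type.
BUILT_IN_ROLES = {
    "Application author": {
        "Application": {"Approve", "Create", "Delete", "Modify", "Modify folder",
                        "Move object", "Read", "Run report", "Set security scope"},
    },
    "Application deployment manager": {
        "Application": {"Read", "Deploy"},      # "Deploy" is an assumed name
    },
    "Infrastructure administrator": {
        "Boundary": {"Create", "Delete", "Modify", "Read"},
        "Site": {"Read", "Modify"},
    },
    "Full administrator": {"*": {"*"}},
}


@dataclass(frozen=True)
class SecurableObject:
    name: str
    obj_type: str
    scopes: frozenset = frozenset({"Default"})  # every object has >= 1 scope


@dataclass
class AdminUser:
    name: str
    roles: set
    scopes: set                                  # "All" grants every scope
    collections: set = field(default_factory=set)


def role_permissions(user, obj_type):
    """Union of the permissions on obj_type across all of the user's roles."""
    perms = set()
    for role in user.roles:
        grants = BUILT_IN_ROLES[role]
        perms |= grants.get(obj_type, set())
        perms |= grants.get("*", set())
    return perms


def in_scope(user, obj):
    """Scope check. Role-only object types bypass scopes entirely, so a role
    that grants boundary access grants it to every boundary in the hierarchy."""
    if obj.obj_type in ROLE_ONLY_OBJECT_TYPES or "All" in user.scopes:
        return True
    return bool(user.scopes & obj.scopes)


def can(user, permission, obj):
    """A role must grant the permission for the object type, and the object
    must fall inside one of the user's security scopes."""
    perms = role_permissions(user, obj.obj_type)
    return ("*" in perms or permission in perms) and in_scope(user, obj)


def can_deploy(user, app, target_collection):
    """Deploying an application additionally needs the target collection to
    be one the user is allowed to manage."""
    return can(user, "Deploy", app) and target_collection in user.collections


# Constructed sample: production and test scopes, one boundary, four users.
PROD_APP = SecurableObject("Payroll 2.0", "Application", frozenset({"Production"}))
TEST_APP = SecurableObject("Payroll 2.1-beta", "Application", frozenset({"Test"}))
BOUNDARY = SecurableObject("HQ subnet", "Boundary", frozenset())  # scopes ignored

PROD_AUTHOR = AdminUser("prod-author", {"Application author"}, {"Production"})
DEPLOYER = AdminUser("deployer", {"Application deployment manager"},
                     {"Production"}, {"All Mobile Devices"})
INFRA = AdminUser("infra", {"Infrastructure administrator"}, {"Test"})
FULL = AdminUser("full", {"Full administrator"}, {"All"}, {"All Systems"})

if __name__ == "__main__":
    checks = [(PROD_AUTHOR, "Modify", PROD_APP), (PROD_AUTHOR, "Modify", TEST_APP),
              (PROD_AUTHOR, "Read", BOUNDARY), (INFRA, "Modify", BOUNDARY)]
    for user, perm, obj in checks:
        print(f"{user.name:12} {perm:7} {obj.name:18} -> {can(user, perm, obj)}")
```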
Next steps
Configure role-based administration for Configuration Manager
Configuration Manager and Windows as a service
Article • 10/04/2022
Overview of Configuration Manager current branch: Provides a brief summary of the key points for the servicing model for Configuration Manager current branch.
Support lifecycle: Explains the current branch support and servicing model.
Removed and deprecated items: Provides early notice about future changes that might affect your use of Configuration Manager.
Updates to Configuration Manager current branch: Explains the easy in-console method of applying feature updates to Configuration Manager.
Get available updates: Explains the two modes available to get new Configuration Manager feature updates.
Install new Configuration Manager feature updates: Explains the simple installation steps for feature updates.
Support for Windows ADK: Provides a support matrix for the Windows Assessment and Deployment Kit (Windows ADK).
Technical Previews for Configuration Manager: Provides information about the Configuration Manager technical preview program.
Windows as a service
Manage Windows as a service: Explains how to use servicing plans to deploy Windows feature updates.
Upgrade Windows via task sequence: The details of creating a task sequence to upgrade Windows, with additional recommendations.
Optimize Windows update delivery: Use Configuration Manager to manage update content to stay current with Windows.
Use Desktop Analytics: Desktop Analytics allows you to assess and analyze the readiness of devices in your environment for an upgrade to Windows.
Windows Update for Business integration (optional): Explains how to define and deploy Windows Update for Business (WUfB) policies using Configuration Manager.
Product lifecycle
Another important aspect of staying current with Windows and Configuration Manager
is to monitor product lifecycles. Configuration Manager has built-in features to help:
Next steps
In-place upgrade to Configuration Manager current branch from System Center
2012 Configuration Manager
Plan for migration to Configuration Manager current branch
Use cloud services with Configuration Manager
Article • 02/22/2023
How to scale out infrastructure when physical hardware isn't available, or isn't
logically placed to support your needs.
Provisioning cloud resources isn't something you have to do before you deploy
Configuration Manager. It can be beneficial to understand these options before
progressing too far in a hierarchy design plan. The use of cloud resources might save
you money and time, while solving business problems that on-premises infrastructure
can't.
Cloud-based resources
Each option has different requirements. Investigate each in greater depth to understand
the unique prerequisites, limitations, and potential for additional costs based on use.
Run Configuration Manager in a virtual machine and use it to manage clients that
aren't in Azure.
Run different Configuration Manager site system roles in Azure virtual machines.
Run other roles in your on-premises network. Configure appropriate network
connectivity for communications.
The same requirements for networks, operating systems, and hardware requirements
that apply to installing the Configuration Manager on your on-premises network also
apply to the installation of Configuration Manager in Azure.
An Azure subscription is required to use Azure virtual machines. You incur charges based
on the number of virtual machines you use, their configuration, and use of cloud-based
resources.
Additionally, Configuration Manager sites and clients that run in Azure virtual machines
are subject to the same license requirements as on-premises installations.
Azure services
You can connect the site to Azure for several scenarios:
Azure Active Directory authentication and discovery. For more information, see
Configure Azure services.
Cloud management gateway to manage internet-based clients. For more
information, see Cloud management gateway overview.
Deploy apps from the Microsoft Store for Business and Education. For more
information, see Manage apps from the Microsoft Store for Business and
Education.
Use Windows data to gain insights into apps and drivers to help upgrade devices
to Windows 10. For more information, see What is Desktop Analytics?.
Microsoft Intune tenant attach
These scenarios are different from using an Azure virtual machine on which you deploy a
site system role.
An Azure subscription is required for these scenarios. You incur charges based on the
amount of data that transfers to and from the service.
These additional capabilities don't require you to have an Azure subscription. You don't
have to set up specific connections, certificates, or services in the cloud. Instead, they are
automatically managed by Configuration Manager for you. All you need to do is ensure
applicable site systems and devices can access the internet-based URLs.
For more information, see the details for the different cloud-based resource scenarios.
Also see an Introduction to Azure security.
Configuration Manager on Azure
FAQ
FAQ
General questions
Can I move on-premises Configuration Manager
servers to Azure?
Yes, this scenario is supported. For more information, see Support for virtualization
environments.
If you use a metered data plan and available bandwidth or cost is a concern, then
consider placing specific sites and site systems on-premises. Then use the bandwidth
controls built into Configuration Manager. Also consider this configuration when the
network connection between Azure and your intranet isn't fast or can be unreliable.
For more information on these factors, see the other questions below.
Networking
Should I use ExpressRoute or an Azure VPN
Gateway?
Microsoft recommends using ExpressRoute. Network speeds and latency can affect
functionality between the site server and remote site systems and between any client
communication to the site systems.
There's no limitation in Configuration Manager for using Azure VPN Gateway. You
should carefully review the following requirements from this infrastructure and then
make your decision:
Performance
Patching
Software distribution
OS deployment
Consider the following aspects for each solution:
ExpressRoute (recommended)
Natural extension to your datacenter and can link together multiple datacenters
Private connections between Azure datacenters and your infrastructure
Doesn't go over the public internet
Offers reliability, fast speeds, lower latency, high security
Offers up to 10 Gbps speeds and unlimited data plan options
VPN Gateway
You can also use them for the Configuration Manager site servers. For example, central
administration sites and primary sites can all be in the same availability set. This
configuration can help you make sure that they're not rebooted at the same time.
For more information, see Availability options for Azure Virtual Machines and High
availability options for Configuration Manager.
For high availability of the site database server, use SQL Server Always On availability
groups. For more information, see Prepare to use a SQL Server Always On availability
group with Configuration Manager.
Performance
What factors affect performance in this scenario?
The following factors are the most important to Configuration Manager performance on
Azure:
Azure VM size and type
Azure VM disks: premium storage is recommended, especially for SQL Server
Network latency and speed
For production deployments of any significant size, use S class Azure VMs. These
VMs can use premium storage disks. Non S class VMs use blob storage and in
general won't meet the performance requirements necessary for an acceptable
production experience.
Use multiple premium storage disks for higher scale, and striped in the Windows
Disk Management console for maximum IOPS.
Use better or multiple premium disks during your initial site deployment. For
example, P30 instead of P20, and two P30 disks in a striped volume, instead of a
single P30. If your site later needs to increase VM size due to additional load, you
can take advantage of the additional CPU and memory that a larger VM size
provides. You'll also already have disks in place that can take advantage of the
additional IOPS throughput that the larger VM size allows.
The following tables list the initial suggested disk counts to use at primary and central
administration sites for various size installations:
A primary or central administration site with the site database on the site server:
Example
This image shows an example disk configuration for the following VM:
Network speeds and latency are other factors to consider as well. Slow or unreliable
networks could impact functionality between the site server and remote site systems,
and client communication to the site systems. Factor in the number of managed clients
that use a given site system and the features you actively use.
As a starting point, you can use the standard guidance for site systems across WAN
links. Ideally, the network throughput that you select and receive between Azure and
your intranet will be consistent with a WAN that is well-connected with a fast network.
If you use a fast and reliable network connection between Azure and your intranet
with an unlimited data plan, hosting standard distribution points in Azure could be
an option.
Note
If you require PXE or multicast support, you need an on-premises distribution point
to respond to these boot requests.
Cost
Will moving Configuration Manager to Azure be
a cost-effective solution for my organization?
It's hard to say since every environment is different. To estimate the cost for your
environment, use the Azure pricing calculator.
More information
Where can I learn more about these Azure
technologies?
Fundamentals
What is Azure
Azure VM machine types
Azure machine sizes
VM pricing
Storage pricing
Premium storage
Select a disk type of IaaS VMs
Scalability and performance targets for standard storage accounts
Blog post on how premium storage works
Availability
Connectivity
ExpressRoute or Azure VPN
Azure ExpressRoute pricing
What is Azure ExpressRoute?
Frequently asked questions for
Configuration Manager branches
and licensing
FAQ
Applies to: Configuration Manager (current branch) & System Center Configuration
Manager (long-term servicing branch)
This FAQ addresses common licensing questions about Configuration Manager current
branch and the long-term servicing branch (LTSB) versions, available through Microsoft
Volume Licensing programs. This article is for informational purposes. It doesn't
supersede or replace any documentation covering Configuration Manager licensing. For
more information, see the Product Terms. The Product Terms describe the use terms
for all Microsoft products in Volume Licensing.
While SA is optional for some Microsoft products, the only way to get rights to use
Configuration Manager current branch is with SA or equivalent subscription rights.
For more information, see the Software Assurance FAQ.
If your SA expires, and you still have a license for Configuration Manager, you
can no longer use the current branch. For more information, see the FAQ If my
SA expires and I had L&SA, what do I get?
For more information about license offerings, see Ways to buy and Licensing Product
Terms.
Important
Devices already managed by Configuration Manager that you enroll to Intune for
co-management have almost the same rights as an Intune standalone-managed
PC. If you reset Windows on this device, you can't provision it with Windows
Autopilot. Autopilot requires a full Intune license.
If you enroll a Windows device to Intune by other means, it still requires a full
Intune license. For example, you use Autopilot to provision a device, or a user
manually does self-service enrollment.
For existing Configuration Manager-managed devices to enroll into Intune for co-
management at scale without user interaction, co-management uses an Azure
Active Directory (Azure AD) feature called Windows auto-enrollment. Auto-
enrollment with co-management requires licenses for both Azure AD Premium
(AADP1) and Intune. Starting on December 1, 2019, you no longer need to assign
individual Intune licenses for this scenario. Microsoft Intune and Configuration
Manager each include the licenses for co-management. The separate AADP1
licensing requirement remains the same for this scenario to work. You still need to
assign Intune licenses for other enrollment scenarios.
If you want to use Intune for managing iOS, Android, or macOS devices, then you
need the appropriate Intune subscription through a standalone Intune license,
Enterprise Mobility + Security (EMS), or Microsoft 365.
If you use the Microsoft 365 built-in Basic Mobility and Security, you can't use
the new co-management license for a user that also has devices managed by Basic
Mobility and Security. To use the co-management license for the user's
Configuration Manager-managed device, do one of the following actions:
Assign a full Intune license to the user, and manage their devices through
Intune.
Unenroll the devices from Basic Mobility and Security.
The licensing that you previously had for System Center Configuration Manager
still applies to Microsoft Configuration Manager. If installing a new site, use
existing product keys.
Autopilot No Yes
Co-management prerequisites
Windows Autopilot requirements
Desktop analytics prerequisites
Tenant attach prerequisites
Endpoint analytics licensing prerequisites
Use conditional access with Intune
TeamViewer prerequisites
If your SA expired before October 1, 2016, and you retained a perpetual license to
Configuration Manager, then your only option for ongoing use is to install and use
System Center 2012 R2 Configuration Manager and its available service packs. You're
required to uninstall the current branch when your SA expires, and reinstall that earlier
version of the product. There's no support to migrate to or downgrade from
Configuration Manager current branch to prior versions of Configuration Manager.
If you use System Center Endpoint Protection, and your SA expires, you must uninstall it.
System Center Endpoint Protection offers no L (License) rights, and no perpetual rights.
Some developer programs like MSDN offer products like Configuration Manager
for development and test, but not production use.
For a temporary environment, you can use the evaluation version for 180 days.
For a lab environment, you can use the technical preview branch. Technical preview
has the same functionality as current branch, but has some limitations in terms of
scale and supported platforms.
If you don't have active SA, uninstall the current branch, and then install the LTSB of
Configuration Manager. The LTSB doesn't receive updates for incremental versions of
Configuration Manager, but does receive security updates based on the Support
Lifecycle.
Approved use rights for the SQL Server capabilities with Configuration Manager include:
The SQL Server license that's included with Configuration Manager supports each
instance of SQL Server that you install to host a database for Configuration Manager.
However, only databases for Configuration Manager in the preceding list can run on
that SQL Server when you use this license. If a database for any additional Microsoft or
third-party product shares the SQL Server, you must have a separate license for that SQL
Server instance.
Applies to: Configuration Manager (current branch & technical preview branch) & System
Center Configuration Manager (long-term servicing branch)
Current branch
Long-term servicing branch
Technical preview branch
Tip
All sites in a hierarchy must run the same branch. It isn't supported to have a
hierarchy with different branches at different sites.
Current branch
This branch is licensed for use in a production environment. Use this branch to get the
latest features and functionalities. If you have one of the following licenses, you can use
this branch:
For more information about Software Assurance and licensing options, see Licensing
and branches for Configuration Manager and Frequently asked questions for
Configuration Manager branches and licensing.
Microsoft plans to release updates for Configuration Manager current branch a few
times per year. Each update version remains in support for 18 months from its general
availability (GA) release date. Technical support is provided for the entire period of
support. However, our support structure is dynamic, evolving into two distinct servicing
phases that depend on the availability of the latest current branch version. (For more
information, see Support for Configuration Manager current branch versions.) Updates to
newer versions are available as in-console updates.
To install the current branch as a new site, use baseline media. Also use baseline media
to upgrade from System Center 2012 Configuration Manager with Service Pack 2 or
System Center 2012 R2 Configuration Manager with Service Pack 1. Access to this media
depends on how your organization licenses Configuration Manager.
You can also use the baseline media to install a new site that is an evaluation edition of
the current branch. The evaluation edition doesn't require a license. You can use the
evaluation edition for 180 days. It supports upgrade to a licensed edition of the current
branch. To install only an evaluation edition, get it from the Evaluation Center.
Use baseline media to install sites for a new Configuration Manager hierarchy. If you
previously installed a baseline version, use in-console updates to update your sites
to a new version.
Sites that are updated using in-console updates result in sites that are the same as
the new site installed using the baseline media.
Microsoft recommends that you update to the newest version soon after its release. You
can wait up to 18 months before updating to a newer version. You can also skip an
update to install the newest version available. Because each version is cumulative, if you
skip over an update and install the newest version, you still get access to all features and
improvements from previous versions.
The LTSB is based on version 1606. This branch doesn't receive in-console updates that
deliver new features or update existing capabilities. However, critical security fixes are
provided. To install the LTSB, you must use the version 1606 baseline media that you get
with System Center 2016. Later baseline versions don't support install of the LTSB.
To install the LTSB as a new site or as an upgrade from a supported System Center 2012
Configuration Manager site, use the version 1606 baseline media that you get with
System Center 2016. You can use baseline media to install a new site that runs version
1606 of the current branch, or a new site that runs the long-term servicing branch.
Tip
To learn about System Center 2016, see System Center 2016 documentation. This
documentation also identifies how to get System Center 2016, which requires a
Microsoft license agreement or similar rights.
To find Configuration Manager version 1606 in the Volume Licensing Service Center
(VLSC), go to the Downloads and Keys tab of the VLSC, search for System Center
2016, and then select either System Center 2016 Datacenter or System Center 2016
Standard.
You can also get an evaluation edition of System Center 2019 from the Evaluation
Center.
LTSB limitations
The LTSB is based on the current branch version 1606 and has the following limitations:
The LTSB is supported for 10 years of critical security updates after its general
availability (October 2016), after which, support for this branch expires. For more
information about the support lifecycle, see Microsoft Lifecycle Policy.
Supports a limited list of server and client operating systems and related
technologies, like SQL Server versions. For more information, see Supported
configurations for the long-term servicing branch.
Doesn't receive updates for new features
Doesn't support the following capabilities:
Cloud-attached features like co-management or Desktop Analytics
On-premises MDM
The Windows servicing dashboard, servicing plans, or Windows release channels
Future releases of Windows 10 LTSB and Windows Server
Asset intelligence
Any pre-release features
To convert, you must have an active Software Assurance agreement with Microsoft.
For more information, see the following articles:
Upgrade the long-term servicing branch to the current branch
Licensing and branches for Configuration Manager
Baseline and update versions
There's no option to convert the LTSB to a technical preview branch. Technical
preview branches are separate installations that don't require a license.
To install a new site that runs the technical preview branch, use the latest baseline media
for the technical preview branch. After you install the technical preview branch, new
versions are available as in-console updates each month.
Features that are first introduced in a technical preview branch are often added to the
current branch in a later update. Each new technical preview branch version includes the
features from previous technical preview branches, even after those features have been
added to the current branch.
For more information, see the Technical preview for Configuration Manager.
Version
To check the version of your site, in the console go to About Configuration Manager at
the upper-left corner of the console. This dialog displays the Site version. For a list of
site versions, see Baseline and update versions.
Branch
To confirm the branch of your site, in the console go to Administration > Site
Configuration > Sites, and open Hierarchy Settings. If there's an active option to
convert to the current branch, the site runs the LTSB version. When the site runs the
current branch, the console disables this option.
For more information about the different versions of Configuration Manager, see
Baseline and update versions.
Licensing and branches for
Configuration Manager
Article • 10/04/2022
Applies to: Configuration Manager (current branch), & System Center Configuration
Manager (long-term servicing branch)
Use this article to learn about the licensing requirements for the installation options
available with Configuration Manager. These installation options include the following
branches:
Current branch
Long-term servicing branch (LTSB)
Evaluation installation of the current branch
Technical preview branch
Licensing overview
Customers with active Software Assurance (SA) on Configuration Manager licenses or
with equivalent subscription rights as of October 1, 2016 have rights to use the October
2016 version 1606 release of Configuration Manager. Customers with rights to
Configuration Manager on or after October 1, 2016 will find two licensed options upon
installation: current branch and long-term servicing branch (LTSB).
For the complete terms and conditions for the products you purchase through Microsoft
Volume Licensing programs, see Licensing Terms and Documentation.
Licensed branches
This article references the Software Assurance agreement or equivalent subscription
rights. This Microsoft licensing agreement grants rights to install and use Configuration
Manager.
Current branch
The current branch requires an active Software Assurance agreement or equivalent
rights to Configuration Manager. For more information, see Software Assurance and the
Current Branch.
This branch is supported for use in production environments that want to receive
regular quality and feature updates from Microsoft. It provides access to use all features
and improvements.
Beginning with the 1710 release, each update version remains in support for 18 months
from its general availability release date. For more information, see Support for
Configuration Manager current branch versions.
This branch is supported for use in production environments. It's intended for use by
customers that have let their Software Assurance (SA) or equivalent subscription rights
to Configuration Manager expire after October 1, 2016. This branch is limited when
compared to the Current Branch.
Critical security updates for Configuration Manager are made available to this branch
but no new features are made available.
You can upgrade the evaluation installation to a full installation of the current branch.
You can't upgrade an evaluation installation to the long-term servicing branch.
You can install and use the LTSB. Customers who have perpetual rights to
Configuration Manager, or who allow their SA or subscription to lapse, can install
the version of Configuration Manager LTSB that's current at the time of lapse.
LTSB is based on current branch version 1606, and has the following limitations:
There's no support to convert a current branch to the LTSB. If you currently have a
current branch site, you must install the LTSB as a new site.
LTSB doesn't support all the capabilities of the current branch. For more
information, see Introduction to the long-term servicing branch. These limitations
include a limited feature set, limited upgrade options, and a separate product
support lifecycle.
Note
Microsoft doesn't validate the expiration date you specify, and doesn't use this date
for license validation. Use it as a reminder of your expiration date. This value is
useful when Configuration Manager periodically checks for new software updates
offered online. Your Software Assurance license status should be current to be
eligible to use these additional updates.
Licensing resources
To learn more about product licensing details, use the following resources.
Volume license customers can get a summary of their licenses from the Volume
License Service Center. Go to the Licenses menu, and select Licenses Summary.
VLSC videos
For training videos on how VLSC works, go to Microsoft Volume Licensing Service
Center training and resources and select How-to videos.
Next steps
Frequently asked questions for Configuration Manager branches and licensing
Use the Configuration Manager client
software for extended interoperability
with future versions of a Current Branch
site
Article • 10/04/2022
Business requirements might not allow you to regularly update the Configuration
Manager client on some devices. For example, you need to follow change management
policies, or the device is mission-critical. Accommodate these needs by installing a new
client for long-term use, called the extended interoperability client (EIC). Only use the
EIC for specific devices that can't be frequently updated, like kiosk or point-of-sale
devices. Continue to use automatic client upgrade for most of your clients.
How it works
Typically, when you install a new in-console update for Configuration Manager, clients
automatically update their client software so they can use those new features. With this
scenario, you still update to the current branch receiving the new features and updates.
Most devices update the Configuration Manager client software with each version
update you install. However, on a subset of critical systems that you don't want to
receive client software updates, you install the extended interoperability client. These
clients don't install new client software until you explicitly deploy a new version of the
client software to them.
Supported versions
The following table lists the versions of the Configuration Manager client that are
supported for this scenario:
Version | Release date | Support end date | Client version
2103 | April 5, 2021 | No earlier than April 2023 | 5.00.9049
1902 | March 27, 2019 | March 27, 2022 | 5.00.8790
Tip
The EIC is supported for at least two years from the date of release. For more
information on release dates, see Support for Configuration Manager current
branch versions.
Plan to update the extended interoperability client on devices that you manage with the
current branch before support for the client expires. To do so, download a new version
of the client from Microsoft, and then deploy that updated client software to your
devices that use the current extended interoperability client.
2. Obtain a supported version of the EIC from the \SMSSETUP\Client folder of the
Configuration Manager update installation media. Make sure that you copy the
entire contents of the folder.
3. Manually install the EIC on those devices. For more information, see Manually
install the client.
Limitations
Updates for the extended interoperability client software aren't available by using
in-console updates. For more information on how to update the EIC, see How to
upgrade an excluded client.
Next steps
How to exclude clients from upgrade
To make sure that clients are installed correctly on the devices you want, see How to
monitor clients.
Introduction to the long-term servicing
branch of Configuration Manager
Article • 10/04/2022
Based on Configuration Manager version 1606, the LTSB has reduced functionality when
compared to the current branch of Configuration Manager.
Tip
The Configuration Manager LTSB isn't related to the System Center suite long-term
servicing channel (LTSC). For more information, see Overview of System Center
release options.
Although support for these features isn't available with the LTSB, some features remain
visible in the Configuration Manager console, but can't be selected or used.
Cloud integrations, as well as any features included with Configuration Manager current
branch version 1610 or later, aren't available to the LTSB. These features include, but
aren't limited to the following:
Co-management
Desktop Analytics
Cloud management gateway
Azure Active Directory integration
Apps from the Microsoft Store for Business
When you reference current branch documentation for the LTSB, details that apply to
version 1606 or earlier also apply to the LTSB. Features or details that are introduced
with version 1610 or later aren't supported by the LTSB.
Customers that have perpetual rights to System Center Configuration Manager, or that
allow SA or subscription to lapse after October 1, can install the version of System
Center Configuration Manager LTSB that is current at the time of lapse.
For more information about these licenses, see the Complete terms and conditions for
the products you purchase through Microsoft Volume Licensing programs.
For more information about licensing for Configuration Manager branches, see
Configuration Manager licensing and branches.
Next Steps
If you decide that the Configuration Manager LTSB is the correct branch for your
environment, install a new LTSB site as part of a new hierarchy, or upgrade a System
Center 2012 Configuration Manager site and hierarchy.
Supported Configurations for the Long-
Term Servicing Branch of System Center
Configuration Manager
Article • 10/04/2022
Use the information in this topic to understand what operating systems and product
dependencies are supported by the Long-Term Servicing Branch (LTSB) of Configuration
Manager.
If not stated otherwise in this or the LTSB specific topics, the same
configurations and limitations that apply to the Current Branch version 1606 apply to
the LTSB. When conflicts occur, use the information that applies to the edition you are
using. Typically, the LTSB is more limited than the Current Branch.
Additionally, products and product versions that are not listed in the following topics
are not supported unless they have been announced on the Enterprise Mobility +
Security Blog.
Windows:
SQL Server:
Only quality and security updates, or minor upgrades like service packs, are
supported for SQL Server.
No support for new major versions of SQL Server.
Client management
The following sections identify the client operating systems that you can manage with
the LTSB. The LTSB does not support the addition of new operating systems as
supported clients.
Windows computers
You can use the LTSB to manage the following Windows computer operating systems
with the Configuration Manager client software that is included with Configuration
Manager. For more information, see How to deploy clients to Windows computers.
(Note 1) Datacenter releases are supported but not certified for Configuration Manager.
(Note 2) To support client push installation, the computer that runs this operating
system version must run the File Server role service for the File and Storage Services
server role. For information about installing Windows features on a Server Core
computer, see Install Server Roles and Features on a Server Core Server.
Windows Embedded
You can use the LTSB to manage the following Windows Embedded devices by installing
the client software on the device. For more information, see Planning for client
deployment to Windows Embedded devices.
All client features are supported on supported Windows Embedded systems that
do not have write filters enabled.
Clients that use one of the following are supported for all features except power
management:
Before you can monitor detected malware on Windows Embedded devices based
on Windows XP, you must install the Microsoft Windows WMI scripting package
on the embedded device. Use Windows Embedded Target Designer to install this
package. The WBEMDISP.DLL and WBEMDISP.TLB files must exist and be registered
in the %windir%\System32\WBEM folder on the embedded device to ensure that
detected malware is reported.
Note
The LTSB does not support the management of devices that connect through an
online service, like Exchange Online (Microsoft 365).
Supported versions:
Supported levels:
When you run setup from the version 1606 baseline media for Configuration Manager,
you can install a long-term servicing branch site of System Center Configuration
Manager.
The baseline media is available on DVD as part of Microsoft System Center 2016, or from
the System Center Configuration Manager long-term servicing branch version 1606. To
learn about baseline media, see Baseline and update versions.
When you use the version 1606 baseline media, the site you install or upgrade to is:
A Current Branch site that is equivalent to a site that was first installed using the
1511 baseline media, and then updated to version 1606 plus the 1606 hotfix rollup
- KB3186654.
An LTSB site that is equivalent to the Current Branch site that runs version 1606
plus the 1606 hotfix rollup - KB3186654. The baseline media already includes the
hotfix rollup. But, the LTSB does not support all of the features or capabilities
available with the Current Branch, as detailed in Introduction to the Long-Term
Servicing Branch of System Center Configuration Manager.
If you are not familiar with the different branches of Configuration Manager, see Which
branch of Configuration Manager should I use.
For more information, see Licensing and branches for Configuration Manager.
Software Assurance expiration
During Setup, you have the option to enter the Software Assurance expiration date
value. This is an optional value that you can specify as a convenient reminder.
Note
Microsoft does not validate the expiration date you enter and will not use this date
for license validation. Instead, you can use it as a reminder of your expiration date.
This is useful because Configuration Manager periodically checks for new software
updates offered online, and your software assurance license status should be
current to be eligible to use these additional updates.
You can specify the date value on the Product Key page of the Setup Wizard when
you run Setup from the Configuration Manager version 1606 baseline media.
You can also specify this date by selecting Hierarchy Settings Properties >
Licensing in the Configuration Manager console.
For more information, see "Software Assurance agreements" in Licensing and branches
for Configuration Manager.
Uninstall the site system roles that the LTSB does not support:
When you use an unattended script to install a licensed branch, you must add the
following section, key names, and values to your script. You don't need these values
to script the install of an Evaluation edition of the Current Branch:

Section: [SABranchOptions]

Key name: SAActive
Values: 0 or 1.
Details: 1 indicates an active Software Assurance agreement (or equivalent licensing
rights); 0 indicates none.

Key name: CurrentBranch
Values: 0 or 1.
Details: 0 installs the Long-Term Servicing Branch, and 1 installs the Current
Branch.

For example, to install a licensed Current Branch edition you would use:

[SABranchOptions]
SAActive = 1
CurrentBranch = 1
Important
SABranchOptions only works with Setup from the baseline media. It does not apply
when you run Setup from the CD.Latest folder of a site you previously installed
using the version 1606 baseline media.
SABranchOptions does not apply to scripted upgrades from System Center 2012
Configuration Manager and always results in the Current Branch.
For more information, see Use a command line to install Configuration Manager sites.
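The following PowerShell is an added example and isn't part of the Configuration Manager documentation. It generates the [SABranchOptions] section for a given branch and parses an existing unattended script to confirm which branch Setup will install before you run it from the baseline media. Only the two keys shown above (SAActive and CurrentBranch) are handled; the other sections and keys in the sample script are constructed for illustration.

```powershell
# Added example (not from the Configuration Manager documentation): write and check
# the [SABranchOptions] section of an unattended Setup script.

function New-SABranchOptionsSection {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('LTSB', 'CurrentBranch')]
        [string]$Branch,

        [bool]$SoftwareAssuranceActive = $true
    )
    # CurrentBranch: 0 installs the Long-Term Servicing Branch, 1 the Current Branch.
    $currentBranch = if ($Branch -eq 'CurrentBranch') { 1 } else { 0 }
    $saActive      = if ($SoftwareAssuranceActive) { 1 } else { 0 }

    # A licensed Current Branch install is the SAActive=1 / CurrentBranch=1 case.
    if ($currentBranch -eq 1 -and $saActive -eq 0) {
        throw 'A licensed Current Branch install requires SAActive = 1.'
    }

    @(
        '[SABranchOptions]'
        "SAActive=$saActive"
        "CurrentBranch=$currentBranch"
    ) -join [Environment]::NewLine
}

function Get-SABranchOptions {
    # Parse an ini-style Setup script (as lines) and report the branch it selects.
    param([Parameter(Mandatory)][string[]]$ScriptLines)

    $section = ''
    $values  = @{}
    foreach ($raw in $ScriptLines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }          # blank or comment
        if ($line -match '^\[(?<name>[^\]]+)\]$') { $section = $Matches.name; continue }
        if ($section -ieq 'SABranchOptions' -and $line -match '^(?<key>[^=]+?)\s*=\s*(?<val>.*)$') {
            $values[$Matches.key.Trim()] = $Matches.val.Trim()
        }
    }

    if ($values.Count -eq 0) {
        # No section at all is only valid for an Evaluation edition of the Current Branch.
        return [pscustomobject]@{ Present = $false; Branch = 'Evaluation (no section)'; Valid = $true; Error = $null }
    }
    foreach ($key in 'SAActive', 'CurrentBranch') {
        if ($values[$key] -notin '0', '1') {
            return [pscustomobject]@{ Present = $true; Branch = $null; Valid = $false;
                                      Error = "$key must be 0 or 1, got '$($values[$key])'" }
        }
    }
    [pscustomobject]@{
        Present = $true
        Branch  = if ($values['CurrentBranch'] -eq '1') { 'CurrentBranch' } else { 'LTSB' }
        Valid   = $true
        Error   = $null
    }
}

# Constructed sample script (not a real file); section names and keys other than
# [SABranchOptions] are illustrative placeholders.
$sample = @'
[Identification]
Action=InstallPrimarySite
[Options]
SiteCode=PS1
[SABranchOptions]
SAActive=1
CurrentBranch=1
'@ -split "`r?`n"

Get-SABranchOptions -ScriptLines $sample            # Branch = CurrentBranch, Valid = True
New-SABranchOptionsSection -Branch LTSB -SoftwareAssuranceActive $false
```

Run Get-SABranchOptions against the real script before starting Setup: because all sites in a hierarchy must run the same branch, a wrong CurrentBranch value on a new site isn't something you can correct after the install.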
During Setup you must choose the branch of Configuration Manager that you
want to install, and you can specify details for your Software Assurance agreement.
All sites in the same hierarchy must run the same branch. It is not supported to
have a hierarchy with a mix of LTSB and Current Branch at different sites.
New scripted installation. For more information, see "New scripted installation
options" earlier in this article.
When installing the new central administration site you must use Setup from the
original source media you used to install the LTSB site. Running Setup from the
CD.Latest folder for this scenario is not supported.
For more information about expanding a site, see "Expand a stand-alone primary site" in
Install a site using the Setup Wizard.
During Setup, you must choose the Current Branch, and you can specify details for
your Software Assurance agreement.
New scripted installation. For more information, see "New scripted installation
options" earlier in this article.
You can also use this media to upgrade a non-licensed Evaluation edition of Current
Branch to a fully licensed version of the Current Branch.
Site recovery.
Site maintenance.
Installing additional child primary sites.
Use Configuration Manager Setup from the CD.Latest folder of the backup of your LTSB
site.
Manage the long term servicing branch of Configuration Manager
Article • 10/04/2022
Applies to: System Center Configuration Manager (long term servicing branch)
When you use the long term servicing branch (LTSB) of Configuration Manager, there
are important changes that affect how you manage your infrastructure.
The LTSB is generally the same as current branch version 1606, with some exceptions
like cloud-attached features. Most tasks you use for planning, deployment,
configuration, and day-to-day management are the same.
For example, the LTSB supports the same number of sites, site types, clients, and general
infrastructure as the current branch. Use the same guidance for site and hierarchy
planning and design as the current branch. Some features are supported by both
branches, like software updates or OS deployment. Use the same guidance as the
current branch, with the understanding that there were feature changes since version
1606 of the current branch.
The following sections provide information about tasks that aren't similar between the
long term servicing branch and the current branch.
Regular updates for the current branch are visible in the console, but aren't made
available to the LTSB. They aren't downloaded and can't be installed.
To support in-console updates for critical security fixes, an LTSB site requires the use of
the service connection point. You can configure this site system role in offline or online
mode, the same as for the current branch. The LTSB collects and submits the same
diagnostic and usage data as the current branch.
The LTSB supports the use of the hotfix installer and the update registration tool, as
documented for the current branch.
For general information about updates and servicing, see Updates for Configuration
Manager.
Changes for site expansion and the CD.Latest folder
When you use the LTSB, and expand a stand-alone primary site with a new central
administration site (CAS), run setup and the source files from the version 1606 baseline
media. For the current branch, you run setup and use source files from the CD.Latest
folder.
Although you don't run setup for site expansion from the CD.Latest folder, continue to
use the CD.Latest folder for the following actions:
Site recovery
Install a new child primary site when your first LTSB site was a CAS
For more information about site expansion, see Expand a stand-alone primary site. For
more information about the CD.Latest folder, see The CD.Latest folder.
Recovery
When you recover a site, you must restore the site or site database to its original branch.
You can't recover a current branch site database to an LTSB installation, or an LTSB site
to a current branch installation.
Next steps
Upgrade the long-term servicing branch to the current branch
Upgrade the long-term servicing branch to the current branch
Article • 10/04/2022
Use this topic to learn how to upgrade (convert) a site and hierarchy that runs the Long-
Term Servicing Branch (LTSB) of Configuration Manager to the Current Branch.
When you have a current Software Assurance agreement (or similar licensing rights) that
grants you rights to use the Current Branch, you can convert your installation from the
LTSB to the Current Branch. This is a one-way conversion because there is no support for
converting a Current Branch site to the LTSB.
If you have multiple sites, you only need to convert the top-tier site of your hierarchy.
After the top-tier site is converted:
Note
Qualifying baseline media is media whose version is equal to or later than your LTSB
installation.
For example, because the LTSB is based on version 1606, you cannot use the baseline
1511 media to convert to the Current Branch. Instead, you run setup from the same
version 1606 baseline media that you used to install the LTSB site, and choose the
licensing option for the Current Branch. Alternately, if a later baseline of the Current
Branch has been released, you can run setup from that baseline media.
For a list of baseline versions, see Baseline and update versions in Updates for
Configuration Manager.
1. In the console, go to Administration > Site Configuration > Sites, and then open
Hierarchy Settings.
2. In Hierarchy Settings, switch to the Licensing tab. Select the option to Convert to
Current Branch, and then choose Apply.
When your site has converted to the Current Branch, previously unavailable features and
capabilities will be available for use.
Get ready for Configuration Manager
Article • 10/04/2022
Use the information in the following topics when you're ready to start planning your
Configuration Manager deployment:
Understand how clients find site resources and services for Configuration Manager
Co-management
Co-management is one of the primary ways to attach your existing Configuration
Manager deployment to the Microsoft 365 cloud. It enables you to concurrently manage
Windows devices by using both Configuration Manager and Microsoft Intune. Co-
management lets you cloud-attach your existing investment in Configuration Manager
by adding new functionality like conditional access. For more information, see What is
co-management?
Desktop Analytics
Desktop Analytics is a cloud-based service that integrates with Configuration Manager.
The service provides insight and intelligence for you to make more informed decisions
about the update readiness of your Windows clients. It combines data from your
organization with data aggregated from millions of devices connected to Microsoft
cloud services. For more information, see What is Desktop Analytics?
Cloud-attached management
Use features like the cloud management gateway and Azure Active Directory to manage
internet-based clients.
Application management
Helps you create, manage, deploy, and monitor applications to a range of different
devices that you manage. Deploy, update, and manage Microsoft 365 Apps from the
Configuration Manager console. Additionally, Configuration Manager integrates with
the Microsoft Store for Business and Education to deliver cloud-based apps. For more
information, see Introduction to application management.
OS deployment
Deploy an in-place upgrade of Windows, or capture and deploy OS images. Image
deployment can use PXE, multicast, or bootable media. It can also help redeploy existing
devices using Windows Autopilot. For more information, see Introduction to OS
deployment.
Software updates
Manage, deploy, and monitor software updates in the organization. Integrate with
Windows Delivery Optimization and other peer caching technologies to help control
network usage. For more information, see Introduction to software updates.
Compliance settings
Helps you to assess, track, and remediate the configuration compliance of client devices
in the organization. Additionally, you can use compliance settings to configure a range
of features and security settings on devices you manage. For more information, see
Ensure device compliance.
Endpoint Protection
Provides security, antimalware, and Windows Firewall management for computers in
your organization. This area includes management and integration with the following
Windows Defender suite features:
Inventory
Helps you identify and monitor assets.
Hardware inventory
Collects detailed information about the hardware of devices in your organization. For
more information, see Introduction to hardware inventory.
Software inventory
Collects and reports information about the files that are stored on client computers in
your organization. For more information, see Introduction to software inventory.
Asset Intelligence
Provides tools to collect inventory data and monitor software license usage in your
organization. For more information, see Introduction to Asset Intelligence.
Power management
Manage and monitor the power consumption of client computers in the organization.
Configure power plans, and use Wake-on-LAN to do maintenance outside of business
hours. For more information, see Introduction to power management.
Remote control
Provides tools to remotely administer client computers from the Configuration Manager
console. For more information, see Introduction to remote control.
Reporting
Use the advanced reporting capabilities of SQL Server Reporting Services from the
Configuration Manager console. This feature provides hundreds of default reports. For
more information, see Introduction to reporting.
Software metering
Monitor and collect software usage data from Configuration Manager clients. You can
use this data to determine whether software is used after it's installed. For more
information, see Monitor app usage with software metering.
Next steps
For more information about how to plan and install Configuration Manager to support
these management capabilities in your environment, see Get ready for Configuration
Manager.
What's new in Configuration Manager incremental versions
Article • 04/11/2023
Configuration Manager uses an in-console updates and servicing process. This update
process makes it easy to discover and install Configuration Manager updates. There are
no more service packs or cumulative update versions to track and install. You don't have
to search for the download of the most recent release or updates.
To update the product to a new version of the current branch, install the update from
within the Configuration Manager console. A few times each year, Microsoft releases new versions
that include product updates. Each version also introduces new features. When you
install an update with new features, you can choose to use those features. For more
information, see Prepare to install in-console updates for Configuration Manager.
Different update versions are identified by year and month. For example, version 1511
identifies November 2015 (the month when Configuration Manager current branch was
first released to manufacturing). Later updates have version names like 2107, which
indicates an update that was created in July 2021. These update versions are key to
understanding the incremental version of your Configuration Manager installation, and
what features are available to enable in your environment.
Supported versions
Use the following links to discover what's new with each supported version:
Each update version remains in support for 18 months from its initial availability date.
Stay current with the most recent update version. For more information, see Support for
Configuration Manager current branch versions.
See also
Release notes
What's new in version 2303 of Configuration Manager current branch
Article • 04/11/2023
Always review the latest checklist for installing this update. For more information, see
Checklist for installing update 2303. After you update a site, also review the Post-update
checklist.
To take full advantage of new Configuration Manager features, after you update the site,
also update clients to the latest version. While new functionality appears in the
Configuration Manager console when you update the site and console, the complete
scenario isn't functional until the client version is also the latest.
Tip
The Support Center tool and the client must be upgraded to the latest version to move
the program files path to the new Microsoft Configuration Manager Start menu path.
For more information, see Synchronize collections to Azure Active Directory Group.
For more information, see Tenant attach - Create and deploy Antivirus policies from the
admin center.
Site infrastructure
The following table identifies the recommended compatibility levels for Configuration
Manager site databases:
Software updates
Note
A one-time 10-GB download to distribution points occurs with your first UUP update.
UUP is becoming the default and only way to download quality updates. Plan for an
extra 10-GB download to distribution points (not to endpoint clients) with the March
28 update. That's a one-time 10-GB download of updates for Windows 11, version 22H2,
per architecture (AMD64 and ARM64).
Known issue
The update to the default value of the supersedence age in months for software updates
doesn't affect existing configurations. Removing the SUP role in the admin console doesn't
reset the supersedence age property in WMI. As a result, when you reconfigure the role, the
previously configured value is shown in the configuration window.
To use the dark theme, select the arrow at the top left of the ribbon, then choose
Switch console theme. Select Switch console theme again to return to the light theme.
For more information, see Dark theme for the console.
Deprecated features
Other updates
Display a warning message box when a user triggers a sync from the Microsoft Store for
Business.
Display a warning in the Create Application Wizard when a user attempts to create a
new app from Store license information.
Next steps
As of April 24, 2023, version 2303 is globally available for all customers to install.
When you're ready to install this version, see Installing updates for Configuration
Manager and Checklist for installing update 2303.
What's new in version 2211 of Configuration Manager current branch
Always review the latest checklist for installing this update. For more information, see
Checklist for installing update 2211. After you update a site, also review the Post-update
checklist.
To take full advantage of new Configuration Manager features, after you update the site,
also update clients to the latest version. While new functionality appears in the
Configuration Manager console when you update the site and console, the complete
scenario isn't functional until the client version is also the latest.
Cloud-attached management
For more information, see Synchronize collections to Azure Active Directory Group.
Site infrastructure
Software Center
In this release we've extended the dark theme to more dashboards, which previously
didn't display the dark theme correctly. For example, the O365 Updates Dashboard,
PCM Dashboard, and Health Attestation dashboard will now display according to the
dark theme, when it's enabled. Pop-ups in the Health attestation dashboard will now
adhere to the dark theme.
Other updates
The issue is fixed by propagating the correct Azure AD device ID from Configuration
Manager during Intune enrollment. Co-managed devices are now merged into a single entity
in a short time (30-40 minutes), without waiting for the discovery cycle to run.
If you're running this operating system on devices in your environment, don't upgrade
them to the version 2211 Configuration Manager client. For more information on
supported clients and devices, see Supported operating systems for clients and devices.
Next steps
As of December 19, 2022, version 2211 is globally available for all customers to install.
When you're ready to install this version, see Installing updates for Configuration
Manager and Checklist for installing update 2211.
What's new in version 2207 of Configuration Manager current branch
Always review the latest checklist for installing this update. For more information, see
Checklist for installing update 2207. After you update a site, also review the Post-update
checklist.
To take full advantage of new Configuration Manager features, after you update the site,
also update clients to the latest version. While new functionality appears in the
Configuration Manager console when you update the site and console, the complete
scenario isn't functional until the client version is also the latest.
Cloud-attached management
For more information, see Configure Azure services for use with Configuration Manager.
For more information, see Create an app registration in Azure AD for your app service
app.
When a site is initially installed, there's a default site boundary group created for each
site, and all the clients use it by default until they're assigned to a custom boundary
group.
Starting in Configuration Manager 2207, you can add options via PowerShell to include
and prefer cloud sources. For instance, you can set the CMG as the preferred
management point for the clients in the default boundary group.
For more information, see Default site boundary group behavior supports cloud source
selection.
Client management
For more information, see the compliance settings group of client settings.
Software updates
For more information, see Process to create a folder for automatic deployment rules.
For more information, see How to use maintenance windows in Configuration Manager.
Endpoint Protection
2. The General settings page in the Microsoft Defender Application Guard now allows
you to create policies within Configuration Manager to protect your employees
using Microsoft Edge and isolated Windows environments.
3. The Application Behavior settings page allows you to enable or disable cameras
and microphones, along with certificate matching of the thumbprints to the
isolated container.
For more information, see Create and deploy Microsoft Defender Application Guard
policy.
By default, all subfolders will be searched when you perform a search in any
node that contains subfolders. You can narrow down the search by selecting the
“Current Node” option from the search toolbar.
Next steps
At this time, version 2207 is released for the early update ring. To install this update, you
need to opt in. For more information, see Early update ring.
When you're ready to install this version, see Installing updates for Configuration
Manager and Checklist for installing update 2207.
What's new in version 2203 of Configuration Manager current branch
Always review the latest checklist for installing this update. For more information, see
Checklist for installing update 2203. After you update a site, also review the Post-update
checklist.
To take full advantage of new Configuration Manager features, after you update the site,
also update clients to the latest version. While new functionality appears in the
Configuration Manager console when you update the site and console, the complete
scenario isn't functional until the client version is also the latest.
Cloud-attached management
For more information, see Boundary groups and software update points.
Site infrastructure
You can now use Microsoft Power BI Desktop (Optimized for Power BI Report
Server) versions that were released after January 2021
Configuration Manager now correctly handles Power BI reports saved by Power BI
Desktop (optimized for Power BI Report Server) May 2021 or later.
For more information, see Exclude data warehouse reporting tables from
synchronization.
A new rule for detecting Windows Server 2012 and 2012 R2 was added to the
Proactive Maintenance group.
For more information, see Management insights for deprecated and unsupported
features and Management insights for proactive maintenance.
Client management
Collections
You can now customize the maximum run time for all other software updates, which
includes third-party updates.
For more information, see Maximum run time and Install and configure a software
update point.
OS deployment
For more information, see Manage task sequences and Packages and programs.
Application management
Community hub
When using temporary device nodes, device actions like Run Scripts are now
available to make the experience in the console consistent.
Other management insights rules now have drill-through actions.
Copy/paste is available for more objects from details panes.
The Name property is added to the details pane for configuration items,
configuration item related policies, and applications.
Software update search results and the search criteria are now cached when you
navigate to another node. When you navigate back to the All Software Updates
node, your search criteria and results are preserved from your last query.
Added a search filter to the Products and Classifications tabs in the Software
Update Point Component Properties
You can now exclude subcontainers when doing Active Directory System
Discovery and Active Directory User Discovery in untrusted domains
Added a Cloud Sync column to collections to indicate if the collection is
synchronizing with Azure Active Directory
Added the Collection ID to the collection summary details tab
Increased the size of the Membership Rules pane in the Properties page for
collections
Added a View Script option for Run PowerShell Script steps when using the View
action for a task sequence
Deprecated features
Learn about support changes before they're implemented in removed and deprecated
items.
The following features are deprecated. You can still use them now, but Microsoft plans
to end support in the future.
The Configuration Manager client for macOS and Mac client management. For
more information, see Supported clients: Mac computers
The site system roles for on-premises MDM and macOS clients: enrollment proxy
point and enrollment point
As previously announced, version 2203 drops support for the following features:
Certificate profiles and the certificate registration point site system role
VPN profiles
Wi-Fi profiles
Email profiles
For more information, see Frequently asked questions about resource access
deprecation.
Other updates
Starting with this version, the following features are no longer pre-release:
For more information on changes to the Windows PowerShell cmdlets for Configuration
Manager, see version 2203 release notes.
Aside from new features, this release also includes other changes such as bug fixes. For
more information, see Summary of changes in Configuration Manager current branch,
version 2203.
Next steps
As of April 26, 2022, version 2203 is globally available for all customers to install.
When you're ready to install this version, see Installing updates for Configuration
Manager and Checklist for installing update 2203.
What's new in version 2111 of Configuration Manager current branch
Always review the latest checklist for installing this update. For more information, see
Checklist for installing update 2111. After you update a site, also review the Post-update
checklist.
To take full advantage of new Configuration Manager features, after you update the site,
also update clients to the latest version. While new functionality appears in the
Configuration Manager console when you update the site and console, the complete
scenario isn't functional until the client version is also the latest.
Application management
Tip
Starting with this release, app groups are no longer a pre-release feature.
Now when you deploy an app group as required to a device or user collection, you
can specify that it automatically uninstalls when the resource is removed from the
collection.
More app approval behaviors are now supported with app groups.
Starting in this release, this behavior also applies to deployments to user collections. If a
user is in a collection, the application installs. Then when you remove the user from the
collection, the application uninstalls.
Software updates
Tip
Starting with this release, orchestration groups are no longer a pre-release feature.
Pre-scripts and post-scripts for orchestration groups now require approval to take effect.
If you select a script from a file, or author or modify your own script, another
administrator must approve it. When you select an already approved script from the
Scripts library, no further approval is needed. To help with script approval, the
following two tabs were added to the details pane for orchestration groups:
Cloud-attached management
For more information, see the Overview for cloud attach and Enable cloud attach.
Site infrastructure
This release adds support in the Configuration Manager console to create or edit a
subscription for external notifications. It supports events for status filter rules and
application approval requests.
Starting in this release, this prerequisite rule for .NET 4.6.2 is an error. Until you upgrade
.NET, you can't continue installing or updating the site to this version of Configuration
Manager.
For more information, see List of prerequisite checks for Configuration Manager.
Important
When the Configuration Manager client updates to version 2111 or later, client
notifications are dependent upon .NET 4.6.2 or later. Until you update .NET to
version 4.6.2 or later, and restart the device, users won't see notifications from
Configuration Manager. Other client-side functionality may be affected until the
device is updated and restarted. For more information, see More details about
Microsoft .NET.
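The following PowerShell check is an added example and isn't part of the Configuration Manager documentation. It covers both .NET 4.6.2 requirements described above: the site prerequisite check that now fails as an error, and the client-side notification dependency that also needs a restart. It reads the standard .NET Framework "Release" registry value and the usual pending-reboot indicators; 394802 is the lowest Release value that identifies .NET Framework 4.6.2.

```powershell
# Added example (not from the Configuration Manager documentation): confirm that a
# site server or client meets the .NET Framework 4.6.2 prerequisite and has been
# restarted since .NET was updated.

$MinNetRelease = 394802   # lowest Release value reported by .NET Framework 4.6.2

function Get-NetFrameworkRelease {
    $key  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $item = Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }    # no .NET Framework 4.x installed at all
    return [int]$item.Release
}

function Test-PendingReboot {
    # Three standard indicators; any one of them means the device hasn't restarted yet.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                            -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    $pfro = ($null -ne $sm) -and (@($sm.PendingFileRenameOperations).Count -gt 0)
    return ($cbs -or $wu -or $pfro)
}

function Test-CMClientNetPrerequisite {
    param(
        # Both default to the local machine; pass values to evaluate collected data.
        [int]$Release = (Get-NetFrameworkRelease),
        [bool]$RebootPending = (Test-PendingReboot)
    )
    $meets  = $Release -ge $MinNetRelease
    $action = if (-not $meets) { 'Install .NET Framework 4.6.2 or later, then restart' }
              elseif ($RebootPending) { 'Restart the device' }
              else { 'None' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        NetRelease         = $Release
        MeetsNet462        = $meets
        RebootPending      = $RebootPending
        NotificationsReady = ($meets -and -not $RebootPending)
        Action             = $action
    }
}

# Local check
Test-CMClientNetPrerequisite | Format-List
```

NotificationsReady maps directly to the condition in the Important box: the Release value must be at or above the 4.6.2 threshold and no restart may be outstanding. A device that shows MeetsNet462 = True but RebootPending = True still won't display Configuration Manager notifications until it restarts.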
Client management
Client Status Settings: Configure the periods of time to evaluate client health
The Combined (All) and Combined (Any) scenarios are replaced by a new tile,
Clients with any failure
For more information, see About client settings: Software Center and Plan for Software
Center.
OS deployment
Starting in this release, you can create and edit these custom properties in the
Configuration Manager console. This new user interface makes it easier to view and edit
these properties. You can still use the administration service interface to automate the
process from an external system.
Export to CSV
You can now export the contents of a grid view in the console along with the column
headers to a comma-separated values (CSV) file that can be used to import to Excel or
other applications. While you could previously cut and paste from a grid view, exporting
to CSV makes extracting a large number of rows faster and easier.
For more information, see Configuration Manager console changes and tips.
Client Status
Content Status
Microsoft Edge Management
Console improvements
In this release we've made the following improvements to the Configuration Manager
console:
When you show the members of a device collection, and select a device in the list,
switch to the Collections tab in the details pane. This new view shows the list of
collections of which the selected device is a member. It makes it easier for you to
see this information. For more information about improvements to the console,
see Configuration Manager console changes and tips.
When viewing a collection, you could previously see the amount of time the site
took to evaluate the collection membership. This data is now also available in the
Monitoring workspace. When you select a collection in either subnode of the
Collection Evaluation node, the details pane displays this collection evaluation
time data. For more information about improvements to the console, see
Configuration Manager console changes and tips.
There's a new built-in device collection for Co-management Eligible Devices. The
Co-management Eligible Devices collection uses incremental updates and a daily
full update to keep the collection up to date. For more information about
improvements to the console, see Configuration Manager console changes and
tips.
Tools
For more information, see Support Center log file viewer and Support Center OneTrace.
Deprecated features
Learn about support changes before they're implemented in removed and deprecated
items.
The following features are deprecated. You can still use them now, but Microsoft plans
to end support in the future.
Managing apps from the Microsoft Store for Business and Education with
Configuration Manager
Asset intelligence
On-premises MDM
For more information, see Removed and deprecated features for Configuration
Manager.
As previously announced, version 2111 drops support for the following features:
Third-party add-ons that use Microsoft .NET Framework version 4.6.1 or earlier,
and rely on Configuration Manager libraries. Such add-ons need to use .NET 4.6.2
or later. For more information, see External dependencies require .NET 4.6.2.
Other updates
Starting with this version, the following features are no longer pre-release:
Application groups
Orchestration groups
For more information on changes to the Windows PowerShell cmdlets for Configuration
Manager, see version 2111 release notes.
Aside from new features, this release also includes other changes such as bug fixes. For
more information, see Summary of changes in Configuration Manager current branch,
version 2111.
Next steps
As of December 15, 2021, version 2111 is globally available for all customers to install.
When you're ready to install this version, see Installing updates for Configuration
Manager and Checklist for installing update 2111.
Note
The December 2015 release (version 1511) of Configuration Manager was the initial
release of the current Configuration Manager product from Microsoft. It's typically
referred to as Configuration Manager current branch. Current branch indicates this
version supports incremental updates to the product. It also provides a way to
distinguish between this release and previous releases of Configuration Manager.
Doesn't use a year or product identifier in the product name, unlike past versions
such as Configuration Manager 2007 or System Center 2012 Configuration
Manager.
Supports incremental, in-product updates, also called update versions. The initial
release was version 1511. Later versions are released several times a year as in-
console updates, like version 1910.
Is installed using a baseline version. While 1511 was the original baseline version,
new baseline versions are also released from time to time, like 2203. Baseline
versions can be used to install a new Configuration Manager site and hierarchy, or
to upgrade from a supported version of System Center 2012 Configuration
Manager.
In-console updates
Configuration Manager uses an in-console service method called Updates and
Servicing that makes it easy to locate and install recommended updates.
Some versions are only available as updates for existing sites from within the
Configuration Manager console. You can't use these updates to install a new
Configuration Manager site. For example, the 2111 update is only available from within
the Configuration Manager console. It's used to update a site that already runs a
supported version of Configuration Manager.
Periodically, an update version is also released as a new baseline version. For example,
update version 2203 is also a baseline. Use a baseline version to install a new site or
hierarchy. Don't start with an older baseline version like 2111, and upgrade your way to
the most current version. Always use the latest baseline.
Uploads diagnostics and usage data about your site to the Microsoft cloud
This site system role supports both online and offline modes of operation. For more
information, see About the service connection point.
For details about supported products, operating systems, and configurations, see
Supported configurations.
Changes in functionality
The following sections summarize some of the significant changes in feature areas
between System Center 2012 R2 Configuration Manager and version 1511 of
Configuration Manager current branch. For more information on more recent changes
in functionality, see What's new in incremental versions.
Client deployment
Configuration Manager introduces a new feature for testing new versions of the
Configuration Manager client before upgrading the rest of site with the new software.
You can set up a pre-production collection in which to pilot a new client. Once you're
satisfied with the new client software in pre-production, you can promote the client to
automatically upgrade the rest of the site with the new version.
For more information on how to test clients, see How to test client upgrades in a pre-
production collection.
OS deployment
Be aware of the following changes to OS deployment:
In the Create Task Sequence Wizard, a new task sequence type is available:
Upgrade an operating system from upgrade package. It creates the steps to
upgrade computers from an earlier version of Windows to Windows 10 or later. For
more information, see Upgrade Windows to the latest version.
Windows PE peer cache is now available when you deploy operating systems.
Computers that run a task sequence to deploy an OS can use Windows PE peer
cache to obtain content from a peer cache source, instead of downloading content
from a distribution point. This behavior helps minimize WAN traffic in branch office
scenarios where there's no local distribution point. For more information, see
Prepare Windows PE peer cache to reduce WAN traffic.
You can now view the state of Windows as a service in your environment. You can
also create servicing plans to form deployment rings, and make sure that Windows
10 or later computers are kept up to date when new builds are released.
Additionally, you can view alerts when Windows clients are near the end of support
for their build. For more information, see Manage Windows as a service.
Application management
Be aware of the following changes to application management:
Configuration Manager lets you deploy Universal Windows Platform (UWP) apps
for devices running Windows 10 and later. For more information, see Creating
Windows applications.
Software Center has a new, modern look. User-available apps that previously only
appeared in the application catalog now appear in Software Center under the
Applications tab. This behavior makes these deployments more discoverable, and
makes it unnecessary for users to refer to the separate application catalog.
Additionally, a Silverlight-enabled browser is no longer required. For more
information, see Plan for and configure application management.
The new Windows Installer through MDM application type lets you create and
deploy Windows Installer-based apps to enrolled PCs that run Windows 10 or later.
For more information, see Creating Windows applications.
Software updates
Be aware of the following changes to software updates:
Configuration Manager can now detect the difference between software update
management methods for computers. Specifically, it can differentiate between a
Windows computer that connects to Windows Update for Business (WUfB), and a
computer connected to WSUS. The UseWUServer attribute is new, and specifies
whether the computer is managed with WUfB. You can use this setting in a
collection to remove these computers from software update management. For
more information, see Integration with Windows Update for Business.
You can now schedule and run the WSUS clean-up task from the Configuration
Manager console. In Software Update Point Component properties, when you
select to run the WSUS clean-up task, it runs at the next software updates
synchronization. The expired software updates are set to a status of declined on
the WSUS server, and the Windows Update Agent on computers no longer scans
these software updates. For more information, see Schedule and run the WSUS
clean up task.
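As an added example (not from the Microsoft documentation), the following PowerShell reads the Windows Update policy values on a client to report whether the device scans against WSUS (the configuration a software update point applies) or directly against Windows Update/WUfB, and builds the collection query that excludes WUfB-managed devices from software update management. The inventory class name SMS_G_System_WINDOWSUPDATE and the collection names are assumptions; confirm the class against your site's hardware inventory classes before creating the collection.

```powershell
# Added example, not from the Configuration Manager docs.
# Read the Windows Update policy values that decide where this client scans for updates.
function Get-WindowsUpdateSource {
    [CmdletBinding()]
    param()

    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

    # The values are absent when no WSUS policy has ever been applied; absent counts as "not WSUS".
    $useWUServer = (Get-ItemProperty -Path $auPolicy -Name UseWUServer    -ErrorAction SilentlyContinue).UseWUServer
    $wuServer    = (Get-ItemProperty -Path $wuPolicy -Name WUServer       -ErrorAction SilentlyContinue).WUServer
    $statusSrv   = (Get-ItemProperty -Path $wuPolicy -Name WUStatusServer -ErrorAction SilentlyContinue).WUStatusServer

    if ($useWUServer -eq 1 -and $wuServer) {
        $source = 'WSUS'
    } elseif ($useWUServer -eq 1) {
        # Told to use a WSUS server but no server URL is set: the agent cannot scan at all.
        $source = 'WSUS (no WUServer set - scans will fail)'
    } else {
        $source = 'WindowsUpdate/WUfB'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        UseWUServer    = [int]($useWUServer -eq 1)
        WUServer       = $wuServer
        WUStatusServer = $statusSrv
        Source         = $source
    }
}

# WQL for a device collection of clients that do not use a WSUS server.
# ASSUMPTION: the hardware inventory class is SMS_G_System_WINDOWSUPDATE and it carries the
# UseWUServer attribute named in the text; verify against your site before use.
function Get-WufbCollectionQuery {
    @'
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
       SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_WINDOWSUPDATE
    on SMS_G_System_WINDOWSUPDATE.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_WINDOWSUPDATE.UseWUServer = 0
'@
}

# Run on a client to see how it is configured locally.
Get-WindowsUpdateSource | Format-List

# From a ConfigMgr PowerShell session with the site drive loaded (collection names assumed):
# New-CMDeviceCollection -Name 'WUfB-managed devices' -LimitingCollectionName 'All Systems'
# Add-CMDeviceCollectionQueryMembershipRule -CollectionName 'WUfB-managed devices' `
#     -RuleName 'UseWUServer=0' -QueryExpression (Get-WufbCollectionQuery)
```

The local check is useful when a device shows up in the wrong collection: UseWUServer set to 1 without a WUServer URL is a common misconfiguration that leaves the Windows Update Agent unable to scan against either source.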
Compliance settings
Be aware of the following changes to compliance settings:
Support for managing settings on macOS computers that are managed without
the Configuration Manager client.
For more information, see Manage mobile devices with on-premises infrastructure.
Next steps
What's new in incremental versions
Removed and deprecated items for Configuration Manager
Article • 10/04/2022
This article describes how to use the information about features, products, and
operating systems that are removed from support for Configuration Manager. Items
that are deprecated will be removed in a future update. These articles provide early
notice about future changes that might affect your use of Configuration Manager.
This information is subject to change with future releases, and might not include each
deprecated feature, product, or OS.
Note
When support is removed for a feature or OS, the feature or OS remains supported
when you use a previous version of Configuration Manager, as long as that version of
Configuration Manager remains in support. However, when you use a version of
Configuration Manager released after the date or version indicated, that version of
Configuration Manager doesn't provide support.
For example, if a feature was scheduled to have its support removed with the first
update released after September 2019, support for that feature would no longer be
included in update 1910, which released in November of 2019.
See also
Microsoft Support Lifecycle
Next steps
Items that are removed or deprecated are split between three categories:
This article lists the features that are deprecated or removed from support for
Configuration Manager. Deprecated features will be removed in a future update. These
future changes might affect your use of Configuration Manager.
This information is subject to change with future releases. It might not include each
deprecated Configuration Manager feature.
Deprecated features
The following features are deprecated. You can still use them now, but Microsoft plans
to end support in the future.
Feature | Deprecation first announced | Planned end of support
Community hub service and integration with ConfigMgr | October 2022 | The first release after March 1, 2023
Upgrade from any version of System Center 2012 Configuration Manager to current branch. For more information, see Upgrade to Configuration Manager current branch. | April 2022 | Version 2303
The Configuration Manager client for macOS and Mac client management. For more information, see Supported clients: Mac computers. Migrate management of macOS devices to Microsoft Intune. For more information, see Deployment guide: Manage macOS devices in Microsoft Intune. | January 2022 | December 31, 2022
The site system roles for on-premises MDM and macOS clients: enrollment proxy point and enrollment point. | January 2022 | December 31, 2022
The Microsoft Store for Business and Education. For more information, see Manage apps from the Microsoft Store for Business and Education with Configuration Manager. | November 2021 | The first release after March 1, 2023
Asset intelligence. For more information, see Asset intelligence deprecation. | November 2021 | The first release after November 1, 2022
On-premises MDM. For more information, see On-premises MDM in Configuration Manager. | November 2021 | The first release after November 1, 2022
Azure Active Directory (Azure AD) Graph API and Azure AD Authentication Library (ADAL), which is used by Configuration Manager for some cloud-attached scenarios. If you use cloud-attached features such as co-management, tenant attach, or Azure AD discovery, starting June 30, 2022, these features may not work correctly in Configuration Manager version 2107 or earlier. Stay current with Configuration Manager to make sure these features continue to work. For more information, see CMG FAQ. | July 2021 | June 30, 2022
The BitLocker management implementation for the recovery service has changed. The legacy MBAM-based service is replaced by the messaging processing engine on the management point. | March 2021 | The first release after May 2022
Older style of console extensions that haven't been approved in the Console Extension node will no longer be supported. For more information about new console extensions, see Manage console extensions. | April 2021 | TBD (Note 1)
Sites that allow HTTP client communication. Configure the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP. | March 2021 | The first release after November 1, 2022
The geographical view in the Site Hierarchy node of the Monitoring workspace in the Configuration Manager console. | August 2020 | The first release after October 2023
The implementation for sharing content from Azure has changed. Use a content-enabled cloud management gateway. Starting in version 2107, you can't create a traditional cloud distribution point. | February 2019 | The first release after October 5, 2022
Cloud management gateway and cloud distribution point deployments with Azure Service Manager using a management certificate. For more information, see Plan for CMG. | November 2018 | The first release after October 5, 2022
Removed features
Feature | Deprecation first announced | Support removed
Desktop Analytics. For more information, see Windows compatibility reports in Intune. | November 2021 | November 30, 2022
The ability to deploy a cloud management gateway (CMG) as a cloud service (classic). All CMG deployments should use a virtual machine scale set. | September 2021 | Version 2203
The following compliance settings for Company resource access: Certificate profiles, VPN profiles, Wi-Fi profiles, Windows Hello for Business settings, and email profiles. This deprecation includes the co-management resource access workload. Use Microsoft Intune to deploy resource access profiles. For more information, see Frequently asked questions about resource access deprecation. | March 2021 | Version 2203
Desktop Analytics data for Windows 7, Windows 8, and earlier versions of Windows 10 that don't support the Windows diagnostic data processor configuration. | July 2021 | January 31, 2022
Third-party add-ons that use Microsoft .NET Framework version 4.6.1 or earlier, and rely on Configuration Manager libraries. Such add-ons need to use .NET 4.6.2 or later. For more information, see External dependencies require .NET 4.6.2. | September 2021 | Version 2111
Log Analytics connector for Azure Monitor. This feature is called the OMS Connector in the Azure Services node. | November 2020 | Version 2107
Microsoft Edge legacy browser profiles. For more information, see New Microsoft Edge to replace Microsoft Edge Legacy with April's Windows 10 Update Tuesday release. | March 2021 | April 2021
The collection evaluation viewer, which was integrated in version 2010. | November 2020 | Version 2103
Desktop Analytics tile and page for Security Updates. | December 2020 | March 2021
Desktop Analytics option to View recent data for device enrollment and security updates. For more information, see Data latency. | May 2020 | July 2020
Windows Analytics and Upgrade Readiness integration. For more information, see KB 4521815: Windows Analytics retirement on January 31, 2020. | October 14, 2019 | January 31, 2020
Device health attestation assessment for conditional access compliance policies. For more information, see What happened to hybrid MDM. | July 3, 2019 | Version 1910
The Configuration Manager Company Portal app. | May 21, 2019 | Version 1910
The application catalog, including both site system roles: the application catalog website point and web service point. For more information, see Remove the application catalog. | May 21, 2019 | Version 1910
The Silverlight user experience for the application catalog website point is no longer supported. Users should use the new Software Center. For more information, see Configure Software Center. | August 11, 2017 | Version 1806
Task sequences: Convert Disk to Dynamic; Install Deployment Tools. | November 18, 2016 | Version 1710
Software update points with a network load balancing (NLB) cluster. | February 27, 2016 | Version 1702
Task sequences: OSDPreserveDriveLetter. | June 20, 2016 | Version 1606
Network Access Protection (NAP), as found in System Center 2012 Configuration Manager. | July 10, 2015 | Version 1511
Out of Band Management, as found in System Center 2012 Configuration Manager. | October 16, 2015 | Version 1511
System Center Configuration Manager Management Pack for System Center Operations Manager is not available for download. | October 16, 2015 | Version 1511
WINS
Windows Internet Name Service (WINS) is a legacy computer name registration and
resolution service. It's a deprecated service. You should replace WINS with Domain
Name System (DNS). For more information, see Windows Internet Name Service (WINS).
Out of Band Management
With Configuration Manager, native support for AMT-based computers from within the
Configuration Manager console has been removed.
AMT-based computers remain fully managed when you use the Intel SCS Add-on
for Configuration Manager. The add-on provides you access to the latest
capabilities to manage AMT, while removing limitations introduced until
Configuration Manager could incorporate those changes.
For network access protection alternatives, see the Deprecated functionality section of
Network Policy and Access Services Overview.
See also
Removed and deprecated
Microsoft Support Lifecycle
Support for current branch versions of Configuration Manager
Removed and deprecated for Configuration Manager site servers
Article • 10/04/2022
This article describes products and operating systems that are removed from support for
Configuration Manager site servers, or will be removed in a future update (deprecated).
It provides early notice about future changes that might affect your use of Configuration
Manager.
This information may change in the future. It might not include each deprecated feature,
product, or OS.
Server OS
Operating systems Deprecation first announced Support removed
SQL Server
SQL Server versions | Deprecation first announced | Support removed
SQL Server 2012 | July 2021 | The first release after July 1, 2022
If you need to upgrade your version of SQL Server, we recommend the following
methods, from easy to more complex:
2. Install a new version of SQL Server on a new computer. Then to point your site
server at the new SQL Server, use the database move option of Configuration
Manager setup.
Make sure to also upgrade versions of SQL Server Express at secondary sites.
Next steps
For more information, see the following articles:
This article describes products and operating systems that are removed from support for
Configuration Manager clients, or will be removed in a future update (deprecated). It
provides early notice about future changes that might affect your use of Configuration
Manager.
This information may change in the future. It might not include each deprecated feature,
product, or operating system.
The following OS versions are deprecated as a Configuration Manager client. You can
still use them now, but Microsoft plans to end support in the future.
OS version | Deprecation first announced | Support removed
Windows XP Embedded | July 10, 2015 | Version 1702
See also
For more information, see the following articles:
This information can help you identify key configurations, requirements, and limitations.
Use it to plan, deploy, and maintain a functional Configuration Manager deployment.
This information is specific to the infrastructure for Configuration Manager sites,
hierarchies, and managed devices.
Note
Products and product versions that aren't listed in these articles aren't supported with
Configuration Manager unless they're announced on the Configuration Manager blog.
The content on this blog may precede an update to this documentation.
Supported operating systems for site system servers: Learn about which operating
systems you can use as a site server or site system server.
Supported operating systems for clients and devices: Learn about which operating
systems you can manage with Configuration Manager. These include Windows,
Windows Embedded, macOS, and mobile devices.
Support for Windows 11 and Support for Windows 10: Learn about the Windows
11 and Windows 10 versions that are supported as clients.
Support for the Windows ADK: Learn about the Windows Assessment and
Deployment Kit (Windows ADK) versions that are supported with Configuration
Manager current branch for OS deployment.
Supported operating systems for the console: Learn about which operating
systems can host the Configuration Manager console.
Support for SQL Server versions: Learn about which versions of SQL Server can
host the site database and reporting database. It also includes required and
optional configurations that you can use with SQL Server.
High-availability options: Learn about the options you can implement when
designing your environment to help maintain a high level of available service for
Configuration Manager.
Support for Active Directory domains: Learn about the supported Active Directory
domain configurations that Configuration Manager requires and supports.
Support for Windows features and networks: Learn about supported Windows
technologies and limitations for use with Configuration Manager. For example,
Windows BranchCache and data deduplication.
Support for virtualization environments: Learn more about how to use supported
virtual machine technologies.
Use the following articles to understand Configuration Manager size, scale, and
performance:
Size and scale numbers: Learn about how many sites, roles per site, and clients are
supported in different hierarchy designs.
Recommended hardware: Learn about guidelines that can help you identify the
right hardware and configurations to host your Configuration Manager sites and
key services.
Site size and performance guidelines: Site size-related performance test results,
methodology, and guidance.
For some products, like Windows Server Update Services (WSUS) for the software
update point, you need to refer to the product documentation to identify additional
prerequisites and limitations for use. Only configurations that directly apply for use with
Configuration Manager are included here.
Each site system server must use a 64-bit OS. The only exception is the distribution
point site system role, which you can install on some 32-bit operating systems.
Site systems aren't supported on Server Core installations of any OS. An exception
is that Server Core installations are supported for the distribution point. For more
information, see Supported operating systems for Configuration Manager site
system servers.
The domain name of the domain where the site system computer is located
(also called a domain rename).
If you must change any of these items, first remove the site system role from
the computer. Then reinstall the role after the change is complete. For changes
affecting the site server, first uninstall the site. Then reinstall the site after the
change is complete.
Site system roles aren't supported on an instance of a Windows Server cluster. The
only exception is the site database server. For more information, see Use a SQL
Server Always On failover cluster instance for the site database.
The Configuration Manager setup process doesn't block installation of the site
server role on a computer with the Windows role for Failover Clustering. SQL
Server Always On availability groups require this role, so previously you couldn't
colocate the site database on the site server. With this change, you can create a
highly available site with fewer servers by using an availability group and a site
server in passive mode. For more information, see High availability options.
It's not supported to change the startup type or "Log on as" settings for any
Configuration Manager service. If you do, you might prevent key services from
running correctly.
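As an added example (not from the Microsoft documentation), the following PowerShell lists the Configuration Manager services on a site system or client and flags a changed startup type or "Log on as" account. It assumes the installed defaults, which are Automatic or Manual start and the LocalSystem account for the SMS_* site services and the CcmExec client service; that assumption is what the check compares against.

```powershell
# Added example, not from the Configuration Manager docs.
# Flag ConfigMgr services whose startup type or logon account no longer matches the
# installed defaults (assumed here: Automatic/Manual start, running as LocalSystem).
function Get-CMServiceDeviation {
    [CmdletBinding()]
    param()

    # SMS_* services are the site server / site system services; CcmExec is the client agent.
    $services = Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'SMS_%' OR Name = 'CcmExec'"

    foreach ($svc in $services) {
        $issues = @()
        if ($svc.StartMode -eq 'Disabled') {
            $issues += 'startup type is Disabled'
        }
        if ($svc.StartName -ne 'LocalSystem') {
            $issues += "logs on as '$($svc.StartName)' instead of LocalSystem"
        }
        if ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running') {
            $issues += 'automatic service is not running'
        }

        [pscustomobject]@{
            Name      = $svc.Name
            StartMode = $svc.StartMode
            LogOnAs   = $svc.StartName
            State     = $svc.State
            Deviation = ($issues -join '; ')
        }
    }
}

# Show only services with something to fix; drop the Where-Object to see every service.
Get-CMServiceDeviation | Where-Object Deviation | Format-Table -AutoSize
```

Run it on the site server after any hardening or group-policy change that touches service accounts; an empty result means every ConfigMgr service still has its default startup type and account.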
Note
.NET Framework version 4.6.2 is preinstalled with Windows Server 2016. Later
versions of Windows are preinstalled with a later version of the .NET Framework.
Site server
If the site server doesn't have any collocated roles that require .NET, it still requires .NET,
but setup doesn't automatically install it. Make sure the site server itself has at least .NET
version 4.6.2. If possible, install .NET 4.8.
Site systems
Important
During Configuration Manager setup, if site systems have a version earlier than 4.6.2,
you'll see a prerequisite check warning. This check is a warning instead of an error,
because setup will install version 4.6.2. When .NET updates, it usually requires Windows
to restart. Site systems will send status message 4979 when a restart is required.
Configuration Manager suppresses the restart; the system doesn't restart automatically.
The behavior will differ for different types of site roles that require .NET:
The following site system roles support in-place upgrade of .NET. After upgrading
.NET, if a restart is required, it sends status message 4979. The role keeps running
with the earlier .NET version. After Windows restarts, the role starts using the new
.NET version.
Asset Intelligence synchronization point
Management point
Service connection point
Data warehouse service point
The following site system roles uninstall and reinstall when .NET is upgraded.
During site update, site component manager removes the role, and then updates
.NET. If a restart is required, it sends status message 4979. After restart, site
component manager reinstalls the role with the new .NET version. The role could
be unavailable while it waits for you to restart the server.
SMS Provider for the administration service
Certificate registration point
Enrollment point
Enrollment proxy point
Reporting services point
Software update point
Note
Currently, you still need to enable the Windows feature for .NET Framework 3.5 on
site systems that require it.
If site systems have at least version 4.6.2 but earlier than version 4.8, you'll also see a
prerequisite check warning. We recommend that you install the latest version of .NET
version 4.8 to get the latest performance and security improvements. Configuration
Manager setup doesn't automatically install .NET version 4.8. A later version of
Configuration Manager will require .NET version 4.8.
There's also a new management insight to recommend site systems that don't yet have
.NET version 4.8 or later.
If you need to manage the device restarts before you update the site, use the following
recommended process:
1. Install the latest baseline .NET version. For example, install .NET version 4.8.
2. Restart the server.
3. Scan for software updates and install the latest .NET cumulative update.
4. Restart the server.
5. Update the site to the latest current branch version.
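An added example, not Microsoft's code, that an administrator can run on each site system before step 5 of the process above: it reads the .NET Framework 4.x Release value and the registry locations Windows uses to record a pending restart, and reports whether the server meets the 4.6.2 minimum and the 4.8 recommendation and whether a restart is still outstanding (the condition status message 4979 reports). The Release thresholds are the documented minimum values for each .NET Framework version.

```powershell
# Added example, not from the Configuration Manager docs.
# Report .NET Framework 4.x version and pending-restart state on a site system.
function Get-DotNetUpgradeReadiness {
    [CmdletBinding()]
    param()

    # The installer writes a Release DWORD; each .NET version has a documented minimum value,
    # and OS-specific builds of the same version are always >= that minimum.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $release    = [int]($ndp.Release)
    $minimum462 = 394802
    $minimum48  = 528040

    $versionLabel = switch ($release) {
        { $_ -ge 533320 } { '4.8.1 or later'; break }
        { $_ -ge 528040 } { '4.8'; break }
        { $_ -ge 461808 } { '4.7.2'; break }
        { $_ -ge 461308 } { '4.7.1'; break }
        { $_ -ge 460798 } { '4.7'; break }
        { $_ -ge 394802 } { '4.6.2'; break }
        default           { 'earlier than 4.6.2' }
    }

    # The places Windows records a pending restart. Any one of them means site component
    # manager will hold a reinstalled role until the server restarts.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wua = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $pfr = $null -ne (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DotNetRelease      = $release
        DotNetVersion      = $versionLabel
        Meets462Minimum    = ($release -ge $minimum462)
        Meets48Recommended = ($release -ge $minimum48)
        RestartPending     = ($cbs -or $wua -or $pfr)
        PendingReasons     = @(
            if ($cbs) { 'ComponentBasedServicing' }
            if ($wua) { 'WindowsUpdate' }
            if ($pfr) { 'PendingFileRenameOperations' }
        ) -join ','
    }
}

Get-DotNetUpgradeReadiness | Format-List
```

Run it after steps 2 and 4: Meets48Recommended should be True and RestartPending False before the site update starts, so that no role is left uninstalled waiting for a restart during the update.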
When you use a software update point on a server other than the site server, install
the WSUS Administration Console on the site server.
For more information about this requirement, see Infrastructure requirements for
OS deployment.
The CAS and primary sites require both the x86 and x64 versions of the applicable
redistributable file.
Install a supported version of the .NET Framework. For more information, see .NET
version requirements.
Database server
You can choose to have Configuration Manager install SQL Server Express. Make
sure that the server meets the requirements to run SQL Server Express.
For more information about this requirement, see Infrastructure requirements for
operating system deployment.
Note
When the distribution point transfers content, it transfers using the Background
Intelligent Transfer Service (BITS) built into Windows. The distribution point role
doesn't require the optional BITS IIS Server Extension feature to be installed,
because the client doesn't upload information to it.
Security:
Windows Authentication
By default, IIS uses request filtering to block several file name extensions and folder
locations from access by HTTP or HTTPS communication. On a distribution point, this
configuration prevents clients from downloading packages that have blocked extensions
or folder locations. For more information, see IIS request filtering for distribution points.
Distribution points require that IIS allows the following HTTP verbs:
GET
HEAD
PROPFIND
The version that's installed depends on the computer's platform (x86 or x64).
Install and configure the Windows Deployment Services (WDS) Windows Server
role.
Note
Make sure the SQL Server Native Client is installed and up to date. For more
information, see Prerequisite checks - SQL Server Native Client.
Enrollment point
Important
With the deprecation of on-premises MDM and the Configuration Manager client
for macOS, this site system role is also deprecated. For more information, see
Removed and deprecated features for Configuration Manager.
Application Development:
ASP.NET 4.5
Install a supported version of the .NET Framework. For more information, see .NET
version requirements.
When this site system role is collocated with another site system role that has this
same requirement, this memory requirement for the computer doesn't increase,
but remains at a minimum of 5%.
Important
With the deprecation of on-premises MDM and the Configuration Manager client
for macOS, this site system role is also deprecated. For more information, see
Removed and deprecated features for Configuration Manager.
Windows Server roles and features for the enrollment proxy point
.NET Framework 3.5
Default Document
Static Content
Application Development:
Security:
Windows Authentication
Install a supported version of the .NET Framework. For more information, see .NET
version requirements.
When this site system role is colocated with another site system role that has this
same requirement, this memory requirement for the computer doesn't increase,
but remains at a minimum of 5%.
IIS configuration
Management point
Application Development:
ISAPI Extensions
Security:
Windows Authentication
To make sure that clients can successfully communicate with a management point, make
sure IIS allows the following HTTP verbs:
GET
POST
CCM_POST
HEAD
PROPFIND
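The verb requirements for distribution points (above, under IIS request filtering) and for management points can be audited with the following PowerShell, an added example rather than Microsoft's code. It uses the IIS WebAdministration module to read the request filtering configuration of the site hosting the role; the site name Default Web Site is an assumption, and the blocked extensions and hidden segments it returns are whatever request filtering currently denies on that site, which is where a package file type that clients cannot download will show up.

```powershell
# Added example, not from the Configuration Manager docs.
# Audit IIS request filtering on a distribution point or management point site.
Import-Module WebAdministration

function Test-CMIisRequestFiltering {
    [CmdletBinding()]
    param(
        [ValidateSet('DistributionPoint', 'ManagementPoint')]
        [string]$Role = 'DistributionPoint',
        [string]$SiteName = 'Default Web Site'   # assumption: role installed on the default site
    )

    # Verbs each role needs, as listed in the requirements above.
    $required = @{
        DistributionPoint = @('GET', 'HEAD', 'PROPFIND')
        ManagementPoint   = @('GET', 'POST', 'CCM_POST', 'HEAD', 'PROPFIND')
    }[$Role]

    $psPath      = "IIS:\Sites\$SiteName"
    $verbsFilter = '/system.webServer/security/requestFiltering/verbs'

    # allowUnlisted=true (the IIS default) permits any verb that has no explicit allowed="false" entry.
    $raw = Get-WebConfigurationProperty -PSPath $psPath -Filter $verbsFilter -Name allowUnlisted
    if ($raw -is [bool])           { $allowUnlisted = $raw }
    elseif ($null -ne $raw.Value)  { $allowUnlisted = [bool]$raw.Value }
    else                           { $allowUnlisted = $true }

    $verbRules = @(Get-WebConfiguration -PSPath $psPath -Filter "$verbsFilter/add")

    $verbStatus = foreach ($verb in $required) {
        $rule = $verbRules | Where-Object { $_.verb -eq $verb } | Select-Object -First 1
        if ($null -ne $rule) { $allowed = [bool]$rule.allowed; $how = 'explicit' }
        else                 { $allowed = $allowUnlisted;      $how = 'unlisted' }
        [pscustomobject]@{ Verb = $verb; Allowed = $allowed; Rule = $how }
    }

    # Extensions request filtering denies, and hidden segments (paths that can never be served).
    $blockedExt = @(Get-WebConfiguration -PSPath $psPath -Filter '/system.webServer/security/requestFiltering/fileExtensions/add' |
                    Where-Object { -not [bool]$_.allowed } | ForEach-Object { $_.fileExtension })
    $hiddenSeg  = @(Get-WebConfiguration -PSPath $psPath -Filter '/system.webServer/security/requestFiltering/hiddenSegments/add' |
                    ForEach-Object { $_.segment })

    [pscustomobject]@{
        Role              = $Role
        Site              = $SiteName
        AllVerbsAllowed   = -not ($verbStatus | Where-Object { -not $_.Allowed })
        Verbs             = $verbStatus
        BlockedExtensions = $blockedExt
        HiddenSegments    = $hiddenSeg
    }
}

$result = Test-CMIisRequestFiltering -Role ManagementPoint
$result | Format-List
$result.Verbs | Format-Table -AutoSize
```

AllVerbsAllowed should be True for the role being checked. Do not loosen the extension and segment deny lists wholesale; the IIS request filtering for distribution points article referenced above describes the narrow changes needed when a legitimate package contains a blocked file type.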
The instance that you use for SQL Server Reporting Services can be the same
instance you use for the site database.
The instance that you use can be shared with System Center products. The System
Center products can't have restrictions for sharing the instance of SQL Server.
SQL Server Native Client for the RSP
When you install a new site, Configuration Manager automatically installs SQL Server
Native Client as a redistributable component. After the site is installed, Configuration
Manager doesn't upgrade SQL Server Native Client. Make sure this component is up to
date. For more information, see Prerequisite checks - SQL Server Native Client.
Install a supported version of the .NET Framework. For more information, see .NET
version requirements.
Note
When you use a software update point on a remote site system, install the WSUS
Administration Console on the site server.
Application Development:
ASP.NET 4.5
Install a supported version of the .NET Framework. For more information, see .NET
version requirements.
This article details the Windows versions that you can use to host a Configuration
Manager site or site system role.
Starting in version 2107, this OS version is supported for the following servers.
Site servers:
If you're installing a new site, you can use the latest baseline version 2103 on a
Windows Server 2022 site server, and then immediately update the site to version
2107.
Site servers:
Central administration site
Primary site
Secondary site
Client OS versions
The following client OS versions are supported for use as a distribution point (Note 1):
For more information on supported build versions and editions, see Support for
Windows 11.
For more information on supported build versions and editions, see Support for
Windows 10.
Distribution points on this OS don't support PXE or multicast with the default
Windows Deployment Services. You can PXE-enable a distribution point on this OS
with the option to Enable a PXE responder without Windows Deployment
Service. For more information, see Install and configure distribution points.
General notes
Next steps
Supported SQL Server versions
See also:
Recommended hardware
Site and site system prerequisites
Size and scale numbers
Supported OS versions for clients and devices for Configuration Manager
Article • 03/21/2023
Changing the startup type or Log on as settings for any Configuration Manager
service isn't supported. This change can prevent key services from running
correctly.
Windows computers
To manage the following Windows OS versions, use the client that's included with
Configuration Manager. For more information, see How to deploy clients to Windows
computers.
Windows 10
For more information on the versions of the Windows Assessment and Deployment Kit
(Windows ADK) that Configuration Manager current branch supports, see Support for
the Windows ADK.
Similar to a terminal server, some of these virtual devices allow multiple concurrent
active user sessions. To help with client performance, Configuration Manager disables
user policies on any device that allows these multiple user sessions. Even if you enable
user policies, the client disables them by default on these devices, which include
Windows Enterprise multi-session and terminal servers.
The client only disables user policy when it detects this type of device during a new
installation. For an existing client of this type that you update to this version, the
previous behavior persists. On an existing device, it configures the user policy setting
even if it detects that the device allows multiple user sessions.
If you require user policy in this scenario, and accept any potential performance impact,
use client settings to enable user policy. In the Client Policy group, configure the
following setting: Enable user policy for multiple user sessions.
Note
If you previously selected the top-level platform, this action automatically selected
all child platforms. New platforms aren't automatically selected. For example, if you
want to add Windows 10 Enterprise multi-session, manually select it under the
Windows 10 platform.
Server Core
The following versions specifically refer to the Server Core installation of the OS (Note 3).
Windows Server semi-annual channel versions are Server Core installations, such as
Windows Server, version 1809. As a Configuration Manager client, they're supported the
same as the associated Windows 11 or Windows 10 semi-annual channel version. For
more information, see Support for Windows 11 or Support for Windows 10.
Note 1
Configuration Manager tests and supports Windows Server Datacenter editions, but isn't
officially certified for Windows Server. Configuration Manager hotfix support isn't
offered for issues that are specific to Windows Server Datacenter Edition. For more
information on the Windows Server certification program, see Windows Server
Catalog.
Note 2
To support client push installation, add the File Server service of the File and Storage
Services server role. For more information about installing Windows features on Server
Core, see Install roles, role services, and features by using Windows PowerShell cmdlets.
Note 3
The Software Center app isn't supported on any version of Windows Server Core.
Clients that use one of the following are supported for all features except power
management:
Supported OS versions
Windows 11 Enterprise
Products that are beyond their support lifecycle aren't supported for use with
Configuration Manager. This includes any products that are covered under the ESU
program. Security updates released under the ESU program will be published to
Windows Server Update Services (WSUS). These updates will appear in the
Configuration Manager console. While products that are covered under the ESU
program are no longer supported for use with Configuration Manager, the latest
released version of Configuration Manager current branch can be used to deploy and
install Windows security updates released under the program for Windows Server 2012
and 2012 R2 only. No further support is offered for computers running Windows 7 or
Windows Server 2008/2008 R2, including customers with an additional further year of
ESU support as noted in KB4522133.
Tip
Important
1. First, uninstall the Configuration Manager client for macOS. For more
information, see Uninstalling the Mac client.
2. Then enroll the device to Intune. For more information, see Deployment
guide: Manage macOS devices in Microsoft Intune.
Manage Apple Mac computers with the Configuration Manager client for macOS.
Supported versions
macOS Big Sur (11) (requires Configuration Manager client for macOS version
5.0.9000.1002 or later)
macOS Catalina (10.15) (requires Configuration Manager client for macOS version
5.0.8742.1000 or later)
On-premises MDM
Important
Learn about the Windows 11 versions that Configuration Manager supports as a client.
For more information about support for the Windows Assessment and Deployment Kit
(ADK) for Windows 11, see Support for the Windows ADK.
Note
You can continue to use Microsoft Endpoint Manager to manage devices running
Windows 11 the same as with Windows 10. If another article doesn't explicitly
reference Windows 11, assume that feature support for Windows 10 also includes
Windows 11. This article lists some known issues.
Windows 11 versions
Configuration Manager attempts to provide support as a client for each new Windows
11 version soon after it becomes available. Because the products have separate
development and release schedules, the support that Configuration Manager provides
depends on when each becomes available.
A Configuration Manager version drops from the matrix after support for that version
ends. Similarly, Configuration Manager doesn't support Windows 11 versions when their
support lifecycle ends.
The latest version of Configuration Manager current branch receives both security
and critical updates, which can include fixes for Windows 11-specific features.
When Microsoft releases a new version of Configuration Manager current branch,
prior versions only receive security updates. For more information, see Support for
Configuration Manager current branch versions.
7 Note
The best way to stay current with Windows 11 is to stay current with
Configuration Manager. For more information, see Configuration Manager
and Windows as a Service.
This information supplements Supported operating systems for clients and devices.
The following table lists the versions of Windows 11 that you can use as a client with
different versions of Configuration Manager.
Windows 11, version 22H2 (10.0.22621)
Windows 11, version 21H2 (10.0.22000)
For more information on Windows lifecycle, see the Windows lifecycle fact sheet and
Windows release information.
Support notes
Support for Windows 11 versions includes the following editions: Enterprise, Pro,
Education, Pro Education, and Pro for Workstation.
OS deployment images and upgrade packages for Windows 11 show the image
name as Windows 10. For more information, see Using deployment tools with
Windows 11 images.
The 32-bit versions of Windows PE (WinPE) in the WinPE add-ons for Windows 11
and Windows Server 2022 aren't supported. The last supported version of 32-bit
WinPE is available in the WinPE add-on for Windows 10, version 2004. For more
information, see Download and install the Windows ADK.
Configuration Manager supports the use of older versions of Windows PE as boot
images, but you can't customize them in the Configuration Manager console. For
more information, see Customize boot images with Configuration Manager.
Windows 11 on ARM64
Configuration Manager version 2107 with the update rollup supports the client on
Windows 11 ARM64 devices.
The All Windows 11 (ARM64) platform is available in the list of supported OS versions
on objects with requirement rules or applicability lists.
OS deployment isn't supported, except for a feature update task sequence. You can
deploy a task sequence with a feature update to a Windows 11 on ARM64 device. For
more information, see Upgrade Windows to the latest version.
Known issues
Desktop Analytics
Desktop Analytics doesn't support Windows 11. For information about Windows 11
hardware readiness, Microsoft recommends that you enable tenant attach and Endpoint
analytics.
Software Center notifications are currently suppressed during this time. For more
information, see Turn Focus assist on or off in Windows.
When you use a Windows 11-based boot image with an OS deployment task sequence
that includes the Pre-provision BitLocker step, the step might fail. You'll see errors
similar to the following strings in the smsts.log:
log
pTpm->TakeOwnership(sOwnerAuth), HRESULT=80070002
The system cannot find the file specified. (Error: 80070002; Source: Windows)
To work around this issue, add a Run Command Line step to the task sequence before
the Pre-provision BitLocker step. Run the following command:
/d 2 /f
For more information on this registry key, see Change the TPM owner password.
If you configure the authentication level for the site to require Windows Hello for
Business authentication, the Configuration Manager console on a Windows 11 device
can't connect to the site. The adminui.log file on the devices shows the following errors:
log
ErrorCode = 2185761792;
Update the device to Windows 11 OS build 22000.282. For more information, see
October 21, 2021—KB5006746 (OS Build 22000.282) Preview.
Add users to the authentication exclusion list. For more information, see Configure
SMS Provider authentication.
Offline servicing
Important
This issue is resolved with the March 2022 cumulative update (KB5011493). For any
version of Windows 11, you can successfully use offline servicing with the March
2022 cumulative update.
When you apply software updates to an image for Windows 11, the process will fail.
You'll see errors similar to the following entries in the offline servicing log file,
OfflineServicingMgr.log:
To work around this issue, you can manually service the image:
1. Download the update directly from the Microsoft Update Catalog. For example,
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5007215
2. Use DISM to manually inject the downloaded .msu update file into the Windows
11 image. For more information, see Add updates to a Windows image.
3. Manually update the image file in the package source. Then update it on
distribution points.
Next steps
Support for the Windows ADK
Support for Windows 10 in Configuration Manager
Article • 04/11/2023
Learn about the Windows 10 versions that Configuration Manager supports as a client.
For more information about support for later versions of Windows, see Support for
Windows 11.
For more information about support for the Windows Assessment and Deployment Kit
(ADK) for Windows 10, see Support for the Windows ADK.
Tip
Windows Server builds as a client are supported the same as the associated
Windows 10 version. For example, Windows Server 2016 is the same build version
as Windows 10 LTSB 2016, and Windows Server version 1803 is the same build
version as Windows 10, version 1803.
Windows 10 versions
Configuration Manager attempts to provide support as a client for each new Windows
10 version as soon as possible after it becomes available. Because the products have
separate development and release schedules, the support that Configuration Manager
provides depends on when each becomes available.
A Configuration Manager version drops from the matrix after support for that version
ends. Similarly, support for Windows 10 versions like the Enterprise 2015 LTSB or 1511
drops from the matrix when they're removed from support.
The latest version of Configuration Manager current branch receives both security
and critical updates, which can include fixes for issues with Windows 10 versions.
When Microsoft releases a new version of Configuration Manager current branch,
prior versions only receive security updates. For more information, see Support for
Configuration Manager current branch versions.
Note
The best way to stay current with Windows 10 is to stay current with
Configuration Manager. For more information, see Configuration Manager
and Windows as a Service.
This information supplements Supported operating systems for clients and devices.
The following table lists the versions of Windows 10 that you can use as a client with
different versions of Configuration Manager.
Windows 10, version 22H2 (10.0.19045)
Windows 10, version 21H2 (10.0.19044)
Windows 10 Enterprise LTSC 2021 (10.0.19044)
Windows 10, version 21H1 (10.0.19043)
Windows 10, version 20H2 (10.0.19042) (see Note)
All currently supported versions of Configuration Manager current branch support the
following Windows 10 LTSB/LTSC editions:
For more information on Windows lifecycle, see the Windows lifecycle fact sheet and
Windows 10 release information.
Support notes
Support for Windows 10 semi-annual channel versions includes the following
editions: Enterprise, Pro, Education, Pro Education, and Pro for Workstation.
OS deployment media shows the build number from the base version. For
example, 10.0.19041. When Windows is installed, it applies an enablement
package, which updates the build number to what's in the above table. You can
use the revision ID to distinguish the media:
Windows 10 on ARM64
Configuration Manager supports the client on Windows 10 ARM64 devices.
The All Windows 10 (ARM64) platform is available in the list of supported OS versions
on objects with requirement rules or applicability lists.
Note
OS deployment isn't supported, except for a feature update task sequence. Starting in
version 2103, you can deploy a task sequence with a feature update to a Windows 10 on
ARM64 device. For more information, see Deploy a feature update with a task sequence.
Support for Windows Insider
You can update and service Windows Insider builds. This ability is provided as a
convenience to our customers. While this functionality should work, the support for it is
best effort. Configuration Manager might not issue a hotfix for this functionality if it
ceases to function.
Use the default image file (install.wim) from the installation media. Use the task
sequence to apply configurations at run time.
Remove appx packages for the signed-in user before you use capture media. For
more information, see Sysprep fails after you remove or update Microsoft Store
apps that include built-in Windows images.
Manually run Sysprep, and then boot to the capture media to capture the image.
Next steps
Support for the Windows ADK
When you deploy operating systems with Configuration Manager, the Windows
Assessment and Deployment Kit (ADK) is a required external dependency. For more
information, see the following articles:
Important
Windows 11 (10.1.22621.1)
Windows 11 (10.1.22000)
Windows Server 2022 (10.1.20348)
Windows 10, version 2004 (10.1.19041)
This table only shows Windows ADK supportability in relation to the version of Configuration
Manager. Microsoft recommends using the Windows ADK that matches the version of Windows
you're deploying. Use the latest Windows ADK version when deploying the latest Windows
version. The latest Windows ADK version may support deployment of older OS versions, such as
Windows 8.1. For more information on Windows ADK component supportability, see DISM
supported platforms, USMT requirements, and Choose the right ADK for your scenario.
Key
Supported
Backward compatible: This combination isn't tested but should work. We'll document any known issues or caveats.
Not supported
Support notes
Configuration Manager only supports x86 and amd64 components of the Windows
ADK. It doesn't currently support ARM or ARM64 components.
Windows Server builds have the same Windows ADK requirement as the
associated Windows client version. For example, Windows Server 2016 is the same
build version as Windows 10 LTSB 2016.
If you're deploying both Windows 11 and Windows Server 2022, use the Windows
ADK for Windows 11, which is the latest version. If you're deploying Windows
Server 2022 and not Windows 11, you can use either Windows ADK for Windows
Server 2022 or Windows 11.
The 32-bit versions of Windows PE (WinPE) in the WinPE add-ons for Windows 11
and Windows Server 2022 aren't supported. The last supported version of 32-bit
WinPE is available in the WinPE add-on for Windows 10, version 2004. For more
information, see Download and install the Windows ADK.
Known issues
When you use a Windows 11-based boot image with an OS deployment task sequence
that includes the Pre-provision BitLocker step, the step might fail. You'll see errors
similar to the following strings in the smsts.log:
log
pTpm->TakeOwnership(sOwnerAuth), HRESULT=80070002
The system cannot find the file specified. (Error: 80070002; Source: Windows)
To work around this issue, add a Run Command Line step to the task sequence before
the Pre-provision BitLocker step. Run the following command:
/d 2 /f
For more information on this registry key, see Change the TPM owner password.
Next steps
Support for Windows 11
For more information about the Configuration Manager console, see the following
articles:
Install consoles
Each Configuration Manager site requires a supported SQL Server version and
configuration to host the site database.
A SQL Server Always On failover cluster instance. For more information, see Use a
SQL Server Always On failover cluster instance for the site database.
A SQL Server Always On availability group. For more information, see Prepare to
use a SQL Server Always On availability group.
Secondary sites
The site database can use the default instance of a full installation of SQL Server or SQL
Server Express.
Limitations to support
The following configurations aren't supported:
Configuration Manager supports the versions of SQL Server that you use.
The SQL Server versions you use remain in support by Microsoft.
SQL Server supports replication between the two versions of SQL Server. For more
information, see SQL Server replication backward compatibility.
For SQL Server 2016 and prior, support for each SQL Server version and service pack
follows the Microsoft Lifecycle Policy. Support for a specific SQL Server service pack
includes cumulative updates unless they break backward compatibility to the base
service pack version. Starting with SQL Server 2017, service packs won't be released
since it follows a modern servicing model. The SQL Server team recommends ongoing,
proactive installation of cumulative updates as they become available.
Unless specified otherwise, the following versions of SQL Server are supported with all
active versions of Configuration Manager. If support for a new SQL Server version is
added, the Configuration Manager version that adds that support is noted. Similarly, if
support is deprecated, look for details about affected versions of Configuration
Manager.
Important
When you use SQL Server Standard for the database at the central administration
site, you limit the total number of clients that a hierarchy can support. See Size and
scale numbers.
You can use this version of SQL Server for the following sites:
Important
Starting in version 2107, support for SQL Server 2012 is deprecated. Its support
lifecycle ends in July 2022. Plan to upgrade all database servers before that time.
For more information, see SQL Server.
A secondary site
Database collation
At each site, both the instance of SQL Server that's used for the site and the site
database must use the following collation: SQL_Latin1_General_CP1_CI_AS.
Configuration Manager supports two exceptions to this collation for the China GB18030
standard. For more information, see International support.
When you upgrade a site database from an earlier version of SQL Server, the database
keeps its existing cardinality estimation level, if it's at the minimum allowed for that
instance of SQL Server. When you upgrade SQL Server with a database at a compatibility
level lower than the allowed level, it automatically sets the database to the lowest
compatibility level allowed by SQL Server.
The following table identifies the recommended compatibility levels for Configuration
Manager site databases:
To identify the SQL Server cardinality estimation compatibility level in use for your site
database, run the following SQL query on the site database server:
SQL
For more information on SQL Server compatibility levels and how to set them, see ALTER
DATABASE Compatibility Level (Transact-SQL).
Configuration Manager database replication doesn't require the SQL Server replication
feature. However, this SQL Server configuration is required when you use database
replicas for management points.
Windows authentication
Configuration Manager requires Windows authentication to validate connections to the
database.
For a database server that you install on the same computer as the site server:
Limit the memory for SQL Server to 50 to 80 percent of the available addressable
system memory.
For a dedicated database server that's remote from the site server: Limit the
memory for SQL Server to 80 to 90 percent of the available addressable system
memory.
For a memory reserve for the buffer pool of each SQL Server instance in use:
For a central administration site: Set a minimum of 8 GB.
For a primary site: Set a minimum of 8 GB.
For a secondary site: Set a minimum of 4 GB.
TRUSTWORTHY setting
Configuration Manager automatically enables the SQL TRUSTWORTHY database
property. This property is required by Configuration Manager to be ON.
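The collation, compatibility level and TRUSTWORTHY requirements described in this section and in Database collation above, checked by one PowerShell function. This is an added example, not code from the Configuration Manager documentation; it assumes you supply the server instance, the site database name and the compatibility level recommended for your SQL Server version, and it connects with Windows authentication.

```powershell
# Added example (not from the Configuration Manager docs). Checks one site database
# against the stated requirements: instance and database collation
# SQL_Latin1_General_CP1_CI_AS, the recommended compatibility level, TRUSTWORTHY = ON.
# Uses Windows authentication (Integrated Security), as Configuration Manager requires.
function Test-CMSiteDatabaseConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,             # placeholder, e.g. 'SQL01.contoso.com' or 'SQL01\CMINST'
        [Parameter(Mandatory)] [string] $Database,                   # placeholder, e.g. 'CM_PS1'
        [Parameter(Mandatory)] [int]    $ExpectedCompatibilityLevel  # take it from the recommended-levels table
    )

    $requiredCollation = 'SQL_Latin1_General_CP1_CI_AS'

    # One round trip: instance collation plus the database's collation,
    # compatibility level and TRUSTWORTHY flag from sys.databases.
    $query = @'
SELECT CONVERT(nvarchar(128), SERVERPROPERTY('Collation')) AS InstanceCollation,
       d.collation_name      AS DatabaseCollation,
       d.compatibility_level AS CompatibilityLevel,
       d.is_trustworthy_on   AS IsTrustworthyOn
FROM   sys.databases AS d
WHERE  d.name = @Database;
'@

    # Integrated Security=SSPI selects Windows authentication (no SQL logins).
    # Encrypt=True requires a server certificate that this client trusts.
    $connectionString = "Server=$ServerInstance;Database=master;Integrated Security=SSPI;Encrypt=True"
    $connection = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connectionString
    $command = $connection.CreateCommand()
    $command.CommandText = $query
    [void]$command.Parameters.AddWithValue('@Database', $Database)

    try {
        $connection.Open()
        $reader = $command.ExecuteReader()
        if (-not $reader.Read()) {
            throw "Database '$Database' was not found on $ServerInstance."
        }
        $instanceCollation  = [string]$reader['InstanceCollation']
        $databaseCollation  = [string]$reader['DatabaseCollation']
        $compatibilityLevel = [int]$reader['CompatibilityLevel']
        $trustworthyOn      = [bool]$reader['IsTrustworthyOn']
    }
    finally {
        $connection.Dispose()   # also closes the reader
    }

    # The two GB18030 collation exceptions (see International support) are not modeled here.
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($instanceCollation -ne $requiredCollation) {
        $findings.Add("Instance collation is '$instanceCollation'; expected '$requiredCollation'.")
    }
    if ($databaseCollation -ne $requiredCollation) {
        $findings.Add("Database collation is '$databaseCollation'; expected '$requiredCollation'.")
    }
    if ($compatibilityLevel -lt $ExpectedCompatibilityLevel) {
        $findings.Add("Compatibility level is $compatibilityLevel; recommended level is $ExpectedCompatibilityLevel.")
    }
    if (-not $trustworthyOn) {
        $findings.Add('TRUSTWORTHY is OFF; Configuration Manager requires it to be ON for the site database.')
    }

    [pscustomobject]@{
        ServerInstance     = $ServerInstance
        Database           = $Database
        InstanceCollation  = $instanceCollation
        DatabaseCollation  = $databaseCollation
        CompatibilityLevel = $compatibilityLevel
        TrustworthyOn      = $trustworthyOn
        Compliant          = ($findings.Count -eq 0)
        Findings           = $findings.ToArray()
    }
}

# Usage with placeholder values:
# Test-CMSiteDatabaseConfig -ServerInstance 'SQL01.contoso.com' -Database 'CM_PS1' -ExpectedCompatibilityLevel 150
```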
The local system account of the computer that runs SQL Server:
Use the local system account to simplify the configuration process.
When you use the local system account, Configuration Manager automatically
registers the SPN for the SQL Server service.
Using the local system account for the SQL Server service isn't a SQL Server best
practice.
When the computer running SQL Server doesn't use its local system account to run the
SQL Server service, configure the SPN of the account that runs the SQL Server service in
Active Directory Domain Services. (When the system account is used, the SPN is
automatically registered for you.)
For information about SPNs for the site database, see Manage the SPN for the site
database server.
For information about how to change the account that is used by the SQL Server service,
see SCM Services - Change the service startup account.
Important
After you upgrade SQL Server from a previous version, you might see the following
error: Report Builder Does Not Exist.
To resolve this error, you must reinstall the reporting services point site system role.
Intersite communications use the SQL Server Service Broker, which uses port TCP
4022 by default.
Intrasite communications between the SQL Server database engine and various
Configuration Manager site system roles use port TCP 1433 by default. The
following site system roles communicate directly with the SQL Server database:
Management point
SMS Provider computer
Reporting services point
Site server
When a computer running SQL Server hosts a database from more than one site, each
database must use a separate instance of SQL Server. Also, each instance must be
configured to use a unique set of ports.
Warning
Configuration Manager doesn't support dynamic ports. Because SQL Server named
instances by default use dynamic ports for connections to the database engine,
when you use a named instance, you must manually configure the static port that
you want to use for intrasite communication.
If you have a firewall enabled on the computer that is running SQL Server, make sure
that it's configured to allow the ports that are being used by your deployment and at
any locations on the network between computers that communicate with the SQL
Server.
For an example of how to configure SQL Server to use a specific port, see Configure a
server to listen on a specific TCP port.
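An added example, not from the documentation, that runs on the computer hosting SQL Server and reports whether an instance is configured for a static TCP port (dynamic ports aren't supported, as the warning above states) and whether an enabled inbound Windows Firewall rule covers that port. The only input is the instance name; the registry paths are the ones SQL Server setup creates.

```powershell
# Added example (not from the Configuration Manager docs). Run on the SQL Server host.
# Reads the instance's TCP/IP settings from the registry and checks the local firewall.
function Test-SqlStaticPort {
    [CmdletBinding()]
    param(
        [string] $InstanceName = 'MSSQLSERVER'   # 'MSSQLSERVER' is the default instance
    )

    # Map the instance name to its instance ID (for example MSSQL15.MSSQLSERVER).
    $instanceNames = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL' -ErrorAction Stop
    $instanceId = $instanceNames.$InstanceName
    if (-not $instanceId) {
        throw "SQL Server instance '$InstanceName' was not found on this computer."
    }

    # IPAll holds the port settings that apply to every address the instance listens on.
    $ipAllKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
    $ipAll = Get-ItemProperty $ipAllKey -ErrorAction Stop
    $staticPort   = [string]$ipAll.TcpPort
    $dynamicPorts = [string]$ipAll.TcpDynamicPorts

    # A non-empty TcpDynamicPorts means dynamic ports are in use: '0' asks the engine
    # to pick one at startup, any other value is the port it picked last time.
    $usesDynamicPort = -not [string]::IsNullOrWhiteSpace($dynamicPorts)
    $usesStaticPort  = (-not $usesDynamicPort) -and (-not [string]::IsNullOrWhiteSpace($staticPort))

    # Look for an enabled inbound Allow rule for TCP on that port. Rules expressed as
    # port ranges or program-based rules are not expanded here.
    $firewallRuleFound = $false
    if ($usesStaticPort) {
        $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            $filter = $rule | Get-NetFirewallPortFilter
            if ($filter.Protocol -eq 'TCP' -and
                (($filter.LocalPort -contains $staticPort) -or ($filter.LocalPort -contains 'Any'))) {
                $firewallRuleFound = $true
                break
            }
        }
    }

    [pscustomobject]@{
        InstanceName         = $InstanceName
        InstanceId           = $instanceId
        TcpPort              = $staticPort
        TcpDynamicPorts      = $dynamicPorts
        UsesStaticPort       = $usesStaticPort
        SupportedByConfigMgr = $usesStaticPort      # dynamic ports are not supported
        FirewallRuleFound    = $firewallRuleFound
    }
}

# Usage (named instance name is a placeholder):
# Test-SqlStaticPort                       # default instance
# Test-SqlStaticPort -InstanceName 'CMINST'
```

A change to TcpPort or TcpDynamicPorts takes effect only after the SQL Server service restarts, so compare the result with what clients currently connect to.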
Install a new version of SQL Server on a new computer, and then use the database
move option of Configuration Manager setup to point your site server to the new
SQL Server.
Use backup and recovery. Using backup and recovery for a SQL Server upgrade
scenario is supported. You can ignore the SQL Server versioning requirement when
reviewing Considerations before recovering a site.
Support for Active Directory domains in
Configuration Manager
Article • 10/04/2022
It's not supported to change the following configurations for a computer that
hosts a site system role:
Domain membership, including if you remove a site system from the domain,
and then rejoin the same domain.
Domain name
Computer name
Before making these changes, uninstall the site system role. To make these
changes to a site server, uninstall the site first. You can also consider creating a site
server in passive mode to help manage this change on a site server.
Disjoint namespace
You can install Configuration Manager site systems and clients in a domain that has a
disjoint namespace.
In a disjoint namespace, the primary DNS suffix of a computer doesn't match the Active
Directory DNS domain name of that computer. Another disjoint namespace scenario
occurs if the NetBIOS domain name of a domain controller doesn't match the Active
Directory DNS domain name.
Disjoint scenarios
The following sections identify the supported scenarios for a disjoint namespace.
Scenario 1
The primary DNS suffix of the domain controller differs from the Active Directory DNS
domain name. Computers that are members of the domain can be either disjoint or not
disjoint.
The domain controller is disjoint in this scenario. Computers that are members of the
domain, such as site servers and computers, can have a primary DNS suffix that either
matches:
Scenario 2
A member computer in an Active Directory domain is disjoint, even though the domain
controller isn't disjoint.
In this scenario, the primary DNS suffix of a site system differs from the Active Directory
DNS domain name. The primary DNS suffix of the domain controller is the same as the
Active Directory DNS domain name. Member computers that are Configuration
Manager clients can have a primary DNS suffix that either matches:
To make sure that the DNS suffix search list contains all the DNS namespaces in the
organization, configure the search list for each computer in the disjoint domain. Include
the following suffixes in the list of namespaces:
The primary DNS suffix of the domain controller
The DNS domain name
Any additional namespaces for other servers that Configuration Manager might
communicate with
You can use group policy to configure the Domain Name System (DNS) suffix search
list.
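An added example, not from the documentation, that reports whether a domain-joined computer is in a disjoint namespace and which of the three kinds of suffix listed above are missing from its DNS suffix search list. The domain controller's primary DNS suffix and any extra namespaces are values you supply; applying the list locally with Set-DnsClientGlobalSetting is an alternative to the group policy approach the article recommends.

```powershell
# Added example (not from the Configuration Manager docs). Run on a domain-joined computer.
function Get-DisjointNamespaceStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DomainControllerSuffix,   # primary DNS suffix of the domain controller (you supply it)
        [string[]] $AdditionalSuffixes = @()                        # namespaces of other servers Configuration Manager talks to
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        throw 'This computer is not joined to an Active Directory domain.'
    }
    $adDnsDomain = $cs.Domain   # Active Directory DNS domain name, e.g. corp.contoso.com

    # Primary DNS suffix of this computer: 'Domain' is the value in effect now,
    # 'NV Domain' the one that applies after the next restart.
    $tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $primarySuffix = if ($tcpip.Domain) { $tcpip.Domain } else { $tcpip.'NV Domain' }

    $currentList = @((Get-DnsClientGlobalSetting).SuffixSearchList)

    # Entries the article says the search list must contain.
    $required = (@($DomainControllerSuffix, $adDnsDomain) + $AdditionalSuffixes) |
        Where-Object { $_ } | Select-Object -Unique
    $missing = @($required | Where-Object { $currentList -notcontains $_ })   # case-insensitive

    [pscustomobject]@{
        ComputerName     = $cs.DNSHostName
        PrimaryDnsSuffix = $primarySuffix
        AdDnsDomainName  = $adDnsDomain
        IsDisjoint       = ($primarySuffix -ne $adDnsDomain)   # suffix differs from the AD DNS domain name
        SuffixSearchList = $currentList
        MissingSuffixes  = $missing
    }
}

# Appends the missing suffixes to the local search list (requires elevation).
# Prefer group policy when the setting must apply across the disjoint domain.
function Add-MissingDnsSuffixes {
    param([Parameter(Mandatory)] $Status)   # output of Get-DisjointNamespaceStatus
    if ($Status.MissingSuffixes.Count -eq 0) {
        return $Status.SuffixSearchList
    }
    $newList = @($Status.SuffixSearchList) + $Status.MissingSuffixes
    Set-DnsClientGlobalSetting -SuffixSearchList $newList
    return $newList
}

# Usage with placeholder names:
# $status = Get-DisjointNamespaceStatus -DomainControllerSuffix 'dc.contoso.com' -AdditionalSuffixes 'mp.contoso.net'
# if ($status.MissingSuffixes.Count -gt 0) { Add-MissingDnsSuffixes -Status $status }
```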
Important
Configure the single label domain in Active Directory Domain Services with a
disjoint DNS namespace that has a valid top-level domain.
For example: The single label domain of Contoso is configured to have a disjoint
namespace in DNS of contoso.com. When you specify the DNS suffix in
Configuration Manager for a computer in the Contoso domain, you specify
"Contoso.com" and not "Contoso".
This article identifies Configuration Manager support for common Windows and
networking features.
BranchCache
Use Windows BranchCache with Configuration Manager when you enable it on
distribution points, and configure clients to use it in distributed cache mode.
When the requirements for BranchCache are met, this feature enables clients in remote
locations to obtain content from local clients that have a current cache of the content.
For example, when the first BranchCache-enabled client requests content from a
distribution point that's configured as a BranchCache server, the client downloads and
caches the content. This content is then made available for clients on the same subnet
that requested this content.
These clients also cache the content. Other clients on the same subnet don't have to
download content from the distribution point. The content is distributed across multiple
clients for future transfers.
Configure clients
The clients that can support BranchCache must be configured for BranchCache
distributed cache mode.
The OS setting for BITS client settings must be enabled to support BranchCache.
For information, see configure clients for BranchCache in the Windows documentation.
For more information, see BranchCache for Windows in the Windows Server
documentation.
Computers in workgroups
Configuration Manager provides support for clients in workgroups.
Note
Although clients in workgroups are supported, all site systems must be members of
a supported Active Directory domain.
Data deduplication
Configuration Manager supports the use of data deduplication with distribution points
on Windows Server 2012 or later.
Important
The volume that hosts package source files can't be marked for data deduplication.
This limitation is because data deduplication uses reparse points. Configuration
Manager doesn't support using a content source location with files stored on
reparse points.
DirectAccess
Configuration Manager supports the DirectAccess feature for communication between
clients and site server systems.
When all the requirements for DirectAccess are met, it enables Configuration
Manager clients on the internet to communicate with their assigned site as if they
were on the intranet.
For server-initiated actions, such as remote control and client push installation, the
initiating computer must be running IPv6. This protocol must be supported on all
intervening networking devices.
OS deployment
Dual-boot computers
Configuration Manager can't manage more than one OS on a single computer. If there's
more than one OS on a computer to manage, adjust the site's discovery and client
installation methods to ensure that the Configuration Manager client is installed only on
the OS that has to be managed.
IPv6
In addition to Internet Protocol version 4 (IPv4), Configuration Manager supports
Internet Protocol version 6 (IPv6), with the following exceptions:
Function / Exception to IPv6 support
Cloud management gateway: IPv4 is required to support Microsoft Azure and the cloud management gateway.
Network Discovery: IPv4 is required when you configure a DHCP server to search in Network Discovery.
Wake-up proxy communication: IPv4 is required to support the client wake-up proxy packets.
Site server roles require NTFS, so that Configuration Manager can set directory and file
permissions. Configuration Manager assumes that it has complete ownership of a
logical drive. Site systems that run on separate computers can't share a logical partition
on any storage technology. However, each computer can use a separate logical partition
on the same physical partition of a shared storage device.
Support considerations
Storage Area Network: A Storage Area Network (SAN) is supported when a
supported Windows-based server is attached directly to the volume that's hosted
by the SAN.
Next steps
Support for virtualization environments with Configuration Manager
Support for virtualization environments
with Configuration Manager
Article • 10/04/2022
Configuration Manager supports installing the client and site system roles on supported
operating systems that run as a virtual machine (VM) in certain virtualization
environments. This support exists even when the virtual host (virtualization environment)
isn't supported as a client or site server.
For example, you use Microsoft Hyper-V Server 2016 to host a VM that runs Windows
Server 2019. You can install the client or site system roles on the VM running Windows
Server 2019. You can't install the client on the host running Microsoft Hyper-V Server
2016.
Virtualization environments
Windows Server 2022 (starting in version 2107)
Windows Server 2019
Windows Server 2016 Note 1
Microsoft Hyper-V Server 2016 Note 1
Windows Server 2012 R2
Microsoft Hyper-V Server 2012
Windows Server 2012
Note
Configuration Manager can't manage VMs if they're offline. The Configuration Manager
client on the host computer can't manage an offline VM image. For example, it can't
install software updates or collect hardware inventory.
Scenario 3: Run different Configuration Manager site system roles on Azure VMs.
Run other roles in your on-premises data center, properly connected to Azure.
Important
Configuration Manager sites and clients that run on Azure VMs are subject to the
same license requirements as on-premises installations.
Next steps
Manage Configuration Manager clients in a virtual desktop infrastructure (VDI)
Size and scale numbers for
Configuration Manager
Article • 10/04/2022
Each Configuration Manager deployment has a maximum number of sites, site system
roles, and devices that it can support. These numbers vary depending on your hierarchy
structure, what types and numbers of sites you use, and the site system roles that you
deploy. The information in this article can help you determine the number of site system
roles and sites that you need to support the devices you expect to manage.
Recommended hardware
Supported operating systems for site system servers
Supported operating systems for clients and devices
Site and site system prerequisites
These support numbers are based on using the recommended hardware for
Configuration Manager. They're also based on the default settings for all available
Configuration Manager features. When you don't use the recommended hardware or
use more aggressive custom settings, the performance of site systems can degrade. The
site systems might not meet the stated levels of support. (An example of more
aggressive client settings is running hardware or software inventory more frequently
than the defaults of once every seven days.)
Site types
Primary site
Each primary site supports up to 250 secondary sites.
For information about the number of clients and devices that a primary site can
support, see Client numbers for sites and hierarchies.
Secondary site
Secondary sites don't support child sites.
You can install multiple instances of the cloud management gateway (CMG) at
primary sites, or the central administration site (CAS).
Tip
One CMG supports up to 16 virtual machine (VM) instances in the Azure cloud
service.
Simultaneous client connections per each CMG VM instance depend upon the
deployment model and VM size. When the CMG is under high load with more than
the supported number of clients, it still handles requests but there may be delay.
Important
The Lab (B2s) size VM is only intended for lab testing and small proof-of-
concept environments. They aren't intended for production use with the
CMG. The B2s VMs are low cost and low performing. The Configuration
Manager technical preview branch only supports 10 clients, which is why
this size supports that number of clients.
Virtual machine scale set (version 2010 and 2103 for Cloud Service Provider
(CSP) subscriptions): 2,000
Important
You can install multiple instances of the CMG connection point at primary sites.
One CMG connection point can support a CMG with up to four VM instances. If the
CMG has more than four VM instances, add a second CMG connection point for
load balancing. A CMG with 16 VM instances should be linked with four CMG
connection points.
Note
When considering hardware requirements for the CMG connection point, see
Recommended hardware for remote site system servers.
Distribution point
Distribution points per site:
A pull-distribution point acts like a client when it accesses content from a source
distribution point.
Each primary site supports a combined total of up to 5,000 distribution points. This
total includes all the distribution points at the primary site and all the distribution
points that belong to the primary site's child secondary sites.
Warning
The actual number of clients that one distribution point can support depends on
the speed of the network and the hardware configuration of the server.
The number of pull-distribution points that one source distribution point can
support similarly depends on the speed of the network and the hardware
configuration of the source distribution point. But this number is also affected by
the amount of content that you've deployed. This effect is because, unlike clients
that typically access content at different times during a deployment, all pull-
distribution points request content at the same time. Pull-distribution points can
request all available content, not just the content that is applicable to them. When
you place a high processing load on a source distribution point, there can be
unexpected delays in distributing the content to the target distribution points.
Management point
Each primary site supports up to 15 management points.
Tip
Don't install management points on servers that are across a slow link from
the primary site server or the site database server. If the management point is
not in the same data center (also referred to as a fast link), you can experience
latency on state and status messages. If you have a requirement for a remote
management point, consider using a secondary site instead. This will avoid
backlog issues for state and status messages.
Each secondary site supports a single management point that must be installed on
the secondary site server.
For information about the number of clients and devices that a management point can
support, see the Management points section.
If you enable the software update point to support a cloud management gateway,
it services internet-based client requests per normal. Sizing guidance for a software
update point doesn't change whether it services on-premises or internet-based
clients.
The software update point can support up to 25,000 clients when WSUS runs on
the software update point server, and the software update point coexists with
another site system role.
The software update point can support up to 150,000 clients when a remote server
meets WSUS requirements, WSUS is used with Configuration Manager, and you
configure the following settings:
Increase the WsusPool private memory limit to four times its default, or set it to 0
(unlimited). For example, if the default limit is 1,843,200 KB, increase it to
7,372,800 KB. For more information, see WSUS best practices.
For more information about hardware requirements for the software update
point, see Recommended hardware for site systems.
Also limit the number of software updates to 1000 in a configuration baseline. For
more information, see Create configuration baselines.
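The WsusPool change above is an IIS application pool recycling setting. The following script is an added example, not code from the Configuration Manager documentation: it reads the current private memory limit for WsusPool, quadruples it (or sets it to 0 when asked), recycles the pool and reads the value back. It assumes it runs elevated on the WSUS server with the IIS WebAdministration module available; the function name is mine.

```powershell
# Added example, not code from the Configuration Manager documentation.
# Raises the WsusPool private memory recycling limit (in KB) to four times its current
# value, or removes the limit (0), recycles the pool and reads the setting back.
# Assumes it runs elevated on the WSUS server with the IIS WebAdministration module.
Import-Module WebAdministration

function Set-WsusPoolMemoryLimit {
    param(
        [switch]$Unlimited,       # set 0 (unlimited) instead of multiplying
        [int]$Multiplier = 4      # the "four times" from the guidance above
    )
    $poolPath = 'IIS:\AppPools\WsusPool'
    $prop     = 'recycling.periodicRestart.privateMemory'

    # The IIS provider returns a configuration attribute object; its .Value is the KB figure.
    $raw     = Get-ItemProperty -Path $poolPath -Name $prop
    $current = [int64]$(if ($null -ne $raw.Value) { $raw.Value } else { $raw })

    if ($Unlimited) {
        $new = 0
    } elseif ($current -eq 0) {
        Write-Host 'WsusPool already has no private memory limit.'
        return
    } else {
        $new = $current * $Multiplier   # 1,843,200 KB -> 7,372,800 KB on a default install
    }

    Set-ItemProperty -Path $poolPath -Name $prop -Value $new
    Restart-WebAppPool -Name 'WsusPool'   # the new limit applies to the next worker process

    # Read back to confirm the change took effect rather than trusting the write.
    $applied = Get-ItemProperty -Path $poolPath -Name $prop
    [pscustomobject]@{
        PreviousKB = $current
        AppliedKB  = [int64]$(if ($null -ne $applied.Value) { $applied.Value } else { $applied })
    }
}

Set-WsusPoolMemoryLimit                # quadruple the current limit
# Set-WsusPoolMemoryLimit -Unlimited   # or remove the limit entirely
```

Recycling the pool interrupts in-flight client scans for a few seconds, so run it in a maintenance window on a busy software update point.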
The administration service is a REST API on every instance of the SMS Provider. It
supports up to 5,000 requests per second, and 200 requests per client IP address.
For example, in a hierarchy you can support 700,000 desktops, up to 25,000 macOS
devices, and up to 100,000 devices managed by on-premises MDM. This hierarchy
supports a total of 825,000 devices.
Important
In a hierarchy where the central administration site uses a Standard edition of SQL
Server, the hierarchy supports a maximum of 50,000 desktops and devices. To
support more than 50,000 desktops and devices, you must use an Enterprise
edition of SQL Server. This requirement applies only to a central administration site.
It doesn't apply to a stand-alone primary site or a child primary site. The edition of
SQL Server you use for a primary site doesn't limit its capacity to support the stated
number of clients.
The edition of SQL Server that is in use at a stand-alone primary site doesn't limit that
site's capacity to support up to the stated number of clients.
150,000 total clients and devices that aren't limited to a specific group or type, as
long as support doesn't exceed the number that is supported for the hierarchy.
Also see, support for embedded devices.
For example, a primary site supports 25,000 macOS devices. That number is the limit for
a hierarchy. This primary site can then support an additional 125,000 desktop
computers. The total number of supported devices for the child primary site is the
supported maximum limit of 150,000.
For example, a stand-alone primary site that supports 150,000 desktops and 10,000
Macs can only support an additional 15,000 mobile devices managed by on-premises
MDM.
Secondary sites
Secondary sites support the following number of devices:
Management points
Each management point can support the following number of devices:
The following recommendations are guidelines to help you scale your Configuration
Manager environment to support more than a very basic deployment of sites, site
systems, and clients. They aren't intended to cover all possible site and hierarchy
configurations.
Use the information in the following sections as a guide to help you plan for hardware.
Make sure your hardware can meet the processing loads for clients and sites that use
the available Configuration Manager features.
Site systems
This section provides recommended hardware configurations for Configuration
Manager site systems. Use these recommendations to support the maximum number of
clients and use most or all Configuration Manager features. If your environment
supports less than the maximum number of clients, and doesn't use all available
features, it might require fewer resources. In general, the following key factors limit
performance of the overall system:
1. Disk I/O performance
2. Available memory
3. CPU
For best performance, use RAID 10 configurations for all data drives and a 1-Gbps
Ethernet network.
Site servers
When you install the site server and SQL Server on the same computer, the deployment
supports the maximum sizing and scale numbers for sites and clients. This configuration
can limit high availability options, like using a SQL Server Always On failover cluster
instance. If you have a larger environment, because of the higher I/O requirements to
support both roles on the same computer, consider using a remote SQL Server.
Site system role | CPU (cores) | Memory (GB) | Disk space (GB)
Management point | 4 | 8 | 50
For the best performance, place each object on a separate, dedicated RAID volume. For
all data volumes for Configuration Manager and its database files, use RAID 10 for the
best performance.
For the Windows system disk, see sizing guidance for the installed OS version.
For content on distribution points, it depends upon your deployments. This guidance
doesn't include the disk space required for the content library on the site server or
distribution points. For more information, see The content library.
When you plan for disk space requirements, consider the following guidelines:
Each client requires about 5-10 MB of space in the database. This number depends
upon the hierarchy type, the configuration, and the number of clients. The size can
be less for larger environments. Smaller sites have greater database usage per
client.
For the primary site's temp database, plan for a combined size that is 25% to 30%
of the site database .mdf file. The actual size can be smaller or larger. It depends
on the performance of the site server and the volume of incoming data over both
short and long periods of time.
Note
When you have 50,000 or more clients at a site, plan to use four or more temp
database .mdf files.
The temp database size for a central administration site is typically much smaller
than for a primary site.
If you use SQL Server Express for the secondary site database, it limits the database
size to 10 GB.
Clients
This section provides recommended hardware configurations for computers that you
manage by using Configuration Manager client software.
Processor and memory: Refer to the processor and RAM requirements for the OS.
Disk space: 500 MB of available disk space, with 5 GB recommended for the
Configuration Manager client cache. If you use customized settings to install the
Configuration Manager client, less disk space is required.
Use the client.msi property SMSCACHESIZE to set a cache size smaller than the
default of 5120 MB. The minimum size is 1 MB. The following example creates a
2-MB cache: CCMSetup.exe SMSCACHESIZE=2
Tip
Installing the client with minimal disk space is useful for Windows
Embedded devices that typically have smaller disk sizes than standard
Windows computers.
2 GB of disk space
Lab deployments
Use the following minimum hardware recommendations for lab and test deployments of
Configuration Manager. These recommendations apply to all site types, up to 100
clients:
Next steps
Site size and performance guidelines
Note
Customer usage data allows for testing current branch builds with the most
common scenarios, configurations, and settings for most customers. The
recommendations in this article are based on these averages. Your experiences may
vary based on your environment size and configuration. In general, Configuration
Manager requires common sense when it comes to objects and intervals. Just
because you can collect every file on a system, or set the interval for a cycle to one
minute, doesn't mean you should.
The following sections highlight some key settings and configurations to use when
testing and modeling processing needs for large enterprises. These guidelines help set
basic system performance expectations for the suggested hardware sizes.
Objects
Tests should use the upper average of the objects that large enterprises tend to use with
the system. Typical values are thousands of collections and applications, which are
deployed to hundreds of thousands of users or systems. Tests should run simultaneously
on all objects in the system at these limits. Many customers use several features, but
don't generally use all features of the product at these upper limits. Testing with all
product features helps ensure the best possible system-wide performance, and allows a
buffer for features that some customers may use above average.
Loads
Tests should also run on greater than standard average day loads, by doing simulations
that generate peak usage demands on the system. One example is simulating Patch
Tuesday rollouts, to make sure the system can return update compliance data promptly
during these days of peak activity. Another example is simulating site activity during a
widespread malware outbreak, to ensure timely notification and response are possible.
Although deployed machines of the recommended size may be underused on any given
day, more extreme situations require some processing buffer.
Configurations
Run testing on a range of physical, Hyper-V, and Azure hardware, with a mixture of
supported operating systems and SQL Server versions. Always validate the worst cases
for the supported configuration. In general, Hyper-V and Azure return comparable
performance results to equivalent physical hardware when configured similarly. Current
server operating systems tend to have performance that's equal to or better than earlier
OS versions. While all supported platforms meet the minimum requirements, usually the
latest versions of supporting products like Windows and SQL Server produce even
better performance.
The largest variation comes from the SQL Server versions in use. For more information
about SQL Server versions, see What version of SQL Server should I run?.
Hardware inventory
To test baseline performance, set hardware inventory collection to once per week, with
the default .mof file size plus approximately 20% other properties. Don't enable all
properties, and collect only properties you actually need. Pay special attention when
collecting properties, such as available virtual memory, that will always change with
every inventory cycle. Collecting these properties can cause excessive churn on every
inventory cycle from every client.
Software inventory
To test baseline performance, set software inventory collection to once per week, with
product only details. Collecting many files can place a significant strain on the inventory
subsystem. Avoid specifying filters that could end up collecting thousands of files across
many clients, such as *.exe or *.dll .
Collections
Baseline performance testing can include several thousand collections with different
kinds of scope, size, complexity, and update settings. Site performance isn't a direct
function of the sheer number of collections on a site. Performance is also a cross-
product of collections' query complexity, full and incremental updates and change
frequency, dependencies among collections, and numbers of clients in the collections.
Where possible, minimize collections that have expensive or complicated dynamic rule
queries. For collections that require these types of rules, set appropriate update intervals
and update times to minimize the effect of collection re-evaluation on the system. For
example, update at midnight instead of 8:00 AM.
When you enable incremental updates, reduce any scheduled full updates on the same
collections. They're only a backup method of evaluation, since incremental updates
should keep your collection membership updated in near real time. Best practices for
collections recommends a maximum number of total collections for incremental
updates, but as the article points out, your experience can vary based on many factors.
Collections with only direct membership rules and with a limiting collection that isn't
doing incremental updates don't need scheduled full updates. Disable update schedules
for these types of collections to prevent unnecessary load on the system. If the limiting
collection uses incremental updates, collections with only direct membership rules may
not reflect membership updates for up to 24 hours, or until a scheduled refresh takes
place.
While not a best practice, some organizations create hundreds or even thousands of
collections as part of various business processes. If you use automation to create
collections, it's important to enable any needed incremental updates correctly. Minimize
and spread out any full update schedules to avoid hot spots of collection evaluation
during a single time period. Establish a regular grooming process to delete unused
collections, especially if you automatically create collections that you no longer need
after some time.
Remember that Configuration Manager creates policies for all objects in your collections
when you target tasks like deployments to them. Membership changes, either through
scheduled refresh or incremental updates, can create much more work for the whole
system. The latest current branch builds have special policy optimizations for the All
Systems and All Users collections. When targeting your entire enterprise, use the built-in
collections instead of a clone of these built-in collections.
Discovery methods
For baseline performance testing, run server-based discovery methods once a week,
enabling delta discovery as appropriate to keep the data fresh during the week. The
tests should discover an object quantity proportional to the simulated enterprise size.
The performance baseline test for heartbeat discovery should also run once a week.
700k | CAS with database site role on the same server | 20+ | 128+ | 80% | 1800+ | 9000+ | 5000+
Note 1: Cores
Configuration Manager runs many simultaneous processes, so needs a certain minimum
number of CPU cores for various site sizes. While cores get faster each year, it's
important to ensure that a certain minimum number of cores work in parallel. In general,
any server-level CPU produced after 2015 meets the basic performance needs for the
cores specified in the table. Configuration Manager takes advantage of other cores
beyond the recommendations. Once you have the minimum suggested cores, prioritize
CPU resource investment to increase the speed of existing cores. Don't add more, slower
cores. For example, Configuration Manager has better performance on key processing
tasks with 16 fast cores than with 24 slower cores. This performance assumes that there
are enough other system resources like disk IOPS.
The relationship between cores and memory is also important. In general, having less
than 3-4 GB of RAM per core reduces the total processing capability on your SQL
Servers. You need more RAM per core when SQL Server is colocated with the site server
components.
Note
All testing sets machine power plans to allow maximum CPU power consumption
and performance.
Note 2: Memory for SQL Server
Use this value to configure the Maximum server memory (in MB) in the properties of
the SQL Server. It's the percentage of the total amount of memory available on the
server.
Don't configure the minimum and maximum values the same. This guidance is
specifically for the maximum memory that you should allow SQL Server to allocate.
Note 3: IOPS: Inboxes and IOPS: SQL
These values refer to the IOPS needs for the Configuration Manager and SQL Server
logical drives. The IOPS: Inboxes column shows the IOPS requirements for the logical
drive with the Configuration Manager inbox directories. The IOPS: SQL column shows
the total IOPS needs for the logical drive(s) that various SQL Server files use. These
columns are different because the two drives should have different formatting. For more
information and examples on suggested SQL Server disk configurations and file best
practices, including details on splitting files across multiple volumes, see the Site sizing
and performance FAQ.
Both of these IOPS columns use data from the industry-standard tool, Diskspd. See How
to measure disk performance for instructions on duplicating these measurements. In
general, once you meet basic CPU and memory requirements, the storage subsystem
has the largest effect on site performance, and improvements here will give the most
payback on investment.
For test results from different kinds of hardware configurations in lab environments, see
Example disk configurations. You can use the data for a rough starting point when
designing the storage subsystem for a new environment from scratch.
How to test disk IOPS
1. Download the Diskspd utility.
2. Make sure you have at least 100 GB of free disk space. Disable any apps that might
interfere or cause extra load on the disk, such as active antivirus scanning of the
directory, SQL, or SMSExec.
3. Run the tool twice in sequence for the volume that you want to test. The first test
uses a 64k block size with random write operations for one minute. This test validates
controller cache loading and disk space allocation, in case the volume is
dynamically expanding. Discard the results of the first test. The second test should
immediately follow the first test, and do the same load for five minutes.
For example, use the following specific command lines to test the G: volume.
Command
del G:\test\testfile.dat
4. Review the output from the second test to find the total IOPS in the I/O per s
column of the Total IO table. In the following example, the total IOPS are 3929.18.
Output
Total IO
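The four steps above, as an added example that is not part of the Configuration Manager documentation: the function runs the warm-up pass and the five-minute pass back to back on one volume, deletes the test file, and parses the I/O per s figure out of the total row of the Total IO table. It assumes diskspd.exe is on the PATH (or is passed in), and the workload flags (random, 100% write, 64K blocks, 100 GB test file, caching disabled) are my reading of the described test; the thread count and queue depth are assumptions, not values from the page.

```powershell
# Added example, not code from the Configuration Manager documentation.
# Runs the two-pass Diskspd test described above and returns the total IOPS from
# the second pass. Flags: -r random, -w100 all writes, -b64K block size, -c100G test
# file, -h no caching, -L latency stats. Thread/queue depth defaults are assumptions.
function Test-VolumeIops {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:$')][string]$Volume,  # e.g. 'G:'
        [string]$DiskspdPath   = 'diskspd.exe',
        [int]$Threads          = 8,
        [int]$OutstandingIo    = 8,
        [int]$WarmupSeconds    = 60,    # pass 1, discarded
        [int]$TestSeconds      = 300    # pass 2, the measurement
    )
    $testDir  = Join-Path $Volume 'test'
    $testFile = Join-Path $testDir 'testfile.dat'
    New-Item -ItemType Directory -Path $testDir -Force | Out-Null

    # Step 2: refuse to run without 100 GB free for the test file.
    $free = (Get-PSDrive -Name $Volume.TrimEnd(':')).Free
    if ($free -lt 100GB) {
        throw "Need at least 100 GB free on $Volume (have $([math]::Round($free / 1GB)) GB)."
    }

    $common = @('-r', '-w100', "-t$Threads", "-o$OutstandingIo", '-b64K', '-c100G', '-h', '-L')
    try {
        # Pass 1: loads the controller cache and allocates the file. Results discarded.
        & $DiskspdPath @common "-d$WarmupSeconds" $testFile | Out-Null
        # Pass 2: identical load, five minutes. This is the measurement we keep.
        $output = & $DiskspdPath @common "-d$TestSeconds" $testFile
    } finally {
        Remove-Item -Path $testFile -Force -ErrorAction SilentlyContinue   # the 'del' step
    }
    ConvertFrom-DiskspdTotalIops -Lines $output
}

# Step 4: pull "I/O per s" (fourth pipe-separated column) from the "total:" row
# that follows the "Total IO" header. Kept separate so it also works on saved output.
function ConvertFrom-DiskspdTotalIops {
    param([Parameter(Mandatory)][string[]]$Lines)
    $inTotal = $false
    foreach ($line in $Lines) {
        if ($line -match '^Total IO') { $inTotal = $true; continue }
        if ($inTotal -and $line -match '^total:') {
            return [double](($line -split '\|')[3].Trim())   # e.g. 3929.18
        }
    }
    throw 'No "total:" row found under "Total IO" in the Diskspd output.'
}

# Usage: Test-VolumeIops -Volume 'G:'
```

Run it once per logical drive you plan to use for inboxes and for SQL Server files, since the sizing tables quote separate IOPS figures for each.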
The following table shows the test results across various disk subsystems, including
spindle and SSD-based hard drives, in various test lab configurations. All configurations
format the disks with 64k clusters and attach them to an enterprise class disk controller.
In addition to the RAID array disk count, they each have at least one spare disk.
Disk type | Disk count (not including the +1 spare disk) | RAID | IOPS measured
The following table lists the specific devices used in this example. This information isn't a
recommendation for any specific hardware model or manufacturer.
Disk type | Model | Controller | Controller cache
15k RPM SAS HD | HP EH0300JDYTH | Smart Array P822 | 2 GB, 20% Read / 80% Write
SSD SATA | ATA MK0200GCTYV | Smart Array P420i | 1 GB, 20% Read / 80% Write
SSD SAS | HP MO0800 JEFPB | Smart Array P420i | 1 GB, 20% Read / 80% Write
All disks are formatted NTFS 64k cluster size, and rows with more than one disk are
configured as striped volumes via the Windows Disk Management utility.
For more information on the currently available disks, see Select a disk type for Azure
IaaS VMs.
See also
Site sizing and performance FAQ
Configuration Manager on Azure frequently asked questions
Size and scale numbers
Recommended hardware
Configuration Manager site sizing and performance FAQ
FAQ
This document addresses frequently asked questions about Configuration Manager site
sizing guidance and common performance issues.
For the volume hosting your site server inboxes, use NTFS with 4K or 8K allocation
units. ReFS writes 64k even for small files. Configuration Manager has many small files,
so ReFS can produce unnecessary disk overhead.
For disks containing SQL Server database files, use either NTFS or ReFS formatting, with
64K allocation units.
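A quick way to verify the two formatting rules above on an existing site server, as an added example that is not code from the Configuration Manager documentation: the function checks each volume's file system and allocation unit size against the expected values for its role. The drive letters are assumptions; substitute your own layout.

```powershell
# Added example, not code from the Configuration Manager documentation.
# Audits the inbox volume (expected NTFS, 4K or 8K clusters) and the SQL Server file
# volumes (expected NTFS or ReFS, 64K clusters). Drive letters are assumptions.
function Test-CmVolumeLayout {
    param(
        [string]$InboxDrive  = 'D',
        [string[]]$SqlDrives = @('E', 'F')
    )
    $checks = @(
        [pscustomobject]@{ Drive = $InboxDrive; Role = 'Site server inboxes'
                           FileSystems = @('NTFS');        ClusterSizes = @(4096, 8192) }
    ) + @($SqlDrives | ForEach-Object {
        [pscustomobject]@{ Drive = $_;          Role = 'SQL Server files'
                           FileSystems = @('NTFS', 'ReFS'); ClusterSizes = @(65536) }
    })

    foreach ($c in $checks) {
        $v = Get-Volume -DriveLetter $c.Drive -ErrorAction Stop
        $fsOk      = "$($v.FileSystemType)" -in $c.FileSystems
        $clusterOk = [int]$v.AllocationUnitSize -in $c.ClusterSizes
        [pscustomobject]@{
            Drive              = $c.Drive
            Role               = $c.Role
            FileSystem         = "$($v.FileSystemType)"
            AllocationUnitSize = $v.AllocationUnitSize
            Compliant          = ($fsOk -and $clusterOk)
            Expected           = "$($c.FileSystems -join '/') with $($c.ClusterSizes -join ' or ') byte clusters"
        }
    }
}

Test-CmVolumeLayout | Format-Table -AutoSize

# To lay out a new, EMPTY SQL Server data volume with 64K clusters (destructive):
# Format-Volume -DriveLetter E -FileSystem NTFS -AllocationUnitSize 65536 -Confirm:$false
```

A non-compliant row on a volume that already holds data can only be fixed by moving the data off, reformatting, and moving it back, so run this check before the site or database files land on the disk.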
Sizing guidelines for a colocated site server and SQL Server with 100,000 clients are 1200
IOPS for site server inboxes and 5000 IOPS for SQL Server files.
Drives: 2x10k | RAID: 1 | Format: - | Contains: Windows | Minimum IOPS needed: -
When running your Configuration Manager site server or SQL Server inside a VM, isolate
the Hyper-V host OS drives from the VM OS and data drives.
For more information about optimizing VMs, see Performance Tuning Hyper-V Servers.
Sizing guidelines for a colocated site server and SQL Server with 150,000 clients are 1800
IOPS for site server inboxes and 7400 IOPS for SQL Server files.
Azure infrastructure as a service (IaaS) VMs that leverage Premium Storage-based disks
can have high IOPS. On these VMs, configure additional disks for anticipated disk space
needs, rather than for additional IOPS.
Azure storage is inherently redundant and doesn't require multiple disks for availability.
You can stripe disks in Disk Manager or Storage Spaces to provide additional space and
performance.
Disks guidance
Sizing guidelines for a colocated site server and SQL Server with 50,000 clients are eight
cores, 32 GB, and 1200 IOPS for site server inboxes, and 2800 IOPS for SQL Server files.
Your resulting Azure machine might be a DS13v2 (eight cores, 56 GB) with the following
disk configuration:
Azure disk throughput is limited by the size of the VM. The configuration in the
preceding Azure example may limit future expansion or additional performance. If you
add additional disks during initial deployment of your Azure VM, you can upsize your
Azure VM for increased processing power in the future, with minimal upfront
investment. It's much simpler to plan ahead to increase site performance as
requirements change, instead of later needing to do a more complicated migration.
Change the disks in the preceding Azure example to see how the IOPS change.
DS13v2
If you need more performance in future, you can upsize your VM to a DS14v2, which will
double CPU and memory. The additional disk bandwidth allowed by that VM size will
also instantly boost the available disk IOPS on your previously configured disks.
DS14v2
Drives (1) | RAID | Format | Contains | Minimum IOPS needed | Approx. IOPS supplied (2)
Remote SQL Server requires the upfront and operational cost of an additional server,
but is typical among the majority of large-scale customers. Benefits of this configuration
include:
Colocated SQL Server requires a single server, and is typical for most small-scale
customers. Benefits of this configuration include:
Lower costs for machines, licenses, and maintenance
Fewer points of failure in the site
Better control for planning downtime
SQL Server memory allocation should be rounded to whole GB. Also, as RAM increases
to large amounts, you can let SQL Server have a higher percentage. For example, when
256 GB or more of RAM is available, you can configure SQL Server for up to 95%, as that
still preserves plenty of memory for the OS. Monitoring the page file is a good way to
ensure there is enough memory for the OS and any Configuration Manager processes.
If you see unusual timeouts or slowness on certain SQL queries on SQL Server 2016 or
later, such as when using RBAC in the Admin Console, try changing the SQL Server
compatibility level on the Configuration Manager database to 110. Running at SQL
Server compatibility level 110 on SQL Server 2014 and newer versions of SQL Server is
fully supported. For more information, see SQL query times out or console slow on
certain Configuration Manager database queries.
As of January 2018, you should avoid the following SQL Server versions, because of
various known performance-related or other potential issues:
SQL Server 2012 SP3 CU1 to CU5
SQL Server 2014 SP1 CU6 to SP2 CU2
SQL Server 2016 RTM to CU3, SP1 CU3 to CU5
There's one situation where a full SQL Server installation might be needed. If you have a
large number of distribution points and packages or sources in your environment, it's
possible to exceed the 10-GB size limit of SQL Server Express. If the number of packages
times the number of distribution points is more than 4,000,000, such as 2,000 DPs with
2,000 pieces of content, consider using full SQL Server at your secondary sites.
On SQL Servers with greater than eight cores, start with a setting of 0, and only make
changes if you experience performance issues or excessive locking. If you need to
change MaxDOP because you are encountering performance issues at 0, start with a
new value at least greater than or equal to the minimum recommended number of
cores for that site's SQL Server sizing. Going lower than this value nearly always has
negative performance implications. For example, a remote SQL Server for a 100,000
client site needs at least 12 cores. If your SQL Server has 16 cores, start testing your
MaxDOP setting with a value of 12.
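The memory and MaxDOP guidance above both come down to sp_configure changes on the site database instance. The following function is an added example, not code from the Configuration Manager documentation: it derives max server memory from the sizing table's percentage of physical RAM, rounded down to whole GB, refuses a MaxDOP below the site's minimum recommended core count, applies both settings and reads them back. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd), sysadmin rights, and that it runs on the SQL Server host so the RAM and core figures are that host's; the instance name, percentage and core figures are inputs you take from the tables.

```powershell
# Added example, not code from the Configuration Manager documentation.
# Sets max server memory (percentage of RAM, whole GB) and MaxDOP on the site database
# instance per the guidance above. Leaves min server memory alone, as advised.
# Assumes the SqlServer module, sysadmin rights, and execution on the SQL Server host.
function Set-CmSqlServerSizing {
    param(
        [string]$Instance = 'localhost',
        [ValidateRange(1, 95)][int]$SqlMemoryPercent = 80,   # e.g. 80% from the sizing row
        [int]$MaxDop = 0,                                     # 0 = let SQL Server decide
        [int]$MinRecommendedCores = 12,                       # e.g. remote SQL, 100k clients
        [switch]$WhatIf                                       # return the T-SQL instead of running it
    )
    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem
    $totalGB  = [math]::Floor($cs.TotalPhysicalMemory / 1GB)
    $cores    = $cs.NumberOfLogicalProcessors
    $maxMemGB = [math]::Floor($totalGB * $SqlMemoryPercent / 100)   # whole GB, per the FAQ
    $maxMemMB = $maxMemGB * 1024

    # Going below the site's minimum recommended cores nearly always hurts performance.
    if ($MaxDop -ne 0 -and $MaxDop -lt $MinRecommendedCores) {
        throw "MaxDOP $MaxDop is below the $MinRecommendedCores cores recommended for this site size."
    }
    if ($MaxDop -gt $cores) {
        throw "MaxDOP $MaxDop exceeds the $cores logical processors on this host."
    }

    $sql = @"
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'max server memory (MB)', $maxMemMB;  RECONFIGURE;
EXEC sp_configure 'max degree of parallelism', $MaxDop;  RECONFIGURE;
SELECT name, value_in_use FROM sys.configurations
WHERE name IN ('max server memory (MB)', 'min server memory (MB)', 'max degree of parallelism');
"@
    if ($WhatIf) { return $sql }
    $result = Invoke-Sqlcmd -ServerInstance $Instance -Query $sql

    # The guidance says never to set minimum and maximum equal; warn if they collide.
    $min = ($result | Where-Object name -eq 'min server memory (MB)').value_in_use
    $max = ($result | Where-Object name -eq 'max server memory (MB)').value_in_use
    if ([int64]$min -ge [int64]$max) {
        Write-Warning "min server memory ($min MB) is not below max ($max MB); lower the minimum."
    }
    $result
}

# 16-core remote SQL Server for a 100,000-client site: start MaxDOP at the 12-core minimum.
# Set-CmSqlServerSizing -Instance 'SQL01' -SqlMemoryPercent 80 -MaxDop 12 -MinRecommendedCores 12
```

Use -WhatIf first to review the generated T-SQL; the memory value is computed from the host the script runs on, so running it from a remote workstation would size against the wrong machine.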
Also make sure you have the latest updates installed for the operating system running
WSUS:
Windows Server 2012: Any non-"Security only" cumulative update released
October 2017 or later (KB4041690).
Windows Server 2012 R2: Any non-"Security only" cumulative update released
August 2017 or later (KB4039871).
Windows Server 2016: Any non-"Security only" cumulative update released August
2017 or later (KB4039396).
See also
Site sizing and performance guidelines
Configuration Manager on Azure frequently asked questions
Choose a device management solution
Article • 03/31/2023
Microsoft offers different solutions for managing PCs, servers, and devices. These
solutions are available on-premises, cloud-based, or a combination of both. Choose the
solution that's right for the business requirements of your organization. Base your
decision on the device platforms you need to manage and the management
functionality you need.
Overview
There are several Microsoft solutions that might work best for you in different scenarios.
You don't need to choose just one.
For a small organization, a tool like Windows Admin Center may be a
great fit.
Approximately 75% of IT organizations use Configuration Manager to manage
their devices.
Microsoft Azure provides various solutions from the cloud or on-premises with
Azure Arc and Azure Stack that primarily target server management.
Microsoft Intune provides cloud management of clients.
You can combine Configuration Manager and Intune with co-management.
You can use Security Management for Microsoft Defender for Endpoint (MDE) to
manage security settings for devices utilizing Microsoft Defender for Endpoint.
Windows 10/11 | Intune, Configuration Manager | Intune, Configuration Manager | Intune, Configuration Manager
For more information on the Configuration Manager and Intune solutions, continue to
the next section.
Client management
This section compares the following four client management solutions:
There are also two tables that compare the management solutions by the following
factors:
For more information, see Security Management for Microsoft Defender for Endpoint
(MDE).
For more information, see Manage mobile devices with Configuration Manager and
Exchange.
Windows Embedded | Yes
Supported operating systems for clients and devices for Configuration Manager
Intune supported configurations
Microsoft recommends using Intune to manage Android, iOS, and Windows 10/11
mobile devices. For more information, see What is Microsoft Intune?.
OS deployment | Yes
Before installing the first site of a new Configuration Manager hierarchy, it's a good idea
to understand:
The types of available sites and their relationships with each other
The content management options that can reduce the number of sites you need to
install
Then plan a topology that efficiently serves your current business needs and can later
expand to manage future growth.
When planning, keep in mind limitations for adding additional sites to a hierarchy or a
stand-alone site:
Install a new primary site below a central administration site, up to the supported
number of primary sites for the hierarchy.
Install new secondary sites below a primary site, up to the supported limit for the
primary site and overall hierarchy.
You can't add a previously installed site to an existing hierarchy to merge two
standalone sites. Configuration Manager only supports installation of new sites to
an existing hierarchy of sites.
Hierarchy topology
Hierarchy topologies range from:
Most complex: A group of connected primary and secondary sites with a central
administration site at the top-level site of the hierarchy
The key driver of the type and count of sites that you use in a hierarchy is usually the
number and type of devices you must support.
Simplified client site assignment and discovery of available resources and services
Option to expand a standalone primary site into a larger hierarchy with a central
administration site. This option enables you to then install new primary sites to
expand the scale of your deployment.
It supports up to 25 primary sites that enable you to extend the scale of your
hierarchy.
You always use the central administration site, unless you reinstall your sites. This
option is permanent. You can't detach a child primary site to make it a standalone
primary site.
The following information can help you decide when to install a central administration
site:
When you configure a hierarchy that has more than one primary site, install a
central administration site.
If you immediately need two or more primary sites, install the central
administration site first.
When you already have a primary site, and want to then install a central
administration site, expand the stand-alone primary site to install the central
administration site.
The central administration site supports only primary sites as child sites.
The central administration site doesn't support site system roles that directly
support clients, such as management points and distribution points.
Manage all clients in the hierarchy and perform all site management tasks from the
Configuration Manager console that is connected to the central administration site.
These tasks include installing management points or other site system roles at
child primary or secondary sites.
When you use a central administration site, it's the only place where you see site
data from all sites in your hierarchy. This data includes information such as
inventory data and status messages.
The following information can help you decide when to install a primary site:
A primary site can be a standalone primary site or a child primary site in a larger
hierarchy. When a primary site is a member of a hierarchy with a central
administration site, the sites use database replication to replicate data between the
sites. Unless you need to support more clients and devices than a single primary
site supports, consider installing a standalone primary site. After you install a
standalone primary site, expand it if needed in the future to report to a new central
administration site to scale up your deployment.
A primary site supports only a central administration site as a parent site.
A primary site supports only secondary sites as child sites, and supports multiple
secondary sites.
Primary sites are responsible for processing all client data from their assigned
clients.
You manage a secondary site from a central administration site or the secondary site's
direct parent primary site. Secondary sites are attached to a primary site. You can't move
them to a different parent site without uninstalling them and then reinstalling them as a
child site below the new primary site.
However, you can route content between two peer secondary sites to help manage the
file-based replication of deployment content. To transfer client data to a primary site,
the secondary site uses file-based replication. A secondary site also uses database
replication to communicate with its parent primary site.
You're required to manage the transfer of deployment content to sites lower in the
hierarchy.
You're required to manage client information that's sent to sites higher in the
hierarchy.
If you don't want to install a secondary site, and you have clients in remote locations,
consider the following options:
The following information can help you decide when to install a secondary site:
If a local instance of SQL Server isn't available, secondary site servers automatically
install SQL Server Express during site installation.
Secondary sites use a subset of the information in the site database. This behavior
reduces the amount of data that SQL Server replicates between the parent primary
site and secondary site.
Secondary sites support the routing of file-based content to other secondary sites
that have a common parent primary site.
Windows BranchCache
If any of the following conditions apply, consider deploying a distribution point instead
of installing another site:
Your network bandwidth is sufficient for client computers at the remote location to
communicate with a management point at the primary site. Clients communicate
with a management point to download client policy, send inventory, send
reporting status, and send discovery information.
Which site system roles provide services or capabilities from different sites in the
hierarchy?
The following common considerations are covered in separate articles. This information
is important to influence or be influenced by your hierarchy design:
When you're preparing to Manage computers and devices, consider whether the
devices are on-premises, in the cloud, or include user-owned devices (BYOD).
Additionally, consider how you'll manage devices that support multiple
management options. For example, manage Windows devices with Configuration
Manager or through integration with Microsoft Intune. For more information, see
Choose a device management solution.
Understand how your available network infrastructure might affect the flow of data
between remote locations. For more information, see Prepare your network
environment. Also consider the geographic location of your users and devices, and
whether they access your infrastructure through your on-premises network or the
internet.
Plan for a content infrastructure to efficiently distribute the content you deploy to
devices you manage. This content may be applications, software updates, or
operating systems. For more information, see Manage content and content
infrastructure.
Next steps
Review the following articles for site-specific configurations:
Extend the Active Directory schema and configure sites to publish site data
About
The SMS Provider is a Windows Management Instrumentation (WMI) provider that
assigns read and write access to the Configuration Manager database at a site.
Each CAS and primary site requires at least one SMS Provider. You can install more
providers as needed.
The SMS Admins security group provides access to the SMS Provider.
Configuration Manager automatically creates this group on the site server, and on
each computer where you install an instance of the SMS Provider. For more
information, see SMS Admins.
The SMS Provider helps enforce Configuration Manager security. It returns only the
information that the console user is authorized to view.
The SMS Provider also provides API interoperability access over HTTPS, called the
administration service. This REST API can be used in place of a custom web service to
access information from the site. For more information, see What is the administration
service?.
Important
When each instance of the SMS Provider for a site is offline, Configuration Manager
consoles can't connect to the site.
For more information about how to manage the SMS Provider, see Manage the SMS
Provider.
Prerequisites
The SMS Provider has the following prerequisites:
In the same domain as the site server and the site database site systems
At least 650 MB of free disk space to support the Windows ADK components. For
more information about Windows ADK and the SMS Provider, see OS deployment
requirements.
Starting in version 2107, the SMS Provider requires .NET version 4.6.2, and
version 4.8 is recommended. In version 2103 and earlier, this role requires .NET
4.5 or later. For more information, see Site and site system prerequisites.
In version 2006 and earlier, enable the Windows server role Web Server (IIS).
Starting in version 2010, this role is no longer required.
Locations
When you install a site, you automatically install the first SMS Provider for the site. You
can specify any of the following supported locations for the SMS Provider:
2. Select a site from the list, and then choose Properties in the ribbon.
3. On the General tab of the site Properties, view the SMS Provider location field.
Each SMS Provider supports simultaneous connections from multiple requests. The only
limitations on these connections are the number of server connections that are available
to Windows, and the available resources on the server to service the connection
requests.
After you install a site, you can run Configuration Manager setup on the site server
again. Use setup to change the location of an existing SMS Provider, or to install more
SMS Providers at that site. Install only one SMS Provider on a computer. A computer
can't host an SMS Provider from more than one site.
Choosing a location
The following sections describe the advantages and disadvantages of installing an SMS
Provider on each supported location:
The SMS Provider doesn't use the system resources of the site database
computer.
This location can provide better performance than an SMS Provider located on a
computer other than the site server or site database computer.
Disadvantages:
The SMS Provider uses system and network resources that could be dedicated
to site server operations.
Advantages:
The SMS Provider doesn't use system resources on the site server.
This location can provide the best performance of the three locations, if
sufficient server resources are available.
Disadvantages:
The SMS Provider uses system and network resources that could be dedicated
to site database operations.
When the site database is hosted on a clustered instance of SQL Server, you
can't use this location.
The SMS Provider doesn't use site server or site database system resources.
This type of location lets you deploy more SMS Providers to provide high
availability for connections.
Disadvantages:
This server must be always accessible to the site database server, and to all
computers with the Configuration Manager console installed.
This location can use system resources that would otherwise be dedicated to
other services.
Authentication
You can specify the minimum authentication level for administrators to access
Configuration Manager sites. This feature requires administrators to sign in to Windows
at the required level before they can access Configuration Manager. It applies to all
components that access the SMS Provider, for example the Configuration Manager
console, SDK methods, and Windows PowerShell cmdlets.
Important
When you select this setting, the SMS Provider and administration service
require the user's authentication token to contain a multi-factor
authentication (MFA) claim from Windows Hello for Business. In other words,
a user of the console, SDK, PowerShell, or administration service has to
authenticate to Windows with their Windows Hello for Business PIN or
biometric. Otherwise the site rejects the user's action.
This behavior is for Windows Hello for Business, not Windows Hello.
For more information on how to configure this setting, see Configure SMS Provider
authentication.
When Configuration Manager stores data for an object in the database, the available
languages depend on the following factors:
Configuration Manager stores objects that it creates by using support for multiple
languages. It stores the object in the site database by using the languages that you
configure for the site when you run setup. The Configuration Manager console
displays these objects in the display language of the requesting computer, when
that language is available for the object. If the console can't display the object in
the display language of the requesting computer, it displays the object in the
default language, which is English.
Consider installing more SMS Providers when any of the following are true:
Many administrative users need to use the Configuration Manager console and
connect to a site at the same time.
You use the Configuration Manager SDK, or other products, that might introduce
frequent calls to the SMS Provider.
You have a business requirement for high availability of the SMS Provider.
When you install multiple SMS Providers at a site, and a connection request is made, the
site randomly assigns each new connection request to use an installed SMS Provider.
You can't specify the SMS Provider to use with a specific connection session.
Note
Consider the advantages and disadvantages of each SMS Provider location. For
more information, see Locations. Balance these considerations with the information
that you can't control which SMS Provider is used for each new connection.
When you first connect a Configuration Manager console to a site, the connection
queries WMI on the site server. This query identifies an instance of the SMS Provider
that the console uses. This specific instance of the SMS Provider remains in use by the
console until the session ends. If the session ends because the SMS Provider server is
unavailable on the network, when you reconnect the console to the site, it repeats the
initial query. It's possible the site assigns the same SMS Provider instance that's not
available. If this behavior occurs, attempt to reconnect the console until the site returns
an available SMS Provider.
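The initial WMI query described above is something you can run yourself. The following script is an added example, not code from the Configuration Manager documentation or product: it reads the SMS_ProviderLocation class in the root\sms namespace of the site server to list every provider registered for the site, checks that each provider host answers WinRM (an unreachable host is what produces the intermittent console connection failures described above), and lists the members of the local SMS Admins group on each host, since that group is what grants provider access. The site server name is a placeholder; the script assumes the caller is a member of SMS Admins and that PowerShell remoting to the provider hosts is permitted.

```powershell
# Added example (not from the Configuration Manager docs or product): audit the SMS
# Providers registered for a site and the SMS Admins group on each provider host.
# Assumptions: $SiteServer is a placeholder FQDN, the caller is in SMS Admins, and
# PowerShell remoting to each provider host is allowed.
function Get-SmsProviderAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SiteServer   # placeholder: your site server FQDN
    )

    # SMS_ProviderLocation in root\sms lists every provider registered for each site code.
    $providers = Get-CimInstance -ComputerName $SiteServer -Namespace 'root\sms' `
        -ClassName 'SMS_ProviderLocation'

    foreach ($p in $providers) {
        $providerHost = $p.Machine

        # The site hands out providers at random, so an unreachable provider host shows
        # up as intermittent console connection failures. Check that it answers WinRM.
        $reachable = [bool](Test-WSMan -ComputerName $providerHost -ErrorAction SilentlyContinue)

        # Membership of the local SMS Admins group is what grants access to this provider;
        # list it so that unexpected principals stand out.
        $members = @()
        if ($reachable) {
            $members = Invoke-Command -ComputerName $providerHost -ScriptBlock {
                Get-LocalGroupMember -Group 'SMS Admins' |
                    Select-Object -ExpandProperty Name
            }
        }

        [pscustomobject]@{
            SiteCode     = $p.SiteCode
            ProviderHost = $providerHost
            Namespace    = $p.NamespacePath
            ForLocalSite = $p.ProviderForLocalSite
            Reachable    = $reachable
            SmsAdmins    = ($members -join '; ')
        }
    }
}

# Usage (placeholder site server name):
# Get-SmsProviderAudit -SiteServer 'cm01.contoso.example' | Format-Table -AutoSize
```

Run it periodically from a management workstation and compare the SmsAdmins column against the list of administrative users you expect; a provider host that is registered but not reachable is also worth removing or repairing, because the site will keep assigning new console sessions to it.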
OS deployment requirements
The computer where you install an instance of the SMS Provider requires a supported
version of the Windows ADK.
For more information about this requirement, see Infrastructure requirements for OS
deployment and Support for the Windows ADK.
When you manage OS deployments, the Windows ADK allows the SMS Provider to
complete various tasks, such as:
The Windows ADK installation can require up to 650 MB of free disk space on each
computer that installs the SMS Provider. This high disk space requirement is necessary
for Configuration Manager to install the Windows PE boot images.
Administration service
The SMS Provider provides API interoperability access over an HTTPS OData connection,
called the administration service. This REST API can be used in place of a custom web
service to access information from the site.
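As an added example (not the product's own code), here is how a script can consume the administration service described above and earlier under About: it calls the WMI-backed OData route of the service over HTTPS with the caller's Windows credentials, so the service returns only what that identity is authorized to view, and it reads the SMS_Site class to list the sites in the hierarchy. The provider host name is a placeholder; the /AdminService/wmi/<ClassName> route and the SMS_Site property names are the ones this example assumes.

```powershell
# Added example (not the product's own code): query the administration service over
# HTTPS with the caller's Windows credentials and list the sites in the hierarchy.
# Assumptions: $ProviderFqdn is a placeholder for the SMS Provider host, and the
# WMI-backed OData route /AdminService/wmi/<ClassName> is the one used here.
function Get-CMSiteViaAdminService {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ProviderFqdn   # placeholder, e.g. cm01.contoso.example
    )

    $uri = "https://$ProviderFqdn/AdminService/wmi/SMS_Site"

    # -UseDefaultCredentials sends the caller's Windows identity, so the service returns
    # only what that identity is authorized to view. The HTTPS certificate must chain to
    # a CA this machine trusts; fix the trust rather than skipping certificate validation.
    $response = Invoke-RestMethod -Uri $uri -Method Get -UseDefaultCredentials

    # OData wraps the entity collection in a "value" array.
    $response.value | Select-Object SiteCode, SiteName, Type, ServerName
}

# Usage (placeholder provider host):
# Get-CMSiteViaAdminService -ProviderFqdn 'cm01.contoso.example'
```

Because the call carries the caller's own token, the authentication setting described under Authentication applies here too: if the site requires a multi-factor claim, the script must run in a Windows session that signed in with Windows Hello for Business or the service rejects the request.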
Next steps
Manage the SMS Provider
The site database server is a computer that runs a supported version of Microsoft SQL
Server. SQL Server is used to store information for Configuration Manager sites. Each
site in a Configuration Manager hierarchy contains a site database and a server that is
assigned the site database server role.
For central administration sites and primary sites, you can install SQL Server on the
site server, or you can install SQL Server on a computer other than the site server.
For secondary sites, you can use SQL Server Express instead of a full SQL Server
installation. The database server must, however, be run on the secondary site
server.
For SQL Server Always On availability groups, set the database recovery model to
FULL.
For more information on SQL Server recovery models, see Recovery Models
(SQL Server).
The following SQL Server configurations can be used to host the site database:
To host the site database, the SQL Server must meet the requirements detailed in
Support for SQL Server versions for Configuration Manager.
Each computer that runs the SMS Provider and that connects to the site database
increases network bandwidth requirements.
The computer that runs SQL Server must be located in a domain that has two-way
trust with the site server and all computers running the SMS Provider.
You can't use a failover cluster instance of SQL Server for the site database server
when the site database is co-located with the site server.
Typically, a site system server supports site system roles from only a single Configuration
Manager site. You can, however, use different instances of SQL Server to host a database
from different Configuration Manager sites. To support databases from different sites,
configure each instance of SQL Server to use unique ports for communication.
Plan for site system servers and site system roles in Configuration Manager
Article • 10/04/2022
Each Configuration Manager site you install includes a site server that's a site system
server. The site can also include additional site system servers on computers that are
remote from the site server. Site system servers (the site server or a remote site system
server) support site system roles.
When considering the addition of a site system server, ensure the server meets
prerequisites for the intended use. Also add it on a network location that has sufficient
bandwidth to communicate with expected endpoints. These endpoints include the site
server, domain resources, a cloud-based location, site system servers, and clients.
Additional management points so that the site can support more devices, up to
the site's supported capacity.
One or more feature-specific site system roles. For example, a software update
point lets you manage software updates for managed devices. A reporting services
point lets you run reports to monitor, understand, and share information about
your environment.
Different Configuration Manager sites can support different sets of site system roles. The
supported set of site system roles depends on the type of site. (The types of sites
include a central administration site, primary sites, or secondary sites.) The topology of
your hierarchy can limit the placement of some roles at certain site types. For example,
the service connection point is only supported at the top-tier site of the hierarchy. The
top-tier site might be a central administration site or a standalone primary site. This role
isn't supported at a child primary site or at secondary sites.
After a site installs, you can move the location of some site system roles from their
default location on the site server to another server. For example, the management
point or distribution point roles install by default on a primary or secondary site server.
Also install additional instances of some site system roles to expand the capabilities of
your site, and to meet your business requirements. Some roles are required, while others
are optional.
SMS Provider
The site assigns this role to each computer that hosts an instance of the SMS Provider.
The provider is the interface between a Configuration Manager console and the site
database. By default, this role automatically installs on the site server of a central
administration site and primary sites. Install additional instances at each site to provide
access to additional administrative users or for redundancy.
To install additional providers, run Configuration Manager setup to Manage the SMS
Provider. Then install additional providers on additional computers. Only install one
instance of the SMS Provider on a computer. That computer must be in the same
domain as the site server.
A site system role that connects to Microsoft to download information for the Asset
Intelligence catalog. This role also uploads uncategorized titles, so that Microsoft can
consider them for future inclusion in the catalog. A hierarchy supports only a single
instance of this role at the top-tier site of your hierarchy. If you expand a standalone
primary site into a larger hierarchy, uninstall this role from the primary site. Then install
it at the central administration site.
A site system role that communicates with a server that runs the Network Device
Enrollment Service (NDES). This role manages device certificate requests that use the
Simple Certificate Enrollment Protocol (SCEP). This role is supported only at primary sites
and the central administration site.
Although a single certificate registration point can provide functionality to an entire
hierarchy, you may want to install multiple instances of this role at a site, and at multiple
sites in the same hierarchy. This design helps with load balancing. When multiple
instances exist in a hierarchy, clients are randomly assigned to one of the certificate
registration points.
Each certificate registration point requires access to a separate NDES instance. You can't
configure two or more certificate registration points to use the same NDES instance.
Additionally, don't install the certificate registration point on the same server that runs
NDES.
Distribution point
A site system role that contains source files for clients to download, for example:
Application content
Software packages
Software updates
OS images
Boot images
By default, this role installs on the site server when you install a new primary or
secondary site. This role isn't supported at a central administration site. Install multiple
instances of this role at a supported site, and at multiple sites in the same hierarchy. For
more information, see Fundamental concepts for content management, and Manage
content and content infrastructure.
Enrollment point
Important
With the deprecation of on-premises MDM and the Configuration Manager client
for macOS, this site system role is also deprecated. For more information, see
Removed and deprecated features for Configuration Manager.
A site system role that uses PKI certificates for Configuration Manager to enroll mobile
devices and macOS computers. Although this role is supported only at primary sites, you
can install multiple instances of this role at a site, or at multiple sites in the same
hierarchy.
If a user enrolls mobile devices by using Configuration Manager, and the user's Active
Directory account is in a forest that's untrusted by the site server's forest, install an
enrollment point in the user's forest. Then Configuration Manager can authenticate the
user.
Important
With the deprecation of on-premises MDM and the Configuration Manager client
for macOS, this site system role is also deprecated. For more information, see
Removed and deprecated features for Configuration Manager.
A site system role that manages Configuration Manager enrollment requests from
mobile devices and macOS computers. Although this role is supported only at primary
sites, you can install multiple instances of this role at a site, or at multiple sites in the
same hierarchy.
When you support mobile devices on the internet, install an enrollment proxy point in a
perimeter network, and install one on the intranet.
Management point
A site system role that provides policy and service location information to clients. It also
receives configuration data from clients.
By default, this role installs on the site server when you install a new primary or
secondary site. Primary sites support multiple instances of this role. Secondary sites
support a single management point. Also referred to as a proxy management point, this
role at a secondary site provides a local point of contact for clients to obtain computer
and user policies.
Set up management points to support either HTTP or HTTPS. They can also support
mobile devices that you manage with Configuration Manager on-premises mobile
device management (MDM). To help reduce the processing load placed on the site
database server by management points as they service requests from clients, use
Database replicas for management points.
Important
Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.
Install this site system at the central administration site to synchronize with WSUS.
Set up each instance of this role at child primary sites to synchronize with the
central administration site.
When data transfer across the network is slow, consider installing a software
update point in secondary sites.
Next steps
Some Configuration Manager site system roles require connections to the internet. If
your environment requires internet traffic to use a proxy server, configure these site
system roles to use the proxy. For more information, see Proxy server support.
Fundamental concepts for content management in Configuration Manager
Article • 10/04/2022
Tip
For more information about the content distribution process and to find help in
diagnosing and resolving general content distribution problems, see
Understanding and Troubleshooting Content Distribution in Microsoft
Configuration Manager .
The following sections are key concepts for content management. When a concept
requires additional or complex information, links are provided to direct you to those
details.
This account is also used by pull-distribution points to download content from a source
distribution point in a remote forest.
Some scenarios no longer require a network access account. You can enable the site to
use Enhanced HTTP with Azure Active Directory authentication.
BDR minimizes the network bandwidth used to send updates for distributed content. It
resends only the new or changed content instead of sending the entire set of content
source files each time you change those files.
When BDR is used, Configuration Manager identifies the changes that occur to source
files for each set of content that you previously distributed.
When files in the source content change, the site creates a new incremental version
of the content. It then replicates only the changed files to destination sites and
distribution points. A file is considered changed if you renamed or moved it, or if
you changed the contents of the file. For example, if you replace a single driver file
for a driver package that you previously distributed to several sites, only the
changed driver file is replicated.
Configuration Manager supports up to five incremental versions of a content set
before it resends the entire content set. After the fifth update, the next change to
the content set causes the site to create a new version of the content set.
Configuration Manager then distributes the new version of the content set to
replace the previous set and any of its incremental versions. After the new content
set is distributed, later incremental changes to the source files are again replicated
by BDR.
BDR is supported between each parent and child site in a hierarchy. BDR is supported
within a site between the site server and its regular distribution points. However, pull-
distribution points and content-enabled cloud management gateways don't support
BDR to transfer content. Pull-distribution points support file-level deltas, transferring
new files, but not blocks within a file.
Applications always use binary differential replication. BDR is optional for packages and
isn't enabled by default. To use BDR for packages, enable this functionality for each
package. Select the option Enable binary differential replication when you create or
edit a package.
File-level differences
On by default, not configurable
When a package changes, the site checks for changes to the individual files instead
of the entire package.
If a file changes, use BDR to do the work
If there's a new file, copy the new file
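The versioning rule described above (changed, renamed or moved files are replicated incrementally, and the sixth change after five incremental versions forces a full resend of the content set) can be modelled in a few lines. The following is an added example written for this article, not Configuration Manager's own replication code: it hashes every file under a content source into a snapshot, compares two snapshots to find what would be replicated, and tracks the incremental version count. The folder path is a placeholder, and the function names, the returned object shape and the way the version counter is carried between calls are assumptions of this model.

```powershell
# Added example (a model written for this article, not Configuration Manager's own
# code) of the versioning rule the text describes for binary differential replication.
# A snapshot hashes each file under a content source; comparing two snapshots yields
# the files to replicate (new, changed in content, or renamed/moved, which appear under
# a new path). Each change is one incremental version; once five exist, the next change
# is a full resend. Function names, return shape and $IncrementalVersions bookkeeping
# are assumptions of this model.
function Get-ContentSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $root = (Resolve-Path -Path $Path).Path
    $snapshot = @{}
    Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        # Key by path relative to the source root, so a rename or move shows as a new key.
        $relative = $_.FullName.Substring($root.Length).TrimStart('\', '/')
        $snapshot[$relative] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $snapshot
}

function Compare-ContentSnapshot {
    param(
        [Parameter(Mandatory)][hashtable]$Previous,
        [Parameter(Mandatory)][hashtable]$Current,
        [int]$IncrementalVersions = 0,        # versions already sent since the last full set
        [int]$MaxIncrementalVersions = 5      # limit stated in the text
    )
    # A file counts as changed if it is new under this path or its content hash differs.
    $changed = @($Current.Keys | Where-Object {
        -not $Previous.ContainsKey($_) -or $Previous[$_] -ne $Current[$_]
    } | Sort-Object)
    # Removed (or the old path of a renamed file): nothing to transfer, but the set changed.
    $removed = @($Previous.Keys | Where-Object { -not $Current.ContainsKey($_) } | Sort-Object)

    if ($changed.Count -eq 0 -and $removed.Count -eq 0) {
        return [pscustomobject]@{ Action = 'NoChange'; Files = @(); Removed = @();
                                  IncrementalVersions = $IncrementalVersions }
    }
    if ($IncrementalVersions -ge $MaxIncrementalVersions) {
        # Sixth change: send the whole set and start counting incremental versions again.
        return [pscustomobject]@{ Action = 'FullResend'; Files = @($Current.Keys | Sort-Object);
                                  Removed = $removed; IncrementalVersions = 0 }
    }
    return [pscustomobject]@{ Action = 'Incremental'; Files = $changed; Removed = $removed;
                              IncrementalVersions = $IncrementalVersions + 1 }
}

# Usage (placeholder path): snapshot the source before and after replacing one driver
# file, then compare. Carry the returned IncrementalVersions into the next comparison.
# $before = Get-ContentSnapshot -Path 'C:\Sources\Drivers\Model1'
# $after  = Get-ContentSnapshot -Path 'C:\Sources\Drivers\Model1'
# Compare-ContentSnapshot -Previous $before -Current $after -IncrementalVersions 0
```

Replacing a single driver file yields an Incremental result whose Files list contains only that file, which is the behaviour the driver package example above describes; renaming a file yields the new name under Files and the old name under Removed, matching the rule that a renamed or moved file is treated as changed.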
                 BranchCache                      Delivery Optimization           Configuration Manager peer cache
Reporting        Client data sources dashboard    Client data sources dashboard   Client data sources dashboard
Policy control   Client agent settings (partial)  Client agent settings           Client agent settings
Recommendations
Modern management: If you're already using modern tools such as Intune,
implement Delivery Optimization
Configuration Manager and co-management: Use a combination of peer cache
and Delivery Optimization. Use peer cache with on-premises distribution points,
and use Delivery Optimization for cloud scenarios.
Existing BranchCache implemented: Use all three technologies in parallel. Use peer
cache and Delivery Optimization for scenarios that aren't supported by
BranchCache.
BranchCache
BranchCache is a Windows technology. Clients that support BranchCache, and have
downloaded a deployment that you configure for BranchCache, then serve as a content
source to other BranchCache-enabled clients.
For example, you have a distribution point that runs Windows Server 2012 or later, and
is configured as a BranchCache server. When the first BranchCache-enabled client
requests content from this server, the client downloads that content and caches it.
That client then makes the content available for additional BranchCache-enabled
clients on the same subnet that also cache the content.
Other clients on the same subnet don't have to download content from the
distribution point.
The content is distributed across multiple clients for future transfers.
Delivery Optimization
You use Configuration Manager boundary groups to define and regulate content
distribution across your corporate network and to remote offices. Windows Delivery
Optimization is a cloud-based, peer-to-peer technology to share content between
Windows 10 or later devices. Configure Delivery Optimization to use your boundary
groups when sharing content among peers. Client settings apply the boundary group
identifier as the Delivery Optimization group identifier on the client. When the client
communicates with the Delivery Optimization cloud service, it uses this identifier to
locate peers with the content. For more information, see delivery optimization client
settings.
This cache server acts as an on-demand transparent cache for content downloaded by
Delivery Optimization. Use client settings to make sure this server is offered only to the
members of the local Configuration Manager boundary group.
This cache is separate from Configuration Manager's distribution point content. If you
choose the same drive as the distribution point role, it stores content separately.
Peer cache
Client peer cache helps you manage deployment of content to clients in remote
locations. Peer cache is a built-in Configuration Manager solution that enables clients to
share content with other clients directly from their local cache.
First deploy client settings that enable peer cache to a collection. Then members of that
collection can act as a peer content source for other clients in the same boundary
group.
Client peer cache sources can divide content into parts. These parts minimize the
network transfer to reduce WAN utilization. The management point provides more
detailed tracking of the content parts. It tries to eliminate more than one download of
the same content per boundary group.
For more information, see Peer cache for Configuration Manager clients.
Windows LEDBAT
Windows Low Extra Delay Background Transport (LEDBAT) is a network congestion
control feature of Windows Server to help manage background network transfers. For
distribution points running on supported versions of Windows Server, enable an option
to help adjust network traffic. Then clients only use network bandwidth when it's
available.
For more information on Windows LEDBAT in general, see the New transport
advancements blog post.
For more information on how to use Windows LEDBAT with Configuration Manager
distribution points, see the setting to Adjust the download speed to use the unused
network bandwidth (Windows LEDBAT) when you Configure the general settings of a
distribution point.
Note
Starting in Configuration Manager version 2203, you can use LEDBAT with your
software update points. If a site system has both the distribution point and
software update point roles, you can configure LEDBAT independently on the roles.
For more information, see the setting Adjust the download speed to use the
unused network bandwidth (Windows LEDBAT) setting for Installing software
update points.
Client locations
The following are locations that clients access content from:
Intranet (on-premises):
Internet:
Workgroup:
The following list contains all of the possible content source locations that the
Configuration Manager client can use, in the order in which it prioritizes them:
Delivery Optimization isn't applicable to this source prioritization. This list is how the
Configuration Manager client finds content. The Windows Update Agent downloads
content for Delivery Optimization. If the Windows Update Agent can't find the content,
then the Configuration Manager client uses this list to search for it.
BranchCache applies to this list only when you enable a distribution point for
BranchCache. For example, if a client gets to option #3 in the prioritization list, it first
asks the distribution point for BranchCache metadata. The BranchCache-enabled
distribution point is what provides the client information for BranchCache peer
discovery. The client will download content from a BranchCache peer if it can. If it can't
download the content via BranchCache, it then tries the distribution point itself, before
continuing down the list of content sources. This behavior applies at any point in the
priority list where the client uses a BranchCache-enabled distribution point.
The configuration of boundary group options can modify the sort order of this priority
list.
Content library
The content library is the single-instance store of content in Configuration Manager.
This library reduces the overall size of content that you distribute.
Distribution points
Configuration Manager uses distribution points to store files that are required for
software to run on client computers. Clients must have access to at least one
distribution point from which they can download the files for content that you deploy.
There are different configurations for OS deployments, such as PXE and multicast.
Cloud and pull distribution points support many of these same configurations, but have
limitations that are specific to each distribution point variation.
The distribution point priority value is self-tuning. It's set on each distribution point
to help Configuration Manager more quickly transfer content to more distribution points.
When you distribute content to multiple distribution points at the same time, or
to a distribution point group, the site first sends the content to the server with the
highest priority. Then it sends that same content to a distribution point with a
lower priority.
Distribution point priority doesn't replace the distribution priority for packages.
Package priority remains the deciding factor of when the site sends different
content.
For example, you have a package that has a high package priority. You distribute it to a
server with a low distribution point priority. This high priority package always transfers
before a package that has a lower priority. The package priority applies even if the site
distributes lower priority packages to servers with higher distribution point priorities.
The high priority of the package ensures that Configuration Manager distributes that
content to distribution points before it sends any packages with a lower priority.
Note
Pull-distribution points also use a concept of priority to order the sequence of their
source distribution points.
The distribution point priority for content transfers to the server is distinct
from the priority that pull-distribution points use. Pull-distribution points use
their priority when they search for content from a source distribution point.
For more information, see Use a pull-distribution point.
Fallback
Several things have changed with Configuration Manager current branch in the way that
clients find a distribution point that has content, including fallback.
Clients that can't find content from a distribution point that's associated with their
current boundary group fall back to use content source locations associated with
neighbor boundary groups. To be used for fallback, a neighbor boundary group must
have a defined relationship with the client's current boundary group. This relationship
includes a configured time that must pass before a client that can't find content locally
includes content sources from the neighbor boundary group as part of its search.
The concepts of preferred distribution points are no longer used, and settings for Allow
fallback source locations for content are no longer available or enforced.
Network bandwidth
To help manage the amount of network bandwidth that's used when you distribute
content, you can use the following options:
Prestaged content: Transferring content to a distribution point without distributing
the content across the network.
Scheduling and throttling: Configurations that help you control when and how
content is distributed to distribution points.
Network connection speeds that define a distribution point as Fast or Slow are no
longer used. Instead, each site system that's associated with a boundary group is treated
the same.
In the Distribution Point properties, on the Boundary Groups tab, select:
Enable for on-demand distribution.
When you enable this option for a deployment, and a client requests that content
but the content isn't available on any of the client's preferred distribution points,
Configuration Manager automatically distributes that content to the client's
preferred distribution points.
Prestage content
Prestaging content is a process of transferring content to a distribution point without
distributing the content across the network.
When you distribute content to many distribution points, pull-distribution points help
reduce the processing load on the site server. They can also speed the content transfer
to each server. Normally the distribution manager component on the site server sends
content to each distribution point. Instead, the site offloads the process of transferring
the content to the pull-distribution points.
You configure individual distribution points to be pull-distribution points. For each pull-
distribution point, specify one or more source distribution points from which it can get
content. A pull-distribution point can only download content from a distribution point
that you specify as a source distribution point.
When you distribute content to a pull-distribution point in the console, the site server
sends it a notification. The pull-distribution point then downloads the content from a
source distribution point. A pull-distribution point manages the content transfer by
downloading from a distribution point that already has a copy of the content.
Configure a pull-distribution point when you install the distribution point. After you
create a distribution point, configure it as a pull-distribution point by editing the role
properties. For more information on how to enable a distribution point as a pull-
distribution point, see Pull-distribution point.
Remove the configuration to be a pull-distribution point by editing the properties of the
distribution point. When you remove the configuration as a pull-distribution point, it
returns to normal operation. The site server manages future content transfers to the
distribution point.
Distribution process
When you distribute content to a pull-distribution point, the following sequence of
events occurs:
Once you distribute content to a pull-distribution point in the console, the Package
Transfer Manager component on the site server checks the site database to
confirm if the content is available on a source distribution point. If it can't confirm
that the content is on a source distribution point for the pull-distribution point, it
repeats the check every 20 minutes until the content is available.
When the Package Transfer Manager confirms that the content is available, it
notifies the pull-distribution point to download the content. If this notification fails,
it retries based on the Software Distribution component Retry settings for pull-
distribution points. When the pull-distribution point receives this notification, it
tries to download the content from its source distribution points.
While the pull-distribution point downloads the content, the Package Transfer
Manager polls the status based on the Software Distribution component Status
polling settings for pull-distribution points. When the pull-distribution point
completes the download of content, it submits this status to a management point.
2. Select the site. In the ribbon, select Configure Site Components, and select
Software Distribution.
Retry settings for pull-distribution points (how the Package Transfer Manager retries the
download notification):
Delay before retrying (minutes): The number of minutes that the Package
Transfer Manager waits between notification attempts. This value is 20 by default.
Status polling settings for pull-distribution points (how the Package Transfer Manager
tracks the download):
Number of polls: The number of times that the Package Transfer Manager
contacts the pull-distribution point to retrieve the job status. If it tries this
number of times before the job completes, the Package Transfer Manager
cancels the transfer. This value is 72 by default.
Delay before retrying (minutes): The number of minutes that the Package
Transfer Manager waits between polls. This value is 60 by default.
Note
When the Package Transfer Manager cancels a job because it exceeds the
number of polling retries, the pull-distribution point continues to download
the content. When it finishes, the pull-distribution point sends the appropriate
status message, and the console reflects the new status.
Limitations
You can't configure a content-enabled cloud management gateway as a pull-
distribution point.
You can't configure the distribution point role on a site server as a pull-distribution
point.
Note
The Schedule and Rate Limits tabs aren't visible in the properties of a
pull-distribution point.
Pull-distribution points don't use the settings on the General tab of the Software
Distribution Component Properties for each site. These settings include
Concurrent distribution and Multicast retry.
To transfer content from a source distribution point in a remote forest, install the
Configuration Manager client on the pull-distribution point. Also configure a
network access account that can access the source distribution point. If you enable
the site option to Use Configuration Manager-generated certificates for HTTP
site systems, then you don't need a network access account.
The wizard only displays distribution points that qualify to be source distribution
points.
Only distribution points that support HTTP can be specified as source distribution
points when you use the Configuration Manager console.
To use a source distribution point that's configured for HTTPS, install the
Configuration Manager client on the pull-distribution point.
If your remote offices have a better connection to the internet, or to reduce load
on your WAN links, use a content-enabled cloud management gateway (CMG) in
Microsoft Azure as the source. The pull-distribution point needs internet access to
communicate with Microsoft Azure. The content must be distributed to the source
CMG.
Note
This feature does incur charges to your Azure subscription for data storage
and network egress. For more information, see the Cost of CMG.
Source priorities
Assign a separate priority to each source distribution point, or assign multiple
source distribution points to the same priority.
The priority determines the order in which the pull-distribution point requests
content from its source distribution points.
Pull-distribution points initially contact a source distribution point with the lowest
value for priority. If there are multiple source distribution points with the same
priority, the pull-distribution point randomly selects one of the sources with that
priority.
If the content isn't available on a selected source, the pull-distribution point then
tries to download the content from another distribution point with that same
priority.
If none of the distribution points with a given priority has the content, the pull-
distribution point tries to download the content from a source distribution point
with the next priority level. It continues this search until the content is located.
If none of the assigned source distribution points have the content, the pull-
distribution point waits for 30 minutes, and then starts the process again.
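The selection order above, modelled as an added PowerShell example (this is not Configuration Manager code and does not query a real site). Source names, priorities and the per-source "inventory" are constructed sample data; the 30-minute wait between full passes is logged instead of slept so the script finishes immediately. It goes one step beyond the text by also showing the case where a lower-priority source such as a CMG is the only one that holds the content.

```powershell
# Added example (not Configuration Manager code): a model of the pull-distribution
# point source selection order, for reasoning about which source is hit first.
# All sources, priorities and inventory below are constructed sample data.

function Get-PullDPSourceOrder {
    param([Parameter(Mandatory)] [hashtable[]] $Sources)   # @{ Name='dp1.contoso.com'; Priority=1 }
    $order = @()
    $tiers = $Sources | Group-Object -Property { $_.Priority } | Sort-Object { [int]$_.Name }
    foreach ($tier in $tiers) {
        # Lowest priority value first. Within one tier the pull DP picks a source at random,
        # then tries the remaining sources of that tier before moving down a level.
        $order += @($tier.Group | Get-Random -Count $tier.Group.Count)
    }
    return $order
}

function Find-ContentOnSources {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Sources,
        [Parameter(Mandatory)] [string] $ContentId,
        [Parameter(Mandatory)] [hashtable] $Inventory,   # source name -> content IDs it holds
        [int] $MaxRounds = 3
    )
    for ($round = 1; $round -le $MaxRounds; $round++) {
        foreach ($src in (Get-PullDPSourceOrder -Sources $Sources)) {
            if ($Inventory[$src.Name] -contains $ContentId) {
                return [pscustomobject]@{ Source = $src.Name; Priority = $src.Priority; Round = $round }
            }
        }
        # No assigned source has the content: the real pull DP waits 30 minutes and starts
        # the search again. The wait is only logged here so the example runs instantly.
        Write-Warning "Round ${round}: $ContentId not on any source; pull DP would wait 30 minutes and retry"
    }
    return $null
}

# Constructed sample: two on-premises sources at priority 1, a CMG at priority 2 as last resort.
$sources = @(
    @{ Name = 'dp1.contoso.com'; Priority = 1 },
    @{ Name = 'dp2.contoso.com'; Priority = 1 },
    @{ Name = 'cmg.contoso.com'; Priority = 2 }
)
$inventory = @{
    'dp1.contoso.com' = @('ABC00001.1')
    'dp2.contoso.com' = @()
    'cmg.contoso.com' = @('ABC00001.1', 'ABC00002.1')
}
Find-ContentOnSources -Sources $sources -ContentId 'ABC00001.1' -Inventory $inventory   # dp1 or the CMG, dp1 tried first
Find-ContentOnSources -Sources $sources -ContentId 'ABC00002.1' -Inventory $inventory   # only the CMG has it
Find-ContentOnSources -Sources $sources -ContentId 'ABC00003.1' -Inventory $inventory   # nobody has it: $null
```

Because both priority-1 sources are tried (in random order) before the CMG, the second call always pays for two failed local lookups before it reaches Azure; that is the intended behaviour when you rank a CMG below on-premises sources to keep egress charges down.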
When you enable the pull-distribution point, the site installs pulldp.msi. This
installer also adds the CCMFramework component. The framework doesn't require
the Configuration Manager client.
After the pull-distribution point is installed, it primarily uses the CCMExec service
to function.
Note
For operational details, see the following log files on the pull-distribution point:
DataTransferService.log
PullDP.log
Tip
If you see HTTP 403 errors in the log files after you add a pull-distribution point,
set the following Schannel registry value:
ClientAuthTrustMode = 2 (REG_DWORD)
The pull-distribution point should then start downloading content from the source.
For more information on this registry value, see Overview of TLS - SSL (Schannel
SSP).
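An added example for applying that change with a pre-check, not taken from the Configuration Manager documentation. The registry path, the value meanings (0 = Machine Trust, the default; 1 = Exclusive Root Trust; 2 = Exclusive CA Trust) and the Client Authentication Issuers store name are from the Schannel documentation. Two things are this editor's reading rather than statements on the page: the value belongs on the IIS server that returns the 403 (the source distribution point, whose Schannel validates the pull-distribution point's client certificate), and a restart is the safe way to make Schannel reload it.

```powershell
# Added example (not from the Configuration Manager documentation). Run elevated on the
# server side of the HTTPS connection, i.e. the source distribution point (assumption).
# Mode 2 (Exclusive CA Trust) only accepts client certificates that chain to a CA in the
# Client Authentication Issuers store, so the store is checked before the mode is changed.

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ValueName   = 'ClientAuthTrustMode'

function Get-ClientAuthTrustMode {
    $item = Get-ItemProperty -Path $SchannelKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }          # value absent means the default, Machine Trust
    return [int]$item.$ValueName
}

function Set-ClientAuthTrustMode {
    param([ValidateSet(0, 1, 2)] [int] $Mode = 2)
    if ($Mode -eq 2) {
        $issuers = @(Get-ChildItem -Path Cert:\LocalMachine\ClientAuthIssuer -ErrorAction SilentlyContinue)
        if ($issuers.Count -eq 0) {
            throw 'Client Authentication Issuers store is empty; import the issuing CA there first, or mode 2 rejects every client certificate'
        }
        $issuers | ForEach-Object { Write-Host "Trusted client-auth issuer: $($_.Subject)" }
    }
    $before = Get-ClientAuthTrustMode
    if ($before -eq $Mode) { Write-Host "$ValueName is already $Mode"; return }
    Set-ItemProperty -Path $SchannelKey -Name $ValueName -Value $Mode -Type DWord
    Write-Host "$ValueName changed from $before to $Mode; restart the server so Schannel reloads the setting"
}

Get-ClientAuthTrustMode
Set-ClientAuthTrustMode -Mode 2
```

This is a machine-wide Schannel setting, not an IIS site setting: every TLS listener on that server that requests client certificates switches to the same trust mode, so check the issuers store holds the CA for all of them, not just the one the pull-distribution point uses.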
See also
Fundamental concepts for content management
The content library in Configuration
Manager
Article • 10/04/2022
The site automatically creates and maintains a copy of the content library on each
site server and each distribution point.
Before Configuration Manager adds content files to the site server or copies the
files to distribution points, it verifies whether each content file is already in the
content library.
If the content file is available, Configuration Manager doesn't copy the file. It
instead associates the existing content file with the application or package.
One or more disk drives on which you want to create the content library.
Configuration Manager copies content files to the drive with the highest priority until
that drive contains less than a minimum amount of free space that you specify.
You configure the drive settings during the distribution point installation.
You can't configure the drive settings in the distribution point properties after the
installation has finished.
For more information about how to configure the drive settings for the distribution
point, see Manage content and content infrastructure.
Note
To move the content library to a different location on a distribution point after the
installation, use the Content Library Transfer tool in the Configuration Manager
tools. For more information, see the Content Library Transfer tool.
About the content library on the CAS
By default, Configuration Manager creates a content library on the central
administration site (CAS) when the site is installed. The content library is placed on the
drive of the site server that has the most free disk space. Because you can't install a
distribution point on the CAS, you can't prioritize the drives for use by the content
library. Similar to the content library on other site servers and on distribution points,
when the drive that contains the content library runs out of available disk space, the
content library automatically spans to the next available drive.
Configuration Manager uses the content library on the CAS in the following scenarios:
You migrate content from another Configuration Manager site, and assign the CAS
as the site that manages that content.
Note
When you create content at a primary site, and then distribute it to a different
primary site or a secondary site below a different primary site, the CAS temporarily
stores that content in its scheduler inbox. It doesn't add that content to its content
library.
Use the following options to manage the content library on the CAS:
To prevent the content library from being installed on a specific drive, create an
empty file named NO_SMS_ON_DRIVE.SMS. Copy it to the root of the drive before
the content library is created.
After the content library has been created, use the Content Library Transfer tool
from the Configuration Manager tools to manage the location of the content
library. For more information, see the Content Library Transfer tool.
Warning
The following section is provided for informational purposes only. Don't alter, add,
or remove any files or folders in the content library. Doing so could corrupt
packages, contents, or the content library as a whole. If you suspect any missing,
corrupt, or otherwise invalid data, use the validation feature in the Configuration
Manager console to detect such issues. Then redistribute the affected content to
correct the issues.
By default, the content library is stored on the root of a drive in a folder called
SCCMContentLib. This folder is shared by default as SCCMContentLib$. The folder and
share have restricted permissions to prevent accidental damage. All changes should be
made from the Configuration Manager console. Within this folder are the following
objects:
The package library (PkgLib folder): Information about what packages are present
on the distribution point.
The data library (DataLib folder): Information about the original structure of the
packages.
The file library (FileLib folder): The original files in the package. This folder is
typically what uses the bulk of the storage.
Tip
Use the Content Library Explorer tool from the Configuration Manager tools to
browse the contents of the content library. You can't use this tool to modify the
contents. It provides insight into what's present, as well as allowing validation and
redistribution. For more information, see the Content Library Explorer.
Package library
The package library folder, PkgLib, includes one file for each package distributed to the
distribution point. The file name is the package ID, for example, ABC00001.INI. In this file,
under the [Packages] section, is a list of content IDs that are part of the package, as well
as other information such as the version. For example, ABC00001 is a legacy package at
version 1. The content ID in this file is ABC00001.1.
Data library
The data library folder, DataLib, includes one file and one folder for each of the contents
in each package. For example, this file and folder are named ABC00001.1.INI and
ABC00001.1, respectively. The file includes information for validation. The folder
The files in the data library are replaced by INI files with the name of the original file in
the package. For example, MyFile.exe.INI. These files include information about the
original file, such as the size, time modified, and the hash. Use the first four characters of
the hash to locate the original file in the file library. For example, the hash in
MyFile.exe.INI is DEF98765, and the first four characters are DEF9.
File library
If the content library spans across multiple drives, the package files could be in the file
library folder, FileLib, on any of these drives.
Locate a specific file using the first four characters from the hash found in the data
library. Inside the file library folder are many folders, each with a four-character name.
Find the folder that matches the first four characters from the hash. Once you find this
folder, it includes one or more sets of three files. These files share the same name, but
one has the extension INI, one has the extension SIG, and one has no file extension. The
original file is the one with no extension whose name is equal to the hash from the data
library.
For example, folder DEF9 includes DEF98765.INI, DEF98765.SIG, and DEF98765. DEF98765
is the original MyFile.exe. The INI file includes a list of "users" or content IDs that share
the same file. The site doesn't remove a file unless all of these contents are also
removed.
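The PkgLib, DataLib and FileLib walk above, as an added PowerShell example that is not Configuration Manager code. It builds a throwaway library with that layout under $env:TEMP, then resolves a package file the way the text describes (package INI, content ID, per-file INI, hash, FileLib\<first four characters>\<hash>) and re-hashes the file on disk, which is the "hash mismatch" check the Troubleshoot section refers to. Assumptions: the INI section and key names ([Packages], [File] with Size= and Hash=), SHA-256 as the hash algorithm, and a single-drive library; the page only says the INI files carry size, time modified and hash, and shows a shortened eight-character hash for illustration. Everything is read-only against the library; in line with the warning above, never write into SCCMContentLib.

```powershell
# Added example (not Configuration Manager code). Builds a sample library under $env:TEMP
# with the PkgLib / DataLib / FileLib layout, then resolves and verifies one file.
# Assumptions: INI layout ([Packages], [File] Size=/Hash=), SHA-256, single drive.

function New-SampleContentLibrary {
    param([Parameter(Mandatory)] [string] $Root)
    $payload = [Text.Encoding]::ASCII.GetBytes('MZ sample payload for MyFile.exe')   # constructed file content
    $hash = (Get-FileHash -InputStream ([IO.MemoryStream]::new($payload)) -Algorithm SHA256).Hash
    $pkgId = 'ABC00001'; $contentId = "$pkgId.1"; $bucket = $hash.Substring(0, 4)
    New-Item -ItemType Directory -Force -Path "$Root\PkgLib", "$Root\DataLib\$contentId", "$Root\FileLib\$bucket" | Out-Null
    Set-Content "$Root\PkgLib\$pkgId.INI" "[Packages]`r`n$contentId=`r`n[Package]`r`nVersion=1"
    Set-Content "$Root\DataLib\$contentId.INI" "[Content]`r`nContentId=$contentId"
    Set-Content "$Root\DataLib\$contentId\MyFile.exe.INI" "[File]`r`nSize=$($payload.Length)`r`nHash=$hash"
    [IO.File]::WriteAllBytes("$Root\FileLib\$bucket\$hash", $payload)          # the original MyFile.exe
    Set-Content "$Root\FileLib\$bucket\$hash.INI" "[Users]`r`n$contentId="      # contents sharing this file
    return $pkgId
}

function Read-Ini {
    param([Parameter(Mandatory)] [string] $Path)
    $ini = @{}; $section = ''
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
            $ini[$section][$Matches[1]] = $Matches[2]
        }
    }
    return $ini
}

function Resolve-ContentLibraryFile {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $PackageId,
        [Parameter(Mandatory)] [string] $FileName
    )
    $pkg = Read-Ini "$Root\PkgLib\$PackageId.INI"
    foreach ($contentId in @($pkg['Packages'].Keys)) {
        $meta = "$Root\DataLib\$contentId\$FileName.INI"
        if (-not (Test-Path -Path $meta)) { continue }       # file isn't part of this content
        $expected = (Read-Ini $meta)['File']['Hash']
        # On a spanned library FileLib may sit on another drive (SCCMContentLib<X>$);
        # this example only looks under $Root.
        $path = "$Root\FileLib\$($expected.Substring(0, 4))\$expected"
        $actual = if (Test-Path -Path $path) { (Get-FileHash -Path $path -Algorithm SHA256).Hash } else { $null }
        [pscustomobject]@{
            ContentId   = $contentId
            Path        = $path
            Present     = [bool]$actual
            HashMatches = ($actual -eq $expected)   # $false is the mismatch you'd validate and redistribute for
        }
    }
}

$root  = Join-Path $env:TEMP 'SampleContentLib'
$pkgId = New-SampleContentLibrary -Root $root
Resolve-ContentLibraryFile -Root $root -PackageId $pkgId -FileName 'MyFile.exe' | Format-List
Remove-Item -Path $root -Recurse -Force
```

Pointing Resolve-ContentLibraryFile at a real SCCMContentLib$ share is a read-only operation, but a mismatch it reports should still be fixed through the console's validate and redistribute actions rather than by touching the files.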
Drive spanning
The content library can be spanned across multiple drives. You choose these drives
when creating the distribution point. By default, Configuration Manager automatically
chooses the drives when spanning the content library.
When you choose the drives, select a primary and secondary drive. The site stores all
metadata on the primary drive. It only spans the file library across to the secondary
drive. The folder's share name for secondary drives includes the drive letter. For
example, if D: and E: are secondary drives for the content library, the share names are
SCCMContentLibD$ and SCCMContentLibE$.
If you chose the Automatic option, Configuration Manager selects the drive with the
most available free space as its primary drive. It stores all of the metadata on this drive.
The site only spans the file library across to secondary drives.
You can't tell a distribution point to use every drive except a specific set. To keep
Configuration Manager off a particular drive, create an empty file on the root of that drive
called NO_SMS_ON_DRIVE.SMS. Place this file before Configuration Manager selects the drive for
use. If Configuration Manager detects this file on the root of the drive, it doesn't use the
drive for the content library.
Troubleshoot
The following tips may help you troubleshoot issues with the content library:
Review the logs on the site server (distmgr.log and PkgXferMgr.log) and the
distribution point (smsdpprov.log) for any pointers to the failures.
Check for file locks by other processes, such as antivirus software. Exclude the
content library on all drives from automatic antivirus scans, as well as the
temporary staging directory, SMS_DP$, on each drive.
To see if there are any hash mismatches, validate the package from the
Configuration Manager console.
As a last option, redistribute the content. This action should resolve most issues.
For more in-depth information, see Understand and troubleshoot content distribution.
Next steps
Configure a remote content library for the site server
To configure site server high availability or to free up hard drive space on your central
administration or primary site servers, relocate the content library to another storage
location. Move the content library to another drive on the site server, a separate server,
or fault-tolerant disks in a storage area network (SAN). A SAN is recommended, because
it's highly available, and provides elastic storage that grows or shrinks over time to meet
your changing content requirements. For more information, see High availability
options.
This action only moves the content library on the site server. It doesn't impact the
location of the content library on distribution points.
Tip
Also plan for managing package source content, which is external to the content
library. Every software object in Configuration Manager has a package source on a
network share. Consider centralizing all sources to a single share, but make sure
this location is redundant and highly available.
If you move the content library to the same storage volume as your package
sources, you can't mark this volume for data deduplication. While the content
library supports data deduplication, the package sources volume doesn't support it.
For more information, see Data deduplication.
Prerequisites
The site server computer account needs Full control permissions to the network
path to which you're moving the content library. This permission applies to both
the share and the file system. No components are installed on the remote system.
The site server can't have the distribution point role. The distribution point also
uses the content library, and this role doesn't support a remote content library.
After moving the content library, you can't add the distribution point role to the
site server.
Note
The Manage Content Library option isn't available if the distribution point
role exists on the site server. To enable the option, remove the distribution
point role from the site server.
The remote system for the content library needs to be in a trusted domain.
Important
Don't reuse a shared network location between multiple sites. For example, don't
use the same path for both a central administration site and a child primary site.
This configuration has the potential to corrupt the content library, and require you
to rebuild it.
Warning
Don't reuse an existing folder with content. For example, don't use the same
folder as your package sources. Before copying the content library,
Configuration Manager removes any existing content from the location you
specify.
4. In the Manage Content Library window, the Current Location field shows the local
drive and path. Enter a valid network path for the New Location. This path is the
location to which the site moves the content library. It must include a folder name
that already exists on the share, for example, \\server\share\folder. Select OK.
5. Note the Status value in the Content Library column on the Summary tab of the
details pane. It updates to show the site's progress in moving the content library.
While In progress, the Move Progress (%) value displays the percentage
complete.
Note
If you have a large content library, you may see 0% progress in the
console for a while. For example, with a 1 TB library, it has to copy 10 GB
before it shows 1%. Review distmgr.log, which shows the number of files
and bytes copied. The log file also shows an estimated time remaining.
If there's an error state, the status displays the error. Common errors include
access denied or disk full.
See the distmgr.log for details. For more information, see Site server and site
system server logs.
Note
Starting in version 2010, you can enable verbose logging to troubleshoot the
content library move process. Set the following registry value on the site server:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP, LibraryMoveVerboseLog = 1
(REG_DWORD).
For more information on this process, see Flowchart - Manage content library.
The site actually copies the content library files to the remote location. This process
doesn't delete the content library files at the original location on the site server. To free
up space, an administrator must manually delete these original files.
If the original content library spans two drives, it's merged into a single folder at the
new destination.
During the copy process, the Despooler and Distribution manager components don't
process new packages. This action makes sure that content isn't added to the library
while it's moving. Regardless, schedule this change during a system maintenance.
If you need to move the content library back to the site server, repeat this process, but
enter a local drive and path for the New Location. It must include a folder name that
already exists on the drive, for example, D:\SCCMContentLib. When the original content
still exists, the process quickly moves the configuration to the location local to the site
server.
Tip
To move the content to another drive on the site server, use the Content Library
Transfer tool. For more information, see the Content Library Transfer tool.
1. On the computer that will host the distribution point role in the untrusted domain:
b. When you add the distribution point role to this computer, use this local
account as the site system installation account. For example,
COMPUTER.UNTRUSTEDDOMAIN\LocalAccount.
2. On the server that hosts the remote content library for the site, create a local user
account. This account should have the same name and password as the account in
the first step.
When the distribution manager component distributes content to the server in the
untrusted domain, it will use the local user account. During content distribution, this
component gets the files from the content library server in the context of the
distribution point's local account. Since this same account exists on the content library
server, distribution manager can authenticate to read the content files and copy to the
remote distribution point.
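The mirrored-account setup above, as an added PowerShell example that is not from the documentation. The same function is run on both hosts with the same name and password: once on the distribution point in the untrusted domain (where the account then serves as the site system installation account), and once on the content library server. The read-only share and NTFS grant on the content library server are this editor's least-privilege assumption; the page only says distribution manager reads the content library in this account's context. The account name, share name and path are placeholders.

```powershell
# Added example (not from the documentation). Creates or rotates the mirrored local
# account on the host it runs on. Same -Name and -Password on both hosts, or
# distribution manager can't authenticate to the content library server.

function New-MirroredContentAccount {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $ContentLibraryShare,   # pass only on the content library server
        [string] $ContentLibraryPath
    )
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        # Rotation: run with the new password on BOTH hosts in the same change window.
        Set-LocalUser -Name $Name -Password $Password
    } else {
        # Expiry on one host but not the other would silently break the pair, so expiry is
        # disabled and rotation is done deliberately through this function instead.
        New-LocalUser -Name $Name -Password $Password -PasswordNeverExpires -AccountNeverExpires -UserMayNotChangePassword |
            Out-Null
    }
    if ($ContentLibraryShare) {
        # Read is all the account needs here; Full control belongs to the site server
        # computer account, not to this mirrored account (least-privilege assumption).
        Grant-SmbShareAccess -Name $ContentLibraryShare -AccountName $Name -AccessRight Read -Force | Out-Null
        $acl  = Get-Acl -Path $ContentLibraryPath
        $rule = [Security.AccessControl.FileSystemAccessRule]::new(
            $Name, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $ContentLibraryPath -AclObject $acl
    }
}

# Generate one strong random password and carry it to the second host through a vault,
# not email or a ticket: whoever holds it can authenticate to both machines.
$bytes = [byte[]]::new(24)
[Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# On the distribution point in the untrusted domain (then use .\CMContentPull as the
# site system installation account when you add the role):
New-MirroredContentAccount -Name 'CMContentPull' -Password $secret
# On the content library server (share name and path are placeholders):
New-MirroredContentAccount -Name 'CMContentPull' -Password $secret `
    -ContentLibraryShare 'ContentLib' -ContentLibraryPath 'E:\ContentLib'
```

Mirrored local accounts are a deliberate trade-off: there is no trust, so a compromise of either host yields a working credential for the other. Keeping the grant to read-only on the content library side limits what that credential is worth, and the rotation path keeps both copies in step.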
Next steps
Flowchart - Manage content library
Flowchart - Manage content library
Article • 10/04/2022
This flowchart diagram shows the process by which the site moves the content library to
a remote location. For more information, see the following articles:
Use the content library cleanup command-line tool to remove content that's no longer
associated with an object on a distribution point. This type of content is called orphaned
content. This tool replaces older versions of similar tools released for past Configuration
Manager products.
The tool only affects the content on the distribution point that you specify when you run
the tool. The tool can't remove content from the content library on the site server.
If you remove content from a distribution point while the site system is offline, an
orphaned record can exist in WMI. Over time, this behavior can eventually lead to a
warning status on the distribution point. To mitigate the issue in version 2006 and
earlier, you had to manually remove the orphaned entries from WMI. Making a mistake
during this process could cause more severe issues with the server. Starting in version
2010, the tool can also remove orphaned content records from the WMI provider on a
distribution point.
Requirements
Only run the tool against a single distribution point at a time.
Run it directly on the server that hosts the distribution point to clean up, or
remotely from another computer.
The tool doesn't support removing content from the site server, which has a single
content library. When the site server also has the distribution point role, if a
package isn't targeted to the server, the package is still in the single content
library.
The user account that runs the tool must have permissions equivalent to the Full
Administrator security role in Configuration Manager.
Modes of operation
Run the tool in the following two modes: What-if and Delete.
Tip
Start with the what-if mode. When you're satisfied with the results, then run the
tool in delete mode.
What-if mode
If you don't specify the /delete parameter, the tool runs in what-if mode. This mode
identifies the content that would be deleted from the distribution point.
When run in this mode, the tool doesn't delete any data.
The tool writes to the log file information about the content that it would delete.
You're not prompted to confirm each potential deletion.
Delete mode
When you run the tool with the /delete parameter, the tool runs in delete mode.
When run in this mode, orphaned content that it finds on the specified distribution
point can be deleted from the distribution point's content library.
Starting in version 2010, it can also remove orphaned content records from the
WMI provider on the distribution point.
Before deleting each file, confirm that the tool should delete it. Select Y for yes, N
for no, or Yes to all to skip further prompts and delete all orphaned content.
Log file
When the tool runs in either mode, it automatically creates a log file. It names the file
with the following information:
When the tool finishes, it automatically opens the log file in Windows.
By default, the tool writes the log file to the temp folder of the user account that runs
the tool. This location is on the computer where you run the tool, which isn't always the
target of the tool. Use the /log parameter to redirect the log file to another location,
including a network share.
2. Enter a command line that includes the required command-line parameters, and
any optional parameters you want to use.
Command-line parameters
Use these command-line parameters in any order.
Required parameters
/dp <distribution point FQDN>: Specify the fully qualified domain name (FQDN) of the
distribution point to clean.
/ps <primary site FQDN>: Required only when cleaning content from a distribution point at
a secondary site. The tool connects to the parent primary site to run queries against the
SMS Provider. These queries let the tool determine what content should be on the
distribution point. It can then identify the orphaned content to remove. This connection to
the parent primary site must be made for distribution points at a secondary site because
the required details aren't available directly from the secondary site.
/sc <primary site code>: Required only when cleaning content from a distribution point at
a secondary site. Specify the site code of the parent primary site. Example: ABC
Optional parameters
/delete: Use this parameter when you're ready to delete content from the distribution
point. It prompts you before it deletes content. When you don't use this parameter, the
tool logs results about what content it would delete. Without this parameter, it doesn't
actually delete any content from the distribution point.
/q: Runs the tool in a quiet mode that suppresses all prompts, including the prompts
before it deletes content. It also doesn't automatically open the log file.
/ps <primary site FQDN>: Optional only when cleaning content from a distribution point at
a primary site. Specify the FQDN of the primary site that the distribution point belongs
to.
/sc <primary site code>: Optional only when cleaning content from a distribution point at
a primary site. Specify the site code of the primary site that the distribution point
belongs to.
/log <log file directory>: Specify the location where the tool writes the log file. This
location can be a local drive or a network share. When you don't use this parameter, the
tool places the log file in the user's temp directory on the computer where the tool runs.
Example: C:\Users\Administrator\Desktop
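An added PowerShell wrapper around the parameters above, not the tool itself. It encodes the requirements and tip from this article: one distribution point per run, /ps and /sc enforced for a distribution point at a secondary site, the what-if pass always run first, the log sent to a central share with /log, and /delete only passed when explicitly requested. The executable name (ContentLibraryCleanup.exe), the log share, and treating a non-zero exit code as failure are assumptions; point -ToolPath at your copy from the Configuration Manager tools.

```powershell
# Added example: a wrapper for the cleanup tool's command line, not the tool itself.
# Assumptions: executable name, log share path, and that a non-zero exit code means failure.

function Invoke-ContentLibraryCleanup {
    param(
        [Parameter(Mandatory)] [string] $ToolPath,            # ...\ContentLibraryCleanup.exe (assumed name)
        [Parameter(Mandatory)] [string] $DistributionPoint,   # /dp FQDN; one distribution point per run
        [string] $PrimarySiteServer,                          # /ps
        [string] $PrimarySiteCode,                            # /sc
        [switch] $AtSecondarySite,                            # the DP belongs to a secondary site
        [string] $LogDirectory = '\\fileserver\cmlogs\ContentLibraryCleanup',   # assumed share
        [switch] $Delete,
        [switch] $Quiet
    )
    if ($AtSecondarySite -and -not ($PrimarySiteServer -and $PrimarySiteCode)) {
        throw 'A distribution point at a secondary site needs /ps and /sc for its parent primary site'
    }
    if ($PrimarySiteCode -and $PrimarySiteCode -notmatch '^[A-Za-z0-9]{3}$') {
        throw "Site code '$PrimarySiteCode' is not a three-character site code"
    }
    if (-not (Test-Path -Path $ToolPath)) { throw "Tool not found: $ToolPath" }
    if (-not (Test-Path -Path $LogDirectory)) { New-Item -ItemType Directory -Path $LogDirectory | Out-Null }

    $common = @('/dp', $DistributionPoint, '/log', $LogDirectory)
    if ($PrimarySiteServer) { $common += @('/ps', $PrimarySiteServer) }
    if ($PrimarySiteCode)   { $common += @('/sc', $PrimarySiteCode) }
    if ($Quiet)             { $common += '/q' }

    # Pass 1: what-if (no /delete). Nothing is removed; the log lists what would be.
    & $ToolPath @common
    $whatIfExit = $LASTEXITCODE
    if (-not $Delete) { return $whatIfExit }
    if ($whatIfExit -ne 0) { throw "What-if pass exited with $whatIfExit; not proceeding to delete" }

    # Pass 2: delete, only on explicit request. Without /q the tool prompts per file.
    $deleteArgs = $common + '/delete'
    & $ToolPath @deleteArgs
    return $LASTEXITCODE
}

# What-if only, distribution point at a primary site:
Invoke-ContentLibraryCleanup -ToolPath 'C:\Tools\ContentLibraryCleanup.exe' -DistributionPoint 'dp1.contoso.com'
# What-if then delete for a distribution point at a secondary site, central log, no prompts:
Invoke-ContentLibraryCleanup -ToolPath 'C:\Tools\ContentLibraryCleanup.exe' -DistributionPoint 'dp2.branch.contoso.com' `
    -AtSecondarySite -PrimarySiteServer 'cm01.contoso.com' -PrimarySiteCode 'ABC' -Delete -Quiet
```

Combining -Delete with -Quiet removes every orphaned file the tool finds without a per-file prompt, so reserve that pairing for runs whose what-if log you have already reviewed.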
Known issue
In version 2103 and earlier, when any package or deployment has failed, or is in
progress, the tool might return the following error:
To work around this issue, update the site to version 2107. In that version, when a
package or deployment is failed or in progress, the tool can't reliably identify orphaned
files, but it displays a warning and continues instead of returning the error.
Peer cache for Configuration Manager
clients
Article • 10/04/2022
Use peer cache to help manage deployment of content to clients in remote locations.
Peer cache is a built-in Configuration Manager solution that enables clients to share
content with other clients directly from their local cache.
Overview
Definitions:
Peer cache client: Any Configuration Manager client that downloads content from
a peer.
Peer cache source: A Configuration Manager client that you enable for peer cache,
and that has content to share with other clients.
Use client settings to enable clients to be peer cache sources. You don't need to enable
peer cache clients. When you enable clients as peer cache sources, the management
point includes them in the list of content location sources. For more information on this
process, see Operations.
A peer cache source must be a member of the current boundary group of the peer
cache client. The management point doesn't include peer cache sources from a
neighbor boundary group in the list of content sources it provides the client. It only
includes distribution points from a neighbor boundary group. For more information
about current and neighbor boundary groups, see Boundary groups.
The Configuration Manager client uses peer cache to serve to other clients every type of
content in the cache. This content includes:
Peer cache doesn't replace the use of other solutions like Windows BranchCache or
Delivery Optimization. Peer cache works along with other solutions. These technologies
give you more options for extending traditional content deployment solutions such as
distribution points. Peer cache is a custom solution with no reliance on BranchCache. If
you don't enable or use BranchCache, peer cache still works.
Operations
To enable peer cache, deploy the client settings to a collection. Then members of that
collection act as a peer cache source for other clients in the same boundary group.
A client that operates as a peer content source submits a list of available cached
content to its management point using state messages. A peer content source
client also sends a state message to the management point when it removes
content from its local cache.
Note
For the list of applicable peer content source state messages, see State
messages in Configuration Manager. Specifically those with state message
IDs of 7200, 7201, 7202, and 7203.
Another client in the same boundary group makes a content location request to
the management point. The server returns the list of potential content sources.
This list includes each peer cache source that has the content and is online. It also
includes the distribution points and other content source locations in that
boundary group. For more information, see Content source priority.
As usual, the client that's seeking the content selects one source from the provided
list. The client then attempts to get the content.
Boundary groups include settings to give you more control over content distribution in
your environment. For more information, see Boundary group options for peer
downloads.
Note
If the client falls back to a neighbor boundary group for content, the management
point doesn't add the peer cache sources from the neighbor boundary group to
the list of potential content source locations.
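As an added example (not Microsoft's code and not part of this documentation), the following PowerShell models the content location list the management point builds under the rules above: peer cache sources only from the client's current boundary group and only when online, distribution points from the current group, neighbor-group distribution points only after fallback, and the peer portion capped at the SuperPeerLocationCount value described later on this page. The source records, names, boundary groups and content ID are constructed sample data.

```powershell
# Added example, not Microsoft's code: a small model of the content location
# list a management point returns, following the rules described above.
# Sources, names, boundary groups and the content ID are constructed sample data.

function Get-ContentLocationList {
    param(
        [Parameter(Mandatory)] [string]   $ContentId,
        [Parameter(Mandatory)] [string]   $CurrentBoundaryGroup,
        [string[]] $NeighborBoundaryGroups = @(),
        [switch]   $FallbackExpired,        # set once the boundary group fallback time has elapsed
        [Parameter(Mandatory)] [object[]] $Sources,
        [int]      $SuperPeerLocationCount = 25   # default value per this page
    )
    $peers = @()
    $dps   = @()
    foreach ($s in $Sources) {
        # A source is only a candidate when it reported holding this content
        if (-not ($s.Content -contains $ContentId)) { continue }
        switch ($s.Type) {
            'PeerCacheSource' {
                # Peers only from the client's current boundary group, never from a
                # neighbor group, and only when the fast channel reports them online
                if ($s.BoundaryGroup -eq $CurrentBoundaryGroup -and $s.Online) { $peers += $s }
            }
            'DistributionPoint' {
                # DPs in the current group always; DPs in neighbor groups only after fallback
                $inCurrent  = $s.BoundaryGroup -eq $CurrentBoundaryGroup
                $inNeighbor = $NeighborBoundaryGroups -contains $s.BoundaryGroup
                if ($inCurrent -or ($inNeighbor -and $FallbackExpired)) { $dps += $s }
            }
        }
    }
    # Clients prioritize local peers; the peer portion is capped at SuperPeerLocationCount
    return @($peers | Select-Object -First $SuperPeerLocationCount) + @($dps)
}

# Constructed data mirroring the Contoso scenario on this page: one DP at HQ, two
# peer cache sources at the branch (one offline), plus a peer at HQ that must never
# be offered to a branch client because HQ is only a neighbor group for it
$sources = @(
    [pscustomobject]@{ Name = 'DP01';   Type = 'DistributionPoint'; BoundaryGroup = 'HQ';     Online = $true;  Content = @('ABC00001') }
    [pscustomobject]@{ Name = 'PCS1';   Type = 'PeerCacheSource';   BoundaryGroup = 'Branch'; Online = $true;  Content = @('ABC00001') }
    [pscustomobject]@{ Name = 'PCS2';   Type = 'PeerCacheSource';   BoundaryGroup = 'Branch'; Online = $false; Content = @('ABC00001') }
    [pscustomobject]@{ Name = 'HQPeer'; Type = 'PeerCacheSource';   BoundaryGroup = 'HQ';     Online = $true;  Content = @('ABC00001') }
)

$common = @{ ContentId = 'ABC00001'; CurrentBoundaryGroup = 'Branch'; NeighborBoundaryGroups = 'HQ'; Sources = $sources }

# Before the fallback period: only PCS1 is offered (PCS2 is offline, HQ sources are not local)
Get-ContentLocationList @common | Select-Object Name, Type
# After fallback: DP01 is appended after the local peer; HQPeer is still excluded
Get-ContentLocationList @common -FallbackExpired | Select-Object Name, Type
```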
Choose only clients best suited as peer cache sources. Evaluate client suitability based
on attributes such as chassis type, disk space, and network connectivity. For more
information that can help you select the best clients to use for peer cache, see this blog
by a Microsoft consultant.
Note
By default, if the first 25 peer cache sources are offline or unreachable, a peer cache
client may fail to download the content. You can configure this setting with the site
definition properties SuperPeerLocationCount and SuperPeerLocationCountMax. Their
default values are 25 and 50. For more information, see How to read and write to
the site control file by using WMI.
You can also reduce these values, for example, to 5 and 10. This configuration causes
the client to fall back more quickly to other content locations. For more
information, see Content source priority.
Tip
Configure these settings using the client configuration server WMI class for the
peer source feature (SMS_WinPEPeerCacheConfig) in the Configuration Manager SDK.
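As an added example (not Microsoft's code and not part of this documentation), the following Windows PowerShell reads the two site definition properties from the note above through the SMS Provider's WMI namespace and, after a sanity check, lowers them to the 5 and 10 values the note mentions. It assumes a placeholder site code and SMS Provider host, that the properties are stored in the Props array of the SMS_SCI_SiteDefinition instance, and that a direct Put() on that instance commits the site control change.

```powershell
# Added example, not Microsoft's code. Reads and adjusts the SuperPeerLocationCount
# and SuperPeerLocationCountMax site definition properties via the SMS Provider.
# Assumptions (replace for your environment): site code 'ABC' and SMS Provider
# host 'cm01.contoso.local' are constructed placeholders; the properties are
# assumed to live in the Props array of SMS_SCI_SiteDefinition, and a direct
# Put() on that instance is assumed to commit the change. Run from an elevated
# Windows PowerShell session with an account that is a Full Administrator.

$SiteCode      = 'ABC'                 # placeholder
$ProviderHost  = 'cm01.contoso.local'  # placeholder
$Namespace     = "root\SMS\site_$SiteCode"
$PropertyNames = @('SuperPeerLocationCount', 'SuperPeerLocationCountMax')

function Get-SiteDefinition {
    # Fetch the SMS_SCI_SiteDefinition instance for this site
    $siteDef = Get-WmiObject -ComputerName $ProviderHost -Namespace $Namespace `
        -Class SMS_SCI_SiteDefinition -Filter "SiteCode='$SiteCode'"
    if (-not $siteDef) { throw "No site definition for $SiteCode in $Namespace on $ProviderHost" }
    return $siteDef
}

function Get-PeerCacheLocationLimits {
    # Returns a hashtable with the current values of the two properties
    $siteDef = Get-SiteDefinition
    $limits  = @{}
    foreach ($prop in $siteDef.Props) {
        if ($PropertyNames -contains $prop.PropertyName) {
            $limits[$prop.PropertyName] = [int]$prop.Value
        }
    }
    return $limits
}

function Set-PeerCacheLocationLimits {
    param(
        [Parameter(Mandatory)] [int]$Count,   # peer sources a client tries before falling back
        [Parameter(Mandatory)] [int]$Max
    )
    # Reject nonsensical combinations before touching the site control data
    if ($Count -lt 1)    { throw "Count must be at least 1 (got $Count)" }
    if ($Max -lt $Count) { throw "Max ($Max) must not be lower than Count ($Count)" }

    $siteDef = Get-SiteDefinition
    $props   = $siteDef.Props
    $found   = @()
    foreach ($prop in $props) {
        switch ($prop.PropertyName) {
            'SuperPeerLocationCount'    { $prop.Value = $Count; $found += $prop.PropertyName }
            'SuperPeerLocationCountMax' { $prop.Value = $Max;   $found += $prop.PropertyName }
        }
    }
    $missing = $PropertyNames | Where-Object { $found -notcontains $_ }
    if ($missing) { throw "Property not present on the site definition: $($missing -join ', ')" }

    # Write the modified Props array back and commit the change
    $siteDef.Props = $props
    $siteDef.Put() | Out-Null
}

# Show the current values (defaults are 25 and 50), lower them to 5 and 10 as in
# the note above, then read them back to confirm the change was committed.
'Before:'; Get-PeerCacheLocationLimits | Format-Table -AutoSize
Set-PeerCacheLocationLimits -Count 5 -Max 10
'After:';  Get-PeerCacheLocationLimits | Format-Table -AutoSize
```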
When the peer cache source rejects a request for the content, the peer cache client
continues to seek content from its list of content source locations.
Requirements
Peer cache supports all Windows versions listed as supported in Supported
operating systems for clients and devices. Non-Windows operating systems aren't
supported as peer cache sources or peer cache clients.
Clients can only download content from peer cache sources in their current
boundary group.
Note
When required, the peer cache source uses the network access account to
authenticate download requests from peers. This account requires only domain
user permissions for this purpose.
Before attempting to download content, the management point first validates that
the peer cache source is online. This validation happens via the "fast channel" for
client notification, which uses TCP port 10123.
Note
For more information on configuring these settings, see How to configure client
settings.
On peer cache-enabled clients that use the Windows Firewall, Configuration Manager
configures the firewall ports that you specify in client settings.
Example scenario
Contoso has a single primary site with two boundary groups: Headquarters (HQ) and
Branch Office. There's a 30-minute fallback relationship between the boundary groups.
The management point and distribution point for the site are only in the HQ boundary.
The branch office location has no local distribution point. Two of the four clients at the
branch office are configured as peer cache sources.
1. You target a deployment with content to all four clients in the branch office. You
only distributed the content to the distribution point.
2. Client3 and Client4 don't have a local source for the deployment. The management
point instructs the clients to wait 30 minutes before falling back to the remote
boundary group.
3. Client1 (PCS1) is the first peer cache source to refresh policy with the management
point. Because this client is enabled as a peer cache source, the management point
instructs it to immediately start downloading part A from the distribution point.
8. This process continues until both client peer cache sources have all of the parts
from each other. The management point prioritizes parts from the remote
distribution point before instructing the peer cache sources to download parts
from local peers.
9. Client3 is the first to refresh policy after the 30-minute fallback period expires. It
now checks back with the management point, which informs the client of new local
sources. Instead of downloading the content in full from the distribution point
across the WAN, it downloads the content in full from one of the client peer cache
sources. Clients prioritize local peer sources.
Note
If the number of client peer cache sources is greater than the number of content
parts, then the management point instructs the additional peer cache sources to
wait for fallback like a normal client.
3. On the General tab, enable the option to Configure client peer cache sources to
divide content into parts.
Note
This functionality only works when the client downloads content in the
background, such as with a required deployment. On-demand downloads,
such as when the user installs an available deployment in Software Center,
behave as usual.
To see the peer cache sources handling the download of content in parts, examine the
ContentTransferManager.log on the client peer cache source and the MP_Location.log
on the management point.
The Configuration Manager client cache isn't like the content library on a
distribution point. While you manage the content that you distribute to a
distribution point, the Configuration Manager client automatically manages the
content in its cache. There are settings and methods to help control what content
is in the cache of a peer cache source. For more information, see Configure the
client cache.
Size and maintenance of the cache apply to peer cache sources. For more
information, see Configure client cache size. Consider the size of larger content
such as OS upgrade packages or Windows express update files. Compare your
need for this content against the available disk space on peer cache sources.
The peer cache source client updates the last referenced time of content in the
cache when a peer downloads it. The client uses this timestamp when it
automatically maintains its cache, removing older content first. So content that
peer cache clients download more frequently is removed later, if at all.
If necessary, when creating the following software, use the option to Persist
content in the client cache:
Applications
Packages
OS images
OS upgrade packages
Boot images
Monitoring
To help you understand the use of peer cache, view the Client Data Sources dashboard.
For more information, see Client data sources dashboard.
Also use reports to view peer cache use. In the console, go to the Monitoring
workspace, expand Reporting, and select the Reports node. The following reports all
have a type of Software Distribution Content:
Peer cache source content rejection: How often the peer cache sources in a
boundary group reject a content request.
Peer cache source content rejection by condition: Shows rejection details for a
specified boundary group or rejection type.
Note
Known issue: You can't select from available parameters and instead must
enter them manually. Enter the values for Boundary Group Name and
Rejection Type as seen in the Peer cache source content rejection report. For
example, for Rejection Type you might enter MaxCPULoad or MaxDiskIO.
Peer cache source content rejection details: Shows the content that the client was
requesting when rejected.
Note
Known issue: You can't select from available parameters and instead must
enter them manually. Enter the value for Rejection Type as displayed in the
Peer cache source content rejection report. Then enter the Resource ID for
the content source about which you want more information.
1. Find the computer name that displays as the Peer cache source in the
results of the Peer cache source content rejection by condition report.
Next steps
Microsoft Connected Cache in Configuration Manager
When you distribute content to one or more remote distribution points at a site, the
Distribution Manager creates a content transfer job. It then notifies the Package
Transfer Manager on primary and secondary site servers to transfer the content to the
remote distribution points.
Package Transfer Manager logs its actions in the pkgxfermgr.log file on the site server.
The log file is the only location where you can view the activities of the Package Transfer
Manager.
Note
To copy each file in the distribution to the distribution point, even if the
files are already present in the single instance store of the distribution
point, use the Redistribute action for content.
When the content is not yet available, Package Transfer Manager does not
send a notification to the distribution point. Instead, it repeats the check
every 20 minutes until the content is available. Then, when the content is
available, Package Transfer Manager sends the notification to that
pull-distribution point.
Note
For the pull-distribution point to copy each file in the distribution to the
distribution point, even if the files are already present in the single
instance store of the pull-distribution point, use the Redistribute action
for content.
b. Next, the pull-distribution point checks with each of its source distribution
points, in order, until it locates a source distribution point that has the
content available. When the pull-distribution point identifies a source
distribution point with the content, it begins the download of that content.
To help you manage network bandwidth that is used for the content management
process of Configuration Manager, you can use built-in controls for scheduling and
throttling. You can also use prestaged content. The following sections describe these
options in more detail.
You can use scheduling and throttling controls for site-to-site communication, and for
communication between a site server and a remote distribution point. If network
bandwidth is limited even after you set up the scheduling and throttling controls, you
might consider prestaging the content on the distribution point.
In Configuration Manager, you can set up a schedule and specify throttling settings on
remote distribution points that determine when and how content distribution is
performed. Each remote distribution point can have different configurations that help
address network bandwidth limitations from the site server to the remote distribution
point. The controls for scheduling and throttling to the remote distribution point are
similar to the settings for a standard sender address. In this case, the settings are used
by a new component, called Package Transfer Manager.
Package Transfer Manager distributes content from a site server (a primary site or
secondary site) to a distribution point that is installed on a site system. The throttling
settings are specified on the Rate Limits tab, and the scheduling settings are specified
on the Schedule tab, for a distribution point that is not on a site server. The time
settings are based on the time zone of the sending site, not the distribution point.
Important
The Rate Limits and Schedule tabs are displayed only in the properties for
distribution points that are not installed on a site server.
For more information, see Install and configure distribution points for Configuration
Manager.
Prestaged content
You can prestage content to add the content files to the content library on a site server
or distribution point, before you distribute the content. Because the content files are
already in the content library, they do not transfer over the network when you distribute
the content. You can prestage content files for applications and packages.
In the Configuration Manager console, select the content that you want to prestage, and
then use the Create Prestaged Content File Wizard. This creates a compressed,
prestaged content file that contains the files and associated metadata for the content.
Then, you can manually import the content at a site server or distribution point. Note
the following points:
When you import the prestaged content file on a site server, the content files are
added to the content library on the site server, and then registered in the site
server database.
When you import the prestaged content file on a distribution point, the content
files are added to the content library on the distribution point. A status message is
sent to the site server that informs the site that the content is available on the
distribution point.
You can optionally configure the distribution point as prestaged to help manage
content distribution. Then, when you distribute content, you can choose whether you
want to:
Prestage the initial content for the package, and then use the standard content
distribution process when there are updates to the content.
Always use the standard content distribution process for the content in the
package.
To address limited network bandwidth from the site server to a distribution
point: If scheduling and throttling aren't enough to satisfy your
concerns about bandwidth, consider prestaging the content on the distribution
point. Each distribution point has the Enable this distribution point for prestaged
content setting that you can choose in the distribution point properties. When you
enable this option, the distribution point is identified as a prestaged distribution
point, and you can choose how to manage the content on a per-package basis.
The following settings are available in the properties for an application, package,
driver package, boot image, operating system installer, and image. These settings
let you choose how content distribution is managed on remote distribution points
that are identified as prestaged:
Download only content changes to the distribution point: Use this option
when you expect future updates to the content in the package to be generally
smaller than the initial package. For example, you might prestage an application
like Microsoft 365 Apps, because the initial package size is over 700 MB and is
too large to send over the network. However, content updates to this package
might be less than 10 MB, and are acceptable to distribute over the network.
Another example might be driver packages, where the initial package size is
large, but incremental driver additions to the package might be small.
Manually copy the content in this package to the distribution point: Use this
option when you have large packages, with content such as an operating
system, and you never want to use the network to distribute the content to the
distribution point. When you select this option, you must prestage the content
on the distribution point.
Important
The preceding options are applicable on a per-package basis, and are only
used when a distribution point is identified as prestaged. Distribution points
that have not been identified as prestaged ignore these settings. In this case,
content always is distributed over the network from the site server to the
distribution points.
To restore the content library on a site server: When a site server fails, information
about packages and applications that is contained in the content library is restored
to the site database as part of the restore process, but the content library files are
not restored as part of the process. If you do not have a file system backup to
restore the content library, you can create a prestaged content file from another
site that contains the packages and applications that you need. You can
then extract the prestaged content file on the recovered site server. For more
information about site server backup and recovery, see Backup and recovery for
Configuration Manager.
Security and privacy for content
management in Configuration Manager
Article • 10/04/2022
This article contains security and privacy information for content management in
Configuration Manager.
Security guidance
When you use HTTPS for a distribution point: Configuration Manager doesn't use
package access accounts to authorize access to the content. The content is
encrypted when it's transferred over the network.
When you use HTTP for a distribution point: You can use package access accounts
for authorization. The content isn't encrypted when it's transferred over the
network.
Consider enabling Enhanced HTTP for the site. This feature allows clients to use Azure
Active Directory (Azure AD) authentication to securely communicate with an HTTP
distribution point. For more information, see Enhanced HTTP.
Important
Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.
Protect the client authentication certificate file
If you use a PKI client authentication certificate rather than a self-signed certificate for
the distribution point, protect the certificate file (.pfx) with a strong password. If you
store the file on the network, secure the network channel when you import the file into
Configuration Manager.
When you require a password to import the client authentication certificate that the
distribution point uses to communicate with management points, this configuration
helps to protect the certificate from an attacker. To prevent an attacker from tampering
with the certificate file, use server message block (SMB) signing or IPsec between the
network location and the site server.
For more information about the role services for the web server role for distribution
points, see Site and site system prerequisites.
SMS_DP_SMSPKG$
SMS_DP_SMSSIG$
NOCERT_SMS_DP_SMSPKG$
NOCERT_SMS_DP_SMSSIG$
For more information about using a custom website, see Websites for site system
servers.
Store the certificates securely. If you browse to them over the network when you
configure the CMG, use IPsec or SMB signing between the site system server and the
source location.
Security considerations
Clients don't validate content until after it's downloaded. Configuration Manager
clients validate the hash on content only after it's downloaded to their client cache.
If an attacker tampers with the list of files to download or with the content itself,
the download process can take up considerable network bandwidth. Then the
client discards the content when it finds the invalid hash.
The management point first authenticates the client. Then the client uses a
Configuration Manager token to access cloud storage. The token is valid for
eight hours. This behavior means that if you block a client because it's no longer
trusted, it can continue to download content from cloud storage until this token
expires. The management point won't issue another token for the client because
it's blocked.
Privacy information
Configuration Manager doesn't include any user data in content files, although an
administrative user might choose to include such data.
Next steps
Fundamental concepts for content management
Types of replication
File-based replication
Configuration Manager uses file-based replication to transfer file-based data between
sites in your hierarchy. This data includes applications and packages that you want to
deploy to distribution points in child sites. It also handles unprocessed discovery data
records that the site transfers to its parent site and then processes.
Database replication
Configuration Manager database replication uses SQL Server to transfer data. It uses this
method to merge changes in its site database with the information from the database at
other sites in the hierarchy.
For help with troubleshooting SQL Server replication, see Troubleshoot SQL Server
replication.
See also
Monitor replication
File-based replication
Article • 10/04/2022
File-based communication between sites uses the server message block (SMB) protocol
on TCP/IP port 445. To control the amount of data the site transfers across the network,
specify bandwidth throttling and pulse mode. Use schedules to control when to send
data across the network.
Routes
The following information can help you set up and use file replication routes.
You can change the following settings for file replication routes:
Secondary sites always use the computer account of the secondary site server as
the File Replication Account.
Schedule
Set the schedule for each file replication route. This action restricts the type of data and
time when data can transfer to the destination site.
Rate limits
Specify rate limits for each file replication route. This action controls the network
bandwidth the site uses when it transfers data to the destination site:
Pulse mode: Specify the size of the data blocks that the site sends to the
destination site. You can also specify a time delay between sending each data
block. Use this option when you must send data across a low-bandwidth network
connection to the destination site.
For example, you have constraints to send 1 KB of data every five seconds, but not
1 KB every three seconds. This constraint is regardless of the speed of the link or
its usage at a given time.
Limited to maximum transfer rates by hour: The site sends data to a destination
site by using only the percentage of time that you specify. Configuration Manager
doesn't identify the network's available bandwidth. It divides the time it can send
data into slices of time. It then sends the data in a short block of time, which is
followed by blocks of time when it doesn't send data.
For example, you set the maximum rate to 50%. Configuration Manager transmits
data for an amount of time followed by an equal period of time when it doesn't
send any data. It doesn't manage the actual size of the data block that it sends.
The site only manages the amount of time during which it sends data.
Caution
Configure a file replication route between two secondary sites to route file-based
content between those sites.
Sender
Each site has one sender. The sender manages the network connection from one site to
a destination site. It can establish connections to multiple sites at the same time. To
connect to a site, the sender uses the file replication route to the site and identifies the
account it uses to establish the network connection. The sender also uses this account
to write data to the destination site's SMS_Site share.
By default, the sender writes data to a destination site by using multiple concurrent
sendings, or threads. Each thread can transfer a different file-based object to the
destination site. When the sender begins to send an object, it continues to write blocks
of data for that object until it sends the entire object. After it sends all the data for the
object, a new object can begin to send on that thread.
To manage the sender for a site, go to the Administration workspace, and expand the
Site Configuration node. Select the Sites node, and then select Properties for the site
you want to manage. Switch to the Sender tab to change the sender settings.
Retry settings
By default, each site retries a problem connection two times, with a one-minute delay
between connection attempts. You can modify the number of connection attempts the
site makes, and how long to wait between attempts.
Next steps
Database replication
Database replication
Article • 10/04/2022
Configuration Manager database replication uses SQL Server to transfer data. It uses this
method to merge changes in its site database with the information from the database at
other sites in the hierarchy.
When you add a new site to a hierarchy, Configuration Manager creates a generic
database at the new site. The parent site creates a snapshot of the relevant data in its
database. It then transfers the snapshot to the new site using file-based replication. The
new site then uses the SQL Server Bulk Copy Program (BCP) to load the information into
its local copy of the Configuration Manager database. After the snapshot loads, each
site conducts database replication with the other site.
To replicate data between sites, Configuration Manager uses its own database
replication service. The database replication service uses SQL Server change tracking to
monitor the local site database for changes. It then replicates the changes to other sites
by using SQL Server Service Broker (SSB). By default, this process uses TCP port 4022.
Replication groups
Configuration Manager groups data that replicates by database replication into different
replication groups. Each replication group has a separate, fixed replication schedule. The
site uses this schedule to determine how frequently it replicates changes to other sites.
Database replication links: Control when specific traffic traverses the network.
Distributed views: When a central administration site (CAS) requests selected site
data, it can access the data directly from the database at a child primary site.
Schedules: Specify when a replication link is used, and when different types of site
data replicate.
Summarization: Change settings for data summarization about network traffic that
traverses replication links. By default, summarization occurs every 15 minutes. It's
used in reports for database replication.
Database replication thresholds: Define when the site reports links as degraded or
failed. You can also configure when Configuration Manager raises alerts about
replication links that have a degraded or failed status.
Types of data
Configuration Manager primarily classifies the data that it replicates as either global data
or site data. When database replication occurs, the site transfers changes to global data
and site data across the database replication link. Global data replicates to a parent or
child site. Site data replicates only to a parent site. A third data type, local data, doesn't
replicate to other sites. Local data is information that other sites don't require.
Global data
Global data is administrator-created objects that replicate to all sites throughout the
hierarchy. Secondary sites only receive a subset of global data, as global proxy data. You
create global data at the CAS and primary sites. This type includes the following data:
Software deployments
Software updates
Collection definitions
Role-based administration security scopes
Site data
Site data is operational information created by Configuration Manager primary sites and
their assigned clients. Site data replicates to the CAS, but not to other primary sites. Site
data is only viewable at the CAS and at the primary site where the data originates. You
can only modify site data at the primary site where you created it. This type includes the
following data:
Hardware inventory
Status messages
Alerts
The results of query-based collections
All site data replicates to the CAS. The CAS does administration and reporting for the
entire site hierarchy.
To control the transfer of data across the replication link, change settings for each link.
Each replication link supports separate configurations. Each database replication link
includes the following controls:
Stop the replication of selected site data from a primary site to the CAS. This action
causes the CAS to access this data directly from the database of the primary site.
Schedule selected site data to transfer from a child primary site to the CAS.
Define the settings that determine when a database replication link has a
degraded or failed status.
You can edit database replication links from the Database Replication node in
either workspace. However, when you use the Database Replication node in the
Monitoring workspace, you can also view the status of database replication. It also
provides access to the Replication Link Analyzer tool. Use this tool to help
investigate problems with database replication.
For more information about how to configure replication links, see Site database
replication controls. For more information about how to monitor replication, see
Monitor database replication.
Distributed views
Through distributed views, when you make a request at the CAS for selected site data, it
directly accesses the database at the child primary site. This direct access replaces the
need to replicate site data from the primary site to the CAS. Because each replication
link is independent from other replication links, you can use distributed views on the
replication links that you choose. You can't use distributed views between a primary site
and a secondary site.
Reduce the CPU load to process database changes at the CAS and primary sites
Reduce the amount of data that transfers across the network to the CAS
Improve the performance of the SQL Server that hosts the CAS database
Consider using distributed views when a primary site is closely located to the CAS on the
network, the two sites are always on, and always connected. Distributed views replace
the replication of the selected data between the sites with direct connections between
the site database servers at each site. The CAS makes a direct connection each time you
request this data.
The site requests distributed view data in the following example scenarios:
When you view data in the Configuration Manager console or in reports, distributed
views are operationally invisible to you. When you request data that's enabled for
distributed views, the CAS site database server directly accesses the child primary site's
database to retrieve the information.
For example, you use a Configuration Manager console connected to the CAS. You
request information about hardware inventory from two primary sites: ABC and XYZ. You
only enabled hardware inventory for distributed views at site ABC. The CAS retrieves
inventory information for XYZ clients from its own database. The CAS retrieves inventory
information for ABC clients directly from the database at site ABC. This information
appears in the Configuration Manager console or in a report without identifying the
source.
If a replication link has a type of data enabled for distributed views, the child primary
site doesn't replicate that data to the CAS. When you turn off distributed views for a
type of data, the child primary site resumes normal data replication to the CAS. Before
this data is available at the CAS, the replication groups for this data must reinitialize
between the primary site and the CAS. After you uninstall a primary site that has
distributed views turned on, the CAS must complete reinitialization of its data before
you can access data that you enabled for distributed views on the CAS.
Important
When you use distributed views on any replication link in the site hierarchy, before
you uninstall any primary site, turn off distributed views for all replication links. For
more information, see Uninstall a primary site that uses distributed views.
The CAS must use SQL Server Enterprise edition. The primary site doesn't have this
requirement.
The CAS can have only one instance of the SMS Provider. Install that single
instance on the site database server. This configuration supports Kerberos
authentication. The SQL Server at the CAS requires Kerberos to access the SQL
Server at the child primary site. There are no limitations on the SMS Provider at the
child primary site.
You can only install one reporting services point at the CAS. Install SQL Server
Reporting Services on the site database server. This configuration supports
Kerberos authentication. The SQL Server at the CAS requires Kerberos to access the
SQL Server at the child primary site.
You can host the site database on a SQL Server Always On failover cluster instance,
if it has the following configurations:
The CAS database is on a single SQL Server with a local SMS Provider.
The primary site listener is on port 1433.
The computer account of the CAS database server requires Read permissions on
the primary site database.
Important
Distributed views and schedules for when data can replicate are mutually exclusive
settings for a database replication link.
When you configure a database replication link schedule, you can restrict the transfer of
selected site data from the primary site to the CAS. You can also configure different
times to replicate different types of site data.
Important
Distributed views and schedules for when data can replicate are mutually exclusive
configurations for a database replication link.
Summarization of traffic
Each site periodically summarizes data about the network traffic that traverses database
replication links for the site. The site uses summarized data in reports for database
replication. Both sites on a replication link summarize the network traffic that traverses
the replication link. The site database server summarizes the data. After it summarizes
data, the information replicates to other sites as global data.
You can specify custom values for degraded or failed status. If you adjust these values,
you can more accurately monitor the health of database replication across the links.
One or more replication groups can fail to replicate while other replication groups
continue to successfully replicate. Plan to review the replication status of a link when it
first reports as degraded.
Consider modifying the retry values for the degraded or failed status of the link in the
following situations:
There are recurring delays for specific replication groups, and their delay isn't a
problem
When you increase the number of retries before the site sets the link to degraded or
failed, you can eliminate false warnings for known issues. This action lets you more
accurately track the status of the link.
To understand how frequently replication of that group occurs, consider the replication
sync interval for each replication group. To view the Synchronization Interval for
replication groups, go to the Monitoring workspace in the Configuration Manager
console. In the Database Replication node, select the Replication Detail tab of a
replication link.
For more information about how to monitor database replication, including how to view
the replication status, see Monitor database replication.
You can modify the following replication controls for each site database:
The period of time to wait before replication failures trigger the site to reinitialize
its copy of the site database.
Compress the data that a site replicates. It only compresses the data for transfer
between sites, and not for storage in the site database at either site.
To change the settings for the replication controls for a site database, in the
Configuration Manager console, on the Database Replication node, edit the properties
of the site database. This node appears under the Hierarchy Configuration node in the
Administration workspace, and also appears in the Monitoring workspace. To edit the
properties of the site database, select the replication link between the sites, and then
open either Parent Database Properties or Child Database Properties.
Tip
You can configure database replication controls from the Database Replication
node in either workspace. However, when you use the Database Replication node
in the Monitoring workspace, you can also view the status of database replication
for a replication link, and access the Replication Link Analyzer tool to help you
investigate problems with replication.
Next steps
Monitor replication
Configuration Manager clients use a process called service location to locate site system
servers. Clients can communicate with these servers and they provide services that
clients can use. To better configure your sites to successfully support client tasks, you
need to understand how and when clients use service location to find site resources.
These configurations can require the site to interact with domain and network
configurations like Active Directory Domain Services and DNS. They can also require you
to configure more complex alternatives.
Download information about other management points for the site. It then builds
a list of known management points for future service location cycles. This list is
also known as the MP list.
Request information about other site system roles that provide services that the
client can use. For example, distribution points for software that the client can
install, or a software update point for metadata about software updates.
When the ccmexec.exe service on the computer starts. This Windows service is the
core client service.
When the client needs to locate a site system role that provides a required service.
To use HTTPS, you need a public key infrastructure (PKI) and install PKI certificates
on clients and servers. For more information, see PKI certificate requirements for
Configuration Manager.
For roles that use IIS and support client communication, you configure them for
HTTP or HTTPS. If you use HTTP, also consider signing and encryption choices. For
more information, see Planning for signing and encryption.
Important
Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.
Tip
You can use client installation properties to set the assigned management point for
a client. For more information, see Client installation properties.
A client selects a management point to communicate with based on the client's current
network location and boundary group configurations. Even though it has an assigned
management point, this server may not be the management point that the client uses.
Note
A client always uses the assigned management point for registration messages and
certain policy messages. This behavior happens even when other communications
are sent to a proxy or local management point.
You can use preferred management points. Preferred management points are
management points from a client's assigned site that are associated with a boundary
group that the client uses to find site system servers. A preferred management point's
association with a boundary group is similar to how distribution points or state
migration points are associated with a boundary group. If you enable preferred
management points for the hierarchy, when a client uses a management point from its
assigned site, it tries to use a preferred management point before using other
management points from its assigned site.
Tip
You can configure management point affinity with a registry key configuration on
the client. Management point affinity overrides the default behavior for assigned
management points and lets the client use one or more specific management
points. For more information, see this blog post from a Microsoft Premier
engineer.
Each time a client needs to contact a management point, it first checks the MP list. The
client creates an initial MP list when it installs. The client then periodically updates the
list with details about each management point in the hierarchy.
When the client can't find a valid management point in its MP list, it searches the service
location sources. It uses the following sources in order, until it finds a management
point that it can use:
1. Management point
2. Active Directory Domain Services (AD DS)
3. DNS
After a client successfully locates and contacts a management point, it downloads the
current list of available management points. It then updates its own local MP list.
This process is the same for all clients. For example, when a Configuration Manager
client that's on the internet connects to an internet-based management point, the
management point sends that client a list of available internet-based management
points. A client that's not on the internet only gets a list of internal management points.
The MP list
The MP list is the preferred service location source for a client. It's a prioritized list of
management points that the client previously identified. The client sorts its MP list
based on its current network location. It stores the list locally in WMI.
Include management points specified during client installation. For example, when
you use the SMSMP property or /mp parameter.
If it doesn't get any management points from the first two rules, the client checks
DNS for published management points.
MP list categories
Clients organize their list of management points by using the following categories:
When a client belongs to more than one boundary group, it determines the list
of local management points from the union of all boundaries that include the
current network location of the client.
You can use preferred management points. Management points at a site that aren't
associated with a boundary group, or that aren't in a boundary group associated with a
client's current network location, aren't considered preferred. The client uses these
management points when it can't find an available preferred management point.
1. Proxy
2. Local
3. Assigned
The client always uses the assigned management point for registration messages and
certain policy messages. This behavior happens even when it sends other
communication to a proxy or local management point.
Within each category, the client attempts to use a management point based on
preferences, in the following order:
From the set of management points sorted by preference, the client attempts to use the
first management point on the list. This sorted list of management points is otherwise
randomized and can't be ordered any further. The order of the list can change each time
the client updates its MP list.
When a client can't contact the first management point, it tries each successive
management point on its list. It tries each preferred management point in the category
before trying the non-preferred management points. If a client can't successfully
communicate with any management point in the category, it attempts to contact a
preferred management point from the next category, until it finds a management point
to use.
The client is unable to communicate with the management point for five attempts
over a period of 10 minutes.
Active Directory
Domain-joined clients can use AD DS for service location. This behavior requires sites to
publish data to Active Directory.
A client can use AD DS for service location when all the following conditions are true:
You configured the Active Directory forest for publishing, and you configured the
Configuration Manager site to publish.
The client computer is a member of an Active Directory domain and can access a
global catalog server.
If a client can't find a management point to use for service location from AD DS, it
attempts to use DNS.
DNS
Clients on the intranet can use DNS for service location. This behavior requires at least
one site in a hierarchy to publish information about management points to DNS.
Consider using DNS for service location when any of the following conditions are true:
You have clients on workgroup computers, and you haven't configured those
clients for internet-only client management. A workgroup client configured for the
internet communicates only with internet-facing management points and won't
use DNS for service location.
When a site publishes service location records for management points to DNS:
Publishing adds a service location resource record (SRV RR) in the DNS zone of the
management point server. That server needs a corresponding host entry in DNS.
By default, domain-joined clients search DNS for management point records from the
client's local domain. You can configure a client installation property to specify another
domain suffix.
For more information, see How to configure client computers to find management
points by using DNS publishing.
Your DNS servers support service location resource records, by using a version of
BIND that's at least 8.1.2.
Important
With default permissions, only the first management point can successfully publish to
DNS.
If only one management point can successfully publish and change its DNS record,
clients can get the full MP list from that management point. As long as that one
published management point is healthy, clients can then find their preferred
management point.
In this scenario, manually publish management points to DNS. Manually configure the
service location resource record (SRV RR). Configuration Manager supports RFC 2782 for
service location records. These records have the following format:
_Service._Protocol.Name TTL Class SRV Priority Weight Port Target
2. Select the site to configure publishing. In the ribbon, select Configure Site
Components and choose Management Point.
3. Select the management points that you want to publish. This selection applies to
publishing for AD DS and DNS.
1. In the DNS management console, select the DNS zone for the management point
computer.
2. Verify that there's a host record (A or AAAA) for the intranet FQDN of the site
system. If this record doesn't exist, create it.
3. Select New Other Records, choose Service Location (SRV), and then choose
Create Record.
Domain: If necessary, enter the DNS suffix of the management point, for
example contoso.com.
Service: _mssms_mp_<sitecode>. For example, _mssms_mp_xyz.
Protocol: ._tcp
Priority: Configuration Manager doesn't use this field.
Weight: Configuration Manager doesn't use this field.
Port: Specify the port number that the management point uses. For example,
443 by default for HTTPS.
Host offering this service: Specify the intranet FQDN of the site system
server with the management point role.
Repeat these steps for each management point on the intranet that you want to publish
to DNS.
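The manual publishing procedure above, and the check that follows it, as an added PowerShell example (not code from the Configuration Manager documentation). The first function creates the SRV record with the DnsServer module after confirming the host record from step 2 exists; the second resolves the record the way a client in the domain would and compares every target and port against an allow-list of management points you actually operate, which is the check a defender wants because a client with no trusted root key trusts the first management point it reaches. Site code XYZ, zone contoso.com, the mp01/mp02 FQDNs and port 443 are assumed placeholder values.

```powershell
# Added example, not from the Configuration Manager docs. Assumed values: site code XYZ,
# zone contoso.com, management points mp01.contoso.com / mp02.contoso.com, HTTPS port 443.
# Publish-CMManagementPointSrv needs the DnsServer module (DNS server or RSAT DNS tools).

function Publish-CMManagementPointSrv {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,   # DNS suffix of the MP, e.g. contoso.com
        [Parameter(Mandatory)] [string] $SiteCode,   # site code, e.g. XYZ
        [Parameter(Mandatory)] [string] $MpFqdn,     # intranet FQDN of the MP site system
        [int] $Port = 443                            # port the MP listens on (443 for HTTPS)
    )
    # Step 2 of the procedure: an A or AAAA host record must exist before the SRV record.
    $hostLabel  = $MpFqdn -replace "\.$([regex]::Escape($ZoneName))$", ''
    $hostRecord = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $hostLabel -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordType -in 'A', 'AAAA' }
    if (-not $hostRecord) {
        throw "No A/AAAA record for $MpFqdn in zone $ZoneName; create the host record first."
    }
    # Step 3: _mssms_mp_<sitecode>._tcp in the MP's zone. Configuration Manager ignores
    # Priority and Weight, so both are set to 0.
    $srvName = "_mssms_mp_$($SiteCode.ToLower())._tcp"
    Add-DnsServerResourceRecord -Srv -ZoneName $ZoneName -Name $srvName `
        -DomainName $MpFqdn -Priority 0 -Weight 0 -Port $Port -TimeToLive (New-TimeSpan -Hours 1)
}

function Test-CMManagementPointSrv {
    # Resolve the record as a domain client would and flag any target or port that is not
    # in the allow-list (a rogue or stale SRV record would misdirect service location).
    param(
        [Parameter(Mandatory)] [string]   $DnsSuffix,
        [Parameter(Mandatory)] [string]   $SiteCode,
        [Parameter(Mandatory)] [string[]] $ExpectedMp,   # FQDNs of the MPs you operate
        [int] $ExpectedPort = 443
    )
    $query = "_mssms_mp_$($SiteCode.ToLower())._tcp.$DnsSuffix"
    $srv = Resolve-DnsName -Name $query -Type SRV -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' }
    foreach ($r in $srv) {
        $target = $r.NameTarget.TrimEnd('.')
        $known  = $ExpectedMp -contains $target
        $portOk = ($r.Port -eq $ExpectedPort)
        if ($known -and $portOk) { $status = 'OK' }
        elseif (-not $known)     { $status = 'UNEXPECTED TARGET (investigate)' }
        else                     { $status = "UNEXPECTED PORT (expected $ExpectedPort)" }
        [pscustomobject]@{ Record = $query; Target = $target; Port = $r.Port; Status = $status }
    }
}

# Usage with the assumed values:
# Publish-CMManagementPointSrv -ZoneName 'contoso.com' -SiteCode 'XYZ' -MpFqdn 'mp01.contoso.com' -Port 443
# Test-CMManagementPointSrv -DnsSuffix 'contoso.com' -SiteCode 'XYZ' -ExpectedMp 'mp01.contoso.com','mp02.contoso.com'
```

Run the test function periodically from a domain-joined host; any row whose Status is not OK is a record that clients will use for service location but that you did not publish.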
Security and privacy for site administration in Configuration Manager
Article • 10/04/2022
This article contains security and privacy information for Configuration Manager sites
and the hierarchy.
If you do run setup from a network location, to help prevent an attacker from tampering
with the files as they're transmitted over the network, use IPsec or SMB signing between
the source location of the setup files and the site server.
If you use the Setup Downloader to download the files that are required by setup, make
sure that you secure the location where these files are stored. Also secure the
communication channel for this location when you run setup.
If clients are in an untrusted domain, deploy the following site system roles in the
clients' domains:
Management point
Distribution point
Note
If you don't use additional controls to secure these server-to-server channels, attackers
can use various spoofing and man-in-the-middle attacks against site systems. Use SMB
signing when you can't use IPsec.
Important
Secure the communication channel between the site server and the package source
server. This communication uses SMB. If you can't use IPsec to secure this
communication, use SMB signing to make sure that the files aren't tampered with
before clients download and run them.
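A way to verify the SMB signing recommendation made above on the site server, the package source server and other site systems, as an added PowerShell example (not code from the Configuration Manager documentation). The computer names are placeholders; the cmdlets are the built-in SmbShare module ones and need PowerShell remoting to the targets.

```powershell
# Added example, not from the Configuration Manager docs. Checks that SMB signing is
# *required* (not merely enabled) on both the server and client side of each host, because
# "enabled" still allows an unsigned session when the peer does not sign. Computer names
# are placeholders.

function Test-SmbSigningRequired {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $srv = Get-SmbServerConfiguration
        $cli = Get-SmbClientConfiguration
        [pscustomobject]@{
            Computer              = $env:COMPUTERNAME
            ServerRequiresSigning = $srv.RequireSecuritySignature
            ClientRequiresSigning = $cli.RequireSecuritySignature
            Compliant             = ($srv.RequireSecuritySignature -and $cli.RequireSecuritySignature)
        }
    } | Select-Object Computer, ServerRequiresSigning, ClientRequiresSigning, Compliant
}

# Remediation on a non-compliant host (run locally or inside Invoke-Command):
#   Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
#   Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# Usage with placeholder names (site server and package source server):
# Test-SmbSigningRequired -ComputerName 'SITESERVER01', 'PKGSOURCE01' | Format-Table -AutoSize
```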
SMS_SiteSystemToSiteServerConnection_MP_<SiteCode>
SMS_SiteSystemToSiteServerConnection_SMSProv_<SiteCode>
SMS_SiteSystemToSiteServerConnection_Stat_<SiteCode>
Configuration Manager automatically creates and manages these security groups. This
behavior includes removing computer accounts when a site system role is removed.
To ensure service continuity and least privilege, don't manually edit these groups.
If the client doesn't have a copy of the trusted root key before it contacts a
management point for the first time, it trusts the first management point it
communicates with. To reduce the risk of an attacker misdirecting clients to an
unauthorized management point, you can pre-provision the clients with the trusted root
key. For more information, see Planning for the trusted root key.
Important
The fallback status point role is an exception. Because this site system role accepts
unauthenticated data from clients, don't assign the fallback status point role to any
other Configuration Manager site system role.
Static IP addresses also make the configuration of IPsec easier. Using IPsec is a security
best practice for securing communication between site systems in Configuration
Manager.
Periodically audit administrative user assignments and their authorization level to verify
required changes.
Use SMB signing or IPsec when you transfer this data over the network, and secure the
backup location.
Secure locations for exported objects
Whenever you export or import objects from the Configuration Manager console to a
network location, secure the location and secure the network channel.
To prevent an attacker from tampering with the exported data, use SMB signing or IPsec
between the network location and the site server. Also secure the communication
between the computer that runs the Configuration Manager console and site server. Use
IPsec to encrypt the data on the network to prevent information disclosure.
To remove the peer trust that was originally established with the site system and site
system roles, manually remove the Configuration Manager certificates for the failed
server in the Trusted People certificate store on other site system servers. This action is
important if you reuse the server without reformatting it.
By default, site systems initiate connections to the site server to transfer data. This
configuration can be a security risk when the connection initiation is from an untrusted
network to the trusted network. When site systems accept connections from the
internet, or reside in an untrusted forest, configure the site system option to Require the
site server to initiate connections to this site system. After the installation of the site
system and any roles, all connections are initiated by the site server from the trusted
network.
When you configure SSL termination at the proxy web server, packets from the internet
are subject to inspection before they're forwarded to the internal network. The proxy
web server authenticates the connection from the client, terminates it, and then opens a
new authenticated connection to the internet-based site systems.
When Configuration Manager client computers use a proxy web server to connect to
internet-based site systems, the client identity (GUID) is securely contained within the
packet payload. Then the management point doesn't consider the proxy web server to
be the client.
If your proxy web server can't support the requirements for SSL bridging, SSL tunneling
is also supported. This option is less secure. The SSL packets from the internet are
forwarded to the site systems without termination. Then they can't be inspected for
malicious content.
Warning
Mobile devices that are enrolled by Configuration Manager can't use SSL bridging.
They must use SSL tunneling only.
For more information about the different Wake On LAN technologies, see Planning how
to wake up clients.
If you use email notification, configure authenticated access to the SMTP mail server
Whenever possible, use a mail server that supports authenticated access. Use the
computer account of the site server for authentication. If you must specify a user
account for authentication, use an account that has the least privileges.
This practice also lowers the attack surface on your domain controllers.
Use the following security guidance to help you secure SQL Server for Configuration
Manager.
After you install the secondary site, run Windows Update on the secondary site
server.
Before you install the secondary site, manually install SQL Server Express on the
secondary site server. Make sure that you install the latest version and any
software updates. Then install the secondary site, and select the option to use an
existing SQL Server instance.
Periodically run Windows Update for all installed versions of SQL Server. This practice
makes sure that they have the latest software updates.
The computer account of the site server must be a member of the Administrators
group on the computer that runs SQL Server. If you follow the SQL Server
recommendation of "provision administrator principals explicitly", the account that
you use to run setup on the site server must be a member of the SQL Server Users
group.
If you install SQL Server by using a domain user account, make sure that the site
server computer account is configured for a Service Principal Name (SPN) that's
published to Active Directory Domain Services. Without the SPN, Kerberos
authentication fails and Configuration Manager setup fails.
Use the following guidance to help you secure the site systems that run IIS.
The exception to this guidance might be distribution points. Package access accounts
don't work when the distribution point is configured for HTTPS. Package access
accounts provide authorization to the content, so that you can restrict which users can
access the content. For more information, see Security guidance for content
management.
Important
Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.
A management point that you configure for HTTPS and enable to support mobile
devices
A CTL is a defined list of trusted root certification authorities (CAs). When you use a CTL
with group policy and a public key infrastructure (PKI) deployment, a CTL enables you to
supplement the existing trusted root CAs that are configured on your network. For
example, CAs that are automatically installed with Microsoft Windows or added through
Windows enterprise root CAs. When a CTL is configured in IIS, it defines a subset of
those trusted root CAs.
This subset provides you with more control over security. The CTL restricts the client
certificates that are accepted to only those certificates that are issued from the list of
CAs in the CTL. For example, Windows comes with a number of well-known, third-party
CA certificates.
By default, the computer that runs IIS trusts certificates that chain to these well-known
CAs. When you don't configure IIS with a CTL for the listed site system roles, the site
accepts as a valid client any device that has a certificate issued by one of these CAs. If
you configure IIS with a CTL that doesn't include these CAs, the site refuses client
connections whose certificate chains to these CAs. For Configuration Manager clients to be
accepted by the listed site system roles, you must configure IIS with a CTL that specifies
the CAs that issue the certificates used by Configuration Manager clients.
Note
Only the listed site system roles require you to configure a CTL in IIS. The certificate
issuers list that Configuration Manager uses for management points provides the
same functionality for client computers when they connect to HTTPS management
points.
For more information about how to configure a list of trusted CAs in IIS, see the IIS
documentation.
If you must run other web-based applications on Configuration Manager site systems,
create a custom web site for Configuration Manager site systems.
For example, remove the following virtual directories for a distribution point:
SMS_DP_SMSPKG$
SMS_DP_SMSSIG$
NOCERT_SMS_DP_SMSPKG$
NOCERT_SMS_DP_SMSSIG$
x-content-type-options: nosniff
If you migrate from an earlier version to Configuration Manager current branch, migrate
the client on the management point to the new site as soon as possible.
For more information about the security considerations when you install a fallback
status point, see Determine whether you require a fallback status point.
For security reasons, you can't assign a fallback status point to clients after they're
installed. You can only assign this role during client installation.
If you do install the fallback status point in the perimeter network or any untrusted
network, configure the site server to initiate data transfers. Don't use the default setting
that allows the fallback status point to initiate a connection to the site server.
Configuring rapid polling intervals and extreme amounts of inventory creates a denial
of service against the clients and servers.
Use one site in the hierarchy to write data to another site's Active Directory
data.
Audit all administrative user activity and routinely review the audit logs. Require all
Configuration Manager administrative users to undergo a background check
before they're hired. Require periodic rechecks as a condition of employment.
The enrollment point communicates with a CA. It can create, modify, and delete
Active Directory objects. Never install the enrollment point in the perimeter
network. Always monitor for unusual activity.
If you allow user policies for internet-based client management, you increase your
attack profile.
The Configuration Manager site server uses the Admin$ share to connect to and
do service operations on site systems. Don't disable or remove this share.
Identify and follow any security guidance for the version of DNS that you use for
name resolution.
The only discovery method that Configuration Manager enables by default is Heartbeat
Discovery. This method only discovers computers that already have the Configuration
Manager client software installed.
Discovery information isn't directly sent to Microsoft. It's stored in the Configuration
Manager database. Configuration Manager retains information in the database until it
deletes the data. This process happens every 90 days by the site maintenance task
Delete Aged Discovery Data.
Network infrastructure considerations for Configuration Manager
Article • 10/04/2022
To prepare your network to support Configuration Manager, you may need to configure
some infrastructure components. For example, open firewall ports to pass the
communications used by Configuration Manager.
Most Configuration Manager communications use common ports like port 80 for HTTP
or 443 for HTTPS. Some site system roles support the use of custom websites and
custom ports. For more information, see Websites for site system servers.
Before you deploy Configuration Manager, identify the ports that you plan to use, and
set up firewalls as needed.
After you install Configuration Manager, if you need to change a port, don't forget to
update firewalls on devices and the network. Also change the configuration of the port
in Configuration Manager.
Proxy servers
You can specify separate proxy servers for different site system servers and clients. You
make these configurations when you install a site system role or client, or change them
later as needed.
This article lists the network ports that Configuration Manager uses. Some connections
use ports that aren't configurable, and some support custom ports that you specify. If
you use any port filtering technology, verify that the required ports are available. These
port filtering technologies include firewalls, routers, proxy servers, or IPsec.
Note
You configure the ports for the reporting services point in SQL Server
Reporting Services. Configuration Manager then uses these ports during
communications to the reporting services point. Be sure to review these ports
that define the IP filter information for IPsec policies or for configuring
firewalls.
By default, the HTTP port that's used for client-to-site system communication is port 80,
and 443 for HTTPS. You can change these ports during setup or in the site properties.
Non-configurable ports
Configuration Manager doesn't allow you to configure ports for the following types of
communication:
Site to site
--> indicates that one computer starts the communication and the other computer
always responds.
For more information, see CMG data flow.
Note
Use client settings to configure the alternate port for express updates. For more
information, see Port that clients use to receive requests for delta content.
DHCP -- 67 and 68
TFTP -- 69 (Note 4)
Important
If you enable a host-based firewall, make sure that the rules allow the server to
send and receive on these ports. When you enable a distribution point for PXE,
Configuration Manager can enable the inbound (receive) rules on the Windows
Firewall. It doesn't configure the outbound (send) rules.
Client notification (default communication before falling back to HTTP or HTTPS) -- 10123 (Note 2; alternate port available)
The specific port required depends upon the management point configuration. For
more information, see CMG data flow.
CMG connection point --> Software update point
The specific port depends upon the software update point configuration:
HTTPS -- 443 or 8531
HTTP -- 80 or 8530
The Configuration Manager console uses internet access for the following actions:
Any device that makes a call to the administration service on the SMS Provider uses
HTTPS port 443. For more information, see What is the administration service?
During the installation of a site that uses a remote SQL Server to host the site database,
open the following ports between the site server and the SQL Server:
Tip
Configuration Manager doesn't require the SQL Server Browser, which uses port
UDP 1434.
After installation, you can change the port. You don't have to use the same port number
throughout the site hierarchy.
If the HTTP port is anything else, the HTTPS port must be 1 or higher, for example,
8530 and 8531.
Note
When you configure the software update point to use HTTPS, the HTTP port
must also be open. Unencrypted data, such as the EULA for specific updates,
uses the HTTP port.
The site server makes a connection to the SQL Server hosting the SUSDB when you
enable the following options for WSUS cleanup:
Add non-clustered indexes to the WSUS database to improve WSUS cleanup
performance
Remove obsolete updates from the WSUS database
If you change the default SQL Server port to an alternate port with SQL Server
Configuration Manager, make sure the site server can connect using the defined port.
Configuration Manager doesn't support dynamic ports. By default, SQL Server named
instances use dynamic ports for connections to the database engine. When you use a
named instance, manually configure the static port.
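The static-port requirement above is easy to check without opening SQL Server Configuration Manager. The following PowerShell is an added example, not Microsoft's code: it reads the instance's TCP configuration from the registry on the SQL Server, flags a dynamic-port configuration, and then tests the path from the site server. SQL01, the named instance CM, and WinRM access to SQL01 are assumptions.

```powershell
# Added example (not Microsoft's code): confirm that the instance hosting the site
# database listens on a static TCP port, then prove the site server can reach it.
# SQL01 and the named instance CM are assumed names; WinRM to SQL01 is assumed.
function Get-SqlInstanceTcpConfig {
    param([string]$InstanceName = 'MSSQLSERVER')
    $base = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    # "Instance Names\SQL" maps the instance name to its registry id, e.g. MSSQL15.CM
    $id = (Get-ItemProperty "$base\Instance Names\SQL").$InstanceName
    if (-not $id) { throw "Instance '$InstanceName' is not installed on this server." }
    $tcp = Get-ItemProperty "$base\$id\MSSQLServer\SuperSocketNetLib\Tcp"
    # IPAll is authoritative when the instance listens on all IPs; otherwise the
    # per-IPn subkeys would need the same check.
    $ipAll = Get-ItemProperty "$base\$id\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
    [pscustomobject]@{
        Instance     = $InstanceName
        ListenAllIPs = [bool]$tcp.ListenOnAllIPs
        TcpPort      = $ipAll.TcpPort          # populated only for a static port
        DynamicPorts = $ipAll.TcpDynamicPorts  # '0' or the current port when dynamic
        IsStatic     = -not [string]::IsNullOrEmpty($ipAll.TcpPort)
    }
}

# Run the registry check on the SQL Server (remotely, from the site server).
$cfg = Invoke-Command -ComputerName 'SQL01' `
    -ScriptBlock ${function:Get-SqlInstanceTcpConfig} -ArgumentList 'CM'
if (-not $cfg.IsStatic) {
    $msg = 'Instance {0} uses dynamic ports ({1}). Configuration Manager needs a static port: ' +
           'set TcpPort in SQL Server Configuration Manager and restart the instance.'
    Write-Warning ($msg -f $cfg.Instance, $cfg.DynamicPorts)
    return
}

# Then test the path from the site server through host and network firewalls.
$tnc = Test-NetConnection -ComputerName 'SQL01' -Port ([int]$cfg.TcpPort) -WarningAction SilentlyContinue
[pscustomobject]@{
    Server    = 'SQL01'
    Instance  = $cfg.Instance
    Port      = $cfg.TcpPort
    Reachable = $tnc.TcpTestSucceeded
}
```

A failed TcpTestSucceeded with a static port configured points at a firewall (host or network) rather than at SQL Server; a warning from the first half points at the instance configuration.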
The Trivial FTP (TFTP) Daemon system service doesn't require a user name or password
and is an integral part of Windows Deployment Services (WDS). The Trivial FTP Daemon
service implements support for the TFTP protocol that's defined by the following RFCs:
TFTP is designed to support diskless boot environments. TFTP Daemons listen on UDP
port 69 but respond from a dynamically allocated high port. If you enable this port, the
TFTP service can receive incoming TFTP requests, but the selected server can't respond
to those requests. You can't enable the selected server to respond to inbound TFTP
requests unless you configure the TFTP server to respond from port 69.
The PXE-enabled distribution point and the client in Windows PE select dynamically
allocated high ports for TFTP transfers. These ports are defined by Microsoft between
49152 and 65535. For more information, see Service overview and network port
requirements for Windows.
However, during the actual PXE boot, the network card on the device selects the
dynamically allocated high port it uses during the TFTP transfer. The network card on
the device isn't bound to the dynamically allocated high ports defined by Microsoft. It's
only bound to the ports defined in RFC 1350. This port can be any from 0 to 65535. For
more information about what dynamically allocated high ports the network card uses,
contact the device hardware manufacturer.
Other ports
The following sections provide more information about ports that Configuration
Manager uses.
Endpoint Protection clients that download definition files from a UNC path
Intrasite communication between the SQL Server database engine and various
Configuration Manager site system roles defaults to port TCP 1433.
Configuration Manager uses the same ports and protocols to communicate with
each SQL Server Always On availability group replica that hosts the site database
as if the replica was a standalone SQL Server instance.
When you use Azure and the site database is behind an internal or external load
balancer, configure the following components:
Warning
The following site system roles communicate directly with the SQL Server database:
Certificate registration point role
Management point
Site server
SMS Provider
When a SQL Server hosts a database from more than one site, each database must use a
separate instance of SQL Server. Configure each instance with a unique set of ports.
If you enable a host-based firewall on the SQL Server, configure it to allow the correct
ports. Also configure network firewalls in between computers that communicate with
the SQL Server.
For an example of how to configure SQL Server to use a specific port, see Configure a
server to listen on a specific TCP port.
Note
Site server --> Site system: RPC endpoint mapper using UDP and TCP port 135
Site server <--> Site system: Server message blocks (SMB) using TCP port 445
Application and package installations on distribution points require the following RPC
ports:
Site server --> Distribution point: RPC endpoint mapper using UDP and TCP port
135
Site server --> Distribution point: RPC dynamic TCP ports
Use IPsec to help secure the traffic between the site server and site systems. If you must
restrict the dynamic ports that are used with RPC, you can use the Microsoft RPC
configuration tool (rpccfg.exe). Use the tool to configure a limited range of ports for
these RPC packets. For more information, see How to configure RPC to use certain ports
and how to help secure those ports by using IPsec .
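The PXE firewall note, the TFTP high-port discussion and the RPC paragraph above all come down to a handful of host-firewall rules on the distribution point. The following PowerShell is an added example (not Microsoft's code, not generated by Configuration Manager): it creates the inbound PXE rules that enabling PXE would also create, adds the outbound TFTP rule that the product never creates, restricts the site server's RPC and SMB access to its address, and pins RPC server endpoints to a small range by writing the same registry values rpccfg.exe writes. The site server address 10.0.0.10 and the range 5000-5100 are assumptions.

```powershell
# Added example (not Microsoft's code): host-firewall rules for a PXE-enabled
# distribution point and a bounded RPC port range for site server -> DP traffic.
# Run elevated on the distribution point. Assumptions: the site server is
# 10.0.0.10 and the RPC range 5000-5100 is a local choice, not a product default.
$SiteServer = '10.0.0.10'
$RpcPorts   = '5000-5100'

# 1. PXE: DHCP/TFTP requests arrive on UDP 67, 68 and 69. Enabling PXE lets
#    Configuration Manager create inbound rules like this one; it never creates
#    the outbound side, so that rule is always yours.
New-NetFirewallRule -DisplayName 'ConfigMgr PXE inbound (DHCP/TFTP)' `
    -Direction Inbound -Protocol UDP -LocalPort 67,68,69 -Action Allow -Profile Domain

# 2. TFTP replies leave from a dynamically allocated high port (49152-65535 on the
#    DP) to whatever port the client NIC picked (any port, per RFC 1350), so the
#    outbound rule is scoped by local port range and leaves the remote port open.
New-NetFirewallRule -DisplayName 'ConfigMgr PXE outbound (TFTP replies)' `
    -Direction Outbound -Protocol UDP -LocalPort '49152-65535' -Action Allow -Profile Domain

# 3. Site server -> DP for content installs: RPC endpoint mapper (135 TCP and UDP)
#    and SMB (445 TCP), restricted to the site server's address.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "ConfigMgr site server RPC EPM ($proto)" `
        -Direction Inbound -Protocol $proto -LocalPort 135 -RemoteAddress $SiteServer `
        -Action Allow -Profile Domain
}
New-NetFirewallRule -DisplayName 'ConfigMgr site server SMB' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress $SiteServer `
    -Action Allow -Profile Domain

# 4. Pin RPC server endpoints to a small range so the dynamic-port rule can be
#    narrow. These are the HKLM\SOFTWARE\Microsoft\Rpc\Internet values that
#    rpccfg.exe writes; they apply to every RPC server on the host after a restart.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
New-Item -Path $rpcKey -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name Ports -PropertyType MultiString -Value @($RpcPorts) -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name UseInternetPorts -PropertyType String -Value 'Y' -Force | Out-Null
New-NetFirewallRule -DisplayName 'ConfigMgr site server RPC dynamic' `
    -Direction Inbound -Protocol TCP -LocalPort $RpcPorts -RemoteAddress $SiteServer `
    -Action Allow -Profile Domain

# 5. Verify what was created.
Get-NetFirewallRule -DisplayName 'ConfigMgr *' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Direction = $_.Direction
        Protocol  = $pf.Protocol
        LocalPort = ($pf.LocalPort -join ',')
    }
} | Format-Table -AutoSize
```

The Rpc\Internet key is host-wide, so size the range for every RPC server on the box (Remote Registry, WMI and so on), not only for the distribution point role, and keep the TFTP outbound range separate: that traffic uses the OS ephemeral range, which step 4 does not change.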
Important
Before you install these site systems, make sure that the remote registry service is
running on the site system server and that you have specified a site system
installation account if the site system is in a different Active Directory forest without
a trust relationship. For example, the remote registry service is used on servers
running site systems such as distribution points (both pull and standard) and
remote SQL Servers.
For a list of ports for each client deployment method, see Ports used during
Configuration Manager client deployment
For more information about how to configure Windows Firewall on the client for
client installation and post-installation communication, see Windows Firewall and
port settings for clients
Description              UDP        TCP
DNS                      53         53
DHCP                     67 and 68  --
Kerberos authentication  --         88
Diagram
The following diagram shows the connections between the main components that are in
a typical Configuration Manager site. It currently doesn't include all connections.
Next steps
Proxy server support
Internet access requirements
Proxy server support in Configuration Manager
Article • 10/04/2022
A computer that hosts a site system server supports a single proxy server
configuration. All site system roles on that computer share this same proxy
configuration. If you need separate proxy servers for different roles or instances of
a role, place those roles on separate site system servers.
When you configure new proxy server settings for a site system server that already
has a proxy server configuration, the original configuration is overwritten.
By default, connections to the proxy use the System account of the computer that
hosts the site system role.
If the computer account can't authenticate, the site system server can store user
credentials to connect to the proxy server. These credentials are the site system
proxy server account.
Important
Note
The cloud distribution point role runs in Microsoft Azure. You don't configure this site
system role to use a proxy. Set the proxy configuration on the primary site server that
manages the cloud distribution point.
Must be able to connect to Microsoft Azure to set up, monitor, and distribute
content to the cloud distribution point.
By default, uses the computer's System account to make the connection. It can
also use the site system proxy server account, if necessary.
Distribution point
If you enable a Configuration Manager distribution point for Microsoft Connected
Cache, it can communicate through an unauthenticated proxy server for internet access.
For more information, see Microsoft Connected Cache.
Note
While available for use, this setting isn't used by software update points at
secondary sites.
These settings are on the Proxy and Account Settings tab of the software update point
properties.
Note
By default, when the automatic deployment rules run, the System account on the
site server of the site on which an automatic deployment rule was created is used
to connect to the internet and download software updates. Alternatively, configure
and use the site system proxy server account.
When this account cannot access the internet, software updates fail to download.
The following entry is logged to ruleengine.log:
Failed to download the update from internet. Error = 12007.
Other features that use the proxy
The following features use the proxy of the site system that hosts the service connection
point role:
2. Select the site system server that you want to edit. In the details pane, right-click
the Site system role, and select Properties.
3. In Site system Properties, switch to the Proxy tab. Configure the following proxy
settings:
Proxy server name: Specify the hostname or FQDN of the proxy server in
your environment.
Port: Specify the network port on which to communicate with the proxy
server. By default, it uses port 80.
Use credentials to connect to the proxy server: Many proxy servers require a
user to authenticate. By default, the site system server uses its computer
account to connect to the proxy server. If necessary, enable this option, click
Set, and then choose an Existing Account or specify a New Account. These
credentials are the site system proxy server account. For more information,
see Accounts used in Configuration Manager.
XML
<system.net>
</system.net>
For example:
XML
<system.net>
  <defaultProxy useDefaultCredentials="true">
    <proxy usesystemdefault="False"/>
  </defaultProxy>
</system.net>
Next steps
If your organization restricts network communication with the internet using a firewall or
proxy device, you need to allow access to internet endpoints. For more information, see
internet access requirements.
Internet access requirements
Article • 01/13/2023
Some Configuration Manager features rely on internet connectivity for full functionality.
If your organization restricts network communication with the internet using a firewall or
proxy device, make sure to allow these endpoints.
https://aka.ms
https://go.microsoft.com
Even if they're not explicitly listed in the sections below, you should always allow these
endpoints.
These configurations apply to the server that hosts the service connection point and any
firewalls between that server and the internet. Allow communication through outgoing
HTTPS port TCP 443 to the internet locations.
The service connection point supports using a web proxy with or without authentication
to use these locations. For more information, see Proxy server support.
If the Configuration Manager site fails to connect to required endpoints for a cloud
service, it raises a critical status message ID 11488. When it can't connect to the service,
the SMS_SERVICE_CONNECTOR component status changes to critical. View detailed
status in the Component Status node of the Configuration Manager console.
Starting in version 2010, the service connection point validates important internet
endpoints for Desktop Analytics and tenant attach. These checks help make sure that
the cloud-connected services are available. It also helps you troubleshoot issues by
quickly determining if network connectivity is a problem. For more information, see
Validate internet access.
The specific URLs required by the service connection point vary by Configuration
Manager feature:
Tip
The service connection point uses the Microsoft Intune service when it connects to
go.microsoft.com or manage.microsoft.com. There's a known issue in which the
Tip
Enable these endpoints for the management insight rule, Connect the site to the
Microsoft cloud for Configuration Manager updates.
*.akamaiedge.net
*.akamaitechnologies.com
*.manage.microsoft.com
go.microsoft.com
download.microsoft.com
download.windowsupdate.com
download.visualstudio.microsoft.com
sccmconnected-a01.cloudapp.net
definitionupdates.microsoft.com
configmgrbits.azureedge.net
Important
This Azure endpoint only supports TLS 1.2 with specific cipher suites. Make
sure your environment supports these Azure configurations. For more
information, see Azure Front Door: TLS configuration FAQ.
ceuswatcab01.blob.core.windows.net
ceuswatcab02.blob.core.windows.net
eaus2watcab01.blob.core.windows.net
eaus2watcab02.blob.core.windows.net
weus2watcab01.blob.core.windows.net
weus2watcab02.blob.core.windows.net
umwatsonc.events.data.microsoft.com
*-umwatsonc.events.data.microsoft.com
Windows servicing
For more information, see Manage Windows as a service.
download.microsoft.com
https://go.microsoft.com/fwlink/?LinkID=619849
dl.delivery.mp.microsoft.com
Azure services
For more information, see Configure Azure services for use with Configuration Manager.
Delivery optimization
If you use delivery optimization, clients need to communicate with its cloud service:
*.do.dsp.mp.microsoft.com
Distribution points that support Microsoft Connected Cache also require these
endpoints.
Cloud services
For more information on the cloud management gateway (CMG), see Plan for CMG.
Note
The cloud-based distribution point (CDP) is deprecated. Starting in version
2107, you can't create new CDP instances. To provide content to internet-
based devices, enable the CMG to distribute content.
The following sections list the endpoints by role. Some endpoints refer to a service by
<prefix>, which is the prefix name of the CMG. For example, if your CMG prefix is
GraniteFalls, the storage endpoint is GraniteFalls.blob.core.windows.net.
Tip
CMG service name: The common name (CN) of the CMG server authentication
certificate. Clients and the CMG connection point site system role
communicate with this service name. For example, GraniteFalls.contoso.com
or GraniteFalls.WestUS.CloudApp.Azure.Com.
CMG deployment name: The first part of the service name plus the Azure
location for the cloud service deployment. The cloud service manager
component of the service connection point uses this name when it deploys
the CMG in Azure. The deployment name is always in an Azure domain. The
Azure location depends upon the deployment method, for example:
Virtual machine scale set: GraniteFalls.WestUS.CloudApp.Azure.Com
Classic deployment: GraniteFalls.CloudApp.Net
This article uses examples with a virtual machine scale set as the recommended
deployment method in version 2107 and later. If you use a classic deployment, note
the difference as you read this article and configure internet access.
Specific Azure endpoints, which are different per environment depending upon the
configuration. Configuration Manager stores these endpoints in the site database.
Query the AzureEnvironments table in SQL Server for the list of Azure endpoints.
Azure services:
management.azure.com (Azure public cloud)
The CMG connection point site system supports using a web proxy. For more
information on configuring this role for a proxy, see Proxy server support.
The CMG connection point only needs to connect to the CMG service endpoints. It
doesn't need access to other Azure endpoints.
aadcdn.msftauth.net
Software updates
Allow the active software update point to access the following endpoints so that WSUS
and Automatic Updates can communicate with the Microsoft Update cloud service:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://ntservicepack.microsoft.com
For more information on software updates, see Plan for software updates.
Intranet firewall
You might need to add endpoints to a firewall that's between two site systems in the
following cases:
Note
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365
Apps for enterprise. For more information, see Name change for Office 365
ProPlus. You may still see references to the old name in the Configuration Manager
console and supporting documentation while the console is being updated.
If you use Configuration Manager to deploy and update Microsoft 365 Apps for
enterprise, allow the following endpoints:
Your top-level site server needs access to the following endpoint to download the
Microsoft 365 Apps readiness file:
Note
The location of this file is changing March 2, 2021. For more information, see
Download location change for Microsoft 365 Apps readiness file.
Note
For push notifications from Microsoft to show in the console, the service
connection point needs access to configmgrbits.azureedge.net. It also needs
access to this endpoint for updates and servicing, so you may have already
allowed it.
In-console feedback
On the computer where you run the console, allow it to access the following internet
endpoints to send diagnostic data to Microsoft:
petrol.office.microsoft.com
ceuswatcab01.blob.core.windows.net
ceuswatcab02.blob.core.windows.net
eaus2watcab01.blob.core.windows.net
eaus2watcab02.blob.core.windows.net
weus2watcab01.blob.core.windows.net
weus2watcab02.blob.core.windows.net
umwatsonc.events.data.microsoft.com
*-umwatsonc.events.data.microsoft.com
Community workspace
Documentation node
For more information on this console node, see Using the Configuration Manager
console.
https://aka.ms
https://raw.githubusercontent.com
Community hub
For more information on this feature, see Community hub.
https://github.com
https://communityhub.microsoft.com
Desktop Analytics
For more information, see Enable data sharing.
Endpoint Function
Tenant attach
For more information, see Enable tenant attach.
https://aka.ms/configmgrgateway
https://dc.services.visualstudio.com
The service connection point makes a long-standing outgoing connection to the
notification service hosted on https://*.manage.microsoft.com. Verify that the proxy
used for the service connection point doesn't time out outgoing connections too
quickly. We recommend 3 minutes for outgoing connections to this internet endpoint.
If your environment has proxy rules to allow only specific certificate revocation lists
(CRLs) or online certificate status protocol (OCSP) verification locations, also allow the
following CRL and OCSP URLs:
http://crl3.digicert.com
http://crl4.digicert.com
http://ocsp.digicert.com
http://www.d-trust.net
http://root-c3-ca2-2009.ocsp.d-trust.net
http://crl.microsoft.com
http://oneocsp.microsoft.com
http://ocsp.msocsp.com
http://www.microsoft.com/pkiops
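The service connection point endpoint list earlier in this article and the CRL/OCSP list just above are the usual suspects when status message 11488 appears. The following PowerShell is an added example (not Microsoft's code, and not the built-in Validate internet access check): run on the service connection point, it tests raw TCP 443 reachability for the literal hostnames and then issues HTTP requests through the configured proxy, which is the test that matters when a proxy is in the path. The proxy address is an assumption; wildcard entries such as *.manage.microsoft.com are not tested because no single host represents them.

```powershell
# Added example (not Microsoft's code): from the service connection point, check
# reachability of the internet endpoints listed in this article. Host list is
# copied from the article; the proxy address is an assumption.
$Proxy = 'http://proxy.contoso.com:8080'   # assumed; drop -Proxy below if none

$Https443 = @(
    'go.microsoft.com', 'download.microsoft.com', 'download.windowsupdate.com',
    'download.visualstudio.microsoft.com', 'sccmconnected-a01.cloudapp.net',
    'definitionupdates.microsoft.com', 'configmgrbits.azureedge.net',
    'aka.ms', 'dc.services.visualstudio.com'
)
$CrlOcsp = @(
    'http://crl3.digicert.com', 'http://crl4.digicert.com', 'http://ocsp.digicert.com',
    'http://www.d-trust.net', 'http://crl.microsoft.com', 'http://oneocsp.microsoft.com',
    'http://ocsp.msocsp.com', 'http://www.microsoft.com/pkiops'
)

# 1. Raw TCP test. Only meaningful if the SCP is allowed to reach the internet
#    directly; behind a proxy, expect these to fail and rely on step 2.
$tcp = foreach ($h in $Https443) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Host = $h; Port = 443; TcpOpen = $r.TcpTestSucceeded }
}
$tcp | Format-Table -AutoSize

# 2. HTTP through the proxy with the running account's credentials. Any HTTP status
#    from the origin (200, 403, 404) proves the proxy let the request out; a 407,
#    a name-resolution error or a timeout means the proxy or firewall blocked it.
$urls = $CrlOcsp + ($Https443 | ForEach-Object { "https://$_/" })
$http = foreach ($u in $urls) {
    try {
        $resp = Invoke-WebRequest -Uri $u -Method Head -Proxy $Proxy -ProxyUseDefaultCredentials `
                    -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
        [pscustomobject]@{ Url = $u; Status = $resp.StatusCode; Blocked = $false; Error = $null }
    } catch {
        $code = $null
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        # 4xx/5xx from the origin still means the path is open; no response or 407 does not.
        $blocked = ($null -eq $code) -or ($code -eq 407)
        [pscustomobject]@{ Url = $u; Status = $code; Blocked = $blocked; Error = $_.Exception.Message }
    }
}
$http | Sort-Object Blocked -Descending | Format-Table Url, Status, Blocked -AutoSize
```

Run it as SYSTEM (for example with psexec -s) to reproduce what the site server's System account sees, because that is the account the service connection point uses by default; an administrator's interactive session may have proxy rights that SYSTEM does not.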
Endpoint analytics
For more information, see Endpoint analytics proxy configuration.
Endpoint Function
Asset intelligence
If you use asset intelligence, allow the following endpoints for the service to
synchronize:
https://sc.microsoft.com
https://ssu2.manage.microsoft.com
Location Use
External notifications
For more information, see External notifications.
The service connection point needs to communicate with the notification service, for
example Azure Logic Apps. The access endpoint for the logic app typically has the
following format: https://*.<RegionName>.logic.azure.com:443. For example:
https://prod1.westus2.logic.azure.com:443
To get the access endpoint for the logic app, as well as the associated IP addresses, use
the following process:
1. In the Azure portal, under Logic Apps, select the logic app for your notification. For
more information, see Manage logic apps in the Azure portal.
2. In the app's menu, in the Settings section, select Properties.
3. View or copy the values for the Access endpoint and the Access endpoint IP
addresses.
You can extend the Active Directory schema to support Configuration Manager. This
action edits a forest's Active Directory schema to add a new container and several
attributes. Configuration Manager sites use these extensions to publish key information
in Active Directory where clients can securely access it. This information can simplify the
deployment and configuration of clients. It also helps clients locate site resources like
servers with deployed content or that provide different services to clients.
Microsoft recommends that you extend your Active Directory schema for Configuration
Manager, but it's not required.
Before you extend the Active Directory schema, you should be familiar with Active
Directory Domain Services and comfortable with modifying the Active Directory schema.
Considerations
There are no new Active Directory schema extensions for Configuration Manager
current branch. They haven't changed since Configuration Manager 2007. If you
previously extended the schema for an earlier version, you don't have to extend the
schema again.
Only a member of the Schema Admins group can extend the schema. It can also
be a user with delegated permissions to change the schema.
You can extend the schema before or after you install a Configuration Manager
site. However, it's best to extend the schema before you start to configure your
sites and hierarchy settings. This action can simplify many of the later
configuration steps.
After you extend the schema, the Active Directory global catalog replicates
throughout the forest. Plan to extend the schema when the replication traffic won't
adversely affect other network-dependent processes. Active Directory only
replicates the newly added attributes.
Devices and clients that don't use the Active Directory
schema
Mobile devices that are managed by the Exchange Server connector
If you don't extend the schema, use one of the following options to provide
configuration details:
Use client push installation. This method uses the client installation properties that
you configure in the Configuration Manager console.
Use manual installation. Provide at least the following client installation properties
on the command line:
Specify a management point or source path from which the computer can
download the installation files. Use the CCMSetup property /mp or /source.
Specify a list of initial management points for the client to use. It uses this initial
management point to assign to the site and download client policy and site
settings. Use the CCMSetup Client.msi property SMSMP.
For more information, see About client installation parameters and properties.
Publish the management point in DNS. Configure clients to use this service
location method.
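The manual-installation option above, as an added PowerShell example (not Microsoft's code): every location hint the client would otherwise read from Active Directory is supplied on the ccmsetup.exe command line, and the result is verified from the client's own WMI namespace. SITESRV01, MP01.contoso.com, site code P01 and the client source share are assumed names; SMSSITECODE is a Client.msi property the article does not list, included so that the client does not have to look up its assignment.

```powershell
# Added example (not Microsoft's code): manual client install on a domain whose
# schema is not extended, so the management point and source are passed explicitly.
# SITESRV01, MP01.contoso.com, P01 and the share path are assumed names.
$SiteServer = 'SITESRV01'
$SiteCode   = 'P01'
$Mp         = 'MP01.contoso.com'
$Source     = "\\$SiteServer\SMS_$SiteCode\Client"   # assumed client source share

$setupArgs = @(
    "/mp:$Mp",               # where ccmsetup downloads its installation files
    "/source:$Source",       # fallback source if the MP download fails
    "SMSMP=$Mp",             # initial management point for site assignment and policy
    "SMSSITECODE=$SiteCode"  # Client.msi property (assumption: skips auto-assignment)
)
Start-Process -FilePath "$Source\ccmsetup.exe" -ArgumentList $setupArgs -Wait

# ccmsetup.exe hands off to the ccmsetup service and the installer keeps running
# in the background; the service disappears when it has finished.
while (Get-Service -Name ccmsetup -ErrorAction SilentlyContinue) {
    Start-Sleep -Seconds 30
}

# Verify the site assignment and the management point the client ended up with.
# With no AD publishing, both must come from the command line above.
Get-CimInstance -Namespace root\ccm -ClassName SMS_Authority |
    Select-Object Name, CurrentManagementPoint

# The installer's own verdict is the last lines of ccmsetup.log.
Get-Content "$env:windir\ccmsetup\Logs\ccmsetup.log" -Tail 5
```

If SMS_Authority comes back empty, the client installed but could not reach the management point named in SMSMP; check the client request port (default 80/443) between the client and the MP before re-running.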
Port configuration for client-to-server communication
When a client installs, it uses the port information from Active Directory. If you later
change the client-to-server communication port for a site, clients get this new port
setting from Active Directory.
If you don't extend the schema, use one of the following options to provide new port
configurations to existing clients:
Deploy a custom script to clients that updates the communication port. If clients
can't communicate with a site because of a port change, you can't use
Configuration Manager to deploy this script. For example, you could use group
policy.
If you don't extend the schema, use the hierarchy maintenance tool, preinst.exe, to
exchange the secure key information between sites.
For example, you plan to create content at a primary site and then deploy that content
to a secondary site below a different primary site. If you extend the Active Directory
schema, the secondary site automatically gets the source primary site's public key.
Otherwise, use preinst.exe to share keys between the two sites directly.
Attributes:
cn=mS-SMS-Assignment-Site-Code
cn=mS-SMS-Capabilities
cn=MS-SMS-Default-MP
cn=mS-SMS-Device-Management-Point
cn=mS-SMS-Health-State
cn=MS-SMS-MP-Address
cn=MS-SMS-MP-Name
cn=MS-SMS-Ranged-IP-High
cn=MS-SMS-Ranged-IP-Low
cn=MS-SMS-Roaming-Boundaries
cn=MS-SMS-Site-Boundaries
cn=MS-SMS-Site-Code
cn=mS-SMS-Source-Forest
cn=mS-SMS-Version
Classes:
cn=MS-SMS-Management-Point
cn=MS-SMS-Roaming-Boundary-Range
cn=MS-SMS-Server-Locator-Point
cn=MS-SMS-Site
Note
The schema extensions might include attributes and classes from previous versions
of the product but not used by the latest version. For example:
Attribute: cn=MS-SMS-Site-Boundaries
Class: cn=MS-SMS-Server-Locator-Point
You can view these settings in the ConfigMgr_ad_schema.LDF file from the
\SMSSETUP\BIN\x64 folder of the Configuration Manager installation media.
Next steps
Prepare Active Directory for site publishing
Prepare Active Directory for site
publishing
Article • 10/04/2022
When you extend the Active Directory schema for Configuration Manager, you
introduce new structures to Active Directory. Configuration Manager sites use these new
structures to publish key information in a secure location where clients can easily access
it.
When you manage on-premises clients, you should extend the Active Directory schema
for Configuration Manager. An extended schema can simplify the process of deploying
and setting up clients. An extended schema also lets clients efficiently locate resources
like content servers. Extending the schema is a one-time action for any forest.
If you're not familiar with the benefits of an extended schema for Configuration
Manager, see Schema extensions for Configuration Manager.
When you don't use an extended schema, you can set up other methods like DNS to
locate services and site system servers. These methods of service location require other
configurations and aren't the preferred method for service location by clients. For more
information, see Understand how clients find site resources and services for
Configuration Manager.
If your Active Directory schema was extended for Configuration Manager 2007 or
System Center 2012 Configuration Manager, then you don't need to do more. The
schema extensions are unchanged and are already in place.
Then use one of the following options to add the new classes and attributes to the
Active Directory schema.
Tip
Run this tool from a command line to view feedback while it runs.
2. To verify that the schema extension was successful, review extadsch.log in the root
of the system drive.
3. To verify that the schema extension was successful, review the ldifde log file.
2. Run ADSI Edit (adsiedit.msc), and connect to the site server's domain.
a. Expand the fully qualified domain name, and expand the distinguished name.
Right-click CN=System, choose New, and then select Object.
b. In the Create Object window, select Container, and then select Next.
c. In the Value box, enter System Management , and then select Next.
4. Assign permissions:
Note
If you prefer, you can use other tools like the Active Directory Users and
Computers administrative tool (dsa.msc) to add permissions to the container.
b. Switch to the Security tab. Select Add, and then add the site server's computer
account with the Full Control permission.
Add the computer account for each Configuration Manager site server in this
domain. If you use site server high availability, make sure to include the
computer account of the site server in passive mode.
c. Select Advanced, select the site server's computer account, and then select Edit.
d. In the Apply onto list, select This object and all descendant objects.
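The ADSI Edit steps above, as an added PowerShell example (not Microsoft's code): it creates the System Management container under CN=System, grants each site server's computer account Full Control with inheritance on this object and all descendant objects, reads the ACL back, and, once the site has published, lists the management point objects it wrote. It requires the ActiveDirectory module; SITESRV01 and SITESRV02 (the passive-mode site server) are assumed names, and the lDAPDisplayNames mSSMSManagementPoint, mSSMSMPName and mSSMSSiteCode are taken from the MS-SMS-Management-Point, MS-SMS-MP-Name and MS-SMS-Site-Code entries in the schema list.

```powershell
# Added example (not Microsoft's code): create the System Management container,
# delegate it to the site servers, and verify. Needs the ActiveDirectory module
# and rights on CN=System. SITESRV01/SITESRV02 are assumed names.
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$systemDn    = "CN=System,$($domain.DistinguishedName)"
$containerDn = "CN=System Management,$systemDn"
$siteServers = 'SITESRV01', 'SITESRV02'   # include the passive-mode server for site server HA

# 1. Create the container once; New-ADObject fails if it already exists.
if (-not (Get-ADObject -Filter "distinguishedName -eq '$containerDn'")) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDn
}

# 2. Full Control for each site server's computer account, applied to this object
#    and all descendant objects (the "Apply onto" choice in the GUI).
$acl = Get-Acl -Path "AD:\$containerDn"
foreach ($name in $siteServers) {
    $sid  = (Get-ADComputer -Identity $name).SID
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$containerDn" -AclObject $acl

# 3. Read the ACL back and show only the site server entries. Anything else with
#    GenericAll here can rewrite the MP records every client trusts, so audit it.
$wanted = $siteServers | ForEach-Object { "$($domain.NetBIOSName)\$_`$" }
(Get-Acl -Path "AD:\$containerDn").Access |
    Where-Object { $wanted -contains $_.IdentityReference.Value } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType

# 4. After the site publishes, the management point objects appear here. The
#    lDAPDisplayNames are assumed from the cn= entries in the schema list.
Get-ADObject -SearchBase $containerDn -LDAPFilter '(objectClass=mSSMSManagementPoint)' `
    -Properties mSSMSSiteCode, mSSMSMPName |
    Select-Object mSSMSSiteCode, mSSMSMPName, DistinguishedName
```

Step 3 is the part worth re-running periodically: clients locate management points by reading this container, so any principal with write access to it can redirect them.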
Next steps
After you create the container and grant permissions, configure the Configuration
Manager site to publish data to Active Directory.
Before you can use a Windows computer as a site system server for Configuration
Manager, it must meet the prerequisites for its intended use. These prerequisites often
include one or more Windows features or roles. Because the method to enable Windows
features and roles differs among OS versions, refer to the documentation for your OS
version for detailed information.
Features
The following Windows features are required on certain site system servers. Set them up
before you install a site system role on that computer.
.NET Framework: Different site system roles require different versions of .NET
Framework.
Data Deduplication: Distribution points can be set up with and benefit from data
deduplication.
Remote Differential Compression (RDC): Each computer that hosts a site server or
a distribution point requires RDC. RDC is used to generate package signatures and
compare digital signatures.
Roles
The following Windows roles are required to support specific functionality, like software
updates and OS deployments. IIS is required by the most common site system roles.
Web server (IIS): The following site system roles use IIS:
Distribution point
Enrollment point
Enrollment proxy point
Fallback status point
Management point
Software update point
State migration point
The minimum version of IIS that's required is the version that's supplied with the
OS of the site server.
Windows Server Update Services: This role is required for software updates.
When your package source files have extensions that are blocked in IIS by your request
filtering configuration, set up request filtering to allow them. Use the IIS Manager to edit
the request filtering feature on your distribution point computers.
Additionally, the following file name extensions are used by Configuration Manager for
packages and applications. Make sure that your request filtering configurations don't
block these file extensions:
.PCK
.PKG
.STA
.TAR
For example, source files for a software deployment might include a folder named bin or
have a file that has the .mdb file name extension.
By default, IIS request filtering blocks access to these elements. Bin is blocked as a
Hidden Segment and .mdb is blocked as a file name extension.
When you use the default IIS configuration on a distribution point, clients that use
BITS fail to download this software deployment from the distribution point and
indicate that they're waiting for content.
To let the clients download this content, on each applicable distribution point, edit
Request Filtering in IIS Manager. Allow access to the file extensions and folders
that are in the packages and applications that you deploy.
Important
Edits to the request filter can increase the attack surface of the computer.
Edits that you make at the server level apply to all websites on the server.
Edits that you make to individual websites apply to only that website.
For best security, run Configuration Manager on a dedicated web server. If you
need to run other applications on the web server, use a custom website for
Configuration Manager. For information, see Websites for site system servers.
For more information, see Configure request filtering in IIS.
HTTP verbs
Management points
To make sure that clients can successfully communicate with a management point, on
the management point server make sure IIS allows the following HTTP verbs:
GET
POST
CCM_POST
HEAD
PROPFIND
Distribution points
Distribution points require that IIS allows the following HTTP verbs:
GET
HEAD
PROPFIND
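The request-filtering and verb changes described in the preceding sections, as an added PowerShell example (not Microsoft's code). It uses the WebAdministration module to allow the listed file extensions and the blocked-by-default .mdb extension, unhide the bin segment, and confirm the verbs on a management point, and it scopes every change to one website so the Important note above about server-level edits is respected. 'Default Web Site' is an assumption; substitute SMSWEB on a site that uses a custom website.

```powershell
# Added example (not Microsoft's code): request-filtering changes scoped to the
# website that hosts the Configuration Manager role. 'Default Web Site' is
# assumed; use 'SMSWEB' for a custom website. Run elevated on the DP or MP.
Import-Module WebAdministration
$SitePath = 'IIS:\Sites\Default Web Site'
$RF       = 'system.webServer/security/requestFiltering'

function Set-AllowedFileExtension {
    param([string]$Ext)
    $entry = Get-WebConfigurationProperty -PSPath $SitePath -Filter "$RF/fileExtensions" -Name collection |
        Where-Object { $_.fileExtension -eq $Ext }
    if ($entry) {
        # e.g. .mdb is denied by default: flip the existing entry rather than add a duplicate
        Set-WebConfigurationProperty -PSPath $SitePath `
            -Filter "$RF/fileExtensions/add[@fileExtension='$Ext']" -Name allowed -Value $true
    } else {
        Add-WebConfigurationProperty -PSPath $SitePath -Filter "$RF/fileExtensions" `
            -Name collection -Value @{ fileExtension = $Ext; allowed = $true }
    }
}

# Distribution point: package/application file types from the article, plus the
# .mdb extension and the bin hidden segment used in the example above.
'.PCK', '.PKG', '.STA', '.TAR', '.mdb' | ForEach-Object { Set-AllowedFileExtension $_ }
$hidden = Get-WebConfigurationProperty -PSPath $SitePath -Filter "$RF/hiddenSegments" -Name collection
if ($hidden | Where-Object { $_.segment -eq 'bin' }) {
    Remove-WebConfigurationProperty -PSPath $SitePath -Filter "$RF/hiddenSegments" `
        -Name collection -AtElement @{ segment = 'bin' }
}

# Management point: the verbs clients use must not be denied. By default the verbs
# collection is empty and unlisted verbs are allowed, so this only acts on drift.
$allowUnlisted = (Get-WebConfigurationProperty -PSPath $SitePath -Filter "$RF/verbs" -Name allowUnlisted).Value
foreach ($verb in 'GET', 'POST', 'CCM_POST', 'HEAD', 'PROPFIND') {
    $v = Get-WebConfigurationProperty -PSPath $SitePath -Filter "$RF/verbs" -Name collection |
        Where-Object { $_.verb -eq $verb }
    if ($v -and -not $v.allowed) {
        Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RF/verbs/add[@verb='$verb']" -Name allowed -Value $true
    } elseif (-not $v -and -not $allowUnlisted) {
        Add-WebConfigurationProperty -PSPath $SitePath -Filter "$RF/verbs" -Name collection -Value @{ verb = $verb; allowed = $true }
    }
}

# Review what remains blocked at this site; everything here is attack surface you
# have not opened, which is the state to preserve.
Get-WebConfigurationProperty -PSPath $SitePath -Filter "$RF/fileExtensions" -Name collection |
    Where-Object { -not $_.allowed } | Select-Object fileExtension
Get-WebConfigurationProperty -PSPath $SitePath -Filter "$RF/hiddenSegments" -Name collection |
    Select-Object segment
```

Because the edits land in the website's web.config rather than applicationHost.config, other websites on the same server keep the default filters; if the Configuration Manager site shares the server with anything else, that scoping is the point of the exercise.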
Websites for site system servers in
Configuration Manager
Article • 10/04/2022
Several Configuration Manager site system roles require the use of Internet Information
Services (IIS). By default, they use the default IIS website to host site system services.
When you run other web applications on the same server, and settings aren't
compatible with Configuration Manager, consider using a custom website for
Configuration Manager.
Tip
For improved security, dedicate a server for the Configuration Manager site
systems that require IIS. When you run other applications on a Configuration
Manager site system, you increase the attack surface of that computer.
They're enabled for the entire site instead of for individual site system servers or
roles.
At primary sites, for each computer that will host an applicable site system role,
configure it with a custom website named SMSWEB. Until you create this website,
and set up site system roles on that computer to use the custom website, clients
can't communicate with site system roles on that computer.
Secondary sites are automatically set up to use a custom website when their
primary parent site uses it. Create custom websites in IIS on each secondary site
system server that requires IIS.
Create a custom website named SMSWEB in IIS on each site system server that
requires IIS. Set this configuration at the primary site and at any child secondary
sites.
Set up the custom website to respond to the same port that you set up for
Configuration Manager client communication. This port is known as the client
request port.
For each custom or default website that uses a custom folder, place a copy of the
default document type that you use in the root folder that hosts the website. For
example, with the typical default configuration, iisstart.htm is one of several
default document types that are available. You can find this file in the root of the
default website. Place a copy of this file or other default document in the root
folder that hosts the SMSWEB custom website. For more information about default
document types, see Default Document for IIS.
Distribution point
Enrollment point
Management point
Other considerations:
When a primary site has custom websites enabled, clients that are assigned to that
site are directed to communicate with the custom websites instead of the default
websites.
If you use custom websites for one primary site, consider custom websites for all
primary sites in your hierarchy. This configuration makes sure that clients can
successfully roam within the hierarchy. Roaming is when a client computer moves
to a new network segment that is managed by a different site. Roaming can affect
resources that a client can access locally instead of across a WAN link.
Site system roles that use IIS but don't accept client connections also use the
SMSWEB website instead of the default website. For example, the reporting
services point.
Custom websites require you to assign port numbers that differ from the
computer's default website. A default website and custom website can't run at the
same time if both websites try to use the same TCP/IP ports.
The TCP/IP ports that you set up in IIS for the custom website must match the
client request ports for the site.
Management point
Distribution point
Enrollment point
When you change from the default website to use a custom website, Configuration
Manager doesn't remove the old virtual directories. If you want to remove the files that
Configuration Manager used, manually delete the virtual directories that were created
under the default website.
If you change the site to use custom websites, clients that are already assigned to the
site need to be reconfigured to use the new client request ports for the custom
websites. For more information, see How to configure client communication ports.
When you set up HTTPS, specify a PKI certificate before you can save the
configuration.
After you create the custom website, remove the custom website ports that you
use from other websites in IIS:
1. Edit the Bindings of the other websites to remove ports that match the ports
that are assigned to the SMSWEB website.
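To check the binding state described above before clients are pointed at the custom website, here is an added Python example (not part of the Configuration Manager documentation). It parses the `<sites>` section of an applicationHost.config file, which is where IIS keeps each website's `bindingInformation` strings, and reports whether SMSWEB exists, whether it binds the client request ports, and which other websites still bind those ports. The applicationHost.config fragment, the ports 8080 and 8443, and the function names are constructed for the example; the client request ports are whatever you set on the site's Ports tab.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment: the default website still holds
# port 8443 on one address, which the page tells you to remove once SMSWEB uses it.
SAMPLE_APPHOST = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <bindings>
          <binding protocol="http" bindingInformation="*:80:" />
          <binding protocol="https" bindingInformation="*:443:" />
          <binding protocol="https" bindingInformation="[::1]:8443:" />
        </bindings>
      </site>
      <site name="SMSWEB" id="2">
        <bindings>
          <binding protocol="http" bindingInformation="*:8080:" />
          <binding protocol="https" bindingInformation="*:8443:" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>"""


def parse_binding(binding_information):
    """Split IIS bindingInformation 'ip:port:host' into (ip, port, host).

    rsplit from the right keeps bracketed IPv6 addresses such as [::1] intact.
    """
    ip, port, host = binding_information.rsplit(":", 2)
    return ip, int(port), host


def site_bindings(apphost_xml):
    """Map website name -> list of (protocol, ip, port, host) from <sites>."""
    root = ET.fromstring(apphost_xml)
    result = {}
    for site in root.iter("site"):
        bindings = []
        for b in site.iter("binding"):
            ip, port, host = parse_binding(b.get("bindingInformation"))
            bindings.append((b.get("protocol"), ip, port, host))
        result[site.get("name")] = bindings
    return result


def check_custom_website(sites, client_ports, custom_site="SMSWEB"):
    """Report the three things that block clients from the custom website.

    client_ports maps protocol ("http"/"https") to the client request port.
    Returns a dict with: missing_site (bool), unbound_ports (client request
    ports the custom site does not bind), conflicts (other sites' bindings on
    any port the custom site uses, which the page says to remove).
    """
    problems = {"missing_site": custom_site not in sites, "unbound_ports": [], "conflicts": []}
    custom = sites.get(custom_site, [])
    bound = {(proto, port) for proto, _ip, port, _host in custom}
    for proto, port in client_ports.items():
        if (proto, port) not in bound:
            problems["unbound_ports"].append((proto, port))
    custom_ports = {port for _proto, _ip, port, _host in custom}
    for name, bindings in sites.items():
        if name == custom_site:
            continue
        for proto, ip, port, host in bindings:
            if port in custom_ports:
                problems["conflicts"].append((name, proto, f"{ip}:{port}:{host}"))
    return problems


if __name__ == "__main__":
    sites = site_bindings(SAMPLE_APPHOST)
    print(check_custom_website(sites, {"http": 8080, "https": 8443}))
```

The conflict rule is deliberately port-only rather than ip:port, because that is what the page asks for: other websites should not keep the SMSWEB ports in their bindings at all.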
Next steps
To configure the site to use a custom web site, enable the setting Use custom web site
on the Ports tab of the site properties. For more information, see Configure client
communication ports.
Diagnostics and usage data for Configuration Manager
Article • 10/04/2022
Configuration Manager collects diagnostics and usage data about itself, which is used
by Microsoft to improve the installation experience, quality, and security of future
releases.
Each Configuration Manager hierarchy enables diagnostics and usage data. It consists of
SQL Server queries that run on a weekly basis on each primary site and at the central
administration site (CAS). When the hierarchy uses a CAS, child primary sites replicate
their data to that CAS. At the top-level site of your hierarchy, the service connection
point submits this information when it checks for updates. If the service connection
point is in offline mode, you transfer the information by using the service connection
tool.
Note
Configuration Manager collects data only from the site's SQL Server database, and
it doesn't collect data directly from clients or site servers.
Next, learn about how Microsoft uses the diagnostics and usage data that Configuration
Manager collects:
Tip
The ConfigurationManager PowerShell module also collects usage data. For more
information, see Configuration Manager cmdlet library privacy statement.
Some of the tools that are included with Configuration Manager collect usage data.
For more information, see Diagnostic usage data for tools.
How Microsoft uses Configuration Manager diagnostics and usage data
Article • 10/04/2022
Diagnostic and usage data that Configuration Manager collects provides Microsoft
nearly immediate feedback about how the product is working and is used to adjust
future updates. Microsoft can also see configuration data that helps them engineer and
test the configurations that you use in production. For example:
The delta of the SQL Server schema against the product default
This data helps the engineering team plan future tests to make sure you have the best
experience with the most common configurations. This data is crucial to quickly adjust
and adapt with a frequent release cycle.
Equally important is how the diagnostics and usage data isn't used. Microsoft doesn't
use this data for:
The initial support offered by the current branch of Configuration Manager limited
the support timeline for Windows Server 2008 R2. Microsoft examined the usage
data from customers who had upgraded to the Configuration Manager current
branch. They then identified the need to revise and extend this timeline to support
customers who still use this OS.
Microsoft improved the prerequisite checks for installing an update. They removed
obsolete rules, accounted for additional cases, and automatically remediated some
issues.
Next, learn about how Configuration Manager collects diagnostics and usage data
about itself:
To collect diagnostics and usage data for Configuration Manager, each primary site runs
SQL Server queries on a weekly basis. In a multi-site hierarchy, the data is replicated to
the central administration site.
At the top-level site of a hierarchy, the service connection point submits this information
when it checks for updates. The mode of the service connection point determines how
the data is transferred:
Online: Once a week, the service connection point automatically sends diagnostics
and usage data to the cloud service.
Offline: You manually transfer diagnostics and usage data with the service
connection tool.
Next, you can view diagnostic and usage data to confirm that your Configuration
Manager hierarchy contains no sensitive information:
Tip
The ConfigurationManager PowerShell module also collects usage data. For more
information, see Configuration Manager cmdlet library privacy statement.
Some of the tools that are included with Configuration Manager collect usage data.
For more information, see Diagnostic usage data for tools.
How to view diagnostics and usage data for Configuration Manager
Article • 10/04/2022
You can view diagnostic and usage data from your Configuration Manager hierarchy to
confirm that it includes no sensitive or identifiable information. The site summarizes and
stores its diagnostic data in the TEL_TelemetryResults table of the site database. It
formats the data to be programmatically usable and efficient.
The information in this article gives you a view of the exact data sent to Microsoft. It's
not intended to be used for other purposes, like data analysis.
SQL
One-way hashes
Some data consists of strings of random alphanumeric characters. Configuration
Manager uses the SHA-256 algorithm to create one-way hashes. This process makes
sure that Microsoft doesn't collect potentially sensitive data. The hashed data can still be
used for correlation and comparison purposes.
For example, instead of collecting the names of tables in the site database, it captures
the one-way hash for each table name. This behavior makes sure that any custom table
names aren't visible. Microsoft then does the same one-way hash process of the default
SQL Server table names. Comparing the results of the two queries determines the
deviation of your database schema from the product default. This information is then
used to improve updates that require changes to the SQL Server schema.
When you view the raw data, a common hashed value appears in each row of data. This
hash is the support ID, also known as the hierarchy ID. It's used to correlate data with
the same hierarchy without identifying the customer or source.
2. Use the following Windows PowerShell script to do the one-way hash of your
support ID.
PowerShell
Param(
    [Parameter(Mandatory = $true, Position = 1)]
    [string]$value   # the support ID (a GUID) or any other string to hash
)
$ue = New-Object System.Text.UnicodeEncoding
$guid = [System.Guid]::NewGuid()
if ([System.Guid]::TryParse($value, [ref]$guid)) {
    $bytesToHash = $guid.ToByteArray()      # a GUID is hashed as its 16 raw bytes
} else {
    $bytesToHash = $ue.GetBytes($value)     # any other string is hashed as UTF-16 text
}
$hashAlgorithm = [System.Security.Cryptography.SHA256Cng]::Create()
$hashedBytes = $hashAlgorithm.ComputeHash($bytesToHash)
$result = [Convert]::ToBase64String($hashedBytes)
return $result
3. Compare the script output against the GUID in the raw data. This process shows
how the data is obscured.
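The same one-way hash can be reproduced off the site server, which is useful when you want to confirm from an analyst workstation that the common hashed value in the raw rows really is your support ID, or to try the table-name comparison described above. The following Python is an added example, not the documentation's script and not Configuration Manager code: it hashes a GUID as the 16 bytes that .NET's `Guid.ToByteArray()` produces (Python's `UUID.bytes_le` has the same layout) and any other string as UTF-16LE, then Base64-encodes the SHA-256 digest, which is what the PowerShell script does. The column name `HierarchyId`, the sample rows, and the assumption that table names are hashed as UTF-16LE strings are this example's own.

```python
import base64
import hashlib
import uuid


def support_id_bytes(value):
    """Bytes the documented PowerShell script hashes for a given input.

    A value that parses as a GUID is hashed as its 16 raw bytes in the .NET
    Guid.ToByteArray() layout (first three fields little-endian), which is
    exactly Python's UUID.bytes_le. Anything else is hashed as UTF-16LE text,
    matching System.Text.UnicodeEncoding.GetBytes() (no byte-order mark).
    Python accepts the hyphenated, braced and bare-hex GUID forms; .NET's
    TryParse also accepts a few others, such as the parenthesised form.
    """
    try:
        return uuid.UUID(value.strip()).bytes_le
    except ValueError:
        return value.encode("utf-16-le")


def one_way_hash(value):
    """SHA-256 of support_id_bytes(value), Base64-encoded like the script's output."""
    digest = hashlib.sha256(support_id_bytes(value)).digest()
    return base64.b64encode(digest).decode("ascii")


def rows_for_hierarchy(rows, support_id, column="HierarchyId"):
    """Raw telemetry rows whose hashed hierarchy ID matches this support ID.

    `column` is an assumed name for the hashed-ID column in the exported rows;
    use whatever column your export actually carries.
    """
    expected = one_way_hash(support_id)
    return [row for row in rows if row.get(column) == expected]


def schema_delta(observed_table_hashes, default_table_names):
    """Hashes of observed table names that match no default table name.

    Illustrates the comparison the page describes. Assumption, not stated on
    the page: table names are hashed as UTF-16LE strings with the same routine.
    """
    defaults = {one_way_hash(name) for name in default_table_names}
    return sorted(h for h in observed_table_hashes if h not in defaults)


if __name__ == "__main__":
    # Constructed support ID and rows; real values come from TEL_TelemetryResults.
    support_id = "12345678-abcd-ef01-2345-6789abcdef01"
    rows = [
        {"HierarchyId": one_way_hash(support_id), "Metric": "ClientCount"},
        {"HierarchyId": one_way_hash("00000000-0000-0000-0000-000000000001"), "Metric": "ClientCount"},
    ]
    print("hash:", one_way_hash(support_id))
    print("rows for this hierarchy:", rows_for_hierarchy(rows, support_id))
```

Note that the GUID branch and the string branch produce different digests for the same text: hashing the support ID's 36-character string form instead of its raw bytes will never match the value in the raw data, which is the most common reason an independent check "fails".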
Next steps
Next, learn about the levels of diagnostics and usage data that Configuration Manager
collects:
Some of the tools that are included with Configuration Manager collect usage data.
Microsoft uses this data to improve the quality of these tools, and better understand
customer usage. Microsoft collects data for the following Configuration Manager tools:
Client tools
Server tools
Support Center
CMTrace
For more general information about these tools, see Configuration Manager Tools.
Note
The ConfigurationManager PowerShell module also collects usage data. For more
information, see Configuration Manager cmdlet library privacy statement.
Version
Start and stop times to calculate duration of use
Because these tools can run on any Windows device, they all use the Windows
diagnostic data channel. They don't rely on Configuration Manager diagnostic data
collection. The device on which the tool runs needs to be configured for at least
Optional diagnostic data. If you configure the device for any other setting, Windows
won't collect data for these Configuration Manager tools. For more information on these
Windows diagnostic data levels, see the following articles:
Next, see the frequently asked questions about diagnostic and usage data for
Configuration Manager:
Configuration Manager collects three levels of diagnostics and usage data: Basic,
Enhanced, and Full. By default, this feature is set at the Enhanced level.
Important
Configuration Manager doesn't collect site codes, site names, IP addresses, user
names, computer names, physical addresses, or email addresses on the Basic or
Enhanced levels. Any collection of this information on the Full level isn't purposeful.
It's potentially included in advanced diagnostic information like log files or memory
snapshots. Microsoft doesn't use this information to identify you, contact you, or
develop advertising.
Levels
Basic
The Basic level includes data about your hierarchy. It's required to help improve your
installation or upgrade experience. This data also helps determine the Configuration
Manager updates that are applicable for your hierarchy.
Enhanced
The Enhanced level is the default after setup finishes. This level includes data that's
collected in the Basic level and feature-specific data. It shows frequency and duration of
use of different features. It also includes Configuration Manager client settings data:
component name, state, and certain settings like polling intervals. Information about
software updates is based on feature usage; it doesn't include data about update
compliance at this level.
Microsoft recommends this level because it provides the minimum data to make
product and service improvements.
Full
The Full level includes all data in the Basic and Enhanced levels. It also includes
additional information about Endpoint Protection, update compliance percentages, and
software update information. This level can also include advanced diagnostic
information like system files and memory snapshots. This advanced data might include
personal information that exists in memory or log files at the time of capture.
3. Switch to the Diagnostic and Usage Data tab, then choose the data level.
Version-specific details
The following articles detail the specific data that Configuration Manager collects at
each level with each supported version:
Next steps
Next, learn about the diagnostics and usage data that Configuration Manager collects
for its tools:
The following sections provide additional detail about data collected at each level. For
more information on the levels and how to change them, see Levels of diagnostic usage
data.
Changes from previous versions are noted with [New], [Updated], [Removed], or
[Moved].
Important
Level 1 - Basic
For Configuration Manager version 2303, this level includes the following data:
Client (Level 1)
Count of client languages and locales
Count of Configuration Manager client versions, OS versions, and Office versions
Count of Windows 10 and later devices by branch, build, and unique Active
Directory forest
Count of clients by identity source and registration method. For example, Active
Directory, Azure AD, or PKI client authentication certificate.
Count of clients by OS type and version that are joined to Azure AD or hybrid-
joined
Statistics for the number of collections and machines with power configuration
management settings assigned
Protection (Level 1)
Basic Endpoint Protection information about antimalware client versions
Setup (Level 1)
Build, install type, language packs, features that you enabled
Update pack deployment status and errors, download progress, and prerequisite
errors
Use of early update ring
SQL Server version, service pack level, edition, collation ID, and character set
Hashed list of top SQL queries by memory usage and lock count
SQL Server Always On availability group replica information, usage, and health
status
Basic Configuration Manager site hierarchy data: site list, type, version, status,
client count, time zone, and health status
Basic site system server information: site system roles used, internet and SSL status,
OS, processors, physical or virtual machine, and usage of site server high
availability
Configured level for diagnostics and usage data, online or offline mode, and fast
update configuration
Count and processing rates of key Configuration Manager objects: data discovery
records (DDR), state messages, status messages, hardware inventory, software
inventory, and overall count of files in inboxes
Uptime and memory usage information for Configuration Manager site server
processes
Count of crashes for Configuration Manager site server processes, and Watson
signature ID, if available
[Updated] Hash of key site attributes (site ID, site codes, site names, SQL Server
broker ID, and site exchange key)
Miscellaneous (Level 1)
Basic OS deployment counts of images
Count of operating systems for managed devices and policies set by the Exchange
Connector
Level 2 - Enhanced
For Configuration Manager version 2303, this level includes the following data:
File count, content size, services count, and custom action count of MSIs in
application catalog
Aggregated statistics on Office add-ins, usage of the Office Readiness Toolkit, and
counts of clients with Microsoft 365 Apps
Aggregated statistics on Office add-in health
Client (Level 2)
Active Management Technology (AMT) client version
Client health statistics and top issue summary by client version, component, OS,
and workload
Client notification operation action status: how many times each is run, max
number of targeted clients, and average success rate
Deployment methods used for client and count of clients per deployment method
OS age in months
CMPivot (Level 2)
CMPivot usage statistics
Co-management (Level 2)
Enrollment schedule and historical statistics
Collections (Level 2)
Collection ID usage (not running out of IDs)
Count of rules and deployments created for custom settings, including remediate
setting
Count of compliance settings deployed by category, OS, and source (cloud vs on-
premises)
25 most common actions, wizards, property sheets, and tree nodes accessed in the
console
Content (Level 2)
Boundary group statistics: how many fast, how many slow, count per group, and
fallback relationships
Boundary group information: count of boundaries and site systems that are
assigned to each boundary group
Count of peer cache clients, usage statistics, and partial download statistics
Count and type of operations on the SMSDPProvider service for distribution points
Protection (Level 2)
Microsoft Defender for Endpoint policies (formerly known as Windows Defender
for Endpoint): count of policies, and whether policies are deployed.
Migration (Level 2)
Count of migrated objects (use of migration wizard)
Count of mobile devices Configuration Manager manages, and how you enrolled
them (bulk, user-based)
Mobile device polling schedule and statistics for mobile device check-in duration
OS deployment (Level 2)
Count of boot images, drivers, driver packages, multicast-enabled distribution
points, PXE-enabled distribution points, and task sequences
Count of duplicate hardware identifiers (MAC address and SMBIOS GUID) excluded
from PXE and client registration
Count of updates that are created and deployed with System Center Update
Publisher
Aggregated statistics on the number of UUP updates that are required, deployed,
expired, superseded, and downloaded
SQL Server change tracking performance issues, retention period, and autocleanup
state
State and status message performance statistics including most common and most
expensive message types
Management point traffic statistics (total bytes sent and received by endpoint)
Miscellaneous (Level 2)
Configuration of data warehouse service point including synchronization schedule,
average time, and use of customized tables feature
Aggregated system boot time statistics by OS, form-factor, and drive type
Summary of how many site systems have the proxy enabled and how many are
authenticated proxy, including configuration, usage patterns, and traffic patterns
Usage information for the last seven days of in-console product feedback
Level 3 - Full
For Configuration Manager version 2303, this level includes the following data:
The following sections provide additional detail about data collected at each level. For
more information on the levels and how to change them, see Levels of diagnostic usage
data.
Changes from previous versions are noted with [New], [Updated], [Removed], or
[Moved].
Important
Level 1 - Basic
For Configuration Manager version 2211, this level includes the following data:
Client (Level 1)
Count of client languages and locales
Count of Configuration Manager client versions, OS versions, and Office versions
Count of Windows 10 and later devices by branch, build, and unique Active
Directory forest
Count of clients by identity source and registration method. For example, Active
Directory, Azure AD, or PKI client authentication certificate.
Count of clients by OS type and version that are joined to Azure AD or hybrid-
joined
Statistics for the number of collections and machines with power configuration
management settings assigned
Protection (Level 1)
Basic Endpoint Protection information about antimalware client versions
Setup (Level 1)
Build, install type, language packs, features that you enabled
Update pack deployment status and errors, download progress, and prerequisite
errors
SQL Server version, service pack level, edition, collation ID, and character set
Hashed list of top SQL queries by memory usage and lock count
SQL Server Always On availability group replica information, usage, and health
status
Basic site system server information: site system roles used, internet and SSL status,
OS, processors, physical or virtual machine, and usage of site server high
availability
Configured level for diagnostics and usage data, online or offline mode, and fast
update configuration
Count and processing rates of key Configuration Manager objects: data discovery
records (DDR), state messages, status messages, hardware inventory, software
inventory, and overall count of files in inboxes
Uptime and memory usage information for Configuration Manager site server
processes
Count of crashes for Configuration Manager site server processes, and Watson
signature ID, if available
[Updated] Hash of key site attributes (site ID, site codes, site names, SQL Server
broker ID, and site exchange key)
Miscellaneous (Level 1)
Basic OS deployment counts of images
Count of operating systems for managed devices and policies set by the Exchange
Connector
Level 2 - Enhanced
For Configuration Manager version 2211, this level includes the following data:
Application management (Level 2)
App requirements: count of built-in conditions referenced by deployment
technology
Count of Microsoft Store for Business apps and sync statistics: summarized types
of apps, licensed app status, and number of online and offline licensed apps
File count, content size, services count, and custom action count of MSIs in
application catalog
Aggregated statistics on Office add-ins, usage of the Office Readiness Toolkit, and
counts of clients with Microsoft 365 Apps
Client health statistics and top issue summary by client version, component, OS,
and workload
Client notification operation action status: how many times each is run, max
number of targeted clients, and average success rate
Deployment methods used for client and count of clients per deployment method
OS age in months
Statistics for device health attestation: most common error codes, number of on-
premises servers, and counts of devices in various states
CMPivot (Level 2)
CMPivot usage statistics
Co-management (Level 2)
Enrollment schedule and historical statistics
Collections (Level 2)
Collection ID usage (not running out of IDs)
Count of rules and deployments created for custom settings, including remediate
setting
Count of SCEP certificate, VPN, Wi-Fi, certificate (.pfx), and compliance policy
deployments by platform
25 most common actions, wizards, property sheets, and tree nodes accessed in the
console
Content (Level 2)
Boundary group statistics: how many fast, how many slow, count per group, and
fallback relationships
Boundary group information: count of boundaries and site systems that are
assigned to each boundary group
Count of peer cache clients, usage statistics, and partial download statistics
Count and type of operations on the SMSDPProvider service for distribution points
Protection (Level 2)
Microsoft Defender for Endpoint policies (formerly known as Windows Defender
for Endpoint): count of policies, and whether policies are deployed.
Migration (Level 2)
Count of migrated objects (use of migration wizard)
Mobile device management (MDM) (Level 2)
Count of issued mobile device actions: lock, pin reset, wipe, retire, and sync now
commands
Count of mobile devices Configuration Manager manages, and how you enrolled
them (bulk, user-based)
Mobile device polling schedule and statistics for mobile device check-in duration
OS deployment (Level 2)
Count of boot images, drivers, driver packages, multicast-enabled distribution
points, PXE-enabled distribution points, and task sequences
Count of duplicate hardware identifiers (MAC address and SMBIOS GUID) excluded
from PXE and client registration
Aggregated statistics on the number of UUP updates that are required, deployed,
expired, superseded, and downloaded
Count of clients that have deployed at least one UUP quality update or UUP
feature update
SQL Server change tracking performance issues, retention period, and autocleanup
state
State and status message performance statistics including most common and most
expensive message types
Management point traffic statistics (total bytes sent and received by endpoint)
Miscellaneous (Level 2)
Configuration of data warehouse service point including synchronization schedule,
average time, and use of customized tables feature
Aggregated system boot time statistics by OS, form-factor, and drive type
Summary of how many site systems have the proxy enabled and how many are
authenticated proxy, including configuration, usage patterns, and traffic patterns
Usage information for the last seven days of in-console product feedback
Level 3 - Full
For Configuration Manager version 2211, this level includes the following data:
The following sections provide additional detail about data collected at each level. For
more information on the levels and how to change them, see Levels of diagnostic usage
data.
Changes from previous versions are noted with [New], [Updated], [Removed], or
[Moved].
Important
Configuration Manager doesn't collect site codes, site names, IP addresses, user
names, computer names, physical addresses, or email addresses on the Basic or
Enhanced levels. Any collection of this information on the Full level is not
purposeful. It is potentially included in advanced diagnostic information like log
files or memory snapshots. Microsoft doesn't use this information to identify you,
contact you, or develop advertising.
Level 1 - Basic
For Configuration Manager version 2207, this level includes the following data:
Client (Level 1)
Count of client languages and locales
Count of Configuration Manager client versions, OS versions, and Office versions
Count of Windows 10 and later devices by branch, build, and unique Active
Directory forest
Count of clients by identity source and registration method. For example, Active
Directory, Azure AD, or PKI client authentication certificate.
Count of clients by OS type and version that are joined to Azure AD or hybrid-
joined
[New] Statistics for the number of collections and machines with power
configuration management settings assigned
Protection (Level 1)
Basic Endpoint Protection information about antimalware client versions
Setup (Level 1)
Build, install type, language packs, features that you enabled
Update pack deployment status and errors, download progress, and prerequisite
errors
SQL Server version, service pack level, edition, collation ID, and character set
Hashed list of top SQL queries by memory usage and lock count
SQL Server Always On availability group replica information, usage, and health
status
Basic site system server information: site system roles used, internet and SSL status,
OS, processors, physical or virtual machine, and usage of site server high
availability
Configured level for diagnostics and usage data, online or offline mode, and fast
update configuration
Count and processing rates of key Configuration Manager objects: data discovery
records (DDR), state messages, status messages, hardware inventory, software
inventory, and overall count of files in inboxes
Uptime and memory usage information for Configuration Manager site server
processes
Count of crashes for Configuration Manager site server processes, and Watson
signature ID, if available
Hash of key site attributes (site ID, SQL Server broker ID, and site exchange key)
Miscellaneous (Level 1)
Basic OS deployment counts of images
Count of operating systems for managed devices and policies set by the Exchange
Connector
Level 2 - Enhanced
For Configuration Manager version 2207, this level includes the following data:
Application management (Level 2)
App requirements: count of built-in conditions referenced by deployment
technology
Count of Microsoft Store for Business apps and sync statistics: summarized types
of apps, licensed app status, and number of online and offline licensed apps
File count, content size, services count, and custom action count of MSIs in
application catalog
Aggregated statistics on Office add-ins, usage of the Office Readiness Toolkit, and
counts of clients with Microsoft 365 Apps
Client health statistics and top issue summary by client version, component, OS,
and workload
Client notification operation action status: how many times each is run, max
number of targeted clients, and average success rate
Deployment methods used for client and count of clients per deployment method
OS age in months
Statistics for device health attestation: most common error codes, number of on-
premises servers, and counts of devices in various states
[New] Power plans with their peak and non-peak usage statistics
CMPivot (Level 2)
CMPivot usage statistics
Co-management (Level 2)
Enrollment schedule and historical statistics
Collections (Level 2)
Collection ID usage (not running out of IDs)
[New] Statistics for collection member counts and collection rule counts
[New] Statistics about the collection rule WMI class query dependencies
Count of rules and deployments created for custom settings, including remediate
setting
Count of SCEP certificate, VPN, Wi-Fi, certificate (.pfx), and compliance policy
deployments by platform
25 most common actions, wizards, property sheets, and tree nodes accessed in the
console
Content (Level 2)
Boundary group statistics: how many fast, how many slow, count per group, and
fallback relationships
Boundary group information: count of boundaries and site systems that are
assigned to each boundary group
Count of peer cache clients, usage statistics, and partial download statistics
Count and type of operations on the SMSDPProvider service for distribution points
Protection (Level 2)
Microsoft Defender for Endpoint policies (formerly known as Windows Defender
for Endpoint): count of policies, and whether policies are deployed.
Migration (Level 2)
Count of migrated objects (use of migration wizard)
Mobile device polling schedule and statistics for mobile device check-in duration
OS deployment (Level 2)
Count of boot images, drivers, driver packages, multicast-enabled distribution
points, PXE-enabled distribution points, and task sequences
Count of duplicate hardware identifiers (MAC address and SMBIOS GUID) excluded
from PXE and client registration
Count of updates that are created and deployed with System Center Update
Publisher
Aggregated statistics on the number of UUP updates that are required, deployed,
expired, superseded, and downloaded
Count of clients that have deployed at least one UUP quality update or UUP
feature update
SQL Server change tracking performance issues, retention period, and autocleanup
state
State and status message performance statistics including most common and most
expensive message types
Management point traffic statistics (total bytes sent and received by endpoint)
Miscellaneous (Level 2)
Configuration of data warehouse service point including synchronization schedule,
average time, and use of customized tables feature
Summary of how many site systems have the proxy enabled and how many are
authenticated proxy, including configuration, usage patterns, and traffic patterns
Usage information for the last seven days of in-console product feedback
Level 3 - Full
For Configuration Manager version 2207, this level includes the following data:
The following sections provide additional detail about data collected at each level. For
more information on the levels and how to change them, see Levels of diagnostic usage
data.
Changes from previous versions are noted with [New], [Updated], [Removed], or
[Moved].
Important
Configuration Manager doesn't collect site codes, site names, IP addresses, user
names, computer names, physical addresses, or email addresses on the Basic or
Enhanced levels. Any collection of this information on the Full level is not
purposeful. It is potentially included in advanced diagnostic information like log
files or memory snapshots. Microsoft doesn't use this information to identify you,
contact you, or develop advertising.
Level 1 - Basic
For Configuration Manager version 2203, this level includes the following data:
Client (Level 1)
Count of client languages and locales
Count of Configuration Manager client versions, OS versions, and Office versions
Count of Windows 10 and later devices by branch, build, and unique Active
Directory forest
Count of clients by identity source and registration method. For example, Active
Directory, Azure AD, or PKI client authentication certificate.
Count of clients by OS type and version that are joined to Azure AD or hybrid-
joined
Protection (Level 1)
Basic Endpoint Protection information about antimalware client versions
Setup (Level 1)
Build, install type, language packs, features that you enabled
Update pack deployment status and errors, download progress, and prerequisite
errors
SQL Server version, service pack level, edition, collation ID, and character set
Hashed list of top SQL queries by memory usage and lock count
SQL Server Always On availability group replica information, usage, and health
status
Basic site system server information: site system roles used, internet and SSL status,
OS, processors, physical or virtual machine, and usage of site server high
availability
Configured level for diagnostics and usage data, online or offline mode, and fast
update configuration
Count and processing rates of key Configuration Manager objects: data discovery
records (DDR), state messages, status messages, hardware inventory, software
inventory, and overall count of files in inboxes
Count of crashes for Configuration Manager site server processes, and Watson
signature ID, if available
Hash of key site attributes (site ID, SQL Server broker ID, and site exchange key)
Miscellaneous (Level 1)
Basic OS deployment counts of images
Count of operating systems for managed devices and policies set by the Exchange
Connector
Level 2 - Enhanced
For Configuration Manager version 2203, this level includes the following data:
Count of Microsoft Store for Business apps and sync statistics: summarized types
of apps, licensed app status, and number of online and offline licensed apps
File count, content size, services count, and custom action count of MSIs in
application catalog
Aggregated statistics on Office add-ins, usage of the Office Readiness Toolkit, and
counts of clients with Microsoft 365 Apps
Client (Level 2)
Active Management Technology (AMT) client version
Client health statistics and top issue summary by client version, component, OS,
and workload
Client notification operation action status: how many times each is run, max
number of targeted clients, and average success rate
Deployment methods used for client and count of clients per deployment method
OS age in months
Statistics for device health attestation: most common error codes, number of
on-premises servers, and counts of devices in various states
CMPivot (Level 2)
CMPivot usage statistics
Co-management (Level 2)
Enrollment schedule and historical statistics
Collections (Level 2)
Collection ID usage (not running out of IDs)
[Updated] Count of collections synchronized to Azure AD, including type and size
Count of rules and deployments created for custom settings, including remediate
setting
Count of SCEP certificate, VPN, Wi-Fi, certificate (.pfx), and compliance policy
deployments by platform
Count of compliance settings deployed by category, OS, and source (cloud vs
on-premises)
Content (Level 2)
Boundary group statistics: how many fast, how many slow, count per group, and
fallback relationships
Boundary group information: count of boundaries and site systems that are
assigned to each boundary group
Count of peer cache clients, usage statistic, and partial download statistics
[New] Count and type of operations on the SMSDPProvider service for distribution
points
Protection (Level 2)
Microsoft Defender for Endpoint policies (formerly known as Windows Defender
for Endpoint): count of policies, and whether policies are deployed.
Migration (Level 2)
Count of migrated objects (use of migration wizard)
Count of mobile devices Configuration Manager manages, and how you enrolled
them (bulk, user-based)
Mobile device polling schedule and statistics for mobile device check-in duration
OS deployment (Level 2)
Count of boot images, drivers, driver packages, multicast-enabled distribution
points, PXE-enabled distribution points, and task sequences
Count of duplicate hardware identifiers (MAC address and SMBIOS GUID) excluded
from PXE and client registration
[New] Count of task sequences and legacy packages with custom icons
Count of updates that are created and deployed with System Center Update
Publisher
Aggregated statistics on the number of UUP updates that are required, deployed,
expired, superseded, and downloaded
Count of clients that have deployed at least one UUP quality update or UUP
feature update
SQL Server change tracking performance issues, retention period, and autocleanup
state
Management point traffic statistics (total bytes sent and received by endpoint)
Miscellaneous (Level 2)
Configuration of data warehouse service point including synchronization schedule,
average time, and use of customized tables feature
Aggregated system boot time statistics by OS, form-factor, and drive type
Summary of how many site systems have the proxy enabled and how many are
authenticated proxy, including configuration, usage patterns, and traffic patterns
Usage information for the last seven days of in-console product feedback
Level 1 - Basic
For Configuration Manager version 2111, this level includes the following data:
Client (Level 1)
Count of client languages and locales
Count of Configuration Manager client versions, OS versions, and Office versions
Count of Windows 10 and later devices by branch, build, and unique Active
Directory forest
Count of clients by identity source and registration method. For example, Active
Directory, Azure AD, or PKI client authentication certificate.
[New] Count of clients by OS type and version that are joined to Azure AD or hybrid-joined
[New] Count of clients by OS type and version that are co-managed, cloud-attached, or both
Configuration Manager console (Level 1)
Statistics about Configuration Manager console connections: OS version, language,
SKU and architecture, system memory, logical processor count, connect site ID,
installed .NET versions, console language packs, and capable authentication level
Protection (Level 1)
Basic Endpoint Protection information about antimalware client versions
Setup (Level 1)
Build, install type, language packs, features that you enabled
Update pack deployment status and errors, download progress, and prerequisite
errors
SQL Server version, service pack level, edition, collation ID, and character set
Hashed list of top SQL queries by memory usage and lock count
SQL Server Always On availability group replica information, usage, and health
status
Basic site system server information: site system roles used, internet and SSL status,
OS, processors, physical or virtual machine, and usage of site server high
availability
Configured level for diagnostics and usage data, online or offline mode, and fast
update configuration
Count and processing rates of key Configuration Manager objects: data discovery
records (DDR), state messages, status messages, hardware inventory, software
inventory, and overall count of files in inboxes
Uptime and memory usage information for Configuration Manager site server
processes
Count of crashes for Configuration Manager site server processes, and Watson
signature ID, if available
Hash of key site attributes (site ID, SQL Server broker ID, and site exchange key)
Miscellaneous (Level 1)
Basic OS deployment counts of images
Count of operating systems for managed devices and policies set by the Exchange
Connector
Level 2 - Enhanced
For Configuration Manager version 2111, this level includes the following data:
Count of Microsoft Store for Business apps and sync statistics: summarized types
of apps, licensed app status, and number of online and offline licensed apps
File count, content size, services count, and custom action count of MSIs in
application catalog
Aggregated statistics on Office add-ins, usage of the Office Readiness Toolkit, and
counts of clients with Microsoft 365 Apps
Client (Level 2)
Active Management Technology (AMT) client version
Client health statistics and top issue summary by client version, component, OS,
and workload
Client notification operation action status: how many times each is run, max
number of targeted clients, and average success rate
Deployment methods used for client and count of clients per deployment method
OS age in months
Statistics for device health attestation: most common error codes, number of
on-premises servers, and counts of devices in various states
CMPivot (Level 2)
CMPivot usage statistics
Co-management (Level 2)
Enrollment schedule and historical statistics
Collections (Level 2)
Collection ID usage (not running out of IDs)
Count of rules and deployments created for custom settings, including remediate
setting
Count of SCEP certificate, VPN, Wi-Fi, certificate (.pfx), and compliance policy
deployments by platform
Count of compliance settings deployed by category, OS, and source (cloud vs
on-premises)
Count of folders
25 most common actions, wizards, property sheets, and tree nodes accessed in the
console
Content (Level 2)
Boundary group statistics: how many fast, how many slow, count per group, and
fallback relationships
Boundary group information: count of boundaries and site systems that are
assigned to each boundary group
Count of peer cache clients, usage statistic, and partial download statistics
Protection (Level 2)
Microsoft Defender for Endpoint policies (formerly known as Windows Defender
for Endpoint): count of policies, and whether policies are deployed.
Migration (Level 2)
Count of migrated objects (use of migration wizard)
Count of mobile devices Configuration Manager manages, and how you enrolled
them (bulk, user-based)
Mobile device polling schedule and statistics for mobile device check-in duration
OS deployment (Level 2)
Count of boot images, drivers, driver packages, multicast-enabled distribution
points, PXE-enabled distribution points, and task sequences
Count of duplicate hardware identifiers (MAC address and SMBIOS GUID) excluded
from PXE and client registration
Count of updates that are created and deployed with System Center Update
Publisher
Aggregated statistics on the number of UUP updates that are required, deployed,
expired, superseded, and downloaded
Use of UUP product categories
Count of clients that have deployed at least one UUP quality update or UUP
feature update
SQL Server change tracking performance issues, retention period, and autocleanup
state
State and status message performance statistics including most common and most
expensive message types
Management point traffic statistics (total bytes sent and received by endpoint)
Miscellaneous (Level 2)
Configuration of data warehouse service point including synchronization schedule,
average time, and use of customized tables feature
Aggregated system boot time statistics by OS, form-factor, and drive type
[Updated] Summary of how many site systems have the proxy enabled and how
many are authenticated proxy, including configuration, usage patterns, and traffic
patterns
Usage information for the last seven days of in-console product feedback
Level 3 - Full
For Configuration Manager version 2111, this level includes the following data:
This article provides answers to frequently asked questions about diagnostic and usage
data in Configuration Manager.
To support new versions of Windows and cloud services like Microsoft Intune, you need
to update the current branch of Configuration Manager on a regular basis. Microsoft
requires at least the basic level of diagnostic and usage data. This data is used to keep
the product up to date, improve the update experience, and improve the quality and
security of the product.
No data is sent to the service when the service connection point is in offline mode.
When you switch to online mode or use the service connection tool, it sends data to the
service to check for updates.
You can also choose the level of data that Configuration Manager collects. For more
information, see Levels of diagnostic usage data.
In online mode, the service connection point uploads the data after the queries
run.
In offline mode, you use the service connection tool to upload the data. (The data
isn't initially available for offline use until seven days after you install the site.)
The data does include time zone information from each site. This information can
provide insight into the broad geolocation and global dispersion of sites in a hierarchy.
For example, the following cloud services are a part of the Microsoft Intune family of
products:
For more information about Configuration Manager data, see Levels of diagnostic usage
data.
Plan for security in Configuration Manager
Article • 10/04/2022
This article describes the following concepts for you to consider when planning for
security with your Configuration Manager implementation:
Role-based administration
Before you start, make sure you're familiar with the fundamentals of security in
Configuration Manager.
Certificates
Configuration Manager uses a combination of self-signed and public key infrastructure
(PKI) digital certificates. Use PKI certificates whenever possible. Some scenarios require
PKI certificates. When PKI certificates aren't available, the site automatically generates
self-signed certificates. Some scenarios always use self-signed certificates.
The function of the trusted root key in Configuration Manager resembles a root
certificate in a public key infrastructure. Anything signed by the private key of the
trusted root key is trusted further down the hierarchy. Clients store a copy of the site's
trusted root key in the root\ccm\locationservices WMI namespace.
For example, the site issues a certificate to the management point, which it signs with
the private key of the trusted root key. The site shares with clients the public key of its
trusted root key. Then clients can differentiate between management points that are in
their hierarchy and management points that aren't in their hierarchy.
Clients automatically get the public copy of the trusted root key by using two
mechanisms:
You extend the Active Directory schema for Configuration Manager, and publish
the site to Active Directory Domain Services. Then clients retrieve this site
information from a global catalog server. For more information, see Prepare Active
Directory for site publishing.
When you install clients using the client push installation method. For more
information, see Client push installation.
If clients can't get the trusted root key by using one of these mechanisms, they trust the
trusted root key that's provided by the first management point that they communicate
with. In this scenario, a client might be misdirected to an attacker's management point
where it would receive policy from the rogue management point. This action requires a
sophisticated attacker. This attack is limited to the short time before the client retrieves
the trusted root key from a valid management point. To reduce this risk of an attacker
misdirecting clients to a rogue management point, pre-provision the clients with the
trusted root key.
For more information and procedures to manage the trusted root key, see Configure
security.
Important
Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.
To help protect the data that clients send to management points, you can require clients
to sign the data. You can also require the SHA-256 algorithm for signing. This
configuration is more secure, but don't require SHA-256 unless all clients support it.
Many operating systems natively support this algorithm, but older operating systems
might require an update or hotfix.
While signing helps protect the data from tampering, encryption helps protect the data
from information disclosure. You can enable encryption for the inventory data and state
messages that clients send to management points in the site. You don't have to install
any updates on clients to support this option. Clients and management points require
more CPU usage for encryption and decryption.
Note
To encrypt the data, the client uses the public key of the management point's
encryption certificate. Only the management point has the corresponding private
key, so only it can decrypt the data.
The client bootstraps this certificate with the management point's signing
certificate, which it bootstraps with the site's trusted root key. Make sure to
securely provision the trusted root key on clients. For more information, see The
trusted root key.
For more information about how to configure the settings for signing and encryption,
see Configure signing and encryption.
For more information on the cryptographic algorithms used for signing and encryption,
see Cryptographic controls technical reference.
Role-based administration
With Configuration Manager, you use role-based administration to secure the access
that administrative users need to use Configuration Manager. You also secure access to
the objects that you manage, like collections, deployments, and sites.
With the combination of security roles, security scopes, and collections, you segregate
the administrative assignments that meet your organization's requirements. Used
together, they define the administrative scope of a user. This administrative scope
controls the objects that an administrative user views in the Configuration Manager
console, and it controls the permissions that a user has on those objects.
For more information about Azure AD, see Azure Active Directory documentation.
Onboarding your site with Azure AD supports the following Configuration Manager
scenarios:
Client scenarios
Manage clients on the internet via cloud management gateway
Co-management
Server scenarios
Desktop Analytics
Tenant attach
Endpoint analytics
Community Hub
User discovery
Important
When you select this setting, the SMS Provider and administration service
require the user's authentication token to contain a multi-factor
authentication (MFA) claim from Windows Hello for Business. In other words,
a user of the console, SDK, PowerShell, or administration service has to
authenticate to Windows with their Windows Hello for Business PIN or
biometric. Otherwise the site rejects the user's action.
This behavior is for Windows Hello for Business, not Windows Hello.
For more information on how to configure this setting, see Configure SMS Provider
authentication.
Next steps
Certificates in Configuration Manager
Configure security
Use the information in this article to help you set up security-related options for
Configuration Manager. Before you start, make sure you have a Plan for security.
Important
Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.
2. In the ribbon, choose Properties. Then switch to the Communication Security tab.
HTTPS only: Clients that are assigned to the site always use a client PKI
certificate when they connect to site systems that use IIS. For example, a
management point and distribution point.
When more than one valid PKI client certificate is available on a client, select
Modify to configure the client certificate selection methods. For more
information about the client certificate selection method, see Planning for PKI
client certificate selection.
Clients check the certificate revocation list (CRL) for site systems: Enable
this setting for clients to check your organization's CRL for revoked
certificates. For more information about CRL checking for clients, see
Planning for PKI certificate revocation.
5. To import, view, and delete the certificates for trusted root certification authorities,
select Set. For more information, see Planning for the PKI trusted root certificates
and the certificate issuers List.
Note
If clients can get the trusted root key from Active Directory Domain Services or
client push, you don't have to pre-provision it.
When clients use HTTPS communication to management points, you don't have to
pre-provision the trusted root key. They establish trust through the PKI certificates.
For more information on the trusted root key, see Plan for security.
2. Locate the entry SMSPublicRootKey. Copy the value from that line, and close the
file without saving any changes.
3. Create a new text file, and paste the key value that you copied from the
mobileclient.tcf file.
4. Save the file in a location where all computers can access it, but where the file is
safe from tampering.
5. Install the client by using any installation method that accepts client.msi properties.
Specify the following property: SMSROOTKEYPATH=<full path and file name>
Important
When you specify the trusted root key during client installation, also specify
the site code. Use the following client.msi property: SMSSITECODE=<site code>
2. Locate the entry SMSPublicRootKey. Copy the value from that line, and close the
file without saving any changes.
3. Install the client by using any installation method that accepts client.msi properties.
Specify the following client.msi property: SMSPublicRootKey=<key> where <key> is
the string that you copied from mobileclient.tcf.
Important
When you specify the trusted root key during client installation, also specify
the site code. Use the following client.msi property: SMSSITECODE=<site code>
Verify the trusted root key on a client
1. Open a Windows PowerShell console as an administrator.
PowerShell
The returned string is the trusted root key. Verify that it matches the SMSPublicRootKey
value in the mobileclient.tcf file on the site server.
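The comparison described above, written out as an added example (this is not code from the Configuration Manager documentation). It assumes the client exposes its copy of the key through a TrustedRootKey class (property TrustedRootKey) in the root\ccm\locationservices WMI namespace named on this page, and that mobileclient.tcf has already been copied from the site server to a local path:

```powershell
# Added example: verify that a client's trusted root key matches the site's key.
# Assumptions: class and property name TrustedRootKey in root\ccm\locationservices,
# and a local copy of mobileclient.tcf taken from the site server.

function Get-ClientTrustedRootKey {
    # Read the key the client actually trusts from the WMI namespace on the page.
    $instance = Get-CimInstance -Namespace 'root\ccm\locationservices' `
                                -ClassName 'TrustedRootKey' -ErrorAction Stop
    return ([string]$instance.TrustedRootKey).Trim()
}

function Get-SiteTrustedRootKey {
    param([Parameter(Mandatory)][string]$TcfPath)
    # mobileclient.tcf is a text file containing one "SMSPublicRootKey=<value>" line.
    $line = Get-Content -LiteralPath $TcfPath |
        Where-Object { $_ -match '^\s*SMSPublicRootKey\s*=' } |
        Select-Object -First 1
    if (-not $line) { throw "SMSPublicRootKey entry not found in $TcfPath" }
    return ($line -split '=', 2)[1].Trim()
}

function Test-TrustedRootKey {
    param([Parameter(Mandatory)][string]$TcfPath)
    $clientKey = Get-ClientTrustedRootKey
    $siteKey   = Get-SiteTrustedRootKey -TcfPath $TcfPath
    # The key is hex text, so a case-insensitive comparison is sufficient.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Match        = ($clientKey -ieq $siteKey)
        ClientKey    = $clientKey
        SiteKey      = $siteKey
    }
}

# A mismatch means the client trusts a key the site didn't publish: either the
# site's key was replaced, or the client took its key from a management point
# that isn't in this hierarchy. Reinstall the client with the correct key.
$result = Test-TrustedRootKey -TcfPath 'C:\Temp\mobileclient.tcf'
$result | Format-List
if (-not $result.Match) {
    Write-Warning "Trusted root key on $($result.ComputerName) does not match the site's SMSPublicRootKey."
}
```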
To replace the trusted root key, reinstall the client together with the new trusted root
key. For example, use client push, or specify the client.msi property SMSPublicRootKey.
For more information on these installation properties, see About client installation
parameters and properties.
2. In the ribbon, select Properties, and then switch to the Signing and Encryption
tab.
This tab is available on a primary site only. If you don't see the Signing and
Encryption tab, make sure that you're not connected to a central administration
site or a secondary site.
3. Configure the signing and encryption options for clients to communicate with the
site.
Require signing: Clients sign data before sending to the management point.
Require SHA-256: Clients use the SHA-256 algorithm when signing data.
Warning
Don't Require SHA-256 without first confirming that all clients support
this hash algorithm. These clients include ones that might be assigned to
the site in the future.
If you choose this option, and clients with self-signed certificates can't
support SHA-256, Configuration Manager rejects them. The
SMS_MP_CONTROL_MANAGER component logs the message ID 5443.
Use encryption: Clients encrypt client inventory data and status messages
before sending to the management point.
Role-based administration
Role-based administration combines security roles, security scopes, and assigned
collections to define the administrative scope for each administrative user. A scope
includes the objects that a user can view in the console, and the tasks related to those
objects that they have permission to do. Role-based administration configurations are
applied at each site in a hierarchy.
For more information, see Configure role-based administration. This article details the
following actions:
Your own administrative scope defines the objects and settings that you can assign
when you configure role-based administration for another administrative user. For
information about planning for role-based administration, see Fundamentals of
role-based administration.
Manage accounts
Configuration Manager supports Windows accounts for many different tasks and uses.
To view accounts that are configured for different tasks, and to manage the password
that Configuration Manager uses for each account, use the following procedure:
2. To change the password for an account, select the account in the list. Then choose
Properties in the ribbon.
3. Choose Set to open the Windows User Account dialog box. Specify the new
password for Configuration Manager to use for this account.
Note
The password that you specify must match this account's password in Active
Directory.
For more information, see the Cloud Management service in Configure Azure services.
Important
This configuration is a hierarchy-wide setting. Before you change this setting, make
sure that all Configuration Manager administrators can sign in to Windows with the
required authentication level.
4. Switch to the Authentication tab. Select the desired authentication level, and then
select OK.
Only when necessary, select Add to exclude specific users or groups. For
more information, see Exclusions.
Exclusions
From the Authentication tab of Hierarchy Settings, you can also exclude certain users or
groups. Use this option sparingly. For example, when specific users require access to the
Configuration Manager console, but can't authenticate to Windows at the required level.
It may also be necessary for automation or services that run under the context of a
system account.
Next steps
How to enable TLS 1.2
Configuration Manager uses signing and encryption to help protect the management of
the devices in the Configuration Manager hierarchy. With signing, if data has been
altered in transit, it's discarded. Encryption helps prevent an attacker from reading the
data by using a network protocol analyzer.
The primary hashing algorithm that Configuration Manager uses for signing is SHA-256.
When two Configuration Manager sites communicate with each other, they sign their
communications with SHA-256.
Starting in version 2107, the primary encryption algorithm that Configuration Manager
uses is AES-256. Encryption mainly happens in the following two areas:
If you enable the site to Use encryption, the client encrypts its inventory data and
state messages that it sends to the management point.
When the client downloads secret policies, the management point always encrypts
these policies. For example, an OS deployment task sequence that includes
passwords.
For clients on version 2103 and earlier, the primary encryption algorithm is 3DES.
Note
If you configure HTTPS communication, these messages are encrypted twice. The
message is encrypted with AES, then the HTTPS transport is encrypted with AES.
When you use client communication over HTTPS, configure your public key
infrastructure (PKI) to use certificates with the maximum hashing algorithms and key
lengths. When using CNG v3 certificates, Configuration Manager clients only support
certificates that use the RSA cryptographic algorithm. For more information, see PKI
certificate requirements and CNG v3 certificates overview.
For transport security, anything that uses TLS supports AES. This support includes when
you configure the site for enhanced HTTP or HTTPS. For on-premises site systems, you
can control the TLS cipher suites. For cloud-based roles like the cloud management
gateway (CMG), if you enable TLS 1.2, Configuration Manager configures the cipher
suites.
Site operations
Information in Configuration Manager can be signed and encrypted. It supports these
operations with or without PKI certificates.
When policy contains sensitive data, starting in version 2107, the management point
encrypts it with AES-256. In version 2103 and earlier, it uses 3DES. Policy that contains
sensitive data is only sent to authorized clients. The site doesn't encrypt policy that
doesn't have sensitive data.
When a client stores policy, it encrypts the policy using the Windows data protection
application programming interface (DPAPI).
Policy hashing
When a client requests policy, it first gets a policy assignment. Then it knows which
policies apply to it, and it can request only those policy bodies. Each policy assignment
contains the calculated hash for the corresponding policy body. The client downloads
the applicable policy bodies and then calculates the hash for each policy body. If the
hash on the policy body doesn't match the hash in the policy assignment, the client
discards the policy body.
Content hashing
The distribution manager service on the site server hashes the content files for all
packages. The policy provider includes the hash in the software distribution policy.
When the Configuration Manager client downloads the content, the client regenerates
the hash locally and compares it to the one supplied in the policy. If the hashes match,
the content isn't altered, and the client installs it. If a single byte of the content is
altered, the hashes won't match, and the client doesn't install the software. This check
helps to make sure that the correct software is installed because the actual content is
compared with the policy.
Not all devices can support content hashing. The exceptions include:
Windows Mobile clients, though these clients verify the signature of an application
that's signed by a trusted source.
When the client connects to the multicast session, the key exchange occurs over an
encrypted channel. If the client uses HTTPS, it uses the PKI-issued client authentication
certificate. If the client uses HTTP, it uses the self-signed certificate. The client only
stores the encryption key in memory during the multicast session.
When you publish software updates with System Center Updates Publisher, a digital
certificate signs the software updates. You can either specify a PKI certificate or
configure Updates Publisher to generate a self-signed certificate to sign the software
update. If you use a self-signed certificate to publish the updates catalog, such as WSUS
Publishers Self-signed, the certificate must also be in the Trusted Root Certification
Authorities certificate store on the local computer. WUA also checks whether the Allow
signed content from intranet Microsoft update service location group policy setting is
enabled on the local computer. This policy setting must be enabled for WUA to scan for
the updates that were created and published with System Center Updates Publisher.
Certificates
For a list of the public key infrastructure (PKI) certificates that can be used by
Configuration Manager, any special requirements or limitations, and how the certificates
are used, see PKI certificate requirements. This list includes the supported hash
algorithms and key lengths. Most certificates support SHA-256 and a 2048-bit key
length.
Most Configuration Manager operations that use certificates also support v3 certificates.
For more information, see CNG v3 certificates overview.
Note
All certificates that Configuration Manager uses must contain only single-byte
characters in the subject name or subject alternative name.
For most other communication that requires certificates for authentication, signing, or
encryption, Configuration Manager automatically uses PKI certificates if available. If they
aren't available, Configuration Manager generates self-signed certificates.
Configuration Manager doesn't use PKI certificates when it manages mobile devices by
using the Exchange Server connector.
If you enable hardware inventory for mobile devices, Configuration Manager also
inventories the certificates that are installed on the mobile device.
If you create bootable media, you import the client authentication certificate when you
create the bootable media. To help protect the private key and other sensitive data
configured in the task sequence, configure a password on the bootable media. Every
computer that boots from the bootable media uses the same certificate with the
management point as required for client functions such as requesting client policy.
If you use PXE, import the client authentication certificate to the PXE-enabled
distribution point. It uses the same certificate for every client that boots from that PXE-
enabled distribution point. To help protect the private key and other sensitive data in
the task sequences, require a password for PXE.
After Configuration Manager deploys the OS and installs the client, the client requires its
own PKI client authentication certificate for HTTPS client communication.
If the ISV certificate is compromised, block the certificate in the Certificates node in the
Administration workspace, Security node.
Clients require another type of authentication to communicate with a CMG and the on-
premises management point. They can use Azure Active Directory, a PKI certificate, or a
site token. For more information, see Configure client authentication for cloud
management gateway.
Clients don't require a client PKI certificate to use cloud-based storage. After they
authenticate to the management point, the management point issues a Configuration
Manager access token to the client. The client presents this token to the CMG to access
the content. The token is valid for eight hours.
IIS enables CRL checking by default. If you use a CRL with your PKI deployment, you
don't need to configure most site systems that run IIS. The exception is for software
updates, which require a manual step to enable CRL checking to verify the signatures
on software update files.
When a client uses HTTPS, it enables CRL checking by default. For macOS clients, you
can't disable CRL checking.
Server-to-server connections
Server communication
Configuration Manager uses the following cryptographic controls for server
communication.
When Configuration Manager uses a certificate for this communication, if there's a PKI
certificate available with server authentication capability, Configuration Manager
automatically uses it. If not, Configuration Manager generates a self-signed certificate.
This self-signed certificate has server authentication capability, uses SHA-256, and has a
key length of 2048 bits. Configuration Manager copies the certificate to the Trusted
People store on other site system servers that might need to trust the site system. Site
systems can then trust one another by using these certificates and PeerTrust.
In addition to this certificate for each site system server, Configuration Manager
generates a self-signed certificate for most site system roles. When there is more than
one instance of the site system role in the same site, they share the same certificate. For
example, you might have multiple management points in the same site. This self-signed
certificate uses SHA-256 and has a key length of 2048 bits. It's copied to the Trusted
People Store on site system servers that might need to trust it. The following site system
roles generate this certificate:
Enrollment point
Management point
To send status messages from the distribution point to the management point,
Configuration Manager uses a client authentication certificate. When you configure the
management point for HTTPS, it requires a PKI certificate. If the management point
accepts HTTP connections, you can use a PKI certificate. It can also use a self-signed
certificate that has client authentication capability, uses SHA-256, and has a key length
of 2048 bits.
Site servers establish site-to-site communication by using a secure key exchange that
happens automatically. The sending site server generates a hash and signs it with its
private key. The receiving site server checks the signature by using the public key and
compares the hash with a locally generated value. If they match, the receiving site
accepts the replicated data. If the values don't match, Configuration Manager rejects the
replication data.
Database replication in Configuration Manager uses the SQL Server Service Broker to
transfer data between sites. It uses the following mechanisms:
SQL Server to SQL Server: This connection uses Windows credentials for server
authentication and self-signed certificates with 1024 bits to sign and encrypt the
data with the AES algorithm. If available, it uses PKI certificates with server
authentication capability. It only uses certificates in the computer's Personal
certificate store.
SQL Service Broker: This service uses self-signed certificates with 2048 bits for
authentication and to sign and encrypt the data with the AES algorithm. It only
uses certificates in the SQL Server master database.
File-based replication uses the server message block (SMB) protocol. It uses SHA-256 to
sign data that isn't encrypted and doesn't contain any sensitive data. To encrypt this
data, use IPsec, which you implement independently from Configuration Manager.
Client connections over HTTPS offer a higher level of security by integrating with a
public key infrastructure (PKI) to help protect client-to-server communication. However,
configuring HTTPS client connections without a thorough understanding of PKI
planning, deployment, and operations could still leave you vulnerable. For example, if
you don't secure your root certificate authority (CA), attackers could compromise the
trust of your entire PKI infrastructure. Failing to deploy and manage the PKI certificates
by using controlled and secured processes might result in unmanaged clients that can't
receive critical software updates or packages.
Important
The PKI certificates that Configuration Manager uses for client communication
protect the communication only between the client and some site systems. They
don't protect the communication channel between the site server and site systems
or between site servers.
Client fails to make an HTTPS connection on the intranet and falls back to using
HTTP when site systems allow this configuration.
You configure reporting services points to use HTTP or HTTPS independently from the
client communication mode.
When a management point first authenticates a client by using the self-signed client
certificate, this mechanism provides minimal security because any computer can
generate a self-signed certificate. Use client approval to enhance this process. Only
approve trusted computers, either automatically by Configuration Manager, or manually
by an administrative user. For more information, see Manage clients.
Enable TLS 1.2 across all devices and services. To enable TLS 1.2 for Configuration
Manager, see How to enable TLS 1.2 for Configuration Manager.
Disable SSL 3.0, TLS 1.0, and TLS 1.1.
Note
Use PKI certificates whenever possible. For more information, see PKI certificate
requirements. When Configuration Manager requests PKI certificates during enrollment
for mobile devices, use Active Directory Domain Services and an enterprise certification
authority. For all other PKI certificates, deploy and manage them independently from
Configuration Manager.
PKI certificates are required when client computers connect to internet-based site
systems. The cloud management gateway also requires certificates. For more
information, see Manage clients on the internet.
When you use a PKI, you can also use IPsec to help secure the server-to-server
communication between site systems in a site, between sites, and for other data transfer
between computers. Implementation of IPsec is independent from Configuration
Manager.
Important
Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.
CNG v3 certificates
Configuration Manager supports Cryptography: Next Generation (CNG) v3 certificates.
Configuration Manager clients can use a PKI client authentication certificate with private
key in a CNG Key Storage Provider (KSP). With KSP support, Configuration Manager
clients support hardware-based private keys, such as a TPM KSP for PKI client
authentication certificates.
Enhanced HTTP
Using HTTPS communication is recommended for all Configuration Manager
communication paths, but is challenging for some customers because of the overhead
of managing PKI certificates. The introduction of Azure Active Directory (Azure AD)
integration reduces some but not all of the certificate requirements. You can instead
enable the site to use enhanced HTTP. This configuration supports HTTPS on site
systems by using self-signed certificates, along with Azure AD for some scenarios. It
doesn't require PKI.
Note
For more information about certificates for a CDP, see Certificates for the cloud
distribution point.
Clients can securely get a copy of the site server signing certificate from Active Directory
Domain Services and from client push installation. If clients can't get a copy of this
certificate by one of these mechanisms, install it when you install the client. This process
is especially important if the client's first communication with the site is with an internet-
based management point. Because this server is connected to an untrusted network, it's
more vulnerable to attack. If you don't take this additional step, clients automatically
download a copy of the site server signing certificate from the management point.
Clients can't securely get a copy of the site server certificate in the following scenarios:
You haven't extended the Active Directory schema for Configuration Manager.
You haven't published the client's site to Active Directory Domain Services.
You're using internet-based client management and you install the client when it's
on the internet.
For more information on how to install clients with a copy of the site server signing
certificate, use the SMSSIGNCERT command-line property. For more information, see
About client installation parameters and properties.
If the client also has a PKI-based certificate, it continues to use that certificate for TLS
HTTPS communication. It uses its self-signed certificate for signing messages with the
site. For more information, see PKI certificate requirements.
Note
For clients that also have a PKI certificate, the Configuration Manager console
displays the Client certificate property as Self-signed. The client control panel
Client certificate property shows PKI.
When you update to version 2107 or later, clients with PKI certificates will recreate self-
signed certificates, but don't reregister with the site. Clients without a PKI certificate will
reregister with the site, which can cause extra processing at the site. Make sure that your
process to update clients allows for randomization. If you simultaneously update lots of
clients, it may cause a backlog on the site server.
Configuration Manager doesn't use TPMs that are known to be vulnerable, for example
when the TPM version is earlier than 2.0. If a device has a vulnerable TPM, the client falls
back to using a software-based KSP. The certificate is still not exportable.
Next steps
Plan for PKI certificates in Configuration Manager
Configure security
This article provides information about PKI certificates in Configuration Manager to help
you plan your implementation. For more general information about the use of
certificates in Configuration Manager, see Certificates in Configuration Manager.
Important
Because the location of the CRL is added to a certificate when a CA issues it, make
sure that you plan for the CRL before you deploy any PKI certificates that
Configuration Manager uses.
IIS always checks the CRL for client certificates, and you can't change this configuration
in Configuration Manager. By default, Configuration Manager clients always check the
CRL for site systems. Disable this setting by specifying a site property and by specifying
a CCMSetup property.
Computers that use certificate revocation checking but can't locate the CRL behave as if
all certificates in the certification chain are revoked. This behavior is because they can't
verify if the certificates are in the certificate revocation list. In this scenario, all
connections fail that require certificates and include CRL checking. When validating that
your CRL is accessible by browsing to its HTTP location, it's important to note that the
Configuration Manager client runs as LOCAL SYSTEM. Testing CRL accessibility with a
web browser under a user context may succeed, but the computer account may be
blocked when attempting to make an HTTP connection to the same CRL URL. For
example, it can be blocked because of an internal web filtering solution like a proxy. Add
the CRL URL to the approved list for any web filtering solutions.
Checking the CRL every time that a certificate is used offers more security against using
a certificate that's revoked. It does introduce a connection delay and more processing
on the client. Your organization may require this security check for clients on the
internet or an untrusted network.
Consult your PKI administrators before you decide whether Configuration Manager
clients need to check the CRL. When both of the following conditions are true, consider
keeping this option enabled in Configuration Manager:
Your PKI infrastructure supports a CRL, and it's published where all Configuration
Manager clients can locate it. These clients might include devices on the internet,
and ones in untrusted forests.
The requirement to check the CRL for each connection to a site system that's
configured to use a PKI certificate is greater than the following requirements:
Faster connections
Efficient processing on the client
The risk of clients failing to connect to servers if they can't locate the CRL
You use PKI client certificates that don't chain to a root certificate that the
management points trust.
Note
When you issue client PKI certificates from the same CA hierarchy that issues
the server certificates that you use for management points, you don't have to
specify this root CA certificate. However, if you use multiple CA hierarchies
and you aren't sure whether they trust each other, import the root CA for the
clients' CA hierarchy.
If you need to import root CA certificates for Configuration Manager, export them from
the issuing CA or from the client computer. If you export the certificate from the issuing
CA that's also the root CA, don't export the private key. Store the exported certificate file
in a secure location to prevent tampering. You need access to the file when you set up
the site. If you access the file over the network, make sure the communication is
protected from tampering by using IPsec.
If any root CA certificate that you import is renewed, import the renewed certificate.
These imported root CA certificates and the root CA certificate of each management
point create the certificate issuers list. Configuration Manager computers use this list in
the following ways:
When clients connect to management points, the management point verifies that
the client certificate is chained to a trusted root certificate in the site's certificate
issuers list. If it doesn't, the certificate is rejected, and the PKI connection fails.
When clients select a PKI certificate and have a certificate issuers list, they select a
certificate that chains to a trusted root certificate in the certificate issuers list. If
there's no match, the client doesn't select a PKI certificate. For more information,
see PKI client certificate selection.
Note
In many cases, the default configuration and behavior are sufficient. The Configuration
Manager client on Windows computers filters multiple certificates by using these criteria
in this order:
1. The certificate issuers list: The certificate chains to a root CA that's trusted by the
management point.
3. The certificate is valid, not revoked, and not expired. The validity check also verifies
that the private key is accessible.
5. The certificate Subject Name contains the local computer name as a substring.
Configure clients to use the certificate issuers list by using the following mechanisms:
Clients download it from the management point after they're successfully assigned
to their site.
If clients don't have the certificate issuers list when they're first installed, and aren't yet
assigned to the site, they skip this check. When clients do have the certificate issuers list,
and don't have a PKI certificate that chains to a trusted root certificate in the certificate
issuers list, certificate selection fails. Clients don't continue with the other certificate
selection criteria.
In most cases, the Configuration Manager client correctly identifies a unique and
appropriate PKI certificate. When this behavior isn't the case, instead of selecting the
certificate based on the client authentication capability, you can set up two alternative
selection methods:
A partial string match on the client certificate subject name. This method is a case-
insensitive match. It's appropriate if you're using the fully qualified domain name
(FQDN) of a computer in the subject field and want the certificate selection to be
based on the domain suffix, for example contoso.com. You can use this selection
method to identify any string of sequential characters in the certificate subject
name that differentiates the certificate from others in the client certificate store.
Note
You can't use the partial string match with the subject alternative name (SAN)
as a site setting. Although you can specify a partial string match for the SAN
by using CCMSetup, it'll be overwritten by the site properties in the following
scenarios:
Clients retrieve site information that's published to Active Directory
Domain Services.
Clients are installed by using client push installation.
Use a partial string match in the SAN only when you install clients manually
and when they don't retrieve site information from Active Directory Domain
Services. For example, these conditions apply to internet-only clients.
A match on the client certificate subject name attribute values or the subject
alternative name (SAN) attribute values. This method is a case-sensitive match. It's
appropriate if you're using an X500 distinguished name or equivalent object
identifiers (OIDs) in compliance with RFC 3280, and you want the certificate
selection to be based on the attribute values. You can specify only the attributes
and their values that you require to uniquely identify or validate the certificate and
differentiate the certificate from others in the certificate store.
The following table shows the attribute values that Configuration Manager supports for
the client certificate selection criteria:
OID 2.5.4.7, distinguished name attribute L: Locality
Note
If you configure either of the above alternate certificate selection methods, the
certificate Subject Name doesn't need to contain the local computer name.
If more than one appropriate certificate is located after the selection criteria are applied,
you can override the default configuration to select the certificate that has the longest
validity period. Instead, you can specify that no certificate is selected. In this scenario,
the client can't communicate with IIS site systems with a PKI certificate. The client sends
an error message to its assigned fallback status point to alert you to the certificate
selection failure. Then you can change or refine your certificate selection criteria.
The client behavior then depends on whether the failed connection was over HTTPS or
HTTP:
If the failed connection was over HTTPS: The client tries to connect over HTTP and
uses the client self-signed certificate.
If the failed connection was over HTTP: The client tries to connect again over HTTP
by using the self-signed client certificate.
To help identify a unique PKI client certificate, you can also specify a custom store other
than the default of Personal in the Computer store. Create a custom certificate store
outside of Configuration Manager. You need to be able to deploy certificates to this
custom store and renew them before the validity period expires.
For more information, see Configure settings for client PKI certificates.
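The selection rules above, as an added example that isn't part of the original article: a Python model of the client certificate filter run over constructed sample certificates. The certificates are plain records rather than X.509 objects, and the host names, root CA names and the simplified DN parser are assumptions of the model.

```python
# Added example (not code from the original article): a model of the client
# PKI certificate selection rules, so the order of the filters and the
# tie-break behaviour are visible. Host names and root CA names are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Cert:
    label: str                   # name used only to identify the sample record
    subject: str                 # X.500 DN text, e.g. "CN=pc01.contoso.com,O=Contoso"
    issuer_root: str             # root CA that the certificate chain ends at
    not_after: datetime
    san: Dict[str, str] = field(default_factory=dict)   # SAN attributes, e.g. {"DNS": ...}
    revoked: bool = False
    key_accessible: bool = True


def dn_attrs(dn: str) -> Dict[str, str]:
    """Parse 'CN=a,O=b' into {'CN': 'a', 'O': 'b'} (simplified: no escaping)."""
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def select_client_cert(certs: List[Cert], computer_name: str, now: datetime,
                       issuers_list: Optional[List[str]] = None,
                       partial_match: Optional[str] = None,
                       attr_match: Optional[Dict[str, str]] = None,
                       longest_validity: bool = True) -> Optional[Cert]:
    """Return the selected certificate, or None when selection fails."""
    # 1. Certificate issuers list: with a list present, anything that doesn't chain
    #    to a listed root is dropped; if nothing is left, the client stops here.
    if issuers_list is not None:
        certs = [c for c in certs if c.issuer_root in issuers_list]
        if not certs:
            return None
    # 2. Valid: not revoked, not expired, and the private key is accessible.
    certs = [c for c in certs if not c.revoked and c.not_after > now and c.key_accessible]
    # 3. Pick out the machine's own certificate. Either alternative method
    #    replaces the default "Subject Name contains the computer name" rule.
    if partial_match is not None:
        # Partial string match on the Subject Name: case-insensitive.
        needle = partial_match.lower()
        certs = [c for c in certs if needle in c.subject.lower()]
    elif attr_match is not None:
        # Attribute value match on Subject or SAN: case-sensitive, all must match.
        def matches(c: Cert) -> bool:
            have = {**c.san, **dn_attrs(c.subject)}
            return all(have.get(k) == v for k, v in attr_match.items())
        certs = [c for c in certs if matches(c)]
    else:
        # Default rule; host names are case-insensitive, so compare lower-cased
        # (an assumption of this model, not stated on the page).
        certs = [c for c in certs if computer_name.lower() in c.subject.lower()]
    if not certs:
        return None
    if len(certs) == 1:
        return certs[0]
    # More than one candidate: by default the longest validity period wins;
    # the override selects nothing and the client reports a selection failure.
    return max(certs, key=lambda c: c.not_after) if longest_validity else None


# Constructed sample store for a computer named PC01 in contoso.com.
NOW = datetime(2023, 3, 22, tzinfo=timezone.utc)
STORE = [
    Cert("machine", "CN=pc01.contoso.com,O=Contoso", "Contoso Root CA", NOW + timedelta(days=365)),
    Cert("machine-renewed", "CN=pc01.contoso.com,O=Contoso", "Contoso Root CA",
         NOW + timedelta(days=700), san={"DNS": "pc01.contoso.com"}),
    Cert("expired", "CN=pc01.contoso.com,O=Contoso", "Contoso Root CA", NOW - timedelta(days=1)),
    Cert("user-vpn", "CN=alice,O=Contoso", "Contoso Root CA", NOW + timedelta(days=900)),
    Cert("partner", "CN=pc01.contoso.com,O=Fabrikam", "Fabrikam Root CA", NOW + timedelta(days=900)),
]


def pick(**settings) -> Optional[str]:
    """Run one selection against the sample store; returns the chosen label."""
    chosen = select_client_cert(STORE, "PC01", NOW, **settings)
    return chosen.label if chosen else None


def demo() -> Dict[str, Optional[str]]:
    """Selection outcomes under the configurations discussed in the article."""
    trusted = ["Contoso Root CA"]
    return {
        "default": pick(issuers_list=trusted),              # two valid, longest wins
        "no_tiebreak": pick(issuers_list=trusted, longest_validity=False),
        "no_issuers_list": pick(),                          # Fabrikam cert now eligible
        "partial": pick(issuers_list=trusted, partial_match="CONTOSO.COM"),
        "attr": pick(issuers_list=trusted, attr_match={"O": "Contoso", "CN": "pc01.contoso.com"}),
        "attr_wrong_case": pick(issuers_list=trusted, attr_match={"O": "contoso"}),
        "untrusted_only": pick(issuers_list=["Other Root CA"]),
    }
```

Note how the same store yields a different certificate once the issuers list is absent, and no certificate at all when the tie-break override is set.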
This plan first introduces PKI certificates for authentication only over HTTP, and then for
authentication and encryption over HTTPS. When you follow this plan to gradually
introduce these certificates, you reduce the risk that clients become unmanaged. You'll
also benefit from the highest security that Configuration Manager supports.
1. Install the Configuration Manager site and configure it so that site systems accept
client connections over HTTPS and HTTP.
2. Configure the Communication Security tab in the site properties. Set Site System
Settings to HTTP or HTTPS and select Use PKI client certificate (client
authentication capability) when available. For more information, see Configure
settings for client PKI certificates.
3. Pilot a PKI rollout for client certificates. For an example deployment, see Deploy
the client certificate for Windows computers.
4. Install clients by using the client push installation method. For more information,
see How to install Configuration Manager clients by using client push.
5. Monitor client deployment and status by using the reports and information in the
Configuration Manager console.
6. Track how many clients are using a client PKI certificate by viewing the Client
Certificate column in the Assets and Compliance workspace, Devices node.
Note
For clients that also have a PKI certificate, the Configuration Manager console
displays the Client certificate property as Self-signed. The client control panel
Client certificate property shows PKI.
You can also deploy the Configuration Manager HTTPS Readiness Assessment Tool
(CMHttpsReadiness.exe) to computers. Then use the reports to view how many
computers can use a client PKI certificate with Configuration Manager.
Note
/Criteria:<Selection criteria>: This option is the same as the client.msi property
7. When you're confident that enough clients are successfully using their client PKI
certificate for authentication over HTTP, follow these steps:
a. Deploy a PKI web server certificate to a member server that runs another
management point for the site, and configure that certificate in IIS. For more
information, see Deploy the web server certificate for site systems that run IIS.
b. Install the management point role on this server. Configure the Client
connections option in the management point properties for HTTPS.
8. Monitor and verify that clients that have a PKI certificate use the new management
point by using HTTPS. You can use IIS logging or performance counters to verify.
9. Reconfigure other site system roles to use HTTPS client connections. If you want to
manage clients on the internet, make sure that site systems have an internet
FQDN. Configure individual management points and distribution points to accept
client connections from the internet.
Important
Before you set up site system roles to accept connections from the internet,
review the planning information and prerequisites for internet-based client
management. For more information, see Communications between
endpoints.
10. Extend the PKI certificate rollout for clients and for site systems that run IIS. Set up
the site system roles for HTTPS client connections and internet connections, as
required.
11. For the highest security: When you're confident that all clients are using a client
PKI certificate for authentication and encryption, change the site properties to use
HTTPS only.
Next steps
Configure security
Supported scenarios
You can use Cryptography API: Next Generation (CNG) v3 certificate templates for the
following scenarios:
Also use CNG v3 certificates for the following HTTPS-enabled server roles:
Management point
Distribution point
Software update point
State migration point
Certificate registration point, including the NDES server with the Configuration
Manager policy module
Note
CNG is backward compatible with Crypto API (CAPI). CAPI certificates continue to
be supported even when CNG support is enabled on the client.
Unsupported scenarios
The following scenarios currently aren't supported:
The following server roles aren't operational when installed in HTTPS mode with a
CNG v3 certificate bound to the web site in Internet Information Services (IIS):
Enrollment point
Enrollment proxy point
Compatibility tab
Cryptography tab
Request must use one of the following providers: must be Microsoft Software
Key Storage Provider.
Note
For best results, we recommend building the Subject Name from Active Directory
information. Use the DNS Name for Subject name format and include the DNS name in
the alternate subject name. Otherwise, you must provide this information when the
device enrolls into the certificate profile.
PKI certificate requirements for Configuration Manager
Article • 03/22/2023
The public key infrastructure (PKI) certificates that you might require for Configuration
Manager are listed in the following tables. This information assumes basic knowledge of
PKI certificates.
You can use any PKI to create, deploy, and manage most certificates in Configuration
Manager. For client certificates that Configuration Manager enrolls on mobile devices
and Mac computers, they require use of Active Directory Certificate Services.
When you use Active Directory Certificate Services and certificate templates, this
Microsoft PKI solution can ease the management of certificates. Use the Microsoft
certificate template reference in the sections below to identify the certificate template
that most closely matches the certificate requirements. Only an enterprise certification
authority (CA) that runs on the Enterprise or Datacenter editions of Windows Server can
use template-based certificates.
Windows doesn't trust certificates signed with SHA-1. For more information, see
Windows Enforcement of SHA1 certificates.
CNG v3 certificates
Configuration Manager supports Cryptography: Next Generation (CNG) v3 certificates.
Configuration Manager clients can use a PKI client authentication certificate with private
key in a CNG Key Storage Provider (KSP). With KSP support, Configuration Manager
clients support hardware-based private keys, such as a TPM KSP for PKI client
authentication certificates.
Applies to:
Management point
Distribution point
Software update point
State migration point
Enrollment point
Enrollment proxy point
Certificate registration point
Certificate requirements:
Subject Name:
If the site system accepts connections from the internet, the Subject Name or
Subject Alternative Name must contain the internet fully qualified domain
name (FQDN).
If the site system accepts connections from the intranet, the Subject Name or
Subject Alternative Name must contain either the intranet FQDN
(recommended) or the computer's name, depending on how the site system is
set up.
If the site system accepts connections from both the internet and the intranet,
both the internet FQDN and the intranet FQDN (or computer name) must be
specified. Use the ampersand ( & ) symbol delimiter between the two names.
Note
When the software update point accepts client connections from the internet
only, the certificate must contain both the internet FQDN and the intranet
FQDN.
Most site system roles support key storage providers for certificate private keys (v3). For
more information, see CNG v3 certificates overview.
This certificate must be in the Personal store in the Computer certificate store.
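An added example (not from the original article) that checks a site system server certificate against the Subject Name rules above, including the ampersand-delimited Subject Name and the software update point exception from the note. The role names, host names and sample certificates are constructed for the demo.

```python
# Added example (not code from the original article): a check that a site system
# server certificate carries the FQDNs required for the connection types the
# role accepts. Role names, host names and sample values are constructed.
from typing import Dict, List, Set, Tuple


def names_in_cert(subject_cn: str, san_dns: List[str]) -> Set[str]:
    """DNS names asserted by the certificate, lower-cased.

    The Subject Name may carry two names joined with '&' when the site system
    accepts both internet and intranet connections.
    """
    names = {part.strip().lower() for part in subject_cn.split("&") if part.strip()}
    names.update(name.strip().lower() for name in san_dns)
    return names


def required_names(role: str, accepts: Set[str], internet_fqdn: str,
                   intranet_name: str) -> Set[str]:
    """Names the certificate must contain for the connection types accepted.

    accepts is a subset of {"internet", "intranet"}; intranet_name is the
    intranet FQDN (recommended) or the computer name, as the site system is set up.
    """
    required: Set[str] = set()
    if "internet" in accepts:
        required.add(internet_fqdn.lower())
    if "intranet" in accepts:
        required.add(intranet_name.lower())
    # Exception from the article: a software update point that accepts internet
    # connections only must still carry both the internet and intranet FQDN.
    if role == "software update point" and accepts == {"internet"}:
        required.add(intranet_name.lower())
    return required


def check_site_system_cert(role: str, accepts: Set[str], internet_fqdn: str,
                           intranet_name: str, subject_cn: str,
                           san_dns: List[str]) -> Tuple[bool, Set[str]]:
    """Return (ok, missing_names) for one site system certificate."""
    missing = (required_names(role, accepts, internet_fqdn, intranet_name)
               - names_in_cert(subject_cn, san_dns))
    return not missing, missing


# Constructed sample site systems: (role, accepts, internet FQDN, intranet name,
# certificate Subject CN, certificate SAN DNS names).
SAMPLES: Dict[str, tuple] = {
    # Both names in the Subject Name, delimited with '&'.
    "mp_both_in_cn": ("management point", {"internet", "intranet"},
                      "mp.contoso.com", "mp01.corp.contoso.local",
                      "mp01.corp.contoso.local&mp.contoso.com", []),
    # Subject holds the internet FQDN; the intranet FQDN is only in the SAN.
    "dp_both_via_san": ("distribution point", {"internet", "intranet"},
                        "dp.contoso.com", "dp01.corp.contoso.local",
                        "dp.contoso.com", ["dp01.corp.contoso.local"]),
    # Internet-only SUP whose certificate lacks the intranet FQDN: fails.
    "sup_internet_only": ("software update point", {"internet"},
                          "sup.contoso.com", "sup01.corp.contoso.local",
                          "sup.contoso.com", []),
    # Intranet-only MP set up with the computer name instead of the FQDN.
    "mp_intranet_name": ("management point", {"intranet"},
                         "mp.contoso.com", "MP02", "mp02", []),
}


def demo() -> Dict[str, Tuple[bool, Set[str]]]:
    """Evaluate every sample; returns the check result per sample name."""
    return {name: check_site_system_cert(*args) for name, args in SAMPLES.items()}
```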
Export this certificate in a Public Key Certificate Standard (PKCS #12) format. You need to
know the password, so that you can import the certificate when you create the CMG.
Certificate requirements:
The Subject Name must contain a customer-defined service name as the Common
Name for the specific instance of the cloud management gateway.
This certificate supports key storage providers for certificate private keys (v3).
Certificate requirements:
The Subject Name must contain the intranet fully qualified domain name (FQDN)
This certificate must be in the Personal store in the Computer certificate store.
Configuration Manager automatically copies it to the Trusted People Store for servers in
the Configuration Manager hierarchy that might have to establish trust with the server.
Certificate requirements:
The Subject Name must contain the intranet fully qualified domain name (FQDN)
of the cluster
The certificate must have a validity period of at least two years when you configure
Configuration Manager to use the failover cluster instance
Request and install this certificate on one node in the cluster. Then export the certificate
and import it to the other nodes.
This certificate must be in the Personal store in the Computer certificate store.
Configuration Manager automatically copies it to the Trusted People Store for servers in
the Configuration Manager hierarchy that might have to establish trust with the server.
Management point
State migration point
Certificate requirements:
Computers must have a unique value in the Subject Name field or in the Subject
Alternative Name field.
Note
If you use multiple values for the Subject Alternative Name, it only uses the
first value.
Maximum supported key length is 2,048 bits.
This certificate is required on the listed site system servers, even if the Configuration
Manager client isn't installed. This configuration allows the site to monitor and report on
the health of these site system roles.
The certificate for these site systems must be in the Personal store of the Computer
certificate store.
There are no specific requirements for the certificate Subject Name or Subject
Alternative Name (SAN). You can use the same certificate for multiple servers
running the Network Device Enrollment Service.
Note
When you configure all management points for HTTPS, then HTTPS-enabled
distribution points must use a PKI-issued certificate. Don't use self-signed
certificates on distribution points when management points use certificates.
Issues may occur otherwise. For example, distribution points won't send state
messages.
A PXE-enabled distribution point sends this certificate to computers. If the task
sequence includes client actions like client policy retrieval or sending inventory
information, the computer can connect to an HTTPS-enabled management point
during the OS deployment process.
Note
For this PXE scenario, this certificate is only used during the OS deployment
process. It isn't installed on the client. Because of this temporary use, you can
use the same certificate for every OS deployment if you don't want to use
multiple client certificates.
The requirements for this certificate are the same as the client certificate for
task sequence media. Because the requirements are the same, you can use the
same certificate file.
Certificate requirements:
There are no specific requirements for the certificate Subject Name or Subject
Alternative Name (SAN). It's recommended to use a different certificate for each
distribution point, but you can use the same certificate.
Export this certificate in a Public Key Certificate Standard (PKCS #12) format. You need to
know the password, so that you can import the certificate to the distribution point
properties.
Note
If you use a proxy web server without SSL termination (tunneling), no additional
certificates are required on the proxy web server.
Certificate requirements:
Internet FQDN in the Subject Name or Subject Alternative Name field. If you use
Microsoft certificate templates, the Subject Alternative Name is only available with
the workstation template.
This certificate is used to authenticate the following servers to internet clients and to
encrypt all data transferred between the client and this server with TLS:
Client authentication is used to bridge client connections between the Configuration
Manager clients and the internet-based site systems.
Certificate requirements:
The Key Usage value must contain Digital Signature, Key Encipherment (a0)
Client computers must have a unique value in the Subject Name or Subject
Alternative Name field. If used, the Subject Name field must contain the local
computer name unless an alternative certificate selection criterion is specified. For
more information, see Plan for PKI client certificate selection.
Note
If you use multiple values for the Subject Alternative Name, it only uses the
first value.
By default, Configuration Manager looks for computer certificates in the Personal store
in the Computer certificate store.
This certificate is only used during the OS deployment process. It isn't used as part of
the client installation properties when the client is installed during the Setup
Windows and ConfigMgr task, nor is it installed on the device. Because of this
temporary use, you can use the same certificate for every OS deployment if you don't
want to use multiple client certificates.
When you have an environment that's HTTPS-only, the task sequence media must have
a valid certificate. This certificate allows the device to communicate with the site and for
the deployment to continue. After the task sequence completes, when the device is
joined to Active Directory, the client can automatically generate a PKI certificate via a
GPO, or you can install a PKI certificate by using another method.
Note
The requirements for this certificate are the same as the server certificate for site
systems with the distribution point role. Because the requirements are the same,
you can use the same certificate file.
Certificate requirements:
There are no specific requirements for the certificate Subject Name or Subject
Alternative Name (SAN) fields. You can use the same certificate for all task
sequence media.
Export this certificate in PKCS #12 (Personal Information Exchange, .pfx) format. You need to
know the password, so that you can import the certificate when creating the task
sequence media.
Important
Boot images don't contain PKI certificates to communicate with the site. Instead,
boot images use the PKI certificate added to the task sequence media to
communicate with the site.
For more information on adding a PKI certificate to task sequence media, see Create
bootable media and Create prestaged media.
Certificate requirements:
Subject Name:
When Configuration Manager enrollment creates a user certificate, the certificate
Subject value is automatically populated with the user name of the person who
enrolls the macOS computer.
For certificate installation that doesn't use Configuration Manager enrollment,
but deploys a Computer certificate independently from Configuration Manager,
the certificate Subject value must be unique. For example, specify the FQDN of
the computer.
The Subject Alternative Name field isn't supported.
Certificate requirements:
These certificates must be in Distinguished Encoding Rules (DER) encoded binary X.509
format. Base64 encoded X.509 format isn't supported.
Applies to:
OS deployment
Client certificate authentication
Mobile device enrollment
The root CA certificate must be provided when clients have to chain the certificates of
the communicating server to a trusted source. The root CA certificate for clients must be
provided if the client certificates are issued by a different CA hierarchy than the CA
hierarchy that issued the management point certificate.
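Configuration Manager rejects Base64 (PEM) encoded root CA files at the points listed above, so it pays to check the encoding before importing. The following PowerShell is an added example, not part of the Configuration Manager documentation: it detects whether a .cer file is DER or Base64 encoded and writes a DER copy when needed. The file paths are assumptions.

```powershell
# Added example (not from the Configuration Manager documentation). Checks whether a
# .cer file is DER-encoded binary X.509, as Configuration Manager requires, and writes
# a DER copy if the file is Base64 (PEM) encoded. The paths below are assumptions.

function Get-CertFileEncoding {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 2) { return 'Unknown' }
    # A DER X.509 certificate always starts with an ASN.1 SEQUENCE tag (0x30).
    if ($bytes[0] -eq 0x30) { return 'DER' }
    $head = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(40, $bytes.Length))
    if ($head -match '^-----BEGIN ') { return 'Base64' }
    return 'Unknown'
}

function Convert-CertFileToDer {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutPath
    )
    # X509Certificate2 loads either encoding; Export(Cert) always emits DER.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutPath, $der)
    return $cert.Thumbprint
}

# Usage (assumed paths):
$src = 'C:\Certs\ContosoRootCA.cer'
$dst = 'C:\Certs\ContosoRootCA-der.cer'
switch (Get-CertFileEncoding -Path $src) {
    'DER'    { "$src is already DER encoded" }
    'Base64' {
        $thumb = Convert-CertFileToDer -Path $src -OutPath $dst
        # Re-check the output so a bad conversion cannot slip into the site config.
        if ((Get-CertFileEncoding -Path $dst) -ne 'DER') { throw "Conversion of $src failed" }
        "Wrote DER copy of $thumb to $dst"
    }
    default  { throw "$src is not a recognizable X.509 certificate file" }
}
```

The same check applies to every root or intermediate CA file you hand to Configuration Manager for OS deployment, client certificate authentication, or mobile device enrollment; a PEM file that a browser opens happily will still fail silently here.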
Step-by-step example deployment of the PKI certificates for Configuration Manager: Windows Server 2008 certification authority
Article • 10/04/2022
This step-by-step example deployment, which uses a Windows Server 2008 certification
authority (CA), has procedures that show you how to create and deploy the public key
infrastructure (PKI) certificates that Configuration Manager uses. These procedures use
an enterprise certification authority (CA) and certificate templates. The steps are
appropriate for a test network only, as a proof of concept.
Because there's no single method of deployment for the required certificates, consult
your particular PKI deployment documentation for the required procedures and best
practices to deploy the required certificates for a production environment. For more
about the certificate requirements, see PKI certificate requirements for Configuration
Manager.
Tip
You can adapt the instructions in this topic for operating systems that aren't
documented in the Test Network Requirements section. However, if you are
running the issuing CA on Windows Server 2012, you're not prompted for the
certificate template version. Instead, specify this on the Compatibility tab of the
template properties.
The test network is running Active Directory Domain Services with Windows Server
2008, and it is installed as a single domain, single forest.
You have a member server running Windows Server 2008 Enterprise Edition, which
has the Active Directory Certificate Services role installed on it, and it is set up as
an enterprise root certification authority (CA).
You have one computer that has Windows Server 2008 (Standard Edition or
Enterprise Edition, R2 or later) installed on it, that computer is designated as a
member server, and Internet Information Services (IIS) is installed on it. This
computer will be the Configuration Manager site system server that you will
configure with an intranet fully qualified domain name (FQDN) to support client
connections on the intranet and an internet FQDN if you must support mobile
devices that are enrolled by Configuration Manager and clients on the internet.
You have one Windows Vista client that has the latest service pack installed, and
this computer is set up with a computer name that comprises ASCII characters and
is joined to the domain. This computer will be a Configuration Manager client
computer.
You can sign in with a root domain administrator account or an enterprise domain
administrator account and use this account for all procedures in this example
deployment.
Certificate requirement: Web server certificate for site systems that run IIS
Description: This certificate is used to encrypt data and authenticate the server to clients. It
must be installed externally from Configuration Manager on site system servers that run
Internet Information Services (IIS) and that are set up in Configuration Manager to use HTTPS.
For the steps to set up and install this certificate, see Deploy the web server certificate for
site systems that run IIS in this topic.

Certificate requirement: Service certificate for clients to connect to cloud-based distribution points
Description: For the steps to configure and install this certificate, see Deploy the service
certificate for cloud-based distribution points in this topic.
Important: This certificate is used in conjunction with the Windows Azure management
certificate. For more about the management certificate, see How to Create a Management
Certificate and How to Add a Management Certificate to a Windows Azure Subscription.

Certificate requirement: Client certificate for Windows computers
Description: For the steps to set up and install this certificate, see Deploy the client
certificate for Windows computers in this topic.

Certificate requirement: Client certificate for distribution points
Description: The certificate is used to authenticate the distribution point to an HTTPS-enabled
management point before the distribution point sends status messages.
When the Enable PXE support for clients distribution point option is selected, the certificate
is sent to computers that PXE boot so that they can connect to an HTTPS-enabled management
point during the deployment of the operating system.
For the steps to set up and install this certificate, see Deploy the client certificate for
distribution points in this topic.

Certificate requirement: Enrollment certificate for mobile devices
Description: For the steps to set up this certificate, see Deploy the enrollment certificate for
mobile devices in this topic.

Certificate requirement: Client certificate for Mac computers
Description: You can request and install this certificate from a Mac computer when you use
Configuration Manager enrollment and choose the configured certificate template as a mobile
device client setting.
For the steps to set up this certificate, see Deploy the client certificate for Mac computers
in this topic.
Create and issue the web server certificate template on the certification authority
Request the web server certificate
1. Create a security group named ConfigMgr IIS Servers that contains the member servers
on which you will install the Configuration Manager site systems that run IIS.
2. On the member server that has Certificate Services installed, in the Certification
Authority console, right-click Certificate Templates and then choose Manage to
load the Certificate Templates console.
3. In the results pane, right-click the entry that has Web Server in the Template
Display Name column, and then choose Duplicate Template.
4. In the Duplicate Template dialog box, ensure that Windows 2003 Server,
Enterprise Edition is selected, and then choose OK.
Important
5. In the Properties of New Template dialog box, on the General tab, enter a
template name, like ConfigMgr Web Server Certificate, to generate the web
certificates that will be used on Configuration Manager site systems.
6. Choose the Subject Name tab, and make sure that Supply in the request is
selected.
7. Choose the Security tab, and then remove the Enroll permission from the Domain
Admins and Enterprise Admins security groups.
8. Choose Add, enter ConfigMgr IIS Servers in the text box, and then choose OK.
9. Choose the Enroll permission for this group, and do not clear the Read permission.
10. Choose OK, and then close the Certificate Templates Console.
11. In the Certification Authority console, right-click Certificate Templates, choose New,
and then choose Certificate Template to Issue.
12. In the Enable Certificate Templates dialog box, choose the new template that you
just created, ConfigMgr Web Server Certificate, and then choose OK.
13. If you do not need to create and issue more certificates, close Certification
Authority.
1. Restart the member server that runs IIS to ensure that the computer can access the
certificate template that you created by using the Read and Enroll permissions that
you configured.
2. Choose Start, choose Run, and then type mmc.exe. In the empty console, choose
File, and then choose Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, choose Certificates from the list of
Available snap-ins, and then choose Add.
4. In the Certificate snap-in dialog box, choose Computer account, and then choose
Next.
5. In the Select Computer dialog box, ensure that Local computer: (the computer
this console is running on) is selected, and then choose Finish.
6. In the Add or Remove Snap-ins dialog box, choose OK.
7. In the console, expand Certificates (Local Computer), and then choose Personal.
8. Right-click Certificates, choose All Tasks, and then choose Request New
Certificate.
9. On the Before You Begin page, choose Next.
10. If you see the Select Certificate Enrollment Policy page, choose Next.
11. On the Request Certificates page, identify the ConfigMgr Web Server Certificate
from the list of available certificates, and then choose More information is
required to enroll for this certificate. Click here to configure settings.
12. In the Certificate Properties dialog box, in the Subject tab, do not make any
changes to Subject name. This means that the Value box for the Subject name
section remains blank. Instead, from the Alternative name section, choose the
Type drop-down list, and then choose DNS.
13. In the Value box, specify the FQDN values that you will specify in the Configuration
Manager site system properties, and then choose OK to close the Certificate
Properties dialog box.
Examples:
If the site system will only accept client connections from the intranet, and
the intranet FQDN of the site system server is server1.internal.contoso.com,
enter server1.internal.contoso.com, and then choose Add.
If the site system will accept client connections from the intranet and the
internet, and the intranet FQDN of the site system server is
server1.internal.contoso.com and the internet FQDN of the site system server
is server.contoso.com:
Note
You can specify the FQDNs for Configuration Manager in any order.
However, check that all devices that will use the certificate, such as
mobile devices and proxy web servers, can use a certificate subject
alternative name (SAN) and multiple values in the SAN. If devices have
limited support for SAN values in certificates, you might have to change
the order of the FQDNs or use the Subject value instead.
14. On the Request Certificates page, choose ConfigMgr Web Server Certificate from
the list of available certificates, and then choose Enroll.
15. On the Certificates Installation Results page, wait until the certificate is installed,
and then choose Finish.
1. On the member server that has IIS installed, choose Start, choose Programs,
choose Administrative Tools, and then choose Internet Information Services (IIS)
Manager.
2. Expand Sites, right-click Default Web Site, and then choose Edit Bindings.
4. In the Edit Site Binding dialog box, select the certificate that you requested by
using the ConfigMgr Web Server Certificates template, and then choose OK.
Note
If you are not sure which is the correct certificate, choose one, and then
choose View. This lets you compare the selected certificate details to the
certificates in the Certificates snap-in. For example, the Certificates snap-in
shows the certificate template that was used to request the certificate. You
can then compare the certificate thumbprint of the certificate that was
requested by using the ConfigMgr Web Server Certificates template to the
certificate thumbprint of the certificate currently selected in the Edit Site
Binding dialog box.
5. Choose OK in the Edit Site Binding dialog box, and then choose Close.
The member server is now set up with a Configuration Manager web server
certificate.
Important
When you install the Configuration Manager site system server on this computer,
make sure that you specify the same FQDNs in the site system properties as you
specified when you requested the certificate.
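The same request can be made from the command line with certreq.exe, which is easier to repeat across several IIS site systems and leaves an auditable .inf file. The script below is an added example and not part of the Configuration Manager documentation. It assumes the template name ConfigMgrWebServerCertificate (the template's name without spaces, which is what certreq expects, rather than its display name), the CA config string ca01.internal.contoso.com\Contoso Enterprise Root CA, the FQDNs from the examples above, that the server is already a member of ConfigMgr IIS Servers and has been restarted so the group is in its token, and the WebAdministration module (IIS 7.5 or later). Unlike the snap-in steps, it also places the intranet FQDN in the Subject; the FQDNs in the SAN are what satisfy the Configuration Manager requirement either way.

```powershell
# Added example (not from the Configuration Manager documentation). Requests the web
# server certificate with certreq.exe, then binds it to the Default Web Site on 443.
# Hostnames, the CA config string and the template's short name are assumptions.

$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; The template is "Supply in the request"; the FQDNs that matter go in the SAN below.
Subject = "CN=server1.internal.contoso.com"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
; certreq wants the template name (no spaces), not the display name.
CertificateTemplate = "ConfigMgrWebServerCertificate"

[Extensions]
; 2.5.29.17 = Subject Alternative Name: intranet FQDN and internet FQDN.
2.5.29.17 = "{text}"
_continue_ = "dns=server1.internal.contoso.com&"
_continue_ = "dns=server.contoso.com"
'@

$work = 'C:\Certs'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path "$work\webserver.inf" -Value $inf -Encoding ASCII

# 1. Build the PKCS #10 request; the private key is created in the machine store.
certreq.exe -new "$work\webserver.inf" "$work\webserver.req"
# 2. Submit to the enterprise CA. Because ConfigMgr IIS Servers has Enroll on the
#    template, the CA issues immediately instead of holding the request as pending.
certreq.exe -submit -config "ca01.internal.contoso.com\Contoso Enterprise Root CA" `
    "$work\webserver.req" "$work\webserver.cer"
# 3. Install the issued certificate and pair it with the pending private key.
certreq.exe -accept "$work\webserver.cer"

# 4. Locate the new certificate by its SAN entries and bind it to port 443.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains 'server1.internal.contoso.com') } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'Web server certificate not found in LocalMachine\My' }

Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
# The IIS: SslBindings drive ties a certificate to an IP:port pair.
Remove-Item 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue
New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

"Bound $($cert.Thumbprint) ($($cert.DnsNameList.Unicode -join ', ')) to https:443"
```

After binding, compare the SAN values printed on the last line with the intranet and internet FQDNs you enter in the site system properties; a mismatch there is the most common reason HTTPS clients fail to connect.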
Deploy the service certificate for cloud-based distribution points
This certificate deployment has the following procedures:
Create and issue a custom web server certificate template on the certification
authority
Export the custom web server certificate for cloud-based distribution points
Note
This procedure uses a different certificate template from the web server certificate
template that you created for site systems that run IIS. Although both certificates
require server authentication capability, the certificate for cloud-based distribution
points requires you to enter a custom-defined value for the Subject Name and the
private key must be exported. As a security best practice, do not set up certificate
templates so that the private key can be exported unless this configuration is
required. The cloud-based distribution point requires this configuration because
you must import the certificate as a file, rather than choose it from the certificate
store.
When you create a new certificate template for this certificate, you can restrict the
computers that can request a certificate whose private key can be exported. On a
production network, you might also consider adding the following changes for this
certificate:
1. Create a security group named ConfigMgr Site Servers that contains the member
servers on which you will install the Configuration Manager primary site servers that
will manage cloud-based distribution points.
2. On the member server that is running the Certification Authority console, right-
click Certificate Templates, and then choose Manage to load the Certificate
Templates management console.
3. In the results pane, right-click the entry that has Web Server in the Template
Display Name column, and then choose Duplicate Template.
4. In the Duplicate Template dialog box, ensure that Windows 2003 Server,
Enterprise Edition is selected, and then choose OK.
Important
5. In the Properties of New Template dialog box, on the General tab, enter a
template name, like ConfigMgr Cloud-Based Distribution Point Certificate, to
generate the web server certificate for cloud-based distribution points.
6. Choose the Request Handling tab, and then choose Allow private key to be
exported.
7. Choose the Security tab, and then remove the Enroll permission from the
Enterprise Admins security group.
8. Choose Add, enter ConfigMgr Site Servers in the text box, and then choose OK.
9. Select the Enroll permission for this group, and do not clear the Read permission.
10. Choose the Cryptography tab and ensure that Minimum key size has been set to
2048.
11. Choose OK, and then close the Certificate Templates Console.
12. In the Certification Authority console, right-click Certificate Templates, choose New,
and then choose Certificate Template to Issue.
13. In the Enable Certificate Templates dialog box, choose the new template that you
just created, ConfigMgr Cloud-Based Distribution Point Certificate, and then
choose OK.
14. If you do not have to create and issue more certificates, close Certification
Authority.
1. Restart the member server after you create and configure the ConfigMgr Site
Servers security group to ensure that the computer can access the certificate
template that you created by using the Read and Enroll permissions that you
configured.
2. Choose Start, choose Run, and then enter mmc.exe. In the empty console, choose
File, and then choose Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, choose Certificates from the list of
Available snap-ins, and then choose Add.
4. In the Certificate snap-in dialog box, choose Computer account, and then choose
Next.
5. In the Select Computer dialog box, ensure that Local computer: (the computer
this console is running on) is selected, and then choose Finish.
6. In the Add or Remove Snap-ins dialog box, choose OK.
7. In the console, expand Certificates (Local Computer), and then choose Personal.
8. Right-click Certificates, choose All Tasks, and then choose Request New
Certificate.
9. On the Before You Begin page, choose Next.
10. If you see the Select Certificate Enrollment Policy page, choose Next.
11. On the Request Certificates page, identify the ConfigMgr Cloud-Based Distribution
Point Certificate from the list of available certificates, and then choose More
information is required to enroll for this certificate. Click here to configure settings.
12. In the Certificate Properties dialog box, in the Subject tab, for the Subject name,
choose Common name as the Type.
13. In the Value box, specify your choice of service name and your domain name by
using an FQDN format. For example: clouddp1.contoso.com.
Note
Make the service name unique in your namespace. You will use DNS to create
an alias (CNAME record) to map this service name to an automatically
generated identifier (GUID) and an IP address from Windows Azure.
14. Choose Add, and then choose OK to close the Certificate Properties dialog box.
15. On the Request Certificates page, choose ConfigMgr Cloud-Based Distribution Point
Certificate from the list of available certificates, and then choose Enroll.
16. On the Certificates Installation Results page, wait until the certificate is installed,
and then choose Finish.
1. In the Certificates (Local Computer) console, right-click the certificate that you just
installed, choose All Tasks, and then choose Export.
2. In the Certificates Export Wizard, choose Next.
3. On the Export Private Key page, choose Yes, export the private key, and then
choose Next.
Note
If this option is not available, the certificate has been created without the
option to export the private key. In this scenario, you cannot export the
certificate in the required format. You must set up the certificate template so
that the private key can be exported, and then request the certificate again.
4. On the Export File Format page, ensure that the Personal Information Exchange -
PKCS #12 (.PFX) option is selected.
5. On the Password page, specify a strong password to protect the exported
certificate with its private key, and then choose Next.
6. On the File to Export page, specify the name of the file that you want to export,
and then choose Next.
7. To close the wizard, choose Finish in the Certificate Export Wizard page, and then
choose OK in the confirmation dialog box.
9. Store the file securely and ensure that you can access it from the Configuration
Manager console.
1. On the member server that is running the Certification Authority console, right-
click Certificate Templates, and then choose Manage to load the Certificate
Templates management console.
2. In the results pane, right-click the entry that has Workstation Authentication in
the Template Display Name column, and then choose Duplicate Template.
3. In the Duplicate Template dialog box, ensure that Windows 2003 Server,
Enterprise Edition is selected, and then choose OK.
Important
4. In the Properties of New Template dialog box, on the General tab, enter a
template name, like ConfigMgr Client Certificate, to generate the client certificates
that will be used on Configuration Manager client computers.
5. Choose the Security tab, select the Domain Computers group, and then select the
additional permissions of Read and Autoenroll. Do not clear Enroll.
6. Choose OK, and then close the Certificate Templates Console.
7. In the Certification Authority console, right-click Certificate Templates, choose New,
and then choose Certificate Template to Issue.
8. In the Enable Certificate Templates dialog box, choose the new template that you
just created, ConfigMgr Client Certificate, and then choose OK.
9. If you do not need to create and issue more certificates, close Certification
Authority.
Configure autoenrollment of the Workstation Authentication template by using Group Policy
This procedure sets up Group Policy to autoenroll the client certificate on computers.
1. On the domain controller, choose Start, choose Administrative Tools, and then
choose Group Policy Management.
2. Go to your domain, right-click the domain, and then choose Create a GPO in this
domain, and Link it here.
Note
This step uses the best practice of creating a new Group Policy for custom
settings rather than editing the Default Domain Policy that is installed with
Active Directory Domain Services. When you assign this Group Policy at the
domain level, you will apply it to all computers in the domain. In a production
environment, you can restrict the autoenrollment so that it enrolls on only
selected computers. You can assign the Group Policy at an organizational unit
level, or you can filter the domain Group Policy with a security group so that it
applies only to the computers in the group. If you restrict autoenrollment,
remember to include the server that is set up as the management point.
3. In the New GPO dialog box, enter a name, like Autoenroll Certificates, for the new
Group Policy, and then choose OK.
4. In the results pane, on the Linked Group Policy Objects tab, right-click the new
Group Policy, and then choose Edit.
5. In the Group Policy Management Editor, expand Computer Configuration, expand
Policies, expand Windows Settings, expand Security Settings, and then choose Public
Key Policies.
6. In the results pane, right-click Certificate Services Client - Auto-Enrollment, and
then choose Properties.
7. From the Configuration Model drop-down list, choose Enabled, choose Renew
expired certificates, update pending certificates, remove revoked certificates,
choose Update certificates that use certificate templates, and then choose OK.
8. Close Group Policy Management.
1. Restart the workstation computer, and wait a few minutes before you sign in.
Note
Restarting the computer is the most reliable way to trigger certificate
autoenrollment.
2. Sign in with an account that has administrative permissions on the workstation.
3. Choose Start, choose Run, and then enter mmc.exe.
4. In the empty management console, choose File, and then choose Add/Remove
Snap-in.
5. In the Add or Remove Snap-ins dialog box, choose Certificates from the list of
Available snap-ins, and then choose Add.
6. In the Certificate snap-in dialog box, choose Computer account, and then choose
Next.
7. In the Select Computer dialog box, ensure that Local computer: (the computer
this console is running on) is selected, and then choose Finish.
8. In the Add or Remove Snap-ins dialog box, choose OK.
9. In the console, expand Certificates (Local Computer), expand Personal, and then
choose Certificates.
10. In the results pane, confirm that a certificate has Client Authentication in the
Intended Purpose column, and that ConfigMgr Client Certificate is in the
Certificate Template column.
Note
This certificate can also be used for media images that do not use PXE boot,
because the certificate requirements are the same.
Note
This procedure uses a different certificate template from the certificate template
that you created for client computers. Although both certificates require client
authentication capability, the certificate for distribution points requires that the
private key is exported. As a security best practice, do not set up certificate
templates so the private key can be exported unless this configuration is required.
The distribution point requires this configuration because you must import the
certificate as a file rather than choose it from the certificate store.
When you create a new certificate template for this certificate, you can restrict the
computers that can request a certificate whose private key can be exported. In our
example deployment, this will be the security group that you previously created for
Configuration Manager site system servers that run IIS. On a production network
that distributes the IIS site system roles, consider creating a new security group for
the servers that run distribution points so that you can restrict the certificate to just
these site system servers. You might also consider adding the following
modifications for this certificate:
1. On the member server that is running the Certification Authority console, right-
click Certificate Templates, and then choose Manage to load the Certificate
Templates management console.
2. In the results pane, right-click the entry that has Workstation Authentication in
the Template Display Name column, and then choose Duplicate Template.
3. In the Duplicate Template dialog box, ensure that Windows 2003 Server,
Enterprise Edition is selected, and then choose OK.
Important
4. In the Properties of New Template dialog box, on the General tab, enter a
template name, like ConfigMgr Client Distribution Point Certificate, to generate
the client authentication certificate for distribution points.
5. Choose the Request Handling tab, and then choose Allow private key to be
exported.
6. Choose the Security tab, and then remove the Enroll permission from the
Enterprise Admins security group.
7. Choose Add, enter ConfigMgr IIS Servers in the text box, and then choose OK.
8. Select the Enroll permission for this group, and do not clear the Read permission.
9. Choose OK, and then close the Certificate Templates Console.
10. In the Certification Authority console, right-click Certificate Templates, choose New,
and then choose Certificate Template to Issue.
11. In the Enable Certificate Templates dialog box, choose the new template that you
just created, ConfigMgr Client Distribution Point Certificate, and then choose OK.
12. If you do not have to create and issue more certificates, close Certification
Authority.
1. Choose Start, choose Run, and then enter mmc.exe. In the empty console, choose
File, and then choose Add/Remove Snap-in.
2. In the Add or Remove Snap-ins dialog box, choose Certificates from the list of
Available snap-ins, and then choose Add.
3. In the Certificate snap-in dialog box, choose Computer account, and then choose
Next.
4. In the Select Computer dialog box, ensure that Local computer: (the computer
this console is running on) is selected, and then choose Finish.
5. In the Add or Remove Snap-ins dialog box, choose OK.
6. In the console, expand Certificates (Local Computer), and then choose Personal.
7. Right-click Certificates, choose All Tasks, and then choose Request New
Certificate.
8. On the Before You Begin page, choose Next.
9. If you see the Select Certificate Enrollment Policy page, choose Next.
10. On the Request Certificates page, choose ConfigMgr Client Distribution Point
Certificate from the list of available certificates, and then choose Enroll.
11. On the Certificates Installation Results page, wait until the certificate is installed,
and then choose Finish.
12. In the results pane, confirm that a certificate has Client Authentication in the
Intended Purpose column and that ConfigMgr Client Distribution Point
Certificate is in the Certificate Template column.
1. In the Certificates (Local Computer) console, right-click the certificate that you just
installed, choose All Tasks, and then choose Export.
2. In the Certificates Export Wizard, choose Next.
3. On the Export Private Key page, choose Yes, export the private key, and then
choose Next.
Note
If this option is not available, the certificate has been created without the
option to export the private key. In this scenario, you cannot export the
certificate in the required format. You must set up the certificate template so
that the private key can be exported and then request the certificate again.
4. On the Export File Format page, ensure that the Personal Information Exchange -
PKCS #12 (.PFX) option is selected.
5. On the Password page, specify a strong password to protect the exported
certificate with its private key, and then choose Next.
6. On the File to Export page, specify the name of the file that you want to export,
and then choose Next.
7. To close the wizard, choose Finish on the Certificate Export Wizard page, and
choose OK in the confirmation dialog box.
9. Store the file securely and ensure that you can access it from the Configuration
Manager console.
The certificate is now ready to be imported when you set up the distribution point.
Tip
You can use the same certificate file when you set up media images for an
operating system deployment that does not use PXE boot, and the task sequence
to install the image must contact a management point that requires HTTPS client
connections.
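To confirm the result of the autoenrollment procedure and of the distribution point request without clicking through the snap-in, the following PowerShell is an added example and not part of the Configuration Manager documentation. It triggers autoenrollment, locates the certificate issued from a named template, verifies the properties the requirements above call for (Client Authentication EKU, Key Usage Digital Signature plus Key Encipherment, private key present, chain builds), and exports the distribution point certificate as a password-protected PFX. It assumes Windows PowerShell 3.0 or later with the PKI module (Windows Server 2012 and later), the template display names used in this topic, and the output path C:\Certs\ConfigMgrDP.pfx.

```powershell
# Added example (not from the Configuration Manager documentation). Verifies the
# autoenrolled client certificate and the distribution point certificate, then exports
# the latter as a PFX. Template names and the output path are assumptions.

function Get-CertFromTemplate {
    param([Parameter(Mandatory)][string]$TemplateName)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        # 1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2+ templates);
        # 1.3.6.1.4.1.311.20.2 = legacy template name. Either carries the name.
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' }
        ($ext | ForEach-Object { $_.Format($false) }) -match [regex]::Escape($TemplateName)
    } | Sort-Object NotBefore -Descending | Select-Object -First 1
}

function Test-ConfigMgrClientCert {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    # Client Authentication EKU (1.3.6.1.5.5.7.3.2) is what the management point expects.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not ($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.2'))) {
        $problems += 'missing Client Authentication EKU'
    }
    # Key Usage must include Digital Signature and Key Encipherment (a0).
    $ku   = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $need = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    if (-not $ku -or (($ku.KeyUsages -band $need) -ne $need)) {
        $problems += 'Key Usage lacks Digital Signature + Key Encipherment (a0)'
    }
    if (-not $Cert.HasPrivateKey)        { $problems += 'no private key in the machine store' }
    if ($Cert.NotAfter -lt (Get-Date))   { $problems += 'expired' }
    # The chain must build to a root the management point also trusts.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')
    }
    return $problems
}

# Trigger autoenrollment now instead of waiting for the next Group Policy refresh.
gpupdate.exe /target:computer /force | Out-Null
certutil.exe -pulse | Out-Null

$client = Get-CertFromTemplate -TemplateName 'ConfigMgr Client Certificate'
if (-not $client) { throw 'No certificate from the ConfigMgr Client Certificate template was autoenrolled' }
$issues = Test-ConfigMgrClientCert -Cert $client
if ($issues) { throw "Client certificate $($client.Thumbprint) failed checks: $($issues -join '; ')" }
"Client certificate OK: $($client.Subject) $($client.Thumbprint)"

# Distribution point certificate: same checks, then export with the private key.
$dp = Get-CertFromTemplate -TemplateName 'ConfigMgr Client Distribution Point Certificate'
if ($dp) {
    $issues = Test-ConfigMgrClientCert -Cert $dp
    if ($issues) { throw "DP certificate $($dp.Thumbprint) failed checks: $($issues -join '; ')" }
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    # Export-PfxCertificate fails if the template did not allow the private key to be
    # exported; in that case fix the template and request the certificate again.
    Export-PfxCertificate -Cert $dp -FilePath 'C:\Certs\ConfigMgrDP.pfx' `
        -Password $pfxPassword -ChainOption BuildChain | Out-Null
    "Exported $($dp.Thumbprint) to C:\Certs\ConfigMgrDP.pfx"
}
```

The chain check uses the default online revocation mode, so a CRL distribution point that the server cannot reach shows up as a chain problem here just as it will on the management point; that is deliberate, since clients check the CRL by default.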
1. Create a security group that has users who will enroll mobile devices in
Configuration Manager.
2. On the member server that has Certificate Services installed, in the Certification
Authority console, right-click Certificate Templates, and then choose Manage to
load the Certificate Templates management console.
3. In the results pane, right-click the entry that has Authenticated Session in the
Template Display Name column, and then choose Duplicate Template.
4. In the Duplicate Template dialog box, ensure that Windows 2003 Server,
Enterprise Edition is selected, and then choose OK.
Important
5. In the Properties of New Template dialog box, on the General tab, enter a
template name, like ConfigMgr Mobile Device Enrollment Certificate, to generate
the enrollment certificates for the mobile devices to be managed by Configuration
Manager.
6. Choose the Subject Name tab, make sure that Build from this Active Directory
information is selected, select Common name for the Subject name format:, and
then clear User principal name (UPN) from Include this information in alternate
subject name.
7. Choose the Security tab, choose the security group that has users who have
mobile devices to enroll, and then choose the additional permission of Enroll. Do
not clear Read.
8. Choose OK, and then close the Certificate Templates Console.
9. In the Certification Authority console, right-click Certificate Templates, choose New,
and then choose Certificate Template to Issue.
10. In the Enable Certificate Templates dialog box, choose the new template that you
just created, ConfigMgr Mobile Device Enrollment Certificate, and then choose
OK.
11. If you do not need to create and issue more certificates, close the Certification
Authority console.
Note
This procedure uses a different certificate template from the certificate template
that you might have created for Windows client computers or for distribution
points.
When you create a new certificate template for this certificate, you can restrict the
certificate request to authorized users.
1. Create a security group that has user accounts for administrative users who will
enroll the certificate on the Mac computer by using Configuration Manager.
2. On the member server that is running the Certification Authority console, right-
click Certificate Templates, and then choose Manage to load the Certificate
Templates management console.
3. In the results pane, right-click the entry that displays Authenticated Session in the
Template Display Name column, and then choose Duplicate Template.
4. In the Duplicate Template dialog box, ensure that Windows 2003 Server,
Enterprise Edition is selected, and then choose OK.
Important
5. In the Properties of New Template dialog box, on the General tab, enter a
template name, like ConfigMgr Mac Client Certificate, to generate the client
certificates that will be used on Mac computers.
6. Choose the Subject Name tab, make sure that Build from this Active Directory
information is selected, choose Common name for the Subject name format:, and
then clear User principal name (UPN) from Include this information in alternate
subject name.
7. Choose the Security tab, and then remove the Enroll permission from the Domain
Admins and Enterprise Admins security groups.
8. Choose Add, specify the security group that you created in step one, and then
choose OK.
9. Choose the Enroll permission for this group, and do not clear the Read permission.
10. Choose OK, and then close the Certificate Templates Console.
11. In the Certification Authority console, right-click Certificate Templates, choose New,
and then choose Certificate Template to Issue.
12. In the Enable Certificate Templates dialog box, choose the new template that you
just created, ConfigMgr Mac Client Certificate, and then choose OK.
13. If you do not have to create and issue more certificates, close Certification
Authority.
The Mac client certificate template is now ready to be selected when you set up
client settings for enrollment.
Additional information about privacy for Configuration Manager
Article • 10/04/2022
For more information about collected information and how it's used, see Usage data.
Usage data
Configuration Manager collects diagnostics and usage data about itself, which Microsoft
uses to improve the installation experience, quality, and security of future releases.
Diagnostics and usage data is enabled for each Configuration Manager hierarchy. It
consists of SQL Server queries that run on a weekly basis on each primary site and at the
central administration site. When the hierarchy uses a central administration site, the
data from primary sites is then replicated to that site. At the top-level site of your
hierarchy, the service connection point submits this information when it checks for
updates. If the service connection point is in offline mode, the information is transferred
by using the service connection tool.
Configuration Manager collects data only from the site's SQL Server database, and it
doesn't collect data directly from clients or site servers.
Administrators can change the level of data that's collected by going to the Usage Data
section of the Configuration Manager console.
For more information about usage data levels and settings, see Diagnostics and usage
data.
For more information about the information that Log Analytics collects, see Log
analytics data security.
Asset Intelligence
Asset Intelligence lets administrators define, track, and proactively manage conformity
with configuration standards. Metering and reporting on the deployment and use of
both physical and virtual applications helps organizations make better business
decisions about software licensing and maintain compliance with licensing agreements.
After collecting usage data from Configuration Manager clients, you can use different
features to view the data, including collections, queries, and reporting.
After a software title is uploaded, Microsoft researchers identify, categorize, and then
make that knowledge available to all other customers who use this feature and other
consumers of the catalog. Any uploaded software title becomes public. The application
and its categorization become part of the catalog and then can be downloaded to other
consumers of the catalog. Before you configure Asset Intelligence data collection and
decide whether to submit information to Microsoft, consider the privacy requirements of
your organization.
Endpoint Protection
Microsoft Cloud Protection Service was formerly known as Microsoft Active Protection
Service or MAPS.
The applicable products are System Center Endpoint Protection and the Endpoint
Protection feature of Configuration Manager (to manage System Center Endpoint
Protection and Windows Defender for Windows 10 or later).
Microsoft Cloud Protection Service reports include information about potential malware
files, like file names, cryptographic hash, vendor, size, and date stamps. In addition,
Microsoft Cloud Protection Service might collect full URLs to indicate the origin of the
file. These URLs might occasionally have personal information like search terms or data
that was entered in forms. Reports might also include actions that you took when
Endpoint Protection notified you about unwanted software. Microsoft Cloud Protection
Service reports include this information to help Microsoft gauge how effectively
Endpoint Protection can detect and remove malware and potentially unwanted software
and to attempt to identify new malware.
You can join Microsoft Cloud Protection Service if you have a basic or advanced
membership. Basic member reports have the information described previously.
Advanced member reports are more comprehensive and may include additional details
about the software that Endpoint Protection detects, like the location of such software,
file names, how the software operates, and how it has affected your computer. These
reports and reports from other Endpoint Protection users who participate in Microsoft
Cloud Protection Service help Microsoft researchers discover new threats more rapidly.
Malware definitions are then created for programs that meet the analysis criteria, and
the updated definitions are made available to all users through Microsoft Update.
To help detect and fix certain kinds of malware infections, the product regularly sends
Microsoft Cloud Protection Service information about the security state of your PC. This
information includes information about your PC's security settings and log files that
describe the drivers and other software that load while your PC boots.
A number that uniquely identifies your PC is also sent. Also, Microsoft Cloud Protection
Service may collect the IP addresses that the potential malware files connect to.
Microsoft Cloud Protection Service reports are used to improve Microsoft software and
services. The reports might also be used for statistical or other testing or analytical
purposes and to generate definitions. Only Microsoft employees, contractors, partners,
and vendors who have a business need to use the reports can access them.
Microsoft Cloud Protection Service does not intentionally collect personal information.
To the extent that Microsoft Cloud Protection Service collects any personal information,
Microsoft does not use the information to identify you or contact you.
Important
Starting in August 2020, this feature is deprecated. Use the Hierarchy Diagram
option.
In the Configuration Manager console, go to the Monitoring workspace, select the Site
Hierarchy node, and switch to the Geographical View. This view lets you use maps that
Microsoft Bing Maps provides to view your Configuration Manager physical server
topology. To enable this feature, location information that you provide is sent from your
server to the Bing Maps Web service.
Microsoft uses the information to operate and improve Microsoft Bing Maps and other
Microsoft sites and services. For more information, see the Microsoft Privacy
Statement .
You can choose not to use the Geographical View for the Site Hierarchy. The default
Hierarchy Diagram view lets you see the hierarchy and doesn't use the Bing Maps
service.
How to enable TLS 1.2
Article • 10/04/2022
Transport Layer Security (TLS), like Secure Sockets Layer (SSL), is an encryption protocol
intended to keep data secure when being transferred over a network. These articles
describe steps required to ensure that Configuration Manager secure communication
uses the TLS 1.2 protocol. These articles also describe update requirements for
commonly used components and troubleshooting common problems.
Important
Start this process with the clients, especially previous versions of Windows. Before
enabling TLS 1.2 and disabling the older protocols on the Configuration Manager
servers, make sure that all clients support TLS 1.2. Otherwise, the clients can't
communicate with the servers and can be orphaned.
Secondary site servers: Update SQL Server and its client components to a compliant version of SQL Server Express.
Site system roles:
- Update .NET Framework and verify strong cryptography settings
- Update SQL Server and its client components on roles that require it, including the SQL Server Native Client
Reporting services point: Update .NET Framework on the site server, the SQL Server Reporting Services servers, and any computer with the console.
Windows 7 clients: Before you enable TLS 1.2 on any server components, update Windows to support TLS 1.2 for client-server communications by using WinHTTP. If you enable TLS 1.2 on server components first, you can orphan earlier versions of clients.
Client communications to IIS-based site server roles when the role is configured to
use HTTPS. Examples of these roles include distribution points, software update
points, and management points.
Management point, SMS Executive, and SMS Provider communications with SQL.
Configuration Manager always encrypts SQL Server communications.
Site Server to WSUS communications if WSUS is configured to use HTTPS.
The Configuration Manager console to SQL Server Reporting Services (SSRS) if
SSRS is configured to use HTTPS.
Any connections to internet-based services. Examples include the cloud
management gateway (CMG), the service connection point sync, and sync of
update metadata from Microsoft Update.
Additional resources
Cryptographic controls technical reference
Transport layer security (TLS) best practices with the .NET Framework
KB 3135244: TLS 1.2 support for Microsoft SQL Server
Next steps
Enable TLS 1.2 on clients
Enable TLS 1.2 on the site servers
How to enable TLS 1.2 on clients
Article • 10/04/2022
When enabling TLS 1.2 for your Configuration Manager environment, start by ensuring
the clients are capable and properly configured to use TLS 1.2 before enabling TLS 1.2
and disabling the older protocols on the site servers and remote site systems. There are
three tasks for enabling TLS 1.2 on clients:
For more information about dependencies for specific Configuration Manager features
and scenarios, see About enabling TLS 1.2.
Earlier versions of Windows, such as Windows 7 or Windows Server 2012, don't enable
TLS 1.1 or TLS 1.2 by default for secure communications using WinHTTP. For these
earlier versions of Windows, install Update 3140245 to enable the registry value
below, which can be set to add TLS 1.1 and TLS 1.2 to the default secure protocols list
for WinHTTP. With the patch installed, create the following registry values:
Important
Enable these settings on all clients running earlier versions of Windows before
enabling TLS 1.2 and disabling the older protocols on the Configuration Manager
servers. Otherwise, you can inadvertently orphan them.
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\
    "DefaultSecureProtocols" = dword:00000AA0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\
    "DefaultSecureProtocols" = dword:00000AA0
The example above shows the value of 0xAA0 for the WinHTTP DefaultSecureProtocols
setting. Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in
Windows lists the hexadecimal value for each protocol. By default in Windows, this
value is 0x0A0 to enable SSL 3.0 and TLS 1.0 for WinHTTP. The above example keeps
these defaults, and also enables TLS 1.1 and TLS 1.2 for WinHTTP. This configuration
ensures that the change doesn't break any other application that might still rely on SSL
3.0 or TLS 1.0. You can use the value of 0xA00 to only enable TLS 1.1 and TLS 1.2.
Configuration Manager supports the most secure protocol that Windows negotiates
between both devices.
If you want to completely disable SSL 3.0 and TLS 1.0, use the SChannel disabled
protocols setting in Windows. For more information, see Restrict the use of certain
cryptographic algorithms and protocols in Schannel.dll.
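As an added example (not code from the Configuration Manager documentation), the following PowerShell reads the DefaultSecureProtocols value from both WinHTTP keys on a client, decodes which protocols the bitmask enables, and can set it to either of the two values discussed above. The per-protocol bit constants are assumed from the documentation of update 3140245, and the 0x0A0 fallback is the built-in default the text describes.

```powershell
# Added example: audit the WinHTTP DefaultSecureProtocols bitmask on earlier Windows
# versions (Windows 7 / Server 2012) before TLS 1.2 is enforced on the site servers.

# Bit values per protocol, as documented for update 3140245 (assumption: taken from
# that update's documentation, not from this article).
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

# Native view and 32-bit (Wow6432Node) view; the second only exists on 64-bit Windows.
$WinHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)

function ConvertFrom-DefaultSecureProtocols {
    param([int]$Value)
    # Return the name of every protocol whose bit is set in the mask.
    $ProtocolBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Test-WinHttpTls12 {
    # One report row per registry view: what is enabled, whether TLS 1.2 is on,
    # and whether SSL 3.0 / TLS 1.0 are still on (harmless for ConfigMgr, which
    # negotiates the strongest protocol both sides support, but worth knowing).
    foreach ($key in $WinHttpKeys) {
        if (-not (Test-Path (Split-Path -Path $key -Parent))) { continue }  # 32-bit OS
        $item = Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Value not set: WinHTTP falls back to its default, 0x0A0 (SSL 3.0 + TLS 1.0).
            $value  = 0x0A0
            $source = 'default (value not set)'
        } else {
            $value  = [int]$item.DefaultSecureProtocols
            $source = 'registry'
        }
        $enabled = @(ConvertFrom-DefaultSecureProtocols -Value $value)
        [pscustomobject]@{
            Key           = $key
            Source        = $source
            Value         = ('0x{0:X3}' -f $value)
            Enabled       = ($enabled -join ', ')
            Tls12Enabled  = ($enabled -contains 'TLS 1.2')
            LegacyStillOn = (($enabled -contains 'SSL 3.0') -or ($enabled -contains 'TLS 1.0'))
        }
    }
}

function Set-WinHttpTls12 {
    param(
        # 0xAA0 keeps SSL 3.0 / TLS 1.0 and adds TLS 1.1 / TLS 1.2 (the article's example);
        # 0xA00 enables only TLS 1.1 and TLS 1.2.
        [ValidateSet(0xAA0, 0xA00)]
        [int]$Value = 0xAA0
    )
    foreach ($key in $WinHttpKeys) {
        if (-not (Test-Path (Split-Path -Path $key -Parent))) { continue }  # 32-bit OS
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name DefaultSecureProtocols -Value $Value -Type DWord
    }
}

# Audit first; run Set-WinHttpTls12 (elevated) only on clients that report Tls12Enabled = False.
Test-WinHttpTls12 | Format-Table -AutoSize
```

Run the audit on a representative set of clients before touching any server-side protocol settings, since a client that still reports Tls12Enabled = False is exactly the one that would be orphaned.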
.NET Framework 4.6.2 and later supports TLS 1.1 and TLS 1.2. Confirm the registry
settings, but no additional changes are required.
Note
Update .NET Framework 4.6 and earlier versions to support TLS 1.1 and TLS 1.2. For
more information, see .NET Framework versions and dependencies.
If you're using .NET Framework 4.5.1 or 4.5.2 on Windows 8.1, Windows Server
2012 R2, or Windows Server 2012, it's highly recommended that you install the
latest security updates for the .NET Framework 4.5.1 and 4.5.2 to ensure TLS 1.2 can
be enabled properly.
For your reference, TLS 1.2 was first introduced into .NET Framework 4.5.1 and 4.5.2
with the following hotfix rollups:
For Windows 8.1 and Server 2012 R2: Hotfix rollup 3099842
For Windows Server 2012: Hotfix rollup 3099844
Make sure to set the following registry keys on any computer that communicates across
the network with a TLS 1.2-enabled system. For example, Configuration Manager clients,
remote site system roles not installed on the site server, and the site server itself.
For 32-bit applications that are running on 32-bit OSs and for 64-bit applications that
are running on 64-bit OSs, update the following subkey values:
Registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
For 32-bit applications that are running on 64-bit OSs, update the following subkey
values:
Registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
Note
The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The
SystemDefaultTlsVersions setting allows .NET to use the OS configuration. For
more information, see TLS best practices with the .NET Framework.
Next steps
Enable TLS 1.2 on the site servers and remote site systems
Common issues when enabling TLS 1.2
How to enable TLS 1.2 on the site servers and remote site systems
Article • 01/30/2023
When enabling TLS 1.2 for your Configuration Manager environment, start with enabling
TLS 1.2 for the clients first. Then, enable TLS 1.2 on the site servers and remote site
systems second. Finally, test client to site system communications before potentially
disabling the older protocols on the server side. The following tasks are needed for
enabling TLS 1.2 on the site servers and remote site systems:
Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system
level
Update and configure the .NET Framework to support TLS 1.2
Update SQL Server and client components
Update Windows Server Update Services (WSUS)
For more information about dependencies for specific Configuration Manager features
and scenarios, see About enabling TLS 1.2.
.NET Framework 4.6.2 and later supports TLS 1.1 and TLS 1.2. Confirm the registry
settings, but no additional changes are required.
Note
Update .NET Framework 4.6 and earlier versions to support TLS 1.1 and TLS 1.2. For
more information, see .NET Framework versions and dependencies.
If you're using .NET Framework 4.5.1 or 4.5.2 on Windows 8.1, Windows Server
2012 R2, or Windows Server 2012, it's highly recommended that you install the
latest security updates for the .NET Framework 4.5.1 and 4.5.2 to ensure TLS 1.2 can
be enabled properly.
For your reference, TLS 1.2 was first introduced into .NET Framework 4.5.1 and 4.5.2
with the following hotfix rollups:
For Windows 8.1 and Server 2012 R2: Hotfix rollup 3099842
For Windows Server 2012: Hotfix rollup 3099844
Make sure to set the following registry keys on any computer that communicates across
the network with a TLS 1.2-enabled system. For example, Configuration Manager clients,
remote site system roles not installed on the site server, and the site server itself.
For 32-bit applications that are running on 32-bit OSs and for 64-bit applications that
are running on 64-bit OSs, update the following subkey values:
Registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
For 32-bit applications that are running on 64-bit OSs, update the following subkey
values:
Registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
Note
The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The
SystemDefaultTlsVersions setting allows .NET to use the OS configuration. For
more information, see TLS best practices with the .NET Framework.
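The client article and this article list the same four .NET Framework registry keys. As an added example (not code from the Configuration Manager documentation), this PowerShell checks the installed .NET 4.x version and reports, per key and per registry view, whether SchUseStrongCrypto and SystemDefaultTlsVersions are set, with an optional function that sets them. The Release-to-version threshold (394802 for 4.6.2) is an assumption taken from Microsoft's .NET Framework versions and dependencies table, not from this page.

```powershell
# Added example: audit the .NET strong-crypto registry values on a client, site server,
# or remote site system. Keys under Wow6432Node exist only on 64-bit Windows.
$DotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

# Both values must be 1: SchUseStrongCrypto lets .NET use TLS 1.1/1.2,
# SystemDefaultTlsVersions makes .NET follow the OS (SChannel) protocol configuration.
$RequiredValues = @{
    SystemDefaultTlsVersions = 1
    SchUseStrongCrypto       = 1
}

# Assumption: the lowest 'Release' DWORD that identifies .NET Framework 4.6.2.
$MinReleaseForTls12ByDefault = 394802

function Get-DotNet4Release {
    # The Release DWORD under NDP\v4\Full identifies the installed 4.x version; 0 if absent.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                            -Name Release -ErrorAction SilentlyContinue
    if ($ndp) { [int]$ndp.Release } else { 0 }
}

function Test-DotNetTls12Registry {
    # One row per key. A missing Wow6432Node key on 32-bit Windows is expected, not a finding.
    foreach ($key in $DotNetKeys) {
        if (-not (Test-Path $key)) {
            [pscustomobject]@{
                Key = $key; Present = $false
                SystemDefaultTlsVersions = $null; SchUseStrongCrypto = $null; Compliant = $false
            }
            continue
        }
        $props = Get-ItemProperty -Path $key
        $sdt   = $props.SystemDefaultTlsVersions
        $ssc   = $props.SchUseStrongCrypto
        [pscustomobject]@{
            Key = $key; Present = $true
            SystemDefaultTlsVersions = $sdt
            SchUseStrongCrypto       = $ssc
            Compliant = (($sdt -eq 1) -and ($ssc -eq 1))
        }
    }
}

function Set-DotNetTls12Registry {
    # Write both DWORDs to every key that exists on this computer (run elevated).
    foreach ($key in $DotNetKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($name in $RequiredValues.Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $RequiredValues[$name] -Type DWord
        }
    }
}

$release = Get-DotNet4Release
if ($release -lt $MinReleaseForTls12ByDefault) {
    Write-Warning ".NET 4.x Release $release is older than 4.6.2; update .NET before relying on TLS 1.2."
}

$report = Test-DotNetTls12Registry
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Present -and -not $_.Compliant }) {
    Write-Warning 'At least one existing .NET key lacks SchUseStrongCrypto=1 / SystemDefaultTlsVersions=1; run Set-DotNetTls12Registry.'
}
```

Run the audit on the site server, on each remote site system, and on clients that host .NET-based components, and only then test client-to-site-system communication before disabling the older protocols.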
Secondary site servers need to use at least SQL Server 2016 Express with Service Pack 2
(13.2.50.26) or later.
Note
KB 3135244 also describes requirements for SQL Server client components.
Make sure to also update the SQL Server Native Client to at least version SQL Server
2012 SP4 (11.*.7001.0). This requirement is a prerequisite check (warning).
Configuration Manager uses SQL Server Native Client on the following site system roles:
After the configuration has been assigned, the compliance status of your resources can
be viewed in detail by navigating to the Guest Assignments page and scoping down to
the impacted resources.
For a detailed, step-by-step tutorial, see Consistently upgrade your server TLS protocol
using Azure Arc and Automanage Machine Configuration .
For WSUS server that's running Windows Server 2012, install update 4022721 or
a later rollup update.
For WSUS server that's running Windows Server 2012 R2, install update 4022720
or a later rollup update.
Starting in Windows Server 2016, TLS 1.2 is supported by default for WSUS. TLS 1.2
updates are only needed on Windows Server 2012 and Windows Server 2012 R2 WSUS
servers.
Next steps
Common issues when enabling TLS 1.2
Common issues when enabling TLS 1.2
Article • 02/22/2023
This article provides advice for common issues that occur when you enable TLS 1.2
support in Configuration Manager.
Unsupported platforms
The following client platforms are supported by Configuration Manager but aren't
supported in a TLS 1.2 environment:
Apple OS X
Windows devices managed with on-premises MDM
To investigate, enable Secure Channel event logging, and then review Schannel events in
the system log. For more information, see Restrict the use of certain cryptographic
algorithms and protocols in Schannel.dll.
Log
Microsoft.ConfigurationManager.CloudBase.AAD.AADAuthenticationException
at Microsoft.ConfigurationManager.CloudBase.AAD.AADAuthenticationContext.GetAADAuthResultObject
...
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask
...
System.Net.WebException
at System.Net.HttpWebRequest.GetResponse
In the System EventLog, SChannel EventID 36874 may be logged with the following
description: An TLS 1.2 connection request was received from a remote client
application, but none of the cipher suites supported by the client application are
Additional resources
Transport layer security (TLS) best practices with the .NET Framework
KB 3135244: TLS 1.2 support for Microsoft SQL Server
Cryptographic controls technical reference
Next steps
Enable TLS 1.2 on clients
Enable TLS 1.2 on the site servers and remote site systems
Security documentation
Configuration Manager is secure by default. Learn more about how to configure and use
features to help keep your environment secure.
Fundamentals
OVERVIEW
Role-based administration
Plan
GET STARTED
Certificates overview
Configure security
Resources
REFERENCE
Accounts
Ports
Feature guidance
CONCEPT
OS deployment
App management
Learn how to create a lab environment to evaluate Configuration Manager for use in
your organization.
Configuration Manager is a complex and powerful tool to manage your users, devices,
and software. It's a good idea to thoroughly evaluate Configuration Manager before full
deployment, so that you can marry conceptual understanding with hands-on exercises.
This guide is primarily meant for admins who are evaluating the use of Configuration
Manager in corporate environments:
Admins who want a solution to fully manage PCs, servers, and mobile devices
One that hosts Active Directory, the domain controller, and the DNS server
One that hosts Configuration Manager and all associated SQL Server components
Client machines are installed within Hyper-V. The lab itself can also be run as a fully
virtualized system on a single server.
When you build this lab, you will have a functional environment to work in. But this
environment will not be optimized for factors like system performance, hard disk space
management, and SQL Server storage.
Learn core concepts about the Configuration Manager console, end-user portals,
and example scenarios in Introduction to Configuration Manager.
Following the guidance in this topic will enable you to set up a lab for evaluating
Configuration Manager with simulated real-life activities.
Note
Core components
Setting up your environment for Configuration Manager requires some core
components to support the installation of Configuration Manager.
The lab environment uses Windows Server 2012 R2, into which we will install
Configuration Manager.
You can download an evaluation version of Windows Server 2012 R2 from the
Evaluation Center .
The lab environment uses SQL Server 2012 SP2 for the site database.
You can download an evaluation version of SQL Server 2012 from the Microsoft
Download Center .
SQL Server has Supported versions of SQL Server that must be met for use with
Configuration Manager.
Configuration Manager requires a 64-bit version of SQL Server to host the site
database.
Configure the SQL Server service account to run using a low rights domain user
account.
Intersite communications use the SQL Server Service Broker on default port
TCP 4022.
Intrasite communications between the SQL Server database engine and select
Configuration Manager site system roles use default port TCP 1433.
The domain controller uses Windows Server 2008 R2 with Active Directory
Domain Services installed. The domain controller also functions as the host for the
DHCP and the DNS servers for use with a fully qualified domain name.
Hyper-V is used with a few virtual machines to verify that the management steps
taken in these exercises are functioning as expected. A minimum of three virtual
machines is recommended, with Windows 10 installed.
Though not required for this lab, you can review Supported configurations for
Configuration Manager for additional information on requirements for implementing
Configuration Manager. Refer to documentation for software versions other than those
referenced here.
Once you have installed all of these components, there are additional steps you must
take to configure your Windows environment for Configuration Manager:
Prepare Active Directory content for the lab
For this lab, you will create a security group, then add a domain user to it.
Under normal circumstances, you wouldn't grant universal access to all users
within your environment. You are doing so with this user in order to streamline
bringing your lab online.
The next steps required to enable Configuration Manager clients to query Active
Directory Domain Services to locate site resources are listed over the next procedures.
Ensure that you are logged on as an account that has Create All Child Objects
permission on the System Container in Active Directory Domain Services.
3. In the Create Object dialog box, select Container, and then click Next.
4. In the Value box, type System Management, and then click Next.
Important
Confirm that you are connected to the site server's domain prior to beginning the
following procedure.
2. In the CN=System Management Properties dialog box, click the Security tab, and
then click Add to add the site server computer account. Grant the account Full
Control permissions.
3. Click Advanced, select the site server's computer account, and then click Edit.
4. In the Apply onto list, select This object and all descendant objects.
5. Click OK to close the ADSI Edit console and complete the procedure.
For more information, see Extend the Active Directory schema for Configuration
Manager
Important
Ensure that you are logged on to the schema master domain controller with an
account that is a member of the Schema Admins security group. Attempting to use
alternate credentials will fail.
3. Run extadsch.exe.
4. Verify that the schema extension was successful by reviewing the extadsch.log
located in the root folder of the system drive.
For more information, see Extend the Active Directory schema for Configuration
Manager.
There will be multiple downloads required for components of the installation media
throughout this exercise. Before beginning any installation procedures, determine a
location that will not require you to move these files until you wish to decommission
your lab. A single folder with separate subfolders to store these downloads is
recommended.
You will need to install two .NET Frameworks: first, .NET 3.5.1 and then .NET 4.5.2+. You
will also need to activate Windows Communication Foundation (WCF). WCF is designed
to offer a manageable approach to distributed computing, broad interoperability, and
direct support for service orientation, and simplifies development of connected
applications through a service-oriented programming model. For more information, see
What Is Windows Communication Foundation?.
2. Review the information provided in the Before You Begin panel, then click Next.
4. Select your server from the Server Pool, then click Next.
ASP.NET 4.5
WCF Services
HTTP Activation
7. Review the Web Server Role (IIS) and Role Services screen, then click Next.
9. Click Install and verify that the installation completed properly in the Notifications
pane of Server Manager.
10. After the base installation of .NET completes, navigate to the Microsoft Download
Center to obtain the web installer for the .NET Framework 4.5.2. Click the
Download button, then Run the installer. It will automatically detect and install the
required components in your selected language.
The Background Intelligent Transfer Service (BITS) is used for applications that need to
transfer files asynchronously between a client and a server. By metering the flow of the
transfers in the foreground and background, BITS preserves the responsiveness of other
network applications. It will also automatically resume file transfers if a transfer session
is interrupted.
You will install BITS for this lab, as this site server will also be used as a management
point.
Internet Information Services (IIS) is a flexible, scalable web server that can be used to
host anything on the web. It is used by Configuration Manager for a number of site
system roles. For additional information on IIS, review Websites for site system servers.
Remote Differential Compression (RDC) is a set of APIs that applications can use to
determine if any changes have been made to a set of files. RDC enables the application
to replicate only the changed portions of a file, keeping network traffic to a minimum.
2. Review the information provided in the Before You Begin panel, then click Next.
4. Select your server from the Server Pool, then click Next.
5. Add the following Server Roles by selecting them from the list:
Default Document
Directory Browsing
HTTP Errors
Static Content
HTTP Redirection
HTTP Logging
Logging Tools
Request Monitor
Tracing
Performance
Security
Request Filtering
Basic Authentication
URL Authorization
Windows Authentication
Application Development
ASP
ASP.NET 3.5
ASP.NET 4.5
ISAPI Extensions
ISAPI Filters
FTP Server
FTP Service
Management Tools
Management Service
7. Click Install and verify that the installation completed properly in the Notifications
pane of Server Manager.
By default, IIS blocks several types of file extensions and locations from access by HTTP
or HTTPS communication. To enable these files to be distributed to client systems, you
will need to configure request filtering for IIS on your distribution point. For more
information, see IIS Request Filtering for distribution points.
1. Open IIS Manager and select the name of your server in the sidebar. This will take
you to the Home screen.
2. Verify that Features View is selected at the bottom of the Home screen. Navigate
to IIS and open Request Filtering.
During this process, you will also install the Configuration Manager console, which will
be used to manage your evaluation devices going forward.
Before you begin the installation, launch the Prerequisite Checker on the server using
Windows Server 2012 to confirm that all settings have been correctly enabled.
3. Follow the installation procedure listed at Install a site using the Configuration
Manager Setup Wizard. Within that procedure, you will input the following:
Step 7 (Prerequisite Downloads): Select Download required files and specify your predefined location.
Step 11 (Primary Site Installation): Select Install the primary site as a stand-alone site, then click Next.
Step 12 (Database Installation):
- SQL Server name (FQDN): input your FQDN here.
- Instance name: leave this blank, as you will use the default instance of SQL Server that you previously installed.
Step 15 (Client Communication Settings): Confirm that All site system roles accept only HTTPS communication from clients is not selected.
Step 16 (Site System Roles): Input your FQDN and confirm that your selection of All site system roles accept only HTTPS communication from clients is still deselected.
4. In the Properties dialog box, select Enable Active Directory Forest Discovery.
Once this is active, select Automatically create Active Directory site boundaries
when they are discovered. A dialog box will appear that states Do you want to
run full discovery as soon as possible? Click Yes.
5. In the Discovery Method group at the top of the screen, click Run Forest
Discovery Now, then navigate to Active Directory Forests in the sidebar. Your
Active Directory forest should be shown in the list of discovered forests.
2. You will configure a new forest that has not yet been discovered.
4. On the Publishing tab of the site properties, select your connected forest, then
click Ok to save the configuration.
Create a Configuration Manager lab in Azure
Article • 10/04/2022
Configuration Manager technical preview Azure template installs the latest version
of the Configuration Manager technical preview branch.
Configuration Manager current branch Azure template installs the evaluation of
the latest version of Configuration Manager current branch.
Prerequisites
This process requires an Azure subscription in which you can create the following
objects:
Two Standard_B2s virtual machines for domain controller, management point, and
distribution point.
Zero to three virtual machines for client devices.
One Standard_B2ms virtual machine for the primary site server and the SQL Server
database server
If you choose to create a hierarchy, one other Standard_B2ms virtual machine for
the central administration site.
Standard_LRS storage account.
Tip
Process
1. Go to the Configuration Manager technical preview template or Configuration
Manager current branch template .
2. Select Deploy to Azure, which opens the Azure portal.
Basics
Settings
Prefix: The prefix name of the machines. For more information, see Azure
VM info.
Important
The following settings are required by Azure. Use the default values. Don't
change these values.
Note
If you edited the Azure template before you deployed it, then you need to
change the _artifactsLocation value.
For the technical preview template, the value is
https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/application-workloads/sccm/sccm-technicalpreview/azuredeploy.json
templates/master/application-workloads/sccm/sccm-currentbranch/azuredeploy.json
4. Read the terms and conditions. If you agree, select I agree to the terms and
conditions stated above. Then select Purchase to continue.
Azure validates the settings, and then begins the deployment. Check the status of the
deployment in the Azure portal.
Note
The process can take 2-4 hours. Even when the Azure portal shows successful
deployment, configuration scripts continue to run. Don't restart the VMs during the
process.
To see the status of the configuration scripts, connect to the <prefix>PS01 server, and
view the following file: %windir%\TEMP\ProvisionScript\PS01.json . If it shows all steps as
complete, the process is done.
Note
When you use the current branch template, it uses the CAS.json file at the same
location on the <prefix>CS01 server.
To connect to the VMs, first get the public IP addresses for each VM from the Azure portal. When you connect to a VM, the domain name is contoso.com. Use the credentials that you specified in the deployment template. For more information, see How to connect and log on to an Azure virtual machine running Windows.
Azure VM info
All VMs have the following specifications:
150 GB of disk space
Both a public and private IP address. The public IPs are in a network security group
that only allows remote desktop connections on TCP port 3389.
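Because the VMs carry public IP addresses, the only thing standing between the lab and the internet is that RDP rule. The following script is an added example, not part of the quickstart template or the docs; it narrows any inbound TCP 3389 allow rule in the deployment's resource group from "any source" to one management address. The resource group name, the management address, and the assumption that the template's rule uses '*' or 'Internet' as its source are placeholders.

```powershell
# Added example (not from the Azure quickstart template or the Configuration
# Manager docs): restrict the lab's inbound RDP rule to a known management
# address. Requires the Az.Network module and an authenticated Az session.
param(
    [string]$ResourceGroupName = 'rg-cm-lab',        # assumed: group the template deployed into
    [string]$ManagementSource  = '203.0.113.10/32'   # assumed: documentation-range address
)

foreach ($nsg in Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName) {
    # The template's NSG and rule names are not documented, so match on behaviour:
    # inbound Allow rules that admit TCP 3389 (or all ports).
    $rdpRules = $nsg.SecurityRules | Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
        $_.Protocol -in @('Tcp', '*') -and
        ($_.DestinationPortRange -contains '3389' -or $_.DestinationPortRange -contains '*')
    }

    $changed = $false
    foreach ($rule in $rdpRules) {
        # Only rewrite rules that are open to any source; leave already-scoped rules alone.
        if ($rule.SourceAddressPrefix -contains '*' -or $rule.SourceAddressPrefix -contains 'Internet') {
            Write-Output "$($nsg.Name)/$($rule.Name): RDP allowed from $($rule.SourceAddressPrefix -join ','); narrowing to $ManagementSource"
            Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name `
                -Protocol $rule.Protocol -Direction Inbound -Access Allow -Priority $rule.Priority `
                -SourceAddressPrefix $ManagementSource -SourcePortRange '*' `
                -DestinationAddressPrefix $rule.DestinationAddressPrefix `
                -DestinationPortRange $rule.DestinationPortRange | Out-Null
            $changed = $true
        }
    }

    # Rule edits are local to the object until the NSG is written back.
    if ($changed) { $nsg | Set-AzNetworkSecurityGroup | Out-Null }
}
```

Run it once after the template reports success; it prints each rule it narrows and changes nothing if every RDP rule already has a specific source.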
The prefix that you specified in the deployment template is the VM name prefix. For example, if you set "contoso" as the prefix, then the domain controller machine name is contosoDC.
<prefix>DC01
<prefix>PS01
<prefix>DPMP01
<prefix>CL01
This article provides details about the monthly technical preview branch of
Configuration Manager. The technical preview introduces new functionality that
Microsoft is working on. It introduces new features that aren't yet included in the
current branch of Configuration Manager. These features might eventually be included
in an update to the current branch. Before we finalize the features, we want you to try
them out and give us feedback.
Because this release is a technical preview, details and functionality are subject to
change.
This information applies to all versions of the Configuration Manager technical preview branch. This article lists each new feature along with the technical preview version in which it first appears. For example, version 2201 is for January (01) of 2022 (22). Separate articles dedicated to each preview version detail the individual features.
For information about what's new in the current branch of Configuration Manager, see
What's new in Configuration Manager incremental versions.
Tip
You can use RSS to be notified when this page is updated. For more information,
see How to use the docs.
Important
The technical preview is licensed for use only in a lab environment. Microsoft may
not provide support services and certain features may not be available in technical
previews. Additionally, technical preview software may have reduced or different
security, privacy, accessibility, availability, and reliability standards relative to
commercially provided software.
For most product prerequisites, use the information in the Supported configurations.
The following exceptions apply to the technical preview branch:
The service connection point installs to online mode. It doesn't support offline
mode.
Note
You may need to allow specific internet URLs, some of which are specific to
the technical preview branch. For more information, see Internet access
requirements.
The separate articles for each specific version of the technical preview include
additional limitations or requirements, as applicable.
The following features aren't supported with the technical preview branch:
There's no support for updating to current branch from this preview branch.
Note
When updates are available for a preview version, you still find and install
them from the Updates and Servicing node of the Configuration Manager
console. For a video of the in-console upgrade process, see Installing
Configuration Manager update packages on youtube.com.
Unless otherwise noted, the technical preview branch supports the same versions
of SQL Server as the current branch. For more information, see Supported SQL
Server versions.
The site supports up to 10 clients, which can run any supported client OS version.
Note
First install a baseline version of the technical preview branch. After installing a baseline
version, then use in-console updates to bring your installation up to date with the most
recent preview version. Typically, new versions of the technical preview are available
each month.
Microsoft supports each technical preview version up until three successive versions are
available. For example, when version 1908 released, version 1904 was no longer in
support. Versions 1905, 1906, and 1907 remained in support. When a baseline falls out
of support, it's still supported for installing a new technical preview site, assuming you
immediately update to a supported version. The older baseline is supported until a new
baseline version is available. Update to the latest available version from the baseline,
and then repeat the update process until you install the latest technical preview version.
Tip
When you install an update to the technical preview, you update your preview
installation to that new technical preview version. A technical preview installation
never has the option to upgrade to a current branch installation. It also never
receives updates from the current branch release.
Several times throughout the year, there are technical preview branch and current
branch versions with the same version number. For example, there is a technical
preview version 2006 and a current branch version 2006.
Providing feedback
We love to hear your feedback about the new features in the technical preview. For
more information, see Product feedback.
If you have ideas about new features you would like to see, let us know! Submit new ideas and vote on the ideas by others: Feedback for Configuration Manager.
Note
Features that were available in a previous version of the technical preview remain
available in later versions. Similarly, features that are added to the Configuration
Manager current branch remain available in the technical preview branch.
Tip
When a new current branch version is available, features that are available in that
version are listed in the latest What's new article. For more information, see What's
new in incremental versions.
Next steps
For more information, see the following articles:
Evaluate Configuration Manager in a lab
What's new in Configuration Manager incremental versions
Introduction to Configuration Manager
Tip
For more information on current branch features that require consent to enable,
see pre-release features.
For more information on current branch features that you must enable first, see
Enable optional features from updates.
Features in Configuration Manager
technical preview version 2307
Article • 07/28/2023
This article introduces the features that are available in the technical preview for
Configuration Manager, version 2307. Install this version to update and add new
features to your technical preview site.
Review the technical preview article before installing this update. That article familiarizes
you with the general requirements and limitations for using a technical preview, how to
update between versions, and how to provide feedback.
The following sections describe the new features to try out in this version:
Note
To use this feature, a valid Azure AD web app is required. Deploy the Azure services for Administration service management under \Administration\Overview\Cloud Services\Azure Services. If the service is already deployed, an admin can use the existing web application to view Run details from the Azure logic app.
Known issue: An unexpected error can occur while configuring the Azure service web app for Administration service management. It can be ignored, as it doesn't affect the service creation.
Reboot Notification
Next steps
For more information about installing or updating the technical preview branch, see
Technical preview.
For more information about the different branches of Configuration Manager, see
Which branch of Configuration Manager should I use?.
Features in Configuration Manager
technical preview version 2305
Article • 05/25/2023
This article introduces the features that are available in the technical preview for
Configuration Manager, version 2305. Install this version to update and add new
features to your technical preview site.
Review the technical preview article before installing this update. That article familiarizes
you with the general requirements and limitations for using a technical preview, how to
update between versions, and how to provide feedback.
The following sections describe the new features to try out in this version:
To update the server app, go to the Azure Active Directory Tenants node, select the tenant, select the server app, and then select Update application settings.
If you're using an existing (nonupdated) Azure AD server app, ensure that the server app has RedirectUrl="http://localhost" added in the Azure portal and in the AAD_Application_EX table in the database.
If you try to create the CMG before updating the RedirectUrl, you get the error "Your server Application needs to be updated".
Run the PowerShell command Set-UpdateServerApplication to update your app, and then try again to create the CMG.
Note
For new customers, before creating the CMG, create an Azure AD server app that contains RedirectUrl="http://localhost". Once the redirect URL and database settings are complete, you can run the new PowerShell cmdlet.
Next steps
For more information about installing or updating the technical preview branch, see
Technical preview.
For more information about the different branches of Configuration Manager, see
Which branch of Configuration Manager should I use?.
Features in Configuration Manager
technical preview version 2303
Article • 03/28/2023
This article introduces the features that are available in the technical preview for
Configuration Manager, version 2303. Install this version to update and add new
features to your technical preview site.
Review the technical preview article before installing this update. That article familiarizes
you with the general requirements and limitations for using a technical preview, how to
update between versions, and how to provide feedback.
The following sections describe the new features to try out in this version:
You can use this version of SQL Server for the following sites:
The following table identifies the recommended compatibility levels for Configuration
Manager site databases:
To use the theme, select the arrow from the top left of the ribbon, then choose Switch
console theme. Select Switch console theme again to return to the light theme.
Known issue
Console restart is required on doing the theme switch, as the node navigation pane
might not properly render when you move to a new workspace.
Configuration Manager doesn't manage the updates for the ODBC driver. Ensure that
this component is up to date.
Next steps
For more information about installing or updating the technical preview branch, see
Technical preview.
For more information about the different branches of Configuration Manager, see
Which branch of Configuration Manager should I use?.
Features in Configuration Manager
technical preview version 2302
Article • 02/22/2023
This article introduces the features that are available in the technical preview for
Configuration Manager, version 2302. Install this version to update and add new
features to your technical preview site.
Review the technical preview article before installing this update. That article familiarizes
you with the general requirements and limitations for using a technical preview, how to
update between versions, and how to provide feedback.
The following sections describe the new features to try out in this version:
Known issue
Console restart is required on doing the theme switch, as the node navigation pane
might not properly render when you move to a new workspace.
The Windows features that the policy will control will be released in later part of 2023.
This ConfigMgr Technical Preview feature is for awareness and not for testing in
February 2023.
Next steps
For more information about installing or updating the technical preview branch, see
Technical preview.
For more information about the different branches of Configuration Manager, see
Which branch of Configuration Manager should I use?.
Migrate data between hierarchies in
Configuration Manager
Article • 10/04/2022
Use migration to transfer data from a supported source hierarchy to your Configuration
Manager (current branch) destination hierarchy. When you migrate data from a source
hierarchy:
You access data from the site databases in the source infrastructure, and then
transfer that data to your current environment.
Migration doesn't change the data in the source hierarchy. Instead it discovers the
data and stores a copy in the database of the destination hierarchy.
Consider the following points when you plan your migration strategy:
You can migrate some or all of the supported data from a source site.
You can migrate the data from a single source site to several different sites in the
destination hierarchy.
You can move data from multiple source sites to a single site in the destination
hierarchy.
The following video discusses and demonstrates two common migration scenarios. It
also includes options for including Microsoft Azure in migration plans.
https://www.youtube-nocookie.com/embed/6_0EwW-5b4E
Concepts
Configuration Manager uses the following concepts and terms during migration.
Source hierarchy
A hierarchy that runs a supported version of Configuration Manager and has data that
you want to migrate. When you set up migration, you identify the source hierarchy
when you specify the top-level site of a source hierarchy. After you specify a source
hierarchy, the top-level site of the destination hierarchy gathers data from the database
of the designated source site to identify the data that you can migrate.
Source sites
The sites in the source hierarchy that have data that you can migrate to your destination
hierarchy.
Destination hierarchy
A Configuration Manager (current branch) hierarchy where migration runs to import
data from a source hierarchy.
Data gathering
The ongoing process of identifying the information in a source hierarchy that you can
migrate to your destination hierarchy. Configuration Manager checks the source
hierarchy on a schedule. This process identifies any changes to information in the source
hierarchy that you previously migrated and that you might want to update in the
destination hierarchy.
Migration jobs
The process of configuring the specific objects to migrate, and then managing the
migration of those objects to the destination hierarchy.
Client migration
The process of transferring information that clients use from the database of the source
site to the database of the destination hierarchy. This migration of data is then followed
by an upgrade of client software on devices to the client software version from the
destination hierarchy.
During the migration period, clients assigned to sites in the destination hierarchy can
get content from shared distribution points.
For more information, see Share distribution points between source and destination
hierarchies.
Monitoring migration
The process of monitoring migration activities. You monitor migration progress and
success from the Migration node in the Administration workspace.
The process of stopping data gathering from source sites. When you no longer have
data to migrate from a source hierarchy, or if you want to pause migration-related
activities, you can configure the destination hierarchy to stop gathering data from the
source hierarchy.
Typical workflow
To set up a workflow for migration:
3. Create migration jobs to migrate data between the source and destination
hierarchy.
4. You can stop the data gathering process at any time by using the Stop Gathering
Data action. When you stop data gathering, Configuration Manager no longer
identifies changes to data in the source hierarchy and can no longer share
distribution points. Typically, you use this action when you no longer plan to
migrate data or share distribution points from the source hierarchy.
5. Optionally, after data gathering has stopped at all sites for the source hierarchy,
you can clean up the migration data by using the Clean Up Migration Data action.
This action deletes the historical data about migration from a source hierarchy
from the database of the destination hierarchy.
After you migrate data, and you no longer need the source hierarchy to manage devices
in your environment, you can decommission that source hierarchy and infrastructure.
Scenarios
Configuration Manager supports the following migration scenarios:
Note
The expansion of a hierarchy that has a standalone site into a hierarchy that has a
central administration site isn't categorized as a migration. For information about
hierarchy expansion, see Expand a stand-alone primary site.
User-centric management
Users are the focus of management tasks in Configuration Manager (current branch).
For example, you can distribute software to a user even if you don't know the device
name for that user. Additionally, Configuration Manager gives users much more control
over what software is installed on their devices and when that software is installed.
Hierarchy simplification
Configuration Manager (current branch) lets you build a simpler site hierarchy. This
improvement is due to the introduction of the central administration site type and
changes to the behavior of primary and secondary sites. Configuration Manager (current
branch) uses less network bandwidth and requires fewer servers than previous versions.
Role-based administration
This central security model in Configuration Manager (current branch) offers hierarchy-wide security and management that corresponds to your administrative and business requirements.
Note
Because of design changes that were first introduced in System Center 2012
Configuration Manager, you can't upgrade Configuration Manager 2007 to
Configuration Manager (current branch). In-place upgrade is supported from
System Center 2012 Configuration Manager to Configuration Manager (current
branch).
Migration from Configuration Manager 2012 or another
Configuration Manager hierarchy
The process of migrating data from a System Center 2012 Configuration Manager or
Configuration Manager hierarchy is the same. This process includes migrating data from
multiple source hierarchies into a single destination hierarchy. You might use this
process when your company gets additional resources that are already managed by
Configuration Manager. Additionally, you can migrate data from a test environment to
your Configuration Manager production environment. This process lets you maintain
your investment in the Configuration Manager test environment.
See also
Planning for migration to Configuration Manager
After you install the destination hierarchy, set up the management features and
functions that you want to use in your destination hierarchy before you start to migrate
data.
Additionally, you might have to plan for overlap between the source hierarchy and your
destination hierarchy. For example, you might set up the source hierarchy to use the
same network locations or boundaries as your destination hierarchy, and you then install
new clients to your destination hierarchy and use automatic site assignment. In this
scenario, because a newly installed Configuration Manager client can select a site to join
from either hierarchy, the client might incorrectly assign to your source hierarchy.
Therefore, plan to assign each new client in the destination hierarchy to a specific site in
that hierarchy instead of using automatic site assignment.
For more about site assignments, see Client site assignment considerations in
Interoperability between different versions of Configuration Manager.
Use the following articles to help you plan how to migrate a supported source hierarchy
to a Configuration Manager destination hierarchy:
To migrate from a supported source hierarchy, you must have access to each applicable
Configuration Manager source site, and permissions within the Configuration Manager
destination site to configure and run migration operations.
Use the information in the following sections to help you understand the versions of
Configuration Manager that are supported for migration, and the required
configurations.
Tip
In addition to migration, you can use an in-place upgrade of sites that run
System Center 2012 Configuration Manager to Configuration Manager current
branch.
A Configuration Manager hierarchy of the same or lesser version of Configuration
Manager.
For example, if you have a destination hierarchy that runs Configuration Manager current branch 1606, you could use migration to copy data from a source hierarchy that runs version 1606 or 1602. However, you couldn't migrate data from a source hierarchy that runs 1610.
English
French
German
Japanese
Korean
Russian
Simplified Chinese
Traditional Chinese
When you migrate data from a System Center 2012 Configuration Manager or
Configuration Manager current branch hierarchy, there are no source site language
limitations. Objects in the source site database are already in a language neutral format.
Data Gathering:
To enable the destination site to gather data, you must configure the following two
source site access accounts for use with each source site:
Source Site Account: This account is used to access the SMS Provider of the
source site.
For a Configuration Manager 2007 SP2 source site, this account requires
Read permission to all source site objects.
Source Site Database Account: This account is used to access the SQL Server
database of the source site and requires Connect, Execute, and Select
permissions to the source site database.
You can configure these accounts when you configure a new source hierarchy, data
gathering for an additional source site, or when you reconfigure the credentials for
a source site. These accounts can use a domain user account, or you can specify
the computer account of the top-level site of the destination hierarchy.
Important
If you use the Configuration Manager computer account for either access
account, ensure that this account is a member of the security group
Distributed COM Users in the domain where the source site resides.
When gathering data, the following network protocols and ports are used:
SQL Server - The TCP ports in use by both the source and destination site
databases.
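Before the first data-gathering run, it's worth confirming that the Source Site Database Account has exactly the three database permissions listed above and nothing broader, and that the source SQL Server port is reachable from the destination top-level site. The script below is an added example, not from the docs; it uses the SqlServer module's Invoke-Sqlcmd and impersonates the account inside the database so that permissions inherited from role membership are counted. Server, port, database and account names are assumed placeholders.

```powershell
# Added example (not from the Configuration Manager docs): check the Source Site
# Database Account's effective Connect, Execute and Select permissions on the
# source site database, and the SQL Server TCP port used by data gathering.
# Run on the destination top-level site server as a SQL login that can
# impersonate database users (for example, a sysadmin). Requires the SqlServer module.
param(
    [string]$SourceSqlServer = 'SRCSQL01.contoso.com',   # assumed source site database server
    [int]   $SourceSqlPort   = 1433,                     # assumed; use the source site's actual port
    [string]$SourceSiteDb    = 'CM_SRC',                 # assumed source site database name
    [string]$DatabaseAccount = 'CONTOSO\svc-cm-migrate'  # assumed Source Site Database Account
)

# Data gathering talks to the source site database over its TCP port, so test it first.
$tcp = Test-NetConnection -ComputerName $SourceSqlServer -Port $SourceSqlPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP $SourceSqlPort on $SourceSqlServer is not reachable from this server."
}

# Single-quoted here-string: $(account) is a sqlcmd scripting variable filled by
# Invoke-Sqlcmd -Variable, not a PowerShell subexpression.
# EXECUTE AS USER fails outright if the account is not a user in the database,
# which is itself the first thing to fix.
$query = @'
EXECUTE AS USER = '$(account)';
SELECT 'CONNECT' AS permission_name, HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CONNECT') AS held
UNION ALL
SELECT 'EXECUTE', HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'EXECUTE')
UNION ALL
SELECT 'SELECT',  HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'SELECT');
REVERT;
'@

$result = Invoke-Sqlcmd -ServerInstance "$SourceSqlServer,$SourceSqlPort" -Database $SourceSiteDb `
                        -Query $query -Variable @("account=$DatabaseAccount") -ErrorAction Stop

# HAS_PERMS_BY_NAME returns 1 when the permission is effective, 0 when it is not.
$missing = @($result | Where-Object { $_.held -ne 1 } | ForEach-Object { $_.permission_name })
if ($missing.Count -eq 0) {
    Write-Output "$DatabaseAccount holds CONNECT, EXECUTE and SELECT on $SourceSiteDb."
} else {
    Write-Warning "$DatabaseAccount is missing on ${SourceSiteDb}: $($missing -join ', ')"
}
```

If the account turns out to be db_owner or sysadmin, the check still passes; trim it back to the three grants, since data gathering only reads the source database.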
Before you migrate software updates, you must configure the destination hierarchy
with a software update point. For more information, see Planning to migrate
software updates.
To successfully share any distribution points from a source site, at least one
primary site or the central administration site in the destination hierarchy must use
the same port numbers for client requests as the source site. For information about
client request ports, see How to configure client communication ports
For each source site, only the distribution points that are installed on site system
servers that are configured with a FQDN are shared.
The Source Site Access Account configured to gather data from the SMS Provider
of the source site must have the following permissions:
Use the following administrator checklists to help you plan your migration strategy to
Configuration Manager current branch.
Identify existing business requirements that are met by the source hierarchy and
develop plans to continue to meet those requirements in the destination hierarchy.
Review the functionality and changes that are available with the version of
Configuration Manager that you use, and use this information to help you
design your destination hierarchy:
Map your hierarchy to the computers that you will use for sites and site servers
in the destination hierarchy:
Identify the computers that sites and site system servers will use in the destination
hierarchy, and then ensure that they have sufficient capacity to meet existing and
future operational requirements.
Plan to use the available migration jobs to migrate different objects, including site
boundaries, collections, advertisements, and deployments. For more information,
see Types of migration jobs in Planning a migration job strategy
Configuration Manager migrates only the objects that you select. Any objects that are not migrated and that are required in the destination hierarchy must be re-created in the destination hierarchy.
Objects that can migrate are displayed when you configure migration jobs.
Plan to migrate clients by using a controlled approach that limits the network
bandwidth and server processing requirements when you migrate clients to the
destination hierarchy. For more about planning a client migration strategy, see
Planning a client migration strategy.
Instead, after the client migrates to its new site in the destination hierarchy and
receives policy for these configurations, the client submits this information to its
assigned site. This action populates the destination site database with current
inventory and compliance data.
Decide when objects and clients will be migrated. After migration completes, you
can plan to decommission the site servers in the source hierarchy.
Similarly, when you migrate from another Configuration Manager hierarchy, you
must install a new destination hierarchy that is a side-by-side deployment to your
source hierarchy.
Install a central administration site and then install at least one child primary.
You must configure and synchronize software updates in the destination hierarchy
before you can migrate software updates information from the source hierarchy.
Install and configure additional site system roles in the destination hierarchy:
Configure additional site system roles and site systems that you require.
Check that the Configuration Manager clients you install to the destination
hierarchy can communicate successfully with their assigned site.
When the source hierarchy runs Configuration Manager 2007 SP2, select and
configure additional sites in the source hierarchy:
For each additional site in the Configuration Manager 2007 SP2 source hierarchy
that you want to collect data from, you must configure credentials for data
gathering. When you configure each source site, the data-gathering process
begins immediately and continues throughout the migration period until you stop
data gathering for that site. Data gathering ensures that you can migrate objects
from the source hierarchy that are updated or added after a previous data-gathering process.
Note
When the source hierarchy runs System Center 2012 Configuration Manager
or later, you do not need to configure additional source sites.
You can share distribution points between the two hierarchies to make content for
objects that you migrate available to clients in the destination hierarchy. This
ensures that the same content remains available for clients in both hierarchies and
that you can maintain this content until you stop gathering data and finish the
migration.
For information about shared distribution points, see Share distribution points
between source and destination hierarchies in Planning a content deployment
migration strategy.
Create and run migration jobs to migrate objects associated with the clients in
the source hierarchy:
For more information, see Create and edit migration jobs for Configuration
Manager in Operations for migrating to Configuration Manager current branch.
When you migrate clients that have a client version that is not the same as the
destination hierarchy, you must upgrade the client software. Upgrade requires
the removal of the current Configuration Manager client, followed by the
installation of the new client version that matches the destination site.
When you migrate clients that have a client version that matches the version of
the destination hierarchy, the client does not upgrade or reinstall. Instead, the
client reassigns to a primary site in the destination hierarchy.
When you migrate a client to the destination hierarchy, the client is associated with
its data that you previously migrated to that destination hierarchy.
When you no longer have to support clients in your source hierarchy, you can
upgrade shared distribution points from a Configuration Manager 2007 source
site, or reassign shared distribution points from a System Center 2012
Configuration Manager or Configuration Manager current branch source site.
When you upgrade or reassign a distribution point, the site system role transfers to
a primary site in the destination hierarchy and the distribution point is removed
from the source site in the source hierarchy. When you upgrade or reassign a
shared distribution point, the content remains on the distribution point computer
and you do not have to redeploy the content to new distribution points in the
destination hierarchy.
Finish migration:
After you have migrated data and clients from all sites in the source hierarchy and
you have upgraded applicable distribution points, you can finish migration. To
finish migration you stop gathering data for each source site in the source
hierarchy. You can then remove migration information that you do not need and
decommission your source hierarchy infrastructure. For more information, see
Planning to complete migration.
Determine whether to migrate data to
Configuration Manager current branch
Article • 10/04/2022
Move data and configurations from a lab deployment into your production
deployment.
Move data and configuration from a prior version of Configuration Manager, like
Configuration Manager 2007, which has no upgrade path to Configuration
Manager current branch, or from System Center 2012 Configuration Manager
(which does support an upgrade path to Configuration Manager current branch).
With the exception of the distribution point site system role and the computers that
host distribution points, no infrastructure (which includes sites, site system roles, or
computers that host a site system role), migrates, transfers, or can be shared between
hierarchies.
Although you cannot migrate server infrastructure, you can migrate Configuration
Manager clients between hierarchies. Client migration involves migrating the data that
clients use from the source hierarchy to the destination hierarchy, and then installing or
reassigning the client software so that the client then reports to the new hierarchy.
After you install a client to the new hierarchy and the client submits its data, its unique
Configuration Manager ID helps Configuration Manager associate the data that you
previously migrated with each client computer.
The functionality that's provided by migration helps you maintain investments that you have made in configurations and deployments while letting you take full advantage of core changes in the product (which were first introduced in System Center 2012 Configuration Manager and then continued in Configuration Manager). These changes include a simplified Configuration Manager hierarchy that uses fewer sites and resources, and the improved processing that comes from using native 64-bit code that runs on 64-bit hardware.
For information about the versions of Configuration Manager that migration supports,
see Prerequisites for migration.
These modifications don't affect the data in the source site database. Objects that are
migrated from a supported version of System Center 2012 Configuration Manager or
Configuration Manager current branch don't require modification.
The following are the objects that can migrate, based on the version of Configuration Manager in the source hierarchy. Some objects, like queries, do not migrate. If you want to continue to use objects that do not migrate, you must recreate them in the new hierarchy. Other objects, including some client data, are automatically recreated in the new hierarchy when you manage clients in that hierarchy.
App-V Virtual Environment from System Center 2012 Configuration Manager and
later versions
Boundaries
Compliance settings:
Configuration baselines
Configuration items
Deployments
Boot images
Driver packages
Drivers
Images
Packages
Task sequences
Software updates:
Deployments
Deployment packages
Templates
Applications for System Center 2012 Configuration Manager and later versions
App-V Virtual Environment from System Center 2012 Configuration Manager and
later versions
Boundaries
Collections: You migrate collections from a supported version of Configuration
Manager 2007 by using a collection migration job.
Configuration baselines
Configuration items
Boot images
Driver packages
Drivers
Images
Packages
Task sequences
Software updates:
Deployments
Deployment packages
Templates
Queries
Configuration Manager 2007 security rights and instances for the site and objects
Security roles
Security scopes
Plan a source hierarchy strategy in
Configuration Manager
Article • 10/04/2022
Before you set up a migration job in your Configuration Manager environment, you
must configure a source hierarchy and gather data from at least one source site in that
hierarchy. Use the following sections to help you plan for configuring source hierarchies,
configuring source sites, and determining how Configuration Manager gathers
information from the source sites in the source hierarchy.
Source hierarchies
A source hierarchy is a Configuration Manager hierarchy that has data that you want to
migrate. When you set up migration and specify a source hierarchy, you specify the top-
level site of the source hierarchy. This site is also called a source site. Additional sites
that you can migrate data from in the source hierarchy are also called source sites.
When you set up a migration job to migrate data from a Configuration Manager
2007 source hierarchy, you configure it to migrate data from one or more specific
source sites in the source hierarchy.
When you set up a migration job to migrate data from a source hierarchy that runs
System Center 2012 Configuration Manager or later, you only need to specify the
top-level site.
If you set up a new source hierarchy, it automatically becomes the current source
hierarchy, replacing the previous one.
When you set up a source hierarchy, you must specify the top-level site of the
source hierarchy and specify credentials for Configuration Manager to use to
connect to the SMS Provider and site database of that source site.
As part of the data gathering process, child sites in the source hierarchy are
identified.
If the source hierarchy is a Configuration Manager 2007 hierarchy, you can set up
those additional sites as source sites with separate credentials for each source site.
Although you can set up multiple source hierarchies in succession, migration is active for
only one source hierarchy at a time.
If you set up an additional source hierarchy before you complete migration from
the current source hierarchy, Configuration Manager cancels any active migration
jobs and postpones any scheduled migration jobs for the current source hierarchy.
The newly configured source hierarchy then becomes the current source hierarchy,
and the original source hierarchy is now inactive.
You can then set up connection credentials, additional source sites, and migration
jobs for the new source hierarchy.
If you restore an inactive source hierarchy and have not previously used Cleanup
Migration Data, you can view the previously configured migration jobs for that source
hierarchy. However, before you can continue migration from that hierarchy, you must
reconfigure the credentials to connect to applicable source sites in the hierarchy, and
then reschedule any migration jobs that did not finish.
Caution
If you migrate data from more than one source hierarchy, each source hierarchy must
contain a unique set of site codes. The source and destination hierarchies must also
use different sets of site codes.
For more about configuring a source hierarchy, see Configuring source hierarchies and
source sites for migration to Configuration Manager current branch.
Source sites
Source sites are the sites in the source hierarchy that have the data that you want to
migrate. The top-level site of the source hierarchy is always the first source site. When
migration collects data from the first source site of a new source hierarchy, it discovers
information about additional sites in that hierarchy.
After data gathering completes for the initial source site, the actions you take next
depend on the product version of the source hierarchy.
To gather data from additional sites, you individually set up each site as a source site.
This requires you to specify the credentials for Configuration Manager to connect to the
SMS Provider and site database of each source site. After you set up the credentials for
a source site, the data gathering process for that site begins.
When you set up additional source sites in a Configuration Manager 2007 SP2 source
hierarchy, you must set up source sites from the top down, which means you set up the
bottom-tier sites last. You can configure source sites in a branch of the hierarchy at any
time, but you must set up a site as a source site before you set up any of its child sites
as source sites.
Note
Only primary sites in a Configuration Manager 2007 SP2 hierarchy are supported
for migration.
When you set up the access accounts to gather data, you might need to grant the
Source Site SMS Provider Account access to multiple computers in the source
hierarchy. This might be needed when the source site supports multiple instances of the
SMS Provider, each on a different computer. When data gathering begins, the top-level
site of the destination hierarchy contacts the top-level site in the source hierarchy to
identify the locations of the SMS Provider for that site. Only the first instance of the SMS
provider is identified. If the data gathering process cannot access the SMS Provider at
the location it identifies, the process fails and does not try to connect to additional
computers that run an instance of SMS Provider for that site.
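The checks above (the Source Site SMS Provider Account must reach the SMS Provider, only the first provider instance is tried, and source and destination site codes must not overlap) can be run before you configure the source hierarchy. The following PowerShell is an added pre-flight example, not code from the Configuration Manager documentation. The host names, site codes and account are placeholders; it assumes the destination top-level site can reach the source site server over DCOM and reads SMS_ProviderLocation and SMS_Site through WMI.

```powershell
# Added pre-flight check for a migration source hierarchy; example code, not from
# the Configuration Manager documentation. Assumptions: the host names, site codes
# and account are placeholders. Run from the destination top-level site as an
# administrator who can read the destination site's SMS Provider.
param(
    [string]$SourceSiteServer       = 'cm07-site.source.example',   # assumed
    [string]$DestinationSiteServer  = 'cas01.dest.example',         # assumed
    [string]$DestinationSiteCode    = 'CAS',                        # assumed
    [pscredential]$SourceCredential = (Get-Credential -Message 'Source Site SMS Provider Account')
)

# Older source site servers may not have WinRM, so talk to them over DCOM.
$dcom = New-CimSessionOption -Protocol Dcom

# 1. Ask the source top-level site where its SMS Provider instances live. Data
#    gathering only tries the first instance it finds, so every instance is tested
#    here to show which computer the Source Site SMS Provider Account can't reach.
$srcSession = New-CimSession -ComputerName $SourceSiteServer -Credential $SourceCredential `
                             -SessionOption $dcom -ErrorAction Stop
$providers  = Get-CimInstance -CimSession $srcSession -Namespace 'root\SMS' `
                              -ClassName SMS_ProviderLocation | Where-Object ProviderForLocalSite

$sourceSites = @()
foreach ($p in $providers) {
    # NamespacePath looks like \\HOST\root\sms\site_XYZ; strip the host part.
    $ns = $p.NamespacePath -replace '^\\\\[^\\]+\\', ''
    try {
        $s = New-CimSession -ComputerName $p.Machine -Credential $SourceCredential `
                            -SessionOption $dcom -ErrorAction Stop
        # SMS_Site enumerates the site and the child sites that gathering will discover.
        $sites = @(Get-CimInstance -CimSession $s -Namespace $ns -ClassName SMS_Site -ErrorAction Stop)
        Write-Host ("OK   {0} ({1}): {2} site(s): {3}" -f $p.Machine, $ns, $sites.Count, ($sites.SiteCode -join ', '))
        $sourceSites += $sites
    }
    catch {
        Write-Warning ("FAIL {0} ({1}): {2}" -f $p.Machine, $ns, $_.Exception.Message)
    }
}

# 2. Site codes must be unique across the source and destination hierarchies.
$destSites = @(Get-CimInstance -ComputerName $DestinationSiteServer `
                -Namespace "root\SMS\site_$DestinationSiteCode" -ClassName SMS_Site)
if ($sourceSites.Count -eq 0) {
    Write-Warning 'No source site data gathered; fix the provider access failures above first.'
}
else {
    $collisions = Compare-Object -ReferenceObject  @($sourceSites.SiteCode | Select-Object -Unique) `
                                 -DifferenceObject @($destSites.SiteCode   | Select-Object -Unique) `
                                 -IncludeEqual -ExcludeDifferent
    if ($collisions) {
        Write-Warning ("Site code collision(s): {0}. Re-plan before configuring this source hierarchy." -f ($collisions.InputObject -join ', '))
    }
    else {
        Write-Host 'No site code overlap between source and destination.'
    }
}
```

A FAIL line for any provider computer other than the first one is the case the paragraph warns about: gathering would report success against the first instance and never retry, so grant the account access on every computer that hosts an SMS Provider for the source site.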
Data gathering
Immediately after you specify a source hierarchy, set up credentials for each additional
source site in a source hierarchy, or share the distribution points for a source site,
Configuration Manager starts to gather data from the source site.
The data gathering process then repeats itself on a simple schedule to maintain
synchronization with any changes to data in the source site. By default, the process
repeats every four hours. You can change the schedule for this cycle by editing the
Properties of the source site. The initial data gathering process must review all objects
in the Configuration Manager database and can take a long time to finish. Subsequent
data gathering processes identify only changes to the data and require less time to
finish.
To gather data, the top-level site in the destination hierarchy connects to the SMS
Provider and the site database of the source site to retrieve a list of objects and
distribution points. These connections use the source site access accounts. For
information about required configurations for gathering data, see Prerequisites for
migration.
You can start and stop the data gathering process by using Gather Data Now and Stop
Gathering Data in the Configuration Manager console.
After you use Stop Gathering Data for a source site for any reason, you must
reconfigure credentials for the site before you can gather data from that site again. Until
you reconfigure the source site, Configuration Manager cannot identify new objects or
changes to previously migrated objects at that site.
Note
Before you expand a standalone primary site into a hierarchy with a central
administration site, you must stop all data gathering. You can reconfigure data
gathering after the site expansion completes.
To stop gathering data from a source hierarchy, run Stop Gathering Data in bottom-up
order: start at the bottom-tier source sites, repeat at each parent site, and finish
with the top-level site of the source hierarchy. Stop data gathering at every child site
before you stop it at the parent. Typically, you stop gathering data only when you're
ready to complete the migration process.
After you stop gathering data for a source site, information previously gathered about
objects and collections from that site remain available to use when you set up new
migration jobs. However, you do not see any new objects or collections, nor do you see
changes that were made to existing objects. If you reconfigure the source site and begin
gathering data again, you will see information and status about previously migrated
objects.
Plan a migration job strategy in
Configuration Manager
Article • 10/04/2022
Use migration jobs to configure the specific data that you want to migrate to your
Configuration Manager current branch environment. Migration jobs identify the objects
that you plan to migrate, and they run at the top-level site in your destination hierarchy.
You can set up one or more migration jobs per source site. This lets you migrate all
objects at one time or limited subsets of data with each job.
You can create migration jobs after Configuration Manager has successfully gathered
data from one or more sites from the source hierarchy. You can migrate data in any
sequence from the source sites that have gathered data. With a Configuration Manager
2007 source site, you can migrate data only from the site where an object was created.
With source sites that run System Center 2012 Configuration Manager or later, all data
that you can migrate is available at the top-level site of the source hierarchy.
Before you migrate clients between hierarchies, ensure that the objects that clients use
have migrated and that these objects are available in the destination hierarchy. For
example, when you migrate from a Configuration Manager 2007 SP2 source hierarchy,
you might have an advertisement for content that is deployed to a custom collection
that has a client. In this scenario, we recommend that you migrate the collection, the
advertisement, and the associated content before you migrate the client. This data
cannot be associated with the client in the destination hierarchy if the content,
collection, and advertisement are not migrated before the client migrates. If a client is
not associated with the data related to a previously run advertisement and content, the
client can be offered the content for installation in the destination hierarchy, which
might be unnecessary. When the client migrates after the data has migrated, the client is
associated with this content and advertisement, and unless the advertisement is
recurring, is not offered this content for the migrated advertisement again.
Some objects require more than the migration of data from the source hierarchy to the
destination hierarchy. For example, to successfully migrate software updates for your
clients to your destination hierarchy, you must deploy an active software update point,
configure the catalog of products, and synchronize the software update point with
Windows Server Update Services (WSUS) in the destination hierarchy.
Object migration: Migrate individual objects that you select. You select only the specific
data that you want to migrate.
Objects modified after migration: Migrate objects that you previously migrated and that
have since been updated in the source hierarchy.
Note
Collection migration jobs are available only when you migrate objects from a
Configuration Manager 2007 SP2 source hierarchy.
[Table: which migration job types (Collection migration, Object migration) apply to each
object type. Only fragments survived extraction; the recoverable object names are
Boundaries, Configuration baselines, Configuration items, Maintenance windows, and Task
sequences.]
Important
After a migration job runs successfully, its status is listed as Completed and it cannot be
run again. However, you can create a new migration job to migrate any of the objects
that were migrated by the original job, and the new migration job can include additional
objects as well. When you create additional migration jobs, the objects that have been
previously migrated show the state of Migrated. You can select these objects to migrate
them again, but unless the object has been updated in the source hierarchy, migrating
these objects again is not necessary. If the object has been updated in the source
hierarchy after it was originally migrated, you can identify that object when you use the
migration job type of Objects modified after migration.
You can delete a migration job before it runs. However, after a migration job finishes, it
remains visible in the Configuration Manager console and cannot be deleted. Each
migration job that has finished or has not yet run remains visible in the Configuration
Manager console until you finish the migration process and clean up migration data.
Note
After you have finished migration by using the Clean Up Migration Data action,
you can reconfigure the same hierarchy as the current source hierarchy to restore
visibility to the objects you previously migrated.
You can view the objects contained in any migration job in the Configuration Manager
console by selecting the migration job and then choosing the Objects in Job tab.
Use the information in the following sections to help you plan for all migration jobs.
Data selection
When you create a collection migration job, you must select one or more collections.
After you select the collections, the Create Migration Job wizard shows the objects that
are associated with the collections. By default, all objects associated with the selected
collections are migrated, but you can uncheck the objects that you do not want to
migrate with that job. When you uncheck an object that has dependent objects, those
dependent objects are also unchecked. All unchecked objects are added to an exclusion
list. Objects on an exclusion list are removed from automatic selection for future
migration jobs. You must manually edit the exclusion list to remove objects that you
want to have automatically selected for migration in migration jobs you create in the
future.
Information about content is shared to all sites in the destination hierarchy by using
database replication. However, any content that you assign to a primary site and then
deploy to distribution points at other primary sites transfers by using file-based
replication. This transfer is routed through the central administration site and then to
each additional primary site. By centralizing packages that you plan to distribute to
multiple primary sites before or during migration when you assign a site as the content
owner, you can reduce data transfers across low-bandwidth networks.
Before you set up a migration job, review how role-based administration works in
Configuration Manager. If necessary, set up one or more security scopes for the data
that you migrate to control who will have access to the migrated objects in the
destination hierarchy.
For more about security scopes and role-based administration, see Fundamentals of
role-based administration for Configuration Manager.
When you migrate a collection, Configuration Manager also migrates collection settings,
including maintenance windows and collection variables, but it cannot migrate
collection settings for AMT client provisioning.
Use the information in the following sections to learn about additional configurations
that can apply to collection-based migration jobs.
You can edit the exclusion list to remove objects that you have previously excluded.
After you remove an object from the exclusion list, it is then automatically selected when
an associated collection is specified during the creation of a new migration job.
Unsupported collections
Configuration Manager can migrate any of the default user collections, device
collections, and most custom collections from a Configuration Manager 2007 source
hierarchy. However, Configuration Manager cannot migrate collections that contain
users and devices in the same collection.
Empty collections
An empty collection is a collection that has no resources associated with it. When
Configuration Manager migrates an empty collection, it converts the collection to an
organizational folder that has no users or devices. This folder is created with the name
of the empty collection under the User Collections or Device Collections node in the
Assets and Compliance workspace in the Configuration Manager console.
For example, you select a collection named Win_10 that contains devices that run
Windows 10. This collection is limited to a collection named All_Clients that contains all
your client operating systems. Because Win_10 depends on it, All_Clients is automatically
selected for migration.
Collection limiting
With Configuration Manager current branch, collections are global data and are
evaluated at each site in the hierarchy. Therefore, plan how to limit the scope of a
collection after it is migrated. During migration, you can identify a collection from the
destination hierarchy to use to limit the scope of the collection that you are migrating
so that the migrated collection does not include unanticipated members.
For example, in Configuration Manager 2007, collections are evaluated at the site that
creates them and at child sites. An advertisement might be deployed to only a child site,
and this would limit the scope for that advertisement to that child site. In comparison,
with Configuration Manager current branch, collections are evaluated at each site and
associated advertisements are then evaluated for each site. Collection limiting lets you
refine the collection members based on another collection to avoid the addition of
unexpected collection members.
Note
You see the Enable programs for deployment in Configuration Manager after an
advertisement is migrated option only when you are creating a collection-based
migration job and the migration job contains advertisements.
To enable a program after migration, clear Disable this program on computers where it
is advertised on the Advanced tab of the program properties.
Object-based migration jobs do not have any additional configurations to plan for
beyond those applicable to all migration jobs.
The Objects modified after migration job type is similar to the object migration type,
except that when you select objects to migrate, you can select only objects that have
been updated since a previous migration job migrated them.
When you select this job type, the conflict resolution behavior on the Settings page of
the Create Migration Job wizard is configured to overwrite previously migrated objects.
This setting cannot be changed.
Note
This migration job can identify objects that are automatically updated by the source
hierarchy and objects that an administrative user updates.
Plan a client migration strategy in
Configuration Manager
Article • 10/04/2022
To migrate clients from the source hierarchy to a Configuration Manager current branch
destination hierarchy, you must do two tasks. You must migrate the objects that are
associated with the client and you must then reinstall or reassign the clients from the
source hierarchy to the destination hierarchy. You migrate the objects first so that they
are available when the clients are migrated. The objects associated with the client are
migrated by using migration jobs. For information about how to migrate the objects
that are associated with the client, see Planning a migration job strategy.
Use the following sections to help you plan to migrate clients to the destination
hierarchy.
A Configuration Manager 2007 source hierarchy: When you migrate clients from
a source hierarchy that runs a supported version of Configuration Manager, the
client software upgrades to the client version for the destination hierarchy.
Note
When the product version of a hierarchy is not supported for migration to
your destination hierarchy, upgrade all sites and clients in the source hierarchy
to a compatible product version. After the source hierarchy upgrades to a
supported product version, you can migrate between the hierarchies. For
more information, see Versions of Configuration Manager that are
supported for migration in Prerequisites for migration.
Use the following information to help you plan the client migration:
To upgrade or reassign clients from a source site to a destination site, you can use
any client deployment method that is supported for deploying clients in the
destination hierarchy. Typical client deployment methods include client push
installation, software distribution, Group Policy, and software update-based client
installation. For more information, see Client installation methods.
Ensure that the device that runs the client software in the source hierarchy meets
the minimum hardware requirements and runs an operating system that is
supported by the version of Configuration Manager in the destination hierarchy.
Before you migrate a client, run a migration job to migrate the information that
the client will use in the destination hierarchy.
Clients that upgrade retain their run history for deployments. This prevents
deployments from rerunning unnecessarily in the destination hierarchy.
You can migrate clients from sites in the source hierarchy in any order that you
choose. However, consider migrating limited numbers of clients in phases rather
than migrating large numbers of clients at a single time. A phased migration
reduces the network bandwidth requirements and server processing when each
newly upgraded client submits its initial full inventory and compliance data to its
assigned site.
When you migrate Configuration Manager 2007 clients, the existing client software
is uninstalled from the client computer and the new client software is installed.
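The planning points above (migrate the objects first, check the OS against the destination's requirements, move clients in phases, and rely on the client GUID to reconnect migrated data) can be carried out per phase with a script. The following PowerShell is an added example, not code from the Configuration Manager documentation. The site code, management point, ccmsetup share path and OS floor are placeholders, and the target computers are assumed to accept PowerShell remoting; it uses ccmsetup's SMSSITECODE and /mp parameters and reads the assigned site from SMS_Authority and the client GUID from CCM_Client.

```powershell
# Added example of one client migration phase; example code, not from the
# Configuration Manager documentation. Assumptions: site code, management point,
# ccmsetup share path and the OS floor are placeholders; targets must accept
# PowerShell remoting.
param(
    [Parameter(Mandatory)] [string[]]$Computers,           # one phase, not the whole estate
    [string]$DestinationSiteCode = 'PS1',                   # assumed
    [string]$DestinationMP       = 'mp01.dest.example',     # assumed
    [string]$CcmSetupSource      = '\\mp01.dest.example\SMS_PS1\Client',   # assumed
    [version]$MinimumOS          = '10.0'                   # assumed; use the destination's supported OS list
)

$results = foreach ($c in $Computers) {
    Invoke-Command -ComputerName $c -ErrorAction Continue `
        -ArgumentList $DestinationSiteCode, $DestinationMP, $CcmSetupSource, $MinimumOS -ScriptBlock {
        param($SiteCode, $MP, $Source, $MinOS)

        $os = Get-CimInstance Win32_OperatingSystem
        # SMS_Authority.Name is 'SMS:<site code>' for the currently assigned site.
        $assigned = (Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Authority -ErrorAction SilentlyContinue).Name
        # CCM_Client.ClientId is the GUID that ties the client to its previously migrated data.
        $clientId = (Get-CimInstance -Namespace 'root\ccm' -ClassName CCM_Client -ErrorAction SilentlyContinue).ClientId

        $state = [ordered]@{
            Computer     = $env:COMPUTERNAME
            OS           = $os.Version
            AssignedSite = $assigned
            ClientId     = $clientId
            Action       = ''
        }
        if ([version]$os.Version -lt $MinOS) {
            $state.Action = 'skipped: OS below destination minimum'
            return [pscustomobject]$state
        }
        if ($assigned -eq "SMS:$SiteCode") {
            $state.Action = 'already assigned to destination'
            return [pscustomobject]$state
        }

        # ccmsetup installs the destination client version and SMSSITECODE assigns it.
        # The bootstrapper exits as soon as the ccmsetup service is running; follow
        # C:\Windows\ccmsetup\Logs\ccmsetup.log on the client for the real outcome.
        $proc = Start-Process -FilePath (Join-Path $Source 'ccmsetup.exe') `
                              -ArgumentList "/mp:$MP", "SMSSITECODE=$SiteCode" -PassThru -Wait
        $state.Action = "ccmsetup launched (bootstrapper exit code $($proc.ExitCode))"
        [pscustomobject]$state
    }
}

$results | Select-Object Computer, OS, AssignedSite, ClientId, Action | Format-Table -AutoSize
```

Record the ClientId column for each phase: after the new client reports in, the same GUID should appear on the device record in the destination hierarchy, which confirms the migrated deployments and history were associated with the right computer rather than a new one.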
After you migrate the client to the destination hierarchy, you can no longer manage that
device by using your source hierarchy, and you should consider removing the client
from the source hierarchy. Although this is not a requirement when you migrate
hierarchies, it can help prevent identification of a migrated client in a source hierarchy
report, or an incorrect count of resources between the two hierarchies during the
migration. For example, when a migrated client remains in the source site database, you
might run a software updates report that incorrectly identifies the computer as an
unmanaged resource when it is now managed by the destination hierarchy.
The unique identifier (GUID), which associates a client with its information in the
Configuration Manager database.
The files in the client cache. If the client requires these files to install software, the
client downloads them again from the destination hierarchy.
Information about inventory. The client resends this information to its assigned site
in the destination hierarchy after the client migrates and the new client data has
been generated.
Compliance data. The client resends this information to its assigned site in the
destination hierarchy after the client migrates and the new client data has been
generated.
When a client migrates, information that is stored in the Configuration Manager client
registry and file path is not retained. After migration, reapply these settings. Typical
settings include the following:
Power schemes
Logging settings
Additionally, you cannot migrate customizations for hardware inventory from a source
hierarchy. You must introduce these to the destination hierarchy independently from
migration. For information about how to extend hardware inventory, see How to
configure hardware inventory.
Plan a content deployment migration
strategy in Configuration Manager
Article • 10/04/2022
While you actively migrate data to a Configuration Manager current branch destination
hierarchy, Configuration Manager clients in both the source and destination hierarchies
can maintain access to content that you deployed in the source hierarchy. You can also
use migration to upgrade or reassign distribution points from the source hierarchy to
become distribution points in the destination hierarchy. When you share and upgrade or
reassign distribution points, this strategy can help you avoid having to redeploy content
to new servers in the destination hierarchy for the clients that you migrate.
Although you can recreate and distribute content in the destination hierarchy, you can
also use the following options to manage this content:
Share distribution points in the source hierarchy with clients in the destination
hierarchy.
In addition to being a valid content location for clients in the destination hierarchy while
migration from the source hierarchy remains active, it is possible to upgrade or reassign
a distribution point to the destination hierarchy. You can upgrade Configuration
Manager 2007 shared distribution points and reassign System Center 2012
Configuration Manager shared distribution points. When you upgrade or reassign a
shared distribution point, the distribution point is removed from the source hierarchy
and becomes a distribution point in the destination hierarchy. After you upgrade or
reassign a shared distribution point, you can continue to use the distribution point in
the destination hierarchy after migration from the source hierarchy is finished. For more
about how to upgrade a shared distribution point, see Plan to upgrade Configuration
Manager 2007 shared distribution points. For more about how to reassign a shared
distribution point, see Plan to reassign Configuration Manager distribution points.
You can choose to share distribution points from any source site in your source
hierarchy. When you share distribution points for a source site, each qualifying
distribution point at that primary site and at each of its child secondary sites is
shared. To qualify as a shared distribution point, the site system server that hosts the
distribution point must be set up with a fully qualified domain name (FQDN). Distribution
points that are set up with only a NetBIOS name are disregarded.
Tip
Configuration Manager 2007 does not require you to set up an FQDN for site
system servers.
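Because sharing is site-wide and silently skips NetBIOS-only distribution points, it helps to list the source site's distribution points and flag which ones will qualify before you enable sharing. The following PowerShell is an added example, not code from the Configuration Manager documentation. The host name and site code are placeholders; it assumes the source site's SMS Provider is reachable over DCOM with the Source Site SMS Provider Account, and that SMS_SystemResourceList.ServerRemoteName holds the name clients are given (the FQDN when one is configured).

```powershell
# Added eligibility check for sharing distribution points; example code, not from
# the Configuration Manager documentation. Assumptions: host name and site code are
# placeholders; SMS_SystemResourceList.ServerRemoteName is taken to carry the FQDN
# when one is configured and the NetBIOS name otherwise.
param(
    [string]$SourceProvider   = 'cm07-site.source.example',   # assumed
    [string]$SourceSiteCode   = 'S07',                        # assumed
    [pscredential]$Credential = (Get-Credential -Message 'Source Site SMS Provider Account')
)

$session = New-CimSession -ComputerName $SourceProvider -Credential $Credential `
                          -SessionOption (New-CimSessionOption -Protocol Dcom) -ErrorAction Stop
$dps = Get-CimInstance -CimSession $session -Namespace "root\SMS\site_$SourceSiteCode" `
                       -ClassName SMS_SystemResourceList -Filter "RoleName='SMS Distribution Point'"

$report = foreach ($dp in $dps) {
    $name   = if ($dp.ServerRemoteName) { $dp.ServerRemoteName } else { $dp.ServerName }
    # A dot in the name is the FQDN test; a bare NetBIOS name never qualifies.
    $isFqdn = $name -match '\.'
    # An FQDN that doesn't resolve from the destination side is still a problem for clients.
    $resolves = $false
    if ($isFqdn) {
        try { [void][System.Net.Dns]::GetHostEntry($name); $resolves = $true } catch { }
    }
    $reason = if (-not $isFqdn)     { 'NetBIOS only: set an intranet FQDN, then wait for the next data gathering cycle' }
              elseif (-not $resolves) { 'FQDN does not resolve from here' }
              else                    { 'Qualifies for sharing' }
    [pscustomobject]@{
        SiteCode  = $dp.SiteCode
        Server    = $name
        Shareable = ($isFqdn -and $resolves)
        Reason    = $reason
    }
}

$report | Sort-Object Shareable, Server | Format-Table -AutoSize
```

Run it again after fixing any NetBIOS-only servers: the page notes that a distribution point updated to qualify is shared automatically, but only after the next data gathering cycle, so the console won't show it immediately.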
Use the following information to help you plan for shared distribution points:
Distribution points that you share must meet the prerequisites for shared
distribution points. For more about these prerequisites, see Required
configurations for migration in Prerequisites for migration.
The share distribution point action is a site-wide setting that shares all qualifying
distribution points at a source site and at any direct child secondary sites. You
cannot select individual distribution points to share when you enable distribution
point sharing.
Clients in the destination hierarchy can receive content location information for
packages that are distributed to distribution points that are shared from the source
hierarchy. For distribution points from a Configuration Manager 2007 source
hierarchy, this includes branch distribution points, distribution points on server
shares, and standard distribution points.
Warning
If you change the source hierarchy, shared distribution points from the
original source hierarchy are no longer available and cannot be offered as
content locations to clients in the destination hierarchy. If you reconfigure
migration to use the original source hierarchy, the previously shared
distribution points are restored as valid content location servers.
When you migrate a package that is hosted on a shared distribution point, the
package version must remain the same in the source and destination hierarchies.
When a package version is not the same in the source and destination hierarchy,
clients in the destination hierarchy cannot retrieve that content from the shared
distribution point. Therefore, if you update a package in the source hierarchy, you
must re-migrate the package data before clients in the destination hierarchy can
retrieve that content from a shared distribution point.
Note
When you view details for a package that is hosted on a shared distribution
point, the number of packages that display as Hosted Migrated Packages on
the source site's Shared Distribution Points tab is not updated until the next
data gathering cycle is finished.
You can view shared distribution points and their properties in the Source
Hierarchy node of the Administration workspace in the Configuration Manager
console that connects to the destination hierarchy.
You cannot use a shared distribution point from a Configuration Manager 2007
source hierarchy to host packages for Microsoft Application Virtualization (App-V).
App-V packages must migrate and be converted for use by clients in the
destination hierarchy. However, you can use a shared distribution point from a
System Center 2012 Configuration Manager or Configuration Manager current
branch source hierarchy to host App-V packages for clients in a destination
hierarchy.
When you share a protected distribution point from a Configuration Manager 2007
source hierarchy, the destination hierarchy creates a boundary group that includes
the protected network locations of that distribution point. You cannot change this
boundary group in the destination hierarchy. However, if you change the protected
boundary information for the distribution point in the Configuration Manager 2007
source hierarchy, that change is reflected in the destination hierarchy after the next
data gathering cycle finishes.
Note
The eligible distribution points are not visible in the Configuration Manager console
before you share distribution points from a source site. After you share distribution
points, only the distribution points that are successfully shared are listed.
After you have shared distribution points, you can change the configuration of any
shared distribution point in the source hierarchy. Changes that you make to the
configuration of a distribution point are reflected in the destination hierarchy after the
next data gathering cycle. Distribution points that you update so that they qualify for
sharing are shared automatically, and those that no longer qualify stop being shared.
For example, you might have a distribution point that is not set up with an intranet
FQDN and was not initially shared with the destination hierarchy. After you set up the
FQDN for that distribution point, the next data gathering cycle identifies this
configuration, and the distribution point is then shared with the destination hierarchy.
After Configuration Manager converts the content to the single instance store,
Configuration Manager deletes the original source content on the distribution point
computer to free up disk space. Configuration Manager does not use the original source
content location.
Not all Configuration Manager 2007 distribution points that you can share are eligible
for upgrade to Configuration Manager current branch. To be eligible for upgrade, a
Configuration Manager 2007 distribution point must meet the conditions for upgrade.
These conditions include the site system server on which the distribution point is
installed and the type of Configuration Manager 2007 distribution point that is installed.
For example, you cannot upgrade any type of distribution point that is installed on the
site server computer at a primary site, but you can upgrade a standard distribution point
that is installed on the site server computer at a secondary site.
Note
You can upgrade only those Configuration Manager 2007 shared distribution points
that are on a computer that runs an operating system version that is supported for
distribution points in the destination hierarchy. For example, although you can
share a Configuration Manager 2007 distribution point that is on a computer that
runs Windows Vista, you cannot upgrade this shared distribution point because the
operating system is not supported by Configuration Manager current branch for
use as a distribution point.
The following table lists the supported locations for each type of Configuration Manager
2007 distribution point that you can upgrade.
Distribution point on server shares [1]: Yes | No | No
Branch distribution point: Yes | No | No

[1] Configuration Manager current branch does not support server shares for site systems,
but it does support the upgrade of a Configuration Manager 2007 distribution point
that is on a server share. When you upgrade a Configuration Manager 2007 distribution
point that is on a server share, the distribution point type is automatically converted to a
server, and you must select the drive on the distribution point computer that will store
the single instance content store.
Warning
To identify distribution points that are eligible for upgrade in the Configuration Manager
console in the Source Hierarchy node, select a source site, and then select the Shared
Distribution Points tab. Eligible distribution points display Yes in the Eligible for
Upgrade column.
To upgrade the distribution point, Configuration Manager uses the Source Site Access
Account that is set up to gather data from the SMS Provider of the source site. Although
this account requires only Read permission for site objects to gather data from the
source site, it must also have Delete and Modify permission to the Site class to
successfully remove the distribution point from the Configuration Manager 2007 site
during the upgrade.
Note
Configuration Manager can convert content to the single instance store on only
one distribution point at a time. When you set up multiple distribution point
upgrades, the distribution points are queued for upgrade and processed one at a
time.
Before you upgrade a shared distribution point, ensure that all content that is deployed
to the distribution point is migrated. Content that you do not migrate before you
upgrade the distribution point is not available in the destination hierarchy after the
upgrade. When you upgrade a distribution point, the content in the migrated packages
is converted into a format that is compatible with the single instance store of the
destination hierarchy.
To upgrade a distribution point from within the Configuration Manager console, the
Configuration Manager 2007 site system server must meet the following conditions:
The distribution point configuration and location must be eligible for upgrade.
The distribution point computer must have sufficient disk space for the content to
be converted from the Configuration Manager 2007 content storage format to the
single instance store format. This conversion requires available free disk space
equal to the size of the largest package that is stored on the distribution point.
The distribution point computer must run an operating system version that is
supported as a distribution point in the destination hierarchy.
Note
When you upgrade a shared distribution point, you must assign the distribution point to
a primary or secondary site of your choice in the destination hierarchy. After the
distribution point is upgraded, manage the distribution point as a distribution point in
the destination hierarchy like any other distribution point.
You can monitor the progress of a distribution point upgrade in the Configuration
Manager console by selecting the Distribution Point Migration node under the
Migration node of the Administration workspace. You can also view information in the
Migmctrl.log on the central administration site server of the destination hierarchy, or in
the distmgr.log on the site server in the destination hierarchy that manages the
upgraded distribution point.
Note
If you decide not to upgrade a shared distribution point, you can still install a
distribution point from the destination hierarchy on a former Configuration Manager
2007 distribution point. Before you can install the new distribution point, you must first
uninstall all Configuration Manager 2007 site system roles from the distribution point
computer. This includes the Configuration Manager 2007 site if it is the site server
computer. When you uninstall a Configuration Manager 2007 distribution point, content
that was deployed to the distribution point is not deleted from the computer.
For a distribution point on the site server computer to be eligible for upgrade,
Configuration Manager must be able to uninstall the secondary site and each of the site
system roles on that computer. Typically, a shared distribution point on a Configuration
Manager 2007 server share is eligible for upgrade. However, when a server share exists
on the secondary site server, the secondary site and any shared distribution points on
that computer are not eligible for upgrade. This is because the server share is treated as
an additional site system object when the process attempts to uninstall the secondary
site, and this process cannot uninstall this object. In this scenario, you can enable a
standard distribution point on the secondary site server and then redistribute the
content to that standard distribution point. This process does not use network
bandwidth, and when finished, you can uninstall the distribution point on the server
share, remove the server share, and then upgrade the distribution point and secondary
site.
Before you upgrade a shared distribution point, review the distribution point
configuration in Configuration Manager 2007 to avoid upgrading a distribution point on
a secondary site that you still want to use with Configuration Manager 2007. This is a
good practice, because after you upgrade a shared distribution point that is on a
secondary site server, the site system server is removed from the Configuration Manager
2007 hierarchy and is no longer available for use with that hierarchy. When the
secondary site is removed, any remaining distribution points at that secondary site are
orphaned. This means they become unmanaged from Configuration Manager 2007 and
are no longer shared or eligible for upgrade.
Warning
When you view shared distribution points in the Configuration Manager console,
there is no visible indication that a shared distribution point is on a remote site
system server or on the secondary site server.
When you have a secondary site in a remote network location that is used primarily to
control the deployment of content to that remote location, consider upgrading
secondary sites that have a shared distribution point. Because you can set up bandwidth
control for when you distribute content to a Configuration Manager current branch
distribution point, you can often upgrade a secondary site to a distribution point, set up
the distribution point for bandwidth controls, and avoid installing a secondary site in
that network location in the destination hierarchy.
The process to upgrade a shared distribution point on a secondary site server is the
same as any other shared distribution point upgrade. Content is copied and converted
to the single instance store in use by the destination hierarchy. However, when you
upgrade a shared distribution point that is on a secondary site server, the upgrade
process also uninstalls the management point (if present) and then uninstalls the
secondary site from the server. The result is that the secondary site is removed from the
Configuration Manager 2007 hierarchy. To uninstall the secondary site, Configuration
Manager uses the account that is set up to gather data from the source site.
During the upgrade, there is a delay between when the Configuration Manager 2007
secondary site is uninstalled and when the installation of the distribution point in the
destination hierarchy begins. This delay, which is determined by the data-gathering
cycle, can be up to four hours. It is intended to provide time for the secondary site to
uninstall before the new distribution point installation begins.
For more about how to upgrade a shared distribution point, see Plan to upgrade
Configuration Manager 2007 shared distribution points.
When you reassign a distribution point, you do not have to redistribute migrated
content that was hosted on the source site distribution point. Additionally, unlike the
upgrade of a Configuration Manager 2007 distribution point, reassignment of a
distribution point does not require additional disk space on the distribution point
computer. This is because beginning with System Center 2012 Configuration Manager,
distribution points use the single instance store format for content. The content on the
distribution point computer does not need to be converted when the distribution point
is reassigned between hierarchies.
For a System Center 2012 Configuration Manager distribution point to be eligible for
reassignment, it must meet the following criteria:
A shared distribution point must be installed on a computer other than the site
server.
A shared distribution point cannot be co-located with any additional site system
roles.
To identify distribution points that are eligible for reassignment in the Configuration
Manager console in the Source Hierarchy node, select a source site, and then select the
Shared Distribution Points tab. Eligible distribution points display Yes in the Eligible for
Reassignment column (this column is named Eligible for Upgrade prior to System
Center 2012 R2 Configuration Manager).
To reassign the distribution point, the destination hierarchy uses the Source Site Access
Account that is set up to gather data from the SMS Provider of the source site. For
information about required permissions and additional prerequisites, see Prerequisites
for migration.
When you reassign distribution points, each distribution point must qualify to be either
upgraded or reassigned. The name of the action and process involved (upgrade or
reassign) depends on which version of Configuration Manager the source site runs. The
end results for both actions are the same: the distribution point is assigned to one of
your Current Branch sites with its content in place.
Prior to version 1610, Configuration Manager could process only one distribution point
at a time. Now you can reassign as many distribution points as you want with the
following caveats:
To minimize the network bandwidth that is used when you migrate content, consider
transferring ownership of content to a site in the destination hierarchy that is close on
the network to the content location in the source hierarchy. Because information about
the content in the destination hierarchy is shared globally, it will be available at every
site.
Although information about content is shared to all sites by using database replication,
any content that you assign to a primary site and then deploy to distribution points at
other primary sites transfers by file-based replication. This transfer is routed through the
central administration site and then to the additional primary site. You can reduce data
transfers across low-bandwidth networks by centralizing packages that you plan to
distribute to multiple primary sites before or during migration when you assign a site as
the content owner.
Plan for the migration of Configuration
Manager objects to Configuration
Manager current branch
Article • 10/04/2022
With Configuration Manager current branch, you can migrate many of the different
objects that are associated with different features found at a source site.
To successfully migrate software update objects, you must first set up your destination
hierarchy with configurations that match your source hierarchy environment. This
requires the following actions:
Set up the catalog of products and languages to match the configuration of your
source hierarchy
Sync the software update point in the destination hierarchy with Windows Server
Update Services (WSUS)
Migration of software update objects can fail when you have not synced
information in your destination hierarchy to match the configuration of your
source hierarchy.
Warning
Configuration Manager does not support use of the WSUSutil tool to sync
data between a source and destination hierarchy.
You cannot migrate custom updates that are published by using System Center
Updates Publisher. Instead, custom updates must be republished to the
destination hierarchy.
When you migrate from a Configuration Manager 2007 source hierarchy, the migration
process modifies some software update objects to the format in use by the destination
hierarchy. Use the following table to help you plan the migration of software update
objects from Configuration Manager 2007.
Software update lists: Software update lists are converted to software update groups.
Software update deployments: Software update deployments are converted to deployments and update groups.
Software update deployment templates: The Duration value in Configuration Manager 2007 deployment templates
does not migrate.
When you migrate objects from a System Center 2012 Configuration Manager or
Configuration Manager current branch source hierarchy, the software updates objects
are not modified.
After you migrate a package and program to the destination hierarchy, and while
migration from the source hierarchy remains active, you can make the content available
to clients in that hierarchy by using a shared distribution point. To use a shared
distribution point, the content must remain accessible on the distribution point at the
source site. For more about shared distribution points, see Share distribution points
between source and destination hierarchies in Plan a content deployment migration
strategy.
For content that has migrated, if the content version changes in the source hierarchy or
the destination hierarchy, clients can no longer access the content from the shared
distribution point in the destination hierarchy. In this scenario, you must re-migrate the
content to restore a consistent version of the package between the source hierarchy and
the destination hierarchy. This information syncs during the data gathering cycle.
Tip
For each package that you migrate, update the package in the destination
hierarchy. This action can prevent issues with deploying the package to distribution
points in the destination hierarchy. However, when you update a package on the
distribution point in the destination hierarchy, clients in that hierarchy will no
longer be able to get that package from a shared distribution point. To update a
package in the destination hierarchy, in the Configuration Manager console, go to
the Software Library, right-click on the package, and then select Update
Distribution Points. Do this action for each package that you migrate.
Tip
Virtual applications
When you migrate App-V packages from a supported Configuration Manager 2007 site,
the migration process converts them to applications in the destination hierarchy.
Additionally, based on existing advertisements for the App-V package, the following
deployment types are created in the destination hierarchy:
If there are no advertisements, one deployment type is created that uses the
default deployment type settings.
If one advertisement exists, one deployment type is created that uses the same
settings as the Configuration Manager 2007 advertisement.
Important
Note
After you migrate an App-V package, you can use the Update Content wizard to
change the source path for App-V deployment types. For more about how to
update content for a deployment type, see How to manage deployment types in
Management tasks for Configuration Manager applications.
When you migrate from a System Center 2012 Configuration Manager or Configuration
Manager current branch source hierarchy, you can migrate objects for the App-V virtual
environment in addition to App-V deployment types and applications. For more about
App-V environments, see Deploying App-V virtual applications.
Advertisements
You can migrate advertisements from a supported Configuration Manager 2007 source
site to the destination hierarchy by using collection-based migration. If you upgrade a
client, it retains the history of previously run advertisements to prevent the client from
rerunning migrated advertisements.
Note
You cannot migrate advertisements for virtual packages. This is an exception to the
migration of advertisements.
Applications
You can migrate applications from a supported System Center 2012 Configuration
Manager or Configuration Manager current branch source hierarchy to a destination
hierarchy. If you reassign a client from the source hierarchy to the destination hierarchy,
the client retains the history of previously installed applications to prevent the client
from rerunning a migrated application.
Migration of the collection object is not supported when you migrate from a
Configuration Manager 2007 source hierarchy.
Operating system images and packages. The source path of boot images is
updated to the default image location for the Windows Administrative Installation
Kit (Windows AIK) on the destination site. The following are requirements and
limitations to migrating operating system images and packages:
To successfully migrate image files, the computer account of the SMS Provider
server for the destination hierarchy's top-level site must have Read and Write
permission to the image source files of the source site's Windows AIK location.
When you migrate an operating system installation package, ensure that the
configuration of the package on the source site points to the folder that has the
WIM file and not to the WIM file itself. If the installation package points to the
WIM file, the migration of the installation package will fail.
When you migrate a boot image package from a Configuration Manager 2007
source site, the package ID of the package is not maintained in the destination
site. The result of this is that clients in the destination hierarchy cannot use boot
image packages that are available on shared distribution points.
Task sequences. When you migrate a task sequence that has a reference to a client
installation package, that reference is replaced with a reference to the client
installation package of the destination hierarchy.
Note
Drivers and driver packages. When you migrate driver packages, the computer
account of the SMS Provider in the destination hierarchy must have full control to
the package source.
Note
You can import Configuration Manager 2007 Configuration Packs. The import process
automatically converts the configuration packs to be compatible with Configuration
Manager current branch.
Each automatically created boundary group is enabled for content location but not for
site assignment. This prevents overlapping boundaries for site assignment between the
source and destination hierarchies. When you migrate from a Configuration Manager
2007 source site, this helps prevent new Configuration Manager 2007 clients that install
from incorrectly assigning to the destination hierarchy. By default, Configuration
Manager current branch clients do not automatically assign to Configuration Manager
2007 sites.
During migration, if you share a distribution point with the destination hierarchy, any
boundaries that are associated with that distribution point automatically migrate to the
destination hierarchy. In the destination hierarchy, migration creates a new read-only
boundary group for each shared distribution point. If you change the boundaries for the
distribution point in the source hierarchy, the boundary group in the destination
hierarchy updates with these changes during the next data gathering cycle.
Note
Because there are schema changes for reports between Configuration Manager
2007 and Configuration Manager current branch, test each report that you import
from a Configuration Manager 2007 hierarchy to ensure that it functions as
expected.
By default, the migration process maintains your search folder and administrative folder
structures for objects and collections when you migrate. However, in the Create
Migration Job wizard, on the Settings page, you can set up a migration job to not
migrate the organizational structure for objects by unchecking the box for this option.
The organizational structures of collections are always maintained.
One exception to this is a search folder that contains virtual applications. When an
App-V package is migrated, the App-V package is transformed into an application in
Configuration Manager. After migration of the search folder, only the remaining
packages are found, and the search folder cannot locate an App-V package because of
this conversion to an application when the App-V package migrates.
When you migrate a saved search from a System Center 2012 Configuration Manager or
Configuration Manager current branch source hierarchy, you migrate the criteria for the
search, and not the information about the search results. Migration of a saved search is
not applicable from a Configuration Manager 2007 source site.
Note
By default, software metering rules that you migrate to a destination hierarchy are not
associated with a specific site in the destination hierarchy and instead apply to all clients
in the hierarchy. To apply a software metering rule to clients at a specific site, you must
edit the metering rule after it migrates.
Planning to monitor migration activity
in Configuration Manager
Article • 10/04/2022
With Configuration Manager, you can monitor migration in the Configuration Manager
console that connects to the destination hierarchy. In the Configuration Manager
console in the Administration workspace, you can use the Migration node to monitor
the progress and success of migration jobs. You can view summary information for each
migration job that identifies objects that have migrated, those objects that have not yet
migrated, and the number of objects that are excluded from a migration job. You will
also see details about any migration problems.
Use the Configuration Manager log files to review the migration progress or to
identify any problems. Migration Manager is the Configuration Manager process
that tracks migration actions and records these in the migmctrl.log file in the
<InstallationPath>\LOGS folder on the site server.
Note
If a migration job fails, review the details in the migmctrl.log file as soon as
possible. The migration log entries are continually added to the file and
overwrite old details. If the entries are overwritten, you might not be able to
identify whether any problems that you might encounter with the migrated
objects relate to migration issues. Migration activity is logged at the top-level
site of the hierarchy regardless of the site your Configuration Manager
console connects to when you configure migration.
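As an added example (not code from the Configuration Manager documentation or product), the following PowerShell reads migmctrl.log in the CMTrace entry format that Configuration Manager logs use, keeps a dated copy of the file so that details are not lost when the log overwrites older entries, and returns the warning and error entries for review. The log path, archive folder, component name and sample entries are constructed assumptions; replace the path with the <InstallationPath>\LOGS location on your site server.

```powershell
# Added example (not part of the Configuration Manager documentation): triage
# migmctrl.log on the top-level site server and keep a dated copy of it.
# Configuration Manager logs use the CMTrace entry format:
#   <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
# where type 1 = informational, 2 = warning, 3 = error.

function Get-CMLogEntry {
    param([Parameter(Mandatory)] [string[]] $Line)

    # A single message can span several lines, so match against the joined text.
    $pattern = '<!\[LOG\[(?<text>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<component>[^"]*)"[^>]*?\btype="(?<type>\d)"'
    $text = $Line -join "`n"
    foreach ($m in [regex]::Matches($text, $pattern, 'Singleline')) {
        $severity = switch ($m.Groups['type'].Value) {
            '2'     { 'Warning' }
            '3'     { 'Error' }
            default { 'Info' }
        }
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['component'].Value
            Severity  = $severity
            Message   = $m.Groups['text'].Value.Trim()
        }
    }
}

function Save-MigrationLogSnapshot {
    param(
        # Placeholder paths: substitute the site server's <InstallationPath>\LOGS folder
        # and an archive folder of your choice.
        [string] $LogPath    = 'C:\Program Files\Microsoft Configuration Manager\Logs\migmctrl.log',
        [string] $ArchiveDir = 'C:\MigrationLogArchive'
    )
    if (-not (Test-Path -Path $ArchiveDir)) {
        New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
    }
    # Copy first, then parse the copy, so the snapshot is exactly the text that was reviewed.
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $snapshot = Join-Path -Path $ArchiveDir -ChildPath "migmctrl-$stamp.log"
    Copy-Item -Path $LogPath -Destination $snapshot
    $entries  = @(Get-CMLogEntry -Line (Get-Content -Path $snapshot))
    $problems = @($entries | Where-Object { $_.Severity -ne 'Info' })
    [pscustomobject]@{
        Snapshot = $snapshot
        Entries  = $entries.Count
        Problems = $problems
    }
}

# Constructed sample entries (not taken from a real migmctrl.log; the component
# name is an assumption) to show the parser's output without touching a site server.
$sample = @(
    '<![LOG[Migration job MIG-JOB-1 started]LOG]!><time="10:00:01.000+000" date="03-02-2023" component="MigMCtrl" context="" type="1" thread="1234" file="migmctrl.cpp:100">',
    '<![LOG[Could not connect to the SMS Provider of source site ABC]LOG]!><time="10:00:05.000+000" date="03-02-2023" component="MigMCtrl" context="" type="3" thread="1234" file="migmctrl.cpp:200">'
)
Get-CMLogEntry -Line $sample | Where-Object { $_.Severity -ne 'Info' } |
    Format-Table Date, Time, Severity, Message -AutoSize
```

Run Save-MigrationLogSnapshot on a schedule (for example, after each data gathering cycle) so that a failed job's entries survive even after the live log has moved on.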
With Configuration Manager, you can complete the process of migration when a source
hierarchy no longer has data that you want to migrate to your destination hierarchy.
Completing migration includes the following general steps:
Ensure that data you require has migrated. Before you complete migration from a
source hierarchy, make sure that you have successfully migrated all of the
resources from the source hierarchy that you require in the destination hierarchy.
This can include data and clients.
Stop gathering data from source sites. To complete migration from a source
hierarchy, you must first stop gathering data from source sites.
Clean up migration data. After you stop gathering data from all source sites in a
source hierarchy, you can remove data about the migration process and source
hierarchy from the database of the destination hierarchy.
Decommission the source hierarchy. After you complete migration from a source
hierarchy and that hierarchy no longer has resources that you manage, you can
decommission the sites in the source hierarchy and remove the related
infrastructure from your environment. For information about how to decommission
sites and source hierarchies, consult the documentation for that version of
Configuration Manager.
Use the following sections to help you plan to complete migration from a source
hierarchy by stopping data gathering and cleaning up migration data:
After you stop gathering data from a source site, shared distribution points from that
site are no longer available as content locations for clients in the destination hierarchy.
Therefore, ensure that any migrated content that the clients in the destination hierarchy
require access to remains available by using one of the following options:
Before you stop gathering data from a source site, upgrade or reassign shared
distribution points that have the required content. For more about upgrading or
reassigning shared distribution points, see the applicable sections in Planning a
content deployment migration strategy.
After you stop gathering data from each source site in the source hierarchy, you can
clean up migration data. Until you clean up migration data, each migration job that has
run or that is scheduled to run remains accessible in the Configuration Manager
console.
For more about source sites and data gathering, see Planning a source hierarchy
strategy.
When you clean up migration data, most data about the migration is removed from the
database of the destination hierarchy. However, details about migrated objects are
retained. With these details, you can use the Migration workspace to reconfigure the
source hierarchy that has the data that was migrated to resume migration from that
source hierarchy, or to review the objects and site ownership of the objects that
previously migrated.
Configure source hierarchies and source
sites for migration to Configuration
Manager current branch
Article • 10/04/2022
Note
Operations for migration are run at the top-level site in the destination hierarchy. If
you configure migration when you use a Configuration Manager console that is
connected to a primary child site, you must allow time for the configuration to
replicate to the central administration site, start, and then replicate status back to
the primary site to which you are connected.
Use the information and procedures in the following sections to specify the source
hierarchy and add additional source sites. After you finish these procedures, you can
create migration jobs and start to migrate data from the source hierarchy to the
destination hierarchy.
Use the following procedures to specify a source hierarchy for migration and to identify
additional source sites in a Configuration Manager 2007 hierarchy.
Run this procedure with a Configuration Manager console that is connected to the
destination hierarchy:
3. On the Home tab, in the Migration group, click Specify Source Hierarchy.
4. In the Specify Source Hierarchy dialog box, for Source Hierarchy, select New
source hierarchy.
5. For Top-level Configuration Manager site server, enter the name or IP address of
the top-level site of a supported source hierarchy.
6. Specify source site access accounts that have the following permissions:
Source Site Account: Read permission to the SMS Provider for the specified
top-level site in the source hierarchy. Distribution point sharing and upgrades
require Modify and Delete permissions to the site in the source hierarchy.
Source Site Database Account: Read and Execute permission to the SQL
Server database for the specified top-level site in the source hierarchy.
If you specify the use of the computer account, Configuration Manager uses
the computer account of the top-level site of the destination hierarchy. For
this option, ensure that this account is a member of the security group
Distributed COM Users in the domain where the top-level site of the source
hierarchy resides.
7. To share distribution points between the source and destination hierarchies, select
the Enable distribution point sharing for the source site server check box. If you
do not enable distribution point sharing at this time, you can do so by editing the
credentials of the source site after data gathering has finished.
8. Click OK to save the configuration. This opens the Data Gathering Status dialog
box, and data gathering starts automatically.
9. When data gathering finishes, click Close to close the Data Gathering Status
dialog box and complete the configuration.
For a Configuration Manager 2007 source hierarchy, you can begin migration from
that initial source site or set up additional source sites from the source hierarchy
after the data gathering finishes for the initial source site. To migrate data that is
only available from a child site, set up additional source sites for a Configuration
Manager 2007 hierarchy. For example, you might configure additional source sites
to gather data about content that you want to migrate when it's created at a child
site in the source hierarchy and is not available at the top site of the source
hierarchy.
When you configure additional source sites for a Configuration Manager 2007 source
hierarchy, you must configure the additional source sites from the top of the source
hierarchy to the bottom. You must configure a parent site as a source site before you
configure any of its child sites as source sites.
Use the following procedure to configure additional source sites for Configuration
Manager 2007 source hierarchies:
5. In the Source Site Credentials dialog box, for the source site access accounts,
specify accounts that have the following permissions:
Source Site Account: Read permission to the SMS Provider for the specified
top-level site in the source hierarchy. Distribution point sharing and upgrades
require Modify and Delete permissions to the site in the source hierarchy.
Source Site Database Account: Read and Execute permission to the SQL
Server database for the specified top-level site in the source hierarchy.
If you specify the use of the computer account, Configuration Manager uses the
computer account of the top-level site of the destination hierarchy. For this option,
ensure that this account is a member of the security group Distributed COM Users
in the domain where the top-level site of the source hierarchy resides.
6. To share distribution points between the source and destination hierarchies, select
the Enable distribution point sharing for the source site server check box. If you
do not enable distribution point sharing at this time, you can do so by editing the
credentials for the source site after data gathering has finished.
7. Click OK to save the configuration. This opens the Data Gathering Status dialog
box, and data gathering starts automatically.
For migration in Configuration Manager, you can migrate data and clients after you
successfully gather data from a source site in a supported source hierarchy. Use the
information in the following sections to create and run migration jobs to migrate data
and clients, and then finish the migration process.
Migrate clients
Finish migration
Note
The following procedure for creating a migration job that migrates by collections
applies only to source hierarchies that run a supported version of Configuration
Manager 2007. The collection-based migration job type is not available when you
migrate from a System Center 2012 Configuration Manager or Configuration
Manager current branch source hierarchy.
3. On the Home tab, in the Create group, choose Create Migration Job.
4. On the General page of the Create Migration Job wizard, set up the following and
then choose OK:
5. On the Select Collections page, set up the following and then choose Next:
If you want to migrate only collections and not the objects that are
associated with those collections, uncheck Migrate objects that are
associated with the specified collections. If you uncheck this option, no
associated objects are migrated in this job, and you can skip steps 6 and 7.
6. On the Select Objects page, uncheck any object types or specific available objects
that you do not want to migrate. By default, all associated object types and
available objects are selected. Choose Next.
7. On the Content Ownership page, assign the ownership of content from each listed
source site to a site in the destination hierarchy, and then choose Next.
8. On the Security Scope page, select one or more role-based administration security
scopes to assign to the objects to migrate in this migration job, and then choose
Next.
9. On the Collection Limiting page, set up a collection from the destination hierarchy
to limit the scope of each listed collection, and then choose Next. If no collections
are listed, choose Next.
10. On the Site Code Replacement page, assign a site code from the destination
hierarchy to replace the Configuration Manager 2007 site code for each listed
collection, and then choose Next. If no collections are listed, choose Next.
11. On the Review Information page, choose Save To File to save the displayed
information for later viewing. When you are ready to continue, choose Next.
12. On the Settings page, set up when the migration job will run, choose any
additional settings that you need for this migration job, and then choose Next.
13. Confirm the settings and finish the wizard.
3. On the Home tab, in the Create group, choose Create Migration Job.
4. On the General page of the Create Migration Job wizard, set up the following, and
then choose Next:
5. On the Select Objects page, select the object types that you want to migrate. By
default, all available objects are selected for each object type that you select.
6. On the Content Ownership page, assign the ownership of content from each listed
source site to a site in the destination hierarchy, and then choose Next. If no
source sites are listed, choose Next.
7. On the Security Scope page, select one or more role-based administration security
scopes to assign to the objects in this migration job, and then choose Next.
8. On the Review Information page, choose Save To File to save the displayed
information for later viewing. When you are ready to continue, choose Next.
9. On the Settings page, set up when the migration job will run and choose any
additional settings that you need for this migration job. Then choose Next.
3. On the Home tab, in the Create group, choose Create Migration Job.
4. On the General page of the Create Migration Job wizard, set up the following and
then choose Next:
In the Job type drop-down list, select Objects modified after migration.
5. On the Select Objects page, select the object types that you want to migrate. By
default, all available objects are selected for each object type that you select.
6. On the Content Ownership page, assign the ownership of content from each listed
source site to a site in the destination hierarchy, and then choose Next. If no
source sites are listed, choose Next.
7. On the Security Scope page, select one or more role-based administration security
scopes to assign to the objects in this migration job, and then choose Next.
8. On the Review Information page, choose Save To File to save the displayed
information for later viewing. When you are ready to continue, choose Next.
9. On the Settings page, set up when the migration job will run and choose any
additional settings that you require for this migration job. Unlike the other
migration job types, this migration job must overwrite the previously migrated
objects in the Configuration Manager database. Choose Next.
3. On the Home tab, in the Migration group, choose Edit Exclusion List.
4. In the Edit Exclusion List dialog box, select the excluded object that you want to
remove from the exclusion list, and then choose Remove.
5. Choose OK to save the changes and finish the edit. To cancel current changes and
restore all the objects that you have removed, choose Cancel, and then choose No.
This will cancel the removal of the objects, and close the Edit Exclusion List dialog
box.
Share distribution points from the source hierarchy
1. In the Configuration Manager console, choose Administration.
4. On the Source Site Credentials dialog box, select Enable distribution point
sharing for the source site server, and then choose OK.
3. Choose the migration job that you want to change. On the Home tab, in the
Properties group, choose Properties.
4. In the properties of the migration job, select the Settings tab, change the run time
for the migration job, and then choose OK.
3. Choose the migration job that you want to run. On the Home tab, in the Migration
Job group, choose Start.
Important
Before you upgrade a Configuration Manager 2007 branch distribution point, you
must uninstall the Configuration Manager 2007 client software from the branch
distribution point computer. If the Configuration Manager 2007 client software is
installed when you attempt to upgrade the distribution point, the upgrade fails and
content that was previously deployed to the branch distribution point is removed
from the computer.
Caution
When you upgrade or reassign a shared distribution point, the distribution point
site system role and site system computer are removed from the source site and
added as a distribution point to the site in the destination hierarchy that you select.
3. Select the site that owns the distribution point you want to upgrade, choose the
Shared Distribution Points tab, and select the eligible distribution point that you
want to upgrade or reassign.
4. On the Distribution Point tab, in the Distribution Point group, choose Reassign.
5. Specify settings in the Reassign Shared Distribution Point wizard like you are
installing a new distribution point for the destination hierarchy, with the following
addition:
On the Content Conversion page, review the guidance about the space
required to convert the existing content. Then, on the Drive Settings page of
the wizard, ensure that the drive of the distribution point computer that is
selected has the required amount of free disk space.
6. Confirm the settings and then finish the wizard.
4. View details and status about the selected migration job on the tabs for Summary
and Objects in Job.
Migrate clients
After you migrate data for clients between hierarchies but before you finish migration,
plan to migrate clients to the destination hierarchy. The migration of clients between
hierarchies involves uninstalling the Configuration Manager client software from
computers that are assigned to the source hierarchy, and then installing the
Configuration Manager client software from the destination hierarchy. When you install
the client from the destination hierarchy you also assign the client to a primary site in
that hierarchy. For more about migrating clients, see Planning a client migration
strategy.
Finish migration
Use this procedure to finish migration from the source hierarchy.
3. For a Configuration Manager 2007 source hierarchy, select a source site that is at
the bottom level of the source hierarchy. For a System Center 2012 Configuration
Manager or Configuration Manager current branch source hierarchy, select the
available source site.
4. On the Home tab, in the Clean Up group, choose Stop Gathering Data.
6. For a Configuration Manager 2007 source hierarchy, before you continue to the
next step, repeat steps 3, 4, and 5. Go through these steps at each site in the
hierarchy, from the bottom of the hierarchy to the top. For a System Center 2012
Configuration Manager or Configuration Manager current branch source hierarchy,
continue to the next step.
7. On the Home tab, in the Clean Up group, choose Clean Up Migration Data.
8. On the Clean Up Migration Data dialog box, from the Source hierarchy drop-
down list, select the site code and site server of the top-level site of the source
hierarchy, and then choose OK.
9. Choose Yes to finish the migration process for the source hierarchy.
Security and privacy for migration to
Configuration Manager current branch
Article • 10/04/2022
This topic contains security best practices and privacy information for migration to your
Configuration Manager current branch environment.
Security best practice: Use the computer account for the Source Site SMS Provider
Account and the Source Site SQL Server Account rather than a user account.
More information: If you must use a user account for migration, remove the account
details when migration is completed.

Security best practice: Use IPsec when you migrate content from a distribution point in
a source site to a distribution point in your destination site.
More information: Although the migrated content is hashed to detect tampering, if the
data is modified while it is transferred, the migration will fail.

Security best practice: Restrict and monitor the administrative users who can create
migration jobs.
More information: The integrity of the database of the destination hierarchy depends
upon the integrity of data that the administrative user chooses to import from the
source hierarchy. In addition, this administrative user can read all data from the source
hierarchy.
Clients that are blocked from a source site might successfully assign to the
destination hierarchy before their client record is migrated.
Although Configuration Manager retains the blocked status of clients that you
migrate, the client can successfully assign to the destination hierarchy if
assignment occurs before the migration of the client record is completed.
Audit messages are not migrated.
When you migrate data from a source site to a destination site, you lose any auditing
information from the source hierarchy.
For more information about security and privacy information, see Security and privacy
for Configuration Manager.
You can migrate some or all of the supported data from a source site to a destination
hierarchy.
Migration is not enabled by default and requires several configuration steps. Migration
information is not sent to Microsoft.
Before you migrate data from a source hierarchy, consider your privacy requirements.
Deploy servers and roles
Article • 10/04/2022
After you plan out your Configuration Manager site and hierarchy topology and are
ready to get sites installed or upgraded, use the information in the following articles:
If you have Configuration Manager volume licenses with Software Assurance, or if you
have purchased Configuration Manager volume licenses, you can download baseline
source media to install Configuration Manager from the Volume Licensing Service
Center.
If you have a Configuration Manager license from EMS, Microsoft 365, or a Cloud
Solution Provider (CSP), please see the Product and Licensing FAQ.
If you would like to purchase volume licenses for Configuration Manager, contact your
preferred Microsoft Reseller or see How to purchase through Volume Licensing. You can
also download media to install an evaluation edition of Configuration Manager from the
Evaluation Center website.
To learn about baseline media for Configuration Manager, see Baseline and update
versions.
Reference for Configuration Manager
Setup
Article • 10/04/2022
Configuration Manager Setup provides links to several topics that are detailed in the
following sections. The information presented here can help you prepare to install a
Configuration Manager site or hierarchy, and help prepare you for some of the decisions
you must make during the installation.
Basic includes data about setup and upgrade, like the number of sites and which
Configuration Manager features are enabled. No personally identifiable
information is transmitted.
Enhanced includes the data in the Basic level setting, plus it transmits data about
the hierarchy, how each feature is used (frequency and duration), and enhanced
diagnostic information like the memory state of your server when a system or app
crash occurs. No personally identifiable data is transmitted.
Full includes the data in the Basic and Enhanced level settings, and it also sends
advanced diagnostic information like system files and memory snapshots. This
option might include personally identifiable information, but we won't use that
information to identify or contact you, or to target advertising to you.
For more information, including disclosure of the details collected by each level, see
Diagnostics and usage data for Configuration Manager.
Before you run Configuration Manager setup to install or upgrade a site, you can use
the setup downloader standalone tool to download updated setup files. Run the tool
from the version of Configuration Manager that you want to install. Use updated setup
files to make sure your site installation uses current versions of key installation files.
When you use setup downloader, you specify a folder to contain the files. The account
you use to run the tool must have Full Control permissions to the download folder.
When you run setup to install or upgrade a site, you can specify this local copy of files
you previously downloaded. This behavior prevents setup from connecting to Microsoft
when you start the site install or upgrade. You can use the same local copy of setup files
for other site installations or upgrades of the same version.
If your organization restricts network communication with the internet using a firewall or
proxy device, you need to allow the tool to access internet endpoints. The device where
you'll run the tool requires internet access the same as the service connection point. For
more information, see Internet access requirements.
Command-line options
You can use the following command-line options with Setupdl.exe:
/VERIFY: Verify the files in the download folder, which include language files. For the
list of outdated files, review C:\ConfigMgrSetup.log. When you use this option, it
doesn't download any files.
/VERIFYLANG: Only verify the language files in the download folder. For the list of
outdated language files, review C:\ConfigMgrSetup.log.
/NOUI: Start setup downloader without the user interface. When you use this option,
the download path is required.
Example commands
Example 1
Setup downloader verifies the files in the specified download folder, and then
downloads files.
setupdl.exe C:\Download
Example 2
Setup downloader only verifies the files in the specified download folder.
Example 3
Setup downloader verifies the files in the specified download folder, and then
downloads files. The tool doesn't show any user interface.
Example 4
Setup downloader verifies the language files in the specified download folder, and then
downloads only the language files.
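The following PowerShell wrapper is an added example and is not part of the Configuration Manager documentation or product. It runs Setupdl.exe in each of the four modes described in Examples 1 to 4, checks the Full Control requirement on the download folder first, and returns the exit code together with the tail of C:\ConfigMgrSetup.log. The location of setupdl.exe, the option-before-folder argument order (taken from the /NOUI description, which says the path is required with that option), and the ACL check are assumptions.

```powershell
# Added example, not from the Configuration Manager docs. Wraps Setupdl.exe so the
# four modes described above (Examples 1-4) can be run from a script. The path to
# setupdl.exe and the option-before-folder argument order are assumptions.
function Invoke-SetupDownloader {
    [CmdletBinding()]
    param(
        # Folder that receives the setup files; the docs require Full Control on it.
        [Parameter(Mandatory)] [string] $DownloadFolder,
        # setupdl.exe from the Configuration Manager version you intend to install (assumed path).
        [string] $SetupdlPath = 'D:\SMSSETUP\BIN\X64\setupdl.exe',
        # One mode per run, mirroring Examples 1-4 above.
        [ValidateSet('Download', 'VerifyOnly', 'DownloadNoUI', 'VerifyLang')]
        [string] $Mode = 'Download'
    )

    if (-not (Test-Path -LiteralPath $SetupdlPath)) { throw "setupdl.exe not found at $SetupdlPath" }
    if (-not (Test-Path -LiteralPath $DownloadFolder)) {
        New-Item -ItemType Directory -Path $DownloadFolder | Out-Null
    }

    # Pre-flight for the Full Control requirement: look for an explicit Allow/FullControl
    # ACE for the current user. Group-based grants are not resolved here, so a missing
    # hit is a warning rather than a hard stop.
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $hasFull = (Get-Acl -LiteralPath $DownloadFolder).Access | Where-Object {
        $_.IdentityReference.Value -eq $me -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    if (-not $hasFull) { Write-Warning "No explicit Full Control ACE for $me on $DownloadFolder" }

    $argList = switch ($Mode) {
        'Download'     { @($DownloadFolder) }                  # Example 1: verify, then download
        'VerifyOnly'   { @('/VERIFY', $DownloadFolder) }       # Example 2: verify only
        'DownloadNoUI' { @('/NOUI', $DownloadFolder) }         # Example 3: no UI; path is required
        'VerifyLang'   { @('/VERIFYLANG', $DownloadFolder) }   # Example 4: language files only
    }

    $proc = Start-Process -FilePath $SetupdlPath -ArgumentList $argList -Wait -PassThru
    # The docs point to C:\ConfigMgrSetup.log for the list of outdated files.
    $log = Join-Path $env:SystemDrive 'ConfigMgrSetup.log'
    [pscustomobject]@{
        Mode     = $Mode
        ExitCode = $proc.ExitCode
        LogTail  = if (Test-Path -LiteralPath $log) { Get-Content -LiteralPath $log -Tail 20 } else { @() }
    }
}

# Verify an existing download folder without downloading (Example 2), then show the log tail.
Invoke-SetupDownloader -DownloadFolder 'C:\Download' -Mode VerifyOnly
```

Run it on the machine that has internet access (the same requirement as the service connection point); the verify-only mode is the one to use on an offline site server to confirm that a previously downloaded folder is still current before pointing Setup at it.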
2. Copy the following files to the same destination folder on the other computer:
setupdl.exe
.\<language>\setupdlres.dll
Note
This file is in the subfolder for the install language. For instance, English
is in the 00000409 subfolder.
The destination folders on your device should look like the following example:
C:\ConfigManInstall\setupdl.exe
C:\ConfigManInstall\00000409\setupdlres.dll
3. Run the setup downloader from the destination computer. Use either the user
interface or the command prompt.
Prerequisite Checker for Configuration
Manager
Article • 10/04/2022
Before you run Setup to install or upgrade a Configuration Manager site, or before you
install a site system role on a new server, you can use this stand-alone application
(Prereqchk.exe) from the version of Configuration Manager that you want to use to verify
server readiness. Use Prerequisite Checker to identify and fix problems that would block
a site or site system role installation.
Note
When you run Prerequisite Checker at a command prompt and specify specific
command-line options:
Prerequisite Checker only runs the checks that are associated with the site server or
site systems that you specify in the command line.
To check a remote computer, your user account must have Administrator rights to
the remote computer.
Source folders
By default, the prerequisite checker tool is in one of the following locations:
2. Copy the following files to the destination folder on the other computer:
prereqchk.exe
prereqcore.dll
prereqchkres.dll
This file is in the subfolder for the install language. For
example, English is in the 00000409 subfolder.
basesql.dll
basesvr.dll
baseutil.dll
Note
Prerequisite Checker detects existing sites, and if found, runs the checks for upgrade
readiness. If no sites are found, it runs all checks. The Site Type column provides
information about the site server or site system with which the rule is associated.
Select an item in the list for details about how to resolve the problem.
Before you install the component, resolve all items in the list that have an Error
status.
To review results after you close the tool, open the ConfigMgrPrereq.log file in the
root of the system drive. The log file might contain more information that's not
displayed in the tool.
2. To start Prerequisite Checker and run all prerequisite checks on the server, run the
following command: prereqchk.exe /LOCAL
You can also run it with other command-line options. For example, to check a primary
site:
Command-line options
There are four installation scenarios: the Configuration Manager console, a central
administration site (CAS), a primary site, and a secondary site. The console scenario
takes only its own required option and can't be combined with any other. The following
list summarizes the command-line options for the three site scenarios:
Central administration site
Required
/CAS
/SDK
/SQL
Optional
/EXPAND
/INSTALLDIR
/NOUI
/SCP
/SSBPORT
Primary site
Required
/PRI
/SDK
/SQL
Optional
/DP
/INSTALLDIR
/JOIN
/MP
/NOUI
/SCP
/SSBPORT
Secondary site
Required
/SEC
Optional
/INSTALLDIR
/INSTALLSQLEXPRESS
/NOUI
/SECUPGRADE
/SOURCEDIR
/SQLPORT
/SSBPORT
Required. This option verifies that the local computer meets the requirements for
installing the Configuration Manager console. It doesn't check any server requirements.
You can't combine this option with any other option.
/CAS
Required. This option verifies that the local server meets the requirements for the CAS.
You can't combine it with the /PRI or /SEC options.
/DP
Optional. Specify the FQDN of the server to host the distribution point role, for example:
/PRI /DP dp01.contoso.com
This option verifies that the specified server meets the requirements for the distribution
point site system role. This option can be used alone or with the /PRI option.
/Expand
Optional. Specify the FQDN of a primary site, for example: /CAS /EXPAND cmprimary.contoso.com
This option verifies that the referenced primary site meets the requirements to expand a
hierarchy with a CAS.
/InstallDir
Optional. Specify the local installation path, for example /InstallDir C:\ConfigMgr
This option verifies the minimum disk space for site installation.
/InstallSQLExpress
Optional. This option verifies that SQL Server Express can be installed on the specified
secondary site server.
/Join
Optional. Specify the FQDN of the CAS server, for example, /PRI /JOIN cas.contoso.com
This option verifies that the local server meets the requirements for connecting to the
CAS server.
/MP
Optional. Specify the FQDN of the server to host the management point role, for
example: /PRI /MP mp01.contoso.com
This option verifies that the specified server meets the requirements for the
management point site system role. This option can be used alone or with the /PRI
option.
/NoUI
Optional. This option starts the prerequisite checker without displaying the user
interface. Specify this option before any other option in the command line.
/Pri
Required. This option verifies that the local server meets the requirements for a primary
site. You can't combine it with the /CAS or /SEC options.
/SCP
Applies to: CAS, Primary
Optional. Specify the FQDN of the server to host the service connection point. This
server may be the same as the site server.
Starting in version 2111, this option verifies that the specified computer meets the
requirements for the service connection point site system role. You can use this option
alone or with the /PRI or /CAS options.
/SDK
Required. Specify the FQDN of the server to host the SMS Provider role. This server may
be the same as the site server.
This option verifies that the specified server meets the requirements for the SMS
Provider.
/Sec
Required. Specify the FQDN of the secondary site server, for example: /SEC
sec01.contoso.com
This option verifies that the specified server meets the requirements for the secondary
site. You can't combine it with the /CAS or /PRI options.
/SecUpgrade
Optional. Specify the FQDN of the secondary site server, for example: /SECUPGRADE
sec01.contoso.com
This option verifies that the specified server meets the requirements for the secondary
site upgrade. You can't combine it with the /CAS , /PRI , or /SEC options.
/SourceDir
/SQL
Required. Specify the fully qualified domain name (FQDN) of the SQL Server, for
example /SQL sql01.contoso.com
This option verifies that the specified server meets the requirements for SQL Server to
host the Configuration Manager site database.
/SQLPort
Optional. This option verifies that a firewall exception exists to allow communication for
the SQL Server service port. It also checks that the port isn't in use by another named
instance of SQL Server. The default port is 1433.
/SSBPort
Optional. This option verifies that a firewall exception exists to allow communication on
the SQL Server Service Broker (SSB) port. The default SSB port is 4022.
List of prerequisite checks for
Configuration Manager
Article • 02/22/2023
This article details the prerequisite checks that run when you install or update
Configuration Manager. For more information, see Prerequisite checker.
Errors
Active replica MP
Applies to: Primary site
When you expand a primary site to a hierarchy, the user account that runs setup has
Administrator rights on the standalone primary site server.
The user account that runs Configuration Manager setup has Administrator rights on
the site server.
Starting in version 2107, this error happens if the site has either of the following site
system roles:
Support for the application catalog was removed in version 1910. For more information,
see Remove the application catalog.
Important
When you expand a primary site to a hierarchy, the Asset Intelligence synchronization
point role isn't installed on the standalone primary site.
BITS enabled
Applies to: Management point
Background Intelligent Transfer Service (BITS) is installed on the management point. This
check can fail for one of the following reasons:
The IIS 6.0 WMI compatibility component for IIS 7.0 isn't installed on the server or
remote IIS host.
Setup was unable to verify remote IIS settings; IIS common components aren't installed
on the site server.
When you expand a primary site to a hierarchy, the computer account of the central
administration site server has Administrator rights on the standalone primary site
server.
You're installing the management point on a server that doesn't have a different version
of the Configuration Manager client installed.
When you expand a primary site to a hierarchy, the cloud management gateway (CMG)
role isn't installed on the standalone primary site.
The user account that runs Configuration Manager setup on the primary site to join an
existing hierarchy has the sysadmin role on the SQL Server instance for the central
administration site.
Custom client agent settings have NAP enabled
Applies to: Central administration site, primary site
There are no custom client settings that enable network access protection (NAP).
When you expand a primary site to a hierarchy, the data warehouse service point role
isn't installed on the standalone primary site.
You configured a dedicated instance of SQL Server to host the Configuration Manager
site database.
If another site uses the instance, you must select a different instance for the new site.
You can also uninstall the other site, or move its database to a different instance for the
SQL Server.
The default client settings don't enable network access protection (NAP).
A site server or site system role isn't already installed on the server selected for site
installation.
The primary site you plan to expand is a standalone primary site. It has the same version
of Configuration Manager, but a different site code than the central administration site
to be installed.
The Windows Firewall is disabled or a relevant Windows Firewall exception exists for SQL
Server.
Allow Sqlservr.exe or the required TCP ports to be accessed remotely. By default, SQL
Server listens on TCP port 1433, and the SQL Server Service Broker (SSB) uses TCP port
4022.
To install the site server, it must have at least 15 GB of free disk space. If you install the
SMS Provider on the same server, it needs an additional 1 GB of free space.
During an upgrade, collections reference only other collections of the same type.
When you expand a primary site to a hierarchy, the site database for the standalone
primary site has the same collation as the site database at the central administration
site.
When using an availability group, the max text repl size setting must be properly
configured. For more information, see Prepare to use an availability group.
When you expand a primary site to a hierarchy, the Microsoft Intune Connector role isn't
installed on the standalone primary site.
When this check fails, setup wasn't able to verify the version, or the installed version
doesn't meet the minimum requirement of Windows Installer 4.5.
Starting in version 2211, if you have a Microsoft Store for Business connector
configured, you'll see this warning while performing the upgrade, in line with the
deprecation announcement for that connector.
.NET Framework 3.5 is installed or enabled on the Configuration Manager site server.
.NET Framework 4.0 is installed or enabled on the Configuration Manager secondary site
server. This version is required by SQL Server Express.
The replication status of the parent site is Replication active (state 125).
Before you run setup, another program requires the server to be restarted.
To see if the computer is in a pending restart state, it checks the following registry
locations:
HKLM:Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending
HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
HKLM:SYSTEM\CurrentControlSet\Control\Session Manager, PendingFileRenameOperations
HKLM:Software\Microsoft\ServerManager, CurrentRebootAttempts
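The following PowerShell function is an added example, not code from the Configuration Manager documentation or from Setup itself. It reproduces the four registry checks listed above so that you can find out which one is holding a restart before you run Setup: the first two are key-existence checks, the third looks at the PendingFileRenameOperations value, and the fourth at CurrentRebootAttempts. The function and property names are the example's own.

```powershell
# Added example, not from the Configuration Manager docs: reproduce the four registry
# checks listed above so the cause of a pending restart can be found before running
# setup. Function and output names are the example's own.
function Test-PendingReboot {
    [CmdletBinding()]
    param()

    $reasons = [System.Collections.Generic.List[string]]::new()

    # 1. Component Based Servicing: the key exists only while a servicing restart is pending.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons.Add('Component Based Servicing\RebootPending key present')
    }

    # 2. Windows Update: likewise, the key exists only while an installed update needs a restart.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons.Add('WindowsUpdate\Auto Update\RebootRequired key present')
    }

    # 3. Session Manager: a non-empty PendingFileRenameOperations value means files are queued
    #    for rename or delete at next boot (typical after an installer replaced a locked DLL).
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PSObject.Properties['PendingFileRenameOperations'] -and $sm.PendingFileRenameOperations) {
        $pending = @($sm.PendingFileRenameOperations | Where-Object { $_ })
        $reasons.Add("PendingFileRenameOperations holds $($pending.Count) entries")
    }

    # 4. Server Manager: CurrentRebootAttempts is present when Server Manager knows a restart is due.
    $srvMgr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager' -ErrorAction SilentlyContinue
    if ($srvMgr -and $srvMgr.PSObject.Properties['CurrentRebootAttempts']) {
        $reasons.Add("ServerManager\CurrentRebootAttempts = $($srvMgr.CurrentRebootAttempts)")
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RebootPending = ($reasons.Count -gt 0)
        Reasons       = $reasons.ToArray()
    }
}

Test-PendingReboot
```

To run the same check on the remote site systems Prerequisite Checker will touch (the SQL Server, SMS Provider, management point and distribution point hosts), wrap the function in Invoke-Command against each FQDN; the user running it needs Administrator rights on those computers, the same requirement Prerequisite Checker has for remote checks.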
Primary FQDN
Applies to: Central administration site, primary site, secondary site, site database server
The NetBIOS name of the computer matches the local hostname in the fully qualified
domain name (FQDN).
Site database servers and secondary site servers aren't supported on a read-only
domain controller (RODC).
For more information, see Installing SQL Server on a domain controller.
If the Configuration Manager site database is already installed, this check also applies to
the database. For information about changing your SQL Server instance and database
collations, see SQL Server collation and unicode support.
If you're using a Chinese OS and require GB18030 support, this check doesn't apply. For
more information about enabling GB18030 support, see International support.
This rule checks if the .NET Framework is at least version 4.6.2. You'll see this error if the
system has less than version 4.6.2.
Note
Third-party add-ons that use Microsoft .NET Framework and rely on Configuration
Manager libraries also need to use .NET 4.6.2 or later. For more information, see
External dependencies require .NET 4.6.2.
Important
If you're upgrading from System Center 2012 Configuration Manager R2 Service
Pack 1, you need to manually verify that remote site systems have at least .NET
version 4.6.2. Configuration Manager current branch setup skips the check in this
scenario.
The computer account for the secondary site has the following permissions to the setup
source folder and share:
Note
If you use administrative shares, for example, C$ and D$, the secondary site
computer account must be an Administrator on the server.
The Configuration Manager version in the specified source folder for the secondary site
installation matches the Configuration Manager version of the primary site.
The specified site code isn't already in use in the Configuration Manager hierarchy.
Specify a unique site code for this site.
Site server computer account administrative rights
Applies to: Primary site, site database server
The site server computer account has Administrator rights on the SQL Server and
management point.
When you expand a primary site to a hierarchy, the site server in passive mode role isn't
installed on the standalone primary site.
Any instance of the SMS Provider is in the same domain as the site server.
The site isn't using network load balancing (NLB) with any virtual locations for active
software update points.
When using an availability group, the server must meet the minimum requirements. For
more information, see Prepare to use an availability group.
When using an availability group, check the secondary read state of the replicas.
When using an availability group, configure the replicas for manual failover.
When using an availability group, you need to configure replicas with the same seeding
mode.
The SQL Server meets the minimum requirements for site upgrade. For more
information, see Supported SQL Server versions.
Starting in version 2107, this check will fail if the amount of replicated data from the
primary site will exceed the 10-GB size limit of SQL Server Express. For more
information, see Configuration Manager site sizing and performance FAQ.
SQL Server Express can successfully install on the secondary site server.
SQL Server is installed on the secondary site server. You can't install SQL Server on a
remote site system for a secondary site.
Warning
This check only applies when you select to have setup use an existing instance of
SQL Server.
The sign-in account for the SQL Server service isn't a local user account or LOCAL
SERVICE.
Configure the SQL Server service to use a valid domain account, NETWORK SERVICE, or
LOCAL SYSTEM.
The user account that runs Configuration Manager setup has the sysadmin role on the
SQL Server instance that you selected for site database installation. This check also fails
when setup is unable to access the instance for the SQL Server to verify permissions.
The user account that runs Configuration Manager setup has the sysadmin role on the
SQL Server role instance that you selected as the reference site database. SQL Server
sysadmin role permissions are required to modify the site database.
TCP is enabled for the SQL Server instance, and is set to use a static port.
A supported version of SQL Server is installed on the specified site database server.
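The following PowerShell function is an added example, not part of the Configuration Manager documentation or of Setup. Run from the intended site server, it checks the SQL Server rules listed above that most often fail on a fresh build: that TCP 1433 and the Service Broker port 4022 are reachable through the firewall, that the SQL Server service isn't running as a local user account or LOCAL SERVICE, and that TCP is enabled on a static port rather than a dynamic range. The host and instance names are placeholders; the registry paths are the standard SQL Server network-configuration keys, and reading them requires Administrator rights on the SQL host.

```powershell
# Added example, not from the Configuration Manager docs. Runs the SQL Server checks
# listed above (ports reachable through the firewall, service account, TCP enabled
# on a static port) from the intended site server against a remote SQL host.
# Host and instance names are placeholders; the registry paths are standard SQL Server ones.
function Test-CMSqlPrerequisites {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SqlServer,    # FQDN of the site database server
        [string] $InstanceName = 'MSSQLSERVER',         # default instance; use the instance name otherwise
        [int]    $SqlPort = 1433,                       # SQL Server TCP port (default)
        [int]    $SsbPort = 4022                        # SQL Server Service Broker port (default)
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Firewall exception / reachability from this site server for both ports.
    foreach ($p in @($SqlPort, $SsbPort)) {
        $tnc = Test-NetConnection -ComputerName $SqlServer -Port $p -WarningAction SilentlyContinue
        $findings.Add([pscustomobject]@{ Check = "TCP $p reachable"; Pass = $tnc.TcpTestSucceeded; Detail = "$env:COMPUTERNAME -> $SqlServer" })
    }

    # 2-3. Service account and TCP listener settings are read on the SQL host itself; this needs
    #      admin rights there (the site server computer account needs them anyway).
    $sql = Invoke-Command -ComputerName $SqlServer -ArgumentList $InstanceName -ScriptBlock {
        param($inst)
        $svcName = if ($inst -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$inst" }
        $svc     = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
        $base    = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
        $instId  = (Get-ItemProperty "$base\Instance Names\SQL").$inst        # e.g. MSSQL15.MSSQLSERVER
        $tcp     = Get-ItemProperty "$base\$instId\MSSQLServer\SuperSocketNetLib\Tcp"
        $ipAll   = Get-ItemProperty "$base\$instId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
        [pscustomobject]@{
            StartName    = $svc.StartName
            TcpEnabled   = ([int]$tcp.Enabled -eq 1)
            StaticPort   = [string]$ipAll.TcpPort
            DynamicPorts = [string]$ipAll.TcpDynamicPorts
        }
    }

    # Service account: rejected if it's a local user (".\x" or "<SQLHOST>\x") or LOCAL SERVICE.
    # Domain accounts, NETWORK SERVICE and LOCAL SYSTEM pass, as the rule above states.
    $acct    = $sql.StartName
    $sqlHost = ($SqlServer -split '\.')[0]
    $isLocalUser    = ($acct -match '^\.\\') -or ($acct -match "^$([regex]::Escape($sqlHost))\\")
    $isLocalService = $acct -in @('NT AUTHORITY\LocalService', 'NT AUTHORITY\LOCAL SERVICE')
    $findings.Add([pscustomobject]@{ Check = 'Service account'; Pass = -not ($isLocalUser -or $isLocalService); Detail = $acct })

    # TCP must be enabled and bound to a static port; a configured dynamic range fails the rule.
    $findings.Add([pscustomobject]@{ Check = 'TCP enabled'; Pass = $sql.TcpEnabled; Detail = "Enabled=$($sql.TcpEnabled)" })
    $staticOk = ($sql.StaticPort -ne '') -and ($sql.DynamicPorts -eq '')
    $findings.Add([pscustomobject]@{ Check = 'Static TCP port'; Pass = $staticOk; Detail = "TcpPort='$($sql.StaticPort)' TcpDynamicPorts='$($sql.DynamicPorts)'" })

    $findings
}

Test-CMSqlPrerequisites -SqlServer 'sql01.contoso.com' | Format-Table -AutoSize
```

The port probes only prove that something answers on 1433 and 4022 from this host; Prerequisite Checker's /SQLPort and /SSBPort options additionally confirm that the firewall exception exists and that 1433 isn't claimed by another named instance, so run both before Setup.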
For more information, see the Supported OS versions for the Configuration Manager
console.
For more information, see Supported OS versions for Configuration Manager site system
servers.
The out of band service point site system role isn't installed.
The system health validation point site system role isn't installed.
All site servers in the hierarchy meet the Configuration Manager minimum version that's
required for upgrade.
USMT installed
Applies to: Central administration site, primary site (standalone only)
The User State Migration Tool (USMT) component of the Windows Assessment and
Deployment Kit (ADK) for Windows is installed.
The central administration site has the same version of Configuration Manager.
Servers with the site server, management point, or distribution point roles aren't part of
a Windows Cluster.
The Configuration Manager setup process doesn't block installation of the site server
role on a computer with the Windows role for Failover Clustering. SQL Server Always On
availability groups require this role, so previously you couldn't colocate the site database
on the site server. With this change, you can create a highly available site with fewer
servers by using an availability group and a site server in passive mode. For more
information, see High availability options.
Windows PE installed
Applies to: SMS Provider
Warnings
The Active Directory domain and forest functional level is a minimum of Windows Server
2008 R2. For more information, see Support for Active Directory domains.
The user account running setup has Administrator rights on the distribution point.
The computer account of the site server has Administrator rights on the management
point and distribution point.
The required administrative shares are present on the site system computer.
Application compatibility
Applies to: Central administration site, primary site
Backlogged inboxes
Applies to: Central administration site, primary site
The site server is processing critical inboxes in a timely fashion. Inboxes don't contain
files older than one day.
despoolr.box\receive\*.i??
despoolr.box\receive\*.s??
despoolr.box\receive\*.nil
schedule.box\requests\*.sr?
To resolve this warning, check whether the despooler and scheduler site system
components are running.
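To reproduce the backlogged-inboxes check from the site server itself (useful for monitoring between updates, not only at setup time), here is an added PowerShell example; it is not code from the Configuration Manager docs. It assumes that $InboxRoot points at the site's inboxes folder (normally <install dir>\inboxes) and that the SMS_EXECUTIVE Windows service is the host of the despooler and scheduler components the warning refers to.

```powershell
# Added example, not part of the Configuration Manager docs: reproduce the
# "backlogged inboxes" prerequisite check on a site server.
# Assumptions: $InboxRoot is the site's inboxes folder (normally
# <install dir>\inboxes), and the SMS_EXECUTIVE Windows service hosts the
# despooler and scheduler components.
function Get-BacklogInboxFiles {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$InboxRoot,          # e.g. 'D:\Program Files\Microsoft Configuration Manager\inboxes'
        [int]$MaxAgeDays = 1         # the check flags files older than one day
    )

    # The file patterns named in the warning text.
    $patterns = @(
        'despoolr.box\receive\*.i??',
        'despoolr.box\receive\*.s??',
        'despoolr.box\receive\*.nil',
        'schedule.box\requests\*.sr?'
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    foreach ($pattern in $patterns) {
        $fullPattern = Join-Path -Path $InboxRoot -ChildPath $pattern
        Get-ChildItem -Path $fullPattern -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -lt $cutoff } |
            ForEach-Object {
                [pscustomobject]@{
                    Inbox         = $pattern
                    Name          = $_.Name
                    LastWriteTime = $_.LastWriteTime
                    Length        = $_.Length
                }
            }
    }
}

function Get-BacklogInboxReport {
    param([Parameter(Mandatory)][string]$InboxRoot)

    $stale = @(Get-BacklogInboxFiles -InboxRoot $InboxRoot)
    # Despooler and scheduler run as threads of SMS_EXECUTIVE; if the service is
    # stopped, nothing drains these inboxes.
    $exec  = Get-Service -Name 'SMS_EXECUTIVE' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        StaleFileCount     = $stale.Count
        OldestFile         = ($stale | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        SmsExecutiveStatus = if ($exec) { [string]$exec.Status } else { 'not installed' }
        StaleFiles         = $stale
    }
}

# Usage on a site server (path is a placeholder for your install directory):
# Get-BacklogInboxReport -InboxRoot 'D:\Program Files\Microsoft Configuration Manager\inboxes'
```

A non-zero StaleFileCount with SMS_EXECUTIVE running points at a stalled component rather than a stopped service; check the despool.log and sched.log for that site in the next step.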
BITS installed
Applies to: Management point
The Background Intelligent Transfer Service (BITS) is installed and enabled in IIS.
Starting in version 2203, this warning displays if you have a cloud management gateway
(CMG) deployed with the classic cloud service. The option to deploy a CMG as a cloud
service (classic) is deprecated. All CMG deployments should use a virtual machine scale
set. If you have a CMG deployed with the classic cloud service, you can convert it to a
virtual machine scale set deployment. For more information, see Convert a CMG to a
virtual machine scale set.
Starting in version 2203, this warning appears if there are site system roles installed for
deprecated features that will be removed in a future release. Remove the following site
system roles:
Enrollment point
Enrollment point proxy
The device management point is also deprecated. It's a management point that you
allow for mobile and macOS devices. You can entirely remove the role, or you can
reconfigure the management point. On the properties of the management point site
system role, disable the option to Allow mobile devices and Mac Computer to use this
management point. This option effectively turns the device management point into a
regular management point. For more information, see Configure roles for on-premises
MDM.
Starting in version 2103, this check warns about the presence of the Log Analytics
connector for Azure Monitor. (This feature is called the OMS Connector in the Azure
Services wizard.)
The Upgrade Readiness service is retired as of January 31, 2020. For more information,
see Windows Analytics retirement on January 31, 2020.
Desktop Analytics is the evolution of Windows Analytics. For more information, see
What is Desktop Analytics.
If your Configuration Manager site had a connection to Upgrade Readiness, you need to
remove it and reconfigure clients. For more information, see Remove Upgrade Readiness
connection.
Starting in version 2203, this warning displays if you have the asset intelligence
synchronization point site system role. The asset intelligence feature is deprecated and
will be removed in a future release. Remove the asset intelligence synchronization point
role. For more information, see Remove a site system role.
With some versions of Configuration Manager, you can't use an HTTP management
point with the cloud management gateway (CMG). Either configure the CMG for HTTPS,
or configure the site for enhanced HTTP. For more information, see Overview of cloud
management gateway.
SQL Server is configured for unlimited memory use. Configure SQL Server memory to
have a maximum limit.
All distribution points in the site have the latest version of software distribution
packages.
Starting in version 2103, if your site is configured to allow HTTP communication without
enhanced HTTP, you'll see this warning. To improve the security of client
communications, in the future Configuration Manager will require HTTPS
communication or enhanced HTTP.
HTTPS only: This site setting requires that all site systems that use IIS use
HTTPS. These site systems need a server authentication certificate, and clients
need a client authentication certificate. For more information, see Plan a
transition strategy for PKI certificates.
Note
If you see this warning when updating the central administration site, it may be
because of a child primary site.
The Windows Firewall is disabled, or a relevant Windows Firewall exception exists for
SQL Server.
Allow Sqlservr.exe or the required TCP ports to be accessed remotely. By default, SQL
Server listens on TCP port 1433, and the Server Service Broker (SSB) uses TCP port 4022.
Firewall exception for SQL Server for management point
Applies to: Management point
The Windows Firewall is disabled, or a relevant Windows Firewall exception exists for
SQL Server.
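The two firewall checks above only require that the ports are reachable; the defensive answer is to keep the firewall on and scope the exception to the hosts that need the database. The following added PowerShell example (not code from the Configuration Manager docs) reports whether an inbound rule already covers the default ports and creates scoped rules if not. It assumes the instance uses the default static ports 1433 and 4022; pass -Ports if you configured a different static port.

```powershell
# Added example, not from the Configuration Manager docs: check for an inbound
# Windows Firewall rule on the SQL Server TCP ports the prerequisite check expects
# (1433 for the database engine and 4022 for Service Broker by default), and
# create scoped rules if they are missing.
# Assumption: the instance listens on the default static ports; adjust -Ports otherwise.
function Get-SqlServerFirewallStatus {
    param([int[]]$Ports = @(1433, 4022))

    # A firewall that is disabled on every profile also satisfies the check,
    # but keeping it on and opening only the needed ports is the safer state.
    $enabledProfiles = @(Get-NetFirewallProfile | Where-Object { [string]$_.Enabled -eq 'True' })

    $openPorts = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' } |
        ForEach-Object { $_.LocalPort }   # a single port, a range ('1433-1434') or 'Any'

    foreach ($port in $Ports) {
        [pscustomobject]@{
            Port            = $port
            FirewallEnabled = ($enabledProfiles.Count -gt 0)
            RuleExists      = (($openPorts -contains "$port") -or ($openPorts -contains 'Any'))
        }
    }
}

function New-SqlServerFirewallRule {
    param(
        [int[]]$Ports = @(1433, 4022),
        # Scope the rule to the hosts that actually need the database (site server,
        # SMS Provider, management points). Leaving the remote address at 'Any' is
        # the weak setting.
        [Parameter(Mandatory)][string[]]$RemoteAddress
    )
    foreach ($port in $Ports) {
        New-NetFirewallRule -DisplayName "SQL Server for Configuration Manager (TCP $port)" `
            -Direction Inbound -Protocol TCP -LocalPort $port -Action Allow `
            -Profile Domain -RemoteAddress $RemoteAddress
    }
}

# Usage (addresses are placeholders for your site server and management points):
# Get-SqlServerFirewallStatus
# New-SqlServerFirewallRule -RemoteAddress '10.0.0.10', '10.0.0.11'
```

Get-SqlServerFirewallStatus reports RuleExists as true for a rule that allows 'Any' port, so a true result is worth a second look: a broad allow-all rule satisfies the check but is not the exception the text is asking for.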
When you install site roles that require HTTPS, configure IIS site bindings on the
specified server with a valid public key infrastructure (PKI) certificate.
There are discovery records that are no longer valid. These records will be marked for
deletion.
If your site is configured with a network access account (NAA), you'll see this warning.
To improve the security of distribution points configured with an NAA, review the
existing accounts and their permissions. If an account has more than the minimum
required permissions, remove it and add an account with minimal permissions. Don't
configure any account with administrator-level permissions as the NAA. If the site server
is configured for HTTPS or enhanced HTTP, it's recommended to remove the NAA, which is
unused in that configuration.
The disk drive is formatted with the NTFS file system. For better security, install site
server components on disk drives formatted with the NTFS file system.
You may see this warning if you have many application deployments and at least one of
them requires approval.
Ignore the warning and continue with the update. This action causes higher
processing on the site server during the update as it processes the policies. You
may also see more processor load on the management point after the update.
Before you run setup, another program requires the server to be restarted.
To see if the computer is in a pending restart state, it checks the following registry
locations:
HKLM:Software\Microsoft\Windows\CurrentVersion\Component Based
Servicing\RebootPending
HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto
Update\RebootRequired
HKLM:SYSTEM\CurrentControlSet\Control\Session Manager,
PendingFileRenameOperations
HKLM:Software\Microsoft\ServerManager, CurrentRebootAttempts
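The four registry locations listed above are the same ones the prerequisite check consults, so they can be inspected in advance on every server in the hierarchy. The following PowerShell function is an added example, not code from the Configuration Manager docs; it treats the presence of each key or value as a pending restart, which is an assumption about how the check interprets them (the text lists the locations but not the exact comparison).

```powershell
# Added example, not from the Configuration Manager docs: report whether a
# server is in the pending-restart state that blocks Configuration Manager setup.
# Assumption: the existence of each listed key or value counts as pending; the
# docs list the locations but not the exact test Setup applies.
function Test-PendingRestart {
    [CmdletBinding()]
    param()

    $reasons = @()

    # Component Based Servicing: a subkey is created while a CBS operation needs a reboot.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons += 'Component Based Servicing: RebootPending'
    }

    # Windows Update: a subkey is created after an update that requires a restart.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons += 'Windows Update: RebootRequired'
    }

    # Session Manager: file moves/deletes deferred until the next boot.
    $sessionManager = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name 'PendingFileRenameOperations' -ErrorAction SilentlyContinue
    if ($sessionManager -and $sessionManager.PendingFileRenameOperations) {
        $reasons += 'Session Manager: PendingFileRenameOperations'
    }

    # Server Manager: set while a role/feature change is waiting for a restart.
    $serverManager = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager' `
        -Name 'CurrentRebootAttempts' -ErrorAction SilentlyContinue
    if ($serverManager -and $null -ne $serverManager.CurrentRebootAttempts) {
        $reasons += 'Server Manager: CurrentRebootAttempts'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PendingRestart = ($reasons.Count -gt 0)
        Reasons        = $reasons
    }
}

# Usage: run locally on each site server before Setup, or remotely with
# Invoke-Command -ComputerName <server> -ScriptBlock ${function:Test-PendingRestart}
```

Running it remotely before a hierarchy-wide update gives a single list of servers that still need a restart, which is quicker than reading each server's ConfigMgrPrereq.log after the check fails.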
Windows PowerShell 2.0 or a later version is installed on the site server for the
Configuration Manager Exchange Connector.
This rule checks if the .NET Framework is at least version 4.8. You'll see this warning if
the system has at least version 4.6.2, but less than version 4.8.
Setup can establish a remote connection to WMI on the secondary site server.
In version 2107, this rule checks if the .NET Framework is at least version 4.6.2. You'll see
this warning if the system has less than version 4.6.2.
Important
Starting in version 2111, if this check fails, it returns an error instead of a warning.
To determine the systems that need to be updated, review the
ConfigMgrPrereq.log found on the system drive of the computer.
Configuration Manager requires Microsoft .NET Framework version 4.6.2 for site servers,
specific site systems, clients, and the console. If possible in your environment, .NET
version 4.8 is recommended. A later version of Configuration Manager will require .NET
version 4.8. Before you run setup to install or update the site, first update .NET and
restart the system. For more information, see Site and site system prerequisites.
Starting in version 2203, resource access policies are no longer supported. Remove the
certificate registration point site system role and all policies for company resource
access features:
Certificate profiles
VPN profiles
Wi-Fi profiles
Windows Hello for Business settings
Email profiles
The co-management resource access workload
For more information, see Frequently asked questions about resource access
deprecation.
For more information on removing the certificate registration point role, see Remove a
site system role.
Schema extensions
Applies to: Central administration site, primary site
This check reports whether the Active Directory schema has been extended and, if it has,
the version of the schema extensions that were used.
Configuration Manager doesn't require Active Directory schema extensions for site
server installation. Microsoft recommends them for the full use of all Configuration
Manager features. For more information about the advantages of extending the schema,
see Prepare Active Directory for site publishing.
The account that you configured to run the SQL Server service for the site database
instance has a valid service principal name (SPN) in Active Directory Domain Services.
Register a valid SPN in Active Directory to support Kerberos authentication.
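A missing or duplicated SPN is the usual reason this check warns, and a duplicate on a second account is the harder of the two to spot by eye. The following PowerShell function is an added example (not code from the Configuration Manager docs) that verifies the two SPN forms a SQL Server instance needs and looks for another account claiming an MSSQLSvc SPN for the same host. It assumes the ActiveDirectory module is installed and that $ServiceAccount is the sAMAccountName of the account running the SQL Server service (a computer account is written with its trailing '$').

```powershell
# Added example, not from the Configuration Manager docs: verify that the SQL
# Server service account holds the SPNs Kerberos needs for the site database
# instance, and that no other account holds a duplicate.
# Assumptions: the ActiveDirectory module is available; $ServiceAccount is the
# sAMAccountName of the service account (e.g. 'svc-sql', or 'SQL01$' for a
# computer account running the service as Local System / Network Service).
function Test-SqlServiceSpn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,
        [Parameter(Mandatory)][string]$SqlServerFqdn,
        [int]$Port = 1433,            # static TCP port of the instance
        [string]$InstanceName         # leave empty for the default instance
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # SQL Server registers host:port, plus host:instance for a named instance.
    $expected = @("MSSQLSvc/${SqlServerFqdn}:${Port}")
    if ($InstanceName) { $expected += "MSSQLSvc/${SqlServerFqdn}:${InstanceName}" }

    $acct = Get-ADObject -Filter "sAMAccountName -eq '$ServiceAccount'" -Properties servicePrincipalName
    if (-not $acct) { throw "Account '$ServiceAccount' not found in Active Directory" }
    $registered = @($acct.servicePrincipalName)

    $missing = @($expected | Where-Object { $registered -notcontains $_ })

    # A duplicate SPN on another object breaks Kerberos for the instance (clients
    # fall back to NTLM or fail), so find every object claiming an MSSQLSvc SPN
    # for this host and exclude the expected holder.
    $duplicates = @(
        Get-ADObject -LDAPFilter "(servicePrincipalName=MSSQLSvc/${SqlServerFqdn}*)" -Properties servicePrincipalName |
            Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName }
    )

    [pscustomobject]@{
        ServiceAccount   = $ServiceAccount
        ExpectedSpns     = $expected
        MissingSpns      = $missing
        DuplicateHolders = @($duplicates | ForEach-Object { $_.DistinguishedName })
        Ok               = ($missing.Count -eq 0 -and $duplicates.Count -eq 0)
    }
}

# Usage (names are placeholders):
# Test-SqlServiceSpn -ServiceAccount 'svc-sql' -SqlServerFqdn 'sql01.contoso.example' -Port 1433
# To register a missing host:port SPN with a duplicate check first:
# setspn -S MSSQLSvc/sql01.contoso.example:1433 svc-sql
```

Resolve any DuplicateHolders before adding SPNs: two accounts with the same SPN leave the KDC unable to choose a key, and the Kerberos failure shows up later as NTLM fallback or login errors in the site database rather than as a setup warning.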
This rule warns for the presence of SQL Server 2012. The support lifecycle for SQL Server
2012 ends on July 12, 2022. Plan to upgrade database servers in your environment,
including SQL Server Express at secondary sites.
For more information, see Removed and deprecated for site servers: SQL Server.
Check if the site database has a backlog of SQL Server change tracking data.
Manually verify this check by running a diagnostic stored procedure in the site database.
First, create a diagnostic connection to your site database. The easiest method is to use
SQL Server Management Studio's Database Engine Query Editor, and connect to
admin:<instance name>.
SQL
EXEC spDiagChangeTracking
Depending upon the size of your database and the backlog size, this stored procedure
could run in a few minutes or several hours. When the query completes, you see two
sections of data related to the backlog. First look at CT_Days_Old. This value tells you
the age (days) of the oldest entry in your syscommittab table. It should be five days,
which is the Configuration Manager default value. Don't change this default value. At
times of heavy data processing or replication, the oldest entry in syscommittab could be
over five days. If this value is above seven days, run a manual cleanup of change
tracking data.
To clean up the change tracking data, run the following command in the dedicated
administration connection:
SQL
This command starts a cleanup of syscommittab and all of the associated side tables. It
can run in several minutes or several hours. To monitor its progress, query the vLogs
view. To see the current progress, run the following query:
SQL
Starting in version 2103, if you have a secondary site that uses SQL Server Express
edition, this check warns if the version is earlier than SQL Server 2016 with service pack 2
(13.0.5026.0). If Configuration Manager didn't install SQL Server Express, then setup
skips this check. Setup looks for the presence of the CONFIGMGRSEC instance.
Microsoft recommends that you keep SQL Server Express up to date. For more
information, see Security for site administration.
This check makes sure the site server has a supported version of the SQL Server Native
Client. The prerequisite check doesn't verify the version of the SQL Server Native Client
on remote site systems.
The minimum version is SQL Server 2012 SP4 (11.*.7001.0). This SQL Server Native
Client version supports TLS 1.2. For more information, see the following articles:
Configuration Manager uses SQL Server Native Client on the following site system roles:
SQL Server reserves a minimum of 8 GB of memory for the central administration site
and primary site, and a minimum of 4 GB of memory for the secondary site.
Note
This check isn't applicable to SQL Server Express on a secondary site. This edition is
limited to 1 GB of reserved memory.
Site system roles other than distribution points are installed on servers running
Windows Server 2012 or later.
For more information, see Supported operating systems for Configuration Manager site
system servers.
Note
This check can't resolve the status of site system roles installed in Azure or for the
cloud storage used by Microsoft Intune. Ignore warnings for these roles as false
positives.
The Upgrade Assessment Toolkit isn't installed. For more information, see Removed and
deprecated features.
The computer account for the site server has Full Control permissions to the System
Management container in the Active Directory domain.
For more information, see Prepare Active Directory for site publishing.
Note
If you manually verify the permissions, you can ignore this warning.
WinRM 1.1 is installed on the primary site server or the Configuration Manager console
computer to run the out-of-band management console.
WinRM is automatically installed with all versions of Windows currently supported. For
more information, see Installation and configuration for Windows Remote Management.
Starting in version 2203, this warning displays if you have site systems running a version
of Windows Server that will soon be out of support. The support lifecycle for Windows
Server 2012 and Windows Server 2012 R2 ends on October 10, 2023. Plan to upgrade
the OS on your site servers. For more information, see the following blog post: Know
your options for SQL Server 2012 and Windows Server 2012 end of support.
A supported version of Windows Server Update Services (WSUS) is installed on the site
server.
When you use a software update point on a server other than the site server, you must
install the WSUS Administration Console on the site server. For more information about
WSUS, see Windows Server Update Services.
Resources for installing Configuration Manager sites
Article • 10/04/2022
The following articles can help you install Configuration Manager or add sites to your
existing Configuration Manager hierarchy.
This article offers essential information that can help you install a site to a new or
existing hierarchy. Information includes when to choose non-default source files,
limitations that apply to all sites, and optional actions you can take to help simplify
your tasks when you install more than one site.
Learn about the user rights and permissions your account must have to install a
site and related prerequisites for each type of site you can install.
This article walks you through the site installation wizard. It provides details about
options that might not be clear in the wizard user interface.
Learn how to create a site installation script, and how to use it for unattended site
installs.
This article has guidance on how to install the Configuration Manager console on a
computer on which you're not installing a site.
Read this article when you're ready to upgrade your evaluation site to a fully
licensed Configuration Manager site.
Prepare to install Configuration Manager sites
Article • 10/04/2022
Tip
When managing Configuration Manager site and hierarchy infrastructure, the terms
upgrade, update, and install are used to describe three separate concepts. To learn
how each term is used, see About upgrade, update, and install.
Before installing a site, make sure you have planned your hierarchy, and that you
understand the type of site you want to install. For more information, see Design a
hierarchy of sites.
First site
The first site that you install in a hierarchy will be either a stand-alone primary site or a
central administration site.
Installation media: To install a central administration site or a stand-alone primary site
as the first site in a new hierarchy, you must use a baseline version of Configuration
Manager. Do not install the first site of a new hierarchy by using updated source files
from the CD.Latest folder of any site.
Installation method: You can install either type of site by using the Configuration
Manager Setup Wizard, or you can configure a script to use with a scripted command-line
installation.
Additional sites
After the initial site is installed, you can add more sites at any time. You have the
following options for adding sites (up to supported limits):
Stand-alone primary site: Secondary site (you can expand the primary site, which
converts the stand-alone primary site to a child primary site)
Installation media: When you install a central administration site to expand a
stand-alone primary site, or if you install a new child primary site in an existing
hierarchy, you must use installation media (that contains source files) that matches the
version of the existing site or sites.
Important
If you have installed in-console updates that have changed the version of the
previously installed sites, do not use the original installation media. Instead, in that
scenario, use source files from the CD.Latest folder of an updated site.
Configuration Manager requires you to use source files that match the version of
the existing site that your new site will connect to.
A secondary site must be installed from the Configuration Manager console. This way,
secondary sites are always installed by using source files from the parent primary site.
Installation method: The method you use to install additional sites depends on the type
of site you want to install.
Add a central administration site: You can use the Configuration Manager Setup
Wizard or a scripted command line to install the new central administration site as
a parent site to your existing stand-alone primary site. For more information, see
Expanding a stand-alone primary site.
Add a child primary site: You can use the Configuration Manager Setup Wizard or
a command-line installation to add a child primary site below a central
administration site.
Add a secondary site: Use the Configuration Manager console to install a
secondary site as a child site below a primary site. Other methods are not
supported for adding secondary sites.
For more information, see Design a hierarchy of sites for Configuration Manager.
For more information, see Support for SQL Server versions for Configuration
Manager.
For more information, see Configure firewalls, ports, and domains to prepare for
Configuration Manager.
If you will use a public key infrastructure (PKI), prepare your infrastructure and
certificates
For more information, see PKI certificate requirements for Configuration Manager.
Install the latest security updates on computers you will use as site servers or
site system servers, and when necessary, restart them
AUX
CON
NUL
PRN
SMS
ENV
Note
Configuration Manager Setup does not verify that a site code is not already in use.
To enter the site code for a site when you're running Configuration Manager Setup, you
must enter three alphanumeric characters. Only the letters A through Z and the numbers
0 through 9, in any combination, are allowed in site codes. The sequence of letters or
numbers has no effect on the communication between sites. For example, it is not
necessary to name a primary site ABC and a secondary site DEF.
The site name is a friendly name identifier for the site. You can only use the characters A
through Z, a through z, 0 through 9, and the hyphen (-) in site names.
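Because Setup doesn't verify that a site code is unused or reserved, a pre-check of the rules above is worth scripting; the same rules apply later on the Setup Wizard's Site and Installation Settings page. The following PowerShell function is an added example, not something Setup or the Configuration Manager docs provide. It assumes the reserved names listed above (AUX, CON, NUL, PRN, SMS, ENV) and, optionally, a list of site codes already in use that you gather from the existing hierarchy (for example from the console or the Get-CMSite cmdlet).

```powershell
# Added example, not from the Configuration Manager docs: validate a proposed
# site code and site name against the documented rules before running Setup.
# Assumptions: the reserved names are the ones listed in the docs (AUX, CON,
# NUL, PRN, SMS, ENV); -ExistingSiteCodes is supplied by you from the current
# hierarchy, since Setup doesn't check for codes already in use.
function Test-CMSiteIdentifiers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$SiteName,
        [string[]]$ExistingSiteCodes = @()
    )

    # Windows-reserved device names that must not be used because the site code
    # becomes part of folder names.
    $reserved = @('AUX', 'CON', 'NUL', 'PRN', 'SMS', 'ENV')
    $problems = @()
    $code = $SiteCode.ToUpperInvariant()

    # Exactly three characters, each A-Z or 0-9; any sequence is allowed.
    if ($code -notmatch '^[A-Z0-9]{3}$') {
        $problems += "Site code '$SiteCode' must be exactly three characters from A-Z and 0-9"
    }
    elseif ($reserved -contains $code) {
        $problems += "Site code '$SiteCode' is a reserved Windows name"
    }

    # Uniqueness within the hierarchy is the installer's responsibility, not Setup's.
    $inUse = @($ExistingSiteCodes | ForEach-Object { $_.ToUpperInvariant() })
    if ($inUse -contains $code) {
        $problems += "Site code '$SiteCode' is already in use in this hierarchy"
    }

    # Site name: A-Z, a-z, 0-9 and hyphen only.
    if ($SiteName -cnotmatch '^[A-Za-z0-9-]+$') {
        $problems += "Site name '$SiteName' may contain only A-Z, a-z, 0-9 and the hyphen (-)"
    }

    [pscustomobject]@{
        SiteCode = $code
        SiteName = $SiteName
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (values are placeholders):
# Test-CMSiteIdentifiers -SiteCode 'PR1' -SiteName 'Contoso-Primary' -ExistingSiteCodes 'CAS', 'PR2'
# Test-CMSiteIdentifiers -SiteCode 'SMS' -SiteName 'Bad Name'   # reports both problems
```

Run it against every site code in the planned hierarchy before the first install, since the text above notes that neither the code nor the name can be changed afterwards without uninstalling and reinstalling the site.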
Important
A change of the site code or site name after you install the site is not supported.
After running Setup, you cannot change the following site properties without
uninstalling the site and then reinstalling it by using the new values:
Program Files installation directory
Site code
Site description
When your hierarchy includes a central administration site:
Configuration Manager does not support moving a child primary site out of a
hierarchy to create a stand-alone primary site or to attach it to a different
hierarchy. Instead, uninstall the child primary site, and then reinstall it as a new
stand-alone primary site or as a child site of the central administration site of a
different hierarchy.
To download the updated Setup files for Configuration Manager, you can run Setup
Downloader. If the computer where you will run Setup is not connected to the Internet,
or if you expect to install multiple site servers, consider using Setup Downloader to
download the required updates to Setup. Here's additional information:
To identify and fix problems before you run Setup to install a site and before you install
a site system role on a server, you can run Prerequisite Checker. Prerequisite Checker
helps ensure that the computer meets the requirements to host the site or site system
role. Here's additional information:
By default, Setup runs Prerequisite Checker.
If there are any errors, Setup stops until the issue is fixed.
You can identify optional ports for site systems and clients to use. Here's additional
information:
Before you begin a site installation, learn about the prerequisites for installing the
different types of Configuration Manager sites.
If you're installing a CAS as part of a hierarchy expansion, see the section for Expanding
a stand-alone primary site.
The user account that installs the site must have the following permissions:
Sysadmin on the instance of SQL Server that hosts the site database
Important
If you're installing a primary site, you may also need Administrator permissions on
additional servers. For example, where you install the initial management point and
distribution point, if not on the site server.
If you're installing a new child primary site below a CAS, you need the following
additional permissions:
Administrator on the SQL Server that hosts the CAS site database
Use the correct installation source files, and run setup from that location. For
information about the correct source files to use to install different types of sites,
see Prepare to install site: Options for installing different types of sites.
The site server needs access to the latest setup files from Microsoft. Use one of the
following methods:
Before you start the install, download and store a copy of these files on your
local network. For more information, see Setup Downloader.
If a local copy of these files isn't available, the site server needs access to the
internet. It downloads these files from Microsoft during the installation. For
more information, see Internet access requirements.
The site server and site database server must meet all prerequisite configurations.
Before starting Configuration Manager setup, manually run Prerequisite Checker to
identify and fix problems.
For more information about the correct source files to use to install different sites, see
Prepare to install sites: Options for installing different types of sites.
This configuration is necessary because Configuration Manager migrates data from the
top-level site of the hierarchy. When you expand a stand-alone primary site, the
configurations for migration don't transfer to the CAS.
After you expand the stand-alone primary site, if you reconfigure migration at the
primary site, the CAS runs the migration jobs.
For more information about how to configure migration, see Configure source
hierarchies and source sites for migration.
To successfully expand the stand-alone primary site, the computer account of the new
CAS needs Administrator permissions on the stand-alone primary site. This account
requires these permissions only during site expansion. When site expansion finishes, you
can remove the account from the user group on the primary site.
For more information including the complete list of required permissions, see Site
installation account.
Configuration Manager only supports these roles at the top-level site of the hierarchy.
Uninstall these site system roles before you expand the stand-alone primary site. After
you expand the site, reinstall these site system roles at the CAS.
All other site system roles can remain installed at the primary site.
Configuration Manager setup also includes a prerequisite check that the standalone
primary site doesn't include the cloud management gateway (CMG) service. Before you
expand the site to a hierarchy, remove the CMG. Then redeploy it from the new CAS.
To successfully replicate data between a CAS and a primary site, Configuration Manager
requires an open port between the two sites for SSB to use. When you install a CAS and
expand a stand-alone primary site, the prerequisite check doesn't verify that the port
you specify for the SSB is open on the primary site.
Log Analytics
Microsoft Store for Business
Tenant attach
The easiest method is to renew the Azure Active Directory tenant secret key. For more
information, see Renew secret key.
Instead of renewing the secret key, remove and then recreate the connection to that
service.
Secondary sites
The following prerequisites are for installing secondary sites:
The necessary Windows Server roles, features, and Windows components must be
installed. For more information, see Site system prerequisites.
The administrator who configures the installation of the secondary site in the
Configuration Manager console needs role-based administration permissions that
are equivalent to the security role of Infrastructure Administrator or Full
Administrator.
Add the computer account of the parent primary site to the Administrators group
on the secondary site server.
When the secondary site uses a previously installed instance of SQL Server to host
the secondary site database:
The computer account of the parent primary site needs sysadmin permissions
on the instance of SQL Server on the secondary site server.
The Local System account of the secondary site server computer needs
sysadmin permissions on the instance of SQL Server on the secondary site
server.
Important
The secondary site server must meet all prerequisite configurations. These
configurations include SQL Server and the default site system roles of the
management point and distribution point.
Next steps
After you've confirmed the prerequisites, you're ready to run setup. For more
information, see Use the Setup Wizard to install Configuration Manager sites.
Use the Setup Wizard to install Configuration Manager sites
Article • 10/04/2022
To install a new Configuration Manager site by using a guided user interface, use the
Configuration Manager Setup Wizard (setup.exe). The wizard supports installing a
primary site or central administration site (CAS). You also use the wizard to upgrade an
evaluation installation of Configuration Manager to a fully licensed installation. When
you don't want to use the wizard, you can instead use an installation script and run an
unattended command-line installation.
Install a secondary site from within the Configuration Manager console. Secondary sites
don't support a scripted command-line installation.
Before you install a site, be familiar with the details in the following articles:
Tip
If you need assistance with site installation, see the Support options and
community resources. For example, the Microsoft Q&A forum for Configuration
Manager site and client deployment.
When you're ready to get started, see the following articles for the specific processes:
Use this procedure to install a central administration site (CAS) or a primary site. Also
use it to upgrade an evaluation site to a fully licensed Configuration Manager site.
First, review the overview for using the setup wizard. It includes links to important
prerequisite articles.
If you're installing a CAS as part of a site expansion scenario, first read Expand a
stand-alone primary site before using the following procedure.
Note
3. On the Getting Started page, select the type of site that you want to install:
Primary site, as a stand-alone primary site that is the first site of a new
hierarchy, or as a child primary:
Tip
Typically, you only select the option Use typical installation options for
a stand-alone primary site when you want to install a stand-alone
primary site in a test environment. When you select this option, setup
does the following actions:
Automatically configures the site as a stand-alone primary site.
Uses a default installation path.
Uses a local installation of the default instance of SQL Server for the
site database.
Installs a management point and a distribution point on the site
server computer.
Configures the site with English and the display language of the OS
on the primary site server if it matches one of the languages that
Configuration Manager supports.
If you select a licensed edition, enter your product key, and choose Next.
You can also specify the Software Assurance expiration date of your
licensing agreement. It's a convenient reminder of that date. If you don't
enter this date during Setup, you can specify it later from within the
Configuration Manager console.
Note
Microsoft doesn't validate the expiration date that you entered and
doesn't use this date for license validation. You can use it as a reminder
of your expiration date. This date is useful because Configuration
Manager periodically checks for new software updates offered online.
Your software assurance license status should be current so that you're
eligible to use these additional updates.
5. On the Microsoft Software License Terms page, read and accept the license terms.
6. On the Prerequisite Licenses page, read and accept the license terms for the
prerequisite software. Setup downloads and automatically installs the software on
site systems or clients when it's required. Accept all of the terms before you
continue to the next page.
7. On the Prerequisite Downloads page, specify whether Setup must download the
latest prerequisite redistributable files from the internet or use previously
downloaded files:
If you want Setup to download the files at this time, select Download
required files. Then specify a location to store the files.
If you previously downloaded the files by using Setup Downloader, select Use
previously downloaded files. Then specify the download folder.
Tip
If you use previously downloaded files, verify that the path to the
download folder contains the most recent version of the files.
8. On the Server Language Selection page, select the languages that are available for
the Configuration Manager console and for reports. The wizard selects English by
default and you can't remove it. For more information, see Language packs.
9. On the Client Language Selection page, select the languages that are available to
client computers. Also specify whether to enable all client languages for mobile
device clients. The wizard selects English by default and you can't remove it.
Important
When you use a CAS, make sure that client languages you configure at the
CAS include all client languages that you configure at each child primary site.
Clients that install from a distribution point have access to the client
languages from the top-tier site, while clients that install from a management
point have access to the client languages from their assigned primary site.
10. On the Site and Installation Settings page, specify the following settings for the
new site that you're installing:
Site code: Each site code in a hierarchy must be unique. Use three alphanumeric
characters: A through Z and 0 through 9. Because the site code is used in folder
names, don't use the following Windows-reserved names:
AUX
CON
NUL
PRN
SMS
Note
Setup doesn't verify whether the site code that you specify is already in
use, or if it's a reserved name.
Site name: Each site requires this friendly name, which can help you identify
the site.
Note
Consider whether you want to use the default installation folder. If you
use the default OS partition in a production environment, you may
experience the following issues in the future:
If Configuration Manager uses up the free disk space on the OS partition, neither
Windows nor Configuration Manager will operate properly. If you install
Configuration Manager on a separate partition, its disk consumption won't impact
the OS.
Configuration Manager performance is better with a fast disk. Some
server designs don't optimize the OS disk for speed.
You can service, restore, or reinstall the OS without impacting your
Configuration Manager installation.
11. On the Site Installation page, use the following option that matches your scenario:
The media that you use to install the new CAS must match the version of the
primary site.
On the Primary Site Installation page, select Install the primary site as a
stand-alone site, and then choose Next.
On the Primary Site Installation page, select Join the primary site to an
existing hierarchy. Then specify the FQDN for the CAS, and choose Next.
SQL Server name (FQDN): By default, this value is set to the site server
computer.
If you use a custom port, add that port to the FQDN of the SQL Server. Follow
the FQDN of the SQL Server with a comma and then the port number. For
example, for server SQLServer1.fabrikam.com, use the following string to
specify custom port 1551: SQLServer1.fabrikam.com,1551
Instance name: By default, this value is blank. It uses the default instance of
SQL Server on the site server computer.
Database name: By default, this value is set to CM_<Sitecode> . You can
customize this value.
Service Broker Port: By default, this value is set to use the default SQL Server
Service Broker (SSB) port of 4022. SQL Server uses it to communicate directly
to the site database at other sites.
13. On the second Database Information page, you can specify custom locations for
the SQL Server data file and the SQL Server log file for the site database:
When you use a SQL Server Always On failover cluster instance, the option to
specify custom file locations isn't available.
The prerequisite checker doesn't run a check for free disk space for custom
file locations.
14. On the SMS Provider Settings page, specify the FQDN for the server where you
want to install the SMS Provider.
After the site installs, you can configure more SMS Providers. For more
information, see Plan for the SMS Provider.
15. On the Client Communication Settings page, choose how clients will
communicate with site systems. The more secure option is to require all site
systems to use HTTPS. Otherwise, you individually configure the communication
method for each site system role.
Important
Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced
HTTP. For more information, see Enable the site for HTTPS-only or enhanced
HTTP.
All site system roles accept only HTTPS communication from clients: When
you select this option, clients must have a valid PKI certificate for client
authentication. For more information, see PKI certificate requirements.
Note
This page only applies when you install a primary site. If you're installing a
CAS, skip this page.
16. On the Site System Roles page, choose whether to install a management point or
distribution point. For each role that you choose to have installed by Setup:
Note
This step only applies when you install a primary site. If you're installing a CAS,
skip this step.
Enter the FQDN for the server that will host the role. Then choose the client
connection method that the server will support: HTTP or HTTPS.
If you selected All site system roles accept only HTTPS communication from
clients on the previous page, the wizard automatically configures the client
connection settings for HTTPS. You can't change this setting unless you go
back to the previous page.
Note
To install site system roles, Setup uses the site system installation account. By
default, it uses the primary site's computer account. This account must be a
local administrator on the remote computer to install the role. If this account
lacks the required permissions, don't install the roles during Setup. After you
configure additional accounts to use as site system installation accounts,
install the roles from the Configuration Manager console. For more
information, see Accounts.
17. On the Usage Data page, review the information about data that Microsoft
collects, and then choose Next. For more information, see Diagnostics and usage
data.
18. The Service Connection Point Setup page is only available when you're installing a
stand-alone primary site or a CAS.
Note
If you're installing a CAS as part of a site expansion scenario, and the stand-alone
primary site already has this role, first uninstall it from the stand-alone primary site.
Configuration Manager can only have one instance of the service connection point
in a hierarchy. It's only supported at the top-tier site of the hierarchy.
After you select a configuration for the Service Connection Point, choose Next.
After Setup completes, you can change this configuration from the Configuration
Manager console. For more information, see About the service connection point.
19. On the Settings Summary page, review the settings that you've selected. When you're ready, choose Next to start the Prerequisite Checker.
20. The Prerequisite Installation Check page lists any problems that the checker can identify.
When the Prerequisite Checker finds a problem, choose an item in the list for
details about how to resolve the problem.
Before you can continue to install the site, resolve any Failed items. Try to
resolve all Warning items, but they don't block installation.
After you resolve any issues, choose Run Check to rerun the Prerequisite
Checker.
When the Prerequisite Checker runs, and no checks receive a Failed status,
you can choose Begin Install to start the site installation.
Tip
In addition to the feedback that the wizard provides, you can find additional
information about prerequisite issues in the ConfigMgrPrereq.log file. It's in
the root of the system drive on the server. For more information, see List of
prerequisite checks.
21. On the Installation page, Setup displays the installation status. When the core site
server installation is complete, you can Close the installation wizard. When you
close the wizard, the installation and initial site configurations continue in the
background.
You can connect a Configuration Manager console to the site before Setup is
complete. This console connects as read-only, and lets you view objects and
settings, but you can't modify anything.
After Setup completes, you can connect a console to edit objects and
settings.
If setup fails, you can Report update error to Microsoft. For more
information, see Report setup and upgrade failures to Microsoft.
When you expand a stand-alone primary site, you install a new CAS that uses the
existing stand-alone primary site database as a reference. After the new CAS installs, the
stand-alone primary site functions as a child primary site.
You can only expand a stand-alone primary site into a new hierarchy.
You can only expand one stand-alone primary site into a specific hierarchy. You
can't use this option to join other stand-alone primary sites into the same
hierarchy. Instead, use the Migration Wizard to migrate data from one hierarchy
into another. For more information, see Migrate data between hierarchies.
After you expand a stand-alone site into a hierarchy with a CAS, you can install other child primary sites.
To remove a primary site from a hierarchy with a CAS, first uninstall the primary
site.
To expand the site, use the process to install a CAS or primary site with the following
caveats:
Install the CAS by using the same version of Configuration Manager as the stand-
alone primary site.
On the Getting Started page of the Setup Wizard, select the option to install a
CAS. At a later stage of Setup, you'll choose an option to expand an existing stand-
alone primary site.
On the Client Language Selection page for the new CAS, select the same client
languages that you configured on the original primary site.
On the Site Installation page, select the option to expand the stand-alone primary
site.
Next steps
Use the setup wizard to install a secondary site
Install consoles
Use the setup wizard to install a secondary site
Article • 10/04/2022
Use this procedure to install a secondary site. Install a secondary site from within the
Configuration Manager console. Secondary sites don't support a scripted command-line
installation.
In a hierarchy, you don't have to connect the console to the parent primary site. If
the console isn't connected to the parent primary site for the new secondary site,
Configuration Manager replicates the command to install the secondary site to the
correct primary site.
Before you start the secondary site installation, make sure that your user account
has the prerequisite permissions. Also make sure that the server that will host the
new secondary site meets all the prerequisites for use as a secondary site server.
For more information, see Prerequisites for installing sites and Site and site system
prerequisites.
When you install the secondary site, Configuration Manager configures the new
site to use the same client communication ports as the parent primary site.
Before you start, review the overview for using the setup wizard. It includes links to
important prerequisite articles.
2. In the ribbon, select Create Secondary Site. This action starts the Create
Secondary Site Wizard.
3. On the Before You Begin page, confirm that the listed server is the primary site
that you want to be the parent of the new secondary site. Then choose Next.
NUL, PRN, SMS
Note
Setup doesn't verify whether the site code that you specify is already in use, or if it's a reserved name.
Site server name: This value is the FQDN of the server for the new secondary
site.
Site name: Each site requires this friendly name, which can help you identify
the site in the console.
Important
After you specify details on this page, you can choose Summary to skip to the
end of the wizard. This action uses the default settings for the remainder of
the secondary site options.
Only use this option when you're familiar with the default settings in this
wizard, and they're the settings you want to use.
When you use the default settings, boundary groups aren't associated
with the distribution point. Until you configure boundary groups that
include the secondary site server, clients won't use the distribution point
that's installed on this secondary site as a content source location.
5. On the Installation Source Files page, choose how the secondary site server gets
the source files to install the site.
When you use CD.Latest source files that are shared on the network or copied
locally to the target secondary site server:
The CD.Latest source file location includes a folder named Redist. Move this
Redist folder as a subfolder under the SMSSETUP folder.
Copy the following files from the Redist folder to the SMSSETUP\BIN\X64
folder:
SharedManagementObjects.msi
SQLSysClrTypes.msi
sqlncli.msi
If any of the files from Redist aren't available, Setup fails to install the
secondary site.
The computer account of the secondary site server needs Read permissions
to the source file folder and share.
6. On the SQL Server Settings page, specify the version of SQL Server to use:
Note
Setup doesn't validate the information that you enter on this page until it
starts the installation. Before you continue, verify these settings.
Install and configure a local copy of SQL Express on the secondary site computer
SQL Server Service port: Specify the SQL Server service port for SQL
Server Express to use. The service port is typically configured to use TCP
port 1433, but you can configure another port.
SQL Server Broker port: Specify the SQL Server Service Broker (SSB) port
for SQL Server Express to use. The Service Broker is typically configured to
use TCP port 4022, but you can configure a different port. Specify a valid
port that no other site or service is using, and that the firewall doesn't
block.
SQL Server FQDN: Review the FQDN for the computer running SQL Server. The secondary site database must be hosted on a local server running SQL Server, and you can't modify this setting.
SQL Server instance: Specify the instance of SQL Server to use as the
secondary site database. Leave this option blank to use the default
instance.
ConfigMgr site database name: Specify the name to use for the secondary
site database.
SQL Server Broker port: Specify the SQL Server Service Broker (SSB) port
for SQL Server to use. Specify a valid port that no other site or service is
using, and that the firewall doesn't block.
Tip
For a list of the SQL Server versions that Configuration Manager supports, see
Supported SQL Server versions.
7. On the Distribution Point page, configure settings for the distribution point that
Setup will install on the secondary site server.
Required settings:
Optional settings:
Install and configure IIS if required by Configuration Manager: Select this
setting to let Configuration Manager install and configure Internet
Information Services (IIS) on the server. Configuration Manager only
installs IIS if it's not already installed on the server. IIS is required on all
distribution points.
8. On the Drive Settings page, specify the drive settings for the secondary site
distribution point.
You can configure up to two disk drives for the content library and two disk drives
for the package share. However, Configuration Manager can use other drives when
the first two reach the configured drive space reserve. Use this Drive Settings page
to configure the priority for the disk drives and the amount of free disk space to
remain on each disk drive.
Drive space reserve (MB): The value that you configure for this setting
determines the amount of free space on a drive before Configuration
Manager chooses a different drive and continues the copy process to that
drive. Content files can span multiple drives.
Content Locations: Specify the content locations for the content library and
package share. Configuration Manager copies content to the primary content
location until the amount of free space reaches the value that's specified for
Drive space reserve (MB).
By default, the content locations are set to Automatic. The primary content
location is set to the disk drive that has the most space at installation time. The
secondary location is set to the disk drive that has the most free disk space after
the primary drive. When the primary and secondary drives reach the drive space
reserve, Configuration Manager selects another available drive with the most free
disk space and continues the copy process.
9. On the Content Validation page, specify whether to validate the integrity of
content files on the distribution point.
10. On the Boundary Groups page, manage the boundary groups for this distribution
point:
Allow fallback source location for content: This option allows clients outside
these boundary groups to fall back and use the distribution point as a source
location for content when no preferred distribution points are available.
For more information, see the Fundamental concepts for content management.
11. On the Summary page, verify the settings, and then choose Next to install the
secondary site. When the wizard shows the Completion page, you can close the
wizard. The secondary site installation continues in the background.
2. Select the new secondary site, and then choose Show Install Status in the ribbon.
Tip
When you install more than one secondary site at a time, the Prerequisite
Checker runs against a single site at a time. It finishes a site before it starts to
check the next site.
Next steps
Configure sites and hierarchies
Install consoles
Use a command line to install Configuration Manager sites
Article • 10/04/2022
You can run Configuration Manager setup at a command prompt to automate the
installation of different kinds of site types. This article provides an overview of the
command-line methods.
Recover a site
Tip
You can also install the Configuration Manager client and console from the
command prompt. For more information, see the following articles:
Install consoles
Deploy clients to Windows computers
Note
You can't use the unattended script file to upgrade an evaluation site to a licensed
installation of Configuration Manager.
To use an answer file with setup, first configure the script file with required keys and
values. For an unattended installation of a CAS or primary site, the script file requires the
following sections:
Identification
Options
SQLConfigOptions
HierarchyExpansionOption
CloudConnectorOptions
SABranchOptions
Then run setup with the command-line option /SCRIPT and specify a script file.
To recover a site, the script file also uses the RecoveryOptions section.
For a list of keys and values to use in an unattended installation script file, see
Unattended setup script file keys.
Note
When you run setup from the CD.Latest folder for a scripted install or recovery, include the CDLatest key with a value of 1. This value isn't supported with installation media from the Microsoft Volume License site. For more information on how to use this key name in the script file, see Command-line options.
Setup creates the script %TEMP%\ConfigMgrAutoSave.ini. You can rename this file before you use it, but it needs the .ini file extension.
The unattended installation script contains the settings that you selected in the
wizard.
You can modify the script to install other sites in your hierarchy.
You can use this script to do an unattended setup of Configuration Manager.
This script file provides the same information as the Setup Wizard, except that there are
no default settings. Specify all values for the setup keys that are required and necessary
for your requirements.
When setup creates the unattended installation script, it includes the product key that
you entered in the Setup Wizard. This key can be a valid product key, or EVAL to install
an evaluation version of Configuration Manager. The product key value in the script is
required by the prerequisite checker. When setup starts the actual site installation, it
clears the product key value in the script. Before using the script for an unattended
installation of a new site, edit the script to provide a valid product key or to specify an
evaluation installation of Configuration Manager.
Tip
You can also manually create the script file from a plain-text editor like Notepad.
To view the full set of options, see Command-line options for setup and scripts.
Provide the full path to the file. For example, if you name the file setup.ini, and store it in the C:\Setup folder, then use the following command line:
setup.exe /script C:\Setup\setup.ini
The account that runs setup must have Administrator rights on the computer.
When you run setup with the unattended script, open the command prompt
window with the Run as administrator option.
Modify languages
To modify the languages that are installed at a site from a command prompt:
For example, use the following command syntax:
setupwpf.exe /MANAGELANGS <language script file>
For more information about the values to use in the language script file, see Manage languages.
Next steps
Command-line options for setup
Run setup.exe from the \BIN\X64 directory of the Configuration Manager installation
path on the site server.
Tip
You can also use setupwpf.exe from the same folder, but it doesn't include basic
prerequisite checks.
/DEINSTALL
Uninstall the site. Run setup from the site server computer.
/DONTSTARTSITECOMP
Install a site, but prevent the Site Component Manager service from starting. Until the
Site Component Manager service starts, the site isn't active. The Site Component
Manager is responsible for installing and starting the SMS_Executive service, and for
other processes at the site. After the site install is finished, when you start the Site
Component Manager service, it installs the SMS_Executive service and other processes
that are necessary for the site to operate.
/HIDDEN
Hide the user interface during setup. Only use this option with the /SCRIPT option. The
unattended script file must provide all required options or setup fails.
/NOUSERINPUT
Disable user input during setup, but display the setup wizard. Only use this option with
the /SCRIPT option. The unattended script file must provide all required options or
setup fails.
/RESETSITE
Run a site reset. This action resets the database and service accounts for the site. For
more information, see Run a site reset.
/SQLMOVE
Move the site database. This action moves the site database to a new instance of SQL
Server on the same computer, or to a different computer that runs a supported version
of SQL Server. For more information, see Modify the site database configuration.
Provide the SQL server name, database name and instance name in the following
format:
/TESTDBUPGRADE
Run a test on a backup of the site database to make sure that the database can
upgrade.
Important
The test upgrade is no longer a required or recommended step for most sites.
Don't run this command-line option on your production site database. Running this
command-line option on your production site database upgrades the site database
and could render your site inoperable.
Provide the instance name and database name for the site database. If you specify only
the database name, setup uses the default instance name.
/TESTDBUPGRADE <Instance name>\<Database name>
/TESTDBUPGRADE CM_ABC
/TESTDBUPGRADE Named\CM_ABC
For more information, see Test the database upgrade when installing an update.
/UPGRADE
Run an unattended upgrade of a site. Specify the product key including the dash (-) delimiters. Also specify the path to the previously downloaded setup prerequisite files.
For more information about setup prerequisite files, see Setup Downloader.
/SCRIPT
Run an unattended installation. Use a setup initialization file with this option. For more
information about how to run setup unattended, see Install sites using a command line.
For more information on the script file keys and values, see Unattended setup script file
keys.
/SDKINST
Install the SMS Provider on the specified server. Provide the fully qualified domain name
(FQDN) for the SMS Provider computer. For more information about the SMS Provider,
see Plan for the SMS Provider.
/SDKDEINST
Uninstall the SMS Provider on the specified computer. Provide the FQDN for the SMS
Provider computer.
Next steps
Unattended setup script file keys
Unattended setup script file keys
Article • 10/04/2022
This article defines all of the keys and values to specify in the .ini installation script file.
Use this file with the /SCRIPT command-line option to do an unattended installation or
recovery of a Configuration Manager site. The tables in this article show:
Command-line overview
Setup command-line options
Specify the section names in square brackets ([]): [<Section name>]. For example, [Identification].
When you provide values for keys, the name of the key must be followed by an equal sign (=) and the value for the key: <Key name>=<Value>. For example, CDLatest=1. Make sure the keys are under the appropriate section.
Each section and each value needs to be unique in a single script. For example, there
can only be one [Identification] section and only one Action key.
Supported actions
A script is primarily defined by the Action key in the Identification section. The
following list includes all of the currently supported actions for running setup
unattended:
Depending upon the type of site you're installing, include the following keys with the appropriate values in the Identification section:
Key name | Required | Values | Details
CDLatest | Yes (see note 2) | 1: Setup runs from CD.Latest | When you run setup from the CD.Latest folder, include this key and value. This value tells setup that you're using media from CD.Latest.
- Eval: Install the evaluation version
SiteName | Yes | A site name | The friendly name for this site to help identify it.
SDKServer | Yes | SMS Provider FQDN | The FQDN of the first server to host the SMS Provider.
When you install a site, you can also specify the keys to manage languages, such as
AddServerLanguages or AddClientLanguages . For more information, see Options section
for languages.
The following keys in the Options section are specific to a primary site:
Key name | Required | Values | Details
SQLServerName | Yes | FQDN of SQL Server | The name of the server or clustered instance that's running SQL Server to host the site database.
SQLServerPort | No | Port number | The port that SQL Server uses. By default, it uses 1433.
SQLSSBPort | No | Port number | The SQL Server Service Broker (SSB) port. By default, SSB uses TCP port 4022.
CloudConnectorServer | Yes* | SCP FQDN | The FQDN of the server that will host the SCP role. * Only required when CloudConnector equals 1.
ProxyName | Yes* | Proxy FQDN | The FQDN of the proxy server that the SCP uses. * Only required when UseProxy equals 1.
ProxyPort | Yes* | Port number | The port number of the proxy server that the SCP uses. * Only required when UseProxy equals 1.
SAActive | Yes | 0: You don't have SA; 1: SA is active | Specify if you have active Software Assurance (SA). For more information, see Product and licensing FAQ.
When you're installing a CAS to expand a standalone primary site into a hierarchy, use
the following keys in the HierarchyExpansionOption section:
Key name | Required | Values | Details
CCARSiteServer | No | CAS FQDN | The FQDN of the CAS that a primary site attaches to when it joins the Configuration Manager hierarchy. Specify the CAS during setup.
CASRetryInterval | No | Minutes | If the connection to the CAS fails, the primary site waits this number of minutes, and then reattempts the connection.
- 1: Enable
Manage languages
Key name | Required | Values | Details
Action | Yes | ManageLanguages | Manages the server, client, and mobile client language support at a site.
Use the three-letter code for the server languages or client languages that Configuration
Manager supports. For example, to add support for German on the client, specify the
following key and value pair: AddClientLanguages=DEU
English ( ENG ) is available by default. You don't have to add it, and you can't remove it.
Recover a site
Depending upon the type of site you're recovering, include the following keys with the
appropriate values in the Identification section:
Key name | Required | Values | Details
CDLatest | Yes (see note 3) | 1: Setup runs from CD.Latest | When you run setup from the CD.Latest folder, include this key and value. This value tells setup that you're using media from CD.Latest.
The CDLatest key is only required when you run setup from the CD.Latest folder to recover a site. For more information, see About the command-line script file.
- 2: Site server only
- 4: SQL Server only
- 20: Manually recovered
- 40: Create new database
- 80: Skip
ReferenceSite | Yes* | FQDN | The reference primary site that the CAS uses to recover global data. * Only required when DatabaseRecoveryOptions is 40. See note 5.
SiteServerBackupLocation | No | Directory path | The path to the site server backup set. If you don't specify a value, setup reinstalls the site without restoring it from a backup set.
BackupLocation | Yes* | Directory path | The path to the site database backup set. * Required when ServerRecoveryOptions is 1 or 4, and DatabaseRecoveryOptions is 10.
4 : The BackupLocation key is required when you configure a value of 10 for the
If the database backup is older than the change-tracking retention period, or when
you recover the site without a backup, specify the reference primary site that the
CAS uses to recover global data.
When you don't specify a reference site, and the backup is older than the change-
tracking retention period, all primary sites are reinitialized with the restored data
from the CAS.
When you don't specify a reference site, and the backup is within the change-
tracking retention period, only changes that are made after the backup are
replicated from primary sites. When there are conflicting changes from different
primary sites, the CAS uses the first one that it receives.
Many of the keys in the Options section are also required for site recovery. For more
information, see Options section for site install. The following table summarizes the keys
in the Options section for site recovery:
Key name | Required | Details
ProductID | Yes |
SiteCode | Yes | Use the same site code that it used before the failure.
SiteName | No |
SMSInstallDir | Yes |
SDKServer | Yes | Use the same server that hosted this role before the failure.
PrerequisiteComp | Yes |
PrerequisitePath | Yes |
JoinCEIP | Yes |
Many of the keys in the SQLConfigOptions section are also required for site recovery. For
more information, see SQLConfigOptions section for site install. The following table
summarizes the keys in the SQLConfigOptions section for site recovery:
Key name | Required | Details
SQLServerName | Yes | Use the same server that hosted the site database before the failure.
DatabaseName | Yes | Use the same database name that was used before the failure.
SQLSSBPort | Yes | Use the same port that was used before the failure.
SQLDataFilePath | No |
SQLLogFilePath | No |
Many of the keys in the CloudConnectorOptions section are also required for site
recovery. For more information, see CloudConnectorOptions section for site install. The
following table summarizes the keys in the CloudConnectorOptions section for site
recovery:
Key name | Required | Details
CloudConnector | Yes |
Many of the keys in the HierarchyExpansionOption section are also required for site
recovery. For more information, see HierarchyExpansionOption section for site install.
The following table summarizes the keys in the HierarchyExpansionOption section for
site recovery:
Key name | Required | Details
CCARSiteServer | Yes* | * Only required if the primary site was attached to a CAS before the failure.
CASRetryInterval | No |
WaitForCASTimeout | No |
Examples
[Identification]
Action=InstallPrimarySite
CDLatest=1
[Options]
ProductID=Eval
SiteCode=XYZ
SDKServer=cmsite.contoso.com
PrerequisiteComp=0
PrerequisitePath=C:\Sources\Redist
AdminConsole=1
JoinCEIP=0
ManagementPoint=cmsite.contoso.com
ManagementPointProtocol=HTTP
DistributionPoint=cmsite.contoso.com
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=1
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
MobileDeviceLanguage=0
[SQLConfigOptions]
SQLServerName=cmsql.contoso.com
SQLServerPort=1433
DatabaseName=CM_XYZ
SQLSSBPort=4022
[CloudConnectorOptions]
CloudConnector=1
CloudConnectorServer=cmsite.contoso.com
UseProxy=0
[SABranchOptions]
SAActive=1
CurrentBranch=1
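As an added example that is not Microsoft's tooling, the following PowerShell function reads an unattended setup script like the one above and checks it against the rules this article states before the file is handed to setup.exe /SCRIPT: the required sections are present and not duplicated, ProductID is not blank (setup clears it in ConfigMgrAutoSave.ini once the install starts), the site code is three alphanumeric characters and not a reserved name, and roles or the site itself are not left on HTTP, which is deprecated since version 2103. The function name and the sample script content are constructed for this example.

```powershell
# Added example (not Microsoft's tooling): check an unattended Configuration Manager
# setup .ini against the rules stated in this article before running setup.exe /SCRIPT.
function Test-CMSetupScript {
    [CmdletBinding()]
    param(
        # Lines of the .ini file, for example from Get-Content .\setup.ini
        [Parameter(Mandatory)]
        [string[]]$Content
    )

    # Parse [Section] headers and Key=Value pairs into a nested hashtable.
    $ini = @{}
    $section = $null
    foreach ($raw in $Content) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if ($ini.ContainsKey($section)) {
                # The article requires each section to appear only once per script.
                Write-Warning "Duplicate section [$section]"
            } else {
                $ini[$section] = @{}
            }
            continue
        }
        if ($null -ne $section -and $line -match '^([^=]+)=(.*)$') {
            $key = $Matches[1].Trim()
            if ($ini[$section].ContainsKey($key)) { Write-Warning "Duplicate key $section.$key" }
            $ini[$section][$key] = $Matches[2].Trim()
        }
    }

    $findings = New-Object System.Collections.Generic.List[string]

    # Sections the article lists as required for an unattended CAS or primary site install.
    $requiredSections = 'Identification', 'Options', 'SQLConfigOptions',
                        'HierarchyExpansionOption', 'CloudConnectorOptions', 'SABranchOptions'
    foreach ($s in $requiredSections) {
        if (-not $ini.ContainsKey($s)) { $findings.Add("Missing required section [$s]") }
    }

    $opt = if ($ini.ContainsKey('Options')) { $ini['Options'] } else { @{} }

    # Setup clears ProductID in ConfigMgrAutoSave.ini once the real install starts, so a
    # reused script must be edited to carry a product key or Eval again.
    if ([string]::IsNullOrEmpty($opt['ProductID'])) {
        $findings.Add('Options.ProductID is blank; supply a product key or Eval')
    }

    # Site code: exactly three alphanumerics, and not a Windows-reserved name,
    # because setup uses the site code in folder names.
    $reserved = 'AUX', 'CON', 'NUL', 'PRN', 'SMS'
    $code = [string]$opt['SiteCode']
    if ($code -notmatch '^[A-Za-z0-9]{3}$') {
        $findings.Add("Options.SiteCode '$code' is not three alphanumeric characters")
    } elseif ($reserved -contains $code.ToUpper()) {
        $findings.Add("Options.SiteCode '$code' is a reserved name")
    }

    # HTTP client communication is deprecated since version 2103: flag roles left on HTTP
    # and a site that still accepts HTTP from clients instead of requiring HTTPS with PKI.
    foreach ($k in 'ManagementPointProtocol', 'DistributionPointProtocol') {
        if ($opt[$k] -eq 'HTTP') {
            $findings.Add("Options.$k=HTTP is deprecated; use HTTPS or Enhanced HTTP")
        }
    }
    if ($opt['RoleCommunicationProtocol'] -eq 'HTTPorHTTPS') {
        $findings.Add('Options.RoleCommunicationProtocol=HTTPorHTTPS accepts HTTP clients; HTTPS-only with PKI client certificates is the more secure option')
    }

    return $findings.ToArray()
}

# Constructed sample: the article's example script after setup cleared ProductID, with a
# reserved site code substituted and one required section left out so several checks fire.
$sample = @'
[Identification]
Action=InstallPrimarySite
CDLatest=1
[Options]
ProductID=
SiteCode=SMS
SDKServer=cmsite.contoso.com
ManagementPoint=cmsite.contoso.com
ManagementPointProtocol=HTTP
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
[SQLConfigOptions]
SQLServerName=cmsql.contoso.com
[CloudConnectorOptions]
CloudConnector=1
[SABranchOptions]
SAActive=1
'@ -split "`r?`n"

Test-CMSetupScript -Content $sample | ForEach-Object { "FINDING: $_" }
```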
The Configuration Manager console is always installed on the site server for the CAS or
a primary site. To install the console separate from site server installation, run the
standalone installer.
Prerequisites
Supported OS versions for Configuration Manager consoles
You have local Administrator rights on the target computer for the console.
You have Read permissions to the location of the console installation files.
Note
.NET Framework version 4.6.2 is preinstalled with Windows Server 2016 and
Windows 10 version 1607. Later versions of Windows are preinstalled with a later
version of the .NET Framework.
.NET Framework version 4.8 isn't supported on some OS versions, such as Windows
10 2015 LTSB.
For more information, see .NET Framework system requirements.
Source paths
Decide which source path to use:
When you install a site server, it copies the console installation files and supported
language packs for the site to the Tools\ConsoleSetup subfolder. Optionally, you
can copy the ConsoleSetup folder to an alternate location to start the installation.
When you update the site, it always keeps its local version up to date.
Installing the Configuration Manager console from the installation media always
installs the English version. This behavior happens even if the site server supports
different languages, or the target computer's OS is set to a different language.
When possible, start the console installer from the ConsoleSetup folder rather than
from the source media.
Important
Don't install the console using the CD.Latest source files. It's an unsupported
scenario, and may cause problems with the console installation. For more
information, see The CD.Latest folder.
If you create a package for installing the console on other computers, make sure the
package includes the following files:
ConsoleSetup.exe
AdminConsole.msi
ConfigMgr.AC_Extension.i386.cab
ConfigMgr.AC_Extension.amd64.cab
Important
Always install the console by using ConsoleSetup.exe. Although you can
install the Configuration Manager console by running AdminConsole.msi, this
method doesn't run prerequisites or dependency checks. The installation
might not install correctly.
3. On the Site Server page, enter the fully qualified domain name (FQDN) of the site
server to which the Configuration Manager console connects.
4. On the Installation Folder page, enter the installation folder for the Configuration
Manager console. The folder path can't include trailing spaces or Unicode
characters.
Tip
/q
Installs the Configuration Manager console unattended. The TargetDir and
DefaultSiteServerName options are required when you use this option.
/uninstall
Uninstalls the Configuration Manager console. Specify this option first when you use it
with the /q option.
LangPackDir
Specifies the path to the folder that contains the language files. You can use Setup
Downloader to download the language files. If you don't use this option, Setup looks
for the language folder in the current folder. If the language folder isn't found, Setup
continues to install English only. For more information, see Setup Downloader.
TargetDir
Specifies the installation folder to install the Configuration Manager console. This option
is required when you use the /q option.
DefaultSiteServerName
Specifies the FQDN of the site server to which the console connects when it opens. This
option is required when you use the /q option.
Examples
Silent install
ConsoleSetup.exe /q "TargetDir=%ProgramFiles%\ConfigMgr Console" DefaultSiteServerName=MyServer.Contoso.com
Silent uninstall
ConsoleSetup.exe /uninstall /q
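The following script is an added example, not code from the Configuration Manager documentation or product. It puts the guidance above into one unattended install: it stages the four required files from the site server's Tools\ConsoleSetup folder (so the console version matches the site), enforces the TargetDir naming rule, verifies the installer's Authenticode signature before running it, and always goes through ConsoleSetup.exe rather than AdminConsole.msi. The share path and site server FQDN are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Configuration Manager documentation: stage the console
# installer from the site server's Tools\ConsoleSetup folder, check it, and run the
# unattended install. Share path and site server FQDN are assumptions.
param(
    [string]$SourceShare = '\\cm01.contoso.com\SMS_P01\Tools\ConsoleSetup',   # assumption
    [string]$SiteServer  = 'cm01.contoso.com',                                # assumption
    [string]$TargetDir   = "$env:ProgramFiles\ConfigMgr Console",
    [string]$Staging     = (Join-Path $env:TEMP 'ConsoleSetup')
)

# The four files the text says a console package must contain.
$required = 'ConsoleSetup.exe', 'AdminConsole.msi',
            'ConfigMgr.AC_Extension.i386.cab', 'ConfigMgr.AC_Extension.amd64.cab'

# TargetDir rule from the text: no trailing spaces and no Unicode (non-ASCII) characters.
if ($TargetDir -ne $TargetDir.TrimEnd() -or $TargetDir -match '[^\x00-\x7F]') {
    throw "TargetDir '$TargetDir' has a trailing space or non-ASCII characters."
}

# Stage a local copy so the install doesn't depend on the share staying reachable.
New-Item -ItemType Directory -Path $Staging -Force | Out-Null
foreach ($name in $required) {
    $src = Join-Path $SourceShare $name
    if (-not (Test-Path -LiteralPath $src)) { throw "Required file missing from source: $src" }
    Copy-Item -LiteralPath $src -Destination $Staging -Force
}
# Language pack folders are optional; keeping them beside ConsoleSetup.exe lets Setup
# find them in the current folder without LangPackDir.
Get-ChildItem -LiteralPath $SourceShare -Directory |
    Copy-Item -Destination $Staging -Recurse -Force

# Supply-chain check: don't run an installer whose Authenticode signature doesn't verify.
$exe = Join-Path $Staging 'ConsoleSetup.exe'
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid') {
    throw "ConsoleSetup.exe signature status is '$($sig.Status)'; refusing to install."
}

# Always go through ConsoleSetup.exe; running AdminConsole.msi directly skips the
# prerequisite checks. TargetDir is quoted because the default path contains a space.
$setupArgs = "/q `"TargetDir=$TargetDir`" DefaultSiteServerName=$SiteServer"
$proc = Start-Process -FilePath $exe -ArgumentList $setupArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "ConsoleSetup.exe exited with code $($proc.ExitCode)." }
Write-Host "Console installed to '$TargetDir', default site server $SiteServer."
```

Run it on the target computer as a local Administrator with read access to the share. The signature check is the one step the page doesn't spell out: a console package that is redistributed through a software distribution system is a convenient place for an attacker to swap binaries, and ConsoleSetup.exe is a signed Microsoft binary, so a status other than Valid should stop the deployment.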
Postinstallation information
The Configuration Manager console requires installation of the built-in WebView2
extension for certain features such as Community hub and dashboards. A notification to
install the extension is given to the console user when they open the console. For more
information, see the WebView2 console extension.
Next steps
An administrator sees objects in the console based on the permissions assigned to their
user account. For more information, see Fundamentals of role-based administration.
If your environment uses a proxy server, this configuration may impact the functionality
of the console. For more information, see Proxy server support - Configuration Manager
console.
Upgrade an evaluation installation of
Configuration Manager to a full
installation
Article • 10/04/2022
If you installed Configuration Manager as an evaluation version, after 180 days the
Configuration Manager console becomes read-only. You then need to activate the
product from the Site Maintenance page in Setup. At any time before or after the 180-
day period, you can upgrade to a full installation.
Note
You can upgrade the following sites that run an evaluation installation:
Prerequisites
To upgrade an evaluation version to a licensed version, you need the following
requirements:
Process
1. On the site server, run .\BIN\X64\Setup.exe from the Configuration Manager
installation folder. Use this copy of Setup because site maintenance options aren't
available when you run Setup from source media.
3. On the Getting Started page, select Perform site maintenance or reset the Site,
and then select Next.
5. On the Microsoft Software License Terms page, read and accept the license terms,
and then select Next.
Note
Until you reconnect the console to the site, the title bar might indicate that the site
is still an evaluation version.
Next steps
Configure sites and hierarchies
Upgrade to Configuration Manager
current branch
Article • 10/04/2022
Important
Tip
When managing Configuration Manager site and hierarchy infrastructure, the terms
upgrade, update, and install are used to describe three separate concepts. To learn
how each term is used, see About upgrade, update, and install.
Tip
When you upgrade from a System Center 2012 Configuration Manager version to
current branch, you might be able to streamline your upgrade process. For more
information, see the following:
If you previously installed Configuration Manager Evaluation version, you can use the
upgrade process to convert the site to the full version. For more information, see
Upgrade an evaluation installation of Configuration Manager to a full installation.
Unsupported paths
The following paths aren't supported:
Upgrade checklists
The following checklists can help you plan a successful upgrade to Configuration
Manager.
Review required prerequisites for each computer that hosts a site system role. For
example, to deploy an OS, Configuration Manager uses the Windows Assessment
and Deployment Kit (ADK). Before you run Setup, download and install the
Windows ADK on the site server and on each computer that runs an instance of
the SMS Provider.
For more information about supported platforms and prerequisite configurations, see
Supported configurations.
For more information about using the Windows ADK with Configuration Manager, see
Infrastructure requirements for OS deployment.
Review the site and hierarchy status and verify that there are no
unresolved issues
Before you upgrade a site, resolve all operational issues for the following components:
Site server
Site database server
Site system roles on remote computers
The following site system roles are no longer used in Configuration Manager. Uninstall
them before you upgrade from System Center 2012 Configuration Manager:
If you use NLB clusters for software update points, use PowerShell to remove the NLB
cluster. (Beginning with System Center 2012 Configuration Manager SP1, there was no
option in the Configuration Manager console to configure an NLB cluster.)
Disable all site maintenance tasks at each site during its upgrade
Before you upgrade to Configuration Manager, disable any site maintenance tasks that
might run during the time the upgrade process is active. This list includes but isn't
limited to the following tasks:
If a site database maintenance task runs during the upgrade process, the site upgrade
can fail.
Before you disable a task, record the schedule of the task so you can restore its
configuration after the site upgrade completes.
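The script below is an added example, not code from the Configuration Manager documentation, showing how to do what the checklist item asks: record each site maintenance task's schedule and enabled state to a file, disable the enabled tasks before the upgrade, and re-enable exactly those tasks afterwards with a verification step. It uses the ConfigurationManager PowerShell module's Get-CMSiteMaintenanceTask and Set-CMSiteMaintenanceTask cmdlets. The site code, SMS Provider server, backup path, and the assumption that the task objects expose TaskName, Enabled, BeginTime, LatestBeginTime and DaysOfWeek properties are mine, not the page's.

```powershell
# Added example, not from the Configuration Manager documentation: snapshot, disable
# and later restore site maintenance tasks around a site upgrade.
# Assumptions: site code, provider server and backup path below; task objects from
# Get-CMSiteMaintenanceTask expose TaskName, Enabled, BeginTime, LatestBeginTime, DaysOfWeek.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
$SiteCode   = 'P01'                                        # assumption
$Provider   = 'cm01.contoso.com'                           # assumption
$BackupFile = "C:\Upgrade\MaintenanceTasks-$SiteCode.json" # assumption

if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $Provider | Out-Null
}
Set-Location "$($SiteCode):"

function Save-AndDisableMaintenanceTasks {
    # Record every task's schedule and state first; this is the restore record.
    $tasks = @(Get-CMSiteMaintenanceTask -SiteCode $SiteCode)
    $tasks | Select-Object TaskName, Enabled, BeginTime, LatestBeginTime, DaysOfWeek |
        ConvertTo-Json | Set-Content -Path $BackupFile -Encoding UTF8
    # Only the enabled tasks change; the snapshot says which ones to turn back on.
    $toDisable = @($tasks | Where-Object Enabled)
    foreach ($t in $toDisable) {
        Set-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $t.TaskName -Enabled $false
    }
    return $toDisable.Count
}

function Restore-MaintenanceTasks {
    # Re-apply only the Enabled flag; the schedules themselves were never modified.
    $saved = @(Get-Content -Path $BackupFile -Raw | ConvertFrom-Json)
    foreach ($t in $saved | Where-Object Enabled) {
        Set-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $t.TaskName -Enabled $true
    }
    # Verify against the site: anything enabled before must be enabled again now.
    $enabledNow = @{}
    foreach ($t in Get-CMSiteMaintenanceTask -SiteCode $SiteCode) {
        if ($t.Enabled) { $enabledNow[$t.TaskName] = $true }
    }
    $missing = @($saved | Where-Object { $_.Enabled -and -not $enabledNow[$_.TaskName] })
    if ($missing.Count -gt 0) {
        Write-Warning ("Still disabled after restore: " + ($missing.TaskName -join ', '))
    }
    return $missing.Count
}

# Before the upgrade:  Save-AndDisableMaintenanceTasks
# After the upgrade:   Restore-MaintenanceTasks   (returns 0 when everything is back)
```

Keep the JSON file with the upgrade change record: it is the evidence of the pre-upgrade configuration if a task such as the site backup later turns out to have been left disabled.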
For more information about site maintenance tasks, see the following articles:
The independent prerequisite check evaluates the site for upgrade to both the current
branch and the long-term servicing branch (LTSB) of Configuration Manager. Because
some features aren't supported by the LTSB, you might see entries in the
ConfigMgrPrereq.log that are like the following examples:
the LTSB edition; Error; Configuration Manager has detected that the 'Asset
Intelligence synchronization point' is installed. Asset Intelligence is not
supported on the LTSB edition. You must uninstall the Asset Intelligence
synchronization point site system role before you can continue.
If you plan to upgrade to the current branch, errors for the LTSB edition can be safely
ignored. They only apply if you plan to upgrade to the LTSB.
Later, when you run Configuration Manager setup to do the upgrade, the prerequisite
check runs again. It evaluates your site based on the branch of Configuration Manager
you choose to install (current branch, or LTSB). If you choose to upgrade to the current
branch, it doesn't run the check for features that aren't supported by the LTSB.
For more information, see the Prerequisite checker and List of prerequisite checks.
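The function below is an added example, not code from the Configuration Manager documentation. It reads ConfigMgrPrereq.log rule results and separates failures that only matter for the LTSB from those that block a current branch upgrade, which is the triage the two paragraphs above describe and the Prerequisite Installation Check step later in this article repeats. The line layout it assumes (semicolon-separated fields, with the rule name, a status of Error, Warning or Passed, and an optional message as the trailing fields) matches the excerpt in the text but is an assumption; the sample lines are constructed for the demonstration, not real log output.

```powershell
# Added example, not from the Configuration Manager documentation: triage
# ConfigMgrPrereq.log results for a current branch (or LTSB) upgrade.
# Assumed line layout: fields separated by ';' with the rule name immediately before
# the status token and the message (if any) after it.
function Get-PrereqResult {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [ValidateSet('CurrentBranch', 'LTSB')][string]$Target = 'CurrentBranch'
    )
    foreach ($line in $Lines) {
        $parts = @($line -split ';' | ForEach-Object { $_.Trim() })
        # Locate the status token; lines without one aren't rule results.
        $idx = -1
        for ($i = 0; $i -lt $parts.Count; $i++) {
            if ($parts[$i] -in 'Error', 'Warning', 'Passed') { $idx = $i; break }
        }
        if ($idx -lt 1) { continue }
        $rule    = $parts[$idx - 1]
        $status  = $parts[$idx]
        $message = if ($idx + 1 -lt $parts.Count) { $parts[($idx + 1)..($parts.Count - 1)] -join ';' } else { '' }
        # Rules that only apply to the LTSB name the edition in the rule name.
        $ltsbOnly = $rule -match 'LTSB'
        [pscustomobject]@{
            Rule     = $rule
            Status   = $status
            # An LTSB-only error doesn't block a current branch upgrade.
            Blocking = ($status -eq 'Error' -and -not ($ltsbOnly -and $Target -eq 'CurrentBranch'))
            Message  = $message
        }
    }
}

# Constructed sample lines (not real output), shaped like the excerpt in the text.
$sample = @(
    '<03-15-2023 10:11:12>  cm01.contoso.com;  SQL Server version;  Passed',
    '<03-15-2023 10:11:13>  cm01.contoso.com;  Unsupported site system role on the LTSB edition;  Error;  Configuration Manager has detected that the ''Asset Intelligence synchronization point'' is installed. Asset Intelligence is not supported on the LTSB edition.',
    '<03-15-2023 10:11:14>  cm01.contoso.com;  Pending system restart;  Error;  A restart is pending on the site server.',
    '<03-15-2023 10:11:15>  cm01.contoso.com;  Site server free disk space;  Warning;  Free space on the site server is low.'
)
Get-PrereqResult -Lines $sample -Target CurrentBranch | Format-Table Rule, Status, Blocking -AutoSize

# Real use, on the site server after the independent prerequisite check has run:
# Get-PrereqResult -Lines (Get-Content "$env:SystemDrive\ConfigMgrPrereq.log") | Where-Object Blocking
```

With the sample input, only the pending-restart line is reported as Blocking; the LTSB error is shown but not blocking, and the warning is left for you to resolve where you can. Re-run the function with -Target LTSB and the LTSB error becomes blocking, mirroring what Setup itself does when you pick that branch.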
When you upgrade a site, the site upgrade installs only the language pack versions you
select during the upgrade.
Setup reviews the current language configuration of your site. It then identifies the
language packs that are available in the folder where you store previously
downloaded prerequisite files.
You can affirm the selection of the current server and client language packs, or
change the selections to add or remove support for languages.
Only language packs that are available when you run Setup can be selected.
Note
You can't use the language packs from System Center 2012 Configuration Manager
to enable languages for a Configuration Manager current branch site.
When you upgrade a site, some features and configurations reset to a default
configuration. To help you prepare for these and related changes, see Considerations for
upgrading.
Create a backup of the site database at the central administration
site (CAS) and primary sites
Before you upgrade a site, back up the site database to make sure that you have a
successful backup to use for disaster recovery.
Before you upgrade a Configuration Manager CAS or primary site, test the site database
upgrade process on a copy of the site database.
Test the site database upgrade process. When you upgrade a site, the site
database might be modified.
Although testing the database upgrade isn't required, it can identify problems for
the upgrade before your production database is affected.
A failed site database upgrade can render your site database inoperable and might
require a site recovery to restore functionality.
Although the site database is shared between sites in a hierarchy, plan to test the
database at each applicable site before you upgrade that site.
If you use database replicas for management points at a primary site, disable
replication before you create the backup of the site database.
Configuration Manager doesn't support the backup of secondary sites, or the test
upgrade of a secondary site database.
It's not supported to run a test database upgrade on the production site database.
Doing so upgrades the site database and could render your site inoperable.
Do this action to make sure there are no pending actions from a recent installation of
updates or from prerequisites.
Starting at the top-level site in the hierarchy, run Setup.exe from the Configuration
Manager source media.
After the top-level site upgrades, you can begin the upgrade of each child site.
Complete the upgrade of each site before you begin to upgrade the next site.
Until all sites in your hierarchy upgrade to Configuration Manager, your hierarchy
operates in a mixed version mode.
By default, when you upgrade a CAS or primary site, the installation also upgrades the
Configuration Manager console that's installed on the site server. Manually upgrade
each console that's installed on a computer other than the site server.
Tip
If you disabled database maintenance tasks at a site before the upgrade, reconfigure
those tasks at the site using the same settings that were in place before the upgrade.
Upgrade clients
After all your sites upgrade to Configuration Manager, plan to upgrade clients.
When you upgrade a client, the current client software is uninstalled and the new client
software version is installed. To upgrade clients, you can use any method that
Configuration Manager supports.
Tip
When you upgrade the top-level site of a hierarchy, the client installation package
on each distribution point in the hierarchy is also updated. When you upgrade a
primary site, the client upgrade package that's available from that primary site is
updated.
For more information, see How to upgrade clients for Windows computers.
Automatic actions
When you upgrade to Configuration Manager, the following actions occur
automatically:
A site reset. This action includes a reinstallation of all site system roles.
If the site is the top-level site of a hierarchy, it updates the client installation
package on each distribution point in the hierarchy. The site also updates the
default boot images to use the new Windows PE version for the same version of
the Windows ADK. However, the upgrade doesn't upgrade existing media for use
with image deployment.
If the site is a primary site, it updates the client upgrade package for that site.
Manual actions after an upgrade
After you upgrade a site, make sure that you do the following actions:
Make sure that clients assigned to each primary site upgrade and install the new
client version.
Upgrade each Configuration Manager console that connects to the site and that
runs on a computer that's remote from the site server.
At primary sites where you use database replicas for management points,
reconfigure the database replicas.
After the site upgrades, manually update physical media such as ISO files for CDs,
DVDs, or USB flash drives, and any prestaged media provided to hardware vendors.
Although the site upgrade updates the default boot images, it can't update media
files or devices used outside Configuration Manager.
Plan to update custom boot images when you don't require the older version of
Windows PE.
Software Center: The following Software Center items are reset to their default
values:
The value for Remote control is set to the value in the client settings that are
assigned to the computer.
Before you upgrade a site, test a copy of that site's database for the upgrade.
To test the database for an upgrade, you first restore a copy of the site database to an
instance of SQL Server that doesn't host a Configuration Manager site. The version of
SQL Server that you use to host the database copy must be a version of SQL Server that
Configuration Manager supports.
After you restore the site database, on the SQL Server computer, run Configuration
Manager Setup from the source media folder for Configuration Manager.
For more information including specific steps, see Test the database upgrade.
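The script below is an added example, not code from the Configuration Manager documentation, for the rehearsal described in this section and in the earlier "Test the site database upgrade process" item: restore a SQL backup of the site database to an instance that hosts no Configuration Manager site, then run Setup in test-upgrade mode on that SQL Server computer. The /TESTDBUPGRADE switch is from Setup's documented command line rather than from this page; the instance name, backup file, database name, media path, and the CM_* naming heuristic used as a safety check are assumptions. Run it on the test SQL Server computer, never on the site database server.

```powershell
#Requires -Modules SqlServer
# Added example, not from the Configuration Manager documentation: rehearse the site
# database upgrade on a copy. Assumptions: instance, backup, database and media paths
# below; site databases are named CM_<sitecode>; Setup.exe /TESTDBUPGRADE is the
# documented test-upgrade switch (not stated on this page).
param(
    [string]$TestInstance = 'sqltest01.contoso.com',       # assumption: hosts NO Configuration Manager site
    [string]$BackupFile   = 'D:\Backup\CM_P01.bak',        # assumption: SQL backup, path as seen by SQL Server
    [string]$Database     = 'CM_P01',                      # assumption
    [string]$SetupExe     = 'E:\SMSSETUP\BIN\X64\Setup.exe' # assumption: source media of the new version
)

# Safety check: never test-upgrade a production database. Any CM_* database on the
# instance means it is either a site database or a previous test copy; stop either way
# (drop the old test copy first if this is a re-run).
$existing = Invoke-Sqlcmd -ServerInstance $TestInstance -Query "SELECT name FROM sys.databases WHERE name LIKE 'CM[_]%'"
if ($existing) {
    throw "$TestInstance already hosts $(@($existing.name) -join ', '); refusing to restore over it."
}

# Restore the copy under the name Setup will be given on the command line.
Restore-SqlDatabase -ServerInstance $TestInstance -Database $Database -BackupFile $BackupFile -ReplaceDatabase

# Run the test upgrade; Setup logs to ConfigMgrSetup.log in the root of the system drive.
$proc = Start-Process -FilePath $SetupExe -ArgumentList "/TESTDBUPGRADE `"$TestInstance\$Database`"" -Wait -PassThru
Write-Host "Setup exit code: $($proc.ExitCode)"

# Surface the lines an operator needs to read; the page says a failed upgrade here is
# what would otherwise have made the production site inoperable.
Get-Content "$env:SystemDrive\ConfigMgrSetup.log" -Tail 300 |
    Where-Object { $_ -match 'error|fail|success|upgrade' } |
    Select-Object -Last 40
```

The hard stop on any existing CM_* database is deliberate: Restore-SqlDatabase with -ReplaceDatabase would silently overwrite a live site database, which is exactly the unsupported scenario the text warns about.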
Upgrade sites
If you've completed the following tasks, you're ready to upgrade your Configuration
Manager site:
When you upgrade a site in a hierarchy, you upgrade the top-level site of the hierarchy
first. This top-level site is either a CAS or a stand-alone primary site. After you complete
the upgrade of a CAS, you can upgrade child primary sites in any order you want. After
you upgrade a primary site, you can upgrade that site's secondary sites, or upgrade
other primary sites before you upgrade any secondary sites.
Before you upgrade a site, close the Configuration Manager console on the site server
until the upgrade successfully completes. Also close all remote consoles that run on
other computers. After the site upgrade completes successfully, you can reconnect the
console. Until you upgrade a console to the new version, that console can't display
some objects and information that are available in new version.
If the site database server is remote from the site server, local Administrator
rights on it
2. On the site server, run the following program from the Configuration Manager
source media: .\SMSSETUP\BIN\X64\Setup.exe. This action starts the Configuration
Manager Setup wizard.
3. Read the information on the Before You Begin page, and then select Next.
4. On the Getting Started page, select Upgrade this Configuration Manager site,
and then select Next.
You can specify the Software Assurance expiration date of your licensing
agreement. This date is a convenient reminder for you of that date. If you don't
enter this value during setup, you can specify it later in the console.
Note
Microsoft doesn't validate this expiration date, and doesn't use this date for
license validation. It's a reminder to you of your expiration date. Configuration
Manager periodically checks for new software updates offered online. To be
eligible to install these updates, your license status should be current.
6. On the Microsoft Software License Terms page, read and accept the license terms,
and then select Next.
7. On the Prerequisite Licenses page, read and accept the license terms for the
prerequisite software, and then select Next. Setup downloads and automatically
installs the software on site systems or clients when it's required. Before you can
continue to the next page, agree to all terms.
8. On the Prerequisite Downloads page, specify whether Setup downloads the latest
content from the internet or uses previously downloaded files. This content
includes prerequisite redistributable files, language packs, and the latest product
updates. If you already used Setup Downloader, select Use previously downloaded
files and specify the download folder. For more information, see Setup
Downloader.
Note
When you use previously downloaded files, verify that the path to the
download folder contains the most recent version of the files.
9. On the Server Language Selection page, view the list of languages that are
currently installed for the site. Select other languages that are available at this site
for the Configuration Manager console and for reports. You can also clear
languages that you no longer want to support at this site. By default, English is
selected and can't be removed.
Important
Each version of Configuration Manager can't use language packs from a prior
version. To enable support for a language at a site that you upgrade, use the
version of the language pack for the new version. For example, during
upgrade from System Center 2012 Configuration Manager to Configuration
Manager current branch, if the current branch version of a language pack isn't
available with the prerequisite files you download, you can't install support for
that language.
10. On the Client Language Selection page, view the list of languages that are
currently installed for the site. Select other languages that are available at this site
for client computers, or clear languages that you no longer want to support at this
site. Specify whether to enable all client languages for mobile device clients, and
then select Next. By default, English is selected and can't be removed.
11. On the Settings Summary page, review the configuration. When you're ready,
select Next to start the Prerequisite Checker. This tool verifies server readiness for
the upgrade of the site. For more information, see Prerequisite Checker.
12. On the Prerequisite Installation Check page, if there are no problems listed, select
Next to upgrade the site and site system roles.
If the Prerequisite Checker finds a problem, select the item on the list for details
about how to resolve it. Resolve all items in the list that have an Error status before
you continue Setup. For items with a Warning status, resolve as many as possible
in your environment. After you resolve the issues, select Run Check to restart
prerequisite checking. For more detailed information, open the
ConfigMgrPrereq.log file in the root of the system drive. The log file can contain
additional information that's not displayed in the user interface. For a list of
installation prerequisite rules and descriptions, see Prerequisite checks.
On the Upgrade page, Setup displays the overall progress status. When Setup
completes the core site server and site system installation, you can close the wizard. Site
configuration continues in the background.
System administrator (SA) rights on the site database of the secondary site
3. Select the secondary site that you want to upgrade. On the Home tab of the
ribbon, in the Site group, select Upgrade.
4. Select Yes to confirm the decision, and to start the upgrade of the secondary site.
The secondary site upgrade runs in the background. After the upgrade is complete,
confirm the status in the Configuration Manager console. Select the secondary site
server, then on the Home tab of the ribbon, in the Site group, select Show Install Status.
Post-upgrade tasks
After you upgrade a site, you might have to complete other tasks to finish the upgrade
or reconfigure the site. These tasks can include the following items:
Next steps
Scenarios to streamline your installation of Configuration Manager current branch
Scenarios to streamline your installation
of Configuration Manager
Article • 10/04/2022
With the release of update versions for Configuration Manager current branch, there are
new scenarios to streamline the install of a new hierarchy to an update version. You can
also use these techniques to upgrade from Microsoft System Center 2012 Configuration
Manager.
Install a new Configuration Manager current branch hierarchy that runs an update
version.
Install only the top-tier site with a baseline version. Then immediately install an
update to bring that site current with the update version that you'll use. Then
install the other sites directly at that update version.
This process skips the installation of other sites to a baseline level, and then
updating them to the update version that you want to use.
The process also skips the installation of clients to a baseline version, and then
reinstalling them when you update to a later version.
After this step, your top-level site runs the baseline version.
2. Use in-console updates to update your top-level site to a later version. Before you
install any child sites or clients, update your top-level site to the update version
that you plan to use. For more information, see Updates for Configuration
Manager.
After this step, your top-level site runs the updated version.
3. If you intend for the first site to be a CAS, next install new child primary sites. Use
the installation media from the CD.Latest folder on the CAS server to install child
primary sites. Use this source media to make sure that new child primary sites
match the version of the CAS. For more information, see The CD.Latest folder for
Configuration Manager.
4. Add other site system roles on remote servers at the CAS and primary sites. This
action makes sure that the site systems run the updated version. For more
information, see Install site system roles.
5. If you plan to have secondary sites, at each primary site, use the in-console option
to install new secondary sites. Because you didn't install secondary sites while
primary sites were at the baseline version, you don't need to update the secondary
sites. Instead, you install new secondary sites that run the updated version. For
more information, see Install a secondary site.
6. Install new clients at the primary site. Because you didn't install clients while
primary sites were at the baseline version, you don't need to update clients.
Instead, install new clients that run the updated version. For more information, see
Deploy clients.
7. Install new consoles on remote computers. Because you didn't install consoles
while primary sites were at the baseline version, you don't need to update
consoles. Install them with the updated version. For more information, see Install
consoles.
After this step, your top-level site runs the baseline version.
2. Upgrade each child primary site in your hierarchy to the same baseline version.
When you upgrade from Microsoft System Center 2012 Configuration Manager,
manually upgrade each primary site to a baseline version of the current branch.
Don't upgrade secondary sites yet.
After this step, each primary site runs the baseline version.
3. Set service windows on child-primary sites. After you upgrade all of your primary
sites to the baseline version, configure maintenance windows to control when
those sites install infrastructure updates. For more information, see Service
windows for site servers.
Child primary sites automatically install the same updates that you install at a
CAS.
Secondary sites don't automatically install new versions. Update them
manually from the console.
After this step, child primary sites are ready to install updates during their service
window.
4. Install the update version at your top-level site. This action updates your top-level
site to the updated version. After a CAS installs the update version, each child
primary site automatically installs the same update during its service window. For
more information, see Updates for Configuration Manager.
After this step, your CAS and each primary site run the updated version.
5. Upgrade secondary sites. After a primary site installs the update, use the in-
console option to update secondary sites. This action upgrades secondary sites
directly from System Center 2012 Configuration Manager to the same update
version as the primary site. For more information about upgrading a secondary
site, see Upgrade sites.
6. Upgrade clients. This process upgrades clients directly from System Center 2012
Configuration Manager to the update version that you installed at the primary site.
For more information, see How to upgrade clients for Windows computers.
Next steps
Configure sites and hierarchies
Configure sites and hierarchies for
Configuration Manager
Article • 10/04/2022
After you install your first Configuration Manager site or add additional sites to your
hierarchy, use this checklist to ensure that you consider the most common
configurations that affect both sites and hierarchies.
Some options build upon each other, such as Active Directory Forest Discovery,
boundaries, and boundary groups.
Other configurations, like boundary groups and distribution point groups, require
you to configure them before using.
Action: Publish site data to Active Directory Domain Services
Details: Make it easy for clients to find services and efficiently use site resources.
First extend the Active Directory schema. Then individually configure each site to
publish site data.
Action: Configure a service connection point
Details: Plan to install and configure the service connection point at the top-level
site of your hierarchy. For more information, see About the service connection point.
Action: Add site system roles
Details: Install one or more additional site system roles for individual sites. For
more information, see Add site system roles.
Action: Configure site boundaries and boundary groups
Details: Specify boundaries that define network locations on your intranet that can
contain devices that you want to manage. Then configure boundary groups so that
clients at those network locations can find Configuration Manager resources. For more
information, see Define site boundaries and boundary groups.
Action: Run discovery
Details: Run discovery to find resources on your network, including network
infrastructure, devices, and users.
Action: Add redundancy and capacity for administrators
Details: Install additional SMS Providers and Configuration Manager consoles to expand
capacity for administrators to manage your infrastructure. Install additional SMS
Providers to provide redundancy for console and API connections to the site. For more
information, see Manage the SMS Provider.
Action: Configure site components
Details: Configure site components at each site to modify the behavior of site system
roles and site status reporting. For more information, see Site components.
Action: Create custom collections
Details: Using information that the site discovers about devices and users, create
custom collections of objects to simplify future management tasks. For more
information, see How to create collections.
Action: Configure settings to manage high-risk deployments
Details: Configure settings at a site to warn administrators when they create a
high-risk deployment. For more information, see Settings to manage high-risk
deployments.
Action: Configure database replicas for management points
Details: Configure a database replica to reduce the processor load that's placed on
the site database server by management points as they service requests from clients.
For more information, see Database replicas for management points.
Action: Modify replication between sites
Details: See Data transfers between sites to learn about the following subjects:
Configure file-based replication between secondary sites
Action: Configure site servers in passive mode
Details: Starting in version 1806, configure a site server in passive mode for each
primary site and the central administration site. This feature provides a highly
available site server. For more information, see Site server high availability.
Add site system roles for Configuration
Manager
Article • 10/04/2022
Each Configuration Manager site supports multiple site system roles. Each role extends
the functionality and capacity of your site to provide services to the site and to manage
devices and users. Each site system role on a site system server must be from the same
site.
Configuration Manager doesn't support site system roles for multiple sites on a single
site system server.
Tip
If you're not familiar with the basics for site system roles or the difference between
the site server, site system servers, and site system roles, see Fundamentals of
Configuration Manager.
The following articles detail procedures and related details for installing site system
roles:
Install site system roles: Basic guidance about how to use the two in-console
wizards to install new site system roles.
Set up checklist for CMG: Set up a cloud management gateway (CMG) to manage
clients on the internet.
Install site system roles for on-premises mobile device management (MDM): Set up
your site system roles to support managing modern devices by using
Configuration Manager on-premises MDM.
Configuration options for site system roles: Some site system roles support
configurations that require more details than the user interface can explain.
Remove a site system role: Guidance and procedures to remove roles from site
system servers.
Install site system roles for
Configuration Manager
Article • 10/04/2022
There are two methods in the Configuration Manager console to install site system
roles:
Add Site System Roles: Add site system roles to an existing site system server in
the site.
Create Site System Server: Specify a new server as a site system server, and then
install one or more roles. This method is the same as the Add Site System Roles,
except for the first page. You first specify the name of the server and the site in
which you want to install it.
Tip
When you install a role on a remote computer, Configuration Manager adds the
computer account of the remote computer to a local group on the site server.
When you install the site on a domain controller, the group on the site server is a
domain group instead of a local group. In this case, the remote site system role
doesn't work immediately, because the remote computer's existing Kerberos ticket
doesn't yet carry the new group membership. Either restart the site system server, or
refresh the Kerberos ticket for the remote server's computer account. For more
information, see Accounts used.
Before it installs the site system role, Configuration Manager checks the destination
computer to make sure it meets the prerequisites for the selected roles.
By default, when Configuration Manager installs a site system role, it installs files on the
first available NTFS-formatted disk drive that has the most available free disk space. To
prevent Configuration Manager from installing on specific drives, before you install the
site system server, create an empty file named NO_SMS_ON_DRIVE.SMS in the root of
the drive.
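The script below is an added example, not code from the Configuration Manager documentation. It applies the NO_SMS_ON_DRIVE.SMS rule from the paragraph above on a prospective site system server: it marks every fixed NTFS volume except the one you want the role installed on, and warns if the marker is present on the allowed drive, which would block the install there. The target server name and the allowed drive letter are assumptions.

```powershell
# Added example, not from the Configuration Manager documentation: before adding a
# site system server, put NO_SMS_ON_DRIVE.SMS on every fixed NTFS volume except the
# one the role should use. Target computer and allowed drive are assumptions.
param(
    [string]$ComputerName = 'mp01.contoso.com',   # assumption
    [string]$AllowedDrive = 'D'                   # assumption: drive the role should land on
)

Invoke-Command -ComputerName $ComputerName -ArgumentList $AllowedDrive -ScriptBlock {
    param([string]$Allowed)
    $blocked = @()
    # Only fixed NTFS volumes with a drive letter are candidates for a role install.
    $candidates = Get-Volume | Where-Object {
        $_.DriveType -eq 'Fixed' -and $_.FileSystem -eq 'NTFS' -and $_.DriveLetter
    }
    foreach ($vol in $candidates) {
        $letter = [string]$vol.DriveLetter
        $marker = "$letter`:\NO_SMS_ON_DRIVE.SMS"
        if ($letter -eq $Allowed) {
            # A marker here would push the install onto some other drive; flag it.
            if (Test-Path -LiteralPath $marker) { Write-Warning "$marker exists on the allowed drive; remove it before installing the role." }
        } elseif (-not (Test-Path -LiteralPath $marker)) {
            # Empty file; the name alone is what Configuration Manager checks.
            New-Item -Path $marker -ItemType File | Out-Null
            $blocked += $letter
        }
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Allowed = $Allowed; NewlyBlocked = $blocked }
}
```

Run it before the Create Site System Server wizard, not after: the marker only influences where new role files are placed, it doesn't move anything already installed.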
Configuration Manager uses the site system installation account to install roles. You
specify this account when you install the role. By default, this account is the local
system account of the site server computer, so the site server's computer account
must be a local Administrator on the target site system server. You can specify a
domain user account as the site system installation account instead. If you do, grant
that account local Administrator rights only on the site system servers it installs,
not across the domain. For more information, see Accounts - Site system installation
account.
2. In the ribbon, on the Home tab, in the Server group, select Add Site System Roles.
Tip
To access the site system role from the internet, make sure that you specify an
internet fully qualified domain name (FQDN).
4. On the Proxy page, if roles on this server require an internet proxy, then specify
settings for a proxy server. For more information, see Proxy server support.
5. On the System Role Selection page, select the site system roles that you want to
add.
6. Complete the wizard. Additional pages may appear for specific roles. For more
information, see Configuration options for site system roles.
Tip
2. In the ribbon, on the Home tab, in the Create group, select Create Site System
Server.
3. On the General page, specify the general settings for the site system.
Tip
To access the new site system role from the internet, make sure that you
specify an internet FQDN.
4. On the Proxy page, if roles on this server require an internet proxy, then specify
settings for a proxy server. For more information, see Proxy server support.
5. On the System Role Selection page, select the site system roles that you want to
add.
6. Complete the wizard. Additional pages may appear for specific roles. For more
information, see Configuration options for site system roles.
Tip
Next steps
Configuration options for site system roles
Remove role
About the service connection point in
Configuration Manager
Article • 10/04/2022
The service connection point is a site system role that provides several important
functions for the hierarchy. Before you set up the service connection point, understand
and plan for its range of uses. Planning for usage might affect how you set up this site
system role:
Upload usage data from your Configuration Manager infrastructure. You can
control the level or amount of detail that you upload. For more information, see
Usage data levels and settings.
Synchronize apps from the Microsoft Store for Business and Education
Use Desktop Analytics to gain insights on Windows 10 update and app readiness
Each hierarchy supports a single instance of this role. It can only be installed at the top-
tier site of your hierarchy, which is a central administration site (CAS) or stand-alone
primary site. If you expand a stand-alone primary site to a larger hierarchy, uninstall this
role from the primary site, and then install it at the CAS.
Modes of operation
The service connection point supports two modes of operation:
Online: The service connection point automatically checks every 24 hours for
updates. It downloads new updates that are available for your current
infrastructure and product version to make them available in the Configuration
Manager console.
Offline: The service connection point doesn't connect to the Microsoft cloud
service. To manually import available updates, use the service connection tool.
Change mode
If you change between online or offline modes after you install the service connection
point, restart the SMS_DMP_DOWNLOADER thread of the SMS_Executive service.
Restarting this thread makes the change become effective. To restart this thread, use the
Configuration Manager Service Manager.
Tip
You can also restart the SMS_Executive service for Configuration Manager, which
restarts most site components. Alternatively, wait for a scheduled task like a site
backup, which stops and restarts the SMS_Executive service for you.
2. In the service manager navigation pane, expand the site, expand Components, and
then choose the component that you want to restart: SMS_DMP_DOWNLOADER.
4. Confirm the current status of the component. Then go to the Component menu,
and choose Stop.
5. Query the component again to confirm that it stopped. Then choose the Start
component action to restart it.
The computer account of the site server must be a local admin on the computer
that hosts a remote service connection point.
or
Set up the site system server that hosts this role with a site system installation
account. The distribution manager on the site server uses the site system
installation account to transfer updates from the service connection point.
For more information, see Internet access requirements. Other Configuration Manager
features may require additional endpoints from the service connection point.
These configurations apply to the server that hosts the service connection point and any
firewalls between that server and the internet. Allow communication through outgoing
HTTPS port TCP 443 to the internet locations.
The service connection point supports using a web proxy with or without authentication
to use these locations. For more information, see Proxy server support.
If the Configuration Manager site fails to connect to required endpoints for a cloud
service, it raises a critical status message ID 11488. When it can't connect to the service,
the SMS_SERVICE_CONNECTOR component status changes to critical. View detailed
status in the Component Status node of the Configuration Manager console.
Starting in version 2010, the service connection point validates important internet
endpoints for Desktop Analytics and tenant attach. These checks help make sure that
the cloud-connected services are available. It also helps you troubleshoot issues by
quickly determining if network connectivity is a problem. For more information, see
Validate internet access.
The specific URLs required by the service connection point vary by Configuration
Manager feature:
Tip
The service connection point uses the Microsoft Intune service when it connects to
go.microsoft.com or manage.microsoft.com . There's a known issue in which the
For the list of internet endpoints, see the following sections of the Internet access
requirements article:
Desktop Analytics
Tenant attach
A failure isn't always determined by the HTTP status code, but by whether there's
network connectivity to an endpoint. The following scenarios can cause a check to fail:
SSL/TLS failure
Status code   Description                         Notes
598           Network read timeout error          Not RFC compliant, but used by some proxy servers to indicate a network timeout
599           Network connection timeout error    Not RFC compliant, but used by some proxy servers to indicate a network timeout
There are also the following status messages for the SMS_SERVICE_CONNECTOR
component:
Install
When you run Setup to install the top-tier site of a hierarchy, you can install the service
connection point.
After setup runs, or if you're reinstalling the role, use the Add Site System Roles wizard
or the Create Site System Server wizard. (Only install the service connection point on
the top-tier site of your hierarchy.) For more information, see Install site system roles.
Recovery
Site server high availability
Site expansion
After you move the service connection point, check all site functions. For example, you
may need to renew the secret key for any connections to Azure Active Directory (Azure
AD) tenants. For more information, see Renew secret key.
Log files
To view information about uploads to Microsoft, view the Dmpuploader.log on the
server that runs the service connection point. For download progress of updates, view
the Dmpdownloader.log. For the complete list of logs related to the service connection
point, see Log files - Service connection point.
Next steps
Use the following flowcharts to understand the process flow and key log entries. This
process includes update downloads and replication of updates to other sites.
Most configuration options for Configuration Manager site system roles are self-
explanatory or are explained in the wizard or dialog boxes when you configure them.
The following sections explain site system roles whose settings might require additional
information.
Warning
For more information about how to set up the certificate registration point, see
Introduction to certificate profiles.
Distribution point
For more information about how to set up the distribution point for content
deployment, see Manage content and content infrastructure.
For more information about how to set up the distribution point for PXE deployments,
see Use PXE to deploy Windows over the network.
For more information about how to set up the distribution point for multicast
deployments, see Use multicast to deploy Windows over the network.
Enrollment point
Enrollment points are used to install macOS computers and enroll devices that you
manage with on-premises mobile device management. For more information, see the
following articles:
Allowed connections
The HTTPS setting is automatically selected and requires a PKI certificate on the server
for server authentication to the enrollment proxy point, and encryption of data over SSL.
For more information, see PKI certificate requirements.
For an example deployment of the server certificate and information about how to
configure it in IIS, see Deploying the web server certificate for site systems that run IIS.
Client connections
The HTTPS setting is automatically selected. It requires the following PKI certificates on
the server:
For server authentication to mobile devices and Mac computers that you enroll
with Configuration Manager
For encryption of data over Secure Sockets Layer (SSL)
For more information about the certificate requirements, see PKI certificate
requirements.
For an example deployment of the server certificate and information about how to
configure it in IIS, see Deploying the web server certificate for site systems that run IIS.
The fallback status point accepts connections only from the intranet.
You use the fallback status point during a client deployment rollout for many
computers.
In this scenario, a continuous stream of state messages might create a backlog of state
messages that causes high processor usage on the site server for a sustained period. In
addition, you might not see up-to-date information about the client deployment in the
Configuration Manager console and in the client deployment reports.
These fallback status point settings are designed to be set up for state messages that
are generated during client deployment. The settings aren't designed to be set up for
client communication issues, like when clients on the internet can't connect to their
internet-based management point. Because the fallback status point can't apply these
settings just to the state messages that are generated during client deployment, don't
configure these settings when the fallback status point accepts connections from the
internet.
Each computer that successfully installs the Configuration Manager client sends the
following four state messages to the fallback status point:
For example, if you deploy the Configuration Manager client to 20,000 computers, the
deployment might send 80,000 state messages to the fallback status point. Because the
default throttling configuration lets 10,000 state messages be sent to the fallback
status point each 3,600 seconds (1 hour), state messages might become backlogged on
the fallback status point. Also consider the available network bandwidth between the
fallback status point and the site server and the processing power of the site server to
process many state messages.
To help prevent these issues, consider an increase in the number of state messages and
a decrease in the throttle interval.
Reset the throttle values for the fallback status point if either of the following conditions
is true:
You calculate that the current throttle values are higher than required to process
state messages from the fallback status point.
You find that the current throttle settings create high processor usage on the site
server.
Don't change the settings for the fallback status point throttle settings unless you
understand the consequences. For example, when you increase the throttle settings to
high, the processor usage on the site server can increase to high, which slows down all
site operations.
Database replicas for management
points for Configuration Manager
Article • 10/04/2022
Configuration Manager primary sites can use a database replica to reduce the CPU load
placed on the site database server by management points as they service requests from
clients. When a management point uses a database replica, it requests data from the
SQL Server computer that hosts the database replica instead of from the site database
server.
This configuration can help reduce the CPU processing requirements on the site
database server by offloading frequent processing tasks related to clients. An example
of frequent processing tasks for clients includes sites where there are a large number of
clients that make frequent requests for client policy.
About
Replicas are a partial copy of the site database that replicates to a separate
instance of SQL Server.
Primary sites support a dedicated database replica for each management point
at the site.
A single database replica can be used by more than one management point
from the same site.
A SQL Server can host multiple database replicas for use by different
management points so long as each runs in a separate instance of SQL Server.
Replicas synchronize a copy of the site database on a fixed schedule from data that
the site's database server publishes for this purpose.
You can configure management points to use a replica when you install it, or at a
later time. For an existing management point, reconfigure it to use the database
replica.
Regularly monitor the site database server and each database replica server to
make sure that replication occurs between them. Make sure that the performance
of the database replica server is sufficient for the site and client performance that
you require.
Prerequisites
The SQL Server service on the computer that hosts the replica database must run
as the System account.
Both the SQL Server that hosts the site database and the SQL Server that hosts a
database replica must have SQL Server replication installed.
The site database must publish the database replica, and each remote database
replica server must subscribe to the published data.
Configure both SQL Servers to support a max text repl size of 2 GB. For more
information and how to configure this setting for SQL Server, see Configure the
max text repl size Server Configuration Option.
Self-signed certificate
To configure a database replica, create a self-signed certificate on the database replica
server. Make this certificate available to each management point that will use that
database replica server.
To make this certificate available to remote management points, first export the
certificate. Then add it to the Trusted People certificate store on the remote
management point.
Client notification
To support client notification with a database replica for a management point, configure
communication between the site database server and the database replica server for the
SQL Server Service Broker:
Limitations
When you configure the site to publish database replicas, use the following
procedures instead of the normal guidance:
Configure
To configure a database replica, the following steps are required:
Step 1 - Configure the site database server to Publish the database replica
2. Create a local user group with the name ConfigMgr_MPReplicaAccess. For each
database replica server that you use at this site, add its computer account to this
group. This action enables those database replica servers to synchronize with the
published database replica.
Note
If the SQL Server Agent uses an account other than the local system account,
replace SYSTEM with that account name in the following list.
Share permissions:
SYSTEM: Change
ConfigMgr_MPReplicaAccess: Read
NTFS permissions:
Note
If you're using a domain group instead of a local group, change this SQL
statement to: EXEC spCreateMPReplicaPublication
N'<DomainName>\ConfigMgr_MPReplicaAccess'
When the stored procedure completes, the site database server is configured to publish
the database replica.
2. Use SQL Server Management Studio to connect to the local server. Browse to the
Replication folder, select Local Subscriptions, and then select New Subscriptions.
This action starts the New Subscription Wizard.
a. On the Publication page, select Find SQL Server Publisher. Enter the name of
the site database server, and then select Connect.
c. On the Distribution Agent Location page, select Run each agent at its
Subscriber (pull subscriptions), and then select Next.
Select an existing database from the database replica server to use for the
database replica, and then select OK.
Select New database to create a new database for the database replica.
On the New Database page, specify a database name, and then select OK.
Tip
The properties button, (...), is in the fourth column of the display box.
Configure the account that runs the Distribution Agent process (process
account):
If the SQL Server Agent runs as local system, select Run under the SQL
Server Agent service account (This is not a recommended security best
practice.)
If the SQL Server Agent runs by using a different account, select Run
under the following Windows account, and then configure that account.
You can specify a Windows account or a SQL Server account.
Important
Grant the account that runs the Distribution Agent permissions to the
publisher as a pull subscription. For more information about configuring
these permissions, see Distribution agent security.
After you configure the connection security settings, select OK to save them,
and then select Next.
b. On the Wizard Actions page, enable the option to Create the subscription(s),
and then select Next.
5. To enable common language runtime (CLR) integration for the database replica,
use SQL Server Management Studio to connect to the database replica on the
database replica server. Run the following stored procedure as a query: exec
sp_configure 'clr enabled', 1; RECONFIGURE WITH OVERRIDE
6. For each management point that uses a database replica server, add that
management point's computer account to the local Administrators group on that
database replica server.
Tip
This step isn't necessary for a management point that runs on the database
replica server.
1. Open the properties page of the management point, and switch to the
Management Point Database tab.
2. Select Use a database replica, and then specify the FQDN of the computer
that hosts the database replica.
3. Next, for ConfigMgr site database name, specify the database name of the
database replica on that computer.
For each management point that uses a database replica, manually add the computer
account of the management point server to the db_datareader role for the database
replica.
In addition to configuring the management point to use the database replica server,
enable Windows Authentication in IIS on the management point:
2. Select the website used by the management point, and open Authentication.
2. Copy the following PowerShell script and save it as a file with the name
CreateMPReplicaCert.ps1. Place a copy of this file in the root folder of the system
partition of the database replica server.
Important
If you're configuring more than one database replica on a single SQL Server,
for each subsequent replica you configure, use a modified version of this
script for this procedure. For more information, see Supplemental script for
additional database replicas on a single SQL Server.
PowerShell
# CreateMPReplicaCert.ps1
# Lines marked "(reconstructed)" restore statements that were lost when this page was
# extracted; they are inferred from the surrounding code and from the X509Enrollment COM
# interfaces the script already uses. The final SQL Server registry update is an assumption
# based on SQL Server's SuperSocketNetLib "Certificate" value, not text from this article.
Param($SQLInstance)
$computerName = "$env:computername"
#$key="HKLM:\SOFTWARE\Microsoft\SMS\MP"
#$dbValue="Database Name"
$sqlServerName = [System.Net.Dns]::GetHostByName("localhost").HostName
$sqlInstanceName = "MSSQLSERVER"
$SQLServiceName = "MSSQLSERVER"
if ($SQLInstance) {                                   # (reconstructed) a named instance was passed
    $sqlInstanceName = $SQLInstance
    $SQLServiceName = "MSSQL`$" + $SQLInstance         # service name of a named instance
}
$friendlyName = "ConfigMgr SQL Server Identification Certificate"

# (reconstructed helper) returns the certificates in the given store
function Get-StoreCertificates($storename, $storelocation) {
    $store = new-object System.Security.Cryptography.X509Certificates.X509Store($storename, $storelocation)
    $store.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Certificates
}

# Delete existing cert if one exists
$cert = Get-StoreCertificates "My" "LocalMachine" | Where-Object { $_.FriendlyName -eq $friendlyName }
if ($cert) {
    $store = new-object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
    $store.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Remove($cert)
    $store.Close()
}
$cert = Get-StoreCertificates "TrustedPeople" "LocalMachine" | Where-Object { $_.FriendlyName -eq $friendlyName }
if ($cert) {
    $store = new-object System.Security.Cryptography.X509Certificates.X509Store("TrustedPeople","LocalMachine")
    $store.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Remove($cert)
    $store.Close()
}

# Create the new cert
$name = new-object -ComObject "X509Enrollment.CX500DistinguishedName.1"           # (reconstructed)
$name.Encode("CN=" + $sqlServerName, 0)                                            # subject = server FQDN
$key = new-object -ComObject "X509Enrollment.CX509PrivateKey.1"                   # (reconstructed)
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"               # (reconstructed) SChannel-capable CSP
$key.KeySpec = 1                                   # AT_KEYEXCHANGE
$key.Length = 1024                                 # value from the article; 2048 or larger is current guidance
# Private key ACL: full control for SYSTEM and Administrators, read for Network Service (the SQL Server service)
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()
$serverauthoid = new-object -ComObject "X509Enrollment.CObjectId.1"               # (reconstructed)
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")                            # Server Authentication EKU
$ekuoids = new-object -ComObject "X509Enrollment.CObjectIds.1"                    # (reconstructed)
$ekuoids.add($serverauthoid)
$ekuext = new-object -ComObject "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1" # (reconstructed)
$ekuext.InitializeEncode($ekuoids)
$cert = new-object -ComObject "X509Enrollment.CX509CertificateRequestCertificate.1" # (reconstructed)
$cert.InitializeFromPrivateKey(2, $key, "")        # (reconstructed) 2 = machine context
$cert.Subject = $name
$cert.Issuer = $cert.Subject                       # self-signed
$cert.NotBefore = get-date
$cert.NotAfter = $cert.NotBefore.AddDays(3650)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()
$enrollment = new-object -ComObject "X509Enrollment.CX509Enrollment.1"            # (reconstructed)
$enrollment.InitializeFromRequest($cert)
$enrollment.CertificateFriendlyName = "ConfigMgr SQL Server Identification Certificate"
$certdata = $enrollment.CreateRequest(0x1)         # 0x1 = base64 encoding
$enrollment.InstallResponse(0x2, $certdata, 0x1, "")   # (reconstructed) install the self-signed cert into the My store

# Add the cert to the Trusted People store on this server
[Byte[]]$bytes = [System.Convert]::FromBase64String($certdata)
$trustedPeople = new-object System.Security.Cryptography.X509certificates.X509Store "TrustedPeople", "LocalMachine"
$trustedPeople.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$trustedPeople.Add([Security.Cryptography.X509Certificates.X509Certificate2]$bytes)
$trustedPeople.Close()

# Compute the SHA-1 thumbprint as upper-case hex, the form SQL Server expects
$sha = new-object System.Security.Cryptography.SHA1CryptoServiceProvider
$certHash = $sha.ComputeHash($bytes)
$certHashCharArray = "";
$certThumbprint = "";
foreach($byte in $certHash) {
    $certHashCharArray = $certHashCharArray + $byte.ToString("x2");   # (reconstructed loop body)
}
foreach($char in $certHashCharArray) {
    [System.String]$myString = $char;
    $certThumbprint = $certThumbprint + $myString.ToUpper();          # (reconstructed loop body)
}

# Configure SQL Server to present this certificate (assumption: SuperSocketNetLib "Certificate" value)
$certKeyName = "Certificate"
$instanceId = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL").$sqlInstanceName
$sqlRegPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"
Set-ItemProperty -Path $sqlRegPath -Name $certKeyName -Value $certThumbprint
Restart-Service $SQLServiceName -Force             # restart SQL Server so it loads the new certificate
3. On the database replica server, run the following command that applies to the
configuration of your SQL Server:
For a default instance of SQL Server: In the PowerShell session, run
.\CreateMPReplicaCert.ps1. When the script runs, it creates the self-signed
certificate and configures SQL Server to use the certificate.
For a named instance of SQL Server: Use PowerShell to run the following
command: .\CreateMPReplicaCert.ps1 <SQL Server instance name>
After the script completes, verify that the SQL Server Agent is running. If not,
restart the SQL Server Agent.
Do the following steps on the database replica server to export the server's self-signed
certificate:
1. Go to the Start menu, select Run, and type mmc.exe. In the empty console, select
File, and then select Add/Remove Snap-in.
2. In the Add or Remove Snap-ins dialog box, select Certificates from the list of
Available snap-ins, and then select Add.
3. In the Certificate snap-in dialog box, select Computer account, and then select
Next.
4. In the Select Computer dialog box, make sure that Local computer: (the
computer this console is running on) is selected, and then select Finish.
6. In the console, expand Certificates (Local Computer), expand Personal, and select
Certificates.
7. Right-click the certificate with the friendly name of ConfigMgr SQL Server
Identification Certificate, select All Tasks, and then select Export.
8. Complete the Certificate Export Wizard with the default options. Save the
certificate with the .cer file name extension.
Do the following steps on the management point server to add the self-signed
certificate for the database replica server to the Trusted People certificate store:
1. Repeat the preceding steps to open the Certificate snap-in MMC on the
management point computer.
3. On the File to Import page, select the saved certificate, and then select Next.
4. On the Certificate Store page, select Place all certificates in the following store,
with the Certificate store set to Trusted People, and then select Next.
5. Select Finish to close the wizard and complete the certificate configuration on the
management point.
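The following PowerShell functions are an added example, not part of this article: they carry out the export and Trusted People import described above with the checks a practitioner would want, verifying that the replica server holds exactly one certificate with the expected friendly name, that SQL Server is configured with its thumbprint, and that the file imported on the management point has the thumbprint you exported. The function names, file paths, the instance ID, and the SQL Server registry location (the SuperSocketNetLib Certificate value) are assumptions.

```powershell
# Added example: verified export/import of the database replica server's self-signed
# certificate. Function names, paths and the registry location are assumptions.
$FriendlyName  = 'ConfigMgr SQL Server Identification Certificate'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU the creation script requests

# Run on the database replica server: locate the certificate, sanity-check it, export it as .cer
function Export-MPReplicaServerCert {
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [string]$InstanceId = 'MSSQL15.MSSQLSERVER'   # assumed SQL instance ID; read yours from Instance Names\SQL
    )
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $FriendlyName })
    if ($certs.Count -ne 1) {
        throw "Expected exactly one '$FriendlyName' certificate in LocalMachine\My, found $($certs.Count)"
    }
    $cert = $certs[0]
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) has expired; rerun CreateMPReplicaCert.ps1" }
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $ServerAuthOid) { throw 'Certificate lacks the Server Authentication EKU' }
    if (-not $cert.HasPrivateKey) { throw 'Private key is missing; SQL Server cannot use this certificate' }

    # Assumption: SQL Server records the thumbprint of the certificate it presents in this value
    $regPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\MSSQLServer\SuperSocketNetLib"
    $configured = (Get-ItemProperty -Path $regPath -Name Certificate -ErrorAction SilentlyContinue).Certificate
    if (-not $configured -or $configured.ToUpper() -ne $cert.Thumbprint) {
        Write-Warning "SQL Server is not configured with thumbprint $($cert.Thumbprint); management points would see a different certificate"
    }
    Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null   # public part only, no private key
    return $cert.Thumbprint
}

# Run on the management point: import the .cer into Trusted People and confirm the expected thumbprint is trusted
function Import-MPReplicaServerCert {
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [Parameter(Mandatory)][string]$ExpectedThumbprint   # carry this over from the export step, not from the file itself
    )
    $imported = Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\TrustedPeople
    if ($imported.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
        # Undo the import so a substituted file does not stay trusted
        Get-ChildItem Cert:\LocalMachine\TrustedPeople | Where-Object Thumbprint -eq $imported.Thumbprint | Remove-Item
        throw "Thumbprint mismatch: file has $($imported.Thumbprint), expected $ExpectedThumbprint"
    }
    return [bool](Get-ChildItem Cert:\LocalMachine\TrustedPeople | Where-Object Thumbprint -eq $ExpectedThumbprint.ToUpper())
}

# Example use (constructed paths and server name):
# $tp = Export-MPReplicaServerCert -CerPath 'C:\Temp\MPReplica.cer'                              # on the replica server
# Import-MPReplicaServerCert -CerPath '\\mp01\C$\Temp\MPReplica.cer' -ExpectedThumbprint $tp    # on the management point
```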
Note
Before you can use the following procedure, the database replica server must
successfully complete the initial synchronization with the site database server.
The following procedure doesn't modify the Service Broker port that's configured in SQL
Server for the site database server or the database replica server. This procedure
configures each database to communicate with the other database by using the correct
Service Broker port.
Use the following procedure to configure the Service Broker for the site database server
and the database replica server:
1. Use SQL Server Management Studio to connect to the replica server database.
Then run the following query to enable the Service Broker on the database replica
server: ALTER DATABASE <Replica Database Name> SET ENABLE_BROKER,
HONOR_BROKER_PRIORITY ON WITH ROLLBACK IMMEDIATE
2. On the database replica server, configure the Service Broker for client notification
and export the Service Broker certificate. Run a SQL Server stored procedure that
configures the Service Broker and exports the certificate as a single action. When
you run the stored procedure, specify the FQDN of the database replica server, the
name of the database replica's database, and specify a location for the export of
the certificate file.
Run the following query to configure the required details on the database replica
server, and to export the certificate for the database replica server: EXEC
sp_BgbConfigSSBForReplicaDB '<Replica SQL Server FQDN>', '<Replica Database
Note
When the database replica server isn't on the default instance of SQL Server,
also specify the instance name with the replica database name. In the example
command, replace <Replica Database Name> with <Instance name>\<Replica
Database Name>.
After you export the certificate from the database replica server, place a copy of
the certificate on the primary site database server.
3. Use SQL Server Management Studio to connect to the primary site database. After
you connect to the primary site's database, run a query to import the certificate
and specify the Service Broker port that's in use on the database replica server, the
FQDN of the database replica server, and the name of the database replica's database.
This action configures the primary site's database to use the Service Broker to
communicate with the database of the database replica server.
Run the following query to import the certificate from the database replica server
and specify the required details: EXEC sp_BgbConfigSSBForRemoteService 'REPLICA',
'<SQL Service Broker Port>', '<Certificate File Path>', '<Replica SQL Server
When the database replica server isn't on the default instance of SQL Server,
also specify the instance name with the replica database name. In the example
command, replace <Replica Database Name> with <Instance name>\<Replica
Database Name>.
4. On the site database server, run the following command to export the certificate for
the site database server: EXEC sp_BgbCreateAndBackupSQLCert '<Certificate Backup
File Path>'
After you export the certificate from the site database server, place a copy of the
certificate on the database replica server.
5. Use SQL Server Management Studio to connect to the replica server database.
After you connect to the replica server database, run a query to import the
certificate and specify the site code of the primary site and the Service Broker port
that's in use on the site database server. This action configures the database
replica server to use the Service Broker to communicate to the database of the
primary site.
Run the following query to import the certificate from the site database server:
EXEC sp_BgbConfigSSBForRemoteService '<Site Code>', '<SQL Service Broker
Port>', '<Certificate File Path>'
A few minutes after you complete the configuration of the site database and the
database replica database, the notification manager at the primary site sets up the
Service Broker conversation for client notification from the primary site database to the
database replica.
Comment out each line between the script entries # Delete existing cert if one
exists and # Create the new cert. Add a pound sign (#) as the first character of
each applicable line.
For each subsequent database replica you use this script to configure, update the
friendly name for the certificate. Edit the line $enrollment.CertificateFriendlyName
= "ConfigMgr SQL Server Identification Certificate" and replace ConfigMgr SQL
Server Identification Certificate with a new name. For example, ConfigMgr SQL
Note
After you restore a site database that was configured for database replicas, before
you can use the database replicas, reconfigure each database replica and recreate
both the publications and subscriptions.
2. In the Site System Roles pane, select the Management point role. In the ribbon,
on the Site Role tab, select Properties.
3. Switch to the Management Point Database tab. Select Use the site database to
configure the management point to use the site database instead of the database
replica. Select OK to save the configuration.
Delete the publication for the database replica from the site server database.
Delete the subscription for the database replica from the database replica
server.
After you delete the publication, the subscription, and the replica database, and disable
publishing on the site database server, the database replica is uninstalled.
1. Use SQL Server Management Studio to delete the database replica publication
from the site server database.
2. Use SQL Server Management Studio to delete the database replica subscription
from each remote SQL Server that hosts a database replica for this site.
1. Use SQL Server Management Studio to delete the publication for the database
replica from the site server database.
2. Use SQL Server Management Studio to delete the subscription for the database
replica from each database replica server for this site.
3. Move the database to the new SQL Server computer. For more information, see
Modify the site database configuration.
4. Recreate the publication for the database replica on the site database server. For
more information, see Step 1 - Configure the site database server to Publish the
database replica.
5. Recreate the subscriptions for the database replica on each database replica server.
For more information, see Step 2 - Configuring the database replica server.
Site components for Configuration
Manager
Article • 10/04/2022
For each Configuration Manager site, you can configure site components to modify the
behavior of site system roles and site status reporting. Site component configurations
apply to a site, and to each instance of an applicable site system role at the site.
Software distribution
Software update point
OS deployment
Management point
Status reporting
Email notification
Collection membership evaluation
Note
The available options for some components vary depending on whether you select the
central administration site, a primary site, or a secondary site. Some components are not
available at all for certain types of sites.
Software distribution
Get-CMSoftwareDistributionComponent
Set-CMSoftwareDistributionComponent
To programmatically view and configure the Software update point site component, use
the following PowerShell cmdlets:
Get-CMSoftwareUpdatePointComponent
Set-CMSoftwareUpdatePointComponent
OS deployment
For more information, see Specify the drive for offline OS image servicing.
Management point
On the General tab, set up the site to publish information about its management points
to Active Directory Domain Services.
Configuration Manager clients use management points to locate services, and to find
site information such as boundary group membership and PKI certificate selection
options. Clients also use management points to find other management points in the
site, and distribution points from which to download software. Management points also
help clients to complete site assignment, and to download client policy and upload
client information.
The most secure method for clients to find management points is to publish them in
Active Directory Domain Services. This service location method requires the following to
be true:
When clients on the intranet can't use Active Directory Domain Services to find
management points, use DNS publishing. This article also describes the option to
Publish selected intranet management points in DNS.
For general information about service location, see Understand how clients find site
resources and services.
Get-CMManagementPointComponent
Set-CMManagementPointComponent
Status reporting
These settings directly set up the level of detail that's included in status reports from
sites and clients.
Email notification
Specify account and email server details to enable Configuration Manager to send email
notifications for alerts.
Get-CMEmailNotificationComponent
Set-CMEmailNotificationComponent
Get-CMCollectionMembershipEvaluationComponent
Set-CMCollectionMembershipEvaluationComponent
A Configuration Manager service runs when there's something for it to do, for example,
when a configuration file is written to a component's inbox.
2. In the Component group of the ribbon, select Start, and then choose
Configuration Manager Service Manager.
3. When the Configuration Manager Service Manager opens, connect to the site that
you want to manage.
If you don't see the site that you want to manage, go to the Site menu, and select
Connect. Then enter the name of the site server of the correct site.
5. In the right pane, select one or more components. Then on the Component menu,
select Query to update the status of your selection.
6. After it updates the status of the component, use one of the four action-based
options on the Component menu. Use these actions to modify the component's
operation. After you request an action, query the component again to display the
new status of the component.
7. Close the Configuration Manager Service Manager when you're finished modifying
the operational status of components.
Publish site data for Configuration
Manager
Article • 10/04/2022
After you extend the Active Directory schema for Configuration Manager, you can
publish Configuration Manager sites to Active Directory Domain Services (AD DS). This
lets Active Directory computers securely retrieve site information from a trusted source.
Although publishing site information to AD DS is not required for basic Configuration
Manager functionality, it can reduce administrative overhead to do so.
When a site does not publish to AD DS, clients must have an alternative
mechanism to locate their default management point.
For information about how clients find a management point, see Understand how
clients find site resources and services for Configuration Manager.
You must extend the Active Directory schema for Configuration Manager in each
forest where you will publish site data. Also ensure the System Management
container is present.
You must grant the computer account of each primary site that will publish data
full control to the System Management container, and all of its child objects.
2. In the Administration workspace, expand Site Configuration, and click Sites. Select
the site that you want to have publish its site data. Then on the Home tab, in the
Properties group, click Properties.
3. On the Publishing tab of the site's properties, select the forests to which this site
will publish site data.
To set up a previously discovered forest, select the forest in the results pane.
Then on the Home tab, in the Properties group, click Properties to open the
forest properties. Continue with step 3.
To set up a new forest that is not listed, on the Home tab, in the Create
group, click Add Forest to open the Add Forests dialog box. Continue with
step 3.
3. On the General tab, complete configurations for the forest that you want to
discover, and specify the Active Directory Forest Account.
4. If you plan to allow sites to publish site data to this forest, on the Publishing tab,
complete configurations for publishing to this forest.
Note
If you enable sites to publish to a forest, you must extend the Active Directory
schema of that forest for Configuration Manager. The Active Directory Forest
Account must have Full Control permissions to the System container in that
forest.
5. When you complete the configuration of this forest for use with Active Directory
Forest Discovery, click OK to save the configuration.
Manage content and content infrastructure for Configuration Manager
Article • 10/04/2022
When you are ready to set up and then manage your content management
infrastructure for Configuration Manager, use the information in the following topics:
Install and configure distribution points for Configuration Manager. Before you can
deploy content, you must install and set up distribution points. Then you can set
up distribution point groups to help simplify management of content across your
infrastructure. The information in this topic can help you complete these tasks, and
details the deep and varied settings supported by individual distribution points.
Monitor content you have distributed with Configuration Manager. As you deploy
content, you can monitor its status across your infrastructure. You can also
redistribute content that fails to reach distribution points, or cancel distributions
that remain in progress. The information in this topic helps you understand how to
monitor your content, including how to fix some problems when the transfer of
content fails.
Install and configure distribution points in Configuration Manager
Article • 10/04/2022
Install Configuration Manager distribution points to host the content files that you
deploy to devices and users. Create distribution point groups to simplify how you
manage distribution points, and how you distribute content to distribution points.
You install a new distribution point by using the installation wizard. For more
information, see Install a distribution point. To manage the properties of an existing
distribution point, edit the properties of the distribution point. For more information, see
Configure a distribution point.
Configure most of the distribution point settings with either method. A few settings are
available only when you're either installing or editing, but not both:
Settings that are available only when you're installing a distribution point:
Settings that are available only when you're editing the properties of a distribution
point:
Prerequisites
When you install a new distribution point, you use an installation wizard that walks you
through the available settings. Before you start, consider the following prerequisites:
You must have the following security permissions to create and configure a
distribution point:
Manage Certificates for Operating System Deployment for the Site object
Install Internet Information Services (IIS) on the Windows server that hosts the
distribution point. Or, when you install the site system role, Configuration Manager
can install and configure IIS for you.
Start with the general procedure to Install site system roles. Select the Distribution
point role on the System Role Selection page of the Create Site System Server wizard.
This action adds the following pages to the wizard:
Distribution point
Communication
Drive Settings
Pull Distribution Point
PXE Settings
Multicast
Content Validation
Boundary Groups
Important
The following settings are available only when you're installing a distribution point:
For more information on the pages of the wizard specific to the distribution point role,
see the Configure a distribution point section. For example, if you want to install the
distribution point as a pull-distribution point, choose the option to Enable this
distribution point to pull content from other distribution points. Then make the other
configurations that pull-distribution points require.
After you finish the Create Site System Server wizard, the site adds the distribution point
role to the site system server.
Note
You can use PowerShell to automate the installation of a distribution point. For
more information, see Add-CMDistributionPoint.
To help you troubleshoot, review the following log files:
distmgr.log on the site server
SMSdpmon.log on the distribution point server
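The note above points at Add-CMDistributionPoint for automation. The following is an added example, not the documentation's own code, showing the wizard's security-relevant choices made explicitly on the command line: HTTPS with an imported PKI client certificate (to match management points that use HTTPS), anonymous access disabled, a PXE password, a weekly content validation schedule, and a boundary group assignment, followed by a look at distmgr.log for the new server. It assumes the console's ConfigurationManager module is installed on the machine running it; server names, site code, certificate and log paths, and the boundary group name are placeholders.

```powershell
# Added example (not from the documentation): install a distribution point with
# Add-CMDistributionPoint using hardened settings, then check the site server log.
# Assumptions: ConfigurationManager console module installed locally; all names,
# paths and the site code below are placeholders.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
$siteCode = 'PS1'
Set-Location "${siteCode}:"

$dpServer    = 'dp01.contoso.com'
$pfxPath     = 'D:\certs\dp01-client.pfx'     # PKI client certificate for the DP
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$pxePassword = Read-Host -AsSecureString -Prompt 'PXE password'

# The site system server record must exist before a role can be added to it.
if (-not (Get-CMSiteSystemServer -SiteSystemServerName $dpServer -SiteCode $siteCode)) {
    New-CMSiteSystemServer -SiteSystemServerName $dpServer -SiteCode $siteCode | Out-Null
}

# Weekly validation at 02:00. New-CMSchedule takes local time; the console shows UTC.
$validation = New-CMSchedule -Start (Get-Date '02:00') -RecurInterval Days -RecurCount 7

$dpSettings = @{
    SiteSystemServerName      = $dpServer
    SiteCode                  = $siteCode
    InstallInternetServer     = $true        # let the site install and configure IIS
    ClientConnectionType      = 'Intranet'
    ClientCommunicationType   = 'Https'      # same scheme as the management points
    CertificatePath           = $pfxPath     # import PKI cert; no self-signed cert with PKI MPs
    CertificatePassword       = $pfxPassword
    EnableAnonymous           = $false       # clients must authenticate to the content library
    EnablePxe                 = $true
    PxePassword               = $pxePassword # "Require a password when computers use PXE"
    EnableContentValidation   = $true
    ContentValidationSchedule = $validation
    ContentValidationPriority = 'Lowest'
    MinimumFreeSpaceMB        = 50000        # drive space reserve
    AddBoundaryGroupName      = 'HQ-Boundaries'
}
Add-CMDistributionPoint @dpSettings

# The role installs asynchronously. Look for the server in distmgr.log on the
# site server (path is a placeholder) and surface any error lines.
$distmgrLog = 'E:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log'
Select-String -Path $distmgrLog -Pattern ([regex]::Escape($dpServer)) |
    Where-Object { $_.Line -match 'error|fail' } |
    Select-Object -Last 20 -ExpandProperty Line

# Confirm the role record exists for this server.
Get-CMDistributionPoint -SiteSystemServerName $dpServer -SiteCode $siteCode |
    Select-Object NetworkOSPath, RoleName
```

Splatting keeps every setting visible in one place for review, which is the point when the choices (HTTPS, no anonymous access, PXE password) are the ones an auditor will ask about.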
Add one or more distribution points from any site in the hierarchy to a distribution
point group.
Associate a collection with a distribution point group. When you distribute content
to that collection, Configuration Manager determines which groups are associated
with the collection. It then distributes the content to all distribution points that are
members of those groups.
Note
After you distribute content to a collection, if you then associate the collection
with a new distribution point group, you must redistribute the content to the
collection before the content is distributed to the new distribution point
group.
The next sections list the procedures for the following actions to manage distribution
point groups:
3. In the Create New Distribution Point Group window, enter the Name, and
optionally a Description for the group.
5. In the Add Distribution Points window, select one or more distribution points to
add as members of the group. Then choose OK.
6. If necessary, switch to the Collections tab of the Create New Distribution Point
Group window, and select Add.
7. In the Select Collections window, select the collections to associate with the
distribution point group, and then choose OK.
8. In the Create New Distribution Point Group window, choose OK to create the
group.
Note
You can use PowerShell to automate this process. For more information, see
New-CMDistributionPointGroup.
2. In the ribbon, select Add Selected Items, and then select Add Selected Items to
New Distribution Point Group.
This process automatically populates the Members tab of the Create New Distribution
Point Group window with the selected servers.
3. To associate new collections with this group, switch to the Collections tab, and
choose Add. Select the collections, and then choose OK.
4. To add new distribution points to this group, switch to the Members tab, and
choose Add. Select the distribution points, and then choose OK.
Note
You can use PowerShell to automate this process. For more information, see
Set-CMDistributionPointGroup.
2. In the ribbon, select Add Selected Items, and then select Add Selected Items to
Existing Distribution Point Groups.
3. In the Available distribution point groups, select the groups to which the selected
distribution points are added as members. Then choose OK.
Note
You can use PowerShell to automate this process. For more information, see
Add-CMDistributionPointToGroup.
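The three procedures above (create a group, add members, associate collections) are usually scripted together. The following is an added example, not the documentation's own code: it creates the group if it does not exist, adds only servers that actually host the distribution point role, associates a collection, and then redistributes content already deployed to that collection, because, as the note above says, content distributed before the association does not reach the new group on its own. It assumes the ConfigurationManager module is loaded and the site drive selected; group, server, collection names and the package ID are placeholders.

```powershell
# Added example (not from the documentation): build a distribution point group
# end to end. Assumptions: ConfigurationManager module loaded, site drive
# selected; all names and the package ID are placeholders.
$groupName        = 'HQ Distribution Points'
$members          = 'dp01.contoso.com', 'dp02.contoso.com'
$collectionName   = 'HQ Workstations'
$alreadyDeployed  = 'PS100012'   # a package that was deployed to the collection earlier

# Idempotent create.
$group = Get-CMDistributionPointGroup -Name $groupName
if (-not $group) {
    $group = New-CMDistributionPointGroup -Name $groupName -Description 'DPs serving the HQ campus'
}

# Add members; skip servers that do not host the role instead of failing half way.
foreach ($dp in $members) {
    if (-not (Get-CMDistributionPoint -SiteSystemServerName $dp)) {
        Write-Warning "Skipping $dp - it does not host the distribution point role"
        continue
    }
    Add-CMDistributionPointToGroup -DistributionPointName $dp -DistributionPointGroupName $groupName
}

# Associate the collection with the group.
Add-CMCollectionToDistributionPointGroup -CollectionName $collectionName -DistributionPointGroupName $groupName

# Content deployed to the collection before this association is not sent to the
# new group automatically; redistribute it to the collection now.
Start-CMContentDistribution -PackageId $alreadyDeployed -CollectionName $collectionName

# Verify membership.
Get-CMDistributionPoint -DistributionPointGroupName $groupName |
    Select-Object NetworkOSPath, SiteCode
```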
This feature lets you reassign a distribution point to another primary site without
redistributing the content. The distribution point's current site can be either a primary or
secondary site. This action updates the site system assignment while persisting all of the
content on the server. If you need to reassign multiple distribution points, first do this
action on a single distribution point. Then continue with other servers one at a time.
Important
The target server can only host the distribution point role. If the site system server
hosts another Configuration Manager server role, such as the state migration point,
you can't reassign the distribution point. You can't reassign a cloud management
gateway.
Before reassigning a distribution point, add the computer account of the destination site
server to the local Administrator group on the target distribution point server.
3. Right-click the target distribution point, and select Reassign Distribution Point.
4. Select the target site server and site code to which you want to reassign this
distribution point.
Monitor the reassignment similarly as when you add a new role. The simplest method is
to refresh the console view after several minutes. Add the site code column to the view.
This value changes when Configuration Manager reassigns the server. If you try to do
another action on the target server before you refresh the console view, an "object not
found" error occurs. Ensure the process is complete and refresh the console view before
starting any other actions on the server.
After reassigning a distribution point, refresh the server's certificate. The new site server
needs to re-encrypt this certificate using its public key and store it in the site database.
For more information, see the Create a self-signed certificate or import a public key
infrastructure (PKI) client certificate for the distribution point setting on the General
tab of the distribution point properties.
For PKI certificates, you don't need to create a new certificate. Import the same
.PFX and enter the password.
For self-signed certificates, adjust the expiration date or time to update it.
If you don't refresh the certificate, the distribution point still serves content, but the
following functions fail:
Content validation messages (the distmgr.log shows that it can't decrypt the
certificate)
Tips
Do this action from the central administration site. This practice helps with
replication to the primary sites.
Don't distribute content to the target server and then attempt to reassign it.
Distribute content tasks that are in progress may fail during the reassignment
process, but it retries per normal.
If the server is also a Configuration Manager client, make sure to also reassign the
client to the new primary site. This step is especially critical for pull-distribution
points, which use client components to download content.
This process removes the distribution point from the old site's default boundary
group. You need to manually add it to the new site's default boundary group, if
necessary. All other boundary group assignments remain the same.
Note
You can use PowerShell to automate this process. For more information, see the
ReassignSiteCode parameter of the Set-CMDistributionPoint cmdlet.
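Reassignment has several ordering constraints spread across the text above: the server may host only the DP role, the destination site server's computer account must be a local administrator on it first, nothing else should touch the object until the site code changes, and the certificate must be refreshed afterwards. The following PowerShell is an added example, not the documentation's own code, that enforces that order with the ReassignSiteCode parameter. It is meant to run from a console connected to the central administration site with the CAS drive selected; server names, site codes, the domain and the PFX path are placeholders, and the role names it filters on are the ones the console displays.

```powershell
# Added example (not from the documentation): reassign a distribution point to a
# different primary site in the order the procedure requires.
# Assumptions: ConfigurationManager module loaded, CAS drive selected; names,
# site codes, domain and PFX path are placeholders.
$dp         = 'dp01.contoso.com'
$oldSite    = 'PS1'
$newSite    = 'PS2'
$newSiteSrv = 'cm02.contoso.com'
$netbiosDom = 'CONTOSO'
$pfxPath    = 'D:\certs\dp01-client.pfx'   # the same PKI certificate, re-imported

# 1. Only a server that hosts nothing but the DP role can be reassigned.
$otherRoles = Get-CMSiteRole -SiteSystemServerName $dp -SiteCode $oldSite |
    Where-Object { $_.RoleName -notin 'SMS Site System', 'SMS Distribution Point', 'SMS Component Server' } |
    Select-Object -ExpandProperty RoleName
if ($otherRoles) { throw "Cannot reassign $dp; it also hosts: $($otherRoles -join ', ')" }

# 2. Destination site server's computer account must be a local administrator on the DP.
$newSiteAccount = "$netbiosDom\$($newSiteSrv.Split('.')[0])`$"
Invoke-Command -ComputerName $dp -ArgumentList $newSiteAccount -ScriptBlock {
    param($account)
    if (-not (Get-LocalGroupMember -Group Administrators -Member $account -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group Administrators -Member $account
    }
}

# 3. Reassign.
Set-CMDistributionPoint -SiteSystemServerName $dp -SiteCode $oldSite -ReassignSiteCode $newSite

# 4. Do nothing else with the object until its site code has changed; acting on
#    it mid-reassignment returns "object not found".
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $moved = Get-CMDistributionPoint -SiteSystemServerName $dp -SiteCode $newSite
} until ($moved -or (Get-Date) -gt $deadline)
if (-not $moved) { throw "Reassignment of $dp to $newSite did not complete in time" }

# 5. Refresh the certificate so the new site server can re-encrypt and store it.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Set-CMDistributionPoint -SiteSystemServerName $dp -SiteCode $newSite `
    -CertificatePath $pfxPath -CertificatePassword $pfxPassword
# For a self-signed certificate, change its expiry instead:
# Set-CMDistributionPoint -SiteSystemServerName $dp -SiteCode $newSite `
#     -CertificateExpirationTimeUtc (Get-Date).AddYears(5).ToUniversalTime()

# 6. Reassignment removes the DP from the old site's default boundary group;
#    add it where it is needed (placeholder group name).
Set-CMDistributionPoint -SiteSystemServerName $dp -SiteCode $newSite -AddBoundaryGroupName 'HQ-Boundaries'
```

If the server is also a client (pull-distribution points always are), reassign the client to the new primary site as a separate step; the script above only handles the site system role.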
Maintenance mode
You can set a distribution point in maintenance mode. Enable maintenance mode when
you're installing software updates, or making hardware changes to the server.
While the distribution point is in maintenance mode, it has the following behaviors:
Management points don't return the location of this distribution point to clients.
When you update the site, a distribution point in maintenance mode still updates.
The distribution point properties are read-only. For example, you can't change the
certificate or add boundary groups.
Any scheduled task, like content validation, still runs on the same schedule.
Be careful about enabling maintenance mode on more than one distribution point. This
action may cause a performance impact to your other distribution points. Depending
upon your boundary group configurations, clients may have increased download times
or be unable to download content.
Maintenance mode shouldn't be a long-term state for any distribution point. For any
actions with a long duration, consider first removing the distribution point role.
Note
Remove role
Reassign distribution point
3. Select the target distribution point, and choose Enable maintenance mode from
the ribbon.
To view the current state of the distribution points, add the "Maintenance mode"
column to the Distribution Points node in the console.
For more information on automating this process with the Configuration Manager SDK,
see SetDPMaintenanceMode method in class SMS_DistributionPointInfo.
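Because the text above says maintenance mode should never be a long-term state, the practical risk is a patch script that fails part way and leaves the server invisible to clients. The following is an added example, not the documentation's own code: a small wrapper that enables maintenance mode with Set-CMDistributionPoint, runs whatever maintenance work you pass in, and disables it again in a finally block so the DP returns to service even when the work throws. It assumes the ConfigurationManager module is loaded and the site drive selected, and that -EnableMaintenanceMode is the Set-CMDistributionPoint parameter corresponding to the console action; the server name, site code and the restart used as sample work are placeholders.

```powershell
# Added example (not from the documentation): keep maintenance mode short and
# guaranteed to be switched off. Assumptions: ConfigurationManager module
# loaded, site drive selected; server name and site code are placeholders.
function Invoke-DPMaintenance {
    param(
        [Parameter(Mandatory)] [string]      $DistributionPointName,
        [Parameter(Mandatory)] [string]      $SiteCode,
        [Parameter(Mandatory)] [scriptblock] $Work
    )
    $dp = Get-CMDistributionPoint -SiteSystemServerName $DistributionPointName -SiteCode $SiteCode
    if (-not $dp) { throw "No distribution point role on $DistributionPointName in site $SiteCode" }

    # Management points stop returning this DP to clients from here on.
    Set-CMDistributionPoint -SiteSystemServerName $DistributionPointName -SiteCode $SiteCode -EnableMaintenanceMode $true
    Write-Host "$DistributionPointName is in maintenance mode"
    try {
        & $Work $DistributionPointName
    }
    finally {
        # Runs whether the work succeeded or threw, so the DP is not left drained.
        Set-CMDistributionPoint -SiteSystemServerName $DistributionPointName -SiteCode $SiteCode -EnableMaintenanceMode $false
        Write-Host "$DistributionPointName is back in service"
    }
}

# Sample use: apply already-staged updates by restarting and waiting for WinRM.
Invoke-DPMaintenance -DistributionPointName 'dp01.contoso.com' -SiteCode 'PS1' -Work {
    param($server)
    Restart-Computer -ComputerName $server -Wait -For WinRM -Timeout 1800 -Force
}
```

Call it for one distribution point at a time; the warning above about putting several servers into maintenance mode at once applies just as much to a loop.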
The following sections describe the distribution point configurations when you're
installing a new one or editing an existing one:
General settings
Communication
Drive Settings
Firewall Settings
Pull Distribution Point
PXE Settings
Multicast
Content Validation
Boundary Groups
3. Use the information in the following sections when you're editing the properties of
the distribution point.
4. After you make the changes that you want, select OK to save your settings and
close the distribution point properties.
Note
You can use PowerShell to automate this process. For more information, see
Set-CMDistributionPoint.
General
The following settings are on the Distribution point page of the Create Site System
Server wizard, and the General tab of the distribution point properties window:
Install and configure IIS if required by Configuration Manager: If IIS isn't already
installed on the server, Configuration Manager installs and configures it.
Configuration Manager requires IIS on all distribution points. If you don't choose
this setting, and IIS isn't installed on the server, first install IIS before Configuration
Manager can successfully install the distribution point.
Note
This option is only on the Distribution point page of the Create Site System
Server wizard. It's available only when you're installing a new distribution
point.
Enable and configure BranchCache for this distribution point: Choose this setting
to let Configuration Manager configure Windows BranchCache on the distribution
point server. For more information, see BranchCache.
Adjust the download speed to use the unused network bandwidth (Windows
LEDBAT): Enable distribution points to use network congestion control. For more
information, see Windows LEDBAT. Minimum requirements for LEDBAT support:
Windows Server, version 1709 or later
Windows Server 2016 with the following updates:
Cumulative update KB4132216, released June 21, 2018, or a later cumulative
update.
Servicing stack update KB4284833, released May 18, 2018, or a later servicing
stack update.
Windows Server 2019
Enable this distribution point for prestaged content: This setting enables you to
add content to the server before you distribute software. Because the content files
are already in the content library, they don't transfer over the network when you
distribute the software. For more information, see Prestaged content.
Communication
The following settings are on the Communication page of the Create Site System Server
wizard and the distribution point properties window:
Configure how client devices communicate with the distribution point: There are
advantages and disadvantages to using HTTP or HTTPS. For more information, see
Security guidance for content management.
Allow clients to connect anonymously: This setting specifies whether the
distribution point allows anonymous connections from Configuration Manager
clients to the content library.
When you Enable PXE support for clients on the PXE Settings page, the
distribution point sends this client certificate to computers that PXE boot.
These computers then use it to connect to a management point during the OS
deployment process.
When you configure all your management points in the site for HTTP, select the
option to Create self-signed certificate. When you configure the management
points for HTTPS, use the option to Import certificate from PKI. In other words,
don't use self-signed certificates on distribution points when management
points use certificates. Issues may occur otherwise. For example, distribution
points won't send state messages.
Tip
For more information about the certificate requirements, see PKI certificate
requirements.
Drive settings
Note
These options are available only when you're installing a new distribution point.
Specify the drive settings for the distribution point. Configure up to two disk drives for
the content library and two disk drives for the package share. Configuration Manager
can use other drives when the first two reach the configured drive space reserve. The
Drive Settings page configures the priority for the disk drives and the amount of free
disk space that remains on each disk drive.
Drive space reserve (MB): This value determines the amount of free space on a
drive before Configuration Manager chooses a different drive and continues the
copy process to that drive. Content files can span multiple drives.
Content locations: Specify the locations for the content library and package share
on this distribution point. By default, all content locations are set to Automatic.
Configuration Manager copies content to the primary content location until the
amount of free space reaches the value specified for Drive space reserve (MB).
When you select Automatic, Configuration Manager sets the primary content
locations to the disk drive with the most disk space at installation. It sets the
secondary locations to the disk drive with the second-most free disk space. When
the primary and secondary locations reach the drive space reserve, Configuration
Manager selects another available drive with the most free disk space to continue
the copy process.
Firewall Settings
The distribution point must have the following inbound rules configured in the Windows
firewall:
For each pull-distribution point that you configure, specify one or more source
distribution points from which it gets the content:
Choose Add, and then select one or more of the available distribution points to be
sources.
Use the arrow buttons to adjust the priority. When the pull-distribution point
attempts to transfer content, the priority is the order in which it contacts the
source distribution points. It first contacts distribution points with the lowest value.
PXE
Specify whether to enable PXE on the distribution point. Use PXE to start OS
deployments on clients. For more information on how to use PXE in Configuration
Manager, see Use PXE to deploy Windows over the network.
When you enable PXE, Configuration Manager installs Windows Deployment Services
(WDS) on the server, if necessary. WDS is the service that supports PXE boot to install
operating systems. After you finish the wizard to create the distribution point,
Configuration Manager installs a provider in WDS that uses the PXE boot functions.
Select the option to Enable PXE support for clients, and then configure the following
settings:
Note
Select Yes in the Review Required Ports for PXE dialog box to confirm that you
want to enable PXE. Configuration Manager automatically configures the default
ports on Windows firewall. If you use a different firewall, manually configure the
ports.
If you install WDS and DHCP on the same server, configure WDS to listen on a
different port. By default, both services listen on UDP port 67. For more
information, see Considerations when you have WDS and DHCP on the same server.
Require a password when computers use PXE: To provide more security for your
PXE deployments, specify a strong password.
User device affinity: Specify how you want the distribution point to associate users
with the destination computer for PXE deployments. Choose one of the following
options:
Allow user device affinity pending administrator approval: Choose this setting
to wait for approval from an administrative user before users are associated
with the destination computer.
Do not allow user device affinity: Choose this setting to specify that users
aren't associated with the destination computer. This setting is the default.
For more information about user device affinity, see Link users and devices with
user device affinity.
Network interfaces: Specify that the distribution point responds to PXE requests
from all network interfaces or from specific network interfaces. If the distribution
point responds to specific network interfaces, then provide the MAC address for
each network interface.
Note
When changing the network interface, restart the WDS service to make sure it
properly saves the configuration. When using the PXE responder service,
restart the ConfigMgr PXE Responder Service (SccmPxe).
Specify the PXE server response delay (seconds): When you use multiple PXE
servers, specify how long this PXE-enabled distribution point should wait before it
responds to computer requests. By default, the Configuration Manager PXE-
enabled distribution point responds immediately.
Multicast
Specify whether to enable multicast on the distribution point. Multicast deployments
conserve network bandwidth by simultaneously sending data to multiple Configuration
Manager clients. Without multicast, the server sends a copy of the data to each client
over a separate connection. For more information about using multicast for OS
deployment, see Use multicast to deploy Windows over the network.
Select the option to Enable multicast to simultaneously send data to multiple clients,
and then configure the following settings:
Multicast Connection Account: Specify the account to use when you configure
Configuration Manager database connections for multicast. For more information,
see the Multicast connection account.
Multicast address settings: Specify the IP addresses for sending data to the
destination computers. By default, it obtains the IP address from a DHCP server
that's enabled to distribute multicast addresses. Depending on the network
environment, you can specify a range of IP addresses from 239.0.0.0 through
239.255.255.255.
UDP port range for multicast: Specify the range of UDP ports that are used to
send data to the destination computers.
Important
The UDP ports must be accessible by the destination computers that request
the OS image. Verify that routers and firewalls allow for multicast traffic
between the destination computer and the site server.
Maximum clients: Specify the maximum number of destination computers that can
download the OS image from this distribution point.
Minimum session size (clients): Specify how many requests must be received
before Configuration Manager starts to deploy the operating system.
Important
To enable and configure multicast on the Multicast tab of the distribution point
properties, the distribution point must use Windows Deployment Service.
If you Enable PXE support for clients and Enable multicast to simultaneously
send data to multiple clients, then you can't Enable a PXE responder without
Windows Deployment Service.
If you Enable PXE support for clients and Enable a PXE responder without
Windows Deployment Service, then you can't Enable multicast to
simultaneously send data to multiple clients.
Group relationships
Note
These options are available only when you're editing the properties of a previously
installed distribution point.
Manage the distribution point groups in which this distribution point is a member.
To remove this distribution point from a distribution point group, select the group in the
list, and then choose Remove. Removing the distribution point from a distribution point
group doesn't remove any content from the distribution point.
Content
Note
These options are available only when you're editing the properties of a previously
installed distribution point.
Manage the content that you distributed to the distribution point. Select from the list of
deployment packages, and then select one of the following actions:
Validate: Start the process to validate the integrity of the content files for the
software. To view the results of the content validation process, in the Monitoring
workspace, expand Distribution Status, and then choose the Content Status node.
For more information, see Validate content.
Redistribute: Copies all of the content files for the selected software to the
distribution point, and overwrites the existing files. You typically use this action to
repair content files. For more information, see Redistribute content.
Remove: Removes the content files for the software from the distribution point.
For more information, see Remove content.
Content validation
Set a schedule to validate the integrity of content files on the distribution point. When
you enable content validation on a schedule, Configuration Manager starts the process
at the scheduled time. It verifies all content on the distribution point based on the
SMS_PackagesInContLib class in the server's local root\SCCMDP WMI namespace. You can also configure the content validation
priority. By default, the priority is set to Lowest. Increasing the priority might increase
the processor and disk utilization on the server during the validation process, but it
should complete faster.
To view the results of the content validation process, in the Monitoring workspace,
expand Distribution Status, and then choose the Content Status node. It shows the
content for each software type, for example, application, software update package, and
boot image.
Warning
Although you specify the content validation schedule by using the local time for
the computer, the Configuration Manager console shows the schedule in UTC.
Boundary groups
Manage the boundary groups to which you assign this distribution point. Add the
distribution point to at least one boundary group. During content deployment, clients
must be in a boundary group associated with a distribution point to use that
distribution point as a source location for content.
Configure boundary group relationships that define when and to which boundary
groups a client can fall back to find content. For more information, see Boundary
groups.
Choose Add and select an existing boundary group from the list.
To create a new boundary group for this distribution point, choose Create. For more
information on how to create and configure a boundary group, see Procedures for
boundary groups.
When you're editing the properties of a previously installed distribution point, manage
the option to Enable for on-demand distribution. This option allows Configuration
Manager to automatically distribute content to this server when a client requests it. For
more information, see On-demand content distribution.
Schedule
Note
These options are available only when you're editing the properties of a previously
installed distribution point.
This tab is available only when you edit the properties for a distribution point that's
remote from the site server.
Configure a schedule that restricts when Configuration Manager can transfer data to the
distribution point. Restrict data by priority or close the connection for selected time
periods.
To restrict data, select the time period in the grid, and then choose one of the following
settings for Availability:
Open for all priorities: Configuration Manager sends data to the distribution point
with no restrictions. This setting is the default for all time periods.
Allow medium and high priority: Configuration Manager sends only medium-
priority and high-priority data to the distribution point.
Allow high priority only: Configuration Manager sends only high-priority data to
the distribution point.
Closed: Configuration Manager doesn't send any data to the distribution point.
Configure the Distribution priority of software on the Distribution Settings tab of the
software's properties.
Important
The schedule is based on the time zone from the sending site, not the distribution
point.
Rate limits
Note
These options are available only when you're editing the properties of a previously
installed distribution point.
This tab is available only when you edit the properties for a distribution point that's
remote from the site server.
Configure rate limits to control the network bandwidth that Configuration Manager uses
to transfer content to the distribution point. Choose from the following options:
Pulse mode: This option specifies the size of the data blocks that the site server
sends to the distribution point. You can also specify a time delay between sending
each data block. Use this option when you must send data across a very low-
bandwidth network connection to the distribution point. For example, you have
constraints to send 1 KB of data every five seconds, whatever the speed of the link
or its usage at a given time.
Limited to specified maximum transfer rates by hour: Specify this setting to have
a site send data to a distribution point by using only the percentage of time that
you configure. When you use this option, Configuration Manager doesn't identify
the network's available bandwidth. Instead it divides the time that it can send data.
The server sends data for a short period of time, which is followed by periods of
time when data isn't sent. For example, if you set Limit available bandwidth to
50%, Configuration Manager transmits data for a time period followed by an equal
period of time when no data is sent. The actual amount of data, or the size of the
data block, isn't managed. It only manages the amount of time during which it
sends data.
Deploy and manage content for Configuration Manager
Article • 12/05/2022
After you install distribution points for Configuration Manager, you can begin to deploy
content to them. Typically, content transfers to distribution points across the network,
but other options to get content to the distribution points exist. After content transfers
to a distribution point, you can update, redistribute, remove, and validate that content
on distribution points.
There are many types of content. All of the actions in this article apply to the following
objects in the Software Library workspace in the Configuration Manager console:
Packages: Expand the Application Management node, select Packages, and then
select the specific packages.
Driver packages: Expand the Operating Systems node, select Driver Packages, and
then select the specific driver packages.
Boot Images: Expand the Operating Systems node, select Boot Images, and then
select the specific boot images.
Task Sequences: Expand the Operating Systems node, select Task Sequences, and
then select the specific task sequence. Although task sequences don't contain
content, they have associated content references.
Distribute content
Typically, you distribute content to distribution points so that it's available to clients. The
exception to this behavior is when you use on-demand content distribution for a
specific deployment. When you distribute content, Configuration Manager stores
content files in a package, and then distributes the package to the distribution point.
The content for the package is pulled from the site server's content library.
When you create a package that contains source files, the site on which you create it
becomes the site owner for the content source. Configuration Manager copies the
source files from the source file path that you specify for the object to the content
library on the site server that owns it. Then Configuration Manager replicates the
information to additional sites. For more information, see The content library.
3. On the Home tab of the ribbon, in the Deployment group, select Distribute
Content.
4. On the General page of the Distribute Content Wizard, verify that the content
listed is the content that you want to distribute. Then choose whether you want
Configuration Manager to detect content dependencies that are associated with
the selected content and add the dependencies to the distribution.
Note
For applications, you can also configure the Detect associated content
dependencies and add them to this distribution setting. Configuration
Manager automatically configures this setting for task sequences.
5. On the Content tab, if displayed, verify that the content listed is the content that
you want to distribute.
Note
The Content page displays only when you select the Detect associated
content dependencies and add them to this distribution setting on the
General page of the wizard.
6. On the Content Destination page, select Add, choose one of the following
options:
Note
Distribution Point: Choose an existing distribution point, and then select OK.
It doesn't display distribution points that have previously received the
content.
7. On the Summary page, review the settings for the distribution before you
continue. To distribute the content to the selected destinations, select Next.
9. The Confirmation page displays whether the content was successfully assigned to
the servers. To further monitor the content distribution, see Monitor content
you've distributed with Configuration Manager.
When you import the prestaged content file on a site server, it adds the content
files to its content library. It then registers the content in the site server database.
When you import the prestaged content file on a distribution point, the content
files are added to the content library on the distribution point. It then sends a
status message to the site server, which informs the site that the content is
available on the distribution point.
Before you can prestage content to the distribution point, create the content
library on the server. Distribute content over the network at least once to prepare
the content library. Then you can prestage content.
When you prestage content for an object with a long package source path, the
Extract Content command-line tool might fail. A long package source path is more
than 140 characters.
For more information about when to prestage content files, see Manage network
bandwidth for content management.
3. On the Home tab of the ribbon, select Create Prestage Content File.
4. On the General page of the Create Prestaged Content File Wizard, select Browse.
Choose the location for the prestaged content file, specify a name for the file, and
then select Save. You use this prestaged content file on primary site servers,
secondary site servers, or distribution points to import the content and metadata.
7. On the Content page, verify that the content listed is the content that you want to
add to the prestaged content file.
8. On the Content Locations page, specify the distribution points from which to
retrieve the content for the prestaged content file. You can select more than one
distribution point to retrieve the content. The distribution points are listed in the
Content locations section. The Content column displays how many of the selected
packages or applications are available on each distribution point.
Configuration Manager starts with the first distribution point in the list to retrieve
the selected content. It then moves down the list to retrieve the remaining content
required for the prestaged content file. To change the priority order of the
distribution points, select Move Up or Move Down.
When the distribution points in the list don't contain all of the selected content,
add distribution points to the list that contain the content. Otherwise, exit the
wizard, distribute the content to at least one distribution point, and then restart
the wizard.
9. On the Summary page, confirm the details. You can go back to previous pages and
make changes. Select Next to create the prestaged content file.
10. The Progress page displays the content that it's adding to the prestaged content
file.
11. On the Completion page, verify that it successfully created the prestaged content
file, and then select Close.
Note
When you use a prestaged content file to recover the content library on a site
server, and don't have to prestage the content files on a distribution point, you can
skip this procedure.
Use the following procedure to assign the content in the prestaged content file to
distribution points.
Important
Verify that the distribution points that you want to prestage are configured as
prestaged distribution points, or that the content is distributed to the distribution
points over the network.
2. Select the same content type that you selected when you created the prestaged
content file.
4. On the General page of the Distribute Content Wizard, verify that the content
listed is the content that you prestaged. Choose whether you want Configuration
Manager to detect content dependencies that are associated with the selected
content and add the dependencies to the distribution.
Note
For applications, you can also configure the Detect associated content
dependencies and add them to this distribution setting. Configuration
Manager automatically configures this setting for task sequences.
5. On the Content page, if displayed, verify that the content listed is the content that
you want to distribute.
Note
The Content page displays only when the Detect associated content
dependencies and add them to this distribution setting is selected on the
General page of the wizard.
6. On the Content Destination page, select Add, and choose one of the following
options that includes the distribution points to be prestaged:
Note
It only displays the collections that are associated with a distribution
point group. For more information, see Manage distribution point
groups.
Distribution Point: Select an existing distribution point, and then select OK. It
doesn't display distribution points that already have the content.
7. On the Summary page, review the settings for the distribution before you
continue. To distribute the content to the selected destinations, select Next.
9. The Confirmation page displays whether the content was successfully assigned to
the distribution points. To monitor the content distribution, see Monitor content
you've distributed.
First, manually copy the prestaged content file to the target server. Use a portable drive
like a USB drive, or media like a DVD. Have it available at the location of the server that
requires the content.
Next, you use the Extract Content command-line tool to export the content files from
the prestaged content file.
When you run the tool, it creates a temporary file as it creates the content files.
Then it copies the file to the destination folder, and deletes the temporary file. The
server needs sufficient disk space for this temporary file.
The tool creates the temporary file in the specified destination folder for the
content files.
The user that runs the tool must have Administrator rights on the server where
you extract the content.
To extract the content files from the prestaged content file
1. Copy the prestaged content file to the server where you want to extract the
content.
3. On the target server, open the command prompt. Navigate to the folder location
of the prestaged content file and Extract Content tool.
Note
You can extract one or more prestaged content files on a site server,
secondary site server, or distribution point.
extractcontent /P:D:\PrestagedFiles\MyPrestagedFile.pkgx /S
The /S parameter extracts only content files that are newer than what's currently
in the content library.
When you extract the prestaged content file on a site server, the content files are
added to its content library. The site then registers the content in the site server
database. When you extract the prestaged content file on a distribution point, it
adds the content files to the content library on the distribution point. The
distribution point sends a status message to the parent primary site server, which
then registers the content in the site database.
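A script that wraps the extraction step with the preflight checks described above (Administrator rights, scratch space for the temporary file, exit code of the tool), as an added example that is not from the documentation or the Extract Content tool itself. It assumes extractcontent.exe sits in the same folder as the .pkgx files and that $ContentDrive is the drive hosting this server's content library; all paths and drive letters are placeholders.

```powershell
# Added example (not from the Configuration Manager documentation or product code).
# Imports one or more prestaged content files with the Extract Content tool after
# checking the prerequisites the article describes: the caller needs Administrator
# rights on the server, and the drive that receives the content needs room for the
# temporary file the tool writes before it moves content into the content library.
# Assumptions: extractcontent.exe is in the same folder as the .pkgx files, and
# $ContentDrive is the drive that hosts this server's content library (placeholder).

[CmdletBinding()]
param(
    [string]   $ToolFolder    = 'D:\PrestagedFiles',                          # placeholder
    [string[]] $PrestagedFile = @('D:\PrestagedFiles\MyPrestagedFile.pkgx'),  # placeholder
    [string]   $ContentDrive  = 'D',                                          # placeholder
    [switch]   $OnlyNewer   # adds /S: extract only files newer than the content library's copy
)

function Test-IsAdministrator {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsAdministrator)) {
    throw 'Run this from an elevated session: Extract Content needs Administrator rights.'
}

$exe = Join-Path $ToolFolder 'extractcontent.exe'
if (-not (Test-Path -LiteralPath $exe)) { throw "extractcontent.exe not found in $ToolFolder" }

$free = (Get-PSDrive -Name $ContentDrive -PSProvider FileSystem).Free

foreach ($file in $PrestagedFile) {
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Warning "Skipping missing prestaged file: $file"
        continue
    }
    $pkgx = Get-Item -LiteralPath $file

    # Conservative heuristic: the tool writes a temporary file on the destination
    # drive while it unpacks, so require at least the size of the .pkgx to be free
    # and refuse early rather than fail half-way through the import.
    if ($free -lt $pkgx.Length) {
        Write-Warning ("Not enough free space on {0}: for {1} ({2:N0} bytes needed, {3:N0} free)" -f `
            $ContentDrive, $pkgx.Name, $pkgx.Length, $free)
        continue
    }

    $toolArgs = @("/P:$($pkgx.FullName)")
    if ($OnlyNewer) { $toolArgs += '/S' }

    Write-Verbose "Running: $exe $($toolArgs -join ' ')"
    & $exe @toolArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Extract Content failed for $($pkgx.Name) (exit code $LASTEXITCODE)"
        continue
    }
    Write-Host "Extracted $($pkgx.Name). On a distribution point, wait for the status message that registers it with the site."
    $free = (Get-PSDrive -Name $ContentDrive -PSProvider FileSystem).Free
}
```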
Important
When you update content on the site to a new version, make sure to also update
content for prestaged content files. For example:
When the distribution point isn't enabled for prestaged content or when the distribution
point isn't located on a site server, see the Use Prestaged content section.
1. Verify that the distribution point isn't enabled for prestaged content.
c. On the Home tab of the ribbon, in the Properties group, select Properties.
d. On the General tab, verify that the option to Enable this distribution point for
prestaged content isn't selected.
4. On the site server, extract the content from the prestaged content file.
Note
When the distribution point is on a secondary site, wait for at least 10
minutes. Then in the Configuration Manager console, assign the content to
the distribution point on the secondary site.
Update content
Update content on schedule
Redistribute content
Remove content
Validate content
Update content
When you update the source file location for a deployment by adding new files or
replacing existing files with a newer version, update the content files on distribution
points. Use the Update Distribution Points or Update Content actions.
The site copies the content files from the original package source location to the
content library on the site that owns the package content source.
It increments the package version.
Each instance of the content library on site servers and on distribution points
updates with only the changed files.
Warning
The package version for applications is always 1. When you update the content for
an application deployment type, Configuration Manager creates a new content ID
for the deployment type, and the package references the new content ID.
3. For most object types: On the Home tab of the ribbon, in the Deployment group,
select Update Distribution Points. Then select OK to confirm that you want to
update the content.
To update content for applications: Select the Deployment Types tab in the details
pane. Choose the deployment type. On the Deployment Type tab of the ribbon,
select Update Content. Then select OK to confirm that you want to refresh the
content.
When you update content for boot images: The Update Distribution Points action
opens the Manage Distribution Point Wizard. For more information, see Update
distribution points with the boot image.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Data source tab. Select the option to Update distribution points on
a schedule.
5. Select Schedule and specify a custom schedule. You can also set a recurrence
pattern.
If the source content hasn't changed, then this action doesn't do anything. To
redistribute all content, use the distribute or redistribute actions.
Redistribute content
You can redistribute a package to copy all of the content files in the package to
distribution points or distribution point groups. This action overwrites the existing files.
Use this operation to repair content files in the package or resend the content when the
initial distribution fails. You can redistribute a package from:
Package properties
Distribution point properties
Distribution point group properties
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Content Locations tab. Select the distribution point or distribution
point group to which you want to redistribute the content, and select Redistribute.
2. In the Administration workspace, select the Distribution Points node. Then select
the distribution point to which you want to redistribute content.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Content tab. Select the content to redistribute, and select
Redistribute.
2. In the Administration workspace, select the Distribution Point Groups node. Then
select the distribution point group to which you want to redistribute content.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Content tab. Select the content to redistribute, and select
Redistribute.
Important
The site redistributes the content in the package to all of the distribution
points in the group.
You can use the RetryContentReplication WMI method from the Configuration
Manager SDK to force distribution manager to copy content from the source location to
the content library.
Only use this method to force replication when you need to redistribute content after
there were issues with normal replication of content. You can typically confirm this state
in the Monitoring node of the console.
For more information about this SDK option, see RetryContentReplication method in
class SMS_CM_UpdatePackages.
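A wrapper around the SDK method described above, as an added example that is not from the Configuration Manager documentation or SDK samples. It assumes the SMS Provider namespace follows the usual root\SMS\site_<SiteCode> pattern, that RetryContentReplication is invoked as a class (static) method, and that it takes a single PackageID string argument (assumed argument name; confirm against the SDK reference for your version).

```powershell
# Added example (not from the Configuration Manager documentation or SDK samples).
# Calls RetryContentReplication on SMS_CM_UpdatePackages through the SMS Provider to
# make distribution manager recopy a package's source files into the content library.
# Only call it for a package the Monitoring node already shows as failed or stuck.
# Assumptions: the provider namespace is root\SMS\site_<SiteCode>; the method is
# invoked as a class (static) method; and it takes a single PackageID string
# argument (assumed argument name, confirm against the SDK page for your version).

function Invoke-CMRetryContentReplication {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SiteCode,        # e.g. 'PS1' (placeholder)
        [Parameter(Mandatory)] [string] $ProviderServer,  # SMS Provider host FQDN (placeholder)
        # Package IDs are the 3-character site code plus 5 hex digits; the pattern also
        # keeps anything else out of the WQL filter below.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9]{3}[0-9A-Fa-f]{5}$')]
        [string] $PackageID
    )

    $ns      = "root\SMS\site_$SiteCode"
    $session = New-CimSession -ComputerName $ProviderServer
    try {
        # SMS_PackageBaseclass covers every package type (packages, driver packages,
        # boot images, application content), so use it to confirm the ID is real.
        $pkg = Get-CimInstance -CimSession $session -Namespace $ns `
            -ClassName SMS_PackageBaseclass -Filter "PackageID='$PackageID'"
        if (-not $pkg) { throw "No package with ID $PackageID exists in $ns." }

        if ($PSCmdlet.ShouldProcess("$PackageID ($($pkg.Name))", 'RetryContentReplication')) {
            $result = Invoke-CimMethod -CimSession $session -Namespace $ns `
                -ClassName SMS_CM_UpdatePackages -MethodName RetryContentReplication `
                -Arguments @{ PackageID = $PackageID }        # assumed argument name
            [pscustomobject]@{
                PackageID   = $PackageID
                Name        = $pkg.Name
                ReturnValue = $result.ReturnValue             # 0 is the conventional WMI success value
            }
        }
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

# Dry run first (-WhatIf), then the real call once Monitoring confirms a failed replication:
# Invoke-CMRetryContentReplication -SiteCode PS1 -ProviderServer cm01.contoso.example -PackageID PS100005 -WhatIf
```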
There are multiple scenarios where the content of one distribution point needs to be
migrated to another distribution point.
1. Cloud distribution points (CDP) hosted on Azure classic services are being
deprecated by mid-2024. You need to migrate CDP content to another distribution
point.
2. Cloud management gateway v1 (CMGv1) hosted on the *.cloudapp.net domain is also
being deprecated, so you may need to migrate CMGv1 content to another distribution
point.
3. You may need to migrate local distribution point content to another local
distribution point or a CMG.
Prerequisites
1. The user's security role permission should have "Copy to Distribution Point"
enabled under Distribution Point.
2. If you want to deprecate the source distribution point, make sure that the source,
and destination distribution points have the same boundary group.
3. The destination distribution point should be installed already and able to receive
the content.
Note
You can't currently configure this behavior from the Configuration Manager
console.
For more information on configuring this behavior with PowerShell, see the cmdlet
details in the following section.
Distribution failure status isn't shown in the admin console when the source
distribution point is locked during migration and new content is sent to it.
The Get and Stop DP migration cmdlets work only on the site server where the DP
migration was initiated.
Start-CMDistributionPointMigration
Use this cmdlet to initiate distribution point content migration. Pass the parameters
that fit your migration scenario, such as SourceDistributionPointName and
DestinationDistributionPointName. You can also pass the LockSourceDistributionPoint
parameter to lock the source distribution point. Use it in scenarios where you're
deprecating the source distribution point (for example, CDP migration).
If the source DP is locked during migration, you can't distribute new content to the
source DP, but endpoints can still download the content that's already available on it.
For deprecation scenarios, you can delete the source distribution point after the
content migration is complete.
Syntax
PowerShell
Examples
PowerShell
Parameters
SourceDistributionPointName: Use this parameter to specify the source
distribution point from which content is migrated.
Get-CMDistributionPointMigrationStatus
Use this cmdlet to monitor the distribution point migration status.
Syntax
PowerShell
Get-CMDistributionPointMigrationContentStatus
Use this cmdlet to monitor the distribution point content migration status.
Syntax
PowerShell
Get-CMDistributionPointMigrationContentStatus -SourceDistributionPointName
<FQDN for source distribution point> -DestinationDistributionPointName <FQDN
for destination distribution point>
Stop-CMDistributionPointMigration
Use this cmdlet to stop the distribution point migration. In case you have mistakenly
locked the source distribution point, you can use this cmdlet to unlock the source
distribution point. Unlocking the source distribution point will stop the distribution point
migration. To restart the migration, use the Start-CMDistributionPointMigration cmdlet.
Syntax
PowerShell
Examples
PowerShell
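The retire-a-distribution-point workflow that the four cmdlets above describe (start with the source locked, poll overall and per-content status, stop only if you give up), as an added example that is not from the documentation or the product. It assumes the ConfigurationManager module is loaded on the site server that initiates the migration, that Get-CMDistributionPointMigrationStatus accepts the same two name parameters as the content-status cmdlet, that Stop-CMDistributionPointMigration takes -SourceDistributionPointName, and that the content-status objects expose a text Status property; the FQDNs are constructed.

```powershell
# Added example (not from the Configuration Manager documentation or product code).
# Retires a distribution point by migrating its content to a replacement DP, locking
# the source so no new content is sent to it meanwhile, then polling until nothing
# is still in progress. Assumptions: the ConfigurationManager module is loaded and
# the current location is the site drive; the script runs on the site server that
# starts the migration (the Get and Stop cmdlets only work there);
# Get-CMDistributionPointMigrationStatus accepts the same two name parameters as the
# content-status cmdlet; and content-status objects carry a text 'Status' property
# (assumed name, check with Format-List *).

$source      = 'cdp01.contoso.example'   # constructed source FQDN (a CDP being retired)
$destination = 'dp02.contoso.example'    # constructed destination FQDN

# Prerequisites from the article: the destination must already be installed, and a
# source that's being retired must share a boundary group with the destination.
foreach ($dp in $source, $destination) {
    if (-not (Get-CMDistributionPoint -SiteSystemServerName $dp)) {
        throw "Distribution point '$dp' isn't installed in this site."
    }
}

# Lock the source for the duration: new distributions to it stop, but clients can
# still download the content it already holds.
Start-CMDistributionPointMigration -SourceDistributionPointName $source `
    -DestinationDistributionPointName $destination -LockSourceDistributionPoint

$deadline = (Get-Date).AddHours(8)
do {
    Start-Sleep -Seconds 300

    $overall = Get-CMDistributionPointMigrationStatus -SourceDistributionPointName $source `
        -DestinationDistributionPointName $destination                    # assumed parameters
    $items   = Get-CMDistributionPointMigrationContentStatus -SourceDistributionPointName $source `
        -DestinationDistributionPointName $destination

    Write-Host ("{0:u}  overall: {1}" -f (Get-Date), ($overall | Out-String).Trim())
    # 'Status' is an assumed property name; adjust after inspecting $items | Format-List *
    $pending = @($items | Where-Object { $_.Status -match 'progress|pending|queued' })
    Write-Host ("  {0} content item(s) still pending" -f $pending.Count)
} while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)

if ($pending.Count -gt 0) {
    Write-Warning "Migration not finished by the deadline; $source stays locked until you stop it."
    # To abandon the migration and unlock the source instead (this also stops the migration):
    # Stop-CMDistributionPointMigration -SourceDistributionPointName $source   # assumed parameter
}
else {
    Write-Host "All content migrated. $source can now be removed from the site."
}
```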
Remove content
When you no longer require content on your distribution points, you can remove it.
When the content is associated with another package that was distributed to the same
distribution point, you can't remove the content.
2. Select the content type whose content you want to remove.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Content Locations tab. Select the distribution point or distribution
point group from which you want to remove the content, select Remove, and then
select OK.
2. In the Administration workspace, select the Distribution Points node, and then
select the distribution point from which you want to delete the content.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Content tab. Choose the content to remove, select Remove, and
then select OK.
2. In the Administration workspace, select the Distribution Point Groups node. Then
select the distribution point group from which you want to remove content.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Content tab. Choose the content to remove, select Remove, and
then select OK.
Validate content
The content validation process verifies the integrity of content files on distribution
points. You enable content validation on a schedule, or you can manually start content
validation from the properties of distribution points and packages.
When the content validation process starts, Configuration Manager verifies the content
files on distribution points. If the file hash is unexpected for the files on the distribution
point, Configuration Manager creates a status message that you can review in the
Monitoring workspace.
For more information about configuring the content validation schedule, see
Distribution point configurations.
Process to validate all content on a distribution point
1. In the Configuration Manager console, select the Administration workspace.
2. Select the Distribution Points node, and then select the distribution point from
which you want to validate content.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Content tab. Select the package that you want to validate. Select
Validate, and then select OK. The content validation process starts for the package
on the distribution point.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Content Locations tab. Select the distribution point or distribution
point group on which to validate the content. Select Validate, and then select OK.
The content validation process starts for the content on the selected distribution
point or distribution point group.
The status for all package types for the associated distribution points.
The content validation status for the content in a package.
The status of content assigned to a specific distribution point group.
The state of content assigned to a distribution point.
The status of optional features for each distribution point (content validation, PXE,
and multicast).
Configuration Manager only monitors the content on a distribution point that's in the
content library. It doesn't monitor content stored on the distribution point in package or
custom shares.
Tip
The Power BI sample reports for Configuration Manager include a report called
Content Status. This report can also help with monitoring content.
You also find detailed status information for any package, including:
Distribution status
The number of failures
Pending distributions
The number of installations
You can also manage distributions that remain in progress to a distribution point, or that
failed to successfully distribute content to a distribution point:
The option to either cancel or redistribute content is available when you view the
deployment status message of a distribution job to a distribution point in the
Asset Details pane. This pane can be found in either the In Progress tab or the
Error tab of the Content Status node.
Additionally, the job details display the percentage of the job that has completed
when you view the details of a job on the In Progress tab. The job details also
display the number of retries that remain for a job. When you view the details of a
job on the Error tab, it shows how long before the next retry occurs.
When you cancel a deployment that's not yet complete, the distribution job to transfer
that content stops:
The status of the deployment then updates to indicate that the distribution failed,
and that it was canceled by a user action.
This new status appears in the Error tab.
Note
When a deployment is near completion, it's possible the action to cancel that
distribution won't process before the distribution to the distribution point
completes. When this occurs, the action to cancel the deployment is ignored, and
the status for the deployment displays as successful.
Although you can select the option to cancel a distribution to a distribution point
that is located on a site server, this has no effect. This behavior is because the site
server and the distribution point on a site server share the same single instance
content store. There's no actual distribution job to cancel.
When you redistribute content that previously failed to transfer to a distribution point,
Configuration Manager immediately begins redeploying that content to the distribution
point. Configuration Manager updates the status of the deployment to reflect the
ongoing state of that redeployment.
3. On the Home tab of the ribbon, in the Content group, select View Status. The
console displays detailed status information for the package.
Tip
2. In the Asset Details pane, right-click the entry for the distribution that you want to
cancel, and select Cancel.
3. Select Yes to confirm the action and cancel the distribution job to that distribution
point.
2. In the Asset Details pane, right-click the entry for the distribution that you want to
redistribute, and select Redistribute.
3. Select Yes to confirm the action and start the redistribution process to that
distribution point.
2. Select the distribution point group for which you want detailed status information.
3. On the Home tab of the ribbon, select View Status. It displays detailed status
information for the distribution point group.
Warning
3. In the results pane, switch to the Details tab. It displays status information for the
distribution point.
The client data sources dashboard includes a selection of filters to view information
about where clients get content:
Note
Configuration Manager doesn't enable this optional feature by default. Before you
can use it, enable the Client Peer Cache feature. For more information, see Enable
optional features from updates.
3. Then select the single boundary group for which you want to view information.
Note
If there's no data available for the selected client group, the chart displays:
"This data is not yet available."
You can hover your mouse over tiles to see more details about the different content or
policy sources.
Also use the report, Client Data Sources - Summarization, to view a summary of the
client data sources for each boundary group.
Dashboard tiles
The dashboard includes the following tiles:
This tile summarizes the types of sources in your environment and how many clients use
them.
This summary tile replaces the following four tiles in prior versions:
Distribution points
Clients that used a distribution point
Peer cache sources
Clients that used a peer
Distribution point
Cloud distribution point, which includes content-enabled cloud management
gateways
BranchCache
Peer Cache
Delivery Optimization Note 1
Microsoft Update: Devices report this source when the Configuration Manager
client downloads software updates from Microsoft cloud services. These services
include Microsoft Update and Microsoft 365 Apps for enterprise.
Note
For more information, see Manage Express installation files for Windows updates.
This information helps you understand how often clients download content from an
alternate source.
Next steps
Visualize content distribution status
Visualize content distribution status
Article • 10/04/2022
Starting in version 2203, you can monitor content distribution path and status in a
graphical format. The graph shows distribution point type, distribution state, and
associated status messages. This visualization allows you to more easily understand the
status of your content package distribution. It helps you answer questions like:
The solid blue line from the site server to each distribution point indicates that the
rate limit is Unlimited. For more information, see Rate limits.
The green check mark on DP01 and DP02 indicates that the content was
successfully distributed to these site systems.
The red X on DP03 and both cloud distribution points indicates that there's an
error in distributing the content to these site systems.
3. Select a distributed content item. For example, the Configuration Manager client
package.
4. In the ribbon, select View Content Distribution. This action displays the
distribution graph for the selected content.
Hover over the status icon to quickly view more information. Select the path
or the status icon to view status messages for the content.
Hover over the title of the site system to quickly view more information.
Select it to drill through to the Distribution Points node.
Navigation tips
Use the following tips to navigate the relationship viewer:
Select the plus ( + ) or minus ( - ) icons next to the server name to expand or
collapse members of a node.
The style and color of the line between the servers determines the type of
distribution. If you hover over a specific line, a tooltip shows the type.
The maximum number of child nodes displayed depends upon the level of the
graph:
First level: five nodes
Second level: three nodes
Third level: two nodes
Fourth level: one node
If there are more objects than the graph can display at that level, you'll see the
More icon.
When the size of the tree is larger than the window, use the green arrows to view
more.
When a node of the tree is larger than the available space, select More to change
the view to just that node.
To navigate to a prior view, select the Back arrow. Select the Home icon to return
to the main page.
Use the Search box to locate a server in the current tree view.
Use the Navigator to zoom and pan around the tree. You can also print the current
view.
Tip
Hold the Ctrl key and scroll the mouse wheel to zoom the graph.
For more information on how to navigate the graph with a keyboard, see Accessibility
features for the collection relationship diagram.
Next steps
Deploy and manage content for Configuration Manager
Microsoft Connected Cache in Configuration Manager
Article • 10/04/2022
You can install a Microsoft Connected Cache server on your distribution points. By
caching this content on-premises, your clients can benefit from the Delivery
Optimization feature that can help to protect WAN links.
This cache server acts as an on-demand transparent cache for content downloaded by
Delivery Optimization. Use client settings to make sure this server is offered only to the
members of the local Configuration Manager boundary group.
This cache is separate from Configuration Manager's distribution point content. If you
choose the same drive as the distribution point role, it stores content separately.
Note
Supported scenarios
Connected Cache supports the following three primary scenarios:
Co-managed clients that get Win32 apps from Microsoft Intune. For more
information, see Support for Intune Win32 apps.
If you enable Windows Update for Business policies: Windows feature and quality
updates
Note
How it works
When you configure clients to use the Connected Cache server, they no longer request
Microsoft cloud-managed content from the internet. Clients request this content from
the cache server installed on the distribution point. The on-premises server caches this
content using the IIS feature for Application Request Routing (ARR). Then the cache
server can quickly respond to any future requests for the same content. If the Connected
Cache server is unavailable, clients download the content from the internet. Clients also
use Delivery Optimization to download portions of the content from peers in their
network.
1. Client checks for updates and gets the address for the content delivery network
(CDN).
4. If the cache doesn't include the content, then the Connected Cache server gets it
from the CDN.
5. If the cache server fails to respond, the client downloads the content from the
CDN.
6. Clients will also use DO to get pieces of the content from peers, such as client B
and client C.
Note
Additional prerequisites apply to the scenario for co-managed clients and Intune
Win32 apps. For more information, see Support for Intune Win32 apps.
Supported clients
Connected Cache and Delivery Optimization only support clients running a supported
version of Windows 10 or later.
Licensing
You need one of the following license subscriptions for each device that gets content
from a Connected Cache-enabled distribution point:
Distribution point
Connected Cache in Configuration Manager requires an on-premises distribution point,
with the following configurations:
Microsoft .NET Framework version 4.7.2 or later. For more information, see .NET
Framework system requirements.
Don't preinstall the IIS Application Request Routing (ARR) feature. Connected
Cache installs ARR and configures its settings. Microsoft can't guarantee that the
Connected Cache's ARR configuration won't conflict with other applications on the
server that also use this feature.
The Connected Cache application can use an unauthenticated proxy server for
internet access. For more information, see Configure the proxy for a site system
server.
Don't use a distribution point that has other site roles, for example, a management
point. Enable Connected Cache on a site system server that only has the
distribution point role.
Network access requirements
The distribution point requires internet access to the Microsoft cloud. The specific
URLs can vary depending upon the specific cloud-enabled content. Make sure to
also allow the endpoints for delivery optimization. For more information, see
Internet access requirements.
For co-managed clients and Intune Win32 apps, allow the distribution point to
access the endpoints for that scenario. For more information, see Network
requirements for PowerShell scripts and Win32 apps.
Clients technically only need access to the distribution point with the Connected
Cache, although it's best to also give clients access to the internet endpoints for
the content, in case they need to fall back to the original source.
2. Select an on-premises distribution point, and then in the ribbon select Properties.
3. In the properties of the distribution point role, on the General tab, configure the
following settings:
Review the list of required license subscriptions, and then confirm your licenses.
b. Local drive to be used: Select the disk to use for the cache. Automatic is the
default value, which uses the disk with the most free space.
Note
You can change this drive later. Any cached content is lost, unless you copy
it to the new drive.
Note
The default cache size should be sufficient for most customers. You can
adjust the cache size later.
If the cache size on disk exceeds the allocated space, ARR clears space by
removing content based on its built-in heuristics.
d. Retain cache when disabling the Connected Cache server: If you enable this option
and later remove the cache server, the server keeps the cache's content on the disk.
If you select a specific drive that already has the NO_SMS_ON_DRIVE.SMS file,
Configuration Manager ignores the file. Configuring Connected Cache to use that drive
is an explicit intent. For example, the distribution point has the file
F:\NO_SMS_ON_DRIVE.SMS . When you explicitly configure the distribution point properties
to use the F: drive, Configuration Manager configures Connected Cache to use the F:
drive for its cache.
To keep Connected Cache off a specific drive, use one of the following approaches:
Manually configure the distribution point properties to use a different, specific drive letter.
If the setting is Automatic, first create the NO_SMS_ON_DRIVE.SMS file on the drive to
exclude. Then make some change to the distribution point properties to trigger a
configuration change.
Automation
You can use the Configuration Manager SDK to automate the configuration of Microsoft
Connected Cache settings on a distribution point. As is the case for all site roles, use the
SMS_SCI_SysResUse WMI class. For more information, see Programming the site roles.
When you update the SMS_SCI_SysResUse instance for the distribution point, set the
following properties:
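The following Windows PowerShell functions show the general SMS_SCI_SysResUse pattern as an added example: read the embedded property list (Props) of a distribution point role, change one property, and commit the change with Put(). This is not code from the page or from the Configuration Manager SDK samples. The site code, site server, distribution point name, and the Connected Cache property names used in the usage lines are assumptions; the page elides the exact property list, so take the names from the SDK reference before running this against a production site.

```powershell
# Added example: generic SMS_SCI_SysResUse property editing for a distribution point role.
# Assumptions: site code 'PS1', the SMS Provider is on the local site server, and the
# distribution point is dp01.contoso.com. Property names in the usage lines are placeholders.

function Get-CMDistributionPointSci {
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$DpFqdn,
        [string]$SiteServer = $env:COMPUTERNAME
    )
    # NetworkOSPath holds the UNC name of the site system; WQL needs each backslash doubled.
    $uncPath = ('\\' + $DpFqdn) -replace '\\', '\\'
    $filter  = "RoleName='SMS Distribution Point' AND NetworkOSPath='$uncPath'"
    $dp = Get-WmiObject -ComputerName $SiteServer -Namespace "root\SMS\site_$SiteCode" `
        -Class SMS_SCI_SysResUse -Filter $filter
    if (-not $dp) { throw "No distribution point role found for $DpFqdn in site $SiteCode." }
    $dp.Get()   # Props is a lazy property; Get() populates it on the returned instance
    return $dp
}

function Set-CMSciProperty {
    param(
        [Parameter(Mandatory)]$SciObject,
        [Parameter(Mandatory)][string]$PropertyName,
        [int]$Value = 0,
        [string]$Value1 = '',
        [string]$Value2 = ''
    )
    $props    = @($SciObject.Props)
    $existing = $props | Where-Object { $_.PropertyName -eq $PropertyName }
    if ($existing) {
        # Existing embedded property: edit it in place.
        $existing.Value  = $Value
        $existing.Value1 = $Value1
        $existing.Value2 = $Value2
    } else {
        # New embedded property: create an SMS_EmbeddedProperty instance in the same namespace.
        $cls = [wmiclass]("\\$($SciObject.__SERVER)\$($SciObject.__NAMESPACE):SMS_EmbeddedProperty")
        $new = $cls.CreateInstance()
        $new.PropertyName = $PropertyName
        $new.Value  = $Value
        $new.Value1 = $Value1
        $new.Value2 = $Value2
        $props += $new
    }
    $SciObject.Props = $props
    [void]$SciObject.Put()   # commits the change; the site then reconfigures the role
}

# Usage (assumed values). The 'DOINC' prefix is a guess based on the server's internal
# name (DoincServer) and 'DOINCEnabled' is a placeholder, not a verified SDK identifier.
$dp = Get-CMDistributionPointSci -SiteCode 'PS1' -DpFqdn 'dp01.contoso.com'
$dp.Props | Where-Object { $_.PropertyName -like 'DOINC*' } |
    Select-Object PropertyName, Value, Value1, Value2 | Format-Table -AutoSize
Set-CMSciProperty -SciObject $dp -PropertyName 'DOINCEnabled' -Value 1
```

Run this with an account that has Full Administrator rights to the site. Listing the existing properties first is the safe way to learn the real names and value shapes on your own site before writing anything; a Put() with a mistyped property name silently adds a new, ignored property rather than failing.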
Verify
On supported versions of Windows 10 or later, verify this behavior with the Get-
DeliveryOptimizationStatus Windows PowerShell cmdlet. In the cmdlet output, review
the BytesFromCacheServer value. For more information, see Monitor Delivery
Optimization.
If the cache server returns any HTTP failure, the Delivery Optimization client falls back to
the original cloud source.
All other content that Intune-managed devices download from Microsoft with
Delivery Optimization can also be cached on Microsoft Connected Cache. This
content includes software updates for Windows, Microsoft 365 apps, and Microsoft
Edge.
Prerequisites
Client
Site
Enable Connected Cache on a distribution point.
The client and the Connected Cache-enabled distribution point need to be in the
same boundary group. If a client isn't in a boundary group with a Connected
Cache-enabled distribution point, it won't download content from a Connected
Cache-enabled distribution point in a neighbor or site default boundary group.
Enable Allow peer downloads in this boundary group option for the Boundary
Group that contains the client and the distribution point. For more information,
see Boundary Group options.
If in pilot, add the client to the pilot collection for Client Apps.
Intune
This feature only supports the Intune Win32 app type.
Create and assign (deploy) a new app in Intune for this purpose. (Apps created
before Intune version 1811 don't work.) For more information, see Win32 app
management in Microsoft Intune.
To configure the device to use the Microsoft Connected Cache, configure the
DOCacheHost policy. Set it to the FQDN or IP address of the Configuration Manager
distribution point. For more information on this policy, see Policy CSP -
DeliveryOptimization. To use Intune to configure this policy, use the Cache server host
names setting. For more information, see Delivery Optimization settings for Windows
devices in Intune.
When you enable this policy for cloud-managed devices, either type of device (a
Configuration Manager client or an Intune-managed device) can request that the server
cache content, and either can download it. If multiple devices request the same
content, regardless of their management authority, they download supported and
available content from the Microsoft Connected Cache.
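As an added example, not part of the page, the following Windows PowerShell functions set the DOCacheHost policy directly on one pilot device and then confirm that the configured host resolves and answers on TCP 80, the port Connected Cache uses (setup refuses to run if the Default Web Site isn't on port 80). The distribution point name and the registry policy path are assumptions; on production Intune-managed devices, configure the Cache server host names setting in Intune rather than writing the policy key.

```powershell
# Added example: pilot-test DOCacheHost on one device and check reachability of the DP.
# Assumptions: the DP is dp01.contoso.com; the registry path is the machine-policy location
# that the Delivery Optimization policy CSP and Group Policy write. Lab validation only.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Set-DOCacheHostPolicy {
    param([Parameter(Mandatory)][string]$CacheHost)
    # The policy accepts an FQDN or an IP address; reject anything else before writing it.
    $ip    = $null
    $isIp  = [System.Net.IPAddress]::TryParse($CacheHost, [ref]$ip)
    $isFqdn = $CacheHost -match '^(?=.{1,253}$)([a-zA-Z0-9](-?[a-zA-Z0-9])*\.)+[a-zA-Z]{2,63}$'
    if (-not ($isIp -or $isFqdn)) { throw "'$CacheHost' is neither an FQDN nor an IP address." }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'DOCacheHost' -Value $CacheHost -Type String
    # The Delivery Optimization service reads policy at start; restart it to apply now.
    Restart-Service -Name DoSvc -ErrorAction SilentlyContinue
}

function Test-DOCacheHostReachable {
    param(
        [string]$CacheHost = (Get-ItemProperty -Path $PolicyKey -Name DOCacheHost -ErrorAction Stop).DOCacheHost
    )
    # Clients only need the DP itself; the DP needs the internet. Check the client-side hop.
    $tcp = Test-NetConnection -ComputerName $CacheHost -Port 80 -WarningAction SilentlyContinue
    [pscustomobject]@{
        CacheHost     = $CacheHost
        ResolvedIP    = $tcp.RemoteAddress
        Port80Open    = $tcp.TcpTestSucceeded
        PolicyApplied = (Get-ItemProperty -Path $PolicyKey -Name DOCacheHost -ErrorAction SilentlyContinue).DOCacheHost -eq $CacheHost
    }
}

Set-DOCacheHostPolicy -CacheHost 'dp01.contoso.com'
Test-DOCacheHostReachable
```

If Port80Open is false, the Delivery Optimization client will still complete downloads, but from the cloud source; the BytesFromCacheServer counter described in the Verify section stays at zero, so check this before concluding that the cache server itself is broken.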
Next steps
Optimize Windows updates with Delivery Optimization
Troubleshoot Microsoft Connected Cache in Configuration Manager
Troubleshoot Microsoft Connected
Cache in Configuration Manager
Article • 10/04/2022
This article provides technical details about Microsoft Connected Cache in Configuration
Manager. Use it to help troubleshoot issues that you might have in your environment.
For more information on how it works and how to use it, see Microsoft Connected
Cache in Configuration Manager.
Verify
When you correctly install the Delivery Optimization cache server, and correctly
configure clients, they download from the cache server installed on your distribution
point rather than the internet.
Verify on a client
1. On a client running a supported version of Windows 10 or later, download cloud-
managed content. For more information on the types of content that Connected
Cache supports, see Supported content types.
For example:
PowerShell
PS C:\> Get-DeliveryOptimizationStatus

FileId                 : ec523d49c4f7c3c4444f0d9b952286ce40fdcee4
FileSize               : 549064
TotalBytesDownloaded   : 549064
PercentPeerCaching     : 0
BytesFromPeers         : 0
BytesFromHttp          : 0
Status                 : Caching
Priority               : Background
BytesFromCacheServer   : 549064
BytesFromLanPeers      : 0
BytesFromGroupPeers    : 0
BytesFromInternetPeers : 0
BytesToLanPeers        : 0
BytesToGroupPeers      : 0
BytesToInternetPeers   : 0
DownloadDuration       : 00:00:00.0780000
HttpConnectionCount    : 2
LanConnectionCount     : 0
GroupConnectionCount   : 0
InternetConnectionCount : 0
DownloadMode           : 99
SourceURL              : http://au.download.windowsupdate.com/c/msdownload/update/software/defu/2019/09/am_delta_patch_1.301.664.0_ec523d49c4f7c3c4444f0d9b952286ce40fdcee4.exe
NumPeers               : 0
IsPinned               : False
If the client isn't configured correctly, or the cache server isn't installed correctly, the
Delivery Optimization client falls back to the original cloud source. Then the
BytesFromCacheServer attribute will be zero.
Next, use the following method to simulate a client download request to the server with
the mandatory headers.
2. Run the following command, and replace the name or IP address of your server for
<DoincServer> :
PowerShell
StatusCode        : 200
StatusDescription : OK
Content           : {71, 73, 70, 56...}
RawContent        : HTTP/1.1 200 OK
                    X-HW: 1567797125.dop019.se2.t,1567797125.cds058.se2.s,1567797125.dop114.at2.r,1567797125.cds079.at2.p,1567797125.cds058.se2.p
                    X-CCC: cdP+dRBgUCoZO1mezA9zhg2VwQ7P1JWTh9k+GhfQmu8=_SLwv...
Headers           : {[X-HW, 1567797125.dop019.se2.t,1567797125.cds058.se2.s,1567797125.dop114.at2.r,1567797125.cds079.at2.p,1567797125.cds058.se2.p], [X-CCC, cdP+dRBgUCoZO1mezA9zhg2VwQ7P1JWTh9k+GhfQmu8=_SLwvtSBQdT3uPQ5ikBe1ABMbdYIIncem+h5dtcLI6GY=],
RawContentLength  : 969710
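The two checks above, the client-side counter and the simulated download request, as one added PowerShell script that is not part of the page. The server probe sends a request with the Host header set to a supported CDN origin, because the Host header is the mandatory part: the ARR rules on the cache server match HTTP_HOST against the farm list, so a request without a supported origin host is neither cached nor forwarded. The distribution point name, the probe path, and the origin host used as defaults are assumptions, not identifiers taken from the page; X-CCC and X-HW are the response headers shown in the output above.

```powershell
# Added example: server-side probe of a Connected Cache DP plus a per-file client report.
# Assumptions: DP is dp01.contoso.com; '/mscomtest/wuidt.gif' on origin
# b1.download.windowsupdate.com (one of the hosts the ARR farm rules forward) is the
# test object. Run the probe from any machine that can reach the DP on port 80.

function Test-ConnectedCacheServer {
    param(
        [Parameter(Mandatory)][string]$DoincServer,
        [string]$OriginHost = 'b1.download.windowsupdate.com',
        [string]$Path = '/mscomtest/wuidt.gif'
    )
    $uri = "http://$DoincServer$Path"
    try {
        # The Host header is what the cache server's rewrite rules key on.
        $r = Invoke-WebRequest -Uri $uri -Headers @{ Host = $OriginHost } -UseBasicParsing -TimeoutSec 30
    } catch {
        return [pscustomobject]@{ Server = $DoincServer; StatusCode = $null; ServedByCache = $false; Error = $_.Exception.Message }
    }
    [pscustomobject]@{
        Server        = $DoincServer
        StatusCode    = $r.StatusCode
        # X-CCC is added by the cache server's outbound rule; X-HW is echoed from the CDN.
        ServedByCache = [bool]$r.Headers['X-CCC']
        OriginHeader  = $r.Headers['X-HW']
        Bytes         = $r.RawContentLength
        Error         = $null
    }
}

function Get-DOCacheServerReport {
    # One row per Delivery Optimization job. A row with FromCacheServer = 0 and FromHttp > 0
    # is a job that fell back to the original cloud source.
    Get-DeliveryOptimizationStatus | ForEach-Object {
        $total = [double]$_.TotalBytesDownloaded
        [pscustomobject]@{
            FileId          = $_.FileId
            TotalBytes      = $_.TotalBytesDownloaded
            FromCacheServer = $_.BytesFromCacheServer
            FromHttp        = $_.BytesFromHttp
            CachePercent    = if ($total -gt 0) { [math]::Round(100 * $_.BytesFromCacheServer / $total, 1) } else { 0 }
            FellBack        = ($_.BytesFromCacheServer -eq 0 -and $_.BytesFromHttp -gt 0)
            SourceHost      = ($_.SourceURL -split '/')[2]   # host part of the source URL
        }
    }
}

Test-ConnectedCacheServer -DoincServer 'dp01.contoso.com' | Format-List
Get-DOCacheServerReport | Sort-Object FellBack -Descending | Format-Table -AutoSize
```

A 200 with ServedByCache false means the DP answered but the request never hit the Connected Cache farm rules (wrong Host header, or ARR not installed by the Connected Cache setup); a connection error means the port 80 path itself is blocked. On the client, SourceHost tells you which origin a fallback went to, which is the host to compare against the rewrite rule list in the IIS configurations section.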
Log files
Application Request Routing (ARR) setup log: %temp%\arr_setup.log
Tip
Among other uses, this log can help you identify connectivity issues with the
Microsoft cloud.
Error code  Error description
0x00000000  Success
0x00D00001  Connected Cache setup can only be run if Internet Information Services (IIS) has been installed
0x00D00002  Connected Cache setup can only be run if a 'Default Web Site' exists on the server
0x00D00003  You can't install Connected Cache if Application Request Routing (ARR) is already installed
0x00D00004  Connected Cache setup can only be run if Application Request Routing (ARR) was installed by the Install.ps1 script
0x00D00006  Connected Cache setup can only be run from a 64-bit PowerShell environment
0x00D00008  Failure: The number of cache drives specified must match the number of cache drive size percentages specified
0x00D0000B  Failure: A valid cache drive size percent set must be supplied
0x00D0000C  Failure: A valid cache drive size percent set or cache drive size in GB must be supplied
0x00D0000D  Failure: A valid cache drive size percent set and cache drive size in GB cannot both be supplied
0x00D0000E  Failure: The number of cache drives specified must match the number of cache drives size in GB specified
0x00D00010  Failure: Couldn't back up the Default Web Site web.config file from $WebsiteConfigFilePath to $WebConfigDestinationName
0x00D0001E  You can't install Connected Cache if the Default Web Site isn't on port 80
0x00D0001F  Failure: The cache drive allocation in percentage can't exceed 100
0x00D00020  Failure: The cache drive allocation in GB can't exceed the drive's free space
0x00D00021  Failure: The cache drive allocation in percentage must be greater than 0
0x00D00025  Failure: An exception occurred setting up the rewrite rules for HTTPS farm: $FarmName
0x00D00026  Failure: An exception occurred setting up the rewrite rules for HTTP farm: $FarmName
0x00D00027  You can't install Connected Cache because dependent software "Application Request Routing (ARR)" failed to install. See the log file located at %temp%\arr_setup.log
IIS configurations
The Connected Cache server installation makes several modifications to the IIS
configuration on the distribution point.
Allowed server variables
The installation adds the following server variables to the IIS URL Rewrite allowed list:
HTTP_HOST
QUERY_STRING
X-CCC
X-CID
X-DOINC-OUTBOUND
Rewrite rules
The Connected Cache server adds the following rewrite rules:
5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_swdc01.manage.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_swdc02.manage.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_dl.delivery.mp.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_officecdn.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_b1.download.windowsupdate.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_download.windowsupdate.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_officecdn.microsoft.com.edgesuite.net_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_au.b1.download.windowsupdate.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_assets1.xboxlive.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_au.download.windowsupdate.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_emdl.ws.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_tlu.dl.delivery.mp.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_assets2.xboxlive.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_Outbound_SetHeader_X_CID_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_Outbound_SetHeader_X_CCC_E77D08D0-5FEA-4315-8C95-10D359D59294
A feature update
Two to three months of quality and Microsoft 365 Apps updates
Microsoft Intune apps and Windows inbox apps
The Connected Cache server shouldn't consume much system memory or processor
time. After you install the Connected Cache server, if you notice significant process or
memory resource consumption, analyze the IIS and ARR log files.
If the IIS and ARR log files take up too much space on the server, there are several
methods you can use to manage the log files. For more information, see Managing IIS
log file storage.
See also
Microsoft Connected Cache in Configuration Manager
Run discovery for Configuration
Manager
Article • 10/04/2022
You use one or more discovery methods in Configuration Manager to find device and
user resources that you can manage. You can also use discovery to identify network
infrastructure in your environment. There are several different methods you can use to
discover different things, and each method has its own configurations and limitations.
Overview of discovery
Discovery is the process by which Configuration Manager learns about the things you
can manage. The following are the available discovery methods:
Heartbeat Discovery
Network Discovery
Server Discovery
Tip
You can learn about the individual discovery methods in About discovery methods
for Configuration Manager.
For assistance in selecting which methods to use, and at which sites in your
hierarchy, see Select discovery methods to use for Configuration Manager.
To use most discovery methods, you must enable the method at a site, and set it up to
search specific network or Active Directory locations. When it runs, it queries the
specified location for information about devices or users that Configuration Manager
can manage. When a discovery method successfully finds information about a resource,
it puts that information into a file called a discovery data record (DDR). That file is then
processed by a primary or central administration site. Processing of a DDR creates a new
record in the site database for newly discovered resources, or updates existing records
with new information.
Some discovery methods can generate a large volume of network traffic, and the DDRs
they produce can result in a significant use of CPU resources during processing.
Therefore, plan to use only those discovery methods that you require to meet your
goals. You might start by using only one or two discovery methods, and then later
enable additional methods in a controlled manner to extend the level of discovery in
your environment.
After discovery information is added to the site database, the information then
replicates to each site in the hierarchy, regardless of where it was discovered or
processed. Therefore, while you can set up different schedules and settings for discovery
methods at different sites, you might run a specific discovery method at only a single
site. This reduces the use of network bandwidth through duplicate discovery actions,
and reduces the processing of redundant discovery data at multiple sites.
You can use discovery data to create custom collections and queries that logically group
resources for management tasks. For example:
DDRs for previously discovered objects are processed at primary sites. Child
primary sites do not transfer DDRs to the central administration site when the DDR
contains information about a resource that is already in the database.
Secondary sites do not process DDRs, and always transfer them by file-based
replication to their parent primary site.
DDR files are identified by the .ddr extension, and have a typical size of about 1 KB.
The following topics can build a foundation that will help you use discovery methods
successfully:
Then, when you understand the methods you want to use, find guidance to set up each
method in Configure discovery methods for Configuration Manager.
About discovery methods for
Configuration Manager
Article • 10/04/2022
Active Directory forest discovery
Enabled by default: No
Unlike other Active Directory discovery methods, Active Directory forest discovery
doesn't discover resources that you can manage. Instead, this method discovers network
locations that are configured in Active Directory. It can convert those locations into
boundaries for use throughout your hierarchy.
When this method runs, it searches the local Active Directory forest, each trusted forest,
and other forests that you configure in the Active Directory Forests node of the
Configuration Manager console.
Discover Active Directory sites and subnets, and then create Configuration
Manager boundaries based on those network locations.
Identify supernets that are assigned to an Active Directory site. Convert each
supernet into an IP address range boundary.
Publish to Active Directory Domain Services (AD DS) in a forest when publishing to
that forest is enabled. The specified Active Directory forest account must have
permissions to that forest.
You can manage Active Directory forest discovery in the Configuration Manager console.
Go to the Administration workspace and expand Hierarchy Configuration.
Discovery Methods: Enable Active Directory forest discovery to run at the top-level
site of your hierarchy. You can also specify a schedule to run discovery. Configure it
to automatically create boundaries from the IP subnets and Active Directory sites
that it discovers. Active Directory forest discovery can't run at a child primary site
or at a secondary site.
Active Directory Forests: Configure the other forests to discover, specify each
Active Directory forest account, and configure publishing to each forest. Monitor
the discovery process. Add IP subnets and Active Directory sites as Configuration
Manager boundaries and members of boundary groups.
To configure publishing for Active Directory forests for each site in your hierarchy,
connect your Configuration Manager console to the top-level site of your hierarchy. The
Publishing tab in an Active Directory site's Properties dialog box can show only the
current site and its child sites. When publishing is enabled for a forest, and that forest's
schema is extended for Configuration Manager, the following information is published
for each site that is enabled to publish to that Active Directory forest:
SMS-Site-<site code>
Note
Secondary sites always use the secondary site server computer account to publish
to Active Directory. If you want secondary sites to publish to Active Directory,
ensure that the secondary site server computer account has permissions to publish
to Active Directory. A secondary site cannot publish data to an untrusted forest.
Caution
When you uncheck the option to publish a site to an Active Directory forest, all
previously published information for that site, including available site system roles,
is removed from Active Directory.
Actions for Active Directory Forest Discovery are recorded in the following logs:
Active Directory Forest Discovery publishing actions are recorded in the hman.log
and sitecomp.log files in the <InstallationPath>\Logs folder on the site server.
For more information about how to configure this discovery method, see Configure
discovery methods.
Active Directory group discovery
Enabled by default: No
Limited information about a group's member computers and users, even when
another discovery method hasn't previously discovered those computers and
users.
This discovery method is intended to identify groups and the group relationships of
members of groups. By default, only security groups are discovered. If you want to also
find the membership of distribution groups, you must check the box for the option
Discover the membership of distribution groups on the Option tab in the Active
Directory Group Discovery Properties dialog box.
Active Directory group discovery doesn't support the extended Active Directory
attributes that can be identified by using Active Directory system discovery or Active
Directory user discovery. Because this discovery method isn't optimized to discover
computer and user resources, consider running this discovery method after you have
run Active Directory system discovery and Active Directory user discovery. This
suggestion is because this method creates a full discovery data record (DDR) for groups,
but only a limited DDR for computers and users that are members of groups.
You can configure the following discovery scopes that control how this method searches
for information:
Location: Use a location if you want to search one or more Active Directory
containers. This scope option supports a recursive search of the specified Active
Directory containers. This process searches each child container under the
container that you specify. It continues until no more child containers are found.
Groups: Use groups if you want to search one or more specific Active Directory
groups. You can configure Active Directory Domain to use the default domain and
forest, or limit the search to an individual domain controller. Additionally, you can
specify one or more groups to search. If you don't specify at least one group, all
groups found in the specified Active Directory Domain location are searched.
Caution
When you configure a discovery scope, choose only the groups that you must
discover. This recommendation is because Active Directory group discovery tries to
discover each member of each group in the discovery scope. Discovery of large
groups can require extensive use of bandwidth and Active Directory resources.
Note
Before you can create collections that are based on extended Active Directory
attributes, and to ensure accurate discovery results for computers and users, run
Active Directory system discovery or Active Directory user discovery, depending on
what you want to discover.
Actions for Active Directory group discovery are recorded in the file adsgdis.log in the
<InstallationPath>\LOGS folder on the site server.
For more information about how to configure this discovery method, see Configure
discovery methods.
Active Directory system discovery
Configurable: Yes
Enabled by default: No
Use this discovery method to search the specified Active Directory Domain Services
locations for computer resources that can be used to create collections and queries. You
can also install the Configuration Manager client on a discovered device by using client
push installation.
By default, this method discovers basic information about the computer, including the
following attributes:
Computer name
OS and version
IP address
To successfully create a DDR for a computer, Active Directory system discovery must be
able to identify the computer account and then successfully resolve the computer name
to an IP address.
In the Active Directory System Discovery Properties dialog box, on the Active
Directory Attributes tab, you can view the full list of default object attributes that it
discovers. You can also configure the method to discover extended attributes.
Actions for Active Directory system discovery are recorded in the file adsysdis.log in the
<InstallationPath>\LOGS folder on the site server.
For more information about how to configure this discovery method, see Configure
discovery methods.
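Because system discovery only creates a DDR when it can find the computer account and resolve its name to an IP address, it is worth previewing a container before enabling the method. The following script is an added example, not part of the page or of Configuration Manager: it enumerates the computer objects in a container the same way the discovery agent would (optionally recursive), tries the DNS resolution the agent needs, and flags stale accounts that would either fail resolution or create records for machines that no longer exist. The OU path, the stale-account threshold, and the requirement for the ActiveDirectory RSAT module are assumptions.

```powershell
# Added example: preview which computer objects in an AD container would produce a DDR.
# Assumptions: ActiveDirectory module installed; SearchBase is an OU in your own domain;
# 90 days without a logon is treated as stale (pick the value that matches your policy).

Import-Module ActiveDirectory

function Test-CMSystemDiscoveryCandidates {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'OU=Workstations,DC=contoso,DC=com'
        [switch]$Recursive,                          # mirrors the "recursive search" location option
        [int]$StaleDays = 90
    )
    $scope  = if ($Recursive) { 'Subtree' } else { 'OneLevel' }
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    Get-ADComputer -SearchBase $SearchBase -SearchScope $scope -Filter * `
        -Properties dNSHostName, operatingSystem, operatingSystemVersion, lastLogonTimestamp, Enabled |
    ForEach-Object {
        $name = if ($_.dNSHostName) { $_.dNSHostName } else { $_.Name }
        # Discovery only emits a DDR for an account whose name resolves to an IP address.
        $ip = $null
        try {
            $ip = (Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
                   Where-Object IPAddress | Select-Object -First 1).IPAddress
        } catch { }
        $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        [pscustomobject]@{
            Computer   = $_.Name
            Enabled    = $_.Enabled
            OS         = "$($_.operatingSystem) $($_.operatingSystemVersion)".Trim()
            ResolvedIP = $ip
            LastLogon  = $lastLogon
            WouldDDR   = [bool]$ip
            Stale      = (-not $lastLogon) -or ($lastLogon -lt $cutoff)
        }
    }
}

$report = Test-CMSystemDiscoveryCandidates -SearchBase 'OU=Workstations,DC=contoso,DC=com' -Recursive
$report | Where-Object { -not $_.WouldDDR -or $_.Stale } | Format-Table -AutoSize
"{0} of {1} accounts would produce a DDR" -f ($report | Where-Object WouldDDR).Count, $report.Count
```

Accounts that are stale but still resolve (a reused IP, or a DNS record that was never scavenged) are the ones to watch: they become discovered resources and, with client push enabled, installation targets. The discovery method's own option to only discover computers that have logged on in a given period is the control for that; run this preview to pick the window.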
Active Directory user discovery
Enabled by default: No
Use this discovery method to search Active Directory Domain Services to identify user
accounts and associated attributes. By default, this method discovers basic information
about the user account, including the following attributes:
User name
Domain
In the Active Directory User Discovery Properties dialog box, on the Active Directory
Attributes tab, you can view the full default list of object attributes that it discovers. You
can also configure the method to discover extended attributes.
Actions for Active Directory User Discovery are recorded in the file adusrdis.log in the
<InstallationPath>\LOGS folder on the site server.
For more information about how to configure this discovery method, see Configure
discovery methods.
Azure AD user discovery
Use Azure Active Directory (Azure AD) user discovery to search your Azure AD
subscription for users with a modern cloud identity. Azure AD user discovery can find
the following attributes:
objectId
displayName
mail
mailNickname
onPremisesSecurityIdentifier
userPrincipalName
tenantID
onPremisesDomainName
onPremisesSamAccountName
onPremisesDistinguishedName
This method supports full and delta synchronization of user attributes from Azure AD.
This information can then be used along-side discovery data you collect from the other
discovery methods.
To configure Azure AD user discovery, see Configure Azure Services for Cloud
Management. For information about how to configure this discovery method, see
Configure Azure AD User Discovery.
Azure AD user group discovery
objectId
displayName
mailNickname
onPremisesSecurityIdentifier
tenantID
Heartbeat discovery
Configurable: Yes
Heartbeat discovery differs from other Configuration Manager discovery methods. It's
enabled by default and runs on each computer client instead of on a site server to
create a DDR. To help maintain the database record of Configuration Manager clients,
don't disable heartbeat discovery. In addition to maintaining the database record, this
method can force discovery of a computer as a new resource record. It can also
repopulate the database record of a computer that was deleted from the database.
Heartbeat discovery runs on a schedule configured for all clients in the hierarchy. The
default schedule for heartbeat discovery is set to every seven days. If you change the
heartbeat discovery interval, make sure that it runs more frequently than the site
maintenance task Delete Aged Discovery Data. This task deletes inactive client records
from the site database. You can configure the Delete Aged Discovery Data task only for
primary sites.
You can also manually run heartbeat discovery on a specific client. Run the Discovery
Data Collection Cycle on the Action tab of a client's Configuration Manager control
panel.
When heartbeat discovery runs, it creates a DDR that has the client's current
information. The client then copies this small file to a management point so that a
primary site can process it. The file is about 1 KB in size and has the following
information:
Network location
NetBIOS name
Actions for heartbeat discovery are logged on the client in the InventoryAgent.log file
in the %Windir%\CCM\Logs folder.
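As an added example that is not part of the page, the following Windows PowerShell functions trigger a heartbeat from the command line (the same Discovery Data Collection Cycle action as the control panel button) and then read InventoryAgent.log in CMTrace format to show the resulting discovery report being sent to the management point. The schedule ID is the client's standard Discovery Data Collection Cycle trigger; the log path, the wait time, and the message patterns used to filter the log ("Action=Discovery" and the DDR endpoint name) are assumptions based on typical client logs and may need adjusting for your client version.

```powershell
# Added example: force a heartbeat on a client and watch InventoryAgent.log for the DDR.
# Run elevated on the client (or remotely over WMI). Assumed: default log path and the
# log message patterns in Get-CMHeartbeatLogLines.

function Invoke-CMHeartbeat {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # {...0003} is the Discovery Data Collection Cycle schedule on every Configuration Manager client.
    $scheduleId = '{00000000-0000-0000-0000-000000000003}'
    try {
        Invoke-WmiMethod -ComputerName $ComputerName -Namespace 'root\ccm' -Class SMS_Client `
            -Name TriggerSchedule -ArgumentList $scheduleId -ErrorAction Stop | Out-Null
        return $true
    } catch {
        Write-Warning "TriggerSchedule failed on ${ComputerName}: $($_.Exception.Message)"
        return $false
    }
}

function Get-CMHeartbeatLogLines {
    param(
        [string]$LogPath = "$env:windir\CCM\Logs\InventoryAgent.log",
        [int]$Last = 20
    )
    # CMTrace format: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
    Get-Content -Path $LogPath -Tail 500 | ForEach-Object {
        if ($_ -match '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"') {
            [pscustomobject]@{ Date = $Matches.date; Time = $Matches.time; Message = $Matches.msg }
        }
    } | Where-Object { $_.Message -match 'Action=Discovery|MP_DdrEndpoint' } |
        Select-Object -Last $Last
}

if (Invoke-CMHeartbeat) {
    Start-Sleep -Seconds 15          # give the agent time to build and send the report
    Get-CMHeartbeatLogLines | Format-Table -AutoSize -Wrap
}
```

A successful cycle shows the discovery action followed by a "sent report" line naming the DDR endpoint on the management point; if only the action appears, the client built the DDR but could not deliver it, which points at the management point rather than at discovery.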
For more information about how to configure this discovery method, see Configure
discovery methods.
Network discovery
Configurable: Yes
Enabled by default: No
Use this method to discover the topology of your network and to discover devices on
your network that have an IP address. Network discovery searches your network for IP-
enabled resources by querying the following sources:
Before you can use network discovery, you must specify the level of discovery to run.
You also configure one or more discovery mechanisms that enable network discovery to
query for network segments or devices. You can also configure settings that help control
discovery actions on the network. Finally, you define one or more schedules for when
network discovery runs.
For this method to successfully discover a resource, network discovery must identify the
IP address and the subnet mask of the resource. The following methods are used to
identify the subnet mask of an object:
Router ARP cache: Network discovery queries the ARP cache of a router to find
subnet information. Typically, data in a router ARP cache has a short time-to-live.
Therefore, when network discovery queries the ARP cache, the ARP cache might no
longer have information about the requested object.
DHCP: Network discovery queries each DHCP server that you specify to discover
the devices for which the DHCP server has provided a lease. Network discovery
supports only DHCP servers that run the Microsoft implementation of DHCP.
SNMP device: Network discovery can directly query an SNMP device. For network
discovery to query a device, the device must have a local SNMP agent installed.
Also configure network discovery to use the community name that the SNMP
agent is using.
When discovery identifies an IP-addressable object and can determine the object's
subnet mask, it creates a DDR for that object. Because different types of devices connect
to the network, network discovery discovers resources that don't support the
Configuration Manager client. For example, devices that can be discovered but not
managed include printers and routers.
Network discovery can return several attributes as part of the discovery record that it
creates. These attributes include:
NetBIOS name
IP addresses
Resource domain
System roles
MAC addresses
For more information about how to configure this discovery method, see Configure
discovery methods.
Level of discovery                            Details
Topology                                      This level discovers routers and subnets but doesn't identify a subnet mask for objects.
Topology and client                           In addition to topology, this level discovers potential clients like computers, and resources like printers and routers. This level of discovery tries to identify the subnet mask of objects that it finds.
Topology, client, and client operating system In addition to topology and potential clients, this level tries to discover the computer operating system name and version. This level uses Windows Browser and Windows Networking calls.
With each incremental level, network discovery increases its activity and network
bandwidth usage. Consider the network traffic that can be generated before you enable
all aspects of network discovery.
For example, when you first use network discovery, you might start with only the
topology level to identify your network infrastructure. Then, reconfigure network
discovery to discover objects and their device operating systems. You can also configure
settings that limit network discovery to a specific range of network segments. That way,
you discover objects in network locations that you require and avoid unnecessary
network traffic. This process also allows you to discover objects from edge routers or
from outside your network.
Note
Network discovery runs in the context of the computer account of the site server
that runs discovery. If the computer account doesn't have permissions to an
untrusted domain, the domain and DHCP server configurations can fail to discover
resources.
DHCP
Specify each DHCP server that you want network discovery to query. Network discovery
supports only DHCP servers that run the Microsoft implementation of DHCP.
Network discovery can query both 32-bit and 64-bit DHCP servers for a list of
devices that are registered with each server.
For network discovery to successfully query a DHCP server, the computer account
of the server that runs discovery must be a member of the DHCP Users group on
the DHCP server. For example, this level of access exists when one of the following
statements is true:
The specified DHCP server is the DHCP server of the server that runs discovery.
The computer that runs discovery and the DHCP server are in the same domain.
A two-way trust exists between the computer that runs discovery and the DHCP
server.
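Because discovery runs as the site server's computer account, the DHCP Users membership has to hold for that account, not for the administrator who configures the method. The following script is an added example, not part of the page, that checks each DHCP server for that membership. DHCP Users is a local group on a member server but a domain group when the DHCP role is on a domain controller, so the script handles both. The server names, the use of WinRM for the remote local-group query, and the ActiveDirectory and DhcpServer RSAT modules are assumptions.

```powershell
# Added example: confirm the site server computer account is in DHCP Users on each DHCP server.
# Assumptions: RSAT ActiveDirectory and DhcpServer modules; WinRM to member-server DHCP hosts;
# the caller can read group membership. Server names are placeholders.

Import-Module ActiveDirectory

function Test-CMDhcpDiscoveryAccess {
    param(
        [Parameter(Mandatory)][string[]]$DhcpServer,
        [Parameter(Mandatory)][string]$SiteServer      # short name of the server running discovery
    )
    $account = "$SiteServer$"                          # sAMAccountName of the computer account
    foreach ($srv in $DhcpServer) {
        # PrimaryGroupID 516 = Domain Controllers: DHCP Users lives in AD rather than in SAM.
        $isDc = $false
        try { $isDc = (Get-ADComputer -Identity $srv -Properties PrimaryGroupID).PrimaryGroupID -eq 516 } catch { }

        $members = @()
        try {
            if ($isDc) {
                $members = Get-ADGroupMember -Identity 'DHCP Users' -Recursive |
                           Select-Object -ExpandProperty SamAccountName
            } else {
                # Local group on a member server; names come back as DOMAIN\name.
                $members = Invoke-Command -ComputerName $srv -ErrorAction Stop -ScriptBlock {
                    Get-LocalGroupMember -Group 'DHCP Users' | Select-Object -ExpandProperty Name
                } | ForEach-Object { ($_ -split '\\')[-1] }
            }
        } catch { Write-Warning "Could not read DHCP Users on ${srv}: $($_.Exception.Message)" }

        # Reachability of the DHCP management interface, as the current user (not the computer account).
        $rpcOk = $false
        try { Get-DhcpServerv4Scope -ComputerName $srv -ErrorAction Stop | Out-Null; $rpcOk = $true } catch { }

        [pscustomobject]@{
            DhcpServer        = $srv
            IsDomainController = $isDc
            SiteServerInGroup = ($members -contains $account)
            DhcpRpcReachable  = $rpcOk
        }
    }
}

Test-CMDhcpDiscoveryAccess -DhcpServer 'dhcp01', 'dc01' -SiteServer 'cm01' | Format-Table -AutoSize
```

The local-group branch does not expand nested domain groups, so a site server that is a member through a nested group shows as not in the group even though discovery would work; DHCP Administrators also grants the needed read access and is not checked here. Treat a false result as a prompt to look, not as proof of a misconfiguration.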
Domains
Specify each domain that you want network discovery to query.
The computer account of the site server that runs discovery must have permissions
to read the domain controllers in each specified domain.
To discover computers from the local domain, you must enable the Computer
Browser service on at least one computer. This computer must be on the same
subnet as the site server that runs network discovery.
Network discovery can discover any computer that you can view from your site
server when you browse the network.
Network discovery retrieves the IP address. It then uses an Internet Control
Message Protocol (ICMP) echo request to ping each device that it finds. The ping
command helps determine which computers are currently active.
SNMP devices
Specify each SNMP device that you want network discovery to query.
Network discovery gets the ipNetToMediaTable value from any SNMP device that
responds to the query. This value returns arrays of IP addresses that are client
computers or other resources like printers, routers, or other IP-addressable
devices.
To query a device, you must specify the IP address or NetBIOS name of the device.
Configure network discovery to use the community name of the device, or the
device rejects the SNMP-based query.
Subnets
Configure the subnets that network discovery queries when it uses the SNMP and DHCP
options. These two options search only the enabled subnets.
For example, a DHCP request can return devices from locations across your whole
network. If you want to discover only devices on a specific subnet, specify and enable
that specific subnet on the Subnets tab in the Network Discovery Properties dialog
box. When you specify and enable subnets, you limit future DHCP and SNMP discovery
tasks to those subnets.
Note
Subnet configurations don't limit the objects that the Domains discovery option
discovers.
SNMP community names
To enable network discovery to successfully query an SNMP device, configure network
discovery with the community name of the device. If network discovery isn't configured
by using the community name of the SNMP device, the device rejects the query.
Maximum hops
When you configure the maximum number of router hops, you limit the number of
network segments and routers that network discovery can query by using SNMP.
The number of hops that you configure limits the number of devices and network
segments that network discovery can query.
For example, a topology-only discovery with 0 (zero) router hops discovers the subnet
on which the originating server resides. It includes any routers on that subnet.
The following diagram shows what a topology-only network discovery query finds when
it runs on Server 1 with 0 router hops specified: subnet D and Router 1.
The following diagram shows what a topology and client network discovery query finds
when it runs on Server 1 with 0 router hops specified: subnet D and Router 1, and all
potential clients on subnet D.
To get a better idea of how more router hops can increase the amount of network
resources that are discovered, consider the following network:
Running a topology-only network discovery from Server 1 with one router hop discovers
the following entities:
Subnets 10.1.20.0 and 10.1.30.0, subnet A, and Router 2 (found on the first hop)
Warning
Each increase to the number of router hops can significantly increase the number
of discoverable resources and increase the network bandwidth that network
discovery uses.
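To make the hop arithmetic concrete, the following Python model (an added illustration, not Configuration Manager code) walks a constructed topology that mirrors the diagrams above: Server 1 on subnet D, Router 1 joining subnet D to 10.1.20.0, 10.1.30.0 and subnet A, and Router 2 on 10.1.20.0 leading to a further constructed subnet B. Subnet, router, and client names are all constructed.

```python
"""Model of how the Maximum hops setting bounds SNMP topology discovery.

Added illustration, not Configuration Manager code. Hop 0 is the originating
server's own subnet plus the routers on it; each further hop crosses the
routers found so far into the subnets behind them, and a "topology and client"
run additionally lists the potential clients on every discovered subnet.
"""

# Constructed topology: the routers and potential clients on each subnet.
SUBNETS = {
    "subnet D":  {"routers": ["Router 1"], "clients": ["srv01", "ws01", "ws02"]},
    "10.1.20.0": {"routers": ["Router 1", "Router 2"], "clients": ["ws10", "ws11"]},
    "10.1.30.0": {"routers": ["Router 1"], "clients": ["printer30"]},
    "subnet A":  {"routers": ["Router 1"], "clients": ["ws20"]},
    "subnet B":  {"routers": ["Router 2"], "clients": ["ws30", "ws31", "ws32"]},
}


def routers_on(subnet):
    return SUBNETS[subnet]["routers"]


def subnets_of(router):
    return [s for s, info in SUBNETS.items() if router in info["routers"]]


def discover(start_subnet, max_hops, include_clients=False):
    """Return (subnets, routers, clients) found within max_hops router hops."""
    subnets = {start_subnet}
    routers = set(routers_on(start_subnet))
    frontier = set(routers)            # routers not yet crossed
    for _ in range(max_hops):
        new_subnets = set()
        for router in frontier:
            for s in subnets_of(router):
                if s not in subnets:
                    new_subnets.add(s)
        subnets |= new_subnets
        new_routers = {r for s in new_subnets for r in routers_on(s)} - routers
        routers |= new_routers
        frontier = new_routers
        if not frontier:               # nothing further to cross
            break
    clients = set()
    if include_clients:
        for s in subnets:
            clients.update(SUBNETS[s]["clients"])
    return subnets, routers, clients


def resource_count(start_subnet, max_hops, include_clients=False):
    """Total discovered objects; shows how quickly each extra hop grows the result."""
    subnets, routers, clients = discover(start_subnet, max_hops, include_clients)
    return len(subnets) + len(routers) + len(clients)


if __name__ == "__main__":
    for hops in range(3):
        print(hops, discover("subnet D", hops, include_clients=True))
```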
Server discovery
Configurable: No
Note
The information in this section doesn't apply to Active Directory forest discovery.
These three discovery methods are similar in configuration and operation. They can
discover computers, users, and information about group memberships of resources that
are stored in Active Directory Domain Services. The discovery process is managed by a
discovery agent. The agent runs on the site server at each site where discovery is
configured to run. You can configure each of these discovery methods to search one or
more Active Directory locations as location instances in the local forest or remote
forests.
When discovery searches an untrusted forest for resources, the discovery agent must be
able to resolve the following to be successful:
For each location that you specify, you can configure individual search options, like
enabling a recursive search of the location's Active Directory child containers. You can
also configure a unique account to use when it searches that location. This account
provides flexibility in configuring a discovery method at one site to search multiple
Active Directory locations across multiple forests. You don't have to configure a single
account that has permissions to all locations.
When each of these three discovery methods runs at a specific site, the Configuration
Manager site server at that site contacts the nearest domain controller in the specified
Active Directory forest to locate Active Directory resources. The domain and forest can
be in any supported Active Directory mode. The account that you assign to each
location instance must have Read access permission to the specified Active Directory
locations.
Discovery searches the specified locations for objects and then tries to collect
information about those objects. A DDR is created when sufficient information about a
resource can be identified. The required information varies depending on the discovery
method that is being used.
If you configure the same discovery method to run at different Configuration Manager
sites to take advantage of querying local Active Directory servers, you can configure
each site with a unique set of discovery options. Because discovery data is shared with
each site in the hierarchy, avoid overlap between these configurations to efficiently
discover each resource a single time.
For smaller environments, consider running each discovery method at only one site in
your hierarchy. This configuration reduces administrative overhead and the potential for
multiple discovery actions to rediscover the same resources. When you minimize the
number of sites that run discovery, you reduce the overall network bandwidth that
discovery uses. You can also reduce the overall number of DDRs that are created and
must be processed by your site servers.
Many of the discovery method configurations are self-explanatory. Use the following
sections for more information about the discovery options that might require additional
information before you configure them.
The following options are available for use with multiple Active Directory discovery
methods:
Delta Discovery
Delta discovery
Available for:
Delta discovery isn't an independent discovery method but an option available for the
applicable discovery methods. Delta discovery searches specific Active Directory
attributes for changes that were made since the last full discovery cycle of the applicable
discovery method. The attribute changes are submitted to the Configuration Manager
database to update the discovery record of the resource.
By default, delta discovery runs on a five-minute cycle. This schedule is much more
frequent than the typical schedule for a full discovery cycle. This frequent cycle is
possible because delta discovery uses fewer site server and network resources than a full
discovery cycle. When you use delta discovery, you can reduce the frequency of the full
discovery cycle for that discovery method.
The following are the most common changes that delta discovery detects:
Although delta discovery can detect new resources and changes to group membership,
it can't detect when a resource has been deleted from Active Directory. DDRs created by
delta discovery are processed similarly to the DDRs that are created by a full discovery
cycle.
You configure delta discovery on the Polling Schedule tab in the properties for each
discovery method.
You can configure discovery to exclude computers with a stale computer record. This
exclusion is based on the last domain sign in of the computer. When this option is
enabled, Active Directory system discovery evaluates each computer that it identifies.
Active Directory group discovery evaluates each computer that is a member of a group
that's discovered.
The Active Directory domain functional level must be set to Windows Server 2003
or later.
When you're configuring the time after the last sign in that you want to use for this
setting, consider the interval for replication between domain controllers.
You configure filtering on the Option tab in the Active Directory System Discovery
Properties and Active Directory Group Discovery Properties dialog boxes. Choose to
Only discover computers that have logged on to a domain in a given period of time.
Warning
When you configure this filter and Filter stale records by computer password,
discovery excludes computers that meet the criteria of either filter.
You can configure discovery to exclude computers with a stale computer record. This
exclusion is based on the last computer account password update by the computer.
When this option is enabled, Active Directory system discovery evaluates each computer
that it identifies. Active Directory group discovery evaluates each computer that is a
member of a group that is discovered.
When you're configuring this option, consider the interval for updates to this attribute.
Also consider the replication interval between domain controllers.
You configure filtering on the Option tab in the Active Directory System Discovery
Properties and Active Directory Group Discovery Properties dialog boxes. Choose to
Only discover computers that have updated their computer account password in a
given period of time.
Warning
When you configure this filter and Filter stale records by domain logon, discovery
excludes computers that meet the criteria of either filter.
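The following Python example (added here; not Configuration Manager code) evaluates both stale-record filters the way the two warnings above describe, excluding a computer when it meets either criterion, and includes a replication allowance for the interval between domain controllers. It assumes, since the page does not name the attributes, that the last domain sign-in is read from lastLogonTimestamp and the last password update from pwdLastSet; the computer records are constructed.

```python
"""Apply the domain-logon and computer-password stale-record filters.

Added illustration, not Configuration Manager code. Assumes the two filters
read the AD attributes lastLogonTimestamp and pwdLastSet, both stored as
Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC).
All computer records below are constructed.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware datetime; 0 means 'never set'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def is_stale(last_event, now, max_age_days, replication_slack_days=0):
    """True when the event is older than the window plus the replication allowance."""
    if last_event is None:
        return True
    return now - last_event > timedelta(days=max_age_days + replication_slack_days)


def evaluate_computer(record, now, logon_days=None, password_days=None,
                      replication_slack_days=0):
    """Return (excluded, reasons) for one computer record.

    A filter is off when its day count is None. With both filters on, meeting
    either criterion excludes the computer, as the Warning on the page states.
    """
    reasons = []
    if logon_days is not None and is_stale(
            filetime_to_datetime(record["lastLogonTimestamp"]),
            now, logon_days, replication_slack_days):
        reasons.append("no domain logon within %d days" % logon_days)
    if password_days is not None and is_stale(
            filetime_to_datetime(record["pwdLastSet"]),
            now, password_days, replication_slack_days):
        reasons.append("no computer password update within %d days" % password_days)
    return (bool(reasons), reasons)


NOW = datetime(2023, 3, 2, 12, 0, tzinfo=timezone.utc)  # constructed run time


def _days_ago(n):
    return datetime_to_filetime(NOW - timedelta(days=n))


# Constructed records: one healthy, one per filter, one never logged on, one edge case.
SAMPLE_RECORDS = {
    "WS-ACTIVE":  {"lastLogonTimestamp": _days_ago(3),   "pwdLastSet": _days_ago(10)},
    "WS-OLDPWD":  {"lastLogonTimestamp": _days_ago(5),   "pwdLastSet": _days_ago(120)},
    "WS-NOLOGON": {"lastLogonTimestamp": _days_ago(200), "pwdLastSet": _days_ago(20)},
    "WS-NEVER":   {"lastLogonTimestamp": 0,              "pwdLastSet": _days_ago(1)},
    "WS-EDGE":    {"lastLogonTimestamp": _days_ago(95),  "pwdLastSet": _days_ago(5)},
}


def run_filters(records, now, logon_days, password_days, replication_slack_days=0):
    """Evaluate every record; returns name -> (excluded, reasons)."""
    return {name: evaluate_computer(r, now, logon_days, password_days,
                                    replication_slack_days)
            for name, r in records.items()}
```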
Each discovery method supports a unique list of Active Directory attributes that can be
discovered.
You can view and configure the list of customized attributes on the Active Directory
Attributes tab in the Active Directory System Discovery Properties and Active
Directory User Discovery Properties dialog boxes.
Next steps
Select discovery methods to use for Configuration Manager
To successfully and efficiently use discovery for Configuration Manager, you must
consider which methods to use and at which sites to run them.
Because discovery can generate a large volume of network traffic, and the resultant
discovery data records (DDRs) can use significant CPU resources during processing, use
only those discovery methods that you require to meet your goals. You might start by
using only one or two discovery methods, and then later enable additional methods in a
controlled manner to extend the level of discovery in your environment. The information
in this topic can help you make informed decisions.
For information about the different discovery methods, see About discovery methods
for Configuration Manager.
Discover computers
When you want to discover computers, you can use Active Directory System Discovery
or Network Discovery.
For example, if you want to discover resources that can install the Configuration
Manager client before you use client push installation, you might run Active Directory
System Discovery. This method not only discovers the resource, but also gathers basic
and even extended information about it from Active Directory Domain Services. This
information might be useful in building complex queries and collections to use for the
assignment of client settings or content deployment.
Alternatively, you could run Network Discovery, and use its options to discover the
operating system of resources (required to later use client push installation). Network
Discovery provides you with information about your network topology that you are not
able to acquire with other discovery methods. This method does not, however, provide
you any information about your Active Directory environment.
There is also a method called Heartbeat Discovery. It is possible to use only Heartbeat
Discovery to force the discovery of clients that you installed by methods other than
client push installation. However, unlike other discovery methods, Heartbeat Discovery
cannot discover computers that do not have an active Configuration Manager client. It
returns a limited set of information, intended to maintain an existing database record
rather than be the basis of that record. Information submitted by Heartbeat Discovery
might not be sufficient to build complex queries or collections.
If you use Active Directory Group Discovery to discover the membership of a specified
group, you can discover limited system or computer information. This does not replace
a full discovery of computers, but can provide basic information. This information is
insufficient for client push installation.
Discover users
When you want to discover information about users, use Active Directory User
Discovery. Similar to Active Directory System Discovery, this method discovers users
from Active Directory. It includes basic information, in addition to extended Active
Directory information. You can use this information to build complex queries and
collections similar to those for computers.
You can use this method to search a specific Active Directory group to identify the
members of that group, in addition to any nested groups within that group. You can
also use this method to search an Active Directory location for groups, and recursively
search each child container of that location in Active Directory Domain Services.
This discovery method can also search the membership of distribution groups. This can
identify the group relationships of both users and computers.
When you discover a group, you can also discover limited information about its
members. This does not replace the Active Directory system or user discovery methods,
though. It is usually insufficient to build complex queries and collections, or serve as the
basis of a client push installation.
Discover infrastructure
There are two methods you can use to discover network infrastructure: Active Directory
Forest Discovery and Network Discovery.
Use Active Directory Forest Discovery to search an Active Directory forest for
information about subnets and Active Directory site configurations. These
configurations can then be automatically entered into Configuration Manager as
boundary locations.
When you want to discover your network topology, use Network Discovery. While other
discovery methods return information related to Active Directory Domain Services, and
can identify the current network location of a client, they do not provide infrastructure
information based on the subnets and router topology of your network.
However, for some environments it might be useful to assign the same discovery
method to run at multiple sites, each with a separate configuration and schedule. For
example, when using Network Discovery, you might want to direct each site to discover
its local network, instead of attempting to discover all network locations across a WAN.
If you do configure multiple instances of the same discovery methods to run at different
sites, plan the configuration of each site carefully. You want to avoid having two or more
sites discover the same resources from your network or Active Directory. This can
consume additional network bandwidth and create duplicate DDRs.
The following table identifies at which sites you can set up the different discovery
methods.
Primary site
Secondary site
(1) Secondary sites cannot configure Heartbeat Discovery, but can receive the Heartbeat
DDR from a client.
When secondary sites run Network Discovery, or receive Heartbeat Discovery DDRs, they
transfer the DDR by file-based replication to their parent primary site. This is because
only primary sites and central administration sites can process DDRs. For more
information about how DDRs are processed, see About discovery data records.
When you use an Active Directory discovery method for systems, users, or groups:
Run discovery at a site that has a fast network connection to your domain
controllers.
Consider the Active Directory replication topology to ensure discovery can access
the latest information.
Consider the scope of the discovery configuration, and limit discovery to only
those Active Directory locations and groups that you have to discover.
Because Heartbeat Discovery does not run at a specific site, you do not have to
consider it in general planning for where to run discovery.
Run Active Directory System Discovery and Active Directory User Discovery
before you run Active Directory Group Discovery.
When you set up Active Directory Group Discovery, only specify groups that you
use with Configuration Manager.
To help control the use of resources by Active Directory Group Discovery, specify
only those groups that you use with Configuration Manager. This is because Active
Directory Group Discovery recursively searches each group it discovers for users,
computers, and nested groups. The search of each nested group can expand the
scope of Active Directory Group Discovery, and reduce performance. Additionally,
when you set up delta discovery for Active Directory Group Discovery, the
discovery method monitors each group for changes. This further reduces
performance when the method must search unnecessary groups.
Set up discovery methods with a longer interval between full discovery, and a
more frequent period of delta discovery.
Because delta discovery uses fewer resources than a full discovery cycle, and can
identify new or modified resources in Active Directory, you can reduce the
frequency of full discovery cycles to run weekly (or less). Delta discovery for Active
Directory System Discovery, Active Directory User Discovery, and Active Directory
Group Discovery identifies almost all changes to Active Directory objects, and
can maintain accurate discovery data for resources.
Run Active Directory discovery methods at a primary site that has a network
location that is closest to your Active Directory domain controller.
To improve the performance of Active Directory discovery, it's a good idea to run
discovery at a primary site that has a fast network connection to your domain
controllers. If you run the same Active Directory discovery method at multiple sites,
set up each discovery method to avoid overlap. Unlike past versions of
Configuration Manager, discovery data is shared among sites. Therefore, it is not
necessary to discover the same information at multiple sites. For more information,
see Discovery data is shared between sites.
Run Active Directory Forest Discovery at only one site when you plan to
automatically create boundaries from the discovery data.
If you run Active Directory Forest Discovery at more than one site in a hierarchy,
it's a good idea to only enable options to automatically create boundaries at a
single site. This is because when Active Directory Forest Discovery runs at each site
and creates boundaries, Configuration Manager cannot merge those boundaries
into a single boundary object. When you configure Active Directory Forest
Discovery to automatically create boundaries at multiple sites, the result can be
duplicated boundary objects in the Configuration Manager console.
Configure discovery methods for Configuration Manager
Article • 10/04/2022
Configure discovery methods to find resources to manage from your network, Active
Directory, and Azure Active Directory (Azure AD). First enable and then configure each
method that you want to use to search your environment. You can also disable a
method by using the same procedure that you use to enable it. The only exceptions to
this process are Heartbeat Discovery and Server Discovery:
Configure settings that enable Configuration Manager sites to publish their site
information to the forest.
Assign an account to use as the Active Directory Forest Account for each forest.
Use the following procedures to enable Active Directory Forest Discovery, and to
configure individual forests for use with Active Directory Forest Discovery.
2. Select the Active Directory Forest Discovery method for the site where you want to
configure discovery.
To configure a new forest that isn't listed, on the Home tab of the ribbon, in
the Create group, select Add Forest. This action opens the Add Forests
dialog box.
2. On the General tab, finish configurations for the forest that you want to discover,
and specify the Active Directory Forest Account. For more information on this
account, see Accounts.
Note
3. If you plan to let sites publish site data to this forest, on the Publishing tab, finish
configurations for publishing to this forest.
Note
If you let sites publish to a forest, extend the Active Directory schema of that
forest for Configuration Manager. The Active Directory Forest Account must
have Full Control permissions to the System container in that forest.
2. Select the method for the site where you want to configure discovery.
4. On the General tab of the properties, select the checkbox to enable discovery. Or
you can configure discovery now, and then return to enable discovery later.
Then use the information in the following sections to configure the specific discovery
methods:
Note
The information in this section doesn't apply to Active Directory Forest Discovery.
Although each of these discovery methods is independent of the others, they share
similar options. For more information about these configuration options, see Shared
options for group, system, and user discovery.
Warning
The Active Directory polling by each of these discovery methods can generate
significant network traffic. Consider scheduling each discovery method to run at a
time when this network traffic doesn't adversely affect business uses of your
network.
c. Specify the Active Directory Group Discovery Account that the site uses to
search this discovery scope. For more information, see Accounts.
2. Repeat the previous steps for each other discovery scope that you want to define.
3. On the Polling Schedule tab, configure both the full discovery polling schedule
and delta discovery.
4. On the Options tab, configure settings to filter out or exclude stale computer
records from discovery. Also configure the discovery of the membership of
distribution groups.
Note
a. Type or browse to a location for the Path. This value is a valid LDAP path to a
container or organizational unit (OU). The site queries this path for resources.
For example, LDAP://CN=Computers,DC=contoso,DC=com
Discover objects within Active Directory groups: The site also looks at the
membership of groups in this path.
Tip
The list of Active Directory containers in the Active Directory
System Discovery Properties window includes a column Has
Exclusions. When you select containers to exclude, this value is Yes.
Starting in version 2203, you can exclude subcontainers in
untrusted domains for Active Directory System Discovery and
Active Directory User Discovery.
c. For each location, specify the account to use as the Active Directory Discovery
Account. For more information, see Accounts.
Tip
For each specified location, you can configure a set of discovery options
and a unique Active Directory Discovery Account.
2. On the Polling Schedule tab, configure both the full discovery polling schedule
and delta discovery.
3. On the Active Directory Attributes tab, configure other Active Directory attributes
for computers that you want to discover. This tab lists the default object attributes.
Tip
4. On the Options tab, configure settings to filter out or exclude stale computer
records from discovery.
b. For each location, specify options that change the search behavior.
c. For each location, specify the account to use as the Active Directory Discovery
Account. For more information, see Accounts.
Note
For each specified location, you can configure a unique set of discovery
options and a unique Active Directory Discovery Account.
2. On the Polling Schedule tab, configure both the full discovery polling schedule
and delta discovery.
3. On the Active Directory Attributes tab, configure other Active Directory attributes
for computers that you want to discover. This tab lists the default object attributes.
2. Select Active Directory User Discovery then select Properties from the ribbon.
3. On the General tab of the Active Directory User Discovery Properties window,
select the New icon to specify a new Active Directory container or Edit to change
an existing one.
4. In the Active Directory Container dialog box, locate the search option named
Select sub containers to be excluded from discovery.
Tip
Starting in version 2203, you can exclude subcontainers in untrusted domains for
Active Directory System Discovery and Active Directory User Discovery.
Azure AD User Discovery
Azure AD User Discovery isn't enabled or configured the same as other discovery
methods. Configure it when you onboard the Configuration Manager site to Azure AD.
If you use Configuration Manager to create the Azure app, it configures the app with the
necessary permissions.
If you create the app in Azure first, and then import it into Configuration Manager, you
need to manually configure the app. This configuration includes granting the server app
permission to read directory data.
1. Open the Azure portal as a user with Global Admin permissions. Go to Azure
Active Directory, and select App registrations. Switch to All applications if
necessary.
4. On the API permissions panel, in the Grant consent section, select Grant admin
consent.... Select Yes.
Note
Log files
Use the SMS_AZUREAD_DISCOVERY_AGENT.log for troubleshooting. This log is also
shared with Azure AD user discovery. For more information, see Log files.
1. Go to the Administration workspace, expand Cloud Services, then select the Azure
Services node.
2. Select one of your Azure services, then select Properties in the ribbon.
3. In the Discovery tab, check the box to Enable Azure Active Directory Group
Discovery, then select Settings.
4. Select Add under the Discovery Scopes tab.
You'll be prompted to sign in to Azure when you select Search the first time.
On the Discovery page of the wizard, select the option to Enable Azure Active
Directory Group Discovery.
Select Settings.
In the Azure AD Group Discovery Settings dialog box, configure your discovery
scope and a schedule for when discovery occurs.
Heartbeat Discovery
Configuration Manager enables the Heartbeat Discovery method when you install a
primary site. If you want to use the default schedule of every seven days, there's nothing
else to configure. Otherwise, you only have to configure the schedule for how often
clients send the Heartbeat Discovery data record to a management point.
Note
If you enable both client push installation and the site maintenance task for Clear
Install Flag at the same site, set the schedule of Heartbeat Discovery to be less than
the Client Rediscovery period of the Clear Install Flag site maintenance task. By
default, this task runs every 21 days. Heartbeat discovery should run more
frequently than the task, or clients will unnecessarily reinstall. For more information
about site maintenance tasks, see Maintenance tasks.
4. Configure the frequency with which clients submit a Heartbeat discovery data
record. Then select OK to save the configuration.
Network Discovery
Before you configure Network Discovery, understand the following topics:
The following sections provide information about common configurations for Network
Discovery. You can configure one or more of these configurations for use during the
same discovery run. If you use multiple configurations, plan for the interactions that can
affect the discovery results.
For example, you discover all Simple Network Management Protocol (SNMP) devices
that use a specific SNMP community name. For the same discovery run, you disable
discovery on a specific subnet. When discovery runs, Network Discovery doesn't
discover the SNMP devices with the specified community name on the subnet that
you've disabled.
When you're mapping your network topology, configure the Maximum hops on the
SNMP tab in the Network Discovery Properties dialog box. Just a few hops can help
control the network bandwidth that's used when discovery runs. As you discover more
of your network, increase the number of hops to gain a better understanding of your
network topology.
After you understand your network topology, configure the properties for Network
Discovery. These properties help to discover potential clients and their operating
systems. Also configure Network Discovery to limit the network segments that it can
search.
If you specify one or more subnets on the Subnets tab in the Network Discovery
Properties dialog box, it only searches the subnets that you mark as Enabled.
When you disable a subnet, the site excludes it from discovery, and the following
conditions apply:
DHCP servers don't reply with a list of resources located on the subnet.
Domain-based queries can discover resources that are located on the subnet.
You can configure Network Discovery to search a specific domain or set of domains
during a discovery run. By default, Network Discovery searches the local domain of the
server that runs discovery.
If you specify one or more domains on the Domains tab in the Network Discovery
Properties dialog box, it only searches the domains that you mark as Enabled.
When you disable a domain, the site excludes it from discovery, and the following
conditions apply:
DHCP servers can still reply with a list of resources located in the domain.
Network Discovery uses community names to gain access to routers that are SNMP
devices. A router can supply Network Discovery with information about other routers
and subnets that are linked to the first router.
Note
If you include more than one SNMP community on the SNMP tab in the Network
Discovery Properties dialog box, it searches them in the order in which they're shown.
Make sure that the most frequently used names are at the top of the list. This
configuration helps to minimize network traffic that the site generates when it tries to
contact a device by using different names.
Note
Along with using the SNMP community name, you can specify the IP address or
resolvable name of a specific SNMP device. You do this action on the SNMP
Devices tab in the Network Discovery Properties dialog box.
Network Discovery searches each DHCP server that you specify on the DHCP tab in the
Network Discovery Properties dialog box. If the server that's running discovery leases
its IP address from a DHCP server, you can configure discovery to search that DHCP
server. Enable this behavior with the option to Include the DHCP server that the site
server is configured to use.
Note
2. Select the Network Discovery method for the site where you want to discover
network resources.
On the General tab, select the option to Enable network discovery. Then
select Topology from the Type of discovery options.
Tip
If you know the specific subnets that constitute your network, deselect
the Search local subnets checkbox. Then select the New icon, and
add the specific subnets that you want to search. For large networks,
search only one or two subnets at a time to minimize the use of network
bandwidth.
On the SNMP tab, select an option from the Maximum hops drop-down list.
This option specifies how many router hops Network Discovery can take in
mapping your topology.
Tip
When you first map your network topology, configure just a few router
hops to minimize the use of network bandwidth.
4. On the Schedule tab, select the New icon, and set a schedule for running
discovery. The Duration is the period of time that Network Discovery has to
complete the search for resources. On smaller subnets, an hour may be enough,
but searching across an enterprise network with multiple router hops will take
longer. If Network Discovery runs out of time, a message is logged in Netdisc.log.
Note
2. Select the Network Discovery method for the site where you want to discover
network resources.
To run discovery on subnets that are local to the computer that runs
discovery, enable the option to Search local subnets.
To search a specific subnet, make sure that the subnet is listed in Subnets to
search and has a Search value of Enabled:
a. If the subnet isn't listed, select the New icon. In the New Subnet
Assignment dialog box, enter the Subnet and Mask information, and then
select OK. By default, a new subnet is enabled for search.
b. To change the Search value for a listed subnet, select it in the list. Then
select the Toggle icon to switch the value between Disabled and Enabled.
To run discovery on the domain of the computer that runs discovery, enable
the option to Search local domain.
To search a specific domain, make sure that the domain is listed in Domains
and has a Search value of Enabled:
a. If the domain isn't listed, select the New icon. In the Domain
Properties dialog box, enter the Domain information, and then select OK.
By default, a new domain is enabled for search.
b. To change the Search value for a listed domain, select it in the list. Then
select the Toggle icon to switch the value between Disabled and Enabled.
name from the list. Then select the Move Item Up icon or the Move Item
Down icon. When discovery runs, community names are searched in a
top-to-bottom order.
To configure the maximum number of router hops for use by SNMP searches,
select the number of hops from the Maximum hops drop-down list.
8. To configure an SNMP device, switch to the SNMP Devices tab. If the device isn't
listed, select the New icon. In the New SNMP Device dialog box, specify the IP
address or device name of the SNMP device, and then select OK.
Note
9. To configure discovery to query specific DHCP servers, switch to the DHCP tab.
Then configure one or more of the following options:
To query the DHCP server on the computer that is running discovery, enable
the option to Always use the site server's DHCP server.
Note
To use this option, the server must lease its IP address from a DHCP
server and can't use a static IP address.
To query a specific DHCP server, select the New icon. In the New DHCP
Server dialog box, specify the IP address or server name of the DHCP server,
and then select OK.
Note
If the Schedule tab shows more than one schedule at the same time, Network
Discovery runs for all schedules as it's configured at the time indicated in the
schedule. This behavior is also true for recurring schedules.
The maximum number of hops that are configured to find routers in the network
Network Discovery doesn't create messages to alert you when it's finished. Use the
following procedure to verify when discovery has finished:
3. On the Home tab of the ribbon, in the Status Message Queries group, select Show
Messages.
4. In the All Status Messages window, select a value from the Select date and time
drop-down list that includes how long ago the discovery started. Then select OK to
open the Configuration Manager Status Message Viewer.
Tip
You can also use the Specify date and time option to select a given date and
time that you ran discovery. This option is useful when you ran Network
Discovery on a given date and want to retrieve messages from only that date.
5. To validate that Network Discovery has finished, search for a status message that
has the following details:
Component: SMS_NETWORK_DISCOVERY
6. To validate when Network Discovery started, search for a status message that has
the following details:
Component: SMS_NETWORK_DISCOVERY
This information verifies that Network Discovery started. If this information isn't
present, reschedule Network Discovery.
Overview of boundaries and boundary groups
Article • 10/04/2022
IP subnet
Active Directory site name
IPv6 prefix
IP address range
VPN (starting in version 2006)
Clients on the intranet evaluate their current network location and then use that
information to identify boundary groups to which they belong.
Find an assigned site: Boundary groups enable clients to find a primary site for
client assignment. This behavior is also known as automatic site assignment.
Find certain site system roles they can use: Associate a boundary group with
certain site system roles. Then the site provides clients with that list of site systems
in the boundary group. Clients use these site systems for actions such as finding
content or a nearby management point.
Clients that are on the internet or configured as internet-only clients don't use boundary
information. These clients can't use automatic site assignment. They can download
content from an internet-based distribution point from their assigned site or a
content-enabled cloud management gateway.
During OS deployment, while a device is running Windows PE, the site can convert
Active Directory site boundary information to IP subnet information. This behavior is
only during this process, and specifically for these devices. In other words, if your site
only has Active Directory site boundaries, Windows PE clients during an OS deployment
will still be in a boundary.
Overlapping boundaries
Configuration Manager supports overlapping boundary and boundary group
configurations for content and service location requests. Overlapping occurs when a
client's location maps to multiple boundary groups. This behavior happens for one of
two reasons:
You add separate boundaries that include the client's location to different
boundary groups.
When overlapping occurs, Configuration Manager creates a list of all site systems
referenced by all boundary groups that include a client's location. Configuration
Manager sends this list to a client in response to a content or service location request.
Configuration Manager doesn't apply any precedence or deterministic ordering to this
list based on overlapping boundaries and boundary groups. Instead, the client chooses
at random from this list.
For client content requests, Configuration Manager includes only distribution points that
have the requested content in the list of site systems returned. For other service location
requests, Configuration Manager includes only site systems that host the type of role
requested, which may be one of the following roles:
Management point
This behavior enables the client to select the nearest server to communicate with for
each request type.
Recommendations
Each boundary group can be associated with a different primary site for site
assignment.
For a boundary that's a member of two different boundary groups with different
site assignments, clients randomly select a site to join, which might not be the
site you want the client to join. This configuration is called overlapping
boundaries.
For more information on boundary groups and site assignment, see Site assignment.
Next steps
Define network locations as boundaries
Configuration Manager boundaries are locations on your network that contain devices
that you want to manage. You can create different types of boundaries, for example, an
Active Directory site or network IP address. When the Configuration Manager client
identifies a similar network location, that device is a part of the boundary.
IP subnet
Active Directory site
IPv6 prefix
IP address range
VPN (starting in version 2006)
You can manually create individual boundaries or use Active Directory forest discovery.
This discovery method automatically finds and creates boundaries for IP subnets and
Active Directory sites. When Active Directory forest discovery identifies a supernet for an
Active Directory site, Configuration Manager converts the supernet into an IP address
range boundary.
If a device isn't in the boundary you expect, it may be because you haven't defined its
network location as a boundary. When the network location of a device is in doubt, use
the following Windows commands on the device to confirm:
IP address: ipconfig
Active Directory site: nltest /dsgetsite
VPN: ipconfig /all
Boundary types
IP subnet
The IP subnet boundary type requires a Subnet ID. For example, 169.254.0.0. If you
provide the Network (default gateway) and Subnet mask values, Configuration Manager
automatically calculates the Subnet ID. When you save the boundary, Configuration
Manager only saves the Subnet ID value.
Active Directory site
When you specify an Active Directory site for a boundary, the boundary includes each IP
subnet that's a member of that Active Directory site. If the configuration of the Active
Directory site changes in Active Directory, the network locations included in this
boundary also change.
Active Directory site boundaries don't work for pure Azure Active Directory (Azure AD)
devices, also called cloud domain-joined devices. If they roam on-premises, and you
only create Active Directory site type boundaries, these devices won't be in a boundary.
Tip
Use the following Windows command to see a device's current Active Directory
site: nltest /dsgetsite.
IPv6 prefix
For the IPv6 prefix boundary type, you specify a Prefix. For example,
2001:1111:2222:3333.
IP address range
For the IP address range boundary type, specify the Starting IP address and Ending IP
address for the range. The range can include part of an IP subnet or multiple IP subnets.
Use an IP address range boundary type to support a supernet.
You can also use this type to define a boundary for a single IP address. Set both the
starting and ending IP addresses as the same value. This configuration may be useful for
unique devices or test environments.
VPN
Starting in version 2006, to simplify managing remote clients, create a boundary type for
VPNs. When a client sends a location request, it includes additional information about
its network configuration. Based upon this information, the server determines whether
the client is on a VPN. For Configuration Manager to associate the client in the
boundary, connect the device to the VPN.
Auto detect VPN: Configuration Manager detects any VPN solution that uses the
point-to-point tunneling protocol (PPTP). If it doesn't detect your VPN, use one of
the other options. The boundary value in the console list will be Auto:On.
Connection name: Specify the name of the VPN connection on the device. It's the
name of the network adapter in Windows for the VPN connection. Configuration
Manager matches the first 250 characters of the string, but doesn't support
wildcard characters or partial strings. The boundary value in the console list will be
Name:<name>, where <name> is the connection name that you specify.
For example, you run the ipconfig command on the device, and one of the
sections starts with: PPP adapter ContosoVPN:. Use the string ContosoVPN as the
Connection name. It displays in the list as Name:CONTOSOVPN.
For example, you run the ipconfig /all command on the device, and one of the
connections includes the following line: Description . . . . . . . . . . . :
ContosoMainVPN. Use the string ContosoMainVPN as the Connection description. It
displays in the list as Description:CONTOSOMAINVPN.
Important
To take full advantage of this feature, after you update the site, also update clients
to the latest version. New functionality appears in the Configuration Manager
console when you update the site and console. The complete scenario isn't
functional until the client version is also the latest.
To use this VPN boundary during an OS deployment, make sure to also update the
boot image to include the latest client binaries.
Starting in version 2111, you can now match the start of a connection name or
description instead of the whole string. Some third-party VPN drivers dynamically create
the connection, which starts with a consistent string but also has a unique connection
identifier. For example, Virtual network adapter #19. When you use the Connection
name or Connection description options, also use the new Starts with option.
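The following PowerShell is an added example for the boundary types above (IP subnet, IP address range, IPv6 prefix and VPN connection name); it isn't Configuration Manager code. It computes the Subnet ID that the console derives from a gateway address and subnet mask, and tests constructed device addresses and adapter names against constructed boundary values. The IPv6 prefix comparison (leading 16-bit groups) and the case-insensitive, 250-character VPN name match are simplified models of the rules described here, not the product's own matching logic.

```powershell
# Added example (not Configuration Manager code): evaluate a device's network
# location against the boundary types described above. All boundary values and
# device data used below are constructed for illustration.

function Get-SubnetId {
    # Subnet ID = address AND mask; this is the only value saved for an IP subnet boundary
    param([string]$IPAddress, [string]$SubnetMask)
    $ip   = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $mask = [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()
    $octets = for ($i = 0; $i -lt 4; $i++) { $ip[$i] -band $mask[$i] }
    return ($octets -join '.')
}

function ConvertTo-UInt32Address {
    # IPv4 address as a big-endian unsigned integer, so ranges compare numerically
    param([string]$IPAddress)
    $bytes = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPRangeBoundary {
    # Start and end are inclusive; start = end defines a single-address boundary
    param([string]$IPAddress, [string]$StartAddress, [string]$EndAddress)
    $n = ConvertTo-UInt32Address $IPAddress
    return ($n -ge (ConvertTo-UInt32Address $StartAddress)) -and
           ($n -le (ConvertTo-UInt32Address $EndAddress))
}

function Test-IPv6PrefixBoundary {
    # Simplified model: compare the leading 16-bit groups of the expanded address
    # with the groups given in the boundary prefix (assumption, not product code)
    param([string]$IPv6Address, [string]$Prefix)
    $bytes  = [System.Net.IPAddress]::Parse($IPv6Address).GetAddressBytes()
    $groups = for ($i = 0; $i -lt 16; $i += 2) {
        '{0:x4}' -f (([int]$bytes[$i] -shl 8) -bor [int]$bytes[$i + 1])
    }
    $want = $Prefix.Split(':') | ForEach-Object { '{0:x4}' -f [Convert]::ToInt32($_, 16) }
    for ($i = 0; $i -lt $want.Count; $i++) {
        if ($groups[$i] -ne $want[$i]) { return $false }
    }
    return $true
}

function Test-VpnNameBoundary {
    # Connection name match: case-insensitive, first 250 characters, no wildcards.
    # -StartsWith models the version 2111 "Starts with" option.
    param([string]$AdapterName, [string]$BoundaryName, [switch]$StartsWith)
    $actual   = $AdapterName.ToUpperInvariant()
    $expected = $BoundaryName.ToUpperInvariant()
    if ($actual.Length   -gt 250) { $actual   = $actual.Substring(0, 250) }
    if ($expected.Length -gt 250) { $expected = $expected.Substring(0, 250) }
    if ($StartsWith) { return $actual.StartsWith($expected) }
    return $actual -eq $expected
}

# Constructed device data checked against constructed boundaries
Get-SubnetId -IPAddress '169.254.10.1' -SubnetMask '255.255.0.0'
Test-IPRangeBoundary -IPAddress '10.1.3.7' -StartAddress '10.1.0.0' -EndAddress '10.1.255.255'
Test-IPRangeBoundary -IPAddress '10.2.0.1' -StartAddress '10.1.0.0' -EndAddress '10.1.255.255'
Test-IPv6PrefixBoundary -IPv6Address '2001:1111:2222:3333::10' -Prefix '2001:1111:2222:3333'
Test-VpnNameBoundary -AdapterName 'ContosoVPN' -BoundaryName 'CONTOSOVPN'
Test-VpnNameBoundary -AdapterName 'Virtual network adapter #19' -BoundaryName 'Virtual network adapter' -StartsWith
```

Feed the script the values that ipconfig, ipconfig /all and nltest /dsgetsite report on a device to check whether a boundary you defined should contain it; a supernet that spans several subnets belongs in Test-IPRangeBoundary, not Get-SubnetId, which matches the page's advice to use an IP address range for supernets.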
Create a boundary
1. In the Configuration Manager console, go to the Administration workspace,
expand Hierarchy Configuration, and select the Boundaries node.
2. On the Home tab of the ribbon, in the Create group, select Create Boundary.
3. On the General tab of the Create Boundary window, specify the following
information:
Type: Select the type of boundary to create. Then specify the additional
information that the type requires. For more information, see Boundary types.
4. Switch to the Boundary Groups tab. If you already have boundary groups in the
site, you can immediately add this new boundary to one or more groups.
Configure a boundary
2. Select the boundary you want to modify. On the Home tab of the ribbon, in the
Properties group, select Properties.
3. In the Properties window for the boundary, on the General tab, you can configure
the following settings:
4. To view the site systems that are associated with this boundary, switch to the Site
Systems tab. You can't change this configuration from the properties of a
boundary.
5. To modify the boundary group membership for this boundary, select the Boundary
Groups tab:
To add this boundary to one or more boundary groups, select Add. Select
one or more boundary groups, and then select OK.
By default, Configuration Manager creates a default site boundary group at each site.
To configure boundary groups, associate boundaries and site system roles to the
boundary group. This configuration helps associate clients to site system servers that are
located near the clients on the network.
To increase the availability of servers to a wider range of network locations, assign the
same boundary and the same server to more than one boundary group.
Note
The state migration point doesn't use fallback relationships. For more
information, see Fallback.
Management points
Note
If you use preferred management points, enable this option for the
hierarchy, not from within the boundary group configuration. For more
information, see Enable use of preferred management points.
One or more site system roles. Clients can always use roles associated with their
current boundary group. Depending on other configurations, they can use roles in
other boundary groups.
For each boundary group you create, you can configure a one-way link to another
boundary group. The link is called a relationship. The boundary groups you link to are
called neighbor boundary groups. A boundary group can have more than one
relationship, each with a specific neighbor boundary group.
When a client fails to find an available site system in its current boundary group, the
configuration of each relationship determines when it begins to search a neighbor
boundary group. This search of other groups is called fallback.
Fallback
To prevent problems when clients can't find an available site system in their current
boundary group, define the relationship between boundary groups for fallback
behavior. Fallback lets a client expand its search to other boundary groups to find an
available site system.
Relationships are configured on a boundary group properties Relationships tab. When
you configure a relationship, you define a link to a neighbor boundary group. For each
type of supported site system role, configure independent settings for fallback to the
neighbor boundary group. For more information, see Configure fallback behavior.
For example, when you configure a relationship to a specific boundary group, set
fallback for distribution points to occur after 20 minutes. The default is 120 minutes. For
a more detailed example, see Example of using boundary groups.
If a client fails to find an available site system role in its current boundary group, the
client uses the fallback time in minutes. This fallback time determines when the client
begins to search for an available site system associated with the neighbor boundary
group.
When a client can't find an available site system, it begins to search locations from
neighbor boundary groups. This behavior increases the pool of available site systems.
The configuration of boundary groups and their relationships defines the client's use of
this pool of available site systems.
A boundary group can have more than one relationship. With this configuration,
you can configure fallback for each type of site system to different neighbors to
occur after different periods of time.
Clients only fall back to a boundary group that's a direct neighbor of their current
boundary group.
When a client is a member of more than one boundary group, it defines its current
boundary group as a union of all its boundary groups. The client falls back to
neighbors of any of those original boundary groups.
Note
The state migration point role doesn't use fallback relationships. If you add both
the state migration point and distribution point roles to the same site system
server, don't configure fallback on its boundary group. If you need to use boundary
group fallback for the distribution point, add the state migration point role on a
different site system server.
For each boundary group you create, Configuration Manager automatically creates an
implied link to each default site boundary group in the hierarchy.
The implied link is a default fallback option from a current boundary group to the
site's default boundary group. The default fallback time is 120 minutes.
For clients not in a boundary associated with any boundary group: to identify valid
site system roles, use the default site boundary group from their assigned site.
Open the properties of the site default boundary group, and change the values on
the Default Behavior tab. Changes you make here apply to all implied links to this
boundary group. When you configure an explicit link to this default site boundary
group from another boundary group, you override these default settings.
Open the properties of a custom boundary group. Change the values for the
explicit link to a default site boundary group. When you set a new time in minutes
for fallback or block fallback, that change affects only the link you're configuring.
Configuration of the explicit link overrides the settings on the Default Behavior tab
of a default site boundary group.
Site assignment
You can configure each boundary group with an assigned site for clients.
A newly installed client that uses automatic site assignment joins the assigned site
of a boundary group that contains the client's current network location.
After assigning to a site, a client doesn't change its site assignment when it
changes its network location. For example, a client roams to a new network
location. This location is a boundary in a boundary group with a different site
assignment. The client's assigned site doesn't change.
When Active Directory System Discovery discovers a new resource, the site
evaluates network information for the resource against the boundaries in
boundary groups. This process associates the new resource with an assigned site
for use by the client push installation method.
When a boundary is a member of more than one boundary group and those groups have
different assigned sites, clients randomly select one of the sites.
Changes to a boundary group's assigned site only apply to new site assignment
actions. Clients that were previously assigned to a site don't reevaluate their site
assignment based on changes to the configuration of a boundary group (or to
their own network location).
For more information about client site assignment, see Using automatic site assignment
for computers.
For more information on how to configure site assignment, see the following
procedures:
You can add options via PowerShell to include and prefer cloud management gateway
(CMG) management points for the default site boundary group. When a site is set up,
there's a default site boundary group created for each site and all the clients are by
default mapped to it until they're assigned to some custom boundary group.
Currently on the admin console, you can add references to default site boundary group,
but the added references don't have any effect when the client requests for
management point list. Starting with technical preview version 2206, you can use
PowerShell cmdlets to include and prefer cloud-based sources for clients in the default
site boundary group. This action is currently only for the management point role.
Note
You can't currently configure this behavior from the Configuration Manager
console. For more information on configuring this behavior with PowerShell, see
the cmdlet details in the following section.
Set-CMDefaultBoundaryGroup
Use this cmdlet to modify the properties of a default site boundary group. You can set
the options to include and prefer the cloud-based sources for the clients in default site
boundary group.
Syntax
PowerShell
Examples
PowerShell
Parameters
IncludeCloudBasedSources: Used to specify whether admin wants to include the
cloud-based sources in the management point list for the clients in default site
boundary group.
Note
You can only set this option to true if the parameter IncludeCloudBasedSources is
set to true or was already set to true by admin.
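An added example of using this cmdlet (not the documentation's own syntax or example block): it enables both options on a site's default boundary group. The site code PS1 is a placeholder; the -SiteCode and -PreferCloudBasedSources parameters are taken from the cmdlet's reference documentation rather than from this page, which names only IncludeCloudBasedSources. Include is set first because Prefer is only accepted once Include is true.

```powershell
# Added example, not the product documentation's own sample.
# "PS1" is a constructed placeholder site code; -SiteCode and -PreferCloudBasedSources
# are assumed from the cmdlet reference, which this page doesn't reproduce.

# Load the Configuration Manager module from the console installation and switch to the site drive
Import-Module ($env:SMS_ADMIN_UI_PATH.Substring(0, $env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
Set-Location 'PS1:'

# Step 1: include cloud-based sources in the management point list for clients
# that are still in the default site boundary group
Set-CMDefaultBoundaryGroup -SiteCode 'PS1' -IncludeCloudBasedSources $true

# Step 2: only now can those clients be told to prefer the cloud-based sources
Set-CMDefaultBoundaryGroup -SiteCode 'PS1' -PreferCloudBasedSources $true
```

Run it in a console session on an account with rights to modify the site; because the option only affects the management point role, clients in the default site boundary group continue to locate content through the normal boundary group rules.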
Next steps
Boundary group options
To give you more control over policy and content distribution in your environment,
boundary groups include several options to configure behaviors. These settings
primarily apply to downloading content from peer sources. There's also a setting for
clients to prefer policy and content from cloud-based sources.
For more information on how to configure these settings, see Configure a boundary
group.
If a device is in more than one boundary group, the following behaviors apply for these
settings:
Allow peer downloads in this boundary group: If it's disabled in any one
boundary group, the client won't use delivery optimization.
During peer downloads, only use peers within the same subnet: If it's enabled
in any one boundary group, this setting takes effect.
Prefer distribution points over peers within the same subnet: If it's enabled in
any one boundary group, this setting takes effect.
Prefer cloud based sources over on-premises sources: If it's enabled in any one
boundary group, this setting takes effect.
There are two common scenarios in which you should consider disabling this option:
If you use a single, large boundary group for site assignment that doesn't
reference any distribution points.
Important
If a device is in more than one boundary group, make sure to enable this setting on
all boundary groups for the device. Otherwise the client won't use delivery
optimization. For example, it doesn't set the DOGroupID registry key.
Your boundary group design for content distribution includes one large boundary
group that overlaps other smaller boundary groups. With this new setting, the list
of content sources that the management point provides to clients only includes
peer sources from the same subnet.
You have a single large boundary group for all remote office locations. Enable this
option and clients only share content within the subnet at the remote office
location, instead of risking sharing content between locations.
Depending on the configuration of your network, you can exclude certain subnets for
matching. For example, you want to include a boundary but exclude a specific VPN
subnet. By default, Configuration Manager excludes the default Teredo subnet
(2001:0000:%).
Note
When you expand a stand-alone primary site to add a central administration site
(CAS), the subnet exclusion list reverts to the default. To work around this issue,
after site expansion, run the PowerShell script to customize the subnet exclusion list
on the CAS.
Import your subnet exclusion list as a comma-separated subnet string. Use the percent
sign (%) as a wildcard character. On the top-level site server, set or read the
SubnetExclusionList embedded property for the SMS_HIERARCHY_MANAGER
component in the SMS_SCI_Component class. For more information, see
SMS_SCI_Component server WMI class.
Sample PowerShell script to update the subnet exclusion list
The following script is a sample way of changing this value. Append your subnets to the
PropertyValue variable after 2001:0000:%,172.16.16.0. It's a comma-separated string.
Run this script on the top-level site server in your hierarchy.
PowerShell
$PropertyValue = "2001:0000:%,172.16.16.0"
$PropertyName = "SubnetExclusionList"
# Locate the SMS Provider; the query can return an array when a site has more than one provider
$providerMachine = Get-WmiObject -Namespace "root\sms" -Class "SMS_ProviderLocation"
if ($providerMachine -is [System.Array]) { $providerMachine = $providerMachine[0] }
$SiteCode = $providerMachine.SiteCode
# Fetch the SMS_HIERARCHY_MANAGER component of the top-level site (the site with no parent)
$component = Get-WmiObject -Query 'select comp.* from SMS_SCI_Component comp join SMS_SCI_SiteDefinition sdef on sdef.SiteCode=comp.SiteCode where sdef.ParentSiteCode="" and comp.ComponentName="SMS_HIERARCHY_MANAGER"' -ComputerName $providerMachine.Machine -Namespace "root\sms\site_$SiteCode"
$properties = $component.props
foreach ($property in $properties) {
    if ($property.PropertyName -eq $PropertyName) {
        # Replace the embedded property's value with the new exclusion list
        $property.value1 = $PropertyValue
        break
    }
}
$component.props = $properties
$component.put()
Note
By default, Configuration Manager includes the Teredo subnet in this list. When you
change the list, always read the existing value first. Append additional subnets to
the list, and then set the new value.
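As an added example that follows the note's read-first advice (it isn't the product's sample script), the function below reads the current SubnetExclusionList from the same SMS_HIERARCHY_MANAGER component, appends only the subnets that aren't already present, and writes the merged list back. It assumes it runs on the top-level site server with the same WMI namespace and query as the sample script; the subnets in the usage line are constructed.

```powershell
# Added example, not the product's sample script: read-modify-write of the
# SubnetExclusionList so that existing entries (including the Teredo default)
# are preserved. Assumes it runs on the top-level site server.
function Add-SubnetExclusion {
    param([string[]]$Subnets)

    $provider = Get-WmiObject -Namespace 'root\sms' -Class 'SMS_ProviderLocation'
    if ($provider -is [System.Array]) { $provider = $provider[0] }
    $ns = "root\sms\site_$($provider.SiteCode)"

    # Same component query as the sample script: hierarchy manager of the site with no parent
    $query = 'select comp.* from SMS_SCI_Component comp join SMS_SCI_SiteDefinition sdef ' +
             'on sdef.SiteCode=comp.SiteCode where sdef.ParentSiteCode="" ' +
             'and comp.ComponentName="SMS_HIERARCHY_MANAGER"'
    $component = Get-WmiObject -Query $query -ComputerName $provider.Machine -Namespace $ns

    $props  = $component.props
    $merged = @()
    foreach ($p in $props) {
        if ($p.PropertyName -eq 'SubnetExclusionList') {
            # Read the existing comma-separated value first, then merge without duplicates
            $current  = @($p.value1 -split ',' | Where-Object { $_ })
            $merged   = @($current + $Subnets | Select-Object -Unique)
            $p.value1 = ($merged -join ',')
            break
        }
    }

    $component.props = $props
    $component.put() | Out-Null
    return ($merged -join ',')
}

# Constructed usage: the Teredo default stays, 172.16.16.0 is added once even if repeated
Add-SubnetExclusion -Subnets '172.16.16.0', '172.16.16.0', '10.99.0.%'
```

Because the merge is a set union, re-running the function after a site expansion to a CAS restores your custom entries without creating duplicates of the default Teredo subnet.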
Prefer distribution points over peers within the
same subnet
By default, the management point prioritizes peer cache sources at the top of the list of
content locations. This setting reverses that priority for clients that are in the same
subnet as the peer cache source.
Tip
This behavior applies to the Configuration Manager client. It doesn't apply when
the task sequence downloads content. When the task sequence runs, it prefers peer
cache sources over distribution points.
Cloud management gateway (CMG). Clients will prefer the CMG for both policy
and content.
Starting in version 2203, this setting also applies for software update scanning.
To reduce the performance impact of this change, existing clients don't
automatically switch to a cloud-based software update point. For more
information, see Boundary groups and software update points.
Microsoft Update
You can only use Microsoft Update as a source when you enable the following
option in the software update deployment download settings: If software
updates are not available on distribution point in current, neighbor or site
boundary groups, download content from Microsoft Updates.
Next steps
Boundary groups and distribution points
During content deployment, if a client requests content that isn't available from a source
in its current boundary group, the client continues to request that content. The client
tries different content sources in its current boundary group until it reaches the fallback
period for a neighbor or the default site boundary group. If the client still hasn't found
content, it then expands its search for content sources to include the neighbor boundary
groups.
Client installation
The Configuration Manager client installer, ccmsetup, can get installation content from a
local source or via a management point. Its initial behavior depends upon the
command-line parameters you use to install the client:
If you don't use either the /mp or /source parameter, ccmsetup tries to get a list of
management points from Active Directory or DNS.
If you only specify /source, it forces the installation from the specified path. It
doesn't discover management points. If it can't find ccmsetup.cab at the specified
path, ccmsetup fails.
If you specify both /mp and /source, it checks the specified management points,
and any it discovers. If it can't locate a valid management point, it falls back to the
specified source path.
For more information on these ccmsetup parameters, see Client installation parameters
and properties.
When ccmsetup contacts the management point to locate the necessary content, the
management point returns distribution points based on boundary group configuration.
If you define relationships on the boundary group, the management point returns
distribution points in the following order:
Note
The client setup process doesn't use the fallback time. To locate content as quickly
as possible, it immediately falls back to the next boundary group.
Configure this behavior using the following settings on the Distribution Points page of
the task sequence deployment:
When no local distribution point is available, use a remote distribution point: For
this deployment, the task sequence can fall back to distribution points in a
neighbor boundary group.
Allow clients to use distribution points from the default site boundary group: For
this deployment, the task sequence can fall back to distribution points in the
default site boundary group.
To use this new behavior, make sure to update clients to the latest version.
Location priority
The task sequence tries to acquire content in the following order:
Important
Due to the real-time nature of task sequence processing, it doesn't wait for
the failover time on a neighbor boundary group. It uses the failover times for
prioritizing the neighbor boundary groups. For example, if the task sequence
fails to acquire content from a distribution point in its current boundary
group, it immediately tries a distribution point in a neighbor boundary group
with the shortest failover time. If that process fails, it then fails over to a
distribution point in a neighbor boundary group with a larger failover time.
For content like applications and software updates, which are downloaded by
the client and not the task sequence engine, the client behaves as normal. In
other words, if you install applications or software updates from a task
sequence, when the client tries to download the content it will wait for
boundary group failover.
The task sequence log file smsts.log shows the priority of the location sources that it
uses based on the deployment properties.
Next steps
Boundary groups and software update points
Clients use boundary groups to find a new software update point. To control which
servers a client can find, add individual software update points to different boundary
groups.
If you add all existing software update points to the default site boundary group, the
client selects a software update point from the pool of available servers. This behavior is
similar to earlier versions of Configuration Manager current branch. For controlled
selection and fallback behavior, add individual software update points to different
boundary groups.
If you install a new site, software update points aren't added to the default site
boundary group. Assign software update points to a boundary group so that clients can
find and use them.
Fallback
Configure software update point fallback like other site system roles, but with the
following caveats.
Fallback configurations
You can configure Fallback times (in minutes) for software update points to be less than
120 minutes. However, the client still tries to reach its original software update point for
120 minutes. Then it expands its search to other servers. Boundary group fallback times
start when the client first fails to reach its original server. When the client expands its
search, the site provides any boundary groups configured for less than 120 minutes.
To block fallback for a software update point to a neighbor boundary group, configure
the setting to Never fallback.
After failing to reach its original server for two hours, the client then uses a shorter cycle
to establish a connection to a new software update point. This behavior enables the
client to rapidly search through the expanding list of potential software update points.
Example
You configure software update points in boundary group A to fall back after 10 minutes.
You configure the same setting for boundary group B to 130 minutes. A client in
boundary group Z fails to reach its last known-good software update point.
For the next 120 minutes, the client tries to reach only its original server in
boundary group Z. After 10 minutes, Configuration Manager adds the software
update points from boundary group A to the pool of available servers. However,
the client doesn't try to contact them or any other server until the initial 120-
minute period elapses.
After trying to contact the original software update point for 120 minutes, the
client expands its search. It adds servers to the available pool of software update
points that are in its current and any neighbor boundary groups configured for
120 minutes or less. This pool includes the servers in boundary group A, which
were previously added to the pool of available servers.
After 10 more minutes, the client expands the search to include software update
points from boundary group B. This period is 130 minutes of total time after the
client first failed to reach its last known-good software update point.
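To make the two phases of this example concrete, the following added PowerShell (not from the page) computes when the software update points of each neighbor boundary group become usable by a client: a neighbor configured for fewer than 120 minutes only becomes usable once the initial 120-minute window on the original server ends, a neighbor configured for more than 120 minutes becomes usable at its configured time, and Never fallback excludes it. The configuration in the usage line is constructed to match boundary groups A and B above, plus a blocked neighbor C that isn't part of the page's example.

```powershell
# Added example (not from the page): when does each neighbor boundary group's
# software update point join the client's candidate pool?
function Get-SupFallbackTimeline {
    # $NeighborFallbackMinutes maps a boundary group name to its configured
    # fallback time in minutes, or the string 'Never' for "Never fallback"
    param([hashtable]$NeighborFallbackMinutes)

    $initialWindow = 120   # minutes the client keeps trying its original SUP

    $rows = foreach ($group in $NeighborFallbackMinutes.Keys) {
        $setting = $NeighborFallbackMinutes[$group]
        if ("$setting" -eq 'Never') {
            # Blocked link: the neighbor's SUPs never enter the pool
            [pscustomobject]@{ Group = $group; FallbackSetting = 'Never'; UsableAfterMinutes = $null }
        } else {
            # Fallback time counts from the first failure, but the client doesn't
            # contact anything new until the 120-minute window has elapsed
            $minutes = [int]$setting
            [pscustomobject]@{
                Group              = $group
                FallbackSetting    = $minutes
                UsableAfterMinutes = [Math]::Max($minutes, $initialWindow)
            }
        }
    }

    # Earliest-usable first; blocked neighbors sort last
    return $rows | Sort-Object {
        if ($null -eq $_.UsableAfterMinutes) { [int]::MaxValue } else { $_.UsableAfterMinutes }
    }
}

# Constructed configuration: A = 10 minutes, B = 130 minutes, C = Never fallback
Get-SupFallbackTimeline -NeighborFallbackMinutes @{ A = 10; B = 130; C = 'Never' } | Format-Table
```

For the page's example the table shows A usable at 120 minutes (not 10) and B at 130 minutes, which is why the client only reaches B ten minutes after it first expands its search.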
When you switch to a new server, the devices use fallback to find that new server.
Clients switch to the new software update point during their next software updates scan
cycle.
Review your boundary group configurations. Before you start this change, make sure
that your software update points are in the correct boundary groups.
For more information, see Manually switch clients to a new software update point.
When an internet machine connects to the VPN, it will continue to scan against the
CMG software update point over the internet.
If the only software update point for the boundary group is the CMG software
update point, then all intranet and internet devices will scan against it.
Starting in version 2203, clients prefer to scan against a cloud management gateway
(CMG) software update point (SUP) over an on-premises SUP when the boundary group
uses the Prefer cloud based source over on-premises source option. To reduce the
performance impact of this change, clients don't automatically switch their SUP to a
cloud-based SUP. The client will stay assigned to their current SUP unless their current
SUP fails or the client is manually switched to a new SUP. You won't need to manually
switch the SUP for any new clients added to the environment after the boundary group
option is set.
Use the following high-level guidance to set your clients to prefer a cloud-based
software update point:
6. To verify that clients prefer the CMG SUP, start a software update scan cycle on
some of the clients that you switched.
Next steps
Boundary groups and management points
Configure fallback relationships for management points between boundary groups. This
behavior provides greater control for the management points that clients use. On the
Relationships tab of the boundary group properties, there's a column for management
point. When you add a new fallback boundary group, the fallback time for the
management point is currently always zero (0). This behavior is the same for the Default
Behavior on the site default boundary group.
Previously, a common problem occurred when you had a protected management point
in a secure network. Clients on the main network received policy that included this
protected management point, even though they couldn't communicate with it across a
firewall. To address this problem now, use the Never fallback option to make sure that
clients only fall back to management points with which they can communicate.
Note
If you enable distribution points in the site default boundary group to fallback, and
a management point is collocated on a distribution point, the site also adds that
management point to the site default boundary group.
If a client is in a boundary group with no assigned management point, the site gives the
client the entire list of management points. This behavior makes sure that a client always
receives a list of management points.
Tip
If you enable the option to Prefer cloud-based sources over on-premises sources,
then clients will prefer a cloud management gateway (CMG) for both policy and
content.
Management point boundary group fallback doesn't change the behavior during client
installation (ccmsetup.exe). If the command line doesn't specify the initial management
point using the /MP parameter, the new client receives the full list of available
management points. For its initial bootstrap process, the client uses the first
management point it can access. Once the client registers with the site, it receives the
management point list properly sorted with this new behavior.
For more information on the client's behavior to acquire content during installation, see
Client installation.
During client upgrade, if you don't specify the /MP command-line parameter, the client
queries sources such as Active Directory and WMI for any available management point.
Client upgrade doesn't honor the boundary group configuration.
For clients to use this capability, enable the following setting: Clients prefer to use
management points specified in boundary groups in Hierarchy Settings.
Troubleshoot
New entries appear in the LocationServices.log. The Locality attribute identifies one of
the following states:
0: Unknown
1: The specified management point is only in the site default boundary group for
fallback.
Clients use local management points first (locality 3), remote second (locality 2), then
fallback (locality 1).
When a client receives five errors in 10 minutes and fails to communicate with a
management point in its current boundary group, it tries to contact a management
point in a neighbor or the site default boundary group. If the management point in the
current boundary group later comes back online, the client returns to the local
management point on the next refresh cycle. The refresh cycle is 24 hours, or when the
Configuration Manager agent service restarts.
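The ordering and the error-count trigger above, as an added Python model (not code from the Configuration Manager documentation or product). It assumes the errors are counted against the management point in the client's current boundary group; the management point names and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Locality values as the text describes them for LocationServices.log entries.
LOCALITY_LABELS = {3: "local", 2: "remote", 1: "fallback", 0: "unknown"}

ERROR_THRESHOLD = 5                   # five errors ...
ERROR_WINDOW = timedelta(minutes=10)  # ... within 10 minutes triggers fallback


def order_management_points(mps):
    """Order MPs the way clients use them: local (3), remote (2), fallback (1), unknown (0)."""
    return sorted(mps, key=lambda mp: -mp["locality"])


def should_fall_back(error_times, now):
    """True when at least five errors occurred in the 10 minutes ending at `now`."""
    recent = [t for t in error_times if now - ERROR_WINDOW <= t <= now]
    return len(recent) >= ERROR_THRESHOLD


def choose_management_point(mps, error_times, now):
    """Return the MP the client targets: the local MP while it is healthy, otherwise
    the first MP outside the current boundary group (neighbor, then site default).
    Assumption (not stated on the page): errors are all against the local MP."""
    ordered = order_management_points(mps)
    if not should_fall_back(error_times, now):
        return ordered[0]
    for mp in ordered:
        if mp["locality"] < 3:
            return mp
    return ordered[0]  # nothing else to try; keep retrying the local MP


def errors_minutes_ago(now, minutes):
    """Build constructed error timestamps relative to `now` (sample data only)."""
    return [now - timedelta(minutes=m) for m in minutes]


# Constructed sample data: not real servers or real log entries.
SAMPLE_MPS = [
    {"name": "MP-REMOTE", "locality": 2},
    {"name": "MP-FALLBACK", "locality": 1},
    {"name": "MP-LOCAL", "locality": 3},
]
SAMPLE_NOW = datetime(2023, 3, 2, 9, 0, 0)

if __name__ == "__main__":
    print([mp["name"] for mp in order_management_points(SAMPLE_MPS)])
    four = errors_minutes_ago(SAMPLE_NOW, (1, 2, 3, 5))
    five = errors_minutes_ago(SAMPLE_NOW, (1, 2, 3, 5, 8))
    print(choose_management_point(SAMPLE_MPS, four, SAMPLE_NOW)["name"])  # MP-LOCAL
    print(choose_management_point(SAMPLE_MPS, five, SAMPLE_NOW)["name"])  # MP-REMOTE
```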
Note
When you enable Clients prefer to use management points specified in boundary
groups, Configuration Manager uses the boundary group functionality for the
assigned management point.
A client tries to use a preferred management point from its assigned site before
using one not configured as preferred from its assigned site.
To use this option, enable Clients prefer to use management points specified in
boundary groups in Hierarchy Settings. Then configure boundary groups at
individual primary sites. Include the management points that should be associated
with that boundary group's associated boundaries. For more information, see
Enable use of preferred management points.
When you configure preferred management points, and a client organizes its list of
management points, the client places the preferred management points at the top
of its list. This list includes all management points from the client's assigned site.
Note
Client roaming means it changes its network locations. For example, when a laptop
travels to a remote office location. When a client roams, it might use a
management point from the local site before attempting to use a server from its
assigned site. This list of servers from its assigned site includes the preferred
management points. For more information, see Understand how clients find site
resources and services.
Next steps
Example of using boundary groups
The following example uses a client searching for content from a distribution point. This
example can be applied to other site system roles that use boundary groups.
Create three boundary groups that don't share boundaries or site system servers:
Add the network locations of your clients as boundaries to only the BG_A boundary
group. Then configure relationships from that boundary group to the other two
boundary groups:
Configure distribution points for the first neighbor group (BG_B) to be used after
10 minutes. This group contains distribution points DP_B1 and DP_B2. Both are
well connected to the first group's boundary locations.
Configure the second neighbor group (BG_C) to be used after 20 minutes. This
group contains distribution points DP_C1 and DP_C2. Both are across a WAN from
the other two boundary groups.
Also add to the default site boundary group another distribution point that's on
the site server. This server is your least preferred content source location, but it's
centrally located to all your boundary groups.
The client begins searching for content from distribution points in its current
boundary group (BG_A). It searches each distribution point for two minutes, and
then switches to the next distribution point in the boundary group. The client's
pool of valid content source locations includes DP_A1 and DP_A2.
If the client fails to find content from its current boundary group after searching for
10 minutes, it then adds the distribution points from the BG_B boundary group to
its search. It then continues to search for content from a distribution point in its
combined pool of servers. This pool now includes servers from both the BG_A and
BG_B boundary groups. The client continues to contact each distribution point for
two minutes, and then switches to the next server in its pool. The client's pool of
valid content source locations includes DP_A1, DP_A2, DP_B1, and DP_B2.
After another 10 minutes (20 minutes total), if the client still hasn't found a
distribution point with content, it expands its pool to include available servers from
the second neighbor group, boundary group BG_C. The client now has six
distribution points to search: DP_A1, DP_A2, DP_B1, DP_B2, DP_C1, and DP_C2. It
continues changing to a new distribution point every two minutes until it finds
content.
If the client hasn't found content after a total of 120 minutes, it falls back to
include the default site boundary group as part of its continued search. Now the
pool includes all distribution points from the three configured boundary groups,
and the final distribution point located on the site server. The client then continues
its search for content, changing distribution points every two minutes until content
is found.
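The search walk described above, as an added Python model (not code from the Configuration Manager documentation or product). It assumes the client keeps one ordered pool, appends a boundary group's distribution points once that group's fallback time elapses, and moves to the next server in the pool every two minutes, wrapping around; the group names, fallback times and distribution point names are the ones used in this example.

```python
# Added example, not from the Configuration Manager documentation: a model of the
# content-source fallback walk described in the text.
DP_SWITCH_MINUTES = 2  # the client tries each distribution point for two minutes

# Constructed layout matching the example: (boundary group, minutes after which its
# distribution points join the pool, distribution points). BG_A is the client's
# current group, so its fallback time is 0; the default site group joins at 120.
BOUNDARY_GROUPS = [
    ("BG_A", 0, ["DP_A1", "DP_A2"]),
    ("BG_B", 10, ["DP_B1", "DP_B2"]),
    ("BG_C", 20, ["DP_C1", "DP_C2"]),
    ("Default site boundary group", 120, ["DP_SiteServer"]),
]


def pool_at(minute, groups=BOUNDARY_GROUPS):
    """Distribution points the client may use `minute` minutes into its search."""
    pool = []
    for _name, fallback_after, dps in groups:
        if minute >= fallback_after:
            pool.extend(dps)
    return pool


def search_order(total_minutes, groups=BOUNDARY_GROUPS):
    """(minute, distribution point) pairs, one per two-minute attempt.
    Assumption: the client walks its pool in order and wraps around, and an
    expanded pool is picked up at the next switch."""
    attempts = []
    for slot, minute in enumerate(range(0, total_minutes, DP_SWITCH_MINUTES)):
        pool = pool_at(minute, groups)
        attempts.append((minute, pool[slot % len(pool)]))
    return attempts


def find_content(dps_with_content, max_minutes=130, groups=BOUNDARY_GROUPS):
    """Simulate the search; return (minute, dp) of the first hit, or None."""
    for minute, dp in search_order(max_minutes, groups):
        if dp in dps_with_content:
            return minute, dp
    return None


if __name__ == "__main__":
    for minute in (0, 10, 20, 120):
        print(f"t={minute:>3} min pool={pool_at(minute)}")
    # Content only on the WAN-remote DP_C1: not reachable until BG_C joins at 20 minutes
    print(find_content({"DP_C1"}))
```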
Next steps
Procedures for boundary groups
How to configure boundary groups for
Configuration Manager
Article • 10/04/2022
This article includes procedures on how to view and configure boundary groups. Before
you begin, make sure you understand boundary group concepts. For more information,
see Boundary groups.
The data updates when the client makes a location request to the site, or at most
every 24 hours.
If a client is roaming and not a member of a boundary group, the value is blank.
Note
This information is site data and only available on primary sites. You won't see a
value for this column when you connect the Configuration Manager console to a central
administration site (CAS). For more information, see Types of data.
2. On the Home tab, in the Create group, select Create Boundary Group.
3. In the Create Boundary Group dialog box, on the General tab, specify a Name for
this boundary group. Optionally include a Description.
4. Select OK to save the new boundary group, or continue to the next section to
configure the boundary group.
2. Select the boundary group you want to modify, and select Properties in the
ribbon. This action opens the boundary group Properties window.
To add boundaries, select Add. In the Add Boundaries window, select the check
box for one or more boundaries, and select OK.
To remove boundaries, select the boundary in the list, and select Remove.
To enable this boundary group for use by clients for site assignment, select Use
this boundary group for site assignment. Then select a site from the Assigned site
dropdown list. For more information, see Site assignment.
To associate available site system servers with this boundary group, select Add. The
Add Site Systems window only lists servers that have supported site system roles.
Select the check box for one or more servers, and select OK. It adds them as
associated site system servers for this boundary group.
Note
You can select any combination of available site systems from any site in the
hierarchy. Selected site systems are listed on the Site Systems tab in the
properties of each boundary that's a member of this boundary group.
To remove a server from this boundary group, select the server and then select
Remove.
Note
To stop use of this boundary group for associating site systems, remove all
servers listed as associated site system servers.
Select Add. In the Fallback Boundary Groups window, select the boundary
group to configure.
Distribution point
Management point
Note
For example, you open the Properties window for the Branch Office
boundary group. In the Fallback Boundary Groups window, you select
the Main Office boundary group. You set the distribution point fallback
time to 20. When you save this configuration, clients in the Branch
Office boundary group will start searching for content from the
distribution points in the Main Office boundary group after 20 minutes.
To prevent fallback to a specific boundary group, select the boundary group,
and then select Never fallback for the type of site system role. This action can
include the default site boundary group.
To remove a relationship, select the boundary group in the list, and select Remove.
Allow peer downloads in this boundary group: This option is enabled by default.
The management point provides clients a list of content locations that includes
peer sources.
During peer downloads, only use peers within the same subnet: This setting is
dependent upon the one above. If you enable this option, the management
point only includes in the content location list peer sources that are in the same
subnet as the client.
Prefer distribution points over peers within the same subnet: By default, the
management point prioritizes peer cache sources at the top of the list of
content locations. This setting reverses that priority for clients in the same
subnet as a peer cache source.
Note
Starting in version 2203, this setting also applies for software update
scanning. To reduce the performance impact of this change, existing clients
don't automatically switch to a cloud-based software update point. For more
information, see Boundary groups and software update points.
Configure a fallback site for automatic site
assignment
If clients aren't in a boundary group with an assigned site, assign them to this site when
they're installed.
2. On the Home tab of the ribbon, in the Sites group, select Hierarchy Settings.
3. On the General tab, select the checkbox to Use a fallback site. Then select a site
from the Fallback site drop-down list.
2. On the Home tab of the ribbon, in the Sites group, select Hierarchy Settings.
3. On the General tab, select Clients prefer to use management points specified in
boundary groups.
This article describes how to deploy Configuration Manager using options that maintain
a high level of available service.
Configure any central administration or primary site with an additional site server
in passive mode.
Configure a SQL Server Always On availability group for the site database at
primary sites and the central administration site.
Sites support multiple instances of site system roles that provide important
services to clients. For example, management points and distribution points.
Central administration sites and primary sites support the backup of the site
database. The site database stores all the configurations for sites and clients. The
sites in a hierarchy share this configuration data.
Built-in site recovery options can reduce server downtime. These advanced options
simplify recovery when you have a hierarchy with a central administration site.
Sites generate alerts about clients that fail to submit recent data, which alerts
administrators to potential problems.
Configuration Manager includes several features that provide near real-time service. If
these features are critical to meet your business requirements, plan and configure your
sites and hierarchies for high availability. For example:
Scripts
CMPivot
Other features of Configuration Manager don't provide real-time service. These features
include, but aren't limited to, client settings, hardware and software inventory, software
deployments, and compliance settings. Expect them to operate with some data latency.
It's unusual for most scenarios that involve a temporary interruption of service to
become a critical problem. To minimize downtime, maintain autonomy of operations,
and provide a high level of service, configure your sites and hierarchies with high
availability in mind.
When clients can't contact the site, they cache data to be submitted until they can
contact the site.
Clients that can't contact the site continue to operate. They use the last known
schedules and cached information, until they can contact the site and receive new
policies. For example, a client may keep a previously downloaded application that
they must run or install.
The site monitors its site systems and clients for periodic status updates. It can
generate alerts when these components fail to register.
Host the site database at primary sites and the central administration site in an
availability group. For more information, see Prepare to use a SQL Server Always
On availability group.
Use a failover cluster instance for the database at a central administration site or
primary site. For more information, see Use a SQL Server Always On failover cluster
instance.
Secondary sites can't use SQL Server Always On, and don't support backup or
restoration of their site database. Recover a secondary site by reinstalling the secondary
site from its parent primary site.
Management point
To provide redundancy for reporting on sites and clients, install multiple instances of the
reporting services point.
Failover support for a software update point in a network load balancing (NLB) cluster
was deprecated in version 1702. For more information, see Removed and deprecated
features. To provide redundancy for software update points, use software update point
switching. This allows clients to connect to a new software update point server if one
fails or becomes unavailable. For more information, see Software update point switching.
Built-in site backup
Configuration Manager includes a built-in backup task to help you back up your site and
critical information on a regular schedule. Additionally, the Configuration Manager
setup wizard supports site restoration actions to help you restore a site to operations.
Reconnect the console to the site. Each new connection request is randomly
assigned an instance of the SMS Provider. It's possible that the new connection is
assigned an available instance.
Connect the console to a different Configuration Manager site and manage the
configuration from that connection. This option introduces a slight delay of
configuration changes of no more than a few minutes. After the SMS Provider for
the site is online, reconnect your Configuration Manager console directly to the
site that you want to manage.
Management point
Install multiple management points at each primary site, and enable the sites to publish
site data to your Active Directory infrastructure, and to DNS.
Multiple management points help to load-balance the use of any single management
point by multiple clients. Also consider installing one or more database replicas for
management points. This configuration decreases the processor-intensive operations of
the management point. It also increases the availability of this critical site system role.
Secondary sites only support installation of one management point, which must be
located on the secondary site server. Management points at secondary sites aren't
considered to have a highly available configuration.
Note
If the management point that a mobile device client uses becomes unavailable, you
must resolve the problem with that management point or wipe the mobile device
and re-enroll the mobile device so that it can be assigned to an operational
management point that is enabled for mobile devices.
Distribution point
Install multiple distribution points, and deploy content to multiple distribution points.
Add more than one distribution point per boundary group to make sure clients get
several options in their content request. Configure boundary group relationships so that
they have a predictable fallback behavior to another boundary group or content-enabled
cloud management gateway. For more information, see Configure boundary groups.
Clients don't require continuous contact with any specific site system servers. They
use known configurations to perform preconfigured actions on a schedule.
Clients can use any available instance of a site system role that provides services to
clients. They attempt to contact known servers until they locate an available server.
Clients can run inventory, software deployments, and similar scheduled actions
independent of direct contact with site system servers.
Clients that are configured to use a fallback status point can submit details to the
fallback status point when they can't communicate with a management point.
Periodically, clients self-evaluate their status. They take action to remediate typical
problems by using a local cache of remediation steps and source files for repairs.
When a client fails to submit status information to its site, the site can generate an
alert. Administrative users that receive these alerts can take immediate action to
restore the normal operation of the client.
Client settings
Client schedules
When a client can't contact a management point, the clients locally cache the status,
state, and client information they report to the site. The client transfers this data after it
establishes contact with a management point.
The client source files on a computer can be uninstalled and reinstalled without
affecting the historical records for the computer where the client is installed.
Failure of a client computer doesn't affect the integrity of the information that's
stored in the database. This information can remain available for reporting.
Important
This site system role isn't considered mission critical and provides optional functionality
in Configuration Manager. If this site system goes offline, use one of the following
options:
Uninstall the role from the current server, and install the role on a new server.
When you have more than one enrollment proxy server in a site, use a DNS alias for the
server name. When you use this configuration, DNS round robin provides some fault
tolerance and load balancing for when users enroll their mobile devices.
Uninstall the role from the current server, and install the role on a new server.
Because clients are assigned the fallback status point during client installation, you
need to modify existing clients to use the new site system server.
Uninstall the role from the current server, and install the role on a new server.
See also
Supported configurations
Recommended hardware
Historically, you could add redundancy to most of the roles in Configuration Manager
by having multiple instances of these roles in your environment, except for the site
server itself. High availability for the site server role is a Configuration Manager-based
solution to install another site server in passive mode. The central administration site
(CAS) and child primary sites can have another site server in passive mode. The site
server in passive mode can be on-premises or cloud-based in Azure.
The site server in passive mode is in addition to your existing site server that is in active
mode. A site server in passive mode is available for immediate use, when needed.
Include this other site server as part of your overall design for making the Configuration
Manager service highly available.
Uses the same site database as your site server in active mode.
Doesn't write data to the site database when it's in passive mode.
Uses the same content library as your site server in active mode.
To make the site server in passive mode become active, you manually promote it. This
action switches the site server in active mode to be the site server in passive mode. The
site system roles that are available on the original active mode server remain available
so long as that computer is accessible. Only the site server role is switched between
active and passive modes.
Microsoft Core Services Engineering and Operations used this feature to migrate their
CAS to Microsoft Azure. For more information, see the Microsoft IT Showcase article.
Supported configurations
Configuration Manager supports site servers in passive mode in a hierarchy. The
CAS and child primary sites can have another site server in passive mode.
Prerequisites
Active Directory
Both site servers must be joined to the same Active Directory domain.
If you've extended the Active Directory schema for Configuration Manager, both
site servers need Full Control permissions to Active Directory's System - System
Management container and all descendant objects.
Don't host the service connection point role on either site server configured for
high availability. If it's currently on the original site server, remove it, and install it
on another site system server. For more information, see About the service
connection point.
Note
Make sure to install the SQL Server Native Client. If you don't install it, the
prerequisite checker during Configuration Manager setup will report an error
about missing SQL Server permissions.
Must have its computer account in the local Administrators group on the site
server in active mode.
Must install using source files that match the version of the site server in active
mode.
Can't have a site system role from any site installed on it before you install the site
server in passive mode role.
Make sure the computer account for the site server in passive mode has the same
permissions as the site server in active mode. For example, it may need permission
to content source files, such as boot image source directories.
The more secure and recommended configuration is to use a service account for
installing the site system. The most secure configuration is to use a local service account.
If your environment uses this configuration, no change is needed.
For more information, see Site system installation account and Elevated permissions.
Content library
The site content library must be on a remote network share. Both site servers need Full
Control permissions to the share and its contents. For more information, see Configure
a remote content library for the site server.
The site server computer account needs Full control permissions to the network
path to which you're moving the content library. This permission applies to both
the share and the file system. No components are installed on the remote system.
The site server can't have the distribution point role. The distribution point also
uses the content library, and this role doesn't support a remote content library.
After moving the content library, you can't add the distribution point role to the
site server.
Site database
Both site servers must use the same site database.
The database can be remote from each site server. The Configuration Manager
setup process doesn't block installation of the site server role on a computer with
the Windows role for Failover Clustering. SQL Server Always On availability groups
require this role, so previously you couldn't colocate the site database on the site
server. With this change, you can create a highly available site with fewer servers
by using an availability group and a site server in passive mode. Only an active
server can be installed to a node in an Always On availability group. Passive servers
must be installed to standalone servers that do not have any existing site roles on
them.
The SQL Server that hosts the site database can use a default instance, named
instance, failover cluster instance, or an availability group.
Both site servers need the sysadmin security role on the instance of SQL Server
that hosts the site database. The original site server should already have these
roles, so add them for the new site server. For example, the following SQL script
adds these roles for the new site server VM2 in the Contoso domain:
SQL
USE [master]
GO
-- Create a Windows login for the computer account of the new site server (VM2 in the Contoso domain)
CREATE LOGIN [CONTOSO\VM2$] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]
GO
-- Add that login to the sysadmin server role
ALTER SERVER ROLE [sysadmin] ADD MEMBER [CONTOSO\VM2$]
GO
Both site servers need access to the site database on the instance of SQL Server.
The original site server should already have this access, so add it for the new site
server. For example, the following SQL script adds a login to the CM_ABC database
for the new site server VM2 in the Contoso domain:
SQL
USE [CM_ABC]
GO
-- Map the new site server's login to a user in the site database
CREATE USER [CONTOSO\VM2$] FOR LOGIN [CONTOSO\VM2$]
GO
The site server in passive mode is configured to use the same site database as the
site server in active mode. The site server in passive mode only reads from the
database. It doesn't write to the database until after it's promoted to active mode.
Limitations
Only a single site server in passive mode is supported at each site.
Passive site servers cannot be installed to nodes in the Always On availability group
hosting the Configuration Manager database and must be installed on standalone
servers. Moving a passive site server into the Always On availability group after
installation is not currently supported.
Note
Secondary sites are still supported under a primary site with highly available
site servers.
Promotion of the site server in passive mode to active mode is manual. There's no
automatic failover.
Site system roles can't be installed on the new server before you add the site
server in passive mode.
Note
After it installs the site server in passive mode, you can add additional roles as
necessary. For example, a management point at a primary site.
For roles like the reporting point that use a database, host the database on a
server that's remote from both site servers.
The Configuration Manager console doesn't automatically install on the site server
in passive mode.
2. On the General page of the Create Site System Server Wizard, specify the server to
host the site server in passive mode. The server you specify can't host any site
system roles before installing a site server in passive mode.
3. On the System Role Selection page, select only Site server in passive mode.
Note
The wizard performs the following initial prerequisite checks on this page:
If these initial prerequisite checks fail, you can't continue past this page of
the wizard.
4. On the Site Server In Passive Mode page, provide the following information that's
used to run setup and install the site server role on the specified server:
Copy installation source files over the network from the site server in
active mode: This option creates a compressed package and sends it to
the new site server.
Use the source files at the following location on the site server in passive
mode: For example, a local path to which you already copied the source
files. Make sure this content is the same version as the site server in active
mode.
5. Complete the wizard. Configuration Manager then installs the site server in passive
mode on the specified server.
For detailed installation status, in the console go to the Monitoring workspace, and
select the Site Server Status node. The state for the site server in passive mode displays
as Installing. For more detailed information, select the server and select Show Status.
This action opens the Site Server Installation Status window. When the process is
complete, the state shows OK for both servers.
For more information on the setup process, see Flowchart - Set up a site server in
passive mode.
After you add a site server in passive mode, you can see both site servers on the Nodes tab in
the Sites node of the console.
All Configuration Manager site server components are in standby on the site server in
passive mode. The Windows services are still running.
Practice a planned promotion, where both site servers are online. Also practice an
unplanned failover, by forcibly disconnecting or shutting down the site server in
active mode.
Check the overall status of the site and site components. Make sure everything
is healthy as normal for your environment.
Check content status for any packages actively replicating between sites.
Reduce or remove other scheduled activities at the same time. For example,
don't plan to promote a site server immediately after updating the site to a new
version. Site update includes other tasks that can potentially conflict with the
site server promotion.
Tip
Here's an example of how other activities can conflict with site server
promotion:
Monday: Update the site to the latest version. Enable automatic client
upgrade with client piloting.
Tuesday: Promote the site server in passive mode to be the active site
server.
If you enable the pre-production client, review the known issue with site server
high availability. For more information, see Pre-production client and site server
high availability.
Important
If all instances of the SMS Provider are offline, you can't connect to the site as no
provider is available. When you add the site server in passive mode, setup installs
an instance of the SMS Provider on this server.
The Configuration Manager console requests the list of available SMS Providers
from WMI on the site server. When you install multiple SMS Providers at a site, the
site randomly assigns each new connection request to use an installed SMS
Provider. You can't specify the SMS Provider location to use with a specific
connection session. If your console is unable to connect to the site because the
current site server is offline, specify the other site server in the Site Connection
window.
2. Refresh the console node. The Status column for the server you're promoting
displays in the Nodes tab as Promoting.
3. After the promotion is complete, the Status column shows OK for both the new
site server in active mode, and for the new site server in passive mode. The Server
Name column for the site now displays the name of the new site server in active
mode.
For detailed status, go to the Monitoring workspace, and select the Site Server Status
node. The Mode column identifies which server is Active or Passive. When you promote
a server from passive mode to active mode, select the site server that you're promoting
to active, and then choose Show Status from the ribbon. This action opens the Site
Server Promotion Status window that displays more details about the process.
When a site server in active mode switches over to passive mode, only the site server
role is made passive. All other site system roles that are installed on that computer
remain active and accessible to clients.
For more information on the planned promotion process, see Flowchart - Promote site
server (planned).
Unplanned failover
If the current site server in active mode is offline, the site server being promoted tries to
contact it for 30 minutes. If the offline server comes back within that time, it's notified
and the change proceeds gracefully. Otherwise, the server being promoted forcibly
updates the site configuration to make itself active. If the offline server comes back after
this time, it first checks the current state in the site database and then demotes itself to
the site server in passive mode.
During this 30-minute waiting period, the site has no site server in active mode. Clients
still communicate with client-facing roles such as management points, software update
points, and distribution points. Users can install software that's already deployed. No
site administration is possible in this time period. For more information, see Site failure
impacts.
If the offline server is damaged such that it can't return, delete this site server from the
console. Then create a new site server in passive mode to restore a highly available
service.
For more information on the unplanned failover process, see Flowchart - Promote site
server (unplanned).
After the promotion completes, also review the following configurations:
If you import PKI certificates for distribution points, reimport the certificate for
affected servers. For more information, see Regenerate the certificates for
distribution points.
If you integrate Configuration Manager with the Microsoft Store for Business,
reconfigure that connection. For more information, see Manage apps from the
Microsoft Store for Business.
Daily monitoring
When you have a site server in passive mode, monitor it daily. Make sure its Status
remains OK and is ready for use. In the Configuration Manager console, go to the
Monitoring workspace, and select the Site Server Status node. View both site servers
and their current status. Also view status in the Administration workspace. Expand Site
Configuration, and select the Sites node. Select the site, and then switch to the Nodes
tab.
Note
When you update the site to a new version of Configuration Manager, it also
updates the site server in passive mode.
When you remove any other site system role, the site component manager ( sitecomp )
processes the request. When you remove a site server in passive mode, the failover
manager processes the request. For status, monitor the SMS_FAILOVER_MANAGER
component.
Next steps
Flowchart - Set up a site server in passive mode
Flowchart - Promote site server (planned)
Flowchart - Promote site server (unplanned)
Flowchart - Set up a site server in passive mode
Article • 10/04/2022
This flowchart diagram shows the process by which the site sets up a site server in
passive mode. For more information, see Site server high availability.
Flowchart - Promote site server (planned)
This flowchart diagram shows the process by which a site server in passive mode is
promoted to the site server in active mode. In this example, the administrator plans for
the promotion process. Both servers are online and fully functional. For more
information, see Site server high availability.
Flowchart - Promote site server (unplanned)
This flowchart diagram shows the process by which a site server in passive mode is
promoted to the site server in active mode when the current site server in active mode is
offline. In this example, the current site server in active mode isn't fully operational, for
example it's disconnected from the network or powered off. For more information, see
Site server high availability.
Prepare to use an availability group
Use this article to prepare Configuration Manager to use a SQL Server Always On
availability group for the site database. This feature provides a high availability and
disaster recovery solution.
When you use availability groups in Microsoft Azure, you can further increase availability
of your site database by using Azure availability sets. For more information on Azure
availability sets, see Manage the availability of virtual machines.
Important
Before you continue, be comfortable with configuring SQL Server and availability
groups. This article references the SQL Server documentation library with more
information and procedures.
Supported scenarios
The following scenarios are supported for using availability groups with Configuration
Manager. For more information and procedures for each scenario, see Configure
availability groups for Configuration Manager.
Installation account
The account you use to run Configuration Manager setup must be:
The computer account of the site server must be a member of the local Administrators
group on each computer that's a member of the availability group.
SQL Server
Version
Each replica in the availability group must run a version of SQL Server that's supported
by your version of Configuration Manager. When supported by SQL Server, different
nodes of an availability group can run different versions of SQL Server. For more
information, see Supported SQL Server versions for Configuration Manager.
Edition
Use an Enterprise edition of SQL Server.
Account
Each instance of SQL Server can run under a domain user account (service account) or a
non-domain account. Each replica in a group can have a different configuration.
Use an account with the lowest possible permissions. For more information, see
Security considerations for a SQL Server installation.
For more information on configuring service accounts and permissions for SQL
Server, see Configure Windows service accounts and permissions.
To use a non-domain account, you must use certificates. For more information, see
Use certificates for a database mirroring endpoint (Transact-SQL).
For more general information, see Create a database mirroring endpoint for
availability groups.
Database
Configure the following SQL Server settings on each instance that hosts a replica:
SQL
USE master;
GO
EXEC sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
EXEC sp_configure 'max text repl size (B)', 2147483647;
GO
RECONFIGURE;
GO
Set the database owner to the SA account. You don't need to enable this account.
SQL
ALTER AUTHORIZATION ON DATABASE::[CM_xxx] TO [sa];
GO
Set the TRUSTWORTHY option on the site database:
SQL
ALTER DATABASE [CM_xxx] SET TRUSTWORTHY ON;
Enable Service Broker on the site database:
SQL
ALTER DATABASE [CM_xxx] SET ENABLE_BROKER;
Note
You can't enable the Service Broker option on a database that's already part of
an availability group. You have to enable that option before adding it to the
availability group.
Set the Service Broker priority option on the site database:
SQL
ALTER DATABASE [CM_xxx] SET HONOR_BROKER_PRIORITY ON;
Run the following SQL script to verify the database configuration on both the primary and
the secondary replicas. These options are recorded in each instance's master database, not
in the site database itself, so the availability group doesn't replicate them; check every
replica. Before you can fix an issue on a secondary replica, change that secondary replica
to be the primary replica.
SQL
SET NOCOUNT ON
DECLARE @dbname NVARCHAR(128) = DB_NAME();
IF (@dbname IN (N'master', N'model', N'msdb', N'tempdb', N'distribution'))
BEGIN
    PRINT N'ERROR: Run this script in the context of a Configuration Manager database.';
    GOTO Branch_Exit;
END ELSE
    PRINT N'Checking Configuration Manager database ' + @dbname;
IF EXISTS (SELECT 1 FROM sys.databases WHERE name = @dbname AND is_trustworthy_on = 1)
    PRINT N'PASS: Database is trustworthy';
ELSE
    PRINT N'ERROR: Database is not trustworthy';
IF EXISTS (SELECT 1 FROM sys.databases WHERE name = @dbname AND is_broker_enabled = 1)
    PRINT N'PASS: Service Broker is enabled';
ELSE
    PRINT N'ERROR: Service Broker is not enabled';
IF EXISTS (SELECT 1 FROM sys.databases WHERE name = @dbname AND is_honor_broker_priority_on = 1)
    PRINT N'PASS: Service Broker priority is honored';
ELSE
    PRINT N'ERROR: Service Broker priority is not honored';
IF EXISTS (SELECT 1 FROM sys.databases WHERE name = @dbname AND owner_sid = 0x01)
    PRINT N'PASS: Database owner is the SA account';
ELSE
    PRINT N'ERROR: Database owner is not the SA account';
DECLARE @config TABLE (name nvarchar(max), minimum int, maximum int, config_value int, run_value int);
INSERT INTO @config EXEC sp_configure N'max text repl size (B)';
IF EXISTS (SELECT 1 FROM @config WHERE run_value = 2147483647)
    PRINT N'PASS: Max text replication size is 2147483647';
ELSE
    PRINT N'ERROR: Max text replication size is not 2147483647';
PRINT N'Done!'
Branch_Exit:
Replica members
The availability group must have one primary replica.
Use the same number and type of replicas in an availability group that your version
of SQL Server supports.
You can use an asynchronous commit replica to recover your synchronous replica.
For more information, see site database recovery options.
Warning
Configuration Manager doesn't validate the state of the asynchronous commit replica to
confirm it's current. Use of an asynchronous commit replica as the site database can put
the integrity of your site and data at risk. This replica can be out of sync by design. For
more information, see Overview of SQL Server Always On availability groups.
Note
Don't have a file share on the server with the same name as the SQL Server
instance name.
Note
All members need the same seeding mode. Configuration Manager setup includes
a prerequisite check to verify this configuration when creating a database through
install or recovery.
Note
When setup creates the database, and you configure automatic seeding, the
availability group must have permissions to create the database. This
requirement applies to both a new database and a recovery. For more
information, see Automatic seeding for secondary replica.
Note
If you're using an Azure virtual machine for the SQL Server, enable floating IP. For
more information, see Configure a load balancer for a SQL Server Always On
availability group in Azure virtual machines.
Configuration Manager setup needs to connect to each replica. When you set up an
availability group in Azure, and the group is behind an internal or external load balancer,
open the following default ports:
After setup completes, these ports must stay open for Configuration Manager and
replication link analyzer.
You can use custom ports for these configurations. Use the same custom ports for the
endpoint and on all replicas in the availability group.
For SQL Server to replicate data between sites, create a load-balancing rule for each
port in the Azure load balancer. For more information, see Configure High Availability
Ports for an internal load balancer.
Listener
The availability group must have at least one availability group listener. When you
configure Configuration Manager to use the site database in the availability group, it
uses the virtual name of this listener. Although an availability group can contain multiple
listeners, Configuration Manager can only make use of one. For more information, see
Create or configure a SQL Server availability group listener.
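Setup connects to every replica and checks these settings on each instance. The following PowerShell is an added example, not part of the Configuration Manager documentation or product, that automates the pre-flight checks this article describes: exactly one listener and a single seeding mode for the group, a warning for any asynchronous-commit replica, and, on every replica, the FULL recovery model plus the database options the verification script inspects. It assumes the SqlServer module (Invoke-Sqlcmd), Windows authentication with VIEW SERVER STATE on each instance, network access to each replica (not only the listener), and the placeholder names cmsql-listener.fabrikam.com and CM_PS1.

```powershell
# Added example, not code from the Configuration Manager documentation or product.
# Pre-flight check of a site-database availability group before you run Configuration
# Manager setup against it. Assumes the SqlServer module (Invoke-Sqlcmd), Windows
# authentication with VIEW SERVER STATE on every replica, and network access to each
# replica (not only the listener). $Listener and $Database are placeholders.
param(
    [string]$Listener = 'cmsql-listener.fabrikam.com',
    [string]$Database = 'CM_PS1'
)
Import-Module SqlServer -ErrorAction Stop
# The database name is spliced into T-SQL below, so accept only a plain identifier.
if ($Database -notmatch '^[A-Za-z0-9_]+$') { throw "Unexpected database name '$Database'." }

$fail = New-Object System.Collections.Generic.List[string]
$warn = New-Object System.Collections.Generic.List[string]

# Group-level facts come from the primary, reached through the listener.
$replicas = Invoke-Sqlcmd -ServerInstance $Listener -Query @"
SELECT ar.replica_server_name, ar.availability_mode_desc, ar.seeding_mode_desc
FROM sys.availability_replicas AS ar
JOIN sys.availability_databases_cluster AS adc ON adc.group_id = ar.group_id
WHERE adc.database_name = N'$Database';
"@
if (-not $replicas) { throw "$Database is not in an availability group reachable through $Listener." }

$listeners = Invoke-Sqlcmd -ServerInstance $Listener -Query @"
SELECT agl.dns_name, agl.port
FROM sys.availability_group_listeners AS agl
JOIN sys.availability_databases_cluster AS adc ON adc.group_id = agl.group_id
WHERE adc.database_name = N'$Database';
"@

# One listener, one seeding mode; an asynchronous replica is allowed for recovery only.
$listenerCount = @($listeners).Count
if ($listenerCount -ne 1) { $fail.Add("Group has $listenerCount listeners; Configuration Manager requires exactly one.") }
$seedingModes = @($replicas.seeding_mode_desc | Sort-Object -Unique)
if ($seedingModes.Count -gt 1) { $fail.Add("Replicas mix seeding modes: $($seedingModes -join ', ').") }
foreach ($r in @($replicas | Where-Object availability_mode_desc -eq 'ASYNCHRONOUS_COMMIT')) {
    $warn.Add("$($r.replica_server_name) is asynchronous-commit; never point the site at it directly.")
}

# TRUSTWORTHY, Service Broker and the owner live in each instance's master database and
# aren't replicated, so check every replica directly. A secondary database may be unreadable,
# but its sys.databases row on that instance is always readable.
$dbQuery = @"
SELECT recovery_model_desc, is_trustworthy_on, is_broker_enabled, is_honor_broker_priority_on,
       CASE WHEN owner_sid = 0x01 THEN 1 ELSE 0 END AS owner_is_sa
FROM sys.databases WHERE name = N'$Database';
"@
foreach ($r in $replicas) {
    $server = $r.replica_server_name
    $db = Invoke-Sqlcmd -ServerInstance $server -Query $dbQuery
    if (-not $db) { $fail.Add("${server}: no copy of $Database."); continue }
    $cfg = Invoke-Sqlcmd -ServerInstance $server -Query "EXEC sp_configure 'max text repl size (B)';"
    if ($db.recovery_model_desc -ne 'FULL')   { $fail.Add("${server}: recovery model is $($db.recovery_model_desc), must be FULL.") }
    if (-not $db.is_trustworthy_on)           { $fail.Add("${server}: TRUSTWORTHY is off.") }
    if (-not $db.is_broker_enabled)           { $fail.Add("${server}: Service Broker is disabled.") }
    if (-not $db.is_honor_broker_priority_on) { $fail.Add("${server}: HONOR_BROKER_PRIORITY is off.") }
    if ($db.owner_is_sa -ne 1)                { $fail.Add("${server}: database owner is not sa.") }
    if ($cfg.run_value -ne 2147483647)        { $fail.Add("${server}: max text repl size is $($cfg.run_value).") }
}

$warn | ForEach-Object { Write-Output "WARN: $_" }
$fail | ForEach-Object { Write-Output "FAIL: $_" }
if ($fail.Count -eq 0) { Write-Output "PASS: $Database on $Listener meets the availability group prerequisites." }
else { exit 1 }
```

Run it from the site server, because that is the host whose network path to each replica setup will use. A FAIL on a secondary replica can't be fixed in place: ALTER DATABASE is refused on a secondary, which is why the article tells you to fail over first and then correct it.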
File paths
When you run Configuration Manager setup to configure a site to use the database in
an availability group, each secondary replica server must have a SQL Server file path
that's identical to the file path for the site database files on the current primary replica. If
an identical path doesn't exist, setup fails to add the instance for the availability group
as the new location of the site database.
The local SQL Server service account must have Full Control permission to this folder.
The secondary replica servers only require this file path while you're using Configuration
Manager setup to specify the database instance in the availability group. After setup
completes configuration of the site database in the availability group, you can delete the
unused path from the secondary replica servers.
For example:
Your primary replica server is a new installation of SQL Server 2014. By default, it
stores the database MDF and LDF files in C:\Program Files\Microsoft SQL
Server\MSSQL12.MSSQLSERVER\MSSQL\DATA .
You upgraded both of your secondary replica servers to SQL Server 2014 from
previous versions. With the upgrade, these servers keep the original file path to
store database files: C:\Program Files\Microsoft SQL
Server\MSSQL10.MSSQLSERVER\MSSQL\DATA .
Before moving the site database to this availability group, on each secondary
replica server, create the following file path: C:\Program Files\Microsoft SQL
Server\MSSQL12.MSSQLSERVER\MSSQL\DATA . This path is a duplicate of the path in use
on the primary replica, even though the secondary replicas won't use this file location.
You then grant the SQL Server service account on each secondary replica Full
Control access to the newly created file location on that server.
You can now successfully run Configuration Manager setup to configure the site to
use the site database in the availability group.
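The following PowerShell is an added example, not part of the Configuration Manager documentation, that performs the two steps of this scenario on a secondary replica: create the primary's data path if it's missing and grant the local SQL Server service account Full Control on it, then verify the ACE is present. It uses the primary's path from the scenario; the service name MSSQLSERVER is a placeholder for your instance.

```powershell
# Added example, not code from the Configuration Manager documentation.
# Run on each secondary replica server: create the data path the primary replica uses
# and grant the SQL Server service account Full Control on it. The path is the primary's
# default path from the scenario above; the service name is a placeholder (use
# 'MSSQL$<InstanceName>' for a named instance).
param(
    [string]$PrimaryDataPath = 'C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\DATA',
    [string]$SqlServiceName  = 'MSSQLSERVER'
)

# Resolve the account the local SQL Server service runs as. A virtual account appears as
# 'NT Service\MSSQLSERVER', which is a valid ACL principal as written.
$service = Get-CimInstance -ClassName Win32_Service -Filter "Name='$SqlServiceName'"
if (-not $service) { throw "Service '$SqlServiceName' was not found on $env:COMPUTERNAME." }
$account = $service.StartName
if ($account -eq 'LocalSystem') { $account = 'NT AUTHORITY\SYSTEM' }  # CIM reports the display form

# Create the path only if it's missing; never touch an existing data directory's contents.
if (-not (Test-Path -LiteralPath $PrimaryDataPath -PathType Container)) {
    New-Item -ItemType Directory -Path $PrimaryDataPath -Force | Out-Null
}

# Add a Full Control ACE that applies to the folder, its subfolders and its files.
$rights      = [System.Security.AccessControl.FileSystemRights]::FullControl
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, $rights, $inheritance, $propagation, [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -LiteralPath $PrimaryDataPath
$acl.SetAccessRule($rule)      # replaces any existing explicit ACE for this account
Set-Acl -LiteralPath $PrimaryDataPath -AclObject $acl

# Verify before running Configuration Manager setup: setup fails if the path or the
# permission is missing on any secondary replica.
$effective = (Get-Acl -LiteralPath $PrimaryDataPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $account -and
                   $_.AccessControlType -eq 'Allow' -and
                   $_.FileSystemRights.HasFlag($rights) }
if ($effective) {
    Write-Output "OK: '$account' has Full Control on '$PrimaryDataPath'."
} else {
    throw "Full Control for '$account' is not present on '$PrimaryDataPath'."
}
```

Because the folder is only needed during setup, remove the path and its ACE afterwards as the article suggests; leaving an unused, service-account-writable directory under Program Files is a small but unnecessary widening of the instance's footprint.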
Multi-subnet failover
You can enable the MultiSubnetFailover connection string keyword in SQL Server. You
also need to manually add the following values to the Windows Registry on the site
server:
Registry
HKLM:\SOFTWARE\Microsoft\SMS\Identification
HKLM:\SOFTWARE\Microsoft\SMS\SQL Server
Warning
Use of site server high availability and SQL Server Always On availability groups
with multi-subnet failover doesn't provide the full capabilities of automatic failover
for disaster recovery scenarios.
If you need to create an availability group with a member in a remote location, prioritize
based on the lowest network latency. High network latency can cause replication
failures.
Failover cluster instance: Failover cluster instances aren't supported for a replica
you use with Configuration Manager. For more information, see SQL Server Always
On failover cluster instances.
Manual failover
Note
Set the availability group to manual failover mode in the following scenarios:
You run Configuration Manager setup to specify use of the site database in
the availability group.
You install any update to Configuration Manager (not just updates that apply
to the site database).
Reporting database
WSUS database
Pre-existing database
You can't use a new database created on the replica. When you configure an availability
group, restore a copy of an existing Configuration Manager database to the primary
replica.
Site expansion
If you configure the site database for a standalone primary site to use an availability
group, you can't expand the site to include a central administration site. If you try this
process, it fails. To expand the site, temporarily remove the primary site database from
the availability group.
You don't need to make any changes to the configuration when adding a secondary site.
You can still use the SQL Server backup, but you can't restore it directly to a SQL Server
Always On availability group. Restore it on a standalone server, then move the database
back into the availability group.
Transaction log
Set the recovery model of the site database to Full. This configuration is a requirement
for Configuration Manager use in an availability group. Plan to monitor and maintain the
size of the site database transaction log. In the full recovery model, the log isn't
truncated until you back up the transaction log, so without regular log backups it grows
until it fills the disk. For more information, see Back up and restore of SQL Server
databases.
Site recovery can recreate the database in an availability group. This process works with
both manual and automatic seeding.
Tip
When you run the setup/recovery wizard, the New Availability Group Database
page only applies to manual seeding configurations. With automatic seeding,
there's no shared database backup, so that page of the wizard isn't shown.
By default, the reporting services point installation sets the Site database server
name to the virtual name that's specified as the listener. Change this setting to
specify a computer name and instance of a replica in the availability group.
3. In the Report Options dialog box, select the reporting services point you want to
use.
Next steps
This article describes the prerequisites, limitations, and changes to common tasks that
Configuration Manager requires when you use availability groups. For procedures to set
up and configure your site to use availability groups, see Configure availability groups.
Configure a SQL Server Always On availability group for Configuration Manager
Article • 10/04/2022
Use the information in this article to configure and manage a SQL Server Always On
availability group for the Configuration Manager site database. Before you start, be
familiar with the information to Prepare to use an availability group. Also be familiar
with SQL Server documentation that covers the use of availability groups and related
procedures.
1. Stop the site to prevent additional writes to the site database. To stop the site, use
the Hierarchy maintenance tool: preinst.exe /stopsite
2. Change the recovery model of the site database from SIMPLE to FULL:
SQL
ALTER DATABASE [CM_xxx] SET RECOVERY FULL;
Availability groups only support the FULL recovery model. For more information, see
View or change the recovery model of a database.
3. Use SQL Server to create a full backup of your site database. Choose one of the
following options:
Will be member of your availability group: If you use this server as the initial
primary replica member of the availability group, you don't need to restore a
copy of the site database to this server or another in the group. The database
is already in place on the primary replica. SQL Server replicates the database
to the secondary replicas during a later step.
Will not be a member of the availability group: Restore a copy of the site
database to the server that will host the primary replica of the group.
For more information, see the following articles in the SQL Server documentation:
4. On the server that will host the initial primary replica of the group, use the New
availability group wizard to create the availability group. In the wizard:
On the Select Database page, select the database for your Configuration
Manager site.
Listener: Specify the Listener DNS Name as a full DNS name, for example
<listener_server>.fabrikam.com . When you configure Configuration
Manager to use the database in the availability group, it uses this name.
On the Select Initial Data Synchronization page, select Full. After the wizard
creates the availability group, the wizard backs up the primary database and
transaction log. Then the wizard restores them on each server that hosts a
secondary replica.
Note
If you don't use this step, restore a copy of the site database to each
server that hosts a secondary replica. Then manually join that database
to the group.
5. Verify the configuration of each replica:
a. Make sure the computer account of the site server is a member of the local
Administrators group on each computer that's a member of the availability
group.
b. Run the verification script to confirm that the site database on each replica is
correctly configured.
6. After all replicas meet the requirements, the availability group is ready to be used
with Configuration Manager.
If you moved an existing site database to an availability group you created and
configured, use Configuration Manager site maintenance to change the configuration
as follows:
2. On the Getting Started page, select Perform site maintenance or reset this site,
and then select Next.
SQL Server name: Enter the virtual name for the availability group listener.
You configured the listener when you created the availability group. The
virtual name should be a full DNS name, like
<Listener_Server>.fabrikam.com .
Instance: To specify the default instance for the listener of the availability
group, this value must be blank. If the current site database runs on a named
instance, clear the current named instance.
Database: Leave the name as it appears. This name is the current site
database.
5. After you provide the information for the new database location, complete setup
with your normal process and configurations.
b. Watch the status in SQL Server Management Studio. Wait for the availability
group to return to full health.
2. Run Configuration Manager setup, and select the option to modify the site.
3. Specify the availability group listener name as the database name. If the listener
uses a non-standard network port, specify that as well. This action causes setup to
make sure each node is appropriately configured. It also starts a database recovery
process.
Configuration Manager setup uses the SQL Server database move operation, and makes
sure the nodes are correctly configured.
Asynchronous replicas
You can use an asynchronous replica in the availability group that you use with
Configuration Manager. You don't need to run the configuration scripts required to
configure a synchronous replica, because an asynchronous replica isn't supported for
the site database.
1. Stop the active primary site to prevent additional writes to the site database. To
stop the site, use the Hierarchy maintenance tool: preinst.exe /stopsite
2. After you stop the site, use the asynchronous replica instead of a manually
recovered database.
2. Use SQL Server to create a full backup of your site database from the primary
replica. For more information, see Create a full database backup.
3. Use SQL Server to restore the site database backup to the server that will host the
site database. For more information, see Restore a database backup using SSMS.
Note
If the primary replica server for the availability group will host the single
instance of the site database, skip this step.
4. On the server that will host the site database, change the recovery model for the
site database from FULL to SIMPLE. For more information, see View or change the
recovery model of a database.
6. On the Getting Started page, select Perform site maintenance or reset this site,
and then select Next.
SQL Server name: Enter the name of the server that now hosts the site
database.
Instance: Specify the named instance that hosts the site database. If the
database is on the default instance, leave this field blank.
Database: Leave the name as it appears. This name is the current site
database.
9. After you provide the information for the new database location, complete setup
with your normal process and configurations. When setup completes, the site
restarts, and begins to use the new database location.
10. To clean up the servers that were members of the availability group, follow the
guidance in Remove an availability group.
Use a SQL Server Always On failover cluster instance for the site database
Article • 10/04/2022
You can use a SQL Server Always On failover cluster instance to host the Configuration
Manager site database. Failover cluster instances provide failover support for the entire
instance of SQL Server and improve the reliability of the site database. However, they
don't provide additional processing or load-balancing benefits. Failover cluster
instances require shared storage, which can be a single point of failure.
Performance can degrade because the site server must find the active node of the
failover cluster instance before it connects to the site database.
Important
Before you install Configuration Manager, prepare the failover cluster instance to
support Configuration Manager. For more information, see Prepare a clustered SQL
Server instance.
During Configuration Manager setup, the Windows Volume Shadow Copy Service writer
installs on each physical computer node of the Windows Server failover cluster. This
service supports the Backup Site Server maintenance task.
After the site installs, Configuration Manager checks for changes to the cluster node
each hour. Configuration Manager automatically manages any changes it finds that
affect its component installs. For example, a node failover or the addition of a new node
to the failover cluster instance.
Supported options
Configuration Manager supports the following options for failover cluster instances
used for the site database:
Prerequisites
The site database server must be remote from the site server. The cluster can't
include the site server.
Note
The Configuration Manager setup process doesn't block installation of the site
server role on a computer with the Windows role for Failover Clustering. SQL
Server Always On availability groups require this role, so previously you
couldn't colocate the site database on the site server. With this change, you
can create a highly available site with fewer servers by using an availability
group and a site server in passive mode. For more information, see High
availability options.
Add the computer account of the site server to the local Administrators group of
each server in the cluster.
There are specific certificate requirements when you use a failover cluster instance
for the site database. For more information, see the following articles:
Note
When you specify a failover cluster instance, you can't set a custom file location for
the site database.
SMS Provider
You can't install the SMS Provider on a failover cluster instance. It's also not supported
on a computer that runs as a node participating in the failover cluster instance.
Create the failover cluster instance to host the site database on an existing
Windows Server failover cluster environment. For specific steps to install and set
up a failover cluster instance, see the documentation specific to your version of
SQL Server. For more information, see Create a new SQL Server Always On failover
cluster instance.
On each computer in the failover cluster instance, place a file in the root folder of
each drive where you don't want Configuration Manager to install site
components. Name the file NO_SMS_ON_DRIVE.SMS . By default, Configuration
Manager installs some components on each physical node, to support operations
such as backup.
Add the computer account of the site server to the local Administrators group of
each Windows Server failover cluster node.
In the failover cluster instance, assign the sysadmin SQL Server role to the user
account that runs Configuration Manager setup.
Important
Make sure to use the name of the SQL Server Always On failover cluster instance,
not the Windows Server failover cluster. If you use the Windows Server failover
cluster name, the site database installs on the local hard drive of the active
Windows Server failover cluster node. This configuration prevents successful
failover if that node fails.
Custom locations for Configuration
Manager site database files
Article • 10/04/2022
Configuration Manager supports custom locations for SQL Server database files.
Note
The option to specify non-default file locations isn't available when you use a SQL
Server Always On failover cluster instance.
During setup of a new primary site or central administration site, you can:
Specify non-default file locations for the site database: Configuration Manager
setup then creates the site database using these locations.
Specify the use of a pre-created SQL Server database that uses custom file
locations: Configuration Manager setup then uses that pre-created database and
its pre-configured file locations.
After setup, you can change the location of the site database files. This requires you to
stop the site and edit the file location in SQL Server:
2. Move the database in SQL Server. For more information, see Move User Databases.
3. After you complete the database file move, restart the SMS_Executive service on
the Configuration Manager site server.
Configure role-based administration for
Configuration Manager
Article • 10/04/2022
If you're not yet familiar with these concepts, see Fundamentals of role-based
administration.
Use the information in this article to create and configure role-based administration and
related security settings.
Note
The procedures in this article assume that your administrative user is in a security
role with the required permissions. For example, the Full Administrator or Security
administrator roles.
Tip
Use the Role-based administration and auditing tool to help with the following
actions:
1. Select an existing security role to use as the source for the new role.
2. On the Home tab of the ribbon, in the Security Role group, select Copy. This
action creates a copy of the source security role.
3. In the Copy Security Role wizard, specify a Name for the new custom security role.
The maximum length is 256 characters.
5. Under Permissions, expand each object type to display the available permissions.
6. To change a permission, select the drop-down list, and choose either Yes or No.
Caution
When you configure a custom security role, only grant permissions that are
required by the users assigned to this role. For example, the Modify
permission for the Security Roles object allows assigned users to edit any
accessible security role, even if they aren't assigned to that security role.
7. After you configure the permissions, select OK to save the new security role.
Important
Only import custom security role configuration files from a trusted source. When
you export a custom security role, save it in a secure location. The XML files aren't
digitally signed.
1. On the Home tab of the ribbon, in the Create group, choose Import Security Role.
2. Specify the XML file that contains the exported security role configuration. Select
Open to complete the procedure and create the security role.
3. After you import a custom security role, open its Properties. View the permissions
to confirm they include the least required permissions for this role. Change any
permissions that aren't required in this environment.
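Because the exported XML carries no signature, the only integrity check available is one you add yourself. The following PowerShell is an added example, not part of the Configuration Manager documentation, that wraps the export and import cmdlets with a SHA-256 digest so a role file that changed between export and import is rejected. It assumes the ConfigurationManager PowerShell module is loaded and connected to the site drive; the PS1: drive, the role name and the file path are placeholders.

```powershell
# Added example, not code from the Configuration Manager documentation. Exported role
# XML carries no signature, so this records a SHA-256 digest at export time and refuses
# to import a file whose digest has changed. Assumes the ConfigurationManager module is
# loaded and the session is connected to the site drive; 'PS1:', the role name and the
# file path are placeholders.
Set-Location 'PS1:'

function Export-CMRoleWithDigest {
    param([Parameter(Mandatory)][string]$RoleName,
          [Parameter(Mandatory)][string]$Path)
    Export-CMSecurityRole -Name $RoleName -Path $Path
    # Record the digest in the change record, not next to the file: anyone who can alter
    # the XML in a shared location can alter a sidecar hash file just as easily.
    return (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
}

function Import-CMRoleIfIntact {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$ExpectedSha256)
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Refusing to import '$Path': SHA-256 $actual does not match the recorded $ExpectedSha256."
    }
    Import-CMSecurityRole -XmlFileName $Path
}

# On the source site: export, then carry the digest with the file through your change process.
$digest = Export-CMRoleWithDigest -RoleName 'Helpdesk - Read Only' -Path 'C:\Export\Helpdesk-ReadOnly.xml'
# On the destination site: import only if the file still matches the recorded digest.
Import-CMRoleIfIntact -Path 'C:\Export\Helpdesk-ReadOnly.xml' -ExpectedSha256 $digest
```

The digest protects against modification in transit or at rest; it says nothing about whether the role's permissions are appropriate, so the review of the imported role's Properties in step 3 is still required.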
2. Select the custom security role that you want to modify or view.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. On the General tab of the properties window, change the Name or Description if
necessary.
5. On the Administrative Users tab, view the users that are associated with this role.
To change the assignment, go to the properties of the administrative user.
6. On the Permissions tab, expand each object type to display the available
permissions.
7. To change a permission, select the drop-down list, and then choose either Yes or
No.
Caution
When you configure a custom security role, only grant permissions that are
required by the users assigned to this role. For example, the Modify
permission for the Security Roles object allows assigned users to edit any
accessible security role, even if they aren't assigned to that security role.
When you create a new object in Configuration Manager, it's associated with each
security scope that's associated with the security roles of the account used to create the
object. This behavior occurs when those security roles provide the Create permission or
Set Security Scope permission. After you create an object, you can change the security
scopes and assign it to multiple scopes.
For example, you're assigned a security role that grants you permission to create a new
boundary group. That role is associated with the Admins security scope. When you
create a new boundary group, you've no option to assign specific security scopes. The
Admins security scope is automatically assigned to the new boundary group. After you
save the new boundary group, you can edit the security scopes for the boundary group.
For more information on how to add a scope for a user, see Modify the administrative
scope of an administrative user.
2. On the Home tab of the ribbon, in the Create group, select Create Security Scope.
3. In the Create Security Scope window, specify a Security scope name. The
maximum length is 256 characters.
2. On the Home tab of the ribbon, in the Classify group, select Set Security Scopes.
For a folder, go to the Folder tab of the ribbon. In the Actions group, select Set
Security Scopes.
3. In the Set Security Scopes window, select or clear the security scopes for this
object. Select at least one security scope.
When an administrative user has permissions to a collection, they also have permissions
to collections that are limited to that collection. For example, your organization uses a
collection named All Desktops. There's also a collection named All North America
Desktops that's limited to the All Desktops collection. If an administrative user has
permissions to All Desktops, they have the same permissions to the All North America
Desktops collection.
An administrative user can't use the Delete or Modify permissions on a collection that's
directly assigned to them. They can use these permissions on the collections that are
limited to that collection. In the previous example, the administrative user can delete or
modify the All North America Desktops collection, but they can't delete or modify the
All Desktops collection.
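The two rules above (permissions flow down to limited collections, but Modify and Delete never apply to the directly assigned collection itself) are easy to misjudge once collections are limited several levels deep. The following PowerShell is an added example, not part of the Configuration Manager documentation or product, that models the evaluation for an arbitrary limiting chain. The collection names come from the text; their limiting relationships and the role's permission set are constructed for the illustration, and nothing is read from a site.

```powershell
# Added example, not code from the Configuration Manager documentation. A stand-alone
# model of how collection permissions flow from a directly assigned collection to the
# collections limited to it. The collection names come from the text; the limiting
# relationships and the role's permission set are constructed for the illustration.
$script:LimitingCollection = @{
    'All Systems'                = $null          # root: not limited to anything
    'All Desktops'               = 'All Systems'
    'All North America Desktops' = 'All Desktops'
    'All Servers'                = 'All Systems'
}

function Get-LimitingChain {
    # Returns the collection followed by each collection it's limited to, up to the root.
    param([Parameter(Mandatory)][string]$Collection)
    $chain = @()
    $current = $Collection
    while ($null -ne $current) {
        if (-not $script:LimitingCollection.ContainsKey($current)) { throw "Unknown collection '$current'." }
        if ($chain -contains $current) { throw "Limiting cycle at '$current'." }
        $chain += $current
        $current = $script:LimitingCollection[$current]
    }
    return $chain
}

function Test-CollectionPermission {
    param(
        [Parameter(Mandatory)][string[]]$AssignedCollections,  # directly assigned to the administrative user
        [Parameter(Mandatory)][string[]]$RolePermissions,      # collection permissions granted by the user's roles
        [Parameter(Mandatory)][string]$Collection,
        [Parameter(Mandatory)][ValidateSet('Read','Modify','Delete')][string]$Permission
    )
    # The role has to grant the permission at all.
    if ($RolePermissions -notcontains $Permission) { return $false }
    # The collection is in scope when it, or a collection it's (transitively) limited to, is assigned.
    $chain = Get-LimitingChain -Collection $Collection
    $inScope = ($chain | Where-Object { $AssignedCollections -contains $_ } | Measure-Object).Count -gt 0
    if (-not $inScope) { return $false }
    # Modify and Delete never apply to a directly assigned collection, only to collections limited to it.
    if ($Permission -in @('Modify','Delete') -and $AssignedCollections -contains $Collection) { return $false }
    return $true
}

# Worked case from the text: a role granting Read, Modify and Delete on collections, with
# 'All Desktops' directly assigned to the administrative user.
$assigned = @('All Desktops')
$granted  = @('Read','Modify','Delete')
foreach ($case in @(
        @{ Collection = 'All North America Desktops'; Permission = 'Read'   },
        @{ Collection = 'All North America Desktops'; Permission = 'Delete' },
        @{ Collection = 'All Desktops';               Permission = 'Read'   },
        @{ Collection = 'All Desktops';               Permission = 'Delete' },
        @{ Collection = 'All Servers';                Permission = 'Read'   })) {
    $allowed = Test-CollectionPermission -AssignedCollections $assigned -RolePermissions $granted `
                                         -Collection $case.Collection -Permission $case.Permission
    '{0,-7} {1,-28} allowed={2}' -f $case.Permission, $case.Collection, $allowed
}
```

Running the worked case shows Read and Delete allowed on All North America Desktops, Read but not Delete allowed on All Desktops, and nothing allowed on All Servers, which sits outside the assigned scope even though the role grants the permission. When you audit an administrative user, walk the limiting chain of each collection they can see the same way rather than reading only the collections listed on the user's Security Scopes tab.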
2. On the Home tab of the ribbon, in the Create group, select Add User or Group.
3. Select Browse, and then select the user account or group to use for this new
administrative user in Configuration Manager.
4. For the Associated security roles, select Add to open a list of the available security
roles. Select one or more security roles, and then select OK.
5. Choose one of the following options to define the securable object behavior for
the new user:
All instances of the objects that are related to the assigned security roles:
This option has the following behaviors:
Security scope: All
Collections: All Systems and All Users and User Groups
The security roles that you assign to the user define their access to objects.
New objects that this user creates are assigned to the Default security
scope.
Only the instances of objects that are assigned to the specified security
scopes and collections: This option has the following behaviors:
Security scope: Default
Collections: All Systems and All Users and User Groups
These defaults may be different, because the actual security scopes and
collections are limited to those that are associated with the account that
you use to create the administrative user.
Add or Remove security scopes and collections to customize the
administrative scope of this user.
Important
After you create the user, view its properties to select a third option, Associate
assigned security roles with specific security scopes and collections. For
more information, see Modify the administrative scope of an administrative
user.
When you modify an administrative user, you can change the behavior for how
securable objects are associated with the assigned security roles. The three behaviors
that you can select are as follows:
All instances of the objects that are related to the assigned security roles: This
option associates the administrative user with the All scope, and the All Systems
and All Users and User Groups collections. The security roles that are assigned to
the user define access to objects.
Only the instances of objects that are assigned to the specified security scopes
and collections: This option associates the administrative user to the same security
scopes and collections that are associated to the account you use to configure the
administrative user. This option supports the addition or removal of security roles
and collections to customize the administrative scope of the administrative user.
Associate assigned security roles with specific security scopes and collections:
This option lets you create specific associations between individual security roles
and specific security scopes and collections for the user.
Note
The current configuration for the securable object behavior changes the process that
you use to assign additional security roles. Use the following procedures that are based
on the different options for securable objects to help you manage an administrative
user.
Use the following procedure to view and manage the configuration for securable
objects for an administrative user.
Use the following procedure to modify an administrative user that has the securable
object behavior set to All instances of the objects that are related to the assigned
security roles.
5. Choose the Security Scopes tab to confirm that the administrative user is
configured for All instances of the objects that are related to the assigned
security roles.
6. To modify the assigned security roles, choose the Security Roles tab.
7. To modify the securable object behavior, choose the Security Scopes tab and
choose a new option for the securable object behavior. After you change this
configuration, see the appropriate procedure for further guidance to configure
security scopes and collections, and security roles for this administrative user.
Note
When the securable object behavior is set to All instances of the objects that
are related to the assigned security roles, you can't add or remove specific
security scopes and collections.
Use the following procedure to modify an administrative user that has the securable
object behavior set to Only the instances of objects that are assigned to the specified
security scopes and collections.
1. In the Configuration Manager console, choose Administration.
5. Choose the Security Scopes tab to confirm that the user is configured for Only the
instances of objects that are assigned to the specified security scopes and
collections.
6. To modify the assigned security roles, choose the Security Roles tab.
To assign additional security roles to this user, choose Add, check the box for
each additional security role that you want to assign, and then choose OK.
To remove security roles, select one or more security roles from the list, and
then choose Remove.
7. To modify the security scopes and collections that are associated with security
roles, choose the Security Scopes tab.
To associate new security scopes or collections with all security roles that are
assigned to this administrative user, choose Add and select one of the four
options. If you select Security Scope or Collection, check the box for one or
more objects to complete that selection, and then choose OK.
To remove a security scope or collection, choose the object, and then choose
Remove.
Use the following procedure to modify an administrative user that has the securable
object behavior set to Associate assigned security roles with specific security scopes
and collections.
5. Choose the Security Scopes tab to confirm that the administrative user is
configured for Associate assigned security roles with specific security scopes and
collections.
6. To modify the assigned security roles, choose the Security Roles tab.
Note
You must configure at least one security scope before the selected
security roles can be assigned to the administrative user. When you
select multiple security roles, each security scope and collection that you
configure is associated with each of the selected security roles.
To remove security roles, select one or more security roles from the list, and
then choose Remove.
7. To modify the security scopes and collections that are associated with a specific
security role, choose the Security Scopes tab, select the security role, and then
choose Edit.
To associate new objects with this security role, choose Add, and select an
object type to associate with the selected security roles. If you select Security
Scope or Collection, check the box for one or more objects to complete that
selection, and then choose OK.
When you have finished modifying the associated objects, choose OK.
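The create and modify procedures above can also be scripted, which makes it easier to keep administrative users on the narrowest scope that does the job and to audit them regularly. The following is an added example, not code from the Configuration Manager documentation. It assumes the ConfigurationManager PowerShell module installed with the console, a hypothetical site code PS1, and hypothetical names for the AD group (CONTOSO\NA-Helpdesk), the security scopes (NorthAmerica, NorthAmerica-Test) and the collection (All North America Desktops); the RoleNames and CategoryNames property names are taken from the SMS_Admin class of the SMS Provider, where security scopes are stored as categories, and should be treated as an assumption.

```powershell
# Added example (not from the Configuration Manager documentation): create a
# scoped administrative user the way the wizard's second option does, adjust
# its roles and scopes the way the modify procedures do, then audit every
# administrative user for over-broad access.
# Assumptions: ConfigurationManager module from the console, site code PS1,
# and the group, scope and collection names below are hypothetical.

Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
Set-Location 'PS1:'   # assumed site code

$adminName = 'CONTOSO\NA-Helpdesk'   # hypothetical AD group

# Equivalent of "Only the instances of objects that are assigned to the
# specified security scopes and collections": one built-in role, an explicit
# scope and an explicit collection, so the user never lands on the All scope.
New-CMAdministrativeUser -Name $adminName `
    -RoleName 'Remote Tools Operator' `
    -SecurityScopeName 'NorthAmerica' `
    -CollectionName 'All North America Desktops' | Out-Null

# The modify procedures, scripted: add a role, add a scope, remove a role.
Add-CMSecurityRoleToAdministrativeUser  -AdministrativeUserName $adminName -RoleName 'Read-only Analyst'
Add-CMSecurityScopeToAdministrativeUser -AdministrativeUserName $adminName -SecurityScopeName 'NorthAmerica-Test'
Remove-CMSecurityRoleFromAdministrativeUser -AdministrativeUserName $adminName -RoleName 'Read-only Analyst' -Force

# Audit: the wizard's first option silently grants the All scope and the
# All Systems collection. Flag any administrative user holding the All scope
# or the Full Administrator role so that each such grant is deliberate.
# RoleNames / CategoryNames / CollectionNames are SMS_Admin property names
# (assumption: security scopes are "categories" in the SMS Provider schema).
function Get-CMOverPrivilegedAdmin {
    Get-CMAdministrativeUser | Where-Object {
        ($_.CategoryNames -contains 'All') -or
        ($_.RoleNames -contains 'Full Administrator')
    } | Select-Object LogonName, RoleNames, CategoryNames, CollectionNames
}

Get-CMOverPrivilegedAdmin | Format-Table -AutoSize
```

Run the audit function on a schedule: any account that appears in its output and is not a known full administrator is a candidate for the second or third securable-object behavior instead of the first.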
Next steps
Role-based administration and auditing tool
Use the Azure Services Wizard to simplify the process of configuring the Azure cloud
services you use with Configuration Manager. This wizard provides a common
configuration experience by using Azure Active Directory (Azure AD) web app
registrations. These apps provide subscription and configuration details, and
authenticate communications with Azure AD. Registering the app once replaces
entering the same information each time you set up a new Configuration Manager
component or service with Azure.
Available services
Configure the following Azure services using this wizard:
Cloud Management: This service enables the site and clients to authenticate by
using Azure AD. This authentication enables other scenarios, such as:
Log Analytics Connector: Connect to Azure Log Analytics. Sync collection data to
Log Analytics.
Important
This article refers to the Log Analytics Connector, which was formerly called
the OMS Connector. This feature was deprecated in November 2020. It's
removed from Configuration Manager in version 2107. For more information,
see Removed and deprecated features.
Microsoft Store for Business: Connect to the Microsoft Store for Business. Get
store apps for your organization that you can deploy with Configuration Manager.
Service details
The following table lists details about each of the services.
Tenants: The number of service instances you can configure. Each instance must be
a distinct Azure AD tenant.
Clouds: All services support the global Azure cloud, but not all services support
private clouds, such as the Azure US Government cloud.
Web app: Whether the service uses an Azure AD app of type Web app / API, also
referred to as a server app in Configuration Manager.
Native app: Whether the service uses an Azure AD app of type Native, also
referred to as a client app in Configuration Manager.
Actions: Whether you can import or create these apps in the Configuration
Manager Azure Services Wizard.
You can use a single app for more than one service. There's only one object to manage
in Configuration Manager and Azure AD. When the security key on the app expires, you
only have to refresh one key.
When you create additional Azure services in the wizard, Configuration Manager
reuses information that's common between services, so you don't need to enter the
same information more than once.
For more information about the required app permissions and configurations for each
service, see the relevant Configuration Manager article in Available services.
For more information about Azure apps, start with the following articles:
Manually create the apps in advance in the Azure portal. Then import the app
details into Configuration Manager.
Use Configuration Manager to directly create the apps in Azure AD. To collect the
necessary data from Azure AD, review the information in the other sections of this
article.
Some services require the Azure AD apps to have specific permissions. Review the
information for each service to determine any required permissions. For example, before
you can import a web app, an Azure administrator must first create it in the Azure
portal.
When configuring the Log Analytics Connector, give your newly registered web app
contributor permission on the resource group that contains the relevant workspace. This
permission allows Configuration Manager to access that workspace. When assigning the
permission, search for the name of the app registration in the Add users area of the
Azure portal. This process is the same as when providing Configuration Manager with
permissions to Log Analytics. An Azure administrator must assign these permissions
before you import the app into Configuration Manager.
2. On the Home tab of the ribbon, in the Azure Services group, select Configure
Azure Services.
c. Select the Azure service that you want to connect with Configuration Manager.
4. Select Next to continue to the Azure app properties page of the Azure Services
Wizard.
The rest of the App page varies depending upon the specific service. Refer to the table
in Service details for which type of app the service uses, and which action you can use.
If the app supports both the import and create actions, select Browse. This action
opens the Server app dialog or the Client App dialog.
If the app only supports the import action, select Import. This action opens the
Import Apps dialog (server) or the Import Apps dialog (client).
After you specify the apps on this page, select Next to continue to the Configuration or
Discovery page of the Azure Services Wizard.
Web app
This app is the Azure AD type Web app / API, also referred to as a server app in
Configuration Manager.
There are three actions you can take from the Server app dialog:
After you select, import or create a web app, select OK to close the Server app dialog.
This action returns to the App page of the Azure Services Wizard.
After entering the information, select Verify. Then select OK to close the Import apps
dialog. This action returns to either the App page of the Azure Services Wizard, or the
Server app dialog.
Important
When you use an imported Azure AD app, you aren't notified of an upcoming
expiration date from console notifications.
When you select Create from the Server app dialog, it opens the Create Server
Application dialog. This page automates the creation of a web app in Azure AD. Specify
the following information:
HomePage URL: This value isn't used by Configuration Manager, but Azure AD
requires it. By default this value is https://ConfigMgrService.
App ID URI: This value needs to be unique in your Azure AD tenant. It's in the
access token used by the Configuration Manager client to request access to the
service. By default this value is https://ConfigMgrService. Change the default to
one of the following recommended formats:
api://{tenantId}/{string}, for example,
api://5e97358c-d99c-4558-af0c-de7774091dda/ConfigMgrService
https://{verifiedCustomerDomain}/{string}, for example,
https://contoso.onmicrosoft.com/ConfigMgrService
Secret Key validity period: choose either 1 year or 2 years from the drop-down list.
One year is the default value.
Note
You may see an option for Never, but Azure AD no longer supports it. If you
previously selected this option, the expiration date is now set for 99 years
from the date you created it.
Select OK to create the web app in Azure AD and close the Create Server Application
dialog. This action returns to the Server app dialog.
Note
If you have an Azure AD Conditional Access policy that applies to All cloud
apps, you must exclude the created server application from that policy. For more
information on how to exclude specific apps, see the Azure AD Conditional Access
documentation.
There are three actions you can take from the Client App dialog:
After you select, import or create a native app, choose OK to close the Client App
dialog. This action returns to the App page of the Azure Services Wizard.
When you select Import from the Client App dialog, it opens the Import apps dialog.
This page lets you enter information about an Azure AD native app that is already
created in the Azure portal. It imports metadata about that native app into
Configuration Manager. Specify the following information:
After entering the information, select Verify. Then select OK to close the Import apps
dialog. This action returns to the Client App dialog.
Tip
When you register the app in Azure AD, you may need to manually specify the
following Redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/<ClientID>.
Specify the app's client ID GUID, for example:
ms-appx-web://Microsoft.AAD.BrokerPlugin/a26a653e-17aa-43eb-ab36-0e36c7d29f49.
Select OK to create the native app in Azure AD and close the Create Client Application
dialog. This action returns to the Client App dialog.
Configuration or Discovery
After specifying the web and native apps on the Apps page, the Azure Services Wizard
proceeds to either a Configuration or Discovery page, depending upon the service to
which you're connecting. The details of this page vary from service to service. For more
information, see one of the following articles:
Finally, complete the Azure Services Wizard through the Summary, Progress, and
Completion pages. You've completed the configuration of an Azure service in
Configuration Manager. Repeat this process to configure other Azure services.
Starting in version 2006, the Configuration Manager console displays notifications for
the following circumstances:
For more information on how to interact with these notifications, see Configuration
Manager console notifications.
Note
You need to have at least the "Cloud Application Administrator" Azure AD role
assigned to be able to renew the key.
2. On the Details pane, select the Azure AD tenant for the app.
3. In the ribbon, select Renew Secret Key. Enter the credentials of either the app
owner or an Azure AD administrator.
Save the secret key before closing the Azure application properties Key page. This
information is removed when you close the page.
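Because an imported app gives you no console notification before its secret expires, and because the wizard's default App ID URI (https://ConfigMgrService) is not in either recommended format, it's worth checking the app registrations from the tenant side as well. The following is an added example, not code from the Configuration Manager documentation. It assumes the Microsoft.Graph PowerShell module, a signed-in account that can read application objects, and that your Configuration Manager apps share a display-name prefix (ConfigMgr); change the filter if your naming differs.

```powershell
# Added example (not from the Configuration Manager documentation): audit the
# Azure AD app registrations used by Configuration Manager for two things the
# console won't tell you about an imported app: a secret that is about to
# expire, and an App ID URI that is not in a recommended format.
# Assumptions: Microsoft.Graph module installed; app display names start with
# "ConfigMgr" (naming convention, not a fixed value).

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null
$tenantId = (Get-MgContext).TenantId

# Recommended App ID URI formats: api://{tenantId}/{string} or
# https://{verifiedCustomerDomain}/{string}. The wizard default
# https://ConfigMgrService has no domain and therefore fails both tests.
function Test-CMAppIdUri {
    param([Parameter(Mandatory)][string]$Uri, [Parameter(Mandatory)][string]$TenantId)
    if ($Uri -match "^api://$([regex]::Escape($TenantId))/[^/]+$") { return $true }
    if ($Uri -match '^https://[a-z0-9.-]+\.[a-z]{2,}/[^/]+$')       { return $true }
    return $false
}

function Get-CMAppRegistrationReport {
    param([int]$WarnDays = 30)
    $now = [DateTime]::UtcNow
    Get-MgApplication -All -Filter "startswith(displayName,'ConfigMgr')" | ForEach-Object {
        $app = $_
        # Identifier URIs that don't match either recommended format
        $badUris = @($app.IdentifierUris | Where-Object { -not (Test-CMAppIdUri -Uri $_ -TenantId $tenantId) })
        # Secrets whose EndDateTime falls inside the warning window. A native
        # (client) app normally has no secrets; a web (server) app should.
        $expiring = @($app.PasswordCredentials | Where-Object {
            $null -ne $_.EndDateTime -and
            ($_.EndDateTime.ToUniversalTime() - $now).TotalDays -lt $WarnDays
        })
        [pscustomobject]@{
            DisplayName         = $app.DisplayName
            AppId               = $app.AppId
            NonCompliantUri     = ($badUris -join ', ')
            SecretCount         = @($app.PasswordCredentials).Count
            SecretsExpiringSoon = $expiring.Count
            NextExpiryUtc       = ($app.PasswordCredentials.EndDateTime | Sort-Object | Select-Object -First 1)
        }
    }
}

Get-CMAppRegistrationReport -WarnDays 30 | Format-Table -AutoSize
```

Renewing the key is still done from the console as described above; this report only tells you when to do it, and which apps were created with the default URI and should be re-registered with one of the recommended formats.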
Disable authentication
Starting in version 2010, you can disable Azure AD authentication for tenants that
have no users or devices associated with them. When you onboard Configuration
Manager to Azure AD, it allows the site and clients to use modern authentication.
Currently, Azure AD device authentication is enabled for all onboarded tenants,
whether or not they have users or devices. For example, you have a separate tenant
with a subscription that you use only for compute resources to support a cloud
management gateway. If there aren't users or devices associated with the tenant,
disable Azure AD authentication for it.
3. Select the target connection of type Cloud Management. In the ribbon, select
Properties.
5. Select the option to Disable Azure Active Directory authentication for this tenant.
Tip
It can take up to 25 hours for this change to take effect on clients. To speed up
this change for testing purposes, use the following steps:
If you select a service and then choose Delete in the ribbon, this action deletes the
connection in Configuration Manager. It doesn't remove the app in Azure AD. Ask your
Azure administrator to delete the app when it's no longer needed. Or run the Azure
Service Wizard to import the app.
2. Configuration Manager Azure AD user discovery method runs. The site uses the
Azure AD server app token to query Microsoft Graph for user objects.
3. The site stores data about the user objects. For more information, see Azure AD
User Discovery.
4. The Configuration Manager client requests the Azure AD user token. The client
makes the claim using the application ID of the Azure AD client app, and the server
app as the audience. For more information, see Claims in Azure AD Security
Tokens.
5. The client authenticates with the site by presenting the Azure AD token to the
cloud management gateway and on-premises HTTPS-enabled management point.
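When troubleshooting this flow it helps to look at the token itself and confirm the two claims that step 4 depends on: the audience (aud) must be the server app's App ID URI and the requesting application (appid) must be the client app's ID. The following is an added example, not code from the Configuration Manager documentation. It decodes a JWT payload and checks those claims plus expiry; it does not validate the signature, which is the job of the management point and the cloud management gateway. The sample token is constructed inline and unsigned, and the App ID URI and client ID reuse the example GUIDs from this article as placeholder values.

```powershell
# Added example (not from the Configuration Manager documentation): decode an
# Azure AD access token's payload and check the claims the site relies on.
# Claims only; signature validation is done by the MP / CMG, not here.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload[.signature]' }
    # base64url -> base64: restore the standard alphabet and the '=' padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-CMTokenClaims {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ServerAppIdUri,   # expected aud (server app)
        [Parameter(Mandatory)][string]$ClientAppId       # expected appid (client app)
    )
    $claims   = ConvertFrom-JwtPayload -Token $Token
    $problems = @()
    if ($claims.aud   -ne $ServerAppIdUri) { $problems += "aud is '$($claims.aud)', expected '$ServerAppIdUri'" }
    if ($claims.appid -ne $ClientAppId)    { $problems += "appid is '$($claims.appid)', expected '$ClientAppId'" }
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
    if ($exp -lt [DateTime]::UtcNow)       { $problems += "token expired at $exp UTC" }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems; Claims = $claims }
}

# Constructed, unsigned sample token (header.payload.) for demonstration only.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$serverAppIdUri = 'api://5e97358c-d99c-4558-af0c-de7774091dda/ConfigMgrService'  # placeholder
$clientAppId    = 'a26a653e-17aa-43eb-ab36-0e36c7d29f49'                          # placeholder
$header  = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
$payload = ConvertTo-Base64Url (@{
    aud   = $serverAppIdUri
    appid = $clientAppId
    tid   = '5e97358c-d99c-4558-af0c-de7774091dda'
    exp   = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress)
$sampleToken = "$header.$payload."

Test-CMTokenClaims -Token $sampleToken -ServerAppIdUri $serverAppIdUri -ClientAppId $clientAppId
```

A token copied from a client trace that fails the aud check usually means the client app was imported with the wrong server app as its audience, or the App ID URI was changed in Azure AD after the service was configured in Configuration Manager.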
Use this article as a guide to uninstall a Configuration Manager site system role, site, or
hierarchy. You can also remove the central administration site (CAS) from a hierarchy,
but keep the primary site.
When you decide you need to remove a role, first consider your answers to the
following questions:
Do you still need the role in the site? If so, does another site system already have
the role?
Are other site systems with this role properly sized to support your business
requirements for performance and availability?
Are all clients already reconfigured to use another role? Will you rely upon default
client behaviors to fall back or discover another server?
3. In the ribbon, on the Site Role tab, in the Site Role group, select Remove Role.
Confirm that you want to remove the role.
When you have more than one software update point at a primary site, and you remove
the software update point that's the synchronization source, choose another software
update point at the site to be the new synchronization source.
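The first two questions above (is the role still needed, and does another site system already have it) can be answered from the site data before you touch the ribbon. The following is an added example, not code from the Configuration Manager documentation. It assumes the ConfigurationManager module from the console, a hypothetical site code PS1 and server name, and that RoleName and NetworkOSPath are the property names on the objects Get-CMSiteRole returns (SMS_SCI_SysResUse), which should be treated as an assumption.

```powershell
# Added example (not from the Configuration Manager documentation): list every
# role on the server you plan to retire and check whether another site system
# in the same site still provides it. The base roles every site system carries
# ("SMS Site System", "SMS Component Server") are not candidates for removal.
# Assumptions: site code PS1 and the server name are hypothetical.

Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
Set-Location 'PS1:'

function Get-CMRoleRedundancy {
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$ServerFqdn    # server whose roles you want to remove
    )
    $baseRoles = @('SMS Site System', 'SMS Component Server')
    $all       = Get-CMSiteRole -SiteCode $SiteCode
    $onServer  = $all | Where-Object { $_.NetworkOSPath -like "\\$ServerFqdn*" }

    foreach ($role in $onServer) {
        # Other site systems in this site that carry the same role
        $others = @($all | Where-Object {
            $_.RoleName -eq $role.RoleName -and $_.NetworkOSPath -notlike "\\$ServerFqdn*"
        })
        [pscustomobject]@{
            RoleName     = $role.RoleName
            OtherServers = (($others.NetworkOSPath -replace '^\\\\', '') -join ', ')
            SafeToRemove = ($others.Count -gt 0) -or ($role.RoleName -in $baseRoles)
        }
    }
}

Get-CMRoleRedundancy -SiteCode 'PS1' -ServerFqdn 'cm-dp02.contoso.local' | Format-Table -AutoSize
```

A role that reports SafeToRemove = False with no OtherServers is one that clients still depend on; add it to another site system, or confirm the clients' fallback behavior covers it, before you select Remove Role. If the role is the synchronization-source software update point, reassign the source in the console first, as described above.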
Secondary site
Other than when you're decommissioning a hierarchy, the main reason to remove a
secondary site is because of a broader infrastructure change, such as network or
physical locations. Also review the reasons to choose a secondary site.
When you decide you need to remove a secondary site, first consider your answers to
the following questions:
Did you remove all site system roles from the site server?
Are any boundaries or boundary groups associated with the secondary site?
Reconfigure boundaries before removing the site.
Have you configured other content management options like peer caching?
Use this option to remove a functional secondary site that's accessible from the network.
This option uninstalls Configuration Manager from the secondary site server. It then
deletes all information about the site and its resources from the Configuration Manager
site.
If Configuration Manager installed SQL Server Express for the secondary site,
Configuration Manager uninstalls SQL Server Express as well. If you installed SQL Server
Express before you installed the secondary site, Configuration Manager doesn't uninstall
SQL Server Express.
Delete: use this option when the secondary site isn't accessible from the network,
or in the following situations:
It failed to install
After you uninstall it, the Configuration Manager console still shows the secondary
site
This option deletes all information about the site and its resources from the
Configuration Manager hierarchy, but doesn't make any changes on the site server.
Tip
You also can use the Hierarchy Maintenance Tool with the /DELSITE option to
delete a secondary site. For more information, see Hierarchy Maintenance
Tool (Preinst.exe).
The administrative user who removes the secondary site needs the following security
rights:
If the primary site database server is remote from the primary site server, local
Administrator rights on the remote site database server for the primary site.
Infrastructure Administrator or Full Administrator security role on the parent
primary site
2. Select the secondary site server that you want to remove. In the ribbon, on the
Home tab, in the Site group, select Delete.
3. On the General page, select whether to uninstall or delete the secondary site.
Primary site
You might want to uninstall a primary site from your hierarchy for the following reasons:
Before you uninstall a child primary site that uses distributed views for its replication link
to the CAS, first turn off distributed views in your hierarchy. For more information, see
Uninstall a primary site that is configured with distributed views.
Make sure all active clients are reassigned to another primary site in the hierarchy.
Otherwise clients will be unmanaged after you uninstall the site. For more
information, see How to assign clients to a site.
Review the list of site roles to make sure the new site provides the same level of
service.
Make sure that you've properly sized the other site systems with this role in the
other site. They will need to support your business requirements for
performance and availability with the additional clients.
If this site has lots of clients, reassign them in stages. Monitor database
replication as clients refresh full inventory and other site-specific data. If you
manage software updates, clients will assign to a new software update point.
This behavior causes a full scan for update compliance.
Client reassignment may impact reports and queries that rely on inventory data,
and state-based compliance. Consider temporarily adjusting any client cycles
during the transition.
Review all client assignment methods to make sure that none refers to this
primary site.
Check if any actively used objects in the hierarchy have static references to the site
code. For example, collection queries, task sequences, or administrative scripts.
If the hierarchy uses a fallback site for automatic site assignment, make sure it
doesn't reference this primary site.
Reconfigure any client installation methods that may reference a static site code.
If this primary site has any site-specific cloud-attached services, make sure to
remove them. If you still need the cloud resources, move them to another primary
site in the hierarchy. Remove them from the primary site that you're going to
uninstall, and add them to another primary site.
If this primary site has any discovery methods for the hierarchy, move them to
another site.
Uninstall all site system roles from the site and the site server. For more
information, see Uninstall site system roles. While this preparation step isn't
required, it helps identify any additional dependencies before uninstalling the site.
Uninstall any secondary sites under this primary site. For more information, see the
Secondary site section.
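Several of the preparation steps above (clients still assigned, secondary sites still attached, roles still installed) can be checked from the hierarchy before you start setup. The following is an added example, not code from the Configuration Manager documentation. It assumes the ConfigurationManager module from the console, connected through a hypothetical CAS site code, a hypothetical child primary site code PS1, and that SiteCode and IsClient are property names on Get-CMDevice output (SMS_CombinedDeviceResources) while Type and ReportingSiteCode are property names on Get-CMSite output (SMS_Site, where Type 1 is a secondary site); these property names should be treated as assumptions.

```powershell
# Added example (not from the Configuration Manager documentation): pre-flight
# checks before uninstalling a child primary site.
# Assumptions: CAS site code "CAS" and primary site code "PS1" are hypothetical.

Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
Set-Location 'CAS:'   # connect at the CAS so the whole hierarchy is visible

function Test-CMPrimarySiteReadyForUninstall {
    param([Parameter(Mandatory)][string]$SiteCode)

    # 1. Clients still assigned here become unmanaged once the site is gone.
    $assigned = @(Get-CMDevice | Where-Object { $_.SiteCode -eq $SiteCode -and $_.IsClient })

    # 2. Secondary sites must be removed before the primary site can be uninstalled.
    $secondaries = @(Get-CMSite | Where-Object { $_.ReportingSiteCode -eq $SiteCode -and $_.Type -eq 1 })

    # 3. Roles still installed at the site surface remaining dependencies.
    $baseRoles = @('SMS Site System', 'SMS Component Server', 'SMS Site Server', 'SMS SQL Server')
    $roles = @(Get-CMSiteRole -SiteCode $SiteCode | Where-Object { $_.RoleName -notin $baseRoles })

    [pscustomobject]@{
        SiteCode         = $SiteCode
        AssignedClients  = $assigned.Count
        SecondarySites   = ($secondaries.SiteCode -join ', ')
        RemainingRoles   = (($roles.RoleName | Sort-Object -Unique) -join ', ')
        ReadyToUninstall = ($assigned.Count -eq 0 -and $secondaries.Count -eq 0)
    }
}

Test-CMPrimarySiteReadyForUninstall -SiteCode 'PS1' | Format-List
```

RemainingRoles is informational rather than blocking, matching the text above: removing the roles first isn't required, but each one listed is a dependency you should account for, and cloud-attached services and discovery methods still need to be moved by hand.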
If the CAS database server is remote from the site server, local Administrator rights
on the remote site database server for the CAS.
If the primary site database server is remote from the primary site server, local
Administrator rights on the remote site database server for the primary site.
Tip
If the primary site server is no longer available, use the Hierarchy Maintenance Tool
at the CAS to delete the primary site from the site database. For more information,
see Hierarchy Maintenance Tool (Preinst.exe).
1. Start Configuration Manager setup on the primary site server by using one of the
following methods:
Important
When a secondary site is attached to the primary site, you must remove the
secondary site before you can uninstall the primary site.
4. On the Uninstall the Configuration Manager Site page, both of the following
options are enabled by default:
5. Select Yes to confirm the uninstallation of the Configuration Manager primary site.
2. After you turn off distributed views on each link, confirm that the data from the
primary site finishes reinitializing at the CAS. To monitor the initialization of data,
see Monitor replication.
3. After the data successfully reinitializes with the CAS, you can uninstall the primary
site.
4. When the primary site is uninstalled, you can reconfigure distributed views on links
from the CAS to other primary sites.
Important
If you uninstall the primary site before you turn off distributed views at each
site, or before the data from the primary site successfully reinitializes at the
CAS, data replication might fail.
Decommission a hierarchy
Some organizations have multiple hierarchies because of mergers, acquisitions, test
environments, or other business requirements. If you consolidate management to a
single hierarchy, this action can help reduce costs and complexity. Another reason to
decommission the hierarchy is that you're migrating to a cloud-only management
service such as Microsoft Intune, and are ready to remove your on-premises
infrastructure.
To decommission a hierarchy with multiple sites, the sequence of removal is important.
Start by uninstalling the sites at the bottom of the hierarchy and then move upward:
The administrative user who runs Configuration Manager setup needs the following
security rights:
If the CAS database server is remote from the site server, local Administrator rights
on the remote site database server for the CAS.
Important
Remove all child primary sites before you can uninstall the CAS.
4. On the Uninstall the Configuration Manager Site page, both of the following
options are enabled by default:
If the hierarchy consists of the central administration site (CAS) and a single child
primary site, you can remove the CAS. This action simplifies your Configuration Manager
infrastructure to a single, standalone primary site. It removes the complexities of site-to-
site replication, and focuses your management tasks to the single site.
Note
This feature was first introduced in version 2002 as a pre-release feature. Starting
in version 2103, it's no longer a pre-release feature.
Configuration Manager doesn't enable this optional feature by default. You must
enable this feature before using it. For more information, see Enable optional
features from updates.
Plan
The hierarchy needs to consist of the CAS and a single child primary site. The
primary site can have secondary sites. To remove other child primary sites from the
hierarchy, review the planning steps and prerequisites to Uninstall a primary site.
Make sure your child primary site meets the size and scale requirements for a
stand-alone primary site.
Make sure to upgrade all sites to the latest released version of Configuration
Manager current branch.
Move or retire any site roles at the CAS, except the service connection point and
the software update point. Configuration Manager setup handles these two roles
when you remove the CAS.
The following roles are most common at the CAS, which you need to retire or
move to the primary site:
Asset Intelligence sync point
Endpoint Protection point
Reporting services point
Data warehouse service point
Turn off distributed views
Stop any active migration jobs and remove all configurations for migration. For
more information, see Stop active migration from another hierarchy.
If you have any custom status filter rules or alerts and subscriptions, recreate them
on the child primary site. Starting in version 2107, also recreate any subscriptions
for external notifications.
If you use automatic deployment rules for software updates, recreate them on the
child primary site.
Review any third-party software that might have a dependency on the CAS.
Prerequisites
Configuration Manager version 2103 or later.
The administrative user that runs Configuration Manager setup needs the
following security rights:
If the CAS database server is remote from the site server, local Administrator
rights on the remote site database server for the CAS.
Only one child primary site in the hierarchy. For more information, see Uninstall a
primary site.
Process
1. Start Configuration Manager setup on the CAS server by using one of the following
methods:
version.
3. On the Getting Started page, select Perform site maintenance or reset this site.
Service Connection Point: Enter the fully qualified domain name of the site
system in the primary site to host this required role. For more information,
see About the service connection point.
Setup checks that the specified servers meet the prerequisites. Select Begin Install
when you're ready to continue.
If setup comes across an issue, use the wizard to retry the process.
When setup is complete, it resets the primary site. For more information, see Run a site
reset.
hman.log in the Configuration Manager logs directory on the primary site server
Use the Site Hierarchy node in the Monitoring workspace to visualize the changes to
the hierarchy. For example, the following graphic shows the before and after
comparison of the SHY CAS, HAW primary site, and VWT secondary site:
Post-setup tasks
After you remove the CAS, review the following steps as they apply to your
environment.
Manually remove the CAS server computer account from the primary site local
groups.
The trusted root key changed, which can require additional actions:
If you connect Configuration Manager with Azure Monitor, you need to reset the
connection. The first step to resolve any issues is to renew the secret key. If that
doesn't resolve the issue, recreate the connection.
Important
The Log Analytics Connector was deprecated in November 2020. It's removed
from Configuration Manager in version 2107. For more information, see
Removed and deprecated features.
If you enable synchronization of Surface drivers, reconfigure this feature after you
remove the CAS. For more information, see Microsoft Surface drivers and firmware
updates.
1. Export the WSUS signing certificate from the software update point on the
CAS, if you haven't already.
2. Before you create any new deployments, remove the update from any
existing deployments and software update packages.
Use the following information to identify the Windows groups, accounts, and SQL Server
objects that are used in Configuration Manager, how they're used, and any
requirements.
Note
When Configuration Manager creates a group on a computer that's a domain
member, the group is a local security group. If the computer is a domain controller,
the group is a domain local group. This type of group is shared among all domain
controllers in the domain.
Configuration Manager_CollectedFilesAccess
Configuration Manager uses this group to grant access to view files collected by
software inventory.
When you uninstall a site, this group isn't automatically removed. Manually delete it
after uninstalling a site.
Configuration Manager_DViewAccess
This group is a local security group that Configuration Manager creates on the site
database server or database replica server for a child primary site. The site creates it
when you use distributed views for database replication between sites in a hierarchy. It
contains the site server and SQL Server computer accounts of the central administration
site.
ConfigMgr Remote Control Users
Configuration Manager uses this group on clients to hold the accounts that are
allowed to use remote tools.
After you disable remote tools for a client, this group isn't automatically removed.
Manually delete it after disabling remote tools.
By default, there are no members in this group. When you add users to the Permitted
Viewers list, they're automatically added to this group.
Use the Permitted Viewers list to manage the membership of this group instead of
adding users or groups directly to this group.
In addition to being a permitted viewer, an administrative user must have the Remote
Control permission to the Collection object. Assign this permission by using the Remote
Tools Operator security role.
By default, this group doesn't have permissions to any locations on the computer. It's
used only to hold the Permitted Viewers list.
SMS Admins
Configuration Manager uses this group to grant access to the SMS Provider through
WMI. Access to the SMS Provider is required to view and change objects in the
Configuration Manager console.
This group is a local security group created on each computer that has an SMS Provider.
When you uninstall a site, this group isn't automatically removed. Manually delete it
after uninstalling a site.
When you use a remote Configuration Manager console, configure Remote Activation
DCOM permissions on both the site server computer and the SMS Provider. Grant these
rights to the SMS Admins group. This action simplifies administration instead of
granting these rights directly to users or groups. For more information, see Configure
DCOM permissions for remote Configuration Manager consoles.
SMS_SiteSystemToSiteServerConnection_MP_<sitecode>
Management points that are remote from the site server use this group to connect to
the site database. This group provides a management point access to the inbox folders
on the site server and the site database.
This group is a local security group created on the site server.
When you uninstall a site, this group isn't automatically removed. Manually delete it
after uninstalling a site.
By default, this group has Read, Read & execute, and List folder contents permission to
the following folder on the site server: C:\Program Files\Microsoft Configuration
Manager\inboxes . This group also has Write permission to subfolders below inboxes, to
SMS_SiteSystemToSiteServerConnection_SMSProv_<sitecode>
Remote SMS Provider computers use this group to connect to the site server.
When you uninstall a site, this group isn't automatically removed. Manually delete it
after uninstalling a site.
below the inboxes. The SMS Provider requires access to these folders.
This group also has Read permission to the subfolders on the site server below
C:\Program Files\Microsoft Configuration Manager\OSD\Bin .
Read
Read & execute
List folder contents
Write
Modify
SMS_SiteSystemToSiteServerConnection_Stat_<sitecode>
The file dispatch manager component on Configuration Manager remote site system
computers uses this group to connect to the site server.
When you uninstall a site, this group isn't automatically removed. Manually delete it
after uninstalling a site.
By default, this group has Read, Read & execute, and List folder contents permission to
the following folder and its subfolders on the site server: C:\Program Files\Microsoft
Configuration Manager\inboxes .
This group also has the Write and Modify permissions to the following folder on the
site server: C:\Program Files\Microsoft Configuration Manager\inboxes\statmgr.box .
SMS_SiteToSiteConnection_<sitecode>
Configuration Manager uses this group to enable file-based replication between sites in
a hierarchy. For each remote site that directly transfers files to this site, this group has
accounts set up as a File Replication Account.
When you uninstall a site, this group isn't automatically removed. Manually delete it
after uninstalling a site.
By default, this group has Full control to the following folder: C:\Program
Files\Microsoft Configuration Manager\inboxes\despoolr.box\receive .
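The groups above are ordinary local security groups with NTFS grants on folders under the install path, so they can be audited like any other. The following PowerShell is an added example for this page, not a script from the Configuration Manager documentation or product: it lists the members of each SMS_ group and SMS Admins on the site server, flags leftover groups whose site-code suffix doesn't match the current site (the page notes they're not removed on uninstall), and reports the ACEs those groups hold on the inboxes, statmgr.box, despoolr.box\receive and OSD\Bin folders. The site code and install path are parameters; the defaults are placeholders.

```powershell
# Added example (not from the Configuration Manager docs): audit the SMS_* local
# groups on a site server and the NTFS rights they hold on the site folders.
# Assumptions: run elevated on the site server; $SiteCode and $InstallRoot are
# placeholders you replace. Uses the built-in Microsoft.PowerShell.LocalAccounts module.
param(
    [string]$SiteCode    = 'PS1',                                            # hypothetical
    [string]$InstallRoot = 'C:\Program Files\Microsoft Configuration Manager' # default path
)

$expectedGroups = @(
    "SMS_SiteSystemToSiteServerConnection_MP_$SiteCode",
    "SMS_SiteSystemToSiteServerConnection_SMSProv_$SiteCode",
    "SMS_SiteSystemToSiteServerConnection_Stat_$SiteCode",
    "SMS_SiteToSiteConnection_$SiteCode",
    'SMS Admins'
)

# 1. Membership. The SMS_ connection groups should contain site system / site server
#    computer accounts; SMS Admins holds administrative users or groups. Anything
#    else (a human user in a connection group, for instance) deserves a question.
foreach ($g in $expectedGroups) {
    $grp = Get-LocalGroup -Name $g -ErrorAction SilentlyContinue
    if (-not $grp) { Write-Warning "Group '$g' is not present on this computer"; continue }
    $members = Get-LocalGroupMember -Group $grp -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Group   = $g
        Members = ($members | ForEach-Object { "$($_.Name) [$($_.ObjectClass)]" }) -join '; '
    }
}

# 2. Stale groups from a previously uninstalled site: any SMS_ connection group
#    whose site-code suffix is not the current one.
Get-LocalGroup | Where-Object {
    $_.Name -like 'SMS_*Connection_*' -and $_.Name -notlike "*_$SiteCode"
} | ForEach-Object { Write-Warning "Possible leftover group from another site: $($_.Name)" }

# 3. NTFS rights on the folders the page lists. Compare against the documented
#    grants (Read/Read & execute/List on inboxes; Write+Modify on statmgr.box for
#    the Stat group; Full control on despoolr.box\receive for SiteToSite).
$paths = @(
    (Join-Path $InstallRoot 'inboxes'),
    (Join-Path $InstallRoot 'inboxes\statmgr.box'),
    (Join-Path $InstallRoot 'inboxes\despoolr.box\receive'),
    (Join-Path $InstallRoot 'OSD\Bin')
)
foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Folder not found: $p"; continue }
    (Get-Acl -LiteralPath $p).Access |
        Where-Object { $_.IdentityReference -like '*\SMS_*' -or $_.IdentityReference -like '*\SMS Admins' } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $p
                Identity  = $_.IdentityReference
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}
```

A group that holds Full control on inboxes itself, or a non-computer principal in one of the connection groups, is the kind of finding this surfaces; the script only reports, it changes nothing.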
Tip
Don't use the percentage character ( % ) in the password for accounts that you
specify in the Configuration Manager console. The account will fail to authenticate.
This account can be a computer account of the site server that runs discovery, or a
Windows user account. It must have Read access permission to the Active Directory
locations that you specify for discovery.
This account can be a computer account of the site server that runs discovery, or a
Windows user account. It must have Read access permission to the Active Directory
locations that you specify for discovery.
This account can be a computer account of the site server that runs discovery, or a
Windows user account. It must have Read access permission to the Active Directory
locations that you specify for discovery.
Note
Secondary sites always use the secondary site server computer account to publish
to Active Directory.
To discover and publish to untrusted forests, the Active Directory forest account must be
a global account. If you don't use the computer account of the site server, you can select
only a global account.
This account must have Read permissions to each Active Directory forest where you
want to discover network infrastructure.
This account must have Full Control permissions to the System Management container
and all its child objects in each Active Directory forest where you want to publish site
data. For more information, see Prepare Active Directory for site publishing.
The certificate registration point uses the Certificate registration point account to
connect to the Configuration Manager database. It uses its computer account by
default, but you can configure a user account instead. When the certificate registration
point is in an untrusted domain from the site server, you must specify a user account.
This account requires only Read access to the site database, because the state message
system handles write tasks.
The account must have Read and Write permissions on the network share where you
store captured images.
If you change the password for the account in Windows, update the task sequence with
the new password. The Configuration Manager client receives the new password when it
next downloads the client policy.
If you need to use this account, create one domain user account. Grant it minimal
permissions to access the required network resources, and use it for all capture task
sequences.
Important
This account must be a member of the local Administrators group on the target client
computers. This account doesn't require Domain Admin rights.
You can specify more than one client push installation account. Configuration Manager
tries each one in turn until one succeeds.
Tip
If you have a large Active Directory environment and need to change this account,
use the following process to more effectively coordinate this account update:
Important
Use domain or local group policy to assign the Windows user right to Deny log on
locally. As a member of the Administrators group, this account will have the right
to sign in locally, which isn't needed. For better security, explicitly deny the right for
this account. The deny right supersedes the allow right.
For more information, see Install site system roles for on-premises MDM.
Create the account as a low-right local account on the computer that runs Microsoft
SQL Server.
Important
If you need this account, create it as a low-right local account on the computer that runs
Microsoft SQL Server.
For more information, see Use multicast to deploy Windows over the network.
Important
The network access account is never used as the security context to run programs,
install software updates, or run task sequences. It's used only for accessing
resources on the network.
A Configuration Manager client first tries to use its computer account to download the
content. If it fails, it then automatically tries the network access account.
If you configure the site for HTTPS or Enhanced HTTP, a workgroup or Azure AD-joined
client can securely access content from distribution points without the need for a
network access account. This behavior includes OS deployment scenarios with a task
sequence running from boot media, PXE, or Software Center. For more information, see
Client to management point communication.
Note
If you enable Enhanced HTTP to not require the network access account, the
distribution point needs to be running Windows Server 2012 or later.
Create the account in any domain that provides the necessary access to resources. The
network access account must always include a domain name. Pass-through security isn't
supported for this account. If you have distribution points in multiple domains, create
the account in a trusted domain.
Important
Don't grant this account the right to join computers to the domain. If you must join
computers to the domain during a task sequence, use the Task sequence domain
join account.
3. Choose the Network access account tab. Set up one or more accounts, and then
choose OK.
The network access account is still required for the following actions (including eHTTP &
PKI scenarios):
Multicast. For more information, see Use multicast to deploy Windows over the
network.
Request State Store task sequence step. If the task sequence can't communicate
with the state migration point using the device's computer account, it falls back to
use the network access account. For more information, see Request State Store.
Apply OS Image task sequence step option to Access content directly from the
distribution point. This option is primarily for Windows Embedded scenarios with
low disk space where caching content to the local disk is costly. For more
information, see Access content directly from the distribution point
Task Sequence properties setting to Run another program first. This setting runs a
package and program from a network share before the task sequence starts. For
more information, see Task sequences properties: Advanced tab.
Use accounts in a domain that can access the distribution points. If you create or modify
the account after you create the package, you must redistribute the package. Updating
the package doesn't change the NTFS permissions on the package.
You don't have to add the network access account as a package access account, because
membership of the Users group adds it automatically. Restricting the package access
account to only the network access account doesn't prevent clients from accessing the
package.
2. In the Software Library workspace, determine the type of content for which you
want to manage access accounts, and follow the steps provided:
3. Right-click the selected object, and then choose Manage Access Accounts.
4. In the Add Account dialog box, specify the account type that will be granted
access to the content, and then specify the access rights associated with the
account.
Note
When you add a user name for the account, and Configuration Manager finds
both a local user account and a domain user account with that name,
Configuration Manager sets access rights for the domain user account.
Note
The account you specify must have Log on locally permissions on the computer
hosting the SQL Server Reporting Services database.
The account is automatically granted all necessary rights by being added to the
smsschm_users SQL Server Database Role on the Configuration Manager database.
Sysadmin on the instance of SQL Server that hosts the site database
Configuration Manager setup automatically adds this account to the SMS Admins
group.
After installation, this account is the only user with rights to the Configuration Manager
console. If you need to remove this account, make sure to add its rights to another user
first.
When expanding a standalone site to include a central administration site, this account
requires either Full Administrator or Infrastructure Administrator role-based
administration rights at the standalone primary site.
This account requires local administrative permissions on the target site systems.
Additionally, this account must have Access this computer from the network in the
security policy on the target site systems.
Important
If you are specifying an account in a remote domain or forest, be sure to specify the
domain FQDN before the user name, and not just the domain NetBIOS name. For
example, specify Corp.Contoso.com\UserName instead of just Corp\UserName. This
allows Configuration Manager to use Kerberos when the account is used to
authenticate to the remote site system. Using the FQDN often fixes authentication
failures resulting from recent hardening changes around NTLM in Windows
monthly updates.
Tip
If you have many domain controllers and these accounts are used across domains,
before you set up the site system, check that Active Directory has replicated these
accounts.
When you specify a local account on each site system to be managed, this
configuration is more secure than using domain accounts. It limits the damage that
attackers can do if the account is compromised. However, domain accounts are
easier to manage. Consider the trade-off between security and effective
administration.
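Two of the points above are user-rights assignments that can be verified on the target computer rather than taken on trust: the client push installation account should be in Deny log on locally on every client it's used against, and the site system installation account needs Access this computer from the network (and should be written with the domain FQDN so Kerberos is used). The following PowerShell is an added example for this page, not a script from the Configuration Manager documentation or product. It exports the local user-rights assignments with secedit.exe, resolves the SIDs it returns, and checks both accounts; the two account names are hypothetical placeholders. Rights that an account holds only through a group (for example Authenticated Users) are not resolved by this check, which is stated in the code.

```powershell
# Added example (not from the Configuration Manager docs): check the user-rights
# assignments discussed above. Assumptions: run elevated on the computer being
# checked; both account names below are hypothetical placeholders.
param(
    [string]$ClientPushAccount        = 'CORP\svc-cmpush',                   # hypothetical
    [string]$SiteSystemInstallAccount = 'corp.contoso.com\svc-cmsiteinstall'  # hypothetical
)

function Get-UserRightsAssignment {
    # secedit exports each right as "SeRightName = *S-1-5-...,*S-1-5-...". SIDs are
    # translated to DOMAIN\name where this computer can resolve them.
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -LiteralPath $cfg) {
        if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $name    = $Matches[1]
        $entries = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $rights[$name] = @(
            foreach ($entry in $entries) {
                if ($entry.StartsWith('*')) {
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                        $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $entry }   # unresolvable SID, e.g. from an untrusted domain
                } else { $entry }
            }
        )
    }
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-AccountHasRight {
    param([hashtable]$Rights, [string]$RightName, [string]$Account)
    # Exported names are NetBIOS-style (CORP\user); an FQDN prefix is reduced to its
    # first label for the comparison. Rights inherited through group membership are
    # NOT resolved here, so a "missing" right may still be present via a group.
    $sam = $Account
    if ($Account -match '^([^\\]+)\\(.+)$') { $sam = "$($Matches[1].Split('.')[0])\$($Matches[2])" }
    return [bool]($Rights[$RightName] | Where-Object { $_ -ieq $sam })
}

$rights = Get-UserRightsAssignment

# Client push installation account: a local Administrator that should never sign in
# interactively. Deny supersedes allow, so the deny entry is what matters.
if (Test-AccountHasRight $rights 'SeDenyInteractiveLogonRight' $ClientPushAccount) {
    "OK: $ClientPushAccount is in 'Deny log on locally'"
} else {
    Write-Warning "$ClientPushAccount is not in 'Deny log on locally'; as a local Administrator it can sign in interactively"
}

# Site system installation account: needs network logon and must not be denied it.
if (Test-AccountHasRight $rights 'SeDenyNetworkLogonRight' $SiteSystemInstallAccount) {
    Write-Warning "$SiteSystemInstallAccount is in 'Deny access to this computer from the network'; role installation will fail"
} elseif (-not (Test-AccountHasRight $rights 'SeNetworkLogonRight' $SiteSystemInstallAccount)) {
    Write-Warning "$SiteSystemInstallAccount does not directly hold 'Access this computer from the network' (it may still get it via a group)"
} else {
    "OK: $SiteSystemInstallAccount holds 'Access this computer from the network'"
}

# Kerberos: the domain part should be the FQDN (corp.contoso.com\user), not the
# NetBIOS name (CORP\user), as the Important note above explains.
if ($SiteSystemInstallAccount -notmatch '^[^\\]+\.[^\\]+\\') {
    Write-Warning "Specify $SiteSystemInstallAccount with the domain FQDN so Kerberos is used instead of NTLM"
}
```

Run it on a sample of client computers for the push account and on each new site system for the installation account; the group caveat means a warning about SeNetworkLogonRight is a prompt to check group policy, not proof of a misconfiguration.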
Important
Specify an account that has the least possible permissions for the required proxy
server or firewall.
Important
Specify an account that has the least possible permissions to send emails.
For more information, see Configure alerts.
Windows Server Update Services (WSUS), which sets up settings like product
definitions, classifications, and upstream settings.
The site system installation account can install components for software updates, but it
can't do software update-specific functions on the software update point. If you can't
use the site server computer account for this functionality because the software update
point is in an untrusted forest, you must specify this account in addition to the site
system installation account.
This account must be a local administrator on the computer where you install WSUS. It
must also be part of the local WSUS Administrators group.
If you have Configuration Manager 2007 distribution points or secondary sites with
colocated distribution points, when you upgrade them to Configuration Manager
(current branch) distribution points, this account must also have Delete permissions to
the Site class. This permission is to successfully remove the distribution point from the
Configuration Manager 2007 site during the upgrade.
Note
Both the source site account and the source site database account are identified as
Migration Manager in the Accounts node of the Administration workspace in the
Configuration Manager console.
For more information, see Migrate data between hierarchies.
If you use the Configuration Manager (current branch) computer account, make sure
that all the following are true for this account:
It's a member of the Distributed COM Users security group in the same domain as
the Configuration Manager 2012 site
It's a member of the SMS Admins security group
It has the Read permission to all Configuration Manager 2012 objects
Note
Both the source site account and the source site database account are identified as
Migration Manager in the Accounts node of the Administration workspace in the
Configuration Manager console.
This account requires the Domain Join right in the target domain.
Tip
Create one domain user account with the minimal permissions to join the domain,
and use it for all task sequences.
Important
Don't assign interactive sign-in permissions to this account.
This account requires permissions to access the specified shared folder. It must be a
domain user account.
Tip
Create one domain user account with minimal permissions to access the required
network resources, and use it for all task sequences.
Important
Set up the account to have the minimum permissions required to run the command line
that you specify in the task sequence. The account requires interactive sign-in rights. It
usually requires the ability to install software and access network resources. For the Run
PowerShell Script task, this account requires local administrator permissions.
Important
Never set up roaming profiles for this account. When the task sequence runs, it
downloads the roaming profile for the account. This leaves the profile vulnerable to
access on the local computer.
Limit the scope of the account. For example, create different task sequence run as
accounts for each task sequence. Then if one account is compromised, only the
client computers to which that account has access are compromised.
smsdbuser_ReadOnly
This object is used to run queries under the read-only context. This object is used with
several stored procedures.
smsdbuser_ReadWrite
This object is used to provide permissions for dynamic SQL statements.
smsdbuser_ReportSchema
This object is used to run SQL Server Reporting Executions. The following stored
procedure is used with this function: spSRExecQuery .
smsdbrole_AITool
Configuration Manager grants this permission to administrative user accounts based on
role-based access to import volume license information for Asset Intelligence. This
account could be added by a Full Administrator, Operations Administrator or Asset
Manager role, or any role with 'Manage Asset Intelligence' permission.
smsdbrole_AIUS
Configuration Manager grants the computer account that hosts the Asset Intelligence
synchronization point account access to get Asset Intelligence proxy data and to view
pending AI data for upload.
smsdbrole_CRP
Configuration Manager grants permission to the computer account of the site system
that supports the certificate registration point for Simple Certificate Enrollment Protocol
(SCEP) support for certificate signing and renewal.
smsdbrole_CRPPfx
Configuration Manager grants permission to the computer account of the site system
that supports the certificate registration point configured for PFX support for signing
and renewal.
smsdbrole_DMP
Configuration Manager grants this permission to the computer account of a management
point that has the option Allow mobile devices and Mac computers to use this
management point enabled, so that it can support MDM-enrolled devices.
smsdbrole_DmpConnector
Configuration Manager grants this permission to the computer account that hosts the
service connection point to retrieve and provide diagnostic data, manage cloud services,
and retrieve service updates.
smsdbrole_DViewAccess
Configuration Manager grants this permission to the computer account of the primary
site servers on the CAS when the SQL Server distributed views option is selected in the
replication link properties.
smsdbrole_DWSS
Configuration Manager grants this permission to the computer account that hosts the
data warehouse role.
smsdbrole_EnrollSvr
Configuration Manager grants this permission to the computer account that hosts the
enrollment point to allow for device enrollment via MDM.
smsdbrole_extract
Provides access to all the extended schema views.
smsdbrole_HMSUser
For the hierarchy manager service. Configuration Manager grants this account
permissions to manage failover state messages and SQL Server Broker transactions
between sites within a hierarchy.
smsdbrole_MCS
Configuration Manager grants this permission to the computer account of the
distribution point that supports multicast.
smsdbrole_MP
Configuration Manager grants this permission to the computer account that hosts the
management point role to provide support for the Configuration Manager clients.
smsdbrole_MPMBAM
Configuration Manager grants this permission to the computer account that hosts the
management point that manages BitLocker for an environment.
smsdbrole_MPUserSvc
Configuration Manager grants this permission to the computer account that hosts the
management point to support user-based application requests.
smsdbrole_siteprovider
Configuration Manager grants this permission to the computer account that hosts an
SMS Provider role.
smsdbrole_siteserver
Configuration Manager grants this permission to the computer account that hosts the
primary site or CAS.
smsdbrole_SUP
Configuration Manager grants this permission to the computer account that hosts the
software update point for working with third-party updates.
smsschm_users
Configuration Manager grants access to the account used for the reporting services
point account to allow access to the SMS reporting views to display the Configuration
Manager reporting data. The data is further restricted with the use of role-based access.
Elevated permissions
Configuration Manager requires some accounts to have elevated permissions for on-
going operations. For example, see Prerequisites for installing a primary site. The
following list summarizes these permissions and the reasons why they're needed.
The computer account of the primary site server and central administration site
server requires:
Sysadmin access to the SQL Server instance for the site database. This
permission is to configure and manage SQL Server for the site. Configuration
Manager tightly integrates with SQL Server; it's not just a database.
Local Administrator rights on all site servers. This permission is to view, edit,
remove, and install system services, registry keys and values, and WMI objects.
Sysadmin access to the SQL Server instance for the site database. This
permission is to install and update the database during setup or recovery. It's
also required for SQL Server maintenance and operations. For example,
reindexing and updating statistics.
Note
Some organizations may choose to remove sysadmin access and only grant
it when it is required. This behavior is sometimes referred to as "just-in-
time (JIT) access." In this case, users with the Full Administrator role should
still have access to read, update, and execute stored procedures on the
Configuration Manager database. These permissions allow them to
troubleshoot most issues without full sysadmin access.
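The database roles listed above and the sysadmin requirement here are both visible in the SQL Server catalog views, so the actual grants can be compared with what the page says they should be. The following PowerShell is an added example for this page, not a script from the Configuration Manager documentation or product. It queries the site database instance for the members of the sysadmin server role and of every smsdbrole_* role plus smsschm_users, then flags sysadmin members that aren't on an expected list (the JIT case) and smsdbrole_* members that aren't computer accounts, since the page describes nearly all of those roles as granted to site system computer accounts. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and Windows authentication; the instance, database and account names are hypothetical placeholders.

```powershell
# Added example (not from the Configuration Manager docs): audit sysadmin membership
# on the site database instance and the members of the smsdbrole_* / smsschm_users
# database roles. Assumptions: SqlServer module installed, you can read the catalog
# views, and the names below are placeholders.
param(
    [string]$ServerInstance = 'SQL01.corp.contoso.com',                            # hypothetical
    [string]$Database       = 'CM_PS1',                                             # hypothetical site DB
    [string[]]$ExpectedSysadmins = @('CORP\CMSITE01$', 'CORP\CMCAS01$', 'CORP\cm-setup') # hypothetical
)

$sysadminQuery = @"
SELECT sp.name AS LoginName, sp.type_desc AS LoginType, sp.is_disabled AS IsDisabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY sp.name;
"@

$roleMemberQuery = @"
SELECT r.name AS RoleName, m.name AS MemberName, m.type_desc AS MemberType
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name LIKE N'smsdbrole[_]%' OR r.name = N'smsschm_users'
ORDER BY r.name, m.name;
"@

$sysadmins   = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $sysadminQuery
$roleMembers = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $roleMemberQuery

# 1. Sysadmin: the page expects the site server computer account(s) and the account
#    that runs setup. SQL's own service accounts (NT SERVICE\...) are ignored; any
#    other login is a standing grant that a JIT policy says should not be there.
foreach ($s in $sysadmins) {
    if ($s.LoginName -like 'NT SERVICE\*' -or $ExpectedSysadmins -contains $s.LoginName) { continue }
    Write-Warning "Unexpected sysadmin: $($s.LoginName) ($($s.LoginType), disabled=$($s.IsDisabled))"
}

# 2. Role membership: smsdbrole_* roles are granted to computer accounts of site
#    systems, so a member whose name doesn't end in '$' deserves a look. The page's
#    exceptions are smsdbrole_AITool (administrative users) and smsschm_users (the
#    reporting services point account).
$userRoles = @('smsdbrole_AITool', 'smsschm_users')
foreach ($m in $roleMembers) {
    $isComputerAccount = $m.MemberName -like '*$'
    if (-not $isComputerAccount -and $userRoles -notcontains $m.RoleName) {
        Write-Warning "Non-computer principal in $($m.RoleName): $($m.MemberName) ($($m.MemberType))"
    }
}

$roleMembers | Format-Table RoleName, MemberName, MemberType -AutoSize
```

The warnings are prompts, not verdicts: a human login in smsdbrole_MP is almost always wrong, but a SQL login in sysadmin may be an intentional break-glass account that should simply be on the expected list.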
Communications between endpoints in
Configuration Manager
Article • 10/04/2022
This article describes how Configuration Manager site systems and clients communicate
across your network. It includes the following sections:
HTTP
HTTPS
With the exception of communication from the site server to a distribution point, server-
to-server communications in a site can occur at any time. These communications don't
use mechanisms to control the network bandwidth. Because you can't control the
communication between site systems, make sure that you install site system servers in
locations that have fast and well-connected networks.
Site server to distribution point
To help you manage the transfer of content from the site server to distribution points,
use the following strategies:
Configure the distribution point for network bandwidth control and scheduling.
These controls resemble the configurations that are used by intersite addresses.
Use this configuration instead of installing another Configuration Manager site
when the transfer of content to remote network locations is your main bandwidth
consideration.
For more information, see Manage network bandwidth for content management.
Before a client can communicate with a site system role, the client uses service location
to find a role that supports the client's protocol (HTTP or HTTPS). By default, clients use
the most secure method that's available to them. For more information, see Understand
how clients find site resources and services.
To help secure the communication between Configuration Manager clients and site
servers, configure one of the following options:
Use a public key infrastructure (PKI) and install PKI certificates on clients and
servers. Enable site systems to communicate with clients over HTTPS. For
information about how to use certificates, see PKI certificate requirements.
Important
Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.
Site configuration: HTTPS only, allows HTTP or HTTPS, or allows HTTP or HTTPS
with enhanced HTTP enabled. With Enhanced HTTP, the site verifies the Azure AD
user or device token.
Management point configuration: HTTP
Device identity for device-centric scenarios:
- Location request: Anonymous
- Client package: Anonymous
- Registration, using one of the following methods to prove identity:
  Windows-integrated authentication, Azure AD user or device token, or PKI
  certificate
User identity for user-centric scenarios: for user-centric scenarios, the client
proves user identity using Windows-integrated authentication
Tip
For more information on the configuration of the management point for different
device identity types and with the cloud management gateway, see Enable
management point for HTTPS.
Client to distribution point communication
When a client communicates with a distribution point, it only needs to authenticate
before downloading the content. Use the following table to understand how this
process works:
DP type    Client authentication
Note
If you want to manage devices that are on the internet, you can install internet-
based site system roles in your perimeter network when the site system servers are
in an Active Directory forest. This scenario doesn't require two-way trust between
the perimeter network and the site server's forest.
Configure workgroup clients to use the Network Access Account so that these
computers can retrieve content from distribution points.
Configuration Manager supports installing a child site in a remote forest that has the
required two-way trust with the forest of the parent site. For example, you can place a
secondary site in a different forest from its primary parent site as long as the required
trust exists.
Note
A child site can be a primary site (where the central administration site is the parent
site) or a secondary site.
When a two-way forest trust exists, Configuration Manager doesn't require any
additional configuration steps.
By default, when you install a new child site, Configuration Manager configures the
following components:
An intersite file-based replication route at each site that uses the site server
computer account. Configuration Manager adds the computer account of each
computer to the SMS_SiteToSiteConnection_<sitecode> group on the destination
computer.
Intervening firewalls and network devices must allow the network packets that
Configuration Manager requires.
To install a site or site system role, you must specify an account that has local
administrator permissions on the specified computer.
Scenario 2: Communication in a site that spans forests
This scenario doesn't require a two-way forest trust.
Primary sites support the installation of site system roles on computers in remote
forests.
When a site system role accepts connections from the internet, as a security best
practice, install the site system roles in a location where the forest boundary
provides protection for the site server (for example, in a perimeter network).
Specify a Site System Installation Account, which the site uses to install the site
system role. This account must have local administrator rights on the computer where
you install the role. Then install site system roles on the specified computer.
Select the site system option Require the site server to initiate connections to this
site system. This setting requires the site server to establish connections to the site
system server to transfer data. This configuration prevents the computer in the
untrusted location from initiating contact with the site server that's inside your
trusted network. These connections use the Site System Installation Account.
To use a site system role that was installed in an untrusted forest, firewalls must allow
the network traffic even when the site server initiates the transfer of data.
Additionally, the following site system roles require direct access to the site database.
Therefore, firewalls must allow applicable traffic from the untrusted forest to the site's
SQL Server:
Enrollment point
Management point
You might need to configure the management point and enrollment point access to the
site database.
By default, when you install these roles, Configuration Manager configures the
computer account of the new site system server as the connection account for the
site system role. It then adds the account to the appropriate SQL Server database
role.
When you install these site system roles in an untrusted domain, configure the site
system role connection account to enable the site system role to obtain
information from the database.
If you configure a domain user account to be the connection account for these site
system roles, make sure that the domain user account has appropriate access to the SQL
Server database at that site:
Consider the following additional information when you plan for site system roles in
other forests:
If you run Windows Firewall, configure the applicable firewall profiles to pass
communications between the site database server and computers that are installed
with remote site system roles.
When the internet-based management point trusts the forest that contains the
user accounts, user policies are supported. When no trust exists, only computer
policies are supported.
There's a two-way forest trust between the forest of the client and the forest of the
site server.
The site system role server is located in the same forest as the client.
The client is on a domain computer that doesn't have a two-way forest trust with
the site server, and site system roles aren't installed in the client's forest.
Specify the forest and then enable publishing to that forest in the Active Directory
Forests node of the Administration workspace.
Configure each site to publish its data to Active Directory Domain Services. This
configuration enables clients in that forest to retrieve site information and find
management points. For clients that can't use Active Directory Domain Services for
service location, you can use DNS or the client's assigned management point.
To support this scenario, make sure that name resolution works between the forests. For
example, configure DNS forwards. When you configure the Exchange Server connector,
specify the intranet FQDN of the Exchange Server. For more information, see Manage
mobile devices with Configuration Manager and Exchange.
See also
Plan for security
You can secure sensitive client communication without the need for PKI server
authentication certificates.
Clients can securely access content from distribution points without the need for a
network access account, client PKI certificate, or Windows authentication.
All other client communication is over HTTP. Enhanced HTTP isn't the same as enabling
HTTPS for client communication or a site system.
Note
PKI certificates are still a valid option for customers with the following
requirements:
If you're already using PKI, site systems use the PKI certificate bound in IIS even if
you enable enhanced HTTP.
Scenarios
The following scenarios benefit from enhanced HTTP:
Note
This scenario doesn't require using an HTTPS-enabled management point, but it's
supported as an alternative to using enhanced HTTP. For more information on
using an HTTPS-enabled management point, see Enable management point for
HTTPS.
This behavior includes OS deployment scenarios with a task sequence running from
boot media, PXE, or Software Center. For more information, see Network access account.
Features
The following Configuration Manager features support or require enhanced HTTP:
Note
The software update point and related scenarios have always supported secure
HTTP traffic with clients as well as the cloud management gateway. It uses a
mechanism with the management point that's different from certificate- or token-
based authentication.
Unsupported scenarios
Enhanced HTTP doesn't currently secure all communication in Configuration Manager.
The following list summarizes some key functionality that's still HTTP.
Prerequisites
A management point configured for HTTP client connections. Set this option on
the General tab of the management point role properties.
A distribution point configured for HTTP client connections. Set this option on the
Communication tab of the distribution point role properties. Don't enable the
option to Allow clients to connect anonymously.
For scenarios that require Azure AD authentication, onboard the site to Azure AD
for cloud management. If you don't onboard the site to Azure AD, you can still
enable enhanced HTTP.
There are no OS version requirements, other than what the Configuration Manager
client supports.
2. Switch to the Communication Security tab. Select the option for HTTPS or HTTP.
Then enable the option to Use Configuration Manager-generated certificates for
HTTP site systems.
Tip
Wait up to 30 minutes for the management point to receive and configure the new
certificate from the site.
You can also enable enhanced HTTP for the central administration site (CAS). Use this
same process, and open the properties of the CAS. This action only enables enhanced
HTTP for the SMS Provider role at the CAS. It's not a global setting that applies to all
sites in the hierarchy.
For more information on how the client communicates with the management point and
distribution point with this configuration, see Communications from clients to site
systems and services.
When you enable enhanced HTTP, the site server generates a self-signed certificate
named SMS Role SSL Certificate. This certificate is issued by the root SMS Issuing
certificate. The management point adds this certificate to the IIS default web site bound
to port 443.
To see the status of the configuration, review mpcontrol.log.
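The three facts in the paragraph above (a certificate named SMS Role SSL Certificate, issued by the SMS Issuing root, bound to port 443 on the IIS default web site) can each be checked on the management point. The following PowerShell is an added example for this page, not a script from the Configuration Manager documentation or product. It finds the role certificate in the local machine store, compares its thumbprint with the port 443 binding, opens a TLS connection to confirm that certificate is what clients are actually presented, and shows recent certificate-related lines from mpcontrol.log. It assumes the IIS WebAdministration module and local administrator rights on the management point; the log path is a placeholder for your management point's log folder. Because the SMS Issuing root isn't a public CA, the TLS check compares the thumbprint rather than relying on a chain validation that would fail for an unrelated reason.

```powershell
# Added example (not from the Configuration Manager docs): verify the enhanced HTTP
# certificate on a management point. Assumptions: run elevated on the MP; IIS
# WebAdministration module present; $LogPath is a placeholder for your MP log folder.
param(
    [string]$MpFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$LogPath = 'C:\SMS_CCM\Logs\mpcontrol.log'   # hypothetical; adjust to your MP
)

Import-Module WebAdministration

# 1. The site-issued certificate: friendly name "SMS Role SSL Certificate", issued by
#    the site's "SMS Issuing" root. Take the newest if several exist.
$roleCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'SMS Role SSL Certificate' -and $_.Issuer -like '*SMS Issuing*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $roleCert) {
    Write-Warning 'No SMS Role SSL Certificate in LocalMachine\My; allow up to 30 minutes after enabling, then check mpcontrol.log'
    return
}
"Role certificate : $($roleCert.Subject)"
"Issuer           : $($roleCert.Issuer)"
"Valid until      : $($roleCert.NotAfter)"
"Thumbprint       : $($roleCert.Thumbprint)"

# 2. The port 443 binding on the Default Web Site. If a PKI certificate was already
#    bound, IIS keeps using it even with enhanced HTTP enabled (noted earlier on the page).
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
if (-not $binding) { Write-Warning 'No HTTPS binding on port 443 for the Default Web Site'; return }
$boundHash = [string]$binding.certificateHash
if ($boundHash -ieq $roleCert.Thumbprint) {
    'OK: port 443 is bound to the site-issued role certificate'
} else {
    $other = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $boundHash }
    "Port 443 is bound to a different certificate: $($other.Subject) (issuer $($other.Issuer))"
}

# 3. What a client is actually presented. Accept any certificate in the callback and
#    compare thumbprints; the SMS Issuing root is not a public CA, so a generic chain
#    check would fail regardless of whether enhanced HTTP is working.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($MpFqdn, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($MpFqdn)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Presented on 443 : $($presented.Subject), thumbprint $($presented.Thumbprint), $($ssl.SslProtocol)"
    if ($presented.Thumbprint -ine $boundHash) {
        Write-Warning 'Presented certificate differs from the IIS binding (another listener or SNI binding on 443?)'
    }
} finally { $tcp.Close() }

# 4. Recent certificate-related lines from mpcontrol.log.
if (Test-Path -LiteralPath $LogPath) {
    Get-Content -LiteralPath $LogPath -Tail 200 | Where-Object { $_ -match 'certificate|SSL|443' } | Select-Object -Last 10
} else {
    Write-Warning "mpcontrol.log not found at $LogPath"
}
```

Step 3 is the one to keep: steps 1 and 2 describe the server's intent, while the presented certificate is what a client on the network will see, and a mismatch there is what turns a configuration question into a security one.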
Conceptual diagram
This diagram summarizes and visualizes some of the main aspects of the enhanced
HTTP functionality in Configuration Manager.
When you enable the site option for enhanced HTTP, the site issues self-signed
certificates to site systems such as the management point and distribution point
roles.
With the site systems still configured for HTTP connections, clients communicate
with them over HTTPS.
Important
Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.
Note
Even if you don't directly use the administration service REST API, some
Configuration Manager features natively use it, including parts of the Configuration
Manager console.
From a client perspective, the management point issues each client a token. The client
uses this token to secure communication with the site systems. That behavior is OS
version agnostic, other than what the Configuration Manager client supports.
Next steps
Plan for security
Configure security
When secure key exchange is required, there are situations where you need to
manually do the initial public key exchange between sites. For more information,
see Manually exchange public keys between sites.
Delete a site server from the Configuration Manager console when you can't
uninstall it with setup. For example, if you physically remove a Configuration
Manager site without first running setup to uninstall the site. The site information
will still exist in the parent site's database, and the parent site will continue to
attempt to communicate with the child site. To resolve this issue, run the hierarchy
maintenance tool and manually delete the child site from the parent site's
database.
Stop all Configuration Manager services at a site without having to stop services
individually.
When you recover a site, use the CHILDKEYS option to distribute the public keys
from multiple child sites to the recovering site.
To run the hierarchy maintenance tool, the current user needs administrative privileges
on the local computer. Also, the user must explicitly have the Administer security right
for the Site class. It's not sufficient that the user inherits this right by being a member of
a group that has that permission.
/DELJOB <SiteCode>: Delete all jobs or commands from the current site to the
specified destination site.
data for child sites from the site database of the parent site. Typically, you use this
option if a site server computer is decommissioned before you uninstall the site
from it.
Note
The /DELSITE option doesn't uninstall the site on the computer specified by
the ChildSiteCodeToRemove parameter. This option only removes the site
information from the Configuration Manager site database.
/DUMP <SiteCode>: Use this option on the local site server to write site control
images to the root folder of the drive on which the site is installed. You can write a
specific site control image to the folder or write all site control files in the
hierarchy.
/DUMP <SiteCode> writes the site control image only for the specified site.
An image is a binary representation of the site control file, which is stored in the
Configuration Manager site database. The dumped site control file image is a sum
of the base image plus the pending delta images.
After dumping a site control file image with the hierarchy maintenance tool, the
file name is in the format sitectrl_<SiteCode>.ct0.
/STOPSITE: Use this option on the local site server to start a shutdown cycle for the
Configuration Manager Site Component Manager service, which partially resets the
site. When you start this shutdown cycle, it stops some Configuration Manager
services on a site server and its remote site systems. It also flags these services for
reinstallation. As a result of this shutdown cycle, some passwords are automatically
changed when the services are reinstalled.
Note
If you want to see a record of shutdown, reinstallation, and password changes
for Site Component Manager, enable logging for this component before
using this command-line option.
After the shutdown cycle is started, it proceeds automatically, skipping any non-
responding components or computers. However, if the Site Component Manager
service can't access a remote site system during the shutdown cycle, the
components that are installed on the remote site system are reinstalled when the
Site Component Manager service is restarted. When it's restarted, the Site
Component Manager service repeatedly attempts reinstallation of all services that
are flagged for reinstallation until it's successful.
You can restart the Site Component Manager service using Service Manager. After
it restarts, all affected services are uninstalled, reinstalled, and restarted. After you
use the /STOPSITE option to start the shutdown cycle, you can't avoid the
reinstallation cycles after the Site Component Manager service is restarted.
The /KEYFORPARENT option places the public key of the site in the file
<SiteCode>.CT4 at the root of the program files drive. After you run preinst.exe
with this option, manually copy this file to the parent site's \Inboxes\hman.box
folder (not hman.box\pubkey).
The /KEYFORCHILD option places the public key of the site in the file
<SiteCode>.CT5 at the root of the program files drive. After you run preinst.exe
with this option, manually copy this file to the child site's \Inboxes\hman.box folder
(not hman.box\pubkey).
/CHILDKEYS: Use this option on the child sites of a site that you're recovering. It
distributes public keys from multiple child sites to the recovering site.
The /CHILDKEYS option places the key from the site where you run the option and
the public keys of all of that site's child sites into the file <SiteCode>.CT6. After you
run preinst.exe with this option, manually copy this file to the recovering site's
\Inboxes\hman.box folder (not hman.box\pubkey).
/PARENTKEYS: Use this option on the parent site of a site that you're recovering. It
distributes public keys from all parent sites to the recovering site.
The /PARENTKEYS option places the key from the site where you run the option and
the keys from each parent site above that site into the file <SiteCode>.CT7. After
you run preinst.exe with this option, manually copy this file to the recovering site's
\Inboxes\hman.box folder (not hman.box\pubkey).
If you haven't extended the Active Directory schema for Configuration Manager
You can use the hierarchy maintenance tool to export the public keys for each site. Once
they're exported, manually exchange the keys between the sites.
Note
After the public keys are manually exchanged, review the hman.log log file on the
parent site server. This log file records site configuration changes and site
information publication to Active Directory. You can make sure that the primary site
has processed the new public key.
2. Type the following command to export the child site's public key: Preinst /keyforparent
The /keyforparent option places the public key of the child site in the <SiteCode>.CT4
file located at the root of the system drive.
3. Move the <SiteCode>.CT4 file to the parent site's \inboxes\hman.box folder in the
Configuration Manager installation directory.
How to manually transfer the parent site public key to the
child site
1. Sign in to the parent site server, open a command prompt, and navigate to the
location of Preinst.exe.
2. Type the following command to export the parent site's public key: Preinst /keyforchild
The /keyforchild option places the public key of the parent site in the <SiteCode>.CT5
file located at the root of the system drive.
3. Move the <SiteCode>.CT5 file to the child site's \inboxes\hman.box folder in the
Configuration Manager installation directory.
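The two how-to procedures above, scripted with the checks an administrator wants around them: that Preinst actually produced a fresh key file, and that the file lands in hman.box itself rather than hman.box\pubkey. This is an added example, not from the Configuration Manager documentation; Export-SiteKeyFile and Copy-SiteKeyToInbox are hypothetical names, and it assumes an elevated session on the site server, a $PreinstPath pointing at that site's Preinst.exe, and the peer site's installation directory reachable as a UNC path (placeholders shown).

```powershell
# Added example, not from the Configuration Manager documentation. Export-SiteKeyFile and
# Copy-SiteKeyToInbox are hypothetical names. Assumes an elevated session on the site
# server, $PreinstPath pointing at that site's Preinst.exe, and the peer site's installation
# directory reachable as a UNC path (placeholders are used below).

function Export-SiteKeyFile {
    param(
        [Parameter(Mandatory)][string]$PreinstPath,
        [Parameter(Mandatory)][ValidateSet('keyforparent', 'keyforchild')][string]$Option,
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]{3}$')][string]$SiteCode
    )
    # /keyforparent writes <SiteCode>.CT4 (this child site's key, for the parent);
    # /keyforchild writes <SiteCode>.CT5 (this parent site's key, for the child).
    # The how-to above places the file at the root of the system drive.
    $ext = if ($Option -eq 'keyforparent') { 'CT4' } else { 'CT5' }
    $keyFile = Join-Path $env:SystemDrive "\$SiteCode.$ext"
    # Delete any stale copy first so an old key can't be mistaken for today's export.
    Remove-Item -Path $keyFile -Force -ErrorAction SilentlyContinue
    & $PreinstPath "/$Option"
    if (-not (Test-Path $keyFile)) {
        throw "Preinst /$Option did not create $keyFile; check the site server for errors."
    }
    Get-Item -Path $keyFile
}

function Copy-SiteKeyToInbox {
    param(
        [Parameter(Mandatory)][System.IO.FileInfo]$KeyFile,
        [Parameter(Mandatory)][string]$PeerInstallDir   # the peer site's installation directory
    )
    # The key must go into \inboxes\hman.box itself, not into hman.box\pubkey.
    $inbox = Join-Path $PeerInstallDir 'inboxes\hman.box'
    if (-not (Test-Path $inbox)) { throw "hman.box inbox not found at $inbox" }
    Copy-Item -Path $KeyFile.FullName -Destination $inbox
    # Hierarchy Manager on the receiving site processes the file; confirm it in that
    # server's hman.log before assuming the key was accepted.
    Join-Path $inbox $KeyFile.Name
}

# Child site to parent site (placeholder paths, sample site codes):
# $key = Export-SiteKeyFile -PreinstPath '<path to>\Preinst.exe' -Option keyforparent -SiteCode 'CH1'
# Copy-SiteKeyToInbox -KeyFile $key -PeerInstallDir '\\<parent-site-server>\<share>\Microsoft Configuration Manager'
# Parent site to child site:
# $key = Export-SiteKeyFile -PreinstPath '<path to>\Preinst.exe' -Option keyforchild -SiteCode 'PR1'
# Copy-SiteKeyToInbox -KeyFile $key -PeerInstallDir '\\<child-site-server>\<share>\Microsoft Configuration Manager'
```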
International support in Configuration Manager
Article • 10/04/2022
The following sections provide technical details to help you make Configuration
Manager compliant with specific international requirements.
GB18030 Requirements
Configuration Manager meets the standards that are defined in GB18030 so that you
can use Configuration Manager in China. A Configuration Manager deployment must
have the following configurations to meet the GB18030 requirements:
Each site server computer and SQL Server computer that you use with
Configuration Manager must use a Chinese operating system.
Each site database and each instance of SQL Server in the hierarchy must use the
same collation, and must be one of the following:
Chinese_Simplified_Pinyin_100_CI_AI
Chinese_Simplified_Stroke_Order_100_CI_AI
Note
These database collations are an exception to the requirements that are noted
in Support for SQL Server versions for Configuration Manager.
You must place a file with the name GB18030.SMS in the root folder of the system
volume of each site server computer in the hierarchy. This file does not contain any
data and can be an empty text file that is named to meet this requirement.
Interoperability between different versions of Configuration Manager
Article • 10/04/2022
You can install and operate multiple, independent hierarchies of Configuration Manager
on the same network. However, because different hierarchies of Configuration Manager
don't interoperate outside of the migration process, each hierarchy requires
configurations to prevent conflicts between them. Additionally, you can create certain
configurations to help resources that you manage interact with the site systems from
the correct hierarchy.
You can deploy a Configuration Manager current branch site and hierarchy side by side
with an existing System Center 2012 Configuration Manager site or hierarchy. Plan to
prevent clients from either version from trying to join a site from the other version.
Additionally, you can't install a client from System Center 2012 Configuration Manager
on a computer that hosts a site system role from Configuration Manager current branch.
You also can't install a Configuration Manager current branch client on a computer
that hosts a site system role from System Center 2012 Configuration Manager.
Any System Center 2012 Configuration Manager or earlier computer client version
Any System Center 2012 Configuration Manager or earlier device management
client
You use automatic site assignment to assign clients to a site during client
installation
More than one boundary group includes the same boundary
The boundary groups have different assigned sites
Configuration Manager current branch clients check the version of the site before they
complete site assignment. If site boundaries overlap, you can't assign clients to a site
with a previous version. However, earlier System Center 2012 Configuration Manager
clients might incorrectly be assigned to a later Configuration Manager current branch
site.
To prevent clients from unintentionally being assigned to the wrong site when two
hierarchies have overlapping boundaries, configure client installation parameters to
assign clients to a specific site.
When different sites in a single hierarchy run different versions, some functionality isn't
available. This behavior can affect how you manage Configuration Manager objects in
the Configuration Manager console, and which functionality is available to clients.
Typically, functionality from the newer version of Configuration Manager isn't accessible
at sites or to clients that run a lower service pack version.
After you upgrade the primary site to the same version as the central administration site,
the account details are visible in the console.
The same behavior applies when you update between versions of Configuration
Manager.
An error occurs when you try to edit the task sequence from a site that's running a
previous version of Configuration Manager.
The task sequence doesn't run on a computer that runs a previous version of the
Configuration Manager client.
Orchestration groups
Orchestration groups can't be used in a mixed-version hierarchy.
For example, for a management point in site XYZ, assign the client installed on this site
system server to site XYZ.
It's not supported to install both the System Center 2012 Configuration Manager
console and the Configuration Manager current branch console on the same computer.
During the process of updating sites in a hierarchy to a new version, you can connect a
console to a site that runs a newer version and view information about other sites in that
hierarchy. However, this configuration isn't recommended. It's possible that differences
between the console version and Configuration Manager site version can result in data
issues. Some features that are available in the latest product version won't be available
in the console.
It's not supported to manage a site when using a console with a version that doesn't
match the site version. Doing so might cause loss of data and can put your site at risk.
For example, it's not supported to use a console from version 2103 to manage a site
that runs version 2010.
Next steps
Use the Configuration Manager client software for extended interoperability with future
versions of a Current Branch site
Language packs in Configuration Manager
Article • 10/04/2022
This article provides technical details about language support in Configuration Manager.
Configuration Manager site servers and clients are considered language-neutral. Add
support for display languages by installing server language packs or client language
packs at a central administration site and at primary sites. You select the server and
client languages to support at a site from the available language pack files during the
site installation process.
Install multiple languages at each site. You only need to install the languages that you
use.
Add support for only the client languages that you want to support by installing
individual client language packs at each site.
When you install support for a language that matches the following components:
The display language of a computer: Both the Configuration Manager console and
the client user interface that runs on that computer display information in that
language.
When you run Configuration Manager setup, it downloads language pack files as part of
the prerequisites and redistributable files. You can also use the setup downloader to
download these files before you run setup.
Server languages
Use the following table to map a locale ID to a language that you want to support on
servers. For more information about locale IDs, see Locale IDs assigned by Microsoft.
Client languages
Use the following table to map a locale ID to a language that you want to support on
client computers. For more information about locale IDs, see Locale IDs assigned by
Microsoft.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCMSetup\InstalledLangs
Customize hardware inventory to collect this information. Then build a custom report to
view the language details. For more information about collecting custom hardware
inventory, see How to configure hardware inventory. For more information, see Create
reports.
About log files in Configuration Manager
Article • 10/04/2022
In Configuration Manager, client and site server components record process information
in individual log files. You can use the information in these log files to help you
troubleshoot issues that might occur. By default, Configuration Manager enables
logging for client and server components.
This article provides general information about the Configuration Manager log files. It
includes tools to use, how to configure the logs, and where to find them. For more
information on specific log files, see Log files reference.
How it works
Most processes in Configuration Manager write operational information to a log file that
is dedicated to that process. The log files are identified by .log or .lo_ file extensions.
Configuration Manager writes to a .log file until that log reaches its maximum size.
When the log is full, the .log file is copied to a file of the same name but with the .lo_
extension, and the process or component continues to write to the .log file. When the
.log file again reaches its maximum size, the .lo_ file is overwritten and the process
repeats. Some components establish a log file history by appending a date and time
stamp to the log file name and by keeping the .log extension.
CMTrace
OneTrace
Support Center log file viewer
CMTrace
To view the logs, use the Configuration Manager log viewer tool CMTrace. It's located in
the \SMSSetup\Tools folder of the Configuration Manager source media. The CMTrace
tool is added to all boot images that are added to the Software Library. The CMTrace log
viewing tool is automatically installed along with the Configuration Manager client. For
more information, see CMTrace.
OneTrace
OneTrace is a log viewer with Support Center. It works similarly to CMTrace, with
improvements. For more information, see Support Center OneTrace.
Note
Support Center Log File Viewer and OneTrace use Windows Presentation
Foundation (WPF). This component isn't available in Windows PE. Continue to use
CMTrace in boot images with task sequence deployments.
You can also use hardware inventory to collect log settings from clients.
To modify the size of log files, change the name and location of the log file, or to force
multiple components to write to a single log file, do the following steps:
2. In the ribbon, select Start, and then select Configuration Manager Service
Manager.
3. When Configuration Manager Service Manager opens, connect to the site that you
want to manage. If the site that you want to manage isn't shown, select Site, select
Connect, and then enter the name of the site server for the correct site.
Verbose level
Maximum history
Maximum size
When troubleshooting a problem, you can enable verbose logging for Configuration
Manager to write additional details in the log files.
Warning
After you make changes to these registry settings, restart the component:
If you change the client settings, restart the SMS Agent Host service (CcmExec).
If you change the server settings, restart the SMS Executive service.
To configure logging options for all components on a client or management point site
system, configure these REG_DWORD values under the following Windows Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Logging\@Global
Name: LogLevel
Values: 0: Verbose; 1: Default; 2: Warnings and errors; 3: Errors only
Description: The level of detail to write to log files.
Name: LogMaxHistory
Values: Any integer greater than or equal to zero, for example: 0: No history; 1: Default
Description: When a log file reaches the maximum size, the client renames it as a backup and creates a new log file. Specify how many previous versions to keep.
Name: LogMaxSize
Values: Any integer greater than or equal to 10,000, for example: 250000
Description: The maximum log file size in bytes. When a log grows to the specified size, the client renames it as a history file, and creates a new file. The default value is 250,000 bytes.
Note
Don't change other values that may exist in this registry key.
For advanced debugging, you can also add this REG_SZ value under the following
Windows Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Logging\DebugLogging
This setting causes the client to log low-level information for troubleshooting. Avoid
using this setting in production sites. Excessive logging can occur, which might make it
difficult to find relevant information in the log files. Make sure to turn off this setting
after you resolve the issue.
You can configure settings globally or for a specific component on the Configuration
Manager site server.
Configure these values under the following Windows Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing
Name: SqlEnabled
Values: 1: enable SQL Server tracing; 0: disable SQL Server tracing
Type: REG_DWORD
Description: Add SQL Server trace logging to all site server logs.
Name: ArchivePath
Values: A valid folder path, for example C:\Logs\Archive
Type: REG_SZ
Description: The path to archive site server logs.
Only enable SQL Server tracing for troubleshooting purposes. Avoid using it in
production sites. Excessive logging can occur, which might make it difficult to find
relevant information in the log files. Make sure to turn off this setting after you resolve
the issue.
Note
Don't change other values that may exist in this registry key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\<ComponentName>
Name: LoggingLevel
Values: 0: Verbose; 1: Default; 2: Warnings and errors; 3: Errors only
Description: The level of detail to write to log files.
Name: LogMaxHistory
Values: Any integer greater than or equal to zero, for example: 0: No history; 1: Default
Description: When a log file reaches the maximum size, the server renames it as a backup and creates a new log file. Specify how many previous versions to keep.
Name: MaxFileSize
Values: Any integer greater than or equal to 10,000, for example: 250000
Description: The maximum log file size in bytes. When a log grows to the specified size, the client renames it as a history file, and creates a new file. The default value is 250,000 bytes.
Name: DebugLogging
Values: 0: disable debug logs
Description: See the DebugLogging paragraph that follows.
The DebugLogging setting causes the server to log low-level information for
troubleshooting. Avoid using this setting in production sites. Excessive logging can
occur, which might make it difficult to find relevant information in the log files. Make
sure to turn off this setting after you resolve the issue.
Note
Don't change other values that may exist in this registry key.
You can configure settings globally or for a specific component on a site system that
hosts a Configuration Manager server role.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\<ComponentName>\Logging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP\Logging
Name: LogLevel
Values: 0: Verbose; 1: Default; 2: Warnings and errors; 3: Errors only
Description: The level of detail to write to log files.
Name: LogMaxHistory
Values: Any integer greater than or equal to zero, for example: 0: No history; 1: Default
Description: When a log file reaches the maximum size, the server renames it as a backup and creates a new log file. Specify how many previous versions to keep.
Name: LogMaxSize
Values: Any integer greater than or equal to 10,000, for example: 250000
Description: The maximum log file size in bytes. When a log grows to the specified size, the server renames it as a history file, and creates a new file. The default value is 250,000 bytes.
Note
Don't change other values that may exist in this registry key.
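The three registry tables above (client @Global, site server SMS\Tracing and its component subkeys, and site system SMS\<ComponentName>\Logging) all warn that verbose, debug and SQL tracing settings must be turned back off after troubleshooting. This added example, not from the Configuration Manager documentation, sets the documented client values with the documented minimums enforced and then audits every key the tables name for settings left at a troubleshooting level; Set-CcmClientLogging and Find-CcmVerboseLogging are hypothetical names, and it assumes an elevated session on the machine being changed or audited.

```powershell
# Added example, not from the Configuration Manager documentation. Set-CcmClientLogging and
# Find-CcmVerboseLogging are hypothetical names. Assumes an elevated session on the
# client or site system whose logging you are changing or auditing.

$CcmGlobalLogging = 'HKLM:\SOFTWARE\Microsoft\CCM\Logging\@Global'
$CcmDebugLogging  = 'HKLM:\SOFTWARE\Microsoft\CCM\Logging\DebugLogging'
$SmsTracing       = 'HKLM:\SOFTWARE\Microsoft\SMS\Tracing'
$SmsComponentRoot = 'HKLM:\SOFTWARE\Microsoft\SMS'

function Set-CcmClientLogging {
    # Writes only the three documented REG_DWORD values under @Global, then restarts
    # CcmExec (SMS Agent Host) so they take effect. Calling it with no arguments
    # restores the documented defaults.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet(0, 1, 2, 3)]
        [int]$LogLevel = 1,                 # 0 verbose, 1 default, 2 warnings and errors, 3 errors only
        [ValidateRange(0, 2147483647)]
        [int]$LogMaxHistory = 1,            # 0 no history, 1 default
        [ValidateRange(10000, 2147483647)]
        [int]$LogMaxSize = 250000           # bytes; the documented minimum is 10,000
    )
    $wanted = @{ LogLevel = $LogLevel; LogMaxHistory = $LogMaxHistory; LogMaxSize = $LogMaxSize }
    foreach ($name in $wanted.Keys) {
        if ($PSCmdlet.ShouldProcess("$CcmGlobalLogging\$name", "Set to $($wanted[$name])")) {
            # -Force overwrites an existing value; other values in the key are left alone.
            New-ItemProperty -Path $CcmGlobalLogging -Name $name -Value $wanted[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess('CcmExec', 'Restart service')) {
        Restart-Service -Name CcmExec
    }
}

function Find-CcmVerboseLogging {
    # Returns one string per finding; an empty result means nothing is left at a
    # troubleshooting-only setting. Intended to run after an investigation is closed.
    $findings = @()

    # Client: @Global LogLevel 0 is verbose; a populated DebugLogging key means
    # low-level logging may still be on.
    $client = Get-ItemProperty -Path $CcmGlobalLogging -ErrorAction SilentlyContinue
    if ($client -and $client.LogLevel -eq 0) {
        $findings += "$CcmGlobalLogging LogLevel=0 (verbose)"
    }
    if ($client -and $null -ne $client.LogMaxSize -and $client.LogMaxSize -lt 10000) {
        $findings += "$CcmGlobalLogging LogMaxSize=$($client.LogMaxSize) is below the documented minimum of 10000"
    }
    if (Test-Path $CcmDebugLogging) {
        $debug = Get-Item -Path $CcmDebugLogging
        if ($debug.ValueCount -gt 0) {
            $findings += "$CcmDebugLogging holds $($debug.ValueCount) value(s); confirm debug logging is off"
        }
    }

    # Site server: SqlEnabled=1 adds SQL Server tracing to every site server log.
    $tracing = Get-ItemProperty -Path $SmsTracing -ErrorAction SilentlyContinue
    if ($tracing -and $tracing.SqlEnabled -eq 1) {
        $findings += "$SmsTracing SqlEnabled=1 (SQL Server tracing on)"
    }
    # Site server components: Tracing\<ComponentName> uses LoggingLevel (0 = verbose).
    foreach ($key in (Get-ChildItem -Path $SmsTracing -ErrorAction SilentlyContinue)) {
        $comp = Get-ItemProperty -Path $key.PSPath
        if ($comp.LoggingLevel -eq 0) { $findings += "$($key.Name) LoggingLevel=0 (verbose)" }
    }
    # Site system roles: SMS\<ComponentName>\Logging (for example SMS\DP\Logging) uses LogLevel.
    foreach ($key in (Get-ChildItem -Path $SmsComponentRoot -ErrorAction SilentlyContinue)) {
        $logKey = Join-Path $key.PSPath 'Logging'
        if (Test-Path $logKey) {
            $role = Get-ItemProperty -Path $logKey
            if ($role.LogLevel -eq 0) { $findings += "$($key.Name)\Logging LogLevel=0 (verbose)" }
        }
    }
    return $findings
}

# Typical use: raise client verbosity for an investigation, then put it back and audit.
# Set-CcmClientLogging -LogLevel 0 -LogMaxHistory 3 -LogMaxSize 2000000
# Set-CcmClientLogging
# Find-CcmVerboseLogging
```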
Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe.config
2. Under the system.diagnostics > sources > source element, change the
switchValue attribute from Error to Verbose. For example:
2. In the ribbon, on the Home tab, in the Device group, select Client Diagnostics.
Choose one of the available actions.
Note
For more information, see Enable or disable existing hardware inventory classes.
The following locations are the defaults. If you customized the installation directories in
your environment, the actual paths may vary.
Client: C:\Windows\CCM\logs
Server: C:\Program Files\Microsoft Configuration Manager\Logs
Management point: C:\SMS_CCM\Logs
Configuration Manager console: C:\Program Files (x86)\Microsoft Endpoint
Manager\AdminConsole\AdminUILog
IIS: C:\inetpub\logs\logfiles\w3svc1
Task sequence log locations
The location of the task sequence log file smsts.log varies depending upon the phase of
the task sequence:
Tip
The read-only task sequence variable _SMSTSLogPath always contains the path of
the current log file.
Next steps
Log files reference
CMTrace
Log file reference
Article • 10/04/2022
In Configuration Manager, client and site server components record process information
in individual log files. You can use the information in these log files to help you
troubleshoot issues that might occur. By default, Configuration Manager enables
logging for client and server components.
For more general information about log files in Configuration Manager, see About log
files. That article includes information on the tools to use, how to configure the logs, and
where to find them.
The following sections provide details about the different log files available to you.
Monitor Configuration Manager client and server logs for operation details, and view
error information to troubleshoot problems.
Client operations
Client installation
Management point
Application management
Asset Intelligence
Certificate enrollment
Client notification
Content management
Desktop Analytics
Discovery
Endpoint analytics
Endpoint Protection
Extensions
Inventory
Migration
Mobile devices
OS deployment
Power management
Remote control
Reporting
Role-based administration
Software metering
Software updates
Wake On LAN
Windows servicing
Windows Update Agent
WSUS server
Client operations
The following table lists the log files located on the Configuration Manager client.
FSPStateMessage.log: Records the activity for state messages that are sent to the fallback status point by the client.
Client installation
The following table lists the log files that contain information related to the installation
of the Configuration Manager client.
ccmsetup.log: Records ccmsetup.exe tasks for client setup, client upgrade, and client removal. Can be used to troubleshoot client installation problems.
client.msi.log: Records setup tasks done by client.msi. Can be used to troubleshoot client installation or removal problems.
ClientServicing.log: Records information for client deployment state messages during auto-upgrade and client piloting.
The log file SMS_DM.log on the site system server also records communication between
Mac computers and the management point that is set up for mobile devices and Mac
computers.
Server log files
The following sections list log files that are on the site server or that are related to
specific site system roles.
ConfigMgrSetup.log: Records detailed output from the site server setup. (Computer with log file: Site server)
smstsvc.log: Records information about the installation, use, and removal of a Windows service. Windows uses this service to test network connectivity and permissions between servers. It uses the computer account of the server that creates the connection. (Computer with log file: Site server and site system server)
FspIsapi: Records details about communications to the fallback status point from mobile device legacy clients and client computers. (Computer with log file: Site system server)
fspMSI.log: Records messages generated by the installation of a fallback status point. (Computer with log file: Site system server)
fspmgr.log: Records activities of the fallback status point site system role. (Computer with log file: Site system server)
Management point
The following table lists the log files that contain information related to the
management point.
MP_Relay.log: Records the transfer of files that are collected from the client. (Computer with log file: Site system server)
Application management
The following table lists the log files that contain information related to application
management.
colleval.log: Records details about when collections are created, changed, and deleted by the Collection Evaluator. (Computer with log file: Site server)
execmgr.log: Records details about packages and task sequences that run. (Computer with log file: Client)
Asset Intelligence
The following table lists the log files that contain information related to Asset
Intelligence.
aikbmgr.log: Records details about the processing of XML files from the inbox for updating the Asset Intelligence catalog. (Computer with log file: Site server)
AIUpdateSvc.log: Records the interaction of the Asset Intelligence sync point with the cloud service. (Computer with log file: Site system server)
ConfigMgrSetup.log: Records information about setup and recovery tasks when Configuration Manager recovers a site from backup. (Computer with log file: Site server)
Smsbkup.log: Records details about the site backup activity. (Computer with log file: Site server)
smssqlbkup.log: Records output from the site database backup process when SQL Server is installed on a server that isn't the site server. (Computer with log file: Site database server)
Smswriter.log: Records information about the state of the Configuration Manager VSS writer that is used by the backup process. (Computer with log file: Site server)
Certificate enrollment
The following table lists the Configuration Manager log files that contain information
related to certificate enrollment. Certificate enrollment uses the certificate registration
point and the Configuration Manager Policy Module on the server that's running the
Network Device Enrollment Service (NDES).
CertEnrollAgent.log: Records client communication with NDES for certificate requests using the Simple Certificate Enrollment Protocol (SCEP). (Computer with log file: Windows Hello for Business client)
Crpsetup.log: Records details about the installation and configuration of the certificate registration point. (Computer with log file: Certificate registration point)
Crpmsi.log: Records details about the installation and configuration of the certificate registration point. (Computer with log file: Certificate registration point)
Note
This file is located in the folder for the NDES account profile, for example, in
C:\Users\SCEPSvc. For more information about how to enable NDES logging,
see the Enable Logging section of the NDES wiki.
Client notification
The following table lists the log files that contain information related to client
notification.
bgbmgr.log: Records details about site server activities related to client notification tasks and processing online and task status files. (Computer with log file: Site server)
These are local Configuration Manager log files that cloud service manager syncs from
Azure storage every five minutes. The cloud management gateway pushes logs to Azure
storage every five minutes. So the maximum delay is 10 minutes. Verbose switches affect
both local and remote logs. The actual file names include the service name and role
instance identifier. For example, CMG-ServiceName-RoleInstanceID-CMGSetup.log.
These log files are synced, so you don't need to RDP to the cloud management gateway
to obtain them, and that option isn't supported.
Content management
The following table lists the log files that contain information related to content
management.
DataTransferService.log: Records all BITS communication for policy or package access. This log also is used for content management by pull-distribution points. (Computer with log file: Computer that is configured as a pull-distribution point)
PullDP.log: Records details about content that the pull-distribution point transfers from source distribution points. (Computer with log file: Computer that is configured as a pull-distribution point)
PrestageContent.log: Records the details about the use of the ExtractContent.exe tool on a remote, prestaged distribution point. This tool extracts content that has been exported to a file. (Computer with log file: Site system role)
smsdpusage.log: Records details about the smsdpusage.exe that runs and gathers data for the distribution point usage summary report. (Computer with log file: Site system role)
Desktop Analytics
Use the following log files to help troubleshoot issues with Desktop Analytics integrated
with Configuration Manager.
The log files on the service connection point are in the following directory:
%ProgramFiles%\Configuration Manager\Logs\M365A.
The log files on the Configuration Manager client are in the following directory:
%WinDir%\CCM\logs.
Discovery
The following table lists the log files that contain information related to discovery.
adsgdis.log: Records Active Directory Security Group Discovery actions. (Computer with log file: Site server)
Endpoint analytics
SensorWmiProvider.log: Records the activity of the WMI provider for the endpoint analytics sensor. (Computer with log file: Client)
Endpoint Protection
The following table lists the log files that contain information related to Endpoint
Protection.
Extensions
The following table lists the log files that contain information related to extensions.
Inventory
The following table lists the log files that contain information related to processing
inventory data.
dataldr.log: Records information about the processing of MIF files and hardware inventory in the Configuration Manager database. (Computer with log file: Site server)
invproc.log: Records the forwarding of MIF files from a secondary site to its parent site. (Computer with log file: Secondary site server)
sinvproc.log: Records information about the processing of software inventory data to the site database. (Computer with log file: Site server)
Metering
The following table lists the log files that contain information related to metering.
swmproc.log: Records the processing of metering files and settings. (Computer with log file: Site server)
Migration
The following table lists the log files that contain information related to migration.
Mobile devices
The following sections list the log files that contain information related to managing
mobile devices.
Enrollment
The following table lists logs that contain information related to mobile device
enrollment.
Log name | Description | Computer with log file
dmpmsi.log | Records the Windows Installer data for the configuration of a management point that is enabled for mobile devices. | Site system server
enrollsrvMSI.log | Records the Windows Installer data for the configuration of an enrollment point. | Site system server
enrollwebMSI.log | Records the Windows Installer data for the configuration of an enrollment proxy point. | Site system server
The following logs contain information related to the Exchange Server connector.
Log name | Description | Computer with log file
easdisc.log | Records the activities and the status of the Exchange Server connector. | Site server
Log name | Description | Computer with log file
DMCertResp.htm | Records the HTML response from the certificate server when the mobile device legacy client enroller program requests a PKI certificate. | Client
DmClientHealth.log | Records the GUIDs of all mobile device legacy clients that communicate with the management point that is enabled for mobile devices. | Site system server
DmClientSetup.log | Records client setup data for mobile device legacy clients. | Client
DmClientXfer.log | Records client transfer data for mobile device legacy clients and for ActiveSync deployments. | Client
DmpDatastore.log | Records all the site database connections and queries made by the management point that is enabled for mobile devices. | Site system server
DmpDiscovery.log | Records all the discovery data from the mobile device legacy clients on the management point that is enabled for mobile devices. | Site system server
dmpmsi.log | Records the Windows Installer data for the configuration of a management point that is enabled for mobile devices. | Site system server
DmpStatus.log | Records status messages data from mobile device clients on a management point that is enabled for mobile devices. | Site system server
OS deployment
The following table lists the log files that contain information related to OS deployment.
Log name | Description | Computer with log file
DriverCatalog.log | Records details about device drivers that have been imported into the driver catalog. | Site system server
MCSSetup.log | Records details about multicast server role installation. | Site system server
MCSMSI.log | Records details about multicast server role installation. | Site system server
Smpmgr.log | Records details about the results of state migration point health checks and configuration changes. | Site system server
smspxe.log | Records details about the responses to clients that use PXE boot, and details about the expansion of boot images and boot files. | Site system server
TaskSequenceProvider.log | Records details about task sequences when they're imported, exported, or edited. | Site system server
Power management
The following table lists the log files that contain information related to power
management.
Log name | Description | Computer with log file
pwrmgmt.log | Records details about power management activities on the client computer, including monitoring and the enforcement of settings by the Power Management Client Agent. | Client
Remote control
The following table lists the log files that contain information related to remote control.
Log name | Description | Computer with log file
CMRcViewer.log | Records details about the activity of the remote control viewer. | On the computer that runs the remote control viewer, in the %temp% folder.
Reporting
The following table lists the Configuration Manager log files that contain information
related to reporting.
Log name | Description | Computer with log file
srsrp.log | Records information about the activity and status of the reporting services point. | Site system server
srsrpMSI.log | Records detailed results of the reporting services point installation process from the MSI output. | Site system server
srsrpsetup.log | Records results of the reporting services point installation process. | Site system server
Role-based administration
The following table lists the log files that contain information related to managing role-based administration.
Log name | Description | Computer with log file
hman.log | Records information about site configuration changes and the publishing of site information to Active Directory Domain Services. | Site server
SMSProv.log | Records WMI provider access to the site database. | Computer with the SMS Provider
Software metering
The following table lists the log files that contain information related to software
metering.
Software updates
The following table lists the log files that contain information related to software
updates.
Wake On LAN
The following table lists the log files that contain information related to using Wake On
LAN.
Note
When you supplement Wake On LAN by using wake-up proxy, this activity is logged on the client. For example, see CcmExec.log and SleepAgent_<domain>@SYSTEM_0.log in the Client operations section of this article.
Log name | Description | Computer with log file
wolcmgr.log | Records details about which clients need to be sent wake-up packets, the number of wake-up packets sent, and the number of wake-up packets retried. | Site server
wolmgr.log | Records details about wake-up procedures, such as when to wake up deployments that are configured for Wake On LAN. | Site server
Windows servicing
The following table lists the log files that contain information related to Windows
servicing.
Servicing uses the same infrastructure and process as software updates. For other logs
applicable to the servicing scenario, see Software updates.
Log name | Description | Computer with log file
CBS.log | Records servicing failures related to changes for Windows Updates or roles and features. | Client
DISM.log | Records all actions using DISM. If necessary, DISM.log will point to CBS.log for more details. | Client
setupact.log | Primary log file for most errors that occur during the Windows installation process. The log file is located in the %windir%$Windows.~BT\sources\panther folder. | Client
WindowsUpdate.log | Records details about when the Windows Update Agent connects to the WSUS server and retrieves the software updates for compliance assessment, and whether there are updates to the agent components. | Client
WSUS server
The following table lists the log files that contain information related to the WSUS
server.
Log name | Description | Computer with log file
SoftwareDistribution.log | Records details about the software updates that are synced from the configured update source to the WSUS server database. | WSUS server
See also
About log files
CMTrace
Release notes for Configuration Manager
Article • 04/11/2023
With Configuration Manager, product release notes are limited to urgent issues. These
issues aren't yet fixed in the product, or detailed in a troubleshooting article.
This article contains release notes for the current branch of Configuration Manager. For
information on the technical preview branch, see Technical Preview.
For information about the new features introduced with different versions, see the
following articles:
Tip
You can use RSS to be notified when this page is updated. For more information,
see How to use the docs.
The update for Configuration Manager version 2107 is available to download, but it fails
to download. The dmpdownloader.log on the service connection point has entries
similar to the following:
log
Download large file with BITs
This failure happens because the service connection point can't communicate with the
required internet endpoint, configmgrbits.azureedge.net. Confirm that the site system
that hosts the service connection point role can communicate with this internet
endpoint. It was already required, but its use is expanded in version 2107. The site
system can't download version 2107 or later unless your network allows traffic to this
URL.
For more information, see internet access requirements for the service connection point.
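The connectivity check described above, as an added PowerShell example that is not part of the Configuration Manager documentation: run it on the site system that hosts the service connection point role, and it tests name resolution, TCP 443, and an HTTPS request through the system proxy settings for the endpoint named in the release note, then shows the most recent matching dmpdownloader.log entries. The log path derivation (from the SMS_LOG_PATH variable, with a fallback to the default install folder) and the HEAD request are assumptions.

```powershell
# Added example; not from the Configuration Manager docs. Run on the service connection point.
param(
    # Endpoint named in the release note for version 2107 and later downloads.
    [string]$Endpoint = 'configmgrbits.azureedge.net',
    # Assumption: SMS_LOG_PATH is defined by site setup; otherwise use the default install folder.
    [string]$LogPath  = $(if ($env:SMS_LOG_PATH) { Join-Path $env:SMS_LOG_PATH 'dmpdownloader.log' }
                          else { "$env:ProgramFiles\Microsoft Configuration Manager\Logs\dmpdownloader.log" })
)

$result = [ordered]@{ Endpoint = $Endpoint }

# 1. Name resolution: a DNS failure shows up before any TCP or TLS problem does.
try {
    $records = Resolve-DnsName -Name $Endpoint -Type A -ErrorAction Stop
    $result.ResolvedTo = ($records | Where-Object { $_.IPAddress }).IPAddress -join ', '
} catch {
    $result.ResolvedTo = "DNS failure: $($_.Exception.Message)"
}

# 2. TCP reachability on 443, the port the HTTPS download uses.
$tcp = Test-NetConnection -ComputerName $Endpoint -Port 443 -WarningAction SilentlyContinue
$result.Tcp443 = $tcp.TcpTestSucceeded

# 3. An HTTPS request using the machine's proxy settings. Any HTTP status, even a 4xx
#    from the CDN, proves the HTTPS path works; only a transport error means it is blocked.
try {
    $resp = Invoke-WebRequest -Uri "https://$Endpoint/" -Method Head -UseBasicParsing -TimeoutSec 15
    $result.Https = "HTTP $($resp.StatusCode) (reachable)"
} catch {
    if ($_.Exception.Response) {
        $result.Https = "HTTP $([int]$_.Exception.Response.StatusCode) (reachable)"
    } else {
        $result.Https = "Blocked: $($_.Exception.Message)"
    }
}

# 4. The last few BITS download entries, the lines the release note says indicate this failure.
if (Test-Path -Path $LogPath) {
    $result.RecentLogEntries = Select-String -Path $LogPath -Pattern 'Download large file with BITs' |
        Select-Object -Last 3 | ForEach-Object { $_.Line }
} else {
    $result.RecentLogEntries = "Log not found at $LogPath"
}

[pscustomobject]$result | Format-List
```

If Tcp443 is false or Https reports Blocked while DNS resolves, the block is on the network path (firewall or proxy) rather than on the site system itself.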
Software updates
Removing the SUP role in the admin console doesn't reset the superseding age property in
WMI. As a result, when you reconfigure the role, the previously configured value is shown
in the configuration window. This property needs to be reset to the default value on role
removal. For more information, see supersedence rules for installing a software update
point.
Application Administrator
Application Deployment Manager
Software Update Manager
The App Author role may appear to have some permissions to phased deployments,
but can't create deployments.
A user with one of these roles can start the Create Phased Deployment wizard, and can see
phased deployments for an application or software update. They can't complete the
wizard, or make any changes to an existing deployment.
To work around this issue, create a custom security role. Copy an existing security role,
and add the following permissions on the Phased Deployment object class:
Create
Delete
Modify
Read
[Updated]: There is a checkbox for a role-based access control (RBAC) setting in the
cloud attach configuration wizard in the console. By default, Configuration Manager
RBAC is enforced along with Intune RBAC when you're uploading your Configuration
Manager devices to the cloud service. This checkbox is selected by default.
You can now configure Intune role-based access control (RBAC) when interacting with
tenant attached devices from the Microsoft Intune admin center. For more information,
see Intune role-based access control for tenant-attached clients.
When you encounter this issue, it initially appears as a normal console extension
installation. After the extension finishes installing, you select Close to restart the
Configuration Manager console. When the console restarts, you're prompted to install
the console extension again. The extension installation will continue to loop and the
Configuration Manager console doesn't fully open.
To both prevent and work around this issue, run the below SQL script on your CAS
database and all of your primary site databases:
SQL
AS
WITH m AS(
    SELECT *,
    FROM ConsoleExtensionMetadata
SELECT
    m.ID,
    m.Name,
    m.Description,
    m.Author,
    m.Version,
    m.IsEnabled,
    m.IsApproved,
    m.CreatedTime,
    m.CreatedBy,
    m.UpdateTime,
    m.IsTombstoned,
    m.IsRequired,
    m.IsSigned,
    m.IsUnsignedAllowed,
    CASE m.IsRequired
    ELSE
    END AS RequiredBy,
    m.IsSetupDefined
FROM m
WHERE RN = 1
GO
Configuration Manager clients send state messages to the fallback status point or the
management point to report the current state of operations. You can create reports to
view state messages sent by clients.
Each Configuration Manager feature that uses state messages is identified by the topic
type of the state message. The state message topic types listed in this article can be
used to define the Configuration Manager feature that a state message relates to.
Note
A state message ID value of zero (0) typically indicates that the topic type is in an
unknown state.
Software updates
300 STATE_TOPICTYPE_SUM_ASSIGNMENT_COMPLIANCE
1 Compliant
2 Non-compliant
301 STATE_TOPICTYPE_SUM_ASSIGNMENT_ENFORCEMENT
1 Installing updates
8 Downloaded updates
302 STATE_TOPICTYPE_SUM_ASSIGNMENT_EVALUATION
1 Evaluation activated
2 Evaluation succeeded
3 Evaluation failed
400 STATE_TOPICTYPE_SUM_CI_DETECTION
1 Not required
2 Not detected
3 Detected
401 STATE_TOPICTYPE_SUM_CI_COMPLIANCE
1 Compliant
2 Non-compliant
3 Conflict detected
4 Error
5 Unknown
6 Partial compliance
402 STATE_TOPICTYPE_SUM_CI_ENFORCEMENT
1 Enforcement started
6 General failure
7 Pending installation
8 Installing update
12 Downloading update
13 Downloaded update
500 STATE_TOPICTYPE_SUM_UPDATE_DETECTION
2 Update is required
3 Update is installed
501 STATE_TOPICTYPE_SUM_UPDATE_SOURCE_SCAN
2 Scan is running
3 Scan complete
5 Scan failed
Client deployment
The following topic types have no state IDs:
700 STATE_TOPICTYPE_RESYNC_STATE_MSG
701 STATE_TOPICTYPE_SYSTEM_HEARTBEAT
702 STATE_TOPICTYPE_CKD_UPDATE
801 STATE_TOPICTYPE_DEVICE_CLIENT_DEPLOYMENT
800 STATE_TOPICTYPE_CLIENT_DEPLOYMENT
304 Can't install over embedded OS with File-Based Write Filter (FBWF) enabled on
the system drive
318 Can't install the client on the MP because the MP and client versions do not
match
607 Site assignment failed; client version higher than site version
608 Failed to get Site Version from Active Directory Domain Services and SLP
810 STATE_TOPICTYPE_CLIENT_COMANAGEMENT
820 STATE_TOPICTYPE_CLIENT_WUFB
Content
The following topic types have no state IDs:
901 STATE_TOPICTYPE_REMOTE_DP_MONITORING
902 STATE_TOPICTYPE_PULL_DP_MONITORING
903 STATE_TOPICTYPE_DP_USAGE
900 STATE_TOPICTYPE_BRANCH_DP
1 Disk Space
Client operations
1000 STATE_TOPICTYPE_CLIENT_FRAMEWORK_COMM
1001 STATE_TOPICTYPE_CLIENT_FRAMEWORK_LOCAL
1 Client successfully retrieved the certificate from the local certificate store
2 Client failed to retrieve the certificate from the local certificate store
1100 STATE_TOPICTYPE_CLIENT_FRAMEWORK_MODEREADINESS
1300 STATE_TOPICTYPE_CLIENT_HEALTH
1 Success
2 Not successful
1002 STATE_TOPICTYPE_DEVICE_CLIENT_FRAMEWORK_COMM
1003 STATE_TOPICTYPE_DEVICE_CLIENT_FRAMEWORK_LOCAL
1004 STATE_TOPICTYPE_DEVICE_CLIENT_FRAMEWORK_CERTIFICATE
1005 STATE_TOPICTYPE_DEVICE_CLIENT_WIPE
1006 STATE_TOPICTYPE_DEVICE_CLIENT_RETIRE
1007 STATE_TOPICTYPE_DEVICE_CLIENT_WIPE_INTUNE
1008 STATE_TOPICTYPE_DEVICE_CLIENT_RETIRE_INTUNE
1009 STATE_TOPICTYPE_DEVICE_CLIENT_DEVICELOCK
1010 STATE_TOPICTYPE_DEVICE_CLIENT_DEVICELOCK_INTUNE
1011 STATE_TOPICTYPE_DEVICE_CLIENT_DEVICEPINRESET
1012 STATE_TOPICTYPE_DEVICE_CLIENT_DEVICEPINRESET_INTUNE
1013 STATE_TOPICTYPE_DEVICE_CLIENT_DEVICEPINRESET_ONPREM
1014 STATE_TOPICTYPE_DEVICE_CLIENT_DEVICEALBYPASS
1015 STATE_TOPICTYPE_DEVICE_CLIENT_DEVICEALBYPASS_INTUNE
Miscellaneous
The following topic types have no state IDs:
1401 STATE_TOPICTYPE_STATE_REPORT
1500 STATE_TOPICTYPE_CAL_TRACK_UT
1502 STATE_TOPICTYPE_CAL_TRACK_MT
1503 STATE_TOPICTYPE_CAL_TRACK_ML
1600 STATE_TOPICTYPE_USER_AFFINITY
1 Sensor off
2 Sensor on
Applications
The following topic types have no state IDs:
1700 STATE_TOPICTYPE_APP_CI_SCAN
1701 STATE_TOPICTYPE_APP_CI_COMPLIANCE
1703 STATE_TOPICTYPE_APP_CI_ASSIGNMENT_EVALUATION
1704 STATE_TOPICTYPE_APP_CI_LAUNCH
1702 STATE_TOPICTYPE_APP_CI_ENFORCEMENT
Events
The following topic types have no state IDs:
1800 STATE_TOPICTYPE_EVENT_INTRINSIC
1801 STATE_TOPICTYPE_EVENT_EXTRINSIC
Endpoint protection
The following topic types have no state IDs:
1900 STATE_TOPICTYPE_EP_AM_INFECTION
1901 State_Topictype_Ep_Am_Health
1902 STATE_TOPICTYPE_EP_MALWARE
1950 STATE_TOPICTYPE_ATP_HEALTH_STATUS
2001 STATE_TOPICTYPE_EP_CLIENT_DEPLOYMENT
2002 STATE_TOPICTYPE_EP_CLIENT_POLICYAPPLICATION
2003 STATE_TOPICTYPE_CLIENT_ACTION
1 Not applicable
2 Failed
3 Succeeded
Wake-up proxy
2100 STATE_TOPICTYPE_WP_CLIENT_DEPLOYMENT
2200 STATE_TOPICTYPE_FDM
2201 STATE_TOPICTYPE_CCM_CERT_BINDING
2202 STATE_TOPICTYPE_SERVER_STATISTIC
4000 STATE_TOPICTYPE_MDM_DEVICE_PROPERTY
4002 STATE_TOPICTYPE_MDM_CLIENT_IDENITITY
4003 STATE_TOPICTYPE_MDM_APPLICATION_REQUEST
4004 STATE_TOPICTYPE_MDM_APPLICATION_STATE
4005 STATE_TOPICTYPE_MDM_LICENSE_DEVICE_RELATION
4006 STATE_TOPICTYPE_MDM_LICENSE_KEYS
4007 STATE_TOPICTYPE_MDM_POLICY_ASSIGNMENT
4008 STATE_TOPICTYPE_MDM_ANDROID_COUNT
4009 STATE_TOPICTYPE_MDM_SLK_STATUS
4010 STATE_TOPICTYPE_MDM_USER_COMPANY_TERM_ACCEPTANCE
4022 STATE_TOPICTYPE_MDM_DEP_SYNCNOW_STATUS
4023 STATE_TOPICTYPE_MDM_MAM_STORE_APP_SYNC
3000 STATE_TOPICTYPE_DM_WNS_CHANNEL
Resource access
5000 STATE_TOPICTYPE_CERTIFICATE_ENROLLMENT
1 Challenge issued
7 Issue failed
8 Issue pending
9 Issued
11 Response pending
12 Enrollment succeeded
14 Revoked
16 Renew verified
17 Install failed
18 Installed
19 Delete failed
20 Deleted
21 Renewal requested
5001 STATE_TOPICTYPE_CERTIFICATE_CRP
1 Challenge issued
7 Issue failed
8 Issue pending
9 Issued
11 Response pending
12 Enrollment succeeded
14 Revoked
16 Renew verified
17 Install failed
18 Installed
19 Delete failed
20 Deleted
21 Renewal requested
5200 STATE_TOPICTYPE_RESOURCE_ACCESS_STATUS
Remote applications
The following topic types have no state IDs:
6000 STATE_TOPICTYPE_REMOTEAPP_SUBSCRIPTION_STATUS
6001 STATE_TOPICTYPE_REMOTEAPP_SUBSCRIPTION_SYNC_STATUS
6002 STATE_TOPICTYPE_REMOTEAPP_AUTHCOOKIES_SYNC_STATUS
6003 STATE_TOPICTYPE_REMOTEAPPLICATIONS_SYNC_STATUS
6004 STATE_TOPICTYPE_REMOTEAPP_LOCK_RESULT
Compliance settings
The following topic types have no state IDs:
7000 STATE_TOPICTYPE_USER_COMPANY_TERM_ACCEPTANCE
7001 STATE_TOPICTYPE_PFX_CERTIFICATE
1 Challenge issued
7 Issue failed
8 Issue pending
9 Issued
11 Response pending
12 Enrollment succeeded
14 Revoked
16 Renew verified
17 Install failed
18 Installed
19 Delete failed
20 Deleted
21 Renewal requested
7010 STATE_TOPICTYPE_CONDITIONAL_ACCESS_COMPLIANCE
1 Compliance success
2 Compliance fail at MP
Peer caching
7200 STATE_TOPICTYPE_SUPER_PEER_UPDATE_CACHE_MAP
7201 STATE_TOPICTYPE_SUPER_PEER_UPDATE_CONFIG
7202 STATE_TOPICTYPE_DOWNLOAD_AGGREGATE_DATA
7203 STATE_TOPICTYPE_PEERSOURCE_REQ_REJECTION_STATS
Proxy
The following topic types have no state IDs:
7300 STATE_TOPICTYPE_PROXY_TRAFFIC
7301 STATE_TOPICTYPE_PROXY_CONNECTION
7302 STATE_TOPICTYPE_SRS_USAGE_DATA
7303 STATE_TOPICTYPE_PROXY_TRAFFIC_IDENTITY
Health attestation
8001 STATE_TOPICTYPE_HAS_REPORT
Client actions
The following topic types have no state IDs:
8002 STATE_TOPICTYPE_DEVICE_CLIENT_EDPLOG
8003 STATE_TOPICTYPE_ENABLE_LOSTMODE
8004 STATE_TOPICTYPE_DISABLE_LOSTMODE
8005 STATE_TOPICTYPE_LOCATE_DEVICE
8006 STATE_TOPICTYPE_REBOOT_DEVICE
8007 STATE_TOPICTYPE_LOGOUTUSER
8008 STATE_TOPICTYPE_USERSLIST
8009 STATE_TOPICTYPE_DELETEUSER
8010 STATE_TOPICTYPE_CLEANPCRETAININGUSERDATA
8011 STATE_TOPICTYPE_CLEANPCWITHOUTRETAININGUSERDATA
8012 STATE_TOPICTYPE_SETDEVICENAME
9000 STATE_TOPICTYPE_BOOK_CI_COMPLIANCE
9001 STATE_TOPICTYPE_BOOK_CI_ENFORCEMENT
Next steps
Description of state messaging in Configuration Manager
Unicode and ASCII support in Configuration Manager
Article • 10/04/2022
Site code
Note
These accounts support ASCII characters, and RUS characters on a site that
runs in Russian.
Note
The accounts that you specify for role-based administration support
Unicode.
The reporting services point account supports Unicode, with the exception
of RUS characters.
Fully qualified domain name (FQDN) for site servers and site systems
Enrollment point
The folder that stores the installation source files for site setup
The folder that stores the prerequisite downloads for use by setup
IIS website
Other limitations
The following limitations are for supported character sets and language versions:
Configuration Manager doesn't support changing the locale of the site server
computer.
An enterprise certificate authority (CA) doesn't support client computer names that
use double-byte character sets (DBCS). The client computer names that you can
use are restricted by the PKI limitation of the IA5 character set. Configuration
Manager doesn't support CA names or subject name values that use DBCS.
Several Configuration Manager objects don't support Unicode. They're stored in the
database by using ASCII, or they have other language limitations. This information is
always displayed by using the ASCII character set, or in the language that was in use
when you created the object.
Next steps
Language packs in Configuration Manager
Management insights in Configuration Manager
Article • 03/14/2023
Note
When you select the Management Insights node, it shows the Management
insights dashboard.
All Rules: Gives the complete list of insights for the chosen group.
In Progress: Shows insights where some, but not all, prerequisites are complete.
Action Needed: This tab lists insights that need you to take action. Select More
Details to show specific items where action is needed.
The Prerequisites pane lists any required items needed to run the selected insight.
For example, the following screenshot shows an example of the All Rules tab for the
Cloud Services group:
To see the details, select an insight, and then select More Details.
Operations
The site reevaluates the applicability of the management insights on a weekly schedule.
To manually reevaluate an insight, right-click the insight, and select Re-evaluate.
The log file for management insights is SMS_DataEngine.log on the site server.
Some insights let you take action. Select an insight, select More Details, and then if
available select Take action. Depending upon the insight, this action has one of the
following behaviors:
Automatically navigate in the console to the node where you can take further
action. For example, if the management insight recommends changing a client
setting, taking action navigates to the Client Settings node. Then take further
action by modifying the default or a custom client settings object.
Navigate to a filtered view based on a query. For example, taking action on the
empty collections insight shows just these collections in the list of collections. Then
take further action, such as deleting a collection or modifying its membership
rules.
Use the following filters at the top of the dashboard to refine the view:
Show Completed
Optional
Recommended
Critical
Top 10 applicable insight rules: A table of insights including priority and state. Use
the Filter field at the top of the table to match strings in any of the available
columns. The dashboard sorts the table in the following order:
Status: Action Needed, Completed, Unknown
Priority: Critical, Recommended, Optional
Last Changed: older dates on top
Applications
Cloud services
Collections
Configuration Manager Assessment
Deprecated and unsupported features
Optimize for remote workers
Proactive maintenance
Security
Simplified management
Software Center
Software updates
Windows 10
Note
Your site may not show all of the following groups and insights. Some insights
don't appear when you've already configured the site for the recommendation.
Applications
Insights for your application management.
Cloud services
Helps you integrate with many cloud services, which enable modern management of
your devices.
Assess co-management readiness: Helps you understand what steps are needed
to enable co-management. This insight has prerequisites. For more information,
see Co-management overview.
Devices not uploaded to Azure AD: This insight lists devices that the site hasn't
uploaded to Azure Active Directory (Azure AD) because you haven't configured it
for HTTPS. Configure Enhanced HTTP, or enable at least one management point
for HTTPS. If you already configured the site for HTTPS communication, this insight
doesn't appear.
Sites that don't have proper HTTPS configuration: This insight lists sites in your
hierarchy that aren't properly configured for HTTPS. This configuration prevents
the site from synchronizing collection membership results to Azure AD groups. It
may cause Azure AD sync to not upload all devices. Management of these clients
may not function properly. Configure Enhanced HTTP, or enable at least one
management point for HTTPS. If you already configured the site for HTTPS
communication, this insight doesn't appear.
Update clients to the latest Windows 10 version: Windows 10, version 1709 or
above improves and modernizes the computing experience of your users. For
more information, see Stay current with Windows as a service.
Collections
Insights that help simplify management by cleaning up and reconfiguring collections.
Collections with no query rules and no direct members: To simplify the list of
collections in your hierarchy, delete these collections.
Collections with the same re-evaluation start time: These collections have the
same re-evaluation time as other collections. Modify the re-evaluation time so they
don't conflict.
Collections with query time over 5 minutes: Review the query rules for this
collection. Consider modifying or deleting the collection.
Note
For more information on managing collections and collection evaluation, see the
following articles:
Active Directory User Discovery is configured to run too frequently: You typically
don't need to configure Active Directory User Discovery to occur more frequently
than every three hours. A more frequent configuration can have a negative
performance impact on Active Directory, the network, and Configuration Manager.
Enable incremental synchronization instead of using a full sync schedule. For more
information, see Active Directory user discovery.
Collections limited to All Systems or All Users: Review any collections that use the
All Systems or All Users collections as the limiting collection. Configuration
Manager updates the membership of these default collections with data from the
Active Directory discovery methods. This data may not be valid information for
Configuration Manager clients.
Heartbeat Discovery is disabled: Heartbeat discovery requires that you install the
Configuration Manager client on devices. It's the only discovery method that
clients start. All other methods occur on site servers. Heartbeat discovery is
essential to keep client activity status current. It makes sure that the site doesn't
accidentally age out the resource records from the site database. For more
information, see Heartbeat discovery.
Secondary site installation issues: The installation status of some secondary sites
is Pending or Failed. These states mean that you started the install but it didn't
complete successfully. Until the secondary site install finishes, clients may not
communicate properly with the primary site. Check the Monitoring workspace, and
retry the installation. For more information, see Retry installation of a failed update.
Update all sites to the same version: Use the same version of Configuration
Manager in a hierarchy. This configuration makes sure all sites provide the same
functionality. Sites of different versions in the same hierarchy introduce
interoperability scenarios. Later versions of Configuration Manager include new
features and resolve known issues. For more information, see Interoperability
between different versions.
For more information on these insights, see Remediation steps for Configuration
Manager management insights.
Tip
The following management insights are about features you may be using which have
been deprecated or are no longer supported. These features may be removed from the
product in a future release.
Site system roles associated with deprecated or removed features: This insight
checks for installed site system roles for deprecated features that will be removed
in a future release.
Check if the site uses the asset intelligence sync point role: This insight checks for
installation of the asset intelligence synchronization point role.
Configuration Manager client for macOS end of support: This insight lists the
clients running macOS. Support for the Configuration Manager client for macOS
and Mac client management ends on December 31, 2022.
Certificate registration point is no longer supported: This insight checks for
installation of the certificate registration point site system role. This feature is no
longer supported as of March 2022. Configuration Manager versions released
before March 2022 will still be able to install and use certificate registration points.
Company resource access policies are no longer supported: This insight checks
for company resource access policies. These features are no longer supported as of
March 2022. Company resource access includes email, certificate, VPN, Wi-Fi, and
Windows Hello for Business profiles. Configuration Manager versions released
before March 2022 will still be able to use company resource access policies.
Microsoft Store for Business deprecated: This insight checks for the presence of
Microsoft Store for Business connector. This feature has been deprecated as of
Nov 2021.
Large task sequences may contribute to exceeding maximum policy size: If you
deploy these task sequences, clients may not be able to process the large policy
objects. Reduce the size of the task sequence policy to prevent potential policy
processing issues.
Total policy size for task sequences exceeds policy limit: Clients can't process the
policy for these task sequences because it's too large. Reduce the size of the task
sequence policy to allow the deployment to run on clients.
For more information, see Reduce the size of task sequence policy.
Unused boot images: Boot images not referenced for PXE boot or task sequence
use. For more information, see Manage boot images.
Disable peer to peer content sharing for VPN connected clients: To prevent
unnecessary peer-to-peer traffic that likely doesn't benefit the remote clients,
disable the boundary group option to Allow peer downloads in this boundary
group. For more information, see Boundary group options.
Proactive maintenance
The insights in this group highlight potential configuration issues to avoid through
upkeep of Configuration Manager objects.
Boundary groups with no assigned site systems: Without assigned site systems,
boundary groups can only be used for site assignment. For more information, see
Configure boundary groups.
Boundary groups with no members: Boundary groups aren't applicable for site
assignment or content lookup if they don't have any members. For more
information, see Configure boundary groups.
Distribution points not serving content to clients: Distribution points that haven't
served content to clients in the past 30 days. This data is based on reports from
clients of their download history. For more information, see Install and configure
distribution points.
Enable WSUS Cleanup: Verifies that you've enabled the option to run WSUS
cleanup on the properties of the software update point component. This option
helps to improve WSUS performance. For more information, see Software update
maintenance.
Update servers running Windows Server 2012 and 2012 R2: Detects servers that
are running Windows Server 2012 or 2012 R2 operating systems. The support
lifecycle for these operating systems ends on October 9, 2023. For more
information, see the Product lifecycle.
Upgrade peer cache sources to the latest version of the Configuration Manager
client: Identify clients that serve as a peer cache source but haven't upgraded from
a pre-1806 client version. Pre-1806 clients can't be used as a peer cache source for
clients that run version 1806 or later. Select Take action to open a device view that
displays the list of clients.
Tip
In version 2006, the insight for Unused boot images moved to the new OS
deployment group.
Security
Insights for improving the security of your infrastructure and devices.
NTLM fallback is enabled: This insight detects if you enabled the less secure NTLM
authentication fallback method for the site. When using the client push method of
installing the Configuration Manager client, the site can require Kerberos mutual
authentication. This enhancement helps to secure the communication between the
server and the client. For more information, see How to install clients with client
push.
Unsupported antimalware client versions: More than 10% of clients are running
versions of System Center Endpoint Protection that aren't supported. For more
information, see Endpoint Protection.
Update clients running Windows 7 and Windows Server 2008: The rule shows
clients running Windows 7, Windows Server 2008 (non-Azure), and Windows
Server 2008 R2 (non-Azure) that are no longer receiving security updates. For more
information about updates for these operating systems, see Extended Security
Updates (ESU) .
Simplified management
Insights that help you simplify the day-to-day management of your environment.
Connect the site to the Microsoft cloud for Configuration Manager updates: This
insight makes sure your Configuration Manager service connection point has
connected to the Microsoft cloud within the past seven days. This connection is to
download content for regular updates. Review DMPDownloader.log and hman.log.
For more information, see Internet access requirements.
Non-CB Client Versions: Lists all clients whose versions aren't a current branch (CB)
build. For more information, see Upgrade clients.
Software Center
Insights for managing Software Center.
Use the new version of Software Center: The previous version of Software Center
is no longer supported. Set up clients to use the new Software Center by enabling
the client setting Use new Software Center in the Computer Agent group. For
more information, see About client settings.
Software updates
Client settings aren't configured to allow clients to download delta content:
Some software updates synchronized in your environment include delta content.
Enable the client setting, Allow clients to download delta content when available.
If you don't enable this setting, when you deploy these updates, clients
unnecessarily download more content than they require. For more information, see
Client settings - Software updates.
Enable the software updates product category 'Windows 10, version 1903 and
later': There's a new software updates product category for Windows 10, version
1903 and later. If you synchronize Windows 10 updates, and have Windows 10,
version 1903 or later clients, select the Windows 10, version 1903 and later
product category in the software update point component properties. For more
information, see Configure classifications and products to synchronize.
Configure software update points to use TLS/SSL: Detects whether your software update
points are configured to use TLS/SSL. Configuring Windows Server Update Services
(WSUS) servers and their corresponding software update points (SUPs) to use
TLS/SSL may reduce the ability of a potential attacker to remotely compromise a
client and elevate privileges, because without TLS a client has no way to
authenticate the update server it's talking to. Enabling it requires a server
certificate on the WSUS server, the Require SSL communication to the WSUS server
option on the SUP, and clients that trust that certificate chain. This rule was added
in Configuration Manager version 2107.
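The insight above evaluates the site-side configuration. The following script is an added example, not code from the Configuration Manager documentation, that checks the same property from a managed client's point of view: it reads the software update point that the Configuration Manager client has written into the local Windows Update policy keys, refuses plain http:// assignments, and then opens a real TLS session so that certificate chain validation runs the way the Windows Update agent would run it. The policy key path and the default WSUS SSL port 8531 are assumptions about a standard deployment; the function names are this example's own.

```powershell
# Added example: verify that this client's assigned software update point uses TLS.
# Assumption: Configuration Manager writes the SUP into the local policy key below
# (WUServer / WUStatusServer). The SUP FQDN and port come from that key, not from here.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-SupAssignment {
    # Returns the WUServer / WUStatusServer values, or $null if no SUP is assigned.
    if (-not (Test-Path $PolicyKey)) { return $null }
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        WUServer       = $p.WUServer
        WUStatusServer = $p.WUStatusServer
    }
}

function Test-SupUsesTls {
    param([Parameter(Mandatory)][string]$Url)
    $uri = [uri]$Url
    if ($uri.Scheme -ne 'https') {
        # An http:// SUP means the client accepts update metadata from an
        # unauthenticated server; this is the condition the insight warns about.
        return [pscustomobject]@{ Url = $Url; Tls = $false; Reason = 'plain HTTP: server is not authenticated' }
    }
    try {
        # Open a TLS session and let Windows validate the chain against the machine
        # trust store. Any validation failure (untrusted CA, name mismatch, expiry) throws.
        $tcp = [System.Net.Sockets.TcpClient]::new($uri.Host, $uri.Port)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($uri.Host)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Url    = $Url
            Tls    = $true
            Reason = "protocol=$($ssl.SslProtocol) subject=$($cert.Subject) expires=$($cert.NotAfter)"
        }
    } catch {
        [pscustomobject]@{ Url = $Url; Tls = $false; Reason = $_.Exception.Message }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}

$sup = Get-SupAssignment
if (-not $sup) {
    Write-Warning 'No software update point is assigned to this client.'
    return
}
# Check both the content server and the status (reporting) server; they may differ.
@($sup.WUServer, $sup.WUStatusServer) |
    Where-Object { $_ } |
    Select-Object -Unique |
    ForEach-Object { Test-SupUsesTls -Url $_ }
```

Run it on a client after a machine policy refresh. A result of Tls = $false with a chain-validation message means the SUP is listening on TLS but the client doesn't trust the certificate, which is the case to fix before you flip the site to require SSL, or clients will stop scanning rather than fall back.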
Windows 10
Insights related to the deployment and servicing of Windows 10. The Windows 10
management insight group is only available when more than half of clients are running
Windows 7, Windows 8, or Windows 8.1.
Configure Windows diagnostic data and commercial ID key: To use data from
Desktop Analytics, configure devices with a Commercial ID key and enable
collection of diagnostic data. Set Windows 10 devices to Enhanced (Limited) level
or higher. For more information, see Enable data sharing for Desktop Analytics.
Community hub and GitHub
Article • 10/31/2022
Important
The IT Admin community has developed a wealth of knowledge over the years. Rather
than reinventing items like Scripts and Reports from scratch, we've built a Community
hub in Configuration Manager where IT Admins can share with each other. By
leveraging the work of others, you can save hours of work. The Community hub fosters
creativity by building on others' work and having other people build on yours. GitHub
already has industry-wide processes and tools built for sharing. Now, the Community
hub can leverage those tools directly in the Configuration Manager console as
foundational pieces for driving this new community.
CMPivot queries
Applications
Task sequences
Configuration items
Configuration baselines, including child configuration items
Baselines with software updates or version-specific references aren't supported
PowerShell Scripts
Reports
Power BI report templates
For information about sharing and using Power BI report templates with
Community hub, see Integrate with Power BI Report Server.
Console extensions are available for download, but contributions are currently
limited
Content for console extensions isn't hosted by Microsoft. Currently, the source
download location displays in the verbose SmsAdminUi.log for the console that
initiates the download.
What's new
Support for downloading signed console extensions and limited contribution,
added in July 2021
Filter content when using search, added in June 2021
Support for configuration baselines including child configuration items, added in
March 2021
Support for Power BI reports, added in February 2021
Prerequisites
The device running the Configuration Manager console used to access the
Community hub needs the following items:
.NET Framework version 4.6 or later
.NET Framework version 4.6.2 or later is required starting in Configuration
Manager 2010
Starting in version 2107, the console requires .NET version 4.6.2, and version
4.8 is recommended. For more information, see Install the Configuration
Manager console.
A supported version of Windows 10 or later
Windows Server isn't supported before version 2010, so the Configuration
Manager console needs to be installed on a supported Windows client
device separate from the site server.
Starting in version 2010, install the Microsoft Edge WebView2 console
extension to support Windows Server.
A GitHub account is only required to contribute and share content from the Your
hub page. If you don't wish to share, you can use contributions from others
without having a GitHub account. For more information, see Contribute to
Community hub.
Permissions
To import a script: Create permission for SMS_Scripts class.
To import a report: Full Administrator security role.
Starting in version 2010, Full Administrators can opt in the hierarchy for
unreviewed content via hierarchy settings. Lower hierarchy administrators can't opt
in the hierarchy for unreviewed hub items. For more information, see the
Categorize Community hub content section.
Most built-in security roles will have access to the Community hub node:
Role name View the hub Contribute hub content Download hub content
4. Downloaded reports are deployed to a report folder called hub on the reporting
services point. Downloaded scripts can be seen in the Run Scripts node. Typically,
downloaded items are placed in the console node for which they're used.
5. View all items downloaded from the hub by your organization by selecting Your
downloads from the Community hub node.
Curated curated:false No
User user:<GitHubUserName> No
Organization org:<GitHubOrganizationName> No
The filtering on some items is done using like, so you don't need to know the
exact name of the item you're trying to find. For instance, using type:task would
return task sequences.
You can't use the same filter twice in a search. For instance, using type:report and
type:extension would only return reports since the second filter gets ignored.
Search filtering respects the hierarchy setting for displaying Community hub
content categories.
If your hierarchy is set to Display Microsoft and curated community content,
then curated:false is ignored.
If your hierarchy is set to Display Microsoft content, then the curated: filter is
ignored.
Starting in version 2203, the console displays a list of search filters you can use in
Community hub.
You can navigate to and reference items in the Configuration Manager console
Community hub node with a direct link. Collaborate with your colleagues easily by
sharing direct links to Community hub items. These deep links are currently only for
items in the Community hub node of the console.
Share an item:
1. Open the link from a machine that has the Configuration Manager console
installed.
2. Select Launch the Community hub when prompted.
3. The console opens directly to the script in the Community hub node.
Admins can choose the types of content their environment displays from the following
options:
Display Microsoft content: Selecting this option means that only content created
by Microsoft will be shown in the Community hub. This content has had some
basic testing and scanning validation to confirm no malware and inappropriate
text.
Display Microsoft and curated community content: Show curated content from
both Microsoft and community partners with basic level of review. Selecting this
option means that only content that has been curated will be shown. The curation
process includes basic review to confirm that the content doesn’t have malware
and inappropriate text, but hasn’t necessarily been tested. It will include content
from the community, not just from Microsoft.
Display all content including unreviewed content: Selecting this option means
that all content is shown. This option includes unreviewed open-source type
samples from the community, meaning that the content hasn’t necessarily been
reviewed at all. It's provided as-is as open-source type sample content. Doing your
own inspection and testing before using is highly encouraged, which is good
practice on any content, but especially this class of content.
Since the content is open-source style content, admins should always review what is
provided before consuming it. The new curation process is intended to vet the material
to make sure there aren't obvious quality or compliance issues, but it will be somewhat
of a cursory review. All content stored within GitHub and accessed from the Community
hub isn’t supported by Microsoft. Microsoft doesn’t validate content collected from or
shared by the general community. For more information, see GitHub Terms of Service
and GitHub Privacy Statement.
The Microsoft Edge WebView2 console extension enables the full functionality for
Community hub. If WebView2 isn't installed, a banner is shown when you navigate to
the Community hub node. The WebView2 console extension:
Important
Follow the instructions below to enable the full functionality of Community hub:
1. In the upper-right corner of the console, select the bell icon to display
Configuration Manager console notifications.
2. The notification will say New custom console extensions are available.
3. Select the link Install custom console extensions to launch the install.
4. When the install completes, select Close to restart the console.
5. Confirm that you can view the Community hub node from the machine running
the Windows Server operating system.
was created.
The files are automatically downloaded from
https://developer.microsoft.com/en-us/microsoft-edge/webview2/#download-section
with the other redistributable files.
Tip
Starting in Configuration Manager version 2103, you can also install the WebView2
extension from the Console Extensions node. For more information, see Install an
extension on a local console.
Known issues
Workaround: To work around this issue, update the .NET Framework to version 4.7.1 or
later for the machine running the Configuration Manager console.
Workaround: To work around this issue, delete the configuration item you previously
downloaded, then download the baseline with the new version of the configuration
item.
Unable to sign in when single sign on with multifactor
authentication is used
When single sign on with multifactor authentication is used, you may not be able to sign
in for the following features when using Configuration Manager 2103 and earlier:
Community hub
Community hub from CMPivot
Custom tabs in Software Center that load a website that's subject to conditional
access policies
Next steps
Contribute to the Configuration Manager Community hub
Contribute to the Community hub
Article • 10/31/2022
Important
Community hub fosters creativity by building on others' work and having other people
build on yours. GitHub already has industry-wide processes and tools built for sharing.
Now, the Community hub can leverage those tools directly in the Configuration
Manager console as foundational pieces for driving this new community. You can share
the following objects for use by others in the Configuration Manager community:
CMPivot queries
Applications
Task sequences
Configuration items
Configuration baselines, including child configuration items
Baselines with software updates or version-specific references aren't supported
PowerShell Scripts
Reports
Power BI report templates
For information about sharing and using Power BI report templates with
Community hub, see Integrate with Power BI Report Server.
Console extensions are available for download, but contributions are currently
limited
Content for console extensions isn't hosted by Microsoft. Currently, the source
download location displays in the verbose SmsAdminUi.log for the console that
initiates the download.
Prerequisites
All Community hub prerequisites and permissions
Configuration Manager version 2010 or later
Install the Microsoft Edge WebView2 extension for the Configuration Manager
console.
A GitHub account
A GitHub account is only required to contribute and share content from the
Your hub page.
If you don't already have a GitHub account, you can create one before you join.
If you don't wish to share, you can use contributions from others without having
a GitHub account.
Important
Configuration Manager versions 2006 and earlier can’t sign into GitHub but can still
download items. Using Community hub on Windows Server requires the WebView2
console extension and Configuration Manager version 2010 or later.
Most built-in security roles will have access to the Community hub node:
Role name View the hub Contribute hub content Download hub content
2. Select Your hub and you'll be prompted to sign into GitHub. If you don't have an
account, you'll be redirected to GitHub where you can create one. A GitHub
account is only required to contribute and share content from the Your hub page.
3. Once you've signed into GitHub, select the Join button to join the Community hub.
4. After joining, you'll see your membership request is pending. Your account needs
approval by the Configuration Manager Content Curation team. Approvals are
done once a day, so it may take up to one business day for your approval to be
granted.
5. Once you're granted access, you'll get an email from GitHub. Open the link in the
email to accept the invitation.
Important
You must accept the invitation sent in the email otherwise you won't be able
to contribute content.
Contribute content
Once you've accepted the invitation, you can contribute content.
3. Specify the Type of object you want to share from the drop-down menu. The
following object types are available:
CMPivot queries
Applications
Task sequences
Configuration items
Configuration baselines, including child configuration items
Baselines with software updates or version-specific references aren't
supported
PowerShell Scripts
Reports
Power BI report templates
For information about sharing and using Power BI report templates with
Community hub, see Integrate with Power BI Report Server.
Console extensions are available for download, but contributions are
currently limited
Content for console extensions isn't hosted by Microsoft. Currently, the
source download location displays in the verbose SmsAdminUi.log for the
console that initiates the download.
4. Select Browse to load your environment's object list for the selected type. The
object's Name and Description (if available) will automatically load in the
contribution wizard.
5. Edit the following information to reflect what the community should see for your
contribution:
6. On the Organization page, select the GitHub Organization to use for organization
branding if needed.
8. Once the contribution is complete, you'll see the GitHub pull request (PR) link. The
link is also emailed to you. You can paste the link into a browser to view the PR.
Your PR will go through the standard GitHub merge process.
10. Once the PR has been completed and merged, the new item will display in the
Community hub home page for others to see.
Method 1:
Method 2:
If the pull request was never completed (merged) into the GitHub repository, then you
can just close the pull request. Ensure that you're signed into GitHub with the same
GitHub account that you used to create the pull request.
To use branding:
The visibility of the organization membership must be set to Public from the
contributor's GitHub profile.
On the Organization page in the Contribute item wizard, select the GitHub
Organization to use for branding. For more information, see the Contribute
content section.
You can navigate to and reference items in the Configuration Manager console
Community hub node with a direct link. Collaborate with your colleagues easily by
sharing direct links to Community hub items. These deep links are currently only for
items in the Community hub node of the console.
Share an item:
1. Open the link from a machine that has the Configuration Manager console
installed.
2. Select Launch the Community hub when prompted.
3. The console opens directly to the script in the Community hub node.
Starting in version 2107, you can publish a CMPivot query to the Community hub
directly from the CMPivot window. Submitting your queries directly through CMPivot
makes contributing to the Community hub easier.
You'll need the following requirements for CMPivot and for contributing to the
Community hub:
1. Go to the Assets and Compliance workspace then select the Device Collections
node.
2. Select a target collection, target device, or group of devices then select Start
CMPivot in the ribbon to launch the tool.
3. From the CMPivot window, select the Community hub icon on the menu.
5. Create a CMPivot query, then select Run Query to verify it functions as expected.
Optionally, select the folder icon to access your favorites list to use a query
you've already created.
6. Select the Publish link at the top of CMPivot's Community hub window when you're
ready to submit your query.
7. Give your query a Name and Description, then select the Publish button to send
your query to the Community hub.
8. Once the contribution is complete, you can access your query anytime from the
Me tab.
Note
Currently, when you publish a query through CMPivot, you can't edit or delete
it after publishing.
Community hub is only available in CMPivot when you run it from the
Configuration Manager console. Community hub isn't available from
standalone CMPivot.
Configuration baselines
When you contribute a configuration baseline, each of the child configuration items is
verified. The verification starts at the lowest nested level. This means that configuration
items that are grandchildren are verified before direct child configuration items are. You
can have up to 50 child configuration items and up to 4 nested levels. The following
process occurs to ensure the configuration baseline is usable and complete:
1. Check if the child configuration item is already in the Community hub. If the
configuration item doesn't exist, it's created.
2. If the configuration item already exists in the Community hub, verify the
contributor is the author. If the contributor isn't the author, a new configuration
item is created in Community hub.
3. If the contributor is the author, check for local updates to the configuration item. If
the configuration item changed, update the item in the Community hub.
Console extensions
You contribute extensions the same way you would any other Community hub object.
However, there are additional requirements, and additional information you need to
supply, for an extension. When you contribute a console extension to Community hub,
the content must be signed. Content for console extensions isn't hosted by Microsoft.
When you contribute your item, you'll be asked to provide a location to the signed .cab
file along with other information for the extension. The following items are required for
contributing extensions:
Next steps
Learn more about creating and using the following objects:
Important
When you use Configuration Manager version 2103 or later, you can download console
extensions from the Community hub and have them applied to all consoles connected to a
hierarchy. The Console extensions node allows you to start managing the approval and
installation of console extensions used in your environment. Getting an extension from
Community hub doesn't make it immediately available. First, an administrator has to
approve the extension for the site. Because an approved extension is offered to every
console in the hierarchy, confirm that its signature is valid and from the signer you
expect before approving it. Then console users can install the extension to their
local console.
After you approve an extension, when you open the console, you'll see a console
notification. From the notification, you can start the extension installer. After the installer
completes, the console restarts automatically, and then you can use the extension.
Curated curated:false No
User user:<GitHubUserName> No
Organization org:<GitHubOrganizationName> No
The filtering on some items is done using like so you don't need to know the
exact name of an item you are trying to find. For instance, using type:task would
return task sequences.
You can't use the same filter twice in a search. For instance, using type:report and
type:extension would only return reports since the second filter gets ignored.
Search filtering respects the hierarchy setting for displaying Community hub
content categories.
If your hierarchy is set to Display Microsoft and curated community content,
then curated:false is ignored.
If your hierarchy is set to Display Microsoft content, then the curated: filter is
ignored.
Starting in version 2203, the console displays a list of search filters you can use in
Community hub.
1. Once you've found an extension in Community hub that you want in your
environment, select Download.
2. The downloaded extension will appear in the Console Extensions node.
3. Change the security scope for the extension, approve it, then install and test it on a
local console. For more information on this process, see Install and test an
extension on a local console.
4. When testing is complete, enable user notifications for installation.
1. In the upper-right corner of the console, select the bell icon to display
Configuration Manager console notifications.
2. The notification will say New custom console extensions are available.
3. Select the link Install custom console extensions to launch the install.
4. When the install completes, select Close to restart the console and enable the new
extension.
Note
When you upgrade to Configuration Manager 2107, you will be prompted to install
the WebView2 console extension again. For more information about the WebView2
installation, see the WebView2 installation section of the Community hub article.
Next steps
Manage console extensions
Import console extensions
Create and contribute your own console extension
CMPivot overview
Article • 02/22/2023
CMPivot allows you to quickly assess the state of devices in your environment and take
action. When you enter a query, CMPivot will run a query in real time on all currently
connected devices in the selected collection. The data returned can then be filtered,
grouped, and refined to answer business questions, troubleshoot issues in your
environment, or respond to security threats. For more information about using CMPivot,
see Use CMPivot.
Queries
Queries can be used to search terms, identify trends, analyze patterns, and provide
many other insights based on your data. CMPivot uses a subset of the Azure Log
Analytics data flow model for the tabular expression statement. The typical structure of a
tabular expression statement is a composition of client entities and tabular data
operators (such as filters and projections). The composition is represented by the pipe
character (|), giving the statement a regular form that visually represents the flow of
tabular data from left to right. Each operator accepts a tabular data set "from the pipe",
and additional inputs (including other tabular data sets) from the body of the operator,
then emits a tabular data set to the next operator that follows:
entity | operator1 | operator2 | ...
Entities
Entities are objects that can be queried from the client. We currently support the
following entities:
Entity Description
BaseBoard BaseBoard
Battery Battery
BitLocker BitLocker
CcmLog() Lines within 24 hours (by default) from a Ccm Log file
CCMRAX CCM_RAX
Desktop Desktop
DMA DMA
Environment Environment
Firmware Firmware
Keyboard Keyboard
Memory Memory
Modem Modem
Motherboard Motherboard
PhysicalDisk PhysicalDisk
Ports Ports
Processor Processor
Protocol Protocol
Services Services
Shares Shares
TPM TPM
Volume Volume
Table operators
Table operators can be used to filter, summarize, and transform data streams. Currently
the following operators are supported:
Table operator Description
count Returns a table with a single record containing the number of records
distinct Produces a table with the distinct combination of the provided columns of the
input table
join Merge the rows of two tables to form a new table by matching row for the same
device
order by Sort the rows of the input table into order by one or more columns
project Select the columns to include, rename or drop, and insert new computed
columns
Scalar Operators
The following table summarizes the scalar operators:
Operator Description Example
== Equal 1 == 1, 'aBc' == 'AbC'
+ Add 2 + 1, now() + 1d
- Subtract 2 - 1, now() - 1h
* Multiply 2 * 2
/ Divide 2 / 1
% Modulo 2 % 1
like Left-hand side (LHS) contains a match for the right-hand side (RHS) 'abc' like '%B%'
!like LHS doesn't contain a match for RHS 'abc' !like '_d_'
and True if and only if RHS and LHS are true (1 == 1) and (2 == 2)
Aggregation functions
Aggregation functions can be used with the summarize table operator to calculate
summarized values. Currently the following aggregation functions are supported:
Function Description
maxif() Starting in version 2107, you can use maxif with the summarize table operator.
Returns the maximum value across the group for which Predicate evaluates to true.
minif() Starting in version 2107, you can use minif with the summarize table operator.
Returns the minimum value across the group for which Predicate evaluates to true.
percentile() Returns an estimate for the specified nearest-rank percentile of the population
defined by Expr
Scalar functions
Scalar functions can be used in expressions. Currently the following scalar functions are
supported:
Function Description
ago() Subtracts the given timespan from the current UTC clock time
bin() Rounds values down to a number of datetime multiple of a given bin size
case() Evaluates a list of predicates and returns the first result expression whose
predicate is satisfied
iif() Evaluates the first argument and returns the value of either the second or third
arguments depending on whether the predicate evaluated to true (second) or
false (third)
indexof() Function reports the zero-based index of the first occurrence of a specified
string within input string
isnotnull() Evaluates its sole argument and returns a Boolean value indicating if the
argument evaluates to a non-null value
isnull() Evaluates its sole argument and returns a Boolean value indicating if the
argument evaluates to a null value
substring() Extracts a substring from a source string starting from some index to the end of
the string
Important
These items aren't supported when you run CMPivot from Microsoft Intune admin
center.
Entity RegistryKey() Returns all registry keys matching the given expression
(starting in version 2107)
Next steps
To learn more about CMPivot, see Use CMPivot.
CMPivot for real-time data in
Configuration Manager
Article • 10/04/2022
Configuration Manager has always provided a large centralized store of device data,
which customers use for reporting purposes. The site typically collects this data on a
weekly basis. Starting in version 1806, CMPivot is a new in-console utility that now
provides access to real-time state of devices in your environment. It immediately runs a
query on all currently connected devices in the target collection and returns the results.
Then filter and group this data in the tool. By providing real-time data from online
clients, you can more quickly answer business questions, troubleshoot issues, and
respond to security incidents.
Prerequisites
The following components are required to use CMPivot:
Upgrade the target devices to the latest version of the Configuration Manager
client.
CMPivot and the Microsoft Edge installer are currently signed with the Microsoft
Code Signing PCA 2011 certificate. If you set PowerShell execution policy to
AllSigned, then you need to make sure that devices trust this signing certificate.
You can export the certificate from a computer where you've installed the
Configuration Manager console. View the certificate on "C:\Program Files
(x86)\Microsoft Endpoint Manager\AdminConsole\bin\CMPivot.exe" , and then
export the code signing certificate from the certification path. Then import it to the
machine's Trusted Publishers store on managed devices. You can use the process
in the following blog, but make sure to export the code signing certificate from the
certification path: Adding a Certificate to Trusted Publishers using Intune .
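The following script is an added example, not code from the Configuration Manager documentation. It serves two passages at once: the requirement in the Community hub contribution article that a console extension .cab be signed before an administrator approves it for the hierarchy, and the AllSigned prerequisite above, where the code-signing certificate carried by CMPivot.exe is exported from its certification path and imported into the Trusted Publishers store of managed devices. The cmdlets (Get-AuthenticodeSignature, Export-Certificate, Import-Certificate) are standard Windows PowerShell; the file paths, the function names, and the idea of pinning an expected signer thumbprint are this example's own assumptions.

```powershell
# Added example: gate signed Configuration Manager content on its Authenticode
# signature, and publish CMPivot's signer to Trusted Publishers for AllSigned devices.
# Assumptions: C:\Temp\ContosoExtension.cab is a placeholder for a downloaded
# extension, and the expected thumbprint is taken from your own console's CMPivot.exe.

function Test-SignedArtifact {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Optional pin: thumbprint of the leaf code-signing certificate you expect.
        # A cryptographically valid signature from an unexpected signer still fails.
        [string]$ExpectedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $ok  = $sig.Status -eq 'Valid'
    if ($ok -and $ExpectedThumbprint) {
        $ok = $sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint
    }
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer     = $sig.SignerCertificate.Subject
        Issuer     = $sig.SignerCertificate.Issuer
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Trusted    = $ok
    }
}

function Export-CodeSigningCert {
    # Exports the leaf signing certificate of a signed file (the "certification path"
    # step in the prerequisites) as a DER .cer and returns its thumbprint.
    param(
        [Parameter(Mandatory)][string]$SignedFile,
        [Parameter(Mandatory)][string]$OutFile
    )
    $sig = Get-AuthenticodeSignature -FilePath $SignedFile
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to export: signature status of $SignedFile is $($sig.Status)"
    }
    Export-Certificate -Cert $sig.SignerCertificate -FilePath $OutFile -Type CERT | Out-Null
    $sig.SignerCertificate.Thumbprint
}

# 1. Console machine: check a downloaded extension before approving it for the site.
Test-SignedArtifact -Path 'C:\Temp\ContosoExtension.cab' | Format-List

# 2. Console machine: export the certificate that CMPivot.exe is signed with.
$cmpivot = 'C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\CMPivot.exe'
$thumb   = Export-CodeSigningCert -SignedFile $cmpivot -OutFile 'C:\Temp\CMPivotSigner.cer'

# 3. Managed device (run elevated, or deploy the same steps as a script): trust exactly
#    that signer, then confirm CMPivot.exe would pass with the pin applied.
Import-Certificate -FilePath 'C:\Temp\CMPivotSigner.cer' `
    -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null
Test-SignedArtifact -Path $cmpivot -ExpectedThumbprint $thumb | Format-List
```

Trusted Publishers is a broad grant: anything signed by a certificate in that store passes an AllSigned policy, so import the single leaf certificate you exported rather than the issuing CA, and expect to repeat the export when Microsoft rotates the signing certificate. The page notes the current issuer is the Microsoft Code Signing PCA 2011, which is what the Issuer field in the output lets you confirm.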
Permissions
The following permissions are needed for CMPivot:
Read permission on SMS Scripts: The SMS Provider still requires Read permission on
SMS Scripts if the administration service falls back to it due to a 503 (Service
Unavailable) error, as seen in the CMPivot.log.
Limitations
CMPivot only returns data for clients connected to the current site unless it's run
from the central administration site (CAS).
If a collection contains devices from another site, CMPivot results are only from
devices in the current site unless CMPivot is run from the CAS.
In some environments, additional permissions are needed for CMPivot to run on
the CAS. For more information, see CMPivot changes for version 1902.
You can't customize entity properties, columns for results, or actions on devices.
Only one instance of CMPivot can run at the same time on a computer that is
running the Configuration Manager console.
In CMPivot standalone, you're not able to access CMPivot queries stored in the
Community hub.
When single sign on with multifactor authentication is used, you may not be able
to sign into Community hub from CMPivot when using Configuration Manager
2103 and earlier.
Start CMPivot
1. In the Configuration Manager console, connect to the primary site or the CAS. Go
to the Assets and Compliance workspace, and select the Device Collections node.
Select a target collection, and select Start CMPivot in the ribbon to launch the
tool. If you don't see this option, check the following configurations:
Confirm with a site administrator that your account has the required
permissions. For more information, see Prerequisites.
Manually enter query strings at the top, or select the links in the in-line
documentation.
The links for Table Operators, Aggregation Functions, and Scalar Functions
open language reference documentation in the web browser. CMPivot uses
the Kusto Query Language (KQL).
3. Keep the CMPivot window open to view results from clients. When you close the
CMPivot window, the session is complete.
If the query has been sent, then clients still send a state message response to
the server.
2. The pane on the left lists the Entities that are available on clients. Some entities
rely upon WMI while others use PowerShell to get data from clients.
Insert: Add the entity to the query at the current cursor position. The
query doesn't automatically run. This action is the default when you
double-click an entity. Use this action when building a query.
Query all: Run a query for this entity including all properties. Use this
action to quickly query for a single entity.
Query by device: Run a query for this entity and group the results. For
example, Disk | summarize dcount( Device ) by Name
Expand an entity to see specific properties available for each entity. Double-
click a property to add it to the query at the current cursor position.
3. The Home tab shows general information about CMPivot, including links to
sample queries and supporting documentation.
4. The Query tab displays the query pane, results pane, and status bar. The query tab
is selected in the above screenshot example.
5. The query pane is where you build or type a query to run on clients in the
collection.
By default, this pane uses IntelliSense. For example, if you start typing D ,
IntelliSense suggests all of the entities that start with that letter. Select an
option and press Tab to insert it. Type a pipe character and a space | , and
then IntelliSense suggests all of the table operators. Insert summarize and
type a space, and IntelliSense suggests all of the aggregation functions. For
more information on these operators and functions, select the Home tab in
CMPivot.
6. The results pane displays the data returned by active clients for the query.
The available columns vary based upon the entity and the query.
The color saturation of the data in the results table or chart indicates if the
data is live or from the last hardware inventory scan stored in the site
database. For example, black is real-time data from an online client whereas
grey is cached data.
Right-click on any column name to group the results by the same information
in that column, or sort the results.
Run Script: Launch the Run Script wizard to run an existing PowerShell
script on this device. For more information, see Run a script.
Show devices without: Query for devices without this value for this
property. For example, from the results of the OS query, select this option
on a cell in the Version row: OS | summarize countif( (Version ==
'10.0.17134') ) by Device | where (countif_ == 0) | project Device
Select any hyperlinked text to pivot the view on that specific information.
The results pane doesn't show more than 20,000 rows. Either adjust the query
to further filter the data, or restart CMPivot on a smaller collection.
7. The status bar shows the following information (from left to right):
The status of the current query to the target collection. This status includes:
The total number of rows in the results pane. For example, 1 objects
Tip
Starting in version 2107, use the Query devices again button, or Ctrl + F5 to force
the client to retrieve the data again for the query. Using Query devices again is
useful when you expect the data to change on the device since the last query, such
as during troubleshooting. Selecting Run query again after the initial results are
returned only parses the data CMPivot has already retrieved from the client.
Starting in version 2107, you can publish a CMPivot query to the Community hub
directly from the CMPivot window. Submitting your queries directly through CMPivot
makes contributing to the Community hub easier.
You'll need the following requirements for CMPivot and for contributing to the
Community hub:
1. Go to the Assets and Compliance workspace then select the Device Collections
node.
2. Select a target collection, target device, or group of devices then select Start
CMPivot in the ribbon to launch the tool.
3. From the CMPivot window, select the Community hub icon on the menu.
4. Select Sign in, then sign into GitHub.
5. Create a CMPivot query, then select Run Query to verify it functions as expected.
Optionally, select the folder icon to access your favorites list to use a query
you've already created.
6. Select the Publish link at top of CMPivot's Community hub window when you're
ready to submit your query.
7. Give your query a Name and Description, then select the Publish button to send
your query to the Community hub.
8. Once the contribution is complete, you can access your query anytime from the
Me tab.
9. To view the GitHub pull request (PR), go to
https://github.com/Microsoft/configmgr-hub/pulls . You can also access the PR
link from the Your hub page in the Community hub node.
Note
Currently, when you publish a query through CMPivot, you can't edit or delete
it after publishing.
Community hub is only available in CMPivot when you run it from the
Configuration Manager console. Community hub isn't available from
standalone CMPivot.
Service
As results appear, you right-click on the Name column and select Group by.
In the row for the Browser service, you select the hyperlinked number in the dcount_
column.
You multi-select all devices, right-click the selection, and choose Run Script. This action
launches the Run Script wizard, from which you run an existing script you have for
stopping and disabling a service. With CMPivot you quickly respond to the security
incident for all active computers, viewing results in the Run Script wizard. You then
follow up to create a configuration baseline to remediate other computers in the
collection as they become active in the future.
(countif_ > 0)
CMPivot standalone
You can use CMPivot as a standalone app. CMPivot standalone is only available in
English. Run CMPivot outside of the Configuration Manager console to view the real-time state of devices in your environment. This change enables you to use CMPivot on a
device without first installing the console.
You can share the power of CMPivot with other personas, such as helpdesk or security
admins, who don't have the console installed on their computer. These other personas
can use CMPivot to query Configuration Manager alongside the other tools that they
traditionally use. By sharing this rich management data, you can work together to
proactively solve business problems that cross roles.
1. Set up the permissions needed to run CMPivot. For more information, see
prerequisites. You can also use the Security Administrator role if the permissions
are appropriate for the user.
2. Find the CMPivot app installer in the following path: <site install path>\tools\CMPivot\CMPivot.msi. You can run it from that path, or copy it to another location.
3. When you run the CMPivot standalone app, you'll be asked to connect to a site.
Specify the fully qualified domain name or computer name of either the Central
Administration or primary site server.
4. Browse to the collection on which you want to run CMPivot, then run your query.
Note
Right-click actions, such as Run Scripts, Resource Explorer, and web search
aren't available in CMPivot standalone. CMPivot standalone's primary use is
querying independently from the Configuration Manager infrastructure. To
help security administrators, CMPivot standalone does include the ability to
connect to Microsoft Defender Security Center.
You can do local device query evaluation using CMPivot standalone.
Inside CMPivot
CMPivot sends queries to clients using the Configuration Manager "fast channel". This
communication channel from server to client is also used by other features such as client
notification actions, client status, and Endpoint Protection. Clients return results via the
similarly quick state message system. State messages are temporarily stored in the
database. For more information about the ports used for client notification, see the
Ports article.
The queries and the results are all just text. The entities InstallSoftware and Process
return some of the largest result sets. During performance testing, the largest state
message file size from one client for these queries was less than 1 KB. Scaled to a large
environment with 50,000 active clients, this one-time query would generate less than 50
MB of data across the network. All the items on the welcome page that are underlined,
will return less than 1 KB of info per client.
Starting in Configuration Manager 1810, CMPivot can query hardware inventory data,
including extended hardware inventory classes. These new entities (entities not
underlined on the welcome page) may return much larger data sets, depending on how
much data is defined for a given hardware inventory property. For example, the
"InstalledExecutable" entity might return multiple MB of data per client, depending on
the specific data you query on. Be mindful of the performance and scalability on your
systems when returning larger hardware inventory data sets from larger collections
using CMPivot.
A query times out after one hour. For example, a collection has 500 devices, and 450 of
the clients are currently online. Those active devices receive the query and return the
results almost immediately. If you leave the CMPivot window open, as the other 50
clients come online, they also receive the query, and return results.
Log files
CMPivot interactions are logged to the following log files:
Server-side:
SmsProv.log
BgbServer.log
StateSys.log
Client-side:
CcmNotificationAgent.log
Scripts.log
StateMessage.log
Use the following information to learn about changes made to CMPivot between Configuration
Manager versions:
Added maxif and minif aggregators that can be used with the summarize operator
Improvements to query autocomplete suggestions in the query editor
Added a Key value to the Registry entity
Added a new RegistryKey entity that returns all registry keys matching the given expression
To review the difference between the Registry and RegistryKey entities, you can use the following
samples:
Kusto
Registry('hklm:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\*')
RegistryKey('hklm:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\*')
RegistryKey('hklm:\SOFTWARE\Microsoft\SMS\*')
Registry('hklm:\SOFTWARE\Microsoft\SMS\*')
Warning message and export CMPivot data option when results are too large
Access the top queries shared in the Community hub from CMPivot
Your query returned a large number of results. Narrow the results by modifying the query, or
select this banner to export the results.
When more than 128 KB of data is requested to be returned from a given device.
For instance, CcmLog('ciagent', 120d) queries log results and is likely to be over the 128
KB limit.
When the results are over 128 KB, you'll get a warning, but you can't export them since
they won't be returned from the client to the server.
Note
These queries are available when you run CMPivot from the Configuration Manager console.
They're not yet available from standalone CMPivot.
Prerequisites:
Meet all of the CMPivot prerequisites and permissions
Enable Community hub. You don't need a GitHub account to download content.
Verify which content categories are displayed for community hub
Install the Microsoft Edge WebView2 extension from the Configuration Manager console
notification
1. Go to the Assets and Compliance workspace then select the Device Collections node.
2. Select a target collection, target device, or group of devices then select Start CMPivot in the
ribbon to launch the tool.
5. Select one of the top queries to load it into the query pane.
7. Optionally, select the folder icon to access your favorites list. Add the original query or your
edited version to your favorites list to run later. Select the community hub icon to search for
another query.
8. Keep the CMPivot window open to view results from clients. When you close the CMPivot
window, the session is complete. If the query has been sent, then clients still send a state
message response to the server.
CMPivot changes for version 2006
Starting in version 2006, the following improvements have been made for CMPivot:
CMPivot standalone and CMPivot launched from the admin console have converged. When
you launch CMPivot from the admin console, it uses the same underlying technology as
CMPivot standalone to give you scenario parity.
You can run CMPivot from an individual device or multiple devices from the devices node
without needing to select a device collection. This improvement makes it easier for people,
such as those working as the Helpdesk persona, to create CMPivot queries for specific
devices outside a pre-created collection.
Select an individual device or multi-select devices in a device collection, then select
Start CMPivot.
Upon returning devices within a query list view, you can select Device Pivot on one or more
devices and then pivot and query on just those devices to drill in further. This change allows
you to drill in without querying the larger set of devices from the original collection. Device
Pivot replaced Pivot to.
Within an existing CMPivot operation, select an individual device or multi-select devices
from the output. Right-click and pivot using the Device Pivot option. This action launches
a separate CMPivot instance scoped to just the devices you selected. This makes it easier
to pivot and just query on devices desired without needing to create a collection for
them.
When you run CMPivot for an individual device, the device name is listed at the top of the
window. For multiple devices, the number of devices selected is listed at the top of the
window.
The Create Collection option in the Query Summary tab was removed since CMPivot no
longer requires querying against a collection. Perform a Device Pivot to open a new instance
of CMPivot scoped to just the devices you want to query on. Create Collection is still
available on the main menu.
CMPivot changes for version 2002
We've made it easier to navigate CMPivot entities. Starting in Configuration Manager version
2002, you can search CMPivot entities. New icons have also been added to easily differentiate the
entities and the entity object types.
Examples
The CMPivot optimizations drastically reduce the network and server CPU load needed to run
CMPivot queries. With these optimizations, we can now sift through gigabytes of client data in
real time. The following queries illustrate these optimizations:
Search all event logs on all clients in your enterprise for authentication failures.
Kusto
EventLog('Security')
Kusto
Device
| where SHA256Hash ==
'A92056D772260B39A876D01552496B2F8B4610A0B1E084952FE1176784E2CE77')
WinEvent(<logname>,[<timespan>])
This entity is used to get events from event logs and event tracing log files. The entity gets data
from event logs that are generated by the Windows Event Log technology. The entity also gets
events in log files generated by Event Tracing for Windows (ETW). WinEvent looks at events that
have occurred within the last 24 hours by default. However, the 24-hour default can be overridden
by including a timespan.
Kusto
WinEvent('Microsoft-Windows-HelloForBusiness/Operational', 1d)
FileContent(<filename>)
FileContent is used to get the contents of a text file.
Kusto
FileContent('c:\\windows\\SMSCFG.ini')
ProcessModule(<processname>)
This entity is used to enumerate the modules (dlls) loaded by a given process. ProcessModule is
useful when hunting for malware that hides in legitimate processes.
Kusto
ProcessModule('powershell')
AadStatus
This entity can be used to get the current Azure Active Directory identity information from a
device.
Kusto
AadStatus
| render piechart
EPStatus
EPStatus is used to get the status of antimalware software installed on the computer.
Kusto
EPStatus
| order by QuickScanAge
| render barchart
Other enhancements
You can do regular expression type queries using the new like operator. For example:
Kusto
// Find BIOS Manufacturer that contains any word like Micro, such as Microsoft
Bios
We've updated the CcmLog() and EventLog() entities to only look at messages in the last 24
hours by default. This behavior can be overridden by passing in an optional timespan. For
example, the following query will look at events in the last 1 hour:
Kusto
CcmLog('Scripts',1h)
The File() entity has been updated to collect information about Hidden and System files, and
include the MD5 hash. While an MD5 hash isn't as accurate as the SHA256 hash, it tends to
be the commonly reported hash in most malware bulletins.
You can add comments in queries. This behavior is useful when sharing queries. For example:
Kusto
Device
| top 10 by UserName
CMPivot automatically connects to the last site. After you start CMPivot, you can connect to
a new site if necessary.
From the Export menu, select the new option to Query link to clipboard. This action copies
a link to the clipboard that you can share with others. For example:
cmpivot:Ly8gU2FtcGxlIHF1ZXJ5DQpPcGVyYXRpbmdTeXN0ZW0NCnwgc3VtbWFyaXplIGNvdW50KCkgYnkgQ2FwdGlvbg0KfCBvcmRlciBieSBjb3VudF8gYXNjDQp8IHJlbmRlciBiYXJjaGFydA==
Decoded, the link contains the following query:
Kusto
// Sample query
OperatingSystem
| summarize count() by Caption
| order by count_ asc
| render barchart
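A share link is the query text itself, base64-encoded, so a recipient can inspect exactly what will run before pasting it into CMPivot. The Python helper below is an added example, not part of the Configuration Manager docs or product: it decodes a cmpivot: link back to plain KQL, rebuilds a link from a query, and lists the pipeline stages for review. It assumes the payload is standard base64 of UTF-8 text with CRLF line breaks, which is what the page's sample link contains.

```python
import base64
import binascii

SCHEME = "cmpivot:"

# The share link shown on this page, copied here as sample input.
SAMPLE_LINK = (
    "cmpivot:Ly8gU2FtcGxlIHF1ZXJ5DQpPcGVyYXRpbmdTeXN0ZW0NCnwgc3VtbWFyaXplIGNvdW50KCkgYnkgQ2F"
    "wdGlvbg0KfCBvcmRlciBieSBjb3VudF8gYXNjDQp8IHJlbmRlciBiYXJjaGFydA=="
)


def decode_share_link(link):
    """Return the KQL text inside a cmpivot: share link, with LF line endings.

    Assumption (taken from the sample link, not from product documentation):
    the payload is standard base64 of UTF-8 text that uses CRLF line breaks.
    """
    link = link.strip()
    if not link.lower().startswith(SCHEME):
        raise ValueError("not a cmpivot: share link")
    try:
        raw = base64.b64decode(link[len(SCHEME):], validate=True)
    except binascii.Error as exc:
        raise ValueError("share link payload is not valid base64") from exc
    return raw.decode("utf-8").replace("\r\n", "\n")


def encode_share_link(query):
    """Build a share link from KQL text; the inverse of decode_share_link."""
    text = query.replace("\r\n", "\n").replace("\n", "\r\n")
    return SCHEME + base64.b64encode(text.encode("utf-8")).decode("ascii")


def pipeline_stages(link):
    """List the query's pipeline stages (comments and blank lines dropped), so a
    recipient can see which entity is read and what the query does with it."""
    return [ln.strip() for ln in decode_share_link(link).split("\n")
            if ln.strip() and not ln.lstrip().startswith("//")]


if __name__ == "__main__":
    print(decode_share_link(SAMPLE_LINK))
```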
Tip
In query results, if the device is enrolled in Microsoft Defender for Endpoint, right-click the
device to launch the Microsoft Defender Security Center online portal.
Table operators
join Merge the rows of two tables to form a new table by matching row for the same device
The render operator already exists in CMPivot. Support for multiple series and the with statement
were added. For more information, see the examples section and Kusto's join operator article.
Scalar operators
Operator  Description  Example
+         Add          2 + 1, now() + 1d
-         Subtract     2 - 1, now() - 1d
*         Multiply     2 * 2
/         Divide       2 / 1
%         Modulo       2 % 1
Aggregation functions
Function Description
percentile() Returns an estimate for the specified nearest-rank percentile of the population defined by Expr
Function Description
case() Evaluates a list of predicates and returns the first result expression whose predicate is satisfied
iff() Evaluates the first argument and returns the value of either the second or third argument depending on whether the predicate evaluated to true (second) or false (third)
indexof() Reports the zero-based index of the first occurrence of a specified string within the input string
substring() Extracts a substring from a source string starting from some index to the end of the string
Examples
Kusto
ComputerSystem
Kusto
SystemBootData
Note
CMPivot standalone
You can use CMPivot as a standalone app. CMPivot standalone is only available in English. Run
CMPivot outside of the Configuration Manager console to view the real-time state of devices in
your environment. This change enables you to use CMPivot on a device without first installing the
console.
You can share the power of CMPivot with other personas, such as helpdesk or security admins,
who don't have the console installed on their computer. These other personas can use CMPivot to
query Configuration Manager alongside the other tools that they traditionally use. By sharing this
rich management data, you can work together to proactively solve business problems that cross
roles.
2. Find the CMPivot app installer in the following path: <site install path>\tools\CMPivot\CMPivot.msi. You can run it from that path, or copy it to another location.
3. When you run the CMPivot standalone app, you'll be asked to connect to a site. Specify the
fully qualified domain name or computer name of either the Central Administration or
primary site server.
Each time you open CMPivot standalone you'll be prompted to connect to a site server.
4. Browse to the collection on which you want to run CMPivot, then run your query.
Note
Right-click actions, such as Run Scripts, Resource Explorer, and web search aren't
available in CMPivot standalone. CMPivot standalone's primary use is querying
independently from the Configuration Manager infrastructure. To help security
administrators, CMPivot standalone does include the ability to connect to Microsoft
Defender Security Center.
You can do local device query evaluation using CMPivot standalone.
Running CMPivot on the CAS will require additional permissions when SQL Server or the SMS
Provider aren't on the same machine or in the case of SQL Server Always On availability group
configuration. With these remote configurations, you have a "double hop scenario" for CMPivot.
To get CMPivot to work on the CAS in such a "double hop scenario", you can define constrained
delegation. To understand the security implications of this configuration, read the Kerberos
constrained delegation article. Kerberos needs to work through all of the hops between the
machines. If you have more than one remote configuration such as SQL Server or SMS Provider
being colocated with the CAS or not, or multiple trusted forests, you may require a combination
of permission settings. Below are the steps that you may need to take:
CAS has a remote SQL Server
1. Go to each primary site's SQL Server.
a. Add the CAS remote SQL Server and the CAS site server to the Configmgr_DviewAccess
group.
On the Query Summary tab, select the count of Failed or Offline devices, and then select the
option to Create Collection. This option makes it easy to target those devices with a
remediation deployment.
This option was removed in version 2006 since CMPivot no longer requires querying
against a collection.
Save Favorite queries by clicking the folder icon.
Clients updated to the 1810 version return output less than 80 KB to the site over a fast
communication channel.
This change increases the performance of viewing script or query output.
If the script or query output is greater than 80 KB, the client sends the data via a state
message.
If the client isn't updated to the 1810 client version, it continues to use state messages.
You may see the following error when you start CMPivot:
You can't use CMPivot right now
due to an incompatible script version. This issue may be because the hierarchy is in the
process of upgrading a site. Wait until the upgrade is complete and then try again.
If you see this message, it could mean:
The security scope isn't set up properly.
There are issues with Upgrade in the process.
The underlying CMPivot script is incompatible.
Scalar functions
CMPivot supports the following scalar functions:
ago(): Subtracts the given timespan from the current UTC clock time
datetime_diff(): Calculates the calendar difference between two datetime values
now(): Returns the current UTC clock time
bin(): Rounds values down to an integer multiple of a given bin size
Note
The datetime data type represents an instant in time, typically expressed as a date and time
of day. Time values are measured in 1-second units. A datetime value is always in the UTC
time zone. Always express date time literals in ISO 8601 format, for example, yyyy-mm-dd
HH:MM:ss
Examples
Rendering visualizations
CMPivot now includes basic support for the KQL render operator. This support includes the
following types:
barchart: First column is x-axis, and can be text, datetime or numeric. The second column
must be numeric and is displayed as a horizontal strip.
columnchart: Like barchart, with vertical strips instead of horizontal strips.
piechart: First column is color-axis, second column is numeric.
timechart: Line graph. First column is x-axis, and should be datetime. Second column is y-axis.
The following query renders the most recently used applications as a bar chart:
Kusto
CCMRecentlyUsedApplications
| top 10 by dcount_
| render barchart
Kusto
OperatingSystem
| render timechart
Kusto
OperatingSystem
| render piechart
Hardware inventory
Use CMPivot to query any hardware inventory class. These classes include any custom extensions
you make to hardware inventory. CMPivot immediately returns cached results from the last
hardware inventory scan stored in the site database. At the same time, it updates the results if
necessary with live data from any online clients.
The color saturation of the data in the results table or chart indicates if the data is live or cached.
For example, dark blue is real-time data from an online client. Light blue is cached data.
Example
Kusto
LogicalDisk
| render columnchart
Limitations
Scalar operators
CMPivot includes the following scalar operators:
Note
!like LHS doesn't contain a match for RHS "Fabrikam" !like "%xyz%"
Query summary
Select the Query Summary tab at the bottom of the CMPivot window. This status helps you
identify clients that are offline, or troubleshoot errors that may occur. Select a value in the Count
column to open a list of specific devices with that status.
For example, select the count of devices with a Failure status. See the specific error message, and
export a list of these devices. If the error is that a specific cmdlet isn't recognized, create a
collection from the exported device list to deploy a Windows PowerShell update.
MessageId 40805: User <UserName> ran script <Script-Guid> with hash <Script-Hash> on
collection <Collection-ID>.
Below are a few common query needs and how CMPivot can be used to meet them.
CMPivot uses a subset of the Kusto Query Language (KQL).
Operating system
Gets operating system information.
Kusto
OperatingSystem
Kusto
CCMRecentlyUsedApplications
Kusto
OperatingSystem
LogicalDisk
Device information
Show device, manufacturer, model, and OSVersion:
Kusto
ComputerSystem
Kusto
SystemBootData
Authentication failures
Search the event logs for authentication failures.
Kusto
EventLog('Security')
ProcessModule(<processname>)
Enumerates all the modules (dlls) loaded by a given process. ProcessModule is useful
when hunting for malware that hides in legitimate processes.
Kusto
ProcessModule('powershell')
Kusto
EPStatus
Bios
// Find BIOS Manufacturer that contains any word like Micro, such as Microsoft
Kusto
Device
| where SHA256Hash ==
'A92056D772260B39A876D01552496B2F8B4610A0B1E084952FE1176784E2CE77')
Kusto
CcmLog('Scripts',1h)
Kusto
Registry('hklm:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\*')
RegistryKey('hklm:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\*')
RegistryKey('hklm:\SOFTWARE\Microsoft\SMS\*')
Registry('hklm:\SOFTWARE\Microsoft\SMS\*')
Next steps
To learn more about CMPivot, see Use CMPivot.
Troubleshoot CMPivot
Article • 10/04/2022
CMPivot is a tool that provides access to a real-time state of the devices in your
environment. CMPivot runs a query on all currently connected devices in the target
collection and returns the results.
Occasionally, you might need to troubleshoot CMPivot. For example, if a state message
from a client to CMPivot gets corrupted, the site server can't process the message. This
article helps you understand the flow of information for CMPivot.
When you run CMPivot from CAS, it uses the high-speed message subscription channel
to communicate with the primary site. CMPivot doesn't use standard SQL Server
replication between sites. If your SQL Server instance or your SMS provider is remote, or
if you use a SQL Server Always On availability group, you'll have a "double hop scenario"
for CMPivot. For information on how to define constrained delegation for a "double hop
scenario", see CMPivot starting in version 1902.
Important
default installation directory or offloaded items like the SMS Provider to another server.
If you run CMPivot from the CAS, the logs are on the primary site server.
Look in smsprov.log for these lines:
Find the TaskID from the ClientAction table. The TaskID corresponds to the UniqueID in
the ClientAction table.
SQL
In BgbServer.log , look for the TaskID you gathered from SQL Server and note the
PushID . The TaskID is labeled TaskGUID . For example:
Client logs
After you have the information from the site server, check the client logs. By default, the
client logs are located in C:\Windows\CCM\Logs .
In CcmNotificationAgent.log , look for log entries that look like the following lines:
Check Scripts.log for the TaskID. In the following example, you see Task ID {9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0}:
Note
If you don't see "(fast)" in the Scripts.log , then the data is likely over 80 KB. In this
case, the information is sent to the site server as a state message. Use client's
StateMessage.log and the site server's Statesys.log .
Review messages on the site server
When verbose logging is enabled on the management point, you can see how incoming
client messages are handled. In MP_RelayMsgMgr.log , look for the TaskID .
MessageKey: GUID:83F67728-2E6D-4E4F-8075-ED035C31B783{9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0}
Tip
If you get an exception during processing, you can review it by running the
following SQL query and looking at the Exception column. After the message is
processed, it will no longer be in the MPE_RequestMessages_Instant table.
SQL
In BgbServer.log , look for the PushID to see the number of clients that reported or
failed.
Check the monitoring view for CMPivot from SQL Server by using the TaskID .
SQL
SQL
In BgbServer.log , look for the TaskID you gathered from SQL. It's labeled TaskGUID . For
example:
Starting to send push task (PushID: 260 TaskID: 258 TaskGUID: F8C7C37F-B42B-4C0A-B050-2BB44DF1098A TaskType: 15
Client logs
After you have the information from the site server, check the client logs. By default, the
client logs are located in C:\Windows\CCM\Logs .
In CcmNotificationAgent.log , look for logs that are similar to the following entry:
Look in Scripts.log for the TaskID. In the following example, we see Task ID {F8C7C37F-B42B-4C0A-B050-2BB44DF1098A}:
Look in StateMessage.log . In the following example, you see that TaskID is near the
bottom of the message next to <Param> :
XML
<Report><ReportHeader><Identification><Machine>
<ClientInstalled>1</ClientInstalled><ClientType>1</ClientType>
<ClientID>GUID:DBAC52C9-57E6-47D7-A8D6-E0A5A64B57E6</ClientID>
<ClientVersion>5.00.8670.1000</ClientVersion>
<NetBIOSName>R613924</NetBIOSName><CodePage>437</CodePage>
<SystemDefaultLCID>1033</SystemDefaultLCID><Priority>0</Priority></Machine>
</Identification>
<Date>20180703184447.673000+000</Date><Version>1.0</Version>
<Format>1.0</Format>
</ReportDetails></ReportHeader><ReportBody><StateMessage
MessageTime="20180703184447.517000+000"><Topic ID="7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14" Type="9003" IDType="0" User="" UserSID=""/><State ID="1" Criticality="0"/>
<StateDetails Type="1"><![CDATA["PAA/AHgAbQBsACAAdgBlAHIAcwBpAG8AbgA9ACIAMQAuADAAIgAgAGUAbgBjAG8AZABp... (encoded payload truncated)"]]>
</StateDetails><UserParameters Flags="0" Count="2">
<Param>{F8C7C37F-B42B-4C0A-B050-2BB44DF1098A}</Param><Param>0</Param>
</UserParameters></StateMessage></ReportBody></Report>
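To follow one query through the logs the article names, the Python helper below (an added example, not a tool shipped with Configuration Manager) pulls the PushID and TaskGUID from a BgbServer.log push entry, checks Scripts.log for the same GUID and the "(fast)" marker, reads the TaskGUID from the state message's first <Param>, and names the next log to open, using the 80 KB fast-channel limit stated above. The log lines are constructed for the demo (only the GUIDs, PushID and TaskID are the page's values), and the regular expressions assume the line formats quoted above.

```python
import re
import xml.etree.ElementTree as ET

# The page states that 1810+ clients return output of 80 KB or less over the
# fast channel and fall back to a state message above that size.
FAST_CHANNEL_LIMIT_BYTES = 80 * 1024

# Constructed sample log data. The GUIDs, PushID and TaskID are the values the
# troubleshooting steps quote; the surrounding text is made up for the demo.
BGBSERVER_LINE = (
    "Starting to send push task (PushID: 260 TaskID: 258 "
    "TaskGUID: F8C7C37F-B42B-4C0A-B050-2BB44DF1098A TaskType: 15"
)
SCRIPTS_LINES = [
    "Task ID {F8C7C37F-B42B-4C0A-B050-2BB44DF1098A} finished, output 96512 bytes",        # constructed
    "Task ID {9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0} finished, output 1843 bytes (fast)",  # constructed
]
STATE_MESSAGE_XML = (  # constructed, trimmed to the elements the page points at
    '<Report><ReportBody><StateMessage MessageTime="20180703184447.517000+000">'
    '<Topic ID="7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14" Type="9003" IDType="0"/>'
    '<UserParameters Flags="0" Count="2">'
    "<Param>{F8C7C37F-B42B-4C0A-B050-2BB44DF1098A}</Param><Param>0</Param>"
    "</UserParameters></StateMessage></ReportBody></Report>"
)

GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
PUSH_RE = re.compile(rf"PushID:\s*(\d+)\s+TaskID:\s*(\d+)\s+TaskGUID:\s*({GUID})")
SCRIPT_RE = re.compile(rf"Task ID \{{({GUID})\}}")


def parse_push_task(line):
    """Pull PushID, TaskID and TaskGUID out of a BgbServer.log push entry, or None."""
    m = PUSH_RE.search(line)
    if not m:
        return None
    return {"push_id": int(m.group(1)), "task_id": int(m.group(2)),
            "task_guid": m.group(3).upper()}


def scripts_task_entries(lines):
    """Map each TaskGUID seen in Scripts.log to whether its result used the fast channel."""
    seen = {}
    for line in lines:
        m = SCRIPT_RE.search(line)
        if m:
            seen[m.group(1).upper()] = "(fast)" in line
    return seen


def state_message_task_guid(xml_text):
    """Return the TaskGUID carried in the first <Param> of a CMPivot state message."""
    root = ET.fromstring(xml_text)
    param = root.find(".//UserParameters/Param")
    if param is None or not param.text:
        return None
    return param.text.strip("{}").upper()


def expected_channel(output_bytes):
    """Which path the page says a 1810+ client uses for a result of this size."""
    return "fast" if output_bytes <= FAST_CHANNEL_LIMIT_BYTES else "state message"


def correlate(task_guid, bgb_line, scripts_lines, state_xml):
    """Trace one TaskGUID through server and client logs and name the next log to read."""
    guid = task_guid.upper()
    push = parse_push_task(bgb_line)
    pushed = push is not None and push["task_guid"] == guid
    scripts = scripts_task_entries(scripts_lines)
    client_ran = guid in scripts
    fast = scripts.get(guid)
    state_seen = state_xml is not None and state_message_task_guid(state_xml) == guid
    if not pushed:
        next_check = "BgbServer.log: no push task for this TaskGUID"
    elif not client_ran:
        next_check = "client CcmNotificationAgent.log and Scripts.log"
    elif fast:
        next_check = "MP_RelayMsgMgr.log on the management point"
    elif state_seen:
        next_check = "StateSys.log on the site server"
    else:
        next_check = "inboxes\\auth\\statesys.box (Incoming, Corrupted, Process)"
    return {"task_guid": guid, "pushed": pushed,
            "push_id": push["push_id"] if pushed else None,
            "client_ran": client_ran, "fast": fast,
            "state_message_seen": state_seen, "next_check": next_check}


if __name__ == "__main__":
    print(correlate("F8C7C37F-B42B-4C0A-B050-2BB44DF1098A",
                    BGBSERVER_LINE, SCRIPTS_LINES, STATE_MESSAGE_XML))
```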
If the message hasn't been processed, check the state message inbox. The default inbox location is C:\Program Files\Microsoft Configuration Manager\inboxes\auth\statesys.box\. Look for the files in these locations:
Incoming
Corrupted
Process
Check the monitoring view for CMPivot via the following SQL query using the TaskID :
SQL
Note
For clients that are using version 1810 or higher, state messaging isn't used unless
the output is larger than 80 KB. When troubleshooting CMPivot in these cases, you
can get more information when you enable verbose logging on your MPs and the
site server's SMS_MESSAGE_PROCESSING_ENGINE. For information on how to
enable verbose logging, see Site server logging options.
MP_Relay.log
SMS_MESSAGE_PROCESSING_ENGINE.log
Next steps
Using CMPivot
Create and run PowerShell scripts
Maintenance tasks for Configuration Manager
Article • 10/04/2022
To set up alerts and use the status system to monitor the health of Configuration
Manager, see Use the status system and Configure alerts.
Maintenance tasks
Regular maintenance is important to ensure correct site operations. Keep a maintenance
log to document maintenance dates, who did maintenance, and any maintenance-related comments about the tasks. To maintain your site, consider daily or weekly
maintenance. Some tasks might require a different schedule. Common maintenance can
include both the built-in maintenance tasks and other tasks like account maintenance to
maintain compliance with your company policies.
Use the following information as a guide to help you plan when to do different
maintenance tasks. Use these lists as a starting point, and add tasks that you might
require.
Daily Tasks
The following are maintenance tasks that you might consider for on a daily schedule:
Check that predefined maintenance tasks that are scheduled to run daily are
running successfully.
Check the operating system event logs from the site systems.
Check the SQL Server error log from the site database computer.
Weekly Tasks
The following are maintenance tasks that you might consider for a weekly schedule:
Check that predefined maintenance tasks that are scheduled to run weekly are
running successfully.
Back up application, security, and system event logs and clear them.
Check the site database size and verify there's enough available disk space on the
site database server so that the site database can grow.
Do SQL Server database maintenance on the site database according to your SQL
Server maintenance plan.
Periodic Tasks
Some tasks that don't require daily or weekly maintenance are important to ensure
overall site health. These tasks also ensure that security and disaster recovery plans are
up-to-date. The following are maintenance tasks that you might consider for a more
periodic schedule than the daily or weekly tasks:
Change accounts and passwords, if it's necessary, according to your security plan.
Review the maintenance plan to check that scheduled maintenance tasks are
scheduled correctly and effectively depending on configured site settings.
Review the Configuration Manager hierarchy design for any required changes.
Check network performance to ensure that changes haven't been made that affect
site operations.
Check that Active Directory settings that affect site operations haven't changed.
For example, check that subnets that are assigned to Active Directory sites and that
are used as boundaries for Configuration Manager site haven't changed.
Do a site recovery according to the disaster recovery plan in a test lab by using a
backup copy of the most recent backup that the Backup Site Server maintenance
task created.
Configuration Manager provides predefined maintenance tasks that you can use to
maintain the health of the Configuration Manager database. Not all maintenance tasks
are available at each site, by default. Several tasks are enabled while some aren't, and all
support a schedule that you can set up.
Most maintenance tasks periodically remove out-of-date data from the Configuration
Manager database. Reducing the size of the database by removing unnecessary data
improves the performance and the integrity of the database, which increases the
efficiency of the site and hierarchy. Other tasks, like Rebuild Indexes, help maintain the
database efficiency. Other tasks, like the Backup Site Server task, help you prepare for
disaster recovery.
Important
When you plan the schedule of any task that deletes data, consider the use of that
data across the hierarchy. When a task that deletes data runs at a site, the
information is removed from the Configuration Manager database, and this change
replicates to all sites in the hierarchy. This deletion can affect other tasks that rely
on that data. For example, at the central administration site, you might set up
Discovery to run one time per month to identify non-client computers. You plan to
install the Configuration Manager client to these computers within two weeks of
their discovery. However, at one site in the hierarchy, an admin sets up the Delete
Aged Discovery Data task to run every seven days. The result is that seven days
after non-client computers are discovered, they are deleted from the Configuration
Manager database. Back at the central administration site, you prepare to push
install the Configuration Manager client to these new computers on day 10.
However, because the Delete Aged Discovery Data task has recently run and
deleted data that's seven days or older, the recently discovered computers are no
longer available in the database.
After you install a Configuration Manager site, review the available maintenance tasks
and enable those tasks that your operations require. Review the default schedule of
each task, and when necessary, set up the schedule to fine-tune the maintenance task to
fit your hierarchy and environment. Although the default schedule of each task should
suit most environments, monitor the performance of your sites and database and expect
to fine-tune tasks to increase your deployment's efficiency. Plan to periodically review
the site and database performance and reconfigure maintenance tasks and their
schedules to maintain that efficiency.
Only the maintenance tasks that you can set up at a site are displayed in the
Configuration Manager console. For a complete list of maintenance tasks by site type,
see Reference for maintenance tasks for Configuration Manager.
Use the following procedure to help you set up the common settings of maintenance
tasks.
If the state change during a reindex is problematic for your monitoring, each replication
link has a set of thresholds that can be modified to adjust when the link goes into a
degraded state or when it goes into a failed state. Replication links contain multiple
replication groups, which are broken up into two types: global data and site data. Global
data attempts to sync every minute and site data syncs every five minutes. By
default, the link changes to degraded when the threshold of 12 failures is reached then
changes to the failed state at 24. To set these thresholds, select the link under the
Database Replication node then select Link Properties. In the Alerts tab, there are
thresholds for setting the link to degraded or failed. By default these values are set to 12
and 24 respectively.
Next steps
Reference for maintenance tasks
Reference for maintenance tasks in
Configuration Manager
Article • 10/04/2022
This article lists the details for each of the Configuration Manager site maintenance
tasks. Each entry specifies the site types where the task is available, and whether it's
enabled by default.
Tasks
Tip
You may also see this task in the console named Clear Install Flag.
Use this task to remove the installed flag for clients that don't submit a Heartbeat
Discovery record during the Client Rediscovery period. The installed flag prevents
automatic client push installation to a computer that might have an active Configuration
Manager client. The default value is 21 days.
Important
Make sure this value is greater than the interval for Heartbeat discovery, which by
default is seven days. Otherwise, clients will unnecessarily reinstall.
Aged or expired client notifications, like download requests for machine or user
policy
Endpoint Protection, like requests by an administrative user for clients to run a
scan or download updated definitions
Run Scripts status results
Heartbeat discovery
Network discovery
Active Directory discovery methods: System, User, and Group
This task also removes aged devices marked as decommissioned. When this task runs at
a site, data associated with that site is deleted, and those changes replicate to other
sites. For more information, see Run discovery.
This task applies to devices that are enrolled with Configuration Manager on-premises
MDM. For more information on these devices, see Supported operating systems for
clients and devices.
Tip
You may also see this task in the console named Delete Aged Devices
Managed by the Exchange Server Connector.
Use this task to delete aged data about mobile devices managed by the Exchange
Server connector. The site deletes this data according to the Ignore mobile devices that
are inactive for more than (days) setting on the Discovery tab of the Exchange Server
connector properties. For more information, see Manage mobile devices with
Configuration Manager and Exchange.
Important
By default, this task runs daily at each site. At a central administration site and
primary sites, the task deletes data that's older than 30 days. When you use SQL
Server Express at a secondary site, make sure that this task runs daily and deletes
data that's inactive for seven days.
This task operates only on resources that are Configuration Manager clients. It's
different than the Delete Aged Discovery Data task, which deletes any aged discovery
data record. When this task runs at a site, it removes the data from the database at all
sites in a hierarchy. For more information, see How to configure client status.
Important
When it's enabled, configure this task to run at an interval greater than the
Heartbeat Discovery schedule. This configuration enables active clients to send a
Heartbeat Discovery record to mark their client record as active so this task doesn't
delete them.
Important
When it's enabled, configure this task to run at an interval greater than the
Heartbeat Discovery schedule. This configuration enables the client to send a
Heartbeat Discovery record that correctly sets the obsolete status.
Monitor Keys
Use this task to monitor the integrity of the Configuration Manager database primary
keys. A primary key is a column or a combination of columns that uniquely identifies
one row. The key distinguishes the row from any other row in a Microsoft SQL Server
database table.
Rebuild Indexes
Use this task to rebuild the Configuration Manager database indexes. An index is a
database structure that's created on a database table to speed up data retrieval. For
example, searching an indexed column is often much faster than searching a column
that isn't indexed.
To summarize software metering data and to conserve disk space in the database, use
this task with the Summarize Software Metering Monthly Usage Data task. For more
information, see Software metering.
To summarize software metering data and to conserve space in the database, use this
task with the Summarize Software Metering File Usage Data task. For more
information, see Software metering.
These mappings are stored in a table for quick reference. When a collections
membership changes, the site updates these stored mappings to reflect those changes.
However, it's possible for these mappings to fall out of sync. For example, if the site fails
to properly process a notification file, that change might not be reflected in a change to
the mappings. This task refreshes that mapping based on current collection
membership.
After you install one or more sites, you might have need to modify configurations or
take actions that affect your infrastructure.
Add an additional instance of the SMS provider. Each additional instance of the
SMS provider must be on a separate computer.
Remove an instance of the SMS provider. To remove the last SMS provider for a
site, you must uninstall the site.
Before you modify the SMS provider at a site, see Plan for the SMS provider.
2. On the Getting Started page, select Perform site maintenance or reset this site.
4. On the Manage SMS providers page, select one of the following options:
Add a new SMS provider: Specify the FQDN for a computer to host the SMS
provider that doesn't currently host it.
Uninstall the specified SMS provider: Select the name of the computer from
which you want to remove the SMS provider.
Tip
To move the SMS provider between two computers, first install it to the new
computer. Then remove it from the original location. There's no option to
move the SMS provider between computers.
After the setup wizard finishes, the SMS provider configuration is complete. In the site
Properties, on the General tab, verify the computers that have an SMS provider installed
for a site.
To modify the language that displays in the Configuration Manager console, see
the Manage Configuration Manager console language section.
To configure DCOM permissions to enable consoles that are remote from the site
server, see the Configure DCOM permissions for remote Configuration Manager
consoles section.
To modify administrative permissions to limit what users can see and do in the
console, see Modify the administrative scope of an administrative user.
When you start the Configuration Manager console installation from this folder on
the site server, it copies the Configuration Manager console and supported
language pack files to the computer.
When a language pack is available for the current language setting on the
computer, the Configuration Manager console opens in that language.
If the associated language pack isn't available for the Configuration Manager
console, the console opens in English (United States).
For example, you install the Configuration Manager console from a site server that
supports English, German, and French. If you open the Configuration Manager console
on a computer with a configured language setting of French, the console opens in
French. If you open the Configuration Manager console on a computer with a
configured language of Japanese, the console opens in English because the Japanese
language pack isn't available.
When you want to open the Configuration Manager console in English regardless of the
configured language settings on the computer, remove or rename the language pack
files on the computer.
Use the following procedures to start the Configuration Manager console in English
regardless of the configured locale setting on the computer.
2. Rename the .msp and .mst files. For example, you could change <file name>.MSP
to <file name>.MSP.disabled.
Important
When new server languages are configured for the site server, the .msp and
.mst files are recopied to the LanguagePack folder, and you must repeat this
procedure to install new Configuration Manager consoles in only English.
Temporarily disable a console language on an existing
Configuration Manager console installation
1. On the computer that is running the Configuration Manager console, close the
Configuration Manager console.
3. Rename the appropriate language folder for the language that is configured on
the computer. For example, if the language settings for the computer were set for
German, you could rename the de folder to de.disabled.
4. To open the Configuration Manager console in the language that is configured for
the computer, rename the folder to the original name. For example, rename
de.disabled to de.
The security group named SMS Admins grants access to the SMS provider on a
computer, and can also be used to grant the required DCOM permissions. This group is
local to the computer when the SMS provider runs on a member server. It's a domain
local group when the SMS provider runs on a domain controller.
Important
The Configuration Manager console uses WMI to connect to the SMS provider, and
WMI internally uses DCOM. If the Configuration Manager console runs on a
computer other than the SMS provider computer, it requires permissions to
activate a DCOM server on the SMS provider computer. By default, Remote
Activation is granted only to the members of the built-in Administrators group.
If you allow the SMS Admins group to have Remote Activation permission, a
member of this group could attempt DCOM attacks against the SMS provider
computer. This configuration also increases the attack surface of the computer. To
mitigate this threat, carefully monitor the membership of the SMS Admins group.
Use the following procedure to configure each central administration site (CAS), primary
site server, and each computer where the SMS provider is installed to grant remote
Configuration Manager console access for administrative users.
3. In the My Computer Properties window, switch to the COM Security tab. In the
Launch and Activation Permissions section, select Edit Limits.
5. In the Select Users, Computers, Service Accounts, or Groups window, in the Enter
the object names to select field, type SMS Admins , and then select OK.
Tip
To locate the SMS Admins group, you might have to change the setting: From
this Location. This group is local to the computer when the SMS provider runs
on a member server, and is a domain local group when the SMS provider runs
on a domain controller.
6. In the Permissions for SMS Admins section, to allow remote activation, select the
Allow column for the Remote Activation row.
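The monitoring the Important note above asks for, as an added example that is not part of the original article: on an SMS provider computer it reads the machine-wide DCOM launch limits to list who actually holds Remote Activation, and compares the SMS Admins membership with an approved list so that the widened grant is reviewed rather than assumed. Assumed: the approved list is a placeholder, the computer is either a member server (local group, Get-LocalGroupMember) or a domain controller (domain local group, Get-ADGroupMember from RSAT), and the script runs elevated.

```powershell
# Added example, not from the original article: who holds DCOM Remote Activation
# in the machine-wide limits, and does SMS Admins contain only approved principals?
# Assumptions: $Approved is a placeholder; member server => local group via
# Get-LocalGroupMember, domain controller => domain local group via Get-ADGroupMember
# (RSAT ActiveDirectory module); run elevated on the SMS provider computer.
param(
    [string[]]$Approved  = @('CONTOSO\CM-Admins', 'CONTOSO\svc-cmprovider'),   # placeholder
    [string]  $GroupName = 'SMS Admins'
)

# COM_RIGHTS_ACTIVATE_REMOTE bit of the DCOM launch/activation access mask (Win32 SDK)
$ACTIVATE_REMOTE = 0x10

function Get-SmsAdminsMembers {
    param([string]$Name)
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole   # 4 = backup DC, 5 = primary DC
    if ($role -ge 4) {
        Import-Module ActiveDirectory -ErrorAction Stop
        $nb = (Get-ADDomain).NetBIOSName
        Get-ADGroupMember -Identity $Name -Recursive | ForEach-Object { "$nb\$($_.SamAccountName)" }
    } else {
        # Get-LocalGroupMember lists nested domain groups but does not expand them;
        # review any group entries it returns separately.
        Get-LocalGroupMember -Group $Name | ForEach-Object { $_.Name }
    }
}

function Get-RemoteActivationHolders {
    # Machine-wide limits are stored as a self-relative security descriptor;
    # if the value is absent, Windows applies its built-in default.
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name MachineLaunchRestriction -ErrorAction SilentlyContinue
    if (-not $v) { return @() }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$v.MachineLaunchRestriction, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if (($ace.AccessMask -band $ACTIVATE_REMOTE) -eq 0) { continue }
        try   { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $ace.SecurityIdentifier.Value }   # unresolvable SID: report it raw
    }
}

$members    = @(Get-SmsAdminsMembers -Name $GroupName)
$unexpected = @($members  | Where-Object { $Approved -notcontains $_ })
$missing    = @($Approved | Where-Object { $members  -notcontains $_ })
$holders    = @(Get-RemoteActivationHolders)
$groupCanRemoteActivate = [bool]($holders | Where-Object { $_ -like "*\$GroupName" })

Write-Output ("Remote Activation (machine limits): " + $(if ($holders) { $holders -join ', ' } else { 'value absent; Windows default applies' }))
Write-Output ("$GroupName members: " + $(if ($members) { $members -join ', ' } else { '(none)' }))
if ($missing)    { Write-Output    ("Approved but not present: " + ($missing -join ', ')) }
if ($unexpected) { Write-Warning   ("NOT on the approved list: " + ($unexpected -join ', ')) }
if ($groupCanRemoteActivate -and $unexpected) {
    Write-Warning "$GroupName holds Remote Activation, so each unexpected member can remotely activate DCOM servers on this computer."
    exit 1
}
exit 0
```

Schedule the check (or feed its output to your SIEM) rather than running it once: the risk the note describes is a membership change after the permission was granted, not the grant itself. A non-zero exit code marks the condition that needs a human review.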
For more information about the limits of support, see Support policy for manual
database changes in a Configuration Manager environment .
Note
When you modify the database configuration for a site, Configuration Manager
restarts or reinstalls Configuration Manager services on the site server and remote
site system servers that communicate with the database.
The instance of SQL Server in use on a server that hosts the SQL Server database.
When you move the database to a new instance on SQL Server, or to a new SQL
Server computer, enable common language runtime (CLR) integration. Use SQL
Server Management Studio to connect to the instance of SQL Server that hosts
the site database. Then run the following stored procedure as a query:
sp_configure 'clr enabled',1; reconfigure
Make sure the new SQL Server has access to the backup location. When you use a
UNC for storing your site database backup, after moving the database to a new
server, make sure the computer account of the new SQL Server has write
permissions to the UNC location. This configuration includes when you move to a
SQL Server Always On availability group or a failover cluster instance.
Important
Before you move a database that has one or more database replicas for
management points, first remove the database replicas. After you complete the
database move, you can reconfigure database replicas. For more information, see
Database replicas for management points.
When the SQL Server service runs under the computer's system account, Windows
automatically registers the service principal name (SPN) for you.
When the services run with a domain local user account, manually register the SPN.
The SPN allows SQL Server clients and other site systems to authenticate with
Kerberos. Without Kerberos authentication, communication to the database might
fail.
For more information about SPNs and Kerberos connections, see Register a service
principal name for Kerberos connections.
Register an SPN for the SQL Server service account of the site database server by using
the Setspn tool. Run Setspn as a Domain Administrator on a computer in the same
domain as the SQL Server.
The following procedures are examples of how to manage the SPN for the SQL Server
service account. For more information about Setspn, see Setspn Overview.
2. Enter a valid command to create the SPN for both the NetBIOS name and the
FQDN:
Important
When you create an SPN for a SQL Server Always On failover cluster instance,
specify the virtual name of the failover cluster instance as the SQL Server
computer name.
Note
The command to register an SPN for a SQL Server named instance is the same
as that you use when you register an SPN for a default instance. The only
exception is that the port number must match the port that the named
instance uses.
3. Review the registered ServicePrincipalName. Make sure that you created a valid
SPN for the SQL Server.
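The SPN procedure above carried through with setspn.exe, as an added example that is not part of the original article. It registers the MSSQLSvc SPNs for both the NetBIOS name and the FQDN (each with the instance port), refuses to proceed if another account already holds one of them, and then verifies the account's SPN list. Assumed: the host names, port and service account are placeholders; the script runs as a Domain Admin on a domain member; for an Always On failover cluster instance $SqlHost is the cluster virtual name, and for a named instance $Port is that instance's listening port.

```powershell
# Added example, not from the original article: register and verify MSSQLSvc SPNs
# for the site database's SQL Server service account with setspn.exe.
# Assumptions: placeholders below; run as Domain Admin from a domain member.
param(
    [string]$SqlHost = 'SQL01',                 # placeholder NetBIOS name (cluster virtual name for an FCI)
    [string]$SqlFqdn = 'SQL01.contoso.com',     # placeholder FQDN
    [int]   $Port    = 1433,                    # named instance: use its listening port
    [string]$Account = 'CONTOSO\svc-sql'        # placeholder service account
)

$spns = @("MSSQLSvc/${SqlHost}:$Port", "MSSQLSvc/${SqlFqdn}:$Port")

# setspn -L lists the SPNs already on the account (lines are tab-indented)
$listed = & setspn.exe -L $Account 2>&1

foreach ($spn in $spns) {
    $anchored = "$([regex]::Escape($spn))\s*$"
    if ($listed -match $anchored) {
        Write-Output "$spn already registered on $Account"
        continue
    }
    # setspn -Q finds any object in the forest that already holds the SPN.
    # A duplicate SPN makes the KDC issue tickets for an unpredictable account, so
    # Kerberos to SQL fails or clients fall back to NTLM; never add on top of one.
    $q = & setspn.exe -Q $spn 2>&1
    if ($q -match 'Existing SPN found') {
        throw "$spn is already held by another object; remove it there first:`n$($q -join "`n")"
    }
    # -S re-checks for duplicates at write time, unlike -A
    & setspn.exe -S $spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn -S $spn $Account failed (exit code $LASTEXITCODE)" }
    Write-Output "Registered $spn for $Account"
}

# Verify: every expected SPN must now appear on the account
$listed  = & setspn.exe -L $Account 2>&1
$missing = @($spns | Where-Object { $listed -notmatch "$([regex]::Escape($_))\s*$" })
if ($missing) { throw "SPN(s) still missing on ${Account}: $($missing -join ', ')" }
Write-Output "All MSSQLSvc SPNs present on $Account"
```

Two follow-up checks are worth adding to the runbook: `setspn -X` reports duplicate SPNs forest-wide, and after the SQL Server service restarts, `SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID` run from a remote console should return KERBEROS rather than NTLM.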
3. Select SQL Server Services, and then open SQL Server<INSTANCE NAME>.
4. Switch to the Log on tab. Select This account, and then enter the user name and
password for the domain user account from step 1.
5. Confirm the service account change and restart the SQL Server service.
You can manually reset a site. A site reset can also run automatically after you modify
the site configuration. For example:
Note
2. Setup removes and recreates the site system share folder and the SMS Executive
component on the local computer and on remote site system computers.
The SMS or NAL registry keys, and any default subkeys under these keys.
The Configuration Manager file directory tree, and any default files or
subdirectories in this file directory tree.
If the primary site is in a hierarchy with a CAS, this account must also be a local
Administrator on the CAS server.
version.
2. On the Getting Started page, select Perform site maintenance or reset this site.
3. On the Site Maintenance page, select Reset site with no configuration changes.
After you update the server language packs at a site, you can add support for the
language packs to Configuration Manager consoles.
To add support for a server language pack to a Configuration Manager console, install
the Configuration Manager console from the ConsoleSetup folder on a site server that
includes the language pack that you want to use. If the Configuration Manager console
is already installed, you must first uninstall it to enable the new installation to identify
the current list of supported language packs.
Client language packs
Changes to the client language packs update the client installation source files. New
client installations and upgrades add support for the updated list of client languages.
After you update the client language packs at a site, install each client that will use the
language packs by using source files that include the client language packs.
For more information about the client and server languages that Configuration Manager
supports, see Language Packs.
2. On the Getting Started page, select Perform site maintenance or reset this Site.
5. On the Server Language Selection page, select the server languages this site
supports.
6. On the Client Language Selection page, select the client languages that this site
supports.
Note
Configuration Manager initiates a site reset which also reinstalls all site system
roles at the site.
You can modify these values or disable alerts for each site:
2. Select the site that you want to configure. In the ribbon, select Properties.
Starting in version 2002, you can also remove the CAS from a hierarchy, but keep the
primary site. For more information, see Remove the CAS.
The CD.Latest folder for Configuration
Manager
Article • 10/04/2022
Configuration Manager has a process to deliver updates to the product from within the
Configuration Manager console. To support this new method of updating Configuration
Manager, a new folder is created named CD.Latest . This folder contains a copy of the
Configuration Manager installation files for the updated version of your site.
The CD.Latest folder contains a folder named Redist , which contains the
redistributable files that setup downloads and uses. These files are matched to the
version of Configuration Manager files found in that CD.Latest folder. When you run
Setup from a CD.Latest folder, you must use files that are matched to that version of
Setup. You can either direct Setup to download new and current files from Microsoft, or
direct Setup to use the files from the Redist folder included in the CD.Latest folder.
Baseline media doesn't include a Redist folder. The site doesn't create a Redist folder
until you install an in-console update. In the meantime, use the Redist folder that you
used when installing sites from the baseline media.
Tip
Make sure the redistributable files you use are current. If you haven't recently
downloaded redistributable files, plan to allow Setup to do so from Microsoft.
When you install an update or hotfix from within the Configuration Manager
console, the site creates or updates the folder in the Configuration Manager
installation folder.
When you run the built-in Configuration Manager backup task, the site creates or
updates the folder under the designated backup folder location.
When you install a new site using baseline media, the site creates the CD.Latest
folder.
Supported scenarios
The source files from the CD.Latest folder are supported for the following scenarios:
When you reinstall a site as part of a site recovery, you install the site from the
CD.Latest folder included in your backup. This action installs the site using the file
If you don't have access to the correct CD.Latest folder version, get the
CD.Latest folder with the correct file versions by installing a site in a lab
environment. Then update that site to match the version you want to recover.
If you don't have the correct CD.Latest folder and its contents available, you
can't recover a site. In this circumstance, you need to reinstall the site.
When you don't have a CD.Latest folder, but do have a working child primary site
or central administration site, you can use that site as a reference site for a site
recovery.
Unsupported scenarios
The updated CD.Latest source files aren't supported for:
Next steps
Updates for Configuration Manager
Upgrade on-premises infrastructure that
supports Configuration Manager
Article • 10/04/2022
Use the information in this article to help you upgrade the server infrastructure that runs
Configuration Manager.
If Configuration Manager still supports the resulting service pack level of Windows,
it supports in-place upgrade to a later Windows Server service pack.
To upgrade a server, use the upgrade procedures provided by the OS you're upgrading
to. See the following articles:
Windows Server Upgrade Center
Upgrade either Windows Server 2016 or Windows Server 2019 to Windows Server
2022
Before upgrade
(Windows Server 2012 or Windows Server 2012 R2 only): Remove the System Center
Endpoint Protection (SCEP) client. Windows Server now has Windows Defender
built in, which replaces the SCEP client. The presence of the SCEP client can
prevent an upgrade to Windows Server.
(Windows Server 2012 or Windows Server 2012 R2 only): Install the latest
Cumulative Update and uninstall Windows Management Framework 5.1 before
attempting the upgrade.
Remove the WSUS role from the server if it's installed. You may keep the SUSDB
and reattach it once WSUS is reinstalled.
If you're upgrading the OS of the site server, make sure file-based replication is
healthy for the site. Check all inboxes for a backlog on both sending and receiving
sites. If there are lots of stuck or pending replication jobs, wait until they clear out.
On the sending site, review sender.log.
On the receiving site, review despooler log.
After upgrade
Make sure Windows Defender is enabled, set for automatic start, and running.
SMS_SITE_COMPONENT_MANAGER
Make sure the Windows Process Activation and WWW/W3svc services are
enabled and set for automatic start. The upgrade process disables these services,
so make sure they're running for the following site system roles:
Site server
Management point
Make sure each server that hosts a site system role continues to meet all
prerequisites. For example, you might need to reinstall BITS, WSUS, or configure
specific settings for IIS.
After restoring any missing prerequisites, restart the server one more time to make
sure services are started and operational.
If you're upgrading the primary site server, then run a site reset.
1. On the applicable servers, open the Microsoft Management Console (MMC) and
add the snap-in for WMI Control, and then select Local computer.
2. In the MMC, open the Properties of WMI Control (Local) and select the Security
tab.
3. Expand the tree below Root, select the SMS node, and then choose Security. Make
sure the SMS Admins group has the following permissions:
Enable Account
Remote Enable
4. On the Security tab below the SMS node, select the site_<sitecode> node, and
then choose Security. Make sure the SMS Admins group has the following
permissions:
Execute Methods
Provider Write
Enable Account
Remote Enable
5. Save the permissions to restore access for the Configuration Manager console.
After you upgrade a server that hosts a site system role, the value
Software\Microsoft\SMS may be missing from the following registry key:
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths
If this value is missing after you upgrade Windows on the server, manually add it.
Otherwise site system roles can have issues uploading files to the site server inboxes.
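The two post-upgrade checks above (the WMI namespace rights of SMS Admins and the Winreg AllowedPaths value) scripted together, as an added example that is not part of the original article. It reads the security descriptor of root\sms and root\sms\site_<sitecode> through the WMI __SystemSecurity class, reports which of the listed rights the group is missing, and checks (with -Fix, adds) the Software\Microsoft\SMS entry in AllowedPaths. It does not change WMI security itself; restore that through the WMI Control snap-in as described. Assumed: the site code is a placeholder, and the script runs elevated on the computer being checked.

```powershell
# Added example, not from the original article: post-OS-upgrade check of the
# SMS Admins WMI namespace rights and of the Winreg AllowedPaths entry.
# Assumptions: $SiteCode is a placeholder; run elevated on the site server or
# SMS provider computer being checked.
param(
    [string]$SiteCode = 'PS1',        # placeholder
    [string]$Group    = 'SMS Admins',
    [switch]$Fix                      # add the registry entry if it is missing
)

# WMI namespace access rights, as named in the WMI Control snap-in (bits from WbemCli.h)
$Wbem = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
}

function Get-NamespaceRights {
    param([string]$Namespace, [string]$GroupName)
    $r = Invoke-CimMethod -Namespace $Namespace -ClassName __SystemSecurity -MethodName GetSecurityDescriptor -ErrorAction Stop
    if ($r.ReturnValue -ne 0) { throw ('GetSecurityDescriptor failed on {0} (0x{1:X})' -f $Namespace, $r.ReturnValue) }
    $mask = 0
    foreach ($ace in $r.Descriptor.DACL) {
        # AceType 0 = access allowed; deny ACEs for the group are not evaluated here
        if ($ace.AceType -eq 0 -and $ace.Trustee.Name -eq $GroupName) { $mask = $mask -bor $ace.AccessMask }
    }
    return $mask
}

function Test-NamespaceRights {
    param([string]$Namespace, [string[]]$Required)
    $mask    = Get-NamespaceRights -Namespace $Namespace -GroupName $Group
    $missing = @($Required | Where-Object { ($mask -band $Wbem[$_]) -eq 0 })
    [pscustomobject]@{
        Namespace = $Namespace
        Mask      = ('0x{0:X}' -f $mask)
        Missing   = ($missing -join ', ')
    }
}

# Rights from the procedure: root\sms needs Enable Account + Remote Enable,
# site_<sitecode> additionally needs Execute Methods + Provider Write
$checks = @(
    Test-NamespaceRights -Namespace 'root/sms' -Required 'Enable Account', 'Remote Enable'
    Test-NamespaceRights -Namespace "root/sms/site_$SiteCode" -Required 'Execute Methods', 'Provider Write', 'Enable Account', 'Remote Enable'
)
$checks | Format-Table -AutoSize

# Winreg AllowedPaths: remote registry paths that site system roles rely on to
# reach the site server inboxes
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
$needed  = 'Software\Microsoft\SMS'
$machine = @((Get-ItemProperty -Path $key -Name Machine -ErrorAction Stop).Machine)
if ($machine -notcontains $needed) {
    if ($Fix) {
        Set-ItemProperty -Path $key -Name Machine -Value ([string[]]($machine + $needed)) -Type MultiString
        Write-Output "Added '$needed' to AllowedPaths\Machine."
    } else {
        Write-Warning "'$needed' is missing from AllowedPaths\Machine (rerun with -Fix to add it)."
    }
} else {
    Write-Output "AllowedPaths\Machine already lists '$needed'."
}

if ($checks | Where-Object { $_.Missing }) {
    Write-Warning "WMI rights missing for '$Group'; restore them in the WMI Control snap-in."
    exit 1
}
exit 0
```

Run it once before the upgrade to record the expected state and again afterwards; a non-zero exit code means remote consoles will fail to connect until the WMI rights are restored.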
On Windows Server 2008 R2: Before you upgrade to Windows Server 2012 R2, you
must uninstall WSUS 3.2 from the server. You may keep the SUSDB and reattach it
once WSUS is reinstalled. For more information, see Windows Server Update
Services Overview.
If you're upgrading the OS of the site server, make sure file-based replication is
healthy for the site. Check all inboxes for a backlog on both sending and receiving
sites. If there are lots of stuck or pending replication jobs, wait until they clear out.
On the sending site, review sender.log.
On the receiving site, review despooler log.
Management point
Make sure the Windows Process Activation and WWW/W3svc services are
enabled and set for automatic start. The upgrade process disables these services,
so make sure they're running for the following site system roles:
Site server
Management point
Make sure each server that hosts a site system role continues to meet all
prerequisites. For example, you might need to reinstall BITS, WSUS, or configure
specific settings for IIS.
After restoring any missing prerequisites, restart the server one more time to make
sure services are started and operational.
If Configuration Manager supports the resulting service pack level, it supports in-
place upgrade to a later Windows service pack.
For information about the versions of SQL Server that Configuration Manager supports,
see Support for SQL Server versions.
When you have more than one Configuration Manager site in a hierarchy, each site can
run a different service pack version of SQL Server. There's no limitation to the order in
which sites upgrade the service pack version of SQL Server.
Important
This support includes the upgrade of SQL Server Express to a newer version of SQL
Server Express at secondary sites.
When you upgrade the version of SQL Server that hosts the site database, you must
upgrade the SQL Server version that's used at sites in the following order:
3. Upgrade parent primary sites last. These sites include both child primary sites that
report to a central administration site, and stand-alone primary sites that are the
top-level site of a hierarchy.
When you upgrade a site database from an earlier version of SQL Server, the database
keeps its existing cardinality estimation level, if it's at the minimum allowed for that
instance of SQL Server. If you upgrade SQL Server with a database at a compatibility
level lower than the allowed level, it automatically sets the database to the lowest
compatibility level allowed by SQL Server. For more information, see Supported SQL
Server versions: Database compatibility level.
For more information about upgrading SQL Server, see the following SQL Server articles:
Note
When you change the SQL Server edition in use at the central administration site
from Standard to either a Datacenter or Enterprise, the database partition doesn't
change. This database partition limits the number of clients the hierarchy supports.
Updates and servicing for Configuration
Manager
Article • 04/11/2023
Tip
The terms upgrade, update, and install are used to describe three separate concepts
in Configuration Manager. For more information about how each term is used, see
About upgrade, update, and install.
Also use a baseline version to upgrade from System Center 2012 Configuration
Manager.
Periodically, another baseline version is released. When you use the latest baseline
version to install a new hierarchy, you avoid installing an outdated or unsupported
version of Configuration Manager, followed by another update to your
infrastructure.
After you install a baseline version, later versions of Configuration Manager are available
as in-console updates. Use these updates to update your infrastructure to the latest
version of Configuration Manager.
You install in-console updates to update the version of your top-level site.
Updates you install at the central administration site (CAS) automatically install at
child primary sites. Control this timing by using a service window at the primary
site. For more information, see Service Windows.
Manually update secondary sites to a new update version from within the console.
When you install an update, the update stores installation files for that version on the
site server in a folder named CD.Latest. For more information about these files, see The
CD.Latest folder.
Use the files in the CD.Latest folder during site recovery. Also, when your hierarchy
no longer runs a baseline version, use these files to install other sites.
You can't use installation files from CD.Latest to install the first site of a new
hierarchy, or to upgrade a site from System Center 2012 Configuration Manager.
Version details
Some updates for Configuration Manager are available as both an in-console update
version for existing infrastructure, and as a new baseline version.
Supported versions
The following supported versions of Configuration Manager are currently available as a
baseline, an update, or both:
Version             Availability date   Support end date    Baseline       In-console update
2303 (5.00.9106)    April 10, 2023      October 10, 2024    Yes (Note 1)   Yes
2211 (5.00.9096)    December 5, 2022    June 5, 2024        No             Yes
2207 (5.00.9088)    August 12, 2022     February 12, 2024   No             Yes
2203 (5.00.9078)    April 8, 2022       October 8, 2023     Yes (Note 1)   Yes
2111 (5.00.9068)    December 1, 2021    June 1, 2023        No             Yes
Note 1
The Availability date in this table is when the early update ring was released.
Baseline media will be available on the VLSC soon after the update is globally
available.
The baseline media is available as part of the following releases on the Volume License
Service Center (VLSC):
For example, search the VLSC for Microsoft Configmgr (current branch). Find the
baseline media in the list of files, and download it for that release.
Note
The search string may be different on other media sites. For example, on the Visual
Studio Subscriptions Portal, search for Microsoft Configuration Manager.
Historical versions
The following table lists historical versions of Configuration Manager current branch that
are out of support:
Version                                Availability date   Support end date     Baseline   In-console update
2107 (5.00.9058)                       August 2, 2021      February 2, 2023     No         Yes
2103 (5.00.9049)                       April 19, 2021      October 19, 2022     Yes        Yes
2010 (5.00.9040)                       November 30, 2020   May 30, 2022         No         Yes
2006 (5.00.9012)                       August 11, 2020     February 11, 2022    No         Yes
2002 (5.00.8968)                       April 1, 2020       October 1, 2021      Yes        Yes
1910 (5.00.8913)                       November 29, 2019   May 29, 2021         No         Yes
1906 (5.00.8853)                       July 26, 2019       January 26, 2021     No         Yes
1902 (5.00.8790)                       March 27, 2019      September 27, 2020   Yes        Yes
1810 (5.00.8740)                       November 27, 2018   December 1, 2020     No         Yes
1806 (5.00.8692)                       July 31, 2018       January 31, 2020     No         Yes
1802 (5.00.8634)                       March 22, 2018      September 22, 2019   Yes        Yes
1710 (5.00.8577)                       November 20, 2017   May 20, 2019         No         Yes
1706 (5.00.8540)                       July 31, 2017       July 31, 2018        No         Yes
1702 (5.00.8498)                       March 27, 2017      March 27, 2018       Yes        Yes
1610 (5.00.8458)                       November 18, 2016   November 18, 2017    No         Yes
1606 with KB3186654 (5.00.8412.1307)   October 12, 2016    October 12, 2017     Yes        No
1606 (5.00.8412.1000)                  July 22, 2016       July 22, 2017        No         Yes
1602 (5.00.8355)                       March 11, 2016      March 11, 2017       No         Yes
1511 (5.00.8325)                       December 8, 2015    December 8, 2016     Yes        No
To check the version of your Configuration Manager site, in the console go to About
Configuration Manager at the top-left corner of the console. This dialog displays the
site and console versions.
Note
The console version is slightly different from the site version. The minor version of
the console corresponds to the Configuration Manager release version. For
example, in Configuration Manager version 1802 the initial site version is
5.0.8634.1000, and the initial console version is 5.1802.1082.1700. The build (1082)
and revision (1700) numbers may change with future hotfixes.
Hotfixes that apply to your version of Configuration Manager and that all customers
should install.
Note
The in-console updates deliver increased stability and resolve common issues. They
replace the update types seen for previous product versions such as service packs,
cumulative updates, hotfixes that are applicable to all customers, and the extension for
Microsoft Intune.
The in-console updates can apply to one or more of the following systems:
Configuration Manager discovers new updates for you. Synchronize your Configuration
Manager service connection point with the Microsoft cloud service, noting the following
behaviors:
When your service connection point is in online mode, your site synchronizes with
Microsoft every day. It automatically identifies new updates that apply to your
infrastructure. To download updates and redistributable files, the computer that
hosts the service connection point site system role uses the System context to
access the following internet locations: go.microsoft.com and
download.microsoft.com. For more information about other locations used by the
When your service connection point is in offline mode, use the service connection
tool to manually sync with the Microsoft cloud. For more information, see Use the
service connection tool.
In-console updates replace the need to independently locate and install individual
updates, service packs, and new features.
Install only the in-console updates you choose. When installing some updates, you
can select individual features to enable and use. For more information, see Enable
optional features from updates.
It automatically runs a prerequisite check. You can also manually run this check
before starting the installation.
It installs at the top-level site in your environment. This site is the CAS if there's
one. In a hierarchy, the update automatically installs at primary sites. Control when
each primary site server is allowed to update by using Service windows for site
servers.
After a site server updates, all affected site system roles automatically update.
These roles include instances of the SMS Provider. After the site installs the update,
Configuration Manager consoles also prompt the console user to update the
console.
If an update includes the Configuration Manager client, you're offered the option
to test the update in pre-production, or to apply the update to all clients
immediately.
After a primary site is updated, secondary sites don't automatically update. Instead,
you must manually start the secondary site update.
Note
The Configuration Manager current branch, the long-term servicing branch, and the
technical preview branch are different releases. Updates that apply for one branch
aren't available as in-console updates for the other branches. For more information
about available branches, see Which branch of Configuration Manager should I
use?.
Supersedence example
There are three hotfixes available: Hotfix-A, Hotfix-B, and Hotfix-C. Hotfix-A is
superseded by Hotfix-B, and Hotfix-B is superseded by Hotfix-C.
Hotfix-A        Hotfix-B        Hotfix-C        Console displays
Not installed   Not installed   Not installed   Show all three hotfixes
Out-of-band hotfixes
Some hotfixes release with limited availability to address specific issues. Other hotfixes
are applicable to all customers but can't install using the in-console method. These fixes
are delivered out-of-band and not discovered from the Microsoft cloud service.
Typically, when you're seeking to fix or address a problem with your deployment of
Configuration Manager, you can learn about out-of-band hotfixes from Microsoft
customer support services, a Microsoft support knowledge base article, or the
Configuration Manager team blog.
Install these fixes manually, using one of the following two methods:
Update registration tool
Use this tool to import a hotfix into the console so that you can then install it as an
in-console update. This method is used for hotfixes that use the following file name
structure:
<Product>-<product version>-<KB article ID>-ConfigMgr.Update.exe
For more information, see Use the update registration tool to import hotfixes.
Hotfix Installer
Use this tool to manually install a hotfix that can't be installed using the in-console
method. This method is used for fixes that use the following file name structure:
<Product>-<product version>-<KB article ID>-<platform>-<language>.exe
For more information, see Use the hotfix installer to install updates.
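The two file name shapes above decide which tool installs an out-of-band hotfix. As an added example (not code from this article or from Microsoft), the following Python script parses a hotfix file name into its product, version and KB fields, picks the install method, and checks that the hotfix's product version matches the site version shown in About Configuration Manager, normalizing the two notations the article uses for the same release (5.00.9106 and 5.0.9106.1000). It assumes the KB article ID field looks like "KB" followed by digits, which the article doesn't state; the file names in SAMPLE_FILES are constructed placeholders, not real hotfixes.

```python
import re
from typing import Dict, List, Optional, Tuple

# The two file name shapes described above. The KB field is assumed to look
# like "KB" followed by digits; the article only calls it <KB article ID>.
_UPDATE_PACKAGE = re.compile(
    r"^(?P<product>[^-]+)-(?P<version>[\d.]+)-(?P<kb>kb\d+)-ConfigMgr\.Update\.exe$",
    re.IGNORECASE,
)
_HOTFIX_INSTALLER = re.compile(
    r"^(?P<product>[^-]+)-(?P<version>[\d.]+)-(?P<kb>kb\d+)"
    r"-(?P<platform>[^-]+)-(?P<language>[^-]+)\.exe$",
    re.IGNORECASE,
)


def version_key(version: str) -> Tuple[int, ...]:
    """Reduce a version string to (major, minor, build).

    The article writes the same release as both 5.00.9106 and 5.0.9106.1000,
    so compare numerically on the first three fields only.
    """
    return tuple(int(part) for part in version.split(".")[:3])


def classify_hotfix(filename: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields plus the install method, or None when the
    name matches neither out-of-band hotfix pattern."""
    m = _UPDATE_PACKAGE.match(filename)
    if m:
        return {**m.groupdict(), "method": "update registration tool"}
    m = _HOTFIX_INSTALLER.match(filename)
    if m:
        return {**m.groupdict(), "method": "hotfix installer"}
    return None


def plan_hotfix_install(filenames: List[str], site_version: str) -> List[Dict[str, object]]:
    """For each file, say which tool installs it and whether its product
    version matches the site version from About Configuration Manager."""
    plan: List[Dict[str, object]] = []
    for name in filenames:
        info = classify_hotfix(name)
        if info is None:
            plan.append({"file": name, "method": None, "kb": None, "applies": False})
            continue
        plan.append({
            "file": name,
            "method": info["method"],
            "kb": info["kb"].upper(),
            "applies": version_key(info["version"]) == version_key(site_version),
        })
    return plan


# Constructed file names: the KB numbers and versions are placeholders, not
# real Microsoft hotfixes.
SAMPLE_FILES = [
    "ConfigMgr-5.0.9106.1000-KB0000001-ConfigMgr.Update.exe",
    "ConfigMgr-5.0.9096.1000-KB0000002-x64-enu.exe",
    "readme.txt",
]

if __name__ == "__main__":
    for row in plan_hotfix_install(SAMPLE_FILES, "5.00.9106"):
        print(row)
```

A hotfix whose version doesn't match the site is reported with applies set to False so that it isn't imported or run against the wrong build; the method string tells you whether to reach for the update registration tool or the hotfix installer.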
Next steps
The following articles can help you understand how to find and install the different
update types for Configuration Manager:
For more information about the technical preview branch, see Technical preview.
Prepare to install in-console updates for Configuration Manager
Article • 04/11/2023
Configuration Manager synchronizes with the Microsoft cloud service to get updates.
Use the steps in this article to prepare your environment.
In offline mode, the service connection point doesn't connect to the Microsoft
cloud service. To download and then import available updates, use the Service
Connection Tool.
Note
If necessary, import out-of-band fixes into your console. To do so, use the update
registration tool. These out-of-band fixes supplement the updates you get when
you synchronize with the Microsoft cloud service.
After updates synchronize, view them in the Configuration Manager console. Go to the
Administration workspace and select the Updates and Servicing node.
Updates you've installed display as Installed. Only the most recently installed
update is shown. To view previously installed updates, select History in the ribbon.
Before you configure the service connection point, understand and plan for its use. The
following uses might affect how you configure this site system role:
The site uses the service connection point to upload usage information about your
site. This information helps the Microsoft cloud service identify the updates that
are available for the current version of your infrastructure. For more information,
see Diagnostics and usage data.
To better understand what happens when updates are downloaded, see the following
flowcharts:
Permissions
To view updates in the console, a user must have a role-based administration security
role that includes the security class Update packages. This class grants access to view
and manage updates in the Configuration Manager console.
A user with this security role and access to the All security scope can view and
install updates. The user can also enable features during the installation, and
enable individual features after the site updates.
A user with this security role and access to the Default security scope can view
and install updates. The user can also enable features during the installation,
and view features after the site updates. But this user can't enable the features
after the site updates.
The site replicates update files to other sites before installing the update.
When you choose to install the update, the prerequisite check automatically runs
again.
Note
When you start a prerequisite check and then view the status, the Installation
phase appears to be active. However, the site isn't actually installing the update. To
run the prerequisite check, the update process extracts the package from the
content library. It then puts the package into a staging folder where it can access
the current prerequisite checks. When you install an update, this same process runs.
This behavior is why the Installation phase shows as In progress. Only the Extract
Update package step is shown in the Installation category.
Later, when you install the update, you can configure the update to ignore prerequisite
check warnings.
2. Select the update package for which you want to run the prerequisite check.
When you run the prerequisite check, content for the update replicates to child
sites. View the distmgr.log on the site server to confirm that content replicates
successfully.
b. Select the Updates and Servicing Status node and look for the prerequisite
status.
This article describes how to install updates from within the Configuration Manager
console. Before you start, make sure to Prepare to install in-console updates.
When you're ready to install updates from within the Configuration Manager console,
begin with the top-level site of your hierarchy. This site is either the central
administration site (CAS) or a standalone primary site.
Install the update outside of normal business hours for each site to minimize the effect
on business operations. The update installation might include actions like reinstalling
site components and site system roles.
Child primary sites automatically start the update after the CAS completes
installation of the update. This process is by default and recommended. To control
when a primary site installs updates, use Service windows for site servers.
After the primary parent site update is complete, manually update secondary sites
from within the Configuration Manager console. Automatic update of secondary
site servers isn't supported.
When you use a Configuration Manager console after the site is updated, you're
prompted to update the console.
Note
Your user account requires permissions to install updates. For more information,
see Permissions for in-console updates.
To monitor the update installation on a secondary site, select the secondary site, and
choose Show Install Status in the ribbon. Also add the Version column to the Sites node
so that you can view the version of each secondary site.
The status in the console may not refresh or it might show that the update failed. After a
secondary site successfully updates, use the Retry installation option. This option
doesn't reinstall the update for a secondary site that successfully installed the update,
but forces the console to update the status.
Install process
Prerequisite errors always stop the update installation. Fix errors before you can
successfully retry the update installation. For more information, see Retry
installation of a failed update.
Prerequisite warnings can also stop the update installation. Fix warnings before
you retry the update installation. For more information, see Retry installation of
a failed update.
Ignore any prerequisite check warnings and install this update regardless of
missing requirements: Set a condition for the update installation to ignore
prerequisite warnings. This option allows the update installation to continue. If
you don't select this option, the update installation stops on a warning. Unless
you've previously run the prerequisite check and fixed prerequisite warnings for
a site, don't use this option.
When an update applies to the Configuration Manager client, choose to test the
client update with a limited set of clients. For more information, see How to test
client upgrades in a pre-production collection.
If you don't wish to onboard, clear both of the Enable Microsoft Intune admin
center and Enable automatic client enrollment for co-management options.
Reinstalls any affected components, like site system roles or the Configuration
Manager console.
Manages updates to clients based on the selections that you made for client
piloting, and for automatic client upgrades.
Site system servers generally don't need to restart as part of the update. If a role
uses .NET, and the package updates that prerequisite component, then the site
system may restart. For more information, see Site and site system prerequisites.
Tip
When you install Configuration Manager updates, the site also updates the
CD.Latest folder. For more information, see The CD.Latest folder.
The update installation is divided into several phases for easier monitoring. For
each of the following phases, more details in the installation status include which
log file to view for more information:
Download: This phase applies only to the top-level site with the service
connection point.
Replication
Prerequisites Check
Installation
Note
During the Installation phase, you can see the state of the Upgrade ConfigMgr
database task.
Child primary sites install the update automatically. No further action is required.
Manually update secondary sites from within the Configuration Manager console.
For more information, see start the update installation at a secondary site.
Until all sites in your hierarchy update to the new version, your hierarchy operates
in a mixed version mode. For more information, see Interoperability between
different versions.
After the console update completes, verify the console and site versions are correct. Go
to About Configuration Manager at the top-left corner of the console.
Note
The console version is slightly different from the site version. The minor version of
the console corresponds to the Configuration Manager release version. For
example, in Configuration Manager version 1802 the initial site version is
5.0.8634.1000, and the initial console version is 5.1802.1082.1700. The build (1082)
and revision (1700) numbers may change with future hotfixes.
Next steps
Continue reading about what happens after the site updates, or what to do if the update
fails.
After you install an in-console update for Configuration Manager, the site does
additional processing in the background. There are also additional steps that you may
need to take after the update is complete. If something goes wrong, use the steps
below to help troubleshoot and retry the update.
Post-installation tasks
When a site installs an update, there are several tasks that can't start until after the
update completes installation on the site server. This list includes the post-installation
tasks that are critical for site and hierarchy operations. Because they're critical, they're
actively monitored. Other tasks that aren't directly monitored include the reinstallation
of site system roles. To view the status of the critical post-installation tasks, select the
Post Installation task while monitoring the update installation for a site.
Not all tasks complete immediately. Some tasks don't start until each site completes
installation of the update. New functionality you might expect can be delayed until
these tasks complete. Turning on new features doesn't start until all sites complete
update installation, so new features might not be visible for some time.
Responsible for reinstalling roles on site system servers. Status for individual site
system role reinstallation doesn't display.
Some Configuration Manager site roles share the client framework. For
example, the management point and pull distribution point. When these
roles update, the client version on these servers updates at the same time.
For more information, see How to upgrade clients.
Turning on Features
This task displays only at the top-tier site of the hierarchy.
Doesn't start until all sites in the hierarchy finish installing the update.
Individual features aren't displayed.
Tip
If an update has problems downloading or replicating, use the update reset tool.
When you're ready to retry the installation of an update, select the failed update, and
then choose an applicable option. The update installation retry behavior depends on the
node where you start the retry, and the retry option that you use.
Prerequisite checks passed with one or more warnings, and the option to ignore
prerequisite check warnings wasn't set in the Update Wizard. (The update's value
for Ignore Prereq Warning in the Updates and Servicing node is No.)
Prerequisite failed
Installation failed
Go to the Administration workspace and select the Updates and Servicing node. Select
the update, and then choose one of the following options:
Retry: When you Retry from Updates and Servicing, the update install starts again
and automatically ignores prerequisite warnings. If content replication previously
failed, content for the update replicates again.
Ignore prerequisite warnings: If the update install stops because of a warning, you
can then choose Ignore prerequisite warnings. This action allows the installation
of the update to continue after a few minutes, and uses the option to ignore
prerequisite warnings.
Prerequisite failed
Installation failed
Go to the Monitoring workspace, and select the Site Servicing Status node. Select the
update, and then choose one of the following options:
Retry: When you Retry from Site Servicing Status, you restart the installation of
the update at only that site. Unlike running Retry from the Updates and Servicing
node, this retry doesn't ignore prerequisite warnings.
Ignore prerequisite warnings: If the update install stops because of a warning, you
can then select Ignore prerequisite warnings. This action allows the installation of
the update to continue after a few minutes, and uses the option to ignore
prerequisite warnings.
Important
2. Select an update then select Report update error to Microsoft in the ribbon.
Provide your email address if you're willing to be contacted about the error.
4. When you submit feedback, you'll be given a transaction ID for the feedback. A
status message is also generated with this information.
Next steps
Some updates include optional features, which you can enable during or after
installation.
Optional features
Optional features in Configuration Manager
Article • 02/22/2023
When an update includes one or more optional features, you can enable those features
in your hierarchy. Enable features when the update installs, or return to the console later
to enable the optional features.
To view available features and their status, in the console go to the Administration
workspace, expand Updates and Servicing, and select the Features node. To enable a
feature, select it in the list, and then select Turn on in the ribbon.
Your user account requires permissions to view and enable optional features. For more
information, see Permissions for in-console updates.
When a feature isn't optional, it's automatically available for use. It doesn't appear in the
Features node.
Important
When you enable a new feature or pre-release feature, the Configuration Manager
hierarchy manager (HMAN) must process the change before that feature becomes
available. Processing of the change is often immediate. Depending on the HMAN
processing cycle, it can take up to 30 minutes to complete. After the change is
processed, restart the console before you can use the feature.
When new cloud-based features are available in the Microsoft Intune admin center, or
other attached cloud services for your on-premises Configuration Manager installation,
you can opt in to these new features in the Configuration Manager console.
Tip
For more information on features that require consent to enable, see pre-release
features.
For more information on features that are only available in the technical preview
branch, see Technical Preview.
Next steps
The current branch includes pre-release features for early testing in a production
environment. For more information, see pre-release features.
The update requires a configuration that your infrastructure doesn't use, or your
current product version doesn't fulfill a prerequisite for receiving the update.
If you think you have the required configurations and prerequisites for a missing
update, confirm the service connection point is in online mode. Then, use the
Check for Updates option in the Updates and Servicing node to force a check. If
your service connection point is in offline mode, use the service connection tool to
manually sync with the cloud service.
Beginning with version 1706, Configuration Manager primary sites, and central
administration sites include the Configuration Manager Update Reset Tool,
CMUpdateReset.exe. Use the tool to fix issues when in-console updates have problems
downloading or replicating. The tool is found in the \cd.latest\SMSSETUP\TOOLS folder
of the site server.
You can use this tool with any version of the current branch that remains in support.
Use this tool when an in-console update has not yet installed and is in a failed state. A
failed state means that the update download is in progress but stuck or taking an
excessively long time. A long time is considered to be hours longer than your historical
expectations for update packages of similar size. It can also be a failure to replicate the
update to child primary sites.
When you run the tool, it runs against the update that you specify. By default, the tool
does not delete successfully installed or downloaded updates.
Prerequisites
The account you use to run the tool requires the following permissions:
Read and Write permissions to the site database of the central administration site
and to each primary site in your hierarchy. To set these permissions, you can add
the user account as a member of the db_datawriter and db_datareader fixed
database roles on the Configuration Manager database of each site. The tool does
not interact with secondary sites.
Local Administrator on the top-level site of your hierarchy.
Local Administrator on the computer that hosts the service connection point.
You need the GUID of the update package that you want to reset. To get the GUID:
Tip
To copy the GUID, select the row for the update package you want to reset, and
then use CTRL+C to copy that row. If you paste your copied selection into a text
editor, you can then copy only the GUID for use as a command-line parameter
when you run the tool.
Based on the status of the update, the tool identifies the additional servers it needs to
access.
If the update package is in a post download state, the tool does not clean up the
package. As an option, you can force the removal of a successfully downloaded update
by using the force delete parameter (See command-line parameters later in this topic).
If a package was deleted, restart the SMS_Executive service at the top-tier site.
Then, check for updates so you can download the package again.
If a package was not deleted, you do not need to take any action. The update
reinitializes and then restarts replication or installation.
Command-line parameters:
Parameter                                           Description
-S <FQDN of the SQL Server of your top-tier site>   Specify the FQDN of the SQL Server that hosts the site database for the top-tier site of your hierarchy.
-D <site database name>                             Specify the name of the site database, for example CM_XYZ.
-P <package GUID>                                   Specify the GUID for the update package you want to reset.
<instance name>                                     Identify the instance of SQL Server that hosts the site database.
-FDELETE                                            Optional. Force removal of the update package even if it was successfully downloaded.
Examples:
In a typical scenario, you want to reset an update that has download problems. Your SQL
Server's FQDN is server1.fabrikam.com, the site database is CM_XYZ, and the package
GUID is 61F16B3C-F1F6-4F9F-8647-2A524B0C802C. You run:
CMUpdateReset.exe -S server1.fabrikam.com -D CM_XYZ -P 61F16B3C-F1F6-4F9F-8647-2A524B0C802C
In a more extreme scenario, you want to force deletion of a problematic update package.
Your SQL Server's FQDN is server1.fabrikam.com, the site database is CM_XYZ, and the
package GUID is 61F16B3C-F1F6-4F9F-8647-2A524B0C802C. You run:
CMUpdateReset.exe -FDELETE -S server1.fabrikam.com -D CM_XYZ -P 61F16B3C-F1F6-4F9F-8647-2A524B0C802C
Test the database upgrade when installing an update
Article • 10/04/2022
If necessary, you can run a test database upgrade before you install an in-console
update for the current branch of Configuration Manager.
Important
The test upgrade is no longer a required or recommended step for most sites.
Updates now install with logic that automatically rolls back a failed update without
the need to run a site recovery. These changes enable the use of the console to manage
update installations, and include an option to retry installation of a failed update.
Tip
If you still plan to test the upgrade of a site database when you install an in-console
update, the following information supplements the guidance on installing an in-console
update.
Prepare to run a test database upgrade
To run the upgrade test, use the Configuration Manager Setup from the CD.Latest
folder. Use the same version of the source files as the version of Configuration Manager
to which you're updating.
You need at least one site that already runs the version you're updating to, from which
you can get that CD.Latest folder.
If you don't have a site that runs the required version, consider installing a site in a
lab environment. Then update that site to the new version. This process creates the
CD.Latest folder with the correct version of source files.
The upgrade test runs against a backup of your site database that you restore to a
separate instance of SQL Server. After the test upgrade completes, discard the upgraded
database. It can't be used by a Configuration Manager site.
2. Copy the CD.Latest folder to a location on the SQL Server instance that you'll use
to run the test database upgrade.
3. Create a backup of the site database that you want to test upgrade. Then restore a
copy of that database to an instance of SQL Server that doesn't host a
Configuration Manager site. The SQL Server instance needs to be the same edition
of SQL Server as your site database. For more information, see Quickstart: Backup
and restore a SQL Server database on-premises.
4. After you restore the database copy, run Setup from the CD.Latest folder. When
you run Setup, use the /TESTDBUPGRADE command-line option. If the SQL Server
instance that hosts the database copy isn't the default instance, provide the
command-line options to identify the instance that hosts the site database copy.
For example, you have a site database with the database name CM_ABC . You restore
a copy of this site database to a supported instance of SQL Server with the
instance name DBTest. To test an upgrade of this copy of the site database, use the
following command line: setup.exe /TESTDBUPGRADE DBTest\CM_ABC
You can find Setup.exe in the following location on the source media for
Configuration Manager: SMSSETUP\BIN\X64
5. On the instance of SQL Server where you run the upgrade test, monitor the
ConfigMgrSetup.log in the root of the system drive for progress and success.
If the test upgrade fails, fix any issues related to the site database upgrade failure.
Then, create a new backup of the site database and retest the upgrade of the new
copy of the database.
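The article points you at distmgr.log to confirm that update content replicates, and at ConfigMgrSetup.log to follow a test database upgrade; the update reset tool, earlier on this page, is for downloads that sit for hours without progress. All of these logs use the CMTrace line format, `<![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="..." file="...">`, where type 1, 2 and 3 mean informational, warning and error. The following Python script is an added example, not code from this article or from Microsoft: it parses that format, counts entries by severity, lists the error messages, and flags any gap between consecutive entries of one component that exceeds a threshold, which is the "stuck for hours" symptom the reset tool targets. The lines in SAMPLE_LOG are constructed for the example; their message text is not what Configuration Manager actually writes.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# One CMTrace-format entry: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
# type="1" is informational, "2" a warning, "3" an error.
_ENTRY = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]+)"\s+date="(?P<date>[^"]+)"\s+'
    r'component="(?P<component>[^"]*)"\s+context="[^"]*"\s+'
    r'type="(?P<type>\d)"\s+thread="(?P<thread>\d+)"\s+file="(?P<file>[^"]*)"\s*>',
    re.DOTALL,
)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}


@dataclass
class LogEntry:
    timestamp: datetime
    component: str
    severity: str
    thread: int
    message: str


def parse_cmtrace(text: str) -> List[LogEntry]:
    """Parse CMTrace text into entries in file order (DOTALL on the message
    group lets a multi-line message through)."""
    entries: List[LogEntry] = []
    for m in _ENTRY.finditer(text):
        # time is "HH:MM:SS.fff" followed by a UTC offset in minutes, e.g. "+420"
        clock = re.split(r"[+-]", m.group("time"))[0]
        stamp = datetime.strptime(f"{m.group('date')} {clock}", "%m-%d-%Y %H:%M:%S.%f")
        entries.append(LogEntry(
            timestamp=stamp,
            component=m.group("component"),
            severity=SEVERITY.get(m.group("type"), "unknown"),
            thread=int(m.group("thread")),
            message=m.group("message").strip(),
        ))
    return entries


def find_stalls(entries: List[LogEntry], threshold: timedelta) -> List[Tuple[LogEntry, LogEntry]]:
    """Consecutive entries from the same component separated by more than
    threshold: a component that logs nothing for that long is stuck."""
    last_seen: Dict[str, LogEntry] = {}
    stalls: List[Tuple[LogEntry, LogEntry]] = []
    for entry in entries:
        previous = last_seen.get(entry.component)
        if previous is not None and entry.timestamp - previous.timestamp > threshold:
            stalls.append((previous, entry))
        last_seen[entry.component] = entry
    return stalls


def triage(text: str, stall_minutes: int = 30) -> Dict[str, object]:
    """Summarize a log: severity counts, error messages, stalls and a verdict."""
    entries = parse_cmtrace(text)
    counts = {"info": 0, "warning": 0, "error": 0}
    for entry in entries:
        counts[entry.severity] = counts.get(entry.severity, 0) + 1
    stalls = find_stalls(entries, timedelta(minutes=stall_minutes))
    return {
        "entries": len(entries),
        "counts": counts,
        "errors": [e.message for e in entries if e.severity == "error"],
        "stalls": [(a.component, round((b.timestamp - a.timestamp).total_seconds() / 60, 1))
                   for a, b in stalls],
        "verdict": "failed" if counts["error"] else "no errors logged",
    }


# Constructed sample lines in CMTrace format; the message text is invented for
# the example and is not what Configuration Manager writes.
SAMPLE_LOG = (
    '<![LOG[Prerequisite check started (constructed)]LOG]!>'
    '<time="22:01:05.120+420" date="04-11-2023" component="ConfigMgrSetup" '
    'context="" type="1" thread="4120" file="setup.cpp:100">\n'
    '<![LOG[Prerequisite warning (constructed)]LOG]!>'
    '<time="22:01:06.300+420" date="04-11-2023" component="ConfigMgrSetup" '
    'context="" type="2" thread="4120" file="prereq.cpp:201">\n'
    '<![LOG[Replicating update package to child site (constructed)]LOG]!>'
    '<time="22:02:00.000+420" date="04-11-2023" component="SMS_DISTRIBUTION_MANAGER" '
    'context="" type="1" thread="5000" file="distmgr.cpp:10">\n'
    '<![LOG[Database upgrade failed (constructed)]LOG]!>'
    '<time="22:45:10.000+420" date="04-11-2023" component="ConfigMgrSetup" '
    'context="" type="3" thread="4120" file="dbupgrade.cpp:77">\n'
)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Point triage at the contents of ConfigMgrSetup.log after a test upgrade, or at distmgr.log while an update replicates; a non-empty errors list is the "fix any issues, then retest" case, and a stall entry is the signal to consider the update reset tool rather than waiting longer.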
Next steps
After the test database update completes successfully, discard the updated database. It
can't be used by a Configuration Manager site. You can then return to your active site
and begin the update installation.
If an update install fails, you shouldn't need to recover the site. Instead, you can retry
the update installation from within the console.
Flowchart - Download updates for Configuration Manager
Article • 10/04/2022
This data flow displays the process by which a site with an online service connection
point downloads in-console updates.
Flowchart - Update replication for Configuration Manager
Article • 10/04/2022
These data flows display the process by which an in-console update you select to install
replicates to additional sites. These flows also display the process of extracting the
update to run prerequisite checks and to install updates at a central administration site
and at primary sites.
Pre-release features in Configuration Manager
Article • 04/11/2023
Pre-release features are features that are in the current branch for early testing in a
production environment. These features are fully supported, but still in active
development. They might receive changes until they move out of the pre-release
category.
Give consent
Before using pre-release features, give consent to use pre-release features. Giving
consent is a one-time action per hierarchy that you can't undo. Until you give consent,
you can't enable new pre-release features included with updates. After you turn on a
pre-release feature, you can't turn it off.
3. On the General tab of Hierarchy Settings Properties, enable the option to Consent
to use pre-release features.
Optionally, wait to enable pre-release features later from the Features node under
Updates and Servicing in the Administration workspace. Select a feature, and then
select Turn on in the ribbon. Until you give consent, this option isn't available for use.
If you haven't given consent
In the Updates and Servicing Wizard, pre-release features are visible but you can't
enable them. After the update is installed, these features are visible in the Features
node. However, you can't enable them until you give consent.
Important
In a multi-site hierarchy, you can only enable optional or pre-release features from
the central administration site. This behavior ensures there are no conflicts across
the hierarchy.
If you gave consent at a stand-alone primary site, and then expand the hierarchy by
installing a new central administration site, you must give consent again at the
central administration site.
When you enable a pre-release feature, the Configuration Manager hierarchy manager
(HMAN) must process the change before that feature becomes available. Processing of
the change is often immediate. Depending on the HMAN processing cycle, it can take
up to 30 minutes to complete. After the change is processed, restart the console before
using the feature.
Cloud management gateway with virtual machine scale set: added as a pre-release feature in version 2010; made generally available in version 2107.
Tip
For more information on non-pre-release features that you must enable first, see
Enable optional features from updates.
For more information on features that are only available in the technical preview
branch, see Technical Preview.
Service windows for site servers
Article • 10/04/2022
To control when in-console updates can install, configure service windows. You can add
service windows at the central administration site (CAS) and primary sites. Each site can
have multiple service windows. The site determines when it can install an update by the
combination of all service windows that it has.
Tip
A service window is for a site server. A maintenance window is for a client. For more
information, see How to use maintenance windows.
Default behavior
When you don't configure a service window:
On your top-tier site, you choose when to start the update installation. The top-tier
site is either the CAS or a stand-alone primary site.
On a secondary site, updates never start automatically. After the parent primary
site updates, manually start the update from the console.
When you configure a service window:
On your top-tier site, you can't start the installation of any new update from the console until the time is in the service window. Even with a service window, the site still automatically downloads updates so they're ready to install.
On a child primary site, an update from the CAS downloads to the primary site, but
doesn't automatically start. You can't manually start the install of an update outside
of a service window. When service windows no longer block update installation,
the primary site automatically starts the update installation.
Secondary sites don't support service windows, and don't automatically install
updates. After the parent primary site updates, manually start the update from the
console.
2. Select the site server where you want to configure a service window.
5. To add a new service window, select the new button (gold asterisk).
6. In the Schedule window, specify a name to describe the service window. This name
helps you identify the service window in the console.
7. Configure the date, time, and recurrence pattern as necessary for this site.
After you create a service window, use the edit and delete buttons to make changes.
Next steps
Install in-console updates
Use the service connection tool for Configuration Manager
Article • 10/04/2022
Use the service connection tool when your service connection point is in offline mode.
You can also use it when your Configuration Manager site system servers aren't
connected to the internet. The tool can help you keep your site up to date with the
latest updates to Configuration Manager.
When you run the tool, it connects to the Configuration Manager cloud service, uploads
usage information for your hierarchy, and downloads updates. Uploading usage data is
necessary to enable the cloud service to provide the correct updates for your
environment.
Prerequisites
The site has a service connection point, and you configure it for an Offline, on-demand connection.
You run the tool from the service connection point and a computer that can connect to the internet. Each of these computers needs a 64-bit (x64) OS and the following components:
Both the Visual C++ Redistributable x86 and x64 files. By default, Configuration
Manager installs the x64 version on the computer that hosts the service
connection point. To download this component, see Visual C++ Redistributable
Packages for Visual Studio 2013.
Starting in version 2107, this tool requires .NET version 4.6.2, and version 4.8 is
recommended. In version 2103 and earlier, this tool requires .NET 4.5.2 or later.
For more information, see Site and site system prerequisites.
The account you use to run the tool needs the following permissions:
Local administrator on the computer that hosts the service connection point
Overview
1. Prepare: Run the tool on the service connection point. It puts your usage data into
a .cab file at the location you specify. Copy the data file to the computer with an
internet connection.
2. Connect: Run the tool on the computer with an internet connection. It uploads
your usage data, and then downloads Configuration Manager updates. Copy the
downloaded updates to the service connection point.
You can upload multiple data files at one time, each from a different hierarchy. You
can also specify a proxy server and a user for the proxy server.
3. Import: Run the tool on the service connection point. It imports the updates, and
adds them to your site. You can then view and install those updates in the
Configuration Manager console.
When you run the tool to upload data to Microsoft, you specify the folder that
contains the data files.
When you run the tool to import data, the tool only imports the data for that
hierarchy.
To modify this behavior, use one of the following parameters to change what files it downloads:
-downloadall: Download all updates, including updates and hotfixes, whatever the version of your site.
-downloadhotfix: Download only hotfixes, whatever the version of your site.
-downloadsiteversion: Download only updates and hotfixes that have a later version than the version of your site.
Tip
The tool determines the version of your site from the data file. To verify the version,
look in the .cab file for the text file named with the site version.
Copy the ServiceConnectionTool folder with all of its contents to the computer with an
internet connection.
In this procedure, the command-line examples use the following file names and folder
locations. You don't need to use these paths and file names. You can use alternatives
that match your environment and preferences.
The path to the Configuration Manager installation media source files on the
service connection point: C:\Source
The path to a USB drive where you store the data to transfer between computers:
D:\USB\
The name of the data file that you export from the site: UsageData.cab
The name of the empty folder where the tool stores downloaded updates for
Configuration Manager: UpdatePacks
Prepare
1. On the computer that hosts the service connection point, open a command
prompt as an administrator, and change directory to the tool location. For
example:
cd C:\Source\SMSSETUP\TOOLS\ServiceConnectionTool\
Note
If you'll upload data files from more than one hierarchy at the same time, give
each data file a unique name. If necessary, you can rename files later.
The data in the file is based on the level of diagnostic and usage data that you
configure for the site. For more information, see Overview of diagnostics and
usage data. You can use the tool to export the data to a CSV file to view the
contents. For more information, see -export.
3. After the tool finishes exporting the usage data, copy the data file to a computer
that has access to the internet.
Connect
1. On the computer with internet access, open a command prompt as an
administrator, and change directory to the tool location. This location is a copy of
the entire ServiceConnectionTool folder. For example:
cd D:\USB\ServiceConnectionTool\
2. Run the following command to upload the data file and download the
Configuration Manager updates:
D:\USB\UpdatePacks
Note
When you run this command line, you might see the following error:
You can safely ignore this error. Close the error window to continue.
3. After the tool finishes downloading the updates, copy them to the service
connection point.
Import
1. On the computer that hosts the service connection point, open a command
prompt as an administrator, and change directory to the tool location. For
example:
cd C:\Source\SMSSETUP\TOOLS\ServiceConnectionTool\
3. After the import completes, close the command prompt. It only imports updates
for the applicable hierarchy.
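The three phases above wrapped in one script, as an added example that is not part of the Configuration Manager documentation or of the tool itself. It assumes the constructed paths used in the procedure (C:\Source on the service connection point, D:\USB for the transfer drive) and uses -usagedatasrc, the tool's parameter that names the folder holding the exported data file during the Connect phase.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Configuration Manager documentation.
# Runs one phase of the offline service connection tool procedure.
# Paths follow the constructed layout from the procedure above.
# -usagedatasrc is the tool's parameter for the folder that holds the
# exported data file(s) during the Connect phase.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Prepare', 'Connect', 'Import')]
    [string]$Phase,
    [string]$ToolPath = 'C:\Source\SMSSETUP\TOOLS\ServiceConnectionTool\ServiceConnectionTool.exe',
    [string]$UsbRoot = 'D:\USB',
    # Optional proxy settings, used only by the Connect phase
    [string]$ProxyServerUri,
    [string]$ProxyUserName
)

$toolDir = Split-Path -Parent $ToolPath
$toolLog = Join-Path $toolDir 'ServiceConnectionTool.log'
$dataCab = Join-Path $UsbRoot 'UsageData.cab'
$packDir = Join-Path $UsbRoot 'UpdatePacks'

if (-not (Test-Path -LiteralPath $ToolPath)) {
    throw "Service connection tool not found: $ToolPath"
}

# The tool replaces ServiceConnectionTool.log on every run, so keep the
# previous run's log under a timestamped name before it is overwritten.
if (Test-Path -LiteralPath $toolLog) {
    $stamp = (Get-Item -LiteralPath $toolLog).LastWriteTime.ToString('yyyyMMdd-HHmmss')
    Copy-Item -LiteralPath $toolLog -Destination "$toolLog.$stamp.bak"
}

switch ($Phase) {
    'Prepare' {
        # On the service connection point: export usage data to the transfer drive.
        $toolArgs = @('-prepare', '-usagedatadest', $dataCab)
    }
    'Connect' {
        # On the internet-connected computer: upload every data file in $UsbRoot,
        # then download only updates newer than the site version recorded in the .cab.
        if (-not (Test-Path -LiteralPath $dataCab)) {
            throw "No data file at $dataCab; run the Prepare phase first"
        }
        New-Item -ItemType Directory -Path $packDir -Force | Out-Null
        $toolArgs = @('-connect', '-usagedatasrc', $UsbRoot,
                      '-updatepackdest', $packDir, '-downloadsiteversion')
        if ($ProxyServerUri) { $toolArgs += '-proxyserveruri', $ProxyServerUri }
        if ($ProxyUserName)  { $toolArgs += '-proxyusername', $ProxyUserName }
    }
    'Import' {
        # Back on the service connection point: register the downloaded updates with the site.
        if (-not (Get-ChildItem -LiteralPath $packDir -ErrorAction SilentlyContinue)) {
            throw "No downloaded updates in $packDir; run the Connect phase first"
        }
        $toolArgs = @('-import', '-updatepacksrc', $packDir)
    }
}

Write-Verbose "Running: $ToolPath $($toolArgs -join ' ')"
Push-Location $toolDir        # the procedure runs the tool from its own folder
try     { & $ToolPath @toolArgs }
finally { Pop-Location }

Write-Host "Phase $Phase finished with exit code $LASTEXITCODE. Details: $toolLog"
if ($Phase -eq 'Connect') {
    # Per the Log files section, the Connect phase also writes a more detailed log
    # (downloaded files, hash check results) at the root of the system drive.
    Write-Host "Download and hash-check details: $env:SystemDrive\ConfigMgrSetup.log"
}
```

Run it with -Phase Prepare on the service connection point, -Phase Connect on the internet-connected computer, and -Phase Import back on the service connection point, copying D:\USB between the two computers in between.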
Log files
ServiceConnectionTool.log: Each time you run the service connection tool, it writes
to this log file. The path of the log file is always the same location as the tool. This
log file provides simple details about the tool usage based on the parameters you
use. Each time you run the tool, the tool replaces any existing log file.
ConfigMgrSetup.log: During the Connect phase, the tool writes to this log file at
the root of the system drive. This log file provides more detailed information. For
example, what files the tool downloads, and if the hash checks are successful.
Command-line parameters
This section lists in alphabetical order all of the available parameters for the service
connection tool.
-connect
Use during the Connect phase on the computer with internet access. It connects to the
Configuration Manager cloud service to upload the data file, and download updates.
-dest
A required parameter with the -export parameter to specify the path and file name of
the CSV file to export. For more information, see -export.
-downloadall
An optional parameter with the -connect parameter to download everything, including
updates and hotfixes, whatever the version of your site. For more information, see -connect.
-downloadhotfix
An optional parameter with the -connect parameter to only download all hotfixes,
whatever the version of your site. For more information, see -connect.
-downloadsiteversion
An optional parameter with the -connect parameter to only download updates and
hotfixes that have a later version than the version of your site. For more information, see
-connect.
-export
Use during the Prepare phase to export usage data to a CSV file. Run it as an
administrator on the service connection point. This action lets you review the contents
of the usage data before you upload to Microsoft. It requires the -dest parameter to
specify the location of the CSV file.
Example of export
ServiceConnectionTool.exe -export -dest D:\USB\usagedata.csv
-import
Use during the Import phase on the service connection point to import the updates to
the site. It requires the -updatepacksrc parameter to specify the location of the
downloaded updates.
Example of import
ServiceConnectionTool.exe -import -updatepacksrc D:\USB\UpdatePacks
-prepare
Use during the Prepare phase on the service connection point to export usage data
from the site. It requires the -usagedatadest parameter to specify the location of the
exported data file.
Example of prepare
ServiceConnectionTool.exe -prepare -usagedatadest D:\USB\UsageData.cab
-proxyserveruri
An optional parameter with the -connect parameter to specify the FQDN of your proxy
server. For more information, see -connect.
-proxyusername
An optional parameter with the -connect parameter to specify the username to
authenticate with your proxy server. For more information, see -connect.
-updatepackdest
A required parameter with the -connect parameter to specify a path for the downloaded
updates. For more information, see -connect.
-updatepacksrc
A required parameter with the -import parameter to specify a path of the downloaded
updates. For more information, see -import.
-usagedatadest
A required parameter with the -prepare parameter to specify a path and file name of
the exported data file. For more information, see -prepare.
Next steps
Install in-console updates
Some updates for Configuration Manager aren't available from the Microsoft cloud
service and are only obtained out-of-band. An example is a limited release hotfix to
address a specific issue.
When you must install an out-of-band release, and the update or hotfix file name ends
with the extension update.exe, you use the update registration tool. This tool imports
the update to the Configuration Manager console. It enables you to extract and transfer
the update package to the site server, and register the update with the Configuration
Manager console.
If the hotfix file only has the .exe file extension (not update.exe), use the hotfix installer
to install the update.
Note
This article provides general guidance about how to install hotfixes that update
Configuration Manager. For details about a specific hotfix or update, refer to the
corresponding hotfix article.
Prerequisites
This tool only installs out-of-band updates that end with the full .update.exe file
extension.
It is self-contained with the individual updates that you get directly from Microsoft.
Run it on the server with the service connection point site system role.
Starting in version 2107, the service connection point requires .NET version 4.6.2,
and version 4.8 is recommended. In version 2103 and earlier, this role requires .NET
4.5.2 or later. For more information, see Site and site system prerequisites.
When you run the tool on the service connection point, the account that you use
needs the following configurations:
A local Administrator
Process
1. On the computer that hosts the service connection point, open a command
prompt with administrative privileges. Then change directories to the location that
contains the update file. The update file name uses the following format:
<Product>-<product version>-<KB article ID>-ConfigMgr.Update.exe
2. Run the following command to start the update registration tool: <Product>-<product version>-<KB article ID>-ConfigMgr.Update.exe
After the hotfix is registered, it appears as a new update in the console within 24
hours. To accelerate this process: in the Configuration Manager console, go to
Administration workspace, and select the Updates and Servicing node. In the
ribbon, select Check for Updates.
The update registration tool logs its actions to a .log file on the local computer.
The log file has the same name as the hotfix file and is in the %SystemRoot%/Temp
folder.
After the update is registered, you can close the update registration tool.
Next steps
Install in-console updates
Use the Hotfix Installer to install updates for Configuration Manager
Article • 10/04/2022
Some updates for Configuration Manager aren't available from the Microsoft cloud
service. These updates are available out-of-band. An example is a limited release hotfix
to address a specific issue.
When you need to install an update that you get from Microsoft:
If the update has the simple file extension .exe: Use the hotfix installer that's
included with that download. Install the update directly to the Configuration
Manager site server.
If the hotfix file has the .update.exe file extension: Use the update registration tool
to import hotfixes to Configuration Manager.
Overview
Hotfixes for Configuration Manager are similar to updates for other Microsoft products,
such as SQL Server. They contain either one individual fix or a bundle, which is a rollup
of fixes.
If you plan to create deployments to install updates on other computers, install the
update bundle on a central administration site (CAS) server or primary site server.
When you run the update bundle, the following process happens:
It extracts the update files for each applicable component from the update bundle.
Starts a wizard that guides you through a process to configure the updates and
deployment options for the updates.
After you complete the wizard, the updates in the bundle that apply to the site
server are installed on the site server.
The wizard also creates deployments that you can use to install the updates on other
computers. Deploy the updates to other computers by using a supported deployment
method. For example, a software deployment package or System Center Updates
Publisher.
When the wizard runs, it creates a .cab file on the site server for use with Updates
Publisher. Optionally, you can configure the wizard to also create one or more packages
for software deployment. You can use these deployments to install updates on
components, such as clients or the Configuration Manager console. You can also install
updates manually on computers that don't run the Configuration Manager client.
CAS
Primary site
Secondary site
Note
Updates for site system roles are installed as part of the update for site servers.
They are serviced by the site component manager. This behavior includes updates
for the site database and the cloud management gateway (CMG).
Each update bundle for Configuration Manager is a self-extractable .exe file (SFX). This
file contains the files that are necessary to install the update on the applicable
components of Configuration Manager. Typically, the SFX file can contain the following
files:
File and details:
<Product version>-QFE-KB<KB article ID>-<platform>-<language>.exe: This file is the update. The command line for this file is managed by Updatesetup.exe. For example: CM1511RTM-QFE-KB123456-X64-ENU.exe
Updatesetup.exe: This MSI wrapper manages the installation of the update bundle. When you run the update, Updatesetup.exe detects the display language of the computer where it runs. By default, the user interface for the update is in English. However, when the display language is supported, the user interface displays in the computer's local language.
License_<language>.rtf: When applicable, each update contains one or more license files for supported languages.
By default, the update bundle logs its actions to a .log file on the site server. The log file
has the same name as the update bundle and is written to the %SystemRoot%/Temp folder.
When you run the update bundle, it extracts a file with the same name as the update
bundle to a temporary folder on the computer, and then runs Updatesetup.exe.
Updatesetup.exe starts the software update wizard.
As applicable to the scope of the update, the wizard creates a series of folders under the
Configuration Manager installation folder on the site server. The folder structure is
similar to the following example: \Hotfix\<KB Number>\<Update Type>\<Platform>
The following table provides details about the folders in the folder structure:
<Update type>: This folder is the type of update for Configuration Manager. The wizard creates a separate folder for each type of update in the bundle. They include the following types:
- Server: Includes updates to site servers, site database servers, and SMS Providers. The wizard also creates a folder named SCUP, which contains the .cab file for Updates Publisher.
<Platform>: This folder is platform-specific. It contains update files that are specific to a type of processor. These folders include: x64 and I386.
After you install the update bundle on a site server, you can then update other
components for Configuration Manager. The following table describes update actions
for these various components:
Component and instructions:
Site server: Deploy updates to a remote site server when you don't choose to install the update bundle directly on that remote site server.
Site database: For remote site servers, deploy server updates that include an update to the site database if you don't install the update bundle directly on that remote site server.
Configuration Manager console: After initial installation of the Configuration Manager console, you can install updates for the console on each computer that runs it. You can't modify the console installation files to apply the updates during the initial installation of the console.
Remote SMS Provider: Install updates for each instance of the SMS Provider that runs on a computer other than the site server where you installed the update bundle.
Configuration Manager clients: After initial installation of the Configuration Manager client, you can install updates for the Configuration Manager client on each computer that runs the client.
Note
You can deploy updates only to computers that run the Configuration Manager
client.
If you reinstall a client, Configuration Manager console, or SMS Provider, also reinstall
the updates for these components.
Update servers
Updates for servers can include updates for sites, the site database, and computers that
run an instance of the SMS Provider.
Update a site
To update a Configuration Manager site, you can install the update bundle directly on
the site server. You can also deploy the updates to a site server after you install the
update bundle on a different site.
When you install an update on a site server, the update installation process manages
other actions that are required to apply the update, such as updating site system roles.
The exception is the site database. The next section contains information about how to
update the site database.
Note
When you choose to automatically update the site database, the process updates the database regardless of whether the database is located on the site server or on a remote computer.
Important
Before you update the site database, create a backup of the site database. You can't
uninstall an update to the site database. For information about how to create a
backup for Configuration Manager, see Backup and recovery for Configuration
Manager.
If you choose not to automatically update the site database when you install the update
bundle on the site server, the server update doesn't modify the database on the site
server where the update bundle runs. However, deployments that use the package that
is created for software deployment or that installs always update the site database.
Warning
When the update includes updates to both the site server and the site database,
the update isn't functional until the update is completed for both the site server
and site database. Until the update is applied to the site database, the site is in an
unsupported state.
3. Run the update script named update.sql on that site's database. For information
about how to run a script to update a SQL Server database, see the documentation
for the version of SQL Server that you use for your site database server.
Tip
If you remove and then reinstall the SMS Provider on a computer, reinstall the update
for the SMS Provider on that computer.
Update clients
When you install an update that includes updates for the Configuration Manager client,
you can automatically upgrade clients with the update installation, or manually upgrade
clients at a later time. For more information about automatic client upgrade, see How to
upgrade clients for Windows computers.
You can deploy updates with Updates Publisher or a software deployment package. You
can also manually install the update on each client. For more information about how to
use deployments to install updates, see Deploy updates for Configuration Manager.
Important
When you install updates for clients and the update bundle includes updates for
servers, install the server updates on the primary site to which the clients are
assigned.
To manually install the client update, run Msiexec.exe on each Configuration Manager
client. Include the platform-specific client update MSP file in the command line. For
example, you can use the following command line for a client update:
msiexec.exe /p \\<ServerName>\SMS_<SiteCode>\Hotfix\<KB Number>\Client\<Platform>\
Important
When you install updates for the Configuration Manager console, and the update
bundle includes updates for servers, also install the server updates on the site that
you use with the Configuration Manager console.
If the computer that you update runs the Configuration Manager client:
You can use a deployment to install the update. For more information about how
to use deployments to install updates, see Deploy updates for Configuration
Manager.
To manually install the Configuration Manager console update, run Msiexec.exe. Include
the Configuration Manager console update MSP file in the command line. For example,
you can use the following command line to update a Configuration Manager console:
Important
The SCUPCatalog.cab file is created by using paths that are specific to the site
server where the update bundle is installed. It can't be used on other site servers.
After the wizard is finished, import the catalog to Updates Publisher. Then use software
updates to deploy the updates. For more information, see System Center Updates
Publisher.
2. On the Import Type page of the Import Software Updates Catalog Wizard, select
Specify the path to the catalog to import. Then specify the SCUPCatalog.cab file.
4. In the Security Warning - Catalog Validation window, select Accept. Close the
wizard after it's finished.
5. Select the update that you want to deploy, and then select Publish.
6. On the Publish Options page of the Publish Software Updates Wizard, select Full
Content, and then select Next.
The package for servers contains updates for the following components:
Site server
SMS Provider
Site database
Next, on the Configure Software Update Deployment Method page of the wizard,
select the option I will use software distribution.
After the wizard is finished, view the packages in the Configuration Manager console. Go
to the Packages node in the Software Library workspace. Use your standard process to
deploy software packages to Configuration Manager clients. When a package runs on a
client, it installs the updates to the applicable components of Configuration Manager on
the client computer.
For more information about how to deploy packages to Configuration Manager clients,
see Packages and programs.
Component of Configuration Manager and instructions:
CAS server: Create a direct membership query and add the CAS server.
All primary site servers: Create a direct membership query and add each primary site server.
All secondary site servers: Create a direct membership query and add each secondary site server.
All x86 clients: Create a collection with the following query criteria:
Select * from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM.SystemType = "X86-based PC"
All x64 clients: Create a collection with the following query criteria:
Select * from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM.SystemType = "X64-based PC"
All computers that run the Configuration Manager console: Create a direct membership query and add each computer.
Note
To update a site database, deploy the update to the site server for that site.
When you use the current branch of Configuration Manager, you can install the in-console update for version 2303 to update your hierarchy from a previous version.
Version 2303 will also be available as baseline media soon after global availability of the
in-console update, so you can use the installation media to install the first site of a new
hierarchy.
To get the update for version 2303, you must use a service connection point at the top-level site of your hierarchy. This site system role can be in online or offline mode. To
download the update when your service connection point is offline, use the service
connection tool.
After your hierarchy downloads the update package from Microsoft, find it in the
console. In the Administration workspace, select the Updates and Servicing node.
When the update is listed as Available, the update is ready to install. Before
installing version 2303, review the following information about installing update
2303 and the pre-update checklist for configurations to make before starting the
update.
If the update displays as Downloading and doesn't change, review the hman.log
and dmpdownloader.log for errors.
Another common download issue occurs when proxy server settings prevent
downloads from required internet endpoints.
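A function for the log review just described, as an added example that is not part of the Configuration Manager documentation: it pulls the error entries out of files such as hman.log and dmpdownloader.log. It assumes the standard Configuration Manager log line layout (the one CMTrace reads), where type 1 is informational, 2 is a warning and 3 is an error, and it runs here over constructed sample lines.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Returns the error entries from Configuration Manager log files such as
# hman.log and dmpdownloader.log, so a stuck "Downloading" update can be
# triaged without reading the whole log. Assumes the standard log line layout:
#   <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="..." file="...">
# where type 1 = informational, 2 = warning, 3 = error.
function Get-CMLogError {
    [CmdletBinding()]
    param(
        # Log lines, as returned by Get-Content
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Line,
        # Lowest severity to return: 3 = errors only, 2 = warnings and errors
        [ValidateRange(1, 3)][int]$MinType = 3
    )
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)".*?type="(?<type>\d)"'
    foreach ($l in $Line) {
        # Entries whose message spans several physical lines do not match this
        # single-line pattern and are skipped.
        if ($l -match $pattern -and [int]$Matches.type -ge $MinType) {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Type      = [int]$Matches.type
                Message   = $Matches.msg
            }
        }
    }
}

# Constructed sample lines in the layout above (not real log output).
$sample = @(
    '<![LOG[Starting download cycle]LOG]!><time="09:00:01.000+000" date="04-11-2023" component="SMS_DMP_DOWNLOADER" context="" type="1" thread="4120" file="dmpdownloader.cpp:100">',
    '<![LOG[Proxy returned 407 while contacting the update endpoint (constructed)]LOG]!><time="09:00:02.000+000" date="04-11-2023" component="SMS_DMP_DOWNLOADER" context="" type="3" thread="4120" file="dmpdownloader.cpp:220">',
    '<![LOG[Retrying in 60 seconds]LOG]!><time="09:00:03.000+000" date="04-11-2023" component="SMS_DMP_DOWNLOADER" context="" type="2" thread="4120" file="dmpdownloader.cpp:230">'
)
# Returns only the type="3" entry from the constructed sample
Get-CMLogError -Line $sample | Format-Table -AutoSize

# Against a real site server, read the log from the Logs folder under the
# Configuration Manager installation directory (placeholder path):
# Get-CMLogError -Line (Get-Content '<ConfigMgrInstallDir>\Logs\dmpdownloader.log') -MinType 2
```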
For more information about installing updates, see In-console updates and servicing.
For more information about current branch versions, see Baseline and update versions.
Child primary sites install the update automatically after the CAS finishes the
installation of the update. You can use service windows to control when a site
installs the update. For more information, see Service windows for site servers.
Manually update each secondary site from within the Configuration Manager
console after the primary parent site finishes the update installation. Automatic
update of secondary site servers isn't supported.
Important
When you install an update at the CAS, be aware of the following limitations and
delays that exist until all child primary sites also complete the update installation:
Client upgrades don't start. This includes automatic updates of clients and
pre-production clients. Additionally, you can't promote pre-production clients
to production until the last site completes the update installation. After the
last site completes the update installation, client updates begin based on your
configuration choices.
New features you enable with the update aren't available. This behavior is to
prevent the CAS replicating data related to that feature to a site that hasn't
yet installed support for that feature. After all primary sites install the update,
the feature is available for use.
Replication links between the CAS and child primary sites display as not
upgraded. This state displays in the update installation status as Completed
with warning for monitoring replication initialization. In the Monitoring
workspace of the console, this state displays as Link is being configured.
Pre-update checklist
This value is optional. You can specify it as a convenient reminder of your license
expiration date. This date is visible when you install future updates. You might have
previously specified this value during setup or installation of an update. You can also
specify this value in the Configuration Manager console. In the Administration
workspace, expand Site Configuration, and select Sites. Select Hierarchy Settings in the
ribbon, and switch to the Licensing tab.
This installation can put the site system server into a reboot pending state and report
errors to the Configuration Manager component status viewer. .NET applications on the
server might experience random failures until you restart the server.
For more information including how to manage restarts, see Site and site system
prerequisites.
If you update the site before you update the Windows ADK, see Update distribution
points with the boot image.
Database replication
For database replication, to help resolve issues before you start the update, use the
Replication Link Analyzer (RLA). For more information, see Monitor database
replication.
If there's a backlog, wait until it clears out. If the backlog is large, such as millions of
records, then the link is in a bad state. Before updating the site, solve the replication
issue. If you need further assistance, contact Microsoft Support.
File-based replication
For file-based replication, check all inboxes for a backlog on both sending and receiving
sites. If there are lots of stuck or pending replication jobs, wait until they clear out.
When a site database maintenance task runs during the update installation, the update
installation can fail. Before you disable a task, record the schedule of the task so you can
restore its configuration after the update has been installed.
For more information, see Maintenance tasks and Reference for maintenance tasks.
When you customize hardware inventory classes, note their configuration before you
install the update.
For more information, see Upgrade clients and How to test client upgrades in a pre-production collection.
Note
When you update to version 2107 or later, clients with PKI certificates will recreate
self-signed certificates, but don't reregister with the site. Clients without a PKI
certificate will reregister with the site, which can cause extra processing at the site.
Make sure that your process to update clients allows for randomization. If you
simultaneously update lots of clients, it may cause a backlog on the site server.
Note
Starting in version 2111, third-party add-ons that use Microsoft .NET Framework
and rely on Configuration Manager libraries also need to use .NET 4.6.2 or later. For
more information, see External dependencies require .NET 4.6.2.
Feature-specific documentation may include information about known issues that affect
core scenarios.
To run a prerequisite check from the console, go to the Administration workspace, and
select Updates and Servicing. Select the Configuration Manager 2303 update package,
and select Run prerequisite check in the ribbon.
For more information, see the section to Run the prerequisite checker before installing
an update in Before you install an in-console update.
Important
When the prerequisite checker runs, the process updates some product source files
that are used for site maintenance tasks. After running the prerequisite checker, but
before installing the update, if you need to do a site maintenance task, run
Setupwpf.exe (Configuration Manager Setup) from the CD.Latest folder on the site
server.
Update sites
You're now ready to start the update installation for your hierarchy. For more
information about installing the update, see Install in-console updates.
You may plan to install the update outside of normal business hours. Determine when
the process will have the least effect on your business operations. Installing the update
and its actions reinstall site components and site system roles.
Post-update checklist
After the site updates, use the following checklist to complete common tasks and
configurations.
When you customize hardware inventory classes, review their configuration after you
install the update to make sure they are configured as you intend.
Update clients
Update clients per the plan you created, especially if you configured client piloting
before installing the update. For more information, see How to upgrade clients for
Windows computers.
Third-party extensions
If you use any extensions to Configuration Manager, update them to a version that
supports and is compatible with Configuration Manager version 2303.
When you update the site, Configuration Manager automatically updates the default
boot images. It doesn't automatically distribute the updated content to distribution
points. Use the Update Distribution Points action on specific boot images when you're
ready to distribute this content across your network.
Note
For default boot images, the site always uses the current version of the
Configuration Manager client that matches the site's version. Even if you configure
automatic client upgrades to use a pre-production collection, that feature doesn't
apply to boot images.
After updating the site, manually update any custom boot images. This action updates
the boot image with the latest client components if necessary, optionally reloads it with
the current Windows PE version, and redistributes the content to the distribution points.
For more information, see Update distribution points with the boot image.
For more information, see Configuration Manager PowerShell cmdlets: Update help.
Next steps
Review the release notes. This article can be updated regularly, especially right after a
new current branch release. You can use RSS to be notified when this page is updated.
For more information, see How to use the docs.
Checklist for installing update 2211 for
Configuration Manager
Article • 12/19/2022
When you use the current branch of Configuration Manager, you can install the in-
console update for version 2211 to update your hierarchy from a previous version.
To get the update for version 2211, you must use a service connection point at the top-
level site of your hierarchy. This site system role can be in online or offline mode. To
download the update when your service connection point is offline, use the service
connection tool.
After your hierarchy downloads the update package from Microsoft, find it in the
console. In the Administration workspace, select the Updates and Servicing node.
When the update is listed as Available, the update is ready to install. Before
installing version 2211, review the following information about installing update
2211 and the pre-update checklist for configurations to make before starting the
update.
If the update displays as Downloading and doesn't change, review the hman.log
and dmpdownloader.log for errors.
Another common download issue occurs when proxy server settings prevent
downloads from required internet endpoints.
For more information about installing updates, see In-console updates and servicing.
For more information about current branch versions, see Baseline and update versions.
Sites
Install update 2211 at the top-level site of your hierarchy. Start the installation from your
central administration site (CAS) or from your stand-alone primary site. After the update
is installed at the top-level site, child sites have the following update behavior:
Child primary sites install the update automatically after the CAS finishes the
installation of the update. You can use service windows to control when a site
installs the update. For more information, see Service windows for site servers.
Manually update each secondary site from within the Configuration Manager
console after the primary parent site finishes the update installation. Automatic
update of secondary site servers isn't supported.
Important
When you install an update at the CAS, be aware of the following limitations and
delays that exist until all child primary sites also complete the update installation:
Client upgrades don't start. This includes automatic updates of clients and
pre-production clients. Additionally, you can't promote pre-production clients
to production until the last site completes the update installation. After the
last site completes the update installation, client updates begin based on your
configuration choices.
New features you enable with the update aren't available. This behavior is to
prevent the CAS replicating data related to that feature to a site that hasn't
yet installed support for that feature. After all primary sites install the update,
the feature is available for use.
Replication links between the CAS and child primary sites display as not
upgraded. This state displays in the update installation status as Completed
with warning for monitoring replication initialization. In the Monitoring
workspace of the console, this state displays as Link is being configured.
Pre-update checklist
This value is optional. You can specify it as a convenient reminder of your license
expiration date. This date is visible when you install future updates. You might have
previously specified this value during setup or installation of an update. You can also
specify this value in the Configuration Manager console. In the Administration
workspace, expand Site Configuration, and select Sites. Select Hierarchy Settings in the
ribbon, and switch to the Licensing tab.
This installation can put the site system server into a reboot pending state and report
errors to the Configuration Manager component status viewer. .NET applications on the
server might experience random failures until you restart the server.
For more information including how to manage restarts, see Site and site system
prerequisites.
If you update the site before you update the Windows ADK, see Update distribution
points with the boot image.
Database replication
For database replication, to help resolve issues before you start the update, use the
Replication Link Analyzer (RLA). For more information, see Monitor database
replication.
If there's a backlog, wait until it clears out. If the backlog is large, such as millions of
records, then the link is in a bad state. Before updating the site, solve the replication
issue. If you need further assistance, contact Microsoft Support.
File-based replication
For file-based replication, check all inboxes for a backlog on both sending and receiving
sites. If there are lots of stuck or pending replication jobs, wait until they clear out.
When a site database maintenance task runs during the update installation, the update
installation can fail. Before you disable a task, record the schedule of the task so you can
restore its configuration after the update has been installed.
For more information, see Maintenance tasks and Reference for maintenance tasks.
When you customize hardware inventory classes, note their configuration before you
install the update.
For more information, see Upgrade clients and How to test client upgrades in a pre-
production collection.
Note
When you update to version 2107 or later, clients with PKI certificates will recreate
self-signed certificates, but don't reregister with the site. Clients without a PKI
certificate will reregister with the site, which can cause extra processing at the site.
Make sure that your process to update clients allows for randomization. If you
simultaneously update lots of clients, it may cause a backlog on the site server.
Tip
Note
Starting in version 2111, third-party add-ons that use Microsoft .NET Framework
and rely on Configuration Manager libraries also need to use .NET 4.6.2 or later. For
more information, see External dependencies require .NET 4.6.2.
Feature-specific documentation may include information about known issues that affect
core scenarios.
To run a prerequisite check from the console, go to the Administration workspace, and
select Updates and Servicing. Select the Configuration Manager 2211 update package,
and select Run prerequisite check in the ribbon.
For more information, see the section to Run the prerequisite checker before installing
an update in Before you install an in-console update.
Important
When the prerequisite checker runs, the process updates some product source files
that are used for site maintenance tasks. After running the prerequisite checker, but
before installing the update, if you need to do a site maintenance task, run
Setupwpf.exe (Configuration Manager Setup) from the CD.Latest folder on the site
server.
Update sites
You're now ready to start the update installation for your hierarchy. For more
information about installing the update, see Install in-console updates.
You may plan to install the update outside of normal business hours. Determine when
the process will have the least effect on your business operations. Installing the update
and its actions reinstall site components and site system roles.
Post-update checklist
After the site updates, use the following checklist to complete common tasks and
configurations.
When you customize hardware inventory classes, review their configuration after you
install the update to make sure they are configured as you intend.
Update clients
Update clients per the plan you created, especially if you configured client piloting
before installing the update. For more information, see How to upgrade clients for
Windows computers.
Third-party extensions
If you use any extensions to Configuration Manager, update them to a version that
supports and is compatible with Configuration Manager version 2211.
When you update the site, Configuration Manager automatically updates the default
boot images. It doesn't automatically distribute the updated content to distribution
points. Use the Update Distribution Points action on specific boot images when you're
ready to distribute this content across your network.
Note
For default boot images, the site always uses the current version of the
Configuration Manager client that matches the site's version. Even if you configure
automatic client upgrades to use a pre-production collection, that feature doesn't
apply to boot images.
After updating the site, manually update any custom boot images. This action updates
the boot image with the latest client components if necessary, optionally reloads it with
the current Windows PE version, and redistributes the content to the distribution points.
For more information, see Update distribution points with the boot image.
For more information, see Configuration Manager PowerShell cmdlets: Update help.
Next steps
Review the release notes. This article can be updated regularly, especially right after a
new current branch release. You can use RSS to be notified when this page is updated.
For more information, see How to use the docs.
Checklist for installing update 2207 for
Configuration Manager
Article • 10/04/2022
When you use the current branch of Configuration Manager, you can install the in-
console update for version 2207 to update your hierarchy from a previous version.
To get the update for version 2207, you must use a service connection point at the top-
level site of your hierarchy. This site system role can be in online or offline mode. To
download the update when your service connection point is offline, use the service
connection tool.
After your hierarchy downloads the update package from Microsoft, find it in the
console. In the Administration workspace, select the Updates and Servicing node.
When the update is listed as Available, the update is ready to install. Before
installing version 2207, review the following information about installing update
2207 and the pre-update checklist for configurations to make before starting the
update.
If the update displays as Downloading and doesn't change, review the hman.log
and dmpdownloader.log for errors.
Another common download issue occurs when proxy server settings prevent
downloads from required internet endpoints.
For more information about installing updates, see In-console updates and servicing.
For more information about current branch versions, see Baseline and update versions.
Sites
Install update 2207 at the top-level site of your hierarchy. Start the installation from your
central administration site (CAS) or from your stand-alone primary site. After the update
is installed at the top-level site, child sites have the following update behavior:
Child primary sites install the update automatically after the CAS finishes the
installation of the update. You can use service windows to control when a site
installs the update. For more information, see Service windows for site servers.
Manually update each secondary site from within the Configuration Manager
console after the primary parent site finishes the update installation. Automatic
update of secondary site servers isn't supported.
Important
When you install an update at the CAS, be aware of the following limitations and
delays that exist until all child primary sites also complete the update installation:
Client upgrades don't start. This includes automatic updates of clients and
pre-production clients. Additionally, you can't promote pre-production clients
to production until the last site completes the update installation. After the
last site completes the update installation, client updates begin based on your
configuration choices.
New features you enable with the update aren't available. This behavior is to
prevent the CAS replicating data related to that feature to a site that hasn't
yet installed support for that feature. After all primary sites install the update,
the feature is available for use.
Replication links between the CAS and child primary sites display as not
upgraded. This state displays in the update installation status as Completed
with warning for monitoring replication initialization. In the Monitoring
workspace of the console, this state displays as Link is being configured.
At this time, version 2207 is released for the early update ring. To install this update, you
need to opt in. The following PowerShell script adds your hierarchy or standalone
primary site to the early update ring for version 2207:
Microsoft digitally signs the script, and bundles it inside a signed self-extracting
executable.
Note
The version 2207 update is only applicable to sites running version 2103 or later.
3. Check for updates. For more information, see Get available updates.
Important
This script only adds your site to the early update ring for version 2207. It's not a
permanent change.
Pre-update checklist
This value is optional. You can specify it as a convenient reminder of your license
expiration date. This date is visible when you install future updates. You might have
previously specified this value during setup or installation of an update. You can also
specify this value in the Configuration Manager console. In the Administration
workspace, expand Site Configuration, and select Sites. Select Hierarchy Settings in the
ribbon, and switch to the Licensing tab.
This installation can put the site system server into a reboot pending state and report
errors to the Configuration Manager component status viewer. .NET applications on the
server might experience random failures until you restart the server.
For more information including how to manage restarts, see Site and site system
prerequisites.
Review the version of the Windows ADK
The version of the Windows Assessment and Deployment Kit (ADK) should be
supported for Configuration Manager version 2207. For more information, see Support
for the Windows ADK. If you need to update the Windows ADK, do so before you begin
the update of Configuration Manager. This order makes sure the default boot images
are automatically updated to the latest version of Windows PE. Manually update any
custom boot images after updating the site.
If you update the site before you update the Windows ADK, see Update distribution
points with the boot image.
Database replication
For database replication, to help resolve issues before you start the update, use the
Replication Link Analyzer (RLA). For more information, see Monitor database
replication.
If there's a backlog, wait until it clears out. If the backlog is large, such as millions of
records, then the link is in a bad state. Before updating the site, solve the replication
issue. If you need further assistance, contact Microsoft Support.
File-based replication
For file-based replication, check all inboxes for a backlog on both sending and receiving
sites. If there are lots of stuck or pending replication jobs, wait until they clear out.
When a site database maintenance task runs during the update installation, the update
installation can fail. Before you disable a task, record the schedule of the task so you can
restore its configuration after the update has been installed.
For more information, see Maintenance tasks and Reference for maintenance tasks.
For example, you add custom entries to the osdinjection.xml file in the bin\X64 folder
of your Configuration Manager installation directory. After you update Configuration
Manager, these customizations don't persist. Reapply your customizations.
For more information, see Upgrade clients and How to test client upgrades in a pre-
production collection.
Note
When you update to version 2107 or later, clients with PKI certificates will recreate
self-signed certificates, but don't reregister with the site. Clients without a PKI
certificate will reregister with the site, which can cause extra processing at the site.
Make sure that your process to update clients allows for randomization. If you
simultaneously update lots of clients, it may cause a backlog on the site server.
Tip
Note
Starting in version 2111, third-party add-ons that use Microsoft .NET Framework
and rely on Configuration Manager libraries also need to use .NET 4.6.2 or later. For
more information, see External dependencies require .NET 4.6.2.
Feature-specific documentation may include information about known issues that affect
core scenarios.
To run a prerequisite check from the console, go to the Administration workspace, and
select Updates and Servicing. Select the Configuration Manager 2207 update package,
and select Run prerequisite check in the ribbon.
For more information, see the section to Run the prerequisite checker before installing
an update in Before you install an in-console update.
Important
When the prerequisite checker runs, the process updates some product source files
that are used for site maintenance tasks. After running the prerequisite checker, but
before installing the update, if you need to do a site maintenance task, run
Setupwpf.exe (Configuration Manager Setup) from the CD.Latest folder on the site
server.
Update sites
You're now ready to start the update installation for your hierarchy. For more
information about installing the update, see Install in-console updates.
You may plan to install the update outside of normal business hours. Determine when
the process will have the least effect on your business operations. Installing the update
and its actions reinstall site components and site system roles.
Post-update checklist
After the site updates, use the following checklist to complete common tasks and
configurations.
Consider restarting remote site systems that don't successfully update at first. Review
your site infrastructure and make sure that applicable site servers and remote site
system servers successfully restarted. Typically, site servers restart only when
Configuration Manager installs .NET as a prerequisite for a site system role.
When you customize hardware inventory classes, review their configuration after you
install the update to make sure they are configured as you intend.
Restore user state from active deployments
If you have any active user state migrations, before you update the Configuration
Manager client on those devices, restore the user state. Due to changes to the
encryption algorithm in version 2103, the updated client will fail to restore the user state
when it tries to use a different encryption algorithm.
Update clients
Update clients per the plan you created, especially if you configured client piloting
before installing the update. For more information, see How to upgrade clients for
Windows computers.
Third-party extensions
If you use any extensions to Configuration Manager, update them to a version that
supports and is compatible with Configuration Manager version 2207.
When you update the site, Configuration Manager automatically updates the default
boot images. It doesn't automatically distribute the updated content to distribution
points. Use the Update Distribution Points action on specific boot images when you're
ready to distribute this content across your network.
Note
For default boot images, the site always uses the current version of the
Configuration Manager client that matches the site's version. Even if you configure
automatic client upgrades to use a pre-production collection, that feature doesn't
apply to boot images.
After updating the site, manually update any custom boot images. This action updates
the boot image with the latest client components if necessary, optionally reloads it with
the current Windows PE version, and redistributes the content to the distribution points.
For more information, see Update distribution points with the boot image.
For more information, see Configuration Manager PowerShell cmdlets: Update help.
Next steps
Review the release notes. This article can be updated regularly, especially right after a
new current branch release. You can use RSS to be notified when this page is updated.
For more information, see How to use the docs.
Checklist for installing update 2203 for
Configuration Manager
Article • 10/04/2022
When you use the current branch of Configuration Manager, you can install the in-
console update for version 2203 to update your hierarchy from a previous version.
Version 2203 will also be available as baseline media soon after global availability of the
in-console update, so you can use the installation media to install the first site of a new
hierarchy.
To get the update for version 2203, you must use a service connection point at the top-
level site of your hierarchy. This site system role can be in online or offline mode. To
download the update when your service connection point is offline, use the service
connection tool.
After your hierarchy downloads the update package from Microsoft, find it in the
console. In the Administration workspace, select the Updates and Servicing node.
When the update is listed as Available, the update is ready to install. Before
installing version 2203, review the following information about installing update
2203 and the pre-update checklist for configurations to make before starting the
update.
If the update displays as Downloading and doesn't change, review the hman.log
and dmpdownloader.log for errors.
Another common download issue occurs when proxy server settings prevent
downloads from required internet endpoints.
For more information about installing updates, see In-console updates and servicing.
For more information about current branch versions, see Baseline and update versions.
Child primary sites install the update automatically after the CAS finishes the
installation of the update. You can use service windows to control when a site
installs the update. For more information, see Service windows for site servers.
Manually update each secondary site from within the Configuration Manager
console after the primary parent site finishes the update installation. Automatic
update of secondary site servers isn't supported.
Important
When you install an update at the CAS, be aware of the following limitations and
delays that exist until all child primary sites also complete the update installation:
Client upgrades don't start. This includes automatic updates of clients and
pre-production clients. Additionally, you can't promote pre-production clients
to production until the last site completes the update installation. After the
last site completes the update installation, client updates begin based on your
configuration choices.
New features you enable with the update aren't available. This behavior is to
prevent the CAS replicating data related to that feature to a site that hasn't
yet installed support for that feature. After all primary sites install the update,
the feature is available for use.
Replication links between the CAS and child primary sites display as not
upgraded. This state displays in the update installation status as Completed
with warning for monitoring replication initialization. In the Monitoring
workspace of the console, this state displays as Link is being configured.
Pre-update checklist
This value is optional. You can specify it as a convenient reminder of your license
expiration date. This date is visible when you install future updates. You might have
previously specified this value during setup or installation of an update. You can also
specify this value in the Configuration Manager console. In the Administration
workspace, expand Site Configuration, and select Sites. Select Hierarchy Settings in the
ribbon, and switch to the Licensing tab.
This installation can put the site system server into a reboot pending state and report
errors to the Configuration Manager component status viewer. .NET applications on the
server might experience random failures until you restart the server.
For more information including how to manage restarts, see Site and site system
prerequisites.
If you update the site before you update the Windows ADK, see Update distribution
points with the boot image.
Database replication
For database replication, to help resolve issues before you start the update, use the
Replication Link Analyzer (RLA). For more information, see Monitor database
replication.
If there's a backlog, wait until it clears out. If the backlog is large, such as millions of
records, then the link is in a bad state. Before updating the site, solve the replication
issue. If you need further assistance, contact Microsoft Support.
File-based replication
For file-based replication, check all inboxes for a backlog on both sending and receiving
sites. If there are lots of stuck or pending replication jobs, wait until they clear out.
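The file-based replication check above (the same step appears in the 2303, 2211 and 2207 checklists earlier on this page) asks you to look at every inbox on both the sending and the receiving site server. The following PowerShell function is an added example, not code from the Configuration Manager documentation: it counts the files in each inbox folder and flags any inbox at or above a threshold, so you can see a backlog and its age before starting the update. It assumes the site server's installation directory is recorded in the Installation Directory value under HKLM\SOFTWARE\Microsoft\SMS\Identification, where Setup writes it; pass -InboxRoot explicitly if you want to point it elsewhere.

```powershell
# Added example (not from the Configuration Manager docs): report the file count
# and oldest file per inbox so a file-based replication backlog is visible
# before a site update. Run it on the sending and on the receiving site server.

function Get-CMInboxBacklog {
    [CmdletBinding()]
    param(
        # Root of the inbox tree; defaults to <Installation Directory>\inboxes
        [string]$InboxRoot,
        # Inboxes holding at least this many files are flagged as backlogged
        [int]$Threshold = 1000
    )

    if (-not $InboxRoot) {
        # Assumption: Setup records the install path in this registry value
        $id = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Identification' -ErrorAction Stop
        $InboxRoot = Join-Path $id.'Installation Directory' 'inboxes'
    }
    $InboxRoot = $InboxRoot.TrimEnd('\')

    # Walk every inbox folder, including nested ones such as auth\ddm.box\regreq
    Get-ChildItem -Path $InboxRoot -Directory -Recurse | ForEach-Object {
        $files  = @(Get-ChildItem -Path $_.FullName -File -ErrorAction SilentlyContinue)
        $oldest = $null
        if ($files.Count -gt 0) {
            $oldest = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        }
        [pscustomobject]@{
            Inbox      = $_.FullName.Substring($InboxRoot.Length).TrimStart('\')
            Files      = $files.Count
            OldestFile = $oldest
            Backlogged = ($files.Count -ge $Threshold)
        }
    } | Sort-Object Files -Descending
}

# Usage: show only the inboxes that exceed the threshold
# Get-CMInboxBacklog -Threshold 500 | Where-Object Backlogged | Format-Table -AutoSize
```

A backlog that shrinks between two runs a few minutes apart is draining and you can wait for it; one whose oldest file keeps getting older is stuck and is the case the checklist tells you to resolve before updating.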
When a site database maintenance task runs during the update installation, the update
installation can fail. Before you disable a task, record the schedule of the task so you can
restore its configuration after the update has been installed.
For more information, see Maintenance tasks and Reference for maintenance tasks.
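The maintenance-task step above (repeated in the 2303, 2211 and 2207 checklists) tells you to record each task's schedule before disabling it so that you can restore the configuration after the update. The following functions are an added example, not code from the Configuration Manager documentation or the ConfigurationManager PowerShell module itself. They use the module's Get-CMSiteMaintenanceTask and Set-CMSiteMaintenanceTask cmdlets and the well-known pattern for loading the module from the console's install path. Assumptions: the console is installed on the machine you run this from, the TaskName, Enabled, BeginTime, LatestBeginTime and DaysOfWeek properties of the returned task objects are the ones you want to keep, and the site code, provider machine name and export path shown in the usage lines are placeholders. The restore step re-enables exactly the tasks that were enabled when the record was taken; the saved JSON keeps the other schedule fields so you can compare them with the console afterwards.

```powershell
# Added example (not from the Configuration Manager docs): record site
# maintenance task state to JSON, disable the enabled tasks for the update
# window, then re-enable the same tasks once the update has installed.

function Connect-CMSiteDrive {
    param([string]$SiteCode, [string]$ProviderMachineName)
    # The console sets SMS_ADMIN_UI_PATH; the module lives one folder up from it
    Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
    if (-not (Get-PSDrive -Name $SiteCode -PSProvider CMSite -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderMachineName | Out-Null
    }
    Set-Location "$($SiteCode):"
}

function Export-CMMaintenanceTaskState {
    param([string]$SiteCode, [string]$Path)
    # Assumption: these are the schedule fields exposed on the task objects
    $tasks = Get-CMSiteMaintenanceTask -SiteCode $SiteCode |
        Select-Object TaskName, Enabled, BeginTime, LatestBeginTime, DaysOfWeek
    $tasks | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
    $tasks
}

function Disable-CMMaintenanceTaskForUpdate {
    param([string]$SiteCode, [string]$Path)
    # Record first, then disable only the tasks that are currently enabled
    Export-CMMaintenanceTaskState -SiteCode $SiteCode -Path $Path |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            Set-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $_.TaskName -Enabled $false
        }
}

function Restore-CMMaintenanceTaskState {
    param([string]$SiteCode, [string]$Path)
    # Put the Enabled flag back to what the record says for every task
    $saved = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($t in $saved) {
        Set-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $t.TaskName -Enabled ([bool]$t.Enabled)
    }
}

# Usage (site code, server name and path are placeholders):
# Connect-CMSiteDrive -SiteCode 'PS1' -ProviderMachineName 'siteserver.contoso.example'
# Disable-CMMaintenanceTaskForUpdate -SiteCode 'PS1' -Path 'C:\Temp\maintenance-tasks.json'
# ... install the update ...
# Restore-CMMaintenanceTaskState -SiteCode 'PS1' -Path 'C:\Temp\maintenance-tasks.json'
```

Keep the JSON file with the rest of your change record: it is the evidence of what the site's maintenance schedule looked like before the update if a task later appears to have changed.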
When you customize hardware inventory classes, note their configuration before you
install the update.
For more information, see Upgrade clients and How to test client upgrades in a pre-
production collection.
Note
When you update to version 2107 or later, clients with PKI certificates will recreate
self-signed certificates, but don't reregister with the site. Clients without a PKI
certificate will reregister with the site, which can cause extra processing at the site.
Make sure that your process to update clients allows for randomization. If you
simultaneously update lots of clients, it may cause a backlog on the site server.
Tip
Note
Starting in version 2111, third-party add-ons that use Microsoft .NET Framework
and rely on Configuration Manager libraries also need to use .NET 4.6.2 or later. For
more information, see External dependencies require .NET 4.6.2.
Feature-specific documentation may include information about known issues that affect
core scenarios.
To run a prerequisite check from the console, go to the Administration workspace, and
select Updates and Servicing. Select the Configuration Manager 2203 update package,
and select Run prerequisite check in the ribbon.
For more information, see the section to Run the prerequisite checker before installing
an update in Before you install an in-console update.
Important
When the prerequisite checker runs, the process updates some product source files
that are used for site maintenance tasks. After running the prerequisite checker, but
before installing the update, if you need to do a site maintenance task, run
Setupwpf.exe (Configuration Manager Setup) from the CD.Latest folder on the site
server.
Update sites
You're now ready to start the update installation for your hierarchy. For more
information about installing the update, see Install in-console updates.
You may plan to install the update outside of normal business hours. Determine when
the process will have the least effect on your business operations. Installing the update
and its actions reinstall site components and site system roles.
Post-update checklist
After the site updates, use the following checklist to complete common tasks and
configurations.
When you customize hardware inventory classes, review their configuration after you
install the update to make sure they are configured as you intend.
Update clients
Update clients per the plan you created, especially if you configured client piloting
before installing the update. For more information, see How to upgrade clients for
Windows computers.
Third-party extensions
If you use any extensions to Configuration Manager, update them to a version that
supports and is compatible with Configuration Manager version 2203.
When you update the site, Configuration Manager automatically updates the default
boot images. It doesn't automatically distribute the updated content to distribution
points. Use the Update Distribution Points action on specific boot images when you're
ready to distribute this content across your network.
Note
For default boot images, the site always uses the current version of the
Configuration Manager client that matches the site's version. Even if you configure
automatic client upgrades to use a pre-production collection, that feature doesn't
apply to boot images.
After updating the site, manually update any custom boot images. This action updates
the boot image with the latest client components if necessary, optionally reloads it with
the current Windows PE version, and redistributes the content to the distribution points.
For more information, see Update distribution points with the boot image.
For more information, see Configuration Manager PowerShell cmdlets: Update help.
Next steps
Review the release notes. This article can be updated regularly, especially right after a
new current branch release. You can use RSS to be notified when this page is updated.
For more information, see How to use the docs.
Checklist for installing update 2111 for
Configuration Manager
Article • 10/04/2022
When you use the current branch of Configuration Manager, you can install the in-
console update for version 2111 to update your hierarchy from a previous version.
To get the update for version 2111, you must use a service connection point at the top-
level site of your hierarchy. This site system role can be in online or offline mode. To
download the update when your service connection point is offline, use the service
connection tool.
After your hierarchy downloads the update package from Microsoft, find it in the
console. In the Administration workspace, select the Updates and Servicing node.
When the update is listed as Available, the update is ready to install. Before
installing version 2111, review the following information about installing update
2111 and the pre-update checklist for configurations to make before starting the
update.
If the update displays as Downloading and doesn't change, review the hman.log
and dmpdownloader.log for errors.
Another common download issue occurs when proxy server settings prevent
downloads from required internet endpoints.
For more information about installing updates, see In-console updates and servicing.
For more information about current branch versions, see Baseline and update versions.
Sites
Install update 2111 at the top-level site of your hierarchy. Start the installation from your
central administration site (CAS) or from your stand-alone primary site. After the update
is installed at the top-level site, child sites have the following update behavior:
Child primary sites install the update automatically after the CAS finishes the
installation of the update. You can use service windows to control when a site
installs the update. For more information, see Service windows for site servers.
Manually update each secondary site from within the Configuration Manager
console after the primary parent site finishes the update installation. Automatic
update of secondary site servers isn't supported.
Important
When you install an update at the CAS, be aware of the following limitations and
delays that exist until all child primary sites also complete the update installation:
Client upgrades don't start. This includes automatic updates of clients and
pre-production clients. Additionally, you can't promote pre-production clients
to production until the last site completes the update installation. After the
last site completes the update installation, client updates begin based on your
configuration choices.
New features you enable with the update aren't available. This behavior is to
prevent the CAS replicating data related to that feature to a site that hasn't
yet installed support for that feature. After all primary sites install the update,
the feature is available for use.
Replication links between the CAS and child primary sites display as not
upgraded. This state displays in the update installation status as Completed
with warning for monitoring replication initialization. In the Monitoring
workspace of the console, this state displays as Link is being configured.
Pre-update checklist
This value is optional. You can specify it as a convenient reminder of your license
expiration date. This date is visible when you install future updates. You might have
previously specified this value during setup or installation of an update. You can also
specify this value in the Configuration Manager console. In the Administration
workspace, expand Site Configuration, and select Sites. Select Hierarchy Settings in the
ribbon, and switch to the Licensing tab.
This installation can put the site system server into a reboot pending state and report
errors to the Configuration Manager component status viewer. .NET applications on the
server might experience random failures until you restart the server.
For more information including how to manage restarts, see Site and site system
prerequisites.
If you update the site before you update the Windows ADK, see Update distribution
points with the boot image.
Database replication
For database replication, to help resolve issues before you start the update, use the
Replication Link Analyzer (RLA). For more information, see Monitor database
replication.
If there's a backlog, wait until it clears out. If the backlog is large, such as millions of
records, then the link is in a bad state. Before updating the site, solve the replication
issue. If you need further assistance, contact Microsoft Support.
File-based replication
For file-based replication, check all inboxes for a backlog on both sending and receiving
sites. If there are lots of stuck or pending replication jobs, wait until they clear out.
When a site database maintenance task runs during the update installation, the update
installation can fail. Before you disable a task, record the schedule of the task so you can
restore its configuration after the update has been installed.
For more information, see Maintenance tasks and Reference for maintenance tasks.
When you customize hardware inventory classes, note their configuration before you
install the update.
For more information, see Upgrade clients and How to test client upgrades in a pre-
production collection.
Note
When you update to version 2107 or later, clients with PKI certificates will recreate
self-signed certificates, but don't reregister with the site. Clients without a PKI
certificate will reregister with the site, which can cause extra processing at the site.
Make sure that your process to update clients allows for randomization. If you
simultaneously update lots of clients, it may cause a backlog on the site server.
Note
Starting in version 2111, third-party add-ons that use Microsoft .NET Framework
and rely on Configuration Manager libraries also need to use .NET 4.6.2 or later. For
more information, see External dependencies require .NET 4.6.2.
Feature-specific documentation may include information about known issues that affect
core scenarios.
To run a prerequisite check from the console, go to the Administration workspace, and
select Updates and Servicing. Select the Configuration Manager 2111 update package,
and select Run prerequisite check in the ribbon.
For more information, see the section to Run the prerequisite checker before installing
an update in Before you install an in-console update.
Important
When the prerequisite checker runs, the process updates some product source files
that are used for site maintenance tasks. After running the prerequisite checker, but
before installing the update, if you need to do a site maintenance task, run
Setupwpf.exe (Configuration Manager Setup) from the CD.Latest folder on the site
server.
Update sites
You're now ready to start the update installation for your hierarchy. For more
information about installing the update, see Install in-console updates.
You may plan to install the update outside of normal business hours. Determine when
the process will have the least effect on your business operations. Installing the update
and its actions reinstall site components and site system roles.
Post-update checklist
After the site updates, use the following checklist to complete common tasks and
configurations.
When you customize hardware inventory classes, review their configuration after you
install the update to make sure they are configured as you intend.
Update clients
Update clients per the plan you created, especially if you configured client piloting
before installing the update. For more information, see How to upgrade clients for
Windows computers.
Third-party extensions
If you use any extensions to Configuration Manager, update them to a version that
supports and is compatible with Configuration Manager version 2111.
When you update the site, Configuration Manager automatically updates the default
boot images. It doesn't automatically distribute the updated content to distribution
points. Use the Update Distribution Points action on specific boot images when you're
ready to distribute this content across your network.
Note
For default boot images, the site always uses the current version of the
Configuration Manager client that matches the site's version. Even if you configure
automatic client upgrades to use a pre-production collection, that feature doesn't
apply to boot images.
After updating the site, manually update any custom boot images. This action updates
the boot image with the latest client components if necessary, optionally reloads it with
the current Windows PE version, and redistributes the content to the distribution points.
For more information, see Update distribution points with the boot image.
For more information, see Configuration Manager PowerShell cmdlets: Update help.
Next steps
Review the release notes. This article can be updated regularly, especially right after a
new current branch release. You can use RSS to be notified when this page is updated.
For more information, see How to use the docs.
Support for Configuration Manager
current branch versions
Article • 10/04/2022
Microsoft plans to release updates for Configuration Manager current branch a few
times per year. Each update version remains in support for 18 months from its general
availability release date. Microsoft provides technical support for the entire period of
support. There are two distinct servicing phases that depend on the availability of the
latest current branch version:
Security and Critical Updates servicing phase - When running the latest current
branch version of Configuration Manager, you receive both Security and Critical
Updates.
Security Updates (Only) servicing phase - After the release of a new current
branch version, Microsoft only supports security updates to older versions for the
remainder of that version's support lifecycle.
Note
The latest current branch version is always in the Security and Critical Updates
servicing phase. This support statement means that if you encounter a code defect
that warrants a critical update, you must have the latest current branch version
installed in order to receive a fix. All other supported current branch versions are
eligible to receive only security updates.
All support ends after the 18-month lifecycle has expired for a current branch
version.
For example, version 2203 releases in April 2022. Microsoft provides security and critical
updates to that version for four months, through July 2022. It then switches to only
security updates for the remaining 14 months of its support lifecycle, through
September 2023.
Prepare backup and recovery approaches to avoid data loss. For Configuration Manager
sites, a backup and recovery approach can help you to recover sites and hierarchies
more quickly, and with the least data loss.
The sections in this article can help you back up your sites. To recover a site, see
Recovery for Configuration Manager.
Warning
The two backup methods supported for Configuration Manager site recovery are:
Configuration Manager can recover the site database from the Configuration
Manager backup task. It can also use a backup of the site database that you create
with another process.
For example, you can restore the site database from a backup that's created as
part of a SQL Server maintenance plan. You can also use a backup that's created by
using Data Protection Manager to back up your site database.
You can also install an additional site server in passive mode. The site server in
passive mode is in addition to your existing site server in active mode. A site server
in passive mode is available for immediate use, when needed. For more
information, see Site server high availability. While this role doesn't remove the
need to plan for and practice backup and recovery operations, it significantly
reduces the effort to recover a site when necessary.
Using Data Protection Manager to back up your site
database
You can use System Center Data Protection Manager (DPM) to back up your
Configuration Manager site database.
Create a new protection group in DPM for the site database computer. On the Select
Group Members page of the Create New Protection Group Wizard, you select the SMS
Writer service from the data source list. Then select the site database as an appropriate
member. For more information about using DPM, see the Data Protection Manager
documentation library.
Important
Configuration Manager doesn't support DPM backup for a SQL Server Always On
failover cluster instance that uses a named instance. It does support DPM backup
on a failover cluster instance that uses the default instance of SQL Server.
After you restore the site database, follow the steps in setup to recover the site. To use
the site database that you backed up with Data Protection Manager, select the recovery
option to Use a site database that has been manually recovered.
Runs on a schedule
Backs up the site database
Backs up specific registry keys
Backs up specific folders and files
Backs up the CD.Latest folder
Plan to run the default site backup task at a minimum of every five days. This schedule is
because Configuration Manager uses a SQL Server change tracking retention period of
five days. For more information, see SQL Server change tracking retention period.
To simplify the backup process, you can create an AfterBackup.bat file. This script
automatically runs post-backup actions after the backup task completes successfully.
Use the AfterBackup.bat file to archive the backup snapshot to a secure location. You
can also use the AfterBackup.bat file to copy files to your backup folder, or to start other
backup tasks.
You can back up a central administration site and primary site. Secondary sites or site
system servers don't have backup tasks.
When the Configuration Manager backup service runs, it follows the instructions defined
in the backup control file:
<ConfigMgrInstallationFolder>\Inboxes\Smsbkup.box\Smsbkup.ctl. You can modify the
backup control file to change the behavior of the backup service.
Note
Site backup status information is written to the Smsbkup.log file. This file is created in
the destination folder that you specify in the properties of the Backup Site Server
maintenance task.
2. Select the site for which you want to enable the site backup maintenance task.
5. Select the option to Enable this task. Select Set Paths to specify the backup
destination. You have the following options:
Important
To help prevent tampering of the backup files, store the files in a secure
location. The most secure backup path is to a local drive, so you can set NTFS
file permissions on the folder. Configuration Manager doesn't encrypt the
backup data that's stored in the backup path.
Local drive on site server for site data and database: Specifies that the task
stores the backup files for the site and site database in the specified path on
the local disk drive of the site server. Create the local folder before the
backup task runs. The Local System account on the site server must have
Write NTFS file permissions to the local folder for the site server backup. The
Local System account on the computer that's running SQL Server must have
Write NTFS permissions to the folder for the site database backup.
Network path (UNC name) for site data and database: Specifies that the task
stores the backup files for the site and site database in the specified network
path. Create the share before the backup task runs. The computer account of
the site server must have Write NTFS and share permissions to the shared
network folder. If SQL Server is installed on another computer, the computer
account of the SQL Server must have the same permissions.
Local drives on site server and SQL Server: Specifies that the task stores the
backup files for the site in the specified path on the local drive of the site
server. The task stores the backup files for the site database in the specified
path on the local drive of the site database server. Create the local folders
before the backup task runs. The computer account of the site server must
have Write NTFS permissions to the folder that you create on the site server.
The computer account of the SQL Server must have Write NTFS permissions
to the folder that you create on the site database server. This option is
available only when the site database isn't installed on the site server.
Note
The option to browse to the backup destination is only available when you
specify the network path of the backup destination.
The folder name or share name that's used for the backup destination doesn't
support the use of Unicode characters.
6. Configure a schedule for the site backup task. Consider a backup schedule that's
outside active working hours. If you have a hierarchy, consider a schedule that runs
at least two times a week. If the site fails, this schedule ensures maximum data
retention.
When you run the Configuration Manager console on the same site server that
you're configuring for backup, the backup task uses local time for the schedule.
When you run the Configuration Manager console from another computer, the
backup task uses Coordinated Universal Time (UTC) for the schedule.
7. Choose whether to create an alert if the site backup task fails. When selected,
Configuration Manager creates a critical alert for the backup failure. You can review
these alerts in the Alerts node of the Monitoring workspace.
When you configure the backup task to create an alert when it fails, look for
backup failure alerts in the Alerts node of the Monitoring workspace.
errors. When site backup completes successfully, the log shows Backup completed
with message ID STATMSG: ID=5035.
Tip
When the backup maintenance task fails, restart the backup task by stopping
and restarting the SMS_SITE_BACKUP Windows service.
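The following PowerShell script is an added example, not part of the Configuration Manager documentation or product. It checks three things a practitioner wants to confirm after the Backup Site Server task runs: that the SMS_SITE_BACKUP service exists, that the backup destination folder has no access control entries for broad principals (the backup data is not encrypted, so the NTFS ACL is the only protection) while SYSTEM can write to it, and that the most recent Smsbkup.log in that folder records the "STATMSG: ID=5035" completion message. The backup path E:\ConfigMgr_Backup and the list of broad principals are assumptions; adjust them to your site.

```powershell
# Added example (not from the Configuration Manager docs): post-backup health check for the
# Backup Site Server maintenance task. The backup destination path is an assumption.
param(
    [string]$BackupPath = 'E:\ConfigMgr_Backup'   # assumed destination configured under Set Paths
)

$result = [ordered]@{ ServiceOk = $false; AclOk = $false; LogOk = $false; Findings = @() }

# 1. The backup runs as the SMS_SITE_BACKUP service; it must exist on the site server.
$svc = Get-Service -Name 'SMS_SITE_BACKUP' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $result.Findings += 'SMS_SITE_BACKUP service not found on this server.'
} else {
    $result.ServiceOk = $true
}

# 2. The backup data is stored unencrypted, so the folder ACL is the only access control.
#    Flag any Allow ACE for a broad principal (assumed list) and require SYSTEM to have Modify.
$broadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
if (Test-Path -LiteralPath $BackupPath) {
    $acl = Get-Acl -LiteralPath $BackupPath
    $bad = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $_.IdentityReference.Value
    }
    foreach ($ace in $bad) {
        $result.Findings += "Broad ACE on ${BackupPath}: $($ace.IdentityReference) has $($ace.FileSystemRights)."
    }
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $system = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    if (-not $system) {
        $result.Findings += 'SYSTEM lacks Modify on the backup folder; the task writes as Local System.'
    }
    $result.AclOk = (-not $bad) -and [bool]$system
} else {
    $result.Findings += "Backup path $BackupPath does not exist; create it before the task runs."
}

# 3. Smsbkup.log is written to the destination folder; a successful run logs STATMSG: ID=5035.
$log = Join-Path $BackupPath 'Smsbkup.log'
if (Test-Path -LiteralPath $log) {
    $tail = Get-Content -LiteralPath $log -Tail 200
    if ($tail -match 'STATMSG: ID=5035') {
        $result.LogOk = $true
    } else {
        $result.Findings += 'No "STATMSG: ID=5035" (backup completed) in the last 200 lines of Smsbkup.log.'
    }
} else {
    $result.Findings += "Smsbkup.log not found under $BackupPath; the task may not have run yet."
}

[pscustomobject]$result
```

Run the script in an elevated session on the site server after the scheduled backup time; a non-empty Findings list is the item to act on. Inherited ACEs are evaluated as well, which is intentional: a Users read entry inherited from the drive root exposes the backup just as a direct entry would.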
Keep multiple archives of the backup snapshot for the following reasons:
It's common for backup media to fail, get misplaced, or include only a partial
backup. Recovering a failed stand-alone primary site from an older backup is
better than recovering without any backup. For a site server in a hierarchy, the
backup must be in the SQL Server change tracking retention period, or the backup
isn't required.
A corruption in the site can go undetected for several backup cycles. You might
have to use a backup snapshot from before the site became corrupted. This reason
applies to a stand-alone primary site and to sites in a hierarchy where the backup
is in the SQL Server change tracking retention period.
The site might have no backup snapshot at all. For example, if the Backup Site
Server maintenance task fails. Because the backup task removes the previous
backup snapshot before it starts to back up the current data, there won't be a valid
backup snapshot.
The AfterBackup.bat file lets you archive the backup snapshot at the end of every
backup operation. It can automatically perform other post-backup tasks that aren't part
of the Backup Site Server maintenance task. The AfterBackup.bat file integrates the
archive and the backup operations, thereby ensuring that every new backup snapshot is
archived.
If the AfterBackup.bat file isn't present, the backup task skips it without effect on the
backup operation. To verify that the backup task successfully ran this script, go to the
Component Status node in the Monitoring workspace, and review the status messages
for SMS_SITE_BACKUP. When the task successfully starts the AfterBackup.bat command
file, you see message ID 5040.
Tip
To archive your site server backup files with AfterBackup.bat, you must use a copy
command tool in the batch file. One such tool is Robocopy in Windows Server. For
example, create the AfterBackup.bat file with the following command: Robocopy
E:\ConfigMgr_Backup \\ServerName\ShareName\ConfigMgr_Backup /MIR
Although the intended use of the AfterBackup.bat is to archive backup snapshots, you
can create an AfterBackup.bat file to run additional tasks at the end of every backup
operation.
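The script below is an added example and not part of the Configuration Manager documentation or product. It implements the archive step the tip describes with Robocopy, but copies each snapshot into its own date-stamped folder on the archive share and keeps only the newest few, which addresses the "keep multiple archives" guidance above: a failed copy never overwrites the previous good archive, and an older snapshot remains available if corruption went unnoticed for a cycle. The AfterBackup.bat file then reduces to one line that starts this script. The backup path, the share name, the script location and the retention count are assumptions.

```powershell
# Added example (not from the Configuration Manager docs): Archive-CMBackup.ps1
# AfterBackup.bat (assumed location E:\Scripts) contains the single line:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File E:\Scripts\Archive-CMBackup.ps1
param(
    [string]$Source      = 'E:\ConfigMgr_Backup',                      # backup destination (assumed)
    [string]$ArchiveRoot = '\\ServerName\ShareName\ConfigMgr_Backup',   # archive share (placeholder name)
    [int]$Keep           = 5,                                           # archives to retain (assumed)
    [string]$LogPath     = 'E:\ConfigMgr_Backup_Archive.log'            # script log (assumed)
)

# Each run gets its own dated folder, so a failed or partial copy never replaces a good archive.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $ArchiveRoot $stamp

# /MIR mirrors the snapshot into the new folder; /R and /W stop a transient share error
# from hanging the post-backup step; /LOG+ appends Robocopy's own output to the log file.
& robocopy.exe $Source $target /MIR /R:3 /W:10 /NP "/LOG+:$LogPath" | Out-Null
$rc = $LASTEXITCODE

# Robocopy exit codes below 8 mean the copy succeeded (bits 1, 2 and 4 are informational).
if ($rc -ge 8) {
    Add-Content -Path $LogPath -Value "$(Get-Date -Format s) ARCHIVE FAILED rc=$rc target=$target"
    exit $rc
}

# Prune: keep only the newest $Keep dated archives. The folder names sort chronologically.
Get-ChildItem -LiteralPath $ArchiveRoot -Directory |
    Where-Object { $_.Name -match '^\d{8}-\d{6}$' } |
    Sort-Object Name -Descending |
    Select-Object -Skip $Keep |
    Remove-Item -Recurse -Force

Add-Content -Path $LogPath -Value "$(Get-Date -Format s) ARCHIVE OK rc=$rc target=$target"
exit 0
```

The computer account of the site server needs write and delete permissions on the archive share, because the script runs in the context of the backup task. Keep the share as tightly permissioned as the local backup folder; the archived data is no more encrypted than the original snapshot.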
Important
For more information about backing up your custom reports in Reporting Services, see
Backup and Restore Operations for Reporting Services.
The package source files must be restored before you can update content on
distribution points. When you start a content update, Configuration Manager
copies new or modified files from the package source to the content library. It then
copies the files to associated distribution points. Run the following SQL query
against the site database to find the package source location for all packages and
applications: SELECT * FROM v_Package. You can identify the package source site by
looking at the first three characters of the package ID. For example, if the package
ID is CEN00001, the site code for the source site is CEN. When you restore the
package source files, they must be restored to the same location where they were
before the failure.
Verify that you include both the content library and package source files in your file
system backup for the site server.
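The following PowerShell is an added example, not part of the Configuration Manager documentation or product. It runs the v_Package query from the passage above through the Invoke-Sqlcmd cmdlet (SqlServer module), derives the source site code from the first three characters of each package ID, and groups the packages by the share or drive root of their source path, which gives the list of locations a file-system backup has to cover. The server\instance and database names are assumptions, and the PkgSourcePath column name is assumed to be the source path column of the view.

```powershell
# Added example (not from the Configuration Manager docs): report where package source files live
# so they can be included in the file-system backup. Server, instance and database are assumptions.
param(
    [string]$SqlServer = 'CMSQL01\INST01',   # assumed site database server\instance
    [string]$Database  = 'CM_CEN'            # assumed site database name
)

# The first three characters of a package ID are the site code of the site that created it.
# PkgSourcePath is assumed to be the source path column exposed by v_Package.
$query = @'
SELECT PackageID, Name, PkgSourcePath
FROM   v_Package
WHERE  PkgSourcePath IS NOT NULL AND PkgSourcePath <> ''
'@

$packages = Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $query

$rows = foreach ($p in $packages) {
    # Normalise the source to its share (\\server\share) or drive (X:) root so that
    # backup scope is planned per location rather than per package.
    if ($p.PkgSourcePath -match '^(\\\\[^\\]+\\[^\\]+)') {
        $root = $Matches[1]
    } elseif ($p.PkgSourcePath -match '^([A-Za-z]:)') {
        $root = $Matches[1]
    } else {
        $root = $p.PkgSourcePath
    }
    [pscustomobject]@{
        PackageID  = $p.PackageID
        SourceSite = $p.PackageID.Substring(0, 3)
        SourceRoot = $root
        Name       = $p.Name
    }
}

# One line per source site and root; the count shows how many packages depend on that location.
$rows | Group-Object SourceSite, SourceRoot | ForEach-Object {
    [pscustomobject]@{
        SourceSite = $_.Group[0].SourceSite
        SourceRoot = $_.Group[0].SourceRoot
        Packages   = $_.Count
    }
} | Sort-Object SourceSite, SourceRoot | Format-Table -AutoSize
```

Any root that appears in the output but not in the file-system backup job is a gap: after a recovery, the packages that reference it cannot be redistributed until the source files are restored to that exact location.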
2. Copy the database file to your backup destination. For example, if your backup
destination is E:\ConfigMgr_Backup, you could copy the Updates Publisher
database file to E:\ConfigMgr_Backup\SCUP.
Tip
When there's more than one database file on a computer, consider storing
the file in a subfolder that indicates the user profile associated with the
database file. For example, you could have one database file in
E:\ConfigMgr_Backup\SCUP\User1 and another database file in
E:\ConfigMgr_Backup\SCUP\User2.
2. Select the site system that hosts the state migration role. Then select State
migration point in the Site System Roles pane.
4. The folders that store the user state migration data are listed in the Folder details
section on the General tab.
Process
1. SMS Writer registers with the VSS service and binds to its interfaces and events.
2. When VSS broadcasts events, or if it sends specific notifications to the SMS Writer,
the SMS Writer responds to the notification and takes the appropriate action.
3. The SMS Writer reads the backup control file smsbkup.ctl located in
<ConfigMgrInstallationPath>\inboxes\smsbkup.box, and determines the files and
data to back up.
4. The SMS Writer builds metadata, which consists of various components including
specific data from the SMS registry key and subkeys.
b. VSS then sends the metadata to the requesting application, the Configuration
Manager Backup Manager.
5. Backup Manager selects the data to back up, and sends this data to the SMS
Writer via VSS.
6. The SMS Writer takes the appropriate steps to prepare for the backup.
a. It sends an event
c. It ensures that the Configuration Manager activities are frozen while the
snapshot is created.
8. After the snapshot is complete, the SMS Writer restarts services and activities.
The SMS Writer service is installed automatically. It must be running when the VSS
application requests a backup or restore.
Writer ID
The writer ID for the SMS Writer is 03ba67dd-dc6d-4729-a038-251f7018463b.
Permissions
The SMS Writer service must run under the Local System account.
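The following PowerShell is an added example and not part of the Configuration Manager documentation or product. It confirms the three facts stated in this section before a VSS-based backup is relied on: that a writer with the documented writer ID is registered with VSS (parsed from vssadmin list writers output), what state that writer reports, and that the SMS_SITE_VSS_WRITER service is running under the Local System account. The service name is taken from the list of site services earlier on this page; the regular expression over the vssadmin output is an assumption about its layout.

```powershell
# Added example (not from the Configuration Manager docs): verify SMS Writer registration and
# service identity. Run in an elevated session on the site server (vssadmin requires elevation).
$WriterId    = '03ba67dd-dc6d-4729-a038-251f7018463b'   # writer ID from the docs
$ServiceName = 'SMS_SITE_VSS_WRITER'                     # service name from the site services list

function Test-SmsWriter {
    $report = [ordered]@{
        Registered = $false; WriterState = $null
        ServiceRunning = $false; RunsAsLocalSystem = $false
    }

    # vssadmin prints one block per writer (name, Writer Id, Writer Instance Id, State, Last error).
    $text = (& vssadmin.exe list writers) -join "`n"
    # Find the block whose "Writer Id:" carries the SMS Writer ID and read that block's State line.
    $pattern = "Writer Id:\s*\{$WriterId\}[\s\S]*?State:\s*\[(\d+)\]\s*([^\r\n]+)"
    $m = [regex]::Match($text, $pattern, [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
    if ($m.Success) {
        $report.Registered  = $true
        $report.WriterState = $m.Groups[2].Value.Trim()   # "Stable" is expected between backups
    }

    # Win32_Service exposes both the run state and the logon account (StartName).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if ($svc) {
        $report.ServiceRunning    = ($svc.State -eq 'Running')
        $report.RunsAsLocalSystem = ($svc.StartName -eq 'LocalSystem')
    }
    [pscustomobject]$report
}

Test-SmsWriter
```

A writer that is missing from the vssadmin list, or a service that has been reconfigured to run as another account, means a VSS requester such as DPM cannot take a consistent snapshot of the site; fix that before relying on the backup.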
Next steps
After you create a backup, practice site recovery with that backup. This practice can help
you become familiar with the recovery process before you need to rely on it. It can also
help confirm the backup was successful for its intended purpose.
Recover a Configuration Manager site
Article • 10/04/2022
Run a Configuration Manager site recovery after a site fails or data loss occurs in the site
database. Repairing and resynchronizing data are the core tasks of a site recovery and
are required to prevent interruption of operations.
The sections in this article can help you recover a Configuration Manager site. To create
a backup, see Backup for Configuration Manager.
Important
This information applies only to site recovery scenarios. When you're upgrading
your on-premises infrastructure and not actively recovering a failed site, review the
information in the following articles:
Use a new server that meets the general and recovery requirements.
Format the disks, and reinstall the OS on the existing server. Make sure it meets
the general and recovery requirements.
SMS_DISCOVERY_DATA_MANAGER
SMS_EXECUTIVE
SMS_INBOX_MONITOR
SMS_INVENTORY_DATA_LOADER
SMS_LAN_SENDER
SMS_MP_FILE_DISPATCH_MANAGER
SMS_SCHEDULER
SMS_SITE_BACKUP
SMS_SITE_COMPONENT_MANAGER
SMS_SITE_SQL_BACKUP
SMS_SITE_VSS_WRITER
SMS_SOFTWARE_METERING_PROCESSOR
SMS_STATE_SYSTEM
SMS_STATUS_MANAGER
SMS_WSUS_SYNC_MANAGER
SMSvcHost 3.0.0.0
SMSvcHost 4.0.0.0
The server is now ready for the Configuration Manager restore procedure.
1. Back up the site database. Also back up any other supporting databases, like
WSUS.
2. Make sure to note the SQL Server name and instance name.
3. Manually delete the site database from the SQL Server.
4. Restart the SQL Server.
The server is now ready for the Configuration Manager restore procedure.
1. Back up the site database. Also back up any other supporting databases, like
WSUS.
2. Make a copy of the content library.
Warning
The following step - Uninstall the Configuration Manager site - should only be
performed on a stand-alone primary site, or a child primary site that is unable to
communicate over the network with the central administration site (CAS).
Uninstalling the site in a hierarchy results in the CAS losing the ability to
communicate with that child primary site, and the restore process will fail. For child
primary sites, instead follow the Clean an existing server for site server recovery
only steps above.
The server is now ready for the Configuration Manager restore procedure.
Don't change the SQL Server edition. Restoring a site database from Standard edition to
Enterprise edition isn't supported.
Database replicas
After you restore a site database that you configured for database replicas, reconfigure
each replica. Before you can use the database replicas, recreate both the publications
and subscriptions.
Note
When Configuration Manager setup detects an existing site on the server, you can
start a site recovery, but the recovery options for the site server are limited. For
example, if you run Setup on an existing site server, when you choose recovery, you
can recover the site database server, but the option to recover the site server is
disabled.
If you run setup from the Start menu on the site server, the Recover a site option
isn't available.
If you installed any updates from within the Configuration Manager console before
you made your backup, you can't reinstall the site by using setup from the
following locations:
Installation media
The Configuration Manager installation path
Then select the Recover a site option. You have the following recovery options for the
failed site server:
Use the same site code and site database name that you used when the failed site
was first installed.
You can reinstall the site on a new computer that runs a new OS version.
The server must use the same hostname and fully qualified domain name (FQDN)
of the original site server.
Use this option when you have a Configuration Manager backup of the site database
from before the database failure. The site creates this backup as part of the Backup Site
Server maintenance task. In a hierarchy, when restoring a primary site, the recovery
process retrieves from the CAS any changes made to the site database after the last
backup. When restoring the CAS, the recovery process retrieves these changes from a
reference primary site. When you recover the site database for a standalone primary site,
you lose site changes after the last backup.
When you recover the site database for a site in a hierarchy, the recovery behavior is
different for a CAS and primary site. The behavior is also different when the last backup
is inside or outside of the SQL Server change tracking retention period. For more
information, see the Site database recovery scenarios section in this article.
Note
If you select to restore the site database by using a backup set, but the site
database already exists, the recovery fails.
Configuration Manager can recover the site database from any of the following
processes:
After you restore the site database by using a method outside Configuration
Manager, run Setup, and select this option to complete the site database
recovery.
Note
When you use DPM to back up your site database, use the DPM
procedures to restore the site database to a specified location before you
continue the restore process in Configuration Manager. For more
information about DPM, see the Data Protection Manager documentation
library.
In a hierarchy, when you recover a primary site database, the recovery process
retrieves from the CAS any changes made to the site database after the last
backup. When restoring the CAS, the recovery process retrieves these changes
from a reference primary site. When you recover the site database for a standalone
primary site, you lose site changes after the last backup.
For more information about SQL Server change tracking internals, see the following
blog posts from the SQL Server team: Change Tracking Cleanup - part 1 and Change
Tracking Cleanup - part 2.
Global data: The changes in global data after the backup are replicated from all
primary sites.
Site data: The changes in site data after the backup are replicated from all
primary sites.
Global data: The CAS reinitializes the global data from the reference primary
site if you specify it. Then all other primary sites reinitialize the global data from
the CAS. If you don't specify a reference site, all primary sites reinitialize the
global data from the CAS. This data is what you restored from backup.
Site data: The CAS reinitializes the site data from each primary site.
Global data: The changes in global data after the backup are replicated from
the CAS.
Site data: The CAS reinitializes the site data from the primary site. Changes after
the backup are lost. Clients regenerate most data when they send information
to the primary site.
Global data: The primary site reinitializes the global data from the CAS.
Site data: The CAS reinitializes the site data from the primary site. Changes after
the backup are lost. Clients regenerate most data when they send information
to the primary site.
Site recovery procedures
Use one of the following procedures to help you recover your site server and site
database:
2. On the Getting Started page, select Recover a site, and then select Next.
3. Complete the wizard by using the options that are appropriate for your site
recovery.
During the recovery, setup identifies the SQL Server Service Broker (SSB) port
used by the SQL Server. Don't change this port setting during recovery or
data replication won't work properly after the recovery completes.
You can specify the original or a new path to use for the Configuration
Manager installation in the setup wizard.
2. Run Configuration Manager setup by using the /script command-line option. For
example, you create a setup initialization file ConfigMgrUnattend.ini. You save it in
the C:\Temp directory of the computer on which you're running setup. Use the
following command:
Note
After you recover a CAS, replication of some site data from child sites can fail to be
established. This data can include hardware inventory, software inventory, and
status messages.
Post-recovery tasks
After you recover your site, there are several post-recovery tasks to consider before your
site recovery is complete. Use the following sections to help you complete your site
recovery process.
1. Open the Configuration Manager console and connect to the recovered site.
a. Select the account from the list identified after site recovery.
c. On the General tab, select Set, and then reenter the password for the account.
d. Select Verify, choose the appropriate data source for the selected user account,
and then select Test connection. This step tests that the user account can
connect to the data source, and verifies the credentials.
e. Select OK to save the password changes, and then select OK to close the
account properties page.
Reenter PXE passwords
1. In the Configuration Manager console, go to the Administration workspace, and
select the Distribution Points node. Any on-premises distribution point with Yes in
the PXE column is enabled for PXE and may have a password to reenter.
4. If the option to Require a password when computers use PXE is enabled, enter
and confirm the password.
Repeat this process for any other PXE-enabled on-premises distribution point.
Apply Windows Settings: If you enable and specify the local administrator
password, reenter and confirm the password.
Apply Network Settings: For the account that has permission to join the
domain, select Set. Enter and confirm the password, and then select Verify.
Capture Operating System Image: For the account used to access the
destination, select Set. Enter and confirm the password, and then select
Verify.
Enable BitLocker: If you use the key management option TPM and PIN,
reenter the PIN.
Join Domain or Workgroup: For the account that has permission to join the
domain, select Set. Enter and confirm the password, and then select Verify.
Run Command Line: If you use the option to Run this step as the following
account, select Set. Enter and confirm the password, and then select Verify.
Run PowerShell Script: If you use the option to Run this step as the
following account, select Set. Enter and confirm the password, and then
select Verify.
For example, before the site failure the Total activations count shows as 100. The
number of keys that devices have used, or Activations used, is 90. After the site
recovery, the Total activations value still displays 100, but the Activations used column
incorrectly displays 0. After 10 new devices use a sideloading key, there are no more
sideloading keys, and the 11th device fails to apply a sideloading key.
To resolve this issue, Renew the secret key for each Azure tenant connection.
Reinstall hotfixes
After a site recovery, you must reinstall any out-of-band hotfixes that were applied to
the site server. After site recovery, view the list of the previously installed hotfixes on the
Finished page of the setup wizard. This list is also saved to
C:\ConfigMgrPostRecoveryActions.html on the recovered site server.
If you don't have a file system backup for the package source files, manually copy or
download them. This process is similar to when you originally created the package. Run
the following query in SQL Server to find the package source location for all packages
and applications: SELECT * FROM v_Package. Identify the package source site by looking
at the first three characters of the package ID. For example, if the package ID is
CEN00001, the site code for the source site is CEN. When you restore the package
source files, restore them to the same location they were in before the failure.
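The source-path check described above, as an added PowerShell example (my own code, not Microsoft's). From the page: the v_Package view and the rule that the first three characters of a package ID are the site code of the site that owns it. The column names PackageID, Name and PkgSourcePath, and the use of Invoke-Sqlcmd from the SqlServer module to run the query, are assumptions; the sample rows are constructed so the report logic can be run without a site database.

```powershell
# Added example, not from the page: list every package/application source
# path and report the ones that no longer exist after a site recovery.
# Assumptions: v_Package exposes PackageID, Name and PkgSourcePath, and
# Invoke-Sqlcmd (SqlServer module) is available for the live query.

function ConvertTo-CMPackageSourceReport {
    param([Parameter(Mandatory)][object[]]$Rows)   # objects with PackageID, Name, PkgSourcePath
    $pathCache = @{}                                # one Test-Path per distinct path
    foreach ($r in $Rows) {
        $id   = [string]$r.PackageID
        $path = [string]$r.PkgSourcePath
        if (-not $pathCache.ContainsKey($path)) {
            # An empty path means the object has no source folder; treat it as present.
            $pathCache[$path] = ($path -eq '') -or (Test-Path -LiteralPath $path)
        }
        # Page: the first three characters of the package ID are the source site code.
        $site = if ($id.Length -ge 3) { $id.Substring(0, 3) } else { '' }
        [pscustomobject]@{
            PackageID  = $id
            Name       = [string]$r.Name
            SourceSite = $site
            SourcePath = $path
            Exists     = $pathCache[$path]
        }
    }
}

function Get-CMPackageSourceReport {
    param(
        [Parameter(Mandatory)][string]$SqlServer,   # site database server, e.g. sql01.contoso.local
        [Parameter(Mandatory)][string]$Database     # site database, e.g. CM_CEN
    )
    $rows = Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database `
        -Query 'SELECT PackageID, Name, PkgSourcePath FROM v_Package'
    ConvertTo-CMPackageSourceReport -Rows $rows
}

# Constructed sample rows (not real site data) to exercise the report offline.
$sample = @(
    [pscustomobject]@{ PackageID = 'CEN00001'; Name = 'Contoso Agent';  PkgSourcePath = '\\fs01\sources\ContosoAgent' }
    [pscustomobject]@{ PackageID = 'PR100003'; Name = 'Drivers';        PkgSourcePath = "$env:TEMP" }
    [pscustomobject]@{ PackageID = 'CEN00002'; Name = 'Client Package'; PkgSourcePath = '' }
)
$report = ConvertTo-CMPackageSourceReport -Rows $sample

# Missing sources grouped by owning site: each one must be restored to the same path.
$report | Where-Object { -not $_.Exists } | Group-Object SourceSite |
    ForEach-Object { '{0}: {1} package(s) without source files' -f $_.Name, $_.Count }
```

Run Get-CMPackageSourceReport against the recovered site database from an account that can read the view and reach the source shares; paths that exist but belong to a different site code than the object's first three characters are worth a second look, because content is updated from the owning site's copy.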
If you don't have a file system backup that includes the content library, you have the
following restore options:
Import a prestaged content file: In a Configuration Manager hierarchy, you can
create a prestaged content file with all packages and applications from another
location. Then import the prestaged content file to recover the content library on
the site server.
Update content: Configuration Manager copies the content from the package
source to the content library. For this action to finish successfully, the package
source files must be available in the original location. Do this action on each
package and application.
3. When more than one user runs Updates Publisher on the computer, copy each
database file to the appropriate user profile location.
Requirements
The server must meet all secondary site prerequisites and have appropriate
security rights configured.
Use the same installation path that was used for the failed site.
Use a server with the same configuration as the failed server. This configuration
includes its fully qualified domain name (FQDN).
The server must have the same SQL Server configuration as the failed site.
Use the same version of SQL Server and the same instance of SQL Server that
you used for the secondary site database before the failure.
Procedure
Use the Recover Secondary Site action from the Sites node in the Configuration
Manager console. Unlike with other types of sites, recovery for a secondary site doesn't
use a backup file. This process reinstalls the secondary site files on the failed server.
After the site reinstalls, the secondary site data is reinitialized from the parent primary
site.
During the recovery process, Configuration Manager verifies if the content library exists
on the secondary site server. It also checks that the appropriate content is available. The
secondary site uses the existing content library, if it includes the appropriate content.
Otherwise, to recover the content library of a secondary site, redistribute or prestage the
content to the server.
When you have a distribution point that isn't on the secondary site server, you aren't
required to reinstall the distribution point during a recovery of the secondary site. After
the secondary site recovery, the site automatically synchronizes with the distribution
point.
You can verify the status of the secondary site recovery by using the Show Install Status
action from the Sites node in the Configuration Manager console.
Unattended site recovery for
Configuration Manager
Article • 10/04/2022
To use the /script setup command-line option, first create an answer file. Then specify
this file name on the command line. The name of the file is your decision, but it requires
the .ini file extension. When you reference this answer file from the command line,
provide the full path to the file. For example, if your setup answer file is named
setup.ini, and it's stored in the C:\setup folder, your command line would be:
Important
You need Administrator rights to run Configuration Manager setup. When you run
setup with the unattended script, open the command prompt with the option to
Run as administrator.
The script contains section names, key names, and values. Required section key names
vary depending on the recovery type that you need. The order of the keys within
sections and the order of sections within the file aren't important. The keys aren't case-
sensitive. When you provide values for keys, the name of the key is followed by an equal
sign (=) and the value for the key. For example, Action=RecoverCCAR.
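The /script procedure above (and the earlier recovery step that saves ConfigMgrUnattend.ini in C:\Temp) as an added PowerShell example; this is my own code, not Microsoft's. From the page: the /script switch, the .ini extension, the full-path requirement, Action=RecoverCCAR, the C:\ConfigMgrPostRecoveryActions.html hotfix list, and the rule that the SQL Server Service Broker port must not change during recovery. The other section and key names and their numeric values are assumptions drawn from the product's answer-file reference; check them against the reference for your version before use.

```powershell
# Added example, not from the page: write an unattended recovery answer file
# and run setup.exe /script with its full path.
# Assumed (not on the page): the RecoverPrimarySite action, and every section
# and key other than Action. Verify against your version's answer-file reference.
#Requires -RunAsAdministrator

function New-CMRecoveryAnswerFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('RecoverCCAR','RecoverPrimarySite')][string]$Action,
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$BackupLocation,   # folder holding the site server backup
        [Parameter(Mandatory)][string]$SqlServerName,    # FQDN[\instance] used before the failure
        [Parameter(Mandatory)][int]$SqlSsbPort,          # page: keep the original SSB port or replication breaks
        [string]$InstallDir = 'C:\Program Files\Microsoft Configuration Manager'
    )
    if ([IO.Path]::GetExtension($Path) -ne '.ini') { throw "Answer file must use the .ini extension: $Path" }

    # Key order inside a section does not matter to setup; ordered here for readability.
    $sections = [ordered]@{
        'Identification'   = [ordered]@{ Action = $Action }
        'RecoveryOptions'  = [ordered]@{
            ServerRecoveryOptions    = 1           # assumption: 1 = recover site server and SQL Server
            DatabaseRecoveryOptions  = 10          # assumption: 10 = restore the site database from backup
            SiteServerBackupLocation = $BackupLocation
            BackupLocation           = $BackupLocation
        }
        'Options'          = [ordered]@{ SiteCode = $SiteCode; SMSInstallDir = $InstallDir }
        'SQLConfigOptions' = [ordered]@{
            SQLServerName = $SqlServerName
            DatabaseName  = "CM_$SiteCode"
            SQLSSBPort    = $SqlSsbPort
        }
    }
    $lines = foreach ($name in $sections.Keys) {
        "[$name]"
        foreach ($k in $sections[$name].Keys) { "$k=$($sections[$name][$k])" }
        ''
    }
    # ASCII: no byte-order mark for setup to trip over. The file holds no secrets,
    # but it does name your SQL Server and backup share, so keep it off public shares.
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return (Resolve-Path $Path).Path
}

function Start-CMUnattendedRecovery {
    param(
        [Parameter(Mandatory)][string]$SetupExe,     # e.g. <media>\SMSSETUP\BIN\X64\setup.exe
        [Parameter(Mandatory)][string]$AnswerFile
    )
    $full = (Resolve-Path $AnswerFile).Path          # /script requires the full path
    $proc = Start-Process -FilePath $SetupExe -ArgumentList "/script `"$full`"" -Wait -PassThru
    [pscustomobject]@{
        ExitCode    = $proc.ExitCode
        SetupLog    = 'C:\ConfigMgrSetup.log'                  # setup's log on the system drive
        PostActions = 'C:\ConfigMgrPostRecoveryActions.html'   # page: hotfix list written after recovery
    }
}

# Usage with placeholder values; this starts a real recovery when run.
$ini = New-CMRecoveryAnswerFile -Path 'C:\Temp\ConfigMgrUnattend.ini' -Action RecoverCCAR `
    -SiteCode 'CAS' -BackupLocation '\\backup01\CMBackup\CASBackup' `
    -SqlServerName 'sql01.contoso.local' -SqlSsbPort 4022
Start-CMUnattendedRecovery -SetupExe 'D:\SMSSETUP\BIN\X64\setup.exe' -AnswerFile $ini
```

Read ConfigMgrSetup.log before trusting the exit code, and open the PostActions file immediately: the out-of-band hotfixes it lists are not reapplied for you.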
The site server and any of the other site systems can fail and cause a loss of the services
they regularly provide. If you install multiple site systems on the same computer, and
that computer fails, all services regularly provided by those site systems are no longer
available.
Part of your planning process should include understanding the impact on the service
that you provide your organization. Because each site system in the site provides
different functionality, the impact of a failure on the site differs, depending on the role
of the site system that failed.
Use high availability options to help mitigate the failure of any single system. Also plan
for and practice a backup and recovery strategy to reduce the amount of time the
service is unavailable.
The following sections describe the impact when the specified site system isn't
operational:
Site server
No site administration is possible. You can't connect the console to the site.
The management point collects client information and caches it until the site server
is back online.
Users can run existing deployments, and clients can download content from
distribution points.
Site database
No site administration is possible.
If the Configuration Manager client already has a policy assignment with new
policies, and if the management point has cached the policy body, the client can
make a policy body request and receive the policy body reply. However, the site
can't service any new policy assignment requests.
Clients can run deployments, only if they've already received the policy, and the
associated source files are already cached locally at the client.
Management point
Although you can create new deployments, clients don't receive them until a
management point is online.
Clients still collect inventory, software metering, and status information. They store
this data locally until the management point is available.
Clients can run deployments, only if they've already received the policy, and the
associated source files are already cached locally at the client.
Distribution point
Configuration Manager clients can run deployments, only if the associated source
files have already been downloaded locally or are available on a peer source.
Monitor the hierarchy
Article • 10/04/2022
Note
The exception to this location is when migrating sites. Monitor this process in the
Migration node of the Administration workspace. For more information, see
Operations for migrating to Configuration Manager current branch.
Along with using the Configuration Manager console for monitoring, use the following
features:
Introduction to reporting
Log files.
When you monitor sites, look for signs that indicate problems that require you to take
action. For example:
Error and warning messages in the Microsoft SQL Server error log.
If monitoring tasks reveal any signs of problems, investigate the source of the problem.
Then quickly repair it to minimize the risk of a site failure.
Alerts
For more information, see Monitor alerts.
Compliance settings
For more information, see How to monitor compliance settings.
Content
For general information about monitoring content, see Manage content and content
infrastructure.
Monitor applications
Endpoint Protection
For more information, see How to monitor Endpoint Protection.
OS deployment
For more information, see Monitor OS deployments.
Use the Site Hierarchy node to monitor the health of each site. Also monitor the
intersite replication links and their relationship to external factors, such as a
geographical location.
Both site status and intersite link status replicate as site data and not global data. When
you connect your Configuration Manager console to a child primary site, you can't view
the site or link status for other primary sites or their child secondary sites. For example,
in a hierarchy with multiple primary sites, when you connect the console to a primary
site, you can view the status of child secondary sites, the primary site, and the central
administration site. From this view, you can't see the status for other sites below the
central administration site.
To control the display in the Site Hierarchy node, use the Configure Settings action. The
hierarchy replicates the settings that you configure in this node.
Hierarchy diagram
The hierarchy diagram displays your sites in a topology map. Select a site, and view a
status message summary from that site. Drill through to view status messages, and
access the site Properties.
To view high-level status for a site or replication link between sites, hover your mouse
pointer over the object. Replication link status doesn't replicate globally. To view the
replication link details between all primary sites in a hierarchy, connect the console to
the central administration site.
Groups
Configure the number of primary sites and secondary sites that trigger a change in the
hierarchy diagram. This change in the display combines the sites into a single object.
Then you see the total number of sites and a high-level rollup of status messages and
site status.
Favorite sites
Specify individual sites to be a favorite site. A star icon identifies a favorite site in the
hierarchy diagram. Favorite sites aren't combined with other sites when you use
groups. They're always displayed individually.
Geographical view
Important
Starting in August 2020, this feature is deprecated. Use the Hierarchy Diagram
option.
The geographical view displays the location of each site on a geographical map. It only
displays sites that you configure with a location. When you select a site in this view, it
shows replication links to parent or child sites. Unlike the hierarchy diagram view, you
can't display site status message or replication link details in this view.
Note
To use the geographical view, the computer to which your Configuration Manager
console connects must have Internet Explorer installed and be able to access Bing
Maps by using the HTTP protocol.
Site Location
Specify a geographical location for each site using one of the following types:
A street address
A place name such as the name of a city
By latitude and longitude coordinates
For example, to use the latitude and longitude of Redmond, Washington, specify N 47
40 26.3572 W 122 7 17.4432 as the location of the site. You don't need to specify the
symbols for the degree, minutes, or seconds of latitude or longitude. Configuration
Manager uses Bing Maps to display the location on the geographical view. Then you can
view your hierarchy with the geographical locations. This view provides insight into
regional issues that might affect specific sites or intersite replication.
When you specify a location, you can use the Location box to search for a specific site in
your hierarchy. With the site selected, enter the location as a city name or street address
in the Location column. Configuration Manager uses Bing Maps to resolve the location.
Next steps
Monitor database replication
Use the status system in Configuration
Manager
Article • 10/04/2022
Use the built-in status message system to understand the state of your Configuration
Manager environment.
All major site components generate status messages that provide feedback on site and
hierarchy operations. This information can keep you informed about the health of
different site processes. You can tune the alert system to ignore noise for known
problems, and increase early visibility for other issues that might need your attention.
You generally don't need to configure the Configuration Manager status system. By
default, it uses suitable settings for most environments. You can configure the following
components:
Status filter rules: Create new status filter rules, modify the priority of rules, disable
or enable rules, and delete unused rules at each site.
Status reporting: Configure both server and client component reporting, and
specify where they're sent.
Warning
Because the default reporting settings are appropriate for most environments,
change them with caution. When you increase the level of status reporting by
choosing to report all status details, you can increase the amount of status
messages for the site to process. This change increases the processing load
on the Configuration Manager site. If you decrease the level of status
reporting, you might limit the usefulness of the status summarizers.
Because the status system maintains separate configurations for each site, edit each site
individually.
2. Select a site. Then on the Home tab of the ribbon, in the Settings group, select
Status Summarizers.
3. In the Status Summarizers window, select the status summarizer that you want to
configure, and select Edit.
For the application deployment summarizer, these time periods specify how frequently
the site updates the deployment status for applications, task sequences, and packages.
It's calculated based on the deployment start time. The following values show the
defaults:
For the application statistics summarizer, these time periods specify how often the site
updates application statistics. They're based on the date you last modified the
application. The following values show the defaults:
2. On the Thresholds tab, select the Message type: Informational, Warning, or Error.
3. Select a component and then select the properties icon. You can also double-click
the component, or right-click and select Property.
4. Specify the threshold for the number of status messages on the component before
the site changes the status.
Message type | Warning threshold | Critical threshold
Warning | 10 | 50
Error | 1 | 5
For example, if a site system reports less than 10 GB of free space on a drive, that
site system's status changes to warning.
3. The site can also monitor specific thresholds for specific Storage objects. By
default, it includes thresholds for the SQL Server database and transaction log for
the site database. The default values for these default objects are the same as the
default thresholds.
To modify these thresholds, select the object in the list, and then select the
properties icon. (You can also double-click the object, or right-click to access these
actions.)
4. To create a new storage object to monitor, select the gold asterisk "new" icon.
Select a storage object from the list, and specify the free space thresholds.
5. To delete a storage object, select the object, and then select the delete icon.
Tip
Starting in version 2107, you can enable the site to send notifications to an external
system or application. This capability simplifies the process by using a web service-
based method. You configure subscriptions to send these notifications. These
notifications are in response to specific, defined events as they occur. For example,
status message filter rules. For more information, see External notifications.
3. In the Status Filter Rules window, select the rule that you want to modify.
To change the processing order of the status filter rule, select Increase
Priority or Decrease Priority.
To delete the status filter rule from the site, select Delete.
To change the criteria for the status message rule, select Edit.
2. Select a site, and then on the Home tab of the ribbon, in the Settings group, select
Status Filter Rules.
3. Select Create.
4. On the General page of the Create Status Filter Rule Wizard, specify a Name for
the new status filter rule. Select message-matching criteria for the rule, and specify
values to match. The following criteria are available:
5. On the Actions page, specify the actions when a status message matches the
specified criteria. The following actions are available:
Note
Configuration Manager only requires that a new status filter rule has a name. If you
create a rule, but you don't specify any criteria to process status messages, the
status filter rule has no effect. This behavior allows you to create and organize rules
before you configure the criteria for each rule.
2. Select a site, and then on the Home tab of the ribbon, in the Settings group, select
Configure Site Components, and then select Status Reporting.
3. In the Status Reporting Component Properties window, specify the server and
client component status messages that you want to report or log:
Log: Write the type and severity of status messages to the Windows event
log. By default, this option isn't enabled for either server or client
components.
Most Configuration Manager site system roles and components generate status
messages. Status message details are logged in each component's operational log, but
are also submitted to the site database. The site then summarizes and presents them in
a general health rollup for each component or site system. These status message rollups
provide information details for regular operations, and details of warnings and errors.
You can configure the thresholds at which the site triggers warnings or errors. Tune the
system in your environment to make sure rollup information ignores known issues that
aren't relevant to you. Also configure it to call attention to actual problems that you
need to investigate.
System status is replicated to other sites in a hierarchy as site data, not global data. This
behavior means you can only see the status for the site to which your Configuration
Manager console connects, and any child sites below that site. When you view system
status, use the Configuration Manager console with the top-level site of your hierarchy.
For more information on site data versus global data, see Database replication: Types of
data.
There are different system status views in the Configuration Manager console:
Site Status: View a rollup of the status of each site system to review the health of
each server. The site determines site system health by thresholds that you
configure for each site in the Site System Status Summarizer. In this node:
View status messages for each site system
Set thresholds for status messages
Manage the operation of the components on site systems by using the
Configuration Manager Service Manager
Conflicting Records: View status messages about clients that might have
conflicting records. Configuration Manager uses the hardware ID to attempt to
identify clients that might be duplicates and alert you to the conflicting records.
For example, if you have to reinstall a computer, the hardware ID would be the
same, but the GUID that Configuration Manager uses might change.
Status Message Queries: Query status messages for specific events and related
details. Use status message queries to find the status messages related to specific
events. You can identify when a specific component, operation, or Configuration
Manager object was modified, and the account that was used to make the
modification. For example, run the built-in Collections Created, Modified, or
Deleted query to identify when a specific collection was created, and the user
account used to create it.
2. In the ribbon, select Show Messages, then choose the type of messages to show:
All, Error, Warning, Information.
3. Select the viewing period. Either on or after a specific date and time, or from a
specific time period. By default, the viewing period is 1 day ago.
4. The Status Message Viewer has many controls to customize the view. For example,
to filter the results based on the status messages details, go to the View menu, and
select Filter.
Starting in version 2010, there's an easier way to view status messages for the following
objects:
Devices
Users
Content
Deployments
Monitoring workspace
Phased deployments (select Show Deployments from the Phased
Deployments node)
Deployments tab in the details pane for:
Packages
Task sequences
Select one of these objects in the Configuration Manager console, and then select Show
Status Messages from the ribbon.
Next steps
Configure alerts
To warn you that a condition exists, so that you can continue to monitor the
situation.
Some alerts you configure, such as alerts for endpoint protection and client status.
Configuration Manager automatically configures other alerts.
You can configure subscriptions to alerts. Subscriptions can send details by email, which
increases your awareness of key issues.
Postpone: Suspend monitoring this alert until the specified date is reached. At that
time, the site updates the state of the alert. You can only postpone an enabled
alert. When you postpone an alert, you can also add a comment.
Edit Comments: Enter a comment for the selected alerts. These comments display
with the alert in the Configuration Manager console.
Configure: Modify the name, severity, and definition for the selected alert. If you
change the severity of the alert, this configuration affects how the alerts are
displayed in the Configuration Manager console.
Create subscription: Create an email subscription to the selected alert. For more
information, see Email alerts.
Configure client status alerts
1. In the Configuration Manager console, go to the Assets and Compliance
workspace, and select the Device Collections node.
2. Select the collection for which you want to configure alerts. In the Home tab of the
ribbon, in the Properties group, select Properties.
Note
The Alerts tab is only visible if your security role has permissions for alerts.
4. Choose the alerts that you want the site to generate when client status thresholds
fall below a specific value:
Client check pass or no results for active clients falls below threshold (%)
Client remediation success falls below the threshold (%)
Client activity falls below threshold (%)
5. In the Conditions list of the Alerts tab, select each client status alert, and then
specify the following information:
Alert Name: Accept the default name or enter a new name for the alert.
Alert Severity: Choose the alert level that displays in the Configuration
Manager console: Information, Warning, or Critical.
Raise alert if...: Specify the threshold percentage for the alert.
Email alerts
You can create an email subscription for alerts. When the site triggers an alert, it can
then send you email notification.
Configure email notification for alerts
Before you can subscribe to email alerts, you need to configure the site to send email
notifications. You'll need information about an SMTP email server.
2. On the Home tab of the ribbon, in the Create group, select Configure Email
Notification.
FQDN or IP Address of the SMTP server to send email alerts: Enter the fully
qualified domain name (FQDN) or IP address for the email server to use for
these alerts.
Port: Specify the SMTP port for the email server to use for these alerts. For
example, 587.
This server requires an encrypted connection (SSL): Require that the site
creates an encrypted connection with the SMTP server.
Test SMTP Server: Sends a test email to the email address specified in Sender
address for email alerts.
2. Select an alert. On the Home tab of the ribbon, in the Subscription group, select
Create subscription.
Subscription name: Enter a name to identify the email subscription. You can
use up to 255 characters.
Email address: Enter the recipient email addresses to get this alert. Separate
multiple email addresses with a semicolon (;).
4. Select OK to close the New Subscription window and to create the email
subscription.
Monitor alerts
You can view alerts in the Alerts node of the Monitoring workspace. Alerts have
one of the following alert states:
Never triggered: The component hasn't met the condition of the alert.
Active: The site triggered the alert when the component met the condition.
When Configuration Manager generates an alert, you can take one of the following
actions:
Resolve the condition that caused the alert. For example, you resolve a network
issue. After Configuration Manager detects that the issue no longer exists, the alert
state changes to Cancel.
If the alert is a known issue, postpone the alert until a specific time. At that later
time, Configuration Manager updates the alert to its current state.
Edit the Comment of an alert. This action informs other administrators that you're
aware of the alert. For example, in the comment you can identify how to resolve
the condition, provide information about the current status of the condition, or
explain why you postponed the alert.
External notifications
Starting in version 2107, you can enable the site to send notifications to an external
system or application. This capability simplifies the process by using a web service-
based method. You configure subscriptions to send these notifications. These
notifications are in response to specific, defined events as they occur. For example,
status message filter rules. For more information, see External notifications.
Next steps
Configure endpoint protection alerts for a collection
In a complex IT environment, you may have an automation system like Azure Logic
Apps. Customers use these systems to define and control automated workflows to
integrate multiple systems. You could integrate Configuration Manager into a separate
automation system through the product's SDK APIs. But this process can be complex
and challenging for IT professionals without a software development background.
Starting in version 2107, you can enable the site to send notifications to an external
system or application. This feature simplifies the process by using a web service-based
method. You configure subscriptions to send these notifications. These notifications are
in response to specific, defined events as they occur. For example, status message filter
rules.
Note
The external system or application defines and provides the methods that this
feature calls.
When you set up this feature, the site opens a communication channel with the external
system. That system can then start a complex workflow or action that doesn't exist in
Configuration Manager.
Starting in version 2111, use the Configuration Manager console to create or edit
subscriptions for external notifications. This article now focuses on that experience. If
you're using version 2107, see Configuration Manager version 2107.
Prerequisites
Create the subscription on the top-level site of the hierarchy. This site is either a
standalone primary site, or a central administration site (CAS). You can view and
modify an existing subscription on any site in a hierarchy.
The site's service connection point needs to be in online mode. For more
information, see About the service connection point.
Currently, this feature only supports Azure Logic Apps as the external system. An
active Azure subscription with rights to create a logic app is required.
The service connection point needs to communicate with the notification service,
for example Azure Logic Apps. For more information, see Internet access
requirements.
To create an event type for an application approval request, the site needs an app
that requires approval and is deployed to a user collection. For more information,
see Deploy applications and Approve applications.
Permissions
You can configure the following permissions to the NotificationSubscription object:
Read, Delete, Modify, Create.
In version 2107, users also need the All security scope. In version 2111 and later, you
can't scope the subscription objects. If needed, you can use scopes on the Site object, to
which users need at least read permission.
Other permissions may be required for custom roles. Use the following table to
understand what's needed:
Action Alerts:
Site:
Notify:
Notify:
Notify:
Notify:
Site:
View subscription X X
Modify subscription X X X X
Delete subscription X X X
When managing events on the subscription, the permissions to Modify or Create on the
Notification subscription object depend upon whether you need to modify or create
the event. For example, if you have the Create permission, then you can add a status
filter rule to the subscription. If you don't have the Modify permission, then you can't
make changes to the subscription events.
Note
This process is provided as an example to help you get started. It's not intended for
production use.
2. In the Azure search box, enter logic apps, and select Logic Apps.
3. Select Add and choose Consumption. This action creates a new logic app.
4. On the Basics tab, specify the project details as necessary for your environment:
subscription name, resource group, logic app name, and region.
5. Select Review + create. On the validation page, confirm the details that you
provided, and select Create.
7. Under the section to Start with a common trigger, select When a HTTP request is
received.
8. At the bottom of the trigger editor, select Use sample payload to generate
schema.
9. Paste the following sample payload:
```json
{
  "EventID": 0,
  "EventName": "",
  "SiteCode": "",
  "ServerName": "",
  "MessageID": 0,
  "Source": "",
  "EventPayload": ""
}
```
11. Copy the generated URL for the logic app. You'll use this URL later when you create
the subscription in Configuration Manager.
Note
The URL from Azure for the logic app includes the secret key. When saved in
Configuration Manager, it's protected the same as any other password or
secret key. If your environment uses a proxy server or other network
inspection device, there's a risk that it will log this URL and expose the secret
key. Control access to such systems, and be prepared to renew the secret key
for the logic app in the Azure portal. You can also set an expiration date for
the secret key in the Azure portal. For more information, see Secure your
logic apps.
12. To add a new step in the designer, select + New Step. Choose an appropriate
action when it receives a notification from Configuration Manager. For example:
Sign in if necessary and complete the required information for the action. For more
information, see the Create logic apps quickstart in the Azure Logic Apps
documentation.
Notification schema
These notifications use the following standardized schema:
JSON
{
    "properties": {
        "EventID": {
            "type": "integer"
        },
        "EventName": {
            "type": "string"
        },
        "EventPayload": {
            "type": "string"
        },
        "MessageID": {
            "type": "string"
        },
        "ServerName": {
            "type": "string"
        },
        "SiteCode": {
            "type": "string"
        },
        "Source": {
            "type": "string"
        }
    },
    "type": "object"
}
Create an event
There are two types of events that are currently supported:
The site raises a status message that matches conditions specified in a status filter
rule for external notification. You can create a new rule or use an existing one.
Note
2. Go to the Monitoring workspace, expand Alerts, and select the External service
notifications node.
4. In the New Subscription window, specify a Name for the subscription to identify it
in the Configuration Manager console. The maximum length is 254 characters.
Optionally add a Description.
5. For the External service URL value, paste the URL of the Azure Logic App that you
previously copied.
a. In the Create External Service Notification Event wizard, on the Event type page,
select one of the following event types:
New status filter rule: Create a new status filter rule to use for this event.
Specify a name for the status filter rule, and then configure the filter
criteria. For more information about criteria for status message rules, see
Use the status system.
Important
Be cautious with the type of status filter rule that you create. For
external notifications, the site can process 300 status messages every
five minutes. If your rule allows more messages than this limit, it will
cause a backlog on the site. Create rules with narrow filters for
specific scenarios. Avoid generic rules that allow a lot of messages.
Existing status filter rule: Reuse a status filter rule for external notification
that already exists. It doesn't display all status filter rules, only the rules
that you created using this wizard.
User submits application request: Send an external notification for
application approval requests.
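The logic app created above receives notifications in the schema shown earlier, and its URL carries the key that the note warns a proxy might log. As an added example, not code from the article or from Azure, the following Python type-checks an incoming body against that schema and redacts the key from a callback URL before the URL is written to a log. It assumes the key travels in the sig query parameter, as Logic Apps shared access signature callback URLs use; the URL and payload values are constructed. The article's sample payload gives MessageID as an integer while the schema declares it a string, so the validator, which follows the schema, flags that field.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Schema documented for external service notifications (see the schema above).
NOTIFICATION_SCHEMA = {
    "properties": {
        "EventID": {"type": "integer"},
        "EventName": {"type": "string"},
        "EventPayload": {"type": "string"},
        "MessageID": {"type": "string"},
        "ServerName": {"type": "string"},
        "SiteCode": {"type": "string"},
        "Source": {"type": "string"},
    },
    "type": "object",
}


def _has_json_type(value, json_type):
    """Map the schema's type names onto the Python types json.loads produces."""
    if json_type == "integer":
        # bool is a subclass of int in Python, so rule it out explicitly
        return isinstance(value, int) and not isinstance(value, bool)
    if json_type == "string":
        return isinstance(value, str)
    if json_type == "object":
        return isinstance(value, dict)
    raise ValueError(f"unsupported schema type {json_type!r}")


def validate_notification(body, schema=NOTIFICATION_SCHEMA):
    """Return a list of problems with a notification body; empty means it conforms.

    The schema lists no required properties, so only the properties that are
    present are type-checked; properties the schema doesn't know are reported.
    """
    if isinstance(body, (str, bytes)):
        try:
            body = json.loads(body)
        except ValueError as exc:
            return [f"body is not valid JSON: {exc}"]
    if not _has_json_type(body, schema["type"]):
        return ["body is not a JSON object"]
    problems = []
    for name, value in body.items():
        spec = schema["properties"].get(name)
        if spec is None:
            problems.append(f"{name}: not in schema")
        elif not _has_json_type(value, spec["type"]):
            problems.append(f"{name}: expected {spec['type']}, got {type(value).__name__}")
    return problems


# Assumption: the secret in a Logic App callback URL is the sig query parameter.
SECRET_QUERY_KEYS = ("sig",)


def redact_callback_url(url, keys=SECRET_QUERY_KEYS, placeholder="REDACTED"):
    """Replace secret query-string values so the URL can be written to a log."""
    parts = urlsplit(url)
    query = [(k, placeholder if k in keys else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


# Constructed sample payload, the same shape as the article's sample payload.
SAMPLE_PAYLOAD = {"EventID": 0, "EventName": "", "SiteCode": "", "ServerName": "",
                  "MessageID": 0, "Source": "", "EventPayload": ""}

if __name__ == "__main__":
    print(validate_notification(SAMPLE_PAYLOAD))  # MessageID is an int, schema says string
    print(validate_notification(dict(SAMPLE_PAYLOAD, MessageID="0")))  # []
    print(redact_callback_url("https://example.logic.azure.com/workflows/abc/triggers/manual/"
                              "paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun"
                              "&sv=1.0&sig=SECRET"))
```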
Manage events
After you create a subscription, use the External service notifications node to do the
following actions:
Properties: Edit the name, description, or events for a subscription. You can't edit
the external service URL.
Note
You can view and modify an existing subscription on any site in a hierarchy.
When you select a subscription, the details pane shows information about the events
that have happened.
Trigger an event
The process to trigger an event depends upon the type of subscription:
For a status filter rule, trigger an event for the site component. For example, use
the Configuration Manager Service Manager to restart the component.
For an app approval request, use Software Center to request an app that requires
approval. For more information, see Software Center user guide.
For more information, see Monitor run status, review trigger history, and set up alerts
for Azure Logic Apps.
Troubleshoot
Use the following Configuration Manager log files on the site server to help
troubleshoot this process:
Known issues
If you create a status filter rule, you'll see it in the site's list of Status filter rules in the
Configuration Manager console. If you make a change on the Actions tab of the rule
properties, the external notification won't work.
After you recover a central administration site (CAS), delete and recreate the
subscription.
Tip
Before you remove a CAS, recreate the subscriptions at the child primary site.
Important
This section and the PowerShell script only apply to version 2107. In version 2111
and later, use the Configuration Manager console to create and manage events.
PowerShell
$FileName = ".\SetupExternalServiceNotifications.ps1"
Note
The site raises a status message that matches conditions specified in a status filter
rule.
4. Select message-matching criteria for the rule, and specify values to match. Specify
0 to not use a criterion.
For more information about criteria for status message rules, see Use the status
system.
Important
Be cautious with the type of status filter rule that you create. For external
notifications, the site can process 300 status messages every five minutes. If
your rule allows more messages than this limit, it will cause a backlog on the
site. Create rules with narrow filters for specific scenarios. Avoid generic rules
that allow a lot of messages.
6. Specify a name and description for the subscription. Then specify the logic app
URL that you previously copied from the Azure portal.
Note
This event type requires an application that requires approval and is deployed to a
user collection. For more information, see Deploy applications and Approve
applications.
3. Specify a name and description for the subscription. Then specify the logic app
URL that you previously copied from the Azure portal.
tion_ID> .
For more information, see How to use the administration service in Configuration
Manager.
After you remove the subscription, the site doesn't send notifications to the external
system.
0 : Skip/continue
Note
This script is only supported for sites running version 2107 or later.
Next steps
Use the status system
Configure alerts
Monitor scenario health in Configuration Manager
Article • 02/22/2023
You can use Configuration Manager to monitor the health of end-to-end scenarios.
Monitoring scenario health enhances awareness of system latency and component
backlogs which are critical for cloud service-attached features. Configuration Manager
simulates activities to expose performance metrics and failure points. These synthetic activities are
similar to methods that Microsoft uses to monitor some components in its cloud
services. Use this additional data to better understand timeframes for activities. If
failures occur, it can help focus your investigation.
Starting in version 2010, Configuration Manager monitors the health for the following
two scenarios:
Client action health: Monitor the health of the fast channel used for client actions.
In the Configuration Manager console, go to the Monitoring workspace, and select the
Scenario Health node. The list view displays the available scenarios:
Note
If you use a high availability option, scenario health only monitors the active node.
For the SQL Server Service Broker scenario, it only applies to the primary replica of
the SQL Server Always On availability group. The client action health scenario only
applies to the site server in active mode.
Prerequisites
Full administrator role in Configuration Manager, with scope to the top-level site
Show Status: This action is the main one you'll use to view the latest results of
tests for the scenario. This action opens a window with more information. The top
section shows the overall status per site. Select a site to see more detailed status
for that site in the bottom section.
Scenario Settings: Configure the settings for this scenario: such as whether it's
enabled, and the time interval in minutes.
Enable activity simulation and measurement: Enable the scenario health
checks.
Run time interval (minute): How frequently the site runs the scenario health
checks. By default, Configuration Manager tests scenarios every 30 minutes.
Job timeout (minute): How long the site waits for a specific test to complete. By
default, the timeout is one hour (60 minutes).
History: Display the previous instances of the synthetic transaction. Use this history
to track the scenario's health over time. From the history node, you can also Show
Status of a specific instance.
Run Now: Trigger the site to check the scenario health. If a previous check isn't
successful, you might use this action after you make changes to a site component.
This action creates audit status message ID 54099.
SQL Server Service Broker
The SQL Server Service Broker is a required configuration for the site database. Many of
the core subsystems in Configuration Manager use the service broker.
Note
With this health information, you can see how long it takes for SQL Server to exchange
messages via the service broker. A longer delay or timeout shows a backlog in the
processing queue. A failure indicates a larger problem with the service broker, such as
the queue is disabled. Since the SQL Server Service Broker is a core component, issues with
it can impact many other scenarios, for example client notifications, client status, and
some tenant attach features.
Created client action: Tests that the site can create a client action using the
administration service.
CMPivot configuration: Makes sure that CMPivot is correctly configured on the
central administration site (CAS). For more detail, see rcmctrl.log.
Client action result: Tests that the CAS receives client action results from primary
sites. This test can fail if the SQL Server Service Broker is unhealthy, or the site is in
maintenance mode.
Processed client action: For more detail, see objreplmgr.log.
Client action inbox backlog: Checks the backlog for the objmgr.box inbox. If
there's a large backlog, it impacts how quickly the site sends actions to clients. For
more detail, see objreplmgr.log.
Message Processing Engine backlog: Checks the backlog for the message
processing engine. If there's a large backlog, it impacts how quickly the site
processes results for client actions. For more detail, see
SMS_MESSAGE_PROCESSING_ENGINE.log.
Management point client action backlog: Checks the backlog for the SQL Server
service broker queue ConfigMgrBGBQueue. If there's a large backlog, it impacts
how quickly the management point can push actions to clients. Check the scenario
health for the SQL Server service broker. For more detail, see the management
point's bgbserver.log.
Client action result summary: Checks the task to calculate client operation
summary. For more detail, see statesys.log.
Management point online status: Checks that management points are online and
able to send actions to clients. For details, check the management point's
ccmexec.log, bgbsetup.log, and bgbserver.log.
Client health summary: Checks the client health scheduled task. For more detail,
see statesys.log.
Client state system inbox backlog: Checks the backlog for the inbox
auth\statesys.box\incoming. If there's a large backlog, it impacts how quickly the
site processes results for client actions. For more detail, see statesys.log.
Note
Next steps
Log file reference
You can view the status of Windows 10 Device Health Attestation in the Configuration
Manager console. Device health attestation lets you make sure that client computers
have the following trustworthy BIOS, TPM, and boot software configurations enabled:
Windows BitLocker Drive Encryption encrypts all data stored on the OS and data
volumes, including removable disks. For more information, see Plan for BitLocker
management.
Secure Boot is a security standard to help make sure that a device boots using only
software that's trusted by the PC manufacturer. For more information, see Secure
Boot.
Requirements
Client devices running a supported version of Windows 10 or Windows Server
2016 or later, with Device health attestation enabled.
2. In the Default Settings dialog box, select Computer Agent and then scroll down to
Enable communication with Health Attestation Service.
3. Set Enable communication with Health Attestation Service to Yes, and then select
OK.
You can configure the on-premises device health attestation service URL on the
management point to support client devices without internet access.
1. In the Configuration Manager console, navigate Administration > Overview > Site
Configuration > Sites.
2. Right-click the primary or secondary site with the management point that supports
on-premises device health attestation clients, and select Configure site
components > Management Point. The Management Point Component
Properties page opens.
3. On the Advanced Options tab, select Add and specify a valid on-premises device
health attestation service URL. You can add multiple URLs. If multiple on-premises
URLs are specified, clients receive the full set and randomly choose which to use.
4. In the Configuration Manager console, choose Administration > Overview >
Client Settings. Select the tab for Computer Agent settings.
5. Scroll down to Enable communication with Health Attestation Service, and set to
Yes.
6. Select the Use on-premises Health Attestation Service option, and set to Yes.
7. Target the collections of devices that should report device health with the client
agent settings to enable device health attestation reporting.
You can also Edit or Remove device health attestation service URLs.
Top Missing Health Attestation Settings - Shows the number of devices missing
the health attestation setting, listed per setting
Monitor database replication
Article • 10/04/2022
Monitor details for database replication with the Database Replication node in the
Monitoring workspace of the Configuration Manager console. You can monitor the
status of replication links between sites. It also shows initialization and replication of
replication groups for the site to which you connect.
Tip
When a replication link is active, and its status isn't failed or degraded, all groups
replicate quickly. If one or more groups fail to complete replication in the expected
period of time, the link displays as degraded. Degraded links can still function, but you
should monitor them to make sure they return to active status. Investigate them to
make sure additional degradation or replication failures don't occur.
For each replication link, specify the number of times that an unsuccessfully replicated
group retries. After this number of retries, the site sets the status of the link to degraded
or failed. Even if all but one group replicates successfully, the site sets the status of the
link to degraded or failed. It sets this status because the one replication group fails to
complete replication in the specified number of attempts. For more information, see the
Database replication thresholds.
Use the following information to understand the status of replication links that might
require further investigation:
Link is active
No problems have been detected, and communication across the link is current.
While a parent site is updating to a new version, and you view the link status from the
child site, the link status displays as active. After the update, until the child site is at the
same version as the parent site, the link status displays as active when viewed from the
parent site. When viewed from the child site, it displays as being configured.
Link is degraded
Replication is functional, but at least one replication object or group is delayed. Monitor
links that are in this state. Review information from both sites on the link for indications
that the link might fail.
A link can also display a status of degraded when the site that receives replicated data is
unable to quickly commit the data to the database. This behavior happens when large
volumes of data replicate. For example, you deploy a software update to a large number
of computers. The parent site on the link might take some time to process this volume
of replicated data. A processing lag at the parent site results in it setting the link status
to degraded until it can successfully process the backlog of data.
This status can also indicate a problem with the physical network between the parent
and child site on the replication link.
The following sections give details about the different tabs for replication status:
Summary
View high-level information about the replication of site data and global data between
the two sites on a link.
Select View reports for historical traffic data to view a report that shows details about
the network bandwidth used by replication across the link.
Parent Site
For the parent site on a replication link, view details about the database, which include:
Certificates
Child Site
For the child site on a replication link, view details about the database, which include:
Certificates
Initialization Detail
View the initialization status for groups that replicate across the link. This information
can help you identify when initialization of replication data is in progress or has failed.
Replication Detail
View the replication status for each group that replicates across the link. Use this
information to help identify problems or delays for the replication of specific data. It can
help determine the appropriate database replication thresholds for this link. For more
information, see Database replication thresholds.
Tip
Replication groups for site data are sent only from the child site to the parent site.
Replication groups for global data replicate in both directions.
Use RLA to remediate replication issues between the following computers in the
hierarchy:
Between a site's database server and another site's database server, otherwise
known as intersite replication
Note
Manager\AdminConsole\bin\Microsoft.ConfigurationManager.ReplicationLinkAnalyzer.Wizard.exe <source site server FQDN> <destination site server FQDN>
Important
Starting in version 1910, this path changed to use the Microsoft Endpoint
Manager folder. Make sure you don't use an older version of the file that might
exist in another folder.
When you run RLA, it detects problems by using a series of diagnostic rules and checks.
You view the problems that the tool identifies. When it has instructions to resolve an
issue, it displays them. If RLA can automatically remediate a problem, it presents you
with that option.
When RLA finishes, it saves the results in the following XML-based report and a log file
on the desktop of the user who runs the tool:
ReplicationAnalysis.xml
ReplicationLinkAnalysis.log
RLA stops the following services while it remediates some problems. It restarts these
services when remediation is complete:
SMS_SITE_COMPONENT_MANAGER
SMS_EXECUTIVE
If RLA fails to complete remediation, restart these services on the site server if necessary.
RLA logs all investigation and remediation actions to provide additional details that it
doesn't display in the wizard.
RLA prerequisites
The account that you use to run RLA must have the following permissions:
Local administrator rights on each computer that's involved in the replication link.
Sysadmin rights on each SQL Server database that's involved in the replication link.
Note
2. Select the Site Hierarchy node to open the Hierarchy Diagram view.
3. Hover the mouse pointer on the line between the two sites. View the status of
global and site data replication for these sites.
2. Select the Database Replication node, and then select the replication link that you
want to monitor. Then select the appropriate tab to view different details about the
replication status for that link.
Troubleshoot SQL Server replication
Article • 10/04/2022
To better understand and help troubleshoot issues with SQL Server replication, use these
diagrams.
For more information, see the following series of blogs from Microsoft Support:
Use the following diagram to start troubleshooting SQL Server replication when a link
fails. The diagram (image not reproduced here) walks through these steps on the CAS or
primary site:
1. Check whether the replication group link is in a degraded or failed state. If the query
has no result, stop here.
2. If it has a result, check whether the replication link status was recently calculated
(within the last 30 minutes), and continue based on whether that query returns a result.
Queries
This diagram uses the following queries:
SQL
SELECT * FROM RCM_ReplicationLinkStatus
WHERE Status IN (8, 9)
SQL
DECLARE @cutoffTime DATETIME
SELECT @cutoffTime = DATEADD(minute, -30, GETUTCDATE())
SELECT * FROM RCM_ReplicationLinkStatus
WHERE UpdateTime > @cutoffTime
Next steps
SQL Server replication reinitialization (reinit)
SQL Server performance
SQL Server configuration
SQL Server configuration
Article • 10/04/2022
Use the following diagram to start troubleshooting SQL Server configuration related to
SQL Server Service Broker:
The diagram (image not reproduced here) walks through these steps on the CAS or primary
site:
1. Check whether SQL Server can deliver Service Broker (SSB) messages by querying
sys.transmission_queue. If the query has no result, end here.
2. If it has a result, check the transmission_status column. You may need to refresh the
previous query, as the column can be blank.
3. Continue based on whether transmission_status is empty or has a value.
Queries
This diagram has the following queries and actions:
SQL
SELECT transmission_status, *
FROM sys.transmission_queue
ORDER BY enqueue_time DESC
Remediation actions
Firewall configuration
Network configuration
SSB certificate misconfigured
Use the following diagram to start troubleshooting SQL Server performance that can
impact replication status:
Queries
This diagram uses the following queries:
SQL
SELECT @RetentionPeriod = retention_period,
    @RetentionUnit = retention_period_units
FROM sys.change_tracking_databases
IF @RetentionUnit = 1
ELSE IF @RetentionUnit = 2
ELSE IF @RetentionUnit = 3
SQL
select
    req.session_id
    ,req.blocking_session_id
    ,req.last_wait_type
    ,req.wait_type
    ,req.wait_resource
    ,t.text
from sys.dm_exec_sessions s
where program_name='SMS_data_replication_service'
SQL
FROM sys.dm_tran_locks
GROUP BY request_session_id
See also
SQL Server configuration
SQL Server replication reinit
Article • 10/04/2022
Use the following diagram to start troubleshooting SQL Server replication reinitialization
(reinit):
The diagram (image not reproduced here) walks through these steps:
1. Check which replication group hasn't completed reinit. If the query has no result, end
here.
2. If it has a result, check global data. If that query has a result, continue to Global
data reinit.
3. Otherwise check site data. If that query has a result, continue to Site data reinit.
Queries
This diagram uses the following queries:
SQL
SELECT * FROM RCM_DrsInitializationTracking
WHERE InitializationStatus NOT IN (6,7)
SQL
SELECT * FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
    ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
    AND rg.ReplicationPattern=N'GLOBAL'
SQL
SELECT * FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
    ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
    AND rg.ReplicationPattern=N'Site'
Next steps
Global data reinit
Site data reinit
SQL Server configuration
Troubleshoot global data reinit
Article • 10/04/2022
Use the following diagram to start troubleshooting SQL Server replication reinitialization
(reinit) for global data in a Configuration Manager hierarchy:
The diagram (image not reproduced here) is titled "Troubleshoot SQL replication reinit
for global data" and walks through these steps:
1. Get the TrackingGuid and status from the primary site. If the query has no result, end
here.
2. Get the TrackingGuid and status from the CAS. If the query has no result, continue to
Reinit missing message.
3. If it has a result, check InitializationStatus. If it's 99, continue to Reinit failed.
If it's 3, 4, or 5, check the request status for the tracking ID.
4. Use the request status and the following log entries to find where the reinit is:
Rcmctrl.log (primary site): RCM on the primary site is BCP'ing in the data. Look for
BcpIn for group <group name> … Failed to BCP in for table <table name>.
Request status 1, Rcmctrl.log (CAS): RCM is preparing the data; check rcmctrl.log on the
CAS for BCP progress. Look for Creating init package for replication group <replication
group> for site <CAS>.
Request status 2, Rcmctrl.log (CAS): RCM has finished BCP of the data and is creating and
compressing the package. Look for Created minijob to send compressed copy of DRS INIT BCP
Package to site <CAS>. Transfer root = <CAB file to transfer>.
Request status 3, Sender.log (CAS): the file replication job is created; check sender.log
on the primary site for progress. Look for Sending completed [CAB file to transfer].
Queries
This diagram uses the following queries:
SQL
SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
    ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
    AND rg.ReplicationPattern=N'Global'
SQL
SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
WHERE RequestTrackingGUID=@trackingGuid
SQL
SELECT Status FROM RCM_InitPackageRequest
WHERE RequestTrackingGUID=@trackGuid
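The log entries listed above are what rcmctrl.log and sender.log record at each stage of a global data reinit. As an added example, not code from the article or from Configuration Manager, the following Python parses CMTrace-format log lines, classifies those entries, and reports how far a reinit got and which tables failed to BCP in. The sample log lines, site codes, paths, and component names are constructed, and the message patterns assume the wording shown above.

```python
import re

# Configuration Manager writes CMTrace-style lines:
# <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
LOG_LINE = re.compile(r"<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>")
ATTR = re.compile(r'(\w+)="([^"]*)"')

# Messages the troubleshooting steps tell you to look for, in the order the
# reinit progresses. The wording is assumed to match the list above.
PATTERNS = [
    ("creating_init_package",
     re.compile(r"Creating init package for replication group (\S+) for site (\S+)")),
    ("package_compressed",
     re.compile(r"Created minijob to send compressed copy of DRS INIT BCP Package "
                r"to site (\S+)\. Transfer root = (.+)")),
    ("sending_completed", re.compile(r"Sending completed \[(.+?)\]")),
    ("bcp_in_started", re.compile(r"BcpIn for group (\S+)")),
    ("bcp_in_failed", re.compile(r"Failed to BCP in for table (\S+)")),
]

# RCM_InitPackageRequest status that the steps above pair with each CAS-side stage.
EXPECTED_REQUEST_STATUS = {
    "creating_init_package": 1,
    "package_compressed": 2,
    "sending_completed": 3,
}


def parse_line(line):
    """Split a CMTrace line into message and attributes; None if it isn't one."""
    m = LOG_LINE.search(line)
    if m is None:
        return None
    attrs = dict(ATTR.findall(m.group("attrs")))
    return {"message": m.group("msg"), "date": attrs.get("date"),
            "time": attrs.get("time"), "component": attrs.get("component")}


def classify(message):
    """Return (stage, captured values) for a known reinit message, else None."""
    for stage, pattern in PATTERNS:
        m = pattern.search(message)
        if m:
            return stage, m.groups()
    return None


def reinit_progress(lines):
    """Walk log lines in order and summarise how far the reinit got."""
    events = []
    for raw in lines:
        entry = parse_line(raw)
        hit = classify(entry["message"]) if entry else None
        if hit is None:
            continue
        stage, detail = hit
        events.append({"stage": stage, "detail": detail,
                       "request_status": EXPECTED_REQUEST_STATUS.get(stage),
                       "component": entry["component"],
                       "when": f'{entry["date"]} {entry["time"]}'})
    failed = [e["detail"][0] for e in events if e["stage"] == "bcp_in_failed"]
    return {"events": events,
            "last_stage": events[-1]["stage"] if events else None,
            "failed_tables": failed}


# Constructed sample lines: rcmctrl.log and sender.log on the CAS, then
# rcmctrl.log on primary site PS1. Paths, site codes and components are made up.
def _cm(msg, component, source):
    return ('<![LOG[%s]LOG]!><time="10:01:02.000+000" date="01-15-2023" '
            'component="%s" context="" type="1" thread="1234" file="%s">'
            % (msg, component, source))

SAMPLE_LINES = [
    _cm("Creating init package for replication group Configuration_Data for site PS1",
        "SMS_REPLICATION_CONFIGURATION_MONITOR", "rcmctrl.cpp:100"),
    _cm(r"Created minijob to send compressed copy of DRS INIT BCP Package to site PS1. "
        r"Transfer root = D:\SMS\inboxes\rcm.box\Configuration_Data.cab",
        "SMS_REPLICATION_CONFIGURATION_MONITOR", "rcmctrl.cpp:200"),
    _cm(r"Sending completed [D:\SMS\inboxes\rcm.box\Configuration_Data.cab]",
        "SMS_LAN_SENDER", "sender.cpp:300"),
    "plain text that is not a CMTrace line",
    _cm("BcpIn for group Configuration_Data",
        "SMS_REPLICATION_CONFIGURATION_MONITOR", "rcmctrl.cpp:400"),
    _cm("Failed to BCP in for table CollectionMembers",
        "SMS_REPLICATION_CONFIGURATION_MONITOR", "rcmctrl.cpp:410"),
]

if __name__ == "__main__":
    summary = reinit_progress(SAMPLE_LINES)
    for e in summary["events"]:
        print(e["when"], e["component"], e["stage"], e["request_status"], e["detail"])
    print("last stage:", summary["last_stage"], "failed tables:", summary["failed_tables"])
```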
Next steps
Reinit missing message
Troubleshoot site data reinit
Article • 10/04/2022
Use the following diagram to start troubleshooting SQL Server replication reinitialization
(reinit) for site data in a Configuration Manager hierarchy:
The diagram (image not reproduced here) walks through these steps:
1. Get the TrackingGuid and status from the CAS. If the query has no result, end here.
2. Get the TrackingGuid and status from the primary site. If the query has no result,
continue to Reinit missing message.
3. If it has a result, check InitializationStatus. If it's 99, continue to Reinit failed.
If it's 3, 4, or 5, run the next query; if that query has no result, continue to Global
data reinit.
4. If it has a result, check the remaining status values (3, 2, 1) against Despoolr.log
(CAS) and Rcmctrl.log (CAS). When RCM on the CAS is BCP'ing in the data, look for BcpIn
for group <group name> … Failed to BCP in for table <table name>.
Queries
This diagram uses the following queries:
SQL
SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
    ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
    AND rg.ReplicationPattern=N'Site'
SQL
SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
WHERE RequestTrackingGUID=@trackingGuid
SQL
WHERE RequestTrackingGUID=@trackingGuid
    AND SiteCode=dbo.fnGetSiteCode()
    AND ServerRole=N'Peer'
SQL
WHERE RequestTrackingGUID=@trackGuid
Next steps
Reinit missing message
Global data reinit
Reinit missing message
Article • 10/04/2022
Use the following diagram to start troubleshooting a missing message with SQL Server
replication reinitialization (reinit):
The diagram (image not reproduced here) walks through these steps:
1. Get the TrackingGuid and status from the subscriber site. If the query has no result,
end here.
2. Get the TrackingGuid and status from the publishing site, and continue based on whether
that query returns a result.
Queries
This diagram uses the following queries:
Check if site replication hasn't finished reinit
SQL
SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
    ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
SQL
SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
WHERE RequestTrackingGUID=@trackingGuid
Remediation actions
SQL
WHERE it.RequestTrackingGUID=@trackingGuid
Then use the InitializeData method on the SMS_ReplicationGroup WMI class with the
following values:
Example
PowerShell
Next steps
SQL Server replication reinitialization (reinit)
Introduction to queries in Configuration Manager
Article • 10/04/2022
You can create and run queries to locate objects in a Configuration Manager hierarchy
that match your query criteria. These objects include items like specific types of
computers or user groups. Queries can return most types of Configuration Manager
objects, which include sites, collections, applications, and inventory data.
After you create an initial query, you can specify additional query criteria. For example,
you can specify that the query results include only computers that are assigned to a
specified site. You can also change how results are displayed so you can view the results
in an order that's meaningful to you. For example, you can specify that the results are
sorted by the amount of free hard drive space, in either ascending or descending order.
When you create a query, it's stored by Configuration Manager and displayed in the
Queries node in the Monitoring workspace. From this location, you can create new
queries and run, update, and manage existing queries.
You can also import a query into a query rule in a Configuration Manager collection. For
more information, see How to create collections.
Next steps
How to create queries
How to manage queries in Configuration Manager
Article • 10/04/2022
For information about how to create queries, see How to create queries.
Manage queries
In the Monitoring workspace, select Queries, select the query to manage, and then
select a management task.
Run: Runs the selected query and displays the results in the Configuration Manager
console.
Install Client: Opens the Install Client Wizard, which lets you install the Configuration
Manager client on computers returned by the selected query. This option isn't available
for queries that return mobile devices, users, or user groups.
Export: Opens the Export Objects Wizard. This wizard lets you export the query to a
Managed Object Format (MOF) file that you can then import at another site.
Move: Opens the Move Selected Items dialog box. This dialog box lets you move the selected
query to a folder that you previously created under the Queries node.
Next steps
Create queries
Create queries in Configuration Manager
Article • 10/04/2022
This article describes how to create and import queries in Configuration Manager.
Create a query
Use this procedure to create a query in Configuration Manager.
2. In the Monitoring workspace, select Queries. On the Home tab, in the Create
group, select Create Query.
3. On the General tab of the Create Query Wizard, specify a unique name and,
optionally, a comment for the query.
4. If you want to import an existing query to use as a basis for the new query, select
Import Query Statement. In the Browse Query dialog box, select a query that you
want to import, and then select OK.
5. In the Object Type list, select the type of object that you want the query to return.
This table describes some examples of the types of objects you can search for:
System Resource: Use to search for typical system attributes, like the NetBIOS name of a
device, the client version, the client IP address, and Active Directory Domain Services
information.
User Resource: Use to search for typical user information, like user names, user group
names, and security group names.
Deployment: Use to search for typical attributes of a deployment, like the deployment
name, the schedule, and the collection that it was deployed to.
6. Select Edit Query Statement to open the <Query Name> Statement Properties
dialog box.
7. On the General tab of the <Query Name> Statement Properties dialog box,
specify the attributes that the query returns and how they should be displayed.
Select the New icon to add a new attribute. You can also select Show Query
Language to enter or edit the query directly in WMI Query Language (WQL). For
examples of WMI queries, see the Example WQL queries section in this article.
You can use the following reference documentation to help you construct
your own WQL queries:
WQL (SQL for WMI)
WHERE Clause
WQL Operators
Starting in Configuration Manager 2010, you can preview the results when
you're creating or editing a query for collection membership. In the Query
Statement Properties, select the green triangle to show the Query Results
Preview window. Select Stop if you want to stop a long running query.
8. On the Criteria tab of the <Query Name> Statement Properties dialog box,
specify criteria that are used to refine the results of the query. For example, you
could return only resources that have a site code of XYZ. You can configure
multiple criteria for a query.
Important
If you create a query that contains no criteria, the query will return all devices
in the All Systems collection.
9. On the Joins tab of the <Query Name> Statement Properties dialog box, you can
combine data from two different attributes into your query results. Although
Configuration Manager automatically creates query joins when you choose
different attributes for your query result, the Joins tab provides more advanced
options. Configuration Manager supports these attribute classes:
Inner: Displays only matching results. Always used by joins that are created
automatically.
Left: Displays all results for the base attribute and only the matching results for the
join attribute.
Right: Displays all results for the join attribute and only the matching results for the
base attribute.
Full: Displays all results for both the base attribute and the join attribute.
For more information about how to use join operations, see the SQL Server
documentation.
10. Select OK to close the <Query Name> Statement Properties dialog box.
11. On the General tab of the Create Query Wizard, specify that the results of the
query aren't limited to the members of a collection, that they are limited to the
members of a specified collection, or that a prompt for a collection appears each
time the query is run.
12. Complete the wizard to create the query. The new query appears in the Queries
node in the Monitoring workspace.
Import a query
Use this procedure to import a query into Configuration Manager. For information
about how to export queries, see How to manage queries.
2. In the Monitoring workspace, select Queries. On the Home tab, in the Create
group, select Import Objects.
3. On the MOF File Name page of the Import Objects Wizard, select Browse to
select the Managed Object Format (MOF) file that contains the query that you
want to import.
4. Review the information about the query to be imported and then complete the
wizard. The new query appears on the Queries node in the Monitoring workspace.
Tip
Use the wildcard character % to signify any string of characters. For example,
%Visio% returns Microsoft Office Visio 2010.
Computers that run Windows 10
Use the following query to return the NetBIOS name and operating system version of all
computers that run Windows 10.
WQL
select SMS_R_System.NetbiosName,
SMS_R_System.OperatingSystemNameandVersion from
SMS_R_System where
Tip
This query searches for the software package by using the names that are displayed
in the programs list in Windows Control Panel.
WQL
select SMS_R_System.NetbiosName,
SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName from
SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on
SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId =
SMS_R_System.ResourceId where
SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "%Visio%"
WQL
select SMS_R_System.NetbiosName,
SMS_R_System.SystemOUName from
SMS_R_System where
Device type and value of AgentEdition:
Nokia Symbian: 3
Windows Phone: 4
Mac computer: 5
Windows Embedded: 7
Note
Values that aren't listed in this table are associated with devices that are no longer
supported.
For example, if you want to return only Mac computers, use this query:
WQL
select SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client
from SMS_R_System
where AgentEdition = 5
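The queries above are what the console's Show Query Language view produces. As an added example (this is not code from the Configuration Manager documentation or the product), the following PowerShell builds the same kind of joined WQL query and runs it through the SMS Provider. The site code ABC, the provider host name and the product-name pattern are placeholders. The quoting helper is the point of the example: a pattern taken from user input is escaped before it is placed inside the WQL string literal, so a quote character in the input cannot end the literal early and change the query's criteria. The result shape for joined queries (one embedded object per joined class) is an assumption about the provider stated here, not something the article says.

```powershell
# Added example, not from the Configuration Manager documentation.
# Assumed placeholders: site code 'ABC', provider host 'cmprov01.contoso.example'.

function ConvertTo-WqlLiteral {
    # Quote a value for use inside a WQL string literal. WQL uses a backslash as the
    # escape character, so backslashes and double quotes in the value are escaped;
    # otherwise a quote in the input would terminate the literal and alter the criteria.
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value.Replace('\', '\\').Replace('"', '\"')
    return '"' + $escaped + '"'
}

function New-InstalledSoftwareQuery {
    # Returns WQL for the "computers with a specific software package" pattern:
    # inner join from the discovery record (SMS_R_System) to the Add/Remove Programs
    # inventory class, filtered on DisplayName. '%' is the WQL wildcard.
    param([Parameter(Mandatory)][string]$DisplayNamePattern)
    $literal = ConvertTo-WqlLiteral -Value $DisplayNamePattern
    return @"
select SMS_R_System.NetbiosName, SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS
  on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like $literal
"@
}

function Invoke-CmWqlQuery {
    # Runs a WQL query in the SMS Provider namespace for the site (root\sms\site_<SiteCode>).
    # Requires an account that is a Configuration Manager administrative user.
    param(
        [Parameter(Mandatory)][string]$ProviderHost,   # assumption: SMS Provider machine
        [Parameter(Mandatory)][string]$SiteCode,       # assumption: three-character site code
        [Parameter(Mandatory)][string]$Query
    )
    $namespace = "root\sms\site_$SiteCode"
    Get-CimInstance -ComputerName $ProviderHost -Namespace $namespace -Query $Query
}

# Usage with placeholder values. The generated text is printed so it can be compared
# with what the console shows under Show Query Language.
$wql = New-InstalledSoftwareQuery -DisplayNamePattern '%Visio%'
$wql

# Joined results arrive as one embedded object per class (assumption about the provider):
# Invoke-CmWqlQuery -ProviderHost 'cmprov01.contoso.example' -SiteCode 'ABC' -Query $wql |
#     ForEach-Object { '{0}: {1}' -f $_.SMS_R_System.NetbiosName,
#                                    $_.SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName }
```

Passing the pattern through `ConvertTo-WqlLiteral` rather than string-concatenating it matters most when the pattern comes from a form, a ticket or a script parameter rather than from the administrator typing it into the console; the provider enforces the caller's role-based permissions, but a malformed criterion still returns the wrong set of devices.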
Next steps
How to manage queries
Security and privacy for queries in
Configuration Manager
Article • 10/04/2022
Queries in Configuration Manager let you retrieve information from the site database
according to criteria that you specify. Configuration Manager collects site database
information during standard operation. For example, by using information that's been
collected during discovery or inventory, you can configure a query to identify devices
that meet specified criteria.
For more information about queries, see Introduction to queries. For security best
practices and privacy information about Configuration Manager operations that collect
the data you can retrieve by using queries, see Security and privacy for Configuration
Manager.
When you export or import a query, restrict who can access the network folder.
Next steps
Security and privacy for Configuration Manager
Introduction to reporting in
Configuration Manager
Article • 10/04/2022
Reporting in Configuration Manager provides a set of tools and resources that help you
use the advanced reporting capabilities of SQL Server Reporting Services (SSRS) and
Power BI Report Server. Both reporting platforms provide rich authoring experiences for
custom reports. Reporting helps you gather, organize, and present information about
the wealth of Configuration Manager data in your organization. Configuration Manager
provides many predefined reports in Reporting Services that you can use without
changes. You can duplicate and modify the default reports to meet your requirements,
or you can create custom reports.
Configuration Manager uses SQL Server Reporting Services as its primary reporting
solution. Integration with Reporting Services provides the following advantages:
For more information, see What is SQL Server Reporting Services (SSRS)?
Power BI Report Server
Starting in version 2002, integrate Power BI Report Server with Configuration Manager
reporting. This integration gives you modern visualization and better performance. It
adds console support for Power BI reports similar to what already exists with SQL Server
Reporting Services. For more information, see Integrate with Power BI Report Server.
Power BI Report Server is an on-premises report server with a web portal in which you
display and manage reports. It includes tools to create Power BI reports, paginated
reports, mobile reports, and KPIs. For more information, see What is Power BI Report
Server?.
For more information about how to plan for and install a reporting services point, see
the following articles:
Configure reporting
Reports don't propagate up or down the Configuration Manager hierarchy. They run
only against the database of the site in which you create them. Because Configuration
Manager replicates global data throughout the hierarchy, you have access to hierarchy-
wide information in reports. When a report retrieves data from a site database, it has
access to site data for the current site and child sites, and global data for every site in
the hierarchy.
Like other Configuration Manager objects, an administrative user must have the
appropriate permissions to run or modify reports. To run a report, an administrative user
must have the Run Report permission for the object. To create or modify a report, an
administrative user must have the Modify Report permission for the object.
Starting in version 2002, to create or edit Power BI reports, the console integrates with
Power BI Desktop. For more information, see Create Power BI reports.
Run reports
When you run a Reporting Services-based report in the Configuration Manager console,
Report Viewer opens and connects to Reporting Services. After you specify any required
report parameters, Reporting Services then retrieves the data and displays the results in
the viewer. You can also connect directly to SQL Server Reporting Services, connect to the
data source for the site, and run reports.
Starting in version 2002, when you run a Power BI-based report, it opens in the web
browser.
Add to Favorites
Configuration Manager ships with several hundred reports by default, and you might
add more to that list. Instead of continually searching for reports you commonly use,
starting in version 2103 you can make a report a favorite. This action allows you to
quickly access it from the Favorites node.
Report prompts
You can configure a report prompt or parameter when you create or modify a report.
Create report prompts to limit or target the data that a report retrieves. A report can
contain more than one prompt. Make sure the prompt names are unique and contain
only alphanumeric characters that conform to the SQL Server rules for identifiers.
When you run a report, the prompt requests a value for a required parameter. Based on
the parameter value, it retrieves the report data. For example, the Computer
information for a specific computer report prompts for a computer name. Reporting
Services passes the specified value to a variable defined in the report's SQL statement.
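To make the prompt-to-variable step concrete, here is an added PowerShell example (not from the documentation) that runs the same kind of parameterized statement a report dataset uses, with the prompt value bound as the SQL parameter @ComputerName rather than pasted into the query text. That binding is why a prompt can only narrow the data the report returns and cannot change what the statement does. The server and database names are placeholders; v_R_System with its ResourceID, Netbios_Name0 and Client0 columns is a standard Configuration Manager reporting view.

```powershell
# Added example, not from the Configuration Manager documentation.
# Assumed placeholders: SQL Server 'cmsql01.contoso.example', database 'CM_ABC'.

function Get-CmComputerRecord {
    param(
        [Parameter(Mandatory)][string]$SqlServer,    # assumption: site database server
        [Parameter(Mandatory)][string]$Database,     # assumption: CM_<SiteCode>
        [Parameter(Mandatory)][string]$ComputerName  # the value a report prompt would supply
    )

    # Same shape as a report dataset query: @ComputerName is a variable that the
    # report's prompt fills in. It is sent as a parameter, never spliced into the text.
    $sql = @"
select ResourceID, Netbios_Name0, Client0
from v_R_System
where Netbios_Name0 = @ComputerName
"@

    # Integrated Windows authentication and an encrypted connection to the site database.
    $connectionString = "Server=$SqlServer;Database=$Database;Integrated Security=True;Encrypt=True"
    $connection = [System.Data.SqlClient.SqlConnection]::new($connectionString)
    $command = $connection.CreateCommand()
    $command.CommandText = $sql

    # Typed, length-bounded parameter: the value is data, whatever characters it contains.
    $null = $command.Parameters.Add('@ComputerName', [System.Data.SqlDbType]::NVarChar, 64)
    $command.Parameters['@ComputerName'].Value = $ComputerName

    try {
        $connection.Open()
        $adapter = [System.Data.SqlClient.SqlDataAdapter]::new($command)
        $table = [System.Data.DataTable]::new()
        $null = $adapter.Fill($table)
        return $table
    }
    finally {
        $connection.Dispose()
    }
}

# Usage with placeholder values:
# Get-CmComputerRecord -SqlServer 'cmsql01.contoso.example' -Database 'CM_ABC' -ComputerName 'PC001' |
#     Format-Table ResourceID, Netbios_Name0, Client0
```

When you author the dataset in Report Builder, the same @ComputerName variable in the SQL statement becomes the report parameter that the prompt asks for; keep the parameter name alphanumeric, as the section above notes, so it is a valid SQL identifier on both sides.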
Report links
Report links in Configuration Manager are used in a source report to provide easy
access to other data. For example, it can link to more detailed information about each of
the items in the source report. If the destination report requires one or more prompts to
run, the source report must contain a column with the appropriate values for each
prompt.
The link needs to specify the column number with the value for the prompt. For
example:
There's one report that lists computers that the site recently discovered.
You link from it to another report that lists the last messages that the site receives
for a specific computer.
You create the link, and specify that column 2 in the source report contains the
computer name. This value is a required prompt for the destination report.
You run the source report, and a link icon appears to the left of each row of data.
You select the icon on a row, and Report Viewer passes the value in the specified
column for that row as the prompt value for the destination report.
You can only configure one link for a report, and that link can only connect to a single
destination report.
Warning
If you move a destination report to a different report folder, the location for the
destination report changes. Configuration Manager doesn't automatically update
the report link in the source report with the new location, and the link won't work in
the source report.
Report folders
Report folders provide a method to sort and filter reports that Configuration Manager
stores in Reporting Services. Report folders are useful when you have many reports to
manage. When you install a reporting services point, it copies reports to Reporting
Services and organizes them into more than 50 report folders. The report folders are
read-only. You can't modify them in the Configuration Manager console.
Report subscriptions
A report subscription in Reporting Services is a recurring request to deliver a report at a
specific time or in response to an event. You specify in the subscription an application
file format. Subscriptions provide an alternative to running a report on demand. On-
demand reporting requires that you actively select the report each time you want to
view the report. In contrast, subscriptions can be used to schedule and then automate
the delivery of a report.
You can manage report subscriptions in the Configuration Manager console. The report
server processes the subscriptions. It distributes them by using delivery extensions that
are deployed on the server. By default, you can create subscriptions that send reports to
a shared folder or to an email address.
Report Builder
For Reporting Services-based reports, Configuration Manager uses Microsoft SQL Server
Report Builder as the exclusive authoring and editing tool for both model-based and
SQL-based reports. If you create or edit a report in the Configuration Manager console,
Report Builder opens. When you create or modify a report for the first time, Report
Builder installs automatically. The version of Report Builder associated with the installed
version of SQL Server opens when you run or edit reports.
The Report Builder installation adds support for over 20 languages. When you run
Report Builder, it displays data in the language of the local computer's OS. If Report
Builder doesn't support the language, it displays the data in English. Report Builder
supports the full capabilities of SQL Server Reporting Services, which includes the
following capabilities:
Offers the flexible report layout of SQL Server report definition language (RDL).
Provides various forms of data visualization including charts and gauges.
Give logical business names to database fields and views. To produce reports, you
don't require knowledge of the Configuration Manager database structure.
Secure model elements so that administrative users can see only the data that they
have permission to see.
You can also open Report Builder directly from SQL Server Reporting Services.
Although Configuration Manager provides sample report models, you can also define
report models to meet your own business requirements. For more information about
how to create report models, see Create custom report models.
Next steps
Plan for reporting
Integrate with Power BI Report Server
Article • 10/04/2022
You can integrate Power BI Report Server with Configuration Manager reporting. This
integration gives you modern visualization and better performance. It adds console
support for Power BI reports similar to what already exists with SQL Server Reporting
Services.
Save Power BI Desktop report files (.PBIX) and deploy them to the Power BI Report
Server. This process is similar to the one for SQL Server Reporting Services report files (.RDL).
You can also launch the reports in the browser directly from the Configuration Manager
console.
Prerequisites
Power BI Report Server license. For more information, see Licensing Power BI
Report Server.
Warning
If you skip this step, you'll lose access to any custom reports in SQL Server
Reporting Services.
Before you add the reporting services point role in Configuration Manager,
use SQL Server Reporting Services Configuration Manager to test and verify
the configuration. For more information, see Verify SQL Server Reporting
Services installation.
2. Add the reporting services point role in Configuration Manager. For more
information, see Configure reporting.
2. Install Power BI Desktop. Make sure the language is the same and verify the
versioning prerequisites.
3. After it installs, launch Power BI Desktop at least once before you open the
Configuration Manager console.
2. In the ribbon, select Create Report. This action opens Power BI Desktop.
4. When the report is ready to save, go to the File menu, select Save as, then choose
Power BI Report Server.
5. In the Power BI Report Server Selection window, enter the URL for the reporting
services point as the New report server address. For example,
https://rsp.contoso.com/Reports. Select OK.
Tip
Reports and report folders with Power BI reports must be located in the
ConfigMgr_<SiteCode> folder on the report server or they won't appear in the
Configuration Manager console.
In the Configuration Manager console, you see the new report in the list of Power BI
Reports. If you don't see your reports, verify that you saved the reports to the
ConfigMgr_<SiteCode> folder.
There are sample reports available for download. For more information, see Install
Power BI sample reports.
2. From All objects or a search, choose a Power BI report template, then select
Download.
3. Select a file location to save the downloaded .pbit file and choose Save.
5. Select Yes and Power BI Desktop (Optimized for Power BI Report Server) will load
the .pbit file.
6. Specify your Configuration Manager database name and database server name
when prompted, then select Load.
Note
When loading or applying the data model, ignore any errors if you come
across one. For example, if you see the following error: "Connecting to tables
from more than one database isn't supported in DirectQuery mode", select
Close. Then refresh the data source settings:
a. In Power BI Desktop, in the ribbon, select Edit Queries, and then select
Data source settings.
b. Select Change Source, confirm your server and database names, and select
OK.
c. Close the data source settings window, and then select Apply changes.
7. When the report data is loaded, select File > Save As, then select Power BI Report
Server.
8. Save the report to a folder on the root Configuration Manager reporting folder on
the reporting point. You may want to create a Downloaded Reports folder for these
items.
9. Repeat the steps for any other report templates that were downloaded. When
you're done, close Microsoft Power BI Desktop (Optimized for Power BI Report
Server).
Known issues
There's a known issue with Power BI Report Server and email subscriptions. After you
configure the email settings in the Reporting Services Configuration Manager, when you
try to create a new subscription, the option to deliver a report by Email isn't available. To
work around this issue, restart the Power BI Report Server service.
Next steps
After you create a report, use the following actions in the Configuration Manager
console:
Run in Browser: Opens the Power BI report in the web browser. Share this URL
with others, for example:
https://rsp.contoso.com/Reports/POWERBI/ConfigMgr_ABC/Windows%2010/Windows10%20Dashboard?rs:embed=true
Edit: Make changes to the report in Power BI Desktop. For an existing report, use
the Save option to save changes back to the report server.
Add to Favorites: Starting in version 2103, you can make a report a favorite. This
action allows you to quickly access it from the Favorites node. For more
information, see Operations and maintenance for reporting.
For more information on log files to use for reporting, see Log file reference - Reporting.
Install Power BI sample reports
Article • 10/04/2022
You can integrate Power BI Report Server with Configuration Manager reporting. There
are sample reports available for download that you can install in Configuration Manager.
This article explains how to install the Power BI sample reports in Configuration
Manager.
Prerequisites
Configuration Manager reporting services point with Power BI Report Server
integrated
Microsoft Power BI Desktop (Optimized for Power BI Report Server). Use a version
released between September 2019 and January 2021. For versioning
information, see the Change log for Power BI Report Server.
1. Download the Power BI sample reports from the Microsoft Download Center.
Note
Some of the sample reports are also available for download in Community hub.
1. On the Power BI Report server, create a new folder called Sample Reports in the
root Configuration Manager reporting folder.
3. Select File then Open and navigate to where you saved the extracted .pbit files.
5. Specify your Configuration Manager database name and database server name
when prompted, then select Load.
Note
When loading or applying the data model, ignore any errors if you come
across one. For example, if you see the following error: "Connecting to tables
from more than one database isn't supported in DirectQuery mode", select
Close. Then refresh the data source settings:
a. In Power BI Desktop, in the ribbon, select Edit Queries, and then select
Data source settings.
b. Select Change Source, confirm your server and database names, and select
OK.
c. Close the data source settings window, and then select Apply changes.
6. When the report data is loaded, select File > Save As, then select Power BI Report
Server.
7. Save the report to the Sample Reports folder you created on the reporting point.
8. Repeat the steps for any other sample reports. When you're done, close Microsoft
Power BI Desktop (Optimized for Power BI Report Server).
10. Right-click on one of the reports and select Run in Browser to launch the report.
Sample reports
The following sample Power BI reports are included in the download:
Reporting in Configuration Manager provides a set of tools and resources that help you
use the advanced reporting capabilities of SQL Server Reporting Services or Power BI
Report Server. Use the following sections to help you plan for reporting in Configuration
Manager.
Note
For more information about planning for site systems in Configuration Manager,
see Add site system roles.
A reporting services point with a child primary site database as its reporting data
source has access to global data and site data for only the local primary site and
any child secondary sites. Site data for other primary sites in the Configuration
Manager hierarchy doesn't replicate to this primary site. Reporting Services can't
access site data for other primary sites. If you require reports that contain site data
for a specific primary site or global data, and you don't want the user to have
access to site data from other primary sites, install a reporting services point on a
site system at the primary site. Then use the primary site's database as the
reporting data source.
For more information on global and site data, see Types of data.
For more information about planning for site systems, see Add site system roles.
Unlike other objects in Configuration Manager, the security rights that you set for
administrative users in the Configuration Manager console are also configured in
Reporting Services. When you configure security rights in the Configuration Manager
console, the reporting services point connects to Reporting Services and sets
appropriate permissions for reports.
For example, the Software Update Manager security role has the Run Report and
Modify Report permissions. Users with the Software Update Manager role can only run
and modify reports for software updates. The Configuration Manager console doesn't
display reports for other objects to this role. The exception to this behavior is that some
reports aren't associated with specific Configuration Manager securable objects. For
these reports, the administrative user must have the Read right for the Site permission
to run the reports and the Modify right for the Site permission to modify the reports.
Important
For users from a different domain than that of the reporting services point account
to successfully run reports, establish a two-way trust between the two domains.
Reports are fully enabled for role-based administration. Configuration Manager filters
the data for all included reports based on the permissions of the user who runs the
report. Users with specific roles can only view information defined for their roles.
For more information about security rights for reporting, see Configure reporting.
Reporting recommendations
Consider the following recommendations and tips for reporting in Configuration
Manager:
For best performance, install the reporting services point on a remote site system.
Although you can install it on the site server, the reporting services point performs
best when you install it on a remote site system. When this role does background
processing, it can compete for system resources with other roles. There are many
variables to consider with site and role performance, but in general this
configuration improves reporting and overall site performance.
Optimize SQL Server Reporting Services queries. Typically any reporting delays are
because of the time it takes to run queries and retrieve the results. Microsoft SQL
Server tools such as Query Analyzer and Profiler can help you optimize queries.
For more information about any security recommendations and privacy information for
Configuration Manager operations that might generate data that you can view in
reports, see Security and privacy for Configuration Manager.
Next steps
Prerequisites for reporting
Prerequisites for reporting in
Configuration Manager
Article • 10/04/2022
For more information about planning and deploying Reporting Services, see Install
SQL Server Reporting Services.
Install the Reporting Services database on either the default instance or a named
instance of a 64-bit SQL Server installation. Colocate the SQL Server instance with the
site system server, or configure it on a remote computer.
Configuration Manager supports the same versions of SQL Server for reporting as it
does for the site database. For more information, see Supported SQL Server versions.
Configuration Manager supplies many built-in reports covering many of the reporting
tasks that you might want to do. You can also use the SQL statements in these reports
to help you to write your own reports.
The following reports are included with Configuration Manager. The reports appear in
various categories.
Administrative security
The following six reports are listed under the Administrative Security category.
Administrative users security assignments: Displays administrative users, their associated security roles, and the security scopes associated with each security role for each user.
Objects secured by a single security scope: Displays objects that an administrator assigned to only the specified security scope. This report doesn't display objects that an administrator associates with more than one security scope.
Security for a specific or multiple Configuration Manager objects: Displays securable objects, the security scopes associated with the objects, and which administrative users have rights to the objects.
Security roles summary: Displays security roles and the Configuration Manager administrators associated with each role.
Security scopes summary: Displays security scopes and the Configuration Manager administrative users and security groups associated with each scope.
Alerts
The following two reports are listed under the Alerts category.
Alert scorecard: Displays a summary of all postponed alerts that were generated between the specified start and finish date.
Alerts Generated Most Often: Displays a summary of the alerts that were generated most often from today back to the specified date for the specified feature area.
Asset Intelligence
The following 67 reports are listed under the Asset Intelligence category.
Hardware 03A - Primary computer users: Displays users and the count of computers on which they're the primary user.
Hardware 03B - Computers for a specific primary console user: Displays all computers for which a specified user is the primary console user.
Hardware 04A - Computers with multiple users (shared): Displays computers that don't have a primary user because no one user has a signed-in time greater than 66%.
Hardware 05A - Console users on a specific computer: Displays all of the console users on a specified computer.
Hardware 06A - Computers for which console users could not be determined: Helps administrative users identify computers that need to have security logging turned on.
Hardware 07B - USB devices by manufacturer and description: Displays USB devices, grouped by manufacturer and description.
Hardware 07C - Computers with a specific USB device: Displays all the computers with a specified USB device.
Hardware 07D - USB devices on a specific computer: Displays all USB devices on a specified computer.
Hardware 08A - Hardware that is not ready for a software upgrade: Displays hardware that doesn't meet the minimum hardware requirements.
Hardware 09A - Search for computers: Displays a summary of computers matching keyword filters. These filters are computer name, Configuration Manager site, domain, top console user, operating system, manufacturer, or model.
Hardware 10B - Changes on a specified computer within a specified timeframe: Displays the classes that have changed on a specified computer within a specified time period.
License 01A - Microsoft Volume License ledger for Microsoft license statements: Displays an inventory of all Microsoft software titles that are available from the Microsoft Volume Licensing program.
License 01B - Microsoft Volume License ledger item by sales channel: Identifies and displays sales channel for inventoried Microsoft Volume License software.
License 01C - Computers with a specific Microsoft Volume License ledger item and sales channel: Identifies and displays computers that have a specified item from the Microsoft Volume license ledger.
License 01D - Microsoft Volume License ledger products on a specific computer: Identifies and displays all Microsoft Volume license ledger items on a specified computer.
License 02B - Computers with licenses nearing expiration: Displays the specified computers with licenses that are nearing expiration.
License 02C - License information on a specific computer: Displays products on a specified computer that have their licenses managed by the Software Licensing Service.
License 03A - Count of licenses by license status: Displays products, by license status, which have their licenses managed by the Software Licensing Service.
License 03B - Computers with a specific license status: Displays products, with a specified license status, whose licenses are managed by the Software Licensing Service.
License 04A - Count of products managed by software licensing: Displays a count of products that have their licenses managed by the Software Licensing Service.
License 04B - Computers with a specific product managed by Software Licensing Service: Displays computers, managed by the Software Licensing Service, that include a specified product.
License 05A - Computers providing Key Management Service: Displays computers that act as Key Management Servers.
License 06A - Processor counts for per-processor licensed products: Displays the number of processors on computers using Microsoft products that support per-processor licensing.
License 06B - Computers with a specific product that supports per-processor licensing: Displays a list of computers where a specified Microsoft product that supports per-processor licensing is installed.
License 14B - List of Microsoft software inventory not found in MVLS: This report displays Microsoft software titles in use that aren't found in the Microsoft Volume License Agreement.
License 15A - General license reconciliation report: Displays reconciliation on general software licenses acquired and the actual inventory count.
License 15B - General license reconciliation report by computer: Displays computers that installed the licensed product with a specified version.
Software 01A - Summary of installed software in a specific collection: Displays a summary of installed software ordered by the number of instances found from inventory.
Software 02A - Product families for a specific collection: Displays the product families and the count of software in the family for a specified collection.
Software 02B - Product categories for a specific product family: Displays the product categories in a specified product family and the count of software within the category.
Software 02C - Software in a specific product family and category: Displays all software that is in the specified product family and category.
Software 02D - Computers with specific software installed: Displays all computers with specified software installed.
Software 04B - Computers with specific software configured to automatically run: Displays all computers with specified software configured to automatically run.
Software 05A - Browser Helper Objects: Displays the browser helper objects installed on computers in a specified collection.
Software 05B - Computers with a specific Browser Helper Object: Displays all of the computers with a specified browser helper object.
Software 05C - Browser Helper Objects on a specific computer: Displays all browser helper objects on the specified computer.
Software 06A - Search for installed software: This report provides a summary of installed software. It searches based on the following criteria: product name, publisher, or version.
Software 07A - Recently used executable programs by the count of computers: Displays executable programs that users recently used. It also includes the count of computers on which users used the program. Software metering must be enabled for this site to view this report.
Software 07B - Computers that recently used a specified executable program: Displays the computers on which users recently used a specified executable program. This report requires that you enable the software metering client setting.
Software 07C - Recently used executable programs on a specified computer: Displays executable files that users recently used on a specified computer. This report requires that you enable the software metering client setting.
Software 08A - Recently used executable programs by the count of users: Displays executable programs that users recently used. It also includes a count of users that most recently used the program. This report requires that you enable the software metering client setting.
Software 08B - Users that recently used a specified executable program: Displays the users that most recently used a specified executable program. This report requires that you enable the software metering client setting.
Software 08C - Recently used executable programs by a specified user: Displays executable programs that the specified user used recently. This report requires that you enable the software metering client setting.
Software 09A - Infrequently used software: Displays software titles that users haven't used during a specified period of time.
Software 09B - Computers with infrequently used software installed: Displays computers with installed software that users haven't used for a specified period of time. The specified period of time is based on the value specified in the 'Software 09A - Infrequently used software' report.
Software 10A - Software titles with specific multiple custom labels defined: Displays software titles based on matching of all specified custom label criteria. Up to three custom labels can be selected to refine a software title search.
Software 10B - Computers with a specific custom-labeled software title installed: Displays all computers in this collection that have the specified custom-labeled software title installed.
Software 11A - Software titles with a specific custom label defined: Displays software titles based on matching of at least one of the specified custom label criteria.
Software 12A - Software titles without a custom label: Displays all software titles that don't have a custom label defined.
Software 14A - Search for software identification tag enabled software: Displays a count of installed software with a software identification tag enabled.
Software 14B - Computers with specific software identification tag enabled software installed: Displays all computers that have installed software with a specified software identification tag enabled.
Software 14C - Installed software identification tag enabled software on a specific computer: Displays all installed software with a specified software identification tag enabled on a specified computer.
Lifecycle 02A - List of machines with expired products in the organization: View computers that have expired products on them. You can filter this report by product name.
Lifecycle 03A - List of expired View details for products in your environment that have expired
products found in the lifecycle dates.
organization
Lifecycle 04A - General View a list of product lifecycles. Filter the list by product name
Product Lifecycle overview and days to expiration.
Lifecycle 05A - Product Starting in version 1810, this report includes similar information
lifecycle dashboard as the in-console dashboard.
Client push
The following four reports are listed under the Client Push category.

| Report name | Description |
| --- | --- |
| Client push installation status details | Displays information about the client push installation process for all sites. |
| Client push installation status details for a specified site | Displays information about the client push installation process for a specified site. |
| Client push installation status summary | Displays a summary view of the client push installation status for all sites. |
| Client push installation status summary for a specified site | Displays a summary view of the client push installation status for a specified site. |
Client status
The following seven reports are listed under the Client Status category.

| Report name | Description |
| --- | --- |
| Client remediation details | Displays details of client remediation actions for a collection you specify. |
| Client status history | Displays a historical view of overall client status in the site. |
| Client status summary | Displays the client check results of active clients for a given collection. |
| Client time to request policy | Displays the percentage of clients that requested policy at least once in the last 30 days. Each day represents a percentage of total clients that requested policy since the first day in the cycle. |
| Clients with failed client check details | Displays details about clients that client check failed for a specified collection. |
| Report name | Description |
| --- | --- |
| Certificate issuance history | Displays the history of certificates issued by the certificate registration point to users and devices for the specified date range. |
| List of assets by certificate issuance status | Displays the devices or users in a specified certificate issuance state following the evaluation of a specified certificate profile. |
| List of assets with certificates nearing expiry | Displays the devices or users with certificates that expire on or before the specified date. |
| Report name | Description |
| --- | --- |
| Details of compliant rules of configuration items in a configuration baseline for an asset | Displays information about the rules evaluated as compliant for a specified configuration item for a specified device or user. |
| Details of non-compliant rules of configuration items in a configuration baseline for an asset | Displays information about rules that were evaluated as noncompliant for a specified configuration item, for a specified device or user. |
| Details of remediated rules of configuration items in a configuration baseline for an asset | Displays information about rules that were remediated by a specified configuration item for a specified device or user. |
| List of assets by compliance state for a configuration baseline | Displays the devices or users in a specified compliance state following the evaluation of a specified configuration baseline. |
| List of assets by compliance state for a configuration item in a configuration baseline | Displays the devices or users in a specified compliance state following the evaluation of a specified configuration item. |
| List of noncompliant Apps and Devices for a specified user | Displays information about users and devices that have apps installed that aren't compliant with a policy you specified. |
| List of rules conflicting with a specified rule for an asset | Displays a list of rules that conflict with a specified rule for a deployed configuration item. |
| List of unknown assets for a configuration baseline | Displays a list of devices or users that haven't yet reported any compliance data for a specified configuration baseline. |
| List of unknown assets for a configuration item | Displays a list of devices or users that haven't yet reported any compliance data for a specified configuration item. |
| Rules and errors summary of configuration items in a configuration baseline for an asset | Displays a summary of the compliance state of the rules and any setting errors for a specified configuration item. The configuration item must be deployed to a device or user. |
| Summary of Users who have Noncompliant Apps | Displays information about users that have apps installed that aren't compliant with a policy you specified. |
| Terms and Conditions acceptance | Displays Terms and Conditions items and which version each user has accepted. |
Data warehouse
The following seven reports are listed under the Data warehouse category.

| Report name | Description |
| --- | --- |
| Endpoint Protection and Software Update Compliance | Historical: View computers that are missing software updates. |
| General Hardware Inventory | Historical: View all hardware inventory for a specific machine. |
| General Software Inventory | Historical: View all software inventory for a specific machine. |
| List of Malware Detected | Historical: View malware that has been detected in the organization. |
Device management
The following 37 reports are listed under the Device Management category.
Note

| Report name | Description |
| --- | --- |
| All corporate-owned mobile devices | Displays all corporate owned mobile devices. |
| All mobile device clients | Displays information about all mobile device clients. Devices that are managed by the Exchange Server connector aren't included. |
| Certificate issues on mobile devices that are managed by the Configuration Manager client for Windows CE and that are not healthy | Displays detailed information about certificate issues on mobile devices that are managed by the Configuration Manager client for Windows CE. |
| Client deployment failure for mobile devices that are managed by the Configuration Manager client for Windows CE | Displays detailed information about deployment failure for mobile devices that are managed by the Configuration Manager client for Windows CE. |
| Client deployment status details for mobile devices that are managed by the Configuration Manager client for Windows CE | Displays information about the status of mobile devices that are managed by the Configuration Manager client for Windows CE. |
| Client deployment success for mobile devices that are managed by the Configuration Manager client for Windows CE | Displays detailed information about deployment success for mobile devices that are managed by the Configuration Manager client for Windows CE. |
| Compliance status of default ActiveSync mailbox policy for the mobile devices that are managed by the Exchange Server connector | Displays a summary of the compliance status with the Default Exchange ActiveSync mailbox policy for the mobile devices managed by the Exchange Server connector. |
| Count of mobile devices by display configurations | This report displays the number of mobile devices by display settings. |
| Count of mobile devices by program memory | Displays the number of mobile devices by program memory. |
| Health information for mobile devices that are managed by the Configuration Manager client for Windows CE | Displays detailed health information for mobile devices that are managed by the Configuration Manager client for Windows CE. |
| Health summary for mobile devices that are managed by the Configuration Manager client for Windows CE | Displays health summary information for mobile devices that are managed by the Configuration Manager client for Windows CE. |
| Inactive mobile devices that are managed by the Exchange Server connector | Displays the mobile devices managed by the Exchange Server connector that haven't connected to an Exchange Server in a specified number of days. |
| List of devices by Health Attestation state | Displays a list of devices with attributes reported by Health Attestation Service. |
| List of Devices enrolled per user in Microsoft Intune | Displays all devices a user has enrolled with Microsoft Intune. |
| List of devices in a specific device category | Displays information for all devices within a specific device category. |
| Local client issues on mobile devices that are managed by the Configuration Manager client for Windows CE and that are not healthy | This report contains detailed information about local client issues on mobile devices that are managed by the Configuration Manager client for Windows CE. |
| Mobile device client information | Displays information about the mobile devices that have the Configuration Manager client installed. You can use this report to verify which mobile devices can successfully communicate with a management point. |
| Mobile device compliance details for the Exchange Server connector | Displays the mobile device compliance details for a default Exchange ActiveSync mailbox policy that is configured by using the Exchange Server connector. |
| Mobile devices by operating system | Displays the mobile devices by operating system. |
| Mobile devices that are jailbroken or a rooted device | Displays the mobile devices that are jailbroken or a rooted device. |
| Mobile devices that are unmanaged because they enrolled but failed to assign to a site | Displays the mobile devices that completed enrollment with Configuration Manager, have a certificate, but failed to complete site assignment. |
| Mobile devices with a specific amount of free program memory | Displays all mobile devices with their specified amount of free program memory. |
| Mobile devices with a specific amount of free removable storage memory | Displays all mobile devices with the specified amount of free removable memory. |
| Mobile devices with certificate renewal issues | Displays the enrolled mobile devices that failed to renew their certificate. If you don't renew the certificate before the expiry period, the mobile devices become unmanaged. |
| Mobile devices with low free program memory (less than specified KB free) | Displays the mobile devices for which the program memory is lower than a specified size in KB. |
| Mobile devices with low free removable storage memory (less than specified KB free) | Displays the mobile devices for which the removable storage memory is lower than a specified size in KB. |
| Number of devices enrolled per user in Microsoft Intune | Displays the users enabled for the Microsoft Intune subscription. It also shows the total number of devices enrolled for each user. |
| Pending retire and wipe request for mobile devices | Displays the wipe requests that are pending for mobile devices. |
| Recently enrolled and assigned mobile devices | Displays mobile devices that recently enrolled with Configuration Manager and successfully assigned to a site. |
| Recently wiped mobile devices | Displays the list of mobile devices that were recently successfully wiped. |
| Settings summary for mobile devices that are managed by the Exchange Server connector | Displays the number of mobile devices that apply the settings for each Default Exchange ActiveSync mailbox policy managed by the Exchange Server connector. |
Driver management
The following 13 reports are listed under the Driver Management category.

| Report name | Description |
| --- | --- |
| All drivers for a specific platform | Displays all drivers for a specified platform. |
| All drivers in a specific boot image | Displays all drivers in a specified boot image. |
| Computers that failed to install drivers for a specific collection | Displays computers that failed to install drivers for a specified collection. |
| Driver catalog matching report for a specific collection | Displays the driver catalog matching report for a specified collection. |
| Driver catalog matching report for a specific computer | Displays the driver catalog matching report for a specified computer. |
| Driver catalog matching report for a specific device on a specific computer | Displays the driver catalog matching report for a specified device on a specified computer. |
| Driver catalog matching report for computers in a specific collection with a specific device | Displays driver catalog matching report for computers in a specified collection with a specified device. |
| Drivers that failed to install on a specific computer | Displays drivers that failed to install on a specified computer. |
| Supported platforms for a specific Driver | Displays supported platforms for a specified driver. |
Endpoint Protection
The following six reports are listed under the Endpoint Protection category.

| Report name | Description |
| --- | --- |
| Antimalware overall status and history | Displays the antimalware overall status and history. |
| Computer malware details | Displays details about a specified computer and the list of malware found on it. |
| Top users by threats | Displays the list of users with the most number of detected threats. |
| User threat list | Displays the list of threats found for a specified user account. |
Hardware - CD-ROM
The following four reports are listed under the Hardware - CD-ROM category.

| Report name | Description |
| --- | --- |
| CD-ROM information for a specific computer | Displays information about the CD-ROM drives on a specified computer. |
| Computers for a specific CD-ROM manufacturer | Displays a list of computers that contain a CD-ROM drive made by a manufacturer you specify. |
| Count CD-ROM drives per manufacturer | Displays the number of CD-ROM drives inventoried per manufacturer. |
| History - CD-ROM history for a specific computer | Displays the inventory history for CD-ROM drives on a specified computer. |
Hardware - Disk
The following eight reports are listed under the Hardware - Disk category.

| Report name | Description |
| --- | --- |
| Computers with a specific hard disk size | Displays a list of computers that have hard disks of a specified size. |
| Computers with low free disk space (less than specified % free) | Displays a list of computers in a specified collection that have less than the specified free disk space. |
| Computers with low free disk space (less than specified MB free) | Displays a list of computers and disks where the disks are low on space. The amount of free space to check for is specified in MB. |
| Count physical disk configurations | Displays the number of hard disks inventoried by disk capacity. |
| Disk information for a specific computer - Logical disks | Displays summary information about the logical disks on a specified computer. |
| Disk information for a specific computer - Partitions | Displays summary information about the disk partitions on a specified computer. |
| Disk information for a specific computer - Physical disks | Displays summary information about the physical disks on a specified computer. |
| History - Logical disk space history for a specific computer | Displays the inventory history for logical disk drives on a specified computer. |
Hardware - General
The following five reports are listed under the Hardware - General category.

| Report name | Description |
| --- | --- |
| Inventory classes assigned to a specific collection | Displays the inventory classes that are assigned to a specified collection. |
| Inventory classes enabled on a specific computer | Displays the inventory classes that are enabled on a specified computer. |
| Windows Autopilot Device Information | Displays client device information that is needed for Windows Autopilot registration. |
Hardware - Memory
The following five reports are listed under the Hardware - Memory category.

| Report name | Description |
| --- | --- |
| Computers where physical memory has changed | Displays a list of computers where the amount of RAM has changed since the last inventory cycle. |
| Computers with a specific amount of memory | Displays a list of computers that have a specified amount of RAM (Total Physical Memory rounded to the nearest MB). |
| Computers with low memory (less than or equal to specified MB) | Displays a list of computers that are low on memory. The amount of memory to check for is specified in MB. |
Hardware - Modem
The following three reports are listed under the Hardware - Modem category.

| Report name | Description |
| --- | --- |
| Computers for a specific modem manufacturer | Displays a list of computers that have a modem made by a specified manufacturer. |
| Count modems by manufacturer | Displays the number of modems inventoried for each modem manufacturer. |
| Modem information for a specific computer | Displays summary information about the modem on a specified computer. |
| Report name | Description |
| --- | --- |
| Computers with a specific network adapter | Displays a list of computers that have a specified network adapter. |
| Count network adapters by type | Displays the number of inventoried network adapter cards of each type. |
| Network adapter information for a specific computer | Displays information about the network adapters installed on a specified computer. |
Hardware - Processor
The following five reports are listed under the Hardware - Processor category.

| Report name | Description |
| --- | --- |
| Computers for a specific processor speed | Displays a list of computers that have a processor of a specified speed. |
| Computers with fast processors (greater than or equal to a specified clock speed) | Displays a list of computers that have processors with a speed that is faster than the specified speed. |
| Computers with slow processors (less than or equal to a specified clock speed) | Displays a list of computers that have processors that run at or slower than a specified clock speed. |
| Processor information for a specific computer | Displays information about the processors installed on a specified computer. |
Hardware - SCSI
The following five reports are listed under the Hardware - SCSI category.

| Report name | Description |
| --- | --- |
| Computers with a specific SCSI card type | Displays a list of computers that have a specified SCSI card installed. |
| Count SCSI card types | Displays the number of inventoried SCSI cards by card type. |
| SCSI card information for a specific computer | Displays information about the SCSI cards installed on a specified computer. |
Hardware - Security
The following one report is listed under the Hardware - Security category.

| Report name | Description |
| --- | --- |
| Details of firmware states on devices | Displays the details of the states of UEFI, SecureBoot, and TPM. Note: This report isn't in version 1810. |
| Report name | Description |
| --- | --- |
| Computers with a specific sound card | Displays a list of computers that have a specified sound card. |
| Sound card information for a specific computer | Displays summary information about the sound cards on a specified computer. |
| Report name | Description |
| --- | --- |
| Computers with a specific video card | Displays a list of computers that have a specified video card. |
| Count video cards by type | Displays a list of all of the video cards installed on computers. It also shows the number of each type of video card. |
| Video card information for a specific computer | Displays summary information about the video cards installed on a specified computer. |
Migration
The following five reports are listed under the Migration category.

| Report name | Description |
| --- | --- |
| Clients in exclusion list | Displays clients that are excluded from migration. |
| Migration job properties | This report shows the contents of the specified migration job. |
| Objects that failed to migrate | Displays a list of objects that failed to migrate during the last attempt. |
Network
The following six reports are listed under the Network category.

| Report name | Description |
| --- | --- |
| Count IP addresses by subnet | Displays the number of IP addresses inventoried for each IP subnet. |
| MAC - Computers for a specific MAC address | Displays the computer name and IP address of computers that have the specified MAC address. |
Operating system
The following 10 reports are listed under the Operating System category.

| Report name | Description |
| --- | --- |
| Computer operating system version history | Displays the inventory history for the operating system on a specified computer. |
| Computers with a specific operating system and service pack | Displays computers with a specified operating system and service pack. |
| Services - Computers running Remote Access Server | Displays a list of computers running Remote Access Server. |
| Services - Services information for a specific computer | Displays summary information about the services on a specified computer. |
| Windows Servicing details for a specific collection | Displays general information about Windows servicing for a specific collection. |
| Windows Server computers | Displays a list of computers that run Windows Server operating systems. |
Power management
The following 18 reports are listed under the Power Management category.

| Report name | Description |
| --- | --- |
| Power Management - Computer activity | Displays a graph showing monitor, computer, and user activity for a specified collection over a specified time period. |
| Power Management - Computer activity by computer | Displays a graph showing monitor, computer, and user activity for a specified computer on a specified date. |
| Power Management - Computer activity details | Displays a list of the sleep and wake capabilities of computers in the specified collection for a specified date and time. |
| Power Management - Computer details | Displays detailed information about the power capabilities, power settings, and power plans applied to a specified computer. |
| Power Management - Computer not reporting details | Displays a list of computers not reporting any power activity for a specified date and time. |
| Power Management - Computers excluded | Displays a list of computers excluded from the power plan. |
| Power Management - Computers with multiple power plans | Displays a list of computers that have multiple, conflicting power settings applied. |
| Power Management - Energy consumption | Displays the total monthly energy consumption (in kWh) for a specified collection over a specified time period. |
| Power Management - Energy consumption by day | Displays the total energy consumption (in kWh) for a specified collection in the last 31 days. |
| Power Management - Energy cost | Displays the total monthly energy consumption cost for a specified collection over a specified time period. |
| Power Management - Energy cost by day | Displays the total energy consumption cost for a specified collection over the past 31 days. |
| Power Management - Environmental impact | Displays a graph showing carbon dioxide (CO2) emissions generated by a specified collection over a specified time period. |
| Power Management - Insomnia computer details | Displays detailed information about computers that didn't sleep or hibernate within a specified time period. |
| Power Management - Insomnia report | Displays a list of common causes that prevented computers from sleeping or hibernating. It also shows the number of computers affected by each cause over a specified time period. |
| Power Management - Power settings details | Used to display further information about computers that were specified in the Power Management - Power settings report. |
Replication traffic
The following 10 reports are listed under the Replication Traffic category.

| Report name | Description |
| --- | --- |
| Global Data Replication Traffic Per Link (line chart) | Displays total global data replication traffic on a specified link for a specified number of days. |
| Global Data Replication Traffic Per Link (pie chart) | Displays total global data replication traffic on a specified link for a specified number of days. |
| Hierarchy Replication Traffic By Link | Displays total replication traffic for each link in the hierarchy for a specified number of days. |
| Hierarchy Top Ten Replication Groups Traffic Per Link (pie chart) | Displays the replication traffic for the top 10 replication groups across the entire hierarchy identified by link. |
| Link Replication Traffic | Displays total replication traffic for all data for a specified number of days. |
| Replication group traffic per link | Displays the replication group network traffic over a specified database replication link for a specified number of days. |
| Site Data Replication Traffic Per Link (line chart) | Displays total site data replication traffic on a specified link for a specified number of days. |
| Site Data Replication Traffic Per Link (pie chart) | Displays total site data replication traffic on a specified link for a specified number of days. |
| Total Hierarchy Replication Traffic (line chart) | Displays hierarchy aggregate global and site data replication for each direction of every link for a specified number of days. |
| Total Hierarchy Replication Traffic (pie chart) | Displays hierarchy aggregate global and site data replication for each direction of every link for a specified number of days. |
| Report name | Description |
| --- | --- |
| Client assignment detailed status report | Displays detailed information about client assignment status. |
| Client assignment failure details | Displays detailed information about client assignment failures. |
| Client assignment status details | Displays overview information about client assignment status. |
| Client assignment success details | Displays detailed information about successfully assigned clients. |
| Client deployment failure report | Displays detailed information for clients that have failed to deploy. |
| Client deployment status details | Displays summary information for the status of client installations. |
| Client deployment success report | Displays detailed information for clients that have successfully deployed. |
| Clients incapable of HTTPS communication | Displays detailed information about each client that runs the HTTPS Communication Readiness Tool, and reports to be incapable of communicating over HTTPS. |
| Computers assigned but not installed for a particular site | Displays a list of computers assigned to a specified site, but aren't reporting to that site. |
| Computers with a specific Configuration Manager client version | Displays a list of computers running a specified version of the Configuration Manager client software. |
| Count of clients assigned and installed for each site | Displays the number of computers assigned and installed for each site. Clients with a network location associated to multiple sites are only counted as installed if they're reporting to that site. |
| Count of clients capable of HTTPS communication | Displays detailed information about each client that runs the HTTPS Communication Readiness Tool, and reports to be either capable or incapable of communicating over HTTPS. |
| Count of clients for each site | Displays the number of Configuration Manager clients installed by site code. |
| Problem details reported to the fallback status point for a specified collection | Displays detailed information for issues reported by clients in a specified collection. These clients must have an assigned fallback status point. |
| Problem details reported to the fallback status point for a specified site | Displays detailed information about issues reported by clients in a specified site. These clients must have an assigned fallback status point. |
| Summary of problems reported to the fallback status point | Displays information about all the issues reported by clients. These clients must have an assigned fallback status point. |
| Report name | Description |
| --- | --- |
| Clients that have not reported recently (in a specified number of days) | Displays a list of clients that haven't reported discovery data, hardware inventory, or software inventory in a specified number of days. |
| Computers discovered by a specific site | Displays a list of all computers that the specified site discovered. It also shows the date of the most recent discovery. |
| Computers discovered recently by discovery method | Displays a list of computers that the site discovered within the specified number of days. It also lists the agents that discovered them. If multiple agents discovered a computer, it may appear more than once in the list. |
| Computers not discovered recently (in a specified number of days) | Displays a list of computers that the site hasn't recently discovered. It also shows the number of days since the site discovered the computer. |
| Computers not inventoried recently (in a specified number of days) | Displays a list of computers that the site hasn't recently inventoried. It also shows the last times the client inventoried the computer. |
| Computers that might share the same Configuration Manager unique identifier | Displays a list of computers that have changed their names. A change in name is a possible symptom that a computer shares a Configuration Manager Unique Identifier with another computer. |
| Discovery information for a specific computer | Displays a list of the agents and sites that discovered a specified computer. |
| Inventory dates for a specific computer | Displays the date and time inventory was last run on a specified computer. |
Site - General
The following three reports are listed under the Site - General category.

| Report name | Description |
| --- | --- |
| Site status for the hierarchy | Displays the list of sites in the hierarchy with site version and site status information. |
| Site system roles and site system servers for a specific site | Displays a list of site system servers and their site system roles for a specified site. |
| Report name | Description |
| --- | --- |
| All inventoried products for a specific software company | Displays a list of the inventoried software products and versions from a specified software company. |
| All Windows apps | Displays a summary of installed Windows apps. It searches using the following criteria: application name, architecture, or publisher. |
| Computers with a specific product | Displays a list of the computers that a specified product is inventoried on, and the versions of that product. |
| Computers with a specific product name and version | Displays a list of the computers that a specified version of a product is inventoried on. |
| Computers with specific software registered in Add Remove Programs | Displays a summary of all computers with specified software registered in Add Remove Programs or Programs and Features. |
| Count all inventoried products and versions | Displays a list of the inventoried software products and versions, and the number of computers each is installed on. |
| Count inventoried products and versions for a specific product | Displays a list of the inventoried versions of a specified product, and the number of computers each is installed on. |
| Count of all instances of software registered with Add or Remove Programs | Displays a summary of all instances of software installed and registered with Add or Remove Programs or Programs and Features on computers within the specified collection. |
| Count of instances of specific software registered with Add or Remove Programs | Displays a count of instances for specified software packages installed and registered in Add or Remove Programs or Programs and Features. |
| Default Browser counts | Shows the count of clients with a specific web browser as the Windows default. |
| Installations of specified Windows apps | This report lists all computers with a specified Windows app. |
| Windows apps installed to the specified user | Displays all Windows apps installed to the specified user. |
Software - Files
The following five reports are listed under the Software - Files category.
All inventoried files for a specific product: Displays a summary of the files inventoried that are associated with a specified software product.
All inventoried files on a specific computer: Displays a summary of all the files inventoried on a specified computer.
Compare software inventory on two computers: Displays the differences between the software inventories reported for two specified computers.
Computers with a specific file: Displays a list of computers that have collected software inventory for a specified file name. If a computer contains multiple copies of the file, it might appear more than once in the list.
Count computers with a specific file name: Displays the number of computers that have collected software inventory for a specified file.
Application compliance: Displays compliance information for the specified application within the specified collection.
All resources in a specific collection: Displays all the resources in a specified collection.
Maintenance windows available to a specified client: Displays all maintenance windows that are applicable to the specified client.
All active content distributions: Displays all distribution points on which content is currently being installed or removed.
All distribution points: Displays information about the distribution points for each site.
All status messages for a specific package on a specific distribution point: Displays all status messages for a specified package on a specified distribution point.
Application content distribution status: Displays information about the distribution status for application content.
Applications that are out of synchronization on a specified distribution point group: Displays the applications for which associated content files haven't been updated with the latest version on a specified distribution point group.
Distribution point usage summary: Displays the distribution point usage summary for each distribution point.
Distribution status of specified package: Displays the distribution status for specified package content on each distribution point.
Packages targeted to distribution point group: Displays information about packages that target a specified distribution point group.
Packages that are out of synchronization on a specified distribution point group: Displays packages for which associated content files haven't been updated with the latest version on a specified distribution point group.
Peer cache source content rejection: Displays the number of peer cache source rejections per boundary group.
Peer cache source content rejection by condition: Displays the peer cache sources that declined to serve content, grouped by the condition that caused the rejection.
Peer cache source content rejection details: Displays the name of the content that was rejected by a peer source.
Software distribution - Package and program deployment
The following five reports are listed under the Software Distribution - Package and Program Deployment category.
All package and program deployments: Displays all of the package and program deployments at this site.
All package and program deployments to a specified collection: Displays all of the package and program deployments to a specified collection.
All package and program deployments to a specified computer: Displays all of the package and program deployments that apply to a specified computer.
All package and program deployments to a specified user: Displays all of the package and program deployments to a specified user.
All system resource package and program deployments with status: Displays all package and program deployments for the site with a summary status of each deployment.
All system resources for a specified package and program deployment in a specified state: Displays a list of resources that are in a specified state for a specified package and program deployment.
Chart - Hourly package and program deployment completion status: Displays the percentage of computers that successfully installed the package. The list is organized by hour since an administrator created the package and program deployment. It can be used to track the average time for a package and program deployment.
Package and program deployment status for a specified client and deployment: Displays the status messages reported for a specified computer and package and program deployment.
Status of a specified package and program deployment: Displays the status summary for a specified package and program deployment.
Software metering
The following 13 reports are listed under the Software Metering category.
All software metering rules applied to this site: Displays a list of all software metering rules at the site.
Computers that have a metered program installed but haven't run the program since a specified date: Displays all computers with the specified metered application, but no user has run the program since the specified date.
Computers that have run a specific metered software program: Displays a list of computers that have run programs matching the specified software metering rule within the specified month and year.
Concurrent usage for all metered software programs: Displays the maximum number of users who concurrently ran each metered software program during the specified month and year.
Concurrent usage trend analysis of a specific metered software program: Displays the maximum number of users who concurrently ran the specified metered software program during each month for the past year.
Install base for all metered software programs: Displays the number of computers that have metered software programs installed as reported by software inventory. This report requires that the computer collects software inventory.
Software metering summarization progress: Displays the time at which the most recently summarized metering data was processed on the site server. The software metering reports only reflect metering data processed before these dates.
Time of day usage summary for a specific metered software program: Displays the average number of usages of a particular program for the past 90 days, broken down by hour and day.
Total usage for all metered software programs: Displays the number of users who ran programs within the specified month and year, and that match each software metering rule. These rules are for locally installed software, or using Terminal Services.
Total usage for all metered software programs on Windows Terminal Servers: Displays the number of users who ran programs matching each software metering rule using Terminal Services within the specified month and year.
Total usage trend analysis for a specific metered software program: Displays the number of users who ran programs during each month for the past year, and that match the specified software metering rule. These rules are for locally installed software, or using Terminal Services.
Total usage trend analysis for a specific metered software program on Windows Terminal Servers: Displays the number of users who ran programs during each month for the past year, and that match the specified software metering rule. These rules are for using Terminal Services.
Users that have run a specific metered software program: Displays a list of users who have run programs within the specified month and year, and that match the specified software metering rule.
Compliance 1 - Overall compliance: Displays the overall compliance data for a software update group.
Compliance 2 - Specific software update: Displays the compliance data for a specified software update.
Compliance 3 - Update group (per update): Displays the compliance data for software updates defined in a software update group.
Compliance 4 - Updates by vendor month year: Displays the compliance data for software updates released by a vendor during a specified month and year.
Compliance 5 - Specific computer: This report returns the software update compliance data for a specified computer. To limit the amount of information returned, you can specify the vendor and software update classification.
Compliance 9 - Overall health and compliance: Displays the overall health and compliance data for a software update group. (starting in version 1806)
Management 1 - Deployments of an update group: Displays all deployments that include all of the software updates defined in a specified software update group.
Management 2 - Updates required but not deployed: Displays all vendor-specific software updates that clients detect as required, but an administrator hasn't deployed to a specified collection.
Management 3 - Updates in a deployment: Displays the software updates that are contained in a specified deployment.
Management 4 - Deployments that target a collection: Displays all software update deployments that target a specified collection.
Management 5 - Deployments that target a computer: Displays all software update deployments that are deployed to a specified computer.
Management 6 - Deployments that contain a specific update: Displays all deployments that include a specified software update and the associated target collection for the deployment.
Management 7 - Updates in a deployment missing content: Displays the software updates in a specified deployment that don't have all of the associated content retrieved. This state prevents clients from installing the update, which prevents the deployment from achieving 100% compliance.
Management 8 - Computers missing content (secondary): Displays all computers requiring the specified software update, but the associated content isn't yet distributed to a distribution point.
States 1 - Enforcement states for a deployment: Displays the enforcement states for a specified software update deployment, which is typically the second phase of a deployment assessment.
States 2 - Evaluation states for a deployment: Displays the evaluation state for a specified software update deployment, which is typically the first phase of a deployment assessment.
States 3 - States for a deployment and computer: Displays the states for all software updates in the specified deployment for a specified computer.
States 4 - Computers in a specific state for a deployment (secondary): Displays all computers in a specified state for a software update deployment.
States 5 - States for an update in a deployment (secondary): Displays a summary of states for a specified software update targeted by a specified deployment.
States 6 - Computers in a specific enforcement state for an update (secondary): Displays all computers in a specified enforcement state for a specified software update.
Scan 1 - Last scan states by collection: Specify a collection to display the count of computers in each compliance scan state. The clients return the state during the last compliance scan.
Scan 2 - Last scan states by site: Specify a site to display the count of computers in each compliance scan state. The clients return the state during the last compliance scan.
Scan 3 - Clients of a collection reporting a specific state (secondary): Displays all computers for a specified collection and a specified compliance scan state during their last compliance scan.
Scan 4 - Clients of a site reporting a specific state (secondary): Specify a site to display all computers with a specified compliance scan state. The clients return the state during their last compliance scan.
Troubleshooting 1 - Scan errors: Displays scan errors at the site and a count of computers that are experiencing each error.
Troubleshooting 2 - Deployment errors: Displays the deployment errors at the site and a count of computers that are experiencing each error.
Troubleshooting 3 - Computers failing with a specific scan error (secondary): Displays a list of the computers that failed a scan because of a specified error.
State migration
The following three reports are listed under the State Migration category.
State migration information for a specific source computer: Displays state migration information for a specified computer.
State migration information for a specific state migration point: Displays state migration information for a specified state migration point.
State migration points for a specific site: Displays the state migration points for a specified site.
Status messages
The following 12 reports are listed under the Status Messages category.
All messages for a specific message ID: Displays a list of status messages that have a specified message ID.
Clients reporting errors in the last 12 hours for a specific site: Displays a list of computers and components reporting errors in the last 12 hours, and the number of errors reported.
Component messages for the last 12 hours: Displays a list of component messages for the last 12 hours for a specified site code, computer, and component.
Component messages for the last hour: Displays a list of the status messages created in the last hour by a specified component on a specified computer at a specified site.
Count component messages for the last hour for a specific site: Displays the number of status messages by component and severity reported in the last hour at a specified site.
Count errors in the last 12 hours: Displays the number of server component error status messages in the last 12 hours.
Fatal errors (by component): Displays a list of computers reporting fatal errors by component.
Fatal errors (by computer name): Displays a list of computers reporting fatal errors by computer name.
Last 1000 messages for a specific computer (Errors and Warnings): Displays a summary of the last 1000 error and warning component status messages for a specified computer.
Last 1000 messages for a specific computer (Errors Warnings and Information): Displays a summary of the last 1000 error, warning, and informational component status messages for a specified computer.
Last 1000 messages for a specific computer (Errors): Displays a summary of the last 1000 error server component status messages for a specified computer.
Last 1000 messages for a specific server component: Displays a summary of the most recent 1000 status messages for a specified server component.
All audit messages for a specific user: Displays a summary of all audit status messages for a specified user. Audit messages describe actions taken in the Configuration Manager console that add, modify, or delete objects in Configuration Manager.
Remote Control - All computers remote controlled by a specific user: Displays a summary of status messages indicating remote control of client computers by a specified user.
Remote Control - All remote control information: Displays a summary of status messages related to the remote control of client computers.
All system resources for a task sequence deployment in a specific state: Displays a list of the destination computers for the specified task sequence deployment in a specified deployment state.
All system resources for a task sequence deployment that is in a specific state and that is available to unknown computers: Displays a list of the destination computers for the specified task sequence deployment that is in the specified deployment state.
Count of system resources that have task sequence deployments assigned but not yet run: Displays the number of computers that have accepted task sequences, but haven't run the task sequence.
History of a task sequence deployment on a computer: Displays the status of each step of the specified task sequence deployment on the specified destination computer. If no record is returned, the task sequence hasn't started on the computer.
List of computers that exceeded a specific length of time to run a task sequence deployment: Displays the list of destination computers that exceeded the specified length of time to run a task sequence.
Run time for a specific task sequence deployment on a specific destination computer: Displays the total time that it took to successfully complete a specified task sequence on a specified computer.
Run time for each step of a task sequence deployment on a specific destination computer: Displays the time that it took to complete each step of the specified task sequence deployment on the specified destination computer.
Status of a specific task sequence deployment for a specific computer: Displays the status summary of a specified task sequence deployment on a specified computer.
Status of a task sequence deployment on an unknown destination computer: Displays the status of the specified task sequence deployment on the specified unknown destination computer.
Status summary of a specific task sequence deployment: Displays a status summary of all resources that have been targeted by a deployment.
Status summary of a specific task sequence deployment available to unknown computers: Displays the status summary of all resources targeted by the specified deployment that is available to a collection containing unknown computers.
All system resources currently in a specific group or phase of a specific task sequence deployment: Displays a list of computers that are currently running in a specified group or phase of a specified task sequence deployment.
All system resources where a task sequence deployment failed within a specific group or phase: Displays a list of computers that failed within a specified group/phase of the specified task sequence deployment.
All task sequence deployments: Displays details of all task sequence deployments initiated from the current site.
All task sequence deployments available to unknown computers: Displays details of all the task sequence deployments initiated from the site, and deployed to collections that contain unknown computers.
Count of failures in each phase or group of a specific task sequence: Displays the number of failures in each phase or group of the specified task sequence.
Count of failures in each phase or group of a specific task sequence deployment: Displays the number of failures in each phase or group of the specified task sequence deployment.
Deployment status of all task sequence deployments: Displays the overall progress of all task sequence deployments.
Progress of a running task sequence: Displays the progress of the specified task sequence.
Progress of a running task sequence deployment: Displays the summary information for the specified task sequence deployment.
Progress of all deployments for a specific task sequence: Displays the progress of all deployments for the specified task sequence.
Summary report for a task sequence deployment: Displays the summary information for the specified task sequence deployment.
Chart - Weekly progress of a task sequence: Displays the weekly progress of a task sequence, starting from the deployment date.
Progress of a task sequence: Displays the progress of the specified task sequence.
Progress of all task sequences: Displays a summary of the progress of all task sequences.
Progress of task sequences for operating system deployments: Displays the progress of all task sequences that deploy operating systems.
Status of all unknown computers: Displays a list of computers that were unknown at the time they ran a task sequence deployment, and whether they're now known computers.
Task sequences - References
The following report is listed under the Task Sequences - References category.
Content referenced by a specific task sequence: Displays content that is referenced by a specified task sequence.
Pending user device affinity associations by collection: This report shows all pending user device affinity assignments based on usage data, for members of a collection.
User device affinity associations per collection: Displays all user device associations for the specified collection, and groups the results by collection type (for example, user or device).
Folder Redirection Health Report - Details: Displays the health state details of folder redirection for each of the redirected folders for a given user.
Roaming User Profiles Health Report - Details: Displays the health state details of the roaming user profile for a specified user.
User Data and Profiles Health Report - Details: Displays the error or warning details of folder redirection or roaming user profiles. This report is the details target from the summary report.
User Data and Profiles Health Report - Summary: Displays the summary of health states for folder redirection and roaming user profiles.
Users
The following three reports are listed under the Users category.
Computers for a specific user name: Displays a list of the computers that were used by a specified user.
Users in a specific domain: Displays a list of users and their computers in a specified domain.
Virtual applications
The following seven reports are listed under the Virtual Applications category.
App-V Virtual Environment Status: Displays compliance information for a specified virtual environment for a specified collection.
Computers with a specific virtual application: Displays a summary of computers that have the specified App-V application shortcut as created using the Application Virtualization Management Sequencer.
Computers with a specific virtual application package: Displays a summary of computers that have the specified App-V application package.
Vulnerability assessment
The following report is listed under the Vulnerability Assessment category.
Wake On LAN
The following seven reports are listed under the Wake On LAN category.
All computers targeted for Wake On LAN activity: Specify the type of deployment to display a list of computers targeted for Wake on LAN activity.
All objects pending wake-up activity: Displays objects that are scheduled for wakeup.
All sites that are enabled for Wake On LAN: Displays a list of all sites in the hierarchy that are enabled for Wake On LAN.
Errors received while sending wake-up packets for a defined period: Displays errors received while sending wake-up packets to computers for a defined period.
History of Wake On LAN activity: Displays a history of the wakeup activity that has occurred since a certain period.
Wake-Up Proxy Deployment State Details: Displays information about the deployment status of Wake-Up Proxy for each device in a specified collection.
Wake-Up Proxy Deployment State Summary: Displays a summary of the deployment status of wake-up proxy for a specified collection.
Configure reporting in Configuration Manager
Article • 10/04/2022
Before you can create, modify, and run reports in the Configuration Manager console,
there are several configuration tasks to complete. Use this article to help you configure
reporting in your Configuration Manager hierarchy.
Before you install and configure SQL Server Reporting Services in your hierarchy, review
the following Configuration Manager reporting articles:
Introduction to reporting
When you run a report, the Reporting Services component connects to the
Configuration Manager site database to retrieve data.
Before you can install the reporting services point in a Configuration Manager site,
install and configure SQL Server Reporting Services on the target site system. For more
information, see Install SQL Server Reporting Services.
3. On the Report Server Status page, verify that Report Service Status is Started. If
it's not in this state, select Start.
4. On the Web Service URL page, select the URL in Report Service Web Service
URLs. This action tests the connection to the report folder. The browser might
prompt you for credentials. Verify that the webpage opens successfully.
5. On the Database page, verify that the Report Server Mode is set to Native.
6. On the Report Manager URL page, select the URL in Report Manager Site
Identification. This action tests the connection to the virtual directory for Report
Manager. The browser might prompt you for credentials. Verify that the webpage
opens successfully.
Note
2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ConfigMgr10\AdminUI\Reporting.
When you select a site to install the reporting services point, users who will access
the reports must be in the same security scope as the site where you install the
role.
After you install a reporting services point on a site system, don't change the URL
for the report server.
For example, you create the reporting services point. You then modify the URL for
the report server in Reporting Services Configuration Manager. The Configuration
Manager console continues to use the old URL. You can't run, edit, or create
reports from the console.
If you need to change the report server URL, first remove the existing reporting
services point. Change the URL, and then reinstall the reporting services point.
When you install a reporting services point, specify a Reporting services point
account. For users from a different domain to run a report, create a two-way trust
between domains. Otherwise the report fails to run.
2. Add the reporting services point to a new or existing site system server:
New site system: On the Home tab of the ribbon, in the Create group, select
Create Site System Server. The Create Site System Server Wizard opens.
Existing site system: Select the target server. On the Home tab of the ribbon,
in the Server group, select Add Site System Role. The Add Site System Roles
Wizard opens.
3. On the General page, specify the general settings for the site system server. When
you add the reporting services point to an existing server, verify the values that
you previously configured.
4. On the System Role Selection page, select Reporting services point in the list of
available roles, and then select Next.
Site database server name: Specify the name of the server that hosts the
Configuration Manager site database. The wizard typically retrieves the fully
qualified domain name (FQDN) for the server. To specify a database instance,
use the format <server name>\<instance name>. For example,
sqlserver\named1.
Important
The user account you use to create the reporting services point must
have Read access to the site database. If the connection test fails, a red
warning icon appears. Contextual hover text on the icon has the details
of the failure. Correct the failure, and then select Test again.
Folder name: Specify the folder name to create and use for Configuration
Manager reports in Reporting Services.
Reporting Services server instance: Select the instance of SQL Server for
Reporting Services. If this page doesn't list any instances, verify that SQL
Server Reporting Services is installed, configured, and started.
Reporting services point account: Select Set, and then select an account to
use. SQL Server Reporting Services on the reporting services point uses this
account to connect to the Configuration Manager site database. This
connection is to retrieve the data for a report. Select Existing account to
specify a Windows user account that you previously configured as a
Configuration Manager account. Select New account to specify a Windows
user account that's not currently configured for use. Configuration Manager
automatically grants the specified user access to the site database.
Important
The account that runs Reporting Services must belong to the domain local
security group Windows Authorization Access Group. This grants the
account Allow Read permissions on the tokenGroupsGlobalAndUniversal
attribute for all user objects within the domain. Users in a different domain
than the reporting services point account need a two-way trust between the
domains to successfully run reports.
The specified Windows user account and password are encrypted and stored
in the Reporting Services database. Reporting Services retrieves the data for
reports from the site database by using this account and password.
Important
The account that you specify must have the Log on locally permission
on the server that hosts the Reporting Services database.
After the wizard completes, Configuration Manager creates the report folders in
Reporting Services. It then copies its reports to the specified report folders.
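A pre-flight script that checks the prerequisites the steps above call for (Report Service started, the Web Service and Report Manager URLs opening, and the account that runs Reporting Services being a member of Windows Authorization Access Group). This is an added example, not Microsoft's code or part of the product; the host name, service name and URL scheme are hypothetical placeholders, and the ActiveDirectory module is assumed to be installed where it runs.

```powershell
# Added example; not from the Configuration Manager documentation or product.
# Verifies the SSRS prerequisites listed in this article before you add the
# reporting services point: service started (step 3), Web Service and Report
# Manager URLs reachable (steps 4 and 6), and the account running Reporting
# Services is in Windows Authorization Access Group (Important note above).
# Assumptions (hypothetical placeholders, change for your environment):
#   $ReportServer - host running SSRS with the default virtual directories
#   $ServiceName  - 'SQLServerReportingServices' for SSRS 2017 and later;
#                   older named instances use 'ReportServer$<instance>'
#   The ActiveDirectory module is installed where this script runs.
param(
    [string]$ReportServer = 'ssrs01.corp.example',
    [string]$ServiceName  = 'SQLServerReportingServices',
    [string]$Scheme       = 'https'
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# Step 3: Report Service Status must be Started. Win32_Service also exposes the
# logon account (StartName), which the group membership check below needs.
$svc = Get-CimInstance -ComputerName $ReportServer -ClassName Win32_Service `
    -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($svc) {
    Add-Check 'SSRS service started' ($svc.State -eq 'Running') "State=$($svc.State); runs as $($svc.StartName)"
} else {
    Add-Check 'SSRS service started' $false "service '$ServiceName' not found on $ReportServer"
}

# Steps 4 and 6: the Web Service URL (/ReportServer) and the Report Manager URL
# (/Reports) must open. -UseDefaultCredentials answers the credential prompt the
# browser would show with the current Windows identity.
foreach ($path in 'ReportServer', 'Reports') {
    $url = "${Scheme}://$ReportServer/$path"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        Add-Check "URL opens: $url" ($resp.StatusCode -eq 200) "HTTP $($resp.StatusCode)"
    } catch {
        Add-Check "URL opens: $url" $false $_.Exception.Message
    }
}

# Important note: the account that runs Reporting Services must belong to the
# domain local group Windows Authorization Access Group. Built-in service
# identities (NT SERVICE\..., NT AUTHORITY\..., LocalSystem) have no AD user
# object, so the membership check is skipped for them.
if ($svc -and $svc.StartName -notmatch '^(NT SERVICE|NT AUTHORITY|LocalSystem)') {
    # Accept DOMAIN\user or user@domain and reduce it to the sAMAccountName.
    $sam = ($svc.StartName -split '\\')[-1] -replace '@.*$', ''
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $members = Get-ADGroupMember -Identity 'Windows Authorization Access Group' -Recursive
        $inGroup = [bool]($members | Where-Object SamAccountName -eq $sam)
        Add-Check "$sam in Windows Authorization Access Group" $inGroup ''
    } catch {
        Add-Check 'Windows Authorization Access Group membership' $false $_.Exception.Message
    }
}

$results | Format-Table -AutoSize
# A non-zero exit lets this run as a gate before the Add Site System Roles wizard.
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```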
Tip
To list only site systems that host the reporting services point site role, right-click
Servers and Site System Roles, and select Reporting services point.
Folder and report names: the same locale as the site server
Folder and report names: dynamic based on the locale of the console
When you install a reporting services point on a site without language packs, the reports
are installed in English. If you install a language pack after you install the reporting
services point, you must uninstall and reinstall the reporting services point for the
reports to be available in the appropriate language pack language.
Important
The site does these actions in the context of the account that's configured for the
SMS_Executive service. Typically, this account is the site server local System account.
Add the ConfigMgr Report Users and ConfigMgr Report Administrators security
roles in Reporting Services.
Add the ConfigMgr Report Users role in Reporting Services to the root folders for
all user accounts in Configuration Manager that have Site Read rights.
Add the ConfigMgr Report Administrators role in Reporting Services to the root
folders for all user accounts in Configuration Manager that have Site Modify
rights.
Retrieve the mapping between report folders and Configuration Manager secured
object types. Configuration Manager maintains this map in the site database.
Add users and assign the ConfigMgr Report Users role to the associated report
folder for administrative users who have Run Report permissions for the
Configuration Manager object.
Add users and assign the ConfigMgr Report Administrators role to the
associated report folder for administrative users who have Modify Report
permissions for the Configuration Manager object.
Configuration Manager connects to Reporting Services and sets the permissions for
users on the Configuration Manager and Reporting Services root folders and specific
report folders. After the initial installation of the reporting services point, Configuration
Manager connects to Reporting Services every 10 minutes to verify that the user rights
configured on the report folders are the associated rights that are set for Configuration
Manager users. When users are added or user rights are modified on the report folder
by using Reporting Services Report Manager, Configuration Manager overwrites those
changes by using the role-based assignments stored in the site database. Configuration
Manager also removes users that don't have Reporting rights in Configuration Manager.
ConfigMgr Report Users: Users assigned with this security role can only run
Configuration Manager reports.
ConfigMgr Report Administrators: Users assigned with this security role can do all
tasks related to reporting in Configuration Manager.
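Because the site rewrites the report folder permissions from the site database every 10 minutes, it is useful to see what is currently assigned in Reporting Services and which assignments were not created by Configuration Manager. The following audit script is an added example, not Microsoft's code; it assumes the SSRS SOAP endpoint ReportService2010.asmx is reachable at a placeholder URL and that the ConfigMgr folder name you chose during role installation is known.

```powershell
# Added example; not from the Configuration Manager documentation or product.
# Lists the role assignments on the Configuration Manager report folders in
# SSRS and flags any that use a role other than the two roles Configuration
# Manager creates. The site overwrites such manual changes on its next sync, so
# they indicate drift (or an attempt to grant report access outside RBAC).
# Assumptions (hypothetical placeholders): the SSRS web service URL and the
# folder name given on the Reporting services point page of the wizard.
param(
    [string]$ReportServerUrl = 'http://ssrs01.corp.example/ReportServer',
    [string]$FolderName      = 'ConfigMgr_XYZ'   # replace with your folder name
)

# ReportService2010.asmx is the SSRS SOAP management endpoint (SSRS 2008 R2+).
$proxy = New-WebServiceProxy -Uri "$ReportServerUrl/ReportService2010.asmx" -UseDefaultCredential

# The two security roles Configuration Manager adds to Reporting Services.
$managedRoles = 'ConfigMgr Report Users', 'ConfigMgr Report Administrators'

function Get-FolderPolicy([string]$Path) {
    $inherit = $false
    # GetPolicies returns one Policy per principal; each has GroupUserName and Roles[].
    $policies = $proxy.GetPolicies($Path, [ref]$inherit)
    foreach ($p in $policies) {
        foreach ($r in $p.Roles) {
            [pscustomobject]@{
                Folder    = $Path
                Principal = $p.GroupUserName
                Role      = $r.Name
                Managed   = ($managedRoles -contains $r.Name)
                Inherited = $inherit
            }
        }
    }
}

# The ConfigMgr root folder plus every folder beneath it (one per secured object type).
$root    = "/$FolderName"
$folders = @($root) + @($proxy.ListChildren($root, $true) |
    Where-Object TypeName -eq 'Folder' | ForEach-Object Path)

$assignments = $folders | ForEach-Object { Get-FolderPolicy $_ }
$assignments | Sort-Object Folder, Principal | Format-Table -AutoSize

# Anything outside the two managed roles (Browser, Content Manager, ...) was set
# in Report Manager, not by Configuration Manager, and will not survive the sync.
$drift = @($assignments | Where-Object { -not $_.Managed })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) role assignment(s) not managed by Configuration Manager:"
    $drift | Format-Table Folder, Principal, Role -AutoSize
}
```

Compare the Principal column against the administrative users who hold Run Report or Modify Report permissions in the console; a principal present here but absent there will be removed on the next sync.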
Verify installation
Verify the installation of the reporting services point by looking at specific status
messages and log file entries. Use the following procedure to verify that the reporting
services point installation was successful.
Note
If you see reports in the Reports subfolder of the Reporting node in the
Monitoring workspace in the Configuration Manager console, you can skip this
procedure.
3. On the Home tab of the ribbon, in the Component group, select Show Messages,
and then choose All.
4. Specify a date and time for a period before you installed the reporting services
point, and then select OK.
5. Verify status message ID 1015. This status message indicates that the reporting
services point was successfully installed.
Note
For more information about authoring reports with SQL Server Reporting Services,
see Report Builder authoring environment.
Configuration Manager automatically installs the certificate on the site server and any
SMS Provider roles. You can create or edit reports from the Configuration Manager
console when you run it from one of these servers.
Tip
To list only site systems that host the reporting services point, right-click the
Servers and Site System Roles node, and select Reporting services point.
2. Select the site system that hosts the reporting services point. Then select the
Reporting service point site system roles in the details pane.
3. On the Site Role tab of the ribbon, in the Properties group, select Properties.
4. You can modify the following settings in the Reporting Services Point Properties:
Database name
User account
For more information about these settings, see the descriptions in the section Install
the reporting services point on a site system.
If you don't follow this process, you'll see errors when you run or edit reports from the
Configuration Manager console. You can continue to run and edit reports successfully
from a web browser.
2. On the Home tab of the ribbon, in the Settings group, select Report Options.
3. Select the default report server in the list, and then select OK.
If it doesn't show any servers, verify that you installed and configured a reporting
services point in the site. For more information, see Verify installation.
Make sure your computer runs a version of SQL Server Report Builder that matches the
version of SQL Server that you use for your report server. Otherwise you'll see an error,
the default report server won't save, and you can't create or edit reports.
Next steps
Operations and maintenance for reporting
Operations and maintenance for
reporting in Configuration Manager
Article • 10/04/2022
After the infrastructure is in place for reporting in Configuration Manager, there are
many operations that you typically do to manage reports and subscriptions.
Note
This article focuses on reports in SQL Server Reporting Services. Starting in version
2002, you can integrate reporting with Power BI Report Server. For more
information, see Integrate with Power BI Report Server.
When you run a report, it displays the report title, description, and category in the
language of the local OS. For more information, see Languages for reports.
Note
Report Manager is a web-based report access and management tool. You can use it
to administer a single report server instance over an HTTPS connection. Use Report
Manager for operational tasks: view reports, modify report properties, and manage
associated report subscriptions. This article provides the steps to view a report and
modify report properties in Report Manager. For more information about other
options in Report Manager, see What is Report Manager?
Tip
If this node doesn't list any reports, verify that the reporting services point is
installed and configured. For more information, see Configure reporting.
2. Select the report that you want to run. On the Home tab of the ribbon, in the
Report Group section, select Run to open the report.
3. If there are required parameters, specify them and then select View Report.
2. In Report Manager, select the report folder for Configuration Manager, for
example, ConfigMgr_CAS.
Tip
If Report Manager doesn't list any reports, verify that the reporting services
point is installed and configured. For more information, see Configure
reporting.
3. Select the report category for the report that you want to run, and then select the
specific report. The report opens in Report Manager.
4. If there are required parameters, specify them and then select View Report.
2. In Report Manager, select the report folder for Configuration Manager, for
example, ConfigMgr_CAS.
3. Select the report category, and then select the specific report. The report opens in
Report Manager.
4. Select the Properties tab. Modify the report name and description, and then select
Apply.
Report Manager saves the report properties on the report server. The Configuration
Manager console shows the updated report properties for the report.
Edit a report
When an existing Configuration Manager report doesn't retrieve the information that
you want, edit it in Report Builder. You can also use Report Builder to change the layout
or design of the report. While you can directly edit a default report, it's best to clone it.
Open the report to edit, and then select Save As.
To edit a report, you need Site Modify permission and Modify Report permissions on
the specific objects in the report.
Important
Site updates preserve built-in reports. If you modify a standard report, when the
site updates, it renames the report with an underscore prefix (_). This behavior
makes sure that the site update doesn't overwrite the modified report with the
standard report.
If you modify predefined reports, before you install a site update, back up your
custom reports. After the update, restore the report in Reporting Services. If you make
significant changes to a predefined report, create a new report instead. New
reports that you create before you upgrade a site are not overwritten.
Use the following procedure to edit the properties for a Configuration Manager report.
3. In Report Builder, modify the appropriate report settings. Select Save to save the
report to the report server.
Create reports
There are two types of reports that you can create:
A model-based report lets you interactively select the items you want to include in
your report. For more information about creating custom report models, see
Create custom report models for Configuration Manager in SQL Server Reporting
Services.
A SQL-based report lets you retrieve data that's based on a report SQL statement.
Important
To create a new report, your account needs Site Modify permission. You can only
create a report in folders for which you have Modify Report permissions.
2. On the Home tab of the ribbon, in the Create section, select Create Report. This
action opens the Create Report Wizard.
Server: Displays the name of the report server where you create this report.
Path: Select Browse to specify a folder in which to store the report.
4. On the Model Selection page, select an available model in the list to create this
report. The Preview section displays the SQL Server views and entities that are
available in this report model.
6. Open Report Builder to configure the report settings. For more information, see
Edit a Configuration Manager report.
7. In Report Builder, create the report layout, select data in the available SQL Server
views, and add parameters to the report.
8. Select Run to run your report. Verify that the report provides the information that
you expect. If needed, select Design to modify the report further.
You can also reference public stored procedures from the site database. These stored
procedures have names that start with sp_.
2. On the Home tab of the ribbon, in the Create section, select Create Report. This
action opens the Create Report Wizard.
Server: Displays the name of the report server where you create this report.
Path: Select Browse to specify a folder in which to store the report.
5. Open Report Builder to configure the report settings. For more information, see
Edit a Configuration Manager report.
6. In Report Builder, provide the SQL statement for the report. You can also build the
SQL statement by using columns in available views. If needed, add parameters to
the report.
7. Select Run to run your report. Verify that the report provides the information that
you expect. If needed, select Design to modify the report further.
When you create a subscription that uses a file share, specify an existing shared folder
as the destination. The report server doesn't create the folder or network share. When
you specify the destination folder in a subscription, use a UNC path and don't include
trailing backslashes (\) in the folder path. The following example is a valid UNC path for
the destination folder: \\server\reportfiles\operations\2001.
Note
When you create the subscription, you specify a user name and password. This
account needs access to this share with Write permissions to the destination folder.
Reporting Services can render reports in different file formats. For example, MHTML or
Excel. You select the format when you create the subscription. Although you can select
any supported rendering format, some formats work better than others when rendering
to a file.
Unlike reports that you host and manage on a report server, Reporting Services
delivers reports to a shared folder as static files.
Interactive features of the report don't work for reports stored as files. The report
represents any interactive features as static elements.
If the report links through to another report, it renders the link as static text.
If you want to keep interactive features in a delivered report, use email delivery. For
more information, see Create a report subscription to deliver a report by email.
2. Select a report folder, then select the report to which you want to subscribe. On
the Home tab of the ribbon, in the Report Group section, select Create
Subscription. This action opens the Create Subscription Wizard.
File Name: Specify the file name for the report. By default, the report file
doesn't include a file name extension. Select Add file extension when
created to automatically add a file name extension based on the format.
Path: Specify a UNC path to an existing folder where you want to deliver this
report. For example, \\server\reportfiles\operations.
Render Format: Select one of the following formats for the report file:
XML file with report data
CSV (comma delimited)
TIFF file
Acrobat (PDF) file
HTML 4.0
Note
If your report has images, the HTML 4.0 format doesn't include them.
User Name: Specify a Windows user account with write permissions to the
specified Path.
Password: Specify the password for the above Windows user account.
4. On the Subscription Schedule page, select one of the following delivery schedule
options for the report subscription:
Create new schedule: Configure the schedule on which this report runs. The
schedule includes the interval, start time and date, and the end date for this
subscription. By default, a new subscription creates a new schedule to run
every hour starting at the current date and time.
5. On the Subscription Parameters page, specify any parameters that this report
requires to run unattended. If the report has no parameters, the wizard doesn't
display this page.
Note
To enable the Email subscription option, you need to configure the email settings
in Reporting Services. For more information, see Email delivery in reporting
services.
You can select one or both of the following email delivery options:
Use the following procedure to create a report subscription to deliver a report by using
email.
Reply To: Specify the reply address. If the recipient replies to the email
message, the reply goes to this address.
Priority: Select the priority flag for this email message: Low, Normal, or High.
Microsoft Exchange uses this flag to indicate the importance of the email
message.
Comment: Specify text for the body of the subscription email message.
Include Link: Include the URL for this report in the body of the email
message.
Include Report: Attach the report to the email message. Use the Render
Format option to specify the report format to attach.
Render Format: Select one of the following formats for the attached report
file:
XML file with report data
CSV (comma delimited)
TIFF file
Acrobat (PDF) file
MHTML (web archive)
Excel
Word
4. On the Subscription Schedule page, select one of the following delivery schedule
options for the report subscription:
Create new schedule: Configure the schedule on which this report runs. The
schedule includes the interval, start time and date, and the end date for this
subscription. By default, a new subscription creates a new schedule to run
every hour starting at the current date and time.
5. On the Subscription Parameters page, specify any parameters that this report
requires to run unattended. If the report has no parameters, the wizard doesn't
display this page.
Favorites
Configuration Manager ships with several hundred reports by default, and you may have
added more to that list. Instead of continually searching for reports you commonly use,
starting in version 2103, you can make a report a favorite. This action allows you to
quickly access it from the new Favorites node.
Note
All instances of SQL Server Reporting Services on the server need to be version
2017 or later.
Add a favorite
1. In the Configuration Manager console, go to the Monitoring workspace. Expand
the Reporting node, and select either the Reports or Power BI Reports node.
2. Select a report that you frequently use. Then in the ribbon, select Add to Favorites.
The report's icon changes to a yellow star, which indicates that it's a favorite.
Tip
You can select more than one report to add them all as favorites.
To remove a report from the list of favorites, select it, and then select Remove
from Favorites. When you remove a favorite, Configuration Manager doesn't
delete the report.
3. Under the Reporting node, expand the new Favorites node. To view your list of
favorites, select either the Reports or Power BI Reports node.
Tip
You can directly connect to your favorite reports in your browser. For example,
https://rsp.contoso.com/Reports/favorites.
You can manage reports from the Favorites list in the same way as from the Reports node.
Creating custom report models for
Configuration Manager in SQL Server
Reporting Services
Article • 10/04/2022
Sample report models are included in Configuration Manager, but you can also define
report models to meet your own business requirements, and then deploy the report
model to Configuration Manager to use when you create new model-based reports. The
following table provides the steps to create and deploy a basic report model.
Note
For the steps to create a more advanced report model, see the Steps for Creating
an Advanced Report Model in SQL Server Reporting Services section in this topic.
Step: Verify that SQL Server Business Intelligence Development Studio is installed
Description: Report models are designed and built by using SQL Server Business
Intelligence Development Studio. Verify that SQL Server Business Intelligence
Development Studio is installed on the computer on which you are creating the custom
report model.
More information: For more information about SQL Server Business Intelligence
Development Studio, see the SQL Server 2008 documentation.

Step: Create a report model project
Description: A report model project contains the definition of the data source (a .ds
file), the definition of a data source view (a .dsv file), and the report model (an
.smdl file).
More information: For more information, see the To create the report model project
section in this topic.

Step: Define a data source for a report model
Description: After creating a report model project, you have to define one data source
from which you extract business data. Typically, this is the Configuration Manager site
database.
More information: For more information, see the To define the data source for the
report model section in this topic.

Step: Define a data source view for a report model
Description: After defining the data sources that you use in your report model project,
the next step is to define a data source view for the project. A data source view is a
logical data model based on one or more data sources. Data source views encapsulate
access to the physical objects, such as tables and views, contained in underlying data
sources. SQL Server Reporting Services generates the report model from the data
source view.
Data source views facilitate the model design process by providing you with a useful
representation of the data that you specified. Without changing the underlying data
source, you can rename tables and fields, and add aggregate fields and derived tables
in a data source view. For an efficient model, add only those tables to the data source
view that you intend to use.
More information: For more information, see the To define the data source view for
the report model section in this topic.

Step: Create a report model
Description: A report model is a layer on top of a database that identifies business
entities, fields, and roles. When published, by using these models, Report Builder
users can develop reports without having to be familiar with database structures or
understand and write queries. Models are composed of sets of related report items
that are grouped together under a friendly name, with predefined relationships
between these business items and with predefined calculations. Models are defined
by using an XML language called Semantic Model Definition Language (SMDL). The file
name extension for report model files is .smdl.
More information: For more information, see the To create the report model section
in this topic.

Step: Publish a report model
Description: To build a report by using the model that you just created, you must
publish it to a report server. The data source and data source view are included in
the model when it is published.
More information: For more information, see the To publish the report model for use
in SQL Server Reporting Services section in this topic.

Step: Deploy the report model to Configuration Manager
Description: Before you can use a custom report model in the Create Report Wizard to
create a model-based report, you must deploy the report model to Configuration
Manager.
More information: For more information, see the To deploy the custom report model to
Configuration Manager section in this topic.
On the computer where you perform these procedures, ensure that you have installed
SQL Server Business Intelligence Development Studio and that the computer has
network connectivity to the reporting services point server. For detailed information
about SQL Server Business Intelligence Development Studio, see the SQL Server 2008
documentation.
3. In the New Project dialog box, select Report Model Project in the Templates list.
4. In the Name box, specify a name for this report model. For this example, type
Simple_Model.
Note
If you cannot see the Solution Explorer pane, click View, and then click
Solution Explorer.
3. On the Select how to define the connection page, verify that Create a data source
based on an existing or new connection is selected, and then click New.
Server name: Type the name of your Configuration Manager site database
server, or select it in the list. If you are working with a named instance instead
of the default instance, type <database server>\<instance name>.
6. If the connection succeeds, click OK to close the Connection Manager dialog box.
If the connection does not succeed, verify that the information you entered is
correct, and then click Test Connection again.
7. On the Select how to define the connection page, verify that Create a data source
based on an existing or new connection is selected, verify that the data source
you have just specified is selected in Data connections, and then click Next.
8. In Data source name, specify a name for the data source, and then click Finish. For
this example, type Simple_Model.
9. The data source Simple_Model.ds is now displayed in Solution Explorer under the
Data Sources node.
Note
To edit the properties of an existing data source, double-click the data source
in the Data Sources folder of the Solution Explorer pane to display the data
source properties in Data Source Designer.
2. On the Welcome to the Data Source View Wizard page, click Next. The Select a
Data Source page is displayed.
3. In the Relational data sources window, verify that the Simple_Model data source is
selected, and then click Next.
4. On the Select Tables and Views page, select the following view in the Available
objects list to be used in the report model: v_R_System (dbo).
Tip
To help locate views in the Available objects list, click the Name heading at
the top of the list to sort the objects in alphabetical order.
5. After selecting the view, click > to transfer the object to the Included objects list.
6. If the Name Matching page is displayed, accept the default selections, and click
Next.
7. When you have selected the objects that you require, click Next, and then specify a
name for the data source view. For this example, type Simple_Model.
8. Click Finish. The Simple_Model.dsv data source view is displayed in the Data
Source Views folder of Solution Explorer.
4. On the Select report model generation rules page, accept the default values, and
then click Next.
5. On the Collect Model Statistics page, verify that Update model statistics before
generating is selected, and then click Next.
6. On the Completing the Wizard page, specify a name for the report model. For this
example, verify that Simple_Model is displayed.
7. To complete the wizard and create the report model, click Run.
8. To exit the wizard, click Finish. The report model is shown in the Design window.
2. Examine the deployment status at the lower left corner of the SQL Server Business
Intelligence Development Studio window. When the deployment has finished,
Deploy Succeeded is displayed. If the deployment fails, the reason for the failure is
displayed in the Output window. The new report model is now available on your
SQL Server Reporting Services website.
3. Click File, click Save All, and then close SQL Server Business Intelligence
Development Studio.
2. Copy the following files from the report model project folder to a temporary folder
on your computer:
4. In the file <Model Name>.dsv, locate the first line of the file, which reads as
follows:
<DataSourceView xmlns="http://schemas.microsoft.com/analysisservices/2003/engine">
Replace that line with the following line:
<DataSourceView xmlns="http://schemas.microsoft.com/analysisservices/2003/engine" xmlns:xsi="RelationalDataSourceView">
7. In the file <Model Name>.smdl, locate the last three lines of the file, which appear
as follows:
</Entity>
</Entities>
</SemanticModel>
8. Paste the contents of the file <Model Name>.dsv directly before the last line of the
file (</SemanticModel>).
Important
After copying the report model file to the Configuration Manager site server,
you must exit and restart the Configuration Manager console before you can
use the report model in the Create Report Wizard.
Steps for Creating an Advanced Report Model
in SQL Server Reporting Services
You can use the following procedures to create an advanced report model that users in
your site can use to build particular model-based reports based on data in multiple
views of the Configuration Manager database. You create a report model that presents
information about the client computers and the operating system installed on these
computers to the report author. This information is taken from the following views in
the Configuration Manager database:
Selected items from the preceding views are consolidated into one list, given
friendly names, and then presented to the report author in Report Builder for
inclusion in particular reports.
On the computer where you perform these procedures, ensure that you have
installed SQL Server Business Intelligence Development Studio and that the
computer has network connectivity to the reporting services point server. For
detailed information about SQL Server Business Intelligence Development Studio,
see the SQL Server documentation.
3. In the New Project dialog box, select Report Model Project in the Templates list.
4. In the Name box, specify a name for this report model. For this example, type
Advanced_Model.
If you cannot see the Solution Explorer pane, click View, and then click
Solution Explorer.
3. On the Select how to define the connection page, verify that Create a data source
based on an existing or new connection is selected, and then click New.
Server name: Type the name of your Configuration Manager site database
server, or select it in the list. If you are working with a named instance instead
of the default instance, type <database server>\<instance name>.
In the Select or enter a database name list, select the name of your
Configuration Manager site database.
6. If the connection succeeds, click OK to close the Connection Manager dialog box.
If the connection does not succeed, verify that the information you entered is
correct, and then click Test Connection again.
7. On the Select how to define the connection page, verify that Create a data source
based on an existing or new connection is selected, verify that the data source
you have just specified is selected in the Data connections list box, and then click
Next.
8. In Data source name, specify a name for the data source and then click Finish. For
this example, type Advanced_Model.
To edit the properties of an existing data source, double-click the data source
in the Data Sources folder of the Solution Explorer pane to display the data
source properties in Data Source Designer.
1. In Solution Explorer, right-click Data Source Views to select Add New Data
Source View.
2. On the Welcome to the Data Source View Wizard page, click Next. The Select a
Data Source page is displayed.
3. In the Relational data sources window, verify that the Advanced_Model data
source is selected, and then click Next.
4. On the Select Tables and Views page, select the following views in the Available
objects list to be used in the report model:
v_R_System (dbo)
v_GS_OPERATING_SYSTEM (dbo)
After selecting each view, click > to transfer the object to the Included
objects list.
Tip
To help locate views in the Available objects list, click the Name heading at
the top of the list to sort the objects in alphabetical order.
5. If the Name Matching dialog box appears, accept the default selections, and click
Next.
6. When you have selected the objects you require, click Next, and then specify a
name for the data source view. For this example, type Advanced_Model.
7. Click Finish. The Advanced_Model.dsv data source view is displayed in the Data
Source Views folder of Solution Explorer.
2. Right-click the title bar of the v_R_System window to select Replace Table, and
then click With New Named Query.
3. In the Create Named Query dialog box, click the Add Table icon (typically the last
icon in the ribbon).
4. In the Add Table dialog box, click the Views tab, select V_GS_OPERATING_SYSTEM
in the list, and then click Add.
6. In the Create Named Query dialog box, specify the following information:
Name: Specify the name for the query. For this example, type
Advanced_Model.
Description: Specify a description for the query. For this example, type
Example Reporting Services report model.
7. In the v_R_System window, select the following items in the list of objects to
display in the report model:
ResourceID
ResourceType
Active0
AD_Domain_Name0
AD_SiteName0
Client0
Client_Type0
Client_Version0
CPUType0
Hardware_ID0
User_Domain0
User_Name0
Netbios_Name0
Operating_System_Name_and0
ResourceID
Caption0
CountryCode0
CSDVersion0
Description0
InstallDate0
LastBootUpTime0
Locale0
Manufacturer0
Version0
WindowsDirectory0
9. To present the objects in these views as one list to the report author, you must
specify a relationship between the two tables or views by using a join. You can join
the two views by using the object ResourceID, which appears in both views.
10. In the v_R_System window, click and hold the ResourceID object and drag it to the
ResourceID object in the v_GS_OPERATING_SYSTEM window.
12. The Advanced_Model window replaces the v_R_System window and contains all of
the necessary objects required for the report model from the v_R_System and the
v_GS_OPERATING_SYSTEM views. You can now delete the
v_GS_OPERATING_SYSTEM window from the Data Source View Designer. Right-
click the title bar of the v_GS_OPERATING_SYSTEM window to select Delete Table
from DSV. In the Delete Objects dialog box, click OK to confirm the deletion.
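The named query that the Data Source View Designer builds in the preceding steps, written out as T-SQL. This is an added example, not from the Configuration Manager documentation; the same statement can also be pasted into Report Builder as the SQL statement of a SQL-based report (the Create reports procedure earlier on this page). The friendly column aliases, the @OSCaption report parameter, and the Active0/Client0 filters are assumptions.

```sql
-- Added example, not from the Configuration Manager documentation.
-- Equivalent of the Advanced_Model named query: v_R_System joined to
-- v_GS_OPERATING_SYSTEM on ResourceID, with the columns selected above
-- given the friendly names a report author would see in Report Builder.
-- @OSCaption is an assumed report parameter; a blank value returns all rows.
-- Active0 = 1 and Client0 = 1 restrict the result to active, managed clients.
SELECT
    s.ResourceID,
    s.Netbios_Name0        AS [Computer Name],
    s.AD_Domain_Name0      AS [AD Domain],
    s.AD_SiteName0         AS [AD Site],
    s.User_Domain0         AS [User Domain],
    s.User_Name0           AS [User Name],
    s.Client_Version0      AS [Client Version],
    s.Hardware_ID0         AS [Hardware ID],
    os.Caption0            AS [Operating System],
    os.Version0            AS [OS Version],
    os.CSDVersion0         AS [Windows Service Pack Version],
    os.InstallDate0        AS [OS Install Date],
    os.LastBootUpTime0     AS [Last Boot Time]
FROM v_R_System AS s
INNER JOIN v_GS_OPERATING_SYSTEM AS os
    ON os.ResourceID = s.ResourceID
WHERE s.Active0 = 1
  AND s.Client0 = 1
  AND os.Caption0 LIKE '%' + @OSCaption + '%'
ORDER BY s.Netbios_Name0;

-- Summary dataset for the same report: client count per operating system and
-- version, which makes builds that are out of support easy to spot.
SELECT
    os.Caption0  AS [Operating System],
    os.Version0  AS [OS Version],
    COUNT(*)     AS [Clients]
FROM v_R_System AS s
INNER JOIN v_GS_OPERATING_SYSTEM AS os
    ON os.ResourceID = s.ResourceID
WHERE s.Active0 = 1
  AND s.Client0 = 1
GROUP BY os.Caption0, os.Version0
ORDER BY [Clients] DESC;
```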
3. On the Select Data Source View page, select the data source view in the Available
data source views list, and then click Next. For this example, select
Simple_Model.dsv.
4. On the Select report model generation rules page, do not change the default
values, and click Next.
5. On the Collect Model Statistics page, verify that Update model statistics before
generating is selected, and then click Next.
6. On the Completing the Wizard page, specify a name for the report model. For this
example, verify that Advanced_Model is displayed.
7. To complete the wizard and create the report model, click Run.
2. In the report model Design view, right-click any object name to select Rename.
3. Type a new name for the selected object, and then press Enter. For example, you
could rename the object CSD_Version_0 to read Windows Service Pack Version.
4. When you have finished renaming objects, click File, and then click Save All.
2. Examine the deployment status at the lower left corner of the SQL Server Business
Intelligence Development Studio window. When the deployment has finished,
Deploy Succeeded is displayed. If the deployment fails, the reason for the failure is
displayed in the Output window. The new report model is now available on your
SQL Server Reporting Services website.
3. Click File, click Save All, and then close SQL Server Business Intelligence
Development Studio.
1. Locate the folder in which you created the report model project. For example,
%USERPROFILE%\Documents\Visual Studio 2008\Projects\<Project Name>.
2. Copy the following files from the report model project folder to a temporary folder
on your computer:
4. In the file <Model Name>.dsv, locate the first line of the file, which reads as
follows:
<DataSourceView xmlns="http://schemas.microsoft.com/analysisservices/2003/engine">
Replace that line with the following line:
<DataSourceView xmlns="http://schemas.microsoft.com/analysisservices/2003/engine" xmlns:xsi="RelationalDataSourceView">
7. In the file <Model Name>.smdl, locate the last three lines of the file, which appear
as follows:
</Entity>
</Entities>
</SemanticModel>
8. Paste the contents of the file <Model Name>.dsv directly before the last line of the
file (</SemanticModel>).
Important
After copying the report model file to the Configuration Manager site server,
you must exit and restart the Configuration Manager console before you can
use the report model in the Create Report Wizard.
The data warehouse service point for
Configuration Manager
Article • 10/04/2022
Use the data warehouse service point to store and report on long-term historical data
for your Configuration Manager deployment.
The data warehouse supports up to 2 TB of data, with timestamps for change tracking.
The data warehouse stores data by automatically synchronizing data from the
Configuration Manager site database to the data warehouse database. This information
is then accessible from your reporting service point. Data synchronized to the data
warehouse database is kept for three years. Periodically, a built-in task removes data
that's older than three years.
Data that is synchronized includes the following from the global data and site data
groups:
Infrastructure health
Security
Compliance
Malware
Software deployments
Inventory details (however, inventory history isn't synchronized)
When the site system role installs, it installs and configures the data warehouse
database. It also installs several reports so you can easily search for and report on this
data.
Prerequisites
The data warehouse site system role is supported only at the top-tier site of your
hierarchy. For example, a central administration site (CAS) or standalone primary
site.
Starting in version 2107, the server where you install this site system role requires
.NET version 4.6.2, and version 4.8 is recommended. In version 2103 and earlier,
this role requires .NET 4.5.2 or later. For more information, see Site and site system
prerequisites.
Grant the Reporting Services Point Account the db_datareader permission on the
data warehouse database.
The data warehouse database requires the use of SQL Server 2012 or later. The
edition can be Standard, Enterprise, or Datacenter. The SQL Server version for the
data warehouse doesn't need to be the same as the site database server.
If you use distributed views, install the data warehouse service point on the same
server that hosts the CAS's database.
For more information on SQL Server licensing, see the product and licensing FAQ.
Size the data warehouse database the same as your site database. While the data
warehouse is smaller at first, it will grow over time.
Install
Each hierarchy supports a single instance of this role, on any site system of the top-tier
site. The SQL Server that hosts the database for the warehouse can be local to the site
system role, or remote. The data warehouse works with the reporting services point
installed at the same site. You don't need to install the two site system roles on the same
server.
To install the role, use the Add Site System Roles Wizard or the Create Site System
Server Wizard. For more information, see Install site system roles. On the System Role
Selection page of the wizard, select the Data Warehouse service point role.
When you install the role, Configuration Manager creates the data warehouse database
for you on the instance of SQL Server that you specify. If you specify the name of an
existing database, Configuration Manager doesn't create a new database. Instead it uses
the one you specify. This process is the same as when you move the data warehouse
database to a new SQL Server.
Configure properties
General page
SQL Server fully qualified domain name: Specify the fully qualified domain name
(FQDN) of the server that hosts the data warehouse service point database.
SQL Server instance name, if applicable: If you don't use a default instance of SQL
Server, specify the named instance.
Database name: Specify a name for the data warehouse database. Configuration
Manager creates the data warehouse database with this name. If you specify a
database name that already exists on the instance of SQL Server, Configuration
Manager uses that database.
SQL Server port used for connection: Specify the TCP/IP port number used by the
SQL Server that hosts the data warehouse database. The data warehouse
synchronization service uses this port to connect to the data warehouse database.
By default, it uses SQL Server port 1433 for communication.
Data warehouse service point account: Set the User name that SQL Server
Reporting Services uses when it connects to the data warehouse database.
Synchronization settings page
Recurrence pattern
Weekly: Specify a single day each week, and weekly recurrence for
synchronization.
Reporting
After you install a data warehouse service point, several reports become available on the
reporting services point for the site. If you install the data warehouse service point
before installing a reporting services point, the reports are automatically added when
you later install the reporting services point.
Note
The data warehouse service point supports alternative credentials. Specify credentials
that SQL Server Reporting Services uses to connect to the data warehouse database.
Data warehouse reports don't open until you add credentials.
To specify an account, set the User name for the data warehouse service point
account in the role properties. For more information, see Configure properties.
The data warehouse site system role includes the following reports, under the Data
Warehouse category:
General Hardware Inventory - Historical: View all hardware inventory for a specific
machine.
General Software Inventory - Historical: View all software inventory for a specific
machine.
When you install the data warehouse, it synchronizes a set of default tables from the site
database. These tables are required for data warehouse reports. While troubleshooting
issues, you may want to stop synchronizing these default tables. Starting in version
2203, you can exclude one or more of these required tables from synchronization. To
exclude tables from synchronization:
1. From the Administration workspace, open Site Configuration > Servers and Site
System Roles.
2. Select the server where the data warehouse service point is installed.
3. In the Site System Roles details pane, select the Data Warehouse service point
role, then select Properties.
4. On the Synchronization settings page, choose Select tables.
5. In the Database tables window, deselect one or more tables of type Required.
6. The console will prompt you to confirm the change, since some reports may no
longer work correctly.
Site expansion
Before you can install a CAS to expand an existing standalone primary site, first uninstall
the data warehouse service point role. After you install the CAS, you can then install the
site system role at the CAS.
Unlike a move of the data warehouse database, this change results in a loss of the
historic data you have previously synchronized at the primary site. It isn't supported to
back up the database from the primary site and restore it at the CAS.
Move the data warehouse database
Note
After you restore the database to the new server, make sure the database
access permissions are the same on the new data warehouse database as they
were on the original data warehouse database.
2. Use the Configuration Manager console to remove the data warehouse service
point role from the current server.
3. Reinstall the data warehouse service point. Specify the name of the new SQL Server
and instance that hosts the restored data warehouse database.
Troubleshoot
Log files
Use the following logs to investigate problems with the installation of the data
warehouse service point, or synchronization of data:
Set up failure
When the data warehouse service point role is the first one that you install on a remote
server, installation fails for the data warehouse.
To work around this issue, make sure that the computer on which you install the data
warehouse service point already hosts at least one other role.
To work around this issue, make sure that the computer account of the site system role
is a db_owner on the data warehouse database.
To work around this issue, grant the Reporting Services Point Account the
db_datareader permission on the data warehouse database.
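The two database-level permissions this page calls for (db_datareader for the Reporting Services Point Account, db_owner for the site system's computer account) can be granted and then checked from PowerShell with Invoke-Sqlcmd. The script below is an added example, not code from the Configuration Manager documentation or product; it assumes the SqlServer module is installed and that you run it as a SQL sysadmin, and the instance, database and account names are placeholders to replace.

```powershell
# Added example, not from the Configuration Manager documentation.
# Assumed values (replace with your own):
$SqlInstance        = 'CM-DWSQL01.contoso.com'   # SQL Server that hosts the data warehouse database
$Database           = 'CMDataWarehouse'           # data warehouse database name from the General page
$RsPointAccount     = 'CONTOSO\svc-cm-ssrs'       # Reporting Services Point Account
$SiteSystemComputer = 'CONTOSO\CM-SITE01$'        # computer account of the server that hosts the role

# Idempotent T-SQL: create missing logins/users, then add the role memberships.
# Only the site system's computer account gets db_owner; the reporting account stays read-only.
$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$RsPointAccount')
    CREATE LOGIN [$RsPointAccount] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$SiteSystemComputer')
    CREATE LOGIN [$SiteSystemComputer] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$RsPointAccount')
    CREATE USER [$RsPointAccount] FOR LOGIN [$RsPointAccount];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$SiteSystemComputer')
    CREATE USER [$SiteSystemComputer] FOR LOGIN [$SiteSystemComputer];
IF IS_ROLEMEMBER('db_datareader', N'$RsPointAccount') = 0
    ALTER ROLE db_datareader ADD MEMBER [$RsPointAccount];
IF IS_ROLEMEMBER('db_owner', N'$SiteSystemComputer') = 0
    ALTER ROLE db_owner ADD MEMBER [$SiteSystemComputer];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query $grant

# Verify: every database role each principal holds in the data warehouse database.
$verify = @"
SELECT m.name AS principal_name, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE m.name IN (N'$RsPointAccount', N'$SiteSystemComputer')
ORDER BY m.name, r.name;
"@
$membership = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $verify
$membership | Format-Table -AutoSize

# Flag over-privilege: the reporting account never needs more than db_datareader.
$tooMuch = $membership | Where-Object { $_.principal_name -eq $RsPointAccount -and $_.role_name -eq 'db_owner' }
if ($tooMuch) {
    Write-Warning "$RsPointAccount is db_owner on $Database; db_datareader is sufficient for reports."
}
```

Keep the reporting account at db_datareader: it only has to read the warehouse for reports, and db_owner would let a compromised SSRS data source rewrite three years of history. The final query is also the check to run after a restore to a new SQL Server, where database users are easily left orphaned from their logins.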
Output
A connection was successfully established with the server, but then an error
occurred during the pre-login handshake. (provider: SSL Provider, error: 0 -
The certificate chain was issued by an authority that is not trusted.)
This issue should only occur when the site database and data warehouse database are
on separate SQL Servers.
To work around this issue, use the following steps to configure certificates:
1. On the SQL Server that hosts the data warehouse database:
i. Give the SQL Server service account read permissions to the certificate. Select
the Data Warehouse SQL Server Identification Certificate certificate, then
go to the Action menu, select All Tasks, and select Manage Private Keys.
Add the SQL Server service account, and allow Read permission.
ii. Export the Data Warehouse SQL Server Identification Certificate as a DER
encoded binary X.509 (.CER) file.
iii. Under SQL Server Services, restart the SQL Server service. If SQL Server
Reporting Services is also installed on the server that hosts the data
warehouse database, restart the Reporting Services service as well.
2. On the server that hosts SQL Server Reporting Services, open the MMC, and add
the Certificates snap-in. Select Computer account. Under the Trusted Root
Certificate Authorities folder, import the Data Warehouse SQL Server
Identification Certificate.
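The export and import steps above can be scripted with the PKI cmdlets (Export-Certificate, Import-Certificate) instead of the MMC, and the result checked before SSRS tries the connection. This is an added example, not from the Configuration Manager documentation. The friendly name of the SQL Server certificate, the host name and the file path are assumptions; part 1 runs on the SQL Server that hosts the data warehouse database, part 2 on the SSRS server after the .cer file is copied there. The Manage Private Keys step (read access for the SQL Server service account) is still done in the MMC as described above.

```powershell
# Added example, not from the Configuration Manager documentation.
# Assumed values:
$DwSqlHost    = 'CM-DWSQL01.contoso.com'     # FQDN typed on the General page of the role
$FriendlyName = 'Data Warehouse SQL Server Identification Certificate'
$CerPath      = 'C:\Temp\dw-sql-server.cer'  # copy this file to the SSRS server between the two parts

# ---- Part 1: run on $DwSqlHost ----
# Export the public certificate only, DER-encoded (.cer). The private key never leaves the SQL Server.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName } |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with friendly name '$FriendlyName' in LocalMachine\My on $env:COMPUTERNAME"
}
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null
"Exported $($cert.Subject) (thumbprint $($cert.Thumbprint)) to $CerPath"

# ---- Part 2: run on the SSRS server, after copying $CerPath there ----
# Import into the computer's Trusted Root store, which the SQL client used by SSRS consults.
$imported = Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root

# Check 1: the chain must now build. A self-signed SQL certificate has no CRL, so skip revocation.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($imported)) {
    "Chain builds: $($imported.Subject) is trusted on $env:COMPUTERNAME"
} else {
    foreach ($s in $chain.ChainStatus) {
        Write-Warning "Chain problem: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}

# Check 2: trust is not enough; the name SSRS connects to must match the certificate too.
$dnsName = $imported.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $DwSqlHost) {
    Write-Warning "Certificate name '$dnsName' does not match '$DwSqlHost'; the TLS handshake will still fail."
}
```

Anything in the computer's Trusted Root store is trusted by every TLS client on that server, not just SSRS, so import only the SQL Server's own identification certificate (its public part), never a CA you do not control, and remove it when the data warehouse moves. If your organization has an enterprise PKI, issuing the SQL Server certificate from it avoids touching the root store at all.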
Data flow
Step 1: The site server transfers and stores data in the site database.
Step 2: Based on its schedule and configuration, the data warehouse service point gets data from
the site database.
Step 3: The data warehouse service point transfers and stores a copy of the synchronized data in
the data warehouse database.
Reporting flow
Step A: Using built-in reports, a user requests data. This request is passed to the reporting service
point using SQL Server Reporting Services.
Step B: Most reports are for current information, and these requests are run against the site
database.
Step C: When a report requests historical data by using one of the reports with a Category of Data
Warehouse, the request runs against the data warehouse database.
Support Center for Configuration Manager
Article • 10/04/2022
Use Support Center for client troubleshooting, real-time log viewing, or capturing the
state of a Configuration Manager client computer for later analysis. Support Center is a
single tool to combine many administrator troubleshooting tools.
About
Support Center aims to reduce the challenges and frustration when troubleshooting
Configuration Manager client computers. Previously, when working with support to
address an issue with Configuration Manager clients, you would need to manually
collect log files and other information to help troubleshoot the issue. It was easy to
accidentally forget a crucial log file, causing headaches for you and the support
personnel who you're working with.
Create a troubleshooting bundle (.zip file) that contains the Configuration Manager
client log files. You then have a single file to send to support personnel.
View Configuration Manager client log files, certificates, registry settings, debug
dumps, client policies.
Starting in version 2103, Support Center is split into the following tools:
Support Center Client Data Collector: Collects data from a device to view in the
Support Center Viewer. This separate tool encompasses the existing Support
Center action to Collect selected data.
PowerShell cmdlets
Support Center also includes PowerShell cmdlets. Use these cmdlets to create a remote
connection to another Configuration Manager client, to configure the data collection
options, and to start data collection. These cmdlets are in a separate PowerShell module
named ConfigMgrSupportCenter.PS. After you install Support Center, use the following
command to import this module:
PowerShell
Prerequisites
Install the following components on the server or client computer on which you install
Support Center:
Any Windows OS version supported by Configuration Manager. For more
information, see Supported OS versions for clients. Support Center doesn't support
mobile devices or macOS.
Starting in version 2107, all site and client components require .NET version
4.6.2, and version 4.8 is recommended. For more information, see Site and site system
prerequisites. In version 2103 and earlier, this tool requires .NET 4.5.2 or later.
Install
Find the Support Center installer on the site server at the following path:
cd.latest\SMSSETUP\Tools\SupportCenter\SupportCenterInstaller.msi .
After you install it, find the following items on the Start menu in the Microsoft Endpoint
Manager group:
Starting in version 2103, the Start menu group for Support Center includes these five
tools:
Tip
When installing Support Center, you can install tools individually. To install only the
OneTrace log viewer, use the Advanced option when using the Support Center
installer. You can also use the ADDLOCAL property, for example
supportcenterinstaller.msi ADDLOCAL=OneTraceApplication
user without elevation. -l can be used exclusively from -m and -p. If -m and/or -p
is used without -l, elevation will still be requested.
Known issues
ComputerName\UserName
DomainName\UserName
Next steps
Support Center quickstart
Support Center quickstart guide
Article • 10/04/2022
Support Center has powerful capabilities including troubleshooting and real-time log
viewing. It can also be used in just a few minutes to capture the state of a Configuration
Manager client computer. This ability includes accessing remote clients.
Create a complete troubleshooting bundle file (.zip) that captures the client state. The
bundle doesn't only contain log files. It can include other types of data such as registry
settings and client configurations. Provide the bundle to a support technician who uses
Support Center Viewer.
Prerequisites
Local administrative rights to a Configuration Manager client
2. Go to the Start menu, in the Microsoft Endpoint Manager group, select the option
based on your site version:
For version 2103 and later: Select Support Center Client Data Collector.
Client log files: All log files from the Configuration Manager clients, by
default in C:\Windows\CCM\logs . It also includes log files for client setup, by
default in C:\Windows\ccmsetup\Logs .
Client configuration: Information from the Configuration Manager client. For
example, the version, the assigned site and management point, and if it's
internet facing. This option is always enabled.
4. Save the troubleshooting bundle file (.zip) to a folder on the computer. By default,
the file name is similar to the following example:
Support_c885cdfed3c7482bba4f9e662978ec07.zip .
2. Select Open bundle, browse to the bundle file, and select Open.
3. After Support Center Viewer processes the file, switch to each available tab. View
the types of data that Support Center collects by default:
Configuration tab
Operating system
Computer
Services
Network adapters
Logs tab: Choose one or more entries in the list, and select Open. This action
opens the selected log files in Log Viewer. Use this feature to look up error
codes, and use advanced filters to help you more quickly analyze log files.
Policy: Configuration Manager policy settings, including both the requested policy
configuration and the actual policy configuration.
Client WMI: Client configuration information from WMI. Support Center doesn't
collect client policy.
Certificates: Public key information for client certificates. Support Center doesn't
collect certificate private keys.
Debug dumps: Collect a debug dump of client and related processes. Debug
dumps can be large. Only enable this option when troubleshooting issues with
client performance.
Warning
Collecting debug dumps will cause data bundles to become very large. In
some cases, the size can be several hundred MB.
This data type isn't supported when you make a remote connection to
another client.
Client registry: Collects client configuration information from the registry. Support
Center only collects Configuration Manager registry information.
Note
This data type isn't supported when you make a remote connection to
another client.
Windows Update log files: Collects log files for Windows Updates, which are
necessary when troubleshooting issues with software updates.
Next steps
User interface reference
Support Center OneTrace
Article • 10/04/2022
OneTrace is a new log viewer with Support Center. It works similarly to CMTrace, with
the following improvements:
A tabbed view
Dockable windows
Improved search capabilities
Ability to enable filters without leaving the log view
Scrollbar hints to quickly identify clusters of errors
Fast log opening for large files
Windows jump lists for recently opened files (version 2103 and later)
Status messages are displayed in an easy to read format (version 2111 and later)
Entries starting with >> are status messages that are automatically converted
into a readable format when a log is opened. Search or filter on the >> string to
find status messages in the log.
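The entries OneTrace highlights, errors for the scrollbar hints and >> status messages, are easy to pull out of the client's own log format with a short script, which is useful for triage on a machine where OneTrace is not installed. The following is an added example, not part of Support Center or OneTrace. It parses the CMTrace entry format the Configuration Manager client writes (a <![LOG[...]LOG]!> message followed by time, date, component and type attributes); the four sample entries are constructed for the example, and ConvertFrom-CMTraceLog is a name chosen here.

```powershell
# Added example, not part of Support Center or OneTrace.
# Constructed sample entries in the CMTrace format written by the Configuration Manager client.
$SampleLog = @'
<![LOG[Policy evaluation initiated for assignment SUM_123]LOG]!><time="10:15:02.115+000" date="03-01-2023" component="UpdatesDeploymentAgent" context="" type="1" thread="4412" file="updatesassignment.cpp:1021">
<![LOG[>>Deployment State Message: Evaluation succeeded]LOG]!><time="10:15:03.001+000" date="03-01-2023" component="UpdatesDeploymentAgent" context="" type="1" thread="4412" file="updatesassignment.cpp:1044">
<![LOG[Failed to download content id 16777219. Error = 0x80072ee7]LOG]!><time="10:15:09.882+000" date="03-01-2023" component="ContentAccess" context="" type="3" thread="5120" file="downloadmanager.cpp:611">
<![LOG[Retrying download (attempt 2 of 3)]LOG]!><time="10:15:10.004+000" date="03-01-2023" component="ContentAccess" context="" type="2" thread="5120" file="downloadmanager.cpp:640">
'@

# One pattern per entry. Messages may span lines, so match against the whole file with Singleline.
$EntryPattern = '<!\[LOG\[(?<message>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<component>[^"]*)" context="[^"]*" type="(?<type>\d)" thread="(?<thread>\d+)" file="(?<file>[^"]*)">'

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)][string]$Content)
    foreach ($m in [regex]::Matches($Content, $EntryPattern, 'Singleline')) {
        # type: 1 = informational, 2 = warning, 3 = error (what CMTrace/OneTrace colour red)
        $severity = switch ($m.Groups['type'].Value) {
            '1'     { 'Info' }
            '2'     { 'Warning' }
            '3'     { 'Error' }
            default { 'Unknown' }
        }
        $message = $m.Groups['message'].Value
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value      # includes the +/-minutes UTC offset, kept as text
            Component = $m.Groups['component'].Value
            Severity  = $severity
            IsStatus  = $message.StartsWith('>>')    # status messages, as OneTrace identifies them
            Message   = $message
        }
    }
}

$entries = @(ConvertFrom-CMTraceLog -Content $SampleLog)
"Parsed $($entries.Count) entries"
"Errors (what the OneTrace scrollbar hints point at):"
$entries | Where-Object Severity -eq 'Error' | Format-Table Time, Component, Message -AutoSize
"Status messages (>>):"
$entries | Where-Object IsStatus | Format-Table Time, Component, Message -AutoSize
# Real log: ConvertFrom-CMTraceLog -Content (Get-Content 'C:\Windows\CCM\Logs\UpdatesDeployment.log' -Raw)
```

Applied to a whole file read with Get-Content -Raw (last comment), the same function gives a quick list of error and status entries before you open the log in OneTrace; group the Error rows by minute to see the clusters the scrollbar hints would show.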
Prerequisites
Starting in version 2107, all site and client components require .NET version 4.6.2,
and version 4.8 is recommended. For more information, see Site and site system
prerequisites.
In version 2103 and earlier, this tool requires .NET 4.6 or later.
Install
OneTrace installs with Support Center. Find the Support Center installer on the site
server at the following path:
cd.latest\SMSSETUP\Tools\SupportCenter\SupportCenterInstaller.msi .
Note
Support Center Log File Viewer and OneTrace use Windows Presentation
Foundation (WPF). This component isn't available in Windows PE. Continue to use
CMTrace in boot images with task sequence deployments.
Log groups
OneTrace supports customizable log groups, similar to the feature in Support Center.
Log groups allow you to open all log files for a single scenario. OneTrace currently
includes groups for the following scenarios:
Application management
Compliance settings (also referred to as Desired Configuration Management)
Software updates
To show log groups, go to the View menu, and select Log groups.
Customize log groups
You can customize these groups by modifying the configuration XML, which by default
is in the following path: C:\Program Files (x86)\Configuration Manager Support
Center\LogGroups.xml .
XML
<LogGroups>
  <!-- Opening LogGroup element reconstructed; it was lost in extraction. Attribute names
       follow the GroupType and GroupFilePath properties described below; the GroupName
       value is illustrative. -->
  <LogGroup GroupName="Compliance settings" GroupType="1" GroupFilePath="">
    <LogFile>CIAgent.log</LogFile>
    <LogFile>CIDownloader.log</LogFile>
    <LogFile>CIStateStore.log</LogFile>
    <LogFile>CIStore.log</LogFile>
    <LogFile>CITaskMgr.log</LogFile>
    <LogFile>ccmsdkprovider.log</LogFile>
    <LogFile>DCMAgent.log</LogFile>
    <LogFile>DCMReporting.log</LogFile>
    <LogFile>DcmWmiProvider.log</LogFile>
  </LogGroup>
</LogGroups>
GroupType: The type of log group. It takes one of the following values:
0: Unknown or other
1: Configuration Manager client logs
The GroupFilePath property can include an explicit path for the log files. If it's blank,
OneTrace relies upon the registry configuration for the group type. For example, if you
set GroupType=1 , by default OneTrace will automatically look in C:\Windows\CCM\Logs for
the logs in the group. In this example, you don't need to specify GroupFilePath .
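The GroupFilePath and GroupType rules above can be checked programmatically: resolve every file in every group to a full path and report which ones are present on the client. The script is an added example, not part of Support Center. The LogGroups.xml it parses is constructed for the example, with attribute names taken from the properties described above and group names chosen here; it assumes the client records its log directory in the LogDirectory value under HKLM\SOFTWARE\Microsoft\CCM\Logging\@Global (the article only says OneTrace relies on the registry), and the function names are also mine.

```powershell
# Added example, not part of Support Center. Constructed LogGroups.xml for the example.
$SampleXml = @'
<LogGroups>
  <LogGroup GroupName="Compliance settings" GroupType="1" GroupFilePath="">
    <LogFile>CIAgent.log</LogFile>
    <LogFile>DCMAgent.log</LogFile>
    <LogFile>DCMReporting.log</LogFile>
  </LogGroup>
  <LogGroup GroupName="Client setup" GroupType="0" GroupFilePath="C:\Windows\ccmsetup\Logs">
    <LogFile>ccmsetup.log</LogFile>
    <LogFile>client.msi.log</LogFile>
  </LogGroup>
  <LogGroup GroupName="Broken group" GroupType="0" GroupFilePath="">
    <LogFile>nowhere.log</LogFile>
  </LogGroup>
</LogGroups>
'@

function Get-ClientLogDirectory {
    # Assumption: the client stores its log directory here; fall back to the documented default.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\CCM\Logging\@Global'
    $dir = (Get-ItemProperty -Path $regPath -Name LogDirectory -ErrorAction SilentlyContinue).LogDirectory
    if ([string]::IsNullOrWhiteSpace($dir)) { $dir = 'C:\Windows\CCM\Logs' }
    return $dir
}

function Resolve-LogGroup {
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($group in $Config.LogGroups.LogGroup) {
        # Rule from the article: an explicit GroupFilePath wins; a blank path is resolved by GroupType.
        $basePath = $group.GroupFilePath
        if ([string]::IsNullOrWhiteSpace($basePath)) {
            $basePath = switch ([int]$group.GroupType) {
                1       { Get-ClientLogDirectory }   # Configuration Manager client logs
                default { $null }                    # type 0 has no default location
            }
        }
        foreach ($name in $group.LogFile) {
            $full = if ($basePath) { Join-Path -Path $basePath -ChildPath $name } else { $null }
            [pscustomobject]@{
                Group  = $group.GroupName
                Type   = [int]$group.GroupType
                File   = $name
                Path   = $full
                Exists = [bool]($full -and (Test-Path -LiteralPath $full))
            }
        }
    }
}

$resolved = Resolve-LogGroup -Config ([xml]$SampleXml)
$resolved | Format-Table -AutoSize
# Groups that can never open anything: no path could be resolved for at least one file.
$resolved | Where-Object { -not $_.Path } | Select-Object -ExpandProperty Group -Unique |
    ForEach-Object { Write-Warning "Group '$_' has GroupType 0 and no GroupFilePath; OneTrace cannot locate its logs." }
# Real configuration:
# Resolve-LogGroup -Config ([xml](Get-Content 'C:\Program Files (x86)\Configuration Manager Support Center\LogGroups.xml' -Raw))
```

Run it on a client with the real file (last comment) after editing LogGroups.xml; a group whose GroupFilePath is stale, or whose GroupType is 0 with no path, shows up here instead of silently opening nothing in OneTrace.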
Support Center user interface reference
This article is a reference that describes the user interfaces (UI) of the following Support
Center tools:
Note
In version 2010 and earlier, the Client Data Collector and Client Tools are combined
into a single tool called Support Center.
The Support Center suite also includes OneTrace. For more information, see Support
Center OneTrace.
Support Center Client Data Collector
Note
In version 2010 and earlier, this tool is part of the Support Center tool. The Collect
selected data action is on the Home tab of the Support Center tool.
Window menu
Local Machine Connection: Gather data from the client that's running Support
Center Client Data Collector.
Options:
Reduce the movement of animated user interface elements
Change the default save location for data bundle files
Change the location of temporary files
Reset warnings. Any warning messages that you previously suppressed appear
again when triggered.
Reset temporary file path to the default,
%UserProfile%\AppData\Local\Microsoft\ConfigMgrSupportCenter
Home tab
Support Center Client Data Collector collects information from the Configuration
Manager client. You can then view this information using Support Center Viewer. By
default, it collects the following types:
To collect other types of information, select the checkbox next to the name for that type.
Select the drop-down at the bottom of the Collect selected data button in the ribbon,
and select Collect all data. This action collects the complete set of client state data.
While Support Center Client Data Collector is collecting data, select Cancel collection to
stop it.
Data types
When you select the checkbox for an option, Support Center Client Data Collector
collects that type of data the next time you select Collect selected data. The following
types are available:
Certificates: Public key information for client certificates. Support Center Client
Data Collector doesn't collect certificate private keys.
Client registry: Collects client configuration information from the registry. Support
Center Client Data Collector only collects Configuration Manager registry
information.
Client WMI: Client configuration information from WMI. Support Center Client
Data Collector doesn't collect client policy.
Note
This data type isn't supported when you make a remote connection to
another client.
Debug dumps: Create a debug dump of client and related processes. Debug
dumps can be large. Only enable this option when troubleshooting issues with
client performance.
Warning
Collecting debug dumps will cause data bundles to become very large. In
some cases, the size can be several hundred MB.
This data type isn't supported when you make a remote connection to
another client.
Operating system: Collects configuration information about the local machine.
This data includes information about the Windows installation, network adapters,
and system service configuration. You can't disable this data type.
Support Center Client Tools
Note
Starting in version 2103, use the Support Center Client Data Collector for the
Collect selected data action.
Window menu
Client tab
Policy tab
Content tab
Inventory tab
Troubleshooting tab
Logs tab
Local Machine Connection: Gather log files and troubleshoot the client that's
running Support Center.
About: Provides information about Support Center Client Tools, such as the
version.
Options:
Reduce the movement of animated user interface elements
Change the default save location for data bundle files
Change the location of temporary files
Reset warnings. Any warning messages that you previously suppressed appear
again when triggered.
Reset temporary file path to the default,
%UserProfile%\AppData\Local\Microsoft\ConfigMgrSupportCenter
Client tab
Client information
When you load client details, this tool shows the following properties:
Client ID: A unique identifier that Configuration Manager uses to identify the
client.
Hardware ID: A unique identifier that Configuration Manager uses to identify the
client hardware.
Site Code: The site code for the primary site to which the client is assigned.
Assigned MP: The fully qualified domain name (FQDN) of the client's currently
assigned management point.
Proxy MP: The hostname or FQDN of the proxy management point (if it exists).
Proxy Site Code: The site code for the secondary site (if it exists).
Proxy State: The state of the Configuration Manager client's proxy management
point. For example, Active or Pending.
Maintenance windows
List all maintenance windows currently defined for this client. The next maintenance
window displays a different status than future windows.
Restart client
Important
If the client agent service doesn't successfully restart, the client isn't
manageable by Configuration Manager until the service starts.
Start client
Stop client
Important
The client isn't manageable by Configuration Manager until the service starts.
Policy tab
Load policy
This option varies depending upon the view:
Load Actual policy: Select Actual in the View group, and then select this option in
the Policy group. Load the client policy that you've currently selected.
Load Requested policy: Select Requested in the View group, and then select this
option in the Policy group. Load the client policy requested of the client.
Load Default policy: Select Default in the View group, and then select this option
in the Policy group. Load the default policy for this client.
Select the drop-down list at the bottom of this button for other options:
Load or Refresh all: Load or refresh the actual, requested, and default policy at the
same time.
Actual view
Opens the actual policy view.
Requested view
Opens the requested policy view.
Default view
Opens the default policy view. This policy is what devices get when you install the
Configuration Manager client.
Select the drop-down list at the bottom of this button for other options:
Request policy: Request the client policy from the management point.
Reset policy to default: Tell the Configuration Manager client to reapply the
default policy. It removes all machine and user policies on the client.
Listen for policy events. Select this option again to disable listening for policy events. To
view Policy events, select the arrow at the bottom of this tab.
Clear events
Clear any policy events.
Content tab
View content on the client, including cached content. Monitor the progress of software
update and application deployments.
Location services
Refresh content locations: Refreshes the distribution points used by any active
content downloads.
Time out content requests: If any content location requests have been running
for too long, this action stops the request.
Software updates source scan: Starts a task that scans update source locations.
Windows Installer source list update: Starts a task that updates the source
location for Windows Installer (MSI) installations.
Deployment view
See applications, packages, and updates that are loaded on the client. When you select
an application, package, or update, you can view details on that content. For some
applications, you can also do the following actions:
Starting in Configuration Manager version 2107, the view is grouped by Category and
Status. The view can be sorted and filtered to help you find the deployments you're
interested in. Select a deployment in the results pane to display the following
information in the details pane:
Properties tab
Name: The name of the deployment property.
Value: The value assigned to the deployment property.
Policy tab
Display name: Display name of the items in the deployment.
Version: Version for the item in the deployment.
Model name: Model name for the item in the deployment.
CI XML: XML for the configuration item.
Reporting tab
Time: Timestamp of the state message.
State: The state that was reported by the client.
Topic ID: ID of what the state message is reporting on, used to map to events in
log files. In this context, it will typically be the Assignment ID of the deployment.
Topic type: The state message type.
Topic type ID: The subtype of the state message.
State ID: The result of the action that you're monitoring.
Cache view
View the client cache configuration and details about the cache contents. When you
connect Support Center Client Tools to a local client, you can also do the following
actions:
To change the cache location, select Change next to the Cache location field.
To adjust the size of the cache, select Change next to the Cache size field.
To clear the client cache, select Clear next to the Cache in use field.
Location: The location of each cache folder. Select the link to open the folder in
Windows Explorer.
Content ID
Cache ID
Size
Last Referenced: This property is the date when the client last read from or wrote
to this item in the cache.
Monitoring view
View the active progress of software update and application update deployments. This
view shows state messages raised from application and software updates event WMI
messages.
State
Article ID
Bulletin
Name
Update ID
Scan Time
Source Version
Source Unique ID
Inventory tab
Load or Refresh (Inventory)
Load or refresh the client inventory list for the currently selected view.
Note
If you request the task when another inventory task is already running, the
client queues the new task to run after it completes the current task and other
queued tasks.
Track the progress of the task in InventoryAgent.log.
The following items on this menu request client action related to inventory:
Discovery data collection cycle (heartbeat): Triggers the client task used to collect
device discovery information.
File collection cycle: Triggers the client task used to collect local files.
Hardware inventory cycle: Triggers the client task used to collect hardware
inventory data.
IDMIF collection cycle: Triggers the client task used to collect IDMIF data.
Software inventory cycle: Triggers the client task used to collect software
inventory data.
Software metering report cycle: Triggers the client task used to build a software
metering report and send it to the management point. Track the progress of this
task in SWMTRReportGen.log.
Send unsent state messages in queue: Triggers the client task to flush the queue
of state messages.
Advanced
Hardware inventory cycle (full resynchronization)
Software inventory cycle (full resynchronization)
Views
If a feature isn't enabled, the view doesn't display any data.
Status: Show the inventory data sets the client has collected.
DDR: Information about the client discovery data collected from the client.
HINV: Information about the hardware inventory data collected from the client.
SINV: Information about the software inventory data collected from the client.
File collection: Information about the files collected from the client.
IDMIF: Information about the IDMIF and NOIDMIF data collected from the client.
Metering: Information about the software metering data collected from the client.
Troubleshooting tab
Note
This tab isn't available when you connect to a remote Configuration Manager client.
Start
Starts troubleshooting the client.
If you troubleshoot the client, and then want to try troubleshooting again, choose this
option to keep results from your first attempt. Otherwise, it overwrites previous
troubleshooting log files.
Logs tab
This tab of Support Center Client Tools is almost identical to the Log Viewer tool. The
Log Viewer tool doesn't include the Configure client logging and Log groups features.
The Support Center Log File Viewer section details the other options available on this
tab.
Note
If you set these values too low, the client may not log any useful information. If you
set these values too high, the client logs can consume large amounts of storage.
Log groups
Instead of manually selecting log files using the Open logs button, use this drop-down
list to open all log files associated with the following feature areas:
Support Center Viewer
Window menu
Home tab
Configuration tab
Logs tab
Debug dumps tab
WMI tab
Registry tab
Policy tab
Certificates tab
Troubleshooting tab
Window menu
Open bundle: Browse to the location of a data bundle created by one of the
following tools:
Version 2103 and later: Support Center Client Data Collector
Version 2010 and earlier: Support Center
About: Displays information about Support Center Viewer, such as the version.
Options:
Reduce the movement of animated user interface elements.
Change the location of temporary files.
Reset warnings. Any warning messages that you previously suppressed appear
again when triggered.
Reset temporary file path to the default,
%UserProfile%\AppData\Local\Microsoft\ConfigMgrSupportCenterViewer
Home tab
Open bundle
Browse to the location of a data bundle created by one of the following tools:
Configuration tab
The Configuration tab of the Support Center Viewer tool provides the following views
using data retrieved from WMI providers:
Client: This view displays the same information shown on the Client tab of Support
Center.
Operating system: Details for the client's OS. It uses the Win32_OperatingSystem
class.
Services: Details for services running on the client computer. It uses the
Win32_Service class.
Network adapters: Details for network adapters installed on the client computer. It
uses the Win32_NetworkAdapterConfiguration class.
Logs tab
Open
After selecting a log file, select this button to open the Log Viewer. It provides a subset
of the functionality seen on the Support Center Client Tools Logs tab.
WMI tab
This tab shows the set of WMI data from the Configuration Manager client that the data
bundle includes.
Find what: Enter a string to search for in the WMI data set. It supports wildcard
characters.
Look at: Choose whether you want to search within the WMI data set for a
matching Class or instance name, Property, or Value.
Match whole string only: By default, it searches for strings that contain the string
for which you're looking. Choose this checkbox to only find strings that are an
exact match to the string that you provided.
Open the next instance of the search string in the WMI data set.
In the Decode certificate window, paste the serialized certificate value for any certificate
on the client. Find this value in the registry, in log files, or in WMI. Select Process to view
general information and details on the certificate. This information includes its
certification path. Select Export to export the certificate as a .cer file.
Registry tab
Use the Registry tab to view registry data included in the data bundle, and to export
that data for further analysis.
Save a copy of the registry key and subkeys that you select as a registry (.reg) file.
Certificates tab
Use the Certificates tab to view certificates included in the data bundle, and to export
them.
View certificate
Displays information about a selected certificate.
View log
After you select a row on the Troubleshooting tab, select this option to view the log file
with Log File Viewer.
Window menu
Home tab
This tool is almost identical to the Logs tab of Support Center Client Tools. The main
difference is that this tool doesn't include the options to Configure client logging and
Log groups.
Starting in version 2111, Support Center Log File Viewer displays status messages in an
easy-to-read format. Entries starting with >> are status messages that are automatically
converted into a readable format when a log is opened. Search or filter on the >> string
to find status messages in the log.
Options:
Reduce the movement of animated user interface elements.
Register Log File Viewer as the default app for log files with the .log and .lo_
file extensions.
Reset warnings. Any warning messages that you previously suppressed appear
again when triggered.
About: Displays information about Support Center Log File Viewer, such as the
version.
Open logs
Support Center Log File Viewer prompts you to select one or more log files to open.
Select the drop-down at the bottom of the Open logs button in the ribbon, and select
one of the following options:
Open logs in current view: Opens the selected log files in the current view.
Open logs in new window: Opens the selected log files in a new Log Viewer
window.
Close and clear logs
Closes any open log files. Also clears any displayed log file entries from the window.
Support Center Log File Viewer won't display these entries in the future.
Select the drop-down at the bottom of the Close and clear logs button in the ribbon,
and select one of the following options:
Clear all entries: Clears any displayed log file entries from the window. Support
Center Log File Viewer won't display these entries in the future.
Close all logs: Closes any open log files.
After finding a match for the string that you're searching for, this option takes you to
the next match.
Options
Live updating: Monitor a currently open log file for changes. This feature doesn't
function when multiple log files are open. This option is enabled by default.
Auto-scroll: If you also chose the Live updating option, this option automatically
scrolls the log view to show newly added entries. This feature doesn't function
when multiple log files are open. This option is enabled by default.
Show details: When you select a log file message, the bottom of the Logs tab
displays the details of the log file message. This option is enabled by default.
Quick filter: Filter the log file messages across all open log files to find a specific
string. You can filter by log text, component name, and thread ID. To find similar
log messages, right-click a log message and select Quick filter on log text.
Wrap log text: Wrap long and multi-line messages to fit into a single column. This
behavior makes these messages easier to read. This option is enabled by default.
Raw log entry display: Displays unprocessed log lines.
Advanced filters: Open the Advanced filters window. For more information, see
Advanced log file filters.
Error code links: Error codes in log text are highlighted and clickable. This option is
enabled by default.
Error lookup
Enter an error code to search for that error code in currently open log files. Use the
following error code formats:
Advanced log file filters supersede quick filters. You can use both together, but quick filters
only apply to the displayed log data. Advanced filters determine what data is initially
displayed, before any quick filters are applied.
In the Advanced filters window, you can create complex filter sets. These filter sets
search for strings across many log file components. These components include
messages, threads, logging levels, and components. A filter set contains multiple filter
statements that you use to include, exclude, or highlight log file messages. A filter
defines a log file column to search within, an operator, and a value. The value can
contain regular expressions, such as the wildcard character *.
Add a filter
1. In the Log File Viewer tool, or on the Support Center Client Tools Logs tab, select
Advanced filters.
2. In the Advanced filters window, select Add. Then select one of the following
options to act on log entries that match your filter:
Include
Exclude
Highlight
Column: Choose where to look for strings that match your filter:
Log severity: Search for logs with a specific severity level. Set these
severity levels in the Value field.
Source file: Search for log messages that occur in a specific log file
4. Enter a value to filter on in the Value field. If your value contains regular
expressions, select Enable regular expression matching.
To save the current filter set, select Save filters. Then save your filter set as a
.filterset file.
To load a saved filter set, select Load filters. Then browse to a previously saved
.filterset file.
Customize Support Center
Article • 10/04/2022
The Support Center tool includes a configuration file that you can customize. By default,
when you install Support Center, this file is in the following path: C:\Program Files
(x86)\Configuration Manager Support Center\ConfigMgrSupportCenter.exe.config. The
Customize data collection: Edit the sets of registry keys and WMI namespaces that
it includes during data collection.
Customize log groups: Define new groups of log files using regular expressions.
Also add other log files to log groups.
Collect other log files using wildcards: Use wildcard searches to collect more log
files.
To make these changes, you need local administrative permissions on the client where
you've installed Support Center. Make these customizations using a text or XML editor,
such as Notepad or Visual Studio.
Important
The Support Center configuration file is an XML-formatted file. It's essential to the
operation of Support Center. Modifying this file is only recommended for users
who are familiar with XML and regular expressions.
Before you customize the Support Center configuration file, save a backup of the
original. This backup allows you to recover the original Support Center functionality if
you make mistakes while editing the file. If you don't create a backup, and Support
Center doesn't function correctly after you modify the configuration file, reinstall
Support Center. You can also copy a configuration file from another installation of
Support Center.
The default configuration file collects data from the root\ccm namespace. It includes
this path in an <add/> element in <collectionScopes>.
It also ignores everything under the \cimodels, \invagt, \events, and \policy paths for
this namespace. It includes these paths in <add/> elements contained within
<ignoreScopes>.
XML
<CcmWmiDataCollector>
<collectionScopes>
<add key="root\ccm"/>
<add key="root\cimv2\sms"/>
</collectionScopes>
<ignoreScopes>
<add key="root\ccm\cimodels"/>
<add key="root\ccm\invagt"/>
<add key="root\ccm\events"/>
<add key="root\ccm\policy"/>
</ignoreScopes>
</CcmWmiDataCollector>
XML
<RegistryDataCollector>
<registryKeys>
<add key="software\\microsoft\\ccm"/>
<add key="software\\microsoft\\sms"/>
<add key="software\\microsoft\\ccmsetup"/>
<add key="software\\microsoft\\windows\\currentversion\\uninstall"/>
</registryKeys>
</RegistryDataCollector>
Static log group: The <staticLogGroup> element uses a key attribute to define the
name of the log group that appears in the list. It also uses a value attribute that
defines a log file name.
If the same key attribute value is used in an <add/> element within both the
<componentLogGroup> element and the <staticLogGroup> element, Support Center
creates a single group. This group includes the log files defined by both elements that
use the same key.
<logGroups>
<componentLogGroup>
<add key="Inventory"
value="^(ccmmessaging|inventoryagent|mtrmgr|swmtrreportgen|virtualapp|mtr.*|filesystemfile)"/>
<add key="Policy"
value="^(ccmmessaging|policyagent_.*|policyevaluator_.*)"/>
</componentLogGroup>
<staticLogGroup>
</staticLogGroup>
</logGroups>
These examples show how Support Center uses this feature in the default configuration
file.
<CcmLogDataCollector>
<additionalLogFiles>
<!-- Collect these additional log files. Can pass in a wildcard for the
filename. System variables are also supported. -->
<!--
-->
</additionalLogFiles>
</CcmLogDataCollector>
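As an added example, not Microsoft's code and not part of the Support Center installation, the following Python script checks a customized configuration file before you deploy it. It parses the elements shown above, flags ignore scopes that no collection scope covers, reports log-group regular expressions that don't compile, and shows which group each log file name lands in, including the merged group you get when the same key appears in both <componentLogGroup> and <staticLogGroup>. The sample configuration is constructed from the fragments above with two deliberate mistakes added; matching a component regex against the file name without its extension is this example's assumption about how Support Center applies the pattern.

```python
"""Check a customized Support Center configuration before deploying it.

Added example, not Microsoft's code. It parses the elements shown on this page
(collectionScopes, ignoreScopes, componentLogGroup, staticLogGroup), reports
ignore scopes outside every collection scope, reports log-group regular
expressions that don't compile, and shows which group(s) a log file name lands
in. Matching a component regex against the file name without its extension is
this example's assumption about how Support Center applies it.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the page's default fragments plus two deliberate mistakes
# (an ignore scope outside any collection scope, and a regex that doesn't compile).
SAMPLE_CONFIG = """<configuration>
  <CcmWmiDataCollector>
    <collectionScopes>
      <add key="root\\ccm"/>
      <add key="root\\cimv2\\sms"/>
    </collectionScopes>
    <ignoreScopes>
      <add key="root\\ccm\\cimodels"/>
      <add key="root\\ccm\\invagt"/>
      <add key="root\\ccm\\events"/>
      <add key="root\\ccm\\policy"/>
      <add key="root\\cimv2\\typo"/>
    </ignoreScopes>
  </CcmWmiDataCollector>
  <logGroups>
    <componentLogGroup>
      <add key="Inventory" value="^(ccmmessaging|inventoryagent|mtrmgr|swmtrreportgen|virtualapp|mtr.*|filesystemfile)"/>
      <add key="Policy" value="^(ccmmessaging|policyagent_.*|policyevaluator_.*)"/>
      <add key="Broken" value="^(unclosed"/>
    </componentLogGroup>
    <staticLogGroup>
      <add key="Policy" value="ccmexec.log"/>
    </staticLogGroup>
  </logGroups>
</configuration>"""


def load_config(xml_text: str) -> ET.Element:
    return ET.fromstring(xml_text)


def _under(scope: str, parent: str) -> bool:
    """True when WMI path `scope` equals `parent` or is nested below it."""
    s, p = scope.lower().rstrip("\\"), parent.lower().rstrip("\\")
    return s == p or s.startswith(p + "\\")


def check_wmi_scopes(root: ET.Element) -> list:
    """Ignore scopes that no collection scope covers: harmless, but a sign of a typo."""
    collect = [a.get("key") for a in root.findall("./CcmWmiDataCollector/collectionScopes/add")]
    ignore = [a.get("key") for a in root.findall("./CcmWmiDataCollector/ignoreScopes/add")]
    return [i for i in ignore if not any(_under(i, c) for c in collect)]


def compile_log_groups(root: ET.Element):
    """Return ({group key: [compiled regex or static file name, ...]}, [errors]).
    A key used in both componentLogGroup and staticLogGroup becomes one merged group."""
    groups, errors = {}, []
    for add in root.findall("./logGroups/componentLogGroup/add"):
        key, value = add.get("key"), add.get("value", "")
        try:
            pattern = re.compile(value, re.IGNORECASE)
        except re.error as exc:
            errors.append(f"{key}: {exc}")
            continue
        groups.setdefault(key, []).append(pattern)
    for add in root.findall("./logGroups/staticLogGroup/add"):
        groups.setdefault(add.get("key"), []).append(add.get("value", "").lower())
    return groups, errors


def groups_for_log(groups: dict, filename: str) -> list:
    """Sorted group keys whose regex matches the file's stem or whose static name equals it."""
    name = filename.lower()
    stem = name.rsplit(".", 1)[0]
    hits = []
    for key, matchers in groups.items():
        for m in matchers:
            if (m == name) if isinstance(m, str) else m.match(stem):
                hits.append(key)
                break
    return sorted(hits)


def main(path: str = None) -> None:
    root = ET.parse(path).getroot() if path else load_config(SAMPLE_CONFIG)
    print("ignore scopes outside any collection scope:", check_wmi_scopes(root))
    groups, errors = compile_log_groups(root)
    print("log group regex errors:", errors)
    for log in ("ccmmessaging.log", "inventoryagent.log", "PolicyAgent_user.log", "ccmexec.log", "smsts.log"):
        print(f"{log:22} -> {groups_for_log(groups, log)}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with the path to your edited ConfigMgrSupportCenter.exe.config as the only argument to check that file instead of the built-in sample; an ignore scope that no collection scope covers does nothing at all, and a regex that fails to compile silently costs you the whole log group, which is exactly the kind of mistake the backup advice above is meant to recover from.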
Support Center has many helpful accessibility features that make it easier for everyone
to use.
To switch to a menu, press the associated shortcut key. For example, to go to the
Logs menu, press Alt and then L.
Task | Keyboard shortcut
Exit | Alt + F4
Refresh a policy | F5 (on the Support Center Client Policy tab, after selecting a policy)
Copy as MOF | Ctrl + Shift + C (on the Support Center Client Policy tab, after selecting a policy; also available for WMI events)
Request policy | Ctrl + R (on the Support Center Client Policy tab)
Evaluate policy | Ctrl + E (on the Support Center Client Policy tab)
Load inventory | F5 (on the Support Center Inventory tab)
Start troubleshooting | F5 (on the Support Center Troubleshooting tab)
Open Help | F1
Next steps
Accessibility features in Configuration Manager
Configuration Manager Tools
Article • 10/04/2022
The Configuration Manager tools primarily include client-based and server-based tools.
Use these tools to help support and troubleshoot your Configuration Manager
infrastructure.
These tools are included in the CD.Latest\SMSSETUP\Tools folder on the site server. No
further installation is required. Use these versions of the tools with supported versions of
Configuration Manager current branch.
Note
For supported versions of Configuration Manager current branch, use the versions
of the tools in the CD.Latest folder on the site server. Some tools were formerly in
the toolkit but aren't included in current branch. These legacy tools are no longer
supported.
Client tools
These tools are in the ClientTools subfolder:
Note
The ClientTools folder also includes the file
Microsoft.Diagnostics.Tracing.EventSource.dll. Several client tools require this
library. You can't directly use it.
Server tools
These tools are in the ServerTools subfolder:
Important
Content Library Explorer: View contents of the content library single instance store
Note
Run Meter Summarization Tool: Run metering summarization task and analyze
metering data
Note
AdminUI.WqlQueryEngine.dll
Microsoft.ConfigurationManagement.ManagementProvider.dll
Microsoft.Diagnostics.Tracing.EventSource.dll
Several server tools require these libraries. You can't directly use them.
CMPivot: Use the standalone version of this tool to query real-time data from
clients.
Update reset tool: Fix issues when in-console updates have problems downloading
or replicating.
Content library cleanup tool: Remove orphaned content from a distribution point.
Configure client communication ports: Reconfigure the port numbers for existing
clients.
Service Connection Tool: Keep your site up to date when your service connection
point is offline.
Support Center: Gather information from clients for easier analysis when
troubleshooting.
Send feedback that you saved for later submission (UploadOfflineFeedback): Save
your product feedback locally and submit it later.
Other tools
Hierarchy Maintenance Tool: Use Preinst.exe in the
\\<SiteServerName>\SMS_<SiteCode>\bin\X64\00000409 shared folder on the site server
to pass commands to the hierarchy manager component.
CMTrace is one of the Configuration Manager tools. It allows you to view and monitor
log files, including the following types:
The tool helps to analyze log files by highlighting, filtering, and error lookup.
Note
CMTrace isn't automatically registered with Windows to open the .log file
extension. For more information, see File associations.
Locations
Configuration Manager automatically installs CMTrace in the following locations:
If you have a copy of CMTrace in another location, consider removing it and using a
copy in one of the default paths. If it's in a custom location that meets your business
requirements, then make sure you have a process to keep it up to date. If your custom
location might be of benefit to other customers, file product feedback.
Usage
Run CMTrace.exe. The first time you run the tool, you see a prompt for file association.
For more information, see File associations.
File
Tools
File menu
The following actions are available in the File menu:
Open
Open on Server
Print
Preferences
The File menu also lists the last eight recent files. Quickly reopen one of these logs by
selecting it from the File menu.
Open
Displays the Open dialog box to browse for a log file.
Ignore existing lines: When selected, CMTrace ignores the existing contents of the
selected log file and displays new lines only as they're added. Use this option to
monitor only new actions when you don't need the full history of the log file.
Merge selected files: If you enable this option and select more than one log file,
CMTrace merges the selected logs in the view. It displays them as if they're a single
log file. The merged log updates in the same way, and supports all other CMTrace
features, as if it's a single log file.
Open on Server
Browse the Configuration Manager logs folder on a site system computer with the
standard Browse dialog box. You can also browse the network for a remote computer.
When you select a remote computer to browse, CMTrace checks for the Configuration
Manager share. If it can't find a share with Configuration Manager log files, it displays an
error message.
To connect directly to a known computer without browsing, use the Open action. Then
enter a server name and share using the UNC format.
Print
Displays the standard Windows Print dialog box. This action sends the current log file to
a printer. It formats the output according to the settings on the Printing tab of CMTrace
Preferences.
Preferences
General tab
Update Interval: Controls how often CMTrace checks for changes to log files
and loads new lines. By default, this value is 500 milliseconds.
Highlight: Sets the color that CMTrace uses when highlighting log lines that you
choose. By default, this color is basic yellow (Red: 255, Green: 255, Blue: 0).
Columns: Configures the columns that are visible in the log view and the order
in which they appear. By default, it displays Log Text, Component, Date/Time,
and Thread.
Printing tab
Columns: Configure which columns it uses when printing log files and the order
in which they appear. By default, it prints the same columns as it displays.
Orientation: Sets the default print orientation when printing log files. Override
this setting in the Print dialog box. By default, it uses Portrait orientation.
Advanced tab
Refresh Interval: Forces CMTrace to update the log view at a specified interval
when loading a large number of lines. By default, this option is disabled with a
value of zero.
Note
Tools menu
The following actions are available in the Tools menu:
Find
Find Next
Copy to Clipboard
Highlight
Filter
Error Lookup
Pause
Show/Hide Details
Show/Hide Info Pane
Find
Find Next
Finds the next matching string, as you previously specified in the Find dialog box.
Copy to Clipboard
Copies the selected lines as plain text to the Windows clipboard. If you're examining
Configuration Manager and CCM log files, it copies the columns in the same order as
the view. It separates each column by a tab character. Use this action when copying logs
into email messages or other documents.
Highlight
Enter a string that CMTrace uses to search the text of each log entry. It then highlights
any log text that matches the string you enter.
The highlight uses the color you specified in Preferences.
If you enter a decimal or hexadecimal number, CMTrace tries to match the value to
the Thread column. Use this behavior to highlight the processing of a single
thread, without filtering out other threads that might interact with it.
Filter
Show or hide log lines based on the specified criteria. Apply filters to any of the four
columns regardless of whether they're visible. These settings apply to each opened log
file.
Examples:
Error Lookup
Type or paste an error code in either decimal or hexadecimal format to display a
description. Possible error sources include: Windows, WMI, or Winhttp.
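The Error Lookup features in CMTrace and Support Center Log File Viewer accept the same code in decimal or hexadecimal form. As an added example, not CMTrace's own code, this Python snippet normalizes the forms you meet in log files (0x-prefixed hex, signed decimal such as -2147024894, unsigned decimal, or a bare Win32 error number), splits the HRESULT into its severity, facility and code fields, and looks it up in a small table. The input convention and the four-entry KNOWN table are this example's assumptions, not the lookup data the tools ship with.

```python
"""Normalize an error code typed the way the Error Lookup features accept it
(decimal, signed decimal, or hexadecimal) and break it into its HRESULT fields.

Added example, not CMTrace's or Support Center's code. The accepted input forms
are this example's own convention, and KNOWN is a constructed four-entry table
of well-known Windows codes, not the lookup data the tools ship with.
"""
import re

# Constructed lookup table; the real tools resolve far more codes.
KNOWN = {
    0x80004005: "E_FAIL: Unspecified error",
    0x80070002: "ERROR_FILE_NOT_FOUND: The system cannot find the file specified.",
    0x80070005: "ERROR_ACCESS_DENIED: Access is denied.",
    0x80070057: "E_INVALIDARG: The parameter is incorrect.",
}
FACILITY_WIN32 = 7


def parse_error_code(text: str) -> int:
    """Return the unsigned 32-bit value for '0x80070002', '80070002' (eight hex
    digits), '-2147024894' (signed decimal as many logs print it), '2147942402',
    or a bare Win32 number such as '5'. Convention assumed here: a 0x prefix, a
    leading minus, or exactly eight characters decides hex vs. decimal."""
    s = text.strip().lower()
    if s.startswith("0x"):
        value = int(s[2:], 16)
    elif s.startswith("-") or (s.isdigit() and len(s) != 8):
        value = int(s, 10)
    elif re.fullmatch(r"[0-9a-f]{1,8}", s):
        value = int(s, 16)
    else:
        raise ValueError(f"not an error code: {text!r}")
    return value & 0xFFFFFFFF


def to_hresult(value: int) -> int:
    """Small values are Win32 error numbers; wrap them as HRESULT_FROM_WIN32 does."""
    if 0 < value < 0x10000:
        return 0x80000000 | (FACILITY_WIN32 << 16) | value
    return value


def describe(value: int) -> dict:
    """Split an HRESULT into severity/facility/code and look it up in KNOWN."""
    h = to_hresult(value)
    return {
        "hex": f"0x{h:08X}",
        "signed": h - (1 << 32) if h & 0x80000000 else h,
        "severity": "failure" if h >> 31 else "success",
        "facility": (h >> 16) & 0x7FF,
        "code": h & 0xFFFF,
        "message": KNOWN.get(h, "not in the sample table"),
    }


def lookup(text: str) -> dict:
    return describe(parse_error_code(text))


if __name__ == "__main__":
    for sample in ("0x80070002", "-2147024894", "2147942402", "5", "0x80004005"):
        info = lookup(sample)
        print(f"{sample:>12} -> {info['hex']} facility={info['facility']} "
              f"code={info['code']}: {info['message']}")
```

The facility field is the useful part when a code is not in any table: facility 7 means the low 16 bits are a plain Win32 error number, so 0x80070005 and "error 5" in a log are the same access-denied condition.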
Pause
Suspend or restart log monitoring. The following use cases are some of the possible
reasons to use this action:
When you pause log monitoring, the information that CMTrace displays isn't lost if
the current file rolls over to a new log
When you want to stop CMTrace from displaying new data while you examine the
log file
Show/Hide Details
Show or hide all columns other than the log text. It also expands the log text column to
the width of the window. Use this action when you're viewing logs on a computer with
low display resolution. It displays more of the log text.
Note
When viewing plain-text files, CMTrace automatically hides details because they're
always empty.
Show/Hide Info Pane
Show or hide the Info pane. Use this action when you're viewing logs on a computer
with low display resolution. It displays more logging details.
Log pane
The log pane is at the top of the CMTrace window. It displays lines from log files.
When you select a line, it's temporarily highlighted using the Windows selection color
scheme.
Highlighted lines match the criteria you define with the Highlight option in the Tools
menu. The highlight uses the color that you specify in Preferences.
CMTrace displays lines with errors using a red background and yellow text color. In
CCM-format logs, log entries have an explicit type value that indicates the entry as an
error. For other log formats, CMTrace does a case-insensitive search in each entry for
any text string matching "error".
It displays lines with warnings using a yellow background. In CCM-format logs, log
entries have an explicit type value that indicates the entry as a warning. For other log
formats, CMTrace does a case-insensitive search in each entry for any text string
matching "warn".
Info pane
The Info pane is at the bottom of the CMTrace window. It includes the following
features:
Show or hide the Info pane with the Show/Hide Info Pane option on the Tools menu. If
the Info pane takes up more than half of the log window, CMTrace automatically hides
it.
Progress bar
When you first open a log file, CMTrace replaces the Info pane with a progress bar. This
progress indicates how much of the existing file contents it has loaded. When the
progress reaches 100 percent, CMTrace removes the progress bar and replaces it with the
Info pane. When you load large files, this behavior gives you an indication of how long
the load might take.
Status bar
For Configuration Manager-format and CCM-format log files, the status bar displays the
elapsed time for the selected log entries. If you select a single entry, the tool displays
the time from the first log entry to the selected entry. If you select multiple entries, it
calculates the time from the top-most selected entry to the bottom-most selected entry.
CMTrace formats this information as follows:
(<seconds+milliseconds> seconds)
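Added example in Python, not code from CMTrace or Support Center, covering three behaviours described on this page: the explicit type value in CCM-format entries that CMTrace uses to colour errors and warnings (with the case-insensitive "error"/"warn" text search as the fallback for other formats), the include/exclude/highlight filter sets of the Advanced filters window described under Advanced log file filters, and the elapsed-time figure the status bar shows between two selected entries. The log lines are constructed; the Entry and Filter names and the rule that an entry is shown when it matches any include filter (or none exist) and no exclude filter are this example's own reading of the page.

```python
"""Parse CCM-format log lines, classify them as CMTrace colours them, apply an
include/exclude/highlight filter set like Support Center's advanced filters, and
report elapsed time as the CMTrace status bar does.

Added example, not code from CMTrace or Support Center. The log lines below are
constructed. Type 1/2/3 = info/warning/error is the CCM log convention; the
Entry and Filter classes and the filter-set rule are this example's own.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# <![LOG[text]LOG]!><time="hh:mm:ss.mmm+bias" date="mm-dd-yyyy" component=".." context=".." type="n" thread="n" file="..">
CCM_LINE = re.compile(
    r'<!\[LOG\[(?P<text>.*?)\]LOG\]!>'
    r'<time="(?P<time>\d\d:\d\d:\d\d\.\d+)[^"]*"\s+date="(?P<date>[^"]+)"'
    r'\s+component="(?P<component>[^"]*)"\s+context="[^"]*"\s+type="(?P<type>\d)"'
    r'\s+thread="(?P<thread>\d+)"\s+file="[^"]*">',
    re.DOTALL,
)
SEVERITY_BY_TYPE = {"1": "info", "2": "warning", "3": "error"}

# Constructed sample log: four CCM-format entries and one plain-text line.
SAMPLE_LOG = """\
<![LOG[Requesting policy assignments]LOG]!><time="10:00:00.000+000" date="03-02-2023" component="PolicyAgent" context="" type="1" thread="4120" file="policyagent.cpp:100">
<![LOG[Download of content is taking longer than expected]LOG]!><time="10:00:01.250+000" date="03-02-2023" component="ContentAccess" context="" type="2" thread="4120" file="download.cpp:55">
<![LOG[Failed to connect to management point. Error 0x80072ee2]LOG]!><time="10:00:03.500+000" date="03-02-2023" component="CcmMessaging" context="" type="3" thread="9001" file="ccmhttp.cpp:300">
Plain text line: an ERROR occurred while parsing settings
<![LOG[Policy evaluation complete]LOG]!><time="10:00:04.000+000" date="03-02-2023" component="PolicyAgent" context="" type="1" thread="4120" file="policyagent.cpp:180">
"""


@dataclass
class Entry:
    text: str
    component: str
    thread: int
    severity: str
    when: Optional[datetime]  # None for plain-text lines


def classify_plain(text: str) -> str:
    """CMTrace's fallback for non-CCM lines: case-insensitive 'error' / 'warn' search."""
    low = text.lower()
    return "error" if "error" in low else "warning" if "warn" in low else "info"


def parse_log(raw: str) -> List[Entry]:
    """One Entry per line (real CCM messages can span lines; the sample keeps them single-line)."""
    entries = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        m = CCM_LINE.match(line)
        if not m:
            entries.append(Entry(line, "", 0, classify_plain(line), None))
            continue
        # The time-zone bias after the milliseconds is ignored; all sample lines share a zone.
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m-%d-%Y %H:%M:%S.%f")
        entries.append(Entry(m["text"], m["component"], int(m["thread"]),
                             SEVERITY_BY_TYPE.get(m["type"], "info"), when))
    return entries


@dataclass
class Filter:
    action: str   # "include", "exclude" or "highlight"
    column: str   # "text", "component", "thread" or "severity"
    value: str
    regex: bool = False  # the "Enable regular expression matching" checkbox

    def matches(self, e: Entry) -> bool:
        field = str(getattr(e, self.column))
        if self.regex:
            return re.search(self.value, field, re.IGNORECASE) is not None
        if self.column in ("thread", "severity"):
            return field.lower() == self.value.lower()
        return self.value.lower() in field.lower()


def apply_filters(entries: List[Entry], filters: List[Filter]) -> list:
    """(entry, highlighted) pairs for every entry that survives the include/exclude rules."""
    includes = [f for f in filters if f.action == "include"]
    excludes = [f for f in filters if f.action == "exclude"]
    highlights = [f for f in filters if f.action == "highlight"]
    shown = []
    for e in entries:
        if includes and not any(f.matches(e) for f in includes):
            continue
        if any(f.matches(e) for f in excludes):
            continue
        shown.append((e, any(f.matches(e) for f in highlights)))
    return shown


def elapsed_seconds(entries: List[Entry], first: int, last: int) -> float:
    """Time between two selected entries, as the status bar reports it."""
    a, b = entries[first].when, entries[last].when
    if a is None or b is None:
        raise ValueError("plain-text lines carry no timestamp")
    return (b - a).total_seconds()


def format_elapsed(seconds: float) -> str:
    return f"({seconds:.3f} seconds)"


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    filters = [Filter("exclude", "severity", "info"),
               Filter("highlight", "text", r"0x[0-9a-f]{8}", regex=True)]
    for entry, hot in apply_filters(log, filters):
        print(f"{'*' if hot else ' '} {entry.severity:8} {entry.component:14} {entry.text}")
    print("span of the whole file:", format_elapsed(elapsed_seconds(log, 0, len(log) - 1)))
```

Running the block as a script hides the informational lines, marks the entry that carries a hexadecimal error code, and prints the span between the first and last timestamped entries. The plain-text line is classified as an error purely because it contains the word "error", which is why CMTrace's fallback colouring for non-CCM files should be treated as a hint rather than a verdict.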
File associations
CMTrace can associate itself with .log and .lo_ file name extensions. When the program
starts, it checks the registry to determine whether it's already associated with these file
name extensions. If CMTrace isn't already associated with any file name extensions,
you're prompted to associate the file name extensions with CMTrace. If you select Do
not ask me this again, CMTrace skips this check whenever it's run on this computer.
Drag-and-drop
CMTrace supports basic drag-and-drop functionality. Drag a log file from Windows
Explorer into CMTrace to open it.
Other tips
The first time you launch it on a client, it defaults to the current working directory. This
location may be the path where you saved CMTrace, or a path like
%userprofile%\Desktop.
this value to %windir%\CCM\Logs on your clients, then CMTrace opens files in the client
log location the first time you run it.
Next steps
Log files
OneTrace is the log viewer with Support Center. It works similarly to CMTrace, with
improvements. For more information, see Support Center OneTrace.
Client Spy
Article • 10/04/2022
Client Spy is one of the Configuration Manager tools. It's a tool for troubleshooting
software distribution, inventory, and software metering on Configuration Manager
clients.
Note
To improve performance, the tool only collects information for each tab when you
select it. Similarly, when you click Refresh, it only refreshes the information for the
currently displayed tab.
Usage
Tools menu
The following actions are available in the Tools menu:
Connect
Retrieve information from a different computer.
Connect using the remote computer name, user name, and password for the
account. The tool makes a connection to the IPC$ share on the remote computer.
It deletes the connection when either the tool exits or you connect to another
computer.
If you don't specify a user name and password, Client Spy uses the security context
of the currently signed-in user to attempt to make the connection.
When you connect to a remote computer, all tabs that are displayed show
information from the remote computer.
Software Distribution
Displays the Software Distribution tabs and hides the other tabs. By default, Client Spy
displays the Software Distribution tabs.
Inventory
Software Metering
Displays the Software Metering tab and hides the other tabs.
Saves the information in the currently displayed tab to a text file that you specify.
Saves the information in all tabs to a text file that you specify. It only saves information
your account can see.
Software Distribution tab
Configure settings on the following four tabs:
Each tree item in the Software Distribution Execution Requests tab contains the
following four attributes:
For each run request, it also displays the following information in a subtree structure:
Program Name
Package ID
Package Name
Request Creation Time
State
Running State, if State is Running
Execution Context (User or Admin)
History State (Success, Failure, or NotRun)
LastRunTime (Never, if the program hasn't been run before)
RetryCount, if State is WaitingRetry
ContentAccess (Retry Count, if State is WaitingRetry)
FailureCode, if State is WaitingRetry
FailureReason, if State is WaitingRetry
If the request requires content, the state is WaitingContent. The Software Distribution
Cache Information tab shows the details for this download request.
If the run request is a download request, it also displays the number of bytes
downloaded.
Note
The main branches of this tree are the different user histories, including System. It
displays a subtree containing the list of packages from which programs have been run
for each user.
Each package subtree, labeled with the package ID and package name, displays a list of
programs that have run. It displays the following attributes for each:
Program name
Run state
Last run time
Failure code
Failure reason
The failure code and failure reason are blank when a program was successfully run.
Cache Config
Contains information about the Configuration Manager Client cache. This information
includes the cache location, the cache size, and whether it's currently in use.
Cached Items
Contains a subtree of all items currently in the cache. Each tree item includes the
following information about each item:
Downloading Items
These are the items that the client is currently downloading. Each of them shows the
same information displayed by the cached items, and the number of kilobytes
downloaded.
There's one tree branch for each user account with deployments available, including
System. For each user, a subtree contains the following three items:
These are mandatory advertisements that still have programs remaining to be run.
These can be either recurring, one-time, or multiple schedule advertisements. Each
displays the advertisement ID, the next run time, and the schedule on which the
advertisement runs.
Optional Advertisements
Displays a list of all advertisements that are published. It also displays details such as
advertisement ID, program name, and package name for each.
Package name information is only available for packages that have advertised
policies associated to them on the computer being viewed. Packages that no longer
have available policies associated to them display the message "Package Name No
Longer Available".
Inventory tab
There's only one tab containing inventory information. The main tree contains the
following five items:
Software Inventory: Contains the date that the last cycle started, the date of the
last report, and the minor and major versions of the last report.
File Collection: Contains the date that the last cycle started, the date of the last
report, and the minor and major versions of the last report.
Hardware Inventory: Contains the date that the last cycle started, the date of the
last report, and the minor and major versions of the last report.
IDMIF Collection: Contains the date that the last cycle started, the date of the last
report, and the minor and major versions of the last report.
DDR: Contains the date that the last cycle started, the date of the last report, and
the minor and major versions of the last report. The DDR information is also
displayed in a subtree.
The Deployment Monitoring Tool is one of the Configuration Manager tools. It's a
graphical user interface designed to assist in troubleshooting application, software
update, and configuration baseline deployments on a Configuration Manager client. The
tool is read-only as it doesn't change any state on the client. You can safely use it to
diagnose common deployment scenarios.
Features
Run it as an administrator to troubleshoot deployments on a local client.
Export to XML all the data collected in the tool. Share the XML file with others, and
use it as a common platform for talking about troubleshooting deployments.
Import previously exported data to a different machine, and use it to run the tool
in offline mode.
Usage
The Deployment Monitoring Tool supports graphical user interface only. To launch the
tool, run DeploymentMonitoringTool.exe as an administrator. There are three views:
Client Properties: A list of useful attributes about the device and the Configuration
Manager client. This view is the default.
All Updates: View all of the software updates and their status.
Actions menu
The following actions are available in the Actions menu:
Connect to remote machine: Select a computer to connect to. When you don't
specify a user name and password, it uses the current credentials. Click Save to
connect to remote computer.
Export Data: Select the file to write the data into, and click Save. Use the exported
XML file for remote troubleshooting on a different computer.
View Log: Opens an associated log file, depending upon the view:
Client Properties: \\<hostname>\c$\Windows\CCM\Logs\PolicyAgent.log
Deployments: \\<hostname>\c$\Windows\CCM\Logs\PolicyAgent.log
All Updates: C:\Windows\WindowsUpdate.log
See also
Deploy applications
Deploy software updates
Deploy configuration baselines
Policy Spy
Article • 10/04/2022
Policy Spy is one of the Configuration Manager tools. It's a tool for viewing and
troubleshooting the policy system on Configuration Manager clients. Run PolicySpy.exe
to open the user interface. For more information on command-line usage, see
Command-line syntax.
Important
Run Policy Spy as an administrator. If you don't run it as an administrator, you see the
following error in Client Info:
Command-line syntax
Policy Spy is primarily intended for use through its user interface. It does provide limited
command-line options to support automation and batch processing.
Option: /export
This option silently exports the policy of the local or remote computer.
<ExportFilename> is the file name to which the tool saves the XML exported policy. If
you specify the <computername> option, Policy Spy exports the policy of that computer
instead of the local computer.
Note
This command-line option doesn't provide a way to specify user credentials. To use
alternative credentials to access a remote computer, use the runas command to
open a new command prompt with the required security credentials.
Usage
Tools menu
The following actions are available in the Tools menu:
Open File: Opens a policy export file (XML) created by the Export Policy option.
The tool displays the exported policy exactly the same as a live policy. It disables
some features that only apply when you connect to an actual client.
Request User Assignments: Triggers a request for user policy assignments for the
currently signed-in user. This feature is only available when viewing a policy on the
local computer.
Evaluate User Policy: Triggers a user policy evaluation for the currently signed-in
user. This feature is only available when viewing a policy on the local computer.
Reset Policy: Removes all non-default policies and resets the policy cookies for the
site. It then triggers a request for machine policy assignments. This feature is
disabled when viewing an exported policy.
Export Policy: Exports the target computer's policy to an XML file. View this file on
any computer with Policy Spy. To open the export file, select Open File on the
Tools menu. This feature is disabled when viewing an exported policy.
Edit menu
The following actions are available in the Edit menu:
Delete: Deletes the instance selected in the Results pane. This action is only
supported for policy instances. If you try to delete anything other than policy
instances, the tool displays an error message. This feature is disabled when viewing
an exported policy.
Refresh: Refreshes all results to view the latest information. All tree nodes that are
expanded before refreshing are automatically expanded afterward. If Policy Spy
hasn't successfully connected to the target computer's policy, it tries to connect
again. This feature is disabled when viewing an exported policy.
Results pane
The results pane displays different views of the policy system on the target computer.
Access these views by clicking on one of the following four tabs:
Actual
Requested
Default
Events
Actual
This tab displays the current policy of the client. The current policy determines a client's
behavior and the behavior of its client agents, such as software distribution and
inventory. The tab displays results in a tree format with a root node for the computer
namespace and each user-specific namespace. Expand a namespace node to display a
list of classes. Expand a class to display a list of its instances. The class list includes only
classes that have instances.
Requested
This tab displays the policy assignments that the client retrieved from its assigned site.
The tab displays results in tree format with a root node for the Machine namespace and
each user-specific namespace. Expanding a namespace node displays the following
nodes:
Settings: Displays all active settings generated by policies. Settings are displayed
under the Configuration node.
Note
Multiple instances can exist with the same name because the client hasn't merged
these settings into a final resultant set. Policy Spy displays instances under this
node by using the RealKey properties instead of their true policy keys. Correlate
these instances to the resultant set displayed on the Actual tab.
Default
This tab displays the same information as the Requested tab. It also includes contents of
the DefaultMachine and DefaultUser namespaces.
Events
This tab displays policy agent events as they happen. The view creates a WMI event
subscription for all events derived from CCM_PolicyAgent_Event. The view shows a
maximum of 200 events. It removes the oldest events from the top of the list, as
necessary. If you select the last item in the list, the list automatically scrolls down as it
adds new events. Otherwise, the view maintains its current position, and you must scroll
down or press the End key to view new events. This view is always empty when viewing
an exported policy.
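The three policy views and the event subscription described above can be reproduced from PowerShell on a client. The following is an added example, not Policy Spy's own code and not from the Configuration Manager documentation: it lists, per namespace, the concrete policy classes that actually have instances (the filter the Actual tab applies), and then subscribes to events derived from CCM_PolicyAgent_Event for a bounded time (the Events tab). The namespace paths, including the one holding the event classes, are assumptions about the client's policy store; the function names are hypothetical. Run it elevated on the client, or over WinRM with -ComputerName.

```powershell
# Added example; not Policy Spy's code and not from the Configuration Manager docs.
# Assumed namespaces behind the Actual, Requested and Default tabs (machine side).
$PolicyViews = [ordered]@{
    Actual    = 'root\ccm\Policy\Machine\ActualConfig'
    Requested = 'root\ccm\Policy\Machine\RequestedConfig'
    Default   = 'root\ccm\Policy\DefaultMachine'
}

function Get-PolicyClassSummary {
    # Lists the concrete classes in a policy namespace that have at least one instance,
    # with the instance count: the same filter the Actual tab applies to its tree.
    param(
        [Parameter(Mandatory)][string]$Namespace,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($class in Get-CimClass -ComputerName $ComputerName -Namespace $Namespace) {
        # Abstract bases (for example CCM_Policy) would return every derived instance; skip them.
        if ($class.CimClassQualifiers.Name -contains 'Abstract') { continue }
        try {
            $instances = @(Get-CimInstance -ComputerName $ComputerName -Namespace $Namespace `
                               -ClassName $class.CimClassName -ErrorAction Stop)
        } catch { continue }   # some provider-backed classes refuse enumeration
        if ($instances.Count -gt 0) {
            [pscustomobject]@{ Namespace = $Namespace; Class = $class.CimClassName; Instances = $instances.Count }
        }
    }
}

function Watch-PolicyAgentEvents {
    # Mirrors the Events tab: subscribe to every event derived from CCM_PolicyAgent_Event
    # and print them as they arrive, for a bounded number of seconds.
    # Assumption: the event classes are registered in root\ccm\Policy; adjust if your client differs.
    param(
        [int]$Seconds = 60,
        [string]$Namespace = 'root\ccm\Policy',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $id = 'PolicyAgentEvents'
    Register-CimIndicationEvent -ComputerName $ComputerName -Namespace $Namespace `
        -Query 'SELECT * FROM CCM_PolicyAgent_Event' -SourceIdentifier $id | Out-Null
    try {
        $deadline = (Get-Date).AddSeconds($Seconds)
        while ((Get-Date) -lt $deadline) {
            $evt = Wait-Event -SourceIdentifier $id -Timeout 5
            if ($null -eq $evt) { continue }
            $indication = $evt.SourceEventArgs.NewEvent
            '{0:HH:mm:ss}  {1}' -f $evt.TimeGenerated, $indication.CimClass.CimClassName
            Remove-Event -EventIdentifier $evt.EventIdentifier
        }
    } finally {
        # Always drop the subscription, otherwise the session keeps receiving events.
        Unregister-Event -SourceIdentifier $id
    }
}

# Usage: compare what the client was sent with what it is enforcing, then watch the agent.
foreach ($view in $PolicyViews.Keys) {
    "== $view  ($($PolicyViews[$view]))"
    Get-PolicyClassSummary -Namespace $PolicyViews[$view] | Sort-Object Class | Format-Table -AutoSize
}
Watch-PolicyAgentEvents -Seconds 30
```

A class that appears under Requested but not under Actual is a policy the client has received but not yet merged into its resultant set, which is the same correlation the Note above asks you to do by hand between the two tabs.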
Name
ID
Version
Site
Assigned MP
Resident MP
Proxy MP
Proxy State
Details pane
The Details pane displays detailed information about the current selection. If no
selection is active, it displays information about Policy Spy itself, including the version.
Otherwise, it displays a Managed Object Format (MOF) representation of the selected
item.
Policy Spy uses its own MOF-generation routine to create a more user-friendly HTML
display than the plain-text MOF generated by WMI. This behavior allows Policy Spy to
add the following features to make the MOF more legible:
Syntax highlighting
Properties are arranged into system, inherited, and local groups. By default, it
collapses the system and inherited groups. You can immediately see which
properties the instance actually uses.
Copy MOF or copy plain-text MOF to the clipboard. This feature is useful for
pasting the MOF into other applications by directly calling the MofComp tool.
For instances of Policy objects derived from CCM_Policy_Policy, the details pane displays
the policy body below the MOF that displays. If the client hasn't downloaded the policy
body, Policy Spy displays a hyperlink. Click the link to download the policy body directly
from the client's management point. If the tool successfully downloads the policy body,
it replaces the hyperlink with the contents of the reply. Otherwise, Policy Spy updates
the display indicating that the request failed.
Power Viewer Tool
Article • 10/04/2022
The Power Viewer tool is one of the Configuration Manager tools. Use it to view the
status of the power management feature on a Configuration Manager client.
Run PowerVwr.exe as an administrator. When the tool launches, it displays the power
capabilities and power settings of the local computer on the Power Config tab.
Power Config: View the power capabilities and power settings of the targeted
computer.
Daily Activity: View the daily activity charts of the client, which includes the
following information:
Computer on: The power status of the computer in one day. Sleep mode is
considered as power off.
Power Events: View all of the daily power events. The client summarizes these
events at 12:00 AM. This summarization generates data for the daily activity chart.
Send Schedule Tool
Article • 10/04/2022
The Send Schedule Tool is one of the Configuration Manager tools. Use it to trigger a
schedule on a client or trigger the evaluation of a specified configuration baseline. It
works on the local computer or can target a remote client.
For example, use the tool to trigger an inventory schedule or compliance evaluation. If a
number of Configuration Manager clients haven't recently reported inventory or
compliance status, run the tool to initiate the necessary schedule on each client.
Usage
Run SendSchedule.exe as an administrator.
Name]
After you trigger the evaluation of a configuration baseline (DCM UID), see
DCMAgent.log.
Command-line options
Option: /L
Lists all message GUIDs and DCM UIDs available for sending, with the meaningful display
name of each message from the data table. If the computer name is absent, the tool uses
the local computer. If you specify a message without a machine name, it sends the
message to the local machine.
Examples
4423-9632-b61148b2b67e MyPC
Message IDs
Message ID Display Name
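The two operations the tool performs, triggering a client schedule by message GUID and evaluating a configuration baseline, can also be done from PowerShell, locally or against a remote client over WinRM. The following is an added example, not SendSchedule.exe and not from the Configuration Manager documentation. The function names are hypothetical. The WMI classes and methods used are the client's own (SMS_Client.TriggerSchedule in root\ccm, and SMS_DesiredConfiguration.TriggerEvaluation in root\ccm\dcm); the argument names follow the class definitions as I know them, so verify with Get-CimClass if a call is rejected. The schedule table lists only a few well-known IDs; the tool's /L switch prints the full set. The baseline name and the computer name in the usage lines are constructed.

```powershell
# Added example; not SendSchedule.exe and not from the Configuration Manager docs.
# A few well-known schedule message IDs (the tool's /L switch lists all of them).
$KnownSchedules = [ordered]@{
    '{00000000-0000-0000-0000-000000000001}' = 'Hardware Inventory Cycle'
    '{00000000-0000-0000-0000-000000000002}' = 'Software Inventory Cycle'
    '{00000000-0000-0000-0000-000000000021}' = 'Machine Policy Retrieval Cycle'
    '{00000000-0000-0000-0000-000000000022}' = 'Machine Policy Evaluation Cycle'
}

function Send-CMClientSchedule {
    # Equivalent of "SendSchedule <Message GUID> [Computer Name]".
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$ScheduleId,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $label = if ($KnownSchedules.Contains($ScheduleId)) { $KnownSchedules[$ScheduleId] } else { '(not in the local table)' }
    Write-Verbose "Triggering $label $ScheduleId on $ComputerName"
    # TriggerSchedule takes the GUID as a single string argument, braces included.
    Invoke-CimMethod -ComputerName $ComputerName -Namespace 'root\ccm' -ClassName 'SMS_Client' `
        -MethodName 'TriggerSchedule' -Arguments @{ sScheduleID = $ScheduleId } -ErrorAction Stop | Out-Null
    [pscustomobject]@{ ComputerName = $ComputerName; Schedule = $label; ScheduleId = $ScheduleId }
}

function Invoke-CMBaselineEvaluation {
    # Equivalent of "SendSchedule <DCM UID> [Computer Name]"; progress is logged in DCMAgent.log.
    param(
        [Parameter(Mandatory)][string]$Baseline,   # the DCM UID (Name) or the console display name
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Only baselines actually assigned to the client exist in this class; resolve the name first.
    $assigned = Get-CimInstance -ComputerName $ComputerName -Namespace 'root\ccm\dcm' -ClassName 'SMS_DesiredConfiguration' |
        Where-Object { $_.Name -eq $Baseline -or $_.DisplayName -eq $Baseline }
    if (-not $assigned) { throw "No baseline named '$Baseline' is assigned to $ComputerName" }
    foreach ($b in $assigned) {
        Invoke-CimMethod -ComputerName $ComputerName -Namespace 'root\ccm\dcm' -ClassName 'SMS_DesiredConfiguration' `
            -MethodName 'TriggerEvaluation' -Arguments @{ Name = $b.Name; Version = $b.Version } -ErrorAction Stop | Out-Null
        [pscustomobject]@{ ComputerName = $ComputerName; Baseline = $b.DisplayName; Uid = $b.Name; Version = $b.Version }
    }
}

# Usage (equivalent of SendSchedule /L, then two sends; names below are constructed):
$KnownSchedules.GetEnumerator() | ForEach-Object { '{0}  {1}' -f $_.Key, $_.Value }
Send-CMClientSchedule -ScheduleId '{00000000-0000-0000-0000-000000000001}' -Verbose
Invoke-CMBaselineEvaluation -Baseline 'Workstation Hardening Baseline' -ComputerName 'MyPC'
```

Both functions need the same rights the tool needs: local administrator on the target client, and, for a remote target, WinRM reachable from the machine you run them on.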
The Distribution Point (DP) Job Queue Manager is one of the Configuration Manager
tools. Use it to troubleshoot and manage ongoing content distribution jobs to
Configuration Manager distribution points.
The tool displays the list of jobs that the package transfer manager component has in its
queue. It also shows the status of the jobs: ready to be executed, running, or retrying. It
lets you manipulate the jobs in the queue, move jobs higher on the list, cancel a job, or
manually start running a job.
It also gets information from the site server on which distribution point is running a job.
The tool connects through the provider to the site server. It doesn't connect to every
remote distribution point to gather this information. Because it triggers actions and gets
information through the provider, there's a delay in reflecting changes from remote
distribution points.
Usage
Run DPJobMgr.exe. The main menu of the tool contains the following tabs:
Overview: Summarizes in a single view all the jobs that are running on all
distribution points
Distribution Point Info: Multi-select distribution points to track them, and manage
a single job of interest
Manage Jobs: Shows in one flat view a list of all the jobs and their statuses.
Manipulate jobs, move them up, cancel, or manually start.
Connect tab
Use this tab to establish the initial connection to the primary site server. It uses the
currently signed-in user's credentials. You can't connect to the central administration site
or secondary sites. The connection requires the Full Administrator security role.
Once the tool successfully establishes a connection, a notification at the bottom of the
tool confirms that it's connected to the site server.
Overview tab
Shows a summary of all the jobs on all distribution points. See the following columns:
Running Jobs: Shows the number of concurrent jobs that are running on a
particular distribution point.
Tip
Total Jobs: Shows the number of all the jobs targeted to a particular distribution
point. This number includes the jobs that are running, retrying, or waiting to be
executed.
Total Retries: Shows the number of times jobs have been retrying in a particular
distribution point. A higher number may represent a general problem with that
particular distribution point.
Tip
Ready: Indicates that a particular job has finished all the verification steps. It's
ready to be added to the running concurrent jobs. Jobs in this state are usually
in a waiting stage. They wait for the current running processes to finish to open
up a space for them.
Retry: Indicates that a particular job has failed and is now in a retry state. This
job is retried after the retry interval. This interval is configurable, and set to 30
minutes by default.
Progress: Job completion percentage. For more information, see the Running
status icon description.
Start/Restart Time: For a running job, this value is the start time (green). For a retry
job, this value is the time that it will retry the job.
Distribution Point Name: The fully qualified domain name (FQDN) of the
distribution point
Tip
If you need to modify a particular job, right-click the job in this view, and
select Manage Job. This action opens the Manage Jobs tab.
Move To Top: Moves one or more jobs to the top of the queue. This action may
result in the jobs running immediately. A lower priority job may pause because of
this action.
Move Up: Moves a particular job one row above. A lower priority job may pause
running because of this action.
Move To Bottom: Moves one or more jobs to the bottom of the queue.
Tip
Note
You can't cancel jobs near their final completion time. If the site server is also
a distribution point, you can't cancel jobs on the site server.
See also
Fundamental concepts for content management
Package transfer manager
Collection Evaluation Viewer
Article • 10/04/2022
Collection Evaluation Viewer is one of the Configuration Manager tools. Use it to view
and troubleshoot the collection evaluation process on the primary site server.
Important
Both historic and live information for full and incremental collection evaluations
The estimated time that a collection evaluation will start and complete
Manual Queue: For collections that an administrator has manually selected for
evaluation from the console
Requirements
Run the tool on the site server
Run the tool by an administrative user with at least the Read-Only Analyst role
The user also requires Read permission to the site database in SQL
Usage
Run CEViewer.exe. The main menu of the tool contains the following tabs:
Connect: Establish the initial connection to the primary site server and SQL Server
Full Evaluation: Lists the detailed information about all past full evaluations
Incremental evaluation: Lists the detailed information about all past incremental
evaluations
All Queues: Summarizes the current collection evaluations for all four queues
Manual Queue: Lists the detailed information about the current collection
evaluation in the manual queue
New Queue: Lists the detailed information about the current collection evaluation
in the new queue
Full Queue: Lists the detailed information about the current collection evaluation in
the full queue
Incremental Queue: Lists the detailed information about the current collection
evaluation in the incremental queue
Connect tab
This tab allows you to establish the initial connection to the primary site server. The tool
also establishes a connection to the SQL Server that hosts the site database.
The connections to both the primary site server and the SQL Server use the currently
signed-in user's credentials. Connections to the central administration site or a
secondary site aren't supported. No collection evaluation process runs on those sites.
Once the tool successfully establishes a connection, see a notification at the bottom of
the Collection Evaluation Viewer that confirms the tool's connection to the SQL Server.
Run Time: How long the last collection evaluation ran, in seconds
Last Evaluation Completion Time: When the last collection evaluation completed
Member Changes: The member changes in the last collection evaluation. These
changes are either plus (members added) or minus (members removed).
Last Member Change Time: The most recent time that there was a membership
change in the collection evaluation
Percent: The percentage of evaluation time for this collection over the total (all
collections) evaluation time
Run Time: How long the last collection evaluation ran, in seconds
Last Evaluation Completion Time: When the last collection evaluation completed
Member Changes: The member changes in the last collection evaluation. These
changes are either plus (members added) or minus (members removed).
Last Member Change Time: The most recent time that there was a membership
change in the collection evaluation
Percent: The percentage of evaluation time for this collection over the total (all
collections) evaluation time
Summary: Lists the total collection number and the queue length for all collections
in all four queues
Manual Update: Shows a brief summary of the collections being evaluated, the
estimated completion time, and the order of the evaluation in the manual queue
New Collection: Shows a brief summary of the collections being evaluated, the
estimated completion time, and the order of the evaluation in the new collection
queue
Full Evaluation: Shows a brief summary of the collections being evaluated, the
estimated completion time, and the order of the evaluation in the full evaluation
queue
Content Library Explorer is one of the Configuration Manager tools. Use the tool for the
following activities:
Copy packages, contents, folders, and files out of the content library
Requirements
Run the tool using an account that has administrative access to:
Only the Full Administrator and Read-Only Analyst roles have sufficient rights to
view all information from this tool.
Other roles, such as Application Administrator, can view partial information. For
more information, see Disabled packages.
Run the tool from any computer, as long as it can connect to:
If the distribution point is colocated with the site server, it's still necessary to have
administrative access to the site server.
Usage
When you start ContentLibraryExplorer.exe, enter the fully qualified domain name
(FQDN) of the target distribution point. It then connects to the distribution point. If the
distribution point is part of a secondary site, it prompts you for the FQDN of the primary
site server, and the primary site code.
In the left pane, view the packages that are distributed to this distribution point. Expand
the packages, and explore their folder structure. This structure matches the folder
structure from which you created the package.
When you select a folder, it displays in the right pane any files within the folder. This
view includes the following information:
File name
File size
Which drive it's on
Other packages that use the same file on the drive
When the file was last changed on the distribution point
The tool also connects to the Configuration Manager provider. This connection is to
determine which packages are distributed to the distribution point, and whether they're
actually in the distribution point's content library. For instance, a package that's pending
distribution may not yet exist in the content library. Such a package would appear as
"PENDING" in the tool, and no actions are enabled for this package.
Disabled packages
Some packages are present on the distribution point but not visible in the Configuration
Manager console. These packages are marked with an asterisk (*). No actions may be
performed on these packages. Other packages may also be marked with an asterisk and
have actions disabled.
The package is the Configuration Manager client upgrade. This package includes
"ccmsetup.exe".
Your user account can't access the package, likely due to role-based
administration. For instance, the Application Author role can't see driver packages
in the console, so any driver packages on the distribution point are marked as
disabled.
The package is orphaned on the distribution point.
Validate packages
Validate packages by using Package > Validate on the toolbar. First select a package
node in the left pane. Don't select a content or a folder. The tool connects to the WMI
provider on the distribution point for this action. When the tool starts, packages that are
missing one or more contents are marked invalid. Validating the package reveals which
content is missing. If all content is present but the data is corrupted, validation detects
the corruption.
Redistribute packages
Redistribute packages using Package > Redistribute on the toolbar. First select a
package node in the left pane. This action requires permissions to redistribute packages.
Other actions
Use Edit > Copy to copy packages, contents, folders, and files out of the content library
to a specified folder. You can't copy the content library itself. You can select more
than one file, but you can't select multiple folders.
Search for packages using Edit > Find Package. This action searches for your query in
the package name and package ID.
Limitations
The tool can't manipulate the content library directly in any way. Changes to the
content library may result in malfunctions.
The tool can redistribute packages, but only to the target distribution point.
When you colocate the distribution point with the site server, you can't validate
package data. Use the Configuration Manager console instead. The tool still
inspects the package to make sure that all the content is present, though not
necessarily intact.
See also
Fundamental concepts for content management
The content library
Content Library Transfer tool
Article • 10/04/2022
The Content Library Transfer tool is one of the Configuration Manager tools. It transfers
content from one disk drive to another. The tool is designed to run on distribution point
site systems. It supports distribution points colocated with a site or remote site systems.
The tool is useful for the scenario when the disk drive hosting the content library
becomes full. First add or identify another hard disk with sufficient space to host the
content library. Then use ContentLibraryTransfer.exe to transfer content from the old
filled hard disk to the new, empty drive.
Once the transfer is complete, content is accessible to client computers from the new
location.
Usage
Run ContentLibraryTransfer.exe as a user with administrative permissions on the
distribution point.
Syntax
Example
ContentLibraryTransfer -SourceDrive E -TargetDrive G
Limitations
Run the tool locally on the distribution point. You can't run it from a remote
computer.
Only use it when clients aren't actively accessing the distribution point. If you run
the tool while clients are accessing content, the content library on the destination
drive may have incomplete data. The data transfer might fail altogether, leading to
an unusable content library.
Don't distribute content to the distribution point when you run the tool. If you run
the tool while content is being written to the distribution point, the content library
on the destination drive may have incomplete data. The data transfer might fail
altogether, leading to an unusable content library.
See also
Fundamental concepts for content management
The content library
Content Ownership Tool
Article • 10/04/2022
Run the Content Ownership Tool on any site server in the Configuration Manager
hierarchy. Sign in as an administrative user with sufficient package permissions.
Tip
Use ContentLibraryCleanup.exe in
CD.Latest\SMSSETUP\TOOLS\ContentLibraryCleanup to remove orphaned content
from a distribution point. For more information, see Content library cleanup tool.
Features
Display all orphaned packages
Usage
Run ContentOwnershipTool.exe to start the tool. Local administrator permissions on the
computer aren't required to run the tool.
This tool changes the ownership of an orphaned package. The package itself
doesn't move from the distribution point that it's stored on. This ownership change
doesn't cause the package to update on distribution points. It also doesn't cause
clients to reevaluate policy for deployment of the package. After the ownership
changes, make sure that the new site server can access the source files. It should
have at least Read permissions to the source files of each package.
See also
Fundamental concepts for content management
The content library
Extend and migrate an on-premises site to Microsoft Azure
Article • 10/04/2022
Starting in version 1910, this tool helps you to programmatically create Azure virtual
machines (VMs) for Configuration Manager. It can install with default settings site roles
like a passive site server, management points, and distribution points. Once you validate
the new roles, use them as additional site systems for high availability. You can also
remove the on-premises site system role and only keep the Azure VM role.
Prerequisites
An Azure subscription
Starting in version 2010, it supports environments with virtual networks other than
ExpressRoute. In version 2006 and earlier, it requires an Azure virtual network with
ExpressRoute gateway.
Starting in version 2010, you can use the tool in a hierarchy or a standalone
primary site. In version 2006 and earlier, it only works with a standalone primary
site.
To add a site server in passive mode, the site server must meet the high availability
requirements. For example, it requires a remote content library.
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourceGroups/write
Microsoft.Resources/deployments/read
Microsoft.Resources/deployments/write
Microsoft.Resources/deployments/validate/action
Microsoft.Compute/virtualMachines/extensions/read
Microsoft.Compute/virtualMachines/extensions/write
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/write
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Storage/storageAccounts/write
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/listkeys/action
Microsoft.Storage/storageAccounts/listServiceSas/action
Microsoft.Storage/storageAccounts/blobServices/containers/write
Microsoft.Storage/storageAccounts/blobServices/containers/read
Microsoft.KeyVault/vaults/deploy/action
Microsoft.KeyVault/vaults/read
For more information about permissions and assigning roles, see Add or remove Azure
role assignments using the Azure portal.
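Rather than running the tool with a broad built-in role, you can wrap exactly the actions listed above in a custom Azure role and assign that. The following is an added example, not the tool's own code and not from the Configuration Manager documentation. It requires the Az.Resources module and an existing Connect-AzAccount session; the role name and the subscription ID are placeholders (assumptions) to replace before use. The second function checks an existing role definition against the same list, honouring wildcards in its Actions and treating anything matched by NotActions as missing.

```powershell
# Added example; not the Extend-to-Azure tool's code and not from the Configuration Manager docs.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'      # placeholder: replace
$RoleName       = 'ConfigMgr Extend and Migrate to Azure'     # assumed role name

# The action list from the prerequisites above, verbatim.
$RequiredActions = @(
    'Microsoft.Resources/subscriptions/resourceGroups/read'
    'Microsoft.Resources/subscriptions/resourceGroups/write'
    'Microsoft.Resources/deployments/read'
    'Microsoft.Resources/deployments/write'
    'Microsoft.Resources/deployments/validate/action'
    'Microsoft.Compute/virtualMachines/extensions/read'
    'Microsoft.Compute/virtualMachines/extensions/write'
    'Microsoft.Compute/virtualMachines/read'
    'Microsoft.Compute/virtualMachines/write'
    'Microsoft.Network/virtualNetworks/read'
    'Microsoft.Network/virtualNetworks/subnets/read'
    'Microsoft.Network/virtualNetworks/subnets/join/action'
    'Microsoft.Network/networkInterfaces/read'
    'Microsoft.Network/networkInterfaces/write'
    'Microsoft.Network/networkInterfaces/join/action'
    'Microsoft.Network/networkSecurityGroups/write'
    'Microsoft.Network/networkSecurityGroups/read'
    'Microsoft.Network/networkSecurityGroups/join/action'
    'Microsoft.Storage/storageAccounts/write'
    'Microsoft.Storage/storageAccounts/read'
    'Microsoft.Storage/storageAccounts/listkeys/action'
    'Microsoft.Storage/storageAccounts/listServiceSas/action'
    'Microsoft.Storage/storageAccounts/blobServices/containers/write'
    'Microsoft.Storage/storageAccounts/blobServices/containers/read'
    'Microsoft.KeyVault/vaults/deploy/action'
    'Microsoft.KeyVault/vaults/read'
)

function New-ConfigMgrExtendRole {
    # Creates a custom role scoped to one subscription that grants only the required actions.
    param(
        [string]$Name = $RoleName,
        [string]$Subscription = $SubscriptionId,
        [string[]]$Actions = $RequiredActions
    )
    # Start from a built-in definition so the object has the expected shape, then replace every part.
    $role = Get-AzRoleDefinition -Name 'Reader'
    $role.Id = $null
    $role.Name = $Name
    $role.IsCustom = $true
    $role.Description = 'Least-privilege role for the Configuration Manager Extend and Migrate to Azure tool.'
    $role.Actions.Clear()
    foreach ($action in $Actions) { $role.Actions.Add($action) }
    $role.NotActions.Clear()
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add("/subscriptions/$Subscription")
    New-AzRoleDefinition -Role $role
}

function Get-MissingRoleActions {
    # Returns the required actions that an existing role definition does not grant.
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$Actions = $RequiredActions
    )
    $role = Get-AzRoleDefinition -Name $Name
    if (-not $role) { throw "Role definition '$Name' not found" }
    foreach ($required in $Actions) {
        # -like treats the role's '*' entries (for example Microsoft.Network/*) as wildcards.
        $granted = @($role.Actions    | Where-Object { $required -like $_ }).Count -gt 0
        $denied  = @($role.NotActions | Where-Object { $required -like $_ }).Count -gt 0
        if (-not $granted -or $denied) { $required }
    }
}

# Usage:
# New-ConfigMgrExtendRole
# Get-MissingRoleActions -Name 'Reader'     # every write/action entry, since Reader only has */read
# New-AzRoleAssignment -SignInName 'cmadmin@contoso.example' -RoleDefinitionName $RoleName -Scope "/subscriptions/$SubscriptionId"
```

Keep the assignable scope to the one subscription (or resource group) the tool will deploy into; the listkeys and listServiceSas actions on storage accounts are the most sensitive entries in the list, so the narrower the scope, the less a compromised operator account can reach.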
In the configuration of the virtual network, go to the DNS servers settings. Add a
Custom DNS server with the IP address of a domain controller.
On the site server where you'll run the tool, set the following registry value:
HKCU\Software\Microsoft\ConfigMgr10\ExtendToAzure, SkipVNetCheck = 1
2. Review the information on the General tab, and then switch to the Azure
Information tab.
3. On the Azure Information tab, choose your Azure environment, and then Sign in.
Tip
4. After you sign in, select your Subscription ID and Virtual network.
Note
In version 2006 and earlier, the tool only lists networks with an ExpressRoute
gateway.
If any of the checks fail, select More detail to determine how to remediate the
problem. For more information about these prerequisites, see Site server high
availability.
2. If you want to extend or migrate your site server to Azure, select Create a site
server in Azure. Then fill in the following fields:
Resource group: Lists available resource groups. If you need to create a new resource
group, use the Azure portal, and then rerun this tool.
Disk type: Read only. The tool uses Premium SSD for best performance.
Subnet: Select the subnet to use. If you need to create a new subnet, use the Azure
portal.
Machine name: Enter the name of the passive site server VM in Azure. It's the same name
shown in the Azure portal.
Local admin username: Enter the name of the local administrative user that the Azure VM
creates before it joins the domain.
Local admin password: The password of the local administrative user. To protect the
password during Azure deployment, store the password as a secret in Azure Key Vault.
Then, use the reference here. If needed, create a new one from the Azure portal.
Domain FQDN: The fully qualified domain name for the Active Directory domain to join. By
default, the tool gets this value from your current machine.
Domain username: The name of the domain user allowed to join the domain. By default,
the tool uses the name of the currently signed-in user.
Domain password: The password of the domain user to join the domain. The tool verifies it
after you select Start. To protect the password during Azure deployment, store the
password as a secret in Azure Key Vault. Then, use the reference here. If needed,
create a new one from the Azure portal.
Domain DNS IP: Used for joining the domain. By default, the tool uses the current DNS
from your current machine.
Important
By default the virtual machines are set to No for Use existing Windows Server
license. If you want to utilize your on-premises Windows Server licenses with
Software Assurance, configure this setting in the Azure portal after the
virtual machines are provisioned. For more information, see Azure Hybrid
Benefit for Windows Server.
3. To start provisioning the Azure VM, select Start. To monitor the deployment status,
switch to the Deployments in Azure tab in the tool. To get the latest status, select
Refresh deployment status.
Tip
You can also use the Azure portal to check the status, find errors, and
determine potential fixes.
4. When the deployment finishes, go to your SQL Servers, and grant permissions for
the new Azure VM. For more information, see Site server high availability -
Prerequisites.
5. To add the Azure VM as a site server in passive mode, select Add site server in
passive mode.
6. Once the site adds the site server in passive mode, the Site Server High
Availability tab shows the status.
Site database
The tool doesn't currently have any tasks to migrate the database from on-premises to
Azure. You can choose to move the database from an on-premises SQL Server to an
Azure SQL Server VM. The tool lists the following articles on the Site Database tab to
help:
2. In the provisioning window, fill in the fields to provision the site role's VM in Azure.
These details are similar to the above list for the site server.
3. To start provisioning the Azure VM, select Start. To monitor the deployment status,
switch to the Deployments in Azure tab in the tool. To get the latest status, select
Refresh deployment status.
Tip
You can also use the Azure portal to check the status, find errors, and
determine potential fixes.
Deployments in Azure
1. Once Azure creates the VM, switch to the Deployments in Azure tab in the tool.
Select Deploy to configure the role with the default settings.
2. Select Run to start the PowerShell script.
1. On the Deployments in Azure tab, select a virtual machine deployment that has a
Completed status.
Next steps
Review your changes in the Azure portal
Role-based administration and auditing tool
Article • 10/04/2022
The role-based administration and auditing tool is one of the Configuration Manager
tools. Use this tool for the following tasks:
Audit the security scopes and security roles that other users have
Requirements
Run it on the same computer as the Configuration Manager site server
Assign your account to the All security scope and all collections
(Optional) To analyze report folder security, you need SQL Server access
(Optional) To analyze report drill-through, run this tool on the site system server
with the reporting services point role
Procedures
1. Run RBAViewer.exe.
2. Select the base security roles you want to build on, or start from an empty
permission set. Select the necessary permissions.
3. Select Analyze to see the user interface this custom role will see.
Note
To see whether there's an existing security role that meets your requirements,
switch to the Similarity tab.
4. Select Export to save the role as an XML file. Then import it to the Configuration
Manager console. For more information, see Create custom security roles.
1. Run RBAViewer.exe.
b. To view objects assigned to a security role, switch to the Scope Summary tab.
1. Run RBAViewer.exe.
3. Input the specific user name to check the permissions for that account.
4. The tool displays the security roles assigned to the user or the security group the
user belongs to. It also displays the objects this user can see and the actions they
can take in the console.
See also
Fundamentals of role-based administration
The Run Meter Summarization Tool is one of the Configuration Manager tools. Use it to
immediately trigger the maintenance tasks for software metering summarization on
primary sites. By default, these tasks run as scheduled in Site Maintenance tasks, which
start after 12:00 AM every day.
These tasks summarize the data in the MeterData SQL Server table, and write the
summary results into the FileUsageSummary and MonthlyUsageSummary tables. Then
you see the summarized result in software metering reports. Any Configuration
Manager administrative user who can connect to the primary site database can use this
tool to run summarization.
This tool runs the File Usage Summary and Monthly Usage Summary software
metering data summarization tasks. It summarizes all existing meter data without the
usual 12-hour waiting period. Run it on the SQL Server that hosts the site database. If
summarization is successful, the exit code is set to 0. If there was an error, the exit code
is 1.
Usage
Command Line
runmetersumm [sms database name] <delay in hours for summarization <default=0>>
Options
Database name
The tool summarizes the software metering usage generated before the delay. By
default, this delay is zero.
Example
See also
Maintenance tasks
Monitor app usage with software metering
Settings to manage high-risk deployments for Configuration Manager
Article • 10/04/2022
With Configuration Manager, you can configure deployment verification site settings.
These settings warn administrators if they create a high-risk task sequence deployment.
A high-risk deployment is:
For example, a task sequence with a purpose of Required that deploys an operating
system is considered high-risk.
Warning
If you use PXE deployments, and configure device hardware with the network
adapter as the first boot device, these devices can automatically start an OS
deployment task sequence without user interaction. Deployment verification
doesn't manage this configuration. While this configuration may simplify the
process and reduce user interaction, it puts the device at greater risk for accidental
reimage.
Collection size limits: When you create a deployment, hide collections that include
more clients than your limit.
Default size: When you create a deployment, this setting hides collections by
default that include more clients than this limit. You can still see these
collections when creating the deployment, but they're hidden by default. The
default value is 100. To ignore this setting, enter a value of 0.
Maximum size: When you create a deployment, this setting always hides
collections with more clients than this limit. The default value is 0, which ignores
this setting. The Maximum size value must be greater than the Default size
value.
For example, you set Default size to 100 and the Maximum size to 1000. When
you create a high-risk deployment, the Select Collection window only displays
collections that include fewer than 100 clients. If you clear the setting to Hide
collections with a member count greater than the site's minimum size
configuration, the window displays collections that include fewer than 1000
clients.
Collections with site system servers: When the target collection includes a
computer with a site system role, block deployments or require verification before
creating the deployment. When a deployment is blocked, select a different
collection that meets the deployment verification criteria to continue creating the
deployment.
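The interaction between Default size, Maximum size, the per-deployment "hide" checkbox and the site-system rule is easier to reason about as a function. The following is an added example, not Configuration Manager code: it encodes the rules above so you can see which collections the Select Collection window would offer for a given pair of limits before you change the site setting. The function name is hypothetical and the collections are constructed sample data. The comparison uses "more clients than the limit", as the setting descriptions above phrase it.

```powershell
# Added example; not Configuration Manager code. Encodes the deployment verification
# collection rules described above.
function Get-VisibleHighRiskCollections {
    param(
        # Objects with Name, MemberCount and HasSiteSystem (any member holds a site system role)
        [Parameter(Mandatory)][object[]]$Collections,
        [ValidateRange(0, [int]::MaxValue)][int]$DefaultSize = 100,   # 0 = ignore, as in the console
        [ValidateRange(0, [int]::MaxValue)][int]$MaximumSize = 0,     # 0 = ignore; otherwise > DefaultSize
        [switch]$ShowAboveDefault,   # the "Hide collections with a member count greater than ..." box was cleared
        [ValidateSet('Block', 'RequireVerification', 'None')][string]$SiteSystemRule = 'RequireVerification'
    )
    if ($MaximumSize -ne 0 -and $MaximumSize -le $DefaultSize) {
        throw "Maximum size ($MaximumSize) must be greater than Default size ($DefaultSize)"
    }
    foreach ($c in $Collections) {
        # Default size hides by default; the administrator can override it per deployment.
        $hiddenByDefault = ($DefaultSize -ne 0) -and (-not $ShowAboveDefault) -and ($c.MemberCount -gt $DefaultSize)
        # Maximum size always hides; there is no override in the wizard.
        $alwaysHidden = ($MaximumSize -ne 0) -and ($c.MemberCount -gt $MaximumSize)
        if ($hiddenByDefault -or $alwaysHidden) { continue }
        # A collection containing a site system is either blocked outright or flagged for verification.
        if ($c.HasSiteSystem -and $SiteSystemRule -eq 'Block') { continue }
        $verdict = if ($c.HasSiteSystem -and $SiteSystemRule -eq 'RequireVerification') { 'RequiresVerification' } else { 'Allowed' }
        [pscustomobject]@{ Name = $c.Name; MemberCount = $c.MemberCount; HasSiteSystem = $c.HasSiteSystem; Verdict = $verdict }
    }
}

# Constructed sample collections (not from any real site).
$SampleCollections = @(
    [pscustomobject]@{ Name = 'OSD Pilot';        MemberCount = 40;   HasSiteSystem = $false }
    [pscustomobject]@{ Name = 'All Workstations'; MemberCount = 850;  HasSiteSystem = $false }
    [pscustomobject]@{ Name = 'All Systems';      MemberCount = 5200; HasSiteSystem = $true  }
    [pscustomobject]@{ Name = 'Lab Servers';      MemberCount = 12;   HasSiteSystem = $true  }
)

# The page's worked settings: Default size 100, Maximum size 1000.
Get-VisibleHighRiskCollections -Collections $SampleCollections -DefaultSize 100 -MaximumSize 1000 | Format-Table -AutoSize
# Same settings with the hide-by-default box cleared: collections up to the Maximum size reappear,
# but anything above the Maximum size stays hidden.
Get-VisibleHighRiskCollections -Collections $SampleCollections -DefaultSize 100 -MaximumSize 1000 -ShowAboveDefault | Format-Table -AutoSize
# Blocking rule for site systems: a collection that contains one is removed instead of flagged.
Get-VisibleHighRiskCollections -Collections $SampleCollections -DefaultSize 100 -SiteSystemRule Block | Format-Table -AutoSize
```

A Maximum size of 0 leaves only the overridable Default size in force, which is the configuration that offers the least protection against an accidental reimage of a large collection; setting a non-zero Maximum size is the only one of these settings that an administrator cannot click past in the wizard.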
Note
2. In the ribbon, select Properties, and then switch to the Deployment Verification
tab.
3. Configure the settings you want to use, and then select OK to save the
configuration and close the properties.
Next steps
High-impact task sequence settings
You can use different methods to install the Configuration Manager client software. Use
one method, or a combination of methods. This article describes each method, so you
can learn which one works best for your organization.
Advantages
Automatically uses client installation properties defined on the Client tab in the
Client Push Installation Properties dialog box.
Disadvantages
Can cause high network traffic when pushing to large collections.
A client push installation account must be specified that has administrative rights
to the intended client computer.
You can't cancel client push installation. Configuration Manager tries to install the
client on all discovered resources. It retries any failures for up to seven days.
For more information, see How to install clients with client push.
Software update point-based installation
Supported client platform: Windows
Advantages
Can use your existing software updates infrastructure to manage the client
software.
If Windows Server Update Services (WSUS) and group policy settings in Active
Directory Domain Services are configured correctly, it can automatically install the
client software on new computers.
Computers can read client installation properties that have been published to
Active Directory Domain Services.
Doesn't require you to configure and maintain an installation account for the
intended client computer.
Disadvantages
Must use the same server for client installation and software updates. This server
must reside in a primary site.
To install new clients, you must configure a group policy object in Active Directory
Domain Services with the client's active software update point and port.
If the Active Directory schema isn't extended for Configuration Manager, you must
use group policy settings to provision computers with client installation properties.
For more information, see How to install clients with software update-based installation.
Advantages
Doesn't require computers to be discovered before the client can be installed.
Computers can read client installation properties that have been published to
Active Directory Domain Services.
Doesn't require you to configure and maintain an installation account for the
intended client computer.
Disadvantages
If a large number of clients are being installed, it can cause high network traffic.
If the Active Directory schema isn't extended for Configuration Manager, you must
use group policy settings to add client installation properties to computers in your
site.
For more information, see How to install clients with group policy.
Advantages
Disadvantages
If a large number of clients are being installed over a short time period, it can
cause high network traffic.
If users don't frequently log on to the network, it can take a long time to install on
all client computers.
For more information, see How to install clients with logon scripts.
Manual installation
Supported client platform: Windows, macOS X
Advantages
Doesn't require computers to be discovered before the client can be installed.
Disadvantages
For more information about how to manually install the client on each platform, see
the following articles:
Advantages
Doesn't require computers to be discovered before the client can be installed.
Doesn't require you to configure and maintain an installation account for the
intended client computer.
Can automate with Windows Autopilot and Microsoft Intune for co-management.
Disadvantages
Requires additional technologies outside of Configuration Manager.
Requires that the device has access to the internet, even if it isn't internet-based.
Deploying Configuration Manager clients in your environment has the following external
dependencies and dependencies within the product. Additionally, each client
deployment method has its own dependencies that must be met for client installations
to be successful.
For more information on the minimum hardware and OS requirements for the
Configuration Manager client, see Supported configurations.
Note
The software version numbers shown in this article only list the minimum version
numbers required.
Use the following information to determine the prerequisites for when you install the
Configuration Manager client on Windows devices.
Windows components
Many of these components are services or features that Windows enables by default.
Don't disable these components on Configuration Manager clients.
Component | Description
Windows Installer | Required to support the use of Windows Installer files for applications and software updates.
Background Intelligent Transfer Service (BITS) | Required to allow throttled data transfers between the client computer and Configuration Manager site systems.
Task Scheduler | Required for client operations, such as regularly evaluating the health of the Configuration Manager client.
SHA-2 code signing support | Clients require support for the SHA-2 code signing algorithm. For more information, see SHA-2 code signing support.
If you don't update these OS versions, you can't install a supported version of the
Configuration Manager current branch client. This behavior applies to either a new client
install or updating it from a previous version.
If you need to manage a client on a version of Windows that's not updated, or older
than the versions listed above, use the Configuration Manager extended interoperability
client (EIC) version 1902. For more information, see Extended interoperability client.
Tip
If you don't use automatic client update and instead update clients with another
mechanism, for example by copying ccmsetup.exe to a file share or by using
ccmsetup.msi with group policy, make sure to also update the version of ccmsetup. An
older version of ccmsetup may not properly validate the new SHA-2 code signing
certificate on client binaries.
Client push installation: It uses the client package from the site.
Software update-based installation: The site update republishes to WSUS.
Intune MDM-managed Windows devices: The supported version for this
mechanism already supports SHA-2 code signing, but it's still important to
use the latest ccmsetup.msi.
Components automatically downloaded during installation
The Configuration Manager client has external dependencies. These dependencies
depend on the OS version and the installed software on the client computer. If the client
requires these dependencies to complete the installation, it automatically installs them.
Component | Description
Microsoft Visual C++ 2015-2019 Redistributable version 14.28.29914.0 (vcredist_x*.exe) | (Version 2107 and later) Required to support client operations. When you install this update on client computers, it might require a restart to complete the installation.
Microsoft Visual C++ 2013 Redistributable version 12.0.40660.0 (vcredist_x*.exe) | (Version 2103 and earlier) Required to support client operations. When you install this update on client computers, it might require a restart to complete the installation.
Microsoft .NET Framework version 4.6.2 or later (NDP462-KB3151800-x86-x64-AllOS-ENU.exe) | Version 2107 and later: Required to support client operations. Automatically installed on the computer if it doesn't have this version installed. For more information, see More details about Microsoft .NET.
Microsoft .NET Framework version 4.5.2 or later (NDP452-KB2901907-x86-x64-AllOS-ENU.exe) | Version 2103 and earlier: Required to support client operations. Automatically installed on the computer if it doesn't have this version installed. For more information, see More details about Microsoft .NET.
Microsoft Monitoring Agent version 10.20.18053.0 (MMASetup-*.exe) | Installed as needed by devices that you onboard to Microsoft Defender for Endpoint.
Note
Starting in version 2107, the Configuration Manager client no longer has an
external dependency on Microsoft SQL Server Compact Edition (CE) 4.0 SP1. It now
uses a built-in version of this component to store information related to client
operations.
When you install or update the Configuration Manager client, if the device doesn't have
at least the required version of the .NET Framework, CCMSetup installs it. Starting in
version 2107, the minimum required version is 4.6.2.
Microsoft recommends that you install the latest version of .NET version 4.8 to get the
latest performance and security improvements. CCMSetup doesn't automatically install
.NET version 4.8. A later version of Configuration Manager will require .NET version 4.8.
Note
.NET Framework version 4.6.2 is preinstalled with Windows Server 2016 and
Windows 10 version 1607. Later versions of Windows are preinstalled with a later
version of the .NET Framework.
.NET Framework version 4.8 isn't supported on some OS versions, such as Windows
10 2015 LTSB.
Whether you update .NET before updating the Configuration Manager client, or
CCMSetup updates it, .NET may require a restart to complete its installation. CCMSetup
suppresses a restart if necessary. The user sees a Restart required notice in the Windows
notification area.
Important
When the Configuration Manager client updates to version 2111 or later, client
notifications are dependent upon .NET 4.6.2 or later. Until you update .NET to
version 4.6.2 or later, and restart the device, users won't see notifications from
Configuration Manager. Other client-side functionality may be affected until the
device is updated and restarted.
The following scenarios are common reasons why .NET requires the computer to restart:
.NET applications or services are running on the computer.
One or more software updates required for .NET installation are missing.
After .NET Framework is installed, it may require other updates. These updates may also
require the computer to restart.
If you need to manage the device restarts before you update the Configuration
Manager client, use the following recommended process:
1. Install the latest baseline .NET version. For example, starting in version 2107, install
.NET version 4.8.
2. Restart the device.
3. Scan for software updates and install the latest .NET cumulative update.
4. Restart the device.
5. Install the latest Configuration Manager client version.
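A pre-flight check for that process, added here as an example and not taken from the Microsoft documentation: it reads the installed .NET Framework 4.x Release value from the registry, compares it with the Release numbers Microsoft publishes for the 4.6.2 minimum (394802) and the recommended 4.8 baseline (528040), and reports whether a restart is still pending before the client is updated. The function names are the example's own.

```powershell
# Added example, not part of the Microsoft documentation.
# Release thresholds are Microsoft's published minimum values for each version:
# 394802 = .NET Framework 4.6.2 (minimum for client 2107 and later)
# 528040 = .NET Framework 4.8   (recommended baseline)
$Net462Release = 394802
$Net48Release  = 528040

function Get-NetFrameworkRelease {
    # Returns the Release DWORD of the installed .NET Framework 4.x, or 0 if absent.
    $key  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $item = Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.Release
}

function Test-PendingReboot {
    # .NET setup and its cumulative updates leave these markers until the device restarts.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    if (Test-Path $cbs) { return $true }
    if (Test-Path $wu)  { return $true }
    $pfro = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    return ($null -ne $pfro -and $pfro.Count -gt 0)
}

function Test-CcmClientNetPrerequisite {
    # Evaluates the device against the documented minimum and recommendation and
    # returns the next step of the restart-management process described above.
    param([int]$Release = (Get-NetFrameworkRelease))
    $result = [pscustomobject]@{
        Release       = $Release
        Meets462      = ($Release -ge $Net462Release)
        Meets48       = ($Release -ge $Net48Release)
        RebootPending = (Test-PendingReboot)
        Action        = ''
    }
    if (-not $result.Meets462) {
        $result.Action = 'Install .NET 4.8 (at least 4.6.2), restart, then install the client.'
    } elseif (-not $result.Meets48) {
        $result.Action = 'Minimum met; install .NET 4.8 and its latest cumulative update, then restart.'
    } elseif ($result.RebootPending) {
        $result.Action = 'Restart before running CCMSetup so client notifications work after the update.'
    } else {
        $result.Action = 'Ready: install the latest Configuration Manager client.'
    }
    return $result
}

Test-CcmClientNetPrerequisite | Format-List
```

Run it in an elevated session on the device before step 5; a device that reports RebootPending after step 3 still needs step 4.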
Known issue with .NET version 4.6.2 on Windows Server 2008 SP2
The release of .NET version 4.6.2 that Configuration Manager redistributes doesn't install
on Windows Server 2008 SP2. This version of the OS is covered under the Extended
Security Updates (ESU) program. While products under this program are no longer
supported for use with Configuration Manager, you can use the latest released version of
Configuration Manager current branch to deploy and install Windows security updates
released under the ESU program.
Microsoft recommends updating the OS to a later version that's fully supported. If your
business requirements necessitate use of this OS version, download the latest release of
.NET version 4.6.2 published on 6/23/2021 or later. For more information, see The .NET
Framework 4.6.2 offline installer for Windows. This .NET release does install on Server
2008 SP2. Manually update .NET on devices with this OS version before you update the
Configuration Manager client to version 2107.
Component | Description
Management point | To deploy the Configuration Manager client, you don't require a management point. Clients require a management point to transfer information with the site. Without a management point, you can't manage client computers.
Distribution point | The distribution point is an optional, but recommended site system role for client deployment and management. All distribution points host the client source files. Clients find the nearest distribution point from which to download the source files during client deployment or update. If the site doesn't have a distribution point, computers download the client source files from their management point.
Fallback status point | The fallback status point is an optional, but recommended site system role for client deployment. The fallback status point tracks client deployment and enables computers in the Configuration Manager site to send state messages when they can't communicate with a management point.
Reporting services point | The reporting services point is an optional, but recommended site system role. It displays reports related to client deployment and management. For more information, see Introduction to reporting.
If you don't specify a client push installation account, the site server uses its
computer account.
The site needs to discover the computer on which you're installing the client. At
least one Configuration Manager discovery method is needed.
To configure the client push installation account: Modify and Read permission for
the Site object.
To use client push to install the client to collections, devices and queries: Modify
Resource and Read permission for the Collection object.
The Infrastructure Administrator default security role includes the required permissions
to manage client push installations.
Software update point-based installation
To download the source files, the client computer needs to communicate with a
distribution point or a management point.
Group policy-based installation
To download the source files, the client computer needs to communicate with a
distribution point or a management point.
Logon script-based installation
To download the source files, the client computer needs to communicate with a
distribution point or a management point, unless you run CCMSetup.exe with the
following command-line parameter: ccmsetup /source
Manual installation
To download the source files, the client computer needs to communicate with a
distribution point or a management point, unless you run CCMSetup.exe with the
following command-line parameter: ccmsetup /source
Depending upon the use case, you may also require one or both of the following
technologies:
For more information about how to configure the network access account, see the
Fundamental concepts for content management.
For the security permissions required to upgrade the Configuration Manager client
using application management, see Security and privacy for application management.
Firewall requirements
If there's a firewall between the site system servers and the computers onto which you
want to install the Configuration Manager client, see Windows Firewall and port settings
for clients.
Next steps
Windows firewall and port settings for clients
Important
On-premises MDM and the Configuration Manager client for macOS are both
deprecated.
Migrate management of macOS and mobile devices to Microsoft Intune. For more
information, see Supported clients and devices.
Deploying Configuration Manager clients in your environment has the following external
dependencies and dependencies within the product.
For more information on the minimum hardware and OS requirements for the
Configuration Manager client, see Supported configurations.
Note
The software version numbers shown in this article only list the minimum version
numbers required.
When you install the Configuration Manager client on mobile devices and enroll them,
use this information to determine the prerequisites.
The issuing CA must automatically approve certificate requests from the mobile
device users during the enrollment process.
For more information about the certificate requirements, see Security and privacy
for certificate profiles.
A security group that contains the users that can enroll their mobile devices.
This security group is used to configure the certificate template that is used during
mobile device enrollment.
This DNS alias is required to support automatic discovery for the enrollment
service. If you don't configure this DNS record, users must manually specify the
name of the enrollment proxy point as part of the enrollment process.
Site system role dependencies for the computers that run the enrollment point and
the enrollment proxy point.
For more information, see Supported operating systems for site system servers.
An enrollment proxy point manages enrollment requests from mobile devices and
the enrollment point completes the enrollment process. The enrollment point must
be in the same Active Directory forest as the site server, but the enrollment proxy
point can be in another forest.
Configure client settings to allow users to enroll mobile devices and configure at
least one enrollment profile.
To configure enrollment for mobile devices, your account needs the following
security permissions:
To add, modify, and delete the enrollment site system roles: Modify permission
for the Site object.
The Full Administrator default security role includes the required permissions to
configure the enrollment site system roles.
To manage enrolled mobile devices, your account needs the following security
permissions:
To wipe or retire a mobile device: Delete resource for the Collection object.
To cancel a wipe or retire command: Delete resource for the Collection object.
To allow and block mobile devices: Modify resource for the Collection object.
To remote lock, or reset the passcode on a mobile device: Modify resource for
the Collection object.
For more information about how to configure security permissions, see Fundamentals of
role-based administration and Configure role-based administration.
Firewall requirements
Intervening network devices such as routers and firewalls, and Windows Firewall if
applicable, must allow the traffic associated with mobile device enrollment.
Between mobile devices and the enrollment proxy point: HTTPS (by default, TCP
443)
Between the enrollment proxy point and the enrollment point: HTTPS (by default,
TCP 443)
If you use a proxy web server, configure it for SSL tunneling. SSL bridging isn't
supported for mobile devices.
Next steps
Windows firewall and port settings for clients
Windows Firewall and port settings for clients in Configuration Manager
Article • 10/04/2022
Client computers in Configuration Manager that run Windows Firewall often require you
to configure exceptions to allow communication with their site. The exceptions that you
must configure depend on the management features that you use with the
Configuration Manager client.
Use the following sections to identify these management features and for more
information about how to configure Windows Firewall for these exceptions.
3. Configure any required exceptions and any custom programs and ports that you
require.
Queries
If you run the Configuration Manager console on a computer that runs Windows
Firewall, queries fail the first time that they are run and the operating system displays a
dialog box asking if you want to unblock statview.exe. If you unblock statview.exe, future
queries will run without errors. You can also manually add Statview.exe to the list of
programs and services on the Exceptions tab of the Windows Firewall before you run a
query.
Client Requests
For client computers to communicate with Configuration Manager site systems, add the
following as exceptions to the Windows Firewall:
Important
These are default port numbers that can be changed in Configuration Manager. For
more information, see How to configure client communication ports. If these ports
have been changed from the default values, you must also configure matching
exceptions on the Windows Firewall.
Client Notification
For the management point to notify client computers about an action that it must take
when an administrative user selects a client action in the Configuration Manager
console, such as download computer policy or initiate a malware scan, add the following
as an exception to the Windows Firewall:
Outbound: TCP Port 10123
If this communication does not succeed, Configuration Manager automatically falls back
to using the existing client-to-management point communication port of HTTP, or
HTTPS:
Important
These are default port numbers that can be changed in Configuration Manager. For
more information, see How to configure client communication ports. If these
ports have been changed from the default values, you must also configure
matching exceptions on the Windows Firewall.
Remote Control
To use Configuration Manager remote control, allow the following port:
Wake-Up Proxy
If you enable the wake-up proxy client setting, a new service named ConfigMgr Wake-up
Proxy uses a peer-to-peer protocol to check whether other computers are awake on the
subnet and to wake them up if necessary. This communication uses the following ports:
In addition to these ports, wake-up proxy also uses Internet Control Message Protocol
(ICMP) echo request messages from one client computer to another client computer.
This communication is used to confirm whether the other client computer is awake on
the network. ICMP is sometimes referred to as TCP/IP ping commands.
For more information about wake-up proxy, see Plan how to wake up clients.
Important
If there is a firewall between the site system servers and the client computer,
confirm whether the firewall permits traffic for the ports that are required for the
client installation method that you choose. For example, firewalls often prevent
client push installation from succeeding because they block Server Message Block
(SMB) and Remote Procedure Calls (RPC). In this scenario, use a different client
installation method, such as manual installation (running CCMSetup.exe) or Group
Policy-based client installation. These alternative client installation methods do not
require SMB or RPC.
For information about how to configure Windows Firewall on the client computer, see
Modifying the Ports and Programs Permitted by Windows Firewall.
Ports that are used for all installation methods
Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) from the client computer to a fallback status point, when a fallback status point is assigned to the client. | -- | 80 (See note 1, Alternate Port Available)
Server Message Block (SMB) between the site server and client computer. | -- | 445
RPC endpoint mapper between the site server and the client computer. | 135 | 135
RPC dynamic ports between the site server and the client computer. | -- | DYNAMIC
Hypertext Transfer Protocol (HTTP) from the client computer to a management point when the connection is over HTTP. | -- | 80 (See note 1, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a management point when the connection is over HTTPS. | -- | 443 (See note 1, Alternate Port Available)
Hypertext Transfer Protocol (HTTP) from the client computer to the software update point. | -- | 80 or 8530 (See note 2, Windows Server Update Services)
Secure Hypertext Transfer Protocol (HTTPS) from the client computer to the software update point. | -- | 443 or 8531 (See note 2, Windows Server Update Services)
Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup command-line property /source:<Path>. | -- | 445
Ports that are used with Group Policy-based installation
Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) from the client computer to a management point when the connection is over HTTP. | -- | 80 (See note 1, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a management point when the connection is over HTTPS. | -- | 443 (See note 1, Alternate Port Available)
Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup command-line property /source:<Path>. | -- | 445
Server Message Block (SMB) between the client computer and a network share from which you run CCMSetup.exe. | -- | 445
When you install Configuration Manager, the client installation source files are copied and automatically shared from the <InstallationPath>\Client folder on management points. However, you can copy these files and create a new share on any computer on the network. Alternatively, you can eliminate this network traffic by running CCMSetup.exe locally, for example, by using removable media.
Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a management point when the connection is over HTTPS, and you do not specify the CCMSetup command-line property /source:<Path>. | -- | 443 (See note 1, Alternate Port Available)
Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup command-line property /source:<Path>. | -- | 445
Ports that are used with software distribution-based installation
Description | UDP | TCP
Server Message Block (SMB) between the distribution point and the client computer. | -- | 445
Hypertext Transfer Protocol (HTTP) from the client to a distribution point when the connection is over HTTP. | -- | 80 (See note 1, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) from the client to a distribution point when the connection is over HTTPS. | -- | 443 (See note 1, Alternate Port Available)
Notes
Note 1, Alternate Port Available: In Configuration Manager, you can define an alternate
port for this value. If a custom port has been defined, substitute that custom port when
you define the IP filter information for IPsec policies or for configuring firewalls.
Note 2, Windows Server Update Services: You can install Windows Server Update Services
(WSUS) either on the default Web site (port 80) or a custom Web site (port 8530). After
installation, you can change the port. You do not have to use the same port number
throughout the site hierarchy.
If the HTTP port is anything else, the HTTPS port must be 1 higher. For example, 8530
and 8531.
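A client-side Windows Firewall configuration for the default ports in the tables above, added here as an example and not taken from the Microsoft documentation. The site server and site system addresses are placeholders; the script assumes default port numbers, a custom WSUS website on 8530/8531 (checked against the rule in note 2), and that the inbound client push rules are scoped to the site server alone, which keeps the SMB and RPC exposure that client push needs limited to one trusted source.

```powershell
# Added example, not part of the Microsoft documentation.
# All addresses are placeholders; replace them with your own site systems.
$SiteServer    = '10.0.0.10'                               # placeholder: server that performs client push
$SiteSystems   = @('10.0.0.10', '10.0.0.11', '10.0.0.12')  # placeholder: MP, DP, SUP, FSP
$WsusHttpPort  = 8530   # custom WSUS website; use 80 if WSUS runs on the default website
$WsusHttpsPort = 8531

function Test-WsusPortPair {
    # Note 2: the default website pairs 80/443; any other HTTP port must have
    # its HTTPS port exactly one higher (for example 8530/8531).
    param([int]$HttpPort, [int]$HttpsPort)
    if ($HttpPort -eq 80) { return ($HttpsPort -eq 443) }
    return ($HttpsPort -eq ($HttpPort + 1))
}

function Add-RuleIfMissing {
    # Idempotent wrapper: skip rules that already exist under the same display name.
    param([string]$Name, [hashtable]$RuleArgs)
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $Name -Profile Domain -Action Allow @RuleArgs | Out-Null
}

if (-not (Test-WsusPortPair -HttpPort $WsusHttpPort -HttpsPort $WsusHttpsPort)) {
    throw "WSUS ports $WsusHttpPort/$WsusHttpsPort break the HTTPS = HTTP + 1 rule."
}

# Inbound ports are needed only by client push: SMB, the RPC endpoint mapper and the
# RPC dynamic range. Scope them to the site server rather than opening them to Any.
$inbound = @(
    @{ Name = 'ConfigMgr Client Push - SMB 445';     Protocol = 'TCP'; LocalPort = 445 },
    @{ Name = 'ConfigMgr Client Push - RPC 135 TCP'; Protocol = 'TCP'; LocalPort = 135 },
    @{ Name = 'ConfigMgr Client Push - RPC 135 UDP'; Protocol = 'UDP'; LocalPort = 135 },
    @{ Name = 'ConfigMgr Client Push - RPC dynamic'; Protocol = 'TCP'; LocalPort = 'RPC' }
)
foreach ($r in $inbound) {
    Add-RuleIfMissing -Name $r.Name -RuleArgs @{
        Direction     = 'Inbound'
        Protocol      = $r.Protocol
        LocalPort     = $r.LocalPort
        RemoteAddress = $SiteServer
    }
}

# Outbound: HTTP/HTTPS to management, distribution, fallback status and software
# update points, plus TCP 10123 for client notification (which falls back to HTTP/HTTPS).
$outboundPorts = @(80, 443, $WsusHttpPort, $WsusHttpsPort, 10123) | Sort-Object -Unique
Add-RuleIfMissing -Name 'ConfigMgr Client - Outbound to site systems' -RuleArgs @{
    Direction     = 'Outbound'
    Protocol      = 'TCP'
    RemotePort    = $outboundPorts
    RemoteAddress = $SiteSystems
}

Get-NetFirewallRule -DisplayName 'ConfigMgr*' | Select-Object DisplayName, Direction, Enabled
```

If you don't use client push, omit the inbound block entirely; the alternative installation methods in the Important note above need none of those inbound ports.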
Determine the site system roles for Configuration Manager clients
Article • 10/04/2022
This article can help you determine the site system roles that you need to deploy
Configuration Manager clients.
For more information about where to install these roles in the hierarchy, see Design a
hierarchy of sites.
For more information about how to install and configure these roles, see Install site
system roles.
Management point
By default, all Windows client computers use a distribution point to install the
Configuration Manager client. They can fall back to a management point when a
distribution point is unavailable. However, you can install Windows clients on computers
from an alternative source when you use the CCMSetup command-line property
/source:<Path>. For example, you might do this action if you install clients on the
internet. Another scenario is when you want to avoid sending network packets between
the computer and the management point during client installation. This scenario is
because a firewall blocks the required ports or because you have a low-bandwidth
connection. However, all clients must communicate with a management point to assign
to a site and to be managed by Configuration Manager.
For more information about client command-line properties, see About client
installation properties.
When you install more than one management point in the hierarchy, clients
automatically connect to one point based on their forest membership and network
location. You can't install more than one management point in a secondary site.
Mac computer clients and mobile device clients that you enroll with Configuration
Manager always require a management point for client installation. This management
point must be in a primary site, must be configured to support mobile devices, and must
accept client connections from the Internet. These clients can't use management points
in secondary sites or connect to management points in other primary sites.
Distribution point
You don't need a distribution point to install Configuration Manager clients on Windows
computers. By default, Configuration Manager uses a distribution point to install the
client source files on Windows computers. It can fall back to downloading these files
from a management point. Distribution points aren't used to install mobile device clients
that are enrolled by Configuration Manager, but are used if you install the mobile device
legacy client. If you install the Configuration Manager client as part of an OS
deployment, the OS image is stored and retrieved from a distribution point.
Although you might not need distribution points to install most Configuration Manager
clients, you'll need them to install software such as applications and software updates
on the clients.
Mac computers
Mobile devices that are enrolled by Configuration Manager
Mobile devices that are managed by using the Exchange Server connector
A fallback status point isn't required to monitor client activity and client health.
The fallback status point always communicates with clients over HTTP, which uses
unauthenticated connections and sends data in clear text. This behavior makes the
fallback status point vulnerable to attack, particularly when it's used with internet-based
client management. To help reduce the attack surface, always dedicate a server to
running the fallback status point. Don't install other site system roles on the same server
in a production environment.
You want client communication errors from Windows computers to be sent to the
site, even if these client computers can't communicate with a management point.
You want to use the Configuration Manager client deployment reports, which
display the data that's sent by the fallback status point.
You have a dedicated server for this site system role and have additional security
measures to help protect the server from attack.
The benefits of using a fallback status point outweigh any security risks associated
with unauthenticated connections and clear text transfers over HTTP traffic.
Don't install a fallback status point if the security risks of running a website with
unauthenticated connections and clear text transfers outweigh the benefits of
identifying client communication problems.
The reports aren't needed to deploy clients. You can see some deployment information
in the Configuration Manager console or use the client log files for detailed information.
However, the client reports provide valuable information to help monitor and
troubleshoot client deployment.
Important
With the deprecation of on-premises MDM and the Configuration Manager client
for macOS, these site system roles are also deprecated. For more information, see
Removed and deprecated features for Configuration Manager.
Configuration Manager requires the enrollment point and the enrollment proxy point to
enroll mobile devices and to enroll certificates for Mac computers. You don't need these
site system roles in the following situations:
You plan to manage mobile devices by using the Exchange Server connector
You install the mobile device legacy client
You request and install the client certificate on Mac computers independently from
Configuration Manager
This article describes security and privacy information for Configuration Manager clients.
It also includes information for mobile devices that are managed by the Exchange Server
connector.
Use the following security guidance to help protect the site from rogue or compromised
devices.
Use a certificate revocation list (CRL). Make sure that clients and communicating
servers can always access it.
Mobile device clients and some internet-based clients require these certificates.
Microsoft recommends these certificates for all client connections on the intranet.
For more information on the use of certificates in Configuration Manager, see Plan for
certificates.
Important
Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.
Manual
Automatic for computers in trusted domains
Automatic for all computers
The most secure approval method is to automatically approve clients that are members
of trusted domains. This option includes cloud-domain joined clients from connected
Azure Active Directory (Azure AD) tenants. Then manually check and approve all other
computers. Automatically approving all clients isn't recommended, unless you have
other access controls to prevent untrustworthy computers from accessing your network.
For more information about how to manually approve computers, see Manage clients
from the devices node.
When site systems accept HTTP client connections, don't rely on blocking to protect the
Configuration Manager hierarchy from untrusted computers. In this scenario, a blocked
client could rejoin the site with a new self-signed certificate and hardware ID.
Certificate revocation is the primary line of defense against potentially compromised
certificates. A certificate revocation list (CRL) is only available from a supported public
key infrastructure (PKI). Blocking clients in Configuration Manager offers a second line of
defense to protect your hierarchy.
If you apply access controls and change controls, use imaging and manual
installation methods.
Of all the client installation methods, client push installation is the least secure because
of the many dependencies it has. These dependencies include local administrative
permissions, the Admin$ share, and firewall exceptions. The number and type of these
dependencies increase your attack surface.
When using client push, the site can require Kerberos mutual authentication by not
allowing fallback to NTLM before establishing the connection. This enhancement helps
to secure the communication between the server and the client. For more information,
see How to install clients with client push.
For more information about the different client installation methods, see Client
installation methods.
Wherever possible, select a client installation method that requires the least security
permissions in Configuration Manager. Restrict the administrative users that are
assigned security roles with permissions that can be used for purposes other than client
deployment. For example, configuring automatic client upgrade requires the Full
Administrator security role, which grants an administrative user all security permissions.
For more information about the dependencies and security permissions required for
each client installation method, see Prerequisites for computer clients.
For greater security, create multiple client push installation accounts, each with
administrative access to a limited number of computers. If one account is compromised,
only the client computers to which that account has access are compromised.
You haven't extended the Active Directory schema for Configuration Manager
Clients don't use PKI certificates when they communicate with management points
In this scenario, clients have no way to verify that the management point is trusted for
the hierarchy unless they use the trusted root key. Without the trusted root key, a skilled
attacker could direct clients to a rogue management point.
When clients don't use PKI certificates and can't download the trusted root key from the
Active Directory global catalog, pre-provision the clients with the trusted root key. This
action makes sure that they can't be directed to a rogue management point. For more
information, see Planning for the trusted root key.
When clients can't download this certificate from the Active Directory global catalog, by
default they download it from the management point. If the management point is
exposed to an untrusted network like the internet, manually install the site server
signing certificate on clients. This action makes sure that they can't download tampered
client policies from a compromised management point.
To manually install the site server signing certificate, use the CCMSetup client.msi
property SMSSIGNCERT.
If the client downloads the trusted root key from the first
management point it contacts, don't use automatic site
assignment
To avoid the risk of a new client downloading the trusted root key from a rogue
management point, only use automatic site assignment in the following scenarios:
The client can access Configuration Manager site information that's published to
Active Directory Domain Services.
You use PKI certificates from an enterprise certification authority to establish trust
between the client and the management point.
For more information about the trusted root key, see Planning for the trusted root key.
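Pre-provisioning a new client with the trusted root key and the site server signing certificate, and assigning it an explicit site code instead of relying on automatic site assignment, as an added PowerShell example that is not from the Configuration Manager documentation. It covers the SMSSIGNCERT guidance above and the trusted-root-key guidance in this section; the staging share, management point FQDN, site code (CO1) and the registry value used to find the site installation directory are assumptions.

```powershell
# Added example (not the product's own code). Run the export part on the site
# server; paths and names marked "placeholder" are constructed for this example.
$stage = '\\fileserver\ClientStage'   # placeholder: share readable by new clients

# 1. Site server signing certificate. It is kept in the local machine "SMS" store;
#    filtering on the friendly name is an assumption, adjust if your store differs.
$signingCert = Get-ChildItem Cert:\LocalMachine\SMS |
    Where-Object { $_.FriendlyName -eq 'Site Server Signing Certificate' } |
    Select-Object -First 1
if (-not $signingCert) { throw 'Site server signing certificate not found in Cert:\LocalMachine\SMS' }
# SMSSIGNCERT expects a DER-encoded .cer file.
Export-Certificate -Cert $signingCert -FilePath "$stage\SiteServerSigning.cer" -Type CERT | Out-Null

# 2. Trusted root key. The key value is published in mobileclient.tcf under the
#    site's bin directory as an SMSPublicRootKey= line; the file handed to
#    CCMSetup via SMSROOTKEYPATH contains only that value.
$installDir = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SMS\Identification').'Installation Directory'
$tcf  = Join-Path $installDir 'bin\i386\mobileclient.tcf'
$line = Select-String -Path $tcf -Pattern '^SMSPublicRootKey=' | Select-Object -First 1
if (-not $line) { throw "SMSPublicRootKey not found in $tcf" }
$rootKey = ($line.Line -split '=', 2)[1].Trim()
Set-Content -Path "$stage\TrustedRootKey.txt" -Value $rootKey -NoNewline

# 3. Install command for a new client: explicit site code (no automatic site
#    assignment), root key from the staged file, and the signing certificate, so
#    the client neither trusts the first management point it meets nor accepts
#    policy that was not signed by the site server.
$ccmArgs = @(
    '/mp:mp01.corp.example'                      # placeholder intranet MP FQDN
    'SMSSITECODE=CO1'
    "SMSROOTKEYPATH=$stage\TrustedRootKey.txt"
    "SMSSIGNCERT=$stage\SiteServerSigning.cer"
)
Write-Host "ccmsetup.exe $($ccmArgs -join ' ')"
# On the new client, with the source files staged on the share:
# Start-Process -FilePath "$stage\ccmsetup.exe" -ArgumentList $ccmArgs -Wait
```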
Configuration Manager locks the computer during this period so that only local
administrators can sign in. Whenever possible, take other security precautions to help
protect the computer. For example, enable restrictions on the firewall.
If you use maintenance windows to persist changes, plan these windows carefully.
Minimize the time that write filters are disabled, but make them long enough to allow
software installations and restarts to complete.
When you update the site, the software update for client deployment that's published to
the software update point isn't automatically updated. Republish the Configuration
Manager client to the software update point and update the version number.
For more information, see How to install Configuration Manager clients by using
software update-based installation.
When you set this client setting to Always, Configuration Manager can complete the
installation of software. This behavior helps install critical software updates and resume
services. If an attacker intercepts the restart process, they could take control of the
computer. Use this setting only when you trust the computer, and when physical access
to the computer is restricted. For example, this setting might be appropriate for servers
in a data center.
For more information on this client setting, see About client settings.
Don't bypass PowerShell execution policy
If you configure the Configuration Manager client setting for PowerShell execution
policy to Bypass, then Windows allows unsigned PowerShell scripts to run. This behavior
could allow malware to run on client computers. When your organization requires this
option, use a custom client setting. Assign it to only the client computers that must run
unsigned PowerShell scripts.
For more information on this client setting, see About client settings.
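Keeping the default client settings at AllSigned and scoping Bypass to a custom device setting deployed only to the collection that needs it, as an added PowerShell example that is not from the Configuration Manager documentation. It assumes the ConfigurationManager console module, a constructed site code (CO1), and placeholder names for the setting and the exception collection, which must already exist.

```powershell
# Added example (not the product's own code). Site code CO1, the setting name
# and the collection name are placeholders.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'CO1:'

$settingName = 'PowerShell Bypass - exception devices'   # placeholder
$collection  = 'PS Bypass Exceptions'                    # placeholder, existing device collection

# Fleet-wide default: unsigned scripts do not run.
Set-CMClientSettingComputerAgent -DefaultSetting -PowerShellExecutionPolicy AllSigned

# Narrow custom device setting, created only if it does not exist yet.
$custom = Get-CMClientSetting -Name $settingName
if (-not $custom) {
    $custom = New-CMClientSetting -Name $settingName -Type Device `
        -Description 'Bypass limited to devices that must run unsigned PowerShell scripts'
}
Set-CMClientSettingComputerAgent -Name $settingName -PowerShellExecutionPolicy Bypass

# Deploy the exception to that collection and nothing else. Custom settings take
# precedence over the default, so only these devices end up with Bypass.
Start-CMClientSettingDeployment -ClientSettingName $settingName -CollectionName $collection
```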
For mobile devices that don't have the Configuration Manager client installed but are
managed by the Exchange Server connector: Configure the Password Settings for the
Exchange Server connector such that the password complexity is the PIN. Specify at
least the default minimum password length.
For mobile devices that don't have the Configuration Manager client installed but are
managed by the Exchange Server connector: Configure the Application Settings for the
Exchange Server connector such that Unsigned file installation and Unsigned
applications are Prohibited.
For mobile devices that are enrolled by Configuration Manager: Use a mobile device
configuration item to configure the password setting Idle time in minutes before
mobile device is locked.
For mobile devices that don't have the Configuration Manager client installed but are
managed by the Exchange Server connector: Configure the Password Settings for the
Exchange Server connector to set the Idle time in minutes before mobile device is
locked.
The device is transferred to another person without retiring and then re-enrolling
the device.
Device enrollment creates a user device affinity relationship. This relationship maps the
user who does enrollment to the mobile device. If another user uses the mobile device,
they can run the applications deployed to the original user, which might result in an
elevation of privileges. Similarly, if an administrator enrolls the mobile device for a user,
applications deployed to the user aren't installed on the mobile device. Instead,
applications deployed to the administrator might be installed.
For more information about how to renew the certificate, see Renewing the macOS
client certificate manually.
3. In the Keychain Access dialog box, in the Keychains section, select System. Then in
the Category section, select Certificates.
4. Locate and open the root CA certificate for the Mac client certificate.
5. In the dialog box for the root CA certificate, expand the Trust section, and then
make the following changes:
a. When using this certificate: Change the Always Trust setting to Use System
Defaults.
6. Close the dialog box. When prompted, enter the administrator's password, and
then select Update Settings.
After you complete this procedure, the root certificate is only trusted to validate the SSL
protocol. Other protocols that are now untrusted with this root certificate include Secure
Mail (S/MIME), Extensible Authentication (EAP), and code signing.
Note
Also use this procedure if you installed the client certificate independently from
Configuration Manager.
Controls exist to help prevent attackers from directly modifying policy. However,
attackers could take an existing policy that reformats and redeploys an OS and send it
to a different computer. This redirected policy could create a denial of service. These
types of attacks would require precise timing and extensive knowledge of the
Configuration Manager infrastructure.
The most serious risk is that an attacker could remove information in the log files. An
administrator might need this information for auditing and intrusion detection.
A computer could be used to obtain a certificate that's
designed for mobile device enrollment
When Configuration Manager processes an enrollment request, it can't verify the
request originated from a mobile device rather than from a computer. If the request is
from a computer, it can install a PKI certificate that then allows it to register with
Configuration Manager.
To help prevent an elevation of privilege attack in this scenario, only allow trusted users
to enroll their mobile devices. Carefully monitor device enrollment activities in the site.
For example, you configure the domain policy for Account lockout threshold to six
attempts. A user mistypes their password three times, and the account is locked out.
This behavior effectively creates a denial of service. If users must sign in to embedded
devices in this scenario, caution them about the potential for a reduced lockout
threshold.
Client information is stored in the Configuration Manager site database in your SQL
Server, and isn't sent to Microsoft. Information is kept in the database until it's deleted
by the site maintenance task Delete Aged Discovery Data every 90 days. You can
configure the deletion interval.
Some summarized or aggregate diagnostics and usage data is sent to Microsoft. For
more information, see Diagnostics and usage data.
You can learn more about Microsoft's data collection and use in the Microsoft Privacy
Statement.
Client status
Configuration Manager monitors the activity of clients. It periodically evaluates the
Configuration Manager client and can remediate issues with the client and its
dependencies. Client status is enabled by default. It uses server-side metrics for the
client activity checks. Client status uses client-side actions for self-checks, remediation,
and for sending client status information to the site. The client runs the self-checks
according to a schedule that you configure. The client sends the results of the checks to
the Configuration Manager site. This information is encrypted during transfer.
Client status information is stored in the Configuration Manager database in your SQL
Server, and isn't sent to Microsoft. The information isn't stored in encrypted format in
the site database. This information is kept in the database until it's deleted according to
the value configured for the Retain client status history for the following number of
days client status setting. The default value for this setting is every 31 days.
You can learn more about Microsoft's data collection and use in the Microsoft Privacy
Statement.
Recommendations for client
deployment in Configuration Manager
Article • 10/04/2022
Planning
You need certificates on certain site systems and the client devices. The most common
site systems are management points and distribution points. On production networks,
you might require change management approval to use new certificates or restart site
system servers. Users may also need to sign out of Windows to get new group
membership. Make sure to allow sufficient time for replication of security permissions
and new certificate templates.
For more information, see About client installation properties published to Active
Directory Domain Services.
Configure maintenance windows for servers and for Windows Embedded devices to
support business continuity on critical devices. Maintenance windows make sure that
required software updates and antimalware software don't restart the computer during
business hours.
For more information, see Configure client settings and How to use maintenance
windows.
Installation
Use the FSP property and install a fallback status point. It allows you to better monitor
client installation and assignment, and identify any communication problems.
For more information about these options, see About client installation properties.
By using security groups and WMI filtering for the group policy configuration, you also
have flexibility to control which computers install the Configuration Manager client.
For more information, see How to install Configuration Manager clients by using
software update-based installation.
If you use another client installation method as the primary upgrade method, use
automatic client upgrade to catch computers that it missed. For example, devices that
were offline during the main deployment.
For example, for a management point in site XYZ, assign the client installed on this site
system server to site XYZ.
When you have a choice of which type of write filter to enable, choose file-based write
filters (FBWF) or unified write filters (UWF). Configure exceptions to persist client state
and inventory data between device restarts. These exceptions improve network and CPU
efficiency on the Configuration Manager client. For more information, see Plan for client
deployment to Windows Embedded devices.
For more information about the maximum number of Windows Embedded clients that a
primary site can support, see Supported operating systems for clients and devices.
Important
For Windows computers that you plan to protect with a unified write filter (UWF),
configure the device for UWF before you install the client. This configuration
enables Configuration Manager to install the client with a custom credential
provider that locks out low-rights users from signing in to the device during
maintenance mode.
Next steps
How to deploy clients to Windows computers
Determine whether to block clients in
Configuration Manager
Article • 10/04/2022
If a client computer or client mobile device is no longer trusted, you can block the client
in the System Center 2012 Configuration Manager console. Blocked clients are rejected
by the Configuration Manager infrastructure so that they cannot communicate with site
systems to download policy, upload inventory data, or send state or status messages.
You must block and unblock a client from its assigned site rather than from a secondary
site or a central administration site.
Important
Clients that access the site by using the ISV Proxy certificate cannot be blocked. For
more information about the ISV Proxy certificate, see the Configuration Manager
Software Development Kit (SDK).
If your site systems accept HTTPS client connections and your public key infrastructure
(PKI) supports a certificate revocation list (CRL), always consider certificate revocation to
be the primary line of defense against potentially compromised certificates. Blocking
clients in Configuration Manager offers a second line of defense to protect your
hierarchy.
Note
Helps to protect site systems from potentially compromised computers and mobile
devices.
Mac clients always perform CRL checking, and this functionality cannot be disabled.
Although mobile device clients do not use certificate revocation lists to check the
certificates for site systems, their certificates can be revoked and checked by
Configuration Manager.
Client communication can be rejected from any computer or mobile device that
requires this client certificate.
For many PKI deployments, this delay can be a day or longer. For example, in
Active Directory Certificate Services, the default expiration period is one week for a
full CRL, and one day for a delta CRL.
Helps to protect site systems and clients from potentially compromised computers
and mobile devices.
Note
You can further protect site systems that run IIS from unknown clients by
configuring a certificate trust list (CTL) in IIS.
Planning for client deployment to Mac
computers in Configuration Manager
Article • 10/04/2022
Important
You can install the Configuration Manager client on Mac computers that run macOS X
and use the following management capabilities:
Hardware inventory
Processor
Computer System
Disk Drive
Disk Partition
Network Adapter
Operating System
Service
Process
Installed Software
Computer System Product
USB Controller
USB Device
CDROM Drive
Video Controller
Desktop Monitor
Portable Battery
Physical Memory
Printer
Important
You cannot extend the hardware information that is collected from Mac
computers during hardware inventory.
Compliance settings
You can use Configuration Manager compliance settings to view the compliance of
and remediate macOS X preference (.plist) settings. For example, you could enforce
settings for the home page in the Safari web browser or ensure that the Apple
firewall is enabled. You can also use shell scripts to monitor and remediate settings
in macOS X.
Application management
Configuration Manager can deploy software to Mac computers. You can deploy
the following software formats to Mac computers:
When you install the Configuration Manager client on Mac computers, you cannot
use the following management capabilities that are supported by the
Configuration Manager client on Windows-based computers:
Software updates
Note
Maintenance windows
Remote control
Power management
For more information about how to install and configure the Configuration
Manager Mac client, see How to deploy clients to Macs.
Planning for client deployment to
Windows Embedded devices in
Configuration Manager
Article • 10/04/2022
If your Windows Embedded device does not include the Configuration Manager client,
you can use any of the client installation methods if the device meets the required
dependencies. If the embedded device supports write filters, you must disable these
filters before you install the client, and then re-enable the filters again after the client is
installed and assigned to a site.
Note that when you disable the filters, you should not disable the filter drivers. Typically
these drivers are started automatically when the computer is started. Disabling the
drivers will either prevent installation of the client, or interfere with write filter
orchestration which will cause client operations to fail. These are the services associated
with each write filter type that must remain running:
Write filters control how the operating system on the embedded device is updated
when you make changes, such as when you install software. When write filters are
enabled, instead of making the changes directly to the operating system, these changes
are redirected to a temporary overlay. If the changes are only written to the overlay,
they are lost when the embedded device shuts down. However, if the write filters are
temporarily disabled, the changes can be made permanent so that you do not have to
make the changes again (or reinstall software) every time that the embedded device
restarts. However, temporarily disabling and then re-enabling the write filters requires
one or more restarts, so you typically want to control when this happens by
configuring maintenance windows so that restarts occur outside business hours.
You can configure options to automatically disable and re-enable the write filters when
you deploy software such as applications, task sequences, software updates, and the
Endpoint Protection client. The exception is for configuration baselines with
configuration items that use automatic remediation. In this scenario, the remediation
always occurs in the overlay so that it is available only until the device is restarted. The
remediation is applied again at the next evaluation cycle, but only to the overlay, which
is cleared at restart. To force Configuration Manager to commit the remediation
changes, you can deploy the configuration baseline and then another software
deployment that supports committing the change as soon as possible.
If the write filters are disabled, you can install software on Windows Embedded devices
by using Software Center. However, if the write filters are enabled, the installation fails
and Configuration Manager displays an error message that you have insufficient
permissions to install the application.
Warning
Even if you do not select the Configuration Manager options to commit the
changes, the changes might be committed if another software installation or
change is made that commits changes. In this scenario, the original changes will be
committed in addition to the new changes.
When Configuration Manager disables the write filters to make changes permanent,
only users who have local administrative rights can log on and use the embedded
device. During this period, low-rights users are locked out and see a message that the
computer is unavailable because it is being serviced. This helps protect the device while
it is in a state where changes can be permanently applied, and this servicing mode
lockout behavior is another reason to configure a maintenance window for a time when
users will not log on to these devices.
File-Based Write Filter (FBWF) - For more information, see File-Based Write Filter.
Enhanced Write Filter (EWF) RAM - For more information, see Enhanced Write
Filter.
Unified Write Filter (UWF) - For more information, see Unified Write Filter.
Configuration Manager does not support write filter operations when the Windows
Embedded device is in EWF RAM Reg mode.
Important
If you have the choice, use File-Based Write Filters (FBWF) with Configuration
Manager for increased efficiency and higher scalability.
For devices that use FBWF only: Configure the following exceptions to persist
client state and inventory data between device restarts:
CCMINSTALLDIR\*.sdf
CCMINSTALLDIR\ServiceData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\StateSystem
Devices that run Windows Embedded 8.0 and later do not support exclusions
that contain wildcard characters. On these devices, you must configure the
following exclusions individually:
c:\Windows\System32\Microsoft\Protect
c:\ProgramData\Microsoft\Crypto
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SMS\Certificates
Note
No additional exceptions are needed by the Configuration Manager client other
than those documented in the above Important box. Adding additional
Configuration Manager or WMI (WBEM) related exceptions may lead to failures of
the Configuration Manager client, including devices getting stuck in servicing mode or
devices experiencing reboot loops. Unneeded exceptions include the Configuration
Manager client directory, the CCMcache directory, the CCMSetup directory, the Task
Sequence cache directory, the WBEM directory, and Configuration Manager related
registry keys.
For more information about how to build images for Windows Embedded devices and
configure write filters, see your Windows Embedded documentation, or contact your
OEM.
Note
When you select the applicable platforms for software deployments and
configuration items, these display the Windows Embedded families rather than
specific versions.
Example scenario for deploying and
managing Configuration Manager
clients on Windows Embedded devices
Article • 10/04/2022
Coho Vineyard & Winery is opening a visitor center and needs kiosks that run Windows
Embedded to run interactive presentations. The building for the new visitor center is not
close to the IT department, so the kiosks must be managed remotely. In addition to the
software that runs the presentations, these devices must run up-to-date antimalware
protection software to comply with the company security policies. The kiosks must run 7
days a week, with no downtime while the visitor center is open.
For more information, see Planning for client deployment to Windows Embedded
devices.
2. Before the Admin installs the Configuration Manager client, the Admin creates a
new query-based device collection for the Windows Embedded devices. Because
the company uses standard naming formats to identify their computers, the Admin
can uniquely identify Windows Embedded devices by the first six letters of the
computer name: WEMDVC. The Admin uses the following WQL query to create
this collection: select SMS_R_System.NetbiosName from SMS_R_System where
SMS_R_System.NetbiosName like "WEMDVC%"
This collection allows the Admin to manage the Windows Embedded devices with
different configuration options from the other devices. The Admin will use this
collection to control restarts, deploy Endpoint Protection with client settings, and
deploy the interactive presentation application.
3. The Admin configures the collection for a maintenance window to ensure that
restarts that might be required for installing the presentation application and any
upgrades do not occur during opening hours for the visitor center. Opening hours
will be 09:00 through 18:00, Monday through Sunday. The Admin configures the
maintenance window for every day, 18:30 through 06:00.
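Steps 2 and 3 of the scenario (the query-based collection built from the WEMDVC name prefix and the daily 18:30 to 06:00 maintenance window) as an added PowerShell example; it is not a script from the scenario itself. It assumes the ConfigurationManager console module and the site drive CO1: from the scenario; the collection name, rule name and start date are constructed.

```powershell
# Added example (not the scenario's own script). Site code CO1 is from the
# scenario; the other names are placeholders.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'CO1:'

$collectionName = 'Windows Embedded devices'   # placeholder
# The WQL query from step 2: membership by the six-letter computer name prefix.
$query = 'select SMS_R_System.NetbiosName from SMS_R_System where SMS_R_System.NetbiosName like "WEMDVC%"'

# Step 2: query-based device collection, limited to All Systems.
$coll = Get-CMDeviceCollection -Name $collectionName
if (-not $coll) {
    $coll = New-CMDeviceCollection -Name $collectionName -LimitingCollectionName 'All Systems'
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collectionName `
        -RuleName 'Embedded kiosks by name prefix' -QueryExpression $query
}

# Step 3: maintenance window every day from 18:30 to 06:00, i.e. 11.5 hours
# (690 minutes) starting at 18:30. The start date is a placeholder; only the
# time of day matters for a daily recurrence.
$schedule = New-CMSchedule -Start (Get-Date '2023-01-01 18:30') `
    -RecurInterval Days -RecurCount 1 -DurationInterval Minutes -DurationCount 690
New-CMMaintenanceWindow -CollectionName $collectionName -Name 'Visitor center closed hours' `
    -Schedule $schedule -ApplyTo Any
```

Restarts triggered by required deployments on this collection are then held until the window opens, which is what keeps the kiosks up during opening hours.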
5. The Admin then configures a custom device client setting to install the Endpoint
Protection client by selecting Yes for the following settings, and then deploys this
custom client setting to the Windows Embedded device collection:
When the Configuration Manager client is installed, these settings install the
Endpoint Protection client and ensure that it is persisted in the operating
system as part of the installation, rather than written to the overlay only. The
company security policies require that the antimalware software is always
installed and the Admin does not want to run the risk of the kiosks being
unprotected for even a short period of time if they restart.
Note
The restarts that are required to install the Endpoint Protection client are a
one-time occurrence, which happen during the setup period for the devices
and before the visitor center is operational. Unlike the periodic deployment of
applications or software definition updates, the next time the Endpoint
Protection client is installed on the same device will probably be when the
company upgrades to the next version of Configuration Manager.
6. With the configuration settings for the client now in place, the Admin prepares to
install the Configuration Manager clients. Before the Admin can install the clients,
they must manually disable the write filter on the Windows Embedded devices. The
Admin reads the OEM documentation that accompanies the kiosks and follows
their instructions to disable the write filters.
The Admin renames the device so it uses the company standard naming format,
and then installs the client manually by running CCMSetup with the following
command from a mapped drive that holds the client source files: CCMSetup.exe
/MP:mpserver.cohovineyardandwinery.com SMSSITECODE=CO1
This command installs the client, assigns the client to the management point that
has the intranet FQDN of mpserver.cohovineyardandwinery.com, and assigns the
client to the primary site named CO1.
The Admin knows that it always takes a while for clients to install and send back
their status to the site. So the Admin waits before they confirm that the clients
successfully install, assign to the site, and appear as clients in the collection that
they created for Windows Embedded devices.
Confident that the clients are successfully installed, assigned, and receiving client
policy from the management point, the Admin then manually enables the write
filters by following the instructions from the OEM.
Because these devices are joined to an Active Directory domain, the Admin does
not have to manually approve them as trusted clients and confirms from the
Configuration Manager console that they are approved.
8. To install the interactive presentation software, the Admin runs the Deploy
Software Wizard and configures a required application. On the User Experience
page of the wizard, in the Write filter handling for Windows Embedded devices
section, they accept the default option that selects Commit changes at deadline
or during a maintenance window (requires restarts).
The Admin keeps this default option for write filters to ensure that the application
persists after a restart, so that it is always available to the visitors using the kiosks.
The daily maintenance window provides a safe period during which the restarts for
installation and any updates can occur.
The Admin deploys the application to the Windows Embedded devices collection.
9. To configure definition updates for Endpoint Protection, the Admin uses software
updates and runs the Create Automatic Deployment Rule Wizard. They select the
Definition Updates template to prepopulate the wizard with settings that are
appropriate for Endpoint Protection.
These settings include the following on the User Experience page of the wizard:
Write filter handling for Windows Embedded devices: The Commit changes
at deadline or during a maintenance window (requires restarts) check box is
not selected.
The Admin keeps these default settings. Together, these two options with this
configuration allow any software update definitions for Endpoint Protection
to be installed in the overlay during the day and not wait to be installed and
committed during the maintenance window. This configuration best meets
the company security policy for computers to run up-to-date antimalware
protection.
Note
The Admin selects the Windows Embedded devices collection for the
automatic deployment rule.
10. The Admin decides to configure a maintenance task that periodically commits all
changes on the overlay. This task supports the software update definitions
deployment by reducing the number of updates that accumulate and must be
installed again each time the device restarts. In the Admin's experience, this helps
the antimalware programs run more efficiently.
Note
a. On the Create a New Task Sequence page, the Admin selects Create a new
custom task sequence, and then clicks Next.
b. On the Task Sequence Information page, the Admin enters Maintenance task
to commit changes on embedded devices for the task sequence name, and
then clicks Next.
c. On the Summary page, the Admin selects Next, and completes the wizard.
The Admin then deploys this custom task sequence to the Windows Embedded
devices collection, and configures the schedule to run every month. As part of
the deployment settings, they select the Commit changes at deadline or during
a maintenance window (requires restarts) check box to persist the changes
after a restart. To configure this deployment, the Admin selects the custom task
sequence that they just created, and then on the Home tab, in the Deployment
group, they click Deploy to start the Deploy Software Wizard:
d. On the General page, the Admin selects the Windows Embedded devices
collection, and then clicks Next.
e. On the Deployment Settings page, the Admin selects the Purpose of Required,
and then clicks Next.
f. On the Scheduling page, the Admin clicks New to specify a weekly schedule
during the maintenance window, and then clicks Next.
11. For the kiosks to run automatically, the Admin writes a script to configure the
devices for the following settings:
The Admin uses packages and programs to deploy this script to the Windows
Embedded devices collection. When the Admin runs the Deploy Software
Wizard, they again select the Commit changes at deadline or during a
maintenance window (requires restarts) check box to persist the changes
after a restart.
12. The following morning, the Admin checks the Windows Embedded devices. They
confirm the following:
The Endpoint Protection client is installed and has the latest software update
definitions.
13. The Admin monitors the kiosks and reports the successful management of them to
their manager. As a result, 20 kiosks are ordered for the visitor center.
The kiosks are delivered to the visitor center a week before it opens. During this
time, the kiosks are connected to the network, all device management for them is
automatic, and no local administrator is required. The Admin confirms that the
kiosks are functioning as required:
The clients on the kiosks complete site assignment and download the trusted
root key from Active Directory Domain Services.
The clients on the kiosks are automatically added to the Windows Embedded
devices collection and configured with the maintenance window.
The Endpoint Protection client is installed and has the latest software update
definitions for antimalware protection.
The interactive presentation software is installed and runs automatically,
ready for visitors.
14. After this initial setup, any restarts that might be required for updates occur only
when the visitor center is closed.
Plan how to wake up clients in
Configuration Manager
Article • 10/04/2022
Note
This article describes how an older version of Wake on LAN functions. This
functionality still exists in Configuration Manager version 1810, which also includes
a newer version of Wake on LAN too. Both versions of Wake on LAN can, and in
many cases will, be enabled simultaneously. For more information about how the
new version of Wake on LAN functions starting in 1810 and enabling either or both
versions, see How to configure Wake on LAN.
You can supplement the traditional wake-up packet method by using the wake-up proxy
client settings. Wake-up proxy uses a peer-to-peer protocol and elected computers to
check whether other computers on the subnet are awake, and to wake them if
necessary. When the site is configured for Wake On LAN and clients are configured for
wake-up proxy, the process works as follows:
1. Computers with the Configuration Manager client installed and that aren't asleep
on the subnet check whether other computers on the subnet are awake. They do
this check by sending each other a TCP/IP ping command every five seconds.
2. To support wake-up proxy, at least three computers must be awake for each
subnet. To achieve this requirement, three computers are non-deterministically
chosen to be guardian computers for the subnet. This state means that they stay
awake, despite any configured power policy to sleep or hibernate after a period of
inactivity. Guardian computers honor shutdown or restart commands, for example,
as a result of maintenance tasks. If this action happens, the remaining guardian
computers wake up another computer on the subnet so that the subnet continues
to have three guardian computers.
3. Manager computers ask the network switch to redirect network traffic for the
sleeping computers to themselves.
Warning
During this process, the IP-to-MAC mapping for the sleeping computer
remains the same. Wake-up proxy works by informing the network switch that
a different network adapter is using the port that was registered by another
network adapter. However, this behavior is known as a MAC flap and is
unusual for standard network operation. Some network monitoring tools look
for this behavior and can assume that something is wrong. Consequently,
these monitoring tools can generate alerts or shut down ports when you use
wake-up proxy.
Do not use wake-up proxy if your network monitoring tools and services do
not allow MAC flaps.
4. When a manager computer sees a new TCP connection request for a sleeping
computer and the request is to a port that the sleeping computer was listening on
before it went to sleep, the manager computer sends a wake-up packet to the
sleeping computer, and then stops redirecting traffic for this computer.
5. The sleeping computer receives the wake-up packet and wakes up. The sending
computer automatically retries the connection and this time, the computer is
awake and can respond.
Important
If you have a separate team that is responsible for the network infrastructure and
network services, notify and include this team during your evaluation and testing
period. For example, on a network that uses 802.1X network access control, wake-up
proxy will not work and can disrupt the network service. In addition, wake-up
proxy could cause some network monitoring tools to generate alerts when the
tools detect the traffic to wake up other computers.
Guest operating systems that run on a virtual machine are not supported.
Clients must be enabled for wake-up proxy by using client settings. Although
wake-up proxy operation does not depend on hardware inventory, clients do not
report the installation of the wake-up proxy service unless they are enabled for
hardware inventory and submitted at least one hardware inventory.
Network adapters (and possibly the BIOS) must be enabled and configured for
wake-up packets. If the network adapter is not configured for wake-up packets or
this setting is disabled, Configuration Manager will automatically configure and
enable it for a computer when it receives the client setting to enable wake-up
proxy.
If a computer has more than one network adapter, you cannot configure which
adapter to use for wake-up proxy; the choice is non-deterministic. However, the
adapter chosen is recorded in the SleepAgent_<DOMAIN>@SYSTEM_0.log file.
The network must allow ICMP echo requests (at least within the subnet). You
cannot configure the five-second interval that is used to send the ICMP ping
commands.
Wireless networks
IPv6-only networks
If you want to wake up computers for scheduled software installation, you must
configure each primary site to use wake-up packets.
To use wake-up proxy, you must deploy Power Management wake-up proxy client
settings in addition to configuring the primary site.
Decide whether to use subnet-directed broadcast packets, or unicast packets, and what
UDP port number to use. By default, traditional wake-up packets are transmitted by
using UDP port 9, but to help increase security, you can select an alternative port for the
site if this alternative port is supported by intervening routers and firewalls.
Unicast
Advantages: More secure solution than subnet-directed broadcasts because the … subnet.
Disadvantages: Wake-up packets do not find destination computers that have changed their subnet address after the last hardware inventory schedule.

Subnet-Directed Broadcast
Advantages: Higher success rate than unicast if you have computers that frequently change their IP address in the same subnet. No switch reconfiguration is required. High compatibility rate because subnet-directed broadcasts were the original transmission method for sending wake-up packets.
Disadvantages: Less secure solution than using unicast because an attacker could send continuous streams of ICMP echo requests from a falsified source address to the directed broadcast address. This causes all of the hosts to reply to that source address. If routers are configured to allow subnet-directed broadcasts, the additional configuration is recommended for security reasons:
- Configure routers to allow only IP-directed broadcasts from the Configuration Manager site server, by using a specified UDP port number.
Might require reconfiguration of all intervening routers to enable subnet-directed broadcasts. Consumes more network bandwidth than unicast transmissions.
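The following Python is an added example, not code from the article or from Configuration Manager. It builds the standard Wake On LAN magic packet (six 0xFF bytes followed by the MAC address 16 times, a format the article does not spell out) and picks the destination for the two transmission methods compared above: unicast to the address recorded at the client's last hardware inventory, or the directed broadcast address of that subnet, on the default UDP port 9 or a site-specific alternative. The MAC, addresses and alternative port 12287 are constructed values.

```python
"""Added example (not Configuration Manager code): the traditional wake-up
packet and the unicast vs subnet-directed broadcast choice."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_WAKE_ON_LAN_PORT = 9  # site default; an alternative UDP port can be configured


def parse_mac(mac: str) -> bytes:
    """Accept AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff or aabbccddeeff."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """Standard Wake On LAN magic packet: six 0xFF bytes, then the MAC 16 times."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC if payload is a magic packet, otherwise None.
    A monitor can identify wake-up traffic by structure rather than by port,
    which matters when a site uses a non-default port."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


@dataclass(frozen=True)
class WakeupTarget:
    """What the site knows about a sleeping client from its last hardware inventory."""
    mac: str
    last_inventoried_ip: str
    prefix_length: int


def directed_broadcast(ip: str, prefix_length: int) -> str:
    """Broadcast address of the subnet the client reported at its last inventory."""
    net = ipaddress.ip_network(f"{ip}/{prefix_length}", strict=False)
    if net.version != 4:
        raise ValueError("directed broadcast is an IPv4 concept")
    return str(net.broadcast_address)


def wakeup_destination(target: WakeupTarget, use_broadcast: bool,
                       port: int = DEFAULT_WAKE_ON_LAN_PORT) -> Tuple[str, int]:
    """Unicast goes to the last inventoried IP, so it misses a client whose address
    changed since inventory; a subnet-directed broadcast reaches every host on that
    subnet (and every host on it has to process the packet)."""
    if use_broadcast:
        return directed_broadcast(target.last_inventoried_ip, target.prefix_length), port
    return target.last_inventoried_ip, port


def send_wakeup(target: WakeupTarget, use_broadcast: bool,
                port: int = DEFAULT_WAKE_ON_LAN_PORT) -> Tuple[str, int]:
    """Transmit one wake-up packet and return the destination used. Directed
    broadcast needs SO_BROADCAST on the socket; unicast does not."""
    dest = wakeup_destination(target, use_broadcast, port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        if use_broadcast:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(build_magic_packet(target.mac), dest)
    return dest


if __name__ == "__main__":
    kiosk = WakeupTarget("00-11-22-33-44-55", "10.1.2.37", 24)  # constructed client
    print("unicast   ->", wakeup_destination(kiosk, use_broadcast=False))
    print("broadcast ->", wakeup_destination(kiosk, use_broadcast=True, port=12287))
    print("payload   ->", parse_magic_packet(build_magic_packet(kiosk.mac)))
```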
Personal virtual machines: The virtual machine (VM) maintains user data and
settings between sessions.
Azure Virtual Desktop: A desktop and app virtualization service that runs on
Microsoft Azure. Starting in version 1906, use Configuration Manager to manage
these virtual devices running Windows in Azure.
Personal VMs
Configuration Manager treats personal VMs the same as a physical computer. You can
preinstall the Configuration Manager client on the VM image or after you provision it.
Because the VM might only be operational for a short length of time, some
Configuration Manager features may not return relevant data. For example, hardware
inventory, software inventory, and software metering. Consider excluding pooled VMs
from inventory tasks.
Other considerations
Because virtualization supports running multiple Configuration Manager clients on the
same physical computer, many client operations have a built-in randomized delay for
scheduled actions. For example, hardware and software inventory, antimalware scans,
software installations, and software update scans. This delay helps distribute the CPU
processing and data transfer for a server that has multiple VMs that run the
Configuration Manager client.
Except for Windows Embedded clients in servicing mode, Configuration Manager clients
not in virtualized environments also use this randomized delay. This behavior helps
avoid peaks in network bandwidth. It also reduces the CPU processing on site systems,
such as the management point and site server. The delay interval varies according to the
Configuration Manager capability. For example, see About client settings - Disable
deadline randomization.
You can change the request port numbers that Configuration Manager clients use to
communicate with site systems that use HTTP and HTTPS for communication. Although
HTTP or HTTPS is more likely to be already configured for firewalls, client notification
that uses HTTP or HTTPS requires more CPU usage and memory on the management
point computer than if you use a custom port number. You can also specify the site port
number to use if you wake up clients by using traditional wake-up packets.
When you specify HTTP and HTTPS request ports, you can specify both a default port
number and an alternative port number. If communication fails with the default port,
clients automatically try the alternative port. You can specify port settings for HTTP and
HTTPS data communication.
The default values for client request ports are 80 for HTTP traffic and 443 for HTTPS
traffic. Change them only if you don't want to use these default values. A typical
scenario for using custom ports is when you use a custom website in IIS rather than the
default website. If you change the default port numbers for the default website in IIS,
and other applications also use the default website, they're likely to fail.
Important
If you change the port numbers for the client request services as a site
configuration, and existing clients aren't reconfigured to use the new port
numbers, these clients will be unmanaged.
Before you configure a non-default port number, make sure that firewalls and
all intervening network devices support this configuration. If you will manage
clients on the internet, and change the default HTTPS port number of 443,
routers and firewalls on the internet might block this communication.
To make sure that clients don't become unmanaged after you change the request port
numbers, configure clients to use the new request port numbers. When you change the
request ports on a primary site, any attached secondary sites automatically inherit the
same port configuration.
Clients that can't access this information published to Active Directory include:
Workgroup clients
Clients from another Active Directory forest
Clients that are configured for internet-only
Clients that are currently on the internet.
If you change the default port numbers after you install these clients, reinstall them.
Reinstall the clients by using the Client Push Installation Wizard. Client push
installation automatically configures clients with the current site port configuration.
For more information, see How to install Configuration Manager clients with client
push.
Reinstall the clients by using a method that searches Active Directory Domain
Services for Configuration Manager client installation properties. For more
information, see About client installation properties published to Active Directory
Domain Services.
To reconfigure the port numbers for existing clients, you can also use the script
Portswitch.vbs. Find this script on the installation media in the
SMSSETUP\Tools\PortConfiguration folder.
Important
For existing and new clients that are currently on the internet, configure the non-
default port numbers by using the CCMSetup.exe client.msi properties of
CCMHTTPPORT and CCMHTTPSPORT.
After changing the request ports on the site, when you install new clients with the site-
wide client push installation method, they're automatically configured with the current
port numbers for the site.
5. Select a service, and then select the Properties icon to open the Port Detail
window.
6. Specify the port number and description for the item, and then select OK.
7. If you want to use the custom website SMSWeb for site systems that run IIS, select
Use custom web site. For more information, see Websites for site system servers.
8. Select OK to save the configuration and close the site properties window.
Before you use DNS publishing for management points, make sure that DNS servers on
the intranet have service location resource records (SRV RR) and corresponding host (A
or AAAA) resource records for the site's management points. The service location
resource records can be created automatically by Configuration Manager or manually,
by the DNS administrator who creates the records in DNS.
For more information about DNS publishing as a service location method for
Configuration Manager clients, see Understand how clients find site resources and
services for Configuration Manager.
By default, clients search DNS for management points in their DNS domain. However, if
there are no management points published in the clients' domain, you must manually
configure clients with a management point DNS suffix. You can configure this DNS suffix
on clients either during or after client installation:
For more information about the CCMSetup command-line properties, see About
client installation properties.
2. On the Site tab, specify the DNS suffix of a management point, and then click OK.
If the site has more than one management point and they are in more than one
domain, specify just one domain. When clients connect to a management point in
this domain, they download a list of available management points, which will
include the management points from the other domains.
How to configure client settings in
Configuration Manager
Article • 10/04/2022
You manage all client settings in Configuration Manager from the Client Settings node
of the Administration workspace in the console. When you want to configure settings
for all users and devices in the hierarchy, modify the default settings. If you want to
apply different settings to just some users or devices, create custom settings and deploy
to collections. Custom client settings override the default settings.
For information about each client setting, see About client settings.
Note
You can also use configuration items to manage clients to assess, track, and
remediate the configuration compliance of devices. For more information, see
Ensure device compliance.
2. Select Default Client Settings. On the Home tab of the ribbon, select Properties.
3. View and configure the client settings for each group of settings in the navigation
pane.
Tip
Configuration Manager configures clients with these settings when they next
download policy. To start policy retrieval for a single client, see Start policy retrieval
for a Configuration Manager client.
2. On the Home tab of the ribbon, in the Create group, select Create Custom Client
Settings. Then choose either Create Custom Client Device Settings or Create
Custom Client User Settings.
c. Select each group of settings from the navigation pane, configure the available
settings, and then select OK to save the settings.
3. Select the custom client setting that you created. On the Home tab of the ribbon,
in the Client Settings group, choose Deploy.
4. In the Select Collection window, select the appropriate collection, and then choose
OK. To verify the targeted collection, switch to the Deployments tab in the details
pane of the Client Settings node.
5. View the order of the custom client setting that you created. When you have
multiple custom client settings, they're applied according to their order number. If
there are any conflicts between settings, the setting that has the lowest order
number overrides the other settings. To change the order number, on the Home
tab of the ribbon, in the Client Settings group, choose Move Item Up or Move
Item Down.
Tip
Configuration Manager configures clients with these settings when they next
download policy. To start policy retrieval for a single client, see Start policy retrieval
for a Configuration Manager client.
2. Select a device or user, and in the Client Settings group of the ribbon, select
Resultant Client Settings.
3. Select a client setting from the left pane, and it displays the settings. In this view,
the settings are read-only.
Note
To view the client settings, your account needs Read access to client settings.
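As an added example (Python, not code from the article or from Configuration Manager), the following models how the resultant client settings for one device come about: custom client settings reach a device only through a collection it belongs to, they override the default settings, and where two custom settings objects configure the same setting the one with the lowest order number wins. The setting names, values and collection names are constructed.

```python
"""Added example (not Configuration Manager code): how default and custom client
settings resolve into the resultant client settings for one device."""
from dataclasses import dataclass
from typing import Any, Dict, List, Set, Tuple


@dataclass(frozen=True)
class CustomClientSettings:
    name: str
    order: int                 # the order number shown in the Client Settings node
    collections: Set[str]      # collections this object is deployed to
    values: Dict[str, Any]     # only the settings this object configures


Resolved = Dict[str, Tuple[Any, str]]  # setting -> (value, source settings object)


def applicable(customs: List[CustomClientSettings],
               memberships: Set[str]) -> List[CustomClientSettings]:
    """Custom settings reach a device only through a collection it is a member of."""
    return [cs for cs in customs if cs.collections & memberships]


def resultant_settings(default: Dict[str, Any], customs: List[CustomClientSettings],
                       memberships: Set[str]) -> Resolved:
    """Custom settings override the default. Among custom settings the lowest
    order number wins a conflict, so apply them from highest order to lowest
    and let each later (lower-numbered) object overwrite the earlier ones."""
    resolved: Resolved = {k: (v, "Default Client Settings") for k, v in default.items()}
    for cs in sorted(applicable(customs, memberships), key=lambda c: c.order, reverse=True):
        for setting, value in cs.values.items():
            resolved[setting] = (value, cs.name)
    return resolved


def conflicts(customs: List[CustomClientSettings],
              memberships: Set[str]) -> Dict[str, List[str]]:
    """Settings configured by more than one applicable custom object, winner first."""
    sources: Dict[str, List[str]] = {}
    for cs in sorted(applicable(customs, memberships), key=lambda c: c.order):
        for setting in cs.values:
            sources.setdefault(setting, []).append(cs.name)
    return {s: names for s, names in sources.items() if len(names) > 1}


# Constructed data: a subset of settings named after options in this article.
DEFAULT_CLIENT_SETTINGS: Dict[str, Any] = {
    "PowerShellExecutionPolicy": "AllSigned",
    "EnableUserPolicy": True,
    "WakeupProxyPort": 25536,
    "WakeOnLanPort": 9,
}
CUSTOM_CLIENT_SETTINGS = [
    CustomClientSettings("Kiosk hardening", 1, {"Windows Embedded devices"},
                         {"EnableUserPolicy": False, "PowerShellExecutionPolicy": "AllSigned"}),
    CustomClientSettings("Lab scripting", 2, {"Lab computers", "Windows Embedded devices"},
                         {"PowerShellExecutionPolicy": "Bypass"}),
    CustomClientSettings("Site WoL port", 3, {"All Systems"},
                         {"WakeOnLanPort": 12287}),  # constructed alternative port
]
KIOSK = {"All Systems", "Windows Embedded devices"}   # a kiosk's collection memberships
LAB_PC = {"All Systems", "Lab computers"}             # a lab computer's memberships

if __name__ == "__main__":
    for setting, (value, source) in resultant_settings(
            DEFAULT_CLIENT_SETTINGS, CUSTOM_CLIENT_SETTINGS, KIOSK).items():
        print(f"{setting:26} = {value!r:12} (from {source})")
    print("conflicts:", conflicts(CUSTOM_CLIENT_SETTINGS, KIOSK))
```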
Use the following cmdlets to configure client settings for the specific group:
Set-CMClientSettingBackgroundIntelligentTransfer
Set-CMClientSettingClientCache
Set-CMClientSettingClientPolicy
Set-CMClientSettingCloudService
Set-CMClientSettingComplianceSetting
Set-CMClientSettingComputerAgent
Set-CMClientSettingComputerRestart
Set-CMClientSettingDeliveryOptimization
Set-CMClientSettingEndpointProtection
Set-CMClientSettingEnrollment
Set-CMClientSettingGeneral
Set-CMClientSettingHardwareInventory
Set-CMClientSettingMeteredInternetConnection
Set-CMClientSettingPowerManagement
Set-CMClientSettingRemoteTool
Set-CMClientSettingSoftwareCenter
Set-CMClientSettingSoftwareDeployment
Set-CMClientSettingSoftwareInventory
Set-CMClientSettingSoftwareMetering
Set-CMClientSettingSoftwareUpdate
Set-CMClientSettingStateMessaging
Set-CMClientSettingUserAndDeviceAffinity
New-CMClientSettingDeployment
Remove-CMClientSettingDeployment
Next steps
About client settings
About client settings in Configuration
Manager
Article • 04/11/2023
Manage all client settings in the Configuration Manager console from the Client
Settings node in the Administration workspace. Configuration Manager comes with a
set of default settings. When you change the default client settings, these settings are
applied to all clients in the hierarchy. You can also configure custom client settings,
which override the default client settings when you assign them to collections. For more
information, see How to configure client settings.
Configure BranchCache
Set up the client computer for Windows BranchCache. To allow BranchCache caching on
the client, set Enable BranchCache to Yes.
Tip
To disable BranchCache, set Configure BranchCache to Yes, and then set Enable
BranchCache to No.
Port for initial network broadcast (default UDP 8004): Configuration Manager uses
this port in Windows PE or the full Windows OS. The task sequence engine in
Windows PE sends the broadcast to get content locations before it starts the task
sequence.
Port for content download from peer (default TCP 8003): Configuration Manager
automatically configures Windows Firewall rules to allow this traffic. If you use a
different firewall, you must manually configure rules to allow this traffic.
This setting gives you greater control over the client cache on different types of devices.
You might reduce the value on clients that have small hard drives and don't need to
keep existing content before another deployment runs.
Client policy
If this setting is No, users don't receive required applications that you deploy to users.
Users also don't receive any other management tasks in user policies.
This setting applies to users when their computer is on either the intranet or the
internet. It must be Yes if you also want to enable user policies on the internet.
The client and site are configured for internet-based client management or a cloud
management gateway.
If you set this option to No, or any of the previous requirements aren't met, then a
computer on the internet only receives computer policies. If this setting is No, but
Enable user policy on clients is Yes, users don't receive user policies until the computer
is connected to the intranet.
Note
For internet-based client management, application approval requests from users
don't require user policies or user authentication. The cloud management gateway
doesn't support application approval requests.
The client only disables user policy when it detects this type of device during a new
installation. For an existing client of this type that you update to a later client version,
the previous behavior persists. On an existing device, it configures the user policy
setting even if it detects that the device allows multiple user sessions.
If you require user policy in this scenario, and accept any potential performance impact,
enable this client setting.
Cloud services
Compliance settings
Enable compliance evaluation on clients
Set this option to Yes to configure the other settings in this group.
Computer agent
The previous version of Software Center and the application catalog are no longer
supported.
Install permissions
Configure how users can install software, software updates, and task sequences:
Only Administrators and primary users: Users must be a member of the local
Administrators group, or a primary user of the computer.
You use the Configuration Manager software development kit (SDK) to manage
client agent notifications, and the installation of applications and software updates.
Warning
If you choose this option when neither of these conditions apply, the client doesn't
install software updates and required applications. This setting doesn't prevent
users from installing available software from Software Center, including
applications, packages, and task sequences.
When you enable this setting, toast notifications for new software or required
software don't occur on clients.
All Signed: The Configuration Manager client runs scripts only if a trusted
publisher has signed them. This restriction applies independently from the current
PowerShell configuration on the client computer.
This option requires at least Windows PowerShell version 2.0. The default is All Signed.
Tip
If unsigned scripts fail to run because of this client setting, Configuration Manager
reports this error in the following ways:
If clients must install required software updates at the deployment deadline without
delay, then configure this setting to Yes.
Important
Set a grace period of 0 to 120 hours. Use this setting along with the deployment
property Delay enforcement of this deployment according to user preferences. For
more information, see Deploy applications.
Computer restart
For more information about these settings, see Device restart notifications.
Delivery Optimization
You use Configuration Manager boundary groups to define and regulate content
distribution across your corporate network and to remote offices. Windows Delivery
Optimization is a cloud-based, peer-to-peer technology to share content between
Windows devices. Configure Delivery Optimization to use your boundary groups when
sharing content among peers.
Note
Microsoft recommends allowing the client to configure this setting via local policy
rather than group policy. This allows the boundary group identifier to be set as the
Delivery Optimization group identifier on the client. For more information, see
Delivery Optimization.
Endpoint Protection
Tip
In addition to the following information, you can find details about using Endpoint
Protection client settings in Example scenario: Using Endpoint Protection to
protect computers from malware.
Choose this option if you've already installed the Endpoint Protection client, and want to
manage it with Configuration Manager. This separate installation includes a scripted
process that uses a Configuration Manager application or package and program.
Windows 10 or later devices don't need to have the Endpoint Protection agent installed.
However, those devices will still need Manage Endpoint Protection client on client
computers enabled.
Note
If you choose No, the client installs on a temporary overlay that clears when the device
restarts. In this scenario, the Endpoint Protection client doesn't fully install until another
installation commits changes to the device. This configuration is the default.
Important
If the Endpoint Protection client requires a computer restart and this setting is No,
then the computer restarts regardless of any configured maintenance windows.
Enrollment
Enrollment profile: Select Set Profile to create or select an enrollment profile. For
more information, see Configure client settings for enrollment.
Note
For a MIF file to be collected by hardware inventory, it must be in the correct location on
the client computer. By default, the files are located in the following paths:
Note
Limit: The client only communicates over the metered internet connection for the
following behaviors:
Note
If the client reaches the data transfer limit for the metered internet connection, the
client no longer communicates with the site.
Important
The client always permits software installations from Software Center, regardless of
the metered internet connection settings. If the user requests a software installation
while the device is on a metered network, Software Center honors the user's intent.
Client install and update both work when you configure this client setting to Allow or
Limit. This behavior allows the client to stay current, but still manage the client
communication on a metered network. You can control this behavior during client install
with the ccmsetup parameter /AllowMetered. For more information, see About client
installation parameters and properties.
Power management
Allow power management of devices
Set this option to Yes to enable power management on clients. For more information,
see Introduction to power management.
For more information about wake-up proxy, see Plan how to wake up clients.
Warning
Wake-up proxy port number (UDP): The port number that clients use to send
wake-up packets to sleeping computers. Keep the default port 25536, or change
the number to a value of your choice.
Wake On LAN port number (UDP): Keep the default value of 9, unless you've
changed the Wake On LAN (UDP) port number on the Ports tab of the site
Properties.
Important
This number must match the number in the site Properties. If you change this
number in one place, it isn't automatically updated in the other place.
If clients run a different firewall, manually configure it to allow the Wake-up proxy
port number (UDP).
Remote tools
Important
If you don't configure firewall settings, remote control might not work correctly.
No Access
View Only
Full Control
No sound
Beginning and end of session (default)
Repeatedly during session
In an unsolicited Remote Assistance session, the user at the client computer didn't
request assistance to start the session.
In a solicited Remote Assistance session, the user at the client computer sent a request
to the admin for remote assistance.
None (default)
Remote Viewing
Full Control
Note
The user at the client computer must always grant permission for a Remote
Assistance session to occur.
Software Center
If you install the Company Portal on a co-managed device, but configure this setting to
Software Center, then notifications from Configuration Manager launch Software
Center. Notifications from Intune launch the Company Portal. This behavior may be
confusing to users to interact with different portals.
The behavior of the Company Portal depends upon your co-management workload
configuration. For more information, see Use the Company Portal app on co-managed
devices.
Color scheme for Software Center: Select the primary color that Software Center
uses. You can choose from 48 basic colors, or define a custom color. By default,
this color is Microsoft blue (Red: 0, Green: 120, Blue: 212).
Select a logo for Software Center: Enable this setting, and then Browse to select
an image to appear in Software Center. The logo for Software Center has the
following requirements:
A JPG, PNG, or BMP file.
Dimensions of 400 x 100 pixels.
A maximum file size of 750 KB.
No spaces in the file name.
Select a logo for notifications: Starting in version 2111, enable this setting to
display a logo with notifications on devices running Windows 10 or later. Because
of how the image is used, it's separate from the Software Center logo. The logo for
notifications has the following requirements:
A JPG, PNG, or BMP file.
Square aspect ratio. For example, 100 x 100 pixels.
A maximum file size of 2 MB.
No spaces in the file name.
Hide unapproved applications in Software Center: When you enable this option,
user-available applications that require approval are hidden in Software Center.
Hide installed applications in Software Center: When you enable this option,
applications that are already installed no longer show in the Applications tab. This
option is enabled by default. Installed applications are still available for review
under the Installation Status tab.
Hide Application Catalog link in Software Center: Enable this setting. The
application catalog is no longer supported. This link would appear on the
Installation Status tab of Software Center.
Choose which tabs should be visible in Software Center. To move a tab to Visible tabs
list, select Add. To move it to the Hidden tabs list, select Remove. To change the order
of the tabs in Software Center, select Move Up or Move Down.
Default tabs:
Applications
Updates
Operating Systems
Installation Status
Device Compliance
Options
Select Delete Tab to remove a custom tab. Select Edit tab to change the configuration
of a custom tab.
Important
Some website features may not work in a custom tab in Software Center. Make sure
to test the results before deploying this to clients.
Specify only trusted or intranet website addresses when you add a custom tab.
Display custom tabs with Microsoft Edge WebView2 runtime
Enable this option for Software Center to use the Microsoft Edge WebView2 browser
control. The WebView2 browser control provides improved security and user experience.
For example, more websites should work with these custom tabs without displaying
script errors or security warnings.
If it's not already installed, the Configuration Manager client installs the Microsoft Edge
WebView2 runtime (fixed version) on the device. The installer is over 100 MB in size. If
you need to enable this setting on a large number of clients, and are concerned about
the effect of network usage, predeploy the WebView2 runtime as an application. Use the
software distribution features of Configuration Manager to better control the content
distribution and timing of software installation.
Note
If the client device isn't running .NET Framework version 4.6.2 or later, it falls
back to use the Internet Explorer browser control. Starting in version 2107, the
client requires .NET version 4.6.2, and version 4.8 is recommended. For more
information, see Prerequisites for deploying clients to Windows computers.
When using custom tabs in certain circumstances, you may encounter the
following exception: Could not load type
'System.Runtime.InteropServices.Architecture' from assembly 'mscorlib
To work around the issue, update .NET Framework to version 4.7.1 or later for the
client.
If you don't enable this option, Software Center uses the Windows built-in Internet
Explorer browser control.
Configure the Default application filter as either All or only Required applications.
By default, it shows all applications.
Software Center always uses your default setting. Users can change this filter, but
Software Center doesn't persist their preference.
Set the Default application view as either Tile view or List view. By default, it uses
the tile view.
If a user changes this configuration, Software Center persists the user's preference
in the future.
For more information on the appearance of these settings, see the Software Center user
guide.
Software deployment
Important
This setting is more invasive to the local client than it is to the network or site
server. A more aggressive reevaluation schedule negatively affects the performance
of your network and client computers. Microsoft doesn't recommend setting a
lower value than the default. If you change this value, closely monitor performance.
Start this action from a client as follows: in the Configuration Manager control panel,
from the Actions tab, select Application Deployment Evaluation Cycle.
Software inventory
File only
Product only
Full details (default)
Note
If multiple custom client settings are applied to a computer, the inventory that each
setting returns is merged.
Select New to add a new file type to inventory. Then specify the following
information in the Inventoried File Properties dialog box:
Name: Provide a name for the file that you want to inventory. Use an asterisk
( * ) wildcard to represent any string of text, and a question mark ( ? ) to
represent any single character. For example, if you want to inventory all files
with the extension .doc, specify the file name *.doc .
Location: Select Set to open the Path Properties dialog box. Configure software
inventory to search all client hard disks for the specified file, search a specified
path (for example, C:\Folder ), or search for a specified variable (for example,
%windir% ). You can also search all subfolders under the specified path.
Exclude encrypted and compressed files: When you choose this option, any
compressed or encrypted files aren't inventoried.
Exclude files in the Windows folder: When you choose this option, any files in
the Windows folder and its subfolders aren't inventoried.
Select OK to close the Inventoried File Properties dialog box. Add all the files that
you want to inventory, and then select OK to close the Configure Client Setting
dialog box.
Collect files
If you want to collect files from client computers, select Set Files, and then configure the
following settings:
Note
If multiple custom client settings are applied to a computer, the inventory that each
setting returns is merged.
In the Configure Client Setting dialog box, select New to add a file to be collected.
In the Collected File Properties dialog box, provide the following information:
Name: Provide a name for the file that you want to collect. Use an asterisk ( * )
wildcard to represent any string of text, and a question mark ( ? ) to represent
any single character.
Location: Select Set to open the Path Properties dialog box. Configure software
inventory to search all client hard disks for the file that you want to collect,
search a specified path (for example, C:\Folder ), or search for a specified
variable (for example, %windir% ). You can also search all subfolders under the
specified path.
Exclude encrypted and compressed files: When you choose this option, any
compressed or encrypted files aren't collected.
Stop file collection when the total size of the files exceeds (KB): Specify the file
size, in kilobytes (KB), after which the client stops collecting the specified files.
Note
The site server collects the five most recently changed versions of collected
files, and stores them in the <ConfigMgr installation directory>\Inboxes\Sinv.box\Filecol
directory. If a file hasn't changed since the last software inventory cycle, the
file isn't collected again.
The value Maximum size for all collected files (KB) in the Configure Client
Setting dialog box shows the maximum size for all collected files. When this
size is reached, file collection stops. Any files already collected are retained
and sent to the site server.
Important
For information about how to view collected files, see How to use Resource
Explorer to view software inventory.
Select OK to close the Collected File Properties dialog box. Add all the files that
you want to collect, and then select OK to close the Configure Client Setting
dialog box.
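As an added example (not Configuration Manager code), the following Python models how the inventoried-file rules above select files (the * and ? wildcards, a path or %variable% location, subfolder search, and the two exclusion checkboxes) and how the collected-file size cap stops collection while keeping what was already collected. The environment values, sample files and rules are constructed, and the exact behaviour at the size cap is an assumption noted in the comment.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed environment; on a real client these values come from the OS.
ENV = {"windir": "C:\\Windows"}


@dataclass
class FileEntry:
    """One file as the inventory agent would see it (constructed sample data)."""
    path: str
    size_kb: int
    compressed: bool = False
    encrypted: bool = False


@dataclass
class InventoryRule:
    """Mirrors the Inventoried/Collected File Properties dialog."""
    name: str                        # * = any string, ? = any single character
    location: Optional[str] = None   # None = search all client hard disks
    include_subfolders: bool = True
    exclude_encrypted_compressed: bool = False
    exclude_windows_folder: bool = False


def expand_location(location: str, env: Dict[str, str] = ENV) -> str:
    """Expand %VAR% references such as %windir% from the supplied environment."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), location)


def name_pattern(name: str) -> "re.Pattern[str]":
    """Translate the dialog's * and ? wildcards into an anchored, case-insensitive
    regex; every other character is literal (NTFS names are case-insensitive)."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in name)
    return re.compile(f"^{body}$", re.IGNORECASE)


def _parts(path: str) -> List[str]:
    """Split a Windows path into lower-cased components."""
    return [p.lower() for p in path.replace("/", "\\").rstrip("\\").split("\\") if p]


def rule_matches(rule: InventoryRule, entry: FileEntry, env: Dict[str, str] = ENV) -> bool:
    """Apply one rule's name, location and exclusion settings to one file."""
    *folder, filename = _parts(entry.path)
    if not name_pattern(rule.name).match(filename):
        return False
    if rule.exclude_encrypted_compressed and (entry.compressed or entry.encrypted):
        return False
    if rule.exclude_windows_folder:
        win = _parts(env["windir"])
        if folder[: len(win)] == win:          # the Windows folder and its subfolders
            return False
    if rule.location is not None:
        loc = _parts(expand_location(rule.location, env))
        if rule.include_subfolders:
            return folder[: len(loc)] == loc
        return folder == loc
    return True                                # all client hard disks


def inventory(entries: Iterable[FileEntry], rules: List[InventoryRule]) -> List[str]:
    """Paths that at least one rule selects; results from several rules are merged."""
    return [e.path for e in entries if any(rule_matches(r, e) for r in rules)]


def collect_files(entries: Iterable[FileEntry], rules: List[InventoryRule],
                  stop_kb: int) -> Tuple[List[str], int]:
    """Simulate Collect files with 'Stop file collection when the total size of the
    files exceeds (KB)'. Assumption: a file that would push the total past the cap,
    and every file after it, is skipped; files already collected are kept."""
    collected, total = [], 0
    for e in entries:
        if not any(rule_matches(r, e) for r in rules):
            continue
        if total + e.size_kb > stop_kb:
            break
        collected.append(e.path)
        total += e.size_kb
    return collected, total


# Constructed sample files and rules.
SAMPLE_FILES = [
    FileEntry("C:\\Users\\alice\\Documents\\report.doc", 120),
    FileEntry("C:\\Users\\alice\\Documents\\archive\\old.doc", 300, compressed=True),
    FileEntry("C:\\Users\\alice\\Documents\\notes.docx", 45),
    FileEntry("C:\\Windows\\Temp\\scratch.doc", 10),
    FileEntry("D:\\Data\\q1.doc", 900),
]
ALL_DOC = InventoryRule("*.doc", exclude_encrypted_compressed=True, exclude_windows_folder=True)
WINDIR_DOC = InventoryRule("*.doc", location="%windir%")
REPORT_ONLY = InventoryRule("rep???.doc", location="C:\\Users\\alice\\Documents",
                            include_subfolders=False)

if __name__ == "__main__":
    print(inventory(SAMPLE_FILES, [ALL_DOC]))            # report.doc and q1.doc
    print(collect_files(SAMPLE_FILES, [ALL_DOC], 1000))  # stops before q1.doc
```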
Set Names
The software inventory agent retrieves manufacturer and product names from file
header information. These names aren't always standardized in the file header
information. When you view software inventory in Resource Explorer, different versions
of the same manufacturer or product name can appear. To standardize these display
names, select Set Names, and then configure the following settings:
Name type: Software inventory collects information about both manufacturers and
products. Choose whether you want to configure display names for a
Manufacturer or a Product.
Display name: Specify the display name that you want to use in place of the names
in the Inventoried names list. To specify a new display name, select New.
Inventoried names: To add an inventoried name, select New. This name is replaced
in software inventory by the name chosen in the Display name list. You can add
multiple names to replace.
Software Metering
Software updates
Important
When you disable this setting, compliance policies that rely on software updates
will no longer function.
By default, this scan uses a simple schedule to start every seven days. You can create a
custom schedule. You can specify an exact start day and time, use Coordinated Universal
Time (UTC) or the local time, and configure the recurring interval for a specific day of the
week.
Note
If you specify an interval of less than one day, Configuration Manager automatically
defaults to one day.
Warning
The actual start time on client computers is the start time plus a random amount of
time, up to two hours. This randomization prevents client computers from initiating
the scan and simultaneously connecting to the active software update point.
Schedule deployment re-evaluation
Select Schedule to configure how often the software updates client agent reevaluates
software updates for installation status on Configuration Manager client computers.
When previously installed software updates are no longer found on clients but are still
required, the client reinstalls the software updates.
Adjust this schedule based on company policy for software update compliance, and
whether users can uninstall software updates. Every deployment re-evaluation cycle
results in network and client computer processor activity. By default, this setting uses a
simple schedule to start the deployment re-evaluation scan every seven days.
Note
If you specify an interval of less than one day, Configuration Manager automatically
defaults to one day.
Beginning with the September 2020 cumulative update, HTTP-based WSUS servers are
secure by default: a client scanning for updates against an HTTP-based WSUS server is
no longer allowed to use a user proxy by default. Set this option to Yes to allow
these connections if you require a user proxy despite the security trade-offs. By default,
this setting is set to No. For more information about the changes for scanning WSUS,
see September 2020 changes to improve security for Windows devices scanning
WSUS. To ensure that the best security protocols are in place, we highly recommend
that you use the TLS/SSL protocol to help secure your software update infrastructure.
Further increase the security of HTTPS scans against WSUS by enforcing certificate
pinning. To use certificate pinning, ensure your WSUS server is enabled for TLS/SSL, and
add the certificates for the WSUS servers to the new WindowsServerUpdateServices
certificate store on your clients. For more information about certificate pinning for
devices scanning HTTPS-configured WSUS servers, see secure your software update
infrastructure. The following settings are available starting in Configuration Manager
version 2103:
No: Don't enable enforcement of TLS certificate pinning for WSUS scanning
Yes: Enables enforcement of TLS certificate pinning for devices during WSUS
scanning (default)
Use this setting to speed up installation for required software updates. This setting also
has the potential to increase client security, decrease notifications to the user, and
decrease client restarts. By default, this setting is set to No.
When this option is set, delta download is used for all Windows update installation
files, not just express installation files.
When using a CMG for content storage, the content for third-party updates won't
download to clients if the Download delta content when available client setting is
enabled.
Note
This client setting replaces Port used to download content for Express installation
files.
If delta content is unavailable from distribution points in the current boundary group,
you can allow immediate fallback to a neighbor or the site default boundary group
distribution points. This setting is useful when using delta content for software updates
since the timeout setting per download job is 5 minutes. The following options are
available:
Yes: For delta content, the client doesn't wait to reach the fallback time (in minutes)
defined by the Boundary Group relationship. Clients immediately fall back to a
neighbor or the site default content distribution points when both of the following
conditions are met:
- Delta content is unavailable from distribution points in the current boundary group.
- The software update deployment allows fallback.
No (default): The client honors the fallback time (in minutes) defined by the
Boundary Group relationship when it's allowed on the software update
deployment. Delta download content may fail with a timeout even if the update
content is available on a neighbor or the site default distribution point group.
Note
You can configure the end-user experience for Microsoft 365 Apps updates. This client
setting allows you to enable or disable notifications from Microsoft 365 Apps for these
updates. The following options are available for the setting:
No: Doesn't display Microsoft 365 Apps updates notifications from Microsoft 365
Apps (default)
Yes: Displays Microsoft 365 Apps updates notifications from Microsoft 365 Apps
Which notifications are displayed to the user about updates for Microsoft 365 Apps is
also determined by the settings for per deployment notifications from Software Center.
If the deployment's user notifications from Software Center are disabled (found on the
User Experience page for the deployment), then the end user won't receive any
notifications from either Software Center or Microsoft 365 Apps, regardless of how
notifications from Microsoft 365 Apps are set. If notifications from both Software Center
and Microsoft 365 Apps are enabled, then the end user will receive notifications from
Software Center and Microsoft 365 Apps. Below is a chart of which notifications for
Microsoft 365 Apps updates are displayed to the end user for these settings:
By default, this setting is set to No. This value uses the same behavior as before: if both
types exist, it ignores the window.
Note
This setting also applies to maintenance windows that you configure to apply to
Task sequences.
If the client only has an All deployments window available, it still installs software
updates or task sequences in that window.
By default, the client only installs software updates during the second maintenance
window. It ignores the maintenance window for all deployments in this scenario. When
you change this setting to Yes, the client installs software updates between 02:00 and
06:00.
Not Configured: Configuration Manager doesn't change the setting. Admins can
pre-stage their own setupconfig.ini file. This value is the default.
Normal: Windows Setup uses more system resources and updates faster. It uses
more processor time, so the total installation time is shorter, but the user's outage
is longer.
Configures the setupconfig.ini file on the device with the /Priority Normal
Windows setup command-line option.
Low: You can continue to work on the device while it downloads and updates in
the background. The total installation time is longer, but the user's outage is
shorter. You may need to increase the update max run time to avoid a time-out
when you use this option.
Not Configured - The default value. No changes are made to the setupconfig file.
Dynamic Update is enabled by default on all supported versions of Windows 10
or later.
For Windows 10, version 1803 and earlier, Dynamic Update checks the
device's WSUS server for approved dynamic updates. In Configuration
Manager environments, dynamic updates are never directly approved in the
WSUS server so these devices don't install them.
Starting with Windows 10, version 1809, Dynamic Update uses the device's
internet connection to get dynamic updates from Microsoft Update. These
dynamic updates aren't published for WSUS use.
Yes - Enables Dynamic Update.
No - Disables Dynamic Update.
Not Configured - The default value. Features that are shipped via a monthly quality
update (servicing) remain off until the feature update that includes these features
is installed.
Features introduced via servicing are off by default on all supported versions of
Windows 11 22621.1344 or later.
Yes - Enables Feature Update; all features available in the latest installed monthly
quality update will be on.
No - Disables Feature Update; features that are shipped via a monthly quality update
(servicing) remain off until the feature update that includes these features is
installed.
State Messaging
Note
For example, you specify User device affinity usage threshold (minutes) as 60
minutes, and User device affinity usage threshold (days) as 5 days. Then the user
must use the device for 60 minutes over a period of 5 days to create automatic
affinity with the device.
Important
This group was previously called Windows Analytics. Microsoft retired the
Windows Analytics service on January 31, 2020. For more information, see KB
4521815: Windows Analytics retirement on January 31, 2020.
The notifications a user receives for a pending device restart can vary depending on the
Computer restart client settings and which version of Configuration Manager you use.
This article helps you configure the user experience for pending device restart
notifications.
Note
By default, Windows 11 enables focus assist for the first hour after a user signs on
for the first time. For more information, see Reaching the Desktop and the Quiet
Period.
Software Center notifications are currently suppressed during this time. For more
information, see Turn Focus assist on or off in Windows.
Application
Task sequence
Software update
Toast notification
A Windows toast notification informs the user that the device needs to restart. The
information in the toast notification can be different depending on which version of
Configuration Manager you're running. This type of notification is native to the
Windows OS. You may also see third-party software using this type of notification.
Available apps
When you don't use toast notifications, the dialog for software marked as Available is
similar to proactively installed software. For Available software, the notification doesn't
have a deadline for the restart and the user can choose their own snooze interval. For
more information, see Approval settings.
If you Snooze this notification, it will show again based on how you configure the
frequency of restart reminder notifications. The device won't restart until you select
Restart or manually restart Windows.
Client settings
To control the client restart behaviors, configure the following device client settings in
the Computer Restart group. For more information, see How to configure client
settings.
To take full advantage of new Configuration Manager features, after you update the site,
also update clients to the latest version. While new functionality appears in the
Configuration Manager console when you update the site and console, the complete
scenario isn't functional until the client version is also updated.
Important
This client setting applies to all application, software update, and package
deployments to the device. Until a user manually restarts the device:
When you disable this setting, you can't specify the amounts of time after the deadline
that the device is restarted or the user is presented a final countdown notification.
The default value is 90 minutes. The maximum value is 20160 minutes (two weeks).
Note
This setting was previously titled Display a temporary notification to the user that
indicates the interval before the user is logged off or the computer restarts
(minutes).
Note
This setting was previously titled Display a dialog box that the user cannot close,
which displays the countdown interval before the user is logged off or the
computer restarts (minutes).
Note
This setting was previously titled Specify the snooze duration for computer restart
countdown notifications (minutes).
When a deployment requires a restart, show a dialog window to the user instead of a toast notification
To change the user experience to be more intrusive, configure this setting to Yes. This
setting applies to all deployments of applications, task sequences, and software updates.
For more information, see User notifications.
Important
Allowing low-rights users to restart a server can potentially impact other users or
services.
If the setting When a deployment requires a restart, show a dialog window to the user
instead of a toast notification is set to:
No: Windows shows toast notifications until the deployment reaches the final
countdown notification.
If the restart is less than 24 hours away, it shows a progress bar. The timing of
this notification is based on the setting: Specify the amount of time after the
deadline before a device gets restarted (minutes).
If the user selects Snooze, another temporary notification shows after the snooze period
elapses. This behavior assumes it hasn't yet reached the final countdown. The timing of
the next notification is based on the setting: Specify the frequency of reminder
notifications presented to the user, after the deadline, before a device gets restarted
(minutes). If the user selects Snooze, and your snooze interval is one hour, then
Software Center notifies the user again in 60 minutes. This behavior assumes it hasn't
yet reached the final countdown.
When it reaches the final countdown, Software Center shows the user a notification they
can't close. The progress bar is in red and the user can't Snooze it.
The following notification occurs when both the user experience setting allows
notifications and you don't use toast notifications for the deployment:
Once the deployment reaches its deadline, Software Center follows the behavior to
Install required software at or after the deadline.
Example configurations
The following examples describe how to configure the client settings to achieve specific
behaviors.
Note
If the user puts the device to sleep, it doesn't pause or interrupt a countdown. For
example, a restart countdown is halfway into a four-hour timer, and the user puts
the device to sleep. 12 hours later the user wakes up the device. The device restarts,
as it's past the deadline.
Setting | Value
Specify the amount of time after the deadline before a device gets restarted (minutes) | 180
Specify the amount of time that a user is presented a final countdown notification before a device gets restarted (minutes) | 60
Specify the frequency of reminder notifications presented to the user, after the deadline, before a device gets restarted (minutes) | 240
When a deployment requires a restart, show a dialog window to the user instead of a toast notification | No
The device will restart three hours (180 minutes) after the deployment deadline. One
hour (60 minutes) before it restarts, the user sees a countdown that they can't close or
snooze. The first reminder notification is set to start four hours (240 minutes) after the
deadline, which is after the restart. So the user doesn't see any reminders.
Setting | Value
Specify the amount of time after the deadline before a device gets restarted (minutes) | 7200
Specify the amount of time that a user is presented a final countdown notification before a device gets restarted (minutes) | 120
Specify the frequency of reminder notifications presented to the user, after the deadline, before a device gets restarted (minutes) | 900
When a deployment requires a restart, show a dialog window to the user instead of a toast notification | Yes
The device will restart five days (7200 minutes) after the deployment deadline. Two
hours (120 minutes) before it restarts, the user sees a countdown that they can't close or
snooze. This configuration allows for 118 hours to show reminders ( (7200 - 120) / 60 ).
15 hours (900 minutes) after the deadline, Software Center displays the first reminder. It
displays a maximum of six additional reminders every 15 hours (900 minutes). The user
sees the reminder as a window on the screen, instead of a notification that disappears in
a few seconds.
Setting | Value
Specify the amount of time after the deadline before a device gets restarted (minutes) | 2880
Specify the amount of time that a user is presented a final countdown notification before a device gets restarted (minutes) | 60
Specify the frequency of reminder notifications presented to the user, after the deadline, before a device gets restarted (minutes) | 30
When a deployment requires a restart, show a dialog window to the user instead of a toast notification | Yes
The device will restart two days (2880 minutes) after the deployment deadline. One hour
(60 minutes) before it restarts, the user sees a countdown that they can't close or
snooze. This configuration allows for 47 hours to show reminders ( (2880 - 60) / 60 ). 30
minutes after the deadline, Software Center displays the first reminder. It displays a
maximum of 92 additional reminders every 30 minutes. The user sees the reminder as a
window on the screen, instead of a notification that disappears in a few seconds.
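To make the arithmetic behind these three example configurations checkable, here is an added Python model (not Microsoft code) of the restart timeline: the reminder window, the reminder offsets, the unsnoozable final countdown, and the rule that sleep does not pause the countdown. The validation limits come from this section (default 90 minutes, maximum 20160); the requirement that the countdown fits inside the restart delay is an assumption noted in the code.

```python
from dataclasses import dataclass
from typing import List, Tuple

MAX_RESTART_DELAY = 20160   # minutes (two weeks), the setting's maximum
DEFAULT_RESTART_DELAY = 90  # minutes, the setting's default


@dataclass(frozen=True)
class RestartSettings:
    """The three timing values from the Computer Restart client settings group."""
    restart_after: int    # time after the deadline before the device gets restarted
    countdown: int        # length of the final countdown notification the user can't close
    reminder_every: int   # frequency of reminder notifications after the deadline
    dialog_instead_of_toast: bool = False


def validate(s: RestartSettings) -> None:
    """Reject values outside what is documented. Assumption: the final countdown
    must fit inside the restart delay, otherwise there is no reminder window."""
    if not 1 <= s.restart_after <= MAX_RESTART_DELAY:
        raise ValueError(f"restart delay must be 1..{MAX_RESTART_DELAY} minutes")
    if s.countdown < 1 or s.reminder_every < 1:
        raise ValueError("countdown and reminder frequency must be positive")
    if s.countdown > s.restart_after:
        raise ValueError("final countdown cannot be longer than the restart delay")


def reminder_window_minutes(s: RestartSettings) -> int:
    """Minutes between the deadline and the start of the final countdown; reminders
    can only be shown inside this window."""
    validate(s)
    return s.restart_after - s.countdown


def reminder_offsets(s: RestartSettings) -> List[int]:
    """Minutes after the deadline at which each reminder appears. Reminders repeat
    every reminder_every minutes and stop once the final countdown begins."""
    window = reminder_window_minutes(s)
    return list(range(s.reminder_every, window, s.reminder_every))


def timeline(s: RestartSettings) -> List[Tuple[int, str]]:
    """Ordered (minutes after deadline, event) list for the whole restart sequence."""
    kind = "dialog reminder" if s.dialog_instead_of_toast else "toast reminder"
    events = [(t, kind) for t in reminder_offsets(s)]
    events.append((reminder_window_minutes(s), "final countdown begins (no snooze)"))
    events.append((s.restart_after, "device restarts"))
    return events


def restarts_on_wake(s: RestartSettings, slept_at: int, woke_at: int) -> bool:
    """Sleep doesn't pause the countdown: the device restarts on wake if the restart
    time has already passed. Both times are minutes after the deadline."""
    validate(s)
    if not 0 <= slept_at <= woke_at:
        raise ValueError("sleep interval must be ordered and after the deadline")
    return woke_at >= s.restart_after


# The three example configurations from this section.
EXAMPLE_1 = RestartSettings(180, 60, 240, dialog_instead_of_toast=False)
EXAMPLE_2 = RestartSettings(7200, 120, 900, dialog_instead_of_toast=True)
EXAMPLE_3 = RestartSettings(2880, 60, 30, dialog_instead_of_toast=True)

if __name__ == "__main__":
    for s in (EXAMPLE_1, EXAMPLE_2, EXAMPLE_3):
        print(len(reminder_offsets(s)), "reminders;", timeline(s)[-2:])
```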
Log files
To troubleshoot device restarts, use the RebootCoordinator.log and SCNotify.log files
on the client. Based on the specific type of deployment, you may also have to use
additional client log files.
Next steps
How to configure client settings
Application deployment User Experience settings
User notifications for required app deployments
How to configure Wake on LAN in Configuration Manager
Article • 10/04/2022
Specify Wake on LAN (WoL) settings for Configuration Manager when you want to bring
computers out of a sleep state.
2. Select the client settings you want to edit, or create new custom client settings to
deploy. For more information, see How to configure client settings.
3. Under the Power Management client settings, select Enable for the Allow network
wake-up setting. For more information about this setting, see About client
settings.
4. Starting in Configuration Manager 1902, the new version of Wake on LAN honors
the custom UDP port you specify for the Wake On LAN port number (UDP) client
setting. This setting is shared by both the new and older version of Wake on LAN.
Starting in Configuration Manager version 2010, you can allow the site to wake devices
at the deadline of a deployment, using the client notification channel. Instead of the site
server issuing the magic packet directly, the site uses the client notification channel to
find an online machine in the last known subnet of the target device(s) and instructs the
online client to issue the WoL packet for the target device.
Offline
Updated to latest Configuration Manager client version
Targeted with a Required deployment with a Deadline and the Send wake-up
packages option enabled.
Prerequisites for the computer sending the WoL magic packet to the target computer:
Online
Updated to latest client version
On the same subnet as the target computer
2. Verify Allow network wake-up under the Power Management client settings is
enabled.
3. Create a deployment as Required with the Send wake-up packages option and a
Deadline. Clients are sent a notification when a deadline is received on
deployments such as task sequences, software distribution, or software updates
installation.
Starting in Configuration Manager version 1902, you can specify the Wake on LAN
port. This setting is shared by both the new and older version of Wake on LAN.
Starting in Configuration Manager version 2010, you can use the client notification
channel to wake clients when a deadline is received on deployments such as task
sequences, software distribution, or software updates installation. For more
information, see Use the client notification channel to wake a client when a
deployment deadline occurs.
What to expect when both versions of Wake on
LAN are enabled
When you have both versions of Wake on LAN enabled, you can use the Wake Up client
notification and wake up on deadline. The client notification functions a little differently
than traditional Wake on LAN. For a brief explanation of how the client notification
works, see the Wake on LAN starting in version 1810 section. The new client setting
Allow network wake-up will change the NIC properties to allow Wake on LAN. You no
longer need to manually change it for new machines that are added to your
environment. All other functionality of Wake on LAN hasn't been changed.
Starting in version 1902, the Wake Up client notification honors your existing Wake
On LAN port number (UDP) setting.
Starting in Configuration Manager version 2010, you can use the client notification
channel to wake clients when a deadline is received on deployments such as task
sequences, software distribution, or software updates installation. For more
information, see Use the client notification channel to wake a client when a
deployment deadline occurs.
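As an added example (not Configuration Manager code), the following Python parses a Wake on LAN magic packet and evaluates an observed datagram against the prerequisites above: the target MAC, the configured UDP port, and the requirement that the sending client be on the target's last known subnet. The port, addresses and MAC are constructed; the packet layout (six 0xFF bytes, then the MAC repeated 16 times, then an optional SecureOn password) is the standard WoL format.

```python
import ipaddress
from typing import Dict, Optional, Tuple

SYNC_STREAM = b"\xff" * 6
DEFAULT_WOL_PORT = 9  # constructed default; the site honors the configured UDP port


def parse_magic_packet(payload: bytes) -> Optional[Tuple[str, bytes]]:
    """Return (target MAC, SecureOn password) if payload is a well-formed magic
    packet, else None. Layout: six 0xFF bytes, the target MAC repeated 16 times,
    then an optional 0-, 4- or 6-byte password."""
    if len(payload) < 102 or payload[:6] != SYNC_STREAM:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    password = payload[102:]
    if len(password) not in (0, 4, 6):
        return None
    return mac.hex(":"), password


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Build the packet a waking client sends; used here only to make sample data."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6 or len(password) not in (0, 4, 6):
        raise ValueError("MAC must be 6 bytes; password 0, 4 or 6 bytes")
    return SYNC_STREAM + raw * 16 + password


def same_subnet(sender_ip: str, subnet: str) -> bool:
    """The client chosen to send the packet must be on the target's last known subnet."""
    return ipaddress.ip_address(sender_ip) in ipaddress.ip_network(subnet, strict=False)


def check_wake_request(payload: bytes, sender_ip: str, dst_port: int,
                       target_mac: str, target_subnet: str,
                       wol_port: int = DEFAULT_WOL_PORT) -> Dict[str, bool]:
    """Evaluate one observed UDP datagram against the prerequisites described above."""
    parsed = parse_magic_packet(payload)
    return {
        "is_magic_packet": parsed is not None,
        "mac_matches_target": parsed is not None and parsed[0] == target_mac.lower(),
        "uses_configured_port": dst_port == wol_port,
        "sender_on_target_subnet": same_subnet(sender_ip, target_subnet),
    }


# Constructed sample: a target device and a packet sent by a peer on its subnet.
TARGET_MAC = "00:15:5d:01:02:03"
SAMPLE_PAYLOAD = build_magic_packet(TARGET_MAC)

if __name__ == "__main__":
    print(check_wake_request(SAMPLE_PAYLOAD, "10.1.2.5", 9, TARGET_MAC, "10.1.2.0/24"))
```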
You can supplement Wake on LAN by using the wake-up proxy client settings. However,
to use wake-up proxy, you must first enable Wake on LAN for the site and specify Use
wake-up packets only and the Unicast option for the Wake on LAN transmission
method. This wake-up solution also supports ad-hoc connections, such as a remote
desktop connection.
Use the first procedure to configure a primary site for Wake on LAN. Then, use the
second procedure to configure the wake-up proxy client settings. This second procedure
configures the default client settings for the wake-up proxy settings to apply to all
computers in the hierarchy. If you want these settings to apply to only selected
computers, create a custom device setting and assign it to a collection that contains the
computers that you want to configure for wake-up proxy. For more information about
how to create custom client settings, see How to configure client settings.
A computer that receives the wake-up proxy client settings will likely pause its network
connection for 1-3 seconds. This pause occurs because the client must reset the network
interface card to enable the wake-up proxy driver on it.
Warning
You can use the following Wake On LAN reports to monitor the installation and
configuration of wake-up proxy:
This article provides details on how to deploy the Configuration Manager client to
Windows computers. For more information on planning and preparing for client
deployment, see these articles:
When you configure client push installation for a site, client installation
automatically runs on computers that the site discovers. This method is scoped to
the site's configured boundaries when those boundaries are configured as a
boundary group.
Start client push installation by running the Client Push Installation Wizard for a
specific collection or resource within a collection.
Use the Client Push Installation Wizard to install the Configuration Manager client
on the resources returned by a query. The installation succeeds only if one of
the items returned by the query is the ResourceID attribute of the System
Resource class.
If the site server can't contact the client computer or start the setup process, it
automatically retries the installation every hour. The server continues to retry for up to
seven days.
To help track the client installation process, install a fallback status point before you
install the clients. When you install a fallback status point, it's automatically assigned to
clients when they're installed by the client push installation method. To track client
installation progress, view the client deployment and assignment reports.
Client log files provide more detailed information for troubleshooting. The log files
don't require a fallback status point. For example, the CCM.log file on the site server
records any problems that occur when the site server connects to the computer. The
CCMSetup.log file on the client records the installation process.
Important
Client push only succeeds if all prerequisites are met. For more information, see
Installation method dependencies.
2. Select the site for which you want to configure automatic site-wide client push
installation.
3. On the Home tab of the ribbon, in the Settings group, select Client Installation
Settings, and then select Client Push Installation.
4. On the General tab of the Client Push Installation Properties window, select Enable
automatic site-wide client push installation.
5. Starting in version 1806, when you update the site, a Kerberos check for client push
is enabled. The option to Allow connection fallback to NTLM is enabled by
default, which is consistent with previous behavior. If the site can't authenticate the
client by using Kerberos, it retries the connection by using NTLM. The
recommended configuration for improved security is to disable this setting, which
requires Kerberos without NTLM fallback.
Note
When it uses client push to install the Configuration Manager client, the site
server creates a remote connection to the client. Starting in version 1806, the
site can require Kerberos mutual authentication by not allowing fallback to
NTLM before establishing the connection. This enhancement helps to secure
the communication between the server and the client.
6. Select the system types to which Configuration Manager should push the client
software. Select whether you want to install the client on domain controllers.
7. On the Accounts tab, specify one or more accounts for Configuration Manager to
use when it connects to the target computer. Select the Create icon, enter the User
name and Password (no more than 38 characters), confirm the password, and then
select OK. Specify at least one client push installation account. This account must
have local administrator rights on the target computer to install the client. If you
don't specify a client push installation account, Configuration Manager tries to use
the site system computer account. Cross-domain client push fails when using the
site system computer account.
Note
To use client push from a secondary site, specify the account at the secondary
site that initiates the client push.
For more information about the client push installation account, see the next
procedure, Use the Client Push Installation Wizard.
If you've extended the Active Directory schema for Configuration Manager, the site
publishes the specified client installation properties to Active Directory Domain
Services. When CCMSetup runs without installation properties, it reads these
properties from Active Directory.
2. Select the site for which you want to configure automatic site-wide client push
installation.
3. On the Home tab of the ribbon, in the Settings group, select Client Installation
Settings, and then select Client Push Installation.
If you've extended the Active Directory schema for Configuration Manager, the site
publishes the specified client installation properties to Active Directory Domain
Services. When CCMSetup runs without installation properties, it reads these
properties from Active Directory.
To push the client to one or more devices, in the Device group, select Install
Client.
8. On the Before You Begin page of the Install Configuration Manager Client Wizard,
review the information, and then select Next.
10. Review the installation settings, and then complete the wizard.
Note
Use this wizard to install clients even if the site isn't configured for client push.
Important
For software update-based installation, use the same Windows Server Update
Services (WSUS) server for client installation and software updates. This server must
be the active software update point in a primary site. For more information, see
Install a software update point.
If the Configuration Manager client isn't installed on a computer, configure and assign a
Group Policy Object. The Group Policy specifies the server name of the software update
point.
If you haven't extended the Active Directory schema, use Group Policy to provision client
installation settings. These settings are automatically applied to any software update-
based client installation. For more information, see the section on How to provision
client installation properties and the article on How to assign clients to a site.
3. Open the properties of the setting Specify intranet Microsoft update service
location, and then select Enabled.
4. Set the intranet update service for detecting updates: Specify the name and port
of the software update point server.
Tip
To determine the port number, see How to determine the port settings used
by WSUS.
5. Set the intranet statistics server: This setting is typically configured with the same
server name.
6. Assign the Group Policy Object to the computers on which you want to install the
client and receive software updates.
2. Select the site for which you want to configure software update-based client
installation.
3. On the Home tab of the ribbon, in the Settings group, select Client Installation
Settings, and then select Software Update-Based Client Installation.
Note
If you haven't already published the client software to the software update
point, this dialog box is blank.
The software update for the Configuration Manager client isn't automatically updated
when there's a new version. When you update the site, repeat this procedure to update
the client.
Use the Windows Installer package CCMSetup.msi for Group Policy-based installations.
This file is found in the <ConfigMgr installation directory>\bin\i386 folder on the site
server. You can't add properties to this file to change installation behavior.
Important
You must have administrator permissions to access the client installation files.
If you've extended the Active Directory schema for Configuration Manager, and
you selected the domain on the Publishing tab of the Site Properties dialog box,
client computers automatically search Active Directory Domain Services for
installation properties. For more information, see About client installation
properties published to Active Directory Domain Services.
If you haven't extended the Active Directory schema, see the section on
provisioning client installation properties for information about storing installation
properties in the Windows registry of computers. The client uses these installation
properties when it installs.
For more information, see How to use Group Policy to remotely install software .
Manual installation
Manually install the client software on computers by using CCMSetup.exe. You can find
this program and its supporting files in the Client folder in the Configuration Manager
installation folder on the site server. The site shares this folder to the network as:
<site server name> is the primary site server name. <site code> is the primary site
code to which the client is assigned. To run CCMSetup.exe from the command line on
the client, connect to this network location, and then run the command.
Important
You must have administrator permissions to access the client installation files.
CCMSetup.exe copies all necessary prerequisites to the client computer and calls the
Windows Installer package (Client.msi) to install the client. You can't run Client.msi
directly.
To modify the behavior of the client installation, specify command-line options for both
CCMSetup.exe and Client.msi. Make sure that you specify CCMSetup parameters that
begin with / before you specify Client.msi properties. For example:
Option Description
/mp:SMSMP01: This CCMSetup parameter specifies the management point SMSMP01 for downloading the required client installation files.
/logon: This CCMSetup parameter specifies that the installation should stop if an existing Configuration Manager client is found on the computer.
SMSSITECODE=AUTO: This Client.msi property specifies that the client tries to locate the Configuration Manager site code to use, by using Active Directory Domain Services, for example.
FSP=SMSFP01: This Client.msi property specifies that the fallback status point named SMSFP01 is used to receive state messages sent from the client computer.
For more information, see About client installation parameters and properties.
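The following PowerShell function is an added example, not code from the Configuration Manager documentation or product. It assembles a CCMSetup.exe command line that follows the ordering rule described above (CCMSetup parameters that begin with / come before Client.msi properties), joins a list of /mp values with semicolons as the /mp parameter reference later on this page requires, and rejects property names that are not upper case. The function name and its parameter names are this example's own; the option values in the calls are the ones from the table above.

```powershell
# Added example (not from the Configuration Manager docs): assemble a CCMSetup.exe
# command line that follows the documented ordering rule, CCMSetup parameters
# (prefixed with /) before Client.msi properties (NAME=value). The function name and
# its parameter names are this example's own invention.

function New-CcmSetupCommandLine {
    param(
        # CCMSetup parameters: name -> value, an array of values, or $true for a
        # value-less switch such as /logon
        [hashtable]$Parameters = @{},
        # Client.msi properties: NAME -> value (upper case by convention)
        [hashtable]$Properties = @{}
    )

    $parts = @('CCMSetup.exe')

    # Parameters first, each with the leading slash; a list of values (for example
    # several management points for /mp) is joined with semicolons as the docs require
    foreach ($name in ($Parameters.Keys | Sort-Object)) {
        $value = $Parameters[$name]
        if ($value -is [bool]) {
            if ($value) { $parts += "/$name" }
        } else {
            if ($value -is [array]) { $value = $value -join ';' }
            $parts += "/$($name):$value"
        }
    }

    # Then properties; reject names that are not upper case so a mistyped property
    # (SmsSiteCode instead of SMSSITECODE) is caught before the command reaches a client
    foreach ($name in ($Properties.Keys | Sort-Object)) {
        if ($name -cne $name.ToUpperInvariant()) {
            throw "Client.msi property '$name' must be upper case."
        }
        $parts += "$name=$($Properties[$name])"
    }

    return ($parts -join ' ')
}

# Reproduces the four options from the table above
New-CcmSetupCommandLine `
    -Parameters @{ mp = 'SMSMP01'; logon = $true } `
    -Properties @{ SMSSITECODE = 'AUTO'; FSP = 'SMSFP01' }

# Two management points for /mp (tried in the order given) plus /UsePKICert
New-CcmSetupCommandLine `
    -Parameters @{ mp = @('mp1.contoso.com', 'mp2.contoso.com'); UsePKICert = $true } `
    -Properties @{ SMSSITECODE = 'ABC' }
```

The function only emits a string; run the result from the client share with administrator permissions, as the manual installation section describes. The upper-case check exists because Client.msi properties are matched by name, so a mistyped property is silently ignored rather than rejected by CCMSetup.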
Tip
Assume that you've configured all site system servers with an intranet FQDN and
published the site information to Active Directory.
Manual example 1
CCMSetup.exe
This command installs the client with no additional parameters or properties. The client
is automatically configured with the client installation properties published to Active
Directory Domain Services, including these settings:
Site code: This setting requires the client's network location to be included in a
boundary group that you've configured for client assignment.
Management point.
Fallback status point.
Communicate using HTTPS only.
For more information, see About client installation properties published to Active
Directory Domain Services.
Manual example 2
This command overrides the automatic configuration that Active Directory Domain
Services provides. It doesn't require that you include the client's network location in a
boundary group that's configured for client assignment. Instead, the installation
specifies these settings:
Site code
Intranet management point
Internet-based management point
Fallback status point that accepts connections from the internet
Use a client public key infrastructure (PKI) certificate (if available) that has the
longest validity period
Logon script installation uses the same methods as manual client installation. Specify
the /logon installation parameter for CCMSetup.exe. If any version of the client already
exists on the computer, this parameter prevents the client from installing. This behavior
prevents reinstallation of the client each time the logon script runs.
If you don't specify an installation source by using the /Source parameter and no
management point from which to obtain installation is specified by the /MP parameter,
CCMSetup.exe locates the management point by searching Active Directory Domain
Services. This behavior occurs only if you've extended the schema for Configuration
Manager and published the site to Active Directory Domain Services. Alternatively, the
client can use DNS to locate a management point.
Note
You can't upgrade Configuration Manager 2007 clients by using this method.
Instead, use automatic client upgrade, which automatically creates and deploys a
package that contains the latest version of the client. For more information, see
Upgrade clients.
For more information about how to migrate from older versions of the
Configuration Manager client, see Planning a client migration strategy.
2. On the Home tab of the ribbon, in the Create group, select Create Package from
Definition.
3. On the Package Definition page of the wizard, select Microsoft from the Publisher
list, and select Configuration Manager Client Upgrade from the Package
definition list.
4. On the Source Files page, select Always obtain files from a source folder.
5. On the Source Folder page, select Network path (UNC Name). Then enter the
network path of the server and share that contains the client installation files.
6. Distribute the package to all distribution points that you want to host the client
upgrade package. Then deploy the package to device collections that contain
clients that you want to upgrade.
For the procedure to install the Configuration Manager client on a Windows device by
using Azure AD identity, see Install and assign Configuration Manager clients using
Azure AD for authentication.
After you install the Configuration Manager client, devices don't unenroll from Intune.
They can use the Configuration Manager client and MDM enrollment at the same time.
For more information, see Co-management overview.
Note
You can use other client installation methods to install the Configuration Manager
client on an Intune-managed device. For example, if an Intune-managed device is
on the intranet, and joined to the Active Directory domain, you can use group
policy to install the Configuration Manager client.
OS image installation
Preinstall the Configuration Manager client on a reference computer that you use to
create an OS image.
Important
When you use the Configuration Manager task sequence to deploy an OS image,
the Prepare ConfigMgr Client step completely removes the Configuration Manager
client.
Important
Don't specify a Configuration Manager site code for the client in the
CCMSetup.exe command-line properties.
2. At a command prompt, type net stop ccmexec to stop the SMS Agent Host service
(CcmExec.exe) on the reference computer.
3. Delete the SMSCFG.INI file from the Windows folder on the reference computer.
4. Remove the certificates from the local computer's SMS certificate store.
5. Remove any other valid client authentication certificates that are stored in the local
computer store on the reference computer. For example, if you use PKI certificates,
before you image the computer, remove the certificates in the Personal store for
Computer and User.
6. If the clients are installed in a different Configuration Manager hierarchy than the
hierarchy of the reference computer, remove the trusted root key from the
reference computer.
Note
If you deploy the clients in different hierarchies, remove the trusted root key.
Also provision these clients with the new trusted root key. For more
information, see Planning for the trusted root key.
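The following script is an added example, not code from the Configuration Manager documentation or product. It carries out steps 2 through 4 of the reference-computer preparation above and reports the certificates step 5 asks you to review, so that an image does not ship with the client's identity (SMSCFG.INI and the SMS store certificates) baked in. It assumes it runs elevated on the reference computer after the client has been installed, and that the client uses the standard locations named in the steps; step 6 (the trusted root key) is intentionally left to the procedure in Planning for the trusted root key.

```powershell
# Added example (not from the Configuration Manager docs): prepare a reference computer
# for imaging after the client is installed. Run elevated on the reference computer.
# Assumes the standard client locations named in the steps above.

$ErrorActionPreference = 'Stop'

# Step 2: stop the SMS Agent Host service (CcmExec.exe) so no files are in use
$svc = Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    throw 'CcmExec service not found; install the Configuration Manager client first.'
}
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name 'CcmExec' -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
}

# Step 3: delete SMSCFG.INI from the Windows folder; it records this client's unique
# identity, and cloning it produces duplicate client records in the site
$cfg = Join-Path $env:WINDIR 'SMSCFG.INI'
if (Test-Path $cfg) {
    Remove-Item -Path $cfg -Force
    Write-Host "Removed $cfg"
}

# Step 4: remove the certificates in the local computer's SMS certificate store
# (the self-signed certificates the client uses to identify itself to the site)
$smsStore = 'Cert:\LocalMachine\SMS'
if (Test-Path $smsStore) {
    $certs = @(Get-ChildItem -Path $smsStore)
    $certs | Remove-Item -Force
    Write-Host "Removed $($certs.Count) certificate(s) from $smsStore"
}

# Step 5: list client authentication certificates left in the Personal store so the
# operator can remove the PKI-issued ones before imaging. Removal is not automated here
# because these certificates come from your CA, not from Configuration Manager.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid } |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize
```

Run the script immediately before capturing the image; if CcmExec is restarted afterwards, the client regenerates SMSCFG.INI and its SMS store certificates and the steps have to be repeated.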
Workgroup computers
Configuration Manager supports client installation for computers in workgroups. Install
the client on workgroup computers by using the method specified in How to install
Configuration Manager clients manually.
Prerequisites
Manually install the client on each workgroup computer. During installation, the
interactive user must have local administrator rights.
Global roaming isn't supported. Workgroup clients can't query Active Directory
Domain Services for site information.
You can't use the client push installation method to install the client on workgroup
computers.
Workgroup clients can't use Kerberos for authentication, and they might require
manual approval.
Workgroup example 1
Workgroup example 2
CCMSetup.exe FSP=fspserver.contoso.com
Internet-based client management
Note
This section doesn't apply to clients that use a cloud management gateway. To
install internet-based clients by using a cloud management gateway, see Install
and assign Configuration Manager clients using Azure AD for authentication.
When the Configuration Manager site supports internet-based client management for
clients that are sometimes on an intranet and sometimes on the internet, you have two
options when you install clients on the intranet:
push, for example. When you use this method, directly assign the client to the site.
You can't use automatic site assignment. See the How to install Configuration
Manager clients manually section, which provides an example of this configuration
method.
Install the client for intranet client management, and then assign an internet-based
client management point to the client. Change the management point by using the
client properties on the Configuration Manager page in Control Panel, or by using
a script. When you use this method, you can use automatic client assignment. For
more information, see the How to configure clients for internet-based client
management after client installation section.
To install clients that are on the internet, choose one of the following supported
methods:
Provide a mechanism for these clients to temporarily connect to the intranet with a
VPN. Then install the client by using any appropriate client installation method.
the media, include a script to manually copy over the client folder. From this folder,
install the client by using CCMSetup.exe and all the appropriate CCMSetup
command-line properties.
Note
Configuration Manager doesn't support installing a client directly from the
internet-based management point or from the internet-based software update
point.
Clients that are managed over the internet must communicate with internet-based site
systems. Ensure that these clients also have public key infrastructure (PKI) certificates
before you install the client. Install these certificates independently from Configuration
Manager. For more information, see PKI certificate requirements.
Note
If the site has more than one internet-based management point, it doesn't
matter which one you specify for the CCMHOSTNAME property. When a
Configuration Manager client connects to the specified internet-based
management point, it sends the client a list of available internet-based
management points in the site. The client randomly selects one from the list.
2. If you don't want the client to check the certificate revocation list (CRL), specify the
CCMSetup command-line parameter /NoCRLCheck .
Internet-based example
CCMSetup.exe /source:D:\Clients /UsePKICert CCMHOSTNAME=server1.contoso.com
2. On the Network tab, enter the fully qualified domain name (FQDN) of the internet-
based management point as the Internet FQDN.
Note
The Network tab is available only if the client has a client PKI certificate.
3. If the client accesses the internet by using a proxy server, enter the proxy server
settings.
PowerShell
1. Open a PowerShell in-line editor, like PowerShell ISE or Visual Studio Code. You can
also use a text editor, like Notepad.
2. Copy and insert the following lines of code into the editor. Replace
'mp.contoso.com' with the internet FQDN of your internet-based management
point.
PowerShell
# Internet FQDN of the internet-based management point to assign
$newInternetBasedManagementPointFQDN = 'mp.contoso.com'
# Connect to the local client through its COM automation object
$client = New-Object -ComObject Microsoft.SMS.Client
$client.SetInternetManagementPointFQDN($newInternetBasedManagementPointFQDN)
# Restart the SMS Agent Host service so the client picks up the new value
Restart-Service CcmExec
$client.GetInternetManagementPointFQDN()
Note
The last line is there only to verify the new internet management point value.
4. Run the script with elevated rights on client computers. Use one of these methods:
You're using the group policy settings or software update-based client installation
methods. You haven't extended the Active Directory schema for Configuration
Manager.
3. Select Enabled.
4. In the CCMSetup box, enter the required CCMSetup command-line properties. For
a list of all CCMSetup command-line properties and examples of their use, see
About client installation parameters and properties.
5. Assign the GPO to the computers that you want to provision with Configuration
Manager client installation properties.
About client installation parameters and
properties in Configuration Manager
Article • 04/11/2023
Use the CCMSetup.exe command to install the Configuration Manager client. If you
provide client installation parameters on the command line, they modify the installation
behavior. If you provide client installation properties on the command line, they modify
the initial configuration of the installed client agent.
About CCMSetup.exe
The CCMSetup.exe command downloads needed files to install the client from a
management point or a source location. These files might include:
The Windows Installer package client.msi that installs the client software
Client prerequisites
Note
You can also supply properties at the CCMSetup.exe command line to modify the
behavior of client.msi. Properties by convention are upper case. You specify a value for a
property using an equal sign ( = ) immediately followed by the value. For more
information, see Client.msi properties.
At the command prompt, the CCMSetup.exe command uses the following format:
For example:
Specifies that installation should stop if a version of the client already exists on the
computer.
Tip
If you extend the Active Directory schema for Configuration Manager, the site publishes
many client installation properties in Active Directory Domain Services. The
Configuration Manager client automatically reads these properties. For more
information, see About client installation properties published to Active Directory
Domain Services
/?
Example: ccmsetup.exe /?
/AllowMetered
Use this parameter to control the client's behavior on a metered network. This
parameter takes no values. When you allow client communication on a metered network
for ccmsetup, it downloads the content, registers with the site, and downloads the initial
policy. Any further client communication follows the configuration of the client setting
from that policy. For more information, see About client settings.
If you reinstall the client on an existing device, it uses the following priority to determine
its configuration:
/AlwaysExcludeUpgrade
This parameter specifies whether or not a client will auto upgrade when you enable
Automatic client upgrade.
Supported values:
For example:
CCMSetup.exe /AlwaysExcludeUpgrade:TRUE
Note
When using the /AlwaysExcludeUpgrade parameter, the auto upgrade still runs.
However when CCMSetup runs to perform the upgrade, it will note that
/AlwaysExcludeUpgrade parameter has been set and will log the following line in the
ccmsetup.log:
CCMSetup will then immediately exit and not perform the upgrade.
/BITSPriority
When the device downloads client installation files over an HTTP connection, use this
parameter to specify the download priority. Specify one of the following possible values:
FOREGROUND
HIGH
NORMAL (default)
LOW
/config
This parameter specifies a text file that lists client installation properties.
If CCMSetup runs as a service, place this file in the CCMSetup system folder:
%Windir%\Ccmsetup.
If you specify the /noservice parameter, place this file in the same folder as
CCMSetup.exe.
To provide the correct file format, use the mobileclienttemplate.tcf file in the \bin\
<platform> folder in the Configuration Manager installation directory on the site server.
This file has comments about the sections and how to use them. Specify the client
installation properties in the [Client Install] section, after the following text:
Install=INSTALL=ALL.
/downloadtimeout
If CCMSetup fails to download the client installation files, this parameter specifies the
maximum timeout in minutes. After this timeout, CCMSetup stops trying to download
the installation files. The default value is 1440 minutes (one day).
Use the /retry parameter to specify the interval between retry attempts.
This parameter specifies that CCMSetup.exe doesn't install the specified feature.
/forceinstall
Specify that CCMSetup.exe uninstalls any existing client, and installs a new client.
/forcereboot
Use this parameter to force the computer to restart if necessary to complete the
installation. If you don't specify this parameter, CCMSetup exits when a restart is
necessary. It then continues after the next manual restart.
/logon
If any version of the client is already installed, this parameter specifies that the client
installation should stop.
/mp
Specifies a management point for clients to use to find the nearest distribution point for
the client installation files. If there are no distribution points, or computers can't
download the files from the distribution points after four hours, they download the files
from the specified management point.
For more information on how ccmsetup downloads content, see Boundary groups -
client installation. That article also includes details of ccmsetup behavior if you use both
/mp and /source parameters.
Important
Computers download the files over an HTTP or HTTPS connection, depending on the
site system role configuration for client connections. The download can also use BITS
throttling if you configure it. If you configure all distribution points and management
points for HTTPS client connections only, verify that the client computer has a valid
client certificate.
You can use the /mp command-line parameter to specify more than one management
point. If the computer fails to connect to the first one, it tries the next in the specified
list. When you specify multiple management points, separate the values by semicolons.
If the client connects to a management point using HTTPS, specify the FQDN not the
computer name. The value must match the management point PKI certificate's Subject
or Subject Alternative Name. Although Configuration Manager supports using a
computer name in the certificate for connections on the intranet, using an FQDN is
recommended.
This parameter can also specify the URL of a cloud management gateway (CMG). Use
this URL to install the client on an internet-based device. To get the value for this
parameter, use the following steps:
Important
When specifying the URL of a cloud management gateway for the /mp parameter,
it must start with https://.
Note
The /mp command-line parameter doesn't specify the management point used by
the Configuration Manager client once it is installed. To specify the initial
management point used by the Configuration Manager client once it is installed,
use the SMSMP client.msi property. To specify a list of management points for the
Configuration Manager client to use once it is installed, use the SMSMPLIST
client.msi property.
/NoCRLCheck
Specifies that a client shouldn't check the certificate revocation list (CRL) when it
communicates over HTTPS with a PKI certificate. When you don't specify this parameter,
the client checks the CRL before it establishes an HTTPS connection. For more
information about client CRL checking, see Planning for PKI certificate revocation.
/noservice
This parameter prevents CCMSetup from running as a service, which it does by default.
When CCMSetup runs as a service, it runs in the context of the Local System account of
the computer. This account might not have sufficient rights to access required network
resources for the installation. With /noservice , CCMSetup.exe runs in the context of the
user account that you use to start the installation.
/regtoken
Use this parameter to provide a bulk registration token. An internet-based device uses
this token in the registration process through a cloud management gateway (CMG). For
more information, see Token-based authentication for CMG.
When you use this parameter, also include the following parameters and properties:
/mp
CCMHOSTNAME
SMSSITECODE
SMSMP
The following example command line includes the other required setup parameters and
properties:
ccmsetup.exe /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSITECODE=ABC SMSMP=https://mp1.contoso.com /regtoken:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik9Tbzh2Tmd5VldRUjlDYVh5T2lacHFlMDlXNCJ9.eyJTQ0NNVG9rZW5DYXRlZ29yeSI6IlN7Q01QcmVBdXRoVG9rZW4iLCJBdXRob3JpdHkiOiJTQ0NNIiwiTGljZW5zZSI6IlNDQ00iLCJUeXBlIjoiQnVsa1JlZ2lzdHJhdGlvbiIsIlRlbmFudElkIjoiQ0RDQzVFOTEtMEFERi00QTI0LTgyRDAtMTk2NjY3RjFDMDgxIiwiVW5pcXVlSWQiOiJkYjU5MWUzMy1wNmZkLTRjNWItODJmMy1iZjY3M2U1YmQwYTIiLCJpc3MiOiJ1cm46c2NjbTpvYXV0aDI6Y2RjYzVlOTEtMGFkZi00YTI0LTgyZDAtMTk2NjY3ZjFjMDgxIiwiYXVkIjoidXJuOnNjY206c2VydmljZSIsImV4cCI6MTU4MDQxNbUwNSwibmJmIjoxNTgwMTU2MzA1fQ.ZUJkxCX6lxHUZhMH_WhYXFm_tbXenEdpgnbIqI1h8hYIJw7xDk3wv625SCfNfsqxhAwRwJByfkXdVGgIpAcFshzArXUVPPvmiUGaxlbB83etUTQjrLIk-gvQQZiE5NSgJ63LCp5KtqFCZe8vlZxnOloErFIrebjFikxqAgwOO4i5ukJdl3KQ07YPRhwpuXmwxRf1vsiawXBvTMhy40SOeZ3mAyCRypQpQNa7NM3adCBwUtYKwHqiX3r1jQU0y57LvU_brBfLUL6JUpk3ri-LSpwPFarRXzZPJUu4-mQFIgrMmKCYbFk3AaEvvrJienfWSvFYLpIYA7lg-6EVYRcCAA
Tip
If CCMSetup returns error 0x87d0027e, try removing the /mp parameter from the
command line.
/retry
If CCMSetup.exe fails to download installation files, use this parameter to specify the
retry interval in minutes. CCMSetup continues to retry until it reaches the limit specified
in the /downloadtimeout parameter.
Example: ccmsetup.exe /retry:20
/service
Specifies that CCMSetup should run as a service that uses the Local System account.
/skipprereq
This parameter specifies that CCMSetup.exe doesn't install the specified prerequisite.
You can enter more than one value. Use the semicolon character ( ; ) to separate each
value.
Examples:
CCMSetup.exe /skipprereq:filename.exe
CCMSetup.exe /skipprereq:filename1.exe;filename2.exe
/source
Specifies the file download location. Use a local or UNC path. The device downloads files
using the server message block (SMB) protocol. To use /source , the Windows user
account for client installation needs Read permissions to the location.
For more information on how ccmsetup downloads content, see Boundary groups -
client installation. That article also includes details of ccmsetup behavior if you use both
/mp and /source parameters.
Tip
You can use the /source parameter more than once in a command line to specify
alternative download locations.
/uninstall
Use this parameter to uninstall the Configuration Manager client. For more information,
see Uninstall the client.
Note
Starting in version 2111, when you uninstall the client it also removes the client
bootstrap, ccmsetup.msi, if it exists.
/UsePKICert
Specify this parameter for the client to use a PKI client authentication certificate. If you
don't include this parameter, or if the client can't find a valid certificate, it filters out all
HTTPS management points, including cloud management gateways (CMG). The client
uses an HTTP connection with a self-signed certificate.
If a device uses Azure Active Directory (Azure AD) for client authentication and also has
a PKI-based client authentication certificate, and you include this parameter, the client
won't be able to get Azure AD onboarding information from a cloud management
gateway (CMG). For a client that uses Azure AD authentication, don't specify this
parameter, but include the AADRESOURCEURI and AADCLIENTAPPID properties.
Note
In some scenarios, you don't have to specify this parameter, but still use a client
certificate. For example, client push and software update-based client installation.
Use this parameter when you manually install a client and use the /mp parameter
with an HTTPS-enabled management point.
Also specify this parameter when you install a client for internet-only
communication. Use CCMALWAYSINF=1 together with the properties for the internet-
based management point ( CCMHOSTNAME ) and the site code ( SMSSITECODE ). For more
information about internet-based client management, see Considerations for client
communications from the internet or an untrusted forest.
/IgnoreSkipUpgrade
Specify this parameter to manually upgrade an excluded client. For more information,
see How to exclude clients from upgrade.
0 Success
6 Error
7 Reboot required
Ccmsetup.msi properties
The following properties can modify the installation behavior of ccmsetup.msi.
CCMSETUPCMD
Client.msi properties
The following properties can modify the installation behavior of client.msi, which
ccmsetup.exe installs.
AADCLIENTAPPID
Specifies the Azure Active Directory (Azure AD) client app identifier. You create or import
the client app when you configure Azure services for Cloud Management. An Azure
administrator can get the value for this property from the Azure portal. For more
information, see get application ID. For the AADCLIENTAPPID property, this application ID
is for the Native application type.
AADRESOURCEURI
Specifies the Azure AD server app identifier. You create or import the server app when
you configure Azure services for Cloud Management. When you create the server app,
in the Create Server Application window, this property is the App ID URI.
An Azure administrator can get the value for this property from the Azure portal. In
Azure Active Directory, find the server app under App registrations. Look for
application type Web app / API. Open the app, select Settings, and then select
Properties. Use the App ID URI value for this AADRESOURCEURI client installation property.
AADTENANTID
Specifies the Azure AD tenant identifier. Configuration Manager links to this tenant
when you configure Azure services for Cloud Management. To get the value for this
property, use the following steps:
On a device that runs Windows 10 or later and is joined to the same Azure AD
tenant, open a command prompt.
Run the following command: dsregcmd.exe /status
In the Device State section, find the TenantId value. For example, TenantId :
607b7853-6f6f-4d5d-b3d4-811c33fdd49a
Note
An Azure administrator can also obtain this value in the Azure portal. For
more information, see get tenant ID.
CCMADMINS
Specifies one or more Windows user accounts or groups to be given access to client
settings and policies. This property is useful when you don't have local administrative
credentials on the client computer. Specify a list of accounts that are separated by
semicolons ( ; ).
CCMALLOWSILENTREBOOT
If necessary, allow the computer to silently restart after the client installation.
Important
When you use this property, the computer restarts without warning. This behavior
occurs even if a user is signed in to Windows.
CCMALWAYSINF
To specify that the client is always internet-based and never connects to the intranet, set
this property value to 1 . The client's connection type displays Always Internet.
Use this property with CCMHOSTNAME to specify the FQDN of the internet-based
management point. Also use it with the CCMSetup parameter /UsePKICert and the
SMSSITECODE property.
For more information about internet-based client management, see Considerations for
client communications from the internet or an untrusted forest.
CCMCERTISSUERS
Use this property to specify the certificate issuers list. This list includes certificate
information for the trusted root certification authorities (CA) that the Configuration
Manager site trusts.
This value is a case-sensitive match for subject attributes that are in the root CA
certificate. Separate attributes by a comma ( , ) or a semicolon ( ; ). Specify more than
one root CA certificate by using a separator bar ( | ).
Tip
Use the value of the CertificateIssuers attribute in the mobileclient.tcf file for the
site. This file is in the \bin\<platform> subfolder of the Configuration Manager
installation directory on the site server.
For more information about the certificate issuers list and how clients use it during the
certificate selection process, see Planning for PKI client certificate selection.
CCMCERTNAMECHECK
Starting in version 2207, this property can be used to skip checking the subject name for
the certificate. CCMCERTNAMECHECK=0 skips checking the subject name of the certificate.
CCMCERTSEL
If the client has more than one certificate for HTTPS communication, this property
specifies the criteria for it to select a valid client authentication certificate.
Use the following keywords to search the certificate Subject Name or Subject Alternative
Name:
Subject : Find an exact match
SubjectStr : Find a partial match
Examples:
Use the SubjectAttr keyword to search for the Object Identifier (OID) or distinguished
name attributes in the Subject Name or Subject Alternative Name.
Examples:
Important
If you use the Subject Name, the Subject keyword is case-sensitive, and the
SubjectStr keyword is case-insensitive.
If you use the Subject Alternative Name, both the Subject and the SubjectStr
keywords are case-insensitive.
For the complete list of attributes that you can use for certificate selection, see
Supported attribute values for PKI certificate selection criteria.
If more than one certificate matches the search, and you set CCMFIRSTCERT to 1 , then
the client installer selects the certificate with the longest validity period.
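The following PowerShell function is an added example, not Configuration Manager code. It models the CCMCERTSEL selection rules stated above (Subject is an exact, case-sensitive match on the Subject Name; SubjectStr is a case-insensitive partial match) and the CCMFIRSTCERT=1 tie-break (longest validity period) over constructed certificate records, so you can see which certificate a given value would pick before putting it on a command line. The function name, its parameters, and the sample subjects are this example's inventions; it does not model the SubjectAttr keyword or Subject Alternative Name matching, and it does not read the Personal store.

```powershell
# Added example (not Configuration Manager code): simulate the documented CCMCERTSEL
# keywords Subject and SubjectStr, and the CCMFIRSTCERT=1 tie-break, over constructed
# certificate records. Function and parameter names are this example's own.

function Select-ClientAuthCert {
    param(
        # Objects with at least Subject and NotAfter, e.g. X509Certificate2 or the
        # constructed records below
        [Parameter(Mandatory)][object[]]$Certificates,
        # Value of the CCMCERTSEL property, e.g. 'Subject:CN=pc1.contoso.com'
        [Parameter(Mandatory)][string]$CcmCertSel,
        # Present when CCMFIRSTCERT=1 is also set
        [switch]$CcmFirstCert
    )

    $keyword, $pattern = $CcmCertSel -split ':', 2
    $matched = switch ($keyword) {
        # Subject: exact, case-sensitive match of the whole Subject Name
        'Subject'    { $Certificates | Where-Object { $_.Subject -ceq $pattern } }
        # SubjectStr: case-insensitive substring match
        'SubjectStr' { $Certificates | Where-Object { $_.Subject -ilike "*$pattern*" } }
        default      { throw "Unsupported CCMCERTSEL keyword '$keyword'" }
    }
    $matched = @($matched)

    if ($matched.Count -eq 0) { return $null }
    if ($CcmFirstCert) {
        # CCMFIRSTCERT=1: the certificate with the longest validity period wins
        return $matched | Sort-Object NotAfter -Descending | Select-Object -First 1
    }
    # Without CCMFIRSTCERT the page defines no tie-break, so every match is returned
    # and the caller can see that the criteria are ambiguous
    return $matched
}

# Constructed sample certificates (not real); NotAfter is relative to now
$sample = @(
    [pscustomobject]@{ Subject = 'CN=pc1.contoso.com'; NotAfter = (Get-Date).AddYears(1) },
    [pscustomobject]@{ Subject = 'CN=pc1.contoso.com'; NotAfter = (Get-Date).AddYears(2) },
    [pscustomobject]@{ Subject = 'CN=PC1.CONTOSO.COM'; NotAfter = (Get-Date).AddMonths(6) }
)

# Subject is case-sensitive: the upper-case subject is excluded, two certificates
# remain, and CCMFIRSTCERT picks the one valid for two years
Select-ClientAuthCert -Certificates $sample -CcmCertSel 'Subject:CN=pc1.contoso.com' -CcmFirstCert

# SubjectStr is case-insensitive: all three match, so without CCMFIRSTCERT the
# function returns all of them, showing the criteria are too broad
Select-ClientAuthCert -Certificates $sample -CcmCertSel 'SubjectStr:contoso'
```

To try the rules against real certificates, pass the output of Get-ChildItem Cert:\LocalMachine\My as -Certificates; the function only reads Subject and NotAfter and changes nothing in the store.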
CCMCERTSTORE
If the client installer can't locate a valid certificate in the default Personal certificate store
for the computer, use this property to specify an alternate certificate store name.
CCMDEBUGLOGGING
This property enables debug logging when the client installs. This property causes the
client to log low-level information for troubleshooting. Avoid using this property in
production sites. Excessive logging can occur, which might make it difficult to find
relevant information in the log files. Also enable CCMENABLELOGGING.
Supported values:
CCMENABLELOGGING
Supported values:
CCMEVALINTERVAL
The frequency in minutes at which the client health evaluation tool (ccmeval.exe) runs.
Specify an integer value from 1 to 1440. By default, ccmeval runs once a day (1440
minutes).
CCMEVALHOUR
The hour during the day when the client health evaluation tool (ccmeval.exe) runs.
Specify an integer value from 0 (midnight) to 23 (11:00 PM). By default, ccmeval runs at
midnight.
CCMFIRSTCERT
If you set this property to 1, the client selects the PKI certificate with the longest validity
period.
CCMHOSTNAME
If the client is managed over the internet, this property specifies the FQDN of the
internet-based management point.
Don't specify this option with the installation property of SMSSITECODE=AUTO. Directly
assign internet-based clients to an internet-based site.
This property can specify the address of a cloud management gateway (CMG). To get
the value for this property, use the following steps:
Important
When you specify the address of a CMG for the CCMHOSTNAME property, don't
append a prefix such as https://. Only use this prefix with the /mp URL of a CMG.
CCMHTTPPORT
Specifies the port for the client to use when it communicates over HTTP to site system
servers. By default, this value is 80.
CCMHTTPSPORT
Specifies the port for the client to use when it communicates over HTTPS to site system
servers. By default, this value is 443.
CCMINSTALLDIR
Use this property to set the folder to install the Configuration Manager client files. By
default, it uses %WinDir%\CCM.
Tip
Regardless of where you install the client files, it always installs the ccmcore.dll file
in the %WinDir%\System32 folder. On a 64-bit OS, it installs a copy of ccmcore.dll in
the %WinDir%\SysWOW64 folder. This file supports 32-bit applications that use the 32-
bit version of the client APIs from the Configuration Manager SDK.
CCMLOGLEVEL
Use this property to specify the level of detail to write to Configuration Manager log
files.
Supported values:
0: Verbose
1: Default
2: Warnings and errors
3: Errors only
CCMLOGMAXHISTORY
When a Configuration Manager log file reaches the maximum size, the client renames it
as a backup and creates a new log file. This property specifies how many previous
versions of the log file to keep. The default value is 1. If you set the value to 0, the
client doesn't keep any log file history.
CCMLOGMAXSIZE
This property specifies the maximum log file size in bytes. When a log grows to the
specified size, the client renames it as a history file, and creates a new one. The default
size is 250,000 bytes, and the minimum size is 10,000 bytes.
DISABLESITEOPT
Set this property to TRUE to block administrators from changing the assigned site in the
Configuration Manager control panel.
DISABLECACHEOPT
If set to TRUE, this property prevents administrative users from changing the client
cache folder settings in the Configuration Manager control panel.
DNSSUFFIX
Specify a DNS domain for clients to locate management points that you publish in DNS.
When the client locates a management point, that management point tells the client
about other management points in the hierarchy. This behavior means that the
management point that the client finds from DNS can be any one in the hierarchy.
Note
You don't have to specify this property if the client is in the same domain as a
published management point. In that case, the client's domain is automatically
used to search DNS for management points.
For more information about DNS publishing as a service location method for
Configuration Manager clients, see Service location and how clients determine their
assigned management point.
FSP
Specify the fallback status point that receives and processes state messages sent by
Configuration Manager clients.
For more information, see Determine if you need a fallback status point.
IGNOREAPPVVERSIONCHECK
If you set this property to TRUE, the client installer doesn't check the minimum required
version of Microsoft Application Virtualization (App-V).
Important
If you install the Configuration Manager client without installing App-V, you can't
deploy virtual applications.
Example: CCMSetup.exe IGNOREAPPVVERSIONCHECK=TRUE
MANAGEDINSTALLER
If you set this property to 1, then ccmsetup.exe and client.msi are set as managed
installers. For more information, see Automatically allow apps deployed by a managed
installer with Windows Defender Application Control.
NOTIFYONLY
When you enable this property, the client reports status, but doesn't remediate
problems that it finds.
PROVISIONTS
Use this property to start a task sequence on a client after it successfully registers with
the site.
Note
If the task sequence installs software updates or applications, clients need a valid
client authentication certificate. Token authentication alone doesn't work.
For example, you provision a new Windows device with Windows Autopilot, auto-enroll
it to Microsoft Intune, and then install the Configuration Manager client for co-
management. If you specify this new option, the newly provisioned client then runs a
task sequence. This process gives you additional flexibility to install applications and
software updates, or configure settings.
2. Deploy this task sequence to the new built-in collection, All Provisioning Devices.
Note the task sequence deployment ID, for example PRI20001.
Note
After the client installs and properly registers with the site, it starts the referenced task
sequence. If client registration fails, the task sequence won't start.
Note
The task sequence launched by PROVISIONTS uses the Default Client Settings. This
task sequence starts immediately after the client registers, so it won't be part of any
collection to which you've deployed custom client settings. The client doesn't
process or apply custom client settings before this task sequence runs.
For the task sequence to work properly, you may need to change certain settings in
the Default Client Settings. For example:
If devices don't need these client settings after the task sequence completes,
deploy new custom client settings to reverse the default settings.
RESETKEYINFORMATION
If a client has the wrong Configuration Manager trusted root key, it can't contact a
trusted management point to receive the new trusted root key. Use this property to
remove the old trusted root key. This situation may occur when you move a client from
one site hierarchy to another. This property applies to clients that use HTTP and HTTPS
client communication. For more information, see Planning for the trusted root key.
SITEREASSIGN
Enables automatic site reassignment for client upgrades when used with
SMSSITECODE=AUTO.
SMSCACHEDIR
Specifies the location of the client cache folder on the client computer. By default, the
cache location is %WinDir%\ccmcache.
Use this property with the SMSCACHEFLAGS property to control the client cache folder
location. For example, to install the client cache folder on the largest available client disk
drive: CCMSetup.exe SMSCACHEDIR=Cache SMSCACHEFLAGS=MAXDRIVE
SMSCACHEFLAGS
Use this property to specify further installation details for the client cache folder. You
can use SMSCACHEFLAGS properties individually or in combination separated by
semicolons (;).
The client installs the cache folder according to the SMSCACHEDIR property
The folder isn't compressed
The client uses the SMSCACHESIZE property as the size limit in MB of the cache
When you upgrade an existing client, the client installer ignores this property.
Values for the SMSCACHEFLAGS property
PERCENTDISKSPACE: Set the cache size as a percentage of the total disk space. If you
specify this property, also set SMSCACHESIZE to a percentage value.
PERCENTFREEDISKSPACE: Set the cache size as a percentage of the free disk space. If
you specify this property, also set SMSCACHESIZE as a percentage value. For
example, the disk has 10 MB free, and you specify SMSCACHESIZE=50. The client
installer sets the cache size to 5 MB. You can't use this property with the
PERCENTDISKSPACE property.
MAXDRIVE: Install the cache on the largest available disk. If you specify a path with
the SMSCACHEDIR property, the client installer ignores this value.
MAXDRIVESPACE: Install the cache on the disk drive with the most free space. If you
specify a path with the SMSCACHEDIR property, the client installer ignores this
value.
NTFSONLY: Only install the cache on an NTFS-formatted disk drive. If you specify a
path with the SMSCACHEDIR property, the client installer ignores this value.
SMSCACHESIZE
Important
Client settings are available for specifying the client cache folder size. The addition
of those client settings effectively replaces using SMSCACHESIZE as a client.msi
property to specify the size of the client cache. For more information, see the client
settings for cache size.
When you upgrade an existing client, the client installer ignores this setting. The client
also ignores the cache size when it downloads software updates.
If you reinstall a client, you can't use SMSCACHESIZE or SMSCACHEFLAGS to set the
cache size to be smaller than it was previously. The previous size is the minimum
value.
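An added Python model (not CCMSetup code) of how SMSCACHEDIR, SMSCACHEFLAGS and SMSCACHESIZE combine, covering the drive-selection flags listed under SMSCACHEFLAGS above and the reinstall minimum-size rule under SMSCACHESIZE. The drives are constructed sample data and the first drive is assumed to be the system drive.

```python
"""Model of how SMSCACHEDIR, SMSCACHEFLAGS and SMSCACHESIZE combine to pick
the client cache folder and its size limit. Added illustration only, not
CCMSetup code; drives are constructed sample data and drives[0] is assumed
to be the system drive."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Drive:
    letter: str
    filesystem: str    # "NTFS", "FAT32", ...
    total_mb: int
    free_mb: int


@dataclass(frozen=True)
class CachePlan:
    path: str
    size_mb: int


KNOWN_FLAGS = {"PERCENTDISKSPACE", "PERCENTFREEDISKSPACE",
               "MAXDRIVE", "MAXDRIVESPACE", "NTFSONLY"}


def parse_cacheflags(value: str) -> set:
    """SMSCACHEFLAGS values are combined with ';'; PERCENTDISKSPACE and
    PERCENTFREEDISKSPACE can't be used together."""
    flags = {f.strip().upper() for f in value.split(";") if f.strip()}
    unknown = flags - KNOWN_FLAGS
    if unknown:
        raise ValueError(f"unknown SMSCACHEFLAGS value(s): {sorted(unknown)}")
    if {"PERCENTDISKSPACE", "PERCENTFREEDISKSPACE"} <= flags:
        raise ValueError("PERCENTDISKSPACE and PERCENTFREEDISKSPACE can't be combined")
    return flags


def is_full_path(smscachedir: str) -> bool:
    """True for a drive-qualified path such as D:\\ccmcache, False for a bare
    folder name (SMSCACHEDIR=Cache) or the %WinDir%\\ccmcache default."""
    return len(smscachedir) > 2 and smscachedir[1] == ":"


def plan_cache(drives, smscachedir, smscacheflags, smscachesize, previous_size_mb=None):
    """Return the CachePlan a fresh install would use. previous_size_mb models a
    reinstall: the earlier cache size becomes the minimum."""
    flags = parse_cacheflags(smscacheflags)
    drives = list(drives)
    if is_full_path(smscachedir):
        # An explicit path wins: MAXDRIVE, MAXDRIVESPACE and NTFSONLY are ignored.
        drive = next(d for d in drives if d.letter.upper() == smscachedir[0].upper())
        path = smscachedir
    elif smscachedir.upper().startswith("%WINDIR%"):
        drive = drives[0]          # %WinDir% is on the system drive (assumed first)
        path = smscachedir
    else:
        candidates = drives
        if "NTFSONLY" in flags:
            candidates = [d for d in drives if d.filesystem.upper() == "NTFS"]
            if not candidates:
                raise ValueError("NTFSONLY is set but no NTFS drive is present")
        if "MAXDRIVE" in flags:
            drive = max(candidates, key=lambda d: d.total_mb)   # largest disk
        elif "MAXDRIVESPACE" in flags:
            drive = max(candidates, key=lambda d: d.free_mb)    # most free space
        else:
            drive = candidates[0]
        path = f"{drive.letter}:\\{smscachedir}"
    # Size: SMSCACHESIZE is MB unless a PERCENT* flag turns it into a percentage.
    if "PERCENTDISKSPACE" in flags:
        size_mb = drive.total_mb * smscachesize // 100
    elif "PERCENTFREEDISKSPACE" in flags:
        size_mb = drive.free_mb * smscachesize // 100
    else:
        size_mb = smscachesize
    if previous_size_mb is not None:
        size_mb = max(size_mb, previous_size_mb)   # a reinstall can't shrink the cache
    return CachePlan(path, size_mb)


# Constructed drives: small system disk, a bigger NTFS data disk, and the
# largest disk formatted FAT32.
SAMPLE_DRIVES = (
    Drive("C", "NTFS", 100_000, 20_000),
    Drive("D", "NTFS", 500_000, 300_000),
    Drive("E", "FAT32", 800_000, 700_000),
)

if __name__ == "__main__":
    # The page's own example: CCMSetup.exe SMSCACHEDIR=Cache SMSCACHEFLAGS=MAXDRIVE
    print(plan_cache(SAMPLE_DRIVES, "Cache", "MAXDRIVE", 10240))
```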
SMSCONFIGSOURCE
Use this property to specify the location and order that the client installer checks for
configuration settings. It's a string of one or more characters, each defining a specific
configuration source:
U: Upgrade the installed client to a newer version and use the assigned site code.
By default, the client installer uses PU. It first checks the installation properties (P) and
then the existing settings (U).
SMSMP
Specifies an initial management point for the Configuration Manager client to use.
Important
If the management point only accepts client connections over HTTPS, prefix the
management point name with https://.
Examples:
CCMSetup.exe SMSMP=smsmp01.contoso.com
CCMSetup.exe SMSMP=https://smsmp01.contoso.com
SMSMPLIST
Specifies a list of management points for the Configuration Manager client to use. Use a
semicolon ( ; ) as the delimiter when specifying multiple management points.
Important
If the management point only accepts client connections over HTTPS, prefix the
management point name with https://.
Examples:
CCMSetup.exe SMSMPLIST=https://smsmp01.contoso.com;https://smsmp02.contoso.com;smsmp03.contoso.com
CCMSetup.exe SMSMPLIST=https://smsmp01.contoso.com;smsmp02.contoso.com;smsmp03.contoso.com
SMSPUBLICROOTKEY
If the client can't get the Configuration Manager trusted root key from Active Directory
Domain Services, use this property to specify the key. This property applies to clients
that use HTTP and HTTPS communication. For more information, see Planning for the
trusted root key.
Tip
Get the value for the site's trusted root key from the mobileclient.tcf file on the site
server. For more information, see Pre-provision a client with the trusted root key
by using a file.
SMSROOTKEYPATH
Use this property to reinstall the Configuration Manager trusted root key. It specifies the
full path and name of a file that contains the trusted root key. This property applies to
clients that use HTTP and HTTPS client communication. For more information, see
Planning for the trusted root key.
Example: CCMSetup.exe SMSROOTKEYPATH=C:\folder\trk
SMSSIGNCERT
Specifies the full path and name of the exported self-signed certificate on the site server.
The site server stores this certificate in the SMS certificate store. It has the Subject name
Site Server and the friendly name Site Server Signing Certificate.
Export the certificate without the private key, store the file securely, and access it only
from a secured channel.
SMSSITECODE
This property specifies a Configuration Manager site to which you assign the client. This
value can either be a three-character site code or the word AUTO. If you specify AUTO, or
don't specify this property, the client attempts to determine its site assignment from
Active Directory Domain Services or from a specified management point. To enable
AUTO for client upgrades, also set SITEREASSIGN=TRUE.
UPGRADETOLATEST
This property forces CCMSetup to send a location request to the management point to
get the latest version of the Configuration Manager client installation source. There are
several scenarios where this property is especially useful:
Pull distribution points. Allow pull distribution points to install the latest client
version even if it's not in the pre-production collection. This action makes sure that
the client version on the pull distribution point is the same as the distribution point
binaries. If these versions aren't the same, it may cause issues.
About client installation properties published to Active Directory Domain Services
Article • 10/04/2022
When you extend the Active Directory schema for Configuration Manager, and the site
is published to Active Directory Domain Services, many client installation properties are
published to Active Directory Domain Services. If a computer can locate these client
installation properties, it can use them during Configuration Manager client deployment.
The advantages of using Active Directory Domain Services to publish client installation
properties include the following:
Note
For more information about how to extend the Active Directory schema for
Configuration Manager, and how to publish a site, see Schema extensions for
Configuration Manager.
A setting to indicate that the client must communicate by using HTTPS only.
The selection criteria for certificate selection. This may be required because the
client has more than one valid PKI certificate that can be used for Configuration
Manager.
A setting to determine which certificate to use if the client has multiple valid
certificates after the certificate selection process.
The certificate issuers list that contains a list of trusted root CA certificates.
Client.msi installation properties that are specified in the Client tab of the Client
Push Installation Properties dialog box.
Client installation (CCMSetup) uses the properties that are published to Active Directory
Domain Services only if no other properties are specified by using either of the
following:
Note
The client installation properties are used to install the client. These properties
might be overwritten with new settings from its assigned site after the client is
installed and has successfully been assigned to a Configuration Manager site.
Use the details in the following sections to determine which Configuration Manager
client installation methods use Active Directory Domain Services to obtain client
installation properties.
Note
You do not have to specify any CCMSetup properties for client push installation, or
the fallback status point, or the trusted root key in the Installation Properties tab.
These settings are automatically supplied to clients when they are installed by using
client push installation.
In addition to Client.msi properties, CCMSetup supports the following parameters:
/forcereboot, /skipprereq, /logon, /BITSPriority, /downloadtimeout, /forceinstall
Any properties that you specify in the Installation Properties tab are published to Active
Directory Domain Services if the site is published to Active Directory Domain Services.
These settings are read by client installations where CCMSetup is run with no installation
properties.
If no command line properties have been provisioned on the client computer by using
Group Policy, CCMSetup searches Active Directory Domain Services for installation
properties.
Manual installation
CCMSetup searches Active Directory Domain Services for installation properties under
the following circumstances:
No command line properties are specified after the CCMSetup.exe command.
The computer has not been provisioned with installation properties by using
Group Policy.
Workgroup computers.
Clients that are assigned to a Configuration Manager site that is not published to
Active Directory Domain Services.
Follow these steps to make sure that you're ready to deploy the Configuration Manager
client to Mac computers.
For the list of supported versions, see Supported operating systems for clients and
devices.
Certificate requirements
Client installation and management for Mac computers requires public key
infrastructure (PKI) certificates. PKI certificates secure the communication between the
Mac computers and the Configuration Manager site by using mutual authentication and
encrypted data transfers. Configuration Manager can request and install a user client
certificate. It uses Certificate Services with an enterprise certification authority, and the
Configuration Manager enrollment point and enrollment proxy point. You can also
request and install a computer certificate independently from Configuration Manager.
This certificate must meet the Configuration Manager certificate requirements.
Configuration Manager Mac clients always check for certificate revocation. You can't
disable this function.
If Mac clients can't locate the certificate revocation list (CRL), they can't connect to
Configuration Manager site systems. Especially for Mac clients in a different forest to the
issuing certification authority, check your CRL design. Make sure that Mac clients can
locate and download a CRL.
Before you install the Configuration Manager client on a Mac computer, decide how to
install the client certificate:
Use Configuration Manager enrollment by using the CMEnroll tool. The enrollment
process doesn't support automatic certificate renewal. Re-enroll Mac computers
before the certificate expires.
For more information about Mac client certificate requirements, see PKI certificate
requirements for Configuration Manager.
Mac clients are automatically assigned to the Configuration Manager site that manages
them. Mac clients install as internet-only clients, even if communication is restricted to
the intranet. This configuration means that they communicate with internet-enabled
management points and distribution points in their assigned site. Mac computers don't
communicate with site systems outside their assigned site.
Management point
Distribution point
Enrollment point
The web server certificate must include the internet FQDN that's specified in the site
system properties. The server doesn't have to be accessible from the internet to support
Mac computers. If you don't require internet-based client management, you can specify
the intranet FQDN value for the internet FQDN.
Specify the site system's internet FQDN value in the web server certificate for the
management point, the distribution point, and the enrollment proxy point.
For more information and an example deployment, see Deploying the web server
certificate for site systems that run IIS.
Management point
Distribution point
For an example deployment that creates and installs the client certificate for
management points, see Deploying the client certificate for Windows computers.
For an example deployment that creates and installs the client certificate for distribution
points, see Deploying the client certificate for distribution points.
Important
To deploy the client to devices running macOS Sierra, the subject name of the
management point certificate must be configured correctly. For example, use the
FQDN of the management point server.
For more information, see Deploying the client certificate for Mac computers.
HTTPS
Allow client connections from the internet. This configuration value is required to
manage Mac computers. However, it doesn't mean that site system servers must
be accessible from the internet.
Allow mobile devices and Mac computers to use this management point
Distribution points aren't required to install the client for Mac. If you want to deploy
software to these computers after you install the client, configure distribution points to
allow client connections from the internet.
2. In the details pane, select the Management point role, and select Properties in the
ribbon. In the Management point Properties window, configure these options:
a. Choose HTTPS.
c. Choose Allow mobile devices and Mac computers to use this management
point.
3. In the details pane of the Server and Site System Roles node, select the
Distribution point role, and select Properties in the ribbon. In the Distribution
point Properties window, configure these options:
Choose HTTPS.
4. Repeat this procedure for all management points and distribution points in
primary sites that manage Mac computers.
For more information about site system role placement and considerations, see Site
system roles.
To add the site system roles to support Mac computers, see Install site system roles.
On the System Role Selection page, select Enrollment proxy point and Enrollment
point from the list of available roles.
Next steps
Deploy the Configuration Manager client to Mac computers
How to deploy clients to Macs
Article • 10/04/2022
This article describes how to deploy and maintain the Configuration Manager client on
Mac computers. To learn about what you have to configure before deploying clients to
Mac computers, see Prepare to deploy client software to Macs.
When you install a new client for Mac computers, you might have to also install
Configuration Manager updates to reflect the new client information in the
Configuration Manager console.
In these procedures, you have two options for installing client certificates. Read more
about client certificates for Macs in Prepare to deploy client software to Macs.
Use Configuration Manager enrollment by using the CMEnroll tool. The enrollment
process doesn't support automatic certificate renewal. Re-enroll the Mac computer
before the installed certificate expires.
Important
To deploy the client to devices running macOS Sierra, correctly configure the
Subject name of the management point certificate. For example, use the FQDN of
the management point server.
2. On the Home tab of the ribbon, in the Properties group, choose Properties.
3. Select the Enrollment section, and then configure the following settings:
5. In the Create Enrollment Profile dialog box, enter a name for this enrollment
profile. Then configure the Management site code. Select the Configuration
Manager primary site that contains the management points for these Mac
computers.
Note
If you can't select the site, make sure that you configure at least one
management point in the site to support mobile devices.
6. Choose Add.
7. In the Add Certification Authority for Mobile Devices window, select the
certification authority server that issues certificates to Mac computers.
8. In the Create Enrollment Profile dialog box, select the Mac computer certificate
template that you previously created.
9. Select OK to close the Enrollment Profile dialog box, and then the Default Client
Settings dialog box.
Tip
If you want to change the client policy interval, use Client policy polling
interval in the Client Policy client setting group.
The next time the devices download client policy, Configuration Manager applies these
settings for all users. To initiate policy retrieval for a single client, see Initiate policy
retrieval for a Configuration Manager client.
In addition to the enrollment client settings, make sure that you have configured the
following client device settings:
Hardware inventory: Enable and configure this feature if you want to collect
hardware inventory from Mac and Windows client computers. For more
information, see How to extend hardware inventory.
Compliance settings: Enable and configure this feature if you want to evaluate and
remediate settings on Mac and Windows client computers. For more information,
see Plan for and configure compliance settings.
Note
The macOS client installation package isn't available for new deployments, but
existing deployments are supported until December 31, 2022.
2. Run the installer on the Windows computer. Extract the Mac client package,
Macclient.dmg, to a folder on the local disk. The default path is C:\Program
Files\Microsoft\System Center Configuration Manager for Mac client.
4. On the Mac computer, run Macclient.dmg to extract the files to a folder on the
local disk.
CMAppUtil: Converts Apple application packages into a format that you can
deploy as a Configuration Manager application
CMEnroll: Requests and installs the client certificate for a Mac computer so
that you can then install the Configuration Manager client
Important
When you use an email address to populate the User name field,
Configuration Manager automatically populates the Server name
field. It uses the default name of the enrollment proxy point server
and the domain name of the email address. If these names don't
match the name of the enrollment proxy point server, fix the Server
name during enrollment.
1. On the Mac computer, navigate to the folder where you extracted the contents of
the Macclient.dmg file.
3. Wait until you see the Completed installation message. Although the installer
displays a message that you must restart now, don't restart, and continue to the
next step.
4. From the Tools folder on the Mac computer, type the following command:
sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u '<user_name>'
After the client installs, the Mac Computer Enrollment wizard opens to help you
enroll the Mac computer. For more information, see Enroll the client by using the
Mac computer enrollment wizard.
Note
If the user name includes any of the following characters, enrollment fails:
<>"+=,. Use an out-of-band certificate with a user name that doesn't include
these characters.
For a more seamless user experience, script the installation steps. Then users
only have to supply their user name and password.
5. Type the password for the Active Directory user account. When you enter this
command, it prompts for two passwords. The first password is for the super user
account to run the command. The second prompt is for the Active Directory user
account. The prompts look identical, so make sure that you specify them in the
correct sequence.
b. In the Keychain Access window, in the Keychains section, choose System. Then
in the Category section, choose Keys.
c. Expand the keys to view the client certificates. Find the certificate with a private
key that you installed, and open the key.
f. Choose Save Changes and close the Keychain Access dialog box.
To verify that the client installation is successful, open the Configuration Manager item
in System Preferences on the Mac computer. Also update and view the All Systems
collection in the Configuration Manager console. Confirm that the Mac computer
appears in this collection as a managed client.
Tip
To help troubleshoot the Mac client, use the CMDiagnostics tool included with the
Mac client package. Use it to collect the following diagnostic information:
When you install the Configuration Manager client, use the MP and SubjectName
command-line options. Enter the following command:
sudo ./ccmsetup -MP <management point internet FQDN> -SubjectName <certificate subject name>. The
If you have more than one certificate that contains the same subject value, specify
the certificate serial number to use for the Configuration Manager client. Use the
following command: sudo defaults write com.microsoft.ccmclient SerialNumber -data "<serial number>".
Important
After you replace the client SMSID, when you delete the old resource in the
Configuration Manager console, you also delete any stored client history. For
example, hardware inventory history for that client.
1. Create and populate a device collection for the Mac computers that must renew
the computer certificates.
2. In the Assets and Compliance workspace, start the Create Configuration Item
Wizard.
Type: Mac OS X
5. On the Settings page, select New. In the Create Setting window, specify the
following information:
6. In the Create Setting window, for Discovery script, select Add script. This action
specifies a script to discover Mac computers configured with an SMSID.
7. In the Edit Discovery Script window, enter the following shell script:
9. In the Create Setting window, for Remediation script (optional), choose Add
script. This action specifies a script to remove the SMSID when it's found on Mac
computers.
10. In the Create Remediation Script window, enter the following shell script:
12. On the Compliance Rules page, choose New. Then in the Create Rule window,
specify the following information:
Enable the option to Run the specified remediation script when this setting
is noncompliant.
14. Create a configuration baseline that contains this configuration item. Deploy the
baseline to the target collection.
15. After you install a new certificate on Mac computers that have the SMSID removed,
run the following command to configure the client to use the new certificate:
See also
Prepare to deploy clients to Macs
After you install the Configuration Manager client, before you can manage the client, it
needs to join a Configuration Manager primary site. The site that a client joins is called
its assigned site. You can't assign a client to a central administration site or a secondary
site.
The assignment process happens after you successfully install the client and it
determines which site manages the computer. You can either directly assign the client to
a site, or use automatic site assignment. With automatic assignment, the client finds an
appropriate site based on its current network location. The client may assign to a
fallback site, if you configure it for the hierarchy.
Note
Always assign clients to sites running the same version of Configuration Manager.
Avoid assigning a client from a later release to a site on an earlier release. If
necessary, update the primary site to the same Configuration Manager version that
you use for the clients.
After the client assigns to a site, it remains assigned to that site, even if it changes its IP
address or roams to another site. Only an administrator can manually assign the client
to another site or remove the client assignment.
Warning
To avoid this behavior, disable the write filters before you assign the client on
embedded devices. Then enable the write filters after you have verified that site
assignment was successful.
If assignment fails, the client remains installed, but you can't manage it. A client is
considered unmanaged when it's installed but not assigned to a site. It's also
unmanaged when it's assigned to a site but it can't communicate with a management
point.
Use a client installation property that specifies the site code. For more information,
see Client installation properties - SMSSITECODE.
In the Windows Control Panel for Configuration Manager, specify the site code.
Note
If you manually assign a client to a site code that doesn't exist, the site assignment
fails.
Note
If a client computer has multiple network adapters and multiple IP addresses, the IP
address used to evaluate client site assignment is assigned randomly.
For more information about how to configure boundary groups for site assignment, see
Define site boundaries and boundary groups.
Configuration Manager clients that use automatic site assignment attempt to find site
boundary groups that you publish to Active Directory Domain Services. If this process
fails, clients can get boundary group information from a management point. This
process can fail if you don't extend the Active Directory schema for Configuration
Manager, or clients are workgroup computers.
When you install the client, you can specify a management point for it to use, or the
client can locate a management point automatically. For more information, see How
clients find site resources and services.
If the client can't find a site in a boundary group for its network location, and the
hierarchy doesn't have a fallback site, the client retries every 10 minutes. It repeats this
process until it assigns to a site.
Configuration Manager clients can't automatically assign to a site if any of the following
conditions apply:
Their network location doesn't fall within one of the boundary groups in the
hierarchy, and there's no fallback site.
If any of these conditions apply, you have to manually assign the client.
If you try to assign a client that runs a legacy OS version, site assignment fails. When you
assign a Configuration Manager 2007 client or a System Center 2012 Configuration
Manager client to a current branch site, assignment succeeds to support automatic
client upgrade. However, until you upgrade the older generation clients, you can't
manage it.
Note
Configuration Manager also checks that you've assigned the current branch client to a
site that supports it.
The client can access site information published to Active Directory Domain
Services.
If the site compatibility check fails to finish successfully, the site assignment fails. The
client remains unmanaged until the site compatibility check runs again and succeeds.
An exception to this site compatibility check is when you configure a client for an
internet-based management point. In this case, Configuration Manager doesn't check
site compatibility. If you assign clients to a site that contains internet-based site systems,
and you specify an internet-based management point, make sure that you assign the
client to the correct site.
In this case, the client automatically tries to find a current branch site.
The client first checks Active Directory Domain Services. If it finds a current branch site
published, site assignment succeeds. If this check fails, the client then checks for site
information from its assigned management point.
Note
You can specify an initial management point for the client during client installation.
For more information, see Client installation properties - SMSMP.
If both these methods fail, site assignment fails. You need to manually assign the client.
Accidental manual assignment to a legacy site version
For example, you assign a current branch client with a specific site code, and mistakenly
specify a site code for a version of Configuration Manager earlier than System Center
2012 R2 Configuration Manager.
In this case, site assignment fails. Manually reassign the client to a current branch site.
If the client used Active Directory Domain Services for its site compatibility check, it
downloads these settings for its assigned site from the domain.
When clients can't get site settings from Active Directory, they download them
from the management point.
You specify the settings during client installation. For more information, see About
client installation properties.
For clients on Windows computers, use the Configuration Manager control panel.
Verify that it shows the correct site code on the Site tab.
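The same check from a script, as an added example that is not part of the Configuration Manager documentation: it reads the assigned site code and current management point from the client's root\ccm WMI namespace and compares the site code with the one you intended (for example the SMSSITECODE value used at install time). The site code PS1 in the usage call is a constructed placeholder.

```powershell
# Added example (not from the Configuration Manager docs). Read-only: it reports
# the client's assignment state and never changes it.
function Test-CMClientSiteAssignment {
    param([Parameter(Mandatory)][string]$ExpectedSiteCode)

    try {
        # SMS_Client.GetAssignedSite() returns the site code the client assigned to
        $client   = [wmiclass]'root\ccm:SMS_Client'
        $assigned = $client.GetAssignedSite().sSiteCode
    } catch {
        # No root\ccm namespace: the client is not installed or its WMI entries are gone
        return [pscustomobject]@{
            AssignedSite = $null; ManagementPoint = $null
            State = 'Client WMI namespace not found; client is not installed or needs repair'
        }
    }

    # SMS_Authority holds the management point the client currently communicates with
    $authority = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Authority' -ErrorAction SilentlyContinue
    $mp = if ($authority) { $authority.CurrentManagementPoint } else { $null }

    # Mirror the documented states: installed but unassigned, assigned to the wrong
    # site, assigned but without a management point (all unmanaged), or managed
    $state = if ([string]::IsNullOrEmpty($assigned)) {
        'Unmanaged: client is installed but not assigned to a site'
    } elseif ($assigned -ne $ExpectedSiteCode) {
        "Assigned to $assigned but expected $ExpectedSiteCode; reassign the client"
    } elseif ([string]::IsNullOrEmpty($mp)) {
        'Unmanaged: assigned to a site but no management point is known'
    } else {
        'Managed'
    }

    [pscustomobject]@{ AssignedSite = $assigned; ManagementPoint = $mp; State = $state }
}

# Constructed placeholder site code; replace with the code you assigned the client to
Test-CMClientSiteAssignment -ExpectedSiteCode 'PS1'
```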
Clients that roam to other sites can always use management points in other sites for
content location requests. Management points in the current site can give clients a list
of distribution points that have the requested content.
When you configure clients for internet-only client management, they only
communicate with management points in their assigned site. These clients never
communicate with management points in secondary sites or with management points in
other primary sites. This behavior is the same for macOS and on-premises MDM devices
that you enroll to Configuration Manager.
Next steps
How to monitor client deployment status
Before you can monitor Configuration Manager clients and remediate problems,
configure the site's client status settings. These settings specify the parameters that the
site uses to mark clients as inactive. Also configure options to alert you if client activity
falls below a specified threshold.
Note
If a client doesn't meet any of the settings, the site marks it as inactive.
Client policy requests during the following days: Specify the number of days
since the client requested policy from the site. The default value is 7 days.
Compare this value to the Client policy polling interval setting in the Client
Policy group of client settings. Its default is 60 minutes. In other words, a
client should poll the site for policy every hour. If it doesn't request policy
after one week, the site marks it as inactive.
Heartbeat discovery during the following days: Specify the number of days
since the client sent a heartbeat discovery record to the site. The default
value is 7 days.
Compare this value to the schedule for the Heartbeat discovery method. By
default, the site runs heartbeat discovery once a week.
Hardware inventory during the following days: Specify the number of days
since the client sent a hardware inventory record to the site. The default value
is 7 days.
Software inventory during the following days: Specify the number of days
since the client sent a software inventory record to the site. The default value
is 7 days.
Compare this value to the Schedule software inventory and file collection
setting in the Software Inventory group of client settings. Its default is seven
days.
Status messages during the following days: Specify the number of days
since the client sent any status messages to the site. The default value is 7
days. The client can send status messages for different kinds of activities,
such as running a task sequence. The site deletes old status messages as part
of the maintenance task, Delete Aged Status Messages.
3. Specify the following value to determine how long the site keeps client status
history data:
Retain client status history for the following number of days: By default, the
site keeps client status information for 31 days. This setting doesn't have any
impact on client or site behavior. It's similar to a maintenance task for client
status history.
Note
When you change the schedule for client status updates, it doesn't take effect
until the next scheduled client status update on the previous schedule.
Configure alerts
1. In the Configuration Manager console, go to the Assets and Compliance
workspace, and select the Device Collections node.
2. Select the collection for which you want to configure alerts. On the Home tab of
the ribbon, in the Properties group, select Properties.
Note
Tip
You can only view the Alerts tab if your security role has permissions for
alerts.
Choose the alerts that you want the site to generate for client status thresholds,
and select OK.
4. In the Conditions list of the Alerts tab, select each client status alert, and then
specify the following information:
Alert Name: Accept the default name or enter a new name for the alert.
Alert Severity: Choose the alert level that the Configuration Manager console
displays.
Warning
If you use the registry editor incorrectly, you can cause serious problems that
could require you to reinstall Windows. Microsoft can't guarantee that you
can solve problems that result from using the registry editor incorrectly. Use it
at your own risk.
2. Navigate to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\CcmEval.
TRUE: The client won't automatically remediate any problems that it finds. The
site still notifies you in the Monitoring workspace about any problems with
this client.
When you install clients, you can exclude them from automatic remediation with the
NotifyOnly installation property. For more information, see About client installation
properties.
Next steps
Monitor clients
How to monitor client deployment
status in Configuration Manager
Article • 10/04/2022
Deploying clients across your site takes time and some installations are not successful
the first time. The Configuration Manager console provides a way to keep an eye on
client deployments within a collection by reporting client deployment status in real time.
Note
The best and most reliable way to monitor client deployment is with the
Configuration Manager console (as described in this article). The Client Status
section of the Monitoring workspace in the console provides client deployment
status accurately and in real time. You can monitor client deployments with other
tools, such as Server Manager in Windows Server or System Center Operations
Manager, but you may receive alarms from normal client installation activity.
Because of how the client installation program (CCMSetup.exe) runs in various
environments, these other tools may generate false alarms and warnings that do
not accurately reflect the state of client deployments.
In the Monitoring workspace of the console, you can monitor the following statuses for
client deployments taking place within a collection that you specify:
Compliant
In progress
Not compliant
Failed
Unknown
Review the charts of client deployment status and client deployment failure.
If you want to change the scope of the report, click Browse... and choose a
different collection.
To learn more about pre-production client deployments, see How to test client
upgrades in a pre-production collection.
Note
You can use Configuration Manager reports to find out more information about
the status of clients in your site. For more information about how to run reports,
see Introduction to reporting.
Monitor and manage clients in
Configuration Manager
Article • 10/04/2022
After you install the client on devices in your organization, Configuration Manager
provides several ways to monitor and manage it. You can monitor clients to check their
status, and Configuration Manager can automatically fix some problems it detects. Use
the Configuration Manager console to manage clients for individual devices or device
collections.
Use collections
Once you install the Configuration Manager client on the Windows devices in your site,
monitor their health and activity in the Configuration Manager console.
Client online status: The site considers a device as online if it's connected to its
assigned management point. To indicate that the client is online, it sends ping-like
messages to the management point. If the management point doesn't receive a
message in five minutes, the site considers the client as offline.
Tip
These messages use the client notification channel. For more information, see
Ports used in Configuration Manager.
Client activity: The site considers the client as active if it has communicated with
Configuration Manager in the past seven days. The site considers the client
inactive if it hasn't done the following actions in seven days:
Requested policy update
Sent a heartbeat message
Sent hardware inventory
Client check: The state of the periodic evaluation that the Configuration Manager
client runs on the device. The evaluation checks the device and can remediate
some of the problems it finds. For more information, see Client health checks.
You can configure remediation not to run on specific devices, for example, a
business-critical server. For more information, see How to configure client status.
If there are more items that you want to evaluate, use Configuration Manager
compliance settings to monitor other configurations. For more information about
compliance settings, see Plan for and configure compliance settings.
Decommissioned: The site has marked the device record for deletion. This
behavior can happen when a new registration for the same device assigns to the same
or a different primary site in a hierarchy. The site deletes these devices the next
time it runs the site maintenance task Delete Aged Discovery Data.
Obsolete: The site has discovered a new device record with the same hardware ID,
so it marks the old record as obsolete. Reports don't count obsolete records of the
same device multiple times. You can still target policies to obsolete devices. If the
site doesn't get a heartbeat for an obsolete record after 90 days of inactivity, it
removes the obsolete device when it runs the site maintenance task Delete
Obsolete Client Discovery Data.
Tip
The Power BI sample reports for Configuration Manager include a report called
Client Status. This report can also help with monitoring clients.
The icons at the beginning of each row indicate the online status of the device:
Icon Description
Device is online.
Device is offline.
Last Online Time: Indicates when the client online status changed to online.
3. Select an individual client in the list pane to see more status in the detail pane. This
information includes client activity and client check status.
2. To drill down into detail about the reported statistics, choose the name of the
reported information. For example, Active clients that have passed client check or
no results. Then review the information about the individual clients.
3. Select Client Activity to see charts showing the client activity in your Configuration
Manager site.
4. Select Client Check to see charts showing the status of client checks in your
Configuration Manager site.
Configure alerts to notify you when client check results or client activity drops
below a specified percentage. The site can also alert you when remediation fails on
a specified percentage of clients. For more information, see How to configure
client status.
For more information on the client's regular checks to keep healthy, see Client health
checks.
Next steps
Use the client health dashboard to view your client health, scenario health, and
common errors. Filter the view by several attributes to see any potential issues by OS
and client versions. For more information, see Client health dashboard.
For more information about the log files used by client deployment and management
operations, see Log files.
Client health dashboard
Article • 10/04/2022
You deploy software updates and other apps to help secure your environment, but these
deployments only reach healthy clients. Unhealthy Configuration Manager clients
adversely affect overall compliance. Determining client health can be challenging
depending upon the denominator: how many total devices should be in your scope of
management? For example, if you discover all systems from Active Directory, even if
some of those records are for retired machines, this process increases your
denominator.
By default, the client health dashboard shows online clients, and clients active in the
past three days. So you may see different numbers in this dashboard than in other
historical sources of client health. For example, other nodes under Client Status, or
reports in the client status category.
Note
To view this dashboard your account needs the Read Client Status Settings permission
on the Site object.
Configure
There are two actions in the ribbon to configure client health and the dashboard:
Choose Default Collection: Set a persistent user preference for the collection to
scope the dashboard.
When you set the collection on the Filter tile of the dashboard, that selection
resets when you refresh the dashboard.
Client Status Settings: Adjust the evaluation periods for scenario health. By default,
if a client doesn't send scenario-specific data in 7 days, Configuration Manager
considers it unhealthy for that scenario.
Tip
You can also configure these settings from the ribbon of the Client Status
node.
Filters
The single Filter tile at the top of the dashboard lets you adjust the data that it displays.
It includes the following filters:
Include client health for offline clients: By default, the dashboard displays only
online clients. This state comes from the client notification channel that updates a
client's status every five minutes. For more information, see About client status.
Only show unhealthy client details: Scope the view to only devices that are
reporting a client health failure.
Tip
Combine this filter with the tiles for Client Versions and OS Versions. For
more information, see Version tiles.
Clients active in last number of days: By default, the dashboard displays clients
that are active in the last three days.
Client health for clients in the following collections: By default, the dashboard
displays devices in the All Systems collection. Browse for a device collection to
scope the view to a subset of devices in a specific collection.
Tip
This filter is temporary. When you refresh the dashboard, it'll reset to the
default. To change the collection scope so it's persistent, use the Choose
default collection action in the ribbon. For more information, see Configure
the dashboard.
Overall client health
This tile shows the percentage of all clients reporting healthy in your hierarchy. This
percentage should be as close to 100% as possible. It's on the top row, which makes it
easier to see when you view the dashboard.
Online
Actively sending data
Passes all client health evaluation checks
A healthy client successfully communicates with the site. It reports all data based on the
defined schedules.
Hover over the segment to see the number of devices that are unhealthy. Select it to
drill down to a device list view.
Tip
This tile replaces the Combined (All) and Combined (Any) scenarios from earlier
versions.
Version tiles
Client Versions OS Versions
There are two tiles that show client health by Configuration Manager Client versions
and OS versions. These tiles are useful when you make changes to the filters, such as
Failure only. They can help highlight whether any issues are consistent across a specific
version. Use this information to help you make upgrade decisions.
Select Show table to switch to a table view of the data. You can select and copy the data
from the table. Select Show chart to show the donut chart. The following example
shows a chart of Configuration Manager client versions:
Scenario health
This bar chart shows the overall health for the following core scenarios:
This tile shows the percentage of healthy clients for the selected scenario. To adjust the
number of days the chart displays, use the slider control at the top of the tile.
Note
The maximum value for the slider control is the same as the Retain client status
history for the following number of days in Client Status Settings. It's 31 days by
default.
It's also limited by the amount of client health data in the site database. For example,
you configure it to display 31 days of history, but only three days of data are
available, so the chart shows three days.
This chart lists the most common failures in your environment. These errors come from
Windows or Configuration Manager.
Select a row of this table to drill down to a device list view. This action lets you easily
create a collection of devices to target a remediation action or for more detailed
reporting.
Note
Client health for clients in the following collections: By default, the dashboard
displays devices in the All Systems collection. Select a device collection to scope
the view to a subset of devices in a specific collection.
Client active in last number of days: By default, the dashboard displays clients that
are active in the last three days.
Include client health for offline clients: By default, the dashboard displays only
online clients. This state comes from the client notification channel that updates a
client's status every five minutes. For more information, see About client status.
Only show unhealthy client details: Scope the view to only devices that are
reporting a client health failure.
Tip
Use this filter along with the client version and OS version tiles. For more
information, see Version tiles.
Online
Actively sending data
Passes all client health evaluation checks
A healthy client successfully communicates with the site. It reports all data based on the
defined schedules in client settings.
Client policy
Heartbeat discovery
Hardware inventory
Software inventory
Status messages
Use the selectors to adjust the focus on specific scenarios in the chart.
Next steps
For more information on the client's regular checks to keep healthy, see Client health
checks.
Use the Surface device dashboard to see the use of Surface devices in your
environment.
Client health checks
Article • 10/04/2022
The Configuration Manager client regularly runs the checks and remediations to keep
healthy. For more information, see How to monitor clients.
Client checks
First, it verifies that the service exists. If it doesn't exist, you need to reinstall the
client.
Next, it verifies that the service startup type is automatic. To remediate a failure
with this check, reset the service startup type to automatic. Check group policies to
make sure something isn't automatically configuring the service startup type.
Then it verifies that the client service is running. The remediation for this check is
to start the client service. Then monitor it to make sure it keeps running. Review
Windows event logs to see if there are any related activities that might be stopping
the service. Review client logs to make sure it's not failing to start.
Verify that client check has recently run
Verify that the client check scheduled task (CcmEval) has run at least one time in the past
three days. You can manually run the scheduled task. Make sure that Windows can run
scheduled tasks.
Verify WMI
There are several checks specific to WMI. The first three checks are for the Windows
Management Instrumentation (WMI) service (Winmgmt).
Verify that the service exists. WMI is a fundamental component of Windows. If this
service doesn't exist, you may need to reinstall Windows.
Verify that the service startup type is automatic. To remediate a failure with this
check, reset the service startup type to automatic. Check group policies to make
sure something isn't automatically configuring the service startup type.
Verify that the service is running. The remediation for this check is to start the WMI
service. Then monitor it to make sure it keeps running. Review Windows event logs
to see if there are any related activities that might be stopping the service.
There are two other checks to test the overall health of WMI on the device:
The WMI repository integrity test checks that Configuration Manager client entries
exist in WMI. If this check fails, reinstall the Configuration Manager client.
The WMI event sink test checks whether the Configuration Manager-related WMI
event sink is lost. If this check fails, restart the client service.
Verify that the antimalware service startup type is automatic. To remediate a failure
with this check, reset the service startup type to automatic. Check group policies to
make sure something isn't automatically configuring the service startup type.
Verify that the antimalware service is running. The remediation for this check is to
start the antimalware service. Then monitor it to make sure it keeps running.
Review Windows event logs to see if there are any related activities that might be
stopping the service.
If you're using Windows Defender, the Configuration Manager client also verifies the
Windows Defender Antivirus Network Inspection Service (WdNisSvc). It checks to make
sure the service startup type is manual.
Verify that the service exists. The policy platform is one of the prerequisite
components that the Configuration Manager client automatically installs. If this
service doesn't exist, reinstall the Configuration Manager client.
Verify that the service startup type is manual. To remediate a failure with this check,
reset the service startup type to manual. Check group policies to make sure
something isn't automatically configuring the service startup type.
Verify that the service exists. BITS is a fundamental component of Windows. If this
service doesn't exist, you may need to reinstall Windows.
Verify that the service startup type is automatic or manual. To remediate a failure
with this check, reset the service startup type to automatic. Check group policies to
make sure something isn't automatically configuring the service startup type.
Verify that the service type is automatic or manual. To remediate a failure with this
check, reset the service startup type to automatic. Check group policies to make
sure something isn't automatically configuring the service startup type.
Verify that the service is running. The remediation for this check is to start the
remote control service. Then monitor it to make sure it keeps running. Review
Windows event logs to see if there are any related activities that might be stopping
the service.
Verify that the service startup type is automatic. To remediate a failure with this
check, reset the service startup type to automatic. Check group policies to make
sure something isn't automatically configuring the service startup type.
Verify that the service is running. The remediation for this check is to start the
wake-up proxy service. Then monitor it to make sure it keeps running. Review
Windows event logs to see if there are any related activities that might be stopping
the service.
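A read-only audit that walks the checks described above (client service, WMI service and repository entries, CcmEval task age, WdNisSvc and BITS startup types) and also reports the CcmEval NotifyOnly remediation mode from the earlier section, as an added example that is not code from the Configuration Manager documentation. Assumed names that the page does not state: the client service name CcmExec (SMS Agent Host) and the scheduled task path \Microsoft\Configuration Manager\Configuration Manager Health Evaluation; adjust them if your environment differs.

```powershell
# Added audit script (not from the Configuration Manager docs). It only reports,
# so it is safe to run on servers where NotifyOnly is set. Assumed names:
# service 'CcmExec' and the 'Configuration Manager Health Evaluation' task path.

function Test-ServiceHealth {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$AllowedStartTypes,  # 'Automatic' or 'Automatic','Manual'
        [bool]$MustBeRunning = $true
    )
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Missing service: the documented remediation is a reinstall (client or Windows)
        return [pscustomobject]@{ Check = "$Name exists"; Result = 'Fail'; Detail = 'service not found' }
    }
    $out = @([pscustomobject]@{ Check = "$Name exists"; Result = 'Pass'; Detail = '' })

    # StartType is Automatic / Manual / Disabled (delayed start still reports Automatic)
    $startOk = $AllowedStartTypes -contains $svc.StartType.ToString()
    $startResult = if ($startOk) { 'Pass' } else { 'Fail' }
    $out += [pscustomobject]@{
        Check  = "$Name startup type in ($($AllowedStartTypes -join '/'))"
        Result = $startResult
        Detail = "actual: $($svc.StartType)"
    }

    if ($MustBeRunning) {
        $runResult = if ($svc.Status -eq 'Running') { 'Pass' } else { 'Fail' }
        $out += [pscustomobject]@{ Check = "$Name running"; Result = $runResult; Detail = "actual: $($svc.Status)" }
    }
    return $out
}

function Invoke-CMClientHealthAudit {
    $results = @()

    # Client service: must exist, start automatically and be running (assumed name CcmExec)
    $results += Test-ServiceHealth -Name 'CcmExec' -AllowedStartTypes 'Automatic'

    # WMI service (Winmgmt): must exist, start automatically and be running
    $results += Test-ServiceHealth -Name 'Winmgmt' -AllowedStartTypes 'Automatic'

    # WMI repository integrity: the client's own entries must be present in root\ccm
    $ccmClient  = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client' -ErrorAction SilentlyContinue
    $repoResult = if ($ccmClient) { 'Pass' } else { 'Fail' }
    $results += [pscustomobject]@{ Check = 'Client entries present in WMI (root\ccm:SMS_Client)'; Result = $repoResult; Detail = '' }

    # Windows Defender Network Inspection Service must be set to Manual; running is not required
    $results += Test-ServiceHealth -Name 'WdNisSvc' -AllowedStartTypes 'Manual' -MustBeRunning $false

    # BITS may be Automatic or Manual; it is demand-started, so running is not required
    $results += Test-ServiceHealth -Name 'BITS' -AllowedStartTypes 'Automatic','Manual' -MustBeRunning $false

    # Client check (CcmEval) must have run at least once in the past three days (assumed task path)
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Configuration Manager\' `
                              -TaskName 'Configuration Manager Health Evaluation' -ErrorAction SilentlyContinue
    if ($task) {
        $info = $task | Get-ScheduledTaskInfo
        $ageDays = ((Get-Date) - $info.LastRunTime).TotalDays
        $taskResult = if ($ageDays -le 3) { 'Pass' } else { 'Fail' }
        $results += [pscustomobject]@{ Check = 'Client check ran in past 3 days'; Result = $taskResult; Detail = "last run: $($info.LastRunTime)" }
    } else {
        $results += [pscustomobject]@{ Check = 'Client check ran in past 3 days'; Result = 'Fail'; Detail = 'scheduled task not found' }
    }

    # NotifyOnly = TRUE means the client reports problems but does not remediate them
    $eval = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM\CcmEval' -Name 'NotifyOnly' -ErrorAction SilentlyContinue
    $mode = if ($eval -and $eval.NotifyOnly -eq 'TRUE') { 'notify only (no automatic remediation)' } else { 'automatic remediation enabled' }
    $results += [pscustomobject]@{ Check = 'CcmEval remediation mode'; Result = 'Info'; Detail = $mode }

    return $results
}

Invoke-CMClientHealthAudit | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the client; a Fail row maps directly to the remediation described for that check above.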
The Surface device dashboard gives you information about Surface devices found in
your environment at a single glance.
How to open
To open the Surface device dashboard, use the following steps:
Review information
The Surface device dashboard shows three graphs:
Percent of Surface devices: The percentage of Surface devices throughout your
environment.
Surface Models: The number of devices per Surface model. Hover over a graph
section to see the percentage of Surface devices for that model.
Next steps
You can use Configuration Manager to deploy Surface firmware updates. For more
information, see Managing Surface driver updates.
For more information about Surface devices, see the Surface website.
Removed and deprecated features for
Configuration Manager
Article • 07/03/2023
This article lists the features that are deprecated or removed from support for
Configuration Manager. Deprecated features will be removed in a future update. These
future changes might affect your use of Configuration Manager.
This information is subject to change with future releases. It might not include each
deprecated Configuration Manager feature.
Deprecated features
The following features are deprecated. You can still use them now, but Microsoft plans
to end support in the future.
Feature | Deprecation first announced | Planned end of support
Community hub service and integration with ConfigMgr | October 2022 | The first release after March 1, 2023
Upgrade from any version of System Center 2012 Configuration Manager to current branch. For more information, see Upgrade to Configuration Manager current branch | April 2022 | Version 2303
The Configuration Manager client for macOS and Mac client management. For more information, see Supported clients: Mac computers. Migrate management of macOS devices to Microsoft Intune. For more information, see Deployment guide: Manage macOS devices in Microsoft Intune. | January 2022 | December 31, 2022
The site system roles for on-premises MDM and macOS clients: enrollment proxy point and enrollment point. | January 2022 | December 31, 2022
The Microsoft Store for Business and Education. For more information, see Manage apps from the Microsoft Store for Business and Education with Configuration Manager. | November 2021 | The first release after March 1, 2023
Asset intelligence. For more information, see Asset intelligence deprecation. | November 2021 | The first release after November 1, 2022
On-premises MDM. For more information, see On-premises MDM in Configuration Manager. | November 2021 | The first release after November 1, 2022
Azure Active Directory (Azure AD) Graph API and Azure AD Authentication Library (ADAL), which is used by Configuration Manager for some cloud-attached scenarios. If you use cloud-attached features such as co-management, tenant attach, or Azure AD discovery, starting June 30, 2022, these features may not work correctly in Configuration Manager version 2107 or earlier. Stay current with Configuration Manager to make sure these features continue to work. For more information, see CMG FAQ. | July 2021 | June 30, 2022
The BitLocker management implementation for the recovery service has changed. The legacy MBAM-based service is replaced by the messaging processing engine on the management point. | March 2021 | The first release after May 2022
Older style of console extensions that haven't been approved in the Console Extension node will no longer be supported. For more information about new console extensions, see Manage console extensions. | April 2021 | TBD (Note 1)
Sites that allow HTTP client communication. Configure the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP. | March 2021 | The first release after November 1, 2022
The geographical view in the Site Hierarchy node of the Monitoring workspace in the Configuration Manager console. | August 2020 | The first release after October 2023
The implementation for sharing content from Azure has changed. Use a content-enabled cloud management gateway. Starting in version 2107, you can't create a traditional cloud distribution point. | February 2019 | The first release after October 5, 2022
Cloud management gateway and cloud distribution point deployments with Azure Service Manager using a management certificate. For more information, see Plan for CMG. | November 2018 | The first release after October 5, 2022
Feature | Deprecation first announced | Support removed
Desktop Analytics. For more information, see Windows compatibility reports in Intune. | November 2021 | November 30, 2022
The ability to deploy a cloud management gateway (CMG) as a cloud service (classic). All CMG deployments should use a virtual machine scale set. | September 2021 | Version 2203
The following compliance settings for Company resource access: Certificate profiles, VPN profiles, Wi-Fi profiles, Windows Hello for Business settings, and email profiles. This deprecation includes the co-management resource access workload. Use Microsoft Intune to deploy resource access profiles. For more information, see Frequently asked questions about resource access deprecation. | March 2021 | Version 2203
Desktop Analytics data for Windows 7, Windows 8, and earlier versions of Windows 10 that don't support the Windows diagnostic data processor configuration. | July 2021 | January 31, 2022
Third-party add-ons that use Microsoft .NET Framework version 4.6.1 or earlier, and rely on Configuration Manager libraries. Such add-ons need to use .NET 4.6.2 or later. For more information, see External dependencies require .NET 4.6.2. | September 2021 | Version 2111
Log Analytics connector for Azure Monitor. This feature is called the OMS Connector in the Azure Services node. | November 2020 | Version 2107
Microsoft Edge legacy browser profiles. For more information, see New Microsoft Edge to replace Microsoft Edge Legacy with April's Windows 10 Update Tuesday release. | March 2021 | April 2021
The collection evaluation viewer, which was integrated in version 2010. | November 2020 | Version 2103
Desktop Analytics tile and page for Security Updates | December 2020 | March 2021
Desktop Analytics option to View recent data for device enrollment and security updates. For more information, see Data latency. | May 2020 | July 2020
Windows Analytics and Upgrade Readiness integration. For more information, see KB 4521815: Windows Analytics retirement on January 31, 2020. | October 14, 2019 | January 31, 2020
Device health attestation assessment for conditional access compliance policies. For more information, see What happened to hybrid MDM. | July 3, 2019 | Version 1910
The Configuration Manager Company Portal app | May 21, 2019 | Version 1910
The application catalog, including both site system roles: the application catalog website point and web service point. For more information, see Remove the application catalog. | May 21, 2019 | Version 1910
The Silverlight user experience for the application catalog website point is no longer supported. Users should use the new Software Center. For more information, see Configure Software Center. | August 11, 2017 | Version 1806
Task sequences: Convert Disk to Dynamic; Install Deployment Tools | November 18, 2016 | Version 1710
Software update points with a network load balancing (NLB) cluster | February 27, 2016 | Version 1702
Task sequences: OSDPreserveDriveLetter | June 20, 2016 | Version 1606
Network Access Protection (NAP), as found in System Center 2012 Configuration Manager | July 10, 2015 | Version 1511
Out of Band Management, as found in System Center 2012 Configuration Manager | October 16, 2015 | Version 1511
System Center Configuration Manager Management Pack for System Center Operations Manager is not available for download | October 16, 2015 | Version 1511
WINS
Windows Internet Name Service (WINS) is a legacy computer name registration and
resolution service. It's a deprecated service. You should replace WINS with Domain
Name System (DNS). For more information, see Windows Internet Name Service (WINS).
Out of Band Management
With Configuration Manager, native support for AMT-based computers from within the
Configuration Manager console has been removed.
AMT-based computers remain fully managed when you use the Intel SCS Add-on
for Configuration Manager . The add-on provides you access to the latest
capabilities to manage AMT, while removing limitations introduced until
Configuration Manager could incorporate those changes.
For network access protection alternatives, see the Deprecated functionality section of
Network Policy and Access Services Overview.
See also
Removed and deprecated
Microsoft Support Lifecycle
Support for current branch versions of Configuration Manager
How to manage clients in Configuration Manager
Article • 10/04/2022
When the Configuration Manager client installs on a device and successfully assigns to a
site, you see the device in the Assets and Compliance workspace in the Devices node,
and in one or more collections in the Device Collections node. Select the device or a
collection, and then run management operations. However, there are other ways to
manage the client, which might involve other workspaces in the console, or tasks
outside of the console.
Note
If you install the Configuration Manager client, but it hasn't yet successfully
assigned to a site, it might not display in the console. After the client assigns to a
site, update collection membership, and then refresh the console view.
A device can also display in the console when the Configuration Manager client
isn't installed. This behavior happens if the site discovers a device but the client
isn't installed and assigned.
To manage a device from the console, use the Client column in the Devices node to
determine whether the client is installed.
2. Select one or more devices, and then select one of these client management tasks
from the ribbon. You can also right-click the device.
For more information, see Link users and devices with user device affinity.
Add selected items to existing device collection: Opens the Select Collection
dialog box. Select the collection to which you want to add this device. The device is
included in this collection by using a Direct membership rule.
Add selected items to new device collection: Opens the Create Device Collection
Wizard where you can create a new collection. The selected device is included in
the new collection by using a Direct membership rule.
Install client
Opens the Install Client Wizard. This wizard uses client push installation to install or
reinstall the Configuration Manager client on the selected device.
Tip
There are many different ways to install the Configuration Manager client. Although
the Client Push wizard offers a convenient client installation method from the
console, this method has many dependencies and isn't suitable for all
environments. For more information about the dependencies, see Prerequisites for
deploying clients to Windows computers. For more information about the other
client installation methods, see Client installation methods.
For more information, see How to install Configuration Manager clients by using client
push.
Run script
Opens the Run Script wizard to run a PowerShell script on the selected device.
Install application
Install an application to a device in real time. This feature can help reduce the need for
separate collections for every application.
Starting in version 2111, select the Install Application Group action for an app group.
Reassign site
Reassign one or more clients, including managed mobile devices, to another primary
site in the hierarchy. You can individually reassign clients or select more than one to
reassign them in bulk.
Start
Run Resource Explorer to see the hardware and software inventory information
from a Windows client. For more information, see the following articles:
Important
Although some management functions might work for unapproved clients, this is
an unsupported scenario for Configuration Manager.
You don't have to approve clients that always communicate to site systems using HTTPS,
or clients that use a PKI certificate when they communicate to site systems using HTTP.
These clients establish trust by using the PKI certificates.
Block or unblock
Block a client that you no longer trust. Blocking prevents the client from receiving policy,
and prevents site systems from communicating with the client.
Important
For more information, see Use PXE to deploy Windows over the network.
Client notification
For more information, see Client notifications.
Endpoint Protection
For more information, see Endpoint Protection.
For more information, see Link users and devices with user device affinity.
Tip
Check the manufacturer's documentation for more information about how the
mobile device processes a remote wipe command.
There's often a delay until the mobile device receives the wipe command:
If the mobile device is enrolled by Configuration Manager, the client receives the
command when it downloads its client policy.
If the mobile device is managed by the Exchange Server connector, it receives the
command when it synchronizes with Exchange.
To monitor when the device receives the wipe command, use the Wipe Status column.
Until the device sends a wipe acknowledgment to Configuration Manager, you can
cancel the wipe command.
Retire a mobile device
The Retire option is supported only by mobile devices enrolled by on-premises MDM.
For more information, see Help protect your data with remote wipe, remote lock, or
passcode reset.
Change ownership
If a device isn't domain-joined and doesn't have the Configuration Manager client
installed, use this option to change the ownership to Company or Personal.
You can use this value in application requirements to control deployments, and to
control how much inventory is collected from users' devices.
You may need to add the Device Owner column to the view by right-clicking any
column heading and choosing it.
Delete
Warning
Don't delete a client if you want to uninstall the Configuration Manager client or
remove it from a collection.
The Delete action manually removes the client record from the Configuration Manager
database. Only use this action to troubleshoot a problem. If you delete the object, but
the client is still installed and communicating with the site, Heartbeat Discovery
recreates the client record. It reappears in the Configuration Manager console, although
the client history and any previous associations are lost.
Note
When you delete a mobile device client that was enrolled by Configuration
Manager, this action also revokes the issued PKI certificate. This certificate is then
rejected by the management point, even if IIS doesn't check the certificate
revocation list (CRL).
Certificates on mobile device legacy clients are not revoked when you delete these
clients.
To uninstall the client, see Uninstall the Configuration Manager client.
To assign the client to a new primary site, see How to assign clients to a site.
To remove the client from a collection, reconfigure the collection properties. For more
information, see How to manage collections.
Refresh
Refresh the console view with the latest data in the database. For example, if a device
appears in the list from discovery, but doesn't show as installed. After you install the
client and make sure it's assigned to the site, select Refresh.
Properties
View the discovery data and deployments targeted for the client.
Switch to the Variables tab to configure variables that task sequences use to deploy an
OS to the device. For more information, see Create task sequence variables for devices
and collections.
Starting in version 2111, switch to the Custom properties tab to manually set custom
properties on the device for reporting or to create collections. For more information, see
Custom properties for devices.
Consider the following questions before you run collection-level tasks. Once started, you
can't stop the task from the console.
Tip
Enable automatic client upgrade to keep your clients up-to-date with less effort.
For more information, see About automatic client upgrade.
To identify devices that are pending a restart, go to the Assets and Compliance
workspace in the Configuration Manager console and select the Devices node. Then
view the status for each device in the details pane in a new column named Pending
Restart. Each device has one or more of the following values:
Add or remove feature: this value comes from the Windows component-based
servicing reporting the addition or removal of a Windows feature requires a restart
( HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based
Servicing\Reboot Pending )
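The Pending Restart column is computed on the client from a handful of well-known reboot signals. The following added example (not code from the Configuration Manager documentation) reproduces that check locally so you can confirm what the console will report. The Component Based Servicing key is the one the article names (the actual registry key is spelled RebootPending with no space). The Windows Update RebootRequired key and the PendingFileRenameOperations value are other standard Windows reboot signals that I added; they are not taken from this page. The CCM_ClientUtilities.DetermineIfRebootPending call in the client SDK namespace is included as the Configuration Manager client's own verdict; it only works where the client is installed.

```powershell
# Added example: reproduce the "Pending Restart" evaluation on a Windows client.
function Get-PendingRestartState {
    [CmdletBinding()]
    param()

    # Key named by the article (actual key name has no space): set when a Windows
    # feature was added or removed and a restart is outstanding.
    $cbsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    # Additional well-known signals (added here, not from the page).
    $wuKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $smKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    $state = [ordered]@{
        ComponentBasedServicing = Test-Path -Path $cbsKey
        WindowsUpdate           = Test-Path -Path $wuKey
        PendingFileRename       = $false
        ConfigMgrClient         = $null   # $null = client SDK not available
    }

    # PendingFileRenameOperations is a multi-string value; any non-empty entry
    # means a file is queued to be renamed or deleted at the next boot.
    $pfro = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($pfro -and @($pfro | Where-Object { $_ }).Count -gt 0) {
        $state.PendingFileRename = $true
    }

    # Ask the Configuration Manager client itself, when it is installed.
    try {
        $r = Invoke-CimMethod -Namespace 'root\ccm\ClientSDK' `
                -ClassName 'CCM_ClientUtilities' `
                -MethodName 'DetermineIfRebootPending' -ErrorAction Stop
        $state.ConfigMgrClient = [bool]$r.RebootPending
    } catch {
        Write-Verbose "Configuration Manager client SDK not available: $($_.Exception.Message)"
    }

    $state.AnyPending = ($state.ComponentBasedServicing -or $state.WindowsUpdate -or
                         $state.PendingFileRename -or ($state.ConfigMgrClient -eq $true))
    [pscustomobject]$state
}

# Run elevated on the client; -Verbose shows why the SDK check was skipped, if it was.
Get-PendingRestartState -Verbose
```

If ConfigMgrClient reports $true while the three registry signals are all $false, the client is usually honouring a restart requested by a deployment (for example a software update with a pending hard reboot) rather than one queued by Windows itself; that distinction is worth checking before you trigger a Restart client notification against a large collection.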
Note
You can't uninstall the Configuration Manager client from a mobile device. If you
must remove the Configuration Manager client from a mobile device, you must
wipe the device, which deletes all data on the mobile device.
Tip
The uninstall process displays no results on the screen. To verify that the client
successfully uninstalls, see the following log file:
%windir%\ccmsetup\logs\CCMSetup.log
If you need to wait for the uninstall process to complete before doing something
else, run Wait-Process CCMSetup in PowerShell. This command can pause a script
until the CCMSetup process completes.
Starting in version 2111, when you uninstall the client it also removes the client
bootstrap, ccmsetup.msi, if it exists.
3. Switch to the Client Approval and Conflicting Records tab, and select one of the
following options:
2. Select one or more conflicting records, and then choose Conflicting Record.
Merge: Combine the newly detected record with the existing client record.
1. Many new devices don't include an onboard Ethernet port. Technicians use a USB-
to-Ethernet adapter to establish a wired connection for purposes of OS
deployment. These adapters are often shared because of cost and general
usability. The site uses the MAC address of this adapter to identify the device. So
reusing the adapter becomes problematic without other administrator actions
between each deployment. To reuse the adapter in this scenario, exclude its MAC
address.
2. While the SMBIOS attribute should be unique, some specialty hardware devices
have duplicate identifiers. Exclude this duplicate identifier and rely on the unique
MAC address of each device.
Use the following process to add hardware identifiers for Configuration Manager to
ignore:
2. On the Home tab of the ribbon, in the Sites group, choose Hierarchy Settings.
3. Switch to the Client Approval and Conflicting Records tab. To add new hardware
identifiers, choose Add in the Duplicate hardware identifiers section.
Get-CMDuplicateHardwareIdGuid
New-CMDuplicateHardwareIdGuid
Remove-CMDuplicateHardwareIdGuid
Get-CMDuplicateHardwareIdMacAddress
New-CMDuplicateHardwareIdMacAddress
Remove-CMDuplicateHardwareIdMacAddress
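The cmdlets above are how you script the exclusion for the shared USB-to-Ethernet adapter case. The following added example (not the article's own code) normalises each MAC address before adding it and skips addresses that are already excluded, so a typo cannot exclude the wrong adapter and re-running the script is harmless. Assumptions, labelled as such: the Configuration Manager console and its PowerShell module are installed on the machine running the script, the site code is PS1, and the -MacAddress parameter name of Get-/New-CMDuplicateHardwareIdMacAddress is inferred from the cmdlet names rather than taken from this page. The GUID cmdlets follow the same pattern.

```powershell
# Added example: add shared-adapter MAC addresses to the duplicate hardware
# identifier list, with validation and an idempotency check.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
$SiteCode = 'PS1'          # assumed site code
Set-Location "$SiteCode`:"  # cmdlets require the site drive as current location

function Add-CMIgnoredMacAddress {
    param([Parameter(Mandatory)][string[]]$MacAddress)

    # Fetch the current list once; property name assumed to be MacAddress.
    $existing = @(Get-CMDuplicateHardwareIdMacAddress | ForEach-Object { $_.MacAddress.ToUpper() })

    foreach ($raw in $MacAddress) {
        # Strip separators and validate: exactly 12 hex digits, nothing else.
        $hex = ($raw -replace '[^0-9A-Fa-f]', '').ToUpper()
        if ($hex.Length -ne 12) {
            Write-Warning "Skipping '$raw': not a valid MAC address."
            continue
        }
        # Normalise to AA:BB:CC:DD:EE:FF so comparisons are exact.
        $mac = $hex -replace '(..)(?!$)', '${1}:'

        if ($existing -contains $mac) {
            "Already excluded: $mac"
            continue
        }
        New-CMDuplicateHardwareIdMacAddress -MacAddress $mac | Out-Null   # parameter name assumed
        $existing += $mac
        "Excluded: $mac"
    }
}

# Constructed sample input: a shared dongle in two common notations plus one typo.
Add-CMIgnoredMacAddress -MacAddress '00-50-b6-12-34-56', '00:50:B6:12:34:56', '0050b61234'
```

Excluding a MAC address tells the site to fall back to the SMBIOS GUID for matching, so only do this for adapters that genuinely move between machines; excluding a built-in NIC removes one of the two identifiers the site uses to tell devices apart.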
Start policy retrieval
A Configuration Manager client downloads its client policy on a schedule that you
configure as a client setting. You can also start on-demand policy retrieval from the
client. For example, for troubleshooting or testing situations.
Client notification
The client control panel
Support Center
A script
2. Select the device that you want to download policy. On the Home tab of the
ribbon, in the Device group, select Client Notification, and then choose Download
Computer Policy.
Note
You can also use client notification to start policy retrieval for all devices in a
collection.
2. Switch to the Actions tab. Select Machine Policy Retrieval & Evaluation Cycle to
start the computer policy, and then select Run Now.
4. Repeat the previous steps for any other actions. For example, User Policy Retrieval
& Evaluation Cycle for user client settings.
2. Copy and insert the following sample PowerShell code into the file:
PowerShell
# Schedule ID for Machine Policy Retrieval & Evaluation Cycle
$trigger = "{00000000-0000-0000-0000-000000000021}"
# Ask the local client (SMS_Client in the root\ccm namespace) to run that schedule now
Invoke-WmiMethod -Namespace root\ccm -Class SMS_Client -Name TriggerSchedule -ArgumentList $trigger
Tip
For more information about the schedule IDs, see Message IDs.
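The same TriggerSchedule method accepts any client schedule ID, and CIM lets you call it on a remote client over WinRM. The following added example (not the article's own script) wraps the call in a function that maps the action names used in this article to their schedule IDs, runs them in order on a local or remote client, and reports the method's return value. The schedule IDs are the documented client message IDs; the function and hashtable names are my own.

```powershell
# Added example: trigger one or more client schedules through
# SMS_Client.TriggerSchedule in the root\ccm namespace, locally or remotely.
$ClientSchedules = @{
    'Machine Policy Retrieval'          = '{00000000-0000-0000-0000-000000000021}'
    'Machine Policy Evaluation'         = '{00000000-0000-0000-0000-000000000022}'
    'User Policy Retrieval'             = '{00000000-0000-0000-0000-000000000027}'
    'Hardware Inventory'                = '{00000000-0000-0000-0000-000000000001}'
    'Software Updates Scan'             = '{00000000-0000-0000-0000-000000000113}'
    'Application Deployment Evaluation' = '{00000000-0000-0000-0000-000000000121}'
}

function Invoke-CMClientSchedule {
    param(
        [Parameter(Mandatory)][string[]]$Action,
        [string]$ComputerName = $env:COMPUTERNAME   # remote targets need WinRM
    )
    $session = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
    try {
        foreach ($name in $Action) {
            if (-not $ClientSchedules.ContainsKey($name)) {
                Write-Warning "Unknown action '$name'; skipping."
                continue
            }
            $id = $ClientSchedules[$name]
            # TriggerSchedule takes the schedule ID as its single string parameter.
            $result = Invoke-CimMethod -CimSession $session -Namespace 'root\ccm' `
                -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
                -Arguments @{ sScheduleID = $id }
            [pscustomobject]@{
                ComputerName = $ComputerName
                Action       = $name
                ScheduleID   = $id
                ReturnValue  = $result.ReturnValue   # 0 means the schedule was queued
            }
        }
    } finally {
        Remove-CimSession -CimSession $session
    }
}

# Fetch and evaluate computer policy, then user policy, on the local client.
Invoke-CMClientSchedule -Action 'Machine Policy Retrieval', 'Machine Policy Evaluation', 'User Policy Retrieval'
```

A return value of 0 only means the client accepted the request; the policy download itself is asynchronous, so confirm it in PolicyAgent.log on the client rather than assuming the new policy has already been applied.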
Next steps
Configure the content cache for clients
Client notification
Configure the content cache for Configuration Manager clients
Article • 10/04/2022
The client cache stores temporary files for when clients install applications and
programs. Software updates also use the client cache, but always attempt to download
to the cache regardless of the cache size setting. Configure the cache settings, such as
size and location, when you manually install the client, when you use client push
installation, or after installation.
You can specify the cache folder size using client settings in the Configuration Manager
console. For more information, see Client cache settings.
The default location for the Configuration Manager client cache is %windir%\ccmcache
and the default disk space is 5120 MB.
Important
Don't encrypt the folder used for the client cache. Configuration Manager can't
download content to an encrypted folder.
About
The Configuration Manager client downloads the content for required software soon
after the deployment's available time but waits to run it until the deployment's
scheduled time. At the scheduled time, the Configuration Manager client checks to see
whether the content is available in the cache. If content is in the cache and it's the
correct version, the client uses the cached content. When the required version of the
content changes, or if the client deletes the content to make room for another package,
the client downloads the content to the cache again.
If the client attempts to download content for a program or application that's greater
than the size of the cache, the deployment fails because of insufficient cache size. The
client generates status message 10050 for insufficient cache size. If you increase the
cache size later, the result is:
For a required program: The client doesn't automatically retry to download the
content. Redeploy the package and program to the client.
For a required application: The client automatically retries to download the content
when it downloads its client policy.
If the client attempts to download content that's less than the size of the cache, but the
cache is full, all required deployments keep retrying until:
If you later increase the cache size, the client attempts to download the content again
during the next retry interval. The client tries to download the content every four hours
until it tries 18 times.
Cached content isn't automatically deleted and is only removed if new content requires
its disk space. It remains in the cache for the configured number of minutes after the
client uses that content. If you configure the content with the option to persist content
in the client cache, the client doesn't automatically delete it. If the cache space is used
by content that was downloaded within the configured number of minutes, and the
client must download new content, either increase the cache size or choose the option
to delete persisted cache content. For more information, see About client settings.
Important
Don't manually delete files from the client cache folder using Windows Explorer or
the command line. This action can cause issues with the Configuration Manager
client. The client manages the cache and tracks the content apart from the file
system. Always use a supported method to delete files in the cache.
For applications only, if the content for a related deployment currently exists in the
cache, then the client downloads only new or changed files. Related deployments
include those deployments for older revisions of the same deployment type and
superseded applications.
Configure
Use the following procedures to configure the client cache during manual client
installation or after you install the client.
DISABLECACHEOPT
SMSCACHEDIR
SMSCACHEFLAGS
Note
Use the cache size settings available in Client Settings in the Configuration
Manager console instead of SMSCACHESIZE. For more information, see Client
cache settings.
For more information about how to use these command-line properties for
CCMSetup.exe, see About client installation properties.
2. Select the appropriate site. On the Home tab of the ribbon, in the Settings group,
select Client Installation Settings, and choose Client Push Installation. Switch to
the Installation Properties tab.
DISABLECACHEOPT
SMSCACHEDIR
SMSCACHEFLAGS
Note
Use the cache size settings available in Client Settings in the Configuration
Manager console instead of SMSCACHESIZE. For more information, see Client
cache settings.
For more information about how to use these command-line properties for
CCMSetup.exe, see About client installation properties.
Configure the cache on the client computer
1. On the client computer, open the Configuration Manager control panel.
2. Switch to the Cache tab. Set the space and location properties. The default location
is %windir%\ccmcache .
Important
Don't manually delete files from the ccmcache folder using Windows Explorer
or the command line. This action can cause issues with the Configuration
Manager client. The client manages the cache and tracks the content apart
from the file system. Always use a supported method to delete files in the
cache. For example, the Delete Files option on the control panel.
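Both Important boxes above say the same thing: the client tracks cache content separately from the file system, so deleting files under ccmcache by hand leaves the client's bookkeeping out of sync. The supported programmatic route is the client's own UIResource.UIResourceMgr COM interface, which is what the control panel's Delete Files option uses. The following added example (not code from the article) reports the cache location, size, and contents through that interface, and prunes elements that have not been referenced for a configurable number of days. Sizes from GetCacheInfo are in MB and per-element ContentSize is in KB; the 30-day default is my assumption.

```powershell
# Added example: inspect and prune the client cache through the client's own
# UIResource.UIResourceMgr COM interface (run locally on the client).
function Get-CMClientCacheReport {
    $ui    = New-Object -ComObject 'UIResource.UIResourceMgr'
    $cache = $ui.GetCacheInfo()
    [pscustomobject]@{
        Location    = $cache.Location        # default is %windir%\ccmcache
        TotalSizeMB = $cache.TotalSize       # configured cache size
        FreeSizeMB  = $cache.FreeSize
        Elements    = @($cache.GetCacheElements() | ForEach-Object {
            [pscustomobject]@{
                CacheElementId = $_.CacheElementId
                ContentId      = $_.ContentId
                ContentVersion = $_.ContentVersion   # version the client will match against
                SizeMB         = [math]::Round($_.ContentSize / 1KB, 1)   # ContentSize is in KB
                LastReferenced = $_.LastReferenceTime
                Location       = $_.Location
            }
        })
    }
}

function Remove-CMClientCacheElement {
    param(
        [int]$OlderThanDays = 30,   # assumed default
        [switch]$WhatIf
    )
    $ui     = New-Object -ComObject 'UIResource.UIResourceMgr'
    $cache  = $ui.GetCacheInfo()
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    foreach ($e in $cache.GetCacheElements()) {
        if ($e.LastReferenceTime -ge $cutoff) { continue }
        if ($WhatIf) {
            "Would delete $($e.ContentId) v$($e.ContentVersion) at $($e.Location)"
        } else {
            # DeleteCacheElement keeps the client's cache index consistent,
            # unlike Remove-Item on the folder.
            $cache.DeleteCacheElement($e.CacheElementId)
            "Deleted $($e.ContentId) v$($e.ContentVersion)"
        }
    }
}

$report = Get-CMClientCacheReport
"{0}: {1} MB total, {2} MB free, {3} elements" -f $report.Location,
    $report.TotalSizeMB, $report.FreeSizeMB, $report.Elements.Count
$report.Elements | Sort-Object SizeMB -Descending | Format-Table -AutoSize
Remove-CMClientCacheElement -OlderThanDays 30 -WhatIf
```

Run the prune with -WhatIf first: content marked to persist in the cache also shows up here, and deleting it through the API will make the client re-download it the next time a deployment needs it.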
Next steps
Client notification
Client notification in Configuration Manager
Article • 10/04/2022
To take immediate action on remote clients, send a client notification action from the
Configuration Manager console. Start these actions on an individual device or on a
collection of devices.
Actions
The following actions are on the ribbon in the Device or Collection group of the Home
tab.
Install client
Opens the Install Client Wizard. This wizard uses client push installation to install a
Configuration Manager client. For more information, see Client push installation.
Application Administrator
Full Administrator
Infrastructure Administrator
Operations Administrator
OS Deployment Manager
Add these permissions to any custom roles that need to push the client.
Run script
Opens the Run Script wizard to run a PowerShell script on all of the clients in the
collection. For more information, see Create and run PowerShell scripts.
Permissions - Run script
This action requires the Run Script permission on the Collection object.
Full Administrator
Infrastructure Administrator
Operations Administrator
Add this permission to any custom roles that need to run scripts.
Start CMPivot
Starts CMPivot, which runs real-time queries against the targeted devices. For more
information, see CMPivot.
This action requires the Run CMPivot permission on the Collection object.
Client notification
These actions are under the Client notification menu, on the ribbon in the Device or
Collection group of the Home tab. You can start a Client Notification from the Devices
node or within a collection membership view.
Note
Starting in version 2203, you can perform client notification actions, including Run
Scripts, from the Deployment Status view. Use the right-click menu on either a
group of clients in a Category or a single client in the Asset details pane to display
the client notification actions.
Client notification actions require the Notify Resource permission on the Collection
object. This permission applies to all actions under the Client notification menu.
Full Administrator
Operations Administrator
Add this permission to any custom roles that need to use client notification actions.
Wake Up
Trigger devices configured to support Wake-on-LAN to wake up. Other devices on the
same subnet send the Wake-on-LAN packet. For more information, see How to configure
Wake on LAN.
Restart
Trigger the selected devices to restart. For more information, see Restart clients.
Client diagnostics
Use the following actions to help troubleshoot clients:
Enable verbose logging: Change the global log level for the CCM component to
verbose, and enable debug logging.
Disable verbose logging: Change the global log level to default, and disable
debug logging.
Collect Client Logs: The site sends a client notification message to the selected
clients to gather the CCM logs. The client sends the logs to the management point
using the same channel as software inventory file collection. You don't need to
enable software inventory in client settings.
The size limit for the compressed client logs is 100 MB.
Use Resource Explorer to manage and view these files.
Important
These actions only change the log verbosity, not the size or history. More
verbose logging can generate more log content.
The management point role also uses the CCM component. If the targeted
device is also a management point, this action also applies to that role.
For more information about these settings, see About log files.
Track the status of the task in the diagnostics.log on the client. When client logs are
collected, additional information is logged in MP_SinvCollFile.log on the management
point and sinvproc.log on the site server.
Note
Starting in version 2107, you can inventory client log file settings such as log levels
and size. Enable the hardware inventory class, Client Diagnostics
(CCM_ClientDiagnostics). For more information, see Enable or disable existing
hardware inventory classes.
Add this permission to any custom roles that need to use client notification
actions.
The maintenance task to delete aged diagnostic files varies depending on your
Configuration Manager version:
Version 2010 and later uses the Delete Aged Collected Diagnostic Files site
maintenance task to delete diagnostic files.
Version 2006 and earlier uses the Delete Aged Collected Files site maintenance
task to delete diagnostic files.
For more information, see Reference for maintenance tasks in Configuration Manager.
Endpoint Protection
The following actions are under the Endpoint Protection menu. This menu is on the
ribbon in the Collection group of the Home tab. When you select one or more devices,
these actions are on the Selected Object tab of the ribbon.
Full Administrator
Endpoint Protection Manager
Operations Administrator
Add this permission to any custom roles that need to trigger Endpoint Protection
actions.
Full Scan
Trigger Endpoint Protection or Windows Defender to run a full antimalware scan.
Quick Scan
Trigger Endpoint Protection or Windows Defender to run a quick antimalware scan.
Download Definition
Trigger Endpoint Protection or Windows Defender to download the latest antimalware
definitions.
Next steps
How to manage clients
Important
Here are procedures for uninstalling Mac clients and for renewing their certificates.
./CMUninstall -c
Note
The -c property instructs the client uninstall to also remove client crash logs
and log files. We recommend this to avoid confusion if you later reinstall the
client.
Example: If the values are left as their defaults, 45 days before the certificate
expires, the wizard will open every 24 hours. Within 3 days of the certificate
expiring, the wizard will open every 8 hours.
Example: Use the following command line, or a script, to set the first renewal
period to 20 days.
2. When the Renew Certificate Wizard opens, the User name and Server name fields
will typically be pre-populated and the user can just enter a password to renew the
certificate.
Note
If the wizard does not open, or if you accidentally close the wizard, click
Renew from the Configuration Manager preference page to open the wizard.
Important
If the certificate expires, you must uninstall, reinstall and then re-enroll the Mac
client.
This procedure removes the SMSID, which is required to request a new certificate for the
same Mac computer. When you remove and replace the client SMSID, any stored client
history such as inventory is deleted after you delete the client from the Configuration
Manager console.
1. Create and populate a device collection for the Mac computers that must renew
the user certificates.
Warning
Configuration Manager does not monitor the validity period of the certificate
that it enrolls for Mac computers. You must monitor this independently from
Configuration Manager to identify the Mac computers to add to this
collection.
2. In the Assets and Compliance workspace, start the Create Configuration Item
Wizard.
Type: Mac OS X
4. On the Supported Platforms page, ensure that all macOS X versions are selected.
5. On the Settings page, choose New and then, in the Create Setting dialog box,
specify the following information:
Setting type: Script
Data type: String
6. In the Create Setting dialog box, for Discovery script, choose Add script to specify
a script that discovers Mac computers with an SMSID configured.
7. In the Edit Discovery Script dialog box, enter the following Shell Script:
Shell
9. In the Create Setting dialog box, for Remediation script (optional), choose Add
script to specify a script that removes the SMSID when it is found on Mac
computers.
10. In the Create Remediation Script dialog box, enter the following Shell Script:
Shell
12. On the Compliance Rules page of the wizard, click New, and then in the Create
Rule dialog box, specify the following information:
Selected setting: Choose Browse and then select the discovery script that
you specified previously.
Enable the option Run the specified remediation script when this setting is
noncompliant.
13. Complete the Create Configuration Item Wizard.
14. Create a configuration baseline that contains the configuration item that you have
just created and deploy it to the device collection that you created in step 1.
For more information about how to create and deploy configuration baselines, see
How to create configuration baselines and How to deploy configuration baselines.
15. On Mac computers that have the SMSID removed, run the following command to
install a new certificate:
Shell
When prompted, provide the password for the super user account to run the
command and then the password for the Active Directory user account.
16. To limit the enrolled certificate to Configuration Manager, on the Mac computer,
open a terminal window and make the following changes:
b. In the Keychain Access dialog, in the Keychains section, choose System, and
then, in the Category section, choose Keys.
c. Expand the keys to view the client certificates. When you have identified the
certificate with a private key that you have just installed, double-click the key.
f. Choose Save Changes and close the Keychain Access dialog box.
Collections help you organize resources into manageable units. You can create
collections to match your client management needs, and to perform operations on
multiple resources at one time.
Most management tasks rely on or require using one or more collections. Although you
can use the built-in collection of All Systems, using it for management tasks is not a best
practice. Create custom collections to more specifically identify the devices or users for a
task.
Built-in and custom collections appear in the User Collections and Device Collections
nodes in the Assets and Compliance workspace in the Configuration Manager console.
Collections that you have recently viewed appear in the Users node and in the Devices
node in the Assets and Compliance workspace.
The following operations are examples of how collections are used.

Grouping resources: You can create collections that group resources based on your
organization's hierarchy. For example, you could create a collection of all computers in
the "London Headquarters" Active Directory Organizational Unit (OU). For more information
about how to create this type of collection, see How to create collections. You could use
this collection for operations such as configuring Endpoint Protection settings,
configuring device power management settings, or installing the Configuration Manager
client.

Application deployment: You can create a collection of all computers that do not have
Microsoft 365 Apps installed and then deploy it to all computers in that collection. You
can also use application requirements to perform this task. For more information, see
How to create applications with Configuration Manager.

Managing client settings: Although the default client settings in Configuration Manager
apply to all devices and all users, you can create custom client settings that apply to a
collection of devices or a collection of users. For example, if you want remote control to
be available on all but a few devices, configure the default client settings to allow
remote control and then configure custom client settings that do not allow remote control,
and deploy those to the collection of exceptional clients.

Role-based administration: Use collections to control which groups of users have access
to various functionality in the Configuration Manager console.

Maintenance windows: With maintenance windows you can define a time period when various
Configuration Manager operations can be carried out on members of a device collection.
Built-in collections
By default, Configuration Manager includes the following collections, which cannot be
modified.

All User Groups: Contains the user groups that are discovered by using Active Directory
Security Group Discovery.

All Users: Contains the users who are discovered by using Active Directory User Discovery.

All Users and User Groups: Contains the All Users and the All User Groups collections.
This collection contains the largest scope of user and user group resources.

All Desktop and Server Clients: Contains the server and desktop devices that have the
Configuration Manager client installed. Membership is maintained by Heartbeat Discovery.

All Mobile Devices: Contains the mobile devices that are managed by Configuration
Manager. Membership is restricted to those mobile devices that are successfully assigned
to a site or discovered by the Exchange Server connector.

All Systems: Contains the All Desktop and Server Clients, the All Mobile Devices, and the
All Unknown Computers collections, and all mobile devices that are enrolled by Microsoft
Intune. This collection contains the largest scope of device resources.

All Unknown Computers: Contains generic computer records for multiple computer platforms.
You can use this collection to deploy an operating system by using a task sequence and
PXE boot, bootable media, or prestaged media.

Co-management Eligible Devices: Contains devices that meet the client prerequisites and
are eligible for co-management enrollment (added in version 2111).
Custom collections
When you create a custom collection in Configuration Manager, the membership of that
collection is determined by one or more collection rules, as described in How to create
collections.
Prerequisites for collections in Configuration Manager
Article • 10/04/2022
Reporting services point: The reporting services point site system role must be installed
before you can run reports for collections. For more information, see Introduction to
reporting.

Specific security permissions must have been granted to manage collections: You must have
the following security permissions to manage collections:
- To create and manage collections: Create, Delete, Modify, Modify Folder, Move Object,
Read and Read Resource for the Collection object.
If the incremental evaluation cycle is taking longer than the configured update
frequency, then Configuration Manager is constantly processing collection evaluations,
which could affect system performance. Reduce the number of incrementally updated
collections, or increase the time between incremental evaluation cycles.
Given the potential impacts of incremental collections, it's important to have a policy or
procedure for creating the collections and assigning update schedules. Examples of
policy considerations might be:
Only use incremental updates for collections that are used for security scoping,
client settings, and maintenance windows. These collection updates affect client
behavior and access to resources.
For applications with no licensing approval, advertise applications to existing
collections, and use global conditions to restrict availability.
Outline appropriate periods for other collections that have full collection updates
scheduled.
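The policy above needs a way to see which collections are actually evaluated incrementally and to move the ones that don't gate security scoping, client settings or maintenance windows back to a scheduled full evaluation. The following PowerShell is an added example, not code from the Configuration Manager documentation; it assumes the console's ConfigMgr module is installed, that `PS1` is a placeholder site code, and that the allow-list names are placeholders for your own collections.

```powershell
# Added example, not from the Configuration Manager documentation: audit which collections use
# incremental updates and move the ones outside an allow list to a daily full evaluation.
# Load the ConfigMgr module from the installed console and connect to the site drive.
# 'PS1' is a placeholder site code; replace it with your own.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location 'PS1:\'

# SMS_Collection.RefreshType is a bit field: 1 = Manual, 2 = Periodic (scheduled full),
# 4 = Continuous (incremental), 6 = Periodic and Continuous.
$IncrementalFlag = 4

# Collections that gate security scoping, client settings or maintenance windows are the ones
# the policy above keeps incremental. These names are placeholders for your own list.
$KeepIncremental = @(
    'Security Scope - Helpdesk Admins',
    'Client Settings - Servers',
    'Maintenance Window - Patch Tuesday'
)

function Get-IncrementalCollectionReport {
    # Returns every incrementally evaluated collection, flagging those not on the allow list.
    Get-CMCollection |
        Where-Object { ($_.RefreshType -band $IncrementalFlag) -ne 0 } |
        ForEach-Object {
            [pscustomobject]@{
                CollectionID    = $_.CollectionID
                Name            = $_.Name
                BuiltIn         = [bool]$_.IsBuiltIn
                LastRefreshTime = $_.LastRefreshTime
                Allowed         = ($KeepIncremental -contains $_.Name)
            }
        }
}

$report = @(Get-IncrementalCollectionReport)
$outside = @($report | Where-Object { -not $_.Allowed })
Write-Host ("{0} collections are evaluated incrementally; {1} are outside the allow list." -f
    $report.Count, $outside.Count)
$report | Sort-Object Allowed, Name | Format-Table -AutoSize

# Remediation: switch the non-allowed, non-built-in collections to one scheduled full
# evaluation per day at 02:00. Built-in collections are left alone because their evaluation
# can't be disabled, only scheduled. -WhatIf previews the change; remove it to apply.
$Daily = New-CMSchedule -Start (Get-Date -Hour 2 -Minute 0 -Second 0) -RecurInterval Days -RecurCount 1
foreach ($c in $outside | Where-Object { -not $_.BuiltIn }) {
    Set-CMCollection -CollectionId $c.CollectionID -RefreshType Periodic -RefreshSchedule $Daily -WhatIf
}
```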
Avoid evaluation of large trees from the CAS
In a Configuration Manager environment, the central administration site (CAS) doesn't
evaluate collection membership. Primary sites are the only sites that evaluate collections.
Secondary sites act as proxies that use only data they replicate from their primary site.
To request a collection update, the CAS sends a request to each primary site. The
primary sites evaluate the collection and send the results back to the CAS. The collection
evaluation results appear only after all collection evaluation instructions replicate to all
sites, all sites evaluate all collections, and all data returns to the CAS and is combined.
The following diagram demonstrates the flow when the CAS requests a manual
collection update:
A collection update from a CAS with multiple primary sites can be time consuming. If a
collection doesn't evaluate in a timely fashion, it's tempting to repeat the request.
Once a collection evaluation thread begins and loads the evaluation graph, evaluation
continues until the collection evaluation graph is empty. The thread then terminates and
becomes available for the next evaluation. However, if another collection evaluation
cycle queues while the thread is evaluating collections, the thread immediately restarts
to attempt an evaluation of the "missed" cycle.
Each evaluation method runs in its own thread. It's possible that within the thread,
Configuration Manager may attempt to graph the same collection more than once.
Configuration Manager then drops the second and later requests.
To prevent these scenarios, avoid manual collection evaluations of large trees, especially
when working from the CAS with multiple sites.
Consider collection depth and cross-referencing
To strike a balance between business requirements and performance, it's important to
understand the collection structure you create, and its dependencies on other
collections. If you create a collection with rules that reference one or more collections
that also refer to other collections, all of those collections are evaluated to create the
membership of the collection.
The include and exclude collection rules in Configuration Manager make referencing
collections easier than writing a custom WQL query. However, if using include and
exclude collections results in a high-performance toll, you can use the WQL query
method instead. Use the following example queries and replace the example collection
ID XYZ0003F with the ID of the collection you want to include or exclude.
Include:
select * from SMS_R_System where SMS_R_System.ResourceId in (select ResourceId
from SMS_CM_RES_COLL_XYZ0003F)
Exclude:
select * from SMS_R_System where SMS_R_System.ResourceId not in (select ResourceId
from SMS_CM_RES_COLL_XYZ0003F)
Tip
To manually do a similar check with SQL, you can use the following query:
SQL
FROM (
) AS [t2]
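The WQL approach described above replaces include and exclude collection rules with a query against the referenced collection's membership class. The following PowerShell is an added example, not code from the Configuration Manager documentation; it assumes the console's ConfigMgr module, the placeholder site code `PS1`, and the placeholder collection IDs `PS100010` (Dell desktops) and `PS100011` (computers with less than 4 GB of RAM). It also shows a point the bare queries don't: an include and an exclude must be combined into one query rule, because separate query rules on a collection are unioned.

```powershell
# Added example, not from the Configuration Manager documentation: express an include and an
# exclude relationship as one WQL query rule instead of include/exclude collection rules.
# 'PS1' is a placeholder site code; PS100010 and PS100011 are placeholder collection IDs.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location 'PS1:\'

function New-CollectionScopeWql {
    # Builds the membership query for "in $IncludeId and not in any of $ExcludeIds".
    # Both relationships go into ONE query: separate query rules are unioned, so a standalone
    # "not in" rule would add every other resource instead of excluding one collection.
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Z0-9]{3}[0-9A-F]{5}$')][string]$IncludeId,
        [ValidatePattern('^[A-Z0-9]{3}[0-9A-F]{5}$')][string[]]$ExcludeIds = @()
    )
    # The pattern check keeps anything but a well-formed collection ID out of the WQL text.
    $wql = 'select * from SMS_R_System where SMS_R_System.ResourceId in ' +
           "(select ResourceId from SMS_CM_RES_COLL_$IncludeId)"
    foreach ($id in $ExcludeIds) {
        $wql += " and SMS_R_System.ResourceId not in (select ResourceId from SMS_CM_RES_COLL_$id)"
    }
    return $wql
}

# Dell desktops (PS100010) minus computers with less than 4 GB of RAM (PS100011), mirroring the
# include/exclude example in the "How to create collections" article.
$query = New-CollectionScopeWql -IncludeId 'PS100010' -ExcludeIds 'PS100011'

$collection = New-CMDeviceCollection -Name 'Dell desktops with 4 GB or more' `
    -LimitingCollectionName 'All Desktop and Server Clients'

Add-CMDeviceCollectionQueryMembershipRule -CollectionId $collection.CollectionID `
    -RuleName 'Dell desktops, excluding low RAM' -QueryExpression $query

# Confirm the collection carries no include/exclude rules, so its evaluation graph stays flat.
$refs = @(Get-CMCollectionIncludeMembershipRule -CollectionId $collection.CollectionID) +
        @(Get-CMCollectionExcludeMembershipRule -CollectionId $collection.CollectionID)
if ($refs.Count -eq 0) { Write-Host "Membership is defined by a single query rule: $query" }
```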
It's important to understand collection evaluation behavior so you can make appropriate
collection design decisions. For collection evaluation guidance and recommendations,
see Best practices for collections.
Evaluation process
The colleval.log records when the collection evaluator creates, changes, and deletes
collections.
At a high level, each individual collection evaluation and update follows these steps:
Tip
You can use management insights in the Configuration Manager console to help
you manage your collections. There's a group of insights specific to Collections.
There are also several insights in the Configuration Manager Assessment group for
collections.
The following table describes collection evaluation triggers and their corresponding
evaluation types.
Trigger: Staging. Evaluation type: Single or Auxiliary. Description: All collections directly
or indirectly depend on All Systems or All Users and User Groups. Both of these collections do
a full collection evaluation at 4:00 AM daily. A change to either of these collections
triggers updates of dependent collections, based on a full collection graph.
When collection evaluation starts, Configuration Manager builds a graph that includes
all collections that could possibly need evaluating as a result of changes to the target
collection, starting from the highest level in the cycle. The collection evaluator then
moves through the graph in order, evaluating each collection membership in turn. After
the collection is fully evaluated, the collection evaluator removes lower-level collections
that aren't affected by this cycle from the collection evaluation graph.
If one or more of the collections being evaluated has an include or exclude rule, the
collection evaluator adds the included or excluded collection to the graph, along with
any collections that collection limits. If there are any changes during the evaluation of
the include and exclude collections, the graph continues on that branch before it returns
to the main branch.
For example, the following diagram shows newly discovered resources that are
applicable to all collections. However, collection evaluation only updates the All Servers
and All Domain Controllers collections. The collection evaluator doesn't evaluate the
other collections, because the All Member Servers collection isn't enabled for
incremental evaluation.
The following diagram shows how a scheduled or manual collection update request for
the All Servers collection produces a full graph that includes all applicable collections.
The new DNS server and domain controller resources are in scope of the membership
queries of all collections, so all the collections update.
A full evaluation doesn't always evaluate all collections. The collection evaluation graph
only continues to evaluate dependent collections if an update occurs to the current
referenced collection. If an incrementally updated collection updates during scheduled
incremental evaluations, referencing collections that aren't enabled for incremental
updates may not update. A full evaluation doesn't update the collection, ending the
collection evaluation graph and any referencing collection evaluations for that cycle.
In the following example, installing DNS on the existing server makes it a member of the
DNS Servers collection, but because there's no update to its limiting All Member
Servers collection, the full evaluation doesn't evaluate the DNS Servers collection. The
next incremental evaluation cycle will evaluate the DNS Servers collection, because it's
an incremental collection.
Next steps
How to create collections
Best practices for collections
View collection evaluation (starting in version 2010)
Collection Evaluation Viewer
How to create collections in
Configuration Manager
Article • 12/05/2022
Collections are groupings of users or devices. Use collections for tasks like managing
applications, deploying compliance settings, or installing software updates. You can also
use collections to manage groups of client settings or use them with role-based
administration to specify the resources that an administrative user can access.
Configuration Manager contains several built-in collections. For more information, see
Introduction to collections.
Note
The information in this article can help you create collections in Configuration Manager.
You can also import collections that were created at the current Configuration Manager
site or at another one. For more information about how to export and import
collections, see How to manage collections.
Collection rules
There are different types of rules that you can use to configure the members of a
collection in Configuration Manager.
Direct rule
Use direct rules to choose the users or computers that you want to add to a collection.
The membership doesn't change unless you remove a resource from Configuration
Manager. Before you can add the resources to a direct rule collection, Configuration
Manager must have discovered them or you must have imported them. Direct rule
collections have more administrative overhead than query rule collections because they
require manual changes.
Query rule
Dynamically update the membership of a collection based on a query that Configuration
Manager runs on a schedule. For example, you can create a collection of users that are a
member of the Human Resources organizational unit in Active Directory Domain
Services. This collection is automatically updated when new users are added to or
removed from the Human Resources organizational unit.
For example queries that you can use to build collections, see How to create queries.
You can add multiple exclude collection rules to a collection. If a collection includes both
include collection and exclude collection rules and there's a conflict, the exclude
collection rule takes priority.
For example, you create a collection that has one include collection rule and one exclude
collection rule. The include collection rule is for a collection of Dell desktops. The exclude
collection is for a collection of computers that have less than 4 GB of RAM. The new
collection contains Dell desktops that have at least 4 GB of RAM.
Create a collection
1. In the Configuration Manager console, go to the Assets and Compliance
workspace.
To create a device collection, select the Device Collections node. Then, on the
Home tab of the ribbon, in the Create group, select Create Device Collection.
To create a user collection, select the User Collections node. Then, on the
Home tab of the ribbon, in the Create group, select Create User Collection.
2. On the General page of the wizard, provide a Name and a Comment. In the
Limiting collection section, select Browse, and then select a limiting collection. The
collection you're creating will contain only members from the limiting collection.
3. On the Membership Rules page, in the Add Rule list, select the type of
membership rule that you want to use for the collection. You can configure
multiple rules for each collection. The configuration for each rule varies. For more
information on configuring each rule, see the following sections of this article:
Direct rule
Query rule
Include collection rule
Exclude collection rule
Use incremental updates for this collection: Select this option to periodically
scan for and update only new or changed resources from the previous
collection evaluation. This process is independent of a full collection
evaluation. By default, incremental updates occur at 5-minute intervals.
Important
Collections with query rules that use the following classes don't support
incremental updates:
SMS_G_System_CollectedFile
SMS_G_System_LastSoftwareScan
SMS_G_System_AppClientState
SMS_G_System_DCMDeploymentState
SMS_G_System_DCMDeploymentErrorAssetDetails
SMS_G_System_DCMDeploymentCompliantAssetDetails
SMS_G_System_DCMDeploymentNonCompliantAssetDetails
SMS_G_User_DCMDeploymentCompliantAssetDetails (for collections
of users only)
SMS_G_User_DCMDeploymentNonCompliantAssetDetails (for
collections of users only)
SMS_G_System_SoftwareUsageData
SMS_G_System_CI_ComplianceState
SMS_G_System_EndpointProtectionStatus
SMS_GH_System_*
SMS_GEH_System_*
When you disable this setting, the site clears the schedule. This change
from previous behavior makes sure that the site doesn't continue to
evaluate the query. To stop the site evaluating a collection on a schedule,
disable this option.
You can't disable the evaluation of built-in collections like All Systems, but
you can configure the schedule. This behavior allows you to customize this
action at a time that meets your requirements.
Tip
5. Complete the wizard to create the new collection. The new collection is displayed
in the Device Collections node of the Assets and Compliance workspace.
Note
Resource class: Select the type of resource you want to search for and add to
the collection. For example:
System Resource: Search for inventory data returned from client
computers.
Unknown Computer: Select from values returned by unknown computers.
User Resource: Search for user information collected by Configuration
Manager.
User Group Resource: Search for user group information collected by
Configuration Manager.
Attribute name: Select the attribute associated with the selected resource
class that you want to search for. For example:
If you want to select users by their organizational unit (OU) name, select
User Resource in the Resource class list and User OU Name in the
Attribute name list.
Value: Enter a value to search the selected attribute name. Use the percent
character ( % ) as a wildcard. For example:
To search for users in the Contoso OU, enter Contoso in this field.
2. On the Select Resources page, select the resources that you want to add to the
collection in the Resources list, and then select Next.
Import Query Statement: Opens the Browse Query dialog box. Select a
Configuration Manager query to use as the query rule for the collection.
Resource class: Select the type of resource you want to search for and add to the
collection. Select a value from System Resource to search for inventory data
returned from client computers or from Unknown Computer to select from values
returned by unknown computers.
Edit Query Statement: Opens the Query Statement Properties dialog box, where
you can write a query to use as the rule for the collection. On the General tab, if
you select the option to Omit duplicate rows (select distinct), it may result in
fewer rows returned but potentially quicker results. For more information about
queries, see Introduction to queries.
Starting in Configuration Manager 2010, you can preview the results when
you're creating or editing a query for collection membership. For more
information, see the Preview collection queries section.
Starting in Configuration Manager 2010, you can preview the results when you're
creating or editing a query for collection membership. In the Query Statement
Properties, select the green triangle to show the Query Results Preview window. Select
Stop if you want to stop a long running query.
Starting in Configuration Manager version 2103, you have more options when using the
collection query preview. The following improvements have been made to previewing
collection queries:
Note
Elapsed times shown for the query preview may not be the same as actual
execution of the target query.
Query execution elapsed time and Displaying results elapsed time shouldn't
be added for a total elapsed time since these processes run in parallel.
Import a collection
When you export a collection from a site, Configuration Manager saves it as a Managed
Object Format (MOF) file. Use this procedure to import that file into your site database.
To complete this procedure, you need Create permissions on the collections class.
Important
Make sure the MOF file contains only collection data, is from a trusted source, and
hasn't been tampered with.
Also make sure to export the file from a site that's the same version of
Configuration Manager as the import site.
For more information about exporting collections, see How to manage collections.
1. In the Configuration Manager console, go to the Assets and Compliance
workspace. Select either the User Collections or the Device Collections node.
2. On the Home tab of the ribbon, in the Create group, select Import Collections.
4. On the MOF File Name page, select Browse. Browse to the MOF file that contains
the collection information you want to import.
5. Complete the wizard to import the collection. The new collection is displayed in
the User Collections or Device Collections node of the Assets and Compliance
workspace. Refresh or reload the Configuration Manager console to see the
collection members for the newly imported collection.
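The Important note above asks you to confirm that a MOF file contains only collection data and comes from a trusted source before importing it. The following PowerShell is an added example, not code from the Configuration Manager documentation: it lists the WMI classes and membership queries in an export so they can be reviewed, and refuses anything outside the collection classes. The embedded MOF is constructed and simplified for the example; the class names are the SMS Provider classes (`SMS_Collection` and the `SMS_CollectionRule*` rule classes) that a collection export is made of.

```powershell
# Added example, not from the Configuration Manager documentation: review an exported collection
# MOF before importing it. The MOF text below is constructed and simplified for this example.
$SampleMof = @'
#pragma namespace ("\\\\.\\root\\sms\\site_PS1")
instance of SMS_Collection
{
    Name = "Dell desktops";
    LimitToCollectionID = "SMS00001";
    CollectionRules = {
instance of SMS_CollectionRuleQuery
{
    QueryExpression = "select * from SMS_R_System where SMS_R_System.ResourceId in (select ResourceId from SMS_CM_RES_COLL_PS100010)";
    RuleName = "Dell desktops";
}};
};
'@

function Test-CollectionMof {
    # Returns what the MOF declares: the classes it instantiates, the membership queries it
    # carries, and whether every class is one a collection export is expected to contain.
    param([Parameter(Mandatory)][string]$MofText)

    $AllowedClasses = @(
        'SMS_Collection',
        'SMS_CollectionRuleQuery',
        'SMS_CollectionRuleDirect',
        'SMS_CollectionRuleIncludeCollection',
        'SMS_CollectionRuleExcludeCollection'
    )

    $classes    = @([regex]::Matches($MofText, 'instance of\s+(\w+)') | ForEach-Object { $_.Groups[1].Value })
    $unexpected = @($classes | Where-Object { $AllowedClasses -notcontains $_ } | Sort-Object -Unique)
    # QueryExpression values are quoted MOF strings; allow escaped quotes inside them.
    $queries    = @([regex]::Matches($MofText, 'QueryExpression\s*=\s*"((?:[^"\\]|\\.)*)"') |
                    ForEach-Object { $_.Groups[1].Value })
    $namespace  = [regex]::Match($MofText, '#pragma namespace\s*\("([^"]+)"\)').Groups[1].Value

    [pscustomobject]@{
        Namespace         = $namespace
        Classes           = @($classes | Sort-Object -Unique)
        UnexpectedClasses = $unexpected
        Queries           = $queries
        Safe              = ($unexpected.Count -eq 0)
    }
}

# For a real file: $MofText = Get-Content -Path $MofPath -Raw
# If the exporting site recorded the file hash, compare it first, for example:
# (Get-FileHash -Path $MofPath -Algorithm SHA256).Hash -eq $RecordedSha256   # placeholder value
$result = Test-CollectionMof -MofText $SampleMof

Write-Host "Namespace: $($result.Namespace)"
$result.Queries | ForEach-Object { Write-Host "Review membership query: $_" }
if (-not $result.Safe) {
    throw "MOF declares classes that are not collection data: $($result.UnexpectedClasses -join ', ')"
}
Write-Host 'Only collection classes found; review the queries above, then run Import-CMCollection.'
```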
Use PowerShell
You can use PowerShell to create and import collections. For more information, see the
following cmdlet articles:
New-CMCollection
Set-CMCollection
Import-CMCollection
Next steps
Manage collections
Synchronizations can either be full or incremental and they have slightly different
behaviors:
Full synchronization: Occurs on the first synchronization after enabling it. You can
force a full synchronization by selecting the collection, and then choosing
Synchronize Membership from the ribbon. A full synchronization will overwrite
members of the Azure AD group.
1. From Azure AD, create a group called Group1 and add DeviceA, DeviceB, and DeviceC.
3. Select New group, enter a Group name, and optionally enter a Group description.
5. Select Owners, then add the identity that will create the synchronization
relationship in Configuration Manager.
Tip
The Server App (service principal) of the Azure AD tenant will be the owner of the
created Azure AD group.
2. Select the cloud management service for the Azure AD tenant where you created
the group. Then in the ribbon, select Properties.
3. Switch to the Collection Synchronization tab, and select the option to Enable
Azure Directory Group Sync.
4. If necessary, change the Tenant to where you created the Azure AD group.
5. Type in your search criteria in the Name starts with field, then select Search. If you
leave the criteria blank, the search returns all groups from the tenant. If it prompts
you to sign in, use the identity you specified as the owner for the Azure AD group.
6. Choose the target group, and then select OK to add the group. Select OK again to
exit the collection's properties.
Wait about five to seven minutes before you can verify the group memberships in the
Azure portal. To start a full synchronization, select the collection, and then in the ribbon
select Synchronize Membership.
Use PowerShell
You can use PowerShell to synchronize collections. For more information, see the
following cmdlet article:
Set-CMCollectionCloudSync
2. Select Collection Cloud Sync and select either the Device Collections or User
Collections node.
3. The view lists all the collections that are enabled for cloud sync and relevant
details.
4. Right-click a column header to add columns that show more information.
5. When you select a collection, its member status appears in the bottom tab.
6. The members are categorized by sync status: Success, Failed, In Progress.
7. On the Failed tab, you can find the reason for failure for each member.
Default Columns:
Collection Id – Id of Collection
Optional Columns:
Last Sync Member Count - Count of members synchronized during last sync
4. Confirm that the members reflect the resources in the Configuration Manager
collection. Only resources with Azure AD identity show in the group.
How to manage collections in
Configuration Manager
Article • 02/22/2023
Use the overview information in this article to help you run management tasks for
collections in Configuration Manager.
For information about how to create Configuration Manager collections, see How to
create collections.
Collection actions
In the Configuration Manager console, go to the Assets and Compliance workspace.
Select Device Collections or User Collections, select the collection to manage, and then
select a management task.
Show Members
Displays all of the resources that are members of the selected collection in a temporary
node under the Devices node.
Add Selected Items to Existing Device Collection: Opens the Select Collection
window. Select the collection to which you want to add the members of the
selected collection. The selected collection is included in this collection by using an
Include Collections membership rule.
Add Selected Items to New Device Collection: Opens the Create Device
Collection Wizard where you can create a new collection. The selected collection is
included in this collection by using an Include Collections membership rule.
Run Script
Opens the Run Script wizard to run a PowerShell script on all of the clients in the
collection. For more information, see Create and run PowerShell scripts.
Start CMPivot
Opens CMPivot for this collection. Use CMPivot to query device information and take
action in real time. For more information, see CMPivot for real-time data.
Update membership
Evaluates the membership for the selected collection. For collections with many
members, this update might take some time to finish. Use the Refresh action to update
the display with the new collections members after the update is completed.
Synchronize membership
If you configured this collection for cloud sync, synchronize the current membership
with an Azure Active Directory group. For more information, see Create collections.
Add resources
Opens the Add Resources to Collection window. Search for new resources to add to the
selected collection. The icon for the selected collection displays an hourglass symbol
while the update is in progress.
Client notification
For more information, see Client notifications.
Client diagnostics
Displays the following options:
Endpoint Protection
Export
Opens the Export Collection Wizard that helps you export this collection to a Managed
Object Format (MOF) file. You can then archive this file, or import it to another
Configuration Manager site. When you export a collection, referenced collections aren't
exported. A referenced collection is referenced by the selected collection by using an
Include or Exclude rule.
Copy
Creates a copy of the selected collection. The new collection uses the selected collection
as a limiting collection.
Refresh
Delete
Deletes the selected collection. You can also delete all of the resources in the collection
from the site database.
You can't delete the collections that are built into Configuration Manager. For a list of
the built-in collections, see Introduction to collections.
Starting in version 2203, when you delete a collection, you can review and delete its
dependent collections at the same time. For more information, see Delete collection
references.
Simulate deployment
Opens the Simulate Application Deployment Wizard. This wizard lets you test the
results of an application deployment without installing or uninstalling the application.
For more information, see How to simulate application deployments.
Deploy
Program: Opens the Deploy Software Wizard. Select and configure a package and
program deployment to the selected collection. For more information, see
Packages and programs.
Task Sequence: Opens the Deploy Software Wizard. Select and configure a task
sequence deployment to the selected collection. For more information, see Deploy
a task sequence.
Software Updates: Opens the Deploy Software Updates Wizard. Configure the
deployment of software updates to resources in the selected collection. For more
information, see Deploy software updates.
View relationships
Properties
A new Details window shows more information about the relationship types, and lets
you view collection relationships in a graphical chart.
3. Once the relationship types finish loading, select View Relationships to see the
graph.
4. If all of the dependent collections can be deleted, select Delete all listed
collections.
5. Review the list of collections and any software deployments that the site will also
remove. You also can Delete each collection member from the database.
There are several reasons why the site can't delete a dependent collection:
Assigned to user: For more information, see Modify the administrative scope of an
administrative user.
Used by cloud attach: For more information, see Enable cloud attach for
Configuration Manager.
Use for upload to Microsoft Intune: For more information, see Make
Configuration Manager collections available to assign Endpoint security policies.
The details window lists collections that can't be deleted with the reason why.
Show Members
Add Selected Items
Add Selected Items to Existing User Collection
Add Selected Items to New User Collection
Manage Affinity Requests
Update Membership
Synchronize Membership
Add Resources
Export
Copy
Refresh
Delete
Simulate Deployment
Deploy
Application
Program
Configuration Baseline
View Relationships
Move
Properties
Collection properties
When you view properties for a collection, you can view and configure the following
options:
General: View and configure general information about the selected collection
including the collection name, the limiting collection, the collection ID, and last
update times.
Membership Rules: Configure the membership rules that define the membership
of this collection. For more information, see How to create collections.
Collection Variables: Configure variables that apply to this collection and can be
used by task sequences. For more information, see How to set task sequence
variables.
Starting in version 2006, you can also make this collection available to assign
endpoint security policies when you tenant-attach the site. For more information,
see Tenant attach: Onboard Configuration Manager clients to Microsoft Defender
for Endpoint from the admin center.
Security: Displays the administrative users who have permissions for the selected
collection from associated roles and security scopes. For more information, see
Fundamentals of role-based administration.
Alerts: Configure when alerts are generated for client status and endpoint
protection. For more information, see How to configure client status and How to
monitor endpoint protection.
Basic cmdlets
Get-CMCollection
New-CMCollection
Remove-CMCollection
Set-CMCollection
Other actions
Copy-CMCollection
Export-CMCollection
Get-CMCollectionMember
Get-CMCollectionSetting
Import-CMCollection
Invoke-CMCollectionUpdate
Get-CMCollectionDirectMembershipRule
Get-CMCollectionExcludeMembershipRule
Get-CMCollectionIncludeMembershipRule
Get-CMCollectionQueryMembershipRule
Remove-CMCollectionDirectMembershipRule
Remove-CMCollectionExcludeMembershipRule
Remove-CMCollectionIncludeMembershipRule
Remove-CMCollectionQueryMembershipRule
Add-CMDeviceCollectionDirectMembershipRule
Add-CMDeviceCollectionExcludeMembershipRule
Add-CMDeviceCollectionIncludeMembershipRule
Add-CMDeviceCollectionQueryMembershipRule
Get-CMDeviceCollectionDirectMembershipRule
Get-CMDeviceCollectionExcludeMembershipRule
Get-CMDeviceCollectionIncludeMembershipRule
Get-CMDeviceCollectionQueryMembershipRule
Remove-CMDeviceCollectionDirectMembershipRule
Remove-CMDeviceCollectionExcludeMembershipRule
Remove-CMDeviceCollectionIncludeMembershipRule
Remove-CMDeviceCollectionQueryMembershipRule
Get-CMUserCollectionDirectMembershipRule
Get-CMUserCollectionExcludeMembershipRule
Get-CMUserCollectionIncludeMembershipRule
Get-CMUserCollectionQueryMembershipRule
Remove-CMUserCollectionDirectMembershipRule
Remove-CMUserCollectionExcludeMembershipRule
Remove-CMUserCollectionIncludeMembershipRule
Remove-CMUserCollectionQueryMembershipRule
Next steps
Client notifications
If you want to change or delete collections, view the relationships to understand the
effect of the proposed change. Before you create a deployment, look at the potential
target collection for any include or exclude relationships that might affect the
deployment.
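Besides the console's View Relationships action, the same check can be scripted so that a deployment target's limiting, include and exclude references are reviewed before the deployment is created, which also shows the collection depth discussed under "Consider collection depth and cross-referencing". The following PowerShell is an added example, not code from the Configuration Manager documentation; it assumes the console's ConfigMgr module, the placeholder site code `PS1`, and the placeholder target collection ID `PS100020`.

```powershell
# Added example, not from the Configuration Manager documentation: walk the limiting, include
# and exclude references of a target collection before deploying to it.
# 'PS1' is a placeholder site code and PS100020 a placeholder collection ID.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location 'PS1:\'

function Get-CollectionReferenceTree {
    # Emits one object per collection reached from the target, with its depth and how it is
    # referenced. $Seen stops cycles and repeated subtrees from being walked twice.
    param(
        [Parameter(Mandatory)][string]$CollectionId,
        [string]$Relation = 'Target',
        [int]$Depth = 0,
        [hashtable]$Seen = @{}
    )
    if ($Seen.ContainsKey($CollectionId)) { return }
    $Seen[$CollectionId] = $true

    $coll = Get-CMCollection -Id $CollectionId
    if (-not $coll) { Write-Warning "Collection $CollectionId was not found"; return }

    [pscustomobject]@{
        Depth        = $Depth
        Relation     = $Relation
        CollectionID = $coll.CollectionID
        Name         = $coll.Name
        # RefreshType bit 4 = Continuous (incremental) evaluation
        Incremental  = (($coll.RefreshType -band 4) -ne 0)
    }

    # Every reference that the collection evaluator adds to the graph for this collection.
    $next = @()
    if ($coll.LimitToCollectionID) {
        $next += @{ Id = $coll.LimitToCollectionID; Relation = 'Limiting' }
    }
    foreach ($r in Get-CMCollectionIncludeMembershipRule -CollectionId $CollectionId) {
        $next += @{ Id = $r.IncludeCollectionID; Relation = 'Include' }
    }
    foreach ($r in Get-CMCollectionExcludeMembershipRule -CollectionId $CollectionId) {
        $next += @{ Id = $r.ExcludeCollectionID; Relation = 'Exclude' }
    }
    foreach ($n in $next) {
        Get-CollectionReferenceTree -CollectionId $n.Id -Relation $n.Relation `
            -Depth ($Depth + 1) -Seen $Seen
    }
}

$tree = @(Get-CollectionReferenceTree -CollectionId 'PS100020')
$tree | Format-Table Depth, Relation, CollectionID, Name, Incremental -AutoSize

$maxDepth = ($tree | Measure-Object -Property Depth -Maximum).Maximum
$excludes = @($tree | Where-Object { $_.Relation -eq 'Exclude' })
Write-Host ("Target reaches {0} collections, depth {1}; {2} exclude references would remove members from the deployment." -f
    $tree.Count, $maxDepth, $excludes.Count)
```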
When you select the View Relationships action on a device or user collection:
For example, if you select the All Systems collection to view its relationships, the
Dependency node will be 0 as it has no parent collections.
Select the plus ( + ) or minus ( - ) icons next to the collection name to expand or
collapse members of a node.
If you hover over a specific line, a tooltip shows the relationship type.
The maximum number of child nodes displayed depends upon the level of the
graph:
First level: five nodes
Second level: three nodes
Third level: two nodes
Fourth level: one node
If there are more objects than the graph can display at that level, you'll see the
More icon.
When the width of the tree is larger than the window, use the green arrows to the
right or the left to view more.
When a node of the relationship tree is larger than the available space, select More
to change the view to just that node.
To navigate to a prior view, select the Back arrow in the upper right corner. Select
the Home icon to return to the main page.
Use the Search box in the upper right corner to locate a collection in the current
tree view.
Use the Navigator in the lower right corner to zoom and pan around the tree. You
can also print the current view.
You can only see relationships between collections to which you have permission:
If you have permission for All Systems or All Users and User Groups, then you'll
see all relationships.
If you don't have permission for a specific collection, you don't see it in the
graph, and can't view its relationships.
The following example shows the relationships for the "c1" collection in the center. It's
dependent upon the collections above it (parents), and has dependencies below it
(children).
To see the relationships of another collection in the graph, select it to open a new
window targeted on that collection.
Other improvements:
There's a new Filter button in the upper right corner. This action lets you reduce
the graph to specific relationship types: Limiting, Include, or Exclude.
If you don't have permissions to all related collections, the graph includes a
warning message that the graph may be incomplete.
When the graph is wider than the window can display, use the page navigation
controls in the upper left corner. The first number is the page for parents (above),
and the second number is the page for children (below). The window title also
shows the page numbers.
The tooltip for a collection displays the count of dependencies it has and the count
of dependent collections where applicable. This count only includes unique
subcollections. The count no longer displays in the parentheses next to the
collection name.
Previously the Back button took you through your viewing history. Now it takes
you to the previously selected collection. For example, changing pages for the
current collection doesn't activate the Back button. When you select a new
collection, you can select Back to return to the original collection graph.
Tip
Hold the Ctrl key and scroll the mouse wheel to zoom the graph.
For more information on how to navigate the collection dependency graph with a
keyboard, see Accessibility features.
Next steps
How to view collection evaluation
How to view collection evaluation
Article • 10/04/2022
Historic and live information for full and incremental collection evaluations
The evaluation queue status
The time for collection evaluations to complete
Which collections are currently being evaluated
The estimated time that a collection evaluation will start and complete
Tip
When using the console connected to a CAS using Configuration Manager 2010,
you'll see the following behavior:
Evaluation (Full)
Last Completion Time: When the last collection evaluation completed
(default column)
Run Time: How long the last collection evaluation ran, in seconds
Next Refresh Time: When the next full evaluation starts
Member Changes: The member changes in the last collection evaluation.
Positive numbers mean members were added while negative numbers
mean members were removed.
Last Member Change Time: The most recent time that there was a
membership change in the collection evaluation
Evaluation (Incremental)
Last Evaluation Completion Time: When the last collection evaluation
completed
Run Time: How long the last collection evaluation ran, in seconds
Member Changes: The member changes in the last collection evaluation.
These changes are either plus (members added) or minus (members
removed).
Last Member Change Time: The most recent time that there was a
membership change in the collection evaluation
5. The Related Objects give links to view status of the collection in the specific queue.
These links take you to the queues in the Monitoring workspace under the
Collection Evaluation node.
This action creates a new node where you can see the evaluation
status for the specific collection.
3. The total number of collections in the queue and the queue length are listed as a summary.
Additionally, the following status summaries for the evaluation queues are listed:
The Full Evaluation Status and Incremental Evaluation Status subnodes have been
added to the Collection Evaluation node in the Monitoring workspace.
On a primary site, Full Evaluation Status and Incremental Evaluation Status show
the data for the local evaluations.
On a CAS, Full Evaluation Status and Incremental Evaluation Status show the
data from the primary site with the longest run time.
Using the longest runtime for these nodes is the same logic that's used for the
collection evaluation columns at the CAS.
Since collection evaluation happens at the primary site level, the collection evaluation
view on the CAS is a summary of what's occurring on the primary sites. Starting in
Configuration Manager version 2103, there are two new tabs in the details pane of the
collection view in the console. The following new tabs show collection evaluation
information from all primary sites in hierarchy:
From the Device Collections node at the CAS, the evaluation columns display the
evaluation status from the primary site with the longest run time. The column
information at the CAS for the full evaluation status could be from a different primary
site than the incremental information since the longest runtime for the incremental
might have occurred at a different primary.
For instance, incremental evaluation for the All Systems collection on the WMI primary
site takes longer than the other primary sites. The full evaluation columns on the CAS
display the information from primary site WMI for the All Systems collection in the
Device Collections node.
You can navigate to a collection in the Assets and Compliance workspace from a
collection evaluation status view or evaluation queue in the Monitoring workspace.
Select a collection from one of the status views or queues, then choose View collection
from the ribbon or right-click menu to open the collection.
Navigation to the collection from queues won't occur if the collection evaluation has
completed. You can only drill through from an item in a queue that's still currently
running its evaluation. If the evaluation has already completed, the View collection
action takes you to the main collection view. Drill through from the evaluation status
views, Full Evaluation Status and Incremental Evaluation Status, always takes you to
the collection.
Next steps
Learn more about Collection evaluation in Configuration Manager.
How to use maintenance windows in
Configuration Manager
Article • 10/04/2022
Use maintenance windows to define when Configuration Manager can run impacting
tasks on devices. Maintenance windows help make sure that client configuration
changes occur during times that don't affect productivity. With Software Center, users
can see the device's next maintenance window on the Installation status tab.
Configure maintenance windows with an effective date, a start and end time, and a
recurrence pattern. The maximum duration of a window has to be less than 24 hours.
The console doesn't allow a single maintenance window longer than 24 hours. For
example, if you want to allow maintenance all day Saturday and Sunday, then create two
24-hour maintenance windows, one for each day.
Tip
A maintenance window is for a client. A service window is for a site server. For more
information, see Service windows for site servers.
Multiple maintenance windows
When a client computer is a member of multiple device collections that have
maintenance windows, these rules apply:
If the maintenance windows don't overlap, the client treats them as two
independent maintenance windows.
If the maintenance windows overlap, the client treats them as a single window for
the entire time of both windows. For example, you create two maintenance
windows on a collection. The first is effective from 6:00 to 7:00, and the second is
effective from 6:30 to 7:30. Because they overlap by 30 minutes, the effective
duration of the combined maintenance window is 90 minutes from 6:00 to 7:30.
When a user installs an application from Software Center, the client starts it immediately.
It prioritizes the user's intent over the administrator's.
By default, with multiple maintenance windows, the client only installs software updates
during Software Update type windows. It ignores any All deployments maintenance
windows, unless they're the only type. You can configure this behavior with the following
client setting in the Software updates group: Enable installation of software updates in
"All deployments" maintenance window when "Software Update" maintenance
window is available. For more information, see About client settings.
Note
This setting also applies to maintenance windows that you configure to apply to
Task sequences.
If the client only has an All deployments window available, it still installs software
updates or task sequences in that window.
You can't create maintenance windows for the All Systems collection.
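To make the overlap and window-type rules above concrete, here is an added Python model of the client-side behaviour (example code, not part of the Configuration Manager documentation or product). The window names, the date, the "application" kind and the treatment of windows that merely touch are constructed assumptions, and the client setting for updates in "All deployments" windows is modelled by the updates_may_use_all flag.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Window types as they appear in the collection properties dialog.
ALL_DEPLOYMENTS = "All deployments"
SOFTWARE_UPDATES = "Software updates"
TASK_SEQUENCES = "Task sequences"
APPLICATION = "application"  # assumption: any deployment that is not an update or task sequence


@dataclass(frozen=True)
class MaintenanceWindow:
    name: str
    start: datetime
    end: datetime
    applies_to: str = ALL_DEPLOYMENTS


def merge_windows(windows: List[MaintenanceWindow]) -> List[Tuple[datetime, datetime]]:
    """Collapse overlapping windows into independent (start, end) spans.

    Overlapping windows become one span covering the whole time of both;
    windows that do not overlap stay separate. Windows that only touch
    (one ends exactly when the next starts) are kept separate here, which
    the article does not specify (assumption).
    """
    spans: List[Tuple[datetime, datetime]] = []
    for w in sorted(windows, key=lambda x: x.start):
        if spans and w.start < spans[-1][1]:
            spans[-1] = (spans[-1][0], max(spans[-1][1], w.end))
        else:
            spans.append((w.start, w.end))
    return spans


def usable_windows(kind: str, windows: List[MaintenanceWindow],
                   updates_may_use_all: bool = False) -> List[MaintenanceWindow]:
    """Pick the windows a deployment of `kind` is allowed to use.

    Software updates and task sequences use only windows of their own type
    when any exist. "All deployments" windows count for them only when they
    are the only type available, or when the client setting that allows
    updates in "All deployments" windows is enabled (updates_may_use_all).
    Other deployments use "All deployments" windows (assumption).
    """
    general = [w for w in windows if w.applies_to == ALL_DEPLOYMENTS]
    if kind not in (SOFTWARE_UPDATES, TASK_SEQUENCES):
        return general
    own = [w for w in windows if w.applies_to == kind]
    if own and not updates_may_use_all:
        return own
    return own + general


def can_run(kind: str, at_time: datetime, windows: List[MaintenanceWindow],
            user_initiated: bool = False, updates_may_use_all: bool = False) -> bool:
    """Decide whether the client may start a deployment of `kind` at `at_time`."""
    if user_initiated:
        return True  # a user installing from Software Center is never held for a window
    spans = merge_windows(usable_windows(kind, windows, updates_may_use_all))
    return any(start <= at_time < end for start, end in spans)


def effective_minutes(windows: List[MaintenanceWindow]) -> List[int]:
    """Duration in minutes of each effective (merged) window."""
    return [int((end - start).total_seconds() // 60) for start, end in merge_windows(windows)]


# Constructed sample: the two overlapping windows from the article plus one
# "Software updates" window, all on one constructed day.
DAY = datetime(2022, 10, 4)


def at(hour: int, minute: int = 0) -> datetime:
    return DAY.replace(hour=hour, minute=minute)


SAMPLE_WINDOWS = [
    MaintenanceWindow("Morning A", at(6), at(7)),
    MaintenanceWindow("Morning B", at(6, 30), at(7, 30)),
    MaintenanceWindow("Patch night", at(22), at(23), SOFTWARE_UPDATES),
]

if __name__ == "__main__":
    print("effective windows (minutes):", effective_minutes(SAMPLE_WINDOWS[:2]))      # [90]
    print("app at 07:15:", can_run(APPLICATION, at(7, 15), SAMPLE_WINDOWS))            # True
    print("updates at 07:15:", can_run(SOFTWARE_UPDATES, at(7, 15), SAMPLE_WINDOWS))   # False
```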
3. On the Home tab of the ribbon, in the Properties group, choose Properties.
4. Switch to the Maintenance Windows tab, and select the New icon.
a. Specify a Name to uniquely identify this maintenance window for the collection.
Effective date: The date when the maintenance window starts. The
default is the current date.
Start and End: The start and end times of the maintenance window. It
calculates the Duration for the window. The minimum duration is five
minutes, and the maximum is 24 hours. The default duration is three
hours, from 01:00 to 04:00.
Coordinated Universal Time (UTC): Enable this option for the client to
interpret the start and end times in the UTC time zone. For regionally or
globally distributed devices in the same collection, this option sets the
maintenance window to occur simultaneously on all devices in the
collection. Disable this option for the client to use the device's local time
zone. This option is disabled by default.
c. Configure the recurrence pattern. The default is once per week on the current
day of the week.
Note
d. Apply this schedule to: By default the window applies to All deployments. You
can select either Software updates or Task sequences to further control what
deployments run during this window.
Tip
If you configure multiple maintenance windows of different types on the
same collection, make sure you understand the client behaviors. For more
information, see Multiple maintenance windows.
The Maintenance Windows tab of the collection properties displays all configured
windows.
Use PowerShell
You can use PowerShell to configure maintenance windows. For more information, see
the following articles:
Get-CMMaintenanceWindow
New-CMMaintenanceWindow
Remove-CMMaintenanceWindow
Set-CMMaintenanceWindow
Security and privacy for collections in
Configuration Manager
Article • 10/04/2022
This article contains security recommendations and privacy information for collections in
Configuration Manager.
Security recommendations
When you export or import a collection by using a managed object format (MOF) file
that's saved to a network location, secure the location and the network channel. Restrict
who can access the network folder. Use Server Message Block (SMB) signing or Internet
Protocol security (IPsec) between the network location and the site server. These
mechanisms help prevent an attacker from tampering with the exported collection data.
Use IPsec to encrypt the data on the network to prevent information disclosure.
Security issues
Collections have the following security issues:
If you use collection variables, local administrators can read potentially sensitive
information. Collection variables are only used when you deploy an OS. For more
information, see Collection and device variables.
Privacy information
There's no privacy information specifically for collections in Configuration Manager.
Collections are containers for resources, such as users and devices. Collection
membership often depends on the information that Configuration Manager collects
during standard operation.
For more information about other security features in Configuration Manager, see the
Security documentation hub.
Introduction to hardware inventory
Article • 10/04/2022
After hardware inventory is enabled and the client runs a hardware inventory cycle, the
client sends the information to a management point in the client's site. The
management point then forwards the inventory information to the Configuration
Manager site server, which stores the inventory information in the site database.
Hardware inventory runs on clients according to the schedule that you specify in client
settings.
Create queries that return devices that are based on a specific hardware
configuration.
Run reports that display specific details about hardware configurations in your
organization.
Use Resource Explorer to view detailed information about the hardware inventory
that's collected from client devices.
When hardware inventory runs on a client device, the first inventory data that the client
returns is always a full inventory. The next set of inventory data contains only delta
inventory information. The site server processes delta inventory information in the order
received. If delta information for a client is missing, the site server rejects further delta
information and directs the client to run a full inventory cycle.
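The full-then-delta behaviour and the resync rule can be shown as a small simulation of both sides. This is an added Python example, not product code or the documented client protocol; the per-client sequence counter, the result strings, the "lost" report and the sample class values are constructed assumptions.

```python
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, List

Inventory = Dict[str, Dict[str, object]]  # WMI class -> property -> value


@dataclass
class InventoryReport:
    client_id: str
    seq: int          # per-client report counter (constructed; the real protocol's
                      # identifiers are not shown in the article)
    full: bool
    data: Inventory


@dataclass
class ClientRecord:
    """What the site database holds for one client."""
    inventory: Inventory = field(default_factory=dict)
    last_seq: int = 0
    has_full: bool = False
    resync_requested: bool = False


class SiteInventoryProcessor:
    """Site-side rules: deltas are applied in the order received; a gap rejects
    every later delta until the client sends a full inventory."""

    def __init__(self) -> None:
        self.clients: Dict[str, ClientRecord] = {}

    def process(self, report: InventoryReport) -> str:
        rec = self.clients.setdefault(report.client_id, ClientRecord())
        if report.full:
            rec.inventory = deepcopy(report.data)
            rec.last_seq, rec.has_full, rec.resync_requested = report.seq, True, False
            return "accepted-full"
        if not rec.has_full or rec.resync_requested or report.seq != rec.last_seq + 1:
            rec.resync_requested = True      # directs the client to run a full cycle
            return "rejected-resync"
        for cls, props in report.data.items():
            rec.inventory.setdefault(cls, {}).update(props)
        rec.last_seq = report.seq
        return "accepted-delta"


class InventoryClient:
    """Client side: the first report is full, later ones carry only changed
    values, until the site asks for a resync."""

    def __init__(self, client_id: str, site: SiteInventoryProcessor) -> None:
        self.client_id, self.site = client_id, site
        self.seq, self.full_due = 0, True
        self.last_sent: Inventory = {}

    def run_cycle(self, current: Inventory, deliver: bool = True) -> str:
        self.seq += 1
        if self.full_due:
            report = InventoryReport(self.client_id, self.seq, True, deepcopy(current))
        else:
            changed = {cls: {k: v for k, v in props.items()
                             if self.last_sent.get(cls, {}).get(k) != v}
                       for cls, props in current.items()}
            report = InventoryReport(self.client_id, self.seq, False,
                                     {c: p for c, p in changed.items() if p})
        self.last_sent = deepcopy(current)  # the client believes the report went out
        if not deliver:
            return "lost"                   # simulate a report that never reaches the site
        result = self.site.process(report)
        self.full_due = result == "rejected-resync"
        return result


def lost_delta_scenario() -> List[object]:
    """Walk one client through full -> delta -> lost delta -> rejection -> full."""
    site = SiteInventoryProcessor()
    client = InventoryClient("constructed-client-1", site)
    results: List[object] = []
    for mem, deliver in ((8, True), (16, True), (32, False), (32, True), (32, True)):
        current = {"Win32_ComputerSystem": {"Name": "PC01", "TotalPhysicalMemory": mem}}
        results.append(client.run_cycle(current, deliver))
    rec = site.clients[client.client_id]
    results.append(rec.inventory["Win32_ComputerSystem"]["TotalPhysicalMemory"])
    return results


if __name__ == "__main__":
    # ['accepted-full', 'accepted-delta', 'lost', 'rejected-resync', 'accepted-full', 32]
    print(lost_delta_scenario())
```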
Configuration Manager provides limited support for dual-boot computers.
Configuration Manager can discover dual-boot computers but returns inventory
information only from the OS that's active when the inventory cycle runs.
Extend inventory
To collect more information than what Configuration Manager inventories by default,
you can also use one of these methods to extend hardware inventory:
Enable, disable, add, and remove inventory classes for hardware inventory from the
Configuration Manager console.
Use NOIDMIF files to collect information about client devices that can't be
inventoried by Configuration Manager. For example, you might want to collect
device asset number information that exists only as a label on the device. NOIDMIF
inventory is automatically associated with the client device that it was collected
from.
Use IDMIF files to collect information about assets that aren't associated with a
Configuration Manager client, for example, projectors, photocopiers, and network
printers.
Starting in version 2107, you can use the administration service to set custom
properties on devices. You can then use the custom properties in Configuration
Manager for reporting or to create collections. For more information, see Custom
properties for devices.
Next steps
How to configure hardware inventory
How to extend hardware inventory in
Configuration Manager
Article • 10/04/2022
The Configuration.mof file also defines and registers the WMI providers that access
device information during hardware inventory. Registering providers defines the type of
provider to be used and the classes that the provider supports.
In Configuration Manager current branch, you don't edit the sms_def.mof file as with
earlier versions. Instead, make these changes with client settings. Configuration
Manager provides the following methods to extend hardware inventory.
Note
If you changed the state of classes in client settings, when you update the site,
some classes may revert to a default state. For example, if you disable the
SMS_Windows8Application or SMS_Windows8ApplicationUserInfo classes, they're
Starting in version 2107, you can use the administration service to set custom properties
on devices. You can then use the custom properties in Configuration Manager for
reporting or to create collections. For more information, see Custom properties for
devices.
Methods
Enable or disable
Enable or disable some or all attributes of a class that already exists on the client. This
action instructs the hardware inventory agent to collect it on clients. You can do this
action in default client settings, or custom device client settings. For more information,
see Enable or disable existing classes.
Add
If a WMI class exists on the client and is known to the site, this action adds it to the
possible set of hardware inventory classes. You can add a new inventory class from the
WMI namespace of another device. This action is only available in default client settings.
For more information, see Add a new class.
Extend
Add a new WMI class to the client. To manually extend hardware inventory, edit the
configuration.mof on the top-level site.
If the WMI class doesn't already exist on the client, you need to extend the WMI
schema:
1. Edit the configuration.mof on the top-level site. Review dataldr.log to see the site
add it.
2. Refresh policy on a client, and wait for the new class to compile.
3. Use default client settings to Add the new class to hardware inventory. You don't
have to enable this class in default client settings. You can then enable it in a
custom device client setting.
Procedures
These procedures help you to configure the default client settings for hardware
inventory and they apply to all the clients in your hierarchy. If you want these settings to
apply to only some clients, create a custom client device setting and assign it to a
collection of specific clients. For more information, see How to configure client settings.
2. Select the Default Client Settings. On the Home tab, in the Properties group,
choose Properties.
5. In the Hardware Inventory Classes dialog box, select or clear the classes and class
properties to be collected by hardware inventory. You can expand classes to select
or clear individual properties within that class. Use the Search for inventory classes
field to search for individual classes.
Important
When you add new classes to Configuration Manager hardware inventory, the size
of the inventory file that is collected and sent to the site server will increase. This
might negatively affect the performance of your network and Configuration
Manager site. Enable only the inventory classes that you want to collect.
2. Select the Default Client Settings. On the Home tab, in the Properties group,
choose Properties.
8. Choose Connect.
9. In the Add Hardware Inventory Class dialog box, in the Inventory classes list,
select the WMI classes that you want to add to Configuration Manager hardware
inventory.
10. If you want to edit information about the selected WMI class, choose Edit, and in
the Class qualifiers dialog box, provide the following information:
Properties: Specify the units in which each property of the WMI class will be
displayed.
You can also set properties as a key property to help uniquely identify each
instance of the class. If no key is defined for the class, and multiple instances
of the class are reported from the client, only the latest instance that's found
is stored in the database.
When you've finished configuring the properties, select OK to close the Class
qualifiers dialog box and the other open dialogs.
2. Select the Default Client Settings. On the Home tab, in the Properties group,
choose Properties.
2. Select the Default Client Settings. On the Home tab, in the Properties group,
choose Properties.
Note
When you export classes, all currently selected classes will be exported.
6. In the Export dialog box, specify the Managed Object Format (MOF) file that you
want to export the classes to, and then choose Save.
3. Select Connect.
7. Make sure that the edited property is selected for Add Hardware Inventory Class,
and select OK.
Important
Before you can add information from MIF files to the Configuration Manager
database, create or import the class. For more information, see Add a new class or
How to import classes in this article.
For more information about creating NOIDMIF files, see About inventory in the
Configuration Manager SDK documentation.
Important
When you create a NOIDMIF file, save it in an ANSI-encoded format. If you save
NOIDMIF files in UTF-8 encoded format, Configuration Manager can't read them.
For more information about creating IDMIF files, see About inventory in the
Configuration Manager SDK documentation.
Note
MIF files could contain large amounts of data and collecting this data could
negatively affect the performance of your site. Enable MIF collection only when
required. Configure the option Maximum custom MIF file size (KB) in the hardware
inventory settings. For more information, see Introduction to hardware inventory.
How to configure hardware inventory in
Configuration Manager
Article • 10/04/2022
This procedure configures the default client settings for hardware inventory and applies
to all the clients in your hierarchy. If you want these settings to apply to only some
clients, create a custom device client setting and assign it to a collection that contains
the devices on which you want to use hardware inventory. See How to configure client
settings.
Note
If a client device receives hardware inventory settings from multiple sets of client
settings, the hardware inventory classes from each set of settings are merged when
the client reports hardware inventory. Additionally, clearing a class in a custom client
setting with a higher priority doesn't stop the client from inventorying that class.
To disable a specific hardware inventory class on a majority of systems except a few, the
class needs to be unchecked in the default client settings. Then create a custom client
setting to enable the class, and deploy it to the target systems.
Tip
Resource Explorer doesn't display any data until a hardware inventory cycle runs on
the client to which you're connecting.
Overview
Resource Explorer has the following sections related to hardware inventory:
Hardware: Shows the most recent hardware inventory collected from the specified
client device.
The Workstation Status node shows the time and date of the last hardware
inventory from the device.
Hardware History: A history of inventoried items that changed since the last
hardware inventory cycle.
Expand an item to see a Current node and one or more nodes with the
historical date. Compare the information in the current node to one of the
historical nodes to see the items that changed.
Note
2. Select a device. In the ribbon, on the Home tab and Devices group, click Start, and
then select Resource Explorer.
Tip
In Resource Explorer, right-click an item in the right results pane for additional
actions. Click Properties to view that item in a different format.
For a property with a value that doesn't change, like total disk size, you may not
immediately see the value after upgrading the site. Most hardware inventory is a delta
report. The client only sends values that change. To work around this behavior, add
another property to the same class. This action causes the client to update all properties
in the class that changed.
See also
Resource Explorer also shows Software Inventory. For more information, see How to use
Resource Explorer to view software inventory.
Resource Explorer default inventory
classes
Article • 10/04/2022
1394 Controller
Namespace: root\cimv2
class Win32_1394Controller
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(UInt32) MaxNumberControlled
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) ProtocolSupported
(String) Status
(UInt16) StatusInfo
(String) SystemName
(DateTime) TimeOfLastReset
Account SID
Namespace: root\cimv2
class Win32_AccountSID
(String) Element
(String) Setting
ActiveSync Service
Namespace: root\SmsDm
class SMS_ActiveSyncService
(UInt32) MajorVersion
(UInt32) MinorVersion
(String) LastSyncTime
AMT Agent
Namespace: root\cimv2\sms
class SMS_AMTObject
(UInt32) DeviceID
(String) AMT
(String) AMTApps
(String) BiosVersion
(String) BuildNumber
(String) Flash
(String) LegacyMode
(String) Netstack
(UInt32) ProvisionMode
(UInt32) ProvisionState
(String) RecoveryBuildNum
(String) RecoveryVersion
(String) Sku
(UInt32) TLSMode
(String) VendorID
(UInt32) ZTCEnabled
class AppvClientApplication
(String) ApplicationId
(String) PackageId
(String) PackageVersionId
(Boolean) EnabledForUser
(Boolean) EnabledGlobally
(String) Name
(String) TargetPath
(String) Version
AppV Client Package
Namespace: root\AppV
class AppvClientPackage
(String) PackageId
(String) VersionId
(String) Assets[]
(String) DeploymentMachineData
(String) DeploymentUserData
(Boolean) HasAssetIntelligence
(Boolean) InUse
(Boolean) IsPublishedGlobally
(Boolean) IsPublishedToUser
(String) Name
(UInt64) PackageSize
(String) Path
(UInt16) PercentLoaded
(String) UserConfigurationData
(String) Version
AutoStart Software
Namespace: root\cimv2\sms
class SMS_AutoStartSoftware
(String) FilePropertiesHash
(String) BinFileVersion
(String) BinProductVersion
(String) Description
(String) FileName
(String) FilePropertiesHashEx
(String) FileVersion
(String) Location
(String) Product
(String) ProductVersion
(String) Publisher
(String) StartupType
(String) StartupValue
BaseBoard
Namespace: root\cimv2
class Win32_BaseBoard
(String) Tag
(String) Caption
(String) ConfigOptions[]
(String) Description
(Boolean) HostingBoard
(Boolean) HotSwappable
(DateTime) InstallDate
(String) Manufacturer
(String) Model
(String) Name
(String) OtherIdentifyingInfo
(String) PartNumber
(Boolean) PoweredOn
(String) Product
(Boolean) Removable
(Boolean) Replaceable
(String) RequirementsDescription
(Boolean) RequiresDaughterBoard
(String) SerialNumber
(String) SKU
(String) SlotLayout
(Boolean) SpecialRequirements
(String) Status
(String) Version
Battery
Namespace: root\cimv2
class Win32_Battery
(String) DeviceID
(UInt16) Availability
(UInt16) BatteryStatus
(String) Caption
(UInt16) Chemistry
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(UInt32) DesignCapacity
(UInt64) DesignVoltage
(Boolean) ErrorCleared
(String) ErrorDescription
(UInt16) EstimatedChargeRemaining
(UInt32) EstimatedRunTime
(UInt32) ExpectedLife
(UInt32) FullChargeCapacity
(DateTime) InstallDate
(UInt32) LastErrorCode
(UInt32) MaxRechargeTime
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) SmartBatteryVersion
(String) Status
(UInt16) StatusInfo
(String) SystemName
(UInt32) TimeOnBattery
(UInt32) TimeToFullCharge
BitLocker
Namespace: root\cimv2\security\MicrosoftVolumeEncryption
class Win32_EncryptableVolume
(String) DeviceID
(String) DriveLetter
(String) PersistentVolumeID
(UInt32) ProtectionStatus
class Win32_BitLockerEncryptionDetails
(String) BitlockerPersistentVolumeId
(SInt32) Compliant
(SInt32) ConversionStatus
(String) DeviceId
(String) DriveLetter
(SInt32) EncryptionMethod
(String) EnforcePolicyDate
(Boolean) IsAutoUnlockEnabled
(SInt32) KeyProtectorTypes[]
(String) MbamPersistentVolumeId
(SInt32) MbamVolumeType
(String) NoncomplianceDetectedDate
(SInt32) ProtectionStatus
(SInt32) ReasonsForNonCompliance[]
BitLocker Policy
Namespace: root\cimv2
class Win32Reg_MBAMPolicy
(String) EncodedComputerName
(UInt32) EncryptionMethod
(UInt32) FixedDataDriveAutoUnlock
(UInt32) FixedDataDriveEncryption
(UInt32) FixedDataDrivePassphrase
(String) KeyName
(String) LastConsoleUser
(UInt32) MBAMMachineError
(UInt32) MBAMPolicyEnforced
(UInt32) OsDriveEncryption
(UInt32) OsDriveProtector
(DateTime) UserExemptionDate
Boot Configuration
Namespace: root\cimv2
class Win32_BootConfiguration
(String) Name
(String) BootDirectory
(String) ConfigurationPath
(String) Description
(String) LastDrive
(String) ScratchDirectory
(String) SettingID
(String) TempDirectory
class SMS_BrowserHelperObject
(String) FilePropertiesHash
(String) BinFileVersion
(String) BinProductVersion
(String) CLSID
(String) Description
(String) FileName
(String) FilePropertiesHashEx
(String) FileVersion
(String) Product
(String) ProductVersion
(String) Publisher
(String) Version
CCM_RAX
Namespace: root\ccm\cimodels
class CCM_RAXInfo
(String) AppID
(String) FeedURL
(String) UserSID
CD-ROM
Namespace: root\cimv2
class Win32_CDROMDrive
(String) DeviceID
(UInt16) Availability
(UInt16) Capabilities[]
(String) CapabilityDescriptions[]
(String) Caption
(String) CompressionMethod
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(UInt64) DefaultBlockSize
(String) Description
(String) Drive
(Boolean) DriveIntegrity
(Boolean) ErrorCleared
(String) ErrorDescription
(String) ErrorMethodology
(UInt16) FileSystemFlags
(UInt32) FileSystemFlagsEx
(String) ID
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(UInt64) MaxBlockSize
(UInt32) MaximumComponentLength
(UInt64) MaxMediaSize
(Boolean) MediaLoaded
(String) MediaType
(UInt64) MinBlockSize
(String) Name
(Boolean) NeedsCleaning
(UInt32) NumberOfMediaSupported
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) RevisionLevel
(UInt32) SCSIBus
(UInt16) SCSILogicalUnit
(UInt16) SCSIPort
(UInt16) SCSITargetId
(UInt64) Size
(String) Status
(UInt16) StatusInfo
(String) SystemName
(String) VolumeName
(String) VolumeSerialNumber
Client Diagnostics
Starting in version 2107
Namespace: root\cimv2
class CCM_ClientDiagnostics
(String) Identifier
(String) DebugLoggingEnabled
(UInt32) LogEnabled
(UInt32) LogLevel
(UInt32) LogMaxHistory
(UInt32) LogMaxSize
Client Events
Namespace: root\ccm\invagt
class ClientEvents
(String) EventName
(UInt16) Count
Computer System
Namespace: root\cimv2
class Win32_ComputerSystem
(String) Name
(UInt16) AdminPasswordStatus
(Boolean) AutomaticResetBootOption
(Boolean) AutomaticResetCapability
(UInt16) BootOptionOnLimit
(UInt16) BootOptionOnWatchDog
(Boolean) BootROMSupported
(String) BootupState
(String) Caption
(UInt16) ChassisBootupState
(SInt16) CurrentTimeZone
(Boolean) DaylightInEffect
(String) Description
(String) Domain
(UInt16) DomainRole
(UInt16) FrontPanelResetStatus
(Boolean) InfraredSupported
(String) InitialLoadInfo[]
(DateTime) InstallDate
(UInt16) KeyboardPasswordStatus
(String) LastLoadInfo
(String) Manufacturer
(String) Model
(String) NameFormat
(Boolean) NetworkServerModeEnabled
(UInt32) NumberOfProcessors
(String) OEMLogoBitmap
(String) OEMStringArray[]
(SInt64) PauseAfterReset
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) PowerOnPasswordStatus
(UInt16) PowerState
(UInt16) PowerSupplyState
(String) PrimaryOwnerContact
(String) PrimaryOwnerName
(UInt16) ResetCapability
(SInt16) ResetCount
(SInt16) ResetLimit
(String) Roles[]
(String) Status
(String) SupportContactDescription[]
(UInt16) SystemStartupDelay
(String) SystemStartupOptions[]
(UInt8) SystemStartupSetting
(String) SystemType
(UInt16) ThermalState
(UInt64) TotalPhysicalMemory
(String) UserName
(UInt16) WakeUpType
Computer System Ex
Namespace: root\cimv2
class CCM_ComputerSystemExtended
(String) Name
(UInt16) PCSystemType
class Win32_ComputerSystemProduct
(String) IdentifyingNumber
(String) Name
(String) Version
(String) Caption
(String) Description
(String) SKUNumber
(String) UUID
(String) Vendor
class Win32Reg_SMSAdvancedClientPorts
(String) InstanceKey
(UInt32) HttpsPortName
(UInt32) PortName
class Win32Reg_SMSAdvancedClientSSLConfiguration
(String) InstanceKey
(String) CertificateSelectionCriteria
(String) CertificateStore
(UInt32) ClientAlwaysOnInternet
(UInt32) HttpsStateFlags
(String) InternetMPHostName
(UInt32) SelectFirstCertificate
(String) Name
(String) DisplayName
(String) Version
Connected Device
Namespace: root\SmsDm
class SMS_ActiveSyncConnectedDevice
(String) DeviceOEMInfo
(String) DeviceType
(String) OS_Major
(String) OS_Minor
(String) OS_Platform
(String) ProcessorArchitecture
(String) ProcessorLevel
(String) ProcessorRevision
(String) InstalledClientID
(String) InstalledClientServer
(String) InstalledClientVersion
(String) LastSyncTime
(String) OS_AdditionalInfo
(String) OS_Build
SMS_DefaultBrowser
Namespace: root\cimv2\sms
class SMS_DefaultBrowser
(String) BrowserProgId
Desktop
Namespace: root\cimv2
class Win32_Desktop
(String) Name
(UInt32) BorderWidth
(String) Caption
(Boolean) CoolSwitch
(UInt32) CursorBlinkRate
(String) Description
(Boolean) DragFullWindows
(UInt32) GridGranularity
(UInt32) IconSpacing
(String) IconTitleFaceName
(UInt32) IconTitleSize
(Boolean) IconTitleWrap
(String) Pattern
(Boolean) ScreenSaverActive
(String) ScreenSaverExecutable
(Boolean) ScreenSaverSecure
(UInt32) ScreenSaverTimeout
(String) SettingID
(String) Wallpaper
(Boolean) WallpaperStretched
(Boolean) WallpaperTiled
Desktop Monitor
Namespace: root\cimv2
class Win32_DesktopMonitor
(String) DeviceID
(UInt16) Availability
(UInt32) Bandwidth
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(UInt16) DisplayType
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(Boolean) IsLocked
(UInt32) LastErrorCode
(String) MonitorManufacturer
(String) MonitorType
(String) Name
(UInt32) PixelsPerXLogicalInch
(UInt32) PixelsPerYLogicalInch
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt32) ScreenHeight
(UInt32) ScreenWidth
(String) Status
(UInt16) StatusInfo
(String) SystemName
Device Info
Namespace: Reserved
class Device_Info
(String) CertExpiry
(String) DeviceName
(String) Manufacturer
(String) Model
(String) OS
MDM DevDetail
Namespace: root\cimv2\mdm\dmmap
class MDM_DevDetail_Ext01
(String) InstanceID
(String) ParentID
(String) DeviceHardwareData
(String) WLANMACAddress
Disk
Namespace: root\cimv2
class Win32_DiskDrive
(String) DeviceID
(UInt16) Availability
(UInt32) BytesPerSector
(UInt16) Capabilities[]
(String) CapabilityDescriptions[]
(String) Caption
(String) CompressionMethod
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(UInt64) DefaultBlockSize
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(String) ErrorMethodology
(UInt32) Index
(DateTime) InstallDate
(String) InterfaceType
(UInt32) LastErrorCode
(String) Manufacturer
(UInt64) MaxBlockSize
(UInt64) MaxMediaSize
(Boolean) MediaLoaded
(String) MediaType
(UInt64) MinBlockSize
(String) Model
(String) Name
(Boolean) NeedsCleaning
(UInt32) NumberOfMediaSupported
(UInt32) Partitions
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt32) SCSIBus
(UInt16) SCSILogicalUnit
(UInt16) SCSIPort
(UInt16) SCSITargetId
(UInt32) SectorsPerTrack
(UInt64) Size
(String) Status
(UInt16) StatusInfo
(String) SystemName
(UInt64) TotalCylinders
(UInt32) TotalHeads
(UInt64) TotalSectors
(UInt64) TotalTracks
(UInt32) TracksPerCylinder
Partition
Namespace: root\cimv2
class Win32_DiskPartition
(String) DeviceID
(UInt16) Access
(UInt16) Availability
(UInt64) BlockSize
(Boolean) Bootable
(Boolean) BootPartition
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(UInt32) DiskIndex
(Boolean) ErrorCleared
(String) ErrorDescription
(String) ErrorMethodology
(UInt32) HiddenSectors
(UInt32) Index
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Name
(UInt64) NumberOfBlocks
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(Boolean) PrimaryPartition
(String) Purpose
(Boolean) RewritePartition
(UInt64) Size
(UInt64) StartingOffset
(String) Status
(UInt16) StatusInfo
(String) SystemName
(String) Type
DMA
Namespace: root\cimv2
class Win32_DeviceMemoryAddress
(UInt64) StartingAddress
(String) Caption
(String) Description
(UInt64) EndingAddress
(DateTime) InstallDate
(String) MemoryType
(String) Name
(String) Status
DMA Channel
Namespace: root\cimv2
class Win32_DMAChannel
(UInt32) DMAChannel
(UInt16) AddressSize
(UInt16) Availability
(Boolean) BurstMode
(UInt16) ByteMode
(String) Caption
(UInt16) ChannelTiming
(String) Description
(DateTime) InstallDate
(UInt32) MaxTransferSize
(String) Name
(UInt32) Port
(String) Status
(UInt16) TransferWidths[]
(UInt16) TypeCTiming
(UInt16) WordMode
Driver - VxD
Namespace: root\cimv2
class Win32_DriverVXD
(String) Name
(String) SoftwareElementID
(UInt16) SoftwareElementState
(UInt16) TargetOperatingSystem
(String) Version
(String) BuildNumber
(String) Caption
(String) CodeSet
(String) Control
(String) Description
(String) DeviceDescriptorBlock
(String) IdentificationCode
(DateTime) InstallDate
(String) LanguageEdition
(String) Manufacturer
(String) OtherTargetOS
(String) PM_API
(String) SerialNumber
(UInt32) ServiceTableSize
(String) Status
(String) V86_API
class CCM_EmbeddedDeviceInformation
(String) DeviceType
(String) Model
(String) OEMName
Environment
Namespace: root\cimv2
class Win32_Environment
(String) Name
(String) UserName
(String) Caption
(String) Description
(DateTime) InstallDate
(String) Status
(Boolean) SystemVariable
(String) VariableValue
Firmware
Namespace: root\cimv2\sms
class SMS_Firmware
(Boolean) UEFI
(Boolean) SecureBoot
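The two properties above are the whole of the Firmware inventory class, but they answer one of the first questions a hardening review asks about a fleet: does the machine boot UEFI with Secure Boot enforced? The script below is an added example, not code from the Configuration Manager documentation or product. It reads SMS_Firmware directly from the client-side provider in root\cimv2\sms (the namespace the listing gives; a Configuration Manager client must be installed for that namespace to exist) rather than waiting for the next hardware inventory cycle to reach the site database, and it reports one line per computer with a finding. The function and parameter names are my own.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Reads the SMS_Firmware inventory class straight from the client provider and
# flags machines that boot legacy BIOS or have Secure Boot turned off.
# Assumes a Configuration Manager client (root\cimv2\sms) on each target.
[CmdletBinding()]
param(
    # Computers to check over WinRM; defaults to the local machine.
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

function Get-FirmwarePosture {
    param([string]$Computer)

    $cimParams = @{ Namespace = 'root\cimv2\sms'; ClassName = 'SMS_Firmware'; ErrorAction = 'Stop' }
    if ($Computer -ne $env:COMPUTERNAME) { $cimParams.ComputerName = $Computer }

    try {
        $fw = Get-CimInstance @cimParams
    } catch {
        # No client (namespace missing) or no rights: report it instead of silently skipping.
        return [pscustomobject]@{
            Computer = $Computer; UEFI = $null; SecureBoot = $null
            Finding  = "query failed: $($_.Exception.Message)"
        }
    }

    if (-not $fw.UEFI) {
        $finding = 'legacy BIOS boot: Secure Boot cannot be enabled'
    } elseif (-not $fw.SecureBoot) {
        $finding = 'UEFI but Secure Boot disabled: unsigned boot loaders are accepted'
    } else {
        $finding = 'ok'
    }
    [pscustomobject]@{ Computer = $Computer; UEFI = $fw.UEFI; SecureBoot = $fw.SecureBoot; Finding = $finding }
}

$results = foreach ($c in $ComputerName) { Get-FirmwarePosture -Computer $c }
$results | Format-Table -AutoSize

# Non-zero exit when anything needs attention, so the script can gate a build or a pipeline.
if ($results.Finding -ne 'ok') { exit 1 }
```

Run it as an account with WMI rights on the targets, for example `.\Check-Firmware.ps1 -ComputerName ws01,ws02`. Because it queries the live provider, a result can differ from the site database until the client's next hardware inventory cycle reports.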
class SMS_FolderRedirectionHealth
(String) FolderName
(String) SID
(UInt8) HealthStatus
(DateTime) LastSuccessfulSyncTime
(UInt8) LastSyncStatus
(DateTime) LastSyncTime
(Boolean) OfflineAccessEnabled
(String) OfflineFileNameFolderGUID
(Boolean) Redirected
IDE Controller
Namespace: root\cimv2
class Win32_IDEController
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(UInt32) MaxNumberControlled
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) ProtocolSupported
(String) Status
(UInt16) StatusInfo
(String) SystemName
(DateTime) TimeOfLastReset
Add Remove Programs (64)
Namespace: root\cimv2
class Win32Reg_AddRemovePrograms64
(String) ProdID
(String) DisplayName
(String) InstallDate
(String) Publisher
(String) Version
class Win32Reg_AddRemovePrograms
(String) ProdID
(String) DisplayName
(String) InstallDate
(String) Publisher
(String) Version
Installed Executable
Namespace: root\cimv2\sms
class SMS_InstalledExecutable
(String) ExecutableName
(String) ProductCode
(String) BinFileVersion
(String) BinProductVersion
(String) Description
(String) FilePropertiesHash
(String) FilePropertiesHashEx
(UInt32) FileSize
(String) FileVersion
(Boolean) HasPatchAdded
(String) InstalledFilePath
(Boolean) IsSystemFile
(Boolean) IsVitalFile
(UInt32) Language
(String) Product
(String) ProductVersion
(String) Publisher
Installed Software
Namespace: root\cimv2\sms
class SMS_InstalledSoftware
(String) SoftwareCode
(String) ARPDisplayName
(String) ChannelCode
(String) ChannelID
(String) CM_DSLID
(String) EvidenceSource
(DateTime) InstallDate
(UInt32) InstallDirectoryValidation
(String) InstalledLocation
(String) InstallSource
(UInt32) InstallType
(UInt32) Language
(String) LocalPackage
(String) MPC
(UInt32) OsComponent
(String) PackageCode
(String) ProductID
(String) ProductName
(String) ProductVersion
(String) Publisher
(String) RegisteredUser
(String) ServicePack
(String) SoftwarePropertiesHash
(String) SoftwarePropertiesHashEx
(String) UninstallString
(String) UpgradeCode
(UInt32) VersionMajor
(UInt32) VersionMinor
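SMS_InstalledSoftware is the richest software-inventory class on the client: unlike the Add Remove Programs classes it records where the product claims to live (InstalledLocation), what removes it (UninstallString) and which evidence produced the record (EvidenceSource). That makes it useful for spotting software that does not belong. The script below is an added example, not code from the Configuration Manager documentation or product; it queries the class from the client provider in root\cimv2\sms as the listing gives it. The approved-publisher list and the path pattern are constructed assumptions to illustrate the check, and the function name is my own.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Reads SMS_InstalledSoftware from the client provider and surfaces records that an
# approved-publisher list does not cover, plus products whose install location or
# uninstall command lives in a path ordinary users can write to.
$ApprovedPublishers = @('Microsoft Corporation', 'Contoso IT')   # constructed sample allow-list

function Get-SuspectSoftware {
    param(
        [string[]]$Approved = $ApprovedPublishers,
        # Default pulls the live inventory data; pass your own objects to test offline.
        [object[]]$Software = (Get-CimInstance -Namespace 'root\cimv2\sms' -ClassName 'SMS_InstalledSoftware')
    )
    # Users\ covers per-user profiles (AppData, Downloads); Temp\ and ProgramData\ are
    # writable for file creation by standard users on a default install.
    $userWritable = '(?i)\\(Users|Temp|ProgramData)\\'

    foreach ($s in $Software) {
        $reasons = @()
        if ([string]::IsNullOrWhiteSpace($s.Publisher)) {
            $reasons += 'no publisher recorded'
        } elseif ($s.Publisher -notin $Approved) {
            $reasons += "publisher not approved: $($s.Publisher)"
        }
        if ($s.InstalledLocation -match $userWritable) { $reasons += 'installed under a user-writable path' }
        if ($s.UninstallString  -match $userWritable) { $reasons += 'uninstall command runs from a user-writable path' }

        if ($reasons) {
            [pscustomobject]@{
                Product   = $s.ProductName
                Version   = $s.ProductVersion
                Publisher = $s.Publisher
                Evidence  = $s.EvidenceSource      # which inventory evidence produced the record
                Location  = $s.InstalledLocation
                Reasons   = $reasons -join '; '
            }
        }
    }
}

Get-SuspectSoftware | Sort-Object Product | Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict: a vendor may legitimately publish under several names, and some MSI-based products record no InstalledLocation at all. The same properties exist for every client in the site database, so the filter translates directly into a site-wide report once it has been tuned locally.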
IRQ Table
Namespace: root\cimv2
class Win32_IRQResource
(UInt32) IRQNumber
(UInt16) Availability
(String) Caption
(String) Description
(Boolean) Hardware
(DateTime) InstallDate
(String) Name
(Boolean) Shareable
(String) Status
(UInt16) TriggerLevel
(UInt16) TriggerType
(UInt32) Vector
Keyboard
Namespace: root\cimv2
class Win32_Keyboard
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(Boolean) IsLocked
(UInt32) LastErrorCode
(String) Layout
(String) Name
(UInt16) NumberOfFunctionKeys
(UInt16) Password
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) Status
(UInt16) StatusInfo
(String) SystemName
class Win32_LoadOrderGroup
(String) Name
(String) Caption
(String) Description
(Boolean) DriverEnabled
(UInt32) GroupOrder
(DateTime) InstallDate
(String) Status
Logical Disk
Namespace: root\cimv2\sms
class SMS_LogicalDisk
(String) DeviceID
(UInt16) Access
(UInt16) Availability
(UInt64) BlockSize
(String) Caption
(Boolean) Compressed
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(UInt32) DriveType
(Boolean) ErrorCleared
(String) ErrorDescription
(String) ErrorMethodology
(String) FileSystem
(UInt64) FreeSpace
(DateTime) InstallDate
(UInt32) LastErrorCode
(UInt32) MaximumComponentLength
(UInt32) MediaType
(String) Name
(UInt64) NumberOfBlocks
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) ProviderName
(String) Purpose
(UInt64) Size
(String) Status
(UInt16) StatusInfo
(Boolean) SupportsFileBasedCompression
(String) SystemName
(String) VolumeName
(String) VolumeSerialNumber
Memory
Namespace: root\cimv2
class CCM_LogicalMemoryConfiguration
(String) Name
(UInt64) AvailableVirtualMemory
(UInt64) TotalPageFileSpace
(UInt64) TotalPhysicalMemory
(UInt64) TotalVirtualMemory
Device Bluetooth
Namespace: Reserved
class Device_Bluetooth
(Boolean) Enabled
Device Camera
Namespace: Reserved
class Device_Camera
(Boolean) Enabled
Device Certificates
Namespace: Reserved
class Device_Certificates
(String) Thumbprint
(String) Type
(String) IssuedBy
(String) IssuedTo
(DateTime) ValidFrom
(DateTime) ValidTo
Device Client
Namespace: Reserved
class Device_Client
(Boolean) DownloadWhenRoaming
(Boolean) SyncWhenRoaming
class Device_ClientAgentVersion
(String) Version
class Device_ComputerSystem
(String) CellularTechnology
(String) DeviceClientID
(String) DeviceManufacturer
(String) DeviceModel
(String) DMVersion
(String) FirmwareVersion
(String) HardwareVersion
(String) IMEI
(String) IMSI
(UInt8) IsActivationLockEnabled
(UInt8) Jailbroken
(String) MEID
(String) OEM
(String) PhoneNumber
(String) PlatformType
(UInt32) ProcessorArchitecture
(UInt32) ProcessorLevel
(UInt32) ProcessorRevision
(String) Product
(String) ProductVersion
(String) SerialNumber
(String) SoftwareVersion
(String) SubscriberCarrierNetwork
Device Display
Namespace: Reserved
class Device_Display
(UInt32) HorizontalResolution
(UInt64) NumberOfColors
(UInt32) VerticalResolution
Device Email
Namespace: Reserved
class Device_Email
(String) OwnerEmailAddress
(String) SyncDomain
(String) SyncServer
(String) SyncUser
(String) Type
Device Encryption
Namespace: Reserved
class Device_Encryption
(UInt32) EmailEncryptionAlgorithm
(UInt32) EmailEncryptionNegotiation
(Boolean) EmailEncryptionRequired
(Boolean) EmailSigningAlgorithm
(Boolean) EmailSigningRequired
(Boolean) EncryptionCompliance
(Boolean) PhoneMemoryEncrypted
(Boolean) StorageCardEncrypted
Device Exchange
Namespace: Reserved
class Device_Exchange
(Boolean) ConflictResolution
(SInt32) HTMLEmailTruncation
(UInt32) MailFormat
(UInt32) MaxCalendarAge
(UInt32) MaxEmailAge
(SInt32) MaxMailFileAttachmentSize
(UInt32) OffPeakSyncFrequency
(UInt32) PeakDays
(String) PeakEndTime
(String) PeakStartTime
(UInt32) PeakSyncFrequency
(SInt32) PlainTextEmailTruncation
(Boolean) SendEmailImmediately
(Boolean) SyncCalendar
(Boolean) SyncContacts
(Boolean) SyncEmail
(Boolean) SyncTasks
(Boolean) SyncWhenRoaming
class Device_InstalledApplications
(String) Name
(String) Version
Device IrDA
Namespace: Reserved
class Device_IrDA
(Boolean) Enabled
class MDM_RemoteFind
(Real32) Latitude
(Real32) Longitude
Device Memory
Namespace: Reserved
class Device_Memory
(UInt64) ProgramFree
(UInt64) ProgramTotal
(UInt64) RemovableStorageFree
(UInt64) RemovableStorageTotal
(UInt64) StorageFree
(UInt64) StorageTotal
Device OS Information
Namespace: Reserved
class Device_OSInformation
(String) Language
(String) Platform
(String) Version
Device Password
Namespace: Reserved
class Device_Password
(Boolean) AllowRecoveryPassword
(UInt32) AutolockTimeout
(Boolean) Enabled
(UInt32) Expiration
(UInt32) History
(UInt32) MaxAttemptsBeforeWipe
(UInt32) MinComplexChars
(UInt32) MinLength
(UInt8) PasswordQuality
(UInt32) Type
Device Policy
Namespace: Reserved
class Device_Policy
(String) Name
(Boolean) Enforced
Device Power
Namespace: Reserved
class Device_Power
(UInt32) BacklightACTimeout
(UInt32) BacklightBatTimeout
(SInt32) BackupPercent
(SInt32) BatteryPercent
class MDM_SecurityStatus
(UInt32) HardwareEncryptionCaps
(UInt8) PasscodeCompliant
(UInt8) PasscodeCompliantWithProfiles
(UInt8) PasscodePresent
(UInt8) RequireEncryption
class Device_WindowsSecurityPolicy
(UInt32) ID
(String) Name
(UInt32) Value
Device WLAN
Namespace: Reserved
class Device_WLAN
(Boolean) Enabled
(String) EthernetMAC
(String) WiFiMAC
Modem
Namespace: root\cimv2
class Win32_POTSModem
(String) DeviceID
(UInt16) AnswerMode
(String) AttachedTo
(UInt16) Availability
(String) BlindOff
(String) BlindOn
(String) Caption
(String) CompatibilityFlags
(UInt16) CompressionInfo
(String) CompressionOff
(String) CompressionOn
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) ConfigurationDialog
(String) CountriesSupported[]
(String) CountrySelected
(String) CurrentPasswords[]
(String) DCB
(String) Default
(String) Description
(String) DeviceLoader
(String) DeviceType
(UInt16) DialType
(DateTime) DriverDate
(Boolean) ErrorCleared
(String) ErrorControlForced
(UInt16) ErrorControlInfo
(String) ErrorControlOff
(String) ErrorControlOn
(String) ErrorDescription
(String) FlowControlHard
(String) FlowControlOff
(String) FlowControlSoft
(String) InactivityScale
(UInt32) InactivityTimeout
(UInt32) Index
(DateTime) InstallDate
(UInt32) LastErrorCode
(UInt32) MaxBaudRateToPhone
(UInt32) MaxBaudRateToSerialPort
(UInt16) MaxNumberOfPasswords
(String) Model
(String) ModemInfPath
(String) ModemInfSection
(String) ModulationBell
(String) ModulationCCITT
(UInt16) ModulationScheme
(String) Name
(String) PNPDeviceID
(String) PortSubClass
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) Prefix
(String) Properties
(String) ProviderName
(String) Pulse
(String) Reset
(String) ResponsesKeyName
(UInt8) RingsBeforeAnswer
(String) SpeakerModeDial
(String) SpeakerModeOff
(String) SpeakerModeOn
(String) SpeakerModeSetup
(String) SpeakerVolumeHigh
(UInt16) SpeakerVolumeInfo
(String) SpeakerVolumeLow
(String) SpeakerVolumeMed
(String) Status
(UInt16) StatusInfo
(String) StringFormat
(Boolean) SupportsCallback
(Boolean) SupportsSynchronousConnect
(String) SystemName
(String) Terminator
(DateTime) TimeOfLastReset
(String) Tone
(String) VoiceSwitchFeature
Motherboard
Namespace: root\cimv2
class Win32_MotherboardDevice
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) PrimaryBusType
(String) RevisionNumber
(String) SecondaryBusType
(String) Status
(UInt16) StatusInfo
(String) SystemName
NAP Client
Namespace: root\Nap
class NAP_Client
(String) name
(String) description
(String) fixupURL
(Boolean) napEnabled
(String) napProtocolVersion
(String) probationTime
(UInt32) systemIsolationState
class NAP_SystemHealthAgent
(UInt32) ID
(String) description
(UInt32) fixupState
(String) friendlyName
(String) infoClsid
(Boolean) isBound
(UInt8) percentage
(String) registrationDate
(String) vendorName
(String) version
Network Adapter
Namespace: root\cimv2
class Win32_NetworkAdapter
(String) DeviceID
(String) AdapterType
(Boolean) AutoSense
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(UInt32) Index
(DateTime) InstallDate
(Boolean) Installed
(UInt32) LastErrorCode
(String) MACAddress
(String) Manufacturer
(UInt32) MaxNumberControlled
(UInt64) MaxSpeed
(String) Name
(String) NetworkAddresses[]
(String) PermanentAddress
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) ProductName
(String) ServiceName
(UInt64) Speed
(String) Status
(UInt16) StatusInfo
(String) SystemName
(DateTime) TimeOfLastReset
class Win32_NetworkAdapterConfiguration
(UInt32) Index
(Boolean) ArpAlwaysSourceRoute
(Boolean) ArpUseEtherSNAP
(String) Caption
(String) DatabasePath
(Boolean) DeadGWDetectEnabled
(String) DefaultIPGateway[]
(UInt8) DefaultTOS
(UInt8) DefaultTTL
(String) Description
(Boolean) DHCPEnabled
(DateTime) DHCPLeaseExpires
(DateTime) DHCPLeaseObtained
(String) DHCPServer
(String) DNSDomain
(String) DNSDomainSuffixSearchOrder[]
(Boolean) DNSEnabledForWINSResolution
(String) DNSHostName
(String) DNSServerSearchOrder[]
(Boolean) DomainDNSRegistrationEnabled
(UInt32) ForwardBufferMemory
(Boolean) FullDNSRegistrationEnabled
(UInt16) GatewayCostMetric[]
(UInt8) IGMPLevel
(String) IPAddress[]
(UInt32) IPConnectionMetric
(Boolean) IPEnabled
(Boolean) IPFilterSecurityEnabled
(Boolean) IPPortSecurityEnabled
(String) IPSecPermitIPProtocols[]
(String) IPSecPermitTCPPorts[]
(String) IPSecPermitUDPPorts[]
(String) IPSubnet[]
(Boolean) IPUseZeroBroadcast
(String) IPXAddress
(Boolean) IPXEnabled
(String) IPXFrameType
(UInt32) IPXMediaType
(String) IPXNetworkNumber[]
(String) IPXVirtualNetNumber
(UInt32) KeepAliveInterval
(UInt32) KeepAliveTime
(String) MACAddress
(UInt32) MTU
(UInt32) NumForwardPackets
(Boolean) PMTUBHDetectEnabled
(Boolean) PMTUDiscoveryEnabled
(String) ServiceName
(String) SettingID
(UInt32) TcpipNetbiosOptions
(UInt32) TcpMaxConnectRetransmissions
(UInt32) TcpMaxDataRetransmissions
(UInt32) TcpNumConnections
(Boolean) TcpUseRFC1122UrgentPointer
(UInt16) TcpWindowSize
(Boolean) WINSEnableLMHostsLookup
(String) WINSHostLookupFile
(String) WINSPrimaryServer
(String) WINSScopeID
(String) WINSSecondaryServer
Network Client
Namespace: root\cimv2
class Win32_NetworkClient
(String) Name
(String) Caption
(String) Description
(DateTime) InstallDate
(String) Manufacturer
(String) Status
class Win32_NetworkLoginProfile
(String) Name
(DateTime) AccountExpires
(UInt32) AuthorizationFlags
(UInt32) BadPasswordCount
(String) Caption
(UInt32) CodePage
(String) Comment
(UInt32) CountryCode
(String) Description
(UInt32) Flags
(String) FullName
(String) HomeDirectory
(String) HomeDirectoryDrive
(DateTime) LastLogoff
(DateTime) LastLogon
(String) LogonHours
(String) LogonServer
(UInt64) MaximumStorage
(UInt32) NumberOfLogons
(String) Parameters
(DateTime) PasswordAge
(DateTime) PasswordExpires
(UInt32) PrimaryGroupId
(UInt32) Privileges
(String) Profile
(String) ScriptPath
(String) SettingID
(UInt32) UnitsPerWeek
(String) UserComment
(UInt32) UserId
(String) UserType
(String) Workstations
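Win32_NetworkLoginProfile records one entry per account that has logged on to the machine, with the account's privilege level, logon counts and password state, which is why inventorying it helps both an incident responder (who has been on this host?) and an identity engineer (which administrator accounts leave credential material on workstations?). The script below is an added example, not code from the Configuration Manager documentation or product. It reads the class locally and reports the findings a responder would look for first. The thresholds are assumed values; Privileges follows the NetUserGetInfo USER_PRIV_* encoding (0 = Guest, 1 = User, 2 = Administrator).

```powershell
# Added example, not part of the Configuration Manager documentation.
# Flags administrator-level logon profiles, repeated bad passwords and long-idle
# accounts from the Win32_NetworkLoginProfile data the inventory agent collects.
$PrivilegeName = @{ 0 = 'Guest'; 1 = 'User'; 2 = 'Administrator' }

function Get-LogonProfileFindings {
    param(
        [int]$StaleDays = 90,          # assumed threshold
        [int]$BadPasswordLimit = 5     # assumed threshold
    )
    $now = Get-Date
    foreach ($p in Get-CimInstance -ClassName Win32_NetworkLoginProfile) {
        $reasons = @()
        if ($null -ne $p.Privileges -and [int]$p.Privileges -eq 2) {
            $reasons += 'administrator-level account has logged on here (credential material may be cached)'
        }
        if ($p.BadPasswordCount -ge $BadPasswordLimit) {
            $reasons += "bad password count $($p.BadPasswordCount)"
        }
        if ($p.LastLogon -is [datetime] -and ($now - $p.LastLogon).Days -gt $StaleDays) {
            $reasons += "last logon $(($now - $p.LastLogon).Days) days ago"
        }
        if ($p.PasswordExpires -is [datetime] -and $p.PasswordExpires -lt $now) {
            $reasons += 'password expired'
        }
        if ($reasons) {
            [pscustomobject]@{
                Account   = $p.Name                         # DOMAIN\user or MACHINE\user
                Privilege = if ($null -ne $p.Privileges) { $PrivilegeName[[int]$p.Privileges] } else { 'unknown' }
                LastLogon = $p.LastLogon
                Logons    = $p.NumberOfLogons
                Findings  = $reasons -join '; '
            }
        }
    }
}

Get-LogonProfileFindings | Sort-Object Account | Format-Table -AutoSize
```

The class reflects what the local machine knows, so for domain accounts several properties (PasswordExpires, AccountExpires, LogonHours) may be empty; the administrator and logon-recency checks still work because LastLogon and Privileges are filled in for every profile that has logged on locally.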
NT Eventlog File
Namespace: root\cimv2
class Win32_NTEventlogFile
(String) Name
(UInt32) AccessMask
(Boolean) Archive
(String) Caption
(Boolean) Compressed
(String) CompressionMethod
(DateTime) CreationDate
(String) Description
(String) Drive
(String) EightDotThreeFileName
(Boolean) Encrypted
(String) EncryptionMethod
(String) Extension
(String) FileName
(UInt64) FileSize
(String) FileType
(String) FSName
(Boolean) Hidden
(DateTime) InstallDate
(UInt64) InUseCount
(DateTime) LastAccessed
(DateTime) LastModified
(String) LogfileName
(String) Manufacturer
(UInt32) MaxFileSize
(UInt32) NumberOfRecords
(UInt32) OverwriteOutDated
(String) OverWritePolicy
(String) Path
(Boolean) Readable
(String) Sources[]
(String) Status
(Boolean) System
(String) Version
(Boolean) Writeable
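For detection and forensics the interesting properties of Win32_NTEventlogFile are MaxFileSize, OverWritePolicy and NumberOfRecords: a Security log capped at a few megabytes with OverWritePolicy set to WhenNeeded discards the oldest events silently, while a policy of Never stops logging altogether once the file fills. The script below is an added example, not code from the Configuration Manager documentation or product. It evaluates the local log files against minimum sizes an investigation would want retained; the thresholds are assumed values chosen for illustration, and the function name is my own.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Checks the classic event logs described by Win32_NTEventlogFile for retention
# settings that would lose evidence before an investigation can collect it.
$MinimumBytes = @{           # assumed per-log retention targets
    'Security'    = 512MB
    'System'      = 64MB
    'Application' = 64MB
}

function Test-EventLogRetention {
    param([hashtable]$Minimums = $MinimumBytes)

    # Win32_NTEventlogFile enumerates the classic logs only; ETW channels such as
    # Sysmon or PowerShell/Operational are not in this class (use Get-WinEvent -ListLog for those).
    $logs = Get-CimInstance -ClassName Win32_NTEventlogFile

    foreach ($name in $Minimums.Keys) {
        $log = $logs | Where-Object { $_.LogfileName -eq $name }
        if (-not $log) {
            [pscustomobject]@{ Log = $name; MaxMB = $null; Policy = $null; Records = $null; Finding = 'log not present' }
            continue
        }

        $findings = @()
        if ($log.MaxFileSize -lt $Minimums[$name]) {
            $findings += "capacity below $([math]::Round($Minimums[$name] / 1MB)) MB"
        }
        # 'WhenNeeded' overwrites the oldest events when full; 'Never' stops logging instead,
        # which is a denial of audit in its own right.
        if ($log.OverWritePolicy -eq 'Never') { $findings += 'overwrite disabled: logging stops when full' }
        if ($log.NumberOfRecords -eq 0)       { $findings += 'no records: log cleared or never written' }

        [pscustomobject]@{
            Log     = $name
            MaxMB   = [math]::Round($log.MaxFileSize / 1MB)
            Policy  = $log.OverWritePolicy
            Records = $log.NumberOfRecords
            Finding = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

Test-EventLogRetention | Format-Table -AutoSize
```

Because the inventory agent collects exactly these properties, the same thresholds can be applied to the site database to find every client whose Security log is too small or has been cleared, without touching the endpoints again.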
Office365ProPlusConfigurations
Namespace: root\cimv2
class Office365ProPlusConfigurations
(String) KeyName
(String) AutoUpgrade
(String) CCMManaged
(String) CDNBaseUrl
(String) cfgUpdateChannel
(String) ClientCulture
(String) ClientFolder
(String) GPOChannel
(String) GPOOfficeMgmtCOM
(String) InstallationPath
(String) LastScenario
(String) LastScenarioResult
(String) OfficeMgmtCOM
(String) Platform
(String) SharedComputerLicensing
(String) UpdateChannel
(String) UpdatePath
(String) UpdatesEnabled
(String) UpdateUrl
(String) VersionToReport
Office Addin
Namespace: root\ccm\InvAgt
class CCM_OfficeAddin
(String) Architecture
(String) ID
(String) OfficeApp
(String) Type
(UInt32) AverageLoadTimeInMilliseconds
(String) CLSID
(String) CompanyName
(UInt32) CrashCount
(String) Description
(UInt32) ErrorCount
(String) FileName
(UInt64) FileSize
(UInt32) FileTimestamp
(String) FileVersion
(String) FriendlyName
(String) FriendlyNameHash
(String) IdHash
(UInt32) LoadBehavior
(UInt32) LoadCount
(UInt32) LoadFailCount
(String) ProductName
(String) ProductVersion
class CCM_OfficeClientMetric
(String) OfficeApp
(UInt32) CompatibilityErrorCount
(UInt32) CrashedSessionCount
(UInt32) MacroCompileErrorCount
(UInt32) MacroRuntimeErrorCount
(UInt32) SessionCount
Office Device Summary
Namespace: root\ccm\InvAgt
class CCM_OfficeDeviceSummary
(Boolean) IsProPlusInstalled
(Boolean) IsTelemetryEnabled
class CCM_OfficeDocumentMetric
(String) OfficeApp
(UInt32) TotalCloudDocs
(UInt32) TotalLegacyDocs
(UInt32) TotalLocalDocs
(UInt32) TotalMacroDocs
(UInt32) TotalNonMacroDocs
(UInt32) TotalUncDocs
class CCM_OfficeDocumentSolution
(String) DocumentSolutionId
(String) OfficeApp
(UInt32) CompatibilityErrorCount
(UInt32) CrashCount
(String) ExampleFileName
(UInt32) LoadCount
(UInt32) LoadFailCount
(UInt32) MacroCompileErrorCount
(UInt32) MacroRuntimeErrorCount
(String) Type
class CCM_OfficeMacroError
(String) DocumentSolutionId
(UInt32) ErrorCode
(UInt32) Count
(UInt64) LastOccurrence
(String) Type
class CCM_OfficeProductInfo
(String) ProductName
(String) ProductVersion
(String) Architecture
(String) Channel
(UInt32) IsProPlusInstalled
(String) Language
(String) LicenseState
Office Vba Rule Violation
Namespace: root\ccm\InvAgt
class CCM_OfficeVbaRuleViolation
(UInt32) RuleId
(UInt32) FileCount
(String) OfficeApp
Office VbaSummary
Namespace: root\ccm\InvAgt
class CCM_OfficeVbaScanResultsSummary
(UInt32) Design
(UInt32) Design64
(UInt32) DuplicateVba
(Boolean) HasResults
(UInt32) HasVba
(UInt32) Inaccessible
(UInt32) Issues
(UInt32) Issues64
(UInt32) IssuesNone
(UInt32) IssuesNone64
(UInt32) Locked
(UInt32) NoVba
(UInt32) Protected
(UInt32) RemLimited
(UInt32) RemLimited64
(UInt32) RemSignificant
(UInt32) RemSignificant64
(UInt32) Score
(UInt32) Score64
(UInt32) Total
(UInt32) Validation
(UInt32) Validation64
Operating System
Namespace: root\cimv2
class Win32_OperatingSystem
(String) Name
(String) BootDevice
(String) BuildNumber
(String) BuildType
(String) Caption
(String) CodeSet
(String) CountryCode
(String) CSDVersion
(SInt16) CurrentTimeZone
(Boolean) Debug
(String) Description
(Boolean) Distributed
(UInt8) ForegroundApplicationBoost
(UInt64) FreePhysicalMemory
(UInt64) FreeSpaceInPagingFiles
(UInt64) FreeVirtualMemory
(DateTime) InstallDate
(DateTime) LastBootUpTime
(DateTime) LocalDateTime
(String) Locale
(String) Manufacturer
(UInt32) MaxNumberOfProcesses
(UInt64) MaxProcessMemorySize
(String) MUILanguages[]
(UInt32) NumberOfLicensedUsers
(UInt32) NumberOfProcesses
(UInt32) NumberOfUsers
(UInt32) OperatingSystemSKU
(String) Organization
(String) OSArchitecture
(UInt32) OSLanguage
(UInt32) OSProductSuite
(UInt16) OSType
(String) OtherTypeDescription
(String) PlusProductID
(String) PlusVersionNumber
(Boolean) Primary
(UInt32) ProductType
(String) RegisteredUser
(String) SerialNumber
(UInt16) ServicePackMajorVersion
(UInt16) ServicePackMinorVersion
(UInt64) SizeStoredInPagingFiles
(String) Status
(String) SystemDevice
(String) SystemDirectory
(UInt64) TotalSwapSpaceSize
(UInt64) TotalVirtualMemorySize
(UInt64) TotalVisibleMemorySize
(String) Version
(String) WindowsDirectory
Operating System Ex
Namespace: root\cimv2
class CCM_OperatingSystemExtended
(String) Name
(UInt32) SKU
class Win32_OSRecoveryConfiguration
(String) Name
(Boolean) AutoReboot
(String) Caption
(String) DebugFilePath
(String) Description
(Boolean) KernelDumpOnly
(Boolean) OverwriteExistingDebugFile
(Boolean) SendAdminAlert
(String) SettingID
(Boolean) WriteDebugInfo
(Boolean) WriteToSystemLog
Optional Feature
Namespace: root\cimv2
class Win32_OptionalFeature
(String) Name
(String) Caption
(String) Description
(DateTime) InstallDate
(UInt32) InstallState
(String) Status
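Win32_OptionalFeature reports every Windows optional component with its InstallState (1 = Enabled, 2 = Disabled, 3 = Absent), which is the data a hardening baseline needs in order to prove that legacy components such as SMBv1 or the PowerShell 2.0 engine are really gone across the fleet. The script below is an added example, not code from the Configuration Manager documentation or product. It compares the local inventory against a list of features a hardened build should not have enabled; the feature list is an assumed baseline and the function name is my own.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Evaluates Win32_OptionalFeature against a list of components that should not be
# enabled on a hardened build and exits non-zero if any of them is.
$DisallowedFeatures = @(                  # assumed hardening baseline
    'SMB1Protocol',                       # SMBv1: no signing or encryption, EternalBlue-class exposure
    'TelnetClient',                       # cleartext credentials on the wire
    'TFTP',
    'SimpleTCP',
    'MicrosoftWindowsPowerShellV2Root'    # PowerShell 2.0 engine: no script block logging or AMSI
)
$StateName = @{ 1 = 'Enabled'; 2 = 'Disabled'; 3 = 'Absent' }

function Test-OptionalFeatureBaseline {
    param([string[]]$Disallowed = $DisallowedFeatures)

    $features = Get-CimInstance -ClassName Win32_OptionalFeature
    foreach ($name in $Disallowed) {
        $f = $features | Where-Object { $_.Name -eq $name }
        # A feature the OS does not know about at all is reported as Absent.
        $state = if ($f) { [int]$f.InstallState } else { 3 }
        [pscustomobject]@{
            Feature = $name
            State   = if ($StateName.ContainsKey($state)) { $StateName[$state] } else { "unknown ($state)" }
            Finding = if ($state -eq 1) { 'enabled: remove or document an exception' } else { 'ok' }
        }
    }
}

$report = Test-OptionalFeatureBaseline
$report | Format-Table -AutoSize

# Fail the check when any disallowed feature is enabled so it can gate an image build.
if ($report | Where-Object Finding -ne 'ok') { exit 1 }
```

A feature marked Disabled still has its payload on disk and can be re-enabled by an administrator or by malware running as one; if the baseline calls for the component to be unavailable, look for Absent (or remove the payload) rather than accepting Disabled.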
class Win32_PageFileSetting
(String) Name
(String) Caption
(String) Description
(UInt32) InitialSize
(UInt32) MaximumSize
(String) SettingID
Parallel Port
Namespace: root\cimv2
class Win32_ParallelPort
(String) DeviceID
(UInt16) Availability
(UInt16) Capabilities[]
(String) CapabilityDescriptions[]
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) DMASupport
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(UInt32) MaxNumberControlled
(String) Name
(Boolean) OSAutoDiscovered
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) ProtocolSupported
(String) Status
(UInt16) StatusInfo
(String) SystemName
(DateTime) TimeOfLastReset
BIOS
Namespace: root\cimv2
class Win32_BIOS
(String) Name
(String) SoftwareElementID
(UInt16) SoftwareElementState
(UInt16) TargetOperatingSystem
(String) Version
(UInt16) BiosCharacteristics[]
(String) BIOSVersion[]
(String) BuildNumber
(String) Caption
(String) CodeSet
(String) CurrentLanguage
(String) Description
(String) IdentificationCode
(UInt16) InstallableLanguages
(DateTime) InstallDate
(String) LanguageEdition
(String) ListOfLanguages[]
(String) Manufacturer
(String) OtherTargetOS
(Boolean) PrimaryBIOS
(DateTime) ReleaseDate
(String) SerialNumber
(String) SMBIOSBIOSVersion
(UInt16) SMBIOSMajorVersion
(UInt16) SMBIOSMinorVersion
(Boolean) SMBIOSPresent
(String) Status
PCMCIA Controller
Namespace: root\cimv2
class Win32_PCMCIAController
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(UInt32) MaxNumberControlled
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) ProtocolSupported
(String) Status
(UInt16) StatusInfo
(String) SystemName
(DateTime) TimeOfLastReset
Physical Memory
Namespace: root\cimv2
class Win32_PhysicalMemory
(String) CreationClassName
(String) Tag
(String) BankLabel
(UInt64) Capacity
(String) Caption
(UInt16) DataWidth
(String) Description
(String) DeviceLocator
(UInt16) FormFactor
(Boolean) HotSwappable
(DateTime) InstallDate
(UInt16) InterleaveDataDepth
(UInt32) InterleavePosition
(String) Manufacturer
(UInt16) MemoryType
(String) Model
(String) Name
(String) OtherIdentifyingInfo
(String) PartNumber
(UInt32) PositionInRow
(Boolean) PoweredOn
(Boolean) Removable
(Boolean) Replaceable
(String) SerialNumber
(String) SKU
(UInt32) Speed
(String) Status
(UInt16) TotalWidth
(UInt16) TypeDetail
(String) Version
PhysicalDisk
Namespace: root\microsoft\windows\storage
class MSFT_PhysicalDisk
(String) ObjectId
(UInt64) AllocatedSize
(UInt16) BusType
(UInt16) CannotPoolReason[]
(Boolean) CanPool
(String) Description
(String) DeviceId
(UInt16) EnclosureNumber
(String) FirmwareVersion
(String) FriendlyName
(UInt16) HealthStatus
(Boolean) IsIndicationEnabled
(Boolean) IsPartial
(UInt64) LogicalSectorSize
(String) Manufacturer
(UInt16) MediaType
(String) Model
(UInt16) OperationalStatus[]
(String) OtherCannotPoolReasonDescription
(String) PartNumber
(String) PhysicalLocation
(UInt64) PhysicalSectorSize
(String) SerialNumber
(UInt64) Size
(UInt16) SlotNumber
(String) SoftwareVersion
(UInt32) SpindleSpeed
(UInt16) SupportedUsages[]
(String) UniqueId
(UInt16) Usage
class Win32_PnpEntity
(String) DeviceID
(UInt16) Availability
(String) Caption
(String) ClassGuid
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) CreationClassName
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) Service
(String) Status
(UInt16) StatusInfo
(String) SystemCreationClassName
(String) SystemName
Pointing Device
Namespace: root\cimv2
class Win32_PointingDevice
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(UInt16) DeviceInterface
(UInt32) DoubleSpeedThreshold
(Boolean) ErrorCleared
(String) ErrorDescription
(UInt16) Handedness
(String) HardwareType
(String) InfFileName
(String) InfSection
(DateTime) InstallDate
(Boolean) IsLocked
(UInt32) LastErrorCode
(String) Manufacturer
(String) Name
(UInt8) NumberOfButtons
(String) PNPDeviceID
(UInt16) PointingType
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt32) QuadSpeedThreshold
(UInt32) Resolution
(UInt32) SampleRate
(String) Status
(UInt16) StatusInfo
(UInt32) Synch
(String) SystemName
Portable Battery
Namespace: root\cimv2
class Win32_PortableBattery
(String) DeviceID
(UInt16) Availability
(UInt16) BatteryStatus
(UInt16) CapacityMultiplier
(String) Caption
(UInt16) Chemistry
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(UInt32) DesignCapacity
(UInt64) DesignVoltage
(Boolean) ErrorCleared
(String) ErrorDescription
(UInt16) EstimatedChargeRemaining
(UInt32) EstimatedRunTime
(UInt32) ExpectedLife
(UInt32) FullChargeCapacity
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Location
(String) ManufactureDate
(String) Manufacturer
(UInt16) MaxBatteryError
(UInt32) MaxRechargeTime
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) SmartBatteryVersion
(String) Status
(UInt16) StatusInfo
(String) SystemName
(UInt32) TimeOnBattery
(UInt32) TimeToFullCharge
Ports
Namespace: root\cimv2
class Win32_PortResource
(UInt64) StartingAddress
(Boolean) Alias
(String) Caption
(String) Description
(UInt64) EndingAddress
(DateTime) InstallDate
(String) Name
(String) Status
Power Capabilities
Namespace: root\CCM\powermanagementagent
class CCM_PwrMgmtSystemPowerCapabilities
(UInt32) PreferredPMProfile
(Boolean) ApmPresent
(Boolean) BatteriesAreShortTerm
(Boolean) FullWake
(Boolean) LidPresent
(String) MinDeviceWakeState
(Boolean) ProcessorThrottle
(String) RtcWake
(Boolean) SystemBatteriesPresent
(Boolean) SystemS1
(Boolean) SystemS2
(Boolean) SystemS3
(Boolean) SystemS4
(Boolean) SystemS5
(Boolean) UpsPresent
(Boolean) VideoDimPresent
Power Configurations
Namespace: root\CCM\policy\machine\actualconfig
class CCM_PowerConfig
(String) PowerConfigID
(UInt32) DurationInSec
(String) NonPeakPowerPlan
(String) NonPeakPowerPlanName
(String) PeakPowerPlan
(String) PeakPowerPlanName
(String) PeakStartTimeHoursMin
(String) WakeUpTimeHoursMin
class CCM_PwrMgmtLastSuspendError
(String) Requester
(String) RequesterType
(String) RequestType
(DateTime) Time
(UInt32) AdditionalCode
(String) AdditionalInfo
(String) RequesterInfo
(Boolean) UnknownRequester
class CCM_PwrMgmtActualDay
(DateTime) Date
(String) TypeOfEvent
(UInt32) hr0_1
(UInt32) hr1_2
(UInt32) hr10_11
(UInt32) hr11_12
(UInt32) hr12_13
(UInt32) hr13_14
(UInt32) hr14_15
(UInt32) hr15_16
(UInt32) hr16_17
(UInt32) hr17_18
(UInt32) hr18_19
(UInt32) hr19_20
(UInt32) hr2_3
(UInt32) hr20_21
(UInt32) hr21_22
(UInt32) hr22_23
(UInt32) hr23_0
(UInt32) hr3_4
(UInt32) hr4_5
(UInt32) hr5_6
(UInt32) hr6_7
(UInt32) hr7_8
(UInt32) hr8_9
(UInt32) hr9_10
(UInt32) minutesTotal
class CCM_PowerManagementClientOptoutSetting
(Boolean) AdminAllowOptout
(Boolean) EffectiveClientOptOut
(Boolean) IsClientOptOut
class CCM_PwrMgmtMonth
(DateTime) MonthStart
(UInt32) minutesComputerActive
(UInt32) minutesComputerOn
(UInt32) minutesComputerShutdown
(UInt32) minutesComputerSleep
(UInt32) minutesMonitorOn
(UInt32) minutesTotal
(String) TypeOfEvent
Power Settings
Namespace: root\cimv2\sms
class SMS_PowerSettings
(String) GUID
(String) ACSettingIndex
(String) ACValue
(String) DCSettingIndex
(String) DCValue
(String) Name
(String) UnitSpecifier
Print Jobs
Namespace: root\cimv2
class Win32_PrintJob
(String) Name
(String) Caption
(String) DataType
(String) Description
(String) Document
(String) DriverName
(DateTime) ElapsedTime
(String) HostPrintQueue
(DateTime) InstallDate
(UInt32) JobId
(String) JobStatus
(String) Notify
(String) Owner
(UInt32) PagesPrinted
(String) Parameters
(String) PrintProcessor
(UInt32) Priority
(UInt32) Size
(DateTime) StartTime
(String) Status
(UInt32) StatusMask
(DateTime) TimeSubmitted
(UInt32) TotalPages
(DateTime) UntilTime
Printer Configuration
Namespace: root\cimv2
class Win32_PrinterConfiguration
(String) Name
(UInt32) BitsPerPel
(String) Caption
(Boolean) Collate
(UInt32) Color
(UInt32) Copies
(String) Description
(String) DeviceName
(UInt32) DisplayFlags
(UInt32) DisplayFrequency
(UInt32) DitherType
(UInt32) DriverVersion
(Boolean) Duplex
(String) FormName
(UInt32) HorizontalResolution
(UInt32) ICMIntent
(UInt32) ICMMethod
(UInt32) LogPixels
(UInt32) MediaType
(UInt32) Orientation
(UInt32) PaperLength
(String) PaperSize
(UInt32) PaperWidth
(UInt32) PelsHeight
(UInt32) PelsWidth
(UInt32) PrintQuality
(UInt32) Scale
(String) SettingID
(UInt32) SpecificationVersion
(UInt32) TTOption
(UInt32) VerticalResolution
(UInt32) XResolution
(UInt32) YResolution
Printer Device
Namespace: root\cimv2
class Win32_Printer
(String) DeviceID
(UInt32) Attributes
(UInt16) Availability
(UInt32) AveragePagesPerMinute
(UInt16) Capabilities[]
(String) CapabilityDescriptions[]
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(UInt32) DefaultPriority
(String) Description
(UInt16) DetectedErrorState
(String) DriverName
(Boolean) ErrorCleared
(String) ErrorDescription
(UInt32) HorizontalResolution
(DateTime) InstallDate
(UInt32) JobCountSinceLastReset
(UInt16) LanguagesSupported[]
(UInt32) LastErrorCode
(String) Location
(String) Name
(UInt16) PaperSizesSupported[]
(String) PNPDeviceID
(String) PortName
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) PrinterPaperNames[]
(UInt32) PrinterState
(UInt16) PrinterStatus
(String) PrintJobDataType
(String) PrintProcessor
(String) SeparatorFile
(String) ServerName
(String) ShareName
(Boolean) SpoolEnabled
(DateTime) StartTime
(String) Status
(UInt16) StatusInfo
(String) SystemName
(DateTime) TimeOfLastReset
(DateTime) UntilTime
(UInt32) VerticalResolution
Process
Namespace: root\cimv2
class Win32_Process
(String) Handle
(String) Caption
(DateTime) CreationDate
(String) Description
(String) ExecutablePath
(UInt16) ExecutionState
(UInt32) HandleCount
(DateTime) InstallDate
(UInt64) KernelModeTime
(UInt32) MaximumWorkingSetSize
(UInt32) MinimumWorkingSetSize
(String) Name
(String) OSName
(UInt64) OtherOperationCount
(UInt64) OtherTransferCount
(UInt32) PageFaults
(UInt32) PageFileUsage
(UInt32) ParentProcessId
(UInt32) PeakPageFileUsage
(UInt64) PeakVirtualSize
(UInt32) PeakWorkingSetSize
(UInt32) Priority
(UInt64) PrivatePageCount
(UInt32) ProcessId
(UInt32) QuotaNonPagedPoolUsage
(UInt32) QuotaPagedPoolUsage
(UInt32) QuotaPeakNonPagedPoolUsage
(UInt32) QuotaPeakPagedPoolUsage
(UInt64) ReadOperationCount
(UInt64) ReadTransferCount
(UInt32) SessionId
(String) Status
(DateTime) TerminationDate
(UInt32) ThreadCount
(UInt64) UserModeTime
(UInt64) VirtualSize
(String) WindowsVersion
(UInt64) WorkingSetSize
(UInt64) WriteOperationCount
(UInt64) WriteTransferCount
Processor
Namespace: root\cimv2\sms
class SMS_Processor
(String) DeviceID
(UInt16) AddressWidth
(UInt16) Architecture
(UInt16) Availability
(UInt16) BrandID
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) CPUHash
(String) CPUKey
(UInt16) CpuStatus
(UInt32) CurrentClockSpeed
(UInt16) CurrentVoltage
(UInt16) DataWidth
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(UInt32) ExtClock
(UInt16) Family
(DateTime) InstallDate
(Boolean) Is64Bit
(Boolean) IsHyperthreadCapable
(Boolean) IsHyperthreadEnabled
(Boolean) IsMobile
(Boolean) IsTrustedExecutionCapable
(Boolean) IsVitualizationCapable
(UInt32) L2CacheSize
(UInt32) L2CacheSpeed
(UInt32) L3CacheSize
(UInt32) L3CacheSpeed
(UInt32) LastErrorCode
(UInt16) Level
(UInt16) LoadPercentage
(String) Manufacturer
(UInt32) MaxClockSpeed
(String) Name
(UInt32) NormSpeed
(UInt32) NumberOfCores
(UInt32) NumberOfLogicalProcessors
(String) OtherFamilyDescription
(Boolean) PartOfDomain
(UInt32) PCache
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) ProcessorId
(UInt16) ProcessorType
(UInt16) Revision
(String) Role
(String) SocketDesignation
(String) Status
(UInt16) StatusInfo
(String) Stepping
(String) SystemName
(String) UniqueId
(UInt16) UpgradeMethod
(String) Version
(UInt32) VoltageCaps
(String) Workgroup
class CCM_ProtectedVolumeInfo
(String) Name
(String) DriveLetter
(UInt32) ProtectionType
Protocol
Namespace: root\cimv2
class Win32_NetworkProtocol
(String) Name
(String) Caption
(Boolean) ConnectionlessService
(String) Description
(Boolean) GuaranteesDelivery
(Boolean) GuaranteesSequencing
(DateTime) InstallDate
(UInt32) MaximumAddressSize
(UInt32) MaximumMessageSize
(Boolean) MessageOriented
(UInt32) MinimumAddressSize
(Boolean) PseudoStreamOriented
(String) Status
(Boolean) SupportsBroadcasting
(Boolean) SupportsConnectData
(Boolean) SupportsDisconnectData
(Boolean) SupportsEncryption
(Boolean) SupportsExpeditedData
(Boolean) SupportsFragmentation
(Boolean) SupportsGracefulClosing
(Boolean) SupportsGuaranteedBandwidth
(Boolean) SupportsMulticasting
(Boolean) SupportsQualityofService
class Win32_QuickFixEngineering
(String) HotFixID
(String) ServicePackInEffect
(String) Caption
(String) Description
(String) FixComments
(DateTime) InstallDate
(String) InstalledBy
(String) InstalledOn
(String) Name
(String) Status
class CCM_RecentlyUsedApps
(String) ExplorerFileName
(String) FolderPath
(String) LastUserName
(String) AdditionalProductCodes
(String) CompanyName
(String) FileDescription
(String) FilePropertiesHash
(UInt32) FileSize
(String) FileVersion
(DateTime) LastUsedTime
(UInt32) LaunchCount
(String) msiDisplayName
(String) msiPublisher
(String) msiVersion
(String) OriginalFileName
(String) ProductCode
(UInt32) ProductLanguage
(String) ProductName
(String) ProductVersion
(String) SoftwarePropertiesHash
Registry
Namespace: root\cimv2
class Win32_Registry
(String) Name
(String) Caption
(UInt32) CurrentSize
(String) Description
(DateTime) InstallDate
(UInt32) MaximumSize
(UInt32) ProposedSize
(String) Status
SCSI Controller
Namespace: root\cimv2
class Win32_SCSIController
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(UInt32) ControllerTimeouts
(String) Description
(String) DeviceMap
(String) DriverName
(Boolean) ErrorCleared
(String) ErrorDescription
(String) HardwareVersion
(UInt32) Index
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(UInt32) MaxDataWidth
(UInt32) MaxNumberControlled
(UInt64) MaxTransferRate
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) ProtectionManagement
(UInt16) ProtocolSupported
(String) Status
(UInt16) StatusInfo
(String) SystemName
(DateTime) TimeOfLastReset
Serial Port Configuration
Namespace: root\cimv2
class Win32_SerialPortConfiguration
(String) Name
(Boolean) AbortReadWriteOnError
(UInt32) BaudRate
(Boolean) BinaryModeEnabled
(UInt32) BitsPerByte
(String) Caption
(Boolean) ContinueXMitOnXOff
(Boolean) CTSOutflowControl
(String) Description
(Boolean) DiscardNULLBytes
(Boolean) DSROutflowControl
(Boolean) DSRSensitivity
(String) DTRFlowControlType
(UInt32) EOFCharacter
(UInt32) ErrorReplaceCharacter
(Boolean) ErrorReplacementEnabled
(UInt32) EventCharacter
(Boolean) IsBusy
(String) Parity
(Boolean) ParityCheckEnabled
(String) RTSFlowControlType
(String) SettingID
(String) StopBits
(UInt32) XOffCharacter
(UInt32) XOffXMitThreshold
(UInt32) XOnCharacter
(UInt32) XOnXMitThreshold
(UInt32) XOnXOffInFlowControl
(UInt32) XOnXOffOutFlowControl
Serial Ports
Namespace: root\cimv2
class Win32_SerialPort
(String) DeviceID
(UInt16) Availability
(Boolean) Binary
(UInt16) Capabilities[]
(String) CapabilityDescriptions[]
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(UInt32) MaxBaudRate
(UInt32) MaximumInputBufferSize
(UInt32) MaximumOutputBufferSize
(UInt32) MaxNumberControlled
(String) Name
(Boolean) OSAutoDiscovered
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) ProtocolSupported
(String) ProviderType
(Boolean) SettableBaudRate
(Boolean) SettableDataBits
(Boolean) SettableFlowControl
(Boolean) SettableParity
(Boolean) SettableParityCheck
(Boolean) SettableRLSD
(Boolean) SettableStopBits
(String) Status
(UInt16) StatusInfo
(Boolean) Supports16BitMode
(Boolean) SupportsDTRDSR
(Boolean) SupportsElapsedTimeouts
(Boolean) SupportsIntTimeouts
(Boolean) SupportsParityCheck
(Boolean) SupportsRLSD
(Boolean) SupportsRTSCTS
(Boolean) SupportsSpecialCharacters
(Boolean) SupportsXOnXOff
(Boolean) SupportsXOnXOffSet
(String) SystemName
(DateTime) TimeOfLastReset
Server Feature
Namespace: root\cimv2
class Win32_ServerFeature
(UInt32) ID
(String) Name
(UInt32) ParentID
Services
Namespace: root\cimv2
class Win32_Service
(String) Name
(Boolean) AcceptPause
(Boolean) AcceptStop
(String) Caption
(UInt32) CheckPoint
(String) Description
(Boolean) DesktopInteract
(String) DisplayName
(String) ErrorControl
(UInt32) ExitCode
(DateTime) InstallDate
(String) PathName
(UInt32) ProcessId
(UInt32) ServiceSpecificExitCode
(String) ServiceType
(Boolean) Started
(String) StartMode
(String) StartName
(String) State
(String) Status
(String) SystemName
(UInt32) TagId
(UInt32) WaitHint
Shares
Namespace: root\cimv2
class Win32_Share
(String) Name
(UInt32) AccessMask
(Boolean) AllowMaximum
(String) Caption
(String) Description
(DateTime) InstallDate
(UInt32) MaximumAllowed
(String) Path
(String) Status
(UInt32) Type
SW Licensing Product
Namespace: root\cimv2
class SoftwareLicensingProduct
(String) ID
(String) ApplicationID
(String) Description
(DateTime) EvaluationEndDate
(UInt32) GracePeriodRemaining
(UInt32) LicenseStatus
(String) MachineURL
(String) Name
(String) OfflineInstallationId
(String) PartialProductKey
(String) ProcessorURL
(String) ProductKeyID
(String) ProductKeyURL
(String) UseLicenseURL
SW Licensing Service
Namespace: root\cimv2
class SoftwareLicensingService
(String) Version
(String) ClientMachineID
(UInt32) IsKeyManagementServiceMachine
(UInt32) KeyManagementServiceCurrentCount
(String) KeyManagementServiceMachine
(String) KeyManagementServiceProductKeyID
(UInt32) PolicyCacheRefreshRequired
(UInt32) RequiredClientCount
(UInt32) VLActivationInterval
(UInt32) VLRenewalInterval
Software Shortcut
Namespace: root\cimv2\sms
class SMS_SoftwareShortcut
(String) ShortcutKey
(String) BinFileVersion
(String) BinProductVersion
(String) Description
(String) FilePropertiesHash
(String) FilePropertiesHashEx
(UInt32) FileSize
(String) FileVersion
(UInt32) Language
(String) ParentName
(String) Product
(String) ProductCode
(String) ProductVersion
(String) Publisher
(String) ShortcutName
(UInt32) ShortcutType
(String) TargetExecutable
SMS_SoftwareTag
Namespace: root\cimv2\sms
class SMS_SoftwareTag
(String) TagCreatorRegid
(String) UniqueID
(String) DisplayVersion
(Boolean) EntitlementRequired
(String) ProductName
(String) SoftwareCreator
(String) SoftwareCreatorRegid
(String) SoftwareLicensor
(String) SoftwareLicensorRegid
(String) TagCreator
(SInt32) VersionMajor
(SInt32) VersionMinor
Sound Devices
Namespace: root\cimv2
class Win32_SoundDevice
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(UInt16) DMABufferSize
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(UInt32) MPU401Address
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) ProductName
(String) Status
(UInt16) StatusInfo
(String) SystemName
System Account
Namespace: root\cimv2
class Win32_SystemAccount
(String) Domain
(String) Name
(String) Caption
(String) Description
(DateTime) InstallDate
(String) SID
(UInt8) SIDType
(String) Status
class CCM_SystemBootData
(UInt64) SystemStartTime
(UInt32) BiosDuration
(UInt16) BootDiskMediaType
(UInt32) BootDuration
(UInt32) EventLogStart
(UInt32) GPDuration
(String) OSVersion
(UInt32) UpdateDuration
class CCM_SystemBootSummary
(UInt32) AverageBootFrequency
(UInt32) LatestBiosDuration
(UInt32) LatestBootDuration
(UInt32) LatestCoreBootDuration
(UInt32) LatestEventLogStart
(UInt32) LatestGPDuration
(UInt32) LatestUpdateDuration
(UInt32) MaxBiosDuration
(UInt32) MaxBootDuration
(UInt32) MaxCoreBootDuration
(UInt32) MaxEventLogStart
(UInt32) MaxGPDuration
(UInt32) MaxUpdateDuration
(UInt32) MedianBiosDuration
(UInt32) MedianBootDuration
(UInt32) MedianCoreBootDuration
(UInt32) MedianEventLogStart
(UInt32) MedianGPDuration
(UInt32) MedianUpdateDuration
class SMS_SystemConsoleUsage
(DateTime) SecurityLogStartDate
(String) TopConsoleUser
(UInt32) TotalConsoleTime
(UInt32) TotalConsoleUsers
(UInt32) TotalSecurityLogTime
System Console User
Namespace: root\cimv2\sms
class SMS_SystemConsoleUser
(String) SystemConsoleUser
(DateTime) LastConsoleUse
(UInt32) NumberOfConsoleLogons
(UInt32) TotalUserConsoleMinutes
System Devices
Namespace: root\cimv2\sms
class CCM_SystemDevices
(String) Name
(String) CompatibleIDs[]
(String) DeviceID
(String) HardwareIDs[]
(Boolean) IsPnP
System Drivers
Namespace: root\cimv2
class Win32_SystemDriver
(String) Name
(Boolean) AcceptPause
(Boolean) AcceptStop
(String) Caption
(String) Description
(Boolean) DesktopInteract
(String) DisplayName
(String) ErrorControl
(UInt32) ExitCode
(DateTime) InstallDate
(String) PathName
(UInt32) ServiceSpecificExitCode
(String) ServiceType
(Boolean) Started
(String) StartMode
(String) StartName
(String) State
(String) Status
(String) SystemName
(UInt32) TagId
System Enclosure
Namespace: root\cimv2
class Win32_SystemEnclosure
(String) Tag
(Boolean) AudibleAlarm
(String) BreachDescription
(String) CableManagementStrategy
(String) Caption
(UInt16) ChassisTypes[]
(SInt16) CurrentRequiredOrProduced
(String) Description
(UInt16) HeatGeneration
(Boolean) HotSwappable
(DateTime) InstallDate
(Boolean) LockPresent
(String) Manufacturer
(String) Model
(String) Name
(UInt16) NumberOfPowerCords
(String) OtherIdentifyingInfo
(String) PartNumber
(Boolean) PoweredOn
(Boolean) Removable
(Boolean) Replaceable
(UInt16) SecurityBreach
(UInt16) SecurityStatus
(String) SerialNumber
(String) ServiceDescriptions[]
(UInt16) ServicePhilosophy[]
(String) SKU
(String) SMBIOSAssetTag
(String) Status
(String) TypeDescriptions[]
(String) Version
(Boolean) VisibleAlarm
Tape Drive
Namespace: root\cimv2
class Win32_TapeDrive
(String) DeviceID
(UInt16) Availability
(UInt16) Capabilities[]
(String) CapabilityDescriptions[]
(String) Caption
(UInt32) Compression
(String) CompressionMethod
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(UInt64) DefaultBlockSize
(String) Description
(UInt32) ECC
(UInt32) EOTWarningZoneSize
(Boolean) ErrorCleared
(String) ErrorDescription
(String) ErrorMethodology
(UInt32) FeaturesHigh
(UInt32) FeaturesLow
(String) ID
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(UInt64) MaxBlockSize
(UInt64) MaxMediaSize
(UInt32) MaxPartitionCount
(String) MediaType
(UInt64) MinBlockSize
(String) Name
(Boolean) NeedsCleaning
(UInt32) NumberOfMediaSupported
(UInt32) Padding
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt32) ReportSetMarks
(String) Status
(UInt16) StatusInfo
(String) SystemName
Time Zone
Namespace: root\cimv2
class Win32_TimeZone
(String) StandardName
(SInt32) Bias
(String) Caption
(SInt32) DaylightBias
(UInt32) DaylightDay
(UInt8) DaylightDayOfWeek
(UInt32) DaylightHour
(UInt32) DaylightMillisecond
(UInt32) DaylightMinute
(UInt32) DaylightMonth
(String) DaylightName
(UInt32) DaylightSecond
(UInt32) DaylightYear
(String) Description
(String) SettingID
(UInt32) StandardBias
(UInt32) StandardDay
(UInt8) StandardDayOfWeek
(UInt32) StandardHour
(UInt32) StandardMillisecond
(UInt32) StandardMinute
(UInt32) StandardMonth
(UInt32) StandardSecond
(UInt32) StandardYear
TPM
Namespace: root\CIMv2\Security\MicrosoftTpm
class Win32_Tpm
(Boolean) IsActivated_InitialValue
(Boolean) IsEnabled_InitialValue
(Boolean) IsOwned_InitialValue
(UInt32) ManufacturerId
(String) ManufacturerVersion
(String) ManufacturerVersionInfo
(String) PhysicalPresenceVersionInfo
(String) SpecVersion
TPM Status
Namespace: root\cimv2\sms
class SMS_TPM
(Boolean) IsReady
(UInt32) Information
(Boolean) IsApplicable
TS Issued License
Namespace: root\cimv2
class Win32_TSIssuedLicense
(UInt32) LicenseId
(DateTime) ExpirationDate
(DateTime) IssueDate
(UInt32) KeyPackId
(UInt32) LicenseStatus
(String) sHardwareId
(String) sIssuedToComputer
(String) sIssuedToUser
class Win32_TSLicenseKeyPack
(UInt32) KeyPackId
(UInt32) AvailableLicenses
(String) Description
(UInt32) IssuedLicenses
(UInt32) KeyPackType
(UInt32) ProductType
(String) ProductVersion
(UInt32) TotalLicenses
class Win32_UninterruptiblePowerSupply
(String) DeviceID
(UInt16) ActiveInputVoltage
(UInt16) Availability
(Boolean) BatteryInstalled
(Boolean) CanTurnOffRemotely
(String) Caption
(String) CommandFile
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(UInt16) EstimatedChargeRemaining
(UInt32) EstimatedRunTime
(UInt32) FirstMessageDelay
(DateTime) InstallDate
(Boolean) IsSwitchingSupply
(UInt32) LastErrorCode
(Boolean) LowBatterySignal
(UInt32) MessageInterval
(String) Name
(String) PNPDeviceID
(Boolean) PowerFailSignal
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt32) Range1InputFrequencyHigh
(UInt32) Range1InputFrequencyLow
(UInt32) Range1InputVoltageHigh
(UInt32) Range1InputVoltageLow
(UInt32) Range2InputFrequencyHigh
(UInt32) Range2InputFrequencyLow
(UInt32) Range2InputVoltageHigh
(UInt32) Range2InputVoltageLow
(UInt16) RemainingCapacityStatus
(String) Status
(UInt16) StatusInfo
(String) SystemName
(UInt32) TimeOnBackup
(UInt32) TotalOutputPower
(UInt16) TypeOfRangeSwitching
(String) UPSPort
USB Controller
Namespace: root\cimv2
class Win32_USBController
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(UInt32) MaxNumberControlled
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) ProtocolSupported
(String) Status
(UInt16) StatusInfo
(String) SystemName
(DateTime) TimeOfLastReset
USB Device
Namespace: root\cimv2
class Win32_USBDevice
(String) DeviceID
(String) Caption
(String) ClassGuid
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) CreationClassName
(String) Description
(String) Manufacturer
(String) Name
(String) PNPDeviceID
(String) Service
(String) Status
(String) SystemCreationClassName
(String) SystemName
USM User Profile
Namespace: root\cimv2
class Win32_UserProfile
(String) SID
(UInt8) HealthStatus
(String) LastAttemptedProfileDownloadTime
(String) LastAttemptedProfileUploadTime
(String) LastBackgroundRegistryUploadTime
(DateTime) LastDownloadTime
(DateTime) LastUploadTime
(DateTime) LastUseTime
(Boolean) Loaded
(String) LocalPath
(UInt32) RefCount
(Boolean) RoamingConfigured
(String) RoamingPath
(Boolean) RoamingPreference
(Boolean) Special
(UInt32) Status
Video Controller
Namespace: root\cimv2
class Win32_VideoController
(String) DeviceID
(UInt16) AcceleratorCapabilities[]
(String) AdapterCompatibility
(String) AdapterDACType
(UInt32) AdapterRAM
(UInt16) Availability
(String) CapabilityDescriptions[]
(String) Caption
(UInt32) ColorTableEntries
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(UInt32) CurrentBitsPerPixel
(UInt32) CurrentHorizontalResolution
(UInt64) CurrentNumberOfColors
(UInt32) CurrentNumberOfColumns
(UInt32) CurrentNumberOfRows
(UInt32) CurrentRefreshRate
(UInt16) CurrentScanMode
(UInt32) CurrentVerticalResolution
(String) Description
(UInt32) DeviceSpecificPens
(UInt32) DitherType
(DateTime) DriverDate
(String) DriverVersion
(Boolean) ErrorCleared
(String) ErrorDescription
(UInt32) ICMIntent
(UInt32) ICMMethod
(String) InfFilename
(String) InfSection
(DateTime) InstallDate
(String) InstalledDisplayDrivers
(UInt32) LastErrorCode
(UInt32) MaxMemorySupported
(UInt32) MaxNumberControlled
(UInt32) MaxRefreshRate
(UInt32) MinRefreshRate
(Boolean) Monochrome
(String) Name
(UInt16) NumberOfColorPlanes
(UInt32) NumberOfVideoPages
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) ProtocolSupported
(UInt32) ReservedSystemPaletteEntries
(UInt32) SpecificationVersion
(String) Status
(UInt16) StatusInfo
(String) SystemName
(UInt32) SystemPaletteEntries
(DateTime) TimeOfLastReset
(UInt16) VideoArchitecture
(UInt16) VideoMemoryType
(UInt16) VideoMode
(String) VideoModeDescription
(String) VideoProcessor
class Package
(String) PackageGUID
(UInt64) CachedLaunchSize
(UInt16) CachedPercentage
(UInt64) CachedSize
(UInt64) LaunchSize
(String) Name
(String) SftPath
(UInt64) TotalSize
(String) Version
(String) VersionGUID
Virtual Applications
Namespace: root\Microsoft\appvirt\client
class Application
(String) Name
(String) Version
(String) CachedOsdPath
(UInt32) GlobalRunningCount
(DateTime) LastLaunchOnSystem
(Boolean) Loading
(String) OriginalOsdPath
(String) PackageGUID
class Win32Reg_SMSGuestVirtualMachine64
(String) InstanceKey
(String) PhysicalHostName
(String) PhysicalHostNameFullyQualified
Virtual Machine
Namespace: root\cimv2
class Win32Reg_SMSGuestVirtualMachine
(String) InstanceKey
(String) PhysicalHostName
(String) PhysicalHostNameFullyQualified
class VirtualMachine
(String) Name
(UInt32) CpuUtilization
(UInt64) DiskBytesRead
(UInt64) DiskBytesWritten
(UInt64) DiskSpaceUsed
(UInt64) HeartbeatCount
(UInt32) HeartbeatInterval
(UInt32) HeartbeatPercentage
(UInt32) HeartbeatRate
(UInt64) NetworkBytesReceived
(UInt64) NetworkBytesSent
(UInt64) PhysicalMemoryAllocated
(UInt32) Uptime
Volume
Namespace: root\cimv2
class Win32_Volume
(String) DeviceID
(UInt16) Access
(Boolean) Automount
(UInt16) Availability
(UInt64) BlockSize
(UInt64) Capacity
(String) Caption
(Boolean) Compressed
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) CreationClassName
(String) Description
(Boolean) DirtyBitSet
(String) DriveLetter
(UInt32) DriveType
(Boolean) ErrorCleared
(String) ErrorDescription
(String) ErrorMethodology
(String) FileSystem
(UInt64) FreeSpace
(Boolean) IndexingEnabled
(DateTime) InstallDate
(String) Label
(UInt32) LastErrorCode
(UInt32) MaximumFileNameLength
(String) Name
(UInt64) NumberOfBlocks
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) Purpose
(Boolean) QuotasEnabled
(Boolean) QuotasIncomplete
(Boolean) QuotasRebuilding
(UInt32) SerialNumber
(String) Status
(UInt16) StatusInfo
(Boolean) SupportsDiskQuotas
(Boolean) SupportsFileBasedCompression
(String) SystemCreationClassName
(String) SystemName
CCM_WebAppInstallInfo
Namespace: root\ccm\cimodels
class CCM_WebAppInstallInfo
(String) AppDeliveryTypeId
(UInt32) AppDtRevision
(String) TargetURL
(String) UserSID
(String) URLFileName
(String) URLPath
SMS_Windows8Application
Namespace: root\cimv2\sms
class SMS_Windows8Application
(String) FullName
(String) ApplicationName
(String) Architecture
(Boolean) ConfigMgrManaged
(String) DependencyApplicationNames
(String) FamilyName
(String) InstalledLocation
(Boolean) IsFramework
(String) Publisher
(String) PublisherId
(String) Version
SMS_Windows8ApplicationUserInfo
Namespace: root\cimv2\sms
class SMS_Windows8ApplicationUserInfo
(String) FullName
(String) UserSecurityId
(String) InstallState
(String) UserAccountName
Windows Update
Namespace: root\cimv2
class Win32Reg_SMSWindowsUpdate
(String) InstanceKey
(UInt32) AUOptions
(UInt32) NoAutoUpdate
(UInt32) UseWUServer
class Win32_WindowsUpdateAgentVersion
(String) Version
Write Filter State
Namespace: root\cimv2\sms
class CCM_WriteFilterState
(Boolean) WriteFilterEnabled
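The classes listed above are what the hardware inventory agent reads on the client, so the same CIM queries can be run locally to preview what the site will receive. The following PowerShell is an added example, not code from the Configuration Manager documentation: it reads a few of the listed classes that matter for security posture (Win32_Tpm, Win32_Share, Win32_Service and Win32Reg_SMSWindowsUpdate) and turns them into findings. It assumes an elevated session on a Windows device; Win32Reg_SMSWindowsUpdate exists only where the Configuration Manager client is installed and is skipped elsewhere. The finding criteria (non-administrative shares, services running as named accounts or from unquoted paths containing spaces, automatic updates disabled by policy) are this example's own choices, not Configuration Manager's.

```powershell
# Added example, not from the Configuration Manager documentation: read a few of the
# inventory classes listed above directly with CIM and turn them into security findings.
# Assumes an elevated session on a Windows device. Win32Reg_SMSWindowsUpdate exists only
# where the Configuration Manager client is installed and is skipped elsewhere.
# The finding criteria are this example's own, not Configuration Manager's.

function Get-InventoryClassSafely {
    # Get-CimInstance wrapper: a missing namespace or class yields nothing instead of
    # terminating the run, so the report degrades gracefully on non-ConfigMgr devices.
    param(
        [Parameter(Mandatory)] [string] $Namespace,
        [Parameter(Mandatory)] [string] $ClassName
    )
    try {
        Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction Stop
    } catch {
        Write-Verbose "$Namespace\$ClassName not available: $($_.Exception.Message)"
    }
}

function Get-InventorySecurityFindings {
    # Returns one object per finding, tagged with the inventory class it came from.
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string] $Class, [string] $Detail) {
        $findings.Add([pscustomobject]@{ Class = $Class; Detail = $Detail })
    }

    # TPM, from the root\CIMv2\Security\MicrosoftTpm namespace listed above.
    $tpm = Get-InventoryClassSafely -Namespace 'root\CIMv2\Security\MicrosoftTpm' -ClassName 'Win32_Tpm'
    if (-not $tpm) {
        Add-Finding 'Win32_Tpm' 'No TPM instance reported; BitLocker and attestation have no hardware root'
    } elseif (-not ($tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue -and $tpm.IsOwned_InitialValue)) {
        $state = 'Enabled={0} Activated={1} Owned={2}' -f $tpm.IsEnabled_InitialValue, $tpm.IsActivated_InitialValue, $tpm.IsOwned_InitialValue
        Add-Finding 'Win32_Tpm' "TPM present but not fully provisioned: $state"
    }

    # Shares: Win32_Share.Type is 2147483648 or higher for the administrative shares
    # (C$, ADMIN$, IPC$); lower values are shares somebody created deliberately.
    foreach ($share in (Get-InventoryClassSafely -Namespace 'root\cimv2' -ClassName 'Win32_Share')) {
        if ($share.Type -lt 2147483648) {
            Add-Finding 'Win32_Share' "Non-administrative share '$($share.Name)' -> '$($share.Path)'"
        }
    }

    # Services: a StartName outside the built-in service accounts, or an unquoted PathName
    # with a space before a directory separator (the classic unquoted-service-path finding).
    $builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    foreach ($svc in (Get-InventoryClassSafely -Namespace 'root\cimv2' -ClassName 'Win32_Service')) {
        if ($svc.StartName -and ($builtIn -notcontains $svc.StartName) -and ($svc.StartName -notlike 'NT SERVICE\*')) {
            Add-Finding 'Win32_Service' "Service '$($svc.Name)' runs as '$($svc.StartName)'"
        }
        if ($svc.PathName -and ($svc.PathName -notmatch '^"') -and ($svc.PathName -match '^[^"]*\s[^"]*\\')) {
            Add-Finding 'Win32_Service' "Unquoted path for service '$($svc.Name)': $($svc.PathName)"
        }
    }

    # Windows Update policy as the Configuration Manager client maps it from the registry.
    $wu = Get-InventoryClassSafely -Namespace 'root\cimv2' -ClassName 'Win32Reg_SMSWindowsUpdate'
    if ($wu -and $wu.NoAutoUpdate -eq 1) {
        Add-Finding 'Win32Reg_SMSWindowsUpdate' 'Automatic updates are disabled by policy (NoAutoUpdate=1)'
    }

    return $findings
}

Get-InventorySecurityFindings | Format-Table -AutoSize
```

Run it on a client before and after changing the hardware inventory classes in client settings: what the script sees is what the inventory cycle will ship to the management point, which makes it a quick way to confirm that a newly enabled class (for example Win32_Tpm) actually returns data on the device type in question.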
Security and privacy for hardware inventory in Configuration Manager
Article • 10/04/2022
This topic contains security and privacy information for hardware inventory in
Configuration Manager.
Sign and encrypt inventory data
When clients communicate with management points by using HTTPS, all data that they send is encrypted in transit by TLS. However, when client computers use HTTP to communicate with management points on the intranet, client inventory data and collected files can be sent unsigned and unencrypted. Make sure that the site is configured to require signing and to use encryption. In addition, if clients can support the SHA-256 algorithm, select the option to require SHA-256.
Do not collect IDMIF and NOIDMIF files in high-security environments
You can use IDMIF and NOIDMIF file collection to extend hardware inventory collection. When necessary, Configuration Manager creates new tables or modifies existing tables in the site database to accommodate the properties in IDMIF and NOIDMIF files. However, Configuration Manager does not validate IDMIF and NOIDMIF files, so these files could be used to alter tables that you do not want altered, and valid data could be overwritten by invalid data. In addition, large amounts of data could be added, and processing that data might delay all Configuration Manager functions. To mitigate these risks, configure the hardware inventory client setting Collect MIF files as None.
Send invalid data, which will be accepted by the management point even when the
software inventory client setting is disabled and file collection is not enabled.
Send excessively large amounts of data in a single file and in lots of files, which
might cause a denial of service.
Because a user with local administrative privileges can send any information as
inventory data, do not consider inventory data that is collected by Configuration
Manager to be authoritative.
Hardware inventory is enabled by default as a client setting and the WMI information
collected is determined by options that you select. Software inventory is enabled by
default but files are not collected by default. Asset Intelligence data collection is
automatically enabled, although you can select the hardware inventory reporting classes
to enable.
Before you configure hardware inventory, software inventory, file collection, or Asset
Intelligence data collection, consider your privacy requirements.
Introduction to software inventory in Configuration Manager
Article • 10/04/2022
Use software inventory to collect information about files on client devices. Software
inventory can also collect files from client devices and store them on the site server.
Software inventory is collected when you select the Enable software inventory on
clients setting in client settings. You can also schedule the operation in client settings.
After you enable software inventory and the clients run a software inventory cycle, the
client sends the information to a management point in the client's site. The
management point then forwards the inventory information to the Configuration
Manager site server, which stores the information in the site database.
Use Resource Explorer to examine detailed information about the files that were
inventoried and collected from client devices.
When software inventory runs on a client device, the first report is a full inventory.
Subsequent reports contain only delta inventory information. The site server processes
delta information in the order received. If delta information for a client is missing, the
site server rejects further delta information and directs the client to run a full inventory.
Configuration Manager can discover dual-boot computers but only returns inventory
information from the operating system that's active at the time of inventory.
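The full-then-delta behaviour described above has an operational corollary: when an administrator wants a fresh baseline (after an incident, or when a client's delta chain is suspected to be out of step with the site) it is better to force the full report deliberately than to wait for the site to reject a delta and demand one. The following PowerShell is an added example, not code from the Configuration Manager documentation. It assumes an elevated session on a device with the Configuration Manager client installed, and that the inventory schedule IDs ({00000000-0000-0000-0000-000000000001} for hardware, {00000000-0000-0000-0000-000000000002} for software) are the client's well-known ones; those IDs and the InventoryActionStatus class come from common administrative practice, not from this page.

```powershell
# Added example, not from the Configuration Manager documentation: force the next
# inventory report on the local client to be a full report rather than a delta.
# Assumes an elevated session on a device with the Configuration Manager client.
# The schedule IDs are the client's well-known inventory schedule IDs (assumed here).

function Invoke-FullInventory {
    param(
        [Parameter(Mandatory)] [ValidateSet('Hardware', 'Software')] [string] $Kind
    )
    $scheduleId = switch ($Kind) {
        'Hardware' { '{00000000-0000-0000-0000-000000000001}' }
        'Software' { '{00000000-0000-0000-0000-000000000002}' }
    }

    # The client records the last report it sent for each inventory action in
    # root\ccm\invagt:InventoryActionStatus. Removing that record makes the next cycle
    # a full report, which is what the site would demand after a missing delta, except
    # that here it happens on the administrator's schedule.
    Get-CimInstance -Namespace 'root\ccm\invagt' -ClassName 'InventoryActionStatus' -ErrorAction Stop |
        Where-Object { $_.InventoryActionID -eq $scheduleId } |
        Remove-CimInstance

    # Trigger the cycle through the client's SMS_Client class; progress is logged
    # by the agent in InventoryAgent.log on the client.
    Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
        -Arguments @{ sScheduleID = $scheduleId } -ErrorAction Stop | Out-Null

    return "Full $Kind inventory requested (schedule $scheduleId)"
}

Invoke-FullInventory -Kind Software
```

Triggering the schedule without first deleting the InventoryActionStatus record only produces a delta, which is why the two steps go together.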
How to configure software inventory in Configuration Manager
Article • 10/04/2022
This procedure configures the default client settings for software inventory and applies
to all the computers in your hierarchy. If you want to apply these settings to only some
computers, create a custom device client setting and assign it to a collection. For more
information about how to create custom device settings, see How to configure client
settings.
Enable software inventory on clients - From the drop-down list, select True.
5. Configure the client settings that you require. The Software inventory section of
the About client settings article has a list of the client settings.
Client computers will be configured with these settings when they next download
client policy. To initiate policy retrieval for a single client, see How to manage
clients.
Tip
A possible solution for this error is to reduce the scope of the software inventory collection. If the error still occurs after limiting the inventory scope, increasing the MemoryPerHost property of the WMI __ProviderHostQuotaConfiguration class (in the root namespace) can resolve it.
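The quota change the tip describes can be scripted rather than edited by hand in wbemtest. The following PowerShell is an added example, not code from the Configuration Manager documentation. It assumes an elevated session; the 1 GB value and the 8 GB ceiling are this example's choices. The new quota takes effect when the WMI service (Winmgmt) is restarted or the device reboots, which the script deliberately leaves to the administrator.

```powershell
# Added example, not from the Configuration Manager documentation: inspect and raise the
# WMI provider host memory quota referred to in the tip above. Assumes an elevated session.
# The value chosen below and the ceiling in ValidateRange are this example's choices.

function Set-WmiProviderMemoryQuota {
    param(
        [Parameter(Mandatory)] [ValidateRange(64, 8192)] [int] $MegabytesPerHost
    )
    # The quota lives in the root namespace; MemoryPerHost and MemoryAllHosts are in bytes.
    $quota = Get-CimInstance -Namespace 'root' -ClassName '__ProviderHostQuotaConfiguration' -ErrorAction Stop
    $beforeBytes = [uint64]$quota.MemoryPerHost
    $afterBytes  = [uint64]$MegabytesPerHost * 1MB

    # Keep the per-host quota below the all-hosts quota, otherwise the raise is meaningless.
    if ($afterBytes -ge [uint64]$quota.MemoryAllHosts) {
        throw "MemoryPerHost ($MegabytesPerHost MB) must stay below MemoryAllHosts ($([uint64]$quota.MemoryAllHosts / 1MB) MB)"
    }

    Set-CimInstance -InputObject $quota -Property @{ MemoryPerHost = $afterBytes } -ErrorAction Stop

    [pscustomobject]@{
        MemoryPerHostBeforeMB = $beforeBytes / 1MB
        MemoryPerHostAfterMB  = $afterBytes / 1MB
        MemoryAllHostsMB      = [uint64]$quota.MemoryAllHosts / 1MB
        AppliesAfter          = 'Restart-Service winmgmt (or reboot)'
    }
}

Set-WmiProviderMemoryQuota -MegabytesPerHost 1024
```

Treat the raise as a workaround rather than a fix: a provider host that needs more than the default quota is usually being asked to walk an inventory scope (for example every file on every fixed drive) that should be narrowed first, as the tip says.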
2. Right-click the Skpswi.dat file and click Properties. In the file properties for the
Skpswi.dat file, select the Hidden attribute.
3. Place the Skpswi.dat file at the root of each client hard drive or folder structure
that you want to exclude from software inventory.
Note
Software inventory will not inventory the client drive again unless this file is deleted
from the drive on the client computer.
How to use Resource Explorer to view software inventory in Configuration Manager
Article • 10/04/2022
Note
Resource Explorer will not display any inventory data until a software inventory
cycle has run on the client.
Software:
File Details - Files that were inventoried during software inventory that are not
associated with a specific product or manufacturer.
Last Software Scan - Date and time of the last software inventory and file
collection for the client computer.
2. In the Assets and Compliance workspace, choose Devices or open any collection
that displays devices.
3. Choose the computer containing the inventory that you want to view and then, in
the Home tab > Devices group, choose Start > Resource Explorer.
4. You can right-click any item in the right-pane of the Resource Explorer window and
choose Properties to view the collected inventory information in a more readable
format.
1. From the Devices node, right-click on the device you want to view logs for.
2. Select Start, then Resource Explorer.
3. From Resource Explorer, click on Diagnostic Files.
4. In the Diagnostic Files list, you can see the collection date for the files. The name
format of the client logs is Support_<guid>.zip .
5. Right-click on the zip file and select one of the following options:
Next steps
Use Support Center to view collected diagnostic files.
Security and privacy for software inventory in Configuration Manager
Article • 10/04/2022
This topic contains security and privacy information for software inventory in
Configuration Manager.
Sign and encrypt inventory data
When clients communicate with management points by using HTTPS, all data that they send is encrypted in transit by TLS. However, when client computers use HTTP to communicate with management points on the intranet, client inventory data and collected files can be sent unsigned and unencrypted. Make sure that the site is configured to require signing and to use encryption. In addition, if clients can support the SHA-256 algorithm, select the option to require SHA-256.
Do not use file collection to collect critical files or sensitive information
Configuration Manager software inventory runs with all the rights of the LocalSystem account, which is able to collect copies of critical system files, such as the registry or the security account database. When these files are available at the site server, someone with the Read Resource right or NTFS rights to the stored file location could analyze their contents and possibly discern details about the client that help compromise its security.
Restrict local administrative rights on client computers
A user with local administrative rights can send invalid data as inventory information.
Send excessively large amounts of data in a single file and in lots of files, which
might cause a denial of service.
If users know that they can create a hidden file named Skpswi.dat and place it in
the root of a client hard drive to exclude it from software inventory, you will not be
able to collect software inventory data from that computer.
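The Skpswi.dat marker cuts both ways: the procedure earlier on this page uses it to exclude a drive or folder on purpose, and the paragraph above notes that a user can plant it to evade inventory. The following PowerShell is an added example, not code from the Configuration Manager documentation, and serves both passages: one function creates the hidden marker the way the procedure describes, the other walks every fixed drive and reports every Skpswi.dat it finds, with the file's owner, so unapproved markers stand out. It assumes an elevated session on a Windows device; the folder used in the usage lines at the end is hypothetical, and Win32_LogicalDisk (not one of the inventory classes on this page) is used only to enumerate fixed drives.

```powershell
# Added example, not from the Configuration Manager documentation. Creates the Skpswi.dat
# exclusion marker as the procedure above describes, and audits fixed drives for markers
# that nobody approved. Assumes an elevated session; the folder below is hypothetical.

function New-SoftwareInventoryExclusion {
    # Places an empty, hidden Skpswi.dat at the root of the drive or folder to exclude.
    param([Parameter(Mandatory)] [string] $Root)
    $marker = Join-Path -Path $Root -ChildPath 'Skpswi.dat'
    if (-not (Test-Path -LiteralPath $marker)) {
        New-Item -Path $marker -ItemType File -Force | Out-Null
    }
    $item = Get-Item -LiteralPath $marker -Force
    $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::Hidden
    return $item
}

function Find-SoftwareInventoryExclusion {
    # Reports every Skpswi.dat on every fixed drive, hidden or not, with its owner and
    # creation time, and marks whether its folder is on the approved list.
    param([string[]] $Approved = @())
    $drives = Get-CimInstance -Namespace 'root\cimv2' -ClassName 'Win32_LogicalDisk' -Filter 'DriveType = 3'
    foreach ($drive in $drives) {
        $root = $drive.DeviceID + '\'
        Get-ChildItem -Path $root -Filter 'Skpswi.dat' -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $owner = try { (Get-Acl -LiteralPath $_.FullName).Owner } catch { 'unknown' }
                [pscustomobject]@{
                    Path     = $_.FullName
                    Hidden   = [bool]($_.Attributes -band [System.IO.FileAttributes]::Hidden)
                    Owner    = $owner
                    Created  = $_.CreationTime
                    Approved = $Approved -contains $_.DirectoryName
                }
            }
    }
}

# Usage: exclude a build cache on purpose (hypothetical folder), then audit the machine
# and show only the markers that are not on the approved list.
$cache = Join-Path -Path $env:SystemDrive -ChildPath 'BuildCache'
New-SoftwareInventoryExclusion -Root $cache | Out-Null
Find-SoftwareInventoryExclusion -Approved @($cache) |
    Where-Object { -not $_.Approved } |
    Format-Table -AutoSize
```

A marker at a drive root owned by an ordinary user account, rather than by the administrators group or a deployment account, is the case the security note above is warning about. The audit is a full recursive walk of each fixed drive, so schedule it rather than running it interactively on large file servers.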
Because a user with local administrative privileges can send any information as
inventory data, do not consider inventory data that is collected by Configuration
Manager to be authoritative.
Hardware inventory is enabled by default as a client setting and the WMI information
collected is determined by options that you select. Software inventory is enabled by
default but files are not collected by default. Asset Intelligence data collection is
automatically enabled, although you can select the hardware inventory reporting classes
to enable.
Before you configure hardware inventory, software inventory, file collection, or Asset
Intelligence data collection, consider your privacy requirements.
Introduction to asset intelligence in Configuration Manager
Article • 10/04/2022
Important
Inventory and manage software license usage throughout your enterprise by using the
asset intelligence catalog. Asset intelligence adds hardware inventory classes to improve
the breadth of information that Configuration Manager collects. This information
includes the hardware and software titles used in your environment. Over 60 reports
present this information in an easy-to-use format. Many of these reports link to more
specific reports. Query for general information and drill down to more detailed
information.
Add custom information to the asset intelligence catalog. For example, custom software
categories, software families, software labels, and hardware requirements. To
dynamically update the asset intelligence catalog with the most current information
available, connect it to the Microsoft Cloud.
Use asset intelligence to help reconcile your enterprise software license usage. Import
software license information into the Configuration Manager site database to view it
against what software is being used.
Asset intelligence provides software license information for software titles that are in use, for both Microsoft and non-Microsoft software. A predefined set of hardware
requirements for software titles is available in the asset intelligence catalog, and you can
create new user-defined hardware requirement information to meet custom
requirements. You can also customize information in the asset intelligence catalog, and
you can upload software title information to the Microsoft cloud for categorization.
Asset intelligence catalog updates that include newly released software are available for
download periodically to perform bulk catalog updates. It can also be dynamically
updated by using the asset intelligence synchronization point.
Software categories
Asset intelligence software categories are used to widely categorize inventoried
software titles and as high-level groupings of more specific software families. For
example, a software category could be energy companies, and a software family within
that software category could be oil and gas or hydroelectric. Many software categories
are predefined in the asset intelligence catalog. You can create user-defined categories
to additionally define inventoried software. The validation state for all predefined
software categories is always Validated. Custom software category information added to
the asset intelligence catalog is User Defined.
For more information about how to manage software categories, see Configuring asset
intelligence.
Software families
Asset intelligence software families are used to define inventoried software titles within
software categories. Many software families are predefined in the asset intelligence
catalog. You can create user-defined families to further define inventoried software. The validation state for all predefined software families is always Validated. Custom software family information added to the asset intelligence catalog is User Defined.
For more information about how to manage software families, see Configuring asset
intelligence.
Note
Predefined software family information is read-only and can't be changed.
Administrative users can add, modify, or delete user-defined software families.
Software labels
Asset intelligence custom software labels let you create filters to group software titles
and to view them in asset intelligence reports. Use software labels to create user-
defined groups of software titles that share a common attribute. For example, you could
create a software label called Shareware, associate it with inventoried shareware titles,
and run a report to display all software titles with that label. There are no predefined
labels. The validation state for software labels is always User Defined.
For more information about how to manage software labels, see Configuring asset
intelligence.
Hardware requirements
Use the hardware requirements information to verify that computers meet the hardware
requirements for software titles before they're targeted for software deployments.
Manage hardware requirements for software titles in the Assets and Compliance
workspace in the Hardware Requirements node under the Asset Intelligence node.
Many hardware requirements are predefined in the asset intelligence catalog. Create
new user-defined hardware requirement information to meet custom requirements. The
validation state for all predefined hardware requirements is always Validated. User-
defined hardware requirements information added to the asset intelligence catalog is
User Defined.
For more information about how to manage hardware requirements, see Configuring
asset intelligence.
Note
You can create user-defined hardware requirements for inventoried software that
doesn't have associated hardware requirements.
By default, the following information is displayed for each listed hardware requirement:
Software Title: The software title associated with the hardware requirement
Minimum RAM (KB): The minimum RAM in kilobytes (KB) required by the software
title
Minimum Disk Space (KB): The minimum free hard disk space in KB required by
the software title
Minimum Disk Size (KB): The minimum hard disk size in KB required by the
software title
Predefined hardware requirements stored in the asset intelligence catalog are read-only
and can't be deleted. Administrative users can add, modify, or delete user-defined
hardware requirements for software titles that aren't stored in the asset intelligence
catalog.
Note
The hardware inventory agent collects inventory based on the asset intelligence
hardware inventory reporting classes that you enable. For more information about
how to enable the reporting classes, see Configuring asset intelligence.
By default, the following information is displayed for each inventoried software title:
Vendor: The name of the vendor that developed the inventoried software title
Version: The product version of the inventoried software title
Family: The software family that's currently assigned to the inventoried software
title
Label [1, 2, and 3]: The custom labels associated with the software title. Inventoried
software titles can have up to three custom labels associated with them.
Count: The number of Configuration Manager clients that have inventoried the
software title
Note
You can change the categorization information for inventoried software only at the
top-level site in your hierarchy. This information includes product name, vendor,
software category, and software family. After you modify the categorization
information for predefined software, the validation state for the software changes
from Validated to User Defined.
While you configure all updates at the top-level site, catalog information is replicated to other sites in the hierarchy. The asset intelligence synchronization point site system role lets you request on-demand catalog synchronization with Microsoft, or schedule automatic catalog synchronization. In addition to downloading new catalog information, the asset intelligence synchronization point can upload custom software title information to Microsoft for categorization.
Microsoft treats all uploaded software titles as public information. Make sure that your
custom software titles don't include confidential or proprietary information.
After you submit an uncategorized software title, Microsoft doesn't review it until there
are at least four categorization requests from customers for the same software title.
Then Microsoft researchers identify, categorize, and make the software title
categorization information available to all customers who are using the online service.
Software titles that represent the most requests for categorization receive the highest
priority to categorize. Custom software and line-of-business applications are unlikely to
receive a category. Don't send these software titles to Microsoft for categorization.
Note
The Asset Intelligence home page doesn't automatically update while you're
viewing it.
Note
The home page only displays this section when you install an asset intelligence synchronization point.
Synchronization schedule
Catalog changes: The number of changes after you installed the asset intelligence synchronization point
Inventoried Software Status: The count and percentage of inventoried software, software categories, and software families that are identified by Microsoft, identified by an administrator, pending online identification, or unidentified and not pending. The table shows the count for each, and the chart shows the percentage for each.
Note
The accuracy of the quantity of installed software titles and license information
displayed in asset intelligence reports might vary from the actual number of
software titles installed or licenses that are used in the environment. This variation
is because of the complex dependencies and limitations involved in inventorying
software license information for software titles that are installed in enterprise
environments. Don't use asset intelligence reports as the sole source for
determining purchased software license compliance.
Hardware reports
Asset intelligence hardware reports provide information about hardware assets in the
organization. By using hardware inventory information such as speed, memory, and
peripheral devices, asset intelligence hardware reports can present information about
USB devices, about hardware that must be upgraded, and even about computers that
aren't ready for a specific software upgrade.
Note
Some user data in asset intelligence hardware reports is collected from the Windows Security event log. For better report accuracy, clear this log when you reassign a computer to a new user. Clearing the Security log also discards audit evidence, so archive or forward the log (for example, with event forwarding) before you clear it.
Software reports
Asset intelligence software reports provide information about software families,
categories, and specific software titles that are installed on computers in the
organization. The software reports present information such as browser helper objects
and software that starts automatically. These reports can be used to identify adware,
spyware, and other malware. You can also use them to identify software redundancy to
help streamline software acquisition and support.
- Software 14A - Search for software identification tag enabled software: The count of installed software with a software identification tag enabled
Reporting limitations
Asset intelligence reports can provide large amounts of information about installed
software titles and acquired software licenses that are being used. Don't use this
information as the only source for determining acquired software license compliance.
Example dependencies
The accuracy of the quantity displayed in the asset intelligence reports for installed
software titles and license information can vary from the actual amounts currently used.
This variation is caused by the complex dependencies involved in inventorying software
license information for software titles in use in enterprise environments. The following example shows one such dependency that might affect the accuracy of asset intelligence reports: an inventoried licensed software title might be uninstalled after the client finishes a successful hardware inventory cycle. Asset intelligence reports display the software title as installed until the client's next scheduled hardware inventory reporting cycle.
Legal limitations
The information displayed in asset intelligence reports is subject to many limitations.
The information displayed in them doesn't represent legal, accounting, or other
professional advice. The information provided by asset intelligence reports is for
information only. Don't use it as the only source of information for determining software
license usage compliance.
The following limitations are examples of using asset intelligence that might affect the
accuracy of the reports:
Software licenses acquired in the last 45 days might not be included in the
quantity of Microsoft software licenses reported because of software reseller
reporting requirements and schedules.
State: User Defined
Definition: Microsoft researchers haven't defined the catalog item.
Administrator action: Customize the local catalog.
Comment: This state is displayed in asset intelligence reports.

State: Updateable
Definition: A user-defined catalog item has been categorized differently by Microsoft during catalog synchronization.
Administrator action: Use the Resolve Conflict action to decide whether to use the new categorization information or the previous user-defined value. For more information about how to resolve conflicts, see Operations for asset intelligence.
Comment: After you resolve a categorization conflict, the item isn't validated as conflicting again unless later categorization updates introduce new information about the item.
Note
Catalog items that you submit to Microsoft for categorization have a validation
state of Pending on a central administration site, but continue to be displayed with
a validation state of Uncategorized on child primary sites.
For examples of when a validation state might transition from one state to another, see
Example validation state transitions for asset intelligence.
Prerequisites for Asset Intelligence in
Configuration Manager
Article • 10/04/2022
Auditing of Success Logon Events: Four Asset Intelligence reports display information gathered from the Windows Security event logs on client computers. If the Security event log settings are not configured to log all Success logon events, these reports contain no data even if the appropriate hardware inventory reporting class is enabled.
The following Asset Intelligence reports depend on collected Windows Security event log information:
Client Agent Prerequisites: The Asset Intelligence reports depend on client information that is obtained through client hardware and software inventory reports. To obtain the information necessary for all Asset Intelligence reports, the following client agents must be enabled:
Hardware Inventory Client Agent Dependencies: To collect inventory data required for some Asset Intelligence reports, the Hardware Inventory Client Agent must be enabled. In addition, some hardware inventory reporting classes that Asset Intelligence reports depend on must be enabled on primary site server computers.
For information about enabling the Hardware Inventory Client Agent, see How to extend hardware inventory.
The following Asset Intelligence reports depend on the Software Metering Client Agent to provide data:
The Asset Intelligence hardware inventory reporting classes are:
- SMS_SystemConsoleUsage1
- SMS_SystemConsoleUser1
- SMS_InstalledSoftware
- SMS_AutoStartSoftware
- SMS_BrowserHelperObject
- Win32_USBDevice
- SMS_InstalledExecutable
- SMS_SoftwareShortcut
- SoftwareLicensingService
- SoftwareLicensingProduct
- SMS_SoftwareTag
You can edit the Asset Intelligence hardware inventory reporting classes in the
Configuration Manager console, in the Assets and Compliance workspace, when
you click the Asset Intelligence node. For more information, see the Enable Asset
Intelligence hardware inventory reporting classes section in the Configuring
Asset Intelligence topic.
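Before enabling a reporting class it helps to know whether the class it reads from actually yields anything on your clients. The following PowerShell is an added example, not code from the Configuration Manager documentation: on a client it queries each class behind the reporting classes listed above and reports the instance count. It assumes that the SMS_* classes live in the root\cimv2\sms namespace on a computer with the Configuration Manager client installed, that the other classes are standard root\cimv2 classes, and that the trailing "1" in the reporting-class names above is not part of the client-side class name; adjust the namespace map if your clients differ.

```powershell
# Added example (not from the Configuration Manager documentation): query, on a client,
# each class that the Asset Intelligence hardware inventory reporting classes draw from,
# and report how many instances it returns. A class that returns no instances leaves the
# corresponding reports empty even when the reporting class is enabled.
# Assumptions: SMS_* inventory classes are in root\cimv2\sms on a client that has the
# Configuration Manager client installed; the rest are standard root\cimv2 classes; the
# client-side class names carry no trailing "1".
function Test-AssetIntelligenceClasses {
    [CmdletBinding()]
    param(
        [string[]]$ClassName = @(
            'SMS_SystemConsoleUsage', 'SMS_SystemConsoleUser', 'SMS_InstalledSoftware',
            'SMS_AutoStartSoftware', 'SMS_BrowserHelperObject', 'Win32_USBDevice',
            'SMS_InstalledExecutable', 'SMS_SoftwareShortcut', 'SoftwareLicensingService',
            'SoftwareLicensingProduct', 'SMS_SoftwareTag'
        )
    )

    foreach ($class in $ClassName) {
        # Classes with an SMS_ prefix come from the inventory provider; the rest are Windows classes.
        $namespace = if ($class -like 'SMS_*') { 'root\cimv2\sms' } else { 'root\cimv2' }
        try {
            $instances = @(Get-CimInstance -Namespace $namespace -ClassName $class -ErrorAction Stop)
            [pscustomobject]@{ Class = $class; Namespace = $namespace; Instances = $instances.Count; Status = 'OK' }
        }
        catch {
            # The class is absent from this namespace (no Configuration Manager client, or the
            # provider is not installed) or access was denied; report the reason instead of stopping.
            [pscustomobject]@{ Class = $class; Namespace = $namespace; Instances = 0; Status = $_.Exception.Message }
        }
    }
}

# Usage: run in an elevated session on a managed client.
Test-AssetIntelligenceClasses | Format-Table -AutoSize
```

A row with Status other than OK, or with zero instances for a class you rely on (for example SMS_SystemConsoleUsage for the user reports), tells you why a report is empty before you start troubleshooting the site.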
Reporting services point: The reporting services point site system role must be installed before Asset Intelligence reports can be displayed. For more information about creating a reporting services point, see Configuring reporting.
Configure Asset Intelligence in
Configuration Manager
Article • 10/04/2022
1. In the Configuration Manager console, choose Asset and Compliance > Asset
Intelligence.
2. On the Home tab, in the Asset Intelligence group, choose Edit Inventory Classes.
Asset Intelligence reports that depend on the hardware inventory classes that
you enable by using this procedure do not display data until clients have
scanned for and returned hardware inventory.
1. In the Configuration Manager console, choose Administration > Client Settings >
Default Client Agent Settings. If you have created custom client settings, you can
select those instead.
4. Choose Filter by category > Asset Intelligence Reporting Classes. The list of
classes is refreshed with only the Asset Intelligence hardware inventory reporting
classes.
Note
Asset Intelligence reports that depend on the hardware inventory classes that
you enable by using this procedure do not display data until clients have
scanned for and returned hardware inventory.
2. Add the Asset Intelligence synchronization point site system role to a new or
existing site system server:
For a New site system server: On the Home tab, in the Create group, choose
Create Site System Server to start the wizard.
For an Existing site system server: Choose the server on which you want to
install the Asset Intelligence synchronization point site system role. When you
choose a server, a list of the site system roles that are already installed on the
server are displayed in the details pane.
On the Home tab, in the Server group, choose Add Site System Role to start
the wizard.
3. Complete the General page. When you add the Asset Intelligence synchronization
point to an existing site system server, verify the values that were previously
configured.
6. Optionally, you can specify a path to the System Center Online authentication
certificate (.pfx) file. Typically, you do not specify a path for the certificate because
the connection certificate is automatically provisioned during site role installation.
7. On the Proxy Server Settings page, specify whether the Asset Intelligence
synchronization point will use a proxy server when connecting to System Center
Online to synchronize the catalog and whether to use credentials to connect to the
proxy server.
2. In the Local Security Policy dialog box, under Security Settings, expand Local
Policies, and then choose Audit Policy.
3. In the results pane, double-click Audit logon events, ensure that the Success check
box is selected, and then choose OK.
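The same setting can be applied and, more importantly, verified from the command line. The following PowerShell is an added example, not code from the Configuration Manager documentation: it enables Success auditing for the Logon subcategory with auditpol.exe, reads the effective policy back, and then checks that the Security log is actually receiving logon events, which is what the user-related Asset Intelligence reports read. It assumes an elevated session and that no domain Group Policy overrides the local audit policy; if one does, set the same value in that GPO instead. The function names are chosen here.

```powershell
# Added example (not from the Configuration Manager documentation): enable Success
# auditing for logon events with auditpol.exe and confirm that the Security log is
# receiving logon records. Run in an elevated session.
# Assumption: the local audit policy is not overridden by a domain GPO.
function Enable-LogonSuccessAuditing {
    [CmdletBinding()]
    param()

    # The legacy "Audit logon events" setting maps to the Logon/Logoff category;
    # "Logon" is the subcategory that produces event ID 4624 on success.
    & auditpol.exe /set /subcategory:"Logon" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

    # Read the effective setting back rather than trusting the set call.
    # /r emits CSV with a "Subcategory" and an "Inclusion Setting" column.
    $effective = & auditpol.exe /get /subcategory:"Logon" /r | ConvertFrom-Csv
    return $effective
}

function Get-RecentLogonSuccessEvents {
    [CmdletBinding()]
    param([int]$MaxEvents = 10)

    # 4624 = "An account was successfully logged on". No events at all usually
    # means auditing was off or the log was cleared.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ Name = 'Account'; Expression = { $_.Properties[5].Value } }
}

# Usage: the first call should show "Success" (or "Success and Failure") for Logon;
# the second should list recent 4624 events once users have signed in.
Enable-LogonSuccessAuditing | Select-Object Subcategory, 'Inclusion Setting'
Get-RecentLogonSuccessEvents
```

Property index 5 of a 4624 event is the TargetUserName field; if the reports still show no user data after this returns events, the hardware inventory reporting class for console usage is the next thing to check.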
Important
When software license information is imported into the site database, existing
software license information is overwritten. Ensure that the software license
information file that you use with the Import Software License Wizard contains a
complete listing of all necessary software license information.
3. On the Import page, specify whether you are importing a Microsoft Volume
Licensing (MVLS) file (.xml or .csv) or a General License Statement file (.csv). For
more information about creating a General License Statement file, see Create a
general license statement information file for import later in this topic.
Warning
To download an MVLS file in .csv format that you can import to the Asset
Intelligence catalog, see Microsoft Volume Licensing Service Center . To
access this information, you must have a registered account on the website.
You must contact your Microsoft account representative for information about
how to get your MVLS file in .xml format.
4. Enter the UNC path to the license statement file or choose Browse to select a
network shared folder and file.
Note
While only the Name, Publisher, Version, and EffectiveQuantity fields are required
to contain data, all fields must be entered on the first row of the license import file.
All date fields should be displayed in the following format: Month/Day/Year, for
example, 08/04/2008.
Asset Intelligence matches the products that you specify in the general license
statement by using the product name and product version, but not publisher name. You
must use a product name in the general license statement that is an exact match with
the product name stored in the site database. Asset Intelligence takes the
EffectiveQuantity number given in the general license statement and compares the
number with the number of installed products found in Configuration Manager
inventory.
Tip
To get a complete list of the product names stored in the Configuration Manager site database, you can run the following query on the site database:
SELECT DISTINCT ProductName0 FROM v_GS_INSTALLED_SOFTWARE
You can specify exact versions for a product or specify part of the version, such as only the major version. The following examples show the resulting version matches for a general license statement version entry for a specific product.

General license statement entry: Name "MySoftware", Version "2"
Resulting matches: ProductName0: "MySoftware", ProductVersion0: "2.02.5678"; ProductName0: "MySoftware", ProductVersion0: "2.05.5678"

General license statement entry: Name "MySoftware", Version "2.05"
Resulting match: ProductName0: "MySoftware", ProductVersion0: "2.05.5678"

General license statement entries: Name "MySoftware", Version "2" and Name "MySoftware", Version "2.05"
Result: Error during import. The import fails when more than one entry matches the same product version.
To create a general license statement import file by using
Microsoft Excel
2. On the first row of the new spreadsheet, enter all software license data field names.
3. On the second and subsequent rows of the new spreadsheet, enter software
license information as required. Ensure that at least all of the required software
license data fields are entered on subsequent rows for each software license to be
imported. The software title name entered in the spreadsheet must be the same as
the software title that is displayed in Resource Explorer for a client computer after
hardware inventory has run.
5. Copy the .csv file to the file share that is used to import software license
information into the Asset Intelligence catalog.
6. In the Configuration Manager console, use the Import Software License Wizard to
import the newly created .csv file.
7. Run the Asset Intelligence License 15A - Third Party Software Reconciliation
Report to verify that the licensing information has been successfully imported into
the Asset Intelligence catalog.
Note
For an example of a general software license file that you can use for testing
purposes, see Example Asset Intelligence general license import file.
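The version-matching rule and the "more than one entry matches the same product version" failure are easier to reason about with a dry run before you touch the import share. The following PowerShell is an added example, not code from the Configuration Manager documentation: it builds a general license statement with the four required fields, checks it against constructed inventory rows shaped like v_GS_INSTALLED_SOFTWARE, and only writes the .csv when no two entries claim the same product version. It assumes the matching rule can be modelled as a case-insensitive exact match on product name plus a match of the statement version against the leading dot-separated components of ProductVersion0 (the documentation does not state the rule that precisely); the inventory rows are constructed sample data, not output from a real site database, the file is written to the temp folder rather than the import share, and only the four required columns are included (the documentation's example import file lists the remaining column names, which the wizard expects on the first row).

```powershell
# Added example (not from the Configuration Manager documentation): dry-run the general
# license statement matching rule, then write the .csv only if it would import cleanly.
# Assumptions: case-insensitive exact match on Name; Version matches leading
# dot-separated components of ProductVersion0; sample inventory below is constructed.
function Test-VersionMatch {
    param([string]$StatementVersion, [string]$InventoryVersion)
    # "2" matches "2.02.5678" and "2.05.5678"; "2.05" matches "2.05.5678" only;
    # "2.0" does not match "2.02.5678" because "0" is not a whole component.
    $want = $StatementVersion.Split('.')
    $have = $InventoryVersion.Split('.')
    if ($want.Count -gt $have.Count) { return $false }
    for ($i = 0; $i -lt $want.Count; $i++) {
        if ($want[$i] -ne $have[$i]) { return $false }
    }
    return $true
}

function Test-LicenseStatement {
    param([object[]]$Statement, [object[]]$Inventory)
    # For every distinct inventoried product/version, count the statement entries that
    # claim it. More than one claimant is the condition the import wizard rejects.
    # Publisher is deliberately ignored: the wizard matches on name and version only.
    $problems = @()
    $distinct = $Inventory | Sort-Object ProductName0, ProductVersion0 -Unique
    foreach ($row in $distinct) {
        $claimants = @($Statement | Where-Object {
            $_.Name -eq $row.ProductName0 -and (Test-VersionMatch $_.Version $row.ProductVersion0)
        })
        if ($claimants.Count -gt 1) {
            $problems += "$($row.ProductName0) $($row.ProductVersion0) is matched by " +
                         (($claimants | ForEach-Object { "Version '$($_.Version)'" }) -join ' and ')
        }
    }
    return $problems
}

# Constructed sample inventory, shaped like v_GS_INSTALLED_SOFTWARE rows.
$inventory = @(
    [pscustomobject]@{ ProductName0 = 'MySoftware'; ProductVersion0 = '2.02.5678'; ResourceID = 1001 },
    [pscustomobject]@{ ProductName0 = 'MySoftware'; ProductVersion0 = '2.05.5678'; ResourceID = 1002 },
    [pscustomobject]@{ ProductName0 = 'MySoftware'; ProductVersion0 = '2.05.5678'; ResourceID = 1003 }
)

# Only Name, Publisher, Version and EffectiveQuantity must carry data; the remaining
# column names come from the documentation's example import file and are omitted here.
$statement = @(
    [pscustomobject]@{ Name = 'MySoftware'; Publisher = 'Contoso'; Version = '2';    EffectiveQuantity = 5 },
    [pscustomobject]@{ Name = 'MySoftware'; Publisher = 'Contoso'; Version = '2.05'; EffectiveQuantity = 3 }
)

$conflicts = Test-LicenseStatement -Statement $statement -Inventory $inventory
if ($conflicts) {
    # Both entries match 2.05.5678, so this file would fail to import; fix the statement first.
    $conflicts | ForEach-Object { Write-Warning $_ }
} else {
    $csvPath = Join-Path $env:TEMP 'GeneralLicenseStatement.csv'
    $statement | Export-Csv -Path $csvPath -NoTypeInformation
    Write-Output "Wrote $csvPath"
}
```

With the two sample entries the script warns rather than writing the file; removing the Version "2" entry (or narrowing it to "2.02") lets the file through. Pull the real inventory for the check with the SELECT DISTINCT query in the tip above, extended to include ProductVersion0.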
Check Application Title with Inventory Information: Checks that the software title
that is reported in software inventory is reconciled with the software title in the
Asset Intelligence catalog. By default, this task is enabled and scheduled to run on
Saturday after 12:00 A.M. and before 5:00 A.M. This maintenance task is only
available at the top-level site in your Configuration Manager hierarchy.
3. On the Home tab, in the Settings group, choose Site Maintenance. Select a task,
and choose Edit to modify the settings.
We recommend that you set the time period to off-peak hours of the site. The time
period is the time interval in which the task can run. It is defined by the Start after
and Latest start time specified in the Task Properties dialog box.
You can initiate the task right away by selecting the current day and setting the
Start after time to a couple minutes after the present time.
4. Choose OK to save your settings. The task now runs according to its schedule.
This topic contains information to help you manage typical Asset Intelligence tasks in
your Configuration Manager hierarchy:
Use the following procedure to view Asset Intelligence information on the Asset
Intelligence home page.
2. In the Asset and Compliance workspace, click Asset Intelligence. The Asset
Intelligence reports are displayed.
Note
The accuracy of installed software title quantities and license information displayed
in Asset Intelligence reports might vary from the actual number of software titles
installed or licenses in use in the environment because of the complex
dependencies and limitations involved in inventorying software license information
for software titles installed in enterprise environments. Asset Intelligence reports
should not be used as the sole source for determining purchased software license
compliance.
Use the following procedure to view Asset Intelligence information by using the Asset
Intelligence reports.
Warning
If no report folders exist under the Reports node, verify that you have
configured reporting. For more information, see Configuring reporting.
3. Select the Asset Intelligence report that you want to run, and then on the Home
tab, in the Report Group group, click Run.
Note
An Asset Intelligence synchronization point site system role must be installed before you use the following procedures. For information about installing an Asset Intelligence synchronization point, see Configuring Asset Intelligence.
Use the following procedure to create a synchronization schedule for the Asset
Intelligence catalog.
3. On the Home tab, in the Create group, click Synchronize, and then click Schedule
Synchronization.
4. In the Asset Intelligence Synchronization Point Schedule dialog box, select Enable
synchronization on a schedule, and then configure a simple or custom schedule.
5. Click OK to save the changes.
Warning
System Center Online accepts only one manual synchronization request in a 12-
hour period.
3. On the Home tab, in the Create group, click Synchronize, click Synchronize Asset
Intelligence Catalog, and then click OK.
Software categories
Asset Intelligence software categories are used to broadly categorize inventoried
software titles and are also used as high-level groupings of more specific software
families. For example, a software category could be energy companies, and a software
family within that software category could be oil and gas or hydroelectric. Many
software categories are predefined in the Asset Intelligence catalog, and additional user-
defined categories can be created to further define inventoried software. The validation
state for all predefined software categories is always Validated, while custom software
category information added to the Asset Intelligence catalog is User Defined.
2. In the Assets and Compliance workspace, click Asset Intelligence, and then click
Catalog.
3. On the Home tab, in the Create group, click Create Software Category.
4. On the General page, enter a name for the new software category and, optionally,
a description.
Note
The validation state for all new custom software categories is always set to
User Defined.
Click Next.
5. On the Summary page, review the settings, and then click Next.
Software families
Asset Intelligence software families are used to further define inventoried software titles
within software categories. For example, a software category could be energy
companies, and a software family within that software category could be oil and gas or
hydroelectric. Many software families are predefined in the Asset Intelligence catalog,
and additional user-defined families can be created to define inventoried software. The
validation state for all predefined software families is always Validated, while custom
software family information added to the Asset Intelligence catalog is User Defined.
2. In the Assets and Compliance workspace, click Asset Intelligence, and then click
Catalog.
3. On the Home tab, in the Create group, click Create Software Family.
4. On the General page, enter a name for the new software family and, optionally, a
description.
Note
The validation state for all new custom software families is always set to User
Defined.
5. On the Summary page, review the settings, and then click Next.
Software labels
Asset Intelligence custom software labels let you create filters that you can use to group
software titles and view them by using Asset Intelligence reports. For example, you can
create a software label called shareware, associate it with a number of applications, and
then run a report that shows you all titles with the software label of shareware. The
validation state is User Defined for all custom software labels that you add to the Asset
Intelligence catalog.
2. In the Assets and Compliance workspace, click Asset Intelligence, and then click
Catalog.
3. On the Home tab, in the Create group, click Create Software Label.
4. On the General page, enter a name for the new software label and, optionally, a description.
Note
The validation state for all new custom software labels is always set to User
Defined.
5. On the Summary page, review the settings, and then click Next.
Hardware requirements
Hardware requirements information can help you verify that computers meet the
hardware requirements for software titles before they are targeted for software
deployments. Many hardware requirements are predefined in the Asset Intelligence
catalog, and you can create new user-defined hardware requirement information to
meet custom requirements. The validation state for all predefined hardware
requirements is always Validated, while user-defined hardware requirements
information added to the Asset Intelligence catalog is User Defined.
3. On the Home tab, in the Create group, click Create Hardware Requirements.
a. Software title: Specifies the software title for which the hardware requirements
are associated. The software title cannot already exist in the Asset Intelligence
catalog.
b. Validation state: Lists the validation state as User Defined for the hardware
requirements. You cannot modify this setting.
d. Minimum RAM (KB): Specifies the minimum RAM, in kilobytes (KB), required by
the software title.
e. Minimum Disk Space (KB): Specifies the minimum free disk space, in KB,
required by the software title.
f. Minimum Disk Size (KB): Specifies the minimum hard disk size, in KB, required
by the software title.
Click Next.
5. On the Summary page, review the settings, and then click Next.
Important
The categorization information can only be modified at the top-level site.
2. In the Assets and Compliance workspace, click Asset Intelligence, and then click
Inventoried Software.
3. Select a software title or select multiple software titles for which you want to
modify categorizations.
5. On the General tab, you can modify the following categorization information:
Vendor: Specifies the name of the vendor that developed the inventoried
software title.
2. In the Assets and Compliance workspace, click Asset Intelligence, and then click
Inventoried Software.
3. Select a software title or select multiple software titles that you want to revert to
the original settings. Only software that has a User Defined state can be reverted.
Tip
Click the State column to sort by the validation state. Sorting lets you see all
software by validation state and quickly select multiple items to revert to the
original settings.
6. When you revert categorization information for software that is in the Asset
Intelligence catalog, the validation state changes from User Defined to Validated.
When you revert software that is not in the catalog, the validation state changes
from User Defined to Uncategorized.
Only basic software title information is transmitted to System Center Online, and
software title information to be categorized can be reviewed before submission.
Any software title that is uploaded becomes publicly available as part of the
System Center Online catalog and can be downloaded by other customers.
The source of the software title is not stored in the System Center Online catalog.
However, application titles containing confidential or proprietary information
should not be submitted for categorization by System Center Online.
Note
For more information about Asset Intelligence privacy information, see Security
and privacy for Asset Intelligence.
Use the following procedure to request Asset Intelligence catalog software title
categorization from System Center Online.
2. In the Assets and Compliance workspace, click Asset Intelligence, and then click
Inventoried Software.
Tip
Click the State column to sort by the validation state. This lets you see all
uncategorized product names and quickly select multiple items to submit for
categorization.
5. Review the System Center Online categorization submission privacy message. Click
Details to view the information that will be sent to System Center Online.
6. Select I have read and understood this message, and then click OK to allow the
selected software titles to be submitted for categorization.
7. Verify that the state of the inventoried software product names submitted to
System Center Online for categorization has changed from Uncategorized to
Pending.
2. In the Assets and Compliance workspace, click Asset Intelligence, and then click
Inventoried Software.
3. Review the State column for software titles in the Updatable state.
4. Select the software title for which you have to resolve a conflict, and then on the Home tab, in the Product group, click Resolve Conflict.
6. Select one of the following settings to resolve the software details conflict:
Do not change the locally edited catalog information value: Resolves the
software details conflict by retaining the existing Asset Intelligence catalog
software categorization information. When you select this setting, the
software title state changes from Updatable to User Defined.
This article contains security guidance and privacy information for Asset Intelligence in
Configuration Manager.
Security guidance
Privacy information
Asset Intelligence extends the inventory capabilities of Configuration Manager to
provide a higher level of asset visibility. Asset Intelligence information collection isn't
automatically enabled. You can modify the type of information collected by enabling
hardware inventory reporting classes. For more information, see Configure Asset
Intelligence.
Configuration Manager stores Asset Intelligence information in the site database the
same as inventory information. When clients connect to management points by using
HTTPS, the data is always encrypted during transfer to the management point. When
clients connect by using HTTP, configure the inventory data transfer to be signed and
encrypted. Inventory data isn't stored in an encrypted format in the database.
Information is kept in the database until the site maintenance task Delete Aged
Inventory History deletes it every 90 days by default. You can configure the deletion
interval.
Asset Intelligence doesn't send information about users, computers, or license usage to
Microsoft. You can choose to send System Center Online requests for categorization. For
these requests, you tag one or more uncategorized software titles and send them to
Microsoft for research and categorization. After you upload a software title, Microsoft
researchers identify and categorize the software. They then make that information
available to all customers who use the online service.
When you submit information to System Center Online, understand the following
privacy implications:
Upload applies only to generic software title information that you choose to send
to Microsoft. For example, software name and publisher. Inventory information
isn't sent to Microsoft.
Upload never occurs automatically, and the system isn't designed for this task to
be automated. Manually select and approve the upload of each software title.
Before the upload process starts, the Configuration Manager console shows you
exactly what data it will upload.
Any software title that you upload becomes public. The knowledge of that
software and its categorization become part of the online Asset Intelligence
catalog. Other customers can then download the catalog updates.
The source of the software title isn't recorded in the Asset Intelligence catalog, and
it isn't made available to other customers. Still verify that you don't include any
application titles that contain any private information.
Asset Intelligence validation states in Configuration Manager are not static and can
change as a result of administrative actions that affect the data stored in the Asset
Intelligence catalog. This topic provides examples of possible validation state
transitions.
Uncategorized: An inventoried software title that has not been previously categorized by System Center Online or that the administrative user has entered into the Asset Intelligence catalog.
Validated: Catalog item has been defined by System Center Online researchers and is present in the Asset Intelligence catalog.
Uncategorized: An inventoried software title is entered into the Asset Intelligence catalog that has not been previously categorized by System Center Online or the administrative user.
User Defined to Updateable: A user-defined catalog item has been categorized differently by System Center Online during subsequent manual bulk updates of the Asset Intelligence catalog. The administrative user can use the Software Details Conflict Resolution dialog box to decide whether to use the new categorization information or the previous user-defined value.
Updateable to Validated: The administrative user uses the Software Details Conflict Resolution dialog box to use the new categorization information received from System Center Online during the previous catalog update.
or
Updateable to User Defined: The administrative user uses the Software Details Conflict Resolution dialog box to use the previous user-defined value.
Uncategorized: An inventoried software title is entered into the Asset Intelligence database that has not been previously categorized by System Center Online or the administrative user.
Uncategorized to Pending: The uncategorized item is submitted to System Center Online for categorization by the administrative user.
Pending to Validated: The item is categorized by System Center Online. The administrative user imports the item into the Asset Intelligence catalog by using a bulk catalog update or Asset Intelligence catalog synchronization. Both are available by using the Asset Intelligence synchronization point site system role.
Uncategorized: An inventoried software title is entered into the Asset Intelligence database that has not been previously categorized by an administrative user or System Center Online.
User Defined to Pending: You submit the user-defined item to System Center Online for categorization.
Pending to Updateable: A user-defined catalog item has been categorized differently by System Center Online during subsequent catalog synchronization. You can use the Resolve Conflict action to decide whether to use the new categorization information or the previous user-defined value. For more information about resolving conflicts, see Resolve software details conflicts.
Updateable to Validated: You use the Resolve Conflict action and select the new categorization information received from System Center Online during the previous catalog update. For more information about resolving conflicts, see Resolve software details conflicts.
or
Updateable to User Defined: You use the Resolve Conflict action and select to use the previous user-defined value. For more information about resolving conflicts, see Resolve software details conflicts.
The example information in this topic can be used to create a sample general software license file to import software licenses into the Asset
Intelligence catalog by using the Import Software License Wizard. You can copy and paste the following table into a new Microsoft Excel
spreadsheet and save it with a .csv file name extension to be used as an example general software license import file for testing purposes.
When creating the license import file, all header fields are required while only Name, Publisher, Version, and EffectiveQuantity data values
are required in the spreadsheet. For more information about importing software licenses to the Asset Intelligence catalog, see Configuring
Asset Intelligence.
Name Publisher Version Language EffectiveQuantity PONumber ResellerName DateOfPurchase SupportPurchased SupportExpirationDat
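As an added example (not part of the Configuration Manager documentation or product), the following Python script checks a general license import file against the rules stated above: every header field must be present, and Name, Publisher, Version and EffectiveQuantity must carry a value on every data row, so a bad file is caught before the Import Software License Wizard rejects it. Column names follow the page's header row; the trailing SupportExpirationDate and Comments columns, the accepted date formats and the positive-integer rule for EffectiveQuantity are assumptions, and the sample file is constructed.

```python
import csv
import io
from datetime import datetime

# Column headers for the general license import file. The first nine are the
# page's header row; SupportExpirationDate and Comments complete the row that
# the page cuts off (assumption, taken from the wizard's documented format).
EXPECTED_HEADERS = [
    "Name", "Publisher", "Version", "Language", "EffectiveQuantity",
    "PONumber", "ResellerName", "DateOfPurchase", "SupportPurchased",
    "SupportExpirationDate", "Comments",
]
# Only these four columns must carry a value in every data row.
REQUIRED_VALUES = ["Name", "Publisher", "Version", "EffectiveQuantity"]
# Date columns and the formats accepted here (assumption for this example).
DATE_COLUMNS = ["DateOfPurchase", "SupportExpirationDate"]
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y")


def _parse_date(value):
    """Return a date for a value in one of DATE_FORMATS, or None if none fits."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    return None


def validate_license_csv(text):
    """Validate CSV text and return a list of human-readable problems.

    An empty list means the file passes every check. Row numbers are 1-based
    and count the header as row 1, matching what a spreadsheet shows.
    """
    problems = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["file is empty: header row missing"]

    header = [h.strip() for h in rows[0]]
    # All header fields are required, even for columns whose values may be blank.
    missing = [h for h in EXPECTED_HEADERS if h not in header]
    extra = [h for h in header if h not in EXPECTED_HEADERS]
    if missing:
        problems.append("header row is missing required columns: " + ", ".join(missing))
    if extra:
        problems.append("header row has unexpected columns: " + ", ".join(extra))
    if missing:
        # Without the required columns the per-row checks cannot be trusted.
        return problems

    index = {name: header.index(name) for name in EXPECTED_HEADERS}
    for line_no, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue  # skip blank trailing lines a spreadsheet export may add
        if len(row) != len(header):
            problems.append(f"row {line_no}: expected {len(header)} fields, found {len(row)}")
            continue
        for name in REQUIRED_VALUES:
            if not row[index[name]].strip():
                problems.append(f"row {line_no}: {name} is required but empty")
        qty = row[index["EffectiveQuantity"]].strip()
        if qty and not (qty.isdigit() and int(qty) > 0):
            problems.append(f"row {line_no}: EffectiveQuantity must be a positive integer, got {qty!r}")
        for name in DATE_COLUMNS:
            value = row[index[name]].strip()
            if value and _parse_date(value) is None:
                problems.append(f"row {line_no}: {name} {value!r} is not a recognised date")
    return problems


# Constructed sample file: row 2 is valid, row 3 lacks a publisher, row 4 has a
# non-numeric quantity and an unparseable purchase date.
SAMPLE_CSV = """Name,Publisher,Version,Language,EffectiveQuantity,PONumber,ResellerName,DateOfPurchase,SupportPurchased,SupportExpirationDate,Comments
Contoso Ledger,Contoso Ltd,4.2,English,150,PO-1001,Fabrikam Resellers,2023-01-15,Yes,2026-01-15,Site licence
Contoso Ledger,,4.2,English,25,PO-1002,Fabrikam Resellers,2023-02-01,No,,
Tailspin CAD,Tailspin Toys,11,English,twenty,PO-1003,,15th Feb 2023,Yes,,
"""


def check_sample():
    """Run the validator over SAMPLE_CSV and return its findings."""
    return validate_license_csv(SAMPLE_CSV)


if __name__ == "__main__":
    for problem in check_sample() or ["no problems found"]:
        print(problem)
```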
Use the Configuration Manager product lifecycle dashboard to view the Microsoft
Lifecycle Policy. The dashboard shows the state of the Microsoft Lifecycle Policy for
Microsoft products installed on devices managed with Configuration Manager. It also
provides you with information about Microsoft products in your environment,
supportability state, and support end dates. Use the dashboard to understand the
availability of support for each product. This information helps you plan for when to
update the Microsoft products you use before their current end of support is reached.
Prerequisites
To see data in the product lifecycle dashboard, the following components are required:
Install Internet Explorer 9 or later on the computer that runs the Configuration
Manager console.
To get updates for the data on this dashboard, the service connection point must
be online. If the service connection point is in offline mode, synchronize it
regularly. For more information, see About the service connection point.
In version 2111 and earlier: Configure and synchronize the asset intelligence
synchronization point. The dashboard uses the asset intelligence catalog as
metadata for product titles. Configuration Manager compares this metadata
against inventory data in your hierarchy. For more information, see Configure asset
intelligence in Configuration Manager.
Note
Based on inventory data the site collects from managed devices, the dashboard displays
information about all current products. However, the information displayed for
operating systems and SQL Server is limited to the following versions:
Note
The data in the dashboard is based on the site the Configuration Manager console
connects to. If the console connects to your top-tier site, you see data for the entire
hierarchy. When connected to a child primary site, only data from that site displays.
Change the view by selecting one of the following options from the Product category
list:
Lifecycle data for installed products: This tile gives you a general idea of when a
product transitions from supported to the expired state. The chart provides a
breakdown of the number of clients where the product is installed, the support
availability state, and a link to learn more about the next steps to take. The
following information is included in the chart:
Support time remaining
Number in environment
Mainstream support end date
Extended support end date
Next steps
Starting in version 2103, the dashboard also has a subnode, All Product Lifecycle Data.
You can sort and filter the product lifecycle information, which gives you multiple ways
to view it. When you select a product, you can View devices for that product. From the
list of devices, you can create a direct membership collection. Use this action to deploy
the latest software versions to these collections so that the devices are kept current.
Important
The information shown in this dashboard is provided for your convenience and
only for use internally within your company. You should not solely rely on this
information to confirm compliance. Be sure to verify the accuracy of the
information provided to you, along with availability of support information by
visiting the Microsoft Lifecycle Policy.
Reporting
Other reports are available as well. In the Configuration Manager console, go to the
Monitoring workspace, expand Reporting, and expand Reports. The following reports
are added under the category Asset Intelligence:
Lifecycle 02A - List of machines with expired products in the organization: View
computers that have expired products on them. You can filter this report by
product name.
Lifecycle 03A - List of expired products found in the organization: View details
for products in your environment that have expired lifecycle dates.
Deprecated functionality
The following functional areas are deprecated and may be removed in a future version.
Support for these areas will end November 2022.
Cloud updates to the predefined software categories and software families and
the associated SQL views and reports
Cloud updates to the predefined hardware requirements for software titles and
the associated SQL views and reports
Catalog synchronization
The Microsoft Volume License import and reconciliation including the associated
SQL views and reports
Supported functionality
The following functional areas aren't currently included in the deprecation and will
remain supported:
The General License Statement import and reconciliation and the associated SQL
views and reports
The ability to view the asset intelligence inventory in the console from the
Inventoried Software node
The existing static, predefined software title information provided with setup for
new and existing sites:
Product name
Vendor
Product category
Product family
Hardware requirement
The ability to customize the inventoried software title information such as the
product name and vendor
The ability to add custom software categories, families, and labels to inventoried
software titles
References
Asset intelligence reports
Use remote control to remotely administer, provide assistance, or view any client
computer in the hierarchy. You can use remote control to troubleshoot hardware and
software configuration problems on client computers and to provide support.
Configuration Manager supports the remote control of all workgroup computers and
domain-joined computers that run supported operating systems for the Configuration
Manager client. For more information, see Supported operating systems for clients and
devices for Configuration Manager.
Configuration Manager also lets you configure client settings to run Windows Remote
Desktop and Remote Assistance from the Configuration Manager console.
Note
You cannot establish a Remote Assistance session from the Configuration Manager
console to a client computer that is in a workgroup.
You can start a remote control session in the Configuration Manager console from
Assets and Compliance > Devices, from any device collection, from the Windows
Command Prompt window, or from the Windows Start menu.
Prerequisites for remote control in Configuration Manager
Article • 02/22/2023
You can't use Configuration Manager remote control to remotely administer client
computers that run versions of the Configuration Manager client earlier than current
branch.
Note
The following OS versions don't support the remote control viewer, but they do support
the remote control client:
Windows Embedded
Windows Embedded for Point of Service (POS)
Windows Fundamentals for Legacy PCs
Reporting
Before you can run reports for remote control, install the reporting services point site
system role. For more information, see Introduction to reporting.
Security permissions
To access collection resources and to start a remote control session from the
Configuration Manager console, your account needs the Read, Read Resource, and
Remote Control permissions for the Collection object.
The Remote Tools Operator security role includes the permissions that are
required to manage remote control in Configuration Manager.
Permitted viewers must be given permission to use remote control by adding these
users to the Permitted viewers of Remote Control and Remote Assistance list in
the Remote Tools client settings.
Remote clients
Remote tools aren't supported for clients that are connected remotely. For example, you
can't remote control a client that communicates with the site through a cloud
management gateway (CMG). For more information about the network ports required
for remote tools, see Ports used in Configuration Manager.
Tip
For tenant-attached devices, remote tools are available in the Microsoft Intune
admin center. For more information, see Support for remote tools.
Next steps
Configure remote control
Configuring remote control in Configuration Manager
Article • 10/04/2022
This procedure describes configuring the default client settings for remote control.
These settings apply to all computers in your hierarchy. If you want these settings to
apply to only some computers, assign a custom device client setting to a collection that
contains those computers. For more information, see How to configure client settings.
1. In the Configuration Manager console, choose Administration > Client Settings >
Default Client Settings.
4. Configure the remote control, Remote Assistance and Remote Desktop client
settings. For a list of remote tools client settings that you can configure, see
Remote Tools.
You can change the company name that appears in the ConfigMgr Remote
Control dialog box by configuring a value for Organization name displayed in
Software Center in the Computer Agent client settings.
Client computers are configured with these settings the next time they download
client policy. To initiate policy retrieval for a single client, see How to manage
clients.
By default, Configuration Manager transmits the key position from the viewer's location
to the sharer's location. This can present a problem for keyboard configurations that
differ from viewer to sharer. For example, a viewer with an English keyboard would type
an "A", but the sharer's French keyboard would provide a "Q". You now have the option
of configuring remote control so that the character itself is transmitted from the viewer's
keyboard to the sharer, and what the viewer intends to type arrives at the sharer.
Alt+Insert: Cycles through running programs in the order that they were opened.
Ctrl+Alt+Minus Sign (on the numeric keypad): Copies the active window of the local computer to the remote computer Clipboard.
Ctrl+Alt+Plus Sign (on the numeric keypad): Copies the entire local computer's window area to the remote computer Clipboard.
How to remotely administer a Windows client computer by using Configuration Manager
Article • 10/04/2022
From the Windows Start menu, on a computer that runs the Configuration
Manager console, in the Microsoft Endpoint Manager program group.
Note
The above Start menu path is for versions from November 2019 (version 1910)
or later. In earlier versions, the folder name is Microsoft System Center.
2. Select the computer that you want to remotely administer and then, in the Home
tab, in the Device group, choose Start > Remote Control.
Important
If the client setting Prompt user for Remote Control permission is set to True,
the connection does not initiate until the user at the remote computer agrees
to the remote control prompt. For more information, see Configuring remote
control.
3. After the Configuration Manager Remote Control window opens, you can
remotely administer the client computer. Use the following options to configure
the connection.
Note
If the computer that you connect to has multiple monitors, the display from
all the monitors is shown in the remote control window.
File
Connect - Connect to another computer. This option is unavailable when a
remote control session is active.
Disconnect - Disconnects the active remote control session but doesn't
close the Configuration Manager Remote Control window.
Exit - Disconnects the active remote control session and closes the
Configuration Manager Remote Control window.
View
Color depth - Choose either 16 bits or 32 bits per pixel.
Full Screen - Maximizes the Configuration Manager Remote Control
window. To exit full screen mode, press Ctrl+Alt+Break.
Optimize for low bandwidth connection - Choose this option if the
connection is low bandwidth.
Display:
All Screens - If the computer that you connect to has multiple monitors,
the display from all the monitors is shown in the remote control
window.
First Screen - The first screen is at the top and far left as shown in
Windows display settings. You can't select a specific screen. When you
switch the configuration of the viewer, reconnect the remote session.
The viewer saves your preference for future connections.
Scale to Fit - Scales the display of the remote computer to fit the size of
the Configuration Manager Remote Control window.
Status Bar - Toggles the display of the Configuration Manager Remote
Control window status bar.
Action
Send Ctrl+Alt+Del Key - Sends a Ctrl+Alt+Del key combination to the
remote computer.
Enable Clipboard Sharing - Lets you copy and paste items to and from the
remote computer. If you change this value, you must restart the remote
control session for the change to take effect.
If you don't want clipboard sharing to be enabled in the Configuration
Manager console, on the computer running the console, set the value
of the registry key
HKEY_CURRENT_USER\Software\Microsoft\ConfigMgr10\Remote
Control\Clipboard Sharing to 0.
Enable Keyboard Translation - Translates the keyboard layout of the
computer running the console to the connected device's layout.
Lock Remote Keyboard and Mouse - Locks the remote keyboard and
mouse to prevent the user from operating the remote computer.
Help
About Remote Control - Displays the current version of the viewer.
4. Users at the remote computer can view more information about the remote
control session when they click the Configuration Manager Remote Control icon.
The icon is in the Windows notification area or the icon on the remote control
session bar.
Address - Specifies the NetBIOS name, the fully qualified domain name (FQDN), or
the IP address of the client computer that you want to connect to.
Site Server Name - Specifies the name of the Configuration Manager site server to
which you want to send status messages that are related to the remote control
session.
/? - Displays the command-line options for the remote control viewer.
Note
The remote control viewer is supported on all operating systems that are supported
for the Configuration Manager console. For more information, see Supported
configurations for Configuration Manager consoles and Prerequisites for remote
control.
Next steps
Audit remote control usage
How to audit remote control usage in Configuration Manager
Article • 10/04/2022
You can use Configuration Manager reports to view audit information for remote
control.
For more information about how to configure reporting in Configuration Manager, see
Introduction to reporting.
The following two reports are available with the category Status Messages - Audit:
3. In the Reports node, click the Category column to sort the reports so that you can
more easily find the reports in the category Status Messages - Audit.
4. Select the report Remote Control - All computers remote controlled by a specific
user, and then, on the Home tab, in the Report Group, click Run.
5. In the User Name list of the Remote Control - All computers remote controlled
by a specific user, specify the user that you want to report audit information for,
and then click View Report.
6. When you have finished viewing the data in the report, close the report window.
3. In the Reports node, click the Category column to sort the reports so that you can
more easily find the reports in the category Status Messages - Audit.
4. Select the report Remote Control - All remote control information, and then, on
the Home tab, in the Report Group, click Run to open the Remote Control - All
remote control information window.
5. When you have finished viewing data in the report, close the report window.
Security and privacy for remote control in Configuration Manager
Article • 10/04/2022
This topic contains security and privacy information for remote control in Configuration
Manager.
Security best practice: When you connect to a remote computer, do not continue if NTLM instead of Kerberos authentication is used.
More information: When Configuration Manager detects that the remote control session is authenticated by using NTLM instead of Kerberos, you see a prompt that warns you that the identity of the remote computer cannot be verified. Do not continue with the remote control session. NTLM authentication is a weaker authentication protocol than Kerberos and is vulnerable to replay and impersonation.
Security best practice: Do not enable Clipboard sharing in the remote control viewer.
More information: The Clipboard supports objects such as executable files and text and could be used by the user on the host computer during the remote control session to run a program on the originating computer.
Security best practice: Do not enter passwords for privileged accounts when remotely administering a computer.
More information: Software that observes keyboard input could capture the password. Or, if the program that is being run on the client computer is not the program that the remote control user assumes, the program might be capturing the password. When accounts and passwords are required, the end user should enter them.
Security best practice: Lock the keyboard and mouse during a remote control session.
More information: If Configuration Manager detects that the remote control connection is terminated, Configuration Manager automatically locks the keyboard and mouse so that a user cannot take control of the open remote control session. However, this detection might not occur immediately and does not occur if the remote control service is terminated. Select the action Lock Remote Keyboard and Mouse in the ConfigMgr Remote Control window.
Security best practice: Do not let users configure remote control settings in Software Center.
More information: Do not enable the client setting Users can change policy or notification settings in Software Center to help prevent users from being spied on. If one user changes it, it can allow a different user on the same machine to be viewed remotely. This setting is for the computer, not for the logged-on user.
Security best practice: Enable the Domain Windows Firewall profile.
More information: Enable the client setting Enable remote control on clients Firewall exception profiles and then select the Domain Windows Firewall for intranet computers.
Security best practice: If you log off during a remote control session and log on as a different user, ensure that you log off before you disconnect the remote control session.
More information: If you do not log off in this scenario, the session remains open.
Security best practice: Do not give users local administrator rights.
More information: When you give users local administrator rights, they might be able to take over your remote control session or compromise your credentials.
Security best practice: Use either Group Policy or Configuration Manager to configure Remote Assistance settings, but not both.
More information: You can use Configuration Manager and Group Policy to make configuration changes to the Remote Assistance settings. When Group Policy is refreshed on the client, by default, it optimizes the process by changing only the policies that have changed on the server. Configuration Manager changes the settings in the local security policy, which might not be overwritten unless the Group Policy update is forced.
Security best practice: Enable the client setting Prompt user for Remote Control permission.
More information: Although there are ways around this client setting that prompts a user to confirm a remote control session, enable this setting to reduce the chance of users being spied upon while working on confidential tasks. In addition, educate users to verify the account name that is displayed during the remote control session and disconnect the session if they suspect that the account is unauthorized.
Security best practice: Limit the Permitted Viewers list.
More information: Local administrator rights are not required for a user to be able to use remote control.
If you start a remote control session and then log on by using alternative
credentials, the original account sends the audit messages, not the account that
used the alternative credentials.
Audit messages are not sent if you copy the binary files for remote control rather
than install the Configuration Manager console, and then run remote control at the
command prompt.
Although you can configure remote control to provide prominent notice and get
consent from a user before a remote control session begins, it can also monitor users
without their permission or awareness. You can configure View Only access level so that
nothing can be changed on the remote control, or Full Control. The account of the
connecting administrator is displayed in the remote control session, to help users
identify who is connecting to their computer.
For a detailed workflow about how to configure and use power management, see
Administrator checklist for power management.
Important
Do not apply power plans to computers in your site until you collect and analyze
the power data from client computers. If you apply new power management
settings to computers without first examining the existing settings, you might
experience an increase in power consumption.
Enforcement phase
Power management lets you create power plans that you can apply to collections of
computers in your site. These power plans configure Windows power management
settings on computers. You can use the power plans that are included with
Configuration Manager, or you can configure your own custom power plans. You can
use the power data that is collected during the monitoring and planning phase as a
baseline to help you evaluate power savings after you apply a power plan to computers.
For more information, see Administrator checklist for power management.
Compliance phase
In the compliance phase, you can run reports that help you to evaluate power usage
and power cost savings in your organization. You can also run reports that describe the
improvements in the amount of CO2 generated by computers. Reports are also available
that help you validate that power settings were correctly applied to computers and that
help you troubleshoot problems with the power management feature.
Prerequisites for power management in Configuration Manager
Article • 10/04/2022
Prerequisite: Client computers must be able to support the required power states.
More information: To use all features of power management, client computers must be able to support the sleep, hibernate, wake from sleep, and wake from hibernate actions. You can use the Power Capabilities report to determine if computers can support these actions. For more information, see Power Capabilities report in the topic How to monitor and plan for power management.
Prerequisite: Power management must be enabled before you can create and monitor power plans.
More information: For information about how to enable and configure power management, see Configuring power management.
Prerequisite: Reporting services point.
More information: You must configure a reporting services point before you can view power management reports. For more information, see Introduction to reporting.
Recommendations for power management in Configuration Manager
Article • 10/04/2022
Power consumption
Activity
Power management capabilities
Environmental impact
Choose a representative time to monitor the devices. For example, monitoring during a
public holiday doesn't provide a realistic report on computer power usage.
Exclude servers
Power management for computers that run Windows Server isn't supported. Add
servers to a collection and exclude it from power management.
Note
You might want to exclude from power management the following types of computers:
When you exclude a computer from power management, all power settings revert to
their original values. You can't revert individual power settings to their original values.
Power plan: If you apply multiple values for power settings to a computer, it uses
the least restrictive value.
Wakeup time: If you apply multiple wakeup times to a desktop computer, it uses
the time closest to midnight.
Configuration Manager keeps in the site database the following power management
information:
This administrator checklist provides the recommended steps for using Configuration
Manager power management in your organization.
Important
Do not apply power plans to computers in your hierarchy until you have collected
and analyzed power data from client computers. If you apply new power
management settings to computers without first examining the existing settings,
this might lead to an increase in power consumption.
Task: Configure your collections to manage power consumption from computers within your environment.
Details: Use the Collection for reporting of baseline data, Collection of computers incapable of power management, Collections of computers to which power plans will be applied, and Collections of computers that are running Windows Server to help you manage power settings for computers in your hierarchy. You can create multiple collections and apply different power plans to each collection.
Task: Enable power management.
Details: Before you can begin to use power management, you must enable it and configure the required client settings. For more information, see Configuring power management.
Task: Collect power management information from client computers.
Details: Power management data is reported by clients through Configuration Manager hardware inventory. Depending on the hardware inventory schedule that you have configured, it might take some time to retrieve inventory from all client computers.
Task: Run the report Computer Activity.
Details: The Computer Activity report displays a graph showing monitor, computer, and user activity for a specified collection over a specified time period. This report links to the Computer Activity Details report, which displays the sleep and wake capabilities of computers in the specified collection. For more information, see How to monitor and plan for power management.
Task: Run the report Energy Consumption or Energy Consumption by Day.
Details: The Energy Consumption and Energy Consumption by Day reports display the total monthly power consumption in kilowatt-hours (kWh) for a specified collection over a specified time period. For more information, see How to monitor and plan for power management.
Task: Run the report Environmental Impact or Environmental Impact by Day.
Details: The Environmental Impact and Environmental Impact by Day reports display a graph showing carbon dioxide (CO2) emissions saved by a specified collection of computers for a specified period of time. For more information, see How to monitor and plan for power management.
Task: Run the report Energy Cost or Energy Cost by Day.
Details: The Energy Cost and Energy Cost by Day reports display the total power consumption cost for a specified period of time. For more information, see How to monitor and plan for power management.
Task: Run the report Power Capabilities.
Details: The Power Capabilities report displays the power management capabilities of computers in the specified collection. For more information, see How to monitor and plan for power management.
Task: Run the report Power Settings.
Details: The Power Settings report displays an aggregated list of the current power settings used by computers in a specified collection. For more information, see How to monitor and plan for power management.
Important
Ensure that you save the information from power management reports generated
during the monitoring and planning phase. You can compare this data with power
management information generated during the enforcement and compliance
phases to help you evaluate the power usage, power cost, and environmental
impact savings from applying a power plan to computers in your hierarchy.
Enforcement phase

Task: Select existing power plans or create new power plans for collections of
computers in your organization.
Details: See How to create and apply power plans.

Task: Run the report Computer Activity.
Details: The Computer Activity report displays a graph showing monitor, computer, and
user activity for a specified collection over a specified time period. This report
links to the Power Computer Activity Details report, which displays the sleep and
wake capabilities of computers in the specified collection. For more information,
see How to monitor and plan for power management.

Task: Run the report Energy Consumption or Energy Consumption by Day.
Details: The Energy Consumption and Energy Consumption by Day reports display the
total monthly power consumption in kilowatt hours (kWh) for a specified collection
over a specified time period. For more information, see How to monitor and plan for
power management.

Task: Run the report Environmental Impact or Environmental Impact by Day.
Details: The Environmental Impact and Environmental Impact by Day reports display a
graph showing carbon dioxide (CO2) emissions saved by a specified collection of
computers for a specified period of time. For more information, see How to monitor
and plan for power management.

Task: Run the report Energy Cost or Energy Cost by Day.
Details: The Energy Cost and Energy Cost by Day reports display the total power
consumption cost for a specified period of time. For more information, see How to
monitor and plan for power management.
Troubleshooting

Task: If computers in your hierarchy have not entered sleep or hibernate, run the
report Insomnia Report to display possible causes.
Details: The Insomnia Report displays a list of common causes that prevented
computers from entering sleep or hibernate and the number of computers affected by
each cause for a specified time period. For more information, see How to monitor
and plan for power management.

Task: If multiple power plans are applied to one computer, then the least
restrictive power plan is applied. Run the report Computers with Multiple Power
Plans to see computers with multiple power plans applied.
Details: See Computers with Multiple Power Plans in How to monitor and plan for
power management.
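The Insomnia Report aggregates causes across a collection; on an individual client the same causes can be confirmed locally. The following script is an added example, not code from the Configuration Manager documentation or product: it parses the output of powercfg /requests (drivers, processes, and services that currently hold a power request and so keep the computer awake) and powercfg /waketimers (timers that will wake it) into objects. The output layouts shown in the comments are what current Windows versions print; if a later version changes them, the regular expressions need adjusting.

```powershell
# Added example, not from the Configuration Manager documentation. Run in an
# elevated PowerShell session on the client (powercfg /requests needs it).

function Get-PowerRequest {
    # powercfg /requests prints one block per category, for example:
    #   SYSTEM:
    #   [DRIVER] Realtek High Definition Audio (HDAUDIO\FUNC_01&VEN_10EC...)
    #   An audio stream is currently in use.
    #   EXECUTION:
    #   [PROCESS] \Device\HarddiskVolume3\Program Files\App\app.exe
    #   Video Wake Lock
    # A category with nothing outstanding prints "None.".
    param([string[]]$Lines = (& powercfg.exe /requests 2>&1))

    $requests = New-Object System.Collections.Generic.List[object]
    $category = $null
    $current  = $null
    foreach ($raw in $Lines) {
        $line = "$raw".Trim()
        if ($line -match '^([A-Z]+):$') {
            $category = $Matches[1]
            $current  = $null
        }
        elseif ($line -match '^\[(DRIVER|PROCESS|SERVICE)\]\s*(.+)$') {
            $current = [pscustomobject]@{
                Category  = $category
                Type      = $Matches[1]
                Requester = $Matches[2]
                Reason    = ''
            }
            $requests.Add($current)
        }
        elseif ($line -and $line -ne 'None.' -and $current) {
            # The line that follows a requester is its reason text
            $current.Reason = $line
        }
    }
    return $requests
}

function Get-WakeTimer {
    # powercfg /waketimers prints, per timer, a line such as
    #   Timer set by [SERVICE] \Device\...\svchost.exe (SystemEventsBroker) expires at 03:00:00 on 2023-03-03.
    # followed by an indented "Reason: ..." line.
    param([string[]]$Lines = (& powercfg.exe /waketimers 2>&1))

    $timers = New-Object System.Collections.Generic.List[object]
    foreach ($raw in $Lines) {
        $line = "$raw".Trim()
        if ($line -match '^Timer set by \[(\w+)\] (.+?) expires at (.+?)\.?$') {
            $timers.Add([pscustomobject]@{
                Type = $Matches[1]; Owner = $Matches[2]; ExpiresAt = $Matches[3]; Reason = ''
            })
        }
        elseif ($line -match '^Reason:\s*(.+)$' -and $timers.Count -gt 0) {
            $timers[$timers.Count - 1].Reason = $Matches[1]
        }
    }
    return $timers
}

$requests = Get-PowerRequest
$timers   = Get-WakeTimer
if ($requests.Count -eq 0 -and $timers.Count -eq 0) {
    'No outstanding power requests or wake timers: nothing on this client should prevent sleep.'
}
$requests | Format-Table Category, Type, Requester, Reason -AutoSize
$timers   | Format-Table Type, Owner, ExpiresAt, Reason -AutoSize
```

Both functions take a -Lines parameter, so output saved from another computer can be fed in for offline parsing. A requester in the SYSTEM or EXECUTION category blocks sleep regardless of the idle timeout in the applied power plan, which is why a computer can show up in the Insomnia Report even though the plan was applied correctly.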
Configure power management in
Configuration Manager
Article • 10/04/2022
If you want to apply these settings to only some computers, create a custom device
client setting. Then assign it to a collection that contains the computers for power
management. For more information, see How to configure client settings.
2. On the Home tab of the ribbon, in the Properties group, select Properties.
5. Configure the additional client settings that you require. For more information, see
About client settings - Power Management.
Clients configure these settings when they next download client policy. To initiate policy
retrieval for a single client, see How to manage clients.
Exclude computers
You can prevent collections of computers from receiving power management settings. If
a computer is a member of any collection that you exclude from power management
settings, that computer doesn't apply power management settings. This behavior
applies even if it's a member of another collection that does apply power management
settings.
You might want to exclude computers from power management for the following
reasons:
You have a control collection of computers on which you don't want to apply
power management settings.
You want to exclude computers that run Windows Server from power
management.
Note
If you configure the client setting to Allow users to exclude their device from
power management, users can exclude their own computers from power
management by using Software Center.
To find out which computers are excluded from power management, run the report
Computers Excluded. For more information about this report see How to monitor and
plan for power management.
Important
2. Select the collection that you want to exclude from power management. In the
Home tab of the ribbon, in the Properties group, select Properties.
3. Switch to the Power Management tab, and select Never apply power
management settings to computers in this collection.
Next steps
How to create and apply power plans
You can only apply Configuration Manager power plans to device collections. If a
computer is a member of multiple collections, each with different power plans, then the
following actions happen:
Power plan: If policy applies multiple values for power settings on a computer, it
uses the least restrictive value.
To display all computers that have multiple power plans applied to them, use the
Computers with Multiple Power Plans report. This report can help you discover
computers that have power conflicts. For more information about power management
reports, see How to monitor and plan for power management.
Make sure to review any power settings that you apply from group policy. Power
settings configured by using group policy will override settings configured by
Configuration Manager power management.
Important
Systems that you enable for Modern Standby (S0) won't apply Configuration
Manager power policies. You'll see a message similar to the following in
PwrProvider.log: The "Required idleness to sleep" setting
(<738eddaa-52e2-467f-b453-821ef2884d47>) is not supported on this operating
system. This setting will be ignored.
2. In the Assets and Compliance workspace, select the Device Collections node.
3. In the Device Collections list, choose the collection to which you want to apply
power management settings. In the Home tab of the ribbon, in the Properties
group, select Properties.
4. Switch to the Power Management tab of the collection, and select Specify power
management settings for this collection.
Note
You can also select Browse, and copy the power management settings from
another collection to this collection.
5. Specify the Start and End time for peak (or business) hours.
6. To specify a time when a desktop computer wakes from sleep or hibernate, Enable
Wakeup time (desktop computers). When the client wakes up, it can install
scheduled software updates or other deployments.
Important
Power management uses the internal Windows wakeup time feature to wake
computers from sleep or hibernate. Wakeup time settings aren't applied to
portable computers to prevent scenarios in which they might wake when not
plugged in. The wake up time is randomized and computers will be woken
over a one hour period from the specified wakeup time.
7. If you want to configure a custom power plan for business hours, select
Customized Peak (ConfigMgr) from the Peak plan list, and then select Edit. If you
want to configure a power plan for non-business hours, select Customized Non-
Peak (ConfigMgr) from the Non-peak plan list, and then select Edit.
Note
You can use the Computer Activity report to help you decide the schedules to
use for peak and non-peak hours when you apply power plans to collections
of computers. For more information, see How to monitor and plan for power
management.
You can also select from the built-in power plans: Balanced (ConfigMgr), High
Performance (ConfigMgr), and Power Saver (ConfigMgr). Select View to display
the properties of each power plan.
Note
Name: Specify a name for this power plan or use the supplied default value.
Specify the properties for this power plan: Configure the power plan
properties. For more information, see Available power management plan
settings.
Important
When the Configuration Manager client applies the power plan to the
device, it applies the enabled settings. If you unselect a power setting in
the policy, the value on the client computer doesn't change when it
applies the power plan. This action also doesn't restore the power
setting to its previous value before a power plan was applied.
10. Select OK to save and close the collection properties, and to apply the power plan.
Note
Power settings that you don't configure keep their current value on client
computers.
Turn off display after (minutes): Specifies the length of time, in minutes, that the
computer must be inactive before the display is turned off. If you don't want power
management to turn off the display, specify a value of 0.

Sleep after (minutes): Specifies the length of time, in minutes, that the computer
must be inactive before it enters sleep. If you don't want the device to sleep,
specify a value of 0.

Require a password on wakeup: Yes specifies that a user has to unlock the computer
when it wakes up.

Power button action: Specifies the action when you press the computer's power
button: Do nothing, Sleep, Hibernate, or Shut down.

Start menu power button: Specifies the action when you press the computer's Start
menu power button: Sleep, Hibernate, or Shut down.

Sleep button action: Specifies the action when you press the computer's Sleep
button: Do nothing, Sleep, Hibernate, or Shut down.

Lid close action: Specifies the action when the user closes the lid of a portable
computer: Do nothing, Sleep, Hibernate, or Shut down.

Turn off hard disk after (minutes): Specifies the length of time, in minutes, that
the computer's hard disk must be inactive before it's turned off. If you don't want
power management to turn off the computer's hard disk, specify a value of 0.

Hibernate after (minutes): Specifies the length of time, in minutes, that the
computer must be inactive before it hibernates. If you don't want the device to
hibernate, specify a value of 0.

Low battery action: Specifies the action when the computer's battery reaches the
specified low battery notification level: Do nothing, Sleep, Hibernate, or Shut
down.

Critical battery action: Specifies the action when the computer's battery reaches
the specified critical battery notification level. When it's on battery: Sleep,
Hibernate, or Shut down. When it's plugged in: Do nothing, Sleep, Hibernate, or
Shut down.

Allow hybrid sleep: On specifies that Windows saves a hibernation file when it
enters sleep. If there's a power loss while it's asleep, Windows uses this file to
restore the computer's state. Hybrid sleep is designed for desktop computers. By
default, it's not enabled on portable computers. Enabling hybrid sleep disables the
hibernate functionality.

Allow standby state when sleeping action: On enables the computer to be on standby.
This state still consumes some power, but enables the computer to wake faster. If
this setting is Off, the computer can only hibernate or turn off.

Required idleness to sleep (%): Specifies the percentage of idle processor time
required for the computer to enter sleep. For computers running Windows 7 and
later, this value is always 0.

Enable Windows wake up timer for desktop computers: Set Enable to enable the
built-in Windows timer to wake a desktop computer. When this timer wakes a desktop
computer, it stays awake for 10 minutes by default. This time period allows the
client to install any updates or to receive policy.
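As an added example (not code from the Configuration Manager documentation or client), the following PowerShell script checks on a client which values are actually in effect for several of the settings listed above, and reports the two conditions described in this section under which a collection's plan is not honored: Modern Standby, and settings managed by Group Policy. The values in $ExpectedPlan are a hypothetical plan; the Group Policy registry path and the client log location are assumptions stated in the comments, and the setting GUIDs can be confirmed on any client with powercfg /aliases.

```powershell
# Added example, not from the Configuration Manager documentation. Run in an
# elevated PowerShell session on the client.
#
# Assumptions that the page does not state:
#  - $ExpectedPlan is a hypothetical plan; substitute the values of your own
#    Customized Peak (ConfigMgr) plan.
#  - Group Policy power settings are written to
#    HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\<setting GUID>
#    as ACSettingIndex / DCSettingIndex values.
#  - The client log PwrProvider.log lives in %windir%\CCM\Logs.

# Settings from the plan table, keyed by their powercfg aliases. Windows stores
# idle timeouts in seconds while the ConfigMgr plan expresses them in minutes,
# hence the "* 60".
$ExpectedPlan = @(
    [pscustomobject]@{ Name = 'Turn off display after'; Sub = 'SUB_VIDEO'; Alias = 'VIDEOIDLE';
                       Guid = '3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e'; ExpectedAC = 15 * 60 }
    [pscustomobject]@{ Name = 'Sleep after'; Sub = 'SUB_SLEEP'; Alias = 'STANDBYIDLE';
                       Guid = '29f6c1db-86da-48c5-9fdb-f2b67b1f44da'; ExpectedAC = 30 * 60 }
    [pscustomobject]@{ Name = 'Hibernate after'; Sub = 'SUB_SLEEP'; Alias = 'HIBERNATEIDLE';
                       Guid = '9d7815a6-7ee4-497e-8888-515a05f02364'; ExpectedAC = 0 }
    [pscustomobject]@{ Name = 'Require a password on wakeup'; Sub = 'SUB_NONE'; Alias = 'CONSOLELOCK';
                       Guid = '0e796bdb-100d-47d6-a2d5-f7d2daa51f51'; ExpectedAC = 1 }
    [pscustomobject]@{ Name = 'Enable Windows wake up timer'; Sub = 'SUB_SLEEP'; Alias = 'RTCWAKE';
                       Guid = 'bd3b718a-0680-4d9d-8ab2-e1d2b4ac806d'; ExpectedAC = 1 }
)

function Get-EffectivePowerValue {
    # Returns the AC and DC values of one setting in the active scheme.
    # powercfg prints "Current AC Power Setting Index: 0x00000384" (hex).
    param([string]$Sub, [string]$Alias)
    $text = (& powercfg.exe /query SCHEME_CURRENT $Sub $Alias 2>&1 | Out-String)
    $ac = $null; $dc = $null
    if ($text -match 'Current AC Power Setting Index:\s+0x([0-9A-Fa-f]+)') { $ac = [Convert]::ToInt64($Matches[1], 16) }
    if ($text -match 'Current DC Power Setting Index:\s+0x([0-9A-Fa-f]+)') { $dc = [Convert]::ToInt64($Matches[1], 16) }
    [pscustomobject]@{ AC = $ac; DC = $dc }
}

function Test-ModernStandby {
    # "powercfg /a" lists "Standby (S0 Low Power Idle)" among the sleep states
    # that are available. The same string can appear in the list of states that
    # are not available, so only the first section is inspected.
    $text = (& powercfg.exe /a 2>&1 | Out-String)
    $available = ($text -split 'not available on this system')[0]
    return [bool]($available -match 'S0 Low Power Idle')
}

function Get-GpoPowerSetting {
    # Assumed location (see the comment block above) of a policy-managed power
    # setting; returns $null when the setting is not managed by Group Policy.
    param([string]$Guid)
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\$Guid"
    if (Test-Path $key) { return Get-ItemProperty -Path $key }
    return $null
}

$findings = New-Object System.Collections.Generic.List[string]

if (Test-ModernStandby) {
    $findings.Add('Modern Standby (S0 Low Power Idle) is enabled: Configuration Manager power policies are not applied on this device.')
}

$log = Join-Path $env:windir 'CCM\Logs\PwrProvider.log'
if (Test-Path $log) {
    $ignored = Select-String -Path $log -Pattern 'is not supported on this operating system' | Select-Object -Last 1
    if ($ignored) { $findings.Add("PwrProvider.log: $($ignored.Line.Trim())") }
}

foreach ($s in $ExpectedPlan) {
    $actual = Get-EffectivePowerValue -Sub $s.Sub -Alias $s.Alias
    $gpo    = Get-GpoPowerSetting -Guid $s.Guid
    if ($gpo) {
        # Group Policy wins over the ConfigMgr plan, whatever the plan says
        $findings.Add("$($s.Name): managed by Group Policy (ACSettingIndex=$($gpo.ACSettingIndex)), which overrides the ConfigMgr plan.")
    }
    if ($actual.AC -ne $s.ExpectedAC) {
        $findings.Add("$($s.Name): effective AC value $($actual.AC) differs from the plan value $($s.ExpectedAC).")
    }
}

if ($findings.Count -eq 0) {
    'Effective power settings match the expected plan.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
    exit 1
}
```

The comparison uses the AC (plugged in) values because the plan above is what a desktop on mains power should match; for portable computers add a check of the DC column. A mismatch is not necessarily a defect: a computer that is a member of several collections receives the least restrictive value, and the Computers with Multiple Power Plans report shows which computers those are. The "Require a password on wakeup" row is the one to treat as a hard failure, since a plan that relaxes it leaves an unattended console unlocked after wake.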
Use the following information to help you monitor and plan for power management in
Configuration Manager.
Before you can use the power management reports, you must configure reporting for
your hierarchy. For more information about reporting in Configuration Manager, see
Introduction to reporting.
Note
When you run reports during the monitoring and planning and compliance phases
of power management, save or export the results from any reports for which you
want to retain the data for later comparison in case they are later removed by
Configuration Manager.
Note
Power management reports display the number of physical computers and the
number of virtual computers in a selected collection. However, only power
management information from physical computers is displayed in power
management reports.
User Active – Activity has been detected from the computer mouse, computer
keyboard, or from a Remote Desktop connection to the computer
This report is used during the monitoring and planning and enforcement stages to
help you understand the alignment between computer activity, monitor activity
and user activity over a 24 hour period. If you run the report over a number of days
then the data is aggregated over this period. This report can help you to determine
typical business (peak) and nonbusiness (non-peak) hours for a selected collection
to help you decide when to apply configured power management plans.
The graph shows time periods where a computer might be turned on, but there is
no user activity. Consider applying more restrictive power settings during these
times to save on the power costs of computers that are turned on, but are not
being used. A computer is counted as being active if there has been computer,
user or monitor activity for one minute or more for a displayed hour on the graph.
If a computer is not reporting power management data, it will not be included in
the Computer Activity report.
Start date: From the drop-down list, select the start date for this report.

End date (Optional): From the drop-down list, select an optional end date for this
report.

Collection name: From the drop-down list, select a collection to use for this report.

Device type: From the drop-down list, select the type of computer for which you want
a report. Valid values are All (both desktop and portable computers), Desktop
(desktop computers only), and Laptop (portable computers only).
Report links
If a value for End date (optional) is not specified, this report contains a link to the
following report, which provides further information.

Computer Activity Details: Click the Click for detailed information link to see a list
of active, inactive, and non-reporting computers for the specified date. For more
information, see Computer Activity Details Report in this topic.
User Active – Activity has been detected from the computer mouse, computer
keyboard, or from a Remote Desktop connection to the computer.
This report can be run independently or called by the Computer Activity Details
report.
Note
Report date: From the drop-down list, select a date for this report.

Computer name: Enter a computer name for which you want a report.
Report links
This report contains links to the following report, which provides further information
about the selected item.

Computer Details: Click the Click for detailed information link to see the power
capabilities, power settings, and applied power plans for the selected computer.
Collection name: From the drop-down list, select a collection to use for this report.

Report date: From the drop-down list, select a date to use for this report.

Report hour: From the drop-down list, select an hour from the specified date for
which to run this report. Valid values are between 12am and 11pm.

Computer state: From the drop-down list, select the computer state for which to run
this report. Valid values are All (computers that were turned on or off), On
(computers that were turned on), and Off (computers that were turned off, in sleep,
or in hibernate). These values are only returned for the chosen reporting period.

Device type: From the drop-down list, select the type of computer for which you want
a report. Valid values are All (both desktop and portable computers), Desktop
(desktop computers only), and Laptop (portable computers only). These values are
only returned for the chosen reporting period.

Sleep capable: From the drop-down list, select whether to display computers capable
of sleep in the report. Valid values are All (both computers capable and incapable
of sleep), No (computers that are incapable of sleep), and Yes (computers that are
capable of sleep).

Wake from sleep capable: From the drop-down list, select whether to display
computers capable of wake from sleep in the report. Valid values are All (both
computers capable and incapable of wake from sleep), No (computers that are
incapable of wake from sleep), and Yes (computers that are capable of wake from
sleep).

Power plan: From the drop-down list, select the power plan types you want to display
in the report. Valid values are All (computers that do not have any power
management plans applied, computers that have a power management plan applied,
and computers excluded from power management), Not specified (computers that do
not have a power management plan applied), Defined (computers that have a power
management plan applied), and Excluded (computers that have been excluded from
power management).

Operating system: From the drop-down list, select the computer operating systems
that you want to display in the report, or select All to display all operating
systems.

Report links
This report contains links to the following report, which provides further information
about the selected item.

Computer Activity by Computer: Click a computer name to see specific activity for
that computer over a chosen reporting period. These activities include Computer on
(has the computer been turned on?), Monitor on (has the monitor been turned on?),
and User Active (activity has been detected from the computer's mouse, keyboard, or
a remote desktop connection). For more information, see Computer Activity by
Computer Report in this topic.
Power mode: From the drop-down list, select the type of power settings you want to
display in the report results. Select Plugged In to view the power settings
configured for when the computer is plugged in, and On Battery to view the power
settings configured for when the computer is running on battery power.
Note
Collection name: From the drop-down list, select a collection to use for this report.

Report date: From the drop-down list, select a date for this report.

Report hour: From the drop-down list, select an hour from the specified date for
which to run this report. Valid values are between 12am and 11pm.

Device type: From the drop-down list, select the type of computer for which you want
a report. Valid values are All (both desktop and portable computers), Desktop
(desktop computers only), and Laptop (portable computers only). These values are
only returned for the chosen reporting period.
Computers Excluded
The Computers Excluded report displays a list of computers in a specified collection
that have been excluded from Configuration Manager power management.

Collection name: From the drop-down list, select a collection for this report.

Reason: From the drop-down list, select the reason why the computers were excluded
from power management. You can display All (all excluded computers), Excluded by
administrator (only computers that were excluded by an administrative user), and
Excluded by user (only computers that were excluded by a user of Software Center).

Report links
This report contains links to the following report, which provides further information
about the selected item.

Power Computer Details: Click a computer name to see the power capabilities, power
settings, and applied power plans for the selected computer. For more information,
see Computer Details Report in this topic.
Important
Collection name: From the drop-down list, select a collection for this report.

Report links
This report contains links to the following report, which provides further information
about the selected item.

Power Computer Details: Click a computer name to see the power capabilities, power
settings, and applied power plans for the selected computer. For more information,
see Computer Details Report in this topic.
A graph showing the average power consumption in kilowatt hours (kWh) of each
computer in the specified collection for the specified time period.
A table showing the total monthly power consumption in kilowatt hours (kWh) and
the average power consumption of computers in the specified collection for the
specified time period.
Note
If you add members to or remove members from the collection after you apply a
power plan, the results shown by the Energy Consumption report change, which can
make it harder to compare the results from the monitoring and planning phase with
those from the enforcement phase.
Start date: From the drop-down list, select a start date for this report.

End date: From the drop-down list, select an end date for this report.

Collection name: From the drop-down list, select a collection for this report.

Device type: From the drop-down list, select the type of computer for which you want
a report. Valid values are All (both desktop and portable computers), Desktop
(desktop computers only), and Laptop (portable computers only). These values are
only returned for the chosen reporting period.
Hidden report parameters
The following hidden parameters can optionally be specified to change the behavior of
this report. Each consumption value is the energy the computer uses for every hour
it spends in that state.

Desktop computer on: Specify the power consumption of a desktop computer when it
is turned on. The default value is 0.07 kWh per hour.

Laptop computer on: Specify the power consumption of a portable computer when it
is turned on. The default value is 0.02 kWh per hour.

Desktop computer sleep: Specify the power consumption of a desktop computer that
has entered sleep. The default value is 0.003 kWh per hour.

Laptop computer sleep: Specify the power consumption of a portable computer that
has entered sleep. The default value is 0.001 kWh per hour.

Desktop computer off: Specify the power consumption of a desktop computer when it
is turned off. The default value is 0 kWh per hour.

Laptop computer off: Specify the power consumption of a portable computer when it
is turned off. The default value is 0 kWh per hour.

Report links
This report does not link to any other power management reports.
A graph showing the total daily power consumption of computers in kilowatt hours
(kWh) in the specified collection for the last 31 days.
A graph showing the average daily power consumption in kilowatt hours (kWh) of
each computer in the specified collection for the last 31 days.
A table showing the total daily power consumption in kilowatt hours (kWh) and the
average daily power consumption of computers in the specified collection for the
last 31 days.
Note
If you add members to or remove members from the collection after you apply a
power plan, the results shown by the Energy Consumption report change, which can
make it harder to compare the results from the monitoring and planning phase with
those from the enforcement phase.
Collection: From the drop-down list, select a collection for this report.

Device Type: From the drop-down list, select the type of computer for which you
want to report. Valid values are All (both desktop and portable computers), Desktop
(desktop computers only), and Laptop (portable computers only). These values are
only returned for the chosen reporting period.

The following hidden parameters can optionally be specified to change the behavior of
this report. Each consumption value is the energy the computer uses for every hour
it spends in that state.

Desktop computer on: Specify the power consumption of a desktop computer when it
is turned on. The default value is 0.07 kWh per hour.

Laptop computer on: Specify the power consumption of a portable computer when it
is turned on. The default value is 0.02 kWh per hour.

Desktop computer sleep: Specify the power consumption of a desktop computer that
has entered sleep. The default value is 0.003 kWh per hour.

Laptop computer sleep: Specify the power consumption of a portable computer that
has entered sleep. The default value is 0.001 kWh per hour.

Desktop computer off: Specify the power consumption of a desktop computer when it
is turned off. The default value is 0 kWh per hour.

Laptop computer off: Specify the power consumption of a portable computer when it
is turned off. The default value is 0 kWh per hour.

Report links
This report does not link to any other power management reports.
A graph showing the total monthly power cost for computers in the specified
collection for the specified time period.
A graph showing the average monthly power cost for each computer in the
specified collection for the specified time period.
A table showing the total monthly power cost and the average monthly power cost
for computers in the specified collection for the last 31 days.
This information can be used to help you understand power cost trends in your
environment. After you apply a power plan to computers in the selected collection,
the power cost for those computers should decrease.
Start date: From the drop-down list, select a start date for this report.

End date: From the drop-down list, select an end date for this report.

Cost of kWh: Specify the cost per kWh of electricity. The default value is 0.09. You
can modify the unit of currency used by this report in the hidden parameters
section.

Collection name: From the drop-down list, select a collection to use for this report.

Device type: From the drop-down list, select the type of computer for which you
want to report. Valid values are All (both desktop and portable computers), Desktop
(desktop computers only), and Laptop (portable computers only). These values are
only returned for the chosen reporting period.
The following hidden parameters can optionally be specified to change the behavior of
this report. Each consumption value is the energy the computer uses for every hour
it spends in that state.

Desktop computer on: Specify the power consumption of a desktop computer when it
is turned on. The default value is 0.07 kWh per hour.

Laptop computer on: Specify the power consumption of a portable computer when it
is turned on. The default value is 0.02 kWh per hour.

Desktop computer sleep: Specify the power consumption of a desktop computer that
has entered sleep. The default value is 0.003 kWh per hour.

Laptop computer sleep: Specify the power consumption of a portable computer that
has entered sleep. The default value is 0.001 kWh per hour.

Desktop computer off: Specify the power consumption of a desktop computer when it
is turned off. The default value is 0 kWh per hour.

Laptop computer off: Specify the power consumption of a portable computer when it
is turned off. The default value is 0 kWh per hour.

Currency: Specify the currency label to use for this report. The default value is
USD ($).

Report links
This report does not link to any other power management reports.
A graph showing the total daily power cost for computers in the specified
collection for the last 31 days.
A graph showing the average daily power cost for each computer in the specified
collection for the last 31 days.
A table showing the total daily power cost and the average daily power cost for
computers in the specified collection for the last 31 days.
This information can be used to help you to understand power cost trends in your
environment. After applying a power plan to computers in the selected collection,
the power cost for computers should decrease.
Collection name: From the drop-down list, select a collection to use for this report.

Device type: From the drop-down list, select the type of computer you want to report
about. Valid values are All (both desktop and portable computers), Desktop (desktop
computers only), and Laptop (portable computers only). These values are only
returned for the chosen reporting period.

Cost of kWh: Specify the cost per kWh of electricity. The default value is 0.09. You
can modify the unit of currency used by this report in the hidden parameters
section.

The following hidden parameters can optionally be specified to change the behavior of
this report. Each consumption value is the energy the computer uses for every hour
it spends in that state.

Desktop computer on: Specify the power consumption of a desktop computer when it
is turned on. The default value is 0.07 kWh per hour.

Laptop computer on: Specify the power consumption of a portable computer when it
is turned on. The default value is 0.02 kWh per hour.

Desktop computer sleep: Specify the power consumption of a desktop computer that
has entered sleep. The default value is 0.003 kWh per hour.

Laptop computer sleep: Specify the power consumption of a portable computer that
has entered sleep. The default value is 0.001 kWh per hour.

Desktop computer off: Specify the power consumption of a desktop computer when it
is turned off. The default value is 0 kWh per hour.

Laptop computer off: Specify the power consumption of a portable computer when it
is turned off. The default value is 0 kWh per hour.

Currency: Specify the currency label to use for this report. The default value is
USD ($).

Report links
This report does not link to any other power management reports.
A graph showing the total monthly CO2 generated (in tons) for computers in the
specified collection for the specified time period.
A graph showing the average monthly CO2 generated (in tons) for each computer
in the specified collection for the specified time period.
A table showing the total monthly CO2 generated and the average monthly CO2
generated for computers in the specified collection for the specified time period.
The Environmental Impact report calculates the amount of CO2 generated (in
tons) by using the time that a computer or monitor was turned on in a 24 hour
period.
Report start date: From the drop-down list, select a start date for this report.

Report end date: From the drop-down list, select an end date for this report.

Collection name: From the drop-down list, select a collection for this report.

Device type: From the drop-down list, select the type of computer for which you want
a report. Valid values are All (both desktop and portable computers), Desktop
(desktop computers only), and Laptop (portable computers only). These values are
only returned for the chosen reporting period.
The following hidden parameters can optionally be specified to change the behavior of
this report.
Parameter Name | Description
Desktop computer on | Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kW per hour.
Laptop computer on | Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour.
Desktop computer sleep | Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour.
Laptop computer sleep | Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour.
Desktop computer off | Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour.
Laptop computer off | Specify the power consumption of a portable computer when it is turned off. The default value is 0 kW per hour.
Desktop monitor on | Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kW per hour.
Laptop monitor on | Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour.
Carbon Factor (tons/kWh) (CO2Mix) | Specify the value for carbon factor (in tons/kWh) that you typically can obtain from your power company. The default value is 0.0015 tons per kWh.
Report links
This report does not link to any other power management reports.
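To see how the hidden parameters above drive the report's numbers, here is an added example (not Microsoft's report code) that reproduces the Environmental Impact arithmetic over constructed per-day activity records. It assumes the calculation is (hours in each state x kW for that state, per computer per 24-hour period) x carbon factor, which the article implies but does not spell out; the `Get-EstimatedEnvironmentalImpact` function and the sample records are this example's own.

```powershell
# Added example, not Microsoft's report code. Assumed formula:
# CO2 tons = sum over computers and days of (hours per state x kW per state) x CarbonFactor.
function Get-EstimatedEnvironmentalImpact {
    param(
        # One record per computer per 24-hour period (constructed sample data below).
        [Parameter(Mandatory)] [object[]] $Activity,
        # Device type filter, as in the report: All, Desktop, or Laptop.
        [ValidateSet('All', 'Desktop', 'Laptop')] [string] $DeviceType = 'All',
        # Hidden report parameters with the article's defaults (kW, and tons per kWh).
        [double] $DesktopOn = 0.07,         [double] $LaptopOn = 0.02,
        [double] $DesktopSleep = 0.003,     [double] $LaptopSleep = 0.001,
        [double] $DesktopOff = 0,           [double] $LaptopOff = 0,
        [double] $DesktopMonitorOn = 0.028, [double] $LaptopMonitorOn = 0,
        [double] $CarbonFactor = 0.0015
    )

    $rows = if ($DeviceType -eq 'All') { $Activity } else { $Activity | Where-Object DeviceType -eq $DeviceType }
    if (-not $rows) { throw "No activity records match device type '$DeviceType'." }

    $totalKwh = 0.0
    foreach ($r in $rows) {
        # The three computer states must account for the whole 24-hour period.
        $span = $r.HoursOn + $r.HoursSleep + $r.HoursOff
        if ([math]::Abs($span - 24) -gt 1e-9) {
            throw "$($r.Name) on $($r.Day): computer hours sum to $span, expected 24."
        }
        switch ($r.DeviceType) {
            'Desktop' {
                $kwh = $r.HoursOn * $DesktopOn + $r.HoursSleep * $DesktopSleep +
                       $r.HoursOff * $DesktopOff + $r.MonitorHoursOn * $DesktopMonitorOn
            }
            'Laptop' {
                $kwh = $r.HoursOn * $LaptopOn + $r.HoursSleep * $LaptopSleep +
                       $r.HoursOff * $LaptopOff + $r.MonitorHoursOn * $LaptopMonitorOn
            }
            default { throw "$($r.Name): unknown device type '$($r.DeviceType)'." }
        }
        $totalKwh += $kwh
    }

    # The report shows a total and a per-computer average for the collection.
    $computerCount = @($rows | Select-Object -ExpandProperty Name -Unique).Count
    $totalTons     = $totalKwh * $CarbonFactor
    [pscustomobject]@{
        DeviceType                = $DeviceType
        Computers                 = $computerCount
        TotalKwh                  = [math]::Round($totalKwh, 3)
        TotalCo2Tons              = [math]::Round($totalTons, 6)
        AverageCo2TonsPerComputer = [math]::Round($totalTons / $computerCount, 6)
    }
}

# Constructed sample: two computers over two days (not real inventory data).
$sample = @(
    [pscustomobject]@{ Name = 'DESK01'; Day = '2023-03-01'; DeviceType = 'Desktop'; HoursOn = 9;  HoursSleep = 3;  HoursOff = 12; MonitorHoursOn = 9 }
    [pscustomobject]@{ Name = 'DESK01'; Day = '2023-03-02'; DeviceType = 'Desktop'; HoursOn = 24; HoursSleep = 0;  HoursOff = 0;  MonitorHoursOn = 8 }
    [pscustomobject]@{ Name = 'LAP01';  Day = '2023-03-01'; DeviceType = 'Laptop';  HoursOn = 8;  HoursSleep = 10; HoursOff = 6;  MonitorHoursOn = 8 }
    [pscustomobject]@{ Name = 'LAP01';  Day = '2023-03-02'; DeviceType = 'Laptop';  HoursOn = 7;  HoursSleep = 1;  HoursOff = 16; MonitorHoursOn = 7 }
)

# Whole collection with the defaults, then desktops only with a carbon factor
# of your own (placeholder value) in place of the default CO2Mix.
Get-EstimatedEnvironmentalImpact -Activity $sample
Get-EstimatedEnvironmentalImpact -Activity $sample -DeviceType Desktop -CarbonFactor 0.0004
```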
Environmental Impact by Day report
The Environmental Impact by Day report displays the following information:
A graph showing the total daily CO2 generated (in tons) for computers in the
specified collection for the last 31 days.
A graph showing the average daily CO2 generated (in tons) for each computer in
the specified collection for the last 31 days.
A table showing the total daily CO2 generated and the average daily CO2
generated for computers in the specified collection for the last 31 days.
The Environmental Impact by Day report calculates the amount of CO2 generated
(in tons) by using the time that a computer or monitor was turned on in a 24 hour
period.
Parameter Name | Description
Collection name | From the drop-down list, select a collection for this report.
Device type | From the drop-down list, select the type of computer you want to report about. Valid values are All (both desktop and portable computers), Desktop (desktop computers only), and Laptop (portable computers only). These values are only returned for the chosen reporting period.
Desktop computer on | Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kWh.
Laptop computer on | Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kWh.
Desktop computer off | Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kWh.
Laptop computer off | Specify the power consumption of a portable computer when it is turned off. The default value is 0 kWh.
Desktop computer sleep | Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kWh.
Laptop computer sleep | Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kWh.
Desktop monitor on | Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kWh.
Laptop monitor on | Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kWh.
Carbon Factor (tons/kWh) (CO2Mix) | Specify a value for the carbon factor (in tons/kWh) that you typically can obtain from your power company. The default value is 0.0015 tons per kWh.
Report links
This report does not link to any other power management reports.
The Insomnia Report displays computers as Not sleep capable when they are not
capable of sleep and have been turned on during the entire specified report interval.
The report displays computers as Not hibernate capable when they are not capable of
hibernate and have been turned on during the entire specified report interval.
Note
Power management can only collect causes that prevented computers from
entering sleep or hibernate from computers running Windows 7 or Windows Server
2008 R2.
Use the following parameters to configure this report.
Parameter Name | Description
Collection name | From the drop-down list, select a collection to use for this report.
Report interval (days) | Specify the number of days to report. The default value is 7 days.
Cause of Insomnia | From the drop-down list, select one of the causes that can prevent computers from entering sleep or hibernate.
Report links
This report contains links to the following report, which provides further information about the selected item.
Report Name | Details
Computer Details | Click the Click for detailed information link to see the power capabilities, power settings, and applied power plans for the selected computer.
Insomnia report
The Insomnia Report displays a list of common causes that prevented computers from
entering sleep or hibernate and the number of computers affected by each cause for a
specified time period. There are a number of causes that might prevent a computer
from entering sleep or hibernate such as a process running on the computer, an open
Remote Desktop session, or that the computer is incapable of sleep or hibernate. From
this report, you can open the Insomnia Computer Details report which displays a list of
computers affected by each cause of computers not sleeping or hibernating.
The Power Insomnia report displays computers as Not sleep capable when they are not
capable of sleep and have been turned on during the entire specified report interval.
The report displays computers as Not hibernate capable when they are not capable of
hibernate and have been turned on during the entire specified report interval.
Note
Power management can only collect causes that prevented computers from
entering sleep or hibernate from computers running Windows 7 or Windows Server
2008 R2.
Parameter Name | Description
Collection name | From the drop-down list, select a collection to use for this report.
Report interval (days) | Specify the number of days to report. The default value is 7 days. The maximum value is 365 days. Specify 0 to run the report for today.
Report links
This report contains links to the following report, which provides further information about the selected item.
Report Name | Details
Insomnia Computer Details | Click a number in the Affected Computers column to see a list of computers that could not sleep or hibernate because of the selected cause. For more information, see Insomnia Computer Details Report in this topic.
Sleep Capable - Indicates whether the computer has the capability to enter sleep if it is configured to do so.
Wake from Sleep - Indicates whether the computer can wake from sleep if it is configured to do so.
Wake from Hibernate - Indicates whether the computer can wake from hibernate if it is configured to do so.
The values reported by the Power Capabilities report indicate the sleep and
hibernate capabilities of computers as reported by Windows. However, the
reported values do not reflect cases where Windows or BIOS settings prevent these
functions from working.
Parameter Name | Description
Collection name | From the drop-down list, select a collection for this report.
Display Filter | From the drop-down list, select Not Supported to display only computers in the specified collection that are incapable of sleep, hibernate, wake from sleep, or wake from hibernate. Select Show All to display all computers in the specified collection.
Report links
This report contains links to the following report, which provides further information about the selected item.
Report Name | Details
Computer Details | Click a computer name to see the power capabilities, power settings, and applied power plans for the selected computer.
Note
The settings displayed are collected from client computers during hardware
inventory. Depending on the time at which hardware inventory runs, settings from
applied peak or non-peak power plans might be collected.
Parameter Name | Description
Collection name | From the drop-down list, select a collection for this report.
The following hidden parameters can optionally be specified to change the behavior of
this report.
Parameter Name | Description
numberOfLocalizations | Specify the number of languages in which you want to view power setting names reported by client computers. If you only want to view the most popular language, leave this setting at the default of 1. To view all languages, set this value to 0.
Report links
This report contains links to the following report, which provides further information about the selected item.
Report Name | Details
Power Settings Details | Click the number of computers in the Computers column to see a list of all computers that use the power settings in that row. For more information, see Power Settings Details Report in this topic.
Parameter Name | Description
Collection | From the drop-down list, select a collection to use for this report.
Power Setting GUID | From the drop-down list, select the power setting GUID on which you want to report. For a list of all power settings and their uses, see Available power management plan settings in the topic How to create and apply power plans.
Power Mode | From the drop-down list, select the type of power settings you want to display in the report results. Select Plugged In to view the power settings configured for when the computer is plugged in and On Battery to view the power settings configured for when the computer is running on battery power.
Setting Index | From the drop-down list, select the value for the selected power setting name on which you want to report. For example, if you want to display all computers with the turn off hard disk after setting set to 10 minutes, select turn off hard disk after for Power Setting Name and 10 for Setting Index.
numberOfLocalizations | Specify the number of languages in which you want to view power setting names reported by client computers. If you only want to view the most popular language, leave this setting at the default of 1. To view all languages, set this value to 0.
Report links
This report contains links to the following report, which provides further information about the selected item.
Report Name | Details
Computer Details | Click a computer name to see the power capabilities, power settings, and applied power plans for the selected computer.
This section contains security and privacy information for power management in
Configuration Manager.
The power usage information is stored in the Configuration Manager database and is
not sent to Microsoft. Detailed information is retained in the database for 31 days and
summarized information is retained for 13 months. You cannot configure the deletion
interval.
You can use different methods to upgrade the Configuration Manager client software on
Windows computers and Mac computers. Here are the advantages and disadvantages
of each method.
Tip
If you are upgrading your server infrastructure from System Center 2012
Configuration Manager, before upgrading the Configuration Manager clients,
complete the server upgrades including installing all current branch updates. This
process makes sure that you'll have the most recent version of the client software.
Advantages:
Computers can read client installation properties that have been published to
Active Directory Domain Services.
Doesn't require you to configure and maintain an installation account for the
intended client computer.
Disadvantages:
If you don't extend the Active Directory schema for Configuration Manager, use
Group Policy settings. These settings add client installation properties to
computers in your site.
Logon script installation
Supported client platform: Windows
Advantages:
Disadvantages:
Can cause high network traffic if you're upgrading many clients in a short time.
Can take a long time to upgrade all client computers if users don't frequently sign
in to the network.
For more information, see How to install clients by using logon scripts.
Manual installation
Supported client platform: Windows, macOS
Advantages:
Disadvantages:
Disadvantages:
Can cause high network traffic if you distribute the client to large collections.
Can only be used to upgrade the client software on computers that have been
discovered and assigned to the site.
For more information, see How to install clients by using a package and program.
Advantages:
Note
Client piloting isn't good for large scale as it doesn't randomize at all.
Can be used to automatically keep clients in your site at the latest version.
Disadvantages:
Can only be used to upgrade the client software and can't be used to install a new
client.
Applies to all clients in the hierarchy that are assigned to a site. Can't be scoped by
collection.
For more information, see How to upgrade clients for Windows computers.
Client testing
Supported client platform: Windows
Advantages:
Disadvantages:
Can only be used to upgrade the client software and can't be used to install a new
client.
For more information, see How to test client upgrades in a pre-production collection.
Next steps
How to test client upgrades in a pre-production collection
You can test a new Configuration Manager client version in a pre-production collection
before upgrading the rest of the site with it. When you do this process, the site only
updates devices that are part of the test collection. Once you've had a chance to test the
client, you can promote the client. Client promotion makes the new version of the client
software available to the rest of the site.
Note
Only a user with the Full Administrator security role and the All security scope can
promote a test client to production. For more information, see Fundamentals of
role-based administration. This action is only available when connected to the
central administration site (CAS) or a standalone primary site.
2. Install a Configuration Manager update that includes a new version of the client.
Important
1. Set up a collection that contains the computers to which you want to deploy the
pre-production client.
2. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node. In the ribbon, select
Hierarchy Settings.
3. Switch to the Client Upgrade tab, and configure the following settings:
Note
Only a user with the Full Administrator security role and the All security scope can
change these settings.
2. During installation of the update, on the Client Options page of the wizard, select
Test in pre-production collection.
3. Complete the rest of the wizard and install the update pack.
After the wizard completes, clients in the pre-production collection will begin to deploy
the updated client. You can monitor the deployment of upgraded clients in the console.
Go to the Monitoring workspace, expand Client Status, and select the Pre-production
Client Deployment node. For more information, see How to monitor client deployment
status.
Note
For computers in a pre-production collection that also host site system roles, their
deployment status may report as Not compliant. This state may show even when
the client was successfully updated. When you promote the client to production,
the deployment status reports correctly.
Tip
The Promote Pre-production Client action is also available when you monitor
client deployments in the console at Monitoring > Client Status > Pre-production Client Deployment.
2. Review the client versions in production and pre-production, and make sure the
correct pre-production collection is specified. When ready, select Promote, and
then select Yes to confirm.
The updated client version now replaces the client version in use in your hierarchy. You
can then upgrade the clients for your whole site. For more information, see How to
upgrade clients for Windows computers.
Note
Known issues
After you promote the site server, the pre-production client version shows as the
production version. Depending on your configuration, it may automatically deploy to all
systems.
When you install an update, Configuration Manager currently updates the Client folder
of the site server in passive mode with the pre-production client version.
Wait to promote the site server in passive mode until after you promote the pre-production client version to the production version.
If you have to fail over for high availability, manually correct the client version in
the Client folder.
Next steps
How to exclude clients from upgrade
You can exclude a collection of clients from automatically installing updated client
versions. Use this exclusion for a collection of computers that need greater care when
upgrading the client. A client that's in an excluded collection ignores requests to install
updated client software.
Automatic upgrade
Software update-based upgrade
Logon scripts
Group policy
Note
Although the user interface states that clients won't upgrade via any method, there
are two methods you can use to override these settings. Use client push or manual
client installation to override this configuration. For more information, see How to
upgrade an excluded client.
Configure exclusion
1. In the Configuration Manager console, go to the Administration workspace.
Expand Site Configuration, select the Sites node, and then select Hierarchy
Settings in the ribbon.
3. Select the option to Exclude specified clients from upgrade. Then select the
Exclusion collection you want to exclude. You can only select a single collection for
exclusion.
Note
Excluded clients still download and run Ccmsetup, but don't upgrade.
When you remove a client from the exclude collection, it doesn't automatically upgrade
until the next auto-upgrade cycle.
Client push installation: Ccmsetup allows client push installation because it's your
direct intent. This method lets you upgrade a client without removing it from the
collection, or removing the entire collection from exclusion.
Manual client installation: Manually upgrade an excluded client by using the
following Ccmsetup command-line parameter: /IgnoreSkipUpgrade
Next steps
How to upgrade clients for Windows computers
Manual installation
Upgrade installation
Tip
Note
If you plan to reassign the site for the clients during upgrade, specify the new site
using the SMSSITECODE client.msi property. If you use the value of AUTO for
SMSSITECODE, also specify SITEREASSIGN=TRUE. This property allows for automatic
site reassignment during upgrade. For more information, see Client installation
properties - SMSSITECODE.
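The two manual cases described above (upgrading an excluded client with /IgnoreSkipUpgrade, and reassigning the site with SMSSITECODE=AUTO plus SITEREASSIGN=TRUE) combined in one added example that is not from the Microsoft documentation. It assumes the placeholder ccmsetup.exe path and target client version shown in the script; the `Get-CcmSetupUpgradeArguments` function is this example's own, while SMS_Client and SMS_Authority are the client's real WMI classes under root\ccm.

```powershell
# Added example, not from the Microsoft docs: manually upgrade one client that is in
# the upgrade-exclusion collection, optionally reassigning it to a new site.
function Get-CcmSetupUpgradeArguments {
    param(
        [Parameter(Mandatory)] [version] $InstalledVersion,
        [Parameter(Mandatory)] [version] $TargetVersion,
        # '' keeps the current site; 'AUTO' lets the client discover its site.
        [string] $NewSiteCode = ''
    )
    if ($InstalledVersion -ge $TargetVersion) {
        return $null   # already at (or above) the production version; nothing to run
    }
    # /IgnoreSkipUpgrade is the documented override for an excluded client.
    $setupArgs = @('/IgnoreSkipUpgrade')
    if ($NewSiteCode) {
        $setupArgs += "SMSSITECODE=$NewSiteCode"
        if ($NewSiteCode -eq 'AUTO') {
            # Documented requirement: AUTO needs SITEREASSIGN=TRUE to allow reassignment.
            $setupArgs += 'SITEREASSIGN=TRUE'
        }
    }
    return $setupArgs
}

# Read the installed client version and the assigned site from the local client (real classes).
$client    = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client'    -ErrorAction Stop
$authority = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Authority' -ErrorAction Stop
Write-Host "Installed client $($client.ClientVersion), assigned to $($authority.Name)"

# Assumptions: a reachable ccmsetup.exe for the promoted production client (placeholder
# path) and that client's version (placeholder); substitute your own values.
$CcmSetupPath  = '\\<management-point>\<client-share>\ccmsetup.exe'
$TargetVersion = [version]'5.00.0000.0000'

$arguments = Get-CcmSetupUpgradeArguments -InstalledVersion ([version]$client.ClientVersion) `
                                          -TargetVersion $TargetVersion -NewSiteCode 'AUTO'
if ($arguments) {
    Write-Host "Running: $CcmSetupPath $($arguments -join ' ')"
    Start-Process -FilePath $CcmSetupPath -ArgumentList $arguments -Wait
    # Progress is written to %windir%\ccmsetup\Logs\ccmsetup.log on the client.
} else {
    Write-Host 'Client is already at the target version; no upgrade started.'
}
```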
About automatic client upgrade
Configure the site to automatically upgrade clients to the latest Configuration Manager
version. When Configuration Manager identifies an assigned client's version is earlier
than the hierarchy version, it automatically upgrades the client. This scenario includes
upgrading the client to the latest version when it attempts to assign to a Configuration
Manager site.
The client version is earlier than the version used in the hierarchy.
The client on the central administration site (CAS) has a language pack installed
and the existing client doesn't.
A client prerequisite in the hierarchy is a different version than the one installed on
the client.
Note
Enable automatic client upgrade across your hierarchy. This configuration keeps your
clients up to date with less effort.
If you also manage your Configuration Manager site systems as clients, determine
whether to include them as part of the automatic upgrade process. You can exclude all
servers, or a specific collection from client upgrade. Some Configuration Manager site
roles share the client framework. For example, the management point and pull
distribution point. These roles upgrade when you update the site, so the client version
on these servers updates at the same time.
Configure automatic client upgrade
Use the following procedure to configure automatic client upgrade at the CAS. This
configuration applies to all clients in your hierarchy.
2. On the Home tab of the ribbon, in the Sites group, select Hierarchy Settings.
3. Switch to the Client Upgrade tab. Review the version and date of the production
client. Make sure it's the version you want to use to upgrade your clients. If it's not
the client version you expect, you may need to promote the pre-production client
to production. For more information, see How to test client upgrades in a pre-production collection.
4. Select Upgrade all clients in the hierarchy using the production client. Select OK
to confirm.
5. If you don't want client upgrades to apply to servers, select Do not upgrade
servers.
6. Specify the number of days in which devices must upgrade the client. After the
device receives policy, it upgrades the client at a random interval within this
number of days. This behavior prevents a large number of clients simultaneously
upgrading.
Note
Because of this behavior, computers that are routinely shut down may take
longer to upgrade than expected if the randomly scheduled upgrade time
isn't within the normal working hours.
7. To exclude clients from upgrade, select Exclude specified clients from upgrade,
and specify the collection to exclude. For more information, see Exclude clients
from upgrade.
8. If you want the site to copy the client installation package to distribution points
that you've enabled for prestaged content, select the option to Automatically
distribute client installation package to distribution points that are enabled for
prestaged content.
Note
If the device runs an edition of Windows with a write filter, ccmsetup tries to
download and install at the same time. Otherwise, ccmsetup randomizes a time to
download content. After it downloads content and compiles the local policy,
ClientServicing schedules the client upgrade during the next maintenance window.
Known issues
The client upgrade starts at 10 PM after the business hours. It doesn't wait until the start
of the maintenance window at 12 AM.
This issue is fixed with the version 2203 client. When you upgrade clients from version
2203 to a later version, they will honor maintenance windows.
Next steps
For alternative methods to upgrade clients, see How to deploy clients to Windows
computers.
Exclude specific clients from automatic upgrade. For more information, see How to
exclude clients from upgrade.
How to upgrade clients on Mac
computers in Configuration Manager
Article • 10/04/2022
Important
Follow the high-level steps in this article to upgrade the client for Mac computers by
using a Configuration Manager application. You can also download the Mac client
installation file, copy it to a shared network location or a local folder on the Mac
computer, and then instruct users to manually run the installation.
Note
Before you do these steps, make sure that your Mac computer meets the
prerequisites. For more information, see Supported operating systems for Mac
computers.
Note
The macOS client installation package isn't available for new deployments, but
existing deployments are supported until December 31, 2022.
For more information, see the Supplemental procedures to create and deploy
applications for Mac computers.
After the computer restarts, the Computer Enrollment wizard automatically runs to
request a new user certificate.
If you don't use Configuration Manager enrollment, but install the client certificate
independently from Configuration Manager, see Configure clients to use an existing
certificate.
Configure clients to use an existing certificate
Use this procedure to prevent the Computer Enrollment Wizard from running, and to
configure the upgraded client to use an existing client certificate.
1. In the Configuration Manager console, create a configuration item of the type Mac
OS X.
2. Add a setting to this configuration item with the setting type Script.
Shell
#!/bin/sh
cd /Users/Administrator/Desktop/'MAC Client'/
cd /Library/'Application Support'/Microsoft/CCM/
exit
Typically in Configuration Manager, most of the managed computers and servers are
physically on the same internal network as the site system servers that perform
management functions. However, you can manage clients outside your internal network
when they are connected to the internet. This ability doesn't require the clients to
connect via VPN to reach the site system servers.
Note
You can have a combination of both services for a single site. If a device gets policy
from the site for both IBCM and CMG, then it randomizes between them for
communication. The only mechanism available to control communication is client
authentication. For example, if an Azure AD-joined client doesn't trust the server
authentication certificate of the internet-based management point, it can only use
the CMG. If a domain-joined client doesn't trust the server authentication certificate
of the CMG, it can only use the internet-based management point.
CMG advantages
No additional on-premises infrastructure investment required.
CMG disadvantages
Cloud subscription cost.
IBCM advantages
No cloud service dependency.
IBCM disadvantages
Require additional infrastructure investment.
Next steps
Overview of cloud management gateway
The cloud management gateway (CMG) provides a simple way to manage Configuration
Manager clients over the internet. You deploy CMG as a cloud service in Microsoft
Azure. Then without more on-premises infrastructure, you can manage clients that roam
on the internet or are in branch offices across the WAN. You also don't need to expose
your on-premises infrastructure to the internet.
After establishing the prerequisites, creating the CMG consists of the following three
steps in the Configuration Manager console:
Once deployed and configured, clients seamlessly access on-premises site roles whether
they're on the intranet or internet.
This article provides the foundational knowledge to learn about the CMG and the
scenarios where you can use it.
Scenarios
There are several scenarios for which a CMG is beneficial. The following scenarios are
some of the more common:
Manage traditional Windows 10 or later clients with modern identity, either hybrid
or pure cloud domain-joined with Azure Active Directory (Azure AD). Clients use
Azure AD to authenticate rather than PKI certificates. Using Azure AD is simpler to
set up, configure and maintain than more complex PKI systems. Management
activities are the same as the first scenario plus:
Software distribution to the user
Install the Configuration Manager client on Windows 10 or later devices over the
internet. Using Azure AD allows the device to authenticate to the CMG for client
registration and assignment. You can install the client manually, or using another
software distribution method, such as Microsoft Intune.
Remote/branch office devices that are less expensive and more efficient to manage
over the internet than across a WAN or through a VPN.
Mergers and acquisitions, where it may be easiest to join devices to Azure AD and
manage through a CMG.
Important
By default all clients receive policy for a CMG, and start using it when they become
internet-based. Depending upon the scenario and use case that applies to your
organization, you may need to scope usage of the CMG. For more information, see
the Enable clients to use a cloud management gateway client setting.
Next steps
Develop your design and plan for implementing a CMG in your environment:
To simplify management of internet-based clients, first develop a plan for the cloud
management gateway (CMG). Design how it fits in your environment and prepare for
your implementation.
For more foundational knowledge of CMG scenarios and use cases, see Overview of
CMG.
Note
Planning checklist
The overall CMG planning process is divided into the following parts:
Components and requirements: This article summarizes the components that make
up the CMG system. It also lists the system requirements.
Client authentication: Determine which authentication method you'll use for clients
from potentially untrusted networks.
Performance and scale: Decide how many service components you'll need to best
support your number of clients.
The CMG connection point site system role enables a consistent and high-performance connection from the on-premises network to the CMG service in
Azure. It also publishes settings to the CMG including connection information and
security settings. The CMG connection point forwards client requests from the
CMG to on-premises roles according to URL mappings. For example, the
management point and software update point.
The service connection point site system role runs the cloud service manager
component, which handles all CMG deployment tasks. Additionally, it monitors and
reports service health and logging information from Azure Active Directory (Azure
AD). Make sure your service connection point is in online mode.
The management point and software update point site system roles service client
requests per normal.
The CMG uses a certificate-based HTTPS web service to help secure network
communication with clients.
The CMG creates an Azure storage account, which it uses for its standard
operations. By default, the CMG is also content-enabled to provide deployment
content to internet-based clients. This storage account doesn't support
customizations, such as virtual network restrictions.
Note
The cloud-based distribution point (CDP) is deprecated. Starting in version
2107, you can't create new CDP instances. To provide content to internet-based devices, enable the CMG to distribute content.
Important
Starting in version 2203, the option to deploy a CMG as a cloud service (classic) is
removed. All CMG deployments should use a virtual machine scale set. For more
information, see Removed and deprecated features.
Note
This feature was first introduced in version 2010 as a pre-release feature. Starting
in version 2107, it's no longer a pre-release feature.
Configuration Manager doesn't enable this optional feature by default. You must
enable this feature before using it. For more information, see Enable optional
features from updates.
Starting in version 2010, customers with a Cloud Solution Provider (CSP) subscription
can deploy the CMG with a virtual machine scale set in Azure. This support is only if
they don't currently have a CMG deployed using classic cloud services to another
subscription.
Starting in version 2107, all customers can deploy a CMG with a virtual machine scale
set. If you have an existing CMG deployed with the classic cloud service, convert the
CMG to use a virtual machine scale set.
With a few exceptions, the configuration, operation, and functionality of the CMG
remains the same.
The CMG connection point only communicates with the virtual machine scale set in
Azure over HTTPS. It doesn't require TCP-TLS ports.
Note
Starting in version 2111, CMG deployments with a virtual machine scale set support
Azure US Government cloud environments.
Requirements
Tip
The Azure AD tenant is the directory of user accounts and app registrations.
One tenant can have multiple subscriptions.
An Azure subscription separates billing, resources, and services. It's associated
with a single tenant.
For more information, see Subscriptions, licenses, accounts, and tenants for
Microsoft's cloud offerings.
An Azure subscription to host the CMG. This subscription can be in one of the
following environments:
Global Azure cloud
Azure US Government cloud
Customers with a Cloud Service Provider (CSP) subscription need to use version
2010 or later with a virtual machine scale set deployment.
Integrate the site with Azure AD to deploy the service with Azure Resource
Manager. For more information, see Configure Azure AD for CMG.
When you onboard the site to Azure AD, you can optionally enable Azure AD user
discovery. It isn't required to create the CMG, but required if you plan to use Azure
AD authentication with hybrid identities. For more information, see Install clients
using Azure AD and see About Azure AD user discovery.
When you integrate the site with Azure AD for deploying the CMG using Azure
Resource Manager, you need a Global Administrator.
When you create the CMG, you need an account that is an Azure Subscription
Owner and an Azure AD Global Administrator.
At least one on-premises Windows server to host the CMG connection point. You
can colocate this role with other Configuration Manager site system roles.
Configure the management point to allow traffic from the CMG. It also needs to
require HTTPS, or configure the site for Enhanced HTTP.
CMG names need to be between 3-24 alphanumeric characters. The name must
begin with a letter, end with a letter or digit, and not contain consecutive hyphens.
Other certificates may be required, depending upon your client OS version and
authentication model. For more information, see Configure client authentication.
Make sure the following client settings in the Cloud services group are enabled for
devices that will use the CMG:
Enable clients to use a cloud management gateway
Allow access to cloud distribution point
Note
If you enable the client setting to Download delta content when available,
the content for third-party updates won't download to clients.
Next steps
Next, determine how clients will authenticate with the CMG:
Plan for CMG client authentication
CMG client authentication
Article • 10/04/2022
Clients that connect to a cloud management gateway (CMG) are potentially on the
untrusted public internet. Because of the client's origin, they have a higher
authentication requirement. There are three options for identity and authentication with
a CMG:
Azure AD
PKI certificates
Configuration Manager site-issued tokens
The following table summarizes the key factors for each method:
Microsoft recommends joining devices to Azure AD. Internet-based devices can use
Azure AD modern authentication with Configuration Manager. It also enables both
device and user scenarios whether the device is on the internet or connected to the
internal network.
You can use one or more methods. All clients don't have to use the same method.
Whichever method you choose, you may also need to reconfigure one or more
management points. For more information, see Configure client authentication for CMG.
Azure AD
If your internet-based devices are running Windows 10 or later, consider using Azure AD
modern authentication with the CMG. This authentication method is the only one that
enables user-centric scenarios. For example, deploying apps to a user collection.
First, the devices need to be either cloud domain-joined or hybrid Azure AD-joined, and
the user also needs an Azure AD identity. If your organization is already using Azure AD
identities, then you should be set with this prerequisite. If not, talk with your Azure
administrator to plan for cloud-based identities. For more information, see Azure AD
device identity. Until that process is complete, consider token-based authentication for
internet-based clients with your CMG.
For more information on these prerequisites, see Install clients using Azure AD.
Note
If your devices are in an Azure AD tenant that's separate from the tenant with a
subscription for the CMG compute resources, starting in version 2010 you can
disable authentication for tenants not associated with users and devices. For more
information, see Configure Azure services.
PKI certificate
If you have a public key infrastructure (PKI) that can issue client authentication
certificates to devices, then consider this authentication method for internet-based
devices with your CMG. It doesn't support user-centric scenarios, but supports devices
running any supported version of Windows.
Tip
Windows devices that are hybrid or cloud domain-joined don't require this
certificate because they use Azure AD to authenticate.
Site token
If you can't join devices to Azure AD or use PKI client authentication certificates, then
use Configuration Manager token-based authentication. Site-issued client
authentication tokens work on all supported client OS versions, but only support device
scenarios.
If clients occasionally connect to your internal network, they're automatically issued a
token. They need to communicate directly with an on-premises management point to
register with the site and get this client token.
If you can't register clients on the internal network, you can create and deploy a bulk
registration token. The bulk registration token enables the client to initially install and
communicate with the site. This initial communication is long enough for the site to
issue the client its own, unique client authentication token. The client then uses its
authentication token for all communication with the site while it's on the internet.
Next steps
Next, design how to use a CMG in your hierarchy:
Whether you have a central administration site (CAS), a standalone primary site, or a
small test lab, design the cloud management gateway (CMG) for that environment. This
article provides the information to help you decide how to position the CMG in your
environment.
Create the CMG at the top-tier site of your hierarchy. If that's a CAS, then create CMG
connection points at child primary sites. The cloud service manager component is on the
service connection point, which is also on the CAS. This design can share the service
across different primary sites if needed.
You can create multiple CMG services in Azure, and you can create multiple CMG
connection points. Multiple CMG connection points provide load balancing of client
traffic from the CMG to the on-premises roles.
Other factors, such as the number of clients to manage, also affect your CMG design.
For more information, see Performance and scale.
Design examples
They create a CMG in the East US Azure region to reduce network latency.
They create two CMG connection points, both linked to the single CMG service.
As clients roam onto the internet, they communicate with the CMG in the East US Azure
region. The CMG forwards this communication through both of the CMG connection
points.
Example 2: Hierarchy
Fourth Coffee has a CAS in an on-premises datacenter at their headquarters in Seattle.
One primary site is in the same datacenter, and the other primary site is in their main
European office in Paris.
On the CAS, they create a CMG service in the West US Azure region. They scale the
number of VMs for the expected load of roaming clients in the entire hierarchy.
On the Seattle-based primary site, they create a CMG connection point linked to
the single CMG.
On the Paris-based primary site, they create a CMG connection point linked to the
single CMG.
As clients roam onto the internet, they communicate with the CMG in the West US
Azure region. The CMG forwards this communication to the CMG connection point in
the client's assigned primary site.
Tip
You don't need to deploy more than one CMG for the purposes of geolocation. The
Configuration Manager client is mostly unaffected by the slight latency that can
occur with the cloud service, even when geographically distant.
Test environments
Many organizations have separate environments for production, test, development, or
quality assurance. When you plan your CMG deployment, consider the following
questions:
For more information, see the following FAQ: Do the user accounts have to be in the
same Azure AD tenant as the tenant associated with the subscription that hosts the
CMG cloud service?
Boundary groups
You can associate a CMG with a boundary group. This configuration allows clients to
default or fall back to the CMG for client communication according to boundary group
relationships. This behavior is especially useful in branch office and VPN scenarios. You
can direct client traffic away from expensive and slow WAN links to instead use faster
services in Microsoft Azure.
Intranet clients can access a CMG-enabled software update point when it's assigned to a
boundary group. For more information, see Configure boundary groups.
Internet-based clients don't rely on boundary groups. They only use internet-facing or
cloud content sources. If you're only using content-enabled CMGs for these types of
clients, then you don't need to include them in boundary groups.
If you want clients on your internal network to get content from a CMG, then it needs to
be in the same boundary group as the clients. By default, clients prioritize cloud-based
sources last in their list of content sources. This behavior is because there's a cost
associated with downloading content from Azure. Cloud-based sources are typically
used as a fallback source for intranet-based clients. If you want a cloud-first design, then
design your boundary groups to meet this business requirement. For more information,
see Configure boundary groups. For more information on content location priority and
when intranet-based clients use a cloud-based content source, see Content source
priority.
Even though you install the CMG in a specific region of Azure, clients aren't aware of the
Azure regions. They randomly select an available CMG as a content source. If you have
CMGs in multiple regions, and a client receives more than one in the content location
list, it may not download content from the same Azure region.
Next steps
Next, review the features and configurations that the CMG supports:
Use this article as a reference for the features and configurations that are supported by
the Configuration Manager cloud management gateway (CMG).
Specifications
All Windows versions listed in Supported operating systems for clients and devices
are supported for CMG.
CMG only supports the management point and software update point roles.
CMG doesn't support clients that only communicate with IPv6 addresses.
Software update points using a network load balancer don't work with CMG.
Starting in version 2203, the option to deploy a CMG as a cloud service (classic) is
removed. All CMG deployments should use a virtual machine scale set. For more
information, see Removed and deprecated features.
CMG names need to be between 3-24 alphanumeric characters. The name must
begin with a letter, end with a letter or digit, and not contain consecutive hyphens.
Feature Support
Software updates
Endpoint protection (Note 1)
Run scripts
CMPivot
Compliance settings
Client install
Client install (all requirements)
BitLocker Management
Task sequence without a boot image, deployed with the option to Download all content locally before starting task sequence (Note 2)
Task sequence without a boot image, deployed with either download option (Note 2)
Task sequence with a boot image, started from Software Center (Note 2)
Task sequence with a boot image, started from bootable media (Note 2)
Client push
Remote tools (Note 3)
Reporting website
Wake on LAN
macOS clients
Peer cache
On-premises MDM
Prestage content
Key
Supported = This feature is supported with CMG by all supported versions of Configuration Manager
(YYMM) = This feature is supported with CMG starting with version YYMM of Configuration Manager
Not supported = This feature isn't supported with CMG
Support notes
Remote Help: a new remote assistance tool from Microsoft (blog post)
Tip
Starting in version 2203, you can also configure the task sequence to allow token
authentication with alternate content providers. For more information, see Task
sequence variables: SMSTSAllowTokenAuthURLForACP.
Next steps
Next, plan how to design the CMG for the best performance at the appropriate scale:
The supported scale and performance of the cloud management gateway (CMG) is
based on the number of devices that you expect to simultaneously connect to the
service. Use the information in this article to determine how many of the following
components you need in your environment for the best performance at the appropriate
scale:
Note
Sizing guidance for management points and software update points doesn't
change whether they service on-premises or internet-based clients. For more
information, see Size and scale numbers.
You can install multiple instances of the cloud management gateway (CMG) at
primary sites, or the central administration site (CAS).
Tip
One CMG supports up to 16 virtual machine (VM) instances in the Azure cloud
service.
Simultaneous client connections per each CMG VM instance depend upon the
deployment model and VM size. When the CMG is under high load with more than
the supported number of clients, it still handles requests but there may be delay.
Virtual machine scale-set (version 2107 and later)
Lab (B2s): 10
Standard (A2_v2): 6,000
Large (A4_v2): 10,000
Important
The Lab (B2s) size VM is only intended for lab testing and small proof-of-
concept environments. They aren't intended for production use with the
CMG. The B2s VMs are low cost and low performing. The Configuration
Manager technical preview branch only supports 10 clients, which is why
this size supports that number of clients.
Virtual machine scale set (version 2010 and 2103 for Cloud Service Provider
(CSP) subscriptions): 2,000
Important
You can install multiple instances of the CMG connection point at primary sites.
One CMG connection point can support a CMG with up to four VM instances. If the
CMG has more than four VM instances, add a second CMG connection point for
load balancing. A CMG with 16 VM instances should be linked with four CMG
connection points.
Note
When considering hardware requirements for the CMG connection point, see
Recommended hardware for remote site system servers.
Improve performance
The following recommendations can help you improve CMG performance:
The connection between the Configuration Manager client and the CMG isn't
region-aware. Client communication is largely unaffected by latency and
geographic separation. It's generally not necessary to deploy multiple CMG for the
purposes of geo-proximity. Deploy the CMG at the top-level site in your hierarchy.
To increase scale, add VM instances.
For high availability of the service, create a CMG with at least two VM instances
and two CMG connection points per site.
Scale the CMG to support more clients by adding more VM instances. The Azure
load balancer controls client connections to the service.
Create more CMG connection points to distribute the load among them. The CMG
distributes the traffic to its connecting CMG connection points in a round-robin
fashion.
Note
The CMG connection point creates a TCP connection to the management point for
each client. While Configuration Manager has no hard limit on the number of
clients for a CMG connection point, Windows Server has a default maximum TCP
dynamic port range of 16,384. If a Configuration Manager site manages more than
16,384 clients with a single CMG connection point, add another site system or
increase the Windows Server limit. All clients maintain a channel for client
notifications, which holds a port open on the CMG connection point. For more
information on how to increase this limit, see Microsoft Support article 929851 .
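To put the sizing rules from this section together, here is an added example in Python (it is not Microsoft's or Configuration Manager's code). It assumes a single primary site with a virtual machine scale set deployment on version 2107 or later and takes its numbers from the text above: simultaneous clients per VM instance by size, the maximum of 16 VM instances per CMG, one CMG connection point per four VM instances, at least two of each for high availability, and the Windows Server default dynamic TCP port range of 16,384 on each connection point. The function name plan_cmg, its parameters and the fields it returns are my own.

```python
"""CMG capacity planner (added example; not Configuration Manager's own code).

Assumes one primary site and a virtual machine scale set (version 2107+).
The constants below are the figures stated in the article.
"""
import math

# Simultaneous client connections per VM instance, by VM size.
CLIENTS_PER_VM = {
    "Lab (B2s)": 10,
    "Standard (A2_v2)": 6000,
    "Large (A4_v2)": 10000,
}
MAX_VM_INSTANCES = 16             # one CMG supports up to 16 VM instances
VMS_PER_CONNECTION_POINT = 4      # one connection point per four VM instances
DEFAULT_DYNAMIC_TCP_PORTS = 16384 # Windows Server default dynamic port range
HA_MINIMUM = 2                    # two VM instances and two connection points


def plan_cmg(expected_clients, vm_size="Standard (A2_v2)",
             high_availability=True, raise_port_limit=False):
    """Return the VM instances and CMG connection points needed for the load.

    raise_port_limit=True means you will increase the Windows Server dynamic
    port range (see the note above), so it is not used to size connection points.
    """
    per_vm = CLIENTS_PER_VM[vm_size]

    # Scale out the CMG itself by adding VM instances, capped at 16 per CMG.
    vm_instances = math.ceil(expected_clients / per_vm)
    if high_availability:
        vm_instances = max(vm_instances, HA_MINIMUM)
    needs_second_cmg = vm_instances > MAX_VM_INSTANCES
    vm_instances = min(vm_instances, MAX_VM_INSTANCES)

    # One connection point handles up to four VM instances (round-robin).
    connection_points = math.ceil(vm_instances / VMS_PER_CONNECTION_POINT)
    if high_availability:
        connection_points = max(connection_points, HA_MINIMUM)

    # Every client keeps a notification channel open, which pins one dynamic
    # TCP port on its connection point, so the port range also bounds clients
    # per connection point unless the limit is raised.
    if not raise_port_limit:
        by_ports = math.ceil(expected_clients / DEFAULT_DYNAMIC_TCP_PORTS)
        connection_points = max(connection_points, by_ports)

    warnings = []
    if vm_size == "Lab (B2s)":
        warnings.append("B2s is for lab and proof-of-concept use only")
    if needs_second_cmg:
        warnings.append("load exceeds 16 VM instances; deploy another CMG")

    return {
        "vm_instances": vm_instances,
        "capacity": vm_instances * per_vm,
        "connection_points": connection_points,
        "needs_second_cmg": needs_second_cmg,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for clients, size in [(20000, "Standard (A2_v2)"), (100000, "Large (A4_v2)")]:
        print(clients, size, plan_cmg(clients, size))
```

The connection-point count that comes out is driven by whichever bound is tighter: the four-VM ratio, the two-server high-availability floor, or the dynamic port range. For large sites it is usually the port range, which is why the note above suggests either adding site systems or raising the Windows limit.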
Content performance
As with any distribution point design, consider the following factors for a content-
enabled CMG:
Depending upon your design, if clients have the option of more than one CMG for any
given content, then they naturally randomize across those cloud sources. If you only
distribute a certain piece of content to a single CMG, and a large number of clients try
to download this content at the same time, it puts higher load on that single CMG.
Adding another CMG includes a separate Azure storage service. For more information
on how the client communicates with the CMG components and downloads content,
see Data flow.
Note
The Azure storage service supports 500 requests per second for a single file.
Performance testing of a single cloud-based content source supported distribution
of a single 100-MB file to 50,000 clients in 24 hours.
Next steps
Next, understand the costs associated with operating an Azure service for the CMG:
Cost of CMG
Cost of CMG
Article • 10/04/2022
Important
The following cost information is for estimating purposes only. Your environment
may have other variables that affect the overall cost of using CMG.
Note
Pricing for data transfer is tiered. The more you use, the less you pay per
gigabyte.
Compute costs
CMG uses Azure platform as a service (PaaS), which uses virtual machines (VMs). These
VMs incur compute costs. The specific type to use when estimating costs depends upon
which deployment method you use.
Important
The Lab (B2s) size VM is only intended for lab testing and small proof-of-
concept environments. It isn't intended for production use with the CMG. The
B2s VMs are low cost and low performing.
You can change the VM size after you deploy the CMG. This action updates the
Azure service to use a new VM.
In version 2103 and earlier, the CMG uses a Standard A2_v2 VM. The VM size isn't
configurable. To change the VM size, you need to Redeploy the service.
You select how many VM instances support the CMG. One is the default, and 16 is
the maximum. This number is set when you create the CMG, but you can change it
afterwards to scale the service as needed.
For more information on how many VMs you need to support your clients, see
CMG performance and scale.
Virtual machine
Important
Starting in version 2203, the option to deploy a CMG as a cloud service (classic) is
removed. All CMG deployments should use a virtual machine scale set. For more
information, see Removed and deprecated features.
If you deployed the CMG as a classic cloud service, when estimating cost, this
deployment method replaces the virtual machine scale set. The specific details are
otherwise the same. With this deployment method, it uses a Standard A2_v2 VM. The
VM size isn't configurable. The cost difference between a virtual machine and a virtual
machine scale set should be negligible, but may vary by Azure region.
CMG data flows out of Azure include policy to the client, client notifications, and
client responses that the CMG forwards to the site. These responses include
inventory reports, status messages, and compliance status.
View the Outbound data transfer (GB) in the Configuration Manager console. For
more information, see Monitor clients on CMG.
For estimating purposes only, expect approximately 100-300 MB per client per
month for internet-based clients. The lower estimate is for a default client
configuration. The upper estimate is for a more aggressive client configuration.
Your actual usage may vary depending upon how you configure client settings.
Tip
Any data flows into Azure are free. These flows are otherwise referred to as ingress
or upload. When you distribute content from the site to the content-enabled CMG,
you're uploading the content to Azure.
Content storage
Internet-based clients get Microsoft software update content from Windows
Update at no charge. Don't distribute update packages with Microsoft update
content to a content-enabled CMG. If you do distribute software update packages
to your cloud content sources, you may incur storage and data egress costs.
Note
CMG uses Azure locally redundant storage (LRS). For more information, see Locally
redundant storage.
For any other necessary content, distribute it to a content-enabled CMG. This other
content includes applications or third-party software updates.
Note
If you enable the client setting to Download delta content when available,
the content for third-party updates won't download to clients.
Other costs
Each distinct CMG has one Basic (ARM) dynamic IP address. If you add other VMs to a
CMG, it doesn't increase the number of these IP addresses. For more information, see IP
addresses pricing .
If you deploy the CMG as a virtual machine scale set, it uses Azure Key Vault. The CMG
usage of Key Vault is low, significantly less than 10,000 operations per month. For more
information, see Key Vault pricing .
If you get a CMG server authentication certificate from a public provider, there's
generally a cost associated with this certificate. For more information, see CMG server
authentication certificate.
To help reduce the number of data transfers from cloud-based sources by clients, use
one of the following peer caching technologies:
Windows BranchCache
Next steps
Now that you have your CMG design, understand the supported configurations and
cost, you're ready to set up the CMG:
Before you deploy a cloud management gateway (CMG), use this article to understand
the setup process. Also make sure you have all of the prerequisites ready to get started.
First, develop your design and plan for implementing a CMG in your environment. For
more information, see Plan for cloud management gateway. Use that section of articles
to determine your CMG design.
The overall CMG setup process is divided into the following five main parts:
1. Get the CMG server authentication certificate: The CMG uses HTTPS for secure
client communication over the public internet. You can get a certificate from a
public provider, or issue one from your public key infrastructure (PKI).
2. Configure Azure Active Directory (Azure AD): Configuration Manager requires app
registrations in Azure AD. You can let Configuration Manager create them, or an
Azure administrator can pre-create the registrations.
4. Set up the CMG: This step also includes configuring the site, and adding the CMG
connection point site system role.
The other articles in this section step through each part of the process.
Terminology
The following terms are used in the context of setting up a CMG. They're defined here
for clarity.
Azure AD tenant: The directory of user accounts and app registrations. One tenant
can have multiple subscriptions.
Azure subscription: A subscription separates billing, resources, and services. It's
associated with a single tenant.
Tip
For more information, see Subscriptions, licenses, accounts, and tenants for
Microsoft's cloud offerings.
Azure resource group: A container that holds related resources for an Azure
solution. The resource group includes those resources that you want to manage as
a group. You decide which resources belong in a resource group based on what
makes the most sense for your organization. For more information, see Resource
groups.
CMG service name: The common name (CN) of the CMG server authentication
certificate. Clients and the CMG connection point site system role communicate
with this service name. For example, GraniteFalls.Contoso.Com or
GraniteFalls.WestUS.CloudApp.Azure.Com .
CMG deployment name: The first part of the service name plus the Azure location
for the cloud service deployment. The cloud service manager component of the
service connection point uses this name when it deploys the CMG in Azure. The
deployment name is always in an Azure domain. The Azure location depends upon
the deployment method, for example:
Virtual machine scale set: GraniteFalls.WestUS.CloudApp.Azure.Com
Classic deployment: GraniteFalls.CloudApp.Net
Checklist
Use the following checklist to make sure you have the necessary information and
prerequisites to create a CMG:
The Azure environment to use. For example, the Azure Public Cloud or the Azure
US Government Cloud.
At least one existing site system server on which you plan to add the CMG
connection point role.
Review the internet access requirements to make sure each required service can
be reached.
You'll set up other prerequisite components during the next steps in the process.
For example, an Azure administrator first creates the two required apps in Azure Active
Directory (Azure AD). Then you write a script that uses the following cmdlets to deploy a
CMG:
You can use these cmdlets to automate the creation, configuration, and management of
the CMG service and Azure Active Directory (Azure AD) requirements.
Get-CMAADApplication
Import-CMAADClientApplication
Import-CMAADServerApplication
Get-CMCloudManagementGateway
New-CMCloudManagementGateway
Remove-CMCloudManagementGateway
Set-CMCloudManagementGateway
Start-CMCloudManagementGateway
Stop-CMCloudManagementGateway
Add-CMCloudManagementGatewayConnectionPoint
Get-CMCloudManagementGatewayConnectionPoint
Remove-CMCloudManagementGatewayConnectionPoint
Set-CMCloudManagementGatewayConnectionPoint
Next steps
Get started with your CMG setup by getting a server authentication certificate:
The first step when you set up a cloud management gateway (CMG) is to get the server
authentication certificate. The CMG creates an HTTPS service to which internet-based
clients connect. The server requires a server authentication certificate to build the secure
channel. You can acquire a certificate for this purpose from a public provider, or issue it
from your public key infrastructure (PKI).
When you create the CMG in the Configuration Manager console, you provide this
certificate. The common name (CN) of this certificate defines the service name of the
CMG.
Note
You may need additional certificates for clients and management points. These
certificates are covered in the third step of the CMG setup process, Configure client
authentication.
Service name: The common name (CN) of the CMG server authentication
certificate. Clients and the CMG connection point site system role communicate
with this service name. For example, GraniteFalls.contoso.com or
GraniteFalls.WestUS.CloudApp.Azure.Com .
Deployment name: The first part of the service name plus the Azure location for
the cloud service deployment. The cloud service manager component of the
service connection point uses this name when it deploys the CMG in Azure. The
deployment name is always in an Azure domain. The Azure location depends upon
the deployment method, for example:
Virtual machine scale set: GraniteFalls.WestUS.CloudApp.Azure.Com
Classic deployment: GraniteFalls.CloudApp.Net
Important
This article uses examples with a virtual machine scale set as the
recommended deployment method in version 2107 and later. If you use a
classic deployment, note the difference as you read this article and prepare
the server authentication certificate.
Clients must trust the CMG server authentication certificate to establish the HTTPS
channel with the CMG service. There are two methods to accomplish this trust:
Windows clients include trusted root certificate authorities (CAs) from these
providers. By using a certificate issued by one of these providers, your clients
automatically trust it.
There's a cost associated with this certificate, which is specific to the provider.
Most enterprise PKI implementations add the trusted root CAs to Windows
clients. For example, if you use Active Directory Certificate Services with
group policy. If you issue the CMG server authentication certificate from a CA
that your clients don't automatically trust, add the CA trusted root certificate
to internet-based clients.
If you plan to install the Configuration Manager client from Intune, you can
also use Intune certificate profiles to provision certificates on clients. For
more information, see Configure a certificate profile.
Your organization may have an internal cost to issue certificates, but there are
generally no external costs associated with this certificate.
Important
Before you get this certificate, make sure the service name is globally unique for
the cloud service and storage account. Also make sure the name uses supported
characters. For more information, see Globally unique name.
Note
For more information on how to use a wildcard certificate with a CMG, see Set up a
CMG.
2. From the Azure portal home page, select Create a resource under Azure services.
4. Select the Subscription and Resource group that you'll use for the CMG.
5. In the Virtual machine scale set name field, type the prefix that you want. For
example, GraniteFalls .
6. Select the Region that you'll use for the CMG. For example, (US) West US.
The interface reflects whether the domain name is available or already in use by another
service.
Important
Don't create the service in the portal, just use this process to check the name
availability.
Repeat this process for the Key Vault resource. The virtual machine scale set deployment
creates a key vault with the same name, which also needs to be globally unique.
Important
The DNS name prefix should be 3 to 24 characters long, and contain numbers and
lowercase letters only. Don't use special characters, like a dash ( - ). For example:
granitefalls .
This certificate supports key storage providers for certificate private keys (v3). For
more information, see CNG v3 certificates overview.
The specific process to get this certificate varies by provider. For more information,
contact your third-party certificate provider.
You've made sure the deployment name is globally unique in Azure for the cloud
service and storage account. For example,
GraniteFalls.WestUS.CloudApp.Azure.Com .
To determine the service name, append the deployment name prefix ( GraniteFalls )
to your organization's domain name ( contoso.com ).
Use this service name for the certificate common name (CN). For example,
GraniteFalls.contoso.com .
You've made sure the deployment name is globally unique in Azure for the cloud
service and storage account. For example,
GraniteFalls.WestUS.CloudApp.Azure.Com .
Use your domain name (recommended). Append the deployment name prefix
( GraniteFalls ) to your organization's domain name ( contoso.com ). For example,
GraniteFalls.contoso.com . For this option, you also need to create a DNS
CNAME alias.
Use the Azure deployment name. This option doesn't require a DNS CNAME
alias. For example:
For the Azure public cloud: GraniteFalls.WestUS.CloudApp.Azure.Com .
Note
If the Azure deployment name changes, you'll need to redeploy the service
to change this service name. For example, if your service name is in the
cloudapp.net domain, you can't convert the classic cloud service CMG to a
virtual machine scale set. If you use your domain name for the CMG service
name, then you can update the DNS CNAME for the new deployment
name.
Use this service name for the certificate common name (CN).
Create a CNAME record in your organization's public DNS. The CMG service in Azure
and all clients that use it need to resolve the service name. For example:
When you create the CMG, while the certificate has GraniteFalls.contoso.com as the
CN, Configuration Manager only extracts the service name prefix, for example:
GraniteFalls. It appends this prefix to the Azure service domain ( cloudapp.azure.com )
with the region ( westus ) to create the deployment name. For example,
GraniteFalls.WestUS.CloudApp.Azure.Com . The CNAME alias in the DNS namespace for
your domain ( contoso.com ) maps together these two FQDNs.
The Configuration Manager client policy includes the CMG service name,
GraniteFalls.contoso.com . The client resolves the service name via the CNAME alias to
the deployment name, GraniteFalls.WestUS.CloudApp.Azure.Com . It then can resolve the
IP address of the deployment name to communicate with the service in Azure.
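The naming rules and the CNAME walk-through above, as an added example in Python (not Microsoft's or Configuration Manager's code). It also encodes the CMG name rule given in the CMG requirements and supported configurations sections (3-24 characters, begins with a letter, ends with a letter or digit, no consecutive hyphens) and the Azure DNS prefix rule from the uniqueness check (3-24 lowercase letters and digits). It assumes that single hyphens are allowed in a CMG name because only consecutive hyphens are forbidden, lower-cases the deployment name since DNS is case-insensitive, and uses a constructed two-record zone with the TEST-NET-3 address 203.0.113.10 to show how a client follows the CNAME alias to the deployment name. The function names are mine.

```python
"""CMG naming helper (added example; not Configuration Manager's own code)."""
import re

AZURE_PUBLIC_SUFFIX = "cloudapp.azure.com"  # scale set, global Azure cloud
CLASSIC_SUFFIX = "cloudapp.net"             # classic cloud service deployment


def validate_cmg_name(name: str) -> list:
    """Return the rules the CMG name violates; an empty list means it is valid."""
    problems = []
    if not 3 <= len(name) <= 24:
        problems.append("length must be 3-24 characters")
    if not re.fullmatch(r"[A-Za-z0-9-]*", name):
        problems.append("only letters, digits and hyphens are allowed")
    if not name[:1].isalpha():
        problems.append("must begin with a letter")
    if not name[-1:].isalnum():
        problems.append("must end with a letter or digit")
    if "--" in name:
        problems.append("must not contain consecutive hyphens")
    return problems


def validate_dns_prefix(prefix: str) -> bool:
    """Azure DNS name prefix used for the uniqueness check."""
    return re.fullmatch(r"[a-z0-9]{3,24}", prefix) is not None


def service_prefix(service_name: str) -> str:
    """Configuration Manager keeps only the first label of the certificate CN."""
    return service_name.split(".")[0]


def deployment_name(service_name: str, region: str,
                    suffix: str = AZURE_PUBLIC_SUFFIX) -> str:
    """Prefix + Azure region + Azure service domain, e.g. granitefalls.westus.cloudapp.azure.com."""
    region_label = re.sub(r"[^a-z0-9]", "", region.lower())  # "West US" -> "westus"
    return f"{service_prefix(service_name)}.{region_label}.{suffix}".lower()


def cname_record(service_name: str, region: str) -> str:
    """Zone-file line mapping the service name (certificate CN) to the deployment name."""
    return f"{service_name.lower()}. IN CNAME {deployment_name(service_name, region)}."


def needs_redeploy_on_rename(service_name: str) -> bool:
    """True when the service name is in an Azure domain: a deployment-name change
    then forces a redeploy instead of a simple CNAME update."""
    lowered = service_name.lower()
    return (lowered.endswith("." + AZURE_PUBLIC_SUFFIX)
            or lowered.endswith("." + CLASSIC_SUFFIX))


# Constructed miniature DNS namespace for the walk-through; not real records.
SAMPLE_ZONE = {
    "granitefalls.contoso.com": ("CNAME", "granitefalls.westus.cloudapp.azure.com"),
    "granitefalls.westus.cloudapp.azure.com": ("A", "203.0.113.10"),  # placeholder
}


def resolve_like_client(name: str, zone: dict = SAMPLE_ZONE, max_hops: int = 8) -> str:
    """Follow CNAME aliases to an A record, as the client does for the CMG service name."""
    current = name.lower()
    for _ in range(max_hops):
        rtype, value = zone[current]
        if rtype == "A":
            return value
        current = value.lower()
    raise ValueError("CNAME chain too long")


if __name__ == "__main__":
    cn = "GraniteFalls.contoso.com"
    print(validate_cmg_name(service_prefix(cn)))      # [] (valid)
    print(cname_record(cn, "West US"))
    print(resolve_like_client(cn))
```

Run the validators before requesting the server authentication certificate: a prefix that fails validate_dns_prefix cannot be used for the Azure uniqueness check, and a service name for which needs_redeploy_on_rename is true ties the certificate to one deployment name.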
Next steps
Continue your CMG setup by configuring Azure Active Directory (Azure AD):
Configure Azure AD
Configure Azure Active Directory for CMG
Article • 10/04/2022
The second primary step to set up a cloud management gateway (CMG) is to integrate
the Configuration Manager site with your Azure Active Directory (Azure AD) tenant. This
integration allows the site to authenticate with Azure AD, which it uses to deploy and
monitor the CMG service. If you choose the Azure AD authentication method for clients
in the next step, then this integration is a prerequisite for that authentication method.
Tip
This article provides prescriptive guidance to integrate the site specifically for the
cloud management gateway. For more information on this process and other uses
of the Azure Services node in the Configuration Manager console, see Configure
Azure services.
When you integrate the site, you create app registrations in Azure AD. The CMG requires
two app registrations:
There are two methods to create these apps, both of which require a global
administrator role in Azure AD:
Use Configuration Manager to automate the creation of the apps when you
integrate the site.
Manually create the apps in advance, and then import them when you integrate
the site.
This article primarily follows the first method. For more information on the other
method, see Manually register Azure AD apps for CMG.
Before you start, make sure you have an Azure AD global administrator available.
Note
If you plan to import precreated app registrations, you first need to create them in
Azure AD. Start with the article to Manually register Azure AD apps for CMG. Then
return to this article to run the Azure Services wizard and import the apps to
Configuration Manager.
The client app represents managed clients and users that connect to the CMG. It
defines what resources they have access to within Azure, including the CMG itself.
The server app represents the CMG components that are hosted in Azure. It defines
what resources they have access to within Azure. The server app is used to
facilitate authentication and authorization from managed clients, users, and the
CMG connection point to the Azure-based CMG components. This communication
includes traffic to on-premises management points and software update points,
initial CMG provisioning in Azure, and Azure AD discovery.
If clients use PKI-issued client authentication certificates, then the two client apps aren't
used for device-centric activity. For example, software distribution targeted to a device
collection. User-centric activity always uses these two app registrations for
authentication and authorization purposes.
2. On the Home tab of the ribbon, in the Azure Services group, select Configure
Azure Services.
a. Specify a Name for the object in Configuration Manager. This name is only to
identify the connection in Configuration Manager.
4. On the App page of the Azure Services Wizard, select the Azure environment for
your tenant:
AzurePublicCloud: Your tenant is in the global Azure cloud.
AzureUSGovernmentCloud: Your tenant is in the Azure US Government
cloud.
2. In the Server App window, select Create to use Configuration Manager to automate
the creation of the app.
HomePage URL: This value isn't used by Configuration Manager, but is required
by Azure AD. By default this value is https://ConfigMgrService.
App ID URI: This value needs to be unique in your Azure AD tenant. It's in the
access token used by the Configuration Manager client to request access to
the service. By default this value is https://ConfigMgrService. Change the
default to one of the following recommended formats:
api://{tenantId}/{string}, for example, api://5e97358c-d99c-4558-af0c-de7774091dda/ConfigMgrService
Secret key validity period: choose either 1 year or 2 years from the drop-
down list. One year is the default value.
4. Select OK to create the web app in Azure AD and close the Create Server
Application window.
5. In the Server App window, make sure your new app is selected, then select OK to
save and close the window.
Create the native (client) app registration
1. On the App page of the Azure Services Wizard window, for the Native Client app,
select Browse.
2. In the Client App window, select Create to use Configuration Manager to automate
the creation of the app.
4. Select OK to create the native app in Azure AD and close the Create Client
Application window.
5. In the Client App window, make sure your new app is selected, then select OK to
save and close the window.
2. The Discovery page of the wizard is only necessary in some scenarios. It's optional
when you onboard the site to Azure AD, and not required to create the CMG. If
you need it to support specific functionality in your environment, you can enable it
later.
For more information on the CMG scenarios that may require Azure AD user
discovery, see Configure client authentication: Azure AD and Install clients using
Azure AD.
For more information on this discovery method, see Configure Azure AD user
discovery.
3. Select the option to Disable Azure Active Directory authentication for this tenant.
Microsoft.KeyVault
Microsoft.Storage
Microsoft.Network
Microsoft.Compute
Note
If you previously deployed the CMG using a classic cloud service, your Azure
subscription requires the following two resource providers:
Microsoft.ClassicCompute
Microsoft.Storage
Starting in version 2203, the option to deploy a CMG as a cloud service (classic) is
removed. All CMG deployments should use a virtual machine scale set. For more
information, see Removed and deprecated features.
Your Azure AD account needs permission to do the /register/action operation for the
resource provider. By default, the Contributor and Owner roles include this permission.
The following steps summarize the process to register a resource provider. For more
information, see Azure resource providers and types.
2. On the Azure portal menu, search for Subscriptions. Select it from the available
options.
5. Find the resource provider you want to register, and select Register. To maintain
least privileges in your subscription, only register those resource providers that
you're ready to use.
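As an added example (not Microsoft's code), the following PowerShell function registers only those of the four required resource providers that aren't already registered, then polls until registration completes. It assumes the Az.Resources module is installed and that Connect-AzAccount / Set-AzContext have already selected the subscription used for the CMG; the function name and timeout parameter are this example's own.

```powershell
# Added example, not Microsoft's code. Assumes Az.Resources is installed and an
# Az session is already pointed at the CMG subscription.
function Register-CmgResourceProvider {
    param(
        # The providers a virtual machine scale set CMG needs, per the article.
        [string[]]$Namespaces = @('Microsoft.KeyVault', 'Microsoft.Storage',
                                  'Microsoft.Network', 'Microsoft.Compute'),
        [int]$TimeoutSeconds = 300
    )
    # Get-AzResourceProvider returns one object per resource type; all of them
    # carry the provider-level RegistrationState, so the first one is enough.
    function Get-State([string]$ns) {
        (Get-AzResourceProvider -ProviderNamespace $ns | Select-Object -First 1).RegistrationState
    }

    $pending = @(foreach ($ns in $Namespaces) {
        if ((Get-State $ns) -eq 'Registered') {
            Write-Host "$ns is already registered; skipping"
        } else {
            # Needs the provider's /register/action, which Contributor and Owner include.
            Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
            $ns
        }
    })

    # Registration is asynchronous; wait until every requested provider reports Registered.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 10
        $pending = @($pending | Where-Object { (Get-State $_) -ne 'Registered' })
    }
    if ($pending.Count -gt 0) {
        Write-Warning "Still not registered after $TimeoutSeconds s: $($pending -join ', ')"
    }

    foreach ($ns in $Namespaces) {
        [pscustomobject]@{ Namespace = $ns; RegistrationState = (Get-State $ns) }
    }
}

Register-CmgResourceProvider | Format-Table -AutoSize
```

Only the namespaces listed in the article are registered; nothing else in the subscription is touched, which is the least-privilege point the step above makes.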
Next steps
Continue your CMG setup by deciding which type of client authentication to use:
The next step in the setup of a cloud management gateway (CMG) is to configure how
clients authenticate. Because these clients are potentially connecting to the service from
the untrusted public internet, they have a higher authentication requirement. There are
three options:
This article describes how to configure each of these options. For more foundational
information, see Plan for CMG client authentication methods.
Azure AD
If your internet-based devices are running Windows 10 or later, use Azure AD modern
authentication with the CMG. This authentication method is the only one that enables
user-centric scenarios.
The devices need to be either cloud domain-joined or hybrid Azure AD-joined, and
the user also needs an Azure AD identity.
Tip
One of the primary requirements for using Azure AD authentication for internet-
based clients with a CMG is to integrate the site with Azure AD. You already
completed that action in the prior step.
There are a few other requirements, depending upon your environment:
Enable user discovery methods for hybrid identities
Enable ASP.NET 4.5 on the management point
Configure client settings
For more information on these prerequisites, see Install clients using Azure AD.
PKI certificate
Use these steps if you have a public key infrastructure (PKI) that can issue client
authentication certificates to devices.
This certificate may be required on the CMG connection point. For more information,
see CMG connection point.
This certificate supports key storage providers for certificate private keys (v3). For
more information, see CNG v3 certificates overview.
Make sure to export all certificates in the trust chain. For example, if the client
authentication certificate is issued by an intermediate CA, export both the intermediate
and root CA certificates.
Note
Export this certificate when any client uses PKI certificates for authentication. When
all clients use either Azure AD or tokens for authentication, this certificate isn't
required.
After you issue a client authentication certificate to a computer, use this process on that
computer to export the trusted root certificate.
1. Open the Start menu. Type "run" to open the Run window. Open mmc.
3. In the Add or Remove Snap-ins dialog box, select Certificates, then select Add.
a. In the Certificates snap-in dialog box, select Computer account, then select
Next.
b. In the Select Computer dialog box, select Local computer, then select Finish.
c. Select the next certificate up the chain, and select View Certificate.
6. On this new Certificate dialog box, go to the Details tab. Select Copy to File....
7. Complete the Certificate Export Wizard using the default certificate format, DER
encoded binary X.509 (.CER). Make note of the name and location of the exported
certificate.
8. Export all of the certificates in the certification path of the original client
authentication certificate. Make note of which exported certificates are
intermediate CAs, and which ones are trusted root CAs.
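The same export can be scripted. The following PowerShell function is an added example (not from the article): it locates a client authentication certificate in the local machine's personal store, walks its certification path, and writes every issuer certificate as DER-encoded binary X.509 (.CER), reporting which files are intermediate CAs and which are trusted roots. The function name and output folder are this example's own; the Client Authentication EKU OID 1.3.6.1.5.5.7.3.2 is the standard value. Run it as an administrator.

```powershell
# Added example, not from the Microsoft article. Exports the issuer chain of a
# client authentication certificate as DER .cer files, the wizard's default format.
function Export-ClientAuthCertChain {
    param(
        [Parameter(Mandatory)][string]$OutputFolder,
        [string]$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (standard OID)
    )
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    # Pick the newest certificate with the Client Authentication EKU and a private key.
    $leaf = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $leaf) { throw 'No client authentication certificate found in LocalMachine\My.' }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only the path is wanted here, not a revocation verdict, so skip CRL checks.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Build() returns $false on policy errors, but ChainElements is still populated.
    $null = $chain.Build($leaf)

    $exported = foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        # Never export the leaf: it holds the device's private key; only issuers are needed.
        if ($cert.Thumbprint -eq $leaf.Thumbprint) { continue }
        $kind = if ($cert.Subject -eq $cert.Issuer) { 'TrustedRootCA' } else { 'IntermediateCA' }
        $safeName = $cert.GetNameInfo('SimpleName', $false) -replace '[^\w\.-]', '_'
        $path = Join-Path $OutputFolder "$kind-$safeName.cer"
        # X509ContentType.Cert = DER encoded binary X.509, no private key.
        [IO.File]::WriteAllBytes($path,
            $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
        [pscustomobject]@{ Kind = $kind; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; File = $path }
    }
    $chain.Dispose()
    return $exported
}

Export-ClientAuthCertChain -OutputFolder 'C:\CMG\TrustChain' | Format-Table -AutoSize
```

The returned table is the record of which exported file is the root and which are intermediates, which the CMG wizard asks for separately.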
Note
The CMG connection point doesn't require a client authentication certificate in the
following scenarios:
Site token
If you can't join devices to Azure AD or use PKI client authentication certificates, then
use Configuration Manager token-based authentication. For more information, or to
create a bulk registration token, see Token-based authentication for cloud management
gateway.
Configure the site for Enhanced HTTP, and configure the management point for
HTTP
Configure the management point for HTTPS
1. Create and issue a web server certificate from your PKI or a third-party provider,
which are outside of the context of Configuration Manager. For example, use
Active Directory Certificate Services and group policy to issue a web server
certificate to the site system server with the management point role. For more
information, see the following articles:
2. On the properties of the management point role, set the client connections to
HTTPS.
Tip
After you set up the CMG, you'll configure other settings for this management
point.
If your environment has multiple management points, you don't have to HTTPS-enable
them all for CMG. Configure the CMG-enabled management points as Internet only.
Then your on-premises clients don't try to use them.
Workgroup: The device isn't joined to a domain or Azure AD, but has a client
authentication certificate.
AD domain-joined: You join the device to an on-premises Active Directory domain.
Azure AD-joined: Also known as cloud domain-joined, you join the device to an
Azure AD tenant. For more information, see Azure AD joined devices.
Hybrid-joined: You join the device to your on-premises Active Directory and
register it with your Azure AD. For more information, see Hybrid Azure AD joined
devices.
HTTP: On the management point properties, you set the client connections to
HTTP.
HTTPS: On the management point properties, you set the client connections to
HTTPS.
E-HTTP: On the site properties, Communication Security tab, you set the site
system settings to HTTPS or HTTP, and you enable the option to Use
Configuration Manager-generated certificates for HTTP site systems. You
configure the management point for HTTP, and the HTTP management point is
ready for both HTTP and HTTPS communication.
Important
Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.
Configure an on-premises management point to allow connections from the CMG with
the following client connection mode:
Note
Note 1: This configuration requires that the client has a client authentication
certificate, and only supports device-centric scenarios.
For on-premises clients communicating with the on-premises
management point
Note
On-premises Azure AD-joined and hybrid-joined clients can communicate via HTTP
for device-centric scenarios, but need E-HTTP or HTTPS to enable user-centric
scenarios. Otherwise they behave the same as workgroup clients.
Next steps
You're now ready to create the CMG in Configuration Manager:
Set up CMG
Set up CMG for Configuration Manager
Article • 10/04/2022
Once you have the prerequisites in place, you can start the process to set up a cloud
management gateway (CMG). Before you start this process, make sure you have the
necessary information and prerequisites to create a CMG. For more information, see Set
up checklist for CMG.
Use the Configuration Manager console to create the CMG service in Azure.
Configure the primary site for client certificate authentication.
Add the CMG connection point site system role.
Configure the management point and software update point for CMG traffic.
Configure boundary groups.
Set up a CMG
Note
Deploying a CMG with a virtual machine scale set in Azure was first introduced in
version 2010 as a pre-release feature. Beginning with version 2107, it's no longer a
pre-release feature.
Configuration Manager doesn't enable this optional feature by default. You must
enable this feature before using it. For more information, see Enable optional
features from updates.
Do this procedure on the top-level site. That site is either a standalone primary site, or
the central administration site (CAS).
3. On the General page of the wizard, first specify the Azure environment for this
CMG:
Starting in version 2203, virtual machine scale set is the only option.
In versions 2010 and 2103, you have to enable this pre-release feature to
see it. In these releases, it's only intended for customers with a Cloud
Solution Provider (CSP) subscription. If you already deployed a CMG with
the cloud service (classic) method, this option is unavailable. For more
information, see Plan for CMG: Virtual machine scale sets.
Important
In version 2107 and later, only use this option if you can't deploy with a
virtual machine scale set because of one of the limitations.
In versions 2010 and 2103, most customers should use this deployment
method.
5. Select Sign in. Authenticate with an Azure Subscription Owner account. The
wizard automatically populates the remaining fields from the information stored
during the Azure AD integration prerequisite. If you own multiple subscriptions,
select the Subscription ID of the subscription you want to use.
Select Next, and wait as the site tests the connection to Azure.
6. On the Settings page of the wizard, first Browse to the .PFX file for the CMG server
authentication certificate (Certificate file). The common name from this certificate
is used to populate the Service name and Deployment name fields.
If you use a wildcard certificate, replace the asterisk (*) in the Service name field
with the globally unique deployment name prefix for your CMG.
b. Select an Azure Region for this CMG. The list of available regions may vary
based on the selected subscription.
If you choose Use existing, then select an existing resource group from
the list. This resource group needs to already exist in the same region you
selected for the CMG. If you select an existing resource group, and it's in a
different region than the previously selected region, the CMG will fail to
deploy.
If you choose Create new, then enter the new resource group name.
Important
The Lab (B2s) size VM is only intended for lab testing and small proof-of-
concept environments. For example, with the Configuration Manager
technical preview branch. The B2s VMs aren't intended for production use
with the CMG. They are low cost and low performing.
e. In the VM Instance field, enter the number of VMs for this service. The default is
one, but you can scale up to 16 VMs per CMG.
Note
A trusted root certificate isn't required when using Azure Active Directory
(Azure AD) or site-issued tokens for client authentication.
h. By default, the wizard enables the option to Enforce TLS 1.2. This setting
requires the Azure VM to use the TLS 1.2 encryption protocol. It doesn't apply
to any on-premises Configuration Manager site servers or clients. Starting in
version 2107 with the update rollup, this setting also applies to the CMG
storage account. For more information, see How to enable TLS 1.2.
i. By default, the wizard enables the option to Allow CMG to function as a cloud
distribution point and serve content from Azure storage. If you plan on
targeting deployments with content to clients, you need to configure the CMG
to serve content.
7. Next is the Alerts page of the wizard. To monitor CMG traffic with a 14-day
threshold, enable the threshold alert. Then specify the threshold, and the
percentage at which to raise the different alert levels. You can also enable a
storage alert threshold. Choose Next when you're done.
Configuration Manager starts to set up the service. The amount of time it takes to
completely provision the service in Azure is dependent upon the settings that you
specified. To determine when the service is ready, view the Status column for the new
CMG.
Tip
2. Select the primary site to which your internet-based clients are assigned, and
choose Properties.
3. Switch to the Communication Security tab, and select Use PKI client certificate
(client authentication) when available.
4. If you don't publish a CRL, disable the following option: Clients check the
certificate revocation list (CRL) for site systems.
To add the CMG connection point, the following steps summarize the instructions to
install site system roles:
2. Select an existing site server to which you want to add this role. In the ribbon, on
the Home tab, select Add Site System Roles.
Important
If you're using client authentication certificates, the CMG connection point needs
this certificate. For more information, see client authentication certificate.
2. Select the site system server you want to configure for CMG traffic. Select the
Management point role in the details pane, and then in the Site Role group of the
ribbon, select Properties.
3. In the Management point properties sheet, under Client Connections select Allow
Configuration Manager cloud management gateway traffic.
Depending upon your CMG design and Configuration Manager version, you may
need to enable the HTTPS option. For more information, see Enable management
point for HTTPS.
Repeat these steps for other management points as needed, and for any software
update points.
When you create or configure a boundary group, on the References tab, add a cloud
management gateway. This action associates the CMG with this boundary group.
BranchCache
To enable a content-enabled CMG to use Windows BranchCache, install the
BranchCache feature on the site server.
If the site server has an on-premises distribution point site system role, configure
the option in that role's properties to Enable and configure BranchCache. For
more information, see Configure a distribution point.
If the site server doesn't have a distribution point role, install the BranchCache
feature in Windows. For more information, see Install the BranchCache feature.
If you've already distributed content to a CMG, and then decide to enable BranchCache,
first install the feature. Then redistribute the content to the CMG.
Manage content on a CMG the same as any other distribution point. These actions
include assigning it to a distribution point group and managing content packages. For
more information, see Install and configure distribution points.
Next steps
Continue your CMG setup by configuring clients for CMG:
Once the cloud management gateway (CMG) and the supporting site system roles are
operational, you may need to make configuration changes on Configuration Manager
clients.
Clients that can communicate with the management point automatically get the location
of the CMG service on the next location request. The polling cycle for location requests
is every 24 hours. If you don't want to wait for the normally scheduled location request,
you can force the request. To force the request, restart the SMS Agent Host service
(ccmexec.exe) on the computer.
For devices that aren't connected to the internal network, there are several options to
configure them with a CMG location. For more information, see Install off-premises
clients using a CMG.
Note
By default all clients receive CMG policy. Control this behavior with the client
setting, Enable clients to use a cloud management gateway. For more information,
see About client settings.
Client location
The Configuration Manager client automatically determines whether it's on the intranet
or the internet. If the client can contact a domain controller or an on-premises
management point, it sets its connection type to Currently intranet. Otherwise, it
switches to Currently Internet, and uses the location of the CMG service to
communicate with the site.
Note
You can force the client to always use the CMG regardless of whether it's on the
intranet or internet. This configuration is useful for testing purposes, or for clients
that you want to force to always use the CMG. Set the following registry key on the
client:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security, ClientAlwaysOnInternet = 1
You can also specify this setting during client installation using the
CCMALWAYSINF property.
This setting will always apply, even if the client roams into a location where
boundary group configurations would otherwise leverage local resources.
To verify that clients have the policy specifying the CMG, open a Windows PowerShell
command prompt as an administrator on the client computer, and run the following
command:
PowerShell
This command displays any internet-based management points the client knows about.
While the CMG isn't technically an internet-based management point, clients view it as
one.
Note
The first method is to use a bulk registration token to install the client on a device.
For more information on this method, see Create a bulk registration token.
For the second method, when you run ccmsetup.exe, use the /mp parameter to
specify the CMG's URL. For more information, see About client installation
parameters and properties. This method requires one of the following conditions:
The Configuration Manager site is properly configured to use PKI certificates for
client authentication. Additionally, the client systems each have a valid, unique,
and trusted client authentication certificate previously issued to them.
The systems are Azure Active Directory (Azure AD) domain-joined or hybrid
Azure AD domain-joined.
Azure AD domain-joined
You have a method to change a machine registry value and restart the SMS Agent
Host service using a local administrator account.
To force the connection on these devices, create the REG_SZ registry entry CMGFQDNs in
the key HKLM\Software\Microsoft\CCM. Set its value to the URL of the CMG, for example,
https://GraniteFalls.contoso.com. Then restart the SMS Agent Host Windows service
on the device.
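The following PowerShell function is an added example, not from the article, that ties together the registry settings described on this page: it writes the CMGFQDNs value above, optionally sets ClientAlwaysOnInternet from the Client location section, restarts the SMS Agent Host service, and then runs the same kind of location query the verification step earlier describes, reading the SMS_ActiveMPCandidate class that the Configuration Manager client populates in root\ccm\LocationServices. The function name, the switch name and the wait time are this example's own; run it as a local administrator on the client.

```powershell
# Added example, not Microsoft's code. Forces a client onto the CMG and verifies
# that the client now lists it as an internet-based management point.
function Set-CmgForcedConnection {
    param(
        [Parameter(Mandatory)][string]$CmgUrl,   # e.g. https://GraniteFalls.contoso.com
        [switch]$AlwaysOnInternet,              # also set ClientAlwaysOnInternet = 1 (testing only)
        [int]$WaitSeconds = 180
    )
    if ($CmgUrl -notmatch '^https://') { throw 'The CMG URL must start with https://.' }

    $ccmKey = 'HKLM:\SOFTWARE\Microsoft\CCM'
    if (-not (Test-Path $ccmKey)) { throw 'Configuration Manager client key not found; is the client installed?' }

    # CMGFQDNs is a REG_SZ holding the CMG URL, as the article describes.
    Set-ItemProperty -Path $ccmKey -Name 'CMGFQDNs' -Value $CmgUrl -Type String

    if ($AlwaysOnInternet) {
        # ClientAlwaysOnInternet = 1 makes the client ignore intranet detection entirely,
        # even when boundary groups would otherwise offer local resources.
        $secKey = Join-Path $ccmKey 'Security'
        if (-not (Test-Path $secKey)) { New-Item -Path $secKey | Out-Null }
        Set-ItemProperty -Path $secKey -Name 'ClientAlwaysOnInternet' -Value 1 -Type DWord
    }

    # The client re-reads these values when the SMS Agent Host service restarts.
    Restart-Service -Name CcmExec -Force

    # Poll the client's location services until an internet-type MP (the CMG) appears.
    $deadline = (Get-Date).AddSeconds($WaitSeconds)
    do {
        Start-Sleep -Seconds 15
        $internetMps = @(Get-CimInstance -Namespace 'root\ccm\LocationServices' `
                            -ClassName 'SMS_ActiveMPCandidate' -ErrorAction SilentlyContinue |
                         Where-Object { $_.Type -eq 'Internet' })
    } until ($internetMps.Count -gt 0 -or (Get-Date) -gt $deadline)

    if ($internetMps.Count -eq 0) {
        Write-Warning "No internet-based management point known after $WaitSeconds s; check client policy and CMG status."
    }
    return $internetMps | Select-Object MP, Type
}

Set-CmgForcedConnection -CmgUrl 'https://GraniteFalls.contoso.com' | Format-Table -AutoSize
```

An empty result after the wait usually means the client has not yet received policy that includes the CMG, which the 24-hour location request cycle described above explains.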
Next steps
Your CMG is now set up and functional with clients communicating to the site. Next,
understand how to monitor the CMG service and clients:
Monitor CMG
Monitor the CMG
Article • 10/04/2022
After the cloud management gateway (CMG) is running and clients are connecting
through it, you can monitor clients and network traffic. Monitor the service to make sure
its performance is optimal.
Monitor clients
Clients connected through the CMG appear in the Configuration Manager console the
same way on-premises clients do. For more information, see how to monitor clients.
1. Go to the Administration workspace, expand Cloud Services, and select the Cloud
Management Gateway node.
3. View the traffic information in the details pane for the CMG connection point and
the site system roles it connects to. These statistics show the client requests
coming into these roles. The requests include policy, location, registration, content,
inventory, and client notifications.
Monitor content
Monitor content that you distribute to a CMG the same as with any other distribution
point. For more information, see Monitor content.
When you view the list of CMGs in the console, you can add more columns to the list.
For example, the Storage egress (GB) column shows the amount of data that clients
downloaded from the service in the last 30 days.
Monitor logs
The following table lists the log files that contain information related to the cloud
management gateway.
These are local Configuration Manager log files that cloud service manager syncs from
Azure storage every five minutes. The cloud management gateway pushes logs to Azure
storage every five minutes. So the maximum delay is 10 minutes. Verbose switches affect
both local and remote logs. The actual file names include the service name and role
instance identifier. For example, CMG-ServiceName-RoleInstanceID-CMGSetup.log.
These log files are synced, so you don't need to RDP to the cloud management gateway
to obtain them, and that option isn't supported.
The following screenshot shows the section of the cloud management dashboard
specific for the CMG:
Connection analyzer
To aid troubleshooting, use the CMG connection analyzer for real-time verification. The
in-console utility checks the current status of the service, and the communication
channel through the CMG connection point to any management points that allow CMG
traffic.
2. Select the target CMG instance, and then select Connection analyzer in the ribbon.
3. In the CMG connection analyzer window, select one of the following options to
authenticate with the service:
a. Azure AD user: Use this option to simulate communication the same as a cloud-
based user identity signed in to an Azure AD-joined Windows device. Select
Sign In to securely enter the credentials for an Azure AD user account.
4. Select Start to start the analysis. The analyzer window displays the results. Select
an entry to see more details in the Description field.
Set up outbound traffic alerts
Outbound traffic alerts help you know when network traffic approaches a 14-day
threshold level. When you create the CMG, you can set up traffic alerts. If you skipped
that part, you can still set up the alerts after the service is running. Adjust the alert
settings at any time.
You can also configure thresholds for the amount of data that you want to store on the
CMG and that clients download. Use alerts for these thresholds to help you decide when
to stop or delete the cloud service, adjust the content that you store on the CMG, or
modify which clients can use the service.
1. Go to the Administration workspace, expand Cloud Services, and select the Cloud
Management Gateway node.
2. Select the CMG in the list pane, and then select Properties in the ribbon.
3. Go to the Alerts tab to enable the threshold and alerts:
Specify the 14-day data threshold for outbound data transfer in gigabytes
(GB). This threshold helps you to monitor the amount of data that transfers
from the CMG to clients every two weeks. By default, this threshold is
approximately 10 TB. The default value is 10,000 GB. The site raises warning
and critical alerts when transfers reach values that you define. By default,
these alerts occur at 50% and 90% of the threshold.
Note
Alerts for the CMG depend on usage statistics from Azure, which can take up to 24
hours to become available. For more information about Storage Analytics for Azure,
see Storage Analytics.
In an hourly cycle, the primary site that monitors the CMG downloads transaction
data from Azure. It stores this transaction data in the CloudDP-<ServiceName>.log
file on the site server. Configuration Manager then evaluates this information
against the storage and transfer quotas for each CMG. When the transfer of data
reaches or exceeds the specified volume for either warnings or critical alerts,
Configuration Manager generates the appropriate alert.
Because the site downloads information about data transfers from Azure every
hour, the usage might exceed a warning or critical threshold before Configuration
Manager can access the data and raise an alert.
Important
Even if the service isn't running, there are still costs associated with the cloud
service. Stopping the service doesn't eliminate all associated Azure costs. To
remove all cost for the cloud service, delete the CMG.
When you stop the CMG service, internet-based clients can't communicate with
Configuration Manager.
The total data transfer (egress) includes data from the cloud service and storage
account. This data comes from the following flows:
CMG to client
CMG to site, including CMG log files
If you enable CMG for content, storage account to client
For more information on these data flows, see CMG ports and data flow.
The storage alert threshold is separate. That alert monitors the capacity of your Azure
storage instance.
When you select the CMG instance in the Cloud Management Gateway node in the
console, you can see the total data transfer in the details pane.
Configuration Manager checks the threshold value every six minutes. If there's a sudden
spike in usage, Configuration Manager can take up to six minutes to detect that it
exceeded the threshold and then stop the service.
2. On the Alerts tab of the CMG properties window, enable the option to Stop this
service when the critical threshold is exceeded.
14-day threshold for outbound data transfer (GB). The default value is 10000.
Next steps
If you need to change the configuration, you can modify the CMG:
Modify a CMG
Modify a CMG
Article • 10/04/2022
If you need to change the configuration, you can modify the cloud management
gateway (CMG).
Configure properties
After you create a CMG, you can modify some of its settings. Select the CMG in the
Configuration Manager console and select Properties. Configure settings on the
following tabs:
Settings tab
Certificate file: Change the server authentication certificate for the CMG. This
option is useful when you renew the certificate before it expires. When you get a
new certificate, make sure its common name is the same.
Note
When you renew the server authentication certificate for the CMG, the FQDN
that you specify for the certificate's common name (CN) is case-sensitive. For
example, if the CN of the current certificate is granitefalls.contoso.com,
create the new certificate with the same lowercase CN. The wizard won't
accept a certificate with the CN GRANITEFALLS.CONTOSO.COM.
If you make significant changes to the certificate, you may need to Redeploy
the service. For example, changing the organization name on the certificate.
VM Instance: Change the number of virtual machines that the service uses in
Azure. This setting allows you to dynamically scale the service up or down based
on usage or cost considerations.
Enforce TLS 1.2: The CMG enables this option by default. Require it to use the TLS
1.2 encryption protocol. Starting in version 2107 with the update rollup, this setting
also applies to the CMG storage account. For more information, see How to enable
TLS 1.2.
Allow CMG to function as a cloud distribution point and serve content from
Azure storage: The CMG enables this option by default. If you plan on targeting
deployments with content to clients, you need to configure the CMG to serve
content.
Alerts tab
Reconfigure the alerts at any time after you create the CMG. For more information, see
Monitor the CMG: Set up outbound traffic alerts.
Content tab
View the packages that are assigned to the cloud storage account for this CMG. See
how much space each package uses in the storage account. When you select a package,
you can redistribute or remove the content files.
To verify that the content files for a package are available on the content-enabled CMG,
go to the Content Status node in the Monitoring workspace. For more information, see
Monitor content you distribute.
Convert
Note
Configuration Manager doesn't enable this optional feature by default. You must
enable this feature before using it. For more information, see Enable optional
features from updates.
Starting in version 2107, if you have a CMG that uses the classic cloud service, convert it
to use a virtual machine scale set.
Tip
Setting Convert
VM size
VM instances
Verify CRL
Require TLS
Serve content
Azure environment
Subscription
Azure AD app
Region
Resource group
To make changes that the conversion process doesn't support, you need to Redeploy
the service.
Important
If your CMG's service name is in the cloudapp.net domain, you can't convert it to a
virtual machine scale set. For example, you issued a server authentication certificate
from your internal PKI with a common name of GraniteFalls.cloudapp.net. Since
Microsoft owns the cloudapp.net domain, you can't create a DNS CNAME to map
this service name to the new deployment name in the cloudapp.azure.com domain.
1. Issue a new server authentication certificate from your internal PKI with a new
service name. Consider using your domain name instead of a Microsoft
domain. For more information, see Use an enterprise PKI certificate.
2. Deploy a new CMG as a virtual machine scale set with the new certificate.
3. Once clients refresh policy to get this new CMG, delete the old CMG.
For more information, see Replace a CMG with a new service name.
Important
First review the prerequisites for virtual machine scale sets. For example, make sure
that you register the necessary Azure resource providers in the subscription. You
also need both Subscription Owner permission to the associated subscription and
Global Administrator permissions for the associated tenant.
2. Select a CMG instance whose Status is Ready. In the ribbon, select Convert. This
action opens the Convert CMG wizard.
3. On the General page, select Next. You can't change any of these settings.
4. On the Settings page, note the new Deployment name with the suffix for the virtual
machine scale set.
5. Make other configuration changes as needed. Then select Next and complete the
wizard.
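The resource-provider prerequisite called out above is the part of the conversion that is easy to check with a script before you open the Convert wizard. The following is an added example, not code from the Configuration Manager documentation or product. It assumes the Az.Resources PowerShell module, that you have already run Connect-AzAccount in the subscription that hosts the CMG, and that the default list of provider namespaces (Microsoft.Compute, Microsoft.Network, Microsoft.Storage) is what a virtual machine scale set deployment needs; that list is an assumption, so confirm it against the prerequisites for your version.

```powershell
# Added example (not from the Configuration Manager docs).
# Assumes: Az.Resources module, Connect-AzAccount already run, and that the
# current Az context is the subscription that hosts the CMG.
function Test-CmgResourceProviders {
    param(
        # Assumed list: namespaces a virtual machine scale set deployment uses.
        # Check this against the prerequisites for your Configuration Manager version.
        [string[]]$Namespace = @('Microsoft.Compute', 'Microsoft.Network', 'Microsoft.Storage'),
        # Set -Register to register any namespace that isn't registered yet.
        [switch]$Register
    )

    $context = Get-AzContext
    if (-not $context) { throw 'Run Connect-AzAccount first.' }
    Write-Verbose ("Checking subscription {0}" -f $context.Subscription.Id)

    foreach ($ns in $Namespace) {
        # Get-AzResourceProvider returns one object per resource type in the
        # namespace; RegistrationState is the same on each, so take the first.
        $provider = Get-AzResourceProvider -ProviderNamespace $ns | Select-Object -First 1
        $state = if ($provider) { $provider.RegistrationState } else { 'Unknown' }

        if ($state -ne 'Registered' -and $Register) {
            # Registration is asynchronous: the state shows 'Registering' until Azure finishes.
            $state = (Register-AzResourceProvider -ProviderNamespace $ns).RegistrationState
        }

        [pscustomobject]@{
            Namespace         = $ns
            RegistrationState = $state
        }
    }
}

# Report only:
Test-CmgResourceProviders -Verbose
# Report and register whatever is missing (needs permission to register
# providers in the subscription, which Subscription Owner has):
# Test-CmgResourceProviders -Register
```

Run the report form first with the account you plan to use for the conversion: if it can't even read the provider state, it doesn't have the subscription permissions the wizard requires either.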
Monitor the conversion process the same as a new deployment. For example, view the
state in the console, and review cloudmgr.log. For more information, see Monitor CMG.
For example:
- Classic: GraniteFalls.cloudapp.net
- Virtual machine scale set: GraniteFalls.EastUS.CloudApp.Azure.Com
- Subscription
- Service name
- Region
- Resource group
- Significant changes to the server authentication certificate
Always keep at least one active CMG for internet-based clients to receive updated
policy. Internet-based clients can't communicate with a removed CMG. Clients don't
know about a new one until they refresh policy. When you create a second CMG
instance to delete the first, also create another CMG connection point.
Clients refresh policy by default every 24 hours. Before you delete the old CMG, wait at
least one day after you create a new one. If clients are turned off or without an internet
connection, you may need to wait longer.
If you have an existing CMG from version 1810 or earlier, it uses the Azure Service
Manager deployment method. This method used an Azure management certificate. This
method is deprecated, and support will be removed in a later version of Configuration
Manager. Redeploy a new CMG to use the Azure Resource Manager deployment
method.
The process to redeploy the service depends upon your service name and whether you
want to reuse it.
Note
In version 2107 and later, you can have multiple CMGs that use different
deployment methods. You can also convert a cloud service (classic) CMG to a
virtual machine scale set. For more information, see Convert.
In versions 2010 and 2103, if you already deployed a CMG with the cloud service
(classic) method, you can't deploy another CMG as a virtual machine scale set, and
vice versa. First delete the existing CMG, and then create a new one with the other
deployment method. All CMG instances for the site need to use the same
deployment method. For more information, see Plan for CMG: Virtual machine
scale sets.
Important
This process assumes that you already have at least two CMG services, and are
replacing one of them at a time. You need to have at least one active CMG for
internet-based clients.
3. Create a new CMG connection point and link it with the new CMG.
4. Wait at least one day for internet-based clients to receive policy about the new
CMG. If clients are turned off or without an internet connection, you may need to
wait longer.
Configuration Manager can stop a CMG service when the total data transfer goes over
your limit. For more information, see Stop CMG when it exceeds threshold.
Important
Even if the service isn't running, there are still costs associated with the cloud
service. Stopping the service doesn't eliminate all associated Azure costs. To
remove all cost for the cloud service, delete the CMG.
When you stop the CMG service, internet-based clients can't communicate with
Configuration Manager.
- Start-CMCloudManagementGateway
- Stop-CMCloudManagementGateway
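Because internet-based clients lose contact with the site as soon as no CMG is running, a stop or removal is safer when it refuses to act on the last remaining CMG. The following wrapper around the cmdlets above is an added example, not from the Configuration Manager documentation or product. It assumes the ConfigurationManager module is loaded and the current location is the site drive (for example P01:), as the CMG cmdlets require, and it assumes the objects returned by Get-CMCloudManagementGateway carry the CMG name in a Name property (the console's Name column); the service name in the usage line is constructed.

```powershell
# Added example (not from the Configuration Manager docs). Assumes the
# ConfigurationManager module is loaded and the current location is the site
# drive (for example "Set-Location P01:"), which the CMG cmdlets require.
function Stop-CmgWithFallbackCheck {
    param(
        # Service name of the CMG to stop, as shown in the console.
        [Parameter(Mandatory)][string]$Name
    )

    # Assumption: the returned objects expose the CMG name as .Name.
    $all    = @(Get-CMCloudManagementGateway)
    $target = $all | Where-Object { $_.Name -eq $Name }
    if (-not $target) { throw "No CMG named '$Name' exists in this site." }

    # Internet-based clients can't reach the site when no CMG is running, so
    # refuse to stop the only one. Clients learn about a replacement CMG only
    # when they refresh policy (every 24 hours by default), so the other CMG
    # must already have been in place for at least a day.
    $others = @($all | Where-Object { $_.Name -ne $Name })
    if ($others.Count -eq 0) {
        throw "'$Name' is the only CMG in the site; stopping it cuts off internet-based clients."
    }

    Write-Host ("Stopping CMG '{0}'; {1} other CMG instance(s) remain." -f $Name, $others.Count)
    Stop-CMCloudManagementGateway -Name $Name
}

# Usage (constructed service name):
Stop-CmgWithFallbackCheck -Name 'GraniteFalls.contoso.com'
# To bring it back later:
# Start-CMCloudManagementGateway -Name 'GraniteFalls.contoso.com'
```

The check only counts other CMG instances; it doesn't confirm that they're in the Ready state, so verify that in the console before you rely on it. Stopping a CMG still leaves Azure costs in place, as the note above says; the wrapper doesn't change that.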
3. In the Details pane at the bottom of the window, look for the Deployment Model
attribute.
Starting in version 2010, you'll see either Cloud service (classic) or Virtual machine
scale set.
In version 2006 and earlier, for a Resource Manager deployment, this attribute is
Azure Resource Manager. The legacy deployment model with the Azure
management certificate displays as Azure Service Manager.
Important
CMG deployments using Azure Service Manager are deprecated. Support will
be removed in a later version of Configuration Manager. Redeploy a new
CMG to use the Azure Resource Manager deployment method.
You can also add the Deployment Model attribute as a column to the list view.
The second primary step to set up a cloud management gateway (CMG) is to integrate
the Configuration Manager site with your Azure Active Directory (Azure AD) tenant. This
integration allows the site to authenticate with Azure AD, which it uses to deploy and
monitor the CMG service. If you can't use Configuration Manager to automate the
creation of the apps during the Azure Service Wizard, you can use the wizard to import
a previously created app. For example, if your Azure administrators require that they
manually create all Azure AD app registrations, then use this process.
Tip
This article provides prescriptive guidance to integrate the site specifically for the
cloud management gateway. For more information on this process and other uses
of the Azure Services node in the Configuration Manager console, see Configure
Azure services.
When you integrate the site, you create app registrations in Azure AD. The CMG requires
two app registrations:
There are two methods to create these apps, both of which require a global
administrator role in Azure AD:
Use Configuration Manager to automate the creation of the apps when you
integrate the site.
Manually create the apps in advance, and then import them when you integrate
the site.
This article provides the specific details for the second method. Pair these instructions
with the procedures in the Configure Azure AD for CMG article to complete the process.
During this process, you'll need to note several values to use later. Open an app like
Windows Notepad to paste in the values that you'll copy from the Azure Portal.
First, you need to make note of the Azure AD tenant name and tenant ID. These values
are the first two pieces of information that you need to import the app registrations in
Configuration Manager.
- Display name: This value is the friendly name for this app registration that
you'll use later as the application name.
- Application (client) ID: You'll use this GUID value later as the client ID.
5. In the menu of the app properties, select Certificates & secrets, then select New
client secret.
- Description: You can use any name for the secret or leave it blank.
- Expires: Select either 12 months or 24 months.
Select Add. Immediately copy the client secret string Value and Expires. If you
leave this pane, you can't retrieve the same secret again. You'll use these values
later as the secret key and secret key expiry values.
a. Select Microsoft Graph to enumerate the list of available API permissions, then
select Application permissions.
f. On the API permissions pane, select Grant admin consent for..., then select Yes.
a. For the Application ID URI, select Set. Specify a URI that's unique for the tenant.
You'll use this value later as the App ID URI. Use one of the following
recommended formats:
Select Save.
JSON
"oauth2AllowIdTokenImplicitFlow": true,
Select Save.
The web (server) app for CMG is now registered in Azure AD.
- Display name: This value is the friendly name for this app registration that
you'll use later as the application name.
- Application (client) ID: You'll use this GUID value later as the client ID.
ii. In the Configure Desktop + devices pane, under Custom redirect URIs,
specify ms-appx-web://Microsoft.AAD.BrokerPlugin/<ClientID>. Use the app's
client ID GUID, for example:
ms-appx-web://Microsoft.AAD.BrokerPlugin/2afe572e-d268-4c77-a22d-fdca617e2255.
6. Adjust the permissions on this app. In the menu of the app properties, select API
permissions. By default it should have the User.Read delegated permission for the
Microsoft Graph API.
b. Switch to the My APIs tab, and select your web (server) app. For example,
CMG-ServerApp. Select the user_impersonation permission, and then select Add
permissions to save.
c. On the API permissions pane, select Grant admin consent for..., and then select
Yes.
JSON
"oauth2AllowIdTokenImplicitFlow": true,
Select Save.
The native (client) app for CMG is now registered in Azure AD. This step also concludes
the process in the Azure portal. The role of the Azure global administrator is done.
These processes import metadata about the Azure AD apps into Configuration Manager.
You don't require any Azure AD permissions to import these apps.
After entering the information, select Verify. Then select OK to close the Import apps
window.
Important
When you use an imported Azure AD app, you aren't notified of an upcoming
expiration date from console notifications.
The wizard autopopulates the Azure AD tenant name and tenant ID based on the
web (server) app that you already specified.
- Application Name: A friendly name for the app.
- Client ID: The Application (client) ID value of the app registration. The format is a
standard GUID.
After entering the information, select Verify. Then select OK to close the Import apps
window.
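Since the console doesn't warn you about the expiry of an imported app's secret, track it from the Azure side instead. The following is an added example, not from the Configuration Manager documentation or product. It assumes the Az.Resources module and a Connect-AzAccount session in the tenant that holds the app registrations (reading them doesn't require the global administrator role used to create them), and the app display name CMG-ServerApp is the one used as an example on this page; only the server (web) app carries a client secret, so the native (client) app normally returns no rows.

```powershell
# Added example (not from the Configuration Manager docs). Assumes Az.Resources
# and an existing Connect-AzAccount session in the Azure AD tenant of the apps.
function Get-CmgAppSecretExpiry {
    param(
        # Display names of the app registrations to check. 'CMG-ServerApp' is the
        # example name used on this page; pass your own names.
        [string[]]$DisplayName = @('CMG-ServerApp'),
        # Flag secrets that expire within this many days.
        [int]$WarnDays = 30
    )
    $now = [DateTime]::UtcNow
    foreach ($name in $DisplayName) {
        $app = Get-AzADApplication -DisplayName $name
        if (-not $app) { Write-Warning "App registration '$name' not found"; continue }

        # Credentials (client secrets and certificates) attached to the registration.
        $creds = @(Get-AzADAppCredential -ApplicationId $app.AppId)
        if ($creds.Count -eq 0) { Write-Warning "App registration '$name' has no credentials"; continue }

        foreach ($cred in $creds) {
            # Newer Az.Resources versions expose EndDateTime; older ones used EndDate.
            $end = if ($cred.PSObject.Properties['EndDateTime']) { $cred.EndDateTime } else { $cred.EndDate }
            $daysLeft = [int][Math]::Floor(([DateTime]$end).ToUniversalTime().Subtract($now).TotalDays)
            [pscustomobject]@{
                App      = $name
                ClientId = $app.AppId
                KeyId    = $cred.KeyId
                Expires  = $end
                DaysLeft = $daysLeft
                Status   = if ($daysLeft -lt 0) { 'EXPIRED' }
                           elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
                           else { 'OK' }
            }
        }
    }
}

Get-CmgAppSecretExpiry -WarnDays 45 | Format-Table
```

When a row shows RENEW SOON, create the new secret in the Azure portal first and then renew the secret key in Configuration Manager, so the site never holds only an expired credential for the server app.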
Next steps
After you manually register the two apps in the Azure portal, use the process in the
following article to import the apps:
This article includes security and privacy information for the Configuration Manager
cloud management gateway (CMG). For more information, see Overview of cloud
management gateway.
Security details
The CMG accepts and manages connections from CMG connection points. It uses
mutual authentication using certificates and connection IDs.
The CMG accepts and forwards client requests using the following methods:
- IIS on the CMG VM instances verifies the certificate path based on the trusted
root certificates that you upload to the CMG.
- If you enable certificate revocation, IIS on the VM instance also verifies client
certificate revocation. For more information, see Publish the certificate
revocation list.
- The certificate trust list (CTL) checks the root of the client authentication certificate.
It also does the same validation as the management point for the client. For more
information, see Review entries in the site's certificate trust list.
- Validates and filters client requests (URLs) to check if any CMG connection point
can service the request.
Configuration Manager rotates the storage account key for the CMG. This process
happens automatically every 180 days.
The service principals are authenticated by the server app registration in Azure AD. This
app is also known as the web app. You create this app registration automatically when
you create the CMG, or manually by an Azure administrator in advance. For more
information, see Manually register Azure AD apps for the CMG.
The secret keys for the Azure apps are encrypted and stored in the Configuration
Manager site database. As part of the setup process, the server app has Read Directory
Data permission to the Microsoft Graph API. It also has the contributor role on the
resource group that hosts the CMG. Each time the app needs to access resources like
Microsoft Graph, it gets an access token from Azure, which it uses to access the cloud
resource.
Azure AD can automatically rotate the secret key for these apps, or you can do it
manually. When the secret key changes, you need to renew the secret key in
Configuration Manager.
- The external URL is the one the client uses to communicate with the CMG.
- The internal URL is the CMG connection point used to forward requests to the
internal server.
URL-mapping example
When you enable CMG traffic on a management point, Configuration Manager creates
an internal set of URL mappings for each management point server. For example:
ccm_system, ccm_incoming, and sms_mp. The external URL for the management point
ccm_system endpoint might look like:
The URL is unique for each management point. The Configuration Manager client then
puts the CMG-enabled management point name into its internet management point list.
This name looks like:
The site automatically uploads all published external URLs to the CMG. This behavior
allows the CMG to do URL filtering. All URL mappings replicate to the CMG connection
point. It then forwards the communication to internal servers according to the external
URL from the client request.
Security guidance
- If you use PKI, and externally publish the CRL, then enable this option
(recommended).
- If you use PKI, but don't publish the CRL, then disable this option.
If you misconfigure this option, it can cause more traffic from clients to the CMG.
This traffic can increase the Azure egress data, which can increase your Azure costs.
Use a more restrictive CTL for a site with a CMG using PKI client authentication.
Otherwise, clients with client authentication certificates issued by any trusted root that
already exists on the management point are automatically accepted for client
registration.
This subset provides administrators with more control over security. The CTL restricts the
server to only accept client certificates that are issued from the certification authorities
in the CTL. For example, Windows ships with certificates for many public and globally
trusted certificate providers. By default, the computer running IIS trusts certificates that
chain to these well-known certificate authorities (CAs). Without configuring IIS with a CTL,
any computer that has a client certificate issued from these CAs is accepted as a valid
Configuration Manager client. If you configure IIS with a CTL that doesn't include these
CAs, client connections are refused if the certificate chains to these CAs.
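Two of the decisions in this guidance can be checked on a device that already holds a PKI client certificate: whether the certificate's CRL is reachable (which decides the revocation-check option above) and which CA certificates form its trusted root chain (which is what you upload to the CMG and what the CTL should be restricted to). The following is an added example, not from the Configuration Manager documentation or product. It assumes the client certificate sits in the local machine Personal store with the Client Authentication EKU, and that the CRL distribution points are HTTP URLs; the output folder under %TEMP% is an assumption.

```powershell
# Added example (not from the Configuration Manager docs). Run on a device that
# holds a PKI client authentication certificate in Cert:\LocalMachine\My.

# Find certificates that carry the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
function Get-ClientAuthCertificate {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' }
}

# Read the HTTP CRL distribution points from a certificate and test whether each
# answers. Run it from an internet-connected network (not the intranet) to decide
# whether "Verify client certificate revocation" can be enabled on the CMG.
function Test-CrlDistributionPoint {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { Write-Warning 'Certificate has no CRL distribution point extension'; return }
    # Format() renders the extension as text with "URL=http://..." entries.
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(http[^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        $reachable = $false
        try {
            $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
            $reachable = ($resp.StatusCode -eq 200)
        } catch { }   # unreachable or non-200: leave $reachable as $false
        [pscustomobject]@{ Url = $url; Reachable = $reachable }
    }
}

# Export the issuing and root CA certificates of a client certificate as .cer files.
# These are the "trusted root chain" you upload when you create the CMG and on the
# CMG connection point, and the CAs a restrictive CTL should be limited to.
function Export-ClientAuthRootChain {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$OutDir = (Join-Path $env:TEMP 'cmg-trusted-roots')   # assumed location
    )
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Revocation is checked separately above; here we only want the chain members.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Certificate)) {
        throw ('Chain build failed: ' + (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '))
    }
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    foreach ($element in $chain.ChainElements) {
        $ca = $element.Certificate
        if ($ca.Thumbprint -eq $Certificate.Thumbprint) { continue }   # skip the leaf
        $path = Join-Path $OutDir ($ca.Thumbprint + '.cer')
        # Export only the public certificate (DER), never a private key.
        [System.IO.File]::WriteAllBytes($path, $ca.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
        [pscustomobject]@{
            Subject    = $ca.Subject
            IsRoot     = ($ca.Subject -eq $ca.Issuer)
            Thumbprint = $ca.Thumbprint
            Path       = $path
        }
    }
}

# Usage: take the first client authentication certificate on this device.
$clientCert = Get-ClientAuthCertificate | Select-Object -First 1
if (-not $clientCert) { throw 'No client authentication certificate found in LocalMachine\My' }
Test-CrlDistributionPoint -Certificate $clientCert | Format-Table -AutoSize
Export-ClientAuthRootChain -Certificate $clientCert | Format-Table -AutoSize
```

If every CRL URL reports Reachable = False from the internet, leave the revocation option off until the CRL is published, otherwise clients keep retrying against the CMG and drive up egress. The exported .cer files are the exact set of CAs to upload; any CA not in that set has no business in the CTL for a CMG that uses PKI client authentication.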
Starting in version 2107 with the update rollup, this setting also applies to the CMG
storage account.
For more information on TLS 1.2, see How to enable TLS 1.2.
With token-based authentication, the site automatically issues tokens for devices that
register on the internal network. You can create a bulk registration token for internet-
based devices. For more information, see Token-based authentication for CMG.
Frequently asked questions about the CMG
FAQ
This article answers your frequently asked questions about the cloud management
gateway (CMG). For more information, see Overview of CMG.
When you use this client authentication method, you also need to export the client
certificate's trusted root chain. You then use this chain of certificates when you
create the CMG and on the CMG connection point.
HTTPS-enabled management point: Depending upon how you configure the
site, and which client authentication method you choose, you may need to
configure your internet-enabled management points to support HTTPS. For more
information, see Configure client authentication for CMG: Enable management
point for HTTPS.
Since the CMG acts as a proxy for client communication, it doesn't process, keep, or
store any client data. The communication path over the internet always uses HTTPS. For
greater security, configure the management point for HTTPS. Also configure the site
option for clients to encrypt inventory and status messages. For more information, see
Plan for security: Signing and encryption.
To clarify terms:
- The Azure AD tenant is the directory of user accounts and app registrations. One
tenant can have multiple subscriptions.
- An Azure subscription separates billing, resources, and services. It's associated with
a single tenant.
Tip
For more information, see Subscriptions, licenses, accounts, and tenants for
Microsoft's cloud offerings.
When you have distinct test and production Active Directory and Azure AD
environments, but one single, centralized Azure hosting subscription.
When you're using a Resource Manager deployment, onboard the Azure AD tenant
associated with the subscription. This connection allows Configuration Manager to
authenticate to Azure to create, deploy, and manage the CMG.
If you're using Azure AD authentication for the users and devices managed over the
CMG, onboard that Azure AD tenant. For more information on Azure services for cloud
management, see Configure Azure services. When you onboard each Azure AD tenant, a
single CMG can provide Azure AD authentication for multiple tenants, regardless of the
hosting location.
If the user and device identities are in one tenant, but the CMG's subscription is in
another tenant, you need to attach the site to both tenants. Technically, the client app
isn't needed for the second tenant that only has the CMG service. The client app only
provides user and device authentication for clients that use the CMG service.
You can also associate the CMG with a boundary group. This action forces these clients
to not use the on-premises site systems. For more information, see Configure boundary
groups.
Then when you deploy a CMG, if you use PKI certificates for HTTPS communication on
the CMG-enabled management point, select the option to Allow internet-only clients
on the management point properties. This setting makes sure that internal clients
continue to use HTTP management points in your environment.
If you use Enhanced HTTP, you don't need to configure this setting. Clients continue to
use HTTP when communicating directly to the CMG-enabled management point. For
more information, see Enhanced HTTP.
If you manage traditional Windows clients with Active Directory domain-joined identity,
they need PKI certificates to secure the communication channel. These clients can
include any supported version of Windows. You can use all CMG-supported features, but
software distribution is limited to devices only. Install the Configuration Manager client
before the device roams onto the internet, or use token authentication.
You can also manage Windows 10 or later clients with modern identity, either hybrid or
pure cloud domain-joined with Azure AD. Clients use Azure AD to authenticate rather
than PKI certificates. Using Azure AD is simpler to set up, configure and maintain than
more complex PKI systems. You can do all of the same management activities plus
software distribution to the user. It also enables additional methods to install the client
on a remote device.
Microsoft recommends joining devices to Azure AD. Internet-based devices can use
Azure AD to authenticate with Configuration Manager. It also enables both device and
user scenarios whether the device is on the internet or connected to the internal
network.
Important
Starting in version 2203, the option to deploy a CMG as a cloud service (classic) is
removed. All CMG deployments should use a virtual machine scale set. For more
information, see Removed and deprecated features.
For more information about deploying a CMG as a virtual machine scale set, see Plan for
CMG.
Some people confuse the information in this blog post with the application registrations
in Azure AD that Configuration Manager uses for various cloud-attached services. These
app registrations are cloud-based service principals that don't directly use these
authentication libraries. If an Azure global administrator manually created the
Configuration Manager app registrations in Azure AD, they can double-check that those
registrations have permissions for the Microsoft Graph API. They don't need
permissions for the Azure AD Graph API. For more information, see Manually register
Azure AD apps.
Data flow for CMG
Article • 10/04/2022
Use this article to understand how data flows between components of the cloud
management gateway (CMG). It requires specific network ports and internet endpoints
to function. You don't need to open any inbound ports to your on-premises network.
The service connection point and CMG connection point site system roles start all
communication with Azure and the CMG. These two roles need to create outbound
connections to the Microsoft cloud. The service connection point deploys and monitors
the service in Azure, so needs to be online. The CMG connection point connects to the
CMG to manage communication between the CMG and on-premises site system roles.
1. The service connection point connects to Azure over HTTPS port 443. It
authenticates using Azure Active Directory (Azure AD). The service connection
point deploys the CMG in Azure. The CMG creates the HTTPS service using the
server authentication certificate.
2. The CMG connection point connects to the CMG in Azure. It holds the connection
open, and builds the channel for future two-way communication.
When you deploy the CMG as a virtual machine scale set, this flow is over
HTTPS.
If you deploy the CMG as a classic cloud service, it first tries TCP-TLS. If that
connection fails, it switches to HTTPS.
For more information, see Note 2: CMG connection point HTTPS ports for one VM.
3. The client connects to the CMG over HTTPS port 443. It authenticates using Azure
AD, the client authentication certificate, or a site-issued token.
Note
If you enable the CMG to serve content, the client connects directly to Azure
blob storage over HTTPS port 443. For more information, see Content data
flow.
4. The CMG forwards the client communication over the existing connection to the
on-premises CMG connection point. You don't need to open any inbound firewall
ports.
5. The CMG connection point forwards the client communication to the on-premises
management point and software update point.
For more information when you integrate with Azure AD, see Configure Azure services:
Cloud management data flow.
1. The management point gives the client an access token along with the list of
content sources. This token is valid for 24 hours, and gives the client access to the
cloud-based content source.
2. The management point responds to the client's location request with the service
name of the CMG. This property is the same as the common name of the server
authentication certificate.
4. The client connects to the CMG. Azure load balances the connection to one of the
VM instances. The client authenticates itself using the access token.
5. The CMG authenticates the client's access token, and then gives the client the
exact content location in Azure storage.
6. If the client trusts the CMG's server authentication certificate, it connects to Azure
storage to download the content.
Required ports
This table lists the required network ports and protocols. The Client is the device that
starts the connection, requiring an outbound port. The Server is the device that accepts
the connection, requiring an inbound port.
Client | Protocol | Port | Server | Description
CMG connection point (virtual machine scale set) | HTTPS | 443 | CMG service | Protocol to build CMG channel to only one VM instance (Note 2)
CMG connection point (virtual machine scale set) | HTTPS | 10124-10139 | CMG service | Protocol to build CMG channel to two or more VM instances (Note 3)
CMG connection point (classic cloud service) | TCP-TLS | 10140-10155 | CMG service | Preferred protocol to build CMG channel (Note 1)
CMG connection point (classic cloud service) | HTTPS | 443 | CMG service | Fall back protocol to build CMG channel to only one VM instance (Note 2)
CMG connection point (classic cloud service) | HTTPS | 10124-10139 | CMG service | Fall back protocol to build CMG channel to two or more VM instances (Note 3)
Notes on ports
Note 1: CMG connection point TCP-TLS ports
The CMG connection point first tries to establish a long-lived TCP-TLS connection with
each CMG VM instance. It connects to the first VM instance on port 10140. The second
VM instance uses port 10141, up to the 16th on port 10155. A TCP-TLS connection has
the best performance, but it doesn't support internet proxy. If the CMG connection
point can't connect via TCP-TLS, then it falls back to HTTPS (Note 2).
Note 2: CMG connection point HTTPS ports for one VM
For a CMG deployed as a classic cloud service, it only uses this port if the TCP-TLS
connection fails. If the CMG connection point can't connect to the CMG via TCP-TLS
(Note 1), it connects to the Azure network load balancer over HTTPS 443. This behavior
is only for one VM instance.
Note 3: CMG connection point HTTPS ports for two or more VMs
If there are two or more VM instances, the CMG connection point uses HTTPS 10124 to
the first VM instance, not HTTPS 443. It connects to the second VM instance on HTTPS
10125, up to the 16th on HTTPS port 10139.
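The port rules in the table and the three notes reduce to a small function: the instance index picks the port, and the deployment model and instance count pick the protocol. The following is an added example, not from the Configuration Manager documentation or product, meant to be run on the CMG connection point server to confirm outbound reachability before you go looking in CloudMgr logs. It assumes the built-in Test-NetConnection cmdlet (NetTCPIP module) and a constructed service name; a TCP connect succeeding says only that the port is open, not that the TLS handshake or authentication works.

```powershell
# Added example (not from the Configuration Manager docs). Run on the CMG
# connection point server. Test-NetConnection comes with Windows (NetTCPIP).
function Get-CmgChannelPort {
    param(
        [Parameter(Mandatory)][ValidateSet('VirtualMachineScaleSet', 'ClassicCloudService')]
        [string]$DeploymentModel,
        # 1-based index of the VM instance; a CMG supports up to 16 instances.
        [Parameter(Mandatory)][ValidateRange(1, 16)][int]$InstanceIndex,
        # Total number of VM instances in the CMG.
        [Parameter(Mandatory)][ValidateRange(1, 16)][int]$InstanceCount,
        # Classic cloud service only: return the HTTPS fallback port instead of TCP-TLS.
        [switch]$Fallback
    )
    if ($InstanceIndex -gt $InstanceCount) { throw 'InstanceIndex is larger than InstanceCount' }

    if ($DeploymentModel -eq 'ClassicCloudService' -and -not $Fallback) {
        # Note 1: preferred TCP-TLS channel, 10140 for the first instance up to 10155 for the 16th.
        return [pscustomobject]@{ Protocol = 'TCP-TLS'; Port = 10140 + ($InstanceIndex - 1) }
    }
    if ($InstanceCount -eq 1) {
        # Note 2: a single instance is reached through the load balancer on HTTPS 443.
        return [pscustomobject]@{ Protocol = 'HTTPS'; Port = 443 }
    }
    # Note 3: two or more instances use HTTPS 10124 for the first up to 10139 for the 16th.
    [pscustomobject]@{ Protocol = 'HTTPS'; Port = 10124 + ($InstanceIndex - 1) }
}

# Check outbound reachability from this server for every instance of a CMG.
function Test-CmgOutbound {
    param(
        # CMG service name: the common name of the server authentication certificate.
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][ValidateSet('VirtualMachineScaleSet', 'ClassicCloudService')]
        [string]$DeploymentModel,
        [Parameter(Mandatory)][ValidateRange(1, 16)][int]$InstanceCount
    )
    foreach ($i in 1..$InstanceCount) {
        $ports = @(Get-CmgChannelPort -DeploymentModel $DeploymentModel -InstanceIndex $i -InstanceCount $InstanceCount)
        if ($DeploymentModel -eq 'ClassicCloudService') {
            # A classic deployment also needs the HTTPS fallback path to work.
            $ports += Get-CmgChannelPort -DeploymentModel $DeploymentModel -InstanceIndex $i -InstanceCount $InstanceCount -Fallback
        }
        foreach ($p in $ports) {
            # -InformationLevel Quiet makes Test-NetConnection return just $true/$false.
            $open = Test-NetConnection -ComputerName $ServiceName -Port $p.Port -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Instance = $i; Protocol = $p.Protocol; Port = $p.Port; Reachable = $open }
        }
    }
}

# Usage (constructed service name): a two-instance virtual machine scale set CMG
# should show 10124 and 10125 reachable.
Test-CmgOutbound -ServiceName 'GraniteFalls.WestUS.CloudApp.Azure.Com' -DeploymentModel VirtualMachineScaleSet -InstanceCount 2 | Format-Table
```

Remember that TCP-TLS doesn't traverse a web proxy, so on a proxied CMG connection point a closed TCP-TLS port with an open HTTPS fallback is the expected result for a classic deployment, not a fault.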
Note
The following sections list the endpoints by role. Some endpoints refer to a service by
<prefix>, which is the prefix name of the CMG. For example, if your CMG is
GraniteFalls.blob.core.windows.net.
Tip
CMG service name: The common name (CN) of the CMG server authentication
certificate. Clients and the CMG connection point site system role
communicate with this service name. For example, GraniteFalls.contoso.com
or GraniteFalls.WestUS.CloudApp.Azure.Com.
CMG deployment name: The first part of the service name plus the Azure
location for the cloud service deployment. The cloud service manager
component of the service connection point uses this name when it deploys
the CMG in Azure. The deployment name is always in an Azure domain. The
Azure location depends upon the deployment method, for example:
- Virtual machine scale set: GraniteFalls.WestUS.CloudApp.Azure.Com
- Classic deployment: GraniteFalls.CloudApp.Net
This article uses examples with a virtual machine scale set as the recommended
deployment method in version 2107 and later. If you use a classic deployment, note
the difference as you read this article and configure internet access.
Specific Azure endpoints, which are different per environment depending upon the
configuration. Configuration Manager stores these endpoints in the site database.
Query the AzureEnvironments table in SQL Server for the list of Azure endpoints.
Azure services:
- management.azure.com (Azure public cloud)
The CMG connection point site system supports using a web proxy. For more
information on configuring this role for a proxy, see Proxy server support.
The CMG connection point only needs to connect to the CMG service endpoints. It
doesn't need access to other Azure endpoints.
Configuration Manager client for cloud services
Any Configuration Manager client that needs to communicate with a CMG needs access
to the following endpoints:
- aadcdn.msftauth.net
HTTP headers
- Range:
- CCMClientID:
- CCMClientIDSignature:
- CCMClientTimestamp:
- CCMClientTimestampsSignature:
HTTP verbs
- HEAD
- CCM_POST
- BITS_POST
- GET
- PROPFIND
Plan for internet-based client management in Configuration Manager
Article • 10/04/2022
Client communications
The following site system roles at primary sites support connections from clients that are
in untrusted locations:
Note
While IBCM primarily focuses on the internet-based scenario, the same behaviors
apply to clients in an untrusted Active Directory forest. Secondary sites don't
support client connections from untrusted locations.
- Certificate registration point for the Configuration Manager policy module (NDES)
Warning
- Distribution point
- Content-enabled cloud management gateway (CMG)
- Management point
For example, the following configurations illustrate when IBCM supports user policies for
devices on the internet:
- The user account and the internet-based management point are both in the
intranet-based forest. You publish the management point to the internet with a
web proxy server.
With SSL termination at the proxy, it inspects packets from the internet before it
forwards them to the internal network. The proxy authenticates the connection from the
client, terminates it, and then opens a new authenticated connection to the internet-
based site systems. When Configuration Manager clients use a proxy, the client securely
contains its identity (GUID) in the packet payload. The management point doesn't
consider the proxy to be the client. Configuration Manager doesn't support bridging
with HTTP to HTTPS, or from HTTPS to HTTP.
Note
Tunneling
If your proxy web server can't support the requirements for SSL bridging, Configuration
Manager also supports SSL tunneling. You can also use SSL tunneling to support mobile
devices that you enroll with Configuration Manager. It's a less secure option because the
proxy forwards the SSL packets from the internet to the site systems without SSL
termination. The proxy doesn't inspect the packets for malicious content. When you use
SSL tunneling, there are no certificate requirements for the proxy web server.
Note
Clients that you configure for internet-only management only communicate with the
site systems that you configure for client connections from the internet. Use this
configuration in the following scenarios:
- For computers that you know will never connect to your intranet. For example,
point of sale computers in remote locations.
- To restrict client communication to HTTPS only. For example, to support firewall
and restricted security policies.
- When you install internet-based site systems in a perimeter network, and you want
to manage these servers as Configuration Manager clients.
Note
When you want to manage workgroup clients on the internet, install them as
internet-only.
You can configure other clients for both internet and intranet client management. When
they detect a change of network, they automatically switch between IBCM and intranet
client management. If these clients can find and connect to a management point that
supports client connections on the intranet, these clients are managed as intranet
clients. Intranet clients have full Configuration Manager functionality. If the clients can't
find or connect to a management point that supports client connections on the intranet,
they attempt to connect to an internet-based management point. If this action
succeeds, these clients are then managed by the internet-based site systems in their
assigned site.
The benefit in automatic switching is that clients can use all features when they connect
to the intranet, and receive essential management when they're on the internet. Content
download that begins on the internet can seamlessly resume on the intranet, and the
other way around.
Prerequisites
IBCM in Configuration Manager has the following dependencies:
- Clients require an internet connection. Configuration Manager uses the device's
existing internet connection. Mobile devices must have a direct internet
connection. Full client computers can have either a direct internet connection or
connect by using a proxy web server.
- Site systems that support IBCM require an internet connection, and must be in an
Active Directory domain. The internet-based site systems don't require a trust
relationship with the Active Directory forest of the site server. However, when the
internet-based management point can authenticate the user by using Windows
authentication, it supports user policies. If Windows authentication fails, it only
supports device policies.
Note
To support user policies, also enable the following client settings in the Client
Policy group:
- Enable user policy polling on clients
- Enable user policy requests from Internet clients
- A public key infrastructure (PKI) to deploy and manage the required certificates for
internet-based clients and site system servers. For more information, see PKI
certificate requirements.
- Register public DNS host entries for the internet fully qualified domain names
(FQDN) of site systems that support IBCM.
- Enable the option to Use PKI client certificate (client authentication capability)
when available on the Communication Security tab of the site properties. This
option is required.
Verbs
Allow the following verbs for the internet-based site system server roles:
Role Verbs
- CCM_POST
- BITS_POST
- GET
- PROPFIND
- GET
- PROPFIND
HTTP headers
Allow the following HTTP headers for the internet-based site system server roles:
- CCMClientID:
- CCMClientIDSignature:
- CCMClientTimestamp:
- CCMClientTimestampsSignature:
For similar communication requirements when you use the software update point for
client connections from the internet, see the documentation for Windows Server Update
Services (WSUS).
Unsupported features
Not all client management functionality is appropriate for the internet. Configuration
Manager doesn't support some features for clients on the internet. These unsupported
features typically rely on Active Directory Domain Services or aren't appropriate for a
public network.
The following features aren't supported when you manage clients on the internet with
IBCM:
Client deployment over the internet, such as client push and software update-
based client deployment. Use manual client installation.
Wake-on-LAN
OS deployment. However, you can deploy task sequences that don't deploy an OS.
Remote control
Software deployment to users. This feature relied upon the application catalog,
which is no longer supported.
Client roaming. Roaming enables clients to always find the closest distribution
points to download content. Clients non-deterministically select one of the
internet-based site systems, whatever the bandwidth or physical location.
When you configure a software update point to accept connections from the internet,
internet-based clients always scan against this software update point to determine
which software updates are required. When these clients are on the internet, they first
try to download the software updates from Microsoft Update, rather than from an
internet-based distribution point. If this behavior fails, they then try to download the
required software updates from an internet-based distribution point.
Tip
To install the Configuration Manager client on Windows devices using Azure Active
Directory (Azure AD) authentication, integrate Configuration Manager with Azure AD.
Clients can be on the intranet communicating directly with an HTTPS-enabled
management point or any management point in a site enabled for Enhanced HTTP. They
can also be internet-based communicating through the CMG or with an Internet-based
management point. This process uses Azure AD to authenticate clients to the
Configuration Manager site. Azure AD replaces the need to configure and use client
authentication certificates.
Setting up Azure AD may be easier for some customers than setting up a public key
infrastructure for certificate-based authentication. Some features require you to
onboard the site to Azure AD, but don't necessarily require the clients to be Azure
AD-joined. For more information, see the following articles:
Device requirements:
Joined to Azure AD, either pure cloud domain-joined, or hybrid Azure AD-joined
User requirements:
Determine whether your management point needs HTTPS. For more information,
see Enable management point for HTTPS.
Tip
Configuration Manager extends its support for internet-based devices that don't
often connect to the internal network, aren't able to join Azure Active Directory
(Azure AD), and don't have a method to install a PKI-issued certificate. For more
information, see Token-based authentication for CMG.
After you complete these actions, your Configuration Manager site is connected to
Azure AD.
Note
If your devices are in an Azure AD tenant that's separate from the tenant with a
subscription for the CMG compute resources, starting in version 2010 you can
disable authentication for tenants not associated with users and devices. For more
information, see Configure Azure services.
1. Configure the following client settings in the Cloud Services group. For more
information, see How to configure client settings.
Allow access to cloud distribution point: Enable this setting to help internet-
based devices get the required content to install the Configuration Manager
client. Devices can get the content from the CMG.
2. Deploy the client settings to the required collection of devices. Don't deploy these
settings to user collections.
Note
The device needs access to the internet to contact Azure AD, but doesn't need to
be internet-based.
The following example shows the general structure of the command line:
ccmsetup.exe
/mp:<source management point> CCMHOSTNAME=<internet-based management point>
SMSSITECODE=<site code> SMSMP=<initial management point> AADTENANTID=<Azure AD
The /mp parameter and CCMHOSTNAME property specify one of the following, depending
upon the scenario:
On-premises management point. Only specify the /mp parameter. The CCMHOSTNAME
property isn't required.
Cloud management gateway
Internet-based management point
The SMSMP property specifies the on-premises management point. It's not required. It's
recommended for Azure AD-joined devices that roam onto the intranet, so they can find
an on-premises management point.
CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500
SMSSITECODE=ABC SMSMP=https://mp1.contoso.com AADTENANTID=daf4a1c2-3a0c-401b-966f-0b855d3abd1a
AADCLIENTAPPID=7506ee10-f7ec-415a-b415-cd3d58790d97 AADRESOURCEURI=https://contososerver
The site publishes additional Azure AD information to the cloud management gateway
(CMG). An Azure AD-joined client gets this information from the CMG during the
ccmsetup process, using the same tenant to which it's joined. This behavior further
simplifies installing the client in an environment with more than one Azure AD tenant.
The only two required ccmsetup properties are CCMHOSTNAME and SMSSITECODE.
To automate the client install using Azure AD identity via Microsoft Intune, see How to
prepare internet-based devices for co-management.
Next steps
Once complete, you can continue to monitor and manage clients.
Token-based authentication for cloud
management gateway
Article • 10/04/2022
The cloud management gateway (CMG) supports many types of clients, but even with
Enhanced HTTP, these clients require a client authentication certificate. This certificate
requirement can be challenging to provision on internet-based clients that don't often
connect to the internal network, aren't able to join Azure Active Directory (Azure AD),
and don't have a method to install a PKI-issued certificate.
Clients initially register for these tokens using one of the following two methods:
Internal network
Bulk registration
The Configuration Manager client together with the management point manage this
token, so there's no OS version dependency. This feature is available for any supported
client OS version.
Note
Microsoft recommends joining devices to Azure AD. Internet-based devices can use
Azure AD to authenticate with Configuration Manager. It also enables both device
and user scenarios whether the device is on the internet or connected to the
internal network. For more information, see Install and register the client using
Azure AD identity.
Make sure to Enable clients to use a cloud management gateway in the Cloud services
group of client settings. Even with a site token, clients can't communicate with a CMG if
client settings don't allow it. For more information, see About client settings: Cloud
services.
Note
With an HTTPS management point, the client needs to first register regardless of
internet/intranet management point. The client needs to present a valid PKI-issued
certificate, an Azure AD token, or a bulk registration token.
Note
Don't confuse bulk registration tokens with those that Configuration Manager
issues to individual clients. The bulk registration token enables the client to initially
install and communicate with the site. This initial communication is long enough for
the site to issue the client its own, unique client authentication token. The client
then uses its authentication token for all communication with the site while it's on
the internet. Beyond the initial registration, the client doesn't use or store the bulk
registration token.
To create a bulk registration token for use during client installation on internet-based
devices, complete the following actions:
1. Sign in to the top-level site server in the hierarchy with local administrator
privileges.
3. Run the tool from the \bin\X64 folder of the Configuration Manager installation
directory on the site server: BulkRegistrationTokenTool.exe. Create a new token
with the /new parameter. For example, BulkRegistrationTokenTool.exe /new. For
more information, see Bulk registration token tool usage.
ccmsetup.exe /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSiteCode=ABC
/regtoken:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik9Tbzh2Tmd5VldRUjlDYVh5T2lacHFlMDlXNCJ9.eyJTQ0NNVG9rZW5DYXRlZ29yeSI6IlN7Q01QcmVBdXRoVG9rZW4iLCJBdXRob3JpdHkiOiJTQ0NNIiwiTGljZW5zZSI6IlNDQ00iLCJUeXBlIjoiQnVsa1JlZ2lzdHJhdGlvbiIsIlRlbmFudElkIjoiQ0RDQzVFOTEtMEFERi00QTI0LTgyRDAtMTk2NjY3RjFDMDgxIiwiVW5pcXVlSWQiOiJkYjU5MWUzMy1wNmZkLTRjNWItODJmMy1iZjY3M2U1YmQwYTIiLCJpc3MiOiJ1cm46c2NjbTpvYXV0aDI6Y2RjYzVlOTEtMGFkZi00YTI0LTgyZDAtMTk2NjY3ZjFjMDgxIiwiYXVkIjoidXJuOnNjY206c2VydmljZSIsImV4cCI6MTU4MDQxNbUwNSwibmJmIjoxNTgwMTU2MzA1fQ.ZUJkxCX6lxHUZhMH_WhYXFm_tbXenEdpgnbIqI1h8hYIJw7xDk3wv625SCfNfsqxhAwRwJByfkXdVGgIpAcFshzArXUVPPvmiUGaxlbB83etUTQjrLIk-gvQQZiE5NSgJ63LCp5KtqFCZe8vlZxnOloErFIrebjFikxqAgwOO4i5ukJdl3KQ07YPRhwpuXmwxRf1vsiawXBvTMhy40SOeZ3mAyCRypQpQNa7NM3adCBwUtYKwHqiX3r1jQU0y57LvU_brBfLUL6JUpk3ri-LSpwPFarRXzZPJUu4-mQFIgrMmKCYbFk3AaEvvrJienfWSvFYLpIYA7lg-6EVYRcCAA
Tip
For more information on this command line, see Install and register the client
using Azure AD identity. This process is similar, just doesn't use the Azure AD
properties.
CMG logs
Management point
CCM_STS.log
MP_RegistrationManager.log
ClientAuth.log
/?
Example: BulkRegistrationTokenTool.exe /?
/new
Creates a new bulk registration token. The token isn't stored on the client or the
site. Make sure to copy the token from the command prompt, and store it in a secure
location.
/lifetime
Use with the /new parameter to specify the validity period of the token. Specify an
integer value in minutes. The default value is 4,320 (three days). The maximum value is
10,080 (seven days).
2. Expand Security, and select the Certificates node. The console lists all site-related
certificates and bulk registration tokens in the details pane.
You can filter or sort on the Type column. Identify specific bulk registration tokens based
on their GUID. When you create a bulk registration token, the tool displays the GUID.
2. Expand Security, select the Certificates node, and select the bulk registration
token to block.
3. On the Home tab of the ribbon bar or the right-click context menu, select Block.
To unblock previously blocked bulk registration tokens, select the Unblock action.
Token renewal
The client renews its unique, Configuration Manager-issued token once a month, and
it's valid for 90 days. A client doesn't need to connect to the internal network to renew
its token. As long as the token is still valid, connecting to the site using a CMG is
sufficient. If the token isn't renewed within 90 days, the client must directly connect to a
management point on an internal network to receive a new token.
You can't renew a bulk registration token. Once a bulk registration token expires,
generate a new one for internet-based device registration using a CMG.
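A defender-side check of the two token lifetimes described in this article, written as an added example (it is not Microsoft's code and not the bulk registration token tool): it decodes the claims of a compact JWT without verifying the signature (only the site can verify that), confirms the Type claim reads BulkRegistration, checks the nbf/exp window against the /lifetime limits above, reports an expired token as one that must be regenerated rather than renewed, and models when a site-issued client token is due for renewal or has expired. The claim names follow the article's sample token; the claim values, the placeholder signature segment, the sample timestamps and the helper names are constructed for this example.

```python
import base64
import json

# Limits and periods stated in the article: minutes for the bulk registration
# token's /lifetime parameter, days for the site-issued per-client token.
DEFAULT_LIFETIME_MIN = 4320    # /lifetime default: three days
MAX_LIFETIME_MIN = 10080       # /lifetime maximum: seven days
CLIENT_TOKEN_VALID_DAYS = 90   # a client token is valid for 90 days
CLIENT_TOKEN_RENEW_DAYS = 30   # the client renews it roughly once a month


def _b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as used by compact JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.
    The signature is NOT verified here; this only reads what the token asserts."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(claims: dict) -> str:
    """Constructed sample token for testing (hypothetical helper).
    Header and claim names follow the article's example; the signature is a placeholder."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "placeholder-signature",
    ])


# Constructed sample: a three-day bulk registration token. The tenant and issuer
# values are placeholders, not real identifiers.
SAMPLE_NBF = 1580156305
SAMPLE_TOKEN = make_sample_token({
    "Type": "BulkRegistration",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "iss": "urn:sccm:oauth2:00000000-0000-0000-0000-000000000000",
    "aud": "urn:sccm:service",
    "nbf": SAMPLE_NBF,
    "exp": SAMPLE_NBF + DEFAULT_LIFETIME_MIN * 60,
})


def check_bulk_registration_token(token: str, now: int) -> list:
    """Return a list of findings; an empty list means the token is usable at
    time `now` (Unix seconds)."""
    claims = decode_jwt_claims(token)
    findings = []
    if claims.get("Type") != "BulkRegistration":
        findings.append("Type is %r, not BulkRegistration" % claims.get("Type"))
    nbf, exp = claims.get("nbf"), claims.get("exp")
    if not isinstance(nbf, int) or not isinstance(exp, int):
        findings.append("missing or non-integer nbf/exp claims")
        return findings
    lifetime_min = (exp - nbf) // 60
    if lifetime_min > MAX_LIFETIME_MIN:
        findings.append("lifetime %d min exceeds the %d min maximum"
                        % (lifetime_min, MAX_LIFETIME_MIN))
    if now < nbf:
        findings.append("not yet valid (nbf is in the future)")
    if now >= exp:
        # Bulk registration tokens can't be renewed; a new one must be generated.
        findings.append("expired; generate a new bulk registration token")
    return findings


def client_token_status(issued_at: int, now: int) -> str:
    """Model the site-issued client token rules: renewed about monthly through any
    valid CMG connection, valid for 90 days, after which an intranet MP is needed."""
    age_days = (now - issued_at) / 86400
    if age_days >= CLIENT_TOKEN_VALID_DAYS:
        return "expired: connect to an internal management point for a new token"
    if age_days >= CLIENT_TOKEN_RENEW_DAYS:
        return "renewal due: a connection to the site through the CMG is enough"
    return "valid"


if __name__ == "__main__":
    print(decode_jwt_claims(SAMPLE_TOKEN))
    print(check_bulk_registration_token(SAMPLE_TOKEN, SAMPLE_NBF + 60))
    print(client_token_status(0, 45 * 86400))
```

The checker deliberately stops at the claims: a token that passes these checks is still only as good as the site's signature verification, so treat the output as a sanity check before handing a token to ccmsetup, not as proof the token is genuine.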
See also
Overview of cloud management gateway
Install and assign Configuration Manager clients using Azure AD for authentication
Azure AD authentication workflow
Article • 10/04/2022
This article is a technical reference for the Configuration Manager client installation and
registration process on a Windows device that is joined to Azure Active Directory (Azure
AD). It details the workflow process for the device authentication.
Note
Windows clients get a workplace join (WPJ) certificate when they join an Azure AD
tenant. If the certificate isn't found, the Configuration Manager client can't request
Azure AD tokens. Without a token, the client can't use the Configuration Manager
security token service (CCM_STS) communication channel for Azure AD
authentication with Configuration Manager site systems.
Client installation
In this workflow sample, you installed the Configuration Manager client on a Windows
device over the internet with the following ccmsetup command-line properties:
CCMHOSTNAME="CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500"
SMSSITECODE="MEM"
1. Azure AD info request from ccmsetup
Clients installed from the internet need specific command-line properties to use Azure
AD authentication. You can include these properties in the command line for internet
ccmsetup, but they aren't required. When you don't use Azure AD properties, ccmsetup
requests the AADCLIENTAPPID and AADRESOURCEURI properties from the cloud
management gateway (CMG). It uses the device's Azure AD TenantID as a reference. If
you haven't onboarded the client's TenantID in Configuration Manager, the CMG
doesn't give ccmsetup the required properties, and client installation doesn't continue.
Important
During ccmsetup, the device has to validate the CMG server authentication
certificate. The root certificate authority (CA) certificate for the CMG server
authentication certificate needs to be available on the client for the chain
validation. If you use PKI, when the root CA isn't published on the internet, add the
root CA certificate to the device's root CAs store.
If the root CA's certificate revocation list (CRL) isn't published on the internet, add the
/nocrlcheck parameter to the ccmsetup command line.
If the device token request fails, ccmsetup falls back to try requesting an Azure AD user
token. If the device can't get either an Azure AD device or user token, ccmsetup doesn't
continue.
Note
If the device has a valid PKI client authentication certificate, ccmsetup always
prefers the certificate. In this case, the client installs as a PKI client and doesn't use
Azure AD authentication.
Log
WAM token request failed. Status 5, Details 'AAD WAM extension error'
Failed to get AAD token for 'S-1-5-18' from WAM API. Error 0xd0090016
The following entries are logged in CCM_STS.log of the site system that hosts the
management point that handles the client request:
Log
ProcessRequest - Start
TokenType is UDA
Issued token
Log
ccmsetup: Host=CMG.cloudapp.net, Path=/CCM_Proxy_ServerAuth7981/ccm_system_tokenauth/request, Port=443, Protocol=https, CcmTokenAuth=1, Flags=0x4100, Options=0xe0
...
ccmsetup: Host=CMG.cloudapp.net, Path=/CCM_Proxy_ServerAuth/72057594037937995/CCM_Client
The location 'https://CMG.cloudapp.net/downloadrestservice.svc/getcontentxmlsecure?pid=CS100001&cid=CS100001
...
Package: C:\WINDOWS\ccmsetup\{E6F27809-FF66-4BAA-B0FB-E4A154A6A388}\client.msi
Note
If the client finds the content from a content-enabled CMG, ccmsetup downloads
the content from the cloud storage. If the latest client version isn't available on the
cloud, it downloads the content from the management point via a CMG request.
Client registration
3. Registration request
The registration component on the management point handles the client registration
process. The client sends a registration message to the MP_ClientRegistration endpoint.
The following entries are logged in CMGService.log of the CMG VM and the site system
that hosts the CMG connection point role:
Log
ProcessRequest - Start
TokenType is UDA
Issued token
The server returns the CCM token to the client for the rest of client-to-site
communication.
Note
During client registration, certificate validation always runs. This process happens
even if you're using the Azure AD authentication method to register the client. This
behavior is a fallback option, in case Azure AD authentication doesn't succeed.
Log
...
ccmhttp: Host=CMG.CLOUDAPP.NET,
Path=/CCM_Proxy_ServerAuth/72186325152220500/ccm_system_tokenauth/request,
Port=443, Protocol=https, CcmTokenAuth=1, Flags=0x4200, Options=0x1e0
...
Common issues
Root CA not present: Clients need the root CA certificate to validate the CMG
server authentication certificate.
CRL check is enabled: Publish the CRL on the internet. As an alternative, use the
/NoCRLCheck parameter for ccmsetup. You can also disable the following option:
Clients check the certificate revocation list (CRL) for site systems. Find this setting
on the Communication Security tab of the site properties.
The WPJ certificate isn't found: Make sure the device is Azure AD-joined. Use
dsregcmd.exe. For example, dsregcmd /status and look at the Device State
section.
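As an added example (not Microsoft's code or any Configuration Manager tool), a small triage helper that runs over the kind of ccmsetup.log lines quoted in this article: it parses the key=value fields of token-authenticated requests (CcmTokenAuth=1), collects the WAM and Azure AD token failures together with their error codes, and records whether a failure happened for the Local System SID S-1-5-18, the device context, which is the case where ccmsetup falls back to a user token request. The sample lines are constructed from the entries shown above and are not a real capture; the function names and summary keys are this example's own.

```python
import re

# Constructed sample lines, modelled on the ccmsetup.log entries quoted in the
# article; not a real capture.
SAMPLE_LOG_LINES = [
    "ccmsetup: Host=CMG.cloudapp.net, Path=/CCM_Proxy_ServerAuth7981/ccm_system_tokenauth/request, "
    "Port=443, Protocol=https, CcmTokenAuth=1, Flags=0x4100, Options=0xe0",
    "WAM token request failed. Status 5, Details 'AAD WAM extension error'",
    "Failed to get AAD token for 'S-1-5-18' from WAM API. Error 0xd0090016",
    "ccmhttp: Host=CMG.CLOUDAPP.NET, Path=/CCM_Proxy_ServerAuth/72186325152220500/ccm_system_tokenauth/request, "
    "Port=443, Protocol=https, CcmTokenAuth=1, Flags=0x4200, Options=0x1e0",
]

KV_RE = re.compile(r"(\w+)=([^,\s]+)")            # Host=..., Path=..., Flags=0x4100
ERROR_CODE_RE = re.compile(r"Error (0x[0-9A-Fa-f]+)")
PRINCIPAL_RE = re.compile(r"for '([^']+)'")        # the SID the token was requested for
LOCAL_SYSTEM_SID = "S-1-5-18"                      # Local System: the device context


def parse_request_line(line):
    """Return the key=value fields of a ccmsetup/ccmhttp request line,
    or None when the line isn't a request line."""
    if "Host=" not in line:
        return None
    return dict(KV_RE.findall(line))


def classify(line):
    """Coarse category for one log line."""
    if "WAM token request failed" in line:
        return "wam_failure"
    if "Failed to get AAD token" in line:
        return "aad_token_failure"
    fields = parse_request_line(line)
    if fields is not None:
        return "token_auth_request" if fields.get("CcmTokenAuth") == "1" else "request"
    return "other"


def extract_error_code(line):
    """The 0x... code from a failure line, or None when the line carries none."""
    match = ERROR_CODE_RE.search(line)
    return match.group(1) if match else None


def triage(lines):
    """Summarise token-related activity in a batch of log lines."""
    summary = {
        "token_auth_requests": [],   # (host, path) of requests made with CcmTokenAuth=1
        "failures": [],              # raw failure lines, for the ticket
        "error_codes": [],           # 0x... codes seen in failure lines
        "device_context_failures": 0,
    }
    for line in lines:
        kind = classify(line)
        if kind == "token_auth_request":
            fields = parse_request_line(line)
            summary["token_auth_requests"].append((fields.get("Host"), fields.get("Path")))
        elif kind in ("wam_failure", "aad_token_failure"):
            summary["failures"].append(line)
            code = extract_error_code(line)
            if code:
                summary["error_codes"].append(code)
            principal = PRINCIPAL_RE.search(line)
            if principal and principal.group(1) == LOCAL_SYSTEM_SID:
                summary["device_context_failures"] += 1
    # A failure in the device context means ccmsetup tries a user token next;
    # no token-authenticated request at all suggests it obtained neither.
    summary["device_token_failed"] = summary["device_context_failures"] > 0
    summary["no_token_auth_seen"] = not summary["token_auth_requests"]
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG_LINES).items():
        print(key, value)
```

Point the script at the real ccmsetup.log on a device that fails to register through the CMG: a device-context failure with no token-authenticated request afterwards is the pattern to check against the common issues above (root CA, CRL, WPJ certificate) before looking anywhere else.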
Tip
Client communication via CMG, CMG connection point, and management point
runs over HTTPS. If you configure the site for enhanced HTTP, you can still
configure the management point for HTTP.
CMG, CMG connection point, and management point validate Azure AD and
CCM tokens.
Warning
The implementation for sharing content from Azure has changed. Use a content-
enabled cloud management gateway by enabling the option to Allow CMG to
function as a cloud distribution point and serve content from Azure storage. For
more information, see Modify a CMG.
Starting in version 2107, you can't create a traditional cloud distribution point
(CDP).
This article helps you learn about the cloud distribution point, plan for its use, and
design your implementation. It includes the following sections:
Features
The cloud distribution point supports several features that are also offered by on-
premises distribution points:
Benefits
The cloud distribution point provides the following additional benefits:
The site encrypts the content before sending it to the cloud distribution point in
Azure.
To meet changing demands for content requests by clients, manually scale the
cloud service in Azure. This action doesn't require that you install and provision
additional distribution points in Configuration Manager.
Topology design
Deployment and operation of the cloud distribution point includes the following
components:
A cloud service in Azure. The site distributes content to this service, which stores it
in Azure cloud storage. The management point provides to clients this content
location in the list of available sources as appropriate.
A management point site system role services client requests per normal.
The cloud distribution point uses a certificate-based HTTPS web service to help
secure network communication with clients. Clients must trust this certificate.
Note
This feature doesn't enable support for Azure Cloud Service Providers (CSP). The
cloud distribution point deployment with Azure Resource Manager continues to
use the classic cloud service, which the CSP doesn't support. For more information,
see available Azure services in Azure CSP.
Azure Resource Manager is the only deployment mechanism for new instances of the
cloud distribution point. Existing deployments continue to work.
Hierarchy design
Where you create the cloud distribution point depends upon which clients need to
access the content.
Azure Resource Manager deployment: Create this type at a primary site or the
central administration site.
The cloud management gateway (CMG) can also serve content to clients. This
functionality reduces the required certificates and cost of Azure VMs. For more
information, see Overview of cloud management gateway.
Internet-based clients don't rely on boundary groups. They only use internet-
facing distribution points or cloud distribution points. If you're only using cloud
distribution points to service these types of clients, then you don't need to include
them in boundary groups.
If you want clients on your internal network to use a cloud distribution point, then
it needs to be in the same boundary group as the clients. Clients prioritize cloud
distribution points last in their list of content sources, because there's a cost
associated with downloading content out of Azure. So a cloud distribution point is
typically used as a fallback source for intranet-based clients. If you want a cloud-
first design, then design your boundary groups to meet this business requirement.
For more information, see Configure boundary groups.
Even though you install cloud distribution points in specific regions of Azure, clients
aren't aware of the Azure regions. They randomly select a cloud distribution point. If you
install cloud distribution points in multiple regions, and a client receives more than one
in the content location list, the client might not use a cloud distribution point from the
same Azure region.
When you use the Backup Site Server maintenance task, Configuration Manager
automatically includes the configurations for the cloud distribution point.
Back up and save a copy of the server authentication certificate. When you restore
the Configuration Manager primary site to a different server, reimport the
certificate.
Requirements
You need an Azure subscription to host the service.
An Azure administrator needs to participate in the initial creation of certain
components, depending upon your design. This persona doesn't require
permissions in Configuration Manager.
The site server requires internet access to deploy and manage the cloud service.
Set the client setting, Allow access to cloud distribution points, to Yes in the
Cloud Services group. By default, this value is set to No.
Specifications
The cloud distribution point supports all Windows versions listed in Supported
operating systems for clients and devices.
Applications
Packages
OS upgrade packages
Important
While the Configuration Manager console doesn't block the distribution
of Microsoft software updates to a cloud distribution point, you're
paying Azure costs to store content that clients don't use. Internet-
based clients always get Microsoft software update content from the
Microsoft Update cloud service. Don't distribute Microsoft software
updates to a cloud distribution point.
When using a CMG for content storage, the content for third-party
updates won't download to clients if the Download delta content when
available client setting is enabled.
Deployment settings
Download content locally when needed by the running task sequence. The task
sequence engine can download packages on-demand from a content-enabled
CMG or a cloud distribution point. This option provides additional flexibility with
your Windows in-place upgrade deployments to internet-based devices.
Download all content locally before starting task sequence. With this option, the
Configuration Manager client downloads the content from the cloud source before
starting the task sequence.
A cloud distribution point doesn't support package deployments with the option
to Run program from distribution point. Use the deployment option to Download
content from distribution point and run locally.
Limitations
You can't use a cloud distribution point for PXE or multicast-enabled deployments.
A cloud distribution point doesn't support content for Microsoft 365 Apps
updates.
You can't prestage content on a cloud distribution point. The distribution manager
of the primary site that manages the cloud distribution point transfers all content.
Cost
Important
The following cost information is for estimating purposes only. Your environment
may have other variables that affect the overall cost of using a cloud distribution
point.
Configuration Manager includes the following options to help control costs and monitor
data access:
Control and monitor the amount of content that you store in a cloud service. For
more information, see Monitor cloud distribution points.
Configure Configuration Manager to alert you when thresholds for client
downloads meet or exceed monthly limits. For more information, see Data transfer
threshold alerts.
To help reduce the number of data transfers from cloud distribution points by
clients, use one of the following peer caching technologies:
Windows BranchCache
Components
A cloud distribution point uses the following Azure components, which incur charges to
the Azure subscription account:
Tip
The cloud management gateway can also serve content to clients. This functionality
reduces the cost by consolidating the Azure VMs. For more information, see Cost
for cloud management gateway.
Virtual machine
The cloud distribution point uses Azure Cloud Services as platform as a service
(PaaS). This service uses virtual machines (VMs) that incur compute costs.
Note
Charges are based on data flowing out of Azure (egress or download). Cloud
distribution point dataflows out of Azure consist of the software content that
clients download.
See the Azure bandwidth pricing details to help determine potential costs.
Pricing for data transfer is tiered. The more you use, the less you pay per gigabyte.
Content storage
Internet-based clients get Microsoft software update content from the Microsoft
Update cloud service at no charge. Don't distribute software update deployment
packages with Microsoft software updates to a cloud distribution point. Otherwise,
you'll incur data storage costs for content that clients never use.
Cloud distribution points with an Azure Resource Manager deployment use Azure
locally redundant storage (LRS). For more information, see Locally redundant
storage.
Other costs
Each cloud service has a dynamic IP address. Each distinct cloud distribution point
uses a new dynamic IP address. Adding additional VMs per cloud service doesn't
increase these addresses.
The site server connects to Azure to set up the cloud distribution point service
For more information on content location priority and when intranet-based clients use a
cloud distribution point, see Content source priority.
1. The management point gives the client an access token along with the list of
content sources. This token is valid for 24 hours, and gives the client access to the
cloud distribution point.
2. The management point responds to the client's location request with the Service
FQDN of the cloud distribution point. This property is the same as the common
name of the server authentication certificate.
If you're using your domain name, for example, WallaceFalls.contoso.com, then the
client first tries to resolve this FQDN. You need a CNAME alias in your domain's
internet-facing DNS for clients to resolve the Azure service name, for example:
WallaceFalls.cloudapp.net.
3. The client next resolves the Azure service name, for example,
WallaceFalls.cloudapp.net, to a valid IP address. This response should be handled
by Azure's DNS.
4. The client connects to the cloud distribution point. Azure load balances the
connection to one of the VM instances. The client authenticates itself using the
access token.
5. The cloud distribution point authenticates the client's access token, and then gives
the client the exact content location in Azure storage.
6. If the client trusts the cloud distribution point's server authentication certificate, it
connects to Azure storage to download the content.
Depending upon your topology design, if clients have the option of more than one
cloud distribution point for any given content, then they naturally randomize across
those cloud services. If you only distribute a certain piece of content to a single cloud
distribution point, and a large number of clients try to download this content at the
same time, this activity puts higher load on that single cloud distribution point. Adding
an additional cloud distribution point also includes a separate Azure storage service. For
more information on how the client communicates with the cloud distribution point
components and downloads content, see Ports and data flow.
The cloud distribution point uses two Azure VMs as the front end to the Azure storage.
This default deployment meets most customers' needs. In some extreme circumstances,
with a large number of concurrent client connections (for example, 150,000 clients), the
processing capacity of the Azure VMs can't keep up with the client requests. You can't
resize the Azure VMs used for the cloud distribution point. While you can't configure the
number of VM instances for the cloud distribution point in Configuration Manager, if
necessary, reconfigure the cloud service in the Azure portal. Either manually add more
VM instances, or configure the service to automatically scale.
Important
When you update Configuration Manager, the site redeploys the cloud service. If
you manually reconfigure the cloud service in the Azure portal, the number of
instances resets to the default of two.
The Azure storage service supports 500 requests per second for a single file.
Performance testing of a single cloud distribution point supported distribution of a
single 100-MB file to 50,000 clients in 24 hours.
Certificates
Depending upon your cloud distribution point design, you need one or more digital
certificates.
General information
Certificates for cloud distribution points support the following configurations:
When you configure Windows with the following policy: System cryptography:
Use FIPS compliant algorithms for encryption, hashing, and signing
Support for TLS 1.2. For more information, see Cryptographic controls technical
reference.
For more information, see CMG server authentication certificate, and the following
subsections, as necessary:
The cloud distribution point uses this type of certificate in the same way as the cloud
management gateway. Clients also need to trust this certificate. To reduce complexity,
Microsoft recommends using a certificate issued by a public provider.
Unless you use a wildcard certificate, don't reuse the same certificate. Each instance of
the cloud distribution point and cloud management gateway requires a unique server
authentication certificate.
For more information on creating this certificate from a PKI, see Deploy the service
certificate for cloud distribution points.
If your organization uses ExpressRoute, isolate the Azure subscription for the cloud
distribution point from the subscription that uses ExpressRoute. This configuration
ensures that the cloud distribution point isn't accidentally connected in this manner.
The Configuration Manager cloud distribution point currently doesn't support Azure
CDN.
Next steps
Install cloud distribution points
Install a cloud distribution point for
Configuration Manager
Article • 10/04/2022
Warning
The implementation for sharing content from Azure has changed. Use a content-
enabled cloud management gateway by enabling the option to Allow CMG to
function as a cloud distribution point and serve content from Azure storage. For
more information, see Modify a CMG.
Starting in version 2107, you can't create a traditional cloud distribution point
(CDP).
This article details the steps to install a Configuration Manager cloud distribution point
in Microsoft Azure. It includes the following sections:
Use the following checklist to make sure you have the necessary information and
prerequisites to create a cloud distribution point:
The site server can connect to Azure. If your network uses a proxy, configure the
site system role.
The Azure environment to use. For example, the Azure Public Cloud or the Azure
US Government Cloud.
Use the Azure Resource Manager deployment. It has the following requirements:
Integration with Azure Active Directory for Cloud Management. Azure AD user
discovery isn't required.
Tip
Before requesting the server authentication certificate that uses this service
name, confirm that the desired Azure domain name is unique. For example,
WallaceFalls.CloudApp.Net.
Don't create the service in the portal, just use this process to check the name
availability.
BranchCache
To enable a cloud distribution point to use Windows BranchCache, install the
BranchCache feature on the site server.
If the site server has an on-premises distribution point site system role, configure
the option in that role's properties to Enable and configure BranchCache. For
more information, see Configure a distribution point.
If the site server doesn't have a distribution point role, install the BranchCache
feature in Windows. For more information, see Install the BranchCache feature.
If you've already distributed content to a cloud distribution point, and then decide to
enable BranchCache, first install the feature. Then redistribute the content to the cloud
distribution point.
Set up
Warning
Starting in version 2107, this action isn't available. You can't create a traditional
cloud distribution point (CDP). Use a content-enabled cloud management gateway
by enabling the option to Allow CMG to function as a cloud distribution point
and serve content from Azure storage. For more information, see Modify a CMG.
Perform this procedure on the site to host this cloud distribution point as determined by
your design.
2. On the General page of the Create Cloud Distribution Point Wizard, configure the
following settings:
4. On the Settings page, specify the following settings, and then select Next:
Region: Select the Azure region where you want to create the cloud
distribution point.
Resource Group (Azure Resource Manager deployment method only)
Use existing: Select an existing resource group from the drop-down list.
Create new: Enter the new resource group name to create in your Azure
subscription.
Primary site: Select the primary site to distribute content to this distribution
point.
Certificate file: Select Browse and select the .PFX file for this cloud
distribution point's server authentication certificate. The common name from
this certificate populates the required Service FQDN and Service name fields.
Note
5. On the Alerts page, set up storage quotas, transfer quotas, and at what percentage
of these quotas you want Configuration Manager to generate alerts. Then select
Next.
Monitor installation
The site starts to create a new hosted service for the cloud distribution point. After you
close the wizard, monitor the installation progress of the cloud distribution point in the
Configuration Manager console. Also monitor the CloudMgr.log file on the primary site
server. If necessary, monitor the provisioning of the cloud service in the Azure portal.
Note
After it provisions the storage account, the service is created and configured.
Verify installation
Verify that the cloud distribution point installation is complete by using the following
methods:
If necessary, go to the Azure portal. The Deployment for the cloud distribution
point displays a status of Ready.
Configure DNS
Before clients can use the cloud distribution point, they must be able to resolve the
name of the cloud distribution point to an IP address that Azure manages. The
management point gives them the Service FQDN of the cloud distribution point. The
cloud distribution point exists in Azure as the Service name. See these values on the
Settings tab of the cloud distribution point properties.
Note
The Cloud Distribution Points node in the console includes a column named
Service Name, but actually shows the Service FQDN value. To see both values,
open Properties for the cloud distribution point and switch to the Settings tab.
The server authentication certificate common name should include your domain name.
This name is required when you purchase a certificate from a public provider. It's
recommended when issuing this certificate from your PKI. For example,
WallaceFalls.contoso.com. When you specify this certificate in the Create Cloud
Distribution Point Wizard, the common name populates the Service FQDN property
(WallaceFalls.contoso.com). The Service name takes the same hostname (WallaceFalls)
and appends it to the Azure domain name, cloudapp.net. In this scenario, clients need
to resolve your domain's Service FQDN (WallaceFalls.contoso.com) to the Azure
Service name (WallaceFalls.cloudapp.net). Create a CNAME alias to map these names.
Create CNAME alias
Create a canonical name record (CNAME) in your organization's public, internet-facing
DNS. This record creates an alias for the cloud distribution point's Service FQDN
property that clients receive, to the Azure Service name. For example, create a new
CNAME record for WallaceFalls.contoso.com to WallaceFalls.cloudapp.net.
1. The client gets the Service FQDN of the cloud distribution point in the list of
content sources. For example, WallaceFalls.contoso.com.
2. It queries DNS, which resolves the Service FQDN using the CNAME alias to the
Azure Service name. For example, WallaceFalls.cloudapp.net.
3. It queries DNS again, which resolves the Azure service name to the Azure public IP
address.
4. The client uses this IP address to start communication with the cloud distribution
point.
5. The cloud distribution point presents the server authentication certificate to the
client. The client uses the trust chain of the certificate to validate.
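The five steps above, replayed as an added Python example (not Configuration Manager code): the DNS records, the placeholder IP address and the certificate fields are constructed sample data. It also covers the two failure modes the text implies, a certificate issued for the cloudapp.net name instead of the Service FQDN, and an expired certificate.

```python
# Added example, not Configuration Manager code: replays the client-side name
# resolution and certificate check for a cloud distribution point. DNS records,
# IP address and certificate fields are constructed sample data.
from datetime import date

# Constructed zone: Service FQDN -> CNAME -> Azure Service name -> A record.
ZONE = {
    "wallacefalls.contoso.com.": ("CNAME", "WallaceFalls.cloudapp.net."),
    "wallacefalls.cloudapp.net.": ("A", "203.0.113.10"),  # placeholder public IP
}
# Constructed certificate fields as read from the presented certificate (step 5).
GOOD_CERT = {"cn": "WallaceFalls.contoso.com", "san": [], "not_after": date(2024, 1, 1)}
# Common mistake: certificate issued for the Azure Service name instead.
AZURE_NAME_CERT = {"cn": "WallaceFalls.cloudapp.net", "san": [], "not_after": date(2024, 1, 1)}


def resolve(name, zone=ZONE, max_hops=5):
    """Steps 2-3: follow CNAME records until an A record yields an IP address."""
    chain = []
    for _ in range(max_hops):
        rec = zone.get(name.lower().rstrip(".") + ".")
        if rec is None:
            raise LookupError(f"no DNS record for {name}")
        rtype, value = rec
        chain.append(rtype)
        if rtype == "A":
            return value, chain
        name = value  # CNAME: keep resolving the alias target
    raise LookupError("CNAME chain too long")


def name_matches(pattern, host):
    """Exact match or a single leftmost wildcard label, case-insensitive."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 3:
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h


def cert_accepts(cert, service_fqdn, today):
    """Step 5: the client checks the certificate against the Service FQDN it was
    given by the management point, never against the CNAME target."""
    if today > cert["not_after"]:
        return False, "expired: clients won't trust the service"
    names = cert["san"] or [cert["cn"]]  # SAN entries take precedence over CN
    if any(name_matches(n, service_fqdn) for n in names):
        return True, "ok"
    return False, f"{service_fqdn} not covered by {names}"
```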
Default client settings automatically enable clients to use cloud distribution points.
Control access to all cloud distribution points in your hierarchy with the following client
setting:
In the Cloud Settings group, modify the setting Allow access to cloud distribution
points.
Modify and deploy this setting for both users and devices.
When you view the list of cloud distribution points in the console, you can add
additional columns to the list. For example, the Data egress column shows the amount
of data clients downloaded from the service in the last 30 days.
Alerts
Configuration Manager periodically checks the Azure service. If the service isn't active, or
if there are subscription or certificate issues, Configuration Manager raises an alert.
Configure thresholds for the amount of data that you want to store on the cloud
distribution point, and for the amount of data that clients download from the
distribution point. Use alerts for these thresholds to help you decide when to stop or
delete the cloud service, adjust the content that you store on the cloud distribution
point, or modify which clients can use the service.
Storage alert threshold: The storage alert threshold sets an upper limit in GB on
the amount of data or content that you want to store on the cloud distribution point.
By default, this threshold is 2,000 GB. Configuration Manager generates warning
and critical alerts when the remaining free space reaches the levels that you
specify. By default, these alerts occur at 50% and 90% of the threshold.
Monthly transfer alert threshold: The monthly transfer alert threshold helps you to
monitor the amount of content that transfers from the distribution point to clients
for a 30-day period. By default, this threshold is 10,000 GB. The site raises warning
and critical alerts when transfers reach values that you define. By default, these
alerts occur at 50% and 90% of the threshold.
Important
Configuration Manager monitors the transfer of data, but does not stop the
transfer of data beyond the specified transfer alert threshold.
Specify thresholds for each cloud distribution point during installation, or use the Alerts
tab of the cloud distribution point properties.
Note
Alerts for a cloud distribution point depend on usage statistics from Azure, which
can take up to 24 hours to become available. For more information about Storage
Analytics for Azure, see Storage Analytics.
In an hourly cycle, the primary site that monitors the cloud distribution point downloads
transaction data from Azure. It stores this transaction data in the
CloudDP-<ServiceName>.log file on the site server. Configuration Manager then evaluates
this information against the storage and transfer quotas for each cloud distribution point.
When the transfer of data reaches or exceeds the specified volume for either warnings
or critical alerts, Configuration Manager generates the appropriate alert.
Warning
Because the site downloads information about data transfers from Azure every
hour, the usage might exceed a warning or critical threshold before Configuration
Manager can access the data and raise an alert.
Modify
View high-level information about the distribution point in the Cloud Distribution
Points node under Cloud Services in the Administration workspace of the
Configuration Manager console. Select a distribution point and select Properties to see
more details.
When you edit the properties of a cloud distribution point, the following tabs include
settings to edit:
Settings
Description
Certificate file: Before the server authentication certificate expires, issue a new
certificate with the same common name. Then add the new certificate here for the
service to start using. If the certificate expires, clients won't trust and use the
service.
Alerts
Adjust the data thresholds for storage and monthly transfer alerts.
Content
Manage content the same as for an on-premises distribution point.
If you have an existing cloud distribution point on the classic deployment method, in
order to use the Azure Resource Manager deployment method you need to deploy a
new cloud distribution point. There are two options:
1. First delete the classic cloud distribution point. If there isn't another cloud
distribution point, then clients may not be able to get content.
Tip
When you stop a cloud distribution point, the cloud service doesn't delete the content
from the storage account. It also doesn't prevent the site server from transferring
additional content to the cloud distribution point. The management point still returns
the cloud distribution point to clients as a valid content source.
2. Select the cloud distribution point. To stop the cloud service that runs in Azure,
select Stop service in the ribbon.
When you delete a cloud distribution point from a hierarchy, Configuration Manager
removes the content from the cloud service in Azure.
Manually removing any components in Azure causes the system to be inconsistent. This
state leaves orphaned information, and unexpected behaviors may occur.
Advanced troubleshooting
If you need to collect diagnostic logging from the Azure VMs to help troubleshoot
problems with your cloud distribution point, use the following PowerShell sample to
enable the service diagnostic extension for the subscription:
PowerShell
# Change these variables for your Azure environment. The current values are
# provided as examples. You can find the values for these from the Azure portal.
$storage_name="4780E3836835850223C071" # The name of the storage account that goes with the CloudDP
$key="3jSyvMssuTyAyj5jWHKtf2bV5JF^aDN%z%2g*RImGK8R4vcu3PE07!P7CKTbZhT1Sxd3l^t69R8Cpsdl1xhlhZtl" # The storage access key from the Storage Account view
$service_name="4780E3836835850223C071" # The name of the cloud service for the CloudDP, which for a Cloud DP is the same as the storage name
$azureSubscriptionName="8ba1cb83-84a2-457e-bd37-f78d2dd371ee" # The subscription name the tenant is using
# This variable is the path to the config file on the local computer.
$public_config="F:\PowerShellDiagFile\diagnostics.wadcfgx"

Select-AzureSubscription $azureSubscriptionName
XML
<PublicConfig xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration">
  <WadCfg>
    <DiagnosticMonitorConfiguration overallQuotaInMB="4096">
      <Directories scheduledTransferPeriod="PT1M">
      </Directories>
      <WindowsEventLog scheduledTransferPeriod="PT1M">
      </WindowsEventLog>
      <Logs scheduledTransferPeriod="PT1M" scheduledTransferLogLevelFilter="Information" />
      <CrashDumps dumpType="Full">
      </CrashDumps>
      <PerformanceCounters scheduledTransferPeriod="PT1M">
        <PerformanceCounterConfiguration counterSpecifier="\Memory\Available MBytes" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\Web Service(_Total)\ISAPI Extension Requests/sec" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\Web Service(_Total)\Bytes Total/Sec" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\ASP.NET Applications(__Total__)\Requests/Sec" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\ASP.NET Applications(__Total__)\Errors Total/Sec" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\ASP.NET\Requests Queued" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\ASP.NET\Requests Rejected" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\Processor(_Total)\% Processor Time" sampleRate="PT3M" />
      </PerformanceCounters>
    </DiagnosticMonitorConfiguration>
  </WadCfg>
</PublicConfig>