Mem Configmgr Core

This document provides an overview of Microsoft Configuration Manager and resources for getting help with Configuration Manager: - Configuration Manager is a systems management solution for deploying software and managing devices. It is now part of the Microsoft Intune family of products along with Intune, Endpoint Analytics, and Autopilot. - The main interfaces for administering Configuration Manager are the Configuration Manager console and Software Center application. - Resources for getting help with Configuration Manager include providing feedback directly in the product, searching the documentation library, following the product blog, and understanding support options.

Uploaded by

José Adail Maia
Copyright
© All Rights Reserved

Core infrastructure documentation


Fundamental information about the Configuration Manager product, including site
servers and clients.

About core infrastructure

OVERVIEW

What is Configuration Manager?

Microsoft Configuration Manager FAQ

What's new

Technical preview

GET STARTED

Use the console

Use Software Center

Use the docs

Find help

Get started

ARCHITECTURE

Supported configurations

Support for Windows 11

Site prerequisites

DEPLOY

Updates and servicing

Install in-console updates

Deploy clients
Migrate between hierarchies

Top tasks

HOW-TO GUIDE

Enable TLS 1.2

CMPivot

Overview of cloud management gateway (CMG)

Enhanced HTTP

REFERENCE

Log files

Ports

Client settings

Tools

What is Configuration Manager?
Article • 03/02/2023

Applies to: Configuration Manager (current branch)

Configuration Manager is part of the Microsoft Intune family of products.

The Microsoft Intune family of products is an integrated solution for managing all of
your devices. Microsoft brings together Configuration Manager and Intune, without a
complex migration, and with simplified licensing. Continue to leverage your existing
Configuration Manager investments, while taking advantage of the power of the
Microsoft cloud at your own pace.

The following Microsoft management solutions are all now part of the Microsoft Intune
brand:

Configuration Manager
Intune
Endpoint analytics
Autopilot

For more information, see Microsoft Configuration Manager FAQ.

Introduction
Use Configuration Manager to help you with the following systems management
activities:

Increase IT productivity and efficiency by reducing manual tasks and letting you
focus on high-value projects.
Maximize hardware and software investments.
Empower user productivity by providing the right software at the right time.

Configuration Manager helps you deliver more effective IT services by enabling:

Secure and scalable deployment of applications, software updates, and operating
systems.
Real-time actions on managed devices.
Cloud-powered analytics and management for on-premises and internet-based
devices.
Compliance settings management.
Comprehensive management of servers, desktops, and laptops.

Configuration Manager extends and works alongside many Microsoft technologies and
solutions. For example, Configuration Manager integrates with:

Microsoft Intune to co-manage a wide variety of mobile device platforms
Microsoft Azure to host cloud services to extend your management services
Windows Server Update Services (WSUS) to manage software updates
Certificate Services
Exchange Server and Exchange Online
Group Policy
DNS
Windows Automated Deployment Kit (Windows ADK) and the User State Migration
Tool (USMT)
Windows Deployment Services (WDS)
Remote Desktop and Remote Assistance

Configuration Manager also uses:

Active Directory Domain Services and Azure Active Directory for security, service
location, configuration, and to discover the users and devices that you want to
manage.
Microsoft SQL Server as a distributed change management database—and
integrates with SQL Server Reporting Services (SSRS) to produce reports to
monitor and track management activities.
Site system roles that extend management functionality and use the web services
of Internet Information Services (IIS).
Delivery Optimization, Windows Low Extra Delay Background Transport (LEDBAT),
Background Intelligent Transfer Service (BITS), BranchCache, and other peer
caching technologies to help manage content on your networks and between
devices.

To be successful with Configuration Manager in a production environment, thoroughly
plan and test the management features. Configuration Manager is a powerful
management application, with the potential to affect every computer in your
organization. When you deploy and manage Configuration Manager with careful
planning and consideration of your business requirements, Configuration Manager can
reduce your administrative overhead and total cost of ownership.

User interfaces

The Configuration Manager console

After you install Configuration Manager, use the Configuration Manager console to
configure sites and clients, and to run and monitor management tasks. This console is
the main point of administration, and lets you manage multiple sites.

You can install the Configuration Manager console on additional computers, and restrict
access and limit what administrative users can see in the console by using Configuration
Manager role-based administration.

For more information, see Use the Configuration Manager console.

Software Center
Software Center is an application that's installed when you install the Configuration
Manager client on a Windows device. Users use Software Center to request and install
software that you deploy. Software Center lets users do the following actions:

Browse for and install applications, software updates, and new OS versions
View their software request history
View device compliance against your organization's policies

You can also show custom tabs in Software Center to meet additional business
requirements.

For more information, see the Software Center user guide.

Next steps
Before you install Configuration Manager, familiarize yourself with the basic concepts
and terms:

If you're familiar with System Center 2012 Configuration Manager, see What's
changed from System Center 2012 Configuration Manager.

For a high-level technical overview of Configuration Manager, see Fundamentals of
Configuration Manager.

When you're familiar with the basic concepts, use this documentation library to help you
successfully deploy and use Configuration Manager. Start with the following articles:

Features and capabilities of Configuration Manager
Choose a device management solution
Evaluate Configuration Manager by building your own lab environment
Find help for using Configuration Manager

Microsoft Configuration Manager FAQ
FAQ

Applies to: Configuration Manager (current branch, technical preview branch)

Configuration Manager is part of the Microsoft Intune family of products. This article
provides answers to frequently asked questions.

What is the Microsoft Intune family of products?
The Microsoft Intune family of products is an integrated solution for managing all of
your devices. Microsoft brings together Configuration Manager and Intune with
simplified licensing. Continue to use your existing Configuration Manager investments,
while taking advantage of the power of the Microsoft cloud at your own pace.

The following Microsoft management solutions are all now part of the Microsoft Intune
brand:

Configuration Manager
Intune
Desktop Analytics
Autopilot

What things change in Configuration Manager and the Microsoft Intune family of products?
Aside from the name change, Configuration Manager still functions the same.

Most notably, the Start menu folder names changed for common components, such as
the Configuration Manager console and Software Center.

How do we refer to the product now?

When referring to the entire solution that includes all components: Microsoft
Intune family of products

When referring to the on-premises component:

On first reference, use the full brand name: Microsoft Configuration Manager
For general use: Configuration Manager
For space-constrained use: ConfigMgr, only in instances where the general use
name doesn't fit

Are there any licensing changes?

If you're licensed for Configuration Manager, then you're also licensed for Intune to
co-manage your Windows PCs. For more information, see the Product and licensing FAQ.

Why do I still see "System Center Configuration Manager" in some places?
It takes time to make changes across all products, services, and supporting materials like
documentation.

There are also some fundamental components that may never change. The main
Windows service on site servers is still SMS_Executive.

Next steps
Learn about what's new in Configuration Manager incremental versions.

Find help for using Configuration Manager
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

There are several resources that you can use to find help with Configuration Manager.
Whether you're just getting started or an experienced administrator, use the following
resources when you need assistance:

Send a smile or file a frown with product feedback

Search the product documentation

Follow the Configuration Manager team blog

Understand support options and community resources

For help with product accessibility, see Accessibility features.

To get support for co-management, tenant attach, and analytics features, see How to
get support in Microsoft Intune admin center.

Product feedback
From the Configuration Manager console, you can share feedback directly to the
Microsoft product group. In the upper right corner of the console, select the smiley face
icon. There are three types of feedback:

Send a smile: Send feedback on what you liked.

Send a frown: Send feedback on what you didn't like, and how Microsoft can
improve it.

Send a suggestion: Open the Configuration Manager product feedback site to
share your idea.

For more information, see Product feedback.

Product documentation
To access the most current product documentation, start at the library index.

For tips on searching, providing feedback, and more information about using the
product documentation, see How to use the docs.

Configuration Manager team blog

The engineering and partner teams use the Configuration Manager blog to provide
you with technical information and other news about Configuration Manager and
related technologies. Our blog posts supplement the product documentation and
support information.

Support options and community resources

The following links provide information about support options and community
resources:

Microsoft support

Configuration Manager forums on Microsoft Q&A

Configuration Manager Community: Configuration Manager (Current Branch) Survival Guide

Next steps
Product feedback

Accessibility features

How to use the docs

How to use the console

Software Center user guide

How to get support in Microsoft Intune admin center

Product feedback for Configuration Manager
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

From the Configuration Manager console, you can share feedback directly to the
Microsoft product group. In the upper right corner of the console, select the feedback
icon. There are three types of feedback:

Send a smile (ALT + SHIFT + 7): Send feedback on what you liked.

Send a frown (ALT + SHIFT + 8): Send feedback on what you didn't like, and how
Microsoft can improve it.

Send a suggestion (ALT + SHIFT + 9): Open the Configuration Manager product
feedback website to share your idea. For more information, see Send a suggestion.

Contact support (ALT + SHIFT + 0): Opens the Microsoft support for business
portal.

When using the feedback wizard from the console, the following items are displayed
where needed:

A description of the feedback is required
Select from a list of issue categories for the console workspace
It includes tips for how to write useful feedback
You can attach additional files
A summary page displays your feedback ID, and includes any error messages with
suggestions to resolve them.

Note

This wizard is in the Configuration Manager console. Support Center has a similar
feedback experience.

Recent changes to feedback

Starting in version 2203, you have the ability to connect feedback you send to Microsoft
through the Configuration Manager console to an authenticated Azure Active Directory
(Azure AD) user account or Microsoft Account (MSA). User authentication will help
Microsoft ensure the privacy of your feedback and diagnostic data. Currently, Azure AD
authentication for government clouds isn't available. After selecting either Send a smile
or Send a frown:

1. Select Sign in and sign in with either your Azure AD user account or your Microsoft
account.

Selecting Continue without signing in will allow you to send feedback, but
we won't be able to contact you with questions or updates unless you
provide an e-mail address.

2. Once you're signed in, select Next then provide your feedback. If you need to use
a different account, you can select Sign out to start again.

Starting in version 2203, the feedback button is displayed in additional console
locations. You can also use the keyboard shortcuts for Send a smile and Send a frown
from more locations in the console.

Starting in Configuration Manager 2111, when you Report error to Microsoft the error
information included with the feedback can't be altered or removed. Wizards and some
property pages also include an icon to provide feedback allowing you to quickly send
feedback right from your current activity.

Starting in version 2107, error messages include a link to Report error to Microsoft. This
action opens the standard send a frown window to provide feedback. It automatically
includes details about the user interface and the error to better help Microsoft engineers
diagnose the error. Aside from making it easier to send a frown, it also includes the full
context of the error message when you share a screenshot.

Prerequisites
Update the Configuration Manager console to the latest version.

On the computer where you run the console, allow it to access the following internet
endpoints to send diagnostic data to Microsoft:

petrol.office.microsoft.com

ceuswatcab01.blob.core.windows.net

ceuswatcab02.blob.core.windows.net

eaus2watcab01.blob.core.windows.net

eaus2watcab02.blob.core.windows.net

weus2watcab01.blob.core.windows.net

weus2watcab02.blob.core.windows.net

umwatsonc.events.data.microsoft.com

*-umwatsonc.events.data.microsoft.com
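A quick reachability check for that allow-list, added here as an example and not taken from the Microsoft documentation. It assumes the endpoints are reached over HTTPS on TCP 443 and that the console host connects directly; the wildcard entry can only be expressed as a proxy or firewall rule, so the check reports it without probing it.

```powershell
# Added example (not Microsoft's code): probe TCP 443 to the diagnostic-data
# endpoints the console needs for feedback. Assumption: HTTPS on port 443.
$feedbackEndpoints = @(
    'petrol.office.microsoft.com'
    'ceuswatcab01.blob.core.windows.net'
    'ceuswatcab02.blob.core.windows.net'
    'eaus2watcab01.blob.core.windows.net'
    'eaus2watcab02.blob.core.windows.net'
    'weus2watcab01.blob.core.windows.net'
    'weus2watcab02.blob.core.windows.net'
    'umwatsonc.events.data.microsoft.com'
    '*-umwatsonc.events.data.microsoft.com'   # wildcard: allow-list entry, cannot be probed directly
)

function Test-FeedbackEndpoint {
    param(
        [Parameter(Mandatory)][string[]]$HostName,
        [int]$Port = 443
    )
    foreach ($h in $HostName) {
        if ($h.StartsWith('*')) {
            # A wildcard name only makes sense as a proxy/firewall rule; report it unprobed
            [pscustomobject]@{ HostName = $h; Port = $Port; Reachable = $null; Note = 'wildcard; add to allow-list' }
            continue
        }
        $result = Test-NetConnection -ComputerName $h -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            HostName  = $h
            Port      = $Port
            Reachable = $result.TcpTestSucceeded
            Note      = if ($result.TcpTestSucceeded) { '' } else { 'blocked, unresolved, or proxy-only egress' }
        }
    }
}

Test-FeedbackEndpoint -HostName $feedbackEndpoints | Format-Table -AutoSize
```

Test-NetConnection opens a direct socket, so on a network where egress is only allowed through an explicit proxy a failed row means "check the proxy or firewall rule for this name", not that the endpoint is down; the console itself may still succeed through the proxy.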

Send a smile
To send feedback on something that you like about Configuration Manager:

1. In the upper-right corner of the Configuration Manager console, select the
feedback icon. Choose Send a smile.

2. On the first page of the Provide feedback wizard:

Tell us what you liked: Enter a detailed description of why you're filing this
feedback.

You can contact me about this feedback: To allow Microsoft to contact you
about this feedback if necessary, select this option and specify a valid email
address.

Include screenshot: Select this option to add a screenshot. By default it uses
the full screen; select Refresh to capture the latest image. Select Browse to
select a different image file.

3. Select Next to send the feedback. You may see a progress bar as it packages the
content to send.

4. When the progress is complete, select Details to see the transaction ID or any
errors that occurred.


Send a frown
Before you file a frown, prepare your information:

If you have multiple issues, send a separate report for each issue. Don't include
multiple issues in a single report.

Provide clear details on the issue. Share any research that you've gathered so far.
More detailed information is better to help Microsoft investigate and diagnose the
issue.

Do you need immediate assistance? If so, contact Microsoft support for urgent
issues. For more information, see Support options and community resources.

Is this feedback a suggestion to improve the product? If so, share a new idea
instead. For more information, see Send a suggestion.

Is the issue with the product documentation? You can file feedback directly on the
documentation. For more information, see Doc feedback.

To send feedback on something that you didn't like about the Configuration Manager
product:

1. In the upper-right corner of the Configuration Manager console, select the
feedback icon. Choose Send a frown.

2. On the first page of the Provide feedback wizard:

Issue category: Select a category that's most appropriate for your issue.

Describe your issue with as much detail as possible.

You can contact me about this feedback: To allow Microsoft to contact you
about this feedback if necessary, select this option and specify a valid email
address.

3. On the Add more details page of the wizard:

Include screenshot: Select this option to add a screenshot. By default it uses
the full screen; select Refresh to capture the latest image. Select Browse to
select a different image file.

Include additional files: Select Attach and add log files, which can help
Microsoft better understand the issue. To remove all attached files from your
feedback, select Clear all. To remove individual files, select the delete icon to
the right of the file name.

4. Select Next to send the feedback. You may see a progress bar as it packages the
content to send.

5. When the progress is complete, select Details to see the transaction ID or any
errors that occurred.

If you don't have internet connectivity:

The Provide feedback wizard still packages your feedback and files.

The final summary page shows an error that it couldn't send the feedback.

Select the option to Save a copy of feedback and attachments. For more
information on how to send it to Microsoft, see Send feedback that you saved for
later submission.

If the Provide feedback wizard successfully submits your feedback, but fails to send the
attached files, use the same instructions for no internet connectivity.

Send a suggestion
When you Send a suggestion, it opens the Feedback for Configuration Manager site.

For more information, including the different status values, see How Microsoft uses
feedback.

Status messages
When you Send a smile or Send a frown, it creates a status message when you submit
the feedback. This message provides a record of:

When you submitted the feedback
Who submitted it
The feedback ID
The message ID, which identifies whether the feedback submission was successful:
53900: Success
53901: Failed

You can use the built-in status message query, Feedback sent to Microsoft to easily
display these status messages. You can also display status messages in the Monitoring
workspace, under System Status in the Status Message Queries node. Start with the All
Status Messages query and select your time frame. When the messages load, select
Filter messages, and filter for message ID 53900 or 53901. If you create feedback that
you save for later submission, the site doesn't create a status message.
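The same lookup run from PowerShell against the SMS Provider over CIM, added here as an example and not part of the Microsoft documentation. It assumes the usual SMS Provider namespace root\SMS\site_<SiteCode> and the SMS_StatusMessage class with MessageID and Time properties; the server name and site code are placeholders for your own environment.

```powershell
# Added example (not Microsoft's code): pull the feedback status messages
# (53900 = success, 53901 = failed) from the SMS Provider over CIM instead of
# filtering the All Status Messages query in the console.
# Assumptions: namespace root\SMS\site_<SiteCode>, class SMS_StatusMessage;
# $ProviderServer and $SiteCode are placeholders.
param(
    [string]$ProviderServer = 'CM01',   # placeholder: SMS Provider host
    [string]$SiteCode       = 'PS1',    # placeholder: site code
    [int]$Days              = 7
)

$namespace = "root\SMS\site_$SiteCode"

# WQL compares CIM datetimes in DMTF form (yyyymmddHHMMSS.ffffff+UUU)
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddDays(-$Days))

# WQL has no IN operator, so OR the two message IDs together
$query = "SELECT * FROM SMS_StatusMessage " +
         "WHERE (MessageID = 53900 OR MessageID = 53901) AND Time >= '$since'"

Get-CimInstance -ComputerName $ProviderServer -Namespace $namespace -Query $query |
    Select-Object @{ Name = 'Result'; Expression = { if ($_.MessageID -eq 53900) { 'Success' } else { 'Failed' } } },
                  MessageID, Time, MachineName, Component, SiteCode |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

The account running the query needs rights to the SMS Provider, which role-based administration scopes in the same way as the console; a 53901 row with no matching 53900 later is the signal to retry or to fall back to the saved-feedback path described below.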

Information sent with feedback

When you Send a smile or Send a frown, the feedback includes the following
information:

OS build information
Configuration Manager support ID, also known as the hierarchy ID

Product build information

Language information

Device identifier: HKLM\SOFTWARE\Microsoft\SQMClient:MachineId

Send feedback that you saved for later submission
You can save your feedback locally and submit it later. Use this process if the current
computer doesn't have internet access.

1. At the bottom of the Provide feedback window, select Save a copy of feedback
and attachments.

2. Save the .zip file. If the local machine doesn't have internet access, copy the file to
an internet-connected machine.

3. If needed, copy the UploadOfflineFeedback folder from the site server located at
cd.latest\SMSSETUP\Tools\UploadOfflineFeedback\.

Note

For more information about the cd.latest folder, see the CD.Latest folder.

4. On an internet-connected machine, open a command prompt.

5. Run the following command: UploadOfflineFeedback.exe -f c:\folder\location_of.zip

UploadOfflineFeedback tool usage

The UploadOfflineFeedback tool supports the following command-line parameters:

-f, --file (Required): The path to the saved feedback file to send.

-t, --timeout: Timeout in seconds for sending the data. 0 is unlimited. Default is 30.

-s, --silent: Don't log any output to the command prompt. You can't combine
this parameter with --verbose.

-v, --verbose: Log verbose output to the command prompt. You can't combine
this parameter with --silent.

--help: Display this usage information.

--version: Display the tool version.

The UploadOfflineFeedback utility supports the use of a proxy server. You can specify
the following parameters:

-x, --proxy: Specify the proxy server address.

-o, --port: Specify the port for the proxy server.

-u, --user: Specify the user name to authenticate to the proxy server.

-w, --password: Specify the password for the specified user name. If you use an
asterisk (*), the tool prompts for the password, and the password isn't displayed in
the prompt. The asterisk is recommended: including the password in plain text on the
command line is less secure.

-i, --SkipConnectionCheck: Skips the network connection check, and just starts to
upload the feedback with the specified settings.
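A wrapper that drives the tool with those parameters from PowerShell, added here as an example and not part of the Microsoft documentation. The tool path, proxy host and proxy user are placeholders, and treating a non-zero exit code as failure is an assumption, since the page doesn't document exit codes.

```powershell
# Added example (not Microsoft's code): run UploadOfflineFeedback.exe with the
# documented parameters, prompting for the proxy password (-w *) instead of
# putting it on the command line. Assumptions: tool path, proxy and user are
# placeholders; a non-zero exit code is treated as failure.
function Send-SavedFeedback {
    param(
        [Parameter(Mandatory)][string]$ZipPath,
        [string]$ToolPath = 'C:\Tools\UploadOfflineFeedback\UploadOfflineFeedback.exe',  # placeholder
        [string]$Proxy,                  # e.g. proxy.contoso.local (placeholder)
        [int]$ProxyPort = 8080,
        [string]$ProxyUser,
        [int]$TimeoutSeconds = 30,
        [switch]$SkipConnectionCheck
    )
    if (-not (Test-Path -LiteralPath $ZipPath))  { throw "Feedback file not found: $ZipPath" }
    if (-not (Test-Path -LiteralPath $ToolPath)) { throw "Tool not found: $ToolPath" }

    # --verbose so the FeedbackID is written to the console; --silent would suppress it
    $toolArgs = @('--file', $ZipPath, '--timeout', $TimeoutSeconds, '--verbose')

    if ($Proxy) {
        $toolArgs += @('--proxy', $Proxy, '--port', $ProxyPort)
        if ($ProxyUser) {
            # '*' makes the tool prompt for the password, so the secret never lands
            # in the command line, the process list, or the shell history
            $toolArgs += @('--user', $ProxyUser, '--password', '*')
        }
    }
    if ($SkipConnectionCheck) { $toolArgs += '--SkipConnectionCheck' }

    # Output is left on the console so the password prompt stays visible
    & $ToolPath @toolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "UploadOfflineFeedback.exe exited with code $LASTEXITCODE"
    }
}

# Usage: run from an interactive session, because the tool prompts for the proxy password
Send-SavedFeedback -ZipPath 'C:\feedback\feedback.zip' -Proxy 'proxy.contoso.local' -ProxyUser 'svc_proxy'
```

Because the asterisk form prompts, the wrapper is for an interactive session rather than a scheduled task; the FeedbackID printed by the tool is the value to keep for any follow-up with Microsoft.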

Confirmation of console feedback

When you send feedback, it shows a confirmation message. This message includes a
Feedback ID, which you can give to Microsoft as a tracking identifier.

In the Provide feedback window from the console, it displays the feedback ID on
the final page. To copy it, select the copy icon next to the ID, or use the CTRL + C
key shortcut. This ID isn't stored on your computer, so make sure to copy it before
you close the window.

The status message includes the feedback ID.

The UploadOfflineFeedback command tool writes the FeedbackID to the console
unless you use --silent.

Feedback for Support Center

If you have feedback on Support Center, use the following instructions:

1. In the upper right corner of the application, select the smiley face.

2. In the drop-down menu, select Send a smile or Send a frown.

If you select Send a suggestion, you will be taken to the feedback portal. For
more information, see Send a suggestion.

3. Use the text box to explain what you liked or what you didn't like.

4. Choose if you would like to share your e-mail address and a screenshot.

5. Select Submit Feedback.

Feedback for PowerShell

If you have feedback on the Configuration Manager PowerShell cmdlets, use the same
options in the Configuration Manager console to send feedback.

When you send a frown, include the following additional information specific to
PowerShell:

The exact script or command syntax that you used so that Microsoft can try to
reproduce the issue.

What behavior you expected compared to the actual behavior.

The full output when you run it with the Verbose common parameter.

The version and path of the ConfigurationManager module. For example, include
the output of the following commands:

PowerShell

(Get-Module -Name ConfigurationManager).Version

(Get-Module -Name ConfigurationManager).Path

If a cmdlet returns an error, use the following command to get exception details:

PowerShell

$Error[0].Exception | Format-List * -Force
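One way to gather everything this section asks for in one attachment, together with the device identifier listed under "Information sent with feedback", added here as an example and not part of the Microsoft documentation. It assumes the ConfigurationManager module is already imported in the session (for example after connecting via PowerShell from the console) and that the device identifier lives at HKLM\SOFTWARE\Microsoft\SQMClient:MachineId as the page states.

```powershell
# Added example (not Microsoft's code): capture the exact command, its -Verbose
# output, the ConfigurationManager module version and path, the last exception,
# and the device identifier from HKLM\SOFTWARE\Microsoft\SQMClient:MachineId
# into one text file to attach to a Send a frown report.
# Assumption: the ConfigurationManager module is already imported.
function New-CMFeedbackReport {
    param(
        [Parameter(Mandatory)][scriptblock]$Command,
        [string]$OutFile = (Join-Path $env:TEMP 'cm-powershell-feedback.txt')
    )
    $module = Get-Module -Name ConfigurationManager

    # Run the command with verbose output enabled, merging every stream into one transcript
    $output = & {
        $VerbosePreference = 'Continue'
        try { & $Command } catch { $_ }
    } *>&1 | Out-String

    # Exception details, as the docs suggest, for the most recent error
    $lastError = if ($Error.Count -gt 0) {
        $Error[0].Exception | Format-List * -Force | Out-String
    } else { '(none)' }

    $machineId = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SQMClient' `
        -Name MachineId -ErrorAction SilentlyContinue).MachineId

    $report = @"
Command:        $($Command.ToString().Trim())
Module version: $($module.Version)
Module path:    $($module.Path)
PowerShell:     $($PSVersionTable.PSVersion)
OS build:       $([System.Environment]::OSVersion.Version)
MachineId:      $machineId

--- Verbose output ---
$output
--- Last exception ---
$lastError
"@
    Set-Content -LiteralPath $OutFile -Value $report -Encoding UTF8
    Get-Item -LiteralPath $OutFile
}

# Usage: wrap the failing cmdlet, then attach the resulting file in the Send a frown wizard
New-CMFeedbackReport -Command { Get-CMSite -Verbose }
```

Read the file before attaching it: verbose cmdlet output can include site server names, site codes and other environment details, so trim anything your organisation doesn't want to send along with the report.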

Next steps
How to use the docs

How to use the console

How to get support in Microsoft Intune admin center

How to use Microsoft Intune documentation
Article • 09/27/2022

This article provides resources and tips for using the Microsoft Intune product family
documentation library. It applies to Configuration Manager, Microsoft Intune, Endpoint
analytics, and Autopilot, and covers the following areas:

How to search
Submitting doc bugs, enhancements, questions, and new ideas
How to get notified of changes
How to contribute to documentation on Microsoft Learn

For general help and support, see:

Find help for Configuration Manager

Get support in Microsoft Intune

Tip

Also visit the Documentation node in the Community workspace of the
Configuration Manager console. This node includes up-to-date information about
Configuration Manager documentation and support articles. For more information,
see Using the Configuration Manager console.

Information in this article also applies to the Configuration Manager PowerShell
documentation in the sccm-docs-powershell-ref repository.

Search
Use the following search tips to help you find the information that you need:

When using your preferred search engine to locate content, include a keyword
along with your search keywords. For example, ConfigMgr for Configuration
Manager and Intune for Intune.

Look for results from learn.microsoft.com/mem. Results from
learn.microsoft.com/previous-versions, technet.microsoft.com, or
msdn.microsoft.com are for older product versions.


To further focus the search results to the current content library, include
site:learn.microsoft.com in your query to scope the search engine.

Use search terms that match terminology in the user interface and online
documentation. Avoid unofficial terms or abbreviations that you might see in
community content. For example, search for:
"management point" rather than "MP"
"deployment type" rather than "DT"
"Intune management extension" rather than "IME"

To search within the current article, use your browser's Find feature. With most
modern web browsers, press Ctrl+F and then enter your search terms.

Each article on learn.microsoft.com includes the following fields to assist with
searching the content:

Search in the upper right corner. To search all articles, enter terms in this field.
Articles in this content library automatically include one of the following search
scopes: ConfigMgr , Intune , or Autopilot .

Filter by title above the left table of contents. To search the current table of
contents, enter terms in this field. This field only matches terms that appear in
the article titles for the current node. For example, Configuration Manager Core
Infrastructure (learn.microsoft.com/mem/configmgr/core) or Intune Apps
(https://learn.microsoft.com/mem/intune/apps/). The last item in the search
results gives you the option to search for the terms in the entire content library.

Having problems finding something? File feedback! When you file an issue about search
results, provide the search engine you're using, the keywords you tried, and the target
article. This feedback helps Microsoft optimize the content for better search.

Add a custom search engine


With many modern web browsers, you can create a custom search engine. Use this
feature to quickly and easily search learn.microsoft.com . For example, with Microsoft
Edge, version 77 and later, use the following process:

1. In Microsoft Edge, version 77 and later, open Settings.

2. In the left menu, select Privacy, search, and services.

3. Scroll to the bottom of the Services group and select Address bar and search.

4. Select Manage search engines.

5. Select Add and specify the following information:

Search engine: Enter a friendly name to identify it in the list of search
engines. For example, Microsoft Learn.

Keyword: Specify a short term to use in the address bar to activate this search
engine. For example, memdocs .

URL with %s in place of query: For example,

url
https://learn.microsoft.com/search/index?search=%s&scope=ConfigMgr

Note

This example is specific to the ConfigMgr scope. You can remove the
scope variable to search all learn.microsoft.com or use a different
scope.

The Microsoft technical documentation search engine requires a locale
in the address. For example, en-us. You can change your entry to use a
different locale.

After you add this search engine, type your keyword in the browser address bar, press
Tab, then type your search terms, and press Enter. It will automatically search Microsoft
technical documentation for your specified terms using the defined scope.

About feedback
Select the Feedback link in the upper right of any article to go to the Feedback section
at the bottom. Feedback is integrated with GitHub Issues. For more information about
this integration with GitHub Issues, see the docs platform blog post.

To share feedback about the current article, select This page. A GitHub account is a
prerequisite for providing documentation feedback. Once you sign in, there's a one-time
authorization for the MicrosoftDocs organization. It then opens the GitHub new issue
form. Add a descriptive title and detailed feedback in the body, but don't modify the
document details section. Then select Submit new issue to file a new issue for the target
article in the MEMDocs GitHub repository.

To see whether there's already feedback for this article, select View all page feedback.
This action opens a GitHub issue query for this article. By default it displays both open
and closed issues. Review any existing feedback before you submit a new issue. If you
find a related issue, select the face icon to add a reaction, add a comment to the thread,
or Subscribe to receive notifications.

Types of feedback
Use GitHub Issues to submit the following types of feedback:

Doc bug: The content is out of date, unclear, confusing, or broken.
Doc enhancement: A suggestion to improve the article.
Doc question: You need help with finding existing documentation.
Doc idea: A suggestion for a new article.
Kudos: Positive feedback about a helpful or informative article!
Localization: Feedback about content translation.
Search engine optimization (SEO): Feedback about problems searching for content.
Include the search engine, keywords, and target article in the comments.

If you create an issue for something not related to an article, Microsoft will close the
issue and redirect you to a better feedback channel. For example:

Product feedback for Configuration Manager or Intune
Product questions
Support requests for Configuration Manager or Microsoft Intune

To share feedback on the Microsoft Learn platform itself, see Docs feedback. The
platform includes all of the wrapper components such as the header, table of contents,
and right menu. Also how the articles render in the browser, such as the font, alert
boxes, and page anchors.

Notifications
To receive notifications when content changes in the documentation library, use the
following steps:

1. Use the docs search to find an article or set of articles.

Search for a single article by title, such as What's new in Microsoft Intune.

Tip

To refine the search to a single article, use the full title that displays in
the Microsoft technical documentation search results. You can also use a
string from the first paragraph, as shown in this example.

This example results in the following RSS link:

url

https://learn.microsoft.com/api/search/rss?
search=%22What%27s+new+in+microsoft+intune%22%2B%22learn+what%27s+
new%22&locale=en-
us&facet=&%24filter=scopes%2Fany%28t%3A+t+eq+%27Intune%27%29

7 Note

The above RSS feed URL example includes the &locale=en-us variable.
The locale variable is required, but you can change it to another
supported locale. For example, &locale=ja-jp .

Search for any Configuration Manager article about BitLocker

7 Note

Use other keywords or the Microsoft Learn search filters to further refine your
search query.
2. At the bottom of the list of results, select the RSS link.

3. Use this feed in an RSS application to receive notifications when there's a change
to any of the search results. Refer to the RSS application's documentation on how
to configure and tune it.

 Tip

You can also Watch the MEMDocs repository on GitHub. This method can
generate many notifications. It also doesn't include changes from the private
repository that Microsoft uses.
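The following PowerShell is an added example, not part of the Microsoft Learn article, that builds a feed URL in the same shape as the link above for any set of search phrases and locale, then reads the feed items with Invoke-RestMethod. It assumes only the /api/search/rss endpoint and its search, locale, facet and $filter parameters exactly as they appear in the article's link; the function and parameter names are the example's own.

```powershell
# Added example (not from the Microsoft Learn article): builds a Microsoft Learn RSS
# search URL in the shape the article shows and lists the items the feed returns.
# Assumptions: the /api/search/rss endpoint and its query parameters are taken from
# the URL in the article; Invoke-RestMethod emits one object per RSS <item>.
function Get-LearnSearchFeedUrl {
    param(
        [Parameter(Mandatory)] [string[]] $Phrases,   # exact phrases, e.g. an article title
        [string] $Locale = 'en-us',                   # required by the endpoint
        [string] $Scope                               # optional scope filter, e.g. 'Intune'
    )
    # Each phrase is quoted so the search matches it exactly; phrases are joined with '+'
    $search = ($Phrases | ForEach-Object { '"' + $_ + '"' }) -join '+'
    $query  = 'search=' + [uri]::EscapeDataString($search) + '&locale=' + $Locale + '&facet='
    if ($Scope) {
        # OData-style scope filter, same text as the article's link before encoding
        $filter = "scopes/any(t: t eq '$Scope')"
        $query += '&' + [uri]::EscapeDataString('$filter') + '=' + [uri]::EscapeDataString($filter)
    }
    return 'https://learn.microsoft.com/api/search/rss?' + $query
}

function Get-LearnFeedItems {
    param([Parameter(Mandatory)] [string] $FeedUrl, [int] $Newest = 10)
    # Invoke-RestMethod parses RSS and returns the <item> elements as objects
    $items = Invoke-RestMethod -Uri $FeedUrl -Method Get
    $items | Select-Object -First $Newest -Property title, link, pubDate
}

# Usage: the article's own example, an exact title plus a phrase from its first paragraph
$url = Get-LearnSearchFeedUrl -Phrases "What's new in microsoft intune", "learn what's new" -Scope 'Intune'
$url
Get-LearnFeedItems -FeedUrl $url
```

The only difference from the article's link is that spaces are percent-encoded (%20) instead of written as +; a query-string parser decodes both to a space. A scheduled task that runs Get-LearnFeedItems and compares the output with the previous run is a lightweight alternative to a dedicated RSS reader.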

Contribute
The Microsoft Intune product family documentation library, like most Microsoft
technical documentation, is open-sourced on GitHub. This library accepts and
encourages community contributions. For more information on how to get started, see
our contributor guide. The only prerequisite is to create a GitHub account.

Basic steps to contribute

1. From the target article, select Edit in the upper right corner. This action opens the
source file in GitHub.

2. To edit the source file, select the pencil icon.

3. Make changes in the markdown source. For more information, see How to use
Markdown in Microsoft Learn articles.

4. In the Propose file change section, enter the public commit comment describing
what you changed. Then select Propose file change.

5. Scroll down and verify the changes you made. Select Create pull request to open
the form. Describe why you made this change. Select Create pull request.

The writing team receives your pull request, and assigns it to the appropriate writer. The
author reviews the text, and does a quick edit pass on it. They'll either approve and
merge the changes, or contact you for more information about the update.

What to contribute
If you want to contribute, but don't know where to start, see the following suggestions:

Review an article for accuracy. Then update the ms.date metadata using
mm/dd/yyyy format. This contribution helps keep the content fresh.

Add clarifications, examples, or guidance based on your experience. This
contribution uses the power of the community to share knowledge.

Note

Large contributions require signing a Contribution License Agreement (CLA) if you
aren't a Microsoft employee. GitHub automatically requires you to sign this
agreement when a contribution meets the threshold. You only need to sign this
agreement once.

Contribution tips
Follow these general guidelines when you contribute:

Don't surprise us with large pull requests. Instead, file an issue and start a
discussion. Then we can agree on a direction before you invest a large amount of
time.

Read the Microsoft style guide. Know the Top 10 tips for Microsoft style and voice.

Follow the GitHub Flow workflow.

Blog and tweet (or whatever) about your contributions, frequently!

(This list was borrowed from the .NET contributing guide.)

Accessibility features in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager includes features to help make it accessible for everyone.

Note

To improve the accessibility features of the Configuration Manager console, update
.NET to version 4.7 or later on the computer running the console.

For more information on the accessibility changes made in .NET 4.7.1 and 4.7.2, see
What's new in accessibility in the .NET Framework.

Keyboard shortcuts

Console workspaces
To access a workspace, use the following keyboard shortcuts:

Keyboard shortcut    Workspace
Ctrl + 1             Assets and Compliance
Ctrl + 2             Software Library
Ctrl + 3             Monitoring
Ctrl + 4             Administration

Other console shortcuts

Keyboard shortcut    Purpose
Ctrl + M             Set the focus on the main (central) pane.
Ctrl + T             Set the focus to the top node in the navigation pane. If the focus was already in that pane, the focus is set to the last node you visited.
Ctrl + I             Set the focus to the breadcrumb bar, below the ribbon.
Ctrl + L             Set the focus to the Search field, when available.
Ctrl + D             Set the focus to the details pane, when available.
Alt                  Change the focus in and out of the ribbon.

CMPivot shortcuts
Most web browser keyboard shortcuts will work in CMPivot.

Keyboard shortcut    Purpose
Ctrl + 1             Set the focus on the first tab.
Alt + <              Go back to the address.

Collection relationship diagram shortcuts

When you view collection relationships in the Configuration Manager console, use the
TAB key to change the focus. By default, the focus is on the page number controls.
When the focus is on the graph itself (navigator), use the following keyboard shortcuts
to navigate:

Navigator shortcut   Purpose
Ctrl + W             Scroll up
Ctrl + S             Scroll down
Ctrl + A             Scroll left
Ctrl + D             Scroll right
Ctrl + +             Zoom in
Ctrl + -             Zoom out

Use the following keyboard shortcuts to quickly move focus to different areas of the
window:

Keyboard shortcut    Purpose
Alt + P              Dependent page
Alt + B              Back
Alt + H              Home
Alt + N              Collection name
Alt + T              Filter

Other accessibility features

To navigate the navigation pane, type the letters of a node name.

Keyboard navigation through the main view and the ribbon is circular.

Keyboard navigation in the details pane is circular. To return to the previous object
or pane, use Ctrl + D, then Shift + TAB.

After refreshing a Workspace view, the focus is set to the main pane of that
workspace.

To access a workspace menu, select the Tab key until the Expand/Collapse icon is in
focus. Then, select the Down arrow key to access the workspace menu.

To navigate through a workspace menu, use the arrow keys.

To access different areas in the workspace, use the Tab key and Shift+Tab keys. To
navigate within an area of the workspace, such as the ribbon, use the arrow keys.

To access the address bar when your focus is in the tree node, use Shift+Tab three
times.

On a wizard or property page, you can move between the boxes with keyboard
shortcuts. Select the Alt key plus the underlined character (Alt+_) to select a
specific box.

To navigate to the different nodes of a workspace, enter the first letter of the name
of a node. Each key press moves the cursor to the next node that begins with that
letter. When you're using a screen reader, the reader reads out the name of that
node.

Next steps
For more information on the fundamentals of navigating Configuration Manager user
interfaces, see the following articles:

Using the Configuration Manager console
Software Center user guide

Note

The information in this article might apply only to users who license Microsoft
products in the United States. If you obtained this product outside of the United
States, you can use the subsidiary information card that came with your software
package or visit the Microsoft Accessibility website for contact information for
Microsoft support services. You can contact your subsidiary to find out whether the
type of products and services that are described in this section are available in your
area. Information about accessibility is available in other languages, including
Japanese and French.

Software Center user guide
Article • 12/19/2022

Applies to: Configuration Manager (current branch)

Your organization's IT admin uses Software Center to install applications, software
updates, and upgrade Windows. This user guide explains the functionality of Software
Center for users of the computer.

Software Center is installed automatically on Windows devices that your IT organization
manages. To get started, see How to open Software Center.

General notes about Software Center functionality:

This article describes the latest features of Software Center. If your organization is
using an older but still supported version of Software Center, not all features are
available. For more information, contact your IT admin.

Your IT admin may disable some aspects of Software Center. Your specific
experience may vary.

If multiple users are signed in to a device at the same time, for example in a remote
desktop environment, only the user with the lowest session ID sees all available
deployments in Software Center. Users with higher session IDs may not see some of the
deployments: for example, they may see deployed Applications but not deployed
Packages or Task Sequences, while the user with the lowest session ID sees all deployed
Applications, Packages, and Task Sequences. The Users tab of Windows Task Manager
shows all users and their session IDs.

Your IT admin may change the color of Software Center, and add your
organization's logo.

How to open Software Center

Software Center is installed automatically on Windows devices that your IT organization
manages. For the simplest method to start Software Center, go to Start and type
Software Center. You may not need to type the entire string for Windows to find the
best match.

To navigate the Start menu, look under the Microsoft Endpoint Manager group for the
Software Center icon.

Note

The above Start menu path is for versions from November 2019 (version 1910) or
later. In earlier versions, the folder name is Microsoft System Center.

If you can't find Software Center in the Start menu, contact your IT administrator.

Applications

Select the Applications tab (1) to find and install applications that your IT admin deploys
to you or this computer.

All (2): Shows all available applications that you can install.
Required (3): Your IT admin enforces these applications. If you uninstall one of
these applications, Software Center reinstalls it.

Filters (4): Your IT admin may create categories of applications. If available, select
the drop-down list to filter the view to only those applications in a specific
category. Select All to show all applications.

Sort by (5): Rearrange the list of applications. By default this list sorts by Most
recent. Recently available applications display with a New banner that's visible for
seven days.

Search (6): Still can't find what you're looking for? Enter keywords in the Search
box to find it!

Switch the view (7): Select the icons to switch the view between list view and tile
view. By default the applications list shows as graphic tiles.

View                 Description
Multi-select mode    Install more than one application at a time. For more information, see Install multiple applications.
List view            This view displays the application icon, name, publisher, version, and status.
Tile view            Your IT admin can customize the icons. Below each tile displays the application name, publisher, and version.

Install an application
Select an application from the list to see more information about it. Select Install to
install it. If an app is already installed, you may have the option to Uninstall.

Some apps may require approval before they install.

When you try to install it, you can enter a comment and then Request the app.
Software Center shows the request history, and you can cancel the request.

When an administrator approves your request, you can install the app. If you wait,
Software Center automatically installs the app during your non-business hours.

Install multiple applications
Install more than one application at a time instead of waiting for one to finish before
starting the next. The selected apps need to qualify:

The app is visible to you
The app isn't already downloading or installed
Your IT admin doesn't require approval to install the app

To install more than one application at a time:

1. Select the multi-select icon in the upper right corner:

2. Select two or more apps to install. Select the checkbox to the left of each app in
the list.

3. Select the Install Selected button to start.

The apps install as normal, only now in succession.

Share an application
To share a link to a specific app, after you select the app, select the Share icon in the
upper right corner:

Copy the string, and paste elsewhere, such as an email message. For example,
softwarecenter:SoftwareID=ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/Application_b9e438aa-f5b5-432c-9b4f-6ebeeb132a5a.
Anyone else in your organization with Software Center can use the link to open the same
application.

Featured Apps
The Featured tab in Software Center displays featured apps. With this tab, IT admins can
mark apps as "featured" and encourage end users to use these apps. Currently, this
feature is available only for "User Available" apps. Admins can also make the Featured
tab of Software Center the default tab from Client Settings.

If an app is marked as Featured and it's deployed to a User Collection as an Available
app, it will show under the Featured pivot in Software Center.

Updates

Select the Updates tab (1) to view and install software updates that your IT admin
deploys to this computer.

All (2): Shows all updates that you can install.

Required (3): Your IT admin enforces these updates.

Sort by (4): Rearrange the list of updates. By default this list sorts by Application
name: A to Z.

Search (5): Still can't find what you're looking for? Enter keywords in the Search
box to find it!

To install updates, select Install All (6).

To only install specific updates, select the icon to enter multi-select mode (7). Check
the updates to install, and then select Install Selected.

Operating Systems

Select the Operating Systems tab (1) to view and install versions of Windows that your
IT admin deploys to this computer.

All (2): Shows all Windows versions that you can install

Required (3): Your IT admin enforces these upgrades.

Sort by (4): Rearrange the list of updates. By default this list sorts by Application
name: A to Z.

Search (5): Still can't find what you're looking for? Enter keywords in the Search
box to find it!

Installation status
Select the Installation status tab to view the status of applications. You may see the
following states:

Installed: Software Center already installed this application on this computer.

Downloading: Software Center is downloading the software to install on this
computer.

Failed: Software Center wasn't able to install the software.

Scheduled to install after: Shows the date and time of the device's next
maintenance window to install upcoming software. Maintenance windows are
defined by your IT admin.
    The status can be seen in the All and the Upcoming tab.
    You can install before the maintenance window time by selecting the Install
    Now button.

Device compliance
Select the Device compliance tab to view the compliance status of this computer.

Select Check compliance to evaluate this device's settings against the security policies
defined by your IT admin.

Options
Select the Options tab to view additional settings for this computer.

Work information
Indicate the hours that you typically work. Your IT admin may schedule software
installations outside your business hours. Allow at least four hours each day for system
maintenance tasks. Your IT admin can still install critical applications and software
updates during business hours.

Select the earliest and latest hours that you use this computer. By default these
values are from 5:00 AM through 10:00 PM.

Select the days of the week that you typically use this computer. By default
Software Center only selects the weekdays.

Specify whether you regularly use this computer to do your work. Your administrator
might automatically install applications or make additional applications available to
primary computers. If the computer you're using is a primary computer, select I
regularly use this computer to do my work.

Power management
Your IT admin may set power management policies. These policies help your
organization conserve electricity when this computer isn't in use.
To make this computer exempt from these policies, select Do not apply power settings
from my IT department to this computer. By default this setting is disabled and the
computer applies power settings.

Computer maintenance
Specify how Software Center applies changes to software before the deadline.

Automatically install or uninstall required software and restart the computer
only outside of the specified business hours: This setting is disabled by default.

Suspend Software Center activities when my computer is in presentation mode:
This setting is enabled by default.

Note

These settings are designed to be managed by end users and do not impact
deployment deadlines.

When instructed by your IT admin, select Sync Policy. This computer checks with the
servers for anything new, such as applications, software updates, or operating systems.

Remote Control
Specify remote access and remote control settings for your computer.

Use remote access settings from your IT department: By default, your IT department
defines the settings to remotely assist you. The other settings in this section show the
state of the settings that your IT department defines. To change any settings, first
disable this option.

Level of remote access allowed
    Do not allow remote access: IT administrators can't remotely access this
    computer to assist you.
    View only: An IT administrator can only remotely view your screen.
    Full: An IT administrator can remotely control this computer. This setting is the
    default option.

Allow remote control of this computer by administrators when I am away: This
setting is Yes by default.

When an administrator tries to control this computer remotely
    Ask for permission each time: This setting is the default option.
    Do not ask for permission

Show the following during remote control: These visual notifications are both
enabled by default to let you know that an administrator is remotely accessing the
device.
    Status icon in the notification area
    A session connection bar on the desktop

Play sound: This audible notification lets you know that an administrator is
remotely accessing the device.
    When session begins and ends: This setting is the default option.
    Repeatedly during session
    Never

Custom tabs
Your IT admin can remove the default tabs or add additional tabs to Software Center.
Custom tabs are named by your admin, and they open a web site that the admin
specifies. For instance, you might have a tab called "Help Desk" that opens your IT
organization's help desk web site.

More information for IT administrators

More information is available for IT administrators on how to plan for and configure
Software Center in the following articles:

Plan for Software Center
Software Center client settings
Device restart notifications
Introduction to Remote Control

How to use the Configuration Manager console
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

Administrators use the Configuration Manager console to manage the Configuration
Manager environment. This article covers the fundamentals of navigating the console.

Open the console

The Configuration Manager console is always installed on every site server. You can also
install it on other computers. For more information, see Install the Configuration
Manager console.

The simplest method to open the console on a Windows computer is to go to Start and
start typing Configuration Manager console . You may not need to type the entire string
for Windows to find the best match.

If you browse the Start menu, look for the Configuration Manager console icon in the
Microsoft Endpoint Manager group.

Connect to a site server

The console connects to your central administration site server or to your primary site
servers. You can't connect a Configuration Manager console to a secondary site. During
installation, you specified the fully qualified domain name (FQDN) of the site server to
which the console connects.

To connect to a different site server, use the following steps:

1. Select the arrow at the top of the ribbon, and choose Connect to a New Site.

2. Type in the FQDN of the site server. If you've previously connected to a site server,
select the server from the drop-down list.

3. Select Connect.

Tip

You can specify the minimum authentication level for administrators to access
Configuration Manager sites. This feature requires administrators to sign in to
Windows with the required level. For more information, see Plan for the SMS
Provider.

Navigation
Some areas of the console may not be visible depending on your assigned security role.
For more information about roles, see Fundamentals of role-based administration.

Workspaces
The Configuration Manager console has four workspaces:
Assets and Compliance

Software Library

Monitoring

Administration

Reorder workspace buttons by selecting the down arrow and choosing Navigation Pane
Options. Select an item to Move Up or Move Down. Select Reset to restore the default
button order.

Minimize a workspace button by selecting Show Fewer Buttons. The last workspace in
the list is minimized first. Select a minimized button and choose Show More Buttons to
restore the button to its original size.

Nodes
Workspaces are a collection of nodes. One example of a node is the Software Update
Groups node in the Software Library workspace.

Once you are in the node, you can select the arrow to minimize the navigation pane.

Use the navigation bar to move around the console when you minimize the navigation
pane.

In the console, nodes are sometimes organized into folders. When you select the folder,
it usually displays a navigation index or a dashboard.

Note

You can use PowerShell to manage console folders with the following cmdlets:
    Get-CMFolder
    New-CMFolder
    Remove-CMFolder
    Set-CMFolder

Ribbon
The ribbon is at the top of the Configuration Manager console. The ribbon can have
more than one tab and can be minimized using the arrow on the right. The buttons on
the ribbon change based on the node. Most of the buttons in the ribbon are also
available on context menus.

Details pane
You can get additional information about items by reviewing the details pane. The
details pane can have one or more tabs. The tabs vary depending on the node.

Columns
You can add, remove, reorder, and resize columns. These actions allow you to display
the data you prefer. Available columns vary depending on the node. To add or remove a
column from your view, right-click on an existing column heading and select an item.
Reorder columns by dragging the column heading where you would like it to be.

At the bottom of the column context menu, you can sort or group by a column.
Additionally, you can sort by a column by selecting its header.

Reclaim lock for editing objects

If the Configuration Manager console stops responding, you can be locked out of
making further changes until the lock expires after 30 minutes. This lock is part of the
Configuration Manager SEDO (Serialized Editing of Distributed Objects) system. For
more information, see Configuration Manager SEDO.

You can clear your lock on any object in the Configuration Manager console. This action
only applies to your user account that has the lock, and on the same device from which
the site granted the lock. When you attempt to access a locked object, you can now
Discard Changes, and continue editing the object. These changes would be lost anyway
when the lock expired.

View recently connected consoles
You can view the most recent connections for the Configuration Manager console. The
view includes active connections and those connections that recently connected. You'll
always see your current console connection in the list and you only see connections
from the Configuration Manager console. You won't see PowerShell or other SDK-based
connections to the SMS Provider. The site removes instances from the list that are older
than 30 days.

Prerequisites to view connected consoles

Your account needs the Read permission on the SMS_Site object.
Configure the administration service REST API. For more information, see What is
the administration service?.

View connected consoles

1. In the Configuration Manager console, go to the Administration workspace.

2. Expand Security and select the Console Connections node.

3. View the recent connections, with the following properties:

    User name
    Machine name
    Connected site code
    Console version
    Last connected time: When the user last opened the console
    An open console in the foreground sends a heartbeat every 10 minutes,
    which shows in the Last Console Heartbeat column.

Start Microsoft Teams Chat from Console Connections
You can message other Configuration Manager administrators from the Console
Connections node using Microsoft Teams. When you choose to Start Microsoft Teams
Chat with an administrator, Microsoft Teams is launched and a chat is opened with the
user.

Prerequisites
To start a chat with an administrator, the account you want to chat with needs
to have been discovered with Azure AD or AD User Discovery.
Microsoft Teams installed on the device from which you run the console.
All prerequisites to view connected consoles.

Start Microsoft Teams Chat

1. Go to Administration > Security > Console Connections.
2. Right-click on a user's console connection and select Start Microsoft Teams Chat.

    If the User Principal Name isn't found for the selected administrator, Start
    Microsoft Teams Chat is grayed out.
    An error message, including a download link, appears if Microsoft Teams isn't
    installed on the device from which you run the console.
    If Microsoft Teams is installed on the device from which you run the console,
    it will open a chat with the user.

Known issues
The error message notifying you that Microsoft Teams isn't installed won't be displayed
if the following Registry key doesn't exist:

Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

To work around the issue, manually create the Registry key.
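The following PowerShell is an added example, not part of the Microsoft Learn article, that applies the workaround above in an idempotent way: it tests for the per-user Uninstall key named in the known issue and creates it only when it is missing, leaving an existing key and its subkeys untouched. The key path is the one from the article (HKCU: is the PowerShell drive for HKEY_CURRENT_USER); the function name is the example's own.

```powershell
# Added example (not from the article): checks for the per-user Uninstall key that the
# Teams "not installed" message depends on, and creates it only if it is missing.
# The key path is the one named in the article; because it lives under HKEY_CURRENT_USER
# no elevation is needed, and an existing key is never modified or overwritten.
function Initialize-TeamsUninstallKey {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $keyPath = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

    if (Test-Path -LiteralPath $keyPath) {
        Write-Verbose "Key already exists, nothing to do: $keyPath"
        return $false          # nothing changed
    }
    if ($PSCmdlet.ShouldProcess($keyPath, 'Create registry key')) {
        # -Force creates any missing parent keys; the key itself is created empty,
        # no values are written to it
        $null = New-Item -Path $keyPath -Force
        return $true           # key was created
    }
    return $false              # -WhatIf or declined confirmation
}

# Usage: preview first with -WhatIf, then apply and verify the key is present
Initialize-TeamsUninstallKey -WhatIf
$created = Initialize-TeamsUninstallKey -Verbose
"Key created: $created"
Get-Item -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
    Select-Object Name, SubKeyCount, ValueCount
```

Returning a Boolean rather than printing a message lets the function be called from a larger console-setup script that records what it changed. The -WhatIf run shows the exact key that would be created, which is the check a practitioner wants before touching the registry on a shared device.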

In-console documentation dashboard

The Documentation node in the Community workspace includes information about
Configuration Manager documentation and support articles. It includes the following
sections:

Recommended: a manually curated list of important articles.
Troubleshooting articles: guided walkthroughs to assist with troubleshooting
Configuration Manager components and features.
New and updated support articles: articles that are recently new or updated.

Troubleshooting connection errors

The Documentation node has no explicit proxy configuration. It uses any OS-defined
proxy in the Internet Options control panel applet. To retry after a connection error,
refresh the Documentation node.

Dark theme for the console

(Introduced in version 2203)

Starting in version 2203, the Configuration Manager console offers a dark theme. To use
the theme, select the arrow from the top left of the ribbon, then choose Switch console
theme. Select Switch console theme again to return to the light theme. As of version
2303, the main screen of the console and delete secondary site wizards adhere to the
dark theme.

Known issue
A console restart is required after you switch the theme, because the node navigation
pane might not render properly when you move to a new workspace.
Currently, there are locations in the console that may not display the dark theme
correctly. We are continuously working to improve the dark theme.

Connect via Windows PowerShell

The Configuration Manager console includes a PowerShell module with over a thousand
cmdlets to interact programmatically from the command line. Select the arrow at the
top of the ribbon, and choose Connect via Windows PowerShell.

For more information, see Get started with Configuration Manager cmdlets.
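The following PowerShell is an added example, not part of the Microsoft Learn article, that does what Connect via Windows PowerShell does by hand (load the console's module and change to the site drive) and then uses the folder cmdlets listed in the Nodes section above to create, rename and inspect a console folder. It assumes the console is installed (the installer sets SMS_ADMIN_UI_PATH), that the -Name, -ParentFolderPath and -NewName parameters and the 'DeviceCollection' parent path are accepted by those cmdlets, and uses a placeholder site code and a constructed folder name.

```powershell
# Added example (not from the article): loads the console's PowerShell module, connects
# to the site drive, and exercises the folder cmdlets the article lists.
# Assumptions: the console is installed so SMS_ADMIN_UI_PATH is set; -Name,
# -ParentFolderPath and -NewName are valid parameters of the folder cmdlets and
# 'DeviceCollection' is a valid parent path; the site code is a placeholder.
$siteCode = 'ABC'   # placeholder: replace with your site code

# The module ships in the console's bin folder, one level above SMS_ADMIN_UI_PATH (...\bin\i386)
$modulePath = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1'
Import-Module $modulePath -ErrorAction Stop

# The cmdlets only work from the site's PSDrive, which the module creates as "<SiteCode>:"
Set-Location "$($siteCode):"

$folderName = 'Pilot collections'   # constructed sample folder name
$parent     = 'DeviceCollection'    # assumed parent path for device collection folders

# Create the folder only if it does not already exist, so the script is safe to re-run
$folder = Get-CMFolder -Name $folderName -ParentFolderPath $parent -ErrorAction SilentlyContinue
if (-not $folder) {
    $folder = New-CMFolder -Name $folderName -ParentFolderPath $parent
    "Created folder '$folderName' under $parent"
}

# Rename it, list the folders under the parent, and show Remove-CMFolder with -WhatIf
# so nothing is actually deleted
Set-CMFolder -Name $folderName -ParentFolderPath $parent -NewName 'Pilot collections (renamed)'
Get-CMFolder -ParentFolderPath $parent | Select-Object Name, ObjectType, ContainerNodeID
Remove-CMFolder -Name 'Pilot collections (renamed)' -ParentFolderPath $parent -WhatIf
```

Scripting folder creation this way keeps console layout reproducible across sites, and the Get-CMFolder guard means the script can run from a pipeline without failing on a second pass.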

Command-line options
The Configuration Manager console has the following command-line options:

Option                    Description
/sms:debugview=1          A DebugView is included in all ResultViews that specify a view. DebugView shows raw properties (names and values).
/sms:NamespaceView=1      Shows namespace view in the console.
/sms:ResetSettings        The console ignores user-persisted connection and view states. The window size isn't reset.
/sms:IgnoreExtensions     Disables any Configuration Manager extensions.
/sms:NoRestore            The console ignores previous persisted node navigation.
/server=[ServerName]      Connect to a CAS or Primary site server by specifying the fully qualified domain name (FQDN) or server name for that site.
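The following PowerShell is an added example, not part of the Microsoft Learn article, that wraps the command-line options above in a function so the console can be started with a known, logged set of switches. It assumes the console executable is Microsoft.ConfigurationManagement.exe in the console's bin folder (the parent of SMS_ADMIN_UI_PATH); the function name and the server name are the example's own.

```powershell
# Added example (not from the article): starts the Configuration Manager console with
# the command-line options listed above. Assumptions: the console executable is
# Microsoft.ConfigurationManagement.exe in the console's bin folder (the parent of
# SMS_ADMIN_UI_PATH); the server name used below is a placeholder.
function Start-CMConsole {
    param(
        [string] $Server,             # FQDN of a CAS or primary site server; omitted = last used
        [switch] $ResetSettings,      # ignore persisted connection and view state
        [switch] $NoRestore,          # ignore persisted node navigation
        [switch] $IgnoreExtensions,   # disable console extensions
        [switch] $DebugView           # add the DebugView (raw property names and values)
    )
    $exe = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'Microsoft.ConfigurationManagement.exe'
    if (-not (Test-Path -LiteralPath $exe)) { throw "Console executable not found: $exe" }

    # Build the option list exactly as the table spells the switches
    $options = @()
    if ($Server)           { $options += "/server=$Server" }
    if ($ResetSettings)    { $options += '/sms:ResetSettings' }
    if ($NoRestore)        { $options += '/sms:NoRestore' }
    if ($IgnoreExtensions) { $options += '/sms:IgnoreExtensions' }
    if ($DebugView)        { $options += '/sms:debugview=1' }

    if ($options.Count -gt 0) {
        Start-Process -FilePath $exe -ArgumentList $options
    } else {
        Start-Process -FilePath $exe
    }
    return $options   # returned so a caller can log which options were used
}

# Usage: a clean start against a specific site server with extensions disabled,
# a sensible first step when the console fails to load or shows a stale view
Start-CMConsole -Server 'cm01.contoso.example' -ResetSettings -IgnoreExtensions
```

Starting with /sms:IgnoreExtensions is also the quickest way to tell whether a misbehaving console is caused by a third-party extension rather than by the console itself, because the extension is simply not loaded.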

Next steps
Console notifications
Console tips
Accessibility features
Task sequence editor

Configuration Manager console notifications
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The Configuration Manager console notifies you for specific events that occur. You can
configure some of the event notifications for your Configuration Manager sites.

Non-configurable event notifications:
    When an update is available for Configuration Manager itself
    When lifecycle and maintenance events occur in the environment

Configurable event notifications:
    Non-critical site health changes
    Messages from Microsoft

This notification is a bar at the top of the console window below the ribbon. It replaces
the previous experience when Configuration Manager updates are available. These in-
console notifications still display critical information, but don't interfere with your work
in the console. You can't dismiss critical notifications. The console displays all
notifications in a new notification area of the title bar.

About console notifications

Notifications follow the permissions of role-based administration. For example, if a user
doesn't have permissions to see Configuration Manager updates, they won't see those
notifications.

Some notifications have a related action. For example, if the console version doesn't
match the site version, select Install the new console version. This action launches the
console installer.

The following notifications reevaluate every five minutes:

Site is in maintenance mode
Site is in recovery mode
Site is in upgrade mode

The following notifications are most applicable to the technical preview branch:

Evaluation version is within 30 days of expiration (Warning): the current date is
within 30 days of the expiration date of the evaluation version
Evaluation version is expired (Critical): the current date is past the expiration date
of the evaluation version
Console version mismatch (Critical): the console version doesn't match the site
version
Site upgrade is available (Warning): there's a new update package available

Most console notifications are per session. The console evaluates queries when a user
launches it. To see changes in the notifications, restart the console. If a user dismisses a
non-critical notification, it notifies again when the console restarts if it's still applicable.

Dismissing or snoozing a notification is persistent for your user across consoles
starting in version 2010.

Console notification improvements

Improvements starting in version 2010

Starting in Configuration Manager 2010, you have an updated look and feel for in-
console notifications. Notifications are more readable and the action link is easier to
find. The age of the notification is displayed to help you find the latest information. If
you dismiss or snooze a notification, that action is now persistent for your user across
consoles.

Right-click or select ... on the notification to take one of the following actions:

Translate text: Launches Bing Translator for the text.
Copy text: Copies the notification text to the clipboard.
Snooze: Snoozes the notification for the specified duration:
    One hour
    One day
    One week
    One month
Dismiss: Dismisses the notification.

To see these improvements for notifications, update the Configuration Manager console
to the latest version.

New notifications in version 2010

To help you manage security risk in your environment, you'll be notified in-console
about devices with operating systems that are past the end of support date and that are
no longer eligible to receive security updates.

Environments with the following operating systems installed on client devices receive a
notification:

Windows 7, Windows Server 2008 (non-Azure), and Windows Server 2008 R2 (non-Azure) without ESU.
  Selecting More info takes you to the Management insights Security group to review the Update clients running Windows 7 and Windows Server 2008 rule.
Versions of Windows 10 Semi-Annual Channel that are past the end-of-support date for Enterprise and Education and Home and Pro editions.
  Selecting More info takes you to the Management insights Simplified Management group to review the Update clients to a supported Windows 10 version rule.

You can also view the Product Lifecycle Dashboard to see information about which
operating systems are out of support. This information (such as the support lifecycle for
Windows 10 versions) is provided for your convenience and only for use internally within
your company. You should not solely rely on this information to confirm update
compliance. Be sure to verify the accuracy of the information provided to you.

Improvements starting in version 2006

You have an option to receive Messages from Microsoft.
If you configure Azure services to cloud-attach your site, you'll see notifications with an action to renew the secret key. The site evaluates the state of the following alerts once per hour:
  One or more Azure AD app secret keys will expire soon
  One or more Azure AD app secret keys have expired

Important

When you use an imported Azure AD app, you aren't notified of an upcoming
expiration date from console notifications.

Configure a site to show non-critical notifications

You can configure each site to show non-critical notifications in the properties of the site.

1. In the Administration workspace, expand Site Configuration, then select the Sites
node.
2. Select the site you want to configure for non-critical notifications.
3. In the ribbon, select Properties.
4. On the Alerts tab, select the option to Enable console notifications for non-
critical site health changes.

If you enable this setting, all console users see critical, warning, and
information notifications. This setting is enabled by default.
If you disable this setting, console users only see critical notifications.

Configure a site to receive messages from Microsoft

Starting in version 2006, you can choose to receive notifications from Microsoft in the
Configuration Manager console. These notifications help you stay informed about new
or updated features, changes to Configuration Manager and attached services, and
issues that require action to remediate.

Note

For push notifications from Microsoft to show in the console, the service connection point needs access to configmgrbits.azureedge.net. It also needs access to this endpoint for updates and servicing, so you may have already allowed it.

Configure notification settings for Microsoft messages

1. Navigate to Administration > Site Configuration > Sites.

2. Select a site, and then in the ribbon, select Properties.

3. In the Alerts tab, enable the notifications by selecting Receive messages from
Microsoft. You can deselect any of the following notifications if you prefer not to
receive them:

Prevent/fix: Known issues affecting your organization that may require you to
take action.

Plan for change: Changes to Configuration Manager that may require you to
take action.

Stay informed: Informs you of new or updated features that are available.

Console extension installation notifications

(Introduced in version 2103)

Users are notified when console extensions are approved for installation. These
notifications occur for users in the following scenarios:

The Configuration Manager console requires a built-in extension, such as WebView2, to be installed or updated.
Console extensions are approved and notifications are enabled from Administration > Overview > Updates and Servicing > Console Extensions. When notifications are enabled, users within the security scope for the extension receive the following prompts:

1. In the upper-right corner of the console, select the bell icon to display
Configuration Manager console notifications.
2. The notification will say New custom console extensions are available.

3. Select the link Install custom console extensions to launch the install.

4. When the install completes, select Close to restart the console and enable the new
extension.

Note

When you upgrade to Configuration Manager 2107, you will be prompted to install the WebView2 console extension again. For more information about the WebView2 installation, see the WebView2 installation section of the Community hub article.

For more information, see Manage console extensions.

Log files
For more information and troubleshooting assistance, see the SmsAdminUI.log file on
the console computer. By default, this log file is at the following path: C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\AdminUILog\SmsAdminUI.log.

Next steps
Use the console

Console tips

Accessibility features
Manage Configuration Manager console extensions
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Starting in Configuration Manager 2103, the Console extensions node allows you to
start managing the approval and installation of console extensions used in your
environment. Having extensions in the console doesn't make them immediately
available. From a high level, the steps are:

1. An administrator has to approve an extension for the site.
2. The administrator has to enable notifications for the extension.
3. The console users can then install the extension to their local console.

After you approve an extension, when you open the console, you'll see a console
notification. From the notification, you can start the extension installer, or use the Install
option from the Console extensions node. After the installer completes, the console
restarts automatically, and you can use the extension.

The old style of console extensions will start being phased out in favor of the new style, because the new style is more secure and centrally managed. The new style of console extensions has the following benefits:

Centralized management of console extensions for the site instead of manually placing binaries on individual consoles.
A clear separation of console extensions from different extension providers.
The ability for admins to have more control over which console extensions are loaded and used in the environment, to keep them more secure.
A hierarchy setting that allows for only using the new style of console extension.

Important

If this setting is used, your old style extensions that aren't approved through the Console Extensions node will no longer be able to be used. The setting, Only allow console extensions that are approved for the hierarchy, is enabled by default if you installed from the 2103 baseline image. The setting remains disabled by default, if you upgraded from a version prior to 2103. If the setting was enabled in error, disabling the setting allows the old style extensions to be used again.

Prerequisites
The Configuration Manager console needs to be able to connect to the administration
service and the administration service needs to be functional.

About the Console Extensions node

(Introduced in version 2103)

The Console Extensions node is located under Administration > Overview > Updates
and Servicing. Actions for console extensions are grouped in the ribbon and the right-
click menu. Console extensions downloaded from Community hub will be shown here.

Actions for Console Extensions group:

Refresh: Refreshes the node
Import Console Extension: Launches the Import Console Extension wizard (added in 2111)

Actions for All Sites group:

Approve Installation: Approves the console extension for installation across all sites. An extension must be approved before notifications are enabled.
Revoke Approval:
  Revokes the ability to install the extension from the Console Extensions node.
  Notifies then uninstalls existing instances of the extension across the hierarchy at the next launch of a locally installed console.
  Allows for reapproval of the extension at a later date.
Enable Notifications: Upon next launch of the console, notifies users within the security scope that the extension can be installed.
Disable Notifications: Disables the console notification messages for the extension. Users within the security scope can still install approved extensions from the Console Extensions node.
Require Extension (added in 2111): Automatically installs the extension for users within the security scope on the next launch before connecting to the site. The user launching the console needs local administrator privileges for the extension installation.
Make Optional (added in 2111): Removes the requirement for an extension. Console users can still install the extension locally from the Console Extensions node.
Delete:
  Revokes the ability to install the extension from the Console Extensions node.
  Notifies then uninstalls existing instances of the extension across the hierarchy at the next launch of a locally installed console.
  Removes the extension from the Console Extensions node so it can't be reapproved later.

Classify group:

Set Security Scopes: Set the security scopes to secure the object and limit access.

Local Extension group:

Install: Installs the selected extension for the current local console
Uninstall: Uninstalls the selected extension from the current local console

Note

The WebView2 console extension is approved by default to enable using Community hub. The files are automatically downloaded from https://developer.microsoft.com/en-us/microsoft-edge/webview2/#download-section with the other redistributable files.

When you upgrade to Configuration Manager 2107, you will be prompted to install the WebView2 console extension again.

Enable hierarchy approved console extensions

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select Sites.
2. Select Hierarchy Settings from the ribbon.
3. On the General tab, enable or disable the Only allow console extensions that are
approved for the hierarchy option.
4. Select Ok when done to close the Hierarchy Settings Properties.

Warning

If this setting is enabled, your old style extensions that aren't approved through the Console Extensions node will no longer be able to be used. The setting, Only allow console extensions that are approved for the hierarchy, is enabled by default if you installed from the 2103 baseline image. The setting remains disabled by default, if you upgraded from a version prior to 2103. If the setting was enabled in error, disabling the setting allows the old style extensions to be used again.

Get console extensions

There are three ways to get the new style of hierarchy approved console extensions into Configuration Manager:

An extension may come with Configuration Manager, such as WebView2
Download console extensions from Community hub
Import console extensions

Install and test an extension on a local console

1. Change the security scope for the extension. Changing the security scope is
recommended for initial testing of an extension.
a. Go to the Console Extensions node under Administration > Overview >
Updates and Servicing.
b. Select the extension, then select Set Security Scopes from the ribbon.
c. Remove the Default security scope and add a scope that only contains one or
two admins for initial testing.
d. Choose OK to save the security scope for the extension.

2. Approve the extension by selecting Approve Installation from the ribbon or right-
click menu.

  If the extension isn't approved, you won't be able to install it or enable in-console notifications for it.
  If you restart your console at this point, a notification about the available extension won't occur since you haven't enabled the option yet.

3. Install the extension on the local console by choosing Install.

4. Once the extension is installed, verify it displays and you can use it from the local console.

Enable user notifications for extension installation

1. If needed, modify the security scopes for the extension to allow access by more
admins. These admins will be targeted with the in-console notification for installing
the extension.
2. Select Enable Notifications.
3. Launch a Configuration Manager console that doesn't have the extension installed.
Ideally, use a test account that you gave access to when you modified the security
scope.
4. Verify that the notification for the extension occurs and that you can install the
extension.

Allow unsigned console extensions for the hierarchy

(Applies to Configuration Manager version 2107 or later)

Starting in Configuration Manager version 2107, you can choose to allow unsigned hierarchy approved console extensions. It's a best practice to always use signed extensions to minimize security risks and to confirm the authenticity of a console extension. However, in some cases you may need to allow unsigned console extensions due to an unsigned internally developed extension, or for testing your own custom extension in a lab. To allow import and install of unsigned hierarchy approved console extensions, you'll enable a hierarchy setting.

1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select Sites.
2. Select Hierarchy Settings from the ribbon.
3. On the General tab, enable the Hierarchy approved console extensions can be unsigned option.
4. Select Ok when done to close the Hierarchy Settings Properties.

Note

Currently, when an unsigned extension isn't enabled for user notification, in the
Console Extensions node, the Required column remains blank instead of
populating a value of No.

Require installation of a console extension

(Introduced in 2111)

Starting in Configuration Manager version 2111, you can require a console extension to
be installed before it connects to the site. After you require an extension, it
automatically installs for the local console the next time an admin launches it. To require
the installation of a console extension:

1. In the Configuration Manager console, go to the Administration workspace.
2. Expand Updates and Servicing and select the Console Extensions node.
3. Select the extension, then select Require Extension from either the right-click menu or the ribbon.

   Selecting Make Optional for an extension removes the extension requirement. Console users can still install it locally from the Console Extensions node.

4. The next time the console is launched by a user within the extension's security scope, installation starts automatically.

The user launching the console needs local administrator privileges for the
extension installation.

Console extension installation user notifications

Users are notified when console extensions are approved for installation. These
notifications occur for users in the following scenarios:

The Configuration Manager console requires a built-in extension, such as WebView2, to be installed or updated.
Console extensions are approved and notifications are enabled from Administration > Overview > Updates and Servicing > Console Extensions. When notifications are enabled, users within the security scope for the extension receive the following prompts:

1. In the upper-right corner of the console, select the bell icon to display
Configuration Manager console notifications.
2. The notification will say New custom console extensions are available.

3. Select the link Install custom console extensions to launch the install.

4. When the install completes, select Close to restart the console and enable the new
extension.

Note

When you upgrade to Configuration Manager 2107, you will be prompted to install the WebView2 console extension again. For more information about the WebView2 installation, see the WebView2 installation section of the Community hub article.

Status messages for console extensions

(Introduced in 2111)

Starting in version 2111, the site creates status messages for events related to console
extensions. Status messages improve the visibility and transparency of console
extensions that are used with your site. Use these status messages to make sure your
site uses known and trusted console extensions. The status messages have IDs from
54201 to 54208. They all include the following information:

The user that made the change
The ID of the extension
The version of the extension

There are four categories of message events:

Required or optional
Approve or disapprove
Enable or disable
Tombstone or untombstone

For example, the description of status message ID 54201 is User "%1" made console
extension with ID "%2" and version "%3" required.
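As an added, defender-side check that is not part of this documentation, the PowerShell function below reads the console-extension status messages (IDs 54201 to 54208) from the site database and flags changes made by accounts you did not expect to manage extensions. It assumes the SqlServer module (Invoke-Sqlcmd) is installed and that the site database exposes the standard reporting views v_StatusMessage and v_StatMsgInsStrings; the function, server, database and account names are placeholders.

```powershell
# Added example, not from the Configuration Manager documentation. Pulls the
# console-extension status messages (IDs 54201 to 54208, version 2111 and
# later) from the site database and lists who changed which extension, so an
# unexpected approval or "required" change stands out during review.
# Assumptions: the SqlServer module (Invoke-Sqlcmd) is installed, the caller
# has read access to the site database, and the standard reporting views
# v_StatusMessage and v_StatMsgInsStrings are present with 0-based
# InsStrIndex (0 = %1 user, 1 = %2 extension ID, 2 = %3 version).
function Get-CMConsoleExtensionAudit {
    param(
        [Parameter(Mandatory)] [string] $SqlServer,   # assumed, e.g. "CMSQL01.contoso.com"
        [Parameter(Mandatory)] [string] $Database,    # assumed site DB name, e.g. "CM_PS1"
        [int] $Days = 30,
        # Accounts expected to manage console extensions; any other actor is flagged
        [string[]] $ExpectedUser = @()
    )

    # The day range is passed as a sqlcmd variable instead of being
    # concatenated into the query text.
    $query = @'
SELECT sm.RecordID, sm.Time, sm.MessageID, sm.SiteCode,
       MAX(CASE WHEN s.InsStrIndex = 0 THEN s.InsStrValue END) AS ActorUser,
       MAX(CASE WHEN s.InsStrIndex = 1 THEN s.InsStrValue END) AS ExtensionId,
       MAX(CASE WHEN s.InsStrIndex = 2 THEN s.InsStrValue END) AS ExtensionVersion
FROM v_StatusMessage sm
JOIN v_StatMsgInsStrings s ON s.RecordID = sm.RecordID
WHERE sm.MessageID BETWEEN 54201 AND 54208
  AND sm.Time >= DATEADD(day, -$(Days), GETDATE())
GROUP BY sm.RecordID, sm.Time, sm.MessageID, sm.SiteCode
ORDER BY sm.Time DESC
'@

    $rows = Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database `
        -Query $query -Variable @("Days=$Days")

    foreach ($r in $rows) {
        # 54201 is documented as "made ... required"; the other IDs cover the
        # required/optional, approve/disapprove, enable/disable and
        # tombstone/untombstone events, so read the message text for those.
        [pscustomobject]@{
            Time        = $r.Time
            MessageID   = $r.MessageID
            User        = $r.ActorUser
            ExtensionId = $r.ExtensionId
            Version     = $r.ExtensionVersion
            SiteCode    = $r.SiteCode
            Unexpected  = ($ExpectedUser.Count -gt 0 -and $r.ActorUser -notin $ExpectedUser)
        }
    }
}

# Example call (assumed server, database and account names):
# Get-CMConsoleExtensionAudit -SqlServer "CMSQL01.contoso.com" -Database "CM_PS1" -Days 7 -ExpectedUser "CONTOSO\cmadmin" |
#     Where-Object Unexpected | Format-Table -AutoSize
```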

Next steps
Console extensions from Community hub
Import console extensions
Configuration Manager console notifications
Console tips
Import Configuration Manager console extensions
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Starting in Configuration Manager 2103, you can import console extensions to be used
in your environment. These extensions show up under the Console extensions node.
Importing and just having extensions in the console doesn't make them immediately
available. An administrator still has to approve the extension for the site and enable
notifications. Then console users can install the extension to their local console. For
more information about managing and installing console extensions, see Manage
Configuration Manager console extensions.

Based on the version of Configuration Manager you're running, different import options
are available. Initially, only signed extensions could be imported through the
administration service. Support for importing unsigned extensions was added later. Then
a wizard that could import both signed and unsigned extensions for you without having
to run a script was introduced in version 2111.

| Configuration Manager version | 2103 | 2107 | 2111 or later |
|---|---|---|---|
| Import a signed extension | Yes | Yes | Yes |
| Import an unsigned extension | No | Yes, when you allow unsigned | Yes, when you allow unsigned |
| Import from the administration service with a PowerShell script | Yes, signed extensions only | Yes | Yes |
| Import from the Import Console Extension wizard | No | No | Yes |

How to import console extensions

To import console extensions, you'll follow four basic steps. Exactly how you can import
will be determined by the version of Configuration Manager you're using and if the
extension is signed or not. To import and install a hierarchy approved console extension,
the high-level steps are:

1. Determine if you need to allow unsigned hierarchy approved console extensions (version 2107 and later).
2. Import the console extension using one of the following methods:
   Import a signed console extension with a script (version 2103 and later)
   Import an unsigned console extension with a script (version 2107 and later)
   Use the Import Console Extension wizard (version 2111 and later)
3. Test the extension in a local console.
4. Enable notifications to allow console users to install the console extension.

Allow unsigned console extensions for the hierarchy

(Applies to Configuration Manager version 2107 or later)

Starting in Configuration Manager version 2107, you can choose to allow unsigned hierarchy approved console extensions. It's a best practice to always use signed extensions to minimize security risks and to confirm the authenticity of a console extension. However, in some cases you may need to allow unsigned console extensions due to an unsigned internally developed extension, or for testing your own custom extension in a lab. To allow import and install of unsigned hierarchy approved console extensions, you'll enable a hierarchy setting.

1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select Sites.
2. Select Hierarchy Settings from the ribbon.
3. On the General tab, enable the Hierarchy approved console extensions can be unsigned option.
4. Select Ok when done to close the Hierarchy Settings Properties.

Note

Currently, when an unsigned extension isn't enabled for user notification, in the
Console Extensions node, the Required column remains blank instead of
populating a value of No.

Import a signed console extension with a script

(Applies to Configuration Manager version 2103 or later)

When you have an extension packaged in a signed .cab file, you can import it into
Configuration Manager. You'll do this by posting it through the administration service
using a PowerShell script. Once the extension is inserted into the site, you can approve
and install it locally from the Console Extensions node. To import, run the following
PowerShell script after editing the $adminServiceProvider and $cabFilePath:

$adminServiceProvider - The top-level SMSProvider server where the administration service is installed
$cabFilePath - Path to the extension's signed .cab file

PowerShell

# Top-level SMS Provider server where the administration service is installed
$adminServiceProvider = "SMSProviderServer.contoso.com"

# Path to the extension's signed .cab file
$cabFilePath = "C:\Testing\MyExtension.cab"

$adminServiceURL = "https://$adminServiceProvider/AdminService/v1/ConsoleExtensionMetadata/AdminService.UploadExtension"

$cabFileName = (Get-Item -Path $cabFilePath).Name

# Read the .cab as raw bytes and base64-encode it for the JSON request body
$Bytes = [System.IO.File]::ReadAllBytes($cabFilePath)
$base64Content = [Convert]::ToBase64String($Bytes)

$Headers = @{
    "Content-Type" = "Application/json"
}

$Body = @{
    CabFile = @{
        FileName    = $cabFileName
        FileContent = $base64Content
    }
} | ConvertTo-Json

# Post the extension to the administration service with the current Windows credentials
$result = Invoke-WebRequest -Method Post -Uri $adminServiceURL -Body $Body -Headers $Headers -UseDefaultCredentials

if ($result.StatusCode -eq 200) {
    Write-Host "$cabFileName was published successfully."
}
else {
    Write-Host "$cabFileName publish failed. Review AdminService.log for more information."
}

Import an unsigned console extension with a script

(Applies to Configuration Manager version 2107 or later)

Starting in Configuration Manager version 2107, you can choose to allow unsigned hierarchy approved console extensions. It's a best practice to always use signed extensions to minimize security risks and to confirm the authenticity of a console extension. However, in some cases you may need to allow unsigned console extensions due to an unsigned internally developed extension, or for testing your own custom extension in a lab.

When you have the .cab file for an extension, you can test it in a Configuration
Manager lab environment. You'll do this by posting it through the administration
service. Once the extension is inserted into the site, you can approve it and install it
locally from the Console Extensions node. To import, run the following PowerShell script
after editing the $adminServiceProvider and $cabFilePath:

$adminServiceProvider - The top-level SMSProvider server where the administration service is installed
$cabFilePath - Path to the extension's .cab file

PowerShell

# Top-level SMS Provider server where the administration service is installed
$adminServiceProvider = "SMSProviderServer.contoso.com"

# Path to the extension's .cab file (unsigned is allowed only when the
# "Hierarchy approved console extensions can be unsigned" hierarchy setting is enabled)
$cabFilePath = "C:\Testing\MyExtension.cab"

$adminServiceURL = "https://$adminServiceProvider/AdminService/v1/ConsoleExtensionMetadata/AdminService.UploadExtension"

$cabFileName = (Get-Item -Path $cabFilePath).Name

# Read the .cab as raw bytes and base64-encode it for the JSON request body
$Bytes = [System.IO.File]::ReadAllBytes($cabFilePath)
$base64Content = [Convert]::ToBase64String($Bytes)

$Headers = @{
    "Content-Type" = "Application/json"
}

$Body = @{
    CabFile = @{
        FileName      = $cabFileName
        FileContent   = $base64Content
        AllowUnsigned = $true
    }
} | ConvertTo-Json

# Post the extension to the administration service with the current Windows credentials
$result = Invoke-WebRequest -Method Post -Uri $adminServiceURL -Body $Body -Headers $Headers -UseDefaultCredentials

if ($result.StatusCode -eq 200) {
    Write-Host "$cabFileName was published successfully."
}
else {
    Write-Host "$cabFileName publish failed. Review AdminService.log for more information."
}
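As an added example (not one of the page's own scripts), the following PowerShell function combines the signed and unsigned import flows from this section and the preceding one, but checks the .cab's Authenticode signature with Get-AuthenticodeSignature before it posts to the administration service and only adds AllowUnsigned when the caller explicitly opts in. The function name Publish-CMConsoleExtension, the server name and the file path are assumptions.

```powershell
# Added example (not from the Configuration Manager docs). Uploads a console
# extension .cab through the administration service, the same endpoint the
# page's scripts use, but refuses to send an unsigned or tampered .cab
# unless the caller explicitly opts in with -AllowUnsigned.
# Assumed names: Publish-CMConsoleExtension, the server name and the path.
function Publish-CMConsoleExtension {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $AdminServiceProvider,
        [Parameter(Mandatory)] [string] $CabFilePath,
        # Only allow unsigned .cab files when the hierarchy setting
        # "Hierarchy approved console extensions can be unsigned" is enabled
        # and you are testing an internally built extension in a lab.
        [switch] $AllowUnsigned,
        # Optional allow-list of publisher certificate thumbprints; when
        # given, a valid signature from any other publisher is still rejected.
        [string[]] $TrustedThumbprint = @()
    )

    $cabItem = Get-Item -Path $CabFilePath -ErrorAction Stop

    # Authenticode check on the .cab itself. A .cab that is unsigned,
    # signed by an untrusted chain, or modified after signing (HashMismatch)
    # does not have status 'Valid'.
    $sig = Get-AuthenticodeSignature -FilePath $cabItem.FullName
    if ($sig.Status -ne 'Valid') {
        if (-not $AllowUnsigned) {
            throw "Refusing to import '$($cabItem.Name)': Authenticode status is '$($sig.Status)'. Re-run with -AllowUnsigned only for a lab test of an internally built extension."
        }
        Write-Warning "Importing '$($cabItem.Name)' as UNSIGNED (status: $($sig.Status))."
    }
    elseif ($TrustedThumbprint.Count -gt 0 -and
            $sig.SignerCertificate.Thumbprint -notin $TrustedThumbprint) {
        throw "Refusing to import '$($cabItem.Name)': signer thumbprint $($sig.SignerCertificate.Thumbprint) is not in the allow-list."
    }
    else {
        Write-Verbose "Signature valid. Signer: $($sig.SignerCertificate.Subject)"
    }

    $uri = "https://$AdminServiceProvider/AdminService/v1/ConsoleExtensionMetadata/AdminService.UploadExtension"

    # Same request shape as the page's scripts: the .cab is base64-encoded
    # inside a JSON body; AllowUnsigned is only included when opted in.
    $cabFile = @{
        FileName    = $cabItem.Name
        FileContent = [Convert]::ToBase64String([System.IO.File]::ReadAllBytes($cabItem.FullName))
    }
    if ($AllowUnsigned) { $cabFile.AllowUnsigned = $true }
    $body = @{ CabFile = $cabFile } | ConvertTo-Json -Depth 3

    if (-not $PSCmdlet.ShouldProcess($uri, "Upload $($cabItem.Name)")) { return }

    try {
        $result = Invoke-WebRequest -Method Post -Uri $uri -Body $body `
            -Headers @{ "Content-Type" = "Application/json" } -UseDefaultCredentials
        Write-Host "$($cabItem.Name) was published successfully (HTTP $($result.StatusCode))."
    }
    catch {
        # A non-2xx response is raised as an error by Invoke-WebRequest.
        Write-Error "$($cabItem.Name) publish failed: $($_.Exception.Message). Review AdminService.log on the SMS Provider."
    }
}

# Example calls (assumed server name and path, as in the page's scripts):
# Publish-CMConsoleExtension -AdminServiceProvider "SMSProviderServer.contoso.com" -CabFilePath "C:\Testing\MyExtension.cab" -WhatIf
# Publish-CMConsoleExtension -AdminServiceProvider "SMSProviderServer.contoso.com" -CabFilePath "C:\Testing\MyExtension.cab" -AllowUnsigned -Verbose
```

Run with -WhatIf first to confirm the signature check passes without uploading anything.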

Note

Currently, when an unsigned extension isn't enabled for user notification, in the Console Extensions node, the Required column remains blank instead of populating a value of No.

Import console extensions wizard

(Applies to Configuration Manager version 2111 or later)

Starting in version 2111, you can use the Import Console Extension wizard to import
console extensions that are managed for the hierarchy. You no longer need to use a
PowerShell script to import a signed or unsigned console extension. To import a console
extension using the wizard:

1. From the Administration workspace, expand Updates and Servicing, then select
the Console Extensions node.
2. Select Import Console Extension from either the ribbon or the right-click menu.
3. When the wizard launches, select Browse and navigate to the extension's cab file.
4. If needed, select the option for Allow extension to be unsigned.
5. Select Next to review the import summary, then complete the wizard to import the
extension.

Note

To import unsigned extensions, the Hierarchy approved console extensions can be unsigned option needs to be enabled in the Hierarchy Settings. For more information, see Allow unsigned hierarchy approved console extensions.

Install and test an extension on a local console

1. Change the security scope for the extension. Changing the security scope is
recommended for initial testing of an extension.
a. Go to the Console Extensions node under Administration > Overview >
Updates and Servicing.
b. Select the extension, then select Set Security Scopes from the ribbon.
c. Remove the Default security scope and add a scope that only contains one or
two admins for initial testing.
d. Choose OK to save the security scope for the extension.

2. Approve the extension by selecting Approve Installation from the ribbon or right-
click menu.

  If the extension isn't approved, you won't be able to install it or enable in-console notifications for it.
  If you restart your console at this point, a notification about the available extension won't occur since you haven't enabled the option yet.

3. Install the extension on the local console by choosing Install.

4. Once the extension is installed, verify it displays and you can use it from the local
console.

Enable user notifications for extension installation

1. If needed, modify the security scopes for the extension to allow access by more
admins. These admins will be targeted with the in-console notification for installing
the extension.
2. Select Enable Notifications.
3. Launch a Configuration Manager console that doesn't have the extension installed.
Ideally, use a test account that you gave access to when you modified the security
scope.
4. Verify that the notification for the extension occurs and that you can install the
extension.

Next steps
Manage console extensions
Console extensions from Community hub
Develop custom console extensions
Configuration Manager console changes and tips
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the information below to find out about changes to the Configuration Manager
console and tips for using the console:

General tips

Console improvements in version 2207

(Introduced in version 2207)

The following improvements were made to the console and user experience:

When using the search bar, the Path criteria is added whenever subfolders are
included in the search. The Path criteria is informational and can't be edited.

Console improvements in version 2203

(Introduced in version 2203)

The following improvements were made to the console and user experience:

When using temporary device nodes, device actions like Run Scripts are now
available to make the experience in the console consistent.
Additional Management Insights rules now have click-through actions.
Copy/paste is available for more objects from details panes.
Added the Name property in the details pane for configuration items,
configuration item related policies, and applications.
Software update search results and the search criteria are now cached when you
navigate to another node. When you navigate back to the All Software Updates
node, your search criteria and results are preserved from your last query. Closing
the console will clear the cached query.
Added a search filter to the Products and Classifications tabs in the Software
Update Point Component Properties.
You can now exclude subcontainers when doing Active Directory System
Discovery and Active Directory User Discovery in untrusted domains.
Added a Cloud Sync column to collections to indicate if the collection is
synchronizing with Azure Active Directory.
Added the Collection ID to the collection summary details tab.
Increased the size of the Membership Rules pane in the Properties page for
collections.
Added a View Script option for Run PowerShell Script steps when using the View
action for a task sequence.
The console now offers a dark theme. For more information, see How to use the
console.

Export to CSV
(Introduced in version 2111)

Starting in Configuration Manager 2111, you can export the contents of a grid view in
the console along with the column headers to a comma-separated values (CSV) file that
can be used to import to Excel or other applications. While you could previously cut and
paste from a grid view, exporting to CSV makes extracting a large number of rows faster
and easier. You can export either all or selected items from the following nodes:

Device Collections
User Collections
Devices
Users

To export the information, select Export to CSV file from either the ribbon or the right-click menu. Choose Export selected items to only export items you've already selected, or you can choose to Export all items.

Enhanced code editor

(Introduced in version 2107)

Starting in Configuration Manager 2107, you can edit scripts in an enhanced editor. The
new editor supports syntax highlighting, code folding, word wrap, line numbers, and
find and replace. The new editor is available in the console wherever scripts and queries
can be viewed or edited. The enhanced editor improves the syntax highlighting and
code folding that was first introduced in version 2010.

Open the new code editor to view or edit scripts and queries from the following locations:

Configuration item
  Scripts
  SQL and WQL queries
  Detection methods
Application detection scripts
Query statement properties
Create script wizard
Script properties
Orchestration group
  pre-installation scripts
  post-installation scripts
Task sequence
  PowerShell scripts
  Query WMI option

The new code editor supports the following features:

Editor mode with syntax highlighting and plain text toggle
Toggle word wrap and line numbers
Code folding
Language selection
Find, Find and Replace, and Go To line number
Font type and size selection
Zoom using buttons or with Ctrl + mouse wheel.
The information bar at the bottom displays:
  Number of lines and characters in the script
  Cursor position
  If the script is read-only
Persistent settings across instances for the code window, such as code folding, word wrap, and window size.

Syntax highlighting for scripting languages

(Introduced in version 2010)

To assist you when creating scripts and queries in the Configuration Manager console,
you'll now see syntax highlighting and code folding, where available.

Supported scripting languages for syntax highlighting

Supported languages for syntax highlighting include PowerShell, JavaScript/JScript,
VBScript, and SQL/WQL. The following table shows which languages are supported for
syntax highlighting in each area of the console:

Console area                PowerShell  VBScript  JavaScript/JScript  SQL/WQL
Application scripts         Yes         Yes       Yes                 -
Collection query            -           -         -                   Yes
Configuration item scripts  Yes         Yes       Yes                 Yes
Task sequence scripts       Yes         -         -                   -
Create scripts              Yes         -         -                   -

Fixed-width font now used in some console areas


(Introduced in version 2010)

Various areas in the Configuration Manager console now use the fixed-width font
Consolas. This font provides consistent spacing and makes it easier to read. You'll see
the Consolas font in the following places:

Application scripts
Configuration item scripts
WMI-based collection membership queries
CMPivot queries
Scripts
Run PowerShell Script
Run Command Line

Shortcuts to status messages


(Introduced in version 2010)

You now have an easier way to view status messages for the following objects:

Devices
Users
Content
Deployments
Monitoring workspace
Phased deployments (select Show Deployments from the Phased
Deployments node)
Deployments tab in the details pane for:
Packages
Task sequences

Select one of these objects in the Configuration Manager console, and then select Show
Status Messages from the ribbon. Set the viewing period, and then the status message
viewer opens. The viewer filters the results to the object you selected.

Your user account needs at least Read permission to these objects.

For more information, see Use the status system.

Improvements to console search

(Introduced in version 2203)

The default search now includes all subfolders. That is, when you navigate to any
node in the console, search results by default include items from that node as
well as from all of its subfolders.
If you want to search only the current node, select the Current Node button in the
ribbon. The search results then include items from the current node only.
If you want to search all subfolders, select the All Subfolders button in the ribbon.
The search results then include items from the current node as well as from all
subfolders.

Note: The path criteria are not editable; they only show the search criteria.

(Introduced in version 1910)

You can use the All Subfolders search option from the Driver Packages and
Queries nodes. Starting in version 2002, also use this option from the
Configuration Items and Configuration Baselines nodes.

When a search returns more than 1,000 results, select the OK button on the notice
bar to view more results.

Tip

The default limit on search results is 1,000. You can change this default value.
In the Configuration Manager console, go to the Search tab of the ribbon. In
the Options group, select Search Settings. Change the Search Results value.
A larger number of search results might take longer to display.

By default, the upper maximum limit is 100,000. To change this limit, set the
DWORD value QueryResultCountMaximum in the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\ConfigMgr10\AdminUI

The in-console setting corresponds to the QueryResultCountLimit value in
the same key. An administrator can configure these values in the HKLM hive
for all users of the device. The HKCU value overrides the HKLM setting.
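As an added example that is not part of the Configuration Manager documentation, the following PowerShell reads the effective search-result limits (HKCU overriding HKLM, falling back to the documented defaults) and writes the DWORD values named above. The function names, and the guard that keeps the limit at or below the maximum, are this example's own assumptions.

```powershell
# Added example: manage the console search-result limits under
# Software\Microsoft\ConfigMgr10\AdminUI (value names QueryResultCountLimit and
# QueryResultCountMaximum, as documented above). Not part of the product docs.

$SubKey = 'Software\Microsoft\ConfigMgr10\AdminUI'

function Get-CMConsoleSearchLimit {
    # Returns the effective value for the current user. HKCU overrides HKLM;
    # when neither hive defines the value, the documented default applies
    # (1,000 for the limit, 100,000 for the maximum).
    param(
        [Parameter(Mandatory)]
        [ValidateSet('QueryResultCountLimit', 'QueryResultCountMaximum')]
        [string]$Name
    )

    $defaults = @{ QueryResultCountLimit = 1000; QueryResultCountMaximum = 100000 }

    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "${hive}:\$SubKey"
        if (Test-Path -Path $path) {
            $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item -and $null -ne $item.$Name) {
                return [pscustomobject]@{ Name = $Name; Value = [int]$item.$Name; Source = $hive }
            }
        }
    }
    return [pscustomobject]@{ Name = $Name; Value = $defaults[$Name]; Source = 'Default' }
}

function Set-CMConsoleSearchLimit {
    # Writes the DWORD. -AllUsers targets HKLM (requires elevation); a per-user
    # HKCU value still takes precedence over HKLM, as the documentation states.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('QueryResultCountLimit', 'QueryResultCountMaximum')]
        [string]$Name,
        [Parameter(Mandatory)]
        [ValidateRange(1, [int]::MaxValue)]
        [int]$Value,
        [switch]$AllUsers
    )

    # Assumption of this example: a limit above the effective maximum is not
    # honoured by the console, so warn before writing it.
    if ($Name -eq 'QueryResultCountLimit') {
        $max = (Get-CMConsoleSearchLimit -Name 'QueryResultCountMaximum').Value
        if ($Value -gt $max) {
            Write-Warning "Limit $Value exceeds the effective maximum $max; raise QueryResultCountMaximum first."
        }
    }

    $hive = if ($AllUsers) { 'HKLM' } else { 'HKCU' }
    $path = "${hive}:\$SubKey"
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # -Force overwrites an existing value; DWord is the type the console reads.
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Usage: show where each effective value comes from, then set a per-user limit.
Get-CMConsoleSearchLimit -Name 'QueryResultCountMaximum'
Get-CMConsoleSearchLimit -Name 'QueryResultCountLimit'
Set-CMConsoleSearchLimit -Name 'QueryResultCountLimit' -Value 5000
```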

Role-based administration for folders


(Introduced in version 1906)

You can set security scopes on folders. If you have access to an object in the folder but
don't have access to the folder, you'll be unable to see the object. Similarly, if you have
access to a folder but not an object within it, you won't see that object. Right-click a
folder, choose Set Security Scopes, then choose the security scopes you want to apply.

Views sort by integer values


We've made improvements to how various views sort data. For example, in the
Deployments node of the Monitoring workspace, the following columns now sort as
numbers instead of string values:

Number Errors
Number In Progress
Number Other
Number Success
Number Unknown

Move the warning for a large number of results


When you select a node in the console that returns more than 1,000 results,
Configuration Manager displays the following warning:

Configuration Manager returned a large number of results. You can narrow your
results by using search. Or, click here to view a maximum of 100000 results.

There's now additional blank space in between this warning and the search field. This
move helps to prevent inadvertently selecting the warning to display more results.

Send feedback
Submit product feedback from the console.

Send a smile: Send feedback on what you liked

Send a frown: Send feedback on what you didn't like

Send a suggestion: Takes you to the product feedback site to share your idea

For more information, see Product Feedback.

Assets and Compliance workspace

Co-management Eligible Devices collection


(Introduced in version 2111)

There's a new built-in device collection for Co-management Eligible Devices. The Co-
management Eligible Devices collection uses incremental updates and a daily full
update to keep the collection up to date.

Collections tab
(Introduced in version 2111)

When you show the members of a device collection, and select a device in the list,
switch to the Collections tab in the details pane. This new view shows the list of
collections of which the selected device is a member. It makes it easier for you to see
this information.
Navigate to collection
(Introduced in version 2107)

You can now navigate to a collection from the Collections tab in the Devices node.
Select View Collection from either the ribbon or the right-click menu in the tab.
Added maintenance window column
(Introduced in version 2107)

A Maintenance window column was added to the Collections tab in the Devices node.

Display assigned users


(Introduced in version 2107)

If a collection deletion fails due to scope assignment, the assigned users are displayed.

Copy discovery data from the console


(Introduced in version 2010)

Copy discovery data from devices and users in the console. Copy the details to the
clipboard, or export them all to a file. These actions make it easier for you to quickly get
this data from the console. For example, copy the MAC address of a device before you
reimage it.

1. In the Configuration Manager console, go to the Assets and Compliance
workspace. Open the properties for a user or device.

2. On the General tab, in the Discovery data list, select one or more properties.

3. Right-click the selection, and choose one of the following actions:

Copy value: Copies just the value. You can also use the keyboard shortcut Ctrl
+ C.

Copy property and value: Copies both the property name and the
corresponding value. You can also use the keyboard shortcut Ctrl + Shift + C.

Select all: Selects all properties and values. You can also use the keyboard
shortcut Ctrl + A.

Save results as: Saves all properties and values to a comma-separated values
(CSV) file that you specify.

Real-time actions from device lists


(Introduced in version 1906)

There are various ways to display a list of devices under the Devices node in the Assets
and Compliance workspace.

In the Assets and Compliance workspace, select the Device Collections node.
Select a device collection, and choose the action to Show members. This action
opens a subnode of the Devices node with a device list for that collection.
When you select the collection subnode, you can now start CMPivot from the
Collection group of the ribbon.

In the Monitoring workspace, select the Deployments node. Select a deployment,
and choose the View Status action in the ribbon. In the deployment status pane,
double-click the total assets to drill-through to a device list.
When you select a device in this list, you can now start CMPivot and Run Scripts
from the Device group of the ribbon.

Collections tab in devices node


(Introduced in version 1906)

In the Assets and Compliance workspace, go to the Devices node, and select a device.
In the details pane, switch to the new Collections tab. This tab lists the collections that
include this device.

Note

This tab currently isn't available from a devices subnode under the Device
Collections node. For example, when you select the option to Show Members on a
collection.

This tab may not populate as expected for some users. To see the complete list of
collections a device belongs to, you must have the Full Administrator security role.
This is a known issue.

Add SMBIOS GUID column to device and device collection nodes
(Introduced in version 1906)

In both the Devices and Device Collections nodes, you can now add a new column for
SMBIOS GUID. This value is the same as the BIOS GUID property of the System
Resource class. It's a unique identifier for the device hardware.

Search device views using MAC address


You can search for a MAC address in a device view of the Configuration Manager
console. This property is useful for OS deployment administrators while troubleshooting
PXE-based deployments. When you view a list of devices, add the MAC Address column
to the view. Use the search field to add the MAC Address search criteria.

View users for a device


The following columns are available in the Devices node:

Primary user(s)

Currently logged on user

Note

Viewing the currently logged on user requires user discovery and user device
affinity.

For more information on how to show a non-default column, see How to use the admin
console.

Improvement to device search performance


When you search in a device collection, the console doesn't match the keyword against
all object properties. When you don't specify what to search, it searches across the
following four properties:

Name
Primary user(s)
Currently logged on user
Last logon user name

This behavior significantly improves the time it takes to search by name, especially in a
large environment. Custom searches by specific criteria are unaffected by this change.

Software Library workspace


Folder support for software update nodes
(Introduced in version 2203)

You can organize software update groups and packages by using folders. This change
allows for better categorization and management of software updates. For more
information, see Deploy software updates.

Improvements to console search


(Introduced in version 2107)

You can use the All Subfolders search option for the following nodes:

Boot Images node
Operating System Upgrade Packages node
Operating System Images node

Run software updates evaluation from deployment status


(Introduced in version 2107)

You can right-click and notify devices to run a software updates evaluation cycle from
the software update deployment status. You can target a single device under the Asset
Details pane or select a group of devices based on their deployment status.

1. In the Configuration Manager console, navigate to Monitoring > Overview >
Deployments.
2. Select the software update group or software update for which you want to
monitor the deployment status.
3. On the Home tab, in the Deployment group, select View Status.
4. Right-click on either a specific deployment status for the devices, or on a single
device under Asset Details pane.
5. Select Evaluate Software Update Deployments to send a notification to the
selected devices to run an evaluation cycle for software update deployments.

Import objects to current folder


(Introduced in version 2010)

When you import an object in the Configuration Manager console, it now imports to the
current folder. Previously, Configuration Manager always put imported objects in the
root node. This new behavior applies to applications, packages, driver packages, and
task sequences.

See task sequence size in the console


(Introduced in version 2010)

When you view the list of task sequences in the Configuration Manager console, add the
Size (KB) column. Use this column to identify large task sequences that can cause
problems. For more information, see Reduce the size of task sequence policy.

Order by program name in task sequence


(Introduced in version 1906)

In the Software Library workspace, expand Operating Systems, and select the Task
Sequences node. Edit a task sequence, and select or add the Install Package step. If a
package has more than one program, the drop-down list now sorts the programs
alphabetically.

Task sequences tab in applications node


(Introduced in version 1906)

In the Software Library workspace, expand Application Management, go to the
Applications node, and select an application. In the details pane, switch to the new Task
sequences tab. This tab lists the task sequences that reference this application.

Drill through required updates


(Introduced in version 1906)

1. Go to one of the following places in the Configuration Manager console:

Software Library > Software Updates > All Software Updates
Software Library > Windows Servicing > All Windows Updates
Software Library > Office 365 Client Management > Office 365 Updates

2. Select any update that is required by at least one device.

3. Look at the Summary tab and find the pie chart under Statistics.

4. Select the View Required hyperlink next to the pie chart to drill down into the
device list.

5. This action takes you to a temporary node under Devices where you can see the
devices requiring the update. You can also take actions for the node such as
creating a new collection from the list.

Note

Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365
Apps for enterprise. For more information, see Name change for Office 365
ProPlus. You may still see references to the old name in the Configuration Manager
console and supporting documentation while the console is being updated.

Maximize the browse registry window


1. In the Software Library workspace, expand Application Management, and select
the Applications node.
2. Select an application that has a deployment type with a detection method. For
example, a Windows Installer detection method.
3. In the details pane, switch to the Deployment Types tab.
4. Open the properties of a deployment type, and switch to the Detection Method
tab. Select Add Clause.
5. Change the Setting Type to Registry and select Browse to open the Browse
Registry window. You can now maximize this window.

Edit a task sequence by default
In the Software Library workspace, expand Operating Systems, and select the Task
Sequences node. Edit is now the default action when opening a task sequence.
Previously the default action was Properties.

Go to the collection from an application deployment


1. In the Software Library workspace, expand Application Management, and select
the Applications node.
2. Select an application. In the details pane, switch to the Deployments tab.
3. Select a deployment, and then choose the new Collection option in the ribbon on
the Deployment tab. This action switches the view to the collection that's the
target of the deployment.

This action is also available from the right-click context menu on the
deployment in this view.

Monitoring workspace

Collection evaluation time


(Introduced in version 2111)

When viewing a collection, you could previously see the amount of time the site took to
evaluate the collection membership. This data is now also available in the Monitoring
workspace. When you select a collection in either subnode of the Collection Evaluation
node, the details pane displays this collection evaluation time data.

Correct names for client operations


(Introduced in version 1906)

In the Monitoring workspace, select Client Operations. The operation to Switch to next
Software Update Point is now properly named.

Show collection name for scripts


(Introduced in version 1906)

In the Monitoring workspace, select the Script Status node. It now lists the Collection
Name and the ID.

Remove content from monitoring status


1. In the Monitoring workspace, expand Distribution Status, and select Content
Status.
2. Select an item in the list, and choose the View Status option in the ribbon.
3. In the Asset Details pane, right-click a distribution point, and select the new option
Remove. This action removes this content from the selected distribution point.

Copy details in monitoring views


Copy information from the Asset Details pane for the following monitoring nodes:

Content Distribution Status
Deployment Status

Administration workspace

Status message shortcuts


(Introduced in version 2107)

Shortcuts to status messages were added to the Administrative Users node and the
Accounts node. Select an account, then select Show Status Messages.

Enable some security nodes to use the administration service

Starting in version 1906, you can enable some nodes under the Security node to use the
administration service. This change allows the console to communicate with the SMS
Provider over HTTPS instead of via WMI. For more information, see Set up the
administration service.

Next steps
Use the console
Console notifications
Accessibility features

Fundamentals of Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

If you're new to Configuration Manager current branch, start with the fundamentals.
Before you run setup to install your first site, learn about the basic concepts of
Configuration Manager. If you're already familiar with System Center 2012 Configuration
Manager, then start with What's changed from System Center 2012 Configuration
Manager.

For information about supported operating systems and supported environments,
hardware requirements, and capacity information, see Supported configurations for
Configuration Manager.

See the following articles to learn about fundamental concepts for Configuration
Manager:

Fundamentals of sites and hierarchies

About upgrade, update, and install

Fundamentals of managing devices

Fundamentals of client management tasks

Fundamentals of security

Fundamentals of role-based administration

Fundamentals of content management


Fundamentals of sites and hierarchies for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

A Configuration Manager deployment must be installed in an Active Directory domain.
The foundation of this deployment includes one or more Configuration Manager sites
that form a hierarchy of sites. From a single site to a multi-site hierarchy, the type and
location of sites you install provide the ability to scale up (expand) your deployment
when necessary, and deliver key services to managed users and devices.

Hierarchies of sites
When you install Configuration Manager for the first time, the first Configuration
Manager site that you install determines the scope of your hierarchy. The first
Configuration Manager site is the foundation from which you will manage devices and
users in your enterprise. This first site must be either a central administration site or a
stand-alone primary site.

A central administration site is suitable for large-scale deployments, provides a central
point of administration, and provides the flexibility to support devices that are
distributed across a global network infrastructure. After you install a central
administration site, you will need to install one or more primary sites as child sites. This
configuration is necessary because a central administration site does not directly
support management of devices, which is the function of a primary site. A central
administration site supports multiple child-primary sites. The child-primary sites are
used to directly manage devices, and to control network bandwidth when your
managed devices are in different geographical locations.

A stand-alone primary site is suitable for smaller deployments, and can be used to
manage devices without having to install additional sites. Although a stand-alone
primary site can limit the size of your deployment, it does support a scenario to expand
your hierarchy at a later time by installing a new central administration site. With this
site expansion scenario, your stand-alone primary site becomes a child-primary site, and
you can then install additional child-primary sites below your new central administration
site. You can then expand your initial deployment for future growth of your enterprise.

Tip

A stand-alone primary site and a child-primary site are really the same type of site:
a primary site. The difference in name is based on the hierarchy relationship that is
created when you also use a central administration site. This hierarchy relationship
can also limit the installation of certain site system roles that extend Configuration
Manager functionality. This limitation of roles occurs because certain site system
roles can only be installed on the top-tier site of the hierarchy, a central
administration site, or a stand-alone primary site.

After you install your first site, you can install additional sites. If your first site was a
central administration site, then you can install one or more child-primary sites. After
you install a primary site (stand-alone, or child-primary), you can then install one or
more secondary sites.

A secondary site can only be installed as a child site below a primary site. This site type
extends the reach of a primary site to manage devices in locations that have a slow
network connection to the primary site. Even though a secondary site extends the
primary site, the primary site manages all of the clients. The secondary site provides
support for devices in the remote location. It provides support by compressing and then
managing the transfer of information across your network that you send (deploy) to
clients, and that clients send back to the site.

The following diagrams show some example site designs.


For more information, see the following topics:

Introduction to Configuration Manager

Design a hierarchy of sites for Configuration Manager

Install Configuration Manager sites

Site system servers and site system roles


Each Configuration Manager site installs site system roles that support management
operations. The following roles are installed by default when you install a site:

The site server role is assigned to the computer where you install the site.

The site database server role is assigned to the SQL Server that hosts the site
database.

Other site system roles are optional, and are only used when you want to use the
functionality that is active in a site system role. Any computer that hosts a site system
role is referred to as a site system server.

For a smaller deployment of Configuration Manager, you might initially run all of your
site system roles directly on the site server computer. Then, as your managed
environment and needs grow, you can install additional site system servers to host
additional site system roles to improve the site's efficiency in providing services to more
devices.

For information about the different site system roles, see Site system roles in Plan for
site system servers and site system roles for Configuration Manager.

Publishing site information to Active Directory Domain Services
To simplify management of Configuration Manager, you can extend the Active Directory
schema to support details that are used by Configuration Manager, and then have sites
publish their key information to Active Directory Domain Services (AD DS). Then the
computers that you want to manage can securely retrieve site-related information from
the trusted source of AD DS. The information clients can retrieve identifies available
sites, site system servers, and the services that those site system servers provide.

Extending the Active Directory schema is done only one time for each forest, and can be
done before or after you install Configuration Manager. When you extend the schema,
you must create a new Active Directory container named System Management in each
domain. The container contains a Configuration Manager site that will publish data for
clients to find. For more information, see Prepare Active Directory for site publishing.

Publishing site data improves the security of your Configuration Manager hierarchy and
reduces administrative overhead, but is not required for basic Configuration Manager
functionality.

About upgrade, update, and install for site and hierarchy infrastructure
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When managing Configuration Manager sites and hierarchy infrastructure, the terms
upgrade, update, and install are used to describe three separate concepts.

Upgrade
Upgrade, or in-place upgrade, is used when converting your Configuration Manager 2012
site or hierarchy to one that runs Configuration Manager current branch.

When you upgrade System Center 2012 Configuration Manager to Configuration
Manager current branch, you continue to use the same servers to host your sites and
site servers, and you retain your existing data and configurations for Configuration
Manager. This is different from migration, which is a way to retain your configurations
and data about managed devices while using new Configuration Manager current
branch sites installed on new hardware.

For more details, see Upgrade to Configuration Manager.

Update
Update is used for installing in-console updates for Configuration Manager, and for out-
of-band updates which are updates that cannot be delivered from within the
Configuration Manager console. In-console updates can modify the version of your
Current Branch site (or Technical Preview site) so that it runs a higher version. For
example, if your site runs version 1806, you can install an update for version 1810.
Updates can also install fixes for a known issue, without modifying the site version.

Typically, updates add security fixes, quality improvements, and new features to your
existing deployment. If you use the Technical Preview branch, an update can install a
newer version of the Technical Preview.

You choose when to install the in-console update, starting at the top-tier site of
your hierarchy.
You can install any update that is available from within the console. For example, if
your site runs version 1802 and both 1806 and 1810 are offered, you should
consider installing version 1810 because each version includes the features that
were first made available in previously released versions.
After a new update completes installation at your top-tier site, child primary sites
automatically start the process to update. However, you can set Service Windows
to control the timing of updates.
Secondary sites do not automatically install updates. Instead, you manually start
the update from within the Configuration Manager console.

For more, see Updates for Configuration Manager, and Technical Preview for
Configuration Manager.

Install
Install is used when creating a new Configuration Manager hierarchy from scratch, or
adding additional sites to an existing hierarchy.

When you install a new primary site or central administration site, the location of
setup.exe and its related source files that you use depends on your installation scenario.

For more, see Prepare to install sites.


Fundamentals of managing devices with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager can manage two broad categories of devices:

Clients are devices like workstations, laptops, servers, and mobile devices where
you install the Configuration Manager client software. Some management
functions, like hardware inventory, require this client software.

Managed devices can include clients, but typically it's a mobile device where the
Configuration Manager client software isn't installed. On this kind of device, you
manage by using the built-in on-premises mobile device management in
Configuration Manager.

You can also group and identify devices based on the user, not just the client type.

Managing devices with the Configuration Manager client
There are two ways to use the Configuration Manager client software to manage a
device. The first way is to discover the device on your network, and then deploy the
client software to that device. The other way is to manually install the client software on
a new computer, and then have that computer join your site when it joins your network.

To discover devices where the client software is not installed, run one or more of the
built-in discovery methods. After a device is discovered, use one of several methods to
install the client software. For information on using discovery, see Run discovery for
Configuration Manager.

After discovering the devices that are supported to run the Configuration Manager
client software, you can use one of several methods to install the software. After the
software is installed and the client is assigned to a primary site, you can begin to
manage the device. Common installation methods include:

Client push installation

Software update-based installation

Group policy

Manual installation on a computer

Including the client as part of an OS image that you deploy

After the client is installed, you can simplify the tasks of managing devices by using
collections. Collections are groups of devices or users that you create so that you can
manage them as a group. For example, you might want to install a mobile device
application on all mobile devices that Configuration Manager enrolls. If this is the case,
you can use the All Mobile Devices collection.

For more information, see these articles:

Choose a device management solution

Client installation methods

Introduction to collections

Client settings
When you first install Configuration Manager, all clients in the hierarchy are configured
by using the default client settings that you can change. The client settings include these
configuration options:

How frequently the devices communicate with the site.

Whether the client is set up for software updates and other management
operations.

Whether users can enroll their mobile devices so they're managed by
Configuration Manager.

You can create custom client settings and then assign them to collections. Members of
the collection are configured to have the custom settings, and you can create multiple
custom client settings that are applied in the order that you specify (by numerical order).
If there are conflicting settings, the setting that has the lowest order number overrides
the other settings.
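The precedence rule above, worked as an added PowerShell example that is not part of the documentation: the setting names, collection names and values are constructed for illustration, and the function models the documented rule that custom client settings apply by order number, with the lowest number winning a conflict.

```powershell
# Added example (not from the Configuration Manager docs): compute the effective
# client settings for a device from the default settings plus the custom settings
# assigned to the collections it belongs to. Setting names and values are
# constructed for illustration only.

function Resolve-EffectiveClientSettings {
    param(
        [Parameter(Mandatory)] [hashtable]$DefaultSettings,
        # Each custom setting object carries Name, Order, Collections, Settings.
        [Parameter(Mandatory)] [object[]]$CustomSettings,
        [Parameter(Mandatory)] [string[]]$DeviceCollections
    )

    # Every device starts from the default client settings.
    $effective = @{}
    foreach ($k in $DefaultSettings.Keys) {
        $effective[$k] = @{ Value = $DefaultSettings[$k]; Source = 'Default' }
    }

    # Only custom settings assigned to one of the device's collections apply.
    $applicable = $CustomSettings |
        Where-Object { @($_.Collections | Where-Object { $DeviceCollections -contains $_ }).Count -gt 0 } |
        Sort-Object -Property Order -Descending

    # Apply the highest order number first and the lowest last, so that on a
    # conflict the setting with the lowest order number overrides the others.
    foreach ($cs in $applicable) {
        foreach ($k in $cs.Settings.Keys) {
            $effective[$k] = @{ Value = $cs.Settings[$k]; Source = "$($cs.Name) (order $($cs.Order))" }
        }
    }
    return $effective
}

# Constructed sample data.
$default = @{ PolicyPollingMinutes = 60; EnableSoftwareUpdates = $true; AllowMobileEnrollment = $false }
$custom = @(
    [pscustomobject]@{ Name = 'Servers'; Order = 1; Collections = @('All Servers');  Settings = @{ PolicyPollingMinutes = 15 } },
    [pscustomobject]@{ Name = 'Lab';     Order = 2; Collections = @('Lab Machines'); Settings = @{ PolicyPollingMinutes = 240; EnableSoftwareUpdates = $false } },
    [pscustomobject]@{ Name = 'Kiosks';  Order = 3; Collections = @('Kiosks');       Settings = @{ AllowMobileEnrollment = $true } }
)

# A device in both 'All Servers' and 'Lab Machines': PolicyPollingMinutes comes from
# 'Servers' (order 1 beats order 2), EnableSoftwareUpdates from 'Lab', and
# AllowMobileEnrollment stays at the default because 'Kiosks' does not apply.
$result = Resolve-EffectiveClientSettings -DefaultSettings $default -CustomSettings $custom `
    -DeviceCollections @('All Servers', 'Lab Machines')
$result.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-24} {1,-6} from {2}' -f $_.Key, $_.Value.Value, $_.Value.Source
}
```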

The following diagram shows an example of how you create and apply custom client
settings.

To learn more about client settings, see the following articles:

How to configure client settings

About client settings

Managing devices without the Configuration Manager client
Configuration Manager supports the management of some devices that have not
installed the client software, and aren't managed by Intune. For more information, see
Manage mobile devices with on-premises infrastructure in Configuration Manager and
Manage mobile devices with Configuration Manager and Exchange.

User-based management
Configuration Manager supports collections of Azure Active Directory and Active
Directory Domain Services users. When you use a user collection, you can install
software on all computers that members of the collection use. To make sure that the
software you deploy only installs on the devices that are specified as a user's primary
device, set up user device affinity. A user can have one or more primary devices.

One of the ways that users can control their software deployment experience is to use
the Software Center client interface. The Software Center is automatically installed on
client computers and is run from the Windows Start menu. The Software Center lets
users manage their own software and do the following tasks:

Install software

Schedule software to automatically install outside working hours

Configure when Configuration Manager can install software on a device

Configure the access settings for remote control, if remote control is set up in
Configuration Manager

Configure options for power management, if an administrator sets up this option

Browse for, install, and request software

Configure preference settings

When it's set up, specify a primary device for user device affinity

For more information, see the following articles:

Plan for Software Center

Link users and devices with user device affinity

Software Center user guide

Fundamentals of client management tasks for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

After you install the Configuration Manager clients, there are several tasks that you run
to manage the clients. Some of the tasks are run from the Configuration Manager
console. Other tasks are run from the Configuration Manager client application. The
Configuration Manager client application is installed with the Configuration Manager
client software.

Configuration Manager console tasks

In the Configuration Manager console, you can perform various client management
tasks:

Deploy applications, software updates, maintenance scripts, and operating
systems. Configure installation for a specific date and time, make the software
available for users to install when they request it, or configure applications to
be uninstalled.

Help protect computers from malware and security threats, and notify you when
problems are detected.

Define client configuration settings that you want to monitor, and remediate if
they are out of compliance.

Collect hardware and software inventory information, which includes monitoring
and reconciling license information from Microsoft.

Troubleshoot computers by using remote control.

Implement power management settings to manage and monitor the power
consumption of computers.

The Configuration Manager console monitors the previous tasks in near real time.
Notification and status information for each task is available in the Configuration
Manager console. To capture data and historical trending, use the integrated reporting
capabilities of SQL Server Reporting Services. Clients submit details to the site as client
status. Client status information provides data about the health of the client and client
activity, and is viewed in the console or by using the built-in reports for Configuration
Manager. This data helps identify computers that are not responding and in some cases,
problems are automatically remediated.

For more information about management tasks for clients, see How to manage clients.
To learn about using reports, see Introduction to reporting.

Configuration Manager client application

When you install the Configuration Manager client software, the Configuration Manager
client application is installed too. Unlike Software Center, the Configuration Manager
client application is designed for the help desk rather than for the end user. Some
configuration options require local administrative permissions, and most options require
technical knowledge about how the Configuration Manager client application works.
You can use this application to perform the following tasks on a client:

View properties about the client, such as the build number, its assigned site, the
management point it is communicating with, and whether the client is using a
public key infrastructure (PKI) certificate or a self-signed certificate.

Confirm that the client has successfully downloaded a client policy after the client
is installed for the first time. Also confirm that the client settings are enabled or
disabled as expected, according to the client settings that are configured in the
Configuration Manager console.

Start client actions. For example, download the client policy if there was a recent
configuration change in the Configuration Manager console, and you do not want
to wait until the next scheduled time.

Manually assign a client to a Configuration Manager site or try to find a site. Then
specify the Domain Name System (DNS) suffix for management points that publish
to DNS.

Configure the client cache that temporarily stores files. Then delete files in the
cache if you require more disk space to install software.

Configure settings for Internet-based client management.

View configuration baselines that were deployed to the client, initiate compliance
evaluation, and view compliance reports.
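The properties and actions listed above are also readable and triggerable without the client application's user interface, which is useful for help desk scripting and for checking a client remotely. The following PowerShell is an added example and not Microsoft's code: it reads the client version, assigned site, current management point and cache state from the client's own WMI namespaces, and offers a function that requests a fresh machine policy. It assumes it runs on the client with administrative rights; the function names are my own.

```powershell
# Added example, not from the Configuration Manager documentation.
# Reads the same client properties the Configuration Manager client application
# shows, straight from the client's WMI namespaces. Run locally as an administrator.
function Get-CcmClientSummary {
    # Client version and whether local admins may override site-assigned settings
    $client = Get-CimInstance -Namespace root\ccm -ClassName SMS_Client

    # The assigned site code is returned by a method, not stored as a property
    $site = Invoke-CimMethod -Namespace root\ccm -ClassName SMS_Client -MethodName GetAssignedSite

    # SMS_Authority records the management point the client currently talks to
    $authority = Get-CimInstance -Namespace root\ccm -ClassName SMS_Authority

    # Cache configuration (size in MB) and the items currently held in it (sizes in KB)
    $cache = Get-CimInstance -Namespace root\ccm\SoftMgmtAgent -ClassName CacheConfig
    $items = @(Get-CimInstance -Namespace root\ccm\SoftMgmtAgent -ClassName CacheInfoEx)

    [pscustomobject]@{
        ClientVersion           = $client.ClientVersion
        AllowLocalAdminOverride = $client.AllowLocalAdminOverride
        AssignedSite            = $site.sSiteCode
        ManagementPoint         = $authority.CurrentManagementPoint
        CacheLocation           = $cache.Location
        CacheSizeMB             = $cache.Size
        CachedItemCount         = $items.Count
        CachedContentKB         = ($items | Measure-Object -Property ContentSize -Sum).Sum
    }
}

function Request-CcmMachinePolicy {
    # Well-known client action schedule IDs:
    #   ...21 = Request Machine Assignments (download machine policy)
    #   ...22 = Evaluate Machine Policy (apply what was downloaded)
    foreach ($id in '{00000000-0000-0000-0000-000000000021}',
                    '{00000000-0000-0000-0000-000000000022}') {
        Invoke-CimMethod -Namespace root\ccm -ClassName SMS_Client `
            -MethodName TriggerSchedule -Arguments @{ sScheduleID = $id } | Out-Null
    }
}

Get-CcmClientSummary
```

Triggering the two schedules in that order mirrors selecting the policy retrieval and evaluation actions in the client application; the summary object is what you would compare against the expected site code and management point when a client appears to be talking to the wrong site.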

Fundamentals of security for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article summarizes the following fundamental security components of any
Configuration Manager environment:

Security layers
Role-based administration
Securing client endpoints
Configuration Manager accounts and groups
Privacy

Security layers
Security for Configuration Manager consists of the following layers:

Windows OS and network security
Network infrastructure: firewalls, intrusion detection, public key infrastructure (PKI)
Configuration Manager security controls
SMS Provider
Site database permissions

Windows OS and network security

The first layer is provided by Windows security features for both the OS and the
network. This layer includes the following components:

File sharing to transfer files between Configuration Manager components.

Access Control Lists (ACLs) to help secure files and registry keys.

Internet Protocol Security (IPsec) to help secure communications.

Group policy to set security policy.

Distributed Component Object Model (DCOM) permissions for distributed
applications, like the Configuration Manager console.

Active Directory Domain Services to store security principals.

Windows account security, including some groups that Configuration Manager
creates during setup.

Network infrastructure
Network security components, like firewalls and intrusion detection, help provide
defense for the whole environment. Certificates issued by industry standard public key
infrastructure (PKI) implementations help provide authentication, signing, and
encryption.

Configuration Manager security controls

By default, only local administrators have rights to the files and registry keys that the
Configuration Manager console requires on computers where you install it.

SMS Provider
The next layer of security is based on access to the SMS Provider. The SMS Provider is a
Configuration Manager component that grants a user access to query the site database
for information. The SMS Provider primarily exposes access through Windows
Management Instrumentation (WMI), but also a REST API called the administration
service.

By default, access to the provider is restricted to members of the local SMS Admins
group. This group at first contains only the user who installed Configuration Manager.
To grant other accounts permission to the Common Information Model (CIM) repository
and the SMS Provider, add the other accounts to the SMS Admins group.

You can specify the minimum authentication level for administrators to access
Configuration Manager sites. This feature enforces administrators to sign in to Windows
with the required level. For more information, see Plan for the SMS Provider.
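Because the SMS Admins group and the role-based administration data together decide who can reach the provider, both are worth reviewing on a schedule. The following PowerShell is an added example (not Microsoft's code) that reports the local SMS Admins membership on the provider computer, then reads the administrative users through the two interfaces the text names: the WMI namespace for the site and the administration service REST API. It assumes the provider runs on $ProviderServer (a placeholder), that PowerShell remoting is allowed to it, and that the administration service is reachable over HTTPS with the caller's Windows credentials; the function name is my own.

```powershell
# Added example, not from the Configuration Manager documentation.
# Audits who can reach the SMS Provider: local SMS Admins membership, then the
# role-based administrative users via WMI and via the administration service.
# $ProviderServer is a placeholder for the computer that hosts the provider.
function Get-SmsProviderAccessReport {
    param([Parameter(Mandatory)][string]$ProviderServer)

    # 1. Membership of the local SMS Admins group on the provider computer
    $groupMembers = Invoke-Command -ComputerName $ProviderServer -ScriptBlock {
        Get-LocalGroupMember -Group 'SMS Admins' |
            Select-Object Name, ObjectClass, PrincipalSource
    }

    # 2. Find the site namespace: root\SMS\SMS_ProviderLocation names the site code
    $loc = Get-CimInstance -ComputerName $ProviderServer -Namespace root\SMS `
               -ClassName SMS_ProviderLocation |
           Where-Object { $_.ProviderForLocalSite -eq $true }
    $siteNamespace = "root\SMS\site_$($loc.SiteCode)"

    # 3. Administrative users as the provider exposes them over WMI.
    #    Only non-lazy properties are reliable when enumerating; role and scope
    #    names are lazy on SMS_Admin and may come back empty here.
    $adminsWmi = Get-CimInstance -ComputerName $ProviderServer `
                     -Namespace $siteNamespace -ClassName SMS_Admin |
                 Select-Object LogonName, IsGroup, AdminID

    # 4. The same class through the administration service (OData; rows are in .value)
    $adminsRest = (Invoke-RestMethod -Uri "https://$ProviderServer/AdminService/wmi/SMS_Admin" `
                      -UseDefaultCredentials).value |
                  Select-Object LogonName, IsGroup, AdminID

    [pscustomobject]@{
        SiteCode        = $loc.SiteCode
        SmsAdminsGroup  = $groupMembers
        RbaAdminsWmi    = $adminsWmi
        RbaAdminsRest   = $adminsRest
    }
}

$report = Get-SmsProviderAccessReport -ProviderServer 'PROVIDER01'   # placeholder name
$report.SmsAdminsGroup | Format-Table -AutoSize
$report.RbaAdminsRest  | Format-Table -AutoSize
```

Anyone listed in the SMS Admins group but not as an administrative user has WMI access to the provider without a role-based administration entry, and anyone listed as an administrative user but absent from the group cannot connect through that provider computer at all; both conditions are what the report is meant to surface.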

Site database permissions

The final layer of security is based on permissions to objects in the site database. By
default, the Local System account and the user account that you used to install
Configuration Manager can administer all objects in the site database. Grant and restrict
permissions to other administrative users in the Configuration Manager console by
using role-based administration.

Role-based administration
Configuration Manager uses role-based administration to help secure objects like
collections, deployments, and sites. This administration model centrally defines and
manages hierarchy-wide security access settings for all sites and site settings.

An administrator assigns security roles to administrative users and group permissions.
The permissions are connected to different Configuration Manager object types, for
example, to create or change client settings.

Security scopes include specific instances of objects that an administrative user is
responsible for managing. For example, an application that installs the Configuration
Manager console.

The combination of security roles, security scopes, and collections define the objects
that an administrative user can view and manage. Configuration Manager installs some
default security roles for typical management tasks. Create your own security roles to
support your specific business requirements.

For more information, see Fundamentals of role-based administration.

Securing client endpoints

Configuration Manager secures client communication to site system roles by using
either self-signed or PKI certificates, or Azure Active Directory (Azure AD) tokens. Some
scenarios require the use of PKI certificates. For example, internet-based client
management, and for mobile device clients.

You can configure the site system roles to which clients connect for either HTTPS or
HTTP client communication. Client computers always communicate by using the most
secure method that's available. Client computers only fall back to using the less secure
communication method if you have site systems roles that allow HTTP communication.

Important

Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.

For more information, see Plan for security.

Configuration Manager accounts and groups
Configuration Manager uses the Local System account for most site operations. Some
site operations allow the use of a service account, instead of using the domain computer
account of the site server. Some management tasks might require you to create and
maintain other accounts. For example, to join the domain during an OS deployment task
sequence.

Configuration Manager creates several default groups and SQL Server roles during
setup. You might have to manually add computer or user accounts to the default groups
and SQL Server roles.

For more information, see Accounts used in Configuration Manager.

Privacy
Before you implement Configuration Manager, consider your privacy requirements.
Although enterprise management products offer many advantages because they can
effectively manage lots of clients, this software might affect the privacy of users in your
organization. Configuration Manager includes many tools to collect data and monitor
devices. Some tools might raise privacy concerns in your organization.

For example, when you install the Configuration Manager client, it enables many
management settings by default. This configuration causes the client software to send
information to the Configuration Manager site. The site stores client information in the
site database. The client information isn't directly sent to Microsoft. For more
information, see Diagnostics and usage data.

Next steps
Fundamentals of role-based administration

Plan for security


Fundamentals of role-based
administration for Configuration
Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

With Configuration Manager, you use role-based administration to secure the access
that administrative users need to use Configuration Manager. You also secure access to
the objects that you manage, like collections, deployments, and sites.

The role-based administration model centrally defines and manages hierarchy-wide
security access. It applies to all sites and site settings and uses the following items:

Security roles are assigned to administrative users to give them permission to
Configuration Manager objects. For example, permission to create or change client
settings.

Security scopes are used to group specific instances of objects that an
administrative user is responsible for managing. For example, an application that
installs the Configuration Manager console.

Collections are used to specify groups of users and devices that the administrative
user can manage in Configuration Manager.

With the combination of roles, scopes, and collections, you segregate the administrative
assignments that meet your organization's requirements. Used together, they define the
administrative scope of a user. This administrative scope controls the objects that an
administrative user views in the Configuration Manager console, and it controls the
permissions that a user has on those objects.

Benefits
The following items are benefits of role-based administration in Configuration Manager:

Sites aren't used as administrative boundaries. In other words, don't expand a
standalone primary site to a hierarchy with a central administration site to separate
administrative users.

You create administrative users for a hierarchy and only need to assign security to
them one time.

All security assignments are replicated and available throughout the hierarchy.
Role-based administration configurations replicate to each site in the hierarchy as
global data, and then are applied to all administrative connections.

Important

Intersite replication delays can prevent a site from receiving changes for role-
based administration. For more information about how to monitor intersite
database replication, see Data transfers between sites.

There are built-in security roles that are used to assign the typical administration
tasks. Create your own custom security roles to support your specific business
requirements.

Administrative users see only the objects that they have permissions to manage.

You can audit administrative security actions.

Security roles
Use security roles to grant security permissions to administrative users. Security roles are
groups of security permissions that you assign to administrative users so that they can
do their administrative tasks. These security permissions define the actions that an
administrative user can do and the permissions that are granted for particular object
types. As a security best practice, assign the security roles that provide the least
permissions that are required for the task.

Configuration Manager has several built-in security roles to support typical groupings of
administrative tasks. You can create your own custom security roles to support your
specific business requirements.

The following table summarizes all of the built-in roles (name, then description):

Application administrator: Combines the permissions of the Application deployment
manager and the Application author roles. Administrative users in this role can also
manage queries, view site settings, manage collections, edit settings for user device
affinity, and manage App-V virtual environments.

Application author: Can create, modify, and retire applications. Administrative users in
this role can also manage applications, packages, and App-V virtual environments.

Application deployment manager: Can deploy applications. Administrative users in this
role can view a list of applications. They can manage deployments for applications,
alerts, and packages. They can view collections and their members, status messages,
queries, conditional delivery rules, and App-V virtual environments.

Asset manager: Grants permissions to manage the Asset Intelligence synchronization
point, Asset Intelligence reporting classes, software inventory, hardware inventory, and
metering rules.

Company resource access manager: Grants permissions to create, manage, and deploy
company resource access profiles. For example, Wi-Fi, VPN, Exchange ActiveSync email,
and certificate profiles.

Compliance settings manager: Grants permissions to define and monitor compliance
settings. Administrative users in this role can create, modify, and delete configuration
items and baselines. They can also deploy configuration baselines to collections, start
compliance evaluation, and start remediation for non-compliant computers.

Endpoint protection manager: Grants permissions to create, modify, and delete endpoint
protection policies. They can deploy these policies to collections, create and modify
alerts, and monitor endpoint protection status.

Full administrator: Grants all permissions in Configuration Manager. The administrative
user who installs Configuration Manager is automatically granted this security role, all
scopes, and all collections.

Infrastructure administrator: Grants permissions to create, delete, and modify the
Configuration Manager server infrastructure and to run migration tasks.

Operating system deployment manager: Grants permissions to create OS images and
deploy them to computers, manage OS upgrade packages and images, task sequences,
drivers, boot images, and state migration settings.

Operations administrator: Grants permissions for all actions in Configuration Manager
except for the permissions to manage security. This role can't manage administrative
users, security roles, and security scopes.

Read-only analyst: Grants permissions to view all Configuration Manager objects.

Remote tools operator: Grants permissions to run and audit the remote administration
tools that help users resolve computer issues. Administrative users in this role can run
remote control, remote assistance, and remote desktop from the Configuration Manager
console.

Security administrator: Grants permissions to add and remove administrative users and
to associate administrative users with security roles, collections, and security scopes.
Administrative users in this role can also create, modify, and delete security roles and
their assigned security scopes and collections.

Software update manager: Grants permissions to define and deploy software updates.
Administrative users in this role can manage software update groups, deployments, and
deployment templates.

Tip

If you have permissions, you can view the list of all security roles in the
Configuration Manager console. To view the roles, go to the Administration
workspace, expand Security, and then select the Security Roles node.

You can't modify the built-in security roles, other than add administrative users. You can
copy the role, make changes, and then save these changes as a new custom security
role. You can also import security roles that you've exported from another hierarchy like
a lab environment. For more information, see Configure role-based administration.

Review the security roles and their permissions to determine whether you'll use the
built-in security roles, or whether you have to create your own custom security roles.

Role permissions
Each security role has specific permissions for different object types. For example, the
application author role has the following permissions for applications:

Approve
Create
Delete
Modify
Modify folder
Move object
Read
Run report
Set security scope

This role also has permissions for other objects.

For more information on how to view the permissions for a role, or change the
permissions for a custom role, see Configure role-based administration.

Plan for security roles

Use this process to plan for Configuration Manager security roles in your environment:

1. Identify the tasks that administrative users need to do in Configuration Manager.
These tasks might relate to one or more groups of management tasks. For
example, deploying operating systems and settings for compliance.

2. Map these administrative tasks to one or more of the built-in roles.

3. If some of the administrative users do the tasks of multiple roles, assign the users
to the multiple roles. Don't create a custom role that combines the permissions.

4. If the tasks that you identified don't map to the built-in security roles, create and
test custom roles.

For more information, see Create custom security roles and Configure security roles.

Collections
Collections specify the users and devices that an administrative user can view or
manage. For example, to deploy an application to a device, the administrative user
needs to be in a security role that grants access to a collection that contains the device.

For more information about collections, see Introduction to collections.

Before you configure role-based administration, decide whether you have to create new
collections for any of the following reasons:

Functional organization. For example, separate collections of servers and
workstations.
Geographic alignment. For example, separate collections for North America and
Europe.
Security requirements and business processes. For example, separate collections
for production and test computers.
Organization alignment. For example, separate collections for each business unit.

For more information, see Configure collections to manage security.

Security scopes
Use security scopes to provide administrative users with access to securable objects. A
security scope is a named set of securable objects that are assigned to administrator
users as a group. All securable objects are assigned to one or more security scopes.
Configuration Manager has two built-in security scopes:

All: Grants access to all scopes. You can't assign objects to this security scope.

Default: This scope is used for all objects by default. When you install
Configuration Manager, it assigns all objects to this security scope.

If you want to restrict the objects that administrative users can see and manage, create
your own custom security scopes. Security scopes don't support a hierarchical structure
and can't be nested. Security scopes can contain one or more object types, which
include the following items:

Alert subscriptions
Applications and application groups
App-V virtual environments
Boot images
Boundary groups
Configuration items and baselines
Custom client settings
Distribution points and distribution point groups
Driver packages
Endpoint protection policies (all)
Folders
Global conditions
Migration jobs
OneDrive for Business profiles
OS images
OS upgrade packages
Packages
Queries
Remote connection profiles
Scripts
Sites
Software metering rules
Software update groups
Software updates packages
Task sequences
User data and profiles configuration items
Windows Update for Business policies

There are also some objects that you can't include in security scopes because they're
only secured by security roles. Administrative access to these objects can't be limited to
a subset of the available objects. For example, you might have an administrative user
who creates boundary groups that are used for a specific site. Because the boundary
object doesn't support security scopes, you can't assign this user a security scope that
provides access to only the boundaries that might be associated with that site. Because
a boundary object can't be associated to a security scope, when you assign a security
role that includes access to boundary objects to a user, that user can access every
boundary in the hierarchy.

Objects that don't support security scopes include but aren't limited to the following
items:

Active Directory forests
Administrative users
Alerts
Boundaries
Computer associations
Default client settings
Deployment templates
Device drivers
Migration site-to-site mappings
Security roles
Security scopes
Site addresses
Site system roles
Software updates
Status messages
User device affinities

Create security scopes when you have to limit access to separate instances of objects.
For example:

You have a group of administrative users who need to see production applications
and not test applications. Create one security scope for production applications
and another for test applications.

One group of administrative users requires Read permission to specific software
update groups. Another group of administrative users requires Modify and Delete
permissions for other software update groups. Create different security scopes for
these software update groups.

For more information, see Configure security scopes for an object.
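The planning steps for security roles earlier in this article and the production/test scope scenario just described come together in one assignment: a role, a scope and a collection bound to one administrative user. The following PowerShell is an added example, not Microsoft's own code, that carries that assignment through end to end: it copies a built-in role (built-in roles can't be edited), creates the two scopes, moves one application out of the Default scope into the production scope, and grants a group the copied role over that scope and one collection only. It assumes the ConfigurationManager module is loaded with the location set to the site drive; the group, application, collection and scope names are placeholders, and the function name is my own.

```powershell
# Added example, not from the Configuration Manager documentation.
# Least-privilege assignment: copied role + custom scope + one collection,
# bound to one administrative user (a domain group). All names are placeholders.
# Assumes: ConfigurationManager module loaded, location set to the site drive.
function New-LeastPrivilegeAppAuthor {
    param(
        [Parameter(Mandatory)][string]$GroupName,        # e.g. 'contoso\AppAuthors'
        [Parameter(Mandatory)][string]$ApplicationName,  # application to place in the prod scope
        [Parameter(Mandatory)][string]$CollectionName,   # the only collection the group may target
        [string]$RoleName  = 'Application Author (Prod)',
        [string]$ProdScope = 'Prod Apps',
        [string]$TestScope = 'Test Apps'
    )

    # Built-in roles can't be modified: copy one, then trim permissions on the copy
    if (-not (Get-CMSecurityRole -Name $RoleName)) {
        Copy-CMSecurityRole -SourceName 'Application Author' -Name $RoleName `
            -Description 'Copy of the built-in Application Author role' | Out-Null
    }

    # Scopes are flat (no nesting), so create one per environment
    foreach ($scope in $ProdScope, $TestScope) {
        if (-not (Get-CMSecurityScope -Name $scope)) {
            New-CMSecurityScope -Name $scope -Description "Objects for $scope" | Out-Null
        }
    }

    # Every object must stay in at least one scope: add the new scope first,
    # then drop Default so the application is no longer visible to Default-scoped users
    $app = Get-CMApplication -Name $ApplicationName
    Add-CMObjectSecurityScope    -InputObject $app -Name $ProdScope
    Remove-CMObjectSecurityScope -InputObject $app -Name 'Default' -Force

    # Role + scope + collection together define what the group sees and can change
    if (-not (Get-CMAdministrativeUser -Name $GroupName)) {
        New-CMAdministrativeUser -Name $GroupName -RoleName $RoleName `
            -SecurityScopeName $ProdScope -CollectionName $CollectionName | Out-Null
    }

    # Return the resulting assignment for review
    Get-CMAdministrativeUser -Name $GroupName |
        Select-Object LogonName, RoleNames, CategoryNames, CollectionNames
}

New-LeastPrivilegeAppAuthor -GroupName 'contoso\AppAuthors' `
    -ApplicationName 'Contoso Agent' -CollectionName 'Contoso Workstations'
```

The order of the scope operations matters: removing Default before adding the new scope would fail, because an object can't be left with no scope. Objects that don't support scopes (boundaries, site system roles, and the others listed above) are unaffected by this and remain governed by the role alone, so a role copied from Application Author is what limits the group's reach over those.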

Next steps
Configure role-based administration for Configuration Manager

Configuration Manager and Windows as a service
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager provides comprehensive control over feature updates for
Windows. To fully adopt the Windows as a service model, you also must adopt the
Configuration Manager current branch model. To stay current with Windows, you must
stay current with Configuration Manager. New versions of Configuration Manager are
required to take full advantage of the new enterprise features for Windows. This article
is intended to be a landing page for the key articles required to adopt Configuration
Manager current branch. Configuration Manager current branch gets you on your way
to Windows as a service.

Configuration Manager current branch

The following articles (name, then description) cover the current branch model:

Overview of Configuration Manager current branch: Provides a brief summary of the
key points for the servicing model for Configuration Manager current branch.

Support lifecycle: Explains the current branch support and servicing model.

Removed and deprecated items: Provides early notice about future changes that might
affect your use of Configuration Manager.

Updates to Configuration Manager current branch: Explains the easy in-console method
of applying feature updates to Configuration Manager.

Get available updates: Explains the two modes available to get new Configuration
Manager feature updates.

Update checklist: Provides update version-specific checklists, if applicable.

Install new Configuration Manager feature updates: Explains the simple installation
steps for feature updates.

Support for Windows 11: Provides a support matrix for Windows 11 versions.

Support for Windows 10: Provides a support matrix for Windows 10 versions.

Support for Windows ADK: Provides a support matrix for the Windows Assessment and
Deployment Kit (Windows ADK).

Technical Previews for Configuration Manager: Provides information about the
Configuration Manager technical preview program.

Windows as a service

The following articles (name, then description) cover Windows as a service:

Manage Windows as a service: Explains how to use servicing plans to deploy Windows
feature updates.

Upgrade Windows via task sequence: The details of creating a task sequence to upgrade
Windows with additional recommendations.

Phased deployments: Phased deployments automate a coordinated, sequenced rollout
of a task sequence across multiple collections.

Optimize Windows update delivery: Use Configuration Manager to manage update
content to stay current with Windows.

Use Desktop Analytics: Desktop Analytics allows you to assess and analyze the readiness
of devices in your environment for an upgrade to Windows.

Windows Update for Business integration (optional): Explains how to define and deploy
Windows Update for Business (WUfB) policies using Configuration Manager.

Use co-management with Microsoft Intune and Windows Update for Business (optional):
Provides an overview of co-management.

Product lifecycle
Another important aspect of staying current with Windows and Configuration Manager
is to monitor product lifecycles. Configuration Manager has built-in features to help:

Be proactive with dashboards for planning:

    Product lifecycle dashboard: View the Microsoft Lifecycle Policy for applicable
    products.

    Windows servicing dashboard: Provides you with information about computers
    in your environment, servicing plans, and compliance information.

Be reactive with notifications, management insights, and reports:

    Configuration Manager console notifications: Look for in-console notifications
    about devices with operating systems that are past the end of support date and
    that are no longer eligible to receive security updates.

    Management insights:

        Security: Identify clients with unsupported antimalware client versions or
        clients running earlier versions of Windows that don't receive security
        updates by default.

        Simplified management: Identify clients running an unsupported version of
        Windows or with an earlier version of the Configuration Manager client.

    Reports:

        Data warehouse historical reporting: View computers that are missing
        software updates.

        OS reports: View computers by OS versions and servicing details.

        Software Updates compliance reports: View software update compliance
        details.

        Power BI sample reports for software updates: Use Power BI to view software
        update compliance status.

Next steps

In-place upgrade to Configuration Manager current branch from System Center
2012 Configuration Manager

Plan for migration to Configuration Manager current branch

Use cloud services with Configuration Manager
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

Configuration Manager supports several cloud-based options. These can supplement
your on-premises infrastructure, and can help solve business problems like:

How to manage clients that roam onto the internet.

How to provide content resources to isolated clients or resources on the intranet,
outside your firewall.

How to scale out infrastructure when physical hardware isn't available, or isn't
logically placed to support your needs.

Provisioning cloud resources isn't something you have to do before you deploy
Configuration Manager. It can be beneficial to understand these options before
progressing too far in a hierarchy design plan. The use of cloud resources might save
you money and time, while solving business problems that on-premises infrastructure
can't.

Cloud-based resources
Each option has different requirements. Investigate each in greater depth to understand
the unique prerequisites, limitations, and potential for additional costs based on use.

Azure virtual machines for cloud-based infrastructure

Configuration Manager supports using computers that run in virtual machines in Azure.
You can use Azure virtual machines in the following scenarios:

Run Configuration Manager in a virtual machine and use it to manage clients
installed in other cloud-based virtual machines.

Run Configuration Manager in a virtual machine and use it to manage clients that
aren't in Azure.

Run different Configuration Manager site system roles in Azure virtual machines.
Run other roles in your on-premises network. Configure appropriate network
connectivity for communications.

The same requirements for networks, operating systems, and hardware requirements
that apply to installing the Configuration Manager on your on-premises network also
apply to the installation of Configuration Manager in Azure.

An Azure subscription is required to use Azure virtual machines. You incur charges based
on the number of virtual machines you use, their configuration, and use of cloud-based
resources.

Additionally, Configuration Manager sites and clients that run in Azure virtual machines
are subject to the same license requirements as on-premises installations.

For more information, see Configuration Manager on Azure FAQ.

Azure services
You can connect the site to Azure for several scenarios:

Azure Active Directory authentication and discovery. For more information, see
Configure Azure services.
Cloud management gateway to manage internet-based clients. For more
information, see Cloud management gateway overview.
Deploy apps from the Microsoft Store for Business and Education. For more
information, see Manage apps from the Microsoft Store for Business and
Education.
Use Windows data to gain insights into apps and drivers to help upgrade devices
to Windows 10. For more information, see What is Desktop Analytics?.
Microsoft Intune tenant attach

These services are different from using an Azure virtual machine on which you deploy
a site system role. They:

Run as a service in Azure, not on a virtual machine.

Automatically scale to meet increased content requests from clients.

Support clients on the internet and the intranet.

An Azure subscription is required for these scenarios. You incur charges based on the
amount of data that transfers to and from the service.

Additional Configuration Manager capabilities

Some Configuration Manager capabilities can connect to cloud-based services, like:

- Windows Server Update Services (WSUS)
- Download updates for Configuration Manager

These additional capabilities don't require you to have an Azure subscription. You don't
have to set up specific connections, certificates, or services in the cloud. Instead, they are
automatically managed by Configuration Manager for you. All you need to do is ensure
applicable site systems and devices can access the internet-based URLs.

Security for cloud-based services
Configuration Manager uses certificates to provision and access your content in Azure,
and to manage the services that you use. Configuration Manager encrypts the data that
you store in Azure, but doesn't introduce additional security or data controls beyond
those that Azure provides.

For more information, see the details for the different cloud-based resource scenarios.
Also see an Introduction to Azure security.
Configuration Manager on Azure FAQ
FAQ

Applies to: Configuration Manager (current branch)

These frequently asked questions (FAQ) about Configuration Manager on Microsoft Azure can help you understand when to use it and how to configure it.

General questions
Can I move on-premises Configuration Manager servers to Azure?
Yes, this scenario is supported. For more information, see Support for virtualization
environments.

Should all child primary sites be in Azure with the central administration site or on-premises? What about secondary sites?
File-based and database replication for site-to-site communications benefit from the
proximity of being hosted in Azure. However, all client-related traffic would be remote
from site servers and site systems. If you use a fast and reliable network connection
between Azure and your intranet with an unlimited data plan, hosting all your
infrastructure in Azure is an option.

If you use a metered data plan and available bandwidth or cost is a concern, then
consider placing specific sites and site systems on-premises. Then use the bandwidth
controls built into Configuration Manager. Also consider this configuration when the
network connection between Azure and your intranet isn't fast or can be unreliable.

Is Configuration Manager in Azure considered software as a service (SaaS)?
No, it's infrastructure as a service (IaaS). You host your Configuration Manager
infrastructure servers in Azure virtual machines.
What factors are most important when considering moving Configuration Manager to Azure?
1. Networking
2. Availability
3. Performance
4. Cost
5. User Experience

For more information on these factors, see the other questions below.

Can I use Configuration Manager with Azure Stack Hub?
Yes. Azure Stack Hub supports IaaS virtual machines the same as the Azure cloud. So
Configuration Manager is supported on Azure Stack Hub in the same way as with Azure
IaaS.

Configuration Manager cloud-attached features that rely on specific cloud services aren't supported with Azure Stack Hub. For example, you can't create a cloud management gateway (CMG) in Azure Stack Hub.

Networking
Should I use ExpressRoute or an Azure VPN Gateway?
Microsoft recommends using ExpressRoute. Network speeds and latency can affect
functionality between the site server and remote site systems and between any client
communication to the site systems.

There's no limitation in Configuration Manager for using Azure VPN Gateway. You should carefully review the following requirements from this infrastructure and then make your decision:

- Performance
- Patching
- Software distribution
- OS deployment

Consider the following aspects for each solution:

ExpressRoute (recommended)

- Natural extension to your datacenter and can link together multiple datacenters
- Private connections between Azure datacenters and your infrastructure
- Doesn't go over the public internet
- Offers reliability, fast speeds, lower latency, high security
- Offers up to 10 Gbps speeds and unlimited data plan options

VPN Gateway

- Site-to-site or point-to-site VPNs
- Traffic goes over the public internet
- Uses Internet Protocol Security (IPsec) and Internet Key Exchange (IKE)

For more information, see ExpressRoute or Azure VPN.

Which ExpressRoute options should I choose?
It depends. ExpressRoute has many different options like unlimited or metered, different
speed options, and premium add-ons. The options you select depend on the
Configuration Manager functionality you're using and how much data you plan to
distribute. You can control the transfer of Configuration Manager data between site
servers and distribution points, but you can't control site server-to-site server
communication. When you use a metered data plan, if you place specific sites and site
systems on-premises, and use Configuration Manager's built-in bandwidth controls, you
can help control the cost of using Azure.

Do I still need to join my site servers to an Active Directory domain?
Yes. When you move to Azure, the supported configurations remain the same, including
Active Directory requirements for installing Configuration Manager.

Can I use Azure Active Directory?

No. Azure Active Directory isn't currently supported. Your site servers still need to be members of an Active Directory domain.
Availability
Can I use high availability options like Azure VM availability sets with Configuration Manager?
Yes. You can use Azure VM availability sets for redundant site system roles like
distribution points or management points.

You can also use them for the Configuration Manager site servers. For example, central
administration sites and primary sites can all be in the same availability set. This
configuration can help you make sure that they're not rebooted at the same time.

For more information, see Availability options for Azure Virtual Machines and High
availability options for Configuration Manager.

Can I use an Azure SQL Server database?
No. You need to use SQL Server in a VM. Configuration Manager doesn't currently
support Azure SQL Server.

For high availability of the site database server, use SQL Server Always On availability
groups. For more information, see Prepare to use a SQL Server Always On availability
group with Configuration Manager.

Can I use Azure load balancers with site system roles like management points or software update points?
Configuration Manager isn't tested with Azure load balancers. If the functionality is
transparent to the application, it shouldn't have any adverse effects on normal
operations.

Performance
What factors affect performance in this scenario?
The following factors are the most important to Configuration Manager performance on Azure:

- Azure VM size and type
- Azure VM disks: premium storage is recommended, especially for SQL Server
- Network latency and speed

What size VMs should I use?

In general, your compute power (CPU and memory) needs to meet the recommended hardware for Configuration Manager. But there are some differences between regular computer hardware and Azure VMs, especially when it comes to the disks these VMs use. The VM size you use depends on the size of your environment.

The following list includes some general recommendations for VM size:

- For production deployments of any significant size, use S class Azure VMs. These VMs can use premium storage disks. Non S class VMs use blob storage and in general won't meet the performance requirements necessary for an acceptable production experience.
- Use multiple premium storage disks for higher scale, and stripe them in the Windows Disk Management console for maximum IOPS.
- Use better or multiple premium disks during your initial site deployment. For example, P30 instead of P20, and two P30 disks in a striped volume, instead of a single P30. If your site later needs to increase VM size due to additional load, you can take advantage of the additional CPU and memory that a larger VM size provides. You'll also already have disks in place that can take advantage of the additional IOPS throughput that the larger VM size allows.

The following tables list the initial suggested disk counts to use at primary and central administration sites for various size installations:

Co-located site database

A primary or central administration site with the site database on the site server:

| Desktop clients | Recommended VM size | Recommended disks |
|---|---|---|
| < 25,000 | DS4_V2 | 2xP30 (striped) |
| 25,000 to 50,000 | DS13_V2 | 2xP30 (striped) |
| 50,000 to 100,000 | DS14_V2 | 3xP30 (striped) |

Remote site database

A primary or central administration site with the site database on a remote server:

| Desktop clients | Recommended VM size | Recommended disks |
|---|---|---|
| < 25,000 | Site server: F4S; Database server: DS12_V2 | Site server: 1xP30; Database server: 2xP30 (striped) |
| 25,000 to 50,000 | Site server: F4S; Database server: DS13_V2 | Site server: 1xP30; Database server: 2xP30 (striped) |
| 50,000 to 100,000 | Site server: F8S; Database server: DS14_V2 | Site server: 2xP30 (striped); Database server: 3xP30 (striped) |

Example

The following is an example disk configuration for this VM:

- A DS14_V2 size VM for a site that manages 50,000 to 100,000 clients
- Three P30 disks in a striped volume
- Separate logical volumes for the Configuration Manager install and database files
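The striped layout described above, built with PowerShell as an added example that is not part of the original article or Microsoft's own tooling: it uses the Storage Spaces cmdlets (one pool, two simple three-column virtual disks) in place of striping in the Disk Management console, and the pool name, volume names, sizes and drive letters are assumed values.

```powershell
# Added example (not from the Configuration Manager docs): build the layout
# described above on a VM with three P30 data disks. It uses the Storage Spaces
# cmdlets instead of the Disk Management console; pool name, volume names,
# sizes and drive letters are assumptions for illustration.
#Requires -RunAsAdministrator

$PoolName = 'CMPremiumPool'    # assumed pool name

# Pick up the attached data disks that are not yet in a pool. Each P30 is
# 1024 GiB, so the size filter keeps the OS and temporary disks out.
$dataDisks = Get-PhysicalDisk -CanPool $true |
    Where-Object { $_.Size -ge 1TB } |
    Sort-Object DeviceId

if (@($dataDisks).Count -ne 3) {
    throw "Expected 3 poolable P30 disks, found $(@($dataDisks).Count)."
}

# One pool across all three premium disks.
New-StoragePool -FriendlyName $PoolName `
                -StorageSubSystemFriendlyName 'Windows Storage*' `
                -PhysicalDisks $dataDisks | Out-Null

# Two simple (striped, non-redundant) virtual disks, one column per P30, so
# each volume's I/O fans out over all three disks. Azure premium disks are
# already replicated by the platform, which is why no mirroring is added here.
$volumes = @(
    @{ Name = 'CMInstall';  Size = 512GB; Letter = 'E' },  # install files (assumed)
    @{ Name = 'CMDatabase'; Size = 2TB;   Letter = 'F' }   # database files (assumed)
)

foreach ($v in $volumes) {
    New-VirtualDisk -StoragePoolFriendlyName $PoolName `
                    -FriendlyName $v.Name `
                    -Size $v.Size `
                    -ResiliencySettingName Simple `
                    -NumberOfColumns @($dataDisks).Count `
                    -Interleave 64KB `
                    -ProvisioningType Fixed |
        Get-Disk |
        Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -DriveLetter $v.Letter -UseMaximumSize |
        Format-Volume -FileSystem NTFS `
                      -AllocationUnitSize 65536 `
                      -NewFileSystemLabel $v.Name `
                      -Confirm:$false | Out-Null
}

# Check the result: both virtual disks should report three columns.
Get-StoragePool -FriendlyName $PoolName |
    Get-VirtualDisk |
    Select-Object FriendlyName, NumberOfColumns, Interleave, Size
```

Run it once on a freshly provisioned VM before installing SQL Server and the site; re-running it fails at the pool check because the disks are no longer poolable.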
User experience
Why is user experience a main area of importance?
The decisions you make for networking, availability, performance, and site server
location can directly affect your users. Moving a site to Azure should be transparent to
your users so that they don't experience a change in their day-to-day interactions with
Configuration Manager.

To keep costs low for a single primary site, should remote site systems be in Azure or on-premises?
Except for communication from the site server to a distribution point, these server-to-
server communications in a site can occur at any time and don't use mechanisms to
control the use of network bandwidth. Because you can't control the communication
between site systems like management points and software update points, make sure to
consider any costs associated with these communications.

Network speeds and latency are other factors to consider as well. Slow or unreliable
networks could impact functionality between the site server and remote site systems,
and client communication to the site systems. Factor in the number of managed clients
that use a given site system and the features you actively use.

As a starting point, you can use the standard guidance for site systems across WAN
links. Ideally, the network throughput that you select and receive between Azure and
your intranet will be consistent with a WAN that is well-connected with a fast network.

What about content distribution and content management?
The approach for content management is much the same as for site servers and site
systems.

- If you use a fast and reliable network connection between Azure and your intranet with an unlimited data plan, hosting standard distribution points in Azure could be an option.

- If any of the following factors apply:

  - You use a metered data plan
  - Bandwidth cost is a concern
  - The network connection between Azure and your intranet isn't fast or can be unreliable

  Then you might consider the following other approaches:

  - Use standard or pull distribution points on-premises.
  - Enable Windows BranchCache on distribution points or other peer caching technologies.
  - Use a content-enabled cloud management gateway (CMG). Note that it doesn't support software update packages for Microsoft updates. You need to have an alternate location, or configure the software update deployment to allow clients to get update content from the internet.

Note

If you require PXE or multicast support, you need an on-premises distribution point to respond to these boot requests.

To support internet-based clients, what can I do instead of using an internet-facing management point?
Use a cloud management gateway (CMG). The CMG provides a simple way to manage
Configuration Manager clients on the internet. You deploy the service to an Azure
subscription, and it connects to your on-premises infrastructure through the cloud
management gateway connector point. Clients can then access on-premises site system
roles whether they're connected to the internal network or on the internet.

Which peer caching technology should I use?
Peer cache is a 100% native Configuration Manager technology. BranchCache and
Delivery Optimization are Windows features. They can all be useful depending upon
your requirements. For more information, including a table to compare features, see
Content management fundamentals - Peer caching technologies.

Cost
Will moving Configuration Manager to Azure be a cost-effective solution for my organization?
It's hard to say since every environment is different. To estimate the cost for your environment, use the Azure pricing calculator.

More information
Where can I learn more about these Azure technologies?

Fundamentals

- What is Azure
- Azure VM machine types
- Azure machine sizes
- VM pricing
- Storage pricing

Disk performance considerations

- Premium storage
- Select a disk type for IaaS VMs
- Scalability and performance targets for standard storage accounts
- Blog post on how premium storage works

Availability

- Azure service level agreement (SLA) for virtual machines
- Availability options for Azure Virtual Machines

Connectivity

- ExpressRoute or Azure VPN
- Azure ExpressRoute pricing
- What is Azure ExpressRoute?
Frequently asked questions for Configuration Manager branches and licensing
FAQ

Applies to: Configuration Manager (current branch) & System Center Configuration
Manager (long-term servicing branch)

This FAQ addresses common licensing questions about Configuration Manager current branch and the long-term servicing branch (LTSB) versions, available through Microsoft Volume Licensing programs. This article is for informational purposes. It doesn't supersede or replace any documentation covering Configuration Manager licensing. For more information, see the Product Terms. The Product Terms describe the use terms for all Microsoft products in Volume Licensing.

What's current branch?
The current branch is the production-ready build of Configuration Manager that
provides an active servicing model. This servicing model is like the experience with
Windows. This approach supports customers who are moving at a cloud cadence and
wish to innovate more quickly. With the current branch servicing model, you continue to
receive new features and functionality. For this reason, only customers with active
Software Assurance on Configuration Manager licenses, or with equivalent subscription
rights, may install and use the current branch of Configuration Manager.

What's the long-term servicing branch (LTSB)?
The LTSB is a production-ready build of Configuration Manager. It's intended for
customers who allow Software Assurance or equivalent subscription rights to expire.
When compared to the current branch, the LTSB has reduced functionality. Customers
who allow Software Assurance or equivalent subscription rights to expire must uninstall
the current branch of Configuration Manager. Customers who have perpetual license
rights to Configuration Manager may then install and use the LTSB build of the
Configuration Manager version that's current at the time of expiration.
What do the acronyms 'SA' and 'L&SA' mean in regard to Configuration Manager?
Both Software Assurance (SA) and License and Software Assurance (L&SA) are license
options that grant rights to use Configuration Manager. SA is an option for a customer
that's renewing SA coverage from a prior agreement. L&SA is an option for a customer
buying a new license and SA coverage.

- Software Assurance (SA): Customers must have active SA on Configuration Manager licenses, or equivalent subscription rights, in order to install and use the current branch option of Configuration Manager.

  While SA is optional for some Microsoft products, the only way to get rights to use Configuration Manager current branch is with SA or equivalent subscription rights. For more information, see the Software Assurance FAQ.

- Microsoft License and Software Assurance (L&SA): Customers buying new licenses for Configuration Manager must acquire L&SA (the license and SA coverage).

  - The SA grants rights to use the current branch.
  - If your SA expires, and you still have a license for Configuration Manager, you can no longer use the current branch. For more information, see the FAQ If my SA expires and I had L&SA, what do I get?

For more information about license offerings, see Ways to buy and Licensing Product Terms.

What are 'equivalent subscriptions'?

Equivalent subscriptions refer to programs like Enterprise Mobility + Security (EMS) or Microsoft 365 Enterprise. There can be others, but these programs are the most common. The Microsoft Volume Licensing Product Terms refers to these programs as Management License Equivalent Licenses.

Configuration Manager is included in the following plans:

- Intune user subscription license (USL)
- EMS E3
- EMS E5
- Microsoft 365 E3
- Microsoft 365 E5
- Microsoft 365 F3 (formerly Microsoft 365 F1)

Important

Configuration Manager isn't included in the Microsoft 365 Business Premium plan.

What changes with licensing for co-management in the Microsoft Intune family of products?
The co-management license lets Configuration Manager customers with Software
Assurance get Intune PC management rights without having to purchase and assign
individual Intune licenses to users. This license makes it easier for you to manage
Windows devices with Microsoft Intune and Configuration Manager.

- Devices already managed by Configuration Manager that you enroll to Intune for co-management have almost the same rights as an Intune standalone-managed PC. If you reset Windows on this device, you can't provision it with Windows Autopilot. Autopilot requires a full Intune license.

- If you enroll a Windows device to Intune by other means, it still requires a full Intune license. For example, you use Autopilot to provision a device, or a user manually does self-service enrollment.

- For existing Configuration Manager-managed devices to enroll into Intune for co-management at scale without user interaction, co-management uses an Azure Active Directory (Azure AD) feature called Windows auto-enrollment. Auto-enrollment with co-management requires licenses for both Azure AD Premium (AADP1) and Intune. Starting on December 1, 2019, you no longer need to assign individual Intune licenses for this scenario. Microsoft Intune and Configuration Manager each include the licenses for co-management. The separate AADP1 licensing requirement remains the same for this scenario to work. You still need to assign Intune licenses for other enrollment scenarios.

- If you want to use Intune for managing iOS, Android, or macOS devices, then you need the appropriate Intune subscription through a standalone Intune license, Enterprise Mobility + Security (EMS), or Microsoft 365.

- If you don't have any Intune-related subscription plan, to support co-management you need to purchase at least one Intune license. This license is for an administrator to activate the subscription plan and get access to the Microsoft Intune admin center.

- If you use the Microsoft 365 built-in Basic Mobility and Security, you can't use the new co-management license for a user that also has devices managed by Basic Mobility and Security. To use the co-management license for the user's Configuration Manager-managed device, do one of the following actions:

  - Assign a full Intune license to the user, and manage their devices through Intune.
  - Unenroll the devices from Basic Mobility and Security.

- The licensing that you previously had for System Center Configuration Manager still applies to Microsoft Configuration Manager. If installing a new site, use existing product keys.

| Feature | Co-management license | Full Intune license |
|---|---|---|
| Windows enrollment | Yes (only for existing ConfigMgr-managed devices) | Yes |
| iOS, Android, macOS enrollment | No | Yes |
| Autopilot | No | Yes |
| Mobile Application Management (MAM) | No | Yes |
| Conditional access | Yes (additional AADP1 required) | Yes |
| Device profiles | Yes | Yes |
| Software update management | Yes | Yes |
| Inventory | Yes | Yes |
| App management | Yes | Yes |
| Remote Full/Selective wipe | Yes | Yes |
| Remote assistance | Yes (TeamViewer license required) | Yes |
| Desktop analytics | Yes (Windows subscription licenses required) | N/A |
| Tenant attach | Yes | N/A |
| Endpoint analytics | Yes | Yes |

For more information, see the following articles:

- Co-management prerequisites
- Windows Autopilot requirements
- Desktop analytics prerequisites
- Tenant attach prerequisites
- Endpoint analytics licensing prerequisites
- Use conditional access with Intune
- TeamViewer prerequisites

I have Enterprise Mobility + Security and it expired, what must I do now?
EMS grants rights to use Configuration Manager current branch and long-term servicing branch. When these rights expire, you no longer have rights to use either branch and must uninstall.
If my SA expires, and I had L&SA, what do I get?
If your SA expired after October 1, 2016, depending on what program you acquired
L&SA under, you could retain a perpetual license to use the LTSB. If you currently use
the current branch, you must uninstall it, and then install the LTSB. There's no support to
migrate or convert to the LTSB from the current branch.

If your SA expired before October 1, 2016, and you retained a perpetual license to
Configuration Manager, then your only option for ongoing use is to install and use
System Center 2012 R2 Configuration Manager and its available service packs. You're
required to uninstall the current branch when your SA expires, and reinstall that earlier
version of the product. There's no support to migrate to or downgrade from
Configuration Manager current branch to prior versions of Configuration Manager.

If you use System Center Endpoint Protection, and your SA expires, you must uninstall it.
System Center Endpoint Protection offers no L (License) rights, and no perpetual rights.

Do I "own" the current branch?
No. You're licensed to use the current branch while you have active SA. For example, via
L&SA, when SA expires, you then have only L (License) rights, which don't include rights
to use the current branch. If your L provides perpetual rights, you can use the
Configuration Manager LTSB in place of the current branch. If your SA expired prior to
October 1, 2016, you can also use System Center 2012 R2 Configuration Manager.

Can I purchase Configuration Manager standalone without SA?
No. The only way to get rights to use Configuration Manager is to acquire a license with
SA or through an equivalent subscription. There are developer programs like MSDN
where Configuration Manager is offered for development and test purposes, but not
production usage.

Does a non-production environment for testing or development require an explicit license?

- If you use the same current branch software as your production environment, you need an explicit license. Check with your account team to determine if your specific license agreement covers multiple instances in multiple environments.
- Some developer programs like MSDN offer products like Configuration Manager for development and test, but not production use.
- For a temporary environment, you can use the evaluation version for 180 days.
- For a lab environment, you can use the technical preview branch. Technical preview has the same functionality as current branch, but has some limitations in terms of scale and supported platforms.

Do I have rights to install any update in the Configuration Manager console?
If you have active SA, you do have rights.

If you don't have active SA, uninstall the current branch, and then install the LTSB of
Configuration Manager. The LTSB doesn't receive updates for incremental versions of
Configuration Manager, but does receive security updates based on the Support
Lifecycle.

I have purchased EMS or Microsoft 365 through a Cloud Solution Provider (CSP), do I have rights to use Configuration Manager?
Yes, you have rights to use Configuration Manager to manage clients covered by the EMS license. First download and install the evaluation software. Then contact your CSP partner to obtain the license key from the Microsoft Partner Center support team, specifically CSP. When your CSP partner talks with Microsoft Support, they should ask them to reference the internal article ID 4033838.

Is my subscription end-date the same as an SA expiration date?
If SA or your subscription is active, you have use rights for Configuration Manager
current branch. An active subscription is equivalent of having active SA, but no perpetual
"L" (license). Once your subscription is over, uninstall the current branch. At this time,
you don't have rights to use the LTSB.

What are the use rights associated with the SQL Server technology provided with Configuration Manager?
Configuration Manager includes SQL Server technology. Microsoft's licensing terms for this product allow your use of SQL Server technology only to support Configuration Manager components. SQL Server client access licenses are not required for that use.

Approved use rights for the SQL Server capabilities with Configuration Manager include:

- Site database role
- Windows Server Update Services (WSUS) for software update point role
- SQL Server Reporting Services (SSRS) for reporting point role
- Data warehouse service point role
- Database replicas for management point roles

The SQL Server license that's included with Configuration Manager supports each
instance of SQL Server that you install to host a database for Configuration Manager.
However, only databases for Configuration Manager in the preceding list can run on
that SQL Server when you use this license. If a database for any additional Microsoft or
third-party product shares the SQL Server, you must have a separate license for that SQL
Server instance.

Does on-premises mobile device management (MDM) require an Intune subscription?
No. An Intune connection isn't required for new on-premises MDM deployments. Your organization still requires Intune licenses to use this feature. For more information, see the Intune support blog post.
Which branch of Configuration Manager should I use?
Article • 10/04/2022

Applies to: Configuration Manager (current branch & technical preview branch) & System
Center Configuration Manager (long-term servicing branch)

There are three branches of Configuration Manager available:

- Current branch
- Long-term servicing branch
- Technical preview branch

Use this article to help you choose the right branch.

Tip

All sites in a hierarchy must run the same branch. It isn't supported to have a hierarchy with different branches at different sites.

Current branch
This branch is licensed for use in a production environment. Use this branch to get the
latest features and functionalities. If you have one of the following licenses, you can use
this branch:

- System Center Datacenter
- System Center Standard
- System Center Configuration Manager
- Equivalent subscription rights

For more information about Software Assurance and licensing options, see Licensing
and branches for Configuration Manager and Frequently asked questions for
Configuration Manager branches and licensing.

Microsoft plans to release updates for Configuration Manager current branch a few times per year. Each update version remains in support for 18 months from its general availability (GA) release date. Technical support is provided for the entire period of support. However, our support structure is dynamic, evolving into two distinct servicing phases that depend on the availability of the latest current branch version. For more information, see Support for Configuration Manager current branch versions. Updates to newer versions are available as in-console updates.

To install the current branch as a new site, use baseline media. Also use baseline media
to upgrade from System Center 2012 Configuration Manager with Service Pack 2 or
System Center 2012 R2 Configuration Manager with Service Pack 1. Access to this media
depends on how your organization licenses Configuration Manager.

You can also use the baseline media to install a new site that is an evaluation edition of the current branch. The evaluation edition doesn't require a license. You can use the evaluation edition for 180 days. It supports upgrade to a licensed edition of the current branch. To install only an evaluation edition, get it from the Evaluation Center.

- Use baseline media to install sites for a new Configuration Manager hierarchy. If you previously installed a baseline version, use in-console updates to update your sites to a new version.
- Sites that are updated using in-console updates result in sites that are the same as the new site installed using the baseline media.

For more information, see Updates for Configuration Manager.

Features of the current branch

- Receives in-console updates that make new features available for use.
- Receives in-console updates that deliver security and quality fixes to existing features.
- Supports out-of-band updates when necessary. For more information, see Use the update registration tool or Use the hotfix installer.
- Integrates with cloud-based services.
- Supports migration of data to and from other Configuration Manager installations.
- Supports upgrade from previous versions of Configuration Manager.
- Supports installation as an evaluation edition, from which you can later upgrade to a fully licensed installation.

Microsoft recommends that you update to the newest version soon after its release. You
can wait up to 18 months before updating to a newer version. You can also skip an
update to install the newest version available. Because each version is cumulative, if you
skip over an update and install the newest version, you still get access to all features and
improvements from previous versions.

For more information, see Support for current branch versions.


Current branch update options

- With active Software Assurance, you can install in-console updates for current branch versions.
- There's no option to convert the current branch to a technical preview branch. Technical preview branches are separate installations that don't require a license.
- There's no option to convert your current branch to the long-term servicing branch (LTSB). You must uninstall the current branch and then install the LTSB as a new installation.

Long-term servicing branch
This branch is licensed for use in production for Configuration Manager customers who
are using the current branch and have allowed their Configuration Manager Software
Assurance (SA) or equivalent subscription rights to expire after October 1, 2016. For
more about Software Assurance and licensing options, see Licensing and branches for
Configuration Manager and Frequently asked questions for Configuration Manager
branches and licensing.

The LTSB is based on version 1606. This branch doesn't receive in-console updates that
deliver new features or update existing capabilities. However, critical security fixes are
provided. To install the LTSB, you must use the version 1606 baseline media that you get
with System Center 2016. Later baseline versions don't support install of the LTSB.

To install the LTSB as a new site or as an upgrade from a supported System Center 2012
Configuration Manager site, use the version 1606 baseline media that you get with
System Center 2016. You can use baseline media to install a new site that runs version
1606 of the current branch, or a new site that runs the long-term servicing branch.

Tip

To learn about System Center 2016, see System Center 2016 documentation. This documentation also identifies how to get System Center 2016, which requires a Microsoft license agreement or similar rights.

To find Configuration Manager version 1606 in the Volume Licensing Service Center (VLSC), go to the Downloads and Keys tab of the VLSC, search for System Center 2016, and then select either System Center 2016 Datacenter or System Center 2016 Standard.

You can also get an evaluation edition of System Center 2019 from the Evaluation Center.

Features of the LTSB


Receives in-console updates that deliver critical security fixes.
Provides an installation option when your SA agreement or equivalent rights to
Configuration Manager have expired.
Supports upgrade (conversion) to the current branch when you have a current SA
agreement or equivalent rights to Configuration Manager.

LTSB limitations
The LTSB is based on the current branch version 1606 and has the following limitations:

The LTSB is supported for 10 years of critical security updates after its general
availability (October 2016), after which, support for this branch expires. For more
information about the support lifecycle, see Microsoft Lifecycle Policy .
Supports a limited list of server and client operating systems and related
technologies, like SQL Server versions. For more information, see Supported
configurations for the long-term servicing branch.
Doesn't receive updates for new features
Doesn't support the following capabilities:
Cloud-attached features like co-management or Desktop Analytics
On-premises MDM
The Windows servicing dashboard, servicing plans, or Windows release channels
Future releases of Windows 10 LTSB and Windows Server
Asset intelligence
Any pre-release features

LTSB update options


You can convert your LTSB install to a current branch installation. Conversion to the
current branch is supported before or after support for the LTSB expires.

To convert, you must have an active Software Assurance agreement with Microsoft.
For more information, see the following articles:
Upgrade the long-term servicing branch to the current branch
Licensing and branches for Configuration Manager
Baseline and update versions
There's no option to convert the LTSB to a technical preview branch. Technical
preview branches are separate installations that don't require a license.

You can't upgrade an evaluation edition of the current branch to an LTSB installation.

Technical preview branch


The technical preview branch is for use in a lab environment. Learn about and try out
the newest features being developed for Configuration Manager. It isn't supported in a
production environment, and doesn't require you to have a Software Assurance license
agreement.

To install a new site that runs the technical preview branch, use the latest baseline media
for the technical preview branch. After you install the technical preview branch, new
versions are available as in-console updates each month.

Features of the technical preview branch


Based on recent baseline versions of the current branch
Receives in-console updates that update your installation to the latest technical
preview branch version
Includes new features that are being developed, and for which Microsoft wants
your feedback
Receives updates that apply only to the technical preview branch

Technical preview limitations


Support is limited, including only a single primary site and up to 10 clients.
You can't upgrade or migrate it to a current branch or LTSB installation.
Doesn't support the following behaviors:
Use migration to import or export data to another Configuration Manager
installation
Upgrade from a previous version of Configuration Manager
Install as an evaluation edition

Features that are first introduced in a technical preview branch are often added to the
current branch in a later update. Each new technical preview branch version includes the
features from previous technical preview branches, even after those features have been
added to the current branch.
For more information, see the Technical preview for Configuration Manager.

Technical preview update options


You can install any in-console update for a new technical preview branch version.

There's no option to convert a technical preview branch to the current branch or LTSB.

Identify your version and branch

Version
To check the version of your site, in the console go to About Configuration Manager at
the upper-left corner of the console. This dialog displays the Site version. For a list of
site versions, see Baseline and update versions.

Branch
To confirm the branch of your site, in the console go to Administration > Site
Configuration > Sites, and open Hierarchy Settings. If there's an active option to
convert to the current branch, the site runs the LTSB version. When the site runs the
current branch, the console disables this option.

For more information about the different versions of Configuration Manager, see
Baseline and update versions.
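The console check above is manual and per-site. As an added example (not code from the Microsoft documentation), the following PowerShell reads the version of every site in a hierarchy through the SMS Provider and reports a branch hint for each. It assumes that cm01.contoso.local and PS1 are placeholders for your SMS Provider host and top-level site code, and that version 1606 (the LTSB baseline) corresponds to build 5.00.8412, a value taken from public release information rather than from this article.

```powershell
# Added example: list site versions across a hierarchy and infer the branch.
# Assumptions: CIM/WinRM access to the SMS Provider; the 1606 build number
# (5.00.8412) comes from public release information, not from this article.

function Get-CMHierarchyVersions {
    param(
        [Parameter(Mandatory)][string]$ProviderServer,
        [Parameter(Mandatory)][string]$SiteCode
    )
    # SMS_Site lists every site in the hierarchy with its version; SMS_Identification
    # carries the version of the site the provider serves (what the About dialog shows).
    $ns = "root\sms\site_$SiteCode"
    Get-CimInstance -ComputerName $ProviderServer -Namespace $ns -ClassName SMS_Site |
        Select-Object SiteCode, SiteName, Version, BuildNumber
}

function Get-CMBranchHint {
    param([Parameter(Mandatory)][string]$Version)
    # The LTSB never moves past the 1606 baseline. A site above 1606 is current branch
    # (or technical preview). A site exactly at 1606 may be either branch, and only the
    # Hierarchy Settings dialog (active "convert to current branch" option) settles it.
    $build = ($Version -split '\.')[0..2] -join '.'
    if ($build -eq '5.00.8412') {
        return 'LTSB or current branch 1606: check Hierarchy Settings'
    }
    if ([version]$build -gt [version]'5.00.8412') {
        return 'Current branch (newer than the LTSB baseline)'
    }
    'Older than 1606 (System Center 2012 or an early current branch version)'
}

# Placeholder provider host and site code (assumptions).
$sites = Get-CMHierarchyVersions -ProviderServer 'cm01.contoso.local' -SiteCode 'PS1'
$sites | ForEach-Object {
    [pscustomobject]@{
        SiteCode = $_.SiteCode
        Version  = $_.Version
        Branch   = Get-CMBranchHint -Version $_.Version
    }
}

# All sites in a hierarchy must run the same branch and should be at the same version,
# so mixed versions are worth a warning before planning an update.
$distinct = @($sites.Version | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Mixed site versions in hierarchy: $($distinct -join ', ')"
}
```

Run it from a console host that can reach the provider; the branch column is a hint only, and the Hierarchy Settings check described above remains the authoritative answer for a site at version 1606.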
Licensing and branches for
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch), & System Center Configuration
Manager (long-term servicing branch)

Use this article to learn about the licensing requirements for the installation options
available with Configuration Manager. These installation options include the following
branches:

Current branch
Long-term servicing branch (LTSB)
Evaluation installation of the current branch
Technical preview branch

Licensing overview
Customers with active Software Assurance (SA) on Configuration Manager licenses or
with equivalent subscription rights as of October 1, 2016 have rights to use the October
2016 version 1606 release of Configuration Manager. Customers with rights to
Configuration Manager on or after October 1, 2016 will find two licensed options upon
installation: current branch and long-term servicing branch (LTSB).

For the complete terms and conditions for the products you purchase through Microsoft
Volume Licensing programs, see Licensing Terms and Documentation .

Licensed branches
This article references the Software Assurance agreement or equivalent subscription
rights. This Microsoft licensing agreement grants rights to install and use Configuration
Manager.

Current branch
The current branch requires an active Software Assurance agreement or equivalent
rights to Configuration Manager. For more information, see Software Assurance and the
Current Branch.
This branch is supported for use in production environments that want to receive
regular quality and feature updates from Microsoft. It provides access to use all features
and improvements.

Beginning with the 1710 release, each update version remains in support for 18 months
from its general availability release date. For more information, see Support for
Configuration Manager current branch versions.

Long-term servicing branch (LTSB)


The LTSB requires a current Software Assurance agreement with Microsoft as of October
1, 2016. For more information, see Software Assurance and the LTSB.

This branch is supported for use in production environments. It's intended for customers that have let their Software Assurance (SA) or equivalent subscription rights to Configuration Manager expire after October 1, 2016. This branch is limited when compared to the Current Branch.

Critical security updates for Configuration Manager are made available to this branch
but no new features are made available.

Evaluation installation of the current branch


The evaluation version doesn't require a Software Assurance agreement with Microsoft.
Evaluation installs are always the current branch, and you can use them for 180 days.

You can upgrade the evaluation installation to a full installation of the current branch.
You can't upgrade an evaluation installation to the long-term servicing branch.

Technical preview branch


The technical preview branch is also available. This branch is a limited build of
Configuration Manager that lets you try out new features. You install the technical
preview using different media than the licensed versions. For more information, see
Technical Preview.

Software Assurance agreements


The status of Software Assurance on your Configuration Manager licenses, or equivalent
subscription rights, on or after October 1, 2016, determines the branch you can install
and use.
Software Assurance and the current branch
Rights to use Configuration Manager current branch can be provided by:

System Center: Customers with active SA on System Center Standard or Datacenter licenses can install and use the current branch option of Configuration Manager.

System Center Configuration Manager: Customers with active SA on Configuration Manager licenses, or with equivalent subscription rights, can install and use the current branch option of Configuration Manager.

If you have active SA on Configuration Manager licenses or equivalent subscription rights on or after October 1, 2016:

You can install and use the current branch.
If you allow SA or subscription to lapse, you must uninstall the current branch.

Software Assurance and the LTSB


If you have an active SA on Configuration Manager licenses or equivalent subscription
rights on or after October 1, 2016:

You can install and use the LTSB. Customers who have perpetual rights to
Configuration Manager, or who allow their SA or subscription to lapse, can install
the version of Configuration Manager LTSB that's current at the time of lapse.

LTSB is based on current branch version 1606, and has the following limitations:

There's no support to convert a current branch to the LTSB. If you currently have a
current branch site, you must install the LTSB as a new site.

LTSB doesn't support all the capabilities of the current branch. For more
information, see Introduction to the long-term servicing branch. These limitations
include a limited feature set, limited upgrade options, and a separate product
support lifecycle.

Software Assurance expiration date


Beginning with the October 2016 release of the version 1606 baseline media for
Configuration Manager, you can specify the expiration date of your Software Assurance
agreement. The Software Assurance expiration date is an optional value as a
convenient reminder. Add it when you run Configuration Manager setup or later from
within the Configuration Manager console.

Note

Microsoft doesn't validate the expiration date you specify, and doesn't use this date
for license validation. Use it as a reminder of your expiration date. This value is
useful when Configuration Manager periodically checks for new software updates
offered online. Your Software Assurance license status should be current to be
eligible to use these additional updates.

To specify the Software Assurance expiration date


When you run Setup from the Configuration Manager media, specify the value on
the Product Key page of the Setup wizard.

In the Configuration Manager console, in Hierarchy Settings, specify the value on the Licensing tab.

Licensing resources
To learn more about product licensing details, use the following resources.

Microsoft Volume Licensing Service Center (VLSC)
Overview of VLSC
Microsoft Volume Licensing Product Terms
Volume license customers can get a summary of their licenses from the Volume License Service Center. Go to the Licenses menu, and select Licenses Summary.

VLSC videos
For training videos on how VLSC works, go to Microsoft Volume Licensing Service Center training and resources and select How-to videos.

Where to look up your active Software Assurance agreement (starting at 43 seconds)
How to get permissions for VLSC. You can delegate VLSC read and write permissions to other people in your organization.

Next steps
Frequently asked questions for Configuration Manager branches and licensing
Use the Configuration Manager client
software for extended interoperability
with future versions of a Current Branch
site
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Business requirements might not allow you to regularly update the Configuration
Manager client on some devices. For example, you need to follow change management
policies, or the device is mission-critical. Accommodate these needs by installing a new
client for long-term use, called the extended interoperability client (EIC). Only use the
EIC for specific devices that can't be frequently updated, like kiosk or point-of-sale
devices. Continue to use automatic client upgrade for most of your clients.

How it works
Typically, when you install a new in-console update for Configuration Manager, clients
automatically update their client software so they can use those new features. With this
scenario, you still update to the current branch receiving the new features and updates.
Most devices update the Configuration Manager client software with each version
update you install. However, on a subset of critical systems that you don't want to
receive client software updates, you install the extended interoperability client. These
clients don't install new client software until you explicitly deploy a new version of the
client software to them.

Supported versions
The following table lists the versions of the Configuration Manager client that are
supported for this scenario:

Version | Availability date | Support end date
2103 (client version 5.00.9049) | April 5, 2021 | No earlier than April 2023
1902 (client version 5.00.8790) | March 27, 2019 | March 27, 2022

Tip

The EIC is supported for at least two years from the date of release. For more information on release dates, see Support for Configuration Manager current branch versions.

Plan to update the extended interoperability client on devices that you manage with the
current branch before support for the client expires. To do so, download a new version
of the client from Microsoft, and then deploy that updated client software to your
devices that use the current extended interoperability client.

How to use the EIC


1. Add these devices to a collection, and exclude that collection from automatic client
upgrades. For more information, see How to exclude clients from upgrade.

2. Obtain a supported version of the EIC from the \SMSSETUP\Client folder of the
Configuration Manager update installation media. Make sure that you copy the
entire contents of the folder.

3. Manually install the EIC on those devices. For more information, see Manually
install the client.
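The three steps above are manual, and the support table makes the follow-up obligation clear: the EIC must be replaced before its support end date. As an added example (not code from the Microsoft documentation), this PowerShell audits the client version on the devices you keep on the EIC against the support table, and shows the manual install from a full copy of the \SMSSETUP\Client folder. It assumes CIM/WinRM access to the devices, treats "No earlier than April 2023" as 1 April 2023 for the comparison, and uses constructed device names, site code and folder path.

```powershell
# Added example: find EIC devices whose client build is out of support, and install
# the EIC manually from a copied \SMSSETUP\Client folder.
# Assumptions: CIM/WinRM access to the devices; device names, site code and paths
# are placeholders; "No earlier than April 2023" is modelled as 2023-04-01.

# Support table taken from this article (client build -> version, support end date).
$EicSupport = @{
    '5.00.8790' = @{ Version = '1902'; SupportEnd = [datetime]'2022-03-27' }
    '5.00.9049' = @{ Version = '2103'; SupportEnd = [datetime]'2023-04-01' }
}

function Get-EicStatus {
    param(
        [Parameter(Mandatory)][string]$ClientVersion,   # e.g. 5.00.9049.1008
        [datetime]$Now = (Get-Date)
    )
    # Compare on major.minor.build; the fourth component is only the hotfix level.
    $build = ($ClientVersion -split '\.')[0..2] -join '.'
    $entry = $EicSupport[$build]
    if (-not $entry) {
        return [pscustomobject]@{ Build = $build; Version = $null; Status = 'NotAnEicBuild'; SupportEnd = $null }
    }
    $status = if ($Now -gt $entry.SupportEnd) { 'OutOfSupport' } else { 'Supported' }
    [pscustomobject]@{ Build = $build; Version = $entry.Version; Status = $status; SupportEnd = $entry.SupportEnd }
}

function Get-CcmClientVersion {
    param([Parameter(Mandatory)][string]$ComputerName)
    # SMS_Client in root\ccm exposes the installed Configuration Manager client version.
    (Get-CimInstance -ComputerName $ComputerName -Namespace 'root\ccm' -ClassName SMS_Client -ErrorAction Stop).ClientVersion
}

function Install-EicLocal {
    param(
        [Parameter(Mandatory)][string]$SourceFolder,   # full copy of \SMSSETUP\Client
        [Parameter(Mandatory)][string]$SiteCode
    )
    # Run on the device itself. /source points ccmsetup at the copied folder so it does not
    # pull a newer client from a management point, which would defeat the EIC purpose.
    & (Join-Path $SourceFolder 'ccmsetup.exe') "/source:$SourceFolder" "SMSSITECODE=$SiteCode"
}

# Constructed sample device names; in practice, feed in the members of the excluded collection.
$Devices = @('POS-01', 'KIOSK-07')
foreach ($d in $Devices) {
    try {
        $v = Get-CcmClientVersion -ComputerName $d
        $s = Get-EicStatus -ClientVersion $v
        [pscustomobject]@{ Device = $d; ClientVersion = $v; Status = $s.Status; SupportEnd = $s.SupportEnd }
    } catch {
        [pscustomobject]@{ Device = $d; ClientVersion = $null; Status = "Unreachable: $($_.Exception.Message)"; SupportEnd = $null }
    }
}

# Example manual install on a device (placeholder path and site code):
# Install-EicLocal -SourceFolder 'C:\EIC\Client' -SiteCode 'PS1'
```

Devices reported as OutOfSupport are the ones to target with a newer EIC build, which you deploy explicitly because they never receive it through automatic client upgrade.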

Limitations
Updates for the extended interoperability client software aren't available by using
in-console updates. For more information on how to update the EIC, see How to
upgrade an excluded client.

The EIC only supports the following features:


Software updates
Hardware and software inventory
Packages and programs

Next steps
How to exclude clients from upgrade

To make sure that clients are installed correctly on the devices you want, see How to
monitor clients.
Introduction to the long-term servicing
branch of Configuration Manager
Article • 10/04/2022

Applies to: System Center Configuration Manager (Long-Term Servicing Branch)

The long-term servicing branch (LTSB) of Configuration Manager is a distinct branch that's designed as an install option available to all customers. However, it's the only option for customers who have let their Software Assurance (SA) or equivalent subscription rights for Configuration Manager lapse.

Based on Configuration Manager version 1606, the LTSB has reduced functionality when compared to the current branch of Configuration Manager.

Tip

The Configuration Manager LTSB isn't related to the System Center suite long-term servicing channel (LTSC). For more information, see Overview of System Center release options.

Features that aren't available


The current branch of Configuration Manager supports the following functionality that
isn't available when you use the LTSB:

In-console updates that add new features and improvements.
Support for newly released operating systems to use as site servers and clients.
On-premises MDM
The Windows servicing dashboard and servicing plans, including support for recent Windows versions.
Support for future releases of Windows Server and Windows 10 LTSB
Asset Intelligence
Cloud-based distribution points
Exchange Online as an Exchange Connector

Although support for these features isn't available with the LTSB, some features remain
visible in the Configuration Manager console, but can't be selected or used.

Cloud integrations, as well as any features included with Configuration Manager current
branch version 1610 or later, aren't available to the LTSB. These features include, but
aren't limited to the following:

Co-management
Desktop Analytics
Cloud management gateway
Azure Active Directory integration
Apps from the Microsoft Store for Business

Find LTSB documentation


The LTSB is based on current branch version 1606. Use the current branch
documentation, with caveats and limitations that are specific to the LTSB. Those caveats
and limitations are identified in the following articles:

Install the LTSB
Upgrade the LTSB to the current branch
Supported configurations for the LTSB
Manage the LTSB of Configuration Manager

When you reference current branch documentation for the LTSB, details that apply to
version 1606 or earlier also apply to the LTSB. Features or details that are introduced
with version 1610 or later aren't supported by the LTSB.

Licensing overview for the LTSB


Customers with active Software Assurance (SA) on Configuration Manager licenses, or
with equivalent subscription rights as of October 1, 2016, have rights to use the October
2016 version 1606 release of Configuration Manager. Customers with rights to
Configuration Manager on or after October 1, 2016, will find two licensed options upon
installation: current branch and long-term servicing branch (LTSB).

Customers that have perpetual rights to System Center Configuration Manager, or that
allow SA or subscription to lapse after October 1, can install the version of System
Center Configuration Manager LTSB that is current at the time of lapse.

For more information about these licenses, see the Complete terms and conditions for
the products you purchase through Microsoft Volume Licensing programs .

For more information about licensing for Configuration Manager branches, see
Configuration Manager licensing and branches.
Next Steps
If you decide that the Configuration Manager LTSB is the correct branch for your
environment, install a new LTSB site as part of a new hierarchy, or upgrade a System
Center 2012 Configuration Manager site and hierarchy.
Supported Configurations for the Long-
Term Servicing Branch of System Center
Configuration Manager
Article • 10/04/2022

Applies to: System Center Configuration Manager (Long-Term Servicing Branch)

Use the information in this topic to understand what operating systems and product dependencies are supported by the Long-Term Servicing Branch (LTSB) of Configuration Manager. If not stated otherwise in this or the LTSB-specific topics, the same configurations and limitations that apply to the Current Branch version 1606 apply to the LTSB. When conflicts occur, use the information that applies to the edition you are using. Typically, the LTSB is more limited than the Current Branch.

General statement of support


The following products and technologies are supported by this branch of Configuration
Manager. However, their inclusion in this content does not express an extension of
support for any product or version beyond that product's individual support lifecycle.
Products that are beyond their support lifecycle are not supported for use with
Configuration Manager. For more information, visit the Microsoft Support Lifecycle
website and read the Microsoft Support Lifecycle Policy FAQ.

Additionally, products and product versions that are not listed in the following topics
are not supported unless they have been announced on the Enterprise Mobility +
Security Blog .

Limitations for future support:

The LTSB has limited support for future server and client operating systems and product dependencies. The platforms list for the LTSB is fixed for the life of the release:

Windows:

Only quality and security updates for Windows are supported.
No support is added for current branches (CB), current branches for business (CBB), or LTSB of Windows 10.
No support for new major versions of Windows Server.

SQL Server:

Only quality and security updates, or minor upgrades like service packs, are supported for SQL Server.
No support for new major versions of SQL Server.

Site systems and servers


The LTSB supports the use of the following Windows computer operating systems as site
systems. Each operating system has the same requirements and limitations as the same
entry in Supported operating systems for site system servers. For example, the Server
Core installation of Windows 2012 R2 must be an x64 version, is only supported to host
a distribution point, and does not support PXE or Multicast.

Supported operating systems:

Windows Server 2016
Windows Server 2012 R2 (x64): Standard, Datacenter
Windows Server 2012 (x64): Standard, Datacenter
Windows 10 Enterprise 2015 LTSB (x86, x64)
Windows 10 Enterprise 2016 LTSB (x86, x64)
Windows 8.1 (x86, x64): Professional, Enterprise
The Server Core installation of Windows Server 2012
The Server Core installation of Windows Server 2012 R2

Client management
The following sections identify the client operating systems that you can manage with
the LTSB. The LTSB does not support the addition of new operating systems as
supported clients.

Windows computers
You can use the LTSB to manage the following Windows computer operating systems
with the Configuration Manager client software that is included with Configuration
Manager. For more information, see How to deploy clients to Windows computers.

Supported operating systems:

Windows Server 2016
Windows Server 2012 R2 (x64): Standard, Datacenter (Note 1)
Windows Server 2012 (x64): Standard, Datacenter (Note 1)
Windows Storage Server 2012 R2 (x64)
Windows Storage Server 2012 (x64)
Windows 10 Enterprise 2015 LTSB (x86, x64)
Windows 10 Enterprise 2016 LTSB (x86, x64)
Windows 8.1 (x86, x64): Professional, Enterprise
The Server Core installation of Windows Server 2012 R2 (x64) (Note 2)
The Server Core installation of Windows Server 2012 (x64) (Note 2)

(Note 1) Datacenter releases are supported but not certified for Configuration Manager.

(Note 2) To support client push installation, the computer that runs this operating
system version must run the File Server role service for the File and Storage Services
server role. For information about installing Windows features on a Server Core
computer, see Install Server Roles and Features on a Server Core Server.

Windows Embedded
You can use the LTSB to manage the following Windows Embedded devices by installing
the client software on the device. For more information, see Planning for client
deployment to Windows Embedded devices.

Requirements and limitations:

All client features are supported on supported Windows Embedded systems that
do not have write filters enabled.

Clients that use one of the following are supported for all features except power
management:

Enhanced Write Filters (EWF)

RAM File-Based Write Filters (FBWF)

Unified Write Filters (UWF)

Before you can monitor detected malware on Windows Embedded devices based
on Windows XP, you must install the Microsoft Windows WMI scripting package
on the embedded device. Use Windows Embedded Target Designer to install this
package. The WBEMDISP.DLL and WBEMDISP.TLB files must exist and be registered
in the %windir%\System32\WBEM folder on the embedded device to ensure that
detected malware is reported.

Supported operating systems:

Windows 10 Enterprise 2016 LTSB (x86, x64)
Windows 10 Enterprise 2015 LTSB (x86, x64)
Windows Embedded 8.1 Industry (x86, x64)

Exchange Server connector


The LTSB supports limited management of devices that connect to your Exchange Server
instance, without installing client software. For more information, see Manage mobile
devices with Configuration Manager and Exchange.

Requirements and limitations:

Configuration Manager offers limited management for mobile devices. Limited management is available when you use the Exchange Server connector for Exchange Active Sync (EAS) capable devices that connect to a server running Exchange Server or Exchange Online.

For more information about the management functions that Configuration Manager supports for mobile devices that the Exchange Server connector manages, see Choose a device management solution for Configuration Manager.

Supported versions of Exchange Server:

Exchange Server 2010 SP1
Exchange Server 2010 SP2
Exchange Server 2013

Note

The LTSB does not support the management of devices that connect through an
online service, like Exchange Online (Microsoft 365).

Configuration Manager console


The LTSB supports the following operating systems to run the Configuration Manager
console. Each computer that hosts the console must have a minimum .NET Framework
version of 4.5.2 except for Windows 10, which requires a minimum of .NET Framework
4.6.

Supported operating systems:

Windows Server 2016
Windows Server 2012 R2 (x64): Standard, Datacenter
Windows Server 2012 (x64): Standard, Datacenter
Windows 10 Enterprise 2016 LTSB (x86, x64)
Windows 10 Enterprise 2015 LTSB (x86, x64)
Windows 8.1 (x86, x64): Professional, Enterprise

SQL Server versions supported for the site database and reporting point
The LTSB supports the following versions of SQL Server to host the site database and
reporting point. For each supported version, the same configuration requirements and
limitations that appear in Support for SQL Server versions for the current branch apply
to the LTSB. This support includes the use of a SQL Server Always On failover cluster
instance or an availability group.

Supported versions:

SQL Server 2016: Standard, Enterprise
SQL Server 2014 SP2: Standard, Enterprise
SQL Server 2014 SP1: Standard, Enterprise
SQL Server 2012 SP3: Standard, Enterprise
SQL Server 2008 R2 SP3: Standard, Enterprise, Datacenter
SQL Server 2016 Express
SQL Server 2014 Express SP2
SQL Server 2014 Express SP1
SQL Server 2012 Express SP3

Support for Active Directory domains


All LTSB site systems must be members of a supported Windows Active Directory
domain. Support for Active Directory domains has the same requirements and
limitations as those that appear in Support for Active Directory domains, but is limited
to the following domain functional levels:

Supported levels:

Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
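The console and domain requirements above are the two prerequisites most often missed when an LTSB console is installed on an otherwise-supported host. As an added example (not code from the Microsoft documentation), this PowerShell checks the .NET Framework level against the 4.5.2 / 4.6 rule and the domain functional level against the four supported levels. It assumes the ActiveDirectory RSAT module is present for Get-ADDomain; the .NET Release registry values used (379893 for 4.5.2, 393295 for 4.6) are the documented values of that registry key, not figures from this article.

```powershell
# Added example: pre-flight checks for a computer that will host the LTSB console,
# and for the domain it belongs to.
# Assumptions: the ActiveDirectory module is installed (RSAT); the Release registry
# values 379893 (.NET 4.5.2) and 393295 (.NET 4.6) are the documented values for
# HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full.

function Get-NetFrameworkRelease {
    # The Release DWORD under NDP\v4\Full identifies the installed .NET 4.x version.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
}

function Test-LtsbConsolePrereq {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Windows 10 (client, ProductType 1, version 10.x) requires .NET 4.6; every other
    # supported console OS requires .NET 4.5.2. ProductType keeps Windows Server 2016,
    # which also reports version 10.0, on the 4.5.2 rule.
    $isWin10 = ([version]$os.Version -ge [version]'10.0') -and ($os.ProductType -eq 1)
    $required = if ($isWin10) { 393295 } else { 379893 }
    $release = Get-NetFrameworkRelease
    [pscustomobject]@{
        OperatingSystem = $os.Caption
        NetRelease      = $release
        RequiredRelease = $required
        NetFrameworkOk  = ($null -ne $release) -and ($release -ge $required)
    }
}

function Test-LtsbDomainLevel {
    # The LTSB supports domain functional levels Windows Server 2008 through 2012 R2 only.
    $supported = 'Windows2008Domain', 'Windows2008R2Domain', 'Windows2012Domain', 'Windows2012R2Domain'
    $mode = (Get-ADDomain).DomainMode.ToString()
    [pscustomobject]@{ DomainMode = $mode; Supported = ($mode -in $supported) }
}

Test-LtsbConsolePrereq
Test-LtsbDomainLevel
```

A domain raised to the Windows Server 2016 functional level fails the second check even though every individual site system OS is on the supported list, which is the case the list above is easy to misread.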
Additional support topics that apply to the Long-Term Servicing Branch
The information in the following Current Branch topics applies to the LTSB:

Size and scale numbers
Site and site system prerequisites
High availability options
Recommended hardware
Support for Windows features and networks
Support for virtualization environments
Install and upgrade with the version
1606 baseline media
Article • 10/04/2022

Applies to: System Center Configuration Manager (long-term servicing branch)

When you run setup from the version 1606 baseline media for Configuration Manager,
you can install a long-term servicing branch site of System Center Configuration
Manager.

The baseline media is available on DVD as part of Microsoft System Center 2016, or from
the System Center Configuration Manager long-term servicing branch version 1606. To
learn about baseline media, see Baseline and update versions.

When you use the version 1606 baseline media, the site you install or upgrade to is:

A Current Branch site that is equivalent to a site that was first installed using the
1511 baseline media, and then updated to version 1606 plus the 1606 hotfix rollup
- KB3186654.
An LTSB site that is equivalent to the Current Branch site that runs version 1606
plus the 1606 hotfix rollup - KB3186654. The baseline media already includes the
hotfix rollup. But, the LTSB does not support all of the features or capabilities
available with the Current Branch, as detailed in Introduction to the Long-Term
Servicing Branch of System Center Configuration Manager.

If you are not familiar with the different branches of Configuration Manager, see Which
branch of Configuration Manager should I use.

Changes to Setup with the 1606 baseline media


The 1606 baseline media introduces the following changes to Setup for Configuration
Manager.

Branch and edition


When you run Setup, you are now presented with a Licensing page where you can select
the branch of Configuration Manager you want to install. You can choose either the
Current Branch or LTSB as a licensed installation, or you can choose an Evaluation
edition of the Current Branch as a non-licensed installation.

For more information, see Licensing and branches for Configuration Manager.
Software Assurance expiration
During Setup, you have the option to enter the Software Assurance expiration date
value. This is an optional value that you can specify as a convenient reminder.

Note

Microsoft does not validate the expiration date you enter and will not use this date
for license validation. Instead, you can use it as a reminder of your expiration date.
This is useful because Configuration Manager periodically checks for new software
updates offered online, and your software assurance license status should be
current to be eligible to use these additional updates.

You can specify the date value on the Product Key page of the Setup Wizard when
you run Setup from the Configuration Manager version 1606 baseline media.
You can also specify this date by selecting Hierarchy Settings Properties >
Licensing in the Configuration Manager console.

For more information, see "Software Assurance agreements" in Licensing and branches
for Configuration Manager.

Additional pre-upgrade configurations


Prior to starting an upgrade of System Center 2012 Configuration Manager to the LTSB,
you must take the following additional steps as part of pre-upgrade checklist.

Uninstall the site system roles that the LTSB does not support:

Asset Intelligence synchronization point
Microsoft Intune connector
Cloud-based distribution points

For more information, see Upgrade to Configuration Manager.

New scripted installation options


The version 1606 baseline media supports a new unattended script file key for scripted
installations of a new top-level site. This applies to installing a new stand-alone primary
site or adding a central administration site as part of a site expansion scenario.

When using an unattended script to install a licensed branch, you must add the following section, with its key names and values, to your script. You don't need these values to script the install of an Evaluation edition of the Current Branch:

Section name: SABranchOptions

Key name: SAActive
Values: 0 or 1.
Details: 0 installs a non-licensed Evaluation edition of Current Branch, and 1 installs a licensed edition.

Key name: CurrentBranch
Values: 0 or 1.
Details: 0 installs the Long-Term Servicing Branch, and 1 installs the Current Branch.

For example, to install a licensed Current Branch edition, the section would contain:

[SABranchOptions]
SAActive=1
CurrentBranch=1

Important

SABranchOptions only works with Setup from the baseline media. It does not apply
when you run Setup from the CD.Latest folder of a site you previously installed
using the version 1606 baseline media.

SABranchOptions does not apply to scripted upgrades from System Center 2012
Configuration Manager and always results in the Current Branch.

For more information, see Use a command line to install Configuration Manager sites.
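As an added example (not code from the Microsoft documentation), the following PowerShell writes an unattended script for a licensed LTSB stand-alone primary site, validates what the SABranchOptions section will produce, and runs Setup from the 1606 baseline media with it. Only the SABranchOptions keys come from this article; the Identification, Options, SQLConfigOptions and CloudConnectorOptions keys are the usual unattended-script keys and are an assumption here, so confirm them against "Use a command line to install Configuration Manager sites" before use. Every path, server name, site code and the product key are placeholders.

```powershell
# Added example: unattended install of a licensed LTSB stand-alone primary site.
# Assumptions: all keys outside [SABranchOptions] are the standard unattended-script
# keys (verify against the command-line install article); paths, names, the site code
# and the product key are placeholders to replace.

$Unattend = @"
[Identification]
Action=InstallPrimarySite

[Options]
ProductID=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
SiteCode=LT1
SiteName=LTSB stand-alone primary site
SMSInstallDir=C:\Program Files\Microsoft Configuration Manager
SDKServer=cm01.contoso.local
PrerequisiteComp=1
PrerequisitePath=C:\CMSetup\Prereqs
AdminConsole=1
JoinCEIP=0

[SQLConfigOptions]
SQLServerName=cm01.contoso.local
DatabaseName=CM_LT1

[CloudConnectorOptions]
CloudConnector=0

[SABranchOptions]
SAActive=1
CurrentBranch=0
"@

function Get-SABranchSelection {
    param([Parameter(Mandatory)][string]$IniText)
    # Parse only the [SABranchOptions] section and report what Setup will install,
    # applying the SAActive / CurrentBranch meanings described above.
    $section = [regex]::Match($IniText, '(?ms)^\[SABranchOptions\]\s*(.*?)(?=^\[|\z)').Groups[1].Value
    $kv = @{}
    foreach ($line in ($section -split "`r?`n")) {
        if ($line -match '^\s*(\w+)\s*=\s*(\d)\s*$') { $kv[$Matches[1]] = [int]$Matches[2] }
    }
    # A missing section or SAActive=0 means a non-licensed Evaluation edition.
    if ($kv['SAActive'] -ne 1) { return 'Evaluation edition of the Current Branch (non-licensed)' }
    if ($kv['CurrentBranch'] -eq 1) { 'Licensed Current Branch' } else { 'Licensed Long-Term Servicing Branch' }
}

$ScriptPath = 'C:\CMSetup\LtsbUnattend.ini'
Set-Content -Path $ScriptPath -Value $Unattend -Encoding ASCII
Get-SABranchSelection -IniText $Unattend

# SABranchOptions is honoured only by Setup from the baseline media, so run that copy
# of setup.exe (placeholder drive letter), not the one in CD.Latest.
& 'D:\SMSSETUP\BIN\X64\setup.exe' /script $ScriptPath
```

Keep the generated file out of any shared location once Setup completes: it carries the product key, the SQL Server name and the install path, which is more than an administrator needs to see after the fact.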

Install a new site


When you use the 1606 baseline media to install a new site of either branch, use the site
planning, preparation, and installation procedures documented in the Installing
Configuration Manager sites topic with the addition of the following considerations for
Setup:

During Setup you must choose the branch of Configuration Manager that you
want to install, and you can specify details for your Software Assurance agreement.
All sites in the same hierarchy must run the same branch. It is not supported to
have a hierarchy with a mix of LTSB and Current Branch at different sites.
New scripted installation. For more information, see "New scripted installation
options" earlier in this article.

Expand a stand-alone primary site


You can expand a stand-alone primary site that runs the LTSB. The process is no
different than that used for a Current Branch site with one caveat:

When installing the new central administration site you must use Setup from the
original source media you used to install the LTSB site. Running Setup from the
CD.Latest folder for this scenario is not supported.

For more information about expanding a site, see "Expand a stand-alone primary site" in
Install a site using the Setup Wizard.

Upgrade from System Center 2012 Configuration Manager

When you upgrade from System Center 2012 Configuration Manager, use the site
planning, preparation, and procedures as documented in the Upgrade to Configuration
Manager topic, but with the following changes:

Upgrade to the Current Branch:

During Setup, you must choose the Current Branch, and you can specify details for
your Software Assurance agreement.
New scripted installation. For more information, see "New scripted installation
options" earlier in this article.

Upgrade to the LTSB:

Additional steps to follow in the pre-upgrade checklist. For more information, see
"Additional pre-upgrade configurations" earlier in this article.
During Setup you must choose the LTSB, and you can specify details for your
Software Assurance agreement.
You can only upgrade a site that runs System Center 2012 Configuration Manager
with Service Pack 1, System Center 2012 Configuration Manager with Service Pack
2, System Center 2012 R2 Configuration Manager with Service Pack 1, or System
Center 2012 R2 Configuration Manager with no service pack.

In-place upgrade paths for the 1606 baseline media

You can use the 1606 baseline media to upgrade the following to a licensed edition of
Configuration Manager:

System Center 2012 R2 Configuration Manager with Service Pack 1


System Center 2012 R2 Configuration Manager with no service pack (this requires
the use of the baseline media for version 1606 that was rereleased on December
15th, 2016.)
System Center 2012 Configuration Manager with Service Pack 2
System Center 2012 Configuration Manager with Service Pack 1 (this requires the
use of the baseline media for version 1606 that was rereleased on December 15th,
2016.)

You can also use this media to upgrade a non-licensed Evaluation edition of Current
Branch to a fully licensed version of the Current Branch.

This media does not support the upgrade of:

Other versions of System Center 2012 Configuration Manager.


Configuration Manager 2007 or earlier.
A release candidate installation of Configuration Manager.

About the CD.Latest folder and the LTSB


The following are limitations on using the media that Configuration Manager creates in
the CD.Latest folder on the site server. These limits apply to sites that run the LTSB:

Media in the CD.Latest folder is supported for:

Site recovery.
Site maintenance.
Installing additional child primary sites.

Media in the CD.Latest folder is not supported for:

Installing a central administration site as part of a site expansion scenario.

For more information, see the CD.Latest folder.

Backup, recovery, and site maintenance for the LTSB

To back up, recover, or run site maintenance on a site that runs the LTSB, use the
guidance and procedures from Backup and recovery for Configuration Manager.

Use Configuration Manager Setup from the CD.Latest folder of the backup of your LTSB
site.

Manage the long term servicing branch of Configuration Manager
Article • 10/04/2022

Applies to: System Center Configuration Manager (long term servicing branch)

When you use the long term servicing branch (LTSB) of Configuration Manager, there
are important changes that affect how you manage your infrastructure.

The LTSB is generally the same as current branch version 1606, with some exceptions
like cloud-attached features. Most tasks you use for planning, deployment,
configuration, and day-to-day management are the same.

For example, the LTSB supports the same number of sites, site types, clients, and general
infrastructure as the current branch. Use the same guidance for site and hierarchy
planning and design as the current branch. Some features are supported by both
branches, like software updates or OS deployment. Use the same guidance as the
current branch, with the understanding that there were feature changes since version
1606 of the current branch.

The following sections provide information about tasks that aren't similar between the
long term servicing branch and the current branch.

Updates and servicing


Only critical security updates are made available as in-console updates in the LTSB.

Regular updates for the current branch are visible in the console, but aren't made
available to the LTSB. They aren't downloaded and can't be installed.

To support in-console updates for critical security fixes, an LTSB site requires the use of
the service connection point. You can configure this site system role in offline or online
mode, the same as for the current branch. The LTSB collects and submits the same
diagnostic and usage data as the current branch.

The LTSB supports the use of the hotfix installer and the update registration tool, as
documented for the current branch.

For general information about updates and servicing, see Updates for Configuration
Manager.

Changes for site expansion and the CD.Latest folder
When you use the LTSB, and expand a stand-alone primary site with a new central
administration site (CAS), run setup and the source files from the version 1606 baseline
media. For the current branch, you run setup and use source files from the CD.Latest
folder.

Although you don't run setup for site expansion from the CD.Latest folder, continue to
use the CD.Latest folder for the following actions:

Site recovery
Install a new child primary site when your first LTSB site was a CAS

For more information about site expansion, see Expand a stand-alone primary site. For
more information about the CD.Latest folder, see The CD.Latest folder.

Recovery
When you recover a site, you must restore the site or site database to its original branch.
You can't recover a current branch site database to an LTSB installation, or an LTSB site
to a current branch installation.

Next steps
Upgrade the long-term servicing branch to the current branch

Upgrade the long-term servicing branch to the current branch
Article • 10/04/2022

Applies to: System Center Configuration Manager (Long-Term Servicing Branch)

Use this topic to learn how to upgrade (convert) a site and hierarchy that runs the Long-
Term Servicing Branch (LTSB) of Configuration Manager to the Current Branch.

When you have a current Software Assurance agreement (or similar licensing rights) that
grants you rights to use the Current Branch, you can convert your installation from the
LTSB to the Current Branch. This is a one-way conversion because there is no support for
converting a Current Branch site to the LTSB.

If you have multiple sites, you only need to convert the top-tier site of your hierarchy.
After the top-tier site is converted:

Child primary sites automatically convert.


You must manually update secondary sites from within the Configuration Manager
console.

Run setup to convert the Long-Term Servicing Branch

On the top-tier site of your hierarchy, you can run Configuration Manager setup from
qualifying baseline media and select Site maintenance. Then, when presented with the
licensing page, select the option for the Current Branch and complete the wizard.

When your site has converted to the Current Branch, previously unavailable features and
capabilities will be available for use.

Note

Qualifying baseline media is a media that has a version that is equal to or later than
your LTSB installation.

For example, because the LTSB is based on version 1606, you cannot use the baseline
1511 media to convert to the Current Branch. Instead, you run setup from the same
version 1606 baseline media that you used to install the LTSB site, and choose the
licensing option for the Current Branch. Alternately, if a later baseline of the Current
Branch has been released, you can run setup from that baseline media.

For a list of baseline versions, see Baseline and update versions in Updates for
Configuration Manager.

Use the Configuration Manager console to convert the long-term servicing branch

If your site runs the LTSB, you can use the following option in the Configuration
Manager console to convert to the Current Branch:

1. In the console, go to Administration > Site Configuration > Sites, and then open
Hierarchy Settings.

2. In Hierarchy Settings, switch to the Licensing tab. Select the option to Convert to
Current Branch, and then choose Apply.

When your site has converted to the Current Branch, previously unavailable features and
capabilities will be available for use.
Get ready for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the information in the following topics when you're ready to start planning your
Configuration Manager deployment:

Design a hierarchy of sites for Configuration Manager

Fundamentals of role-based administration for Configuration Manager

Fundamental concepts for content management

Understand how clients find site resources and services for Configuration Manager

Prepare your network environment for Configuration Manager

Supported configurations for Configuration Manager


Features and capabilities of Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article summarizes the primary management features of Configuration Manager.


Each feature has its own prerequisites, and how you use each might influence the design
and implementation of your Configuration Manager hierarchy. For example, if you want
to deploy software updates to devices in your hierarchy, you need a software update
point site system role.

Co-management
Co-management is one of the primary ways to attach your existing Configuration
Manager deployment to the Microsoft 365 cloud. It enables you to concurrently manage
Windows devices by using both Configuration Manager and Microsoft Intune. Co-
management lets you cloud-attach your existing investment in Configuration Manager
by adding new functionality like conditional access. For more information, see What is
co-management?

Desktop Analytics
Desktop Analytics is a cloud-based service that integrates with Configuration Manager.
The service provides insight and intelligence for you to make more informed decisions
about the update readiness of your Windows clients. It combines data from your
organization with data aggregated from millions of devices connected to Microsoft
cloud services. For more information, see What is Desktop Analytics?

Cloud-attached management
Use features like the cloud management gateway and Azure Active Directory to manage
internet-based clients.

For more information, see the following articles:

Cloud management gateway overview
Plan for Azure AD
Azure services

Real-time management
Use CMPivot to immediately query online devices, then filter and group the data for
deeper insights. Also use the Configuration Manager console to manage and deploy
Windows PowerShell scripts to clients. For more information, see CMPivot and Create
and run PowerShell scripts.

Application management
Helps you create, manage, deploy, and monitor applications to a range of different
devices that you manage. Deploy, update, and manage Microsoft 365 Apps from the
Configuration Manager console. Additionally, Configuration Manager integrates with
the Microsoft Store for Business and Education to deliver cloud-based apps. For more
information, see Introduction to application management.

OS deployment
Deploy an in-place upgrade of Windows, or capture and deploy OS images. Image
deployment can use PXE, multicast, or bootable media. It can also help redeploy existing
devices using Windows Autopilot. For more information, see Introduction to OS
deployment.

Software updates
Manage, deploy, and monitor software updates in the organization. Integrate with
Windows Delivery Optimization and other peer caching technologies to help control
network usage. For more information, see Introduction to software updates.

Company resource access
Lets you give users in your organization access to data and applications from remote
locations. This feature includes Wi-Fi, VPN, email, and certificate profiles. For more
information, see Protect data and site infrastructure.

Compliance settings
Helps you to assess, track, and remediate the configuration compliance of client devices
in the organization. Additionally, you can use compliance settings to configure a range
of features and security settings on devices you manage. For more information, see
Ensure device compliance.

Endpoint Protection
Provides security, antimalware, and Windows Firewall management for computers in
your organization. This area includes management and integration with the following
Windows Defender suite features:

Windows Defender Antivirus


Microsoft Defender for Endpoint
Windows Defender Exploit Guard
Windows Defender Application Guard
Windows Defender Application Control
Windows Defender Firewall

For more information, see Endpoint Protection.

Inventory
Helps you identify and monitor assets.

Hardware inventory
Collects detailed information about the hardware of devices in your organization. For
more information, see Introduction to hardware inventory.

Software inventory
Collects and reports information about the files that are stored on client computers in
your organization. For more information, see Introduction to software inventory.

Asset Intelligence
Provides tools to collect inventory data and monitor software license usage in your
organization. For more information, see Introduction to Asset Intelligence.

On-premises mobile device management
Enrolls and manages devices by using the on-premises Configuration Manager
infrastructure with the management functionality built into the device platforms. (Typical
management uses a separately installed Configuration Manager client.) This feature
currently supports managing Windows 10 Enterprise and Windows 10 Mobile devices.
For more information, see Manage mobile devices with on-premises infrastructure.

Power management
Manage and monitor the power consumption of client computers in the organization.
Configure power plans, and use Wake-on-LAN to do maintenance outside of business
hours. For more information, see Introduction to power management.

Remote control
Provides tools to remotely administer client computers from the Configuration Manager
console. For more information, see Introduction to remote control.

Reporting
Use the advanced reporting capabilities of SQL Server Reporting Services from the
Configuration Manager console. This feature provides hundreds of default reports. For
more information, see Introduction to reporting.

Software metering
Monitor and collect software usage data from Configuration Manager clients. You can
use this data to determine whether software is used after it's installed. For more
information, see Monitor app usage with software metering.

Next steps
For more information about how to plan and install Configuration Manager to support
these management capabilities in your environment, see Get ready for Configuration
Manager.

What's new in Configuration Manager incremental versions
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

Configuration Manager uses an in-console updates and servicing process. This update
process makes it easy to discover and install Configuration Manager updates. There are
no more service packs or cumulative update versions to track and install. You don't have
to search for the download of the most recent release or updates.

To update the product to a new version of the current branch, install the update from
the Configuration Manager console. A few times each year, Microsoft releases new versions
that include product updates. Each version also introduces new features. When you
install an update with new features, you can choose to use those features. For more
information, see Prepare to install in-console updates for Configuration Manager.

Different update versions are identified by year and month. For example, version 1511
identifies November 2015 (the month when Configuration Manager current branch was
first released to manufacturing). Later updates have version names like 2107, which
indicates an update that was created in July 2021. These update versions are key to
understanding the incremental version of your Configuration Manager installation, and
what features are available to enable in your environment.

Supported versions
Use the following links to discover what's new with each supported version:

What's new in version 2303


What's new in version 2211
What's new in version 2207
What's new in version 2203
What's new in version 2111

Each update version remains in support for 18 months from its initial availability date.
Stay current with the most recent update version. For more information, see Support for
Configuration Manager current branch versions.

See also
Release notes

What's new in version 2303 of Configuration Manager current branch
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

Update 2303 for Configuration Manager current branch is available as an in-console
update. Apply this update on sites that run version 2111 or later. When installing a new
site, this version of Configuration Manager will also be available as a baseline version
soon after global availability of the in-console update. This article summarizes the
changes and new features in Configuration Manager, version 2303.

Always review the latest checklist for installing this update. For more information, see
Checklist for installing update 2303. After you update a site, also review the Post-update
checklist.

To take full advantage of new Configuration Manager features, after you update the site,
also update clients to the latest version. While new functionality appears in the
Configuration Manager console when you update the site and console, the complete
scenario isn't functional until the client version is also the latest.

Microsoft Configuration Manager product branding

Starting with Configuration Manager version 2303, Microsoft Endpoint Configuration
Manager is now Microsoft Configuration Manager. Microsoft Configuration Manager is
an integrated solution for managing all your devices. Microsoft brings together
Configuration Manager and Intune, without a complex migration, and with simplified
licensing. Continue to use your existing Configuration Manager investments, while
taking advantage of the power of the Microsoft cloud at your own pace.

Tip

The Support Center tool and the client must be upgraded to the latest version for their
program files path and Start menu entries to move to the new Microsoft Configuration
Manager paths.

For more information, see Microsoft Configuration Manager FAQ


Cloud-attached management

Improvements to Cloud Sync (Collections to Azure Active Directory Group
Synchronization) feature

Starting with Configuration Manager version 2303, collection member sync status
(Success, In Progress, or Failed with the reason for failure) is available in the
Collection Cloud Sync dashboard, in the bottom pane for the chosen collection. Earlier,
with Configuration Manager version 2211, the scalability of this feature was improved
with better throttling and error handling, and dedicated dashboards for user collections
and device collections were added in the Monitoring workspace to show Cloud Sync
status. The dashboard displays the Cloud Sync status per collection with the mapped
Azure AD group, total member count, synced member count, status (success, failed, in
progress), and last sync details.

For more information, see Synchronize collections to Azure Active Directory Group.

Endpoint Security reports in Intune admin center for tenant attached devices

Starting with Configuration Manager version 2303, you can opt in to Endpoint Security
reports in the Intune admin center for tenant attached devices. Once you opt in, the
Unhealthy endpoints and Active malware operational reports under the Endpoint security
node in the Intune admin center start showing data from tenant attached devices. The
Antivirus agent status and Detected malware organizational reports under Microsoft
Defender Antivirus in the Reports section also show data from tenant attached devices.

For more information, see Tenant attach - Create and deploy Antivirus policies from the
admin center.

Site infrastructure

Authorization failure message in admin service now shown in Status message viewer

We have introduced audit messages for authorization failures in the administration
service. You can now view request details and status messages. These messages are
shown in "All Status Messages" under "Status Message Queries" in the Monitoring
workspace. Previously these failures were only logged in log files, which roll over;
the new audit messages avoid losing that record. Details about the user, the resource
access attempts, and the number of attempts for all the unauthorized requests made by
a user in a day are now available. We are also auditing read operations for HTTPS
requests and for cloud-initiated operations. This helps admins scope the permissions
and roles of users, and determine whether any users are acting maliciously. All
unauthorized requests are aggregated for 24 hours before being sent to the status
message viewer.

For more information, see Administration Service documentation.

SQL Server 2022 version support added for Configuration Manager

Starting with version 2303, support is added for the SQL Server 2022 RTM version. You
can use this version of SQL Server for the following sites:

A central administration site
A primary site
A secondary site

The following table identifies the recommended compatibility levels for Configuration
Manager site databases:

SQL Server version   Supported compatibility levels   Recommended level
SQL Server 2022      150, 140, 130, 120, 110          150

For more information, see support-for-sql-server-versions.
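As an added example, not code from the article or from Microsoft, the following PowerShell checks a site database's compatibility level against the table above and can raise it to the recommended level. It assumes the SqlServer module's Invoke-Sqlcmd is available, that the instance name SQL01.contoso.local and the database name CM_PS1 are placeholders, and that the caller has ALTER permission on the database.

```powershell
# Added example, not Microsoft's code. Reads the site database's compatibility
# level and compares it with the supported and recommended levels for SQL Server
# 2022 listed in the table above; -Fix raises it to the recommended level.
# Assumptions: the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, the
# caller has ALTER permission on the database, and the instance and database
# names are placeholders (site databases follow the CM_<SiteCode> pattern).

function Test-CMSiteDbCompatibilityLevel {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,      # e.g. 'SQL01.contoso.local' (placeholder)
        [Parameter(Mandatory)][string]$Database,            # e.g. 'CM_PS1' (placeholder)
        [int]$Recommended = 150,                            # recommended level for SQL Server 2022
        [int[]]$Supported = @(150, 140, 130, 120, 110),     # supported levels for SQL Server 2022
        [switch]$Fix
    )
    $safeName = $Database -replace "'", "''"                # escape for the T-SQL string literal
    $row = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database 'master' -Query @"
SELECT name, compatibility_level
FROM sys.databases
WHERE name = N'$safeName';
"@
    if (-not $row) { throw "Database '$Database' was not found on $ServerInstance." }

    $current = [int]$row.compatibility_level
    $state = if ($current -eq $Recommended) { 'Recommended' }
             elseif ($Supported -contains $current) { 'Supported' }
             else { 'Unsupported' }

    if ($Fix -and $current -ne $Recommended) {
        # Takes effect immediately and can change query plans; run it in a maintenance window.
        $bracketed = '[' + ($Database -replace '\]', ']]') + ']'
        Invoke-Sqlcmd -ServerInstance $ServerInstance -Database 'master' `
            -Query "ALTER DATABASE $bracketed SET COMPATIBILITY_LEVEL = $Recommended;"
        $current = $Recommended
        $state = 'Recommended'
    }

    [pscustomobject]@{
        Database           = $Database
        CompatibilityLevel = $current
        Recommended        = $Recommended
        State              = $state
    }
}

# Usage (placeholders):
#   Test-CMSiteDbCompatibilityLevel -ServerInstance 'SQL01.contoso.local' -Database 'CM_PS1'
#   Test-CMSiteDbCompatibilityLevel -ServerInstance 'SQL01.contoso.local' -Database 'CM_PS1' -Fix
```

Run the check without -Fix first; a level that is supported but not recommended is not an error, and a level outside the supported list is the case to investigate before changing anything.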

Software updates

Unified update platform (UUP) GA release

The Unified Update Platform (UUP) servicing is finally here for all Windows 11, version
22H2 updates delivered via Windows Server Update Services (WSUS) and Configuration
Manager. Starting March 28, on-premises Windows 11, version 22H2 devices will receive
quality updates via the Unified Update Platform (UUP). For more information, see What's
UUP? New update style! The Unified Update Platform (UUP) is a single publishing,
hosting, scan, and download model for OS quality and feature updates. It offers
improved delivery technologies in response to IT admin requests for more seamless
updates, more control over installation time, more battery life, and lighter download
size.

Note

A one-time 10-GB download to distribution points with your first UUP update. UUP
is becoming the default and only way to download quality updates. This means that
you should plan for an extra 10GB download to distribution points (not endpoint
clients) with the March 28th update. That's a one-time 10GB download for updates
for Windows 11, version 22H2 per architecture (AMD64 and ARM64).

Update to the default value of supersedence age in months for software updates

With the Unified Update Platform (UUP) general availability release, the supersedence
age for both feature updates and non-feature updates should be greater than 3 months.
For new software update point role installations, the default is now 6 months. Existing
customers can review their configuration and update it to 6 months.

Known issue
Update to the default value of supersedence age in months for software updates will
not impact existing configurations. Removing SUP role in Admin Console does not reset
the supersedence age property in WMI. As a result, while reconfiguring the role, the
previously configured value is shown in the configuration window. 

Enable Windows features introduced via Windows servicing that are off by default

The commercial control for continuous innovation in Windows is now integrated with
the Configuration Manager 2303 release. For more information, see Commercial control for
continuous innovation (Windows 11) and client settings in Configuration Manager.

Configuration Manager console

Dark theme extended to delete secondary site wizard

secondary site wizard. This wizard will also have a new look for the normal theme. This is
part of the ongoing effort to make dark theme and overall admin console experience
better.

To use the theme, select the arrow from the top left of the ribbon, then choose the
Switch console theme. Select Switch console theme again to return to the light theme.
For more information, see Dark theme for the console.

Deprecated features

Removed Community hub service and integration with ConfigMgr

The Community Hub configuration in Hierarchy settings and the Community Hub service
integration have been removed. Learn about support changes before they're implemented
in removed and deprecated items.

Other updates

Maintenance window schedules

Offset for recurring monthly maintenance window schedules. Based upon your
feedback, you can now offset monthly maintenance window schedules to better align
deployments with the release of monthly security updates. For example, using the
maximum offset of seven days after the second Tuesday of the month sets the
maintenance window to the following Monday.

Removing Microsoft Store for Business and Education new config capability

As part of the Microsoft Store for Business deprecation, we are making these changes to
the customer experience of using this feature:

Removing a user's ability to create new Microsoft Store for Business connections in
Configuration Manager.
Display a warning message box when a user triggers a sync from Microsoft Store for
Business.
Display a warning in the Create Application Wizard when a user attempts to create a
new app from Store license information.

For more information, see removed and deprecated items.

Next steps
As of April 24, 2023, version 2303 is globally available for all customers to install.

When you're ready to install this version, see Installing updates for Configuration
Manager and Checklist for installing update 2303.

Tip

To install a new site, use a baseline version of Configuration Manager.

Learn more about:

Installing new sites
Baseline and update versions

For known significant issues, see the Release notes.

After you update a site, also review the Post-update checklist.


What's new in version 2211 of Configuration Manager current branch
Article • 03/10/2023

Applies to: Configuration Manager (current branch)

Update 2211 for Configuration Manager current branch is available as an in-console
update. Apply this update on sites that run version 2107 or later. This article summarizes
the changes and new features in Configuration Manager, version 2211.

Always review the latest checklist for installing this update. For more information, see
Checklist for installing update 2211. After you update a site, also review the Post-update
checklist.

To take full advantage of new Configuration Manager features, after you update the site,
also update clients to the latest version. While new functionality appears in the
Configuration Manager console when you update the site and console, the complete
scenario isn't functional until the client version is also the latest.

Cloud-attached management

Improvements to Cloud Sync (Collections to Azure Active Directory Group
Synchronization) feature

Starting with Configuration Manager version 2211, the scalability of this feature has
been improved with better throttling and error handling. Additionally, dedicated
dashboards for user collections and device collections are added in the Monitoring
workspace to show Cloud Sync status. The dashboard displays the Cloud Sync status per
collection with the mapped Azure AD group, total member count, synced member count,
status (success, failed, in progress), and last sync details.

For more information, see Synchronize collections to Azure Active Directory Group.

Site infrastructure

Network access account (NAA) usage alert

If your site is configured with a network access account, you see this new prerequisite
warning. To improve the security of distribution points that use the NAA, review the
existing accounts and their permissions. If an account has more than the minimal
required permissions, remove it and add an account with only those permissions. Don't
configure any account with administrator-level permissions as the NAA. If the site is
configured for HTTPS or enhanced HTTP, it's recommended to remove the NAA, which is
then unused.

For more information, see Permissions for the network access account.
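As an added example, not code from the article or from Microsoft, the following PowerShell performs the review the warning asks for: it resolves effective membership of the well-known privileged groups (including nested membership) and reports whether a network access account is in any of them, and whether the account should simply be removed because the site uses HTTPS or enhanced HTTP. It assumes the ActiveDirectory module is available; the account name CONTOSO\svc-naa is a placeholder, and feeding it (Get-CMAccount).UserName from a console PowerShell session is an assumption, not something the article states.

```powershell
# Added example, not Microsoft's code. Checks whether the configured network access
# account (NAA) holds privileged group membership, which the warning above tells you
# to remove. Assumptions: the ActiveDirectory module is available; account names are
# passed in (in a Configuration Manager PowerShell session, (Get-CMAccount).UserName
# is an assumed source, not one the article names); the privileged groups are the
# well-known ones listed below and nothing site-specific.

function Get-PrivilegedUserMap {
    # Returns a hashtable of sAMAccountName -> privileged group names, resolving nested
    # membership so a user reaching Domain Admins through another group is still caught.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $groupSids = @(
        'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-551'   # Administrators, Account/Server/Backup Operators
    ) + @(512, 518, 519 | ForEach-Object { "$domainSid-$_" })           # Domain, Schema, Enterprise Admins
    $map = @{}
    foreach ($sid in $groupSids) {
        $group = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue
        if (-not $group) { continue }                                    # e.g. a child domain has no Enterprise Admins
        foreach ($member in Get-ADGroupMember -Identity $group -Recursive) {
            if ($member.objectClass -ne 'user') { continue }
            $key = $member.SamAccountName
            if (-not $map.ContainsKey($key)) { $map[$key] = @() }
            $map[$key] += $group.Name
        }
    }
    return $map
}

function Test-CMNetworkAccessAccount {
    param(
        [Parameter(Mandatory)][string[]]$AccountName,    # 'DOMAIN\svc-naa' or 'svc-naa'
        [switch]$SiteUsesHttpsOrEnhancedHttp             # per the article, the NAA is unused in that case
    )
    $privileged = Get-PrivilegedUserMap
    foreach ($name in $AccountName) {
        $sam  = ($name -split '\\')[-1]                  # strip a DOMAIN\ prefix if present
        $hits = if ($privileged.ContainsKey($sam)) { @($privileged[$sam]) } else { @() }
        $action = if ($SiteUsesHttpsOrEnhancedHttp) { 'Remove the NAA; it is unused with HTTPS/EHTTP' }
                  elseif ($hits.Count -gt 0) { 'Replace with an account that has only the minimal required permissions' }
                  else { 'No privileged membership; still review share and NTFS rights on distribution points' }
        [pscustomobject]@{
            Account          = $name
            PrivilegedGroups = $hits
            Action           = $action
        }
    }
}

# Usage (placeholder account):
#   Test-CMNetworkAccessAccount -AccountName 'CONTOSO\svc-naa'
#   Test-CMNetworkAccessAccount -AccountName 'CONTOSO\svc-naa' -SiteUsesHttpsOrEnhancedHttp
```

Get-ADGroupMember -Recursive is capped by the domain controller's default member-enumeration limit, so on very large groups the map can be incomplete; a clean result here is only one input to the review, because an account that is not in a privileged group can still hold excessive rights on individual distribution point shares.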

Distribution point content migration

Distribution point (DP) content migration is now available for migrating content from
one DP to another using PowerShell cmdlets. You can also monitor the DP migration
status with these cmdlets.

For more information, see the content migration documentation.

Software Center

Featured Apps in Software Center

Software Center now has a Featured tab that displays featured apps. IT admins can mark
apps as "featured" to encourage end users to use them. Currently, this feature is
available only for "User Available" apps. Admins can also make the Featured tab the
default tab of Software Center from Client Settings.

For more information, see the Software Center in Configuration Manager.

Configuration Manager console

Enhancements in console search experience


When performing a search on any node in the console, the hint text in the search bar
will now indicate the scope of the search. Also, search experience related issues have
been fixed.
By default, all subfolders are searched when you perform a search in any node that
contains subfolders. You can narrow down the search by selecting the “Current
Node” option from the search toolbar.
If you want to expand the search to include all nodes, then select the “All Objects”
button in the ribbon.

For more information, see Console changes and tips.

Dark theme is now extended to more dashboards


We've extended the dark theme to other components such as buttons, context menus,
and hyperlinks. Enable this feature to experience the dark theme.

In this release we've extended the dark theme to more dashboards, which previously
didn't display the dark theme correctly. For example, the O365 Updates Dashboard,
PCM Dashboard, and Health Attestation dashboard will now display according to the
dark theme, when it's enabled. Pop-ups in the Health attestation dashboard will now
adhere to the dark theme.

For more information, see Dark theme for the console.

Other updates

Resolved duplicate entries for co-managed devices in the Intune portal

Previously, co-managed devices appeared as two separate entries in the Intune portal:
one entry corresponding to Intune and another corresponding to Configuration Manager,
appearing after enrollment. In some cases the duplicate entries were permanent. Various
scenarios like device entity counts and policy targeting were affected. The entries were
duplicated because Intune wasn't aware of the Azure AD device ID of devices coming from
Configuration Manager. Intune became aware only after the daily discovery cycle ran and
reported to Intune via CMGS.

The issue is fixed by propagating the correct Azure AD device ID from Configuration
Manager during Intune enrollment. This leads to merged entities for co-managed devices
in a short period of time (30-40 minutes), without waiting for the discovery cycle to run.

Starting with this version, the Configuration Manager client doesn't support the following operating systems

Windows Server 2008 R2 SP1 Extended Security Updates (ESU Azure Only)

Windows Server 2008 SP2 Extended Security Updates (ESU Azure Only)

If you're running these operating systems on machines in your environment, they shouldn't be upgraded to the 2211 version of the Configuration Manager client. For more information on supported clients and devices, see supported-operating-systems-for-clients-and-devices.

Next steps
As of December 19, 2022, version 2211 is globally available for all customers to install.

When you're ready to install this version, see Installing updates for Configuration
Manager and Checklist for installing update 2211.

Tip

To install a new site, use a baseline version of Configuration Manager.

Learn more about:

Installing new sites

Baseline and update versions

For known significant issues, see the Release notes.

After you update a site, also review the Post-update checklist.


What's new in version 2207 of Configuration Manager current branch
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

Update 2207 for Configuration Manager current branch is available as an in-console update. Apply this update on sites that run version 2103 or later. This article summarizes the changes and new features in Configuration Manager, version 2207.

Always review the latest checklist for installing this update. For more information, see
Checklist for installing update 2207. After you update a site, also review the Post-update
checklist.

To take full advantage of new Configuration Manager features, after you update the site,
also update clients to the latest version. While new functionality appears in the
Configuration Manager console when you update the site and console, the complete
scenario isn't functional until the client version is also the latest.

Cloud-attached management

Use Intune role-based access control (RBAC) for tenant attached devices

You can now use Intune role-based access control (RBAC) when interacting with tenant
attached devices from the Microsoft Intune admin center. For example, when using
Intune as the role-based access control authority, a user with Intune's Help Desk
Operator role doesn't need an assigned security role or additional permissions from
Configuration Manager. For more information, see Intune role-based access control for
tenant attached clients.

Enhanced security for Configuration Manager administration service

We're introducing a new cloud application with limited access to the administration service. This feature allows the cloud management gateway (CMG) to segment admin privileges between a management point and the administration service, so the CMG can restrict access to the administration service. It gives admins granular control over which users can access the administration service and lets them enforce MFA if necessary.

For more information, see Configure Azure services for use with Configuration Manager.

Simplified application deployment approval

An administrator can now approve or deny a request to deploy an application on a device from anywhere they have internet access by selecting a link in the email notification. This feature requires admins to manually add the CMG URL in the Azure Active Directory app as a single-page application redirect URI.

For more information, see Create an app registration in Azure AD for your app service
app.

Include and prefer a cloud source for a management point in a default boundary group

Until 2203 current branch, you didn't have an option to prefer a CMG as a management point in a default boundary group. Clients falling back to a default boundary group could only communicate with non-cloud-based management points.

When a site is initially installed, there's a default site boundary group created for each
site, and all the clients use it by default until they're assigned to a custom boundary
group.

Starting in Configuration Manager 2207, you can add options via PowerShell to include
and prefer cloud sources. For instance, you can set the CMG as the preferred
management point for the clients in the default boundary group.

For more information, see Default site boundary group behavior supports cloud source
selection.

Client management

Granular control over compliance settings evaluation


You can now define a Script Execution Timeout (seconds) when configuring client
settings for compliance settings. The timeout value can be set from a minimum of 60
seconds to a maximum of 600 seconds. This new setting allows you more flexibility for
configuration items when you need to run scripts that may exceed the default of 60
seconds.

For more information, see the compliance settings group of client settings.

Software updates

Improved manageability of automatic deployment rules (ADRs)

You can now organize ADRs with folders. This improvement helps you categorize and manage ADRs across your organizational hierarchy by giving you a structured view across your phased deployments. Folders can also be created with PowerShell cmdlets.

For more information, see Process to create a folder for automatic deployment rules.

Enhanced control over monthly maintenance windows

Based on your feedback, we have enhanced monthly maintenance window scheduling. You can now set monthly maintenance window schedules to better align deployments with the release of monthly software updates by configuring offsets. For example, an offset of two days after the second Tuesday of the month sets the maintenance window for Thursday.

For more information, see How to use maintenance windows in Configuration Manager.
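The offset computation described above, as an added example that is not from the Configuration Manager docs or product: it finds the Nth weekday of a month (with a negative ordinal meaning "last"), adds the offset, and refuses an ordinal the month doesn't have rather than silently slipping into the next month. It generalizes the page's "second Tuesday plus two days" case to any weekday, ordinal, and offset; the function names are this example's own.

```python
"""Added example: compute a monthly maintenance window date from a weekday
ordinal plus an offset, as in the 2207 monthly maintenance window schedule
("second Tuesday of the month, offset 2 days" gives the following Thursday).
The function names here are this example's own, not Configuration Manager APIs."""
import calendar
from datetime import date, timedelta


def nth_weekday(year: int, month: int, weekday: int, ordinal: int) -> date:
    """Return the ordinal-th occurrence of `weekday` (Mon=0 .. Sun=6) in a month.

    ordinal 1..5 counts from the start of the month; -1 means the last occurrence.
    Raises ValueError when the month has no such occurrence (a fifth Tuesday in
    a short month, for example) so a schedule never silently moves to next month.
    """
    if ordinal == 0 or not -1 <= ordinal <= 5:
        raise ValueError("ordinal must be 1..5 or -1 (last)")
    if ordinal > 0:
        first = date(year, month, 1)
        # Days from the 1st to the first requested weekday, then whole weeks.
        days_ahead = (weekday - first.weekday()) % 7
        candidate = first + timedelta(days=days_ahead + 7 * (ordinal - 1))
    else:
        last_day = calendar.monthrange(year, month)[1]
        last = date(year, month, last_day)
        # Walk back from the last day of the month to the requested weekday.
        days_back = (last.weekday() - weekday) % 7
        candidate = last - timedelta(days=days_back)
    if candidate.month != month:
        raise ValueError(
            f"no occurrence {ordinal} of weekday {weekday} in {year}-{month:02d}")
    return candidate


def maintenance_window_date(year: int, month: int, weekday: int,
                            ordinal: int, offset_days: int) -> date:
    """Anchor weekday plus offset; the offset may legitimately cross into next month."""
    return nth_weekday(year, month, weekday, ordinal) + timedelta(days=offset_days)


def patch_tuesday_windows(year: int, offset_days: int) -> list[date]:
    """One window per month of `year`, anchored on the second Tuesday plus offset."""
    return [maintenance_window_date(year, m, calendar.TUESDAY, 2, offset_days)
            for m in range(1, 13)]


if __name__ == "__main__":
    # Constructed demo: the page's example, applied to every month of 2023.
    for window in patch_tuesday_windows(2023, 2):
        print(window.isoformat(), calendar.day_name[window.weekday()])
```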

Endpoint Protection

Improved Microsoft Defender for Endpoint (MDE) onboarding for Windows Server 2012 R2 and Windows Server 2016

Configuration Manager version 2207 now supports automatic deployment of the modern, unified Microsoft Defender for Endpoint agent for Windows Server 2012 R2 and 2016. Windows Server 2012 and 2016 devices that are targeted with a Microsoft Defender for Endpoint onboarding policy will use the unified agent instead of the existing Microsoft Monitoring Agent based solution, if configured through Client Settings.

For more information, see Microsoft Defender for Endpoint onboarding.


Enhanced protection for untrusted environments
1. Windows Defender Application Guard is now called Microsoft Defender
Application Guard in the console.

2. The General settings page in the Microsoft Defender Application Guard now allows
you to create policies within Configuration Manager to protect your employees
using Microsoft Edge and isolated Windows environments.

3. The Application Behavior settings page allows you to enable or disable cameras
and microphones, along with certificate matching of the thumbprints to the
isolated container.

4. The following items were removed:

The Enterprise sites can load non-enterprise content, such as third-party plug-in settings, under the Host interaction page.

The file trust criteria policy, under the File Management page.

For more information, see Create and deploy Microsoft Defender Application Guard
policy.

Configuration Manager console

Improvements to the console

When performing a search on any node in the console, the search bar will now include a Path criteria to show that subfolders in the node are included in the search. The path criteria is informational and can't be edited.

By default, all subfolders will be searched when you perform a search in any node that contains subfolders. You can narrow down the search by selecting the "Current Node" option from the search toolbar.

Improvements to the dark theme


The dark theme has been available as a pre-release feature since 2203. In this release
we've extended the dark theme to additional components such as buttons, context
menus, and hyperlinks. Enable this pre-release feature to experience the dark theme.

For more information, see Console changes and tips.


Other updates
For more information on changes to the Windows PowerShell cmdlets for Configuration
Manager, see version 2207 release notes.

Next steps
At this time, version 2207 is released for the early update ring. To install this update, you
need to opt in. For more information, see Early update ring.

When you're ready to install this version, see Installing updates for Configuration
Manager and Checklist for installing update 2207.

Tip

To install a new site, use a baseline version of Configuration Manager.

Learn more about:

Installing new sites

Baseline and update versions

For known significant issues, see the Release notes.

After you update a site, also review the Post-update checklist.


What's new in version 2203 of Configuration Manager current branch
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Update 2203 for Configuration Manager current branch is available as an in-console update. Apply this update on sites that run version 2010 or later. When installing a new site, this version of Configuration Manager will also be available as a baseline version soon after global availability of the in-console update. This article summarizes the changes and new features in Configuration Manager, version 2203.

Always review the latest checklist for installing this update. For more information, see
Checklist for installing update 2203. After you update a site, also review the Post-update
checklist.

To take full advantage of new Configuration Manager features, after you update the site,
also update clients to the latest version. While new functionality appears in the
Configuration Manager console when you update the site and console, the complete
scenario isn't functional until the client version is also the latest.

Cloud-attached management

Prefer cloud-based software update points


Clients now prefer to scan against a cloud management gateway (CMG) software update
point (SUP) over an on-premises SUP when the boundary group uses the Prefer cloud
based source over on-premises source option. To reduce the performance effect of this
change, existing clients don't automatically switch to a cloud-based software update
point.

For more information, see Boundary groups and software update points.

Site infrastructure

Visualize content distribution status


You can now monitor content distribution path and status in a graphical format. The
graph shows distribution point type, distribution state, and associated status messages.
This visualization allows you to more easily understand the status of your content
package distribution. It helps you answer questions like:

Has the site successfully distributed the content?

Is the content distribution in progress?

Which distribution points have already processed the content?

For more information, see Visualize content distribution status.

Improvements to Power BI Report Server integration


We've made the following improvements for Power BI Report Server integration:

You can now use Microsoft Power BI Desktop (Optimized for Power BI Report Server) versions that were released after January 2021.

Configuration Manager now correctly handles Power BI reports saved by Power BI Desktop (optimized for Power BI Report Server) May 2021 or later.

For more information, see Integrate with Power BI Report Server.

Exclude data warehouse reporting tables from synchronization

When you install the data warehouse, it synchronizes a set of default tables from the site
database. These tables are required for data warehouse reports. While troubleshooting
issues, you may want to stop synchronizing these default tables. Starting in this release,
you can exclude one or more of these required tables from synchronization.

For more information, see Exclude data warehouse reporting tables from
synchronization.

Improvements to management insights


The following improvements have been made to management insights:

A new management insights group was added to Management Insights. The Deprecated and unsupported features group contains rules that will help you manage and remove deprecated features. The prerequisite checker will also check for deprecated and unsupported features during site installs and upgrades.

A new rule for detecting Windows Server 2012 and 2012 R2 was added to the Proactive Maintenance group.

For more information, see Management insights for deprecated and unsupported
features and Management insights for proactive maintenance.

Client management

Deployment Status client notification actions


You can now perform client notification actions, including Run Scripts, from the
Deployment Status view.

For more information, see Review deployment details.

Collections

Delete collection references


Previously, when you would delete a collection with dependent collections, you first had
to delete the dependencies. The process of finding and deleting all of these collections
could be difficult and time consuming. Now when you delete a collection, you can
review and delete its dependent collections at the same time.

For more information, see Delete collection references.


Software updates

LEDBAT support for software update points


You can now enable Windows Low Extra Delay Background Transport (LEDBAT) for your
software update points. LEDBAT adjusts download speeds during client scans against
WSUS to help control network congestion.

For more information, see Install a software update point.

Pre-download content for available software updates


You can now pre-download content for software updates that are included in available
deployments. Required deployments already pre-download content by default. Enabling
this new setting reduces installation wait times for clients since installation notifications
won't be visible in Software Center until the content has fully downloaded.

For more information, see Deploy software updates.

Customize maximum run time for other software update types

Previously, software updates that didn't belong to the following update categories defaulted to a maximum run time of 60 minutes (or 10 minutes prior to version 2103):

Windows feature updates

Windows non-feature updates

Office 365 updates

You can now customize the maximum run time for all other software updates, which
includes third-party updates.

For more information, see Maximum run time and Install and configure a software
update point.

ADR scheduling improvements for deployments


The Software available time and Installation deadline for deployments created by an
automatic deployment rule (ADR) are now calculated based on the time the ADR
evaluation is scheduled and starts. Previously, these times were calculated based on
when the ADR evaluation completed. This change makes the Software available time
and Installation deadline consistent and predictable for deployments.

For more information, see Automatic deployment rules (ADR).

Added folder support for nodes in the Software Library


You can now organize software update groups and packages by using folders. This
change allows for better categorization and management of software updates.

For more information, see Deploy software updates.

Alerts for orchestration groups


If an orchestration group fails, an alert is now displayed in Monitoring > Alerts > Active Alerts. For more information, see Monitor orchestration groups.

OS deployment

Escrow BitLocker recovery password to the site during a task sequence

You can now configure the Enable BitLocker step of a task sequence to escrow the
BitLocker recovery information for the OS volume to Configuration Manager. Previously,
you had to escrow to Active Directory, or wait for the Configuration Manager client to
receive BitLocker management policy after the task sequence. This new option makes
sure that the device is fully protected by BitLocker when the task sequence completes,
and that you can recover the OS volume immediately.

For more information, see Task sequence steps: Enable BitLocker.

Custom icon support for task sequences and packages


Previously, task sequences and legacy packages would always display a default icon in
Software Center. Based on your feedback, you can now add custom icons for task
sequences and legacy packages. These icons appear in Software Center when you
deploy these objects. Instead of a default icon, a custom icon can improve the user
experience to better identify the software.

For more information, see Manage task sequences and Packages and programs.

Application management

Improvements to implicit uninstall


If you deploy an application or app group to a user collection that's based on a security
group, and you enable implicit uninstall, changes to the security group are now
honored. When the site discovers the change in group membership, Configuration
Manager uninstalls the app for the user that you removed from the security group.

For more information, see implicit uninstall.

Community hub

Delete a contribution you made to Community hub


You can now delete contributions you've made to the Community hub. For more
information, see Contribute to Community hub.

Search filter list


The console now displays a list of filters you can use when searching the Community
hub. For more information, see Filter Community hub content when searching.

Configuration Manager console

Dark theme for the console


The Configuration Manager console now offers a dark theme. For more information, see
How to use the Configuration Manager console.

Improvements for sending feedback


You now have the ability to connect feedback you send to Microsoft through the Configuration Manager console to an authenticated Azure Active Directory (Azure AD) user account or Microsoft Account (MSA). User authentication will help Microsoft ensure the privacy of your feedback and diagnostic data.

The feedback button is now displayed in other console locations.

For more information, see Product feedback.


Improvements to dashboards
Dashboards, such as the Windows Servicing and Microsoft Edge Management
dashboards, now use the Microsoft Edge WebView2 Runtime. To use dashboards, install
the WebView2 console extension, then reopen the console.

For more information, see the WebView2 console extension.

Console and user experience improvements


Based on your feedback, we've made a few improvements to the console and user
experience.

When using temporary device nodes, device actions like Run Scripts are now
available to make the experience in the console consistent.
Other management insights rules now have drill-through actions.
Copy/paste is available for more objects from details panes.
The Name property is added to the details pane for configuration items,
configuration item related policies, and applications.
Software update search results and the search criteria are now cached when you
navigate to another node. When you navigate back to the All Software Updates
node, your search criteria and results are preserved from your last query.
Added a search filter to the Products and Classifications tabs in the Software
Update Point Component Properties
You can now exclude subcontainers when doing Active Directory System
Discovery and Active Directory User Discovery in untrusted domains
Added a Cloud Sync column to collections to indicate if the collection is
synchronizing with Azure Active Directory
Added the Collection ID to the collection summary details tab
Increased the size of the Membership Rules pane in the Properties page for
collections
Added a View Script option for Run PowerShell Script steps when using the View
action for a task sequence

For more information, see Console changes and tips.

Deprecated features
Learn about support changes before they're implemented in removed and deprecated
items.
The following features are deprecated. You can still use them now, but Microsoft plans
to end support in the future.

The Configuration Manager client for macOS and Mac client management. For
more information, see Supported clients: Mac computers
The site system roles for on-premises MDM and macOS clients: enrollment proxy
point and enrollment point

As previously announced, version 2203 drops support for the following features:

The ability to deploy a cloud management gateway (CMG) as a cloud service (classic). All CMG deployments should use a virtual machine scale set.

The following compliance settings for Company resource access:

Certificate profiles and the certificate registration point site system role

VPN profiles

Wi-Fi profiles

Windows Hello for Business settings

Email profiles

Co-management resource access workload

For more information, see Frequently asked questions about resource access
deprecation.

Other updates
Starting with this version, the following features are no longer pre-release:

Task sequence debugger

For more information on changes to the Windows PowerShell cmdlets for Configuration
Manager, see version 2203 release notes.

Aside from new features, this release also includes other changes such as bug fixes. For
more information, see Summary of changes in Configuration Manager current branch,
version 2203.

Next steps
As of April 26, 2022, version 2203 is globally available for all customers to install.

When you're ready to install this version, see Installing updates for Configuration
Manager and Checklist for installing update 2203.

Tip

To install a new site, use a baseline version of Configuration Manager.

Learn more about:

Installing new sites

Baseline and update versions

For known significant issues, see the Release notes.

After you update a site, also review the Post-update checklist.


What's new in version 2111 of Configuration Manager current branch
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Update 2111 for Configuration Manager current branch is available as an in-console update. Apply this update on sites that run version 2006 or later. This article summarizes the changes and new features in Configuration Manager, version 2111.

Always review the latest checklist for installing this update. For more information, see
Checklist for installing update 2111. After you update a site, also review the Post-update
checklist.

To take full advantage of new Configuration Manager features, after you update the site,
also update clients to the latest version. While new functionality appears in the
Configuration Manager console when you update the site and console, the complete
scenario isn't functional until the client version is also the latest.

Application management

Improvements to application groups

Tip

Starting with this release, app groups are no longer a pre-release feature.

This release includes the following improvements to application groups:

Now when you deploy an app group as required to a device or user collection, you
can specify that it automatically uninstalls when the resource is removed from the
collection.

More app approval behaviors are now supported with app groups.

For more information, see Create application groups.

Implicit uninstall for user collections


In Configuration Manager current branch version 2107, you can enable an application
deployment to support implicit uninstall.

Starting in this release, this behavior also applies to deployments to user collections. If a
user is in a collection, the application installs. Then when you remove the user from the
collection, the application uninstalls.

For more information, see implicit uninstall.

Software updates

Approvals for orchestration group scripts

Tip

Starting with this release, orchestration groups are no longer a pre-release feature.

Pre- and post-scripts for orchestration groups now require approval to take effect. If you select a script from a file, or author or modify your own script, approval for the script is required from another admin. When selecting an approved script from the Scripts library, no other approval is needed. To assist you with script approval, the following two tabs were added to the details pane for Orchestration Groups:

Summary: Contains information about the selected orchestration group, including the Approval State of scripts.

Scripts: Lists information about pre- and post-scripts, including the timeout, approver, and approval state for each script.

For more information, see Approvals for orchestration group scripts.

Improvements to ADR search criteria


We've added the following options in the Date Released or Revised search criteria for automatic deployment rules:

Older than 30 days

Older than 60 days

Older than 90 days

Older than 6 months

Older than 1 year

For more information, see Automatically deploy software updates.

Enable update notifications from Microsoft 365 Apps


You can now configure the end-user experience for Microsoft 365 Apps updates. This
client setting allows you to enable or disable notifications from Microsoft 365 Apps for
these updates. The new Enable update notifications from Microsoft 365 Apps option
has been added to the Software Updates group of client settings.

For more information, see About client settings in Configuration Manager.

Cloud-attached management

Simplified cloud attach configuration


We've simplified the process to cloud attach your Configuration Manager environment.
You can now choose to use a streamlined set of recommended defaults when cloud
attaching your environment. By using the recommended default settings, your eligible
devices will be cloud attached and you'll enable capabilities like rich analytics, cloud
console, and real-time device querying.

For more information, see the Overview for cloud attach and Enable cloud attach.

Improvements to cloud management gateway


Starting in this release, cloud management gateway (CMG) deployments with a virtual
machine scale set support Azure US Government cloud environments.

For more information, see CMG - Virtual machine scale sets.

Site infrastructure

Improvements to external notifications


Starting in Configuration Manager current branch version 2107, you could enable the
site to send notifications to an external system or application. This feature used a
PowerShell script to manage the status filter rules and subscriptions.

This release adds support in the Configuration Manager console to create or edit a
subscription for external notifications. It supports events for status filter rules and
application approval requests.

For more information, see External notifications.

.NET version 4.6.2 prerequisite check is an error


Configuration Manager current branch version 2107 has a warning prerequisite rule that
checks for Microsoft .NET Framework version 4.6.2. This version of .NET is required on
site servers, specific site systems, clients, and the Configuration Manager console.

Starting in this release, this prerequisite rule for .NET 4.6.2 is an error. Until you upgrade
.NET, you can't continue installing or updating the site to this version of Configuration
Manager.

For more information, see List of prerequisite checks for Configuration Manager.

Important

When the Configuration Manager client updates to version 2111 or later, client
notifications are dependent upon .NET 4.6.2 or later. Until you update .NET to
version 4.6.2 or later, and restart the device, users won't see notifications from
Configuration Manager. Other client-side functionality may be affected until the
device is updated and restarted. For more information, see More details about
Microsoft .NET.

Improvements to VPN boundary types


If you use the VPN boundary type, you can now match the start of a connection name or description instead of the whole string. Some third-party VPN drivers dynamically create the connection, which starts with a consistent string but also has a unique connection identifier, for example, "Virtual network adapter #19". When you use the Connection name or Connection description options, also use the new Starts with option.

For more information, see Define network locations as boundaries.

Status messages for console extensions


To improve the visibility and transparency of console extensions, the site now creates status messages for related events. These status messages have IDs from 54201 to 54208.

For more information, see Manage Configuration Manager console extensions.

Client management

Improvements to client health dashboard


This release includes multiple improvements to the Client health dashboard.

New actions in the ribbon:

Choose Default Collection: Set a persistent user preference

Client Status Settings: Configure the periods of time to evaluate client health

More prominent Overall client health tile

Filters condensed on a single tile

The Combined (All) and Combined (Any) scenarios are replaced by a new tile,
Clients with any failure

New tile for Health trends by scenario

For more information, see Client health dashboard.


Software Center

Software Center notifications display with logo


If you enable Software Center customizations, the logo that you specify for Windows
notifications is separate from the Software Center logo. This logo helps users to trust
these notifications. When you deploy software to a client, the user sees notifications
with your logo. For example:

For more information, see About client settings: Software Center and Plan for Software
Center.

OS deployment

Task sequence check for TPM 2.0


To help you better deploy Windows 11, the Check Readiness step in the task sequence
now includes checks for TPM 2.0.

For more information, see Task sequence steps: Check Readiness.

Improvements to the Windows servicing dashboard


We now display a Windows 11 Latest Feature Updates chart in the Windows Servicing
dashboard. The new chart makes it easier to determine how many of your Windows 11
clients are on the latest feature update. To display the dashboard, go to Software
Library > Overview > Windows Servicing.

For more information, see The Windows servicing dashboard.

Configuration Manager console

Custom properties for devices in the console


In Configuration Manager current branch version 2107, you can use the administration
service to set custom properties on devices. These custom properties let you add
external data to a device to help with deployment targeting, collection building, and
reporting.

Starting in this release, you can create and edit these custom properties in the
Configuration Manager console. This new user interface makes it easier to view and edit
these properties. You can still use the administration service interface to automate the
process from an external system.

For more information, see Custom properties for devices.

Export to CSV
You can now export the contents of a grid view in the console along with the column
headers to a comma-separated values (CSV) file that can be used to import to Excel or
other applications. While you could previously cut and paste from a grid view, exporting
to CSV makes extracting a large number of rows faster and easier.

For more information, see Configuration Manager console changes and tips.

Import console extensions wizard


There's a new wizard for importing console extensions that are managed for the
hierarchy. You no longer need to use a PowerShell script to import a signed or unsigned
console extension.

For more information, see Import Configuration Manager console extensions.

Require installation of a console extension


You can now require a console extension to be installed before the console connects to the
site. After you require an extension, it automatically installs for the local console the next
time an admin launches it.

For more information, see Manage Configuration Manager console extensions.

Send product feedback from wizard and property dialogs


Wizards and some property pages now include an icon to provide feedback. When you
select the feedback icon, the Send a smile and Send a frown options are displayed in
the drop-down menu. These additional feedback locations let you send feedback
right from your current activity. The feedback icon in the admin console's ribbon has
also been updated to the new icon.

For more information, see Product feedback for Configuration Manager.

Power BI sample reports


The following reports were recently added to the Configuration Manager Sample
Power BI Reports:

Client Status
Content Status
Microsoft Edge Management

For more information, see Install Power BI sample reports.

Console improvements
In this release we've made the following improvements to the Configuration Manager
console:

Independent Software Vendors (ISVs) can create applications that extend
Configuration Manager. They can use Configuration Manager to assign a certificate
to an ISV proxy, which enables custom communication with the management
point. To simplify the management of these ISV proxy certificates, you can now
copy a certificate's GUID in the Configuration Manager console. For more information, see ISV
proxy solutions and PKI certificates.

When you show the members of a device collection, and select a device in the list,
switch to the Collections tab in the details pane. This new view shows the list of
collections of which the selected device is a member. It makes it easier for you to
see this information. For more information about improvements to the console,
see Configuration Manager console changes and tips.

When viewing a collection, you could previously see the amount of time the site
took to evaluate the collection membership. This data is now also available in the
Monitoring workspace. When you select a collection in either subnode of the
Collection Evaluation node, the details pane displays this collection evaluation
time data. For more information about improvements to the console, see
Configuration Manager console changes and tips.

There's a new built-in device collection for Co-management Eligible Devices. The
Co-management Eligible Devices collection uses incremental updates and a daily
full update to keep the collection up to date. For more information about
improvements to the console, see Configuration Manager console changes and
tips.

Tools

Options for Support Center Data Collector and Client Tools

New command-line options have been added to the Support Center Data Collector and
Client Tools. The following options were added:

Launch as current user without elevation
Specify machine name
Disable integrated authentication
Display help

For more information, see Support Center.

Improvements to Support Center Log File Viewer and OneTrace

The Support Center Log File Viewer and OneTrace now display status messages in an
easy to read format. Entries starting with >> are status messages that are automatically
converted into a readable format when a log is opened. Search or filter on the >> string
to find status messages in the log.

For more information, see Support Center log file viewer and Support Center OneTrace.

Deprecated features
Learn about support changes before they're implemented in removed and deprecated
items.

The following features are deprecated. You can still use them now, but Microsoft plans
to end support in the future.

Managing apps from the Microsoft Store for Business and Education with
Configuration Manager

Asset intelligence
On-premises MDM

For more information, see Removed and deprecated features for Configuration
Manager.

As previously announced, version 2111 drops support for the following features:

Third-party add-ons that use Microsoft .NET Framework version 4.6.1 or earlier,
and rely on Configuration Manager libraries. Such add-ons need to use .NET 4.6.2
or later. For more information, see External dependencies require .NET 4.6.2.

Other updates
Starting with this version, the following features are no longer pre-release:

Application groups
Orchestration groups

Similarly, the Microsoft Connected Cache in Configuration Manager is now generally
available for production use.

For more information on changes to the Windows PowerShell cmdlets for Configuration
Manager, see version 2111 release notes.

Aside from new features, this release also includes other changes such as bug fixes. For
more information, see Summary of changes in Configuration Manager current branch,
version 2111.

Next steps
As of December 15, 2021, version 2111 is globally available for all customers to install.

When you're ready to install this version, see Installing updates for Configuration
Manager and Checklist for installing update 2111.

Tip

To install a new site, use a baseline version of Configuration Manager.

Learn more about:

Installing new sites


Baseline and update versions
For known significant issues, see the Release notes.

After you update a site, also review the Post-update checklist.


What's changed from System Center
2012 Configuration Manager
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

The current branch of Configuration Manager introduces important changes from
System Center 2012 Configuration Manager. This article identifies significant changes
and new capabilities found in the original baseline version 1511 of Configuration
Manager current branch. To learn about changes introduced in recent updates for
Configuration Manager, see What's new in Configuration Manager incremental versions.

Note

Since October 2019, Configuration Manager is part of the Microsoft Intune family of
products. For more information, see Microsoft Configuration Manager FAQ.

The December 2015 release (version 1511) of Configuration Manager was the initial
release of the current Configuration Manager product from Microsoft. It's typically
referred to as Configuration Manager current branch. Current branch indicates this
version supports incremental updates to the product. It also provides a way to
distinguish between this release and previous releases of Configuration Manager.

Configuration Manager current branch:

Doesn't use a year or product identifier in the product name, unlike past versions
such as Configuration Manager 2007 or System Center 2012 Configuration
Manager.

Supports incremental, in-product updates, also called update versions. The initial
release was version 1511. Later versions are released several times a year as in-
console updates, like version 1910.

Is installed using a baseline version. While 1511 was the original baseline version,
new baseline versions are also released from time to time, like 2203. Baseline
versions can be used to install a new Configuration Manager site and hierarchy, or
to upgrade from a supported version of System Center 2012 Configuration
Manager.

In-console updates
Configuration Manager uses an in-console service method called Updates and
Servicing that makes it easy to locate and install recommended updates.

Some versions are only available as updates for existing sites from within the
Configuration Manager console. You can't use these updates to install a new
Configuration Manager site. For example, the 2111 update is only available from within
the Configuration Manager console. It's used to update a site that already runs a
supported version of Configuration Manager.

Periodically, an update version is also released as a new baseline version. For example,
update version 2203 is also a baseline. Use a baseline version to install a new site or
hierarchy. Don't start with an older baseline version like 2111, and upgrade your way to
the most current version. Always use the latest baseline.

For more information, see the following articles:

Updates for Configuration Manager


Baseline and update versions

Service connection point


Configuration Manager current branch includes a new site system role, the service
connection point:

A point of contact for many cloud-enabled features

Downloads updates for your site

Uploads diagnostics and usage data about your site to the Microsoft cloud

This site system role supports both online and offline modes of operation. For more
information, see About the service connection point.

Diagnostics and usage data


Configuration Manager collects diagnostics and usage data about your sites and
infrastructure. This information is compiled and submitted to the Microsoft cloud service
by the service connection point. Configuration Manager requires this data to download
updates that are applicable for your environment. When you set up the service
connection point, you can specify both the level of data that it collects and whether it
submits the data automatically (online) or manually (offline).

For more information, see Diagnostics and usage data.


Deprecated functionality
Some features, like native support for Intel Active Management Technology (AMT)
based computers, are removed from the Configuration Manager console. Other
features, like Network Access Protection, are removed entirely. Additionally, some older
Microsoft products like Windows Vista, Windows Server 2008, and SQL Server 2008 are
no longer supported.

For a list of deprecated features, see Removed and deprecated items.

For details about supported products, operating systems, and configurations, see
Supported configurations.

Support for Intel Active Management Technology (AMT)


Configuration Manager current branch removes native support for AMT-based
computers from within the Configuration Manager console. AMT-based computers
remain fully managed when you use the Intel SCS Add-on for Microsoft Configuration
Manager. The add-on gives you access to the latest capabilities to manage AMT,
without the limitations that previously applied until Configuration Manager could incorporate
those changes.

The removal of integrated AMT from Configuration Manager includes out-of-band
management. The out-of-band management point site system role is no longer
available.

Note

This change doesn't affect out-of-band management in System Center 2012
Configuration Manager.

Changes in functionality
The following sections summarize some of the significant changes in feature areas
between System Center 2012 R2 Configuration Manager and version 1511 of
Configuration Manager current branch. For more information on more recent changes
in functionality, see What's new in incremental versions.

Client deployment
Configuration Manager introduces a new feature for testing new versions of the
Configuration Manager client before upgrading the rest of the site with the new software.
You can set up a pre-production collection in which to pilot a new client. Once you're
satisfied with the new client software in pre-production, you can promote the client to
automatically upgrade the rest of the site with the new version.

For more information on how to test clients, see How to test client upgrades in a pre-
production collection.

OS deployment
Be aware of the following changes to OS deployment:

In the Create Task Sequence Wizard, a new task sequence type is available:
Upgrade an operating system from upgrade package. It creates the steps to
upgrade computers from an earlier version of Windows to Windows 10 or later. For
more information, see Upgrade Windows to the latest version.

Windows PE peer cache is now available when you deploy operating systems.
Computers that run a task sequence to deploy an OS can use Windows PE peer
cache to obtain content from a peer cache source, instead of downloading content
from a distribution point. This behavior helps minimize WAN traffic in branch office
scenarios where there's no local distribution point. For more information, see
Prepare Windows PE peer cache to reduce WAN traffic.

You can now view the state of Windows as a service in your environment. You can
also create servicing plans to form deployment rings, and make sure that Windows
10 or later computers are kept up to date when new builds are released.
Additionally, you can view alerts when Windows clients are near the end of support
for their build. For more information, see Manage Windows as a service.

Application management
Be aware of the following changes to application management:

Configuration Manager lets you deploy Universal Windows Platform (UWP) apps
for devices running Windows 10 and later. For more information, see Creating
Windows applications.

Software Center has a new, modern look. User-available apps that previously only
appeared in the application catalog now appear in Software Center under the
Applications tab. This behavior makes these deployments more discoverable, and
makes it unnecessary for users to refer to the separate application catalog.
Additionally, a Silverlight-enabled browser is no longer required. For more
information, see Plan for and configure application management.

The new Windows Installer through MDM application type lets you create and
deploy Windows Installer-based apps to enrolled PCs that run Windows 10 or later.
For more information, see Creating Windows applications.

In Configuration Manager 2012, to specify a link to an app in the Windows Store,
you could either specify the link directly, or browse to a remote computer that had
the app installed. In Configuration Manager current branch, you can still enter the
link directly, but now, instead of browsing to a reference computer, you can
browse the store for the app directly from the Configuration Manager console.

Software updates
Be aware of the following changes to software updates:

Configuration Manager can now detect the difference between software update
management methods for computers. Specifically, it can differentiate between a
Windows computer that connects to Windows Update for Business (WUfB), and a
computer connected to WSUS. The UseWUServer attribute is new, and specifies
whether the computer is managed with WUfB. You can use this setting in a
collection to remove these computers from software update management. For
more information, see Integration with Windows Update for Business.

You can now schedule and run the WSUS clean-up task from the Configuration
Manager console. In Software Update Point Component properties, when you
select to run the WSUS clean-up task, it runs at the next software updates
synchronization. The expired software updates are set to a status of declined on
the WSUS server, and the Windows Update Agent on computers no longer scans
these software updates. For more information, see Schedule and run the WSUS
clean up task.
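As an added example (not from the Configuration Manager documentation or the product's own scripts), the following PowerShell builds the collection the first bullet above describes: devices whose Windows Update agent is not pointed at a WSUS server, so that ConfigMgr software update deployments can exclude them. The hardware inventory class name SMS_G_System_WINDOWSUPDATE and the attribute UseWUServer follow the Integration with Windows Update for Business article; the site code and collection names are placeholders. UseWUServer is the Windows Update policy value: 1 means the agent uses the configured WSUS server, 0 (or unset) means it scans against Windows Update, which is where Windows Update for Business applies.

```powershell
# Added example, not from the Configuration Manager documentation.
# Requires the console's PowerShell module; SMS_ADMIN_UI_PATH is set by the console installer.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'   # site drive; replace PS1 with your site code

# WQL for the membership rule. The class/attribute names are assumed from the WUfB
# integration article; verify them in Hardware Inventory classes before use.
$wql = @'
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_WINDOWSUPDATE
  on SMS_G_System_WINDOWSUPDATE.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_WINDOWSUPDATE.UseWUServer = 0
'@

# Daily full evaluation plus incremental updates, matching how the built-in
# collections in this release keep themselves current.
$schedule = New-CMSchedule -Start (Get-Date) -RecurInterval Days -RecurCount 1
$coll = New-CMDeviceCollection -Name 'WUfB managed - exclude from SUM' `
    -LimitingCollectionName 'All Desktop and Server Clients' `
    -RefreshType Both -RefreshSchedule $schedule

Add-CMDeviceCollectionQueryMembershipRule -CollectionId $coll.CollectionID `
    -RuleName 'UseWUServer = 0' -QueryExpression $wql

# Exclude it from the collection you deploy software updates to, so ConfigMgr and
# WUfB don't both manage updates on the same devices.
Add-CMDeviceCollectionExcludeMembershipRule -CollectionName 'SUM - Workstations' `
    -ExcludeCollectionName $coll.Name
```

Before trusting the collection, spot-check a few members against the registry value HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer on the device; the inventory value lags the policy by one hardware inventory cycle.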

Compliance settings
Be aware of the following changes to compliance settings:

Configuration Manager improves the workflow for creating configuration items.
Now, when you create a configuration item and select supported platforms, only
the settings relevant to that platform are available. See Get started with
compliance settings.

The Create Configuration Item wizard now makes it easier to choose the
configuration item type you want to create. Additionally, new and updated
configuration items are available for:

Windows 10 or later devices managed with the Configuration Manager client
Mac OS X devices managed with the Configuration Manager client
Windows desktop and server computers managed with the Configuration Manager client
Windows 8.1 and Windows 10 or later devices managed without the Configuration Manager client

For more information, see How to create configuration items.

Support for managing settings on Mac OS X computers that are managed without
the Configuration Manager client.

On-premises mobile device management


You can now manage mobile devices by using on-premises Configuration Manager
infrastructure. All device and management data is handled on-premises and isn't part
of Microsoft Intune or other cloud services. This type of device management doesn't
require client software. Configuration Manager manages devices with functionality that's
built into the device OS.

For more information, see Manage mobile devices with on-premises infrastructure.

Next steps
What's new in incremental versions
Removed and deprecated items for
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article describes how to use the information about features, products, and
operating systems that are removed from support for Configuration Manager. Items
that are deprecated will be removed in a future update. These articles provide early
notice about future changes that might affect your use of Configuration Manager.

This information is subject to change with future releases, and might not include each
deprecated feature, product, or OS.

How to use this information


When a feature, product, or OS is first listed as deprecated, support for using it with
Configuration Manager is scheduled to be removed in a future update. This information
is provided to help you plan for alternatives to using that feature, product, or OS. When
the first version of Configuration Manager releases in which that support is removed,
this article is updated to indicate that specific version.

Note

Unless noted otherwise, a feature, product, or OS that's deprecated in
Configuration Manager typically continues to be fully supported, available, and
usable.

When support is removed for a feature or OS, the feature or OS remains supported
when you use a previous version of Configuration Manager, as long as that version of
Configuration Manager remains in support. However, when you use a version of
Configuration Manager released after the date or version indicated, that version of
Configuration Manager doesn't provide support.

For example, if a feature was scheduled to have its support removed with the first
update released after September 2019, support for that feature would no longer be
included in update 1910, which released in November of 2019:

With update 1910, the feature is no longer supported.
The article is updated to indicate support was removed with version 1910.

However, if you continue to use an earlier version that supports the feature, like version
1906, you can continue to use that feature until the version you use drops out of
support.

See also
Microsoft Support Lifecycle

Support for current branch versions of Configuration Manager

Next steps
Items that are removed or deprecated are split into three categories:

Removed and deprecated features

Removed and deprecated items for site servers

Removed and deprecated items for clients


Removed and deprecated features for
Configuration Manager
Article • 07/03/2023

Applies to: Configuration Manager (current branch)

This article lists the features that are deprecated or removed from support for
Configuration Manager. Deprecated features will be removed in a future update. These
future changes might affect your use of Configuration Manager.

This information is subject to change with future releases. It might not include each
deprecated Configuration Manager feature.

Deprecated features
The following features are deprecated. You can still use them now, but Microsoft plans
to end support in the future.

Feature | Deprecation first announced | Planned end of support
Community hub service and integration with ConfigMgr | October 2022 | The first release after March 1, 2023
Windows Information Protection | July 2022 | TBD
Upgrade from any version of System Center 2012 Configuration Manager to current branch. For more information, see Upgrade to Configuration Manager current branch. | April 2022 | Version 2303
The Configuration Manager client for macOS and Mac client management. For more information, see Supported clients: Mac computers. Migrate management of macOS devices to Microsoft Intune. For more information, see Deployment guide: Manage macOS devices in Microsoft Intune. | January 2022 | December 31, 2022
The site system roles for on-premises MDM and macOS clients: enrollment proxy point and enrollment point. | January 2022 | December 31, 2022
The Microsoft Store for Business and Education. For more information, see Manage apps from the Microsoft Store for Business and Education with Configuration Manager. | November 2021 | The first release after March 1, 2023
Asset intelligence. For more information, see Asset intelligence deprecation. | November 2021 | The first release after November 1, 2022
On-premises MDM. For more information, see On-premises MDM in Configuration Manager. | November 2021 | The first release after November 1, 2022
Azure Active Directory (Azure AD) Graph API and Azure AD Authentication Library (ADAL), which Configuration Manager uses for some cloud-attached scenarios. If you use cloud-attached features such as co-management, tenant attach, or Azure AD discovery, starting June 30, 2022, these features may not work correctly in Configuration Manager version 2107 or earlier. Stay current with Configuration Manager to make sure these features continue to work. For more information, see CMG FAQ. | July 2021 | June 30, 2022
The BitLocker management implementation for the recovery service has changed. The legacy MBAM-based service is replaced by the message processing engine on the management point. | March 2021 | The first release after May 2022
Older style of console extensions that haven't been approved in the Console Extension node will no longer be supported. For more information about new console extensions, see Manage console extensions. | April 2021 | TBD (see Note 1)
Sites that allow HTTP client communication. Configure the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP. | March 2021 | The first release after November 1, 2022
The geographical view in the Site Hierarchy node of the Monitoring workspace in the Configuration Manager console. | August 2020 | The first release after October 2023
The implementation for sharing content from Azure has changed. Use a content-enabled cloud management gateway. Starting in version 2107, you can't create a traditional cloud distribution point. | February 2019 | The first release after October 5, 2022
Cloud management gateway and cloud distribution point deployments with Azure Service Manager using a management certificate. For more information, see Plan for CMG. | November 2018 | The first release after October 5, 2022

Note 1: Support removed TBD

The specific timeframe is to be determined (TBD). Microsoft recommends that you
change to the new process or feature, but you can continue to use the deprecated
process or feature for the near future.

Unsupported and removed features


The following features are no longer supported. In some cases, they're no longer in the
product.

Feature | Deprecation first announced | Support removed
Desktop Analytics. For more information, see Windows compatibility reports in Intune. | November 2021 | November 30, 2022
The ability to deploy a cloud management gateway (CMG) as a cloud service (classic). All CMG deployments should use a virtual machine scale set. | September 2021 | Version 2203
The following compliance settings for Company resource access: certificate profiles, VPN profiles, Wi-Fi profiles, Windows Hello for Business settings, and email profiles. This deprecation includes the co-management resource access workload. Use Microsoft Intune to deploy resource access profiles. For more information, see Frequently asked questions about resource access deprecation. | March 2021 | Version 2203
Desktop Analytics data for Windows 7, Windows 8, and earlier versions of Windows 10 that don't support the Windows diagnostic data processor configuration. | July 2021 | January 31, 2022
Third-party add-ons that use Microsoft .NET Framework version 4.6.1 or earlier, and rely on Configuration Manager libraries. Such add-ons need to use .NET 4.6.2 or later. For more information, see External dependencies require .NET 4.6.2. | September 2021 | Version 2111
Log Analytics connector for Azure Monitor. This feature is called the OMS Connector in the Azure Services node. | November 2020 | Version 2107
Microsoft Edge legacy browser profiles. For more information, see New Microsoft Edge to replace Microsoft Edge Legacy with April's Windows 10 Update Tuesday release. | March 2021 | April 2021
The collection evaluation viewer, which was integrated in version 2010. | November 2020 | Version 2103
Desktop Analytics tile and page for Security Updates. | December 2020 | March 2021
Desktop Analytics option to View recent data for device enrollment and security updates. For more information, see Data latency. | May 2020 | July 2020
Windows Analytics and Upgrade Readiness integration. For more information, see KB 4521815: Windows Analytics retirement on January 31, 2020. | October 14, 2019 | January 31, 2020
Device health attestation assessment for conditional access compliance policies. For more information, see What happened to hybrid MDM. | July 3, 2019 | Version 1910
The Configuration Manager Company Portal app. | May 21, 2019 | Version 1910
The application catalog, including both site system roles: the application catalog website point and web service point. For more information, see Remove the application catalog. | May 21, 2019 | Version 1910
Certificate-based authentication with Windows Hello for Business settings in Configuration Manager. For more information, see Windows Hello for Business settings. | December 2017 | Version 1910
System Center Endpoint Protection for Mac and Linux. For more information, see End of support blog post. | October 2018 | December 31, 2018
On-premises conditional access. For more information, see What happened to hybrid MDM. | January 30, 2019 | September 1, 2019
Hybrid mobile device management (MDM). For more information, see What happened to hybrid MDM. Starting with the 1902 Intune service release, expected at the end of February 2019, new customers can't create a new hybrid connection. | August 14, 2018 | September 1, 2019
Security Content Automation Protocol (SCAP) extensions. | September 2018 | Version 1810
The Silverlight user experience for the application catalog website point is no longer supported. Users should use the new Software Center. For more information, see Configure Software Center. | August 11, 2017 | Version 1806
The previous version of Software Center. For more information about the new Software Center, see Plan for and configure application management. | December 13, 2016 | Version 1802
Management of Virtual Hard Disks (VHDs) with Configuration Manager. This deprecation includes removal of options to create a new VHD or manage a VHD using a task sequence, and the removal of the Virtual Hard Disks node from the Configuration Manager console. Existing VHDs are not deleted, but are no longer accessible from within the Configuration Manager console. | January 6, 2017 | Version 1710
Task sequences: Convert Disk to Dynamic; Install Deployment Tools. | November 18, 2016 | Version 1710
Upgrade Assessment Tool. The Upgrade Assessment Tool depends on both Configuration Manager and the Application Compatibility Toolkit (ACT) 6.x. The final version of ACT was shipped in the Windows 10 v1511 ADK. As there are no further updates to ACT, support for the Upgrade Assessment Tool is discontinued. A deprecation notice was added to the download page for UAT on September 12, 2016. | September 12, 2016 | July 11, 2017
Software update points with a network load balancing (NLB) cluster. | February 27, 2016 | Version 1702
Task sequences: OSDPreserveDriveLetter. During an operating system deployment, by default, Windows Setup now determines the best drive letter to use (typically C:). If you want to specify a different drive to use, you can change the location in the Apply Operating System task sequence step. Go to the Select the location where you want to apply this operating system setting. Select Specific logical drive letter and choose the drive that you want to use. | June 20, 2016 | Version 1606
Network Access Protection (NAP), as found in System Center 2012 Configuration Manager. | July 10, 2015 | Version 1511
Out of Band Management, as found in System Center 2012 Configuration Manager. | October 16, 2015 | Version 1511
System Center Configuration Manager Management Pack for System Center Operations Manager is not available for download. | October 16, 2015 | Version 1511

WINS
Windows Internet Name Service (WINS) is a legacy computer name registration and
resolution service. It's a deprecated service. You should replace WINS with Domain
Name System (DNS). For more information, see Windows Internet Name Service (WINS).
Out of Band Management
With Configuration Manager, native support for AMT-based computers from within the
Configuration Manager console has been removed.

AMT-based computers remain fully managed when you use the Intel SCS Add-on
for Configuration Manager. The add-on provides you access to the latest
capabilities to manage AMT, while removing limitations introduced until
Configuration Manager could incorporate those changes.

Out of Band Management in System Center 2012 Configuration Manager is not
affected by this change.

Network Access Protection


Configuration Manager has removed support for Network Access Protection. The
feature has been deprecated in Windows Server 2012 R2, and is removed from Windows
10.

For network access protection alternatives, see the Deprecated functionality section of
Network Policy and Access Services Overview.

See also
Removed and deprecated
Microsoft Support Lifecycle
Support for current branch versions of Configuration Manager
Removed and deprecated for
Configuration Manager site servers
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article describes products and operating systems that are removed from support for
Configuration Manager site servers, or will be removed in a future update (deprecated).
It provides early notice about future changes that might affect your use of Configuration
Manager.

This information may change in the future. It might not include each deprecated feature,
product, or OS.

Server OS
Operating system | Deprecation first announced | Support removed
Windows Server 2008 R2 with SP1 | July 2015 | Version 1702
Windows Server 2008 with SP2 | July 2015 | Version 1511

SQL Server
SQL Server version | Deprecation first announced | Support removed
SQL Server 2012 | July 2021 | The first release after July 1, 2022
SQL Server 2008 R2 | July 2015 | Version 1702
SQL Server 2008 | July 2015 | Version 1511

If you need to upgrade your version of SQL Server, we recommend the following
methods, from easiest to most complex:

1. Upgrade SQL Server in-place (recommended).

2. Install a new version of SQL Server on a new computer. Then to point your site
server at the new SQL Server, use the database move option of Configuration
Manager setup.

3. Use backup and recovery.


Note

Make sure to also upgrade versions of SQL Server Express at secondary sites.

Next steps
For more information, see the following articles:

Removed and deprecated

Microsoft Support Lifecycle

Support for current branch versions of Configuration Manager


Removed and deprecated items for
Configuration Manager clients
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article describes products and operating systems that are removed from support for
Configuration Manager clients, or will be removed in a future update (deprecated). It
provides early notice about future changes that might affect your use of Configuration
Manager.

This information may change in the future. It might not include each deprecated feature,
product, or operating system.

Deprecated client operating systems


Unless noted otherwise, each supported OS is supported as a Configuration Manager
client until the extended support end date of that OS version. For more information
about extended support end dates, see the Microsoft Support Lifecycle. If
Configuration Manager support for an OS ends before the extended support end date,
this article lists a deprecation date and support removal date for that OS.

The following OS versions are deprecated as a Configuration Manager client. You can
still use them now, but Microsoft plans to end support in the future.

| OS version | Deprecation first announced | Support removed |
|---|---|---|
| macOS (all versions) | January 2022 | December 31, 2022 |

Unsupported client operating systems


The following OS versions are no longer supported.

| OS version | Deprecation first announced | Support removed |
|---|---|---|
| Windows CE 7.0 | July 19, 2019 | Version 2006 |
| Windows 10 Mobile | July 19, 2019 | Version 2006 |
| Windows 10 Mobile Enterprise | July 19, 2019 | Version 2006 |
| Windows 7 | January 14, 2020 | |
| Windows Server 2008 | January 14, 2020 | |
| Windows Server 2008 R2 | January 14, 2020 | |
| Linux and UNIX | March 22, 2018 | Version 1902 |
| Windows 8: Professional, Enterprise | January 12, 2016 | Version 1802 |
| Windows Embedded 8 Pro | January 12, 2016 | Version 1802 |
| Windows Embedded 8 Industry | January 12, 2016 | Version 1802 |
| Windows XP Embedded (includes all XP-based embedded operating systems) | July 10, 2015 | Version 1702 |
| Windows Vista | July 10, 2015 | Version 1511 |
| Windows Server 2003 R2 | July 10, 2015 | Version 1511 |
| Windows Server 2003 | July 10, 2015 | Version 1511 |
| Windows XP | July 10, 2015 | Version 1511 |
| macOS X 10.6 - 10.8 | July 10, 2015 | Version 1511 |
| Windows Mobile 6.0 - 6.5 | July 10, 2015 | Version 1511 |
| Nokia Symbian Belle | July 10, 2015 | Version 1511 |
| Windows CE 5.0 - 6.0 | July 10, 2015 | Version 1511 |

See also
For more information, see the following articles:

Supported OS versions for clients and devices

Microsoft Support Lifecycle

Support for current branch versions of Configuration Manager


Supported configurations for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

As an on-premises solution, Configuration Manager makes use of your servers, clients,
network configurations, and other products like Microsoft Intune, SQL Server, and Azure.

This information can help you identify key configurations, requirements, and limitations.
Use it to plan, deploy, and maintain a functional Configuration Manager deployment.
This information is specific to the infrastructure for Configuration Manager sites,
hierarchies, and managed devices.

When a Configuration Manager feature or capability requires more specific
configurations, see the feature-specific documentation. It's supplemental to the more
general configuration details.

The products and technologies described in these articles are supported by
Configuration Manager. However, their inclusion in this content doesn't imply an
extension of support for any product beyond that product's individual support lifecycle.
Products that are beyond their support lifecycle aren't supported for use with
Configuration Manager. This statement includes any products that are covered under
the Extended Security Updates (ESU) program. For more information about Extended
Security Updates in Configuration Manager, see Supported OS versions for clients and
devices for Configuration Manager.

Note

For more general information, see the Microsoft Support Lifecycle.

Products and product versions that aren't listed in these articles aren't supported with
Configuration Manager unless they're announced on the Configuration Manager blog.
The content on this blog may precede an update to this documentation.

Site and site system prerequisites: Learn about required configurations on a
Windows Server to support different site types and site system roles.

Supported operating systems for site system servers: Learn about which operating
systems you can use as a site server or site system server.
Supported operating systems for clients and devices: Learn about which operating
systems you can manage with Configuration Manager. These include Windows,
Windows Embedded, macOS, and mobile devices.

Support for Windows 11 and Support for Windows 10: Learn about the Windows
11 and Windows 10 versions that are supported as clients.

Support for the Windows ADK: Learn about the Windows Assessment and
Deployment Kit (Windows ADK) version that are supported with Configuration
Manager current branch for OS deployment.

Supported operating systems for the console: Learn about which operating
systems can host the Configuration Manager console.

Support for SQL Server versions: Learn about which versions of SQL Server can
host the site database and reporting database. It also includes required and
optional configurations that you can use with SQL Server.

High-availability options: Learn about the options you can implement when
designing your environment to help maintain a high level of available service for
Configuration Manager.

Support for Active Directory domains: Learn about the supported Active Directory
domain configurations that Configuration Manager requires and supports.

Support for Windows features and networks: Learn about supported Windows
technologies and limitations for use with Configuration Manager. For example,
Windows BranchCache and data deduplication.

Support for virtualization environments: Learn more about how to use supported
virtual machine technologies.

FAQ for Configuration Manager on Azure: Answers to common questions about
using Configuration Manager on an Azure environment.

Use the following articles to understand Configuration Manager size, scale, and
performance:

Size and scale numbers: Learn about how many sites, roles per site, and clients are
supported in different hierarchy designs.

Recommended hardware: Learn about guidelines that can help you identify the
right hardware and configurations to host your Configuration Manager sites and
key services.
Site size and performance guidelines: Site size-related performance test results,
methodology, and guidance.

Site size and performance FAQ: Answers to common Configuration Manager
questions about site sizing and performance.


Site and site system prerequisites for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Windows-based computers require specific configurations to support their use as
Configuration Manager site system servers.

For some products, like Windows Server Update Services (WSUS) for the software
update point, you need to refer to the product documentation to identify additional
prerequisites and limitations for use. Only configurations that directly apply for use with
Configuration Manager are included here.

General requirements and limitations


The following requirements apply to all site system servers:

Each site system server must use a 64-bit OS. The only exception is the distribution
point site system role, which you can install on some 32-bit operating systems.

Site systems aren't supported on Server Core installations of any OS. An exception
is that Server Core installations are supported for the distribution point. For more
information, see Supported operating systems for Configuration Manager site
system servers.

After a site system server is installed, it's not supported to change:

The domain name of the domain where the site system computer is located
(also called a domain rename).

The domain membership of the computer.

The name of the computer.

If you must change any of these items, first remove the site system role from
the computer. Then reinstall the role after the change is complete. For changes
affecting the site server, first uninstall the site. Then reinstall the site after the
change is complete.

Site system roles aren't supported on an instance of a Windows Server cluster. The
only exception is the site database server. For more information, see Use a SQL
Server Always On failover cluster instance for the site database.

The Configuration Manager setup process doesn't block installation of the site
server role on a computer with the Windows role for Failover Clustering. SQL
Server Always On availability groups require this role, so previously you couldn't
colocate the site database on the site server. With this change, you can create a
highly available site with fewer servers by using an availability group and a site
server in passive mode. For more information, see High availability options.

It's not supported to change the startup type or "Log on as" settings for any
Configuration Manager service. If you do, you might prevent key services from
running correctly.
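The two requirements above (no changes to a site system's name or domain membership, and no changes to the startup type or "Log on as" settings of any Configuration Manager service) are easy to violate by accident during routine hardening. The following PowerShell is an added example, not part of the documentation or of the product's own prerequisite checker: it snapshots the startup type and logon account of the site's services right after installation and later reports any drift. The baseline path and the service-name prefixes are assumptions; adjust them for your site.

```powershell
# Added example (not Configuration Manager tooling): detect unsupported changes to the
# startup type or logon account of the site's Windows services by comparing against a
# baseline snapshot taken when the site system was known good.
$SnapshotPath = 'C:\CMBaseline\services.json'   # assumed location for the baseline

function Get-CMServiceState {
    # Assumption: the site's services are the ones named SMS_* and CONFIGURATION_MANAGER_*
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like 'SMS_*' -or $_.Name -like 'CONFIGURATION_MANAGER_*' } |
        Select-Object Name, StartMode, StartName, State |
        Sort-Object Name
}

function Save-CMServiceBaseline {
    param([string]$Path = $SnapshotPath)
    New-Item -ItemType Directory -Path (Split-Path -Path $Path) -Force | Out-Null
    Get-CMServiceState | ConvertTo-Json | Set-Content -Path $Path
}

function Compare-CMServiceBaseline {
    param([string]$Path = $SnapshotPath)
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $current  = Get-CMServiceState
    foreach ($b in $baseline) {
        $c = $current | Where-Object { $_.Name -eq $b.Name }
        if (-not $c) {
            [pscustomobject]@{ Service = $b.Name; Property = '(service)'; Baseline = 'present'; Current = 'absent' }
            continue
        }
        # Only StartMode and StartName are compared: those are the settings the text says not to change.
        foreach ($prop in 'StartMode', 'StartName') {
            if ($c.$prop -ne $b.$prop) {
                [pscustomobject]@{ Service = $b.Name; Property = $prop; Baseline = $b.$prop; Current = $c.$prop }
            }
        }
    }
}

# Usage: run Save-CMServiceBaseline once after the site or role is installed, then run
# Compare-CMServiceBaseline on a schedule; an empty result means nothing drifted.
```

Run the comparison from a scheduled task or a configuration baseline; any row it returns is a setting the text above says is unsupported and should be reverted rather than worked around.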

.NET version requirements


Starting in version 2107, site servers and specific site systems require Microsoft .NET
Framework version 4.6.2. Before you run setup to install or update the site, first update
.NET and restart the system. If possible in your environment, install the latest version of
.NET version 4.8.

Note

.NET Framework version 4.6.2 is preinstalled with Windows Server 2016. Later
versions of Windows are preinstalled with a later version of the .NET Framework.

.NET Framework version 4.8 isn't supported on some OS versions.

For more information, see .NET Framework system requirements.

Site server
If the site server doesn't have any collocated roles that require .NET, it still requires .NET,
but setup doesn't automatically install it. Make sure the site server itself has at least .NET
version 4.6.2. If possible, install .NET 4.8.

Site systems

Important

If you're upgrading from System Center 2012 Configuration Manager R2 Service
Pack 1, you need to manually verify that remote site systems have at least .NET
version 4.6.2. Configuration Manager current branch setup skips the check in this
scenario.

During Configuration Manager setup, if site systems have a version earlier than 4.6.2,
you'll see a prerequisite check warning. This check is a warning instead of an error,
because setup will install version 4.6.2. When .NET updates, it usually requires Windows
to restart. Site systems will send status message 4979 when a restart is required.
Configuration Manager suppresses the restart; the system doesn't restart automatically.

The behavior will differ for different types of site roles that require .NET:

The following site system roles support in-place upgrade of .NET. After upgrading
.NET, if a restart is required, it sends status message 4979. The role keeps running
with the earlier .NET version. After Windows restarts, the role starts using the new
.NET version.
Asset Intelligence synchronization point
Management point
Service connection point
Data warehouse service point

The following site systems roles uninstall and reinstall when .NET is upgraded.
During site update, site component manager removes the role, and then updates
.NET. If a restart is required, it sends status message 4979. After restart, site
component manager reinstalls the role with the new .NET version. The role could
be unavailable while it waits for you to restart the server.
SMS Provider for the administration service
Certificate registration point
Enrollment point
Enrollment proxy point
Reporting services point
Software update point

Note

Currently, you still need to enable the Windows feature for .NET Framework 3.5 on
site systems that require it.

If site systems have at least version 4.6.2 but earlier than version 4.8, you'll also see a
prerequisite check warning. We recommend that you install the latest version of .NET
version 4.8 to get the latest performance and security improvements. Configuration
Manager setup doesn't automatically install .NET version 4.8. A later version of
Configuration Manager will require .NET version 4.8.

There's also a new management insight to recommend site systems that don't yet have
.NET version 4.8 or later.

Managing system restarts for .NET updates


Whether you update .NET before updating the site, or setup updates it, .NET may
require a restart to complete its installation. After .NET Framework is installed, it may
require other updates. These updates may also require the server to restart.

If you need to manage the device restarts before you update the site, use the following
recommended process:

1. Install the latest baseline .NET version. For example, install .NET version 4.8.
2. Restart the server.
3. Scan for software updates and install the latest .NET cumulative update.
4. Restart the server.
5. Update the site to the latest current branch version.
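The procedure above hinges on two facts about each site system: which .NET Framework 4.x build is installed, and whether a restart is still pending from a .NET or cumulative update. The following PowerShell is an added example, not from the documentation, that reports both. It uses the .NET Framework 4.x `Release` registry markers (394802 is the first 4.6.2 build and 528040 the first 4.8 build) and the three registry locations Windows uses to record a pending restart; run it on each site system before you update the site.

```powershell
# Added example (not from the Configuration Manager docs): report the installed .NET
# Framework 4.x build against the 4.6.2 minimum and 4.8 recommendation, and whether a
# restart is still pending, on the server where it runs.
$MinRelease462 = 394802   # first 4.6.2 Release value
$MinRelease48  = 528040   # first 4.8 Release value

function Get-NetFrameworkRelease {
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
}

function Test-PendingRestart {
    # Markers left by component servicing, Windows Update, and file-rename operations
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $pfr = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
               -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    [bool]($cbs -or $wu -or ($null -ne $pfr))
}

function Get-NetReadiness {
    $release = Get-NetFrameworkRelease
    $state = if (-not $release -or $release -lt $MinRelease462) {
                 'BLOCKING: below 4.6.2 (setup will install 4.6.2 and may need a restart)'
             } elseif ($release -lt $MinRelease48) {
                 'WARNING: 4.6.2 or later but below 4.8 (prerequisite check warning)'
             } else {
                 'OK: 4.8 or later'
             }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Release        = $release
        NetState       = $state
        PendingRestart = Test-PendingRestart
    }
}

Get-NetReadiness | Format-List
```

If `PendingRestart` is true after step 1 or step 3, restart before continuing; a site system that still has a pending .NET restart is the case where the roles listed earlier either keep running on the old runtime or stay uninstalled until you restart.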

Central administration site and primary site servers

For more information on all prerequisites including permissions, see Prerequisites for
installing a primary site or a CAS. The following sections detail the prerequisite
components that you need to install or enable.

Windows Server roles and features for the site server


.NET Framework 3.5

Remote Differential Compression

When you use a software update point on a server other than the site server, install
the WSUS Administration Console on the site server.

.NET Framework for the site server


Enable the Windows feature for .NET Framework 3.5.
Install a supported version of the .NET Framework. For more information, see .NET
version requirements.

Windows ADK for the site server


Before you install or upgrade a central administration site or primary site, install
the version of the Windows Assessment and Deployment Kit (ADK) that's required
by the version of Configuration Manager you're installing or upgrading to. For
more information, see Support for the Windows ADK.

For more information about this requirement, see Infrastructure requirements for
OS deployment.

Visual C++ Redistributable for the site server


Starting in version 2107, Configuration Manager installs the Microsoft Visual C++
2015-2019 redistributable package (14.28.29914.0) on each computer that installs
a site server. In version 2103 and earlier, it installs the Visual C++ 2013 version
(12.0.40660.0).

The CAS and primary sites require both the x86 and x64 versions of the applicable
redistributable file.

SQL Server Native Client for the site server


When you install a new site, Configuration Manager automatically installs SQL Server
Native Client as a redistributable component. After the site is installed, Configuration
Manager doesn't upgrade SQL Server Native Client. Make sure this component is up to
date. For more information, see Prerequisite checks - SQL Server Native Client.

Secondary site server

Windows Server roles and features for the secondary site server

.NET Framework 3.5

Remote Differential Compression

.NET Framework for the secondary site server


Enable the Windows feature for .NET Framework 3.5.

Install a supported version of the .NET Framework. For more information, see .NET
version requirements.

Visual C++ Redistributable for the secondary site server


Starting in version 2107, Configuration Manager installs the Microsoft Visual C++
2015-2019 redistributable package (14.28.29914.0) on each computer that installs
a secondary site server. In version 2103 and earlier, it installs the Visual C++ 2013
version (12.0.40660.0).

Secondary sites require only the x64 version.

Default site system roles for the secondary site server


By default, a secondary site installs a management point and a distribution point. Make
sure that the secondary site server meets the prerequisites for these site system roles.

SQL Server Native Client for the secondary site server


When you install a new site, Configuration Manager automatically installs SQL Server
Native Client as a redistributable component. After the site is installed, Configuration
Manager doesn't upgrade SQL Server Native Client. Make sure this component is up to
date. For more information, see Prerequisite checks - SQL Server Native Client.

Database server

Remote Registry service for the site database server


During installation of the Configuration Manager site, enable the Remote Registry
service on the computer that hosts the site database.

SQL Server for the site database server


Before you install a CAS or primary site, install a supported version of SQL Server
to host the site database. For more information, see Supported SQL Server
versions.

Before you install a secondary site:


You can install a supported version of SQL Server.

You can choose to have Configuration Manager install SQL Server Express. Make
sure that the server meets the requirements to run SQL Server Express.

SQL Server Native Client for the site database server


When you install a new site, Configuration Manager automatically installs SQL Server
Native Client as a redistributable component. After the site is installed, Configuration
Manager doesn't upgrade SQL Server Native Client. Make sure this component is up to
date. For more information, see Prerequisite checks - SQL Server Native Client.

SMS Provider server

Windows ADK for the SMS Provider


The server where you install an instance of the SMS Provider must have a
supported version of the Windows ADK. For more information, see Support for the
Windows ADK.

For more information about this requirement, see Infrastructure requirements for
operating system deployment.

Windows Server roles and features for the SMS Provider


Web Server (IIS): Every provider attempts to install the administration service. This
service has a dependency on IIS to bind a certificate to HTTPS port 443. Configuration
Manager uses IIS APIs to check this certificate configuration. If you configure the site for
Enhanced HTTP, Configuration Manager uses IIS APIs to bind the site-generated
certificate. Unless the server already has a PKI-based certificate, the site automatically
uses the site's self-signed certificate.
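Because the administration service binds a certificate to HTTPS port 443 through IIS, and falls back to the site's self-signed certificate when no PKI certificate is present, a practitioner usually wants to confirm which certificate is actually bound. The following PowerShell is an added example, not from the documentation: it reads the port 443 binding of an IIS site with the WebAdministration module and resolves the bound thumbprint to the certificate in the local machine store. The site name `Default Web Site` is an assumption.

```powershell
# Added example (not from the Configuration Manager docs): show which certificate IIS has
# bound to HTTPS port 443 on the SMS Provider server, its issuer, and its expiry, so you can
# tell a PKI-issued certificate from the site's self-signed one before clients depend on it.
Import-Module WebAdministration

function Get-AdminServiceCertificate {
    param([string]$SiteName = 'Default Web Site')   # assumed IIS site name

    $binding = Get-WebBinding -Name $SiteName -Protocol https |
               Where-Object { $_.bindingInformation -like '*:443:*' } |
               Select-Object -First 1
    if (-not $binding) {
        return [pscustomobject]@{ SiteName = $SiteName; Bound = $false }
    }

    # An empty certificateStoreName means the default personal store
    $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
    $thumb = $binding.certificateHash
    $cert  = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
             Where-Object { $_.Thumbprint -eq $thumb }

    [pscustomobject]@{
        SiteName      = $SiteName
        Bound         = $true
        Store         = $store
        Thumbprint    = $thumb
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        # Subject equal to issuer is the usual sign of a self-signed certificate
        SelfSigned    = ($null -ne $cert -and $cert.Subject -eq $cert.Issuer)
        ExpiresInDays = if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays } else { $null }
    }
}

Get-AdminServiceCertificate | Format-List
```

A `SelfSigned` result of true is expected for an Enhanced HTTP site; if you intended a PKI certificate, check that it is present in the machine store with a private key before re-running the site's certificate configuration.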

.NET Framework for the SMS Provider


If you're using the administration service, the server that hosts the SMS Provider role
requires .NET 4.5 or later. Starting in version 2107, this role requires .NET version 4.6.2,
and version 4.8 is recommended. For more information, see .NET version requirements.

SQL Server Native Client for the SMS Provider


When you install a new site, Configuration Manager automatically installs SQL Server
Native Client as a redistributable component. After the site is installed, Configuration
Manager doesn't upgrade SQL Server Native Client. Make sure this component is up to
date. For more information, see Prerequisite checks - SQL Server Native Client.

Asset Intelligence synchronization point

Important

Starting in November 2021, this feature of Configuration Manager is deprecated.
For more information, see Asset intelligence deprecation.

.NET Framework for the AISP


Install a supported version of the .NET Framework. For more information, see .NET version
requirements.

SQL Server Native Client for the AISP


When you install a new site, Configuration Manager automatically installs SQL Server
Native Client as a redistributable component. After the site is installed, Configuration
Manager doesn't upgrade SQL Server Native Client. Make sure this component is up to
date. For more information, see Prerequisite checks - SQL Server Native Client.

Certificate registration point

Warning

Starting in version 2203, the certificate registration point is no longer supported.
For more information, see Frequently asked questions about resource access
deprecation.

Windows Server roles and features for the CRP

.NET Framework
HTTP Activation

IIS configuration for the CRP

Application Development:
ASP.NET 3.5 (and automatically selected options)
ASP.NET 4.5 (and automatically selected options)

IIS 6 Management Compatibility:
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility

.NET Framework for the CRP


Install a supported version of the .NET Framework. For more information, see .NET version
requirements.

SQL Server Native Client for the CRP


When you install a new site, Configuration Manager automatically installs SQL Server
Native Client as a redistributable component. After the site is installed, Configuration
Manager doesn't upgrade SQL Server Native Client. Make sure this component is up to
date. For more information, see Prerequisite checks - SQL Server Native Client.

Data warehouse service point


For more information on the prerequisites for this role, see The data warehouse service
point.

.NET Framework for the DWSP


Install a supported version of the .NET Framework. For more information, see .NET version
requirements.

SQL Server for the DWSP


The data warehouse database requires SQL Server 2012 or later. The edition can be
Standard, Enterprise, or Datacenter. The SQL Server version for the data warehouse
doesn't need to be the same as the site database server or the reporting services point.

Distribution point

Windows Server roles and features for the DP


Remote Differential Compression

Note

When the distribution point transfers content, it transfers using the Background
Intelligent Transfer Service (BITS) built into Windows. The distribution point role
doesn't require the optional BITS IIS Server Extension feature to be installed,
because the client doesn't upload information to it.

IIS configuration for the DP

Application Development:
ISAPI Extensions

Security:
Windows Authentication

IIS 6 Management Compatibility:
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility

By default, IIS uses request filtering to block several file name extensions and folder
locations from access by HTTP or HTTPS communication. On a distribution point, this
configuration prevents clients from downloading packages that have blocked extensions
or folder locations. For more information, see IIS request filtering for distribution points.

Distribution points require that IIS allows the following HTTP verbs:

GET
HEAD
PROPFIND

Visual C++ Redistributable for the DP


Starting in version 2107, Configuration Manager installs the Microsoft Visual C++
2015-2019 redistributable package (14.28.29914.0) on each computer that hosts a
distribution point. In version 2103 and earlier, it installs the Visual C++ 2013
version (12.0.40660.0).

The version that's installed depends on the computer's platform (x86 or x64).

Add PXE support for the DP


There are two options to support PXE on a distribution point:

Enable the Configuration Manager PXE responder without Windows Deployment
Service.

Install and configure the Windows Deployment Services (WDS) Windows Server
role.

Note

WDS installs and configures automatically when you enable a distribution
point to support PXE.

For more information, see Install and configure distribution points.

Add multicast support for the DP


Install and configure the Windows Deployment Services (WDS) Windows Server
role.

Note

WDS installs and configures automatically when you enable a distribution
point to support multicast.

Make sure the SQL Server Native Client is installed and up to date. For more
information, see Prerequisite checks - SQL Server Native Client.

Endpoint Protection point

Windows Server roles and features for the endpoint protection point

.NET Framework 3.5

Windows Defender features (Windows Server 2016 or later)

SQL Server Native Client for the endpoint protection point

When you install a new site, Configuration Manager automatically installs SQL Server
Native Client as a redistributable component. After the site is installed, Configuration
Manager doesn't upgrade SQL Server Native Client. Make sure this component is up to
date. For more information, see Prerequisite checks - SQL Server Native Client.

Enrollment point

Important

With the deprecation of on-premises MDM and the Configuration Manager client
for macOS, this site system role is also deprecated. For more information, see
Removed and deprecated features for Configuration Manager.

Windows Server roles and features for the enrollment point

.NET Framework 3.5

HTTP Activation (and automatically selected options)

ASP.NET 4.5

Windows Communication Foundation (WCF) Services

IIS configuration for the enrollment point

Common HTTP Features:
Default Document

Application Development:
ASP.NET 3.5 (and automatically selected options)
.NET Extensibility 3.5
ASP.NET 4.5 (and automatically selected options)
.NET Extensibility 4.5

IIS 6 Management Compatibility:
IIS 6 Metabase Compatibility

.NET Framework for the enrollment point


Enable the Windows feature for .NET Framework 3.5.

Install a supported version of the .NET Framework. For more information, see .NET
version requirements.

Computer memory for the enrollment point


The computer that hosts this site system role must have a minimum of 5% of the
computer's available memory free to enable the site system role to process
requests.

When this site system role is collocated with another site system role that has this
same requirement, this memory requirement for the computer doesn't increase,
but remains at a minimum of 5%.

SQL Server Native Client


When you install a new site, Configuration Manager automatically installs SQL Server
Native Client as a redistributable component. After the site is installed, Configuration
Manager doesn't upgrade SQL Server Native Client. Make sure this component is up to
date. For more information, see Prerequisite checks - SQL Server Native Client.

Enrollment proxy point

Important

With the deprecation of on-premises MDM and the Configuration Manager client
for macOS, this site system role is also deprecated. For more information, see
Removed and deprecated features for Configuration Manager.

Windows Server roles and features for the enrollment proxy point
.NET Framework 3.5

IIS configuration for the enrollment proxy point

Common HTTP Features:

Default Document

Static Content

Application Development:

ASP.NET 3.5 (and automatically selected options)

ASP.NET 4.5 (and automatically selected options)

.NET Extensibility 3.5

.NET Extensibility 4.5

Security:
Windows Authentication

IIS 6 Management Compatibility:
IIS 6 Metabase Compatibility

.NET Framework for the enrollment proxy point


Enable the Windows feature for .NET Framework 3.5.

Install a supported version of the .NET Framework. For more information, see .NET
version requirements.

Computer memory for the enrollment proxy point


The computer that hosts this site system role must have a minimum of 5% of the
computer's available memory free to enable the site system role to process
requests.

When this site system role is colocated with another site system role that has this
same requirement, this memory requirement for the computer doesn't increase,
but remains at a minimum of 5%.

Fallback status point

Windows Server roles and features for the FSP


Depending upon the version of Windows Server, enable one of the following features:

BITS Server Extensions and the automatically selected options

Background Intelligent Transfer Services (BITS) and the automatically selected
options

IIS configuration

The default IIS configuration is required with the following additions:

IIS 6 Management Compatibility:
IIS 6 Metabase Compatibility

Management point

Windows Server roles and features for the MP


Depending upon the version of Windows Server, enable one of the following features:

BITS Server Extensions and the automatically selected options

Background Intelligent Transfer Services (BITS) and the automatically selected
options

IIS configuration for the MP

Application Development:
ISAPI Extensions

Security:
Windows Authentication

IIS 6 Management Compatibility:
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility

To make sure that clients can successfully communicate with a management point, make
sure IIS allows the following HTTP verbs:

GET
POST
CCM_POST
HEAD
PROPFIND

.NET Framework for the MP


Install a supported version of the .NET Framework. For more information, see .NET version
requirements.

SQL Server Native Client for the MP


When you install a new site, Configuration Manager automatically installs SQL Server
Native Client as a redistributable component. After the site is installed, Configuration
Manager doesn't upgrade SQL Server Native Client. Make sure this component is up to
date. For more information, see Prerequisite checks - SQL Server Native Client.

Reporting services point

.NET Framework for the RSP


Install a supported version of the .NET Framework. For more information, see .NET version
requirements.

SQL Server Reporting Services for the RSP


Install and configure at least one instance of SQL Server to support SQL Server
Reporting Services.

The instance that you use for SQL Server Reporting Services can be the same
instance you use for the site database.

The instance that you use can be shared with System Center products. The System
Center products can't have restrictions for sharing the instance of SQL Server.

SQL Server Native Client for the RSP
When you install a new site, Configuration Manager automatically installs SQL Server
Native Client as a redistributable component. After the site is installed, Configuration
Manager doesn't upgrade SQL Server Native Client. Make sure this component is up to
date. For more information, see Prerequisite checks - SQL Server Native Client.

Service connection point

.NET Framework for the SCP


Enable the Windows feature for .NET Framework 3.5.

Install a supported version of the .NET Framework. For more information, see .NET
version requirements.

Visual C++ Redistributable for the SCP


Starting in version 2107, Configuration Manager installs the Microsoft Visual C++
2015-2019 redistributable package (14.28.29914.0) on the service connection
point. In version 2103 and earlier, it installs the Visual C++ 2013 version
(12.0.40660.0).

SQL Server Native Client for the SCP


When you install a new site, Configuration Manager automatically installs SQL Server
Native Client as a redistributable component. After the site is installed, Configuration
Manager doesn't upgrade SQL Server Native Client. Make sure this component is up to
date. For more information, see Prerequisite checks - SQL Server Native Client.

Software update point

Windows Server roles and features for the SUP


.NET Framework 3.5

The default IIS configuration is required.

.NET Framework for the SUP


Enable the Windows feature for .NET Framework 3.5.

Install a supported version of the .NET Framework. For more information, see .NET
version requirements.

Windows Server Update Services (WSUS) for the SUP


Install the WSUS server role. For more information, see Plan for software updates.

Note

When you use a software update point on a remote site system, install the WSUS
Administration Console on the site server.
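The Windows Server roles and features listed for the site server, distribution point, management point, fallback status point, software update point and state migration point are all Server Manager features, so they can be audited and installed in one place. The following PowerShell is an added example, not the product's prerequisite checker: it maps the items named on this page to Server Manager feature names and reports what is missing for one or more roles. The feature-name mapping is my own assumption and should be confirmed with `Get-WindowsFeature` on your OS version; it includes only items this page lists.

```powershell
# Added example (not Configuration Manager tooling): audit or install the Windows Server
# features this page lists per site system role. The role-to-feature mapping below is an
# assumption made for this example; verify names with Get-WindowsFeature on your OS.
Import-Module ServerManager

$RoleFeatures = @{
    'Site server'            = @('NET-Framework-Core', 'RDC')
    # Assumed: the WSUS Administration Console for a site server with a remote SUP
    'Site server (remote SUP)' = @('NET-Framework-Core', 'RDC', 'UpdateServices-RSAT')
    'Distribution point'     = @('RDC', 'Web-ISAPI-Ext', 'Web-Windows-Auth', 'Web-Metabase', 'Web-WMI')
    'Management point'       = @('BITS', 'Web-ISAPI-Ext', 'Web-Windows-Auth', 'Web-Metabase', 'Web-WMI')
    'Fallback status point'  = @('BITS', 'Web-Metabase')
    'Software update point'  = @('NET-Framework-Core', 'Web-Server', 'UpdateServices')
    'State migration point'  = @('NET-Framework-Core', 'NET-HTTP-Activation', 'Web-Default-Doc',
                                 'Web-Asp-Net', 'Web-Net-Ext', 'Web-Asp-Net45', 'Web-Net-Ext45', 'Web-Metabase')
}

function Get-MissingRoleFeatures {
    param([Parameter(Mandatory)][string[]]$Role)
    $wanted = $Role | ForEach-Object { $RoleFeatures[$_] } | Sort-Object -Unique
    foreach ($f in Get-WindowsFeature -Name $wanted) {
        if (-not $f.Installed) {
            [pscustomobject]@{
                Feature     = $f.Name
                DisplayName = $f.DisplayName
                RequiredBy  = ($Role | Where-Object { $RoleFeatures[$_] -contains $f.Name }) -join ', '
            }
        }
    }
}

function Install-MissingRoleFeatures {
    param(
        [Parameter(Mandatory)][string[]]$Role,
        [string]$Source   # path to the .NET 3.5 payload (sources\sxs) when the server is offline
    )
    $missing = @(Get-MissingRoleFeatures -Role $Role | ForEach-Object { $_.Feature })
    if ($missing.Count -eq 0) { return 'Nothing to install' }
    $params = @{ Name = $missing; IncludeManagementTools = $true }
    if ($Source) { $params['Source'] = $Source }
    Install-WindowsFeature @params
}

# Usage: report first, then install once the list looks right.
Get-MissingRoleFeatures -Role 'Management point', 'Distribution point' | Format-Table -AutoSize
# Install-MissingRoleFeatures -Role 'Management point', 'Distribution point' -Source 'D:\sources\sxs'
```

`Install-WindowsFeature` does not enable the optional BITS IIS Server Extension for the distribution point, which matches the note above that the role does not need it; add `BITS-IIS-Ext` to the management point entry only if your Windows Server version lists "BITS Server Extensions" as the feature to enable.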

SQL Server Native Client for the SUP


When you install a new site, Configuration Manager automatically installs SQL Server
Native Client as a redistributable component. After the site is installed, Configuration
Manager doesn't upgrade SQL Server Native Client. Make sure this component is up to
date. For more information, see Prerequisite checks - SQL Server Native Client.

State migration point

Windows Server roles and features for the SMP


.NET Framework 3.5

HTTP Activation (and automatically selected options)

ASP.NET 4.5

IIS configuration for the SMP

Common HTTP Features:
Default Document

Application Development:
ASP.NET 3.5 (and automatically selected options)
.NET Extensibility 3.5
ASP.NET 4.5 (and automatically selected options)
.NET Extensibility 4.5

IIS 6 Management Compatibility:
IIS 6 Metabase Compatibility

.NET Framework for the SMP


Enable the Windows feature for .NET Framework 3.5.

Install a supported version of the .NET Framework. For more information, see .NET
version requirements.

SQL Server Native Client for the SMP


When you install a new site, Configuration Manager automatically installs SQL Server
Native Client as a redistributable component. After the site is installed, Configuration
Manager doesn't upgrade SQL Server Native Client. Make sure this component is up to
date. For more information, see Prerequisite checks - SQL Server Native Client.
Supported operating systems for Configuration Manager site system servers
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article details the Windows versions that you can use to host a Configuration
Manager site or site system role.

Windows Server 2022

Applies to Datacenter: Azure Edition, Standard and Datacenter editions

Starting in version 2107, this OS version is supported for the following servers.

Site servers:

Central administration site
Primary site
Secondary site

Site system servers:

Asset Intelligence synchronization point
Certificate registration point
Cloud management gateway connection point
Data warehouse service point
Distribution point Note 1
Endpoint Protection point
Enrollment point
Enrollment proxy point
Fallback status point
Management point
Reporting services point
Service connection point
Site database server Note 2
SMS Provider
Software update point
State migration point

Note

If you're installing a new site, you can use the latest baseline version 2103 on a
Windows Server 2022 site server, and then immediately update the site to version
2107.

Windows Server 2019

Applies to Standard and Datacenter editions

Site servers:

Central administration site
Primary site
Secondary site

Site system servers:

Asset Intelligence synchronization point
Certificate registration point
Cloud management gateway connection point
Data warehouse service point
Distribution point Note 1
Endpoint Protection point
Enrollment point
Enrollment proxy point
Fallback status point
Management point
Reporting services point
Service connection point
Site database server Note 2
SMS Provider
Software update point
State migration point

Windows Server 2016

Applies to Standard and Datacenter editions

Site servers:

Central administration site
Primary site
Secondary site

Site system servers:

Asset Intelligence synchronization point
Certificate registration point
Cloud management gateway connection point
Data warehouse service point
Distribution point Note 1
Endpoint Protection point
Enrollment point
Enrollment proxy point
Fallback status point
Management point
Reporting services point
Service connection point
Site database server Note 2
SMS Provider
Software update point
State migration point

Windows Storage Server 2016

Site system server:

Distribution point Note 1

Windows Server 2012 R2

Applies to Standard and Datacenter editions

Site servers:

Central administration site
Primary site
Secondary site

Site system servers:

Asset Intelligence synchronization point
Certificate registration point
Cloud management gateway connection point
Data warehouse service point
Distribution point Note 1
Endpoint Protection point
Enrollment point
Enrollment proxy point
Fallback status point
Management point
Reporting services point
Service connection point
Site database server Note 2
SMS Provider
Software update point
State migration point

Windows Server 2012

Applies to Standard and Datacenter editions

Site servers:

Central administration site
Primary site
Secondary site

Site system servers:

Asset Intelligence synchronization point
Certificate registration point
Cloud management gateway connection point
Data warehouse service point
Distribution point Note 1
Endpoint Protection point
Enrollment point
Enrollment proxy point
Fallback status point
Management point
Reporting services point
Service connection point
Site database server Note 2
SMS Provider
Software update point
State migration point

Client OS versions
The following client OS versions are supported for use as a distribution point Note 1:

Windows 11 (starting in Configuration Manager version 2107)

For more information on supported build versions and editions, see Support for
Windows 11.

Windows 10 (x86, x64)

For more information on supported build versions and editions, see Support for
Windows 10.

Windows 8.1 (x86, x64): Professional and Enterprise

This support has the following limitation:

Distribution points on this OS don't support PXE or multicast with the default
Windows Deployment Services. You can PXE-enable a distribution point on this OS
with the option to Enable a PXE responder without Windows Deployment
Service. For more information, see Install and configure distribution points.

Server core installations

The server core installation of the following server OS versions is supported for use as a
distribution point:

Windows Server 2022
Windows Server 2019
Windows Server, version 1809
Windows Server, version 1803
Windows Server, version 1709
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012

This support has the following limitation:

Distribution points on this OS don't support PXE or multicast with the default
Windows Deployment Services. You can PXE-enable a distribution point on this OS
with the option to Enable a PXE responder without Windows Deployment
Service. For more information, see Install and configure distribution points.

General notes

Note 1: Distribution points


Distribution points support several different configurations that each have different
requirements. In some cases, these configurations support installation not only on
servers, but on client operating systems. For more information, see Manage content and
content infrastructure.

Note 2: Site database servers


Site database servers aren't supported on a read-only domain controller (RODC). For
more information, see SQL Server security considerations: Installing SQL Server on a
domain controller.

Additionally, secondary site servers aren't supported on any domain controller.

Next steps
Supported SQL Server versions

See also:

Recommended hardware
Site and site system prerequisites
Size and scale numbers
Supported OS versions for clients and devices for Configuration Manager
Article • 03/21/2023

Applies to: Configuration Manager (current branch)

Configuration Manager supports installing client software on Windows and macOS
computers.

General requirements and limitations


Review the following requirements and limitations for all clients:

Changing the startup type or Log on as settings for any Configuration Manager
service isn't supported. This change can prevent key services from running
correctly.

Windows computers
To manage the following Windows OS versions, use the client that's included with
Configuration Manager. For more information, see How to deploy clients to Windows
computers.

Supported client OS versions

Windows 11 (starting in Configuration Manager version 2107)

Note

You can continue to use Microsoft Endpoint Manager to manage devices
running Windows 11 the same as with Windows 10. For more information,
including some known issues, see Support for Windows 11.

Windows 10

For more information, see Support for Windows 10.

For more information on the versions of the Windows Assessment and Deployment Kit
(Windows ADK) that Configuration Manager current branch supports, see Support for
the Windows ADK.

Azure Virtual Desktop


Azure Virtual Desktop is a desktop and app virtualization service that runs on Microsoft
Azure. You can use Configuration Manager to manage these virtual devices running
Windows in Azure.

Similar to a terminal server, some of these virtual devices allow multiple concurrent
active user sessions. To help with client performance, Configuration Manager disables
user policies on any device that allows these multiple user sessions. Even if you enable
user policies, the client disables them by default on these devices, which include
Windows Enterprise multi-session and terminal servers.

The client only disables user policy when it detects this type of device during a new
installation. For an existing client of this type that you update to this version, the
previous behavior persists. On an existing device, it configures the user policy setting
even if it detects that the device allows multiple user sessions.

If you require user policy in this scenario, and accept any potential performance impact,
use client settings to enable user policy. In the Client Policy group, configure the
following setting: Enable user policy for multiple user sessions.

Starting in version 2006, the Windows 10 Enterprise multi-session platform is available
in the list of supported OS versions on objects with requirement rules or applicability
lists. Starting in version 2107, the Windows 11 Enterprise multi-session platform is
available.

Note

If you previously selected the top-level platform, this action automatically selected
all child platforms. New platforms aren't automatically selected. For example, if you
want to add Windows 10 Enterprise multi-session, manually select it under the
Windows 10 platform.

For more information, see the following articles:

Support for virtualization environments
Manage Configuration Manager clients in a virtual desktop infrastructure (VDI)

Supported server OS versions


Windows Server 2022: IoT, Standard, Datacenter Note 1 (starting in Configuration
Manager version 2107)

Windows Server 2019: IoT, Standard, Datacenter Note 1

Windows Server 2016: Standard, Datacenter Note 1

Windows Storage Server 2016: Workgroup, Standard, IoT

Windows Server 2012 R2 (x64): Standard, Datacenter Note 1

Windows Storage Server 2012 R2 (x64)

Windows Server 2012 (x64): Standard, Datacenter Note 1

Windows Storage Server 2012 (x64)

Server Core

The following versions specifically refer to the Server Core installation of the OS. Note 3

Windows Server semi-annual channel versions are Server Core installations, such as
Windows Server, version 1809. As a Configuration Manager client, they're supported the
same as the associated Windows 11 or Windows 10 semi-annual channel version. For
more information, see Support for Windows 11 or Support for Windows 10.

Windows Server 2022 (x64) Note 2 (starting in version 2107)

Windows Server 2019 (x64) Note 2

Windows Server 2016 (x64) Note 2

Windows Server 2012 R2 (x64) Note 2

Windows Server 2012 (x64) Note 2

Note 1
Configuration Manager tests and supports Windows Server Datacenter editions, but isn't
officially certified for Windows Server. Configuration Manager hotfix support isn't
offered for issues that are specific to Windows Server Datacenter Edition. For more
information on the Windows Server certification program, see Windows Server
Catalog.

Note 2
To support client push installation, add the File Server service of the File and Storage
Services server role. For more information about installing Windows features on Server
Core, see Install roles, role services, and features by using Windows PowerShell cmdlets.

Note 3
The Software Center app isn't supported on any version of Windows Server Core.

Windows Embedded computers


Manage Windows Embedded devices by installing the Configuration Manager client on
the device. For more information, see Planning for client deployment to Windows
Embedded devices.

Requirements and limitations


All client features are supported on Windows Embedded systems that don't have
write filters enabled.

Clients that use one of the following are supported for all features except power
management:

Enhanced Write Filters (EWF)

RAM File-Based Write Filters (FBWF)

Unified Write Filters (UWF)

Supported OS versions
Windows 11 Enterprise

Windows 11 IoT Enterprise Note 4

Windows 10 Enterprise (x86, x64)

Windows 10 IoT Enterprise (x86, x64) Note 4

Windows Embedded 8.1 Industry (x86, x64)

Windows Embedded 8 Standard (x86, x64)

Note 4: Windows IoT Enterprise


This version includes the long-term servicing channel (LTSC). For more information, see
Overview of Windows 10 IoT Enterprise.

Extended Security Updates and Configuration Manager
The Extended Security Updates (ESU) program is a last resort option for customers who
need to run certain legacy Microsoft products past the end of support. For example,
Windows 7. It includes Critical and/or Important security updates (as defined by the
Microsoft Security Response Center (MSRC) ) for a maximum of three years after the
product's End of Extended Support date.

Products that are beyond their support lifecycle aren't supported for use with
Configuration Manager. This includes any products that are covered under the ESU
program. Security updates released under the ESU program will be published to
Windows Server Update Services (WSUS). These updates will appear in the
Configuration Manager console. While products that are covered under the ESU
program are no longer supported for use with Configuration Manager, the latest
released version of Configuration Manager current branch can be used to deploy and
install Windows security updates released under the program for Windows Server 2012
and 2012 R2 only. No further support is offered for computers running Windows 7 or
Windows Server 2008/2008 R2, including customers with an additional further year of
ESU support as noted in KB4522133.

Client management features not related to Windows software update management or
OS deployment will no longer be tested on the operating systems covered under the
ESU program and we don't guarantee that they'll continue to function. It's highly
recommended to upgrade or migrate to a current version of the operating systems as
soon as possible to receive client management support.

Tip

Starting in Configuration Manager 2010, you'll be notified in-console about devices
with operating systems that are past the end of support date and that are no
longer eligible to receive security updates. For more information, see Console
notifications. This information is provided for your convenience and only for use
internally within your company. You should not solely rely on this information to
confirm update or license compliance. Be sure to verify the accuracy of the
information provided to you.

Mac computers

Important

Starting in January 2022, this feature of Configuration Manager is deprecated. The
macOS client installation package isn't available for new deployments, but existing
deployments are supported until December 31, 2022.

Migrate management of macOS devices to Microsoft Intune:

1. First, uninstall the Configuration Manager client for macOS. For more
information, see Uninstalling the Mac client.
2. Then enroll the device to Intune. For more information, see Deployment
guide: Manage macOS devices in Microsoft Intune.

Manage Apple Mac computers with the Configuration Manager client for macOS.

For more information, see How to deploy clients to Macs.

Requirements and limitations for macOS


Installing or running the Configuration Manager client for macOS on computers
under an account other than root isn't supported. Doing so can prevent key
services from running correctly.

Supported versions
macOS Big Sur (11) (requires Configuration Manager client for macOS version
5.0.9000.1002 or later)

macOS Catalina (10.15) (requires Configuration Manager client for macOS version
5.0.8742.1000 or later)

macOS Mojave (10.14)

On-premises MDM

Important

Starting in November 2021, this feature of Configuration Manager is deprecated.

Configuration Manager has built-in capabilities for managing mobile devices that are
on-premises without installing client software. For more information, see Manage
mobile devices with on-premises infrastructure.

Supported operating systems


Windows 10 Pro (x86, x64)

Windows 10 Enterprise (x86, x64)

Windows 10 IoT Enterprise (x86, x64). This version includes the long-term servicing
channel (LTSC). For more information, see Overview of Windows 10 IoT Enterprise.

Windows 10 Team for Surface Hub

Exchange Server connector


Configuration Manager supports limited management of devices that connect to your
Exchange Server, without installing the Configuration Manager client. For more
information, see Manage mobile devices with Configuration Manager and Exchange.

Supported versions of Exchange Server


Exchange Online (Microsoft 365): This version includes Business Productivity
Online Standard Suite

Exchange Server 2016

Exchange Server 2013

Exchange Server 2010 SP1 or Exchange Server 2010 SP2


Support for Windows 11 in Configuration Manager
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

Learn about the Windows 11 versions that Configuration Manager supports as a client.

For more information about support for the Windows Assessment and Deployment Kit
(ADK) for Windows 11, see Support for the Windows ADK.

Note

You can continue to use Microsoft Endpoint Manager to manage devices running
Windows 11 the same as with Windows 10. If another article doesn't explicitly
reference Windows 11, assume that feature support for Windows 10 also includes
Windows 11. This article lists some known issues.

Windows 11 versions
Configuration Manager attempts to provide support as a client for each new Windows
11 version soon after it becomes available. Because the products have separate
development and release schedules, the support that Configuration Manager provides
depends on when each becomes available.

A Configuration Manager version drops from the matrix after support for that version
ends. Similarly, Configuration Manager doesn't support Windows 11 versions when their
support lifecycle ends.

The latest version of Configuration Manager current branch receives both security
and critical updates, which can include fixes for Windows 11-specific features.
When Microsoft releases a new version of Configuration Manager current branch,
prior versions only receive security updates. For more information, see Support for
Configuration Manager current branch versions.

Note

The best way to stay current with Windows 11 is to stay current with
Configuration Manager. For more information, see Configuration Manager
and Windows as a Service.

This information supplements Supported operating systems for clients and devices.

The following table lists the versions of Windows 11 that you can use as a client with
different versions of Configuration Manager.

Windows 11 version   ConfigMgr 2111   ConfigMgr 2203   ConfigMgr 2207   ConfigMgr 2211   ConfigMgr 2303

22H2 (10.0.22621)

21H2 (10.0.22000)

For more information on Windows lifecycle, see the Windows lifecycle fact sheet and
Windows release information.

Key

= Supported

= Not supported

Support notes
Support for Windows 11 versions includes the following editions: Enterprise, Pro,
Education, Pro Education, and Pro for Workstation.

Windows 11 reports the Operating System property as Microsoft Windows NT
Workstation 10.0, which is identical to Windows 10. To distinguish devices running
Windows 11, use the Operating System Build device property for build number
10.0.22000 or later.

OS deployment images and upgrade packages for Windows 11 show the image
name as Windows 10. For more information, see Using deployment tools with
Windows 11 images.

The 32-bit versions of Windows PE (WinPE) in the WinPE add-ons for Windows 11
and Windows Server 2022 aren't supported. The last supported version of 32-bit
WinPE is available in the WinPE add-on for Windows 10, version 2004. For more
information, see Download and install the Windows ADK.
Configuration Manager supports the use of older versions of Windows PE as boot
images, but you can't customize them in the Configuration Manager console. For
more information, see Customize boot images with Configuration Manager.

Windows 11 on ARM64
Configuration Manager version 2107 with the update rollup supports the client on
Windows 11 ARM64 devices.

The All Windows 11 (ARM64) platform is available in the list of supported OS versions
on objects with requirement rules or applicability lists.

OS deployment isn't supported, except for a feature update task sequence. You can
deploy a task sequence with a feature update to a Windows 11 on ARM64 device. For
more information, see Upgrade Windows to the latest version.

Support for Windows Insider


You can update and service Windows Insider builds. This ability is provided as a
convenience to our customers. While this functionality should work, its support is best
effort. Configuration Manager might not issue a hotfix for this functionality if it doesn't
work.

To provide feedback on Windows Insider, use the Windows Feedback Hub.

Known issues

Desktop Analytics
Desktop Analytics doesn't support Windows 11. For information about Windows 11
hardware readiness, Microsoft recommends that you enable tenant attach and Endpoint
analytics.

Windows servicing dashboard


The Windows Servicing dashboard currently includes Windows 11 devices with the
latest version of Windows 10. It doesn't yet distinguish a version for Windows 11. For
more information on this dashboard, see Manage Windows as a service using
Configuration Manager.
Software Center notifications don't display during quiet period

By default, Windows 11 enables focus assist for the first hour after a user signs on for
the first time. For more information, see Reaching the Desktop and the Quiet Period.

Software Center notifications are currently suppressed during this time. For more
information, see Turn Focus assist on or off in Windows .

Pre-provisioning BitLocker during task sequence doesn't own TPM

Applies to: Windows ADK for Windows 11

When you use a Windows 11-based boot image with an OS deployment task sequence
that includes the Pre-provision BitLocker step, the step might fail. You'll see errors
similar to the following strings in the smsts.log:

    'TakeOwnership' failed (2147942402)
    pTpm->TakeOwnership(sOwnerAuth), HRESULT=80070002
    Failed to take ownership of TPM. Ensure that Active Directory permissions are properly configured
    The system cannot find the file specified. (Error: 80070002; Source: Windows)
    Process completed with exit code 2147942402
    Failed to run the action: Pre-provision BitLocker. Error -2147024894

To work around this issue, add a Run Command Line step to the task sequence before
the Pre-provision BitLocker step. Run the following command:

    reg.exe add HKLM\SOFTWARE\Policies\Microsoft\TPM /v OSManagedAuthLevel /t REG_DWORD /d 2 /f

For more information on this registry key, see Change the TPM owner password.

Configuration Manager console with Windows Hello for Business authentication

Applies to: Azure Active Directory (Azure AD)-joined devices

If you configure the authentication level for the site to require Windows Hello for
Business authentication, the Configuration Manager console on a Windows 11 device
can't connect to the site. The adminui.log file on the devices shows the following errors:

    Description = "Current thread is not authenticated with the minimal allowed level.";
    ErrorCode = 2185761792;

Use one of the following options to work around this issue:

Update the device to Windows 11 OS build 22000.282. For more information, see
October 21, 2021—KB5006746 (OS Build 22000.282) Preview.

Install the console on a device running another version of Windows.

Add users to the authentication exclusion list. For more information, see Configure
SMS Provider authentication.

Offline servicing

Important

This issue is resolved with the March 2022 cumulative update (KB5011493). For any
version of Windows 11, you can successfully use offline servicing with the March
2022 cumulative update.

When you apply software updates to an image for Windows 11, the process will fail.
You'll see errors similar to the following entries in the offline servicing log file,
OfflineServicingMgr.log:

    InstallUpdate returned code 0x8007007b
    Failed to install update with ID 16787962 on the image. ErrorCode = 123

This issue is because DISM doesn't support the .cab files.

To work around this issue, you can manually service the image:

1. Download the update directly from the Microsoft Update Catalog. For example,
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5007215
2. Use DISM to manually inject the downloaded .msu update file into the Windows
11 image. For more information, see Add updates to a Windows image.
3. Manually update the image file in the package source. Then update it on
distribution points.
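The manual servicing steps above as an added PowerShell example (not Microsoft's code): it wraps the DISM cmdlets for step 2, refuses anything but an .msu, and discards the mount if any step fails so a half-serviced image is never saved. The image path, update file name, mount directory and the presence of the DISM module on an elevated session are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Configuration Manager docs): inject an .msu downloaded from
# the Microsoft Update Catalog into an offline Windows 11 image with the DISM module.
# Assumption: the DISM PowerShell cmdlets are available (Windows ADK or a Windows 10/11 host).

function Add-MsuToWindowsImage {
    param(
        [Parameter(Mandatory)][string]$ImagePath,    # e.g. \\cm01\OSImages\Win11\install.wim (placeholder)
        [Parameter(Mandatory)][string]$UpdatePath,   # the .msu file saved from the catalog (placeholder)
        [uint32]$Index = 1,                          # image index inside the .wim
        [string]$MountPath = 'C:\Mount\Win11'        # scratch directory for the mounted image
    )

    # The failure described on this page is DISM rejecting the .cab form of the update,
    # so only accept the .msu package from the catalog.
    if ([System.IO.Path]::GetExtension($UpdatePath) -ne '.msu') {
        throw "Expected an .msu package from the Microsoft Update Catalog, got: $UpdatePath"
    }
    if (-not (Test-Path -LiteralPath $UpdatePath)) {
        throw "Update file not found: $UpdatePath"
    }

    New-Item -ItemType Directory -Path $MountPath -Force | Out-Null
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountPath | Out-Null

    $saved = $false
    try {
        Add-WindowsPackage -Path $MountPath -PackagePath $UpdatePath | Out-Null

        # List the most recently installed packages so the injection can be confirmed
        # before the image is committed.
        Get-WindowsPackage -Path $MountPath |
            Sort-Object InstallTime -Descending |
            Select-Object -First 3 PackageName, PackageState, InstallTime |
            Format-Table -AutoSize | Out-Host

        Dismount-WindowsImage -Path $MountPath -Save | Out-Null
        $saved = $true
    }
    finally {
        # Never leave a half-serviced image mounted: on any failure, discard the changes.
        if (-not $saved) {
            Dismount-WindowsImage -Path $MountPath -Discard -ErrorAction SilentlyContinue | Out-Null
        }
    }
    return $saved
}

# Example call with placeholder paths; the KB number is the one in the catalog search above.
# Add-MsuToWindowsImage -ImagePath '\\cm01\OSImages\Win11\install.wim' `
#                       -UpdatePath 'C:\Updates\windows10.0-kb5007215-x64.msu'
#
# Step 3 of the workaround is still manual: copy the serviced install.wim back to the
# image package source, then update the image on distribution points from the console.
```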

Next steps
Support for the Windows ADK
Support for Windows 10 in Configuration Manager
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

Learn about the Windows 10 versions that Configuration Manager supports as a client.
For more information about support for later versions of Windows, see Support for
Windows 11.

For more information about support for the Windows Assessment and Deployment Kit
(ADK) for Windows 10, see Support for the Windows ADK.

Tip

Windows Server builds as a client are supported the same as the associated
Windows 10 version. For example, Windows Server 2016 is the same build version
as Windows 10 LTSB 2016, and Windows Server version 1803 is the same build
version as Windows 10, version 1803.

For more information on Windows Server as a site system, see Supported
operating systems for Configuration Manager site system servers.

Windows 10 versions
Configuration Manager attempts to provide support as a client for each new Windows
10 version as soon as possible after it becomes available. Because the products have
separate development and release schedules, the support that Configuration Manager
provides depends on when each becomes available.

A Configuration Manager version drops from the matrix after support for that version
ends. Similarly, support for Windows 10 versions like the Enterprise 2015 LTSB or 1511
drops from the matrix when they're removed from support.

The latest version of Configuration Manager current branch receives both security
and critical updates, which can include fixes for issues with Windows 10 versions.
When Microsoft releases a new version of Configuration Manager current branch,
prior versions only receive security updates. For more information, see Support for
Configuration Manager current branch versions.

Note

The best way to stay current with Windows 10 is to stay current with
Configuration Manager. For more information, see Configuration Manager
and Windows as a Service.

This information supplements Supported operating systems for clients and devices.

If you use the long-term servicing branch of Configuration Manager, see
Supported configurations for the long-term servicing branch.

The following table lists the versions of Windows 10 that you can use as a client with
different versions of Configuration Manager.

Windows 10 version                  ConfigMgr 2111   ConfigMgr 2203   ConfigMgr 2207   ConfigMgr 2211   ConfigMgr 2303

22H2 (10.0.19045)

21H2 (10.0.19044)

Enterprise LTSC 2021 (10.0.19044)

21H1 (10.0.19043)

20H2 (10.0.19042) Note

All currently supported versions of Configuration Manager current branch support the
following Windows 10 LTSB/LTSC editions:

Enterprise 2015 LTSB
Enterprise 2016 LTSB
Enterprise LTSC 2019

For more information on Windows lifecycle, see the Windows lifecycle fact sheet and
Windows 10 release information.

Key

= Supported

= Not supported

Support notes
Support for Windows 10 semi-annual channel versions includes the following
editions: Enterprise, Pro, Education, Pro Education, and Pro for Workstation.

OS deployment media shows the build number from the base version. For
example, 10.0.19041. When Windows is installed, it applies an enablement
package, which updates the build number to what's in the above table. You can
use the revision ID to distinguish the media:

Media version     Windows version
10.0.19045.2130   Windows 10, version 22H2
10.0.19041.1288   Windows 10, version 21H2
10.0.19041.844    Windows 10, version 21H1
10.0.19041.508    Windows 10, version 20H2
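An added PowerShell example (not from the Configuration Manager docs) that applies two rules from these articles: the Windows 11 support note that the Operating System property reads "Microsoft Windows NT Workstation 10.0" for both products and only the Operating System Build (10.0.22000 or later) tells them apart, and the media revision table above. The build maps are built only from the numbers on this page; the device records, site code and provider host are constructed placeholders, and the SMS_R_System property names are the standard discovery-record ones.

```powershell
# Added example (not Microsoft's code): classify Configuration Manager inventory and media
# build strings using only the build numbers from this page's support tables.

# Three-part builds as reported by the Operating System Build device property.
# Assumption: hand-built from the Windows 11 and Windows 10 tables on this page.
$InventoryBuildMap = @{
    '10.0.22621' = 'Windows 11, version 22H2'
    '10.0.22000' = 'Windows 11, version 21H2'
    '10.0.19045' = 'Windows 10, version 22H2'
    '10.0.19044' = 'Windows 10, version 21H2 or Enterprise LTSC 2021 (same build number)'
    '10.0.19043' = 'Windows 10, version 21H1'
    '10.0.19042' = 'Windows 10, version 20H2'
}
# Four-part media builds: the revision ID identifies the enablement package on the media.
$MediaBuildMap = @{
    '10.0.19045.2130' = 'Windows 10, version 22H2'
    '10.0.19041.1288' = 'Windows 10, version 21H2'
    '10.0.19041.844'  = 'Windows 10, version 21H1'
    '10.0.19041.508'  = 'Windows 10, version 20H2'
}

function Get-WindowsVersionFromBuild {
    param(
        [Parameter(Mandatory)][string]$OperatingSystem,  # e.g. "Microsoft Windows NT Workstation 10.0"
        [Parameter(Mandatory)][string]$Build             # e.g. "10.0.22000" or "10.0.19041.1288"
    )
    # Windows 10 and Windows 11 clients report the same Operating System value;
    # servers and older clients are out of scope for this check.
    if ($OperatingSystem -notlike 'Microsoft Windows NT Workstation 10.0*') {
        return 'Not a Windows 10/11 client'
    }
    $parts = $Build.Split('.')
    if ($parts.Count -lt 3) { throw "Unexpected build string: $Build" }

    # Media builds carry a revision ID, so try the exact four-part match first.
    if ($parts.Count -ge 4 -and $MediaBuildMap.ContainsKey($Build)) {
        return "$($MediaBuildMap[$Build]) (installation media)"
    }
    $threePart = '{0}.{1}.{2}' -f $parts[0], $parts[1], $parts[2]
    if ($InventoryBuildMap.ContainsKey($threePart)) {
        return $InventoryBuildMap[$threePart]
    }
    # Anything not in the table still splits cleanly on the 10.0.22000 boundary.
    if ([int]$parts[2] -ge 22000) { return 'Windows 11 (version not listed on this page)' }
    return 'Windows 10 (version not listed on this page)'
}

# Constructed sample records shaped like the device properties the console shows.
$SampleDevices = @(
    [pscustomobject]@{ Name = 'WS01'; OperatingSystem = 'Microsoft Windows NT Workstation 10.0'; Build = '10.0.22000' }
    [pscustomobject]@{ Name = 'WS02'; OperatingSystem = 'Microsoft Windows NT Workstation 10.0'; Build = '10.0.19044' }
    [pscustomobject]@{ Name = 'MEDIA'; OperatingSystem = 'Microsoft Windows NT Workstation 10.0'; Build = '10.0.19041.1288' }
    [pscustomobject]@{ Name = 'SRV01'; OperatingSystem = 'Microsoft Windows NT Server 10.0'; Build = '10.0.20348' }
)
foreach ($d in $SampleDevices) {
    '{0,-6} {1,-16} {2}' -f $d.Name, $d.Build, (Get-WindowsVersionFromBuild -OperatingSystem $d.OperatingSystem -Build $d.Build)
}

# The same rule as a WQL collection query: the string comparison on Build is safe because
# every Windows 10/11 build string has the same length and "10.0.22000" sorts after "10.0.19045".
$Windows11CollectionQuery = @"
select SMS_R_System.ResourceId, SMS_R_System.Name, SMS_R_System.Build
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Workstation 10.0%"
  and SMS_R_System.Build >= "10.0.22000"
"@
# To run it against the SMS Provider (site code and host are placeholders):
# Get-CimInstance -Namespace 'root\sms\site_PS1' -ComputerName 'cm01.contoso.example' -Query $Windows11CollectionQuery
```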

Windows 10 on ARM64
Configuration Manager supports the client on Windows 10 ARM64 devices.

The All Windows 10 (ARM64) platform is available in the list of supported OS versions
on objects with requirement rules or applicability lists.

Note

If you previously selected the top-level Windows 10 platform, this action
automatically selected both All Windows 10 (64-bit) and All Windows 10 (32-bit). If
you want to add All Windows 10 (ARM64), manually select it in the list.

OS deployment isn't supported, except for a feature update task sequence. Starting in
version 2103, you can deploy a task sequence with a feature update to a Windows 10 on
ARM64 device. For more information, see Deploy a feature update with a task sequence.
Support for Windows Insider
You can update and service Windows Insider builds. This ability is provided as a
convenience to our customers. While this functionality should work, the support for it is
best effort. Configuration Manager might not issue a hotfix for this functionality if it
ceases to function.

To provide feedback on Windows Insider, use the Feedback Hub.

Sysprep and Windows 10, version 20H2


If you manually customize a reference computer that runs Windows 10, version 20H2,
and then use capture media, Windows Sysprep fails with the following entry in the
sysprep.log: Failed to clean the package repository database: 0x80070005. This issue
happens when you sign in to the device and create a user profile.

To work around this issue, choose one of the following options:

Use the default image file (install.wim) from the installation media. Use the task
sequence to apply configurations at run time.

Create a task sequence to capture an OS

Remove appx packages for the signed-in user before you use capture media. For
more information, see Sysprep fails after you remove or update Microsoft Store
apps that include built-in Windows images.

Manually run Sysprep, and then boot to the capture media to capture the image.

Next steps
Support for the Windows ADK

Support for Windows 11


Support for the Windows ADK in Configuration Manager
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

When you deploy operating systems with Configuration Manager, the Windows
Assessment and Deployment Kit (ADK) is a required external dependency. For more
information, see the following articles:

Infrastructure requirements for OS deployment

Download the Windows ADK

Important

Windows PE is a separate installer. Make sure to download both the Windows
ADK and the Windows PE add-on for the ADK.

Windows ADK versions


The following table lists the versions of the Windows ADK that you can use with
different versions of Configuration Manager.

Windows ADK version                  ConfigMgr 2111   ConfigMgr 2203   ConfigMgr 2207   ConfigMgr 2211   ConfigMgr 2303

Windows 11 (10.1.22621.1)

Windows 11 (10.1.22000)

Windows Server 2022 (10.1.20348)

Windows 10, version 2004 (10.1.19041)

Key

= Supported

This table only shows Windows ADK supportability in relation to the version of Configuration
Manager. Microsoft recommends using the Windows ADK that matches the version of Windows
you're deploying. Use the latest Windows ADK version when deploying the latest Windows
version. The latest Windows ADK version may support deployment of older OS versions, such as
Windows 8.1. For more information on Windows ADK component supportability, see DISM
supported platforms, USMT requirements, and Choose the right ADK for your scenario.

= Backward compatible

This combination isn't tested but should work. We'll document any known issues or caveats.

= Not supported

Support notes
Configuration Manager only supports x86 and amd64 components of the Windows
ADK. It doesn't currently support ARM or ARM64 components.

Windows Server builds have the same Windows ADK requirement as the
associated Windows client version. For example, Windows Server 2016 is the same
build version as Windows 10 LTSB 2016.

If you're deploying both Windows 11 and Windows Server 2022, use the Windows
ADK for Windows 11, which is the latest version. If you're deploying Windows
Server 2022 and not Windows 11, you can use either Windows ADK for Windows
Server 2022 or Windows 11.

The 32-bit versions of Windows PE (WinPE) in the WinPE add-ons for Windows 11
and Windows Server 2022 aren't supported. The last supported version of 32-bit
WinPE is available in the WinPE add-on for Windows 10, version 2004. For more
information, see Download and install the Windows ADK.

Configuration Manager supports the use of older versions of Windows PE as boot
images, but you can't customize them in the Configuration Manager console. For
more information, see Customize boot images with Configuration Manager.
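The following PowerShell script is an added example, not code from the Configuration Manager documentation. It checks a site server for the two installers the article requires together, the Windows ADK and the Windows PE add-on, and flags a version mismatch between them or an ADK version that isn't in the article's table. It assumes both products register under the standard Uninstall registry keys with the DisplayName values matched below, and the allowed-version list is copied from the table above (edit it when the table changes).

```powershell
# Added example; not code from the Configuration Manager documentation.
# Verifies that the Windows ADK and the Windows PE add-on are installed at the same
# version on this server, and that the version is one the article's table lists.
# Assumption: both products appear under the Uninstall keys with the DisplayName
# values matched in Get-InstalledAdkComponents / Test-AdkForConfigMgr.

$AllowedAdkVersions = @('10.1.22621.1', '10.1.22000', '10.1.20348', '10.1.19041')  # from the table above

function Get-InstalledAdkComponents {
    # The ADK setup is 32-bit, so its entries normally sit under WOW6432Node; both views are read.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Windows Assessment and Deployment Kit*' } |
        Select-Object DisplayName, DisplayVersion
}

function Test-AdkForConfigMgr {
    param([string[]]$AllowedVersions = $AllowedAdkVersions)

    $components = @(Get-InstalledAdkComponents)
    # Assumed DisplayName values: the kit itself and the separate WinPE add-on installer.
    $adk   = $components | Where-Object { $_.DisplayName -eq 'Windows Assessment and Deployment Kit' } | Select-Object -First 1
    $winpe = $components | Where-Object { $_.DisplayName -like '*Preinstallation Environment*' } | Select-Object -First 1

    $findings = [System.Collections.Generic.List[string]]::new()
    if (-not $adk)   { $findings.Add('Windows ADK is not installed.') }
    if (-not $winpe) { $findings.Add('Windows PE add-on for the ADK is not installed.') }

    if ($adk -and $winpe) {
        if ($adk.DisplayVersion -ne $winpe.DisplayVersion) {
            $findings.Add("ADK $($adk.DisplayVersion) and WinPE add-on $($winpe.DisplayVersion) differ; install the add-on that matches the ADK.")
        }
        if ($AllowedVersions -notcontains $adk.DisplayVersion) {
            $findings.Add("ADK $($adk.DisplayVersion) isn't in this article's table of Windows ADK versions.")
        }
    }

    [pscustomobject]@{
        AdkVersion   = $adk.DisplayVersion
        WinPeVersion = $winpe.DisplayVersion
        Supported    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

Test-AdkForConfigMgr | Format-List
```

Run it on the site server before you create or update boot images; a Findings entry about a missing or mismatched WinPE add-on is the usual reason the Windows PE add-on import fails even though the ADK itself is present.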

Known issues

Pre-provisioning BitLocker during task sequence doesn't own TPM

Applies to: Windows ADK for Windows 11

When you use a Windows 11-based boot image with an OS deployment task sequence
that includes the Pre-provision BitLocker step, the step might fail. You'll see errors
similar to the following strings in the smsts.log:

log

'TakeOwnership' failed (2147942402)
pTpm->TakeOwnership(sOwnerAuth), HRESULT=80070002
Failed to take ownership of TPM. Ensure that Active Directory permissions are properly configured
The system cannot find the file specified. (Error: 80070002; Source: Windows)
Process completed with exit code 2147942402
Failed to run the action: Pre-provision BitLocker. Error -2147024894

To work around this issue, add a Run Command Line step to the task sequence before
the Pre-provision BitLocker step. Run the following command:

reg.exe add HKLM\SOFTWARE\Policies\Microsoft\TPM /v OSManagedAuthLevel /t REG_DWORD /d 2 /f

For more information on this registry key, see Change the TPM owner password.

Next steps
Support for Windows 11

Support for Windows 10

Supported OS versions for clients


Supported OS versions for
Configuration Manager consoles
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

Configuration Manager supports the installation of the console on the following
Windows OS versions:

Windows Server 2022: Standard, Datacenter (starting in version 2107)

Windows Server 2019: Standard, Datacenter

Windows Server 2016: Standard, Datacenter

Windows Server 2012 R2 (x64): Standard, Datacenter

Windows Server 2012 (x64): Standard, Datacenter

Windows 11 (x64): Pro, Enterprise

Windows 10 (x86, x64): Pro, Enterprise

For more information about the Configuration Manager console, see the following
articles:

Install consoles

Using the console


Supported SQL Server versions for
Configuration Manager
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

Each Configuration Manager site requires a supported SQL Server version and
configuration to host the site database.

SQL Server instances and locations

Central administration site and primary sites

The site database must use a full installation of SQL Server.

SQL Server can be located on:

The site server computer.

A computer that is remote from the site server.

The following instances are supported:

The default or named instance of SQL Server.

Multiple instance configurations.

A SQL Server Always On failover cluster instance. For more information, see Use a
SQL Server Always On failover cluster instance for the site database.

A SQL Server Always On availability group. For more information, see Prepare to
use a SQL Server Always On availability group.

Secondary sites
The site database can use the default instance of a full installation of SQL Server or SQL
Server Express.

SQL Server must be located on the site server computer.

Limitations to support
The following configurations aren't supported:

A failover cluster instance in a Network Load Balancing (NLB) cluster configuration

A failover cluster instance on a Cluster Shared Volume (CSV)

SQL Server database mirroring technology, and peer-to-peer replication

SQL Server transactional replication is supported only for replicating objects to
management points that are configured to use database replicas.

Supported versions of SQL Server

In a hierarchy with multiple sites, different sites can use different versions of SQL Server
to host the site database, as long as the following items are true:

Configuration Manager supports the versions of SQL Server that you use.
The SQL Server versions you use remain in support by Microsoft.
SQL Server supports replication between the two versions of SQL Server. For more
information, see SQL Server replication backward compatibility.

For SQL Server 2016 and prior, support for each SQL Server version and service pack
follows the Microsoft Lifecycle Policy. Support for a specific SQL Server service pack
includes cumulative updates unless they break backward compatibility to the base
service pack version. Starting with SQL Server 2017, service packs won't be released
since it follows a modern servicing model. The SQL Server team recommends ongoing,
proactive installation of cumulative updates as they become available.

Unless specified otherwise, the following versions of SQL Server are supported with all
active versions of Configuration Manager. If support for a new SQL Server version is
added, the Configuration Manager version that adds that support is noted. Similarly, if
support is deprecated, look for details about affected versions of Configuration
Manager.

) Important

When you use SQL Server Standard for the database at the central administration
site, you limit the total number of clients that a hierarchy can support. See Size and
scale numbers.

SQL Server 2022: Standard, Enterprise

Starting in version 2303, support is added for SQL Server 2022.

You can use this version of SQL Server for the following sites:

A central administration site
A primary site
A secondary site

SQL Server 2019: Standard, Enterprise


You can use this version with cumulative update 5 (CU5) or later, as long as your
cumulative update version is supported by the SQL Server lifecycle. CU5 is the minimum
requirement for SQL Server 2019 as it resolves an issue with scalar UDF inlining.

You can use this version of SQL Server for the following sites:

A central administration site


A primary site
A secondary site

SQL Server 2017: Standard, Enterprise


You can use this version with cumulative update version 2 or higher, as long as your
cumulative update version is supported by the SQL Server lifecycle. You can use this
version of SQL Server for the following sites:

A central administration site


A primary site
A secondary site

SQL Server 2016: Standard, Enterprise


You can use this version with the minimum service pack and cumulative update
supported by the SQL Server lifecycle. You can use this version of SQL Server for the
following sites:

A central administration site


A primary site
A secondary site

SQL Server 2014: Standard, Enterprise


You can use this version with the minimum service pack and cumulative update
supported by the SQL Server lifecycle. You can use this version of SQL Server for the
following sites:

A central administration site


A primary site
A secondary site

SQL Server 2012: Standard, Enterprise


You can use this version with the minimum service pack and cumulative update
supported by the SQL Server lifecycle. You can use this version of SQL Server for the
following sites:

A central administration site


A primary site
A secondary site

) Important

Starting in version 2107, support for SQL Server 2012 is deprecated. Its support
lifecycle ends in July 2022. Plan to upgrade all database servers before that time.
For more information, see SQL Server.

SQL Server 2017 Express


You can use this version with cumulative update version 2 or higher, as long as your
cumulative update version is supported by the SQL Server lifecycle. You can use this
version of SQL Server for the following sites:

A secondary site

SQL Server 2016 Express


You can use this version with the minimum service pack and cumulative update
supported by the SQL Server lifecycle. You can use this version of SQL Server for the
following sites:

A secondary site

SQL Server 2014 Express


You can use this version with the minimum service pack and cumulative update
supported by the SQL Server lifecycle. You can use this version of SQL Server for the
following sites:

A secondary site

SQL Server 2012 Express


You can use this version with the minimum service pack and cumulative update
supported by the SQL Server lifecycle. You can use this version of SQL Server for the
following sites:

A secondary site

) Important

Starting in version 2107, support for SQL Server 2012 is deprecated. Its support
lifecycle ends in July 2022. Plan to upgrade all database servers before that time.
For more information, see SQL Server.

Required configurations for SQL Server


The following configurations are required by all installations of SQL Server that you use
for a site database, including SQL Server Express. When Configuration Manager installs
SQL Server Express as part of a secondary site installation, it automatically creates these
configurations.

SQL Server architecture version


Configuration Manager requires a 64-bit version of SQL Server to host the site database.

Database collation
At each site, both the instance of SQL Server that's used for the site and the site
database must use the following collation: SQL_Latin1_General_CP1_CI_AS.

Configuration Manager supports two exceptions to this collation for the China GB18030
standard. For more information, see International support.

Database compatibility level


Configuration Manager requires that the compatibility level for the site database is no
less than the lowest supported SQL Server version for your Configuration Manager
version.

When you upgrade a site database from an earlier version of SQL Server, the database
keeps its existing cardinality estimation level, if it's at the minimum allowed for that
instance of SQL Server. When you upgrade SQL Server with a database at a compatibility
level lower than the allowed level, it automatically sets the database to the lowest
compatibility level allowed by SQL Server.

The following table identifies the recommended compatibility levels for Configuration
Manager site databases:

SQL Server version   Supported compatibility levels   Recommended level
SQL Server 2022      150, 140, 130, 120, 110          150
SQL Server 2019      150, 140, 130, 120, 110          150
SQL Server 2017      140, 130, 120, 110               140
SQL Server 2016      130, 120, 110                    130
SQL Server 2014      120, 110                         110

To identify the SQL Server cardinality estimation compatibility level in use for your site
database, run the following SQL query on the site database server:

SQL

SELECT name, compatibility_level FROM sys.databases

For more information on SQL Server compatibility levels and how to set them, see ALTER
DATABASE Compatibility Level (Transact-SQL).

SQL Server features


Only the Database Engine Services feature is required for each site server.

Configuration Manager database replication doesn't require the SQL Server replication
feature. However, this SQL Server configuration is required when you use database
replicas for management points.

Windows authentication
Configuration Manager requires Windows authentication to validate connections to the
database.

SQL Server instance


Use a dedicated instance of SQL Server for each site. The instance can be a named
instance or the default instance.

SQL Server memory


Reserve memory for SQL Server by using SQL Server Management Studio. Set the
Minimum server memory setting under Server Memory Options. For more information
about how to configure this setting, see SQL Server memory server configuration
options.

For a database server that you install on the same computer as the site server:
Limit the memory for SQL Server to 50 to 80 percent of the available addressable
system memory.

For a dedicated database server that's remote from the site server: Limit the
memory for SQL Server to 80 to 90 percent of the available addressable system
memory.

For a memory reserve for the buffer pool of each SQL Server instance in use:
For a central administration site: Set a minimum of 8 GB.
For a primary site: Set a minimum of 8 GB.
For a secondary site: Set a minimum of 4 GB.

SQL Server nested triggers


SQL Server nested triggers must be enabled. For more information, see Configure the
nested triggers server configuration option

SQL Server CLR integration


The site database requires SQL Server common language runtime (CLR) to be enabled.
This option is enabled automatically when Configuration Manager installs. For more
information about CLR, see Introduction to SQL Server CLR Integration.

SQL Server Service Broker (SSB)


The SQL Server Service Broker is required both for intersite replication as well as for a
single primary site.

TRUSTWORTHY setting
Configuration Manager automatically enables the SQL TRUSTWORTHY database
property. This property is required by Configuration Manager to be ON.
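The script below is an added example, not code from the Configuration Manager documentation. It audits a site database server against the required configurations listed in this section in one pass: 64-bit engine, the SQL_Latin1_General_CP1_CI_AS collation on both the instance and the database, the recommended compatibility level from the table above, CLR integration, nested triggers, Service Broker on the site database, TRUSTWORTHY, and the minimum server memory reserve for the site type. It assumes the SqlServer PowerShell module provides Invoke-Sqlcmd (the -TrustServerCertificate switch needs module version 22 or later), that it runs under a Windows account allowed to read master and the site database (Windows authentication, as the article requires), and that the instance and database names are placeholders you replace.

```powershell
# Added example; not code from the Configuration Manager documentation.
# Checks a site database server against the required SQL Server settings in this article.
# Assumptions: SqlServer module (Invoke-Sqlcmd) installed; instance/database names are placeholders.

param(
    [string] $ServerInstance = 'SQLSRV01\CM',   # placeholder: host\instance
    [string] $SiteDatabase   = 'CM_P01',        # placeholder: CM_<site code>
    [ValidateSet('CAS', 'Primary', 'Secondary')]
    [string] $SiteType       = 'Primary'
)

# Recommended compatibility level by SQL Server major version, taken from the table above.
$RecommendedCompat = @{ 16 = 150; 15 = 150; 14 = 140; 13 = 130; 12 = 110 }
$RequiredCollation = 'SQL_Latin1_General_CP1_CI_AS'   # the GB18030 exceptions aren't handled here

# Single-quoted here-strings keep $(db) for sqlcmd variable substitution rather than PowerShell.
$DbQuery = @'
SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32))  AS ProductVersion,
       CAST(SERVERPROPERTY('Edition')        AS nvarchar(128)) AS Edition,
       CAST(SERVERPROPERTY('Collation')      AS nvarchar(128)) AS ServerCollation,
       d.collation_name, d.compatibility_level, d.is_trustworthy_on, d.is_broker_enabled
FROM sys.databases AS d
WHERE d.name = N'$(db)';
'@

$ConfigQuery = @'
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN (N'clr enabled', N'nested triggers', N'min server memory (MB)');
'@

function Test-CMSiteDatabaseConfiguration {
    param([string]$ServerInstance, [string]$SiteDatabase, [string]$SiteType)

    $db = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $DbQuery `
                        -Variable "db=$SiteDatabase" -TrustServerCertificate
    if (-not $db) { throw "Database '$SiteDatabase' was not found on $ServerInstance." }

    $cfg = @{}
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $ConfigQuery -TrustServerCertificate |
        ForEach-Object { $cfg[$_.name] = [int]$_.value_in_use }

    $major       = [int](($db.ProductVersion -split '\.')[0])
    $recommended = $RecommendedCompat[$major]          # $null for a version the table doesn't list
    $minMemoryMB = if ($SiteType -eq 'Secondary') { 4096 } else { 8192 }   # 4 GB secondary, 8 GB CAS/primary

    $checks = [ordered]@{
        '64-bit SQL Server'                                 = ($db.Edition -like '*64-bit*')
        "Instance collation $RequiredCollation"             = ($db.ServerCollation -eq $RequiredCollation)
        "Database collation $RequiredCollation"             = ($db.collation_name -eq $RequiredCollation)
        "Compatibility level = recommended ($recommended)"  = ($null -ne $recommended -and [int]$db.compatibility_level -eq $recommended)
        'CLR integration enabled'                           = ($cfg['clr enabled'] -eq 1)
        'Nested triggers enabled'                           = ($cfg['nested triggers'] -eq 1)
        'Service Broker enabled on site database'           = ([bool]$db.is_broker_enabled)
        'TRUSTWORTHY ON'                                    = ([bool]$db.is_trustworthy_on)
        "Min server memory >= $minMemoryMB MB"              = ($cfg['min server memory (MB)'] -ge $minMemoryMB)
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

Test-CMSiteDatabaseConfiguration -ServerInstance $ServerInstance -SiteDatabase $SiteDatabase -SiteType $SiteType |
    Format-Table -AutoSize
```

Each row that reports Pass = False maps to one subsection above. A compatibility level that is higher than the recommended value is reported as a failure on purpose, because the table lists only the supported levels for each SQL Server version; lower the level with ALTER DATABASE rather than leaving it at whatever the upgrade produced.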

Optional configurations for SQL Server


The following configurations are optional for each database that uses a full SQL Server
installation.

SQL Server service


You can configure the SQL Server service to run using:

A low rights domain user account: This configuration is a best practice and might
require you to manually register the service principal name (SPN) for the account.

The local system account of the computer that runs SQL Server:
Use the local system account to simplify the configuration process.
When you use the local system account, Configuration Manager automatically
registers the SPN for the SQL Server service.
Using the local system account for the SQL Server service isn't a SQL Server best
practice.

When the computer running SQL Server doesn't use its local system account to run the
SQL Server service, configure the SPN of the account that runs the SQL Server service in
Active Directory Domain Services. (When the system account is used, the SPN is
automatically registered for you.)

For information about SPNs for the site database, see Manage the SPN for the site
database server.

For information about how to change the account that is used by the SQL Server service,
see SCM Services - Change the service startup account.

SQL Server Reporting Services


SQL Server Reporting Services is required for installing a reporting services point that
lets you run reports. Configuration Manager supports the same versions of SQL Server
for reporting as it does for the site database.

For more information, see Prerequisites for reporting in Configuration Manager.

) Important

After you upgrade SQL Server from a previous version, you might see the following
error: Report Builder Does Not Exist.

To resolve this error, you must reinstall the reporting services point site system role.

Data warehouse service point


The data warehouse uses a separate database. You can host it on the site database
server, or a separate SQL Server. For more information, see The data warehouse service
point for Configuration Manager.

SQL Server ports


For communication to the SQL Server database engine and for intersite replication, you
can use the default SQL Server port configurations or specify custom ports:

Intersite communications use the SQL Server Service Broker, which uses port TCP
4022 by default.

Intrasite communications between the SQL Server database engine and various
Configuration Manager site system roles use port TCP 1433 by default. The
following site system roles communicate directly with the SQL Server database:
Management point
SMS Provider computer
Reporting services point
Site server

When a computer running SQL Server hosts a database from more than one site, each
database must use a separate instance of SQL Server. Also, each instance must be
configured to use a unique set of ports.

Warning

Configuration Manager doesn't support dynamic ports. Because SQL Server named
instances by default use dynamic ports for connections to the database engine,
when you use a named instance, you must manually configure the static port that
you want to use for intrasite communication.

If you have a firewall enabled on the computer that is running SQL Server, make sure
that it's configured to allow the ports that are being used by your deployment and at
any locations on the network between computers that communicate with the SQL
Server.

For an example of how to configure SQL Server to use a specific port, see Configure a
server to listen on a specific TCP port.
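The following script is an added example, not code from the Configuration Manager documentation, and it serves both the SQL Server service account section above (the SPN requirement) and this ports section. Run it on the computer that hosts the site database: it reads the instance's TCP port from the registry, warns when a named instance still uses dynamic ports (which Configuration Manager doesn't support), derives the MSSQLSvc SPNs that the account running the SQL Server service needs and checks them with setspn, and prepares inbound firewall rules for the database port and the Service Broker port that are limited to the site systems that talk to SQL Server. The instance name, the Service Broker port and the site-system addresses are placeholders; setspn.exe is assumed to be present on the domain-joined server.

```powershell
# Added example; not code from the Configuration Manager documentation.
# Run on the site database server. Finds the instance's static TCP port, flags dynamic
# ports, checks the MSSQLSvc SPNs for the SQL Server service account, and stages
# firewall rules for the database port and the Service Broker port.
# Assumptions: instance name, broker port and site-system addresses are placeholders.

param(
    [string]   $InstanceName = 'MSSQLSERVER',                # default instance; e.g. 'CM' for a named one
    [int]      $BrokerPort   = 4022,                         # intersite Service Broker port (article default)
    [string[]] $SiteSystems  = @('10.0.0.10', '10.0.0.11'),  # placeholders: site server, MP, SMS Provider, RSP
    [switch]   $CreateRules                                  # without it, rules are only shown with -WhatIf
)

function Get-SqlTcpListener {
    param([string]$InstanceName)
    # 'Instance Names\SQL' maps an instance name to its instance ID (for example MSSQL15.CM).
    $names      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $instanceId = $names.$InstanceName
    if (-not $instanceId) { throw "SQL Server instance '$InstanceName' isn't registered on this computer." }
    $ipAll = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
    [pscustomobject]@{
        InstanceId   = $instanceId
        StaticPort   = $ipAll.TcpPort          # empty when no static port is configured
        DynamicPorts = $ipAll.TcpDynamicPorts  # non-empty ('0' or a port number) means dynamic ports are in use
    }
}

function Get-SqlServiceAccount {
    param([string]$InstanceName)
    $serviceName = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$InstanceName" }
    (Get-CimInstance -ClassName Win32_Service -Filter ("Name='{0}'" -f $serviceName)).StartName
}

function Get-ExpectedSqlSpn {
    param([string]$InstanceName, [int]$Port)
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    # SQL Server registers MSSQLSvc/fqdn (default instance) or MSSQLSvc/fqdn:instance (named), plus MSSQLSvc/fqdn:port.
    $byName = if ($InstanceName -eq 'MSSQLSERVER') { "MSSQLSvc/$fqdn" } else { "MSSQLSvc/${fqdn}:$InstanceName" }
    @($byName, "MSSQLSvc/${fqdn}:$Port")
}

function Test-SqlSpn {
    param([string]$Account, [string[]]$Expected)
    # Built-in and virtual accounts hold their SPNs on the computer object; a domain user holds them itself.
    $target     = if ($Account -match '^(LocalSystem|NT AUTHORITY\\|NT Service\\)') { $env:COMPUTERNAME } else { $Account }
    $registered = @(setspn.exe -L $target 2>$null)
    foreach ($spn in $Expected) {
        $pattern = '^\s*' + [regex]::Escape($spn) + '\s*$'
        [pscustomobject]@{ Account = $target; Spn = $spn; Registered = [bool]($registered -match $pattern) }
    }
}

$listener = Get-SqlTcpListener -InstanceName $InstanceName
if ($listener.DynamicPorts) {
    Write-Warning "Instance $InstanceName is configured for dynamic ports (TcpDynamicPorts='$($listener.DynamicPorts)'). Configuration Manager needs a static port: set TcpPort and clear TcpDynamicPorts in SQL Server Configuration Manager."
}
if (-not $listener.StaticPort) { throw "No static TCP port is configured for instance $InstanceName." }
$port    = [int]$listener.StaticPort
$account = Get-SqlServiceAccount -InstanceName $InstanceName

"Instance $InstanceName ($($listener.InstanceId)) listens on TCP $port; service account: $account"
Test-SqlSpn -Account $account -Expected (Get-ExpectedSqlSpn -InstanceName $InstanceName -Port $port) | Format-Table -AutoSize

# Inbound rules limited to the site systems; -WhatIf shows them unless -CreateRules is given.
foreach ($rule in @(@{ Name = "ConfigMgr SQL $InstanceName (TCP $port)"; Port = $port },
                    @{ Name = "ConfigMgr SQL Service Broker (TCP $BrokerPort)"; Port = $BrokerPort })) {
    New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Protocol TCP -LocalPort $rule.Port `
        -RemoteAddress $SiteSystems -Profile Domain -Action Allow -WhatIf:(-not $CreateRules)
}
```

A Registered = False row for a domain service account is the case the article describes as needing manual SPN registration; for the local system account the SPN should already be on the computer object. Scoping the rules with -RemoteAddress rather than opening the port to any host keeps the database reachable only from the roles listed above.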

Upgrade options for SQL Server


If you need to upgrade your version of SQL Server, use one of the following methods,
from easy to more complex:

Upgrade SQL Server in-place (recommended)

Install a new version of SQL Server on a new computer, and then use the database
move option of Configuration Manager setup to point your site server to the new
SQL Server

Use backup and recovery. Using backup and recovery for a SQL Server upgrade
scenario is supported. You can ignore the SQL Server versioning requirement when
reviewing Considerations before recovering a site.

Support for Active Directory domains in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

All Configuration Manager site systems must be members of a supported Active
Directory domain. Configuration Manager client computers can be domain members or
workgroup members.

Requirements and limitations


Domain membership also applies to site systems that support internet-based client
management in a perimeter network. (These networks are also known as a DMZ,
demilitarized zone, and screened subnet).

It's not supported to change the following configurations for a computer that
hosts a site system role:

Domain membership, including if you remove a site system from the domain,
and then rejoin the same domain.

Domain name

Computer name

Before making these changes, uninstall the site system role. To make these
changes to a site server, uninstall the site first. You can also consider creating a site
server in passive mode to help manage this change on a site server.

Configuration Manager supports domain and forest functional level of Windows
Server 2008 R2 or later.

Disjoint namespace
You can install Configuration Manager site systems and clients in a domain that has a
disjoint namespace.

In a disjoint namespace, the primary DNS suffix of a computer doesn't match the Active
Directory DNS domain name of that computer. Another disjoint namespace scenario
occurs if the NetBIOS domain name of a domain controller doesn't match the Active
Directory DNS domain name.

Disjoint scenarios
The following sections identify the supported scenarios for a disjoint namespace.

Scenario 1
The primary DNS suffix of the domain controller differs from the Active Directory DNS
domain name. Computers that are members of the domain can be either disjoint or not
disjoint.

The domain controller is disjoint in this scenario. Computers that are members of the
domain, such as site servers and computers, can have a primary DNS suffix that either
matches:

The primary DNS suffix of the domain controller


The Active Directory DNS domain name

Scenario 2
A member computer in an Active Directory domain is disjoint, even though the domain
controller isn't disjoint.

In this scenario, the primary DNS suffix of a site system differs from the Active Directory
DNS domain name. The primary DNS suffix of the domain controller is the same as the
Active Directory DNS domain name. Member computers that are Configuration
Manager clients can have a primary DNS suffix that either matches:

The primary DNS suffix of the disjoint site system server


The Active Directory DNS domain name

Configure disjoint namespace


To allow a computer to access domain controllers that are disjoint, change the
msDS-AllowedDNSSuffixes Active Directory attribute on the domain object container. Add
both DNS suffixes to the attribute.

To make sure that the DNS suffix search list contains all the DNS namespaces in the
organization, configure the search list for each computer in the disjoint domain. Include
the following suffixes in the list of namespaces:
The primary DNS suffix of the domain controller
The DNS domain name
Any additional namespaces for other servers that Configuration Manager might
communicate with

You can use group policy to configure the Domain Name System (DNS) suffix search
list.

Important

When you reference a computer in Configuration Manager, enter the computer by
using its primary DNS suffix. This suffix should match the fully qualified domain
name that's registered as the dnsHostName attribute in the Active Directory
domain and the service principal name that's associated with the system.
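The script below is an added example, not code from the Configuration Manager documentation. Run it on a site system (or client) that sits in a disjoint namespace; it checks the items this section lists: that the computer's primary DNS suffix is permitted by msDS-AllowedDNSSuffixes on the domain object, that the local DNS suffix search list contains every required namespace, and that the computer object's dNSHostName and HOST SPN agree with the name you would enter in Configuration Manager. With -Fix it adds the missing suffixes (the search list is normally set through group policy, as the article says; the local change is for a lab or a one-off). It assumes the RSAT ActiveDirectory module and the DnsClient module are present, that the account running it may write the domain object when -Fix is used, and that the suffixes are placeholders.

```powershell
# Added example; not code from the Configuration Manager documentation.
# Verifies the disjoint-namespace prerequisites from this section on the local computer.
# Assumptions: ActiveDirectory (RSAT) and DnsClient modules available; suffixes are placeholders.

param(
    # placeholders: the DC's primary DNS suffix, the AD DNS domain name, and any other namespace ConfigMgr talks to
    [string[]] $RequiredSuffixes = @('corp.contoso.com', 'contoso.com'),
    [switch]   $Fix
)
Import-Module ActiveDirectory

function Get-DisjointNamespaceState {
    param([string[]]$RequiredSuffixes)

    $domain    = Get-ADDomain
    $domainObj = Get-ADObject -Identity $domain.DistinguishedName -Properties 'msDS-AllowedDNSSuffixes'
    $allowed   = @($domainObj.'msDS-AllowedDNSSuffixes')

    $computer  = Get-ADComputer -Identity $env:COMPUTERNAME -Properties DNSHostName, ServicePrincipalName
    $fqdn      = $computer.DNSHostName
    # Primary DNS suffix as the OS sees it (what Configuration Manager expects you to enter).
    $primary    = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Domain
    $isDisjoint = ($primary -ne $domain.DNSRoot)
    $searchList = @((Get-DnsClientGlobalSetting).SuffixSearchList)
    $hostSpn    = "HOST/$fqdn"

    [pscustomobject]@{
        DomainDnsName         = $domain.DNSRoot
        PrimaryDnsSuffix      = $primary
        IsDisjoint            = $isDisjoint
        SuffixAllowedInAD     = ((-not $isDisjoint) -or ($allowed -contains $primary))
        MissingAllowed        = @($RequiredSuffixes | Where-Object { $allowed -notcontains $_ })
        MissingFromSearchList = @($RequiredSuffixes | Where-Object { $searchList -notcontains $_ })
        DnsHostNameMatches    = ($fqdn -eq "${env:COMPUTERNAME}.${primary}")
        HostSpnRegistered     = ($computer.ServicePrincipalName -contains $hostSpn)
        DomainDN              = $domain.DistinguishedName
    }
}

function Repair-DisjointNamespace {
    param($State)
    if ($State.MissingAllowed.Count -gt 0) {
        # Multi-valued attribute on the domain object: add, don't replace, the existing suffixes.
        Set-ADObject -Identity $State.DomainDN -Add @{ 'msDS-AllowedDNSSuffixes' = $State.MissingAllowed }
    }
    if ($State.MissingFromSearchList.Count -gt 0) {
        $current = @((Get-DnsClientGlobalSetting).SuffixSearchList)
        Set-DnsClientGlobalSetting -SuffixSearchList ($current + $State.MissingFromSearchList)
    }
}

$state = Get-DisjointNamespaceState -RequiredSuffixes $RequiredSuffixes
$state | Format-List
if ($Fix) { Repair-DisjointNamespace -State $state }
```

IsDisjoint = True together with SuffixAllowedInAD = False is the combination that stops a disjoint site system from authenticating to its domain controllers; DnsHostNameMatches = False or HostSpnRegistered = False means the name you type into the console won't line up with the computer object, which is the condition the Important note above warns about.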

Single label domains


Configuration Manager supports site systems and clients in a single label domain when
the following criteria are met:

Configure the single label domain in Active Directory Domain Services with a
disjoint DNS namespace that has a valid top-level domain.

For example: The single label domain of Contoso is configured to have a disjoint
namespace in DNS of contoso.com. When you specify the DNS suffix in
Configuration Manager for a computer in the Contoso domain, you specify
"Contoso.com" and not "Contoso".

The distributed component object model (DCOM) connections between site
servers in the system context must be successful by using Kerberos authentication.

Support for Windows features and
networks in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article identifies Configuration Manager support for common Windows and
networking features.

BranchCache
Use Windows BranchCache with Configuration Manager when you enable it on
distribution points, and configure clients to use it in distributed cache mode.

Configure the BranchCache settings on a deployment type for applications, on the
deployment for a package, and for task sequences. BranchCache is enabled by default.

When the requirements for BranchCache are met, this feature enables clients in remote
locations to obtain content from local clients that have a current cache of the content.

For example, when the first BranchCache-enabled client requests content from a
distribution point that's configured as a BranchCache server, the client downloads and
caches the content. This content is then made available for clients on the same subnet
that requested this content.

These clients also cache the content. Other clients on the same subnet don't have to
download content from the distribution point. The content is distributed across multiple
clients for future transfers.

Requirements to support BranchCache with Configuration Manager

Configure distribution points


Add the Windows BranchCache feature to the site system server that's configured as a
distribution point.

Distribution points on servers that are configured to support BranchCache require
no additional configuration.

You can't add Windows BranchCache to a content-enabled cloud management
gateway. CMGs do support the download of content by clients that are configured
for Windows BranchCache.

Configure clients
The clients that can support BranchCache must be configured for BranchCache
distributed cache mode.
The OS setting for BITS client settings must be enabled to support BranchCache.

For information, see configure clients for BranchCache in the Windows documentation.

All Configuration Manager supported versions of Windows support BranchCache by
default.

For more information, see BranchCache for Windows in the Windows Server
documentation.

Computers in workgroups
Configuration Manager provides support for clients in workgroups.

Configuration Manager supports moving a client from a workgroup to a domain or
from a domain to a workgroup. For more information, see How to install
Configuration Manager clients on workgroup computers.

Note

Although clients in workgroups are supported, all site systems must be members of
a supported Active Directory domain.

Data deduplication
Configuration Manager supports the use of data deduplication with distribution points
on Windows Server 2012 or later.

Important

The volume that hosts package source files can't be marked for data deduplication.
This limitation is because data deduplication uses reparse points. Configuration
Manager doesn't support using a content source location with files stored on
reparse points.

For more information, see the following posts:

Configuration Manager distribution points and Windows Server 2012 data
deduplication on the Configuration Manager team blog

Data deduplication overview in the Windows Server documentation

DirectAccess
Configuration Manager supports the DirectAccess feature for communication between
clients and site server systems.

When all the requirements for DirectAccess are met, it enables Configuration
Manager clients on the internet to communicate with their assigned site as if they
were on the intranet.

For server-initiated actions, such as remote control and client push installation, the
initiating computer must be running IPv6. This protocol must be supported on all
intervening networking devices.

Configuration Manager doesn't support the following functionality over DirectAccess:

OS deployment

Communication between Configuration Manager sites

Communication between Configuration Manager site system servers within a site

Dual-boot computers
Configuration Manager can't manage more than one OS on a single computer. If there's
more than one OS on a computer to manage, adjust the site's discovery and client
installation methods to ensure that the Configuration Manager client is installed only on
the OS that has to be managed.

IPv6
In addition to Internet Protocol version 4 (IPv4), Configuration Manager supports
Internet Protocol version 6 (IPv6), with the following exceptions:

Function                      Exception to IPv6 support
Cloud management gateway      IPv4 is required to support Microsoft Azure and the cloud management gateway.
Network Discovery             IPv4 is required when you configure a DHCP server to search in Network Discovery.
OS deployment                 Capturing or setting static IP addresses during the task sequence requires IPv4.
Wake-up proxy communication   IPv4 is required to support the client wake-up proxy packets.

Network Address Translation


Network Address Translation (NAT) isn't supported in Configuration Manager, unless the
site supports clients that are on the internet and the client detects that it's connected to
the internet. For more information about internet-based client management, see Plan
for managing internet-based clients.

Specialized storage technology


Configuration Manager works with any hardware that's certified on the Windows
Hardware Compatibility List for the version of the OS that the Configuration Manager
component is installed on.

Site server roles require NTFS, so that Configuration Manager can set directory and file
permissions. Configuration Manager assumes that it has complete ownership of a
logical drive. Site systems that run on separate computers can't share a logical partition
on any storage technology. However, each computer can use a separate logical partition
on the same physical partition of a shared storage device.

Support considerations
Storage Area Network: A Storage Area Network (SAN) is supported when a
supported Windows-based server is attached directly to the volume that's hosted
by the SAN.

Single Instance Storage: Configuration Manager doesn't support configuration of
distribution point package and signature folders on a Single Instance Storage (SIS)-
enabled volume. Additionally, the cache of a Configuration Manager client isn't
supported on a SIS-enabled volume.

Removable disk drive: Configuration Manager doesn't support the installation of
Configuration Manager site systems or clients on a removable disk drive.

Next steps
Support for virtualization environments with Configuration Manager

Support for virtualization environments
with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager supports installing the client and site system roles on supported
operating systems that run as a virtual machine (VM) in certain virtualization
environments. This support exists even when the virtual host (virtualization environment)
isn't supported as a client or site server.

For example, you use Microsoft Hyper-V Server 2016 to host a VM that runs Windows
Server 2019. You can install the client or site system roles on the VM running Windows
Server 2019. You can't install the client on the host running Microsoft Hyper-V Server
2016.

Virtualization environments
Windows Server 2022 (starting in version 2107)
Windows Server 2019
Windows Server 2016 Note 1
Microsoft Hyper-V Server 2016 Note 1
Windows Server 2012 R2
Microsoft Hyper-V Server 2012
Windows Server 2012

Note

Configuration Manager doesn't support nested virtualization, which is new with
Windows Server 2016.

Virtualization environment support


Each virtual computer needs the same or greater hardware and software requirements
that you would use for a physical Configuration Manager computer.

To validate that Configuration Manager supports your virtualization environment, use
the Server Virtualization Validation Program. It includes an online Virtualization Program
Support Policy Wizard. For more information, see Windows Server Virtualization
Validation Program.

Configuration Manager can't manage VMs if they're offline. The Configuration Manager
client on the host computer can't manage an offline VM image. For example, it can't
install software updates or collect hardware inventory.

In general, Configuration Manager gives no special consideration to VMs. For example,
if you stop a VM, and don't save its state, Configuration Manager might not determine if
it has to reinstall a software update.

To help with Configuration Manager client performance in virtual environments that
support multiple user sessions, it disables user policy by default. Starting in version
1910, you can enable user policy in this scenario. For more information, see About client
settings - Enable user policy for multiple user sessions.

Microsoft Azure VMs


Configuration Manager can run on infrastructure as a service (IaaS) VMs in Azure just as
it runs on-premises within your data center. Use Configuration Manager with Azure VMs
in the following scenarios:

Scenario 1: Run Configuration Manager on an Azure VM. Use it to manage clients
on other Azure VMs.

Scenario 2: Run Configuration Manager on an Azure VM. Use it to manage clients
that aren't running on Azure.

Scenario 3: Run different Configuration Manager site system roles on Azure VMs.
Run other roles in your on-premises data center, properly connected to Azure.

Note

These scenarios also apply to IaaS VMs on Azure Stack Hub.

The same Configuration Manager requirements for networks, supported configurations,
and hardware requirements also apply to Azure VMs.

For more information, see Configuration Manager on Azure FAQ.

Important

Configuration Manager sites and clients that run on Azure VMs are subject to the
same license requirements as on-premises installations.

Azure Virtual Desktop


Azure Virtual Desktop is a desktop and app virtualization service that runs on Microsoft
Azure. Use Configuration Manager to manage these virtual devices running Windows in
Azure. For more information, see Supported operating systems for clients and devices.

Next steps
Manage Configuration Manager clients in a virtual desktop infrastructure (VDI)

Size and scale numbers for
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Each Configuration Manager deployment has a maximum number of sites, site system
roles, and devices that it can support. These numbers vary depending on your hierarchy
structure, what types and numbers of sites you use, and the site system roles that you
deploy. The information in this article can help you determine the number of site system
roles and sites that you need to support the devices you expect to manage.

For more information, see the following articles:

Recommended hardware
Supported operating systems for site system servers
Supported operating systems for clients and devices
Site and site system prerequisites

These support numbers are based on using the recommended hardware for
Configuration Manager. They're also based on the default settings for all available
Configuration Manager features. When you don't use the recommended hardware or
use more aggressive custom settings, the performance of site systems can degrade. The
site systems might not meet the stated levels of support. (An example of more
aggressive client settings is running hardware or software inventory more frequently
than the defaults of once every seven days.)

Site types

Central administration site

A central administration site supports up to 25 child primary sites.

Primary site
Each primary site supports up to 250 secondary sites.

The number of secondary sites per primary site is based on continuously connected and reliable wide area network (WAN) connections. For locations that have fewer than 500 clients, consider a distribution point instead of a secondary site.

For information about the number of clients and devices that a primary site can
support, see Client numbers for sites and hierarchies.

Secondary site
Secondary sites don't support child sites.

Site system roles

Cloud management gateway

Unless otherwise noted, this guidance is the same for all deployment models and VM sizes.

You can install multiple instances of the cloud management gateway (CMG) at
primary sites, or the central administration site (CAS).

Tip

In a hierarchy, create the CMG at the CAS.

One CMG supports up to 16 virtual machine (VM) instances in the Azure cloud
service.

Simultaneous client connections per each CMG VM instance depend upon the
deployment model and VM size. When the CMG is under high load with more than
the supported number of clients, it still handles requests but there may be delay.

Virtual machine scale set (version 2107 and later):

Lab (B2s): 10
Standard (A2_v2): 6,000
Large (A4_v2): 10,000

Important

The Lab (B2s) size VM is only intended for lab testing and small proof-of-
concept environments. They aren't intended for production use with the
CMG. The B2s VMs are low cost and low performing. The Configuration
Manager technical preview branch only supports 10 clients, which is why
this size supports that number of clients.

Virtual machine scale set (version 2010 and 2103 for Cloud Service Provider
(CSP) subscriptions): 2,000

Cloud service (classic) (version 2111 and earlier): 6,000

Important

Starting in version 2203, the option to deploy a CMG as a cloud service (classic) is removed. All CMG deployments should use a virtual machine scale set. For more information, see Removed and deprecated features.

For more information, see CMG Performance and scale.

Cloud management gateway connection point

This guidance is the same for all deployment models and VM sizes.

You can install multiple instances of the CMG connection point at primary sites.

One CMG connection point can support a CMG with up to four VM instances. If the
CMG has more than four VM instances, add a second CMG connection point for
load balancing. A CMG with 16 VM instances should be linked with four CMG
connection points.

Note

When considering hardware requirements for the CMG connection point, see
Recommended hardware for remote site system servers.

For more information, see CMG Performance and scale.

Distribution point
Distribution points per site:

Each primary and secondary site supports up to 250 distribution points.

Each primary and secondary site supports up to 2,000 additional distribution points that are configured as pull-distribution points. For example, a single primary site supports 2,250 distribution points when 2,000 of those distribution points are configured as pull-distribution points.

Each distribution point supports connections from up to 4,000 clients.

A pull-distribution point acts like a client when it accesses content from a source
distribution point.

Each primary site supports a combined total of up to 5,000 distribution points. This
total includes all the distribution points at the primary site and all the distribution
points that belong to the primary site's child secondary sites.

Each distribution point supports a combined total of up to 10,000 packages and applications.

Warning

The actual number of clients that one distribution point can support depends on
the speed of the network and the hardware configuration of the server.

The number of pull-distribution points that one source distribution point can
support similarly depends on the speed of the network and the hardware
configuration of the source distribution point. But this number is also affected by
the amount of content that you've deployed. This effect is because, unlike clients
that typically access content at different times during a deployment, all pull-
distribution points request content at the same time. Pull-distribution points can
request all available content, not just the content that is applicable to them. When
you place a high processing load on a source distribution point, there can be
unexpected delays in distributing the content to the target distribution points.

Fallback status point

Each fallback status point can support up to 100,000 clients.

Management point
Each primary site supports up to 15 management points.

Tip

Don't install management points on servers that are across a slow link from
the primary site server or the site database server. If the management point is
not in the same data center (also referred to as a fast link), you can experience
latency on state and status messages. If you have a requirement for a remote
management point, consider using a secondary site instead. This will avoid
backlog issues for state and status messages.

Each secondary site supports a single management point that must be installed on
the secondary site server.

For information about the number of clients and devices that a management point can
support, see the Management points section.

Note

If you enable the management point to support a cloud management gateway, it services internet-based client requests per normal. Sizing guidance for a management point doesn't change whether it services on-premises or internet-based clients.

Software update point

Use the following recommendations as a baseline. This baseline helps you determine the information for the software updates capacity planning that is appropriate to your organization. The actual capacity requirements might vary from the recommendations listed in this article depending on the following criteria:

Your specific networking environment
The hardware that you use to host the software update point site system
The number of managed clients
The other site system roles installed on the server

Note

If you enable the software update point to support a cloud management gateway,
it services internet-based client requests per normal. Sizing guidance for a software
update point doesn't change whether it services on-premises or internet-based
clients.

Capacity planning for the software update point

The number of supported clients depends on the version of Windows Server Update Services (WSUS) that runs on the software update point. It also depends on whether the software update point site system role coexists with another site system role:

The software update point can support up to 25,000 clients when WSUS runs on
the software update point server, and the software update point coexists with
another site system role.

The software update point can support up to 150,000 clients when a remote server
meets WSUS requirements, WSUS is used with Configuration Manager, and you
configure the following settings:

IIS Application Pools:

Increase the WsusPool Queue Length to 2000

Increase the WsusPool Private Memory limit by four times, or set it to 0 (unlimited). For example, if the default limit is 1,843,200 KB, increase it to 7,372,800 KB. For more information, see WSUS best practices.

For more information about hardware requirements for the software update
point, see Recommended hardware for site systems.

Capacity planning for software updates objects

Use the following capacity information to plan for software updates objects:

Limit of 1000 software updates in a deployment - Limit the number of software updates to 1000 for each software update deployment. When you create an automatic deployment rule (ADR), specify criteria that limit the number of software updates. The ADR fails when the specified criteria return more than 1000 software updates. Check the status of the ADR from the Automatic Deployment Rules node in the Configuration Manager console. When you manually deploy software updates, don't select more than 1000 updates to deploy.

Also limit the number of software updates to 1000 in a configuration baseline. For
more information, see Create configuration baselines.

Limit of 580 security scopes for automatic deployment rules - Limit the number of security scopes on automatic deployment rules (ADRs) to less than 580. When you create an ADR, the security scopes that have access to it are automatically added. If there are more than 580 security scopes set, the ADR will fail to run and an error is logged in ruleengine.log.

SMS Provider
Each instance of the SMS Provider supports simultaneous connections from multiple
requests. The only limitations on these connections are the number of server
connections that are available to Windows, and the available resources on the server to
service the connection requests.

For more information, see Plan for the SMS Provider.

The administration service is a REST API on every instance of the SMS Provider. It
supports up to 5,000 requests per second, and 200 requests per client IP address.

Client numbers for sites and hierarchies

Use the following information to determine how many clients and which types of clients you can support at a site or in a hierarchy.

Hierarchy with a central administration site

A central administration site supports a total number of devices that includes up to the number of devices listed for the following three groups:

700,000 Windows desktops. Also see support for embedded devices.

25,000 devices that run macOS

100,000 devices that you manage by using on-premises mobile device management (MDM)

For example, in a hierarchy you can support 700,000 desktops, up to 25,000 macOS
devices, and up to 100,000 devices managed by on-premises MDM. This hierarchy
supports a total of 825,000 devices.

Important

In a hierarchy where the central administration site uses a Standard edition of SQL Server, the hierarchy supports a maximum of 50,000 desktops and devices. To support more than 50,000 desktops and devices, you must use an Enterprise edition of SQL Server. This requirement applies only to a central administration site. It doesn't apply to a stand-alone primary site or a child primary site. The edition of SQL Server you use for a primary site doesn't limit its capacity to support the stated number of clients.

The edition of SQL Server that is in use at a stand-alone primary site doesn't limit that site's capacity to support up to the stated number of clients.

Child primary site

Each child primary site in a hierarchy with a central administration site supports the following number of clients:

150,000 total clients and devices that aren't limited to a specific group or type, as long as support doesn't exceed the number that is supported for the hierarchy. Also see support for embedded devices.

For example, a primary site supports 25,000 macOS devices. That number is the limit for
a hierarchy. This primary site can then support an additional 125,000 desktop
computers. The total number of supported devices for the child primary site is the
supported maximum limit of 150,000.

Stand-alone primary site

A stand-alone primary site supports the following number of devices:

175,000 total clients and devices, not to exceed:

150,000 Windows clients. Also see support for embedded devices.

25,000 devices that run macOS

50,000 devices that you manage by using on-premises MDM

For example, a stand-alone primary site that supports 150,000 desktops and 10,000
Macs can only support an additional 15,000 mobile devices managed by on-premises
MDM.

Primary sites and Windows Embedded devices

Primary sites support Windows Embedded devices that have File-Based Write Filters
(FBWF) enabled. When embedded devices don't have write filters enabled, a primary site
can support a number of embedded devices up to the allowed number of devices for
that site. When embedded devices have FBWF or Unified Write Filters (UWF) enabled, a
primary site can support a maximum of 10,000 Windows embedded devices. These
devices must be configured with the exceptions listed in the important note found in
the Planning for client deployment to Windows Embedded devices. A primary site
supports only 3,000 Windows Embedded devices that have EWF enabled and that are
not configured for the exceptions.

Secondary sites
Secondary sites support the following number of devices:

15,000 Windows clients

Management points
Each management point can support the following number of devices:

25,000 total clients and devices, not to exceed:

25,000 Windows clients

One of the following (not both):

10,000 devices that are managed by using on-premises MDM

10,000 devices that run macOS


Recommended hardware for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The following recommendations are guidelines to help you scale your Configuration
Manager environment to support more than a very basic deployment of sites, site
systems, and clients. They aren't intended to cover all possible site and hierarchy
configurations.

Use the information in the following sections as a guide to help you plan for hardware.
Make sure your hardware can meet the processing loads for clients and sites that use
the available Configuration Manager features.

Site systems
This section provides recommended hardware configurations for Configuration
Manager site systems. Use these recommendations to support the maximum number of
clients and use most or all Configuration Manager features. If your environment
supports less than the maximum number of clients, and doesn't use all available
features, it might require less resources. In general, the following key factors limit
performance of the overall system:

1. Disk I/O performance

2. Available memory

3. CPU

For best performance, use RAID 10 configurations for all data drives and a 1-Gbps
Ethernet network.

Site servers

Site configuration | CPU (cores) | Memory (GB) | Memory allocation for SQL Server (%)
Stand-alone primary site server with a database site role on the same server (Note 1) | 16 | 96 | 80
Stand-alone primary site server with a remote site database | 8 | 16 | -
Remote database server for a stand-alone primary site | 16 | 72 | 90
Central administration site server with a database site role on the same server (Note 1) | 20 | 128 | 80
Central administration site server with a remote site database | 8 | 16 | -
Remote database server for a central administration site | 16 | 96 | 90
Child primary site with a database site role on the same server | 16 | 96 | 80
Child primary site server with a remote site database | 8 | 16 | -
Remote database server for a child primary site | 16 | 72 | 90
Secondary site server | 8 | 16 | -

Note 1: Collocated SQL

When you install the site server and SQL Server on the same computer, the deployment
supports the maximum sizing and scale numbers for sites and clients. This configuration
can limit high availability options, like using a SQL Server Always On failover cluster
instance. If you have a larger environment, because of the higher I/O requirements to
support both roles on the same computer, consider using a remote SQL Server.

Remote site system servers

The following guidance is for computers that hold a single site system role. Plan to adjust when you install multiple site system roles on the same computer.

Site system role | CPU (cores) | Memory (GB) | Disk space (GB)
Management point | 4 | 8 | 50
Distribution point | 2 | 8 | As required by the OS and to store content that you deploy
Software update point (Note 2) | 8 | 16 | As required by the OS and to store updates that you deploy
All other site system roles | 4 | 8 | 50

Note 2: WSUS configurations

The computer that hosts a software update point requires the following configurations for IIS application pools:

Increase the WsusPool Queue Length to 2000.

Increase the WsusPool Private Memory limit by four times, or set it to 0 (unlimited).
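
The two WsusPool settings above, and the same settings listed under Capacity planning for the software update point, are normally changed by hand in IIS Manager. The following script is an added example (not part of the Configuration Manager or WSUS documentation) that applies them with the IIS WebAdministration module and shows the before and after values. It assumes WSUS runs on the local server, that the application pool has the default name WsusPool, and that the script runs elevated.

```powershell
# Added example, not from the Configuration Manager or WSUS documentation.
# Applies the WsusPool settings recommended on this page (queue length 2000,
# private memory limit x4 or unlimited) and reports the before/after values.
# Assumptions: WSUS is on the local server, the IIS application pool is named
# "WsusPool" (the WSUS default), and the WebAdministration module is available.
#Requires -RunAsAdministrator
Import-Module WebAdministration

function Set-WsusPoolLimits {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$PoolName = 'WsusPool',
        [int]$QueueLength = 2000,
        # Private memory limit in KB. 0 = unlimited. Omit to multiply the current limit by four.
        [Nullable[int64]]$PrivateMemoryKB = $null,
        [switch]$Restart
    )
    $poolPath = "IIS:\AppPools\$PoolName"
    if (-not (Test-Path $poolPath)) { throw "Application pool '$PoolName' not found." }

    $pool   = Get-Item $poolPath
    $before = [pscustomobject]@{
        QueueLength     = [int64]$pool.queueLength
        PrivateMemoryKB = [int64]$pool.recycling.periodicRestart.privateMemory
    }

    # Page guidance: increase the limit by four times, or set it to 0 (unlimited).
    # A current value of 0 already means unlimited, so leave it at 0.
    if ($null -eq $PrivateMemoryKB) {
        $PrivateMemoryKB = if ($before.PrivateMemoryKB -gt 0) { $before.PrivateMemoryKB * 4 } else { 0 }
    }

    $change = "queueLength=$QueueLength, privateMemory=${PrivateMemoryKB}KB"
    if ($PSCmdlet.ShouldProcess($PoolName, $change)) {
        Set-ItemProperty -Path $poolPath -Name queueLength -Value $QueueLength
        Set-ItemProperty -Path $poolPath -Name recycling.periodicRestart.privateMemory -Value ([int64]$PrivateMemoryKB)
        if ($Restart) { Restart-WebAppPool -Name $PoolName }
    }

    $pool = Get-Item $poolPath
    [pscustomobject]@{
        Pool                  = $PoolName
        QueueLengthBefore     = $before.QueueLength
        QueueLengthAfter      = [int64]$pool.queueLength
        PrivateMemoryKBBefore = $before.PrivateMemoryKB
        PrivateMemoryKBAfter  = [int64]$pool.recycling.periodicRestart.privateMemory
    }
}

# Preview first, then apply and recycle the pool. With the WSUS default of
# 1,843,200 KB the multiplied limit is 7,372,800 KB, the figure given on this page.
Set-WsusPoolLimits -WhatIf
Set-WsusPoolLimits -Restart
```

Run it once per software update point; a server that hosts WSUS for more than one software update point still has a single WsusPool, so the change applies to all of them. Leave out -Restart if you prefer to let the pool recycle on its own schedule.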

Disk space for site systems

Disk allocation and configuration contribute to the performance of Configuration Manager. Because each Configuration Manager environment is different, the values that you implement can vary from the following guidance.

For the best performance, place each object on a separate, dedicated RAID volume. For
all data volumes for Configuration Manager and its database files, use RAID 10 for the
best performance.

Data usage | Minimum disk space | 25,000 clients | 50,000 clients | 100,000 clients | 150,000 clients | 700,000 clients (central administration site)
Configuration Manager application and log files | 25 GB | 50 GB | 100 GB | 200 GB | 300 GB | 200 GB
Site database .mdf file | 75 GB for every 25,000 clients | 75 GB | 150 GB | 300 GB | 500 GB | 2 TB
Site database .ldf file | 25 GB for every 25,000 clients | 25 GB | 50 GB | 100 GB | 150 GB | 100 GB
Temp database files (.mdf and .ldf) | As needed | As needed | As needed | As needed | As needed | As needed

For the Windows system disk, see sizing guidance for the installed OS version.

For content on distribution points, it depends upon your deployments. This guidance
doesn't include the disk space required for the content library on the site server or
distribution points. For more information, see The content library.

When you plan for disk space requirements, consider the following guidelines:

Each client requires about 5-10 MB of space in the database. This number depends
upon the hierarchy type, the configuration, and the number of clients. The size can
be less for larger environments. Smaller sites have greater database usage per
client.

For the primary site's temp database, plan for a combined size that is 25% to 30%
of the site database .mdf file. The actual size can be smaller or larger. It depends
on the performance of the site server and the volume of incoming data over both
short and long periods of time.

Note

When you have 50,000 or more clients at a site, plan to use four or more temp
database .mdf files.

The temp database size for a central administration site is typically much smaller
than for a primary site.

If you use SQL Server Express for the secondary site database, it limits the database
size to 10 GB.
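
The table and the guidelines above give several overlapping rules (per-tier table values, 75 GB and 25 GB per 25,000 clients, 5-10 MB per client, tempdb at 25-30% of the .mdf with four or more data files at 50,000 clients). The following function is an added example, not part of the Configuration Manager documentation, that combines those rules into one estimate for a primary site or CAS database and flags the client limits from the Size and scale numbers article. The rounding, the one-file tempdb fallback below 50,000 clients, and the use of the 25k-150k columns for a smaller CAS are assumptions of this example, not statements from the page.

```powershell
# Added example, not from the Configuration Manager documentation. Combines the
# disk sizing guidance on this page into one estimate for a site database.
# Page figures used: 5-10 MB per client in the .mdf; 75 GB .mdf and 25 GB .ldf per
# 25,000 clients; tempdb at 25-30% of the .mdf with >= 4 data files at 50,000+
# clients; the per-tier table values; the 150,000 (child primary), 175,000
# (stand-alone primary), 700,000 (CAS) and 50,000 (CAS on SQL Standard) limits.
# Assumptions: rounding, one tempdb file below 50,000 clients, and applying the
# 25k-150k columns to a CAS that manages fewer than 700,000 clients.
function Get-CMSiteDbSizeEstimate {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 700000)][int]$ClientCount,
        [ValidateSet('StandalonePrimary', 'ChildPrimary', 'CAS')][string]$SiteType = 'StandalonePrimary',
        [ValidateSet('Standard', 'Enterprise')][string]$SqlEdition = 'Enterprise'
    )
    # Table rows from this page, in GB. The 700k row is the CAS column.
    $tiers = @(
        [pscustomobject]@{ Clients = 25000;  AppGB = 50;  MdfGB = 75;   LdfGB = 25  },
        [pscustomobject]@{ Clients = 50000;  AppGB = 100; MdfGB = 150;  LdfGB = 50  },
        [pscustomobject]@{ Clients = 100000; AppGB = 200; MdfGB = 300;  LdfGB = 100 },
        [pscustomobject]@{ Clients = 150000; AppGB = 300; MdfGB = 500;  LdfGB = 150 },
        [pscustomobject]@{ Clients = 700000; AppGB = 200; MdfGB = 2048; LdfGB = 100 }
    )
    $tier = $tiers | Where-Object { $_.Clients -ge $ClientCount } | Select-Object -First 1

    # "75 GB for every 25,000 clients" and "25 GB for every 25,000 clients", rounded up.
    $blocks    = [math]::Ceiling($ClientCount / 25000)
    $mdfByRule = 75 * $blocks
    $ldfByRule = 25 * $blocks

    # Per-client estimate of 5-10 MB each, in GB.
    $mdfPerClientLowGB  = [math]::Round($ClientCount * 5  / 1024, 1)
    $mdfPerClientHighGB = [math]::Round($ClientCount * 10 / 1024, 1)

    # Tempdb: 25-30% of the planning .mdf size (the larger of table and rule values).
    $planMdf      = [math]::Max($tier.MdfGB, $mdfByRule)
    $tempdbLowGB  = [math]::Ceiling($planMdf * 0.25)
    $tempdbHighGB = [math]::Ceiling($planMdf * 0.30)
    $tempdbFiles  = if ($ClientCount -ge 50000) { 4 } else { 1 }   # 1 is an assumption

    $warnings = @()
    switch ($SiteType) {
        'ChildPrimary'      { if ($ClientCount -gt 150000) { $warnings += 'Exceeds the 150,000-client limit for a child primary site.' } }
        'StandalonePrimary' { if ($ClientCount -gt 175000) { $warnings += 'Exceeds the 175,000-device limit for a stand-alone primary site.' } }
        'CAS'               { if ($SqlEdition -eq 'Standard' -and $ClientCount -gt 50000) {
                                  $warnings += 'A CAS on SQL Server Standard edition supports at most 50,000 devices; use Enterprise edition.' } }
    }
    if ($SiteType -ne 'CAS' -and $ClientCount -gt 150000) {
        $warnings += 'Primary site table values on this page stop at 150,000 clients; the 700k column is for a CAS.'
    }

    [pscustomobject]@{
        SiteType           = $SiteType
        ClientCount        = $ClientCount
        TableTierClients   = $tier.Clients
        AppAndLogFilesGB   = $tier.AppGB
        MdfGB_Table        = $tier.MdfGB
        MdfGB_Per25kRule   = $mdfByRule
        MdfGB_PerClient    = "$mdfPerClientLowGB-$mdfPerClientHighGB"
        LdfGB_Table        = $tier.LdfGB
        LdfGB_Per25kRule   = $ldfByRule
        TempDbGB           = "$tempdbLowGB-$tempdbHighGB"
        TempDbDataFilesMin = $tempdbFiles
        Warnings           = $warnings
    }
}

Get-CMSiteDbSizeEstimate -ClientCount 60000 -SiteType ChildPrimary
Get-CMSiteDbSizeEstimate -ClientCount 80000 -SiteType CAS -SqlEdition Standard
```

Use the largest of the three .mdf figures as the planning number; the per-client range is the one most likely to be too small for a small site, because, as the page notes, smaller sites have greater database usage per client.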

Clients
This section provides recommended hardware configurations for computers that you
manage by using Configuration Manager client software.

Client for Windows computers

The following minimum requirements are for Windows-based computers that you manage by using Configuration Manager, including embedded editions:

Processor and memory: Refer to the processor and RAM requirements for the OS.

Disk space: 500 MB of available disk space, with 5 GB recommended for the
Configuration Manager client cache. If you use customized settings to install the
Configuration Manager client, less disk space is required.

Use the client.msi property SMSCACHESIZE to set a cache size smaller than the
default of 5120 MB. The minimum size is 1 MB. The following example creates a
2-MB cache: CCMSetup.exe SMSCACHESIZE=2

For more information, see About client installation properties.

Tip

Installing the client with minimal disk space is useful for Windows
Embedded devices that typically have smaller disk sizes than standard
Windows computers.

The following minimum hardware requirements are for optional functionality in Configuration Manager:

OS deployment: At least 384 MB of RAM

Software Center: At least a 500-MHz processor

Remote Control: For an optimal experience, at least a Pentium 4 Hyper-Threaded 3 GHz (single core) or comparable CPU, with at least 1 GB of RAM.

Configuration Manager console

The following minimum hardware requirements apply to each computer that runs the Configuration Manager console:

Intel i3 or comparable CPU

2 GB of RAM

2 GB of disk space

DPI setting | Minimum resolution
96 / 100% | 1024 x 768
120 / 125% | 1280 x 960
144 / 150% | 1600 x 1200
196 / 200% | 2500 x 1600

Lab deployments
Use the following minimum hardware recommendations for lab and test deployments of
Configuration Manager. These recommendations apply to all site types, up to 100
clients:

Role | CPU (cores) | Memory (GB) | Disk space (GB)
Site and database server | 2-4 | 8-12 | 100
Site system server | 1-4 | 2-4 | 50
Client | 1-2 | 1-3 | 30

Next steps
Site size and performance guidelines

Site size and performance FAQ

Configuration Manager site size and performance guidelines
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager leads the industry in scale and performance. Other documentation covers maximum supported scale limits and hardware guidelines for running sites at the largest environment sizes. This article gives supplemental performance guidance for environments of all sizes. This guidance can help you more accurately estimate the hardware you need to deploy Configuration Manager.

This article focuses on the largest contributor to Configuration Manager performance bottlenecks: the disk input/output subsystem, or IOPS. It:

Presents details and test results focused on IOPS
Documents how to reproduce the tests with your own environments and hardware
Suggests disk IOPS requirements for various size environments

Performance test methodology

You can deploy Configuration Manager in many unique ways, but it's important to understand a few variables in any sizing discussions. One variable is feature interval, such as an inventory cycle. Another variable is the number of users, software deployments, or other objects the system references or deploys. Performance testing applies these variables as part of a load. The load generates objects at a typical rate for enterprise customers using production deployments in different size environments.

Note

Customer usage data allows for testing current branch builds with the most common scenarios, configurations, and settings for most customers. The recommendations in this article are based on these averages. Your experiences may vary based on your environment size and configuration. In general, Configuration Manager requires common sense when it comes to objects and intervals. Just because you can collect every file on a system, or set the interval for a cycle to one minute, doesn't mean you should.

The following sections highlight some key settings and configurations to use when testing and modeling processing needs for large enterprises. These guidelines help set basic system performance expectations for the suggested hardware sizes.

Feature intervals settings

Most testing should use default intervals for the key cycles in the system. For example, hardware inventory testing occurs once per week with a larger than default .mof file. Some recurring feature intervals, especially hardware and software inventory cycles, can have significant effects on an environment's performance characteristics. Environments that use more aggressive data collection intervals than the defaults need oversized hardware in direct proportion to the increase in activity. For example, say you have 25,000 desktop clients and want to collect hardware inventory twice as often as the default interval. Start by sizing your site's hardware as if you had 50,000 clients.

Objects
Tests should use the upper average of the objects that large enterprises tend to use with
the system. Typical values are thousands of collections and applications, which are
deployed to hundreds of thousands of users or systems. Tests should run simultaneously
on all objects in the system at these limits. Many customers use several features, but
don't generally use all features of the product at these upper limits. Testing with all
product features helps ensure the best possible system-wide performance, and allows a
buffer for features that some customers may use above average.

Loads
Tests should also run on greater than standard average day loads, by doing simulations
that generate peak usage demands on the system. One example is simulating Patch
Tuesday rollouts, to make sure the system can return update compliance data promptly
during these days of peak activity. Another example is simulating site activity during a
widespread malware outbreak, to ensure timely notification and response are possible.
Although deployed machines of the recommended size may be underused on any given
day, more extreme situations require some processing buffer.

Configurations
Run testing on a range of physical, Hyper-V, and Azure hardware, with a mixture of
supported operating systems and SQL Server versions. Always validate the worst cases
for the supported configuration. In general, Hyper-V and Azure return comparable
performance results to equivalent physical hardware when configured similarly. Current
server operating systems tend to have performance that's equal to or better than earlier
OS versions. While all supported platforms meet the minimum requirements, usually the
latest versions of supporting products like Windows and SQL Server produce even
better performance.

The largest variation comes from the SQL Server versions in use. For more information
about SQL Server versions, see What version of SQL Server should I run?.

Key performance determinants

You can test and measure Configuration Manager performance with different kinds of settings, in different ways, and at different site sizes. The following settings and objects can dramatically affect performance. Be sure to consider them when testing and modeling performance in your environment.

Caution

While few aspects of Configuration Manager have official maximums or user interface limits that prevent excessive usage, going beyond the guidelines can have significant adverse effects on a site's performance. Exceeding recommended levels or ignoring sizing guidance typically requires larger hardware, and may render your environment unmaintainable until you reduce the frequency or count of various objects.

Hardware inventory
To test baseline performance, set hardware inventory collection to once per week, with
the default .mof file size plus approximately 20% other properties. Don't enable all
properties, and collect only properties you actually need. Pay special attention when
collecting properties, such as available virtual memory, that will always change with
every inventory cycle. Collecting these properties can cause excessive churn on every
inventory cycle from every client.

Software inventory
To test baseline performance, set software inventory collection to once per week, with product only details. Collecting many files can place a significant strain on the inventory subsystem. Avoid specifying filters that could end up collecting thousands of files across many clients, such as *.exe or *.dll.

Collections
Baseline performance testing can include several thousand collections with different
kinds of scope, size, complexity, and update settings. Site performance isn't a direct
function of the sheer number of collections on a site. Performance is also a cross-
product of collections' query complexity, full and incremental updates and change
frequency, dependencies among collections, and numbers of clients in the collections.

Where possible, minimize collections that have expensive or complicated dynamic rule queries. For collections that require these types of rules, set appropriate update intervals and update times to minimize the effect of collection re-evaluation on the system. For example, update at midnight instead of 8:00 AM.

Enabling incremental updates on collections ensures quick and timely updates to collection membership. But even though incremental updates are efficient, they still put load on the system. Balance the change frequency you expect with the need for near real-time updates on membership. For example, say you expect heavy churn in collection members, but you don't require near real-time membership updates. It's more efficient and produces less load on the system to update the collection with a scheduled full update at some interval, than to enable incremental updates.

When you enable incremental updates, reduce any scheduled full updates on the same
collections. They're only a backup method of evaluation, since incremental updates
should keep your collection membership updated in near real time. Best practices for
collections recommends a maximum number of total collections for incremental
updates, but as the article points out, your experience can vary based on many factors.

Collections with only direct membership rules and with a limiting collection that isn't
doing incremental updates don't need scheduled full updates. Disable update schedules
for these types of collections to prevent unnecessary load on the system. If the limiting
collection uses incremental updates, collections with only direct membership rules may
not reflect membership updates for up to 24 hours, or until a scheduled refresh takes
place.

While not a best practice, some organizations create hundreds or even thousands of
collections as part of various business processes. If you use automation to create
collections, it's important to enable any needed incremental updates correctly. Minimize
and spread out any full update schedules to avoid hot spots of collection evaluation
during a single time period. Establish a regular grooming process to delete unused
collections, especially if you automatically create collections that you no longer need
after some time.

Remember that Configuration Manager creates policies for all objects in your collections
when you target tasks like deployments to them. Membership changes, either through
scheduled refresh or incremental updates, can create much more work for the whole
system. The latest current branch builds have special policy optimizations for the All
Systems and All Users collections. When targeting your entire enterprise, use the built-in
collections instead of a clone of these built-in collections.

To investigate collection performance even deeper, view collection evaluation in the console. For more information, see How to view collection evaluation.
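
The rules in this section (direct-only collections under a non-incremental limiting collection don't need a full update schedule; direct-only collections under an incremental limiting collection can lag up to 24 hours without one; incremental collections should keep full updates only as an infrequent backup) are simple to check programmatically. The following script is an added example, not part of the Configuration Manager documentation, that audits every collection against them with the Configuration Manager PowerShell module that ships with the console, and optionally switches the first kind to manual evaluation. The site code PS1 and the site server name are placeholders; the RefreshType bit values (1 manual, 2 scheduled full update, 4 incremental) are those of the SMS_Collection class.

```powershell
# Added example, not from the Configuration Manager documentation. Audits collection
# update settings against the guidance above using the Configuration Manager
# PowerShell module installed with the console. Assumptions: the console is installed
# locally (SMS_ADMIN_UI_PATH is set), the account can read and modify collections, and
# the site code 'PS1' and site server FQDN are placeholders. RefreshType bit values
# follow the SMS_Collection class: 1 = manual, 2 = scheduled full update,
# 4 = incremental (continuous) update, 6 = both.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
$siteCode = 'PS1'
if (-not (Get-PSDrive -Name $siteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $siteCode -PSProvider CMSite -Root 'siteserver.contoso.local' | Out-Null
}
Set-Location "${siteCode}:"

function Get-CMCollectionEvalAudit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Fix)   # -Fix removes the full update schedule where the page says it isn't needed

    $all  = @(Get-CMCollection)
    $byId = @{}
    foreach ($c in $all) { $byId[$c.CollectionID] = $c }

    foreach ($c in $all) {
        $incremental = ($c.RefreshType -band 4) -ne 0
        $scheduled   = ($c.RefreshType -band 2) -ne 0

        # One read-only call per rule type; slow on sites with thousands of collections.
        $hasDirect  = @(Get-CMCollectionDirectMembershipRule  -InputObject $c).Count -gt 0
        $hasQuery   = @(Get-CMCollectionQueryMembershipRule   -InputObject $c).Count -gt 0
        $hasInclude = @(Get-CMCollectionIncludeMembershipRule -InputObject $c).Count -gt 0
        $hasExclude = @(Get-CMCollectionExcludeMembershipRule -InputObject $c).Count -gt 0
        $directOnly = $hasDirect -and -not ($hasQuery -or $hasInclude -or $hasExclude)

        $limiting = $null
        if ($c.LimitToCollectionID) { $limiting = $byId[$c.LimitToCollectionID] }
        $limitingIncremental = ($null -ne $limiting) -and (($limiting.RefreshType -band 4) -ne 0)

        $finding = $null
        if ($directOnly -and $scheduled -and -not $limitingIncremental) {
            # Direct rules only, limiting collection not incremental: a scheduled full
            # update has nothing to discover. Keep incremental if it was on.
            $finding = 'Direct-only collection; scheduled full update not needed'
            $newType = if ($incremental) { 'Continuous' } else { 'Manual' }
            if ($Fix -and $PSCmdlet.ShouldProcess($c.Name, "Set RefreshType to $newType")) {
                Set-CMCollection -InputObject $c -RefreshType $newType
            }
        }
        elseif ($directOnly -and $limitingIncremental -and -not $scheduled) {
            $finding = 'Direct-only under incremental limiting collection; membership may lag up to 24 hours'
        }
        elseif ($incremental -and $scheduled) {
            $finding = 'Incremental plus scheduled full update; keep the full update as an infrequent backup'
        }

        if ($finding) {
            [pscustomobject]@{
                CollectionID       = $c.CollectionID
                Name               = $c.Name
                RefreshType        = $c.RefreshType
                LimitingCollection = $c.LimitToCollectionID
                Finding            = $finding
            }
        }
    }
}

# Report first, preview the changes, then apply them.
Get-CMCollectionEvalAudit | Sort-Object Finding, Name | Format-Table -AutoSize
Get-CMCollectionEvalAudit -Fix -WhatIf
Get-CMCollectionEvalAudit -Fix
```

Only the first finding is changed by -Fix; the other two are reported so you can decide whether the lag or the extra full evaluations are acceptable for that collection. Run the report before and after a grooming pass over automatically created collections to see how much scheduled evaluation you removed.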

Discovery methods
For baseline performance testing, run server-based discovery methods once a week,
enabling delta discovery as appropriate to keep the data fresh during the week. The
tests should discover an object quantity proportional to the simulated enterprise size.
The performance baseline test for heartbeat discovery should also run once a week.

Discovery data is global data. A common performance-related problem is to misconfigure server-based discovery methods in a hierarchy, causing duplicate discovery of the same resources from multiple primary sites. Carefully configure discovery methods to optimize communication with the target service, such as Active Directory domain controllers, while avoiding duplication of the same discovery scope on multiple primary sites.

General sizing guidelines

Based on the preceding performance test methodology, the following table gives
general minimum hardware requirement guidelines for specific numbers of managed
clients. These values should allow most customers with the specified number of clients
to process objects fast enough to administer the specified site. Computing power
continues to decrease in price every year, and some of the requirements below are small
for modern server hardware configurations. Hardware that exceeds the following
guidelines proportionally increases performance for sites that require more processing
power, or have special product usage patterns.

| Desktop clients | Site type/role | Cores (Note 1) | Memory (GB) | SQL Server memory allocation (Note 2) | IOPS: Inboxes (Note 3) | IOPS: SQL Server (Note 3) | Storage space required (GB) (Note 4) |
|---|---|---|---|---|---|---|---|
| 25k | Primary or CAS with database site role on the same server | 6 | 24 | 65% | 600 | 1700 | 350 |
| 25k | Primary or CAS | 4 | 8 | | 600 | | 100 |
| | Remote SQL Server | 4 | 16 | 70% | | 1700 | 250 |
| 50k | Primary or CAS with database site role on the same server | 8 | 32 | 70% | 1200 | 2800 | 600 |
| 50k | Primary or CAS | 4 | 8 | | 1200 | | 200 |
| | Remote SQL Server | 8 | 24 | 70% | | 2800 | 400 |
| 100k | Primary or CAS with database site role on the same server | 12 | 64 | 70% | 1200 | 5000 | 1100 |
| 100k | Primary or CAS | 6 | 12 | | 1200 | | 300 |
| | Remote SQL Server | 12 | 48 | 80% | | 5000 | 800 |
| 150k | Primary or CAS with database site role on the same server | 16 | 96 | 70% | 1800 | 7400 | 1600 |
| 150k | Primary or CAS | 8 | 16 | | 1800 | | 400 |
| | Remote SQL Server | 16 | 72 | 90% | | 7400 | 1200 |
| 700k | CAS with database site role on the same server | 20+ | 128+ | 80% | 1800+ | 9000+ | 5000+ |
| 700k | CAS | 8+ | 16+ | | 1800+ | | 500+ |
| | Remote SQL Server | 16+ | 96+ | 90% | | 9000+ | 4500+ |
| 5k | Secondary Site | 4 | 8 | | 500 | - | 200 |
| 15k | Secondary Site | 8 | 16 | | 500 | - | 300 |

Notes on general sizing guidelines

Note 1: Cores
Configuration Manager runs many simultaneous processes, so it needs a certain minimum
number of CPU cores for various site sizes. While cores get faster each year, it's
important to ensure that a certain minimum number of cores work in parallel. In general,
any server-level CPU produced after 2015 meets the basic performance needs for the
cores specified in the table. Configuration Manager takes advantage of other cores
beyond the recommendations. Once you have the minimum suggested cores, prioritize
CPU resource investment to increase the speed of existing cores. Don't add more, slower
cores. For example, Configuration Manager has better performance on key processing
tasks with 16 fast cores than with 24 slower cores. This performance assumes that there
are enough other system resources like disk IOPS.

The relationship between cores and memory is also important. In general, having less
than 3-4 GB of RAM per core reduces the total processing capability on your SQL
Servers. You need more RAM per core when SQL Server is colocated with the site server
components.

Note

All testing sets machine power plans to allow maximum CPU power consumption
and performance.

Note 2: SQL Server memory allocation

Use this value to configure the Maximum server memory (in MB) in the properties of
the SQL Server. It's the percentage of the total amount of memory available on the
server.

Don't configure the minimum and maximum values the same. This guidance is
specifically for the maximum memory that you should allow SQL Server to allocate.

Note 3: IOPS: Inboxes and IOPS: SQL
These values refer to the IOPS needs for the Configuration Manager and SQL Server
logical drives. The IOPS: Inboxes column shows the IOPS requirements for the logical
drive with the Configuration Manager inbox directories. The IOPS: SQL column shows
the total IOPS needs for the logical drive(s) that various SQL Server files use. These
columns are different because the two drives should have different formatting. For more
information and examples on suggested SQL Server disk configurations and file best
practices, including details on splitting files across multiple volumes, see the Site sizing
and performance FAQ.

Both of these IOPS columns use data from the industry-standard tool, Diskspd. See How
to measure disk performance for instructions on duplicating these measurements. In
general, once you meet basic CPU and memory requirements, the storage subsystem
has the largest effect on site performance, and improvements here will give the most
payback on investment.

Note 4: Storage space required

These real-world values may differ from other documented recommendations. We
provide these numbers only as a general guideline; individual requirements could vary
widely. Carefully plan for disk space needs before site installation. Assume that some
amount of this storage remains as free disk space most of the time. You may use this
buffer space in a recovery scenario, or for upgrade scenarios that need free disk space
for setup package expansion. Your site may require more storage for large amounts of
data collection, longer periods of data retention, and large amounts of software
distribution content. You can also store these items on separate, lower-throughput
volumes.

How to measure disk performance

You can use the industry-standard tool Diskspd to provide standardized suggestions for
the IOPS that various-sized Configuration Manager environments require. While not
exhaustive, the following test steps and command lines provide a simple and
reproducible way to estimate your servers' disk subsystem throughput. You can compare
your results to the minimum recommended IOPS in the general sizing guidelines table.

For test results from different kinds of hardware configurations in lab environments, see
Example disk configurations. You can use the data for a rough starting point when
designing the storage subsystem for a new environment from scratch.

How to test disk IOPS

1. Download the Diskspd utility.

2. Make sure you have at least 100 GB of free disk space. Disable any apps that might
interfere or cause extra load on the disk, such as active antivirus scanning of the
directory, SQL, or SMSExec.

3. Run Diskspd from an elevated command prompt.

Run the tool twice in sequence for the volume that you want to test. The first test
at 64k size with random write operations for one minute. This test validates
controller cache loading and disk space allocation, in case the volume is
dynamically expanding. Discard the results of the first test. The second test should
immediately follow the first test, and do the same load for five minutes.

For example, use the following specific command lines to test the G: volume.

Command

DiskSpd.exe -r -w100 -t8 -o8 -b64K -c100G -d60 -h -L G:\test\testfile.dat
del G:\test\testfile.dat
DiskSpd.exe -r -w100 -t8 -o8 -b64K -c100G -d300 -h -L G:\test\testfile.dat

4. Review the output from the second test to find the total IOPS in the I/O per s
column. In the following example, the total IOPS are 3929.18.

Output

Total IO

| thread | bytes       | I/Os    | MB/s   | I/O per s | AvgLat | LatStdDev |
|--------|-------------|---------|--------|-----------|--------|-----------|
| 1      | 9651814400  | 147275  | 30.68  | 490.92    | 16.294 | 10.210    |
| 2      | 9676652544  | 147654  | 30.76  | 492.18    | 16.252 | 9.998     |
| 3      | 9638248448  | 147068  | 30.64  | 490.23    | 16.317 | 10.295    |
| 4      | 9686089728  | 147798  | 30.79  | 492.66    | 16.236 | 10.072    |
| 5      | 9590931456  | 146346  | 30.49  | 487.82    | 16.398 | 10.384    |
| 6      | 9677242368  | 147663  | 30.76  | 492.21    | 16.251 | 10.067    |
| 7      | 9637330944  | 147054  | 30.64  | 490.18    | 16.319 | 10.249    |
| 8      | 9692577792  | 147897  | 30.81  | 492.99    | 16.225 | 10.125    |
| Total: | 77250887680 | 1178755 | 245.57 | 3929.18   | 16.286 | 10.176    |
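To automate step 4, the following added example (not part of the Configuration Manager documentation) parses the Total IO table that DiskSpd prints, reads the I/O per s total, checks that the per-thread rows add up to it, and compares the result with a minimum from the general sizing guidelines table. The embedded sample is the output shown above; the headroom parameter is an assumption, included because the FAQ later in this article recommends 25% extra IOPS for dynamically expanding .vhdx disks.

```python
"""Read the total IOPS out of DiskSpd's 'Total IO' table and compare it with a
sizing-table minimum. Added example; not part of the Configuration Manager
documentation."""
import re
from dataclasses import dataclass, field
from typing import List

# Sample input: the DiskSpd output table shown in step 4 of the test procedure.
SAMPLE_DISKSPD_OUTPUT = """\
Total IO
| thread | bytes       | I/Os    | MB/s   | I/O per s | AvgLat | LatStdDev |
|--------|-------------|---------|--------|-----------|--------|-----------|
| 1      | 9651814400  | 147275  | 30.68  | 490.92    | 16.294 | 10.210    |
| 2      | 9676652544  | 147654  | 30.76  | 492.18    | 16.252 | 9.998     |
| 3      | 9638248448  | 147068  | 30.64  | 490.23    | 16.317 | 10.295    |
| 4      | 9686089728  | 147798  | 30.79  | 492.66    | 16.236 | 10.072    |
| 5      | 9590931456  | 146346  | 30.49  | 487.82    | 16.398 | 10.384    |
| 6      | 9677242368  | 147663  | 30.76  | 492.21    | 16.251 | 10.067    |
| 7      | 9637330944  | 147054  | 30.64  | 490.18    | 16.319 | 10.249    |
| 8      | 9692577792  | 147897  | 30.81  | 492.99    | 16.225 | 10.125    |
| Total: | 77250887680 | 1178755 | 245.57 | 3929.18   | 16.286 | 10.176    |
"""

# A token is a word (optionally ending in ':', as in 'Total:') or a number.
_TOKEN_RE = re.compile(r"[A-Za-z]+:?|\d+(?:\.\d+)?")


@dataclass
class DiskspdResult:
    total_iops: float
    per_thread_iops: List[float] = field(default_factory=list)


def _cells(line: str) -> List[str]:
    """Split a '|'-delimited row into stripped cells, dropping empty edge cells."""
    cells = [c.strip() for c in line.split("|")]
    while cells and cells[0] == "":
        cells.pop(0)
    while cells and cells[-1] == "":
        cells.pop()
    return cells


def parse_diskspd_total_io(text: str) -> DiskspdResult:
    """Locate the 'Total IO' table, find the 'I/O per s' column from its header,
    then collect the per-thread values and the 'Total:' value of that column."""
    in_table = False
    iops_col = None
    result = DiskspdResult(total_iops=-1.0)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("total io"):
            in_table = True
            continue
        if not in_table:
            continue
        if iops_col is None:  # still looking for the header row
            cells = _cells(line)
            if "I/O per s" in cells:
                iops_col = cells.index("I/O per s")
            continue
        tokens = _TOKEN_RE.findall(line)
        if len(tokens) <= iops_col:
            continue  # separator rows such as '|----|' produce no tokens
        if tokens[0].lower().startswith("total"):
            result.total_iops = float(tokens[iops_col])
            break  # DiskSpd prints Read IO / Write IO tables after this one
        if tokens[0].isdigit():  # a per-thread row starts with the thread id
            result.per_thread_iops.append(float(tokens[iops_col]))
    if iops_col is None or result.total_iops < 0:
        raise ValueError("no 'Total IO' table with an 'I/O per s' column found")
    return result


def threads_add_up(result: DiskspdResult, tolerance: float = 0.01) -> bool:
    """Sanity check: per-thread IOPS should sum to the reported total (within 1%
    by default, to absorb rounding in the printed values)."""
    if not result.per_thread_iops or result.total_iops <= 0:
        return False
    return abs(sum(result.per_thread_iops) - result.total_iops) <= tolerance * result.total_iops


def meets_sizing_minimum(measured_iops: float, required_iops: float,
                         headroom: float = 0.0) -> bool:
    """Compare a measured total with a sizing-table minimum; 'headroom' (assumed
    parameter) adds a safety margin, for example 0.25 for dynamically expanding
    .vhdx disks."""
    return measured_iops >= required_iops * (1.0 + headroom)


if __name__ == "__main__":
    r = parse_diskspd_total_io(SAMPLE_DISKSPD_OUTPUT)
    print(f"total IOPS {r.total_iops:.2f} over {len(r.per_thread_iops)} threads, "
          f"threads add up: {threads_add_up(r)}")
    # 50k clients with a remote SQL Server: the table asks for 2800 SQL Server IOPS.
    print("meets 2800 IOPS:", meets_sizing_minimum(r.total_iops, 2800))
    # 100k clients: 5000 IOPS for SQL Server files; this volume is not enough.
    print("meets 5000 IOPS:", meets_sizing_minimum(r.total_iops, 5000))
```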

Example disk configurations

The following tables show results from running the test steps in How to measure disk
performance with various test lab configurations. Use this data for a rough starting point
when designing the storage subsystem for a new environment from scratch.

Physical machines and Hyper-V

Hardware is always improving. Expect newer generations of hardware and different
hardware combinations, like SSDs and SANs, to exceed the performance stated below.
These results are a basic starting point to consider when designing a server or
discussing with your hardware vendor.

The following table shows the test results across various disk subsystems, including
spindle and SSD-based hard drives, in various test lab configurations. All configurations
format the disks with 64k clusters and attach them to an enterprise class disk controller.
In addition to the RAID array disk count, they each have at least one spare disk.

| Disk type | Disk count, not including +1 spare disk | RAID | IOPS measured |
|---|---|---|---|
| 15k SAS | 2 | 1 | 620 |
| 15k SAS | 4 | 10 | 1206 |
| 15k SAS | 6 | 10 | 1751 |
| 15k SAS | 8 | 10 | 2322 |
| 15k SAS | 10 | 10 | 2882 |
| 15k SAS | 12 | 10 | 3476 |
| 15k SAS | 16 | 10 | 4236 |
| 15k SAS | 20 | 10 | 5148 |
| 15k SAS | 30 | 10 | 7398 |
| 15k SAS | 40 | 10 | 9913 |
| SSD SATA | 2 | 1 | 3300 |
| SSD SATA | 4 | 10 | 5542 |
| SSD SATA | 6 | 10 | 7201 |
| SSD SAS | 2 | 1 | 7539 |
| SSD SAS | 4 | 10 | 14346 |
| SSD SAS | 6 | 10 | 15607 |

The following table lists the specific devices used in this example. This information isn't a
recommendation for any specific hardware model or manufacturer.

| Disk type | Model | RAID controller | Cache memory and configuration |
|---|---|---|---|
| 15k RPM SAS HD | HP EH0300JDYTH | Smart Array P822 | 2 GB, 20% Read / 80% Write |
| SSD SATA | ATA MK0200GCTYV | Smart Array P420i | 1 GB, 20% Read / 80% Write |
| SSD SAS | HP MO0800 JEFPB | Smart Array P420i | 1 GB, 20% Read / 80% Write |

Azure machine and disk performance

Azure disk performance depends on several factors, such as the size of the Azure VM,
and the number and type of disks it uses. Azure is also constantly adding new machine
types and disk speeds that are different from the following chart. For more information
about Configuration Manager running on Azure, and additional information on
understanding disk I/O on Azure, see Configuration Manager on Azure frequently asked
questions.

All disks are formatted NTFS 64k cluster size, and rows with more than one disk are
configured as striped volumes via the Windows Disk Management utility.

| Azure VM | Azure disk | Disk count | Available space | IOPS measured | Limiting factor |
|---|---|---|---|---|---|
| DS2/DS11 | P20 | 1 | 512 GB | 965 | Azure VM size |
| DS2/DS11 | P20 | 2 | 1024 GB | 996 | Azure VM size |
| DS2/DS11 | P30 | 1 | 1024 GB | 996 | Azure VM size |
| DS2/DS11 | P30 | 2 | 2048 GB | 996 | Azure VM size |
| DS3/DS12/F4S | P20 | 1 | 512 GB | 1994 | Azure VM size |
| DS3/DS12/F4S | P20 | 2 | 1024 GB | 1992 | Azure VM size |
| DS3/DS12/F4S | P30 | 1 | 1024 GB | 1993 | Azure VM size |
| DS3/DS12/F4S | P30 | 2 | 2048 GB | 1992 | Azure VM size |
| DS4/DS13/F8S | P20 | 1 | 512 GB | 2334 | P20 disk |
| DS4/DS13/F8S | P20 | 2 | 1024 GB | 3984 | Azure VM size |
| DS4/DS13/F8S | P20 | 3 | 1536 GB | 3984 | Azure VM size |
| DS4/DS13/F8S | P30 | 1 | 1024 GB | 3112 | P30 disk |
| DS4/DS13/F8S | P30 | 2 | 2048 GB | 3984 | Azure VM size |
| DS4/DS13/F8S | P30 | 3 | 3072 GB | 3996 | Azure VM size |
| DS5/DS14/F16S | P20 | 1 | 512 GB | 2335 | P20 disk |
| DS5/DS14/F16S | P20 | 2 | 1024 GB | 4639 | P20 disk |
| DS5/DS14/F16S | P20 | 3 | 1536 GB | 6913 | P20 disk |
| DS5/DS14/F16S | P20 | 4 | 2048 GB | 7966 | Azure VM size |
| DS5/DS14/F16S | P30 | 1 | 1024 GB | 3112 | P30 disk |
| DS5/DS14/F16S | P30 | 2 | 2048 GB | 6182 | P30 disk |
| DS5/DS14/F16S | P30 | 3 | 3072 GB | 7963 | Azure VM size |
| DS5/DS14/F16S | P30 | 4 | 4096 GB | 7968 | Azure VM size |
| DS15 | P30 | 1 | 1024 GB | 3113 | P30 disk |
| DS15 | P30 | 2 | 2048 GB | 6184 | P30 disk |
| DS15 | P30 | 3 | 3072 GB | 9225 | P30 disk |
| DS15 | P30 | 4 | 4096 GB | 10200 | Azure VM size |

For more information on the currently available disks, see Select a disk type for Azure
IaaS VMs.

See also

Site sizing and performance FAQ
Configuration Manager on Azure frequently asked questions
Size and scale numbers
Recommended hardware

Configuration Manager site sizing and performance FAQ
FAQ

Applies to: Configuration Manager (current branch)

This document addresses frequently asked questions about Configuration Manager site
sizing guidance and common performance issues.

Machine and disk configuration FAQs and examples

How should I format the disks on my site server and SQL Server?
Separate the Configuration Manager inboxes and SQL Server files on at least two
different volumes. This separation lets you optimize cluster allocation sizes for the
different kinds of I/O they perform.

For the volume hosting your site server inboxes, use NTFS with 4K or 8K allocation
units. ReFS writes 64k even for small files. Configuration Manager has many small files,
so ReFS can produce unnecessary disk overhead.

For disks containing SQL Server database files, use either NTFS or ReFS formatting, with
64K allocation units.

How and where should I lay out my SQL Server database files?
Modern arrays of solid-state drives (SSD) and Azure Premium Storage can provide high
IOPS on a single volume, with few disks. You typically add more drives to an array for
additional storage, not additional throughput. If you're using physical spindle-based
disks, you may need more IOPS than you can generate on a single volume. You should
allocate 60% of the total recommended IOPS and disk space for the .mdf file, 20% for
the .ldf file, and 20% for the log and data temp files. The .ldf and temp files can all reside
on a single volume with 40% (20% + 20%) of your allocated IOPS.

SQL Server versions earlier than SQL Server 2016 created by default only one temp data
file. You should create more, to avoid SQL Server locks and waiting for access to a single
file. Community opinions vary on the best number of temp data files to create, from four
to eight. Testing reveals little difference between four to eight, so you can create four
equally sized temp data files. Your tempdb data files should be up to 20-25% the size of
your full database.

Are there any other recommendations for disk setup?
When configurable, set RAID controller memory to 70% allocation for write operations
and 30% for read operations. In general, use a RAID 10 array configuration for the site
database. RAID 1 is also acceptable for small-scale sites with low I/O requirements, or if
you use fast SSDs. With larger disk arrays, configure spare disks to automatically replace
failing disks.

Example: Physical machine with physical disks

Sizing guidelines for a colocated site server and SQL Server with 100,000 clients are 1200
IOPS for site server inboxes and 5000 IOPS for SQL Server files.

Your resulting disk configuration might look like:

| Drives (1) | RAID | Format | Volume contents | Minimum IOPS needed | Approx. IOPS supplied (2) |
|---|---|---|---|---|---|
| 2x10k | 1 | - | Windows | - | |
| 6x15k | 10 | NTFS 8k | ConfigMgr inboxes | 1700 | 1751 |
| 12x15k | 10 | 64k ReFS | SQL .mdf | 60% * 5000 = 3000 | 3476 |
| 8x15k | 10 | 64k ReFS | SQL .ldf, temp files | 40% * 5000 = 2000 | 2322 |

1. Doesn't include recommended spare disks.
2. This value is from Example disk configurations.

I use Hyper-V on Windows Server. How should I configure the disks for my Configuration
Manager VMs for best performance?

Hyper-V delivers similar performance to a physical server, if hardware resources (CPU
cores and pass-through storage) are 100% dedicated to the virtual machine (VM). Using
fixed-size .vhd or .vhdx disk files causes a minimal 1-5% I/O performance impact. Using
dynamically expanding .vhd or .vhdx disk files causes up to 25% I/O performance impact
for the Configuration Manager workload. If you need dynamically expanding disks,
compensate by adding an additional 25% IOPS performance to the array.

When running your Configuration Manager site server or SQL Server inside a VM, isolate
the Hyper-V host OS drives from the VM OS and data drives.

For more information about optimizing VMs, see Performance Tuning Hyper-V Servers.
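The following added example (not the documentation's own code) applies the rules from this FAQ to the IOPS and space figures of the sizing table: 60% of the SQL Server budget to the .mdf file, 20% to the .ldf file and 20% to the temp files (with .ldf and temp files optionally sharing one 40% volume), four equally sized tempdb data files totalling up to 25% of the database, and the 25% IOPS uplift for dynamically expanding .vhd/.vhdx disks. The function names and the absence of a separate space figure for the inbox volume (the page gives none) are assumptions.

```python
"""Volume plan for a site server and its SQL Server, derived from the sizing
table figures with the split rules in this FAQ. Added example; not part of the
Configuration Manager documentation."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# FAQ rule: 60% of the SQL Server IOPS and space to the .mdf file, 20% to the
# .ldf file, 20% to the log and data temp files; .ldf + temp may share a volume.
MDF_SHARE, LDF_SHARE, TEMP_SHARE = 0.60, 0.20, 0.20
# FAQ rule: dynamically expanding .vhd/.vhdx costs up to 25% I/O, so add 25% IOPS.
DYNAMIC_VHDX_UPLIFT = 0.25
SQL_FORMAT = "NTFS or ReFS, 64K allocation units"
INBOX_FORMAT = "NTFS, 4K or 8K allocation units"


@dataclass
class VolumePlan:
    contents: str
    format_hint: str
    iops_required: float
    space_gb: Optional[float]  # None where the page gives no figure (assumption)


def _uplift(iops: float, dynamic_vhdx: bool) -> float:
    """Inflate an IOPS requirement when the VM uses dynamically expanding disks."""
    return iops * (1.0 + DYNAMIC_VHDX_UPLIFT) if dynamic_vhdx else iops


def plan_volumes(inbox_iops: float, sql_iops: float, sql_space_gb: float,
                 dynamic_vhdx: bool = False,
                 separate_ldf_volume: bool = False) -> List[VolumePlan]:
    """One VolumePlan per volume: inboxes on their own small-cluster NTFS volume,
    SQL Server files on 64K volumes split 60/20/20 (or 60/40 when the .ldf and
    temp files share a volume)."""
    sql_iops = _uplift(sql_iops, dynamic_vhdx)
    plans = [
        VolumePlan("ConfigMgr inboxes", INBOX_FORMAT, _uplift(inbox_iops, dynamic_vhdx), None),
        VolumePlan("SQL .mdf", SQL_FORMAT, sql_iops * MDF_SHARE, sql_space_gb * MDF_SHARE),
    ]
    if separate_ldf_volume:
        plans.append(VolumePlan("SQL .ldf", SQL_FORMAT,
                                sql_iops * LDF_SHARE, sql_space_gb * LDF_SHARE))
        plans.append(VolumePlan("SQL temp files", SQL_FORMAT,
                                sql_iops * TEMP_SHARE, sql_space_gb * TEMP_SHARE))
    else:
        share = LDF_SHARE + TEMP_SHARE
        plans.append(VolumePlan("SQL .ldf and temp files", SQL_FORMAT,
                                sql_iops * share, sql_space_gb * share))
    return plans


def plan_tempdb_files(database_size_gb: float, file_count: int = 4,
                      fraction: float = 0.25) -> Dict[str, float]:
    """Four equally sized tempdb data files (testing showed little difference
    between four and eight), totalling up to 20-25% of the full database."""
    if not 0 < fraction <= 0.25:
        raise ValueError("tempdb should be at most 20-25% of the database size")
    total = database_size_gb * fraction
    return {"file_count": file_count, "total_gb": total, "per_file_gb": total / file_count}


def volumes_short_of_iops(plans: List[VolumePlan],
                          supplied_iops: Dict[str, float]) -> List[str]:
    """supplied_iops maps volume contents to measured IOPS (for example from the
    Example disk configurations table); returns the volumes that fall short."""
    return [p.contents for p in plans
            if supplied_iops.get(p.contents, 0.0) < p.iops_required]


if __name__ == "__main__":
    # 100,000 clients, colocated SQL Server: 1200 inbox IOPS, 5000 SQL IOPS, 1100 GB.
    plans = plan_volumes(1200, 5000, 1100)
    for p in plans:
        print(f"{p.contents:<26} {p.format_hint:<36} {p.iops_required:7.0f} IOPS  {p.space_gb}")
    # Measured IOPS from the physical-disk example in this FAQ (15k SAS, RAID 10).
    supplied = {"ConfigMgr inboxes": 1751, "SQL .mdf": 3476, "SQL .ldf and temp files": 2322}
    print("short on physical disks:", volumes_short_of_iops(plans, supplied))
    print("short if the same arrays back dynamically expanding .vhdx:",
          volumes_short_of_iops(plan_volumes(1200, 5000, 1100, dynamic_vhdx=True), supplied))
    print("tempdb for a 1100 GB database:", plan_tempdb_files(1100))
```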

Example: Hyper-V VM-based site server

Sizing guidelines for a colocated site server and SQL Server with 150,000 clients are 1800
IOPS for site server inboxes and 7400 IOPS for SQL Server files.

Your resulting disk configuration might look like:

| Drives (1) | RAID | Format (2) | Volume contents | Minimum IOPS needed | Approx. IOPS supplied (3) |
|---|---|---|---|---|---|
| 2x10k | 1 | - | Hyper-V host OS | - | - |
| 2x10k | 1 | - | (VM) site server OS | - | - |
| 2xSSD SAS | 1 | NTFS 8k | (VM) ConfigMgr inboxes | 1800 | 7539 |
| 4xSSD SAS | 10 | 64k ReFS | (VM) Host SQL Server (all files) | 7400 | 14346 |

1. Doesn't include recommended spare disks.
2. Fixed-size, pass-through .vhdx for the VM drive dedicated to the underlying
volume.
3. This value is from Example disk configurations.

Are there any suggestions for Configuration Manager environments in Microsoft Azure?
Start by reading the Configuration Manager on Azure frequently asked questions.

Azure infrastructure as a service (IaaS) VMs that leverage Premium Storage-based disks
can have high IOPS. On these VMs, configure additional disks for anticipated disk space
needs, rather than for additional IOPS.

Azure storage is inherently redundant and doesn't require multiple disks for availability.
You can stripe disks in Disk Manager or Storage Spaces to provide additional space and
performance.

For more information and recommendations on how to maximize Premium Storage
performance and run SQL Servers in Azure IaaS VMs, see:

Optimize application performance

Disks guidance

Example: Azure-based site server

Sizing guidelines for a colocated site server and SQL Server with 50,000 clients are eight
cores, 32 GB, and 1200 IOPS for site server inboxes, and 2800 IOPS for SQL Server files.

Your resulting Azure machine might be a DS13v2 (eight cores, 56 GB) with the following
disk configuration:

| Drives | Format | Contains | Minimum IOPS needed | Approx. IOPS supplied (1) |
|---|---|---|---|---|
| <standard> | - | Site server OS | - | - |
| 1xP20 (512 GB) | NTFS 8k | ConfigMgr inboxes | 1200 | 2334 |
| 1xP30 (1024 GB) | 64k ReFS | SQL Server (all files (2)) | 2800 | 3112 |

1. This value is from Example disk configurations.
2. Azure guidance allows for placing the TempDB on the local, SSD-based D: drive,
given it won't exceed available space and allows for additional disk I/O
distribution.

Example: Azure-based site server (for instant performance increase)

Azure disk throughput is limited by the size of the VM. The configuration in the
preceding Azure example may limit future expansion or additional performance. If you
add additional disks during initial deployment of your Azure VM, you can upsize your
Azure VM for increased processing power in the future, with minimal upfront
investment. It's much simpler to plan ahead to increase site performance as
requirements change, instead of later needing to do a more complicated migration.

Change the disks in the preceding Azure example to see how the IOPS change.

DS13v2

| Drives (1) | Format | Contains | Minimum IOPS needed | Approx. IOPS supplied (2) |
|---|---|---|---|---|
| <standard> | - | Site server OS | - | - |
| 2xP20 (1024 GB) | NTFS 8k | ConfigMgr inboxes | 1200 | 3984 |
| 2xP30 (2048 GB) | 64k ReFS | SQL Server (all files (3)) | 2800 | 3984 |

1. Disks are striped using Storage Spaces.
2. This value is from Example disk configurations. VM size limits performance.
3. Azure guidance allows for placing the TempDB on the local, SSD-based D: drive,
given it won't exceed available space and allows for additional disk I/O
distribution.

If you need more performance in future, you can upsize your VM to a DS14v2, which will
double CPU and memory. The additional disk bandwidth allowed by that VM size will
also instantly boost the available disk IOPS on your previously configured disks.

DS14v2

| Drives (1) | Format | Contains | Minimum IOPS needed | Approx. IOPS supplied (2) |
|---|---|---|---|---|
| <standard> | - | Site server OS | - | - |
| 2xP20 (1024 GB) | NTFS 8k | ConfigMgr inboxes | 1200 | 4639 |
| 2xP30 (2048 GB) | 64k ReFS | SQL Server (all files (3)) | 2800 | 6182 |

1. Disks are striped using Storage Spaces.
2. This value is from Example disk configurations. VM size limits performance.
3. Azure guidance allows for placing the TempDB on the local, SSD-based D: drive,
given it won't exceed available space and allows for additional disk I/O
distribution.

Other common SQL Server-related performance questions

Is it better to run with SQL Server colocated with the site server, or run it on a remote
server?
Both can perform adequately, assuming the single server is appropriately sized, or
network connectivity is sufficient between the two servers.

Remote SQL Server requires the upfront and operational cost of an additional server,
but is typical among the majority of large-scale customers. Benefits of this configuration
include:

Increased site availability options, such as SQL Server Always On
Ability to run heavy reporting with less overhead to site processing
Simpler disaster recovery in some situations
Easier security management
Role separation for SQL Server management, such as with a separate DBA team

Colocated SQL Server requires a single server, and is typical for most small-scale
customers. Benefits of this configuration include:
Lower costs for machines, licenses, and maintenance
Fewer points of failure in the site
Better control for planning downtime

How much RAM should I allocate for SQL?

By default, SQL Server uses all available memory on your server, potentially starving the
OS and other processes on the machine. To avoid potential performance issues, it's
important to allocate memory to SQL Server explicitly. On site servers colocated with
SQL Server, make sure the OS has enough RAM for file caching and other operations.
Make sure there's enough RAM remaining for SMSExec and other Configuration
Manager processes. When running SQL Server on a remote server, you can allocate the
majority of the memory to SQL, but not all. Review the sizing guidelines for initial
guidance.

SQL Server memory allocation should be rounded to whole GB. Also, as RAM increases
to large amounts, you can let SQL Server have a higher percentage. For example, when
256 GB or more of RAM is available, you can configure SQL Server for up to 95%, as that
still preserves plenty of memory for the OS. Monitoring the page file is a good way to
ensure there is enough memory for the OS and any Configuration Manager processes.

Cores are cheap these days. Should I just add a bunch of them to my SQL Server?
You may run into memory contention issues if there are more than 16 physical cores and
not enough RAM on your SQL Server. The Configuration Manager workload performs
better when at least 3-4 GB of RAM per core is available for SQL. When adding cores to
your SQL Server, be sure to increase RAM in proportional amounts.

Will a SQL Server Always On availability group impact my performance?
In general, availability groups have negligible effect on performance of the system when
sufficient networking is available between the replica servers. You can have rapid
database log .ldf file growth in a busy availability group environment. However, log file
space is automatically released after a successful database backup. Add a SQL Server job
for the Configuration Manager database to perform a backup, for example every 24
hours, and an .ldf backup every six hours. For more information about availability groups
and Configuration Manager, including more about SQL Server backup strategies, see
Prepare to use a SQL Server Always On availability group.

Should I enable SQL Server compression on my database?
SQL Server compression isn't recommended for the Configuration Manager database.
While there are no functional issues with enabling compression on a Configuration
Manager database, test results don't show much size savings compared to the potential
sizable performance impact to the system.

Should I enable SQL Server encryption on my database?
Any secrets in the Configuration Manager database are already stored securely, but
adding SQL Server encryption can add yet another layer of security. There are no
functional issues with enabling encryption on your database, but there can be up to a
25% performance degradation. Therefore, encrypt with caution, especially in large-scale
environments. Also remember to update your backup and recovery plans to ensure you
can successfully recover the encrypted data.

What version of SQL Server should I run?

For supported versions of SQL, see Support for SQL Server versions. From a performance
standpoint, all supported versions of SQL Server meet required performance criteria.
However, SQL Server 2016 or newer tends to outperform SQL Server 2014 in some
aspects of the Configuration Manager workload. Also, running SQL Server 2014 at SQL
Server 2012 compatibility level (110) improves performance in general. At installation
time, Configuration Manager databases running on SQL Server 2014 are set to
compatibility level 110. SQL Server 2016 or newer is set to that SQL Server version's
default compatibility level, such as 130 for SQL Server 2016. Upgrading SQL Server in
place doesn't update compatibility levels until you install the next major Configuration
Manager current branch version.

If you see unusual timeouts or slowness on certain SQL queries on SQL Server 2016 or
later, such as when using RBAC in the Admin Console, try changing the SQL Server
compatibility level on the Configuration Manager database to 110. Running at SQL
Server compatibility level 110 on SQL Server 2014 and newer versions of SQL Server is
fully supported. For more information, see SQL query times out or console slow on
certain Configuration Manager database queries.

As of January 2018, you should avoid the following SQL Server versions, because of
various known performance-related or other potential issues:
SQL Server 2012 SP3 CU1 to CU5
SQL Server 2014 SP1 CU6 to SP2 CU2
SQL Server 2016 RTM to CU3, SP1 CU3 to CU5

Should I implement any additional SQL Server indexing tasks?
Yes, update indexes as often as once a week and statistics as often as once a day to
improve SQL Server performance. Third-party scripts and additional information
available from the Configuration Manager and SQL Server communities can help
optimize these tasks.

In large sites, some SQL Server tables, such as CI_CurrentComplianceStatusDetails and
HinvChangeLog, might be large, depending on your usage patterns. You may need to
reduce or alter your maintenance approach for them one by one.

When should I use full SQL Server instead of SQL Server Express on my secondary sites?
SQL Server Express doesn't have any significant performance implications on secondary
sites, and it's adequate for most customers. It's also easy to deploy and manage, and is
the recommended configuration for nearly all customers at any size.

There's one situation where a full SQL Server installation might be needed. If you have a
large number of distribution points and packages or sources in your environment, it's
possible to exceed the 10-GB size limit of SQL Server Express. If the number of packages
times the number of distribution points is more than 4,000,000, such as 2,000 DPs with
2,000 pieces of content, consider using full SQL Server at your secondary sites.

Should I change MaxDOP settings on my database?
Leaving your setting at 0 (use all available processors) is optimal for overall processing
performance in most circumstances.

Many Configuration Manager administrators follow the guidance at Recommendations
and guidelines for the "max degree of parallelism" configuration option in SQL Server.
On most modern large hardware, this guidance leads to a suggested maximum setting
of eight. However, if you run many smaller queries compared to your number of
processors, it may help to set it to a higher number. Limiting yourself to eight isn't
necessarily the best setting on larger sites when more cores are available.

On SQL Servers with greater than eight cores, start with a setting of 0, and only make
changes if you experience performance issues or excessive locking. If you need to
change MaxDOP because you are encountering performance issues at 0, start with a
new value at least greater than or equal to the minimum recommended number of
cores for that site's SQL Server sizing. Going lower than this value nearly always has
negative performance implications. For example, a remote SQL Server for a 100,000
client site needs at least 12 cores. If your SQL Server has 16 cores, start testing your
MaxDOP setting with a value of 12.
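As an added example (not the documentation's own code), the following turns the guidance in Note 2 of the sizing table, the RAM and cores questions above, and this MaxDOP answer into checks for a SQL Server host: the Maximum server memory value in MB from the table percentage (rounded down to a whole GB, an assumption), the 95% ceiling at 256 GB or more, the 3-4 GB per core warning, and the first MaxDOP value to try when 0 needs tuning. The topology names and the next-tier-up lookup for client counts between table rows are assumptions; the 700k row is left out because its values are open-ended.

```python
"""SQL Server memory and MaxDOP starting values derived from the sizing table
and the answers in this FAQ. Added example; not part of the Configuration
Manager documentation."""
from typing import Dict, List, Tuple

# Minimum cores, memory (GB) and SQL Server memory allocation for the server that
# hosts SQL Server, copied from the general sizing guidelines table.
# Key: (desktop clients, topology); topology names are an assumption.
SQL_HOST_SIZING: Dict[Tuple[int, str], Tuple[int, int, float]] = {
    (25_000, "colocated"): (6, 24, 0.65),
    (25_000, "remote_sql"): (4, 16, 0.70),
    (50_000, "colocated"): (8, 32, 0.70),
    (50_000, "remote_sql"): (8, 24, 0.70),
    (100_000, "colocated"): (12, 64, 0.70),
    (100_000, "remote_sql"): (12, 48, 0.80),
    (150_000, "colocated"): (16, 96, 0.70),
    (150_000, "remote_sql"): (16, 72, 0.90),
}
MIN_GB_PER_CORE = 3                        # FAQ: under 3-4 GB per core hurts SQL
LARGE_RAM_GB, LARGE_RAM_PCT = 256, 0.95    # FAQ: 256 GB or more may go to 95%


def sizing_for(clients: int, topology: str) -> Tuple[int, int, float]:
    """Table row for this client count: exact tier or the next tier up (assumption)."""
    tiers = sorted(c for c, t in SQL_HOST_SIZING if t == topology)
    for tier in tiers:
        if clients <= tier:
            return SQL_HOST_SIZING[(tier, topology)]
    raise ValueError(f"{clients} clients exceeds the tiers in this example")


def allowed_allocation_pct(total_ram_gb: int, table_pct: float) -> float:
    """The table percentage, or 95% once the server has 256 GB or more of RAM."""
    return LARGE_RAM_PCT if total_ram_gb >= LARGE_RAM_GB else table_pct


def max_server_memory_mb(total_ram_gb: int, allocation_pct: float) -> int:
    """Value for 'Maximum server memory (in MB)': the percentage of total RAM,
    rounded down to a whole GB (rounding direction is an assumption)."""
    whole_gb = int(total_ram_gb * allocation_pct)
    return whole_gb * 1024


def ram_warnings(cores: int, total_ram_gb: int) -> List[str]:
    """Flags the core/RAM imbalance the FAQ warns about."""
    warnings = []
    if total_ram_gb < cores * MIN_GB_PER_CORE:
        warnings.append(f"{total_ram_gb} GB for {cores} cores is under "
                        f"{MIN_GB_PER_CORE} GB per core; add RAM with the cores")
        if cores > 16:
            warnings.append("more than 16 cores with too little RAM: expect memory contention")
    return warnings


def maxdop_plan(clients: int, topology: str, actual_cores: int) -> Dict[str, int]:
    """Start at 0 (all processors). On a server with more than eight cores, the
    first value to try if 0 must be changed is the table's minimum core count
    for this site's SQL Server; going lower nearly always costs performance."""
    min_cores, _, _ = sizing_for(clients, topology)
    plan = {"start": 0}
    if actual_cores > 8:
        plan["first_value_if_tuning"] = min_cores
    return plan


if __name__ == "__main__":
    # Remote SQL Server for a 100,000-client site, built with 16 cores and 64 GB.
    clients, topology, cores, ram = 100_000, "remote_sql", 16, 64
    min_cores, min_ram, table_pct = sizing_for(clients, topology)
    pct = allowed_allocation_pct(ram, table_pct)
    print(f"table minimum: {min_cores} cores, {min_ram} GB, SQL allocation {table_pct:.0%}")
    print(f"Maximum server memory (in MB): {max_server_memory_mb(ram, pct)}")
    print("warnings:", ram_warnings(cores, ram) or "none")
    print("MaxDOP plan:", maxdop_plan(clients, topology, cores))
```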

Other common performance-related questions

Which folders on the site server (or other roles) should I exclude for antivirus software?
Take care when disabling antivirus protection on any system. In high volume and secure
environments, we recommend disabling active monitoring for optimum performance.

For more information about recommended antivirus exclusions, see Recommended
antivirus exclusions for Configuration Manager 2012 and Current Branch Site Servers,
Site Systems, and Clients.

What can I do to make WSUS perform better when it's used with Configuration Manager?
Changing a few key IIS settings, such as WsusPool Queue Length and WsusPool Private
Memory limit, can improve WSUS performance, even on smaller installations. For more
information, see Recommended hardware.

Also make sure you have the latest updates installed for the operating system running
WSUS:

Windows Server 2012: Any non "Security only" cumulative update released
October 2017 or later. (KB4041690)
Windows Server 2012 R2: Any non "Security only" cumulative update released
August 2017 or later. (KB4039871)
Windows Server 2016: Any non "Security only" cumulative update released August
2017 or later. (KB4039396)

What type of maintenance should I run on my WSUS servers?

See The complete guide to Microsoft WSUS and Configuration Manager SUP
maintenance.

I want to set up basic performance monitoring for my site. What should I watch?

Traditional server performance monitoring works effectively for general Configuration
Manager. You can also leverage the various System Center Operations Manager
management packs for Configuration Manager, SQL Server, and Windows Server to
monitor basic health of your servers. You can also directly monitor the Windows
Performance Monitor (PerfMon) counters Configuration Manager provides. Monitor the
backlogs in the various inboxes for early warning signs of potential site performance
issues or backlogs.

See also

Site sizing and performance guidelines
Configuration Manager on Azure frequently asked questions

Choose a device management solution
Article • 03/31/2023

Microsoft offers different solutions for managing PCs, servers, and devices. These
solutions are available on-premises, cloud-based, or a combination of both. Choose the
solution that's right for the business requirements of your organization. Base your
decision on the device platforms you need to manage and the management
functionality you need.

Overview
There are several Microsoft solutions that might work best for you in different scenarios.
You don't need to choose just one.

For a small organization, a tool like the Windows administration center may be a
great fit.
Approximately 75% of IT organizations use Configuration Manager to manage
their devices.
Microsoft Azure provides various solutions from the cloud or on-premises with
Azure Arc and Azure Stack that primarily target server management.
Microsoft Intune provides cloud management of clients.
You can combine Configuration Manager and Intune with co-management.
You can use Security Management for Microsoft Defender for Endpoint (MDE) to
manage security settings for devices utilizing Microsoft Defender for Endpoint.

Use the following table to help compare these management technologies:

| | Cloud-only | Cloud-attached | On-premises | Disconnected |
|---|---|---|---|---|
| Hyper-V host | Not applicable | Azure Stack; Windows Admin Center; Security Management for MDE; Virtual Machine Manager | Azure Stack; Windows Admin Center; Virtual Machine Manager | Azure Stack; Windows Admin Center; Virtual Machine Manager |
| Windows Server | Azure Arc; Configuration Manager; Security Management for MDE | Azure Arc; Configuration Manager; Security Management for MDE | Azure Arc; Configuration Manager | Configuration Manager |
| Linux Server | Azure Arc | Azure Arc | Azure Arc | |
| Windows 10/11 | Intune; Configuration Manager; Security Management for MDE | Intune; Configuration Manager; Security Management for MDE | Intune; Configuration Manager; Security Management for MDE | Configuration Manager |
| Windows 7 or 8.1 | Configuration Manager | Configuration Manager | Configuration Manager | Configuration Manager |
| Azure Virtual Desktop | Configuration Manager | Not applicable | Not applicable | Not applicable |

For more information, see the following articles:

What is Azure Stack?
What is Windows Admin Center?
What is Virtual Machine Manager?
Azure Arc products
What is Azure Virtual Desktop?
Security Management for Microsoft Defender for Endpoint (MDE)

For more information on the Configuration Manager and Intune solutions, continue to
the next section.

Client management
This section compares the following four client management solutions:

Configuration Manager client

Security Management for Microsoft Defender for Endpoint

Co-management with Microsoft Intune

Microsoft Exchange

You can use these solutions by themselves or in combination with each other. For
example, use the client-based management approach to manage the computers and
servers in your organization, and also use co-management to manage internet-based
laptops. By combining approaches this way, you can cover all of your device
management needs.

There are also two tables that compare the management solutions by the following
factors:

Compare by supported platforms

Compare by management functionality

Configuration Manager client


This option requires installation of the Configuration Manager client on devices. It
provides the most features for managing PCs, servers, and other devices in your
environment.

For more information, see Client installation methods.

Security Management for Microsoft Defender for Endpoint
This option requires using Microsoft Defender for Endpoint on your devices. It's intended to provide security management capability where Microsoft Intune or Microsoft Configuration Manager isn't present. It uses the Microsoft Defender for Endpoint client to communicate directly with Intune and apply security management policy.

For more information, see Security Management for Microsoft Defender for Endpoint
(MDE).

Co-management with Microsoft Intune
Co-management is one of the primary ways to attach your existing Configuration Manager deployment to the Microsoft 365 cloud. It enables you to concurrently manage Windows devices by using both Configuration Manager and Microsoft Intune. Co-management lets you cloud-attach your existing investment in Configuration Manager by adding new functionality.

For more information, see What is co-management?.


Microsoft Exchange
This option uses the Exchange Server connector to connect multiple Exchange servers to
Configuration Manager. It centralizes management of devices that can connect to
Exchange ActiveSync. You can configure Exchange mobile device management features
from the Configuration Manager console. Example features include remote device wipe
and the settings control for multiple Exchange servers.

For more information, see Manage mobile devices with Configuration Manager and
Exchange.

Compare solutions by supported platforms

Each platform and the solutions that support it (Configuration Manager client, On-premises MDM, Configuration Manager with Exchange, Intune):

Android: Configuration Manager with Exchange; Intune

iOS: Configuration Manager with Exchange; Intune

macOS X: Configuration Manager client; Configuration Manager with Exchange; Intune

Windows 10/11: Configuration Manager client; On-premises MDM; Configuration Manager with Exchange; Intune

Windows 10 Mobile: On-premises MDM; Configuration Manager with Exchange; Intune

Windows (previous versions): Configuration Manager client; Intune

Windows Server: Configuration Manager client; Intune

Windows Embedded: Configuration Manager client

For a complete list of supported platforms, see the following articles:

Supported operating systems for clients and devices for Configuration Manager
Intune supported configurations

Microsoft recommends using Intune to manage Android, iOS, and Windows 10/11
mobile devices. For more information, see What is Microsoft Intune?.

Compare solutions by management functionality


Each management function and the solutions that provide it (Configuration Manager client, On-premises MDM, Configuration Manager with Exchange):

Certificate-based mutual authentication: Configuration Manager client; On-premises MDM

Client installation: Configuration Manager client

Support over the internet: Configuration Manager client

Discovery: Configuration Manager client; Configuration Manager with Exchange

Hardware inventory: Configuration Manager client; On-premises MDM; Configuration Manager with Exchange

Software inventory: Configuration Manager client; On-premises MDM

Settings: Configuration Manager client; On-premises MDM; Configuration Manager with Exchange

Software deployment: Configuration Manager client; On-premises MDM

Software update management: Configuration Manager client

OS deployment: Configuration Manager client

Block from Configuration Manager: Configuration Manager client; On-premises MDM

Quarantine and block from Exchange Server (and Configuration Manager): Configuration Manager with Exchange

Remote wipe: On-premises MDM; Configuration Manager with Exchange


Design a hierarchy of sites for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Before installing the first site of a new Configuration Manager hierarchy, it's a good idea
to understand:

The available topologies for Configuration Manager

The types of available sites and their relationships with each other

The scope of management that each type of site provides

The content management options that can reduce the number of sites you need to
install

Then plan a topology that efficiently serves your current business needs and can later
expand to manage future growth.

When planning, keep in mind limitations for adding additional sites to a hierarchy or a
stand-alone site:

Install a new primary site below a central administration site, up to the supported
number of primary sites for the hierarchy.

Expand a standalone primary site to install a new central administration site, to then install additional primary sites.

Install new secondary sites below a primary site, up to the supported limit for the
primary site and overall hierarchy.

You can't add a previously installed site to an existing hierarchy to merge two
standalone sites. Configuration Manager only supports installation of new sites to
an existing hierarchy of sites.

Note

When planning a new installation of Configuration Manager, be aware of the release notes, which detail current issues in the active versions. The release notes apply to all branches of Configuration Manager. When you use the technical preview branch, find issues specific to that branch in the documentation for each version of the technical preview.

Hierarchy topology
Hierarchy topologies range from:

Simplest: A single standalone primary site

Most complex: A group of connected primary and secondary sites with a central
administration site at the top-level site of the hierarchy

The key driver of the type and count of sites that you use in a hierarchy is usually the
number and type of devices you must support.

Standalone primary site


Use a standalone primary site when it can support management of all devices and users.
For more information, see Sizing and scale numbers. This topology is also successful
when your company's geographic locations can be served by a single primary site. To
help manage network traffic, use multiple management points in boundary groups, and
a carefully planned content infrastructure. For more information, see Configure
boundary groups and Fundamental concepts for content management.

This topology provides the following benefits:

Simplified administrative overhead

Simplified client site assignment and discovery of available resources and services

Elimination of possible delays introduced by database replication between sites

Option to expand a standalone primary site into a larger hierarchy with a central
administration site. This option enables you to then install new primary sites to
expand the scale of your deployment.

Central administration site with one or more child primary sites
Use this topology when you require more than one primary site to support management of all your devices and users. A central administration site is required whenever you use more than a single primary site.

This topology provides the following benefits:

It supports up to 25 primary sites that enable you to extend the scale of your
hierarchy.

You always use the central administration site, unless you reinstall your sites. This
option is permanent. You can't detach a child primary site to make it a standalone
primary site.

Determine when to use a central administration site
Use a central administration site to configure hierarchy-wide settings and to monitor all
sites and objects in the hierarchy. This site type doesn't manage clients directly. It
coordinates site-to-site data replication, which includes the configuration of sites and
clients throughout the hierarchy.

The following information can help you decide when to install a central administration
site:

The central administration site is the top-level site in a hierarchy.

When you configure a hierarchy that has more than one primary site, install a
central administration site.

If you immediately need two or more primary sites, install the central
administration site first.

When you already have a primary site, and want to then install a central
administration site, expand the stand-alone primary site to install the central
administration site.

The central administration site supports only primary sites as child sites.

The central administration site can't have clients assigned to it.

The central administration site doesn't support site system roles that directly
support clients, such as management points and distribution points.

Manage all clients in the hierarchy and perform all site management tasks from the
Configuration Manager console that is connected to the central administration site.
These tasks include installing management points or other site system roles at
child primary or secondary sites.
When you use a central administration site, it's the only place where you see site
data from all sites in your hierarchy. This data includes information such as
inventory data and status messages.

Configure discovery operations throughout the hierarchy from the central administration site. From the central administration site, assign discovery methods to run at individual primary sites.

Manage security throughout the hierarchy by assigning different security roles, security scopes, and collections to different administrative users. These configurations apply at each site in the hierarchy.

Configure replication to control communication between sites in the hierarchy. Schedule database replication for site data, and manage the bandwidth for the transfer of file-based data between sites.

Determine when to use a primary site


Use primary sites to manage clients. Install a primary site as a child site below a central
administration site, or as the first site of a new hierarchy. A primary site that's the first
site of a hierarchy creates a standalone primary site. Both child primary sites and
standalone primary sites support secondary sites.

Consider adding additional primary sites for the following reasons:

To increase the number of devices you manage with a single hierarchy.

To meet organizational management requirements. For example, you might install a primary site at a remote location to manage the transfer of deployment content across a low-bandwidth network. Consider instead using options to throttle the network bandwidth when transferring data to a distribution point. That content management capability can replace the need to install additional sites.

The following information can help you decide when to install a primary site:

A primary site can be a standalone primary site or a child primary site in a larger
hierarchy. When a primary site is a member of a hierarchy with a central
administration site, the sites use database replication to replicate data between the
sites. Unless you need to support more clients and devices than a single primary
site supports, consider installing a standalone primary site. After you install a
standalone primary site, expand it if needed in the future to report to a new central
administration site to scale up your deployment.
A primary site supports only a central administration site as a parent site.

A primary site supports only secondary sites as child sites, and supports multiple
secondary sites.

Primary sites are responsible for processing all client data from their assigned
clients.

Primary sites use database replication to communicate directly to their central administration site. This behavior is configured automatically when a new site installs.

Determine when to use a secondary site


Use secondary sites to manage the transfer of deployment content and client data
across low-bandwidth networks.

You manage a secondary site from a central administration site or the secondary site's
direct parent primary site. Secondary sites are attached to a primary site. You can't move
them to a different parent site without uninstalling them and then reinstalling them as a
child site below the new primary site.

However, you can route content between two peer secondary sites to help manage the
file-based replication of deployment content. To transfer client data to a primary site,
the secondary site uses file-based replication. A secondary site also uses database
replication to communicate with its parent primary site.

Consider installing a secondary site if any of the following conditions apply:

You don't require a local point of connectivity for an administrative user.

You're required to manage the transfer of deployment content to sites lower in the
hierarchy.

You're required to manage client information that's sent to sites higher in the
hierarchy.

If you don't want to install a secondary site, and you have clients in remote locations,
consider the following options:

Use peer-to-peer technologies such as Windows BranchCache

Enable distribution points for bandwidth control and scheduling


Use these content management options with or without secondary sites. They help
reduce the size of your Configuration Manager infrastructure. For more information
about content management options in Configuration Manager, see Determine when to
use content management options.

The following information can help you decide when to install a secondary site:

If a local instance of SQL Server isn't available, secondary site servers automatically
install SQL Server Express during site installation.

Secondary site installation is initiated from the Configuration Manager console, instead of running setup directly on a computer.

Secondary sites use a subset of the information in the site database. This behavior
reduces the amount of data that SQL Server replicates between the parent primary
site and secondary site.

Secondary sites support the routing of file-based content to other secondary sites
that have a common parent primary site.

Secondary site installations automatically install the management point and distribution point site system roles on the secondary site server.

Determine when to use content management options
If you have clients in remote network locations, consider using one or more content
management options instead of a primary or secondary site. The following options often
remove the need to install a site:

Windows Delivery Optimization

Configuration Manager peer cache

Windows BranchCache

Configure distribution points for bandwidth control

Manually copy content to distribution points (prestage content)

If any of the following conditions apply, consider deploying a distribution point instead
of installing another site:

Your network bandwidth is sufficient for client computers at the remote location to
communicate with a management point at the primary site. Clients communicate
with a management point to download client policy, send inventory, send
reporting status, and send discovery information.

Background Intelligent Transfer Service (BITS) doesn't provide sufficient bandwidth control for your network requirements.

For more information about content management options in Configuration Manager, see Fundamental concepts for content management.

Beyond hierarchy topology


Along with your initial hierarchy topology, also consider the following questions:

Which site system roles provide services or capabilities from different sites in the
hierarchy?

How are you managing hierarchy-wide configurations and capabilities in your infrastructure?

The following common considerations are covered in separate articles. This information
is important to influence or be influenced by your hierarchy design:

When you're preparing to Manage computers and devices, consider whether the devices are on-premises, in the cloud, or include user-owned devices (BYOD). Additionally, consider how you'll manage devices that support multiple management options. For example, manage Windows devices with Configuration Manager or through integration with Microsoft Intune. For more information, see Choose a device management solution.

Understand how your available network infrastructure might affect the flow of data
between remote locations. For more information, see Prepare your network
environment. Also consider the geographic location of your users and devices, and
whether they access your infrastructure through your on-premises network or the
internet.

Plan for a content infrastructure to efficiently distribute the content you deploy to
devices you manage. This content may be applications, software updates, or
operating systems. For more information, see Manage content and content
infrastructure.

Determine which features and capabilities of Configuration Manager you plan to use. Different features require different site system roles or Windows infrastructure. In a multiple site hierarchy, decide where you deploy them for the most efficient use of your network and server resources.

Consider security for data and devices, including the use of a public key infrastructure (PKI). For more information, see PKI certificate requirements.

Next steps
Review the following articles for site-specific configurations:

Plan for the SMS Provider

Plan for the site database

Plan for site system servers and site system roles

Plan for security

Managing network bandwidth when deploying content within a site

Consider configurations that span sites and hierarchies

High availability options for sites and hierarchies

Extend the Active Directory schema and configure sites to publish site data

Data transfers between sites

Fundamentals of role-based administration

Manage clients on the internet


Plan for the SMS Provider
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To manage Configuration Manager, you use a Configuration Manager console that connects to an instance of the SMS Provider. By default, an SMS Provider installs on the site server when you install a central administration site (CAS) or primary site.

About
The SMS Provider is a Windows Management Instrumentation (WMI) provider that
assigns read and write access to the Configuration Manager database at a site.

Each CAS and primary site requires at least one SMS Provider. You can install more providers as needed.

The SMS Admins security group provides access to the SMS Provider.
Configuration Manager automatically creates this group on the site server, and on
each computer where you install an instance of the SMS Provider. For more
information, see SMS Admins.

Secondary sites don't support the SMS Provider role.

Configuration Manager administrative users use an SMS Provider to access information that's stored in the database. To do so, admins can use the Configuration Manager console, Resource Explorer, tools, and custom scripts. The SMS Provider doesn't interact with Configuration Manager clients. When a Configuration Manager console connects to a site, it queries WMI on the site server to locate an instance of the SMS Provider to use.

The SMS Provider helps enforce Configuration Manager security. It returns only the
information that the console user is authorized to view.

The SMS Provider also provides API interoperability access over HTTPS, called the
administration service. This REST API can be used in place of a custom web service to
access information from the site. For more information, see What is the administration
service?.

Important

When each instance of the SMS Provider for a site is offline, Configuration Manager consoles can't connect to the site.

For more information about how to manage the SMS Provider, see Manage the SMS Provider.

Prerequisites
The SMS Provider has the following prerequisites:

In the same domain as the site server and the site database site systems

Can't have a site system role from a different site

Can't already have an SMS Provider from any site

Run a supported OS version

At least 650 MB of free disk space to support the Windows ADK components. For
more information about Windows ADK and the SMS Provider, see OS deployment
requirements.

For the administration service REST API:

Starting in version 2107, the SMS Provider requires .NET version 4.6.2, and version 4.8 is recommended. In version 2103 and earlier, this role requires .NET 4.5 or later. For more information, see Site and site system prerequisites.

In version 2006 and earlier, enable the Windows server role Web Server (IIS).
Starting in version 2010, this role is no longer required.

Note

Every SMS Provider attempts to install the administration service, which requires a certificate. This service has a dependency on IIS to bind that certificate to HTTPS port 443. If you enable Enhanced HTTP, then the site binds that certificate using IIS APIs. If your site uses PKI, you need to manually bind a PKI certificate in IIS on the SMS Provider. Unless the server already has a PKI-based certificate, the site automatically uses the site's self-signed certificate.

Locations
When you install a site, you automatically install the first SMS Provider for the site. You
can specify any of the following supported locations for the SMS Provider:

The site server

The site database server

Another server, which meets the installation prerequisites

To view the locations of each SMS Provider for a site:

1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and then select the Sites node.

2. Select a site from the list, and then choose Properties in the ribbon.

3. On the General tab of the site Properties, view the SMS Provider location field.

Each SMS Provider supports simultaneous connections from multiple requests. The only
limitations on these connections are the number of server connections that are available
to Windows, and the available resources on the server to service the connection
requests.

After you install a site, you can run Configuration Manager setup on the site server
again. Use setup to change the location of an existing SMS Provider, or to install more
SMS Providers at that site. Install only one SMS Provider on a computer. A computer
can't host an SMS Provider from more than one site.

Choosing a location
The following sections describe the advantages and disadvantages of installing an SMS
Provider on each supported location:

Configuration Manager site server


Advantages:

The SMS Provider doesn't use the system resources of the site database
computer.

This location can provide better performance than an SMS Provider located on a
computer other than the site server or site database computer.

Disadvantages:

The SMS Provider uses system and network resources that could be dedicated to site server operations.

SQL Server that hosts the site database

Advantages:

The SMS Provider doesn't use system resources on the site server.

This location can provide the best performance of the three locations, if
sufficient server resources are available.

Disadvantages:

The SMS Provider uses system and network resources that could be dedicated
to site database operations.

When the site database is hosted on a clustered instance of SQL Server, you
can't use this location.

Computer other than the site server or site database server


Advantages:

SMS Provider doesn't use site server or site database system resources.

This type of location lets you deploy more SMS Providers to provide high
availability for connections.

Disadvantages:

The SMS Provider performance might be reduced, because of the additional network activity that it requires to coordinate with the site server and the site database computer.

This server must be always accessible to the site database server, and to all
computers with the Configuration Manager console installed.

This location can use system resources that would otherwise be dedicated to
other services.

Authentication
You can specify the minimum authentication level for administrators to access Configuration Manager sites. This feature requires administrators to sign in to Windows with the required level before they can access Configuration Manager. It applies to all components that access the SMS Provider, for example, the Configuration Manager console, SDK methods, and Windows PowerShell cmdlets.

Configuration Manager supports the following authentication levels:

Windows authentication: Require authentication with Active Directory domain credentials. This setting is the previous behavior, and the current default setting.

Certificate authentication: Require authentication with a valid certificate that's issued by a trusted PKI certificate authority. You don't configure this certificate in Configuration Manager. Configuration Manager requires the administrator to be signed into Windows using PKI.

Windows Hello for Business authentication: Require authentication with strong two-factor authentication that's tied to a device and uses biometrics or a PIN. For more information, see Windows Hello for Business.

Important

When you select this setting, the SMS Provider and administration service
require the user's authentication token to contain a multi-factor
authentication (MFA) claim from Windows Hello for Business. In other words,
a user of the console, SDK, PowerShell, or administration service has to
authenticate to Windows with their Windows Hello for Business PIN or
biometric. Otherwise the site rejects the user's action.

This behavior is for Windows Hello for Business, not Windows Hello.

For more information on how to configure this setting, see Configure SMS Provider
authentication.

SMS Provider languages


The SMS Provider operates independently of the display language of the server where
you install it.

When an administrative user or Configuration Manager process requests data by using the SMS Provider, it attempts to return that data in a format that matches the OS language of the requesting computer.

The way it attempts to match the language is indirect. The SMS Provider doesn't translate information from one language to another. When it returns data for display in the Configuration Manager console, the display language of the data depends on the source of the object and type of storage.

When Configuration Manager stores data for an object in the database, the available
languages depend on the following factors:

Configuration Manager stores objects that it creates by using support for multiple
languages. It stores the object in the site database by using the languages that you
configure for the site when you run setup. The Configuration Manager console
displays these objects in the display language of the requesting computer, when
that language is available for the object. If the console can't display the object in
the display language of the requesting computer, it displays the object in the
default language, which is English.

Configuration Manager stores objects that an administrative user creates by using the language that was used to create the object. These objects display in the Configuration Manager console in this same language. The SMS Provider can't translate them, and they don't have multiple language options.

Use multiple SMS Providers


After a site completes installation, you can install more SMS Providers for the site. To
install more SMS Providers, run Configuration Manager setup on the site server.

Consider installing more SMS Providers when any of the following are true:

Many administrative users need to use the Configuration Manager console and
connect to a site at the same time.

You use the Configuration Manager SDK, or other products, that might introduce
frequent calls to the SMS Provider.

You have a business requirement for high availability of the SMS Provider.

When you install multiple SMS Providers at a site, and a connection request is made, the
site randomly assigns each new connection request to use an installed SMS Provider.
You can't specify the SMS Provider to use with a specific connection session.

Note

Consider the advantages and disadvantages of each SMS Provider location. For more information, see Locations. Balance these considerations with the information that you can't control which SMS Provider is used for each new connection.

When you first connect a Configuration Manager console to a site, the connection
queries WMI on the site server. This query identifies an instance of the SMS Provider
that the console uses. This specific instance of the SMS Provider remains in use by the
console until the session ends. If the session ends because the SMS Provider server is
unavailable on the network, when you reconnect the console to the site, it repeats the
initial query. It's possible the site assigns the same SMS Provider instance that's not
available. If this behavior occurs, attempt to reconnect the console until the site returns
an available SMS Provider.

SMS Provider namespace


The Configuration Manager WMI schema defines the structure of the SMS Provider.
Schema namespaces describe the location of Configuration Manager data within the
SMS Provider schema. The following table contains some of the common namespaces
that the SMS Provider uses:

Each namespace and its description:

Root\SMS\site_<site code>: The SMS Provider, which is extensively used by the Configuration Manager console, Resource Explorer, Configuration Manager tools, and scripts.

Root\SMS\SMS_ProviderLocation: The location of the SMS Provider computers for a site.

Root\CIMv2: The location inventoried for WMI namespace information during hardware and software inventory.

Root\CCM: Configuration Manager client configuration policies and client data.

Root\CIMv2\SMS: The location of inventory reporting classes that the inventory client agent collects. Clients compile these settings during computer policy evaluation. These settings are based on the client settings configuration for the computer.
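As an added example (not from the Microsoft documentation), the following PowerShell script does what the console does when it first connects: it reads Root\SMS\SMS_ProviderLocation on the site server to find the SMS Provider computers for a site, tries each one until a provider answers (the scripted version of reconnecting until the site returns an available provider), and then queries the Root\SMS\site_<site code> namespace. The site server name CM01 and site code PS1 are placeholders, and the account running the script is assumed to be a member of the SMS Admins group.

```powershell
# Added example, not from the Microsoft documentation. Placeholders: site server
# 'CM01' and site code 'PS1'. Run as a member of the SMS Admins group.
param(
    [string]$SiteServer = 'CM01',   # placeholder: site server host name
    [string]$SiteCode   = 'PS1'     # placeholder: three-character site code
)

# Step 1: like the console, ask the site server's Root\SMS namespace which
# computers host an SMS Provider for this site (class SMS_ProviderLocation).
$providers = Get-CimInstance -ComputerName $SiteServer -Namespace 'root\SMS' `
    -ClassName 'SMS_ProviderLocation' -ErrorAction Stop |
    Where-Object { $_.SiteCode -eq $SiteCode }

if (-not $providers) {
    throw "No SMS Provider is registered for site $SiteCode on $SiteServer."
}

# Step 2: the site hands out providers at random and you can't pin one, so try
# each registered machine until one answers. This is the scripted equivalent of
# reconnecting the console until an available provider is returned.
$session = $null
foreach ($p in $providers) {
    try {
        $session = New-CimSession -ComputerName $p.Machine -ErrorAction Stop
        Write-Host "Connected to SMS Provider on $($p.Machine) ($($p.NamespacePath))"
        break
    }
    catch {
        Write-Warning "SMS Provider on $($p.Machine) is unavailable: $($_.Exception.Message)"
    }
}
if (-not $session) { throw 'No SMS Provider instance for this site is reachable.' }

# Step 3: query the site namespace Root\SMS\site_<site code>. SMS_Site returns
# every site this provider knows about; from a CAS that's the whole hierarchy.
# Type: 1 = secondary, 2 = primary, 4 = central administration site.
# The provider returns only the objects the caller is authorized to view.
$siteNamespace = "root\SMS\site_$SiteCode"
Get-CimInstance -CimSession $session -Namespace $siteNamespace -ClassName 'SMS_Site' |
    Select-Object SiteCode, SiteName, Type, ServerName, ReportingSiteCode, Version |
    Format-Table -AutoSize

Remove-CimSession -CimSession $session
```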

OS deployment requirements
The computer where you install an instance of the SMS Provider requires a supported
version of the Windows ADK.
For more information about this requirement, see Infrastructure requirements for OS
deployment and Support for the Windows ADK.

When you manage OS deployments, the Windows ADK allows the SMS Provider to
complete various tasks, such as:

View WIM file details

Add driver files to existing boot images

Create boot ISO files

The Windows ADK installation can require up to 650 MB of free disk space on each
computer that installs the SMS Provider. This high disk space requirement is necessary
for Configuration Manager to install the Windows PE boot images.

Administration service
The SMS Provider provides API interoperability access over an HTTPS OData connection,
called the administration service. This REST API can be used in place of a custom web
service to access information from the site.

For more information, see What is the administration service?

Next steps
Manage the SMS Provider

Configure authentication for the SMS Provider

Plan for the site database


Plan for the site database for
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The site database server is a computer that runs a supported version of Microsoft SQL
Server. SQL Server is used to store information for Configuration Manager sites. Each
site in a Configuration Manager hierarchy contains a site database and a server that is
assigned the site database server role.

For central administration sites and primary sites, you can install SQL Server on the
site server, or you can install SQL Server on a computer other than the site server.

For secondary sites, you can use SQL Server Express instead of a full SQL Server
installation. The database server must, however, be run on the secondary site
server.

For SQL Server Always On availability groups, set the database recovery model to
FULL.

For non-availability group configurations, set the database recovery model to
SIMPLE.

Further information on SQL Server Recovery Modes can be found in Recovery Models
(SQL Server).

The following SQL Server configurations can be used to host the site database:

The default instance of SQL Server

A named instance on a single computer running SQL Server

A named instance on a failover cluster instance of SQL Server

A SQL Server Always On availability group

To host the site database, the SQL Server must meet the requirements detailed in
Support for SQL Server versions for Configuration Manager.

Remote database server location considerations
If you use a remote database server computer, ensure that the intervening network
connection is a high-availability, high-bandwidth network connection. The site server
and some site system roles must constantly communicate with the remote server that is
hosting the site database.

The amount of bandwidth required for communications to the database server
depends on a combination of many different site and client configurations.
Therefore, the actual bandwidth required cannot be adequately predicted.

Each computer that runs the SMS Provider and that connects to the site database
increases network bandwidth requirements.

The computer that runs SQL Server must be located in a domain that has two-way
trust with the site server and all computers running the SMS Provider.

You can't use a failover cluster instance of SQL Server for the site database server
when the site database is co-located with the site server.

Typically, a site system server supports site system roles from only a single Configuration
Manager site. You can, however, use different instances of SQL Server to host a database
from different Configuration Manager sites. To support databases from different sites,
configure each instance of SQL Server to use unique ports for communication.

Plan for site system servers and site
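The two checks the article asks for, the recovery model (FULL inside an Always On availability group, SIMPLE otherwise) and unique TCP ports when one SQL Server computer hosts databases for several sites, as an added PowerShell example that is not from the Microsoft docs. It assumes the SqlServer module (Invoke-Sqlcmd) is installed, the caller has VIEW DATABASE STATE and VIEW SERVER STATE on the instance, and 'SQL01\CM' and 'CM_PS1' are placeholders for your instance and site database.

```powershell
# Added example (not from the Microsoft docs). Requires the SqlServer module.

function Test-CmSiteDbRecoveryModel {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        # Site databases are named CM_<site code>; restrict to safe characters
        # because the name is substituted into the query text by Invoke-Sqlcmd.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9_]+$')][string]$DatabaseName
    )

    # sys.databases holds the recovery model; sys.availability_databases_cluster
    # lists databases that belong to an availability group (empty when none).
    # Single-quoted here-string so PowerShell leaves the $(db) sqlcmd variable alone.
    $query = @'
SELECT d.name,
       d.recovery_model_desc,
       CASE WHEN adc.database_name IS NULL THEN 0 ELSE 1 END AS in_ag
FROM sys.databases AS d
LEFT JOIN sys.availability_databases_cluster AS adc
       ON adc.database_name = d.name
WHERE d.name = N'$(db)';
'@
    $row = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database 'master' `
        -Query $query -Variable "db=$DatabaseName"
    if (-not $row) { throw "Database '$DatabaseName' not found on $ServerInstance" }

    $inAg     = ([int]$row.in_ag -eq 1)
    $expected = if ($inAg) { 'FULL' } else { 'SIMPLE' }
    [pscustomobject]@{
        Database            = $row.name
        InAvailabilityGroup = $inAg
        RecoveryModel       = $row.recovery_model_desc
        ExpectedModel       = $expected
        Compliant           = ($row.recovery_model_desc -eq $expected)
    }
}

function Get-SqlInstanceTcpPorts {
    param([Parameter(Mandatory)][string]$ServerInstance)

    # When several instances on one computer host databases for different sites,
    # each instance needs its own port. sys.dm_tcp_listener_states shows what the
    # instance is actually listening on (type_desc = 'TSQL' is the query endpoint).
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database 'master' -Query @'
SELECT ip_address, port, state_desc
FROM sys.dm_tcp_listener_states
WHERE type_desc = 'TSQL';
'@ | Select-Object ip_address, port, state_desc
}

# Usage (placeholders):
# Test-CmSiteDbRecoveryModel -ServerInstance 'SQL01\CM' -DatabaseName 'CM_PS1'
# Get-SqlInstanceTcpPorts -ServerInstance 'SQL01\CM'
```

Run Get-SqlInstanceTcpPorts against each instance on the shared computer and confirm the TSQL ports differ.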
system roles in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Each Configuration Manager site you install includes a site server that's a site system
server. The site can also include additional site system servers on computers that are
remote from the site server. Site system servers (the site server or a remote site system
server) support site system roles.

Site system servers


When you install a site system role on a computer, that computer becomes a site system
server. At each site, you can install one or more additional site system servers. You don't
have to install additional site system servers, and can choose to run all site system roles
directly on the site server computer. Each site system server supports one or more site
system roles. Additional servers can help expand the capabilities and capacity of a site
by sharing the processing load that site system roles place on a server.

When considering the addition of a site system server, ensure the server meets
prerequisites for the intended use. Also add it on a network location that has sufficient
bandwidth to communicate with expected endpoints. These endpoints include the site
server, domain resources, a cloud-based location, site system servers, and clients.

Site system roles


Install site system roles on a server to provide additional capabilities to the site.
Examples include:

Additional management points so that the site can support more devices, up to
the site's supported capacity.

Additional distribution points to expand your content infrastructure, improving the
performance of content distributions to devices.

One or more feature-specific site system roles. For example, a software update
point lets you manage software updates for managed devices. A reporting services
point lets you run reports to monitor, understand, and share information about
your environment.

Different Configuration Manager sites can support different sets of site system roles. The
supported set of site system roles depends on the type of site. (The types of sites
include a central administration site, primary sites, or secondary sites.) The topology of
your hierarchy can limit the placement of some roles at certain site types. For example,
the service connection point is only supported at the top-tier site of the hierarchy. The
top-tier site might be a central administration site or a standalone primary site. This role
isn't supported at a child primary site or at secondary sites.

After a site installs, you can move the location of some site system roles from their
default location on the site server to another server. For example, the management
point or distribution point roles install by default on a primary or secondary site server.
Also install additional instances of some site system roles to expand the capabilities of
your site, and to meet your business requirements. Some roles are required, while others
are optional.

Configuration Manager site server


This role identifies the server where Configuration Manager setup is run to install a site,
or the server on which you install a secondary site. You can't move or uninstall this role
until the site is uninstalled.

Configuration Manager site system


This role is assigned to any computer on which you either install a site or install a site
system role. You can't move or uninstall this role until you remove the last site system
role from the computer.

Configuration Manager component site system role


This role identifies a site system that runs an instance of the SMS Executive service. It's
required to support other roles, like management points. You can't move or uninstall
this role until you remove the last applicable site system role from the computer.

Configuration Manager site database server


The site assigns this role to site system servers that hold an instance of the site
database. Only move this role to a new server by running setup to modify the site to use
a different instance of SQL Server to host the site database.

SMS Provider
The site assigns this role to each computer that hosts an instance of the SMS Provider.
The provider is the interface between a Configuration Manager console and the site
database. By default, this role automatically installs on the site server of a central
administration site and primary sites. Install additional instances at each site to provide
access to additional administrative users or for redundancy.

To install additional providers, run Configuration Manager setup to Manage the SMS
Provider. Then install additional providers on additional computers. Only install one
instance of the SMS Provider on a computer. That computer must be in the same
domain as the site server.

Asset Intelligence synchronization point

Important

Starting in November 2021, this feature of Configuration Manager is deprecated.
For more information, see Asset intelligence deprecation.

A site system role that connects to Microsoft to download information for the Asset
Intelligence catalog. This role also uploads uncategorized titles, so that Microsoft can
consider them for future inclusion in the catalog. A hierarchy supports only a single
instance of this role at the top-tier site of your hierarchy. If you expand a standalone
primary site into a larger hierarchy, uninstall this role from the primary site. Then install
it at the central administration site.

For more information, see Asset Intelligence in Configuration Manager.

Certificate registration point

Warning

Starting in version 2203, the certificate registration point is no longer supported.
For more information, see Frequently asked questions about resource access
deprecation.

A site system role that communicates with a server that runs the Network Device
Enrollment Service (NDES). This role manages device certificate requests that use the
Simple Certificate Enrollment Protocol (SCEP). This role is supported only at primary sites
and the central administration site.

Although a single certificate registration point can provide functionality to an entire
hierarchy, you may want to install multiple instances of this role at a site, and at multiple
sites in the same hierarchy. This design helps with load balancing. When multiple
instances exist in a hierarchy, clients are randomly assigned to one of the certificate
registration points.

Each certificate registration point requires access to a separate NDES instance. You can't
configure two or more certificate registration points to use the same NDES instance.
Additionally, don't install the certificate registration point on the same server that runs
NDES.

Cloud management gateway connection point


A site system role for communicating with the cloud management gateway.

Data warehouse service point


Use the data warehouse service point to store and report on long-term historical data in
your Configuration Manager environment. For more information, see Data warehouse.

Distribution point
A site system role that contains source files for clients to download, for example:

Application content
Software packages
Software updates
OS images
Boot images

By default, this role installs on the site server when you install a new primary or
secondary site. This role isn't supported at a central administration site. Install multiple
instances of this role at a supported site, and at multiple sites in the same hierarchy. For
more information, see Fundamental concepts for content management, and Manage
content and content infrastructure.

Endpoint Protection point


A site system role that Configuration Manager uses to accept the Endpoint Protection
license terms, and to configure the default membership for Cloud Protection Service. A
hierarchy only supports a single instance of this role, and that must be at the top-tier
site. If you expand a standalone primary site into a larger hierarchy, uninstall this role
from the primary site, and then install it at the central administration site. For more
information, see Endpoint Protection in Configuration Manager.

Enrollment point

Important

With the deprecation of on-premises MDM and the Configuration Manager client
for macOS, this site system role is also deprecated. For more information, see
Removed and deprecated features for Configuration Manager.

A site system role that uses PKI certificates for Configuration Manager to enroll mobile
devices and macOS computers. Although this role is supported only at primary sites, you
can install multiple instances of this role at a site, or at multiple sites in the same
hierarchy.

If a user enrolls mobile devices by using Configuration Manager, and the user's Active
Directory account is in a forest that's untrusted by the site server's forest, install an
enrollment point in the user's forest. Then Configuration Manager can authenticate the
user.

Enrollment proxy point

Important

With the deprecation of on-premises MDM and the Configuration Manager client
for macOS, this site system role is also deprecated. For more information, see
Removed and deprecated features for Configuration Manager.

A site system role that manages Configuration Manager enrollment requests from
mobile devices and macOS computers. Although this role is supported only at primary
sites, you can install multiple instances of this role at a site, or at multiple sites in the
same hierarchy.

When you support mobile devices on the internet, install an enrollment proxy point in a
perimeter network, and install one on the intranet.

Exchange Server connector


For information about this role, see Manage mobile devices with Configuration Manager
and Exchange.

Fallback status point


A site system role that helps you monitor client installation. It identifies clients that are
unmanaged because they can't communicate with their management point. Although
this role is supported only at primary sites, you can install multiple instances of this role
at a site, and at multiple sites in the same hierarchy.

Management point
A site system role that provides policy and service location information to clients. It also
receives configuration data from clients.

By default, this role installs on the site server when you install a new primary or
secondary site. Primary sites support multiple instances of this role. Secondary sites
support a single management point. Also referred to as a proxy management point, this
role at a secondary site provides a local point of contact for clients to obtain computer
and user policies.

Set up management points to support either HTTP or HTTPS. They can also support
mobile devices that you manage with Configuration Manager on-premises mobile
device management (MDM). To help reduce the processing load placed on the site
database server by management points as they service requests from clients, use
Database replicas for management points.

Important

Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Reporting services point


A site system role that integrates with SQL Server Reporting Services to create and
manage reports for Configuration Manager. This role is supported at primary sites and
the central administration site, and you can install multiple instances of this role at a
supported site. For more information, see Planning for reporting.
Service connection point
A site system role that uploads usage data from your site, and is required to make
updates for Configuration Manager available in the console. A hierarchy only supports a
single instance of this role, and that must be at the top-tier site of your hierarchy. If you
expand a standalone primary site into a larger hierarchy, uninstall this role from the
primary site, and then install it at the central administration site. For more information,
see About the service connection point.

Software update point


A site system role that integrates with Windows Server Update Services (WSUS) to
provide software updates to Configuration Manager clients. This role is supported at all
sites:

Install this site system at the central administration site to synchronize with WSUS.

Set up each instance of this role at child primary sites to synchronize with the
central administration site.

When data transfer across the network is slow, consider installing a software
update point in secondary sites.

For more information, see Plan for software updates.

State migration point


When you migrate a computer to a new operating system, this site system role stores
user state data. This role is supported at primary sites and at secondary sites. Install
multiple instances of this role at a site, and at multiple sites in the same hierarchy. For
more information about storing user state when you deploy an OS, see Manage user
state.

Next steps
Some Configuration Manager site system roles require connections to the internet. If
your environment requires internet traffic to use a proxy server, configure these site
system roles to use the proxy. For more information, see Proxy server support.
Fundamental concepts for content
management in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager supports a robust system of tools and options to manage
software content. Software deployments such as applications, packages, software
updates, and OS deployments all need content. Configuration Manager stores the
content on both site servers and distribution points. This content requires a large
amount of network bandwidth when it's being transferred between locations. To plan
and use the content management infrastructure effectively, first understand the
available options and configurations. Then consider how to use them to best fit your
networking environment and content deployment needs.

Tip

For more information about the content distribution process and to find help in
diagnosing and resolving general content distribution problems, see
Understanding and Troubleshooting Content Distribution in Microsoft
Configuration Manager .

The following sections are key concepts for content management. When a concept
requires additional or complex information, links are provided to direct you to those
details.

Accounts used for content management


The following accounts can be used with content management:

Network access account


Used by clients to connect to a distribution point and access content. If allowed, the
client first tries anonymous authentication. Then it tries Windows-integrated
authentication with the computer account or network access account. For more
information, see Client to distribution point communication.

This account is also used by pull-distribution points to download content from a source
distribution point in a remote forest.

Some scenarios no longer require a network access account. You can enable the site to
use Enhanced HTTP with Azure Active Directory authentication.

For more information, see Network access account.

Package access account


By default, Configuration Manager grants access to content on a distribution point to
the generic access accounts Users and Administrators. However, you can configure
additional permissions to restrict access.

For more information, see Package access account.

Bandwidth throttling and scheduling


Both throttling and scheduling are options that help you control when content is
distributed from a site server to distribution points. These capabilities are similar to, but
not directly related to bandwidth controls for site-to-site file-based replication.

For more information, see Manage network bandwidth.

Binary differential replication


Configuration Manager uses binary differential replication (BDR) to update content that
you previously distributed to other sites or to remote distribution points. To support
BDR's reduction of bandwidth usage, install the Remote Differential Compression
feature on distribution points. For more information, see Distribution point
prerequisites.

BDR minimizes the network bandwidth used to send updates for distributed content. It
resends only the new or changed content instead of sending the entire set of content
source files each time you change those files.

When BDR is used, Configuration Manager identifies the changes that occur to source
files for each set of content that you previously distributed.

When files in the source content change, the site creates a new incremental version
of the content. It then replicates only the changed files to destination sites and
distribution points. A file is considered changed if you renamed or moved it, or if
you changed the contents of the file. For example, if you replace a single driver file
for a driver package that you previously distributed to several sites, only the
changed driver file is replicated.

Configuration Manager supports up to five incremental versions of a content set
before it resends the entire content set. After the fifth update, the next change to
the content set causes the site to create a new version of the content set.
Configuration Manager then distributes the new version of the content set to
replace the previous set and any of its incremental versions. After the new content
set is distributed, later incremental changes to the source files are again replicated
by BDR.

BDR is supported between each parent and child site in a hierarchy. BDR is supported
within a site between the site server and its regular distribution points. However, pull-
distribution points and content-enabled cloud management gateways don't support
BDR to transfer content. Pull-distribution points support file-level deltas, transferring
new files, but not blocks within a file.

Applications always use binary differential replication. BDR is optional for packages and
isn't enabled by default. To use BDR for packages, enable this functionality for each
package. Select the option Enable binary differential replication when you create or
edit a package.

BDR or delta replication


The following lists summarize the differences between binary differential replication
(BDR) and delta replication.

Summary of binary differential replication


Configuration Manager's term for Windows Remote Differential Compression
Block-level differences
Always enabled for apps
Optional on legacy packages
If a file already exists on the distribution point, and there's a change, the site uses
BDR to replicate the block-level change instead of the entire file. This behavior
only applies when you enable the object to use BDR.

Summary of delta replication

File-level differences
On by default, not configurable
When a package changes, the site checks for changes to the individual files instead
of the entire package.
If a file changes, use BDR to do the work
If there's a new file, copy the new file
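The two summaries above, delta replication (which files changed) and BDR (which parts of a changed file must be sent), illustrated by an added PowerShell example that is not from the Microsoft docs. The block-level part is a simplified fixed-size block comparison, not the Remote Differential Compression chunking that Configuration Manager actually uses; the sample content (a driver package with one driver modified and one added) is constructed in a temporary folder.

```powershell
# Added example (not from the Microsoft docs). Fixed 4 KB blocks stand in for RDC.

function Get-FileBlockHashes {
    param([Parameter(Mandatory)][string]$Path, [int]$BlockSize = 4096)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] $BlockSize
        $hashes = [System.Collections.Generic.List[string]]::new()
        while (($read = $stream.Read($buffer, 0, $BlockSize)) -gt 0) {
            $hashes.Add([System.BitConverter]::ToString($sha.ComputeHash($buffer, 0, $read)))
        }
        return $hashes
    }
    finally { $stream.Dispose(); $sha.Dispose() }
}

function Compare-ContentVersions {
    param([Parameter(Mandatory)][string]$OldRoot,
          [Parameter(Mandatory)][string]$NewRoot,
          [int]$BlockSize = 4096)

    # Index the previously distributed version by relative path.
    $old = @{}
    Get-ChildItem -Path $OldRoot -File -Recurse | ForEach-Object {
        $old[$_.FullName.Substring($OldRoot.Length).TrimStart('\')] = $_
    }

    foreach ($f in Get-ChildItem -Path $NewRoot -File -Recurse) {
        $rel = $f.FullName.Substring($NewRoot.Length).TrimStart('\')
        if (-not $old.ContainsKey($rel)) {
            # Delta replication: a new (or renamed/moved) file is copied whole.
            [pscustomobject]@{ File = $rel; Change = 'New'; BytesToSend = $f.Length }
            continue
        }
        # Delta replication found an existing file; BDR decides how much of it to send.
        $oldHashes = Get-FileBlockHashes -Path $old[$rel].FullName -BlockSize $BlockSize
        $newHashes = Get-FileBlockHashes -Path $f.FullName -BlockSize $BlockSize
        $changed = 0
        for ($i = 0; $i -lt $newHashes.Count; $i++) {
            if ($i -ge $oldHashes.Count -or $oldHashes[$i] -ne $newHashes[$i]) { $changed++ }
        }
        if ($changed -eq 0) { continue }   # unchanged file: nothing is replicated
        [pscustomobject]@{ File = $rel; Change = 'Modified'; BytesToSend = $changed * $BlockSize }
    }
}

# Constructed sample content: v1 is the distributed driver package, v2 the edited one.
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) ('bdr-demo-' + [guid]::NewGuid())
$v1  = Join-Path $tmp 'v1'; $v2 = Join-Path $tmp 'v2'
New-Item -ItemType Directory -Path $v1, $v2 | Out-Null

$driver = [byte[]]::new(64KB); (New-Object System.Random 1).NextBytes($driver)
[System.IO.File]::WriteAllBytes((Join-Path $v1 'nic.sys'), $driver)
[System.IO.File]::WriteAllBytes((Join-Path $v1 'nic.inf'), [System.Text.Encoding]::ASCII.GetBytes('[Version]'))

# v2: nic.sys differs in one byte, nic.inf is unchanged, audio.sys is new.
$patched = $driver.Clone(); $patched[10000] = $patched[10000] -bxor 0xFF
[System.IO.File]::WriteAllBytes((Join-Path $v2 'nic.sys'), $patched)
Copy-Item (Join-Path $v1 'nic.inf') (Join-Path $v2 'nic.inf')
[System.IO.File]::WriteAllBytes((Join-Path $v2 'audio.sys'), [byte[]]::new(8KB))

Compare-ContentVersions -OldRoot $v1 -NewRoot $v2 | Format-Table -AutoSize
Remove-Item -Path $tmp -Recurse -Force
```

The table shows only one block of nic.sys and the whole of audio.sys as bytes to send, while nic.inf does not appear at all.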

Peer caching technologies


Configuration Manager supports several options for managing content between peer
devices on the same network:

BranchCache
Delivery Optimization
Configuration Manager peer cache

Use the following table to compare major features of these technologies:

Feature                  Peer cache                        Delivery Optimization        BranchCache

Across subnets           Yes                               Yes                          No

Throttle bandwidth       Yes (BITS)                        Yes (native)                 Yes (BITS)

Partial content          Yes                               Yes                          Yes

Control cache size       Yes                               Yes                          Yes
on disk

Peer source discovery    Manual (client setting)           Automatic                    Automatic

Peer discovery           Via management point using        DO cloud service             Broadcast
                         boundary groups

Reporting                Client data sources dashboard     Client data sources          Client data sources
                                                           dashboard                    dashboard

WAN usage control        Boundary groups                   DO GroupID                   Subnet only

Supported content        All ConfigMgr content             Windows updates, drivers,    All ConfigMgr content
                                                           store apps

Policy control           Client agent settings             Client agent settings        Client agent settings
                                                           (partial)

Recommendations
Modern management: If you're already using modern tools such as Intune,
implement Delivery Optimization.

Configuration Manager and co-management: Use a combination of peer cache
and Delivery Optimization. Use peer cache with on-premises distribution points,
and use Delivery Optimization for cloud scenarios.

Existing BranchCache implemented: Use all three technologies in parallel. Use peer
cache and Delivery Optimization for scenarios that aren't supported by
BranchCache.

BranchCache
BranchCache is a Windows technology. Clients that support BranchCache, and have
downloaded a deployment that you configure for BranchCache, then serve as a content
source to other BranchCache-enabled clients.

For example, you have a distribution point that runs Windows Server 2012 or later, and
is configured as a BranchCache server. When the first BranchCache-enabled client
requests content from this server, the client downloads that content and caches it.

That client then makes the content available for additional BranchCache-enabled
clients on the same subnet that also cache the content.
Other clients on the same subnet don't have to download content from the
distribution point.
The content is distributed across multiple clients for future transfers.

For more information, see Support for Windows BranchCache.

Delivery Optimization
You use Configuration Manager boundary groups to define and regulate content
distribution across your corporate network and to remote offices. Windows Delivery
Optimization is a cloud-based, peer-to-peer technology to share content between
Windows 10 or later devices. Configure Delivery Optimization to use your boundary
groups when sharing content among peers. Client settings apply the boundary group
identifier as the Delivery Optimization group identifier on the client. When the client
communicates with the Delivery Optimization cloud service, it uses this identifier to
locate peers with the content. For more information, see delivery optimization client
settings.

Delivery Optimization is the recommended technology to optimize Windows update
delivery of express installation files for Windows quality updates. Internet access to the
Delivery Optimization cloud service is a requirement to utilize its peer-to-peer
functionality. For information about the needed internet endpoints, see Frequently
asked questions for Delivery Optimization. Delivery Optimization can be used for all
Windows updates. For more information, see optimize Windows update delivery.

Microsoft Connected Cache


You can install a Microsoft Connected Cache server on your distribution points. By
caching this content on-premises, your clients can benefit from the Delivery
Optimization feature, but you can help to protect WAN links.

Note

This feature was previously known as Delivery Optimization In-Network Cache.

This cache server acts as an on-demand transparent cache for content downloaded by
Delivery Optimization. Use client settings to make sure this server is offered only to the
members of the local Configuration Manager boundary group.

This cache is separate from Configuration Manager's distribution point content. If you
choose the same drive as the distribution point role, it stores content separately.

For more information, see Microsoft Connected Cache in Configuration Manager.

Peer cache
Client peer cache helps you manage deployment of content to clients in remote
locations. Peer cache is a built-in Configuration Manager solution that enables clients to
share content with other clients directly from their local cache.

First deploy client settings that enable peer cache to a collection. Then members of that
collection can act as a peer content source for other clients in the same boundary
group.

Client peer cache sources can divide content into parts. These parts minimize the
network transfer to reduce WAN utilization. The management point provides more
detailed tracking of the content parts. It tries to eliminate more than one download of
the same content per boundary group.

For more information, see Peer cache for Configuration Manager clients.

Windows PE peer cache


When you deploy a new OS with Configuration Manager, computers that run the task
sequence can use Windows PE peer cache. They download content from a peer cache
source instead of from a distribution point. This behavior helps minimize WAN traffic in
branch office scenarios where there's no local distribution point.

For more information, see Windows PE peer cache.

Windows LEDBAT
Windows Low Extra Delay Background Transport (LEDBAT) is a network congestion
control feature of Windows Server to help manage background network transfers. For
distribution points running on supported versions of Windows Server, enable an option
to help adjust network traffic. Then clients only use network bandwidth when it's
available.

For more information on Windows LEDBAT in general, see the New transport
advancements blog post.

For more information on how to use Windows LEDBAT with Configuration Manager
distribution points, see the setting to Adjust the download speed to use the unused
network bandwidth (Windows LEDBAT) when you Configure the general settings of a
distribution point.

Note

Starting in Configuration Manager version 2203, you can use LEDBAT with your
software update points. If a site system has both the distribution point and
software update point roles, you can configure LEDBAT independently on the roles.
For more information, see the setting Adjust the download speed to use the
unused network bandwidth (Windows LEDBAT) setting for Installing software
update points.

Client locations
The following are locations that clients access content from:

Intranet (on-premises):

Distribution points can use HTTP or HTTPS.

Only use a content-enabled cloud management gateway for fallback when on-
premises distribution points aren't available.

Internet:

Requires internet-facing distribution points to accept HTTPS.

Can use a content-enabled cloud management gateway.

Workgroup:

Requires distribution points to accept HTTPS.

Can use a content-enabled cloud management gateway.

Content source priority


When a client needs content, it makes a content location request to the management
point. The management point returns a list of source locations that are valid for the
requested content. This list varies depending upon the specific scenario, technologies in
use, site design, boundary groups, and deployment settings. For example, when a task
sequence runs, the full Configuration Manager client isn't always running, so the
behaviors may differ.

The following list contains all of the possible content source locations that the
Configuration Manager client can use, in the order in which it prioritizes them:

1. The distribution point on the same computer as the client
2. A peer source in the same network subnet
3. A distribution point in the same network subnet
4. A peer source in the same boundary group
5. A distribution point in the current boundary group
6. A distribution point in a neighbor boundary group configured for fallback
7. A distribution point in the default site boundary group
8. The Windows Update cloud service
9. An internet-facing distribution point
10. A content-enabled cloud management gateway in Azure

Delivery Optimization isn't applicable to this source prioritization. This list is how the
Configuration Manager client finds content. The Windows Update Agent downloads
content for Delivery Optimization. If the Windows Update Agent can't find the content,
then the Configuration Manager client uses this list to search for it.

BranchCache applies to this list only when you enable a distribution point for
BranchCache. For example, if a client gets to option #3 in the prioritization list, it first
asks the distribution point for BranchCache metadata. The BranchCache-enabled
distribution point is what provides the client information for BranchCache peer
discovery. The client will download content from a BranchCache peer if it can. If it can't
download the content via BranchCache, it then tries the distribution point itself, before
continuing down the list of content sources. This behavior applies at any point in the
priority list where the client uses a BranchCache-enabled distribution point.

The configuration of boundary group options can modify the sort order of this priority
list.

Content library
The content library is the single-instance store of content in Configuration Manager.
This library reduces the overall size of content that you distribute.

Learn more about the content library.

Use the content library cleanup tool to remove content that is no longer
associated with an application.

Distribution points
Configuration Manager uses distribution points to store files that are required for
software to run on client computers. Clients must have access to at least one
distribution point from which they can download the files for content that you deploy.

The basic (non-specialized) distribution point is commonly referred to as a standard
distribution point. There are two variations on the standard distribution point that
receive special attention:

Pull-distribution point: A variation of a distribution point where the distribution


point obtains content from another distribution point (a source distribution point).
This process is similar to how clients download content from distribution points.
Pull-distribution points can help you avoid network bandwidth bottlenecks that
occur when the site server must directly distribute content to each distribution
point. For more information, see Use a pull-distribution point.

Content-enabled cloud management gateway: A variation of a distribution point


that's installed on Microsoft Azure. For more information, see Cloud management
gateway overview.
Standard distribution points support a range of configurations and features:

Use controls such as schedules or bandwidth throttling to help control this


transfer.

Use other options, including prestaged content, and pull-distribution points to


minimize and control network consumption.

BranchCache, peer cache, and Delivery Optimization are peer-to-peer


technologies to reduce the network bandwidth that's used when you deploy
content.

There are different configurations for OS deployments, such as PXE and Multicast

Options for mobile devices

Cloud and pull distribution points support many of these same configurations, but have
limitations that are specific to each distribution point variation.

Distribution point groups

Distribution point groups are logical groupings of distribution points that can simplify
content distribution.

For more information, see Manage distribution point groups.

Distribution point priority

The distribution point priority value is based on how long it took to transfer previous
deployments to that distribution point.

This value is self-tuning. It's set on each distribution point to help Configuration
Manager more quickly transfer content to more distribution points.

When you distribute content to multiple distribution points at the same time, or
to a distribution point group, the site first sends the content to the server with the
highest priority. Then it sends that same content to a distribution point with a
lower priority.

Distribution point priority doesn't replace the distribution priority for packages.
Package priority remains the deciding factor of when the site sends different
content.

For example, you have a package that has a high package priority. You distribute it to a
server with a low distribution point priority. This high priority package always transfers
before a package that has a lower priority. The package priority applies even if the site
distributes lower priority packages to servers with higher distribution point priorities.

The high priority of the package ensures that Configuration Manager distributes that
content to distribution points before it sends any packages with a lower priority.

Note

Pull-distribution points also use a concept of priority to order the sequence of their
source distribution points.

The distribution point priority for content transfers to the server is distinct
from the priority that pull-distribution points use. Pull-distribution points use
their priority when they search for content from a source distribution point.
For more information, see Use a pull-distribution point.

Fallback
Several things have changed with Configuration Manager current branch in the way that
clients find a distribution point that has content, including fallback.

Clients that can't find content from a distribution point that's associated with their
current boundary group fall back to use content source locations associated with
neighbor boundary groups. To be used for fallback, a neighbor boundary group must
have a defined relationship with the client's current boundary group. This relationship
includes a configured time that must pass before a client that can't find content locally
includes content sources from the neighbor boundary group as part of its search.

The concepts of preferred distribution points are no longer used, and settings for Allow
fallback source locations for content are no longer available or enforced.

For more information, see Boundary groups.

Network bandwidth

To help manage the amount of network bandwidth that's used when you distribute
content, you can use the following options:

Prestaged content: Transferring content to a distribution point without distributing
the content across the network.

Scheduling and throttling: Configurations that help you control when and how
content is distributed to distribution points.

For more information, see Manage network bandwidth.

Network connection speed to content source

Several things have changed with Configuration Manager current branch in the way that
clients find a distribution point that has content. These changes include the network
speed to a content source.

Network connection speeds that define a distribution point as Fast or Slow are no
longer used. Instead, each site system that's associated with a boundary group is treated
the same.

For more information, see Boundary groups.

On-demand content distribution

On-demand content distribution is an option for individual applications and packages.
This option enables on-demand content distribution to preferred servers.

To enable on-demand content distribution for a package/application, do the
following:

In the Distribution Point properties, inside the Boundary Groups tab, select
Enable for on-demand distribution.

Inside the distribution settings tab for package/application properties, select
Enable for on-demand distribution.

When you enable this option for a deployment, and a client requests that content
but the content isn't available on any of the client's preferred distribution points,
Configuration Manager automatically distributes that content to the client's
preferred distribution points.

Although this triggers Configuration Manager to automatically distribute the
content to that client's preferred distribution points, the client might obtain that
content from other distribution points before the preferred distribution points for
the client receive the deployment. When this behavior occurs, the content will then
be present on that distribution point for use by the next client that seeks that
deployment.

For more information, see Boundary groups.

Package transfer manager

Package transfer manager is the site server component that transfers content to
distribution points on other computers.

For more information, see Package transfer manager.

Prestage content
Prestaging content is a process of transferring content to a distribution point without
distributing the content across the network.

For more information, see Manage network bandwidth.


Use a pull-distribution point with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When you distribute content to a standard distribution point in the Configuration
Manager console, the site server pushes the content to the distribution point. A pull-
distribution point gets content by downloading it from a source location like a client.

When you distribute content to many distribution points, pull-distribution points help
reduce the processing load on the site server. They can also speed the content transfer
to each server. Normally the distribution manager component on the site server sends
content to each distribution point. Instead, the site offloads the process of transferring
the content to the pull-distribution points.

You configure individual distribution points to be pull-distribution points. For each pull-
distribution point, specify one or more source distribution points from which it can get
content. A pull-distribution point can only download content from a distribution point
that you specify as a source distribution point.

When you distribute content to a pull-distribution point in the console, the site server
sends it a notification. The pull-distribution point then downloads the content from a
source distribution point. A pull-distribution point manages the content transfer by
downloading from a distribution point that already has a copy of the content.

Pull-distribution points support the same configurations and functionality as typical
distribution points. For example, a pull-distribution point supports:

Multicast and PXE configurations
Content validation
On-demand content distribution
HTTP or HTTPS communications from clients
The same certificate options as other distribution points
Manage individually or as a member of a distribution point group

Configure a pull-distribution point when you install the distribution point. After you
create a distribution point, configure it as a pull-distribution point by editing the role
properties. For more information on how to enable a distribution point as a pull-
distribution point, see Pull-distribution point.

Remove the configuration to be a pull-distribution point by editing the properties of the
distribution point. When you remove the configuration as a pull-distribution point, it
returns to normal operation. The site server manages future content transfers to the
distribution point.

Distribution process
When you distribute content to a pull-distribution point, the following sequence of
events occurs:

Once you distribute content to a pull-distribution point in the console, the Package
Transfer Manager component on the site server checks the site database to
confirm if the content is available on a source distribution point. If it can't confirm
that the content is on a source distribution point for the pull-distribution point, it
repeats the check every 20 minutes until the content is available.

When the Package Transfer Manager confirms that the content is available, it
notifies the pull-distribution point to download the content. If this notification fails,
it retries based on the Software Distribution component Retry settings for pull-
distribution points. When the pull-distribution point receives this notification, it
tries to download the content from its source distribution points.

While the pull-distribution point downloads the content, the Package Transfer
Manager polls the status based on the Software Distribution component Status
polling settings for pull-distribution points. When the pull-distribution point
completes the download of content, it submits this status to a management point.

Configure site component settings

When you use a pull-distribution point, review and configure the following site
component settings:

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. Select the site. In the ribbon, select Configure Site Components, and select
Software Distribution.

3. Switch to the Pull Distribution Point tab.

4. In the Retry settings group, review the following values:

Number of retries: The number of times that the Package Transfer Manager
tries to notify the pull-distribution point to download the content. After it
tries this number of times, the Package Transfer Manager cancels the transfer.
This value is 30 by default.

Delay before retrying (minutes): The number of minutes that the Package
Transfer Manager waits between attempts. This value is 20 by default.

5. In the Status polling settings group, review the following values:

Number of polls: The number of times that the Package Transfer Manager
contacts the pull-distribution point to retrieve the job status. If it tries this
number of times before the job completes, the Package Transfer Manager
cancels the transfer. This value is 72 by default.

Delay before retrying (minutes): The number of minutes that the Package
Transfer Manager waits between attempts. This value is 60 by default.

Note

When the Package Transfer Manager cancels a job because it exceeds the
number of polling retries, the pull-distribution point continues to download
the content. When it finishes, the pull-distribution point sends the appropriate
status message, and the console reflects the new status.

Limitations

You can't configure a content-enabled cloud management gateway as a pull-
distribution point.

You can't configure the distribution point role on a site server as a pull-distribution
point.

The prestage content configuration overrides the pull-distribution point
configuration. If you turn on the option to Enable this distribution point for
prestaged content on a pull-distribution point, it waits for the content. It doesn't
pull content from the source distribution point. Like a standard distribution point
enabled for prestaged content, it doesn't receive content from the site server. For
more information, see Prestaged content.

A pull-distribution point doesn't use schedule or rate limit configurations. When
you configure a previously installed distribution point to be a pull-distribution
point, configurations for schedule and rate limits are saved, but not used. If you
later remove the pull-distribution point configuration, the schedule and rate limit
configurations are implemented as previously configured.

Note

The Schedule and Rate Limits tabs aren't visible in the properties of the
distribution point.

Pull-distribution points don't use the settings on the General tab of the Software
Distribution Component Properties for each site. These settings include
Concurrent distribution and Multicast retry.

To transfer content from a source distribution point in a remote forest, install the
Configuration Manager client on the pull-distribution point. Also configure a
network access account that can access the source distribution point. If you enable
the site option to Use Configuration Manager-generated certificates for HTTP
site systems, then you don't need a network access account.

If the pull-distribution point is also a Configuration Manager client, the client
version must be the same as the Configuration Manager site that installs the pull-
distribution point. The pull-distribution point uses the CCMFramework that is
common to both the pull-distribution point and the Configuration Manager client.

About source distribution points

When you configure the pull-distribution point, specify one or more source distribution
points:

The wizard only displays distribution points that qualify to be source distribution
points.

A pull-distribution point can be specified as a source distribution point for another
pull-distribution point.

Only distribution points that support HTTP can be specified as source distribution
points when you use the Configuration Manager console.

To use a source distribution point that's configured for HTTPS, install the
Configuration Manager client on the pull-distribution point.

If your remote offices have a better connection to the internet, or to reduce load
on your WAN links, use a content-enabled cloud management gateway (CMG) in
Microsoft Azure as the source. The pull-distribution point needs internet access to
communicate with Microsoft Azure. The content must be distributed to the source
CMG.

Note

This feature does incur charges to your Azure subscription for data storage
and network egress. For more information, see the Cost of CMG.

Tip

When a pull-distribution point downloads content from a source distribution point,
that pull-distribution point is counted as a client in the Client Accessed (Unique)
column of the Distribution point usage summary report.

Source priorities
Assign a separate priority to each source distribution point, or assign multiple
source distribution points to the same priority.

The priority determines the order in which the pull-distribution point requests
content from its source distribution points.

Pull-distribution points initially contact a source distribution point with the lowest
value for priority. If there are multiple source distribution points with the same
priority, the pull-distribution point randomly selects one of the sources with that
priority.

If the content isn't available on a selected source, the pull-distribution point then
tries to download the content from another distribution point with that same
priority.

If none of the distribution points with a given priority has the content, the pull-
distribution point tries to download the content from a source distribution point
with the next priority level. It continues this search until the content is located.

If none of the assigned source distribution points have the content, the pull-
distribution point waits for 30 minutes, and then starts the process again.
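The source-priority walk described above, as an added Python simulation that is not part of the Configuration Manager documentation or product code. The source DP names, priorities and content IDs are constructed; the function returns which source would be used and every attempt made, and a second function applies the 30-minute retry cycle across successive snapshots of what the sources hold.

```python
"""Simulate how a pull-distribution point walks its source distribution points
by priority. Added example, not Configuration Manager code; the DP names and
content IDs below are constructed."""
import random
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: source DP name -> priority (a lower value is tried first)
SOURCE_PRIORITIES: Dict[str, int] = {
    "DP-HQ-01": 1,
    "DP-HQ-02": 1,
    "DP-REGION-01": 2,
    "CMG-AZURE-01": 3,  # content-enabled CMG as a source (Azure egress is billed)
}

# Constructed sample: content IDs currently present on each source DP
CONTENT_ON_SOURCE: Dict[str, Set[str]] = {
    "DP-HQ-01": {"ABC00001.1"},
    "DP-HQ-02": {"ABC00001.1", "ABC00002.1"},
    "DP-REGION-01": {"ABC00003.1"},
    "CMG-AZURE-01": {"ABC00002.1", "ABC00003.1"},
}

RETRY_WAIT_MINUTES = 30  # the page: wait 30 minutes, then start the search again


def plan_download(content_id: str,
                  priorities: Dict[str, int] = SOURCE_PRIORITIES,
                  content_map: Dict[str, Set[str]] = CONTENT_ON_SOURCE,
                  seed: Optional[int] = None
                  ) -> Tuple[Optional[str], List[Tuple[str, bool]]]:
    """Return (chosen source or None, list of (source, found) attempts).

    Order of attempts follows the page: lowest priority value first, a random
    pick among sources that share a priority, then the remaining sources of
    that priority, then the next priority level. None means no assigned source
    has the content; the pull-DP then waits RETRY_WAIT_MINUTES and retries.
    """
    rng = random.Random(seed)
    by_priority: Dict[int, List[str]] = {}
    for dp, pri in priorities.items():
        by_priority.setdefault(pri, []).append(dp)

    attempts: List[Tuple[str, bool]] = []
    for pri in sorted(by_priority):
        candidates = sorted(by_priority[pri])
        rng.shuffle(candidates)  # random selection among equal-priority sources
        for dp in candidates:
            found = content_id in content_map.get(dp, set())
            attempts.append((dp, found))
            if found:
                return dp, attempts
    return None, attempts


def simulate_retries(content_id: str,
                     snapshots: List[Dict[str, Set[str]]],
                     priorities: Dict[str, int] = SOURCE_PRIORITIES,
                     seed: int = 0) -> Tuple[Optional[int], Optional[str]]:
    """Run plan_download against successive snapshots of source contents, one
    per 30-minute retry cycle. Returns (minute found, source) or (None, None)
    when the content never appears on any assigned source."""
    for cycle, content_map in enumerate(snapshots):
        chosen, _ = plan_download(content_id, priorities, content_map,
                                  seed=seed + cycle)
        if chosen is not None:
            return cycle * RETRY_WAIT_MINUTES, chosen
    return None, None


if __name__ == "__main__":
    for cid in ("ABC00001.1", "ABC00002.1", "ABC00003.1", "ABC00009.1"):
        chosen, attempts = plan_download(cid, seed=1)
        print(cid, "->", chosen, attempts)
```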

Inside the pull-distribution point

To manage the transfer of content, pull-distribution points use the CCMFramework
component. The Configuration Manager client includes this component.

When you enable the pull-distribution point, the site installs pulldp.msi. This
installer also adds the CCMFramework component. The framework doesn't require
the Configuration Manager client.

After the pull-distribution point is installed, it primarily uses the CCMExec service
to function.

When the pull-distribution point transfers content, it uses the Background
Intelligent Transfer Service (BITS) built into Windows. A pull-distribution point
doesn't require that you install the BITS Extension for IIS Server.

Note

If you install a pull-distribution point on a workstation OS, the client enables
BITS with the default settings. This behavior happens even if the client settings
are set to disable BITS. These default settings may not be optimum for a pull-
distribution point. Review the client settings and group policies for BITS that
you apply to devices that you enable as a pull-distribution point.

For operational details, see the following log files on the pull-distribution point:

DataTransferService.log
PullDP.log

Tip

If you see HTTP 403 errors in the log files after you add a pull-distribution point,
make the following change:

1. On the source distribution point, set the following registry value:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL,
ClientAuthTrustMode = 2 (REG_DWORD)

2. Restart the source distribution point server.

Then the pull-distribution point should start downloading content from the source.
For more information on this registry key, see Overview of TLS - SSL (Schannel
SSP).

See also

Fundamental concepts for content management

The content library in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The content library is a single-instance store of content in Configuration Manager. The
site uses it to reduce the overall size of the combined body of content that you
distribute. The content library stores all content files for software deployments, for
example: software updates, applications, and OS deployments.

The site automatically creates and maintains a copy of the content library on each
site server and each distribution point.

Before Configuration Manager adds content files to the site server or copies the
files to distribution points, it verifies whether each content file is already in the
content library.

If the content file is available, Configuration Manager doesn't copy the file. It
instead associates the existing content file with the application or package.

On distribution point servers, configure the following options:

One or more disk drives on which you want to create the content library.

A priority for each drive that you use.

Configuration Manager copies content files to the drive with the highest priority until
that drive contains less than a minimum amount of free space that you specify.

You configure the drive settings during the distribution point installation.

You can't configure the drive settings in the distribution point properties after the
installation has finished.

For more information about how to configure the drive settings for the distribution
point, see Manage content and content infrastructure.

Note

To move the content library to a different location on a distribution point after the
installation, use the Content Library Transfer tool in the Configuration Manager
tools. For more information, see the Content Library Transfer tool.

About the content library on the CAS
By default, Configuration Manager creates a content library on the central
administration site (CAS) when the site is installed. The content library is placed on the
drive of the site server that has the most free disk space. Because you can't install a
distribution point on the CAS, you can't prioritize the drives for use by the content
library. Similar to the content library on other site servers and on distribution points,
when the drive that contains the content library runs out of available disk space, the
content library automatically spans to the next available drive.

Configuration Manager uses the content library on the CAS in the following scenarios:

You create content on the CAS.

You migrate content from another Configuration Manager site, and assign the CAS
as the site that manages that content.

Note

When you create content at a primary site, and then distribute it to a different
primary site or a secondary site below a different primary site, the CAS temporarily
stores that content in its scheduler inbox. It doesn't add that content to its content
library.

Use the following options to manage the content library on the CAS:

To prevent the content library from being installed on a specific drive, create an
empty file named NO_SMS_ON_DRIVE.SMS. Copy it to the root of the drive before
the content library is created.

After the content library has been created, use the Content Library Transfer tool
from the Configuration Manager tools to manage the location of the content
library. For more information, see the Content Library Transfer tool.

Note

Content-enabled cloud management gateways don't use single-instance storage.
The site encrypts packages before sending to Azure, and each package has a
unique encrypted key. Even if two files were identical, the encrypted versions
wouldn't be the same.

Inside the content library

Warning

The following section is provided for informational purposes only. Don't alter, add,
or remove any files or folders in the content library. Doing so could corrupt
packages, contents, or the content library as a whole. If you suspect any missing,
corrupt, or otherwise invalid data, use the validation feature in the Configuration
Manager console to detect such issues. Then redistribute the affected content to
correct the issues.

By default, the content library is stored on the root of a drive in a folder called
SCCMContentLib. This folder is shared by default as SCCMContentLib$. The folder and
share have restricted permissions to prevent accidental damage. All changes should be
made from the Configuration Manager console. Within this folder are the following
objects:

The package library (PkgLib folder): Information about what packages are present
on the distribution point.

The data library (DataLib folder): Information about the original structure of the
packages.

The file library (FileLib folder): The original files in the package. This folder is
typically what uses the bulk of the storage.

Tip

Use the Content Library Explorer tool from the Configuration Manager tools to
browse the contents of the content library. You can't use this tool to modify the
contents. It provides insight into what's present, as well as allowing validation and
redistribution. For more information, see the Content Library Explorer.

Package library

The package library folder, PkgLib, includes one file for each package distributed to the
distribution point. The file name is the package ID, for example, ABC00001.INI. In this file
under the [Packages] section is a list of content IDs that are part of the package, as well
as other information such as the version. For example, ABC00001 is a legacy package at
version 1. The content ID in this file is ABC00001.1.

Data library

The data library folder, DataLib, includes one file and one folder for each of the contents
in each package. For example, this file and folder are named ABC00001.1.INI and
ABC00001.1, respectively. The file includes information for validation. The folder
recreates the folder structure from the original package.

The files in the data library are replaced by INI files with the name of the original file in
the package. For example, MyFile.exe.INI. These files include information about the
original file, such as the size, time modified, and the hash. Use the first four characters of
the hash to locate the original file in the file library. For example, the hash in
MyFile.exe.INI is DEF98765, and the first four characters are DEF9.

File library
If the content library spans across multiple drives, the package files could be in the file
library folder, FileLib, on any of these drives.

Locate a specific file using the first four characters from the hash found in the data
library. Inside the file library folder are many folders, each with a four-character name.
Find the folder that matches the first four characters from the hash. Once you find this
folder, it includes one or more sets of three files. These files share the same name, but
one has the extension INI, one has the extension SIG, and one has no file extension. The
original file is the one with no extension whose name is equal to the hash from the data
library.

For example, folder DEF9 includes DEF98765.INI, DEF98765.SIG, and DEF98765. DEF98765
is the original MyFile.exe. The INI file includes a list of "users" or content IDs that share
the same file. The site doesn't remove a file unless all of these contents are also
removed.
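The PkgLib to DataLib to FileLib walk described in the package, data and file library sections above, as an added example that is not Microsoft code: Python that lays out a constructed library in a temporary folder, resolves MyFile.exe through its DataLib INI to the single-instance file, and checks the stored copy's size and hash the way content validation would, then shows the check failing on a corrupted copy. The folder layout follows this article; the INI section and key names, the use of SHA-256, the placeholder .SIG contents and the sample package are assumptions.

```python
"""Resolve a file in a package to its single-instance copy in a constructed
SCCMContentLib layout and verify it. Added example, not Microsoft code: the
folder layout follows the article, but INI section and key names are assumed."""
import configparser
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def _ini(path: Path, sections: Dict[str, Dict[str, str]]) -> None:
    """Write a small INI file, keeping key case (content IDs are case-sensitive here)."""
    cp = configparser.ConfigParser()
    cp.optionxform = str
    for name, keys in sections.items():
        cp[name] = keys
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("w") as fh:
        cp.write(fh)


def _read(path: Path) -> configparser.ConfigParser:
    cp = configparser.ConfigParser()
    cp.optionxform = str
    cp.read(path)
    return cp


def build_sample_library(root: Path, payload: bytes = b"constructed MyFile.exe bytes") -> str:
    """Lay out PkgLib/DataLib/FileLib for package ABC00001 (content ABC00001.1)
    holding MyFile.exe, and return the file hash (assumed: SHA-256 hex, upper case)."""
    digest = hashlib.sha256(payload).hexdigest().upper()
    # PkgLib\ABC00001.INI: the content IDs that make up the package (assumed keys)
    _ini(root / "PkgLib" / "ABC00001.INI",
         {"Packages": {"ABC00001.1": ""}, "Package": {"Version": "1"}})
    # DataLib\ABC00001.1\MyFile.exe.INI: metadata standing in for the original file
    _ini(root / "DataLib" / "ABC00001.1" / "MyFile.exe.INI",
         {"File": {"FileName": "MyFile.exe", "Size": str(len(payload)), "Hash": digest}})
    # FileLib\<first 4 hash chars>\<hash>{,.INI,.SIG}: the single-instance copy
    bucket = root / "FileLib" / digest[:4]
    bucket.mkdir(parents=True)
    (bucket / digest).write_bytes(payload)
    _ini(bucket / (digest + ".INI"), {"File": {"Users": "ABC00001.1,ABC00002.1"}})
    (bucket / (digest + ".SIG")).write_bytes(b"constructed signature placeholder")
    return digest


def package_contents(root: Path, package_id: str) -> List[str]:
    """Content IDs listed under [Packages] in PkgLib\<package_id>.INI."""
    cp = _read(root / "PkgLib" / f"{package_id}.INI")
    return list(cp["Packages"].keys())


def resolve_file(root: Path, content_id: str, rel_path: str) -> Tuple[Path, str, int]:
    """Follow DataLib -> FileLib: (single-instance path, expected hash, expected size)."""
    cp = _read(root / "DataLib" / content_id / (rel_path + ".INI"))
    digest = cp["File"]["Hash"]
    size = int(cp["File"]["Size"])
    return root / "FileLib" / digest[:4] / digest, digest, size


def verify_file(root: Path, content_id: str, rel_path: str) -> bool:
    """Recompute size and hash of the stored file and compare with DataLib metadata.
    A mismatch is the kind of issue console content validation reports."""
    path, digest, size = resolve_file(root, content_id, rel_path)
    if not path.is_file() or path.stat().st_size != size:
        return False
    return hashlib.sha256(path.read_bytes()).hexdigest().upper() == digest


def file_users(root: Path, digest: str) -> List[str]:
    """Content IDs that share this file; the site keeps the file while any remain."""
    cp = _read(root / "FileLib" / digest[:4] / (digest + ".INI"))
    return [u for u in cp["File"]["Users"].split(",") if u]


def demo() -> dict:
    """Build the sample library in a temp dir, resolve and verify MyFile.exe,
    then corrupt the stored copy to show validation catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "SCCMContentLib"
        digest = build_sample_library(root)
        path, _, _ = resolve_file(root, "ABC00001.1", "MyFile.exe")
        result = {
            "digest": digest,
            "bucket": path.parent.name,
            "contents": package_contents(root, "ABC00001"),
            "verified": verify_file(root, "ABC00001.1", "MyFile.exe"),
            "users": file_users(root, digest),
        }
        path.write_bytes(b"tampered")  # simulate a corrupt single-instance file
        result["verified_after_tamper"] = verify_file(root, "ABC00001.1", "MyFile.exe")
    return result


if __name__ == "__main__":
    print(demo())
```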

Drive spanning

The content library can be spanned across multiple drives. You choose these drives
when creating the distribution point. By default, Configuration Manager automatically
chooses the drives when spanning the content library.

When you choose the drives, select a primary and secondary drive. The site stores all
metadata on the primary drive. It only spans the file library across to the secondary
drive. The folder's share name for secondary drives includes the drive letter. For
example, if D: and E: are secondary drives for the content library, the share names are
SCCMContentLibD$ and SCCMContentLibE$.

If you chose the Automatic option, Configuration Manager selects the drive with the
most available free space as its primary drive. It stores all of the metadata on this drive.
The site only spans the file library across to secondary drives.

You specify a reserve space amount during configuration. Configuration Manager
attempts to use a secondary disk once the best available disk has only this reserve space
amount left free. Each time a new drive is selected for use, the drive with the most
available free space is selected.

You can't specify that a distribution point should use all drives except for a specific set.
Prevent this behavior by creating an empty file on the root of the drive, called
NO_SMS_ON_DRIVE.SMS. Place this file before Configuration Manager selects the drive for
use. If Configuration Manager detects this file on the root of the drive, it doesn't use the
drive for the content library.
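The drive selection rules above (Automatic selection by most free space or a manual drive priority, the reserve threshold, exclusion by NO_SMS_ON_DRIVE.SMS, and the share naming for secondary drives), as an added Python simulation that is not Configuration Manager code. Drive sizes, file sizes and the priority list are constructed, and the assumption that a file is never split across drives is mine.

```python
"""Simulate which drive each content file lands on when a content library spans
drives. Added example, not Configuration Manager code: drive and file sizes are
constructed (in GB), and a file is assumed never to be split across drives."""
from typing import Dict, List, Optional, Set, Tuple

NO_SMS_MARKER = "NO_SMS_ON_DRIVE.SMS"  # empty file at a drive root excludes the drive


class ContentLibraryDrives:
    def __init__(self, free_gb: Dict[str, int], reserve_gb: int,
                 marker_on: Optional[Set[str]] = None,
                 priority: Optional[List[str]] = None):
        """free_gb: drive -> free space; marker_on: drives whose root holds
        NO_SMS_ON_DRIVE.SMS; priority: manual drive order (None = Automatic)."""
        self.free = dict(free_gb)
        self.reserve = reserve_gb
        self.marker_on = set(marker_on or ())
        self.priority = list(priority or [])
        self.in_use: List[str] = []
        # The first drive selected is the primary drive: it holds all metadata
        # (PkgLib, DataLib); only the file library spans to secondary drives.
        self.primary = self._select_next_drive()

    def _select_next_drive(self) -> str:
        """Pick a drive not yet in use and not marked with NO_SMS_ON_DRIVE.SMS:
        the next one in the manual priority list, or with the Automatic option
        the drive with the most available free space."""
        eligible = [d for d in self.free
                    if d not in self.in_use and d not in self.marker_on]
        if not eligible:
            raise RuntimeError("no eligible drive left for the content library")
        if self.priority:
            ordered = [d for d in self.priority if d in eligible]
            if not ordered:
                raise RuntimeError("no prioritized drive left for the content library")
            chosen = ordered[0]
        else:
            chosen = max(eligible, key=lambda d: self.free[d])
        self.in_use.append(chosen)
        return chosen

    def place(self, file_gb: int) -> str:
        """Return the drive the next file is written to. The current drive keeps
        receiving files while more than the reserve is free; once only the
        reserve is left, the next drive is selected and becomes a secondary."""
        current = self.in_use[-1]
        if self.free[current] <= self.reserve:
            current = self._select_next_drive()
        if self.free[current] < file_gb:  # assumption: no splitting across drives
            raise RuntimeError(f"disk full: {file_gb} GB does not fit on {current}")
        self.free[current] -= file_gb
        return current

    def place_all(self, files_gb: List[int]) -> List[Tuple[int, str]]:
        return [(size, self.place(size)) for size in files_gb]

    def share_names(self) -> Dict[str, str]:
        """The primary drive is shared as SCCMContentLib$; each secondary drive's
        share name embeds its drive letter, for example SCCMContentLibE$."""
        return {d: "SCCMContentLib$" if d == self.primary else f"SCCMContentLib{d[0]}$"
                for d in self.in_use}


if __name__ == "__main__":
    # Constructed: C: is excluded by the marker file, D: has the most free space.
    lib = ContentLibraryDrives({"C:": 50, "D:": 200, "E:": 120},
                               reserve_gb=50, marker_on={"C:"})
    print(lib.place_all([100, 60, 30]))  # constructed package sizes in GB
    print(lib.share_names())
```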

Troubleshoot
The following tips may help you troubleshoot issues with the content library:

Review the logs on the site server (distmgr.log and PkgXferMgr.log) and the
distribution point (smsdpprov.log) for any pointers to the failures.

Use the Content Library Explorer tool.

Check for file locks by other processes, such as antivirus software. Exclude the
content library on all drives from automatic antivirus scans, as well as the
temporary staging directory, SMS_DP$, on each drive.

To see if there are any hash mismatches, validate the package from the
Configuration Manager console.

As a last option, redistribute the content. This action should resolve most issues.

For more in-depth information, see Understand and troubleshoot content distribution.

Next steps
Configure a remote content library for the site server

Flowchart - Manage content library

Configure a remote content library for the site server
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To configure site server high availability or to free up hard drive space on your central
administration or primary site servers, relocate the content library to another storage
location. Move the content library to another drive on the site server, a separate server,
or fault-tolerant disks in a storage area network (SAN). A SAN is recommended, because
it's highly available, and provides elastic storage that grows or shrinks over time to meet
your changing content requirements. For more information, see High availability
options.

A remote content library is a prerequisite for site server high availability.

This action only moves the content library on the site server. It doesn't impact the
location of the content library on distribution points.

Tip

Also plan for managing package source content, which is external to the content
library. Every software object in Configuration Manager has a package source on a
network share. Consider centralizing all sources to a single share, but make sure
this location is redundant and highly available.

If you move the content library to the same storage volume as your package
sources, you can't mark this volume for data deduplication. While the content
library supports data deduplication, the package sources volume doesn't support it.
For more information, see Data deduplication.

Prerequisites
The site server computer account needs Full control permissions to the network
path to which you're moving the content library. This permission applies to both
the share and the file system. No components are installed on the remote system.

The site server can't have the distribution point role. The distribution point also
uses the content library, and this role doesn't support a remote content library.
After moving the content library, you can't add the distribution point role to the
site server.

Note

The Manage Content Library option isn't available if the distribution point
role exists on the site server. To enable the option, remove the distribution
point role from the site server.

The remote system for the content library needs to be in a trusted domain.

Important

Don't reuse a shared network location between multiple sites. For example, don't
use the same path for both a central administration site and a child primary site.
This configuration has the potential to corrupt the content library, and require you
to rebuild it.

Manage the content library

1. Create a folder in a network share as the target for the content library. For
example, \\server\share\folder.

Warning

Don't reuse an existing folder with content. For example, don't use the same
folder as your package sources. Before copying the content library,
Configuration Manager removes any existing content from the location you
specify.

2. In the Configuration Manager console, switch to the Administration workspace.
Expand Site Configuration, select the Sites node, and select the site. On the
Summary tab at the bottom of the details pane, notice a new column for the
Content Library.

3. Select Manage Content Library on the ribbon.

4. In the Manage Content Library window, the Current Location field shows the local
drive and path. Enter a valid network path for the New Location. This path is the
location to which the site moves the content library. It must include a folder name
that already exists on the share, for example, \\server\share\folder . Select OK.

5. Note the Status value in the Content Library column on the Summary tab of the
details pane. It updates to show the site's progress in moving the content library.

While In progress, the Move Progress (%) value displays the percentage
complete.

Note

If you have a large content library, you may see 0% progress in the
console for a while. For example, with a 1 TB library, it has to copy 10 GB
before it shows 1%. Review distmgr.log, which shows the number of files
and bytes copied. The log file also shows an estimated time remaining.

If there's an error state, the status displays the error. Common errors include
access denied or disk full.

When the move is complete, the status displays Complete.

See the distmgr.log for details. For more information, see Site server and site
system server logs.

Note

Starting in version 2010, you can enable verbose logging to troubleshoot the
content library move process. Set the following registry key on the site server:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP, LibraryMoveVerboseLog = 1
(REG_DWORD).

For more information on this process, see Flowchart - Manage content library.

The site actually copies the content library files to the remote location. This process
doesn't delete the content library files at the original location on the site server. To free
up space, an administrator must manually delete these original files.

If the original content library spans two drives, it's merged into a single folder at the
new destination.

During the copy process, the Despooler and Distribution Manager components don't
process new packages. This behavior makes sure that content isn't added to the library
while it's moving. Regardless, schedule this change during a system maintenance window.

If you need to move the content library back to the site server, repeat this process, but
enter a local drive and path for the New Location. It must include a folder name that
already exists on the drive, for example, D:\SCCMContentLib. When the original content
still exists, the process quickly moves the configuration to the location local to the site
server.

Tip

To move the content to another drive on the site server, use the Content Library
Transfer tool. For more information, see the Content Library Transfer tool.

Support untrusted domains

If your environment has distribution points in untrusted domains, you need to make
other configuration changes.

1. On the computer that will host the distribution point role in the untrusted domain:

a. Create a local user account.

b. When you add the distribution point role to this computer, use this local
account as the site system installation account. For example,
COMPUTER.UNTRUSTEDDOMAIN\LocalAccount.

2. On the server that hosts the remote content library for the site, create a local user
account. This account should have the same name and password as the account in
the first step.

When the distribution manager component distributes content to the server in the
untrusted domain, it will use the local user account. During content distribution, this
component gets the files from the content library server in the context of the
distribution point's local account. Since this same account exists on the content library
server, distribution manager can authenticate to read the content files and copy to the
remote distribution point.

Next steps
Flowchart - Manage content library

Flowchart - Manage content library
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This flowchart diagram shows the process by which the site moves the content library to
a remote location. For more information, see the following articles:

The content library
Site server high availability

Content library cleanup tool
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the content library cleanup command-line tool to remove content that's no longer
associated with an object on a distribution point. This type of content is called orphaned
content. This tool replaces older versions of similar tools released for past Configuration
Manager products.

The tool only affects the content on the distribution point that you specify when you run
the tool. The tool can't remove content from the content library on the site server.

If you remove content from a distribution point while the site system is offline, an
orphaned record can exist in WMI. Over time, this behavior can eventually lead to a
warning status on the distribution point. To mitigate the issue in version 2006 and
earlier, you had to manually remove the orphaned entries from WMI. Making a mistake
during this process could cause more severe issues with the server. Starting in version
2010, the tool can also remove orphaned content records from the WMI provider on a
distribution point.

Find ContentLibraryCleanup.exe in CD.Latest\SMSSETUP\TOOLS\ContentLibraryCleanup
on the site server. For more information on this location, see The CD.Latest folder.

Requirements
Only run the tool against a single distribution point at a time.

Run it directly on the server that hosts the distribution point to clean up, or
remotely from another computer.

The tool doesn't support removing content from the site server, which has a single
content library. When the site server also has the distribution point role, if a
package isn't targeted to the server, the package is still in the single content
library.

The tool doesn't support a content-enabled cloud management gateway.

The user account that runs the tool must have the same permissions as the Full
Administrator security role in Configuration Manager.
Modes of operation
Run the tool in the following two modes: What-if and Delete.

Tip

Start with the what-if mode. When you're satisfied with the results, then run the
tool in delete mode.

What-if mode
If you don't specify the /delete parameter, the tool runs in what-if mode. This mode
identifies the content that would be deleted from the distribution point.

When run in this mode, the tool doesn't delete any data.

The tool writes to the log file information about the content that it would delete.
You're not prompted to confirm each potential deletion.

Delete mode
When you run the tool with the /delete parameter, the tool runs in delete mode.

When run in this mode, orphaned content that it finds on the specified distribution
point can be deleted from the distribution point's content library.

Starting in version 2010, it can also remove orphaned content records from the
WMI provider on the distribution point.

The tool prompts you to confirm before it deletes each file. Select Y for yes, N
for no, or Yes to all to skip further prompts and delete all orphaned content.

Log file
When the tool runs in either mode, it automatically creates a log file. It names the file
with the following information:

The mode the tool runs in
The name of the distribution point
The date and time of operation

When the tool finishes, it automatically opens the log file in Windows.
By default, the tool writes the log file to the temp folder of the user account that runs
the tool. This location is on the computer where you run the tool, which isn't always the
target of the tool. Use the /log parameter to redirect the log file to another location,
including a network share.

Run the tool

To run the tool:

1. Open a command prompt as an administrator. Change directory to the folder that
contains ContentLibraryCleanup.exe.

2. Enter a command line that includes the required command-line parameters, and
any optional parameters you want to use.

Command-line parameters
Use these command-line parameters in any order.

Required parameters

/dp <distribution point FQDN>
    Specify the fully qualified domain name (FQDN) of the distribution point to clean.

/ps <primary site FQDN>
    Required only when cleaning content from a distribution point at a secondary
    site. The tool connects to the parent primary site to run queries against the SMS
    Provider. These queries let the tool determine what content should be on the
    distribution point. It can then identify the orphaned content to remove. This
    connection to the parent primary site must be made for distribution points at a
    secondary site because the required details aren't available directly from the
    secondary site.

/sc <primary site code>
    Required only when cleaning content from a distribution point at a secondary
    site. Specify the site code of the parent primary site.

Example: Scan and log what content it would delete (what-if)

ContentLibraryCleanup.exe /dp server1.contoso.com

Example: Scan and log content for a DP at a secondary site

ContentLibraryCleanup.exe /dp server1.contoso.com /ps siteserver1.contoso.com /sc ABC

Optional parameters

/delete
    Use this parameter when you're ready to delete content from the distribution point.
    It prompts you before it deletes content.

    When you don't use this parameter, the tool logs results about what content it
    would delete. Without this parameter, it doesn't actually delete any content from
    the distribution point.

/q
    This parameter runs the tool in a quiet mode that suppresses all prompts. These
    prompts include when it deletes content. It also doesn't automatically open the log
    file.

/ps <primary site FQDN>
    Optional only when cleaning content from a distribution point at a primary site.
    Specify the FQDN of the primary site that the distribution point belongs to.

/sc <primary site code>
    Optional only when cleaning content from a distribution point at a primary site.
    Specify the site code of the primary site that the distribution point belongs to.

/log <log file directory>
    Specify the location where the tool writes the log file. This location can be a local
    drive or a network share.

    When you don't use this parameter, the tool places the log file in the user's temp
    directory on the computer where the tool runs.

Example: Delete content

ContentLibraryCleanup.exe /dp server1.contoso.com /delete

Example: Delete content without prompts

ContentLibraryCleanup.exe /q /dp server1.contoso.com /delete

Example: Log to local drive

ContentLibraryCleanup.exe /dp server1.contoso.com /log C:\Users\Administrator\Desktop

Example: Log to network share

ContentLibraryCleanup.exe /dp server1.contoso.com /log \\server\share

Known issue
In version 2103 and earlier, when any package or deployment has failed, or is in
progress, the tool might return the following error:

System.InvalidOperationException: This content library cannot be cleaned up right
now because package <packageID> is not fully installed.

To work around this issue, update the site to version 2107. Starting in that version, when
the tool can't reliably identify orphaned files, it displays a warning and continues.

Peer cache for Configuration Manager clients
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use peer cache to help manage deployment of content to clients in remote locations.
Peer cache is a built-in Configuration Manager solution that enables clients to share
content with other clients directly from their local cache.

Overview
Definitions:

Peer cache client: Any Configuration Manager client that downloads content from
a peer.

Peer cache source: A Configuration Manager client that you enable for peer cache,
and that has content to share with other clients.

Use client settings to enable clients to be peer cache sources. You don't need to enable
peer cache clients. When you enable clients as peer cache sources, the management
point includes them in the list of content location sources. For more information on this
process, see Operations.

A peer cache source must be a member of the current boundary group of the peer
cache client. The management point doesn't include peer cache sources from a
neighbor boundary group in the list of content sources it provides the client. It only
includes distribution points from a neighbor boundary group. For more information
about current and neighbor boundary groups, see Boundary groups.

The Configuration Manager client uses peer cache to serve to other clients every type of
content in the cache. This content includes:

Microsoft 365 Apps for enterprise files
Express installation files

Peer cache doesn't replace the use of other solutions like Windows BranchCache or
Delivery Optimization. Peer cache works along with other solutions. These technologies
give you more options for extending traditional content deployment solutions such as
distribution points. Peer cache is a custom solution with no reliance on BranchCache. If
you don't enable or use BranchCache, peer cache still works.

Note

Windows BranchCache is always enabled on deployments. If the distribution point
supports it, and it's enabled in client settings, clients use BranchCache. For more
information, see Configure BranchCache.

Operations
To enable peer cache, deploy the client settings to a collection. Then members of that
collection act as a peer cache source for other clients in the same boundary group.

A client that operates as a peer content source submits a list of available cached
content to its management point using state messages. A peer content source
client also sends a state message to the management point when it removes
content from its local cache.

Note

For the list of applicable peer content source state messages, see State
messages in Configuration Manager. Specifically those with state message
IDs of 7200, 7201, 7202, and 7203.

Another client in the same boundary group makes a content location request to
the management point. The server returns the list of potential content sources.
This list includes each peer cache source that has the content and is online. It also
includes the distribution points and other content source locations in that
boundary group. For more information, see Content source priority.

As usual, the client that's seeking the content selects one source from the provided
list. The client then attempts to get the content.

Boundary groups include settings to give you more control over content distribution in
your environment. For more information, see Boundary group options for peer
downloads.

Note

If the client falls back to a neighbor boundary group for content, the management
point doesn't add the peer cache sources from the neighbor boundary group to
the list of potential content source locations.

Choose only clients best suited as peer cache sources. Evaluate client suitability based
on attributes such as chassis type, disk space, and network connectivity. For more
information that can help you select the best clients to use for peer cache, see this blog
by a Microsoft consultant.

Note

By default, if the first 25 peer cache sources are offline or unreachable, a peer cache
client may fail to download the content. You can configure this setting with the site
definition properties SuperPeerLocationCount and SuperPeerLocationCountMax. Their
default values are 25 and 50. For more information, see How to read and write to
the site control file by using WMI.

You can also reduce these values, for example, 5 and 10. This configuration causes
the client to more quickly fall back to other content locations. For more
information, see Content source priority.
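To inspect these two site definition properties, and to preview a change to them before applying it, here is an added example that is not part of Microsoft's documentation or product. It assumes Windows PowerShell 5.1 (Get-WmiObject), an account with rights on the SMS Provider, and that the site code and provider server name are placeholders you replace with your own.

```powershell
# Added example, not from the Configuration Manager documentation or product.
# Reads and (optionally) writes the SuperPeerLocationCount and
# SuperPeerLocationCountMax properties of the site definition through the
# SMS Provider. Assumes Windows PowerShell 5.1 (Get-WmiObject is not available
# in PowerShell 7) and an account with rights on the SMS Provider.

function Get-SiteDefinition {
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        [string]$ProviderServer = 'localhost'   # assumption: SMS Provider host
    )
    # SMS_SCI_SiteDefinition is the site definition section of the site control file.
    Get-WmiObject -ComputerName $ProviderServer `
        -Namespace "root\SMS\site_$SiteCode" `
        -Class SMS_SCI_SiteDefinition `
        -Filter "SiteCode='$SiteCode'"
}

function Get-SuperPeerLocationSettings {
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        [string]$ProviderServer = 'localhost'
    )
    $sd = Get-SiteDefinition -SiteCode $SiteCode -ProviderServer $ProviderServer
    $result = [ordered]@{ SiteCode = $SiteCode }
    # Props is an array of SMS_EmbeddedProperty objects (PropertyName / Value).
    foreach ($p in $sd.Props) {
        if ($p.PropertyName -in 'SuperPeerLocationCount', 'SuperPeerLocationCountMax') {
            $result[$p.PropertyName] = [int]$p.Value
        }
    }
    [pscustomobject]$result
}

function Set-SuperPeerLocationSettings {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        [string]$ProviderServer = 'localhost',
        # Upper bound of 1000 is an assumption, not a documented limit.
        [Parameter(Mandatory)][ValidateRange(1, 1000)][int]$Count,
        [Parameter(Mandatory)][ValidateRange(1, 1000)][int]$CountMax
    )
    $sd = Get-SiteDefinition -SiteCode $SiteCode -ProviderServer $ProviderServer
    # Take the embedded property array, edit the two values, then write it back.
    $props = $sd.Props
    foreach ($p in $props) {
        switch ($p.PropertyName) {
            'SuperPeerLocationCount'    { $p.Value = $Count }
            'SuperPeerLocationCountMax' { $p.Value = $CountMax }
        }
    }
    $target = "site $SiteCode on $ProviderServer"
    $action = "set SuperPeerLocationCount=$Count, SuperPeerLocationCountMax=$CountMax"
    if ($PSCmdlet.ShouldProcess($target, $action)) {
        $sd.Props = $props
        [void]$sd.Put()   # commits the change to the site control file
    }
}

# Usage (site code 'PS1' is a placeholder): show the current values, then preview
# the lower values the article mentions (5 and 10) without applying them.
Get-SuperPeerLocationSettings -SiteCode 'PS1'
Set-SuperPeerLocationSettings -SiteCode 'PS1' -Count 5 -CountMax 10 -WhatIf
```

Drop -WhatIf only after the preview shows the intended site; the write goes straight into the site control file.
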

Limited access to a peer cache source

A peer cache source rejects requests for content when it meets any of the following
conditions at the time a peer requests content:

Low battery mode

Processor load exceeds 80%

Disk I/O has an AvgDiskQueueLength that exceeds 10

There are no more available connections to the computer

Tip

Configure these settings using the client configuration server WMI class for the
peer source feature (SMS_WinPEPeerCacheConfig) in the Configuration Manager SDK.

When the peer cache source rejects a request for the content, the peer cache client
continues to seek content from its list of content source locations.
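To see which of these rejection conditions a candidate peer cache source currently meets, here is an added example (not Microsoft's code) that samples the relevant Windows performance counters and battery state on the client itself, using the thresholds above. It assumes the counter and Win32_Battery names shown, treats "low battery" as discharging below 20% (an assumption), and does not evaluate the connection-limit condition, which isn't observable from counters.

```powershell
# Added example, not from the Configuration Manager documentation or product.
# Reports which documented peer cache source rejection conditions this client
# meets right now: CPU load above 80%, AvgDiskQueueLength above 10, low battery.
# "No more available connections" is not observable from counters and is skipped.
# Run it on the peer cache source itself (Windows, local administrator rights).

function Test-PeerCacheSourceLoad {
    [CmdletBinding()]
    param(
        [int]$MaxCpuPercent = 80,          # documented threshold
        [double]$MaxDiskQueueLength = 10,  # documented threshold
        [int]$LowBatteryPercent = 20,      # assumption: what counts as "low battery"
        [int]$Samples = 3                  # averaging window, one sample per second
    )

    # Sample both counters a few times and average, so a single spike isn't reported.
    $counters = Get-Counter -Counter @(
        '\Processor(_Total)\% Processor Time',
        '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    ) -SampleInterval 1 -MaxSamples $Samples

    $cpu = ($counters.CounterSamples |
        Where-Object Path -like '*% Processor Time*' |
        Measure-Object CookedValue -Average).Average
    $disk = ($counters.CounterSamples |
        Where-Object Path -like '*Avg. Disk Queue Length*' |
        Measure-Object CookedValue -Average).Average

    # Desktops have no Win32_Battery instance; BatteryStatus 1 means discharging.
    $battery = Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $lowBattery = $false
    if ($battery) {
        $lowBattery = ($battery.BatteryStatus -eq 1) -and
                      ($battery.EstimatedChargeRemaining -lt $LowBatteryPercent)
    }

    # Reason names match the rejection types shown in the peer cache reports.
    $reasons = @()
    if ($cpu -gt $MaxCpuPercent)       { $reasons += "MaxCPULoad ($([math]::Round($cpu, 1))%)" }
    if ($disk -gt $MaxDiskQueueLength) { $reasons += "MaxDiskIO (queue $([math]::Round($disk, 2)))" }
    if ($lowBattery)                   { $reasons += 'LowBattery' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        CpuPercent       = [math]::Round($cpu, 1)
        DiskQueueLength  = [math]::Round($disk, 2)
        LowBattery       = $lowBattery
        WouldRejectPeers = ($reasons.Count -gt 0)
        Reasons          = ($reasons -join '; ')
    }
}

Test-PeerCacheSourceLoad
```

A client that reports WouldRejectPeers most of the day is a poor peer cache source candidate regardless of its disk space.
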
Requirements
Peer cache supports all Windows versions listed as supported in Supported
operating systems for clients and devices. Non-Windows operating systems aren't
supported as peer cache sources or peer cache clients.

A peer cache source must be a domain-joined Configuration Manager client.
However, a client that's not domain-joined can get content from a domain-joined
peer cache source.

Clients can only download content from peer cache sources in their current
boundary group.

Note

Configuration Manager determines if a peer cache source has roamed to
another location. This behavior makes sure the management point offers it as
a content source to clients in the new location and not the old location.

A network access account isn't required with the following exception:

Configure a network access account in the site when a peer cache-enabled
client runs a task sequence from Software Center, and it reboots to a boot
image. When the device is in Windows PE, it uses the network access account to
get content from the peer cache source.

When required, the peer cache source uses the network access account to
authenticate download requests from peers. This account requires only domain
user permissions for this purpose.

Before attempting to download content, the management point first validates that
the peer cache source is online. This validation happens via the "fast channel" for
client notification, which uses TCP port 10123.

Note

To take advantage of new Configuration Manager features, first update clients to
the latest version. While new functionality appears in the Configuration Manager
console when you update the site and console, the complete scenario isn't
functional until the client version is also the latest.

Client settings
For more information about the peer cache client settings, see Client cache settings.

For more information on configuring these settings, see How to configure client
settings.

On peer cache-enabled clients that use the Windows Firewall, Configuration Manager
configures the firewall ports that you specify in client settings.

Partial download support

Client peer cache sources can divide content into parts. These parts minimize the
network transfer to reduce WAN usage. The management point provides more detailed
tracking of the content parts. It tries to eliminate more than one download of the same
content per boundary group.

Example scenario
Contoso has a single primary site with two boundary groups: Headquarters (HQ) and
Branch Office. There's a 30-minute fallback relationship between the boundary groups.
The management point and distribution point for the site are only in the HQ boundary
group. The branch office location has no local distribution point. Two of the four clients
at the branch office are configured as peer cache sources.

1. You target a deployment with content to all four clients in the branch office. You
only distributed the content to the distribution point.

2. Client3 and Client4 don't have a local source for the deployment. The management
point instructs the clients to wait 30 minutes before falling back to the remote
boundary group.

3. Client1 (PCS1) is the first peer cache source to refresh policy with the management
point. Because this client is enabled as a peer cache source, the management point
instructs it to immediately start downloading part A from the distribution point.

4. When Client2 (PCS2) contacts the management point, as part A is already in
progress but not yet complete, the management point instructs it to immediately
start downloading part B from the distribution point.

5. PCS1 finishes downloading part A, and immediately notifies the management
point. As part B is already in progress but not yet complete, the management point
instructs it to start downloading part C from the distribution point.

6. PCS2 finishes downloading part B, and immediately notifies the management
point. The management point instructs it to start downloading part D from the
distribution point.

7. PCS1 finishes downloading part C, and immediately notifies the management
point. The management point informs it that there are no more parts available
from the remote distribution point. The management point instructs it to
download part B from its local peer, PCS2.

8. This process continues until both client peer cache sources have all of the parts
from each other. The management point prioritizes parts from the remote
distribution point before instructing the peer cache sources to download parts
from local peers.

9. Client3 is the first to refresh policy after the 30-minute fallback period expires. It
now checks back with the management point, which informs the client of new local
sources. Instead of downloading the content in full from the distribution point
across the WAN, it downloads the content in full from one of the client peer cache
sources. Clients prioritize local peer sources.

Note

If the number of client peer cache sources is greater than the number of content
parts, then the management point instructs the additional peer cache sources to
wait for fallback like a normal client.

Configure partial download

1. Set up boundary groups and peer cache sources per normal.

2. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select Sites. Select Hierarchy Settings in the
ribbon.

3. On the General tab, enable the option to Configure client peer cache sources to
divide content into parts.

4. Create a required deployment with content.

Note

This functionality only works when the client downloads content in the
background, such as with a required deployment. On-demand downloads,
such as when the user installs an available deployment in Software Center,
behave as usual.

To see the peer cache sources handling the download of content in parts, examine the
ContentTransferManager.log on the client peer cache source and the MP_Location.log
on the management point.

Guidance for cache management

Peer cache relies on the Configuration Manager client cache to share content. Consider
the following points for managing the client cache in your environment:

The Configuration Manager client cache isn't like the content library on a
distribution point. While you manage the content that you distribute to a
distribution point, the Configuration Manager client automatically manages the
content in its cache. There are settings and methods to help control what content
is in the cache of a peer cache source. For more information, see Configure the
client cache.

Size and maintenance of the cache applies to peer cache sources. For more
information, see Configure client cache size. Consider the size of larger content
such as OS upgrade packages or Windows express update files. Compare your
need for this content against the available disk space on peer cache sources.

The peer cache source client updates the last referenced time of content in the
cache when a peer downloads it. The client uses this timestamp when it
automatically maintains its cache, removing older content first. So it should wait to
remove content that peer cache clients more frequently download, if at all.

If necessary, during an OS deployment task sequence, use the
SMSTSPreserveContent variable to keep content in the client cache. For more
information, see Task sequence variables.

If necessary, when creating the following software, use the option to Persist
content in the client cache:
Applications
Packages
OS images
OS upgrade packages
Boot images

Monitoring
To help you understand the use of peer cache, view the Client Data Sources dashboard.
For more information, see Client data sources dashboard.
Also use reports to view peer cache use. In the console, go to the Monitoring
workspace, expand Reporting, and select the Reports node. The following reports all
have a type of Software Distribution Content:

Peer cache source content rejection: How often the peer cache sources in a
boundary group reject a content request.

Note

Known issue: When drilling down on results like MaxCPULoad or MaxDiskIO,
you might receive an error that suggests the report or details can't be found.
To work around this issue, use the other two reports that directly show the
results.

Peer cache source content rejection by condition: Shows rejection details for a
specified boundary group or rejection type.

Note

Known issue: You can't select from available parameters and instead must
enter them manually. Enter the values for Boundary Group Name and
Rejection Type as seen in the Peer cache source content rejection report. For
example, for Rejection Type you might enter MaxCPULoad or MaxDiskIO.

Peer cache source content rejection details: Show the content that the client was
requesting when rejected.

Note

Known issue: You can't select from available parameters and instead must
enter them manually. Enter the value for Rejection Type as displayed in the
Peer cache source content rejection report. Then enter the Resource ID for
the content source about which you want more information.

To find the Resource ID of the content source:

1. Find the computer name that displays as the Peer cache source in the
results of the Peer cache source content rejection by condition report.

2. Go to the Assets and Compliance workspace, select the Devices node,
and search for that computer's name. Use the value from the Resource
ID column.

Next steps
Microsoft Connected Cache in Configuration Manager

Support for Windows BranchCache

Peer caching technologies

Package Transfer Manager in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

In a Configuration Manager site, the Package Transfer Manager is a component of the
SMS_Executive service that manages the transfer of content from a site server computer
to remote distribution points in a site. (A remote distribution point is one that is not
located on the site server computer.) The Package Transfer Manager has no settings for
the administrator to configure, but understanding how it operates can help you plan
your content management infrastructure. It can also help you resolve problems with
content distribution.

When you distribute content to one or more remote distribution points at a site, the
Distribution Manager creates a content transfer job. It then notifies the Package
Transfer Manager on primary and secondary site servers to transfer the content to the
remote distribution points.

Package Transfer Manager logs its actions in the pkgxfermgr.log file on the site server.
The log file is the only location where you can view the activities of the Package Transfer
Manager.

Note

In previous versions of Configuration Manager, the Distribution Manager manages
the transfer of content to a remote distribution point. Distribution Manager also
manages the transfer of content between sites. In the current version of Configuration
Manager, Distribution Manager continues to manage the transfer of content between
two sites. However, the Package Transfer Manager now manages the transfer of content
to large numbers of distribution points. This division of work helps to increase the
overall performance of content deployment both between sites and to distribution
points within a site.

To transfer content to a standard distribution point, Package Transfer Manager operates
the same as the Distribution Manager operates in previous versions of Configuration
Manager. That is, it actively manages the transfer of files to each remote distribution
point. However, to distribute content to a pull-distribution point, the Package Transfer
Manager notifies the pull-distribution point that content is available. The pull-
distribution point then takes over the transfer process.

The following information describes how Package Transfer Manager manages the
transfer of content to standard distribution points, and to distribution points configured
as pull-distribution points:

1. Admin deploys content to one or more distribution points at a site.

Standard distribution point: Distribution Manager creates a content transfer
job for that content.

Pull-distribution point: Distribution Manager creates a content transfer job
for that content.

2. Distribution Manager runs preliminary checks.

Standard distribution point: Distribution Manager runs a basic check to
confirm that each distribution point is ready to receive the content. After this
check, Distribution Manager notifies Package Transfer Manager to start the
transfer of content to the distribution point.

Pull-distribution point: Distribution Manager starts Package Transfer
Manager, which then notifies the pull-distribution point that there is a new
content transfer job. Distribution Manager does not check on the status of
remote distribution points that are pull-distribution points, because each
pull-distribution point manages its own content transfers.

3. Package Transfer Manager prepares to transfer content.

Standard distribution point: Package Transfer Manager examines the single
instance content store of each specified remote distribution point. The
purpose of this is to identify any files that are already on that distribution
point. Then, Package Transfer Manager queues up for transfer only those files
that are not already present.

Note

To copy each file in the distribution to the distribution point, even if the
files are already present in the single instance store of the distribution
point, use the Redistribute action for content.

Pull-distribution point: For each pull-distribution point in the distribution,
Package Transfer Manager checks the pull-distribution point's source
distribution points, to confirm if the content is available.

When the content is available on at least one source distribution point,
Package Transfer Manager sends a notification to that pull-distribution
point. The notification directs that distribution point to begin the process
of transferring content. The notification includes file names and sizes,
attributes, and hash values.

When the content is not yet available, Package Transfer Manager does not
send a notification to the distribution point. Instead, it repeats the check
every 20 minutes until the content is available. Then, when the content is
available, Package Transfer Manager sends the notification to that pull-
distribution point.

Note

For the pull-distribution point to copy each file in the distribution to the
distribution point, even if the files are already present in the single
instance store of the pull-distribution point, use the Redistribute action
for content.

4. Content begins to transfer.

Standard distribution point: Package Transfer Manager copies files to each
remote distribution point. During the transfer to a standard distribution point:

By default, Package Transfer Manager can simultaneously process three
unique packages, and distribute them to five distribution points in parallel.
Collectively, these are called Concurrent distribution settings. To set up
concurrent distribution, in the Software Distribution Component
Properties for each site, go to the General tab.

Package Transfer Manager uses the scheduling and network bandwidth
configurations of each distribution point when transferring content to that
distribution point. To configure these settings, in the Properties of each
remote distribution point, go to the Schedule and Rate Limits tabs. For
more information, see Manage content and content infrastructure for
Configuration Manager.

Pull-distribution point: When a pull-distribution point receives a notification
file, the distribution point begins the process to transfer the content. The
transfer process runs independently on each pull-distribution point:

a. The pull-distribution point identifies the files in the content distribution that it
does not already have in its single instance store, and prepares to
download that content from one of its source distribution points.

b. Next, the pull-distribution point checks with each of its source distribution
points, in order, until it locates a source distribution point that has the
content available. When the pull-distribution point identifies a source
distribution point with the content, it begins the download of that content.

Note

The process to download content by the pull-distribution point is the
same as that used by Configuration Manager clients. For the transfer of
content by the pull-distribution point, concurrent transfer settings aren't
used. Scheduling and throttling options that you configure for standard
distribution points aren't used either.

5. Content transfer completes.

Standard distribution point: After the Package Transfer Manager is done
transferring files to each designated remote distribution point, it verifies the
hash of the content on the distribution point. Then it notifies Distribution
Manager that the distribution is complete.

Pull-distribution point: After the pull-distribution point completes the
content download, the distribution point verifies the hash of the content.
Then it submits a status message to the site management point to indicate
success. If, after 60 minutes, this status is not received, the Package Transfer
Manager wakes up again. It checks with the pull-distribution point to confirm
whether the pull-distribution point has downloaded the content. If the
content download is in progress, the Package Transfer Manager sleeps for
another 60 minutes before it checks with the pull-distribution point again.
This cycle continues until the pull-distribution point completes the content
transfer.

Manage network bandwidth for content
Article • 10/04/2022

To help you manage network bandwidth that is used for the content management
process of Configuration Manager, you can use built-in controls for scheduling and
throttling. You can also use prestaged content. The following sections describe these
options in more detail.

Scheduling and throttling

When you create a package, change the source path for the content, or update content
on the distribution point, the files are copied from the source path to the content library
on the site server. Then, the content is copied from the content library on the site server
to the content library on the distribution points. When content source files are updated,
and the source files have already been distributed, Configuration Manager retrieves only
the new or updated files, and then sends them to the distribution point.

You can use scheduling and throttling controls for site-to-site communication, and for
communication between a site server and a remote distribution point. If network
bandwidth is limited even after you set up the scheduling and throttling controls, you
might consider prestaging the content on the distribution point.

In Configuration Manager, you can set up a schedule and specify throttling settings on
remote distribution points that determine when and how content distribution is
performed. Each remote distribution point can have different configurations that help
address network bandwidth limitations from the site server to the remote distribution
point. The controls for scheduling and throttling to the remote distribution point are
similar to the settings for a standard sender address. In this case, the settings are used
by a new component, called Package Transfer Manager.

Package Transfer Manager distributes content from a site server, as a primary site or
secondary site, to a distribution point that is installed on a site system. The throttling
settings are specified on the Rate Limits tab, and the scheduling settings are specified
on the Schedule tab, for a distribution point that is not on a site server. The time
settings are based on the time zone from the sending site, not the distribution point.

Important

The Rate Limits and Schedule tabs are displayed only in the properties for
distribution points that are not installed on a site server.

For more information, see Install and configure distribution points for Configuration
Manager.

Prestaged content
You can prestage content to add the content files to the content library on a site server
or distribution point, before you distribute the content. Because the content files are
already in the content library, they do not transfer over the network when you distribute
the content. You can prestage content files for applications and packages.

In the Configuration Manager console, select the content that you want to prestage, and
then use the Create Prestaged Content File Wizard. This creates a compressed,
prestaged content file that contains the files and associated metadata for the content.
Then, you can manually import the content at a site server or distribution point. Note
the following points:

When you import the prestaged content file on a site server, the content files are
added to the content library on the site server, and then registered in the site
server database.

When you import the prestaged content file on a distribution point, the content
files are added to the content library on the distribution point. A status message is
sent to the site server that informs the site that the content is available on the
distribution point.

You can optionally configure the distribution point as prestaged to help manage
content distribution. Then, when you distribute content, you can choose whether you
want to:

Always prestage the content on the distribution point.

Prestage the initial content for the package, and then use the standard content
distribution process when there are updates to the content.

Always use the standard content distribution process for the content in the
package.

Determine whether to prestage content

Consider prestaging content for applications and packages in the following scenarios:

To address the issue of limited network bandwidth from the site server to a
distribution point. If scheduling and throttling aren't enough to satisfy your
concerns about bandwidth, consider prestaging the content on the distribution
point. Each distribution point has the Enable this distribution point for prestaged
content setting that you can choose in the distribution point properties. When you
enable this option, the distribution point is identified as a prestaged distribution
point, and you can choose how to manage the content on a per-package basis.

The following settings are available in the properties for an application, package,
driver package, boot image, operating system installer, and image. These settings
let you choose how content distribution is managed on remote distribution points
that are identified as prestaged:

Automatically download content when packages are assigned to distribution
points: Use this option when you have smaller packages, and the scheduling
and throttling settings provide enough control for content distribution.

Download only content changes to the distribution point: Use this option
when you expect future updates to the content in the package to be generally
smaller than the initial package. For example, you might prestage an application
like Microsoft 365 Apps, because the initial package size is over 700 MB and is
too large to send over the network. However, content updates to this package
might be less than 10 MB, and are acceptable to distribute over the network.
Another example might be driver packages, where the initial package size is
large, but incremental driver additions to the package might be small.

Manually copy the content in this package to the distribution point: Use this
option when you have large packages, with content such as an operating
system, and you never want to use the network to distribute the content to the
distribution point. When you select this option, you must prestage the content
on the distribution point.

Important

The preceding options are applicable on a per-package basis, and are only
used when a distribution point is identified as prestaged. Distribution points
that have not been identified as prestaged ignore these settings. In this case,
content always is distributed over the network from the site server to the
distribution points.

To restore the content library on a site server. When a site server fails, information
about packages and applications that is contained in the content library is restored
to the site database as part of the restore process, but the content library files are
not restored as part of the process. If you do not have a file system backup to
restore the content library, you can create a prestaged content file from another
site that contains the packages and applications that you have to have. You can
then extract the prestaged content file on the recovered site server. For more
information about site server backup and recovery, see Backup and recovery for
Configuration Manager.

Security and privacy for content
management in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article contains security and privacy information for content management in
Configuration Manager.

Security guidance

Advantages and disadvantages of HTTPS or HTTP for intranet distribution points

For distribution points on the intranet, consider the advantages and disadvantages of
using HTTPS or HTTP. In most scenarios, using HTTP and package access accounts for
authorization provides more security than using HTTPS with encryption but without
authorization. However, if you have sensitive data in your content that you want to
encrypt during transfer, use HTTPS.

When you use HTTPS for a distribution point: Configuration Manager doesn't use
package access accounts to authorize access to the content. The content is
encrypted when it's transferred over the network.

When you use HTTP for a distribution point: You can use package access accounts
for authorization. The content isn't encrypted when it's transferred over the
network.

Consider enabling Enhanced HTTP for the site. This feature allows clients to use Azure
Active Directory (Azure AD) authentication to securely communicate with an HTTP
distribution point. For more information, see Enhanced HTTP.

Important

Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Protect the client authentication certificate file

If you use a PKI client authentication certificate rather than a self-signed certificate for
the distribution point, protect the certificate file (.pfx) with a strong password. If you
store the file on the network, secure the network channel when you import the file into
Configuration Manager.

When you require a password to import the client authentication certificate that the
distribution point uses to communicate with management points, this configuration
helps to protect the certificate from an attacker. To prevent an attacker from tampering
with the certificate file, use server message block (SMB) signing or IPsec between the
network location and the site server.

Remove the distribution point role from the site server

By default, Configuration Manager setup installs a distribution point on the site server.
Clients don't have to communicate directly with the site server. To reduce the attack
surface, assign the distribution point role to other site systems and remove it from the
site server.

Secure content at the package access level

The distribution point share allows read access to all users. To restrict which users can
access the content, use package access accounts when the distribution point is
configured for HTTP. This configuration doesn't apply to content-enabled cloud
management gateways, which don't support package access accounts.

For more information, see Package access accounts.

Configure IIS on the distribution point role

If Configuration Manager installs IIS when you add a distribution point site system role,
remove HTTP redirection and IIS Management Scripts and Tools when the distribution
point installation is complete. The distribution point doesn't require these components.
To reduce the attack surface, remove these role services for the web server role.

For more information about the role services for the web server role for distribution
points, see Site and site system prerequisites.

Set package access permissions when you create the package

Because changes to the access accounts on the package files become effective only
when you redistribute the package, set the package access permissions carefully when
you first create the package. This configuration is important when the package is large
or distributed to many distribution points, and when the network bandwidth capacity for
content distribution is limited.

Implement access controls to protect media that contains prestaged content

Prestaged content is compressed but not encrypted. An attacker could read and modify
the files that are downloaded to devices. Configuration Manager clients reject content
that's tampered with, but they still download it.

Import prestaged content with ExtractContent

Only import prestaged content by using the ExtractContent.exe command-line tool. To
avoid tampering and elevation of privileges, use only the authorized command-line tool
that comes with Configuration Manager.

For more information, see Deploy and manage content.

Secure the communication channel between the site server and the package source location

Use IPsec or SMB signing between the site server and the package source location when
you create applications, packages, and other objects with content. This configuration
helps to prevent an attacker from tampering with the source files.

Remove default virtual directories for custom website with the distribution point role

If you change the site configuration option to use a custom website rather than the
default website after installing a distribution point role, remove the default virtual
directories. When you switch from the default website to a custom website,
Configuration Manager doesn't remove the old virtual directories. Remove the following
virtual directories that Configuration Manager originally created under the default
website:

SMS_DP_SMSPKG$

SMS_DP_SMSSIG$

NOCERT_SMS_DP_SMSPKG$

NOCERT_SMS_DP_SMSSIG$

For more information about using a custom website, see Websites for site system
servers.
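As an added example (not code from the Configuration Manager documentation), the following PowerShell reports whether any of the four virtual directories listed above still exist under the default website, and removes them only when you run the removal function without -WhatIf. It assumes the WebAdministration module that ships with IIS and the default site name "Default Web Site".

```powershell
# Added example (not Microsoft's code): find leftover distribution point virtual
# directories under the default website after switching to a custom website.
# Assumes the WebAdministration module (installed with IIS) and the default
# site name "Default Web Site"; pass -SiteName if yours differs.
Import-Module WebAdministration

function Get-StaleDPVirtualDirectory {
    param(
        [string]$SiteName = 'Default Web Site'
    )
    # The four directories Configuration Manager originally created under the
    # default website (single quotes keep the trailing $ literal).
    $staleNames = @(
        'SMS_DP_SMSPKG$',
        'SMS_DP_SMSSIG$',
        'NOCERT_SMS_DP_SMSPKG$',
        'NOCERT_SMS_DP_SMSSIG$'
    )
    Get-WebVirtualDirectory -Site $SiteName |
        Where-Object { $staleNames -contains $_.path.TrimStart('/') } |
        Select-Object @{ n = 'Site'; e = { $SiteName } },
                      @{ n = 'Name'; e = { $_.path.TrimStart('/') } },
                      physicalPath
}

function Remove-StaleDPVirtualDirectory {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SiteName = 'Default Web Site'
    )
    foreach ($vdir in Get-StaleDPVirtualDirectory -SiteName $SiteName) {
        $iisPath = "IIS:\Sites\$($vdir.Site)\$($vdir.Name)"
        if ($PSCmdlet.ShouldProcess($iisPath, 'Remove stale virtual directory')) {
            # Removes only the IIS mapping; the content library on disk is untouched.
            Remove-Item -Path $iisPath -Recurse -ErrorAction Stop
        }
    }
}

# Report first, preview the removal with -WhatIf, then run it for real.
Get-StaleDPVirtualDirectory | Format-Table -AutoSize
Remove-StaleDPVirtualDirectory -WhatIf
```

Run the removal on the distribution point itself with an elevated session, after confirming that the custom website already serves the content.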

For content-enabled cloud management gateways, protect your Azure subscription details and certificates

When you use content-enabled cloud management gateways (CMGs), protect the
following high-value items:

The user name and password for your Azure subscription

The secret keys for Azure app registrations

The server authentication certificate

Store the certificates securely. If you browse to them over the network when you
configure the CMG, use IPsec or SMB signing between the site system server and the
source location.

For service continuity, monitor the expiry date of the CMG certificates

Configuration Manager doesn't warn you when the imported certificates for the CMG
are about to expire. Monitor the expiry dates independently from Configuration
Manager. Make sure that you renew and then import the new certificates before the
expiry date. This action is important if you acquire a server authentication certificate
from an external, public provider, because you might need more time to acquire a
renewed certificate.

If a certificate expires, the Configuration Manager cloud services manager generates a
status message with ID 9425. The CloudMgr.log file contains an entry to indicate that
the certificate is in expired state, with the expiry date also logged in UTC.
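Because the site only reports status message 9425 after a certificate has already expired, the independent monitoring described above has to come from outside Configuration Manager. The following PowerShell is an added example (not Microsoft's code) that flags CMG certificates ahead of time; it assumes the certificates are in the site server's LocalMachine\My store, that you pass their thumbprints, and the 30-day warning threshold is an assumed default.

```powershell
# Added example (not Microsoft's code): report CMG certificates that have expired
# or are close to expiry, so renewal can start before status message 9425 appears.
# Assumptions: certificates live in Cert:\LocalMachine\My on the site server and
# are identified by thumbprint; the 30-day threshold is a chosen default.
function Test-CmgCertificateExpiry {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Thumbprint,
        [int]$WarnDays = 30,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $now = Get-Date
    foreach ($tp in $Thumbprint) {
        $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $tp }
        if (-not $cert) {
            # A missing certificate is itself a finding: the CMG cannot be renewed from it.
            [pscustomobject]@{ Thumbprint = $tp; Subject = $null; NotAfterUtc = $null
                               DaysLeft = $null; State = 'NotFound' }
            continue
        }
        $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)
        $state = if ($daysLeft -lt 0) { 'Expired' }
                 elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' }
                 else { 'OK' }
        [pscustomobject]@{
            Thumbprint  = $tp
            Subject     = $cert.Subject
            NotAfterUtc = $cert.NotAfter.ToUniversalTime()  # CloudMgr.log also logs expiry in UTC
            DaysLeft    = $daysLeft
            State       = $state
        }
    }
}

# Placeholder thumbprints: replace with the CMG server authentication certificate
# and any other certificates you imported for the CMG. Use a longer warning window
# for certificates bought from a public provider, which take longer to reissue.
$results = Test-CmgCertificateExpiry -Thumbprint @('<CMG-SERVER-AUTH-THUMBPRINT>') -WarnDays 45
$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring agent raise an alert.
if ($results | Where-Object { $_.State -ne 'OK' }) { exit 2 }
```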

Security considerations
Clients don't validate content until after it's downloaded. Configuration Manager
clients validate the hash on content only after it's downloaded to their client cache.
If an attacker tampers with the list of files to download or with the content itself,
the download process can take up considerable network bandwidth. Then the
client discards the content when it finds the invalid hash.

When you use content-enabled cloud management gateways:

It automatically restricts access to the content to your organization. You can't
restrict it further to selected users or groups.

The management point first authenticates the client. Then the client uses a
Configuration Manager token to access cloud storage. The token is valid for
eight hours. This behavior means that if you block a client because it's no longer
trusted, it can continue to download content from cloud storage until this token
expires. The management point won't issue another token for the client because
it's blocked.

To prevent a blocked client from downloading content within this eight-hour
window, stop the cloud service. In the Configuration Manager console, go to the
Administration workspace, expand Cloud Services, and select the Cloud
Management Gateway node.

Privacy information
Configuration Manager doesn't include any user data in content files, although an
administrative user might choose to do this action.

Next steps
Fundamental concepts for content management

Security and privacy for application management

Security and privacy for software updates

Security and privacy for OS deployment


Data transfers between sites
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager uses file-based replication and database replication to transfer
different types of information between sites. Learn about how Configuration Manager
moves data between sites, and how you can manage the transfer of data across your
network.

Types of replication

File-based replication
Configuration Manager uses file-based replication to transfer file-based data between
sites in your hierarchy. This data includes applications and packages that you want to
deploy to distribution points in child sites. It also handles unprocessed discovery data
records that the site transfers to its parent site and then processes.

For more information, see File-based replication.

Database replication
Configuration Manager database replication uses SQL Server to transfer data. It uses this
method to merge changes in its site database with the information from the database at
other sites in the hierarchy.

For more information, see Database replication.

For help with troubleshooting SQL Server replication, see Troubleshoot SQL Server
replication.

See also
Monitor replication
File-based replication
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager uses file-based replication to transfer file-based data between
sites in your hierarchy. This data includes applications and packages that you want to
deploy to distribution points in child sites. It also handles unprocessed discovery data
records that the site transfers to its parent site and then processes.

File-based communication between sites uses the server message block (SMB) protocol
on TCP/IP port 445. To control the amount of data the site transfers across the network,
specify bandwidth throttling and pulse mode. Use schedules to control when to send
data across the network.

Routes
The following information can help you set up and use file replication routes.

File replication route

Each file replication route identifies a destination site to which a site transfers file-based
data. Each site supports one file replication route to a specific destination site.

To manage a file replication route, go to the Administration workspace. Expand the
Hierarchy Configuration node, and then select File Replication.

You can change the following settings for file replication routes:

File replication account

This account connects to the destination site, and writes data to that site's SMS_Site
share. The receiving site processes the data written to this share. By default, when you
add a site to the hierarchy, Configuration Manager assigns the new site server's
computer account as its file replication account. It then adds this account to the
destination site's SMS_SiteToSiteConnection_<sitecode> group. This group is local to the
computer that grants access to the SMS_Site share. You can change this account to be a
Windows user account. If you change the account, make sure you add the new account
to the destination site's SMS_SiteToSiteConnection_<sitecode> group.

Note

Secondary sites always use the computer account of the secondary site server as
the File Replication Account.

Schedule
Set the schedule for each file replication route. This action restricts the type of data and
time when data can transfer to the destination site.

Rate limits

Specify rate limits for each file replication route. This action controls the network
bandwidth the site uses when it transfers data to the destination site:

Pulse mode: Specify the size of the data blocks that the site sends to the
destination site. You can also specify a time delay between sending each data
block. Use this option when you must send data across a low-bandwidth network
connection to the destination site.

For example, you have constraints to send 1 KB of data every five seconds, but not
1 KB every three seconds. This constraint is regardless of the speed of the link or
its usage at a given time.

Limited to maximum transfer rates by hour: The site sends data to a destination
site by using only the percentage of time that you specify. Configuration Manager
doesn't identify the network's available bandwidth. It divides the time it can send
data into slices of time. It then sends the data in a short block of time, which is
followed by blocks of time when it doesn't send data.

For example, you set the maximum rate to 50%. Configuration Manager transmits
data for an amount of time followed by an equal period of time when it doesn't
send any data. It doesn't manage the actual size of the data block that it sends.
The site only manages the amount of time during which it sends data.

Caution

By default, a site can use up to three concurrent sendings to transfer data to
a destination site. When you enable rate limits for a file replication route, it
limits the concurrent sendings to that site to one. This behavior applies even
when the Limit available bandwidth (%) is set to 100%. For example, if you
use the default settings for the sender, this reduces the transfer rate to the
destination site to be one-third of the default capacity.

Routes between secondary sites

Configure a file replication route between two secondary sites to route file-based
content between those sites.

Sender
Each site has one sender. The sender manages the network connection from one site to
a destination site. It can establish connections to multiple sites at the same time. To
connect to a site, the sender uses the file replication route to the site and identifies the
account it uses to establish the network connection. The sender also uses this account
to write data to the destination site's SMS_Site share.

By default, the sender writes data to a destination site by using multiple concurrent
sendings, or threads. Each thread can transfer a different file-based object to the
destination site. When the sender begins to send an object, it continues to write blocks
of data for that object until it sends the entire object. After it sends all the data for the
object, a new object can begin to send on that thread.

To manage the sender for a site, go to the Administration workspace, and expand the
Site Configuration node. Select the Sites node, and then select Properties for the site
you want to manage. Switch to the Sender tab to change the sender settings.

You can change the following settings for a sender:

Maximum concurrent sendings

By default, each site uses five concurrent sendings (threads). Three threads are available
for use when it sends data to any one destination site. When you increase this number,
you can increase the throughput of data between sites. More threads mean that
Configuration Manager can transfer more files at the same time. Increasing this number
also increases the demand for network bandwidth between sites.

Retry settings

By default, each site retries a problem connection two times, with a one-minute delay
between connection attempts. You can modify the number of connection attempts the
site makes, and how long to wait between attempts.

Next steps
Database replication

Database replication
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager database replication uses SQL Server to transfer data. It uses this
method to merge changes in its site database with the information from the database at
other sites in the hierarchy.

Note the following points about database replication:

All sites share the same information.

When you install a site in a hierarchy, Configuration Manager automatically
establishes database replication between the new site and its parent site.

When the site installation finishes, database replication automatically starts.

When you add a new site to a hierarchy, Configuration Manager creates a generic
database at the new site. The parent site creates a snapshot of the relevant data in its
database. It then transfers the snapshot to the new site using file-based replication. The
new site then uses the SQL Server Bulk Copy Program (BCP) to load the information into
its local copy of the Configuration Manager database. After the snapshot loads, each
site conducts database replication with the other site.

To replicate data between sites, Configuration Manager uses its own database
replication service. The database replication service uses SQL Server change tracking to
monitor the local site database for changes. It then replicates the changes to other sites
by using SQL Server Service Broker (SSB). By default, this process uses TCP port 4022.

Replication groups
Configuration Manager groups data that replicates by database replication into different
replication groups. Each replication group has a separate, fixed replication schedule. The
site uses this schedule to determine how frequently it replicates changes to other sites.

For example, a change to a role-based administration configuration replicates quickly to
other sites. This behavior makes sure that the other site can quickly enforce these
changes. A lower-priority configuration change, such as a request to install a new
secondary site, replicates with less urgency. It can take several minutes for a new site
request to reach the destination primary site.

Settings
You can modify the following settings for database replication:

Database replication links: Control when specific traffic traverses the network.

Distributed views: When a central administration site (CAS) requests selected site
data, it can access the data directly from the database at a child primary site.

Schedules: Specify when a replication link is used, and when different types of site
data replicate.

Summarization: Change settings for data summarization about network traffic that
traverses replication links. By default, summarization occurs every 15 minutes. It's
used in reports for database replication.

Database replication thresholds: Define when the site reports links as degraded or
failed. You can also configure when Configuration Manager raises alerts about
replication links that have a degraded or failed status.

Types of data
Configuration Manager primarily classifies the data that it replicates as either global data
or site data. When database replication occurs, the site transfers changes to global data
and site data across the database replication link. Global data replicates to a parent or
child site. Site data replicates only to a parent site. A third data type, local data, doesn't
replicate to other sites. Local data is information that other sites don't require.

Global data
Global data is administrator-created objects that replicate to all sites throughout the
hierarchy. Secondary sites only receive a subset of global data, as global proxy data. You
create global data at the CAS and primary sites. This type includes the following data:

Software deployments
Software updates
Collection definitions
Role-based administration security scopes

Site data
Site data is operational information created by Configuration Manager primary sites and
their assigned clients. Site data replicates to the CAS, but not to other primary sites. Site
data is only viewable at the CAS and at the primary site where the data originates. You
can only modify site data at the primary site where you created it. This type includes the
following data:

Hardware inventory
Status messages
Alerts
The results of query-based collections

All site data replicates to the CAS. The CAS does administration and reporting for the
entire site hierarchy.

Database replication links

When you install a new site in a hierarchy, Configuration Manager automatically creates
a database replication link between the parent site and the new site. It creates a single
link to connect the two sites.

To control the transfer of data across the replication link, change settings for each link.
Each replication link supports separate configurations. Each database replication link
includes the following controls:

Stop the replication of selected site data from a primary site to the CAS. This action
causes the CAS to access this data directly from the database of the primary site.

Schedule selected site data to transfer from a child primary site to the CAS.

Define the settings that determine when a database replication link has a
degraded or failed status.

Specify when to raise alerts for a failed replication link.

Specify how frequently Configuration Manager summarizes data about the
replication traffic that uses the replication link. It uses this data in reports.

To configure a database replication link, in the Configuration Manager console, go to
the Monitoring workspace. Select the Database Replication node, and edit the
properties for the link. This node is also in the Administration workspace, under the
Hierarchy Configuration node. Edit a replication link from either the parent site or the
child site of the replication link.

Tip

You can edit database replication links from the Database Replication node in
either workspace. However, when you use the Database Replication node in the
Monitoring workspace, you can also view the status of database replication. It also
provides access to the Replication Link Analyzer tool. Use this tool to help
investigate problems with database replication.

For more information about how to configure replication links, see Site database
replication controls. For more information about how to monitor replication, see
Monitor database replication.

Distributed views
Through distributed views, when you make a request at the CAS for selected site data, it
directly accesses the database at the child primary site. This direct access replaces the
need to replicate site data from the primary site to the CAS. Because each replication
link is independent from other replication links, you can use distributed views on the
replication links that you choose. You can't use distributed views between a primary site
and a secondary site.

Distributed views provide the following benefits:

Reduce the CPU load to process database changes at the CAS and primary sites

Reduce the amount of data that transfers across the network to the CAS

Improve the performance of the SQL Server that hosts the CAS database

Reduce the disk space used by the CAS database

Consider using distributed views when a primary site is closely located to the CAS on the
network, the two sites are always on, and always connected. Distributed views replace
the replication of the selected data between the sites with direct connections between
the site database servers at each site. The CAS makes a direct connection each time you
request this data.

The site requests distributed view data in the following example scenarios:

When you run reports or queries

When you view information in Resource Explorer

Collection evaluation for collections that include site data-based rules

By default, distributed views are turned off for each replication link. When you turn on
distributed views, you select site data that won't replicate to the CAS across that link.
The CAS accesses this data directly from the database of the child primary site that
shares the link. You can configure the following types of site data for distributed views:

Hardware inventory data from clients

Software inventory and software metering data from clients

Status messages from clients, the primary site, and all secondary sites

When you view data in the Configuration Manager console or in reports, distributed
views are operationally invisible to you. When you request data that's enabled for
distributed views, the CAS site database server directly accesses the child primary site's
database to retrieve the information.

For example, you use a Configuration Manager console connected to the CAS. You
request information about hardware inventory from two primary sites: ABC and XYZ. You
only enabled hardware inventory for distributed views at site ABC. The CAS retrieves
inventory information for XYZ clients from its own database. The CAS retrieves inventory
information for ABC clients directly from the database at site ABC. This information
appears in the Configuration Manager console or in a report without identifying the
source.

If a replication link has a type of data enabled for distributed views, the child primary
site doesn't replicate that data to the CAS. When you turn off distributed views for a
type of data, the child primary site resumes normal data replication to the CAS. Before
this data is available at the CAS, the replication groups for this data must reinitialize
between the primary site and the CAS. After you uninstall a primary site that has
distributed views turned on, the CAS must complete reinitialization of its data before
you can access data that you enabled for distributed views on the CAS.

Important

When you use distributed views on any replication link in the site hierarchy, before
you uninstall any primary site, turn off distributed views for all replication links. For
more information, see Uninstall a primary site that uses distributed views.

Prerequisites and limitations for distributed views

Only use distributed views on replication links between the CAS and a primary site.

The CAS must use SQL Server Enterprise edition. The primary site doesn't have this
requirement.

The CAS can have only one instance of the SMS Provider. Install that single
instance on the site database server. This configuration supports Kerberos
authentication. The SQL Server at the CAS requires Kerberos to access the SQL
Server at the child primary site. There are no limitations on the SMS Provider at the
child primary site.

You can only install one reporting services point at the CAS. Install SQL Server
Reporting Services on the site database server. This configuration supports
Kerberos authentication. The SQL Server at the CAS requires Kerberos to access the
SQL Server at the child primary site.

You can host the site database on a SQL Server Always On failover cluster instance,
if it has the following configurations:

    The CAS database is on a single SQL Server with a local SMS Provider.

    The primary site listener is on port 1433.

The computer account of the CAS database server requires Read permissions on
the primary site database.

Important

Distributed views and schedules for when data can replicate are mutually exclusive
settings for a database replication link.

Schedule transfers of site data

To help you control the network bandwidth that's used to replicate site data from a child
primary site to the CAS, schedule when a replication link is used. Then specify when
different types of site data replicate. You can control when the primary site replicates
status messages, inventory, and metering data. Database replication links from
secondary sites don't support schedules for site data. You can't schedule the transfer of
global data.

When you configure a database replication link schedule, you can restrict the transfer of
selected site data from the primary site to the CAS. You can also configure different
times to replicate different types of site data.

Important

Distributed views and schedules for when data can replicate are mutually exclusive
configurations for a database replication link.

Summarization of traffic
Each site periodically summarizes data about the network traffic that traverses database
replication links for the site. The site uses summarized data in reports for database
replication. Both sites on a replication link summarize the network traffic that traverses
the replication link. The site database server summarizes the data. After it summarizes
data, the information replicates to other sites as global data.

By default, summarization occurs every 15 minutes. To modify the frequency of
summarization for network traffic, in the properties of the database replication link, edit
the Summarization interval. The frequency of summarization affects the information
that you view in reports about database replication. You can choose an interval from 5
to 60 minutes. When you increase the frequency of summarization, you increase the
processing load on the SQL Server at each site on the replication link.

Database replication thresholds

Database replication thresholds define when Configuration Manager reports the status
of a database replication link as either degraded or failed. By default, it sets a link as
degraded when any one replication group fails to complete replication for 12
consecutive attempts. It sets the link as failed when any replication group fails to
replicate in 24 consecutive attempts.

You can specify custom values for degraded or failed status. If you adjust these values,
you can more accurately monitor the health of database replication across the links.

One or more replication groups can fail to replicate while other replication groups
continue to successfully replicate. Plan to review the replication status of a link when it
first reports as degraded.

Consider modifying the retry values for the degraded or failed status of the link in the
following situations:

There are recurring delays for specific replication groups, and their delay isn't a
problem

The network link between sites has low available bandwidth

When you increase the number of retries before the site sets the link to degraded or
failed, you can eliminate false warnings for known issues. This action lets you more
accurately track the status of the link.

To understand how frequently replication of that group occurs, consider the replication
sync interval for each replication group. To view the Synchronization Interval for
replication groups, go to the Monitoring workspace in the Configuration Manager
console. In the Database Replication node, select the Replication Detail tab of a
replication link.

For more information about how to monitor database replication, including how to view
the replication status, see Monitor database replication.

Site database replication controls

To help you control the network bandwidth used for database replication, change the
settings for each site database. The settings apply only to the site database in which you
configure the settings. The settings are always used when the site replicates any data by
database replication to any other site.

You can modify the following replication controls for each site database:

The SSB port.

The period of time to wait before replication failures trigger the site to reinitialize
its copy of the site database.

Compress the data that a site replicates. It only compresses the data for transfer
between sites, and not for storage in the site database at either site.

To change the settings for the replication controls for a site database, in the
Configuration Manager console, on the Database Replication node, edit the properties
of the site database. This node appears under the Hierarchy Configuration node in the
Administration workspace, and also appears in the Monitoring workspace. To edit the
properties of the site database, select the replication link between the sites, and then
open either Parent Database Properties or Child Database Properties.

Tip

You can configure database replication controls from the Database Replication
node in either workspace. However, when you use the Database Replication node
in the Monitoring workspace, you can also view the status of database replication
for a replication link, and access the Replication Link Analyzer tool to help you
investigate problems with replication.

Next steps

Monitor replication

Troubleshoot SQL Server replication


How clients find site resources and services
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager clients use a process called service location to locate site system
servers. Clients can communicate with these servers and they provide services that
clients can use. To better configure your sites to successfully support client tasks, you
need to understand how and when clients use service location to find site resources.
These configurations can require the site to interact with domain and network
configurations like Active Directory Domain Services and DNS. They can also require you
to configure more complex alternatives.

Some examples of site system roles that provide services include:

The core site system server for clients, the management point.

Other site system servers that the client can communicate with, like distribution
points and software update points.

Fundamentals of service location

When a client uses service location to find a management point to communicate with, it
evaluates the following aspects:

Current network location

Communication protocol preference

Assigned site

Client communication with a management point

A client communicates with a management point (MP) to:

Download information about other management points for the site. It then builds
a list of known management points for future service location cycles. This list is
also known as the MP list.

Upload configuration details, like inventory and status.

Download a policy that sets configurations on the client, informs it of software to
install, and other related tasks.

Request information about other site system roles that provide services that the
client can use. For example, distribution points for software that the client can
install, or a software update point for metadata about software updates.

Client service location requests

A Configuration Manager client makes a service location request:

Every 25 hours of continuous operation.

When the client detects a change in its network configuration or location.

When the ccmexec.exe service on the computer starts. This Windows service is the
core client service.

When the client needs to locate a site system role that provides a required service.

Client requests for site system roles

When a client attempts to find servers that host roles, it uses service location. It tries to
find a role that supports its communication protocol, either HTTP or HTTPS. By default,
clients use the most secure method available to them.

To use HTTPS, you need a public key infrastructure (PKI) and install PKI certificates
on clients and servers. For more information, see PKI certificate requirements for
Configuration Manager.

For roles that use IIS and support client communication, you configure them for
HTTP or HTTPS. If you use HTTP, also consider signing and encryption choices. For
more information, see Planning for signing and encryption.

Important

Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Determine assigned management point

Primary sites support multiple management points. Each client independently identifies
a management point as its default. When a client first assigns to a primary site, it selects
its default management point. This default management point then becomes that
client's assigned management point.

Tip

You can use client installation properties to set the assigned management point for
a client. For more information, see Client installation properties.

A client selects a management point to communicate with based on the client's current
network location and boundary group configurations. Even though it has an assigned
management point, this server may not be the management point that the client uses.

Note

A client always uses the assigned management point for registration messages and
certain policy messages. This behavior happens even when other communications
are sent to a proxy or local management point.

You can use preferred management points. Preferred management points are
management points from a client's assigned site that are associated with a boundary
group that the client uses to find site system servers. A preferred management point's
association with a boundary group is similar to how distribution points or state
migration points are associated with a boundary group. If you enable preferred
management points for the hierarchy, when a client uses a management point from its
assigned site, it tries to use a preferred management point before using other
management points from its assigned site.

Tip

You can configure management point affinity with a registry key configuration on
the client. Management point affinity overrides the default behavior for assigned
management points and lets the client use one or more specific management
points. For more information, see this blog post from a Microsoft Premier
engineer.

Each time a client needs to contact a management point, it first checks the MP list. The
client creates an initial MP list when it installs. The client then periodically updates the
list with details about each management point in the hierarchy.

When the client can't find a valid management point in its MP list, it searches the service
location sources. It uses the following sources in order, until it finds a management
point that it can use:

1. Management point
2. Active Directory Domain Services (AD DS)
3. DNS

After a client successfully locates and contacts a management point, it downloads the
current list of available management points. It then updates its own local MP list.

This process is the same for all clients. For example, when a Configuration Manager
client that's on the internet connects to an internet-based management point, the
management point sends that client a list of available internet-based management
points. A client that's not on the internet only gets a list of internal management points.

The MP list
The MP list is the preferred service location source for a client. It's a prioritized list of
management points that the client previously identified. The client sorts its MP list
based on its current network location. It stores the list locally in WMI.

Build the initial MP list

During installation of the client, the client uses the following rules to build its initial MP
list:

Include management points specified during client installation. For example, when
you use the SMSMP property or /mp parameter.

Query AD DS for published management points. The client identifies management
points from AD DS that are in its assigned site and the same product version.

If it doesn't get any management points from the first two rules, the client checks
DNS for published management points.

MP list categories
Clients organize their list of management points by using the following categories:

Proxy: A management point at a secondary site.

Local: Any management point that's associated with the client's current network
location, as defined by site boundaries.

When a client belongs to more than one boundary group, it determines the list
of local management points from the union of all boundaries that include the
current network location of the client.

    Local management points are typically a subset of a client's assigned
    management points, unless the client is in a network location that's associated
    with another site with management points servicing its boundary groups.

Assigned: Any management point that's in the client's assigned site.

You can use preferred management points. Management points at a site that aren't
associated with a boundary group, or that aren't in a boundary group associated with a
client's current network location, aren't considered preferred. The client uses these
management points when it can't find an available preferred management point.

Select a management point to use

For typical communications, a client tries to use a management point in the following
order, based on the client's network location:

1. Proxy
2. Local
3. Assigned

The client always uses the assigned management point for registration messages and
certain policy messages. This behavior happens even when it sends other
communication to a proxy or local management point.

Within each category, the client attempts to use a management point based on
preferences, in the following order:

1. When the client is configured for HTTPS communication:
    a. HTTPS-capable in a trusted or local forest
    b. HTTPS-capable not in a trusted or local forest
2. HTTP-capable in a trusted or local forest
3. HTTP-capable not in a trusted or local forest

From the set of management points sorted by preference, the client attempts to use the
first management point on the list. This sorted list of management points is otherwise
randomized and can't be ordered any further. The order of the list can change each time
the client updates its MP list.

When a client can't contact the first management point, it tries each successive
management point on its list. It tries each preferred management point in the category
before trying the non-preferred management points. If a client can't successfully
communicate with any management point in the category, it attempts to contact a
preferred management point from the next category, until it finds a management point
to use.

After a client establishes communication with a management point, it continues to use
that same management point until:

25 hours have passed.

The client is unable to communicate with the management point for five attempts
over a period of 10 minutes.

The client then randomly selects a new management point to use.
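The following Python model is an added example, not Microsoft's code or the real client implementation: it applies the ordering rules described above to a constructed MP list (made-up host names), and it assumes that within a category the preferred flag is applied before the protocol preference, an interaction the text leaves open.

```python
"""Model of the management point (MP) selection order described above.

Added example, not Microsoft's code or the client's actual implementation. It
applies the documented rules: category order (Proxy, Local, Assigned), preferred
MPs before non-preferred ones within a category, the protocol/forest preference
list, and random order among entries that tie on every rule. Assumption: the
protocol preference is applied among MPs that share the same preferred status;
the text does not say which of the two takes precedence. Host names are made up.
"""
import random
from dataclasses import dataclass
from typing import List, Optional

# Categories in the order the client tries them.
CATEGORY_ORDER = {"proxy": 0, "local": 1, "assigned": 2}


@dataclass(frozen=True)
class ManagementPoint:
    fqdn: str
    category: str         # "proxy", "local" or "assigned"
    https: bool           # accepts HTTPS client connections
    http: bool            # accepts HTTP client connections
    trusted_forest: bool  # in the client's own forest or a trusted one
    preferred: bool       # in a boundary group the client uses to find servers


def protocol_rank(mp: ManagementPoint, client_https: bool) -> Optional[int]:
    """Rank by the protocol preference list above; None means unusable.

    0: HTTPS-capable in a trusted or local forest   (HTTPS clients only)
    1: HTTPS-capable not in a trusted/local forest  (HTTPS clients only)
    2: HTTP-capable in a trusted or local forest
    3: HTTP-capable not in a trusted or local forest
    """
    if client_https and mp.https:
        return 0 if mp.trusted_forest else 1
    if mp.http:
        return 2 if mp.trusted_forest else 3
    return None  # e.g. an HTTPS-only MP seen by a client without a PKI certificate


def order_mp_list(mps: List[ManagementPoint], client_https: bool,
                  rng: Optional[random.Random] = None) -> List[ManagementPoint]:
    """Return the usable MPs in the order the client would try them."""
    rng = rng or random.Random()
    usable = [mp for mp in mps
              if mp.category in CATEGORY_ORDER
              and protocol_rank(mp, client_https) is not None]
    # Shuffle first; the stable sort then keeps a random order among MPs
    # that tie on category, preferred status and protocol rank.
    rng.shuffle(usable)
    usable.sort(key=lambda mp: (CATEGORY_ORDER[mp.category],
                                0 if mp.preferred else 1,
                                protocol_rank(mp, client_https)))
    return usable


def must_reselect(hours_in_use: float, failures_in_last_10_min: int) -> bool:
    """The two conditions above under which the client drops its current MP."""
    return hours_in_use >= 25 or failures_in_last_10_min >= 5


# Constructed sample: one secondary-site MP, two local MPs, three at the assigned site.
SAMPLE_MPS = [
    ManagementPoint("mp-sec.contoso.com", "proxy", True, True, True, False),
    ManagementPoint("mp-local.contoso.com", "local", False, True, True, True),
    ManagementPoint("mp-ext.fabrikam.com", "local", True, False, False, False),
    ManagementPoint("mp-a.contoso.com", "assigned", True, True, True, True),
    ManagementPoint("mp-b.contoso.com", "assigned", True, True, True, False),
    ManagementPoint("mp-legacy.fabrikam.com", "assigned", False, True, False, False),
]

if __name__ == "__main__":
    for mp in order_mp_list(SAMPLE_MPS, client_https=True, rng=random.Random(1)):
        print(mp.category, mp.fqdn)
```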

Active Directory
Domain-joined clients can use AD DS for service location. This behavior requires sites to
publish data to Active Directory.

A client can use AD DS for service location when all the following conditions are true:

You extended the Active Directory schema.

You configured the Active Directory forest for publishing, and you configured the
Configuration Manager site to publish.

The client computer is a member of an Active Directory domain and can access a
global catalog server.

If a client can't find a management point to use for service location from AD DS, it
attempts to use DNS.

DNS
Clients on the intranet can use DNS for service location. This behavior requires at least
one site in a hierarchy to publish information about management points to DNS.

Consider using DNS for service location when any of the following conditions are true:

You haven't extended the AD DS schema to support Configuration Manager.

Clients on the intranet are in a forest that you haven't enabled for Configuration
Manager publishing.

You have clients on workgroup computers, and you haven't configured those
clients for internet-only client management. A workgroup client configured for the
internet communicates only with internet-facing management points and won't
use DNS for service location.

You can configure clients to find management points from DNS.

When a site publishes service location records for management points to DNS:

Publishing is applicable only to management points that accept client connections
from the intranet.

Publishing adds a service location resource record (SRV RR) in the DNS zone of the
management point server. That server needs a corresponding host entry in DNS.

By default, domain-joined clients search DNS for management point records from the
client's local domain. You can configure a client installation property to specify another
domain suffix.

For more information, see How to configure client computers to find management
points by using DNS publishing.

Publish management points to DNS

To publish management points to DNS, the following two conditions must be true:

Your DNS servers support service location resource records, by using a version of
BIND that's at least 8.1.2.

The specified intranet FQDNs for the management points in Configuration
Manager have host entries (A records) in DNS.

Important

Configuration Manager DNS publishing doesn't support a disjointed namespace. If
you have a disjointed namespace, you can manually publish management points to
DNS. You can also use one of the other service location methods.

DNS configuration scenarios

The DNS server supports automatic updates

You can configure Configuration Manager to automatically publish management points
on the intranet to DNS, or you can manually publish these records to DNS. When
Configuration Manager publishes management points to DNS, it adds their intranet
FQDN and port number in the service location (SRV) record. You configure DNS
publishing in the site's Management Point Component Properties. For more
information, see Site components - Management point.

The DNS zone is set to "Secure only" for dynamic updates

With default permissions, only the first management point can successfully publish to
DNS.

If only one management point can successfully publish and change its DNS record,
clients can get the full MP list from that management point. As long as that one
published management point is healthy, clients can then find their preferred
management point.

The DNS server doesn't support automatic updates but supports service location records

In this scenario, manually publish management points to DNS. Manually configure the
service location resource record (SRV RR). Configuration Manager supports RFC 2782 for
service location records. These records have the following format:

_Service._Protocol.Name TTL Class SRV Priority Weight Port Target

To publish a management point to DNS, specify the following values:

_Service: _mssms_mp_<sitecode>. For example, _mssms_mp_xyz

._Protocol: ._tcp

.Name: Specify the DNS suffix of the management point, for example contoso.com

TTL: Use 14400 for four hours.

Class: Specify IN for RFC 1035.

Priority: Configuration Manager doesn't use this field.

Weight: Configuration Manager doesn't use this field.

Port: Specify the port number that the management point uses. For example, 443
by default for HTTPS.

Target: Specify the intranet FQDN of the site system server with the management
point role.
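An added example, not Microsoft's or the project's code: a Python check that parses management point SRV records in the format above and flags records that deviate from the expected publishing (wrong site code, protocol, class or port, or a target that isn't one of the management points you operate and have a host record for). The zone lines and host names are constructed for the example.

```python
"""Audit the SRV records a site publishes for its management points.

Added example, not Microsoft's or the project's code. It parses records in the
RFC 2782 form shown above
(_Service._Protocol.Name TTL Class SRV Priority Weight Port Target) and checks
the Configuration Manager conventions: service _mssms_mp_<sitecode>, protocol
_tcp, class IN, the expected port, and a target that is one of the management
point FQDNs you operate and that has a host entry in DNS. All zone data and
host names below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Owner name of an MP record: _mssms_mp_<3-character site code>._tcp.<suffix>
MP_OWNER = re.compile(r"^_mssms_mp_([a-z0-9]{3})\._tcp\.(.+?)\.?$", re.IGNORECASE)


@dataclass(frozen=True)
class MpSrvRecord:
    site_code: str
    suffix: str     # DNS suffix from the owner name (the "Name" field above)
    ttl: int
    priority: int
    weight: int
    port: int
    target: str     # intranet FQDN of the MP, without the trailing dot


def parse_mp_srv(line: str) -> MpSrvRecord:
    """Parse one zone-file line; raise ValueError if it is not an MP SRV record."""
    fields = line.split()
    if len(fields) != 8 or fields[3].upper() != "SRV":
        raise ValueError("not an SRV record with 8 fields")
    owner, ttl, rclass, _, priority, weight, port, target = fields
    match = MP_OWNER.match(owner)
    if not match:
        raise ValueError(f"owner name {owner} is not _mssms_mp_<sitecode>._tcp.<suffix>")
    if rclass.upper() != "IN":
        raise ValueError(f"class {rclass} is not IN")
    return MpSrvRecord(
        site_code=match.group(1).upper(),
        suffix=match.group(2).lower(),
        ttl=int(ttl), priority=int(priority), weight=int(weight), port=int(port),
        target=target.rstrip(".").lower(),
    )


def build_mp_srv(site_code: str, suffix: str, target: str,
                 port: int = 443, ttl: int = 14400) -> str:
    """Render the record a site would publish (priority and weight are unused, so 0 0)."""
    return (f"_mssms_mp_{site_code.lower()}._tcp.{suffix}. {ttl} IN SRV 0 0 "
            f"{port} {target}.")


def audit_mp_srv(lines: Iterable[str], site_code: str, host_records: Dict[str, str],
                 expected_port: int = 443) -> List[Tuple[str, str]]:
    """Return (record, problem) pairs for lines that deviate from expected publishing.

    host_records maps the FQDN of every management point you operate to the
    address in its A/AAAA record; any other target is flagged.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or zone-file comment
        try:
            rec = parse_mp_srv(line)
        except ValueError as exc:
            findings.append((line, str(exc)))
            continue
        if rec.site_code != site_code.upper():
            findings.append((line, f"site code {rec.site_code}, expected {site_code.upper()}"))
        if rec.target not in host_records:
            findings.append((line, f"target {rec.target} is not a known MP with a host record"))
        if not rec.target.endswith("." + rec.suffix):
            findings.append((line, f"target {rec.target} is outside suffix {rec.suffix}"))
        if rec.port != expected_port:
            findings.append((line, f"port {rec.port}, expected {expected_port}"))
    return findings


# Constructed sample zone data: two correct records and four that should be flagged.
SAMPLE_ZONE = """
; constructed sample, not real zone data
_mssms_mp_xyz._tcp.contoso.com. 14400 IN SRV 0 0 443 mp01.contoso.com.
_mssms_mp_xyz._tcp.contoso.com. 14400 IN SRV 0 0 443 mp02.contoso.com.
_mssms_mp_xyz._tcp.contoso.com. 14400 IN SRV 0 0 80 mp02.contoso.com.
_mssms_mp_xyz._tcp.contoso.com. 14400 IN SRV 0 0 443 unknown-host.contoso.com.
_mssms_mp_abc._tcp.contoso.com. 14400 IN SRV 0 0 443 mp01.contoso.com.
_mssms_mp_xyz._udp.contoso.com. 14400 IN SRV 0 0 443 mp01.contoso.com.
"""

# Constructed: the management points you operate and their host (A) records.
KNOWN_MPS = {"mp01.contoso.com": "10.0.0.11", "mp02.contoso.com": "10.0.0.12"}

if __name__ == "__main__":
    for record, problem in audit_mp_srv(SAMPLE_ZONE.splitlines(), "XYZ", KNOWN_MPS):
        print(f"{problem}\n    {record}")
```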

Configure Windows Server DNS
If you use Windows Server DNS, use the following procedures to enter this DNS record
for intranet management points.

Configure automatic publishing for a site

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. Select the site to configure publishing. In the ribbon, select Configure Site
Components and choose Management Point.

3. Select the management points that you want to publish. This selection applies to
publishing for AD DS and DNS.

4. Enable the option to Publish selected intranet management points in DNS.

Manually publish management points to DNS on Windows Server

1. In the DNS management console, select the DNS zone for the management point
computer.

2. Verify that there's a host record (A or AAAA) for the intranet FQDN of the site
system. If this record doesn't exist, create it.

3. Select New Other Records, choose Service Location (SRV), and then choose
Create Record.

4. Specify the following information, and then select Done:

Domain: If necessary, enter the DNS suffix of the management point, for
example contoso.com.
Service: _mssms_mp_<sitecode>. For example, _mssms_mp_xyz
Protocol: ._tcp
Priority: Configuration Manager doesn't use this field.
Weight: Configuration Manager doesn't use this field.
Port: Specify the port number that the management point uses. For example,
443 by default for HTTPS.

Host offering this service: Specify the intranet FQDN of the site system
server with the management point role.

Repeat these steps for each management point on the intranet that you want to publish
to DNS.

Security and privacy for site administration in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article contains security and privacy information for Configuration Manager sites
and the hierarchy.

Security guidance for site administration

Use the following guidance to help you secure Configuration Manager sites and the
hierarchy.

Run setup from a trusted source and secure communication

To help prevent someone from tampering with the source files, run Configuration
Manager setup from a trusted source. If you store the files on the network, secure the
network location.

If you do run setup from a network location, to help prevent an attacker from tampering
with the files as they're transmitted over the network, use IPsec or SMB signing between
the source location of the setup files and the site server.

If you use the Setup Downloader to download the files that are required by setup, make
sure that you secure the location where these files are stored. Also secure the
communication channel for this location when you run setup.

Extend the Active Directory schema and publish sites to the domain

Schema extensions aren't required to run Configuration Manager, but they do create a
more secure environment. Clients and site servers can retrieve information from a
trusted source.

If clients are in an untrusted domain, deploy the following site system roles in the
clients' domains:

Management point

Distribution point

Note

A trusted domain for Configuration Manager requires Kerberos authentication. If
clients are in another forest that doesn't have a two-way forest trust with the site
server's forest, these clients are considered to be in an untrusted domain. An
external trust isn't sufficient for this purpose.

Use IPsec to secure communications

Although Configuration Manager does secure communication between the site server
and the computer that runs SQL Server, Configuration Manager doesn't secure
communications between site system roles and SQL Server. You can only configure
some site systems with HTTPS for intrasite communication.

If you don't use additional controls to secure these server-to-server channels, attackers
can use various spoofing and man-in-the-middle attacks against site systems. Use SMB
signing when you can't use IPsec.

Important

Secure the communication channel between the site server and the package source
server. This communication uses SMB. If you can't use IPsec to secure this
communication, use SMB signing to make sure that the files aren't tampered with
before clients download and run them.

Don't change the default security groups

Don't change the following security groups that Configuration Manager creates and
manages for site system communication:

SMS_SiteSystemToSiteServerConnection_MP_<SiteCode>

SMS_SiteSystemToSiteServerConnection_SMSProv_<SiteCode>

SMS_SiteSystemToSiteServerConnection_Stat_<SiteCode>

Configuration Manager automatically creates and manages these security groups. This
behavior includes removing computer accounts when a site system role is removed.

To ensure service continuity and least privilege, don't manually edit these groups.

Manage the trusted root key provisioning process

If clients can't query the global catalog for Configuration Manager information, they
must rely on the trusted root key to authenticate valid management points. The trusted
root key is stored in the client registry. It can be set by using group policy or manual
configuration.

If the client doesn't have a copy of the trusted root key before it contacts a
management point for the first time, it trusts the first management point it
communicates with. To reduce the risk of an attacker misdirecting clients to an
unauthorized management point, you can pre-provision the clients with the trusted root
key. For more information, see Planning for the trusted root key.

Use non-default port numbers

Using non-default port numbers can provide additional security. They make it harder for
attackers to explore the environment in preparation for an attack. If you decide to use
non-default ports, plan for them before you install Configuration Manager. Use them
consistently across all sites in the hierarchy. Client request ports and Wake On LAN are
examples where you can use non-default port numbers.

Use role separation on site systems

Although you can install all the site system roles on a single computer, this practice is
rarely used on production networks. It creates a single point of failure.

Reduce the attack profile

Isolating each site system role on a different server reduces the chance that an attack
against vulnerabilities on one site system can be used against a different site system.
Many roles require the installation of Internet Information Services (IIS) on the site
system, and this need increases the attack surface. If you must combine roles to reduce
hardware expenditure, combine IIS roles only with other roles that require IIS.

Important

The fallback status point role is an exception. Because this site system role accepts
unauthenticated data from clients, don't assign the fallback status point role to any
other Configuration Manager site system role.

Configure static IP addresses for site systems

Static IP addresses are easier to protect from name resolution attacks.

Static IP addresses also make the configuration of IPsec easier. Using IPsec is a security
best practice for securing communication between site systems in Configuration
Manager.

Don't install other applications on site system servers

When you install other applications on site system servers, you increase the attack
surface for Configuration Manager. You also risk incompatibility issues.

Require signing and enable encryption as a site option

Enable the signing and encryption options for the site. Ensure that all clients can support
the SHA-256 hash algorithm, and then enable the option to Require SHA-256.

Restrict and monitor administrative users

Grant administrative access to Configuration Manager only to users that you trust. Then
grant them minimum permissions by using the built-in security roles or by customizing
the security roles. Administrative users who can create, modify, and deploy software and
configurations can potentially control devices in the Configuration Manager hierarchy.

Periodically audit administrative user assignments and their authorization level to verify
required changes.

For more information, see Configure role-based administration.

Secure Configuration Manager backups

When you back up Configuration Manager, this information includes certificates and
other sensitive data that could be used by an attacker for impersonation.

Use SMB signing or IPsec when you transfer this data over the network, and secure the
backup location.

Secure locations for exported objects
Whenever you export or import objects from the Configuration Manager console to a
network location, secure the location and secure the network channel.

Restrict who can access the network folder.

To prevent an attacker from tampering with the exported data, use SMB signing or IPsec
between the network location and the site server. Also secure the communication
between the computer that runs the Configuration Manager console and site server. Use
IPsec to encrypt the data on the network to prevent information disclosure.

Manually remove certificates from failed servers


If a site system isn't uninstalled properly, or stops functioning and can't be restored,
manually remove the Configuration Manager certificates for this server from other
Configuration Manager servers.

To remove the peer trust that was originally established with the site system and site
system roles, manually remove the Configuration Manager certificates for the failed
server in the Trusted People certificate store on other site system servers. This action is
important if you reuse the server without reformatting it.

For more information, see Cryptographic controls for server communication.
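As an added example (not code from the Configuration Manager documentation), the following PowerShell removes the certificates that belong to a failed site system from the Trusted People store on each remaining site system, keeping an exported copy of each certificate so a wrong match can be reverted. The server names are assumed placeholders, and the script matches on the failed server's host name in the certificate subject or subject alternative names, which is an assumption about how the certificates are named in your site.

```powershell
# Added example (not from the Configuration Manager documentation): remove the
# Configuration Manager certificates of a failed site system from the Trusted People
# store of every remaining site system. Run from an elevated session that has
# administrative rights on the target servers. Server names are placeholders.
$failedServer = 'DP02.contoso.com'
$remaining    = 'CM01.contoso.com', 'MP01.contoso.com', 'DP01.contoso.com'

$results = Invoke-Command -ComputerName $remaining -ArgumentList $failedServer -ScriptBlock {
    param($failed)
    $store = 'Cert:\LocalMachine\TrustedPeople'
    # Match the short host name in the subject (covers certificates issued to the NetBIOS
    # name) or the FQDN in the SAN list. Assumption: the failed server's name appears there.
    $short   = $failed.Split('.')[0]
    $pattern = "\b$([regex]::Escape($short))\b"
    $stale = Get-ChildItem -Path $store | Where-Object {
        $_.Subject -match $pattern -or ($_.DnsNameList.Unicode -contains $failed)
    }
    foreach ($cert in $stale) {
        # Keep an export so a mismatch can be reverted with Import-Certificate.
        $backup = Join-Path $env:SystemRoot "Temp\$($cert.Thumbprint).cer"
        Export-Certificate -Cert $cert -FilePath $backup | Out-Null
        Remove-Item -Path (Join-Path $store $cert.Thumbprint)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Backup     = $backup
        }
    }
}

if ($results) {
    $results | Format-Table PSComputerName, Subject, Thumbprint, Backup -AutoSize
} else {
    "No certificates matching $failedServer were found in Trusted People on the listed servers."
}
```

Run it with the Remove-Item line commented out first and review the list it prints; the peer trust you are removing is exactly what lets a reused, unformatted server pretend to be the old site system.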

Don't configure internet-based site systems to bridge the perimeter network

Don't configure site system servers to be multi-homed so that they connect to the
perimeter network and the intranet. Although this configuration allows internet-based
site systems to accept client connections from the internet and the intranet, it eliminates
a security boundary between the perimeter network and the intranet.

Configure the site server to initiate connections to perimeter networks

If a site system is on an untrusted network, such as a perimeter network, configure the
site server to initiate connections to the site system.

By default, site systems initiate connections to the site server to transfer data. This
configuration can be a security risk when the connection initiation is from an untrusted
network to the trusted network. When site systems accept connections from the
internet, or reside in an untrusted forest, configure the site system option to Require the
site server to initiate connections to this site system. After the installation of the site
system and any roles, all connections are initiated by the site server from the trusted
network.

Use SSL bridging and termination with authentication


If you use a web proxy server for internet-based client management, configure it for SSL
bridging to SSL with termination and authentication, rather than for pass-through
tunneling.

When you configure SSL termination at the proxy web server, packets from the internet
are subject to inspection before they're forwarded to the internal network. The proxy
web server authenticates the connection from the client, terminates it, and then opens a
new authenticated connection to the internet-based site systems.

When Configuration Manager client computers use a proxy web server to connect to
internet-based site systems, the client identity (GUID) is securely contained within the
packet payload. Then the management point doesn't consider the proxy web server to
be the client.

If your proxy web server can't support the requirements for SSL bridging, SSL tunneling
is also supported. This option is less secure. The SSL packets from the internet are
forwarded to the site systems without termination. Then they can't be inspected for
malicious content.

Warning

Mobile devices that are enrolled by Configuration Manager can't use SSL bridging.
They must use SSL tunneling only.

Configurations to use if you configure the site to wake up computers to install software

If you use traditional wake-up packets, use unicast rather than subnet-directed
broadcasts.

If you must use subnet-directed broadcasts, configure routers to allow IP-directed
broadcasts only from the site server and only on a non-default port number.

For more information about the different Wake On LAN technologies, see Planning how
to wake up clients.

If you use email notification, configure authenticated access to the SMTP mail server

Whenever possible, use a mail server that supports authenticated access. Use the
computer account of the site server for authentication. If you must specify a user
account for authentication, use an account that has the least privileges.

Enforce LDAP channel binding and LDAP signing


The security of Active Directory domain controllers can be improved by configuring the
server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not
request signing or to reject LDAP simple binds that are performed on a clear text
connection. Starting in version 1910, Configuration Manager supports enforcing LDAP
channel binding and LDAP signing. For more information, see 2020 LDAP channel
binding and LDAP signing requirements for Windows .
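The following PowerShell is an added example, not code from the Configuration Manager documentation or from the Windows guidance it links to. It audits the two registry values that control LDAP signing and channel binding on a domain controller, lists the Directory Service events that identify clients still binding without signing, and enforces both settings when run with -Enforce. The registry value names and their meanings are the documented Windows settings; the script itself is an assumption about how you choose to apply them.

```powershell
# Added example (not from the Configuration Manager documentation): audit LDAP signing
# and LDAP channel binding on a domain controller, and enforce them when -Enforce is
# passed. Run elevated on the domain controller.
param([switch]$Enforce)

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# LDAPServerIntegrity:       1 = signing not required (default), 2 = require signing for SASL binds.
# LdapEnforceChannelBinding: 0 = never (default), 1 = when the client supports it, 2 = always.
$params  = Get-ItemProperty -Path $ntdsParams
$signing = if ($null -ne $params.LDAPServerIntegrity) { $params.LDAPServerIntegrity } else { 1 }
$binding = if ($null -ne $params.LdapEnforceChannelBinding) { $params.LdapEnforceChannelBinding } else { 0 }

[pscustomobject]@{
    DomainController          = $env:COMPUTERNAME
    LDAPServerIntegrity       = $signing
    SigningRequired           = ($signing -eq 2)
    LdapEnforceChannelBinding = $binding
    ChannelBindingAlways      = ($binding -eq 2)
} | Format-List

# Before enforcing, find the clients that would break. Event 2887 in the Directory Service
# log summarises unsigned SASL binds and clear-text simple binds over the previous 24 hours;
# once the '16 LDAP Interface Events' diagnostic level is 2, event 2889 names each client.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889 } `
    -MaxEvents 25 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

if ($Enforce) {
    Set-ItemProperty -Path $ntdsDiag   -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    Set-ItemProperty -Path $ntdsParams -Name 'LDAPServerIntegrity'       -Value 2 -Type DWord
    Set-ItemProperty -Path $ntdsParams -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord
    'Enforcement values written. Rerun without -Enforce to confirm, and keep watching for 2889 events.'
}
```

Run it in audit mode on every domain controller first: any Configuration Manager site system older than version 1910, or a third-party LDAP client still doing simple binds over port 389, shows up in the 2889 events before enforcement locks it out.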

Security guidance for the site server


Use the following guidance to help you secure the Configuration Manager site server.

Install Configuration Manager on a member server instead of a domain controller

The Configuration Manager site server and site systems don't require installation on a
domain controller. Domain controllers don't have a local Security Accounts Manager
(SAM) database other than the domain database. When you install Configuration
Manager on a member server, you can maintain Configuration Manager accounts in the
local SAM database rather than in the domain database.

This practice also lowers the attack surface on your domain controllers.

Install secondary sites without copying the files over the network

When you run setup and create a secondary site, don't select the option to copy the
files from the parent site to the secondary site. Also don't use a network source location.
When you copy files over the network, a skilled attacker could hijack the secondary site
installation package and tamper with the files before they're installed. Timing this attack
would be difficult. This attack can be mitigated by using IPsec or SMB signing when you
transfer the files.

Instead of copying the files over the network, on the secondary site server, copy the
source files from the media folder to a local folder. Then, when you run setup to create a
secondary site, on the Installation Source Files page, select Use the source files at the
following location on the secondary site computer (most secure), and specify this
folder.

For more information, see Install a secondary site.

Site role installation inherits permissions from drive root


Make sure to properly configure the system drive permissions before you install the first
site system role to any server. For example, C:\SMS_CCM inherits permissions from C:\ . If
the root of the drive isn't properly secured, then low rights users may be able to access
or modify content in the Configuration Manager folder.
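The following PowerShell is an added example and not code from the Configuration Manager documentation. It reports every ACE on the system drive root that gives a principal outside the administrative set the right to create, change or delete content, which is exactly what a folder such as C:\SMS_CCM inherits, and with -Fix it removes the default Authenticated Users entries from the root. The list of trusted principals and the choice to remediate at the root are assumptions; test the -Fix path on a non-production server first.

```powershell
# Added example (not from the Configuration Manager documentation): find write-capable
# ACEs on the system drive root that site role folders would inherit. Run elevated on the
# server before installing the first site system role. -Fix removes the default
# 'Authenticated Users' entries from the root only (children keep their own ACLs).
param([switch]$Fix)

$root = "$env:SystemDrive\"
$acl  = Get-Acl -Path $root

# Rights that allow creating or changing content. Write (0x116) covers CreateFiles,
# CreateDirectories, WriteExtendedAttributes and WriteAttributes; generic rights can appear
# on ACEs as raw bits, so GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) are included.
$writeBits = 0x116 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000
#            Write     Delete     ChangePerms TakeOwner   GENERIC_WRITE    GENERIC_ALL

# Principals expected to have write rights on the root (assumption: adjust for your baseline).
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', 'NT SERVICE\TrustedInstaller'

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($trusted -contains $ace.IdentityReference.Value) { continue }
    if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights
        AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
    }
}

if ($findings) {
    "Write-capable ACEs on $root for non-administrative principals:"
    $findings | Format-Table -AutoSize
} else {
    "No write-capable ACEs for non-administrative principals on $root"
}

if ($Fix -and $findings) {
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' } |
        ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
    Set-Acl -Path $root -AclObject $acl
    "Removed 'Authenticated Users' entries from $root; rerun without -Fix to verify."
}
```

On a default Windows Server installation the report flags the Authenticated Users entry that allows creating folders in the root and modifying everything beneath them; that entry is the one that turns into write access to the site role folders after installation.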

Security guidance for SQL Server


Configuration Manager uses SQL Server as the back-end database. If the database is
compromised, attackers could bypass Configuration Manager. If they access SQL Server
directly, they can launch attacks through Configuration Manager. Consider attacks
against SQL Server to be high risk and mitigate appropriately.

Use the following security guidance to help you secure SQL Server for Configuration
Manager.

Don't use the Configuration Manager site database server to run other SQL Server applications

When you increase the access to the Configuration Manager site database server, this
action increases the risk to your Configuration Manager data. If the Configuration
Manager site database is compromised, other applications on the same SQL Server
computer are then also put at risk.

Configure SQL Server to use Windows authentication


Although Configuration Manager accesses the site database by using a Windows
account and Windows authentication, it's still possible to configure SQL Server to use
SQL Server mixed mode. SQL Server mixed mode allows additional SQL Server sign-ins
to access the database. This configuration isn't required and increases the attack surface.

Update SQL Server Express at secondary sites

When you install a primary site, Configuration Manager downloads SQL Server Express
from the Microsoft Download Center. It then copies the files to the primary site server.
When you install a secondary site and select the option that installs SQL Server Express,
Configuration Manager installs the previously downloaded version. It doesn't check
whether new versions are available. To make sure that the secondary site has the latest
versions, do one of the following tasks:

After you install the secondary site, run Windows Update on the secondary site
server.

Before you install the secondary site, manually install SQL Server Express on the
secondary site server. Make sure that you install the latest version and any
software updates. Then install the secondary site, and select the option to use an
existing SQL Server instance.

Periodically run Windows Update for all installed versions of SQL Server. This practice
makes sure that they have the latest software updates.

Follow general guidance for SQL Server


Identify and follow the general guidance for your version of SQL Server. However, take
into consideration the following requirements for Configuration Manager:

The computer account of the site server must be a member of the Administrators
group on the computer that runs SQL Server. If you follow the SQL Server
recommendation of "provision administrator principals explicitly", the account that
you use to run setup on the site server must be a member of the SQL Server Users
group.

If the SQL Server service runs under a domain user account, make sure that account has a
Service Principal Name (SPN) registered in Active Directory Domain Services, in the form
MSSQLSvc/<SQL Server FQDN>:<port>. Without the SPN, Kerberos
authentication fails and Configuration Manager setup fails.
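The following PowerShell is an added example, not code from the Configuration Manager documentation, covering the SQL Server checks from the two sections above: whether the site database instance is in Windows-authentication-only mode (and which SQL logins mixed mode would expose), whether the site server computer account is in the local Administrators group on the SQL Server host, and which SPNs are registered for the SQL Server service account. It assumes the SqlServer PowerShell module and setspn.exe are available; the instance, host and account names are placeholders.

```powershell
# Added example (not from the Configuration Manager documentation): checks for the site
# database server. Requires the SqlServer module (Invoke-Sqlcmd and SMO), setspn.exe, and
# rights on the SQL Server host. Names are placeholders.
param([switch]$SetWindowsOnly)

$instance   = 'CMSQL01.contoso.com'   # site database instance (default instance assumed)
$sqlService = 'CONTOSO\svc-cmsql'     # domain account that runs the SQL Server service
$siteServer = 'CONTOSO\CM01$'         # site server computer account

Import-Module SqlServer

# 1 = Windows authentication only, 0 = mixed mode (SQL logins such as 'sa' are usable).
$mode = Invoke-Sqlcmd -ServerInstance $instance `
    -Query "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WindowsOnly"

if ($mode.WindowsOnly -eq 1) {
    "$instance accepts Windows authentication only."
} else {
    Write-Warning "$instance is in mixed mode."
    # Logins that only mixed mode can use; every enabled one is extra attack surface.
    Invoke-Sqlcmd -ServerInstance $instance `
        -Query "SELECT name, is_disabled FROM sys.sql_logins ORDER BY name" | Format-Table -AutoSize

    if ($SetWindowsOnly) {
        # Switch the login mode through SMO; it takes effect after the SQL Server service restarts.
        $server = New-Object Microsoft.SqlServer.Management.Smo.Server $instance
        $server.Settings.LoginMode = [Microsoft.SqlServer.Management.Smo.ServerLoginMode]::Integrated
        $server.Alter()
        'Login mode set to Integrated; restart the SQL Server service to apply it.'
    }
}

# Configuration Manager requires the site server computer account in local Administrators
# on the SQL Server host.
$sqlHost = $instance.Split('\')[0]
$isAdmin = Invoke-Command -ComputerName $sqlHost -ScriptBlock {
    (Get-LocalGroupMember -Group 'Administrators').Name -contains $using:siteServer
}
"Site server computer account in local Administrators on ${sqlHost}: $isAdmin"

# Kerberos to SQL Server needs MSSQLSvc/<fqdn>:<port> SPNs on the service account.
# If nothing MSSQLSvc-related is listed, authentication silently falls back to NTLM
# (or fails outright during Configuration Manager setup).
setspn -L $sqlService
```

If the instance was installed with SQL Server Express at a secondary site, point $instance at that instance as well; the same checks apply.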

Security guidance for site systems that run IIS


Several site system roles in Configuration Manager require IIS. The process of securing
IIS enables Configuration Manager to operate correctly and reduces the risk of security
attacks. When practical, minimize the number of servers that require IIS. For example,
run only the number of management points that you require to support your client
base, taking into consideration high availability and network isolation for internet-based
client management.

Use the following guidance to help you secure the site systems that run IIS.

Disable IIS functions that you don't require


Install only the minimum IIS features for the site system role that you install. For more
information, see Site and site system prerequisites.

Configure the site system roles to require HTTPS


When clients connect to a site system by using HTTP rather than by using HTTPS, they
use Windows authentication. This behavior might fall back to using NTLM
authentication rather than Kerberos authentication. When NTLM authentication is used,
clients might connect to a rogue server.

The exception to this guidance might be distribution points. Package access accounts
don't work when the distribution point is configured for HTTPS. Package access
accounts provide authorization to the content, so that you can restrict which users can
access the content. For more information, see Security guidance for content
management.

Important

Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Configure a certificate trust list (CTL) in IIS for site system roles

Site system roles:

A distribution point that you configure for HTTPS

A management point that you configure for HTTPS and enable to support mobile
devices

A CTL is a defined list of trusted root certification authorities (CAs). When you use a CTL
with group policy and a public key infrastructure (PKI) deployment, a CTL enables you to
supplement the existing trusted root CAs that are configured on your network. For
example, CAs that are automatically installed with Microsoft Windows or added through
Windows enterprise root CAs. When a CTL is configured in IIS, it defines a subset of
those trusted root CAs.

This subset provides you with more control over security. The CTL restricts the client
certificates that are accepted to only those certificates that are issued from the list of
CAs in the CTL. For example, Windows comes with a number of well-known, third-party
CA certificates.

By default, the computer that runs IIS trusts certificates that chain to these well-known
CAs. When you don't configure IIS with a CTL for the listed site system roles, the site
accepts as a valid client any device that has a certificate issued from these CAs. If you
configure IIS with a CTL that didn't include these CAs, the site refuses client connections,
if the certificate chains to these CAs. For Configuration Manager clients to be accepted
for the listed site system roles, you must configure IIS with a CTL that specifies the CAs
that are used by Configuration Manager clients.

Note

Only the listed site system roles require you to configure a CTL in IIS. The certificate
issuers list that Configuration Manager uses for management points provides the
same functionality for client computers when they connect to HTTPS management
points.

For more information about how to configure a list of trusted CAs in IIS, see the IIS
documentation.

Don't put the site server on a computer with IIS


Role separation helps to reduce the attack profile and improve recoverability. The
computer account of the site server typically has administrative privileges on all site
system roles. It may also have these privileges on Configuration Manager clients, if you
use client push installation.

Use dedicated IIS servers for Configuration Manager


Although you can host multiple web-based applications on the IIS servers that are also
used by Configuration Manager, this practice can significantly increase your attack
surface. A poorly configured application could allow an attacker to gain control of a
Configuration Manager site system. This breach could allow an attacker to gain control
of the hierarchy.

If you must run other web-based applications on Configuration Manager site systems,
create a custom web site for Configuration Manager site systems.

Use a custom website


For site systems that run IIS, configure Configuration Manager to use a custom website
instead of the default website. If you have to run other web applications on the site
system, you must use a custom website. This setting is a site-wide setting rather than a
setting for a specific site system.

When you use custom websites, remove the default virtual directories

When you change from using the default website to using a custom website,
Configuration Manager doesn't remove the old virtual directories. Remove the virtual
directories that Configuration Manager originally created under the default website.

For example, remove the following virtual directories for a distribution point:

SMS_DP_SMSPKG$

SMS_DP_SMSSIG$

NOCERT_SMS_DP_SMSPKG$

NOCERT_SMS_DP_SMSSIG$

Follow IIS Server security guidance


Identify and follow the general guidance for your version of IIS Server. Take into
consideration any requirements that Configuration Manager has for specific site system
roles. For more information, see Site and site system prerequisites.

Configure IIS custom headers


Configure the following custom headers to disable MIME sniffing:

x-content-type-options: nosniff

For more information, see Custom Headers.


If other services use the same IIS instance, make sure these custom headers are
compatible.
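The following PowerShell is an added example and not code from the Configuration Manager documentation. It applies two of the items above on a site system that runs IIS: removing the distribution point virtual directories that remain under the Default Web Site after a move to a custom website, and adding the X-Content-Type-Options: nosniff header to the custom site in an idempotent way. It assumes the WebAdministration module on the IIS server and a custom website named SMSWEB; that name is a placeholder.

```powershell
# Added example (not from the Configuration Manager documentation): clean up stale
# default-site virtual directories and add the anti-MIME-sniffing header on the custom
# website. Run elevated on the site system that runs IIS. 'SMSWEB' is an assumed name.
Import-Module WebAdministration

$defaultSite = 'Default Web Site'
$cmSite      = 'SMSWEB'
$staleVdirs  = 'SMS_DP_SMSPKG$', 'SMS_DP_SMSSIG$', 'NOCERT_SMS_DP_SMSPKG$', 'NOCERT_SMS_DP_SMSSIG$'

# 1. Remove the distribution point virtual directories left under the default website.
foreach ($name in $staleVdirs) {
    $vdir = Get-WebVirtualDirectory -Site $defaultSite -Name $name -ErrorAction SilentlyContinue
    if ($vdir) {
        # Only the IIS mapping is removed; the content under the physical path stays in place.
        Remove-WebVirtualDirectory -Site $defaultSite -Name $name
        "Removed $defaultSite/$name (was $($vdir.physicalPath))"
    }
}
# Anything still mapped under the default site deserves a look.
"Remaining virtual directories under ${defaultSite}:"
Get-WebVirtualDirectory -Site $defaultSite | Select-Object path, physicalPath | Format-Table -AutoSize

# 2. Add X-Content-Type-Options: nosniff to the custom site, once.
$filter = 'system.webServer/httpProtocol/customHeaders'
$psPath = "IIS:\Sites\$cmSite"
$headers = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name Collection
if (-not ($headers | Where-Object { $_.name -eq 'X-Content-Type-Options' })) {
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{ name = 'X-Content-Type-Options'; value = 'nosniff' }
}

# Verify the effective custom headers on the site.
Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name Collection |
    Select-Object name, value
```

If other applications share the IIS instance, the header is added at site scope here, so it affects only the Configuration Manager site; check the applications hosted in that site before applying it at server scope instead.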

Security guidance for the management point


Management points are the primary interface between devices and Configuration
Manager. Consider attacks against the management point and the server that it runs on
to be high risk, and mitigate appropriately. Apply all appropriate security guidance and
monitor for unusual activity.

Use the following guidance to help secure a management point in Configuration Manager.

Assign the client on a management point to the same site


Avoid the scenario where you assign the Configuration Manager client that's on a
management point to a site other than the management point's site.

If you migrate from an earlier version to Configuration Manager current branch, migrate
the client on the management point to the new site as soon as possible.

Security guidance for the fallback status point


If you install a fallback status point in Configuration Manager, use the following security
guidance:

For more information about the security considerations when you install a fallback
status point, see Determine whether you require a fallback status point.

Don't run any other roles on the same site system


The fallback status point is designed to accept unauthenticated communication from
any computer. If you run this site system role with other roles or a domain controller,
the risk to that server greatly increases.

Install the fallback status point before you install clients with PKI certificates

If Configuration Manager site systems don't accept HTTP client communication, you
might not know that clients are unmanaged because of PKI-related certificate issues. If
you assign clients to a fallback status point, they report these certificate issues through
the fallback status point.

For security reasons, you can't assign a fallback status point to clients after they're
installed. You can only assign this role during client installation.

Avoid using the fallback status point in the perimeter network

By design, the fallback status point accepts data from any client. Although a fallback
status point in the perimeter network could help you to troubleshoot internet-based
clients, balance the troubleshooting benefits with the risk of a site system that accepts
unauthenticated data in a publicly accessible network.

If you do install the fallback status point in the perimeter network or any untrusted
network, configure the site server to initiate data transfers. Don't use the default setting
that allows the fallback status point to initiate a connection to the site server.

Security issues for site administration


Review the following security issues for Configuration Manager:

Configuration Manager has no defense against an authorized administrative user
who uses Configuration Manager to attack the network. Unauthorized
administrative users are a high security risk. They could launch many attacks, which
include the following strategies:

    Use software deployment to automatically install and run malicious software on
    every Configuration Manager client computer in the organization.

    Remotely control a Configuration Manager client without client permission.

    Configure rapid polling intervals and extreme amounts of inventory. This action
    creates denial of service attacks against the clients and servers.

    Use one site in the hierarchy to write data to another site's Active Directory
    data.

The site hierarchy is the security boundary. Consider sites to be management
boundaries only.

Audit all administrative user activity and routinely review the audit logs. Require all
Configuration Manager administrative users to undergo a background check
before they're hired. Require periodic rechecks as a condition of employment.

If the enrollment point is compromised, an attacker could obtain certificates for
authentication. They could steal the credentials of users who enroll their mobile
devices.

The enrollment point communicates with a CA. It can create, modify, and delete
Active Directory objects. Never install the enrollment point in the perimeter
network. Always monitor for unusual activity.

If you allow user policies for internet-based client management, you increase your
attack profile.

In addition to using PKI certificates for client-to-server connections, these
configurations require Windows authentication. They might fall back to using
NTLM authentication rather than Kerberos. NTLM authentication is vulnerable to
impersonation and replay attacks. To successfully authenticate a user on the
internet, you need to allow a connection from the internet-based site system to a
domain controller.

The Admin$ share is required on site system servers.

The Configuration Manager site server uses the Admin$ share to connect to and
do service operations on site systems. Don't disable or remove this share.

Configuration Manager uses name resolution services to connect to other
computers. These services are hard to secure against the following security attacks:

    Spoofing
    Tampering
    Repudiation
    Information disclosure
    Denial of service
    Elevation of privilege

Identify and follow any security guidance for the version of DNS that you use for
name resolution.

Privacy information for discovery


Discovery creates records for network resources and stores them in the Configuration
Manager database. Discovery data records contain computer information such as IP
addresses, OS versions, and computer names. You can also configure Active Directory
discovery methods to return any information that your organization stores in Active
Directory Domain Services.

The only discovery method that Configuration Manager enables by default is Heartbeat
Discovery. This method only discovers computers that already have the Configuration
Manager client software installed.

Discovery information isn't directly sent to Microsoft. It's stored in the Configuration
Manager database. Configuration Manager retains information in the database until it
deletes the data. This process happens every 90 days by the site maintenance task
Delete Aged Discovery Data.

Network infrastructure considerations for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To prepare your network to support Configuration Manager, you may need to configure
some infrastructure components. For example, open firewall ports to pass the
communications used by Configuration Manager.

Ports and protocols


Different Configuration Manager features use different network ports. Some ports are
required, and some you can customize.

Most Configuration Manager communications use common ports like port 80 for HTTP
or 443 for HTTPS. Some site system roles support the use of custom websites and
custom ports. For more information, see Websites for site system servers.

Before you deploy Configuration Manager, identify the ports that you plan to use, and
set up firewalls as needed.

After you install Configuration Manager, if you need to change a port, don't forget to
update firewalls on devices and the network. Also change the configuration of the port
in Configuration Manager.

For more information, see the following articles:

How to configure client communication ports

Ports used in Configuration Manager

Internet access requirements


Some Configuration Manager features rely on internet connectivity for full functionality.
If your organization restricts network communication with the internet using a firewall or
proxy device, make sure to allow the necessary endpoints.

For more information, see Internet access requirements

Proxy servers
You can specify separate proxy servers for different site system servers and clients. You
make these configurations when you install a site system role or client, or change them
later as needed.

For more information, see Proxy server support.


Ports used in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article lists the network ports that Configuration Manager uses. Some connections
use ports that aren't configurable, and some support custom ports that you specify. If
you use any port filtering technology, verify that the required ports are available. These
port filtering technologies include firewalls, routers, proxy servers, or IPsec.

Note

If you support internet-based clients by using SSL bridging, in addition to port
requirements, you might also have to allow some HTTP verbs and headers to
traverse your firewall.

Ports you can configure


Configuration Manager enables you to configure the ports for the following types of
communication:

Enrollment proxy point to enrollment point

Client-to-site systems that run IIS

Client to internet (as proxy server settings)

Software update point to internet (as proxy server settings)

Software update point to WSUS server

Site server to site database server

Site server to WSUS database server

Reporting services points

Note

You configure the ports for the reporting services point in SQL Server
Reporting Services. Configuration Manager then uses these ports during
communications to the reporting services point. Be sure to review these ports
that define the IP filter information for IPsec policies or for configuring
firewalls.

By default, the HTTP port that's used for client-to-site system communication is port 80,
and 443 for HTTPS. You can change these ports during setup or in the site properties.
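As an added example (not code from the Configuration Manager documentation), the following PowerShell verifies from a client, or from any host on the client's network path, that the TCP ports listed in the tables that follow are reachable on each site system role. The host names and the choice of HTTPS and custom ports are placeholders; substitute the ports your site actually uses. It uses Test-NetConnection from the built-in NetTCPIP module.

```powershell
# Added example (not from the Configuration Manager documentation): check TCP reachability
# of site system ports from the current host. Targets and ports are placeholders; adjust
# them to the ports configured in your site (HTTP 80 / HTTPS 443 unless customised).
$checks = @(
    @{ Role = 'Management point';      Host = 'mp01.contoso.com';  Port = 443   }  # HTTPS (80 for HTTP)
    @{ Role = 'Management point';      Host = 'mp01.contoso.com';  Port = 10123 }  # client notification
    @{ Role = 'Distribution point';    Host = 'dp01.contoso.com';  Port = 443   }  # content download
    @{ Role = 'Distribution point';    Host = 'dp01.contoso.com';  Port = 8005  }  # express updates (delta content)
    @{ Role = 'Software update point'; Host = 'sup01.contoso.com'; Port = 8531  }  # WSUS HTTPS (8530 for HTTP)
    @{ Role = 'Fallback status point'; Host = 'fsp01.contoso.com'; Port = 80    }  # HTTP only
)

$results = foreach ($c in $checks) {
    $t = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Role     = $c.Role
        Target   = "$($c.Host):$($c.Port)"
        Resolved = $t.RemoteAddress
        TcpOpen  = $t.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# A False here means the port is filtered in transit or nothing is listening; compare
# against the site's configured ports before you touch firewall rules.
$blocked = $results | Where-Object { -not $_.TcpOpen }
if ($blocked) { Write-Warning "Unreachable: $(($blocked.Target) -join ', ')" }
```

This only exercises TCP. The UDP ports in the tables (Wake On LAN, wake-up proxy, multicast, PXE) need a listener-side check, such as a packet capture on the distribution point, rather than a connection test.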

Non-configurable ports
Configuration Manager doesn't allow you to configure ports for the following types of
communication:

Site to site

Site server to site system

Configuration Manager console to SMS Provider

Configuration Manager console to the internet

Connections to cloud services, such as Microsoft Azure

Ports used by clients and site systems


The following sections detail the ports that are used for communication in Configuration
Manager. The arrows in the section title show the direction of the communication:

--> Indicates that one computer starts communication and the other computer
always responds

<--> Indicates that either computer can start communication

Asset Intelligence synchronization point --> Microsoft

Description    UDP   TCP
HTTPS          --    443

Asset Intelligence synchronization point --> SQL Server

Description    UDP   TCP
SQL over TCP   --    1433 (Note 2: alternate port available)

Client --> Client

Wake-up proxy also uses ICMP echo request messages from one client to another client.
Clients use this communication to confirm whether the other client is awake on the
network. ICMP is sometimes referred to as ping commands. ICMP doesn't have a UDP or
TCP protocol number, and so it isn't listed in the table below. However, any host-based
firewalls on these client computers or intervening network devices within the subnet
must permit ICMP traffic for wake-up proxy communication to succeed.

Description                       UDP                                         TCP
Wake On LAN                       9 (Note 2: alternate port available)        --
Wake-up proxy                     25536 (Note 2: alternate port available)    --
Windows PE Peer cache broadcast   8004                                        --
Windows PE Peer cache download    --                                          8003

For more information, see Windows PE Peer Cache.

Client --> Configuration Manager Network Device Enrollment Service (NDES) policy module

Description   UDP   TCP
HTTP          --    80
HTTPS         --    443

Client --> Cloud distribution point

Description   UDP   TCP
HTTPS         --    443

For more information, see Ports and data flow.

Client --> Cloud management gateway (CMG)

Description   UDP   TCP
HTTPS         --    443

For more information, see CMG data flow.

Client --> Distribution point, both standard and pull

Description       UDP   TCP
HTTP              --    80 (Note 2: alternate port available)
HTTPS             --    443 (Note 2: alternate port available)
Express updates   --    8005 (Note 2: alternate port available)

Note

Use client settings to configure the alternate port for express updates. For more
information, see Port that clients use to receive requests for delta content.

Client --> Distribution point configured for multicast, both standard and pull

Description                  UDP           TCP
Server Message Block (SMB)   --            445
Multicast protocol           63000-64000   --

Client --> Distribution point configured for PXE, both standard and pull

Description                                 UDP           TCP
DHCP                                        67 and 68     --
TFTP                                        69 (Note 4)   --
Boot Information Negotiation Layer (BINL)   4011          --
DHCPv6 for PXE responder without WDS        547           --

Important

If you enable a host-based firewall, make sure that the rules allow the server to
send and receive on these ports. When you enable a distribution point for PXE,
Configuration Manager can enable the inbound (receive) rules on the Windows
Firewall. It doesn't configure the outbound (send) rules.
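The following PowerShell is an added example, not code from the Configuration Manager documentation, showing the outbound rules that the note above leaves to you on a PXE-enabled distribution point that uses Windows Deployment Services. The rules are scoped to the WDS service (WDSServer) rather than only to ports, because TFTP data is sent from an ephemeral source port and a rule pinned to UDP 69 would not match it. Using the Domain profile and the rule names are assumptions; a PXE responder without WDS runs under its own service, whose name is not given here.

```powershell
# Added example (not from the Configuration Manager documentation): outbound Windows
# Firewall rules for a PXE-enabled distribution point that uses Windows Deployment
# Services. Configuration Manager creates the inbound rules; these outbound rules only
# matter when the profile blocks outbound traffic by default. Run elevated on the DP.
$svc = 'WDSServer'   # WDS service. A PXE responder without WDS uses its own service (not assumed here).

# DHCP, BINL and DHCPv6 replies leave from the fixed ports listed in the table above.
$offers = 'ConfigMgr PXE offers (WDS, outbound)'
if (-not (Get-NetFirewallRule -DisplayName $offers -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $offers -Direction Outbound -Action Allow `
        -Service $svc -Protocol UDP -LocalPort 67, 68, 4011, 547 -Profile Domain | Out-Null
}

# TFTP: the request arrives on UDP 69, but the boot file is sent from an ephemeral source
# port to whatever port the client chose, so the rule is scoped to the service, not a port.
$tftp = 'ConfigMgr PXE TFTP data (WDS, outbound)'
if (-not (Get-NetFirewallRule -DisplayName $tftp -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $tftp -Direction Outbound -Action Allow `
        -Service $svc -Protocol UDP -Profile Domain | Out-Null
}

# Show the port filters now attached to these rules.
Get-NetFirewallRule -DisplayName 'ConfigMgr PXE*' |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort, RemotePort
```

The service-scoped TFTP rule also covers the DHCP and BINL replies, so the first rule is there to document the fixed ports; keep both or collapse them to one, but don't replace the service scope with a port-only rule on UDP 69.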

Client --> Fallback status point

Description   UDP   TCP
HTTP          --    80 (Note 2: alternate port available)

Client --> Global catalog domain controller

A Configuration Manager client doesn't contact a global catalog server when it's a
workgroup computer or when it's configured for internet-only communication.

Description           UDP   TCP
Global catalog LDAP   --    3268

Client --> Management point

Description                                                                         UDP   TCP
Client notification (default communication before falling back to HTTP or HTTPS)   --    10123 (Note 2: alternate port available)
HTTP                                                                                --    80 (Note 2: alternate port available)
HTTPS                                                                               --    443 (Note 2: alternate port available)

Client --> Software update point

Description   UDP   TCP
HTTP          --    80 or 8530 (Note 3)
HTTPS         --    443 or 8531 (Note 3)

Client --> State migration point

Description                  UDP   TCP
HTTP                         --    80 (Note 2: alternate port available)
HTTPS                        --    443 (Note 2: alternate port available)
Server Message Block (SMB)   --    445

CMG connection point --> CMG virtual machine scale set

Configuration Manager uses these connections to build the CMG channel. For more
information, see CMG data flow.

Description               UDP   TCP
HTTPS (one VM)            --    443
HTTPS (two or more VMs)   --    10124-10139

CMG connection point --> CMG classic cloud service

Configuration Manager uses these connections to build the CMG channel. For more
information, see CMG data flow.

Description                             UDP   TCP
TCP-TLS (preferred)                     --    10140-10155
HTTPS (fallback with one VM)            --    443
HTTPS (fallback with two or more VMs)   --    10124-10139

CMG connection point --> Management point

Description   UDP   TCP
HTTPS         --    443
HTTP          --    80

The specific port required depends upon the management point configuration. For
more information, see CMG data flow.

CMG connection point --> Software update point

The specific port depends upon the software update point configuration.

Description   UDP   TCP
HTTPS         --    443/8531
HTTP          --    80/8530

For more information, see CMG data flow.

Configuration Manager console --> Client

Description                       UDP   TCP
Remote Control (control)          --    2701
Remote Assistance (RDP and RTC)   --    3389

Configuration Manager console --> internet

Description   UDP   TCP
HTTP          --    80
HTTPS         --    443

The Configuration Manager console uses internet access for the following actions:

Downloading software updates from Microsoft Update for deployment packages.

The Feedback item in the ribbon.

Links to documentation within the console.

Downloading items from Community hub.

Configuration Manager console --> Reporting services point

Description   UDP   TCP
HTTP          --    80 (Note 2: alternate port available)
HTTPS         --    443 (Note 2: alternate port available)

Configuration Manager console --> Site server

Description                                                 UDP   TCP
RPC (initial connection to WMI to locate provider system)   --    135

Configuration Manager console --> SMS Provider

Description           UDP   TCP
RPC Endpoint Mapper   135   135
RPC                   --    DYNAMIC (Note 6)
HTTPS                 --    443 (see the note below)

Note for administration service

Any device that makes a call to the administration service on the SMS Provider uses
HTTPS port 443. For more information, see What is the administration service?

Configuration Manager Network Device Enrollment


Service (NDES) policy module --> Certificate registration
point

Description UDP TCP

HTTPS -- 443 Note 2 Alternate port available

Data warehouse service point --> SQL Server

Description UDP TCP

SQL over TCP -- 1433 Note 2 Alternate port available

Distribution point, both standard and pull -->


Management point
A distribution point communicates to the management point in the following scenarios:

To report the status of prestaged content


To report usage summary data

To report content validation

To report the status of package downloads, only for pull-distribution points

Description UDP TCP

HTTP -- 80 Note 2 Alternate port available

HTTPS -- 443 Note 2 Alternate port available

Endpoint Protection point --> internet

Description UDP TCP

HTTP -- 80

Endpoint Protection point --> SQL Server

Description UDP TCP

SQL over TCP -- 1433 Note 2 Alternate port available

Enrollment proxy point --> Enrollment point

Description UDP TCP

HTTPS -- 443 Note 2 Alternate port available

Enrollment point --> SQL Server

Description UDP TCP

SQL over TCP -- 1433 Note 2 Alternate port available

Exchange Server Connector --> Exchange Online

Description UDP TCP

Windows Remote Management over HTTPS -- 5986


Exchange Server Connector --> On-premises Exchange Server

Description UDP TCP

Windows Remote Management over HTTP -- 5985

Mac computer --> Enrollment proxy point

Description UDP TCP

HTTPS -- 443

Management point --> Domain controller

Description UDP TCP

Lightweight Directory Access Protocol (LDAP) 389 389

Secure LDAP (LDAPS, for signing and binding) 636 636

Global catalog LDAP -- 3268

RPC Endpoint Mapper -- 135

RPC -- DYNAMIC Note 6

Management point <--> Site server (Note 5)

Description UDP TCP

RPC Endpoint mapper -- 135

RPC -- DYNAMIC Note 6

Server Message Block (SMB) -- 445

Management point --> SQL Server

Description UDP TCP


SQL over TCP -- 1433 Note 2 Alternate port available

Mobile device --> Enrollment proxy point

Description UDP TCP

HTTPS -- 443

Pull-distribution point --> Distribution point configured as source

Description UDP TCP

HTTP -- 80 Note 2 Alternate port available

HTTPS -- 443 Note 2 Alternate port available

Express updates -- 8005 Note 2 Alternate port available

Reporting Services point --> SQL Server

Description UDP TCP

SQL over TCP -- 1433 Note 2 Alternate port available

Service connection point --> Azure (CMG)

Description UDP TCP

HTTPS for CMG service deployment -- 443

For more information, see CMG data flow.

Service connection point --> Azure Logic App

Description UDP TCP

HTTPS for external notification -- 443

For more information, see External notifications.


Site server <--> Asset Intelligence synchronization point

Description UDP TCP

Server Message Block (SMB) -- 445

RPC Endpoint Mapper 135 135

RPC -- DYNAMIC Note 6

Site server --> Client

Description UDP TCP

Wake On LAN 9 Note 2 Alternate port available --

Site server --> Cloud distribution point

Description UDP TCP

HTTPS -- 443

For more information, see Ports and data flow.

Site server --> Distribution point, both standard and pull (Note 5)

Description UDP TCP

Server Message Block (SMB) -- 445

RPC Endpoint Mapper 135 135

RPC -- DYNAMIC Note 6

Site server --> Domain controller

Description UDP TCP

Lightweight Directory Access Protocol (LDAP) 389 389

Secure LDAP (LDAPS, for signing and binding) 636 636


Global catalog LDAP -- 3268

RPC Endpoint Mapper -- 135

RPC -- DYNAMIC Note 6

Site server <--> Certificate registration point

Description UDP TCP

Server Message Block (SMB) -- 445

RPC Endpoint Mapper 135 135

RPC -- DYNAMIC Note 6

Site server <--> CMG connection point

Description UDP TCP

Server Message Block (SMB) -- 445

RPC Endpoint Mapper 135 135

RPC -- DYNAMIC Note 6

Site server <--> Endpoint Protection point

Description UDP TCP

Server Message Block (SMB) -- 445

RPC Endpoint Mapper 135 135

RPC -- DYNAMIC Note 6

Site server <--> Enrollment point

Description UDP TCP

Server Message Block (SMB) -- 445

RPC Endpoint Mapper 135 135


RPC -- DYNAMIC Note 6

Site server <--> Enrollment proxy point

Description UDP TCP

Server Message Block (SMB) -- 445

RPC Endpoint Mapper 135 135

RPC -- DYNAMIC Note 6

Site server <--> Fallback status point (Note 5)

Description UDP TCP

Server Message Block (SMB) -- 445

RPC Endpoint Mapper 135 135

RPC -- DYNAMIC Note 6

Site server --> internet

Description UDP TCP

HTTP -- 80 Note 1

HTTPS -- 443

Site server <--> Issuing certification authority (CA)

This communication is used when you deploy certificate profiles by using the certificate
registration point. The communication isn't used for every site server in the hierarchy.
Instead, it's used only for the site server at the top of the hierarchy.

Description UDP TCP

RPC Endpoint Mapper 135 135


RPC (DCOM) -- DYNAMIC Note 6

Site server --> Server hosting remote content library share

You can move the content library to another storage location to free up hard drive space
on your central administration or primary site servers. For more information, see
Configure a remote content library for the site server.

Description UDP TCP

Server Message Block (SMB) -- 445

Site server <--> Service connection point

Description UDP TCP

Server Message Block (SMB) -- 445

RPC Endpoint Mapper 135 135

RPC -- DYNAMIC Note 6

Site server <--> Reporting services point (Note 5)

Description UDP TCP

Server Message Block (SMB) -- 445

RPC Endpoint Mapper 135 135

RPC -- DYNAMIC Note 6

Site server <--> Site server

Description UDP TCP

Server Message Block (SMB) -- 445


Site server --> SQL Server

Description UDP TCP

SQL over TCP -- 1433 Note 2 Alternate port available

During the installation of a site that uses a remote SQL Server to host the site database,
open the following ports between the site server and the SQL Server:

Description UDP TCP

Server Message Block (SMB) -- 445

RPC Endpoint Mapper 135 135

RPC -- DYNAMIC Note 6

Site server --> SQL Server for WSUS

Description UDP TCP

SQL over TCP -- 1433 Note 3 Alternate port available

Site server --> SMS Provider

Description UDP TCP

Server Message Block (SMB) -- 445

RPC Endpoint Mapper 135 135

RPC -- DYNAMIC Note 6

Site server <--> Software update point (Note 5)

Description UDP TCP

Server Message Block (SMB) -- 445

RPC Endpoint Mapper 135 135

RPC -- DYNAMIC Note 6


HTTP -- 80 or 8530 Note 3

HTTPS -- 443 or 8531 Note 3

Site server <--> State migration point (Note 5)

Description UDP TCP

Server Message Block (SMB) -- 445

RPC Endpoint Mapper 135 135

SMS Provider --> SQL Server

Description UDP TCP

SQL over TCP -- 1433 Note 2 Alternate port available

Software update point --> internet

Description UDP TCP

HTTP -- 80 Note 1

Software update point --> Upstream WSUS server

Description UDP TCP

HTTP -- 80 or 8530 Note 3

HTTPS -- 443 or 8531 Note 3

SQL Server --> SQL Server


Intersite database replication requires the SQL Server at one site to communicate
directly with the SQL Server at its parent or child site.

Description UDP TCP


SQL Server service -- 1433 Note 2 Alternate port available

SQL Server Service Broker -- 4022 Note 2 Alternate port available

 Tip

Configuration Manager doesn't require the SQL Server Browser, which uses port
UDP 1434.

State migration point --> SQL Server

Description UDP TCP

SQL over TCP -- 1433 Note 2 Alternate port available

Notes for ports used by clients and site systems

Note 1: Proxy server port


This port can't be configured but can be routed through a configured proxy server.

Note 2: Alternate port available


You can define an alternate port in Configuration Manager for this value. If you define a
custom port, use that custom port in the IP filter information for IPsec policies or to
configure firewalls.

Note 3: Windows Server Update Services (WSUS)


Since Windows Server 2012, by default WSUS uses port 8530 for HTTP and port 8531 for
HTTPS.

After installation, you can change the port. You don't have to use the same port number
throughout the site hierarchy.

If the HTTP port is 80, the HTTPS port must be 443.

If the HTTP port is anything else, the HTTPS port must be one higher than the HTTP port, for example, 8530 and 8531.

Note

When you configure the software update point to use HTTPS, the HTTP port
must also be open. Unencrypted data, such as the EULA for specific updates,
uses the HTTP port.

The site server makes a connection to the SQL Server hosting the SUSDB when you
enable the following options for WSUS cleanup:
Add non-clustered indexes to the WSUS database to improve WSUS cleanup
performance
Remove obsolete updates from the WSUS database

If you change the default SQL Server port to an alternate port with SQL Server
Configuration Manager, make sure the site server can connect using the defined port.
Configuration Manager doesn't support dynamic ports. By default, SQL Server named
instances use dynamic ports for connections to the database engine. When you use a
named instance, manually configure the static port.

Note 4: Trivial FTP (TFTP) Daemon

The Trivial FTP (TFTP) Daemon system service doesn't require a user name or password
and is an integral part of Windows Deployment Services (WDS). The Trivial FTP Daemon
service implements support for the TFTP protocol that's defined by the following RFCs:

RFC 1350: TFTP

RFC 2347: Option extension

RFC 2348: Block size option

RFC 2349: Time-out interval and transfer size options

TFTP is designed to support diskless boot environments. TFTP Daemons listen on UDP
port 69 but respond from a dynamically allocated high port. If you enable this port, the
TFTP service can receive incoming TFTP requests, but the selected server can't respond
to those requests. You can't enable the selected server to respond to inbound TFTP
requests unless you configure the TFTP server to respond from port 69.

The PXE-enabled distribution point and the client in Windows PE select dynamically
allocated high ports for TFTP transfers. These ports are defined by Microsoft between
49152 and 65535. For more information, see Service overview and network port
requirements for Windows.
However, during the actual PXE boot, the network card on the device selects the
dynamically allocated high port it uses during the TFTP transfer. The network card on
the device isn't bound to the dynamically allocated high ports defined by Microsoft. It's
only bound to the ports defined in RFC 1350. This port can be any from 0 to 65535. For
more information about what dynamically allocated high ports the network card uses,
contact the device hardware manufacturer.

Note 5: Communication between the site server and site systems


By default, communication between the site server and site systems is bi-directional. The
site server starts communication to configure the site system, and then most site
systems connect back to the site server to send status information. Reporting service
points and distribution points don't send status information. If you select Require the
site server to initiate connections to this site system on the site system properties after
the site system has been installed, the site system won't start communication with the
site server. Instead, the site server starts the communication. It uses the site system
installation account for authentication to the site system server.

Note 6: Dynamic ports


Dynamic ports use a range of port numbers that's defined by the OS version. These
ports are also known as ephemeral ports. For more information about the default port
ranges, see Service overview and network port requirements for Windows.

Other ports
The following sections provide more information about ports that Configuration
Manager uses.

Client to server shares


Clients use Server Message Block (SMB) whenever they connect to UNC shares. For
example:

Manual client installation that specifies the CCMSetup.exe /source: command-line property

Endpoint Protection clients that download definition files from a UNC path

Description UDP TCP


Server Message Block (SMB) -- 445

Connections to SQL Server


For communication to the SQL Server database engine and for intersite replication, you
can use the default SQL Server port or specify custom ports:

Intersite communications use:

SQL Server Service Broker, which defaults to port TCP 4022.

SQL Server service, which defaults to port TCP 1433.

Intrasite communication between the SQL Server database engine and various
Configuration Manager site system roles defaults to port TCP 1433.

Configuration Manager uses the same ports and protocols to communicate with
each SQL Server Always On availability group replica that hosts the site database
as if the replica was a standalone SQL Server instance.

When you use Azure and the site database is behind an internal or external load
balancer, configure the following components:

Firewall exceptions on each replica


Load-balancing rules

Configure the following ports:

SQL over TCP: TCP 1433


SQL Server Service Broker: TCP 4022
Server Message Block (SMB): TCP 445
RPC Endpoint Mapper: TCP 135

Warning

Configuration Manager doesn't support dynamic ports. By default, SQL Server named instances use dynamic ports for connections to the database engine. When you use a named instance, manually configure the static port for intrasite communication.

The following site system roles communicate directly with the SQL Server database:
Certificate registration point role

Enrollment point role

Management point

Site server

Reporting Services point

SMS Provider

SQL Server --> SQL Server

When a SQL Server hosts a database from more than one site, each database must use a
separate instance of SQL Server. Configure each instance with a unique set of ports.

If you enable a host-based firewall on the SQL Server, configure it to allow the correct
ports. Also configure network firewalls in between computers that communicate with
the SQL Server.

For an example of how to configure SQL Server to use a specific port, see Configure a
server to listen on a specific TCP port.
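As an added example (not part of the Configuration Manager documentation), the following PowerShell checks the two things this section requires: that every SQL Server instance on the database host listens on a static TCP port (an empty TcpDynamicPorts value and a populated TcpPort under the IPAll key), and that the site server can open TCP 1433 and 4022 to it. The server name is an assumption; the registry paths are the standard SQL Server ones.

```powershell
# Added example, not from the Configuration Manager documentation.
$SqlServer = 'sql01.contoso.local'   # assumed FQDN of the site database server
$Ports     = 1433, 4022               # SQL Server service and Service Broker defaults

function Get-SqlInstanceTcpConfig {
    # Enumerate installed instances, then read the IPAll TCP settings of each one.
    # Run this on the SQL Server host.
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $instances = Get-ItemProperty -Path $key -ErrorAction Stop
    foreach ($prop in ($instances.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $instanceId = $prop.Value        # e.g. MSSQL15.MSSQLSERVER
        $ipAll = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
        $cfg = Get-ItemProperty -Path $ipAll -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Instance        = $prop.Name
            TcpPort         = $cfg.TcpPort
            TcpDynamicPorts = $cfg.TcpDynamicPorts
            # A non-empty TcpDynamicPorts value means the engine picks an ephemeral port at each start,
            # which Configuration Manager does not support.
            IsStatic        = [string]::IsNullOrEmpty($cfg.TcpDynamicPorts) -and -not [string]::IsNullOrEmpty($cfg.TcpPort)
        }
    }
}

function Test-SqlPort {
    # Run this on the site server: a TCP connect to each port the site uses towards SQL Server.
    param([Parameter(Mandatory)][string]$ComputerName, [int[]]$Port)
    foreach ($p in $Port) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Server = $ComputerName; Port = $p; Open = $r.TcpTestSucceeded }
    }
}

Get-SqlInstanceTcpConfig | Format-Table -AutoSize                            # on the SQL Server host
Test-SqlPort -ComputerName $SqlServer -Port $Ports | Format-Table -AutoSize   # on the site server
```

If an instance shows IsStatic as False, set TcpPort and clear TcpDynamicPorts in SQL Server Configuration Manager and restart the instance; a host-based firewall rule on the SQL Server then only has to allow the fixed port, not the whole ephemeral range.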

Discovery and publishing


Configuration Manager uses the following ports for the discovery and publishing of site
information:

Lightweight Directory Access Protocol (LDAP): 389


Secure LDAP (LDAPS, for signing and binding): 636
Global catalog LDAP: 3268
RPC Endpoint Mapper: 135
RPC: Dynamically allocated high TCP ports
TCP 1024 to 5000
TCP 49152 to 65535

External connections made by Configuration Manager


On-premises Configuration Manager clients or site systems can make the following
external connections:

Asset Intelligence synchronization point --> Microsoft

Endpoint Protection point --> internet


Client --> Global catalog domain controller

Configuration Manager console --> internet

Management point --> Domain controller

Site server --> Domain controller

Site server <--> Issuing Certification Authority (CA)

Software update point --> internet

Software update point --> Upstream WSUS Server

Service connection point --> Azure

Service connection point --> Azure Logic App

CMG connection point --> CMG cloud service

Installation requirements for site systems that support internet-based clients

Note

This section only applies to internet-based client management (IBCM). It doesn't apply to the cloud management gateway. For more information, see Manage clients on the internet.

Internet-based management points, distribution points that support internet-based clients, the software update point, and the fallback status point use the following ports for installation and repair:

Site server --> Site system: RPC endpoint mapper using UDP and TCP port 135

Site server --> Site system: RPC dynamic TCP ports

Site server <--> Site system: Server message blocks (SMB) using TCP port 445

Application and package installations on distribution points require the following RPC
ports:

Site server --> Distribution point: RPC endpoint mapper using UDP and TCP port
135
Site server --> Distribution point: RPC dynamic TCP ports

Use IPsec to help secure the traffic between the site server and site systems. If you must
restrict the dynamic ports that are used with RPC, you can use the Microsoft RPC
configuration tool (rpccfg.exe). Use the tool to configure a limited range of ports for
these RPC packets. For more information, see How to configure RPC to use certain ports
and how to help secure those ports by using IPsec .

Important

Before you install these site systems, make sure that the remote registry service is
running on the site system server and that you have specified a site system
installation account if the site system is in a different Active Directory forest without
a trust relationship. For example, the remote registry service is used on servers
running site systems such as distribution points (both pull and standard) and
remote SQL Servers.
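As an added example (not part of the Configuration Manager documentation), the following PowerShell creates host firewall rules on a remote site system so that the RPC endpoint mapper, dynamic RPC, and SMB ports listed above are reachable only from the site server. The site server address and the rule group name are assumptions for the example.

```powershell
# Added example, not from the Configuration Manager documentation. Run elevated on the site system.
$SiteServer = '10.10.0.5'                        # assumed IP (or FQDN) of the site server
$Group      = 'ConfigMgr site server inbound'    # rule group name chosen for this example

function New-SiteSystemInboundRules {
    param([Parameter(Mandatory)][string]$RemoteAddress, [string]$RuleGroup)

    # RPC endpoint mapper is listed as UDP and TCP 135 in the table above.
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "ConfigMgr RPC Endpoint Mapper ($proto)" -Group $RuleGroup `
            -Direction Inbound -Protocol $proto -LocalPort 135 -RemoteAddress $RemoteAddress -Action Allow | Out-Null
    }
    # The RPC keyword makes the firewall follow the endpoint mapper and open only the ephemeral
    # port that was actually handed out, instead of the whole 49152-65535 range.
    New-NetFirewallRule -DisplayName 'ConfigMgr RPC dynamic' -Group $RuleGroup `
        -Direction Inbound -Protocol TCP -LocalPort RPC -RemoteAddress $RemoteAddress -Action Allow | Out-Null
    # SMB for the site server's installation and content operations.
    New-NetFirewallRule -DisplayName 'ConfigMgr SMB' -Group $RuleGroup `
        -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress $RemoteAddress -Action Allow | Out-Null

    # Return the address scope of every rule in the group so the restriction can be verified.
    Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $addr.RemoteAddress }
    }
}

New-SiteSystemInboundRules -RemoteAddress $SiteServer -RuleGroup $Group | Format-Table -AutoSize
```

Every row returned should show the site server as the only RemoteAddress. Narrowing the ephemeral range itself is a separate step (rpccfg.exe as described above, or `netsh int ipv4 set dynamicport tcp start=49152 num=16384`), and the article's recommendation to wrap this traffic in IPsec still applies; the rules only limit who can reach the ports.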

Ports used by Configuration Manager client installation


The ports that Configuration Manager uses during client installation depend on the deployment method:

For a list of ports for each client deployment method, see Ports used during
Configuration Manager client deployment

For more information about how to configure Windows Firewall on the client for
client installation and post-installation communication, see Windows Firewall and
port settings for clients

Ports used by migration


The site server that runs migration uses several ports to connect to applicable sites in
the source hierarchy. For more information, see Required configurations for migration.

Ports used by Windows Server


The following table lists some of the key ports used by Windows Server.

Description UDP TCP

DNS 53 53

DHCP 67 and 68 --

NetBIOS Name Resolution 137 --

NetBIOS Datagram Service 138 --

NetBIOS Session Service -- 139

Kerberos authentication -- 88

For more information, see the following articles:

Service overview and network port requirements for Windows

How to configure a firewall for domains and trusts

Diagram
The following diagram shows the connections between the main components that are in
a typical Configuration Manager site. It currently doesn't include all connections.

Next steps

Proxy server support

Internet access requirements

Proxy server support in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Some Configuration Manager components require connections to the internet. If your environment requires internet traffic to use a proxy server, configure these systems to use the proxy.

A computer that hosts a site system server supports a single proxy server
configuration. All site system roles on that computer share this same proxy
configuration. If you need separate proxy servers for different roles or instances of
a role, place those roles on separate site system servers.

When you configure new proxy server settings for a site system server that already
has a proxy server configuration, the original configuration is overwritten.

By default, connections to the proxy use the System account of the computer that
hosts the site system role.

If the computer account can't authenticate, the site system server can store user
credentials to connect to the proxy server. These credentials are the site system
proxy server account.

If you install the Configuration Manager console on administrative workstations, some connections will use the proxy configuration.

Site system roles that use a proxy


The following site system roles connect to the internet, and if necessary, can use a proxy
server:

Asset Intelligence synchronization point

Important

Starting in November 2021, this feature of Configuration Manager is deprecated. For more information, see Asset intelligence deprecation.

This site system role connects to Microsoft and uses a proxy server configuration on the
computer that hosts the Asset Intelligence synchronization point.

Cloud distribution point

Note

The cloud-based distribution point (CDP) is deprecated. Starting in version 2107, you can't create new CDP instances. To provide content to internet-based devices, enable a cloud management gateway (CMG) to distribute content. For more information, see Deprecated features.

The cloud distribution point role runs in Microsoft Azure. You don't configure this site
system role to use a proxy. Set the proxy configuration on the primary site server that
manages the cloud distribution point.

For this configuration, the primary site server:

Must be able to connect to Microsoft Azure to set up, monitor, and distribute
content to the cloud distribution point.

By default, uses the computer's System account to make the connection. It can
also use the site system proxy server account, if necessary.

Uses Windows web browser APIs.

Cloud management gateway connection point


The cloud management gateway (CMG) connection point is an on-premises role that
communicates with the CMG service in Azure. For more information, see Overview of
CMG.

Distribution point
If you enable a Configuration Manager distribution point for Microsoft Connected
Cache, it can communicate through an unauthenticated proxy server for internet access.
For more information, see Microsoft Connected Cache.

Exchange Server connector


This site system role connects to an Exchange Server. It uses a proxy server
configuration on the computer that hosts the Exchange Server connector.

Service connection point


This site system role connects to the Configuration Manager cloud service to download
version updates for Configuration Manager. It uses a proxy server that's configured on
the computer that hosts the service connection point.

Software update point


This site system role uses the proxy when it connects to Microsoft Update to download
patches and synchronize information about updates. Like every other site system role,
first configure the site system proxy settings. Then configure the following options
specific to the software update point:

Use a proxy server when synchronizing software updates

Use a proxy server when downloading content by using automatic deployment rules

Note

While available for use, this setting isn't used by software update points at
secondary sites.

These settings are on the Proxy and Account Settings tab of the software update point
properties.

Note

By default, when the automatic deployment rules run, the System account on the
site server of the site on which an automatic deployment rule was created is used
to connect to the internet and download software updates. Alternatively, configure
and use the site system proxy server account.

When this account can't access the internet, software updates fail to download. The following entry is logged to ruleengine.log: Failed to download the update from internet. Error = 12007.

Other features that use the proxy
The following features use the proxy of the site system that hosts the service connection
point role:

Azure Active Directory (Azure AD) user discovery


Azure AD user group discovery
Synchronizing collection membership results to Azure Active Directory groups

Configure the proxy for a site system server


1. In the Configuration Manager console, go to the Administration workspace.
Expand Site Configuration, and then select the Servers and Site System Roles
node.

2. Select the site system server that you want to edit. In the details pane, right-click
the Site system role, and select Properties.

3. In Site system Properties, switch to the Proxy tab. Configure the following proxy
settings:

Use a proxy server when synchronizing information from the internet: Select this option to enable the site system server to use a proxy server.

Proxy server name: Specify the hostname or FQDN of the proxy server in
your environment.

Port: Specify the network port on which to communicate with the proxy
server. By default, it uses port 80.

Use credentials to connect to the proxy server: Many proxy servers require a
user to authenticate. By default, the site system server uses its computer
account to connect to the proxy server. If necessary, enable this option, click
Set, and then choose an Existing Account or specify a New Account. These
credentials are the site system proxy server account. For more information,
see Accounts used in Configuration Manager.

4. Choose OK to save the new proxy server configuration.

Configuration Manager console


If you install the Configuration Manager console on an administrative workstation, some
connections will use the proxy configuration. The console may fail to connect to the site
because of a proxy configuration. To help troubleshoot, you can modify the console
configuration file, Microsoft.ConfigurationManagement.exe.config . By default, this file is
located in C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin . Open
it in Windows Notepad or another XML editor.

Change this original setting:

XML

<system.net>
  <defaultProxy useDefaultCredentials="true" />
</system.net>

Add a proxy element with usesystemdefault="False" as a child of the defaultProxy element, so that defaultProxy is no longer self-closing. For example:

XML

<system.net>
  <defaultProxy useDefaultCredentials="true">
    <proxy usesystemdefault="False" />
  </defaultProxy>
</system.net>
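As an added example (not part of the Configuration Manager documentation), the following PowerShell makes the same edit as a script instead of by hand: it backs up the file, loads it as XML, and adds the proxy element only if it isn't already there, so running it twice is safe. The path is the documented default; run it elevated because the file is under Program Files.

```powershell
# Added example, not from the Configuration Manager documentation.
$ConfigPath = 'C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe.config'

function Set-ConsoleProxyBypass {
    param([Parameter(Mandatory)][string]$Path)

    Copy-Item -Path $Path -Destination "${Path}.bak" -Force
    [xml]$config = Get-Content -Path $Path -Raw

    # <configuration><system.net><defaultProxy>: create any level that is absent.
    $systemNet = $config.configuration.SelectSingleNode('system.net')
    if (-not $systemNet) {
        $systemNet = $config.configuration.AppendChild($config.CreateElement('system.net'))
    }
    $defaultProxy = $systemNet.SelectSingleNode('defaultProxy')
    if (-not $defaultProxy) {
        $defaultProxy = $systemNet.AppendChild($config.CreateElement('defaultProxy'))
        $defaultProxy.SetAttribute('useDefaultCredentials', 'true')
    }
    # Idempotent: reuse an existing <proxy> element rather than adding a second one.
    $proxy = $defaultProxy.SelectSingleNode('proxy')
    if (-not $proxy) {
        $proxy = $defaultProxy.AppendChild($config.CreateElement('proxy'))
    }
    $proxy.SetAttribute('usesystemdefault', 'False')

    $config.Save($Path)
    return $defaultProxy.OuterXml
}

Set-ConsoleProxyBypass -Path $ConfigPath
```

The function returns the resulting defaultProxy element so you can confirm it matches the XML shown above before restarting the console. Keep the .bak copy until the console connects, since a malformed exe.config stops the console from starting at all.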

Next steps
If your organization restricts network communication with the internet using a firewall or
proxy device, you need to allow access to internet endpoints. For more information, see
internet access requirements.
Internet access requirements
Article • 01/13/2023

Some Configuration Manager features rely on internet connectivity for full functionality.
If your organization restricts network communication with the internet using a firewall or
proxy device, make sure to allow these endpoints.

Configuration Manager uses the following Microsoft URL forwarding services throughout the product:

https://aka.ms
https://go.microsoft.com

Even if they're not explicitly listed in the sections below, you should always allow these
endpoints.

Service connection point


For more information, see About the service connection point.

These configurations apply to the server that hosts the service connection point and any
firewalls between that server and the internet. Allow communication through outgoing
HTTPS port TCP 443 to the internet locations.

The service connection point supports using a web proxy with or without authentication
to use these locations. For more information, see Proxy server support.

If the Configuration Manager site fails to connect to required endpoints for a cloud
service, it raises a critical status message ID 11488. When it can't connect to the service,
the SMS_SERVICE_CONNECTOR component status changes to critical. View detailed
status in the Component Status node of the Configuration Manager console.

Starting in version 2010, the service connection point validates important internet
endpoints for Desktop Analytics and tenant attach. These checks help make sure that
the cloud-connected services are available. It also helps you troubleshoot issues by
quickly determining if network connectivity is a problem. For more information, see
Validate internet access.

The specific URLs required by the service connection point vary by Configuration
Manager feature:

Updates and servicing


Windows servicing
Azure services
Microsoft Store for Business
Cloud services
Configuration Manager console
Desktop Analytics
Tenant attach
External notifications

 Tip

The service connection point uses the Microsoft Intune service when it connects to go.microsoft.com or manage.microsoft.com. There's a known issue in which the Intune connector experiences connectivity issues if the Baltimore CyberTrust Root certificate isn't installed, is expired, or is corrupted on the service connection point. For more information, see Service connection point doesn't download updates.

Updates and servicing


For more information, see Updates and servicing.

 Tip

Enable these endpoints for the management insight rule, Connect the site to the
Microsoft cloud for Configuration Manager updates.

*.akamaiedge.net

*.akamaitechnologies.com

*.manage.microsoft.com

go.microsoft.com

download.microsoft.com

download.windowsupdate.com

download.visualstudio.microsoft.com

sccmconnected-a01.cloudapp.net
definitionupdates.microsoft.com

configmgrbits.azureedge.net

Important

This Azure endpoint only supports TLS 1.2 with specific cipher suites. Make
sure your environment supports these Azure configurations. For more
information, see Azure Front Door: TLS configuration FAQ.

ceuswatcab01.blob.core.windows.net

ceuswatcab02.blob.core.windows.net

eaus2watcab01.blob.core.windows.net

eaus2watcab02.blob.core.windows.net

weus2watcab01.blob.core.windows.net

weus2watcab02.blob.core.windows.net

umwatsonc.events.data.microsoft.com

*-umwatsonc.events.data.microsoft.com
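As an added example (not part of the Configuration Manager documentation), the following PowerShell checks from the service connection point that the concrete hosts in the list above answer over HTTPS through the site system's proxy, and that the Baltimore CyberTrust Root from the tip above is present and unexpired in the machine store. The proxy URL is an assumption (omit -ProxyUri if the server connects directly); wildcard entries are reported but not tested, because no single host stands for the pattern.

```powershell
# Added example, not from the Configuration Manager documentation.
$Proxy = 'http://proxy.contoso.local:8080'   # assumed proxy; set to '' for a direct connection
$Endpoints = @(
    'go.microsoft.com', 'download.microsoft.com', 'download.windowsupdate.com',
    'download.visualstudio.microsoft.com', 'sccmconnected-a01.cloudapp.net',
    'definitionupdates.microsoft.com', 'configmgrbits.azureedge.net',
    '*.manage.microsoft.com', '*.akamaiedge.net', '*.akamaitechnologies.com'
)

function Test-ScpEndpoint {
    param([string[]]$Name, [string]$ProxyUri)
    foreach ($n in $Name) {
        if ($n.StartsWith('*')) {
            # No single host represents a wildcard; it has to be allowed as a pattern on the proxy.
            [pscustomobject]@{ Endpoint = $n; Result = 'wildcard, allow the pattern on the proxy or firewall' }
            continue
        }
        $params = @{ Uri = "https://$n/"; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 15 }
        if ($ProxyUri) { $params.Proxy = $ProxyUri; $params.ProxyUseDefaultCredentials = $true }
        try {
            $resp = Invoke-WebRequest @params
            [pscustomobject]@{ Endpoint = $n; Result = "HTTP $($resp.StatusCode)" }
        } catch {
            # Any HTTP status, even 403 or 404, shows the TLS path through the proxy works. A proxy
            # denial, a TLS failure (for example a missing root), or a timeout carries no status code.
            $code = $_.Exception.Response.StatusCode.value__
            $text = if ($code) { "HTTP $code (reachable)" } else { $_.Exception.Message }
            [pscustomobject]@{ Endpoint = $n; Result = $text }
        }
    }
}

function Test-BaltimoreRoot {
    $root = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like 'CN=Baltimore CyberTrust Root*' } |
        Select-Object -First 1
    if (-not $root)                    { return 'missing from LocalMachine\Root' }
    if ($root.NotAfter -lt (Get-Date)) { return "expired on $($root.NotAfter)" }
    return "present, valid until $($root.NotAfter)"
}

Test-ScpEndpoint -Name $Endpoints -ProxyUri $Proxy | Format-Table -AutoSize
'Baltimore CyberTrust Root: ' + (Test-BaltimoreRoot)
```

Run it in the context the role actually uses: the computer's System account by default, or the site system proxy server account if one is configured, since a proxy that authenticates per user can pass for an administrator's session and still fail for the service. A Result without an HTTP status for a host, combined with status message 11488 in the console, points at the network path rather than at the site.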

Windows servicing
For more information, see Manage Windows as a service.

download.microsoft.com

https://go.microsoft.com/fwlink/?LinkID=619849

dl.delivery.mp.microsoft.com

Azure services
For more information, see Configure Azure services for use with Configuration Manager.

management.azure.com (Azure public cloud)

management.usgovcloudapi.net (Azure US Government cloud)


Co-management
If you enroll Windows devices to Microsoft Intune for co-management, make sure those
devices can access the endpoints required by Intune. For more information, see Network
endpoints for Microsoft Intune.

Microsoft Store for Business


If you integrate Configuration Manager with the Microsoft Store for Business, make sure
the service connection point and targeted devices can access the cloud service. For
more information, see Microsoft Store for Business proxy configuration.

Delivery optimization
If you use delivery optimization, clients need to communicate with its cloud service:
*.do.dsp.mp.microsoft.com

Distribution points that support Microsoft Connected Cache also require these
endpoints.

For more information, see the following articles:

Delivery optimization FAQ


Fundamental concepts for content management in Configuration Manager
Microsoft Connected Cache in Configuration Manager

Cloud services
For more information on the cloud management gateway (CMG), see Plan for CMG.

This section covers the following features:

Cloud management gateway (CMG)

Azure Active Directory (Azure AD) integration

Azure AD-based discovery

Cloud distribution point (CDP)

Note

The cloud-based distribution point (CDP) is deprecated. Starting in version
2107, you can't create new CDP instances. To provide content to internet-
based devices, enable the CMG to distribute content.

The following sections list the endpoints by role. Some endpoints refer to a service by <prefix>, which is the prefix name of the CMG. For example, if your CMG is GraniteFalls.WestUS.CloudApp.Azure.Com, then the actual storage endpoint is GraniteFalls.blob.core.windows.net.

 Tip

To clarify some terminology:

CMG service name: The common name (CN) of the CMG server authentication
certificate. Clients and the CMG connection point site system role
communicate with this service name. For example, GraniteFalls.contoso.com
or GraniteFalls.WestUS.CloudApp.Azure.Com .

CMG deployment name: The first part of the service name plus the Azure
location for the cloud service deployment. The cloud service manager
component of the service connection point uses this name when it deploys
the CMG in Azure. The deployment name is always in an Azure domain. The
Azure location depends upon the deployment method, for example:
Virtual machine scale set: GraniteFalls.WestUS.CloudApp.Azure.Com
Classic deployment: GraniteFalls.CloudApp.Net

This article uses examples with a virtual machine scale set as the recommended
deployment method in version 2107 and later. If you use a classic deployment, note
the difference as you read this article and configure internet access.

Service connection point for cloud services


For Configuration Manager to deploy the CMG service in Azure, the service connection
point needs access to:

Specific Azure endpoints, which are different per environment depending upon the
configuration. Configuration Manager stores these endpoints in the site database.
Query the AzureEnvironments table in SQL Server for the list of Azure endpoints.

Azure services:
management.azure.com (Azure public cloud)

management.usgovcloudapi.net (Azure US Government cloud)

For Azure AD user discovery: Microsoft Graph endpoint https://graph.microsoft.com/

CMG connection point for cloud services


The CMG connection point needs access to the following endpoints:

Type                 Azure public cloud                     Azure US Government cloud
Service name         <prefix>.<region>.cloudapp.azure.com   <prefix>.usgovcloudapp.net
Storage endpoint 1   <prefix>.blob.core.windows.net         <prefix>.blob.core.usgovcloudapi.net
Storage endpoint 2   <prefix>.table.core.windows.net        <prefix>.table.core.usgovcloudapi.net
Key vault            <prefix>.vault.azure.net               <prefix>.vault.usgovcloudapi.net

The CMG connection point site system supports using a web proxy. For more
information on configuring this role for a proxy, see Proxy server support.

The CMG connection point only needs to connect to the CMG service endpoints. It
doesn't need access to other Azure endpoints.

Configuration Manager client for cloud services


Any Configuration Manager client that needs to communicate with a CMG needs access
to the following endpoints:

Type                 Azure public cloud                     Azure US Government cloud
Deployment name      <prefix>.<region>.cloudapp.azure.com   <prefix>.usgovcloudapp.net
Storage endpoint     <prefix>.blob.core.windows.net         <prefix>.blob.core.usgovcloudapi.net
Azure AD endpoint    login.microsoftonline.com              login.microsoftonline.us

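The PowerShell below is an added example, not part of the Configuration Manager documentation. It builds the endpoint list from the two tables above for one CMG (prefix, Azure region and cloud) and checks, from the host you run it on, that each name resolves and accepts a TCP connection on port 443. The prefix GraniteFalls and region WestUS are the article's sample values; the function names and the ClassicDeployment switch are assumptions made for the example.

```powershell
# Added example, not from the Configuration Manager docs. Builds the CMG endpoint list
# for one deployment from the tables above and checks DNS resolution plus a TCP handshake
# on 443 from the host it runs on. Prefix/region values are the article's sample names.

function Get-CmgEndpointList {
    param(
        [Parameter(Mandatory)] [string] $Prefix,                       # e.g. GraniteFalls
        [string] $Region = 'WestUS',                                   # Azure location of a VM scale set deployment
        [ValidateSet('Public', 'USGov')] [string] $Cloud = 'Public',
        [ValidateSet('ConnectionPoint', 'Client')] [string] $Role = 'ConnectionPoint',
        [switch] $ClassicDeployment                                    # <prefix>.cloudapp.net instead of the scale set name
    )

    if ($Cloud -eq 'Public') {
        $service = if ($ClassicDeployment) { "$Prefix.cloudapp.net" } else { "$Prefix.$Region.cloudapp.azure.com" }
        $blob  = "$Prefix.blob.core.windows.net"
        $table = "$Prefix.table.core.windows.net"
        $vault = "$Prefix.vault.azure.net"
        $login = 'login.microsoftonline.com'
    } else {
        $service = "$Prefix.usgovcloudapp.net"
        $blob  = "$Prefix.blob.core.usgovcloudapi.net"
        $table = "$Prefix.table.core.usgovcloudapi.net"
        $vault = "$Prefix.vault.usgovcloudapi.net"
        $login = 'login.microsoftonline.us'
    }

    # The connection point needs the service name, both storage endpoints and the key vault;
    # a client needs the deployment name, blob storage and the Azure AD login endpoint.
    if ($Role -eq 'ConnectionPoint') { $service, $blob, $table, $vault }
    else                             { $service, $blob, $login }
}

function Test-CmgEndpoint {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $HostName)
    process {
        # Test-NetConnection resolves the name and attempts a TCP handshake on 443.
        $r = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Endpoint = $HostName
            Resolved = [bool] $r.RemoteAddress
            TcpOpen  = [bool] $r.TcpTestSucceeded
        }
    }
}

# Usage with the article's sample CMG (assumed values): public cloud, scale set deployment.
Get-CmgEndpointList -Prefix 'GraniteFalls' -Region 'WestUS' -Role ConnectionPoint |
    Test-CmgEndpoint | Format-Table -AutoSize
```

Test-NetConnection opens the socket directly and ignores any web proxy configured for the CMG connection point, so on a proxied server repeat the check with Invoke-WebRequest -Proxy against https://<endpoint>/ to exercise the same path the role will use. A name that resolves but fails the TCP test usually means the firewall rule is missing; a name that doesn't resolve usually means the CMG hasn't been deployed yet or the prefix or region in your rule is wrong.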
Configuration Manager console for cloud services
Any device with the Configuration Manager console needs access to the following
endpoints:

Type                 Azure public cloud                     Azure US Government cloud
Azure AD endpoints   login.microsoftonline.com              login.microsoftonline.us
                     aadcdn.msauth.net
                     aadcdn.msftauth.net

Software updates
Allow the active software update point to access the following endpoints so that WSUS
and Automatic Updates can communicate with the Microsoft Update cloud service:

http://windowsupdate.microsoft.com

http://*.windowsupdate.microsoft.com

https://*.windowsupdate.microsoft.com

http://*.update.microsoft.com

https://*.update.microsoft.com

http://*.windowsupdate.com

http://download.windowsupdate.com

http://download.microsoft.com

http://*.download.windowsupdate.com

http://ntservicepack.microsoft.com

For more information on software updates, see Plan for software updates.
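Several of these entries contain wildcards and most are HTTP only, so it's easy to write a proxy or firewall rule that looks right but doesn't cover the traffic WSUS actually generates. The PowerShell below is an added example, not part of the documentation: it converts each allowlist entry into an anchored regular expression (the wildcard may span host labels but never the path, and the scheme is part of the match) and reports which rule, if any, covers a given URL. The sample URLs at the end are constructed for the example, not captured traffic.

```powershell
# Added example, not from the Configuration Manager docs. Checks whether a URL is covered
# by the wildcard allowlist above before you rely on a proxy or firewall rule for it.

$WindowsUpdateAllowList = @(
    'http://windowsupdate.microsoft.com',
    'http://*.windowsupdate.microsoft.com',
    'https://*.windowsupdate.microsoft.com',
    'http://*.update.microsoft.com',
    'https://*.update.microsoft.com',
    'http://*.windowsupdate.com',
    'http://download.windowsupdate.com',
    'http://download.microsoft.com',
    'http://*.download.windowsupdate.com',
    'http://ntservicepack.microsoft.com'
)

function ConvertTo-AllowListRegex {
    param([Parameter(Mandatory)] [string] $Pattern)
    # Escape the literal text, then turn the escaped '*' back into a wildcard.
    # '[^/]*' lets '*' span several DNS labels (fe2.update.microsoft.com) but never a path
    # separator. The scheme stays part of the match, so an http-only rule doesn't silently
    # cover https, and the anchor after the host stops suffix spoofing (host.attacker.example).
    $escaped = [regex]::Escape($Pattern) -replace '\\\*', '[^/]*'
    return "^$escaped(:\d+)?(/.*)?$"
}

function Test-UrlAllowed {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [string[]] $AllowList = $WindowsUpdateAllowList
    )
    foreach ($p in $AllowList) {
        if ($Url -match (ConvertTo-AllowListRegex $p)) {
            return [pscustomobject]@{ Url = $Url; Allowed = $true; MatchedRule = $p }
        }
    }
    [pscustomobject]@{ Url = $Url; Allowed = $false; MatchedRule = $null }
}

# Constructed sample URLs (not real WSUS traffic):
@(
    'http://fe2.update.microsoft.com/v6/ClientWebService/client.asmx',   # covered by http://*.update.microsoft.com
    'https://download.windowsupdate.com/d/msdownload/update/x.cab',      # https variant is not in the list
    'http://evil.windowsupdate.com.attacker.example/'                    # suffix spoofing, must not match
) | ForEach-Object { Test-UrlAllowed -Url $_ } | Format-Table -AutoSize
```

The second sample shows the kind of gap this catches: the list allows download.windowsupdate.com over HTTP only, so an HTTPS request to the same host is not covered by any rule and would be blocked by a proxy that implements the list literally. Run your real proxy logs' blocked URLs through Test-UrlAllowed before loosening a rule, so you widen it to the documented pattern rather than to a bare wildcard.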

Intranet firewall
You might need to add endpoints to a firewall that's between two site systems in the
following cases:

If child sites have a software update point

If there's a remote active internet-based software update point at a site

Software update point on the child site

http://<FQDN for software update point on child site>

https://<FQDN for software update point on child site>

http://<FQDN for software update point on parent site>

https://<FQDN for software update point on parent site>

Manage Microsoft 365 Apps

Note

Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365
Apps for enterprise. For more information, see Name change for Office 365
ProPlus. You may still see references to the old name in the Configuration Manager
console and supporting documentation while the console is being updated.

If you use Configuration Manager to deploy and update Microsoft 365 Apps for
enterprise, allow the following endpoints:

officecdn.microsoft.com to synchronize the software update point for Microsoft
365 Apps for enterprise client updates

config.office.com to create custom configurations for Microsoft 365 Apps for
enterprise deployments

https://clients.config.office.net and https://go.microsoft.com/fwlink/?linkid=2190568
to support deploying updates for Microsoft 365 Apps for enterprise

contentstorage.osi.office.net to support the evaluation of Office add-in
readiness

Your top-level site server needs access to the following endpoint to download the
Microsoft 365 Apps readiness file:

Starting March 2, 2021:
https://omex.cdn.office.net/mirrored/sccmreadiness/SOT_SCCM_AddinReadiness.CAB

Location prior to March 2, 2021:
https://contentstorage.osi.office.net/sccmreadinessppe/sot_sccm_addinreadiness.cab

Note

The location of this file changed on March 2, 2021. For more information, see
Download location change for Microsoft 365 Apps readiness file.

Configuration Manager console


Computers with the Configuration Manager console require access to the following
internet endpoints for specific features:

Note

For push notifications from Microsoft to show in the console, the service
connection point needs access to configmgrbits.azureedge.net. It also needs
access to this endpoint for updates and servicing, so you may have already
allowed it.

In-console feedback
On the computer where you run the console, allow it to access the following internet
endpoints to send diagnostic data to Microsoft:

petrol.office.microsoft.com

ceuswatcab01.blob.core.windows.net

ceuswatcab02.blob.core.windows.net

eaus2watcab01.blob.core.windows.net

eaus2watcab02.blob.core.windows.net

weus2watcab01.blob.core.windows.net

weus2watcab02.blob.core.windows.net

umwatsonc.events.data.microsoft.com
*-umwatsonc.events.data.microsoft.com

For more information on this feature, see Product feedback.

Community workspace

Documentation node

For more information on this console node, see Using the Configuration Manager
console.

https://aka.ms

https://raw.githubusercontent.com

Community hub
For more information on this feature, see Community hub.

https://github.com

https://communityhub.microsoft.com

Desktop Analytics
For more information, see Enable data sharing.

Server connectivity endpoints


The service connection point needs to communicate with the following endpoints:

Endpoint: https://aka.ms
Function: Used to locate the service.

Endpoint: https://graph.windows.net
Function: Used to automatically retrieve settings like CommercialId when attaching your
hierarchy to Desktop Analytics (on the Configuration Manager server role). For more
information, see Configure the proxy for a site system server.

Endpoint: https://*.manage.microsoft.com
Function: Used to sync device collection memberships, deployment plans, and device
readiness status with Desktop Analytics (on the Configuration Manager server role only).
For more information, see Configure the proxy for a site system server.

Endpoint: https://dc.services.visualstudio.com
Function: Diagnostic data from the on-premises service connector, used to gain insights
about the health of cloud-connected services.

User experience and diagnostic component endpoints


Client devices need to communicate with the following endpoints:

Endpoint: https://v10c.events.data.microsoft.com
Function: Connected user experience and diagnostic component endpoint. Used by devices
running Windows 10, version 1809 or later, or version 1803 with the 2018-09 cumulative
update or later installed.

Endpoint: https://v10.events.data.microsoft.com
Function: Connected user experience and diagnostic component endpoint. Used by devices
running Windows 10, version 1803 without the 2018-09 cumulative update installed.

Endpoint: https://v10.vortex-win.data.microsoft.com
Function: Connected user experience and diagnostic component endpoint. Used by devices
running Windows 10, version 1709 or earlier.

Endpoint: https://vortex-win.data.microsoft.com
Function: Connected user experience and diagnostic component endpoint. Used by devices
running Windows 7 and Windows 8.1.

Client connectivity endpoints


Client devices need to communicate with the following endpoints:

1. https://settings-win.data.microsoft.com
   Enables the compatibility update to send data to Microsoft.

2. http://adl.windows.com
   Allows the compatibility update to receive the latest compatibility data from
   Microsoft.

3. https://watson.telemetry.microsoft.com
   Windows Error Reporting (WER). Required to monitor deployment health in Windows 10,
   version 1803 or earlier.

4. https://umwatsonc.events.data.microsoft.com
   Windows Error Reporting (WER). Required for device health reports in Windows 10,
   version 1809 or later.

5. https://ceuswatcab01.blob.core.windows.net
   Windows Error Reporting (WER). Required to monitor deployment health in Windows 10,
   version 1809 or later.

6. https://ceuswatcab02.blob.core.windows.net
   Windows Error Reporting (WER). Required to monitor deployment health in Windows 10,
   version 1809 or later.

7. https://eaus2watcab01.blob.core.windows.net
   Windows Error Reporting (WER). Required to monitor deployment health in Windows 10,
   version 1809 or later.

8. https://eaus2watcab02.blob.core.windows.net
   Windows Error Reporting (WER). Required to monitor deployment health in Windows 10,
   version 1809 or later.

9. https://weus2watcab01.blob.core.windows.net
   Windows Error Reporting (WER). Required to monitor deployment health in Windows 10,
   version 1809 or later.

10. https://weus2watcab02.blob.core.windows.net
    Windows Error Reporting (WER). Required to monitor deployment health in Windows 10,
    version 1809 or later.

11. https://kmwatsonc.events.data.microsoft.com
    Online Crash Analysis (OCA). Required for device health reports in Windows 10,
    version 1809 or later.

12. https://oca.telemetry.microsoft.com
    Online Crash Analysis (OCA). Required to monitor deployment health in Windows 10,
    version 1803 or earlier.

13. https://login.live.com
    Required to provide a more reliable device identity for Desktop Analytics. To disable
    end-user Microsoft account access, use policy settings instead of blocking this
    endpoint. For more information, see The Microsoft account in the enterprise.

14. https://v20.events.data.microsoft.com
    Connected user experience and diagnostic component endpoint.

Tenant attach
For more information, see Enable tenant attach.

https://aka.ms/configmgrgateway

https://*.manage.microsoft.com for Azure public cloud customers

https://*.manage.microsoft.us for US Government cloud customers on version 2107 or later

https://dc.services.visualstudio.com

The service connection point makes a long-standing outgoing connection to the
notification service hosted on https://*.manage.microsoft.com. Verify that the proxy used
for the service connection point doesn't time out outgoing connections too quickly. We
recommend 3 minutes for outgoing connections to this internet endpoint.

If your environment has proxy rules to allow only specific certificate revocation list
(CRL) or Online Certificate Status Protocol (OCSP) verification locations, also allow the
following CRL and OCSP URLs. These are plain HTTP by design, so don't redirect them to
HTTPS or route them through TLS inspection:

http://crl3.digicert.com
http://crl4.digicert.com
http://ocsp.digicert.com
http://www.d-trust.net
http://root-c3-ca2-2009.ocsp.d-trust.net
http://crl.microsoft.com
http://oneocsp.microsoft.com
http://ocsp.msocsp.com
http://www.microsoft.com/pkiops

Endpoint analytics
For more information, see Endpoint analytics proxy configuration.

Endpoints required for Configuration Manager-managed devices

Configuration Manager-managed devices send data to Intune via the connector on the
Configuration Manager role, so they don't need direct access to the Microsoft public
cloud.

Endpoint: https://graph.windows.net
Function: Used to automatically retrieve settings when attaching your hierarchy to
Endpoint analytics on the Configuration Manager server role. For more information, see
Configure the proxy for a site system server.

Endpoint: https://*.manage.microsoft.com
Function: Used to sync device collections and devices with Endpoint analytics on the
Configuration Manager server role only. For more information, see Configure the proxy
for a site system server.

Endpoints required for Intune-managed devices

To enroll devices to Endpoint analytics, they need to send required functional data to the
Microsoft public cloud. Endpoint analytics uses the Windows client and Windows Server
Connected User Experiences and Telemetry component (DiagTrack) to collect the data
from Intune-managed devices. Make sure that the Connected User Experiences and
Telemetry service on the device is running.

Endpoint: https://*.events.data.microsoft.com
Function: Used by Intune-managed devices to send required functional data to the Intune
data collection endpoint.

Asset intelligence
If you use asset intelligence, allow the following endpoints for the service to
synchronize:
https://sc.microsoft.com

https://ssu2.manage.microsoft.com

Deploy Microsoft Edge


The device running the Configuration Manager console needs access to the following
endpoints for deploying Microsoft Edge:

Location: https://aka.ms/cmedgeapi
Use: Information about releases of Microsoft Edge

Location: https://edgeupdates.microsoft.com/api/products?view=enterprise
Use: Information about releases of Microsoft Edge

Location: http://dl.delivery.mp.microsoft.com
Use: Content for Microsoft Edge releases

External notifications
For more information, see External notifications.

The service connection point needs to communicate with the notification service, for
example Azure Logic Apps. The access endpoint for the logic app typically has the
following format: https://*.<RegionName>.logic.azure.com:443. For example:
https://prod1.westus2.logic.azure.com:443

To get the access endpoint for the logic app, as well as the associated IP addresses, use
the following process:

1. In the Azure portal, under Logic Apps, select the logic app for your notification. For
more information, see Manage logic apps in the Azure portal.
2. In the app's menu, in the Settings section, select Properties.
3. View or copy the values for the Access endpoint and the Access endpoint IP
addresses.

Microsoft public IP addresses


For more information on the Microsoft IP address ranges, see Microsoft Public IP
Space. These addresses update regularly. There's no granularity by service: any IP
address in these ranges could be used.

Next steps
Ports used in Configuration Manager

Proxy server support in Configuration Manager


About schema extensions for
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can extend the Active Directory schema to support Configuration Manager. This
action edits a forest's Active Directory schema to add a new container and several
attributes. Configuration Manager sites use these extensions to publish key information
in Active Directory where clients can securely access it. This information can simplify the
deployment and configuration of clients. It also helps clients locate site resources like
servers with deployed content or that provide different services to clients.

Microsoft recommends that you extend your Active Directory schema for Configuration
Manager, but it's not required.

Before you extend the Active Directory schema, you should be familiar with Active
Directory Domain Services and comfortable with modifying the Active Directory schema.

Considerations
There are no new Active Directory schema extensions for Configuration Manager
current branch. They haven't changed since Configuration Manager 2007. If you
previously extended the schema for an earlier version, you don't have to extend the
schema again.

Extending the schema is a forest-wide, one-time, irreversible action.

Only a member of the Schema Admins group can extend the schema. It can also
be a user with delegated permissions to change the schema.

You can extend the schema before or after you install a Configuration Manager
site. However, it's best to extend the schema before you start to configure your
sites and hierarchy settings. This action can simplify many of the later
configuration steps.

After you extend the schema, the Active Directory global catalog replicates
throughout the forest. Plan to extend the schema when the replication traffic won't
adversely affect other network-dependent processes. Active Directory only
replicates the newly added attributes.
Devices and clients that don't use the Active Directory schema

Mobile devices that are managed by the Exchange Server connector

The client for macOS computers

Mobile devices that are enrolled by Configuration Manager on-premises MDM

Windows clients that you configure for internet-only client management

Windows clients that Configuration Manager detects to be on the internet

Features that benefit


The following Configuration Manager features benefit from extending the Active
Directory schema.

Client computer installation and site assignment


When you install a new client on a Windows computer, it searches Active Directory
Domain Services for installation properties.

If you don't extend the schema, use one of the following options to provide
configuration details:

Use client push installation. This method uses the client installation properties that
you configure in the Configuration Manager console.

Use manual installation. Provide at least the following client installation properties
on the command line:

Specify a management point or source path from which the computer can
download the installation files. Use the CCMSetup property /mp or /source.

Specify a list of initial management points for the client to use. It uses this initial
management point to assign to the site and download client policy and site
settings. Use the CCMSetup Client.msi property SMSMP.

For more information, see About client installation parameters and properties.

Publish the management point in DNS. Configure clients to use this service
location method.
Port configuration for client-to-server communication
When a client installs, it uses the port information from Active Directory. If you later
change the client-to-server communication port for a site, clients get this new port
setting from Active Directory.

If you don't extend the schema, use one of the following options to provide new port
configurations to existing clients:

Reinstall clients. Use options that configure the new port.

Deploy a custom script to clients that updates the communication port. If clients
can't communicate with a site because of a port change, you can't use
Configuration Manager to deploy this script. For example, you could use group
policy.

Content deployment scenarios


When you create content at one site, and then deploy that content to another site in the
hierarchy, the receiving site tries to verify the signature of the signed content data. This
behavior requires access to the public key of the source site where you create this
content. When you extend the Active Directory schema for Configuration Manager, a
site's public key is available to all sites in the hierarchy.

If you don't extend the schema, use the hierarchy maintenance tool, preinst.exe, to
exchange the secure key information between sites.

For example, you plan to create content at a primary site and then deploy that content
to a secondary site below a different primary site. If you extend the Active Directory
schema, the secondary site automatically gets the source primary site's public key.
Otherwise, use preinst.exe to share keys between the two sites directly.

Active Directory attributes and classes


When you extend the schema for Configuration Manager, the following classes and
attributes are added to the schema and available to all Configuration Manager sites in
that Active Directory forest.

Attributes:

cn=mS-SMS-Assignment-Site-Code
cn=mS-SMS-Capabilities
cn=MS-SMS-Default-MP
cn=mS-SMS-Device-Management-Point
cn=mS-SMS-Health-State
cn=MS-SMS-MP-Address
cn=MS-SMS-MP-Name
cn=MS-SMS-Ranged-IP-High
cn=MS-SMS-Ranged-IP-Low
cn=MS-SMS-Roaming-Boundaries
cn=MS-SMS-Site-Boundaries
cn=MS-SMS-Site-Code
cn=mS-SMS-Source-Forest
cn=mS-SMS-Version

Classes:

cn=MS-SMS-Management-Point
cn=MS-SMS-Roaming-Boundary-Range
cn=MS-SMS-Server-Locator-Point
cn=MS-SMS-Site

Note

The schema extensions might include attributes and classes from previous versions
of the product that aren't used by the latest version. For example:

Attribute: cn=MS-SMS-Site-Boundaries
Class: cn=MS-SMS-Server-Locator-Point

You can view these settings in the ConfigMgr_ad_schema.LDF file from the
\SMSSETUP\BIN\x64 folder of the Configuration Manager installation media.

Next steps
Prepare Active Directory for site publishing
Prepare Active Directory for site
publishing
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When you extend the Active Directory schema for Configuration Manager, you
introduce new structures to Active Directory. Configuration Manager sites use these new
structures to publish key information in a secure location where clients can easily access
it.

When you manage on-premises clients, you should extend the Active Directory schema
for Configuration Manager. An extended schema can simplify the process of deploying
and setting up clients. An extended schema also lets clients efficiently locate resources
like content servers. Extending the schema is a one-time action for any forest.

If you're not familiar with the benefits of an extended schema for Configuration
Manager, see Schema extensions for Configuration Manager.

When you don't use an extended schema, you can set up other methods like DNS to
locate services and site system servers. These methods of service location require other
configurations and aren't the preferred method for service location by clients. For more
information, see Understand how clients find site resources and services for
Configuration Manager.

If your Active Directory schema was extended for Configuration Manager 2007 or
System Center 2012 Configuration Manager, then you don't need to do more. The
schema extensions are unchanged and are already in place.

Step 1: Extend the schema


To extend the schema for Configuration Manager:

Use an account that's a member of the Schema Admins security group.

Sign in with that account to the schema master domain controller.

Then use one of the following options to add the new classes and attributes to the
Active Directory schema.

Option A: Use the extadsch.exe tool


This tool is in the SMSSETUP\BIN\X64 folder on the Configuration Manager installation
media.

1. Open a command line, and run extadsch.exe.

Tip

Run this tool from a command line to view feedback while it runs.

2. To verify that the schema extension was successful, review extadsch.log in the root
of the system drive.

Option B: Use the LDIF file


This file is in the SMSSETUP\BIN\X64 folder on the Configuration Manager installation
media.

1. Make a copy of the ConfigMgr_ad_schema.ldf file. Edit it in Notepad, and define
the Active Directory root domain that you want to extend. Replace all instances of
the text DC=x in the file with the full name of the domain to extend. For example, if
the full name of the domain to extend is widgets.contoso.com, change all
instances of DC=x in the file to DC=widgets, DC=contoso, DC=com.

2. Use the LDIFDE command-line utility to import the contents of the
ConfigMgr_ad_schema.ldf file to Active Directory Domain Services. For example,
the following command line imports the schema extensions, turns on verbose
logging, and creates a log file in the temp directory:

ldifde -i -f ConfigMgr_ad_schema.ldf -v -j "%temp%"

For more information, see Command-line reference: Ldifde.

3. To verify that the schema extension was successful, review the ldifde log file.
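The following PowerShell is an added example, not part of the documentation or the installation media. It automates Option B end to end: it derives the domain DN from the forest root FQDN, writes a rewritten copy of ConfigMgr_ad_schema.ldf, imports it with ldifde against the schema master, and then confirms that every object named in the LDF exists in the schema partition. The media path and the use of the forest root domain are assumptions; run it as a member of Schema Admins.

```powershell
# Added example, not from the Configuration Manager docs. Automates Option B above:
# rewrite DC=x, import with ldifde, then verify the schema objects exist.
# Run as a Schema Admin. The media path and root-domain default are assumptions.

param(
    [string] $MediaRoot  = 'D:\',                       # Configuration Manager installation media
    [string] $DomainFqdn = (Get-ADForest).RootDomain    # forest root domain, e.g. widgets.contoso.com
)

Import-Module ActiveDirectory

# widgets.contoso.com -> DC=widgets,DC=contoso,DC=com
$domainDn = ($DomainFqdn.Split('.') | ForEach-Object { "DC=$_" }) -join ','

$source = Join-Path $MediaRoot 'SMSSETUP\BIN\X64\ConfigMgr_ad_schema.ldf'
$work   = Join-Path $env:TEMP 'ConfigMgr_ad_schema.ldf'

# Replace DC=x only where it is the whole DC component, so a domain that happens to
# start with "x" (DC=xyz) is not mangled. Never edit the file on the media in place.
(Get-Content -Path $source -Raw) -replace 'DC=x(?=,|\s|$)', $domainDn |
    Set-Content -Path $work -Encoding ASCII

# Import against the schema master, where schema changes must originate.
$schemaMaster = (Get-ADForest).SchemaMaster
& ldifde.exe -i -f $work -s $schemaMaster -v -j $env:TEMP
if ($LASTEXITCODE -ne 0) {
    throw "ldifde failed with exit code $LASTEXITCODE; see $env:TEMP\ldif.log and ldif.err"
}

# Verify: every attributeSchema / classSchema DN in the LDF should now resolve.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$expected = Select-String -Path $work -Pattern '^dn:\s*CN=([^,]+),CN=Schema' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique

$missing = foreach ($cn in $expected) {
    if (-not (Get-ADObject -LDAPFilter "(cn=$cn)" -SearchBase $schemaNc -SearchScope OneLevel)) { $cn }
}
if ($missing) { Write-Warning "Not found in schema: $($missing -join ', ')" }
else          { "All $($expected.Count) schema objects present in $schemaNc" }
```

If the schema was already extended by an earlier version, ldifde reports "already exists" errors for the objects and exits non-zero; the verification step still passes in that case, which is the signal that no further action is needed. Keep the rewritten copy and the ldif.log with your change record, since the extension is forest-wide and irreversible.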

Step 2: The System Management container


After you extend the schema, create a container named System Management in Active
Directory Domain Services. Create this container once in each domain that has a
Configuration Manager site that will publish data to Active Directory. For each container,
grant permissions to the computer account of each site server that will publish data to
that domain.

1. Use an account that has the Create All Child Objects permission on the System
container in Active Directory Domain Services.

2. Run ADSI Edit (adsiedit.msc), and connect to the site server's domain.

3. Create the container:

a. Expand the fully qualified domain name, and expand the distinguished name.
Right-click CN=System, choose New, and then select Object.

b. In the Create Object window, select Container, and then select Next.

c. In the Value box, enter System Management , and then select Next.

4. Assign permissions:

Note

If you prefer, you can use other tools like the Active Directory Users and
Computers administrative tool (dsa.msc) to add permissions to the container.

a. Right-click CN=System Management, and select Properties.

b. Switch to the Security tab. Select Add, and then add the site server's computer
account with the Full Control permission.

Add the computer account for each Configuration Manager site server in this
domain. If you use site server high availability, make sure to include the
computer account of the site server in passive mode.

c. Select Advanced, select the site server's computer account, and then select Edit.

d. In the Apply onto list, select This object and all descendant objects.

e. Select OK to save the configuration.
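The PowerShell below is an added example and not part of the documentation; it performs steps 1 to 4 above with the ActiveDirectory module instead of ADSI Edit. It creates the System Management container under CN=System (only if it doesn't exist yet) and grants each listed site server computer account Full Control on this object and all descendant objects, then lists the resulting explicit entries so you can confirm the inheritance scope. The server names CM01 and CM02 are assumptions; include the passive site server's account if you use site server high availability.

```powershell
# Added example, not from the Configuration Manager docs. Creates the System Management
# container and grants each site server computer account Full Control on the container
# and all descendant objects (steps 1 to 4 above). Server names are assumptions.

param(
    [string[]] $SiteServer = @('CM01', 'CM02')   # active and passive site server computer names
)

Import-Module ActiveDirectory

$domainDn    = (Get-ADDomain).DistinguishedName
$systemDn    = "CN=System,$domainDn"
$containerDn = "CN=System Management,$systemDn"

# Step 3: create the container once per domain (idempotent).
if (-not (Get-ADObject -LDAPFilter '(cn=System Management)' -SearchBase $systemDn -SearchScope OneLevel)) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDn
}

# Step 4: Full Control, applied to "This object and all descendant objects".
$acl = Get-Acl -Path "AD:\$containerDn"
foreach ($name in $SiteServer) {
    $computer = Get-ADComputer -Identity $name          # throws if the account doesn't exist
    $sid      = [System.Security.Principal.SecurityIdentifier] $computer.SID

    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,            # Full Control
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All      # this object and all descendants
    )
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$containerDn" -AclObject $acl

# Check: explicit Allow entries on the container with their inheritance scope.
(Get-Acl -Path "AD:\$containerDn").Access |
    Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize
```

The check at the end is worth running on existing containers too: an entry for a decommissioned site server is a standing grant of Full Control over everything the site publishes, so remove accounts that no longer host a site server.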

Next steps
After you create the container and grant permissions, configure the Configuration
Manager site to publish data to Active Directory.

Publish site data for Configuration Manager


Prepare Windows Servers to support
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Before you can use a Windows computer as a site system server for Configuration
Manager, it must meet the prerequisites for its intended use. These prerequisites often
include one or more Windows features or roles. Because the method to enable Windows
features and roles differs among OS versions, refer to the documentation for your OS
version for detailed information.

The information in this article provides an overview of the types of Windows
configurations that are required to support Configuration Manager site systems. For
configuration details for specific site system roles, see Site and site system prerequisites.

Windows features and roles


When you set up Windows features and roles on a computer, you might be required to
reboot the computer to complete that configuration. So before you install a
Configuration Manager site or site system server, identify computers that will host
specific site system roles.

Features
The following Windows features are required on certain site system servers. Set them up
before you install a site system role on that computer.

.NET Framework: Different site system roles require different versions of .NET
Framework.

Background Intelligent Transfer Service (BITS): Management points require BITS
to support communication with managed devices. This feature includes all
automatically selected options.

BranchCache: Distribution points can be set up with BranchCache to support
clients.

Data Deduplication: Distribution points can be set up with and benefit from data
deduplication.

Remote Differential Compression (RDC): Each computer that hosts a site server or
a distribution point requires RDC. RDC is used to generate package signatures and
compare digital signatures.

Roles
The following Windows roles are required to support specific functionality, like software
updates and OS deployments. IIS is required by the most common site system roles.

Network Device Enrollment Service (under Active Directory Certificate Services):
This Windows role is a prerequisite to use certificate profiles in Configuration
Manager.

Web server (IIS): The following site system roles use IIS:
Distribution point
Enrollment point
Enrollment proxy point
Fallback status point
Management point
Software update point
State migration point

The minimum version of IIS that's required is the version that's supplied with the
OS of the site server.

Windows Deployment Services: This role is used with OS deployment.

Windows Server Update Services: This role is required for software updates.

IIS request filtering for distribution points


By default, IIS uses request filtering to block several file name extensions and folder
locations from access by HTTP or HTTPS communication. On a distribution point, this
configuration prevents clients from downloading packages that have blocked extensions
or folder locations.

When your package source files have extensions that are blocked in IIS by your request
filtering configuration, set up request filtering to allow them. Use the IIS Manager to edit
the request filtering feature on your distribution point computers.

Additionally, the following file name extensions are used by Configuration Manager for
packages and applications. Make sure that your request filtering configurations don't
block these file extensions:
.PCK
.PKG
.STA
.TAR

For example, source files for a software deployment might include a folder named bin or
have a file that has the .mdb file name extension.

By default, IIS request filtering blocks access to these elements. Bin is blocked as a
Hidden Segment and .mdb is blocked as a file name extension.

When you use the default IIS configuration on a distribution point, clients that use
BITS fail to download this software deployment from the distribution point and
indicate that they're waiting for content.

To let the clients download this content, on each applicable distribution point, edit
Request Filtering in IIS Manager. Allow access to the file extensions and folders
that are in the packages and applications that you deploy.

Important

Edits to the request filter can increase the attack surface of the computer.

Edits that you make at the server level apply to all websites on the server.
Edits that you make to individual websites apply to only that website.

For best security, run Configuration Manager on a dedicated web server. If you
need to run other applications on the web server, use a custom website for
Configuration Manager. For information, see Websites for site system servers.

HTTP verbs
For more information, see Configure request filtering in IIS.

Management points
To make sure that clients can successfully communicate with a management point, on
the management point server make sure IIS allows the following HTTP verbs:

GET
POST
CCM_POST
HEAD
PROPFIND

Distribution points
Distribution points require that IIS allows the following HTTP verbs:

GET
HEAD
PROPFIND

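The PowerShell below is an added example, not part of the documentation. It applies the request filtering changes the text describes to one IIS site rather than to the server: it allows the .mdb extension, removes the bin hidden segment, and reports whether each HTTP verb required by management points and distribution points is permitted on that site. The site name is an assumption; use SMSWEB instead of Default Web Site if you run Configuration Manager on a custom website.

```powershell
# Added example, not from the Configuration Manager docs. Allows the .mdb extension and
# the "bin" segment used as examples in the text, and checks the required HTTP verbs.
# Edits are scoped to one site so other sites on the server keep the default filter.

param([string] $SiteName = 'Default Web Site')   # assumption: SMSWEB if you use a custom website

Import-Module WebAdministration
$site   = "IIS:\Sites\$SiteName"
$filter = 'system.webServer/security/requestFiltering'

# 1. File extensions: add an explicit allow entry for .mdb, or flip an existing deny entry.
$ext = Get-WebConfigurationProperty -PSPath $site -Filter "$filter/fileExtensions" -Name Collection |
       Where-Object { $_.fileExtension -eq '.mdb' }
if (-not $ext) {
    Add-WebConfigurationProperty -PSPath $site -Filter "$filter/fileExtensions" -Name '.' `
        -Value @{ fileExtension = '.mdb'; allowed = 'True' }
} elseif (-not $ext.allowed) {
    Set-WebConfigurationProperty -PSPath $site -Filter "$filter/fileExtensions/add[@fileExtension='.mdb']" `
        -Name allowed -Value 'True'
}

# 2. Hidden segments: remove "bin" so a package folder named bin can be served.
#    The entry is inherited from applicationHost.config; removing it here affects only this site.
$hidden = Get-WebConfigurationProperty -PSPath $site -Filter "$filter/hiddenSegments" -Name Collection
if ($hidden | Where-Object { $_.segment -eq 'bin' }) {
    Remove-WebConfigurationProperty -PSPath $site -Filter "$filter/hiddenSegments" -Name '.' `
        -AtElement @{ segment = 'bin' }
}

# 3. Verbs: report whether each required verb is allowed, honouring allowUnlisted for
#    verbs that have no explicit entry (CCM_POST normally has none).
$required = @{
    ManagementPoint   = 'GET', 'POST', 'CCM_POST', 'HEAD', 'PROPFIND'
    DistributionPoint = 'GET', 'HEAD', 'PROPFIND'
}
$verbs         = Get-WebConfigurationProperty -PSPath $site -Filter "$filter/verbs" -Name Collection
$allowUnlisted = (Get-WebConfigurationProperty -PSPath $site -Filter "$filter/verbs" -Name allowUnlisted).Value

foreach ($role in $required.Keys) {
    foreach ($v in $required[$role]) {
        $entry = $verbs | Where-Object { $_.verb -eq $v }
        $ok = if ($entry) { [bool] $entry.allowed } else { [bool] $allowUnlisted }
        [pscustomobject]@{ Role = $role; Verb = $v; Allowed = $ok }
    }
}
```

Only allow the extensions and segments that your packages actually contain; every allow entry widens what the distribution point will serve to anyone who can reach it, which is why the text recommends a dedicated server and a custom website. Re-run the verb check after any hardening baseline is applied to the server, because baselines commonly set allowUnlisted to false, which blocks CCM_POST unless it's listed explicitly.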
Websites for site system servers in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Several Configuration Manager site system roles require the use of Internet Information
Services (IIS). By default, they use the default IIS website to host site system services.
When you run other web applications on the same server, and settings aren't
compatible with Configuration Manager, consider using a custom website for
Configuration Manager.

Tip

For improved security, dedicate a server for the Configuration Manager site
systems that require IIS. When you run other applications on a Configuration
Manager site system, you increase the attack surface of that computer.

Choosing to use custom websites


By default, site system roles use the Default Web Site in IIS. This configuration is set up
automatically when the site system role installs. However, at primary sites, you can
choose to use custom websites instead.

When you use custom websites:

They're enabled for the entire site instead of for individual site system servers or
roles.

At primary sites, for each computer that will host an applicable site system role,
configure it with a custom website named SMSWEB. Until you create this website,
and set up site system roles on that computer to use the custom website, clients
can't communicate with site system roles on that computer.

Secondary sites are automatically set up to use a custom website when their
primary parent site uses it. Create custom websites in IIS on each secondary site
system server that requires IIS.

Prerequisites for using custom websites


Before you enable the option to use custom websites at a site:

Create a custom website named SMSWEB in IIS on each site system server that
requires IIS. Set this configuration at the primary site and at any child secondary
sites.

Set up the custom website to respond to the same port that you set up for
Configuration Manager client communication. This port is known as the client
request port.

For each custom or default website that uses a custom folder, place a copy of the
default document type that you use in the root folder that hosts the website. For
example, with the typical default configuration, iisstart.htm is one of several
default document types that are available. You can find this file in the root of the
default website. Place a copy of this file or other default document in the root
folder that hosts the SMSWEB custom website. For more information about default
document types, see Default Document for IIS.

About IIS requirements


The following site system roles require IIS and a website to host the site system services:

Distribution point

Enrollment point

Enrollment proxy point

Fallback status point

Management point

Software update point

State migration point

Other considerations:

When a primary site has custom websites enabled, clients that are assigned to that
site are directed to communicate with the custom websites instead of the default
websites.

If you use custom websites for one primary site, consider custom websites for all
primary sites in your hierarchy. This configuration makes sure that clients can
successfully roam within the hierarchy. Roaming is when a client computer moves
to a new network segment that is managed by a different site. Roaming can affect
resources that a client can access locally instead of across a WAN link.

Site system roles that use IIS but don't accept client connections also use the
SMSWEB website instead of the default website. For example, the reporting
services point.

Custom websites require you to assign port numbers that differ from the
computer's default website. A default website and custom website can't run at the
same time if both websites try to use the same TCP/IP ports.

The TCP/IP ports that you set up in IIS for the custom website must match the
client request ports for the site.

Switch between default and custom websites


Although you can check or uncheck the box for using custom websites at a primary site
at any time, plan carefully before you make this change. When this configuration
changes, all applicable site system roles at the primary site and child secondary sites
uninstall and then reinstall.

The following roles reinstall automatically:

Management point

Distribution point

Software update point

Fallback status point

State migration point

You need to manually reinstall the following roles:

Enrollment point

Enrollment proxy point

When you change from the default website to use a custom website, Configuration
Manager doesn't remove the old virtual directories. If you want to remove the files that
Configuration Manager used, manually delete the virtual directories that were created
under the default website.
If you change the site to use custom websites, clients that are already assigned to the
site need to be reconfigured to use the new client request ports for the custom
websites. For more information, see How to configure client communication ports.

Set up custom websites


The steps to create a custom website vary for different OS versions. For exact steps, refer
to the documentation for your OS version.

Use the following general information when applicable:

The website name is SMSWEB.

When you set up HTTPS, specify a PKI certificate before you can save the
configuration.

After you create the custom website, remove the custom website ports that you
use from other websites in IIS:

1. Edit the Bindings of the other websites to remove ports that match the ports
that are assigned to the SMSWEB website.

2. Start the SMSWEB website.

3. Restart the SMS_SITE_COMPONENT_MANAGER service on the site server of
the site.
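
The general steps above, carried out with the WebAdministration cmdlets, as an added example that is not the documentation's own script: it creates the folder and copies the default document, removes the SMSWEB ports from the bindings of the other websites, creates SMSWEB with HTTP and HTTPS bindings, starts it, and restarts Site Component Manager when the computer is also the site server. The physical path, the ports (80 and 443, the product's default client request ports) and the certificate thumbprint are assumptions; the ports must equal the client request ports configured for your site, and the thumbprint must be that of the PKI web server certificate in the computer's personal store.

```powershell
# Added example (not from the Configuration Manager documentation): create the
# SMSWEB custom website on a site system server. Assumes the WebAdministration
# module and an elevated session; path, ports and thumbprint are placeholders.
param(
    [string]$PhysicalPath   = 'C:\inetpub\SMSWEB',      # assumption: any dedicated folder
    [int]$HttpPort          = 80,                        # must equal the HTTP client request port
    [int]$HttpsPort         = 443,                       # must equal the HTTPS client request port
    [string]$CertThumbprint = '<PKI-WEB-SERVER-CERT-THUMBPRINT>'  # placeholder
)

Import-Module WebAdministration
$siteName = 'SMSWEB'   # the name Configuration Manager expects

# 1. Root folder plus a copy of the default document, as the prerequisites require.
if (-not (Test-Path $PhysicalPath)) {
    New-Item -ItemType Directory -Path $PhysicalPath | Out-Null
}
# Filter by name rather than -Name: old WebAdministration builds ignore -Name.
$defaultSite = Get-Website | Where-Object { $_.Name -eq 'Default Web Site' }
if ($defaultSite) {
    $defaultRoot = [Environment]::ExpandEnvironmentVariables($defaultSite.physicalPath)
    $defaultDoc  = Join-Path $defaultRoot 'iisstart.htm'
    if (Test-Path $defaultDoc) { Copy-Item $defaultDoc -Destination $PhysicalPath -Force }
}

# 2. Remove bindings on every other website that use the SMSWEB ports; two
#    websites can't listen on the same TCP port at the same time.
foreach ($site in Get-Website | Where-Object { $_.Name -ne $siteName }) {
    foreach ($binding in Get-WebBinding -Name $site.Name) {
        # bindingInformation looks like "*:80:" or "*:443:host"; the port is field 1
        $port = [int]($binding.bindingInformation -split ':')[1]
        if ($port -in @($HttpPort, $HttpsPort)) {
            Write-Output "Removing $($binding.protocol) binding $($binding.bindingInformation) from '$($site.Name)'"
            Remove-WebBinding -Name $site.Name -Protocol $binding.protocol `
                -BindingInformation $binding.bindingInformation
        }
    }
}

# 3. Create SMSWEB with the HTTP binding, then add HTTPS tied to the PKI certificate.
if (-not (Get-Website | Where-Object { $_.Name -eq $siteName })) {
    New-Website -Name $siteName -PhysicalPath $PhysicalPath -Port $HttpPort | Out-Null
}
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port $HttpsPort
    $cert = Get-Item "Cert:\LocalMachine\My\$CertThumbprint"
    New-Item -Path "IIS:\SslBindings\0.0.0.0!$HttpsPort" -Value $cert | Out-Null
}

# 4. Start SMSWEB; restart Site Component Manager when this host is the site server.
Start-Website -Name $siteName
if (Get-Service -Name SMS_SITE_COMPONENT_MANAGER -ErrorAction SilentlyContinue) {
    Restart-Service -Name SMS_SITE_COMPONENT_MANAGER
}
```

Run it on each site system server that requires IIS, at the primary site and at child secondary sites, before you enable Use custom web site on the Ports tab of the site properties; the roles are reinstalled when that setting changes, so the website has to exist first.
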

Next steps
To configure the site to use a custom web site, enable the setting Use custom web site
on the Ports tab of the site properties. For more information, see Configure client
communication ports.

Diagnostics and usage data for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager collects diagnostics and usage data about itself, which is used
by Microsoft to improve the installation experience, quality, and security of future
releases.

Each Configuration Manager hierarchy enables diagnostics and usage data. It consists of
SQL Server queries that run on a weekly basis on each primary site and at the central
administration site (CAS). When the hierarchy uses a CAS, child primary sites replicate
their data to that CAS. At the top-level site of your hierarchy, the service connection
point submits this information when it checks for updates. If the service connection
point is in offline mode, you transfer the information by using the service connection
tool.

Note

Configuration Manager collects data only from the site's SQL Server database, and
it doesn't collect data directly from clients or site servers.

For more information, see the Microsoft privacy statement.

Next, learn about how Microsoft uses the diagnostics and usage data that Configuration
Manager collects:

How Microsoft uses diagnostics and usage data

Tip

The ConfigurationManager PowerShell module also collects usage data. For more
information, see Configuration Manager cmdlet library privacy statement.

Some of the tools that are included with Configuration Manager collect usage data.
For more information, see Diagnostic usage data for tools.

How Microsoft uses Configuration Manager diagnostics and usage data
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Diagnostic and usage data that Configuration Manager collects provides Microsoft
nearly immediate feedback about how the product is working and is used to adjust
future updates. Microsoft can also see configuration data that helps them engineer and
test the configurations that you use in production. For example:

The Windows server versions used on site servers

Installed language packs

The delta of the SQL Server schema against the product default

This data helps the engineering team plan future tests to make sure you have the best
experience with the most common configurations. This data is crucial to quickly adjust
and adapt with a frequent release cycle.

Equally important is how the diagnostics and usage data isn't used. Microsoft doesn't
use this data for:

Licensing audits, such as comparing customer usage against license agreements

Auditing of products that are out of support

Advertising based on available data such as feature usage or geolocation (time
zone)

Microsoft uses available data to improve the product. For example:

The initial support offered by the current branch of Configuration Manager limited
the support timeline for Windows Server 2008 R2. Microsoft examined the usage
data from customers who had upgraded to the Configuration Manager current
branch. They then identified the need to revise and extend this timeline to support
customers who still use this OS.

Microsoft improved the prerequisite checks for installing an update. They removed
obsolete rules, accounted for additional cases, and automatically remediated some
issues.

Next, learn about how Configuration Manager collects diagnostics and usage data
about itself:

How Configuration Manager collects data


How Configuration Manager collects diagnostics and usage data
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To collect diagnostics and usage data for Configuration Manager, each primary site runs
SQL Server queries on a weekly basis. In a multi-site hierarchy, the data is replicated to
the central administration site.

At the top-level site of a hierarchy, the service connection point submits this information
when it checks for updates. The mode of the service connection point determines how
the data is transferred:

Online: Once a week, the service connection point automatically sends diagnostics
and usage data to the cloud service.

Offline: You manually transfer diagnostics and usage data with the service
connection tool.

For more information, see About the service connection point.

Next, you can view diagnostic and usage data to confirm that your Configuration
Manager hierarchy contains no sensitive information:

How to view diagnostics and usage data

Tip

The ConfigurationManager PowerShell module also collects usage data. For more
information, see Configuration Manager cmdlet library privacy statement.

Some of the tools that are included with Configuration Manager collect usage data.
For more information, see Diagnostic usage data for tools.

How to view diagnostics and usage data for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can view diagnostic and usage data from your Configuration Manager hierarchy to
confirm that it includes no sensitive or identifiable information. The site summarizes and
stores its diagnostic data in the TEL_TelemetryResults table of the site database. It
formats the data to be programmatically usable and efficient.

The information in this article gives you a view of the exact data sent to Microsoft. It's
not intended to be used for other purposes, like data analysis.

View data in database


Use the following SQL command to view the contents of this table and show the exact
data that's sent:

SQL

SELECT * FROM TEL_TelemetryResults

Export the data


When the service connection point is in offline mode, use the service connection tool to
export the current data to a comma-separated values (CSV) file. Run the service
connection tool on the service connection point with the -Export parameter.

For more information, see Use the service connection tool.

One-way hashes
Some data consists of strings of random alphanumeric characters. Configuration
Manager uses the SHA-256 algorithm to create one-way hashes. This process makes
sure that Microsoft doesn't collect potentially sensitive data. The hashed data can still be
used for correlation and comparison purposes.

For example, instead of collecting the names of tables in the site database, it captures
the one-way hash for each table name. This behavior makes sure that any custom table
names aren't visible. Microsoft then does the same one-way hash process of the default
SQL Server table names. Comparing the results of the two queries determines the
deviation of your database schema from the product default. This information is then
used to improve updates that require changes to the SQL Server schema.

When you view the raw data, a common hashed value appears in each row of data. This
hash is the support ID, also known as the hierarchy ID. It's used to correlate data with
the same hierarchy without identifying the customer or source.

How the one-way hash works


1. Get your support ID from the Configuration Manager console. Select the arrow in
the upper left corner of the ribbon, and then choose About Configuration
Manager. You can select and copy the support ID from the window that opens.

2. Use the following Windows PowerShell script to do the one-way hash of your
support ID.

PowerShell

Param( [Parameter(Mandatory=$True)] [string]$value )

$guid = [System.Guid]::NewGuid()

if( [System.Guid]::TryParse($value,[ref] $guid) -eq $true ) {
    # Many of the values we hash are GUIDs: hash the GUID's raw bytes
    $bytesToHash = $guid.ToByteArray()
} else {
    # Otherwise hash the value as a Unicode (UTF-16) string
    $ue = New-Object System.Text.UnicodeEncoding
    $bytesToHash = $ue.GetBytes($value)
}

# Load Hash Provider (https://en.wikipedia.org/wiki/SHA-2)
$hashAlgorithm = [System.Security.Cryptography.SHA256Cng]::Create()

# Hash the input
$hashedBytes = $hashAlgorithm.ComputeHash($bytesToHash)

# Base64 encode the result for transport
$result = [Convert]::ToBase64String($hashedBytes)

return $result

3. Compare the script output against the GUID in the raw data. This process shows
how the data is obscured.
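
Step 3 can be automated so that the comparison covers every row rather than a visual check. The following script is an added example, not part of the documentation: it hashes the support ID with the same rules as the script above (GUIDs from their 16 raw bytes, anything else from its UTF-16 encoding, then Base64 of SHA-256), reads TEL_TelemetryResults with the SELECT shown earlier, and counts the rows whose columns contain the hash, without assuming any column names. It also confirms that the plain support ID itself appears nowhere. It assumes the SqlServer PowerShell module for Invoke-Sqlcmd and placeholder values for the site database server and database name.

```powershell
# Added example (not the product documentation's own script): verify that the
# site database stores the hashed support ID, not the plain one. Assumes the
# SqlServer module (Invoke-Sqlcmd); server and database names are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$SupportId,
    [string]$ServerInstance = '<SITE-DB-SERVER\INSTANCE>',   # placeholder
    [string]$Database       = '<CM_SITECODE>'                 # placeholder site database
)

# Same algorithm as the documented hash script: GUIDs are hashed from their raw
# bytes, other strings from their UTF-16 encoding; result is Base64(SHA-256).
function Get-OneWayHash([string]$Value) {
    $guid = [System.Guid]::Empty
    if ([System.Guid]::TryParse($Value, [ref]$guid)) {
        $bytes = $guid.ToByteArray()
    } else {
        $bytes = [System.Text.Encoding]::Unicode.GetBytes($Value)
    }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { return [Convert]::ToBase64String($sha.ComputeHash($bytes)) }
    finally { $sha.Dispose() }
}

$hash = Get-OneWayHash $SupportId
Write-Output "Hashed support ID: $hash"

Import-Module SqlServer
$rows = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database `
            -Query 'SELECT * FROM TEL_TelemetryResults')

# Search every column of every row; a value may embed the hash in longer text.
function Find-Rows([object[]]$DataRows, [string]$Needle) {
    return @($DataRows | Where-Object {
        ($_.ItemArray | ForEach-Object { "$_" }) -like "*$Needle*"
    })
}

$hashed = Find-Rows $rows $hash
$plain  = Find-Rows $rows $SupportId

Write-Output ("{0} of {1} rows carry the hashed support ID" -f $hashed.Count, $rows.Count)
if ($hashed.Count -eq 0) {
    Write-Warning 'No row contains the hash: check that the support ID was copied exactly and that the weekly collection has run'
}
if ($plain.Count -gt 0) {
    # Expected to be zero; a hit means the raw identifier is present in the data
    Write-Warning ("{0} rows contain the plain support ID" -f $plain.Count)
}
```

Because the hash is deterministic, the same technique lets you confirm that any other value you worry about (a custom table name, for example) appears only in hashed form: hash it with Get-OneWayHash and search for both the plain string and the hash.
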

Next steps
Next, learn about the levels of diagnostics and usage data that Configuration Manager
collects:

Levels of diagnostic usage data


Diagnostic usage data for tools
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Some of the tools that are included with Configuration Manager collect usage data.
Microsoft uses this data to improve the quality of these tools, and better understand
customer usage. Microsoft collects data for the following Configuration Manager tools:

Client tools
Server tools
Support Center
CMTrace

For more general information about these tools, see Configuration Manager Tools.

Note

The ConfigurationManager PowerShell module also collects usage data. For more
information, see Configuration Manager cmdlet library privacy statement.

The following data is collected for these tools:

Version
Start and stop times to calculate duration of use

Because these tools can run on any Windows device, they all use the Windows
diagnostic data channel. They don't rely on Configuration Manager diagnostic data
collection. The device on which the tool runs needs to be configured for at least
Optional diagnostic data. If you configure the device for any other setting, Windows
won't collect data for these Configuration Manager tools. For more information on these
Windows diagnostic data levels, see the following articles:

Windows 10, version 1709 and newer optional diagnostic data

Configure Windows diagnostic data in your organization

Next, see the frequently asked questions about diagnostic and usage data for
Configuration Manager:

Frequently asked questions


Levels of diagnostic usage data
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

Configuration Manager collects three levels of diagnostics and usage data: Basic,
Enhanced, and Full. By default, this feature is set at the Enhanced level.

Important

Configuration Manager doesn't collect site codes, site names, IP addresses, user
names, computer names, physical addresses, or email addresses on the Basic or
Enhanced levels. Any collection of this information on the Full level isn't purposeful.
It's potentially included in advanced diagnostic information like log files or memory
snapshots. Microsoft doesn't use this information to identify you, contact you, or
develop advertising.

Levels

Basic
The Basic level includes data about your hierarchy. It's required to help improve your
installation or upgrade experience. This data also helps determine the Configuration
Manager updates that are applicable for your hierarchy.

Enhanced
The Enhanced level is the default after setup finishes. This level includes data that's
collected in the Basic level and feature-specific data. It shows frequency and duration of
use of different features. It also includes Configuration Manager client settings data:
component name, state, and certain settings like polling intervals. Information about
software updates is limited to feature usage; it doesn't include data about update
compliance at this level.

Microsoft recommends this level because it provides the minimum data to make
product and service improvements.

Some examples of data that this level doesn't collect include:

Names of sites, users, computers, or other objects

Details of security-related objects

Vulnerabilities like counts of systems that require software updates

Full
The Full level includes all data in the Basic and Enhanced levels. It also includes
additional information about Endpoint Protection, update compliance percentages, and
software update information. This level can also include advanced diagnostic
information like system files and memory snapshots. This advanced data might include
personal information that exists in memory or log files at the time of capture.

How to change the level


To change the data collection level, you need Modify permissions on the Site object
class.

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. Select Hierarchy Settings in the ribbon.

3. Switch to the Diagnostic and Usage Data tab, then choose the data level.

Version-specific details
The following articles detail the specific data that Configuration Manager collects at
each level with each supported version:

Diagnostic and usage data for 2303
Diagnostic and usage data for 2211
Diagnostic and usage data for 2207
Diagnostic and usage data for 2203
Diagnostic and usage data for 2111

Next steps
Next, learn about the diagnostics and usage data that Configuration Manager collects
for its tools:

Diagnostic usage data for tools


Diagnostic and usage data for version 2303
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

The following sections provide additional detail about data collected at each level. For
more information on the levels and how to change them, see Levels of diagnostic usage
data.

Changes from previous versions are noted with [New], [Updated], [Removed], or
[Moved].

Important

Configuration Manager doesn't collect IP addresses, user names, computer names,
physical addresses, or email addresses on the Basic or Enhanced levels. Any
collection of this information on the Full level is not purposeful. It is potentially
included in advanced diagnostic information like log files or memory snapshots.
Microsoft doesn't use this information to identify you, contact you, or develop
advertising.

Level 1 - Basic
For Configuration Manager version 2303, this level includes the following data:

Application management (Level 1)


Basic application and deployment type counts: total apps, total apps with multiple
deployment types, total apps with dependencies, total superseded apps, and count
of deployment technologies in use

Count of Microsoft Edge installations

Count of clients by default and preferred browser

Client (Level 1)
Count of client languages and locales
Count of Configuration Manager client versions, OS versions, and Office versions

Count of Windows 10 and later devices by branch, build, and unique Active
Directory forest

Count of clients joined to Azure Active Directory (Azure AD)

Count of extended interoperability clients

Count of clients by Windows OS age, to the nearest three-month interval

Top 10 processor names used on clients and servers

Use of the bulk registration token

Count of clients by identity source and registration method. For example, Active
Directory, Azure AD, or PKI client authentication certificate.

Count of clients by OS type and version that are joined to Azure AD or hybrid-
joined

Count of clients by OS and system processor type

Statistics for the number of collections and machines with power configuration
management settings assigned

Cloud services (Level 1)


[New] Count of existing and new devices that are cloud attached since the last
data collection

Count of clients by co-management enrollment method

Error statistics for co-management enrollment

Aggregated usage statistics of co-management: number of clients ever enrolled,
number of enrolled clients, number of clients pending enrollment, clients receiving
policy, workload states, pilot/exclusion collection sizes, and enrollment errors

Count of clients piloting or using each co-management workload

Count of Azure AD applications and services connected to Configuration Manager

Cloud attach and detach actions

Status of last sync with Intune cloud service


Configuration and usage statistics of cloud management gateway: counts of
regions and environments, and authentication/authorization statistics

Summarized count of Endpoint Analytics events

Aggregated statistics on Desktop Analytics enrollment errors and usage

Count of clients by OS type and version that are co-managed, cloud-attached, or
use a cloud management gateway (CMG)

Configuration Manager console (Level 1)


Statistics about Configuration Manager console connections: OS version, language,
SKU and architecture, system memory, logical processor count, connect site ID,
installed .NET versions, console language packs, and capable authentication level

Hashed list of extensions to Configuration Manager console property pages and
wizards

Configuration Manager console crash locations

Configuration Manager console usage statistics

Configuration Manager console notification configuration and status

Protection (Level 1)
Basic Endpoint Protection information about antimalware client versions

Existence of Microsoft BitLocker Administration and Monitoring (MBAM) server-
side extensions

BitLocker management client counts summarized by enrollment and TPM state

Setup (Level 1)
Build, install type, language packs, features that you enabled

Pre-release use, setup media type, branch type

Software Assurance expiration date

Update pack deployment status and errors, download progress, and prerequisite
errors

Use of early update ring

Version of post-upgrade script

Central administration site removal status

Site database (Level 1)


Basic database configuration: processors, memory size, memory settings,
Configuration Manager database configuration, Configuration Manager database
size, cluster configuration, configuration of distributed views, and change tracking
version

Database performance metrics: replication processing information, top SQL Server
stored procedures by processor, and disk usage

SQL Server version, service pack level, edition, collation ID, and character set

Hashed list of top SQL queries by memory usage and lock count

SQL Server Always On availability group replica information, usage, and health
status

Site infrastructure (Level 1)


[New] Count of Azure Active Directory users and Windows users requesting in
Admin Service

Basic Configuration Manager site hierarchy data: site list, type, version, status,
client count, time zone, and health status

Basic discovery statistics: discovery count, minimum/maximum/average group
sizes, and when the site is running entirely with Azure Active Directory Services

Basic site system server information: site system roles used, internet and SSL status,
OS, processors, physical or virtual machine, and usage of site server high
availability

Configured level for diagnostics and usage data, online or offline mode, and fast
update configuration

Distribution point and management point types and basic configuration
information: protected, prestaged, PXE, multicast, SSL state, pull/peer distribution
points, MDM-enabled, and SSL-enabled

Diagnostics and usage data statistics: when run, runtime, errors

Hashed list of hardware inventory properties longer than 255 characters

Count and processing rates of key Configuration Manager objects: data discovery
records (DDR), state messages, status messages, hardware inventory, software
inventory, and overall count of files in inboxes

Site server disk and processor performance information

Uptime and memory usage information for Configuration Manager site server
processes

Count of crashes for Configuration Manager site server processes, and Watson
signature ID, if available

[Updated] Hash of key site attributes (site ID, site codes, site names, SQL Server
broker ID, and site exchange key)

Status and health of the administration service

Counts of errors from administration service

Site health information

Site health check configuration and status

Version of Visual Studio redistributable and .NET Framework installed on clients
and site system servers

Summarized hierarchy health and activity status

Miscellaneous (Level 1)
Basic OS deployment counts of images

Count of Windows clients that use Windows Update for Business

Count of operating systems for managed devices and policies set by the Exchange
Connector

Count of phased deployments created by type

Count of categorized and uncategorized applications for asset intelligence

Aggregated count of upgrade readiness assessments


Number of software updates referenced by task sequence

Level 2 - Enhanced
For Configuration Manager version 2303, this level includes the following data:

Application management (Level 2)


App requirements: count of built-in conditions referenced by deployment
technology

App supersedence, maximum depth of chain

Application approval statistics and usage frequency

Application content size statistics

Application deployment information: use of install versus uninstall, requires
approval, user interaction enabled/disabled, dependency, supersedence, and usage
count of install behavior feature

Application policy size and complexity statistics

Available application request statistics

Basic configuration information for packages and programs: deployment options
and program flags

Basic usage/targeting information for deployment types: user versus device
targeted, required versus available, and universal apps

Count of application applicability by OS

Count of applications referenced in a task sequence

Count of distinct branding for application catalog

Count of Microsoft 365 Apps applications created using dashboard

Count of packages by type

Count of package/program deployments

Count of Windows 10 and later licensed application licenses

Count of Windows Installer deployment types by uninstall content settings


Count of Microsoft Store for Business apps and sync statistics: summarized types
of apps, licensed app status, and number of online and offline licensed apps

Maintenance window type and duration

Minimum/maximum/average number of application deployments per user/device
per time period

Most common application installation error codes by deployment technology

MSI configuration options and counts

Statistics on end-user interaction with notification for required software
deployments

Universal Data Access usage, how created

Aggregated user device affinity statistics

Max and average primary users per device

Application global condition usage by type

Software Center customization configuration, including use of settings to configure
Software Center and notification branding

Package Conversion Manager readiness and counts

Count of application detection methods by type

Count of application enforcement errors

MSI installer properties

Statistics of user install requests

Aggregated statistics on the use of the email approval feature

File count, content size, services count, and custom action count of MSIs in
application catalog

Count of devices by Office ProPlus readiness state

Aggregated statistics on the use of application groups

Aggregated statistics on Office add-ins, usage of the Office Readiness Toolkit, and
counts of clients with Microsoft 365 Apps

Aggregated statistics on Office add-in health

Count and size of Office Pro Plus pilot collections

Number of Office Pro Plus devices sending Office health data

Count of the type of actions used on apps over time

Client (Level 2)
Active Management Technology (AMT) client version

BIOS age in years, and distribution of ages in months

Count of devices with Secure Boot enabled

Count of devices by TPM state

Client auto-upgrade: deployment configuration including client piloting and
exclusion usage (extended interoperability client)

Client deployment download errors

Client health statistics and top issue summary by client version, component, OS,
and workload

Client notification operation action status: how many times each is run, max
number of targeted clients, and average success rate

Count of client installations from each source location type

Count of client installation failures

Count of devices virtualized by Hyper-V or Azure

Count of Software Center actions

Count of UEFI-enabled devices

Deployment methods used for client and count of clients per deployment method

List/count of enabled client agents

OS age in months

Number of hardware inventory classes, software inventory rules, file collection
rules, and overall health status

Statistics for device health attestation: most common error codes, number of on-
premises servers, and counts of devices in various states

Count of devices by default browser

Count of Configuration Manager-generated server authentication certificates

Count of Microsoft Surface devices by model

Count of client health check failures by issue type

Count of status (total/approved/blocked) for client certificate types

Client counts for different user/device relationship types

Count of clients in VPN boundaries

Power plans with their peak and non-peak usage statistics

Power plan peak usage statistics

Power plan setting options usage statistics

Cloud services (Level 2)


Azure AD discovery statistics

Count of collections synced to Azure Log Analytics

Count of Upgrade Analytics Connectors

Whether the Azure Log Analytics cloud connector is enabled

Count of pull-distribution points with a cloud distribution point as a source
location

Usage of the cloud services onboarding wizard

Cloud services configuration onboarding properties

Cloud services endpoint connectivity and component health

Usage of the cloud-attach wizard

Cloud Distribution Point usage statistics

CMPivot (Level 2)
CMPivot usage statistics

Count of saved CMPivot queries

Count of queries by entity type

Co-management (Level 2)
Enrollment schedule and historical statistics

Count of clients eligible for co-management

Associated Microsoft Intune tenant

Collections (Level 2)
Collection ID usage (not running out of IDs)

Collection evaluation statistics: query time, assigned versus unassigned counts,
counts by type, ID rollover, and rule usage

Collections without a deployment

Count of collections synchronized to Azure AD, including type and size

Statistics for collection member counts and collection rule counts

Statistics about the collection rule WMI class query dependencies

Compliance settings (Level 2)


Basic configuration baseline information: count, number of deployments, number
of references, and frequency of changes

Compliance policy error statistics

Count of configuration items by type

Count of deployments that reference built-in settings, including remediate setting

Count of rules and deployments created for custom settings, including remediate
setting

Count of deployed Simple Certificate Enrollment Protocol (SCEP), VPN, Wi-Fi,
certificate (.pfx), and compliance policy templates

Count of SCEP certificate, VPN, Wi-Fi, certificate (.pfx), and compliance policy
deployments by platform

Windows Hello for Business policy (created, deployed)

Count of deployed Microsoft Edge Legacy browser policies

Count of OneDrive policies (created, deployed)

Count of compliance settings deployed by category, OS, and source (cloud vs on-
premises)

Company resource access profile settings usage

Configuration Manager console (Level 2)


Counts of active and viewed console notification messages by type

Count of folders by object type

Console performance information

25 most common actions, wizards, property sheets, and tree nodes accessed in the
console

List of installed console extensions, and whether they're enabled, required, or approved

Summary of size and count of admin persisted settings

Selected console usage information

Unsigned extension policy

Console dark mode usage

Content (Level 2)
Boundary group statistics: how many fast, how many slow, count per group, and
fallback relationships

Boundary group information: count of boundaries and site systems that are
assigned to each boundary group

Boundary group relationships and fallback configuration


Client content download statistics

Count of boundaries by type

Count of peer cache clients, usage statistic, and partial download statistics

Distribution Manager configuration information: threads, retry delay, number of retries, and pull distribution point settings

Distribution point configuration information: use of branch cache and distribution point monitoring

Distribution point group information: count of packages and distribution points that are assigned to each distribution point group

Content library type, whether local or remote

Count of boundary groups by configuration

Count of subnets excluded from peer cache

Count and type of operations on the SMSDPProvider service for distribution points

Protection (Level 2)
Microsoft Defender for Endpoint policies (formerly known as Windows Defender
for Endpoint): count of policies, and whether policies are deployed.

Count of alerts that are configured for Endpoint Protection feature

Count of collections that are selected to appear in Endpoint Protection dashboard

Count of Windows Defender Exploit Guard policies, deployments, and targeted clients

Endpoint Protection deployment errors, count of Endpoint Protection policy deployment error codes

Endpoint Protection antimalware and Windows Firewall policy usage (number of unique policies assigned to group). This data doesn't include any information about the settings included in the policy.

Aggregated statistics for Microsoft Defender for Endpoint policies

Count of Microsoft Defender Application Guard policies, deployments, and targeted clients

Count of Microsoft Defender Application Control policies, deployments, and targeted clients

Migration (Level 2)
Count of migrated objects (use of migration wizard)

Mobile device management (MDM) (Level 2)
Count of issued mobile device actions: lock, PIN reset, wipe, retire, and sync now commands

Count of mobile device policies

Count of mobile devices Configuration Manager manages, and how you enrolled
them (bulk, user-based)

Count of users who have multiple enrolled mobile devices

Mobile device polling schedule and statistics for mobile device check-in duration

On-premises mobile device management (MDM) (Level 2)
Count of Windows bulk enrollment packages and profiles

Deployment success/failure statistics for on-premises MDM application deployments

OS deployment (Level 2)
Count of boot images, drivers, driver packages, multicast-enabled distribution
points, PXE-enabled distribution points, and task sequences

Count of boot images by Configuration Manager client version

Count of boot images by Windows PE version

Count of edition upgrade policies

Count of hardware identifiers excluded from PXE

Count of OS deployment by OS version

Count of OS upgrades over time


Count of task sequence deployments using option to pre-download content

Counts of task sequence step usage

Version of Windows ADK installed

Count of image servicing tasks

Count of imported machines

Count of duplicate hardware identifiers (MAC address and SMBIOS GUID) excluded
from PXE and client registration

Count of task sequences by type (OS deployment or generic task sequence)

Count of packages with pre-cache content settings

Grouped sizes of task sequence policies

Count of error codes from feature upgrades for Windows clients

Count of supported and unsupported OS versions

Count of task sequences and legacy packages with custom icons

Site updates (Level 2)
Versions of installed Configuration Manager hotfixes

Software updates (Level 2)
Available and deadline deltas that are used in automatic deployment rules

Average and maximum number of assignments per update

Client update evaluation and scan schedules

Classifications synced by the software update point

Cluster patching statistics

Configuration of Windows express updates

Configurations that are used for active Windows servicing plans

Count of deployed Microsoft 365 Apps updates


Count of Microsoft Surface drivers synced

Count of update groups and assignments

Count of update packages and the maximum/minimum/average number of distribution points that are targeted with packages

Count of updates that are created and deployed with System Center Update
Publisher

Count of Windows Update for Business policies created and deployed

Aggregated statistics of Windows Update for Business configurations

Number of automatic deployment rules that are tied to synchronization

Number of automatic deployment rules that create new or add updates to an existing group

Number of automatic deployment rules that have multiple deployments

Number of update groups and minimum/maximum/average number of updates per group

Number of updates and percentage of updates that are deployed, expired, superseded, downloaded, and contain EULAs

Software update point load-balancing statistics

Software update point synchronization schedule

Total/average number of collections that have software update deployments and the maximum/average number of deployed updates

Update scan error codes and machine count

Windows servicing dashboard content versions

Count of third-party software update catalog subscriptions and usage

Count of software updates deployed with and without content

Aggregated statistics on the number of UUP updates that are required, deployed,
expired, superseded, and downloaded

Use of UUP product categories

Count of clients that have deployed at least one UUP quality update or UUP feature update

Top UUP error codes and count of affected devices

List of subscriptions to third-party software update catalogs

Use of WSUS maintenance settings

Orchestration group usage

Windows Update fallback configuration settings

Type, size, and timeout settings of orchestration group scripts

Software Update Point setting options statistics

SQL/performance data (Level 2)
Configuration and duration of site summarization

Count of largest database tables

Discovery operational statistics (count of objects found)

Discovery types, enabled, and schedule (full, incremental)

SQL Server change tracking performance issues, retention period, and autocleanup
state

SQL Server change tracking retention period

State and status message performance statistics including most common and most
expensive message types

Management point traffic statistics (total bytes sent and received by endpoint)

Management point performance counter measurements

Aggregated performance statistics of calls made to Software Center endpoints on the management point

SQL Server maintenance task configuration and status

Status of recent re-initialization requests

Miscellaneous (Level 2)
Configuration of data warehouse service point including synchronization schedule,
average time, and use of customized tables feature

Count of scripts and run/edit statistics

Count of sites with Wake On LAN (WOL)

Reporting usage and performance statistics

Phased deployment usage statistics

Management insights item counts and progress

Count of crashes for unique non-Configuration Manager processes on the site server, and Watson signature ID, if available

Aggregated system boot time statistics by OS, form-factor, and drive type

Usage of the Azure migration tool

Count of clients with browser usage

Summary of how many site systems have the proxy enabled and how many are
authenticated proxy, including configuration, usage patterns, and traffic patterns

Usage information for the last seven days of in-console product feedback

Count of site-to-site accounts by type

Usage statistics for user and device custom properties

Count and type of edits to asset intelligence categories

Level 3 - Full
For Configuration Manager version 2303, this level includes the following data:

Automatic deployment rule evaluation schedule information

ATP health summary

Collection evaluation and refresh statistics

Compliance policy statistics on compliance and errors

Compliance settings: SCEP, VPN, Wi-Fi, and compliance policy template configuration details

DCM config pack for Configuration Manager usage

Detailed client deployment installation errors

Endpoint Protection health summary: including count of protected, at risk, unknown, and unsupported clients

Endpoint Protection policy configuration

List of processes configured with installation behavior for applications

Minimum/maximum/average number of hours since last software update scan

Minimum/maximum/average number of inactive clients in software update deployment collections

Minimum/maximum/average number of software updates per package

MSI product code deployment statistics

Overall compliance of software update deployments

Count of groups that have expired software updates

Software update deployment error codes and counts

Software update deployment information: percentage of deployments that are targeted with client versus UTC time, required versus optional versus silent, and reboot suppression

Software update products synced by software update point

Software update scan success percentages

Top 50 CPUs in the environment

Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages

Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts

Count of clients pushed with option to not allow fallback to NTLM

List of Configuration Manager console extensions


Diagnostic and usage data for version 2211
Article • 12/05/2022

Applies to: Configuration Manager (current branch)

The following sections provide additional detail about data collected at each level. For
more information on the levels and how to change them, see Levels of diagnostic usage
data.

Changes from previous versions are noted with [New], [Updated], [Removed], or
[Moved].

Important

Configuration Manager doesn't collect IP addresses, user names, computer names, physical addresses, or email addresses on the Basic or Enhanced levels. Any collection of this information on the Full level is not purposeful. It is potentially included in advanced diagnostic information like log files or memory snapshots. Microsoft doesn't use this information to identify you, contact you, or develop advertising.
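
The note above says that Full-level diagnostic material such as log files can still carry the identifiers the Basic and Enhanced levels avoid. Before such logs leave your environment, a practitioner would want a pre-submission check. The following Python script is an added example, not part of Configuration Manager or its documentation: it parses CMTrace-format log entries (the line format Configuration Manager logs use), replaces the identifier classes the note names (IP addresses, user names, computer names as FQDNs or UNC hosts, and email addresses) with placeholders, and reports hits per class and per logging component. The sample log lines are constructed for this example; the regular expressions, category names and function names are this example's own assumptions and are a starting point rather than a complete redaction policy (postal addresses, for instance, are not handled).

```python
"""Pre-submission scan of Configuration Manager (CMTrace-format) log files for the
identifier classes that the Important note says may appear in Full-level diagnostic
material. Added example; not part of Configuration Manager. Sample log lines are
constructed, and the patterns below are this example's own assumptions (a starting
point, not a complete redaction policy; postal addresses are not handled)."""
import re
from collections import Counter

# Constructed sample entries in the CMTrace line format used by Configuration Manager logs.
SAMPLE_LOG = r"""<![LOG[Successfully connected to MP: https://cm01.corp.example.com/SMS_MP]LOG]!><time="10:02:14.123+000" date="12-05-2022" component="ClientLocation" context="" type="1" thread="4521" file="">
<![LOG[Client request from 10.20.30.44 rejected, user CORP\jsmith]LOG]!><time="10:02:15.001+000" date="12-05-2022" component="MP_ClientID" context="" type="2" thread="4521" file="">
<![LOG[Sending approval mail to admin@example.com]LOG]!><time="10:02:16.777+000" date="12-05-2022" component="SMS_NOTIFICATION_SERVER" context="" type="1" thread="88" file="">
<![LOG[Content located at \\DP01.corp.example.com\SMSPKGD$\ABC00012]LOG]!><time="10:02:17.000+000" date="12-05-2022" component="ContentAccess" context="" type="1" thread="12" file="">
<![LOG[Hardware inventory cycle completed]LOG]!><time="10:02:18.000+000" date="12-05-2022" component="InventoryAgent" context="" type="1" thread="12" file="">
"""

# One CMTrace entry: <![LOG[message]LOG]!><attr="value" ...>
CMTRACE_LINE = re.compile(r"<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>")
ATTR = re.compile(r'(\w+)="([^"]*)"')

# Identifier classes from the note (IPs, user names, computer names, email) mapped to
# assumed patterns. Applied in this order so a UNC path or email address is replaced
# whole before the host-name and DOMAIN\user patterns see its pieces.
PATTERNS = [
    ("unc_path", re.compile(r"\\\\[\w.-]+\\[^\s\]]+")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("ipv4", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("fqdn", re.compile(r"\b(?!\d+\.)[\w-]+(?:\.[\w-]+)*\.(?:com|net|org|local|corp|int)\b", re.I)),
    ("domain_user", re.compile(r"\b[A-Za-z0-9_-]+\\[A-Za-z0-9_.-]+\b")),
]


def parse_cmtrace(text):
    """Yield (message, attribute dict) for every CMTrace entry in text."""
    for m in CMTRACE_LINE.finditer(text):
        yield m.group("msg"), dict(ATTR.findall(m.group("attrs")))


def redact_message(msg):
    """Replace each identifier class with a placeholder; return (text, Counter of hits)."""
    hits = Counter()
    for name, pattern in PATTERNS:
        msg, n = pattern.subn(f"<{name.upper()}>", msg)
        if n:
            hits[name] += n
    return msg, hits


def scan_log(text):
    """Scan a whole log; return redacted lines plus hit counts by class and by component."""
    lines, by_category, by_component = [], Counter(), Counter()
    for msg, attrs in parse_cmtrace(text):
        clean, hits = redact_message(msg)
        lines.append(f'{attrs.get("date", "")} {attrs.get("time", "")} '
                     f'[{attrs.get("component", "")}] {clean}')
        by_category.update(hits)
        if hits:
            by_component[attrs.get("component", "")] += sum(hits.values())
    return {"lines": lines, "by_category": dict(by_category), "by_component": dict(by_component)}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    print("hits by class:", result["by_category"])
    print("hits by component:", result["by_component"])
    for line in result["lines"]:
        print(line)
```

Run it against a copy of the log directory and review the per-component counts first: a component that logs identifiers on every line is a sign the source log should be excluded from the submission altogether rather than scrubbed line by line. Memory snapshots, which the note also mentions, cannot be handled this way and should be treated as containing whatever was in process memory.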

Level 1 - Basic
For Configuration Manager version 2211, this level includes the following data:

Application management (Level 1)
Basic application and deployment type counts: total apps, total apps with multiple deployment types, total apps with dependencies, total superseded apps, and count of deployment technologies in use

Count of Microsoft Edge installations

Count of clients by default and preferred browser

Client (Level 1)
Count of client languages and locales
Count of Configuration Manager client versions, OS versions, and Office versions

Count of Windows 10 and later devices by branch, build, and unique Active
Directory forest

Count of clients joined to Azure Active Directory (Azure AD)

Count of extended interoperability clients

Count of clients by Windows OS age, to the nearest three-month interval

Top 10 processor names used on clients and servers

Use of the bulk registration token

Count of clients by identity source and registration method. For example, Active
Directory, Azure AD, or PKI client authentication certificate.

Count of clients by OS type and version that are joined to Azure AD or hybrid-
joined

Count of clients by OS and system processor type

Statistics for the number of collections and machines with power configuration
management settings assigned

Cloud services (Level 1)
Count of clients by co-management enrollment method

Error statistics for co-management enrollment

Aggregated usage statistics of co-management: number of clients ever enrolled, number of enrolled clients, number of clients pending enrollment, clients receiving policy, workload states, pilot/exclusion collection sizes, and enrollment errors

Count of clients piloting or using each co-management workload

Count of Azure AD applications and services connected to Configuration Manager

Cloud attach and detach actions

Status of last sync with Intune cloud service

Configuration and usage statistics of cloud management gateway: counts of regions and environments, and authentication/authorization statistics

Summarized count of Endpoint Analytics events

Aggregated statistics on Desktop Analytics enrollment errors and usage

Count of clients by OS type and version that are co-managed, cloud-attached, or use a cloud management gateway (CMG)

Configuration Manager console (Level 1)
Statistics about Configuration Manager console connections: OS version, language, SKU and architecture, system memory, logical processor count, connect site ID, installed .NET versions, console language packs, and capable authentication level

Hashed list of extensions to Configuration Manager console property pages and wizards

Configuration Manager console crash locations

Configuration Manager console usage statistics

Configuration Manager console notification configuration and status

Protection (Level 1)
Basic Endpoint Protection information about antimalware client versions

Existence of Microsoft BitLocker Administration and Monitoring (MBAM) server-side extensions

BitLocker management client counts summarized by enrollment and TPM state

Setup (Level 1)
Build, install type, language packs, features that you enabled

Pre-release use, setup media type, branch type

Software Assurance expiration date

Update pack deployment status and errors, download progress, and prerequisite
errors

Use of early update ring

Version of post-upgrade script

Central administration site removal status

Site database (Level 1)
Basic database configuration: processors, memory size, memory settings, Configuration Manager database configuration, Configuration Manager database size, cluster configuration, configuration of distributed views, and change tracking version

Database performance metrics: replication processing information, top SQL Server stored procedures by processor, and disk usage

SQL Server version, service pack level, edition, collation ID, and character set

Hashed list of top SQL queries by memory usage and lock count

SQL Server Always On availability group replica information, usage, and health
status

Site infrastructure (Level 1)
Basic Configuration Manager site hierarchy data: site list, type, version, status, client count, time zone, and health status

Basic discovery statistics: discovery count, minimum/maximum/average group sizes, and when the site is running entirely with Azure Active Directory Services

Basic site system server information: site system roles used, internet and SSL status,
OS, processors, physical or virtual machine, and usage of site server high
availability

Configured level for diagnostics and usage data, online or offline mode, and fast
update configuration

Distribution point and management point types and basic configuration information: protected, prestaged, PXE, multicast, SSL state, pull/peer distribution points, MDM-enabled, and SSL-enabled

Diagnostics and usage data statistics: when run, runtime, errors

Hashed list of hardware inventory properties longer than 255 characters

Count and processing rates of key Configuration Manager objects: data discovery
records (DDR), state messages, status messages, hardware inventory, software
inventory, and overall count of files in inboxes

Site server disk and processor performance information

Uptime and memory usage information for Configuration Manager site server
processes

Count of crashes for Configuration Manager site server processes, and Watson
signature ID, if available

[Updated] Hash of key site attributes (site ID, site codes, sites names, SQL Server
broker ID, and site exchange key)

Status and health of the administration service

Counts of errors from administration service

Site health information

Site health check configuration and status

Version of Visual Studio redistributable and .NET Framework installed on clients and site system servers

Summarized hierarchy health and activity status

Miscellaneous (Level 1)
Basic OS deployment counts of images

Count of Windows clients that use Windows Update for Business

Count of operating systems for managed devices and policies set by the Exchange
Connector

Count of phased deployments created by type

Count of categorized and uncategorized applications for asset intelligence

Aggregated count of upgrade readiness assessments

Number of software updates referenced by task sequence

Level 2 - Enhanced
For Configuration Manager version 2211, this level includes the following data:

Application management (Level 2)
App requirements: count of built-in conditions referenced by deployment
technology

App supersedence, maximum depth of chain

Application approval statistics and usage frequency

Application content size statistics

Application deployment information: use of install versus uninstall, requires approval, user interaction enabled/disabled, dependency, supersedence, and usage count of install behavior feature

Application policy size and complexity statistics

Available application request statistics

Basic configuration information for packages and programs: deployment options and program flags

Basic usage/targeting information for deployment types: user versus device targeted, required versus available, and universal apps

Count of application applicability by OS

Count of applications referenced in a task sequence

Count of distinct branding for application catalog

Count of Microsoft 365 Apps applications created using dashboard

Count of packages by type

Count of package/program deployments

Count of Windows 10 and later licensed application licenses

Count of Windows Installer deployment types by uninstall content settings

Count of Microsoft Store for Business apps and sync statistics: summarized types
of apps, licensed app status, and number of online and offline licensed apps

Maintenance window type and duration

Minimum/maximum/average number of application deployments per user/device per time period

Most common application installation error codes by deployment technology

MSI configuration options and counts

Statistics on end-user interaction with notification for required software deployments

Universal Data Access usage, how created

Aggregated user device affinity statistics

Max and average primary users per device

Application global condition usage by type

Software Center customization configuration, including use of settings to configure Software Center and notification branding

Package Conversion Manager readiness and counts

Count of application detection methods by type

Count of application enforcement errors

MSI installer properties

Statistics of user install requests

Aggregated statistics on the use of the email approval feature

File count, content size, services count, and custom action count of MSIs in
application catalog

Count of devices by Office ProPlus readiness state

Aggregated statistics on the use of application groups

Aggregated statistics on Office add-ins, usage of the Office Readiness Toolkit, and
counts of clients with Microsoft 365 Apps

Aggregated statistics on Office add-in health

Count and size of Office Pro Plus pilot collections

Number of Office Pro Plus devices sending Office health data

Count of the type of actions used on apps over time

Client (Level 2)
Active Management Technology (AMT) client version

BIOS age in years, and distribution of ages in months

Count of devices with Secure Boot enabled

Count of devices by TPM state

Client auto-upgrade: deployment configuration including client piloting and exclusion usage (extended interoperability client)

Client deployment download errors

Client health statistics and top issue summary by client version, component, OS,
and workload

Client notification operation action status: how many times each is run, max
number of targeted clients, and average success rate

Count of client installations from each source location type

Count of client installation failures

Count of devices virtualized by Hyper-V or Azure

Count of Software Center actions

Count of UEFI-enabled devices

Deployment methods used for client and count of clients per deployment method

List/count of enabled client agents

OS age in months

Number of hardware inventory classes, software inventory rules, file collection rules, and overall health status

Statistics for device health attestation: most common error codes, number of on-
premises servers, and counts of devices in various states

Count of devices by default browser

Count of Configuration Manager-generated server authentication certificates

Count of Microsoft Surface devices by model

Count of client health check failures by issue type

Count of status (total/approved/blocked) for client certificate types

Client counts for different user/device relationship types

Count of clients in VPN boundaries

Power plans with their peak and non-peak usage statistics

Power plan peak usage statistics

Power plan setting options usage statistics

Cloud services (Level 2)
Azure AD discovery statistics

Count of collections synced to Azure Log Analytics

Count of Upgrade Analytics Connectors

Whether the Azure Log Analytics cloud connector is enabled

Count of pull-distribution points with a cloud distribution point as a source location

Usage of the cloud services onboarding wizard

Cloud services configuration onboarding properties

Cloud services endpoint connectivity and component health

Usage of the cloud-attach wizard

Cloud Distribution Point usage statistics

CMPivot (Level 2)
CMPivot usage statistics

Count of saved CMPivot queries

Count of queries by entity type

Co-management (Level 2)
Enrollment schedule and historical statistics

Count of clients eligible for co-management

Associated Microsoft Intune tenant

Collections (Level 2)
Collection ID usage (not running out of IDs)

Collection evaluation statistics: query time, assigned versus unassigned counts, counts by type, ID rollover, and rule usage

Collections without a deployment

Count of collections synchronized to Azure AD, including type and size

Statistics for collection member counts and collection rule counts

Statistics about the collection rule WMI class query dependencies

Compliance settings (Level 2)
Basic configuration baseline information: count, number of deployments, number of references, and frequency of changes

Compliance policy error statistics

Count of configuration items by type

Count of deployments that reference built-in settings, including remediate setting

Count of rules and deployments created for custom settings, including remediate
setting

Count of deployed Simple Certificate Enrollment Protocol (SCEP), VPN, Wi-Fi, certificate (.pfx), and compliance policy templates

Count of SCEP certificate, VPN, Wi-Fi, certificate (.pfx), and compliance policy
deployments by platform

Windows Hello for Business policy (created, deployed)

Count of deployed Microsoft Edge Legacy browser policies

Count of OneDrive policies (created, deployed)

Count of compliance settings deployed by category, OS, and source (cloud vs on-premises)

Company resource access profile settings usage

Configuration Manager console (Level 2)
Counts of active and viewed console notification messages by type

Count of folders by object type

Console performance information

25 most common actions, wizards, property sheets, and tree nodes accessed in the
console

List of installed console extensions, and whether they're enabled, required, or approved

Summary of size and count of admin persisted settings

Selected console usage information

Unsigned extension policy

Console dark mode usage

Content (Level 2)
Boundary group statistics: how many fast, how many slow, count per group, and
fallback relationships

Boundary group information: count of boundaries and site systems that are
assigned to each boundary group

Boundary group relationships and fallback configuration

Client content download statistics

Count of boundaries by type

Count of peer cache clients, usage statistic, and partial download statistics

Distribution Manager configuration information: threads, retry delay, number of retries, and pull distribution point settings

Distribution point configuration information: use of branch cache and distribution point monitoring

Distribution point group information: count of packages and distribution points that are assigned to each distribution point group

Content library type, whether local or remote

Count of boundary groups by configuration

Count of subnets excluded from peer cache

Count and type of operations on the SMSDPProvider service for distribution points

Protection (Level 2)
Microsoft Defender for Endpoint policies (formerly known as Windows Defender
for Endpoint): count of policies, and whether policies are deployed.

Count of alerts that are configured for Endpoint Protection feature

Count of collections that are selected to appear in Endpoint Protection dashboard

Count of Windows Defender Exploit Guard policies, deployments, and targeted clients

Endpoint Protection deployment errors, count of Endpoint Protection policy deployment error codes

Endpoint Protection antimalware and Windows Firewall policy usage (number of unique policies assigned to group). This data doesn't include any information about the settings included in the policy.

Aggregated statistics for Microsoft Defender for Endpoint policies

[New] Count of Microsoft Defender Application Guard policies, deployments, and targeted clients

[New] Count of Microsoft Defender Application Control policies, deployments, and targeted clients

Migration (Level 2)
Count of migrated objects (use of migration wizard)

Mobile device management (MDM) (Level 2)
Count of issued mobile device actions: lock, PIN reset, wipe, retire, and sync now commands

Count of mobile device policies

Count of mobile devices Configuration Manager manages, and how you enrolled
them (bulk, user-based)

Count of users who have multiple enrolled mobile devices

Mobile device polling schedule and statistics for mobile device check-in duration

On-premises mobile device management (MDM) (Level 2)
Count of Windows bulk enrollment packages and profiles

Deployment success/failure statistics for on-premises MDM application deployments

OS deployment (Level 2)
Count of boot images, drivers, driver packages, multicast-enabled distribution
points, PXE-enabled distribution points, and task sequences

Count of boot images by Configuration Manager client version

Count of boot images by Windows PE version

Count of edition upgrade policies

Count of hardware identifiers excluded from PXE

Count of OS deployment by OS version

Count of OS upgrades over time

Count of task sequence deployments using option to pre-download content

Counts of task sequence step usage

Version of Windows ADK installed

Count of image servicing tasks


Count of imported machines

Count of duplicate hardware identifiers (MAC address and SMBIOS GUID) excluded
from PXE and client registration

Count of task sequences by type (OS deployment or generic task sequence)

Count of packages with pre-cache content settings

Grouped sizes of task sequence policies

Count of error codes from feature upgrades for Windows clients

Count of supported and unsupported OS versions

Count of task sequences and legacy packages with custom icons

Site updates (Level 2)
Versions of installed Configuration Manager hotfixes

Software updates (Level 2)
Available and deadline deltas that are used in automatic deployment rules

Average and maximum number of assignments per update

Client update evaluation and scan schedules

Classifications synced by the software update point

Cluster patching statistics

Configuration of Windows express updates

Configurations that are used for active Windows servicing plans

Count of deployed Microsoft 365 Apps updates

Count of Microsoft Surface drivers synced

Count of update groups and assignments

Count of update packages and the maximum/minimum/average number of distribution points that are targeted with packages

Count of updates that are created and deployed with System Center Update Publisher

Count of Windows Update for Business policies created and deployed

Aggregated statistics of Windows Update for Business configurations

Number of automatic deployment rules that are tied to synchronization

Number of automatic deployment rules that create new or add updates to an existing group

Number of automatic deployment rules that have multiple deployments

Number of update groups and minimum/maximum/average number of updates per group

Number of updates and percentage of updates that are deployed, expired, superseded, downloaded, and contain EULAs

Software update point load-balancing statistics

Software update point synchronization schedule

Total/average number of collections that have software update deployments and the maximum/average number of deployed updates

Update scan error codes and machine count

Windows servicing dashboard content versions

Count of third-party software update catalog subscriptions and usage

Count of software updates deployed with and without content

Aggregated statistics on the number of UUP updates that are required, deployed,
expired, superseded, and downloaded

Use of UUP product categories

Count of clients that have deployed at least one UUP quality update or UUP
feature update

Top UUP error codes and count of affected devices

List of subscriptions to third-party software update catalogs

Use of WSUS maintenance settings


Orchestration group usage

Windows Update fallback configuration settings

Type, size, and timeout settings of orchestration group scripts

Software Update Point setting options statistics

SQL/performance data (Level 2)
Configuration and duration of site summarization

Count of largest database tables

Discovery operational statistics (count of objects found)

Discovery types, enabled, and schedule (full, incremental)

SQL Server change tracking performance issues, retention period, and autocleanup
state

SQL Server change tracking retention period

State and status message performance statistics including most common and most
expensive message types

Management point traffic statistics (total bytes sent and received by endpoint)

Management point performance counter measurements

Aggregated performance statistics of calls made to Software Center endpoints on the management point

SQL Server maintenance task configuration and status

Status of recent re-initialization requests

Miscellaneous (Level 2)
Configuration of data warehouse service point including synchronization schedule,
average time, and use of customized tables feature

Count of scripts and run/edit statistics

Count of sites with Wake On LAN (WOL)

Reporting usage and performance statistics


Phased deployment usage statistics

Management insights item counts and progress

Count of crashes for unique non-Configuration Manager processes on the site server, and Watson signature ID, if available

Aggregated system boot time statistics by OS, form-factor, and drive type

Usage of the Azure migration tool

Count of clients with browser usage

Summary of how many site systems have the proxy enabled and how many are
authenticated proxy, including configuration, usage patterns, and traffic patterns

Usage information for the last seven days of in-console product feedback

Count of site-to-site accounts by type

Usage statistics for user and device custom properties

Count and type of edits to asset intelligence categories

Level 3 - Full
For Configuration Manager version 2211, this level includes the following data:

Automatic deployment rule evaluation schedule information

ATP health summary

Collection evaluation and refresh statistics

Compliance policy statistics on compliance and errors

Compliance settings: SCEP, VPN, Wi-Fi, and compliance policy template configuration details

DCM config pack for Configuration Manager usage

Detailed client deployment installation errors

Endpoint Protection health summary: including count of protected, at risk, unknown, and unsupported clients

Endpoint Protection policy configuration

List of processes configured with installation behavior for applications

Minimum/maximum/average number of hours since last software update scan

Minimum/maximum/average number of inactive clients in software update deployment collections

Minimum/maximum/average number of software updates per package

MSI product code deployment statistics

Overall compliance of software update deployments

Count of groups that have expired software updates

Software update deployment error codes and counts

Software update deployment information: percentage of deployments that are targeted with client versus UTC time, required versus optional versus silent, and reboot suppression

Software update products synced by software update point

Software update scan success percentages

Top 50 CPUs in the environment

Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages

Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts

Count of clients pushed with option to not allow fallback to NTLM

List of Configuration Manager console extensions

Diagnostic and usage data for version 2207
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The following sections provide additional detail about data collected at each level. For
more information on the levels and how to change them, see Levels of diagnostic usage
data.

Changes from previous versions are noted with [New], [Updated], [Removed], or
[Moved].

Important

Configuration Manager doesn't collect site codes, site names, IP addresses, user
names, computer names, physical addresses, or email addresses on the Basic or
Enhanced levels. Any collection of this information on the Full level is not
purposeful. It is potentially included in advanced diagnostic information like log
files or memory snapshots. Microsoft doesn't use this information to identify you,
contact you, or develop advertising.

Level 1 - Basic
For Configuration Manager version 2207, this level includes the following data:

Application management (Level 1)
Basic application and deployment type counts: total apps, total apps with multiple
deployment types, total apps with dependencies, total superseded apps, and count
of deployment technologies in use

Count of Microsoft Edge installations

Count of clients by default and preferred browser

Client (Level 1)
Count of client languages and locales

Count of Configuration Manager client versions, OS versions, and Office versions

Count of Windows 10 and later devices by branch, build, and unique Active
Directory forest

Count of clients joined to Azure Active Directory (Azure AD)

Count of extended interoperability clients

Count of clients by Windows OS age, to the nearest three-month interval

Top 10 processor names used on clients and servers

Use of the bulk registration token

Count of clients by identity source and registration method. For example, Active
Directory, Azure AD, or PKI client authentication certificate.

Count of clients by OS type and version that are joined to Azure AD or hybrid-
joined

Count of clients by OS and system processor type

[New] Statistics for the number of collections and machines with power
configuration management settings assigned

Cloud services (Level 1)
Count of clients by co-management enrollment method

Error statistics for co-management enrollment

Aggregated usage statistics of co-management: number of clients ever enrolled, number of enrolled clients, number of clients pending enrollment, clients receiving policy, workload states, pilot/exclusion collection sizes, and enrollment errors

Count of clients piloting or using each co-management workload

Count of Azure AD applications and services connected to Configuration Manager

Cloud attach and detach actions

Status of last sync with Intune cloud service

Configuration and usage statistics of cloud management gateway: counts of regions and environments, and authentication/authorization statistics

Summarized count of Endpoint Analytics event

Aggregated statistics on Desktop Analytics enrollment errors and usage

Count of clients by OS type and version that are co-managed, cloud-attached, or use a cloud management gateway (CMG)

Configuration Manager console (Level 1)
Statistics about Configuration Manager console connections: OS version, language,
SKU and architecture, system memory, logical processor count, connect site ID,
installed .NET versions, console language packs, and capable authentication level

Hashed list of extensions to Configuration Manager console property pages and wizards

Configuration Manager console crash locations

Configuration Manager console usage statistics

Configuration Manager console notification configuration and status

Protection (Level 1)
Basic Endpoint Protection information about antimalware client versions

Existence of Microsoft BitLocker Administration and Monitoring (MBAM) server-side extensions

BitLocker management client counts summarized by enrollment and TPM state

Setup (Level 1)
Build, install type, language packs, features that you enabled

Pre-release use, setup media type, branch type

Software Assurance expiration date

Update pack deployment status and errors, download progress, and prerequisite
errors

Use of early update ring

Version of post-upgrade script

Central administration site removal status

Site database (Level 1)
Basic database configuration: processors, memory size, memory settings,
Configuration Manager database configuration, Configuration Manager database
size, cluster configuration, configuration of distributed views, and change tracking
version

Database performance metrics: replication processing information, top SQL Server stored procedures by processor, and disk usage

SQL Server version, service pack level, edition, collation ID, and character set

Hashed list of top SQL queries by memory usage and lock count

SQL Server Always On availability group replica information, usage, and health
status

Site infrastructure (Level 1)
Basic Configuration Manager site hierarchy data: site list, type, version, status,
client count, time zone, and health status

Basic discovery statistics: discovery count, minimum/maximum/average group sizes, and when the site is running entirely with Azure Active Directory Services

Basic site system server information: site system roles used, internet and SSL status,
OS, processors, physical or virtual machine, and usage of site server high
availability

Configured level for diagnostics and usage data, online or offline mode, and fast
update configuration

Distribution point and management point types and basic configuration information: protected, prestaged, PXE, multicast, SSL state, pull/peer distribution points, MDM-enabled, and SSL-enabled

Diagnostics and usage data statistics: when run, runtime, errors

Hashed list of hardware inventory properties longer than 255 characters

Count and processing rates of key Configuration Manager objects: data discovery
records (DDR), state messages, status messages, hardware inventory, software
inventory, and overall count of files in inboxes

Site server disk and processor performance information

Uptime and memory usage information for Configuration Manager site server
processes

Count of crashes for Configuration Manager site server processes, and Watson
signature ID, if available

Hash of key site attributes (site ID, SQL Server broker ID, and site exchange key)

Status and health of the administration service

Counts of errors from administration service

Site health information

Site health check configuration and status

Version of Visual Studio redistributable and .NET Framework installed on clients and site system servers

Summarized hierarchy health and activity status

Miscellaneous (Level 1)
Basic OS deployment counts of images

Count of Windows clients that use Windows Update for Business

Count of operating systems for managed devices and policies set by the Exchange
Connector

Count of phased deployments created by type

Count of categorized and uncategorized applications for asset intelligence

Aggregated count of upgrade readiness assessments

Number of software updates referenced by task sequence

Level 2 - Enhanced
For Configuration Manager version 2207, this level includes the following data:

Application management (Level 2)
App requirements: count of built-in conditions referenced by deployment technology

App supersedence, maximum depth of chain

Application approval statistics and usage frequency

Application content size statistics

Application deployment information: use of install versus uninstall, requires approval, user interaction enabled/disabled, dependency, supersedence, and usage count of install behavior feature

Application policy size and complexity statistics

Available application request statistics

Basic configuration information for packages and programs: deployment options and program flags

Basic usage/targeting information for deployment types: user versus device targeted, required versus available, and universal apps

Count of application applicability by OS

Count of applications referenced in a task sequence

Count of distinct branding for application catalog

Count of Microsoft 365 Apps applications created using dashboard

Count of packages by type

Count of package/program deployments

Count of Windows 10 and later licensed application licenses

Count of Windows Installer deployment types by uninstall content settings

Count of Microsoft Store for Business apps and sync statistics: summarized types
of apps, licensed app status, and number of online and offline licensed apps

Maintenance window type and duration

Minimum/maximum/average number of application deployments per user/device per time period

Most common application installation error codes by deployment technology

MSI configuration options and counts

Statistics on end-user interaction with notification for required software deployments

Universal Data Access usage, how created

Aggregated user device affinity statistics

Max and average primary users per device

Application global condition usage by type

Software Center customization configuration, including use of settings to configure Software Center and notification branding

Package Conversion Manager readiness and counts

Count of application detection methods by type

Count of application enforcement errors

MSI installer properties

Statistics of user install requests

Aggregated statistics on the use of the email approval feature

File count, content size, services count, and custom action count of MSIs in
application catalog

Count of devices by Office ProPlus readiness state

Aggregated statistics on the use of application groups

Aggregated statistics on Office add-ins, usage of the Office Readiness Toolkit, and
counts of clients with Microsoft 365 Apps

Aggregated statistics on Office add-in health

Count and size of Office Pro Plus pilot collections

Number of Office Pro Plus devices sending Office health data

Count of the type of actions used on apps over time

Client (Level 2)
Active Management Technology (AMT) client version

BIOS age in years, and distribution of ages in months

Count of devices with Secure Boot enabled

Count of devices by TPM state

Client auto-upgrade: deployment configuration including client piloting and exclusion usage (extended interoperability client)

Client deployment download errors

Client health statistics and top issue summary by client version, component, OS,
and workload

Client notification operation action status: how many times each is run, max
number of targeted clients, and average success rate

Count of client installations from each source location type

Count of client installation failures

Count of devices virtualized by Hyper-V or Azure

Count of Software Center actions

Count of UEFI-enabled devices

Deployment methods used for client and count of clients per deployment method

List/count of enabled client agents

OS age in months

Number of hardware inventory classes, software inventory rules, file collection rules, and overall health status

Statistics for device health attestation: most common error codes, number of on-
premises servers, and counts of devices in various states

Count of devices by default browser

Count of Configuration Manager-generated server authentication certificates

Count of Microsoft Surface devices by model

Count of client health check failures by issue type

Count of status (total/approved/blocked) for client certificate types

Client counts for different user/device relationship types

Count of clients in VPN boundaries

[New] Power plans with their peak and non-peak usage statistics

[New] Power plan peak usage statistics

[New] Power plan setting options usage statistics

Cloud services (Level 2)
Azure AD discovery statistics

Count of collections synced to Azure Log Analytics

Count of Upgrade Analytics Connectors

Whether the Azure Log Analytics cloud connector is enabled

Count of pull-distribution points with a cloud distribution point as a source location

Usage of the cloud services onboarding wizard

Cloud services configuration onboarding properties

Cloud services endpoint connectivity and component health

Usage of the cloud-attach wizard

[New] Cloud Distribution Point usage statistics

CMPivot (Level 2)
CMPivot usage statistics

Count of saved CMPivot queries

Count of queries by entity type

Co-management (Level 2)
Enrollment schedule and historical statistics

Count of clients eligible for co-management

Associated Microsoft Intune tenant

Collections (Level 2)
Collection ID usage (not running out of IDs)

Collection evaluation statistics: query time, assigned versus unassigned counts, counts by type, ID rollover, and rule usage

Collections without a deployment

Count of collections synchronized to Azure AD, including type and size

[New] Statistics for collection member counts and collection rule counts

[New] Statistics about the collection rule WMI class query dependencies

Compliance settings (Level 2)
Basic configuration baseline information: count, number of deployments, number
of references, and frequency of changes

Compliance policy error statistics

Count of configuration items by type

Count of deployments that reference built-in settings, including remediate setting

Count of rules and deployments created for custom settings, including remediate
setting

Count of deployed Simple Certificate Enrollment Protocol (SCEP), VPN, Wi-Fi, certificate (.pfx), and compliance policy templates

Count of SCEP certificate, VPN, Wi-Fi, certificate (.pfx), and compliance policy
deployments by platform

Windows Hello for Business policy (created, deployed)

Count of deployed Microsoft Edge Legacy browser policies

Count of OneDrive policies (created, deployed)

Count of compliance settings deployed by category, OS, and source (cloud vs on-premises)

[New] Company resource access profile settings usage

Configuration Manager console (Level 2)
Counts of active and viewed console notification messages by type

Count of folders by object type

Console performance information

25 most common actions, wizards, property sheets, and tree nodes accessed in the
console

List of installed console extensions, and whether they're enabled, required, or approved

Summary of size and count of admin persisted settings

Selected console usage information

Unsigned extension policy

[New] Console dark mode usage

Content (Level 2)
Boundary group statistics: how many fast, how many slow, count per group, and
fallback relationships

Boundary group information: count of boundaries and site systems that are
assigned to each boundary group

Boundary group relationships and fallback configuration

Client content download statistics

Count of boundaries by type

Count of peer cache clients, usage statistic, and partial download statistics

Distribution Manager configuration information: threads, retry delay, number of retries, and pull distribution point settings

Distribution point configuration information: use of branch cache and distribution point monitoring

Distribution point group information: count of packages and distribution points that are assigned to each distribution point group

Content library type, whether local or remote

Count of boundary groups by configuration

Count of subnets excluded from peer cache

Count and type of operations on the SMSDPProvider service for distribution points

Protection (Level 2)
Microsoft Defender for Endpoint policies (formerly known as Windows Defender
for Endpoint): count of policies, and whether policies are deployed.

Count of alerts that are configured for Endpoint Protection feature

Count of collections that are selected to appear in Endpoint Protection dashboard

Count of Windows Defender Exploit Guard policies, deployments, and targeted clients

Endpoint Protection deployment errors, count of Endpoint Protection policy deployment error codes

Endpoint Protection antimalware and Windows Firewall policy usage (number of unique policies assigned to group). This data doesn't include any information about the settings included in the policy.

Aggregated statistics for Microsoft Defender for Endpoint policies

Migration (Level 2)
Count of migrated objects (use of migration wizard)

Mobile device management (MDM) (Level 2)
Count of issued mobile device actions: lock, pin reset, wipe, retire, and sync now commands

Count of mobile device policies

Count of mobile devices Configuration Manager manages, and how you enrolled
them (bulk, user-based)

Count of users who have multiple enrolled mobile devices

Mobile device polling schedule and statistics for mobile device check-in duration

On-premises mobile device management (MDM) (Level 2)
Count of Windows bulk enrollment packages and profiles

Deployment success/failure statistics for on-premises MDM application deployments

OS deployment (Level 2)
Count of boot images, drivers, driver packages, multicast-enabled distribution
points, PXE-enabled distribution points, and task sequences

Count of boot images by Configuration Manager client version

Count of boot images by Windows PE version

Count of edition upgrade policies

Count of hardware identifiers excluded from PXE

Count of OS deployment by OS version

Count of OS upgrades over time

Count of task sequence deployments using option to pre-download content

Counts of task sequence step usage

Version of Windows ADK installed

Count of image servicing tasks

Count of imported machines

Count of duplicate hardware identifiers (MAC address and SMBIOS GUID) excluded
from PXE and client registration

Count of task sequences by type (OS deployment or generic task sequence)

Count of packages with pre-cache content settings

Grouped sizes of task sequence policies

Count of error codes from feature upgrades for Windows clients

Count of supported and unsupported OS versions

Count of task sequences and legacy packages with custom icons

Site updates (Level 2)
Versions of installed Configuration Manager hotfixes

Software updates (Level 2)
Available and deadline deltas that are used in automatic deployment rules

Average and maximum number of assignments per update

Client update evaluation and scan schedules

Classifications synced by the software update point

Cluster patching statistics

Configuration of Windows express updates

Configurations that are used for active Windows servicing plans

Count of deployed Microsoft 365 Apps updates

Count of Microsoft Surface drivers synced

Count of update groups and assignments

Count of update packages and the maximum/minimum/average number of distribution points that are targeted with packages

Count of updates that are created and deployed with System Center Update
Publisher

Count of Windows Update for Business policies created and deployed

Aggregated statistics of Windows Update for Business configurations

Number of automatic deployment rules that are tied to synchronization

Number of automatic deployment rules that create new or add updates to an existing group

Number of automatic deployment rules that have multiple deployments

Number of update groups and minimum/maximum/average number of updates per group

Number of updates and percentage of updates that are deployed, expired, superseded, downloaded, and contain EULAs

Software update point load-balancing statistics

Software update point synchronization schedule

Total/average number of collections that have software update deployments and the maximum/average number of deployed updates

Update scan error codes and machine count

Windows servicing dashboard content versions

Count of third-party software update catalog subscriptions and usage

Count of software updates deployed with and without content

Aggregated statistics on the number of UUP updates that are required, deployed,
expired, superseded, and downloaded

Use of UUP product categories

Count of clients that have deployed at least one UUP quality update or UUP
feature update

Top UUP error codes and count of affected devices

List of subscriptions to third-party software update catalogs

Use of WSUS maintenance settings

Orchestration group usage

Windows Update fallback configuration settings

Type, size, and timeout settings of orchestration group scripts

[New] Software Update Point setting options statistics

SQL/performance data (Level 2)
Configuration and duration of site summarization

Count of largest database tables

Discovery operational statistics (count of objects found)

Discovery types, enabled, and schedule (full, incremental)

SQL Server change tracking performance issues, retention period, and autocleanup
state

SQL Server change tracking retention period

State and status message performance statistics including most common and most
expensive message types

Management point traffic statistics (total bytes sent and received by endpoint)

Management point performance counter measurements

Aggregated performance statistics of calls made to Software Center endpoints on the management point

SQL Server maintenance task configuration and status

Status of recent re-initialization requests

Miscellaneous (Level 2)
Configuration of data warehouse service point including synchronization schedule,
average time, and use of customized tables feature

Count of scripts and run/edit statistics

Count of sites with Wake On LAN (WOL)

Reporting usage and performance statistics

Phased deployment usage statistics

Management insights item counts and progress

Count of crashes for unique non-Configuration Manager processes on the site server, and Watson signature ID, if available

Aggregated system boot time statistics by OS, form-factor, and drive type

Usage of the Azure migration tool

Count of clients with browser usage

Summary of how many site systems have the proxy enabled and how many are
authenticated proxy, including configuration, usage patterns, and traffic patterns

Usage information for the last seven days of in-console product feedback

Count of site-to-site accounts by type

Usage statistics for user and device custom properties

Count and type of edits to asset intelligence categories

Level 3 - Full
For Configuration Manager version 2207, this level includes the following data:

Automatic deployment rule evaluation schedule information

ATP health summary

Collection evaluation and refresh statistics

Compliance policy statistics on compliance and errors

Compliance settings: SCEP, VPN, Wi-Fi, and compliance policy template configuration details

DCM config pack for Configuration Manager usage

Detailed client deployment installation errors

Endpoint Protection health summary: including count of protected, at risk, unknown, and unsupported clients

Endpoint Protection policy configuration

List of processes configured with installation behavior for applications

Minimum/maximum/average number of hours since last software update scan

Minimum/maximum/average number of inactive clients in software update deployment collections

Minimum/maximum/average number of software updates per package

MSI product code deployment statistics

Overall compliance of software update deployments

Count of groups that have expired software updates

Software update deployment error codes and counts

Software update deployment information: percentage of deployments that are targeted with client versus UTC time, required versus optional versus silent, and reboot suppression

Software update products synced by software update point

Software update scan success percentages

Top 50 CPUs in the environment

Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages

Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts

Count of clients pushed with option to not allow fallback to NTLM

List of Configuration Manager console extensions

Diagnostic and usage data for version 2203
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The following sections provide additional detail about data collected at each level. For
more information on the levels and how to change them, see Levels of diagnostic usage
data.

Changes from previous versions are noted with [New], [Updated], [Removed], or
[Moved].

Important

Configuration Manager doesn't collect site codes, site names, IP addresses, user
names, computer names, physical addresses, or email addresses on the Basic or
Enhanced levels. Any collection of this information on the Full level is not
purposeful. It is potentially included in advanced diagnostic information like log
files or memory snapshots. Microsoft doesn't use this information to identify you,
contact you, or develop advertising.

Level 1 - Basic
For Configuration Manager version 2203, this level includes the following data:

Application management (Level 1)
Basic application and deployment type counts: total apps, total apps with multiple
deployment types, total apps with dependencies, total superseded apps, and count
of deployment technologies in use

Count of Microsoft Edge installations

Count of clients by default and preferred browser

Client (Level 1)
Count of client languages and locales

Count of Configuration Manager client versions, OS versions, and Office versions

Count of Windows 10 and later devices by branch, build, and unique Active
Directory forest

Count of clients joined to Azure Active Directory (Azure AD)

Count of extended interoperability clients

Count of clients by Windows OS age, to the nearest three-month interval

Top 10 processor names used on clients and servers

Use of the bulk registration token

Count of clients by identity source and registration method. For example, Active
Directory, Azure AD, or PKI client authentication certificate.

Count of clients by OS type and version that are joined to Azure AD or hybrid-
joined

[New] Count of clients by OS and system processor type

Cloud services (Level 1)
Count of clients by co-management enrollment method

Error statistics for co-management enrollment

Aggregated usage statistics of co-management: number of clients ever enrolled, number of enrolled clients, number of clients pending enrollment, clients receiving policy, workload states, pilot/exclusion collection sizes, and enrollment errors

[New] Count of clients piloting or using each co-management workload

Count of Azure AD applications and services connected to Configuration Manager

Cloud attach and detach actions

Status of last sync with Intune cloud service

Configuration and usage statistics of cloud management gateway: counts of regions and environments, and authentication/authorization statistics

Summarized count of Endpoint Analytics event

Aggregated statistics on Desktop Analytics enrollment errors and usage

[Updated] Count of clients by OS type and version that are co-managed, cloud-attached, or use a cloud management gateway (CMG)

Configuration Manager console (Level 1)
Statistics about Configuration Manager console connections: OS version, language,
SKU and architecture, system memory, logical processor count, connect site ID,
installed .NET versions, console language packs, and capable authentication level

Hashed list of extensions to Configuration Manager console property pages and wizards

Configuration Manager console crash locations

Configuration Manager console usage statistics

Configuration Manager console notification configuration and status

Protection (Level 1)
Basic Endpoint Protection information about antimalware client versions

Existence of Microsoft BitLocker Administration and Monitoring (MBAM) server-side extensions

BitLocker management client counts summarized by enrollment and TPM state

Setup (Level 1)
Build, install type, language packs, features that you enabled

Pre-release use, setup media type, branch type

Software Assurance expiration date

Update pack deployment status and errors, download progress, and prerequisite
errors

Use of early update ring

Version of post-upgrade script

Central administration site removal status

Site database (Level 1)
Basic database configuration: processors, memory size, memory settings,
Configuration Manager database configuration, Configuration Manager database
size, cluster configuration, configuration of distributed views, and change tracking
version

Database performance metrics: replication processing information, top SQL Server stored procedures by processor, and disk usage

SQL Server version, service pack level, edition, collation ID, and character set

Hashed list of top SQL queries by memory usage and lock count

SQL Server Always On availability group replica information, usage, and health
status

Site infrastructure (Level 1)
Basic Configuration Manager site hierarchy data: site list, type, version, status,
client count, time zone, and health status

Basic discovery statistics: discovery count, minimum/maximum/average group sizes, and when the site is running entirely with Azure Active Directory Services

Basic site system server information: site system roles used, internet and SSL status,
OS, processors, physical or virtual machine, and usage of site server high
availability

Configured level for diagnostics and usage data, online or offline mode, and fast
update configuration

Distribution point and management point types and basic configuration information: protected, prestaged, PXE, multicast, SSL state, pull/peer distribution points, MDM-enabled, and SSL-enabled
points, MDM-enabled, and SSL-enabled

Diagnostics and usage data statistics: when run, runtime, errors

Hashed list of hardware inventory properties longer than 255 characters

Count and processing rates of key Configuration Manager objects: data discovery
records (DDR), state messages, status messages, hardware inventory, software
inventory, and overall count of files in inboxes

Site server disk and processor performance information

Uptime and memory usage information for Configuration Manager site server
processes

Count of crashes for Configuration Manager site server processes, and Watson
signature ID, if available

Hash of key site attributes (site ID, SQL Server broker ID, and site exchange key)

Status and health of the administration service

Counts of errors from administration service

Site health information

Site health check configuration and status

Version of Visual Studio redistributable and .NET Framework installed on clients
and site system servers

Summarized hierarchy health and activity status

Miscellaneous (Level 1)
Basic OS deployment counts of images

Count of Windows clients that use Windows Update for Business

Count of operating systems for managed devices and policies set by the Exchange
Connector

Count of phased deployments created by type

Count of categorized and uncategorized applications for asset intelligence

Aggregated count of upgrade readiness assessments

Number of software updates referenced by task sequence

Level 2 - Enhanced
For Configuration Manager version 2203, this level includes the following data:

Application management (Level 2)
App requirements: count of built-in conditions referenced by deployment
technology

App supersedence, maximum depth of chain

Application approval statistics and usage frequency

Application content size statistics

Application deployment information: use of install versus uninstall, requires
approval, user interaction enabled/disabled, dependency, supersedence, and usage
count of install behavior feature

Application policy size and complexity statistics

Available application request statistics

Basic configuration information for packages and programs: deployment options
and program flags

Basic usage/targeting information for deployment types: user versus device
targeted, required versus available, and universal apps

Count of application applicability by OS

Count of applications referenced in a task sequence

Count of distinct branding for application catalog

Count of Microsoft 365 Apps applications created using dashboard

Count of packages by type

Count of package/program deployments

Count of Windows 10 and later licensed application licenses

Count of Windows Installer deployment types by uninstall content settings

Count of Microsoft Store for Business apps and sync statistics: summarized types
of apps, licensed app status, and number of online and offline licensed apps

Maintenance window type and duration

Minimum/maximum/average number of application deployments per user/device
per time period

Most common application installation error codes by deployment technology

MSI configuration options and counts

Statistics on end-user interaction with notification for required software
deployments

Universal Data Access usage, how created

Aggregated user device affinity statistics

Max and average primary users per device

Application global condition usage by type

Software Center customization configuration, including use of settings to configure
Software Center and notification branding

Package Conversion Manager readiness and counts

Count of application detection methods by type

Count of application enforcement errors

MSI installer properties

Statistics of user install requests

Aggregated statistics on the use of the email approval feature

File count, content size, services count, and custom action count of MSIs in
application catalog

Count of devices by Office ProPlus readiness state

Aggregated statistics on the use of application groups

Aggregated statistics on Office add-ins, usage of the Office Readiness Toolkit, and
counts of clients with Microsoft 365 Apps

Aggregated statistics on Office add-in health

Count and size of Office Pro Plus pilot collections

Number of Office Pro Plus devices sending Office health data

Count of the type of actions used on apps over time

Client (Level 2)
Active Management Technology (AMT) client version

[Updated] BIOS age in years, and distribution of ages in months

Count of devices with Secure Boot enabled

Count of devices by TPM state

Client auto-upgrade: deployment configuration including client piloting and
exclusion usage (extended interoperability client)

Client deployment download errors

Client health statistics and top issue summary by client version, component, OS,
and workload

Client notification operation action status: how many times each is run, max
number of targeted clients, and average success rate

Count of client installations from each source location type

Count of client installation failures

Count of devices virtualized by Hyper-V or Azure

Count of Software Center actions

Count of UEFI-enabled devices

Deployment methods used for client and count of clients per deployment method

List/count of enabled client agents

OS age in months

Number of hardware inventory classes, software inventory rules, file collection
rules, and overall health status

Statistics for device health attestation: most common error codes, number of on-
premises servers, and counts of devices in various states

Count of devices by default browser

Count of Configuration Manager-generated server authentication certificates

Count of Microsoft Surface devices by model

Count of client health check failures by issue type

Count of status (total/approved/blocked) for client certificate types

Client counts for different user/device relationship types

Count of clients in VPN boundaries

Cloud services (Level 2)
Azure AD discovery statistics

Count of collections synced to Azure Log Analytics

Count of Upgrade Analytics Connectors

Whether the Azure Log Analytics cloud connector is enabled

Count of pull-distribution points with a cloud distribution point as a source
location

Usage of the cloud services onboarding wizard

Cloud services configuration onboarding properties

Cloud services endpoint connectivity and component health

Usage of the cloud-attach wizard

CMPivot (Level 2)
CMPivot usage statistics

Count of saved CMPivot queries

Count of queries by entity type

Co-management (Level 2)
Enrollment schedule and historical statistics

Count of clients eligible for co-management

Associated Microsoft Intune tenant

Collections (Level 2)
Collection ID usage (not running out of IDs)

Collection evaluation statistics: query time, assigned versus unassigned counts,
counts by type, ID rollover, and rule usage

Collections without a deployment

[Updated] Count of collections synchronized to Azure AD, including type and size

Compliance settings (Level 2)
Basic configuration baseline information: count, number of deployments, number
of references, and frequency of changes

Compliance policy error statistics

Count of configuration items by type

Count of deployments that reference built-in settings, including remediate setting

Count of rules and deployments created for custom settings, including remediate
setting

Count of deployed Simple Certificate Enrollment Protocol (SCEP), VPN, Wi-Fi,
certificate (.pfx), and compliance policy templates

Count of SCEP certificate, VPN, Wi-Fi, certificate (.pfx), and compliance policy
deployments by platform

Windows Hello for Business policy (created, deployed)

Count of deployed Microsoft Edge Legacy browser policies

Count of OneDrive policies (created, deployed)

Count of compliance settings deployed by category, OS, and source (cloud vs on-
premises)

Configuration Manager console (Level 2)
Counts of active and viewed console notification messages by type

[Updated] Count of folders by object type

Console performance information

25 most common actions, wizards, property sheets, and tree nodes accessed in the
console

List of installed console extensions, and whether they're enabled, required, or
approved

Summary of size and count of admin persisted settings

Selected console usage information

Unsigned extension policy

Content (Level 2)
Boundary group statistics: how many fast, how many slow, count per group, and
fallback relationships

Boundary group information: count of boundaries and site systems that are
assigned to each boundary group

Boundary group relationships and fallback configuration

Client content download statistics

Count of boundaries by type

Count of peer cache clients, usage statistic, and partial download statistics

Distribution Manager configuration information: threads, retry delay, number of
retries, and pull distribution point settings

Distribution point configuration information: use of branch cache and distribution
point monitoring

Distribution point group information: count of packages and distribution points
that are assigned to each distribution point group

Content library type, whether local or remote

Count of boundary groups by configuration

Count of subnets excluded from peer cache

[New] Count and type of operations on the SMSDPProvider service for distribution
points

Protection (Level 2)
Microsoft Defender for Endpoint policies (formerly known as Windows Defender
for Endpoint): count of policies, and whether policies are deployed.

Count of alerts that are configured for Endpoint Protection feature

Count of collections that are selected to appear in Endpoint Protection dashboard

Count of Windows Defender Exploit Guard policies, deployments, and targeted
clients

Endpoint Protection deployment errors, count of Endpoint Protection policy
deployment error codes

Endpoint Protection antimalware and Windows Firewall policy usage (number of
unique policies assigned to group). This data doesn't include any information
about the settings included in the policy.

Aggregated statistics for Microsoft Defender for Endpoint policies

Migration (Level 2)
Count of migrated objects (use of migration wizard)

Mobile device management (MDM) (Level 2)
Count of issued mobile device actions: lock, PIN reset, wipe, retire, and sync now
commands

Count of mobile device policies

Count of mobile devices Configuration Manager manages, and how you enrolled
them (bulk, user-based)

Count of users who have multiple enrolled mobile devices

Mobile device polling schedule and statistics for mobile device check-in duration

On-premises mobile device management (MDM) (Level 2)
Count of Windows bulk enrollment packages and profiles

Deployment success/failure statistics for on-premises MDM application
deployments

OS deployment (Level 2)
Count of boot images, drivers, driver packages, multicast-enabled distribution
points, PXE-enabled distribution points, and task sequences

Count of boot images by Configuration Manager client version

Count of boot images by Windows PE version

Count of edition upgrade policies

Count of hardware identifiers excluded from PXE

Count of OS deployment by OS version

Count of OS upgrades over time

Count of task sequence deployments using option to pre-download content

Counts of task sequence step usage

Version of Windows ADK installed

Count of image servicing tasks

Count of imported machines

Count of duplicate hardware identifiers (MAC address and SMBIOS GUID) excluded
from PXE and client registration

Count of task sequences by type (OS deployment or generic task sequence)

Count of packages with pre-cache content settings

Grouped sizes of task sequence policies

Count of error codes from feature upgrades for Windows clients

Count of supported and unsupported OS versions

[New] Count of task sequences and legacy packages with custom icons

Site updates (Level 2)
Versions of installed Configuration Manager hotfixes

Software updates (Level 2)
Available and deadline deltas that are used in automatic deployment rules

Average and maximum number of assignments per update

Client update evaluation and scan schedules

Classifications synced by the software update point

Cluster patching statistics

Configuration of Windows express updates

Configurations that are used for active Windows servicing plans

Count of deployed Microsoft 365 Apps updates

Count of Microsoft Surface drivers synced

Count of update groups and assignments

Count of update packages and the maximum/minimum/average number of
distribution points that are targeted with packages

Count of updates that are created and deployed with System Center Update
Publisher

Count of Windows Update for Business policies created and deployed

Aggregated statistics of Windows Update for Business configurations

Number of automatic deployment rules that are tied to synchronization

Number of automatic deployment rules that create new or add updates to an
existing group

Number of automatic deployment rules that have multiple deployments

Number of update groups and minimum/maximum/average number of updates
per group

Number of updates and percentage of updates that are deployed, expired,
superseded, downloaded, and contain EULAs

Software update point load-balancing statistics

Software update point synchronization schedule

Total/average number of collections that have software update deployments and
the maximum/average number of deployed updates

Update scan error codes and machine count

Windows servicing dashboard content versions

Count of third-party software update catalog subscriptions and usage

Count of software updates deployed with and without content

Aggregated statistics on the number of UUP updates that are required, deployed,
expired, superseded, and downloaded

Use of UUP product categories

Count of clients that have deployed at least one UUP quality update or UUP
feature update

Top UUP error codes and count of affected devices

List of subscriptions to third-party software update catalogs

Use of WSUS maintenance settings

Orchestration group usage

Windows Update fallback configuration settings

Type, size, and timeout settings of orchestration group scripts

SQL/performance data (Level 2)
Configuration and duration of site summarization

Count of largest database tables

Discovery operational statistics (count of objects found)

Discovery types, enabled, and schedule (full, incremental)

SQL Server change tracking performance issues, retention period, and autocleanup
state

SQL Server change tracking retention period

State and status message performance statistics including most common and most
expensive message types

Management point traffic statistics (total bytes sent and received by endpoint)

Management point performance counter measurements

Aggregated performance statistics of calls made to Software Center endpoints on
the management point

SQL Server maintenance task configuration and status

Status of recent re-initialization requests

Miscellaneous (Level 2)
Configuration of data warehouse service point including synchronization schedule,
average time, and use of customized tables feature

Count of scripts and run/edit statistics

Count of sites with Wake On LAN (WOL)

Reporting usage and performance statistics

Phased deployment usage statistics

Management insights item counts and progress

Count of crashes for unique non-Configuration Manager processes on the site
server, and Watson signature ID, if available

Aggregated system boot time statistics by OS, form-factor, and drive type

Usage of the Azure migration tool

Count of clients with browser usage

Summary of how many site systems have the proxy enabled and how many are
authenticated proxy, including configuration, usage patterns, and traffic patterns

Usage information for the last seven days of in-console product feedback

Count of site-to-site accounts by type

Usage statistics for user and device custom properties

[New] Count and type of edits to asset intelligence categories


Level 3 - Full
For Configuration Manager version 2203, this level includes the following data:

Automatic deployment rule evaluation schedule information

ATP health summary

Collection evaluation and refresh statistics

Compliance policy statistics on compliance and errors

Compliance settings: SCEP, VPN, Wi-Fi, and compliance policy template
configuration details

DCM config pack for Configuration Manager usage

Detailed client deployment installation errors

Endpoint Protection health summary: including count of protected, at risk,
unknown, and unsupported clients

Endpoint Protection policy configuration

List of processes configured with installation behavior for applications

Minimum/maximum/average number of hours since last software update scan

Minimum/maximum/average number of inactive clients in software update
deployment collections

Minimum/maximum/average number of software updates per package

MSI product code deployment statistics

Overall compliance of software update deployments

Count of groups that have expired software updates

Software update deployment error codes and counts

Software update deployment information: percentage of deployments that are
targeted with client versus UTC time, required versus optional versus silent, and
reboot suppression

Software update products synced by software update point

Software update scan success percentages

Top 50 CPUs in the environment

Type of Exchange Active Sync (EAS) conditional access policies (block or
quarantine) for devices that Microsoft Intune manages

Microsoft Store for Business application details: non-aggregate list of synced
applications including AppID, online state or offline state, and total purchased
license counts

Count of clients pushed with option to not allow fallback to NTLM

List of Configuration Manager console extensions

Diagnostic and usage data for version 2111
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The following sections provide additional detail about data collected at each level. For
more information on the levels and how to change them, see Levels of diagnostic usage
data.

Changes from previous versions are noted with [New], [Updated], [Removed], or
[Moved].

Important

Configuration Manager doesn't collect site codes, site names, IP addresses, user
names, computer names, physical addresses, or email addresses on the Basic or
Enhanced levels. Any collection of this information on the Full level is not
intentional: it may be present incidentally in advanced diagnostic information such
as log files or memory snapshots. Microsoft doesn't use this information to identify
you, contact you, or develop advertising.

Level 1 - Basic
For Configuration Manager version 2111, this level includes the following data:

Application management (Level 1)
Basic application and deployment type counts: total apps, total apps with multiple
deployment types, total apps with dependencies, total superseded apps, and count
of deployment technologies in use

Count of Microsoft Edge installations

Count of clients by default and preferred browser

Client (Level 1)
Count of client languages and locales

Count of Configuration Manager client versions, OS versions, and Office versions

Count of Windows 10 and later devices by branch, build, and unique Active
Directory forest

Count of clients joined to Azure Active Directory (Azure AD)

Count of extended interoperability clients

Count of clients by Windows OS age, to the nearest three-month interval

Top 10 processor names used on clients and servers

Use of the bulk registration token

Count of clients by identity source and registration method. For example, Active
Directory, Azure AD, or PKI client authentication certificate.

[New] Count of clients by OS type and version that are joined to Azure AD or
hybrid-joined

Cloud services (Level 1)
Count of clients by co-management enrollment method

Error statistics for co-management enrollment

Aggregated usage statistics of co-management: number of clients ever enrolled,
number of enrolled clients, number of clients pending enrollment, clients receiving
policy, workload states, pilot/exclusion collection sizes, and enrollment errors

Count of Azure AD applications and services connected to Configuration Manager

Cloud attach and detach actions

Status of last sync with Intune cloud service

Configuration and usage statistics of cloud management gateway: counts of
regions and environments, and authentication/authorization statistics

Summarized count of Endpoint Analytics event

Aggregated statistics on Desktop Analytics enrollment errors and usage

[New] Count of clients by OS type and version that are co-managed, cloud-attached,
or both

Configuration Manager console (Level 1)
Statistics about Configuration Manager console connections: OS version, language,
SKU and architecture, system memory, logical processor count, connect site ID,
installed .NET versions, console language packs, and capable authentication level

Hashed list of extensions to Configuration Manager console property pages and
wizards

Configuration Manager console crash locations

Configuration Manager console usage statistics

Configuration Manager console notification configuration and status

Protection (Level 1)
Basic Endpoint Protection information about antimalware client versions

Existence of Microsoft BitLocker Administration and Monitoring (MBAM) server-side
extensions

BitLocker management client counts summarized by enrollment and TPM state

Setup (Level 1)
Build, install type, language packs, features that you enabled

Pre-release use, setup media type, branch type

Software Assurance expiration date

Update pack deployment status and errors, download progress, and prerequisite
errors

Use of early update ring

Version of post-upgrade script

Central administration site removal status

Site database (Level 1)
Basic database configuration: processors, memory size, memory settings,
Configuration Manager database configuration, Configuration Manager database
size, cluster configuration, configuration of distributed views, and change tracking
version

Database performance metrics: replication processing information, top SQL Server
stored procedures by processor, and disk usage

SQL Server version, service pack level, edition, collation ID, and character set

Hashed list of top SQL queries by memory usage and lock count

SQL Server Always On availability group replica information, usage, and health
status

Site infrastructure (Level 1)
Basic Configuration Manager site hierarchy data: site list, type, version, status,
client count, time zone, and health status

Basic discovery statistics: discovery count, minimum/maximum/average group
sizes, and when the site is running entirely with Azure Active Directory Services

Basic site system server information: site system roles used, internet and SSL status,
OS, processors, physical or virtual machine, and usage of site server high
availability

Configured level for diagnostics and usage data, online or offline mode, and fast
update configuration

Distribution point and management point types and basic configuration
information: protected, prestaged, PXE, multicast, SSL state, pull/peer distribution
points, MDM-enabled, and SSL-enabled

Diagnostics and usage data statistics: when run, runtime, errors

Hashed list of hardware inventory properties longer than 255 characters

Count and processing rates of key Configuration Manager objects: data discovery
records (DDR), state messages, status messages, hardware inventory, software
inventory, and overall count of files in inboxes

Site server disk and processor performance information

Uptime and memory usage information for Configuration Manager site server
processes

Count of crashes for Configuration Manager site server processes, and Watson
signature ID, if available

Hash of key site attributes (site ID, SQL Server broker ID, and site exchange key)

Status and health of the administration service

Counts of errors from administration service

Site health information

Site health check configuration and status

Version of Visual Studio redistributable and .NET Framework installed on clients
and site system servers

Summarized hierarchy health and activity status

Miscellaneous (Level 1)
Basic OS deployment counts of images

Count of Windows clients that use Windows Update for Business

Count of operating systems for managed devices and policies set by the Exchange
Connector

Count of phased deployments created by type

Count of categorized and uncategorized applications for asset intelligence

Aggregated count of upgrade readiness assessments

Number of software updates referenced by task sequence

Level 2 - Enhanced
For Configuration Manager version 2111, this level includes the following data:

Application management (Level 2)
App requirements: count of built-in conditions referenced by deployment
technology

App supersedence, maximum depth of chain

Application approval statistics and usage frequency

Application content size statistics

Application deployment information: use of install versus uninstall, requires
approval, user interaction enabled/disabled, dependency, supersedence, and usage
count of install behavior feature

Application policy size and complexity statistics

Available application request statistics

Basic configuration information for packages and programs: deployment options
and program flags

Basic usage/targeting information for deployment types: user versus device
targeted, required versus available, and universal apps

Count of application applicability by OS

Count of applications referenced in a task sequence

Count of distinct branding for application catalog

Count of Microsoft 365 Apps applications created using dashboard

Count of packages by type

Count of package/program deployments

Count of Windows 10 and later licensed application licenses

Count of Windows Installer deployment types by uninstall content settings

Count of Microsoft Store for Business apps and sync statistics: summarized types
of apps, licensed app status, and number of online and offline licensed apps

Maintenance window type and duration

Minimum/maximum/average number of application deployments per user/device
per time period

Most common application installation error codes by deployment technology

MSI configuration options and counts

Statistics on end-user interaction with notification for required software
deployments

Universal Data Access usage, how created

Aggregated user device affinity statistics

Max and average primary users per device

Application global condition usage by type

[Updated] Software Center customization configuration, including use of settings
to configure Software Center and notification branding

Package Conversion Manager readiness and counts

Count of application detection methods by type

Count of application enforcement errors

MSI installer properties

Statistics of user install requests

Aggregated statistics on the use of the email approval feature

File count, content size, services count, and custom action count of MSIs in
application catalog

Count of devices by Office ProPlus readiness state

Aggregated statistics on the use of application groups

Aggregated statistics on Office add-ins, usage of the Office Readiness Toolkit, and
counts of clients with Microsoft 365 Apps

Aggregated statistics on Office add-in health

Count and size of Office Pro Plus pilot collections

Number of Office Pro Plus devices sending Office health data

[New] Count of the type of actions used on apps over time

Client (Level 2)
Active Management Technology (AMT) client version

BIOS age in years

Count of devices with Secure Boot enabled

Count of devices by TPM state

Client auto-upgrade: deployment configuration including client piloting and
exclusion usage (extended interoperability client)

Client deployment download errors

Client health statistics and top issue summary by client version, component, OS,
and workload

Client notification operation action status: how many times each is run, max
number of targeted clients, and average success rate

Count of client installations from each source location type

Count of client installation failures

Count of devices virtualized by Hyper-V or Azure

Count of Software Center actions

Count of UEFI-enabled devices

Deployment methods used for client and count of clients per deployment method

List/count of enabled client agents

OS age in months

Number of hardware inventory classes, software inventory rules, file collection
rules, and overall health status

Statistics for device health attestation: most common error codes, number of on-
premises servers, and counts of devices in various states

Count of devices by default browser

Count of Configuration Manager-generated server authentication certificates

Count of Microsoft Surface devices by model

Count of client health check failures by issue type

Count of status (total/approved/blocked) for client certificate types

Client counts for different user/device relationship types

Count of clients in VPN boundaries


Cloud services (Level 2)
Azure AD discovery statistics

Count of collections synced to Azure Log Analytics

Count of Upgrade Analytics Connectors

Whether the Azure Log Analytics cloud connector is enabled

Count of pull-distribution points with a cloud distribution point as a source
location

Usage of the cloud services onboarding wizard

Cloud services configuration onboarding properties

Cloud services endpoint connectivity and component health

[New] Usage of the cloud-attach wizard

CMPivot (Level 2)
CMPivot usage statistics

Count of saved CMPivot queries

Count of queries by entity type

Co-management (Level 2)
Enrollment schedule and historical statistics

Count of clients eligible for co-management

Associated Microsoft Intune tenant

Collections (Level 2)
Collection ID usage (not running out of IDs)

Collection evaluation statistics: query time, assigned versus unassigned counts,
counts by type, ID rollover, and rule usage

Collections without a deployment

Count of collections synchronized to Azure AD

Compliance settings (Level 2)
Basic configuration baseline information: count, number of deployments, number
of references, and frequency of changes

Compliance policy error statistics

Count of configuration items by type

Count of deployments that reference built-in settings, including remediate setting

Count of rules and deployments created for custom settings, including remediate
setting

Count of deployed Simple Certificate Enrollment Protocol (SCEP), VPN, Wi-Fi,
certificate (.pfx), and compliance policy templates

Count of SCEP certificate, VPN, Wi-Fi, certificate (.pfx), and compliance policy
deployments by platform

Windows Hello for Business policy (created, deployed)

Count of deployed Microsoft Edge Legacy browser policies

Count of OneDrive policies (created, deployed)

Count of compliance settings deployed by category, OS, and source (cloud vs on-
premises)

Configuration Manager console (Level 2)
Counts of active and viewed console notification messages by type

Count of folders

Console performance information

25 most common actions, wizards, property sheets, and tree nodes accessed in the
console

[Updated] List of installed console extensions, and whether they're enabled,
required, or approved

Summary of size and count of admin persisted settings

Selected console usage information

Unsigned extension policy

Content (Level 2)

Boundary group statistics: how many fast, how many slow, count per group, and fallback relationships

Boundary group information: count of boundaries and site systems that are assigned to each boundary group

Boundary group relationships and fallback configuration

Client content download statistics

Count of boundaries by type

Count of peer cache clients, usage statistics, and partial download statistics

Distribution Manager configuration information: threads, retry delay, number of retries, and pull distribution point settings

Distribution point configuration information: use of branch cache and distribution point monitoring

Distribution point group information: count of packages and distribution points that are assigned to each distribution point group

Content library type, whether local or remote

Count of boundary groups by configuration

Count of subnets excluded from peer cache

Protection (Level 2)

Microsoft Defender for Endpoint policies (formerly known as Windows Defender for Endpoint): count of policies, and whether policies are deployed

Count of alerts that are configured for the Endpoint Protection feature

Count of collections that are selected to appear in the Endpoint Protection dashboard

Count of Windows Defender Exploit Guard policies, deployments, and targeted clients

Endpoint Protection deployment errors, count of Endpoint Protection policy deployment error codes

Endpoint Protection antimalware and Windows Firewall policy usage (number of unique policies assigned to group). This data doesn't include any information about the settings included in the policy.

Aggregated statistics for Microsoft Defender for Endpoint policies

Migration (Level 2)

Count of migrated objects (use of migration wizard)

Mobile device management (MDM) (Level 2)

Count of issued mobile device actions: lock, PIN reset, wipe, retire, and sync now commands

Count of mobile device policies

Count of mobile devices Configuration Manager manages, and how you enrolled them (bulk, user-based)

Count of users who have multiple enrolled mobile devices

Mobile device polling schedule and statistics for mobile device check-in duration

On-premises mobile device management (MDM) (Level 2)

Count of Windows bulk enrollment packages and profiles

Deployment success/failure statistics for on-premises MDM application deployments

OS deployment (Level 2)

Count of boot images, drivers, driver packages, multicast-enabled distribution points, PXE-enabled distribution points, and task sequences

Count of boot images by Configuration Manager client version

Count of boot images by Windows PE version

Count of edition upgrade policies

Count of hardware identifiers excluded from PXE

Count of OS deployment by OS version

Count of OS upgrades over time

Count of task sequence deployments using option to pre-download content

Counts of task sequence step usage

Version of Windows ADK installed

Count of image servicing tasks

Count of imported machines

Count of duplicate hardware identifiers (MAC address and SMBIOS GUID) excluded
from PXE and client registration

Count of task sequences by type (OS deployment or generic task sequence)

Count of packages with pre-cache content settings

Grouped sizes of task sequence policies

Count of error codes from feature upgrades for Windows clients

Count of supported and unsupported OS versions

Site updates (Level 2)

Versions of installed Configuration Manager hotfixes

Software updates (Level 2)

Available and deadline deltas that are used in automatic deployment rules

Average and maximum number of assignments per update

Client update evaluation and scan schedules

Classifications synced by the software update point

Cluster patching statistics

Configuration of Windows express updates

Configurations that are used for active Windows servicing plans

Count of deployed Microsoft 365 Apps updates

Count of Microsoft Surface drivers synced

Count of update groups and assignments

Count of update packages and the maximum/minimum/average number of distribution points that are targeted with packages

Count of updates that are created and deployed with System Center Update Publisher

Count of Windows Update for Business policies created and deployed

Aggregated statistics of Windows Update for Business configurations

Number of automatic deployment rules that are tied to synchronization

Number of automatic deployment rules that create new or add updates to an existing group

Number of automatic deployment rules that have multiple deployments

Number of update groups and minimum/maximum/average number of updates per group

Number of updates and percentage of updates that are deployed, expired, superseded, downloaded, and contain EULAs

Software update point load-balancing statistics

Software update point synchronization schedule

Total/average number of collections that have software update deployments and the maximum/average number of deployed updates

Update scan error codes and machine count

Windows servicing dashboard content versions

Count of third-party software update catalog subscriptions and usage

Count of software updates deployed with and without content

Aggregated statistics on the number of UUP updates that are required, deployed, expired, superseded, and downloaded

Use of UUP product categories

Count of clients that have deployed at least one UUP quality update or UUP
feature update

Top UUP error codes and count of affected devices

List of subscriptions to third-party software update catalogs

Use of WSUS maintenance settings

Orchestration group usage

Windows Update fallback configuration settings

[New] Type, size, and timeout settings of orchestration group scripts

SQL/performance data (Level 2)

Configuration and duration of site summarization

Count of largest database tables

Discovery operational statistics (count of objects found)

Discovery types, enabled, and schedule (full, incremental)

SQL Server change tracking performance issues, retention period, and autocleanup
state

SQL Server change tracking retention period

State and status message performance statistics including most common and most
expensive message types

Management point traffic statistics (total bytes sent and received by endpoint)

Management point performance counter measurements

Aggregated performance statistics of calls made to Software Center endpoints on the management point

SQL Server maintenance task configuration and status

Status of recent re-initialization requests

Miscellaneous (Level 2)

Configuration of data warehouse service point including synchronization schedule, average time, and use of customized tables feature

Count of scripts and run/edit statistics

Count of sites with Wake On LAN (WOL)

Reporting usage and performance statistics

Phased deployment usage statistics

Management insights item counts and progress

Count of crashes for unique non-Configuration Manager processes on the site server, and Watson signature ID, if available

Aggregated system boot time statistics by OS, form-factor, and drive type

Usage of the Azure migration tool

Count of clients with browser usage

[Updated] Summary of how many site systems have the proxy enabled and how
many are authenticated proxy, including configuration, usage patterns, and traffic
patterns

Usage information for the last seven days of in-console product feedback

Count of site-to-site accounts by type

Usage statistics for user and device custom properties

Level 3 - Full
For Configuration Manager version 2111, this level includes the following data:

Automatic deployment rule evaluation schedule information

ATP health summary

Collection evaluation and refresh statistics

Compliance policy statistics on compliance and errors

Compliance settings: SCEP, VPN, Wi-Fi, and compliance policy template configuration details

DCM config pack for Configuration Manager usage

Detailed client deployment installation errors

Endpoint Protection health summary: including count of protected, at risk, unknown, and unsupported clients

Endpoint Protection policy configuration

List of processes configured with installation behavior for applications

Minimum/maximum/average number of hours since last software update scan

Minimum/maximum/average number of inactive clients in software update deployment collections

Minimum/maximum/average number of software updates per package

MSI product code deployment statistics

Overall compliance of software update deployments

Count of groups that have expired software updates

Software update deployment error codes and counts

Software update deployment information: percentage of deployments that are targeted with client versus UTC time, required versus optional versus silent, and reboot suppression

Software update products synced by software update point

Software update scan success percentages

Top 50 CPUs in the environment

Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages

Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts

Count of clients pushed with option to not allow fallback to NTLM

List of Configuration Manager console extensions


Frequently asked questions about diagnostics and usage data
FAQ

Applies to: Configuration Manager (current branch)

This article provides answers to frequently asked questions about diagnostic and usage
data in Configuration Manager.

Can I turn off diagnostic and usage data?

To help manage when the site sends data, use the service connection point in offline
mode. Then use the service connection tool to manually send data. For more
information, see the following articles:

About the service connection point

Use the service connection tool

To support new versions of Windows and cloud services like Microsoft Intune, you need
to update the current branch of Configuration Manager on a regular basis. Microsoft
requires at least the basic level of diagnostic and usage data. This data is used to keep
the product up to date, improve the update experience, and improve the quality and
security of the product.

No data is sent to the service when the service connection point is in offline mode.
When you switch to online mode or use the service connection tool, it sends data to the
service to check for updates.

You can also choose the level of data that Configuration Manager collects. For more
information, see Levels of diagnostic usage data.

What is the data retention period?

Microsoft stores Configuration Manager diagnostic and usage data for one year.

Is diagnostics and usage data sent when setup runs?

No. Diagnostics and usage data is only sent after the site is installed and operational.

How frequently is the data sent?

The SQL Server stored procedures run every seven days from the date you installed the
site.

In online mode, the service connection point uploads the data after the queries
run.

In offline mode, you use the service connection tool to upload the data. (The data
isn't initially available for offline use until seven days after you install the site.)

Can the data be used to form a network map?

No. This data doesn't include any network details, such as IP addresses or detailed
geographic information. For more information, see Levels of diagnostic usage data, and
find more detail for the version you're using.

The data does include time zone information from each site. This information can
provide insight into the broad geolocation and global dispersion of sites in a hierarchy.

Can you see data in custom SQL Server tables?

No. Configuration Manager collects diagnostics and usage data via SQL Server stored
procedures. These stored procedures run against default product tables in the database.
All of these SQL Server tables are prefixed with TEL_. As part of the SQL Server schema
detection query, all table names are hashed for comparison against the known defaults.
This behavior determines that custom tables exist in the database. The presence of
custom tables informs Microsoft that you extended the database schema from the
default. It doesn't include any of the data stored within those tables.

Can you see other databases?

No. The stored procedures to collect data are limited to the Configuration Manager site
database. Microsoft can't see the names of other databases, or any data in other
databases.

Is any data sent to other integrated cloud services?

Yes, when you integrate those services with Configuration Manager. As part of the
interaction with any cloud service, Configuration Manager sends some data to that
service. This data is specific to that cloud service, and separate from Configuration
Manager diagnostics and usage data. For more information on the specific data used in
the interaction with another cloud service, see the documentation for that service.

For example, the following cloud services are a part of Microsoft Intune family of
products:

Desktop Analytics data privacy

Tenant attach data collection

Endpoint analytics data collection

Privacy and personal data in Intune

Windows Autopilot requirements

Does Configuration Manager collect any personal data?

No. Configuration Manager doesn't collect or transmit any personal data or customer data. It's an
on-premises product that you directly deploy, manage, and operate. The diagnostics
and usage data that Microsoft collects improves the installation experience, quality, and
security of future releases.

For more information about Configuration Manager data, see Levels of diagnostic usage
data.

Plan for security in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article describes the following concepts for you to consider when planning for
security with your Configuration Manager implementation:

Certificates (self-signed and PKI)

The trusted root key

Signing and encryption

Role-based administration

Azure Active Directory

SMS Provider authentication

Before you start, make sure you're familiar with the fundamentals of security in
Configuration Manager.

Certificates
Configuration Manager uses a combination of self-signed and public key infrastructure
(PKI) digital certificates. Use PKI certificates whenever possible. Some scenarios require
PKI certificates. When PKI certificates aren't available, the site automatically generates
self-signed certificates. Some scenarios always use self-signed certificates.

For more information, see Plan for certificates.

The trusted root key

The Configuration Manager trusted root key provides a mechanism for Configuration
Manager clients to verify that site systems belong to their hierarchy. Every site server
generates a site exchange key to communicate with other sites. The site exchange key
from the top-level site in the hierarchy is called the trusted root key.

The function of the trusted root key in Configuration Manager resembles a root
certificate in a public key infrastructure. Anything signed by the private key of the
trusted root key is trusted further down the hierarchy. Clients store a copy of the site's
trusted root key in the root\ccm\locationservices WMI namespace.

For example, the site issues a certificate to the management point, which it signs with
the private key of the trusted root key. The site shares with clients the public key of its
trusted root key. Then clients can differentiate between management points that are in
their hierarchy and management points that aren't in their hierarchy.

Clients automatically get the public copy of the trusted root key by using two
mechanisms:

You extend the Active Directory schema for Configuration Manager, and publish
the site to Active Directory Domain Services. Then clients retrieve this site
information from a global catalog server. For more information, see Prepare Active
Directory for site publishing.

When you install clients using the client push installation method. For more
information, see Client push installation.

If clients can't get the trusted root key by using one of these mechanisms, they trust the
trusted root key that's provided by the first management point that they communicate
with. In this scenario, a client might be misdirected to an attacker's management point
where it would receive policy from the rogue management point. This action requires a
sophisticated attacker. This attack is limited to the short time before the client retrieves
the trusted root key from a valid management point. To reduce this risk of an attacker
misdirecting clients to a rogue management point, pre-provision the clients with the
trusted root key.

For more information and procedures to manage the trusted root key, see Configure
security.

Signing and encryption

When you use PKI certificates for all client communications, you don't have to plan for
signing and encryption to help secure client data communication. If you set up any site
systems that run IIS to allow HTTP client connections, decide how to help secure the
client communication for the site.

Important

Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.

To help protect the data that clients send to management points, you can require clients
to sign the data. You can also require the SHA-256 algorithm for signing. This
configuration is more secure, but don't require SHA-256 unless all clients support it.
Many operating systems natively support this algorithm, but older operating systems
might require an update or hotfix.

While signing helps protect the data from tampering, encryption helps protect the data
from information disclosure. You can enable encryption for the inventory data and state
messages that clients send to management points in the site. You don't have to install
any updates on clients to support this option. Clients and management points require
more CPU usage for encryption and decryption.

Note

To encrypt the data, the client uses the public key of the management point's
encryption certificate. Only the management point has the corresponding private
key, so only it can decrypt the data.

The client bootstraps this certificate with the management point's signing
certificate, which it bootstraps with the site's trusted root key. Make sure to
securely provision the trusted root key on clients. For more information, see The
trusted root key.

For more information about how to configure the settings for signing and encryption,
see Configure signing and encryption.

For more information on the cryptographic algorithms used for signing and encryption,
see Cryptographic controls technical reference.

Role-based administration
With Configuration Manager, you use role-based administration to secure the access
that administrative users need to use Configuration Manager. You also secure access to
the objects that you manage, like collections, deployments, and sites.

With the combination of security roles, security scopes, and collections, you segregate
the administrative assignments that meet your organization's requirements. Used
together, they define the administrative scope of a user. This administrative scope
controls the objects that an administrative user views in the Configuration Manager
console, and it controls the permissions that a user has on those objects.

For more information, see Fundamentals of role-based administration.

Azure Active Directory

Configuration Manager integrates with Azure Active Directory (Azure AD) to enable the
site and clients to use modern authentication.

For more information about Azure AD, see Azure Active Directory documentation.

Onboarding your site with Azure AD supports the following Configuration Manager
scenarios:

Client scenarios
Manage clients on the internet via cloud management gateway

Manage cloud domain-joined devices

Co-management

Deploy user-available apps

Microsoft Store for Business online apps

Manage Microsoft 365 Apps for enterprise

Server scenarios
Desktop Analytics

Tenant attach

Endpoint analytics

Azure Log Analytics

Community Hub

User discovery

SMS Provider authentication

You can specify the minimum authentication level for administrators to access
Configuration Manager sites. This feature enforces administrators to sign in to Windows
with the required level before they can access Configuration Manager. It applies to all
components that access the SMS Provider. For example, the Configuration Manager
console, SDK methods, and Windows PowerShell cmdlets.

Configuration Manager supports the following authentication levels:

Windows authentication: Require authentication with Active Directory domain credentials. This setting is the previous behavior, and the current default setting.

Certificate authentication: Require authentication with a valid certificate that's issued by a trusted PKI certificate authority. You don't configure this certificate in Configuration Manager. Configuration Manager requires the administrator to be signed into Windows using PKI.

Windows Hello for Business authentication: Require authentication with strong two-factor authentication that's tied to a device and uses biometrics or a PIN. For more information, see Windows Hello for Business.

Important

When you select this setting, the SMS Provider and administration service
require the user's authentication token to contain a multi-factor
authentication (MFA) claim from Windows Hello for Business. In other words,
a user of the console, SDK, PowerShell, or administration service has to
authenticate to Windows with their Windows Hello for Business PIN or
biometric. Otherwise the site rejects the user's action.

This behavior is for Windows Hello for Business, not Windows Hello.

For more information on how to configure this setting, see Configure SMS Provider
authentication.

Next steps
Certificates in Configuration Manager

Plan for PKI certificates

Configure security

Cryptographic controls technical reference


Configure security in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the information in this article to help you set up security-related options for
Configuration Manager. Before you start, make sure you have a Plan for security.

Important

Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Client PKI certificates

If you want to use public key infrastructure (PKI) certificates for client connections to site
systems that use Internet Information Services (IIS), use the following procedure to
configure settings for these certificates.

1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node. Select the primary site to configure.

2. In the ribbon, choose Properties. Then switch to the Communication Security tab.

3. Select the settings for site systems that use IIS.

HTTPS only: Clients that are assigned to the site always use a client PKI
certificate when they connect to site systems that use IIS. For example, a
management point and distribution point.

HTTPS or HTTP: You don't require clients to use PKI certificates.

Use Configuration Manager-generated certificates for HTTP site systems: For more information on this setting, see Enhanced HTTP.

4. Select the settings for client computers.

Use client PKI certificate (client authentication capability) when available: If
you chose the HTTPS or HTTP site server setting, choose this option to use a
client PKI certificate for HTTP connections. The client uses this certificate
instead of a self-signed certificate to authenticate itself to site systems. If you
chose HTTPS only, this option is automatically chosen.

When more than one valid PKI client certificate is available on a client, select
Modify to configure the client certificate selection methods. For more
information about the client certificate selection method, see Planning for PKI
client certificate selection.

Clients check the certificate revocation list (CRL) for site systems: Enable
this setting for clients to check your organization's CRL for revoked
certificates. For more information about CRL checking for clients, see
Planning for PKI certificate revocation.

5. To import, view, and delete the certificates for trusted root certification authorities,
select Set. For more information, see Planning for the PKI trusted root certificates
and the certificate issuers List.

Repeat this procedure for all primary sites in the hierarchy.

Manage the trusted root key

Use these procedures to pre-provision and verify the trusted root key for a
Configuration Manager client.

Note

If clients can get the trusted root key from Active Directory Domain Services or
client push, you don't have to pre-provision it.

When clients use HTTPS communication to management points, you don't have to
pre-provision the trusted root key. They establish trust by the PKI certificates.

For more information on the trusted root key, see Plan for security.

Pre-provision a client with the trusted root key by using a file

1. On the site server, browse to the Configuration Manager installation directory. In the \bin\<platform> subfolder, open the following file in a text editor: mobileclient.tcf

2. Locate the entry, SMSPublicRootKey. Copy the value from that line, and close the
file without saving any changes.

3. Create a new text file, and paste the key value that you copied from the
mobileclient.tcf file.

4. Save the file in a location where all computers can access it, but where the file is
safe from tampering.

5. Install the client by using any installation method that accepts client.msi properties.
Specify the following property: SMSROOTKEYPATH=<full path and file name>

Important

When you specify the trusted root key during client installation, also specify
the site code. Use the following client.msi property: SMSSITECODE=<site code>

Pre-provision a client with the trusted root key without using a file

1. On the site server, browse to the Configuration Manager installation directory. In the \bin\<platform> subfolder, open the following file in a text editor: mobileclient.tcf

2. Locate the entry, SMSPublicRootKey. Copy the value from that line, and close the
file without saving any changes.

3. Install the client by using any installation method that accepts client.msi properties.
Specify the following client.msi property: SMSPublicRootKey=<key> where <key> is
the string that you copied from mobileclient.tcf.

Important

When you specify the trusted root key during client installation, also specify
the site code. Use the following client.msi property: SMSSITECODE=<site code>

Verify the trusted root key on a client

1. Open a Windows PowerShell console as an administrator.

2. Run the following command:

PowerShell

(Get-WmiObject -Namespace root\ccm\locationservices -Class TrustedRootKey).TrustedRootKey

The returned string is the trusted root key. Verify that it matches the SMSPublicRootKey
value in the mobileclient.tcf file on the site server.
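The two pre-provisioning procedures and the verification step above, as an added PowerShell example that is not from the Configuration Manager documentation: it reads SMSPublicRootKey out of a copy of mobileclient.tcf, writes it to a key file for SMSROOTKEYPATH, builds the client.msi property string for either method, and compares the key a client reports in WMI against the expected value. The mobileclient.tcf fragment, its placeholder key and the site code PS1 are constructed; it is assumed that SMSPublicRootKey appears as a plain Name=Value line, and the function names are this example's own.

```powershell
# Added example, not from the Configuration Manager docs. Assumes the
# SMSPublicRootKey entry is a "Name=Value" line in mobileclient.tcf; the
# section it sits in is not relied on.

function Get-SmsPublicRootKey {
    # Returns the SMSPublicRootKey value from a mobileclient.tcf file, or $null.
    param([Parameter(Mandatory)][string]$TcfPath)

    foreach ($line in Get-Content -LiteralPath $TcfPath) {
        if ($line -match '^\s*SMSPublicRootKey\s*=\s*(\S+)\s*$') {
            return $Matches[1]
        }
    }
    return $null
}

function Export-TrustedRootKeyFile {
    # Writes the bare key string to a file for use with SMSROOTKEYPATH.
    # Place the file on a share that clients can read but only administrators
    # can write, because a tampered key file redirects client trust.
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$OutFile
    )
    Set-Content -LiteralPath $OutFile -Value $Key -NoNewline -Encoding ASCII
    return $OutFile
}

function New-CcmSetupPropertyString {
    # Builds the client.msi properties for either pre-provisioning method.
    # Both methods must also pass SMSSITECODE, as the notes above require.
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        [string]$Key,
        [string]$KeyFilePath
    )
    if ($Key -and $KeyFilePath) { throw 'Specify either -Key or -KeyFilePath, not both.' }
    if (-not $Key -and -not $KeyFilePath) { throw 'Specify -Key or -KeyFilePath.' }

    if ($Key) {
        return "SMSSITECODE=$SiteCode SMSPublicRootKey=$Key"
    }
    return "SMSSITECODE=$SiteCode SMSROOTKEYPATH=`"$KeyFilePath`""
}

function Test-ClientTrustedRootKey {
    # Compares the key a client stores in root\ccm\locationservices with the
    # expected key from the site server's mobileclient.tcf. A mismatch means
    # the client has no key yet or trusts a different hierarchy.
    param(
        [Parameter(Mandatory)][string]$ExpectedKey,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $cim = @{ Namespace = 'root\ccm\locationservices'; ClassName = 'TrustedRootKey' }
    if ($ComputerName -ne $env:COMPUTERNAME) { $cim.ComputerName = $ComputerName }

    $actual = (Get-CimInstance @cim -ErrorAction Stop).TrustedRootKey
    [pscustomobject]@{
        ComputerName = $ComputerName
        Matches      = ($actual -eq $ExpectedKey)
        ClientKey    = $actual
    }
}

# --- Usage with constructed data -------------------------------------------
# Constructed mobileclient.tcf fragment; the key is a placeholder, not a real key.
$sampleTcf = Join-Path $env:TEMP 'mobileclient.sample.tcf'
@'
[Site]
SMSPublicRootKey=0602000000A40000PLACEHOLDERTRUSTEDROOTKEY
[Other]
Setting=Value
'@ | Set-Content -LiteralPath $sampleTcf

$key     = Get-SmsPublicRootKey -TcfPath $sampleTcf
$keyFile = Export-TrustedRootKeyFile -Key $key -OutFile (Join-Path $env:TEMP 'trustedrootkey.txt')

# Method 1 (key file) and method 2 (inline key); PS1 is a constructed site code.
New-CcmSetupPropertyString -SiteCode 'PS1' -KeyFilePath $keyFile
New-CcmSetupPropertyString -SiteCode 'PS1' -Key $key

# On a managed client, compare what the client reports against the expected key:
# Test-ClientTrustedRootKey -ExpectedKey $key
```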

Remove or replace the trusted root key

Remove the trusted root key from a client by using the client.msi property
RESETKEYINFORMATION=TRUE.

To replace the trusted root key, reinstall the client together with the new trusted root
key. For example, use client push, or specify the client.msi property SMSPublicRootKey.

For more information on these installation properties, see About client installation
parameters and properties.

Signing and encryption

Configure the most secure signing and encryption settings for site systems that all
clients in the site can support. These settings are especially important when you let
clients communicate with site systems by using self-signed certificates over HTTP.

1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node. Select the primary site to configure.

2. In the ribbon, select Properties, and then switch to the Signing and Encryption
tab.

This tab is available on a primary site only. If you don't see the Signing and
Encryption tab, make sure that you're not connected to a central administration
site or a secondary site.

3. Configure the signing and encryption options for clients to communicate with the
site.

Require signing: Clients sign data before sending to the management point.

Require SHA-256: Clients use the SHA-256 algorithm when signing data.

Warning

Don't Require SHA-256 without first confirming that all clients support
this hash algorithm. These clients include ones that might be assigned to
the site in the future.

If you choose this option, and clients with self-signed certificates can't
support SHA-256, Configuration Manager rejects them. The
SMS_MP_CONTROL_MANAGER component logs the message ID 5443.

Use encryption: Clients encrypt client inventory data and status messages
before sending to the management point.

Repeat this procedure for all primary sites in the hierarchy.

Role-based administration
Role-based administration combines security roles, security scopes, and assigned
collections to define the administrative scope for each administrative user. A scope
includes the objects that a user can view in the console, and the tasks related to those
objects that they have permission to do. Role-based administration configurations are
applied at each site in a hierarchy.

For more information, see Configure role-based administration. This article details the
following actions:

Create custom security roles

Configure security roles

Configure security scopes for an object

Configure collections to manage security

Create a new administrative user

Modify the administrative scope of an administrative user


Important

Your own administrative scope defines the objects and settings that you can assign
when you configure role-based administration for another administrative user. For
information about planning for role-based administration, see Fundamentals of
role-based administration.

Manage accounts
Configuration Manager supports Windows accounts for many different tasks and uses.
To view accounts that are configured for different tasks, and to manage the password
that Configuration Manager uses for each account, use the following procedure:

1. In the Configuration Manager console, go to the Administration workspace, expand Security, and then choose the Accounts node.

2. To change the password for an account, select the account in the list. Then choose
Properties in the ribbon.

3. Choose Set to open the Windows User Account dialog box. Specify the new
password for Configuration Manager to use for this account.

Note

The password that you specify must match this account's password in Active
Directory.

For more information, see Accounts used in Configuration Manager.

Azure Active Directory

Integrate Configuration Manager with Azure Active Directory (Azure AD) to simplify and
cloud-enable your environment. Enable the site and clients to authenticate by using
Azure AD.

For more information, see the Cloud Management service in Configure Azure services.

SMS Provider authentication

You can specify the minimum authentication level for administrators to access
Configuration Manager sites. This feature enforces administrators to sign in to Windows
with the required level before they can access Configuration Manager. For more
information, see Plan for SMS Provider authentication.

Important

This configuration is a hierarchy-wide setting. Before you change this setting, make
sure that all Configuration Manager administrators can sign in to Windows with the
required authentication level.

To configure this setting, use the following steps:

1. First sign in to Windows with the intended authentication level.

2. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

3. Select Hierarchy Settings in the ribbon.

4. Switch to the Authentication tab. Select the desired authentication level, and then
select OK.

Only when necessary, select Add to exclude specific users or groups. For
more information, see Exclusions.

Exclusions
From the Authentication tab of Hierarchy Settings, you can also exclude certain users or
groups. Use this option sparingly. For example, when specific users require access to the
Configuration Manager console, but can't authenticate to Windows at the required level.
It may also be necessary for automation or services that run under the context of a
system account.

Next steps
How to enable TLS 1.2

Cryptographic controls technical reference

Communication between endpoints

Cryptographic controls technical reference
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager uses signing and encryption to help protect the management of
the devices in the Configuration Manager hierarchy. With signing, if data has been
altered in transit, it's discarded. Encryption helps prevent an attacker from reading the
data by using a network protocol analyzer.

The primary hashing algorithm that Configuration Manager uses for signing is SHA-256.
When two Configuration Manager sites communicate with each other, they sign their
communications with SHA-256.

Starting in version 2107, the primary encryption algorithm that Configuration Manager
uses is AES-256. Encryption mainly happens in the following two areas:

If you enable the site to Use encryption, the client encrypts its inventory data and
state messages that it sends to the management point.

When the client downloads secret policies, the management point always encrypts
these policies. For example, an OS deployment task sequence that includes
passwords.

For clients on version 2103 and earlier, the primary encryption algorithm is 3DES.

Note

If you configure HTTPS communication, these messages are encrypted twice. The
message is encrypted with AES, then the HTTPS transport is encrypted with AES.

When you use client communication over HTTPS, configure your public key
infrastructure (PKI) to use certificates with the maximum hashing algorithms and key
lengths. When using CNG v3 certificates, Configuration Manager clients only support
certificates that use the RSA cryptographic algorithm. For more information, see PKI
certificate requirements and CNG v3 certificates overview.

For transport security, anything that uses TLS supports AES. This support includes when
you configure the site for enhanced HTTP or HTTPS. For on-premises site systems, you
can control the TLS cipher suites. For cloud-based roles like the cloud management
gateway (CMG), if you enable TLS 1.2, Configuration Manager configures the cipher
suites.

For most cryptographic operations with Windows-based operating systems,
Configuration Manager uses these algorithms from the Windows CryptoAPI library
rsaenh.dll.

For more information about specific functionality, see Site operations.

Site operations
Information in Configuration Manager can be signed and encrypted. It supports these
operations with or without PKI certificates.

Policy signing and encryption

The site signs client policy assignments with its self-signed certificate. This behavior
helps prevent a compromised management point from sending tampered policies. If you
use internet-based client management, this behavior is important because it requires an
internet-facing management point.

When policy contains sensitive data, starting in version 2107, the management point
encrypts it with AES-256. In version 2103 and earlier, it uses 3DES. Policy that contains
sensitive data is only sent to authorized clients. The site doesn't encrypt policy that
doesn't have sensitive data.

When a client stores policy, it encrypts the policy using the Windows data protection
application programming interface (DPAPI).

Policy hashing
When a client requests policy, it first gets a policy assignment. Then it knows which
policies apply to it, and it can request only those policy bodies. Each policy assignment
contains the calculated hash for the corresponding policy body. The client downloads
the applicable policy bodies and then calculates the hash for each policy body. If the
hash on the policy body doesn't match the hash in the policy assignment, the client
discards the policy body.

The hashing algorithm for policy is SHA-256.

Content hashing
The distribution manager service on the site server hashes the content files for all
packages. The policy provider includes the hash in the software distribution policy.
When the Configuration Manager client downloads the content, the client regenerates
the hash locally and compares it to the one supplied in the policy. If the hashes match,
the content isn't altered, and the client installs it. If a single byte of the content is
altered, the hashes won't match, and the client doesn't install the software. This check
helps to make sure that the correct software is installed because the actual content is
compared with the policy.

The default hashing algorithm for content is SHA-256.

Not all devices can support content hashing. The exceptions include:

Windows clients when they stream App-V content.

Windows Mobile clients, though these clients verify the signature of an application
that's signed by a trusted source.
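The following PowerShell is an added example, not Configuration Manager code, that reproduces the two SHA-256 checks described under Policy hashing and Content hashing: the assignment hash is compared with a recomputed hash of the downloaded policy body, and the hash in the software distribution policy is compared with a recomputed hash of the content file. The function names, the sample policy body and the temporary file are constructed for the demonstration.

```powershell
# Added example, not Configuration Manager code. It reproduces the client-side
# SHA-256 comparison described above: for policy, the assignment carries the hash of
# the policy body; for content, the software distribution policy carries the hash of
# the content file. A mismatch means the body is discarded or the content not installed.
# Function names, the sample policy body and the temp file are constructed.

function Get-Sha256Hex {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        # Lowercase hex so it compares cleanly with Get-FileHash output after ToLower()
        return (($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '')
    }
    finally { $sha.Dispose() }
}

function Test-PolicyBodyHash {
    # $ExpectedHash plays the role of the hash in the policy assignment;
    # $PolicyBody is the policy body the client downloaded afterwards.
    param(
        [Parameter(Mandatory)][string]$ExpectedHash,
        [Parameter(Mandatory)][string]$PolicyBody
    )
    $actual = Get-Sha256Hex -Bytes ([System.Text.Encoding]::UTF8.GetBytes($PolicyBody))
    return ($actual -eq $ExpectedHash.ToLower())
}

function Test-ContentHash {
    # $ExpectedHash plays the role of the hash the policy provider put in the
    # software distribution policy; $Path is the content file the client downloaded.
    param(
        [Parameter(Mandatory)][string]$ExpectedHash,
        [Parameter(Mandatory)][string]$Path
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    return ($actual -eq $ExpectedHash.ToLower())
}

# 1. Policy: the assignment hash comes from the genuine body. A body altered in
#    transit no longer matches and would be discarded by the client.
$genuineBody    = '<Policy><Setting Name="RebootDelay">90</Setting></Policy>'   # constructed
$assignmentHash = Get-Sha256Hex -Bytes ([System.Text.Encoding]::UTF8.GetBytes($genuineBody))
$tamperedBody   = $genuineBody -replace '>90<', '>0<'
"Genuine policy body accepted : $(Test-PolicyBodyHash -ExpectedHash $assignmentHash -PolicyBody $genuineBody)"
"Tampered policy body accepted: $(Test-PolicyBodyHash -ExpectedHash $assignmentHash -PolicyBody $tamperedBody)"

# 2. Content: hash a constructed file as the distribution manager would, then flip
#    one bit in one byte and re-check. Even that single change fails the comparison.
$file = Join-Path ([System.IO.Path]::GetTempPath()) 'constructed-content.bin'
[System.IO.File]::WriteAllBytes($file, [byte[]](1..64))
$policyHash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
"Untouched content accepted   : $(Test-ContentHash -ExpectedHash $policyHash -Path $file)"
$bytes = [System.IO.File]::ReadAllBytes($file)
$bytes[10] = [byte]($bytes[10] -bxor 1)
[System.IO.File]::WriteAllBytes($file, $bytes)
"One-byte change accepted     : $(Test-ContentHash -ExpectedHash $policyHash -Path $file)"
Remove-Item -Path $file -Force
```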

Inventory signing and encryption

When a client sends hardware or software inventory to a management point, it always
signs the inventory. It doesn't matter if the client communicates with the management
point over HTTP or HTTPS. If they use HTTP, you can also choose to encrypt this data,
which is recommended.

State migration encryption

When a task sequence captures data from a client for OS deployment, it always encrypts
the data. In version 2103 and later, the task sequence runs the User State Migration Tool
(USMT) with the AES-256 encryption algorithm. In version 2010 and earlier, it uses 3DES.

Encryption for multicast packages

For every OS deployment package, you can enable encryption when you use multicast.
This encryption uses the AES algorithm. If you enable encryption, no other certificate
configuration is required. The multicast-enabled distribution point automatically
generates symmetric keys to encrypt the package. Each package has a different
encryption key. The key is stored on the multicast-enabled distribution point by using
standard Windows APIs.

When the client connects to the multicast session, the key exchange occurs over an
encrypted channel. If the client uses HTTPS, it uses the PKI-issued client authentication
certificate. If the client uses HTTP, it uses the self-signed certificate. The client only
stores the encryption key in memory during the multicast session.

Encryption for OS deployment media

When you use media to deploy operating systems, you should always specify a
password to protect the media. With a password, the task sequence environment
variables are encrypted with AES-128. Other data on the media, including packages and
content for applications, isn't encrypted.

Encryption for cloud-based content

When you enable a cloud management gateway (CMG) to store content, the content is
encrypted with AES-256. The content is encrypted whenever you update it. When clients
download the content, it's encrypted and protected by the HTTPS connection.

Signing in software updates

All software updates must be signed by a trusted publisher to protect against
tampering. On client computers, the Windows Update Agent (WUA) scans for the
updates from the catalog. It won't install the update if it can't locate the digital
certificate in the Trusted Publishers store on the local computer.

When you publish software updates with System Center Updates Publisher, a digital
certificate signs the software updates. You can either specify a PKI certificate or
configure Updates Publisher to generate a self-signed certificate to sign the software
update. If you use a self-signed certificate to publish the updates catalog, such as WSUS
Publishers Self-signed, the certificate must also be in the Trusted Root Certification
Authorities certificate store on the local computer. WUA also checks whether the Allow
signed content from intranet Microsoft update service location group policy setting is
enabled on the local computer. This policy setting must be enabled for WUA to scan for
the updates that were created and published with System Center Updates Publisher.

Signed configuration data for compliance settings

When you import configuration data, Configuration Manager verifies the file's digital
signature. If the files aren't signed, or if the signature check fails, the console warns you
to continue with the import. Only import the configuration data if you explicitly trust the
publisher and the integrity of the files.

Encryption and hashing for client notification
If you use client notification, all communication uses TLS and the highest algorithms that
the server and client can negotiate. For example, all supported Windows OS versions
can use at least AES-128 encryption. The same negotiation occurs for hashing the
packets that are transferred during client notification, which uses SHA-2.

Certificates
For a list of the public key infrastructure (PKI) certificates that can be used by
Configuration Manager, any special requirements or limitations, and how the certificates
are used, see PKI certificate requirements. This list includes the supported hash
algorithms and key lengths. Most certificates support SHA-256 and a 2048-bit key
length.

Most Configuration Manager operations that use certificates also support v3 certificates.
For more information, see CNG v3 certificates overview.

Note

All certificates that Configuration Manager uses must contain only single-byte
characters in the subject name or subject alternative name.

Configuration Manager requires PKI certificates for the following scenarios:

When you manage Configuration Manager clients on the internet

When you manage Configuration Manager clients on mobile devices

When you manage macOS computers

When you use a cloud management gateway (CMG)

For most other communication that requires certificates for authentication, signing, or
encryption, Configuration Manager automatically uses PKI certificates if available. If they
aren't available, Configuration Manager generates self-signed certificates.

Configuration Manager doesn't use PKI certificates when it manages mobile devices by
using the Exchange Server connector.

Mobile device management and PKI certificates

If the mobile device isn't locked by the mobile operator, you can use Configuration
Manager to request and install a client certificate. This certificate provides mutual
authentication between the client on the mobile device and Configuration Manager site
systems. If the mobile device is locked, you can't use Configuration Manager to deploy
certificates.

If you enable hardware inventory for mobile devices, Configuration Manager also
inventories the certificates that are installed on the mobile device.

OS deployment and PKI certificates

When you use Configuration Manager to deploy operating systems, and a management
point requires HTTPS client connections, the client needs a certificate to communicate
with the management point. This requirement applies even when the client is in a
transitional phase such as booting from task sequence media or a PXE-enabled
distribution point. To support this scenario, create a PKI client authentication
certificate, and export it with the private key. Then import it to the site server
properties and also add the management point's trusted root CA certificate.

If you create bootable media, you import the client authentication certificate when you
create the bootable media. To help protect the private key and other sensitive data
configured in the task sequence, configure a password on the bootable media. Every
computer that boots from the bootable media uses the same certificate with the
management point as required for client functions such as requesting client policy.

If you use PXE, import the client authentication certificate to the PXE-enabled
distribution point. It uses the same certificate for every client that boots from that PXE-
enabled distribution point. To help protect the private key and other sensitive data in
the task sequences, require a password for PXE.

If either of these client authentication certificates is compromised, block the certificates
in the Certificates node in the Administration workspace, Security node. To manage
these certificates, you need the permission to Manage operating system deployment
certificate.

After Configuration Manager deploys the OS and installs the client, the client requires its
own PKI client authentication certificate for HTTPS client communication.

ISV proxy solutions and PKI certificates

Independent Software Vendors (ISVs) can create applications that extend Configuration
Manager. For example, an ISV could create extensions to support non-Windows client
platforms such as macOS. However, if the site systems require HTTPS client connections,
these clients must also use PKI certificates for communication with the site.
Configuration Manager includes the ability to assign a certificate to the ISV proxy that
enables communications between the ISV proxy clients and the management point. If
you use extensions that require ISV proxy certificates, consult the documentation for
that product.

If the ISV certificate is compromised, block the certificate in the Certificates node in the
Administration workspace, Security node.

Copy GUID for ISV proxy certificate

Starting in version 2111, to simplify the management of these ISV proxy certificates, you
can now copy its GUID in the Configuration Manager console.

1. In the Configuration Manager console, go to the Administration workspace.

2. Expand Security, and select the Certificates node.

3. Sort the list of the certificates by the Type column.

4. Select a certificate of type ISV Proxy.

5. In the ribbon, select Copy Certificate GUID.

This action copies this certificate's GUID, for example: aa05bf38-5cd6-43ea-ac61-ab101f943987

Asset Intelligence and certificates

Configuration Manager installs with an X.509 certificate that the Asset Intelligence
synchronization point uses to connect to Microsoft. Configuration Manager uses this
certificate to request a client authentication certificate from the Microsoft certificate
service. The client authentication certificate is installed on the Asset Intelligence
synchronization point and it's used to authenticate the server to Microsoft.
Configuration Manager uses the client authentication certificate to download the Asset
Intelligence catalog and to upload software titles.

This certificate has a key length of 1024 bits.

Azure services and certificates

The cloud management gateway (CMG) requires server authentication certificates. These
certificates allow the service to provide HTTPS communication to clients over the
internet. For more information, see CMG server authentication certificate.

Clients require another type of authentication to communicate with a CMG and the on-
premises management point. They can use Azure Active Directory, a PKI certificate, or a
site token. For more information, see Configure client authentication for cloud
management gateway.

Clients don't require a client PKI certificate to use cloud-based storage. After they
authenticate to the management point, the management point issues a Configuration
Manager access token to the client. The client presents this token to the CMG to access
the content. The token is valid for eight hours.

CRL checking for PKI certificates

A PKI certificate revocation list (CRL) increases overall security, but does require some
administrative and processing overhead. If you enable CRL checking, but clients can't
access the CRL, the PKI connection fails.

IIS enables CRL checking by default. If you use a CRL with your PKI deployment, you
don't need to configure most site systems that run IIS. The exception is for software
updates, which requires a manual step to enable CRL checking to verify the signatures
on software update files.

When a client uses HTTPS, it enables CRL checking by default. For macOS clients, you
can't disable CRL checking.

The following connections don't support CRL checking in Configuration Manager:

Server-to-server connections

Mobile devices that are enrolled by Configuration Manager.

Server communication
Configuration Manager uses the following cryptographic controls for server
communication.

Server communication within a site

Each site system server uses a certificate to transfer data to other site systems in the
same Configuration Manager site. Some site system roles also use certificates for
authentication. For example, if you install the enrollment proxy point on one server, and
the enrollment point on another server, they can authenticate one another by using this
identity certificate.

When Configuration Manager uses a certificate for this communication, if there's a PKI
certificate available with server authentication capability, Configuration Manager
automatically uses it. If not, Configuration Manager generates a self-signed certificate.
This self-signed certificate has server authentication capability, uses SHA-256, and has a
key length of 2048 bits. Configuration Manager copies the certificate to the Trusted
People store on other site system servers that might need to trust the site system. Site
systems can then trust one another by using these certificates and PeerTrust.

In addition to this certificate for each site system server, Configuration Manager
generates a self-signed certificate for most site system roles. When there is more than
one instance of the site system role in the same site, they share the same certificate. For
example, you might have multiple management points in the same site. This self-signed
certificate uses SHA-256 and has a key length of 2048 bits. It's copied to the Trusted
People Store on site system servers that might need to trust it. The following site system
roles generate this certificate:

Asset Intelligence synchronization point

Certificate registration point

Endpoint Protection point

Enrollment point

Fallback status point

Management point

Multicast-enabled distribution point

Reporting services point

Software update point

State migration point

Configuration Manager automatically generates and manages these certificates.

To send status messages from the distribution point to the management point,
Configuration Manager uses a client authentication certificate. When you configure the
management point for HTTPS, it requires a PKI certificate. If the management point
accepts HTTP connections, you can use a PKI certificate. It can also use a self-signed
certificate that has client authentication capability, uses SHA-256, and has a key length
of 2048 bits.

Server communication between sites

Configuration Manager transfers data between sites by using database replication and
file-based replication. For more information, see Data transfers between sites and
Communications between endpoints.

Configuration Manager automatically configures the database replication between sites.
If available, it uses PKI certificates with server authentication capability. If not available,
Configuration Manager creates self-signed certificates for server authentication. In both
cases, it authenticates between sites by using certificates in the Trusted People store that
uses PeerTrust. It uses this certificate store to make sure that only the Configuration
Manager hierarchy SQL Servers participate in site-to-site replication.

Site servers establish site-to-site communication by using a secure key exchange that
happens automatically. The sending site server generates a hash and signs it with its
private key. The receiving site server checks the signature by using the public key and
compares the hash with a locally generated value. If they match, the receiving site
accepts the replicated data. If the values don't match, Configuration Manager rejects the
replication data.

Database replication in Configuration Manager uses the SQL Server Service Broker to
transfer data between sites. It uses the following mechanisms:

SQL Server to SQL Server: This connection uses Windows credentials for server
authentication and self-signed certificates with 1024 bits to sign and encrypt the
data with the AES algorithm. If available, it uses PKI certificates with server
authentication capability. It only uses certificates in the computer's Personal
certificate store.

SQL Service Broker: This service uses self-signed certificates with 2048 bits for
authentication and to sign and encrypt the data with the AES algorithm. It only
uses certificates in the SQL Server master database.

File-based replication uses the server message block (SMB) protocol. It uses SHA-256 to
sign data that isn't encrypted and doesn't contain any sensitive data. To encrypt this
data, use IPsec, which you implement independently from Configuration Manager.

Clients that use HTTPS

When site system roles accept client connections, you can configure them to accept
HTTPS and HTTP connections, or only HTTPS connections. Site system roles that accept
connections from the internet only accept client connections over HTTPS.

Client connections over HTTPS offer a higher level of security by integrating with a
public key infrastructure (PKI) to help protect client-to-server communication. However,
configuring HTTPS client connections without a thorough understanding of PKI
planning, deployment, and operations could still leave you vulnerable. For example, if
you don't secure your root certificate authority (CA), attackers could compromise the
trust of your entire PKI infrastructure. Failing to deploy and manage the PKI certificates
by using controlled and secured processes might result in unmanaged clients that can't
receive critical software updates or packages.

Important

The PKI certificates that Configuration Manager uses for client communication
protect the communication only between the client and some site systems. They
don't protect the communication channel between the site server and site systems
or between site servers.

Unencrypted communication when clients use HTTPS

When clients communicate with site systems over HTTPS, most traffic is encrypted. In
the following situations, clients communicate with site systems without using
encryption:

Client fails to make an HTTPS connection on the intranet and falls back to using
HTTP when site systems allow this configuration.

Communication to the following site system roles:

Client sends state messages to the fallback status point.

Client sends PXE requests to a PXE-enabled distribution point.

Client sends notification data to a management point.

You configure reporting services points to use HTTP or HTTPS independently from the
client communication mode.

Clients that use HTTP

When clients use HTTP communication to site system roles, they can use PKI certificates
for client authentication, or self-signed certificates that Configuration Manager
generates. When Configuration Manager generates self-signed certificates, they have a
custom object identifier for signing and encryption. These certificates are used to
uniquely identify the client. These self-signed certificates use SHA-256, and have a key
length of 2048 bits.

OS deployment and self-signed certificates

When you use Configuration Manager to deploy operating systems with self-signed
certificates, the client must also have a certificate to communicate with the management
point. This requirement applies even if the computer is in a transitional phase such as
booting from task sequence media or a PXE-enabled distribution point. To support this
scenario for HTTP client connections, Configuration Manager generates self-signed
certificates that have a custom object identifier for signing and encryption. These
certificates are used to uniquely identify the client. These self-signed certificates use
SHA-256, and have a key length of 2048 bits. If these self-signed certificates are
compromised, prevent attackers from using them to impersonate trusted clients. Block
the certificates in the Certificates node in the Administration workspace, Security node.

Client and server authentication

When clients connect over HTTP, they authenticate the management points by using
either Active Directory Domain Services or by using the Configuration Manager trusted
root key. Clients don't authenticate other site system roles, such as state migration
points or software update points.

When a management point first authenticates a client by using the self-signed client
certificate, this mechanism provides minimal security because any computer can
generate a self-signed certificate. Use client approval to enhance this process. Only
approve trusted computers, either automatically by Configuration Manager, or manually
by an administrative user. For more information, see Manage clients.

About SSL vulnerabilities

To improve the security of your Configuration Manager clients and servers, do the
following actions:

Enable TLS 1.2 across all devices and services. To enable TLS 1.2 for Configuration
Manager, see How to enable TLS 1.2 for Configuration Manager.

Disable SSL 3.0, TLS 1.0, and TLS 1.1.

Reorder the TLS-related cipher suites.

For more information, see the following articles:

Restrict the use of certain cryptographic algorithms and protocols in Schannel.dll

Prioritizing Schannel cipher suites

These procedures don't affect Configuration Manager functionality.
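The following PowerShell is an added example, not Microsoft's or Configuration Manager's code. It audits, read-only, the Schannel protocol settings that the procedure above tells you to change, so you can confirm that SSL 3.0, TLS 1.0 and TLS 1.1 are explicitly disabled and TLS 1.2 is not, on both the client and server side of each host. The registry path and the Enabled and DisabledByDefault values are the documented Schannel controls; the function name is hypothetical.

```powershell
# Added example, not Microsoft's or Configuration Manager's code: a read-only audit of
# the Schannel protocol settings that the procedure above tells you to change. The
# registry location and the Enabled / DisabledByDefault values are the documented
# Schannel controls; the function name is hypothetical. Run it in an elevated
# PowerShell session on the site system or client you want to check, before and
# after hardening.

$schannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols    = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # One object per protocol and side (Client = outbound, Server = inbound).
    foreach ($proto in $protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $schannelBase $proto) $side
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path -Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            # Enabled=0 turns the protocol off completely. DisabledByDefault=1 only stops
            # it being offered unless an application asks for it explicitly. No values at
            # all means the OS default applies, which is not what you want after hardening.
            $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) { 'OS default (not set)' }
                     elseif ($enabled -eq 0)                                { 'Disabled' }
                     elseif ($disabledByDefault -eq 1)                      { 'Not offered by default' }
                     else                                                   { 'Enabled' }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

$states = Get-SchannelProtocolState
$states | Format-Table -AutoSize

# Verdict against the recommendation above: SSL 3.0, TLS 1.0 and TLS 1.1 explicitly
# disabled on both sides, TLS 1.2 not disabled.
$legacyStillOn = $states | Where-Object { $_.Protocol -ne 'TLS 1.2' -and $_.State -ne 'Disabled' }
$tls12Off      = $states | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.State -eq 'Disabled' }

if ($legacyStillOn) {
    $list = ($legacyStillOn | ForEach-Object { '{0}/{1}' -f $_.Protocol, $_.Side }) -join ', '
    "Legacy protocols not explicitly disabled: $list"
}
if ($tls12Off) {
    'TLS 1.2 is disabled on this host; the recommendation is to enable it everywhere.'
}
if (-not $legacyStillOn -and -not $tls12Off) {
    'Schannel protocol settings match the recommendation.'
}
```

Group Policy or a configuration baseline can set the same values fleet-wide; this script only reports what is currently in the registry and changes nothing.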

Note

Updates to Configuration Manager download from the Azure content delivery
network (CDN), which has cipher suite requirements. For more information, see
Azure Front Door: TLS configuration FAQ.

Certificates in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager uses a combination of self-signed and public key infrastructure
(PKI) digital certificates.

Use PKI certificates whenever possible. For more information, see PKI certificate
requirements. When Configuration Manager requests PKI certificates during enrollment
for mobile devices, use Active Directory Domain Services and an enterprise certification
authority. For all other PKI certificates, deploy and manage them independently from
Configuration Manager.

PKI certificates are required when client computers connect to internet-based site
systems. The cloud management gateway also requires certificates. For more
information, see Manage clients on the internet.

When you use a PKI, you can also use IPsec to help secure the server-to-server
communication between site systems in a site, between sites, and for other data transfer
between computers. Implementation of IPsec is independent from Configuration
Manager.

When PKI certificates aren't available, Configuration Manager automatically generates
self-signed certificates. Some certificates in Configuration Manager are always self-
signed. In most cases, Configuration Manager automatically manages the self-signed
certificates, and you don't have to take another action. One example is the site server
signing certificate. This certificate is always self-signed. It makes sure that the policies
that clients download from the management point were sent from the site server and
weren't tampered with. As another example, when you enable the site for Enhanced
HTTP, the site issues self-signed certificates to site server roles.

Important

Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.

CNG v3 certificates
Configuration Manager supports Cryptography: Next Generation (CNG) v3 certificates.
Configuration Manager clients can use a PKI client authentication certificate with private
key in a CNG Key Storage Provider (KSP). With KSP support, Configuration Manager
clients support hardware-based private keys, such as a TPM KSP for PKI client
authentication certificates.

For more information, see CNG v3 certificates overview.

Enhanced HTTP
Using HTTPS communication is recommended for all Configuration Manager
communication paths, but is challenging for some customers because of the overhead
of managing PKI certificates. The introduction of Azure Active Directory (Azure AD)
integration reduces some but not all of the certificate requirements. You can instead
enable the site to use enhanced HTTP. This configuration supports HTTPS on site
systems by using self-signed certificates, along with Azure AD for some scenarios. It
doesn't require PKI.

For more information, see Enhanced HTTP.

Certificates for CMG

Managing clients on the internet via the cloud management gateway (CMG) requires the
use of certificates. The number and type of certificates varies depending upon your
specific scenarios.

For more information, see CMG set up checklist.

Note

The cloud-based distribution point (CDP) is deprecated. Starting in version 2107,
you can't create new CDP instances. To provide content to internet-based devices,
enable the CMG to distribute content. For more information, see Deprecated
features.

For more information about certificates for a CDP, see Certificates for the cloud
distribution point.

The site server signing certificate

The site server always creates a self-signed certificate. It uses this certificate for several
purposes.

Clients can securely get a copy of the site server signing certificate from Active Directory
Domain Services and from client push installation. If clients can't get a copy of this
certificate by one of these mechanisms, install it when you install the client. This process
is especially important if the client's first communication with the site is with an internet-
based management point. Because this server is connected to an untrusted network, it's
more vulnerable to attack. If you don't take this other step, clients automatically
download a copy of the site server signing certificate from the management point.

Clients can't securely get a copy of the site server certificate in the following scenarios:

You don't install the client by using client push, and:

You haven't extended the Active Directory schema for Configuration Manager.

You haven't published the client's site to Active Directory Domain Services.

The client is from an untrusted forest or a workgroup.

You're using internet-based client management and you install the client when it's
on the internet.

For more information on how to install clients with a copy of the site server signing
certificate, use the SMSSIGNCERT command-line property. For more information, see
About client installation parameters and properties.

Hardware-bound key storage provider

Configuration Manager uses self-signed certificates for client identity and to help
protect communication between the client and site systems. When you update the site
and clients to version 2107 or later, the client stores its certificate from the site in a
hardware-bound key storage provider (KSP). This KSP is typically the trusted platform
module (TPM) at least version 2.0. The certificate is also marked non-exportable.

If the client also has a PKI-based certificate, it continues to use that certificate for TLS
HTTPS communication. It uses its self-signed certificate for signing messages with the
site. For more information, see PKI certificate requirements.

Note

For clients that also have a PKI certificate, the Configuration Manager console
displays the Client certificate property as Self-signed. The client control panel
Client certificate property shows PKI.

When you update to version 2107 or later, clients with PKI certificates will recreate self-
signed certificates, but don't reregister with the site. Clients without a PKI certificate will
reregister with the site, which can cause extra processing at the site. Make sure that your
process to update clients allows for randomization. If you simultaneously update lots of
clients, it may cause a backlog on the site server.

Configuration Manager doesn't use TPMs that are known to be vulnerable, for example
TPMs earlier than version 2.0. If a device has a vulnerable TPM, the client falls back to
a software-based KSP. The private key is still non-exportable.

OS deployment media doesn't use hardware-bound certificates; it continues to use self-
signed certificates from the site. You create the media on a device that has the console,
but it can then run on any client.

To troubleshoot certificate behaviors, use the CertificateMaintenance.log on the client.
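As an added example that is not part of the Configuration Manager documentation, the following PowerShell reports, for each certificate in the client's SMS certificate store, which key storage provider holds its private key, whether that provider is the TPM (the Microsoft Platform Crypto Provider), and whether the key is exportable, alongside the TPM specification version from WMI. It assumes Windows PowerShell 5.1 on a Configuration Manager client, run elevated so that private key metadata is readable; the function names are this example's own.

```powershell
# Added example, not from the Configuration Manager docs. Assumptions: Windows
# PowerShell 5.1 on a ConfigMgr client, elevated. The "SMS" store and the
# Win32_Tpm WMI class are standard; the function names are illustrative.

function Get-TpmSpecVersion {
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the
    # TPM specification level that the hardware-bound KSP check cares about.
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }
    return ($tpm.SpecVersion -split ',')[0].Trim()
}

function Get-SmsCertificateKeyInfo {
    param([string]$StorePath = 'Cert:\LocalMachine\SMS')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $keyType = 'none'; $provider = 'n/a'; $exportable = $null
        if ($cert.HasPrivateKey) {
            # GetRSAPrivateKey returns RSACng for keys held in a CNG KSP and
            # RSACryptoServiceProvider for legacy CAPI keys.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $keyType    = 'CNG'
                $provider   = $rsa.Key.Provider.Provider
                $exportable = ($rsa.Key.ExportPolicy -ne 'None')
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $keyType    = 'CAPI'
                $provider   = $rsa.CspKeyContainerInfo.ProviderName
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            KeyType       = $keyType
            Provider      = $provider
            # The TPM-backed KSP is exposed under this provider name.
            HardwareBound = ($provider -eq 'Microsoft Platform Crypto Provider')
            Exportable    = $exportable
        }
    }
}

$spec = Get-TpmSpecVersion
"TPM spec version: $(if ($spec) { $spec } else { 'no TPM found' })"
Get-SmsCertificateKeyInfo | Format-Table -AutoSize
```

On a client that fell back to a software KSP, Provider shows Microsoft Software Key Storage Provider and HardwareBound is False while Exportable stays False, which matches the fallback behavior described above; compare the output with CertificateMaintenance.log when the two disagree.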

Next steps
Plan for PKI certificates in Configuration Manager

Configure security

Cryptographic controls technical reference


Plan for PKI certificates in Configuration Manager
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

Configuration Manager uses public key infrastructure (PKI)-based digital certificates
when available. Use of these certificates is recommended for greater security, but not
required for most scenarios. You need to deploy and manage these certificates
independently from Configuration Manager.

This article provides information about PKI certificates in Configuration Manager to help
you plan your implementation. For more general information about the use of
certificates in Configuration Manager, see Certificates in Configuration Manager.

PKI certificate revocation

When you use PKI certificates with Configuration Manager, plan for use of a certificate
revocation list (CRL). Devices use the CRL to verify the certificate on the connecting
computer. The CRL is a file that a certificate authority (CA) creates and signs. It lists
certificates that the CA has issued but since revoked. When a certificate administrator
revokes a certificate, for example because it's known or suspected to be compromised,
the CA adds the certificate's serial number to the CRL.

Important

Because the location of the CRL is added to a certificate when a CA issues it, make
sure that you plan for the CRL before you deploy any PKI certificates that
Configuration Manager uses.

IIS always checks the CRL for client certificates, and you can't change this configuration
in Configuration Manager. By default, Configuration Manager clients always check the
CRL for site systems. Disable this setting by specifying a site property and by specifying
a CCMSetup property.

Computers that use certificate revocation checking but can't locate the CRL behave as if
all certificates in the certification chain are revoked, because they can't verify whether
the certificates are in the revocation list. In this scenario, all connections that require
certificates and include CRL checking fail. When you validate that your CRL is accessible
by browsing to its HTTP location, remember that the Configuration Manager client runs as
LOCAL SYSTEM. Testing CRL accessibility with a web browser in a user context may
succeed while the computer account is blocked from making an HTTP connection to the
same CRL URL, for example by an internal web filtering solution such as a proxy. Add
the CRL URL to the approved list for any web filtering solution.
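To test the point above the way the client experiences it, the following PowerShell, which is an added example and not part of the Configuration Manager documentation, reads the CRL Distribution Points extension from each client authentication certificate in the machine Personal store and fetches every CRL URL over HTTP. It assumes Windows PowerShell 5.1; the function names are this example's own. Run it once in your own session and once as LOCAL SYSTEM (for example with Sysinternals `psexec -s -i powershell.exe`) so that a proxy or filter that only passes authenticated users shows up as a failure in the second run.

```powershell
# Added example, not from the Configuration Manager docs. Assumptions: Windows
# PowerShell 5.1; run twice, once as a user and once as LOCAL SYSTEM.

function Get-CrlUrl {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 2.5.29.31 is the CRL Distribution Points extension. Format($true) renders it
    # as text with one "URL=<location>" entry per distribution point.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlReachable {
    param([Parameter(Mandatory)][string]$Url)
    try {
        # A plain GET mirrors what the chain engine does; CRLs are small files.
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
        [pscustomobject]@{ Url = $Url; Reachable = $true;  Status = $resp.StatusCode
                           Bytes = $resp.RawContentLength; Error = $null }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Status = $null
                           Bytes = $null; Error = $_.Exception.Message }
    }
}

# Client authentication certificates in the store the ConfigMgr client searches
# by default (Personal store of the Computer account).
$clientAuth = '1.3.6.1.5.5.7.3.2'
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' -and $_.EnhancedKeyUsages[$clientAuth] }
}

"Running as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
foreach ($cert in $certs) {
    "Certificate: $($cert.Subject) ($($cert.Thumbprint))"
    $urls = @(Get-CrlUrl -Certificate $cert)
    if ($urls.Count -eq 0) { "  no HTTP CRL distribution point in this certificate"; continue }
    $urls | ForEach-Object { Test-CrlReachable -Url $_ } | Format-Table -AutoSize
}
```

The built-in alternative is `certutil -verify -urlfetch <exported-certificate.cer>`, which also reports whether each CDP and AIA URL could be retrieved; it too has to be run in the SYSTEM context to reproduce what the client sees.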

Checking the CRL every time that a certificate is used offers more security against using
a certificate that's revoked. It does introduce a connection delay and more processing
on the client. Your organization may require this security check for clients on the
internet or an untrusted network.

Consult your PKI administrators before you decide whether Configuration Manager
clients need to check the CRL. When both of the following conditions are true, consider
keeping this option enabled in Configuration Manager:

Your PKI infrastructure supports a CRL, and it's published where all Configuration
Manager clients can locate it. These clients might include devices on the internet,
and ones in untrusted forests.

The need to check the CRL for each connection to a site system that's configured to use
a PKI certificate outweighs the following costs:
Slower connections
Extra processing on the client
The risk that clients can't connect to servers if they can't locate the CRL

PKI trusted root certificates

If your IIS site systems use PKI client certificates for client authentication over HTTP, or
for client authentication and encryption over HTTPS, you might have to import root CA
certificates as a site property. Here are the two scenarios:

You deploy operating systems by using Configuration Manager, and the management
points only accept HTTPS client connections.

You use PKI client certificates that don't chain to a root certificate that the
management points trust.

Note

When you issue client PKI certificates from the same CA hierarchy that issues
the server certificates that you use for management points, you don't have to
specify this root CA certificate. However, if you use multiple CA hierarchies
and you aren't sure whether they trust each other, import the root CA for the
clients' CA hierarchy.

If you need to import root CA certificates for Configuration Manager, export them from
the issuing CA or from the client computer. If you export the certificate from the issuing
CA that's also the root CA, don't export the private key. Store the exported certificate file
in a secure location to prevent tampering. You need access to the file when you set up
the site. If you access the file over the network, make sure the communication is
protected from tampering by using IPsec.

If any root CA certificate that you import is renewed, import the renewed certificate.

These imported root CA certificates and the root CA certificate of each management
point create the certificate issuers list. Configuration Manager computers use this list in
the following ways:

When clients connect to management points, the management point verifies that
the client certificate is chained to a trusted root certificate in the site's certificate
issuers list. If it doesn't, the certificate is rejected, and the PKI connection fails.

When clients select a PKI certificate and have a certificate issuers list, they select a
certificate that chains to a trusted root certificate in the certificate issuers list. If
there's no match, the client doesn't select a PKI certificate. For more information,
see PKI client certificate selection.

PKI client certificate selection

If your IIS site systems use PKI client certificates for client authentication over HTTP or
for client authentication and encryption over HTTPS, plan for how Windows clients
select the certificate to use for Configuration Manager.

Note

Some devices don't support a certificate selection method. Instead, they automatically
select the first certificate that fulfills the certificate requirements. For example, clients
on macOS computers and mobile devices don't support a certificate selection method.

In many cases, the default configuration and behavior are sufficient. The Configuration
Manager client on Windows computers filters multiple certificates by using these criteria
in this order:

1. The certificate issuers list: The certificate chains to a root CA that's trusted by the
management point.

2. The certificate is in the default certificate store of Personal.

3. The certificate is valid, not revoked, and not expired. The validity check also verifies
that the private key is accessible.

4. The certificate has client authentication capability.

5. The certificate Subject Name contains the local computer name as a substring.

6. The certificate has the longest validity period.

Configure clients to use the certificate issuers list by using the following mechanisms:

Publish it with Configuration Manager site information to Active Directory Domain
Services.

Install clients by using client push.

Clients download it from the management point after they're successfully assigned
to their site.

Specify it during client installation as the CCMSetup client.msi property
CCMCERTISSUERS.

If clients don't have the certificate issuers list when they're first installed, and aren't yet
assigned to the site, they skip this check. When clients do have the certificate issuers list,
and don't have a PKI certificate that chains to a trusted root certificate in the certificate
issuers list, certificate selection fails. Clients don't continue with the other certificate
selection criteria.

In most cases, the Configuration Manager client correctly identifies a unique and
appropriate PKI certificate. When this behavior isn't the case, instead of selecting the
certificate based on the client authentication capability, you can set up two alternative
selection methods:

A partial string match on the client certificate subject name. This method is a case-
insensitive match. It's appropriate if you're using the fully qualified domain name
(FQDN) of a computer in the subject field and want the certificate selection to be
based on the domain suffix, for example contoso.com. You can use this selection
method to identify any string of sequential characters in the certificate subject
name that differentiates the certificate from others in the client certificate store.

Note

You can't use the partial string match with the subject alternative name (SAN)
as a site setting. Although you can specify a partial string match for the SAN
by using CCMSetup, it'll be overwritten by the site properties in the following
scenarios:
Clients retrieve site information that's published to Active Directory
Domain Services.
Clients are installed by using client push installation.

Use a partial string match in the SAN only when you install clients manually
and when they don't retrieve site information from Active Directory Domain
Services. For example, these conditions apply to internet-only clients.

A match on the client certificate subject name attribute values or the subject
alternative name (SAN) attribute values. This method is a case-sensitive match. It's
appropriate if you're using an X.500 distinguished name or equivalent object
identifiers (OIDs) in compliance with RFC 3280, and you want the certificate
selection to be based on the attribute values. You can specify only the attributes
and their values that you require to uniquely identify or validate the certificate and
differentiate the certificate from others in the certificate store.

The following table shows the attribute values that Configuration Manager supports for
the client certificate selection criteria:

OID Attribute               Distinguished name attribute   Attribute definition
0.9.2342.19200300.100.1.25  DC                             Domain component
1.2.840.113549.1.9.1        E or E-mail                    Email address
2.5.4.3                     CN                             Common name
2.5.4.4                     SN                             Surname
2.5.4.5                     SERIALNUMBER                   Serial number
2.5.4.6                     C                              Country code
2.5.4.7                     L                              Locality
2.5.4.8                     S or ST                        State or province name
2.5.4.9                     STREET                         Street address
2.5.4.10                    O                              Organization name
2.5.4.11                    OU                             Organizational unit
2.5.4.12                    T or Title                     Title
2.5.4.42                    G or GN or GivenName           Given name
2.5.4.43                    I or Initials                  Initials
2.5.29.17                   (no value)                     Subject Alternative Name

Note

If you configure either of the above alternate certificate selection methods, the
certificate Subject Name doesn't need to contain the local computer name.

If more than one appropriate certificate is located after the selection criteria are applied,
you can override the default configuration to select the certificate that has the longest
validity period. Instead, you can specify that no certificate is selected. In this scenario,
the client can't communicate with IIS site systems with a PKI certificate. The client sends
an error message to its assigned fallback status point to alert you to the certificate
selection failure. Then you can change or refine your certificate selection criteria.

The client behavior then depends on whether the failed connection was over HTTPS or
HTTP:

If the failed connection was over HTTPS: The client tries to connect over HTTP and
uses the client self-signed certificate.

If the failed connection was over HTTP: The client tries to connect again over HTTP
by using the self-signed client certificate.

To help identify a unique PKI client certificate, you can also specify a custom store other
than the default of Personal in the Computer store. Create a custom certificate store
outside of Configuration Manager. You need to be able to deploy certificates to this
custom store and renew them before the validity period expires.

For more information, see Configure settings for client PKI certificates.
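The following PowerShell is an added example, not part of the Configuration Manager documentation, that applies the selection rules described in this section to the machine Personal store and reports which certificate would be chosen: chain to a trusted root in an issuers list, private key present, valid period and revocation status, Client Authentication EKU, the default computer-name substring rule or one of the two alternative methods (case-insensitive partial subject match, case-sensitive attribute match against the subject DN or SAN), then the longest-validity tie-break or a deliberate failure when more than one certificate matches. The parameter and function names are this example's own, not CCMSetup properties; it assumes Windows PowerShell 5.1 run elevated.

```powershell
# Added example, not from the Configuration Manager docs. Assumptions: Windows
# PowerShell 5.1, elevated. Parameter names are illustrative, not CCMSetup properties.

function Get-RootThumbprint {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Online revocation checking: an unreachable CRL makes Build() fail, which is
    # the "treat the chain as revoked" behavior described in the CRL section.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    if (-not $chain.Build($Certificate)) { return $null }
    return $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
}

function Test-SubjectAttributeMatch {
    # Case-sensitive match of one "ATTR=value" pair against the subject DN or the
    # SAN entries (for example 'OU=Workstations' or 'DNS Name=pc01.contoso.com').
    # Splitting on commas is a simplification; quoted commas inside a value would break it.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate, [string]$Criteria)
    $pairs = @($Certificate.Subject -split ',\s*')
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $pairs += ($san.Format($false) -split ',\s*') }
    return [bool]($pairs | Where-Object { $_ -ceq $Criteria })
}

function Select-ClientCertificate {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [string[]]$TrustedRootThumbprints = @(),   # the certificate issuers list, if known
        [string]$SubjectContains,                   # partial, case-insensitive subject match
        [string]$SubjectAttribute,                  # exact, case-sensitive attribute match
        [switch]$FailIfAmbiguous                    # instead of picking the longest validity
    )
    $clientAuth = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date
    $candidates = Get-ChildItem -Path $StorePath | Where-Object {
        $c = $_
        $root = Get-RootThumbprint -Certificate $c
        $root -and
        ($TrustedRootThumbprints.Count -eq 0 -or $TrustedRootThumbprints -contains $root) -and
        $c.HasPrivateKey -and $c.NotBefore -le $now -and $c.NotAfter -gt $now -and
        [bool]($c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' -and $_.EnhancedKeyUsages[$clientAuth] })
    }
    if ($SubjectContains) {
        $candidates = $candidates | Where-Object {
            $_.Subject.IndexOf($SubjectContains, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
    } elseif ($SubjectAttribute) {
        $candidates = $candidates | Where-Object { Test-SubjectAttributeMatch $_ $SubjectAttribute }
    } else {
        # Default rule: the Subject Name contains the local computer name.
        $candidates = $candidates | Where-Object { $_.Subject -like "*$env:COMPUTERNAME*" }
    }
    $candidates = @($candidates)
    if ($candidates.Count -gt 1 -and $FailIfAmbiguous) {
        throw "Ambiguous selection: $($candidates.Count) certificates match; refine the criteria."
    }
    # Tie-break: the certificate with the longest validity period.
    $candidates | Sort-Object { $_.NotAfter - $_.NotBefore } -Descending | Select-Object -First 1
}

# Default behavior, then the two alternative methods (values are illustrative).
Select-ClientCertificate | Format-List Subject, Thumbprint, NotAfter
Select-ClientCertificate -SubjectContains 'contoso.com' | Format-List Subject, Thumbprint
Select-ClientCertificate -SubjectAttribute 'OU=Workstations' -FailIfAmbiguous | Format-List Subject, Thumbprint
```

If the last call throws, you have the same situation the text describes for the "no certificate is selected" option: more than one certificate satisfies the criteria, and the criteria, not the client, need to change.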

Transition strategy for PKI certificates

The flexible configuration options in Configuration Manager let you gradually transition
clients and the site to use PKI certificates to help secure client endpoints. PKI certificates
provide better security and enable you to manage internet clients.

This plan first introduces PKI certificates for authentication only over HTTP, and then for
authentication and encryption over HTTPS. When you follow this plan to gradually
introduce these certificates, you reduce the risk that clients become unmanaged. You'll
also benefit from the highest security that Configuration Manager supports.

Because of the number of configuration options and choices in Configuration Manager,
there's no single way to transition a site so that all clients use HTTPS connections. The
following steps provide general guidance:

1. Install the Configuration Manager site and configure it so that site systems accept
client connections over HTTPS and HTTP.

2. Configure the Communication Security tab in the site properties. Set Site System
Settings to HTTP or HTTPS and select Use PKI client certificate (client
authentication capability) when available. For more information, see Configure
settings for client PKI certificates.

3. Pilot a PKI rollout for client certificates. For an example deployment, see Deploy
the client certificate for Windows computers.

4. Install clients by using the client push installation method. For more information,
see How to install Configuration Manager clients by using client push.

5. Monitor client deployment and status by using the reports and information in the
Configuration Manager console.

6. Track how many clients are using a client PKI certificate by viewing the Client
Certificate column in the Assets and Compliance workspace, Devices node.

Note

For clients that also have a PKI certificate, the Configuration Manager console
displays the Client certificate property as Self-signed. The client control panel
Client certificate property shows PKI.

You can also deploy the Configuration Manager HTTPS Readiness Assessment Tool
(CMHttpsReadiness.exe) to computers. Then use the reports to view how many
computers can use a client PKI certificate with Configuration Manager.

Note

When you install the Configuration Manager client, it installs the
CMHttpsReadiness.exe tool in the %windir%\CCM folder. The following
command-line options are available when you run this tool:

/Store:<Certificate store name>: This option is the same as the CCMCERTSTORE
client.msi property.

/Issuers:<Case-sensitive issuer common name>: This option is the same as the
CCMCERTISSUERS client.msi property.

/Criteria:<Selection criteria>: This option is the same as the CCMCERTSEL
client.msi property.

/SelectFirstCert: This option is the same as the CCMFIRSTCERT client.msi property.

The tool outputs information to the CMHttpsReadiness.log in the CCM\Logs
directory.

For more information, see About client installation properties.

7. When you're confident that enough clients are successfully using their client PKI
certificate for authentication over HTTP, follow these steps:

a. Deploy a PKI web server certificate to a member server that runs another
management point for the site, and configure that certificate in IIS. For more
information, see Deploy the web server certificate for site systems that run IIS.

b. Install the management point role on this server. Configure the Client
connections option in the management point properties for HTTPS.

8. Monitor and verify that clients that have a PKI certificate use the new management
point by using HTTPS. You can use IIS logging or performance counters to verify.

9. Reconfigure other site system roles to use HTTPS client connections. If you want to
manage clients on the internet, make sure that site systems have an internet
FQDN. Configure individual management points and distribution points to accept
client connections from the internet.

Important

Before you set up site system roles to accept connections from the internet,
review the planning information and prerequisites for internet-based client
management. For more information, see Communications between
endpoints.

10. Extend the PKI certificate rollout for clients and for site systems that run IIS. Set up
the site system roles for HTTPS client connections and internet connections, as
required.

11. For the highest security: When you're confident that all clients are using a client
PKI certificate for authentication and encryption, change the site properties to use
HTTPS only.

Next steps
Configure security

Cryptographic controls technical reference

PKI certificate requirements


CNG v3 certificates overview
Article • 10/04/2022

Configuration Manager supports Cryptography: Next Generation (CNG) certificates.
Configuration Manager clients can use a PKI client authentication certificate with the
private key generated and stored in a CNG Key Storage Provider (KSP). With KSP
support, Configuration Manager clients support hardware-based private keys, such as a
TPM KSP for PKI client authentication certificates.

Note

When using CNG certificates, Configuration Manager clients only support
certificates that use the RSA cryptographic algorithm.

Supported scenarios
You can use Cryptography API: Next Generation (CNG) v3 certificate templates for the
following scenarios:

Client registration and communication with an HTTPS management point
Software distribution and application deployment with an HTTPS distribution point
OS deployment
Client messaging SDK (with latest update) and ISV Proxy
Cloud management gateway (CMG) configuration
User-targeted available applications in Software Center

Also use CNG v3 certificates for the following HTTPS-enabled server roles:

Management point
Distribution point
Software update point
State migration point
Certificate registration point, including the NDES server with the Configuration
Manager policy module

Note

CNG is backward compatible with Crypto API (CAPI). CAPI certificates continue to
be supported even when CNG support is enabled on the client.

Unsupported scenarios

The following scenarios currently aren't supported:

The following server roles aren't operational when installed in HTTPS mode with a
CNG v3 certificate bound to the web site in Internet Information Services (IIS):
Enrollment point
Enrollment proxy point

To use CNG certificates

To use CNG v3 certificates, your certification authority (CA) needs to provide CNG
certificate templates for target machines. Template details vary according to the
scenario; however, the following properties are required:

Compatibility tab

Certification Authority must be Windows Server 2008 or later. (Windows Server
2012 is recommended.)

Certificate recipient must be Windows Vista/Server 2008 or later. (Windows
8/Windows Server 2012 is recommended.)

Cryptography tab

Provider Category must be Key Storage Provider. (required)

Algorithm name must be RSA. (required)

Requests must use one of the following providers: select Microsoft Software Key
Storage Provider.

Note

The requirements for your environment or organization may be different. Contact
your PKI expert. The important point to consider is that a certificate template must
use a Key Storage Provider to take advantage of CNG.

For best results, we recommend building the Subject Name from Active Directory
information. Use the DNS Name for Subject name format and include the DNS name in
the subject alternative name. Otherwise, you must provide this information when the
device enrolls into the certificate profile.

PKI certificate requirements for Configuration Manager
Article • 03/22/2023

Applies to: Configuration Manager (current branch)

The public key infrastructure (PKI) certificates that you might require for Configuration
Manager are listed in the following tables. This information assumes basic knowledge of
PKI certificates.

You can use any PKI to create, deploy, and manage most certificates in Configuration
Manager. The client certificates that Configuration Manager enrolls on mobile devices
and Mac computers require Active Directory Certificate Services.

When you use Active Directory Certificate Services and certificate templates, this
Microsoft PKI solution can ease the management of certificates. Use the Microsoft
certificate template reference in the sections below to identify the certificate template
that most closely matches the certificate requirements. Only an enterprise certification
authority (CA) that runs on the Enterprise or Datacenter editions of Windows server can
use template-based certificates.

For more information, see the following articles:

Step-by-step example deployment of the PKI certificates for Configuration
Manager: Windows Server 2008 Certification Authority

Active Directory Certificate Services Overview

How to enable Transport Layer Security (TLS) 1.2

Supported certificate types

Secure Hash Algorithm 2 (SHA-2) certificates


Issue new server and client authentication certificates that are signed with SHA-2, which
includes SHA-256 and SHA-512. All internet-facing services should use an SHA-2
certificate. For example, if you purchase a public certificate for use with a cloud
management gateway, make sure that you purchase an SHA-2 certificate.

Windows doesn't trust certificates signed with SHA-1. For more information, see
Windows Enforcement of SHA1 certificates.

CNG v3 certificates
Configuration Manager supports Cryptography: Next Generation (CNG) v3 certificates.
Configuration Manager clients can use a PKI client authentication certificate with private
key in a CNG Key Storage Provider (KSP). With KSP support, Configuration Manager
clients support hardware-based private keys, such as a TPM KSP for PKI client
authentication certificates.

For more information, see CNG v3 certificates overview.

PKI certificates for servers

Site systems that run IIS and support HTTPS client connections

This web server certificate is used to:

Authenticate the servers to the client

Encrypt all data that's transferred between the client and these servers with TLS.

Applies to:

Management point
Distribution point
Software update point
State migration point
Enrollment point
Enrollment proxy point
Certificate registration point

Certificate requirements:

Certificate purpose: Server authentication

Microsoft certificate template: Web Server

The Enhanced Key Usage value must contain Server Authentication
(1.3.6.1.5.5.7.3.1)

Subject Name:

If the site system accepts connections from the internet, the Subject Name or
Subject Alternative Name must contain the internet fully qualified domain
name (FQDN).

If the site system accepts connections from the intranet, the Subject Name or
Subject Alternative Name must contain either the intranet FQDN
(recommended) or the computer's name, depending on how the site system is
set up.

If the site system accepts connections from both the internet and the intranet,
both the internet FQDN and the intranet FQDN (or computer name) must be
specified. Use the ampersand ( & ) symbol delimiter between the two names.

Note

When the software update point accepts client connections from the internet
only, the certificate must contain both the internet FQDN and the intranet
FQDN.

Key length: Configuration Manager doesn't specify a maximum supported key
length for this certificate. Consult your PKI and IIS documentation for any key-size
related issues for this certificate.

Most site system roles support key storage providers for certificate private keys (v3). For
more information, see CNG v3 certificates overview.

This certificate must be in the Personal store in the Computer certificate store.
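Before binding a web server certificate in IIS, it's worth checking it against the requirements just listed. The following PowerShell is an added example, not part of the Configuration Manager documentation: it looks up a certificate in the machine Personal store by thumbprint, confirms the Server Authentication EKU, collects the subject CN and SAN DNS names and reports any required FQDN (intranet, internet, or both) that is missing, shows the public key algorithm and length, and reports whether the private key sits in a CNG key storage provider (v3) or a legacy CAPI provider, which matters for the CNG v3 scenarios above. It assumes Windows PowerShell 5.1 run elevated; the thumbprint, host names, and function name are placeholders.

```powershell
# Added example, not from the Configuration Manager docs. Assumptions: Windows
# PowerShell 5.1, elevated. Thumbprint and host names below are placeholders.

function Test-CMWebServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string[]]$RequiredFqdn,   # intranet FQDN and/or internet FQDN
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1) is mandatory.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = [bool]($eku -and $eku.EnhancedKeyUsages['1.3.6.1.5.5.7.3.1'])

    # Every name the certificate asserts: subject CN plus SAN "DNS Name=" entries.
    $names = @($cert.GetNameInfo('SimpleName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $missing = @($RequiredFqdn | Where-Object { -not ($names -icontains $_) })

    # GetRSAPublicKey returns $null for non-RSA keys; CNG support here requires RSA.
    $rsaPub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    $keyProvider = 'no private key'
    if ($cert.HasPrivateKey) {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { $keyProvider = "CNG (KSP): $($rsa.Key.Provider.Provider)" }
        elseif ($rsa) { $keyProvider = "CAPI: $($rsa.CspKeyContainerInfo.ProviderName)" }
        else { $keyProvider = 'non-RSA key' }
    }

    [pscustomobject]@{
        Subject           = $cert.Subject
        ServerAuthEku     = $hasServerAuth
        NamesPresent      = ($names -join ';')
        MissingFqdn       = ($missing -join ';')
        Algorithm         = $cert.PublicKey.Oid.FriendlyName
        KeyLengthBits     = if ($rsaPub) { $rsaPub.KeySize } else { $null }
        HasPrivateKey     = $cert.HasPrivateKey
        KeyProvider       = $keyProvider
        Expired           = ($cert.NotAfter -lt (Get-Date))
        MeetsRequirements = ($hasServerAuth -and $cert.HasPrivateKey -and
                             $missing.Count -eq 0 -and $cert.NotAfter -gt (Get-Date))
    }
}

# A management point that accepts both intranet and internet connections must
# carry both names; the thumbprint is a placeholder for your own.
Test-CMWebServerCertificate -Thumbprint '0000000000000000000000000000000000000000' `
    -RequiredFqdn 'mp01.corp.contoso.com', 'mp01.contoso.com' | Format-List
```

MissingFqdn is the field to watch during the transition to HTTPS: a software update point that serves internet clients needs both names in one certificate, and a management point with only its NetBIOS name in the subject will fail client connections that use the FQDN.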

Cloud management gateway (CMG)


This service certificate is used to:

Authenticate the CMG service in Azure to Configuration Manager clients

Encrypt all data transferred between them by using TLS.

Export this certificate in a Public Key Certificate Standard (PKCS #12) format. You need to
know the password, so that you can import the certificate when you create the CMG.

Certificate requirements:

Certificate purpose: Server authentication

Microsoft certificate template: Web Server


The Enhanced Key Usage value must contain Server Authentication
(1.3.6.1.5.5.7.3.1)

The Subject Name must contain a customer-defined service name as the Common
Name for the specific instance of the cloud management gateway.

The private key must be exportable.

Supported key lengths: 2048-bit or 4096-bit

This certificate supports key storage providers for certificate private keys (v3).

For more information, see CMG server authentication certificate.

Site system servers that run Microsoft SQL Server


This certificate is used for server-to-server authentication.

Certificate requirements:

Certificate purpose: Server authentication

Microsoft certificate template: Web Server

The Enhanced Key Usage value must contain Server Authentication
(1.3.6.1.5.5.7.3.1)

The Subject Name must contain the intranet fully qualified domain name (FQDN)

Maximum supported key length is 2,048 bits.

This certificate must be in the Personal store in the Computer certificate store.
Configuration Manager automatically copies it to the Trusted People Store for servers in
the Configuration Manager hierarchy that might have to establish trust with the server.

SQL Server Always On failover cluster instance


This certificate is used for server-to-server authentication.

Certificate requirements:

Certificate purpose: Server authentication

Microsoft certificate template: Web Server


The Enhanced Key Usage value must contain Server Authentication
(1.3.6.1.5.5.7.3.1)

The Subject Name must contain the intranet fully qualified domain name (FQDN)
of the cluster

The private key must be exportable

The certificate must have a validity period of at least two years when you configure
Configuration Manager to use the failover cluster instance

Maximum supported key length is 2,048 bits.

Request and install this certificate on one node in the cluster. Then export the certificate
and import it to the other nodes.

This certificate must be in the Personal store in the Computer certificate store.
Configuration Manager automatically copies it to the Trusted People Store for servers in
the Configuration Manager hierarchy that might have to establish trust with the server.

Site system monitoring


Applies to:

Management point
State migration point

Certificate requirements:

Certificate purpose: Client authentication

Microsoft certificate template: Workstation Authentication

The Enhanced Key Usage value must contain Client Authentication
(1.3.6.1.5.5.7.3.2)

Computers must have a unique value in the Subject Name field or in the Subject
Alternative Name field.

Note

If you use multiple values for the Subject Alternative Name, it only uses the
first value.

Maximum supported key length is 2,048 bits.

This certificate is required on the listed site system servers, even if the Configuration
Manager client isn't installed. This configuration allows the site to monitor and report on
the health of these site system roles.

The certificate for these site systems must be in the Personal store of the Computer
certificate store.

Servers running the Configuration Manager Policy Module with the Network Device
Enrollment Service (NDES) role service

Certificate requirements:

Certificate purpose: Client authentication

Microsoft certificate template: Workstation Authentication

The Enhanced Key Usage value must contain Client Authentication
(1.3.6.1.5.5.7.3.2)

There are no specific requirements for the certificate Subject Name or Subject
Alternative Name (SAN). You can use the same certificate for multiple servers
running the Network Device Enrollment Service.

Supported key lengths: 1,024 bits and 2,048 bits.

Site systems that have a distribution point installed

This certificate has two purposes:

It authenticates the distribution point to an HTTPS-enabled management point
before the distribution point sends status messages.

Note

When you configure all management points for HTTPS, HTTPS-enabled
distribution points must use a PKI-issued certificate. Don't use self-signed
certificates on distribution points when management points use PKI certificates.
Issues occur otherwise; for example, distribution points won't send state
messages.

A PXE-enabled distribution point sends this certificate to computers. If the task
sequence includes client actions like client policy retrieval or sending inventory
information, the computer can connect to an HTTPS-enabled management point
during the OS deployment process.

Note

For this PXE scenario, this certificate is only used during the OS deployment
process. It isn't installed on the client. Because of this temporary use, you can
use the same certificate for every OS deployment if you don't want to use
multiple client certificates.

The requirements for this certificate are the same as the client certificate for
task sequence media. Because the requirements are the same, you can use the
same certificate file.

The certificate that you specify to HTTPS-enable a distribution point applies to
all content distribution operations, not just OS deployment.

Certificate requirements:

Certificate purpose: Client authentication

Microsoft certificate template: Workstation Authentication

The Enhanced Key Usage value must contain Client Authentication
(1.3.6.1.5.5.7.3.2)

There are no specific requirements for the certificate Subject Name or Subject
Alternative Name (SAN). It's recommended to use a different certificate for each
distribution point, but you can use the same certificate.

The private key must be exportable.

Maximum supported key length is 2,048 bits.

Export this certificate in a Public Key Certificate Standard (PKCS #12) format. You need to
know the password, so that you can import the certificate to the distribution point
properties.

Proxy web servers for internet-based client management


If the site supports internet-based client management, and you use a proxy web server
by using SSL termination (bridging) for incoming internet connections, the proxy web
server has the following certificate requirements:

Note

If you use a proxy web server without SSL termination (tunneling), no additional
certificates are required on the proxy web server.

Certificate requirements:

Certificate purpose: Server authentication and Client authentication

Microsoft certificate template: Web Server and Workstation Authentication

Internet FQDN in the Subject Name or Subject Alternative Name field. If you use
Microsoft certificate templates, the Subject Alternative Name is only available with
the workstation template.

This certificate is used to authenticate the following servers to internet clients and to
encrypt all data transferred between the client and this server with TLS:

Internet-based management point
Internet-based distribution point
Internet-based software update point

The client authentication is used to bridge client connections between the Configuration
Manager clients and the internet-based site systems.

PKI certificates for clients

Windows client computers

Except for the software update point, this certificate authenticates the client to site
systems that run IIS and support HTTPS client connections.

Certificate requirements:

Certificate purpose: Client authentication

Microsoft certificate template: Workstation Authentication

The Enhanced Key Usage value must contain Client Authentication
(1.3.6.1.5.5.7.3.2)

The Key Usage value must contain Digital Signature, Key Encipherment (a0)

Client computers must have a unique value in the Subject Name or Subject
Alternative Name field. If used, the Subject Name field must contain the local
computer name unless an alternative certificate selection criteria is specified. For
more information, see Plan for PKI client certificate selection.

Note

If you use multiple values for the Subject Alternative Name, it only uses the
first value.

There's no maximum supported key length.

By default, Configuration Manager looks for computer certificates in the Personal store
in the Computer certificate store.

Task sequence media for deploying operating systems

This certificate is used by an OSD task sequence and allows the computer to connect to
an HTTPS-enabled management point and distribution point during the OS deployment
process. Connections to the management point and to the distribution point may
include such actions such as client policy retrieval from the management point and
downloading of content from the distribution point.

This certificate is only used during the OS deployment process. It isn't used as part of
the client installation properties when the client is installed during the Setup
Windows and ConfigMgr task, nor is it installed on the device. Because of this
temporary use, you can use the same certificate for every OS deployment if you don't
want to use multiple client certificates.

When you have an environment that's HTTPS-only, the task sequence media must have
a valid certificate. This certificate allows the device to communicate with the site and for
the deployment to continue. After the task sequence completes, when the device is
joined to Active Directory, the client can automatically generate a PKI certificate via a
GPO, or you can install a PKI certificate by using another method.

Note

The requirements for this certificate are the same as the server certificate for site
systems with the distribution point role. Because the requirements are the same,
you can use the same certificate file.

Certificate requirements:

Certificate purpose: Client authentication

Microsoft certificate template: Workstation Authentication

The Enhanced Key Usage value must contain Client Authentication
(1.3.6.1.5.5.7.3.2)

There are no specific requirements for the certificate Subject Name or Subject
Alternative Name (SAN) fields. You can use the same certificate for all task
sequence media.

The private key must be exportable.

Maximum supported key length is 2,048 bits.

Export this certificate in a Public Key Certificate Standard (PKCS #12) format. You need to
know the password, so that you can import the certificate when creating the task
sequence media.

Important

Boot images don't contain PKI certificates to communicate with the site. Instead,
boot images use the PKI certificate added to the task sequence media to
communicate with the site.

For more information on adding a PKI certificate to task sequence media, see Create
bootable media and Create prestaged media.

macOS client computers

This certificate authenticates the macOS client computer to the site system servers that
it communicates with. For example, management points and distribution points.

Certificate requirements:

Certificate purpose: Client authentication

Microsoft certificate template:
For Configuration Manager enrollment: Authenticated Session
For certificate installation independent from Configuration Manager:
Workstation Authentication

The Enhanced Key Usage value must contain Client Authentication
(1.3.6.1.5.5.7.3.2)

Subject Name:
For Configuration Manager that creates a User certificate, the certificate Subject
value is automatically populated with the user name of the person who enrolls
the macOS computer.
For certificate installation that doesn't use Configuration Manager enrollment,
but deploys a Computer certificate independently from Configuration Manager,
the certificate Subject value must be unique. For example, specify the FQDN of
the computer.
The Subject Alternative Name field isn't supported.

Maximum supported key length is 2,048 bits.

Mobile device clients

This certificate authenticates the mobile device client to the site system servers that it
communicates with. For example, management points and distribution points.

Certificate requirements:

Certificate purpose: Client authentication

Microsoft certificate template: Authenticated Session

The Enhanced Key Usage value must contain Client Authentication
(1.3.6.1.5.5.7.3.2)

Maximum supported key length is 2,048 bits.

These certificates must be in Distinguished Encoding Rules (DER) encoded binary X.509
format. Base64 encoded X.509 format isn't supported.

Root certification authority (CA) certificates

This certificate is a standard root CA certificate.

Applies to:
OS deployment
Client certificate authentication
Mobile device enrollment

Certificate purpose: Certificate chain to a trusted source

The root CA certificate must be provided when clients have to chain the certificates of
the communicating server to a trusted source. The root CA certificate for clients must be
provided if the client certificates are issued by a different CA hierarchy than the CA
hierarchy that issued the management point certificate.

Step-by-step example deployment of the PKI certificates for Configuration
Manager: Windows Server 2008 certification authority

Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This step-by-step example deployment, which uses a Windows Server 2008 certification
authority (CA), has procedures that show you how to create and deploy the public key
infrastructure (PKI) certificates that Configuration Manager uses. These procedures use
an enterprise certification authority (CA) and certificate templates. The steps are
appropriate for a test network only, as a proof of concept.

Because there's no single method of deployment for the required certificates, consult
your particular PKI deployment documentation for the required procedures and best
practices to deploy the required certificates for a production environment. For more
about the certificate requirements, see PKI certificate requirements for Configuration
Manager.

Tip

You can adapt the instructions in this topic for operating systems that aren't
documented in the Test Network Requirements section. However, if you are
running the issuing CA on Windows Server 2012, you're not prompted for the
certificate template version. Instead, specify this on the Compatibility tab of the
template properties:

Certification Authority: Windows Server 2003
Certificate recipient: Windows XP / Server 2003

Test network requirements

The step-by-step instructions have the following requirements:

The test network is running Active Directory Domain Services with Windows Server
2008, and it is installed as a single domain, single forest.
You have a member server running Windows Server 2008 Enterprise Edition, which
has the Active Directory Certificate Services role installed on it, and it is set up as
an enterprise root certification authority (CA).

You have one computer that has Windows Server 2008 (Standard Edition or
Enterprise Edition, R2 or later) installed, is set up as a member server, and has
Internet Information Services (IIS) installed. This computer will be the
Configuration Manager site system server that you configure with an intranet fully
qualified domain name (FQDN) to support client connections on the intranet, and
with an internet FQDN if you must support mobile devices that are enrolled by
Configuration Manager and clients on the internet.

You have one Windows Vista client that has the latest service pack installed, and
this computer is set up with a computer name that comprises ASCII characters and
is joined to the domain. This computer will be a Configuration Manager client
computer.

You can sign in with a root domain administrator account or an enterprise domain
administrator account and use this account for all procedures in this example
deployment.

Overview of the certificates

The following table lists the types of PKI certificates that might be required for
Configuration Manager and describes how they are used.

Certificate requirement: Web server certificate for site systems that run IIS
Description: This certificate is used to encrypt data and authenticate the server to
clients. It must be installed externally from Configuration Manager on site system
servers that run Internet Information Services (IIS) and that are set up in
Configuration Manager to use HTTPS.
For the steps to set up and install this certificate, see Deploy the web server
certificate for site systems that run IIS in this topic.

Certificate requirement: Service certificate for clients to connect to cloud-based
distribution points
Description: For the steps to configure and install this certificate, see Deploy the
service certificate for cloud-based distribution points in this topic.
Important: This certificate is used in conjunction with the Windows Azure
management certificate. For more about the management certificate, see How to
Create a Management Certificate and How to Add a Management Certificate to a
Windows Azure Subscription.

Certificate requirement: Client certificate for Windows computers
Description: This certificate is used to authenticate Configuration Manager client
computers to site systems that are set up to use HTTPS. It can also be used for
management points and state migration points to monitor their operational status
when they are set up to use HTTPS. It must be installed externally from
Configuration Manager on computers.
For the steps to set up and install this certificate, see Deploy the client
certificate for Windows computers in this topic.

Certificate requirement: Client certificate for distribution points
Description: This certificate has two purposes:
The certificate is used to authenticate the distribution point to an HTTPS-enabled
management point before the distribution point sends status messages.
When the Enable PXE support for clients distribution point option is selected, the
certificate is sent to computers that PXE boot so that they can connect to an
HTTPS-enabled management point during the deployment of the operating system.
For the steps to set up and install this certificate, see Deploy the client
certificate for distribution points in this topic.

Certificate requirement: Enrollment certificate for mobile devices
Description: This certificate is used to authenticate Configuration Manager mobile
device clients to site systems that are set up to use HTTPS. It must be installed as
part of mobile device enrollment in Configuration Manager, and you choose the
configured certificate template as a mobile device client setting.
For the steps to set up this certificate, see Deploy the enrollment certificate for
mobile devices in this topic.

Certificate requirement: Client certificate for Mac computers
Description: You can request and install this certificate from a Mac computer when
you use Configuration Manager enrollment and choose the configured certificate
template as a mobile device client setting.
For the steps to set up this certificate, see Deploy the client certificate for Mac
computers in this topic.

Deploy the web server certificate for site systems that run IIS

This certificate deployment has the following procedures:

Create and issue the web server certificate template on the certification authority
Request the web server certificate
Configure IIS to use the web server certificate

Create and issue the web server certificate template on the certification authority

This procedure creates a certificate template for Configuration Manager site systems
and adds it to the certification authority.

To create and issue the web server certificate template on the certification authority

1. Create a security group named ConfigMgr IIS Servers that has the member servers
to install Configuration Manager site systems that will run IIS.

2. On the member server that has Certificate Services installed, in the Certification
Authority console, right-click Certificate Templates and then choose Manage to
load the Certificate Templates console.

3. In the results pane, right-click the entry that has Web Server in the Template
Display Name column, and then choose Duplicate Template.

4. In the Duplicate Template dialog box, ensure that Windows 2003 Server,
Enterprise Edition is selected, and then choose OK.

Important

Do not select Windows 2008 Server, Enterprise Edition.

5. In the Properties of New Template dialog box, on the General tab, enter a
template name, like ConfigMgr Web Server Certificate, to generate the web
certificates that will be used on Configuration Manager site systems.

6. Choose the Subject Name tab, and make sure that Supply in the request is
selected.

7. Choose the Security tab, and then remove the Enroll permission from the Domain
Admins and Enterprise Admins security groups.

8. Choose Add, enter ConfigMgr IIS Servers in the text box, and then choose OK.

9. Choose the Enroll permission for this group, and do not clear the Read permission.

10. Choose OK, and then close the Certificate Templates Console.

11. In the Certification Authority console, right-click Certificate Templates, choose
New, and then choose Certificate Template to Issue.

12. In the Enable Certificate Templates dialog box, choose the new template that you
just created, ConfigMgr Web Server Certificate, and then choose OK.

13. If you do not need to create and issue more certificates, close Certification
Authority.

Request the web server certificate

This procedure lets you specify the intranet and internet FQDN values that will be set up
in the site system server properties and then installs the web server certificate on to the
member server that runs IIS.

To request the web server certificate

1. Restart the member server that runs IIS to ensure that the computer can access the
certificate template that you created by using the Read and Enroll permissions that
you configured.

2. Choose Start, choose Run, and then type mmc.exe. In the empty console, choose
File, and then choose Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, choose Certificates from the list of
Available snap-ins, and then choose Add.

4. In the Certificate snap-in dialog box, choose Computer account, and then choose
Next.

5. In the Select Computer dialog box, ensure that Local computer: (the computer
this console is running on) is selected, and then choose Finish.

6. In the Add or Remove Snap-ins dialog box, choose OK.

7. In the console, expand Certificates (Local Computer), and then choose Personal.

8. Right-click Certificates, choose All Tasks, and then choose Request New
Certificate.

9. On the Before You Begin page, choose Next.

10. If you see the Select Certificate Enrollment Policy page, choose Next.

11. On the Request Certificates page, identify the ConfigMgr Web Server Certificate
from the list of available certificates, and then choose More information is
required to enroll for this certificate. Click here to configure settings.

12. In the Certificate Properties dialog box, in the Subject tab, do not make any
changes to Subject name. This means that the Value box for the Subject name
section remains blank. Instead, from the Alternative name section, choose the
Type drop-down list, and then choose DNS.

13. In the Value box, specify the FQDN values that you will specify in the Configuration
Manager site system properties, and then choose OK to close the Certificate
Properties dialog box.

Examples:

If the site system will only accept client connections from the intranet, and
the intranet FQDN of the site system server is server1.internal.contoso.com,
enter server1.internal.contoso.com, and then choose Add.

If the site system will accept client connections from the intranet and the
internet, and the intranet FQDN of the site system server is
server1.internal.contoso.com and the internet FQDN of the site system server
is server.contoso.com:

a. Enter server1.internal.contoso.com, and then choose Add.

b. Enter server.contoso.com, and then choose Add.

Note

You can specify the FQDNs for Configuration Manager in any order.
However, check that all devices that will use the certificate, such as
mobile devices and proxy web servers, can use a certificate subject
alternative name (SAN) and multiple values in the SAN. If devices have
limited support for SAN values in certificates, you might have to change
the order of the FQDNs or use the Subject value instead.

14. On the Request Certificates page, choose ConfigMgr Web Server Certificate from
the list of available certificates, and then choose Enroll.

15. On the Certificates Installation Results page, wait until the certificate is installed,
and then choose Finish.

16. Close Certificates (Local Computer).
Configure IIS to use the web server certificate

This procedure binds the installed certificate to the IIS Default Web Site.

To set up IIS to use the web server certificate

1. On the member server that has IIS installed, choose Start, choose Programs,
choose Administrative Tools, and then choose Internet Information Services (IIS)
Manager.

2. Expand Sites, right-click Default Web Site, and then choose Edit Bindings.

3. Choose the https entry, and then choose Edit.

4. In the Edit Site Binding dialog box, select the certificate that you requested by
using the ConfigMgr Web Server Certificates template, and then choose OK.

Note

If you are not sure which is the correct certificate, choose one, and then
choose View. This lets you compare the selected certificate details to the
certificates in the Certificates snap-in. For example, the Certificates snap-in
shows the certificate template that was used to request the certificate. You
can then compare the certificate thumbprint of the certificate that was
requested by using the ConfigMgr Web Server Certificates template to the
certificate thumbprint of the certificate currently selected in the Edit Site
Binding dialog box.

5. Choose OK in the Edit Site Binding dialog box, and then choose Close.

6. Close Internet Information Services (IIS) Manager.

The member server is now set up with a Configuration Manager web server
certificate.

Important

When you install the Configuration Manager site system server on this computer,
make sure that you specify the same FQDNs in the site system properties as you
specified when you requested the certificate.
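
The request-and-bind procedure above, as an added PowerShell example that is not part of the Microsoft article: it enrolls the web server certificate with both FQDNs in the SAN, binds it to the Default Web Site, and then confirms the bound certificate actually carries every FQDN that will be entered in the site system properties. It assumes the PKI and WebAdministration modules (Windows Server 2012 or later), a template name of ConfigMgrWebServerCertificate, and the two placeholder FQDNs from the article's example.

```powershell
# Added example (not from the Microsoft article). Assumptions: PKI and
# WebAdministration modules available; template *name* (not display name) is
# ConfigMgrWebServerCertificate; FQDNs are the placeholders used in the article.
$IntranetFqdn = 'server1.internal.contoso.com'
$InternetFqdn = 'server.contoso.com'
$TemplateName = 'ConfigMgrWebServerCertificate'

# Step 1: enroll against the enterprise CA. The Subject name is left blank, as the
# procedure describes; both FQDNs go into the Subject Alternative Name as DNS entries.
$request = Get-Certificate -Template $TemplateName `
                           -DnsName $IntranetFqdn, $InternetFqdn `
                           -CertStoreLocation 'Cert:\LocalMachine\My'
if ($request.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is '$($request.Status)' (template permissions or pending approval?)"
}
$cert = $request.Certificate

# Step 2: make sure the Default Web Site has an https binding, then attach the
# new certificate to the SSL binding on 0.0.0.0:443.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol 'https')) {
    New-WebBinding -Name 'Default Web Site' -Protocol 'https' -Port 443
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') {
    Remove-Item 'IIS:\SslBindings\0.0.0.0!443'
}
New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# Step 3: verify. Read the certificate that IIS now presents and parse its SAN
# extension (OID 2.5.29.17); every FQDN must appear as a DNS Name entry.
$bound     = Get-Item 'IIS:\SslBindings\0.0.0.0!443'
$boundCert = Get-Item "Cert:\LocalMachine\My\$($bound.Thumbprint)"
$sanExt    = $boundCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText   = if ($sanExt) { $sanExt.Format($false) } else { '' }

foreach ($fqdn in @($IntranetFqdn, $InternetFqdn)) {
    if ($sanText -match "DNS Name=$([regex]::Escape($fqdn))") {
        Write-Host "OK      SAN contains $fqdn"
    } else {
        Write-Warning "MISSING SAN lacks $fqdn; site system properties must match the certificate"
    }
}
Write-Host "Bound certificate: $($boundCert.Thumbprint), expires $($boundCert.NotAfter.ToShortDateString())"
```

Run it in an elevated session on the member server that runs IIS; if the SAN check warns, re-request the certificate with the correct FQDNs rather than changing the site system properties to fit the certificate.
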

Deploy the service certificate for cloud-based distribution points

This certificate deployment has the following procedures:

Create and issue a custom web server certificate template on the certification
authority
Request the custom web server certificate
Export the custom web server certificate for cloud-based distribution points

Create and issue a custom web server certificate template on the certification
authority

This procedure creates a custom certificate template that is based on the web server
certificate template. The certificate is for Configuration Manager cloud-based
distribution points and the private key must be exportable. After the certificate template
is created, it is added to the certification authority.

Note

This procedure uses a different certificate template from the web server certificate
template that you created for site systems that run IIS. Although both certificates
require server authentication capability, the certificate for cloud-based distribution
points requires you to enter a custom-defined value for the Subject Name and the
private key must be exported. As a security best practice, do not set up certificate
templates so that the private key can be exported unless this configuration is
required. The cloud-based distribution point requires this configuration because
you must import the certificate as a file, rather than choose it from the certificate
store.

When you create a new certificate template for this certificate, you can restrict the
computers that can request a certificate whose private key can be exported. On a
production network, you might also consider adding the following changes for this
certificate:

Require approval to install the certificate for additional security.

Increase the certificate validity period. Because you must export and import
the certificate each time before it expires, an increase of the validity period
reduces how often you must repeat this procedure. However, an increase
of the validity period also decreases the security of the certificate because
it provides more time for an attacker to decrypt the private key and steal
the certificate.

Use a custom value in the certificate Subject Alternative Name (SAN) to
help identify this certificate from standard web server certificates that you
use with IIS.

To create and issue the custom web server certificate template on the certification
authority

1. Create a security group named ConfigMgr Site Servers that has the member
servers to install Configuration Manager primary site servers that will manage
cloud-based distribution points.

2. On the member server that is running the Certification Authority console, right-
click Certificate Templates, and then choose Manage to load the Certificate
Templates management console.

3. In the results pane, right-click the entry that has Web Server in the Template
Display Name column, and then choose Duplicate Template.

4. In the Duplicate Template dialog box, ensure that Windows 2003 Server,
Enterprise Edition is selected, and then choose OK.

Important

Do not select Windows 2008 Server, Enterprise Edition.

5. In the Properties of New Template dialog box, on the General tab, enter a
template name, like ConfigMgr Cloud-Based Distribution Point Certificate, to
generate the web server certificate for cloud-based distribution points.

6. Choose the Request Handling tab, and then choose Allow private key to be
exported.

7. Choose the Security tab, and then remove the Enroll permission from the
Enterprise Admins security group.

8. Choose Add, enter ConfigMgr Site Servers in the text box, and then choose OK.

9. Select the Enroll permission for this group, and do not clear the Read permission.

10. Choose the Cryptography tab and ensure that Minimum key size has been set to
2048.

11. Choose OK, and then close Certificate Templates Console.

12. In the Certification Authority console, right-click Certificate Templates, choose
New, and then choose Certificate Template to Issue.

13. In the Enable Certificate Templates dialog box, choose the new template that you
just created, ConfigMgr Cloud-Based Distribution Point Certificate, and then
choose OK.

14. If you do not have to create and issue more certificates, close Certification
Authority.

Request the custom web server certificate

This procedure requests and then installs the custom web server certificate on the
member server that will run the site server.

To request the custom web server certificate

1. Restart the member server after you create and configure the ConfigMgr Site
Servers security group to ensure that the computer can access the certificate
template that you created by using the Read and Enroll permissions that you
configured.

2. Choose Start, choose Run, and then enter mmc.exe. In the empty console, choose
File, and then choose Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, choose Certificates from the list of
Available snap-ins, and then choose Add.

4. In the Certificate snap-in dialog box, choose Computer account, and then choose
Next.

5. In the Select Computer dialog box, ensure that Local computer: (the computer
this console is running on) is selected, and then choose Finish.

6. In the Add or Remove Snap-ins dialog box, choose OK.

7. In the console, expand Certificates (Local Computer), and then choose Personal.

8. Right-click Certificates, choose All Tasks, and then choose Request New
Certificate.

9. On the Before You Begin page, choose Next.

10. If you see the Select Certificate Enrollment Policy page, choose Next.

11. On the Request Certificates page, identify the ConfigMgr Cloud-Based
Distribution Point Certificate from the list of available certificates, and then
choose More information is required to enroll for this certificate. Click here to
configure settings.

12. In the Certificate Properties dialog box, in the Subject tab, for the Subject name,
choose Common name as the Type.

13. In the Value box, specify your choice of service name and your domain name by
using an FQDN format. For example: clouddp1.contoso.com.

Note

Make the service name unique in your namespace. You will use DNS to create
an alias (CNAME record) to map this service name to an automatically
generated identifier (GUID) and an IP address from Windows Azure.

14. Choose Add, and then choose OK to close the Certificate Properties dialog box.

15. On the Request Certificates page, choose ConfigMgr Cloud-Based Distribution
Point Certificate from the list of available certificates, and then choose Enroll.

16. On the Certificates Installation Results page, wait until the certificate is installed,
and then choose Finish.

17. Close Certificates (Local Computer).

Export the custom web server certificate for cloud-based distribution points

This procedure exports the custom web server certificate to a file, so that it can be
imported when you create the cloud-based distribution point.

To export the custom web server certificate for cloud-based distribution points

1. In the Certificates (Local Computer) console, right-click the certificate that you just
installed, choose All Tasks, and then choose Export.

2. In the Certificates Export Wizard, choose Next.

3. On the Export Private Key page, choose Yes, export the private key, and then
choose Next.

Note

If this option is not available, the certificate has been created without the
option to export the private key. In this scenario, you cannot export the
certificate in the required format. You must set up the certificate template so
that the private key can be exported, and then request the certificate again.

4. On the Export File Format page, ensure that the Personal Information Exchange -
PKCS #12 (.PFX) option is selected.

5. On the Password page, specify a strong password to protect the exported
certificate with its private key, and then choose Next.

6. On the File to Export page, specify the name of the file that you want to export,
and then choose Next.

7. To close the wizard, choose Finish in the Certificate Export Wizard page, and then
choose OK in the confirmation dialog box.

8. Close Certificates (Local Computer).

9. Store the file securely and ensure that you can access it from the Configuration
Manager console.

The certificate is now ready to be imported when you create a cloud-based
distribution point.
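
The export procedure above, and the identical PKCS #12 export required for task sequence media and HTTPS distribution points in the requirements article, as one added PowerShell example that is not part of the Microsoft article: it first checks that the certificate can legitimately be exported (private key present and exportable, key length within the 2,048-bit maximum) and only then writes the password-protected .pfx file. It assumes Windows PowerShell 5.1 with the PKI module, the article's placeholder subject clouddp1.contoso.com, and an output path of your choosing.

```powershell
# Added example (not from the Microsoft article). Assumptions: Windows PowerShell 5.1
# with the PKI module; the subject and output path below are placeholders.
param(
    [string]$SubjectCn  = 'clouddp1.contoso.com',   # placeholder from the article's example
    [string]$OutputPath = 'C:\Certs\clouddp1.pfx'   # placeholder; keep this location restricted
)

function Test-ExportableCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Returns a list of reasons the certificate cannot be used; empty means OK.
    $problems = @()
    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key in the local store'
    } else {
        # Legacy CSP keys expose the exportable flag directly. If the template was not
        # created with "Allow private key to be exported", the wizard offers no export
        # either, and the certificate must be requested again from a corrected template.
        $csp = $Cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
        if ($csp -and -not $csp.CspKeyContainerInfo.Exportable) {
            $problems += 'private key is marked non-exportable'
        }
    }
    $keySize = $Cert.PublicKey.Key.KeySize
    if ($keySize -gt 2048) {
        $problems += "key length $keySize bits exceeds the 2,048-bit maximum"
    }
    if ($Cert.NotAfter -lt (Get-Date)) {
        $problems += "certificate expired on $($Cert.NotAfter)"
    }
    return $problems
}

# Pick the newest certificate in the computer's Personal store with the expected subject.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$SubjectCn" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$SubjectCn in Cert:\LocalMachine\My" }

$problems = Test-ExportableCertificate -Cert $cert
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Certificate does not meet the export requirements; fix the template and enroll again.'
}

# The same password is typed into the Configuration Manager wizard at import time.
$password = Read-Host -AsSecureString -Prompt 'Password to protect the exported private key'

New-Item -ItemType Directory -Path (Split-Path $OutputPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $OutputPath -Password $password `
                      -ChainOption BuildChain | Out-Null

# "Store the file securely": strip inherited ACEs so only Administrators and SYSTEM can read it.
icacls $OutputPath /inheritance:r /grant:r 'BUILTIN\Administrators:(R)' 'NT AUTHORITY\SYSTEM:(R)' | Out-Null

Write-Host "Exported $($cert.Thumbprint) to $OutputPath (valid until $($cert.NotAfter.ToShortDateString()))"
```
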

Deploy the client certificate for Windows computers

This certificate deployment has the following procedures:

Create and issue the Workstation Authentication certificate template on the
certification authority
Configure autoenrollment of the Workstation Authentication template by using
Group Policy
Automatically enroll the Workstation Authentication certificate and verify its
installation on computers

Create and issue the Workstation Authentication certificate template on the
certification authority

This procedure creates a certificate template for Configuration Manager client
computers and adds it to the certification authority.

To create and issue the Workstation Authentication certificate template on the
certification authority

1. On the member server that is running the Certification Authority console, right-
click Certificate Templates, and then choose Manage to load the Certificate
Templates management console.

2. In the results pane, right-click the entry that has Workstation Authentication in
the Template Display Name column, and then choose Duplicate Template.

3. In the Duplicate Template dialog box, ensure that Windows 2003 Server,
Enterprise Edition is selected, and then choose OK.

Important

Do not select Windows 2008 Server, Enterprise Edition.

4. In the Properties of New Template dialog box, on the General tab, enter a
template name, like ConfigMgr Client Certificate, to generate the client certificates
that will be used on Configuration Manager client computers.

5. Choose the Security tab, select the Domain Computers group, and then select the
additional permissions of Read and Autoenroll. Do not clear Enroll.

6. Choose OK, and then close Certificate Templates Console.

7. In the Certification Authority console, right-click Certificate Templates, choose
New, and then choose Certificate Template to Issue.

8. In the Enable Certificate Templates dialog box, choose the new template that you
just created, ConfigMgr Client Certificate, and then choose OK.

9. If you do not need to create and issue more certificates, close Certification
Authority.

Configure autoenrollment of the Workstation Authentication template by using
Group Policy

This procedure sets up Group Policy to autoenroll the client certificate on computers.

To set up autoenrollment of the Workstation Authentication template by using
Group Policy

1. On the domain controller, choose Start, choose Administrative Tools, and then
choose Group Policy Management.

2. Go to your domain, right-click the domain, and then choose Create a GPO in this
domain, and Link it here.

Note

This step uses the best practice of creating a new Group Policy for custom
settings rather than editing the Default Domain Policy that is installed with
Active Directory Domain Services. When you assign this Group Policy at the
domain level, you will apply it to all computers in the domain. In a production
environment, you can restrict the autoenrollment so that it enrolls on only
selected computers. You can assign the Group Policy at an organizational unit
level, or you can filter the domain Group Policy with a security group so that it
applies only to the computers in the group. If you restrict autoenrollment,
remember to include the server that is set up as the management point.

3. In the New GPO dialog box, enter a name, like Autoenroll Certificates, for the new
Group Policy, and then choose OK.

4. In the results pane, on the Linked Group Policy Objects tab, right-click the new
Group Policy, and then choose Edit.

5. In the Group Policy Management Editor, expand Policies under Computer
Configuration, and then go to Windows Settings / Security Settings / Public Key
Policies.

6. Right-click the object type named Certificate Services Client - Auto-enrollment,
and then choose Properties.

7. From the Configuration Model drop-down list, choose Enabled, choose Renew
expired certificates, update pending certificates, remove revoked certificates,
choose Update certificates that use certificate templates, and then choose OK.

8. Close Group Policy Management.

Automatically enroll the Workstation Authentication certificate and verify its
installation on computers

This procedure installs the client certificate on computers and verifies the installation.

To automatically enroll the Workstation Authentication certificate and verify its installation on the client computer

1. Restart the workstation computer, and wait a few minutes before you sign in.

Note

Restarting a computer is the most reliable method of ensuring success with certificate autoenrollment.

2. Sign in with an account that has administrative privileges.

3. In the search box, enter mmc.exe, and then press Enter.

4. In the empty management console, choose File, and then choose Add/Remove
Snap-in.

5. In the Add or Remove Snap-ins dialog box, choose Certificates from the list of
Available snap-ins, and then choose Add.

6. In the Certificate snap-in dialog box, choose Computer account, and then choose
Next.

7. In the Select Computer dialog box, ensure that Local computer: (the computer
this console is running on) is selected, and then choose Finish.

8. In the Add or Remove Snap-ins dialog box, choose OK.

9. In the console, expand Certificates (Local Computer), expand Personal, and then
choose Certificates.

10. In the results pane, confirm that a certificate has Client Authentication in the
Intended Purpose column, and that ConfigMgr Client Certificate is in the
Certificate Template column.

11. Close Certificates (Local Computer).


12. Repeat steps 1 through 11 for the member server to verify that the server that will
be set up as the management point also has a client certificate.

The computer is now set up with a Configuration Manager client certificate.
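Steps 1 through 12 can be scripted so that you can run the same check on the workstation and on the future management point. The following is an added example and not code from the original page. It assumes the template display name "ConfigMgr Client Certificate" from the page and that you run it elevated on the computer being checked; certutil -pulse triggers the autoenrollment task on demand, which is quicker than a restart but, as the note above says, less certain.

```powershell
# Added example (not from the original page): trigger autoenrollment on demand and verify
# that LocalMachine\My holds a valid client authentication certificate from the template.
# Assumption: the template display name is "ConfigMgr Client Certificate" (from the page).
$TemplateName  = 'ConfigMgr Client Certificate'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Refresh policy, then fire the autoenrollment task instead of rebooting.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 15   # give the task time to contact the CA

function Test-ConfigMgrClientCert {
    param([string]$Template, [string]$Eku)
    # v2 templates carry "Certificate Template Information" (1.3.6.1.4.1.311.21.7);
    # v1 templates carry "Certificate Template Name" (1.3.6.1.4.1.311.20.2).
    $templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
    # Format() shows the display name when the OID resolves from AD, otherwise the
    # template name (display name without spaces), so accept either.
    $pattern = '{0}|{1}' -f [regex]::Escape($Template), [regex]::Escape($Template -replace ' ', '')
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $Eku) -and
        (($_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) }) -match $pattern)
    }
}

$cert = Test-ConfigMgrClientCert -Template $TemplateName -Eku $ClientAuthOid
if (-not $cert) {
    Write-Warning "No valid '$TemplateName' certificate with the Client Authentication EKU in LocalMachine\My."
    # Usual causes: the GPO hasn't applied, the computer isn't in the template's Enroll group,
    # or the CA hasn't issued the template. Check Pending/Failed Requests on the CA.
    gpresult /r /scope:computer
} else {
    $cert | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
    # The management point will only accept it if the chain builds to a trusted root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        Write-Warning ('Chain build failed: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '))
    }
}
```

Run it once on the workstation and once on the member server that will host the management point; both must report a certificate before you configure HTTPS on the site system.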

Deploy the client certificate for distribution points

Note

This certificate can also be used for media images that do not use PXE boot,
because the certificate requirements are the same.

This certificate deployment has the following procedures:

Create and issue a custom Workstation Authentication certificate template on the certification authority
Request the custom Workstation Authentication certificate
Export the client certificate for distribution points

Create and issue a custom Workstation Authentication certificate template on the certification authority

This procedure creates a custom certificate template for Configuration Manager distribution points so that the private key can be exported and adds the certificate template to the certification authority.

Note

This procedure uses a different certificate template from the certificate template
that you created for client computers. Although both certificates require client
authentication capability, the certificate for distribution points requires that the
private key is exported. As a security best practice, do not set up certificate
templates so the private key can be exported unless this configuration is required.
The distribution point requires this configuration because you must import the
certificate as a file rather than choose it from the certificate store.

When you create a new certificate template for this certificate, you can restrict the
computers that can request a certificate whose private key can be exported. In our
example deployment, this will be the security group that you previously created for
Configuration Manager site system servers that run IIS. On a production network
that distributes the IIS site system roles, consider creating a new security group for
the servers that run distribution points so that you can restrict the certificate to just
these site system servers. You might also consider adding the following
modifications for this certificate:

Require approval to install the certificate for additional security.

Increase the certificate validity period. Because you must export and import the certificate each time before it expires, an increase of the validity period reduces how often you must repeat this procedure. However, a longer validity period also weakens the security of the certificate: if the private key is stolen (for example, from a copy of the exported .pfx file), an attacker can use it for the rest of the validity period unless you revoke the certificate.

Use a custom value in the certificate Subject field or Subject Alternative Name (SAN) to distinguish this certificate from standard client certificates. This can be particularly helpful if you will use the same certificate for multiple distribution points.

To create and issue the custom Workstation Authentication certificate template on the certification authority

1. On the member server that is running the Certification Authority console, right-
click Certificate Templates, and then choose Manage to load the Certificate
Templates management console.

2. In the results pane, right-click the entry that has Workstation Authentication in
the Template Display Name column, and then choose Duplicate Template.

3. In the Duplicate Template dialog box, ensure that Windows 2003 Server,
Enterprise Edition is selected, and then choose OK.

Important

Do not select Windows 2008 Server, Enterprise Edition.

4. In the Properties of New Template dialog box, on the General tab, enter a
template name, like ConfigMgr Client Distribution Point Certificate, to generate
the client authentication certificate for distribution points.
5. Choose the Request Handling tab, and then choose Allow private key to be
exported.

6. Choose the Security tab, and then remove the Enroll permission from the
Enterprise Admins security group.

7. Choose Add, enter ConfigMgr IIS Servers in the text box, and then choose OK.

8. Select the Enroll permission for this group, and do not clear the Read permission.

9. Choose OK, and then close Certificate Templates Console.

10. In the Certification Authority console, right-click Certificate Templates, choose New, and then choose Certificate Template to Issue.

11. In the Enable Certificate Templates dialog box, choose the new template that you
just created, ConfigMgr Client Distribution Point Certificate, and then choose OK.

12. If you do not have to create and issue more certificates, close Certification
Authority.

Request the custom Workstation Authentication certificate

This procedure requests and then installs the custom client certificate on to the member server that runs IIS and that will be set up as a distribution point.

To request the custom Workstation Authentication certificate

1. Choose Start, choose Run, and then enter mmc.exe. In the empty console, choose
File, and then choose Add/Remove Snap-in.

2. In the Add or Remove Snap-ins dialog box, choose Certificates from the list of
Available snap-ins, and then choose Add.

3. In the Certificate snap-in dialog box, choose Computer account, and then choose
Next.

4. In the Select Computer dialog box, ensure that Local computer: (the computer
this console is running on) is selected, and then choose Finish.

5. In the Add or Remove Snap-ins dialog box, choose OK.

6. In the console, expand Certificates (Local Computer), and then choose Personal.
7. Right-click Certificates, choose All Tasks, and then choose Request New
Certificate.

8. On the Before You Begin page, choose Next.

9. If you see the Select Certificate Enrollment Policy page, choose Next.

10. On the Request Certificates page, choose ConfigMgr Client Distribution Point
Certificate from the list of available certificates, and then choose Enroll.

11. On the Certificates Installation Results page, wait until the certificate is installed,
and then choose Finish.

12. In the results pane, confirm that a certificate has Client Authentication in the
Intended Purpose column and that ConfigMgr Client Distribution Point
Certificate is in the Certificate Template column.

13. Do not close Certificates (Local Computer).

Export the client certificate for distribution points

This procedure exports the custom Workstation Authentication certificate to a file so that it can be imported in the distribution point properties.

To export the client certificate for distribution points

1. In the Certificates (Local Computer) console, right-click the certificate that you just
installed, choose All Tasks, and then choose Export.

2. In the Certificates Export Wizard, choose Next.

3. On the Export Private Key page, choose Yes, export the private key, and then
choose Next.

Note

If this option is not available, the certificate has been created without the
option to export the private key. In this scenario, you cannot export the
certificate in the required format. You must set up the certificate template so
that the private key can be exported and then request the certificate again.

4. On the Export File Format page, ensure that the Personal Information Exchange - PKCS #12 (.PFX) option is selected, and then choose Next.

5. On the Password page, specify a strong password to protect the exported certificate with its private key, and then choose Next.

6. On the File to Export page, specify the name of the file that you want to export,
and then choose Next.

7. To close the wizard, choose Finish on the Certificate Export Wizard page, and
choose OK in the confirmation dialog box.

8. Close Certificates (Local Computer).

9. Store the file securely and ensure that you can access it from the Configuration
Manager console.

The certificate is now ready to be imported when you set up the distribution point.

Tip

You can use the same certificate file when you set up media images for an operating system deployment that does not use PXE boot, if the task sequence that installs the image must contact a management point that requires HTTPS client connections.
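The request and export procedures above can be done in one PowerShell session on the IIS site system. The following is an added example, not code from the original page. It assumes you run it elevated on the member server, that the template's name (the value Get-Certificate expects, which by default is the display name with spaces removed) is "ConfigMgrClientDistributionPointCertificate", and that "D:\Certs\ConfigMgrDP.pfx" is a hypothetical output path on a folder whose NTFS permissions you already restrict.

```powershell
# Added example (not from the original page): enroll the distribution point certificate
# and export it as a password-protected PFX, mirroring the two MMC procedures above.
# Assumptions: run elevated on the IIS site system; the template *name* is
# "ConfigMgrClientDistributionPointCertificate"; the output path is hypothetical.
$TemplateName = 'ConfigMgrClientDistributionPointCertificate'
$PfxPath      = 'D:\Certs\ConfigMgrDP.pfx'

# 1. Enroll from the enterprise CA (the "Request New Certificate" wizard, scripted).
$result = Get-Certificate -Template $TemplateName -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') {
    throw "Enrollment status is '$($result.Status)'. If the template requires approval, approve the request on the CA and retrieve it with Get-Certificate -Request."
}
$cert = $result.Certificate

# 2. Export with the private key. This fails when the template was not created with
#    "Allow private key to be exported", which is the condition the Note above describes.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
try {
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password `
        -ChainOption BuildChain -ErrorAction Stop | Out-Null
} catch {
    throw "Export failed: $($_.Exception.Message). Re-issue the template with an exportable private key and request the certificate again."
}

# 3. A PFX that carries a private key is a credential: cut inheritance and leave only
#    Administrators and SYSTEM on the file.
$acl = Get-Acl $PfxPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
Set-Acl -Path $PfxPath -AclObject $acl

# 4. Record the expiry: the file must be re-exported and re-imported before NotAfter.
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    Subject    = $cert.Subject
    NotAfter   = $cert.NotAfter
    File       = $PfxPath
}
```

Keep the password out of scripts and logs (the example prompts for it), and delete the .pfx file from the site system once the distribution point has imported it.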

Deploy the enrollment certificate for mobile devices

This certificate deployment has a single procedure to create and issue the enrollment certificate template on the certification authority.

Create and issue the enrollment certificate template on the certification authority

This procedure creates an enrollment certificate template for Configuration Manager mobile devices and adds it to the certification authority.

To create and issue the enrollment certificate template on the certification authority

1. Create a security group that has users who will enroll mobile devices in
Configuration Manager.
2. On the member server that has Certificate Services installed, in the Certification
Authority console, right-click Certificate Templates, and then choose Manage to
load the Certificate Templates management console.

3. In the results pane, right-click the entry that has Authenticated Session in the
Template Display Name column, and then choose Duplicate Template.

4. In the Duplicate Template dialog box, ensure that Windows 2003 Server,
Enterprise Edition is selected, and then choose OK.

Important

Do not select Windows 2008 Server, Enterprise Edition.

5. In the Properties of New Template dialog box, on the General tab, enter a
template name, like ConfigMgr Mobile Device Enrollment Certificate, to generate
the enrollment certificates for the mobile devices to be managed by Configuration
Manager.

6. Choose the Subject Name tab, make sure that Build from this Active Directory
information is selected, select Common name for the Subject name format:, and
then clear User principal name (UPN) from Include this information in alternate
subject name.

7. Choose the Security tab, choose the security group that has users who have
mobile devices to enroll, and then choose the additional permission of Enroll. Do
not clear Read.

8. Choose OK, and then close Certificate Templates Console.

9. In the Certification Authority console, right-click Certificate Templates, choose New, and then choose Certificate Template to Issue.

10. In the Enable Certificate Templates dialog box, choose the new template that you
just created, ConfigMgr Mobile Device Enrollment Certificate, and then choose
OK.

11. If you do not need to create and issue more certificates, close the Certification
Authority console.

The mobile device enrollment certificate template is now ready to be selected when you set up a mobile device enrollment profile in the client settings.

Deploy the client certificate for Mac computers

This certificate deployment has a single procedure to create and issue the Mac client certificate template on the certification authority.

Create and issue a Mac client certificate template on the certification authority

This procedure creates a custom certificate template for Configuration Manager Mac computers and adds the certificate template to the certification authority.

Note

This procedure uses a different certificate template from the certificate template
that you might have created for Windows client computers or for distribution
points.

When you create a new certificate template for this certificate, you can restrict the
certificate request to authorized users.

To create and issue the Mac client certificate template on the certification authority

1. Create a security group that has user accounts for administrative users who will
enroll the certificate on the Mac computer by using Configuration Manager.

2. On the member server that is running the Certification Authority console, right-
click Certificate Templates, and then choose Manage to load the Certificate
Templates management console.

3. In the results pane, right-click the entry that displays Authenticated Session in the
Template Display Name column, and then choose Duplicate Template.

4. In the Duplicate Template dialog box, ensure that Windows 2003 Server,
Enterprise Edition is selected, and then choose OK.

Important

Do not select Windows 2008 Server, Enterprise Edition.

5. In the Properties of New Template dialog box, on the General tab, enter a
template name, like ConfigMgr Mac Client Certificate, to generate the Mac client
certificate.

6. Choose the Subject Name tab, make sure that Build from this Active Directory
information is selected, choose Common name for the Subject name format:, and
then clear User principal name (UPN) from Include this information in alternate
subject name.

7. Choose the Security tab, and then remove the Enroll permission from the Domain
Admins and Enterprise Admins security groups.

8. Choose Add, specify the security group that you created in step one, and then
choose OK.

9. Choose the Enroll permission for this group, and do not clear the Read permission.

10. Choose OK, and then close Certificate Templates Console.

11. In the Certification Authority console, right-click Certificate Templates, choose New, and then choose Certificate Template to Issue.

12. In the Enable Certificate Templates dialog box, choose the new template that you
just created, ConfigMgr Mac Client Certificate, and then choose OK.

13. If you do not have to create and issue more certificates, close Certification
Authority.

The Mac client certificate template is now ready to be selected when you set up client settings for enrollment.

Additional information about privacy for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Updates and servicing
Configuration Manager uses an update model that helps keep your environment current
with the latest updates and features. This feature uses a site system role called the
service connection point. You choose the server where to install this role.

For more information about collected information and how it's used, see Usage data.

Usage data
Configuration Manager collects diagnostics and usage data about itself, which Microsoft
uses to improve the installation experience, quality, and security of future releases.
Diagnostics and usage data is enabled for each Configuration Manager hierarchy. It
consists of SQL Server queries that run on a weekly basis on each primary site and at the
central administration site. When the hierarchy uses a central administration site, the
data from primary sites is then replicated to that site. At the top-level site of your
hierarchy, the service connection point submits this information when it checks for
updates. If the service connection point is in offline mode, the information is transferred
by using the service connection tool.

Configuration Manager collects data only from the site's SQL Server database, and it
doesn't collect data directly from clients or site servers.

Administrators can change the level of data that's collected by going to the Usage Data
section of the Configuration Manager console.

For more information about usage data levels and settings, see Diagnostics and usage
data.

Log Analytics Connector
The Log Analytics Connector syncs data, such as collections, from Configuration Manager to the Azure cloud service. When an admin configures the feature, the Azure subscription ID, the Azure Active Directory client secret, and the Azure workspace shared key are stored in the on-premises Configuration Manager database, so access to that database should be restricted accordingly. All communications between Configuration Manager and Azure use HTTPS. No additional information about the collections is provided to Microsoft outside of randomized diagnostics and usage data.

For more information about the information that Log Analytics collects, see Log
analytics data security.

Asset Intelligence
Asset Intelligence lets administrators define, track, and proactively manage conformity
with configuration standards. Metering and reporting on the deployment and use of
both physical and virtual applications helps organizations make better business
decisions about software licensing and maintain compliance with licensing agreements.
After collecting usage data from Configuration Manager clients, you can use different
features to view the data, including collections, queries, and reporting.

During each synchronization, a catalog of known software is downloaded from Microsoft. You can choose to send Microsoft information about uncategorized software
titles that are discovered within your organization to be researched and added to the
catalog. Prior to uploading this information, a dialog box shows data that's going to be
uploaded. Uploaded data can't be recalled. Asset Intelligence doesn't send information
about users and computers or license usage to Microsoft.

After a software title is uploaded, Microsoft researchers identify, categorize, and then
make that knowledge available to all other customers who use this feature and other
consumers of the catalog. Any uploaded software title becomes public. The application
and its categorization become part of the catalog and then can be downloaded to other
consumers of the catalog. Before you configure Asset Intelligence data collection and
decide whether to submit information to Microsoft, consider the privacy requirements of
your organization.

Asset Intelligence isn't enabled by default in Configuration Manager. Uploading uncategorized titles never occurs automatically, and the system isn't designed to automate this task. You must manually select and approve the upload of each software title.

Endpoint Protection
Microsoft Cloud Protection Service was formerly known as Microsoft Active Protection
Service or MAPS.

The applicable products are System Center Endpoint Protection and the Endpoint
Protection feature of Configuration Manager (to manage System Center Endpoint
Protection and Windows Defender for Windows 10 or later).

The Microsoft Cloud Protection Service antimalware community is a voluntary worldwide online community that includes System Center Endpoint Protection users.
When you join Microsoft Cloud Protection Service, System Center Endpoint Protection
automatically sends information to Microsoft. Microsoft uses the information to
determine software to investigate for potential threats and to help improve the
effectiveness of System Center Endpoint Protection. This community helps stop the
spread of new malicious software infections. If a Microsoft Cloud Protection Service
report includes details about malware or potentially unwanted software that the
Endpoint Protection client may be able to remove, Microsoft Cloud Protection Service
downloads the latest signature to address it. Microsoft Cloud Protection Service can also
find "false positives" and fix them. (False positives are where something originally
identified as malware turns out not to be.)

Microsoft Cloud Protection Service reports include information about potential malware
files, like file names, cryptographic hash, vendor, size, and date stamps. In addition,
Microsoft Cloud Protection Service might collect full URLs to indicate the origin of the
file. These URLs might occasionally have personal information like search terms or data
that was entered in forms. Reports might also include actions that you took when
Endpoint Protection notified you about unwanted software. Microsoft Cloud Protection
Service reports include this information to help Microsoft gauge how effectively
Endpoint Protection can detect and remove malware and potentially unwanted software
and to attempt to identify new malware.

You can join Microsoft Cloud Protection Service if you have a basic or advanced
membership. Basic member reports have the information described previously.
Advanced member reports are more comprehensive and may include additional details
about the software that Endpoint Protection detects, like the location of such software,
file names, how the software operates, and how it has affected your computer. These
reports and reports from other Endpoint Protection users who participate in Microsoft
Cloud Protection Service help Microsoft researchers discover new threats more rapidly.
Malware definitions are then created for programs that meet the analysis criteria, and
the updated definitions are made available to all users through Microsoft Update.

To help detect and fix certain kinds of malware infections, the product regularly sends
Microsoft Cloud Protection Service information about the security state of your PC. This
information includes information about your PC's security settings and log files that
describe the drivers and other software that load while your PC boots.

A number that uniquely identifies your PC is also sent. Also, Microsoft Cloud Protection
Service may collect the IP addresses that the potential malware files connect to.

Microsoft Cloud Protection Service reports are used to improve Microsoft software and
services. The reports might also be used for statistical or other testing or analytical
purposes and to generate definitions. Only Microsoft employees, contractors, partners,
and vendors who have a business need to use the reports can access them.

Microsoft Cloud Protection Service does not intentionally collect personal information.
To the extent that Microsoft Cloud Protection Service collects any personal information,
Microsoft does not use the information to identify you or contact you.

For more information, see Endpoint Protection.

Site Hierarchy – Geographical View with Bing Maps

Important

Starting in August 2020, this feature is deprecated. Use the Hierarchy Diagram option.

In the Configuration Manager console, go to the Monitoring workspace, select the Site
Hierarchy node, and switch to the Geographical View. This view lets you use maps that
Microsoft Bing Maps provides to view your Configuration Manager physical server
topology. To enable this feature, location information that you provide is sent from your
server to the Bing Maps Web service.

Microsoft uses the information to operate and improve Microsoft Bing Maps and other
Microsoft sites and services. For more information, see the Microsoft Privacy
Statement .

You can choose not to use the Geographical View for the Site Hierarchy. The default Hierarchy Diagram view lets you see the hierarchy and doesn't use the Bing Maps service.

How to enable TLS 1.2
Article • 10/04/2022

Applies to: Configuration Manager (Current Branch)

Transport Layer Security (TLS), like Secure Sockets Layer (SSL), is an encryption protocol
intended to keep data secure when being transferred over a network. These articles
describe steps required to ensure that Configuration Manager secure communication
uses the TLS 1.2 protocol. These articles also describe update requirements for
commonly used components and troubleshooting common problems.

Enabling TLS 1.2
Configuration Manager relies on many different components for secure communication.
The protocol that's used for a given connection depends on the capabilities of the
relevant components on both the client and server side. If any component is out-of-date
or not properly configured, the communication might use an older, less secure protocol.
To correctly enable Configuration Manager to support TLS 1.2 for all secure
communications, you must enable TLS 1.2 for all required components. The required
components depend on your environment and the Configuration Manager features that
you use.

Important

Start this process with the clients, especially previous versions of Windows. Before
enabling TLS 1.2 and disabling the older protocols on the Configuration Manager
servers, make sure that all clients support TLS 1.2. Otherwise, the clients can't
communicate with the servers and can be orphaned.

Tasks for Configuration Manager clients, site servers, and remote site systems

To enable TLS 1.2 for components that Configuration Manager depends on for secure communication, you'll need to do multiple tasks on both the clients and the site servers.

Enable TLS 1.2 for Configuration Manager clients

Update Windows and WinHTTP on Windows 8.0, Windows Server 2012 (non-R2) and earlier
Ensure that TLS 1.2 is enabled as a protocol for SChannel at the OS level
Update and configure the .NET Framework to support TLS 1.2

Enable TLS 1.2 for Configuration Manager site servers and remote site systems

Ensure that TLS 1.2 is enabled as a protocol for SChannel at the OS level
Update and configure the .NET Framework to support TLS 1.2
Update SQL Server and the SQL Server Native Client
Update Windows Server Update Services (WSUS)

Features and scenario dependencies

This section describes the dependencies for specific Configuration Manager features and scenarios. To determine the next steps, locate the items that apply to your environment.

Feature or scenario: Update tasks

Site servers (central, primary, or secondary): Update .NET Framework. Verify strong cryptography settings.

Site database server: Update SQL Server and its client components.

Secondary site servers: Update SQL Server and its client components to a compliant version of SQL Server Express.

Site system roles: Update .NET Framework and verify strong cryptography settings. Update SQL Server and its client components on roles that require it, including the SQL Server Native Client.

Reporting services point: Update .NET Framework on the site server, the SQL Server Reporting Services servers, and any computer with the console. Restart the SMS_Executive service as necessary.

Software update point: Update WSUS.

Cloud management gateway: Enforce TLS 1.2.

Configuration Manager console: Update .NET Framework. Verify strong cryptography settings.

Configuration Manager client with HTTPS site system roles: Update Windows to support TLS 1.2 for client-server communications by using WinHTTP.

Software Center: Update .NET Framework. Verify strong cryptography settings.

Windows 7 clients: Before you enable TLS 1.2 on any server components, update Windows to support TLS 1.2 for client-server communications by using WinHTTP. If you enable TLS 1.2 on server components first, you can orphan earlier versions of clients.

Frequently asked questions

Why use TLS 1.2 with Configuration Manager?
TLS 1.2 is more secure than the previous cryptographic protocols such as SSL 2.0, SSL
3.0, TLS 1.0, and TLS 1.1. Essentially, TLS 1.2 keeps data being transferred across the
network more secure.

Where does Configuration Manager use encryption protocols like TLS 1.2?

There are basically five areas where Configuration Manager uses encryption protocols like TLS 1.2:

Client communications to IIS-based site server roles when the role is configured to
use HTTPS. Examples of these roles include distribution points, software update
points, and management points.
Management point, SMS Executive, and SMS Provider communications with SQL.
Configuration Manager always encrypts SQL Server communications.
Site Server to WSUS communications if WSUS is configured to use HTTPS.
The Configuration Manager console to SQL Server Reporting Services (SSRS) if
SSRS is configured to use HTTPS.
Any connections to internet-based services. Examples include the cloud
management gateway (CMG), the service connection point sync, and sync of
update metadata from Microsoft Update.

What determines which encryption protocol is used?
HTTPS will always negotiate the highest protocol version that is supported by both the
client and server in an encrypted conversation. On establishing a connection, the client
sends a message to the server with its highest available protocol. If the server supports
the same version, it sends a message using that version. This negotiated version is the
one that is used for the connection. If the server doesn't support the version presented
by the client, the server message will specify the highest version it can use. For more
information about the TLS Handshake protocol, see Establishing a Secure Session by
using TLS.

What determines which protocol version the client and server can use?

Generally, the following items can determine which protocol version is used:

The application can dictate which specific protocol versions to negotiate.
Best practice dictates to avoid hard coding specific protocol versions at the application level and to follow the configuration defined at the component and OS protocol level. Configuration Manager follows this best practice.
For applications written using the .NET Framework, the default protocol versions depend on the version of the framework they were compiled upon. .NET versions before 4.6.3 did not include TLS 1.1 and 1.2 in the list of protocols for negotiation, by default.
Applications that use WinHTTP for HTTPS communications, like the Configuration Manager client, depend on the OS version, patch level, and configuration for protocol version support.

Additional resources
Cryptographic controls technical reference
Transport layer security (TLS) best practices with the .NET Framework
KB 3135244: TLS 1.2 support for Microsoft SQL Server

Next steps
Enable TLS 1.2 on clients
Enable TLS 1.2 on the site servers

How to enable TLS 1.2 on clients
Article • 10/04/2022

Applies to: Configuration Manager (Current Branch)

When enabling TLS 1.2 for your Configuration Manager environment, start by ensuring
the clients are capable and properly configured to use TLS 1.2 before enabling TLS 1.2
and disabling the older protocols on the site servers and remote site systems. There are
three tasks for enabling TLS 1.2 on clients:

Update Windows and WinHTTP
Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level
Update and configure the .NET Framework to support TLS 1.2

For more information about dependencies for specific Configuration Manager features
and scenarios, see About enabling TLS 1.2.

Update Windows and WinHTTP
Windows 8.1, Windows Server 2012 R2, Windows 10, Windows Server 2016, and later
versions of Windows natively support TLS 1.2 for client-server communications over
WinHTTP.

Earlier versions of Windows, such as Windows 7 or Windows Server 2012, don't enable TLS 1.1 or TLS 1.2 by default for secure communications using WinHTTP. For these earlier versions of Windows, install Update 3140245. This update adds support for the DefaultSecureProtocols registry value, which you can set to add TLS 1.1 and TLS 1.2 to the default secure protocols list for WinHTTP. With the update installed, create the following registry values:

Important

Enable these settings on all clients running earlier versions of Windows before
enabling TLS 1.2 and disabling the older protocols on the Configuration Manager
servers. Otherwise, you can inadvertently orphan them.

Verify the value of the DefaultSecureProtocols registry setting, for example:

Registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\
DefaultSecureProtocols = (DWORD): 0xAA0

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\
DefaultSecureProtocols = (DWORD): 0xAA0

If you change this value, restart the computer.

The example above shows the value of 0xAA0 for the WinHTTP DefaultSecureProtocols
setting. Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in
Windows lists the hexadecimal value for each protocol. By default in Windows, this
value is 0x0A0, which enables SSL 3.0 and TLS 1.0 for WinHTTP. The above example keeps
these defaults and also enables TLS 1.1 and TLS 1.2 for WinHTTP, so the change doesn't
break any other application that might still rely on SSL 3.0 or TLS 1.0. Use the value
0xA00 to enable only TLS 1.1 and TLS 1.2. Configuration Manager uses the most secure
protocol that Windows negotiates between the two devices.

If you want to completely disable SSL 3.0 and TLS 1.0, use the SChannel disabled
protocols setting in Windows. For more information, see Restrict the use of certain
cryptographic algorithms and protocols in Schannel.dll.

Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level

For the most part, protocol usage is controlled at three levels: the operating system
level, the framework or platform level, and the application level. TLS 1.2 is enabled by
default at the operating system level. Once you ensure that the .NET registry values are
set to enable TLS 1.2 and verify that the environment is using TLS 1.2 on the network,
you may want to edit the SChannel\Protocols registry key to disable the older, less
secure protocols. For more information on disabling TLS 1.0 and 1.1, see Configuring
Schannel protocols in the Windows Registry.

Update and configure the .NET Framework to support TLS 1.2

Determine .NET version

First, determine the installed .NET versions. For more information, see Determine which
versions and service pack levels of .NET Framework are installed.

Install .NET updates

Install the .NET updates so you can enable strong cryptography. Some versions of .NET
Framework might require updates to enable strong cryptography. Use these guidelines:

.NET Framework 4.6.2 and later supports TLS 1.1 and TLS 1.2. Confirm the registry
settings, but no additional changes are required.

Note

Starting in version 2107, Configuration Manager requires Microsoft .NET Framework
version 4.6.2 for site servers, specific site systems, clients, and the console. If
possible in your environment, install the latest version of .NET Framework 4.8.

Update .NET Framework 4.6 and earlier versions to support TLS 1.1 and TLS 1.2. For
more information, see .NET Framework versions and dependencies.

If you're using .NET Framework 4.5.1 or 4.5.2 on Windows 8.1, Windows Server
2012 R2, or Windows Server 2012, install the latest security updates for .NET Framework
4.5.1 and 4.5.2 so that TLS 1.2 can be enabled properly.

For your reference, TLS 1.2 support was first added to .NET Framework 4.5.1 and 4.5.2
with the following hotfix rollups:
For Windows 8.1 and Windows Server 2012 R2: Hotfix rollup 3099842
For Windows Server 2012: Hotfix rollup 3099844

Configure for strong cryptography

Configure .NET Framework to support strong cryptography. Set the SchUseStrongCrypto
registry setting to DWORD:00000001. This value disables the RC4 stream cipher and
requires a restart. For more information about this setting, see Microsoft Security
Advisory 2960358.

Make sure to set the following registry keys on any computer that communicates across
the network with a TLS 1.2-enabled system. For example, Configuration Manager clients,
remote site system roles not installed on the site server, and the site server itself.
For 32-bit applications that are running on 32-bit OSs and for 64-bit applications that
are running on 64-bit OSs, update the following subkey values:

Registry

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

For 32-bit applications that are running on 64-bit OSs, update the following subkey
values:

Registry

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

Note

The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The
SystemDefaultTlsVersions setting allows .NET to use the OS configuration. For
more information, see TLS best practices with the .NET Framework.

Next steps
Enable TLS 1.2 on the site servers and remote site systems
Common issues when enabling TLS 1.2
How to enable TLS 1.2 on the site
servers and remote site systems
Article • 01/30/2023

Applies to: Configuration Manager (Current Branch)

When enabling TLS 1.2 for your Configuration Manager environment, enable TLS 1.2 for
the clients first, then on the site servers and remote site systems. Test client-to-site
system communications before you disable the older protocols on the server side. The
following tasks are needed for enabling TLS 1.2 on the site servers and remote site
systems:

Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system
level
Update and configure the .NET Framework to support TLS 1.2
Update SQL Server and client components
Update Windows Server Update Services (WSUS)

For more information about dependencies for specific Configuration Manager features
and scenarios, see About enabling TLS 1.2.

Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level

For the most part, protocol usage is controlled at three levels: the operating system
level, the framework or platform level, and the application level. TLS 1.2 is enabled by
default at the operating system level. Once you ensure that the .NET registry values are
set to enable TLS 1.2 and verify that the environment is using TLS 1.2 on the network,
you may want to edit the SChannel\Protocols registry key to disable the older, less
secure protocols. For more information on disabling TLS 1.0 and 1.1, see Configuring
Schannel protocols in the Windows Registry.

Update and configure the .NET Framework to support TLS 1.2

Determine .NET version

First, determine the installed .NET versions. For more information, see Determine which
versions and service pack levels of .NET Framework are installed.

Install .NET updates

Install the .NET updates so you can enable strong cryptography. Some versions of .NET
Framework might require updates to enable strong cryptography. Use these guidelines:

.NET Framework 4.6.2 and later supports TLS 1.1 and TLS 1.2. Confirm the registry
settings, but no additional changes are required.

Note

Starting in version 2107, Configuration Manager requires Microsoft .NET Framework
version 4.6.2 for site servers, specific site systems, clients, and the console. If
possible in your environment, install the latest version of .NET Framework 4.8.

Update .NET Framework 4.6 and earlier versions to support TLS 1.1 and TLS 1.2. For
more information, see .NET Framework versions and dependencies.

If you're using .NET Framework 4.5.1 or 4.5.2 on Windows 8.1, Windows Server
2012 R2, or Windows Server 2012, install the latest security updates for .NET Framework
4.5.1 and 4.5.2 so that TLS 1.2 can be enabled properly.

For your reference, TLS 1.2 support was first added to .NET Framework 4.5.1 and 4.5.2
with the following hotfix rollups:
For Windows 8.1 and Windows Server 2012 R2: Hotfix rollup 3099842
For Windows Server 2012: Hotfix rollup 3099844

Configure for strong cryptography

Configure .NET Framework to support strong cryptography. Set the SchUseStrongCrypto
registry setting to DWORD:00000001. This value disables the RC4 stream cipher and
requires a restart. For more information about this setting, see Microsoft Security
Advisory 2960358.

Make sure to set the following registry keys on any computer that communicates across
the network with a TLS 1.2-enabled system. For example, Configuration Manager clients,
remote site system roles not installed on the site server, and the site server itself.
For 32-bit applications that are running on 32-bit OSs and for 64-bit applications that
are running on 64-bit OSs, update the following subkey values:

Registry

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

For 32-bit applications that are running on 64-bit OSs, update the following subkey
values:

Registry

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

Note

The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The
SystemDefaultTlsVersions setting allows .NET to use the OS configuration. For
more information, see TLS best practices with the .NET Framework.
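The following PowerShell script is an added example; it is not part of this article and is not shipped with Configuration Manager. It audits, and with -Apply sets, the registry values described in this article and in the preceding article, How to enable TLS 1.2 on clients: the WinHTTP DefaultSecureProtocols value, the .NET Framework SystemDefaultTlsVersions and SchUseStrongCrypto values in both registry views, and the Schannel TLS 1.2 Client and Server keys. On site systems it also reports the SQL Server Native Client 11 build. Run it elevated in audit mode first. The default WinHTTP value of 0xA00 (TLS 1.1 and TLS 1.2 only), and the assumption that the sqlncli11.dll file version carries the build number in its third field so that a build of at least 7001 corresponds to the 11.*.7001.0 requirement, are choices of this example, not statements from the article.

```powershell
# Added example: audit or apply the TLS 1.2 registry prerequisites from the client and
# site-server articles. Not from the Configuration Manager docs. Run elevated.
# Audit only by default; -Apply writes missing values. Reboot afterwards, as the articles say.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply,
    # 0xA00 = TLS 1.1 + TLS 1.2 only (assumed default here); 0xAA0 also keeps SSL 3.0 and TLS 1.0.
    [uint32]$WinHttpProtocols = 0xA00
)

# Both registry views on 64-bit Windows; only the native view on 32-bit Windows.
$roots = @('HKLM:\SOFTWARE')
if ([Environment]::Is64BitOperatingSystem) { $roots += 'HKLM:\SOFTWARE\Wow6432Node' }

$desired = New-Object System.Collections.Generic.List[object]
function Add-Desired([string]$Path, [string]$Name, [uint32]$Value) {
    $desired.Add([pscustomobject]@{ Path = $Path; Name = $Name; Value = $Value })
}

# 1. WinHTTP: needed on Windows 7 / Server 2012 with KB3140245 installed; harmless elsewhere.
foreach ($root in $roots) {
    Add-Desired "$root\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" 'DefaultSecureProtocols' $WinHttpProtocols
}

# 2. .NET Framework: follow the OS protocol list and use strong cryptography (no RC4).
foreach ($root in $roots) {
    foreach ($ver in 'v2.0.50727', 'v4.0.30319') {
        Add-Desired "$root\Microsoft\.NETFramework\$ver" 'SystemDefaultTlsVersions' 1
        Add-Desired "$root\Microsoft\.NETFramework\$ver" 'SchUseStrongCrypto' 1
    }
}

# 3. Schannel: TLS 1.2 explicitly enabled for both roles before anything older is disabled.
foreach ($role in 'Client', 'Server') {
    $p = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\$role"
    Add-Desired $p 'Enabled' 1
    Add-Desired $p 'DisabledByDefault' 0
}

$report = foreach ($d in $desired) {
    $current = $null
    if (Test-Path -LiteralPath $d.Path) {
        $current = (Get-ItemProperty -LiteralPath $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
    }
    $actual    = if ($null -eq $current) { '<missing>' } else { '0x{0:X}' -f [uint32]$current }
    $compliant = ($null -ne $current) -and ([uint32]$current -eq $d.Value)

    if (-not $compliant -and $Apply -and
        $PSCmdlet.ShouldProcess("$($d.Path)\$($d.Name)", ('Set DWORD to 0x{0:X}' -f $d.Value))) {
        if (-not (Test-Path -LiteralPath $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        New-ItemProperty -LiteralPath $d.Path -Name $d.Name -PropertyType DWord -Value $d.Value -Force | Out-Null
        $compliant = $true
    }

    [pscustomobject]@{
        Setting   = "$($d.Path)\$($d.Name)"
        Expected  = '0x{0:X}' -f $d.Value
        Actual    = $actual
        Compliant = $compliant
    }
}
$report | Format-Table -AutoSize

# 4. Site systems only: SQL Server Native Client 11 must be the SQL Server 2012 SP4 build or later.
#    Assumption: the DLL file version carries the build in its third field (e.g. 2011.110.7001.0),
#    matching the 11.*.7001.0 product version the article quotes. Skipped if the DLL is absent.
$ncli = Get-Item -LiteralPath "$env:SystemRoot\System32\sqlncli11.dll" -ErrorAction SilentlyContinue
if ($ncli) {
    $fv     = $ncli.VersionInfo.FileVersion -replace '[^\d.]', ''   # keep only digits and dots
    $build  = [int]($fv -split '\.')[2]
    $status = if ($build -ge 7001) { 'OK' } else { 'UPDATE REQUIRED' }
    Write-Output ('SQL Server Native Client 11 file version {0}: {1}' -f $ncli.VersionInfo.FileVersion, $status)
}

$noncompliant = @($report | Where-Object { -not $_.Compliant }).Count
Write-Output ('{0} setting(s) still non-compliant. Reboot after applying changes.' -f $noncompliant)
```

Run `.\Set-CmTls12.ps1` for the audit table, `.\Set-CmTls12.ps1 -Apply -WhatIf` to see which values would change, and `.\Set-CmTls12.ps1 -Apply` to write them. The script deliberately only enables TLS 1.2; disabling SSL 3.0, TLS 1.0 and TLS 1.1 is a separate step that belongs after client-to-site communication has been verified, as the article orders it.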

Update SQL Server and client components


Microsoft SQL Server 2016 and later support TLS 1.1 and TLS 1.2. Earlier versions and
dependent libraries might require updates. For more information, see KB 3135244: TLS
1.2 support for Microsoft SQL Server .

Secondary site servers need to use at least SQL Server 2016 Express with Service Pack 2
(13.2.50.26) or later.

SQL Server Native Client

Note

KB 3135244 also describes requirements for SQL Server client components.

Make sure to also update the SQL Server Native Client to at least version SQL Server
2012 SP4 (11.*.7001.0). This requirement is a prerequisite check (warning).

Configuration Manager uses SQL Server Native Client on the following site system roles:

Site database server
Site server: central administration site, primary site, or secondary site
Management point
Device management point
State migration point
SMS Provider
Software update point
Multicast-enabled distribution point
Asset Intelligence update service point
Reporting services point
Enrollment point
Endpoint Protection point
Service connection point
Certificate registration point
Data warehouse service point

Enable TLS 1.2 at scale using Automanage Machine Configuration and Azure Arc

Automanage Machine Configuration automatically configures TLS 1.2 for both the client
and server roles on machines running in Azure, on-premises, or in multi-cloud
environments. To get started, connect the machines to Azure using Azure Arc-enabled
servers, which includes the Machine Configuration prerequisite by default. Once
connected, configure TLS 1.2 by assigning the built-in policy definition in the Azure
portal: Configure secure communication protocols (TLS 1.1 or TLS 1.2) on Windows
servers. The policy can be assigned at the subscription, resource group, or management
group scope, and individual resources can be excluded from the assignment.

After the configuration has been assigned, view the compliance status of your resources
in detail by navigating to the Guest Assignments page and scoping down to the affected
resources. For a detailed, step-by-step tutorial, see Consistently upgrade your server
TLS protocol using Azure Arc and Automanage Machine Configuration.

Update Windows Server Update Services (WSUS)

To support TLS 1.2 in earlier versions of WSUS, install the following update on the WSUS
server:

For a WSUS server running Windows Server 2012, install update 4022721 or a later
rollup update.
For a WSUS server running Windows Server 2012 R2, install update 4022720 or a later
rollup update.

Starting in Windows Server 2016, WSUS supports TLS 1.2 by default. TLS 1.2 updates are
only needed on Windows Server 2012 and Windows Server 2012 R2 WSUS servers.

Next steps
Common issues when enabling TLS 1.2
Common issues when enabling TLS 1.2
Article • 02/22/2023

This article provides advice for common issues that occur when you enable TLS 1.2
support in Configuration Manager.

Unsupported platforms
The following client platforms are supported by Configuration Manager but aren't
supported in a TLS 1.2 environment:

Apple OS X
Windows devices managed with on-premises MDM

Reports don't show in the console

If reports don't show in the Configuration Manager console, make sure to update the
computer on which you're running the console. Update the .NET Framework, and enable
strong cryptography.

FIPS security policy enabled

If you enable the FIPS security policy setting on either the client or a server, Secure
Channel (Schannel) negotiation can cause them to use TLS 1.0. This behavior happens
even if you disable the protocol in the registry.

To investigate, enable Secure Channel event logging, and then review Schannel events in
the System log. For more information, see Restrict the use of certain cryptographic
algorithms and protocols in Schannel.dll.

SQL Server communication failure

If SQL Server communication fails and returns an SslSecurityError error, verify the
following settings:

Update .NET Framework, and enable strong cryptography on each machine
Update SQL Server on the host server
Update SQL Server client components on all systems that communicate with SQL Server.
For example, the site servers, SMS Provider, and site role servers.

Configuration Manager client communication failures

If the Configuration Manager client doesn't communicate with site roles, verify that you
updated Windows to support TLS 1.2 for client-server communication by using WinHTTP.
Common site roles include distribution points, management points, and state migration
points.
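The following PowerShell script is an added example and is not part of this article. It does the two checks this article keeps pointing at: it opens a TLS handshake to a site system once per protocol version to see which versions the server actually accepts, and then pulls the recent Schannel handshake events from the System log. The host name mp01.contoso.local and port 443 are placeholders; point it at an HTTPS management point or distribution point in your own site. Event 36874 is the one this article quotes; 36887 and 36888 are the Schannel fatal-alert events (received and sent), and the EventLogging value description reflects the Schannel registry documentation rather than anything in this article.

```powershell
# Added example: probe which protocol versions a site system accepts, then list the Schannel
# events that explain a failed handshake. Not from the Configuration Manager docs.
param(
    [string]$ComputerName = 'mp01.contoso.local',   # placeholder: an HTTPS site system
    [int]$Port = 443,
    [int]$Hours = 24                                 # how far back to read Schannel events
)

function Test-TlsProtocol {
    param(
        [string]$Server,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        # Accept any certificate: this probe is about protocol negotiation, not chain validation.
        $trustAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAll)
        # Offer exactly one protocol version so the outcome is unambiguous.
        $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false)
        $result = [pscustomobject]@{
            Requested   = $Protocol
            Negotiated  = $ssl.SslProtocol
            CipherSuite = '{0}-{1}/{2}' -f $ssl.KeyExchangeAlgorithm, $ssl.CipherAlgorithm, $ssl.CipherStrength
            Result      = 'Accepted'
        }
        $ssl.Dispose()
        $result
    }
    catch {
        $msg = $_.Exception.Message
        if ($_.Exception.InnerException) { $msg = $_.Exception.InnerException.Message }
        [pscustomobject]@{ Requested = $Protocol; Negotiated = $null; CipherSuite = $null; Result = "Rejected: $msg" }
    }
    finally { $client.Dispose() }
}

# Probe from oldest to newest. A site system that has finished the migration accepts only Tls12;
# one that still accepts Tls or Ssl3 has not yet had the older protocols disabled.
$probes = foreach ($p in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    Test-TlsProtocol -Server $ComputerName -Port $Port -Protocol ([System.Security.Authentication.SslProtocols]$p)
}
$probes | Format-Table -AutoSize

# Schannel writes handshake failures to the System log. 36874 = no cipher suite in common,
# 36887 = fatal alert received, 36888 = fatal alert sent. The EventLogging DWORD under
# HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL controls verbosity
# (1 = errors, the default; 7 = everything), so raise it temporarily if nothing shows up.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36874, 36887, 36888
    StartTime    = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Run the probe from a client first, then from the site server itself: a client that reports "Rejected" for Tls12 but "Accepted" for Tls has not picked up the WinHTTP or .NET settings yet, and that is the state the Important box in the client article warns will orphan it once the server side stops accepting TLS 1.0.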

Reporting services point fails and returns an unexpected error

If the reporting services point doesn't configure reports, check the SRSRP.log for the
following error entry:

The underlying connection was closed: An unexpected error occurred on a receive.

To resolve this issue, follow these steps:

1. Update .NET Framework, and enable strong cryptography on all relevant computers.

2. After you install any updates, restart the SMS_Executive service.

Service connection point upload failures

If the service connection point doesn't upload data to SCCMConnectedService, update
the .NET Framework, and enable strong cryptography on each computer. After you
make the changes, remember to restart the computers.

Configuration Manager console displays Intune onboarding dialog box

If the Intune onboarding dialog box appears when the console tries to connect to the
Microsoft Intune admin center, update the .NET Framework, and enable strong
cryptography on each computer. After you make the changes, remember to restart the
computers.

Configuration Manager console displays failure to sign in to Azure

When you try to create applications in Azure Active Directory (Azure AD), if the Azure
Services onboarding dialog box immediately fails after you select Sign in, update the
.NET Framework, and enable strong cryptography. After you make the changes,
remember to restart the computers.

Configuration Manager cloud services and TLS 1.2

The Azure virtual machines used by the cloud management gateway support TLS 1.2.
Supported client versions automatically use TLS 1.2.

The SMSAdminui.log may contain an error similar to the following example:

Log

Microsoft.ConfigurationManager.CloudBase.AAD.AADAuthenticationException
Service returned error. Check InnerException for more details
at Microsoft.ConfigurationManager.CloudBase.AAD.AADAuthenticationContext.GetAADAuthResultObject
...
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException
Service returned error. Check InnerException for more details
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask
...
System.Net.WebException
The underlying connection was closed: An unexpected error occurred on a receive.
at System.Net.HttpWebRequest.GetResponse

In the System event log, Schannel event ID 36874 may be logged with the following
description: An TLS 1.2 connection request was received from a remote client
application, but none of the cipher suites supported by the client application are
supported by the server. The TLS connection request has failed.

Additional resources
Transport layer security (TLS) best practices with the .NET Framework
KB 3135244: TLS 1.2 support for Microsoft SQL Server
Cryptographic controls technical reference

Next steps
Enable TLS 1.2 on clients
Enable TLS 1.2 on the site servers and remote site systems
Security documentation
Configuration Manager is secure by default. Learn more about how to configure and use
features to help keep your environment secure.

Fundamentals

OVERVIEW

Security in Configuration Manager
Role-based administration

Plan

GET STARTED

Plan for security
Certificates overview
Configure security

Resources

REFERENCE

Enable TLS 1.2
Cryptographic controls technical reference
Accounts
Ports

Feature guidance

CONCEPT

OS deployment
App management
Software update management


Evaluate Configuration Manager by
building your own lab environment
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Learn how to create a lab environment to evaluate Configuration Manager for use in
your organization.

Configuration Manager is a complex and powerful tool to manage your users, devices,
and software. It's a good idea to thoroughly evaluate Configuration Manager before full
deployment, so that you can marry conceptual understanding with hands-on exercises.

This guide is primarily meant for admins who are evaluating the use of Configuration
Manager in corporate environments:

Admins who want a solution to fully manage PCs, servers, and mobile devices
Admins in high-security industries that require the security of on-premises device
management with the flexibility of cloud-based device management
Admins who want to manage the scaling-up of their on-premises server architecture

What this lab does

The main goal of creating this lab environment is to give you the general knowledge to
start working with Configuration Manager, and to enhance your understanding of
Configuration Manager. You'll walk through an expedited assembly of the current
version of Configuration Manager, by using two servers:

One that hosts Active Directory, the domain controller, and the DNS server
One that hosts Configuration Manager and all associated SQL Server components

Client machines are installed within Hyper-V. The lab itself can also be run as a fully
virtualized system on a single server.

What this lab does not do

This lab will not take you through all Configuration Manager scenarios. It is not
designed to be immediately migrated into an active environment.

When you build this lab, you will have a functional environment to work in. But this
environment will not be optimized for factors like system performance, hard disk space
management, and SQL Server storage.

Recommended reading before you build the lab

There is a wealth of content available in Documentation for Configuration Manager. We
recommend that you read the following topics from this library before you start to build
the lab:

Learn core concepts about the Configuration Manager console, end-user portals,
and example scenarios in Introduction to Configuration Manager.
Learn about the primary management capabilities of Configuration Manager in
Features and capabilities of Configuration Manager.
Bolster your knowledge with Fundamentals of Configuration Manager.
Learn the importance of security roles in Fundamentals of role-based
administration for Configuration Manager.
Learn about content management in Concepts for content management.
Learn how to successfully support daily tasks throughout your deployment in
Understand how clients find site resources and services for Configuration Manager.
Set up a Configuration Manager lab
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Following the guidance in this topic will enable you to set up a lab for evaluating
Configuration Manager with simulated real-life activities.

Note

Microsoft offers a pre-configured version of this lab using an evaluation version of
Configuration Manager. For more information, see Microsoft Intune and
Configuration Manager evaluation lab kit.

Core components

Setting up your environment for Configuration Manager requires some core
components to support the installation of Configuration Manager.

The lab environment uses Windows Server 2012 R2, into which we will install
Configuration Manager.

You can download an evaluation version of Windows Server 2012 R2 from the
Evaluation Center.

Consider modifying or disabling Internet Explorer Enhanced Security Configuration
in order to more easily access some of the downloads referenced throughout the
course of these exercises. For more information, see Internet Explorer: Enhanced
Security Configuration.

The lab environment uses SQL Server 2012 SP2 for the site database.

You can download an evaluation version of SQL Server 2012 from the Microsoft
Download Center.

The SQL Server installation must meet the requirements in Supported versions of SQL
Server for Configuration Manager:

Configuration Manager requires a 64-bit version of SQL Server to host the site
database.
The SQL Server collation must be SQL_Latin1_General_CP1_CI_AS.
Windows authentication, rather than SQL Server authentication, is required.
A dedicated SQL Server instance is required.
Do not limit the system addressable memory for SQL Server.
Configure the SQL Server service account to run using a low rights domain user
account.
You must install SQL Server Reporting Services.
Intersite communications use the SQL Server Service Broker on default port
TCP 4022.
Intrasite communications between the SQL Server database engine and select
Configuration Manager site system roles use default port TCP 1433.

The domain controller uses Windows Server 2008 R2 with Active Directory
Domain Services installed. The domain controller also functions as the host for the
DHCP and DNS servers for use with a fully qualified domain name.

For more information, see Overview of Active Directory Domain Services.

Hyper-V is used with a few virtual machines to verify that the management steps
taken in these exercises are functioning as expected. A minimum of three virtual
machines is recommended, with Windows 10 installed.

For more information, see Overview of Hyper-V.

Administrator permissions will be required for all of these components:

Configuration Manager requires an administrator with local permissions within
the Windows Server environment.
Active Directory requires an administrator with permissions to modify the
schema.
Virtual machines require local permissions on the machines themselves.

Though not required for this lab, you can review Supported configurations for
Configuration Manager for additional information on requirements for implementing
Configuration Manager. Refer to documentation for software versions other than those
referenced here.

Once you have installed all of these components, there are additional steps you must
take to configure your Windows environment for Configuration Manager:
Prepare Active Directory content for the lab
For this lab, you will create a security group, then add a domain user to it.

Security group: Evaluation

Group scope: Universal

Group type: Security

Domain user: ConfigUser

Under normal circumstances, you wouldn't grant universal access to all users
within your environment. You are doing so with this user in order to streamline
bringing your lab online.

The next steps required to enable Configuration Manager clients to query Active
Directory Domain Services to locate site resources are listed over the next procedures.

Create the System Management container

Configuration Manager won't automatically create the required System Management
container in Active Directory Domain Services when the schema is extended. Therefore,
you will create this for your lab. This step will require you to install ADSI Edit.

Ensure that you are logged on as an account that has Create All Child Objects
permission on the System container in Active Directory Domain Services.

To create the System Management container:

1. Run ADSI Edit, and connect to the domain in which the site server resides.

2. Expand Domain <computer fully qualified domain name>, expand
<distinguished name>, right-click CN=System, click New, and then click Object.

3. In the Create Object dialog box, select Container, and then click Next.

4. In the Value box, type System Management, and then click Next.

5. Click Finish to complete the procedure.

Set security permissions for the System Management container

Grant the site server's computer account the permissions that are required to publish
site information to the container. You will use ADSI Edit for this task as well.

Important

Confirm that you are connected to the site server's domain prior to beginning the
following procedure.

To set security permissions for the System Management container:

1. In the console pane, expand the site server's domain, expand DC=<server
distinguished name>, and then expand CN=System. Right-click CN=System
Management, and then click Properties.

2. In the CN=System Management Properties dialog box, click the Security tab, and
then click Add to add the site server computer account. Grant the account Full
Control permissions.

3. Click Advanced, select the site server's computer account, and then click Edit.

4. In the Apply onto list, select This object and all descendant objects.

5. Click OK to close the ADSI Edit console and complete the procedure.

For more information, see Extend the Active Directory schema for Configuration
Manager.
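The following PowerShell script is an added example, not part of this lab guide. It produces the same result as the two ADSI Edit procedures above: it creates the System Management container under CN=System if it is missing, and grants the site server's computer account Full Control on that container and its descendants, and nothing wider. It assumes the ActiveDirectory RSAT module is installed, that you run it with an account that has Create All Child Objects on CN=System, and that the site server's computer name is CM01; change that name for your lab.

```powershell
# Added example: create the System Management container and grant the site server's
# computer account Full Control on it and its descendants, the same result as the ADSI Edit
# steps in the lab guide. Not from the Configuration Manager docs.
param([string]$SiteServerName = 'CM01')   # assumed lab site server name

Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$domainDn    = (Get-ADDomain).DistinguishedName
$systemDn    = "CN=System,$domainDn"
$containerDn = "CN=System Management,$systemDn"

# Create the container only if it isn't already there (the schema extension doesn't create it).
$existing = Get-ADObject -LDAPFilter '(&(objectClass=container)(cn=System Management))' `
    -SearchBase $systemDn -SearchScope OneLevel -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDn
    Write-Output "Created $containerDn"
}

# Grant only the site server's computer account, not a group, and scope the ACE to this
# container and its children: that's all site publishing needs.
$siteServer = Get-ADComputer -Identity $SiteServerName
$identity   = [System.Security.Principal.SecurityIdentifier]$siteServer.SID
$ntAccount  = $identity.Translate([System.Security.Principal.NTAccount]).Value   # DOMAIN\CM01$

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$containerDn"
$alreadyGranted = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ntAccount -and
    $_.ActiveDirectoryRights -eq 'GenericAll' -and
    $_.AccessControlType -eq 'Allow' -and
    -not $_.IsInherited
}
if (-not $alreadyGranted) {
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$containerDn" -AclObject $acl
    Write-Output "Granted Full Control on $containerDn to $ntAccount"
}

# Verify: list every ACE on the container so nothing unexpected was inherited or added.
(Get-Acl -Path "AD:\$containerDn").Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

The final listing is worth keeping with the lab notes: the only explicit Allow entry for GenericAll with InheritanceType All should be the site server's computer account. Anything else on that container is either inherited from CN=System or was added by hand.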

Extend the Active Directory schema using extadsch.exe

You will extend the Active Directory schema for this lab, as this allows you to use all
Configuration Manager features and functionality with the least amount of
administrative overhead. Extending the Active Directory schema is a forest-wide
configuration that is done one time per forest. Extending the schema permanently
modifies the set of classes and attributes in your base Active Directory configuration.
This action is irreversible. Extending the schema allows Configuration Manager to access
components that will allow it to function most effectively within your lab environment.

Important

Ensure that you are logged on to the schema master domain controller with an
account that is a member of the Schema Admins security group. Attempting to use
alternate credentials will fail.

To extend the Active Directory schema using extadsch.exe:

1. Create a backup of the schema master domain controller's system state. For more
information about backing up the schema master domain controller, see Windows
Server Backup.

2. Navigate to \SMSSETUP\BIN\X64 in the installation media.

3. Run extadsch.exe.

4. Verify that the schema extension was successful by reviewing the extadsch.log
located in the root folder of the system drive.

For more information, see Extend the Active Directory schema for Configuration
Manager.

Other required tasks

You will also need to complete the following tasks prior to installation.

Create a folder for storing all downloads

There will be multiple downloads required for components of the installation media
throughout this exercise. Before beginning any installation procedures, determine a
location that will not require you to move these files until you wish to decommission
your lab. A single folder with separate subfolders to store these downloads is
recommended.

Install .NET and activate Windows Communication Foundation

You will need to install two .NET Frameworks: first, .NET 3.5.1 and then .NET 4.5.2+. You
will also need to activate Windows Communication Foundation (WCF). WCF is designed
to offer a manageable approach to distributed computing, broad interoperability, and
direct support for service orientation, and simplifies development of connected
applications through a service-oriented programming model. For more information, see
What Is Windows Communication Foundation?.

To install .NET and activate Windows Communication Foundation:

1. Open Server Manager, then navigate to Manage. Click Add Roles and Features to
open the Add Roles and Features Wizard.

2. Review the information provided in the Before You Begin panel, then click Next.

3. Select Role-based or feature-based installation, then click Next.

4. Select your server from the Server Pool, then click Next.

5. Review the Server Roles panel, then click Next.

6. Add the following Features by selecting them from the list:

   .NET Framework 3.5 Features
      .NET Framework 3.5 (includes .NET 2.0 and 3.0)
   .NET Framework 4.5 Features
      .NET Framework 4.5
      ASP.NET 4.5
      WCF Services
         HTTP Activation
         TCP Port Sharing

7. Review the Web Server Role (IIS) and Role Services screen, then click Next.

8. Review the Confirmation screen, then click Next.

9. Click Install and verify that the installation completed properly in the Notifications
pane of Server Manager.

10. After the base installation of .NET completes, navigate to the Microsoft Download
Center to obtain the web installer for the .NET Framework 4.5.2. Click the
Download button, then Run the installer. It will automatically detect and install the
required components in your selected language.

Enable BITS, IIS, and RDC

The Background Intelligent Transfer Service (BITS) is used for applications that need to
transfer files asynchronously between a client and a server. By metering the flow of the
transfers in the foreground and background, BITS preserves the responsiveness of other
network applications. It will also automatically resume file transfers if a transfer session
is interrupted.
You will install BITS for this lab, as this site server will also be used as a management
point.

Internet Information Services (IIS) is a flexible, scalable web server that can be used to
host anything on the web. It is used by Configuration Manager for a number of site
system roles. For additional information on IIS, review Websites for site system servers.

Remote Differential Compression (RDC) is a set of APIs that applications can use to
determine if any changes have been made to a set of files. RDC enables the application
to replicate only the changed portions of a file, keeping network traffic to a minimum.

To enable BITS, IIS, and RDC on the site server:

1. On your site server, open Server Manager. Navigate to Manage. Click Add Roles
and Features to open the Add Roles and Features Wizard.

2. Review the information provided in the Before You Begin panel, then click Next.

3. Select Role-based or feature-based installation, then click Next.

4. Select your server from the Server Pool, then click Next.

5. Add the following Server Roles by selecting them from the list:

   - Web Server (IIS)
     - Common HTTP Features
       - Default Document
       - Directory Browsing
       - HTTP Errors
       - Static Content
       - HTTP Redirection
     - Health and Diagnostics
       - HTTP Logging
       - Logging Tools
       - Request Monitor
       - Tracing
     - Performance
       - Static Content Compression
       - Dynamic Content Compression
     - Security
       - Request Filtering
       - Basic Authentication
       - Client Certificate Mapping Authentication
       - IP and Domain Restrictions
       - URL Authorization
       - Windows Authentication
     - Application Development
       - .NET Extensibility 3.5
       - .NET Extensibility 4.5
       - ASP
       - ASP.NET 3.5
       - ASP.NET 4.5
       - ISAPI Extensions
       - ISAPI Filters
       - Server Side Includes
     - FTP Server
       - FTP Service
     - Management Tools
       - IIS Management Console
       - IIS 6 Management Compatibility
         - IIS 6 Metabase Compatibility
         - IIS 6 Management Console
         - IIS 6 Scripting Tools
         - IIS 6 WMI Compatibility
       - IIS 6 Management Scripts and Tools
       - Management Service

6. Add the following Features by selecting them from the list:

   - Background Intelligent Transfer Service (BITS)
     - IIS Server Extension
   - Remote Server Administration Tools
     - Feature Administration Tools
       - BITS Server Extensions Tools

7. Click Install and verify that the installation completed properly in the Notifications
pane of Server Manager.

By default, IIS blocks several types of file extensions and locations from access by HTTP
or HTTPS communication. To enable these files to be distributed to client systems, you
will need to configure request filtering for IIS on your distribution point. For more
information, see IIS Request Filtering for distribution points.

To configure IIS filtering on distribution points:

1. Open IIS Manager and select the name of your server in the sidebar. This will take
you to the Home screen.

2. Verify that Features View is selected at the bottom of the Home screen. Navigate
to IIS and open Request Filtering.

3. In the Actions pane, click Allow File Name Extension...

4. Type .msi into the dialog box and click OK.
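The Server Manager and IIS Manager steps above, scripted and verified with PowerShell, as an added example that is not part of this article. It assumes an elevated session on the site server and uses the Install-WindowsFeature names that correspond to the roles and features listed above; the request-filtering change needs the WebAdministration module, which the IIS management tools install.

```powershell
# Added example (not from the Configuration Manager documentation): install the
# same roles and features as the Server Manager steps above, verify the result,
# and allow .msi in IIS request filtering as in the IIS Manager step.
# Run in an elevated PowerShell session on the site server.

$webServerRoles = @(
    'Web-Server',
    # Common HTTP Features
    'Web-Default-Doc', 'Web-Dir-Browsing', 'Web-Http-Errors',
    'Web-Static-Content', 'Web-Http-Redirect',
    # Health and Diagnostics
    'Web-Http-Logging', 'Web-Log-Libraries', 'Web-Request-Monitor', 'Web-Http-Tracing',
    # Performance
    'Web-Stat-Compression', 'Web-Dyn-Compression',
    # Security
    'Web-Filtering', 'Web-Basic-Auth', 'Web-Client-Auth', 'Web-IP-Security',
    'Web-Url-Auth', 'Web-Windows-Auth',
    # Application Development
    'Web-Net-Ext', 'Web-Net-Ext45', 'Web-ASP', 'Web-Asp-Net', 'Web-Asp-Net45',
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Includes',
    # FTP Server
    'Web-Ftp-Service',
    # Management Tools
    'Web-Mgmt-Console', 'Web-Metabase', 'Web-Lgcy-Mgmt-Console',
    'Web-Lgcy-Scripting', 'Web-WMI', 'Web-Scripting-Tools', 'Web-Mgmt-Service'
)

$features = @(
    'BITS', 'BITS-IIS-Ext',   # BITS and its IIS Server Extension
    'RSAT-Bits-Server',       # BITS Server Extensions Tools (under RSAT)
    'RDC'                     # Remote Differential Compression
)

$result = Install-WindowsFeature -Name ($webServerRoles + $features) -IncludeManagementTools
if (-not $result.Success) { throw "Feature installation failed (exit code $($result.ExitCode))" }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required before continuing.' }

# Check: every requested feature must now report InstallState = Installed, which is
# the scripted equivalent of looking in the Notifications pane of Server Manager.
$missing = Get-WindowsFeature -Name ($webServerRoles + $features) |
    Where-Object { $_.InstallState -ne 'Installed' }
if ($missing) { throw "Not installed: $($missing.Name -join ', ')" }

# Request filtering: allow .msi at the server level, as in the IIS Manager step.
# Add only the extension the distribution point actually needs to serve.
Import-Module WebAdministration
$filter   = 'system.webServer/security/requestFiltering/fileExtensions'
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$existing = Get-WebConfiguration -PSPath $appHost -Filter "$filter/add[@fileExtension='.msi']"
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name '.' `
        -Value @{ fileExtension = '.msi'; allowed = 'True' }
}

# Review the resulting list so that nothing beyond the intended extension was allowed.
Get-WebConfiguration -PSPath $appHost -Filter "$filter/add" |
    Select-Object fileExtension, allowed
```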

Installing Configuration Manager

You will create a stand-alone primary site (see Determine when to use a primary site to
manage clients directly). This will allow your lab environment to support management
for the number of potential devices described in Site system scale.

During this process, you will also install the Configuration Manager console, which will
be used to manage your evaluation devices going forward.

Before you begin the installation, launch the Prerequisite Checker on the server using
Windows Server 2012 to confirm that all settings have been correctly enabled.

To download and install Configuration Manager:


1. Navigate to the Evaluation Center page to download the newest evaluation
version of Configuration Manager.

2. Decompress the download media into your predefined location.

3. Follow the installation procedure listed at Install a site using the Configuration
Manager Setup Wizard. Within that procedure, you will input the following:

Step in site installation procedure: Selection

Step 4: Product Key page
   Select Evaluation.

Step 7: Prerequisite Downloads
   Select Download required files and specify your predefined location.

Step 10: Site and Installation Settings
   - Site code: LAB
   - Site name: Evaluation
   - Installation folder: specify your predefined location.

Step 11: Primary Site Installation
   Select Install the primary site as a stand-alone site, then click Next.

Step 12: Database Installation
   - SQL Server name (FQDN): input your FQDN here.
   - Instance name: leave this blank, as you will use the default instance of SQL Server
     that you previously installed.
   - Service Broker Port: leave as the default port of 4022.

Step 13: Database Installation
   Leave these settings as default.

Step 14: SMS Provider
   Leave these settings as default.

Step 15: Client Communication Settings
   Confirm that All site system roles accept only HTTPS communication from clients is not
   selected.

Step 16: Site System Roles
   Input your FQDN and confirm that your selection of All site system roles accept only
   HTTPS communication from clients is still deselected.

Enable publishing for the Configuration Manager site

Each Configuration Manager site publishes its own site-specific information to the
System Management container within its domain partition in the Active Directory
schema. Bidirectional channels for communication between Active Directory and
Configuration Manager must be opened to handle this traffic. You will also enable
Forest Discovery to determine certain components of your Active Directory and
network infrastructure.

To configure Active Directory forests for publishing:


1. In the bottom-left corner of the Configuration Manager console, click
Administration.

2. In the Administration workspace, expand Hierarchy Configuration, then click
Discovery Methods.

3. Select Active Directory Forest Discovery and click Properties.

4. In the Properties dialog box, select Enable Active Directory Forest Discovery.
Once this is active, select Automatically create Active Directory site boundaries
when they are discovered. A dialog box will appear that states Do you want to
run full discovery as soon as possible? Click Yes.

5. In the Discovery Method group at the top of the screen, click Run Forest
Discovery Now, then navigate to Active Directory Forests in the sidebar. Your
Active Directory forest should be shown in the list of discovered forests.

6. Navigate to the top of the screen, to the General tab.


7. In the Administration workspace, expand Hierarchy Configuration, then click
Active Directory Forests.

To enable a Configuration Manager site to publish site information to your Active
Directory forest:

1. In the Configuration Manager console, click Administration.

2. You will configure a new forest that has not yet been discovered.

3. In the Administration workspace, click Active Directory Forests.

4. On the Publishing tab of the site properties, select your connected forest, then
click Ok to save the configuration.
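An added example, not part of this article, that applies the forest discovery settings from the steps above with the ConfigurationManager PowerShell module and checks the result. It assumes the module is on the console machine, uses the site code LAB from this lab, and leaves publishing to be enabled on the Publishing tab as described above.

```powershell
# Added example (not from the Configuration Manager documentation): enable Active
# Directory Forest Discovery with automatic site boundary creation, run it now,
# and confirm that the forest was discovered. Assumes the ConfigurationManager
# module installed with the console and the site code LAB used in this lab.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
$siteCode = 'LAB'
Set-Location "${siteCode}:"

# Equivalent of selecting Enable Active Directory Forest Discovery and
# Automatically create Active Directory site boundaries when they are discovered.
Set-CMDiscoveryMethod -ActiveDirectoryForestDiscovery -SiteCode $siteCode `
    -Enabled $true -EnableActiveDirectorySiteBoundaryCreation $true

# Equivalent of Run Forest Discovery Now, instead of waiting for the polling schedule.
Invoke-CMForestDiscovery -SiteCode $siteCode

# Check: the local forest should appear under Active Directory Forests. Discovery is
# asynchronous, so if nothing is listed yet, review ADForestDisc.log on the site server.
$forests = Get-CMActiveDirectoryForest
if (-not $forests) {
    throw 'No Active Directory forest has been discovered yet; check ADForestDisc.log on the site server.'
}
$forests | Select-Object ForestFQDN, Description

# Publishing to the System Management container is still enabled per forest on the
# Publishing tab of the site properties, as in the console steps above.
```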

Create a Configuration Manager lab in Azure
Article • 10/04/2022

Applies to: Configuration Manager (current branch, technical preview branch)

This guide describes how to build a Configuration Manager lab environment in
Microsoft Azure. It uses Azure templates to simplify and automate the creation of a lab
using Azure resources. Two Azure templates are provided:

Configuration Manager technical preview Azure template installs the latest version
of the Configuration Manager technical preview branch.
Configuration Manager current branch Azure template installs the evaluation of
the latest version of Configuration Manager current branch.

For more information, see Configuration Manager on Azure.

Prerequisites
This process requires an Azure subscription in which you can create the following
objects:

Two Standard_B2s virtual machines for domain controller, management point, and
distribution point.
Zero to three virtual machines for client devices.
One Standard_B2ms virtual machine for the primary site server and the SQL Server
database server
If you choose to create a hierarchy, one other Standard_B2ms virtual machine for
the central administration site.
Standard_LRS storage account.

Tip

To help determine potential costs, see the Azure pricing calculator .

Process
1. Go to the Configuration Manager technical preview template or Configuration
Manager current branch template .
2. Select Deploy to Azure, which opens the Azure portal.

3. Complete the Azure quickstart template with the following information:

Basics

Subscription: The name of the subscription in which to create the VMs

Resource group: Select a resource group to use for these VMs

Location: Select an Azure data center to host this lab environment

Settings

Prefix: The prefix name of the machines. For more information, see Azure
VM info.

Admin Username: The name of a user on the VMs with administrative rights. You use
this user to sign in to the VMs.

Admin Password: The password must meet the Azure complexity requirements. For more
information, see adminPassword.

Configuration: You can choose "Standalone" or "Hierarchy". This setting is available
for the current branch template only.

Important

The following settings are required by Azure. Use the default values. Don't
change these values.

_artifacts Location: The location of the scripts for this template

_artifacts Location Sas Token: The sasToken is required to access the artifacts
location

Location: The location for all resources

Note

If you edited the Azure template before you deployed it, then you need to
change the _artifactsLocation value.

For the technical preview template, the value is
https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/application-workloads/sccm/sccm-technicalpreview/azuredeploy.json

For the current branch template, the value is
https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/application-workloads/sccm/sccm-currentbranch/azuredeploy.json

4. Read the terms and conditions. If you agree, select I agree to the terms and
conditions stated above. Then select Purchase to continue.

Azure validates the settings, and then begins the deployment. Check the status of the
deployment in the Azure portal.
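The same deployment scripted with the Az PowerShell module, as an added example that is not part of this article. It uses the current branch template URL from the note above (without the fanyv88.com proxy prefix that the exported text shows) and assumes the resource group name, region, admin user name, and the template parameter names prefix, adminUsername, adminPassword and configuration; the script prints the template's declared parameters first so those names can be confirmed.

```powershell
# Added example (not from the Configuration Manager documentation): deploy the
# current branch lab template with Az PowerShell, check the deployment state, and
# confirm that the public IPs only accept RDP on TCP 3389 as the article describes.
# Assumptions: Az.Resources and Az.Network are installed and Connect-AzAccount has
# been run; parameter names below are assumed and should be checked against the
# list the script prints from the template.
$resourceGroup = 'cm-lab-rg'   # assumed resource group name
$location      = 'eastus'      # assumed Azure region
$templateUri   = 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/application-workloads/sccm/sccm-currentbranch/azuredeploy.json'

# Read the template's declared parameters before deploying, so the names and
# allowed values used below can be verified against the actual template.
$template = Invoke-RestMethod -Uri $templateUri
$template.parameters.PSObject.Properties |
    ForEach-Object { '{0}: {1}' -f $_.Name, $_.Value.type }

# Never embed the admin password in a script; prompt for it as a SecureString.
$adminPassword = Read-Host -Prompt 'Admin password (must meet Azure complexity rules)' -AsSecureString

New-AzResourceGroup -Name $resourceGroup -Location $location -Force | Out-Null

# _artifactsLocation is left at its default, as the article requires when the
# template has not been edited.
$deployment = New-AzResourceGroupDeployment -Name 'cm-lab' -ResourceGroupName $resourceGroup `
    -TemplateUri $templateUri `
    -TemplateParameterObject @{
        prefix        = 'contoso'       # VM name prefix, see "Azure VM info"
        adminUsername = 'cmlabadmin'    # assumed parameter name and value
        adminPassword = $adminPassword  # assumed parameter name
        configuration = 'Standalone'    # current branch template only
    }

# ProvisioningState covers only the ARM deployment; the configuration scripts keep
# running for hours afterwards, so do not restart the VMs when this shows Succeeded.
$deployment.ProvisioningState

# Check the inbound rules: only TCP 3389 should be allowed from the internet.
Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup |
    ForEach-Object { $_.SecurityRules } |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' } |
    Select-Object Name, Protocol, DestinationPortRange, SourceAddressPrefix
```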

Note

The process can take 2-4 hours. Even when the Azure portal shows successful
deployment, configuration scripts continue to run. Don't restart the VMs during the
process.

To see the status of the configuration scripts, connect to the <prefix>PS01 server, and
view the following file: %windir%\TEMP\ProvisionScript\PS01.json . If it shows all steps as
complete, the process is done.

Note

When you use the current branch template, it uses the CAS.json file at the same
location on the <prefix>CS01 server.

To connect to the VMs, first get from the Azure portal the public IP addresses for each
VM. When you connect to the VM, the domain name is contoso.com . Use the credentials
that you specified in the deployment template. For more information, see How to
connect and log on to an Azure virtual machine running Windows.

Azure VM info
All VMs have the following specifications:
150 GB of disk space
Both a public and private IP address. The public IPs are in a network security group
that only allows remote desktop connections on TCP port 3389.

The prefix that you specified in the deployment template is the VM name prefix. For
example, if you set "contoso" as the prefix, then the domain controller machine name is
contosoDC .

<prefix>DC01

- Active Directory domain controller
- Standard_B2s, which has two processors and 4 GB of memory
- Windows Server 2022 Datacenter edition
- Windows features and roles:
  - Active Directory Domain Services (ADDS)
  - .NET
  - Remote Differential Compression (RDC)

<prefix>PS01

- Standard_B2ms, which has two processors and 8 GB of memory
- Windows Server 2019 Datacenter edition
- SQL Server
- Windows 10 ADK with Windows PE
- Configuration Manager primary site
- Windows features and roles:
  - .NET
  - Remote Differential Compression (RDC)
  - Internet Information Service (IIS)

<prefix>DPMP01

- Standard_B2s, which has two processors and 4 GB of memory
- Windows Server 2019 Datacenter edition
- Distribution point
- Management point
- Windows features and roles:
  - .NET
  - Remote Differential Compression (RDC)
  - Internet Information Service (IIS)
  - Background Intelligent Transfer Service (BITS)

<prefix>CL01

- Only for Configuration Manager current branch evaluation template
- Windows 10
- Configuration Manager client

Technical preview for Configuration Manager
Article • 07/31/2023

Applies to: Configuration Manager (technical preview branch)

This article provides details about the monthly technical preview branch of
Configuration Manager. The technical preview introduces new functionality that
Microsoft is working on. It introduces new features that aren't yet included in the
current branch of Configuration Manager. These features might eventually be included
in an update to the current branch. Before we finalize the features, we want you to try
them out and give us feedback.

Because this release is a technical preview, details and functionality are subject to
change.

This information applies to all versions of the Configuration Manager technical preview
branch. This article lists each new feature along with the technical preview version in
which it first appears. For example, version 2201 for January ( 01 ) of 2022 ( 22 ). Separate
articles dedicated to each preview version detail the individual features.

For information about what's new in the current branch of Configuration Manager, see
What's new in Configuration Manager incremental versions.

Tip

You can use RSS to be notified when this page is updated. For more information,
see How to use the docs.

Requirements and limitations

Important

The technical preview is licensed for use only in a lab environment. Microsoft may
not provide support services and certain features may not be available in technical
previews. Additionally, technical preview software may have reduced or different
security, privacy, accessibility, availability, and reliability standards relative to
commercially provided software.

For most product prerequisites, use the information in Supported configurations.
The following exceptions apply to the technical preview branch:

Each install is active for 180 days before it becomes inactive.

English is the only language supported.

It only supports the following setup command-line parameters:

/silent
/testdbupgrade

The service connection point installs to online mode. It doesn't support offline
mode.

Note

You may need to allow specific internet URLs, some of which are specific to
the technical preview branch. For more information, see Internet access
requirements.

The separate articles for each specific version of the technical preview include
additional limitations or requirements, as applicable.

The following features aren't supported with the technical preview branch:

Migration to or from this preview branch.

Upgrade to this preview branch.

Site recovery from the cd.latest folder.

There's no support for updating to current branch from this preview branch.

Note

When updates are available for a preview version, you still find and install
them from the Updates and Servicing node of the Configuration Manager
console. For a video of the in-console upgrade process, see Installing
Configuration Manager update packages on youtube.com.

It only supports a standalone primary site. There's no support for a central
administration site, multiple primary sites, or secondary sites.

The technical preview branch of Configuration Manager supports the following products
and technologies:

Unless otherwise noted, the technical preview branch supports the same versions
of SQL Server as the current branch. For more information, see Supported SQL
Server versions.

The site supports up to 10 clients, which can run any supported client OS version.

Note

The inclusion of these products in this content doesn't imply an extension of
support for a version that's beyond its support lifecycle. Configuration Manager
doesn't support products that are beyond their support lifecycle. For more
information, see Microsoft Lifecycle Policy.

Install and update

The Configuration Manager technical preview branch for lab use is distinct from the
Configuration Manager current branch for production use.

First install a baseline version of the technical preview branch. After installing a baseline
version, then use in-console updates to bring your installation up to date with the most
recent preview version. Typically, new versions of the technical preview are available
each month.

Microsoft supports each technical preview version up until three successive versions are
available. For example, when version 1908 released, version 1904 was no longer in
support. Versions 1905, 1906, and 1907 remained in support. When a baseline falls out
of support, it's still supported for installing a new technical preview site, assuming you
immediately update to a supported version. The older baseline is supported until a new
baseline version is available. Update to the latest available version from the baseline,
and then repeat the update process until you install the latest technical preview version.

Tip

When you install an update to the technical preview, you update your preview
installation to that new technical preview version. A technical preview installation
never has the option to upgrade to a current branch installation. It also never
receives updates from the current branch release.
Several times throughout the year, there are technical preview branch and current
branch versions with the same version number. For example, there is a technical
preview version 2006 and a current branch version 2006.

Active baseline versions

Install a baseline version for up to one year after its release. When you install a new
technical preview site, use the latest baseline version:

Technical preview version 2305

Download a baseline version from the Evaluation Center .

Providing feedback
We love to hear your feedback about the new features in the technical preview. For
more information, see Product feedback.

If you have ideas about new features you would like to see, let us know! Submit new
ideas and vote on the ideas by others: Feedback for Configuration Manager .

Features in the most recent version

The following features are available with the most recent Configuration Manager
technical preview version:

Technical preview version 2307


Windows 11 Edition Upgrade using Configuration Manager policy settings
Windows 11 Upgrade Readiness Dashboard
Option to schedule scripts' runtime
External service notification Run details from Azure Logic application
Maintenance window creation using PS cmdlet
Update Orchestrator Service (USO) for Windows 11 22H2 or later with windows
native reboot experience

Note

Features that were available in a previous version of the technical preview remain
available in later versions. Similarly, features that are added to the Configuration
Manager current branch remain available in the technical preview branch.

Features in recent technical previews

The following features were released with previous versions of the Configuration
Manager technical preview branch since the latest current branch version:

Tip

When a new current branch version is available, features that are available in that
version are listed in the latest What's new article. For more information, see What's
new in incremental versions.

Technical preview version 2305

OSD preferred MP option for PXE boot scenario
New Site Maintenance task "Delete Aged Task Execution Status Messages" is now
available on primary servers to clean up data older than 30 days or configured
number of days
CMG creation using 3rd PartyApp via Console
CMG creation using 3rd Party ServerApp via PowerShell
Attack Surface Reduction (ASR) capability now marks Server SKU as compliant only
after enforcement
Enhancing security for External service notifications URL
Enable Bitlocker through ProvisionTS
Client certificate state in console (self-signed) to match state in control panel (PKI)

Technical preview version 2303


SQL Server 2022 version support added for Configuration Manager
Dark theme extended to one customer voice (OCV) wizard
Prerequisites for the site server roles now include ODBC driver for SQL Server

Technical preview version 2302


Dark theme extended to delete secondary site wizard
Enable Windows features introduced via Windows servicing that are off by default

Technical preview version 2301

Removing Microsoft Store for Business and Education new config capability
Update to the default value of supersedence age in months for software updates
Microsoft Configuration Manager product branding
Improvements to Cloud Sync (Collections to Azure Active Directory Group
Synchronization) feature

Technical preview version 2211


Authorization failure message in admin service now shown in Status message
viewer
Network Access Account (NAA) account usage alert
Improvements to Cloud Sync (Collections to Azure Active Directory Group
Synchronization) feature

Technical preview version 2210


Featured Apps in Software Center

Technical preview version 2209


Improvements to the console
Improvements to the dark theme
Other Updates

Technical preview version 2208


Intune RBAC for tenant attached devices
Dark theme is now extended to additional dashboards

Technical preview version 2207


Distribution point content migration
Improvements to Configuration Manager policies for Microsoft Defender
Application Guard
PowerShell release notes preview

Technical preview version 2206


Default site boundary group behavior to support cloud source selection
PowerShell release notes preview

Technical preview version 2205


Offset for reoccurring monthly maintenance window schedules
Improvements to cloud management gateway (CMG) workflow
Script execution timeout for compliance settings
Microsoft Defender for Endpoint onboarding for Windows Server 2012 R2 and
Windows Server 2016
PowerShell release notes preview

Technical preview version 2204


Administration Service Management option
Folders for automatic deployment rules (ADRs)

Technical preview version 2203


Dark theme for the console
Escrow BitLocker recovery password to the site during a task sequence
PowerShell release notes preview

Technical preview version 2202


Delete collection references
Pre-download content for available software updates
Added folder support for nodes in the Software Library
New client health checks
Improvements to implicit uninstall
Improvements for sending feedback
Improvements to Management Insights
Improvements to dashboards
ADR scheduling improvements for deployments
Console improvements
PowerShell release notes preview

Next steps
For more information, see the following articles:
Evaluate Configuration Manager in a lab
What's new in Configuration Manager incremental versions
Introduction to Configuration Manager

Tip

For more information on current branch features that require consent to enable,
see pre-release features.

For more information on current branch features that you must enable first, see
Enable optional features from updates.

Features in Configuration Manager technical preview version 2307
Article • 07/28/2023

Applies to: Configuration Manager (technical preview branch)

This article introduces the features that are available in the technical preview for
Configuration Manager, version 2307. Install this version to update and add new
features to your technical preview site.

Review the technical preview article before installing this update. That article familiarizes
you with the general requirements and limitations for using a technical preview, how to
update between versions, and how to provide feedback.

The following sections describe the new features to try out in this version:

Windows 11 Edition Upgrade using Configuration Manager policy settings

Administrators can now create a policy using edition upgrade in Configuration Manager
to update the Windows 11 edition.

Windows 11 Upgrade Readiness Dashboard

Administrators can use this dashboard to devise their Windows 11 upgrade strategy and
discover which devices in the organization are ready for a Windows 11 upgrade. The
dashboard also provides a count by installed feature update version and a view of all
Windows devices in the organization. Administrators can create a collection of devices
that are ready for a Windows 11 upgrade and roll out feature updates to them.

The following four charts are offered in this dashboard:

- Windows Device Information: shows the count of Windows 7, 8, 10 and 11 devices in
  your organization.
- Feature Update Version: shows the count of each feature update version in your
  organization.
- Upgrade Experience Indicators: shows information for each device, which can be in
  any of these states:
  - Cannot Upgrade (red): devices that cannot be upgraded to Windows 11.
  - App Upgrade/Uninstall required (yellow): devices that need an application update
    or uninstall before upgrading to Windows 11.
  - App/Driver upgrade required (orange): devices that need an application upgrade to
    Windows 11.
  - Ready for Upgrade (green): devices that are capable of a Windows 11 upgrade.
- Windows 11 Minimum Hardware Requirement: shows the minimum hardware and software
  requirements needed to support Windows 11.

Option to schedule scripts' runtime


The Run Script wizard now offers a scheduling option which enables administrators to
schedule the future execution time of the scripts. It provides a convenient way to
automate the running of scripts on managed devices according to specified schedules.

External service notification Run details from Azure Logic application

This integration enables the monitoring and management of Azure Logic App
notifications directly within the Configuration Manager console, providing a centralized
location for tracking critical events, taking appropriate actions, and maintaining a high
level of operational efficiency.

Note

To use this feature, a valid Azure AD web app is required. Deploy the Azure
services for Administration service management under
\Administration\Overview\Cloud Services\Azure Services. If the service is already
deployed, the admin can use the existing web application to view Run details from the
Azure logic app.

View Status wizard

Known issue: An unexpected error can occur while configuring the Azure service
web app for Administration service management. It can be ignored, as it doesn't
affect the service creation.

Maintenance window creation using PS cmdlet

Maintenance windows are recurring periods of time when the Configuration Manager
client can run tasks. The PowerShell cmdlet New-CMMaintenanceWindow is used to create
a maintenance window for a collection. Previously, the Offset parameter could be set
only between 0 and 4. It can now be set between 0 and 7.

Update Orchestrator Service (USO) for Windows 11 22H2 or later with Windows native
reboot experience

When installing software updates from Configuration Manager, administrators can now
choose to use the native Windows Update restart experience. To use this feature, client
devices must be running Windows build 22H2 or later. In the Computer Restart client
device settings, ensure that Windows is selected as the restart experience. Branding
information is included in the Windows restart notification for updates that require a
restart.

Steps to enable Client settings

Reboot Notification

Next steps
For more information about installing or updating the technical preview branch, see
Technical preview.

For more information about the different branches of Configuration Manager, see
Which branch of Configuration Manager should I use?.

Features in Configuration Manager technical preview version 2305
Article • 05/25/2023

Applies to: Configuration Manager (technical preview branch)

This article introduces the features that are available in the technical preview for
Configuration Manager, version 2305. Install this version to update and add new
features to your technical preview site.

Review the technical preview article before installing this update. That article familiarizes
you with the general requirements and limitations for using a technical preview, how to
update between versions, and how to provide feedback.

The following sections describe the new features to try out in this version:

OSD preferred MP option for PXE boot scenario

The Preferred Management Point (MP) option now allows PXE clients to communicate with
an initial lookup MP and receive the list of MPs to be used for further communication.
When the option is enabled, an MP can redirect the PXE client to another MP, based on
the client's location in the site boundaries.

New Site Maintenance task "Delete Aged Task Execution Status Messages" is now
available on primary servers to clean up data older than 30 days or a configured
number of days

You can enable this feature by using the Site Maintenance Window or a PowerShell
cmdlet. By default, it's set to run on Saturday and delete data older than 30 days. It
does so by cleaning up the [dbo].TaskExecutionStatus table.

Example: Set-CMSiteMaintenanceTask -Sitecode "XXX" -MaintenanceTaskName "Delete Aged Task Execution Status Messages" -DaysOfWeek Friday
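An added example, not part of this article, that enables the task with a non-default retention and reads the settings back; it assumes the ConfigurationManager module is loaded on a console machine, uses the placeholder site code XXX from the example above, and the 14-day retention is an assumed value.

```powershell
# Added example (not from the Configuration Manager documentation): enable the
# "Delete Aged Task Execution Status Messages" site maintenance task, change its
# schedule and retention, and confirm the stored settings instead of assuming the
# call succeeded. Assumes the ConfigurationManager module is loaded and the
# current location is the site drive; XXX is the placeholder site code from above.
$siteCode = 'XXX'
$taskName = 'Delete Aged Task Execution Status Messages'

# Run on Friday and keep 14 days (assumed value) instead of the default 30.
Set-CMSiteMaintenanceTask -SiteCode $siteCode -MaintenanceTaskName $taskName `
    -Enabled $true -DaysOfWeek Friday -DeleteOlderThanDays 14

# Read the task back. It only exists on technical preview 2305 or later, so a
# missing task is reported rather than silently ignored.
$task = Get-CMSiteMaintenanceTask -SiteCode $siteCode -MaintenanceTaskName $taskName
if (-not $task) {
    throw "Task '$taskName' not found on site $siteCode; it requires technical preview 2305 or later."
}
if (-not $task.Enabled) { throw "Task '$taskName' is still disabled." }

# Show the settings the site stored (SMS_SCI_SQLTask properties).
$task | Select-Object TaskName, Enabled, DaysOfWeek, DeleteOlderThan, BeginTime, LatestBeginTime
```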

CMG creation using third-party app via console

We have deprecated the use of the first-party app for the creation of a CMG. Now, the
CMG uses a third-party server app to get bearer tokens. For CMG creation, users can
select the tenant and the app name using the Azure AD tenant name. After selecting the
tenant and app name, the sign-in button appears. Existing customers must update their
server app, as the current version doesn't have the redirect URL "http://localhost".

To update the server app, navigate to the Azure Active Directory Tenants node, select
the tenant, select the server app, then click "Update application settings".

CMG creation using third-party server app via PowerShell

To create a CMG using a third-party server app via the PowerShell cmdlet, you need to
specify the TenantID in the argument:

PowerShell cmdlet: Set-UpdateServerApplication -TenantID

If you're using an existing (non-updated) Azure AD server app, ensure that the server
app has RedirectUrl="http://localhost" added in the Azure portal and in the
AAD_Application_EX table in the database.

If you try to create the CMG before updating the RedirectUrl, you get the error
"Your server Application needs to be updated".

Run the PowerShell command Set-UpdateServerApplication to update your app, and then
try again to create the CMG.

Note

For new customers, before creating a CMG, create an Azure AD server app that contains
RedirectUrl="http://localhost". Once the redirect URL and database settings are
complete, you can run the new PowerShell cmdlet.

Attack Surface Reduction (ASR) capability now marks Server SKU as compliant only
after enforcement

Before the Attack Surface Reduction capability was available in Windows Server, rules
were marked compliant by default. Now that this rule setting is available to the Server
SKU, it's enforced through Configuration Manager, and the Server SKU is marked as
compliant for an Attack Surface Reduction rule only after enforcement of the rule.

Enhancing security for External service notifications URL

This feature avoids the risk of directing the subscription logic to an untrusted URL,
which could result in information leakage. The change prevents information from being
sent to an HTTPS URL with an untrusted certificate, so the data is protected by a
trusted SSL certificate. For a secure connection, we recommend using SSL certificates
from trusted Certification Authorities. This security feature only allows connections to
URLs that have trusted certificates.

Enable BitLocker through ProvisionTS

ProvisionTS is the task sequence that runs at the time of provisioning the device.
Escrowing the recovery key to the Configuration Manager database is now supported
using ProvisionTS. As a result, a device can escrow the key to the Configuration
Manager database immediately.

Client certificate state in console (self-signed) to match state in control panel (PKI)

For clients that have a PKI certificate, the Configuration Manager console displayed the
Client certificate property as self-signed, while the client control panel showed the
Client certificate property as PKI. Starting with this release, the Configuration
Manager console and the client control panel Client certificate property are in sync and
show the same state.

Next steps
For more information about installing or updating the technical preview branch, see
Technical preview.

For more information about the different branches of Configuration Manager, see
Which branch of Configuration Manager should I use?.

Features in Configuration Manager technical preview version 2303
Article • 03/28/2023

Applies to: Configuration Manager (technical preview branch)

This article introduces the features that are available in the technical preview for
Configuration Manager, version 2303. Install this version to update and add new
features to your technical preview site.

Review the technical preview article before installing this update. That article familiarizes
you with the general requirements and limitations for using a technical preview, how to
update between versions, and how to provide feedback.

The following sections describe the new features to try out in this version:

SQL Server 2022 version support added for Configuration Manager
Starting with technical preview 2303, support is added for SQL server 2022 RTM version.

You can use this version of SQL Server for the following sites:

A central administration site

A primary site

A secondary site

The following table identifies the recommended compatibility levels for Configuration
Manager site databases:

| SQL Server version | Supported compatibility levels | Recommended level |
|--------------------|--------------------------------|-------------------|
| SQL Server 2022    | 150, 140, 130, 120, 110        | 150               |

Dark theme extended to one customer voice (OCV) wizard
The Configuration Manager console now extends the dark theme for the one customer
voice (OCV) wizards. All 'Send a smile' and 'Send a frown' wizards will adhere to dark
theme starting in Technical Preview 2303. This is part of the ongoing effort to make dark
theme and overall admin console experience better.

To use the theme, select the arrow from the top left of the ribbon, then choose Switch
console theme. Select Switch console theme again to return to the light theme.

Known issue
Console restart is required on doing the theme switch, as the node navigation pane
might not properly render when you move to a new workspace.

Prerequisites for the site server roles now include ODBC driver for SQL Server
Starting with technical preview 2303, Configuration Manager requires the installation of
the ODBC driver for SQL server as a prerequisite. This prerequisite is required when you
create a new site or update an existing one.

Configuration Manager doesn't manage the updates for the ODBC driver. Ensure that
this component is up to date.

Next steps
For more information about installing or updating the technical preview branch, see
Technical preview.

For more information about the different branches of Configuration Manager, see
Which branch of Configuration Manager should I use?.
Features in Configuration Manager
technical preview version 2302
Article • 02/22/2023

Applies to: Configuration Manager (technical preview branch)

This article introduces the features that are available in the technical preview for
Configuration Manager, version 2302. Install this version to update and add new
features to your technical preview site.

Review the technical preview article before installing this update. That article familiarizes
you with the general requirements and limitations for using a technical preview, how to
update between versions, and how to provide feedback.

The following sections describe the new features to try out in this version:

Dark theme extended to delete secondary site wizard
The Configuration Manager console now extends the dark theme for the delete
secondary site wizard. This wizard will also have a new look for the normal theme. This is
part of the ongoing effort to make dark theme and overall admin console experience
better.
To use the theme, select the arrow from the top left of the ribbon, then choose Switch
console theme. Select Switch console theme again to return to the light theme.

Known issue
Console restart is required on doing the theme switch, as the node navigation pane
might not properly render when you move to a new workspace.

Enable Windows features introduced via Windows servicing that are off by default
To learn more about the setting "Enable Windows features introduced via Windows
servicing that are off by default", read this blog. The post describes the
Commercial control for continuous innovation in Windows. The setting for this policy is
now integrated with the Configuration Manager 2302 Technical Preview. More
information on the Commercial control timeline and the versions of Windows 11 supported
by the setting can be found in the blog.

The Windows features that the policy will control will be released in later part of 2023.
This ConfigMgr Technical Preview feature is for awareness and not for testing in
February 2023.

Next steps
For more information about installing or updating the technical preview branch, see
Technical preview.

For more information about the different branches of Configuration Manager, see
Which branch of Configuration Manager should I use?.
Migrate data between hierarchies in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use migration to transfer data from a supported source hierarchy to your Configuration
Manager (current branch) destination hierarchy. When you migrate data from a source
hierarchy:

You access data from the site databases in the source infrastructure, and then
transfer that data to your current environment.

Migration doesn't change the data in the source hierarchy. Instead it discovers the
data and stores a copy in the database of the destination hierarchy.

Consider the following points when you plan your migration strategy:

You can migrate an existing Configuration Manager 2007 SP2 infrastructure to
Configuration Manager (current branch).

You can migrate some or all of the supported data from a source site.

You can migrate the data from a single source site to several different sites in the
destination hierarchy.

You can move data from multiple source sites to a single site in the destination
hierarchy.

The following video discusses and demonstrates two common migration scenarios. It
also includes options for including Microsoft Azure in migration plans.
https://www.youtube-nocookie.com/embed/6_0EwW-5b4E

Concepts
Configuration Manager uses the following concepts and terms during migration.

Source hierarchy

A hierarchy that runs a supported version of Configuration Manager and has data that
you want to migrate. When you set up migration, you identify the source hierarchy
when you specify the top-level site of a source hierarchy. After you specify a source
hierarchy, the top-level site of the destination hierarchy gathers data from the database
of the designated source site to identify the data that you can migrate.

For more information, see Source hierarchies.

Source sites
The sites in the source hierarchy that have data that you can migrate to your destination
hierarchy.

For more information, see Source sites.

Destination hierarchy
A Configuration Manager (current branch) hierarchy where migration runs to import
data from a source hierarchy.

Data gathering
The ongoing process of identifying the information in a source hierarchy that you can
migrate to your destination hierarchy. Configuration Manager checks the source
hierarchy on a schedule. This process identifies any changes to information in the source
hierarchy that you previously migrated and that you might want to update in the
destination hierarchy.

For more information, see Data gathering.

Migration jobs
The process of configuring the specific objects to migrate, and then managing the
migration of those objects to the destination hierarchy.

For more information, see Planning a migration job strategy.

Client migration
The process of transferring information that clients use from the database of the source
site to the database of the destination hierarchy. This migration of data is then followed
by an upgrade of client software on devices to the client software version from the
destination hierarchy.

For more information, see Planning a client migration strategy.


Shared distribution points
The distribution points from the source hierarchy that Configuration Manager shares
with the destination hierarchy during the migration period.

During the migration period, clients assigned to sites in the destination hierarchy can
get content from shared distribution points.

For more information, see Share distribution points between source and destination
hierarchies.

Monitoring migration
The process of monitoring migration activities. You monitor migration progress and
success from the Migration node in the Administration workspace.

For more information, see Planning to monitor migration activity.

Stop gathering data
The process of stopping data gathering from source sites. When you no longer have
data to migrate from a source hierarchy, or if you want to pause migration-related
activities, you can configure the destination hierarchy to stop gathering data from the
source hierarchy.

For more information, see Data gathering.

Clean up migration data
The process of finishing migration from a source hierarchy by removing information
about the migration from the destination hierarchy's database.

For more information, see Planning to complete migration.

Typical workflow
To set up a workflow for migration:

1. Specify a supported source hierarchy.

2. Set up data gathering. Data gathering enables Configuration Manager to collect
information about data that can migrate from the source hierarchy.
Configuration Manager automatically repeats the process to collect data on a
simple schedule until you stop the data gathering process. By default, the data
gathering process repeats every four hours so that Configuration Manager can
identify changes to data in the source hierarchy. Data gathering is also necessary
to share distribution points.

3. Create migration jobs to migrate data between the source and destination
hierarchy.

4. You can stop the data gathering process at any time by using the Stop Gathering
Data action. When you stop data gathering, Configuration Manager no longer
identifies changes to data in the source hierarchy and can no longer share
distribution points. Typically, you use this action when you no longer plan to
migrate data or share distribution points from the source hierarchy.

5. Optionally, after data gathering has stopped at all sites for the source hierarchy,
you can clean up the migration data by using the Clean Up Migration Data action.
This action deletes the historical data about migration from a source hierarchy
from the database of the destination hierarchy.

After you migrate data, and you no longer need the source hierarchy to manage devices
in your environment, you can decommission that source hierarchy and infrastructure.

Scenarios
Configuration Manager supports the following migration scenarios:

Migration from Configuration Manager 2007 hierarchies

Migration from Configuration Manager 2012 or another Configuration Manager
hierarchy

Note

The expansion of a hierarchy that has a standalone site into a hierarchy that has a
central administration site isn't categorized as a migration. For information about
hierarchy expansion, see Expand a stand-alone primary site.

Migration from Configuration Manager 2007 hierarchies
When you use migration to migrate data from Configuration Manager 2007, you can
maintain your investment in your existing site infrastructure and gain the following
benefits:

Site database improvements
The Configuration Manager (current branch) database supports full Unicode.

Database replication between sites
Replication in Configuration Manager (current branch) is based on Microsoft SQL Server.
This behavior improves the performance of site-to-site data transfer.

User-centric management

Users are the focus of management tasks in Configuration Manager (current branch).
For example, you can distribute software to a user even if you don't know the device
name for that user. Additionally, Configuration Manager gives users much more control
over what software is installed on their devices and when that software is installed.

Hierarchy simplification

Configuration Manager (current branch) lets you build a simpler site hierarchy. This
improvement is due to the introduction of the central administration site type and
changes to the behavior of primary and secondary sites. Configuration Manager (current
branch) uses less network bandwidth and requires fewer servers than previous versions.

Role-based administration
This central security model in Configuration Manager (current branch) offers hierarchy-
wide security and management that corresponds to your administrative and business
requirements.

Note

Because of design changes that were first introduced in System Center 2012
Configuration Manager, you can't upgrade Configuration Manager 2007 to
Configuration Manager (current branch). In-place upgrade is supported from
System Center 2012 Configuration Manager to Configuration Manager (current
branch).
Migration from Configuration Manager 2012 or another
Configuration Manager hierarchy
The process of migrating data from a System Center 2012 Configuration Manager or
Configuration Manager hierarchy is the same. This process includes migrating data from
multiple source hierarchies into a single destination hierarchy. You might use this
process when your company gets additional resources that are already managed by
Configuration Manager. Additionally, you can migrate data from a test environment to
your Configuration Manager production environment. This process lets you maintain
your investment in the Configuration Manager test environment.

See also
Planning for migration to Configuration Manager

Configuring source hierarchies and source sites for migration

Operations for migration

Security and privacy for migration

Start using Configuration Manager


Plan for migration to Configuration
Manager current branch
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Before you migrate data to a Configuration Manager current branch destination
hierarchy, make sure that you are familiar with sites and hierarchies in Configuration
Manager. For more about sites and hierarchies, see Fundamentals of Configuration
Manager.

Install a Configuration Manager current branch hierarchy to be the destination hierarchy
before you migrate data from a supported source hierarchy.

After you install the destination hierarchy, set up the management features and
functions that you want to use in your destination hierarchy before you start to migrate
data.

Additionally, you might have to plan for overlap between the source hierarchy and your
destination hierarchy. For example, you might set up the source hierarchy to use the
same network locations or boundaries as your destination hierarchy, and you then install
new clients to your destination hierarchy and use automatic site assignment. In this
scenario, because a newly installed Configuration Manager client can select a site to join
from either hierarchy, the client might incorrectly assign to your source hierarchy.
Therefore, plan to assign each new client in the destination hierarchy to a specific site in
that hierarchy instead of using automatic site assignment.

For more about site assignments, see Client site assignment considerations in
Interoperability between different versions of Configuration Manager.

Use the following articles to help you plan how to migrate a supported source hierarchy
to a Configuration Manager destination hierarchy:

Prerequisites for migration

Administrator checklists for migration planning

Determine whether to migrate data to Configuration Manager current branch

Plan a source hierarchy strategy

Administrator checklists for migration planning

Plan a client migration strategy

Plan a content deployment migration strategy

Plan for the migration of Configuration Manager objects to Configuration Manager
current branch

Plan to monitor migration activity

Plan to complete migration


Prerequisites for migration in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To migrate from a supported source hierarchy, you must have access to each applicable
Configuration Manager source site, and permissions within the Configuration Manager
destination site to configure and run migration operations.

Use the information in the following sections to help you understand the versions of
Configuration Manager that are supported for migration, and the required
configurations.

Versions of Configuration Manager that are supported for migration

Source site languages that are supported for migration

Required configurations for migration

Versions of Configuration Manager that are supported for migration
You can migrate data from a source hierarchy that runs any of the following versions of
Configuration Manager:

Configuration Manager 2007 SP2. (For the purpose of migration, Configuration
Manager 2007 R2 or R3 on the source site isn't a consideration. So long as the
source site runs SP2, sites with either the R2 or R3 add-on installed are supported
for migration to Configuration Manager current branch.)

System Center 2012 Configuration Manager SP2 or System Center 2012 R2
Configuration Manager SP1.

Tip

In addition to migration, you can use an in-place upgrade of sites that run
System Center 2012 Configuration Manager to Configuration Manager current
branch.

A Configuration Manager hierarchy of the same or lesser version of Configuration
Manager.

For example, if you have a destination hierarchy that runs Configuration Manager
current branch 1606, you could use migration to copy data from a source hierarchy
that runs version 1606 or 1602. However, you couldn't migrate data from a source
hierarchy that runs 1610.

Source site languages that are supported for migration
When you migrate data between Configuration Manager hierarchies, the data is stored
in the destination hierarchy in the language neutral format for Configuration Manager.
Because Configuration Manager 2007 does not store data in a language neutral format,
the migration process must convert objects to this format during migration from
Configuration Manager 2007. Therefore, only Configuration Manager 2007 source sites
that are installed with the following languages are supported for migration:

English

French

German

Japanese

Korean

Russian

Simplified Chinese

Traditional Chinese

When you migrate data from a System Center 2012 Configuration Manager or
Configuration Manager current branch hierarchy, there are no source site language
limitations. Objects in the source site database are already in a language neutral format.

Required configurations for migration
The following are required configurations for using migration and migration operations:

To configure, run, and monitor migration in the Configuration Manager console:

In the destination site, your account must be assigned the role-based
administration security role of Infrastructure Administrator. This security role
grants permissions to manage all migration operations, which includes the creation
of migration jobs, clean up, monitoring, and the action to share and upgrade
distribution points.

Data Gathering:

To enable the destination site to gather data, you must configure the following two
source site access accounts for use with each source site:

Source Site Account: This account is used to access the SMS Provider of the
source site.

For a Configuration Manager 2007 SP2 source site, this account requires
Read permission to all source site objects.

For a System Center 2012 Configuration Manager or Configuration Manager
current branch source site, this account requires Read permission to all
source site objects. You grant this permission to the account by using role-
based administration. For information about how to use role-based
administration, see Fundamentals of role-based administration for
Configuration Manager.

Source Site Database Account: This account is used to access the SQL Server
database of the source site and requires Connect, Execute, and Select
permissions to the source site database.

You can configure these accounts when you configure a new source hierarchy, data
gathering for an additional source site, or when you reconfigure the credentials for
a source site. These accounts can use a domain user account, or you can specify
the computer account of the top-level site of the destination hierarchy.

Important

If you use the Configuration Manager computer account for either access
account, ensure that this account is a member of the security group
Distributed COM Users in the domain where the source site resides.

When gathering data, the following network protocols and ports are used:

NetBIOS/SMB - 445 (TCP)

RPC (WMI) - 135 (TCP & UDP)

Dynamic RPC. Dynamic ports use a range of port numbers that are defined by
the OS version. These ports are also known as ephemeral ports. For more
information about the default port ranges, see Service overview and network
port requirements for Windows.

SQL Server - The TCP ports in use by both the source and destination site
databases.

Migrate Software Updates:

Before you migrate software updates, you must configure the destination hierarchy
with a software update point. For more information, see Planning to migrate
software updates.

Share distribution points:

To successfully share any distribution points from a source site, at least one
primary site or the central administration site in the destination hierarchy must use
the same port numbers for client requests as the source site. For information about
client request ports, see How to configure client communication ports.

For each source site, only the distribution points that are installed on site system
servers that are configured with a FQDN are shared.

In addition, to share a distribution point from a System Center 2012 Configuration
Manager or Configuration Manager current branch source site, the Source Site
Account (which accesses the SMS Provider for the source site server) must have
Modify permissions to the Site object on the source site. You grant this permission
to the account by using role-based administration. For information about how to
use role-based administration, see Fundamentals of role-based administration for
Configuration Manager.

Upgrade or reassign distribution points:

The Source Site Access Account configured to gather data from the SMS Provider
of the source site must have the following permissions:

To upgrade a Configuration Manager 2007 distribution point, the account
requires Read, Execute, and Delete permissions to the Site class on the
Configuration Manager 2007 site server to successfully remove the distribution
point from the Configuration Manager 2007 source site.

To reassign a System Center 2012 Configuration Manager or Configuration
Manager current branch distribution point, the account must have Modify
permission to the Site object on the source site. You grant this permission to the
account by using role-based administration. For information about how to use
role-based administration, see Fundamentals of role-based administration for
Configuration Manager.

To successfully upgrade or reassign a distribution point to a new hierarchy, the
ports that are configured for client requests at the site that manages the
distribution point in the source hierarchy must match the ports that are
configured for client requests at the destination site that will manage the
distribution point. For information about client request ports, see How to
configure client communication ports.
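As an added example, not part of the original article, the following PowerShell script checks the data-gathering prerequisites above from the destination top-level site server: reachability of the SMB, RPC endpoint mapper and SQL Server ports on the source site, and membership of the destination site's computer account in the Distributed COM Users group. The host names, the SQL port, the domain name and the computer account name are placeholders, and the group is assumed to be the domain built-in group that the article refers to.

```powershell
# Pre-migration readiness check (example, not Microsoft's code).
# Assumptions (placeholders): SRC-SITE01 is the source site server, SRC-SQL01 hosts
# the source site database on TCP 1433, DST-CAS01$ is the computer account of the
# destination top-level site, and corp.contoso.com is the domain of the source site.
# Requires the ActiveDirectory module (RSAT) on the machine that runs the script.
param(
    [string]$SourceSiteServer       = 'SRC-SITE01',
    [string]$SourceSqlServer        = 'SRC-SQL01',
    [int]   $SourceSqlPort          = 1433,
    [string]$DestinationSiteAccount = 'DST-CAS01$',
    [string]$SourceDomain           = 'corp.contoso.com'
)

$results = @()

# Static TCP ports listed in the article: SMB 445 and the RPC endpoint mapper 135.
# UDP 135 and the dynamic RPC (ephemeral) range are not probed here because
# Test-NetConnection only performs a TCP connect; a failure on 135/TCP already
# means WMI data gathering cannot work.
$checks = @(
    @{ Name = 'SMB 445/TCP';            Computer = $SourceSiteServer; Port = 445 },
    @{ Name = 'RPC/WMI 135/TCP';        Computer = $SourceSiteServer; Port = 135 },
    @{ Name = "SQL $SourceSqlPort/TCP"; Computer = $SourceSqlServer;  Port = $SourceSqlPort }
)

foreach ($c in $checks) {
    $probe = Test-NetConnection -ComputerName $c.Computer -Port $c.Port `
                                -WarningAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = $c.Name
        Target = $c.Computer
        Passed = [bool]$probe.TcpTestSucceeded
    }
}

# The article requires the computer account, when it is used as a source site access
# account, to be a member of Distributed COM Users in the source site's domain.
# SamAccountName of a computer account ends with '$', so compare against that form.
$dcomMembers = Get-ADGroupMember -Identity 'Distributed COM Users' -Server $SourceDomain -Recursive |
    Select-Object -ExpandProperty SamAccountName

$results += [pscustomobject]@{
    Check  = 'Distributed COM Users membership'
    Target = $DestinationSiteAccount
    Passed = ($dcomMembers -contains $DestinationSiteAccount)
}

$results | Format-Table -AutoSize

# Non-zero exit code lets the script gate a migration runbook.
if ($results.Passed -contains $false) {
    Write-Warning 'One or more migration prerequisites are not met.'
    exit 1
}
exit 0
```

If your environment relies on the local Distributed COM Users group on the source site server instead of the domain built-in group, replace the Get-ADGroupMember call with Get-LocalGroupMember run on that server.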
Administrator checklists for migration
planning in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the following administrator checklists to help you plan your migration strategy to
Configuration Manager current branch.

Administrator checklist for migration planning
Use the following checklist for pre-migration planning steps.

Assess the current environment:

Identify existing business requirements that are met by the source hierarchy and
develop plans to continue to meet those requirements in the destination hierarchy.

Review the functionality and changes that are available with the version of
Configuration Manager that you use, and use this information to help you
design your destination hierarchy:

For more information, see Fundamentals of Configuration Manager and What's
new.

Determine the administrative security model to use for role-based
administration:

For more information, see Fundamentals of role-based administration for
Configuration Manager.

Assess your network and Active Directory topology:

Review your existing domain structure and network topology and consider how
this influences your hierarchy design and migration tasks.

Finalize your destination hierarchy design:

Decide upon the placement of a central administration site, primary sites,
secondary sites, and content distribution options.

Map your hierarchy to the computers that you will use for sites and site servers
in the destination hierarchy:
Identify the computers that sites and site system servers will use in the destination
hierarchy, and then ensure that they have sufficient capacity to meet existing and
future operational requirements.

Plan your object migration strategy:

Plan to use the available migration jobs to migrate different objects, including site
boundaries, collections, advertisements, and deployments. For more information,
see Types of migration jobs in Planning a migration job strategy

Configuration Manager migrates only the objects that you select. Any objects that
are not migrated and that are required in the destination hierarchy must be re-
created in the destination hierarchy.

Objects that can migrate are displayed when you configure migration jobs.

Plan your client migration strategy:

Plan to migrate clients by using a controlled approach that limits the network
bandwidth and server processing requirements when you migrate clients to the
destination hierarchy. For more about planning a client migration strategy, see
Planning a client migration strategy.

Plan for inventory and compliance data:

Configuration Manager does not support migrating hardware inventory, software
inventory, or desired configuration management compliance data for software
updates or clients.

Instead, after the client migrates to its new site in the destination hierarchy and
receives policy for these configurations, the client submits this information to its
assigned site. This action populates the destination site database with current
inventory and compliance data.

Plan for the completion of migration from the source hierarchy:

Decide when objects and clients will be migrated. After migration completes, you
can plan to decommission the site servers in the source hierarchy.

Administrator checklist for hierarchy migration
Use the following checklist to help you plan a destination hierarchy before you start
migration.

Identify the computers to use in the destination hierarchy:
Configuration Manager does not support an in-place upgrade from Configuration
Manager 2007 infrastructure. Instead you use migration to move data from
Configuration Manager 2007 to Configuration Manager current branch. This
requires you to use a side-by-side deployment and install Configuration Manager
on new computers.

Similarly, when you migrate from another Configuration Manager hierarchy, you
must install a new destination hierarchy that is a side-by-side deployment to your
source hierarchy.

Create your destination hierarchy:

To prepare for migration, install and configure a Configuration Manager
destination hierarchy that includes a primary site. For example:

Install a central administration site and then install at least one child primary.

Install a stand-alone primary if you do not plan to use a central administration
site.

If you want to migrate information that is related to software updates, configure
a software update point in the destination hierarchy and synchronize software
updates:

You must configure and synchronize software updates in the destination hierarchy
before you can migrate software updates information from the source hierarchy.

Install and configure additional site system roles in the destination hierarchy:

Configure additional site system roles and site systems that you require.

Check operational functionality in the destination hierarchy:

Check the following:

If the destination hierarchy includes multiple sites, confirm that database
replication is working between sites. Database replication is not applicable to
stand-alone primary sites.

Check that all installed site system roles are operational.

Check that the Configuration Manager clients you install to the destination
hierarchy can communicate successfully with their assigned site.

Administrator checklist for migration
Use the following checklist to migrate data from the source hierarchy to the destination
hierarchy.

Enable migration in the destination hierarchy:

Configure a source hierarchy by specifying the top-level site of the source
hierarchy. For more about specifying the source site, see Planning a source
hierarchy strategy.

When the source hierarchy runs Configuration Manager 2007 SP2, select and
configure additional sites in the source hierarchy:

For each additional site in the Configuration Manager 2007 SP2 source hierarchy
that you want to collect data from, you must configure credentials for data
gathering. When you configure each source site, the data-gathering process
begins immediately and continues throughout the migration period until you stop
data gathering for that site. Data gathering ensures that you can migrate objects
from the source hierarchy that are updated or added after a previous data-
gathering process.

Note

When the source hierarchy runs System Center 2012 Configuration Manager
or later, you do not need to configure additional source sites.

Configure distribution point sharing:

You can share distribution points between the two hierarchies to make content for
objects that you migrate available to clients in the destination hierarchy. This
ensures that the same content remains available for clients in both hierarchies and
that you can maintain this content until you stop gathering data and finish the
migration.

For information about shared distribution points, see Share distribution points
between source and destination hierarchies in Planning a content deployment
migration strategy.

Create and run migration jobs to migrate objects associated with the clients in
the source hierarchy:

Create migration jobs to migrate objects between hierarchies. The required
configurations for each migration job can vary depending on what data the job
migrates.
For example, when you migrate content, regardless of the migration job you use,
you must assign a site in the destination hierarchy to own management of that
content. The assigned site will access the original source file location for the
content and is responsible for distributing that content to distribution points in the
destination hierarchy.

For more information, see Create and edit migration jobs for Configuration
Manager in Operations for migrating to Configuration Manager current branch.

Migrate clients to the destination hierarchy:

The process of migrating clients depends on your migration scenario:

When you migrate clients that have a client version that is not the same as the
destination hierarchy, you must upgrade the client software. Upgrade requires
the removal of the current Configuration Manager client, followed by the
installation of the new client version that matches the destination site.

When you migrate clients that have a client version that matches the version of
the destination hierarchy, the client does not upgrade or reinstall. Instead, the
client reassigns to a primary site in the destination hierarchy.

When you migrate a client to the destination hierarchy, the client is associated with
its data that you previously migrated to that destination hierarchy.

For more information, see Planning a client migration strategy.

Upgrade or reassign shared distribution points:

When you no longer have to support clients in your source hierarchy, you can
upgrade shared distribution points from a Configuration Manager 2007 source
site, or reassign shared distribution points from a System Center 2012
Configuration Manager or Configuration Manager current branch source site.
When you upgrade or reassign a distribution point, the site system role transfers to
a primary site in the destination hierarchy and the distribution point is removed
from the source site in the source hierarchy. When you upgrade or reassign a
shared distribution point, the content remains on the distribution point computer
and you do not have to redeploy the content to new distribution points in the
destination hierarchy.

You can also upgrade a distribution point that is co-located on a Configuration
Manager 2007 secondary site server. This removes the secondary site and results in
only a distribution point in the destination hierarchy.

For information about shared distribution points, see Share distribution points
between source and destination hierarchies in Planning a content deployment
migration strategy.

Finish migration:

After you have migrated data and clients from all sites in the source hierarchy and
you have upgraded applicable distribution points, you can finish migration. To
finish migration you stop gathering data for each source site in the source
hierarchy. You can then remove migration information that you do not need and
decommission your source hierarchy infrastructure. For more information, see
Planning to complete migration.

Determine whether to migrate data to Configuration Manager current branch
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

In Configuration Manager current branch, migration provides a process for transferring
data and configurations that you've created from supported versions of Configuration
Manager to your new hierarchy. You can use this to:

Combine multiple hierarchies into one.

Move data and configurations from a lab deployment into your production
deployment.

Move data and configuration from a prior version of Configuration Manager, like
Configuration Manager 2007, which has no upgrade path to Configuration
Manager current branch, or from System Center 2012 Configuration Manager
(which does support an upgrade path to Configuration Manager current branch).

With the exception of the distribution point site system role and the computers that
host distribution points, no infrastructure (sites, site system roles, or computers that
host a site system role) migrates, transfers, or can be shared between hierarchies.

Although you cannot migrate server infrastructure, you can migrate Configuration
Manager clients between hierarchies. Client migration involves migrating the data that
clients use from the source hierarchy to the destination hierarchy, and then installing or
reassigning the client software so that the client then reports to the new hierarchy.

After you install a client to the new hierarchy and the client submits its data, its unique
Configuration Manager ID helps Configuration Manager associate the data that you
previously migrated with each client computer.

The functionality that's provided by migration helps you maintain investments that you
have made in configurations and deployments while letting you take full advantage of
core changes in the product (first introduced in System Center 2012 Configuration
Manager and continued in Configuration Manager current branch). These changes
include a simplified Configuration Manager hierarchy that uses fewer sites and
resources, and the improved processing that comes from using native 64-bit code that
runs on 64-bit hardware.

For information about the versions of Configuration Manager that migration supports,
see Prerequisites for migration.

Data that you can migrate to Configuration Manager current branch
Migration can migrate most objects between supported Configuration Manager
hierarchies. The migrated instances of some objects from a supported version of
Configuration Manager 2007 must be modified to conform to the System Center 2012
Configuration Manager schema and object format.

These modifications don't affect the data in the source site database. Objects that are
migrated from a supported version of System Center 2012 Configuration Manager or
Configuration Manager current branch don't require modification.

The following are objects that can migrate based on the version of Configuration
Manager in the source hierarchy. Some objects, like queries, do not migrate. If you want
to continue to use these objects that do not migrate you must recreate them in the new
hierarchy. Other objects, including some client data, are automatically recreated in the
new hierarchy when you manage clients in that hierarchy.

Objects that you can migrate from System Center 2012 Configuration Manager or Configuration Manager current branch
Applications for System Center 2012 Configuration Manager and later versions

App-V Virtual Environment from System Center 2012 Configuration Manager and
later versions

Asset Intelligence customizations

Boundaries

Collections: To migrate collections from a supported version of System Center 2012
Configuration Manager or Configuration Manager current branch, you use an
object migration job.

Compliance settings:

Configuration baselines

Configuration items

Deployments

Operating system deployment:

Boot images

Driver packages

Drivers

Images

Packages

Task sequences

Search results: Saved search criteria

Software updates:

Deployments

Deployment packages

Templates

Software update lists

Software distribution packages

Software metering rules

Virtual application packages

Objects that you can migrate from Configuration Manager 2007 SP2
Advertisements

Applications for System Center 2012 Configuration Manager and later versions

App-V Virtual Environment from System Center 2012 Configuration Manager and
later versions

Asset Intelligence customizations

Boundaries

Collections: You migrate collections from a supported version of Configuration
Manager 2007 by using a collection migration job.

Compliance settings (referred to as desired configuration management in
Configuration Manager 2007):

Configuration baselines

Configuration items

Operating system deployment:

Boot images

Driver packages

Drivers

Images

Packages

Task sequences

Search results: Search folders

Software updates:

Deployments

Deployment packages

Templates

Software update lists

Software distribution packages

Software metering rules

Virtual application packages

Data that you can't migrate to Configuration Manager current branch
You cannot migrate the following types of objects:

AMT client provisioning information

Files on clients, including:

Client inventory and history data

Files in the client cache

Queries

Configuration Manager 2007 security rights and instances for the site and objects

Configuration Manager 2007 reports from SQL Server Reporting Services

Configuration Manager 2007 web reports

System Center 2012 Configuration Manager and Configuration Manager current
branch reports

System Center 2012 Configuration Manager and Configuration Manager current
branch role-based administration:

Security roles

Security scopes

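
Because security roles, scopes and role assignments stay behind, they have to be carried over by hand. The following script is an added example written for this page, not code from the Configuration Manager documentation or product: it exports the custom security roles from a current branch source hierarchy with the ConfigMgr PowerShell module, imports them into the destination hierarchy without overwriting anything that already exists, and recreates one role assignment against a dedicated scope. It assumes the account running it is an administrative user in both hierarchies and that the console can open a CMSite drive to the source site; the site codes, server name, export folder, group name, role name and scope name are placeholders.

```powershell
# Added example (not from the Configuration Manager documentation). Role-based
# administration does not migrate, so custom security roles are exported from a
# current branch source hierarchy and imported into the destination, then one
# assignment is recreated. Site codes, server name, paths and the group/role/scope
# names below are assumptions for illustration.
$SourceSiteCode = 'SRC'                    # assumed: top-level site of the source hierarchy
$SourceServer   = 'src-cas.contoso.com'    # assumed: its SMS Provider host
$DestSiteCode   = 'CAS'                    # assumed: top-level site of the destination hierarchy
$ExportDir      = 'C:\Migration\SecurityRoles'

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# 1. Open a second CMSite drive for the source hierarchy; the console's own drive
#    already points at the destination site.
if (-not (Get-PSDrive -Name $SourceSiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SourceSiteCode -PSProvider CMSite -Root $SourceServer | Out-Null
}

# 2. Export custom roles only. Built-in roles already exist in every hierarchy and
#    cannot be edited, so re-importing them adds nothing.
Set-Location "$($SourceSiteCode):"
$exported = @{}   # role name -> XML file written for it
foreach ($role in (Get-CMSecurityRole | Where-Object { -not $_.IsBuiltIn })) {
    $file = Join-Path $ExportDir (($role.RoleName -replace '[\\/:*?"<>|]', '_') + '.xml')
    Export-CMSecurityRole -InputObject $role -Path $file
    $exported[$role.RoleName] = $file
}

# 3. Import into the destination. Read each XML before this step: a role is a list
#    of granted operations, and an over-broad lab role should be trimmed, not copied
#    as-is. A role that already exists in the destination is left untouched.
Set-Location "$($DestSiteCode):"
foreach ($entry in $exported.GetEnumerator()) {
    if (Get-CMSecurityRole -Name $entry.Key) {
        Write-Warning "Role '$($entry.Key)' already exists in $DestSiteCode; skipped."
        continue
    }
    Import-CMSecurityRole -XmlFileName $entry.Value
}

# 4. Role assignments do not migrate either. Recreate them against a dedicated
#    scope rather than Default (group, role and scope names are assumptions).
$group = 'CONTOSO\CM-Lab-Operators'
if (-not (Get-CMAdministrativeUser -Name $group)) {
    New-CMAdministrativeUser -Name $group -RoleName 'Lab Deployment Operator' `
        -SecurityScopeName 'Migrated-Lab' | Out-Null
}
```

The import deliberately skips roles that already exist instead of overwriting them: a destination hierarchy that is already in production may have tightened a role of the same name, and a blind overwrite would silently widen it again. Security scopes are not covered here; create them in the destination before you run a migration job so the Create Migration Job wizard can assign them.
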
Plan a source hierarchy strategy in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Before you set up a migration job in your Configuration Manager environment, you
must configure a source hierarchy and gather data from at least one source site in that
hierarchy. Use the following sections to help you plan for configuring source hierarchies,
configuring source sites, and determining how Configuration Manager gathers
information from the source sites in the source hierarchy.

Source hierarchies
A source hierarchy is a Configuration Manager hierarchy that has data that you want to
migrate. When you set up migration and specify a source hierarchy, you specify the top-
level site of the source hierarchy. This site is also called a source site. Additional sites
that you can migrate data from in the source hierarchy are also called source sites.

When you set up a migration job to migrate data from a Configuration Manager
2007 source hierarchy, you configure it to migrate data from one or more specific
source sites in the source hierarchy.

When you set up a migration job to migrate data from a source hierarchy that runs
System Center 2012 Configuration Manager or later, you only need to specify the
top-level site.

You can set up only one source hierarchy at a time.

If you set up a new source hierarchy, that hierarchy automatically becomes the
current source hierarchy replacing the previous source hierarchy.

When you set up a source hierarchy, you must specify the top-level site of the
source hierarchy and specify credentials for Configuration Manager to use to
connect to the SMS Provider and site database of that source site.

Configuration Manager uses these credentials to run data gathering to retrieve
information about the objects and distribution points from the source site.

As part of the data gathering process, child sites in the source hierarchy are
identified.

If the source hierarchy is a Configuration Manager 2007 hierarchy, you can set up
those additional sites as source sites with separate credentials for each source site.

Although you can set up multiple source hierarchies in succession, migration is active for
only one source hierarchy at a time.

If you set up an additional source hierarchy before you complete migration from
the current source hierarchy, Configuration Manager cancels any active migration
jobs and postpones any scheduled migration jobs for the current source hierarchy.

The newly configured source hierarchy then becomes the current source hierarchy,
and the original source hierarchy is now inactive.

You can then set up connection credentials, additional source sites, and migration
jobs for the new source hierarchy.

If you restore an inactive source hierarchy and have not previously used Cleanup
Migration Data, you can view the previously configured migration jobs for that source
hierarchy. However, before you can continue migration from that hierarchy, you must
reconfigure the credentials to connect to applicable source sites in the hierarchy, and
then reschedule any migration jobs that did not finish.

Caution

If you migrate data from more than a single source hierarchy, each additional
source hierarchy must contain a unique set of site codes.

The source and destination hierarchies also require different sets of site codes.

For more about configuring a source hierarchy, see Configuring source hierarchies and
source sites for migration to Configuration Manager current branch.

Source sites
Source sites are the sites in the source hierarchy that have the data that you want to
migrate. The top-level site of the source hierarchy is always the first source site. When
migration collects data from the first source site of a new source hierarchy, it discovers
information about additional sites in that hierarchy.

After data gathering completes for the initial source site, the actions you take next
depend on the product version of the source hierarchy.

Source sites that run Configuration Manager 2007 SP2
After data is gathered from the initial source site of the Configuration Manager 2007
SP2 hierarchy, you do not have to set up additional source sites before you create
migration jobs. However, before you can migrate data from additional sites, you must
set up additional sites as source sites, and Configuration Manager must successfully
gather data from those sites.

To gather data from additional sites, you individually set up each site as a source site.
This requires you to specify the credentials for Configuration Manager to connect to the
SMS Provider and site database of each source site. After you set up the credentials for
a source site, the data gathering process for that site begins.

When you set up additional source sites in a Configuration Manager 2007 SP2 source
hierarchy, you must set up source sites from the top down, which means you set up the
bottom-tier sites last. You can configure source sites in a branch of the hierarchy at any
time, but you must set up a site as a source site before you set up any of its child sites
as source sites.

Note

Only primary sites in a Configuration Manager 2007 SP2 hierarchy are supported
for migration.

Source sites that run System Center 2012 Configuration Manager or later
After data is gathered from the initial source site of the System Center 2012
Configuration Manager or later hierarchy, you do not have to set up additional source
sites in that source hierarchy. This is because unlike Configuration Manager 2007, these
versions of Configuration Manager use a shared database, and the shared database lets
you identify and then migrate all available objects from the initial source site.

When you set up the access accounts to gather data, you might need to grant the
Source Site SMS Provider Account access to multiple computers in the source
hierarchy. This might be needed when the source site supports multiple instances of the
SMS Provider, each on a different computer. When data gathering begins, the top-level
site of the destination hierarchy contacts the top-level site in the source hierarchy to
identify the locations of the SMS Provider for that site. Only the first instance of the SMS
provider is identified. If the data gathering process cannot access the SMS Provider at
the location it identifies, the process fails and does not try to connect to additional
computers that run an instance of SMS Provider for that site.
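
Because data gathering stops at the first SMS Provider instance it finds and never retries another, it is worth verifying the Source Site SMS Provider Account against every provider instance before you configure the source hierarchy. The script below is an added example written for this page, not code from the Configuration Manager documentation or product. It asks the source top-level site which computers host an SMS Provider for it (the SMS_ProviderLocation class in root\sms), then opens the site namespace on each of them with the supplied credential. Run it from the destination top-level site server, since that is the computer that performs data gathering. The server name and site code are placeholders, and the assumption that WMI over DCOM is reachable from that server is yours to confirm.

```powershell
# Added example (not from the Configuration Manager documentation): pre-flight check
# that the Source Site SMS Provider Account can reach every SMS Provider instance of
# the source top-level site. Hostname and site code are assumptions for illustration.
param(
    [string]$SourceSiteServer = 'src-cas.contoso.com',   # assumed source top-level site server
    [string]$SourceSiteCode   = 'SRC',                   # assumed source site code
    [pscredential]$Credential = (Get-Credential -Message 'Source Site SMS Provider Account')
)

# The SMS Provider is a WMI provider, so talk to it the way a remote WMI client does.
$dcom = New-CimSessionOption -Protocol Dcom

function Test-SmsProvider {
    param([string]$Computer, [string]$SiteCode, [pscredential]$Cred)
    try {
        $s = New-CimSession -ComputerName $Computer -Credential $Cred -SessionOption $dcom -ErrorAction Stop
        # Reading SMS_Site from the site namespace is a cheap "can this account use
        # this provider" probe; it needs a working provider connection and nothing more.
        $site = Get-CimInstance -CimSession $s -Namespace "root\sms\site_$SiteCode" `
                    -ClassName SMS_Site -ErrorAction Stop | Where-Object SiteCode -eq $SiteCode
        Remove-CimSession $s
        [pscustomobject]@{ Provider = $Computer; Reachable = [bool]$site; Version = $site.Version; Error = $null }
    } catch {
        [pscustomobject]@{ Provider = $Computer; Reachable = $false; Version = $null; Error = $_.Exception.Message }
    }
}

# 1. Ask the source site server where its SMS Provider instances live.
$top = New-CimSession -ComputerName $SourceSiteServer -Credential $Credential -SessionOption $dcom -ErrorAction Stop
$providers = Get-CimInstance -CimSession $top -Namespace 'root\sms' -ClassName SMS_ProviderLocation |
             Where-Object SiteCode -eq $SourceSiteCode
Remove-CimSession $top
if (-not $providers) { throw "No SMS Provider is registered for site $SourceSiteCode on $SourceSiteServer." }

# 2. Probe every instance. Data gathering uses only the first one it identifies and
#    fails outright if that one is not reachable, so the account must work on all of them.
$results = foreach ($p in $providers) {
    Test-SmsProvider -Computer $p.Machine -SiteCode $SourceSiteCode -Cred $Credential
}
$results | Format-Table Provider, Reachable, Version, Error -AutoSize

if ($results.Reachable -contains $false) {
    Write-Warning 'At least one SMS Provider instance is not reachable with this account. Fix that before you configure the source hierarchy.'
}
```

A failed probe is usually a missing local group membership or DCOM/WMI permission on the provider computer rather than a wrong password, so the Error column is the first thing to read. The Source Site Database Account is a separate credential and is not exercised by this check.
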

Data gathering
Immediately after you specify a source hierarchy, set up credentials for each additional
source site in a source hierarchy, or share the distribution points for a source site,
Configuration Manager starts to gather data from the source site.

The data gathering process then repeats itself on a simple schedule to maintain
synchronization with any changes to data in the source site. By default, the process
repeats every four hours. You can change the schedule for this cycle by editing the
Properties of the source site. The initial data gathering process must review all objects
in the Configuration Manager database and can take a long time to finish. Subsequent
data gathering processes identify only changes to the data and require less time to
finish.

To gather data, the top-level site in the destination hierarchy connects to the SMS
Provider and the site database of the source site to retrieve a list of objects and
distribution points. These connections use the source site access accounts. For
information about required configurations for gathering data, see Prerequisites for
migration.

You can start and stop the data gathering process by using Gather Data Now and Stop
Gathering Data in the Configuration Manager console.

After you use Stop Gathering Data for a source site for any reason, you must
reconfigure credentials for the site before you can gather data from that site again. Until
you reconfigure the source site, Configuration Manager cannot identify new objects or
changes to previously migrated objects at that site.

Note

Before you expand a standalone primary site into a hierarchy with a central
administration site, you must stop all data gathering. You can reconfigure data
gathering after the site expansion completes.

Gather Data Now
After the initial data gathering process runs for a site, this process repeats itself to
identify objects that have updated since the last data gathering cycle. You can also use
the Gather Data Now action in the Configuration Manager console to immediately start
the process and to reset the start time of the next cycle.

After a data gathering process successfully finishes for a source site, you can share the
distribution points from the source site and configure migration jobs to migrate data
from the site. Data gathering is a repeating process for migration, and it continues until
you change the source hierarchy or use Stop Gathering Data to end the data gathering
process for that site.

Stop Gathering Data
You can use Stop Gathering Data to end the data gathering process for a source site
when you no longer want Configuration Manager to identify new or changed objects
from that site. This action also prevents Configuration Manager from offering clients in
the destination hierarchy any shared distribution points from the source as content
locations for the content that you have migrated.

To stop gathering data from each source site, you must run Stop Gathering Data on the
bottom-tier source sites, and then repeat the process at each parent site. The top-level
site of the source hierarchy must be the last site on which you stop gathering data. You
must stop data gathering at each child site before performing this action at a parent
site. Typically, you only stop gathering data when you are ready to complete the
migration process.

After you stop gathering data for a source site, information previously gathered about
objects and collections from that site remain available to use when you set up new
migration jobs. However, you do not see any new objects or collections, nor do you see
changes that were made to existing objects. If you reconfigure the source site and begin
gathering data again, you will see information and status about previously migrated
objects.

Plan a migration job strategy in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use migration jobs to configure the specific data that you want to migrate to your
Configuration Manager current branch environment. Migration jobs identify the objects
that you plan to migrate, and they run at the top-level site in your destination hierarchy.
You can set up one or more migration jobs per source site. This lets you migrate all
objects at one time or limited subsets of data with each job.

You can create migration jobs after Configuration Manager has successfully gathered
data from one or more sites from the source hierarchy. You can migrate data in any
sequence from the source sites that have gathered data. With a Configuration Manager
2007 source site, you can migrate data only from the site where an object was created.
With source sites that run System Center 2012 Configuration Manager or later, all data
that you can migrate is available at the top-level site of the source hierarchy.

Before you migrate clients between hierarchies, ensure that the objects that clients use
have migrated and that these objects are available in the destination hierarchy. For
example, when you migrate from a Configuration Manager 2007 SP2 source hierarchy,
you might have an advertisement for content that is deployed to a custom collection
that has a client. In this scenario, we recommend that you migrate the collection, the
advertisement, and the associated content before you migrate the client. This data
cannot be associated with the client in the destination hierarchy if the content,
collection, and advertisement are not migrated before the client migrates. If a client is
not associated with the data related to a previously run advertisement and content, the
client can be offered the content for installation in the destination hierarchy, which
might be unnecessary. When the client migrates after the data has migrated, the client is
associated with this content and advertisement, and unless the advertisement is
recurring, is not offered this content for the migrated advertisement again.

Some objects require more than the migration of data from the source hierarchy to the
destination hierarchy. For example, to successfully migrate software updates for your
clients to your destination hierarchy, you must deploy an active software update point,
configure the catalog of products, and synchronize the software update point with
Windows Server Update Services (WSUS) in the destination hierarchy.

Types of migration jobs
Configuration Manager supports the following types of migration jobs. Each job type is
designed to help define the objects that you can include in that job.

Collection migration (only supported when migrating from Configuration Manager
2007 SP2): Migrate objects that are related to collections you select. By default,
collection migration includes all objects that are associated with members of the
collection. You can exclude specific object instances when you use a collection migration
job.

Object migration: Migrate individual objects that you select. You select only the specific
data that you want to migrate.

Previously migrated object migration: Migrate objects that you previously migrated
when they have updated in the source hierarchy after they were last migrated.

Objects that you can migrate
Not every object can migrate by a specific type of migration job. The following list
identifies the type of objects that you can migrate with each type of migration job.

Note

Collection migration jobs are available only when you migrate objects from a
Configuration Manager 2007 SP2 source hierarchy.

Job types you can use to migrate each object

Advertisements (available to migrate from supported Configuration Manager 2007
source sites): Collection migration

Asset Intelligence catalog: Object migration; Previously migrated object migration

Asset Intelligence hardware requirements: Object migration; Previously migrated
object migration

Asset Intelligence software list: Object migration; Previously migrated object
migration

Boundaries: Object migration; Previously migrated object migration

Configuration baselines: Collection migration; Object migration; Previously migrated
object migration

Configuration items: Collection migration; Object migration; Previously migrated
object migration

Maintenance windows: Collection migration

Operating system deployment boot images: Collection migration; Object migration;
Previously migrated object migration

Operating system deployment driver packages: Collection migration; Object migration;
Previously migrated object migration

Operating system deployment drivers: Collection migration; Object migration;
Previously migrated object migration

Operating system deployment images: Collection migration; Object migration;
Previously migrated object migration

Operating system deployment packages: Collection migration; Object migration;
Previously migrated object migration

Software distribution packages: Collection migration; Object migration; Previously
migrated object migration

Software metering rules: Object migration; Previously migrated object migration

Software update deployment packages: Collection migration; Object migration;
Previously migrated object migration

Software update deployment templates: Collection migration; Object migration;
Previously migrated object migration

Software update deployments: Collection migration

Software update lists: Object migration; Previously migrated object migration

Task sequences: Collection migration; Object migration; Previously migrated object
migration

Virtual application packages: Collection migration; Object migration

Important

Although you can migrate a virtual application package by using object
migration, the packages cannot be migrated by using the migration job type
of Previously Migrated Object Migration. Instead, you must delete the
migrated virtual application package from the destination site and then create
a new migration job to migrate the virtual application.

General planning for all migration jobs
Use the Create Migration Job wizard to create a migration job to migrate objects to your
destination hierarchy. The type of the migration job that you create determines which
objects are available to migrate. You can create and use multiple migration jobs to
migrate data from the same source site or from multiple source sites. The use of one
type of migration job does not block the use of a different type of migration job.

After a migration job runs successfully, its status is listed as Completed and it cannot be
run again. However, you can create a new migration job to migrate any of the objects
that were migrated by the original job, and the new migration job can include additional
objects as well. When you create additional migration jobs, the objects that have been
previously migrated show the state of Migrated. You can select these objects to migrate
them again, but unless the object has been updated in the source hierarchy, migrating
these objects again is not necessary. If the object has been updated in the source
hierarchy after it was originally migrated, you can identify that object when you use the
migration job type of Objects modified after migration.

You can delete a migration job before it runs. However, after a migration job finishes, it
remains visible in the Configuration Manager console and cannot be deleted. Each
migration job that has finished or has not yet run remains visible in the Configuration
Manager console until you finish the migration process and clean up migration data.

Note

After you have finished migration by using the Clean Up Migration Data action,
you can reconfigure the same hierarchy as the current source hierarchy to restore
visibility to the objects you previously migrated.

You can view the objects contained in any migration job in the Configuration Manager
console by selecting the migration job and then choosing the Objects in Job tab.

Use the information in the following sections to help you plan for all migration jobs.

Data selection
When you create a collection migration job, you must select one or more collections.
After you select the collections, the Create Migration Job wizard shows the objects that
are associated with the collections. By default, all objects associated with the selected
collections are migrated, but you can uncheck the objects that you do not want to
migrate with that job. When you uncheck an object that has dependent objects, those
dependent objects are also unchecked. All unchecked objects are added to an exclusion
list. Objects on an exclusion list are removed from automatic selection for future
migration jobs. You must manually edit the exclusion list to remove objects that you
want to have automatically selected for migration in migration jobs you create in the
future.

Site ownership for migrated content
When you migrate content for deployments, you must assign the content object to a
site in the destination hierarchy. This site then becomes the owner for that content in
the destination hierarchy. Although the top-level site of your destination hierarchy is the
site that actually migrates the metadata for content, it is the assigned site that accesses
the original source files for the content across the network.

To minimize the network bandwidth that is used during migration, consider transferring
ownership of content to the closest available site. Because information about the
content is shared globally in Configuration Manager, it will be available at every site.

Information about content is shared to all sites in the destination hierarchy by using
database replication. However, any content that you assign to a primary site and then
deploy to distribution points at other primary sites transfers by using file-based
replication. This transfer is routed through the central administration site and then to
each additional primary site. By centralizing packages that you plan to distribute to
multiple primary sites before or during migration when you assign a site as the content
owner, you can reduce data transfers across low-bandwidth networks.

Role-based administration security scopes for migrated data
When you migrate data to a destination hierarchy, you must assign one or more role-
based administration security scopes to the objects whose data is migrated. This ensures
that only the appropriate administrative users have access to this data after it is
migrated. The security scopes that you specify are defined by the migration job and are
applied to each object that is migrated by that job. If you require different security
scopes to be applied to different sets of objects and you want to assign those scopes
during migration, you must migrate the different sets of objects by using different
migration jobs.

Before you set up a migration job, review how role-based administration works in
Configuration Manager. If necessary, set up one or more security scopes for the data
that you migrate to control who will have access to the migrated objects in the
destination hierarchy.

For more about security scopes and role-based administration, see Fundamentals of
role-based administration for Configuration Manager.
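
The scope you pick in the wizard is the only thing that keeps migrated deployments, packages and task sequences out of the view of every administrative user who holds the Default scope, so it pays to check the result after the job reports Completed. The script below is an added example written for this page, not code from the Configuration Manager documentation or product. It makes sure the migration scope exists before the job runs, then lists package-type objects that are still reachable through Default and, if you opt in, moves them into the migration scope (adding the new scope before removing Default, because an object must always keep at least one). The site code, scope name, source site codes and the remediation switch are placeholders; narrowing the audit by package ID prefix relies on migrated packages keeping the package ID they had in the source hierarchy, which this page does not state, so set the prefix list to empty if that does not hold for you.

```powershell
# Added example (not from the Configuration Manager documentation). After a migration
# job completes, list migrated package-type objects that are still visible through
# the Default security scope, and optionally move them into the migration scope.
# Site code, scope name, source site codes and $Remediate are assumptions.
$SiteCode        = 'CAS'            # assumed: destination top-level site
$ScopeName       = 'Migrated-Lab'   # assumed: scope chosen in the Create Migration Job wizard
$SourceSiteCodes = @('SRC')         # assumed: site codes of the source hierarchy; @() audits everything
$Remediate       = $false           # set to $true to re-scope the flagged objects

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
Set-Location "$($SiteCode):"

# The wizard can only assign scopes that already exist, so create it before the job runs.
if (-not (Get-CMSecurityScope -Name $ScopeName)) {
    New-CMSecurityScope -Name $ScopeName -Description 'Objects migrated from the lab hierarchy' | Out-Null
}

# Prefix filter: assumes migrated packages keep their source package ID (an
# assumption for this example, not something the page states).
$prefix = if ($SourceSiteCodes) { '^(' + ($SourceSiteCodes -join '|') + ')' } else { '.' }
$sets = @(
    @{ Kind = 'Package';       Items = @(Get-CMPackage -Fast       | Where-Object PackageID -match $prefix) }
    @{ Kind = 'DriverPackage'; Items = @(Get-CMDriverPackage       | Where-Object PackageID -match $prefix) }
    @{ Kind = 'TaskSequence';  Items = @(Get-CMTaskSequence -Fast  | Where-Object PackageID -match $prefix) }
)

# Anything that still carries Default is readable by every admin with that scope,
# whether or not the migration scope was also applied.
$findings = foreach ($set in $sets) {
    foreach ($obj in $set.Items) {
        $scopes = @(Get-CMObjectSecurityScope -InputObject $obj | ForEach-Object CategoryName)
        if ($scopes -contains 'Default') {
            [pscustomobject]@{
                Kind   = $set.Kind
                Id     = $obj.PackageID
                Name   = $obj.Name
                Scopes = ($scopes -join ', ')
                Object = $obj
            }
        }
    }
}

$findings | Select-Object Kind, Id, Name, Scopes | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings) {
        # Add the intended scope first; an object must never be left with no scope.
        if ((Get-CMObjectSecurityScope -InputObject $f.Object).CategoryName -notcontains $ScopeName) {
            Add-CMObjectSecurityScope -InputObject $f.Object -Name $ScopeName
        }
        Remove-CMObjectSecurityScope -InputObject $f.Object -Name 'Default' -Force
    }
}
```

Run it first with $Remediate left at $false and read the list: objects that were in the destination before the migration and legitimately live in Default will also appear when the prefix filter is empty. Applications and configuration items carry no site-coded package ID, so audit those by name against the job's Objects in Job tab.
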

Review migration actions
When you set up a migration job, the Create Migration Job wizard shows a list of actions
that you must take to ensure a successful migration and a list of actions that
Configuration Manager takes during the migration of the selected data. Review this
information carefully to check the expected outcome.

Schedule migration jobs
By default, a migration job runs immediately after it is created. However, you can specify
when the migration job runs when you create the job or by editing the properties of the
job. You can schedule the migration job to run as follows:

Run the job now

Run the job at a specific start time

Not run the job

Specify conflict resolution for migrated data
By default, a migration job does not overwrite objects that already exist in the
destination database. When you create or edit the job, you choose whether to skip
such previously migrated objects (the default) or to overwrite them with the version
from the source hierarchy.

Plan for collection migration jobs
Collection migration jobs are available only when you migrate data from a source
hierarchy that runs a supported version of Configuration Manager 2007. You must
specify one or more collections to migrate when you migrate by collection. For each
collection that you specify, the migration job automatically selects all related objects for
migration. For example, if you select a specific collection of users, the collection
members are then identified, and you can migrate the deployments associated with that
collection. Optionally, you can select other deployment objects to migrate that are
associated with those members. All these selected items are added to the list of objects
that can be migrated.

When you migrate a collection, Configuration Manager also migrates collection settings,
including maintenance windows and collection variables, but it cannot migrate
collection settings for AMT client provisioning.

Use the information in the following sections to learn about additional configurations
that can apply to collection-based migration jobs.

Exclude objects from collection migration jobs
You can exclude specific objects from a collection migration job. When you exclude a
specific object from a collection migration job, that object is added to a global exclusion
list that has all the objects that you have excluded from migration jobs created for any
source site in the current source hierarchy. Objects on the exclusion list are still available
for migration in future jobs but are not automatically included when you create a new
collection-based migration job.

You can edit the exclusion list to remove objects that you have previously excluded.
After you remove an object from the exclusion list, it is then automatically selected when
an associated collection is specified during the creation of a new migration job.

Unsupported collections
Configuration Manager can migrate any of the default user collections, device
collections, and most custom collections from a Configuration Manager 2007 source
hierarchy. However, Configuration Manager cannot migrate collections that contain
users and devices in the same collection.

The following collections cannot be migrated:

A collection that has users and devices.

A collection that has a reference to a collection of a different resource type. For
example, a device-based collection that has either a subcollection or a link to a
user-based collection. In this example, only the top-level collection migrates.

A collection that has a rule to include unknown computers. The collection
migrates, but the rule to include unknown computers does not migrate.

Empty collections
An empty collection is a collection that has no resources associated with it. When
Configuration Manager migrates an empty collection, it converts the collection to an
organizational folder that has no users or devices. This folder is created with the name
of the empty collection under the User Collections or Device Collections node in the
Assets and Compliance workspace in the Configuration Manager console.

Linked collections and subcollections


When you migrate collections that are linked to other collections or that have
subcollections, Configuration Manager creates a folder under the User Collections or
Device Collections node in addition to the linked collections and subcollections.

Collection dependencies and include objects


When you specify a collection to migrate in the Create Migration Job wizard, any
dependent collections are automatically selected to be included with the job. This
behavior ensures that all necessary resources are available after migration.

For example: You select a collection for devices that run Windows 10 and is named
Win_10. This collection is limited to a collection that has all your client operating systems
and is named All_Clients. The collection All_Clients will be automatically selected for
migration.

Collection limiting
With Configuration Manager current branch, collections are global data and are
evaluated at each site in the hierarchy. Therefore, plan how to limit the scope of a
collection after it is migrated. During migration, you can identify a collection from the
destination hierarchy to use to limit the scope of the collection that you are migrating
so that the migrated collection does not include unanticipated members.

For example, in Configuration Manager 2007, collections are evaluated at the site that
creates them and at child sites. An advertisement might be deployed to only a child site,
and this would limit the scope for that advertisement to that child site. In comparison,
with Configuration Manager current branch, collections are evaluated at each site and
associated advertisements are then evaluated for each site. Collection limiting lets you
refine the collection members based on another collection to avoid the addition of
unexpected collection members.

Site code replacement


When you migrate a collection that has criteria that identifies a Configuration Manager
2007 site, you must specify a specific site in the destination hierarchy. This ensures that
the migrated collection remains functional in your destination hierarchy and does not
increase in scope.

Specify behavior for migrated advertisements


By default, collection-based migration jobs disable advertisements that migrate to the
destination hierarchy. This includes any programs that are associated with the
advertisement. When you create a collection-based migration job that has
advertisements, you see the Enable programs for deployment in Configuration
Manager after an advertisement is migrated option on the Settings page of the Create
Migration Job wizard. If you select this option, programs that are associated with the
advertisements are enabled after they have migrated. As a best practice, do not select
this option. Instead, enable the programs after they have migrated when you can verify
the clients that will receive them.

Note

You see the Enable programs for deployment in Configuration Manager after an
advertisement is migrated option only when you are creating a collection-based
migration job and the migration job contains advertisements.

To enable a program after migration, clear Disable this program on computers where it
is advertised on the Advanced tab of the program properties.

Plan for object migration jobs


Unlike collection migration, you must select each object and object instance that you
want to migrate. You can select the individual objects (like advertisements from a
Configuration Manager 2007 hierarchy or a deployment from a System Center 2012
Configuration Manager or Configuration Manager current branch hierarchy) to add to
the list of objects to migrate for a specific migration job. Any objects that you do not
add to the migration list are not migrated to the destination site by the object migration
job.

Object-based migration jobs do not have any additional configurations to plan for
beyond those applicable to all migration jobs.

Plan for previously migrated object migration jobs
When an object that you have already migrated to the destination hierarchy is updated
in the source hierarchy, you can migrate that object again by using the Objects
modified after migration job type. For example, when you rename or update the source
files for a package in the source hierarchy, the package version increments in the source
hierarchy. After the package version increments, the package can be identified for
migration by this job type.

This job type is similar to the object migration type except that when you select objects
to migrate, you can only select from objects that have been updated after they were
migrated by a previous migration job.
When you select this job type, the conflict resolution behavior on the Settings page of
the Create Migration Job wizard is configured to overwrite previously migrated objects.
This setting cannot be changed.

Note

This migration job can identify objects that are automatically updated by the source
hierarchy and objects that an administrative user updates.

Plan a client migration strategy in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To migrate clients from the source hierarchy to a Configuration Manager current branch
destination hierarchy, you must do two tasks. You must migrate the objects that are
associated with the client and you must then reinstall or reassign the clients from the
source hierarchy to the destination hierarchy. You migrate the objects first so that they
are available when the clients are migrated. The objects associated with the client are
migrated by using migration jobs. For information about how to migrate the objects
that are associated with the client, see Planning a migration job strategy.

Use the following sections to help you plan to migrate clients to the destination
hierarchy.

Plan to migrate clients to the destination hierarchy

Plan to handle data maintained on clients during migration

Plan for inventory and compliance data during migration

Plan to migrate clients to the destination hierarchy
When you migrate clients from a source hierarchy, the client software on the client
computer upgrades to match the product version of the destination hierarchy.

A Configuration Manager 2007 source hierarchy: When you migrate clients from
a source hierarchy that runs a supported version of Configuration Manager 2007,
the client software upgrades to the client version for the destination hierarchy.

A System Center 2012 Configuration Manager or later source hierarchy: When
you migrate clients between hierarchies that are of the same product version, the
client software does not change or upgrade. Instead, the client reassigns from the
source hierarchy to a site in the destination hierarchy.

Note

When the product version of a hierarchy is not supported for migration to
your destination hierarchy, upgrade all sites and clients in the source hierarchy
to a compatible product version. After the source hierarchy upgrades to a
supported product version, you can migrate between the hierarchies. For
more information, see Versions of Configuration Manager that are
supported for migration in Prerequisites for migration.

Use the following information to help you plan the client migration:

To upgrade or reassign clients from a source site to a destination site, you can use
any client deployment method that is supported for deploying clients in the
destination hierarchy. Typical client deployment methods include client push
installation, software distribution, Group Policy, and software update-based client
installation. For more information, see Client installation methods.

Ensure that the device that runs the client software in the source hierarchy meets
the minimum hardware requirements and runs an operating system that is
supported by the version of Configuration Manager in the destination hierarchy.

Before you migrate a client, run a migration job to migrate the information that
the client will use in the destination hierarchy.

Clients that upgrade retain their run history for deployments. This prevents
deployments from rerunning unnecessarily in the destination hierarchy.

For Configuration Manager 2007 clients, advertisement run history is retained.

For clients from System Center 2012 Configuration Manager or Configuration
Manager current branch, deployment run history is retained.

You can migrate clients from sites in the source hierarchy in any order that you
choose. However, consider migrating limited numbers of clients in phases rather
than migrating large numbers of clients at a single time. A phased migration
reduces the network bandwidth requirements and server processing when each
newly upgraded client submits its initial full inventory and compliance data to its
assigned site.

When you migrate Configuration Manager 2007 clients, the existing client software
is uninstalled from the client computer and the new client software is installed.

Configuration Manager cannot migrate a Configuration Manager 2007 client that
has the App-V client installed unless the App-V client version is 4.6 SP1 or later.

You can monitor the client migration process in the Migration node of the
Administration workspace in the Configuration Manager console.

After you migrate the client to the destination hierarchy, you can no longer manage that
device by using your source hierarchy, and you should consider removing the client
from the source hierarchy. Although this is not a requirement when you migrate
hierarchies, it can help prevent identification of a migrated client in a source hierarchy
report, or an incorrect count of resources between the two hierarchies during the
migration. For example, when a migrated client remains in the source site database, you
might run a software updates report that incorrectly identifies the computer as an
unmanaged resource when it is now managed by the destination hierarchy.

Plan to handle data maintained on clients during migration
When you migrate a client from its source hierarchy to the destination hierarchy, some
information is retained on the device, while other information is not available on the
device after migration.

The following information is retained on the client device:

The unique identifier (GUID), which associates a client with its information in the
Configuration Manager database.

The advertisement or deployment history, which prevents clients from
unnecessarily rerunning advertisements or deployments in the destination
hierarchy.

The following information is not retained on the client device:

The files in the client cache. If the client requires these files to install software, the
client downloads them again from the destination hierarchy.

Information from the source hierarchy about any advertisements or deployments
that have not yet run. If you want the client to run the advertisements or
deployments after it migrates, you must redeploy them to the client in the
destination hierarchy.

Information about inventory. The client resends this information to its assigned site
in the destination hierarchy after the client migrates and the new client data has
been generated.

Compliance data. The client resends this information to its assigned site in the
destination hierarchy after the client migrates and the new client data has been
generated.

When a client migrates, information that is stored in the Configuration Manager client
registry and file path is not retained. After migration, reapply these settings. Typical
settings include the following:

Power schemes

Logging settings

Local policy settings

Additionally, you might have to reinstall some applications.

Plan for inventory and compliance data during migration
Client inventory and compliance data is not saved when you migrate a client to the
destination hierarchy. Instead, this information is recreated in the destination hierarchy
when a client first sends its information to its assigned site. To help reduce the resulting
network bandwidth requirements and server processing, consider migrating a small
number of clients in phases rather than migrating a large number of clients at a single
time.

Additionally, you cannot migrate customizations for hardware inventory from a source
hierarchy. You must introduce these to the destination hierarchy independently from
migration. For information about how to extend hardware inventory, see How to
configure hardware inventory.

Plan a content deployment migration
strategy in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

While you actively migrate data to a Configuration Manager current branch destination
hierarchy, Configuration Manager clients in both the source and destination hierarchies
can maintain access to content that you deployed in the source hierarchy. You can also
use migration to upgrade or reassign distribution points from the source hierarchy to
become distribution points in the destination hierarchy. When you share and upgrade or
reassign distribution points, this strategy can help you avoid having to redeploy content
to new servers in the destination hierarchy for the clients that you migrate.

Although you can recreate and distribute content in the destination hierarchy, you can
also use the following options to manage this content:

Share distribution points in the source hierarchy with clients in the destination
hierarchy.

Upgrade standalone Configuration Manager 2007 distribution points or
Configuration Manager 2007 secondary sites in the source hierarchy to become
distribution points in the destination hierarchy.

Reassign distribution points from a Configuration Manager source hierarchy to a
site in the destination hierarchy.

Share distribution points between source and destination hierarchies
During migration, you can share distribution points from a source hierarchy with the
destination hierarchy. You can use shared distribution points to make content that you
have migrated from a source hierarchy immediately available to clients in the
destination hierarchy without having to recreate that content, and then distribute it to
new distribution points in the destination hierarchy. When clients in the destination
hierarchy request content that is deployed to distribution points that you have shared,
the shared distribution points can be offered to the clients as valid content locations.

In addition to being a valid content location for clients in the destination hierarchy while
migration from the source hierarchy remains active, it is possible to upgrade or reassign
a distribution point to the destination hierarchy. You can upgrade Configuration
Manager 2007 shared distribution points and reassign System Center 2012
Configuration Manager shared distribution points. When you upgrade or reassign a
shared distribution point, the distribution point is removed from the source hierarchy
and becomes a distribution point in the destination hierarchy. After you upgrade or
reassign a shared distribution point, you can continue to use the distribution point in
the destination hierarchy after migration from the source hierarchy is finished. For more
about how to upgrade a shared distribution point, see Plan to upgrade Configuration
Manager 2007 shared distribution points. For more about how to reassign a shared
distribution point, see Plan to reassign Configuration Manager distribution points.

You can choose to share distribution points from any source site in your source
hierarchy. When you share distribution points for a source site, each qualifying
distribution point at that primary site and at each of its child secondary sites is
shared. To qualify to be a shared distribution point, the site system server that
hosts the distribution point must be set up with a fully qualified domain name (FQDN).
Any distribution points that are set up with a NetBIOS name are disregarded.

Tip

Configuration Manager 2007 does not require you to set up an FQDN for site
system servers.

Use the following information to help you plan for shared distribution points:

Distribution points that you share must meet the prerequisites for shared
distribution points. For more about these prerequisites, see Required
configurations for migration in Prerequisites for migration.

The share distribution point action is a site-wide setting that shares all qualifying
distribution points at a source site and at any direct child secondary sites. You
cannot select individual distribution points to share when you enable distribution
point sharing.

Clients in the destination hierarchy can receive content location information for
packages that are distributed to distribution points that are shared from the source
hierarchy. For distribution points from a Configuration Manager 2007 source
hierarchy, this includes branch distribution points, distribution points on server
shares, and standard distribution points.

Warning

If you change the source hierarchy, shared distribution points from the
original source hierarchy are no longer available and cannot be offered as
content locations to clients in the destination hierarchy. If you reconfigure
migration to use the original source hierarchy, the previously shared
distribution points are restored as valid content location servers.

When you migrate a package that is hosted on a shared distribution point, the
package version must remain the same in the source and destination hierarchies.
When a package version is not the same in the source and destination hierarchy,
clients in the destination hierarchy cannot retrieve that content from the shared
distribution point. Therefore, if you update a package in the source hierarchy, you
must re-migrate the package data before clients in the destination hierarchy can
retrieve that content from a shared distribution point.

Note

When you view details for a package that is hosted on a shared distribution
point, the number of packages that display as Hosted Migrated Packages on
the source site's Shared Distribution Points tab is not updated until the next
data gathering cycle is finished.

You can view shared distribution points and their properties in the Source
Hierarchy node of the Administration workspace in the Configuration Manager
console that connects to the destination hierarchy.

You cannot use a shared distribution point from a Configuration Manager 2007
source hierarchy to host packages for Microsoft Application Virtualization (App-V).
App-V packages must migrate and be converted for use by clients in the
destination hierarchy. However, you can use a shared distribution point from a
System Center 2012 Configuration Manager or Configuration Manager current
branch source hierarchy to host App-V packages for clients in a destination
hierarchy.

When you share a protected distribution point from a Configuration Manager 2007
source hierarchy, the destination hierarchy creates a boundary group that includes
the protected network locations of that distribution point. You cannot change this
boundary group in the destination hierarchy. However, if you change the protected
boundary information for the distribution point in the Configuration Manager 2007
source hierarchy, that change is reflected in the destination hierarchy after the next
data gathering cycle finishes.

Note

System Center 2012 Configuration Manager and Configuration Manager
current branch sites use the concept of preferred distribution points instead
of protected distribution points. This condition only applies to distribution
points that are shared from Configuration Manager 2007 source sites.

The eligible distribution points are not visible in the Configuration Manager console
before you share distribution points from a source site. After you share distribution
points, only the distribution points that are successfully shared are listed.

After you have shared distribution points, you can change the configuration of any
shared distribution point in the source hierarchy. Changes that you make to the
configuration of a distribution point are reflected in the destination hierarchy after the
next data gathering cycle. Distribution points that you updated to qualify for sharing are
shared automatically, while those that no longer qualify stop sharing distribution points.
For example, you might have a distribution point that is not set up with an intranet
FQDN and was not initially shared with the destination hierarchy. After you set up the
FQDN for that distribution point, the next data gathering cycle identifies this
configuration, and the distribution point is then shared with the destination hierarchy.

Plan to upgrade Configuration Manager 2007 shared distribution points
When you migrate from a Configuration Manager 2007 source hierarchy, you can
upgrade a shared distribution point to make it a Configuration Manager current branch
distribution point. You can upgrade distribution points at primary sites and secondary
sites. The upgrade process removes the distribution point from the Configuration
Manager 2007 hierarchy and makes it a site system server in the destination hierarchy.
This process also copies the existing content that is on the distribution point to a new
location on the distribution point computer. The upgrade process then modifies the
copy of the content to create the single instance store for use with content deployment
in the destination hierarchy. Therefore, when you upgrade a distribution point, you do
not have to redistribute migrated content that was hosted on the Configuration
Manager 2007 distribution point.

After Configuration Manager converts the content to the single instance store,
Configuration Manager deletes the original source content on the distribution point
computer to free up disk space. Configuration Manager does not use the original source
content location.

Not all Configuration Manager 2007 distribution points that you can share are eligible
for upgrade to Configuration Manager current branch. To be eligible for upgrade, a
Configuration Manager 2007 distribution point must meet the conditions for upgrade.
These conditions include the site system server on which the distribution point is
installed and the type of Configuration Manager 2007 distribution point that is installed.
For example, you cannot upgrade any type of distribution point that is installed on the
site server computer at a primary site, but you can upgrade a standard distribution point
that is installed on the site server computer at a secondary site.

Note

You can upgrade only those Configuration Manager 2007 shared distribution points
that are on a computer that runs an operating system version that is supported for
distribution points in the destination hierarchy. For example, although you can
share a Configuration Manager 2007 distribution point that is on a computer that
runs Windows Vista, you cannot upgrade this shared distribution point because the
operating system is not supported by Configuration Manager current branch for
use as a distribution point.

The following table lists the supported locations for each type of Configuration Manager
2007 distribution point that you can upgrade.

Type of distribution point             | On a site system computer   | On a site system computer other than  | On a secondary
                                       | other than the site server  | the site server that also hosts other | site server
                                       |                             | site system roles                     |
---------------------------------------|-----------------------------|---------------------------------------|---------------
Standard distribution point            | Yes                         | No                                    | Yes
Distribution point on server shares (1)| Yes                         | No                                    | No
Branch distribution point              | Yes                         | No                                    | No

(1) Configuration Manager current branch does not support server shares for site systems,
but it does support the upgrade of a Configuration Manager 2007 distribution point
that is on a server share. When you upgrade a Configuration Manager 2007 distribution
point that is on a server share, the distribution point type is automatically converted to a
server, and you must select the drive on the distribution point computer that will store
the single instance content store.

Warning

Before you upgrade a branch distribution point, uninstall the Configuration
Manager 2007 client software. When you upgrade a branch distribution point that
has the Configuration Manager 2007 client software installed, the content that was
previously deployed to the computer is removed from the computer, and the
upgrade of the distribution point fails.

To identify distribution points that are eligible for upgrade in the Configuration Manager
console in the Source Hierarchy node, select a source site, and then select the Shared
Distribution Points tab. Eligible distribution points display Yes in the Eligible for
Upgrade column.

When you upgrade a distribution point that is installed on a Configuration Manager
2007 secondary site server, the secondary site is uninstalled from the source hierarchy.
Although this scenario is called a secondary site upgrade, this applies only to the
distribution point site system role. The result is that the secondary site is not upgraded
and instead is uninstalled. This leaves a distribution point from the destination hierarchy
on the computer that was the secondary site server. If you plan to upgrade the
distribution point on a secondary site, see Plan to upgrade Configuration Manager 2007
secondary sites in this topic.

Distribution point upgrade process


You can use the Configuration Manager console to upgrade Configuration Manager
2007 distribution points that you have shared with the destination hierarchy. When you
upgrade a shared distribution point, the distribution point is uninstalled from the
Configuration Manager 2007 site. It is then installed as a distribution point that is
attached to a primary or secondary site that you specify in the destination hierarchy. The
upgrade process creates a copy of the migrated content that is stored on the
distribution point, and then converts this copy to the single instance content store.
When Configuration Manager converts a package to the single instance content store, it
deletes that package from the SMSPKG share on the distribution point computer unless
the package has one or more advertisements that are set to Run program from
distribution point.

To upgrade the distribution point, Configuration Manager uses the Source Site Access
Account that is set up to gather data from the SMS Provider of the source site. Although
this account requires only Read permission for site objects to gather data from the
source site, it must also have Delete and Modify permission to the Site class to
successfully remove the distribution point from the Configuration Manager 2007 site
during the upgrade. Because Delete and Modify on the Site class let this account remove
site system objects from the source site, grant them deliberately for the upgrade rather
than as part of the account's baseline data-gathering rights.

Note

Configuration Manager can convert content to the single instance store on only
one distribution point at a time. When you set up multiple distribution point
upgrades, the distribution points are queued for upgrade and processed one at a
time.

Before you upgrade a shared distribution point, ensure that all content that is deployed
to the distribution point is migrated. Content that you do not migrate before you
upgrade the distribution point is not available in the destination hierarchy after the
upgrade. When you upgrade a distribution point, the content in the migrated packages
is converted into a format that is compatible with the single instance store of the
destination hierarchy.

To upgrade a distribution point from within the Configuration Manager console, the
Configuration Manager 2007 site system server must meet the following conditions:

The distribution point configuration and location must be eligible for upgrade.

The distribution point computer must have sufficient disk space for the content to
be converted from the Configuration Manager 2007 content storage format to the
single instance store format. This conversion requires available free disk space
equal to the size of the largest package that is stored on the distribution point.

The distribution point computer must run an operating system version that is
supported as a distribution point in the destination hierarchy.

Note

When Configuration Manager checks for the eligibility of a distribution point
for upgrade, it does not validate the operating system version of the
distribution point computer.
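The disk space condition above is easy to get wrong on a distribution point that hosts one very large package. The following pre-flight check is an added example, not part of Microsoft's documentation or the Configuration Manager product: it sizes each package directory under a Configuration Manager 2007 package share (assumed here to be laid out as one subdirectory per package, as on an SMSPKG share) and compares the largest one with the free space on the drive that will hold the single instance content store. The package IDs and file sizes in `demo()` are constructed test data, and the share path you pass in is your own.

```python
import os
import shutil
import tempfile
from typing import Dict, NamedTuple, Optional, Tuple


class SpaceCheck(NamedTuple):
    ok: bool              # free space >= size of the largest package
    largest_package: str  # directory name of the largest package ("" if none)
    largest_bytes: int
    free_bytes: int


def package_sizes(pkg_root: str) -> Dict[str, int]:
    """Bytes used by each package directory directly under pkg_root.

    Assumption: pkg_root is laid out like a Configuration Manager 2007 package
    share (for example \\\\dp01.contoso.com\\SMSPKGD$), one subdirectory per package.
    """
    sizes: Dict[str, int] = {}
    with os.scandir(pkg_root) as entries:
        for entry in entries:
            if not entry.is_dir():
                continue
            total = 0
            for dirpath, _, filenames in os.walk(entry.path):
                for name in filenames:
                    try:
                        total += os.path.getsize(os.path.join(dirpath, name))
                    except OSError:
                        pass  # unreadable file: counted as 0 rather than aborting
            sizes[entry.name] = total
    return sizes


def upgrade_space_check(pkg_root: str, target_drive: str,
                        free_bytes: Optional[int] = None) -> SpaceCheck:
    """Apply the upgrade prerequisite: free space on the drive that will hold the
    single instance content store must be at least the size of the largest package.
    free_bytes overrides the measured free space (useful for what-if checks and tests)."""
    sizes = package_sizes(pkg_root)
    free = shutil.disk_usage(target_drive).free if free_bytes is None else free_bytes
    if not sizes:
        return SpaceCheck(True, "", 0, free)
    largest = max(sizes, key=sizes.__getitem__)
    return SpaceCheck(free >= sizes[largest], largest, sizes[largest], free)


def demo() -> Tuple[Dict[str, int], SpaceCheck, SpaceCheck]:
    """Build a throwaway package tree (constructed data, not a real share) and run the
    check twice: once with too little free space, once with just enough."""
    root = tempfile.mkdtemp(prefix="smspkg_")
    try:
        layout = {"ABC00001": [4096, 1024], "ABC00002": [512], "ABC00003": []}
        for pkg, file_sizes in layout.items():
            subdir = os.path.join(root, pkg, "bin")
            os.makedirs(subdir)
            for i, n in enumerate(file_sizes):
                with open(os.path.join(subdir, f"f{i}.dat"), "wb") as fh:
                    fh.write(b"\0" * n)
        sizes = package_sizes(root)
        tight = upgrade_space_check(root, root, free_bytes=4096)
        enough = upgrade_space_check(root, root, free_bytes=5120)
        return sizes, tight, enough
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sizes, tight, enough = demo()
    print(sizes)
    print("tight :", tight)
    print("enough:", enough)
```

Run it against the real share and target drive (for example `upgrade_space_check(r"\\dp01.contoso.com\SMSPKGD$", r"D:\")`) before you queue the upgrade; a `False` result tells you which package drives the requirement. Note that this only reproduces the free space rule stated above; it does not check the operating system version, which Configuration Manager also does not validate.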

To upgrade a distribution point, in the Administration workspace, expand Migration,
expand the Source Hierarchy node, and then select the site that has the distribution
point that you want to upgrade. Next, in the details pane, on the Shared Distribution
Points tab, select the distribution point that you want to upgrade.

You can confirm that the distribution point is ready for upgrade by viewing the status in
the Eligible for Reassignment column. Next, on the Configuration Manager console
ribbon, on the Distribution Points tab, in the Distribution Point group, select Reassign.
This opens a wizard that you use to finish the upgrade of the distribution point.

When you upgrade a shared distribution point, you must assign the distribution point to
a primary or secondary site of your choice in the destination hierarchy. After the
distribution point is upgraded, manage the distribution point as a distribution point in
the destination hierarchy like any other distribution point.

You can monitor the progress of a distribution point upgrade in the Configuration
Manager console by selecting the Distribution Point Migration node under the
Migration node of the Administration workspace. You can also view information in the
Migmctrl.log on the central administration site server of the destination hierarchy, or in
the distmgr.log on the site server in the destination hierarchy that manages the
upgraded distribution point.
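Migmctrl.log and distmgr.log, like other Configuration Manager site server logs, are written in the CMTrace record format: the message sits inside `<![LOG[ ... ]LOG]!>` and is followed by a tag carrying the time, date, component, severity (`type="1"` informational, `"2"` warning, `"3"` error) and thread. The parser below is an added example, not Microsoft's code: it pulls those fields out, copes with messages that span several physical lines, and filters down to the warnings and errors so you can watch a queued upgrade without reading every informational line. The records in `SAMPLE_LOG` are constructed for the example; the component names and message wording are illustrative and not copied from a real log.

```python
import re
from dataclasses import dataclass
from typing import List

# One CMTrace record: message block followed by the metadata tag.
LOG_LINE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"'
    r'\s+component="(?P<component>[^"]*)"\s+context="[^"]*"'
    r'\s+type="(?P<type>\d)"\s+thread="(?P<thread>\d+)"\s+file="[^"]*">',
    re.DOTALL,  # a message may contain newlines
)

SEVERITY = {1: "INFO", 2: "WARNING", 3: "ERROR"}


@dataclass
class LogEntry:
    date: str
    time: str
    component: str
    severity: str
    thread: int
    message: str


def parse_cm_log(text: str) -> List[LogEntry]:
    """Parse every CMTrace-formatted record in text; anything else is skipped."""
    return [
        LogEntry(
            date=m.group("date"),
            time=m.group("time"),
            component=m.group("component"),
            severity=SEVERITY.get(int(m.group("type")), "UNKNOWN"),
            thread=int(m.group("thread")),
            message=" ".join(m.group("message").split()),  # collapse wrapped lines
        )
        for m in LOG_LINE.finditer(text)
    ]


def find_problems(entries: List[LogEntry], keyword: str = "") -> List[LogEntry]:
    """Warnings and errors, optionally only those whose message mentions keyword."""
    return [
        e for e in entries
        if e.severity in ("WARNING", "ERROR")
        and (not keyword or keyword.lower() in e.message.lower())
    ]


# Constructed sample records (illustrative component names, wording and IDs).
SAMPLE_LOG = (
    '<![LOG[Processing distribution point upgrade for DP01.contoso.com]LOG]!>'
    '<time="10:21:33.105+420" date="10-04-2022" component="MIGMCTRL" context="" '
    'type="1" thread="4520" file="migmctrl.cpp:100">\n'
    '<![LOG[Insufficient free disk space on DP01.contoso.com to convert package '
    'ABC00010 to the content library]LOG]!>'
    '<time="10:21:35.220+420" date="10-04-2022" component="MIGMCTRL" context="" '
    'type="3" thread="4520" file="migmctrl.cpp:210">\n'
    '<![LOG[Package ABC00010 is still referenced by an advertisement set to run from '
    'the distribution point;\nleaving the SMSPKG copy in place]LOG]!>'
    '<time="10:21:40.001+420" date="10-04-2022" component="SMS_DISTRIBUTION_MANAGER" '
    'context="" type="2" thread="3312" file="distmgr.cpp:55">\n'
    '<![LOG[Distribution point upgrade queued; another conversion is in progress]LOG]!>'
    '<time="10:21:41.800+420" date="10-04-2022" component="MIGMCTRL" context="" '
    'type="1" thread="4520" file="migmctrl.cpp:130">\n'
)

if __name__ == "__main__":
    for e in find_problems(parse_cm_log(SAMPLE_LOG)):
        print(f"{e.date} {e.time} {e.severity:<7} {e.component}: {e.message}")
```

To use it on a real server, read Migmctrl.log from the central administration site server and distmgr.log from the site that manages the upgraded distribution point, pass the file contents to `parse_cm_log`, and call `find_problems` with a keyword such as the distribution point's FQDN to isolate one upgrade from the rest of the traffic.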

Note

When you upgrade a distribution point to the destination hierarchy, the
distribution point site system role is removed from the Configuration Manager
2007 source site. However, packages that were sent to the distribution point are
not updated in the Configuration Manager 2007 hierarchy. In the Configuration
Manager 2007 console, packages that had been sent to the distribution point
continue to list the site system computer as a distribution point with a Type of
Unknown. Subsequent updates to the package in Configuration Manager 2007
result in Distribution Manager reporting errors in the distmgr.log for that site when
the site attempts to update the package on the unknown site system.

If you decide not to upgrade a shared distribution point, you can still install a
distribution point from the destination hierarchy on a former Configuration Manager
2007 distribution point. Before you can install the new distribution point, you must first
uninstall all Configuration Manager 2007 site system roles from the distribution point
computer. This includes the Configuration Manager 2007 site if it is the site server
computer. When you uninstall a Configuration Manager 2007 distribution point, content
that was deployed to the distribution point is not deleted from the computer.

Plan to upgrade Configuration Manager 2007 secondary sites

When you use migration to upgrade a shared distribution point that is hosted on a
Configuration Manager 2007 secondary site server, Configuration Manager upgrades
the distribution point site system role to be a distribution point in the destination
hierarchy. It also uninstalls the secondary site from the source hierarchy. The result is a
Configuration Manager current branch distribution point, but no secondary site.

For a distribution point on the site server computer to be eligible for upgrade,
Configuration Manager must be able to uninstall the secondary site and each of the site
system roles on that computer. Typically, a shared distribution point on a Configuration
Manager 2007 server share is eligible for upgrade. However, when a server share exists
on the secondary site server, the secondary site and any shared distribution points on
that computer are not eligible for upgrade. This is because the server share is treated as
an additional site system object when the process attempts to uninstall the secondary
site, and this process cannot uninstall this object. In this scenario, you can enable a
standard distribution point on the secondary site server and then redistribute the
content to that standard distribution point. This process does not use network
bandwidth, and when finished, you can uninstall the distribution point on the server
share, remove the server share, and then upgrade the distribution point and secondary
site.

Before you upgrade a shared distribution point, review the distribution point
configuration in Configuration Manager 2007 to avoid upgrading a distribution point on
a secondary site that you still want to use with Configuration Manager 2007. This is a
good practice, because after you upgrade a shared distribution point that is on a
secondary site server, the site system server is removed from the Configuration Manager
2007 hierarchy and is no longer available for use with that hierarchy. When the
secondary site is removed, any remaining distribution points at that secondary site are
orphaned. This means they become unmanaged from Configuration Manager 2007 and
are no longer shared or eligible for upgrade.

Warning

When you view shared distribution points in the Configuration Manager console,
there is no visible indication that a shared distribution point is on a remote site
system server or on the secondary site server.

When you have a secondary site in a remote network location that is used primarily to
control the deployment of content to that remote location, consider upgrading
secondary sites that have a shared distribution point. Because you can set up bandwidth
control for when you distribute content to a Configuration Manager current branch
distribution point, you can often upgrade a secondary site to a distribution point, set up
the distribution point for bandwidth controls, and avoid installing a secondary site in
that network location in the destination hierarchy.

The process to upgrade a shared distribution point on a secondary site server is the
same as any other shared distribution point upgrade. Content is copied and converted
to the single instance store in use by the destination hierarchy. However, when you
upgrade a shared distribution point that is on a secondary site server, the upgrade
process also uninstalls the management point (if present) and then uninstalls the
secondary site from the server. The result is that the secondary site is removed from the
Configuration Manager 2007 hierarchy. To uninstall the secondary site, Configuration
Manager uses the account that is set up to gather data from the source site.

During the upgrade, there is a delay between when the Configuration Manager 2007
secondary site is uninstalled and when the installation of the distribution point in the
destination hierarchy begins. This delay, which can be up to four hours, is determined
by the data-gathering cycle. It is intended to give the secondary site time to uninstall
before the new distribution point installation begins.

For more about how to upgrade a shared distribution point, see Plan to upgrade
Configuration Manager 2007 shared distribution points.

Plan to reassign Configuration Manager distribution points

When you migrate from a supported version of System Center 2012 Configuration
Manager to a hierarchy of the same version, you can reassign a shared distribution point
from the source hierarchy to a site in the destination hierarchy. This is like the concept
of upgrading a Configuration Manager 2007 distribution point to become a distribution
point in the destination hierarchy. You can reassign distribution points from primary
sites and secondary sites. The action to reassign a distribution point removes the
distribution point from the source hierarchy and makes the computer and its
distribution point a site system server of the site that you select in the destination
hierarchy.

When you reassign a distribution point, you do not have to redistribute migrated
content that was hosted on the source site distribution point. Additionally, unlike the
upgrade of a Configuration Manager 2007 distribution point, reassignment of a
distribution point does not require additional disk space on the distribution point
computer. This is because beginning with System Center 2012 Configuration Manager,
distribution points use the single instance store format for content. The content on the
distribution point computer does not need to be converted when the distribution point
is reassigned between hierarchies.

For a System Center 2012 Configuration Manager distribution point to be eligible for
reassignment, it must meet the following criteria:

A shared distribution point must be installed on a computer other than the site
server.

A shared distribution point cannot be co-located with any additional site system
roles.

To identify distribution points that are eligible for reassignment in the Configuration
Manager console in the Source Hierarchy node, select a source site, and then select the
Shared Distribution Points tab. Eligible distribution points display Yes in the Eligible for
Reassignment column (this column is named Eligible for Upgrade prior to System
Center 2012 R2 Configuration Manager).

Distribution point reassignment process


You can use the Configuration Manager console to reassign distribution points that you
have shared from an active source hierarchy. When you reassign a shared distribution
point, the distribution point is uninstalled from its source site and then installed as a
distribution point that is attached to a primary or secondary site that you specify in the
destination hierarchy.

To reassign the distribution point, the destination hierarchy uses the Source Site Access
Account that is set up to gather data from the SMS Provider of the source site. For
information about required permissions and additional prerequisites, see Prerequisites
for migration.

Migrate multiple shared distribution points at the same time

Beginning with version 1610, you can use Reassign Distribution point to have
Configuration Manager process in parallel the reassignment of up to 50 shared
distribution points at the same time. This includes shared distribution points from
supported source sites that run:

Configuration Manager 2007
System Center 2012 Configuration Manager
System Center 2012 R2 Configuration Manager
Configuration Manager (current branch)

When you reassign distribution points, each distribution point must qualify to be either
upgraded or reassigned. The name of the action and process involved (upgrade or
reassign) depends on which version of Configuration Manager the source site runs. The
end results for both actions are the same: the distribution point is assigned to one of
your Current Branch sites with its content in place.

Prior to version 1610, Configuration Manager could process only one distribution point
at a time. Now you can reassign as many distribution points as you want with the
following caveats:

Although you cannot multiselect distribution points to be reassigned, when you
have queued up more than one, Configuration Manager will process them in
parallel instead of waiting to finish one before starting the next.

By default, up to 50 distribution points are processed in parallel at a time. After the
reassignment of the first distribution point is finished, Configuration Manager will
begin to process the 51st, and so on.

When you use the Configuration Manager SDK, you can change
SharedDPImportThreadLimit to adjust the number of reassigned distribution
points that Configuration Manager can process in parallel.

Assign content ownership when migrating content

When you migrate content for deployments, you must assign the content object to a
site in the destination hierarchy. This site then becomes the owner for that content in
the destination hierarchy. Although the top-level site of your destination hierarchy is the
site that migrates the metadata for content, it is the assigned site that uses the original
source files for the content across the network.

To minimize the network bandwidth that is used when you migrate content, consider
transferring ownership of content to a site in the destination hierarchy that is close on
the network to the content location in the source hierarchy. Because information about
the content in the destination hierarchy is shared globally, it will be available at every
site.

Although information about content is shared to all sites by using database replication,
any content that you assign to a primary site and then deploy to distribution points at
other primary sites transfers by file-based replication. This transfer is routed through the
central administration site and then to the additional primary site. You can reduce data
transfers across low-bandwidth networks by centralizing packages that you plan to
distribute to multiple primary sites before or during migration when you assign a site as
the content owner.

Plan for the migration of Configuration
Manager objects to Configuration
Manager current branch
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

With Configuration Manager current branch, you can migrate many of the different
objects that are associated with different features found at a source site.

Plan to migrate software updates


You can migrate software update objects, like software update packages and software
update deployments.

To successfully migrate software update objects, you must first set up your destination
hierarchy with configurations that match your source hierarchy environment. This
requires the following actions:

Deploy an active software update point in the destination hierarchy

Set up the catalog of products and languages to match the configuration of your
source hierarchy

Sync the software update point in the destination hierarchy with Windows Server
Update Services (WSUS)

When you migrate software updates, consider the following:

Migration of software update objects can fail when you have not synced
information in your destination hierarchy to match the configuration of your
source hierarchy.

Warning

Configuration Manager does not support use of the WSUSutil tool to sync
data between a source and destination hierarchy.

You cannot migrate custom updates that are published by using System Center
Updates Publisher. Instead, custom updates must be republished to the
destination hierarchy.

When you migrate from a Configuration Manager 2007 source hierarchy, the migration
process modifies some software update objects to the format in use by the destination
hierarchy. Use the following table to help you plan the migration of software update
objects from Configuration Manager 2007.

Configuration Manager 2007 object | Object name after migration
--------------------------------- | ---------------------------
Software update lists | Software update lists are converted to software update groups.
Software update deployments | Software update deployments are converted to deployments and update groups. After you migrate a software update deployment from Configuration Manager 2007, you must enable it in the destination hierarchy before you can deploy it.
Software update packages | Software update packages remain software update packages.
Software update templates | Software update templates remain software update templates. The Duration value in Configuration Manager 2007 deployment templates does not migrate.

When you migrate objects from a System Center 2012 Configuration Manager or
Configuration Manager current branch source hierarchy, the software updates objects
are not modified.

Plan to migrate content


You can migrate content from a supported source hierarchy to your destination
hierarchy. For a Configuration Manager 2007 source hierarchy, this content includes
software distribution packages and programs and virtual applications, like Microsoft
Application Virtualization (App-V). For System Center 2012 Configuration Manager and
Configuration Manager current branch source hierarchies, this content includes
applications and App-V virtual applications. When you migrate content between
hierarchies, the compressed source files migrate to the destination hierarchy.

Packages and programs


When you migrate packages and programs, they are not modified by migration.
However, before you migrate them, you must set up each package to use a Universal
Naming Convention (UNC) path for its source file location. As part of the configuration
to migrate packages and programs, you must assign a site in the destination hierarchy
to manage this content. The content is not migrated from the assigned site, but after
migration, the assigned site accesses the original source file location by using the UNC
mapping.

After you migrate a package and program to the destination hierarchy, and while
migration from the source hierarchy remains active, you can make the content available
to clients in that hierarchy by using a shared distribution point. To use a shared
distribution point, the content must remain accessible on the distribution point at the
source site. For more about shared distribution points, see Share distribution points
between source and destination hierarchies in Plan a content deployment migration
strategy.

For content that has migrated, if the content version changes in the source hierarchy or
the destination hierarchy, clients can no longer access the content from the shared
distribution point in the destination hierarchy. In this scenario, you must re-migrate the
content to restore a consistent version of the package between the source hierarchy and
the destination hierarchy. This information syncs during the data gathering cycle.

Tip

For each package that you migrate, update the package in the destination
hierarchy. This action can prevent issues with deploying the package to distribution
points in the destination hierarchy. However, when you update a package on the
distribution point in the destination hierarchy, clients in that hierarchy will no
longer be able to get that package from a shared distribution point. To update a
package in the destination hierarchy, in the Configuration Manager console, go to
the Software Library, right-click on the package, and then select Update
Distribution Points. Do this action for each package that you migrate.

Tip

Use Package Conversion Manager to convert packages and programs into
Configuration Manager applications. For more information, see Package
Conversion Manager.

Virtual applications
When you migrate App-V packages from a supported Configuration Manager 2007 site,
the migration process converts them to applications in the destination hierarchy.
Additionally, based on existing advertisements for the App-V package, the following
deployment types are created in the destination hierarchy:

If there are no advertisements, one deployment type is created that uses the
default deployment type settings.

If one advertisement exists, one deployment type is created that uses the same
settings as the Configuration Manager 2007 advertisement.

If multiple advertisements exist, a deployment type is created for each
Configuration Manager 2007 advertisement by using the settings for that
advertisement.

Important

If you migrate a previously migrated Configuration Manager 2007 App-V package,
the migration fails because virtual application packages do not support the
overwrite migration behavior. In this scenario, you must delete the migrated virtual
application package from the destination hierarchy, and then create a new
migration job to migrate the virtual application.

Note

After you migrate an App-V package, you can use the Update Content wizard to
change the source path for App-V deployment types. For more about how to
update content for a deployment type, see How to manage deployment types in
Management tasks for Configuration Manager applications.

When you migrate from a System Center 2012 Configuration Manager or Configuration
Manager current branch source hierarchy, you can migrate objects for the App-V virtual
environment in addition to App-V deployment types and applications. For more about
App-V environments, see Deploying App-V virtual applications.

Advertisements
You can migrate advertisements from a supported Configuration Manager 2007 source
site to the destination hierarchy by using collection-based migration. If you upgrade a
client, it retains the history of previously run advertisements to prevent the client from
rerunning migrated advertisements.

Note

You cannot migrate advertisements for virtual packages. This is an exception to the
migration of advertisements.

Applications
You can migrate applications from a supported System Center 2012 Configuration
Manager or Configuration Manager current branch source hierarchy to a destination
hierarchy. If you reassign a client from the source hierarchy to the destination hierarchy,
the client retains the history of previously installed applications to prevent the client
from rerunning a migrated application.

Plan to migrate collections


You can migrate the criteria for collections from a supported System Center 2012
Configuration Manager or Configuration Manager current branch source hierarchy. For
this, you use an object-based migration job. When you migrate a collection, you migrate
the rules for the collection and not information about the members of the collection or
information or objects related to the members of the collection.

Migration of the collection object is not supported when you migrate from a
Configuration Manager 2007 source hierarchy.

Plan to migrate operating system deployments


You can migrate the following operating system deployment objects from a supported
source hierarchy:

Operating system images and packages. The source path of boot images is
updated to the default image location for the Windows Administrative Installation
Kit (Windows AIK) on the destination site. The following are requirements and
limitations to migrating operating system images and packages:

To successfully migrate image files, the computer account of the SMS Provider
server for the destination hierarchy's top-level site must have Read and Write
permission to the image source files of the source site's Windows AIK location.

When you migrate an operating system installation package, ensure that the
configuration of the package on the source site points to the folder that has the
WIM file and not to the WIM file itself. If the installation package points to the
WIM file, the migration of the installation package will fail.

When you migrate a boot image package from a Configuration Manager 2007
source site, the package ID of the package is not maintained in the destination
site. The result of this is that clients in the destination hierarchy cannot use boot
image packages that are available on shared distribution points.

Task sequences. When you migrate a task sequence that has a reference to a client
installation package, that reference is replaced with a reference to the client
installation package of the destination hierarchy.

Note

When you migrate a task sequence, Configuration Manager might migrate
objects that are not required in the destination hierarchy. These objects
include boot images and Configuration Manager 2007 client installation
packages.

Drivers and driver packages. When you migrate driver packages, the computer
account of the SMS Provider in the destination hierarchy must have full control to
the package source.

Plan to migrate desired configuration management

You can migrate configuration items and configuration baselines.

Note

Uninterpreted configuration items from Configuration Manager 2007 source
hierarchies aren't supported for migration. You can't migrate or import these
configuration items to the destination hierarchy.

You can import Configuration Manager 2007 Configuration Packs. The import process
automatically converts the configuration packs to be compatible with Configuration
Manager current branch.

Plan to migrate boundaries


You can migrate boundaries between hierarchies. When you migrate boundaries from
Configuration Manager 2007, each boundary from the source site migrates at the same
time and is added to a new boundary group that is created in the destination hierarchy.
When you migrate boundaries from a System Center 2012 Configuration Manager or
Configuration Manager current branch hierarchy, each boundary you select is added to
a new boundary group in the destination hierarchy.

Each automatically created boundary group is enabled for content location but not for
site assignment. This prevents overlapping boundaries for site assignment between the
source and destination hierarchies. When you migrate from a Configuration Manager
2007 source site, this helps prevent new Configuration Manager 2007 clients that install
from incorrectly assigning to the destination hierarchy. By default, Configuration
Manager current branch clients do not automatically assign to Configuration Manager
2007 sites.

During migration, if you share a distribution point with the destination hierarchy, any
boundaries that are associated with that distribution point automatically migrate to the
destination hierarchy. In the destination hierarchy, migration creates a new read-only
boundary group for each shared distribution point. If you change the boundaries for the
distribution point in the source hierarchy, the boundary group in the destination
hierarchy updates with these changes during the next data gathering cycle.

Plan to migrate reports


Configuration Manager does not support the migration of reports. Instead, use SQL
Server Reporting Services Report Builder to export reports from the source hierarchy,
and then import them to the destination hierarchy.

Note

Because there are schema changes for reports between Configuration Manager
2007 and Configuration Manager current branch, test each report that you import
from a Configuration Manager 2007 hierarchy to ensure that it functions as
expected.

For more about reporting, see Introduction to reporting.

Plan to migrate organizational and search folders

You can migrate organizational folders and search folders from a supported source
hierarchy to a destination hierarchy. In addition, from a System Center 2012
Configuration Manager or Configuration Manager current branch source hierarchy, you
can migrate the criteria for a saved search to a destination hierarchy.

By default, the migration process maintains your search folder and administrative folder
structures for objects and collections when you migrate. However, in the Create
Migration Job wizard, on the Settings page, you can set up a migration job to not
migrate the organizational structure for objects by unchecking the box for this option.
The organizational structures of collections are always maintained.

One exception to this is a search folder that contains virtual applications. When an
App-V package is migrated, the App-V package is transformed into an application in
Configuration Manager. After migration of the search folder, only the remaining
packages are found, and the search folder cannot locate an App-V package because of
this conversion to an application when the App-V package migrates.

When you migrate a saved search from a System Center 2012 Configuration Manager or
Configuration Manager current branch source hierarchy, you migrate the criteria for the
search, and not the information about the search results. Migration of a saved search is
not applicable from a Configuration Manager 2007 source site.

Plan to migrate Asset Intelligence customizations

You can migrate customizations for Asset Intelligence from a supported source hierarchy
to a destination hierarchy. There are no significant changes to the structure of Asset
Intelligence customizations between Configuration Manager 2007 and Configuration
Manager current branch.

Note

Configuration Manager current branch doesn't support the migration of Asset
Intelligence objects from a Configuration Manager 2007 site that is using Asset
Intelligence Service 2.0 (AIS 2.0).

Plan to migrate software metering rules customizations

There are no significant changes to software metering between Configuration Manager
2007 and Configuration Manager current branch. You can migrate your software
metering rules from a supported source hierarchy to a destination hierarchy.

By default, software metering rules that you migrate to a destination hierarchy are not
associated with a specific site in the destination hierarchy and instead apply to all clients
in the hierarchy. To apply a software metering rule to clients at a specific site, you must
edit the metering rule after it migrates.

Planning to monitor migration activity
in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

With Configuration Manager, you can monitor migration in the Configuration Manager
console that connects to the destination hierarchy. In the Configuration Manager
console in the Administration workspace, you can use the Migration node to monitor
the progress and success of migration jobs. You can view summary information for each
migration job that identifies objects that have migrated, those objects that have not yet
migrated, and the number of objects that are excluded from a migration job. You will
also see details about any migration problems.

View Migration Progress


To view the progress of a migration job, use any of the following actions:

In the Administration workspace of the Configuration Manager console, expand
the Migration Jobs node, select a migration job, and then select the Objects in
Job tab.

Use the Configuration Manager log files to review the migration progress or to
identify any problems. Migration Manager is the Configuration Manager process
that tracks migration actions and records these in the migmctrl.log file in the
<InstallationPath>\LOGS folder on the site server.

Note

If a migration job fails, review the details in the migmctrl.log file as soon as
possible. The migration log entries are continually added to the file and
overwrite old details. If the entries are overwritten, you might not be able to
identify whether any problems that you might encounter with the migrated
objects relate to migration issues. Migration activity is logged at the top-level
site of the hierarchy regardless of the site your Configuration Manager
console connects to when you configure migration.

Use Configuration Manager reporting. Configuration Manager provides several
built-in reports for migration, or you can edit those reports to fit your
requirements. For more information about Configuration Manager reports, see
Introduction to reporting.
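
The two log files this article and the distribution point upgrade section above point to, migmctrl.log for migration jobs and distribution point upgrades and distmgr.log for content distribution, are written in the CMTrace line format. The following parser is an added example, not code from the Configuration Manager documentation or product. It assumes the standard CMTrace layout, `<![LOG[message]LOG]!><time=... date=... component=... type=...>`, with type 1, 2 and 3 meaning information, warning and error; the component name, file names, site names and messages in SAMPLE_LOG are constructed for illustration. Because the note above says entries are continually overwritten, a practitioner would run something like this against a copy of the log as soon as a job fails, to pull the warnings and errors out of the noise before they are lost.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# CMTrace-format entry (assumed layout of migmctrl.log / distmgr.log lines):
# <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="N" file="...">
# The message may span several physical lines, hence re.DOTALL and the non-greedy match.
_ENTRY = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"'
    r'\s+component="(?P<component>[^"]*)"\s+context="(?P<context>[^"]*)"'
    r'\s+type="(?P<type>\d)"\s+thread="(?P<thread>\d+)"\s+file="(?P<file>[^"]*)">',
    re.DOTALL,
)

# CMTrace severity codes: 1 = information, 2 = warning, 3 = error.
SEVERITY: Dict[str, str] = {"1": "info", "2": "warning", "3": "error"}
_RANK = {"info": 0, "warning": 1, "error": 2, "unknown": 3}


@dataclass
class LogEntry:
    date: str
    time: str
    component: str
    severity: str
    thread: int
    source: str   # the file="..." attribute: source file and line inside the component
    message: str


def parse_cmtrace(text: str) -> List[LogEntry]:
    """Parse every CMTrace entry found in text, in file order."""
    return [
        LogEntry(
            date=m["date"],
            time=m["time"],
            component=m["component"],
            severity=SEVERITY.get(m["type"], "unknown"),
            thread=int(m["thread"]),
            source=m["file"],
            message=m["msg"].strip(),
        )
        for m in _ENTRY.finditer(text)
    ]


def find_problems(entries: List[LogEntry], min_severity: str = "warning") -> List[LogEntry]:
    """Return the entries at or above min_severity (warnings and errors by default)."""
    floor = _RANK[min_severity]
    return [e for e in entries if _RANK[e.severity] >= floor]


# Constructed sample: four migmctrl.log-style entries, the last one spanning two lines.
# Component, file names, the DP name and the messages are invented for this example.
SAMPLE_LOG = (
    '<![LOG[Migration job "Packages-Wave1" started]LOG]!>'
    '<time="10:15:32.101+000" date="10-04-2022" component="MigMCtrl" context="" '
    'type="1" thread="4512" file="job.cpp:120">\n'
    '<![LOG[Queued shared distribution point DP01.EXAMPLE.LOCAL for reassignment]LOG]!>'
    '<time="10:15:40.205+000" date="10-04-2022" component="MigMCtrl" context="" '
    'type="1" thread="4512" file="shareddp.cpp:88">\n'
    '<![LOG[Object "Legacy App-V Package" does not support overwrite migration; skipped]LOG]!>'
    '<time="10:16:02.330+000" date="10-04-2022" component="MigMCtrl" context="" '
    'type="2" thread="4512" file="job.cpp:310">\n'
    '<![LOG[Failed to access package source \\\\FS01\\Sources\\App1\n'
    'Error: access denied (0x80070005)]LOG]!>'
    '<time="10:16:05.002+000" date="10-04-2022" component="MigMCtrl" context="" '
    'type="3" thread="4512" file="content.cpp:214">\n'
)


if __name__ == "__main__":
    for entry in find_problems(parse_cmtrace(SAMPLE_LOG)):
        print(f"{entry.date} {entry.time} [{entry.severity}] {entry.component}: {entry.message}")
```

To use it on a real file, read the log with `open(path, encoding="utf-8", errors="replace").read()` and pass the text to parse_cmtrace; the same regex applies to distmgr.log, since Distribution Manager writes the same format. The thread value is worth keeping because a single migration job logs under one thread, which lets you follow one job through an interleaved file.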

Plan to complete migration in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

With Configuration Manager, you can complete the process of migration when a source
hierarchy no longer has data that you want to migrate to your destination hierarchy.
Completing migration includes the following general steps:

Ensure that data you require has migrated. Before you complete migration from a
source hierarchy, make sure that you have successfully migrated all of the
resources from the source hierarchy that you require in the destination hierarchy.
This can include data and clients.

Stop gathering data from source sites. To complete migration from a source
hierarchy, you must first stop gathering data from source sites.

Clean up migration data. After you stop gathering data from all source sites in a
source hierarchy, you can remove data about the migration process and source
hierarchy from the database of the destination hierarchy.

Decommission the source hierarchy. After you complete migration from a source
hierarchy and that hierarchy no longer has resources that you manage, you can
decommission the sites in the source hierarchy and remove the related
infrastructure from your environment. For information about how to decommission
sites and source hierarchies, consult the documentation for that version of
Configuration Manager.

Use the following sections to help you plan to complete migration from a source
hierarchy by stopping data gathering and cleaning up migration data:

Plan to stop gathering data

Plan to clean up migration data

Plan to stop gathering data


Before you complete migration and clean up migration data, you must stop gathering
data from each source site in the source hierarchy. To stop gathering data from each
source site, you must perform the Stop Gathering Data command on the bottom tier
source sites, and then repeat the process at each parent site. The top-level site of the
source hierarchy must be the last site on which you stop gathering data. You must stop
data gathering at each child site before performing this command on a parent site.
Typically, you only stop gathering data when you are ready to finish the migration
process.
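The ordering rule in the paragraph above (children before parents, top-level site last) is a post-order walk of the site tree. The following is an added example, not code from the Configuration Manager documentation or product; the site codes in SAMPLE_HIERARCHY are invented. It computes the order in which to run Stop Gathering Data for a given parent-child map and checks whether a proposed runbook order respects the rule, which is a useful pre-flight check when several administrators are involved in completing a migration.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample source hierarchy: site code -> parent site code (None marks
# the top-level site). The codes and layout are invented for this example.
SAMPLE_HIERARCHY: Dict[str, Optional[str]] = {
    "CEN": None,    # top-level (central) site of the source hierarchy
    "PR1": "CEN",   # primary site
    "PR2": "CEN",   # primary site
    "SC1": "PR1",   # secondary site under PR1
    "SC2": "PR2",   # secondary site under PR2
}


def stop_gathering_order(parents: Dict[str, Optional[str]]) -> List[str]:
    """Return the sites in the order Stop Gathering Data must be run.

    Every site appears after all of its descendants (post-order), so bottom-tier
    sites come first and the top-level site comes last, as the procedure requires.
    """
    children: Dict[str, List[str]] = defaultdict(list)
    roots: List[str] = []
    for site, parent in parents.items():
        if parent is None:
            roots.append(site)
        elif parent not in parents:
            raise ValueError(f"{site} references unknown parent {parent}")
        else:
            children[parent].append(site)
    if len(roots) != 1:
        raise ValueError(f"expected exactly one top-level site, found {roots}")

    order: List[str] = []

    def visit(site: str) -> None:
        for child in sorted(children[site]):   # sorted only for a stable result
            visit(child)
        order.append(site)                      # after all descendants

    visit(roots[0])
    if len(order) != len(parents):
        raise ValueError("some sites are not reachable from the top-level site")
    return order


def is_safe_order(parents: Dict[str, Optional[str]], proposed: List[str]) -> bool:
    """True if proposed covers every site and no site is processed before a child."""
    if sorted(proposed) != sorted(parents):
        return False
    position = {site: i for i, site in enumerate(proposed)}
    return all(
        parent is None or position[site] < position[parent]
        for site, parent in parents.items()
    )


if __name__ == "__main__":
    print(" -> ".join(stop_gathering_order(SAMPLE_HIERARCHY)))
```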

After you stop gathering data from a source site, shared distribution points from that
site are no longer available as content locations for clients in the destination hierarchy.
Therefore, ensure that any migrated content that the clients in the destination hierarchy
require access to remains available by using one of the following options:

In the destination hierarchy, distribute the content to at least one distribution
point.

Before you stop gathering data from a source site, upgrade or reassign shared
distribution points that have the required content. For more about upgrading or
reassigning shared distribution points, see the applicable sections in Planning a
content deployment migration strategy.

After you stop gathering data from each source site in the source hierarchy, you can
clean up migration data. Until you clean up migration data, each migration job that has
run or that is scheduled to run remains accessible in the Configuration Manager
console.

For more about source sites and data gathering, see Planning a source hierarchy
strategy.

Plan to clean up migration data


The last step required to finish migration is to clean up migration data. You can use the
Clean Up Migration Data command after you have stopped gathering data for each
source site in the source hierarchy. This optional action removes data about the current
source hierarchy from the database of the destination hierarchy.

When you clean up migration data, most data about the migration is removed from the
database of the destination hierarchy. However, details about migrated objects are
retained. With these details, you can use the Migration workspace to reconfigure the
source hierarchy that has the data that was migrated to resume migration from that
source hierarchy, or to review the objects and site ownership of the objects that
previously migrated.
Configure source hierarchies and source
sites for migration to Configuration
Manager current branch
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To enable migration of data to your Configuration Manager current branch
environment, you must configure a supported Configuration Manager source hierarchy
and one or more source sites in that hierarchy that contain data that you want to
migrate.

Note

Operations for migration are run at the top-level site in the destination hierarchy. If
you configure migration when you use a Configuration Manager console that is
connected to a primary child site, you must allow time for the configuration to
replicate to the central administration site, start, and then replicate status back to
the primary site to which you are connected.

Use the information and procedures in the following sections to specify the source
hierarchy and add additional source sites. After you finish these procedures, you can
create migration jobs and start to migrate data from the source hierarchy to the
destination hierarchy.

Specify a source hierarchy for migration

Identify additional source sites of the source hierarchy

Specify a source hierarchy for migration


To migrate data to your destination hierarchy, you must specify a supported source
hierarchy that has the data that you want to migrate. By default, the top-level site of
that hierarchy becomes a source site of the source hierarchy. If you migrate from a
Configuration Manager 2007 hierarchy, you can then set up additional source sites for
migration after data is gathered from the initial source site. If you migrate from a System
Center 2012 Configuration Manager or Configuration Manager current branch hierarchy,
you do not have to set up additional source sites to migrate data from the source
hierarchy. This is because these versions of Configuration Manager use a shared
database that is available at the top-level site of the source hierarchy. The shared
database has all the information that you can migrate.

Use the following procedures to specify a source hierarchy for migration and to identify
additional source sites in a Configuration Manager 2007 hierarchy.

Run this procedure with a Configuration Manager console that is connected to the
destination hierarchy:

To configure a source hierarchy


1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, expand Migration, and then click Source
Hierarchy.

3. On the Home tab, in the Migration group, click Specify Source Hierarchy.

4. In the Specify Source Hierarchy dialog box, for Source Hierarchy, select New
source hierarchy.

5. For Top-level Configuration Manager site server, enter the name or IP address of
the top-level site of a supported source hierarchy.

6. Specify source site access accounts that have the following permissions:

Source Site Account: Read permission to the SMS Provider for the specified
top-level site in the source hierarchy. Distribution point sharing and upgrades
require Modify and Delete permissions to the site in the source hierarchy.

Source Site Database Account: Read and Execute permission to the SQL
Server database for the specified top-level site in the source hierarchy.

If you specify the use of the computer account, Configuration Manager uses
the computer account of the top-level site of the destination hierarchy. For
this option, ensure that this account is a member of the security group
Distributed COM Users in the domain where the top-level site of the source
hierarchy resides.

7. To share distribution points between the source and destination hierarchies, select
the Enable distribution point sharing for the source site server check box. If you
do not enable distribution point sharing at this time, you can do so by editing the
credentials of the source site after data gathering has finished.
8. Click OK to save the configuration. This opens the Data Gathering Status dialog
box, and data gathering starts automatically.

9. When data gathering finishes, click Close to close the Data Gathering Status
dialog box and complete the configuration.

Identify additional source sites of the source hierarchy

When you configure a supported source hierarchy, the top-level site of that hierarchy is
automatically configured as a source site, and data is automatically gathered from that
site. The next action that you take depends on the version of Configuration Manager
that is run by the source hierarchy:

For a Configuration Manager 2007 source hierarchy, you can begin migration from
that initial source site or set up additional source sites from the source hierarchy
after the data gathering finishes for the initial source site. To migrate data that is
only available from a child site, set up additional source sites for a Configuration
Manager 2007 hierarchy. For example, you might configure additional source sites
to gather data about content that you want to migrate when it's created at a child
site in the source hierarchy and is not available at the top site of the source
hierarchy.

For a System Center 2012 Configuration Manager or Configuration Manager
current branch source hierarchy, you do not need to configure additional source
sites. This is because these versions of Configuration Manager use a shared
database that is available at the top-level site of the source hierarchy. The shared
database has all the information that you can migrate from all of the sites in that
source hierarchy. This makes the data that you can migrate available from the top-
level site of the source hierarchy.

When you configure additional source sites for a Configuration Manager 2007 source
hierarchy, you must configure the additional source sites from the top of the source
hierarchy to the bottom. You must configure a parent site as a source site before you
configure any of its child sites as source sites.

Use the following procedure to configure additional source sites for Configuration
Manager 2007 source hierarchies:

To identify additional source sites in the source hierarchy


1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, expand Migration, and then click Source
Hierarchy.

3. Choose the site that you want to configure as a source site.

4. On the Home tab, in the Source Site group, click Configure.

5. In the Source Site Credentials dialog box, for the source site access accounts,
specify accounts that have the following permissions:

Source Site Account: Read permission to the SMS Provider for the specified
top-level site in the source hierarchy. Distribution point sharing and upgrades
require Modify and Delete permissions to the site in the source hierarchy.

Source Site Database Account: Read and Execute permission to the SQL
Server database for the specified top-level site in the source hierarchy.

If you specify the use of the computer account, Configuration Manager uses the
computer account of the top-level site of the destination hierarchy. For this option,
ensure that this account is a member of the security group Distributed COM Users
in the domain where the top-level site of the source hierarchy resides.

6. To share distribution points between the source and destination hierarchies, select
the Enable distribution point sharing for the source site server check box. If you
do not enable distribution point sharing at this time, you can do so by editing the
credentials for the source site after data gathering has finished.

7. Click OK to save the configuration. This opens the Data Gathering Status dialog
box, and data gathering starts automatically.

8. When data gathering finishes, click Close to complete the configuration.
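
A pre-flight check for the computer-account option described in step 5 of this procedure (and step 6 of the previous one), added here as an example and not part of the Configuration Manager documentation. It assumes the requirement refers to the local Distributed COM Users group on the source hierarchy's top-level site server and that the script is run there; the domain name, server name and function name are placeholders.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Run on the top-level site server of the SOURCE hierarchy. It checks whether the
# computer account of the DESTINATION hierarchy's top-level site server is a
# direct member of the local "Distributed COM Users" group, which the
# documentation requires when the computer account option is selected.
# Assumption: the group meant is the local group on the source site server.
# Domain and server names below are placeholders.

param(
    [string]$DestinationDomain = 'CONTOSO',      # placeholder NetBIOS domain name
    [string]$DestinationSiteServer = 'CM-CAS01'  # placeholder destination top-level site server
)

function Test-DcomUsersMembership {
    param(
        [Parameter(Mandatory)] [string]$Domain,
        [Parameter(Mandatory)] [string]$ComputerName
    )

    # A computer account is listed as DOMAIN\HOSTNAME$ in group membership
    $expected = '{0}\{1}$' -f $Domain, $ComputerName

    # Get-LocalGroupMember is available in Windows PowerShell 5.1 and later
    $members = Get-LocalGroupMember -Group 'Distributed COM Users' -ErrorAction Stop

    # Only direct membership is checked. If the account is granted access through
    # a nested domain group, this reports $false and the nested group must be
    # inspected separately.
    $match = $members | Where-Object { $_.Name -ieq $expected }

    [pscustomobject]@{
        Account        = $expected
        IsDirectMember = [bool]$match
        CurrentMembers = @($members | ForEach-Object { $_.Name })
    }
}

$result = Test-DcomUsersMembership -Domain $DestinationDomain -ComputerName $DestinationSiteServer
if ($result.IsDirectMember) {
    Write-Output "OK: $($result.Account) is a member of Distributed COM Users."
} else {
    Write-Warning "$($result.Account) is not a direct member of Distributed COM Users."
    Write-Warning "Add it before selecting the computer account option, or check nested groups."
    Write-Output  "Current members: $($result.CurrentMembers -join ', ')"
}
```

Run the check before you click OK in the Source Site Credentials dialog box; if the account is missing, data gathering will be attempted with an account the source site server does not trust for DCOM, which is the situation the requirement in the procedure is meant to prevent.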


Operations for migrating to
Configuration Manager current branch
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

For migration in Configuration Manager, you can migrate data and clients after you
successfully gather data from a source site in a supported source hierarchy. Use the
information in the following sections to create and run migration jobs to migrate data
and clients, and then finish the migration process.

Create and edit migration jobs

Run migration jobs

Upgrade or reassign a shared distribution point

Monitor migration activity in the Migration workspace

Migrate clients

Finish migration

Create and edit migration jobs


Use the following procedures to create data migration jobs, edit the exclusion list for
collection-based migration jobs, set up shared distribution points, and edit migration
job schedules.

Note

The following procedure for creating a migration job that migrates by collections
applies only to source hierarchies that run a supported version of Configuration
Manager 2007. The collection-based migration job type is not available when you
migrate from a System Center 2012 Configuration Manager or Configuration
Manager current branch source hierarchy.

Create a migration job to migrate by collections

1. In the Configuration Manager console, choose Administration.

2. In the Administration workspace, expand Migration, and then choose Migration
Jobs.

3. On the Home tab, in the Create group, choose Create Migration Job.

4. On the General page of the Create Migration Job wizard, set up the following and
then choose OK:

Specify a name for the migration job.

In the Job type drop-down list, select Collection migration.

5. On the Select Collections page, set up the following and then choose Next:

Select the collections that you want to migrate.

If you want to migrate only collections and not the objects that are
associated with those collections, uncheck Migrate objects that are
associated with the specified collections. If you uncheck this option, no
associated objects are migrated in this job, and you can skip steps 6 and 7.

6. On the Select Objects page, uncheck any object types or specific available objects
that you do not want to migrate. By default, all associated object types and
available objects are selected. Choose Next.

7. On the Content Ownership page, assign the ownership of content from each listed
source site to a site in the destination hierarchy, and then choose Next.

8. On the Security Scope page, select one or more role-based administration security
scopes to assign to the objects to migrate in this migration job, and then choose
Next.

9. On the Collection Limiting page, set up a collection from the destination hierarchy
to limit the scope of each listed collection, and then choose Next. If no collections
are listed, choose Next.

10. On the Site Code Replacement page, assign a site code from the destination
hierarchy to replace the Configuration Manager 2007 site code for each listed
collection, and then choose Next. If no collections are listed, choose Next.

11. On the Review Information page, choose Save To File to save the displayed
information for later viewing. When you are ready to continue, choose Next.

12. On the Settings page, set up when the migration job will run, choose any
additional settings that you need for this migration job, and then choose Next.

13. Confirm the settings and finish the wizard.

Create a migration job to migrate by objects


1. In the Configuration Manager console, choose Administration.

2. In the Administration workspace, expand Migration, and then choose Migration
Jobs.

3. On the Home tab, in the Create group, choose Create Migration Job.

4. On the General page of the Create Migration Job wizard, set up the following, and
then choose Next:

Specify a name for the migration job.

In the Job type drop-down list, select Object migration.

5. On the Select Objects page, select the object types that you want to migrate. By
default, all available objects are selected for each object type that you select.

6. On the Content Ownership page, assign the ownership of content from each listed
source site to a site in the destination hierarchy, and then choose Next. If no
source sites are listed, choose Next.

7. On the Security Scope page, select one or more role-based administration security
scopes to assign to the objects in this migration job, and then choose Next.

8. On the Review Information page, choose Save To File to save the displayed
information for later viewing. When you are ready to continue, choose Next.

9. On the Settings page, set up when the migration job will run and choose any
additional settings that you need for this migration job. Then choose Next.

10. Confirm the settings and finish the wizard.

Create a migration job to migrate changed objects


1. In the Configuration Manager console, choose Administration.

2. In the Administration workspace, expand Migration, and then choose Migration
Jobs.

3. On the Home tab, in the Create group, choose Create Migration Job.
4. On the General page of the Create Migration Job wizard, set up the following and
then choose Next:

Specify a name for the migration job.

In the Job type drop-down list, select Objects modified after migration.

5. On the Select Objects page, select the object types that you want to migrate. By
default, all available objects are selected for each object type that you select.

6. On the Content Ownership page, assign the ownership of content from each listed
source site to a site in the destination hierarchy, and then choose Next. If no
source sites are listed, choose Next.

7. On the Security Scope page, select one or more role-based administration security
scopes to assign to the objects in this migration job, and then choose Next.

8. On the Review Information page, choose Save To File to save the displayed
information for later viewing. When you are ready to continue, choose Next.

9. On the Settings page, set up when the migration job will run and choose any
additional settings that you require for this migration job. Unlike the other
migration job types, this migration job must overwrite the previously migrated
objects in the Configuration Manager database. Choose Next.

10. Confirm the settings and then finish the wizard.

Modify the exclusion list for migration


1. In the Configuration Manager console, choose Administration.

2. In the Administration workspace, choose Migration to gain access to the exclusion
list. You can also access the exclusion list from the Source Hierarchy or Migration
Jobs node.

3. On the Home tab, in the Migration group, choose Edit Exclusion List.

4. In the Edit Exclusion List dialog box, select the excluded object that you want to
remove from the exclusion list, and then choose Remove.

5. Choose OK to save the changes and finish the edit. To cancel current changes and
restore all the objects that you have removed, choose Cancel, and then choose No.
This will cancel the removal of the objects, and close the Edit Exclusion List dialog
box.

Share distribution points from the source hierarchy

1. In the Configuration Manager console, choose Administration.

2. In the Administration workspace, expand Migration, choose Source Hierarchy,
and then select the source site that you want to set up.

3. On the Home tab, in the Source Site group, choose Configure.

4. On the Source Site Credentials dialog box, select Enable distribution point
sharing for the source site server, and then choose OK.

5. When data gathering finishes, choose Close.

Change the schedule of a migration job


1. In the Configuration Manager console, choose Administration.

2. In the Administration workspace, expand Migration, and then choose Migration
Jobs.

3. Choose the migration job that you want to change. On the Home tab, in the
Properties group, choose Properties.

4. In the properties of the migration job, select the Settings tab, change the run time
for the migration job, and then choose OK.

Run migration jobs


Use the following procedure to run a migration job that has not yet started.

1. In the Configuration Manager console, choose Administration.

2. In the Administration workspace, expand Migration, and then choose Migration
Jobs.

3. Choose the migration job that you want to run. On the Home tab, in the Migration
Job group, choose Start.

4. Choose Yes to start the migration job.

Upgrade or reassign a shared distribution point


You can upgrade a supported distribution point that is shared from a Configuration
Manager 2007 source site (or reassign a supported distribution point that is shared from
a Configuration Manager source site) to be a distribution point in the destination
hierarchy.

Important

Before you upgrade a Configuration Manager 2007 branch distribution point, you
must uninstall the Configuration Manager 2007 client software from the branch
distribution point computer. If the Configuration Manager 2007 client software is
installed when you attempt to upgrade the distribution point, the upgrade fails and
content that was previously deployed to the branch distribution point is removed
from the computer.

Caution

When you upgrade or reassign a shared distribution point, the distribution point
site system role and site system computer are removed from the source site and
added as a distribution point to the site in the destination hierarchy that you select.

Upgrade or reassign a shared distribution point


1. In the Configuration Manager console, choose Administration.

2. In the Administration workspace, expand Migration, and then choose Source
Hierarchy.

3. Select the site that owns the distribution point you want to upgrade, choose the
Shared Distribution Points tab, and select the eligible distribution point that you
want to upgrade or reassign.

4. On the Distribution Point tab, in the Distribution Point group, choose Reassign.

5. Specify settings in the Reassign Shared Distribution Point wizard like you are
installing a new distribution point for the destination hierarchy, with the following
addition:

On the Content Conversion page, review the guidance about the space
required to convert the existing content. Then, on the Drive Settings page of
the wizard, ensure that the drive of the distribution point computer that is
selected has the required amount of free disk space.

6. Confirm the settings and then finish the wizard.

Monitor migration activity in the Migration workspace

Use the Configuration Manager console to monitor migration.

1. In the Configuration Manager console, choose Administration.

2. In the Administration workspace, expand Migration, and then choose Migration
Jobs.

3. Choose the migration job that you want to monitor.

4. View details and status about the selected migration job on the tabs for Summary
and Objects in Job.

Migrate clients

After you migrate data for clients between hierarchies but before you finish migration,
plan to migrate clients to the destination hierarchy. The migration of clients between
hierarchies involves uninstalling the Configuration Manager client software from
computers that are assigned to the source hierarchy, and then installing the
Configuration Manager client software from the destination hierarchy. When you install
the client from the destination hierarchy you also assign the client to a primary site in
that hierarchy. For more about migrating clients, see Planning a client migration
strategy.

Finish migration

Use this procedure to finish migration from the source hierarchy.

1. In the Configuration Manager console, choose Administration.

2. In the Administration workspace, expand Migration, and then choose Source
Hierarchy.

3. For a Configuration Manager 2007 source hierarchy, select a source site that is at
the bottom level of the source hierarchy. For a System Center 2012 Configuration
Manager or Configuration Manager current branch source hierarchy, select the
available source site.

4. On the Home tab, in the Clean Up group, choose Stop Gathering Data.

5. Choose Yes to confirm the action.

6. For a Configuration Manager 2007 source hierarchy, before you continue to the
next step, repeat steps 3, 4, and 5. Go through these steps at each site in the
hierarchy, from the bottom of the hierarchy to the top. For a System Center 2012
Configuration Manager or Configuration Manager current branch source hierarchy,
continue to the next step.

7. On the Home tab, in the Clean Up group, choose Clean Up Migration Data.

8. On the Clean Up Migration Data dialog box, from the Source hierarchy drop-
down list, select the site code and site server of the top-level site of the source
hierarchy, and then choose OK.

9. Choose Yes to finish the migration process for the source hierarchy.

Security and privacy for migration to
Configuration Manager current branch
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This topic contains security best practices and privacy information for migration to your
Configuration Manager current branch environment.

Security Best Practices for Migration


Use the following security best practices for migration.

Security best practice: Use the computer account for the Source Site SMS Provider
Account and the Source Site SQL Server Account rather than a user account.
More information: If you must use a user account for migration, remove the
account details when migration is completed.

Security best practice: Use IPsec when you migrate content from a distribution
point in a source site to a distribution point in your destination site.
More information: Although the migrated content is hashed to detect tampering,
if the data is modified while it is transferred, the migration will fail.

Security best practice: Restrict and monitor the administrative users who can
create migration jobs.
More information: The integrity of the database of the destination hierarchy
depends upon the integrity of data that the administrative user chooses to
import from the source hierarchy. In addition, this administrative user can read
all data from the source hierarchy.

Security Issues for Migration


Migration has the following security issues:

Clients that are blocked from a source site might successfully assign to the
destination hierarchy before their client record is migrated.

Although Configuration Manager retains the blocked status of clients that you
migrate, the client can successfully assign to the destination hierarchy if
assignment occurs before the migration of the client record is completed.

Audit messages are not migrated.

When you migrate data from a source site to a destination site, you lose any auditing
information from the source hierarchy.

Privacy Information for Migration


Migration discovers information from the site databases that you identify in a source
infrastructure and stores this data to the database in the destination hierarchy. The
information that Configuration Manager can discover from a source site or hierarchy
depends upon the features that were enabled in the source environment, as well as the
management operations that were performed in that source environment.

For more information about security and privacy information, see Security and privacy
for Configuration Manager.

You can migrate some or all of the supported data from a source site to a destination
hierarchy.

Migration is not enabled by default and requires several configuration steps. Migration
information is not sent to Microsoft.

Before you migrate data from a source hierarchy, consider your privacy requirements.

Deploy servers and roles
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

After you plan out your Configuration Manager site and hierarchy topology and are
ready to get sites installed or upgraded, use the information in the following articles:

Install Configuration Manager sites

Upgrade to Configuration Manager

Scenarios to streamline your installation of Configuration Manager

Configure sites and hierarchies

Migrate data between hierarchies


Where to get installation media for
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

If you have Configuration Manager volume licenses with Software Assurance, or if you
have purchased licenses for Configuration Manager volume licenses, you can download
baseline source media to install Configuration Manager from the Volume Licensing
Service Center.

If you have a Configuration Manager license from EMS, Microsoft 365, or a Cloud
Solution Provider (CSP), please see the Product and Licensing FAQ.

If you would like to purchase volume licenses for Configuration Manager, contact your
preferred Microsoft Reseller or see How to purchase through Volume Licensing. You
can also download media to install an evaluation edition of Configuration Manager from
the Evaluation Center website.

To learn about baseline media for Configuration Manager, see Baseline and update
versions.

Reference for Configuration Manager
Setup
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager Setup provides links to several topics that are detailed in the
following sections. The information presented here can help you prepare to install a
Configuration Manager site or hierarchy, and help prepare you for some of the decisions
you must make during the installation.

Before you begin


Before you install new Configuration Manager sites, make sure you have reviewed the
following information, which can help set the stage for a successful deployment design:

Fundamentals of Configuration Manager

Plan for Configuration Manager infrastructure

Prepare to install Configuration Manager sites

Assess server readiness


Before you begin the installation of a new site, make sure that the site server and the
remote site system servers you plan to use for the site (for example, the server that
hosts the site database) meet all prerequisite configurations. These topics in the
documentation library can help:

Supported configurations for Configuration Manager

Prerequisite Checker

Usage data levels and settings


When you install your first Configuration Manager site, Configuration Manager
automatically installs and configures a new site system role, the service connection
point, on the site server. The service connection point has these default settings:

Online mode (an offline mode also is available)

Enhanced data collection level (two other data collection levels, Basic and Full, also
are available)

When the service connection point site system role is online, Microsoft can
automatically collect diagnostics and usage information over the Internet. Information
that is collected helps us:

Identify and troubleshoot problems

Improve our products and service

Identify updates for Configuration Manager that apply to the version of
Configuration Manager you use

Levels of data collection


Data collection includes these three levels:

Basic includes data about setup and upgrade, like the number of sites and which
Configuration Manager features are enabled. No personally identifiable
information is transmitted.

Enhanced includes the data in the Basic level setting, plus it transmits data about
the hierarchy, how each feature is used (frequency and duration), and enhanced
diagnostic information like the memory state of your server when a system or app
crash occurs. No personally identifiable data is transmitted.

Full includes the data in the Basic and Enhanced level settings, and it also sends
advanced diagnostic information like system files and memory snapshots. This
option might include personally identifiable information, but we won't use that
information to identify or contact you, or to target advertising to you.

For more information, including disclosure of the details collected by each level, see
Diagnostics and usage data for Configuration Manager.

For more information, see the Microsoft Privacy Statement.


Setup Downloader for Configuration
Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Before you run Configuration Manager setup to install or upgrade a site, you can use
the setup downloader standalone tool to download updated setup files. Run the tool
from the version of Configuration Manager that you want to install. Use updated setup
files to make sure your site installation uses current versions of key installation files.

When you use setup downloader, you specify a folder to contain the files. The account
you use to run the tool must have Full Control permissions to the download folder.
When you run setup to install or upgrade a site, you can specify this local copy of files
you previously downloaded. This behavior prevents setup from connecting to Microsoft
when you start the site install or upgrade. You can use the same local copy of setup files
for other site installations or upgrades of the same version.

The setup downloader tool downloads the following types of files:

Required prerequisite redistributable files

Language packs

The latest product updates for setup

You have two options to run setup downloader:

Run the application with the user interface

Run the application at a command prompt for additional command-line options

If your organization restricts network communication with the internet using a firewall or
proxy device, you need to allow the tool to access internet endpoints. The device where
you'll run the tool requires internet access the same as the service connection point. For
more information, see Internet access requirements.

Run setup downloader with the user interface


1. On a computer that has internet access, browse to the installation media for the
version of Configuration Manager that you want to install.

2. In the SMSSETUP\BIN\X64 subfolder, run Setupdl.exe.

3. Specify the path for the folder to store the updated installation files, and then
select Download. Setup downloader verifies the files that are currently in the
download folder. It downloads only files that are missing or that are newer than
existing files. It creates subfolders for downloaded languages, and other required
components.

4. To review the download results, see C:\ConfigMgrSetup.log.

Run setup downloader from a command prompt

1. Open a command prompt, and change directory to the installation media for the
version of Configuration Manager that you want to install.

2. Change directory to the SMSSETUP\BIN\X64 subfolder, and run Setupdl.exe with
the necessary options.

3. To review the download results, see C:\ConfigMgrSetup.log.

Command-line options

You can use the following command-line options with Setupdl.exe:

/VERIFY: Verify the files in the download folder, which include language files. For
the list of outdated files, review C:\ConfigMgrSetup.log. When you use this option,
it doesn't download any files.

/VERIFYLANG: Only verify the language files in the download folder. For the list of
outdated language files, review C:\ConfigMgrSetup.log.

/LANG: Download only the language files to the download folder.

/NOUI: Start setup downloader without the user interface. When you use this
option, the download path is required.

Download path: To automatically start the verification or download process,
specify the path to the download folder. When you use the /NOUI option, the
download path is required. If you don't specify a download path, setup
downloader prompts you to specify the path. If the folder doesn't exist, setup
downloader creates it.

Example commands

Example 1

Setup downloader verifies the files in the specified download folder, and then
downloads files.

setupdl.exe C:\Download

Example 2

Setup downloader only verifies the files in the specified download folder.

setupdl.exe /VERIFY C:\Download

Example 3

Setup downloader verifies the files in the specified download folder, and then
downloads files. The tool doesn't show any user interface.

setupdl.exe /NOUI C:\Download

Example 4

Setup downloader verifies the language files in the specified download folder, and then
downloads only the language files.

setupdl.exe /LANG C:\Download

Copy setup downloader files to another computer
1. In Windows Explorer, go to either one of the following locations:

<Configuration Manager installation media>\SMSSETUP\BIN\X64

<Configuration Manager installation path>\BIN\X64

2. Copy the following files to the same destination folder on the other computer:

setupdl.exe

.\<language>\setupdlres.dll

Note

This file is in the subfolder for the install language. For instance, English
is in the 00000409 subfolder.

The destination folders on your device should look like the following example:

C:\ConfigManInstall\setupdl.exe

C:\ConfigManInstall\00000409\setupdlres.dll

3. Run the setup downloader from the destination computer. Use either the user
interface or the command prompt.

Prerequisite Checker for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Before you run Setup to install or upgrade a Configuration Manager site, or before you
install a site system role on a new server, you can use this stand-alone application
(Prereqchk.exe) from the version of Configuration Manager that you want to use to verify
server readiness. Use Prerequisite Checker to identify and fix problems that would block
a site or site system role installation.

Note

Prerequisite Checker always runs as part of Setup.

By default, when Prerequisite Checker runs:

It validates the server where it runs.

The local computer is scanned for an existing site server, and only the checks that
are applicable to the site are run. If no existing sites are detected, all prerequisite
rules are run.

It checks rules to verify that software and settings required for setup are installed.
It's possible that some prerequisites require other configurations or software
updates that the tool doesn't check.

It logs its results in the ConfigMgrPrereq.log file on the system drive of the
computer. The log file might contain more information that doesn't appear in the
tool.

When you run Prerequisite Checker at a command prompt and specify specific
command-line options:

Prerequisite Checker only runs the checks that are associated with the site server or
site systems that you specify in the command line.
To check a remote computer, your user account must have Administrator rights to
the remote computer.

For more information, see List of prerequisite checks.

Source folders
By default, the prerequisite checker tool is in one of the following locations:

<Configuration Manager installation media>\SMSSETUP\BIN\X64

<Configuration Manager installation path>\BIN\X64

Copy to another computer
1. In Windows Explorer, go to one of the X64 source folders.

2. Copy the following files to the destination folder on the other computer:

prereqchk.exe

prereqcore.dll

prereqchkres.dll (this file is in the subfolder for the install language; for
example, English is in the 00000409 subfolder)

basesql.dll

basesvr.dll

baseutil.dll

Run with default checks
1. In Windows Explorer, go to one of the X64 source folders.

2. Run prereqchk.exe to start Prerequisite Checker.

Note

The tool requires administrative permissions on the local computer.

Prerequisite Checker detects existing sites, and if found, runs the checks for upgrade
readiness. If no sites are found, it runs all checks. The Site Type column provides
information about the site server or site system with which the rule is associated.

In the Prerequisite Checker user interface, Prerequisite Checker creates a list of
discovered problems in the Prerequisite result section.

Select an item in the list for details about how to resolve the problem.
Before you install the component, resolve all items in the list that have an Error
status.
To review results after you close the tool, open the ConfigMgrPrereq.log file in the
root of the system drive. The log file might contain more information that's not
displayed in the tool.

Run from a command prompt
1. Open a Windows command prompt as an administrator and change directory to
one of the X64 source folders.

2. To start Prerequisite Checker and run all prerequisite checks on the server, run the
following command: prereqchk.exe /LOCAL

You can also run it with other command-line options. For example, to check a primary
site:

prereqchk.exe /PRI /SQL sql01.contoso.com /SDK cmprov01.contoso.com /JOIN cas.contoso.com /MP mp01.contoso.com /DP dp01.contoso.com

Command-line options
There are four installation scenarios. The following list summarizes all of the command-
line options for each scenario:

Central administration site (CAS)

Required: /CAS, /SDK, /SQL

Optional: /EXPAND, /INSTALLDIR, /NOUI, /SCP, /SSBPORT

Primary site

Required: /PRI, /SDK, /SQL

Optional: /DP, /INSTALLDIR, /JOIN, /MP, /NOUI, /SCP, /SSBPORT

Secondary site

Required: /SEC

Optional: /INSTALLDIR, /INSTALLSQLEXPRESS, /NOUI, /SECUPGRADE, /SOURCEDIR, /SQLPORT, /SSBPORT

Configuration Manager console

/ADMINUI

For more information on these options, see the following sections.

/AdminUI

Applies to: Console

Required. This option verifies that the local computer meets the requirements for
installing the Configuration Manager console. It doesn't check any server requirements.
You can't combine this option with any other option.

/CAS

Applies to: CAS

Required. This option verifies that the local server meets the requirements for the CAS.
You can't combine it with the /PRI or /SEC options.

/DP

Applies to: Primary

Optional. Specify the FQDN of the server to host the distribution point role, for example:
/PRI /DP dp01.contoso.com

This option verifies that the specified server meets the requirements for the distribution
point site system role. This option can be used alone or with the /PRI option.

/Expand

Applies to: CAS

Optional. Specify the FQDN of a primary site, for example: /CAS /EXPAND
cmprimary.contoso.com

This option verifies that the referenced primary site meets the requirements to expand a
hierarchy with a CAS.

/InstallDir

Applies to: CAS, Primary, Secondary

Optional. Specify the local installation path, for example /InstallDir C:\ConfigMgr

This option verifies the minimum disk space for site installation.

/InstallSQLExpress

Applies to: Secondary

Optional. This option verifies that SQL Server Express can be installed on the specified
secondary site server.

/Join

Applies to: Primary

Optional. Specify the FQDN of the CAS server, for example, /PRI /JOIN cas.contoso.com

This option verifies that the local server meets the requirements for connecting to the
CAS server.

/MP

Applies to: Primary

Optional. Specify the FQDN of the server to host the management point role, for
example: /PRI /MP mp01.contoso.com

This option verifies that the specified server meets the requirements for the
management point site system role. This option can be used alone or with the /PRI
option.

/NoUI

Applies to: CAS, Primary, Secondary

Optional. This option starts the prerequisite checker without displaying the user
interface. Specify this option before any other option in the command line.

/Pri

Applies to: Primary

Required. This option verifies that the local server meets the requirements for a primary
site. You can't combine it with the /CAS or /SEC options.

/SCP

Applies to: CAS, Primary

Optional. Specify the FQDN of the server to host the service connection point. This
server may be the same as the site server.

Starting in version 2111, this option verifies that the specified computer meets the
requirements for the service connection point site system role. You can use this option
alone or with the /PRI or /CAS options.

/SDK

Applies to: CAS, Primary

Required. Specify the FQDN of the server to host the SMS Provider role. This server may
be the same as the site server.

This option verifies that the specified server meets the requirements for the SMS
Provider.

/Sec

Applies to: Secondary

Required. Specify the FQDN of the secondary site server, for example: /SEC
sec01.contoso.com

This option verifies that the specified server meets the requirements for the secondary
site. You can't combine it with the /CAS or /PRI options.

/SecUpgrade

Applies to: Secondary

Optional. Specify the FQDN of the secondary site server, for example: /SECUPGRADE
sec01.contoso.com

This option verifies that the specified server meets the requirements for the secondary
site upgrade. You can't combine it with the /CAS , /PRI , or /SEC options.

/SourceDir

Applies to: Secondary

Optional. This option verifies that the computer account of the secondary site can access
the folder that hosts the source files for Configuration Manager setup.

/SQL

Applies to: CAS, Primary

Required. Specify the fully qualified domain name (FQDN) of the SQL Server, for
example /SQL sql01.contoso.com

This option verifies that the specified server meets the requirements for SQL Server to
host the Configuration Manager site database.

/SQLPort

Applies to: Secondary

Optional. This option verifies that a firewall exception exists to allow communication for
the SQL Server service port. It also checks that the port isn't in use by another named
instance of SQL Server. The default port is 1433.

/SSBPort

Applies to: CAS, Primary, Secondary

Optional. This option verifies that a firewall exception exists to allow communication on
the SQL Server Service Broker (SSB) port. The default SSB port is 4022.
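The following PowerShell wrappers are an added example, not code from the Configuration Manager documentation or product. They build the Setupdl.exe and Prereqchk.exe command lines from the option lists on this page (the setup downloader options earlier, and the four Prereqchk scenarios above), enforce the required switches for each scenario, put /NOUI first where the page says it must precede every other option, and return the exit code together with the tail of the log file the page names. The function and parameter names are mine, and the assumption that Setupdl.exe's /NOUI combines with /VERIFY, /VERIFYLANG and /LANG is mine too; the page shows /NOUI only with a plain download.

```powershell
# Added example (not from the Configuration Manager docs or product). Assumes the tools
# sit in the X64 folder you pass in and that the log names match the ones on this page.

function Invoke-ConfigMgrTool {
    # Shared helper: run an exe with an argument list, wait for it, and return the exit
    # code plus the tail of the log it writes. Exit code meanings are not documented on
    # this page, so read the log rather than rely on the number alone.
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [Parameter(Mandatory)][string[]]$ArgumentList,
        [Parameter(Mandatory)][string]$LogPath,
        [int]$TailLines = 40
    )
    if (-not (Test-Path -LiteralPath $ExePath)) { throw "Tool not found: $ExePath" }
    $proc = Start-Process -FilePath $ExePath -ArgumentList $ArgumentList -Wait -PassThru -NoNewWindow
    [pscustomobject]@{
        CommandLine = '{0} {1}' -f $ExePath, ($ArgumentList -join ' ')
        ExitCode    = $proc.ExitCode
        LogPath     = $LogPath
        LogTail     = if (Test-Path -LiteralPath $LogPath) { Get-Content -LiteralPath $LogPath -Tail $TailLines } else { @() }
    }
}

function Invoke-SetupDownloader {
    # Setupdl.exe: one of the four documented forms (plain download, /VERIFY, /VERIFYLANG,
    # /LANG) followed by the download path. -NoUI adds /NOUI, which the page documents only
    # with a plain download; combining it with the other switches is an assumption here.
    param(
        [Parameter(Mandatory)][string]$X64Folder,
        [Parameter(Mandatory)][string]$DownloadPath,
        [ValidateSet('Download', 'Verify', 'VerifyLang', 'Lang')][string]$Mode = 'Download',
        [switch]$NoUI
    )
    $argList = @()
    if ($NoUI) { $argList += '/NOUI' }            # page: the download path is required with /NOUI
    switch ($Mode) {
        'Verify'     { $argList += '/VERIFY' }
        'VerifyLang' { $argList += '/VERIFYLANG' }
        'Lang'       { $argList += '/LANG' }
    }
    $argList += $DownloadPath
    Invoke-ConfigMgrTool -ExePath (Join-Path $X64Folder 'setupdl.exe') -ArgumentList $argList -LogPath 'C:\ConfigMgrSetup.log'
}

function Invoke-PrereqChecker {
    # Prereqchk.exe: builds the command line for one of the four scenarios, checking the
    # required options per scenario and emitting /NOUI first (the page says /NoUI must be
    # specified before any other option). /ADMINUI can't be combined with anything else.
    param(
        [Parameter(Mandatory)][string]$X64Folder,
        [Parameter(Mandatory)][ValidateSet('CAS', 'Primary', 'Secondary', 'Console')][string]$Scenario,
        [string]$Sdk, [string]$Sql, [string]$Sec, [string]$Join, [string]$Mp, [string]$Dp,
        [string]$Scp, [string]$Expand, [string]$InstallDir, [switch]$NoUI
    )
    $exe = Join-Path $X64Folder 'prereqchk.exe'
    $log = Join-Path $env:SystemDrive 'ConfigMgrPrereq.log'   # page: log is in the root of the system drive
    if ($Scenario -eq 'Console') {
        return Invoke-ConfigMgrTool -ExePath $exe -ArgumentList @('/ADMINUI') -LogPath $log
    }
    $argList = @()
    if ($NoUI) { $argList += '/NOUI' }
    switch ($Scenario) {
        'CAS' {
            if (-not ($Sdk -and $Sql)) { throw '/CAS requires /SDK <fqdn> and /SQL <fqdn>' }
            $argList += '/CAS', '/SDK', $Sdk, '/SQL', $Sql
            if ($Expand) { $argList += '/EXPAND', $Expand }
            if ($Scp)    { $argList += '/SCP', $Scp }
        }
        'Primary' {
            if (-not ($Sdk -and $Sql)) { throw '/PRI requires /SDK <fqdn> and /SQL <fqdn>' }
            $argList += '/PRI', '/SDK', $Sdk, '/SQL', $Sql
            foreach ($opt in @(@('/JOIN', $Join), @('/MP', $Mp), @('/DP', $Dp), @('/SCP', $Scp))) {
                if ($opt[1]) { $argList += $opt }
            }
        }
        'Secondary' {
            if (-not $Sec) { throw '/SEC requires the FQDN of the secondary site server' }
            $argList += '/SEC', $Sec
        }
    }
    if ($InstallDir) { $argList += '/INSTALLDIR', $InstallDir }
    Invoke-ConfigMgrTool -ExePath $exe -ArgumentList $argList -LogPath $log
}

# Usage (media mounted as D:; host names are the page's contoso.com examples):
# Invoke-PrereqChecker -X64Folder 'D:\SMSSETUP\BIN\X64' -Scenario Primary -NoUI `
#     -Sdk cmprov01.contoso.com -Sql sql01.contoso.com -Join cas.contoso.com `
#     -Mp mp01.contoso.com -Dp dp01.contoso.com
# Invoke-SetupDownloader -X64Folder 'D:\SMSSETUP\BIN\X64' -DownloadPath 'C:\Download' -Mode Verify
```

The scenario switch is the point of the wrapper: it refuses a /PRI or /CAS run without /SDK and /SQL before the tool is ever started, and it keeps /ADMINUI isolated, so a scripted readiness check fails on the command line rather than part-way through the tool's own validation.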

List of prerequisite checks for Configuration Manager
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

This article details the prerequisite checks that run when you install or update
Configuration Manager. For more information, see Prerequisite checker.

Errors

Active migration mappings on the target primary site

Applies to: Central administration site

There are no active migration mappings to primary sites.

Active replica MP

Applies to: Primary site

There's an active management point replica.

Administrative rights on expand primary site

Applies to: Central administration site

When you expand a primary site to a hierarchy, the user account that runs setup has
Administrator rights on the standalone primary site server.

Administrative rights on site system

Applies to: Central administration site, primary site, secondary site

The user account that runs Configuration Manager setup has Administrator rights on
the site server.

Administrator rights on central administration site

Applies to: Primary site

The user account that runs Configuration Manager setup has Administrator rights on
the central administration site server.

Application catalog rules are unsupported

Applies to: Primary site

Starting in version 2107, this error happens if the site has either of the following site
system roles:

Application catalog website point

Application catalog web service point

Support for the application catalog was removed in version 1910. For more information,
see Remove the application catalog.

Asset Intelligence synchronization point on the expanded primary site

Important

Starting in November 2021, this feature of Configuration Manager is deprecated.
For more information, see Asset intelligence deprecation.

Applies to: Central administration site

When you expand a primary site to a hierarchy, the Asset Intelligence synchronization
point role isn't installed on the standalone primary site.

BITS enabled

Applies to: Management point

Background Intelligent Transfer Service (BITS) is installed on the management point. This
check can fail for one of the following reasons:

BITS isn't installed

The IIS 6.0 WMI compatibility component for IIS 7.0 isn't installed on the server or
remote IIS host

Setup was unable to verify remote IIS settings. IIS common components aren't
installed on the site server.

Case-insensitive collation on SQL Server

Applies to: Site database server

The SQL Server installation uses a case-insensitive collation, such as
SQL_Latin1_General_CP1_CI_AS.

Central administration site server administrative rights on expand primary site

Applies to: Central administration site

When you expand a primary site to a hierarchy, the computer account of the central
administration site server has Administrator rights on the standalone primary site
server.

Client version on management point computer

Applies to: Management point

You're installing the management point on a server that doesn't have a different version
of the Configuration Manager client installed.

Cloud management gateway on the expanded primary site

Applies to: Central administration site

When you expand a primary site to a hierarchy, the cloud management gateway (CMG)
role isn't installed on the standalone primary site.

Connection to SQL Server on central administration site

Applies to: Primary site

The user account that runs Configuration Manager setup on the primary site to join an
existing hierarchy has the sysadmin role on the SQL Server instance for the central
administration site.

Custom client agent settings have NAP enabled

Applies to: Central administration site, primary site

There are no custom client settings that enable network access protection (NAP).

Data warehouse service point on the expanded primary site

Applies to: Central administration site

When you expand a primary site to a hierarchy, the data warehouse service point role
isn't installed on the standalone primary site.

Dedicated SQL Server instance

Applies to: Central administration site, primary site, secondary site

You configured a dedicated instance of SQL Server to host the Configuration Manager
site database.

If another site uses the instance, you must select a different instance for the new site.
You can also uninstall the other site, or move its database to a different instance for the
SQL Server.

Default client agent settings have NAP enabled

Applies to: Central administration site, primary site

The default client settings don't enable network access protection (NAP).

Domain membership (error)

Applies to: Central administration site, primary site, secondary site, SMS Provider, SQL
Server

The Configuration Manager computer is a member of a Windows domain.

Endpoint Protection point on the expanded primary site

Applies to: Central administration site

When you expand a primary site to a hierarchy, the Endpoint Protection point role isn't
installed on the standalone primary site.

Existing Configuration Manager server components on server

Applies to: Central administration site, primary site, secondary site

A site server or site system role isn't already installed on the server selected for site
installation.

Existing stand-alone primary site for version and site code

Applies to: Central administration site, primary site

The primary site you plan to expand is a standalone primary site. It has the same version
of Configuration Manager, but a different site code than the central administration site
to be installed.

Firewall exception for SQL Server

Applies to: Central administration site, primary site, secondary site, management point

The Windows Firewall is disabled or a relevant Windows Firewall exception exists for SQL
Server.

Allow Sqlservr.exe or the required TCP ports to be accessed remotely. By default, SQL
Server listens on TCP port 1433, and the SQL Server Service Broker (SSB) uses TCP port
4022.

Free disk space on site server

Applies to: Central administration site, primary site, secondary site

To install the site server, it must have at least 15 GB of free disk space. If you install the
SMS Provider on the same server, it needs an additional 1 GB of free space.

IIS service running

Applies to: Management point, distribution point

IIS is installed and running on the server for the management point or distribution point.

Incompatible collection references

Applies to: Central administration site

During an upgrade, collections reference only other collections of the same type.

Match collation of expand primary site

Applies to: Central administration site

When you expand a primary site to a hierarchy, the site database for the standalone
primary site has the same collation as the site database at the central administration
site.

Maximum text replication size for SQL Server Always On availability groups

Applies to: Site database server

When using an availability group, the max text repl size setting must be properly
configured. For more information, see Prepare to use an availability group.

Microsoft Intune Connector on the expanded primary site

Applies to: Central administration site

When you expand a primary site to a hierarchy, the Microsoft Intune Connector role isn't
installed on the standalone primary site.

Microsoft Remote Differential Compression (RDC) library registered

Applies to: Central administration site, primary site, secondary site

The RDC library is registered on the Configuration Manager site server.

Microsoft Windows Installer

Applies to: Central administration site, primary site, secondary site

Verifies the Windows Installer version.

When this check fails, setup wasn't able to verify the version, or the installed version
doesn't meet the minimum requirement of Windows Installer 4.5.

Microsoft Store for Business deprecation alert

Applies to: Central administration site, primary site

Starting in 2211, if you have a Microsoft Store for Business Connector configured, you
will see this warning while performing the upgrade. This is in conjunction with the
deprecation announcement made here.

Minimum .NET Framework version for Configuration Manager console

Applies to: Configuration Manager console

Microsoft .NET Framework 4.0 is installed on the Configuration Manager console
computer.

Minimum .NET Framework version for Configuration Manager site server

Applies to: Central administration site, primary site, secondary site

.NET Framework 3.5 is installed or enabled on the Configuration Manager site server.

Minimum .NET Framework version for SQL Server Express edition installation for
Configuration Manager secondary site

Applies to: Secondary site

.NET Framework 4.0 is installed or enabled on the Configuration Manager secondary site
server. This version is required by SQL Server Express.

Parent database collation

Applies to: Primary site, secondary site

The collation of the site database matches the collation of the parent site's database. All
sites in a hierarchy must use the same database collation.

Parent site replication status

Applies to: Central administration site, primary site

The replication status of the parent site is Replication active (state 125).

Pending system restart

Applies to: Central administration site, primary site, secondary site

Before you run setup, another program requires the server to be restarted.

To see if the computer is in a pending restart state, it checks the following registry
locations:

HKLM:Software\Microsoft\Windows\CurrentVersion\Component Based
Servicing\RebootPending

HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto
Update\RebootRequired

HKLM:SYSTEM\CurrentControlSet\Control\Session Manager,
PendingFileRenameOperations

HKLM:Software\Microsoft\ServerManager, CurrentRebootAttempts
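As an added example that is not part of the documentation or the tool, this PowerShell function evaluates the same four registry locations listed above, so you can see why a server would be reported as pending a restart before you run setup. Whether Prereqchk tests for the key's presence or for a value's contents isn't stated on this page; treating key presence (and a non-empty PendingFileRenameOperations value) as pending is my assumption. The paths use the PowerShell drive form with a backslash after HKLM:, which the list above omits.

```powershell
# Added example (not from the Configuration Manager docs or product). Checks the four
# registry locations the "Pending system restart" rule lists. Assumption: key presence,
# or a non-empty value, counts as pending; the exact test Prereqchk applies isn't documented here.

function Test-ConfigMgrPendingRestart {
    [CmdletBinding()]
    param()
    $reasons = New-Object System.Collections.Generic.List[string]

    # 1. Component Based Servicing\RebootPending: exists while a servicing operation awaits a restart
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    if (Test-Path -LiteralPath $cbs) { $reasons.Add('Component Based Servicing: RebootPending key exists') }

    # 2. WindowsUpdate\Auto Update\RebootRequired: exists after an update that needs a restart
    $wu = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if (Test-Path -LiteralPath $wu) { $reasons.Add('Windows Update: RebootRequired key exists') }

    # 3. Session Manager\PendingFileRenameOperations: multi-string of files to rename or delete at boot
    $sm = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
            -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) {
        $count = @($sm.PendingFileRenameOperations).Count
        $reasons.Add("Session Manager: $count PendingFileRenameOperations entries")
    }

    # 4. ServerManager\CurrentRebootAttempts: value used as a pending-restart indicator
    $srv = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\ServerManager' `
            -Name CurrentRebootAttempts -ErrorAction SilentlyContinue
    if ($srv -and $null -ne $srv.CurrentRebootAttempts) {
        $reasons.Add("Server Manager: CurrentRebootAttempts = $($srv.CurrentRebootAttempts)")
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PendingRestart = ($reasons.Count -gt 0)
        Reasons        = $reasons.ToArray()
    }
}

# Usage: run before setup; if PendingRestart is $true, restart the server and run it again.
# Test-ConfigMgrPendingRestart | Format-List
```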

Primary FQDN

Applies to: Central administration site, primary site, secondary site, site database server

The NetBIOS name of the computer matches the local hostname in the fully qualified
domain name (FQDN).

Read-only domain controller

Applies to: Central administration site, primary site, secondary site

Site database servers and secondary site servers aren't supported on a read-only
domain controller (RODC).

For more information, see Installing SQL Server on a domain controller.

Required SQL Server collation

Applies to: Central administration site, primary site, secondary site

The instance for SQL Server is configured to use the SQL_Latin1_General_CP1_CI_AS
collation.

If the Configuration Manager site database is already installed, this check also applies to
the database. For information about changing your SQL Server instance and database
collations, see SQL Server collation and unicode support.

If you're using a Chinese OS and require GB18030 support, this check doesn't apply. For
more information about enabling GB18030 support, see International support.

Required version of Microsoft .NET Framework (error)

Applies to: CAS, primary site, secondary site

This rule checks if the .NET Framework is at least version 4.6.2. You'll see this error if the
system has less than version 4.6.2.

Starting in version 2111, Configuration Manager requires Microsoft .NET Framework
version 4.6.2 for site servers, specific site systems, clients, and the console. If possible in
your environment, .NET version 4.8 is recommended. A later version of Configuration
Manager will require .NET version 4.8. Before you run setup to install or update the site,
first update .NET and restart the system. For more information, see Site and site system
prerequisites.

Note
Third-party add-ons that use Microsoft .NET Framework and rely on Configuration
Manager libraries also need to use .NET 4.6.2 or later. For more information, see
External dependencies require .NET 4.6.2.

To determine the systems that need to be updated, review the
ConfigMgrPrereq.log found on the system drive of the computer.

Important

If you're upgrading from System Center 2012 Configuration Manager R2 Service
Pack 1, you need to manually verify that remote site systems have at least .NET
version 4.6.2. Configuration Manager current branch setup skips the check in this
scenario.

Server service is running

Applies to: Central administration site, primary site, secondary site

The Server service is started and running.

Setup source folder

Applies to: Secondary site

The computer account for the secondary site has the following permissions to the setup
source folder and share:

Read NTFS file system permissions

Read share permissions

Note
If you use administrative shares, for example, C$ and D$, the secondary site
computer account must be an Administrator on the server.

Setup source version

Applies to: Secondary site

The Configuration Manager version in the specified source folder for the secondary site
installation matches the Configuration Manager version of the primary site.

Site code in use

Applies to: Primary site

The specified site code isn't already in use in the Configuration Manager hierarchy.
Specify a unique site code for this site.

Site server computer account administrative rights

Applies to: Primary site, site database server

The site server computer account has Administrator rights on the SQL Server and
management point.

Site server FQDN length

Applies to: Central administration site, primary site, secondary site

The length of the FQDN of the site server.

Site server in passive mode on the expanded primary site

Applies to: Central administration site

When you expand a primary site to a hierarchy, the site server in passive mode role isn't
installed on the standalone primary site.

SMS Provider in same domain as site server

Applies to: SMS Provider

Any instance of the SMS Provider is in the same domain as the site server.

Software update point in NLB configuration

Applies to: Software update point

The site isn't using network load balancing (NLB) with any virtual locations for active
software update points.

Software update point using a load balancer

Applies to: Software update point

Configuration Manager doesn't support software update points on network (NLB) or
hardware load balancers (HLB).

SQL Server Always On availability groups

Applies to: Site database server

When using an availability group, the server must meet the minimum requirements. For
more information, see Prepare to use an availability group.

SQL Server Always On availability group configured for readable secondaries

Applies to: Site database server

When using an availability group, check the secondary read state of the replicas.

SQL Server Always On availability group configured for manual failover

Applies to: Site database server

When using an availability group, configure the replicas for manual failover.

SQL Server Always On availability group replicas on default instance

Applies to: Site database server

When using an availability group, replicas are on the default instance.

SQL Server Always On availability group replicas must all have the same seeding mode

Applies to: Site database server

When using an availability group, you need to configure replicas with the same seeding
mode.

SQL Server Always On availability group replicas must be healthy

Applies to: Site database server

When using an availability group, replicas are in a healthy state.


SQL Server configuration for site upgrade

Applies to: Site database server

The SQL Server meets the minimum requirements for site upgrade. For more
information, see Supported SQL Server versions.

SQL Server edition

Applies to: Site database server

SQL Server at the site isn't SQL Server Express.

SQL Server Express database size on secondary site

Applies to: Secondary site

Starting in version 2107, this check fails if the amount of replicated data from the
primary site exceeds the 10-GB size limit of SQL Server Express. For more
information, see Configuration Manager site sizing and performance FAQ.

SQL Server Express on secondary site

Applies to: Secondary site

SQL Server Express can successfully install on the secondary site server.

SQL Server on the secondary site server

Applies to: Secondary site

SQL Server is installed on the secondary site server. You can't install SQL Server on a
remote site system for a secondary site.

Warning
This check only applies when you select to have setup use an existing instance of
SQL Server.

SQL Server service running account

Applies to: Central administration site, primary site, secondary site

The sign-in account for the SQL Server service isn't a local user account or LOCAL
SERVICE.

Configure the SQL Server service to use a valid domain account, NETWORK SERVICE, or
LOCAL SYSTEM.

SQL Server site database consistency

Applies to: Site database server

Verify database consistency.

SQL Server sysadmin rights

Applies to: Site database server

The user account that runs Configuration Manager setup has the sysadmin role on the
SQL Server instance that you selected for site database installation. This check also fails
when setup is unable to access the instance for the SQL Server to verify permissions.

SQL Server sysadmin rights for reference site

Applies to: Site database server

The user account that runs Configuration Manager setup has the sysadmin role on the
SQL Server role instance that you selected as the reference site database. SQL Server
sysadmin role permissions are required to modify the site database.

SQL Server TCP port

Applies to: Site database server

TCP is enabled for the SQL Server instance, and is set to use a static port.
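The SQL Server entries above (Required SQL Server collation, SQL Server service running account, SQL Server TCP port, and the firewall exception for TCP 1433 and the SSB port 4022) can be pre-verified on the database server before Prereqchk runs. The PowerShell below is an added example, not part of the documentation or the tool: it queries SERVERPROPERTY('Collation') over a local Windows-authenticated connection, reads the TCP settings from the instance's SuperSocketNetLib registry key, inspects the service account, and looks for enabled inbound allow rules on the two ports. The function names are mine; the registry layout under HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server is the standard SQL Server one, and the script assumes it runs on the database server as an administrator.

```powershell
# Added example (not from the Configuration Manager docs or product). Run on the site
# database server as an administrator. Reproduces the intent of the collation, service
# account, TCP port and firewall checks listed on this page; it's a pre-check, not Prereqchk.

function Get-SqlRegistryId {
    # Maps an instance name to its registry id (e.g. MSSQL15.MSSQLSERVER) via Instance Names\SQL.
    param([string]$InstanceName = 'MSSQLSERVER')
    $names = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $id = $names.$InstanceName
    if (-not $id) { throw "SQL Server instance '$InstanceName' not found on $env:COMPUTERNAME" }
    return $id
}

function Get-SqlServerCollation {
    # Runs SELECT SERVERPROPERTY('Collation') with integrated security; no SqlServer module needed.
    param([string]$ServerInstance)
    $conn = New-Object System.Data.SqlClient.SqlConnection ("Server=$ServerInstance;Database=master;Integrated Security=True")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128))"
        return [string]$cmd.ExecuteScalar()
    } finally { $conn.Dispose() }
}

function Test-InboundTcpRule {
    # True if at least one enabled inbound Allow rule names the given TCP port
    # (port ranges such as 1000-2000 are not expanded by this simple check).
    param([int]$Port)
    $filters = Get-NetFirewallPortFilter -Protocol TCP | Where-Object { @($_.LocalPort) -contains "$Port" }
    foreach ($f in $filters) {
        $rule = $f | Get-NetFirewallRule
        if ($rule.Enabled -eq 'True' -and $rule.Direction -eq 'Inbound' -and $rule.Action -eq 'Allow') { return $true }
    }
    return $false
}

function Test-ConfigMgrSqlReadiness {
    param([string]$InstanceName = 'MSSQLSERVER', [int]$SsbPort = 4022)   # page: default SSB port is 4022
    $id      = Get-SqlRegistryId -InstanceName $InstanceName
    $tcpKey  = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$id\MSSQLServer\SuperSocketNetLib\Tcp"
    $tcp     = Get-ItemProperty -LiteralPath $tcpKey
    $ipAll   = Get-ItemProperty -LiteralPath "$tcpKey\IPAll"
    $svcName = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { 'MSSQL$' + $InstanceName }
    $svc     = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
    if (-not $svc) { throw "Service $svcName not found" }
    $server  = if ($InstanceName -eq 'MSSQLSERVER') { $env:COMPUTERNAME } else { "$env:COMPUTERNAME\$InstanceName" }
    $collation = Get-SqlServerCollation -ServerInstance $server

    # Page: TCP enabled and a static port. IPAll\TcpPort set with TcpDynamicPorts empty means static.
    $staticPort = if ($tcp.Enabled -eq 1 -and $ipAll.TcpPort -and -not $ipAll.TcpDynamicPorts) { [int]$ipAll.TcpPort } else { $null }

    # Page: the service account must not be a local user account or LOCAL SERVICE.
    # Win32_Service reports LOCAL SERVICE as NT AUTHORITY\LocalService; local users as .\name or HOST\name.
    $acct = [string]$svc.StartName
    $badAccount = ($acct -match '^NT AUTHORITY\\LOCAL ?SERVICE$') -or
                  $acct.StartsWith('.\') -or
                  $acct.StartsWith("$env:COMPUTERNAME\", 'OrdinalIgnoreCase')

    [pscustomobject]@{
        Instance          = $server
        Collation         = $collation
        CollationOk       = ($collation -eq 'SQL_Latin1_General_CP1_CI_AS')
        ServiceAccount    = $acct
        ServiceAccountOk  = -not $badAccount
        StaticTcpPort     = $staticPort
        StaticTcpPortOk   = ($null -ne $staticPort)
        SqlPortFirewallOk = if ($staticPort) { Test-InboundTcpRule -Port $staticPort } else { $false }
        SsbPortFirewallOk = Test-InboundTcpRule -Port $SsbPort
    }
}

# Usage: Test-ConfigMgrSqlReadiness | Format-List
# Named instance: Test-ConfigMgrSqlReadiness -InstanceName CM01
```

The firewall check deliberately looks at rules rather than probing the port: a port that answers locally says nothing about whether a remote site system can reach it through the host firewall, which is what the page's "Firewall exception for SQL Server" rule is about.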

SQL Server version

Applies to: Site database server

A supported version of SQL Server is installed on the specified site database server.

For more information, see Support for SQL Server versions.


Unsupported OS for Configuration Manager console

Applies to: Configuration Manager console

Install the Configuration Manager console on computers that run a supported OS
version.

For more information, see the Supported OS versions for the Configuration Manager
console.

Unsupported OS for site server

Applies to: Central administration site, primary site, secondary site, Configuration
Manager console, management point, distribution point

The server runs a supported OS version.

For more information, see Supported OS versions for Configuration Manager site system
servers.

Unsupported site system role: out of band service point

Applies to: Primary site

The out of band service point site system role isn't installed.

Unsupported site system role: system health validation point

Applies to: Primary site

The system health validation point site system role isn't installed.

Unsupported upgrade path

Applies to: Central administration site, primary site

All site servers in the hierarchy meet the Configuration Manager minimum version that's
required for upgrade.

USMT installed

Applies to: Central administration site, primary site (standalone only)

The User State Migration Tool (USMT) component of the Windows Assessment and
Deployment Kit (ADK) for Windows is installed.

Validate FQDN of SQL Server

Applies to: Site database server

You specified a valid FQDN for the SQL Server computer.

Verify central administration site version

Applies to: Primary site

The central administration site has the same version of Configuration Manager.

Verify database consistency

Applies to: Central administration site, primary site

Verifies consistency of the site database in SQL Server.

Windows Deployment Tools installed

Applies to: SMS Provider

The Windows Deployment Tools component of the Windows ADK is installed.

Windows Failover Cluster

Applies to: Site server, management point, distribution point

Servers with the site server, management point, or distribution point roles aren't part of a
Windows Cluster.

The Configuration Manager setup process doesn't block installation of the site server
role on a computer with the Windows role for Failover Clustering. SQL Server Always On
availability groups require this role, so previously you couldn't colocate the site database
on the site server. With this change, you can create a highly available site with fewer
servers by using an availability group and a site server in passive mode. For more
information, see High availability options.

Windows PE installed

Applies to: SMS Provider

The Windows Preinstallation Environment (PE) component of the Windows ADK is
installed.

Warnings

Active Directory domain functional level

Applies to: Central administration site, primary site

The Active Directory domain and forest functional level is a minimum of Windows Server
2008 R2. For more information, see Support for Active Directory domains.

Administrative rights on distribution point

Applies to: Distribution point

The user account running setup has Administrator rights on the distribution point.

Administrative rights on management point

Applies to: Management point, distribution point

The computer account of the site server has Administrator rights on the management
point and distribution point.

Administrative share (site system)

Applies to: Management point

The required administrative shares are present on the site system computer.

Application compatibility

Applies to: Central administration site, primary site

Current applications are compliant with the application schema.

Backlogged inboxes

Applies to: Central administration site, primary site

The site server is processing critical inboxes in a timely fashion. Inboxes don't contain
files older than one day.

It checks the following inbox folders:

despoolr.box\receive\*.i??

despoolr.box\receive\*.s??

despoolr.box\receive\*.nil

schedule.box\requests\*.sr?

To resolve this warning, check whether the despooler and scheduler site system
components are running.
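To reproduce the Backlogged inboxes check outside the tool, the PowerShell below (an added example, not from the documentation or the product) scans the four inbox patterns listed above for files older than one day and reports per pattern. The -InboxRoot parameter is the site server's inboxes folder; the demo function builds a throwaway folder tree under TEMP with constructed, back-dated files so the output can be seen without a site server. The function names, the threshold parameter and the assumed default install path in the usage note are mine.

```powershell
# Added example (not from the Configuration Manager docs or product). Mirrors the
# "Backlogged inboxes" warning: files older than one day under the four patterns
# the page lists. -InboxRoot is the site server's inboxes folder (assumption: the
# folder named 'inboxes' under the Configuration Manager installation directory).

$ConfigMgrCriticalInboxPatterns = @(
    'despoolr.box\receive\*.i??',
    'despoolr.box\receive\*.s??',
    'despoolr.box\receive\*.nil',
    'schedule.box\requests\*.sr?'
)

function Get-ConfigMgrInboxBacklog {
    param(
        [Parameter(Mandatory)][string]$InboxRoot,
        [int]$MaxAgeDays = 1            # page: inboxes shouldn't hold files older than one day
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    foreach ($pattern in $ConfigMgrCriticalInboxPatterns) {
        $files  = @(Get-ChildItem -Path (Join-Path $InboxRoot $pattern) -File -ErrorAction SilentlyContinue)
        $stale  = @($files | Where-Object { $_.LastWriteTime -lt $cutoff })
        $oldest = $files | Sort-Object LastWriteTime | Select-Object -First 1
        [pscustomobject]@{
            Pattern    = $pattern
            TotalFiles = $files.Count
            StaleFiles = $stale.Count
            OldestFile = if ($oldest) { $oldest.LastWriteTime } else { $null }
            Backlogged = ($stale.Count -gt 0)   # one stale file is enough to trigger the warning
        }
    }
}

function Invoke-InboxBacklogDemo {
    # Builds a constructed inbox tree in TEMP with one fresh despooler file and one
    # two-day-old scheduler request, runs the check, and removes the tree afterwards.
    $root = Join-Path ([IO.Path]::GetTempPath()) ('cm-inboxes-' + [guid]::NewGuid().ToString('N'))
    try {
        New-Item -ItemType Directory -Path (Join-Path $root 'despoolr.box\receive') -Force | Out-Null
        New-Item -ItemType Directory -Path (Join-Path $root 'schedule.box\requests') -Force | Out-Null
        New-Item -ItemType File -Path (Join-Path $root 'despoolr.box\receive\fresh.i01') | Out-Null
        $old = New-Item -ItemType File -Path (Join-Path $root 'schedule.box\requests\stuck.sr1')
        $old.LastWriteTime = (Get-Date).AddDays(-2)      # constructed: simulate a stuck scheduler request
        Get-ConfigMgrInboxBacklog -InboxRoot $root
    } finally {
        Remove-Item -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage on a site server (path is an assumed default install location, not from the page):
# Get-ConfigMgrInboxBacklog -InboxRoot 'C:\Program Files\Microsoft Configuration Manager\inboxes' |
#     Where-Object Backlogged
# Offline demo: Invoke-InboxBacklogDemo | Format-Table
```

In the demo only the schedule.box\requests\*.sr? row comes back with Backlogged set, which is the row that points you at the scheduler component the page tells you to check.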

BITS installed

Applies to: Management point

The Background Intelligent Transfer Service (BITS) is installed and enabled in IIS.

Check for a cloud management gateway (CMG) as a cloud service (classic)

Applies to: Central administration site, primary site

Starting in version 2203, this warning displays if you have a cloud management gateway
(CMG) deployed with the classic cloud service. The option to deploy a CMG as a cloud
service (classic) is deprecated. All CMG deployments should use a virtual machine scale
set. If you have a CMG deployed with the classic cloud service, you can convert it to a
virtual machine scale set deployment. For more information, see Convert a CMG to a
virtual machine scale set.

Check for site system roles associated with deprecated or removed features

Applies to: Central administration site, primary site

Starting in version 2203, this warning appears if there are site system roles installed for
deprecated features that will be removed in a future release. Remove the following site
system roles:
Enrollment point
Enrollment point proxy

For more information, see Remove a site system role.

The device management point is also deprecated. It's a management point that you
allow for mobile and macOS devices. You can entirely remove the role, or you can
reconfigure the management point. On the properties of the management point site
system role, disable the option to Allow mobile devices and Mac computers to use this
management point. Disabling this option effectively turns the device management point
into a regular management point. For more information, see Configure roles for
on-premises MDM.

Check if the site uses Microsoft Operations Management Suite (OMS) Connector

Applies to: Central administration site, primary site

Starting in version 2103, this check warns about the presence of the Log Analytics
connector for Azure Monitor. (This feature is called the OMS Connector in the Azure
Services wizard.)

Check if the site uses Upgrade Readiness cloud service connector

Applies to: Central administration site, primary site

The Upgrade Readiness service is retired as of January 31, 2020. For more information,
see Windows Analytics retirement on January 31, 2020.

Desktop Analytics is the evolution of Windows Analytics. For more information, see
What is Desktop Analytics.

If your Configuration Manager site had a connection to Upgrade Readiness, you need to
remove it and reconfigure clients. For more information, see Remove Upgrade Readiness
connection.

If you ignore this prerequisite warning, Configuration Manager setup automatically
removes the Upgrade Readiness connector.

Check if the site uses the asset intelligence synchronization point role

Applies to: Central administration site, primary site

Starting in version 2203, this warning displays if you have the asset intelligence
synchronization point site system role. The asset intelligence feature is deprecated and
will be removed in a future release. Remove the asset intelligence synchronization point
role. For more information, see Remove a site system role.

Cloud management gateway requires either token-based authentication or an HTTPS management point

Applies to: Cloud management gateway

With some versions of Configuration Manager, you can't use an HTTP management
point with the cloud management gateway (CMG). Either configure the CMG for HTTPS,
or configure the site for enhanced HTTP. For more information, see Overview of cloud
management gateway.

Configuration for SQL Server memory usage

Applies to: Site database server

SQL Server is configured for unlimited memory use. Configure SQL Server memory to
have a maximum limit.

Distribution point package version

Applies to: Distribution points

All distribution points in the site have the latest version of software distribution
packages.

Domain membership (warning)

Applies to: Management point, distribution point

The Configuration Manager computer is a member of a Windows domain.

Desktop Analytics is being retired

Desktop Analytics will be retired on November 30, 2022. Check out the new reports in
the Microsoft Intune admin center. For more information, see
https://go.microsoft.com/fwlink/?linkid=2186861.

Enable site system roles for HTTPS or Enhanced HTTP

Applies to: central administration site, primary site

Starting in version 2103, if your site is configured to allow HTTP communication without
enhanced HTTP, you'll see this warning. To improve the security of client
communications, in the future Configuration Manager will require HTTPS
communication or enhanced HTTP.

This check looks at the following settings:

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. Select a site, and then in the ribbon select Properties.

3. Switch to the Communication Security tab.

Configure one of the following options:

HTTPS only: This site setting requires that all site systems that use IIS use
HTTPS. These site systems need a server authentication certificate, and clients
need a client authentication certificate. For more information, see Plan a
transition strategy for PKI certificates.

HTTPS or HTTP and Use Configuration Manager-generated certificates for
HTTP site systems: This combination of settings enables Enhanced HTTP.

Note

If you see this warning when updating the central administration site, it may be
because of a child primary site.

Firewall exception for SQL Server (standalone primary site)

Applies to: Primary site (standalone only)

The Windows Firewall is disabled, or a relevant Windows Firewall exception exists for
SQL Server.

Allow Sqlservr.exe or the required TCP ports to be accessed remotely. By default, SQL
Server listens on TCP port 1433, and the SQL Server Service Broker (SSB) uses TCP port 4022.

Firewall exception for SQL Server for management point

Applies to: Management point

The Windows Firewall is disabled, or a relevant Windows Firewall exception exists for
SQL Server.

IIS HTTPS configuration

Applies to: Management point, distribution point

The IIS website has bindings for the HTTPS communication protocol.

When you install site roles that require HTTPS, configure IIS site bindings on the
specified server with a valid public key infrastructure (PKI) certificate.

Invalid discovery records

Applies to: central administration site

There are discovery records that are no longer valid. These records will be marked for
deletion.

Network Access Account (NAA) account usage alert

Applies to: central administration site, Primary site

If your site is configured with a network access account (NAA), you'll see this warning.
To improve the security of distribution points that use an NAA, review the existing
accounts and their permissions. If an account has more than the minimum required
permissions, remove it and add an account with minimal permissions. Don't use an
account with administrator-level permissions as the NAA. If the site server is configured
for HTTPS or enhanced HTTP (EHTTP), it's recommended to remove the NAA, which is
then unused.

For more information, see Permissions for the network access account.

Network access protection (NAP) is no longer supported

Applies to: Primary site

There are no software updates that are enabled for NAP.

NTFS drive on site server

Applies to: Primary site

The disk drive is formatted with the NTFS file system. For better security, install site
server components on disk drives formatted with the NTFS file system.

Pending configuration item policy updates

Applies to: Primary site

You may see this warning if you have many application deployments and at least one of
them requires approval.

You have two options:

Ignore the warning and continue with the update. This action causes higher
processing on the site server during the update as it processes the policies. You
may also see more processor load on the management point after the update.

Revise one of the applications that has no requirements or a specific OS
requirement. Pre-process some of the load on the site server at that time. Review
objreplmgr.log, and then monitor the processor on the management point. After
the processing is complete, update the site. There will still be some additional
processing after the update, but less than if you ignore the warning with the first
option.

Pending system restart on the remote SQL Server

Applies to: remote SQL Server

Before you run setup, another program requires the server to be restarted.

To see if the computer is in a pending restart state, it checks the following registry
locations:

HKLM:Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending

HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired

HKLM:SYSTEM\CurrentControlSet\Control\Session Manager, PendingFileRenameOperations

HKLM:Software\Microsoft\ServerManager, CurrentRebootAttempts
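To see why this check fires on a remote SQL Server before you run setup, the following PowerShell function, added here as an example and not part of the original documentation, inspects the same four registry locations. It assumes PowerShell remoting (WinRM) is enabled on the target when -ComputerName is given; without it, the local computer is checked. The server name 'SQL01' is a placeholder.

```powershell
function Test-PendingRestart {
    <#
    .SYNOPSIS
    Reports whether a computer has a pending restart, using the same registry
    locations as the "Pending system restart" prerequisite check.
    #>
    [CmdletBinding()]
    param(
        # Remote SQL Server to inspect; omit to check the local computer.
        # Assumes PowerShell remoting (WinRM) is enabled on the remote server.
        [string]$ComputerName
    )

    $probe = {
        $reasons = @()

        # Component Based Servicing creates this key when a servicing operation needs a reboot.
        $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        if (Test-Path -LiteralPath $cbs) {
            $reasons += 'Component Based Servicing: RebootPending key present'
        }

        # Windows Update creates this key when an installed update is waiting for a restart.
        $wu = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
        if (Test-Path -LiteralPath $wu) {
            $reasons += 'Windows Update: RebootRequired key present'
        }

        # Session Manager holds file renames (for example, in-use DLL replacements) deferred to the next boot.
        $sm = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                               -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
        if ($sm -and $sm.PendingFileRenameOperations) {
            $reasons += 'Session Manager: PendingFileRenameOperations value is non-empty'
        }

        # Server Manager records reboot attempts for roles and features awaiting a restart.
        $srv = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\ServerManager' `
                                -Name CurrentRebootAttempts -ErrorAction SilentlyContinue
        if ($srv -and $srv.CurrentRebootAttempts -gt 0) {
            $reasons += "Server Manager: CurrentRebootAttempts = $($srv.CurrentRebootAttempts)"
        }

        [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            PendingRestart = ($reasons.Count -gt 0)
            Reasons        = $reasons
        }
    }

    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe
    }
    else {
        & $probe
    }
}

# Example usage: check the remote site database server before running setup.
# 'SQL01' is a placeholder; replace it with the name of your SQL Server.
$result = Test-PendingRestart -ComputerName 'SQL01'
if ($result.PendingRestart) {
    $details = $result.Reasons -join "`n  "
    Write-Warning ("Restart {0} before running setup:`n  {1}" -f $result.ComputerName, $details)
}
else {
    Write-Output "$($result.ComputerName) has no pending restart."
}
```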

PowerShell 2.0 on site server

Applies to: Primary site with Exchange connector

Windows PowerShell 2.0 or a later version is installed on the site server for the
Configuration Manager Exchange Connector.

Recommended version of Microsoft .NET Framework

Applies to: CAS, primary site, secondary site

This rule checks if the .NET Framework is at least version 4.8. You'll see this warning if
the system has at least version 4.6.2, but less than version 4.8.

Starting in version 2107, Configuration Manager requires Microsoft .NET Framework
version 4.6.2 for site servers, specific site systems, clients, and the console. If possible in
your environment, .NET version 4.8 is recommended. A later version of Configuration
Manager will require .NET version 4.8. Before you run setup to install or update the site,
first update .NET and restart the system. For more information, see Site and site system
prerequisites.

Remote connection to WMI on secondary site

Applies to: Secondary site

Setup can establish a remote connection to WMI on the secondary site server.

Required version of Microsoft .NET Framework (warning)

Applies to: CAS, primary site, secondary site

In version 2107, this rule checks if the .NET Framework is at least version 4.6.2. You'll see
this warning if the system has less than version 4.6.2.

Important

Starting in version 2111, if this check fails, it returns an error instead of a warning.
To determine the systems that need to be updated, review the
ConfigMgrPrereq.log found on the system drive of the computer.

Configuration Manager requires Microsoft .NET Framework version 4.6.2 for site servers,
specific site systems, clients, and the console. If possible in your environment, .NET
version 4.8 is recommended. A later version of Configuration Manager will require .NET
version 4.8. Before you run setup to install or update the site, first update .NET and
restart the system. For more information, see Site and site system prerequisites.

Resource access policies are no longer supported

Applies to: CAS, primary site

Starting in version 2203, resource access policies are no longer supported. Remove the
certificate registration point site system role and all policies for company resource
access features:

Certificate profiles
VPN profiles
Wi-Fi profiles
Windows Hello for Business settings
Email profiles
The co-management resource access workload

For more information, see Frequently asked questions about resource access
deprecation.

For more information on removing the certificate registration point role, see Remove a
site system role.

Schema extensions
Applies to: Central administration site, primary site

This check reports whether the Active Directory schema has been extended and, if it is,
the version of the schema extensions that were used.

Configuration Manager doesn't require Active Directory schema extensions for site
server installation. Microsoft recommends them for the full use of all Configuration
Manager features. For more information about the advantages of extending the schema,
see Prepare Active Directory for site publishing.

Share name in package

Applies to: Central administration site, primary site

Packages don't have invalid characters in the share name, such as #.

Site system to SQL Server communication

Applies to: Secondary site, management point

The account that you configured to run the SQL Server service for the site database
instance has a valid service principal name (SPN) in Active Directory Domain Services.
Register a valid SPN in Active Directory to support Kerberos authentication.

SQL Server 2012 lifecycle

Applies to: CAS, primary site, secondary site

This rule warns about the presence of SQL Server 2012. The support lifecycle for SQL Server
2012 ends on July 12, 2022. Plan to upgrade database servers in your environment,
including SQL Server Express at secondary sites.

For more information, see Removed and deprecated for site servers: SQL Server.

SQL Server change tracking cleanup

Applies to: Site database server

Check if the site database has a backlog of SQL Server change tracking data.

Manually verify this check by running a diagnostic stored procedure in the site database.
First, create a diagnostic connection to your site database. The easiest method is to use
SQL Server Management Studio's Database Engine Query Editor, and connect to
admin:<instance name>.

In a dedicated administrator connection query window, run the following commands:

SQL

USE <ConfigMgr database name>

EXEC spDiagChangeTracking

Depending upon the size of your database and the backlog size, this stored procedure
could run in a few minutes or several hours. When the query completes, you see two
sections of data related to the backlog. First look at CT_Days_Old. This value tells you
the age (days) of the oldest entry in your syscommittab table. It should be five days,
which is the Configuration Manager default value. Don't change this default value. At
times of heavy data processing or replication, the oldest entry in syscommittab could be
over five days. If this value is above seven days, run a manual cleanup of change
tracking data.

To clean up the change tracking data, run the following command in the dedicated
administration connection:

SQL

USE <ConfigMgr database name>

EXEC spDiagChangeTracking @CleanupChangeTracking = 1

This command starts a cleanup of syscommittab and all of the associated side tables. It
can run in several minutes or several hours. To monitor its progress, query the vLogs
view. To see the current progress, run the following query:

SQL

SELECT * FROM vLogs WHERE ProcedureName = 'spDiagChangeTracking'

SQL Server Express version on secondary site

Applies to: Secondary site

Starting in version 2103, if you have a secondary site that uses SQL Server Express
edition, this check warns if the version is earlier than SQL Server 2016 with service pack 2
(13.0.5026.0). If Configuration Manager didn't install SQL Server Express, then setup
skips this check. Setup looks for the presence of the CONFIGMGRSEC instance.

Microsoft recommends that you keep SQL Server Express up to date. For more
information, see Security for site administration.

SQL Server Native Client

When you install a new site, Configuration Manager automatically installs SQL Server
Native Client as a redistributable component. After the site is installed, Configuration
Manager doesn't upgrade SQL Server Native Client. Updating the SQL Server Native
Client may require a restart, which can impact the site install process.

This check makes sure the site server has a supported version of the SQL Server Native
Client. The prerequisite check doesn't verify the version of the SQL Server Native Client
on remote site systems.

The minimum version is SQL Server 2012 SP4 (11.*.7001.0). This SQL Server Native
Client version supports TLS 1.2. For more information, see the following articles:

TLS 1.2 support for Microsoft SQL Server

How to enable TLS 1.2 for Configuration Manager

Configuration Manager uses SQL Server Native Client on the following site system roles:

Site database server
Site server: central administration site, primary site, or secondary site
Management point
Device management point
State migration point
SMS Provider
Software update point
Multicast-enabled distribution point
Asset Intelligence update service point
Reporting services point
Enrollment point
Endpoint Protection point
Service connection point
Certificate registration point
Data warehouse service point

SQL Server process memory allocation

Applies to: Site database server

SQL Server reserves a minimum of 8 GB of memory for the central administration site
and primary site, and a minimum of 4 GB of memory for the secondary site.

For more information, see SQL Server memory configuration options.

Note

This check isn't applicable to SQL Server Express on a secondary site. This edition is
limited to 1 GB of reserved memory.

SQL Server security mode

Applies to: Site database server

SQL Server is configured for Windows authentication security.

Unsupported site system OS version for upgrade

Applies to: Primary site, secondary site

Site system roles other than distribution points are installed on servers running
Windows Server 2012 or later.

For more information, see Supported operating systems for Configuration Manager site
system servers.

Note

This check can't resolve the status of site system roles installed in Azure or for the
cloud storage used by Microsoft Intune. Ignore warnings for these roles as false
positives.

Upgrade Assessment Toolkit is unsupported

Applies to: Central administration site, primary site

The Upgrade Assessment Toolkit isn't installed. For more information, see Removed and
deprecated features.

Verify site server permissions to publish to Active Directory

Applies to: Central administration site, primary site, secondary site

The computer account for the site server has Full Control permissions to the System
Management container in the Active Directory domain.

For more information, see Prepare Active Directory for site publishing.

Note

If you manually verify the permissions, you can ignore this warning.

Windows Remote Management (WinRM) v1.1

Applies to: Primary site, Configuration Manager console

WinRM 1.1 is installed on the primary site server or the Configuration Manager console
computer to run the out-of-band management console.

WinRM is automatically installed with all versions of Windows currently supported. For
more information, see Installation and configuration for Windows Remote Management.

Windows Server 2012/R2 lifecycle

Applies to: Central administration site, primary site, secondary site

Starting in version 2203, this warning displays if you have site systems running a version
of Windows Server that will soon be out of support. The support lifecycle for Windows
Server 2012 and Windows Server 2012 R2 ends on October 10, 2023. Plan to upgrade
the OS on your site servers. For more information, see the following blog post: Know
your options for SQL Server 2012 and Windows Server 2012 end of support .

WSUS on site server

Applies to: Central administration site, primary site

A supported version of Windows Server Update Services (WSUS) is installed on the site
server.

When you use a software update point on a server other than the site server, you must
install the WSUS Administration Console on the site server. For more information about
WSUS, see Windows Server Update Services.

Resources for installing Configuration Manager sites
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The following articles can help you install Configuration Manager or add sites to your
existing Configuration Manager hierarchy.

Prepare to install sites

This article offers essential information that can help you install a site to a new or
existing hierarchy. Information includes when to choose non-default source files,
limitations that apply to all sites, and optional actions you can take to help simplify
your tasks when you install more than one site.

Prerequisites for installing sites

Learn about the user rights and permissions your account must have to install a
site and related prerequisites for each type of site you can install.

Install sites using the Setup Wizard

This article walks you through the site installation wizard. It provides details about
options that might not be clear in the wizard user interface.

Install sites using a command line and script

Learn how to create a site installation script, and how to use it for unattended site
installs.

Install the Configuration Manager console

This article has guidance on how to install the Configuration Manager console on a
computer on which you're not installing a site.

Upgrade an evaluation installation to a full installation

Read this article when you're ready to upgrade your evaluation site to a fully
licensed Configuration Manager site.

Prepare to install Configuration Manager sites
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To prepare for a successful deployment of one or more Configuration Manager sites,
become familiar with the details in this article. These steps can save you time during
installation of multiple sites and help prevent missteps that might result in the need to
reinstall one or more sites.

Tip

When managing Configuration Manager site and hierarchy infrastructure, the terms
upgrade, update, and install are used to describe three separate concepts. To learn
how each term is used, see About upgrade, update, and install.

Options for installing different types of sites

When you install a new Configuration Manager site, the version of the source files that
you can use depends on the version of sites that are already in the hierarchy (if any). The
installation methods that you can use depend on the type of site you want to install.

Before installing a site, make sure you have planned your hierarchy, and that you
understand the type of site you want to install. For more information, see Design a
hierarchy of sites.

First site
The first site that you install in a hierarchy will be either a stand-alone primary site or a
central administration site.

Installation media: To install a central administration site or a stand-alone primary site
as the first site in a new hierarchy, you must use a baseline version of Configuration
Manager. Do not install the first site of a new hierarchy by using updated source files
from the CD.Latest folder of any site.

Installation method: You can install either type of site by using the Configuration
Manager Setup Wizard, or you can configure a script to use with a scripted command-
line installation.

Additional sites
After the initial site is installed, you can add more sites at any time. You have the
following options for adding sites (up to supported limits):

Site that you have            Additional site type you can install

Central administration site   Child primary site

Child primary site            Secondary site

Stand-alone primary site      Secondary site (you can expand the primary site, which converts the
                              stand-alone primary site to a child primary site)

Installation media: When you install a central administration site to expand a stand-
alone primary site, or if you install a new child primary site in an existing hierarchy, you
must use installation media (that contains source files) that matches the version of the
existing site or sites.

Important

If you have installed in-console updates that have changed the version of the
previously installed sites, do not use the original installation media. Instead, in that
scenario, use source files from the CD.Latest folder of an updated site.
Configuration Manager requires you to use source files that match the version of
the existing site that your new site will connect to.

A secondary site must be installed from the Configuration Manager console. This way,
secondary sites are always installed by using source files from the parent primary site.

Installation method: The method you use to install additional sites depends on the type
of site you want to install.

Add a central administration site: You can use the Configuration Manager Setup
Wizard or a scripted command line to install the new central administration site as
a parent site to your existing stand-alone primary site. For more information, see
Expanding a stand-alone primary site.
Add a child primary site: You can use the Configuration Manager Setup Wizard or
a command-line installation to add a child primary site below a central
administration site.
Add a secondary site: Use the Configuration Manager console to install a
secondary site as a child site below a primary site. Other methods are not
supported for adding secondary sites.

Common tasks to complete before starting an installation

Understand the hierarchy topology you will use for your deployment

For more information, see Design a hierarchy of sites for Configuration Manager.

Prepare and configure individual servers to meet prerequisites and supported
configurations for use with Configuration Manager

For more information, see Site and site system prerequisites.

Install and configure SQL Server to host the site database

For more information, see Support for SQL Server versions for Configuration
Manager.

Prepare your network environment to support Configuration Manager

For more information, see Configure firewalls, ports, and domains to prepare for
Configuration Manager.

If you will use a public key infrastructure (PKI), prepare your infrastructure and
certificates

For more information, see PKI certificate requirements for Configuration Manager.

Install the latest security updates on computers you will use as site servers or
site system servers, and when necessary, restart them

About site names and site codes

Site codes and site names are used to identify and manage the sites in a Configuration
Manager hierarchy. In the Configuration Manager console, the site code and site name
are displayed in the <site code> - <site name> format. Every site code that you use in
your hierarchy must be unique. If the Active Directory schema is extended for
Configuration Manager and your sites are publishing data, the site codes used within an
Active Directory forest must be unique even if they are used in a different Configuration
Manager hierarchy or if they have been used in earlier Configuration Manager
installations. Be sure to carefully plan your site codes and site names before you deploy
your hierarchy.

Specify a site code and site name

When you run Configuration Manager Setup, you are prompted for a site code and site
name for the central administration site, and for each primary site and secondary site
installation. A site code must uniquely identify each site in the hierarchy. Because the
site code is used in folder names, never use the following names for the site code, which
include names reserved for Configuration Manager and Windows:

AUX
CON
NUL
PRN
SMS
ENV

Note

Configuration Manager Setup does not verify that a site code is not already in use.

To enter the site code for a site when you're running Configuration Manager Setup, you
must enter three alphanumeric characters. Only the letters A through Z and the numbers
0 through 9, in any combination, are allowed in site codes. The sequence of letters or
numbers has no effect on the communication between sites. For example, it is not
necessary to name a primary site ABC and a secondary site DEF.

The site name is a friendly name identifier for the site. You can only use the characters A
through Z, a through z, 0 through 9, and the hyphen (-) in site names.

Important

A change of the site code or site name after you install the site is not supported.
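The following PowerShell function, added here as an example rather than taken from the documentation, applies the naming rules above to a proposed site code and site name. Because Setup itself doesn't check whether a code is already in use, it also compares the code against a list of codes already used in the hierarchy or forest that you supply; the codes and names in the usage lines are constructed for illustration.

```powershell
function Test-CMSiteIdentifier {
    <#
    .SYNOPSIS
    Validates a proposed Configuration Manager site code and site name against the
    documented naming rules, and optionally against site codes already in use.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$SiteName,
        # Codes already used in this hierarchy, in the AD forest, or by earlier installations.
        # Setup does not check for reuse, so you supply this list yourself (assumed input).
        [string[]]$ExistingSiteCodes = @()
    )

    # Names reserved by Configuration Manager and Windows that must never be a site code.
    $reserved = @('AUX', 'CON', 'NUL', 'PRN', 'SMS', 'ENV')
    $problems = [System.Collections.Generic.List[string]]::new()

    # Rule: exactly three characters, each A-Z or 0-9. The match is case-sensitive,
    # so lower-case letters are reported rather than silently accepted.
    if ($SiteCode -cnotmatch '^[A-Z0-9]{3}$') {
        $problems.Add("Site code '$SiteCode' must be exactly three characters from A-Z or 0-9.")
    }
    elseif ($reserved -contains $SiteCode) {
        $problems.Add("Site code '$SiteCode' is a name reserved by Configuration Manager or Windows.")
    }
    elseif ($ExistingSiteCodes -contains $SiteCode) {
        $problems.Add("Site code '$SiteCode' is already in use; reusing it risks object ID conflicts.")
    }

    # Rule: site name uses only A-Z, a-z, 0-9 and the hyphen.
    if ($SiteName -cnotmatch '^[A-Za-z0-9-]+$') {
        $problems.Add("Site name '$SiteName' may contain only letters, digits, and hyphens.")
    }

    [pscustomobject]@{
        SiteCode = $SiteCode
        SiteName = $SiteName
        Valid    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed examples; the codes and names below are illustrative, not from any real hierarchy.
$inUse = @('CAS', 'P01')
Test-CMSiteIdentifier -SiteCode 'P02' -SiteName 'Primary-02'  -ExistingSiteCodes $inUse
Test-CMSiteIdentifier -SiteCode 'SMS' -SiteName 'Branch'      -ExistingSiteCodes $inUse  # 'SMS' is reserved
Test-CMSiteIdentifier -SiteCode 'P01' -SiteName 'Branch'      -ExistingSiteCodes $inUse  # 'P01' already in use
Test-CMSiteIdentifier -SiteCode 'ab1' -SiteName 'Head Office' -ExistingSiteCodes $inUse  # lower case, space
```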

Reuse a site code

Site codes cannot be used more than one time in a Configuration Manager hierarchy for
a central administration site or for a primary site, even if the original site and site code
have been uninstalled. If you reuse a site code, you risk having object ID conflicts in your
hierarchy. You can reuse the site code for a secondary site if that secondary site and the
site code are no longer in use in your Configuration Manager hierarchy or in the Active
Directory forest.

Limits and restrictions for installed sites

Before you install a site, it's important to understand the following limitations that apply
to sites and site hierarchies:

After running Setup, you cannot change the following site properties without
uninstalling the site and then reinstalling it by using the new values:
Program Files installation directory
Site code
Site description
When your hierarchy includes a central administration site:
Configuration Manager does not support moving a child primary site out of a
hierarchy to create a stand-alone primary site or to attach it to a different
hierarchy. Instead, uninstall the child primary site, and then reinstall it as a new
stand-alone primary site or as a child site of the central administration site of a
different hierarchy.

Optional steps before running Setup

Manually run Setup Downloader

To download the updated Setup files for Configuration Manager, you can run Setup
Downloader. If the computer where you will run Setup is not connected to the Internet,
or if you expect to install multiple site servers, consider using Setup Downloader to
download the required updates to Setup. Here's additional information:

By default, Setup connects to the Internet to download updated Setup files.
By default, the files are stored in the Redist folder.
You can direct Setup to a location on your network where you have previously
stored a copy of these files.

Manually run Prerequisite Checker

To identify and fix problems before you run Setup to install a site and before you install
a site system role on a server, you can run Prerequisite Checker. Prerequisite Checker
helps ensure that the computer meets the requirements to host the site or site system
role. Here's additional information:
By default, Setup runs Prerequisite Checker.
If there are any errors, Setup stops until the issue is fixed.

Identify optional ports

You can identify optional ports for site systems and clients to use. Here's additional
information:

By default, site systems and clients use predefined ports to communicate.
During Setup, you can configure alternate ports.

For more information, see Ports used.

Prerequisites for installing Configuration Manager sites
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Before you begin a site installation, learn about the prerequisites for installing the
different types of Configuration Manager sites.

Primary sites and the central administration site

The following prerequisites apply to installing one of the following types:

A central administration site (CAS) as the first site of a hierarchy
A stand-alone primary site
A child primary site

If you're installing a CAS as part of a hierarchy expansion, see the section for Expanding
a stand-alone primary site.

Prerequisites for installing a primary site or a CAS

The necessary Windows Server roles, features, and Windows components must be
installed. For more information, see Site system prerequisites.

The user account that installs the site must have the following permissions:

Administrator on the following servers:

The site server
Each SQL Server that hosts the site database
Each instance of the SMS Provider for the site

Sysadmin on the instance of SQL Server that hosts the site database

Important

When Configuration Manager setup finishes, the site server computer
account still needs sysadmin permissions to SQL Server. Don't remove the
SQL Server sysadmin permissions from this account.
For more information on the need for these permissions after setup is
complete, see Accounts: Elevated permissions.

If you're installing a primary site, you may also need Administrator permissions on
additional servers. For example, where you install the initial management point and
distribution point, if not on the site server.

If you're installing a new child primary site below a CAS, you need the following
additional permissions:

Administrator on the site server that hosts the CAS

Administrator on the SQL Server that hosts the CAS site database

Role-based administration permissions within Configuration Manager that are
equivalent to the security role of Infrastructure Administrator or Full
Administrator

Use the correct installation source files, and run setup from that location. For
information about the correct source files to use to install different types of sites,
see Prepare to install site: Options for installing different types of sites.

The site server needs access to the latest setup files from Microsoft. Use one of the
following methods:

Before you start the install, download and store a copy of these files on your
local network. For more information, see Setup Downloader.

If a local copy of these files isn't available, the site server needs access to the
internet. It downloads these files from Microsoft during the installation. For
more information, see Internet access requirements.

The site server and site database server must meet all prerequisite configurations.
Before starting Configuration Manager setup, manually run Prerequisite Checker to
identify and fix problems.
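The permission prerequisites above can be checked before you run setup rather than discovered when it fails. The following PowerShell is an added example, not part of the Microsoft documentation: the account, server and instance names are placeholders, it assumes PowerShell remoting is enabled on the listed servers, and it assumes the account running it can read local groups remotely and connect to the SQL Server instance.

```powershell
# Added example (not from the Configuration Manager documentation).
# Assumptions: PowerShell remoting is enabled on every server listed, the account
# running this script may read local groups remotely and connect to the SQL instance,
# and every name below is a placeholder to replace with your own.
$InstallAccount = 'CONTOSO\cm-setup'
$Servers = [ordered]@{
    'site server'                = 'cm-site01.contoso.com'
    'SQL Server (site database)' = 'cm-sql01.contoso.com'
    'SMS Provider'               = 'cm-site01.contoso.com'
}
$SqlInstance = 'cm-sql01.contoso.com'   # use 'host\instance' or 'host,port' for a non-default instance

function Test-LocalAdministrator {
    param([string]$ComputerName, [string]$Account)
    # Reads the direct members of the local Administrators group on the remote server.
    # Membership inherited through a nested domain group isn't expanded here.
    $members = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    }
    return [bool]($members -contains $Account)
}

function Test-SqlSysadmin {
    param([string]$Instance, [string]$Account)
    # IS_SRVROLEMEMBER returns 1 (member), 0 (not a member) or NULL (no such login).
    $connection = New-Object System.Data.SqlClient.SqlConnection
    $connection.ConnectionString = "Server=$Instance;Integrated Security=True;Encrypt=True;TrustServerCertificate=True"
    $connection.Open()
    try {
        $command = $connection.CreateCommand()
        $command.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin', @login)"
        $null = $command.Parameters.AddWithValue('@login', $Account)
        $result = $command.ExecuteScalar()
        return ($result -is [int] -and $result -eq 1)
    }
    finally {
        $connection.Close()
    }
}

# One row per prerequisite, so the output reads like the wizard's own check list.
$checks = foreach ($role in $Servers.Keys) {
    [pscustomobject]@{
        Check  = "Administrator on $role ($($Servers[$role]))"
        Passed = Test-LocalAdministrator -ComputerName $Servers[$role] -Account $InstallAccount
    }
}
$checks += [pscustomobject]@{
    Check  = "sysadmin on SQL Server instance $SqlInstance"
    Passed = Test-SqlSysadmin -Instance $SqlInstance -Account $InstallAccount
}
$checks | Format-Table -AutoSize
if ($checks.Passed -contains $false) { Write-Warning 'Fix the failed items before you run setup.' }
```

Run it as the account that will run setup; the SQL query uses that account's Windows credentials to connect but checks the named login, so it also works when you verify someone else's account. A false result from the local group check can still mean access through a nested group, which this script deliberately doesn't resolve.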

Prerequisites to expand a stand-alone primary site

A stand-alone primary site must meet the following prerequisites before you can
expand it into a hierarchy with a CAS:

Source file version matches site version

Install the new CAS using media from a CD.Latest folder that matches the version of the
stand-alone primary site. To make sure the versions match, use the source files found in
the CD.Latest folder on the stand-alone primary site.

For more information about the correct source files to use to install different sites, see
Prepare to install sites: Options for installing different types of sites.

Stop active migration from another hierarchy

You can't configure the stand-alone primary site to migrate data from another
Configuration Manager hierarchy. Stop active migration to the stand-alone primary site
from other Configuration Manager hierarchies and remove all configurations for
migration. These configurations include:

Migration jobs that haven't completed

Data gathering

The configuration of the active source hierarchy

This configuration is necessary because Configuration Manager migrates data from the
top-level site of the hierarchy. When you expand a stand-alone primary site, the
configurations for migration don't transfer to the CAS.

After you expand the stand-alone primary site, if you reconfigure migration at the
primary site, the CAS runs the migration jobs.

For more information about how to configure migration, see Configure source
hierarchies and source sites for migration.

Computer account as Administrator

Add the computer account of the server that hosts the new CAS to the Administrators
group on the stand-alone primary site server.

To successfully expand the stand-alone primary site, the computer account of the new
CAS needs Administrator permissions on the stand-alone primary site. This account
requires these permissions only during site expansion. When site expansion finishes, you
can remove the account from the user group on the primary site.

Installation account permissions

The user account that runs Configuration Manager setup to install the new CAS needs
role-based administration permissions at the stand-alone primary site. Add this
account to the proper role at the stand-alone primary site: use the built-in Full
Administrator or Infrastructure Administrator role.

For more information including the complete list of required permissions, see Site
installation account.

Top-level site roles

Before you expand the site, uninstall the following site system roles from the
stand-alone primary site:

Asset Intelligence sync point

Endpoint protection point

Service connection point

Configuration Manager only supports these roles at the top-level site of the hierarchy.
Uninstall these site system roles before you expand the stand-alone primary site. After
you expand the site, reinstall these site system roles at the CAS.

All other site system roles can remain installed at the primary site.

Configuration Manager setup also includes a prerequisite check that the standalone
primary site doesn't include the cloud management gateway (CMG) service. Before you
expand the site to a hierarchy, remove the CMG. Then redeploy it from the new CAS.

Open the SQL Server Service Broker port

The network port must be open for the SQL Server Service Broker (SSB) between the
stand-alone primary site and the server for the CAS.

To successfully replicate data between a CAS and a primary site, Configuration Manager
requires an open port between the two sites for SSB to use. When you install a CAS and
expand a stand-alone primary site, the prerequisite check doesn't verify that the port
you specify for the SSB is open on the primary site.
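Because the prerequisite check doesn't test the SSB port, the two expansion prerequisites that most often surface only after setup has started are the CAS computer account's membership in the primary site server's local Administrators group (Computer account as Administrator, above) and the SSB port. The following PowerShell is an added example, not from the Microsoft documentation, that checks both. Server names, the computer account and the port are placeholders; it assumes PowerShell remoting to both servers, and that you run it on the server that will host the CAS.

```powershell
# Added example (not from the Configuration Manager documentation).
# Assumptions: run on the future CAS server, PowerShell remoting reaches both servers,
# and every name and port below is a placeholder for your own environment.
$PrimarySiteServer  = 'cm-pri01.contoso.com'   # existing stand-alone primary site server
$CasServer          = 'cm-cas01.contoso.com'   # server that will host the new CAS
$CasComputerAccount = 'CONTOSO\CM-CAS01$'      # computer account of the CAS server
$SsbPort            = 4022                     # SQL Server Service Broker port used by both sites

function Test-InboundPortAllowed {
    param([string]$ComputerName, [int]$Port)
    # Looks for an enabled inbound Allow rule for the exact TCP port in Windows Defender Firewall.
    # Works before anything listens on the port; port ranges in rules aren't expanded here.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Port -ScriptBlock {
        param([int]$Port)
        $rules = Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$Port" } |
            Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
        [bool]$rules
    }
}

# 1. The CAS computer account must be a direct member of Administrators on the primary site server.
$primaryAdmins = Invoke-Command -ComputerName $PrimarySiteServer -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
}
$casIsAdmin = $primaryAdmins -contains $CasComputerAccount

# 2. Both servers need an inbound firewall rule for the SSB port (replication is bidirectional).
$primaryAllows = Test-InboundPortAllowed -ComputerName $PrimarySiteServer -Port $SsbPort
$casAllows     = Test-InboundPortAllowed -ComputerName $CasServer -Port $SsbPort

# 3. End-to-end TCP test toward the primary site. This only succeeds if its SQL Server already
#    listens on the port; if nothing listens yet, rely on the firewall result from step 2.
$casReachesPrimary = (Test-NetConnection -ComputerName $PrimarySiteServer -Port $SsbPort).TcpTestSucceeded

[pscustomobject]@{
    'CAS computer account is Administrator on primary' = $casIsAdmin
    "Primary allows inbound TCP $SsbPort"               = $primaryAllows
    "CAS allows inbound TCP $SsbPort"                   = $casAllows
    "CAS reaches primary on TCP $SsbPort"               = $casReachesPrimary
} | Format-List
```

After expansion finishes you can remove the CAS computer account from the primary site's Administrators group again, as the prerequisite text notes; the firewall rules for the SSB port must stay, because the two sites replicate over that port permanently.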

Known issues with Azure services

After you expand the site, you need to reconfigure the following Azure services with
Configuration Manager:

Log Analytics
Microsoft Store for Business
Tenant attach

The easiest method is to renew the Azure Active Directory tenant secret key. For more
information, see Renew secret key.

Alternatively, instead of renewing the secret key, remove and then recreate the
connection to that service.

Secondary sites
The following prerequisites are for installing secondary sites:

The necessary Windows Server roles, features, and Windows components must be
installed. For more information, see Site system prerequisites.

The administrator who configures the installation of the secondary site in the
Configuration Manager console needs role-based administration permissions that
are equivalent to the security role of Infrastructure Administrator or Full
Administrator.

Add the computer account of the parent primary site to the Administrators group
on the secondary site server.

When the secondary site uses a previously installed instance of SQL Server to host
the secondary site database:

The computer account of the parent primary site needs sysadmin permissions
on the instance of SQL Server on the secondary site server.

The Local System account of the secondary site server computer needs
sysadmin permissions on the instance of SQL Server on the secondary site
server.

Important

When Configuration Manager setup finishes, both accounts still need sysadmin
permissions to SQL Server. Don't remove the sysadmin permissions from these
accounts.

The secondary site server must meet all prerequisite configurations. These
configurations include SQL Server and the default site system roles of the
management point and distribution point.

Next steps

After you've confirmed the prerequisites, you're ready to run setup. For more
information, see Use the Setup Wizard to install Configuration Manager sites.

Use the Setup Wizard to install Configuration Manager sites

Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To install a new Configuration Manager site by using a guided user interface, use the
Configuration Manager Setup Wizard (setup.exe). The wizard supports installing a
primary site or central administration site (CAS). You also use the wizard to upgrade an
evaluation installation of Configuration Manager to a fully licensed installation. When
you don't want to use the wizard, you can instead use an installation script and run an
unattended command-line installation.

Install a secondary site from within the Configuration Manager console. Secondary sites
don't support a scripted command-line installation.

Before you install a site, be familiar with the details in the following articles:

Design a hierarchy of sites

Site and site system prerequisites

Prepare to install sites

Prerequisites for installing sites

Assess server readiness with the Prerequisite Checker

Release notes

Tip

If you need assistance with site installation, see the Support options and
community resources. For example, the Microsoft Q&A forum for Configuration
Manager site and client deployment.

When you're ready to get started, see the following articles for the specific processes:

Use the setup wizard to install a central administration or primary site

Use the setup wizard to install a secondary site

Use the setup wizard to install a central administration or primary site

Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use this procedure to install a central administration site (CAS) or a primary site. Also
use it to upgrade an evaluation site to a fully licensed Configuration Manager site.

First, review the overview for using the setup wizard. It includes links to important
prerequisite articles.

If you're installing a CAS as part of a site expansion scenario, first read Expand a stand-
alone primary site before using the following procedure.

Process to install a CAS or primary site

1. On the computer where you want to install the site, run
<InstallationMedia>\SMSSETUP\BIN\X64\Setup.exe to start the Configuration
Manager Setup Wizard.

Note

When you install a CAS to expand on a stand-alone primary site, or install a
new child primary site in an existing hierarchy, use installation media (source
files) that match the version of the existing site or sites. If you've installed in-
console updates that have changed the version of the previously installed
sites, don't use the original installation media. Instead, use source files from
the CD.Latest folder of an updated site. Configuration Manager requires you
to use source files that match the version of the existing site that your new
site will connect to.

2. On the Before You Begin page, choose Next.

3. On the Getting Started page, select the type of site that you want to install:

Central administration site, as the first site of a new hierarchy, or when
expanding a stand-alone primary site:

Select Install a Configuration Manager central administration site.

Later in this process, you'll choose to install a CAS for a new hierarchy, or to
expand a stand-alone primary site.

Primary site, as a stand-alone primary site that is the first site of a new
hierarchy, or as a child primary:

Select Install a Configuration Manager primary site.

Tip

Typically, you only select the option Use typical installation options for
a stand-alone primary site when you want to install a stand-alone
primary site in a test environment. When you select this option, setup
does the following actions:

Automatically configures the site as a stand-alone primary site.

Uses a default installation path.

Uses a local installation of the default instance of SQL Server for the
site database.

Installs a management point and a distribution point on the site
server computer.

Configures the site with English and the display language of the OS
on the primary site server if it matches one of the languages that
Configuration Manager supports.

4. On the Product Key page:

Choose whether to install Configuration Manager as an evaluation edition or
a licensed edition.

If you select a licensed edition, enter your product key, and choose Next.

If you select an evaluation edition, choose Next. You can upgrade an
evaluation installation to a full installation later.

You can also specify the Software Assurance expiration date of your
licensing agreement. It's a convenient reminder of that date. If you don't
enter this date during Setup, you can specify it later from within the
Configuration Manager console.

Note

Microsoft doesn't validate the expiration date that you entered and
doesn't use this date for license validation. You can use it as a reminder
of your expiration date. This date is useful because Configuration
Manager periodically checks for new software updates offered online.
Your software assurance license status should be current so that you're
eligible to use these additional updates.

For more information, see Licensing and branches.

5. On the Microsoft Software License Terms page, read and accept the license terms.

6. On the Prerequisite Licenses page, read and accept the license terms for the
prerequisite software. Setup downloads and automatically installs the software on
site systems or clients when it's required. Accept all of the terms before you
continue to the next page.

7. On the Prerequisite Downloads page, specify whether Setup must download the
latest prerequisite redistributable files from the internet or use previously
downloaded files:

If you want Setup to download the files at this time, select Download
required files. Then specify a location to store the files.

If you previously downloaded the files by using Setup Downloader, select Use
previously downloaded files. Then specify the download folder.

Tip

If you use previously downloaded files, verify that the path to the
download folder contains the most recent version of the files.

8. On the Server Language Selection page, select the languages that are available for
the Configuration Manager console and for reports. The wizard selects English by
default and you can't remove it. For more information, see Language packs.

9. On the Client Language Selection page, select the languages that are available to
client computers. Also specify whether to enable all client languages for mobile
device clients. The wizard selects English by default and you can't remove it.

Important

When you use a CAS, make sure that client languages you configure at the
CAS include all client languages that you configure at each child primary site.
Clients that install from a distribution point have access to the client
languages from the top-tier site, while clients that install from a management
point have access to the client languages from their assigned primary site.

10. On the Site and Installation Settings page, specify the following settings for the
new site that you're installing:

Site code: Each site code in a hierarchy must be unique. Use three alphanumeric
characters: A through Z and 0 through 9. Because the site code is used in folder
names, don't use the following Windows-reserved names:

AUX

CON

NUL

PRN

SMS

Note

Setup doesn't verify whether the site code that you specify is already in
use, or if it's a reserved name.

Site name: Each site requires this friendly name, which can help you identify
the site.

Installation folder: This folder is the path to the Configuration Manager
installation. You can't change the location after the site installs. The path can't
contain Unicode characters or trailing spaces.

Note

Consider whether you want to use the default installation folder. If you
use the default OS partition in a production environment, you may
experience the following issues in the future:

If Configuration Manager uses the additional free disk space on the
OS partition, neither Windows nor Configuration Manager will operate
properly. If you install Configuration Manager on a separate partition,
its disk consumption won't impact the OS.

Configuration Manager performance is better with a fast disk. Some
server designs don't optimize the OS disk for speed.

You can service, restore, or reinstall the OS without impacting your
Configuration Manager installation.

11. On the Site Installation page, use the following option that matches your scenario:

I'm installing a CAS:

On the Central Administration Site Installation page, select Install as the
first site in a new hierarchy, and then choose Next to continue.

I'm expanding a stand-alone primary into a hierarchy with a CAS:

On the Central Administration Site Installation page, select Expand an
existing stand-alone primary into a hierarchy. Then specify the FQDN of the
stand-alone primary site server, and choose Next to continue.

The media that you use to install the new CAS must match the version of the
primary site.

I'm installing a stand-alone primary site:

On the Primary Site Installation page, select Install the primary site as a
stand-alone site, and then choose Next.

I'm installing a child primary site:

On the Primary Site Installation page, select Join the primary site to an
existing hierarchy. Then specify the FQDN for the CAS, and choose Next.

12. On the Database Information page, specify the following information:

SQL Server name (FQDN): By default, this value is set to the site server
computer.

If you use a custom port, add that port to the FQDN of the SQL Server. Follow
the FQDN of the SQL Server with a comma and then the port number. For
example, for server SQLServer1.fabrikam.com, use the following string to
specify custom port 1551: SQLServer1.fabrikam.com,1551

Instance name: By default, this value is blank. It uses the default instance of
SQL Server on the site server computer.

Database name: By default, this value is set to CM_<Sitecode>. You can
customize this value.

Service Broker Port: By default, this value is set to use the default SQL Server
Service Broker (SSB) port of 4022. SQL Server uses it to communicate directly
to the site database at other sites.

13. On the second Database Information page, you can specify custom locations for
the SQL Server data file and the SQL Server log file for the site database:

By default, it uses the default file locations for SQL Server.

When you use a SQL Server Always On failover cluster instance, the option to
specify custom file locations isn't available.

The prerequisite checker doesn't run a check for free disk space for custom
file locations.

14. On the SMS Provider Settings page, specify the FQDN for the server where you
want to install the SMS Provider.

By default, it specifies the site server.

After the site installs, you can configure more SMS Providers. For more
information, see Plan for the SMS Provider.

15. On the Client Communication Settings page, choose how clients will
communicate with site systems. The more secure option is to require all site
systems to use HTTPS. Otherwise, you individually configure the communication
method for each site system role.

Important

Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced
HTTP. For more information, see Enable the site for HTTPS-only or enhanced
HTTP.

All site system roles accept only HTTPS communication from clients: When
you select this option, clients must have a valid PKI certificate for client
authentication. For more information, see PKI certificate requirements.

Configure the communication method on each site system role: Starting in
version 2203, when you select this option, setup configures the site to use
Enhanced HTTP.

Note

This page only applies when you install a primary site. If you're installing a
CAS, skip this page.

16. On the Site System Roles page, choose whether to install a management point or
distribution point. For each role that you choose to have installed by Setup:

Note

This step only applies when you install a primary site. If you're installing a CAS,
skip this step.

Enter the FQDN for the server that will host the role. Then choose the client
connection method that the server will support: HTTP or HTTPS.

If you selected All site system roles accept only HTTPS communication from
clients on the previous page, the wizard automatically configures the client
connection settings for HTTPS. You can't change this setting unless you go
back to the previous page.

Note

To install site system roles, Setup uses the site system installation account. By
default, it uses the primary site's computer account. This account must be a
local administrator on the remote computer to install the role. If this account
lacks the required permissions, don't install the roles during Setup. After you
configure additional accounts to use as site system installation accounts,
install the roles from the Configuration Manager console. For more
information, see Accounts.

17. On the Usage Data page, review the information about data that Microsoft
collects, and then choose Next. For more information, see Diagnostics and usage
data.

18. The Service Connection Point Setup page is only available when you're installing a
stand-alone primary site or a CAS.

Note

If you're installing a child primary site, skip this step.

If you're installing a CAS as part of a site expansion scenario, and the stand-alone
primary site already has this role, first uninstall it from the stand-alone primary site.
Configuration Manager can only have one instance of the service connection point
in a hierarchy. It's only supported at the top-tier site of the hierarchy.

After you select a configuration for the Service Connection Point, choose Next.
After Setup completes, you can change this configuration from the Configuration
Manager console. For more information, see About the service connection point.

19. On the Settings Summary page, review the setting that you've selected. When
you're ready, choose Next to start the Prerequisite Checker.

20. On the Prerequisite Installation Check page, it lists any problems that the checker
can identify.

When the Prerequisite Checker finds a problem, choose an item in the list for
details about how to resolve the problem.

Before you can continue to install the site, resolve any Failed items. Try to
resolve all Warning items, but they don't block installation.

After you resolve any issues, choose Run Check to rerun the Prerequisite
Checker.

When the Prerequisite Checker runs, and no checks receive a Failed status,
you can choose Begin Install to start the site installation.

Tip

In addition to the feedback that the wizard provides, you can find additional
information about prerequisite issues in the ConfigMgrPrereq.log file. It's in
the root of the system drive on the server. For more information, see List of
prerequisite checks.

21. On the Installation page, Setup displays the installation status. When the core site
server installation is complete, you can Close the installation wizard. When you
close the wizard, the installation and initial site configurations continue in the
background.

You can connect a Configuration Manager console to the site before Setup is
complete. This console connects as read-only, and lets you view objects and
settings, but you can't modify anything.

After Setup completes, you can connect a console to edit objects and
settings.

If setup fails, you can Report update error to Microsoft. For more
information, see Report setup and upgrade failures to Microsoft.

Expand a stand-alone primary site

When you've installed a stand-alone primary site as your first site, you can later install a
CAS to expand that site into a larger hierarchy. This process is also called site expansion.
The main reason to expand to a hierarchy is for scale. A hierarchy allows you to support
more clients than a stand-alone primary site can support. For more information, see Size
and scale numbers.

When you expand a stand-alone primary site, you install a new CAS that uses the
existing stand-alone primary site database as a reference. After the new CAS installs, the
stand-alone primary site functions as a child primary site.

You can only expand a stand-alone primary site into a new hierarchy.

You can only expand one stand-alone primary site into a specific hierarchy. You
can't use this option to join other stand-alone primary sites into the same
hierarchy. Instead, use the Migration Wizard to migrate data from one hierarchy
into another. For more information, see Migrate data between hierarchies.

After you expand a stand-alone site into a hierarchy with a CAS, you can install
other child primary sites.

To remove a primary site from a hierarchy with a CAS, first uninstall the primary
site.

Before you start, first see the prerequisites to expand a site.

To expand the site, use the process to install a CAS or primary site with the following
caveats:

Install the CAS by using the same version of Configuration Manager as the stand-
alone primary site.

On the Getting Started page of the Setup Wizard, select the option to install a
CAS. At a later stage of Setup, you'll choose an option to expand an existing stand-
alone primary site.

On the Client Language Selection page for the new CAS, select the same client
languages that you configured on the original primary site.

On the Site Installation page, select the option to expand the stand-alone primary
site.

If you enable Endpoint Analytics for devices uploaded to Microsoft Endpoint
Manager, in version 2107 or later, re-enable this option.

Next steps

Use the setup wizard to install a secondary site

Configure sites and hierarchies

Install consoles

Use the setup wizard to install a secondary site

Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use this procedure to install a secondary site. Install a secondary site from within the
Configuration Manager console. Secondary sites don't support a scripted command-line
installation.

In a hierarchy, you don't have to connect the console to the parent primary site. If
the console isn't connected to the parent primary site for the new secondary site,
Configuration Manager replicates the command to install the secondary site to the
correct primary site.

Before you start the secondary site installation, make sure that your user account
has the prerequisite permissions. Also make sure that the server that will host the
new secondary site meets all the prerequisites for use as a secondary site server.
For more information, see Prerequisites for installing sites and Site and site system
prerequisites.

When you install the secondary site, Configuration Manager configures the new
site to use the same client communication ports as the parent primary site.

Before you start, review the overview for using the setup wizard. It includes links to
important prerequisite articles.

Process to install a secondary site

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node. Select the site that will be
the parent primary site of the new secondary site.

2. In the ribbon, select Create Secondary Site. This action starts the Create
Secondary Site Wizard.

3. On the Before You Begin page, confirm that the listed server is the primary site
that you want to be the parent of the new secondary site. Then choose Next.

4. On the General page, specify the following settings:

Site code: Each site code in a hierarchy must be unique. Use three alphanumeric
characters: A through Z and 0 through 9. Because the site code is used in folder
names, don't use the following Windows-reserved names:

AUX

CON

NUL

PRN

SMS

Note

Setup doesn't verify whether the site code that you specify is already in use, or
if it's a reserved name.

Site server name: This value is the FQDN of the server for the new secondary
site.

Site name: Each site requires this friendly name, which can help you identify
the site in the console.

Installation folder: This folder is the path to the Configuration Manager
installation. You can't change the location after the site installs. The path can't
contain Unicode characters or trailing spaces.

Important

After you specify details on this page, you can choose Summary to skip to the
end of the wizard. This action uses the default settings for the remainder of
the secondary site options.

Only use this option when you're familiar with the default settings in this
wizard, and they're the settings you want to use.

When you use the default settings, boundary groups aren't associated
with the distribution point. Until you configure boundary groups that
include the secondary site server, clients won't use the distribution point
that's installed on this secondary site as a content source location.
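Setup doesn't verify the site code, and the same rules apply on the Site and Installation Settings page of the primary site wizard (site code, installation folder, and the SQL Server name with an optional ",port" suffix on the Database Information page) and on the General page of the Create Secondary Site Wizard. The following PowerShell validators are an added example, not from the Microsoft documentation; the function names and the list of existing site codes you pass in are assumptions, and the checks implement only the rules the page states.

```powershell
# Added example (not from the Configuration Manager documentation). These functions
# validate the values you type into the wizards before setup, which doesn't check them.

function Test-CMSiteCode {
    param(
        [string]$SiteCode,
        [string[]]$ExistingSiteCodes = @()   # codes already used in the hierarchy, if you know them
    )
    $reserved = 'AUX', 'CON', 'NUL', 'PRN', 'SMS'     # Windows-reserved names the page lists
    $code = $SiteCode.ToUpperInvariant()
    if ($code -notmatch '^[A-Z0-9]{3}$') { return $false }      # exactly three of A-Z, 0-9
    if ($reserved -contains $code) { return $false }             # the code becomes a folder name
    if ($ExistingSiteCodes -contains $code) { return $false }    # must be unique in the hierarchy
    return $true
}

function Test-CMInstallFolder {
    param([string]$Path)
    # The path can't end in a space and can't contain characters outside ASCII.
    if ($Path -ne $Path.TrimEnd(' ')) { return $false }
    if ($Path -match '[^\x00-\x7F]') { return $false }
    return [System.IO.Path]::IsPathRooted($Path)
}

function Test-CMSqlServerName {
    param([string]$Name)
    # Accepts 'fqdn' or 'fqdn,port', the format the Database Information page expects.
    $fqdn, $port = $Name -split ',', 2
    if ($fqdn -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') { return $false }
    if ($null -eq $port) { return $true }
    return ($port -match '^\d{1,5}$') -and ([int]$port -ge 1) -and ([int]$port -le 65535)
}

# Usage with constructed values: a new primary below an existing CAS and a sibling primary,
# a reserved name, a folder off the OS partition, and the page's own custom-port example.
Test-CMSiteCode -SiteCode 'PS1' -ExistingSiteCodes 'CAS', 'PS2'
Test-CMSiteCode -SiteCode 'SMS'
Test-CMInstallFolder -Path 'D:\Program Files\Microsoft Configuration Manager'
Test-CMSqlServerName -Name 'SQLServer1.fabrikam.com,1551'
```

The site code check is case-insensitive because the wizard uppercases what you type; the uniqueness check only knows about the codes you pass in, so gather them from the Sites node of the console first.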

5. On the Installation Source Files page, choose how the secondary site server gets
the source files to install the site.

When you use CD.Latest source files that are shared on the network or copied
locally to the target secondary site server:

The CD.Latest source file location includes a folder named Redist. Move this
Redist folder as a subfolder under the SMSSETUP folder.

Copy the following files from the Redist folder to the SMSSETUP\BIN\X64
folder:
SharedManagementObjects.msi
SQLSysClrTypes.msi
sqlncli.msi

If any of the files from Redist aren't available, Setup fails to install the
secondary site.

The computer account of the secondary site server needs Read permissions
to the source file folder and share.
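The Redist steps above are easy to get half right, and setup fails without telling you which file is missing. The following PowerShell is an added example, not from the Microsoft documentation, that performs the move and copy, verifies the three packages, and checks for an explicit NTFS Read entry for the secondary site computer account. The folder path and the computer account are placeholders; it assumes you run it where the CD.Latest copy lives.

```powershell
# Added example (not from the Configuration Manager documentation). Paths and the
# secondary site computer account are placeholders. Run it where the CD.Latest copy lives,
# before you start the Create Secondary Site Wizard.
$SourceRoot               = 'D:\Sources\CD.Latest'   # copy of CD.Latest that is shared to the secondary site server
$SecondaryComputerAccount = 'CONTOSO\CM-SEC01$'      # computer account of the new secondary site server
$RedistFiles = 'SharedManagementObjects.msi', 'SQLSysClrTypes.msi', 'sqlncli.msi'

$smsSetup  = Join-Path $SourceRoot 'SMSSETUP'
$redistOld = Join-Path $SourceRoot 'Redist'
$redistNew = Join-Path $smsSetup 'Redist'
$binX64    = Join-Path $smsSetup 'BIN\X64'

# Step 1: Redist must be a subfolder of SMSSETUP. Move it only if it's still at the top level.
if ((Test-Path $redistOld) -and -not (Test-Path $redistNew)) {
    Move-Item -Path $redistOld -Destination $redistNew
}

# Step 2: copy the three installer packages next to setup's 64-bit binaries.
foreach ($file in $RedistFiles) {
    $source = Join-Path $redistNew $file
    if (-not (Test-Path $source)) {
        throw "$file is missing from $redistNew. Download the prerequisite files with Setup Downloader first."
    }
    Copy-Item -Path $source -Destination $binX64 -Force
}

# Step 3: verify the result; the wizard fails the secondary site install if any file is absent.
$missing = $RedistFiles | Where-Object { -not (Test-Path (Join-Path $binX64 $_)) }
if ($missing) { throw "Still missing from ${binX64}: $($missing -join ', ')" }

# Step 4: the secondary site computer account needs Read on the folder. This looks for an
# explicit Allow entry with at least Read; access granted through a group (for example
# Domain Computers) isn't resolved here, so a warning means "check the ACL by hand".
# The SMB share permissions (Get-SmbShareAccess) must grant Read as well.
$read = [System.Security.AccessControl.FileSystemRights]::Read
$readEntries = (Get-Acl -Path $SourceRoot).Access | Where-Object {
    $_.IdentityReference.Value -eq $SecondaryComputerAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $read) -eq $read)
}
if (-not $readEntries) {
    Write-Warning "$SecondaryComputerAccount has no explicit Read entry on $SourceRoot"
}
```

Keep the prepared CD.Latest copy in sync with the primary site: after an in-console update changes the site version, the old copy no longer matches and the secondary site install fails for that reason rather than for a missing Redist file.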

6. On the SQL Server Settings page, specify the version of SQL Server to use:

Note

Setup doesn't validate the information that you enter on this page until it
starts the installation. Before you continue, verify these settings.

Install and configure a local copy of SQL Express on the secondary site
computer

SQL Server Service port: Specify the SQL Server service port for SQL
Server Express to use. The service port is typically configured to use TCP
port 1433, but you can configure another port.

SQL Server Broker port: Specify the SQL Server Service Broker (SSB) port
for SQL Server Express to use. The Service Broker is typically configured to
use TCP port 4022, but you can configure a different port. Specify a valid
port that no other site or service is using, and that the firewall doesn't
block.

Use an existing SQL Server instance

SQL Server FQDN: Review the FQDN for the computer running SQL Server.
Use a local server running SQL Server to host the secondary site database,
and you can't modify this setting.
SQL Server instance: Specify the instance of SQL Server to use as the
secondary site database. Leave this option blank to use the default
instance.

ConfigMgr site database name: Specify the name to use for the secondary
site database.

SQL Server Broker port: Specify the SQL Server Service Broker (SSB) port
for SQL Server to use. Specify a valid port that no other site or service is
using, and that the firewall doesn't block.

Tip

For a list of the SQL Server versions that Configuration Manager supports, see
Supported SQL Server versions.

7. On the Distribution Point page, configure settings for the distribution point that
Setup will install on the secondary site server.

Required settings:

Specify how client devices communicate with the distribution point:
Choose between HTTP and HTTPS.

Important

Starting in Configuration Manager version 2103, sites that allow HTTP
client communication are deprecated. Configure the site for HTTPS or
Enhanced HTTP. For more information, see Enable the site for
HTTPS-only or enhanced HTTP.

Create a self-signed certificate or import a PKI client certificate: Choose
between using a self-signed certificate or importing a certificate from your
PKI. A self-signed certificate lets you also allow anonymous connections
from Configuration Manager clients to the content library. The certificate is
used to authenticate the distribution point to a management point before
the distribution point sends status messages. For more information, see
PKI certificate requirements.

Optional settings:

Install and configure IIS if required by Configuration Manager: Select this
setting to let Configuration Manager install and configure Internet
Information Services (IIS) on the server. Configuration Manager only
installs IIS if it's not already installed on the server. IIS is required on all
distribution points.

Note

Although this setting is optional, IIS is required to add the distribution
point role.

Enable and configure BranchCache for this distribution point

Description: This value is a friendly description for the distribution point to
help you recognize it in the console.

Enable this distribution point for prestaged content

8. On the Drive Settings page, specify the drive settings for the secondary site
distribution point.

You can configure up to two disk drives for the content library and two disk drives
for the package share. However, Configuration Manager can use other drives when
the first two reach the configured drive space reserve. Use this Drive Settings page
to configure the priority for the disk drives and the amount of free disk space to
remain on each disk drive.

Drive space reserve (MB): The value that you configure for this setting
determines the amount of free space on a drive before Configuration
Manager chooses a different drive and continues the copy process to that
drive. Content files can span multiple drives.

Content Locations: Specify the content locations for the content library and
package share. Configuration Manager copies content to the primary content
location until the amount of free space reaches the value that's specified for
Drive space reserve (MB).

By default, the content locations are set to Automatic. The primary content
location is set to the disk drive that has the most space at installation time. The
secondary location is set to the disk drive that has the most free disk space after
the primary drive. When the primary and secondary drives reach the drive space
reserve, Configuration Manager selects another available drive with the most free
disk space and continues the copy process.

9. On the Content Validation page, specify whether to validate the integrity of
content files on the distribution point.

When you enable content validation on a schedule, Configuration Manager
starts the process at the scheduled time. It verifies all content on the
distribution point.

You can also configure the Content validation priority.

10. On the Boundary Groups page, manage the boundary groups for this distribution
point:

Allow fallback source location for content: This option allows clients outside
these boundary groups to fall back and use the distribution point as a source
location for content when no preferred distribution points are available.

For more information, see Fundamental concepts for content management.

11. On the Summary page, verify the settings, and then choose Next to install the
secondary site. When the wizard shows the Completion page, you can close the
wizard. The secondary site installation continues in the background.

How to verify the secondary site installation status


1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. Select the new secondary site, and then choose Show Install Status in the ribbon.

Tip

When you install more than one secondary site at a time, the Prerequisite
Checker runs against a single site at a time. It finishes a site before it starts to
check the next site.

Next steps
Configure sites and hierarchies

Install consoles

Use a command line to install Configuration Manager sites
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can run Configuration Manager setup at a command prompt to automate the
installation of different kinds of site types. This article provides an overview of the
command-line methods.

Supported tasks for command-line installations

Install a central administration site (CAS) or primary site

Modify the languages in use at a CAS or primary site

Recover a site

Tip

You can also install the Configuration Manager client and console from the
command prompt. For more information, see the following articles:

Install consoles
Deploy clients to Windows computers

About the command-line script file


For unattended installations of Configuration Manager, you can specify a script file that
contains installation options.

Note

You can't use the unattended script file to upgrade an evaluation site to a licensed
installation of Configuration Manager.

To use an answer file with setup, first configure the script file with required keys and
values. For an unattended installation of a CAS or primary site, the script file requires the
following sections:

Identification
Options
SQLConfigOptions
HierarchyExpansionOption
CloudConnectorOptions
SABranchOptions

Then run setup with the command-line option /SCRIPT and specify a script file.

To recover a site, the script file also uses the RecoveryOptions section.

For a list of keys and values to use in an unattended installation script file, see
Unattended setup script file keys.

Note

When you run setup from the CD.Latest folder for a scripted install or recovery,
include the CDLatest key with a value of 1. This value isn't supported with
installation media from the Microsoft Volume License site. For more information on
how to use this key name in the script file, see Command-line options.

Create the script


When you run setup to install a site using the user interface, setup automatically creates
the installation script. When you confirm the settings on the Summary page of the
wizard, the following actions happen:

Setup creates the script %TEMP%\ConfigMgrAutoSave.ini. You can rename this file
before you use it, but it needs the .ini file extension.
The unattended installation script contains the settings that you selected in the
wizard.
You can modify the script to install other sites in your hierarchy.
You can use this script to do an unattended setup of Configuration Manager.

This script file provides the same information as the Setup Wizard, except that there are
no default settings. Specify all values for the setup keys that are required and necessary
for your requirements.

When setup creates the unattended installation script, it includes the product key that
you entered in the Setup Wizard. This key can be a valid product key, or EVAL to install
an evaluation version of Configuration Manager. The product key value in the script is
required by the prerequisite checker. When setup starts the actual site installation, it
clears the product key value in the script. Before using the script for an unattended
installation of a new site, edit the script to provide a valid product key or to specify an
evaluation installation of Configuration Manager.

Tip

You can also manually create the script file from a plain-text editor like Notepad.

Section names, key names, and values


The script contains section names, key names, and values.

Required section key names vary depending on the installation type.
The order of the sections and the order of the keys within sections aren't
important.
The keys aren't case-sensitive.
When you provide values for keys, the name of the key must be followed by an
equal sign (=) and the value for the key. For example, CDLatest=1

To view the full set of options, see Command-line options for setup and scripts.

Use a setup script file


To use a setup script file, specify the file name after the /SCRIPT command-line option.

The script file name requires the .ini extension.
Provide the full path to the file. For example, if you name the file setup.ini, and
store it in the C:\Setup folder, then use the following command line:
setup.exe /script C:\Setup\setup.ini
The account that runs setup must have Administrator rights on the computer.
When you run setup with the unattended script, open the command prompt
window with the Run as administrator option.

Modify languages
To modify the languages that are installed at a site from a command prompt:

Run setup from <ConfigMgrInstallationPath>\Bin\X64 on the site server
Use the /MANAGELANGS command-line option
Specify a language script file with the languages to add or remove

For example, use the following command syntax:
setupwpf.exe /MANAGELANGS <language script file>

For more information on the values to use in the language script file, see Manage languages.

For more information on languages in Configuration Manager, see Language packs.

Next steps
Command-line options for setup

Unattended setup script file keys

Install the Configuration Manager console


Command-line options for Configuration Manager setup
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use this information to configure scripts or to install Configuration Manager from a
command line. For more information on how to use these command-line options, see
Command-line overview.

Run setup.exe from the \BIN\X64 directory of the Configuration Manager installation
path on the site server.

Tip

You can also use setupwpf.exe from the same folder, but it doesn't include basic
prerequisite checks.

/DEINSTALL
Uninstall the site. Run setup from the site server computer.

/DONTSTARTSITECOMP
Install a site, but prevent the Site Component Manager service from starting. Until the
Site Component Manager service starts, the site isn't active. The Site Component
Manager is responsible for installing and starting the SMS_Executive service, and for
other processes at the site. After the site install is finished, when you start the Site
Component Manager service, it installs the SMS_Executive service and other processes
that are necessary for the site to operate.

/HIDDEN
Hide the user interface during setup. Only use this option with the /SCRIPT option. The
unattended script file must provide all required options or setup fails.

/NOUSERINPUT
Disable user input during setup, but display the setup wizard. Only use this option with
the /SCRIPT option. The unattended script file must provide all required options or
setup fails.

/RESETSITE
Run a site reset. This action resets the database and service accounts for the site. For
more information, see Run a site reset.

/SQLMOVE
Move the site database. This action moves the site database to a new instance of SQL
Server on the same computer, or to a different computer that runs a supported version
of SQL Server. For more information, see Modify the site database configuration.

Provide the SQL server name, database name and instance name in the following
format:

/SQLMOVE <SQL Server FQDN>:<Database Name>:<SSB Port>

/SQLMOVE <SQL Server FQDN>:<InstanceName>\<Database Name>:<SSB Port>

/TESTDBUPGRADE
Run a test on a backup of the site database to make sure that the database can
upgrade.

Important

The test upgrade is no longer a required or recommended step for most sites.

If your database is suspect, or is modified by customizations not explicitly
supported by Configuration Manager, continue to use this process.

Don't run this command-line option on your production site database. Running this
command-line option on your production site database upgrades the site database
and could render your site inoperable.

Provide the instance name and database name for the site database. If you specify only
the database name, setup uses the default instance name.

/TESTDBUPGRADE <Instance name>\<Database name>

For example:

/TESTDBUPGRADE CM_ABC

/TESTDBUPGRADE Named\CM_ABC

For more information, see Test the database upgrade when installing an update.

/UPGRADE
Run an unattended upgrade of a site. Specify the product key including the dash ( - )
delimiters. Also specify the path to the previously downloaded setup prerequisite files.

For example: /UPGRADE xxxxx-xxxxx-xxxxx-xxxxx-xxxxx C:\Setup\prereqs

For more information about setup prerequisite files, see Setup Downloader.

/SCRIPT
Run an unattended installation. Use a setup initialization file with this option. For more
information about how to run setup unattended, see Install sites using a command line.
For more information on the script file keys and values, see Unattended setup script file
keys.

For example: /SCRIPT C:\Setup\setup.ini

/SDKINST
Install the SMS Provider on the specified server. Provide the fully qualified domain name
(FQDN) for the SMS Provider computer. For more information about the SMS Provider,
see Plan for the SMS Provider.

For example: /SDKINST cm02.contoso.com

/SDKDEINST
Uninstall the SMS Provider on the specified computer. Provide the FQDN for the SMS
Provider computer.

For example: /SDKDEINST cm01.contoso.com


/MANAGELANGS
Manage the languages that are installed at a previously installed site. Provide the
location for the language script file that contains the language settings. For more
information, see the Keys to manage languages.

For example: /MANAGELANGS C:\Setup\langsetup.ini

Next steps
Unattended setup script file keys

Unattended setup script file keys
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article defines all of the keys and values to specify in the .ini installation script file.
Use this file with the /SCRIPT command-line option to do an unattended installation or
recovery of a Configuration Manager site. The tables in this article show:

The available setup script keys and their corresponding values
If they're required
Which type of installation they're used for
A short description of the key

For more information, see the following articles:

Command-line overview
Setup command-line options

Specify the section names in square brackets ([]): [<Section name>]. For example,
[Identification].

When you provide values for keys, the name of the key must be followed by an equal
sign (=) and the value for the key: <Key name>=<Value>. For example, CDLatest=1. Make
sure the keys are under the appropriate section.

Each section and each value needs to be unique in a single script. For example, there
can only be one [Identification] section and only one Action key.

Supported actions

A script is primarily defined by the Action key in the Identification section. The
following list includes all of the currently supported actions for running setup
unattended:

InstallCAS: Install a central administration site (CAS)
InstallPrimarySite: Install a primary site
ManageLanguages: Add or remove client and server languages
RecoverPrimarySite: Recover a primary site
RecoverCCAR: Recover a CAS


Install a site

Identification section for site install

Depending upon the type of site you're installing, include the following keys with the
appropriate values in the Identification section:

Key name | Required | Values | Details
Action | Yes | InstallPrimarySite: Install a primary site; InstallCAS: Install a central administration site (CAS) | -
CDLatest | Yes (see note 2) | 1: Setup runs from CD.Latest | When you run setup from the CD.Latest folder, include this key and value. This value tells setup that you're using media from CD.Latest.

Note 2: CDLatest required

The CDLatest key is only required when you run setup from the CD.Latest folder to
install a primary site or a central administration site. For more information, see About the
command-line script file.

Options section for site install

Include the following keys in the Options section to install a site:

Key name | Required | Values | Details
ProductID | Yes | xxxxx-xxxxx-xxxxx-xxxxx-xxxxx: A valid product key with dashes; Eval: Install the evaluation version | The type of license to install.
SiteCode | Yes | Three-character code, for example XYZ | The three-character site code that uniquely identifies the site in the hierarchy.
SiteName | Yes | A site name | The friendly name for this site to help identify it.
SMSInstallDir | Yes | Local directory path | The installation folder for the Configuration Manager program files.
SDKServer | Yes | SMS Provider FQDN | The FQDN of the first server to host the SMS Provider.
PrerequisiteComp | Yes | 0: Download; 1: Already downloaded | Specify whether prerequisite files have already been downloaded. If you use a value of 0, setup downloads the files.
PrerequisitePath | Yes | Local directory path | The path to the prerequisite files. Depending on the PrerequisiteComp value, setup uses this path to store downloaded files or to locate previously downloaded files.
AdminConsole | Yes | 0: Don't install; 1: Install | Specify whether to install the Configuration Manager console on the site server.
JoinCEIP | Yes | 0 | While support for the Customer Experience Improvement Program (CEIP) was removed from the product, this key is still required.
MobileDeviceLanguage | Yes | 0: Don't install; 1: Install | Specify whether the mobile device client languages are installed.

When you install a site, you can also specify the keys to manage languages, such as
AddServerLanguages or AddClientLanguages . For more information, see Options section
for languages.

The following keys in the Options section are specific to a primary site:

Key name | Required | Values | Details
ManagementPoint | No | MP FQDN | The FQDN of the server that will host the first management point (MP) site system role.
ManagementPointProtocol | No | HTTPS or HTTP | The protocol to use for the MP.
DistributionPoint | No | DP FQDN | The FQDN of the server that will host the first distribution point (DP) site system role.
DistributionPointProtocol | No | HTTPS or HTTP | The protocol to use for the DP.
DistributionPointInstallIIS | No | 0: Don't install; 1: Install | Specify whether to install IIS on the DP.
RoleCommunicationProtocol | Yes | EnforceHTTPS or HTTPorHTTPS | Specify whether to configure all site systems to accept only HTTPS communication from clients, or to configure the communication method for each site system role. When you select EnforceHTTPS, clients need a valid public key infrastructure (PKI) certificate for client authentication.
ClientsUsePKICertificate | Yes | 0: Don't use; 1: Use | Specify whether clients will use a client PKI certificate to communicate with site system roles.
UseFQDN | No | 0: Don't use; 1: Use | Specify whether the site systems' FQDN is for use on the internet.
ParentSiteCode | No | Site code | When you're adding a child primary site to an existing hierarchy, specify the site code of the CAS.
ParentSiteServer | No | FQDN | When you're adding a child primary site to an existing hierarchy, specify the FQDN of the CAS server.

SQLConfigOptions section for site install

Include the following keys in the SQLConfigOptions section to install a site:

Key name | Required | Values | Details
SQLServerName | Yes | FQDN of SQL Server | The name of the server or clustered instance that's running SQL Server to host the site database.
DatabaseName | Yes | Name or Instance\Name | The name of the SQL Server database to create or use. If it's on the default instance, just specify the database name. Otherwise specify the instance and name.
SQLServerPort | No | Port number | The port that SQL Server uses. By default, it uses 1433.
SQLSSBPort | No | Port number | The SQL Server Service Broker (SSB) port. By default, SSB uses TCP port 4022.
SQLDataFilePath | No | Local directory path | An alternate location to create the database .mdb file.
SQLLogFilePath | No | Local directory path | An alternate location to create the database .ldf log file.
AGBackupShare | No | Network share path | The network location for sharing database backups when creating the site database in an Availability Group. The backup share is only needed if automatic seeding is not set.

CloudConnectorOptions section for site install

Include the following keys in the CloudConnectorOptions section to install a site:

Key name | Required | Values | Details
CloudConnector | Yes | 0: Don't install; 1: Install | Specify whether to install a service connection point (SCP) at this site. Because you can only install the SCP at the top-tier site of a hierarchy, set this value to 0 for a child primary site.
CloudConnectorServer | Yes* | SCP FQDN | The FQDN of the server that will host the SCP role. * Only required when CloudConnector equals 1.
UseProxy | Yes* | 0: No proxy; 1: Use proxy | Specify whether the SCP uses a proxy server. * Only required when CloudConnector equals 1.
ProxyName | Yes* | Proxy FQDN | The FQDN of the proxy server that the SCP uses. * Only required when UseProxy equals 1.
ProxyPort | Yes* | Port number | The port number of the proxy server that the SCP uses. * Only required when UseProxy equals 1.

SABranchOptions section for site install

Include the following keys in the SABranchOptions section to install a site:

Key name | Required | Values | Details
SAActive | Yes | 0: You don't have SA; 1: SA is active | Specify if you have active Software Assurance (SA). For more information, see Product and licensing FAQ.
CurrentBranch | Yes | 0: Install the LTSB; 1: Install current branch | Specify whether to use Configuration Manager current branch or long-term servicing branch (LTSB). For more information, see Which branch of Configuration Manager should I use?
SAExpiration | No | Date | The date when SA expires, used as a convenient reminder of that date. For more information, see Licensing and branches.

HierarchyExpansionOption section for site expansion

When you're installing a CAS to expand a standalone primary site into a hierarchy, use
the following keys in the HierarchyExpansionOption section:

Key name | Required | Values | Details
CCARSiteServer | No | CAS FQDN | The FQDN of the CAS that a primary site attaches to when it joins the Configuration Manager hierarchy. Specify the CAS during setup.
CASRetryInterval | No | Minutes | If the connection to the CAS fails, the primary site waits this number of minutes, and then reattempts the connection.
WaitForCASTimeout | No | 0 to 100 | The maximum timeout value in minutes for a primary site to connect to the CAS.
UseDistributionView | No | 0: Don't enable; 1: Enable | Specify whether to use distributed views to optimize database replication.
JoinPrimarySiteName | No | Site server FQDN | The FQDN of the primary site server to expand.

Manage languages

Identification section for languages

Include the following key in the Identification section to manage languages:

Key name | Required | Values | Details
Action | Yes | ManageLanguages | Manages the server, client, and mobile client language support at a site.

Options section for languages

Include the following keys in the Options section to manage languages:

Key name | Required | Values | Details
AddServerLanguages | No | See note 1 | The server languages that will be available for the Configuration Manager console, reports, and other objects.
AddClientLanguages | No | See note 1 | The languages that will be available to client computers.
DeleteServerLanguages | No | See note 1 | The languages to remove. They'll no longer be available for the Configuration Manager console, reports, and other objects.
DeleteClientLanguages | No | See note 1 | The languages to remove, which will no longer be available to client computers. English is available by default; you can't remove it.
MobileDeviceLanguage | Yes | 0: Don't install; 1: Install | Specify whether the mobile device client languages are installed.
PrerequisiteComp | Yes | 0: Download; 1: Already downloaded | Specify whether prerequisite files have already been downloaded. For example, if you use a value of 0, setup downloads the files.
PrerequisitePath | Yes | Local directory path | The path to the prerequisite files. Depending on the PrerequisiteComp value, setup uses this path to store downloaded files or to locate previously downloaded files.
ResetSecSiteLangs | No | 0: Don't reset; 1: Reset | Reset the language packs installed at a secondary site.

Note 1: Supported language values

Use the three-letter code for the server languages or client languages that Configuration
Manager supports. For example, to add support for German on the client, specify the
following key and value pair: AddClientLanguages=DEU

English ( ENG ) is available by default. You don't have to add it, and you can't remove it.

Recover a site

Identification section for site recovery

Depending upon the type of site you're recovering, include the following keys with the
appropriate values in the Identification section:

Key name | Required | Values | Details
Action | Yes | RecoverPrimarySite: Recover a primary site; RecoverCCAR: Recover a CAS | -
CDLatest | Yes (see note 3) | 1: Setup runs from CD.Latest | When you run setup from the CD.Latest folder, include this key and value. This value tells setup that you're using media from CD.Latest.

Note 3: CDLatest required

The CDLatest key is only required when you run setup from the CD.Latest folder to
recover a site. For more information, see About the command-line script file.

RecoveryOptions section for site recovery

Include the following keys in the RecoveryOptions section to recover a site:

Key name | Required | Values | Details
ServerRecoveryOptions | Yes | 1: Site server and SQL Server; 2: Site server only; 4: SQL Server only | What components to recover. See note 4.
DatabaseRecoveryOptions | Yes* | 10: Restore from backup; 20: Manually recovered; 40: Create new database; 80: Skip | Specify how setup recovers the site database in SQL Server. * Only required when ServerRecoveryOptions is 1 or 4.
ReferenceSite | Yes* | FQDN | The reference primary site that the CAS uses to recover global data. * Only required when DatabaseRecoveryOptions is 40. See note 5.
SiteServerBackupLocation | No | Directory path | The path to the site server backup set. If you don't specify a value, setup reinstalls the site without restoring it from a backup set.
BackupLocation | Yes* | Directory path | The path to the site database backup set. * Required when ServerRecoveryOptions is 1 or 4, and DatabaseRecoveryOptions is 10.

Note 4: ServerRecoveryOptions value notes

1 or 2: To recover the site by using a site backup, specify a value for
SiteServerBackupLocation. If you don't specify a value, setup reinstalls the site
without restoring it from a backup set.

4: The BackupLocation key is required when you configure a value of 10 for the
DatabaseRecoveryOptions key, which is to restore the site database from backup.

Note 5: ReferenceSite value notes

If the database backup is older than the change-tracking retention period, or when
you recover the site without a backup, specify the reference primary site that the
CAS uses to recover global data.

When you don't specify a reference site, and the backup is older than the
change-tracking retention period, all primary sites are reinitialized with the restored
data from the CAS.

When you don't specify a reference site, and the backup is within the
change-tracking retention period, only changes that are made after the backup are
replicated from primary sites. When there are conflicting changes from different
primary sites, the CAS uses the first one that it receives.

Options section for site recovery

Many of the keys in the Options section are also required for site recovery. For more
information, see Options section for site install. The following table summarizes the keys
in the Options section for site recovery:

Key name | Required | Comment
ProductID | Yes | -
SiteCode | Yes | Use the same site code that it used before the failure.
SiteName | No | -
SMSInstallDir | Yes | -
SDKServer | Yes | Use the same server that hosted this role before the failure.
PrerequisiteComp | Yes | -
PrerequisitePath | Yes | -
AdminConsole | Yes* | * Only required when ServerRecoveryOptions is 1 or 2.
JoinCEIP | Yes | -

SQLConfigOptions section for site recovery

Many of the keys in the SQLConfigOptions section are also required for site recovery. For
more information, see SQLConfigOptions section for site install. The following table
summarizes the keys in the SQLConfigOptions section for site recovery:

Key name | Required | Comment
SQLServerName | Yes | Use the same server that hosted the site database before the failure.
DatabaseName | Yes | Use the same database name that was used before the failure.
SQLSSBPort | Yes | Use the same port that was used before the failure.
SQLDataFilePath | No | -
SQLLogFilePath | No | -

CloudConnectorOptions section for site recovery

Many of the keys in the CloudConnectorOptions section are also required for site
recovery. For more information, see CloudConnectorOptions section for site install. The
following table summarizes the keys in the CloudConnectorOptions section for site
recovery:

Key name | Required | Comment
CloudConnector | Yes | -
CloudConnectorServer | Yes* | * Only required when CloudConnector equals 1.
UseProxy | Yes* | * Only required when CloudConnector equals 1.
ProxyName | Yes* | * Only required when UseProxy equals 1.
ProxyPort | Yes* | * Only required when UseProxy equals 1.

HierarchyExpansionOption section for site recovery

Many of the keys in the HierarchyExpansionOption section are also required for site
recovery. For more information, see HierarchyExpansionOption section for site install.
The following table summarizes the keys in the HierarchyExpansionOption section for
site recovery:

Key name | Required | Comment
CCARSiteServer | Yes* | * Only required if the primary site was attached to a CAS before the failure.
CASRetryInterval | No | -
WaitForCASTimeout | No | -

Examples

Example script to install a primary site

[Identification]
Action=InstallPrimarySite
CDLatest=1

[Options]
ProductID=Eval
SiteCode=XYZ
SiteName=Contoso eval site
SMSInstallDir=D:\Program Files\Microsoft Configuration Manager
SDKServer=cmsite.contoso.com
PrerequisiteComp=0
PrerequisitePath=C:\Sources\Redist
AdminConsole=1
JoinCEIP=0
ManagementPoint=cmsite.contoso.com
ManagementPointProtocol=HTTP
DistributionPoint=cmsite.contoso.com
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=1
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
MobileDeviceLanguage=0

[SQLConfigOptions]
SQLServerName=cmsql.contoso.com
SQLServerPort=1433
DatabaseName=CM_XYZ
SQLSSBPort=4022
SQLDataFilePath=E:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\
SQLLogFilePath=E:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\

[CloudConnectorOptions]
CloudConnector=1
CloudConnectorServer=cmsite.contoso.com
UseProxy=0

[SABranchOptions]
SAActive=1
CurrentBranch=1
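The section/key format described under "Section names, key names, and values" and the required-key tables above, checked in code. This is an added example, not part of the Configuration Manager documentation or product: it parses a setup .ini with Python's standard configparser, reports missing required and conditionally required keys (per Action, CloudConnector/UseProxy, and ServerRecoveryOptions/DatabaseRecoveryOptions), and warns on the HTTP settings that the version 2103 deprecation discourages. Folding section names like key names is an assumption, and SAMPLE_SCRIPT is constructed from the example script's values.

```python
"""Check a Configuration Manager unattended setup script (.ini) against the key tables
above. Added example, not product code; SAMPLE_SCRIPT is constructed for the demo."""
import configparser
# Required keys per section, transcribed from the "Install a site" and "Recover a site" tables.
INSTALL_REQUIRED = {
    "identification": ["action"],
    "options": ["productid", "sitecode", "sitename", "smsinstalldir", "sdkserver",
                "prerequisitecomp", "prerequisitepath", "adminconsole", "joinceip",
                "mobiledevicelanguage"],
    "sqlconfigoptions": ["sqlservername", "databasename"],
    "cloudconnectoroptions": ["cloudconnector"],
    "sabranchoptions": ["saactive", "currentbranch"]}
PRIMARY_REQUIRED = ["rolecommunicationprotocol", "clientsusepkicertificate"]  # primary only
RECOVER_REQUIRED = {
    "identification": ["action"],
    "recoveryoptions": ["serverrecoveryoptions"],
    "options": ["productid", "sitecode", "smsinstalldir", "sdkserver",
                "prerequisitecomp", "prerequisitepath", "joinceip"],
    "sqlconfigoptions": ["sqlservername", "databasename", "sqlssbport"],
    "cloudconnectoroptions": ["cloudconnector"]}
# Constructed sample: a primary-site script as setup leaves it in %TEMP%\ConfigMgrAutoSave.ini,
# with the ProductID value cleared after installation.
SAMPLE_SCRIPT = r"""
[Identification]
Action=InstallPrimarySite
[Options]
ProductID=
SiteCode=XYZ
SiteName=Contoso eval site
SMSInstallDir=D:\Program Files\Microsoft Configuration Manager
SDKServer=cmsite.contoso.com
PrerequisiteComp=0
PrerequisitePath=C:\Sources\Redist
AdminConsole=1
JoinCEIP=0
ManagementPointProtocol=HTTP
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
MobileDeviceLanguage=0
[SQLConfigOptions]
SQLServerName=cmsql.contoso.com
DatabaseName=CM_XYZ
[CloudConnectorOptions]
CloudConnector=1
[SABranchOptions]
SAActive=1
CurrentBranch=1
"""


def validate_script(text):
    """Return (errors, warnings). Errors: duplicate section/key (each must be unique) or
    a missing required or conditionally required key. Warnings: HTTP settings deprecated
    above but accepted by setup. Folding section names like keys is an assumption here."""
    errors, warnings = [], []
    parser = configparser.ConfigParser(interpolation=None)  # keep '%' literal in paths
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"parse error: {exc}"], warnings
    cfg = {s.lower(): {k.lower(): v.strip() for k, v in parser[s].items()}
           for s in parser.sections()}
    action = cfg.get("identification", {}).get("action", "").lower()
    if action in ("installprimarysite", "installcas"):
        required = {s: list(keys) for s, keys in INSTALL_REQUIRED.items()}
        if action == "installprimarysite":
            required["options"] += PRIMARY_REQUIRED
    elif action in ("recoverprimarysite", "recoverccar"):
        required = RECOVER_REQUIRED
    else:
        return [f"unsupported or missing Action value: {action!r}"], warnings
    for section, keys in required.items():
        if section not in cfg:
            errors.append(f"missing section [{section}]")
        else:
            errors += [f"[{section}] missing key {k}" for k in keys if k not in cfg[section]]
    opts = cfg.get("options", {})
    if "productid" in opts and not opts["productid"]:  # setup clears it after install
        errors.append("[options] productid is empty; supply a product key or Eval")
    # Conditional requirements from the CloudConnectorOptions table.
    cc = cfg.get("cloudconnectoroptions", {})
    if cc.get("cloudconnector") == "1":
        needed = ["cloudconnectorserver", "useproxy"]
        if cc.get("useproxy") == "1":
            needed += ["proxyname", "proxyport"]
        errors += [f"[cloudconnectoroptions] missing key {k}" for k in needed if k not in cc]
    # Conditional requirements from the RecoveryOptions table (notes 4 and 5).
    rec = cfg.get("recoveryoptions", {})
    sro, dro = rec.get("serverrecoveryoptions"), rec.get("databaserecoveryoptions")
    if sro in ("1", "4"):
        need = {None: "databaserecoveryoptions", "10": "backuplocation", "40": "referencesite"}.get(dro)
        if need and need not in rec:
            errors.append(f"[recoveryoptions] missing key {need} for ServerRecoveryOptions={sro}")
    if sro in ("1", "2") and "adminconsole" not in opts:
        errors.append("[options] adminconsole required when ServerRecoveryOptions is 1 or 2")
    # Sites that allow HTTP client communication are deprecated since version 2103.
    for key in ("managementpointprotocol", "distributionpointprotocol", "rolecommunicationprotocol"):
        if opts.get(key, "").lower() in ("http", "httporhttps"):
            warnings.append(f"[options] {key}={opts[key]} allows HTTP; prefer HTTPS or EnforceHTTPS")
    return errors, warnings
```

Run validate_script(SAMPLE_SCRIPT) to see the three errors (cleared ProductID, missing CloudConnectorServer and UseProxy) and two HTTP warnings the sample produces; the same function handles the recovery scripts described under "Recover a site".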

Install the Configuration Manager console
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Administrators use the Configuration Manager console to manage the Configuration
Manager environment. Each Configuration Manager console can connect to a central
administration site (CAS) or to a primary site. You can't connect a Configuration
Manager console to a secondary site.

The Configuration Manager console is always installed on the site server for the CAS or
a primary site. To install the console separate from site server installation, run the
standalone installer.

Prerequisites
Supported OS versions for Configuration Manager consoles

You have local Administrator rights on the target computer for the console.

You have Read permissions to the location of the console installation files.

.NET version requirements

Starting in version 2107, the console requires Microsoft .NET Framework version 4.6.2,
but version 4.8 is recommended. If you install the console on other devices, make sure
to update .NET. If the device doesn't already have it, the console setup doesn't install
this prerequisite.

Starting in version 2103, the ConfigurationManager PowerShell module requires
Microsoft .NET version 4.7.2 or later.

Note

.NET Framework version 4.6.2 is preinstalled with Windows Server 2016 and
Windows 10 version 1607. Later versions of Windows are preinstalled with a later
version of the .NET Framework.

.NET Framework version 4.8 isn't supported on some OS versions, such as Windows
10 2015 LTSB.

For more information, see .NET Framework system requirements.

Source paths
Decide which source path to use:

ConsoleSetup folder in the installation path on the site server: \Tools\ConsoleSetup

When you install a site server, it copies the console installation files and supported
language packs for the site to the Tools\ConsoleSetup subfolder. Optionally, you
can copy the ConsoleSetup folder to an alternate location to start the installation.
When you update the site, it always keeps its local version up to date.

Configuration Manager installation media: \SMSSETUP\BIN\I386

Installing the Configuration Manager console from the installation media always
installs the English version. This behavior happens even if the site server supports
different languages, or the target computer's OS is set to a different language.

When possible, start the console installer from the ConsoleSetup folder rather than
from the source media.

Important

Don't install the console using the CD.Latest source files. It's an unsupported
scenario, and may cause problems with the console installation. For more
information, see The CD.Latest folder.

If you create a package for installing the console on other computers, make sure the
package includes the following files:

ConsoleSetup.exe
AdminConsole.msi
ConfigMgr.AC_Extension.i386.cab
ConfigMgr.AC_Extension.amd64.cab

Use the Setup Wizard

1. Browse to the source path, and open ConsoleSetup.exe.

Important

Always install the console by using ConsoleSetup.exe. Although you can
install the Configuration Manager console by running AdminConsole.msi, this
method doesn't run prerequisite or dependency checks, so the console
might not install correctly.

2. In the wizard, select Next.

3. On the Site Server page, enter the fully qualified domain name (FQDN) of the site
server to which the Configuration Manager console connects.

4. On the Installation Folder page, enter the installation folder for the Configuration
Manager console. The folder path can't include trailing spaces or Unicode
characters.

5. On the Ready to Install page, select Install.

Install from a command prompt

Tip

Installing the Configuration Manager console from a command prompt always
installs the English version. This behavior happens even if the target computer's OS
is set to a different language. To install the Configuration Manager console in a
language other than English, use the Setup Wizard.

ConsoleSetup.exe command-line options

/q

Installs the Configuration Manager console unattended. The TargetDir and
DefaultSiteServerName options are required when you use this option.

/uninstall

Uninstalls the Configuration Manager console. Specify this option first when you use it
with the /q option.

LangPackDir
Specifies the path to the folder that contains the language files. You can use Setup
Downloader to download the language files. If you don't use this option, Setup looks
for the language folder in the current folder. If the language folder isn't found, Setup
continues to install English only. For more information, see Setup Downloader.

TargetDir

Specifies the installation folder to install the Configuration Manager console. This option
is required when you use the /q option.

DefaultSiteServerName

Specifies the FQDN of the site server to which the console connects when it opens. This
option is required when you use the /q option.

Examples

Silent install

ConsoleSetup.exe /q "TargetDir=%ProgramFiles%\ConfigMgr Console" DefaultSiteServerName=MyServer.Contoso.com

Silent install with language packs

ConsoleSetup.exe /q "TargetDir=C:\Program Files\ConfigMgr Console" DefaultSiteServerName=MyServer.Contoso.com LangPackDir=C:\Downloads\ConfigMgr

Silent uninstall

ConsoleSetup.exe /uninstall /q
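The following script is an added example, not part of the original article, that wires the earlier checks into one unattended console install: it reads the installed .NET Framework release from the registry, confirms the four installer files a console package must carry are present in the source folder, and then runs ConsoleSetup.exe /q with the two options that /q requires. The share path, site server FQDN and site code are placeholders; the Release thresholds are the values Microsoft publishes for .NET Framework 4.6.2, 4.7.2 and 4.8; treating exit code 3010 as "installed, restart required" assumes ConsoleSetup.exe passes that standard MSI code through.

```powershell
# Added example (not from the article): unattended console install with the .NET and
# source-file checks described above.
# Assumptions: the site's Tools\ConsoleSetup folder is reachable at $SourcePath (the
# SMS_<sitecode> share is a placeholder) and $SiteServer is the site server FQDN.
param(
    [string]$SourcePath  = '\\CM01.contoso.com\SMS_P01\Tools\ConsoleSetup',  # placeholder
    [string]$SiteServer  = 'CM01.contoso.com',                                # placeholder
    [string]$TargetDir   = "$env:ProgramFiles\ConfigMgr Console",
    [string]$LangPackDir = '',                                                # optional
    [switch]$Require48                                                        # 4.8 is recommended, not required
)

# .NET Framework 4.x exposes one "Release" DWORD; these are Microsoft's published
# minimum values: 4.6.2 = 394802, 4.7.2 = 461808, 4.8 = 528040.
$NetReleases = @{ '4.6.2' = 394802; '4.7.2' = 461808; '4.8' = 528040 }
$ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
$needed  = if ($Require48) { $NetReleases['4.8'] } else { $NetReleases['4.6.2'] }

if (-not $release -or $release -lt $needed) {
    throw "Installed .NET Framework Release '$release' is below the required $needed; console setup does not install .NET for you."
}
if ($release -lt $NetReleases['4.7.2']) {
    Write-Warning 'Below .NET 4.7.2: the console installs, but the ConfigurationManager PowerShell module (version 2103 and later) requires 4.7.2 or later.'
}
if ($release -lt $NetReleases['4.8']) {
    Write-Warning '.NET Framework 4.8 is recommended for the console.'
}

# The four files a console install package must include.
$required = 'ConsoleSetup.exe', 'AdminConsole.msi',
            'ConfigMgr.AC_Extension.i386.cab', 'ConfigMgr.AC_Extension.amd64.cab'
$missing = $required | Where-Object { -not (Test-Path (Join-Path $SourcePath $_)) }
if ($missing) { throw "Source folder '$SourcePath' is missing: $($missing -join ', ')" }

# TargetDir and DefaultSiteServerName are mandatory with /q; LangPackDir is optional.
# TargetDir is wrapped in quotes so the space in the path stays inside one argument.
$setupArgs = @('/q', "`"TargetDir=$TargetDir`"", "DefaultSiteServerName=$SiteServer")
if ($LangPackDir) { $setupArgs += "`"LangPackDir=$LangPackDir`"" }

$proc = Start-Process -FilePath (Join-Path $SourcePath 'ConsoleSetup.exe') `
                      -ArgumentList $setupArgs -Wait -PassThru -NoNewWindow

switch ($proc.ExitCode) {
    0       { "Console installed to $TargetDir" }
    3010    { 'Console installed; a restart is required (MSI exit code 3010, assumed to be passed through).' }
    default { throw "ConsoleSetup.exe returned exit code $($proc.ExitCode)" }
}
```

Run it from an elevated PowerShell session, since the console install needs local Administrator rights on the target computer; point $SourcePath at the site's ConsoleSetup folder rather than the installation media so the installed console matches the site's version and language packs.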

Postinstallation information

The Configuration Manager console requires installation of the built-in WebView2
extension for certain features such as Community hub and dashboards. A notification to
install the extension is given to the console user when they open the console. For more
information, see the WebView2 console extension.

Next steps

An administrator sees objects in the console based on the permissions assigned to their
user account. For more information, see Fundamentals of role-based administration.

For more information on the fundamentals of navigating the Configuration Manager
console, see How to use the console.

If your environment uses a proxy server, this configuration may impact the functionality
of the console. For more information, see Proxy server support - Configuration Manager
console.

Upgrade an evaluation installation of Configuration Manager to a full installation

Article • 10/04/2022

Applies to: Configuration Manager (current branch)

If you installed Configuration Manager as an evaluation version, after 180 days the
Configuration Manager console becomes read-only. You then need to activate the
product from the Site Maintenance page in Setup. At any time before or after the 180-
day period, you can upgrade to a full installation.

Note

When you connect a Configuration Manager console to an evaluation installation
of Configuration Manager, the window title bar displays the number of days that
remain until it expires. The number of days in the window title doesn't
automatically refresh. It only updates when you make a new connection to a site.

You can upgrade the following sites that run an evaluation installation:

Central administration site (CAS)
Primary site

Configuration Manager doesn't consider secondary sites as evaluation installations. So
after you upgrade a primary parent site to a full installation, you don't need to modify a
secondary site.

Prerequisites
To upgrade an evaluation version to a licensed version, you need the following
requirements:

A valid product license key to use during the upgrade.

Administrator rights on the site server.

Process
1. On the site server, run .\BIN\X64\Setup.exe from the Configuration Manager
installation folder. Use this copy of Setup because site maintenance options aren't
available when you run Setup from source media.

2. On the Before You Begin page, select Next.

3. On the Getting Started page, select Perform site maintenance or reset the Site,
and then select Next.

4. On the Site Maintenance page, select Upgrade the evaluation edition to a
licensed edition. Then enter a valid product key, and select Next.

5. On the Microsoft Software License Terms page, read and accept the license terms,
and then select Next.

6. On the Configuration page, select Close to complete the wizard.

Note

Until you reconnect the console to the site, the title bar might indicate that the site
is still an evaluation version.

Next steps

Configure sites and hierarchies

Upgrade to Configuration Manager current branch

Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in April 2022, this feature of Configuration Manager is deprecated. The
baseline media for version 2203 is the last version of Configuration Manager
current branch that will support upgrade from any version of System Center 2012
Configuration Manager. Current branch version 2303 media will only support new
installs of current branch.

Do an in-place upgrade to Configuration Manager current branch from a site and
hierarchy that runs System Center 2012 Configuration Manager. Before upgrading from
System Center 2012 Configuration Manager, you must prepare the sites. This
preparation requires you to remove specific configurations that can prevent a successful
upgrade. Then follow the upgrade sequence when more than a single site is involved.

Tip

When managing Configuration Manager site and hierarchy infrastructure, the terms
upgrade, update, and install are used to describe three separate concepts. To learn
how each term is used, see About upgrade, update, and install.

In-place upgrade paths

The following options are the currently supported in-place upgrade paths:

Upgrade to the latest current branch version

You can upgrade the following products to a fully licensed, baseline version of
Configuration Manager:

System Center 2012 Configuration Manager with Service Pack 2
System Center 2012 R2 Configuration Manager with Service Pack 1

For more information, see Frequently asked questions for Configuration Manager
branches and licensing.

Tip

When you upgrade from a System Center 2012 Configuration Manager version to
current branch, you might be able to streamline your upgrade process. For more
information, see the following:

Baseline and update versions
The CD.Latest folder

If you previously installed Configuration Manager Evaluation version, you can use the
upgrade process to convert the site to the full version. For more information, see
Upgrade an evaluation installation of Configuration Manager to a full installation.

Unsupported paths

The following paths aren't supported:

It's not supported to upgrade a technical preview branch to a fully licensed
installation. A technical preview version can only upgrade to a later version of the
technical preview.

Migration from a technical preview to a fully licensed version isn't supported.

Upgrade checklists

The following checklists can help you plan a successful upgrade to Configuration
Manager.

Before you upgrade

Review these steps before you upgrade to Configuration Manager.

Review your System Center 2012 Configuration Manager environment

Resolve issues as detailed in the following Microsoft Support article: Configuration
Manager clients reinstall every five hours because of a recurring retry task and may
cause an inadvertent client upgrade.

Make sure your environment meets the supported configurations

Review the server OS version in use to host site system roles:

Some older operating systems supported by System Center 2012 Configuration
Manager aren't supported by Configuration Manager current branch. Before the
upgrade, remove site system roles on those OS versions. For more information,
see Supported operating systems for site system servers.

The prerequisite checker for Configuration Manager doesn't verify the
prerequisites for site system roles on the site server or on remote site systems.
For example, you need to manually verify that remote site systems have at least
.NET version 4.6.2. For more information, see List of prerequisite checks for
Configuration Manager.

Review required prerequisites for each computer that hosts a site system role. For
example, to deploy an OS, Configuration Manager uses the Windows Assessment
and Deployment Kit (ADK). Before you run Setup, download and install the
Windows ADK on the site server and on each computer that runs an instance of
the SMS Provider.

For more information about supported platforms and prerequisite configurations, see
Supported configurations.

For more information about using the Windows ADK with Configuration Manager, see
Infrastructure requirements for OS deployment.

Review the site and hierarchy status and verify that there are no
unresolved issues

Before you upgrade a site, resolve all operational issues for the following components:

Site server
Site database server
Site system roles on remote computers

A site upgrade can fail because of existing operational problems.

Install all applicable critical updates for operating systems on computers that host
the site, the site database server, and remote site system roles

Before you upgrade a site, install any critical software updates for each applicable site
system. If an update that you install requires a restart, restart the applicable computers
before you start the upgrade.

Uninstall the site system roles not supported by Configuration Manager

The following site system roles are no longer used in Configuration Manager. Uninstall
them before you upgrade from System Center 2012 Configuration Manager:

Out of Band Management point

System Health Validator point

Application catalog website point and web service point

Disable database replicas for management points at primary sites

Configuration Manager can't upgrade a primary site that has a database replica for
management points. Disable database replication before you:

Create a backup of the site database to test the database upgrade
Upgrade the production site to Configuration Manager current branch

For more information, see the following articles:

System Center 2012 Configuration Manager: Configure database replicas for
management points
Configuration Manager, current branch: Database replicas for management points

Reconfigure software update points that use NLB

Configuration Manager can't upgrade a site that uses a Network Load Balancing (NLB)
cluster to host software update points.

If you use NLB clusters for software update points, use PowerShell to remove the NLB
cluster. (Beginning with System Center 2012 Configuration Manager SP1, there was no
option in the Configuration Manager console to configure an NLB cluster.)

Disable all site maintenance tasks at each site during its upgrade

Before you upgrade to Configuration Manager, disable any site maintenance tasks that
might run during the time the upgrade process is active. This list includes but isn't
limited to the following tasks:

Backup Site Server
Delete Aged Client Operations
Delete Aged Discovery Data

If a site database maintenance task runs during the upgrade process, the site upgrade
can fail.

Before you disable a task, record the schedule of the task so you can restore its
configuration after the site upgrade completes.

For more information about site maintenance tasks, see the following articles:

System Center 2012 Configuration Manager: Planning for site operations

Configuration Manager, current branch: Reference for maintenance tasks
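As an added example, not part of the article, the following PowerShell does what this checklist item asks: it records the current state and schedule of every maintenance task at a site to a JSON file, disables the ones that are enabled, and in Restore mode re-enables exactly those recorded as enabled and verifies none were missed. It assumes the ConfigurationManager module installed with the console provides Get-CMSiteMaintenanceTask and Set-CMSiteMaintenanceTask, that the returned task objects expose TaskName, Enabled, BeginTime, LatestBeginTime and DaysOfWeek, and that the site code is P01; these are assumptions, not statements from the article.

```powershell
# Added example (not from the article). Assumptions: ConfigurationManager module
# installed with the console; site code P01 is a placeholder; task objects expose
# TaskName, Enabled, BeginTime, LatestBeginTime and DaysOfWeek.
param(
    [string]$SiteCode = 'P01',
    [ValidateSet('Disable', 'Restore')] [string]$Mode = 'Disable',
    [string]$RecordPath = "$env:USERPROFILE\MaintenanceTasks-$SiteCode.json"
)

# The module ships next to the console binaries; SMS_ADMIN_UI_PATH is set by console setup.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
Push-Location "$SiteCode`:"   # the CM cmdlets require the site drive as the current location

try {
    if ($Mode -eq 'Disable') {
        # Record every task's schedule first, so the configuration can be put back unchanged.
        $tasks = Get-CMSiteMaintenanceTask -SiteCode $SiteCode |
                 Select-Object TaskName, Enabled, BeginTime, LatestBeginTime, DaysOfWeek
        $tasks | ConvertTo-Json | Set-Content -Path $RecordPath
        "Recorded $($tasks.Count) tasks to $RecordPath"

        # Disable everything that is currently enabled, not just the three named in the article,
        # since any task running mid-upgrade can fail the site upgrade.
        foreach ($t in $tasks | Where-Object { $_.Enabled }) {
            Set-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $t.TaskName -Enabled $false
            "Disabled: $($t.TaskName)"
        }
    }
    else {
        # Re-enable only the tasks that were enabled before the upgrade.
        $saved = Get-Content -Path $RecordPath -Raw | ConvertFrom-Json
        $wasOn = ($saved | Where-Object { $_.Enabled }).TaskName
        foreach ($name in $wasOn) {
            Set-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $name -Enabled $true
            "Re-enabled: $name"
        }
        # Verify: anything still disabled that was on before is a restore failure.
        $stillOff = Get-CMSiteMaintenanceTask -SiteCode $SiteCode |
                    Where-Object { -not $_.Enabled -and $_.TaskName -in $wasOn }
        if ($stillOff) { Write-Warning "Still disabled: $($stillOff.TaskName -join ', ')" }
        else { 'All previously enabled maintenance tasks are enabled again.' }
    }
}
finally {
    Pop-Location
}
```

Run it with -Mode Disable from the console computer before starting Setup at that site, keep the JSON record with the site backup, and run it with -Mode Restore after the upgrade completes; the saved BeginTime, LatestBeginTime and DaysOfWeek values are there so a changed schedule can be compared against the pre-upgrade one.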

Run setup prerequisite checker

Before you upgrade a site, run the Prerequisite Checker independently from setup to
validate that your site meets the prerequisites. Later, when you upgrade the site,
prerequisite checker runs again.

The independent prerequisite check evaluates the site for upgrade to both the current
branch and the long-term servicing branch (LTSB) of Configuration Manager. Because
some features aren't supported by the LTSB, you might see entries in the
ConfigMgrPrereq.log that are like the following examples:

INFO: The site is a LTSB edition.

Unsupported site system role 'Asset Intelligence synchronization point' for the LTSB edition; Error; Configuration Manager has detected that the 'Asset Intelligence synchronization point' is installed. Asset Intelligence is not supported on the LTSB edition. You must uninstall the Asset Intelligence synchronization point site system role before you can continue.

If you plan to upgrade to the current branch, errors for the LTSB edition can be safely
ignored. They only apply if you plan to upgrade to the LTSB.

Later, when you run Configuration Manager setup to do the upgrade, the prerequisite
check runs again. It evaluates your site based on the branch of Configuration Manager
you choose to install (current branch, or LTSB). If you choose to upgrade to the current
branch, it doesn't run the check for features that aren't supported by the LTSB.

For more information, see the Prerequisite checker and List of prerequisite checks.
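The following PowerShell is an added example, not from the article, that parses ConfigMgrPrereq.log entries of the shape quoted above (rule; status; message) and separates the LTSB-only errors, which can be ignored for a current branch upgrade, from the errors that actually block it. The sample log lines are constructed for the example and modelled on the article's excerpt; the timestamp and server-name prefix, and the use of the phrase "LTSB edition" as the marker for LTSB-only entries, are assumptions about the log format.

```powershell
# Added example (not from the article): classify ConfigMgrPrereq.log entries and keep
# only the errors that block a current branch upgrade.
# The sample lines are constructed for this example, modelled on the excerpt above.
$SampleLog = @'
<10-04-2022 09:00:00> CM01.contoso.com;    INFO: The site is a LTSB edition.
<10-04-2022 09:00:01> CM01.contoso.com;    SQL Server version;    Passed
<10-04-2022 09:00:02> CM01.contoso.com;    Unsupported site system role 'Asset Intelligence synchronization point' for the LTSB edition;    Error;    Configuration Manager has detected that the 'Asset Intelligence synchronization point' is installed. Asset Intelligence is not supported on the LTSB edition. You must uninstall the Asset Intelligence synchronization point site system role before you can continue.
<10-04-2022 09:00:03> CM01.contoso.com;    Pending system restart;    Warning;    A restart is pending on this computer.
<10-04-2022 09:00:04> CM01.contoso.com;    Microsoft .NET Framework 4.6.2 or later;    Error;    .NET Framework 4.6.2 or later is required on this site system.
'@

function ConvertFrom-PrereqLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Drop the "<timestamp>" prefix, then split the "server; rule; status; message" fields.
        $body   = $line -replace '^<[^>]*>\s*', ''
        $fields = @($body -split ';' | ForEach-Object { $_.Trim() })
        if ($fields.Count -lt 3) { continue }        # INFO lines carry no rule/status pair
        $message = if ($fields.Count -gt 3) { $fields[3..($fields.Count - 1)] -join ';' } else { '' }
        [pscustomobject]@{
            Server   = $fields[0]
            Rule     = $fields[1]
            Status   = $fields[2]
            Message  = $message
            # Heuristic keyed on the wording the article quotes for LTSB-only checks.
            LtsbOnly = ("$($fields[1]) $message" -match 'LTSB edition')
        }
    }
}

function Get-PrereqBlockers {
    param(
        [string[]]$Lines,
        [ValidateSet('CurrentBranch', 'LTSB')] [string]$Target = 'CurrentBranch'
    )
    $errors = ConvertFrom-PrereqLog -Lines $Lines | Where-Object Status -eq 'Error'
    if ($Target -eq 'CurrentBranch') { $errors = $errors | Where-Object { -not $_.LtsbOnly } }
    $errors
}

$lines = $SampleLog -split "`r?`n"
# Against a real run, read the log from the root of the system drive instead:
# $lines = Get-Content "$env:SystemDrive\ConfigMgrPrereq.log"

'Errors that block a current branch upgrade:'
Get-PrereqBlockers -Lines $lines -Target CurrentBranch | Format-Table Rule, Message -AutoSize

'Warnings to review before continuing:'
ConvertFrom-PrereqLog -Lines $lines | Where-Object Status -eq 'Warning' | Format-Table Rule, Message -AutoSize
```

With the constructed sample, the .NET rule is reported as a blocker while the Asset Intelligence error is dropped as LTSB-only; run with -Target LTSB to keep it. Warnings are listed separately because Setup lets you continue past them, but the article advises resolving as many as possible.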

Download prerequisite files and redistributable files for Configuration Manager

Use Setup Downloader to download prerequisite redistributable files, language packs,
and the latest product updates for Configuration Manager.

For information, see Setup Downloader.

Plan to manage server and client languages

When you upgrade a site, the site upgrade installs only the language pack versions you
select during the upgrade.

Setup reviews the current language configuration of your site. It then identifies the
language packs that are available in the folder where you store previously
downloaded prerequisite files.

You can affirm the selection of the current server and client language packs, or
change the selections to add or remove support for languages.

Only language packs that are available when you run Setup can be selected.

Note

You can't use the language packs from System Center 2012 Configuration Manager
to enable languages for a Configuration Manager current branch site.

For more information about language packs, see Language packs.

Review considerations for site upgrades

When you upgrade a site, some features and configurations reset to a default
configuration. To help you prepare for these and related changes, see Considerations for
upgrading.

Create a backup of the site database at the central administration site (CAS) and
primary sites

Before you upgrade a site, back up the site database to make sure that you have a
successful backup to use for disaster recovery.

For more information, see Backup and recovery.

Back up a customized configuration.mof file

If you use a customized configuration.mof file to define data classes you use with
hardware inventory, create a backup of this file. After the upgrade, restore this file to
your site. For more information, see How to extend hardware inventory.

Test the database upgrade process on a copy of the most recent site database backup

Before you upgrade a Configuration Manager CAS or primary site, test the site database
upgrade process on a copy of the site database.

Test the site database upgrade process. When you upgrade a site, the site
database might be modified.

Although testing the database upgrade isn't required, it can identify problems for
the upgrade before your production database is affected.

A failed site database upgrade can render your site database inoperable and might
require a site recovery to restore functionality.

Although the site database is shared between sites in a hierarchy, plan to test the
database at each applicable site before you upgrade that site.

If you use database replicas for management points at a primary site, disable
replication before you create the backup of the site database.

Configuration Manager doesn't support the backup of secondary sites, or the test
upgrade of a secondary site database.

It's not supported to run a test database upgrade on the production site database.
Doing so upgrades the site database and could render your site inoperable.

For more information, see Test the site database upgrade.


Restart the site server and each computer that hosts a site system role

Do this action to make sure there are no pending actions from a recent installation of
updates or from prerequisites.

Start the upgrade

Starting at the top-level site in the hierarchy, run Setup.exe from the Configuration
Manager source media.

After the top-level site upgrades, you can begin the upgrade of each child site.
Complete the upgrade of each site before you begin to upgrade the next site.

Until all sites in your hierarchy upgrade to Configuration Manager, your hierarchy
operates in a mixed version mode.

For information about how to run upgrade, see Upgrade sites.

After you upgrade

Review these steps after you upgrade to Configuration Manager.

Upgrade stand-alone Configuration Manager consoles

By default, when you upgrade a CAS or primary site, the installation also upgrades the
Configuration Manager console that's installed on the site server. Manually upgrade
each console that's installed on a computer other than the site server.

Tip

Close each open console before you start the upgrade.

For more information, see Install Configuration Manager consoles.

Reconfigure database replicas for management points at primary sites

If you use database replicas for management points at primary sites, uninstall the
database replicas before you upgrade the site. After you upgrade a primary site,
reconfigure the database replica for management points.

For more information, see Database replicas for management points.

Reconfigure any database maintenance tasks you disabled before the upgrade

If you disabled database maintenance tasks at a site before the upgrade, reconfigure
those tasks at the site using the same settings that were in place before the upgrade.

Upgrade clients
After all your sites upgrade to Configuration Manager, plan to upgrade clients.

When you upgrade a client, the current client software is uninstalled and the new client
software version is installed. To upgrade clients, you can use any method that
Configuration Manager supports.

Tip

When you upgrade the top-level site of a hierarchy, the client installation package
on each distribution point in the hierarchy is also updated. When you upgrade a
primary site, the client upgrade package that's available from that primary site is
updated.

For more information, see How to upgrade clients for Windows computers.

Considerations for upgrading

Automatic actions
When you upgrade to Configuration Manager, the following actions occur
automatically:

A site reset. This action includes a reinstallation of all site system roles.

If the site is the top-level site of a hierarchy, it updates the client installation
package on each distribution point in the hierarchy. The site also updates the
default boot images to use the new Windows PE version for the same version of
the Windows ADK. However, the upgrade doesn't upgrade existing media for use
with image deployment.

If the site is a primary site, it updates the client upgrade package for that site.

Manual actions after an upgrade

After you upgrade a site, make sure that you do the following actions:

Make sure that clients assigned to each primary site upgrade and install the new
client version.

Upgrade each Configuration Manager console that connects to the site and that
runs on a computer that's remote from the site server.

At primary sites where you use database replicas for management points,
reconfigure the database replicas.

After the site upgrades, manually upgrade physical media such as ISO files for CDs,
DVDs, or USB flash drives. This also includes prestaged media provided to hardware
vendors. The site upgrade updates the default boot images, but it can't upgrade media
files or devices that are used outside Configuration Manager.

Plan to update custom boot images when you don't require the older version of
Windows PE.

Actions that affect configurations and settings

When a site upgrades to Configuration Manager, some configurations and settings
don't persist after the upgrade. Some configurations are set to a new default. The
following list includes some settings that don't persist or that change:

Software Center: The following Software Center items are reset to their default
values:

Work information is reset to business hours from 5:00am to 10:00pm Monday
to Friday.

The value for Computer maintenance is set to Suspend Software Center
activities when my computer is in presentation mode.

The value for Remote control is set to the value in the client settings that are
assigned to the computer.

Software update summarization schedules: Custom summarization schedules for
software updates or software update groups are reset to the default value of one
hour. After the upgrade finishes, reset custom summarization values to the
required frequency.

Test the site database upgrade

This process only applies when you're upgrading a prior version like System Center 2012
Configuration Manager to Configuration Manager current branch.

Before you upgrade a site, test a copy of that site's database for the upgrade.

To test the database for an upgrade, you first restore a copy of the site database to an
instance of SQL Server that doesn't host a Configuration Manager site. The version of
SQL Server that you use to host the database copy must be a version of SQL Server that
Configuration Manager supports.

After you restore the site database, on the SQL Server computer, run Configuration
Manager Setup from the source media folder for Configuration Manager.

For more information including specific steps, see Test the database upgrade.

Upgrade sites

If you've completed the following tasks, you're ready to upgrade your Configuration
Manager site:

Pre-upgrade configurations for your site
Test the upgrade of the site database on a database copy
Download prerequisite files and language packs for the version that you plan to
install

When you upgrade a site in a hierarchy, you upgrade the top-level site of the hierarchy
first. This top-level site is either a CAS or a stand-alone primary site. After you complete
the upgrade of a CAS, you can upgrade child primary sites in any order you want. After
you upgrade a primary site, you can upgrade that site's secondary sites, or upgrade
other primary sites before you upgrade any secondary sites.

Before you upgrade a site, close the Configuration Manager console on the site server
until the upgrade successfully completes. Also close all remote consoles that run on
other computers. After the site upgrade completes successfully, you can reconnect the
console. Until you upgrade a console to the new version, that console can't display
some objects and information that are available in new version.

Upgrade a CAS or primary site

1. Verify that the user who runs Setup has the following security rights:

Local Administrator rights on the site server

If the site database server is remote from the site server, local Administrator
rights on it

2. On the site server, run the following program from the Configuration Manager
source media: .\SMSSETUP\BIN\X64\Setup.exe. This action starts the Configuration
Manager Setup wizard.

3. Read the information on the Before You Begin page, and then select Next.

4. On the Getting Started page, select Upgrade this Configuration Manager site,
and then select Next.

5. On the Product Key page:

If you previously installed Configuration Manager Evaluation version, you can
select Install the licensed edition of this product. Then enter your product key for
the full installation of Configuration Manager. This action converts the site to the
full version. For more information, see Upgrade an evaluation installation of
Configuration Manager to a full installation.

You can specify the Software Assurance expiration date of your licensing
agreement. This date is only a convenient reminder for you. If you don't
enter this value during setup, you can specify it later in the console.

Note

Microsoft doesn't validate this expiration date, and doesn't use this date for
license validation. It's a reminder to you of your expiration date. Configuration
Manager periodically checks for new software updates offered online. To be
eligible to install these updates, your license status should be current.

For more information, see Licensing and branches.

6. On the Microsoft Software License Terms page, read and accept the license terms,
and then select Next.

7. On the Prerequisite Licenses page, read and accept the license terms for the
prerequisite software, and then select Next. Setup downloads and automatically
installs the software on site systems or clients when it's required. Before you can
continue to the next page, agree to all terms.

8. On the Prerequisite Downloads page, specify whether Setup downloads the latest
content from the internet or uses previously downloaded files. This content
includes prerequisite redistributable files, language packs, and the latest product
updates. If you already used Setup Downloader, select Use previously downloaded
files and specify the download folder. For more information, see Setup
Downloader.

Note

When you use previously downloaded files, verify that the path to the
download folder contains the most recent version of the files.

9. On the Server Language Selection page, view the list of languages that are
currently installed for the site. Select other languages that are available at this site
for the Configuration Manager console and for reports. You can also clear
languages that you no longer want to support at this site. By default, English is
selected and can't be removed.

Important

Each version of Configuration Manager can't use language packs from a prior
version. To enable support for a language at a site that you upgrade, use the
version of the language pack for the new version. For example, during
upgrade from System Center 2012 Configuration Manager to Configuration
Manager current branch, if the current branch version of a language pack isn't
available with the prerequisite files you download, you can't install support for
that language.

10. On the Client Language Selection page, view the list of languages that are
currently installed for the site. Select other languages that are available at this site
for client computers, or clear languages that you no longer want to support at this
site. Specify whether to enable all client languages for mobile device clients, and
then select Next. By default, English is selected and can't be removed.

11. On the Settings Summary page, review the configuration. When you're ready,
select Next to start the Prerequisite Checker. This tool verifies server readiness for
the upgrade of the site. For more information, see Prerequisite Checker.

12. On the Prerequisite Installation Check page, if there are no problems listed, select
Next to upgrade the site and site system roles.

If the Prerequisite Checker finds a problem, select the item on the list for details
about how to resolve it. Resolve all items in the list that have an Error status before
you continue Setup. For items with a Warning status, resolve as many as possible
in your environment. After you resolve the issues, select Run Check to restart
prerequisite checking. For more detailed information, open the
ConfigMgrPrereq.log file in the root of the system drive. The log file can contain
additional information that's not displayed in the user interface. For a list of
installation prerequisite rules and descriptions, see Prerequisite checks.

On the Upgrade page, Setup displays the overall progress status. When Setup
completes the core site server and site system installation, you can close the wizard. Site
configuration continues in the background.

Upgrade a secondary site

1. Verify that the administrative user that runs Setup has the following security rights:

Local Administrator rights on the secondary site server

Infrastructure Administrator or Full Administrator security role on the
parent primary site

System administrator (SA) rights on the site database of the secondary site

2. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and then select the Sites node.

3. Select the secondary site that you want to upgrade. On the Home tab of the
ribbon, in the Site group, select Upgrade.

4. Select Yes to confirm the decision, and to start the upgrade of the secondary site.

The secondary site upgrade runs in the background. After the upgrade is complete,
confirm the status in the Configuration Manager console. Select the secondary site
server, then on the Home tab of the ribbon, in the Site group, select Show Install Status.

Post-upgrade tasks

After you upgrade a site, you might have to complete other tasks to finish the upgrade
or reconfigure the site. These tasks can include the following items:

Upgrade Configuration Manager clients
Upgrade Configuration Manager consoles
Re-enable database replicas for management points
Restore settings for Configuration Manager functionality that you use and that
doesn't persist after the upgrade

Next steps

Scenarios to streamline your installation of Configuration Manager current branch

Scenarios to streamline your installation of Configuration Manager

Article • 10/04/2022

Applies to: Configuration Manager (current branch)

With the release of update versions for Configuration Manager current branch, there are
new scenarios to streamline the install of a new hierarchy to an update version. You can
also use these techniques to upgrade from Microsoft System Center 2012 Configuration
Manager.

The following list is a summary of the two main scenarios:

Install a new Configuration Manager current branch hierarchy that runs an update
version.
Install only the top-tier site with a baseline version. Then immediately install an
update to bring that site current with the update version that you'll use. Then
install other sites directly to that update version.
This process skips the installation of other sites to a baseline level, and then
updating them to the update version that you want to use.
The process also skips the installation of clients to a baseline version, and then
reinstalling them when you update to a later version.

Upgrade a Microsoft System Center 2012 Configuration Manager infrastructure to
an update version of Configuration Manager.
Manually upgrade your central administration site (CAS) and each primary site
to a baseline version before you install an update version.
Don't upgrade secondary sites from Microsoft System Center 2012
Configuration Manager until your primary sites run the update version that
you'll use.
Don't upgrade clients from Microsoft System Center 2012 Configuration
Manager until your primary sites run the update version that you'll use.

Install a new hierarchy to an update version

1. Install a top-level site for your new hierarchy by using the baseline media. You can
use baseline media only to install the first site of a new hierarchy. For more
information, see Use the Setup Wizard to install sites.

After this step, your top-level site runs the baseline version.
2. Use in-console updates to update your top-level site to a later version. Before you
install any child sites or clients, update your top-level site to the update version
that you plan to use. For more information, see Updates for Configuration
Manager.

After this step, your top-level site runs the updated version.

3. If you intend for the first site to be a CAS, next install new child primary sites. Use
the installation media from the CD.Latest folder on the CAS server to install child
primary sites. Use this source media to make sure that new child primary sites
match the version of the CAS. For more information, see The CD.Latest folder for
Configuration Manager.

4. Add other site system roles on remote servers at the CAS and primary sites. This
action makes sure that the site systems run the updated version. For more
information, see Install site system roles.

5. If you plan to have secondary sites, at each primary site, use the in-console option
to install new secondary sites. Because you didn't install secondary sites while
primary sites were at the baseline version, you don't need to update the secondary
sites. Instead, you install new secondary sites that run the updated version. For
more information, see Install a secondary site.

6. Install new clients at the primary site. Because you didn't install clients while
primary sites were at the baseline version, you don't need to update clients.
Instead, install new clients that run the updated version. For more information, see
Deploy clients.

7. Install new consoles on remote computers. Because you didn't install consoles
while primary sites were at the baseline version, you don't need to update
consoles. Install them with the updated version. For more information, see Install
consoles.

Upgrade to current branch

1. Upgrade your top-level System Center 2012 Configuration Manager site to a
baseline version of the current branch. Use source media for Configuration
Manager current branch. You always upgrade the top-level site of a hierarchy first,
and then upgrade child sites. For more information, see Upgrade to Configuration
Manager.

After this step, your top-level site runs the baseline version.
2. Upgrade each child primary site in your hierarchy to the same baseline version.
When you upgrade from Microsoft System Center 2012 Configuration Manager,
manually upgrade each primary site to a baseline version of the current branch.
Don't upgrade secondary sites yet.

After this step, each primary site runs the baseline version.

3. Set service windows on child-primary sites. After you upgrade all of your primary
sites to the baseline version, configure maintenance windows to control when
those sites install infrastructure updates. For more information, see Service
windows for site servers.

Child primary sites automatically install the same updates that you install at a
CAS.
Secondary sites don't automatically install new versions. Update them
manually from the console.

After this step, child primary sites are ready to install updates during their service
window.

4. Install the update version at your top-level site. This action updates your top-level
site to the updated version. After a CAS installs the update version, each child
primary site automatically installs the same update during its service window. For
more information, see Updates for Configuration Manager.

After this step, your CAS and each primary site run the updated version.

5. Upgrade secondary sites. After a primary site installs the update, use the in-
console option to update secondary sites. This action upgrades secondary sites
directly from System Center 2012 Configuration Manager to the same update
version as the primary site. For more information about upgrading a secondary
site, see Upgrade sites.

6. Upgrade clients. This process upgrades clients directly from System Center 2012
Configuration Manager to the update version that you installed at the primary site.
For more information, see How to upgrade clients for Windows computers.

After this step, clients run the updated version.

7. Upgrade consoles on remote computers. This process upgrades consoles directly
from System Center 2012 Configuration Manager to the update version that you
installed at the primary site. For more information, see Install consoles.

Next steps
Configure sites and hierarchies
Configure sites and hierarchies for
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

After you install your first Configuration Manager site or add additional sites to your
hierarchy, use this checklist to ensure that you consider the most common
configurations that affect both sites and hierarchies.

The following configuration notes apply to most deployments:

Some options build upon each other, such as Active Directory Forest Discovery,
boundaries, and boundary groups.

Several configurations have default values to use without configuration changes, at
least to start.

Other configurations, like boundary groups and distribution point groups, require
you to configure them before you can use them.

Action and details:

Configure role-based administration: Segregate administrative assignments to control
which administrative users can view and manage different objects and data in your
Configuration Manager environment. Configurations for role-based administration are
shared with all sites in a hierarchy. For more information, see Configure role-based
administration.

Publish site data to Active Directory Domain Services: Make it easy for clients to find
services and efficiently use site resources. First extend the Active Directory schema.
Then individually configure each site to publish site data.

Configure a service connection point: Plan to install and configure the service
connection point at the top-level site of your hierarchy. For more information, see
About the service connection point.

Add site system roles: Install one or more additional site system roles for individual
sites. For more information, see Add site system roles.

Configure site boundaries and boundary groups: Specify boundaries that define network
locations on your intranet that can contain devices that you want to manage. Then
configure boundary groups so that clients at those network locations can find
Configuration Manager resources. For more information, see Define site boundaries and
boundary groups.

Configure distribution point groups: Configure logical groups of distribution points to
make managing deployments easier. For more information, see Manage distribution point
groups.

Run discovery: Run discovery to find resources on your network, including network
infrastructure, devices, and users. For more information, see Run discovery.

Add redundancy and capacity for administrators: Install additional SMS Providers and
Configuration Manager consoles to expand capacity for administrators to manage your
infrastructure. Install additional SMS Providers to provide redundancy for console and
API connections to the site (for more information, see Manage the SMS Provider).
Install additional Configuration Manager consoles to provide access to additional
administrative users (for more information, see Install Configuration Manager
consoles).

Configure site components: Configure site components at each site to modify the
behavior of site system roles and site status reporting. For more information, see
Site components.

Create custom collections: Using information that the site discovers about devices and
users, create custom collections of objects to simplify future management tasks. For
more information, see How to create collections.

Configure settings to manage high-risk deployments: Configure settings at a site to
warn administrators when they create a high-risk deployment. For more information, see
Settings to manage high-risk deployments.

Configure database replicas for management points: Configure a database replica to
reduce the processor load that's placed on the site database server by management
points as they service requests from clients. For more information, see Database
replicas for management points.

Configure a SQL Server Always On availability group: Configure availability groups as
high-availability and disaster-recovery solutions for hosting the site database at
primary sites and the central administration site. For more information, see Prepare
to use a SQL Server Always On availability group with Configuration Manager.

Modify replication between sites: See Data transfers between sites to learn about the
following subjects: configure file-based replication between secondary sites,
configure database replication links, and configure distributed views.

Configure site servers in passive mode: Starting in version 1806, configure a site
server in passive mode for each primary site and the central administration site. This
feature provides a highly available site server. For more information, see Site server
high availability.
Add site system roles for Configuration
Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Each Configuration Manager site supports multiple site system roles. Each role extends
the functionality and capacity of your site to provide services to the site and to manage
devices and users. Each site system role on a site system server must be from the same
site.

Configuration Manager doesn't support site system roles for multiple sites on a single
site system server.

Tip

If you're not familiar with the basics for site system roles or the difference between
the site server, site system servers, and site system roles, see Fundamentals of
Configuration Manager.

The following articles detail procedures and related details for installing site system
roles:

Install site system roles: Basic guidance about how to use the two in-console
wizards to install new site system roles.

Set up checklist for CMG: Set up a cloud management gateway (CMG) to manage
clients on the internet.

Install site system roles for on-premises mobile device management (MDM): Set up
your site system roles to support managing modern devices by using
Configuration Manager on-premises MDM.

Configuration options for site system roles: Some site system roles support
configurations that require more details than the user interface can explain.

Remove a site system role: Guidance and procedures to remove roles from site
system servers.
Install site system roles for
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

There are two methods in the Configuration Manager console to install site system
roles:

Add Site System Roles: Add site system roles to an existing site system server in
the site.

Create Site System Server: Specify a new server as a site system server, and then
install one or more roles. This method is the same as the Add Site System Roles,
except for the first page. You first specify the name of the server and the site in
which you want to install it.

Tip

When you install a role on a remote computer, Configuration Manager adds the
computer account of the remote computer to a local group on the site server.

When you install the site on a domain controller, the group on the site server is a
domain group instead of a local group. In this case, the remote site system role
doesn't immediately work. The site system server needs to restart, or you refresh
the Kerberos ticket for the remote server's computer account. For more
information, see Accounts used.

Before it installs the site system role, Configuration Manager checks the destination
computer to make sure it meets the prerequisites for the selected roles.

By default, when Configuration Manager installs a site system role, it installs files on the
first available NTFS-formatted disk drive that has the most available free disk space. To
prevent Configuration Manager from installing on specific drives, before you install the
site system server, create an empty file named NO_SMS_ON_DRIVE.SMS in the root of
the drive.
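As an added example (not from the Configuration Manager docs), the following PowerShell function writes the NO_SMS_ON_DRIVE.SMS marker to every fixed disk that roles must not use and flags a stale marker on the drive you do want to use. The allowed drive letter is a placeholder; run it on the target site system server before you install roles.

```powershell
# Added example (not from the Configuration Manager docs): write the NO_SMS_ON_DRIVE.SMS marker on
# every fixed disk that site system roles must NOT use, and report any stale marker on the drive you
# want Configuration Manager to pick. Run on the target site system server before installing roles.
function Set-NoSmsOnDriveMarker {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Drive letters Configuration Manager IS allowed to use; no marker is written there.
        [Parameter(Mandatory)]
        [string[]]$AllowedDrive
    )

    $allowed = $AllowedDrive | ForEach-Object { $_.TrimEnd(':', '\').ToUpperInvariant() }

    # DriveType 3 = local fixed disk. Removable and mapped network drives are not candidates.
    $volumes = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3'

    foreach ($vol in $volumes) {
        $letter = $vol.DeviceID.TrimEnd(':').ToUpperInvariant()
        $marker = Join-Path -Path "${letter}:\" -ChildPath 'NO_SMS_ON_DRIVE.SMS'
        $exists = Test-Path -LiteralPath $marker

        if ($allowed -contains $letter) {
            # A leftover marker here would silently push the install onto another drive.
            $note = if ($exists) { 'STALE marker on an allowed drive; remove it' } else { 'allowed' }
            [pscustomobject]@{
                Drive      = $letter
                FileSystem = $vol.FileSystem
                Marker     = $exists
                Note       = $note
            }
            continue
        }

        # Setup only checks that the file exists in the drive root; an empty file is enough.
        if (-not $exists -and $PSCmdlet.ShouldProcess($marker, 'Create NO_SMS_ON_DRIVE.SMS')) {
            New-Item -Path $marker -ItemType File -Force | Out-Null
            $exists = $true
        }

        [pscustomobject]@{
            Drive      = $letter
            FileSystem = $vol.FileSystem
            Marker     = $exists
            Note       = 'blocked'
        }
    }
}

# Placeholder: keep D: free for site system roles and block every other fixed disk.
Set-NoSmsOnDriveMarker -AllowedDrive 'D' | Format-Table -AutoSize
```

Run it with -WhatIf first to see which roots would receive the marker without creating any files.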

Configuration Manager uses the site system installation account to install roles. You
specify this account when you install the role. By default, this account is the local system
account of the site server computer. You can specify a domain user account as the site
system installation account. For more information, see Accounts - Site system
installation account.

Install roles on an existing site system server

1. In the Configuration Manager console, go to the Administration workspace.
Expand Site Configuration, and select the Servers and Site System Roles node.
Select the existing site system server on which you want to install new site system
roles.

2. In the ribbon, on the Home tab, in the Server group, select Add Site System Roles.

3. On the General page, review the settings.

Tip

To access the site system role from the internet, make sure that you specify an
internet fully qualified domain name (FQDN).

4. On the Proxy page, if roles on this server require an internet proxy, then specify
settings for a proxy server. For more information, see Proxy server support.

5. On the System Role Selection page, select the site system roles that you want to
add.

6. Complete the wizard. Additional pages may appear for specific roles. For more
information, see Configuration options for site system roles.

Tip

The Windows PowerShell cmdlet New-CMSiteSystemServer performs the same
function as this procedure. For more information, see New-CMSiteSystemServer.

Install roles on a new site system server

1. In the Configuration Manager console, go to the Administration workspace.
Expand Site Configuration, and select the Servers and Site System Roles node.

2. In the ribbon, on the Home tab, in the Create group, select Create Site System
Server.
3. On the General page, specify the general settings for the site system.

Tip

To access the new site system role from the internet, make sure that you
specify an internet FQDN.

4. On the Proxy page, if roles on this server require an internet proxy, then specify
settings for a proxy server. For more information, see Proxy server support.

5. On the System Role Selection page, select the site system roles that you want to
add.

6. Complete the wizard. Additional pages may appear for specific roles. For more
information, see Configuration options for site system roles.

Tip

The Windows PowerShell cmdlet New-CMSiteSystemServer performs the same
function as this procedure. For more information, see New-CMSiteSystemServer.
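The two wizard procedures above, as an added PowerShell example that is not from the Configuration Manager docs: it creates a new site system server with the General page settings (internet FQDN, site system installation account), the Proxy page settings, and then adds one role. Site code, server, proxy and account names are placeholders; the -ClientConnectionType value and the Get-CMSiteRole verification call are taken from the ConfigurationManager module as the author recalls them and are marked as assumptions in the code.

```powershell
# Added example (not from the Configuration Manager docs): script the Create Site System Server wizard.
# Placeholders: site code, server FQDNs, proxy host and the installation account below are made up.
# Run from a computer that has the Configuration Manager console installed.
$SiteCode   = 'PS1'
$ServerFqdn = 'cm-mp01.corp.contoso.com'      # placeholder intranet FQDN of the new site system
$PublicFqdn = 'cm-mp01.contoso.com'           # placeholder internet FQDN (General page)
$ProxyName  = 'proxy.corp.contoso.com'        # placeholder proxy host (Proxy page)
$Installer  = 'CONTOSO\svc-cm-siteinstall'    # placeholder domain account used as the
                                              # site system installation account

# The console installer sets SMS_ADMIN_UI_PATH; the module lives one directory above it.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):\"

# General page. Using a dedicated domain account instead of the site server's computer account
# avoids giving that machine account local administrator rights on every site system it installs.
# Proxy page: enable a proxy for roles on this server that need internet access.
$server = New-CMSiteSystemServer -SiteSystemServerName $ServerFqdn -SiteCode $SiteCode `
    -PublicFqdn $PublicFqdn -AccountName $Installer `
    -EnableProxy $true -ProxyServerName $ProxyName -ProxyServerPort 8080

# System Role Selection page: add a management point that accepts HTTPS client connections only
# (assumption: -ClientConnectionType accepts Http, Https or HttpsOrHttp).
Add-CMManagementPoint -InputObject $server -ClientConnectionType Https

# Verify the roles now present on the server (assumption: Get-CMSiteRole exposes RoleName).
Get-CMSiteRole -SiteCode $SiteCode -SiteSystemServerName $ServerFqdn |
    Select-Object -ExpandProperty RoleName
```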

Next steps
Configuration options for site system roles

Remove role
About the service connection point in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The service connection point is a site system role that provides several important
functions for the hierarchy. Before you set up the service connection point, understand
and plan for its range of uses. Planning for usage might affect how you set up this site
system role:

Download updates that apply to your Configuration Manager infrastructure. Only
relevant updates for your infrastructure are made available based on usage data
you upload.

Upload usage data from your Configuration Manager infrastructure. You can
control the level or amount of detail that you upload. For more information, see
Usage data levels and settings.

Deploy a cloud management gateway in Azure

Synchronize apps from the Microsoft Store for Business and Education

Discover users and groups in Azure Active Directory (Azure AD)

Use Desktop Analytics to gain insights on Windows 10 update and app readiness

Each hierarchy supports a single instance of this role. It can only be installed at the top-
tier site of your hierarchy, which is a central administration site (CAS) or stand-alone
primary site. If you expand a stand-alone primary site to a larger hierarchy, uninstall this
role from the primary site, and then install it at the CAS.

Modes of operation
The service connection point supports two modes of operation:

Online: The service connection point automatically checks every 24 hours for
updates. It downloads new updates that are available for your current
infrastructure and product version to make them available in the Configuration
Manager console.
Offline: The service connection point doesn't connect to the Microsoft cloud
service. To manually import available updates, use the service connection tool.

Change mode
If you change between online or offline modes after you install the service connection
point, restart the SMS_DMP_DOWNLOADER thread of the SMS_Executive service.
Restarting this thread makes the change become effective. To restart this thread, use the
Configuration Manager Service Manager.

Tip

You can also restart the SMS_Executive service for Configuration Manager, which
restarts most site components. Alternatively, wait for a scheduled task like a site
backup, which stops and restarts the SMS_Executive service for you.

To use the Configuration Manager Service Manager to restart the
SMS_DMP_DOWNLOADER thread:

1. In the Configuration Manager console go to the Monitoring workspace, expand
System Status, and select the Component Status node. In the ribbon, choose
Start, and then select Configuration Manager Service Manager.

2. In the service manager navigation pane, expand the site, expand Components, and
then choose the component that you want to restart: SMS_DMP_DOWNLOADER.

3. Go to the Component menu, and choose Query.

4. Confirm the current status of the component. Then go to the Component menu,
and choose Stop.

5. Query the component again to confirm that it stopped. Then choose the Start
component action to restart it.

Remote site system requirements

When you install the service connection point on a site system server that's remote from
the site server, configure one of the following requirements:

The computer account of the site server must be a local admin on the computer
that hosts a remote service connection point.
or

Set up the site system server that hosts this role with a site system installation
account. The distribution manager on the site server uses the site system
installation account to transfer updates from the service connection point.

Internet access requirements

If your organization restricts network communication with the internet using a firewall or
proxy device, you need to allow the service connection point to access internet
endpoints.

For more information, see Internet access requirements. Other Configuration Manager
features may require additional endpoints from the service connection point.

These configurations apply to the server that hosts the service connection point and any
firewalls between that server and the internet. Allow communication through outgoing
HTTPS port TCP 443 to the internet locations.

The service connection point supports using a web proxy with or without authentication
to use these locations. For more information, see Proxy server support.

If the Configuration Manager site fails to connect to required endpoints for a cloud
service, it raises a critical status message ID 11488. When it can't connect to the service,
the SMS_SERVICE_CONNECTOR component status changes to critical. View detailed
status in the Component Status node of the Configuration Manager console.

Starting in version 2010, the service connection point validates important internet
endpoints for Desktop Analytics and tenant attach. These checks help make sure that
the cloud-connected services are available. It also helps you troubleshoot issues by
quickly determining if network connectivity is a problem. For more information, see
Validate internet access.

The specific URLs required by the service connection point vary by Configuration
Manager feature:

Updates and servicing
Windows servicing
Azure services
Microsoft Store for Business
Cloud services
Configuration Manager console
Desktop Analytics
Tenant attach
External notifications

Tip

The service connection point uses the Microsoft Intune service when it connects to
go.microsoft.com or manage.microsoft.com. There's a known issue in which the
Intune connector experiences connectivity issues if the Baltimore CyberTrust Root
Certificate isn't installed, is expired, or is corrupted on the service connection point.
For more information, see Service connection point doesn't download updates.

Validate internet access

If you use Desktop Analytics or tenant attach, starting in version 2010, the service
connection point now checks important internet endpoints. These checks help make
sure that the cloud-connected services are available. It also helps you troubleshoot
issues by quickly determining if network connectivity is a problem.

For the list of internet endpoints, see the following sections of the Internet access
requirements article:

Desktop Analytics
Tenant attach

For more details, review the EndpointConnectivityCheckWorker.log file on the service
connection point.

A failure isn't always determined by the HTTP status code alone, but by whether there's
network connectivity to the endpoint. The following scenarios can cause a check to fail:

Network connection timeout

SSL/TLS failure

Unexpected status code:

Status code | Description | Possible reason
407 | Proxy authentication required | May indicate a proxy issue
408 | Request timeout | May indicate a proxy issue
426 | Upgrade required | May indicate a TLS misconfiguration
451 | Unavailable for legal reasons | May indicate a proxy issue
502 | Bad gateway | May indicate a proxy issue
511 | Network authentication required | May indicate a proxy issue
598 | Network read timeout error | Not RFC compliant, but used by some proxy servers to indicate a network timeout
599 | Network connection timeout error | Not RFC compliant, but used by some proxy servers to indicate a network timeout

There are also the following status messages for the SMS_SERVICE_CONNECTOR
component:

Message ID Severity Notes

11410 Informational All checks are successful

11411 Warning One or more non-critical failures occurred

11412 Error One or more critical failures occurred
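As an added example (not from the Configuration Manager docs), this PowerShell function reproduces the classification above from the defender's side: it probes each endpoint through the proxy the service connection point uses and reports timeouts, TLS failures and the status codes the table lists. It assumes Windows PowerShell 5.1 (where Invoke-WebRequest raises System.Net.WebException); the proxy address and the two endpoints are placeholders taken from this page, not the full list from the Internet access requirements article.

```powershell
# Added example (not from the Configuration Manager docs): probe the internet endpoints the service
# connection point needs and classify failures the way the tables above do. Windows PowerShell 5.1
# is assumed; the proxy URL and endpoint list are placeholders.
function Test-ScpEndpoint {
    param(
        [Parameter(Mandatory)][string[]]$Url,
        [string]$Proxy,            # e.g. 'http://proxy.corp.contoso.com:8080'; omit for a direct connection
        [int]$TimeoutSec = 30
    )

    # Status codes the page calls out, with the reason it associates with each.
    $reason = @{
        407 = 'Proxy authentication required: may indicate a proxy issue'
        408 = 'Request timeout: may indicate a proxy issue'
        426 = 'Upgrade required: may indicate a TLS misconfiguration'
        451 = 'Unavailable for legal reasons: may indicate a proxy issue'
        502 = 'Bad gateway: may indicate a proxy issue'
        511 = 'Network authentication required: may indicate a proxy issue'
        598 = 'Network read timeout (not RFC compliant, used by some proxies)'
        599 = 'Network connection timeout (not RFC compliant, used by some proxies)'
    }

    foreach ($u in $Url) {
        $req = @{ Uri = $u; Method = 'Head'; TimeoutSec = $TimeoutSec; UseBasicParsing = $true }
        if ($Proxy) { $req.Proxy = $Proxy; $req.ProxyUseDefaultCredentials = $true }

        $status = $null; $class = 'OK'; $detail = ''
        try {
            $resp   = Invoke-WebRequest @req -ErrorAction Stop
            $status = [int]$resp.StatusCode
        }
        catch [System.Net.WebException] {
            $ex = $_.Exception
            if ($ex.Response) {
                # The server or proxy answered with an error status; classify it below.
                $status = [int]$ex.Response.StatusCode
            }
            elseif ($ex.Status -eq [System.Net.WebExceptionStatus]::Timeout) {
                $class = 'Timeout'; $detail = 'Network connection timeout'
            }
            elseif ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure -or
                    $ex.Status -eq [System.Net.WebExceptionStatus]::SecureChannelFailure) {
                # Covers the Baltimore CyberTrust Root case mentioned in the tip above.
                $class = 'TLS'; $detail = "SSL/TLS failure: $($ex.Message)"
            }
            else {
                $class = 'Connect'; $detail = "$($ex.Status): $($ex.Message)"
            }
        }
        catch {
            $class = 'Error'; $detail = $_.Exception.Message
        }

        if ($null -ne $status -and $reason.ContainsKey($status)) {
            $class = 'Status'; $detail = $reason[$status]
        }
        elseif ($null -ne $status -and $status -ge 400) {
            $class = 'Status'; $detail = "Unexpected status code $status"
        }

        [pscustomobject]@{ Url = $u; StatusCode = $status; Result = $class; Detail = $detail }
    }
}

# Placeholder endpoints named on this page; substitute the full list for the features you use.
Test-ScpEndpoint -Url 'https://go.microsoft.com', 'https://manage.microsoft.com' `
    -Proxy 'http://proxy.corp.contoso.com:8080' | Format-Table -AutoSize
```

Compare the Result column with EndpointConnectivityCheckWorker.log on the service connection point: a Timeout or TLS result with a healthy log points at a path difference between the account running this script and the SMS_Executive service.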

Install
When you run Setup to install the top-tier site of a hierarchy, you can install the service
connection point.

After setup runs, or if you're reinstalling the role, use the Add Site System Roles wizard
or the Create Site System Server wizard. (Only install the service connection point on
the top-tier site of your hierarchy.) For more information, see Install site system roles.

Move the role

There are several scenarios in which you may need to move the service connection point
to another server:

Recovery
Site server high availability
Site expansion

After you move the service connection point, check all site functions. For example, you
may need to renew the secret key for any connections to Azure Active Directory (Azure
AD) tenants. For more information, see Renew secret key.

Console notifications for the service connection point
Occasionally, the Configuration Manager console may give you a notification about your
service connection point. The notification asks you to restart the SMS_EXECUTIVE service
on the server that hosts the service connection point. This notification occurs because a
configuration change was made by Microsoft on the services that your service
connection point connects to. Features of Configuration Manager that rely on these
services may not function for your site properly until the SMS_EXECUTIVE service is
restarted.

Log files
To view information about uploads to Microsoft, view the Dmpuploader.log on the
server that runs the service connection point. For download progress of updates, view
the Dmpdownloader.log. For the complete list of logs related to the service connection
point, see Log files - Service connection point.

Next steps
Use the following flowcharts to understand the process flow and key log entries. This
process includes update downloads and replication of updates to other sites.

Flowchart - Download updates

Flowchart - Update replication


Configuration options for site system
roles in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Most configuration options for Configuration Manager site system roles are self-
explanatory or are explained in the wizard or dialog boxes when you configure them.
The following sections explain site system roles whose settings might require additional
information.

Certificate registration point

Warning

Starting in version 2203, the certificate registration point is no longer supported.
For more information, see Frequently asked questions about resource access
deprecation.

For more information about how to set up the certificate registration point, see
Introduction to certificate profiles.

Distribution point
For more information about how to set up the distribution point for content
deployment, see Manage content and content infrastructure.

For more information about how to set up the distribution point for PXE deployments,
see Use PXE to deploy Windows over the network.

For more information about how to set up the distribution point for multicast
deployments, see Use multicast to deploy Windows over the network.

Install and configure IIS if required by Configuration Manager
Select this option to let Configuration Manager install and set up IIS on the site system if
it's not already installed. IIS must be installed on all distribution points, and you must
select this setting to continue in the wizard.

Site system installation account

For distribution points that are installed on a site server, only the computer account of
the site server is supported for use as the site system installation account. For more
information, see Accounts.

Enrollment point
Enrollment points are used to install macOS computers and enroll devices that you
manage with on-premises mobile device management. For more information, see the
following articles:

How to deploy clients to Macs

How users enroll devices with on-premises MDM

Allowed connections
The HTTPS setting is automatically selected and requires a PKI certificate on the server
for server authentication to the enrollment proxy point, and encryption of data over SSL.
For more information, see PKI certificate requirements.

For an example deployment of the server certificate and information about how to
configure it in IIS, see Deploying the web server certificate for site systems that run IIS.

Enrollment proxy point

For more information about how to set up an enrollment proxy point for mobile devices,
see How users enroll devices with on-premises MDM.

Client connections
The HTTPS setting is automatically selected. It requires the following PKI certificates on
the server:

For server authentication to mobile devices and Mac computers that you enroll
with Configuration Manager
For encryption of data over Secure Sockets Layer (SSL)
For more information about the certificate requirements, see PKI certificate
requirements.

For an example deployment of the server certificate and information about how to
configure it in IIS, see Deploying the web server certificate for site systems that run IIS.

Fallback status point

Number of state messages and Throttle interval (in seconds)
The default settings for these options are 10,000 state messages and 3,600 seconds for
the throttle interval. While these settings are sufficient for most circumstances, you
might have to change them when both of the following conditions are true:

The fallback status point accepts connections only from the intranet.

You use the fallback status point during a client deployment rollout for many
computers.

In this scenario, a continuous stream of state messages might create a backlog of state
messages that causes high processor usage on the site server for a sustained period. In
addition, you might not see up-to-date information about the client deployment in the
Configuration Manager console and in the client deployment reports.

These fallback status point settings are designed to be set up for state messages that
are generated during client deployment. The settings aren't designed to be set up for
client communication issues, like when clients on the internet can't connect to their
internet-based management point. Because the fallback status point can't apply these
settings just to the state messages that are generated during client deployment, don't
configure these settings when the fallback status point accepts connections from the
internet.

Each computer that successfully installs the Configuration Manager client sends the
following four state messages to the fallback status point:

Client deployment started

Client deployment succeeded

Client assignment started

Client assignment succeeded

Computers that fail to install or assign the Configuration Manager client send
additional state messages.

For example, if you deploy the Configuration Manager client to 20,000 computers, the
deployment might send 80,000 state messages to the fallback status point. Because the
default throttling configuration lets 10,000 state messages to be sent to the fallback
status point each 3,600 seconds (1 hour), state messages might become backlogged on
the fallback status point. Also consider the available network bandwidth between the
fallback status point and the site server and the processing power of the site server to
process many state messages.

To help prevent these issues, consider an increase in the number of state messages and
a decrease in the throttle interval.

Reset the throttle values for the fallback status point if either of the following conditions
is true:

You calculate that the current throttle values are higher than required to process
state messages from the fallback status point.

You find that the current throttle settings create high processor usage on the site
server.

Don't change the settings for the fallback status point throttle settings unless you
understand the consequences. For example, when you increase the throttle settings to
high, the processor usage on the site server can increase to high, which slows down all
site operations.
Database replicas for management
points for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager primary sites can use a database replica to reduce the CPU load
placed on the site database server by management points as they service requests from
clients. When a management point uses a database replica, it requests data from the
SQL Server computer that hosts the database replica instead of from the site database
server.

This configuration can help reduce the CPU processing requirements on the site
database server by offloading frequent processing tasks related to clients. An example
of frequent processing tasks for clients includes sites where there are a large number of
clients that make frequent requests for client policy.

About
Replicas are a partial copy of the site database that replicates to a separate
instance of SQL Server.

Primary sites support a dedicated database replica for each management point
at the site.

Secondary sites don't support database replicas.

A single database replica can be used by more than one management point
from the same site.

A SQL Server can host multiple database replicas for use by different
management points so long as each runs in a separate instance of SQL Server.

Replicas synchronize a copy of the site database on a fixed schedule from data that
the site's database server publishes for this purpose.

You can configure a management point to use a replica when you install the
management point, or at a later time. For an existing management point, reconfigure it
to use the database replica.

Regularly monitor the site database server and each database replica server to
make sure that replication occurs between them. Make sure that the performance
of the database replica server is sufficient for the site and client performance that
you require.

Prerequisites

SQL Server requirements

The SQL Server that hosts the database replica has the same requirements as the
site database server. The replica server doesn't need to run the same version or
edition of SQL Server as the site database server, as long as it runs a supported
version and edition of SQL Server. For more information, see Support for SQL
Server versions.

The SQL Server service on the computer that hosts the replica database must run
as the System account.

Both the SQL Server that hosts the site database and that hosts a database replica
must have SQL Server replication installed.

The site database must publish the database replica, and each remote database
replica server must subscribe to the published data.

Configure both SQL Servers to support a max text repl size of 2 GB. For more
information and how to configure this setting for SQL Server, see Configure the
max text repl size Server Configuration Option.

Self-signed certificate
To configure a database replica, create a self-signed certificate on the database replica
server. Make this certificate available to each management point that will use that
database replica server.

The certificate is automatically available to a management point that's installed on
the database replica server.

To make this certificate available to remote management points, first export the
certificate. Then add it to the Trusted People certificate store on the remote
management point.

Client notification
To support client notification with a database replica for a management point, configure
communication between the site database server and the database replica server for the
SQL Server Service Broker:

Configure each database with information about the other database.

Exchange certificates between the two databases for secure communication.

Limitations
When you configure the site to publish database replicas, use the following
procedures instead of the normal guidance:

Uninstall a site server that publishes a database replica

Move a site server database that publishes a database replica

User deployments in Software Center won't work against a management point using a
SQL Server replica.

Upgrades to Configuration Manager current branch: Before you upgrade a site, either
from System Center 2012 Configuration Manager to Configuration Manager current
branch or updating Configuration Manager current branch to the latest release, disable
database replicas for management points. After your site upgrades, you can
reconfigure the database replicas for management points.

Multiple replicas on a single SQL Server: If you configure separate instances of a
database replica server to host multiple database replicas for management points, use
a modified configuration script. As noted in step 4 of the process to Configure database
replicas, this action prevents overwriting the self-signed certificate in use by previously
configured database replicas on that server.

Configure
To configure a database replica, the following steps are required:

Step 1 - Configure the site database server to publish the database replica

Step 2 - Configure the database replica server

Step 3 - Configure management points to use the database replica

Step 4 - Configure a self-signed certificate for the database replica server

Step 5 - Configure the SQL Server Service Broker for the database replica server

Step 1 - Configure the site database server to publish the database replica
Use the following procedure as an example of how to configure the site database server
to publish the database replica. The specific steps might vary depending upon the
version of Windows Server.

Do the following steps on the site database server:

1. Set the SQL Server Agent to automatically start.

2. Create a local user group with the name ConfigMgr_MPReplicaAccess. For each
database replica server that you use at this site, add its computer account to this
group. This action enables those database replica servers to synchronize with the
published database replica.

Note

You can also create a domain group for this purpose.

3. Configure a file share with the name ConfigMgr_MPReplica.

4. Add the following permissions to the ConfigMgr_MPReplica share:

Note

If the SQL Server Agent uses an account other than the local system account,
replace SYSTEM with that account name in the following list.

Share permissions:

SYSTEM: Change

ConfigMgr_MPReplicaAccess: Read

NTFS permissions:

SYSTEM: Full Control

ConfigMgr_MPReplicaAccess: Read, Read & execute, and List folder contents

5. Use SQL Server Management Studio to connect to the site database and run the
following stored procedure as a query: spCreateMPReplicaPublication

Note

If you're using a domain group instead of a local group, change this SQL
statement to: EXEC spCreateMPReplicaPublication
N'<DomainName>\ConfigMgr_MPReplicaAccess'

When the stored procedure completes, the site database server is configured to publish
the database replica.
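The five publisher-side steps above can be scripted. The following PowerShell is an added example and not part of the Configuration Manager documentation or product. It assumes the SqlServer module (Invoke-Sqlcmd) is installed, that the SQL Server Agent runs as LocalSystem on a default instance (service name SQLSERVERAGENT; use SQLAgent$<Instance> for a named instance), and it uses placeholder values for the site database name, the share folder and the replica server computer accounts. The permissions it grants are exactly the ones listed in step 4; nothing broader is added.

```powershell
# Added example (not from the Configuration Manager docs): Step 1 on the site database server.
# Assumptions: SqlServer module installed; SQL Server Agent runs as LocalSystem on the default
# instance; $SiteDbName, $SharePath and $ReplicaServers are placeholders you replace.
#Requires -RunAsAdministrator
param(
    [string]   $SiteDbServer   = 'localhost',            # site database server (this computer)
    [string]   $SiteDbName     = 'CM_PS1',               # placeholder site database name
    [string]   $AgentService   = 'SQLSERVERAGENT',       # 'SQLAgent$<Instance>' for a named instance
    [string]   $SharePath      = 'C:\ConfigMgr_MPReplica',
    [string[]] $ReplicaServers = @('CONTOSO\SQLREPLICA01$'),  # placeholder replica computer accounts
    [string]   $GroupName      = 'ConfigMgr_MPReplicaAccess'
)
$localGroup = "$env:COMPUTERNAME\$GroupName"

# 1. The replication jobs run under the SQL Server Agent, so it must start automatically.
Set-Service -Name $AgentService -StartupType Automatic
Start-Service -Name $AgentService

# 2. Local group that is allowed to pull the published snapshot; one member per replica server.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Replica servers allowed to read the MP replica publication' | Out-Null
}
foreach ($account in $ReplicaServers) {
    # Add-LocalGroupMember reports an error when the member is already present; that case is harmless.
    Add-LocalGroupMember -Group $GroupName -Member $account -ErrorAction SilentlyContinue
}

# 3. and 4. Share named ConfigMgr_MPReplica with the share permissions the page lists.
New-Item -Path $SharePath -ItemType Directory -Force | Out-Null
if (-not (Get-SmbShare -Name 'ConfigMgr_MPReplica' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'ConfigMgr_MPReplica' -Path $SharePath `
        -ChangeAccess 'NT AUTHORITY\SYSTEM' -ReadAccess $localGroup | Out-Null
}

# NTFS permissions: SYSTEM Full Control; the group Read, Read & execute, List folder contents
# (ReadAndExecute covers all three). Inherited entries are left in place.
$acl     = Get-Acl -Path $SharePath
$inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, 'None', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $localGroup, 'ReadAndExecute', $inherit, 'None', 'Allow')))
Set-Acl -Path $SharePath -AclObject $acl

# 5. Create the publication. For a domain group, pass N'<DomainName>\ConfigMgr_MPReplicaAccess'
# as the page's note shows.
Invoke-Sqlcmd -ServerInstance $SiteDbServer -Database $SiteDbName -Query 'EXEC spCreateMPReplicaPublication'

# Check: the publication the replica servers subscribe to in Step 2 should now be listed.
Invoke-Sqlcmd -ServerInstance $SiteDbServer -Database $SiteDbName `
    -Query "EXEC sp_helppublication @publication = N'ConfigMgr_MPReplica'" |
    Select-Object name, status
```

Run it once per site database server. The final sp_helppublication call is the read-back: if it returns no row, the stored procedure did not create the publication and Step 2 will fail to find it.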

Step 2 - Configure the database replica server

Use the following procedure as an example of how to configure a database replica
server. The specific steps might vary depending upon the version of Windows Server.

Do the following steps on the database replica server:

1. Set the SQL Server Agent to automatic startup.

2. Use SQL Server Management Studio to connect to the local server. Browse to the
Replication folder, select Local Subscriptions, and then select New Subscriptions.
This action starts the New Subscription Wizard.

a. On the Publication page, select Find SQL Server Publisher. Enter the name of
the site database server, and then select Connect.

b. Select ConfigMgr_MPReplica, and then select Next.

c. On the Distribution Agent Location page, select Run each agent at its
Subscriber (pull subscriptions), and then select Next.

d. On the Subscribers page, do one of the following actions:

Select an existing database from the database replica server to use for the
database replica, and then select OK.

Select New database to create a new database for the database replica.
On the New Database page, specify a database name, and then select OK.

e. Select Next to continue.


f. On the Distribution Agent Security page, select the properties button (...) in the
Subscriber Connection row of the dialog box. Then configure the security
settings for the connection.

Tip

The properties button, (...), is in the fourth column of the display box.

Configure the account that runs the Distribution Agent process (process
account):

If the SQL Server Agent runs as local system, select Run under the SQL
Server Agent service account (This is not a recommended security best
practice.)

If the SQL Server Agent runs by using a different account, select Run
under the following Windows account, and then configure that account.
You can specify a Windows account or a SQL Server account.

Important

Grant the account that runs the Distribution Agent permissions to the
publisher as a pull subscription. For more information about configuring
these permissions, see Distribution agent security.

For Connect to the Distributor, select By impersonating the process account.

For Connect to the Subscriber, select By impersonating the process account.

After you configure the connection security settings, select OK to save them,
and then select Next.

g. On the Synchronization Schedule page, select Define schedule, and then
configure the New Job Schedule. Set the frequency to occur Daily, recur every 5
minute(s), and the duration to have No end date. Select Next to save the
schedule, and then select Next again.

h. On the Wizard Actions page, enable the option to Create the subscription(s),
and then select Next.

i. Complete the wizard.


3. Immediately after completing the New Subscription Wizard, use SQL Server
Management Studio to connect to the database replica server database. Run the
following query to enable the TRUSTWORTHY database property: ALTER DATABASE
<MP Replica Database Name> SET TRUSTWORTHY ON;

4. Review the synchronization status to validate that the subscription is successful:

On the subscriber computer:

In SQL Server Management Studio, connect to the database replica server, and
expand Replication.

Expand Local Subscriptions, right-click the subscription to the site database
publication, and then select View Synchronization Status.

On the publisher computer:

In SQL Server Management Studio, connect to the site database computer,
right-click the Replication folder, and then select Launch Replication Monitor.

5. To enable common language runtime (CLR) integration for the database replica,
use SQL Server Management Studio to connect to the database replica on the
database replica server. Run the following stored procedure as a query: exec
sp_configure 'clr enabled', 1; RECONFIGURE WITH OVERRIDE

6. For each management point that uses a database replica server, add that
management point's computer account to the local Administrators group on that
database replica server.

Tip

This step isn't necessary for a management point that runs on the database
replica server.

The database replica is now ready for a management point to use.

Step 3 - Configure management points to use the database replica

You can configure a management point at a primary site to use a database replica when
you install the management point role, or you can reconfigure an existing management
point to use a database replica.

Use the following information to configure a management point to use a database
replica:

To configure a new management point:

1. On the Management Point Database page of the wizard to install the
management point, select Use a database replica.
2. Specify the FQDN of the computer that hosts the database replica.
3. For the ConfigMgr site database name, specify the database name of the
database replica on that computer.

To configure a previously installed management point:

1. Open the properties page of the management point, and switch to the
Management Point Database tab.
2. Select Use a database replica, and then specify the FQDN of the computer
that hosts the database replica.
3. Next, for ConfigMgr site database name, specify the database name of the
database replica on that computer.

For each management point that uses a database replica, manually add the computer
account of the management point server to the db_datareader role for the database
replica.

In addition to configuring the management point to use the database replica server,
enable Windows Authentication in IIS on the management point:

1. Open Internet Information Services (IIS) Manager.

2. Select the website used by the management point, and open Authentication.

3. Set Windows Authentication to Enabled, and then close Internet Information
Services (IIS) Manager.
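The settings that Step 2 applies after the New Subscription Wizard (items 3, 5 and 6) and the two grants in Step 3 are the parts of this procedure that are easy to get wrong or to over-provision, so the following PowerShell is added here as an example of doing both with a read-back check. It is not part of the Configuration Manager documentation or product. It assumes the SqlServer module (Invoke-Sqlcmd) on the database replica server and the WebAdministration module on the management point; the instance, database, account and web site names are placeholders.

```powershell
# Added example (not from the Configuration Manager docs): post-wizard settings of Step 2 and the
# grants of Step 3. Run with -Role ReplicaServer on the replica server and -Role ManagementPoint
# on each management point. All names below are placeholders.
#Requires -RunAsAdministrator
param(
    [ValidateSet('ReplicaServer', 'ManagementPoint')] [string] $Role = 'ReplicaServer',
    [string]   $ReplicaInstance = 'localhost',           # replica SQL Server, or 'HOST\INSTANCE'
    [string]   $ReplicaDb       = 'CM_PS1_MPReplica',    # subscription database created by the wizard
    [string[]] $MpAccounts      = @('CONTOSO\CMMP01$'),  # computer accounts of the management points
    [string]   $MpWebSite       = 'Default Web Site'     # IIS site that hosts the management point
)

function Set-ReplicaDatabaseOptions {
    # Step 2, items 3 and 5: TRUSTWORTHY on the replica database, CLR integration on the instance.
    Invoke-Sqlcmd -ServerInstance $ReplicaInstance -Query "ALTER DATABASE [$ReplicaDb] SET TRUSTWORTHY ON;"
    Invoke-Sqlcmd -ServerInstance $ReplicaInstance -Query "EXEC sp_configure 'clr enabled', 1; RECONFIGURE WITH OVERRIDE;"
}

function Grant-MpReplicaAccess {
    # Step 2 item 6 and Step 3: local Administrators on this server plus db_datareader on the replica
    # database for each management point computer account, and nothing broader than the page lists.
    foreach ($mp in $MpAccounts) {
        Add-LocalGroupMember -Group 'Administrators' -Member $mp -ErrorAction SilentlyContinue
        $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$mp')
    CREATE LOGIN [$mp] FROM WINDOWS;
USE [$ReplicaDb];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$mp')
    CREATE USER [$mp] FOR LOGIN [$mp];
ALTER ROLE db_datareader ADD MEMBER [$mp];
"@
        Invoke-Sqlcmd -ServerInstance $ReplicaInstance -Query $sql
    }
}

function Test-ReplicaConfiguration {
    # Read back what was set: database options on one row, then the db_datareader members.
    Invoke-Sqlcmd -ServerInstance $ReplicaInstance -Query @"
SELECT d.name, d.is_trustworthy_on,
       (SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = 'clr enabled') AS clr_enabled
FROM sys.databases d WHERE d.name = N'$ReplicaDb';
"@
    Invoke-Sqlcmd -ServerInstance $ReplicaInstance -Database $ReplicaDb -Query @"
SELECT m.name AS db_datareader_member
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'db_datareader';
"@
}

function Enable-MpWindowsAuthentication {
    # Step 3 on the management point: enable Windows Authentication for the MP web site, then read it back.
    Import-Module WebAdministration
    $filter = 'system.webServer/security/authentication/windowsAuthentication'
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $MpWebSite `
        -Filter $filter -Name 'enabled' -Value $true
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $MpWebSite `
        -Filter $filter -Name 'enabled').Value
}

switch ($Role) {
    'ReplicaServer'   { Set-ReplicaDatabaseOptions; Grant-MpReplicaAccess; Test-ReplicaConfiguration | Format-List }
    'ManagementPoint' { Enable-MpWindowsAuthentication }
}
```

The db_datareader membership list is the check worth keeping: a management point computer account that appears there, and nowhere else in the replica database, matches what this article requires.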

Step 4 - Configure a self-signed certificate for the database replica server

Use the following procedures as an example of how to configure the self-signed
certificate on the database replica server. The specific steps might vary depending upon
the version of Windows Server.

Configure a self-signed certificate for the database replica server

1. On the database replica server, open a PowerShell command prompt with
administrative privileges, and then run the following command:
Set-ExecutionPolicy Unrestricted

2. Copy the following PowerShell script and save it as a file with the name
CreateMPReplicaCert.ps1. Place a copy of this file in the root folder of the system
partition of the database replica server.

Important

If you're configuring more than one database replica on a single SQL Server,
for each subsequent replica you configure, use a modified version of this
script for this procedure. For more information, see Supplemental script for
additional database replicas on a single SQL Server.

PowerShell

# Script for creating a self-signed certificate for the local machine and configuring SQL Server to use it.
Param($SQLInstance)

$ConfigMgrCertFriendlyName = "ConfigMgr SQL Server Identification Certificate"

# Get local computer name
$computerName = "$env:computername"

# Get the SQL Server name
#$key="HKLM:\SOFTWARE\Microsoft\SMS\MP"
#$value="SQL Server Name"
#$sqlServerName= (Get-ItemProperty $key).$value
#$dbValue="Database Name"
#$sqlInstance_DB_Name= (Get-ItemProperty $key).$dbValue

$sqlServerName = [System.Net.Dns]::GetHostByName("localhost").HostName
$sqlInstanceName = "MSSQLSERVER"
$SQLServiceName = "MSSQLSERVER"

# A named instance uses the instance name as the registry key and MSSQL$<instance> as the service name
if ($SQLInstance -ne $Null)
{
    $sqlInstanceName = $SQLInstance
    $SQLServiceName = "MSSQL$" + $SQLInstance
}

# Delete existing cert if one exists
function Get-Certificate($storename, $storelocation)
{
    $store=new-object System.Security.Cryptography.X509Certificates.X509Store($storename,$storelocation)
    $store.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Certificates
}

$cert = Get-Certificate "My" "LocalMachine" | ?{$_.FriendlyName -eq $ConfigMgrCertFriendlyName}

if($cert -is [Object])
{
    $store = new-object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
    $store.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Remove($cert)
    $store.Close()

    # Remove this cert from Trusted People too...
    $store = new-object System.Security.Cryptography.X509Certificates.X509Store("TrustedPeople","LocalMachine")
    $store.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Remove($cert)
    $store.Close()
}

# Create the new cert
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=" + $sqlServerName, 0)

$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1
$key.Length = 1024
# Private key ACL: SYSTEM and Administrators full control, NETWORK SERVICE read
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()

# Enhanced key usage: Server Authentication
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)

$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = get-date
$cert.NotAfter = $cert.NotBefore.AddDays(3650)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()

$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$enrollment.CertificateFriendlyName = "ConfigMgr SQL Server Identification Certificate"
$certdata = $enrollment.CreateRequest(0x1)
$enrollment.InstallResponse(0x2, $certdata, 0x1, "")

# Add this cert to the trusted peoples store
[Byte[]]$bytes = [System.Convert]::FromBase64String($certdata)

$trustedPeople = new-object System.Security.Cryptography.X509certificates.X509Store "TrustedPeople", "LocalMachine"
$trustedPeople.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$trustedPeople.Add([Security.Cryptography.X509Certificates.X509Certificate2]$bytes)
$trustedPeople.Close()

# Get thumbprint from cert
$sha = new-object System.Security.Cryptography.SHA1CryptoServiceProvider
$certHash = $sha.ComputeHash($bytes)
$certHashCharArray = "";
$certThumbprint = "";

# Format the bytes into a hexadecimal string
foreach($byte in $certHash)
{
    $temp = ($byte | % {"{0:x}" -f $_}) -join ""
    $temp = ($temp | % {"{0,2}" -f $_})
    $certHashCharArray = $certHashCharArray+ $temp;
}
$certHashCharArray = $certHashCharArray.Replace(' ', '0');

# SQL Server needs the thumbprint in lower case
foreach($char in $certHashCharArray)
{
    [System.String]$myString = $char;
    $certThumbprint = $certThumbprint + $myString.ToLower();
}

# Configure SQL Server to use this cert
$path = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL"
$subKey = (Get-ItemProperty $path).$sqlInstanceName
$realPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\" + $subKey + "\MSSQLServer\SuperSocketNetLib"
$certKeyName = "Certificate"
Set-ItemProperty -path $realPath -name $certKeyName -Type string -Value $certThumbprint

# restart SQL Server service
Restart-Service $SQLServiceName -Force

3. On the database replica server, run the following command that applies to the
configuration of your SQL Server:

For a default instance of SQL Server: Enter the following command in the
PowerShell session: .\CreateMPReplicaCert.ps1. When the script runs, it
creates the self-signed certificate and configures SQL Server to use the
certificate.

For a named instance of SQL Server: Use PowerShell to run the following
command: .\CreateMPReplicaCert.ps1 <SQL Server instance name>

After the script completes, verify that the SQL Server Agent is running. If not,
restart the SQL Server Agent.

Configure remote management points to use the self-signed certificate of the
database replica server

Do the following steps on the database replica server to export the server's self-signed
certificate:

1. Go to the Start menu, select Run, and type mmc.exe . In the empty console, select
File, and then select Add/Remove Snap-in.

2. In the Add or Remove Snap-ins dialog box, select Certificates from the list of
Available snap-ins, and then select Add.

3. In the Certificate snap-in dialog box, select Computer account, and then select
Next.

4. In the Select Computer dialog box, make sure that Local computer: (the
computer this console is running on) is selected, and then select Finish.

5. In the Add or Remove Snap-ins dialog box, select OK.

6. In the console, expand Certificates (Local Computer), expand Personal, and select
Certificates.
7. Right-click the certificate with the friendly name of ConfigMgr SQL Server
Identification Certificate, select All Tasks, and then select Export.

8. Complete the Certificate Export Wizard with the default options. Save the
certificate with the .cer file name extension.

Do the following steps on the management point server to add the self-signed
certificate for the database replica server to the Trusted People certificate store:

1. Repeat the preceding steps to open the Certificate snap-in MMC on the
management point computer.

2. In the Certificates console, expand Certificates (Local Computer), expand Trusted
People, right-click Certificates, select All Tasks, and then select Import. This action
starts the Certificate Import Wizard.

3. On the File to Import page, select the saved certificate, and then select Next.

4. On the Certificate Store page, select Place all certificates in the following store,
with the Certificate store set to Trusted People, and then select Next.

5. Select Finish to close the wizard and complete the certificate configuration on the
management point.
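The MMC export and import above can also be done from PowerShell, and it is worth checking, before every management point is told to trust the certificate, that the certificate in the Personal store really is the one SQL Server was configured to present. The following script is an added example and is not part of the Configuration Manager documentation or product. It assumes the friendly name and the SuperSocketNetLib registry value that the Step 4 script writes; the instance name and the .cer path are placeholders.

```powershell
# Added example (not from the Configuration Manager docs): verify the certificate the Step 4 script
# bound to SQL Server, export its public part on the database replica server (-Action Export), and
# import it into Trusted People on a remote management point (-Action Import).
#Requires -RunAsAdministrator
param(
    [ValidateSet('Export', 'Import')] [string] $Action = 'Export',
    [string] $SqlInstanceName = 'MSSQLSERVER',               # instance key name, as in the page's script
    [string] $CerPath = "$env:SystemDrive\MPReplicaCert.cer" # placeholder path for the exported .cer
)
$FriendlyName = 'ConfigMgr SQL Server Identification Certificate'

function Get-SqlBoundCertificate {
    # Resolve the thumbprint SQL Server was configured with and return that certificate from LocalMachine\My.
    $instKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $subKey  = (Get-ItemProperty -Path $instKey).$SqlInstanceName
    if (-not $subKey) { throw "SQL Server instance '$SqlInstanceName' is not registered on this computer." }
    $netLib = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$subKey\MSSQLServer\SuperSocketNetLib"
    $thumb  = (Get-ItemProperty -Path $netLib).Certificate     # the page's script stores it in lower case
    $cert   = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $thumb }
    if (-not $cert) { throw "No certificate with thumbprint '$thumb' in LocalMachine\My; rerun the page's script." }
    return $cert
}

function Test-MPReplicaCertificate {
    # The properties worth reading before distributing the certificate to the management points.
    $cert = Get-SqlBoundCertificate
    $eku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        FriendlyNameOk  = ($cert.FriendlyName -eq $FriendlyName)
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)
        ServerAuthEku   = [bool] ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
        KeyLengthBits   = if ($rsa) { $rsa.KeySize } else { $null }
        DaysToExpiry    = [int] ($cert.NotAfter - (Get-Date)).TotalDays
        InTrustedPeople = [bool] (Get-ChildItem -Path Cert:\LocalMachine\TrustedPeople |
                                  Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
    }
}

switch ($Action) {
    'Export' {
        # On the database replica server: show the checks, then write the .cer (public key only) and its hash.
        Test-MPReplicaCertificate | Format-List
        Export-Certificate -Cert (Get-SqlBoundCertificate) -FilePath $CerPath -Type CERT | Out-Null
        Get-FileHash -Path $CerPath -Algorithm SHA256      # compare with the copy on the management point
    }
    'Import' {
        # On a remote management point: place the certificate in Trusted People and show what was added.
        $imported = Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\TrustedPeople
        Get-ChildItem -Path Cert:\LocalMachine\TrustedPeople |
            Where-Object { $_.Thumbprint -eq $imported.Thumbprint } |
            Select-Object Subject, Thumbprint, NotAfter
    }
}
```

The export writes only the certificate, never the private key, which stays on the database replica server. Comparing the SHA256 hash printed on export with the hash of the file on the management point confirms that the copied file is the one you exported.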

Step 5 - Configure the SQL Server Service Broker for the database replica server

To support client notification with a database replica for a management point, configure
communication between the site database server and the database replica server for the
SQL Server Service Broker. Configure each database with information about the other
database, and exchange certificates between the two databases for secure
communication.

Note

Before you can use the following procedure, the database replica server must
successfully complete the initial synchronization with the site database server.

The following procedure doesn't modify the Service Broker port that's configured in SQL
Server for the site database server or the database replica server. This procedure
configures each database to communicate with the other database by using the correct
Service Broker port.
Use the following procedure to configure the Service Broker for the site database server
and the database replica server:

1. Use SQL Server Management Studio to connect to the replica server database.
Then run the following query to enable the Service Broker on the database replica
server: ALTER DATABASE <Replica Database Name> SET ENABLE_BROKER,
HONOR_BROKER_PRIORITY ON WITH ROLLBACK IMMEDIATE

2. On the database replica server, configure the Service Broker for client notification
and export the Service Broker certificate. Run a SQL Server stored procedure that
configures the Service Broker and exports the certificate as a single action. When
you run the stored procedure, specify the FQDN of the database replica server, the
name of the database replica's database, and a location for the export of the
certificate file.

Run the following query to configure the required details on the database replica
server, and to export the certificate for the database replica server:
EXEC sp_BgbConfigSSBForReplicaDB '<Replica SQL Server FQDN>', '<Replica Database
Name>', '<Certificate Backup File Path>'

Note

When the database replica server isn't on the default instance of SQL Server,
also specify the instance name with the replica database name. In the example
command, replace <Replica Database Name> with <Instance name>\<Replica
Database Name>.

After you export the certificate from the database replica server, place a copy of
the certificate on the primary site database server.

3. Use SQL Server Management Studio to connect to the primary site database. After
you connect to the primary site's database, run a query to import the certificate
and specify the Service Broker port that's in use on the database replica server, the
FQDN of the database replica server, and the name of the database replica's
database. This action configures the primary site's database to use the Service
Broker to communicate with the database of the database replica server.

Run the following query to import the certificate from the database replica server
and specify the required details:
EXEC sp_BgbConfigSSBForRemoteService 'REPLICA', '<SQL Service Broker Port>',
'<Certificate File Path>', '<Replica SQL Server FQDN>', '<Replica Database Name>'

Note

When the database replica server isn't on the default instance of SQL Server,
also specify the instance name with the replica database name. In the example
command, replace <Replica Database Name> with <Instance name>\<Replica
Database Name>.

4. On the site database server, run the following command to export the certificate for
the site database server: EXEC sp_BgbCreateAndBackupSQLCert '<Certificate Backup
File Path>'

After you export the certificate from the site database server, place a copy of the
certificate on the database replica server.

5. Use SQL Server Management Studio to connect to the replica server database.
After you connect to the replica server database, run a query to import the
certificate and specify the site code of the primary site and the Service Broker port
that's in use on the site database server. This action configures the database
replica server to use the Service Broker to communicate to the database of the
primary site.

Run the following query to import the certificate from the site database server:
EXEC sp_BgbConfigSSBForRemoteService '<Site Code>', '<SQL Service Broker
Port>', '<Certificate File Path>'

A few minutes after you complete the configuration of the site database and the
database replica database, the notification manager at the primary site sets up the
Service Broker conversation for client notification from the primary site database to the
database replica.

Supplemental script for other database replicas on a single SQL Server

When you use the script from step 4 to configure a self-signed certificate for the
database replica server on a SQL Server that already has a database replica you plan to
continue using, use a modified version of the original script. The following modifications
prevent the script from deleting an existing certificate on the server, and create
subsequent certificates with unique friendly names. Edit the original script as follows:

Comment out each line between the script entries # Delete existing cert if one
exists and # Create the new cert. Add a pound sign (#) as the first character of
each applicable line.

For each subsequent database replica you use this script to configure, update the
friendly name for the certificate. Edit the line $enrollment.CertificateFriendlyName
= "ConfigMgr SQL Server Identification Certificate" and replace ConfigMgr SQL
Server Identification Certificate with a new name. For example, ConfigMgr SQL
Server Identification Certificate1.

Manage database replica configurations

When you use a database replica at a site, use the information in the following sections
to supplement the process of uninstalling a database replica, uninstalling a site that uses
a database replica, or moving the site database to a new installation of SQL Server.
When you delete publications, use the guidance for deleting transactional replication for
the version of SQL Server that you use for the database replica. For more information,
see Delete a Publication.

Note

After you restore a site database that was configured for database replicas, before
you can use the database replicas, reconfigure each database replica and recreate
both the publications and subscriptions.

Uninstall a database replica

When you use a database replica for a management point, you might need to uninstall
it and then reconfigure it for use. For example, remove database replicas before you
update Configuration Manager to the latest version. After the site update completes,
restore the database replica for use.

Use the following steps to uninstall a database replica.

1. In the Administration workspace of the Configuration Manager console, expand
Site Configuration, then select Servers and Site System Roles. In the details pane,
select the site system server that hosts the management point that uses the
database replica you will uninstall.

2. In the Site System Roles pane, select the Management point role. In the ribbon,
on the Site Role tab, select Properties.
3. Switch to the Management Point Database tab. Select Use the site database to
configure the management point to use the site database instead of the database
replica. Select OK to save the configuration.

4. Use SQL Server Management Studio to do the following tasks:

Delete the publication for the database replica from the site server database.

Delete the subscription for the database replica from the database replica
server.

Delete the replica database from the database replica server.

Disable publishing and distribution on the site database server. To disable
publishing and distribution, right-click the Replication folder and select
Disable Publishing and Distribution.

After you delete the publication, the subscription, and the replica database, and
disable publishing on the site database server, the database replica is uninstalled.

Uninstall a site server that publishes a database replica

Before you uninstall a site that publishes a database replica, use the following steps to
clean up the publication and any subscriptions.

1. Use SQL Server Management Studio to delete the database replica publication
from the site server database.

2. Use SQL Server Management Studio to delete the database replica subscription
from each remote SQL Server that hosts a database replica for this site.

3. Uninstall the site.

Move a site server database that publishes a database replica

When you move the site database to a new computer, use the following steps:

1. Use SQL Server Management Studio to delete the publication for the database
replica from the site server database.

2. Use SQL Server Management Studio to delete the subscription for the database
replica from each database replica server for this site.
3. Move the database to the new SQL Server computer. For more information, see
Modify the site database configuration.

4. Recreate the publication for the database replica on the site database server. For
more information, see Step 1 - Configure the site database server to Publish the
database replica.

5. Recreate the subscriptions for the database replica on each database replica server.
For more information, see Step 2 - Configuring the database replica server.
Site components for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

For each Configuration Manager site, you can configure site components to modify the
behavior of site system roles and site status reporting. Site component configurations
apply to a site, and to each instance of an applicable site system role at the site.

In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and select the Sites node. Select a site. In the Settings group of the
ribbon, choose Configure Site Components. Select one of the following options:

Software distribution
Software update point
OS deployment
Management point
Status reporting
Email notification
Collection membership evaluation

About site components


Most options for the various site components are self-explanatory when viewed in the
Configuration Manager console. However, the following details can help explain some of
the more complex configurations, or direct you to other content.

Note

The available options for some components vary depending on whether you select the
central administration site, a primary site, or a secondary site. Some components are
not available at all for certain types of sites.

Software distribution

Content distribution settings


On the General tab, specify settings that modify how the site server transfers content to
its distribution points. When you increase the values you use for concurrent distribution
settings, content distribution can use more network bandwidth.

Pull distribution point


For more information, see Use a pull-distribution point.

Network access account


For more information, see Network access account.

Automate software distribution site component with PowerShell


To programmatically view and configure the Software distribution site component, use
the following PowerShell cmdlets:

Get-CMSoftwareDistributionComponent
Set-CMSoftwareDistributionComponent

Software update point


For more information, see Install a software update point.

Automate software update point site component with PowerShell

To programmatically view and configure the Software update point site component, use
the following PowerShell cmdlets:

Get-CMSoftwareUpdatePointComponent
Set-CMSoftwareUpdatePointComponent

OS deployment
For more information, see Specify the drive for offline OS image servicing.

Management point
On the General tab, set up the site to publish information about its management points
to Active Directory Domain Services.
Configuration Manager clients use management points to locate services, and to find
site information such as boundary group membership and PKI certificate selection
options. Clients also use management points to find other management points in the
site, and distribution points from which to download software. Management points also
help clients to complete site assignment, and to download client policy and upload
client information.

The most secure method for clients to find management points is to publish them in
Active Directory Domain Services. This service location method requires the following to
be true:

The schema is extended for Configuration Manager.

There's a System Management container, with appropriate security permissions
for the site server to publish to this container.

The Configuration Manager site is set up to publish to Active Directory Domain
Services.

Clients belong to the same Active Directory forest as the site server's forest.

When clients on the intranet can't use Active Directory Domain Services to find
management points, use DNS publishing. This article also describes the option to
Publish selected intranet management points in DNS.

For general information about service location, see Understand how clients find site
resources and services.

Automate management point site component with PowerShell

To programmatically view and configure the Management point site component, use
the following PowerShell cmdlets:

Get-CMManagementPointComponent
Set-CMManagementPointComponent

Status reporting
These settings directly set up the level of detail that's included in status reports from
sites and clients.

Automate status reporting site component with PowerShell

To programmatically view and configure the Status reporting site component, use the
following PowerShell cmdlets:

Get-CMStatusReportingComponent
Set-CMStatusReportingComponent

Email notification
Specify account and email server details to enable Configuration Manager to send email
notifications for alerts.

For more information, see Configure alerts.

Automate email notification site component with PowerShell

To programmatically view and configure the Email notification site component, use the
following PowerShell cmdlets:

Get-CMEmailNotificationComponent
Set-CMEmailNotificationComponent

Collection membership evaluation

Use this component to set how often collection membership is incrementally evaluated.
Incremental evaluation updates a collection membership with only new or changed
resources.

For more information, see Best practices for collections.

Automate collection membership evaluation site component with PowerShell

To programmatically view and configure the Collection membership evaluation site
component, use the following PowerShell cmdlets:

Get-CMCollectionMembershipEvaluationComponent
Set-CMCollectionMembershipEvaluationComponent

Configuration Manager Service Manager

You can use the Service Manager to control Configuration Manager services, and to view
the status of any Configuration Manager service or working thread. These services and
threads are referred to collectively as Configuration Manager components.

Components can run on any site system.

Manage components the same way that you manage services in Windows. The
following actions apply to Configuration Manager components:

Start
Stop
Pause
Resume
Query

A Configuration Manager service runs when there's something for it to do. For example,
when a configuration file is written to a component's inbox.

Use Service Manager

1. In the Configuration Manager console, go to the Monitoring workspace, expand
System Status, and select the Component Status node.

2. In the Component group of the ribbon, select Start, and then choose
Configuration Manager Service Manager.

3. When the Configuration Manager Service Manager opens, connect to the site that
you want to manage.

If you don't see the site that you want to manage, go to the Site menu, and select
Connect. Then enter the name of the site server of the correct site.

4. Expand the site and navigate to Components or Servers, depending on the
location of the components that you want to manage.

5. In the right pane, select one or more components. Then on the Component menu,
select Query to update the status of your selection.

6. After it updates the status of the component, use one of the four action-based
options on the Component menu. Use these actions to modify the component's
operation. After you request an action, query the component again to display the
new status of the component.

7. Close the Configuration Manager Service Manager when you're finished modifying
the operational status of components.
Publish site data for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

After you extend the Active Directory schema for Configuration Manager, you can
publish Configuration Manager sites to Active Directory Domain Services (AD DS). This
lets Active Directory computers securely retrieve site information from a trusted source.
Although publishing site information to AD DS is not required for basic Configuration
Manager functionality, it can reduce administrative overhead to do so.

When a site is configured to publish to AD DS, Configuration Manager clients can
automatically find management points through Active Directory publishing. They
use an LDAP query to a global catalog server.

When a site does not publish to AD DS, clients must have an alternative
mechanism to locate their default management point.

For information about how clients find a management point, see Understand how
clients find site resources and services for Configuration Manager.

Configure sites to publish to AD DS

The following are the high-level steps:

You must extend the Active Directory schema for Configuration Manager in each
forest where you will publish site data. Also ensure the System Management
container is present.

You must grant the computer account of each primary site that will publish data
full control to the System Management container, and all of its child objects.
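Both of these prerequisites, and the ones listed under the Management point site component earlier, can be checked from a domain-joined administrative workstation before you enable publishing. The following PowerShell is an added example and is not part of the Configuration Manager documentation; it assumes the ActiveDirectory RSAT module is installed, takes the site server name as a placeholder argument, and uses mSSMSManagementPoint as the lDAPDisplayName of the class that the schema extension creates (verify it against your ExtADSch.log). It also lists every principal that holds Full Control on the System Management container, so that grants wider than the site server accounts are visible.

```powershell
# Added example (not from the Configuration Manager documentation): check the
# AD DS publishing prerequisites for a site and report who can publish.
# Assumptions: ActiveDirectory RSAT module present; $SiteServerName is the
# NetBIOS host name of the site server (placeholder, supplied by the caller).
param(
    [Parameter(Mandatory)][string]$SiteServerName,
    [string]$DomainName = (Get-ADDomain).DNSRoot
)
Import-Module ActiveDirectory -ErrorAction Stop

function Test-CMAdPublishingPrereqs {
    param([string]$Domain, [string]$ServerName)

    $dom     = Get-ADDomain -Identity $Domain
    $dc      = $dom.PDCEmulator
    $rootDse = Get-ADRootDSE -Server $dc

    # 1. Schema extended? The extension adds the management point class
    #    (lDAPDisplayName mSSMSManagementPoint; assumption, see lead-in).
    $schemaClass = Get-ADObject -Server $dc -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=mSSMSManagementPoint)'

    # 2. System Management container present under CN=System?
    $systemDn  = "CN=System,$($dom.DistinguishedName)"
    $container = Get-ADObject -Server $dc -SearchBase $systemDn -SearchScope OneLevel `
        -LDAPFilter '(cn=System Management)'
    $containerDn = "CN=System Management,$systemDn"

    # 3. Permissions: the site server computer account needs Full Control on the
    #    container and all child objects (InheritanceType All).
    $siteServerAccount = "$($dom.NetBIOSName)\$ServerName$"
    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $fullControlAces = @()
    $siteServerOk = $false
    if ($container) {
        # Bind to the chosen DC so the check works for a non-default domain too.
        $entry = [ADSI]"LDAP://$dc/$containerDn"
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
            $true, $true, [System.Security.Principal.NTAccount])
        $fullControlAces = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl)
        })
        $siteServerOk = [bool]($fullControlAces | Where-Object {
            $_.IdentityReference.Value -ieq $siteServerAccount -and
            $_.InheritanceType -eq 'All'
        })
    }

    # 4. What has already been published: management point objects in the container.
    $publishedMps = @()
    if ($container -and $schemaClass) {
        $publishedMps = @(Get-ADObject -Server $dc -SearchBase $containerDn `
            -LDAPFilter '(objectClass=mSSMSManagementPoint)' |
            Select-Object -ExpandProperty Name)
    }

    [pscustomobject]@{
        Domain                    = $dom.DNSRoot
        SchemaExtended            = [bool]$schemaClass
        SystemManagementExists    = [bool]$container
        SiteServerHasFullControl  = $siteServerOk
        FullControlPrincipals     = @($fullControlAces |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
        PublishedManagementPoints = $publishedMps
    }
}

Test-CMAdPublishingPrereqs -Domain $DomainName -ServerName $SiteServerName | Format-List
```

Any account in FullControlPrincipals other than the publishing site servers and the built-in administrative groups deserves a second look, because Full Control here allows rewriting the management point records that clients trust for service location.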

To enable a Configuration Manager site to publish site information to an Active
Directory forest

1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, expand Site Configuration, and click Sites. Select
the site that you want to have publish its site data. Then on the Home tab, in the
Properties group, click Properties.
3. On the Publishing tab of the site's properties, select the forests to which this site
will publish site data.

4. Click OK to save the configuration.

To set up Active Directory forests for publishing

1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, expand Hierarchy Configuration, and click
Active Directory Forests. If Active Directory Forest Discovery has previously run,
you see each discovered forest in the results pane. The local forest and any trusted
forests are discovered when Active Directory Forest Discovery runs. Only untrusted
forests must be manually added.

To set up a previously discovered forest, select the forest in the results pane.
Then on the Home tab, in the Properties group, click Properties to open the
forest properties. Continue with step 3.

To set up a new forest that is not listed, on the Home tab, in the Create
group, click Add Forest to open the Add Forests dialog box. Continue with
step 3.

3. On the General tab, complete configurations for the forest that you want to
discover, and specify the Active Directory Forest Account.

Note

Active Directory Forest Discovery requires a global account to discover and
publish to untrusted forests. If you do not use the computer account of the
site server, you can only select a global account.

4. If you plan to allow sites to publish site data to this forest, on the Publishing tab,
complete configurations for publishing to this forest.

Note

If you enable sites to publish to a forest, you must extend the Active Directory
schema of that forest for Configuration Manager. The Active Directory Forest
Account must have Full Control permissions to the System container in that
forest.

5. When you complete the configuration of this forest for use with Active Directory
Forest Discovery, click OK to save the configuration.
Manage content and content infrastructure for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When you are ready to set up and then manage your content management
infrastructure for Configuration Manager, use the information in the following topics:

Install and configure distribution points for Configuration Manager. Before you can
deploy content, you must install and set up distribution points. Then you can set
up distribution point groups to help simplify management of content across your
infrastructure. The information in this topic can help you complete these tasks, and
details the deep and varied settings supported by individual distribution points.

Deploy and manage content for Configuration Manager. Content deployment
transfers files and software to distribution point servers throughout your network.
In addition to a simple transfer, you can prestage content, which is a method that
can help you avoid excessive use of network bandwidth. The information in this
topic can help you with the basic tasks of sending that content or using pre-staged
content effectively.

Monitor content you have distributed with Configuration Manager. As you deploy
content, you can monitor its status across your infrastructure. You can also
redistribute content that fails to reach distribution points, or cancel distributions
that remain in progress. The information in this topic helps you understand how to
monitor your content, including how to fix some problems when the transfer of
content fails.
Install and configure distribution points in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Install Configuration Manager distribution points to host the content files that you
deploy to devices and users. Create distribution point groups to simplify how you
manage distribution points, and how you distribute content to distribution points.

You install a new distribution point by using the installation wizard. For more
information, see Install a distribution point. To manage the properties of an existing
distribution point, edit the properties of the distribution point. For more information, see
Configure a distribution point.

Configure most of the distribution point settings with either method. A few settings are
available only when you're either installing or editing, but not both:

Settings that are available only when you're installing a distribution point:

Allow Configuration Manager to install IIS on the distribution point computer

Configure drive space settings for the distribution point

Settings that are available only when you're editing the properties of a distribution
point:

Manage distribution point group relationships

View Content deployed to the distribution point

Configure Rate limits for data transfers to distribution points

Configure Schedules for data transfers to distribution points

Install a distribution point

Before you can make content available to clients, choose a site system server as a
distribution point. Assign each distribution point to at least one boundary group. Add
the distribution point role to a new server, or add it to an existing server.

Prerequisites
When you install a new distribution point, you use an installation wizard that walks you
through the available settings. Before you start, consider the following prerequisites:

You must have the following security permissions to create and configure a
distribution point:

Read for the Distribution Point object

Copy to Distribution Point for the Distribution Point object

Modify for the Site object

Manage Certificates for Operating System Deployment for the Site object

Install Internet Information Services (IIS) on the Windows server that hosts the
distribution point. Or, when you install the site system role, Configuration Manager
can install and configure IIS for you.

Tip

To prevent Configuration Manager from installing on a specific drive, create an
empty file named NO_SMS_ON_DRIVE.SMS and copy it to the root folder of the
drive before you install the distribution point.

Procedure to install a distribution point

Use this procedure to add a new distribution point. To change the configuration of an
existing distribution point, see the Configure a distribution point section.

Start with the general procedure to Install site system roles. Select the Distribution
point role on the System Role Selection page of the Create Site System Server wizard.
This action adds the following pages to the wizard:

Distribution point
Communication
Drive Settings
Pull Distribution Point
PXE Settings
Multicast
Content Validation
Boundary Groups

Important

The following settings are available only when you're installing a distribution point:

Allow Configuration Manager to install IIS on the distribution point
computer

Configure drive space settings for the distribution point

For more information on the pages of the wizard specific to the distribution point role,
see the Configure a distribution point section. For example, if you want to install the
distribution point as a pull-distribution point, choose the option to Enable this
distribution point to pull content from other distribution points. Then make the other
configurations that pull-distribution points require.

After you finish the Create Site System Server wizard, the site adds the distribution point
role to the site system server.

Note

You can use PowerShell to automate the installation of a distribution point. For
more information, see Add-CMDistributionPoint.

To help you troubleshoot, review the following log files on the site server:

distmgr.log
SMSdpmon.log

For more information, see Log file reference.

Manage distribution point groups

Distribution point groups provide a logical grouping of distribution points for content
distribution. Use these groups to manage and monitor content from a central location
for distribution points that span multiple sites. Keep the following point in mind:

Add one or more distribution points from any site in the hierarchy to a distribution
point group.

Add a distribution point to more than one distribution point group.

When you distribute content to a distribution point group, Configuration Manager
distributes the content to all distribution points that are members of the group.
If you add a distribution point to the group after an initial content distribution,
Configuration Manager automatically distributes the content to the new
distribution point member.

Associate a collection with a distribution point group. When you distribute content
to that collection, Configuration Manager determines which groups are associated
with the collection. It then distributes the content to all distribution points that are
members of those groups.

Note

After you distribute content to a collection, if you then associate the collection
with a new distribution point group, you must redistribute the content to the
collection before the content is distributed to the new distribution point
group.

The next sections list the procedures for the following actions to manage distribution
point groups:

Create and configure a new distribution point group

Modify an existing distribution point group

Add selected distribution points to existing distribution point groups

Procedure to create and configure a new distribution point group

1. In the Configuration Manager console, go to the Administration workspace, and
select the Distribution Point Groups node.

2. In the ribbon, select Create Group.

3. In the Create New Distribution Point Group window, enter the Name, and
optionally a Description for the group.

4. On the Members tab, select Add.

5. In the Add Distribution Points window, select one or more distribution points to
add as members of the group. Then choose OK.

6. If necessary, switch to the Collections tab of the Create New Distribution Point
Group window, and select Add.
7. In the Select Collections window, select the collections to associate with the
distribution point group, and then choose OK.

8. In the Create New Distribution Point Group window, choose OK to create the
group.

Note

You can use PowerShell to automate this process. For more information, see New-
CMDistributionPointGroup.

Create a new group from an existing distribution point

1. In the Configuration Manager console, go to the Administration workspace, and
select the Distribution Points node. Select one or more distribution points to add
to a new distribution point group.

2. In the ribbon, select Add Selected Items, and then select Add Selected Items to
New Distribution Point Group.

This process automatically populates the Members tab of the Create New Distribution
Point Group window with the selected servers.

Procedure to modify an existing distribution point group

1. In the Configuration Manager console, go to the Administration workspace, and
select the Distribution Point Groups node.

2. Select an existing distribution point group to modify. In the ribbon, select
Properties.

3. To associate new collections with this group, switch to the Collections tab, and
choose Add. Select the collections, and then choose OK.

4. To add new distribution points to this group, switch to the Members tab, and
choose Add. Select the distribution points, and then choose OK.

5. Choose OK to save changes to the distribution point group.

Note
You can use PowerShell to automate this process. For more information, see Set-
CMDistributionPointGroup.

Procedure to add selected distribution points to existing distribution point groups

1. In the Configuration Manager console, go to the Administration workspace, and
select the Distribution Points node. Select one or more distribution points to add
to an existing group.

2. In the ribbon, select Add Selected Items, and then select Add Selected Items to
Existing Distribution Point Groups.

3. In the Available distribution point groups, select the groups to which the selected
distribution points are added as members. Then choose OK.

Note

You can use PowerShell to automate this process. For more information, see Add-
CMDistributionPointToGroup.

Reassign a distribution point

Many customers have large Configuration Manager infrastructures, and are reducing
primary or secondary sites to simplify their environment. They still need to keep
distribution points at branch office locations to serve content to managed clients. These
distribution points often contain multiple terabytes or more of content. This content is
costly for time and network bandwidth to distribute to these remote servers.

This feature lets you reassign a distribution point to another primary site without
redistributing the content. The distribution point's current site can be either a primary or
secondary site. This action updates the site system assignment while persisting all of the
content on the server. If you need to reassign multiple distribution points, first do this
action on a single distribution point. Then continue with other servers one at a time.

Important

The target server can only host the distribution point role. If the site system server
hosts another Configuration Manager server role, such as the state migration point,
you can't reassign the distribution point. You can't reassign a cloud management
gateway.

Before reassigning a distribution point, add the computer account of the destination site
server to the local Administrator group on the target distribution point server.

Follow these steps to reassign a distribution point:

1. In the Configuration Manager console, connect to the central administration site.

2. Go to the Administration workspace, and select the Distribution Points node.

3. Right-click the target distribution point, and select Reassign Distribution Point.

4. Select the target site server and site code to which you want to reassign this
distribution point.

Monitor the reassignment in the same way as when you add a new role. The simplest method is
to refresh the console view after several minutes. Add the site code column to the view.
This value changes when Configuration Manager reassigns the server. If you try to do
another action on the target server before you refresh the console view, an "object not
found" error occurs. Ensure the process is complete and refresh the console view before
starting any other actions on the server.

After reassigning a distribution point, refresh the server's certificate. The new site server
needs to re-encrypt this certificate using its public key and store it in the site database.
For more information, see the Create a self-signed certificate or import a public key
infrastructure (PKI) client certificate for the distribution point setting on the General
tab of the distribution point properties.

For PKI certificates, you don't need to create a new certificate. Import the same
.PFX and enter the password.

For self-signed certificates, adjust the expiration date or time to update it.

If you don't refresh the certificate, the distribution point still serves content, but the
following functions fail:

Content validation messages (the distmgr.log shows that it can't decrypt the
certificate)

PXE support for clients

Tips
Do this action from the central administration site. This practice helps with
replication to the primary sites.

Don't distribute content to the target server and then attempt to reassign it.
Content distribution tasks that are in progress may fail during the reassignment
process, but they retry as normal.

If the server is also a Configuration Manager client, make sure to also reassign the
client to the new primary site. This step is especially critical for pull-distribution
points, which use client components to download content.

This process removes the distribution point from the old site's default boundary
group. You need to manually add it to the new site's default boundary group, if
necessary. All other boundary group assignments remain the same.

Note

You can use PowerShell to automate this process. For more information, see the
ReassignSiteCode parameter of the Set-CMDistributionPoint cmdlet.

Maintenance mode
You can set a distribution point in maintenance mode. Enable maintenance mode when
you're installing software updates, or making hardware changes to the server.

While the distribution point is in maintenance mode, it has the following behaviors:

The site doesn't distribute any content to it.

Management points don't return the location of this distribution point to clients.

When you update the site, a distribution point in maintenance mode still updates.

The distribution point properties are read-only. For example, you can't change the
certificate or add boundary groups.

Any scheduled task, like content validation, still runs on the same schedule.

Be careful about enabling maintenance mode on more than one distribution point. This
action may cause a performance impact to your other distribution points. Depending
upon your boundary group configurations, clients may have increased download times
or be unable to download content.
Maintenance mode shouldn't be a long-term state for any distribution point. For any
actions with a long duration, consider first removing the distribution point role.

Note

While a distribution point is in maintenance mode, don't do the following actions:

Remove role
Reassign distribution point

Enable maintenance mode

To put a distribution point in maintenance mode, your user account requires the Modify
permission on the Site class. For example, the Infrastructure Administrator and Full
Administrator built-in roles have this permission.

1. In the Configuration Manager console, go to the Administration workspace.

2. Select the Distribution Points node.

3. Select the target distribution point, and choose Enable maintenance mode from
the ribbon.

To view the current state of the distribution points, add the "Maintenance mode"
column to the Distribution Points node in the console.

For more information on automating this process with the Configuration Manager SDK,
see SetDPMaintenanceMode method in class SMS_DistributionPointInfo.

Configure a distribution point

Individual distribution points support different kinds of configurations. However, not all
distribution point types support all configurations. For example, cloud management
gateways don't support PXE- or multicast-enabled deployments. For more information
about specific limitations, see the following articles:

Supported configurations for cloud management gateway

Use a pull-distribution point

The following sections describe the distribution point configurations when you're
installing a new one or editing an existing one:
General settings
Communication
Drive Settings
Firewall Settings
Pull Distribution Point
PXE Settings
Multicast
Content Validation
Boundary Groups

Procedure to change a distribution point

1. In the Configuration Manager console, go to the Administration workspace, and
select the Distribution Points node.

2. Select the distribution point to configure. In the ribbon, choose Properties.

3. Use the information in the following sections when you're editing the properties of
the distribution point.

4. After you make the changes that you want, select OK to save your settings and
close the distribution point properties.

Note

You can use PowerShell to automate this process. For more information, see Set-
CMDistributionPoint.

General
The following settings are on the Distribution point page of the Create Site System
Server wizard, and the General tab of the distribution point properties window:

Description: An optional description for this distribution point role.

Install and configure IIS if required by Configuration Manager: If IIS isn't already
installed on the server, Configuration Manager installs and configures it.
Configuration Manager requires IIS on all distribution points. If you don't choose
this setting, and IIS isn't installed on the server, first install IIS before Configuration
Manager can successfully install the distribution point.
Note

This option is only on the Distribution point page of the Create Site System
Server wizard. It's available only when you're installing a new distribution
point.

Enable and configure BranchCache for this distribution point: Choose this setting
to let Configuration Manager configure Windows BranchCache on the distribution
point server. For more information, see BranchCache.

Adjust the download speed to use the unused network bandwidth (Windows
LEDBAT): Enable distribution points to use network congestion control. For more
information, see Windows LEDBAT. Minimum requirements for LEDBAT support:
Windows Server, version 1709 or later
Windows Server 2016 with the following updates:
Cumulative update KB4132216, released June 21, 2018, or a later cumulative
update.
Servicing stack update KB4284833, released May 18, 2018, or a later servicing
stack update.
Windows Server 2019

Enable this distribution point for prestaged content: This setting enables you to
add content to the server before you distribute software. Because the content files
are already in the content library, they don't transfer over the network when you
distribute the software. For more information, see Prestaged content.

Enable this distribution point to be used as Microsoft Connected Cache server:
Use this option to install a Microsoft Connected Cache server on your distribution
point. By caching this content on-premises, your clients can benefit from the
Delivery Optimization feature, but you can help to protect WAN links. For more
information, including description of the other settings, see Microsoft Connected
Cache in Configuration Manager.

Communication
The following settings are on the Communication page of the Create Site System Server
wizard and the distribution point properties window:

Configure how client devices communicate with the distribution point: There are
advantages and disadvantages to using HTTP or HTTPS. For more information, see
Security guidance for content management.
Allow clients to connect anonymously: This setting specifies whether the
distribution point allows anonymous connections from Configuration Manager
clients to the content library.

Create a self-signed certificate or import a PKI client certificate: Configuration
Manager uses this certificate for the following purposes:

It authenticates the distribution point to a management point before the
distribution point sends status messages.

When you Enable PXE support for clients on the PXE Settings page, the
distribution point sends it to computers that PXE boot. These computers then
use it to connect to a management point during the OS deployment process.

When you configure all your management points in the site for HTTP, select the
option to Create self-signed certificate. When you configure the management
points for HTTPS, use the option to Import certificate from PKI. In other words,
don't use self-signed certificates on distribution points when management
points use certificates. Issues may occur otherwise. For example, distribution
points won't send state messages.

To import the certificate, browse to a valid Public Key Cryptography Standard
(PKCS #12) file. This PFX or CER file has the PKI certificate with the following
requirements for Configuration Manager:

The intended use includes client authentication

Enable the private key to be exported

Tip

There are no specific requirements for the certificate subject or subject
alternative name (SAN). If necessary, use the same certificate for multiple
distribution points.

For more information about the certificate requirements, see PKI certificate
requirements.

For an example deployment of this certificate, see Deploying the client
certificate for distribution points.
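Before exporting a candidate certificate to the PFX that the distribution point properties import, the two requirements above can be verified against the copy in the local machine store. The following PowerShell is an added example, not part of the Configuration Manager documentation; it assumes the certificate is identified by thumbprint (the default value is a placeholder) and tests exportability by performing an in-memory export, which is the operation that fails for a non-exportable key.

```powershell
# Added example (not from the Configuration Manager documentation): check that a
# certificate in LocalMachine\My satisfies the DP certificate requirements stated
# in this article before you export it as a PFX for import in the console.
# Assumption: the thumbprint is supplied by the caller (placeholder default).
param(
    [string]$Thumbprint = '<thumbprint of the candidate certificate>'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-DPCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $findings = New-Object System.Collections.Generic.List[string]

    # Requirement 1: intended use (Enhanced Key Usage) includes Client Authentication.
    $eku = @($Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] })
    $hasClientAuth = [bool]($eku | ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $clientAuthOid })
    if (-not $hasClientAuth) {
        $findings.Add('Enhanced Key Usage does not include Client Authentication')
    }

    # Requirement 2: a private key is present and can be exported. Exporting to a
    # PFX in memory with a throwaway password is the definitive test; the bytes are
    # discarded and never written to disk.
    if (-not $Cert.HasPrivateKey) {
        $findings.Add('No private key is associated with this certificate')
    } else {
        try {
            $throwawayPassword = [guid]::NewGuid().ToString()
            [void]$Cert.Export(
                [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,
                $throwawayPassword)
        } catch [System.Security.Cryptography.CryptographicException] {
            $findings.Add("Private key is not exportable: $($_.Exception.Message)")
        }
    }

    # An expired or not-yet-valid certificate fails regardless of the other checks.
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $findings.Add("Not valid at $now (valid $($Cert.NotBefore) to $($Cert.NotAfter))")
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Suitable   = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint.Replace(' ', '').ToUpper() }
if (-not $cert) { throw "No certificate with thumbprint '$Thumbprint' in LocalMachine\My" }
Test-DPCertificate -Cert $cert | Format-List
```

Because the same certificate may be reused across distribution points, run the check once per source certificate rather than per server.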

Drive settings
Note

These options are available only when you're installing a new distribution point.

Specify the drive settings for the distribution point. Configure up to two disk drives for
the content library and two disk drives for the package share. Configuration Manager
can use other drives when the first two reach the configured drive space reserve. The
Drive Settings page configures the priority for the disk drives and the amount of free
disk space that remains on each disk drive.

Drive space reserve (MB): This value determines the amount of free space on a
drive before Configuration Manager chooses a different drive and continues the
copy process to that drive. Content files can span multiple drives.

Content locations: Specify the locations for the content library and package share
on this distribution point. By default, all content locations are set to Automatic.
Configuration Manager copies content to the primary content location until the
amount of free space reaches the value specified for Drive space reserve (MB).
When you select Automatic, Configuration Manager sets the primary content
locations to the disk drive with the most disk space at installation. It sets the
secondary locations to the disk drive with the second-most free disk space. When
the primary and secondary locations reach the drive space reserve, Configuration
Manager selects another available drive with the most free disk space to continue
the copy process.

Tip

To prevent Configuration Manager from installing on a specific drive, create an
empty file named NO_SMS_ON_DRIVE.SMS and copy it to the root folder of the
drive before you install the distribution point.

For more information, see The content library.

Firewall Settings
The distribution point must have the following inbound rules configured in the Windows
firewall:

Windows Management Instrumentation (DCOM-In)

Windows Management Instrumentation (WMI-In)

Without these rules, clients will receive error 0x801901F4 in DataTransferService.log
when attempting to download content.
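The two rules can be audited on the distribution point itself, which is quicker than waiting for clients to report the error. The following PowerShell is an added example, not part of the Configuration Manager documentation; it assumes it runs in an elevated session on the distribution point and uses only the built-in NetSecurity cmdlets.

```powershell
# Added example (not from the Configuration Manager documentation): verify that the
# two inbound WMI rules this article requires exist, are enabled and allow traffic.
# Run locally on the distribution point in an elevated PowerShell session.
$requiredRules = @(
    'Windows Management Instrumentation (DCOM-In)',
    'Windows Management Instrumentation (WMI-In)'
)

function Test-DPFirewallRules {
    param([string[]]$DisplayNames)
    foreach ($name in $DisplayNames) {
        # The same display name can exist once per profile; report each instance.
        $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
        if ($rules.Count -eq 0) {
            [pscustomobject]@{ Rule = $name; Present = $false; Enabled = $false
                               Profile = $null; Action = $null }
            continue
        }
        foreach ($r in $rules) {
            [pscustomobject]@{
                Rule    = $name
                Present = $true
                Enabled = ($r.Enabled -eq 'True')
                Profile = $r.Profile
                Action  = $r.Action
            }
        }
    }
}

$report = Test-DPFirewallRules -DisplayNames $requiredRules
$report | Format-Table -AutoSize

$problems = @($report | Where-Object {
    -not ($_.Present -and $_.Enabled -and $_.Action -eq 'Allow') })
if ($problems.Count -gt 0) {
    Write-Warning ('A required WMI inbound rule is missing, disabled or blocking; ' +
        'clients will log 0x801901F4 in DataTransferService.log when they download content.')
    # Remediation uses the built-in rule group rather than hand-made rules:
    #   Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
}
```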

Pull distribution point

When you Enable this distribution point to pull content from other distribution points,
it becomes a pull-distribution point. You change the behavior of how the distribution
point gets the content that you distribute to it. For more information, see Use a pull-
distribution point.

For each pull-distribution point that you configure, specify one or more source
distribution points from which it gets the content:

Choose Add, and then select one or more of the available distribution points to be
sources.

Use the arrow buttons to adjust the priority. When the pull-distribution point
attempts to transfer content, the priority is the order in which it contacts the
source distribution points. It first contacts distribution points with the lowest value.

PXE
Specify whether to enable PXE on the distribution point. Use PXE to start OS
deployments on clients. For more information on how to use PXE in Configuration
Manager, see Use PXE to deploy Windows over the network.

When you enable PXE, Configuration Manager installs Windows Deployment Services
(WDS) on the server, if necessary. WDS is the service that supports PXE boot to install
operating systems. After you finish the wizard to create the distribution point,
Configuration Manager installs a provider in WDS that uses the PXE boot functions.

You can enable PXE on a distribution point without WDS.

Select the option to Enable PXE support for clients, and then configure the following
settings:

Note

Select Yes in the Review Required Ports for PXE dialog box to confirm that you
want to enable PXE. Configuration Manager automatically configures the default
ports on Windows firewall. If you use a different firewall, manually configure the
ports.

If you install WDS and DHCP on the same server, configure WDS to listen on a
different port. By default, DHCP listens on the same port. For more information, see
Considerations when you have WDS and DHCP on the same server.

Allow this distribution point to respond to incoming PXE requests: Specify
whether to enable WDS to respond to PXE service requests. Use this setting to
enable and disable the service without removing the PXE functionality from the
distribution point.

Enable unknown computer support: Specify whether to enable support for
computers that Configuration Manager doesn't manage. For more information, see
Prepare for unknown computer deployments.

Enable a PXE responder without Windows Deployment Service: This option
enables a PXE responder on the distribution point, which doesn't require WDS. This
PXE responder supports IPv6 networks. If you enable this option on a distribution
point that's already PXE-enabled, Configuration Manager suspends the WDS
service. If you disable this option, but still Enable PXE support for clients, then the
distribution point enables WDS again.

Note

When you enable a PXE responder on a distribution point without Windows
Deployment Service, it can be on the same server as the DHCP service.

Require a password when computers use PXE: To provide more security for your
PXE deployments, specify a strong password.

User device affinity: Specify how you want the distribution point to associate users
with the destination computer for PXE deployments. Choose one of the following
options:

Allow user device affinity with auto-approval: Choose this setting to
automatically associate users with the destination computer without waiting for
approval.

Allow user device affinity pending administrator approval: Choose this setting
to wait for approval from an administrative user before users are associated
with the destination computer.

Do not allow user device affinity: Choose this setting to specify that users
aren't associated with the destination computer. This setting is the default.

For more information about user device affinity, see Link users and devices with
user device affinity.

Network interfaces: Specify that the distribution point responds to PXE requests
from all network interfaces or from specific network interfaces. If the distribution
point responds to specific network interfaces, then provide the MAC address for
each network interface.

Note

When changing the network interface, restart the WDS service to make sure it
properly saves the configuration. When using the PXE responder service,
restart the ConfigMgr PXE Responder Service (SccmPxe).

Specify the PXE server response delay (seconds): When you use multiple PXE
servers, specify how long this PXE-enabled distribution point should wait before it
responds to computer requests. By default, the Configuration Manager PXE-
enabled distribution point responds immediately.

Multicast
Specify whether to enable multicast on the distribution point. Multicast deployments
conserve network bandwidth by simultaneously sending data to multiple Configuration
Manager clients. Without multicast, the server sends a copy of the data to each client
over a separate connection. For more information about using multicast for OS
deployment, see Use multicast to deploy Windows over the network.

When you enable multicast, Configuration Manager installs Windows Deployment
Services (WDS) on the server, if necessary.

Select the option to Enable multicast to simultaneously send data to multiple clients,
and then configure the following settings:

Multicast Connection Account: Specify the account to use when you configure
Configuration Manager database connections for multicast. For more information,
see the Multicast connection account.

Multicast address settings: Specify the IP addresses for sending data to the
destination computers. By default, it obtains the IP address from a DHCP server
that's enabled to distribute multicast addresses. Depending on the network
environment, you can specify a range of IP addresses from 239.0.0.0 through
239.255.255.255.

Important

The IP addresses that you configure must be accessible by the destination
computers that request the OS image. Verify that routers and firewalls allow
for multicast traffic between the destination computer and the distribution
point.

UDP port range for multicast: Specify the range of UDP ports that are used to
send data to the destination computers.

Important

The UDP ports must be accessible by the destination computers that request
the OS image. Verify that routers and firewalls allow for multicast traffic
between the destination computer and the site server.

Maximum clients: Specify the maximum number of destination computers that can
download the OS image from this distribution point.

Enable scheduled multicast: Specify how Configuration Manager controls when to
start deploying operating systems to destination computers. Configure the
following options:

Session start delay (minutes): Specify the number of minutes that
Configuration Manager waits before it responds to the first deployment request.

Minimum session size (clients): Specify how many requests must be received
before Configuration Manager starts to deploy the operating system.

Important

To enable and configure multicast on the Multicast tab of the distribution point
properties, the distribution point must use Windows Deployment Service.

If you Enable PXE support for clients and Enable multicast to simultaneously
send data to multiple clients, then you can't Enable a PXE responder without
Windows Deployment Service.

If you Enable PXE support for clients and Enable a PXE responder without
Windows Deployment Service, then you can't Enable multicast to
simultaneously send data to multiple clients.

Group relationships

Note

These options are available only when you're editing the properties of a previously
installed distribution point.

Manage the distribution point groups in which this distribution point is a member.

To add this distribution point as a member of an existing distribution point group,
choose Add. In the Add to Distribution Point Groups window, select an existing group,
and then choose OK.

To remove this distribution point from a distribution point group, select the group in the
list, and then choose Remove. Removing the distribution point from a distribution point
group doesn't remove any content from the distribution point.

Content

Note

These options are available only when you're editing the properties of a previously
installed distribution point.

Manage the content that you distributed to the distribution point. Select from the list of
deployment packages, and then select one of the following actions:

Validate: Start the process to validate the integrity of the content files for the
software. To view the results of the content validation process, in the Monitoring
workspace, expand Distribution Status, and then choose the Content Status node.
For more information, see Validate content.

Redistribute: Copies all of the content files for the selected software to the
distribution point, and overwrites the existing files. You typically use this action to
repair content files. For more information, see Redistribute content.

Remove: Removes the content files for the software from the distribution point.
For more information, see Remove content.

Content validation
Set a schedule to validate the integrity of content files on the distribution point. When
you enable content validation on a schedule, Configuration Manager starts the process
at the scheduled time. It verifies all content on the distribution point based on the local
SMS_PackagesInContLib SCCMDP class. You can also configure the content validation
priority. By default, the priority is set to Lowest. Increasing the priority might increase
the processor and disk utilization on the server during the validation process, but it
should complete faster.

To view the results of the content validation process, in the Monitoring workspace,
expand Distribution Status, and then choose the Content Status node. It shows the
content for each software type, for example, application, software update package, and
boot image.

Warning

Although you specify the content validation schedule by using the local time for
the computer, the Configuration Manager console shows the schedule in UTC.

For more information, see Validate content.

Boundary groups
Manage the boundary groups to which you assign this distribution point. Add the
distribution point to at least one boundary group. During content deployment, clients
must be in a boundary group associated with a distribution point to use that
distribution point as a source location for content.

Configure boundary group relationships that define when and to which boundary
groups a client can fall back to find content. For more information, see Boundary
groups.

Choose Add and select an existing boundary group from the list.

To create a new boundary group for this distribution point, choose Create. For more
information on how to create and configure a boundary group, see Procedures for
boundary groups.

When you're editing the properties of a previously installed distribution point, manage
the option to Enable for on-demand distribution. This option allows Configuration
Manager to automatically distribute content to this server when a client requests it. For
more information, see On-demand content distribution.

Schedule

Note

These options are available only when you're editing the properties of a previously
installed distribution point.

This tab is available only when you edit the properties for a distribution point that's
remote from the site server.

Configure a schedule that restricts when Configuration Manager can transfer data to the
distribution point. Restrict data by priority or close the connection for selected time
periods.

To restrict data, select the time period in the grid, and then choose one of the following
settings for Availability:

Open for all priorities: Configuration Manager sends data to the distribution point
with no restrictions. This setting is the default for all time periods.

Allow medium and high priority: Configuration Manager sends only medium-
priority and high-priority data to the distribution point.

Allow high priority only: Configuration Manager sends only high-priority data to
the distribution point.

Closed: Configuration Manager doesn't send any data to the distribution point.

Configure the Distribution priority of software on the Distribution Settings tab of the
software's properties.

Important

The schedule is based on the time zone from the sending site, not the distribution
point.

Rate limits

Note

These options are available only when you're editing the properties of a previously
installed distribution point.

This tab is available only when you edit the properties for a distribution point that's
remote from the site server.

Configure rate limits to control the network bandwidth that Configuration Manager uses
to transfer content to the distribution point. Choose from the following options:

Unlimited when sending to this destination: Configuration Manager sends
content to the distribution point with no rate limit restrictions. This setting is the
default.

Pulse mode: This option specifies the size of the data blocks that the site server
sends to the distribution point. You can also specify a time delay between sending
each data block. Use this option when you must send data across a very low-
bandwidth network connection to the distribution point. For example, you have
constraints to send 1 KB of data every five seconds, whatever the speed of the link
or its usage at a given time.

Limited to specified maximum transfer rates by hour: Specify this setting to have
a site send data to a distribution point by using only the percentage of time that
you configure. When you use this option, Configuration Manager doesn't identify
the network's available bandwidth. Instead it divides the time that it can send data.
The server sends data for a short period of time, which is followed by periods of
time when data isn't sent. For example, if you set Limit available bandwidth to
50%, Configuration Manager transmits data for a time period followed by an equal
period of time when no data is sent. The actual amount of data, or the size of the
data block, isn't managed. It only manages the amount of time during which it
sends data.

Deploy and manage content for Configuration Manager
Article • 12/05/2022

Applies to: Configuration Manager (current branch)

After you install distribution points for Configuration Manager, you can begin to deploy
content to them. Typically, content transfers to distribution points across the network,
but other options to get content to the distribution points exist. After content transfers
to a distribution point, you can update, redistribute, remove, and validate that content
on distribution points.

There are many types of content. All of the actions in this article apply to the following
objects in the Software Library workspace in the Configuration Manager console:

Applications: Expand the Application Management node, select Applications, and
then select the specific applications.

Packages: Expand the Application Management node, select Packages, and then
select the specific packages.

Software update deployment packages: Expand the Software Updates node,
select Deployment Packages, and then select the specific deployment packages.

Driver packages: Expand the Operating Systems node, select Driver Packages, and
then select the specific driver packages.

OS images: Expand the Operating Systems node, select Operating System
Images, and then select the specific OS images.

OS upgrade packages: Expand the Operating Systems node, select Operating
System Upgrade Packages, and then select the specific OS upgrade packages.

Boot Images: Expand the Operating Systems node, select Boot Images, and then
select the specific boot images.

Task Sequences: Expand the Operating Systems node, select Task Sequences, and
then select the specific task sequence. Although task sequences don't contain
content, they have associated content references.

Distribute content
Typically, you distribute content to distribution points so that it's available to clients. The
exception to this behavior is when you use on-demand content distribution for a
specific deployment. When you distribute content, Configuration Manager stores
content files in a package, and then distributes the package to the distribution point.
The content for the package is pulled from the site server's content library.

When you create a package that contains source files, the site on which you create it
becomes the site owner for the content source. Configuration Manager copies the
source files from the source file path that you specify for the object to the content
library on the site server that owns it. Then Configuration Manager replicates the
information to additional sites. For more information, see The content library.

Use the following procedure to distribute content to distribution points.

1. In the Configuration Manager console, go to the Software Library workspace.

2. Select one of the content types that you want to distribute.

3. On the Home tab of the ribbon, in the Deployment group, select Distribute
Content.

4. On the General page of the Distribute Content Wizard, verify that the content
listed is the content that you want to distribute. Then choose whether you want
Configuration Manager to detect content dependencies that are associated with
the selected content and add the dependencies to the distribution.

Note

For applications, you can also configure the Detect associated content
dependencies and add them to this distribution setting. Configuration
Manager automatically configures this setting for task sequences.

5. On the Content tab, if displayed, verify that the content listed is the content that
you want to distribute.

Note

The Content page displays only when you select the Detect associated
content dependencies and add them to this distribution setting on the
General page of the wizard.

6. On the Content Destination page, select Add, and choose one of the following
options:

Collections: Choose User Collections or Device Collections, and then select
the collection associated with one or more distribution point groups.

Note

It only displays the collections that are associated with a distribution
point group. For more information, see Manage distribution point
groups.

Distribution Point: Choose an existing distribution point, and then select OK.
It doesn't display distribution points that have previously received the
content.

Distribution Point Group: Choose an existing distribution point group, and
then select OK. It doesn't display distribution point groups that have
previously received the content.

When you finish adding content destinations, select Next.

7. On the Summary page, review the settings for the distribution before you
continue. To distribute the content to the selected destinations, select Next.

8. The Progress page displays the progress of the distribution.

9. The Confirmation page displays whether the content was successfully assigned to
the servers. To further monitor the content distribution, see Monitor content
you've distributed with Configuration Manager.

Use prestaged content

Prestaged content is a compressed file that contains the content files and associated
metadata for a content type. You can then manually import this content to another site
server, a secondary site, or a distribution point.

When you import the prestaged content file on a site server, it adds the content
files to its content library. It then registers the content in the site server database.

When you import the prestaged content file on a distribution point, the content
files are added to the content library on the distribution point. It then sends a
status message to the site server, which informs the site that the content is
available on the distribution point.

Limitations and considerations for prestaged content

When the distribution point is located on the site server, don't enable the
distribution point for prestaged content. Instead use the procedure in How to
prestage content on a distribution point on a site server.

When the distribution point is configured as a pull-distribution point, don't enable
the distribution point for prestaged content. The prestage content configuration
for a distribution point overrides the pull-distribution point configuration. A pull-
distribution point that you configure for prestaged content doesn't pull content
from its source distribution point and doesn't receive content from the site server.

Before you can prestage content to the distribution point, create the content
library on the server. Distribute content over the network at least once to prepare
the content library. Then you can prestage content.

When you prestage content for an object with a long package source path, the
Extract Content command-line tool might fail. A long package source path is more
than 140 characters.

For more information about when to prestage content files, see Manage network
bandwidth for content management.

Step 1: Create a prestaged content file

1. In the Configuration Manager console, go to the Software Library workspace.

2. Select one of the content types that you want to prestage.

3. On the Home tab of the ribbon, select Create Prestage Content File.

4. On the General page of the Create Prestaged Content File Wizard, select Browse.
Choose the location for the prestaged content file, specify a name for the file, and
then select Save. You use this prestaged content file on primary site servers,
secondary site servers, or distribution points to import the content and metadata.

5. For applications, select Export all dependencies to have Configuration Manager
detect and add the dependencies associated with the application to the prestaged
content file. By default, this setting is selected.

6. In Administrator comments, enter optional comments about the prestaged
content file.

7. On the Content page, verify that the content listed is the content that you want to
add to the prestaged content file.

8. On the Content Locations page, specify the distribution points from which to
retrieve the content for the prestaged content file. You can select more than one
distribution point to retrieve the content. The distribution points are listed in the
Content locations section. The Content column displays how many of the selected
packages or applications are available on each distribution point.

Configuration Manager starts with the first distribution point in the list to retrieve
the selected content. It then moves down the list to retrieve the remaining content
required for the prestaged content file. To change the priority order of the
distribution points, select Move Up or Move Down.

When the distribution points in the list don't contain all of the selected content,
add distribution points to the list that contain the content. Otherwise, exit the
wizard, distribute the content to at least one distribution point, and then restart
the wizard.

9. On the Summary page, confirm the details. You can go back to previous pages and
make changes. Select Next to create the prestaged content file.

10. The Progress page displays the content that it's adding to the prestaged content
file.

11. On the Completion page, verify that it successfully created the prestaged content
file, and then select Close.

Step 2: Assign the content to distribution points

After you prestage the content file, assign the content to distribution points.

Note

When you use a prestaged content file to recover the content library on a site
server, and don't have to prestage the content files on a distribution point, you can
skip this procedure.

Use the following procedure to assign the content in the prestaged content file to
distribution points.

Important

Verify that the distribution points that you want to prestage are configured as
prestaged distribution points, or that the content is distributed to the distribution
points over the network.

1. In the Configuration Manager console, go to the Software Library workspace.

2. Select the same content type that you selected when you created the prestaged
content file.

3. On the Home tab, in the Deployment group, select Distribute Content.

4. On the General page of the Distribute Content Wizard, verify that the content
listed is the content that you prestaged. Choose whether you want Configuration
Manager to detect content dependencies that are associated with the selected
content and add the dependencies to the distribution.

Note

For applications, you can also configure the Detect associated content
dependencies and add them to this distribution setting. Configuration
Manager automatically configures this setting for task sequences.

5. On the Content page, if displayed, verify that the content listed is the content that
you want to distribute.

Note

The Content page displays only when the Detect associated content
dependencies and add them to this distribution setting is selected on the
General page of the wizard.

6. On the Content Destination page, select Add, and choose one of the following
options that includes the distribution points to be prestaged:

Collections: Choose User Collections or Device Collections, then select the
collection associated with one or more distribution point groups.

Note

It only displays the collections that are associated with a distribution
point group. For more information, see Manage distribution point
groups.

Distribution Point: Select an existing distribution point, and then select OK. It
doesn't display distribution points that already have the content.

Distribution Point Group: Select an existing distribution point group, and
then select OK. It doesn't display distribution point groups that already have
the content.

When you finish adding content destinations, select Next.

7. On the Summary page, review the settings for the distribution before you
continue. To distribute the content to the selected destinations, select Next.

8. The Progress page displays the progress of the distribution.

9. The Confirmation page displays whether the content was successfully assigned to
the distribution points. To monitor the content distribution, see Monitor content
you've distributed.

Step 3: Extract the content from the prestaged content file

After you create the prestaged content file and assign the content to distribution points,
extract the content files to the content library on the target server.

First, manually copy the prestaged content file to the target server. Use a portable drive
like a USB drive, or media like a DVD. Have it available at the location of the server that
requires the content.

Next, you use the Extract Content command-line tool to export the content files from
the prestaged content file.

When you run the tool, it creates a temporary file as it creates the content files.
Then it copies the file to the destination folder, and deletes the temporary file. The
server needs sufficient disk space for this temporary file.

The tool creates the temporary file in the specified destination folder for the
content files.

The user that runs the tool must have Administrator rights on the server where
you extract the content.

To extract the content files from the prestaged content file

1. Copy the prestaged content file to the server where you want to extract the
content.

2. Copy ExtractContent.exe from the \bin\x64 subfolder of the Configuration
Manager site installation. Copy it to the same folder on the target server as the
prestaged content file.

3. On the target server, open the command prompt. Navigate to the folder location
of the prestaged content file and Extract Content tool.

Note

You can extract one or more prestaged content files on a site server,
secondary site server, or distribution point.

4. Use the following commands to import the content:

Single file: extractcontent.exe /P:<PrestagedFileLocation>\<PrestagedFileName> /S

All prestaged files in the specified folder: extractcontent.exe /P:<PrestagedFileLocation> /S

For example, if D:\PrestagedFiles\ is the prestaged file location, and
MyPrestagedFile.pkgx is the prestaged file name:

extractcontent /P:D:\PrestagedFiles\MyPrestagedFile.pkgx /S

The /S parameter extracts only content files that are newer than what's currently
in the content library.

When you extract the prestaged content file on a site server, the content files are
added to its content library. The site then registers the content in the site server
database. When you extract the prestaged content file on a distribution point, it
adds the content files to the content library on the distribution point. The
distribution point sends a status message to the parent primary site server, which
then registers the content in the site database.
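As an added example (not from the Microsoft docs), the following PowerShell script runs the all-files form of the command above on the target server after checking the preconditions this procedure lists: Administrator rights, and ExtractContent.exe placed in the same folder as the .pkgx files. The folder path is an assumption.

```powershell
# Added example (not from the Microsoft docs): run ExtractContent.exe for every prestaged
# .pkgx file in one folder on the target server, after the checks the procedure calls for.
param(
    [string]$PrestagedFolder = 'D:\PrestagedFiles'   # assumed path; use the folder you copied to
)

# The tool must run with Administrator rights on the server that receives the content.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}

# ExtractContent.exe is copied from the site's \bin\x64 folder next to the .pkgx files.
$tool = Join-Path -Path $PrestagedFolder -ChildPath 'ExtractContent.exe'
if (-not (Test-Path -LiteralPath $tool)) {
    throw "ExtractContent.exe not found in $PrestagedFolder; copy it from \bin\x64 of the site installation."
}

$pkgx = @(Get-ChildItem -LiteralPath $PrestagedFolder -Filter '*.pkgx' -File)
if ($pkgx.Count -eq 0) {
    throw "No .pkgx files found in $PrestagedFolder."
}
$largestMB = [math]::Ceiling(($pkgx | Measure-Object -Property Length -Maximum).Maximum / 1MB)
"Found $($pkgx.Count) prestaged file(s); the largest is $largestMB MB."
# The tool writes a temporary file in the content library's destination folder while it
# extracts, so that drive needs free space on that order; this script does not check it.

# Folder form of the command: every .pkgx under /P: is processed. /S extracts only files
# that are newer than what the content library already holds.
Push-Location -LiteralPath $PrestagedFolder
try {
    & $tool "/P:$PrestagedFolder" /S
    if ($LASTEXITCODE -ne 0) {
        throw "ExtractContent.exe exited with code $LASTEXITCODE; review the tool's output above."
    }
    "Extraction finished; the site registers the content in the site database."
}
finally {
    Pop-Location
}
```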

Important

When you update content on the site to a new version, make sure to also update
content for prestaged content files. For example:

1. You create a prestaged content file for version 1 of a package.

2. You update the source files for the package with version 2.

3. You extract the version 1 prestaged content file on a distribution point.

In this example, Configuration Manager doesn't automatically distribute package
version 2 to the distribution point. Create a new prestaged content file that
contains the new file version. Then extract the content, update the distribution
point to distribute the files that have changed, or redistribute all files in the
package.

How to prestage content on a distribution point on a site server

When a distribution point is installed on a site server, use the following procedure to
successfully prestage content. This process is different because the content files are
already in the content library.

When the distribution point isn't enabled for prestaged content or when the distribution
point isn't located on a site server, see the Use Prestaged content section.

1. Verify that the distribution point isn't enabled for prestaged content.

a. In the Configuration Manager console, go to the Administration workspace.

b. In the Administration workspace, select the Distribution Points node. Then
select the distribution point that's on the site server.

c. On the Home tab of the ribbon, in the Properties group, select Properties.

d. On the General tab, verify that the option to Enable this distribution point for
prestaged content isn't selected.

2. Create a prestaged content file.

3. Assign the content to the distribution point.

4. On the site server, extract the content from the prestaged content file.

Note

When the distribution point is on a secondary site, wait for at least 10
minutes. Then in the Configuration Manager console, assign the content to
the distribution point on the secondary site.

Manage distributed content

You have the following options for managing content:

Update content
Update content on schedule
Redistribute content
Remove content
Validate content

Update content
When you update the source file location for a deployment by adding new files or
replacing existing files with a newer version, update the content files on distribution
points. Use the Update Distribution Points or Update Content actions.

The site copies the content files from the original package source location to the
content library on the site that owns the package content source.
It increments the package version.
Each instance of the content library on site servers and on distribution points
updates with only the changed files.

Warning

The package version for applications is always 1. When you update the content for
an application deployment type, Configuration Manager creates a new content ID
for the deployment type, and the package references the new content ID.

Process to update content on distribution points

1. In the Configuration Manager console, go to the Software Library workspace.

2. Select the content type that you want to update.

3. For most object types: On the Home tab of the ribbon, in the Deployment group,
select Update Distribution Points. Then select OK to confirm that you want to
update the content.

To update content for applications: Select the Deployment Types tab in the details
pane. Choose the deployment type. On the Deployment Type tab of the ribbon,
select Update Content. Then select OK to confirm that you want to refresh the
content.

When you update content for boot images: The Update Distribution Points action
opens the Manage Distribution Point Wizard. For more information, see Update
distribution points with the boot image.

Update content on schedule


You can create a schedule for when the site updates the content for the object. Use this
option for an object whose content changes frequently.

1. In the Configuration Manager console, go to the Software Library workspace.

2. Select the content type that you want to update.

3. On the Home tab of the ribbon, in the Properties group, select Properties.

4. Switch to the Data source tab. Select the option to Update distribution points on
a schedule.

5. Select Schedule and specify a custom schedule. You can also set a recurrence
pattern.

If the source content hasn't changed, then this action doesn't do anything. To
redistribute all content, use the distribute or redistribute actions.

Redistribute content
You can redistribute a package to copy all of the content files in the package to
distribution points or distribution point groups. This action overwrites the existing files.

Use this operation to repair content files in the package or resend the content when the
initial distribution fails. You can redistribute a package from:

Package properties
Distribution point properties
Distribution point group properties

Process to redistribute content from package properties


1. In the Configuration Manager console, go to the Software Library workspace.

2. Select the content types that you want to redistribute.

3. On the Home tab of the ribbon, in the Properties group, select Properties.

4. Switch to the Content Locations tab. Select the distribution point or distribution
point group to which you want to redistribute the content, and select Redistribute.

Process to redistribute content from distribution point properties


1. In the Configuration Manager console, go to the Administration workspace.

2. In the Administration workspace, select the Distribution Points node. Then select
the distribution point to which you want to redistribute content.

3. On the Home tab of the ribbon, in the Properties group, select Properties.

4. Switch to the Content tab. Select the content to redistribute, and select
Redistribute.

Process to redistribute content from distribution point group properties

1. In the Configuration Manager console, go to the Administration workspace.

2. In the Administration workspace, select the Distribution Point Groups node. Then
select the distribution point group to which you want to redistribute content.

3. On the Home tab of the ribbon, in the Properties group, select Properties.

4. Switch to the Content tab. Select the content to redistribute, and select
Redistribute.

Important

The site redistributes the content in the package to all of the distribution
points in the group.

Use the SDK to force replication of content

You can use the RetryContentReplication WMI method from the Configuration
Manager SDK to force distribution manager to copy content from the source location to
the content library.

Only use this method to force replication when you need to redistribute content after
there were issues with normal replication of content. You can typically confirm this state
in the Monitoring node of the console.

For more information about this SDK option, see RetryContentReplication method in
class SMS_CM_UpdatePackages.
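The three content actions above (update, update on a schedule, redistribute), followed by an inspection of the SDK method the text mentions, as an added PowerShell example that is not the product's own code. Site code, package ID and server names are placeholders. The -DistributionPointUpdateSchedule parameter of Set-CMPackage and the -ReloadContent switch of Update-CMDistributionPoint are the names as I know them from the console module; confirm them with Get-Help on your console version before relying on them.

```powershell
# Added example, not the product's own code: update a package on its DPs, put it on a daily
# update schedule, redistribute it to one DP, and read the SDK method's parameter list from
# the provider before anyone calls it. All param() values are placeholders.
param(
    [string]$SiteCode   = 'PS1',                       # placeholder
    [string]$PackageId  = 'PS100001',                  # placeholder
    [string]$DpName     = 'dp01.contoso.local',        # placeholder
    [string]$SiteServer = 'siteserver.contoso.local'   # placeholder: hosts the SMS Provider
)

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$SiteCode`:"
try {
    # Update content: the site copies only changed files from the package source into the
    # content library and increments the package version (console: Update Distribution Points).
    Update-CMDistributionPoint -PackageId $PackageId

    # Update content on a schedule: daily at 02:00 starting today. A run where the source
    # hasn't changed does nothing, as the text notes. (Parameter name: assumption, see lead-in.)
    $daily = New-CMSchedule -Start (Get-Date -Hour 2 -Minute 0 -Second 0) -RecurInterval Days -RecurCount 1
    Set-CMPackage -Id $PackageId -DistributionPointUpdateSchedule $daily

    # Redistribute: resend every file in the package to one DP, overwriting what's there.
    # Use it for repair or after a failed initial distribution, not as a routine refresh.
    Update-CMDistributionPoint -PackageId $PackageId -DistributionPointName $DpName -ReloadContent
}
finally {
    Pop-Location
}

# SDK fallback: RetryContentReplication is a last resort after replication problems. Read the
# method's parameter list from the provider's class definition so a later call matches
# exactly what the class expects instead of a guessed signature.
$ns    = "root\sms\site_$SiteCode"
$class = Get-CimClass -ComputerName $SiteServer -Namespace $ns -ClassName SMS_CM_UpdatePackages
$class.CimClassMethods['RetryContentReplication'].Parameters |
    Select-Object Name, CimType, @{ n = 'Qualifiers'; e = { $_.Qualifiers.Name -join ',' } }
```

The last step deliberately stops at listing the method's parameters: the page says to use RetryContentReplication only after normal replication has failed and you have confirmed that in the Monitoring node, so the call itself belongs in a change you make on purpose, with the parameter names you just read back from the provider.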

Distribution point content migration


Content migration support is now available for migrating content from one DP to
another DP using PowerShell cmdlets. You can also monitor the DP migration status
using these PowerShell cmdlets.

There are multiple scenarios where the content of one distribution point needs to be
migrated to another distribution point.

1. Cloud distribution points (CDP) hosted on Azure classic services are being
deprecated by mid-2024. You need to migrate CDP content to another distribution
point.
2. Cloud management gateway v1 (CMGv1) deployments hosted on the *.cloudapp.net
domain are also being deprecated, so you may need to migrate CMGv1 content to
another distribution point.
3. You may need to migrate content from one local distribution point to another local
distribution point or to a CMG.

Prerequisites
1. The user's security role must have the "Copy to Distribution Point" permission
enabled under Distribution Point.
2. If you want to deprecate the source distribution point, make sure that the source
and destination distribution points are in the same boundary group.
3. The destination distribution point must already be installed and able to receive
the content.

Note

You can't currently configure this behavior from the Configuration Manager
console.

For more information on configuring this behavior with PowerShell, see the cmdlet
details in the following section.

Distribution failure status isn't shown in the admin console when the source
distribution point is locked during migration and new content is sent to the source
distribution point.

The Get and Stop DP migration cmdlets work only on the site server where the DP
migration was initiated.

Start-CMDistributionPointMigration
Use this cmdlet to initiate distribution point content migration. Pass the parameters
your migration scenario needs, such as SourceDistributionPointName and
DestinationDistributionPointName. You can also pass the LockSourceDistributionPoint
parameter to lock the source distribution point. Use it in scenarios where you plan to
deprecate the source distribution point (for example, CDP migration). While the source
DP is locked during migration, you can't distribute new content to it, but endpoints
can still download the content that's already available on it. For deprecation
scenarios, delete the source distribution point after the content migration is
complete.

Syntax

PowerShell

Start-CMDistributionPointMigration -SourceDistributionPointName <FQDN for source distribution point> -DestinationDistributionPointName <FQDN for destination distribution point>

Examples

PowerShell

Start-CMDistributionPointMigration -SourceDistributionPointName <FQDN for source distribution point> -DestinationDistributionPointName <FQDN for destination distribution point> -LockSourceDistributionPoint

Start-CMDistributionPointMigration -SourceDistributionPointName <FQDN for source distribution point> -DestinationDistributionPointName <FQDN for destination distribution point>

Parameters
SourceDistributionPointName: Use this parameter to specify the source
distribution point from which content is migrated.

DestinationDistributionPointName: Use this parameter to specify the destination
distribution point to which you want the content copied.

LockSourceDistributionPoint: Use this parameter when you need to initiate
distribution point migration with the source distribution point locked.

Get-CMDistributionPointMigrationStatus
Use this cmdlet to monitor the distribution point migration status.

Syntax

PowerShell

Get-CMDistributionPointMigrationStatus -SourceDistributionPointName <FQDN for source distribution point> -DestinationDistributionPointName <FQDN for destination distribution point>

Get-CMDistributionPointMigrationContentStatus
Use this cmdlet to monitor the distribution point content migration status.

Syntax

PowerShell

Get-CMDistributionPointMigrationContentStatus -SourceDistributionPointName
<FQDN for source distribution point> -DestinationDistributionPointName <FQDN
for destination distribution point>

Stop-CMDistributionPointMigration
Use this cmdlet to stop the distribution point migration. In case you have mistakenly
locked the source distribution point, you can use this cmdlet to unlock the source
distribution point. Unlocking the source distribution point will stop the distribution point
migration. To restart the migration, use the Start-CMDistributionPointMigration cmdlet.

Syntax
PowerShell

Stop-CMDistributionPointMigration -SourceDistributionPointName <FQDN for source distribution point> -DestinationDistributionPointName <FQDN for destination distribution point>

Examples

PowerShell

Stop-CMDistributionPointMigration -SourceDistributionPointName <FQDN for source distribution point> -DestinationDistributionPointName <FQDN for destination distribution point> -LockSourceDistributionPoint

Stop-CMDistributionPointMigration -SourceDistributionPointName <FQDN for source distribution point> -DestinationDistributionPointName <FQDN for destination distribution point>

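The four migration cmdlets above used together for the deprecation scenario, as an added example that is not the product's own code: start a locked migration from a cloud DP to an on-premises DP, poll the status for a bounded time, print the per-content status, and optionally stop the migration (which also unlocks the source). Site code and FQDNs are placeholders. The page doesn't list the properties of the objects these cmdlets return, so the script displays them as lists and tables rather than testing a named field.

```powershell
# Added example, not the product's own code. Drives Start/Get/Stop-CMDistributionPointMigration
# for a locked (deprecation) migration. All param() values are placeholders.
param(
    [string]$SiteCode      = 'PS1',                  # placeholder
    [string]$SourceDp      = 'cdp01.cloudapp.net',   # placeholder: cloud DP being retired
    [string]$DestinationDp = 'dp02.contoso.local',   # placeholder: installed DP in the same boundary group
    [int]$PollSeconds      = 120,
    [int]$MaxPolls         = 90,                     # 90 x 120 s = 3 hours of polling
    [switch]$Stop                                    # stop the migration and unlock the source
)

# Run on the site server where the migration is initiated: per the text, the Get and Stop
# cmdlets only work there.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$SiteCode`:"
try {
    $pair = @{ SourceDistributionPointName = $SourceDp; DestinationDistributionPointName = $DestinationDp }

    if ($Stop) {
        # Unlocks the source and halts the migration; restart later with Start-... if needed.
        Stop-CMDistributionPointMigration @pair
        return
    }

    # Lock the source: no new content is distributed to it, but clients can keep
    # downloading what it already holds.
    Start-CMDistributionPointMigration @pair -LockSourceDistributionPoint

    for ($i = 1; $i -le $MaxPolls; $i++) {
        Start-Sleep -Seconds $PollSeconds
        $status = Get-CMDistributionPointMigrationStatus @pair
        Write-Host ("[{0:u}] poll {1}/{2}" -f (Get-Date), $i, $MaxPolls)
        $status | Format-List | Out-String | Write-Host
    }

    # Per-content detail: anything still pending or failed shows up here, so review it
    # before deleting the source distribution point.
    Get-CMDistributionPointMigrationContentStatus @pair | Format-Table -AutoSize
}
finally {
    Pop-Location
}
```

Press Ctrl+C once the status output shows the migration complete; the loop is bounded only by MaxPolls because the completion field isn't documented on this page. Run the script again with -Stop if the source was locked by mistake.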

Remove content
When you no longer require content on your distribution points, you can remove it.

When the content is associated with another package that was distributed to the same
distribution point, you can't remove the content.

Process to remove content from distribution points using object properties

1. In the Configuration Manager console, select the Software Library workspace.

2. Select the object whose content you want to remove.

3. On the Home tab of the ribbon, in the Properties group, select Properties.

4. Switch to the Content Locations tab. Select the distribution point or distribution
point group from which you want to remove the content, select Remove, and then
select OK.

Process to remove content using distribution point properties

1. In the Configuration Manager console, select the Administration workspace.

2. In the Administration workspace, select the Distribution Points node, and then
select the distribution point from which you want to delete the content.

3. On the Home tab of the ribbon, in the Properties group, select Properties.

4. Switch to the Content tab. Choose the content to remove, select Remove, and
then select OK.

Process to remove content using distribution point group properties
1. In the Configuration Manager console, select the Administration workspace.

2. In the Administration workspace, select the Distribution Point Groups node. Then
select the distribution point group from which you want to remove content.

3. On the Home tab of the ribbon, in the Properties group, select Properties.

4. Switch to the Content tab. Choose the content to remove, select Remove, and
then select OK.

Validate content
The content validation process verifies the integrity of content files on distribution
points. You enable content validation on a schedule, or you can manually start content
validation from the properties of distribution points and packages.

When the content validation process starts, Configuration Manager verifies the content
files on distribution points. If the file hash is unexpected for the files on the distribution
point, Configuration Manager creates a status message that you can review in the
Monitoring workspace.

For more information about configuring the content validation schedule, see
Distribution point configurations.
Process to validate all content on a distribution point
1. In the Configuration Manager console, select the Administration workspace.

2. Select the Distribution Points node, and then select the distribution point from
which you want to validate content.

3. On the Home tab of the ribbon, in the Properties group, select Properties.

4. Switch to the Content tab. Select the package that you want to validate. Select
Validate, and then select OK. The content validation process starts for the package
on the distribution point.

5. To view the results of the content validation process, go to the Monitoring
workspace. Expand Distribution Status, and select the Content Status node. This
node displays the content for each type. For more information about monitoring
content status, see Monitor content you've distributed.

Process to validate content for a specific object


1. In the Configuration Manager console, select the Software Library workspace.

2. Select the content type that you want to validate.

3. On the Home tab of the ribbon, in the Properties group, select Properties.

4. Switch to the Content Locations tab. Select the distribution point or distribution
point group on which to validate the content. Select Validate, and then select OK.
The content validation process starts for the content on the selected distribution
point or distribution point group.

5. To view the results of the content validation process, go to the Monitoring
workspace. Expand Distribution Status, and select the Content Status node. It
displays the content for each type. For more information about monitoring the
content status, see Monitor content you've distributed.

Monitor content you distribute with
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the Configuration Manager console to monitor distributed content, including:

The status for all package types for the associated distribution points.
The content validation status for the content in a package.
The status of content assigned to a specific distribution point group.
The state of content assigned to a distribution point.
The status of optional features for each distribution point (content validation, PXE,
and multicast).

Configuration Manager only monitors the content on a distribution point that's in the
content library. It doesn't monitor content stored on the distribution point in package or
custom shares.

Tip

The Power BI sample reports for Configuration Manager includes a report called
Content Status. This report can also help with monitoring content.

Content status monitoring


The Content Status node in the Monitoring workspace provides information about
content packages. In the Configuration Manager console, review information like:

Package name, type, and ID
How many distribution points a package has been sent to
Compliance rate
When the package was created
Source version

You also find detailed status information for any package, including:

Distribution status
The number of failures
Pending distributions
The number of installations

You can also manage distributions that remain in progress to a distribution point, or that
failed to successfully distribute content to a distribution point:

The option to either cancel or redistribute content is available when you view the
deployment status message of a distribution job to a distribution point in the
Asset Details pane. This pane can be found in either the In Progress tab or the
Error tab of the Content Status node.

Additionally, the job details display the percentage of the job that has completed
when you view the details of a job on the In Progress tab. The job details also
display the number of retries that remain for a job. When you view the details of a
job on the Error tab, it shows how long before the next retry occurs.

When you cancel a deployment that's not yet complete, the distribution job to transfer
that content stops:

The status of the deployment then updates to indicate that the distribution failed,
and that it was canceled by a user action.
This new status appears in the Error tab.

Note

When a deployment is near completion, it's possible the action to cancel that
distribution won't process before the distribution to the distribution point
completes. When this occurs, the action to cancel the deployment is ignored, and
the status for the deployment displays as successful.

Although you can select the option to cancel a distribution to a distribution point
that is located on a site server, this has no effect. This behavior is because the site
server and the distribution point on a site server share the same single instance
content store. There's no actual distribution job to cancel.

When you redistribute content that previously failed to transfer to a distribution point,
Configuration Manager immediately begins redeploying that content to the distribution
point. Configuration Manager updates the status of the deployment to reflect the
ongoing state of that redeployment.

Tasks to monitor content


1. In the Configuration Manager console, go to the Monitoring workspace, expand
Distribution Status, and then select the Content Status node. This node displays
the packages.

2. Select the package you want to manage.

3. On the Home tab of the ribbon, in the Content group, select View Status. The
console displays detailed status information for the package.

Tip

Starting in version 2203, select View Content Distribution to monitor content
distribution path and status in a graphical format. The graph shows distribution
point type, distribution state, and associated status messages. This visualization
allows you to more easily understand the status of your content package
distribution. For more information, see Visualize content distribution status.

Continue to one of the following sections for other actions:

Cancel a distribution that remains in progress


1. Switch to the In Progress tab.

2. In the Asset Details pane, right-click the entry for the distribution that you want to
cancel, and select Cancel.

3. Select Yes to confirm the action and cancel the distribution job to that distribution
point.

Redistribute content that failed to distribute

1. Switch to the Error tab.

2. In the Asset Details pane, right-click the entry for the distribution that you want to
redistribute, and select Redistribute.

3. Select Yes to confirm the action and start the redistribution process to that
distribution point.
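The Validate content procedure and the Content Status monitoring above, done from PowerShell as an added example that is not the product's own code. It reads the per-distribution-point state of one package from the site's SMS Provider, starts validation on every distribution point where the content is installed, and returns the rows that are failed or retrying so they can be redistributed. Site code, site server and package ID are placeholders. SMS_PackageStatusDistPointsSummarizer is the provider class behind the console's Content Status node; its property names and State codes below are the SDK values as I know them, so compare them against Get-CimClass output for that class on your site.

```powershell
# Added example, not the product's own code. Validates one package on every DP that holds
# it and reports per-DP distribution state from the SMS Provider. Placeholders in param().
param(
    [string]$SiteCode   = 'PS1',                      # placeholder
    [string]$SiteServer = 'siteserver.contoso.local', # placeholder: hosts the SMS Provider
    [string]$PackageId  = 'PS100001'                  # placeholder
)

# Package IDs are 8 characters (site code + 5 hex digits); refuse anything else before the
# value is interpolated into a WQL filter.
if ($PackageId -notmatch '^[A-Z0-9]{8}$') { throw "Unexpected package ID format: $PackageId" }

# State codes of SMS_PackageStatusDistPointsSummarizer as documented in the SDK (assumption:
# verify against the class reference for your version).
$StateName = @{
    0 = 'Installed';      1 = 'InstallPending';  2 = 'InstallRetrying'; 3 = 'InstallFailed'
    4 = 'RemovalPending'; 5 = 'RemovalRetrying'; 6 = 'RemovalFailed';   7 = 'ContentUpdating'
    8 = 'ContentMonitoring'
}

# One row per (package, DP) with a readable state; the DP host name is the first \\server
# token in the NAL path.
function Get-PackageDpState {
    param([string]$Server, [string]$Site, [string]$Package)
    Get-CimInstance -ComputerName $Server -Namespace "root\sms\site_$Site" `
        -ClassName SMS_PackageStatusDistPointsSummarizer -Filter "PackageID='$Package'" |
    ForEach-Object {
        [pscustomobject]@{
            PackageID     = $_.PackageID
            DP            = [regex]::Match($_.ServerNALPath, '\\\\([^\\]+)').Groups[1].Value
            State         = $StateName[[int]$_.State]
            SourceVersion = $_.SourceVersion
            SummaryDate   = $_.SummaryDate
        }
    }
}

$rows = Get-PackageDpState -Server $SiteServer -Site $SiteCode -Package $PackageId
$rows | Format-Table -AutoSize

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$SiteCode`:"
try {
    # Start validation only where the content is installed (console: Validate). A DP in a
    # failed or retrying state needs Redistribute, not a hash check.
    foreach ($row in ($rows | Where-Object State -eq 'Installed')) {
        Invoke-CMContentValidation -PackageId $PackageId -DistributionPointName $row.DP
    }
}
finally {
    Pop-Location
}

# Rows that need attention. Validation results arrive later as status messages under
# Monitoring > Distribution Status > Content Status, the same place the steps above use.
$rows | Where-Object { $_.State -in 'InstallFailed', 'RemovalFailed', 'InstallRetrying' }
```

Querying the summarizer class directly is what makes this useful at scale: drop the -Filter and the same function returns every package on every distribution point, which is the data behind the Error and In Progress tabs described above.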

Distribution point group status


The Distribution Point Group Status node in the Monitoring workspace provides
information about distribution point groups. You can review information like:

The distribution point group name, description, and status
How many distribution points are members of the distribution point group
How many packages have been assigned to the group
The compliance rate
The compliance rate

You also view the following detailed status information:

Errors for the distribution point group
How many distributions are in progress
How many have been successfully distributed

Monitor distribution point group status


1. In the Configuration Manager console, go to the Monitoring workspace, expand
Distribution Status, and then select the Distribution Point Group Status node. It
displays the distribution point groups.

2. Select the distribution point group for which you want detailed status information.

3. On the Home tab of the ribbon, select View Status. It displays detailed status
information for the distribution point group.

Distribution point configuration status


The Distribution Point Configuration Status node in the Monitoring workspace
provides information about the distribution point. You can review which attributes are
enabled for the distribution point, such as PXE, multicast, and content validation. Also
review the distribution status for the distribution point.

Warning

Distribution point configuration status is relative to the last 24 hours. If the
distribution point has an error and recovers, the error status might be displayed for
up to 24 hours after the distribution point recovers.

Monitor distribution point configuration status


1. In the Configuration Manager console, go to the Monitoring workspace, expand
Distribution Status, and then select the Distribution Point Configuration Status
node.

2. Select a distribution point.

3. In the results pane, switch to the Details tab. It displays status information for the
distribution point.

Client data sources dashboard


Use the Client data sources dashboard to better understand from where clients get
content in your environment. The dashboard starts displaying data after clients
download content and report that information back to the site. This process can take up
to 24 hours.

The client data sources dashboard includes a selection of filters to view information
about where clients get content:

Note

Configuration Manager doesn't enable this optional feature by default. Before you
can use it, enable the Client Peer Cache feature. For more information, see Enable
optional features from updates.

1. In the Configuration Manager console, go to the Monitoring workspace, expand
Distribution Status, and select the Client Data Sources node.

2. Report Period: Select a time period to apply to the dashboard.

3. Then select the single boundary group for which you want to view information.

You can also select more filters for the dashboard:

All boundary groups
Internet clients
Clients not associated with a boundary group

Note

If there's no data available for the selected client group, the chart displays:
"This data is not yet available."

You can hover your mouse over tiles to see more details about the different content or
policy sources.

Also use the report, Client Data Sources - Summarization, to view a summary of the
client data sources for each boundary group.

Dashboard tiles
The dashboard includes the following tiles:

Data source usage

This tile summarizes the types of sources in your environment and how many clients use
them.

This summary tile replaces the following four tiles in prior versions:

Distribution points
Clients that used a distribution point
Peer cache sources
Clients that used a peer

Client content sources


Displays the sources from which clients got content:

Distribution point
Cloud distribution point, which includes content-enabled cloud management
gateways
BranchCache
Peer Cache
Delivery Optimization (see the note that follows)
Microsoft Update: Devices report this source when the Configuration Manager
client downloads software updates from Microsoft cloud services. These services
include Microsoft Update and Microsoft 365 Apps for enterprise.

Note

To include Delivery Optimization on this dashboard, do the following actions:

Configure the client setting, Enable installation of Express Updates on clients
in the Software Updates group
Deploy Windows express updates

For more information, see Manage Express installation files for Windows updates.

Content downloads using fallback source

This information helps you understand how often clients download content from an
alternate source.

Top distributed content


The most distributed packages by source type

Next steps
Visualize content distribution status
Visualize content distribution status
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Starting in version 2203, you can monitor content distribution path and status in a
graphical format. The graph shows distribution point type, distribution state, and
associated status messages. This visualization allows you to more easily understand the
status of your content package distribution. It helps you answer questions like:

Has the site successfully distributed the content?
Is the content distribution in progress?
Which distribution points have already processed the content?

This example shows a graph for the content distribution status of the Configuration
Manager client package in an example hierarchy. It lets you easily see the following
information:

The solid blue line from the site server to each distribution point indicates that the
rate limit is Unlimited. For more information, see Rate limits.
The green check mark on DP01 and DP02 indicates that the content was
successfully distributed to these site systems.
The red X on DP03 and both cloud distribution points indicates that there's an
error in distributing the content to these site systems.

View content distribution


1. In the Configuration Manager console, go to the Monitoring workspace, expand
Distribution Status and select the Content Status node.

2. If this node doesn't show anything, first distribute content.

3. Select a distributed content item. For example, the Configuration Manager client
package.

4. In the ribbon, select View Content Distribution. This action displays the
distribution graph for the selected content.

Hover over the status icon to quickly view more information. Select the path
or the status icon to view status messages for the content.

Hover over the title of the site system to quickly view more information.
Select it to drill through to the Distribution Points node.

Navigation tips
Use the following tips to navigate the relationship viewer:

Select the plus ( + ) or minus ( - ) icons next to the server name to expand or
collapse members of a node.

The style and color of the line between the servers determines the type of
distribution. If you hover over a specific line, a tooltip shows the type.

The maximum number of child nodes displayed depends upon the level of the
graph:
First level: five nodes
Second level: three nodes
Third level: two nodes
Fourth level: one node

If there are more objects than the graph can display at that level, you'll see the
More icon.

When the size of the tree is larger than the window, use the green arrows to view
more.

When a node of the tree is larger than the available space, select More to change
the view to just that node.

To navigate to a prior view, select the Back arrow. Select the Home icon to return
to the main page.

Use the Search box to locate a server in the current tree view.

Use the Navigator to zoom and pan around the tree. You can also print the current
view.

Tip

Hold the Ctrl key and scroll the mouse wheel to zoom the graph.

For more information on how to navigate the graph with a keyboard, see Accessibility
features for the collection relationship diagram.

Next steps
Deploy and manage content for Configuration Manager
Microsoft Connected Cache in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can install a Microsoft Connected Cache server on your distribution points. By
caching this content on-premises, your clients can benefit from the Delivery
Optimization feature that can help to protect WAN links.

This cache server acts as an on-demand transparent cache for content downloaded by
Delivery Optimization. Use client settings to make sure this server is offered only to the
members of the local Configuration Manager boundary group.

This cache is separate from Configuration Manager's distribution point content. If you
choose the same drive as the distribution point role, it stores content separately.

Note

The Connected Cache server is an application installed on Windows Server. Starting
in Configuration Manager version 2111, the Connected Cache is generally available
for production use.

The version of Connected Cache that's available with Configuration Manager
version 2107 and earlier is still considered in development.

Supported scenarios
Connected Cache supports the following three primary scenarios:

Traditional Configuration Manager clients that communicate with on-premises
distribution points.

Co-managed clients that get Win32 apps from Microsoft Intune. For more
information, see Support for Intune Win32 apps.

Cloud-only devices, such as Intune-enrolled devices without the Configuration
Manager client. For more information, see Support for cloud-managed devices.

Supported content types


When clients download cloud-managed content, they use Delivery Optimization from
the cache server installed on your distribution point. Cloud-managed content includes
the following types:

Microsoft Store apps

If you enable Windows Update for Business policies: Windows feature and quality
updates

For co-management workloads:

Windows Update for Business: Windows feature and quality updates

Office Click-to-Run apps: Microsoft 365 Apps and updates

Client apps: Microsoft Store apps and updates

Endpoint Protection: Windows Defender definition updates

Note

Connected Cache doesn't support content that Configuration Manager manages,
like software updates with an integrated software update point.

How it works
When you configure clients to use the Connected Cache server, they no longer request
Microsoft cloud-managed content from the internet. Clients request this content from
the cache server installed on the distribution point. The on-premises server caches this
content using the IIS feature for Application Request Routing (ARR). Then the cache
server can quickly respond to any future requests for the same content. If the Connected
Cache server is unavailable, clients download the content from the internet. Clients also
use Delivery Optimization to download portions of the content from peers in their
network.

1. Client checks for updates and gets the address for the content delivery network
(CDN).

2. Configuration Manager configures Delivery Optimization (DO) settings on the
client, including the cache server name.

3. Client A requests content from the Connected Cache server.

4. If the cache doesn't include the content, then the Connected Cache server gets it
from the CDN.

5. If the cache server fails to respond, the client downloads the content from the
CDN.

6. Clients will also use DO to get pieces of the content from peers, such as client B
and client C.
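A client-side check for the flow just described, as an added example that is not the product's own code. Run on a Windows 10 or later client in the boundary group, it uses the built-in Get-DeliveryOptimizationStatus cmdlet to show, per file and in total, how many bytes came from the Connected Cache server, from the CDN over HTTP, and from peers, so you can confirm that clients are really using the cache server (steps 3 and 4 above) instead of falling back to the CDN (step 5). The property names are the ones I know that cmdlet returns; the 50% warning threshold is an assumption to tune for your site. Check Get-DeliveryOptimizationStatus | Get-Member if your Windows build differs.

```powershell
# Added example, not the product's own code. Summarizes where Delivery Optimization fetched
# recent content from on this client. Property names: as known for Get-DeliveryOptimizationStatus.
function Get-DoSourceSummary {
    param([int]$WarnBelowCachePercent = 50)   # assumption: floor for a site with a cache server

    $jobs = @(Get-DeliveryOptimizationStatus)
    if ($jobs.Count -eq 0) { return [pscustomobject]@{ Files = 0; Note = 'no DO jobs recorded' } }

    # Sum one numeric property across all jobs.
    $sum = { param($p) [int64](($jobs | Measure-Object -Property $p -Sum).Sum) }
    $total = & $sum 'TotalBytesDownloaded'
    $cache = & $sum 'BytesFromCacheServer'
    $http  = & $sum 'BytesFromHttp'
    $peers = & $sum 'BytesFromPeers'
    $cachePct = if ($total -gt 0) { [math]::Round(100 * $cache / $total, 1) } else { 0 }

    [pscustomobject]@{
        Files              = $jobs.Count
        TotalMB            = [math]::Round($total / 1MB, 1)
        FromCacheServerMB  = [math]::Round($cache / 1MB, 1)
        FromHttpMB         = [math]::Round($http / 1MB, 1)
        FromPeersMB        = [math]::Round($peers / 1MB, 1)
        CacheServerPercent = $cachePct
        DownloadModes      = (($jobs | Group-Object DownloadMode | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', ')
        Warning            = if ($cachePct -lt $WarnBelowCachePercent) {
                                 "cache server share below $WarnBelowCachePercent%: check the client setting and DP reachability"
                             } else { $null }
    }
}

# Per-file view first (which CDN URL, which DO mode, where the bytes came from), then totals.
Get-DeliveryOptimizationStatus |
    Select-Object FileId, DownloadMode, Status, TotalBytesDownloaded, BytesFromCacheServer,
                  BytesFromHttp, BytesFromPeers, SourceURL |
    Format-Table -AutoSize
Get-DoSourceSummary
```

A client that shows most bytes under FromHttpMB while a Connected Cache server is deployed for its boundary group is the failure mode in step 5: the cache server wasn't reachable or the client setting from the Delivery Optimization group never applied, and the WAN link is carrying the traffic the cache was meant to absorb.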

Prerequisites and limitations

Note

Additional prerequisites apply to the scenario for co-managed clients and Intune
Win32 apps. For more information, see Support for Intune Win32 apps.

Supported clients
Connected Cache and Delivery Optimization only support clients running a supported
version of Windows 10 or later.

Licensing
You need one of the following license subscriptions for each device that gets content
from a Connected Cache-enabled distribution point:

Windows Enterprise E3 or E5, included in Microsoft 365 F3, E3, or E5

Windows Education A3 or A5, included in Microsoft 365 A3 or A5

Windows Virtual Desktop Access (VDA) E3 or E5

Distribution point
Connected Cache in Configuration Manager requires an on-premises distribution point,
with the following configurations:

Running Windows Server 2012 or later

Microsoft .NET Framework version 4.7.2 or later. For more information, see .NET
Framework system requirements.

The default web site enabled on port 80

Don't preinstall the IIS Application Request Routing (ARR) feature. Connected
Cache installs ARR and configures its settings. Microsoft can't guarantee that the
Connected Cache's ARR configuration won't conflict with other applications on the
server that also use this feature.

The Connected Cache application can use an unauthenticated proxy server for
internet access. For more information, see Configure the proxy for a site system
server.

Don't use a distribution point that has other site roles, for example, a management
point. Enable Connected Cache on a site system server that only has the
distribution point role.
Network access requirements
The distribution point requires internet access to the Microsoft cloud. The specific
URLs can vary depending upon the specific cloud-enabled content. Make sure to
also allow the endpoints for delivery optimization. For more information, see
Internet access requirements.

For co-managed clients and Intune Win32 apps, allow the distribution point to
access the endpoints for that scenario. For more information, see Network
requirements for PowerShell scripts and Win32 apps.

Clients technically only need access to the distribution point that has the Connected
Cache. It's best to also give clients access to the internet endpoints for the
content, in case they need to fall back to the original source.

Enable Connected Cache

1. In the Configuration Manager console, go to the Administration workspace, and
select the Distribution Points node.

2. Select an on-premises distribution point, and then in the ribbon select Properties.

3. In the properties of the distribution point role, on the General tab, configure the
following settings:

a. Enable the option to Enable this distribution point to be used as Microsoft
Connected Cache server. Review the list of required license subscriptions, and then
confirm your licenses.

b. Local drive to be used: Select the disk to use for the cache. Automatic is the
default value, which uses the disk with the most free space. (See Note 1: About drive
selection, below.)

Note

You can change this drive later. Any cached content is lost, unless you copy
it to the new drive.

c. Disk space: Select the amount of disk space to reserve in GB or a percentage of
the total disk space. By default, this value is 100 GB.

Note

The default cache size should be sufficient for most customers. You can
adjust the cache size later.

If the cache size on disk exceeds the allocated space, ARR clears space by
removing content based on its built-in heuristics.

d. Retain cache when disabling the Connected Cache server: If you remove the
cache server, and you enable this option, the server keeps the cache's content
on the disk.

4. In client settings, in the Delivery Optimization group, configure the setting to
Enable devices managed by Configuration Manager to use Microsoft Connected
Cache servers for content download.

Note 1: About drive selection

If you select Automatic, when Configuration Manager installs the Connected Cache
component, it honors the NO_SMS_ON_DRIVE.SMS file. For example, the distribution
point has the file C:\NO_SMS_ON_DRIVE.SMS. Even if the C: drive has the most free space,
Configuration Manager configures Connected Cache to use another drive for its cache.

If you select a specific drive that already has the NO_SMS_ON_DRIVE.SMS file,
Configuration Manager ignores the file. Configuring Connected Cache to use that drive
is an explicit intent. For example, the distribution point has the file
F:\NO_SMS_ON_DRIVE.SMS. When you explicitly configure the distribution point properties
to use the F: drive, Configuration Manager configures Connected Cache to use the F:
drive for its cache.

To change the drive after you install Connected Cache:

Manually configure the distribution point properties to use a specific drive letter.

If set to automatic, first create the NO_SMS_ON_DRIVE.SMS file. Then make some
change to the distribution point properties to trigger a configuration change.

Automation

Automation via Windows PowerShell

Starting in version 2010, use the following parameters of the Set-CMDistributionPoint
cmdlet to configure the Connected Cache:
EnableDoinc
DiskSpaceUnit
DiskSpaceDoinc
LocalDriveDoinc
RetainDoincCache
AgreeDoincLicense

For more information, see the 2010 release notes.

Automation via the Configuration Manager SDK

You can use the Configuration Manager SDK to automate the configuration of Microsoft
Connected Cache settings on a distribution point. As is the case for all site roles, use the
SMS_SCI_SysResUse WMI class. For more information, see Programming the site roles.

When you update the SMS_SCI_SysResUse instance for the distribution point, set the
following properties:

AgreeDOINCLicense: Set to 1 to accept the license terms.

Flags: Enable |= 4, disable &= ~4

DiskSpaceDOINC: Set to Percentage or GB

RetainDOINCCache: Set to 0 or 1

LocalDriveDOINC: Set to Automatic, or a specific drive letter, such as C: or D:
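An added example (not code from the documentation or the SDK) that applies the five SDK properties above through the SMS_SCI_SysResUse class; it also serves the Set-CMDistributionPoint passage, whose parameters it lists for comparison at the end. Site server cm01.contoso.com, site code PS1 and distribution point dp01.contoso.com are placeholders; that the settings are entries of the instance's Props embedded-property list, with numbers in Value and strings in Value1, is an assumption.

```powershell
# Added example, not code from the Configuration Manager documentation or SDK.
# Assumptions (mine, not stated on the page): the five DOINC settings are entries of
# the Props embedded-property list on the SMS_SCI_SysResUse instance, numbers go in
# .Value and strings in .Value1. Site server, site code and DP names are placeholders.

function Set-EmbeddedProperty {
    # Update one SMS_EmbeddedProperty entry in $Instance.Props, adding it if missing.
    param(
        [Parameter(Mandatory)]$Instance,
        [Parameter(Mandatory)][string]$Name,
        [uint32]$Value,
        [string]$Value1
    )
    $props = @($Instance.Props)
    $entry = $props | Where-Object { $_.PropertyName -eq $Name } | Select-Object -First 1
    if (-not $entry) {
        # New entries come from the SMS_EmbeddedProperty class of the same site namespace
        $path  = "\\$($Instance.__SERVER)\$($Instance.__NAMESPACE):SMS_EmbeddedProperty"
        $entry = ([wmiclass]$path).CreateInstance()
        $entry.PropertyName = $Name
        $props += $entry
    }
    if ($PSBoundParameters.ContainsKey('Value'))  { $entry.Value  = $Value }
    if ($PSBoundParameters.ContainsKey('Value1')) { $entry.Value1 = $Value1 }
    $Instance.Props = $props   # assign the array back so Put() persists the change
}

function Set-DoincOnDistributionPoint {
    param(
        [Parameter(Mandatory)][string]$SiteServer,   # server hosting the SMS Provider
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$DpFqdn,
        [switch]$Disable,
        [ValidateSet('GB', 'Percentage')][string]$DiskSpaceUnit = 'GB',
        [uint32]$DiskSpace = 100,
        [string]$LocalDrive = 'Automatic',          # or a drive letter such as 'D:'
        [bool]$RetainCache = $true
    )

    $ns = "root\SMS\site_$SiteCode"
    # The distribution point role instance is keyed by role name plus the UNC server path
    $dp = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_SCI_SysResUse `
              -Filter "RoleName='SMS Distribution Point'" |
          Where-Object { $_.NetworkOSPath -eq "\\$DpFqdn" }
    if (-not $dp) { throw "No distribution point role for $DpFqdn found in site $SiteCode" }
    $dp.Get()   # re-read so every property of the instance is populated before editing

    # Flags: bit 4 enables Connected Cache (enable |= 4, disable &= ~4)
    $current = $dp.Props | Where-Object { $_.PropertyName -eq 'Flags' } | Select-Object -First 1
    $flags   = [uint32]($current.Value)
    $flags   = if ($Disable) { $flags -band (-bnot 4) } else { $flags -bor 4 }

    Set-EmbeddedProperty -Instance $dp -Name 'AgreeDOINCLicense' -Value 1   # accept the license terms
    Set-EmbeddedProperty -Instance $dp -Name 'Flags'             -Value ([uint32]$flags)
    Set-EmbeddedProperty -Instance $dp -Name 'RetainDOINCCache'  -Value ([uint32][int]$RetainCache)
    Set-EmbeddedProperty -Instance $dp -Name 'LocalDriveDOINC'   -Value1 $LocalDrive
    # The page documents DiskSpaceDOINC only as 'Percentage' or 'GB'; keeping the amount
    # in .Value beside the unit in .Value1 is an assumption.
    Set-EmbeddedProperty -Instance $dp -Name 'DiskSpaceDOINC'    -Value $DiskSpace -Value1 $DiskSpaceUnit

    [void]$dp.Put()   # commit; the site then (re)configures the Connected Cache component
    $dp
}

# Placeholder names; enables a 100 GB cache on the drive with the most free space.
Set-DoincOnDistributionPoint -SiteServer 'cm01.contoso.com' -SiteCode 'PS1' `
    -DpFqdn 'dp01.contoso.com' -DiskSpaceUnit GB -DiskSpace 100 -LocalDrive Automatic

# The same settings through the console cmdlet listed above (version 2010 and later),
# from a session connected to the site drive:
# Set-CMDistributionPoint -SiteSystemServerName 'dp01.contoso.com' -EnableDoinc $true `
#     -AgreeDoincLicense $true -DiskSpaceUnit GB -DiskSpaceDoinc 100 `
#     -LocalDriveDoinc Automatic -RetainDoincCache $true
```

Run it as an account with Full Administrator rights to the site; the change is picked up by distribution manager and recorded in DistMgr.log.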

Verify
On supported versions of Windows 10 or later, verify this behavior with the
Get-DeliveryOptimizationStatus Windows PowerShell cmdlet. In the cmdlet output, review
the BytesFromCacheServer value. For more information, see Monitor Delivery
Optimization.

If the cache server returns any HTTP failure, the Delivery Optimization client falls back to
the original cloud source.

For more detailed information, see Troubleshoot Microsoft Connected Cache in
Configuration Manager.

Support for Intune Win32 apps

When you enable Connected Cache on your Configuration Manager distribution points,
they can serve Microsoft Intune Win32 apps to co-managed clients.

Tip

All other content that Intune-managed devices download from Microsoft with
Delivery Optimization can also be cached on Microsoft Connected Cache. This
content includes software updates for Windows, Microsoft 365 apps, and Microsoft
Edge.

Prerequisites

Client

Update the client to the latest version.

The client device needs to have at least 4 GB of memory.

Tip

Use the following group policy setting: Computer Configuration >
Administrative Templates > Windows Components > Delivery Optimization >
Minimum RAM capacity (inclusive) required to enable use of Peer Caching
(in GB).

Site
Enable Connected Cache on a distribution point.

The client and the Connected Cache-enabled distribution point need to be in the
same boundary group. If a client isn't in a boundary group with a Connected
Cache-enabled distribution point, it won't download content from a Connected
Cache-enabled distribution point in a neighbor or site default boundary group.
Enable Allow peer downloads in this boundary group option for the Boundary
Group that contains the client and the distribution point. For more information,
see Boundary Group options.

Enable the following client settings in the Delivery Optimization group:

Use Configuration Manager Boundary Groups for Delivery Optimization Group ID

Enable devices managed by Configuration Manager to use Microsoft Connected Cache
servers for content download

Enable co-management, and switch the Client apps workload to Pilot Intune or
Intune. For more information, see the following articles:

Workloads - Client apps

How to enable co-management

Switch workloads to Intune

If in pilot, add the client to the pilot collection for Client Apps.

Intune
This feature only supports the Intune Win32 app type.
Create and assign (deploy) a new app in Intune for this purpose. (Apps created
before Intune version 1811 don't work.) For more information, see Win32 app
management in Microsoft Intune.

Support for cloud-managed devices

When you install a Microsoft Connected Cache on a Configuration Manager distribution
point, cloud-managed devices can use the on-premises cache. For example, a device
that's managed by Intune, but connects to the on-premises network. As long as the
device can communicate with the server, the cache is available to deliver content to
these devices.

To configure the device to use the Microsoft Connected Cache, configure the
DOCacheHost policy. Set it to the FQDN or IP address of the Configuration Manager
distribution point. For more information on this policy, see Policy CSP -
DeliveryOptimization. To use Intune to configure this policy, use the Cache server host
names setting. For more information, see Delivery Optimization settings for Windows
devices in Intune.

When you enable this policy for cloud-managed devices, either type of device can
request the server to cache content, and either can download the content. If multiple
devices request the same content, no matter their management authority, they
download supported and available content from the Microsoft Connected Cache.

Next steps
Optimize Windows updates with Delivery Optimization
Troubleshoot Microsoft Connected Cache in Configuration Manager
Troubleshoot Microsoft Connected Cache in Configuration Manager
Article • 10/04/2022

This article provides technical details about Microsoft Connected Cache in Configuration
Manager. Use it to help troubleshoot issues that you might have in your environment.
For more information on how it works and how to use it, see Microsoft Connected
Cache in Configuration Manager.

Verify
When you correctly install the Delivery Optimization cache server, and correctly
configure clients, they download from the cache server installed on your distribution
point rather than the internet.

Verify this behavior on a client or on the server.

Verify on a client
1. On a client running a supported version of Windows 10 or later, download
cloud-managed content. For more information on the types of content that Connected
Cache supports, see Supported content types.

2. Open PowerShell and run the following command: Get-DeliveryOptimizationStatus.

For example:

PowerShell

PS C:\> Get-DeliveryOptimizationStatus

FileId                      : ec523d49c4f7c3c4444f0d9b952286ce40fdcee4
FileSize                    : 549064
TotalBytesDownloaded        : 549064
PercentPeerCaching          : 0
BytesFromPeers              : 0
BytesFromHttp               : 0
Status                      : Caching
Priority                    : Background
BytesFromCacheServer        : 549064
BytesFromLanPeers           : 0
BytesFromGroupPeers         : 0
BytesFromInternetPeers      : 0
BytesToLanPeers             : 0
BytesToGroupPeers           : 0
BytesToInternetPeers        : 0
DownloadDuration            : 00:00:00.0780000
HttpConnectionCount         : 2
LanConnectionCount          : 0
GroupConnectionCount        : 0
InternetConnectionCount     : 0
DownloadMode                : 99
SourceURL                   : http://au.download.windowsupdate.com/c/msdownload/update/software/defu/2019/09/am_delta_patch_1.301.664.0_ec523d49c4f7c3c4444f0d9b952286ce40fdcee4.exe
NumPeers                    : 0
PredefinedCallerApplication : WU Client Download
ExpireOn                    : 9/6/2019 8:36:19 AM
IsPinned                    : False

Notice that the BytesFromCacheServer attribute isn't zero.

If the client isn't configured correctly, or the cache server isn't installed correctly, the
Delivery Optimization client falls back to the original cloud source. Then the
BytesFromCacheServer attribute will be zero.

Verify on the server

First, verify the registry properties are configured correctly:
HKLM\SOFTWARE\Microsoft\Delivery Optimization In-Network Cache. For example, the
drive cache location is PrimaryDrivesInput\DOINC-E77D08D0-5FEA-4315-8C95-10D359D59294,
where PrimaryDrivesInput can be multiple drives, such as C,D,E.

Next, use the following method to simulate a client download request to the server with
the mandatory headers.

1. Open a 64-bit PowerShell window as an administrator.

2. Run the following command, and replace the name or IP address of your server for
<DoincServer>:

PowerShell

Invoke-WebRequest -URI "http://<DoincServer>/mscomtest/wuidt.gif" -Headers @{"Host"="b1.download.windowsupdate.com"}

The output looks similar to the following example:

PowerShell

PS C:\WINDOWS\system32> Invoke-WebRequest -URI "http://SERVER01.CONTOSO.COM/mscomtest/wuidt.gif" -Headers @{"Host"="b1.download.windowsupdate.com"}

StatusCode        : 200
StatusDescription : OK
Content           : {71, 73, 70, 56...}
RawContent        : HTTP/1.1 200 OK
                    X-HW: 1567797125.dop019.se2.t,1567797125.cds058.se2.s,1567797125.dop114.at2.r,1567797125.cds079.at2.p,1567797125.cds058.se2.p
                    X-CCC: cdP+dRBgUCoZO1mezA9zhg2VwQ7P1JWTh9k+GhfQmu8=_SLwv...
Headers           : {[X-HW, 1567797125.dop019.se2.t,1567797125.cds058.se2.s,1567797125.dop114.at2.r,1567797125.cds079.at2.p,1567797125.cds058.se2.p], [X-CCC, cdP+dRBgUCoZO1mezA9zhg2VwQ7P1JWTh9k+GhfQmu8=_SLwvtSBQdT3uPQ5ikBe1ABMbdYIIncem+h5dtcLI6GY=], [X-CID, 100], [Accept-Ranges, bytes]...}
RawContentLength  : 969710

The following attributes indicate success:

StatusCode : 200

StatusDescription : OK
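An added example, not from the article, that wraps the client check (BytesFromCacheServer) and the two server checks above (the registry key and the simulated request with the mandatory Host header) into reusable functions; dp01.contoso.com in the usage comment is a placeholder.

```powershell
# Added example, not code from the Configuration Manager documentation.
# Test-DoincServer runs on the distribution point (64-bit PowerShell, elevated);
# Test-DoincClient runs on a Windows 10 or later client after a cloud-managed download.
# The registry path, test URL and Host header are the ones the article gives;
# dp01.contoso.com in the usage comment is a placeholder.

function Test-DoincServer {
    param([Parameter(Mandatory)][string]$DoincServer)

    $result = [ordered]@{
        RegistryPresent = $false
        RegistryValues  = @()
        StatusCode      = $null
        HasCacheHeaders = $false
        Error           = $null
        Healthy         = $false
    }

    # 1. Setup writes the cache configuration (drives, cache node id) under this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Delivery Optimization In-Network Cache'
    if (Test-Path -Path $key) {
        $result.RegistryPresent = $true
        $result.RegistryValues  = (Get-Item -Path $key).Property   # value names present
    }

    # 2. Simulate a client request: ARR must answer 200 OK and add the X-CCC / X-CID
    #    headers that the outbound rewrite rules set.
    try {
        $resp = Invoke-WebRequest -Uri "http://$DoincServer/mscomtest/wuidt.gif" `
                    -Headers @{ 'Host' = 'b1.download.windowsupdate.com' } -UseBasicParsing
        $result.StatusCode      = $resp.StatusCode
        $result.HasCacheHeaders = [bool]($resp.Headers['X-CCC'] -and $resp.Headers['X-CID'])
    } catch {
        # A non-success answer or connection failure throws; record it instead of aborting
        $result.Error = $_.Exception.Message
    }

    $result.Healthy = $result.RegistryPresent -and ($result.StatusCode -eq 200) -and $result.HasCacheHeaders
    [pscustomobject]$result
}

function Test-DoincClient {
    # One row per Delivery Optimization job. ServedByCache means the Connected Cache
    # delivered it; FellBackToHttp means BytesFromCacheServer stayed 0 and the client
    # went to the original cloud source (client settings, boundary group, or an HTTP
    # failure from the cache server are the usual causes).
    $jobs = @(Get-DeliveryOptimizationStatus | ForEach-Object {
        [pscustomobject]@{
            FileId         = $_.FileId
            FromCache      = $_.BytesFromCacheServer
            FromHttp       = $_.BytesFromHttp
            FromPeers      = $_.BytesFromPeers
            DownloadMode   = $_.DownloadMode
            Status         = $_.Status
            ServedByCache  = ($_.BytesFromCacheServer -gt 0)
            FellBackToHttp = ($_.BytesFromCacheServer -eq 0 -and $_.BytesFromHttp -gt 0)
        }
    })
    $served = @($jobs | Where-Object { $_.ServedByCache }).Count
    $fell   = @($jobs | Where-Object { $_.FellBackToHttp }).Count
    Write-Host ("{0} job(s) served by the cache server, {1} fell back to HTTP" -f $served, $fell)
    $jobs
}

# On the distribution point:  Test-DoincServer -DoincServer 'dp01.contoso.com'
# On a client:                Test-DoincClient | Format-Table FileId, FromCache, FromHttp, ServedByCache
```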

Log files

Application Request Routing (ARR) setup log: %temp%\arr_setup.log

Connected Cache server setup log: SMS_DP$\Ms.Dsp.Do.Inc.Setup\DoincSetup.log
on the distribution point and DistMgr.log on the site server

Internet Information Services (IIS) operational logs: By default,
%SystemDrive%\inetpub\logs\LogFiles

Connected Cache server operational log: C:\Doinc\Product\Install\Logs

Tip

Among other uses, this log can help you identify connectivity issues with the
Microsoft cloud.

Setup error codes

The following table lists the error codes that might occur when Configuration Manager
installs the Connected Cache component on the distribution point:

Error code   Error description

0x00000000   Success
0x00000BC2   Success, reboot required
0x00000643   Generic install failure
0x00D00001   Connected Cache setup can only be run if Internet Information Services (IIS) has been installed
0x00D00002   Connected Cache setup can only be run if a 'Default Web Site' exists on the server
0x00D00003   You can't install Connected Cache if Application Request Routing (ARR) is already installed
0x00D00004   Connected Cache setup can only be run if Application Request Routing (ARR) was installed by the Install.ps1 script
0x00D00005   Connected Cache setup requires a PowerShell session running as Administrator
0x00D00006   Connected Cache setup can only be run from a 64-bit PowerShell environment
0x00D00007   Connected Cache setup can only be run on a Windows Server
0x00D00008   Failure: The number of cache drives specified must match the number of cache drive size percentages specified
0x00D00009   Failure: A valid cache node ID must be supplied
0x00D0000A   Failure: A valid cache drive set must be supplied
0x00D0000B   Failure: A valid cache drive size percent set must be supplied
0x00D0000C   Failure: A valid cache drive size percent set or cache drive size in GB must be supplied
0x00D0000D   Failure: A valid cache drive size percent set and cache drive size in GB cannot both be supplied
0x00D0000E   Failure: The number of cache drives specified must match the number of cache drives size in GB specified
0x00D0000F   Failure: Couldn't back up the applicationhost.config file from $AppHostConfig to $AppHostConfigDestinationName
0x00D00010   Failure: Couldn't back up the Default Web Site web.config file from $WebsiteConfigFilePath to $WebConfigDestinationName
0x00D00011   Failure: An exception occurred in SetupARRWebFarm.ps1
0x00D00012   Failure: An exception occurred in SetupARRWebFarmRewriteRules.ps1
0x00D00013   Failure: An exception occurred in SetupARRWebFarmProperties.ps1
0x00D00014   Failure: An exception occurred in SetupAllowableServerVariables.ps1
0x00D00015   Failure: An exception occurred in SetupFirewallRules.ps1
0x00D00016   Failure: An exception occurred in SetupAppPoolProperties.ps1
0x00D00017   Failure: An exception occurred in SetupARROutboundRules.ps1
0x00D00018   Failure: An exception occurred in SetupARRDiskCache.ps1
0x00D00019   Failure: An exception occurred in SetupARRProperties.ps1
0x00D0001A   Failure: An exception occurred in SetupARRHealthProbes.ps1
0x00D0001B   Failure: An exception occurred in VerifyIISSItesStarted.ps1
0x00D0001C   Failure: An exception occurred in SetDrivesToHealthy.ps1
0x00D0001D   Failure: An exception occurred in VerifyCacheNodeSetup.ps1
0x00D0001E   You can't install Connected Cache if the Default Web Site isn't on port 80
0x00D0001F   Failure: The cache drive allocation in percentage can't exceed 100
0x00D00020   Failure: The cache drive allocation in GB can't exceed the drive's free space
0x00D00021   Failure: The cache drive allocation in percentage must be greater than 0
0x00D00022   Failure: The cache drive allocation in GB must be greater than 0
0x00D00023   Failure: An exception occurred in RegisterScheduledTask_CacheNodeKeepAlive
0x00D00024   Failure: An exception occurred in RegisterScheduledTask_Maintenance
0x00D00025   Failure: An exception occurred setting up the rewrite rules for HTTPS farm: $FarmName
0x00D00026   Failure: An exception occurred setting up the rewrite rules for HTTP farm: $FarmName
0x00D00027   You can't install Connected Cache because dependent software "Application Request Routing (ARR)" failed to install. See the log file located at %temp%\arr_setup.log

IIS configurations
The Connected Cache server installation makes several modifications to the IIS
configuration on the distribution point.

Application request routing

The Connected Cache server installs and configures IIS Application Request Routing.
To avoid potential conflicts, the distribution point can't already have this component
installed.

Allowed server variables

After you install the Connected Cache server, the default website has the following local
server variables:

HTTP_HOST
QUERY_STRING
X-CCC
X-CID
X-DOINC-OUTBOUND

Rewrite rules
The Connected Cache server adds the following rewrite rules:

Inbound rewrite rules

Doinc_ForwardToFarm_shswda01.download.manage-selfhost.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_swdc01.manage.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_swdc02.manage.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_dl.delivery.mp.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_officecdn.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_b1.download.windowsupdate.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_download.windowsupdate.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_officecdn.microsoft.com.edgesuite.net_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_au.b1.download.windowsupdate.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_assets1.xboxlive.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_au.download.windowsupdate.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_emdl.ws.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_tlu.dl.delivery.mp.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_assets2.xboxlive.com_E77D08D0-5FEA-4315-8C95-10D359D59294

Outbound rewrite rules

Doinc_Outbound_SetHeader_X_CID_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_Outbound_SetHeader_X_CCC_E77D08D0-5FEA-4315-8C95-10D359D59294

IIS custom headers

If requests with X-Forwarded-For headers are blocked on a proxy server, either allow the
header on the proxy server or change the custom header name in IIS for each server
farm.

To change the custom header name for each server farm:

1. Open IIS Manager.

2. Select Server Farms.

3. Select a server farm and the proxy icon.

4. Under Custom Headers, change the value X-Forwarded-For to
X-Forwarded-For-<custom-name>.

Manage server resources

Disk space required for each Connected Cache server might vary, based on your
organization's update requirements. Disk space of 100 GB should be enough to cache
the following content:

A feature update
Two to three months of quality and Microsoft 365 Apps updates
Microsoft Intune apps and Windows inbox apps

The Connected Cache server shouldn't consume much system memory or processor
time. After you install the Connected Cache server, if you notice significant processor or
memory resource consumption, analyze the IIS and ARR log files.

If the IIS and ARR log files take up too much space on the server, there are several
methods you can use to manage the log files. For more information, see Managing IIS
log file storage.

See also
Microsoft Connected Cache in Configuration Manager
Run discovery for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You use one or more discovery methods in Configuration Manager to find device and
user resources that you can manage. You can also use discovery to identify network
infrastructure in your environment. There are several different methods you can use to
discover different things, and each method has its own configurations and limitations.

Overview of discovery
Discovery is the process by which Configuration Manager learns about the things you
can manage. The following are the available discovery methods:

Active Directory Forest Discovery

Active Directory Group Discovery

Active Directory System Discovery

Active Directory User Discovery

Azure Active Directory User Discovery

Azure Active Directory User Group Discovery

Heartbeat Discovery

Network Discovery

Server Discovery

Tip

You can learn about the individual discovery methods in About discovery methods
for Configuration Manager.

For assistance in selecting which methods to use, and at which sites in your
hierarchy, see Select discovery methods to use for Configuration Manager.

To use most discovery methods, you must enable the method at a site, and set it up to
search specific network or Active Directory locations. When it runs, it queries the
specified location for information about devices or users that Configuration Manager
can manage. When a discovery method successfully finds information about a resource,
it puts that information into a file called a discovery data record (DDR). That file is then
processed by a primary or central administration site. Processing of a DDR creates a new
record in the site database for newly discovered resources, or updates existing records
with new information.

Some discovery methods can generate a large volume of network traffic, and the DDRs
they produce can result in a significant use of CPU resources during processing.
Therefore, plan to use only those discovery methods that you require to meet your
goals. You might start by using only one or two discovery methods, and then later
enable additional methods in a controlled manner to extend the level of discovery in
your environment.

After discovery information is added to the site database, the information then
replicates to each site in the hierarchy, regardless of where it was discovered or
processed. Therefore, while you can set up different schedules and settings for discovery
methods at different sites, you might run a specific discovery method at only a single
site. This reduces the use of network bandwidth through duplicate discovery actions,
and reduces the processing of redundant discovery data at multiple sites.

You can use discovery data to create custom collections and queries that logically group
resources for management tasks. For example:

Pushing client installations, or upgrading.

Deploying content to users or devices.

Deploying client settings and related configurations.

About discovery data records

DDRs are files created by a discovery method. They contain information about a
resource you can manage in Configuration Manager, such as computers, users, and in
some cases, network infrastructure. They are processed at primary sites or at central
administration sites. After the resource information in the DDR is entered into the
database, the DDR is deleted, and the information replicates as global data to all sites in
the hierarchy.

The site at which a DDR is processed depends on the information it contains:

DDRs for newly discovered resources that are not in the database are processed at
the top-level site of the hierarchy. The top-level site creates a new resource record
in the database, and assigns it a unique identifier. DDRs transfer by file-based
replication until they reach the top-level site.

DDRs for previously discovered objects are processed at primary sites. Child
primary sites do not transfer DDRs to the central administration site when the DDR
contains information about a resource that is already in the database.

Secondary sites do not process DDRs, and always transfer them by file-based
replication to their parent primary site.

DDR files are identified by the .ddr extension, and have a typical size of about 1 KB.

Get started with discovery

Before using the Configuration Manager console to set up discovery, you should
understand the differences among the methods, what they can do, and for some, their
limitations.

The following topics can build a foundation that will help you use discovery methods
successfully:

About discovery methods for Configuration Manager

Select discovery methods to use for Configuration Manager

Then, when you understand the methods you want to use, find guidance to set up each
method in Configure discovery methods for Configuration Manager.
About discovery methods for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager discovery methods find different devices on your network,
devices and users from Active Directory, or users from Azure Active Directory (Azure
AD). To efficiently use a discovery method, you should understand its available
configurations and limitations.

Active Directory forest discovery

Configurable: Yes

Enabled by default: No

Accounts you can use to run this method:

Active Directory forest account (user defined)

Computer account of the site server

Unlike other Active Directory discovery methods, Active Directory forest discovery
doesn't discover resources that you can manage. Instead, this method discovers network
locations that are configured in Active Directory. It can convert those locations into
boundaries for use throughout your hierarchy.

When this method runs, it searches the local Active Directory forest, each trusted forest,
and other forests that you configure in the Active Directory Forests node of the
Configuration Manager console.

Use Active Directory forest discovery to:

Discover Active Directory sites and subnets, and then create Configuration
Manager boundaries based on those network locations.

Identify supernets that are assigned to an Active Directory site. Convert each
supernet into an IP address range boundary.

Publish to Active Directory Domain Services (AD DS) in a forest when publishing to
that forest is enabled. The specified Active Directory forest account must have
permissions to that forest.
You can manage Active Directory forest discovery in the Configuration Manager console.
Go to the Administration workspace and expand Hierarchy Configuration.

Discovery Methods: Enable Active Directory forest discovery to run at the top-level
site of your hierarchy. You can also specify a schedule to run discovery. Configure it
to automatically create boundaries from the IP subnets and Active Directory sites
that it discovers. Active Directory forest discovery can't run at a child primary site
or at a secondary site.

Active Directory Forests: Configure the other forests to discover, specify each
Active Directory forest account, and configure publishing to each forest. Monitor
the discovery process. Add IP subnets and Active Directory sites as Configuration
Manager boundaries and members of boundary groups.

To configure publishing for Active Directory forests for each site in your hierarchy,
connect your Configuration Manager console to the top-level site of your hierarchy. The
Publishing tab in an Active Directory site's Properties dialog box can show only the
current site and its child sites. When publishing is enabled for a forest, and that forest's
schema is extended for Configuration Manager, the following information is published
for each site that is enabled to publish to that Active Directory forest:

SMS-Site-<site code>

SMS-MP-<site code>-<site system server name>

SMS-SLP-<site code>-<site system server name>

SMS-<site code>-<Active Directory site name or subnet>

Note

Secondary sites always use the secondary site server computer account to publish
to Active Directory. If you want secondary sites to publish to Active Directory,
ensure that the secondary site server computer account has permissions to publish
to Active Directory. A secondary site cannot publish data to an untrusted forest.

Caution

When you uncheck the option to publish a site to an Active Directory forest, all
previously published information for that site, including available site system roles,
is removed from Active Directory.
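An added example, not code from the documentation, that lists what a site has published to the System Management container using the object name patterns given above; it is a convenient before-and-after check when changing the Publishing tab. Assumptions: the search runs against the domain of the current forest, the container is CN=System Management,CN=System,<domain DN>, and PS1 is a placeholder site code.

```powershell
# Added example, not code from the Configuration Manager documentation. Lists the
# objects a site has published to the System Management container, classified by the
# naming convention the article documents. Assumptions: the container lives at
# CN=System Management,CN=System,<domain DN> of the current domain; 'PS1' is a
# placeholder site code.

function Get-CMPublishedObject {
    param([Parameter(Mandatory)][string]$SiteCode)

    $domainDn  = ([adsi]'LDAP://RootDSE').defaultNamingContext
    $container = [adsi]"LDAP://CN=System Management,CN=System,$domainDn"
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter      = '(cn=SMS-*)'
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'objectclass', 'whenchanged'))

    foreach ($r in $searcher.FindAll()) {
        $cn = [string]$r.Properties['cn'][0]
        # SMS-Site-<code>, SMS-MP-<code>-<server>, SMS-SLP-<code>-<server>,
        # SMS-<code>-<AD site or subnet>; anything else belongs to another site
        $kind = switch -Regex ($cn) {
            "^SMS-Site-$SiteCode$" { 'Site';                         break }
            "^SMS-MP-$SiteCode-"   { 'Management point';             break }
            "^SMS-SLP-$SiteCode-"  { 'Server locator point';         break }
            "^SMS-$SiteCode-"      { 'Boundary (AD site or subnet)'; break }
            default                { $null }
        }
        if (-not $kind) { continue }
        [pscustomobject]@{
            Name        = $cn
            Kind        = $kind
            ObjectClass = [string]($r.Properties['objectclass'] | Select-Object -Last 1)
            WhenChanged = $r.Properties['whenchanged'][0]
        }
    }
}

# Placeholder site code; expect one Site object plus one entry per MP, SLP and boundary.
Get-CMPublishedObject -SiteCode 'PS1' | Sort-Object Kind, Name | Format-Table -AutoSize
```

Run it once before and once after unchecking publishing for a forest to see exactly which entries the site removes.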

Actions for Active Directory Forest Discovery are recorded in the following logs:

All actions, except actions related to publishing, are recorded in the
ADForestDisc.Log file in the <InstallationPath>\Logs folder on the site server.

Active Directory Forest Discovery publishing actions are recorded in the hman.log
and sitecomp.log files in the <InstallationPath>\Logs folder on the site server.

For more information about how to configure this discovery method, see Configure
discovery methods.

Active Directory group discovery

Configurable: Yes

Enabled by default: No

Accounts you can use to run this method:

Active Directory group discovery account (user defined)

Computer account of the site server

Tip

In addition to the information in this section, see Common features of Active
Directory group, system, and user discovery.

Use this method to search Active Directory Domain Services to identify:

Local, global, and universal security groups.

The membership of groups.

Limited information about a group's member computers and users, even when
another discovery method hasn't previously discovered those computers and
users.

This discovery method is intended to identify groups and the group relationships of
members of groups. By default, only security groups are discovered. If you want to also
find the membership of distribution groups, you must check the box for the option
Discover the membership of distribution groups on the Option tab in the Active
Directory Group Discovery Properties dialog box.

Active Directory group discovery doesn't support the extended Active Directory
attributes that can be identified by using Active Directory system discovery or Active
Directory user discovery. Because this discovery method isn't optimized to discover
computer and user resources, consider running this discovery method after you have
run Active Directory system discovery and Active Directory user discovery. This
suggestion is because this method creates a full discovery data record (DDR) for groups,
but only a limited DDR for computers and users that are members of groups.

You can configure the following discovery scopes that control how this method searches
for information:

Location: Use a location if you want to search one or more Active Directory
containers. This scope option supports a recursive search of the specified Active
Directory containers. This process searches each child container under the
container that you specify. It continues until no more child containers are found.

Groups: Use groups if you want to search one or more specific Active Directory
groups. You can configure Active Directory Domain to use the default domain and
forest, or limit the search to an individual domain controller. Additionally, you can
specify one or more groups to search. If you don't specify at least one group, all
groups found in the specified Active Directory Domain location are searched.

Caution

When you configure a discovery scope, choose only the groups that you must
discover. This recommendation is because Active Directory group discovery tries to
discover each member of each group in the discovery scope. Discovery of large
groups can require extensive use of bandwidth and Active Directory resources.

Note

Before you can create collections that are based on extended Active Directory
attributes, and to ensure accurate discovery results for computers and users, run
Active Directory system discovery or Active Directory user discovery, depending on
what you want to discover.

Actions for Active Directory group discovery are recorded in the file adsgdis.log in the
<InstallationPath>\LOGS folder on the site server.

For more information about how to configure this discovery method, see Configure
discovery methods.

Active Directory system discovery

Configurable: Yes

Enabled by default: No

Accounts you can use to run this method:

Active Directory system discovery account (user defined)

Computer account of the site server

Tip

In addition to the information in this section, see Common features of Active
Directory group, system, and user discovery.

Use this discovery method to search the specified Active Directory Domain Services
locations for computer resources that can be used to create collections and queries. You
can also install the Configuration Manager client on a discovered device by using client
push installation.

By default, this method discovers basic information about the computer, including the
following attributes:

Computer name

OS and version

Active Directory container name

IP address

Active Directory site

Time stamp of last sign in

To successfully create a DDR for a computer, Active Directory system discovery must be
able to identify the computer account and then successfully resolve the computer name
to an IP address.

In the Active Directory System Discovery Properties dialog box, on the Active
Directory Attributes tab, you can view the full list of default object attributes that it
discovers. You can also configure the method to discover extended attributes.
Actions for Active Directory system discovery are recorded in the file adsysdis.log in the
<InstallationPath>\LOGS folder on the site server.

For more information about how to configure this discovery method, see Configure
discovery methods.

Active Directory user discovery

Configurable: Yes

Enabled by default: No

Accounts you can use to run this method:

Active Directory user discovery account (user defined)

Computer account of the site server

 Tip

In addition to the information in this section, see Common features of Active
Directory group, system, and user discovery.

Use this discovery method to search Active Directory Domain Services to identify user
accounts and associated attributes. By default, this method discovers basic information
about the user account, including the following attributes:

User name

Unique user name, which includes the domain name

Domain

Active Directory container names

In the Active Directory User Discovery Properties dialog box, on the Active Directory
Attributes tab, you can view the full default list of object attributes that it discovers. You
can also configure the method to discover extended attributes.

Actions for Active Directory User Discovery are recorded in the file adusrdis.log in the
<InstallationPath>\LOGS folder on the site server.

For more information about how to configure this discovery method, see Configure
discovery methods.
Azure AD user discovery
Use Azure Active Directory (Azure AD) user discovery to search your Azure AD
subscription for users with a modern cloud identity. Azure AD user discovery can find
the following attributes:

objectId

displayName

mail

mailNickname

onPremisesSecurityIdentifier

userPrincipalName

tenantID

onPremisesDomainName

onPremisesSamAccountName

onPremisesDistinguishedName

This method supports full and delta synchronization of user attributes from Azure AD.
This information can then be used alongside discovery data you collect from the other
discovery methods.

Actions for Azure AD user discovery are recorded in the
SMS_AZUREAD_DISCOVERY_AGENT.log file on the top-tier site server of the hierarchy.

To configure Azure AD user discovery, see Configure Azure Services for Cloud
Management. For information about how to configure this discovery method, see
Configure Azure AD User Discovery.

Azure AD user group discovery

You can discover user groups and members of those groups from Azure Active Directory
(Azure AD). Azure AD user group discovery can find the following attributes:

objectId

displayName

mailNickname

onPremisesSecurityIdentifier

tenantID

Actions for Azure AD user group discovery are recorded in the
SMS_AZUREAD_DISCOVERY_AGENT.log file on the top-tier site server of the hierarchy.
For information about how to configure this discovery method, see Configure Azure AD
user group discovery.

Heartbeat discovery
Configurable: Yes

Enabled by default: Yes

Accounts you can use to run this method:

Computer account of the site server

Heartbeat discovery differs from other Configuration Manager discovery methods. It's
enabled by default and runs on each computer client instead of on a site server to
create a DDR. To help maintain the database record of Configuration Manager clients,
don't disable heartbeat discovery. In addition to maintaining the database record, this
method can force discovery of a computer as a new resource record. It can also
repopulate the database record of a computer that was deleted from the database.

Heartbeat discovery runs on a schedule configured for all clients in the hierarchy. The
default schedule for heartbeat discovery is set to every seven days. If you change the
heartbeat discovery interval, make sure that it runs more frequently than the site
maintenance task Delete Aged Discovery Data. This task deletes inactive client records
from the site database. You can configure the Delete Aged Discovery Data task only for
primary sites.

You can also manually run heartbeat discovery on a specific client. Run the Discovery
Data Collection Cycle on the Action tab of a client's Configuration Manager control
panel.

When heartbeat discovery runs, it creates a DDR that has the client's current
information. The client then copies this small file to a management point so that a
primary site can process it. The file is about 1 KB in size and has the following
information:

Network location

NetBIOS name

Version of the client agent

Operational status details


Heartbeat discovery is the only discovery method that provides details about the client
installation status. It does so by updating the system resource client attribute to set a
value equal to Yes.

Actions for heartbeat discovery are logged on the client in the InventoryAgent.log file
in the %Windir%\CCM\Logs folder.

For more information about how to configure this discovery method, see Configure
discovery methods.

Network discovery
Configurable: Yes

Enabled by default: No

Accounts you can use to run this method:

Computer account of the site server

Use this method to discover the topology of your network and to discover devices on
your network that have an IP address. Network discovery searches your network for IP-
enabled resources by querying the following sources:

Servers that run a Microsoft implementation of DHCP

Address Resolution Protocol (ARP) caches in network routers

SNMP-enabled devices

Active Directory domains

Before you can use network discovery, you must specify the level of discovery to run.
You also configure one or more discovery mechanisms that enable network discovery to
query for network segments or devices. You can also configure settings that help control
discovery actions on the network. Finally, you define one or more schedules for when
network discovery runs.

For this method to successfully discover a resource, network discovery must identify the
IP address and the subnet mask of the resource. The following methods are used to
identify the subnet mask of an object:

Router ARP cache: Network discovery queries the ARP cache of a router to find
subnet information. Typically, data in a router ARP cache has a short time-to-live.
Therefore, when network discovery queries the ARP cache, the ARP cache might no
longer have information about the requested object.
DHCP: Network discovery queries each DHCP server that you specify to discover
the devices for which the DHCP server has provided a lease. Network discovery
supports only DHCP servers that run the Microsoft implementation of DHCP.

SNMP device: Network discovery can directly query an SNMP device. For network
discovery to query a device, the device must have a local SNMP agent installed.
Also configure network discovery to use the community name that the SNMP
agent is using.

When discovery identifies an IP-addressable object and can determine the object's
subnet mask, it creates a DDR for that object. Because different types of devices connect
to the network, network discovery discovers resources that don't support the
Configuration Manager client. For example, devices that can be discovered but not
managed include printers and routers.

Network discovery can return several attributes as part of the discovery record that it
creates. These attributes include:

NetBIOS name

IP addresses

Resource domain

System roles

SNMP community name

MAC addresses

Network discovery activity is recorded in the Netdisc.log file in <InstallationPath>\Logs
on the site server that runs discovery.

For more information about how to configure this discovery method, see Configure
discovery methods.

Note

Complex networks and low-bandwidth connections can cause network discovery to
run slowly and generate significant network traffic. Run network discovery only
when the other discovery methods can't find the resources that you have to
discover. For example, use network discovery to discover workgroup computers.
Other discovery methods don't discover workgroup computers.

Levels of network discovery
When you configure network discovery, you specify one of three levels of discovery:

Topology: This level discovers routers and subnets but doesn't identify a subnet mask for
objects.

Topology and client: In addition to topology, this level discovers potential clients like
computers, and resources like printers and routers. This level of discovery tries to
identify the subnet mask of objects that it finds.

Topology, client, and client operating system: In addition to topology and potential
clients, this level tries to discover the computer operating system name and version.
This level uses Windows Browser and Windows Networking calls.

With each incremental level, network discovery increases its activity and network
bandwidth usage. Consider the network traffic that can be generated before you enable
all aspects of network discovery.

For example, when you first use network discovery, you might start with only the
topology level to identify your network infrastructure. Then, reconfigure network
discovery to discover objects and their device operating systems. You can also configure
settings that limit network discovery to a specific range of network segments. That way,
you discover objects in network locations that you require and avoid unnecessary
network traffic. This process also allows you to discover objects from edge routers or
from outside your network.

Network discovery options

To enable network discovery to search for IP-addressable devices, configure one or
more of these options.

Note

Network discovery runs in the context of the computer account of the site server
that runs discovery. If the computer account doesn't have permissions to an
untrusted domain, the domain and DHCP server configurations can fail to discover
resources.
DHCP
Specify each DHCP server that you want network discovery to query. Network discovery
supports only DHCP servers that run the Microsoft implementation of DHCP.

Network discovery retrieves information by using remote procedure calls to the
database on the DHCP server.

Network discovery can query both 32-bit and 64-bit DHCP servers for a list of
devices that are registered with each server.

For network discovery to successfully query a DHCP server, the computer account
of the server that runs discovery must be a member of the DHCP Users group on
the DHCP server. For example, this level of access exists when one of the following
statements is true:

The specified DHCP server is the DHCP server of the server that runs discovery.

The computer that runs discovery and the DHCP server are in the same domain.

A two-way trust exists between the computer that runs discovery and the DHCP
server.

The site server is a member of the DHCP Users group.

When network discovery enumerates a DHCP server, it doesn't always discover
static IP addresses. Network discovery doesn't find IP addresses that are part of an
excluded range of IP addresses on the DHCP server. It also doesn't discover IP
addresses that are reserved for manual assignment.

Domains
Specify each domain that you want network discovery to query.

The computer account of the site server that runs discovery must have permissions
to read the domain controllers in each specified domain.

To discover computers from the local domain, you must enable the Computer
Browser service on at least one computer. This computer must be on the same
subnet as the site server that runs network discovery.

Network discovery can discover any computer that you can view from your site
server when you browse the network.
Network discovery retrieves the IP address. It then uses an Internet Control
Message Protocol (ICMP) echo request to ping each device that it finds. The ping
command helps determine which computers are currently active.

SNMP devices
Specify each SNMP device that you want network discovery to query.

Network discovery gets the ipNetToMediaTable value from any SNMP device that
responds to the query. This value returns arrays of IP addresses that are client
computers or other resources like printers, routers, or other IP-addressable
devices.

To query a device, you must specify the IP address or NetBIOS name of the device.

Configure network discovery to use the community name of the device, or the
device rejects the SNMP-based query.

Limiting network discovery

When network discovery queries an SNMP device on the edge of your network, it can
identify information about subnets and SNMP devices that are outside your immediate
network. Use the following information to limit network discovery by configuring the
SNMP devices that discovery can communicate with, and by specifying the network
segments to query.

Subnets
Configure the subnets that network discovery queries when it uses the SNMP and DHCP
options. These two options search only the enabled subnets.

For example, a DHCP request can return devices from locations across your whole
network. If you want to discover only devices on a specific subnet, specify and enable
that specific subnet on the Subnets tab in the Network Discovery Properties dialog
box. When you specify and enable subnets, you limit future DHCP and SNMP discovery
tasks to those subnets.

Note

Subnet configurations don't limit the objects that the Domains discovery option
discovers.
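The Subnets tab is the control that keeps the SNMP and DHCP options from pulling in every host an edge router or DHCP server happens to know about. The following added example (not Configuration Manager code) shows that limit applied to the kind of data the SNMP option works with: it parses constructed rows in the shape of a numeric-OID walk of ipNetToMediaPhysAddress (IP-MIB, 1.3.6.1.2.1.4.22.1.2, the MAC column of ipNetToMediaTable; the row index is ifIndex followed by the IPv4 address) and keeps only entries that fall inside the enabled subnets. The walk text, addresses and MACs are all constructed; the output format is modelled on a net-snmp walk but is not a capture from any device.

```python
"""Keep SNMP ARP-table entries only for the subnets enabled for network discovery.

Added example; not Configuration Manager code. CONSTRUCTED_WALK is made up,
in the shape of a numeric-OID walk of ipNetToMediaPhysAddress
(1.3.6.1.2.1.4.22.1.2). Each row index is <ifIndex>.<IPv4 address>.
"""
import ipaddress
import re

PHYS_ADDR_OID = "1.3.6.1.2.1.4.22.1.2"

# Constructed rows: the router also knows hosts on 192.168.50.0/24, a subnet
# outside the immediate network that discovery should not be allowed to reach.
CONSTRUCTED_WALK = """\
.1.3.6.1.2.1.4.22.1.2.1.10.1.10.25 = Hex-STRING: 00 1A 2B 3C 4D 5E
.1.3.6.1.2.1.4.22.1.2.1.10.1.10.40 = Hex-STRING: 00 1A 2B 3C 4D 5F
.1.3.6.1.2.1.4.22.1.2.2.10.1.20.7 = Hex-STRING: 00 50 56 AA BB CC
.1.3.6.1.2.1.4.22.1.2.3.192.168.50.9 = Hex-STRING: 00 50 56 11 22 33
"""

# Matches "<prefix>.<ifIndex>.<a>.<b>.<c>.<d> = Hex-STRING: <bytes>".
ROW_RE = re.compile(
    r"^\.?" + re.escape(PHYS_ADDR_OID)
    + r"\.(\d+)\.(\d+\.\d+\.\d+\.\d+)\s*=\s*Hex-STRING:\s*([0-9A-Fa-f ]+)$"
)


def parse_arp_rows(walk_text):
    """Yield (ifIndex, IPv4Address, mac) for each ipNetToMediaPhysAddress row."""
    for line in walk_text.splitlines():
        match = ROW_RE.match(line.strip())
        if not match:
            continue                     # unrelated OID or malformed row
        if_index, ip_text, hex_bytes = match.groups()
        mac = ":".join(b.lower() for b in hex_bytes.split())
        yield int(if_index), ipaddress.IPv4Address(ip_text), mac


def limit_to_subnets(entries, enabled_subnets):
    """Keep only entries whose address lies in an enabled subnet (Subnets tab)."""
    nets = [ipaddress.IPv4Network(s) for s in enabled_subnets]
    kept = []
    for if_index, ip, mac in entries:
        if any(ip in net for net in nets):
            kept.append((if_index, str(ip), mac))
    return kept


def discovered_devices(walk_text, enabled_subnets):
    """Devices a subnet-limited SNMP query would create discovery records for."""
    return limit_to_subnets(parse_arp_rows(walk_text), enabled_subnets)


if __name__ == "__main__":
    for device in discovered_devices(CONSTRUCTED_WALK, ["10.1.10.0/24", "10.1.20.0/24"]):
        print(device)
```

With an empty subnet list nothing is kept, which is the opposite of the product's behaviour when no subnets are enabled; the point of the example is the filter itself, so enable the subnets you actually want to discover rather than relying on the default.
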
SNMP community names
To enable network discovery to successfully query an SNMP device, configure network
discovery with the community name of the device. If network discovery isn't configured
by using the community name of the SNMP device, the device rejects the query.

Maximum hops

When you configure the maximum number of router hops, you limit the number of
network segments and routers that network discovery can query by using SNMP.

The number of hops that you configure limits the number of devices and network
segments that network discovery can query.

For example, a topology-only discovery with 0 (zero) router hops discovers the subnet
on which the originating server resides. It includes any routers on that subnet.

The following diagram shows what a topology-only network discovery query finds when
it runs on Server 1 with 0 router hops specified: subnet D and Router 1.

The following diagram shows what a topology and client network discovery query finds
when it runs on Server 1 with 0 router hops specified: subnet D and Router 1, and all
potential clients on subnet D.

To get a better idea of how more router hops can increase the amount of network
resources that are discovered, consider the following network:
Running a topology-only network discovery from Server 1 with one router hop discovers
the following entities:

Router 1 and subnet 10.1.10.0 (found with zero hops)

Subnets 10.1.20.0 and 10.1.30.0, subnet A, and Router 2 (found on the first hop)

Warning

Each increase to the number of router hops can significantly increase the number
of discoverable resources and increase the network bandwidth that network
discovery uses.
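The hop rule described above is easier to reason about as a breadth-first walk: hop 0 is the originating server's subnet plus the routers on it, and each further hop adds the other subnets those routers connect and the routers found on them. The following added example (not Configuration Manager code) encodes the network from the text as a constructed router-to-subnet table (Router 1 joining 10.1.10.0, 10.1.20.0, 10.1.30.0 and subnet A; Router 2 and Router 3 and subnets B and C are hypothetical additions) and reports what a topology-only discovery from Server 1 finds at each hop count, so you can see how quickly the discovered set grows before you raise the limit.

```python
"""Simulate what a topology-only network discovery finds for a router-hop limit.

Added example; not Configuration Manager code. ROUTERS is a constructed
topology: Router 1 and the 10.1.x.0 subnets follow the documentation's example,
Router 2, Router 3 and subnets B and C are hypothetical.
"""

# Each router maps to the set of subnets it has an interface on.
ROUTERS = {
    "Router 1": {"10.1.10.0", "10.1.20.0", "10.1.30.0", "Subnet A"},
    "Router 2": {"Subnet A", "Subnet B"},
    "Router 3": {"Subnet B", "Subnet C"},
}


def topology_discovery(origin_subnet, max_hops, routers=ROUTERS):
    """Return {hop: (subnets found at that hop, routers found at that hop)}.

    Hop 0 is the originating server's subnet and the routers attached to it.
    Each following hop adds the not-yet-seen subnets behind the routers found
    on the previous hop, and the routers attached to those subnets.
    """
    seen_subnets = {origin_subnet}
    seen_routers = set()
    found = {}
    frontier = {origin_subnet}
    for hop in range(max_hops + 1):
        new_routers = {
            name for name, nets in routers.items()
            if name not in seen_routers and nets & frontier
        }
        seen_routers |= new_routers
        found[hop] = (set(frontier), new_routers)
        next_subnets = set()
        for name in new_routers:
            next_subnets |= routers[name] - seen_subnets
        seen_subnets |= next_subnets
        frontier = next_subnets
        if not frontier:             # nothing further to reach
            break
    return found


def discovered_totals(found):
    """(total subnets, total routers) across all hops in a discovery result."""
    subnets = set().union(*(s for s, _ in found.values()))
    routers = set().union(*(r for _, r in found.values()))
    return len(subnets), len(routers)


if __name__ == "__main__":
    for hops in range(4):
        result = topology_discovery("10.1.10.0", hops)
        print(f"{hops} hop(s): {discovered_totals(result)} (subnets, routers)")
        for hop, (subnets, routers) in result.items():
            print(f"  hop {hop}: subnets={sorted(subnets)} routers={sorted(routers)}")
```

Replace ROUTERS with the subnets and routers you already know from a topology-only run, and the per-hop output tells you what each increase in the Maximum hops setting would add before you generate the traffic.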

Server discovery
Configurable: No

In addition to the user-configurable discovery methods, Configuration Manager uses a
process named Server Discovery (SMS_WINNT_SERVER_DISCOVERY_AGENT). This discovery
method creates resource records for computers that are site systems, like a computer
that is configured as a management point.

Common features of Active Directory group discovery, system discovery, and user
discovery

This section provides information about features that are common to the following
discovery methods:

Active Directory group discovery

Active Directory system discovery

Active Directory user discovery

Note

The information in this section doesn't apply to Active Directory forest discovery.

These three discovery methods are similar in configuration and operation. They can
discover computers, users, and information about group memberships of resources that
are stored in Active Directory Domain Services. The discovery process is managed by a
discovery agent. The agent runs on the site server at each site where discovery is
configured to run. You can configure each of these discovery methods to search one or
more Active Directory locations as location instances in the local forest or remote
forests.

When discovery searches an untrusted forest for resources, the discovery agent must be
able to resolve the following to be successful:

To discover a computer resource by using Active Directory system discovery, the
discovery agent must be able to resolve the FQDN of the resource. If it can't
resolve the FQDN, it then tries to resolve the resource by its NetBIOS name.

To discover a user or group resource by using Active Directory user discovery or
Active Directory group discovery, the discovery agent must be able to resolve the
FQDN of the domain controller name that you specify for the Active Directory
location.

For each location that you specify, you can configure individual search options, like
enabling a recursive search of the location's Active Directory child containers. You can
also configure a unique account to use when it searches that location. This account
provides flexibility in configuring a discovery method at one site to search multiple
Active Directory locations across multiple forests. You don't have to configure a single
account that has permissions to all locations.

When each of these three discovery methods runs at a specific site, the Configuration
Manager site server at that site contacts the nearest domain controller in the specified
Active Directory forest to locate Active Directory resources. The domain and forest can
be in any supported Active Directory mode. The account that you assign to each
location instance must have Read access permission to the specified Active Directory
locations.

Discovery searches the specified locations for objects and then tries to collect
information about those objects. A DDR is created when sufficient information about a
resource can be identified. The required information varies depending on the discovery
method that is being used.

If you configure the same discovery method to run at different Configuration Manager
sites to take advantage of querying local Active Directory servers, you can configure
each site with a unique set of discovery options. Because discovery data is shared with
each site in the hierarchy, avoid overlap between these configurations to efficiently
discover each resource a single time.

For smaller environments, consider running each discovery method at only one site in
your hierarchy. This configuration reduces administrative overhead and the potential for
multiple discovery actions to rediscover the same resources. When you minimize the
number of sites that run discovery, you reduce the overall network bandwidth that
discovery uses. You can also reduce the overall number of DDRs that are created and
must be processed by your site servers.

Many of the discovery method configurations are self-explanatory. Use the following
sections for more information about the discovery options that might require additional
information before you configure them.

The following options are available for use with multiple Active Directory discovery
methods:

Delta Discovery

Filter stale computer records by domain sign in

Filter stale records by computer password

Search customized Active Directory attributes

Delta discovery
Available for:

Active Directory group discovery

Active Directory system discovery

Active Directory user discovery

Delta discovery isn't an independent discovery method but an option available for the
applicable discovery methods. Delta discovery searches specific Active Directory
attributes for changes that were made since the last full discovery cycle of the applicable
discovery method. The attribute changes are submitted to the Configuration Manager
database to update the discovery record of the resource.

By default, delta discovery runs on a five-minute cycle. This schedule is much more
frequent than the typical schedule for a full discovery cycle. This frequent cycle is
possible because delta discovery uses fewer site server and network resources than a full
discovery cycle. When you use delta discovery, you can reduce the frequency of the full
discovery cycle for that discovery method.

The following are the most common changes that delta discovery detects:

New computers or users added to Active Directory

Changes to basic computer and user information

New computers or users that are added to a group

Computers or users that are removed from a group

Changes to system group objects

Although delta discovery can detect new resources and changes to group membership,
it can't detect when a resource has been deleted from Active Directory. DDRs created by
delta discovery are processed similarly to the DDRs that are created by a full discovery
cycle.

You configure delta discovery on the Polling Schedule tab in the properties for each
discovery method.

Filter stale computer records by domain sign in

Available for:

Active Directory group discovery

Active Directory system discovery

You can configure discovery to exclude computers with a stale computer record. This
exclusion is based on the last domain sign in of the computer. When this option is
enabled, Active Directory system discovery evaluates each computer that it identifies.
Active Directory group discovery evaluates each computer that is a member of a group
that's discovered.

To use this option:

Computers must be configured to update the lastLogonTimeStamp attribute in
Active Directory Domain Services.

The Active Directory domain functional level must be set to Windows Server 2003
or later.

When you're configuring the time after the last sign in that you want to use for this
setting, consider the interval for replication between domain controllers.

You configure filtering on the Option tab in the Active Directory System Discovery
Properties and Active Directory Group Discovery Properties dialog boxes. Choose to
Only discover computers that have logged on to a domain in a given period of time.

Warning

When you configure this filter and Filter stale records by computer password,
discovery excludes computers that meet the criteria of either filter.

Filter stale records by computer password

Available for:

Active Directory group discovery

Active Directory system discovery

You can configure discovery to exclude computers with a stale computer record. This
exclusion is based on the last computer account password update by the computer.
When this option is enabled, Active Directory system discovery evaluates each computer
that it identifies. Active Directory group discovery evaluates each computer that is a
member of a group that is discovered.

To use this option:

Computers must be configured to update the pwdLastSet attribute in Active
Directory Domain Services.

When you're configuring this option, consider the interval for updates to this attribute.
Also consider the replication interval between domain controllers.

You configure filtering on the Option tab in the Active Directory System Discovery
Properties and Active Directory Group Discovery Properties dialog boxes. Choose to
Only discover computers that have updated their computer account password in a
given period of time.

Warning

When you configure this filter and Filter stale computer records by domain sign in,
discovery excludes computers that meet the criteria of either filter.
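The two filters above (by domain sign in and by computer password) share one subtlety: both attributes are Windows FILETIME values in Active Directory, both lag behind reality by up to a replication interval, and when both filters are on a computer is dropped if either one matches. The following added example (not Configuration Manager code) applies both filters to constructed computer records so the combined behaviour can be checked: it converts lastLogonTimeStamp and pwdLastSet from FILETIME, applies each configured threshold, and widens the window by an optional replication margin. The record names, dates and the choice to treat a never-set attribute as stale are the example's own assumptions, not documented product behaviour.

```python
"""Apply the stale-record filters to constructed Active Directory computer records.

Added example; not Configuration Manager code. RECORDS is constructed. Values
are Windows FILETIME integers (100-nanosecond ticks since 1601-01-01 UTC),
which is how lastLogonTimeStamp and pwdLastSet are stored in AD. Treating a
never-set attribute (0) as stale is this example's policy, not documented
product behaviour.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" for the sample


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime; 0 means 'never set'."""
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic to stay exact."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def is_stale(value_ft, max_age_days, now, replication_margin_days=0):
    """True when the attribute is older than max_age_days.

    The margin allows for domain controller replication lag: a value that
    could simply not have replicated yet is not treated as stale.
    """
    when = filetime_to_datetime(value_ft)
    if when is None:
        return True
    cutoff = now - timedelta(days=max_age_days + replication_margin_days)
    return when < cutoff


def filter_computers(records, now, logon_days=None, password_days=None, margin_days=0):
    """Return (kept names, {excluded name: reasons}) for the enabled filters.

    A filter is enabled by passing its threshold. When both are enabled a
    computer matching either one is excluded, as the documentation states.
    """
    kept, excluded = [], {}
    for rec in records:
        reasons = []
        if logon_days is not None and is_stale(
                rec["lastLogonTimeStamp"], logon_days, now, margin_days):
            reasons.append("domain sign-in")
        if password_days is not None and is_stale(
                rec["pwdLastSet"], password_days, now, margin_days):
            reasons.append("computer password")
        if reasons:
            excluded[rec["name"]] = reasons
        else:
            kept.append(rec["name"])
    return kept, excluded


def days_ago(n):
    """FILETIME for n days before NOW (helper for the constructed records)."""
    return datetime_to_filetime(NOW - timedelta(days=n))


# Constructed records: names and timestamps are hypothetical.
RECORDS = [
    {"name": "WS-ACTIVE",  "lastLogonTimeStamp": days_ago(3),   "pwdLastSet": days_ago(10)},
    {"name": "WS-NOLOGON", "lastLogonTimeStamp": days_ago(120), "pwdLastSet": days_ago(5)},
    {"name": "WS-OLDPWD",  "lastLogonTimeStamp": days_ago(2),   "pwdLastSet": days_ago(200)},
    {"name": "WS-DEAD",    "lastLogonTimeStamp": 0,             "pwdLastSet": days_ago(400)},
    {"name": "WS-EDGE",    "lastLogonTimeStamp": days_ago(95),  "pwdLastSet": days_ago(20)},
]

if __name__ == "__main__":
    kept, excluded = filter_computers(RECORDS, NOW, logon_days=90, password_days=90)
    print("kept:", kept)
    for name, reasons in excluded.items():
        print(f"excluded {name}: {', '.join(reasons)}")
    kept, _ = filter_computers(RECORDS, NOW, logon_days=90, password_days=90, margin_days=14)
    print("kept with 14-day replication margin:", kept)
```

WS-EDGE is the case the "consider the interval for replication" advice is about: at a 90-day threshold it is excluded, but with a replication margin it stays, which is the safer outcome for a computer that may simply have signed in against a domain controller that has not replicated yet.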

Search customized Active Directory attributes

Available for:

Active Directory system discovery

Active Directory user discovery

Each discovery method supports a unique list of Active Directory attributes that can be
discovered.

You can view and configure the list of customized attributes on the Active Directory
Attributes tab in the Active Directory System Discovery Properties and Active
Directory User Discovery Properties dialog boxes.

Next steps
Select discovery methods to use for Configuration Manager

Configure discovery methods


Select discovery methods to use for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To successfully and efficiently use discovery for Configuration Manager, you must
consider which methods to use and at which sites to run them.

Because discovery can generate a large volume of network traffic, and the resultant
discovery data records (DDRs) can use significant CPU resources during processing, use
only those discovery methods that you require to meet your goals. You might start by
using only one or two discovery methods, and then later enable additional methods in a
controlled manner to extend the level of discovery in your environment. The information
in this topic can help you make informed decisions.

For information about the different discovery methods, see About discovery methods
for Configuration Manager.

Select methods to discover different things

To discover potential Configuration Manager client computers or user resources, you
must enable the appropriate discovery methods. You can use different combinations of
discovery methods to locate different resources, and to discover additional information
about those resources. The discovery methods that you use determine the type of
resources that are discovered, and which Configuration Manager services and agents are
used in the discovery process. They also determine the type of information about
resources that you can discover.

Discover computers
When you want to discover computers, you can use Active Directory System Discovery
or Network Discovery.

For example, if you want to discover resources that can install the Configuration
Manager client before you use client push installation, you might run Active Directory
System Discovery. Using this method, you not only discover the resource, but also
discover basic information and even extended information about it from Active Directory
Domain Services. This information might be useful in building complex queries and
collections to use for the assignment of client settings or content deployment.
Alternatively, you could run Network Discovery, and use its options to discover the
operating system of resources (required to later use client push installation). Network
Discovery provides you with information about your network topology that you are not
able to acquire with other discovery methods. This method does not, however, provide
you any information about your Active Directory environment.

There is also a method called Heartbeat Discovery. It is possible to use only Heartbeat
Discovery to force the discovery of clients that you installed by methods other than
client push installation. However, unlike other discovery methods, Heartbeat Discovery
cannot discover computers that do not have an active Configuration Manager client. It
returns a limited set of information, intended to maintain an existing database record
rather than be the basis of that record. Information submitted by Heartbeat Discovery
might not be sufficient to build complex queries or collections.

If you use Active Directory Group Discovery to discover the membership of a specified
group, you can discover limited system or computer information. This does not replace
a full discovery of computers, but can provide basic information. This information is
insufficient for client push installation.

Discover users
When you want to discover information about users, use Active Directory User
Discovery. Similar to Active Directory System Discovery, this method discovers users
from Active Directory. It includes basic information, in addition to extended Active
Directory information. You can use this information to build complex queries and
collections similar to those for computers.

Discover group information

When you want to discover information about groups and group memberships, use
Active Directory Group Discovery. This discovery method creates resource records for
security groups.

You can use this method to search a specific Active Directory group to identify the
members of that group, in addition to any nested groups within that group. You can
also use this method to search an Active Directory location for groups, and recursively
search each child container of that location in Active Directory Domain Services.

This discovery method can also search the membership of distribution groups. This can
identify the group relationships of both users and computers.
When you discover a group, you can also discover limited information about its
members. This does not replace the Active Directory system or user discovery methods,
though. It is usually insufficient to build complex queries and collections, or serve as the
basis of a client push installation.

Discover infrastructure
There are two methods you can use to discover network infrastructure, Active Directory
Forest Discovery and Network Discovery.

Use Active Directory Forest Discovery to search an Active Directory forest for
information about subnets and Active Directory site configurations. These
configurations can then be automatically entered into Configuration Manager as
boundary locations.

When you want to discover your network topology, use Network Discovery. While other
discovery methods return information related to Active Directory Domain Services, and
can identify the current network location of a client, they do not provide infrastructure
information based on the subnets and router topology of your network.

Discovery data is shared among sites

After Configuration Manager adds discovery data to a database, it is quickly shared
among all sites in the hierarchy. Because there is typically no benefit to discovering the
same information at multiple sites in your hierarchy, consider setting up a single
instance of each discovery method that you use to run at a single site. It's a good idea
to do this instead of running multiple instances of a single method at different sites.

However, for some environments it might be useful to assign the same discovery
method to run at multiple sites, each with a separate configuration and schedule. For
example, when using Network Discovery, you might want to direct each site to discover
its local network, instead of attempting to discover all network locations across a WAN.

If you do configure multiple instances of the same discovery methods to run at different
sites, plan the configuration of each site carefully. You want to avoid having two or more
sites discover the same resources from your network or Active Directory. This can
consume additional network bandwidth and create duplicate DDRs.

The following table identifies at which sites you can set up the different discovery
methods.

Discovery method: Supported locations

Active Directory Forest Discovery: Central administration site, primary site

Active Directory Group Discovery: Primary site

Active Directory System Discovery: Primary site

Active Directory User Discovery: Primary site

Heartbeat Discovery (1): Primary site

Network Discovery: Primary site, secondary site

(1) Secondary sites cannot configure Heartbeat Discovery, but can receive the Heartbeat
DDR from a client.

When secondary sites run Network Discovery, or receive Heartbeat Discovery DDRs, they
transfer the DDR by file-based replication to their parent primary site. This is because
only primary sites and central administration sites can process DDRs. For more
information about how DDRs are processed, see About discovery data records.

Considerations for different discovery methods


Because each site server and network environment is different, it's a good idea to limit
your initial configurations for discovery. Then closely monitor each site server for its
ability to process the discovery data that is generated.

When you use an Active Directory discovery method for systems, users, or groups:

Run discovery at a site that has a fast network connection to your domain
controllers.

Consider the Active Directory replication topology to ensure discovery can access
the latest information.

Consider the scope of the discovery configuration, and limit discovery to only
those Active Directory locations and groups that you have to discover.

If you use Network Discovery:

Use a limited initial configuration to identify your network topography.


After you identify your network topography, set up Network Discovery to run at
specific sites that are central to the network areas that you want to more fully
discover.

Because Heartbeat Discovery does not run at a specific site, you do not have to
consider it in general planning for where to run discovery.

Best practices for discovery


For best results with discovery, we recommend the following:

Run Active Directory System Discovery and Active Directory User Discovery
before you run Active Directory Group Discovery.

When Active Directory Group Discovery identifies a previously undiscovered user
or computer as a member of a group, it attempts to discover basic details for the
user or computer. Because Active Directory Group Discovery is not optimized for
this type of discovery, this process can cause it to run slowly. Additionally, Active
Directory Group Discovery identifies only the basic details about the users and
computers it discovers, and does not create a complete user or computer
discovery record. When you run Active Directory System Discovery and Active
Directory User Discovery, the additional Active Directory attributes for each object
type are available. As a result, Active Directory Group Discovery runs more
efficiently.

When you set up Active Directory Group Discovery, only specify groups that you
use with Configuration Manager.

To help control the use of resources by Active Directory Group Discovery, specify
only those groups that you use with Configuration Manager. This is because Active
Directory Group Discovery recursively searches each group it discovers for users,
computers, and nested groups. The search of each nested group can expand the
scope of Active Directory Group Discovery, and reduce performance. Additionally,
when you set up delta discovery for Active Directory Group Discovery, the
discovery method monitors each group for changes. This further reduces
performance when the method must search unnecessary groups.

Set up discovery methods with a longer interval between full discovery, and a
more frequent period of delta discovery.

Because delta discovery uses fewer resources than a full discovery cycle, and can
identify new or modified resources in Active Directory, you can reduce the
frequency of full discovery cycles to run weekly (or less). Delta discovery for Active
Directory System Discovery, Active Directory User Discovery and Active Directory
Group Discovery identifies almost all the changes of Active Directory objects, and
can maintain accurate discovery data for resources.

Run Active Directory discovery methods at a primary site that has a network
location that is closest to your Active Directory domain controller.

To improve the performance of Active Directory discovery, it's a good idea to run
discovery at a primary site that has a fast network connection to your domain
controllers. If you run the same Active Directory discovery method at multiple sites,
set up each discovery method to avoid overlap. Unlike past versions of
Configuration Manager, discovery data is shared among sites. Therefore, it is not
necessary to discover the same information at multiple sites. For more information,
see Discovery data is shared between sites.

Run Active Directory Forest Discovery at only one site when you plan to
automatically create boundaries from the discovery data.

If you run Active Directory Forest Discovery at more than one site in a hierarchy,
it's a good idea to only enable options to automatically create boundaries at a
single site. This is because when Active Directory Forest Discovery runs at each site
and creates boundaries, Configuration Manager cannot merge those boundaries
into a single boundary object. When you configure Active Directory Forest
Discovery to automatically create boundaries at multiple sites, the result can be
duplicated boundary objects in the Configuration Manager console.

Configure discovery methods for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configure discovery methods to find resources to manage from your network, Active
Directory, and Azure Active Directory (Azure AD). First enable and then configure each
method that you want to use to search your environment. You can also disable a
method by using the same procedure that you use to enable it. The only exceptions to
this process are Heartbeat Discovery and Server Discovery:

By default, Heartbeat Discovery is already enabled when you install a
Configuration Manager primary site. It's configured to run on a basic schedule.
Keep Heartbeat Discovery enabled. It makes sure that the discovery data records
(DDRs) for devices are up to date. For more information about Heartbeat
Discovery, see About Heartbeat Discovery.

Server Discovery is an automatic discovery method. It finds computers that you
use as site systems. You can't configure or disable it.

Active Directory Forest Discovery


To finish the configuration of Active Directory Forest Discovery, configure settings in the
following locations of the Configuration Manager console:

In the Discovery Methods node:

Enable this discovery method.

Set a polling schedule.

Select whether discovery automatically creates boundaries for the Active
Directory sites and subnets that it discovers.

In the Active Directory Forests node:

Add forests that you want to discover.

Enable discovery of Active Directory sites and subnets in that forest.

Configure settings that enable Configuration Manager sites to publish their site
information to the forest.

Assign an account to use as the Active Directory Forest Account for each forest.

Use the following procedures to enable Active Directory Forest Discovery, and to
configure individual forests for use with Active Directory Forest Discovery.

Configure Active Directory Forest Discovery


1. In the Configuration Manager console, go to the Administration workspace,
expand Hierarchy Configuration, and select the Discovery Methods node.

2. Select the Active Directory Forest Discovery method for the site where you want to
configure discovery.

3. On the Home tab of the ribbon, select Properties.

4. On the General tab of the properties, configure the following settings:

Enable the discovery method.

Specify options to create site boundaries for discovered locations.

Specify a schedule for when discovery runs.

5. Select OK to save the configuration.

Configure a forest for Active Directory Forest Discovery


1. In the Administration workspace, expand Hierarchy Configuration, and select the
Active Directory Forests node. If Active Directory Forest Discovery has previously
run, you see each discovered forest in the results pane. When this discovery
method runs, it discovers the local forest and any trusted forests. Manually add
untrusted forests.

To configure a previously discovered forest, select the forest in the results
pane. In the ribbon, select Properties to open the forest properties.

To configure a new forest that isn't listed, on the Home tab of the ribbon, in
the Create group, select Add Forest. This action opens the Add Forests
dialog box.

2. On the General tab, finish configurations for the forest that you want to discover,
and specify the Active Directory Forest Account. For more information on this
account, see Accounts.

Note

Active Directory Forest Discovery requires a global account to discover and
publish to untrusted forests. If you don't use the computer account of the site
server, you can only select a global account.

3. If you plan to let sites publish site data to this forest, on the Publishing tab, finish
configurations for publishing to this forest.

Note

If you let sites publish to a forest, extend the Active Directory schema of that
forest for Configuration Manager. The Active Directory Forest Account must
have Full Control permissions to the System container in that forest.

4. Select OK to save the configuration.

Active Directory discovery for computers, users, or groups

To configure discovery of computers, users, or groups, start with these common steps:

1. In the Configuration Manager console, go to the Administration workspace,
expand Hierarchy Configuration, and select the Discovery Methods node.

2. Select the method for the site where you want to configure discovery.

3. On the Home tab of the ribbon, select Properties.

4. On the General tab of the properties, select the checkbox to enable discovery. Or
you can configure discovery now, and then return to enable discovery later.

Then use the information in the following sections to configure the specific discovery
methods:

Active Directory Group Discovery

Active Directory System Discovery

Active Directory User Discovery

Note

The information in this section doesn't apply to Active Directory Forest Discovery.

Although each of these discovery methods is independent of the others, they share
similar options. For more information about these configuration options, see Shared
options for group, system, and user discovery.

Warning

The Active Directory polling by each of these discovery methods can generate
significant network traffic. Consider scheduling each discovery method to run at a
time when this network traffic doesn't adversely affect business uses of your
network.

Configure Active Directory Group Discovery


1. On the General tab of the Active Directory Group Discovery Properties window,
select Add to configure a discovery scope. Select either Groups or Location. Then
finish the following configurations in the Add Groups or Add Active Directory
Location dialog box:

a. Specify a Name for this discovery scope.

b. Specify an Active Directory Domain or Location to search:

If you chose Groups, specify one or more Active Directory groups to
discover.

If you chose Location, specify an Active Directory container as a location
to discover. You can also enable a recursive search of Active Directory child
containers for this location.

c. Specify the Active Directory Group Discovery Account that the site uses to
search this discovery scope. For more information, see Accounts.

d. Select OK to save the discovery scope configuration.

2. Repeat the previous steps for each other discovery scope that you want to define.

3. On the Polling Schedule tab, configure both the full discovery polling schedule
and delta discovery.

4. On the Options tab, configure settings to filter out or exclude stale computer
records from discovery. Also configure the discovery of the membership of
distribution groups.

Note

By default, Active Directory Group Discovery discovers only the membership
of security groups.

5. Select OK to save the configuration.

Configure Active Directory System Discovery


1. On the General tab of the Active Directory System Discovery Properties window,
select the New icon to specify a new Active Directory container. In the Active
Directory Container dialog box, finish the following configurations:

a. Type or browse to a location for the Path. This value is a valid LDAP path to a
container or organizational unit (OU). The site queries this path for resources.
For example, LDAP://CN=Computers,DC=contoso,DC=com

b. Specify options that change the search behavior:

Discover objects within Active Directory groups: The site also looks at the
membership of groups in this path.

Recursively search Active Directory child containers: If you enable this
option, the site searches any other containers or OUs within the above
path. If you disable this option, the site only searches for resources in the
specific path.

Select subcontainers to exclude from this recursive search. This option
helps to reduce the number of discovered objects. Select Add to choose
the containers under the above path. In the Select New Container dialog
box, select a child container to exclude. Select OK to close the Select New
Container dialog box.

Tip

The list of Active Directory containers in the Active Directory
System Discovery Properties window includes a column Has
Exclusions. When you select containers to exclude, this value is Yes.
Starting in version 2203, you can exclude subcontainers in
untrusted domains for Active Directory System Discovery and
Active Directory User Discovery.

c. For each location, specify the account to use as the Active Directory Discovery
Account. For more information, see Accounts.

Tip

For each specified location, you can configure a set of discovery options
and a unique Active Directory Discovery Account.

d. Select OK to save the Active Directory container configuration.

2. On the Polling Schedule tab, configure both the full discovery polling schedule
and delta discovery.

3. On the Active Directory Attributes tab, configure other Active Directory attributes
for computers that you want to discover. This tab lists the default object attributes.

Tip

For example, your organization uses the Description attribute on the
computer account in Active Directory. Select Custom, and add Description as
a custom attribute. After this discovery method runs, this attribute shows on
the device Properties tab in the Configuration Manager console.

4. On the Options tab, configure settings to filter out or exclude stale computer
records from discovery.

5. Select OK to save the configuration.
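The planning guidance above says that when the same Active Directory discovery method runs at several sites, each site's scopes must not discover the same resources, and the System Discovery procedure shows the three per-container settings that decide what a scope covers (LDAP path, recursive search, excluded subcontainers). The following Python is an added example, not Configuration Manager code or an API it exposes: it models those settings for a set of planned scopes and reports which pairs would discover the same containers, with the site codes, domain and OUs being constructed sample data.

```python
"""Check planned Active Directory System Discovery scopes for overlap.

Added example, not Configuration Manager code. A scope here mirrors the
per-container options in the System Discovery procedure: LDAP path,
"Recursively search Active Directory child containers", and the list of
excluded subcontainers. Escaped commas inside DN values are not handled.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from itertools import combinations


def parse_ldap_path(path: str) -> tuple[str, ...]:
    """Return the RDN sequence of an LDAP path, root first and case-folded.

    'LDAP://OU=Servers,DC=contoso,DC=com' -> ('dc=com', 'dc=contoso', 'ou=servers')
    """
    if path.upper().startswith("LDAP://"):
        path = path[len("LDAP://"):]
    if "/" in path:                      # LDAP://server/DN form: keep the DN only
        path = path.rsplit("/", 1)[1]
    rdns = [rdn.strip().lower() for rdn in path.split(",") if rdn.strip()]
    if not rdns or not all("=" in rdn for rdn in rdns):
        raise ValueError(f"not a valid LDAP path: {path!r}")
    return tuple(reversed(rdns))


def is_within(child: tuple[str, ...], parent: tuple[str, ...]) -> bool:
    """True when child is the parent container itself or any descendant of it."""
    return len(child) >= len(parent) and child[: len(parent)] == parent


@dataclass
class DiscoveryScope:
    site: str                  # site code that runs the discovery method
    path: str                  # LDAP path of the container or OU
    recursive: bool = True     # "Recursively search Active Directory child containers"
    excluded: list[str] = field(default_factory=list)  # excluded subcontainers

    def covers(self, container: tuple[str, ...]) -> bool:
        """Does this scope search the given container (as an RDN tuple)?"""
        root = parse_ldap_path(self.path)
        if container == root:
            return True
        if not self.recursive or not is_within(container, root):
            return False
        return not any(is_within(container, parse_ldap_path(ex)) for ex in self.excluded)


def find_overlaps(scopes: list[DiscoveryScope]) -> list[tuple[DiscoveryScope, DiscoveryScope]]:
    """Pairs of scopes that would both search at least one container.

    Everything a scope searches lies under its own root, so two scopes overlap
    exactly when one of them covers the other's root container.
    """
    return [
        (a, b)
        for a, b in combinations(scopes, 2)
        if a.covers(parse_ldap_path(b.path)) or b.covers(parse_ldap_path(a.path))
    ]


def cross_site_overlaps(scopes: list[DiscoveryScope]) -> list[tuple[DiscoveryScope, DiscoveryScope]]:
    """Overlaps between different sites: the case that creates duplicate DDRs
    and extra network traffic according to the planning guidance."""
    return [(a, b) for a, b in find_overlaps(scopes) if a.site != b.site]


# Constructed planning data for two primary sites (PS1, PS2) in a sample domain.
# PS1 discovers the whole domain except the EMEA OU, which PS2 owns; the PS2
# Servers scope is the planning mistake this check is meant to catch.
PLANNED_SCOPES = [
    DiscoveryScope("PS1", "LDAP://DC=contoso,DC=com",
                   excluded=["LDAP://OU=EMEA,DC=contoso,DC=com"]),
    DiscoveryScope("PS2", "LDAP://OU=EMEA,DC=contoso,DC=com"),
    DiscoveryScope("PS2", "LDAP://OU=Servers,DC=contoso,DC=com"),
    DiscoveryScope("PS1", "LDAP://CN=Computers,DC=contoso,DC=com", recursive=False),
]

if __name__ == "__main__":
    for a, b in cross_site_overlaps(PLANNED_SCOPES):
        print(f"{a.site} {a.path} overlaps {b.site} {b.path}")
```

Same-site overlaps (here PS1's domain root and its non-recursive Computers container) are returned by `find_overlaps` but filtered out of `cross_site_overlaps`, since they waste work at one site rather than producing DDRs at two.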

Configure Active Directory User Discovery


1. On the General tab of the Active Directory User Discovery Properties window,
select the New icon to specify a new Active Directory container. In the Active
Directory Container dialog box, finish the following configurations:

a. Specify one or more locations to search.

b. For each location, specify options that change the search behavior.

c. For each location, specify the account to use as the Active Directory Discovery
Account. For more information, see Accounts.

Note

For each specified location, you can configure a unique set of discovery
options and a unique Active Directory Discovery Account.

d. Select OK to save the Active Directory container configuration.

2. On the Polling Schedule tab, configure both the full discovery polling schedule
and delta discovery.

3. On the Active Directory Attributes tab, configure other Active Directory attributes
for computers that you want to discover. This tab lists the default object attributes.

4. Select OK to save the configuration.

Exclude organizational units (OU) from Active Directory User Discovery

Starting in version 2103, you can exclude OUs from Active Directory User Discovery. To
exclude an OU:

1. From the Configuration Manager console, go to Administration > Hierarchy
Configuration > Discovery Methods.

2. Select Active Directory User Discovery then select Properties from the ribbon.

3. On the General tab of the Active Directory User Discovery Properties window,
select the New icon to specify a new Active Directory container or Edit to change
an existing one.

4. In the Active Directory Container dialog box, locate the search option named
Select sub containers to be excluded from discovery.

5. Select Add to add an exclusion or Remove to remove an existing exclusion.

6. Select OK to save the Active Directory container configuration.

Tip

Starting in version 2203, you can exclude subcontainers in untrusted domains for
Active Directory System Discovery and Active Directory User Discovery.

Azure AD User Discovery

Azure AD User Discovery isn't enabled or configured the same as other discovery
methods. Configure it when you onboard the Configuration Manager site to Azure AD.

For more information, see Azure AD User Discovery.

Prerequisites for Azure AD User Discovery


To enable and configure this discovery method, Configure Azure Services for Cloud
Management.

If you use Configuration Manager to create the Azure app, it configures the app with the
necessary permissions.

If you create the app in Azure first, and then import it into Configuration Manager, you
need to manually configure the app. This configuration includes granting the server app
permission to read directory data.

1. Open the Azure portal as a user with Global Admin permissions. Go to Azure
Active Directory, and select App registrations. Switch to All applications if
necessary.

2. Select the target application.

3. In the Manage menu, select API permissions.

a. On the API permissions panel, select Add a permission.

b. In the Request API permissions panel, switch to APIs my organization uses.

c. Search for and select the Microsoft Graph API.

d. Select the Application permissions group. Expand Directory, and select
Directory.Read.All.

e. Select Add permissions.

4. On the API permissions panel, in the Grant consent section, select Grant admin
consent.... Select Yes.

Configure Azure AD User Discovery


When configuring the Cloud Management Azure service:

On the Discovery page of the wizard, select the option to Enable Azure Active
Directory User Discovery.

Select Settings.

In the Azure AD User Discovery Settings dialog box, configure a schedule for when
discovery occurs. You can also enable delta discovery, which only checks for new or
changed accounts in Azure AD.

Note

If the user is a federated or synchronized identity, you must use Configuration
Manager Active Directory user discovery as well as Azure AD user discovery. For
more information about hybrid identities, see Define a hybrid identity adoption
strategy.

Azure AD User Group Discovery


You can discover user groups and members of those groups from Azure AD. When the
site finds users in Azure AD groups that it hasn't previously discovered, it adds them as
new user resources in Configuration Manager. A user group resource record is created
when the group is a security group.

Prerequisites for Azure AD User Group Discovery


Cloud Management Azure service

Permission to read and search Azure AD groups

Log files

Use the SMS_AZUREAD_DISCOVERY_AGENT.log for troubleshooting. This log is also
shared with Azure AD user discovery. For more information, see Log files.

Enable Azure AD user group discovery


To enable discovery on an existing Cloud Management Azure service:

1. Go to the Administration workspace, expand Cloud Services, then select the Azure
Services node.
2. Select one of your Azure services, then select Properties in the ribbon.
3. In the Discovery tab, check the box to Enable Azure Active Directory Group
Discovery, then select Settings.
4. Select Add under the Discovery Scopes tab.

You can modify the Polling Schedule in the other tab.

5. Select one or more user groups. You can Search by name.

You'll be prompted to sign in to Azure when you select Search the first time.

6. Select OK when you finish selecting groups.

7. Once discovery finishes running, you can browse your Azure AD user groups in the
Users node.

To enable discovery when configuring a new Cloud Management Azure service:

On the Discovery page of the wizard, select the option to Enable Azure Active
Directory Group Discovery.

Select Settings.

In the Azure AD Group Discovery Settings dialog box, configure your discovery
scope and a schedule for when discovery occurs.

Heartbeat Discovery

Configuration Manager enables the Heartbeat Discovery method when you install a
primary site. If you want to use the default schedule of every seven days, there's nothing
else to configure. Otherwise, you only have to configure the schedule for how often
clients send the Heartbeat Discovery data record to a management point.

Note

If you enable both client push installation and the site maintenance task for Clear
Install Flag at the same site, set the schedule of Heartbeat Discovery to be less than
the Client Rediscovery period of the Clear Install Flag site maintenance task. By
default, this task runs every 21 days. Heartbeat discovery should run more
frequently than the task, or clients will unnecessarily reinstall. For more information
about site maintenance tasks, see Maintenance tasks.

Configure the Heartbeat Discovery schedule


1. In the Configuration Manager console, go to the Administration workspace,
expand Hierarchy Configuration, and select the Discovery Methods node.

2. Select the Heartbeat Discovery method for the site where you want to configure
Heartbeat Discovery.

3. On the Home tab of the ribbon, select Properties.

4. Configure the frequency with which clients submit a Heartbeat discovery data
record. Then select OK to save the configuration.

Network Discovery

Before you configure Network Discovery, understand the following topics:

Available levels of Network Discovery

Available Network Discovery options

Limiting Network Discovery on the network

For more information, see About Network Discovery.

The following sections provide information about common configurations for Network
Discovery. You can configure one or more of these configurations for use during the
same discovery run. If you use multiple configurations, plan for the interactions that can
affect the discovery results.

For example, you discover all Simple Network Management Protocol (SNMP) devices
that use a specific SNMP community name. For the same discovery run, you disable
discovery on a specific subnet. When discovery runs, Network Discovery doesn't
discover the SNMP devices with the specified community name on the subnet that
you've disabled.

Determine your network topology


You can use a topology-only discovery to map your network. This kind of discovery
doesn't discover potential clients. The topology-only Network Discovery relies on SNMP.

When you're mapping your network topology, configure the Maximum hops on the
SNMP tab in the Network Discovery Properties dialog box. Just a few hops can help
control the network bandwidth that's used when discovery runs. As you discover more
of your network, increase the number of hops to gain a better understanding of your
network topology.

After you understand your network topology, configure the properties for Network
Discovery. These properties help to discover potential clients and their operating
systems. Also configure Network Discovery to limit the network segments that it can
search.

For more information, see How to determine your network topology.

Network Discovery search options


Configuration Manager supports the following methods to search the network:

Limit searches by using subnets

Search a specific domain

Limit searches by using SNMP community names

Search a specific DHCP server

Limit searches by using subnets


You can configure Network Discovery to search specific subnets during a discovery run.
By default, Network Discovery searches the subnet of the server that runs discovery. Any
other subnets that you configure and enable apply only to SNMP and DHCP search
options. When Network Discovery searches domains, it isn't limited by configurations
for subnets.

If you specify one or more subnets on the Subnets tab in the Network Discovery
Properties dialog box, it only searches the subnets that you mark as Enabled.

When you disable a subnet, the site excludes it from discovery, and the following
conditions apply:

SNMP-based queries don't run on the subnet.

DHCP servers don't reply with a list of resources located on the subnet.

Domain-based queries can discover resources that are located on the subnet.

Search a specific domain

You can configure Network Discovery to search a specific domain or set of domains
during a discovery run. By default, Network Discovery searches the local domain of the
server that runs discovery.

If you specify one or more domains on the Domains tab in the Network Discovery
Properties dialog box, it only searches the domains that you mark as Enabled.

When you disable a domain, the site excludes it from discovery, and the following
conditions apply:

Network Discovery doesn't query domain controllers in that domain.

SNMP-based queries can still run on subnets in the domain.

DHCP servers can still reply with a list of resources located in the domain.

Limit searches by using SNMP community names


You can configure Network Discovery to search a specific SNMP community or set of
communities during a discovery run. By default, the method configures the public
community name.

Network Discovery uses community names to gain access to routers that are SNMP
devices. A router can supply Network Discovery with information about other routers
and subnets that are linked to the first router.

Note

SNMP community names resemble passwords. Network Discovery can get
information only from an SNMP device for which you've specified a community
name. Each SNMP device can have its own community name, but often the same
community name is shared among several devices. Additionally, most SNMP
devices have a default community name of public. But some organizations delete
the public community name from their devices as a security precaution.

If you include more than one SNMP community on the SNMP tab in the Network
Discovery Properties dialog box, it searches them in the order in which they're shown.
Make sure that the most frequently used names are at the top of the list. This
configuration helps to minimize network traffic that the site generates when it tries to
contact a device by using different names.

Note

Along with using the SNMP community name, you can specify the IP address or
resolvable name of a specific SNMP device. You do this action on the SNMP
Devices tab in the Network Discovery Properties dialog box.

Search a specific DHCP server


You can configure Network Discovery to use a specific DHCP server or multiple servers
to discover DHCP clients during a discovery run.

Network Discovery searches each DHCP server that you specify on the DHCP tab in the
Network Discovery Properties dialog box. If the server that's running discovery leases
its IP address from a DHCP server, you can configure discovery to search that DHCP
server. Enable this behavior with the option to Include the DHCP server that the site
server is configured to use.

Note

To successfully configure a DHCP server in Network Discovery, your environment
must support IPv4. You can't configure Network Discovery to use a DHCP server in
a native IPv6 environment.
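The subnet, domain, SNMP and DHCP options above interact in ways that are easy to misjudge: a disabled subnet stops SNMP and DHCP queries there but not domain queries, a disabled domain stops domain-controller queries but not SNMP or DHCP, and an SNMP device only answers to a community name in the configured list, which is tried top to bottom. The following Python is an added example, not Configuration Manager code: it encodes those rules for a planned configuration and a set of constructed devices, so a planner can see which search option would find each device and how many community-name attempts each SNMP device costs. All subnets, domains, community names, server addresses and device records are constructed sample data.

```python
"""Model how Network Discovery's subnet, domain, SNMP and DHCP settings interact.

Added example, not Configuration Manager code. The rules encoded here are the
ones stated in the search-options text: subnet Enabled flags gate SNMP and DHCP
but not domain queries; domain Enabled flags gate domain-controller queries only;
community names are tried in list order. All data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class NetworkDiscoveryConfig:
    subnets: dict[str, bool]                 # CIDR -> Search value on the Subnets tab
    domains: dict[str, bool]                 # domain -> Search value on the Domains tab
    communities: list[str]                   # SNMP Community names, top-to-bottom order
    dhcp_servers: list[str] = field(default_factory=list)  # DHCP tab entries

    def subnet_enabled(self, ip: str) -> bool:
        """SNMP and DHCP searches only run on subnets listed and marked Enabled."""
        addr = ip_address(ip)
        return any(flag and addr in ip_network(cidr) for cidr, flag in self.subnets.items())


@dataclass
class Device:
    name: str
    ip: str
    domain: str | None = None            # domain holding its computer account, if any
    snmp_community: str | None = None    # community the device answers to, if SNMP-capable
    dhcp_lease_from: str | None = None   # DHCP server that leased its address, if any


def discovery_paths(dev: Device, cfg: NetworkDiscoveryConfig) -> dict[str, bool]:
    """Which Network Discovery search options would find this device."""
    on_enabled_subnet = cfg.subnet_enabled(dev.ip)
    return {
        "snmp": on_enabled_subnet and dev.snmp_community in cfg.communities,
        "dhcp": on_enabled_subnet and dev.dhcp_lease_from in cfg.dhcp_servers,
        # Domain-based queries are not limited by the subnet configuration.
        "domain": dev.domain is not None and cfg.domains.get(dev.domain, False),
    }


def snmp_probe_count(dev: Device, cfg: NetworkDiscoveryConfig) -> int:
    """Community names tried before the device answers; all of them if it never does.

    This is the traffic the text says to minimize by listing common names first.
    """
    if dev.snmp_community in cfg.communities:
        return cfg.communities.index(dev.snmp_community) + 1
    return len(cfg.communities)


def review(cfg: NetworkDiscoveryConfig, devices: list[Device]) -> list[str]:
    """Planning findings: the default 'public' name still in use, and devices on a
    disabled subnet that a domain query discovers anyway."""
    findings = []
    if "public" in cfg.communities:
        findings.append("SNMP community list still includes the default name 'public'")
    for dev in devices:
        if not cfg.subnet_enabled(dev.ip) and discovery_paths(dev, cfg)["domain"]:
            findings.append(f"{dev.name} is on a disabled subnet but is still discovered "
                            f"through domain {dev.domain}")
    return findings


# Constructed configuration: one enabled and one disabled subnet, one enabled
# domain, an organization-specific community listed ahead of the default.
CFG = NetworkDiscoveryConfig(
    subnets={"10.1.0.0/24": True, "10.2.0.0/24": False},
    domains={"corp.contoso.com": True},
    communities=["netops-ro", "public"],
    dhcp_servers=["10.1.0.5"],
)
DEVICES = [
    Device("sw-core-01", "10.1.0.2", snmp_community="netops-ro"),
    Device("ws-lab-17", "10.2.0.40", domain="corp.contoso.com", dhcp_lease_from="10.1.0.5"),
    Device("printer-3", "10.1.0.77", snmp_community="public"),
    Device("cam-9", "10.1.0.90", snmp_community="vendor-only"),
]

if __name__ == "__main__":
    for dev in DEVICES:
        print(dev.name, discovery_paths(dev, CFG), "probes:", snmp_probe_count(dev, CFG))
    for finding in review(CFG, DEVICES):
        print("finding:", finding)
```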

How to configure Network Discovery


Use the following procedures to first discover only your network topology, and then to
configure Network Discovery to discover potential clients by using one or more of the
available Network Discovery options.

How to determine your network topology

1. In the Configuration Manager console, go to the Administration workspace,
expand Hierarchy Configuration, and select the Discovery Methods node.

2. Select the Network Discovery method for the site where you want to discover
network resources.

3. On the Home tab of the ribbon, select Properties.

On the General tab, select the option to Enable network discovery. Then
select Topology from the Type of discovery options.

On the Subnets tab, select the Search local subnets option.

Tip

If you know the specific subnets that constitute your network, deselect
the Search local subnets checkbox. Then select the New icon, and
add the specific subnets that you want to search. For large networks,
search only one or two subnets at a time to minimize the use of network
bandwidth.

On the Domains tab, select the option to Search local domain.

On the SNMP tab, select an option from the Maximum hops drop-down list.
This option specifies how many router hops Network Discovery can take in
mapping your topology.

Tip

When you first map your network topology, configure just a few router
hops to minimize the use of network bandwidth.

4. On the Schedule tab, select the New icon, and set a schedule for running
discovery. The Duration is the period of time that Network Discovery has to
complete the search for resources. On smaller subnets, an hour may be enough,
but searching across an enterprise network with multiple router hops will take
longer. If Network Discovery runs out of time, a message is logged in Netdisc.log.

Note

You can't assign a different discovery configuration to separate Network
Discovery schedules. Each time Network Discovery runs, it uses the current
discovery configuration.

5. Select OK to accept the configurations. Network Discovery runs at the scheduled
time.

How to configure Network Discovery


1. In the Configuration Manager console, go to the Administration workspace,
expand Hierarchy Configuration, and select the Discovery Methods node.

2. Select the Network Discovery method for the site where you want to discover
network resources.

3. On the Home tab of the ribbon, select Properties.

4. On the General tab, select the option to Enable network discovery.

Select from the Type of discovery options the type of discovery that you
want to run.

Enable the Slow network option for Configuration Manager to make
automatic adjustments for low-bandwidth networks.

5. To configure discovery to search subnets, switch to the Subnets tab. Then
configure one or more of the following options:

To run discovery on subnets that are local to the computer that runs
discovery, enable the option to Search local subnets.

To search a specific subnet, make sure that the subnet is listed in Subnets to
search and has a Search value of Enabled:

a. If the subnet isn't listed, select the New icon. In the New Subnet
Assignment dialog box, enter the Subnet and Mask information, and then
select OK. By default, a new subnet is enabled for search.

b. To change the Search value for a listed subnet, select it in the list. Then
select the Toggle icon to switch the value between Disabled and Enabled.

6. To configure discovery to search domains, switch to the Domains tab. Then
configure one or more of the following options:

To run discovery on the domain of the computer that runs discovery, enable
the option to Search local domain.

To search a specific domain, make sure that the domain is listed in Domains
and has a Search value of Enabled:

a. If the domain isn't listed, select the New icon. In the Domain
Properties dialog box, enter the Domain information, and then select OK.
By default, a new domain is enabled for search.

b. To change the Search value for a listed domain, select it in the list. Then
select the Toggle icon to switch the value between Disabled and Enabled.

7. To configure discovery to search specific SNMP community names for SNMP
devices, switch to the SNMP tab. Then configure one or more of the following
options:

To add an SNMP community name to the list of SNMP Community names,
select the New icon. In the New SNMP Community Name dialog box,
specify the Name of the SNMP community, and then select OK.

To remove an SNMP community name, select the community name, and then
select the Delete icon.

To adjust the search order of SNMP community names, select a community
name from the list. Then select the Move Item Up icon or the Move Item
Down icon. When discovery runs, community names are searched in a
top-to-bottom order.

To configure the maximum number of router hops for use by SNMP searches,
select the number of hops from the Maximum hops drop-down list.

8. To configure an SNMP device, switch to the SNMP Devices tab. If the device isn't
listed, select the New icon. In the New SNMP Device dialog box, specify the IP
address or device name of the SNMP device, and then select OK.

Note

If you specify a device name, Configuration Manager must be able to resolve
the NetBIOS name to an IP address.

9. To configure discovery to query specific DHCP servers, switch to the DHCP tab.
Then configure one or more of the following options:

To query the DHCP server on the computer that is running discovery, enable
the option to Always use the site server's DHCP server.

Note

To use this option, the server must lease its IP address from a DHCP
server and can't use a static IP address.

To query a specific DHCP server, select the New icon. In the New DHCP
Server dialog box, specify the IP address or server name of the DHCP server,
and then select OK.

Note

If you specify a server name, Configuration Manager must be able to
resolve the NetBIOS name to an IP address.

10. To configure when discovery runs, switch to the Schedule tab. Then select the New
icon to set a schedule for running Network Discovery. You can configure
multiple recurring schedules, and multiple schedules that have no recurrence.

Note

If the Schedule tab shows more than one schedule at the same time, Network
Discovery runs for all schedules as it's configured at the time indicated in the
schedule. This behavior is also true for recurring schedules.

11. Select OK to save your configurations.

How to verify that Network Discovery has finished


The time that Network Discovery requires to finish can vary depending on one or more
of the following factors:

The size of your network

The topology of your network

The maximum number of hops that are configured to find routers in the network

The type of discovery that is being run

Network Discovery doesn't create messages to alert you when it's finished. Use the
following procedure to verify when discovery has finished:

1. In the Configuration Manager console, go to the Monitoring workspace. Expand
System Status, and then select the Status Message Queries node.

2. Select the All Status Messages query.

3. On the Home tab of the ribbon, in the Status Message Queries group, select Show
Messages.

4. In the All Status Messages window, select a value from the Select date and time
drop-down list that includes how long ago the discovery started. Then select OK to
open the Configuration Manager Status Message Viewer.

Tip

You can also use the Specify date and time option to select a given date and
time that you ran discovery. This option is useful when you ran Network
Discovery on a given date and want to retrieve messages from only that date.

5. To validate that Network Discovery has finished, search for a status message that
has the following details:

Message ID: 502

Component: SMS_NETWORK_DISCOVERY

Description: This component stopped

If this status message isn't present, Network Discovery hasn't finished.

6. To validate when Network Discovery started, search for a status message that has
the following details:

Message ID: 500

Component: SMS_NETWORK_DISCOVERY

Description: This component started

This information verifies that Network Discovery started. If this information isn't
present, reschedule Network Discovery.
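The same check can be scripted against the SMS Provider instead of clicking through the status message viewer. The following is an added example, not code from the Configuration Manager documentation or product. It assumes that the provider exposes status messages through the SMS_StatusMessage class in the root\sms\site_<code> namespace with Component, MessageID and Time properties (the data the console's status message queries read); the site server name and site code are placeholders for your environment.

```powershell
# Added example (not from the Configuration Manager documentation). Assumes the
# SMS_StatusMessage server class with Component, MessageID and Time properties.
function Get-NetworkDiscoveryRun {
    param(
        [Parameter(Mandatory)][string]$SiteServer,   # placeholder: host running the SMS Provider
        [Parameter(Mandatory)][string]$SiteCode,     # placeholder: site code, e.g. PS1
        [datetime]$Since = (Get-Date).AddHours(-24)  # how far back to look, like "Select date and time"
    )
    $namespace = "root\sms\site_$SiteCode"

    # WQL compares datetime properties against DMTF-formatted strings; CIM converts
    # the Time property back to [datetime] on the way out.
    $dmtf = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Since)
    $filter = "Component='SMS_NETWORK_DISCOVERY' AND (MessageID=500 OR MessageID=502) AND Time>='$dmtf'"

    $messages = Get-CimInstance -ComputerName $SiteServer -Namespace $namespace `
        -ClassName SMS_StatusMessage -Filter $filter -ErrorAction Stop | Sort-Object Time

    # 500 = "This component started", 502 = "This component stopped".
    # Only a 502 that follows the most recent 500 proves that run finished.
    $started = $messages | Where-Object MessageID -eq 500 | Select-Object -Last 1
    $stopped = $messages |
        Where-Object { $_.MessageID -eq 502 -and $started -and $_.Time -ge $started.Time } |
        Select-Object -Last 1

    [pscustomobject]@{
        SiteCode  = $SiteCode
        Started   = [bool]$started
        StartTime = $started.Time
        Finished  = [bool]$stopped
        StopTime  = $stopped.Time
        State     = if (-not $started) { 'Not started: reschedule Network Discovery' }
                    elseif (-not $stopped) { 'Started but no stop message yet: not finished' }
                    else { 'Finished' }
    }
}

# Usage (placeholders):
Get-NetworkDiscoveryRun -SiteServer 'cm01.contoso.local' -SiteCode 'PS1' -Since (Get-Date).AddHours(-6)
```

Filtering on Component, MessageID and Time in the WQL query matters: the status message table is large, and pulling every message over the network before filtering client-side can take minutes on a busy site.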
Overview of boundaries and boundary groups
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Boundaries in Configuration Manager define network locations on your intranet. These
locations include devices that you want to manage. Boundary groups are logical groups
of boundaries that you configure. A hierarchy can include any number of boundary
groups. Each boundary group can contain any combination of the following boundary
types:

IP subnet
Active Directory site name
IPv6 prefix
IP address range
VPN (starting in version 2006)

Clients on the intranet evaluate their current network location and then use that
information to identify boundary groups to which they belong.

Clients use boundary groups to:

Find an assigned site: Boundary groups enable clients to find a primary site for
client assignment. This behavior is also known as automatic site assignment.

Find certain site system roles they can use: Associate a boundary group with
certain site system roles. Then the site provides clients with that list of site systems
in the boundary group. Clients use these site systems for actions such as finding
content or a nearby management point.

Clients that are on the internet or configured as internet-only clients don't use boundary
information. These clients can't use automatic site assignment. They can download
content from an internet-based distribution point from their assigned site or a
content-enabled cloud management gateway.

During OS deployment, while a device is running Windows PE, the site can convert
Active Directory site boundary information to IP subnet information. This behavior is
only during this process, and specifically for these devices. In other words, if your site
only has Active Directory site boundaries, Windows PE clients during an OS deployment
will still be in a boundary.
Overlapping boundaries
Configuration Manager supports overlapping boundary and boundary group
configurations for content and service location requests. Overlapping occurs when a
client's location maps to multiple boundary groups. This behavior happens for one of
two reasons:

You add the same boundary to multiple boundary groups.

You add separate boundaries that include the client's location to different
boundary groups.

When overlapping occurs, Configuration Manager creates a list of all site systems
referenced by all boundary groups that include a client's location. Configuration
Manager sends this list to a client in response to a content or service location request.
Configuration Manager doesn't apply any precedence or deterministic ordering to this
list based on overlapping boundaries and boundary groups. Instead, the client chooses
at random from this list.

For client content requests, Configuration Manager includes only distribution points that
have the requested content in the list of site systems returned. For other service location
requests, Configuration Manager includes only site systems that host the type of role
requested which may be one of the following roles:

State migration point

Software update point

Management point

This behavior enables the client to select the nearest server to communicate with for
each request type.

Recommendations

Use a mix of the fewest boundaries that meet your needs

Use whichever boundary type or types work for your environment. To
simplify your management tasks, use boundary types that let you use the fewest
number of boundaries you can.
Avoid overlapping boundaries for automatic site assignment
Although each boundary group supports both site assignment and site system
reference, create a separate set of boundary groups to use only for site assignment.
Make sure that each boundary in a boundary group isn't a member of another boundary
group with a different site assignment.

A single boundary can be included in multiple boundary groups.

Each boundary group can be associated with a different primary site for site
assignment.

For a boundary that's a member of two different boundary groups with different
site assignments, clients randomly select a site to join. This behavior might not be
for the site you want the client to join. This configuration is called overlapping
boundaries.

Overlapping boundaries aren't a problem for content location. It can be a useful
configuration that provides clients more resources or content locations they can
use.

For more information on boundary groups and site assignment, see Site assignment.

Next steps
Define network locations as boundaries

About boundary groups


Define network locations as boundaries for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager boundaries are locations on your network that contain devices
that you want to manage. You can create different types of boundaries, for example, an
Active Directory site or network IP address. When the Configuration Manager client
identifies a similar network location, that device is a part of the boundary.

Configuration Manager supports the following boundary types:

IP subnet
Active Directory site
IPv6 prefix
IP address range
VPN (starting in version 2006)

You can manually create individual boundaries or use Active Directory forest discovery.
This discovery method automatically finds and creates boundaries for IP subnets and
Active Directory sites. When Active Directory forest discovery identifies a supernet for an
Active Directory site, Configuration Manager converts the supernet into an IP address
range boundary.

If a device isn't in the boundary you expect, it may be because you haven't defined its
network location as a boundary. When the network location of a device is in doubt, use
the following Windows commands on the device to confirm:

IP address: ipconfig
Active Directory site: nltest /dsgetsite
VPN: ipconfig /all

Boundary types

IP subnet
The IP subnet boundary type requires a Subnet ID. For example, 169.254.0.0. If you
provide the Network (default gateway) and Subnet mask values, Configuration Manager
automatically calculates the Subnet ID. When you save the boundary, Configuration
Manager only saves the Subnet ID value.

Note

Configuration Manager doesn't support the direct entry of a supernet as a
boundary. Instead, use the IP address range boundary type.

Active Directory site

For the Active Directory site boundary type, you specify the site name. You can type the
name or browse the local forest of the site server.

When you specify an Active Directory site for a boundary, the boundary includes each IP
subnet that's a member of that Active Directory site. If the configuration of the Active
Directory site changes in Active Directory, the network locations included in this
boundary also change.

Active Directory site boundaries don't work for pure Azure Active Directory (Azure AD)
devices, also called cloud domain-joined devices. If they roam on-premises, and you
only create Active Directory site type boundaries, these devices won't be in a boundary.

Tip

Use the following Windows command to see a device's current Active Directory
site: nltest /dsgetsite.

To determine if a client is cloud domain-joined, use the following Windows
command: dsregcmd /status. For more information, see dsregcmd command -
device state.

IPv6 prefix
For the IPv6 prefix boundary type, you specify a Prefix. For example,
2001:1111:2222:3333.

IP address range
For the IP address range boundary type, specify the Starting IP address and Ending IP
address for the range. The range can include part of an IP subnet or multiple IP subnets.
Use an IP address range boundary type to support a supernet.

You can also use this type to define a boundary for a single IP address. Set both the
starting and ending IP addresses as the same value. This configuration may be useful for
unique devices or test environments.
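When a device isn't in the boundary you expect, it helps to apply the same rules the boundary types above describe to the values you read from ipconfig and nltest /dsgetsite on the device. The following is an added example, not code from the Configuration Manager documentation or product. Its matching rules are an assumption that mirrors the documented semantics (the subnet ID calculated from address and mask, a numeric range check, a case-insensitive site-name match, and a prefix match for IPv6); the site server performs the authoritative evaluation. The boundary list and the device facts are constructed sample data.

```powershell
# Added example (not from the Configuration Manager documentation). The matching
# rules are an assumption based on the documented boundary types; sample data is
# constructed. Replace the device facts with the output of ipconfig and nltest /dsgetsite.

function ConvertTo-UInt32Address {
    # IPv4 dotted-quad -> unsigned integer so that ranges compare numerically.
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)            # network byte order -> host order
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Get-SubnetId {
    # The same arithmetic the console applies to Network + Subnet mask. The subnet ID
    # is the only value the site stores for an IP subnet boundary.
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string]$Mask)
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    $n = [byte[]]::new(4)
    for ($i = 0; $i -lt 4; $i++) { $n[$i] = $a[$i] -band $m[$i] }
    return [System.Net.IPAddress]::new($n).ToString()
}

function Get-MatchingBoundaries {
    param(
        [Parameter(Mandatory)][object[]]$Boundaries,
        [string[]]$IPv4Interfaces = @(),   # "address/mask" pairs as shown by ipconfig
        [string[]]$IPv6Addresses  = @(),   # from ipconfig /all
        [string]$ADSite = ''               # from nltest /dsgetsite
    )
    foreach ($b in $Boundaries) {
        $matchedOn = @()
        switch ($b.Type) {
            'IPSubnet' {
                foreach ($iface in $IPv4Interfaces) {
                    $addr, $mask = $iface -split '/'
                    if ((Get-SubnetId -Address $addr -Mask $mask) -eq $b.Value) { $matchedOn += $addr }
                }
            }
            'IPRange' {
                # Covers supernets and single-address ranges (Start = End).
                $lo = ConvertTo-UInt32Address $b.Start
                $hi = ConvertTo-UInt32Address $b.End
                foreach ($iface in $IPv4Interfaces) {
                    $addr = ($iface -split '/')[0]
                    $n = ConvertTo-UInt32Address $addr
                    if ($n -ge $lo -and $n -le $hi) { $matchedOn += $addr }
                }
            }
            'ADSite' {
                # Case-insensitive site name; the boundary follows whatever subnets
                # AD currently assigns to that site. Cloud-only joined devices have no site.
                if ($ADSite -and $ADSite -ieq $b.Value) { $matchedOn += $ADSite }
            }
            'IPv6Prefix' {
                foreach ($addr in $IPv6Addresses) {
                    if ($addr.StartsWith($b.Value, [System.StringComparison]::OrdinalIgnoreCase)) { $matchedOn += $addr }
                }
            }
        }
        if ($matchedOn.Count -gt 0) {
            [pscustomobject]@{ Boundary = $b.Name; Type = $b.Type; MatchedOn = ($matchedOn -join ', ') }
        }
    }
}

# Constructed sample boundaries (not real site data). Note the deliberate overlap.
$boundaries = @(
    [pscustomobject]@{ Name = 'HQ-Subnet';   Type = 'IPSubnet';   Value = '10.10.20.0' }
    [pscustomobject]@{ Name = 'HQ-Supernet'; Type = 'IPRange';    Start = '10.10.0.0';   End = '10.10.255.255' }
    [pscustomobject]@{ Name = 'Branch-AD';   Type = 'ADSite';     Value = 'Branch-Site' }
    [pscustomobject]@{ Name = 'Lab-v6';      Type = 'IPv6Prefix'; Value = '2001:db8:1:2' }
    [pscustomobject]@{ Name = 'Test-Single'; Type = 'IPRange';    Start = '10.10.20.77'; End = '10.10.20.77' }
)

# Constructed device facts, as you would read them from ipconfig and nltest /dsgetsite.
Get-MatchingBoundaries -Boundaries $boundaries `
    -IPv4Interfaces @('10.10.20.77/255.255.255.0') `
    -IPv6Addresses  @('2001:db8:1:2:abcd::10') `
    -ADSite 'HQ-Site' | Format-Table -AutoSize
```

With the constructed data, one device lands in four boundaries at once (the subnet, the supernet range, the single-address range and the IPv6 prefix) and misses the Active Directory site boundary because its site name differs. That is exactly the overlap situation the overview describes: harmless for content location, a problem if those boundaries sit in boundary groups with different site assignments.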

VPN
Starting in version 2006, to simplify managing remote clients, create a boundary type for
VPNs. When a client sends a location request, it includes additional information about
its network configuration. Based upon this information, the server determines whether
the client is on a VPN. For Configuration Manager to associate the client in the
boundary, connect the device to the VPN.

You can configure a VPN boundary in several ways:

Auto detect VPN: Configuration Manager detects any VPN solution that uses the
point-to-point tunneling protocol (PPTP). If it doesn't detect your VPN, use one of
the other options. The boundary value in the console list will be Auto:On.

Connection name: Specify the name of the VPN connection on the device. It's the
name of the network adapter in Windows for the VPN connection. Configuration
Manager matches the first 250 characters of the string, but doesn't support
wildcard characters or partial strings. The boundary value in the console list will be
Name:<name>, where <name> is the connection name that you specify.

For example, you run the ipconfig command on the device, and one of the
sections starts with: PPP adapter ContosoVPN:. Use the string ContosoVPN as the
Connection name. It displays in the list as Name:CONTOSOVPN.

Connection description: Specify the description of the VPN connection.
Configuration Manager matches the first 243 characters of the string, but doesn't
support wildcard characters or partial strings. The boundary value in the console
list will be Description:<description>, where <description> is the connection
description that you specify.

For example, you run the ipconfig /all command on the device, and one of the
connections includes the following line: Description . . . . . . . . . . . :
ContosoMainVPN. Use the string ContosoMainVPN as the Connection description. It
displays in the list as Description:CONTOSOMAINVPN.

Important

To take full advantage of this feature, after you update the site, also update clients
to the latest version. New functionality appears in the Configuration Manager
console when you update the site and console. The complete scenario isn't
functional until the client version is also the latest.

To use this VPN boundary during an OS deployment, make sure to also update the
boot image to include the latest client binaries.

Starting in version 2111, you can now match the start of a connection name or
description instead of the whole string. Some third-party VPN drivers dynamically create
the connection, which starts with a consistent string but also has a unique connection
identifier. For example, Virtual network adapter #19. When you use the Connection
name or Connection description options, also use the new Starts with option.
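The Connection name and Connection description options are string matches against what ipconfig /all shows for the adapter, so it is worth checking your intended value against that output before creating the boundary. The following is an added example, not code from the Configuration Manager documentation or product. It parses a constructed ipconfig /all sample into adapter name and description, then applies the documented matching rules: whole-string match by default, the Starts with option from version 2111, and truncation at 250 characters for names and 243 for descriptions. Treating the comparison as case-insensitive is an assumption, drawn from the console displaying the values in uppercase.

```powershell
# Added example (not from the Configuration Manager documentation). The ipconfig
# text below is constructed, not captured from a real device. Case-insensitive
# matching is an assumption.

$ipconfigAll = @'
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WKS01

Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Intel(R) Ethernet Connection
   IPv4 Address. . . . . . . . . . . : 10.10.20.77(Preferred)

PPP adapter ContosoVPN:

   Description . . . . . . . . . . . : ContosoMainVPN
   IPv4 Address. . . . . . . . . . . : 172.16.5.9(Preferred)

Unknown adapter Local Area Connection 2:

   Description . . . . . . . . . . . : Virtual network adapter #19
'@

function Get-AdapterInfo {
    # Walk the "<kind> adapter <name>:" header lines and pick up each adapter's Description.
    param([Parameter(Mandatory)][string]$Text)
    $adapters = @()
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^(?<kind>\S.*?) adapter (?<name>.+):$') {
            $current = [pscustomobject]@{ Kind = $Matches.kind; Name = $Matches.name; Description = '' }
            $adapters += $current
        }
        elseif ($current -and $line -match '^\s*Description[ .]*: (?<desc>.*)$') {
            $current.Description = $Matches.desc.Trim()
        }
    }
    return $adapters
}

function Test-VpnBoundary {
    # $Boundary keys: Match ('Name' or 'Description'), Value, UseStartsWith ($true/$false)
    param([Parameter(Mandatory)][hashtable]$Boundary, [Parameter(Mandatory)][object[]]$Adapters)
    $maxLength = if ($Boundary.Match -eq 'Name') { 250 } else { 243 }
    $value = $Boundary.Value
    if ($value.Length -gt $maxLength) { $value = $value.Substring(0, $maxLength) }   # documented limits
    foreach ($a in $Adapters) {
        $candidate = if ($Boundary.Match -eq 'Name') { $a.Name } else { $a.Description }
        $hit = if ($Boundary.UseStartsWith) {
            $candidate.StartsWith($value, [System.StringComparison]::OrdinalIgnoreCase)
        } else {
            [string]::Equals($candidate, $value, [System.StringComparison]::OrdinalIgnoreCase)
        }
        if ($hit) {
            return [pscustomobject]@{
                Boundary    = "$($Boundary.Match):$($value.ToUpper())"   # as the console lists it
                Adapter     = $a.Name
                Description = $a.Description
            }
        }
    }
    return $null   # no adapter matches: the device would not be in this boundary
}

$adapters = Get-AdapterInfo -Text $ipconfigAll
# Whole-string matches, as in the documented examples:
Test-VpnBoundary -Adapters $adapters -Boundary @{ Match = 'Name';        Value = 'ContosoVPN';     UseStartsWith = $false }
Test-VpnBoundary -Adapters $adapters -Boundary @{ Match = 'Description'; Value = 'ContosoMainVPN'; UseStartsWith = $false }
# A driver that appends a unique identifier only matches with Starts with:
Test-VpnBoundary -Adapters $adapters -Boundary @{ Match = 'Description'; Value = 'Virtual network adapter'; UseStartsWith = $true }
Test-VpnBoundary -Adapters $adapters -Boundary @{ Match = 'Description'; Value = 'Virtual network adapter'; UseStartsWith = $false }
```

The last two calls show the version 2111 change: without Starts with, the value Virtual network adapter never matches Virtual network adapter #19, so the device stays outside the boundary; with it, the match succeeds.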

Create a boundary
1. In the Configuration Manager console, go to the Administration workspace,
expand Hierarchy Configuration, and select the Boundaries node.

2. On the Home tab of the ribbon, in the Create group, select Create Boundary.

3. On the General tab of the Create Boundary window, specify the following
information:

Description: Identify the boundary by a friendly name or reference.

Note

Configuration Manager automatically names the boundary based on its
type and scope. You can't modify the name.

Type: Select the type of boundary to create. Then specify the additional
information that the type requires. For more information, see Boundary types.

4. Switch to the Boundary Groups tab. If you already have boundary groups in the
site, you can immediately add this new boundary to one or more groups.

5. Select OK to save the new boundary.

Configure a boundary
Tip

When you create a boundary, Configuration Manager automatically names it based
on the type and scope of the boundary. You can't modify this name. To help
identify the boundary in the Configuration Manager console, specify a description.

1. In the Configuration Manager console, go to the Administration workspace,
expand Hierarchy Configuration, and select the Boundaries node.

2. Select the boundary you want to modify. On the Home tab of the ribbon, in the
Properties group, select Properties.

3. In the Properties window for the boundary, on the General tab, you can configure
the following settings:

Edit the Description

Change the Type for the boundary

Change the scope of a boundary by editing its network locations. For
example, for an Active Directory site boundary you can specify a new Active
Directory site name.

4. To view the site systems that are associated with this boundary, switch to the Site
Systems tab. You can't change this configuration from the properties of a
boundary.

Tip

For a server to be listed as a site system for a boundary, associate it as a site
system server for at least one boundary group that includes this boundary.
Make this configuration on the References tab of a boundary group. For more
information, see Configure site assignment and select site system servers.

5. To modify the boundary group membership for this boundary, select the Boundary
Groups tab:

To add this boundary to one or more boundary groups, select Add. Select
one or more boundary groups, and then select OK.

To remove this boundary from a boundary group, choose the boundary
group, and then select Remove.

6. Select OK to close the boundary properties and save the configuration.


Next steps
Each boundary is available for use by every site in your hierarchy. After you create a
boundary, add the boundary to one or more boundary groups.
About boundary groups in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use boundary groups in Configuration Manager to logically organize related network
locations called boundaries. Use boundaries and boundary groups to make it easier to
manage your infrastructure. Assign boundaries to boundary groups before using the
boundary group.

By default, Configuration Manager creates a default site boundary group at each site.

To configure boundary groups, associate boundaries and site system roles to the
boundary group. This configuration helps associate clients to site system servers that are
located near the clients on the network.

To increase the availability of servers to a wider range of network locations, assign the
same boundary and the same server to more than one boundary group.

Clients use a boundary group for:

Automatic site assignment

To find a site system server that can provide a service, including:

Distribution points for content location.

Software update points

State migration points

Note

The state migration point doesn't use fallback relationships. For more
information, see Fallback.

Management points

Preferred management points

Note

If you use preferred management points, enable this option for the
hierarchy, not from within the boundary group configuration. For more
information, see Enable use of preferred management points.

Cloud management gateway (CMG) for policy and content

Boundary groups and relationships

For each boundary group in your hierarchy, you can assign:

One or more boundaries. A client's current boundary group is a network location
that's defined as a boundary assigned to a specific boundary group. A client can
have more than one current boundary group.

One or more site system roles. Clients can always use roles associated with their
current boundary group. Depending on other configurations, they can use roles in
other boundary groups.

For each boundary group you create, you can configure a one-way link to another
boundary group. The link is called a relationship. The boundary groups you link to are
called neighbor boundary groups. A boundary group can have more than one
relationship, each with a specific neighbor boundary group.

When a client fails to find an available site system in its current boundary group, the
configuration of each relationship determines when it begins to search a neighbor
boundary group. This search of other groups is called fallback.

For more information, see the following articles:

Example of using boundary groups
Create a boundary group
Configure a boundary group
Show boundary groups for devices

Fallback
To prevent problems when clients can't find an available site system in their current
boundary group, define the relationship between boundary groups for fallback
behavior. Fallback lets a client expand its search to other boundary groups to find an
available site system.
Relationships are configured on a boundary group properties Relationships tab. When
you configure a relationship, you define a link to a neighbor boundary group. For each
type of supported site system role, configure independent settings for fallback to the
neighbor boundary group. For more information, see Configure fallback behavior.

For example, when you configure a relationship to a specific boundary group, set
fallback for distribution points to occur after 20 minutes. The default is 120 minutes.
For a more detailed example, see Example of using boundary groups.

If a client fails to find an available site system role in its current boundary group, the
client uses the fallback time in minutes. This fallback time determines when the client
begins to search for an available site system associated with the neighbor boundary
group.

When a client can't find an available site system, it begins to search locations from
neighbor boundary groups. This behavior increases the pool of available site systems.
The configuration of boundary groups and their relationships defines the client's use of
this pool of available site systems.

A boundary group can have more than one relationship. With this configuration,
you can configure fallback for each type of site system to different neighbors to
occur after different periods of time.

Clients only fall back to a boundary group that's a direct neighbor of their current
boundary group.

When a client is a member of more than one boundary group, it defines its current
boundary group as a union of all its boundary groups. The client falls back to
neighbors of any of those original boundary groups.

Note

The state migration point role doesn't use fallback relationships. If you add both
the state migration point and distribution point roles to the same site system
server, don't configure fallback on its boundary group. If you need to use boundary
group fallback for the distribution point, add the state migration point role on a
different site system server.

The default site boundary group

You can create your own boundary groups, and each site has a default site boundary
group that Configuration Manager creates. This group is named
Default-Site-Boundary-Group<sitecode>. For example, the group for site ABC would be
named Default-Site-Boundary-Group<ABC>.

For each boundary group you create, Configuration Manager automatically creates an
implied link to each default site boundary group in the hierarchy.

The implied link is a default fallback option from a current boundary group to the
site's default boundary group. The default fallback time is 120 minutes.

For clients not in a boundary associated with any boundary group: to identify valid
site system roles, use the default site boundary group from their assigned site.

To manage fallback to the default site boundary group:

Open the properties of the site default boundary group, and change the values on
the Default Behavior tab. Changes you make here apply to all implied links to this
boundary group. When you configure an explicit link to this default site boundary
group from another boundary group, you override these default settings.

Open the properties of a custom boundary group. Change the values for the
explicit link to a default site boundary group. When you set a new time in minutes
for fallback or block fallback, that change affects only the link you're configuring.
Configuration of the explicit link overrides the settings on the Default Behavior tab
of a default site boundary group.
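The fallback rules in this section interact in ways that are easy to get wrong when you design relationships: the current boundary group is the union of every group containing the client's location, fallback reaches only direct neighbors, each role has its own timer, the state migration point never falls back, and every group has an implied 120-minute link to the default site boundary group unless an explicit link overrides it. The following is an added example, not code from the Configuration Manager documentation or product, that models those rules on constructed data so you can see which site systems a client can use at a given point in the timeline. Group, server and site names are made up, and the model is an assumption about the documented behavior, not the product's own algorithm.

```powershell
# Added example (not from the Configuration Manager documentation). Constructed
# boundary groups, relationships and site systems; the evaluation is a model of
# the documented fallback rules, not product code.

$DefaultGroup = 'Default-Site-Boundary-Group<PS1>'

# Site systems referenced by each boundary group, per role.
$SiteSystems = @{
    'BG-Branch' = @{ DP = @('DP-BRANCH01'); MP = @();              SUP = @();             SMP = @('SMP-BRANCH01') }
    'BG-Region' = @{ DP = @('DP-REGION01'); MP = @('MP-REGION01'); SUP = @();             SMP = @() }
    'BG-Core'   = @{ DP = @('DP-CORE01');   MP = @('MP-CORE01');   SUP = @('SUP-CORE01'); SMP = @() }
}
$SiteSystems[$DefaultGroup] = @{ DP = @('DP-CORE01'); MP = @('MP-CORE01'); SUP = @('SUP-CORE01'); SMP = @() }

# Explicit relationships: minutes before fallback, per role. $null = never fall back.
$Relationships = @(
    @{ From = 'BG-Branch'; To = 'BG-Region'; DP = 20; MP = 0;  SUP = 60 }
    @{ From = 'BG-Region'; To = 'BG-Core';   DP = 30; MP = 30; SUP = $null }
)

# Default Behavior tab of the default site boundary group: governs implied links.
$DefaultBehavior = @{ DP = 120; MP = 120; SUP = 120 }

function Get-UsableSiteSystems {
    param(
        [Parameter(Mandatory)][string[]]$CurrentGroups,   # every group containing the client's location
        [Parameter(Mandatory)][ValidateSet('DP','MP','SUP','SMP')][string]$Role,
        [int]$MinutesWaited = 0
    )
    # Start with the union of the client's current boundary groups.
    $groups = [System.Collections.Generic.List[string]]::new()
    foreach ($g in $CurrentGroups) { if (-not $groups.Contains($g)) { $groups.Add($g) } }

    if ($Role -ne 'SMP') {   # the state migration point role doesn't use fallback relationships
        foreach ($g in $CurrentGroups) {
            $explicitToDefault = $false
            # Only direct neighbors of a current group are ever reachable (no chaining).
            foreach ($rel in ($Relationships | Where-Object { $_.From -eq $g })) {
                if ($rel.To -eq $DefaultGroup) { $explicitToDefault = $true }
                $minutes = $rel[$Role]
                if ($null -ne $minutes -and $MinutesWaited -ge $minutes -and -not $groups.Contains($rel.To)) {
                    $groups.Add($rel.To)
                }
            }
            # Implied link to the default site boundary group, unless an explicit link overrides it.
            if (-not $explicitToDefault -and $MinutesWaited -ge $DefaultBehavior[$Role] -and
                -not $groups.Contains($DefaultGroup)) {
                $groups.Add($DefaultGroup)
            }
        }
    }

    $servers = foreach ($g in $groups) { $SiteSystems[$g][$Role] }
    [pscustomobject]@{
        Role    = $Role
        Minutes = $MinutesWaited
        Groups  = ($groups -join ', ')
        Servers = (@($servers | Where-Object { $_ } | Sort-Object -Unique) -join ', ')
    }
}

# A client whose location is only in BG-Branch, across the distribution point timeline:
foreach ($t in 0, 20, 119, 120) { Get-UsableSiteSystems -CurrentGroups 'BG-Branch' -Role DP -MinutesWaited $t }
# No management point in BG-Branch, but the relationship allows immediate fallback for MP:
Get-UsableSiteSystems -CurrentGroups 'BG-Branch' -Role MP -MinutesWaited 0
# State migration point: never expands beyond the current group, however long the client waits:
Get-UsableSiteSystems -CurrentGroups 'BG-Branch' -Role SMP -MinutesWaited 500
# A client in two groups falls back to the neighbors of both; BG-Core blocks SUP fallback:
Get-UsableSiteSystems -CurrentGroups 'BG-Branch', 'BG-Region' -Role SUP -MinutesWaited 60
```

Two things the output makes visible: BG-Core's distribution point is never offered to the BG-Branch client, because BG-Core is a neighbor of BG-Region rather than of BG-Branch, and the client only reaches a software update point once the implied 120-minute link to the default site boundary group kicks in, because the explicit BG-Region to BG-Core link blocks that role. If either surprises you in your own design, the fix is an explicit relationship, not a longer wait.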

Site assignment
You can configure each boundary group with an assigned site for clients.

A newly installed client that uses automatic site assignment joins the assigned site
of a boundary group that contains the client's current network location.

After assigning to a site, a client doesn't change its site assignment when it
changes its network location. For example, a client roams to a new network
location. This location is a boundary in a boundary group with a different site
assignment. The client's assigned site doesn't change.

When Active Directory System Discovery discovers a new resource, the site
evaluates network information for the resource against the boundaries in
boundary groups. This process associates the new resource with an assigned site
for use by the client push installation method.

When a boundary is a member of more than one boundary group, and those groups
have different assigned sites, clients randomly select one of the sites.

Changes to a boundary group's assigned site only apply to new site assignment
actions. Clients that were previously assigned to a site don't reevaluate their site
assignment based on changes to the configuration of a boundary group (or to
their own network location).

For more information about client site assignment, see Using automatic site assignment
for computers.

For more information on how to configure site assignment, see the following
procedures:

Configure site assignment and select site system servers

Configure a fallback site for automatic site assignment

Default site boundary group behavior supports cloud source selection
(Added in version 2207)

You can add options via PowerShell to include and prefer cloud management gateway
(CMG) management points for the default site boundary group. When you set up a site,
Configuration Manager creates a default site boundary group for it, and all clients map
to that group by default until their location falls in a custom boundary group.

Currently in the admin console, you can add references to the default site boundary
group, but the added references don't have any effect when the client requests the
management point list. Starting with technical preview version 2206, you can use
PowerShell cmdlets to include and prefer cloud-based sources for clients in the default
site boundary group. This action is currently only for the management point role.

Note

You can't currently configure this behavior from the Configuration Manager
console. For more information on configuring this behavior with PowerShell, see
the cmdlet details in the following section.

Set-CMDefaultBoundaryGroup
Use this cmdlet to modify the properties of a default site boundary group. You can set
the options to include and prefer the cloud-based sources for the clients in default site
boundary group.
Syntax

PowerShell

Set-CMDefaultBoundaryGroup [-IncludeCloudBasedSources <Boolean>] [-PreferCloudBasedSources <Boolean>]

Examples

PowerShell

Set-CMDefaultBoundaryGroup -IncludeCloudBasedSources $true -PreferCloudBasedSources $true

Set-CMDefaultBoundaryGroup -IncludeCloudBasedSources $true

Set-CMDefaultBoundaryGroup -IncludeCloudBasedSources $true -PreferCloudBasedSources $false

Parameters
IncludeCloudBasedSources: Specifies whether to include cloud-based sources in the
management point list for clients in the default site boundary group.

PreferCloudBasedSources: Specifies whether to prefer cloud-based sources in the
management point list for clients in the default site boundary group. When you set
this option, clients give preference to cloud-based servers.

Note

You can only set PreferCloudBasedSources to true if IncludeCloudBasedSources is
also set to true in the same command, or was already set to true.

Next steps
Boundary group options

Procedures for boundary groups


Note

Some sections that were previously in this article have moved:

Show boundary groups for devices


Distribution points
Boundary group options
Software update points
Management points
Preferred management points
Overlapping boundaries
Example of using boundary groups
Boundary group options
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To give you more control over policy and content distribution in your environment,
boundary groups include several options to configure behaviors. These settings
primarily apply to downloading content from peer sources. There's also a setting for
clients to prefer policy and content from cloud-based sources.

For more information on how to configure these settings, see Configure a boundary
group.

If a device is in more than one boundary group, the following behaviors apply for these
settings:

Allow peer downloads in this boundary group: If it's disabled in any one
boundary group, the client won't use delivery optimization.
During peer downloads, only use peers within the same subnet: If it's enabled
in any one boundary group, this setting takes effect.
Prefer distribution points over peers within the same subnet: If it's enabled in
any one boundary group, this setting takes effect.
Prefer cloud based sources over on-premises sources: If it's enabled in any one
boundary group, this setting takes effect.

Allow peer downloads in this boundary group

This setting is enabled by default. The management point provides clients a list of
content locations that includes peer sources. This setting also affects applying Group IDs
for Delivery Optimization.

There are two common scenarios in which you should consider disabling this option:

If you have a boundary group that includes boundaries from geographically
dispersed locations such as a VPN. Two clients may be in the same boundary
group because they're connected through VPN, but in vastly different locations
that are inappropriate for peer sharing of content.

If you use a single, large boundary group for site assignment that doesn't
reference any distribution points.

Important

If a device is in more than one boundary group, make sure to enable this setting on
all boundary groups for the device. Otherwise the client won't use delivery
optimization. For example, it doesn't set the DOGroupID registry key.

During peer downloads, only use peers within the same subnet

This setting is dependent upon the preceding option. If you enable this option, the
management point only includes in the content location list peer sources that are in the
same subnet as the client.

Common scenarios for enabling this option:

Your boundary group design for content distribution includes one large boundary
group that overlaps other smaller boundary groups. With this new setting, the list
of content sources that the management point provides to clients only includes
peer sources from the same subnet.

You have a single large boundary group for all remote office locations. Enable this
option and clients only share content within the subnet at the remote office
location, instead of risking sharing content between locations.

Depending on the configuration of your network, you can exclude certain subnets for
matching. For example, you want to include a boundary but exclude a specific VPN
subnet. By default, Configuration Manager excludes the default Teredo subnet
(2001:0000:%).

Note

When you expand a stand-alone primary site to add a central administration site
(CAS), the subnet exclusion list reverts to the default. To work around this issue,
after site expansion, run the PowerShell script to customize the subnet exclusion list
on the CAS.

Import your subnet exclusion list as a comma-separated subnet string. Use the percent
sign (%) as a wildcard character. On the top-level site server, set or read the
SubnetExclusionList embedded property for the SMS_HIERARCHY_MANAGER
component in the SMS_SCI_Component class. For more information, see
SMS_SCI_Component server WMI class.
Sample PowerShell script to update the subnet exclusion list

The following script is a sample way of changing this value. Append your subnets to the
PropertyValue variable after 2001:0000:%,172.16.16.0. It's a comma-separated string.
Run this script on the top-level site server in your hierarchy.

PowerShell

# Subnets to exclude from same-subnet peer matching, as a comma-separated string.
# This sample overwrites the whole value, so keep the Teredo default (2001:0000:%)
# and append your own entries after it.
$PropertyValue = "2001:0000:%,172.16.16.0"
$PropertyName = "SubnetExclusionList"

# Locate the SMS Provider; take the first one if several are registered.
$providerMachine = Get-WmiObject -Class "SMS_ProviderLocation" -Namespace "root\sms"
if ($providerMachine -is [system.array])
{
    $providerMachine = $providerMachine[0]
}
$SiteCode = $providerMachine.SiteCode

# Read the SMS_HIERARCHY_MANAGER component of the top-level site (the site whose
# ParentSiteCode is empty).
$component = Get-WmiObject -Query 'select comp.* from sms_sci_component comp join SMS_SCI_SiteDefinition sdef on sdef.SiteCode=comp.SiteCode where sdef.ParentSiteCode="" and comp.componentname="SMS_HIERARCHY_MANAGER"' -ComputerName $providerMachine.Machine -Namespace root\sms\site_$SiteCode

$properties = $component.props
Write-Host "Updating property for site " $SiteCode

# Find the embedded SubnetExclusionList property and replace its value.
foreach ($property in $properties)
{
    if ($property.propertyname -like $PropertyName)
    {
        Write-Host "Current value for SubnetExclusionList is " $property.value1
        $property.value1 = $PropertyValue
        Write-Host "Updating value for SubnetExclusionList to " $property.value1
        break
    }
}

# Write the modified property list back to the component.
$component.props = $properties
$component.put()

Note

By default, Configuration Manager includes the Teredo subnet in this list. When you
change the list, always read the existing value first. Append additional subnets to
the list, and then set the new value.
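The sample script above replaces the whole value, so a typo in PropertyValue silently drops the Teredo default or a subnet a colleague added earlier. The following function is an added example, not part of the documentation or the product: it reads the current SubnetExclusionList with the same WMI classes, appends only the subnets that aren't already present, and supports a preview run. The function name, its parameters and the two subnets in the usage line are constructed for this example.

```powershell
# Added example (not from the Configuration Manager docs): read, merge, then write
# the SubnetExclusionList instead of overwriting it. Run on the top-level site server
# in Windows PowerShell, like the sample script. Function and parameter names are
# this example's own, not product cmdlets.
function Add-SubnetExclusionEntry {
    param(
        # Subnets to append, for example "10.20.30.0" or "192.168.%" (% is the wildcard)
        [Parameter(Mandatory)][string[]] $Subnet,
        # Preview only: report the merged list without writing it back
        [switch] $Preview
    )

    # Locate the SMS Provider and the site code, as the sample script does
    $provider = Get-WmiObject -Class "SMS_ProviderLocation" -Namespace "root\sms"
    if ($provider -is [System.Array]) { $provider = $provider[0] }
    $siteCode = $provider.SiteCode

    # Same query as the sample script: SMS_HIERARCHY_MANAGER at the site with no parent
    $query = 'select comp.* from SMS_SCI_Component comp ' +
             'join SMS_SCI_SiteDefinition sdef on sdef.SiteCode=comp.SiteCode ' +
             'where sdef.ParentSiteCode="" and comp.ComponentName="SMS_HIERARCHY_MANAGER"'
    $component = Get-WmiObject -Query $query -ComputerName $provider.Machine `
                               -Namespace "root\sms\site_$siteCode"

    $properties = $component.Props
    $entry = $properties | Where-Object { $_.PropertyName -eq "SubnetExclusionList" }
    if (-not $entry) { throw "SubnetExclusionList property not found on site $siteCode" }

    # Read first: split the comma-separated string and drop empty items
    $current = @($entry.Value1 -split "," | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Merge, keeping the existing order (so the Teredo default stays) and skipping duplicates
    $merged = [System.Collections.Generic.List[string]]::new()
    foreach ($s in ($current + $Subnet)) {
        if (-not $merged.Contains($s)) { $merged.Add($s) }
    }
    $newValue = $merged -join ","

    Write-Host "Site $siteCode current value: $($entry.Value1)"
    Write-Host "Site $siteCode merged value:  $newValue"
    if ($Preview) { return $newValue }

    # $entry is the same embedded object that sits in $properties, so this edit is
    # carried back to the component when the property array is assigned and saved
    $entry.Value1 = $newValue
    $component.Props = $properties
    $null = $component.Put()
    return $newValue
}

# Usage: preview the merge for two constructed subnets, then run again without
# -Preview to commit it
Add-SubnetExclusionEntry -Subnet "10.20.30.0", "10.20.31.0" -Preview
```

Run the preview on the CAS again after a site expansion, since the note above says the list reverts to the default then.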

Prefer distribution points over peers within the same subnet

By default, the management point prioritizes peer cache sources at the top of the list of
content locations. This setting reverses that priority for clients that are in the same
subnet as the peer cache source.

Tip

This behavior applies to the Configuration Manager client. It doesn't apply when
the task sequence downloads content. When the task sequence runs, it prefers peer
cache sources over distribution points.

Prefer cloud based sources over on-premises sources

If you have a branch office with a faster internet link, you can prioritize cloud-based
sources, which include the following locations:

Cloud management gateway (CMG). Clients will prefer the CMG for both policy
and content.
Starting in version 2203, this setting also applies for software update scanning.
To reduce the performance impact of this change, existing clients don't
automatically switch to a cloud-based software update point. For more
information, see Boundary groups and software update points.
Microsoft Update
You can only use Microsoft Update as a source when you enable the following
option in the software update deployment download settings: If software
updates are not available on distribution point in current, neighbor or site
boundary groups, download content from Microsoft Updates.

Next steps
Boundary groups and distribution points

Procedures for boundary groups


Boundary groups and distribution points
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When a client requests the location of a distribution point, Configuration Manager
sends the client a list of site systems. These site systems are of the appropriate type
associated with each boundary group that includes the client's current network location.

During software distribution, clients request a location for deployment content on
a valid content source. This location may be a distribution point, or a peer cache
source.

During OS deployment, clients request a location to send or receive their state
migration information.

Clients get content based on boundary group behaviors. For more information,
see Task sequence support for boundary groups.

During content deployment, if a client requests content that isn't available from a source
in its current boundary group, the client continues to request that content. The client
tries different content sources in its current boundary group until it reaches the fallback
period for a neighbor or the default site boundary group. If the client still hasn't found
content, it then expands its search for content sources to include the neighbor boundary
groups.

If you configure the content to distribute on-demand, and it isn't available on a
distribution point when a client requests it, the site begins to transfer the content to that
distribution point. It's possible the client finds that server as a content source before
falling back to use a neighbor boundary group.

Client installation
The Configuration Manager client installer, ccmsetup, can get installation content from a
local source or via a management point. Its initial behavior depends upon the
command-line parameters you use to install the client:

If you don't use either the /mp or /source parameter, ccmsetup tries to get a list of
management points from Active Directory or DNS.

If you only specify /source, it forces the installation from the specified path. It
doesn't discover management points. If it can't find ccmsetup.cab at the specified
path, ccmsetup fails.

If you specify both /mp and /source, it checks the specified management points,
and any it discovers. If it can't locate a valid management point, it falls back to the
specified source path.

For more information on these ccmsetup parameters, see Client installation parameters
and properties.

When ccmsetup contacts the management point to locate the necessary content, the
management point returns distribution points based on boundary group configuration.
If you define relationships on the boundary group, the management point returns
distribution points in the following order:

1. Current boundary group

2. Neighbor boundary groups

3. The site default boundary group

Note

The client setup process doesn't use the fallback time. To locate content as quickly
as possible, it immediately falls back to the next boundary group.

In previous versions of Configuration Manager, during this process the
management point only returned distribution points in the client's current
boundary group. If no content was available, the setup process fell back to
download content from the management point. There was no option to fall back to
distribution points in other boundary groups that might have the necessary
content.

Task sequence support

When a device runs a task sequence and needs to acquire content, it uses boundary
group behaviors similar to the Configuration Manager client.

Configure this behavior using the following settings on the Distribution Points page of
the task sequence deployment:
When no local distribution point is available, use a remote distribution point: For
this deployment, the task sequence can fall back to distribution points in a
neighbor boundary group.

Allow clients to use distribution points from the default site boundary group: For
this deployment, the task sequence can fall back to distribution points in the
default site boundary group.

To use this new behavior, make sure to update clients to the latest version.

Location priority
The task sequence tries to acquire content in the following order:

1. Peer cache sources

2. Distribution points in the current boundary group

3. Distribution points in a neighbor boundary group

Important

Due to the real-time nature of task sequence processing, it doesn't wait for
the failover time on a neighbor boundary group. It uses the failover times for
prioritizing the neighbor boundary groups. For example, if the task sequence
fails to acquire content from a distribution point in its current boundary
group, it immediately tries a distribution point in a neighbor boundary group
with the shortest failover time. If that process fails, it then fails over to a
distribution point in a neighbor boundary group with a larger failover time.

For content like applications and software updates, which are downloaded by
the client and not the task sequence engine, the client behaves as normal. In
other words, if you install applications or software updates from a task
sequence, when the client tries to download the content it will wait for
boundary group failover.

4. Distribution points in the site default boundary group

The task sequence log file smsts.log shows the priority of the location sources that it
uses based on the deployment properties.

Next steps
Boundary groups and software update points

Procedures for boundary groups


Boundary groups and software update points
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Clients use boundary groups to find a new software update point. To control which
servers a client can find, add individual software update points to different boundary
groups.

If you add all existing software update points to the default site boundary group, the
client selects a software update point from the pool of available servers. This behavior is
similar to earlier versions of Configuration Manager current branch. For controlled
selection and fallback behavior, add individual software update points to different
boundary groups.

If you install a new site, software update points aren't added to the default site
boundary group. Assign software update points to a boundary group so that clients can
find and use them.

Fallback
Configure software update point fallback like other site system roles, but with the
following caveats.

New clients use boundary groups to select software update points

When you install new clients, they select a software update point from those servers
associated with the boundary groups you configure. This behavior replaces the previous
behavior where clients select a software update point randomly from a list of the servers
that share the client's forest.

Clients continue to use a last known-good software update point until they fall back to
find a new one

Clients that already have a software update point continue to use it until it can't be
reached. This behavior includes continued use of a software update point that isn't
associated with the client's current boundary group.
This behavior is intentional. The client continues to use an existing software update
point, even when it isn't in the client's current boundary group. When the software
update point changes, the client synchronizes data with the new server, which causes
significant network usage. If all clients switch to a new server at the same time, the delay
in transition helps to avoid saturating your network.

A client always tries to reach its last known-good software update point for 120 minutes
before starting fallback

After 120 minutes, if the client hasn't established contact, it then begins fallback. When
fallback starts, the client receives a list of all software update points in its current
boundary group. Other software update points in neighbor and site default boundary
groups are available based on fallback configurations.

Fallback configurations
You can configure Fallback times (in minutes) for software update points to be less than
120 minutes. However, the client still tries to reach its original software update point for
120 minutes. Then it expands its search to other servers. Boundary group fallback times
start when the client first fails to reach its original server. When the client expands its
search, the site provides any boundary groups configured for less than 120 minutes.

To block fallback for a software update point to a neighbor boundary group, configure
the setting to Never fallback.

After failing to reach its original server for two hours, the client then uses a shorter cycle
to establish a connection to a new software update point. This behavior enables the
client to rapidly search through the expanding list of potential software update points.

Example
You configure software update points in boundary group A to fall back after 10 minutes.
You configure the same setting for boundary group B to 130 minutes. A client in
boundary group Z fails to reach its last known-good software update point.

For the next 120 minutes, the client tries to reach only its original server in
boundary group Z. After 10 minutes, Configuration Manager adds the software
update points from boundary group A to the pool of available servers. However,
the client doesn't try to contact them or any other server until the initial
120-minute period elapses.

After trying to contact the original software update point for 120 minutes, the
client expands its search. It adds servers to the available pool of software update
points that are in its current and any neighbor boundary groups configured for
120 minutes or less. This pool includes the servers in boundary group A, which
were previously added to the pool of available servers.

After 10 more minutes, the client expands the search to include software update
points from boundary group B. This period is 130 minutes of total time after the
client first failed to reach its last known-good software update point.

Manually switch to a new software update point

Along with fallback, use client notification to manually force a device to switch to a new
software update point.

When you switch to a new server, the devices use fallback to find that new server.
Clients switch to the new software update point during their next software updates scan
cycle.

Review your boundary group configurations. Before you start this change, make sure
that your software update points are in the correct boundary groups.

For more information, see Manually switch clients to a new software update point.

Intranet clients can use a CMG software update point

Intranet clients can access a software update point via a cloud management gateway
(CMG). Assign the CMG to a boundary group, and enable the software update point to
Allow Configuration Manager cloud management gateway traffic.

This behavior is useful in the following scenarios:

When an internet machine connects to the VPN, it will continue to scan against the
CMG software update point over the internet.

If the only software update point for the boundary group is the CMG software
update point, then all intranet and internet devices will scan against it.

Prefer cloud-based software update points (Introduced in version 2203)

Starting in version 2203, clients prefer to scan against a cloud management gateway
(CMG) software update point (SUP) over an on-premises SUP when the boundary group
uses the Prefer cloud based source over on-premises source option. To reduce the
performance impact of this change, clients don't automatically switch their SUP to a
cloud-based SUP. The client will stay assigned to their current SUP unless their current
SUP fails or the client is manually switched to a new SUP. You won't need to manually
switch the SUP for any new clients added to the environment after the boundary group
option is set.

Use the following high-level guidance to set your clients to prefer a cloud-based
software update point:

1. Ensure your cloud management gateway is configured and functional.

2. Verify that your software update points are functional and synchronized.

3. Enable the Allow Configuration Manager cloud management gateway traffic
option for any SUP you want to use with CMG.

4. Configure the boundary group for this behavior by enabling the Prefer cloud
based sources over on-premises sources option and adding the CMG SUP server
to the Site system servers list.

5. To manually switch clients to a new SUP, use the Switch to next Software Update
Point client notification action for a device or for a collection.

   Clients in the boundary group don't automatically switch to a new SUP
   unless scanning against their current SUP fails four times over the course of
   two hours.

   You won't need to manually switch the SUP for any new clients added to the
   environment after the boundary group option is set.

6. To verify that clients prefer the CMG SUP, start a software update scan cycle on
some of the clients that you switched.

   To limit potential performance issues caused by a large number of clients
   scanning against a new SUP simultaneously, we recommend that if you're
   immediately calling a scan cycle on a large number of clients that you start
   with no more than 100 clients every 10-15 minutes. Increase or decrease the
   number of clients and the frequency once you gauge the performance impact
   in your environment.

Next steps
Boundary groups and management points

Procedures for boundary groups


Boundary groups and management points
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configure fallback relationships for management points between boundary groups. This
behavior provides greater control for the management points that clients use. On the
Relationships tab of the boundary group properties, there's a column for management
point. When you add a new fallback boundary group, the fallback time for the
management point is currently always zero (0). This behavior is the same for the Default
Behavior on the site default boundary group.

Previously, a common problem occurred when you had a protected management point
in a secure network. Clients on the main network received policy that included this
protected management point, even though they couldn't communicate with it across a
firewall. To address this problem now, use the Never fallback option to make sure that
clients only fall back to management points with which they can communicate.

Note

If you enable distribution points in the site default boundary group to fallback, and
a management point is collocated on a distribution point, the site also adds that
management point to the site default boundary group.

If a client is in a boundary group with no assigned management point, the site gives the
client the entire list of management points. This behavior makes sure that a client always
receives a list of management points.

Tip

If you enable the option to Prefer cloud-based sources over on-premises sources
then clients will prefer a cloud management gateway (CMG) for both policy and
content.

Management point boundary group fallback doesn't change the behavior during client
installation (ccmsetup.exe). If the command line doesn't specify the initial management
point using the /MP parameter, the new client receives the full list of available
management points. For its initial bootstrap process, the client uses the first
management point it can access. Once the client registers with the site, it receives the
management point list properly sorted with this new behavior.

For more information on the client's behavior to acquire content during installation, see
Client installation.

During client upgrade, if you don't specify the /MP command-line parameter, the client
queries sources such as Active Directory and WMI for any available management point.
Client upgrade doesn't honor the boundary group configuration.

For clients to use this capability, enable the following setting: Clients prefer to use
management points specified in boundary groups in Hierarchy Settings.

Note

OS deployment processes aren't aware of boundary groups for management
points.

Troubleshoot
New entries appear in the LocationServices.log. The Locality attribute identifies one of
the following states:

0: Unknown

1: The specified management point is only in the site default boundary group for
fallback.

2: The specified management point is in a remote or neighbor boundary group.
When the management point is in both a neighbor and the site default boundary
groups, the locality is 2.

3: The specified management point is in the local or current boundary group.
When the management point is in the current boundary group and either a
neighbor or the site default boundary group, the locality is 3. If you don't enable
the preferred management points setting in Hierarchy Settings, the locality is
always 3 no matter which boundary group the management point is in.

Clients use local management points first (locality 3), remote second (locality 2), then
fallback (locality 1).

When a client receives five errors in 10 minutes and fails to communicate with a
management point in its current boundary group, it tries to contact a management
point in a neighbor or the site default boundary group. If the management point in the
current boundary group later comes back online, the client returns to the local
management point on the next refresh cycle. The refresh cycle is 24 hours, or when the
Configuration Manager agent service restarts.

Preferred management points

Note

When you enable Clients prefer to use management points specified in boundary
groups, Configuration Manager uses the boundary group functionality for the
assigned management point.

Preferred management points enable a client to identify a management point that's
associated with its current network location (boundary).

A client tries to use a preferred management point from its assigned site before
using one not configured as preferred from its assigned site.

To use this option, enable Clients prefer to use management points specified in
boundary groups in Hierarchy Settings. Then configure boundary groups at
individual primary sites. Include the management points that should be associated
with that boundary group's associated boundaries. For more information, see
Enable use of preferred management points.

When you configure preferred management points, and a client organizes its list of
management points, the client places the preferred management points at the top
of its list. This list includes all management points from the client's assigned site.

Note

Client roaming means it changes its network locations. For example, when a laptop
travels to a remote office location. When a client roams, it might use a
management point from the local site before attempting to use a server from its
assigned site. This list of servers from its assigned site includes the preferred
management points. For more information, see Understand how clients find site
resources and services.

Next steps
Example of using boundary groups

Procedures for boundary groups


Example of using boundary groups
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The following example uses a client searching for content from a distribution point. This
example can be applied to other site system roles that use boundary groups.

Create three boundary groups that don't share boundaries or site system servers:

Group BG_A with distribution points DP_A1 and DP_A2

Group BG_B with distribution points DP_B1 and DP_B2

Group BG_C with distribution points DP_C1 and DP_C2

Add the network locations of your clients as boundaries to only the BG_A boundary
group. Then configure relationships from that boundary group to the other two
boundary groups:

Configure distribution points for the first neighbor group (BG_B) to be used after
10 minutes. This group contains distribution points DP_B1 and DP_B2. Both are
well connected to the first group's boundary locations.

Configure the second neighbor group (BG_C) to be used after 20 minutes. This
group contains distribution points DP_C1 and DP_C2. Both are across a WAN from
the other two boundary groups.

Also add to the default site boundary group another distribution point that's on
the site server. This server is your least preferred content source location, but it's
centrally located to all your boundary groups.

Example of boundary groups and fallback times:


With this configuration:

The client begins searching for content from distribution points in its current
boundary group (BG_A). It searches each distribution point for two minutes, and
then switches to the next distribution point in the boundary group. The client's
pool of valid content source locations includes DP_A1 and DP_A2.

If the client fails to find content from its current boundary group after searching for
10 minutes, it then adds the distribution points from the BG_B boundary group to
its search. It then continues to search for content from a distribution point in its
combined pool of servers. This pool now includes servers from both the BG_A and
BG_B boundary groups. The client continues to contact each distribution point for
two minutes, and then switches to the next server in its pool. The client's pool of
valid content source locations includes DP_A1, DP_A2, DP_B1, and DP_B2.

After another 10 minutes (20 minutes total), if the client still hasn't found a
distribution point with content, it expands its pool to include available servers from
the second neighbor group, boundary group BG_C. The client now has six
distribution points to search: DP_A1, DP_A2, DP_B1, DP_B2, DP_C1, and DP_C2. It
continues changing to a new distribution point every two minutes until it finds
content.

If the client hasn't found content after a total of 120 minutes, it falls back to
include the default site boundary group as part of its continued search. Now the
pool includes all distribution points from the three configured boundary groups,
and the final distribution point located on the site server. The client then continues
its search for content, changing distribution points every two minutes until content
is found.
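The two timelines on this page (the software update point example, where neighbor groups are held back by the 120-minute retry of the last known-good server, and the distribution point example above) follow the same small set of rules. The following function is an added example, not from the documentation or the product: it models those rules so you can check which servers a client may use at a given minute, including a group set to Never fallback. All group and server names are constructed for this example.

```powershell
# Added example (not from the Configuration Manager docs): a model of the fallback
# timelines described on this page. Given an elapsed time since the client first
# failed to reach a source, it returns the servers the client may use at that point.
function Get-FallbackPool {
    param(
        [Parameter(Mandatory)][ValidateSet("DistributionPoint", "SoftwareUpdatePoint")]
        [string] $Role,
        # Minutes since the client first failed to reach a source in its current group
        [Parameter(Mandatory)][int] $ElapsedMinutes,
        # Ordered groups as @{ Name; Servers; FallbackMinutes }: 0 for the current
        # group, the configured time for neighbors and the default site group,
        # and $null for "Never fallback"
        [Parameter(Mandatory)][hashtable[]] $Groups,
        # Software update points only: the last known-good server the client keeps
        # retrying before fallback starts
        [string] $LastKnownGood
    )

    $pool = [System.Collections.Generic.List[string]]::new()
    foreach ($g in $Groups) {
        if ($null -eq $g.FallbackMinutes) { continue }   # Never fallback: never added

        $availableAt = [int]$g.FallbackMinutes
        if ($Role -eq "SoftwareUpdatePoint") {
            # A client retries its original SUP for 120 minutes before expanding its
            # search, so no group is usable earlier than that; groups configured for
            # more than 120 minutes keep their own time (the 130-minute case above).
            $availableAt = [Math]::Max(120, $availableAt)
        }

        if ($ElapsedMinutes -ge $availableAt) {
            foreach ($s in $g.Servers) {
                if (-not $pool.Contains($s)) { $pool.Add($s) }
            }
        }
    }

    # Before fallback starts, a SUP client only tries its last known-good server
    if ($Role -eq "SoftwareUpdatePoint" -and $pool.Count -eq 0 -and $LastKnownGood) {
        $pool.Add($LastKnownGood)
    }
    return ,$pool.ToArray()
}

# Distribution point example above: BG_A is current, BG_B after 10 minutes, BG_C
# after 20, the default site boundary group after 120, plus a constructed BG_Secure
# group set to Never fallback to show that its server never enters the pool.
$dpGroups = @(
    @{ Name = "BG_A";      Servers = @("DP_A1", "DP_A2"); FallbackMinutes = 0 },
    @{ Name = "BG_B";      Servers = @("DP_B1", "DP_B2"); FallbackMinutes = 10 },
    @{ Name = "BG_C";      Servers = @("DP_C1", "DP_C2"); FallbackMinutes = 20 },
    @{ Name = "BG_Secure"; Servers = @("DP_S1");          FallbackMinutes = $null },
    @{ Name = "Default";   Servers = @("DP_SiteServer");  FallbackMinutes = 120 }
)
foreach ($t in 0, 10, 20, 119, 120) {
    $pool = Get-FallbackPool -Role DistributionPoint -ElapsedMinutes $t -Groups $dpGroups
    "DP  {0,3} min: {1}" -f $t, ($pool -join ", ")
}

# Software update point example above: BG_A falls back after 10 minutes, BG_B after
# 130; the client in BG_Z keeps retrying its last known-good server for 120 minutes.
$supGroups = @(
    @{ Name = "BG_Z"; Servers = @("SUP_Z1", "SUP_Z2"); FallbackMinutes = 0 },
    @{ Name = "BG_A"; Servers = @("SUP_A1");           FallbackMinutes = 10 },
    @{ Name = "BG_B"; Servers = @("SUP_B1");           FallbackMinutes = 130 }
)
foreach ($t in 10, 119, 120, 130) {
    $pool = Get-FallbackPool -Role SoftwareUpdatePoint -ElapsedMinutes $t `
        -Groups $supGroups -LastKnownGood "SUP_Z1"
    "SUP {0,3} min: {1}" -f $t, ($pool -join ", ")
}
```

The model only covers which servers are eligible; the two-minute rotation between distribution points and the client's actual choice within the pool are not simulated.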

By configuring the different neighbor groups to be available at different times, you
control when specific distribution points are added as a content source location. The
client uses fallback to the default site boundary group as a safety net for content that
isn't available from any other location.

Next steps
Procedures for boundary groups


How to configure boundary groups for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article includes procedures on how to view and configure boundary groups. Before
you begin, make sure you understand boundary group concepts. For more information,
see Boundary groups.

Show boundary groups for devices

To help you better identify and troubleshoot device behaviors with boundary groups,
you can view the boundary groups for specific devices. In the Devices node or when you
show the members of a Device Collection, add the Boundary Group(s) column to the
list view.

If a device is in more than one boundary group, the value is a comma-separated
list of boundary group names.

The data updates when the client makes a location request to the site, or at most
every 24 hours.

If a client is roaming and not a member of a boundary group, the value is blank.

Note

This information is site data and only available on primary sites. You won't see a
value for this column when you connect the Configuration Manager console to a
central administration site (CAS). For more information, see Types of data.

Create a boundary group

1. In the Configuration Manager console, go to the Administration workspace,
expand Hierarchy Configuration, and select the Boundary Groups node.

2. On the Home tab, in the Create group, select Create Boundary Group.

3. In the Create Boundary Group dialog box, on the General tab, specify a Name for
this boundary group. Optionally include a Description.

4. Select OK to save the new boundary group, or continue to the next section to
configure the boundary group.

Configure a boundary group

1. In the Configuration Manager console, go to the Administration workspace,
expand Hierarchy Configuration, and select the Boundary Groups node.

2. Select the boundary group you want to modify, and select Properties in the
ribbon. This action opens the boundary group Properties window.

Configure the following settings:

Add or remove boundaries
Configure site assignment and select site system servers
Configure fallback behavior
Configure boundary group options

Add or remove boundaries

In the boundary group Properties window, use the General tab to modify the
boundaries that are members of this boundary group:

To add boundaries, select Add. In the Add Boundaries window, select the check
box for one or more boundaries, and select OK.

To remove boundaries, select the boundary in the list, and select Remove.

Configure site assignment and select site system servers

To modify the site assignment and associated site system server configuration, switch to
the References tab in the boundary group Properties window.

To enable this boundary group for use by clients for site assignment, select Use
this boundary group for site assignment. Then select a site from the Assigned site
dropdown list. For more information, see Site assignment.

To associate available site system servers with this boundary group, select Add. The
Add Site Systems window only lists servers that have supported site system roles.
Select the check box for one or more servers, and select OK. It adds them as
associated site system servers for this boundary group.

Note

You can select any combination of available site systems from any site in the
hierarchy. Selected site systems are listed on the Site Systems tab in the
properties of each boundary that's a member of this boundary group.

To remove a server from this boundary group, select the server and then select
Remove.

Note

To stop use of this boundary group for associating site systems, remove all
servers listed as associated site system servers.

Configure fallback behavior

To configure fallback behavior, switch to the Relationships tab in the boundary group
Properties window.

To create a relationship with another boundary group:

Select Add. In the Fallback Boundary Groups window, select the boundary
group to configure.

Set a fallback time for the following site system roles:

Distribution point

Software update point

Management point

Note

For example, you open the Properties window for the Branch Office
boundary group. In the Fallback Boundary Groups window, you select
the Main Office boundary group. You set the distribution point fallback
time to 20. When you save this configuration, clients in the Branch
Office boundary group will start searching for content from the
distribution points in the Main Office boundary group after 20 minutes.

To prevent fallback to a specific boundary group, select the boundary group,
and then select Never fallback for the type of site system role. This action can
include the default site boundary group.

To modify the configuration of an existing relationship, select the boundary group
in the list, and select Change. This action opens the Fallback Boundary Groups
window for just this boundary group.

To remove a relationship, select the boundary group in the list, and select Remove.

For more information, see Fallback.

Configure boundary group options

To configure options for clients in this boundary group, switch to the Options tab. For
more information, see Boundary group options.

Allow peer downloads in this boundary group: This option is enabled by default.
The management point provides clients a list of content locations that includes
peer sources.

During peer downloads, only use peers within the same subnet: This setting is
dependent upon the one above. If you enable this option, the management
point only includes in the content location list peer sources that are in the same
subnet as the client.

Prefer distribution points over peers within the same subnet: By default, the
management point prioritizes peer cache sources at the top of the list of
content locations. This setting reverses that priority for clients in the same
subnet as a peer cache source.

Prefer cloud based sources over on-premises sources: A common scenario is if
you have a branch office with a faster internet link, you can prioritize cloud content
and policy. This behavior includes cloud management gateways (CMG) or
Microsoft Update.

Note

Starting in version 2203, this setting also applies for software update
scanning. To reduce the performance impact of this change, existing clients
don't automatically switch to a cloud-based software update point. For more
information, see Boundary groups and software update points.

Configure a fallback site for automatic site assignment
If clients aren't in a boundary group with an assigned site, assign them to this site when
they're installed.

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. On the Home tab of the ribbon, in the Sites group, select Hierarchy Settings.

3. On the General tab, select the checkbox to Use a fallback site. Then select a site
from the Fallback site drop-down list.

4. Select OK to save the configuration.

For more information, see Site assignment.

Enable use of preferred management points

For more information, see Preferred management points.

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. On the Home tab of the ribbon, in the Sites group, select Hierarchy Settings.

3. On the General tab, select Clients prefer to use management points specified in
boundary groups.

4. Select OK to save the configuration.


High availability options for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article describes how to deploy Configuration Manager using options that maintain
a high level of available service.

The following Configuration Manager options support high availability:

Configure any central administration or primary site with an additional site server
in passive mode.

Configure a SQL Server Always On availability group for the site database at
primary sites and the central administration site.

Sites support multiple instances of site system roles that provide important
services to clients. For example, management points and distribution points.

Central administration sites and primary sites support the backup of the site
database. The site database stores all the configurations for sites and clients. The
sites in a hierarchy share this configuration data.

Built-in site recovery options can reduce server downtime. These advanced options
simplify recovery when you have a hierarchy with a central administration site.

Clients can automatically remediate typical issues without administrative
intervention.

Sites generate alerts about clients that fail to submit recent data, which alerts
administrators to potential problems.

Configuration Manager provides several built-in reports and dashboards. Use
these to identify problems and trends before they become problems for server or
client operations.

Configuration Manager includes several features that provide near real-time service. If
these features are critical to meet your business requirements, plan and configure your
sites and hierarchies for high availability. For example:

Client notification actions, such as restart, start Windows Defender scans, or
remote desktop.

State-based messages for monitoring features such as software updates and
endpoint protection.

Scripts

CMPivot

Other features of Configuration Manager don't provide real-time service. These features
include, but aren't limited to, client settings, hardware and software inventory, software
deployments, and compliance settings. Expect them to operate with some data latency.
It's unusual for most scenarios that involve a temporary interruption of service to
become a critical problem. To minimize downtime, maintain autonomy of operations,
and provide a high level of service, configure your sites and hierarchies with high
availability in mind.

For example, Configuration Manager clients typically operate autonomously by using
known schedules and configurations for operations, and schedules to submit data to the
site for processing.

When clients can't contact the site, they cache data to be submitted until they can
contact the site.

Clients that can't contact the site continue to operate. They use the last known
schedules and cached information, until they can contact the site and receive new
policies. For example, a client may keep a previously downloaded application that
they must run or install.

The site monitors its site systems and clients for periodic status updates. It can
generate alerts when these components fail to register.

Built-in reports provide insight to ongoing operations, historical operations, and
current trends. Configuration Manager also supports state-based messages that
provide near real-time information for ongoing operations.

High availability for sites and hierarchies

Use a site server in passive mode

Install an additional site server in passive mode for a central administration or primary
site. The site server in passive mode is in addition to your existing site server in active
mode. A site server in passive mode is available for immediate use, when needed. For
more information, see Site server high availability.

Use a remote content library

Move the site's content library to a remote location that provides highly available
storage. This feature is a requirement for site server high availability. For more
information, see Configure a remote content library for the site server.

Centralize content sources

All software content in Configuration Manager requires a package source location on
the network. Use centralized, highly available storage to host a common package source
location for all content.

Use a SQL Server Always On solution for the site database

Configuration Manager supports the following SQL Server Always On solutions for the
site database:

Host the site database at primary sites and the central administration site in an
availability group. For more information, see Prepare to use a SQL Server Always
On availability group.

Use a failover cluster instance for the database at a central administration site or
primary site. For more information, see Use a SQL Server Always On failover cluster
instance.

Secondary sites can't use SQL Server Always On, and don't support backup or
restoration of their site database. Recover a secondary site by reinstalling the secondary
site from its parent primary site.

Deploy a hierarchy of sites with a central administration site, and one or more child
primary sites

This configuration can provide fault tolerance when your sites manage overlapping
segments of your network. It also offers an additional recovery option to use the
information in the shared database available at another site, to rebuild the site database
at the recovered site. Use this option to replace a failed or unavailable backup of the
failed site's database.

Create regular backups at central administration sites and primary sites

When you create and test a regular site backup, this makes sure that you have the data
necessary to recover a site. You also practice recovering a site in the minimal amount of
time.

Install multiple instances of site system roles

When you install multiple instances of critical site system roles, you provide redundant
points of contact for clients. For example, multiple management points and distribution
points provide redundant service in the event that a specific server is offline.

Install multiple instances of the SMS Provider at a site

The SMS Provider provides the point of administrative contact for one or more
Configuration Manager consoles. To provide redundancy for contact points to
administer your site and hierarchy, install multiple SMS Providers.

High availability for site system roles

At each site, you deploy site system roles to provide the services that you want clients to
use at that site. The site database contains the configuration information for the site and
for all clients. Use one or more of the available options to provide for high availability of
the site database, and the recovery of the site and site database if needed.

Redundancy for important site system roles

Distribution point

Management point

Software update point

State migration point

To provide redundancy for reporting on sites and clients, install multiple instances of the
reporting services point.

Failover support for a software update point in a network load balancing (NLB) cluster
was deprecated in version 1702. For more information, see Removed and deprecated
features. To provide redundancy for software update points, use software update point
switching. This allows clients to connect to a new software update point server if one
fails or becomes unavailable. For more information, see Software update point switching.

Built-in site backup
Configuration Manager includes a built-in backup task to help you back up your site and
critical information on a regular schedule. Additionally, the Configuration Manager
setup wizard supports site restoration actions to help you restore a site to operations.

Publishing to Active Directory Domain Services and DNS

Configure each site to publish data about the site to Active Directory Domain Services
and DNS. This publishing enables clients to identify the most accessible server on the
network. Clients also use it to identify when new site system servers are available to
provide important services, such as management points.

SMS Provider and Configuration Manager console

Configuration Manager supports installing multiple SMS Providers on separate servers
as multiple access points for the console. If one SMS Provider server is offline, you can
still view and manage sites and clients.

When a Configuration Manager console connects to a site, it connects to an instance of
the SMS Provider at that site. The instance of the SMS Provider is randomly selected. If
the selected SMS Provider isn't available, you have the following options:

Reconnect the console to the site. Each new connection request is randomly
assigned an instance of the SMS Provider. It's possible that the new connection is
assigned an available instance.

Connect the console to a different Configuration Manager site and manage the
configuration from that connection. This option introduces a slight delay of
configuration changes of no more than a few minutes. After the SMS Provider for
the site is online, reconnect your Configuration Manager console directly to the
site that you want to manage.

Install the Configuration Manager console on multiple computers for use by
administrators. Each SMS Provider supports connections from more than one console.

Management point

Install multiple management points at each primary site, and enable the sites to publish
site data to your Active Directory infrastructure, and to DNS.

Multiple management points help to load-balance the use of any single management
point by multiple clients. Also consider installing one or more database replicas for
management points. This configuration decreases the processor-intensive operations of
the management point. It also increases the availability of this critical site system role.

Secondary sites only support installation of one management point, which must be
located on the secondary site server. Management points at secondary sites aren't
considered to have a highly available configuration.

Note

Devices managed by on-premises mobile device management connect to only one
management point at a primary site. The management point is assigned by
Configuration Manager to the mobile device during enrollment and then doesn't
change. When you install multiple management points and enable more than one
for mobile devices, the management point that's assigned to a mobile device client
is non-deterministic.

If the management point that a mobile device client uses becomes unavailable, you
must resolve the problem with that management point or wipe the mobile device
and re-enroll the mobile device so that it can be assigned to an operational
management point that is enabled for mobile devices.

Distribution point

Install multiple distribution points, and deploy content to multiple distribution points.
Add more than one distribution point per boundary group to make sure clients get
several options in their content request. Configure boundary group relationships so that
they have a predictable fallback behavior to another boundary group or content-enabled
cloud management gateway. For more information, see Configure boundary groups.

High availability for clients

Client operations are autonomous

Configuration Manager client autonomy includes the following behaviors:

Clients don't require continuous contact with any specific site system servers. They
use known configurations to perform preconfigured actions on a schedule.

Clients can use any available instance of a site system role that provides services to
clients. They attempt to contact known servers until they locate an available server.

Clients can run inventory, software deployments, and similar scheduled actions
independent of direct contact with site system servers.

Clients that are configured to use a fallback status point can submit details to the
fallback status point when they can't communicate with a management point.

Clients can repair themselves

Clients automatically remediate most typical issues without direct administrative
intervention.

Periodically, clients self-evaluate their status. They take action to remediate typical
problems by using a local cache of remediation steps and source files for repairs.

When a client fails to submit status information to its site, the site can generate an
alert. Administrative users that receive these alerts can take immediate action to
restore the normal operation of the client.

Clients cache information to use in the future

When a client communicates with a management point, the client can obtain and cache
the following information:

Client settings

Client schedules

Information about software deployments and a download of the software the
client is scheduled to install, when the deployment is configured for this action.

When a client can't contact a management point, the clients locally cache the status,
state, and client information they report to the site. The client transfers this data after it
establishes contact with a management point.

Client can submit status to a fallback status point

When you configure a client to use a fallback status point, you provide an additional
point of contact for the client to submit important details about its operation. Clients
that are configured to use a fallback status point continue to send status about their
operations to that site system role even when the client can't communicate with a
management point.

Central management of client data and client identity

The site database, rather than the individual client, retains important information about
each client's identity, and associates that data to a specific computer, or user.

The client source files on a computer can be uninstalled and reinstalled without
affecting the historical records for the computer where the client is installed.

Failure of a client computer doesn't affect the integrity of the information that's
stored in the database. This information can remain available for reporting.

Options for sites and site system roles that aren't highly available
Several site systems don't support multiple instances at a site or in the hierarchy. This
information can help you prepare for these site systems going offline.

Asset intelligence synchronization point (hierarchy)

Important

Starting in November 2021, this feature of Configuration Manager is deprecated.
For more information, see Asset intelligence deprecation.

This site system role isn't considered mission critical and provides optional functionality
in Configuration Manager. If this site system goes offline, use one of the following
options:

Resolve the reason for the site system to be offline.

Uninstall the role from the current server, and install the role on a new server.

Endpoint protection point (hierarchy)

This site system role isn't considered mission critical and provides optional functionality
in Configuration Manager. If this site system goes offline, use one of the following
options:

Resolve the reason for the site system to be offline.

Uninstall the role from the current server, and install the role on a new server.

Enrollment point (site)

This site system role isn't considered mission critical and provides optional functionality
in Configuration Manager. If this site system goes offline, use one of the following
options:

Resolve the reason for the site system to be offline.

Uninstall the role from the current server, and install the role on a new server.

Enrollment proxy point (site)

This site system role isn't considered mission critical and provides optional functionality
in Configuration Manager. However, you can install multiple instances of this site system
role at a site, and at multiple sites in the hierarchy. If this site system goes offline, use
one of the following options:

Resolve the reason for the site system to be offline.

Uninstall the role from the current server, and install the role on a new server.

When you have more than one enrollment proxy server in a site, use a DNS alias for the
server name. When you use this configuration, DNS round robin provides some fault
tolerance and load balancing for when users enroll their mobile devices.

Fallback status point (site or hierarchy)

This site system role isn't considered mission critical and provides optional functionality
in Configuration Manager. If this site system goes offline, use one of the following
options:

Resolve the reason for the site system to be offline.

Uninstall the role from the current server, and install the role on a new server.

Because clients are assigned the fallback status point during client installation, you
need to modify existing clients to use the new site system server.

Service connection point (hierarchy)

While this site system role is critical for keeping Configuration Manager current branch
up to date, it's generally not used frequently. If this system goes offline, use one of the
following options:

Resolve the reason for the site system to be offline.

Uninstall the role from the current server, and install the role on a new server.

See also

Supported configurations

Recommended hardware

Supported operating systems for site system servers

Site and site system prerequisites

Site failure impacts


Site server high availability in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Historically, you could add redundancy to most of the roles in Configuration Manager
by having multiple instances of these roles in your environment. Except for the site
server itself. High availability for the site server role is a Configuration Manager-based
solution to install another site server in passive mode. The central administration site
(CAS) and child primary sites can have another site server in passive mode. The site
server in passive mode can be on-premises or cloud-based in Azure.

This feature brings the following benefits:

Redundancy and high availability to the site server role

More easily change the hardware or OS of the site server

More easily move your site server to Azure IaaS

The site server in passive mode is in addition to your existing site server that is in active
mode. A site server in passive mode is available for immediate use, when needed.
Include this other site server as part of your overall design for making the Configuration
Manager service highly available.

A site server in passive mode:

Uses the same site database as your site server in active mode.
Doesn't write data to the site database when it's in passive mode.
Uses the same content library as your site server in active mode.

To make the site server in passive mode become active, you manually promote it. This
action switches the site server in active mode to be the site server in passive mode. The
site system roles that are available on the original active mode server remain available
so long as that computer is accessible. Only the site server role is switched between
active and passive modes.

Microsoft Core Services Engineering and Operations used this feature to migrate their
CAS to Microsoft Azure. For more information, see the Microsoft IT Showcase article.

Supported configurations
Configuration Manager supports site servers in passive mode in a hierarchy. The
CAS and child primary sites can have another site server in passive mode.

The site server in passive mode can be on-premises or cloud-based in Azure.

Note

A cloud-based site server in passive mode uses Azure infrastructure as a
service (IaaS). For more information, see the following articles:

Azure virtual machines (for cloud-based infrastructure)

FAQ for Configuration Manager on Azure

Prerequisites

Active Directory
Both site servers must be joined to the same Active Directory domain.

If you've extended the Active Directory schema for Configuration Manager, both
site servers need Full Control permissions to Active Directory's System - System
Management container and all descendant objects.

General configurations for both site servers

Both site servers can run different OS or service pack versions, as long as both are
supported by Configuration Manager.

Don't host the service connection point role on either site server configured for
high availability. If it's currently on the original site server, remove it, and install it
on another site system server. For more information, see About the service
connection point.

Configurations for the site server in passive mode

Must meet the prerequisites for installing a primary site.
This requirement includes components like .NET Framework, Remote Differential
Compression, and the Windows ADK. For the complete list, see Site and site
system prerequisites.

Note
Make sure to install the SQL Server Native Client. If you don't install it, the
prerequisite checker during Configuration Manager setup will report an error
about missing SQL Server permissions.

Must have its computer account in the local Administrators group on the site
server in active mode.

Must install using source files that match the version of the site server in active
mode.

Can't have a site system role from any site installed on it before you install the site
server in passive mode role.

Make sure the computer account for the site server in passive mode has the same
permissions as the site server in active mode. For example, it may need permission
to content source files, such as boot image source directories.

Permissions for the site system installation account

By default, many customers use the site server's computer account to install new site
systems. The requirement is then to add the site server's computer account to the local
Administrators group on the remote site system. If your environment uses this
configuration, make sure to add the computer account of the new site server to this
local group on all remote site systems. For example, all remote distribution points.

The more secure and recommended configuration is to use a service account for
installing the site system. The most secure configuration is to use a local service account.
If your environment uses this configuration, no change is needed.

For more information, see Site system installation account and Elevated permissions.

Content library
The site content library must be on a remote network share. Both site servers need Full
Control permissions to the share and its contents. For more information, see Configure
a remote content library for the site server.

The site server computer account needs Full control permissions to the network
path to which you're moving the content library. This permission applies to both
the share and the file system. No components are installed on the remote system.

The site server can't have the distribution point role. The distribution point also
uses the content library, and this role doesn't support a remote content library.
After moving the content library, you can't add the distribution point role to the
site server.

Site database
Both site servers must use the same site database.

The database can be remote from each site server. The Configuration Manager
setup process doesn't block installation of the site server role on a computer with
the Windows role for Failover Clustering. SQL Server Always On availability groups
require this role, so previously you couldn't colocate the site database on the site
server. With this change, you can create a highly available site with fewer servers
by using an availability group and a site server in passive mode. Only an active
server can be installed to a node in an Always On availability group. Passive servers
must be installed to standalone servers that do not have any existing site roles on
them.

The SQL Server that hosts the site database can use a default instance, named
instance, failover cluster instance, or an availability group.

Both site servers need the sysadmin security role on the instance of SQL Server
that hosts the site database. The original site server should already have these
roles, so add them for the new site server. For example, the following SQL script
adds these roles for the new site server VM2 in the Contoso domain:

SQL

USE [master]
GO
CREATE LOGIN [contoso\vm2$] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]
GO
ALTER SERVER ROLE [sysadmin] ADD MEMBER [contoso\vm2$]
GO

Both site servers need access to the site database on the instance of SQL Server.
The original site server should already have this access, so add it for the new site
server. For example, the following SQL script adds a login to the CM_ABC database
for the new site server VM2 in the Contoso domain:

SQL

USE [CM_ABC]
GO
CREATE USER [contoso\vm2$] FOR LOGIN [contoso\vm2$] WITH DEFAULT_SCHEMA=[dbo]
GO

The site server in passive mode is configured to use the same site database as the
site server in active mode. The site server in passive mode only reads from the
database. It doesn't write to the database until after it's promoted to active mode.
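The following is an added example, not part of the Configuration Manager documentation, that folds the two scripts above into a single T-SQL script that can be rerun safely (each step checks before it creates or grants) and ends with a check of which Windows logins hold sysadmin on the instance. It keeps the documentation's sample names, the computer account contoso\vm2$ and the site database CM_ABC; substitute your own.

```sql
-- Added example (not from the Configuration Manager docs). Assumed names, taken
-- from the doc's samples: passive site server computer account contoso\vm2$ and
-- site database CM_ABC. Run it on the instance that hosts the site database.
USE [master];
GO

-- 1. Server login for the passive site server's computer account.
--    SUSER_ID returns NULL when no such login exists on this instance.
IF SUSER_ID(N'contoso\vm2$') IS NULL
BEGIN
    CREATE LOGIN [contoso\vm2$] FROM WINDOWS
        WITH DEFAULT_DATABASE = [master], DEFAULT_LANGUAGE = [us_english];
END;
GO

-- 2. sysadmin membership, required by the doc for both site servers.
--    IS_SRVROLEMEMBER returns 1 (member), 0 (not a member) or NULL (unknown).
IF ISNULL(IS_SRVROLEMEMBER(N'sysadmin', N'contoso\vm2$'), 0) = 0
BEGIN
    ALTER SERVER ROLE [sysadmin] ADD MEMBER [contoso\vm2$];
END;
GO

-- 3. Database user in the site database, mapped to that login.
USE [CM_ABC];
GO
IF DATABASE_PRINCIPAL_ID(N'contoso\vm2$') IS NULL
BEGIN
    CREATE USER [contoso\vm2$] FOR LOGIN [contoso\vm2$]
        WITH DEFAULT_SCHEMA = [dbo];
END;
GO

-- 4. Verification: every Windows login or group that holds sysadmin.
--    Both site servers' computer accounts should be listed; any other entry
--    deserves a review, because sysadmin here is full control of the site database.
SELECT sp.name AS login_name,
       sp.type_desc
FROM sys.server_principals AS sp
WHERE sp.type IN ('U', 'G')                           -- Windows logins and groups
  AND IS_SRVROLEMEMBER(N'sysadmin', sp.name) = 1
ORDER BY sp.name;
GO
```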

Limitations
Only a single site server in passive mode is supported at each site.

Passive site servers cannot be installed to nodes in the Always On availability group
hosting the Configuration Manager database and must be installed on standalone
servers. Moving a passive site server into the Always On availability group after
installation is not currently supported.

A site server in passive mode isn't supported at a secondary site.

Note

Secondary sites are still supported under a primary site with highly available
site servers.

Promotion of the site server in passive mode to active mode is manual. There's no
automatic failover.

Site system roles can't be installed on the new server before you add the site
server in passive mode.

Note

After it installs the site server in passive mode, you can add additional roles as
necessary. For example, a management point at a primary site.

For roles like the reporting point that use a database, host the database on a
server that's remote from both site servers.

The Configuration Manager console doesn't automatically install on the site server
in passive mode.

Add a site server in passive mode

For more information on the general process of adding roles, see Install site system
roles.

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, select the Sites node, and select Create Site System
Server in the ribbon.

2. On the General page of the Create Site System Server Wizard, specify the server to
host the site server in passive mode. The server you specify can't host any site
system roles before installing a site server in passive mode.

3. On the System Role Selection page, select only Site server in passive mode.

Note

The wizard performs the following initial prerequisite checks on this page:

The selected server isn't a secondary site server

The selected server isn't already a site server in passive mode

The site's content library is in a remote location

If these initial prerequisite checks fail, you can't continue past this page of
the wizard.

4. On the Site Server In Passive Mode page, provide the following information that's
used to run setup and install the site server role on the specified server:

Choose one of the following options:

Copy installation source files over the network from the site server in
active mode: This option creates a compressed package and sends it to
the new site server.

Use the source files at the following location on the site server in passive
mode: For example, a local path to which you already copied the source
files. Make sure this content is the same version as the site server in active
mode.

(Recommended) Use the source files at the following network location:
Specify the path directly to the contents of the CD.Latest folder from the
site server in active mode. For example, \\Server\SMS_ABC\CD.Latest
where "Server" is the name of the site server in active mode, and "ABC" is
the site code.

Specify the local path at which to install Configuration Manager on the new
site server. For example: C:\Program Files\Configuration Manager

5. Complete the wizard. Configuration Manager then installs the site server in passive
mode on the specified server.

For detailed installation status, in the console go to the Monitoring workspace, and
select the Site Server Status node. The state for the site server in passive mode displays
as Installing. For more detailed information, select the server and select Show Status.
This action opens the Site Server Installation Status window. When the process is
complete, the state shows OK for both servers.

For more information on the setup process, see Flowchart - Set up a site server in
passive mode.

After you add a site server in passive mode, see both site servers on the Nodes tab in
the Sites node of the console.

All Configuration Manager site server components are in standby on the site server in
passive mode. The Windows services are still running.

Site server promotion

Similarly as with backup and recovery, plan and practice your process to change site
servers. Consider the following points in your promotion plan:

Practice a planned promotion, where both site servers are online. Also practice an
unplanned failover, by forcibly disconnecting or shutting down the site server in
active mode.

Determine your operational processes during failover, and what to communicate
with other Configuration Manager administrators.

Before a planned promotion:

Check the overall status of the site and site components. Make sure everything
is healthy as normal for your environment.

Check content status for any packages actively replicating between sites.

Check secondary site status and site replication.

Don't start any new content distribution jobs or maintenance on child or
secondary site servers.

Note

If file or database replication between sites is in progress during failover,
the new site server may not receive the replicated content. If this happens,
redistribute the software content after the new site server is active. For
database replication, you may need to reinitialize a secondary site after
failover.

Reduce or remove other scheduled activities at the same time. For example,
don't plan to promote a site server immediately after updating the site to a new
version. Site update includes other tasks that can potentially conflict with the
site server promotion.

Tip

Here's an example of how other activities can conflict with site server
promotion:

Monday: Update the site to the latest version. Enable automatic client
upgrade with client piloting.

Tuesday: Promote the site server in passive mode to be the active site
server.

By Wednesday or Thursday, this action may cause all clients to upgrade,
not just the pilot collection. This behavior can cause significant network
usage and unexpected load on the distribution points.

If you enable the pre-production client, review the known issue with site server
high availability. For more information, see Pre-production client and site server
high availability.

Process to promote the site server in passive mode to active mode
This section describes how to change the site server in passive mode to active mode. To
access the site and make this change, you need to be able to access an instance of the
SMS Provider. For more information, see Use multiple SMS Providers.

Important
If all instances of the SMS Provider are offline, you can't connect to the site as no
provider is available. When you add the site server in passive mode, setup installs
an instance of the SMS Provider on this server.

The Configuration Manager console requests the list of available SMS Providers
from WMI on the site server. When you install multiple SMS Providers at a site, the
site randomly assigns each new connection request to use an installed SMS
Provider. You can't specify the SMS Provider location to use with a specific
connection session. If your console is unable to connect to the site because the
current site server is offline, specify the other site server in the Site Connection
window.

1. In the Configuration Manager console, go to the Administration workspace, expand
Site Configuration, and select the Sites node. Select the site, and then switch to
the Nodes tab. Select the site server in passive mode, and then select Promote to
active in the ribbon. Select Yes to confirm and continue.

2. Refresh the console node. The Status column for the server you're promoting
displays in the Nodes tab as Promoting.

3. After the promotion is complete, the Status column shows OK for both the new
site server in active mode, and for the new site server in passive mode. The Server
Name column for the site now displays the name of the new site server in active
mode.

For detailed status, go to the Monitoring workspace, and select the Site Server Status
node. The Mode column identifies which server is Active or Passive. When you promote
a server from passive mode to active mode, select the site server that you're promoting
to active, and then choose Show Status from the ribbon. This action opens the Site
Server Promotion Status window that displays more details about the process.

When a site server in active mode switches over to passive mode, only the site system
role is made passive. All other site system roles that are installed on that computer
remain active and accessible to clients.

For more information on the planned promotion process, see Flowchart - Promote site
server (planned).

Unplanned failover
If the current site server in active mode is offline, the site server for promotion tries to
contact the current site server in active mode for 30 minutes. If the offline server comes
back before this time, it's successfully notified, and the change proceeds gracefully.
Otherwise the site server for promotion forcibly updates the site configuration for it to
be active. If the offline server comes back after this time, it first checks the current state
in the site database. It then proceeds with demoting itself to the site server in passive
mode.

During this 30-minute waiting period, the site has no site server in active mode. Clients
still communicate with client-facing roles such as management points, software update
points, and distribution points. Users can install software that's already deployed. No
site administration is possible in this time period. For more information, see Site failure
impacts.

If the offline server is damaged such that it can't return, delete this site server from the
console. Then create a new site server in passive mode to restore a highly available
service.

For more information on the unplanned failover process, see Flowchart - Promote site
server (unplanned).

Other tasks after site server promotion

After switching site servers, you don't have to do most of the other tasks as are
necessary when recovering a site. For example, you don't need to reset passwords or
reconnect your Microsoft Intune subscription.

The following steps may be required if necessary in your environment:

If you import PKI certificates for distribution points, reimport the certificate for
affected servers. For more information, see Regenerate the certificates for
distribution points.

If you integrate Configuration Manager with the Microsoft Store for Business,
reconfigure that connection. For more information, see Manage apps from the
Microsoft Store for Business.

Recreate OSD bootable media and prestaged media in non-PKI environments.

In non-PKI environments, you may need to update the self-signed certificate on
PXE-enabled distribution points. Do this action in the properties of the distribution
point on the Communication tab. Make changes to the self-signed certificate date
or time.

Daily monitoring
When you have a site server in passive mode, monitor it daily. Make sure its Status
remains OK and is ready for use. In the Configuration Manager console, go to the
Monitoring workspace, and select the Site Server Status node. View both site servers
and their current status. Also view status in the Administration workspace. Expand Site
Configuration, and select the Sites node. Select the site, and then switch to the Nodes
tab.

Note

When you update the site to a new version of Configuration Manager, it also
updates the site server in passive mode.

Remove a site server in passive mode

The process to remove a site server in passive mode is the same as any site system role.
Remove the Site server role from the server in passive mode. For more information, see
Procedure to remove a site system role.

When you remove any other site system role, the site component manager ( sitecomp )
processes the request. When you remove a site server in passive mode, the failover
manager processes the request. For status, monitor the SMS_FAILOVER_MANAGER
component.

Next steps
Flowchart - Set up a site server in passive mode
Flowchart - Promote site server (planned)
Flowchart - Promote site server (unplanned)

Flowchart - Set up a site server in passive mode
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This flowchart diagram shows the process by which the site sets up a site server in
passive mode. For more information, see the following articles:

Site server high availability
Flowchart - Promote site server (planned)
The content library
Flowchart - Manage content library

Flowchart - Promote site server (planned)
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This flowchart diagram shows the process by which a site server in passive mode is
promoted to the site server in active mode. In this example, the administrator plans for
the promotion process. Both servers are online and fully functional. For more
information, see the following articles:

Site server high availability
Flowchart - Set up a site server in passive mode

Flowchart - Promote site server (unplanned)
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This flowchart diagram shows the process by which a site server in passive mode is
promoted to the site server in active mode when the current site server in active mode is
offline. In this example, the current site server in active mode isn't fully operational, for
example it is disconnected from the network or powered off. For more information, see
the following articles:

Site server high availability
Flowchart - Promote site server (planned)
Flowchart - Set up a site server in passive mode

Prepare to use a SQL Server Always On availability group with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use this article to prepare Configuration Manager to use a SQL Server Always On
availability group for the site database. This feature provides a high availability and
disaster recovery solution.

Configuration Manager supports using availability groups:

At primary sites and the central administration site.
On-premises, or in Microsoft Azure.

When you use availability groups in Microsoft Azure, you can further increase availability
of your site database by using Azure availability sets. For more information on Azure
availability sets, see Manage the availability of virtual machines.

Important

Before you continue, be comfortable with configuring SQL Server and availability
groups. This article references the SQL Server documentation library with more
information and procedures.

Supported scenarios
The following scenarios are supported for using availability groups with Configuration
Manager. For more information and procedures for each scenario, see Configure
availability groups for Configuration Manager.

Create an availability group for use with Configuration Manager
Configure a site to use the availability group
Add or remove synchronous replica members from an availability group that hosts
a site database
Configure or recover a site from an asynchronous commit replica
Move a site database out of an availability group to a default or named instance of
a standalone SQL Server

Prerequisites
The following prerequisites apply to all scenarios. If additional prerequisites apply to a
specific scenario, they're detailed with that scenario.

Configuration Manager accounts and permissions

Installation account
The account you use to run Configuration Manager setup must be:

A member of the local Administrators group on each computer that's a member of
the availability group.
A sysadmin on each instance of SQL Server that hosts the site database.

Site server to replica member access

The computer account of the site server must be a member of the local Administrators
group on each computer that's a member of the availability group.

SQL Server

Version
Each replica in the availability group must run a version of SQL Server that's supported
by your version of Configuration Manager. When supported by SQL Server, different
nodes of an availability group can run different versions of SQL Server. For more
information, see Supported SQL Server versions for Configuration Manager.

Edition
Use an Enterprise edition of SQL Server.

Account
Each instance of SQL Server can run under a domain user account (service account) or a
non-domain account. Each replica in a group can have a different configuration.

Use an account with the lowest possible permissions. For more information, see
Security considerations for a SQL Server installation.
For more information on configuring service accounts and permissions for SQL
Server, see Configure Windows service accounts and permissions.

To use a non-domain account, you must use certificates. For more information, see
Use certificates for a database mirroring endpoint (Transact-SQL).

For more general information, see Create a database mirroring endpoint for
availability groups.

Database

Configure the database on a new replica

Only make these configurations on a primary replica. To configure a secondary replica,
first fail over the primary to the secondary. This action makes the secondary the new
primary replica.

Configure the database of each replica with the following settings:

Enable CLR Integration:

SQL

sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'clr enabled', 1;
GO
RECONFIGURE;
GO

For more information, see CLR integration.

Set Max text repl size to 2147483647:

SQL

EXECUTE sp_configure 'max text repl size (B)', 2147483647

Set the database owner to the SA account. You don't need to enable this account.

Turn ON the TRUSTWORTHY setting:

SQL

ALTER DATABASE [CM_xxx] SET TRUSTWORTHY ON;

For more information, see the TRUSTWORTHY database property.

Enable the Service Broker:

SQL

ALTER DATABASE [CM_xxx] SET ENABLE_BROKER

Note

You can't enable the Service Broker option on a database that's already part of
an availability group. You have to enable that option before adding it to the
availability group.

Configure the Service Broker priority:

SQL

ALTER DATABASE [CM_xxx] SET HONOR_BROKER_PRIORITY ON;
ALTER DATABASE [CM_xxx] SET ENABLE_BROKER WITH ROLLBACK IMMEDIATE
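As an added example (not part of the Configuration Manager documentation), the following T-SQL applies the settings above in one idempotent pass: it refuses to run against a system database or on a secondary replica, changes only what isn't already set, and reports the Service Broker case that can't be fixed once the database is in an availability group. The database name CM_xxx is a placeholder for your site database.

```sql
-- Added example, not part of the Configuration Manager documentation.
-- Applies the required site-database settings, only where they are not already set.
-- Assumption: the site database is named CM_xxx (placeholder; use your site database).
SET NOCOUNT ON;
DECLARE @dbname sysname = N'CM_xxx';
DECLARE @sql nvarchar(max);

-- 1. Never run against a system database or a database that doesn't exist here.
IF @dbname IN (N'master', N'model', N'msdb', N'tempdb', N'distribution')
BEGIN
    RAISERROR(N'ERROR: %s is a system database.', 16, 1, @dbname);
    RETURN;
END;
IF DB_ID(@dbname) IS NULL
BEGIN
    RAISERROR(N'ERROR: database %s does not exist on this instance.', 16, 1, @dbname);
    RETURN;
END;

-- 2. Database-level options can only be changed on the primary replica.
--    sys.databases.replica_id is NULL while the database is not (yet) in an
--    availability group; otherwise look up the local replica's current role.
DECLARE @replica_id uniqueidentifier =
    (SELECT replica_id FROM sys.databases WHERE name = @dbname);
DECLARE @role nvarchar(60) =
    (SELECT role_desc FROM sys.dm_hadr_availability_replica_states
      WHERE replica_id = @replica_id);
IF @replica_id IS NOT NULL AND @role <> N'PRIMARY'
BEGIN
    RAISERROR(N'ERROR: %s is a %s replica on this instance. Fail over to it first.',
              16, 1, @dbname, @role);
    RETURN;
END;

-- 3. Instance-level options: CLR integration and max text repl size.
IF NOT EXISTS (SELECT 1 FROM sys.configurations
               WHERE name = N'clr enabled' AND value_in_use = 1)
BEGIN
    EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
    EXEC sp_configure 'clr enabled', 1;           RECONFIGURE;
    PRINT N'CHANGED: clr enabled -> 1';
END;
IF NOT EXISTS (SELECT 1 FROM sys.configurations
               WHERE name = N'max text repl size (B)' AND value_in_use = 2147483647)
BEGIN
    EXEC sp_configure 'max text repl size (B)', 2147483647; RECONFIGURE;
    PRINT N'CHANGED: max text repl size (B) -> 2147483647';
END;

-- 4. Database-level options. owner_sid 0x01 is the built-in sa login
--    (if sa was renamed, use its current name in the ALTER AUTHORIZATION).
IF NOT EXISTS (SELECT 1 FROM sys.databases WHERE name = @dbname AND owner_sid = 0x01)
BEGIN
    SET @sql = N'ALTER AUTHORIZATION ON DATABASE::' + QUOTENAME(@dbname) + N' TO [sa];';
    EXEC sys.sp_executesql @sql;
    PRINT N'CHANGED: owner -> sa';
END;
IF NOT EXISTS (SELECT 1 FROM sys.databases WHERE name = @dbname AND is_trustworthy_on = 1)
BEGIN
    SET @sql = N'ALTER DATABASE ' + QUOTENAME(@dbname) + N' SET TRUSTWORTHY ON;';
    EXEC sys.sp_executesql @sql;
    PRINT N'CHANGED: TRUSTWORTHY -> ON';
END;
IF NOT EXISTS (SELECT 1 FROM sys.databases WHERE name = @dbname AND is_broker_enabled = 1)
BEGIN
    -- ENABLE_BROKER can't be set once the database is in an availability group.
    IF @replica_id IS NULL
    BEGIN
        SET @sql = N'ALTER DATABASE ' + QUOTENAME(@dbname)
                 + N' SET ENABLE_BROKER WITH ROLLBACK IMMEDIATE;';
        EXEC sys.sp_executesql @sql;
        PRINT N'CHANGED: Service Broker -> enabled';
    END
    ELSE
        PRINT N'ERROR: Service Broker is off but the database is already in an '
            + N'availability group; remove it from the group, enable the broker, re-add it.';
END;
IF NOT EXISTS (SELECT 1 FROM sys.databases
               WHERE name = @dbname AND is_honor_broker_priority_on = 1)
BEGIN
    SET @sql = N'ALTER DATABASE ' + QUOTENAME(@dbname) + N' SET HONOR_BROKER_PRIORITY ON;';
    EXEC sys.sp_executesql @sql;
    PRINT N'CHANGED: HONOR_BROKER_PRIORITY -> ON';
END;
PRINT N'Done: ' + @dbname + N' checked; run the verification script to confirm.';
```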

Database verification script

Run the following SQL script to verify database configurations for both primary and
secondary replicas. Before you can fix an issue on a secondary replica, change that
secondary replica to be the primary replica.

SQL

SET NOCOUNT ON
DECLARE @dbname NVARCHAR(128)
SELECT @dbname = sd.name FROM sys.sysdatabases sd WHERE sd.dbid = DB_ID()

-- Refuse to run against a system database
IF (@dbname = N'master' OR @dbname = N'model' OR @dbname = N'msdb' OR @dbname = N'tempdb' OR @dbname = N'distribution' ) BEGIN
    RAISERROR(N'ERROR: Script is targeting a system database. It should be targeting the DB you created instead.', 0, 1)
    GOTO Branch_Exit;
END ELSE
    PRINT N'INFO: Targeted database is ' + @dbname + N'.'

PRINT N'INFO: Running verifications....'

-- CLR integration (instance-level setting)
IF NOT EXISTS (SELECT * FROM sys.configurations c WHERE c.name = 'clr enabled' AND c.value_in_use = 1)
    PRINT N'ERROR: CLR is not enabled!'
ELSE
    PRINT N'PASS: CLR is enabled.'

-- Max text repl size (instance-level setting); configured and running values must both match
DECLARE @repltable TABLE (
    name nvarchar(max),
    minimum int,
    maximum int,
    config_value int,
    run_value int )
INSERT INTO @repltable
EXEC sp_configure 'max text repl size (B)'
IF NOT EXISTS(SELECT * from @repltable where config_value = 2147483647 and run_value = 2147483647 )
    PRINT N'ERROR: Max text repl size is not correct!'
ELSE
    PRINT N'PASS: Max text repl size is correct.'

-- Database owner (owner_sid 0x01 is the sa login)
IF NOT EXISTS (SELECT db.owner_sid FROM sys.databases db WHERE db.database_id = DB_ID() AND db.owner_sid = 0x01)
    PRINT N'ERROR: Database owner is not sa account!'
ELSE
    PRINT N'PASS: Database owner is sa account.'

-- TRUSTWORTHY
IF NOT EXISTS( SELECT * FROM sys.databases db WHERE db.database_id = DB_ID() AND db.is_trustworthy_on = 1 )
    PRINT N'ERROR: Trustworthy bit is not on!'
ELSE
    PRINT N'PASS: Trustworthy bit is on.'

-- Service Broker
IF NOT EXISTS( SELECT * FROM sys.databases db WHERE db.database_id = DB_ID() AND db.is_broker_enabled = 1 )
    PRINT N'ERROR: Service broker is not enabled!'
ELSE
    PRINT N'PASS: Service broker is enabled.'

-- Service Broker priority
IF NOT EXISTS( SELECT * FROM sys.databases db WHERE db.database_id = DB_ID() AND db.is_honor_broker_priority_on = 1 )
    PRINT N'ERROR: Service broker priority is not set!'
ELSE
    PRINT N'PASS: Service broker priority is set.'

PRINT N'Done!'

Branch_Exit:

Availability group configurations

Replica members
The availability group must have one primary replica.

Use the same number and type of replicas in an availability group that your version
of SQL Server supports.

You can use an asynchronous commit replica to recover your synchronous replica.
For more information, see site database recovery options.

Warning

Configuration Manager doesn't support failover to use the asynchronous commit
replica as your site database. For more information, see Failover and failover modes
(Always On availability groups).

Configuration Manager doesn't validate the state of the asynchronous commit replica to
confirm it's current. Use of an asynchronous commit replica as the site database can put
the integrity of your site and data at risk. This replica can be out of sync by design. For
more information, see Overview of SQL Server Always On availability groups.

Each replica member must have the following configuration:

Use the default instance or a named instance.

Note

Don't have a file share on the server that's the same name as the SQL Server
instance name.

The Connections in Primary Role setting is Allow all connections.

The Readable Secondary setting is Yes.

Enabled for Manual Failover

Note

Configuration Manager supports using the availability group synchronous replicas
when set to Automatic Failover. Set Manual Failover when:

You run Configuration Manager setup to specify use of the site database in the
availability group.
You install any update to Configuration Manager (not just updates that apply to the
site database).

All members need the same seeding mode. Configuration Manager setup includes
a prerequisite check to verify this configuration when creating a database through
install or recovery.

Note

When setup creates the database, and you configure automatic seeding, the
availability group must have permissions to create the database. This
requirement applies to both a new database or recovery. For more
information, see Automatic seeding for secondary replica.

Replica member location

Either host all replicas in an availability group on-premises, or host them all on Microsoft
Azure. A group that includes an on-premises member and a member in Azure isn't
supported.

Note

If you're using an Azure virtual machine for the SQL Server, enable floating IP. For
more information, see Configure a load balancer for a SQL Server Always On
availability group in Azure virtual machines.

Configuration Manager setup needs to connect to each replica. When you set up an
availability group in Azure, and the group is behind an internal or external load balancer,
open the following default ports:

RPC Endpoint Mapper: TCP 135

SQL Server Service Broker: TCP 4022

SQL over TCP: TCP 1433

After setup completes, these ports must stay open for Configuration Manager and the
replication link analyzer.

You can use custom ports for these configurations. Use the same custom ports for the
endpoint on all replicas in the availability group.

For SQL Server to replicate data between sites, create a load-balancing rule for each
port in the Azure load balancer. For more information, see Configure High Availability
Ports for an internal load balancer.

Listener
The availability group must have at least one availability group listener. When you
configure Configuration Manager to use the site database in the availability group, it
uses the virtual name of this listener. Although an availability group can contain multiple
listeners, Configuration Manager can only make use of one. For more information, see
Create or configure a SQL Server availability group listener.
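The following query, an added example that isn't from the Configuration Manager documentation, checks every replica of each availability group on the instance against the replica and listener requirements above; the finding column is empty for a compliant replica. It assumes SQL Server 2016 or later (seeding_mode_desc doesn't exist in earlier versions) and a login with VIEW SERVER STATE.

```sql
-- Added example, not part of the Configuration Manager documentation.
-- Run on any replica: sys.dm_hadr_availability_replica_states reports every
-- replica's current role, and sys.availability_replicas holds the configured settings.
-- Assumption: SQL Server 2016+ (seeding_mode_desc); VIEW SERVER STATE permission.
SELECT
    ag.name                                     AS availability_group,
    ar.replica_server_name                      AS replica,
    ars.role_desc                               AS current_role,
    ar.availability_mode_desc,
    ar.failover_mode_desc,
    ar.primary_role_allow_connections_desc,
    ar.secondary_role_allow_connections_desc,
    ar.seeding_mode_desc,
    -- Each CASE appends one finding; an empty string means the replica complies.
    CASE WHEN ar.primary_role_allow_connections_desc <> N'ALL'
         THEN N'Connections in Primary Role must be "Allow all connections" (ALL); '
         ELSE N'' END
  + CASE WHEN ar.secondary_role_allow_connections_desc <> N'ALL'
         THEN N'Readable Secondary must be Yes (ALL); ' ELSE N'' END
  + CASE WHEN ar.availability_mode_desc = N'SYNCHRONOUS_COMMIT'
          AND ar.failover_mode_desc <> N'MANUAL'
         THEN N'switch to MANUAL failover before running setup or installing an update; '
         ELSE N'' END
  + CASE WHEN ar.availability_mode_desc = N'ASYNCHRONOUS_COMMIT'
         THEN N'asynchronous replica: recovery source only, not a failover target; '
         ELSE N'' END
  + CASE WHEN (SELECT COUNT(DISTINCT r2.seeding_mode_desc)
               FROM sys.availability_replicas r2
               WHERE r2.group_id = ag.group_id) > 1
         THEN N'seeding mode differs between members; ' ELSE N'' END
  + CASE WHEN NOT EXISTS (SELECT 1 FROM sys.availability_group_listeners l
                          WHERE l.group_id = ag.group_id)
         THEN N'no listener configured; ' ELSE N'' END     AS finding
FROM sys.availability_groups ag
JOIN sys.availability_replicas ar
  ON ar.group_id = ag.group_id
LEFT JOIN sys.dm_hadr_availability_replica_states ars
  ON ars.replica_id = ar.replica_id
ORDER BY ag.name, ar.replica_server_name;

-- The listener name and port that Configuration Manager setup is pointed at.
-- Enter dns_name as an FQDN; a non-default port is entered as "listener,port".
SELECT ag.name AS availability_group, l.dns_name, l.port
FROM sys.availability_group_listeners l
JOIN sys.availability_groups ag ON ag.group_id = l.group_id;
```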

File paths

When you run Configuration Manager setup to configure a site to use the database in
an availability group, each secondary replica server must have a SQL Server file path
that's identical to the file path for the site database files on the current primary replica. If
an identical path doesn't exist, setup fails to add the instance for the availability group
as the new location of the site database.

The local SQL Server service account must have Full Control permission to this folder.

The secondary replica servers only require this file path while you're using Configuration
Manager setup to specify the database instance in the availability group. After it
completes configuration of the site database in the availability group, you can delete the
unused path from secondary replica servers.

For example, consider the following scenario:

You create an availability group that uses three SQL Servers.

Your primary replica server is a new installation of SQL Server 2014. By default, it
stores the database MDF and LDF files in C:\Program Files\Microsoft SQL
Server\MSSQL12.MSSQLSERVER\MSSQL\DATA .

You upgraded both of your secondary replica servers to SQL Server 2014 from
previous versions. With the upgrade, these servers keep the original file path to
store database files: C:\Program Files\Microsoft SQL
Server\MSSQL10.MSSQLSERVER\MSSQL\DATA .
Before moving the site database to this availability group, on each secondary
replica server, create the following file path: C:\Program Files\Microsoft SQL
Server\MSSQL12.MSSQLSERVER\MSSQL\DATA . This path is a duplicate of the path in use
on the primary replica, even if the secondary replicas won't use this file location.

You then grant the SQL Server service account on each secondary replica full
control access to the newly created file location on that server.

You can now successfully run Configuration Manager setup to configure the site to
use the site database in the availability group.

Multi-subnet failover
You can enable the MultiSubnetFailover connection string keyword in SQL Server. You
also need to manually add the following values to the Windows Registry on the site
server:

Registry

HKLM:\SOFTWARE\Microsoft\SMS\Identification
HKLM:\SOFTWARE\Microsoft\SMS\SQL Server

MSF Enabled : 1 (DWORD)

Warning

Use of site server high availability and SQL Server Always On availability groups
with multi-subnet failover doesn't provide the full capabilities of automatic failover
for disaster recovery scenarios.

If you need to create an availability group with a member in a remote location, prioritize
based on the lowest network latency. High network latency can cause replication
failures.

Limitations and known issues

The following limitations apply to all scenarios.

Unsupported SQL Server options and configurations

Basic availability groups: Introduced with SQL Server 2016 Standard edition, basic
availability groups don't support read access to secondary replicas. Configuration
Manager requires this access. For more information, see Basic SQL Server availability
groups.

Failover cluster instance: Failover cluster instances aren't supported for a replica
you use with Configuration Manager. For more information, see SQL Server Always
On failover cluster instances.

SQL Servers that host additional availability groups

When the SQL Server hosts one or more availability groups in addition to the group you
use for Configuration Manager, it needs specific settings at the time you run
Configuration Manager setup. These settings are also needed to install an update for
Configuration Manager. Each replica in each availability group must have the following
configurations:

Manual failover

Allow any read-only connection

Note

Configuration Manager supports using the availability group synchronous replicas
when set to Automatic Failover. Set Manual Failover when:

You run Configuration Manager setup to specify use of the site database in the
availability group.
You install any update to Configuration Manager (not just updates that apply to the
site database).

Unsupported database use

Configuration Manager supports only the site database in an availability group

The following databases aren't supported by Configuration Manager in an availability
group:

Reporting database
WSUS database

Pre-existing database

You can't use a new database created on the replica. When you configure an availability
group, restore a copy of an existing Configuration Manager database to the primary
replica.

Setup errors in ConfigMgrSetup.log

When you run Configuration Manager setup to move a site database to an availability
group, it tries to process database roles on the secondary replicas of the availability
group. The ConfigMgrSetup.log file shows the following error:

ERROR: SQL Server error: [25000][3906][Microsoft][SQL Server Native Client 11.0][SQL Server]Failed to update database "CM_AAA" because the database is read-only.
Configuration Manager Setup 1/21/2016 4:54:59 PM 7344 (0x1CB0)

These errors are safe to ignore.

Site expansion
If you configure the site database for a standalone primary site to use an availability
group, you can't expand the site to include a central administration site. If you try this
process, it fails. To expand the site, temporarily remove the primary site database from
the availability group.

You don't need to make any changes to the configuration when adding a secondary site.

Changes for site backup

Backup database files

When a site database uses an availability group, run the built-in Backup Site server
maintenance task to back up common Configuration Manager settings and files. Don't
use the MDF or LDF files created by that backup. Instead, make direct backups of these
database files by using SQL Server.

You can still use the SQL Server backup; however, you can't restore it directly to a SQL
Server Always On cluster. You need to restore it on a standalone server and move it back
to SQL Server Always On.

Transaction log
Set the recovery model of the site database to Full. This configuration is a requirement
for Configuration Manager use in an availability group. Plan to monitor and maintain the
size of the site database transaction log. In the full recovery model, the transactions
aren't hardened until it makes a full backup of the database or transaction log. For more
information, see Back up and restore of SQL Server databases.
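As an added example not from the Configuration Manager documentation, this query reports the site database's recovery model, log usage and the reason log space can't yet be reused, which is the information daily transaction-log monitoring needs. It assumes the site database is named CM_xxx (placeholder) and is run on the replica that takes the log backups, because msdb only records backups taken locally.

```sql
-- Added example, not part of the Configuration Manager documentation.
-- Assumption: the site database is CM_xxx (placeholder); run where log backups are taken.
USE [CM_xxx];
SELECT
    DB_NAME()                                           AS site_database,
    d.recovery_model_desc,           -- must be FULL for a database in an availability group
    d.log_reuse_wait_desc,           -- NOTHING = log can be truncated; LOG_BACKUP = backup due;
                                     -- AVAILABILITY_REPLICA = a secondary hasn't hardened the log
    u.total_log_size_in_bytes / 1048576                 AS log_size_mb,
    CAST(u.used_log_space_in_percent AS decimal(5, 2))  AS log_used_pct,
    u.log_space_in_bytes_since_last_backup / 1048576    AS log_mb_since_last_backup,
    (SELECT MAX(b.backup_finish_date)
       FROM msdb.dbo.backupset b
      WHERE b.database_name = DB_NAME() AND b.type = 'L') AS last_log_backup,
    CASE
        WHEN d.recovery_model_desc <> N'FULL'
            THEN N'ERROR: set the recovery model to FULL'
        WHEN d.log_reuse_wait_desc = N'LOG_BACKUP' AND u.used_log_space_in_percent > 80
            THEN N'WARNING: log is filling up; take or schedule transaction log backups'
        WHEN d.log_reuse_wait_desc = N'AVAILABILITY_REPLICA'
            THEN N'WARNING: a secondary replica is behind; check synchronization health'
        ELSE N'OK'
    END                                                 AS assessment
FROM sys.databases d
CROSS JOIN sys.dm_db_log_space_usage u     -- reports on the current database only
WHERE d.database_id = DB_ID();
```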

Changes for site recovery

If at least one node of the availability group is still functional, use the site recovery
option to Skip database recovery (Use this option if the site database was unaffected).

Site recovery can recreate the database in an availability group. This process works with
both manual and automatic seeding.

Tip

When you run the setup/recovery wizard, the New Availability Group Database
page only applies to manual seeding configurations. With automatic seeding,
there's no shared database backup, so that page of the wizard isn't shown.

For more information, see Backup and recovery.

Changes for reporting

Install the reporting service point

The reporting services point doesn't support using the listener virtual name of the
availability group. It also doesn't support hosting its database in an availability group.

By default, the reporting services point installation sets the Site database server
name to the virtual name that's specified as the listener. Change this setting to
specify a computer name and instance of a replica in the availability group.

To offload reporting and to increase availability when a replica node is offline,
consider installing additional reporting services points on each replica node. Then
configure each reporting services point to use its own computer name. When you
install a reporting service point on each replica of the availability group, reporting
can always connect to an active reporting point server.

Switch the reporting services point used by the console

1. In the Configuration Manager console, go to the Monitoring workspace, expand
Reporting, and select the Reports node.

2. In the ribbon, select Report Options.

3. In the Report Options dialog box, select the reporting services point you want to
use.

Next steps
This article describes the prerequisites, limitations, and changes to common tasks that
Configuration Manager requires when you use availability groups. For procedures to set
up and configure your site to use availability groups, see Configure availability groups.

Configure a SQL Server Always On availability group for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the information in this article to configure and manage a SQL Server Always On
availability group for the Configuration Manager site database. Before you start, be
familiar with the information to Prepare to use an availability group. Also be familiar
with SQL Server documentation that covers the use of availability groups and related
procedures.

Create and configure an availability group

Use this procedure to create an availability group for Configuration Manager. Then
move a copy of the site database to that availability group.

1. Use the following command to stop the Configuration Manager site:

preinst.exe /stopsite

For more information, see Hierarchy maintenance tool.

2. Change the backup model for the site database from SIMPLE to FULL:

SQL

ALTER DATABASE [CM_xxx] SET RECOVERY FULL;

Availability groups only support the FULL backup model. For more information, see
View or change the recovery model of a database.

3. Use SQL Server to create a full backup of your site database. Choose one of the
following options:

Will be a member of your availability group: If you use this server as the initial
primary replica member of the availability group, you don't need to restore a
copy of the site database to this server or another in the group. The database
is already in place on the primary replica. SQL Server replicates the database
to the secondary replicas during a later step.
Will not be a member of the availability group: Restore a copy of the site
database to the server that will host the primary replica of the group.

For more information, see the following articles in the SQL Server documentation:

Create a full database backup
Restore a database backup using SSMS

Note

If you plan to move from an availability group to standalone on an existing
replica, first remove the database from the availability group.

4. On the server that will host the initial primary replica of the group, use the New
availability group wizard to create the availability group. In the wizard:

On the Select Database page, select the database for your Configuration
Manager site.

On the Specify Replicas page, configure:

Replicas: Specify the servers that will host secondary replicas.

Listener: Specify the Listener DNS Name as a full DNS name, for example
<listener_server>.fabrikam.com . When you configure Configuration Manager to
use the database in the availability group, it uses this name.

On the Select Initial Data Synchronization page, select Full. After the wizard
creates the availability group, the wizard backs up the primary database and
transaction log. Then the wizard restores them on each server that hosts a
secondary replica.

Note

If you don't use this step, restore a copy of the site database to each
server that hosts a secondary replica. Then manually join that database
to the group.

5. Check the configuration on each replica:

a. Make sure the computer account of the site server is a member of the local
Administrators group on each computer that's a member of the availability
group.
b. Run the verification script to confirm that the site database on each replica is
correctly configured.

c. If it's necessary to set configurations on secondary replicas, before you
continue, manually fail over the primary replica to the secondary replica. You
can only configure the database of a primary replica. For more information, see
Perform a planned manual failover of an availability group in the SQL Server
documentation.

6. After all replicas meet the requirements, the availability group is ready to be used
with Configuration Manager.

Configure a site to use the availability group

When installing a new site, after you have created and configured the availability group,
direct setup to use the FQDN of the availability group listener. If you used a custom port
and named instance, leave the instance name empty in the setup wizard and use the
format FQDN of listener, port number. For example, use listener.contoso.com, 1445 for
a named instance that doesn't use the default port of 1433.

If you moved an existing site database to an availability group you created and
configured, use Configuration Manager site maintenance to change the configuration
with the below instructions:

1. Run Configuration Manager Setup: \BIN\X64\setup.exe from the Configuration
Manager site installation folder.

2. On the Getting Started page, select Perform site maintenance or reset this site,
and then select Next.

3. Select Modify SQL Server configuration, and then select Next.

4. Reconfigure the following settings for the site database:

SQL Server name: Enter the virtual name for the availability group listener.
You configured the listener when you created the availability group. The
virtual name should be a full DNS name, like
<Listener_Server>.fabrikam.com .

Instance: To specify the default instance for the listener of the availability
group, this value must be blank. If the current site database runs on a named
instance, clear the current named instance.
Database: Leave the name as it appears. This name is the current site
database.

5. After you provide the information for the new database location, complete setup
with your normal process and configurations.

Synchronous replica members

When your site database is hosted in an availability group, use the following procedures
to add or remove synchronous replica members. For more information about the
supported type and number of replicas, see Availability group configurations.

Add or remove a synchronous replica member

Run Configuration Manager setup to add or remove a synchronous replica member. The
following steps show how to add:

1. Add a secondary replica using the SQL Server procedures.

a. Add a secondary replica to an Always On availability group.

b. Watch the status in SQL Server Management Studio. Wait for the availability
group to return to full health.

2. Run Configuration Manager setup, and select the option to modify the site.

3. Specify the availability group listener name as the SQL Server name. If the listener
uses a non-standard network port, specify that as well. This action causes setup to
make sure each node is appropriately configured. It also starts a database recovery
process.

Configuration Manager setup uses the SQL Server database move operation, and makes
sure the nodes are correctly configured.
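Step 1b above tells you to watch the availability group in SQL Server Management Studio and wait for it to return to full health before running setup. The following PowerShell script is an added example, not part of the Configuration Manager documentation or product, that automates that wait by querying the availability group health DMVs through the listener. The listener address, availability group name and site database name are placeholders; it assumes the SqlServer PowerShell module is installed and the caller has VIEW SERVER STATE on the instance.

```powershell
# Added example (not from the Configuration Manager documentation): poll the
# availability group through its listener until every replica reports HEALTHY,
# CONNECTED and (for synchronous-commit replicas) SYNCHRONIZED, then hand off to
# Configuration Manager setup. Assumptions: the SqlServer PowerShell module is
# installed, the caller has VIEW SERVER STATE on the instance, and the listener,
# availability group and site database names below are placeholders.
#Requires -Modules SqlServer
param(
    [string]$Listener       = 'listener.contoso.com,1445',  # FQDN,port of the AG listener (assumed)
    [string]$AgName         = 'CM_AG',                      # availability group name (assumed)
    [string]$SiteDb         = 'CM_P01',                     # site database name (assumed)
    [int]   $TimeoutMinutes = 30
)

# Single-quoted here-string so PowerShell leaves the $(...) sqlcmd variables alone;
# values are passed with -Variable instead of being interpolated into the T-SQL.
$query = @'
SELECT ar.replica_server_name,
       ar.availability_mode_desc,
       ars.role_desc,
       ars.connected_state_desc,
       ars.synchronization_health_desc,
       drs.synchronization_state_desc
FROM sys.availability_groups AS ag
JOIN sys.availability_replicas AS ar
    ON ar.group_id = ag.group_id
JOIN sys.dm_hadr_availability_replica_states AS ars
    ON ars.replica_id = ar.replica_id
LEFT JOIN sys.dm_hadr_database_replica_states AS drs
    ON drs.replica_id = ar.replica_id
   AND drs.database_id = DB_ID(N'$(SiteDb)')
WHERE ag.name = N'$(AgName)';
'@

$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $rows = Invoke-Sqlcmd -ServerInstance $Listener -Database master -Query $query `
                          -Variable "AgName=$AgName", "SiteDb=$SiteDb" -ErrorAction Stop
    if (-not $rows) { throw "Availability group '$AgName' was not found through $Listener." }

    # Asynchronous-commit replicas legitimately sit in SYNCHRONIZING; only
    # synchronous-commit replicas are required to reach SYNCHRONIZED.
    $unhealthy = @($rows | Where-Object {
        $_.synchronization_health_desc -ne 'HEALTHY' -or
        $_.connected_state_desc       -ne 'CONNECTED' -or
        ($_.availability_mode_desc -eq 'SYNCHRONOUS_COMMIT' -and
         $_.synchronization_state_desc -ne 'SYNCHRONIZED')
    })

    $rows | Format-Table replica_server_name, role_desc, availability_mode_desc,
                         synchronization_health_desc, synchronization_state_desc -AutoSize |
        Out-String | Write-Host

    if ($unhealthy.Count -eq 0) { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

if ($unhealthy.Count -gt 0) {
    throw "Timed out: $($unhealthy.replica_server_name -join ', ') still not healthy. Do not run setup yet."
}
Write-Host "All replicas of '$AgName' are healthy. Run Configuration Manager setup (Modify SQL Server configuration) now."
```

Because the listener always resolves to the current primary, the database-level replica states returned by sys.dm_hadr_database_replica_states cover every replica. Newer versions of the SqlServer module encrypt the connection and validate the server certificate by default; give the replicas a certificate the management host trusts rather than disabling that validation.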

Asynchronous replicas
You can use an asynchronous replica in the availability group that you use with
Configuration Manager. You don't need to run the configuration scripts that a
synchronous replica requires, because Configuration Manager doesn't support an
asynchronous replica as the active site database. Its role is site recovery, as described below.

Configure an asynchronous commit replica


For more information, see Add a secondary replica to an availability group.

Use the asynchronous replica to recover your site


Use the asynchronous replica to recover your site database.

1. Stop the active primary site to prevent additional writes to the site database. To
stop the site, use the Hierarchy maintenance tool: preinst.exe /stopsite

2. After you stop the site, use the asynchronous replica instead of a manually
recovered database.

Stop using an availability group


Use the following procedure when you no longer want to host your site database in an
availability group. With this process, you'll move the site database back to a single
instance of SQL Server.

1. Stop the Configuration Manager site by using the following command:
preinst.exe /stopsite. For more information, see Hierarchy maintenance tool.

2. Use SQL Server to create a full backup of your site database from the primary
replica. For more information, see Create a full database backup.

3. Use SQL Server to restore the site database backup to the server that will host the
site database. For more information, see Restore a database backup using SSMS.

Note

If the primary replica server for the availability group will host the single
instance of the site database, skip this step.

4. On the server that will host the site database, change the recovery model of the
site database from FULL to SIMPLE. A database that's a member of an availability
group must use the FULL recovery model, so make this change only on the restored
standalone copy. For more information, see View or change the recovery model of a
database.

5. Run Configuration Manager Setup: \BIN\X64\setup.exe from the Configuration
Manager site installation folder.

6. On the Getting Started page, select Perform site maintenance or reset this site,
and then select Next.

7. Select Modify SQL Server configuration, and then select Next.


8. Reconfigure the following settings for the site database:

SQL Server name: Enter the name of the server that now hosts the site
database.

Instance: Specify the named instance that hosts the site database. If the
database is on the default instance, leave this field blank.

Database: Leave the name as it appears. This name is the current site
database.

9. After you provide the information for the new database location, complete setup
with your normal process and configurations. When setup completes, the site
restarts, and begins to use the new database location.

10. To clean up the servers that were members of the availability group, follow the
guidance in Remove an availability group.
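Steps 1 through 4 of the procedure above, scripted as an added example that is not part of the Configuration Manager documentation or product. It stops the site, takes a full backup from the primary replica through the listener, restores it on the standalone instance with relocated file paths, and sets the recovery model to SIMPLE, leaving setup (steps 5 to 9) to be run interactively. The installation path, listener, target instance, database name, backup share and data directory are placeholders; it assumes the SqlServer PowerShell module and sysadmin rights on both instances.

```powershell
# Added example (not from the Configuration Manager documentation): the first four
# steps of moving the site database off an availability group onto a standalone
# SQL Server instance, scripted. Run it on the site server with an account that is
# sysadmin on both SQL Server instances. Assumptions: the install path, listener,
# target instance, database name and backup share are placeholders; the backup
# share is writable by the primary replica's service account and readable by the
# target's; the SqlServer module is installed. Setup itself (steps 5-9) is still
# run interactively afterwards.
#Requires -Modules SqlServer
param(
    [string]$CmInstallDir  = 'C:\Program Files\Microsoft Configuration Manager',  # assumed
    [string]$Listener      = 'listener.contoso.com,1445',  # AG listener; resolves to the primary replica
    [string]$Target        = 'CMSQL01.contoso.com\CM',     # standalone instance that will host the site DB
    [string]$SiteDb        = 'CM_P01',
    [string]$BackupShare   = '\\backupsrv\cmdb$',          # restricted share, reachable by both instances
    [string]$TargetDataDir = 'E:\SQLData'                  # where restored files land on the target
)
$ErrorActionPreference = 'Stop'

# 1. Stop the site so nothing writes to the database while it moves.
#    preinst.exe ships under bin\X64\00000409 in the site installation folder (assumed path).
& (Join-Path $CmInstallDir 'bin\X64\00000409\preinst.exe') /stopsite

# 2. Full backup from the primary replica (the listener always points at it).
#    COPY_ONLY keeps the AG's existing backup chain intact; CHECKSUM lets the
#    restore detect media corruption.
$backupFile = Join-Path $BackupShare ("{0}_{1:yyyyMMdd_HHmmss}.bak" -f $SiteDb, (Get-Date))
Backup-SqlDatabase -ServerInstance $Listener -Database $SiteDb -BackupFile $backupFile -CopyOnly -Checksum

# 3. Restore on the target, relocating data/log files to its own paths. Logical
#    file names come from the backup header, so nothing about the source layout
#    is hard-coded; the path is passed as a sqlcmd variable, not string-built T-SQL.
$fileList = Invoke-Sqlcmd -ServerInstance $Target -Database master `
    -Query 'RESTORE FILELISTONLY FROM DISK = N''$(BackupFile)'';' -Variable "BackupFile=$backupFile"
$relocate = foreach ($f in $fileList) {
    $ext = if ($f.Type -eq 'L') { '.ldf' } else { '.mdf' }   # Type: D = data, L = log
    [Microsoft.SqlServer.Management.Smo.RelocateFile]::new(
        $f.LogicalName, (Join-Path $TargetDataDir ($f.LogicalName + $ext)))
}
Restore-SqlDatabase -ServerInstance $Target -Database $SiteDb -BackupFile $backupFile `
    -RelocateFile $relocate -ReplaceDatabase -Checksum

# 4. The AG required FULL recovery; the standalone copy goes back to SIMPLE.
$db = Get-SqlDatabase -ServerInstance $Target -Name $SiteDb
$db.RecoveryModel = [Microsoft.SqlServer.Management.Smo.RecoveryModel]::Simple
$db.Alter()

# Verify before handing off to Configuration Manager setup.
$db.Refresh()
if ($db.RecoveryModel -ne 'Simple' -or $db.Status -ne 'Normal') {
    throw "Restored database state unexpected: Status=$($db.Status) Recovery=$($db.RecoveryModel)"
}
Write-Host "Site database '$SiteDb' restored on $Target with recovery model SIMPLE. Run setup and select Modify SQL Server configuration."
```

The backup file contains the whole site database, including stored credentials, so keep the share restricted to the two SQL Server service accounts and the operator, and delete the file once setup has completed and the site is confirmed healthy.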
Use a SQL Server Always On failover
cluster instance for the site database
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can use a SQL Server Always On failover cluster instance to host the Configuration
Manager site database. Failover cluster instances provide failover support for the entire
instance of SQL Server and improve the reliability of the site database. However, they
don't provide additional processing or load-balancing benefits. Failover cluster
instances require shared storage, which can be a single point of failure.
Performance can degrade, because the site server must find the active node of the
failover cluster instance before it connects to the site database.

Important

To successfully set up a failover cluster instance, use the documentation and
procedures for SQL Server. For more information, see Always On Failover Cluster
Instances (SQL Server).

Before you install Configuration Manager, prepare the failover cluster instance to
support Configuration Manager. For more information, see Prepare a clustered SQL
Server instance.

During Configuration Manager setup, the Windows Volume Shadow Copy Service writer
installs on each physical computer node of the Windows Server failover cluster. This
service supports the Backup Site Server maintenance task.

After the site installs, Configuration Manager checks for changes to the cluster nodes
each hour. It automatically manages any changes it finds that affect its component
installs, for example a node failover or the addition of a new node to the failover
cluster instance.

Supported options
Configuration Manager supports the following options for failover cluster instances
used for the site database:

A single instance cluster


Multiple instance configurations

Multiple active nodes

Both a named or a default instance

Prerequisites
The site database server must be remote from the site server. The cluster can't
include the site server.

Note

The Configuration Manager setup process doesn't block installation of the site
server role on a computer with the Windows role for Failover Clustering. SQL
Server Always On availability groups require this role, so previously you
couldn't colocate the site database on the site server. With this change, you
can create a highly available site with fewer servers by using an availability
group and a site server in passive mode. For more information, see High
availability options.

Add the computer account of the site server to the local Administrators group of
each server in the cluster.

To support Kerberos authentication, enable the TCP/IP network communication
protocol for the network connection of each cluster node. The Named pipes
protocol isn't required, but can be used to troubleshoot Kerberos authentication
issues. The network protocol settings are configured in SQL Server Configuration
Manager, under SQL Server Network Configuration.

There are specific certificate requirements when you use a failover cluster instance
for the site database. For more information, see the following articles:

Install a certificate in an Always On failover cluster instance configuration

PKI certificate requirements for Configuration Manager

Note

If you don't pre-provision a certificate in SQL Server, Configuration Manager
creates and provisions a self-signed certificate for SQL Server.
Limitations

Installation and configuration


Secondary sites can't use a failover cluster instance.

When you specify a failover cluster instance, you can't set a custom file location for
the site database.

SMS Provider
You can't install the SMS Provider on a failover cluster instance. It's also not supported
on a computer that runs as a node participating in the failover cluster instance.

Data replication options


If you use Distributed Views, you can't use a failover cluster instance to host the site
database.

Backup and recovery


Configuration Manager doesn't support System Center Data Protection Manager (DPM)
backup for failover cluster instances that use a named instance. It does support DPM
backup on failover cluster instances that use the SQL Server default instance.

Prepare a failover cluster instance


Here are the main tasks to complete to prepare your site database:

Create the failover cluster instance to host the site database on an existing
Windows Server failover cluster environment. For specific steps to install and set
up a failover cluster instance, see the documentation specific to your version of
SQL Server. For more information, see Create a new SQL Server Always On failover
cluster instance.

On each computer in the failover cluster instance, place a file in the root folder of
each drive where you don't want Configuration Manager to install site
components. Name the file NO_SMS_ON_DRIVE.SMS. By default, Configuration
Manager installs some components on each physical node, to support operations
such as backup.
Add the computer account of the site server to the local Administrators group of
each Windows Server failover cluster node.

In the failover cluster instance, assign the sysadmin SQL Server role to the user
account that runs Configuration Manager setup.
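The node preparation tasks above, scripted as an added example that is not part of the Configuration Manager documentation or product. On every node it creates NO_SMS_ON_DRIVE.SMS in the root of each fixed drive except the one you allow, adds the site server's computer account to the local Administrators group, and then confirms that the account running it holds sysadmin on the failover cluster instance. Node names, the allowed drive letter, the site server account and the FCI name are placeholders; it assumes PowerShell remoting to the nodes and the SqlServer module on the host it runs from.

```powershell
# Added example (not from the Configuration Manager documentation): prepare the
# physical nodes of a SQL Server failover cluster instance for the site database.
# On every node it drops NO_SMS_ON_DRIVE.SMS into the root of each fixed drive
# except the one you allow, so Configuration Manager's per-node components land
# only where you intend, and it adds the site server's computer account to the
# local Administrators group. It then confirms the caller is sysadmin on the FCI.
# Assumptions: node names, the allowed drive, the site server account and the FCI
# instance name are placeholders; PowerShell remoting is enabled on the nodes; the
# caller is a local administrator on each node; the SqlServer module is installed.
#Requires -Modules SqlServer
param(
    [string[]]$Nodes        = @('SQLNODE1.contoso.com', 'SQLNODE2.contoso.com'),
    [string]  $AllowedDrive = 'E',                      # only drive CM may install components on
    [string]  $SiteServer   = 'CONTOSO\CMSITE01$',      # site server computer account (trailing $)
    [string]  $FciInstance  = 'CMSQLFCI.contoso.com'    # name of the SQL Server FCI, not the WSFC
)

$results = Invoke-Command -ComputerName $Nodes -ArgumentList $AllowedDrive, $SiteServer -ScriptBlock {
    param($AllowedDrive, $SiteServer)

    # Clustered disks are only visible on the node that currently owns them, so
    # running this on every node covers whatever each one can see right now.
    $marked = foreach ($vol in Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }) {
        if ("$($vol.DriveLetter)" -ieq $AllowedDrive) { continue }
        $marker = Join-Path "$($vol.DriveLetter):\" 'NO_SMS_ON_DRIVE.SMS'
        if (-not (Test-Path -LiteralPath $marker)) {
            New-Item -Path $marker -ItemType File -Force | Out-Null
        }
        $marker
    }

    # Grant the site server local admin rights on this node (idempotent).
    $admins = (Get-LocalGroupMember -Group 'Administrators').Name
    if ($admins -notcontains $SiteServer) {
        Add-LocalGroupMember -Group 'Administrators' -Member $SiteServer
    }

    [pscustomobject]@{
        Node                   = $env:COMPUTERNAME
        MarkedDrives           = ($marked -join ', ')
        SiteServerIsLocalAdmin = ((Get-LocalGroupMember -Group 'Administrators').Name -contains $SiteServer)
    }
}
$results | Format-Table Node, MarkedDrives, SiteServerIsLocalAdmin -AutoSize

# Setup must run as sysadmin on the FCI. IS_SRVROLEMEMBER evaluates the caller,
# and connecting to the FCI name (not the cluster name) exercises the right path.
$isSysadmin = (Invoke-Sqlcmd -ServerInstance $FciInstance -Database master `
    -Query "SELECT IS_SRVROLEMEMBER('sysadmin') AS IsSysadmin;").IsSysadmin
if ($isSysadmin -ne 1) {
    Write-Warning "$env:USERDOMAIN\$env:USERNAME is not sysadmin on $FciInstance; grant it before running setup."
}
```

Run it again after a failover or after adding a node: the marker files follow the drives, and the local Administrators change is per node, so a node that joined later has neither until the script has visited it.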

Install a new site


To install a site that uses a clustered site database, run Configuration Manager setup
following your normal process for installing a site. On the Database Information page,
specify the name of the failover cluster instance. The failover cluster instance name
replaces the name of a single computer that runs SQL Server.

Important

Make sure to use the name of the SQL Server Always On failover cluster instance,
not the Windows Server failover cluster. If you use the Windows Server failover
cluster name, the site database installs on the local hard drive of the active
Windows Server failover cluster node. This configuration prevents successful
failover if that node fails.
Custom locations for Configuration
Manager site database files
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager supports custom locations for SQL Server database files.

Note

The option to specify non-default file locations isn't available when you use a SQL
Server Always On failover cluster instance.

During setup of a new primary site or central administration site, you can:

Specify non-default file locations for the site database: Configuration Manager
setup then creates the site database using these locations.

Specify the use of a pre-created SQL Server database that uses custom file
locations: Configuration Manager setup then uses that pre-created database and
its pre-configured file locations.

After setup, you can change the location of the site database files. This requires you to
stop the site and edit the file location in SQL Server:

1. On the Configuration Manager site server, stop the SMS_Executive service.

2. Move the database in SQL Server. For more information, see Move User Databases.

3. After you complete the database file move, restart the SMS_Executive service on
the Configuration Manager site server.
Configure role-based administration for
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

In Configuration Manager, role-based administration combines security roles, security
scopes, and assigned collections to define the administrative scope for each
administrative user. An administrative scope includes the objects that an administrative
user can view in the Configuration Manager console and the tasks related to those
objects that they have permission to do.

If you're not yet familiar with these concepts, see Fundamentals of role-based
administration.

Use the information in this article to create and configure role-based administration and
related security settings.

Note

The procedures in this article assume that your administrative user is in a security
role with the required permissions, for example the Full Administrator or Security
Administrator role.

Tip

Use the Role-based administration and auditing tool to help with the following
actions:

Model permissions for a new role that you want to create.
Audit all existing administrative users, collections, and security scopes.
Audit a specific user.

Create custom security roles


Configuration Manager provides several built-in security roles. You can't change the
permissions of the built-in roles. If you require other roles, create a custom one, for
example to grant administrative users permissions that they require but that no
built-in role includes. A custom security role lets you assign administrative users only
the permissions they actually need, and helps you avoid assigning a built-in role that
grants more permissions than they require.

How to create custom security roles


In the Configuration Manager console, go to the Administration workspace. Expand
Security, and then select the Security Roles node. Then use one of the following
processes to create a new security role:

Create a new custom security role by copying a built-in role

1. Select an existing security role to use as the source for the new role.

2. On the Home tab of the ribbon, in the Security Role group, select Copy. This
action creates a copy of the source security role.

3. In the Copy Security Role wizard, specify a Name for the new custom security role.
The maximum length is 256 characters.

4. Optional but recommended, specify a Description to summarize the purpose of
this custom security role. The maximum length is 512 characters.

5. Under Permissions, expand each object type to display the available permissions.

6. To change a permission, select the drop-down list, and choose either Yes or No.

Caution

When you configure a custom security role, only grant permissions that are
required by the users assigned to this role. For example, the Modify
permission for the Security Roles object allows assigned users to edit any
accessible security role, even if they aren't assigned to that security role.

7. After you configure the permissions, select OK to save the new security role.

Import a security role that was exported from another
Configuration Manager hierarchy

Important

Only import custom security role configuration files from a trusted source. When
you export a custom security role, save it in a secure location. The XML files aren't
digitally signed.

1. On the Home tab of the ribbon, in the Create group, choose Import Security Role.

2. Specify the XML file that contains the exported security role configuration. Select
Open to complete the procedure and create the security role.

3. After you import a custom security role, open its Properties. View the permissions
to confirm they include the least required permissions for this role. Change any
permissions that aren't required in this environment.

Note

You can't export built-in security roles.

Configure security roles


You can modify the permissions for a custom security role, but you can't modify the
built-in security roles.

1. In the Configuration Manager console, go to the Administration workspace,
expand Security, and then select the Security Roles node.

2. Select the custom security role that you want to modify or view.

3. On the Home tab of the ribbon, in the Properties group, select Properties.

4. On the General tab of the properties window, change the Name or Description if
necessary.

5. On the Administrative Users tab, view the users that are associated with this role.
To change the assignment, go to the properties of the administrative user.

6. On the Permissions tab, expand each object type to display the available
permissions.

7. To change a permission, select the drop-down list, and then choose either Yes or
No.

Caution
When you configure a custom security role, only grant permissions that are
required by the users assigned to this role. For example, the Modify
permission for the Security Roles object allows assigned users to edit any
accessible security role, even if they aren't assigned to that security role.

8. When you're done, select OK to save the custom security role.

Configure security scopes for an object


Manage security scopes from the securable object, not from the security scope. The only
properties you can change on a custom security scope are its name and description. You
can't modify the two built-in scopes. To change the name and description of a custom
scope, you need the Modify permission for the Security Scopes object.

When you create a new object in Configuration Manager, it's associated with each
security scope that's associated with the security roles of the account used to create the
object. This behavior occurs when those security roles provide the Create permission or
Set Security Scope permission. After you create an object, you can change the security
scopes and assign it to multiple scopes.

For example, you're assigned a security role that grants you permission to create a new
boundary group. That role is associated with the Admins security scope. When you
create a new boundary group, you've no option to assign specific security scopes. The
Admins security scope is automatically assigned to the new boundary group. After you
save the new boundary group, you can edit the security scopes for the boundary group.

For more information on how to add a scope for a user, see Modify the administrative
scope of an administrative user.

How to create a custom security scope


1. In the Configuration Manager console, go to the Administration workspace,
expand Security, and then select the Security Scopes node.

2. On the Home tab of the ribbon, in the Create group, select Create Security Scope.

3. In the Create Security Scope window, specify a Security scope name. The
maximum length is 256 characters.

4. Optional but recommended, specify a Description to summarize the purpose of
this custom security scope. The maximum length is 512 characters.
5. Select or remove administrative user assignments. You can change these after you
create the security scope.

6. To save the custom security scope, select OK.

How to configure security scopes for an object


1. In the Configuration Manager console, select an object that supports being
assigned to a security scope. For the list of supported objects, see Fundamentals of
role-based administration - Security scopes.

2. On the Home tab of the ribbon, in the Classify group, select Set Security Scopes.

For a folder, go to the Folder tab of the ribbon. In the Actions group, select Set
Security Scopes.

Note

An item is searchable in folders outside of a user's security scope if that user
shares a security scope with the person who created the object.

3. In the Set Security Scopes window, select or clear the security scopes for this
object. Select at least one security scope.

4. Select OK to save the assigned security scopes.

Configure collections to manage security


There are no procedures to configure collections for role-based administration.
Collections don't have a role-based administration configuration. Instead, you assign
collections to an administrative user. To determine the actions that an administrative
user can do to a collection and its members, view the permissions for the Collection
object type on the security role.

When an administrative user has permissions to a collection, they also have permissions
to collections that are limited to that collection. For example, your organization uses a
collection named All Desktops. There's also a collection named All North America
Desktops that's limited to the All Desktops collection. If an administrative user has
permissions to All Desktops, they have the same permissions to the All North America
Desktops collection.
An administrative user can't use the Delete or Modify permissions on a collection that's
directly assigned to them. They can use these permissions on the collections that are
limited to that collection. In the previous example, the administrative user can delete or
modify the All North America Desktops collection, but they can't delete or modify the
All Desktops collection.

Create a new administrative user


To grant individuals or members of a security group access to manage Configuration
Manager, create an administrative user. Specify a Windows account of the user or user
group. Assign each administrative user to at least one security role and one security
scope. You can also assign collections to limit the administrative scope of the user or
group.

How to create a new administrative user


1. In the Configuration Manager console, go to the Administration workspace,
expand Security, and then select the Administrative Users node.

2. On the Home tab of the ribbon, in the Create group, select Add User or Group.

3. Select Browse, and then select the user account or group to use for this new
administrative user in Configuration Manager.

Note

For console-based administration, you can only specify domain users or
domain security groups as an administrative user.

4. For the Associated security roles, select Add to open a list of the available security
roles. Select one or more security roles, and then select OK.

5. Choose one of the following options to define the securable object behavior for
the new user:

All instances of the objects that are related to the assigned security roles:
This option has the following behaviors:
    Security scope: All
    Collections: All Systems and All Users and User Groups
    The security roles that you assign to the user define their access to objects.
    New objects that this user creates are assigned to the Default security scope.

Only the instances of objects that are assigned to the specified security
scopes and collections: This option has the following behaviors:
    Security scope: Default
    Collections: All Systems and All Users and User Groups
    These defaults may be different, because the actual security scopes and
    collections are limited to those that are associated with the account that
    you use to create the administrative user.
    Add or Remove security scopes and collections to customize the
    administrative scope of this user.

Important

After you create the user, view its properties to select a third option, Associate
assigned security roles with specific security scopes and collections. For
more information, see Modify the administrative scope of an administrative
user.

6. Select OK to close the window and create the administrative user.

Modify the administrative scope of an
administrative user
You can modify the administrative scope of an administrative user by adding or
removing security roles, security scopes, and collections that are associated with the
user. Each administrative user must be associated with at least one security role and one
security scope. You might have to assign one or more collections to the administrative
scope of the user. Most security roles interact with collections and don't function
correctly without an assigned collection.

When you modify an administrative user, you can change the behavior for how
securable objects are associated with the assigned security roles. The three behaviors
that you can select are as follows:

All instances of the objects that are related to the assigned security roles: This
option associates the administrative user with the All scope, and the All Systems
and All Users and User Groups collections. The security roles that are assigned to
the user define access to objects.
Only the instances of objects that are assigned to the specified security scopes
and collections: This option associates the administrative user to the same security
scopes and collections that are associated to the account you use to configure the
administrative user. This option supports the addition or removal of security roles
and collections to customize the administrative scope of the administrative user.

Associate assigned security roles with specific security scopes and collections:
This option lets you create specific associations between individual security roles
and specific security scopes and collections for the user.

Note

This option is available only when you modify the properties of an
administrative user.

The current configuration for the securable object behavior changes the process that
you use to assign additional security roles. Use the following procedures that are based
on the different options for securable objects to help you manage an administrative
user.

Use the following procedure to view and manage the configuration for securable
objects for an administrative user.

To view and manage the securable object behavior for an
administrative user
1. In the Configuration Manager console, choose Administration.
2. In the Administration workspace, expand Security, and then choose
Administrative Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, choose Properties.
5. Choose the Security Scopes tab to view the current configuration for securable
objects for this administrative user.
6. To modify the securable object behavior, select a new option for securable object
behavior. After you change this configuration, see the appropriate procedure for
further guidance to configure security scopes and collections, and security roles for
this administrative user.
7. Choose OK to complete the procedure.

Use the following procedure to modify an administrative user that has the securable
object behavior set to All instances of the objects that are related to the assigned
security roles.

For option: All instances of the objects that are related to
the assigned security roles
1. In the Configuration Manager console, choose Administration.

2. In the Administration workspace, expand Security, and then choose
Administrative Users.

3. Select the administrative user that you want to modify.

4. On the Home tab, in the Properties group, choose Properties.

5. Choose the Security Scopes tab to confirm that the administrative user is
configured for All instances of the objects that are related to the assigned
security roles.

6. To modify the assigned security roles, choose the Security Roles tab.

To assign additional security roles to this administrative user, choose Add,
check the box for each additional security role that you want to assign, and
then choose OK.
To remove security roles, select one or more security roles from the list, and
then choose Remove.

7. To modify the securable object behavior, choose the Security Scopes tab and
choose a new option for the securable object behavior. After you change this
configuration, see the appropriate procedure for further guidance to configure
security scopes and collections, and security roles for this administrative user.

Note

When the securable object behavior is set to All instances of the objects that
are related to the assigned security roles, you can't add or remove specific
security scopes and collections.

8. Choose OK to complete this procedure.

Use the following procedure to modify an administrative user that has the securable
object behavior set to Only the instances of objects that are assigned to the specified
security scopes and collections.
For option: Only the instances of objects that are
assigned to the specified security scopes and collections
1. In the Configuration Manager console, choose Administration.

2. In the Administration workspace, expand Security, and then choose
Administrative Users.

3. Select the administrative user that you want to modify.

4. On the Home tab, in the Properties group, choose Properties.

5. Choose the Security Scopes tab to confirm that the user is configured for Only the
instances of objects that are assigned to the specified security scopes and
collections.

6. To modify the assigned security roles, choose the Security Roles tab.

To assign additional security roles to this user, choose Add, check the box for
each additional security role that you want to assign, and then choose OK.
To remove security roles, select one or more security roles from the list, and
then choose Remove.

7. To modify the security scopes and collections that are associated with security
roles, choose the Security Scopes tab.

To associate new security scopes or collections with all security roles that are
assigned to this administrative user, choose Add and select one of the four
options. If you select Security Scope or Collection, check the box for one or
more objects to complete that selection, and then choose OK.
To remove a security scope or collection, choose the object, and then choose
Remove.

8. Choose OK to complete this procedure.

Use the following procedure to modify an administrative user that has the securable
object behavior set to Associate assigned security roles with specific security scopes
and collections.

For option: Associate assigned security roles with specific
security scopes and collections
1. In the Configuration Manager console, choose Administration.
2. In the Administration workspace, expand Security, and then choose
Administrative Users.

3. Select the administrative user that you want to modify.

4. On the Home tab, in the Properties group, choose Properties.

5. Choose the Security Scopes tab to confirm that the administrative user is
configured for Associate assigned security roles with specific security scopes and
collections.

6. To modify the assigned security roles, choose the Security Roles tab.

To assign additional security roles to this administrative user, choose Add. On
the Add Security Role dialog box, select one or more available security roles,
choose Add, and select an object type to associate with the selected security
roles. If you select Security Scope or Collection, check the box for one or
more objects to complete that selection, and then choose OK.

Note

You must configure at least one security scope before the selected
security roles can be assigned to the administrative user. When you
select multiple security roles, each security scope and collection that you
configure is associated with each of the selected security roles.

To remove security roles, select one or more security roles from the list, and
then choose Remove.

7. To modify the security scopes and collections that are associated with a specific
security role, choose the Security Scopes tab, select the security role, and then
choose Edit.

To associate new objects with this security role, choose Add, and select an
object type to associate with the selected security roles. If you select Security
Scope or Collection, check the box for one or more objects to complete that
selection, and then choose OK.

Note

You must configure at least one security scope.


To remove a security scope or collection that is associated with this security
role, select the object, and then choose Remove.

When you have finished modifying the associated objects, choose OK.

8. Choose OK to complete this procedure.

Caution

When a security role grants administrative users the collection deployment
permission, those administrative users can distribute objects from any security
scope for which they have object read permissions, even if that security scope
is associated with a different security role.

Automate with Windows PowerShell


You can use the following PowerShell cmdlets to automate some of these tasks:

Manage administrative users:

Get-CMAdministrativeUser: Get an administrative user object.
New-CMAdministrativeUser: Create a new administrative user.
New-CMAdministrativeUserPermission: Create a permission object that pairs a security
role with specific security scopes or collections, for use with New-CMAdministrativeUser.
Remove-CMAdministrativeUser: Remove an administrative user.

Manage roles and scopes on users:

Add-CMSecurityRoleToAdministrativeUser: Add a security role to a user or group.


Remove-CMSecurityRoleFromAdministrativeUser: Remove the association between
a security role and an administrative user.
Add-CMSecurityScopeToAdministrativeUser: Add a security scope to a user or
group.
Remove-CMSecurityScopeFromAdministrativeUser: Remove the association
between a security scope and an administrative user.

Manage security roles:

Copy-CMSecurityRole: Create a custom security role.


Export-CMSecurityRole: Export a security role to an XML file.
Get-CMSecurityRole: Get a security role.
Import-CMSecurityRole: Import a security role from an XML file.
Remove-CMSecurityRole: Remove custom security roles.
Set-CMSecurityRole: Change configuration settings of a security role.
Manage permissions on security roles:

Get-CMSecurityRolePermission: Get the permissions for a security role.


Set-CMSecurityRolePermission: Configure a security role with specific permissions.

Manage security scopes:

Get-CMSecurityScope: Get a security scope.


New-CMSecurityScope: Create a security scope.
Remove-CMSecurityScope: Remove a security scope.
Set-CMSecurityScope: Configure a security scope.

Manage object security scope:

Add-CMObjectSecurityScope: Add a security scope to an object.


Get-CMObjectSecurityScope: Get the security scope for a Configuration Manager
object.
Remove-CMObjectSecurityScope: Remove a security scope from a Configuration
Manager object.
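The following script is an added example, not part of the Configuration Manager documentation, that strings the cmdlets above together into a least-privilege setup: a dedicated security scope, a custom role copied from a built-in one, an Active Directory group bound to that role and limited to the scope plus one collection, and an object moved out of the Default scope. The site code PS1, the group CONTOSO\Helpdesk-Ops, the collection "Helpdesk Workstations", and the application "7-Zip" are assumptions for illustration.

```powershell
# Added example (not from the Configuration Manager documentation).
# Assumes: the console is installed (SMS_ADMIN_UI_PATH is set), the site code
# is PS1, and the AD group, collection and application named below exist.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "PS1:"   # assumed site code; the provider drive is named after it

$scopeName = "Helpdesk"
$roleName  = "Helpdesk Operator"
$userName  = "CONTOSO\Helpdesk-Ops"   # assumed AD group

# 1. A dedicated security scope keeps helpdesk-owned objects separate from
#    everything else in the site. Cmdlets are idempotent-guarded so the
#    script can be rerun.
if (-not (Get-CMSecurityScope -Name $scopeName)) {
    New-CMSecurityScope -Name $scopeName -Description "Objects owned by the helpdesk team" | Out-Null
}

# 2. Don't assign a built-in role directly. Copy one so it can be trimmed,
#    audited, and exported to XML for change control.
if (-not (Get-CMSecurityRole -Name $roleName)) {
    Copy-CMSecurityRole -SourceName "Application Administrator" -Name $roleName | Out-Null
}
Export-CMSecurityRole -Name $roleName -Path "C:\Temp\$roleName.xml"

# 3. Bind the group to the role, limited to the new scope and one collection.
#    Limiting to a collection matters because of the caution above: the
#    collection deployment permission reaches any object the user can read.
if (-not (Get-CMAdministrativeUser -Name $userName)) {
    New-CMAdministrativeUser -Name $userName -RoleName $roleName `
        -SecurityScopeName $scopeName -CollectionName "Helpdesk Workstations" | Out-Null
}

# 4. Tag a helpdesk-owned object with the scope and remove it from Default,
#    so administrators who only hold the Default scope no longer see it.
$app = Get-CMApplication -Name "7-Zip" -Fast   # assumed application name
Add-CMObjectSecurityScope    -InputObject $app -SecurityScopeName $scopeName
Remove-CMObjectSecurityScope -InputObject $app -SecurityScopeName "Default" -Force

# 5. Verify the result: which scopes the object is in, and what the user holds.
Get-CMObjectSecurityScope -InputObject $app | Select-Object CategoryName
Get-CMAdministrativeUser -Name $userName |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames
```

Run it from an elevated console session as a Full Administrator; every object created this way is visible in the Administration > Security nodes and in the role-based administration and auditing tool. Removing Default from an object is the step most often skipped: until you do it, everyone with the Default scope still sees and can act on the object.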

Next steps
Role-based administration and auditing tool

Accounts used in Configuration Manager


Configure Azure services for use with
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the Azure Services Wizard to simplify the process of configuring the Azure cloud
services you use with Configuration Manager. This wizard provides a common
configuration experience by using Azure Active Directory (Azure AD) web app
registrations. These apps provide subscription and configuration details, and
authenticate communications with Azure AD. The app replaces entering this same
information each time you set up a new Configuration Manager component or service
with Azure.

Available services
Configure the following Azure services using this wizard:

- Cloud Management: This service enables the site and clients to authenticate by using Azure AD. This authentication enables other scenarios, such as:
  - Install and assign Configuration Manager clients using Azure AD for authentication
  - Configure Azure AD User Discovery
  - Configure Azure AD User Group Discovery
  - Support certain cloud management gateway scenarios
  - App approval email notifications

  Tip: For more information specific to cloud management, see Configure Azure Active Directory for cloud management gateway.

- Log Analytics Connector: Connect to Azure Log Analytics. Sync collection data to Log Analytics.

  Important: This article refers to the Log Analytics Connector, which was formerly called the OMS Connector. This feature was deprecated in November 2020. It's removed from Configuration Manager in version 2107. For more information, see Removed and deprecated features.

- Microsoft Store for Business: Connect to the Microsoft Store for Business. Get store apps for your organization that you can deploy with Configuration Manager.

- Administration Service Management (version 2207 or later): When configuring Azure services, for enhanced security you can select the Administration Service Management option. Selecting this option allows administrators to segment their admin privileges between cloud management and the administration service. By enabling this option, access is restricted to only administration service endpoints. Configuration Manager clients authenticate to the site using Azure Active Directory.

  Note: Only CMG VMSS customers can enable the Administration Service Management option. This option doesn't apply to classic CMG customers.

Service details
The following table lists details about each of the services.

- Tenants: The number of service instances you can configure. Each instance must be a distinct Azure AD tenant.
- Clouds: All services support the global Azure cloud, but not all services support private clouds, such as the Azure US Government cloud.
- Web app: Whether the service uses an Azure AD app of type Web app / API, also referred to as a server app in Configuration Manager.
- Native app: Whether the service uses an Azure AD app of type Native, also referred to as a client app in Configuration Manager.
- Actions: Whether you can import or create these apps in the Configuration Manager Azure Services Wizard.

| Service                                  | Tenants  | Clouds          | Web app | Native app | Actions        |
|------------------------------------------|----------|-----------------|---------|------------|----------------|
| Cloud management with Azure AD discovery | Multiple | Public, Private | Yes     | Yes        | Import, Create |
| Log Analytics Connector                  | One      | Public, Private | Yes     | No         | Import         |
| Microsoft Store for Business             | One      | Public          | Yes     | No         | Import, Create |

About Azure AD apps

Different Azure services require distinct configurations, which you make in the Azure portal. Additionally, the apps for each service can require separate permissions to Azure resources.

You can use a single app for more than one service. There's then only one object to manage in Configuration Manager and Azure AD, and when the secret key on the app expires, you only have to refresh one key. The trade-off is that a shared app holds the union of the permissions every service needs, so a leaked secret exposes all of them at once.

When you create additional Azure services in the wizard, Configuration Manager is designed to reuse information that's common between services. This behavior saves you from entering the same information more than once.

For more information about the required app permissions and configurations for each service, see the relevant Configuration Manager article in Available services.

For more information about Azure apps, start with the following articles:

- Authentication and authorization in Azure App Service
- Web Apps overview
- Basics of Registering an Application in Azure AD
- Register your application with your Azure Active Directory tenant

Before you begin

After you decide the service to which you want to connect, refer to the table in Service details. This table provides information you need to complete the Azure Services Wizard. Have a discussion in advance with your Azure AD administrator. Decide which of the following actions to take:

- Manually create the apps in advance in the Azure portal. Then import the app details into Configuration Manager.

  Tip: For more information specific to cloud management, see Manually register Azure Active Directory apps for the cloud management gateway.

- Use Configuration Manager to directly create the apps in Azure AD. To collect the necessary data from Azure AD, review the information in the other sections of this article.

Some services require the Azure AD apps to have specific permissions. Review the information for each service to determine any required permissions. For example, before you can import a web app, an Azure administrator must first create it in the Azure portal.

When configuring the Log Analytics Connector, give your newly registered web app Contributor permission on the resource group that contains the relevant workspace. This permission allows Configuration Manager to access that workspace. When assigning the permission, search for the name of the app registration in the Add users area of the Azure portal. This process is the same as when providing Configuration Manager with permissions to Log Analytics. An Azure administrator must assign these permissions before you import the app into Configuration Manager.

Start the Azure Services wizard


1. In the Configuration Manager console, go to the Administration workspace,
expand Cloud Services, and select the Azure Services node.

2. On the Home tab of the ribbon, in the Azure Services group, select Configure
Azure Services.

3. On the Azure Services page of the Azure Services Wizard:

a. Specify a Name for the object in Configuration Manager.

b. Specify an optional Description to help you identify the service.

c. Select the Azure service that you want to connect with Configuration Manager.

4. Select Next to continue to the Azure app properties page of the Azure Services
Wizard.

Azure app properties


On the App page of the Azure Services Wizard, first select the Azure environment from
the list. Refer to the table in Service details for which environment is currently available
to the service.

The rest of the App page varies depending upon the specific service. Refer to the table
in Service details for which type of app the service uses, and which action you can use.

- If the app supports both the import and create actions, select Browse. This action opens the Server app dialog or the Client App dialog.

- If the app only supports the import action, select Import. This action opens the Import apps dialog (server) or the Import apps dialog (client).

After you specify the apps on this page, select Next to continue to the Configuration or
Discovery page of the Azure Services Wizard.

Web app
This app is the Azure AD type Web app / API, also referred to as a server app in
Configuration Manager.

Server app dialog


When you select Browse for the Web app on the App page of the Azure Services
Wizard, it opens the Server app dialog. It displays a list that shows the following
properties of any existing web apps:

- Tenant friendly name
- App friendly name
- Service Type

There are three actions you can take from the Server app dialog:

- To reuse an existing web app, select it from the list.
- Select Import to open the Import apps dialog.
- Select Create to open the Create Server Application dialog.

After you select, import or create a web app, select OK to close the Server app dialog.
This action returns to the App page of the Azure Services Wizard.

Import apps dialog (server)


When you select Import from the Server app dialog or the App page of the Azure
Services Wizard, it opens the Import apps dialog. This page lets you enter information
about an Azure AD web app that is already created in the Azure portal. It imports
metadata about that web app into Configuration Manager. Specify the following
information:

- Azure AD Tenant Name: The name of your Azure AD tenant.
- Azure AD Tenant ID: The GUID of your Azure AD tenant.
- Application Name: A friendly name for the app, the display name in the app registration.
- Client ID: The Application (client) ID value of the app registration. The format is a standard GUID.
- Secret Key: You have to copy the secret key when you register the app in Azure AD. Azure AD shows the value only once, when the secret is created.
- Secret Key Expiry: Select a future date from the calendar. Use the secret's actual end date from the app registration; Configuration Manager doesn't read it from Azure AD for an imported app.
- App ID URI: This value needs to be unique in your Azure AD tenant. It's in the access token used by the Configuration Manager client to request access to the service. The value is the Application ID URI of the app registration entry in the Azure AD portal.

After entering the information, select Verify. Then select OK to close the Import apps
dialog. This action returns to either the App page of the Azure Services Wizard, or the
Server app dialog.

Important: When you use an imported Azure AD app, you aren't notified of an upcoming expiration date from console notifications. Track the expiry date yourself, for example with a scheduled check against the app registration in Azure AD.

Create Server Application dialog

When you select Create from the Server app dialog, it opens the Create Server
Application dialog. This page automates the creation of a web app in Azure AD. Specify
the following information:

- Application Name: A friendly name for the app.

- HomePage URL: This value isn't used by Configuration Manager, but required by Azure AD. By default this value is https://ConfigMgrService.

- App ID URI: This value needs to be unique in your Azure AD tenant. It's in the access token used by the Configuration Manager client to request access to the service. By default this value is https://ConfigMgrService. Change the default to one of the following recommended formats:
  - api://{tenantId}/{string}, for example, api://5e97358c-d99c-4558-af0c-de7774091dda/ConfigMgrService
  - https://{verifiedCustomerDomain}/{string}, for example, https://contoso.onmicrosoft.com/ConfigMgrService

- Secret Key validity period: choose either 1 year or 2 years from the drop-down list. One year is the default value.

  Note: You may see an option for Never, but Azure AD no longer supports it. If you previously selected this option, the expiration date is now set for 99 years from the date you created it.

Select Sign in to authenticate to Azure as an administrative user. These credentials aren't saved by Configuration Manager. This persona doesn't require permissions in Configuration Manager, and doesn't need to be the same account that runs the Azure Services Wizard. After successfully authenticating to Azure, the page shows the Azure AD Tenant Name for reference.

Select OK to create the web app in Azure AD and close the Create Server Application dialog. This action returns to the Server app dialog.

Note: If you have an Azure AD Conditional Access policy that applies to All cloud apps, you must exclude the created server application from this policy. For more information on how to exclude specific apps, see the Azure AD Conditional Access documentation.

Native Client app


This app is the Azure AD type Native, also referred to as a client app in Configuration
Manager.

Client App dialog


When you select Browse for the Native Client app on the App page of the Azure
Services Wizard, it opens the Client App dialog. It displays a list that shows the following
properties of any existing native apps:

- Tenant friendly name
- App friendly name
- Service Type

There are three actions you can take from the Client App dialog:

- To reuse an existing native app, select it from the list.
- Select Import to open the Import apps dialog.
- Select Create to open the Create Client Application dialog.

After you select, import or create a native app, choose OK to close the Client App
dialog. This action returns to the App page of the Azure Services Wizard.

Import apps dialog (client)

When you select Import from the Client App dialog, it opens the Import apps dialog.
This page lets you enter information about an Azure AD native app that is already
created in the Azure portal. It imports metadata about that native app into
Configuration Manager. Specify the following information:

- Application Name: A friendly name for the app.
- Client ID: The Application (client) ID value of the app registration. The format is a standard GUID.

After entering the information, select Verify. Then select OK to close the Import apps dialog. This action returns to the Client App dialog.

Tip: When you register the app in Azure AD, you may need to manually specify the following Redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/<ClientID>. Specify the app's client ID GUID, for example: ms-appx-web://Microsoft.AAD.BrokerPlugin/a26a653e-17aa-43eb-ab36-0e36c7d29f49.

Create Client Application dialog


When you select Create from the Client App dialog, it opens the Create Client
Application dialog. This page automates the creation of a native app in Azure AD.
Specify the following information:

- Application Name: A friendly name for the app.
- Reply URL: This value isn't used by Configuration Manager, but required by Azure AD. By default this value is https://ConfigMgrService.

Select Sign in to authenticate to Azure as an administrative user. These credentials aren't saved by Configuration Manager. This persona doesn't require permissions in Configuration Manager, and doesn't need to be the same account that runs the Azure Services Wizard. After successfully authenticating to Azure, the page shows the Azure AD Tenant Name for reference.

Select OK to create the native app in Azure AD and close the Create Client Application
dialog. This action returns to the Client App dialog.
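For the "create the apps in advance, then import" path described under Before you begin, the following script is an added example, not from the Configuration Manager documentation or product, that registers both apps with the Microsoft.Graph PowerShell module so an Azure AD administrator can produce exactly the values the Import apps dialogs (server and client) ask for. It applies the recommended api://{tenantId}/{string} App ID URI format, a one-year secret, and the broker Redirect URI from the tip above. Display names, the "ConfigMgrService" string, and the assumption that the signed-in account may create app registrations are placeholders.

```powershell
# Added example (not from the Configuration Manager documentation).
# Assumes: the Microsoft.Graph.Applications module is installed and the
# signed-in account is allowed to create app registrations in the tenant.
Connect-MgGraph -Scopes "Application.ReadWrite.All" -NoWelcome
$tenantId = (Get-MgContext).TenantId

# --- Server app (Web app / API). The App ID URI follows the recommended
#     api://{tenantId}/{string} form, which is guaranteed unique in the tenant.
$server = New-MgApplication -DisplayName "ConfigMgr Server App" `
    -SignInAudience "AzureADMyOrg" `
    -IdentifierUris @("api://$tenantId/ConfigMgrService") `
    -Web @{ HomePageUrl = "https://ConfigMgrService" }   # required by Azure AD, unused by ConfigMgr

# One-year secret, matching the wizard's default validity period. Azure AD
# returns the value once; it goes straight into the Import apps dialog (or a
# vault), never into a script or ticket.
$secret = Add-MgApplicationPassword -ApplicationId $server.Id -PasswordCredential @{
    DisplayName = "ConfigMgr import"
    EndDateTime = (Get-Date).AddYears(1)
}

# --- Client app (Native). The broker Redirect URI embeds the client's own
#     application (client) ID, so it can only be set after the object exists.
$client = New-MgApplication -DisplayName "ConfigMgr Client App" -SignInAudience "AzureADMyOrg"
Update-MgApplication -ApplicationId $client.Id -PublicClient @{
    RedirectUris = @("ms-appx-web://Microsoft.AAD.BrokerPlugin/$($client.AppId)")
}

# Everything the two Import apps dialogs need, in one object.
[pscustomobject]@{
    TenantId       = $tenantId
    ServerClientId = $server.AppId
    ServerAppIdUri = $server.IdentifierUris[0]
    SecretKeyId    = $secret.KeyId
    SecretExpiry   = $secret.EndDateTime
    ClientAppId    = $client.AppId
}
Write-Host "Server app secret (shown once, store securely): $($secret.SecretText)"
```

Two things this script deliberately leaves to the Azure AD administrator, because they're service-specific: granting and consenting to the API permissions each service requires (see the per-service articles), and excluding the server app from any Conditional Access policy that targets All cloud apps, as the note above requires. Record the SecretExpiry value: for an imported app the console won't warn you when it approaches.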

Configuration or Discovery
After specifying the web and native apps on the Apps page, the Azure Services Wizard
proceeds to either a Configuration or Discovery page, depending upon the service to
which you're connecting. The details of this page vary from service to service. For more
information, see one of the following articles:

- Cloud Management service, Discovery page: Configure Azure AD User Discovery
- Log Analytics Connector service, Configuration page: Configure the connection to Log Analytics
- Microsoft Store for Business service, Configuration page: Configure Microsoft Store for Business synchronization

Finally, complete the Azure Services Wizard through the Summary, Progress, and
Completion pages. You've completed the configuration of an Azure service in
Configuration Manager. Repeat this process to configure other Azure services.

Update application settings


To allow your Configuration Manager clients to request an Azure AD device token and
to enable the Reading directory data permissions, you need to update the web server
application settings.

1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Azure Active Directory Tenants node.

2. Select the Azure AD tenant for the application you want to update.

3. In the Applications section, select your Azure AD web server application, then select Update Application Settings from the ribbon.

4. When prompted for confirmation, select Yes to confirm you want to update the application with the latest settings.

Renew secret key


You need to renew the Azure AD app's secret key before the end of its validity period. If
you let the key expire, Configuration Manager can't authenticate with Azure AD, which
will cause your connected Azure services to stop working.

Starting in version 2006, the Configuration Manager console displays notifications for the following circumstances:

- One or more Azure AD app secret keys will expire soon
- One or more Azure AD app secret keys have expired

To mitigate both cases, renew the secret key.

For more information on how to interact with these notifications, see Configuration Manager console notifications.

Note: You need to have at least the Cloud Application Administrator Azure AD role assigned to be able to renew the key.

Renew key for created app


1. In the Configuration Manager console, go to the Administration workspace,
expand Cloud Services, and select the Azure Active Directory Tenants node.

2. On the Details pane, select the Azure AD tenant for the app.

3. In the ribbon, select Renew Secret Key. Enter the credentials of either the app
owner or an Azure AD administrator.

Renew key for imported app

If you imported the Azure app in Configuration Manager, use the Azure portal to renew. Note the new secret key and expiry date. Add this information on the Renew Secret Key wizard.

Note: Save the secret key before closing the Azure application properties Key page. This information is removed when you close the page.
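Because an imported app gets no console expiry notification, the following added example (not from the Configuration Manager documentation) reads the secret credentials of the imported app registrations straight from Azure AD with the Microsoft.Graph module and reports which ones are expired or inside a warning window. The function name, the default app display name, and the 30-day window are assumptions; schedule it, or fold the output into whatever monitoring already watches the site.

```powershell
# Added example (not from the Configuration Manager documentation).
# Assumes: Microsoft.Graph.Applications is installed and the signed-in
# account can read app registrations (Application.Read.All).
function Get-ConfigMgrAppSecretStatus {
    param(
        # Display names of the app registrations you imported (placeholders).
        [string[]]$AppDisplayName = @("ConfigMgr Server App"),
        # Days before expiry at which a secret is reported as EXPIRING.
        [int]$WarnDays = 30
    )

    Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome
    $now = Get-Date

    foreach ($name in $AppDisplayName) {
        # Filter server-side; request only the properties we need.
        $apps = Get-MgApplication -Filter "displayName eq '$name'" `
            -Property "id,appId,displayName,passwordCredentials"
        if (-not $apps) { Write-Warning "No app registration named '$name'"; continue }

        foreach ($app in $apps) {
            if (-not $app.PasswordCredentials) {
                # No secret at all means the import can't authenticate either.
                [pscustomobject]@{ App = $app.DisplayName; ClientId = $app.AppId
                    Secret = $null; KeyId = $null; Expires = $null; DaysLeft = $null; State = "NO SECRET" }
                continue
            }
            foreach ($cred in $app.PasswordCredentials) {
                $daysLeft = [math]::Floor(($cred.EndDateTime - $now).TotalDays)
                $state = if ($daysLeft -lt 0)          { "EXPIRED" }
                         elseif ($daysLeft -le $WarnDays) { "EXPIRING" }
                         else                              { "OK" }
                [pscustomobject]@{
                    App      = $app.DisplayName
                    ClientId = $app.AppId      # matches the Client ID entered in the Import apps dialog
                    Secret   = $cred.DisplayName
                    KeyId    = $cred.KeyId
                    Expires  = $cred.EndDateTime
                    DaysLeft = $daysLeft
                    State    = $state
                }
            }
        }
    }
}

# Example run: anything not OK needs the Renew Secret Key wizard, with the new
# secret and expiry date copied from the portal before the Key page is closed.
Get-ConfigMgrAppSecretStatus | Sort-Object DaysLeft | Format-Table -AutoSize
```

A registration normally carries several password credentials during a rotation (old and new overlapping), so the report lists each KeyId separately; the one Configuration Manager is using is the one whose value you pasted into the wizard, and the older ones should be deleted once the site is confirmed working on the new key.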

Disable authentication
Starting in version 2010, you can disable Azure AD authentication for tenants not
associated with users and devices. When you onboard Configuration Manager to Azure
AD, it allows the site and clients to use modern authentication. Currently, Azure AD
device authentication is enabled for all onboarded tenants, whether or not it has
devices. For example, you have a separate tenant with a subscription that you use for
compute resources to support a cloud management gateway. If there aren't users or
devices associated with the tenant, disable Azure AD authentication.

1. In the Configuration Manager console, go to the Administration workspace.

2. Expand Cloud Services and select the Azure Services node.

3. Select the target connection of type Cloud Management. In the ribbon, select
Properties.

4. Switch to the Applications tab.

5. Select the option to Disable Azure Active Directory authentication for this tenant.

6. Select OK to save and close the connection properties.

Tip: It can take up to 25 hours for this change to take effect on clients. For purposes of testing, to speed up this change in behavior, use the following steps:

1. Restart the sms_executive service on the site server.
2. Restart the ccmexec service on the client.
3. Trigger the client schedule to refresh the default management point. For example, use the send schedule tool: SendSchedule {00000000-0000-0000-0000-000000000023}
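The same three steps, as an added example that is not part of the Configuration Manager documentation, run from the site server against a lab client over PowerShell remoting. It triggers the schedule through the client's SMS_Client WMI class instead of the SendSchedule tool, which does not need the toolkit installed on the client. The client name is an assumption; restarting SMS_EXECUTIVE interrupts every site component briefly, so keep this to test environments, as the tip says.

```powershell
# Added example (not from the Configuration Manager documentation).
# Assumes: run as an administrator on the site server, WinRM reachable on the
# client, and that you are testing on a lab client.
$client = "WKS01.contoso.local"   # assumed test client

# 1. Site server: restart the executive so the site picks up the change.
Restart-Service -Name SMS_EXECUTIVE -Force

# 2-3. Client: restart the agent, wait for it to come up, then trigger the
#      "Refresh Default Management Point" schedule ({...23}), the same schedule
#      ID the SendSchedule tool fires.
Invoke-Command -ComputerName $client -ScriptBlock {
    Restart-Service -Name CcmExec -Force
    Start-Sleep -Seconds 30
    Invoke-CimMethod -Namespace "root\ccm" -ClassName "SMS_Client" `
        -MethodName "TriggerSchedule" `
        -Arguments @{ sScheduleID = "{00000000-0000-0000-0000-000000000023}" }
}
```

Confirm the effect on the client in CcmMessaging.log and ClientIDManagerStartup.log, where the authentication method the client uses against the management point is recorded.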

View the configuration of an Azure service


View the properties of an Azure service you've configured for use. In the Configuration
Manager console, go to the Administration workspace, expand Cloud Services, and
select Azure Services. Select the service you want to view or edit, and then select
Properties.

If you select a service and then choose Delete in the ribbon, this action deletes the
connection in Configuration Manager. It doesn't remove the app in Azure AD. Ask your
Azure administrator to delete the app when it's no longer needed. Or run the Azure
Service Wizard to import the app.

Cloud management data flow


The following diagram is a conceptual data flow for the interaction between
Configuration Manager, Azure AD, and connected cloud services. This specific example
uses the Cloud Management service, which includes a Windows 10 client, and both
server and client apps. The flows for other services are similar.
1. The Configuration Manager administrator imports or creates the client and server
apps in Azure AD.

2. Configuration Manager Azure AD user discovery method runs. The site uses the
Azure AD server app token to query Microsoft Graph for user objects.

3. The site stores data about the user objects. For more information, see Azure AD
User Discovery.

4. The Configuration Manager client requests the Azure AD user token. The client
makes the claim using the application ID of the Azure AD client app, and the server
app as the audience. For more information, see Claims in Azure AD Security
Tokens.

5. The client authenticates with the site by presenting the Azure AD token to the
cloud management gateway and on-premises HTTPS-enabled management point.

For more detailed information, see Azure AD authentication workflow.


Uninstall roles, sites, and hierarchies in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use this article as a guide to uninstall a Configuration Manager site system role, site, or
hierarchy. You can also remove the central administration site (CAS) from a hierarchy,
but keep the primary site.

Site system role


You might want to remove a role from a site system server for the following reasons:

- Broader infrastructure change, such as network or physical locations
- Decommission the underlying server
- Consolidate roles to reduce costs and complexity
- Reconfigure or redesign the site roles
- Discontinue use of the feature that the role supports

When you decide you need to remove a role, first consider your answers to the
following questions:

Do you still need the role in the site? If so, does another site system already have
the role?

Are other site systems with this role properly sized to support your business
requirements for performance and availability?

Are all clients already reconfigured to use another role? Will you rely upon default
client behaviors to fall back or discover another server?

Procedure to remove a site system role


Use the following procedure to remove a role:

1. In the Configuration Manager console, go to the Administration workspace. Expand Site Configuration, and then select the Servers and Site System Roles node.

2. Select the site system server with the role to remove. In the Site System Roles details pane, select the target role.

3. In the ribbon, on the Site Role tab, in the Site Role group, select Remove Role. Confirm that you want to remove the role.

Additional information for specific roles


Some roles may have additional steps and considerations.

Software update point


After you remove the software update point, Configuration Manager updates the client
policy to remove the software update point from the list. When you remove the last
software update point at the site, the software update point list contains no software
update points. With no roles available, software updates management is essentially
disabled at the site.

When you have more than one software update point at a primary site, and you remove
the software update point that's the synchronization source, choose another software
update point at the site to be the new synchronization source.

Secondary site
Other than when you're decommissioning a hierarchy, the main reason to remove a
secondary site is because of a broader infrastructure change, such as network or
physical locations. Also review the reasons to choose a secondary site.

When you decide you need to remove a secondary site, first consider your answers to
the following questions:

Did you remove all site system roles from the site server?

Are any boundaries or boundary groups associated with the secondary site?
Reconfigure boundaries before removing the site.

Are any clients still at the location?

Have you configured other content management options like peer caching?

Options to delete secondary sites


You can't move or reassign a secondary site to another primary site. When you remove a
secondary site from its direct parent site, choose whether to uninstall or delete it.

Uninstall the secondary site

Use this option to remove a functional secondary site that's accessible from the network.
This option uninstalls Configuration Manager from the secondary site server. It then
deletes all information about the site and its resources from the Configuration Manager
site.

If Configuration Manager installed SQL Server Express for the secondary site,
Configuration Manager uninstalls SQL Server Express as well. If you installed SQL Server
Express before you installed the secondary site, Configuration Manager doesn't uninstall
SQL Server Express.

Delete the secondary site

Use this option in the following situations:

- It failed to install
- After you uninstall it, the Configuration Manager console still shows the secondary site

This option deletes all information about the site and its resources from the
Configuration Manager hierarchy, but doesn't make any changes on the site server.

Tip: You can also use the Hierarchy Maintenance Tool with the /DELSITE option to delete a secondary site. For more information, see Hierarchy Maintenance Tool (Preinst.exe).

Prerequisites to delete a secondary site


The administrative user that runs Configuration Manager setup needs the following security rights:

- Local Administrator rights on the secondary site server
- If the primary site database server is remote from the primary site server, local Administrator rights on the remote site database server for the primary site
- Infrastructure Administrator or Full Administrator security role on the parent primary site
- Sysadmin rights on the secondary site database

Procedure to delete a secondary site


Use the following procedure to uninstall or delete a secondary site:

1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and then select the Sites node.

2. Select the secondary site server that you want to remove. In the ribbon, on the Home tab, in the Site group, select Delete.

3. On the General page, select whether to uninstall or delete the secondary site.

4. Complete the wizard.

Primary site
You might want to uninstall a primary site from your hierarchy for the following reasons:

Consolidate sites to reduce costs and complexity


Reconfigure or redesign the sites of the hierarchy

Before you uninstall a child primary site that uses distributed views for its replication link
to the CAS, first turn off distributed views in your hierarchy. For more information, see
Uninstall a primary site that is configured with distributed views.

Plan to uninstall a primary site


Before you uninstall a primary site, review the following tasks:

- Review boundaries, boundary groups, and fallback relationships. If you assign clients to a new site, but don't change the boundaries, they may be considered roaming. For more information, see Define site boundaries and boundary groups.

- Make sure all active clients are reassigned to another primary site in the hierarchy. Otherwise clients will be unmanaged after you uninstall the site. For more information, see How to assign clients to a site.
  - Review the list of site roles to make sure the new site provides the same level of service. Make sure that you've properly sized the other site systems with this role in the other site. They will need to support your business requirements for performance and availability with the additional clients.
  - If this site has lots of clients, reassign them in stages. Monitor database replication as clients refresh full inventory and other site-specific data. If you manage software updates, clients will assign to a new software update point. This behavior causes a full scan for update compliance.
  - Client reassignment may impact reports and queries that rely on inventory data, and state-based compliance. Consider temporarily adjusting any client cycles during the transition.

- Review all client assignment methods to make sure that none refers to this primary site.

- Check if any actively used objects in the hierarchy have static references to the site code. For example, collection queries, task sequences, or administrative scripts.

- If the hierarchy uses a fallback site for automatic site assignment, make sure it doesn't reference this primary site.

- Reconfigure any client installation methods that may reference a static site code.

- If this primary site has any site-specific cloud-attached services, make sure to remove them. If you still need the cloud resources, move them to another primary site in the hierarchy: remove them from the primary site that you're going to uninstall, and add them to another primary site.

- If this primary site has any discovery methods for the hierarchy, move them to another site.

- Retire any site-based OS deployment media.

- Uninstall all site system roles from the site and the site server. For more information, see Uninstall site system roles. While this preparation step isn't required, it helps identify any additional dependencies before uninstalling the site.

- Uninstall any secondary sites under this primary site. For more information, see the Secondary site section.

Prerequisites to uninstall a primary site


The administrative user that runs Configuration Manager setup needs the following security rights:

- Local Administrator rights on the CAS server
- If the CAS database server is remote from the site server, local Administrator rights on the remote site database server for the CAS
- Sysadmin rights on the CAS site database
- Local Administrator rights on the primary site server
- If the primary site database server is remote from the primary site server, local Administrator rights on the remote site database server for the primary site
- Infrastructure Administrator or Full Administrator security role on the CAS

Procedure to uninstall a primary site


You run Configuration Manager setup to uninstall a primary site that doesn't have an
associated secondary site. Use the following procedure to uninstall a primary site:

Tip: If the primary site server is no longer available, use the Hierarchy Maintenance Tool at the CAS to delete the primary site from the site database. For more information, see Hierarchy Maintenance Tool (Preinst.exe).

1. Start Configuration Manager setup on the primary site server by using one of the following methods:
   - On the Start menu, select Configuration Manager Setup.
   - In the directory for the Configuration Manager installation media, open \SMSSETUP\BIN\X64\setup.exe. Make sure this version is the same as the site version.
   - In the directory where Configuration Manager is installed, open \BIN\X64\setup.exe.

2. Review the information on the Before You Begin page.

3. On the Getting Started page, select Uninstall a Configuration Manager site.

   Important: When a secondary site is attached to the primary site, you must remove the secondary site before you can uninstall the primary site.

4. On the Uninstall the Configuration Manager Site page, both of the following options are enabled by default:
   - Remove the site database from the primary site server
   - Remove the Configuration Manager console

5. Select Yes to confirm the uninstallation of the Configuration Manager primary site.

Uninstall a primary site that uses distributed views


1. Before you uninstall a child primary site, turn off distributed views on each link in
the hierarchy between the CAS and a primary site.

2. After you turn off distributed views on each link, confirm that the data from the
primary site finishes reinitializing at the CAS. To monitor the initialization of data,
see Monitor replication.

3. After the data successfully reinitializes with the CAS, you can uninstall the primary
site.

4. When the primary site is uninstalled, you can reconfigure distributed views on links
from the CAS to other primary sites.

Important

If you uninstall the primary site before you turn off distributed views at each
site, or before the data from the primary site successfully reinitializes at the
CAS, data replication might fail.

Decommission a hierarchy
Some organizations have multiple hierarchies because of mergers, acquisitions, test
environments, or other business requirements. If you consolidate management to a
single hierarchy, this action can help reduce costs and complexity. Another reason to
decommission the hierarchy is that you're migrating to a cloud-only management
service such as Microsoft Intune, and are ready to remove your on-premises
infrastructure.
To decommission a hierarchy with multiple sites, the sequence of removal is important.
Start by uninstalling the sites at the bottom of the hierarchy and then move upward:

1. Remove secondary sites attached to primary sites.

2. Uninstall primary sites.

3. After you uninstall all primary sites, you can uninstall the CAS.

For more information, see the following sections:

Remove a secondary site
Uninstall a primary site
Uninstall the CAS

Uninstall the CAS

The final step to decommission a hierarchy is to uninstall the CAS. Run Configuration
Manager setup to uninstall a CAS that no longer has child primary sites.

Prerequisites to uninstall the CAS

The administrative user who runs Configuration Manager setup needs the following
security rights:

Local Administrator rights on the CAS server

If the CAS database server is remote from the site server, local Administrator rights
on the remote site database server for the CAS.

Procedure to uninstall the CAS

1. Start Configuration Manager setup on the CAS server by using one of the following
methods:

On the Start menu, select Configuration Manager Setup.

In the directory for the Configuration Manager installation media, open
\SMSSETUP\BIN\X64\setup.exe . Make sure this version is the same as the site
version.

In the directory where Configuration Manager is installed, open
\BIN\X64\setup.exe .

2. Review the information on the Before You Begin page.

3. On the Getting Started page, select Uninstall a Configuration Manager site.

Important

Remove all child primary sites before you uninstall the CAS.

4. On the Uninstall the Configuration Manager Site page, both of the following
options are enabled by default:

Remove the site database from the CAS server

Remove the Configuration Manager console

5. Select Yes to confirm the uninstallation of the Configuration Manager central
administration site (CAS).

Remove the CAS

If the hierarchy consists of the CAS and a single child primary site, you can remove the
CAS. This action simplifies your Configuration Manager infrastructure to a single,
standalone primary site. It removes the complexities of site-to-site replication, and
focuses your management tasks on the single site.

For more information, see Remove the CAS.


Remove the central administration site
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

If the hierarchy consists of the central administration site (CAS) and a single child
primary site, you can remove the CAS. This action simplifies your Configuration Manager
infrastructure to a single, standalone primary site. It removes the complexities of site-to-
site replication, and focuses your management tasks to the single site.

Note

This feature was first introduced in version 2002 as a pre-release feature. Starting
in version 2103, it's no longer a pre-release feature.

Configuration Manager doesn't enable this optional feature by default. You must
enable this feature before using it. For more information, see Enable optional
features from updates.

Plan
The hierarchy needs to consist of the CAS and a single child primary site. The
primary site can have secondary sites. To remove other child primary sites from the
hierarchy, review the planning steps and prerequisites to Uninstall a primary site.

Make sure your child primary site meets the size and scale requirements for a
stand-alone primary site.

Make sure to upgrade all sites to the latest released version of Configuration
Manager current branch.

Move or retire any site roles at the CAS, except the service connection point and
the software update point. Configuration Manager setup handles these two roles
when you remove the CAS.

The following roles are most common at the CAS, which you need to retire or
move to the primary site:
Asset Intelligence sync point
Endpoint Protection point
Reporting services point
Data warehouse service point
Turn off distributed views

Configuration Manager automatically handles package source locations for built-in
packages, like the Configuration Manager client. Review all other content source
locations to make sure they aren't using a share on the CAS.

Stop any active migration jobs and remove all configurations for migration. For
more information, see Stop active migration from another hierarchy.

If you have any custom status filter rules or alerts and subscriptions, recreate them
on the child primary site. Starting in version 2107, also recreate any subscriptions
for external notifications.

If you use automatic deployment rules for software updates, recreate them on the
child primary site.

If you use Configuration Manager or System Center Updates Publisher to manage
third-party software updates, export the WSUS signing certificate from the
software update point on the CAS.
Before you remove the CAS, wait for the deadlines of any required deployments
of third-party software updates. Clients pre-download content for required
deployments, and when you change the software update point, the content
hash changes with local publishing of software updates. (This behavior doesn't
impact other content types, only local publishing of third-party software
updates.) If you remove the CAS with these required deployments still in-
progress, they'll fail on clients with a hash mismatch error.

Review any third-party software that might have a dependency on the CAS.

Prerequisites
Configuration Manager version 2103 or later.

The administrative user that runs Configuration Manager setup needs the
following security rights:

Local Administrator rights on the CAS server

If the CAS database server is remote from the site server, local Administrator
rights on the remote site database server for the CAS.

Sysadmin rights on the CAS site database

Local Administrator rights on the primary site server

If the primary site database server is remote from the primary site server, local
Administrator rights on the remote site database server for the primary site.

Sysadmin rights on the primary site database

Infrastructure Administrator or Full Administrator security role on the CAS and
primary site

Only one child primary site in the hierarchy. For more information, see Uninstall a
primary site.

Process
1. Start Configuration Manager setup on the CAS server by using one of the following
methods:

On the Start menu, select Configuration Manager Setup.

In the directory for the Configuration Manager installation media, open
\SMSSETUP\BIN\X64\setup.exe . Make sure this version is the same as the site
version.

In the directory where Configuration Manager is installed, open
\BIN\X64\setup.exe .

2. Review the information on the Before You Begin page.

3. On the Getting Started page, select Perform site maintenance or reset this site.

4. On the Site Maintenance page, select Remove central administration site.

5. On the Reconfiguring Existing Site System Roles page:

Service Connection Point: Enter the fully qualified domain name of the site
system in the primary site to host this required role. For more information,
see About the service connection point.

Software Update Point: Select an existing software update point in the
primary site. Setup configures this software update point to synchronize the
same as the CAS configuration.

Setup checks that the specified servers meet the prerequisites. Select Begin Install
when you're ready to continue.

If setup comes across an issue, use the wizard to retry the process.

When setup is complete, it resets the primary site. For more information, see Run a site
reset.

Monitor and verify

Review the following logs during the setup process:

C:\ConfigMgrSetup.log on the CAS server

hman.log in the Configuration Manager logs directory on the primary site server

Use the Site Hierarchy node in the Monitoring workspace to visualize the changes to
the hierarchy. For example, the following graphic shows the before and after
comparison of the SHY CAS, HAW primary site, and VWT secondary site:

[Figure: Site Hierarchy node before and after removing the CAS]

Post-setup tasks
After you remove the CAS, review the following steps as they apply to your
environment.

Manually remove the CAS server computer account from the primary site local
groups.

The trusted root key changed, which can require additional actions:

Update OS deployment boot images to include the latest Configuration
Manager binaries.

Recreate OS deployment media.

If you enable Endpoint Analytics for devices uploaded to Microsoft Endpoint
Manager, in version 2107, re-enable this option.

If you connect Configuration Manager with Azure Monitor, you need to reset the
connection. The first step to resolve any issues is to renew the secret key. If that
doesn't resolve the issue, recreate the connection.

Important

The Log Analytics Connector was deprecated in November 2020. It's removed
from Configuration Manager in version 2107. For more information, see
Removed and deprecated features.

If you enable synchronization of Surface drivers, reconfigure this feature after you
remove the CAS. For more information, see Microsoft Surface drivers and firmware
updates.

If you manage third-party software updates:

1. Export the WSUS signing certificate from the software update point on the
CAS, if you haven't already.

2. Before you create any new deployments, remove the update from any
existing deployments and software update packages.

3. To recover software update metadata into a usable state, resynchronize
subscribed catalogs. You can also wait for Configuration Manager to
automatically resynchronize.

4. Start or wait for a normal software update sync process to update
Configuration Manager with the current status from WSUS. Optionally, use
SCUP or WSUS PowerShell cmdlets to delete and readd updates.

5. Republish content for updates that you need to deploy.


Accounts used in Configuration Manager
Article • 12/02/2022

Applies to: Configuration Manager (current branch)

Use the following information to identify the Windows groups, accounts, and SQL Server
objects that are used in Configuration Manager, how they're used, and any
requirements.

Windows groups that Configuration Manager creates and uses

ConfigMgr_CollectedFilesAccess
ConfigMgr_DViewAccess
ConfigMgr Remote Control Users
SMS Admins
SMS_SiteSystemToSiteServerConnection_MP_<sitecode>
SMS_SiteSystemToSiteServerConnection_SMSProv_<sitecode>
SMS_SiteSystemToSiteServerConnection_Stat_<sitecode>
SMS_SiteToSiteConnection_<sitecode>

Accounts that Configuration Manager uses

Active Directory group discovery account
Active Directory system discovery account
Active Directory user discovery account
Active Directory forest account
Certificate registration point account
Capture OS image account
Client push installation account
Enrollment point connection account
Exchange Server connection account
Management point connection account
Multicast connection account
Network access account
Package access account
Reporting services point account
Remote tools permitted viewer accounts
Site installation account
Site system installation account
Site system proxy server account
SMTP server connection account
Software update point connection account
Source site account
Source site database account
Task sequence domain join account
Task sequence network folder connection account
Task sequence run as account

User objects that Configuration Manager uses in SQL

smsdbuser_ReadOnly
smsdbuser_ReadWrite
smsdbuser_ReportSchema

Database roles that Configuration Manager uses in SQL

smsdbrole_AITool
smsdbrole_AIUS
smsdbrole_CRP
smsdbrole_CRPPfx
smsdbrole_DMP
smsdbrole_DmpConnector
smsdbrole_DViewAccess
smsdbrole_DWSS
smsdbrole_EnrollSvr
smsdbrole_extract
smsdbrole_HMSUser
smsdbrole_MCS
smsdbrole_MP
smsdbrole_MPMBAM
smsdbrole_MPUserSvc
smsdbrole_siteprovider
smsdbrole_siteserver
smsdbrole_SUP
smsschm_users

Windows groups that Configuration Manager creates and uses

Configuration Manager automatically creates, and in many cases automatically
maintains, the following Windows groups:

Note

When Configuration Manager creates a group on a computer that's a domain
member, the group is a local security group. If the computer is a domain controller,
the group is a domain local group. This type of group is shared among all domain
controllers in the domain.

ConfigMgr_CollectedFilesAccess
Configuration Manager uses this group to grant access to view files collected by
software inventory.

For more information, see Introduction to software inventory.

Type and location for CollectedFilesAccess

This group is a local security group created on the primary site server.

When you uninstall a site, this group isn't automatically removed. Manually delete it
after uninstalling a site.

Membership for CollectedFilesAccess

Configuration Manager automatically manages the group membership. Membership
includes administrative users that are granted the View Collected Files permission to the
Collection securable object from an assigned security role.

Permissions for CollectedFilesAccess

By default, this group has Read permission to the following folder on the site server:
C:\Program Files\Microsoft Configuration Manager\sinv.box\FileCol

ConfigMgr_DViewAccess
This group is a local security group that Configuration Manager creates on the site
database server or database replica server for a child primary site. The site creates it
when you use distributed views for database replication between sites in a hierarchy. It
contains the site server and SQL Server computer accounts of the central administration
site.

For more information, see Data transfers between sites.


ConfigMgr Remote Control Users
Configuration Manager remote tools use this group to store the accounts and groups
that you set up in the Permitted Viewers list. The site assigns this list to each client.

For more information, see Introduction to remote control.

Type and location for remote control users

This group is a local security group created on the Configuration Manager client when
the client receives a policy that enables remote tools.

After you disable remote tools for a client, this group isn't automatically removed.
Manually delete it after disabling remote tools.

Membership for remote control users

By default, there are no members in this group. When you add users to the Permitted
Viewers list, they're automatically added to this group.

Use the Permitted Viewers list to manage the membership of this group instead of
adding users or groups directly to this group.

In addition to being a permitted viewer, an administrative user must have the Remote
Control permission to the Collection object. Assign this permission by using the Remote
Tools Operator security role.

Permissions for remote control users

By default, this group doesn't have permissions to any locations on the computer. It's
used only to hold the Permitted Viewers list.

SMS Admins
Configuration Manager uses this group to grant access to the SMS Provider through
WMI. Access to the SMS Provider is required to view and change objects in the
Configuration Manager console.

Note

The role-based administration configuration of an administrative user determines
which objects they can view and manage when using the Configuration Manager
console.

For more information, see Plan for the SMS Provider.

Type and location for SMS Admins

This group is a local security group created on each computer that has an SMS Provider.

When you uninstall a site, this group isn't automatically removed. Manually delete it
after uninstalling a site.

Membership for SMS Admins

Configuration Manager automatically manages the group membership. By default, each
administrative user in a hierarchy and the site server computer account are members of
the SMS Admins group on each SMS Provider computer in a site.

Permissions for SMS Admins

You can view the rights and permissions for the SMS Admins group in the WMI Control
MMC snap-in. By default, this group is granted Enable Account and Remote Enable on
the Root\SMS WMI namespace. Authenticated users have Execute Methods, Provider
Write, and Enable Account.

When you use a remote Configuration Manager console, configure Remote Activation
DCOM permissions on both the site server computer and the SMS Provider. Grant these
rights to the SMS Admins group. This action simplifies administration instead of
granting these rights directly to users or groups. For more information, see Configure
DCOM permissions for remote Configuration Manager consoles.

SMS_SiteSystemToSiteServerConnection_MP_<sitecode>
Management points that are remote from the site server use this group to connect to
the site server. It gives the management point access to the inbox folders on the site
server, where the management point writes client data for the site to process.

Type and location for SMS_SiteSystemToSiteServerConnection_MP

This group is a local security group created on the site server.

When you uninstall a site, this group isn't automatically removed. Manually delete it
after uninstalling a site.

Membership for SMS_SiteSystemToSiteServerConnection_MP

Configuration Manager automatically manages the group membership. By default,
membership includes the computer accounts of remote computers that have a
management point for the site.

Permissions for SMS_SiteSystemToSiteServerConnection_MP

By default, this group has Read, Read & execute, and List folder contents permission to
the following folder on the site server: C:\Program Files\Microsoft Configuration
Manager\inboxes . This group also has Write permission to subfolders below inboxes, to
which the management point writes client data.

SMS_SiteSystemToSiteServerConnection_SMSProv_<sitecode>
Remote SMS Provider computers use this group to connect to the site server.

Type and location for SMS_SiteSystemToSiteServerConnection_SMSProv

This group is a local security group created on the site server.

When you uninstall a site, this group isn't automatically removed. Manually delete it
after uninstalling a site.

Membership for SMS_SiteSystemToSiteServerConnection_SMSProv

Configuration Manager automatically manages the group membership. By default,
membership includes the computer account or a domain user account. It uses this
account to connect to the site server from each remote SMS Provider.

Permissions for SMS_SiteSystemToSiteServerConnection_SMSProv

By default, this group has Read, Read & execute, and List folder contents permission to
the following folder on the site server: C:\Program Files\Microsoft Configuration
Manager\inboxes . This group also has the Write and Modify permissions to subfolders
below the inboxes. The SMS Provider requires access to these folders.

This group also has Read permission to the subfolders on the site server below
C:\Program Files\Microsoft Configuration Manager\OSD\Bin .

It also has the following permissions to the subfolders below C:\Program
Files\Microsoft Configuration Manager\OSD\boot :

Read
Read & execute
List folder contents
Write
Modify

SMS_SiteSystemToSiteServerConnection_Stat_<sitecode>
The file dispatch manager component on Configuration Manager remote site system
computers uses this group to connect to the site server.

Type and location for SMS_SiteSystemToSiteServerConnection_Stat

This group is a local security group created on the site server.

When you uninstall a site, this group isn't automatically removed. Manually delete it
after uninstalling a site.

Membership for SMS_SiteSystemToSiteServerConnection_Stat

Configuration Manager automatically manages the group membership. By default,
membership includes the computer account or the domain user account. It uses this
account to connect to the site server from each remote site system that runs the file
dispatch manager.

Permissions for SMS_SiteSystemToSiteServerConnection_Stat

By default, this group has Read, Read & execute, and List folder contents permission to
the following folder and its subfolders on the site server: C:\Program Files\Microsoft
Configuration Manager\inboxes .

This group also has the Write and Modify permissions to the following folder on the
site server: C:\Program Files\Microsoft Configuration Manager\inboxes\statmgr.box .

SMS_SiteToSiteConnection_<sitecode>
Configuration Manager uses this group to enable file-based replication between sites in
a hierarchy. For each remote site that directly transfers files to this site, this group has
accounts set up as a File Replication Account.

Type and location for SMS_SiteToSiteConnection

This group is a local security group created on the site server.

Membership for SMS_SiteToSiteConnection

When you install a new site as a child of another site, Configuration Manager
automatically adds the computer account of the new site server to this group on the
parent site server. Configuration Manager also adds the parent site's computer account
to the group on the new site server. If you specify another account for file-based
transfers, add that account to this group on the destination site server.

When you uninstall a site, this group isn't automatically removed. Manually delete it
after uninstalling a site.

Permissions for SMS_SiteToSiteConnection

By default, this group has Full control to the following folder: C:\Program
Files\Microsoft Configuration Manager\inboxes\despoolr.box\receive .
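Two tasks in this section call for the same check: none of the groups above is removed when a site is uninstalled, and after you remove the CAS you must manually remove the CAS computer account from the primary site's local groups. The following PowerShell script is an added example, not code from the Configuration Manager documentation or product. It reports the site-server groups listed above with their members, cross-checks the NTFS ACL on the inboxes folder, and can remove one principal from every group that contains it. The site code PS1 and the principal CONTOSO\CAS01$ are placeholders; reading the install directory from the SMS Identification registry key is an assumption about the environment. ConfigMgr Remote Control Users is omitted because it exists on clients, not on the site server.

```powershell
# Added example: not part of the Configuration Manager documentation.
# Run in an elevated PowerShell session on the site server.
# Assumptions: site code 'PS1' and principal 'CONTOSO\CAS01$' are placeholders;
# the install directory is read from HKLM\SOFTWARE\Microsoft\SMS\Identification.

function Get-CMSiteGroupReport {
    param([Parameter(Mandatory)][string]$SiteCode)

    # Group names from the page, with <sitecode> filled in.
    $names = @(
        'ConfigMgr_CollectedFilesAccess',
        'ConfigMgr_DViewAccess',
        'SMS Admins',
        "SMS_SiteSystemToSiteServerConnection_MP_$SiteCode",
        "SMS_SiteSystemToSiteServerConnection_SMSProv_$SiteCode",
        "SMS_SiteSystemToSiteServerConnection_Stat_$SiteCode",
        "SMS_SiteToSiteConnection_$SiteCode"
    )

    foreach ($name in $names) {
        $group = Get-LocalGroup -Name $name -ErrorAction SilentlyContinue
        if (-not $group) {
            # A leftover group from a previous site would show up here as Exists = $true;
            # after an uninstall, every group should be absent.
            [pscustomobject]@{ Group = $name; Exists = $false; Members = @() }
            continue
        }
        # Get-LocalGroupMember fails on orphaned SIDs (deleted accounts);
        # SilentlyContinue keeps the report going, so inspect such groups by hand.
        $members = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Name })
        [pscustomobject]@{ Group = $name; Exists = $true; Members = $members }
    }
}

function Remove-CMSiteGroupPrincipal {
    # Removes one principal (for example a decommissioned CAS computer account)
    # from every Configuration Manager group that contains it. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$Principal   # e.g. 'CONTOSO\CAS01$'
    )
    foreach ($entry in Get-CMSiteGroupReport -SiteCode $SiteCode) {
        # -contains compares strings case-insensitively in PowerShell.
        if ($entry.Exists -and ($entry.Members -contains $Principal)) {
            if ($PSCmdlet.ShouldProcess($entry.Group, "Remove member $Principal")) {
                Remove-LocalGroupMember -Group $entry.Group -Member $Principal
            }
        }
    }
}

function Get-CMInboxesAcl {
    # Cross-checks the NTFS ACL on <install dir>\inboxes: only the SMS_* groups
    # above (plus the usual SYSTEM/Administrators entries) should appear.
    $id = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Identification' -ErrorAction Stop
    $acl = Get-Acl -Path (Join-Path $id.'Installation Directory' 'inboxes')
    $acl.Access |
        Where-Object { $_.IdentityReference -like '*\SMS_*' -or $_.IdentityReference -like 'SMS_*' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Usage with placeholder values:
Get-CMSiteGroupReport -SiteCode 'PS1' | Format-Table -AutoSize
Get-CMInboxesAcl | Format-Table -AutoSize
# Dry run first, then the real removal of the old CAS computer account:
Remove-CMSiteGroupPrincipal -SiteCode 'PS1' -Principal 'CONTOSO\CAS01$' -WhatIf
# Remove-CMSiteGroupPrincipal -SiteCode 'PS1' -Principal 'CONTOSO\CAS01$'
```

Run the report before and after an uninstall or CAS removal and keep the output as evidence: a group that still exists, or a member that still names a retired site server, is a path back into the inboxes folders that nothing in the product will clean up for you.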

Accounts that Configuration Manager uses

You can set up the following accounts for Configuration Manager.

Tip

Don't use the percentage character ( % ) in the password for accounts that you
specify in the Configuration Manager console. The account will fail to authenticate.

Active Directory group discovery account

The site uses the Active Directory group discovery account to discover the following
objects from the locations in Active Directory Domain Services that you specify:

Local, global, and universal security groups
The membership within these groups
The membership within distribution groups

Distribution groups aren't discovered as group resources.

This account can be a computer account of the site server that runs discovery, or a
Windows user account. It must have Read access permission to the Active Directory
locations that you specify for discovery.

For more information, see Active Directory group discovery.

Active Directory system discovery account

The site uses the Active Directory system discovery account to discover computers
from the locations in Active Directory Domain Services that you specify.

This account can be a computer account of the site server that runs discovery, or a
Windows user account. It must have Read access permission to the Active Directory
locations that you specify for discovery.

For more information, see Active Directory system discovery.

Active Directory user discovery account

The site uses the Active Directory user discovery account to discover user accounts
from the locations in Active Directory Domain Services that you specify.

This account can be a computer account of the site server that runs discovery, or a
Windows user account. It must have Read access permission to the Active Directory
locations that you specify for discovery.

For more information, see Active Directory user discovery.

Active Directory forest account

The site uses the Active Directory forest account to discover network infrastructure
from Active Directory forests. Central administration sites and primary sites also use it to
publish site data to Active Directory Domain Services for a forest.

Note

Secondary sites always use the secondary site server computer account to publish
to Active Directory.

To discover and publish to untrusted forests, the Active Directory forest account must be
a global account. If you don't use the computer account of the site server, you can select
only a global account.

This account must have Read permissions to each Active Directory forest where you
want to discover network infrastructure.

This account must have Full Control permissions to the System Management container
and all its child objects in each Active Directory forest where you want to publish site
data. For more information, see Prepare Active Directory for site publishing.

For more information, see Active Directory forest discovery.

Certificate registration point account

Warning

Starting in version 2203, the certificate registration point is no longer supported.
For more information, see Frequently asked questions about resource access
deprecation.

The certificate registration point uses the Certificate registration point account to
connect to the Configuration Manager database. It uses its computer account by
default, but you can configure a user account instead. When the certificate registration
point is in an untrusted domain from the site server, you must specify a user account.
This account requires only Read access to the site database, because the state message
system handles write tasks.

For more information, see Introduction to certificate profiles.

Capture OS image account

When you capture an OS image, Configuration Manager uses the Capture OS image
account to access the folder where you store captured images. If you add the Capture
OS Image step to a task sequence, this account is required.

The account must have Read and Write permissions on the network share where you
store captured images.

If you change the password for the account in Windows, update the task sequence with
the new password. The Configuration Manager client receives the new password when it
next downloads the client policy.
If you need to use this account, create one domain user account. Grant it minimal
permissions to access the required network resources, and use it for all capture task
sequences.

Important

Don't assign interactive sign-in permissions to this account.

Don't use the network access account for this account.

For more information, see Create a task sequence to capture an OS.

Client push installation account

When you deploy clients by using the client push installation method, the site uses the
Client push installation account to connect to computers and install the Configuration
Manager client software. If you don't specify this account, the site server tries to use its
computer account.

This account must be a member of the local Administrators group on the target client
computers. This account doesn't require Domain Admin rights.

You can specify more than one client push installation account. Configuration Manager
tries each one in turn until one succeeds.

Tip

If you have a large Active Directory environment and need to change this account,
use the following process to more effectively coordinate this account update:

1. Create a new account with a different name.
2. Add the new account to the list of client push installation accounts in
Configuration Manager.
3. Allow sufficient time for Active Directory Domain Services to replicate the new
account.
4. Then remove the old account from Configuration Manager and Active
Directory Domain Services.

Important

Use domain or local group policy to assign the Windows user right to Deny log on
locally. As a member of the Administrators group, this account will have the right
to sign in locally, which isn't needed. For better security, explicitly deny the right for
this account. The deny right supersedes the allow right.

For more information, see Client push installation.

Enrollment point connection account

The enrollment point uses the Enrollment point connection account to connect to the
Configuration Manager site database. It uses its computer account by default, but you
can configure a user account instead. When the enrollment point is in an untrusted
domain from the site server, you must specify a user account. This account requires
Read and Write access to the site database.

For more information, see Install site system roles for on-premises MDM.

Exchange Server connection account

The site server uses the Exchange Server connection account to connect to the
specified Exchange Server. It uses this connection to find and manage mobile devices
that connect to Exchange Server. This account requires Exchange PowerShell cmdlets
that provide the required permissions to the Exchange Server computer. For more
information about the cmdlets, see Install and configure the Exchange connector.

Management point connection account

The management point uses the Management point connection account to connect to
the Configuration Manager site database. It uses this connection to send and retrieve
information for clients. The management point uses its computer account by default,
but you can configure a user account instead. When the management point is in an
untrusted domain from the site server, you must specify a user account.

Create the account as a low-right local account on the computer that runs Microsoft
SQL Server.

Important

Don't grant interactive sign-in rights to this account.

Multicast connection account
Multicast-enabled distribution points use the Multicast connection account to read
information from the site database. The server uses its computer account by default, but
you can configure a user account instead. When the site database is in an untrusted
forest, you must specify a user account. For example, if your data center has a perimeter
network in a forest other than the site server and site database, use this account to read
the multicast information from the site database.

If you need this account, create it as a low-right local account on the computer that runs
Microsoft SQL Server.

Important

Don't grant interactive sign-in rights to this account.

For more information, see Use multicast to deploy Windows over the network.

Network access account

Client computers use the network access account when they can't use their local
computer account to access content on distribution points. It mostly applies to
workgroup clients and computers from untrusted domains. This account is also used
during OS deployment, when the computer that's installing the OS doesn't yet have a
computer account on the domain.

Important

The network access account is never used as the security context to run programs,
install software updates, or run task sequences. It's used only for accessing
resources on the network.

A Configuration Manager client first tries to use its computer account to download the
content. If it fails, it then automatically tries the network access account.

If you configure the site for HTTPS or Enhanced HTTP, a workgroup or Azure AD-joined
client can securely access content from distribution points without the need for a
network access account. This behavior includes OS deployment scenarios with a task
sequence running from boot media, PXE, or Software Center. For more information, see
Client to management point communication.

Note

If you enable Enhanced HTTP to not require the network access account, the
distribution point needs to be running Windows Server 2012 or later.

Permissions for the network access account


Grant this account the minimum appropriate permissions on the content that the client
requires to access the software. The account must have the Access this computer from
the network right on the distribution point. You can configure up to 10 network access
accounts per site.

Create the account in any domain that provides the necessary access to resources. The
network access account must always include a domain name. Pass-through security isn't
supported for this account. If you have distribution points in multiple domains, create
the account in a trusted domain.

Tip

To avoid account lockouts, don't change the password on an existing network
access account. Instead, create a new account and set up the new account in
Configuration Manager. When sufficient time has passed for all clients to have
received the new account details, remove the old account from the network shared
folders and delete the account.

Important

Don't grant interactive sign-in rights to this account.

Don't grant this account the right to join computers to the domain. If you must join
computers to the domain during a task sequence, use the Task sequence domain
join account.

Configure the network access account


1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node. Then select the site.
2. On the Settings group of the ribbon, select Configure Site Components, and
choose Software Distribution.

3. Choose the Network access account tab. Set up one or more accounts, and then
choose OK.

Actions that require the network access account

The network access account is still required for the following actions (including eHTTP &
PKI scenarios):

Multicast. For more information, see Use multicast to deploy Windows over the
network.

Task sequence deployment option to Access content directly from a distribution
point when needed by the running task sequence. For more information, see Task
sequence deployment options.

Request State Store task sequence step. If the task sequence can't communicate
with the state migration point using the device's computer account, it falls back to
use the network access account. For more information, see Request State Store.

Apply OS Image task sequence step option to Access content directly from the
distribution point. This option is primarily for Windows Embedded scenarios with
low disk space where caching content to the local disk is costly. For more
information, see Access content directly from the distribution point.

Task Sequence properties setting to Run another program first. This setting runs a
package and program from a network share before the task sequence starts. For
more information, see Task sequences properties: Advanced tab.

Managing clients in untrusted domains and cross-forest scenarios allows multiple
network access accounts.

Package access account


A Package access account lets you set NTFS permissions to specify the users and user
groups that can access package content on distribution points. By default, Configuration
Manager grants access only to the generic access accounts User and Administrator. You
can control access for client computers by using other Windows accounts or groups.
Mobile devices always retrieve package content anonymously, so they don't use a
package access account.

By default, when Configuration Manager copies the content files to a distribution point,
it grants Read access to the local Users group, and Full Control to the local
Administrators group. The actual permissions required depend on the package. If you
have clients in workgroups or in untrusted forests, those clients use the network access
account to access the package content. Make sure that the network access account has
permissions to the package by using the defined package access accounts.

Use accounts in a domain that can access the distribution points. If you create or modify
the account after you create the package, you must redistribute the package. Updating
the package doesn't change the NTFS permissions on the package.

You don't have to add the network access account as a package access account, because
membership of the Users group adds it automatically. Restricting the package access
account to only the network access account doesn't prevent clients from accessing the
package.

Manage package access accounts


1. In the Configuration Manager console, go to the Software Library workspace.

2. In the Software Library workspace, determine the type of content for which you
want to manage access accounts, and follow the steps provided:

Application: Expand Application Management, choose Applications, and
then select the application for which to manage access accounts.

Package: Expand Application Management, choose Packages, and then
select the package for which to manage access accounts.

Software update deployment package: Expand Software Updates, choose
Deployment Packages, and then select the deployment package for which to
manage access accounts.

Driver package: Expand Operating Systems, choose Driver Packages, and
then select the driver package for which to manage access accounts.

OS image: Expand Operating Systems, choose Operating System Images,
and then select the operating system image for which to manage access
accounts.

OS upgrade package: Expand Operating Systems, choose Operating system
upgrade packages, and then select the OS upgrade package for which to
manage access accounts.

Boot image: Expand Operating Systems, choose Boot Images, and then
select the boot image for which to manage access accounts.

3. Right-click the selected object, and then choose Manage Access Accounts.

4. In the Add Account dialog box, specify the account type that will be granted
access to the content, and then specify the access rights associated with the
account.

Note

When you add a user name for the account, and Configuration Manager finds
both a local user account and a domain user account with that name,
Configuration Manager sets access rights for the domain user account.

Reporting services point account


SQL Server Reporting Services uses the Reporting services point account to retrieve the
data for Configuration Manager reports from the site database. The Windows user
account and password that you specify are encrypted and stored in the SQL Server
Reporting Services database.

Note

The account you specify must have Log on locally permissions on the computer
hosting the SQL Server Reporting Services database.

The account is automatically granted all necessary rights by being added to the
smsschm_users SQL Server Database Role on the Configuration Manager database.

For more information, see Introduction to reporting.

Remote tools permitted viewer accounts


The accounts that you specify as Permitted Viewers for remote control are a list of users
who are allowed to use remote tools functionality on clients.

For more information, see Introduction to remote control.

Site installation account


Use a domain user account to sign in to the server where you run Configuration
Manager setup and install a new site.

This account requires the following rights:

Administrator on the following servers:


The site server
Each server that hosts the site database
Each instance of the SMS Provider for the site

Sysadmin on the instance of SQL Server that hosts the site database

Configuration Manager setup automatically adds this account to the SMS Admins
group.

After installation, this account is the only user with rights to the Configuration Manager
console. If you need to remove this account, make sure to add its rights to another user
first.

When expanding a standalone site to include a central administration site, this account
requires either Full Administrator or Infrastructure Administrator role-based
administration rights at the standalone primary site.

Site system installation account


The site server uses the Site system installation account to install, reinstall, uninstall,
and set up site systems. If you set up the site system to require the site server to initiate
connections to this site system, Configuration Manager also uses this account to pull
data from the site system after it installs the site system and any roles. Each site system
can have a different installation account, but you can set up only one installation
account to manage all roles on that site system.

This account requires local administrative permissions on the target site systems.
Additionally, this account must have Access this computer from the network in the
security policy on the target site systems.

Important

If you are specifying an account in a remote domain or forest, be sure to specify the
domain FQDN before the user name, and not just the domain NetBIOS name. For
example, specify Corp.Contoso.com\UserName instead of just Corp\UserName. This
allows Configuration Manager to use Kerberos when the account is used to
authenticate to the remote site system. Using the FQDN often fixes authentication
failures resulting from recent hardening changes around NTLM in Windows
monthly updates.

Tip

If you have many domain controllers and these accounts are used across domains,
before you set up the site system, check that Active Directory has replicated these
accounts.

When you specify a local account on each site system to be managed, this
configuration is more secure than using domain accounts. It limits the damage that
attackers can do if the account is compromised. However, domain accounts are
easier to manage. Consider the trade-off between security and effective
administration.

Site system proxy server account


The following site system roles use the Site system proxy server account to access the
internet via a proxy server or firewall that requires authenticated access:

Asset Intelligence synchronization point
Exchange Server connector
Service connection point
Software update point

Important

Specify an account that has the least possible permissions for the required proxy
server or firewall.

For more information, see Proxy server support.

SMTP server connection account


The site server uses the SMTP server connection account to send email alerts when the
SMTP server requires authenticated access.

Important

Specify an account that has the least possible permissions to send emails.

For more information, see Configure alerts.

Software update point connection account


The site server uses the Software update point connection account for the following
two software update services:

Windows Server Update Services (WSUS), which sets up settings like product
definitions, classifications, and upstream settings.

WSUS Synchronization Manager, which requests synchronization to an upstream
WSUS server or Microsoft Update.

The site system installation account can install components for software updates, but it
can't perform software update-specific functions on the software update point. If you
can't use the site server computer account for this functionality because the software
update point is in an untrusted forest, you must specify this account in addition to the
site system installation account.

This account must be a local administrator on the computer where you install WSUS. It
must also be part of the local WSUS Administrators group.

For more information, see Plan for software updates.

Source site account


The migration process uses the Source site account to access the SMS Provider of the
source site. This account requires Read permissions to site objects in the source site to
gather data for migration jobs.

If you have Configuration Manager 2007 distribution points or secondary sites with
colocated distribution points, when you upgrade them to Configuration Manager
(current branch) distribution points, this account must also have Delete permissions to
the Site class. This permission is to successfully remove the distribution point from the
Configuration Manager 2007 site during the upgrade.

Note

Both the source site account and the source site database account are identified as
Migration Manager in the Accounts node of the Administration workspace in the
Configuration Manager console.

For more information, see Migrate data between hierarchies.

Source site database account


The migration process uses the Source site database account to access the SQL Server
database for the source site. To gather data from the SQL Server database of the source
site, the source site database account must have the Read and Execute permissions to
the source site's SQL Server database.

If you use the Configuration Manager (current branch) computer account, make sure
that all the following are true for this account:

It's a member of the Distributed COM Users security group in the same domain as
the Configuration Manager 2012 site
It's a member of the SMS Admins security group
It has the Read permission to all Configuration Manager 2012 objects

Note

Both the source site account and the source site database account are identified as
Migration Manager in the Accounts node of the Administration workspace in the
Configuration Manager console.

For more information, see Migrate data between hierarchies.

Task sequence domain join account


Windows Setup uses the Task sequence domain join account to join a newly imaged
computer to a domain. This account is required by the Join Domain or Workgroup task
sequence step with the Join a domain option. This account can also be set up with the
Apply Network Settings step, but it isn't required.

This account requires the Domain Join right in the target domain.

Tip

Create one domain user account with the minimal permissions to join the domain,
and use it for all task sequences.

Important

Don't assign interactive sign-in permissions to this account.

Don't use the network access account for this account.

Task sequence network folder connection account


The task sequence engine uses the Task sequence network folder connection account
to connect to a shared folder on the network. This account is required by the Connect to
Network Folder task sequence step.

This account requires permissions to access the specified shared folder. It must be a
domain user account.

Tip

Create one domain user account with minimal permissions to access the required
network resources, and use it for all task sequences.

Important

Don't assign interactive sign-in permissions to this account.

Don't use the network access account for this account.

Task sequence run as account


The task sequence engine uses the Task sequence run as account to run command lines
or PowerShell Scripts with credentials other than the Local System account. This account
is required by the Run Command Line and Run PowerShell Script task sequence steps
with the option Run this step as the following account chosen.

Set up the account to have the minimum permissions required to run the command line
that you specify in the task sequence. The account requires interactive sign-in rights. It
usually requires the ability to install software and access network resources. For the Run
PowerShell Script task, this account requires local administrator permissions.

Important

Don't use the network access account for this account.


Never make the account a domain admin.

Never set up roaming profiles for this account. When the task sequence runs, it
downloads the roaming profile for the account. This leaves the profile vulnerable to
access on the local computer.

Limit the scope of the account. For example, create different task sequence run as
accounts for each task sequence. Then if one account is compromised, only the
client computers to which that account has access are compromised.

If the command line requires administrative access on the computer, consider
creating a local administrator account solely for this account on all computers that
run the task sequence. Delete the account once you no longer need it.
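An added configuration check, not code from the article or from Configuration Manager, that applies three account rules stated above: the network access account must include a domain name, a site system installation account in a remote domain should use the domain FQDN so Kerberos can be used, and the task sequence accounts must never be the network access account (the multicast guidance to use a local account on the SQL Server host is reported as well). The role keys and the sample account names are constructed for this example.

```python
import re
from typing import Dict, List

# Down-level logon name DOMAIN\user; the domain part may be NetBIOS or FQDN.
_DOWNLEVEL = re.compile(r"^(?P<domain>[^\\@/]+)\\(?P<user>[^\\@/]+)$")

# Task sequence accounts that must not be the network access account
# (hypothetical role keys used only by this example).
NEVER_NAA_ROLES = (
    "task_sequence_domain_join",
    "task_sequence_network_folder",
    "task_sequence_run_as",
)


def classify(account: str) -> str:
    """Classify an account string as no_domain, local (.\\user), netbios or fqdn."""
    m = _DOWNLEVEL.match(account.strip())
    if m is None:
        return "no_domain"
    domain = m.group("domain")
    if domain == ".":
        return "local"
    return "fqdn" if "." in domain else "netbios"


def lint_accounts(accounts: Dict[str, str]) -> List[str]:
    """Return findings for a role -> account mapping, in the order checked."""
    findings: List[str] = []
    naa = accounts.get("network_access")

    # The network access account must always include a domain name.
    if naa is not None and classify(naa) in ("no_domain", "local"):
        findings.append("network_access: account must include a domain name "
                        "(pass-through security is not supported)")

    # A site system installation account should carry the domain FQDN so that
    # Kerberos, not NTLM, is used against the remote site system.
    install = accounts.get("site_system_installation")
    if install is not None and classify(install) == "netbios":
        findings.append("site_system_installation: specify the domain FQDN "
                        "(Corp.Contoso.com\\UserName, not Corp\\UserName) so Kerberos is used")

    # Task sequence accounts must not reuse the network access account.
    # Down-level names are case-insensitive, so compare case-folded.
    if naa is not None:
        for role in NEVER_NAA_ROLES:
            acct = accounts.get(role)
            if acct is not None and acct.strip().casefold() == naa.strip().casefold():
                findings.append(f"{role}: must not be the network access account")

    # The multicast connection account is meant to be a low-right local account
    # on the SQL Server computer, so a domain account is worth a second look.
    mcast = accounts.get("multicast_connection")
    if mcast is not None and classify(mcast) in ("fqdn", "netbios"):
        findings.append("multicast_connection: use a low-right local account "
                        "on the SQL Server computer")
    return findings


# Constructed sample configuration; every account name here is hypothetical.
SAMPLE_ACCOUNTS = {
    "network_access": "svc-cmnaa",                          # no domain part
    "site_system_installation": "Corp\\svc-cmsiteinstall",  # NetBIOS domain only
    "task_sequence_domain_join": "Corp.Contoso.com\\svc-cmdomainjoin",
    "task_sequence_run_as": "svc-cmnaa",                    # reuses the NAA
    "multicast_connection": "Corp\\svc-cmmulticast",        # domain, not local
}

if __name__ == "__main__":
    for finding in lint_accounts(SAMPLE_ACCOUNTS):
        print(finding)
```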

User objects that Configuration Manager uses in SQL Server

Configuration Manager automatically creates and maintains the following user objects
in SQL. These objects are located within the Configuration Manager database under
Security/Users.

Important

Modifying or removing these objects may cause drastic issues within a
Configuration Manager environment. We recommend that you don't make any
changes to these objects.

smsdbuser_ReadOnly
This object is used to run queries under the read-only context. This object is used with
several stored procedures.

smsdbuser_ReadWrite
This object is used to provide permissions for dynamic SQL statements.

smsdbuser_ReportSchema
This object is used to run SQL Server Reporting Executions. The following stored
procedure is used with this function: spSRExecQuery.

Database roles that Configuration Manager uses in SQL

Configuration Manager automatically creates and maintains the following role objects in
SQL. These roles provide access to specific stored procedures, tables, views, and
functions. These roles either get or add data in the Configuration Manager database.
These objects are located within the Configuration Manager database under
Security/Roles/Database Roles.

Important

Modifying or removing these objects may cause drastic issues within a
Configuration Manager environment. Don't change these objects. The following list
is for information purposes only.

smsdbrole_AITool
Configuration Manager grants this permission to administrative user accounts based on
role-based access to import volume license information for Asset Intelligence. This
account could be added by a Full Administrator, Operations Administrator or Asset
Manager role, or any role with 'Manage Asset Intelligence' permission.

smsdbrole_AIUS
Configuration Manager grants the computer account that hosts the Asset Intelligence
synchronization point access to get Asset Intelligence proxy data and to view pending
AI data for upload.

smsdbrole_CRP
Configuration Manager grants permission to the computer account of the site system
that supports the certificate registration point for Simple Certificate Enrollment Protocol
(SCEP) support for certificate signing and renewal.

smsdbrole_CRPPfx
Configuration Manager grants permission to the computer account of the site system
that supports the certificate registration point configured for PFX support for signing
and renewal.

smsdbrole_DMP
Configuration Manager grants this permission to the computer account of a management
point that has the option Allow mobile devices and Mac computers to use this
management point enabled, so that it can support MDM-enrolled devices.

smsdbrole_DmpConnector
Configuration Manager grants this permission to the computer account that hosts the
service connection point to retrieve and provide diagnostic data, manage cloud services,
and retrieve service updates.

smsdbrole_DViewAccess
Configuration Manager grants this permission to the computer account of the primary
site servers on the CAS when the SQL Server distributed views option is selected in the
replication link properties.

smsdbrole_DWSS
Configuration Manager grants this permission to the computer account that hosts the
data warehouse role.

smsdbrole_EnrollSvr
Configuration Manager grants this permission to the computer account that hosts the
enrollment point to allow for device enrollment via MDM.

smsdbrole_extract
Provides access to all the extended schema views.

smsdbrole_HMSUser
For the hierarchy manager service. Configuration Manager grants this account
permissions to manage failover state messages and SQL Server Broker transactions
between sites within a hierarchy.

Note

The smsdbrole_WebPortal role is a member of this role by default.

smsdbrole_MCS
Configuration Manager grants this permission to the computer account of the
distribution point that supports multicast.

smsdbrole_MP
Configuration Manager grants this permission to the computer account that hosts the
management point role to provide support for the Configuration Manager clients.

smsdbrole_MPMBAM
Configuration Manager grants this permission to the computer account that hosts the
management point that manages BitLocker for an environment.

smsdbrole_MPUserSvc
Configuration Manager grants this permission to the computer account that hosts the
management point to support user-based application requests.

smsdbrole_siteprovider
Configuration Manager grants this permission to the computer account that hosts an
SMS Provider role.

smsdbrole_siteserver
Configuration Manager grants this permission to the computer account that hosts the
primary site or CAS.

smsdbrole_SUP
Configuration Manager grants this permission to the computer account that hosts the
software update point for working with third-party updates.

smsschm_users
Configuration Manager grants access to the account used for the reporting services
point account to allow access to the SMS reporting views to display the Configuration
Manager reporting data. The data is further restricted with the use of role-based access.

Elevated permissions

Configuration Manager requires some accounts to have elevated permissions for
ongoing operations. For example, see Prerequisites for installing a primary site. The
following list summarizes these permissions and the reasons why they're needed.

The computer account of the primary site server and central administration site
server requires:

Local Administrator rights on all site system servers. This permission is to
manage, install, and remove system services. The site server also updates local
groups on the site system when you add or remove roles.

Sysadmin access to the SQL Server instance for the site database. This
permission is to configure and manage SQL Server for the site. Configuration
Manager tightly integrates with SQL Server; it's not just a database.

User accounts in the Full Administrator role require:

Local Administrator rights on all site servers. This permission is to view, edit,
remove, and install system services, registry keys and values, and WMI objects.

Sysadmin access to the SQL Server instance for the site database. This
permission is to install and update the database during setup or recovery. It's
also required for SQL Server maintenance and operations. For example,
reindexing and updating statistics.

Note

Some organizations may choose to remove sysadmin access and only grant
it when it is required. This behavior is sometimes referred to as "just-in-time
(JIT) access." In this case, users with the Full Administrator role should
still have access to read, update, and execute stored procedures on the
Configuration Manager database. These permissions allow them to
troubleshoot most issues without full sysadmin access.

Communications between endpoints in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article describes how Configuration Manager site systems and clients communicate
across your network. It includes the following sections:

Communications between site systems in a site


Site server to distribution point

Communications from clients to site systems and services


Client to management point communication
Client to distribution point communication
Considerations for client communications from the internet or an untrusted
forest

Communications across Active Directory forests


Support domain computers in a forest that's not trusted by your site server's
forest
Support computers in a workgroup
Scenarios to support a site or hierarchy that spans multiple domains and forests

Communications between site systems in a site


When Configuration Manager site systems or components communicate across the
network to other site systems or components in the site, they use one of the following
protocols, depending on how you configure the site:

Server message block (SMB)

HTTP

HTTPS

With the exception of communication from the site server to a distribution point, server-
to-server communications in a site can occur at any time. These communications don't
use mechanisms to control the network bandwidth. Because you can't control the
communication between site systems, make sure that you install site system servers in
locations that have fast and well-connected networks.

Site server to distribution point

To help you manage the transfer of content from the site server to distribution points,
use the following strategies:

Configure the distribution point for network bandwidth control and scheduling.
These controls resemble the configurations that are used by intersite addresses.
Use this configuration instead of installing another Configuration Manager site
when the transfer of content to remote network locations is your main bandwidth
consideration.

You can install a distribution point as a prestaged distribution point. A prestaged
distribution point lets you use content that is manually put on the distribution
point server and removes the requirement to transfer content files across the
network.

For more information, see Manage network bandwidth for content management.

Communications from clients to site systems and services

Clients initiate communication to site system roles, Active Directory Domain Services,
and online services. To enable these communications, firewalls must allow the network
traffic between clients and the endpoint of their communications. For more information
about ports and protocols used by clients when they communicate to these endpoints,
see Ports used in Configuration Manager.

Before a client can communicate with a site system role, the client uses service location
to find a role that supports the client's protocol (HTTP or HTTPS). By default, clients use
the most secure method that's available to them. For more information, see Understand
how clients find site resources and services.

To help secure the communication between Configuration Manager clients and site
servers, configure one of the following options:

Use a public key infrastructure (PKI) and install PKI certificates on clients and
servers. Enable site systems to communicate with clients over HTTPS. For
information about how to use certificates, see PKI certificate requirements.

Configure the site to Use Configuration Manager-generated certificates for HTTP
site systems. For more information, see Enhanced HTTP.

When you deploy a site system role that uses Internet Information Services (IIS) and
supports communication from clients, you must specify whether clients connect to the
site system by using HTTP or HTTPS. If you use HTTP, you must also consider signing
and encryption choices. For more information, see Planning for signing and encryption.

Important

Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Client to management point communication


There are two stages when a client communicates with a management point:
authentication (transport) and authorization (message). This process varies depending
upon the following factors:

Site configuration: HTTPS only, allows HTTP or HTTPS, or allows HTTP or HTTPS
with enhanced HTTP enabled
Management point configuration: HTTPS or HTTP
Device identity for device-centric scenarios
User identity for user-centric scenarios

Use the following table to understand how this process works:

MP type: HTTP

Client authentication: Anonymous. With Enhanced HTTP, the site verifies the
Azure AD user or device token.

Client authorization, device identity:
- Location request: Anonymous
- Client package: Anonymous
- Registration, using one of the following methods to prove device identity:
  - Anonymous (manual approval)
  - Windows-integrated authentication
  - Azure AD device token (Enhanced HTTP)
- After registration, the client uses message signing to prove device identity.

Client authorization, user identity: For user-centric scenarios, using one of
the following methods to prove user identity:
- Windows-integrated authentication
- Azure AD user token (Enhanced HTTP)

MP type: HTTPS

Client authentication: Using one of the following methods:
- PKI certificate
- Windows-integrated authentication
- Azure AD user or device token

Client authorization, device identity:
- Location request: Anonymous
- Client package: Anonymous
- Registration, using one of the following methods to prove device identity:
  - Anonymous (manual approval)
  - Windows-integrated authentication
  - PKI certificate
  - Azure AD user or device token
- After registration, the client uses message signing to prove device identity.

Client authorization, user identity: For user-centric scenarios, using one of
the following methods to prove user identity:
- Windows-integrated authentication
- Azure AD user token

Tip

For more information on the configuration of the management point for different
device identity types and with the cloud management gateway, see Enable
management point for HTTPS.

Client to distribution point communication

When a client communicates with a distribution point, it only needs to authenticate
before downloading the content. Use the following table to understand how this
process works:

DP type: HTTP

Client authentication:
- Anonymous, if allowed
- Windows-integrated authentication with computer account or network access
  account
- Content access token (Enhanced HTTP)

DP type: HTTPS

Client authentication:
- PKI certificate
- Windows-integrated authentication with computer account or network access
  account
- Content access token
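The client-to-DP table above and the network access account rules from earlier in this article (the computer account is tried first, HTTPS and Enhanced HTTP remove the need for the NAA for workgroup and Azure AD-joined clients, Enhanced HTTP needs the DP on Windows Server 2012 or later, and a fixed list of features still requires the NAA) combined into one decision function. This is an added example, not code from the article or from Configuration Manager; the enum values, feature keys and Scenario fields are assumptions made for the example, and an untrusted-forest client is treated like a workgroup client as the article's cross-forest section describes.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class SiteMode(Enum):
    """Site client-communication setting, as described in the article."""
    HTTP = "allows HTTP or HTTPS, Enhanced HTTP off"
    ENHANCED_HTTP = "allows HTTP or HTTPS, Enhanced HTTP on"
    HTTPS_ONLY = "HTTPS only"


class ClientKind(Enum):
    DOMAIN = "domain-joined in a trusted forest"
    UNTRUSTED_DOMAIN = "domain-joined in an untrusted forest"
    WORKGROUP = "workgroup"
    AAD_JOINED = "Azure AD-joined"


# Features the article lists as still requiring the network access account
# even in Enhanced HTTP and PKI scenarios (hypothetical feature keys).
NAA_ALWAYS_REQUIRED: Set[str] = {
    "multicast",
    "ts_access_content_directly",
    "request_state_store_fallback",
    "apply_os_image_direct_access",
    "run_another_program_first",
}


@dataclass
class Scenario:
    site: SiteMode
    dp_https: bool                     # distribution point configured for HTTPS
    client: ClientKind
    dp_ws2012_or_later: bool = True    # Enhanced HTTP content access needs WS2012+
    features: Set[str] = field(default_factory=set)


def dp_auth_methods(s: Scenario) -> List[str]:
    """Authentication methods the DP accepts, taken from the client-to-DP table."""
    if s.dp_https:
        return ["pki_certificate", "windows_integrated", "content_access_token"]
    methods = ["anonymous_if_allowed", "windows_integrated"]
    if s.site is SiteMode.ENHANCED_HTTP:
        methods.append("content_access_token")
    return methods


def plan_content_access(s: Scenario) -> Dict[str, object]:
    """Decide whether the scenario still depends on the network access account."""
    if s.site is SiteMode.HTTPS_ONLY and not s.dp_https:
        raise ValueError("an HTTPS-only site cannot use an HTTP distribution point")
    methods = dp_auth_methods(s)

    # Rule 1: the listed features need the NAA regardless of HTTPS / Enhanced HTTP.
    forced = sorted(NAA_ALWAYS_REQUIRED & s.features)
    if forced:
        return _result(methods, True, "required by: " + ", ".join(forced))

    # Rule 2: a trusted-domain client authenticates with its computer account;
    # the client tries that first and only falls back to the NAA if it fails.
    if s.client is ClientKind.DOMAIN:
        return _result(methods, False, "computer account via Windows-integrated authentication")

    # Rule 3: workgroup, untrusted-forest and Azure AD-joined clients have no
    # usable computer account, so the site mode decides.
    if s.site is SiteMode.HTTPS_ONLY:
        return _result(methods, False, "HTTPS: PKI certificate or Azure AD token, no NAA needed")
    if s.site is SiteMode.ENHANCED_HTTP:
        if s.dp_ws2012_or_later:
            return _result(methods, False, "Enhanced HTTP content access token, no NAA needed")
        return _result(methods, True,
                       "Enhanced HTTP content access needs the DP on Windows Server 2012 or later")
    return _result(methods, True, "plain HTTP: the NAA is the only credential that can reach content")


def _result(methods: List[str], naa_required: bool, reason: str) -> Dict[str, object]:
    return {"dp_auth_methods": methods, "naa_required": naa_required, "reason": reason}


if __name__ == "__main__":
    for sc in (
        Scenario(SiteMode.HTTP, False, ClientKind.WORKGROUP),
        Scenario(SiteMode.ENHANCED_HTTP, False, ClientKind.WORKGROUP),
        Scenario(SiteMode.HTTPS_ONLY, True, ClientKind.DOMAIN, features={"multicast"}),
    ):
        print(sc.site.name, sc.client.name, plan_content_access(sc))
```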

Considerations for client communications from the internet or an untrusted forest

For more information, see the following articles:

Overview of cloud management gateway

Plan for internet-based client management

Communications across Active Directory forests


Configuration Manager supports sites and hierarchies that span Active Directory forests.
It also supports domain computers that aren't in the same Active Directory forest as the
site server, and computers that are in workgroups.

Support domain computers in a forest that's not trusted by your site server's forest

Install site system roles in that untrusted forest, with the option to publish site
information to that Active Directory forest

Manage these computers as if they're workgroup computers

When you install site system servers in an untrusted Active Directory forest, the client-
to-server communication from clients in that forest is kept within that forest, and
Configuration Manager can authenticate the computer by using Kerberos. When you
publish site information to the client's forest, clients benefit from retrieving site
information, such as a list of available management points, from their Active Directory
forest, rather than downloading this information from their assigned management point.

Note

If you want to manage devices that are on the internet, you can install internet-
based site system roles in your perimeter network when the site system servers are
in an Active Directory forest. This scenario doesn't require two-way trust between
the perimeter network and the site server's forest.

Support computers in a workgroup


Manually approve workgroup computers when they use HTTP client connections
to site system roles. Configuration Manager can't authenticate these computers by
using Kerberos.

Configure workgroup clients to use the Network Access Account so that these
computers can retrieve content from distribution points.

Provide an alternative mechanism for workgroup clients to find management
points. Use DNS publishing or directly assign a management point. These clients
can't retrieve site information from Active Directory Domain Services.

For more information, see the following articles:

Manage conflicting records

Network access account

How to install Configuration Manager clients on workgroup computers

Scenarios to support a site or hierarchy that spans multiple domains and forests

Scenario 1: Communication between sites in a hierarchy that spans forests

This scenario requires a two-way forest trust that supports Kerberos authentication. If
you don't have a two-way forest trust that supports Kerberos authentication, then
Configuration Manager doesn't support a child site in the remote forest.

Configuration Manager supports installing a child site in a remote forest that has the
required two-way trust with the forest of the parent site. For example, you can place a
secondary site in a different forest from its primary parent site as long as the required
trust exists.

Note

A child site can be a primary site (where the central administration site is the parent
site) or a secondary site.

Intersite communication in Configuration Manager uses database replication and file-
based transfers. When you install a site, you must specify an account with which to
install the site on the designated server. This account also establishes and maintains
communication between sites. After the site successfully installs and initiates file-based
transfers and database replication, you don't have to configure anything else for
communication to the site.

When a two-way forest trust exists, Configuration Manager doesn't require any
additional configuration steps.

By default, when you install a new child site, Configuration Manager configures the
following components:

An intersite file-based replication route at each site that uses the site server
computer account. Configuration Manager adds the computer account of each
computer to the SMS_SiteToSiteConnection_<sitecode> group on the destination
computer.

Database replication between the SQL Servers at each site.

Also set the following configurations:

Intervening firewalls and network devices must allow the network packets that
Configuration Manager requires.

Name resolution must work between the forests.

To install a site or site system role, you must specify an account that has local
administrator permissions on the specified computer.

Scenario 2: Communication in a site that spans forests

This scenario doesn't require a two-way forest trust.

Primary sites support the installation of site system roles on computers in remote
forests.

When a site system role accepts connections from the internet, as a security best
practice, install the site system roles in a location where the forest boundary
provides protection for the site server (for example, in a perimeter network).

To install a site system role on a computer in an untrusted forest:

Specify a Site System Installation Account, which the site uses to install the site
system role. (This account must have local administrative credentials on the target
computer to connect to it.) Then install site system roles on the specified computer.

Select the site system option Require the site server to initiate connections to this
site system. This setting requires the site server to establish connections to the site
system server to transfer data. This configuration prevents the computer in the
untrusted location from initiating contact with the site server that's inside your
trusted network. These connections use the Site System Installation Account.

To use a site system role that was installed in an untrusted forest, firewalls must allow
the network traffic even when the site server initiates the transfer of data.

Additionally, the following site system roles require direct access to the site database.
Therefore, firewalls must allow applicable traffic from the untrusted forest to the site's
SQL Server:

Asset Intelligence synchronization point

Endpoint Protection point

Enrollment point

Management point

Reporting service point

State migration point

For more information, see Ports used in Configuration Manager.

You might need to configure the management point and enrollment point access to the
site database.

By default, when you install these roles, Configuration Manager configures the
computer account of the new site system server as the connection account for the
site system role. It then adds the account to the appropriate SQL Server database
role.

When you install these site system roles in an untrusted domain, configure the site
system role connection account to enable the site system role to obtain
information from the database.

If you configure a domain user account to be the connection account for these site
system roles, make sure that the domain user account has appropriate access to the SQL
Server database at that site:

Management point: Management Point Database Connection Account

Enrollment point: Enrollment Point Connection Account

Consider the following additional information when you plan for site system roles in
other forests:

If you run Windows Firewall, configure the applicable firewall profiles to pass
communications between the site database server and computers that are installed
with remote site system roles.

When the internet-based management point trusts the forest that contains the
user accounts, user policies are supported. When no trust exists, only computer
policies are supported.

Scenario 3: Communication between clients and site system roles when the clients aren't in the same Active Directory forest as their site server

Configuration Manager supports the following scenarios for clients that aren't in the
same forest as their site's site server:

There's a two-way forest trust between the forest of the client and the forest of the
site server.

The site system role server is located in the same forest as the client.

The client is on a domain computer that doesn't have a two-way forest trust with
the site server, and site system roles aren't installed in the client's forest.

The client is on a workgroup computer.


Clients on a domain-joined computer can use Active Directory Domain Services for
service location when their site is published to their Active Directory forest.

To publish site information to another Active Directory forest:

Specify the forest and then enable publishing to that forest in the Active Directory
Forests node of the Administration workspace.

Configure each site to publish its data to Active Directory Domain Services. This
configuration enables clients in that forest to retrieve site information and find
management points. For clients that can't use Active Directory Domain Services for
service location, you can use DNS or the client's assigned management point.

Scenario 4: Put the Exchange Server connector in a remote forest

To support this scenario, make sure that name resolution works between the forests. For
example, configure DNS forwards. When you configure the Exchange Server connector,
specify the intranet FQDN of the Exchange Server. For more information, see Manage
mobile devices with Configuration Manager and Exchange.

See also
Plan for security

Security and privacy for Configuration Manager clients


Enhanced HTTP
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Microsoft recommends using HTTPS communication for all Configuration Manager
communication paths, but it's challenging for some customers because of the overhead
of managing PKI certificates. With enhanced HTTP, Configuration Manager can provide
secure communication by issuing self-signed certificates to specific site systems.

There are two primary goals for this configuration:

You can secure sensitive client communication without the need for PKI server
authentication certificates.

Clients can securely access content from distribution points without the need for a
network access account, client PKI certificate, or Windows authentication.

All other client communication is over HTTP. Enhanced HTTP isn't the same as enabling
HTTPS for client communication or a site system.

Note

PKI certificates are still a valid option for customers with the following
requirements:

All client communication is over HTTPS

Advanced control of the signing infrastructure

If you're already using PKI, site systems use the PKI certificate bound in IIS even if
you enable enhanced HTTP.

Scenarios
The following scenarios benefit from enhanced HTTP:

Scenario 1: Client to management point


Azure Active Directory (Azure AD)-joined devices and devices with a Configuration
Manager issued token can communicate with a management point configured for HTTP
if you enable enhanced HTTP for the site. With enhanced HTTP enabled, the site server
generates a certificate for the management point allowing it to communicate via a
secure channel.

Note

This scenario doesn't require using an HTTPS-enabled management point, but it's
supported as an alternative to using enhanced HTTP. For more information on
using an HTTPS-enabled management point, see Enable management point for
HTTPS.

Scenario 2: Client to distribution point


A workgroup or Azure AD-joined client can authenticate and download content over a
secure channel from a distribution point configured for HTTP. These types of devices
can also authenticate and download content from a distribution point configured for
HTTPS without requiring a PKI certificate on the client. It's challenging to add a client
authentication certificate to a workgroup or Azure AD-joined client.

This behavior includes OS deployment scenarios with a task sequence running from
boot media, PXE, or Software Center. For more information, see Network access account.

Scenario 3: Azure AD device identity


An Azure AD-joined or hybrid Azure AD device without an Azure AD user signed in can
securely communicate with its assigned site. The cloud-based device identity is now
sufficient to authenticate with the CMG and management point for device-centric
scenarios. (A user token is still required for user-centric scenarios.)

Features
The following Configuration Manager features support or require enhanced HTTP:

Cloud management gateway


OS deployment without a network access account
Enable co-management for new internet-based Windows devices
App approvals via email
Administration service
View recently connected consoles
BitLocker management key recovery (version 2103 and later)
Software Center user-available applications (version 2107 and later)
Company Portal on co-managed devices (version 2107 and later)

Note

The software update point and related scenarios have always supported secure
HTTP traffic with clients as well as the cloud management gateway. It uses a
mechanism with the management point that's different from certificate- or token-
based authentication.

Unsupported scenarios
Enhanced HTTP doesn't currently secure all communication in Configuration Manager.
The following list summarizes some key functionality that's still HTTP.

Client peer-to-peer communication for content


State migration point
Remote tools
Reporting services point

Note

This list isn't exhaustive.

Prerequisites
A management point configured for HTTP client connections. Set this option on
the General tab of the management point role properties.

A distribution point configured for HTTP client connections. Set this option on the
Communication tab of the distribution point role properties. Don't enable the
option to Allow clients to connect anonymously.

For scenarios that require Azure AD authentication, onboard the site to Azure AD
for cloud management. If you don't onboard the site to Azure AD, you can still
enable enhanced HTTP.

For Scenario 3 only: A client running a supported version of Windows 10 or later
and joined to Azure AD. The client requires this configuration for Azure AD device
authentication.

Note

There are no OS version requirements, other than what the Configuration Manager
client supports.

Configure the site


1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node. Select the site and choose
Properties in the ribbon.

2. Switch to the Communication Security tab. Select the option for HTTPS or HTTP.
Then enable the option to Use Configuration Manager-generated certificates for
HTTP site systems.

Tip

Wait up to 30 minutes for the management point to receive and configure the new
certificate from the site.

You can also enable enhanced HTTP for the central administration site (CAS). Use this
same process, and open the properties of the CAS. This action only enables enhanced
HTTP for the SMS Provider role at the CAS. It's not a global setting that applies to all
sites in the hierarchy.

For more information on how the client communicates with the management point and
distribution point with this configuration, see Communications from clients to site
systems and services.

Validate the certificate


You can see these certificates in the Configuration Manager console. Go to the
Administration workspace, expand Security, and select the Certificates node. Look for
the SMS Issuing root certificate and the site server role certificates issued by the SMS
Issuing root.

When you enable enhanced HTTP, the site server generates a self-signed certificate
named SMS Role SSL Certificate. This certificate is issued by the root SMS Issuing
certificate. The management point adds this certificate to the IIS default web site bound
to port 443.

To see the status of the configuration, review mpcontrol.log.
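As an added example (not part of this documentation or of Configuration Manager itself), the following PowerShell script performs this validation on a management point: it reads the certificate bound to the IIS Default Web Site on port 443 and reports whether it was issued by the site's SMS Issuing root or is a PKI certificate, which site systems always prefer. It assumes the WebAdministration module is available (it is on a management point) and that the issuer name contains "SMS Issuing"; the function names are hypothetical.

```powershell
# Added example; not part of the Configuration Manager documentation or product.
# Run on a management point after enabling enhanced HTTP.
# Assumptions: WebAdministration module present; the management point uses the
# IIS "Default Web Site"; the site-issued certificate's issuer contains "SMS Issuing".

Import-Module WebAdministration

function Get-Port443Certificate {
    param(
        [string]$SiteName = 'Default Web Site',
        [int]$Port = 443
    )
    # IIS records the thumbprint and store name of the bound certificate on the binding.
    $binding = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -like "*:${Port}:*" } |
        Select-Object -First 1
    if (-not $binding) { return $null }

    $storePath = "Cert:\LocalMachine\$($binding.certificateStoreName)"
    Get-ChildItem -Path $storePath |
        Where-Object { $_.Thumbprint -eq $binding.certificateHash }
}

function Test-EnhancedHttpCertificate {
    param([string]$SiteName = 'Default Web Site')

    $cert = Get-Port443Certificate -SiteName $SiteName
    if (-not $cert) {
        return [pscustomobject]@{ State = 'NoHttpsBinding'; Subject = $null;
                                  FriendlyName = $null; Issuer = $null;
                                  Expires = $null; Thumbprint = $null }
    }

    # A site-issued certificate is recognisable by its issuer, the SMS Issuing root.
    # Anything else on 443 is a PKI certificate, which the role prefers when present.
    $state = if ($cert.Issuer -like '*SMS Issuing*') { 'EnhancedHttp' } else { 'PkiCertificate' }
    if ($cert.NotAfter -lt (Get-Date)) { $state = 'Expired' }

    [pscustomobject]@{
        State        = $state
        Subject      = $cert.Subject
        FriendlyName = $cert.FriendlyName
        Issuer       = $cert.Issuer
        Expires      = $cert.NotAfter
        Thumbprint   = $cert.Thumbprint
    }
}

# Lists every certificate in the machine store that the site issued; this is the
# same set the console's Certificates node shows for the role.
function Get-SiteIssuedCertificates {
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like '*SMS Issuing*' } |
        Select-Object FriendlyName, Subject, NotAfter, Thumbprint
}

$result = Test-EnhancedHttpCertificate
$result | Format-List
switch ($result.State) {
    'EnhancedHttp'   { Write-Output 'Port 443 is served by the site-issued SMS Role SSL Certificate.' }
    'PkiCertificate' { Write-Output 'Port 443 uses a PKI certificate; the role keeps it even with enhanced HTTP enabled.' }
    'NoHttpsBinding' { Write-Output 'No HTTPS binding on 443 yet: wait up to 30 minutes, then review mpcontrol.log.' }
    'Expired'        { Write-Output 'The bound certificate has expired; review mpcontrol.log for the configuration status.' }
}
Write-Output 'Site-issued certificates in LocalMachine\My:'
Get-SiteIssuedCertificates | Format-Table -AutoSize
```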

Conceptual diagram
This diagram summarizes and visualizes some of the main aspects of the enhanced
HTTP functionality in Configuration Manager.

The connection with Azure AD is recommended but optional. It enables scenarios
that require Azure AD authentication.

When you enable the site option for enhanced HTTP, the site issues self-signed
certificates to site systems such as the management point and distribution point
roles.

With the site systems still configured for HTTP connections, clients communicate
with them over HTTPS.

Frequently asked questions

What are the benefits of enhanced HTTP?


The main benefit is to reduce the usage of pure HTTP, which is an insecure protocol.
Configuration Manager tries to be secure by default, and Microsoft wants to make it
easy for you to keep your devices secure. Enabling PKI-based HTTPS is a more secure
configuration, but that can be complex for many customers. If you can't do HTTPS, then
enable enhanced HTTP. Microsoft recommends this configuration, even if your
environment doesn't currently use any of the features that support it.

Important

Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Do I need to use Azure AD to enable enhanced HTTP?


No. Many of the scenarios and features that benefit from enhanced HTTP rely on Azure
AD authentication. You can enable enhanced HTTP without onboarding the site to Azure
AD. It then supports features like the administration service and the reduced need for
the network access account. You only need Azure AD when one of the supporting
features requires it.

Note

Even if you don't directly use the administration service REST API, some
Configuration Manager features natively use it, including parts of the Configuration
Manager console.

How do clients communicate with site systems?


When you enable enhanced HTTP, the site issues certificates to site systems. For
example, the management point and the distribution point. Then these site systems can
support secure communication in currently supported scenarios.

From a client perspective, the management point issues each client a token. The client
uses this token to secure communication with the site systems. That behavior is OS
version agnostic, other than what the Configuration Manager client supports.

If some site systems are already HTTPS, can I enable enhanced HTTP?

Yes. Site systems always prefer a PKI certificate. For example, one management point
already has a PKI certificate, but others don't. When you enable enhanced HTTP for the
site, the HTTPS management point continues to use the PKI certificate. The other
management points use the site-issued certificate for enhanced HTTP.

Next steps
Plan for security

Security and privacy for Configuration Manager clients

Configure security

Communication between endpoints


Hierarchy maintenance tool (Preinst.exe)
for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The hierarchy maintenance tool (Preinst.exe) passes commands to the Configuration
Manager Hierarchy Manager while the Hierarchy Manager service is running. The
hierarchy maintenance tool is automatically installed when you install a Configuration
Manager site. You can find Preinst.exe in the \bin\X64\00000409 folder on the site server.

Use the hierarchy maintenance tool in the following scenarios:

When secure key exchange is required, there are situations where you need to
manually do the initial public key exchange between sites. For more information,
see Manually exchange public keys between sites.

Remove active jobs for a destination site that's no longer available.

Delete a site server from the Configuration Manager console when you can't
uninstall it with setup. For example, if you physically remove a Configuration
Manager site without first running setup to uninstall the site. The site information
will still exist in the parent site's database, and the parent site will continue to
attempt to communicate with the child site. To resolve this issue, run the hierarchy
maintenance tool and manually delete the child site from the parent site's
database.

Stop all Configuration Manager services at a site without having to stop services
individually.

When you recover a site, use the CHILDKEYS option to distribute the public keys
from multiple child sites to the recovering site.

To run the hierarchy maintenance tool, the current user needs administrative privileges
on the local computer. Also, the user must explicitly have the Administer security right
for the Site class. It's not sufficient that the user inherits this right by being a member of
a group that has that permission.

Hierarchy maintenance tool command-line options

When you use the hierarchy maintenance tool, you must run it locally on the central
administration site (CAS), primary site, or secondary site server. Use the following syntax:
preinst.exe /<option>. The following command-line options are available:

/DELJOB <SiteCode>: Delete all jobs or commands from the current site to the
specified destination site.

/DELSITE <ChildSiteCodeToRemove>: Use this option at a parent site to delete the
data for child sites from the site database of the parent site. Typically, you use this
option if a site server computer is decommissioned before you uninstall the site
from it.

Note

The /DELSITE option doesn't uninstall the site on the computer specified by
the ChildSiteCodeToRemove parameter. This option only removes the site
information from the Configuration Manager site database.

/DUMP <SiteCode>: Use this option on the local site server to write site control
images to the root folder of the drive on which the site is installed. You can write a
specific site control image to the folder or write all site control files in the
hierarchy.

/DUMP <SiteCode> writes the site control image only for the specified site.

/DUMP writes the site control files for all sites.

An image is a binary representation of the site control file, which is stored in the
Configuration Manager site database. The dumped site control file image is a sum
of the base image plus the pending delta images.

After dumping a site control file image with the hierarchy maintenance tool, the
file name is in the format sitectrl_<SiteCode>.ct0.

/STOPSITE: Use this option on the local site server to start a shutdown cycle for the
Configuration Manager Site Component Manager service, which partially resets the
site. When you start this shutdown cycle, it stops some Configuration Manager
services on a site server and its remote site systems. It also flags these services for
reinstallation. As a result of this shutdown cycle, some passwords are automatically
changed when the services are reinstalled.

Note

If you want to see a record of shutdown, reinstallation, and password changes
for Site Component Manager, enable logging for this component before
using this command-line option.

After the shutdown cycle is started, it proceeds automatically, skipping any non-
responding components or computers. However, if the Site Component Manager
service can't access a remote site system during the shutdown cycle, the
components that are installed on the remote site system are reinstalled when the
Site Component Manager service is restarted. When it's restarted, the Site
Component Manager service repeatedly attempts reinstallation of all services that
are flagged for reinstallation until it's successful.

You can restart the Site Component Manager service using Service Manager. After
it restarts, all affected services are uninstalled, reinstalled, and restarted. After you
use the /STOPSITE option to start the shutdown cycle, you can't avoid the
reinstallation cycles after the Site Component Manager service is restarted.

/KEYFORPARENT: Distribute the site's public key to a parent site.

The /KEYFORPARENT option places the public key of the site in the file
<SiteCode>.CT4 at the root of the program files drive. After you run preinst.exe
with this option, manually copy this file to the parent site's \Inboxes\hman.box
folder (not hman.box\pubkey).

/KEYFORCHILD: Distribute the site's public key to a child site.

The /KEYFORCHILD option places the public key of the site in the file
<SiteCode>.CT5 at the root of the program files drive. After you run preinst.exe
with this option, manually copy this file to the child site's \Inboxes\hman.box folder
(not hman.box\pubkey).

/CHILDKEYS: Use this option on the child sites of a site that you're recovering. It
distributes public keys from multiple child sites to the recovering site.

The /CHILDKEYS option places the key from the site where you run the option and
the public keys of all of that site's child sites into the file <SiteCode>.CT6. After you
run preinst.exe with this option, manually copy this file to the recovering site's
\Inboxes\hman.box folder (not hman.box\pubkey).

/PARENTKEYS: Use this option on the parent site of a site that you're recovering. It
distributes public keys from all parent sites to the recovering site.

The /PARENTKEYS option places the key from the site where you run the option and
the keys from each parent site above that site into the file <SiteCode>.CT7. After
you run preinst.exe with this option, manually copy this file to the recovering site's
\Inboxes\hman.box folder (not hman.box\pubkey).

Manually exchange public keys between sites


By default, the Require secure key exchange option is enabled for Configuration
Manager sites. When secure key exchange is required, there are two situations when you
need to manually do the initial key exchange between sites:

If you haven't extended the Active Directory schema for Configuration Manager

Configuration Manager sites aren't publishing site data to Active Directory

You can use the hierarchy maintenance tool to export the public keys for each site. Once
exported, then manually exchange the keys between the sites.

Note

After the public keys are manually exchanged, review the hman.log log file on the
parent site server. This log file records site configuration changes and site
information publication to Active Directory. You can make sure that the primary site
has processed the new public key.

How to manually transfer the child site public key to the parent site

1. Sign in to the child site server, open a command prompt, and navigate to the
location of Preinst.exe.

2. Type the following command to export the child site's public key: Preinst /keyforparent

The /keyforparent option places the public key of the child site in the <SiteCode>.CT4
file located at the root of the system drive.

3. Move the <SiteCode>.CT4 file to the parent site's \inboxes\hman.box folder in the
Configuration Manager installation directory.

How to manually transfer the parent site public key to the child site

1. Sign in to the parent site server, open a command prompt, and navigate to the
location of Preinst.exe.

2. Type the following command to export the parent site's public key: Preinst /keyforchild

The /keyforchild option places the public key of the parent site in the <SiteCode>.CT5
file located at the root of the system drive.

3. Move the <SiteCode>.CT5 file to the child site's \inboxes\hman.box folder in the
Configuration Manager installation directory.
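The two procedures above, as an added PowerShell example that is not part of this documentation or of the product: it runs Preinst.exe with /keyforparent (on a child site) or /keyforchild (on a parent site) and copies the resulting <SiteCode>.CT4 or .CT5 file into the other site's \Inboxes\hman.box folder, refusing the hman.box\pubkey subfolder. The function names are hypothetical; -InstallDir and -TargetInbox are values you supply for your environment, and the key file is expected at the root of the system drive, as the procedure states.

```powershell
# Added example; not part of the Configuration Manager documentation or product.
# Assumptions: -InstallDir is this site's installation directory, with Preinst.exe
# in \bin\X64\00000409 beneath it; -TargetInbox is a writable UNC path to the other
# site's \Inboxes\hman.box; site codes are three alphanumeric characters.

function Assert-Elevated {
    # Preinst.exe requires local administrator rights on the site server.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated session: Preinst.exe needs local administrator rights.'
    }
}

function Export-SitePublicKey {
    param(
        [Parameter(Mandatory)] [string] $InstallDir,
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9]{3}$')] [string] $SiteCode,
        [Parameter(Mandatory)] [ValidateSet('ForParent', 'ForChild')] [string] $Direction
    )
    Assert-Elevated

    $preinst = Join-Path $InstallDir 'bin\X64\00000409\preinst.exe'
    if (-not (Test-Path -LiteralPath $preinst)) { throw "Preinst.exe not found: $preinst" }

    # /KEYFORPARENT writes <SiteCode>.CT4; /KEYFORCHILD writes <SiteCode>.CT5.
    if ($Direction -eq 'ForParent') { $option = '/keyforparent'; $ext = 'CT4' }
    else                            { $option = '/keyforchild';  $ext = 'CT5' }
    $keyFile = Join-Path $env:SystemDrive "$SiteCode.$ext"

    # Remove a stale export so an old key is never copied by mistake.
    if (Test-Path -LiteralPath $keyFile) { Remove-Item -LiteralPath $keyFile -Force }

    # Run the tool from its own folder, as the manual procedure does.
    Push-Location (Split-Path -Parent $preinst)
    try     { & .\preinst.exe $option | Out-Null }
    finally { Pop-Location }

    if (-not (Test-Path -LiteralPath $keyFile)) {
        throw "Preinst.exe $option did not produce $keyFile (exit code $LASTEXITCODE)."
    }
    Get-Item -LiteralPath $keyFile
}

function Copy-SitePublicKey {
    param(
        [Parameter(Mandatory)] [System.IO.FileInfo] $KeyFile,
        [Parameter(Mandatory)] [string] $TargetInbox
    )
    # The file belongs in hman.box itself, not in the hman.box\pubkey subfolder.
    if ($TargetInbox -match '(?i)\\pubkey\\?$') {
        throw 'Copy the key file to \Inboxes\hman.box, not to hman.box\pubkey.'
    }
    if ($TargetInbox -notmatch '(?i)\\hman\.box\\?$') {
        throw "Target does not look like an hman.box folder: $TargetInbox"
    }
    if (-not (Test-Path -LiteralPath $TargetInbox -PathType Container)) {
        throw "Target inbox is not reachable: $TargetInbox"
    }
    Copy-Item -LiteralPath $KeyFile.FullName -Destination $TargetInbox -Force
    # Return the path the receiving site's Hierarchy Manager will pick up.
    Join-Path $TargetInbox $KeyFile.Name
}

# Usage on a child site (placeholder values; replace with your own):
# $key = Export-SitePublicKey -InstallDir '<site-installation-directory>' `
#                             -SiteCode 'XYZ' -Direction ForParent
# Copy-SitePublicKey -KeyFile $key -TargetInbox '\\<parent-site-server>\<share>\Inboxes\hman.box'
# Afterwards, review hman.log on the receiving site to confirm the key was processed.
```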

International support in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The following sections provide technical details to help you make Configuration
Manager compliant with specific international requirements.

GB18030 Requirements
Configuration Manager meets the standards that are defined in GB18030 so that you
can use Configuration Manager in China. A Configuration Manager deployment must
have the following configurations to meet the GB18030 requirements:

Each site server computer and SQL Server computer that you use with
Configuration Manager must use a Chinese operating system.

Each site database and each instance of SQL Server in the hierarchy must use the
same collation, and must be one of the following:

Chinese_Simplified_Pinyin_100_CI_AI

Chinese_Simplified_Stroke_Order_100_CI_AI

Note

These database collations are an exception to the requirements that are noted
in Support for SQL Server versions for Configuration Manager.

You must place a file with the name GB18030.SMS in the root folder of the system
volume of each site server computer in the hierarchy. This file does not contain any
data and can be an empty text file that is named to meet this requirement.

Interoperability between different versions of Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can install and operate multiple, independent hierarchies of Configuration Manager
on the same network. However, because different hierarchies of Configuration Manager
don't interoperate outside of the migration process, each hierarchy requires
configurations to prevent conflicts between them. Additionally, you can create certain
configurations to help resources that you manage interact with the site systems from
the correct hierarchy.

Current branch and earlier versions


Sites of different versions can't coexist in the same Configuration Manager hierarchy.
The only exceptions are during the process of the following upgrade scenarios:

From System Center 2012 Configuration Manager to Configuration Manager
current branch
From one Configuration Manager current branch version to a newer version using
in-console updates

You can deploy a Configuration Manager current branch site and hierarchy side by side
with an existing System Center 2012 Configuration Manager site or hierarchy. Plan to
prevent clients from either version from trying to join a site from the other version.

For example, if two or more Configuration Manager hierarchies have overlapping
boundaries that include the same network locations, assign each new client to a specific
site instead of using automatic site assignment. For more information, see How to
assign clients to a site.

Additionally, you can't install a client from System Center 2012 Configuration Manager
on a computer that hosts a site system role from Configuration Manager current branch.
You also can't install a Configuration Manager current branch client on a computer
that hosts a site system role from System Center 2012 Configuration Manager.

The following clients and connections aren't supported:

Any System Center 2012 Configuration Manager or earlier computer client version
Any System Center 2012 Configuration Manager or earlier device management
client

Windows CE Platform Builder device management client (any version)

System Center Mobile Device Manager VPN connection

Client site assignment considerations


Configuration Manager clients can be assigned to only a single primary site. You can't
predict the actual site assignment of a client when all of the following conditions are
true:

You use automatic site assignment to assign clients to a site during client
installation
More than one boundary group includes the same boundary
The boundary groups have different assigned sites

If boundaries overlap across multiple Configuration Manager sites and hierarchies,
clients might not be assigned to the site you expect, or might not get assigned to a site
at all.

Configuration Manager current branch clients check the version of the site before they
complete site assignment. If site boundaries overlap, you can't assign clients to a site
with a previous version. However, earlier System Center 2012 Configuration Manager
clients might incorrectly be assigned to a later Configuration Manager current branch
site.

To prevent clients from unintentionally being assigned to the wrong site when two
hierarchies have overlapping boundaries, configure client installation parameters to
assign clients to a specific site.

Limitations in a mixed-version hierarchy


When you upgrade a Configuration Manager current branch hierarchy, there are times
when different sites will have different versions. For example, first you upgrade the
central administration site. Because of site maintenance windows, you don't upgrade the
primary sites until a later time and date.

When different sites in a single hierarchy run different versions, some functionality isn't
available. This behavior can affect how you manage Configuration Manager objects in
the Configuration Manager console, and which functionality is available to clients.
Typically, functionality from the newer version of Configuration Manager isn't accessible
at sites or to clients that run a lower service pack version.

Network access account


You upgrade the central administration site to Configuration Manager current branch.
You view the network access account details from a Configuration Manager console
that's connected to this updated site. It doesn't display account details from sites that
still run System Center 2012 Configuration Manager.

After you upgrade the primary site to the same version as the central administration site,
the account details are visible in the console.

The same behavior applies when you update between versions of Configuration
Manager.

Boot images for OS deployment

When upgrading from System Center 2012 Configuration Manager to Configuration Manager current branch

When the top-level site of a hierarchy upgrades to Configuration Manager current
branch, it automatically updates the default boot images to use the Windows
Assessment and Deployment Kit (ADK) version 10. Use these boot images only for
deployments to clients at Configuration Manager current branch sites. For more
information, see Planning for OS deployment interoperability.

When upgrading between Configuration Manager current branch versions
As long as new versions of Configuration Manager don't update the version of Windows
ADK that's in use, there's no effect on boot images.

New task sequence steps


When you create a task sequence with a step introduced in one version of Configuration
Manager that's not available in an earlier version, you might have the following issues:

An error occurs when you try to edit the task sequence from a site that's running a
previous version of Configuration Manager.
The task sequence doesn't run on a computer that runs a previous version of the
Configuration Manager client.

Client to down-level management point communications


A Configuration Manager client that communicates with a management point from a
site that runs a lower version than the client can only use functionality that the down-
level version of Configuration Manager supports. For example, if you deploy content
from a Configuration Manager current branch site that was recently upgraded to a client
that communicates with a management point that hasn't yet upgraded to that version,
that client can't use new functionality from the latest version.

Package and task sequence deployments to legacy clients

You can't deploy a package or task sequence to a client version 5.7730 or earlier. To
work around this limitation, upgrade the client to a later version.

Orchestration groups
Orchestration groups can't be used in a mixed-version hierarchy.

Assign site systems as clients to the same site

If you install the Configuration Manager client on site systems, assign them to the same
site. Roles like the management point and distribution point have shared binary files
between the role and the client. These collocated clients should always be the same
version as the site system role.

For example, for a management point in site XYZ, assign the client installed on this site
system server to site XYZ.

Configuration Manager console

This section contains information about the use of the Configuration Manager console
in an environment that has a mix of Configuration Manager versions.

An environment with both System Center 2012 Configuration Manager and Configuration Manager current branch
To manage a Configuration Manager site, both the console and the site the console
connects to must run the same version of Configuration Manager. For example, you
can't use a System Center 2012 Configuration Manager console to manage a
Configuration Manager current branch site, or the other way around.

It's not supported to install both the System Center 2012 Configuration Manager
console and the Configuration Manager current branch console on the same computer.

An environment with multiple versions of Configuration Manager
Configuration Manager current branch doesn't support installing more than a single
Configuration Manager console on a computer. To use multiple consoles that are
specific to different versions of Configuration Manager, install the different consoles on
separate computers.

During the process of updating sites in a hierarchy to a new version, you can connect a
console to a site that runs a newer version and view information about other sites in that
hierarchy. However, this configuration isn't recommended. It's possible that differences
between the console version and Configuration Manager site version can result in data
issues. Some features that are available in the latest product version won't be available
in the console.

It's not supported to manage a site when using a console with a version that doesn't
match the site version. Doing so might cause loss of data and can put your site at risk.
For example, it's not supported to use a console from version 2103 to manage a site
that runs version 2010.

Next steps
Use the Configuration Manager client software for extended interoperability with future
versions of a Current Branch site

Language packs in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article provides technical details about language support in Configuration Manager.
Configuration Manager site servers and clients are considered language-neutral. Add
support for display languages by installing server language packs or client language
packs at a central administration site and at primary sites. You select the server and
client languages to support at a site from the available language pack files during the
site installation process.

You can install multiple languages at each site, but you only need to install the
languages that you use.

Each site supports multiple languages for Configuration Manager consoles.

Add support for only the client languages that you want to support by installing
individual client language packs at each site.

When you install support for a language that matches the following components:

The display language of a computer: Both the Configuration Manager console and
the client user interface that runs on that computer display information in that
language.

The language preference that's in use by the web browser of a computer:
Connections to web-based information display in that language. For example, SQL
Server Reporting Services.

When you run Configuration Manager setup, it downloads language pack files as part of
the prerequisites and redistributable files. You can also use the setup downloader to
download these files before you run setup.

Server languages
Use the following table to map a locale ID to a language that you want to support on
servers. For more information about locale IDs, see Locale IDs assigned by Microsoft.

Server language Locale ID (LCID) Three-letter code

English (default) 0409 ENU

Chinese (Simplified) 0804 CHS

Chinese (Traditional, Taiwan) 0404 CHT

Czech 0405 CSY

Dutch - Netherlands 0413 NLD

French 040c FRA

German 0407 DEU

Hungarian 040e HUN

Italian - Italy 0410 ITA

Japanese 0411 JPN

Korean 0412 KOR

Polish 0415 PLK

Portuguese - Brazil 0416 PTB

Portuguese - Portugal 0816 PTG

Russian 0419 RUS

Spanish - Spain 0c0a ESN

Swedish 041d SVE

Turkish 041f TRK

Client languages
Use the following table to map a locale ID to a language that you want to support on
client computers. For more information about locale IDs, see Locale IDs assigned by
Microsoft.

Client language Locale ID (LCID) Three-letter code

English (default) 0409 ENG

Chinese (Simplified) 0804 CHS

Chinese (Traditional, Taiwan) 0404 CHT

Czech 0405 CSY

Danish 0406 DAN

Dutch - Netherlands 0413 NLD

Finnish 040b FIN

French 040c FRA

German 0407 DEU

Greek 0408 ELL

Hungarian 040e HUN

Italian - Italy 0410 ITA

Japanese 0411 JPN

Korean 0412 KOR

Norwegian 0414 NOR

Polish 0415 PLK

Portuguese (Brazil) 0416 PTB

Portuguese (Portugal) 0816 PTG

Russian 0419 RUS

Spanish - Spain 0c0a ESN

Swedish 041d SVE

Turkish 041f TRK

Mobile device client languages

When you add support for mobile device languages, all supported mobile device client
languages are included. You can't select individual language packs for mobile device
support.

Identify installed language packs

To identify the language packs that are installed on a computer that runs the
Configuration Manager client, look for the locale ID (LCID) of the installed language
packs in the computer's registry. This information is available at the following registry
path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCMSetup\InstalledLangs

Customize hardware inventory to collect this information. Then build a custom report to
view the language details. For more information about collecting custom hardware
inventory, see How to configure hardware inventory. For more information, see Create
reports.

About log files in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

In Configuration Manager, client and site server components record process information
in individual log files. You can use the information in these log files to help you
troubleshoot issues that might occur. By default, Configuration Manager enables
logging for client and server components.

This article provides general information about the Configuration Manager log files. It
includes tools to use, how to configure the logs, and where to find them. For more
information on specific log files, see Log files reference.

How it works
Most processes in Configuration Manager write operational information to a log file that
is dedicated to that process. The log files are identified by .log or .lo_ file extensions.
Configuration Manager writes to a .log file until that log reaches its maximum size.
When the log is full, the .log file is copied to a file of the same name but with the .lo_
extension, and the process or component continues to write to the .log file. When the
.log file again reaches its maximum size, the .lo_ file is overwritten and the process
repeats. Some components establish a log file history by appending a date and time
stamp to the log file name and by keeping the .log extension.

Log viewer tools

All Configuration Manager log files are plain text, so you can view them with any text
reader like Notepad. The logs use unique formatting that's best viewed with one of the
following specialized tools:

CMTrace
OneTrace
Support Center log file viewer

CMTrace
To view the logs, use the Configuration Manager log viewer tool CMTrace. It's located in
the \SMSSetup\Tools folder of the Configuration Manager source media. The CMTrace
tool is added to all boot images that are added to the Software Library. The CMTrace log
viewing tool is automatically installed along with the Configuration Manager client. For
more information, see CMTrace.

OneTrace
OneTrace is a log viewer with Support Center. It works similarly to CMTrace, with
improvements. For more information, see Support Center OneTrace.

Support Center Log File Viewer

Support Center includes a modern log viewer. This tool replaces CMTrace and provides
a customizable interface with support for tabs and dockable windows. It has a fast
presentation layer, and can load large log files in seconds. For more information, see
Support Center Log File Viewer.

Note

Support Center Log File Viewer and OneTrace use Windows Presentation
Foundation (WPF). This component isn't available in Windows PE. Continue to use
CMTrace in boot images with task sequence deployments.
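The "unique formatting" referred to above is the CMTrace entry format. As an added example (not part of the original article or of Configuration Manager itself), the following PowerShell function parses entries in that format into objects so that a triage can filter on component and severity without a GUI viewer. The entry layout described in the comments comes from general knowledge of CMTrace logs rather than from this article, and the sample log text is constructed.

```powershell
# Added example, not part of the original article: parse CMTrace-format log
# entries. Each entry in a Configuration Manager .log file has this shape
# (general CMTrace layout, not taken from this article):
#   <![LOG[message]LOG]!><time="HH:mm:ss.fff+zzz" date="MM-dd-yyyy"
#     component="..." context="..." type="N" thread="N" file="source.cpp:line">
# type 1 = informational, 2 = warning, 3 = error. Messages may span lines.

function ConvertFrom-CMTraceLog {
    [CmdletBinding()]
    param(
        # Raw log text, e.g. from: Get-Content -Raw C:\Windows\CCM\Logs\PolicyAgent.log
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$LogText
    )
    process {
        # (?s) lets '.' cross newlines; the lazy '.*?' stops at the first ]LOG]!>
        # so a multi-line message stays inside its own entry.
        $pattern = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"' +
                   '\s+component="(?<component>[^"]*)"\s+context="(?<context>[^"]*)"' +
                   '\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"\s+file="(?<file>[^"]*)">'

        foreach ($m in [regex]::Matches($LogText, $pattern)) {
            # Drop the trailing UTC-offset minutes ("+000", "-420") before parsing.
            $timePart = $m.Groups['time'].Value -replace '[+-]\d+$', ''
            $stamp = [datetime]::MinValue
            $parsed = [datetime]::TryParseExact("$($m.Groups['date'].Value) $timePart",
                'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$stamp)
            $timestamp = if ($parsed) { $stamp } else { $null }

            $severity = switch ($m.Groups['type'].Value) {
                '1' { 'Info' } '2' { 'Warning' } '3' { 'Error' } default { 'Unknown' }
            }

            [pscustomobject]@{
                Timestamp = $timestamp
                Severity  = $severity
                Component = $m.Groups['component'].Value
                Thread    = [int]$m.Groups['thread'].Value
                Source    = $m.Groups['file'].Value
                Message   = $m.Groups['msg'].Value.Trim()
            }
        }
    }
}

# Constructed sample (not a real log): the second message spans two lines,
# the third is an error entry. Host and package names are placeholders.
$sample = @'
<![LOG[Policy evaluation started.]LOG]!><time="10:44:03.312+000" date="10-04-2022" component="PolicyEvaluator" context="" type="1" thread="4712" file="policyevaluator.cpp:100">
<![LOG[Requesting content for package PKG00001
from https://dp01.example.internal]LOG]!><time="10:44:05.001+000" date="10-04-2022" component="ContentTransferManager" context="" type="1" thread="4712" file="ctm.cpp:200">
<![LOG[Failed to download policy. Error 0x80004005]LOG]!><time="10:44:07.990+000" date="10-04-2022" component="PolicyAgent" context="" type="3" thread="4720" file="policyagent.cpp:300">
'@

$entries = ConvertFrom-CMTraceLog -LogText $sample
# Show only error entries, in the order they were written.
$entries | Where-Object Severity -eq 'Error' |
    Select-Object Timestamp, Component, Thread, Message
```

The same function accepts a real log through the pipeline, for example `Get-Content -Raw C:\Windows\CCM\Logs\CcmExec.log | ConvertFrom-CMTraceLog`, which is how the default client log location given later in this article would be read.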

Configure logging options

You can change the configuration of the log files, such as the verbose level, size, and
history. There are several ways to change these settings:

During client installation
Using Configuration Manager Service Manager
Using the Windows Registry
In the Configuration Manager console

You can also use hardware inventory to collect log settings from clients.

Configure logging options during client installation

You can set the configuration of the client log files during installation. Use the following
properties:
CCMENABLELOGGING
CCMDEBUGLOGGING
CCMLOGLEVEL
CCMLOGMAXHISTORY
CCMLOGMAXSIZE

For more information, see Client installation properties.

Configure logging options by using Configuration Manager Service Manager
You can change where Configuration Manager stores the log files, and their size.

To modify the size of log files, change the name and location of a log file, or force
multiple components to write to a single log file, follow these steps:

Modify logging for a component

1. In the Configuration Manager console, go to the Monitoring workspace, expand
System Status, and then select either the Site Status or Component Status node.

2. In the ribbon, select Start, and then select Configuration Manager Service
Manager.

3. When Configuration Manager Service Manager opens, connect to the site that you
want to manage. If the site that you want to manage isn't shown, select Site, select
Connect, and then enter the name of the site server for the correct site.

4. Expand the site and go to Components or Servers, depending on where the
components that you want to manage are located.

5. In the right pane, select one or more components.

6. On the Component menu, select Logging.

7. In the Configuration Manager Component Logging dialog box, complete the
available configuration options for your selection.

8. Select OK to save the configuration.

Configure logging options by using the Windows Registry
Use the Windows Registry on the servers or clients to change the following logging
options:

Verbose level
Maximum history
Maximum size

When troubleshooting a problem, you can enable verbose logging for Configuration
Manager to write additional details in the log files.

Warning

Misconfiguration of these settings can cause Configuration Manager to log large
amounts of information, or none at all. While this data can be beneficial for
troubleshooting, be cautious when changing these values in production sites.
Always test these changes in a lab environment first. Excessive logging can occur,
which might make it difficult to find relevant information in the log files.

After you make changes to these registry settings, restart the component:

If you change the client settings, restart the SMS Agent Host service (CcmExec).
If you change the server settings, restart the SMS Executive service.

The registry settings vary depending upon the component:

Client and management point
Site server
Site system role
Configuration Manager console

Client and management point logging options

To configure logging options for all components on a client or management point site
system, configure these REG_DWORD values under the following Windows Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Logging\@Global

Name Values Description

LogLevel
Values: 0: Verbose; 1: Default; 2: Warnings and errors; 3: Errors only
Description: The level of detail to write to log files.

LogMaxHistory
Values: Any integer greater than or equal to zero, for example: 0: No history; 1: Default
Description: When a log file reaches the maximum size, the client renames it as a backup
and creates a new log file. Specify how many previous versions to keep.

LogMaxSize
Values: Any integer greater than or equal to 10,000, for example: 250000
Description: The maximum log file size in bytes. When a log grows to the specified size,
the client renames it as a history file, and creates a new file. The default value is
250,000 bytes.

Note

Don't change other values that may exist in this registry key.

For advanced debugging, you can also add this REG_SZ value under the following
Windows Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Logging\DebugLogging

Name Values Description

Enabled
Values: True: enable debug logs; False: disable debug logs
Description: Enables debug logging for troubleshooting purposes.

This setting causes the client to log low-level information for troubleshooting. Avoid
using this setting in production sites. Excessive logging can occur, which might make it
difficult to find relevant information in the log files. Make sure to turn off this setting
after you resolve the issue.
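Putting the client and management point values above to use, the following PowerShell (an added example, not from the original article or from Configuration Manager) audits the @Global and DebugLogging settings against the documented ranges and defaults, switches a client to verbose and debug logging for a troubleshooting session, and restores the saved values afterward. It assumes an elevated session on the client; the function names are the example's own.

```powershell
# Added example, not part of the original article: audit and temporarily raise
# client (or management point) logging via the registry keys described above.
# Run in an elevated PowerShell session on the client.

$CcmGlobalKey = 'HKLM:\SOFTWARE\Microsoft\CCM\Logging\@Global'
$CcmDebugKey  = 'HKLM:\SOFTWARE\Microsoft\CCM\Logging\DebugLogging'

function Get-CcmLoggingConfig {
    # Read LogLevel, LogMaxHistory, LogMaxSize (REG_DWORD) and the optional
    # DebugLogging\Enabled (REG_SZ), and flag settings that leave little
    # evidence behind for troubleshooting or incident review.
    $g = Get-ItemProperty -Path $CcmGlobalKey -ErrorAction Stop
    $debug = (Get-ItemProperty -Path $CcmDebugKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $levelNames = @{ 0 = 'Verbose'; 1 = 'Default'; 2 = 'Warnings and errors'; 3 = 'Errors only' }

    $findings = @()
    if ($g.LogLevel -ge 2)       { $findings += 'LogLevel drops informational entries' }
    if ($g.LogMaxHistory -eq 0)  { $findings += 'LogMaxHistory is 0: rotated logs are discarded' }
    if ($g.LogMaxSize -lt 10000) { $findings += 'LogMaxSize is below the documented minimum of 10,000 bytes' }
    if ($debug -eq 'True')       { $findings += 'DebugLogging is enabled; turn it off once the issue is resolved' }

    [pscustomobject]@{
        LogLevel      = [int]$g.LogLevel
        LogLevelName  = $levelNames[[int]$g.LogLevel]
        LogMaxHistory = [int]$g.LogMaxHistory
        LogMaxSize    = [int]$g.LogMaxSize
        DebugLogging  = $debug
        Findings      = $findings
    }
}

function Enable-CcmVerboseLogging {
    # Switch to verbose + debug logging with more and larger history files, and
    # return the previous configuration so that it can be restored afterward.
    param(
        [int]$MaxHistory = 5,
        [int]$MaxSize    = 5MB   # well above the 250,000-byte default
    )
    if ($MaxSize -lt 10000) { throw 'LogMaxSize must be at least 10,000 bytes.' }
    $previous = Get-CcmLoggingConfig

    Set-ItemProperty -Path $CcmGlobalKey -Name LogLevel      -Value 0           -Type DWord
    Set-ItemProperty -Path $CcmGlobalKey -Name LogMaxHistory -Value $MaxHistory -Type DWord
    Set-ItemProperty -Path $CcmGlobalKey -Name LogMaxSize    -Value $MaxSize    -Type DWord
    if (-not (Test-Path $CcmDebugKey)) { New-Item -Path $CcmDebugKey | Out-Null }
    Set-ItemProperty -Path $CcmDebugKey -Name Enabled -Value 'True' -Type String

    # The new values apply only after the SMS Agent Host service restarts.
    Restart-Service -Name CcmExec -Force
    return $previous
}

function Restore-CcmLoggingConfig {
    # Write back a configuration object captured by Get-CcmLoggingConfig.
    param([Parameter(Mandatory)] $Previous)
    Set-ItemProperty -Path $CcmGlobalKey -Name LogLevel      -Value $Previous.LogLevel      -Type DWord
    Set-ItemProperty -Path $CcmGlobalKey -Name LogMaxHistory -Value $Previous.LogMaxHistory -Type DWord
    Set-ItemProperty -Path $CcmGlobalKey -Name LogMaxSize    -Value $Previous.LogMaxSize    -Type DWord
    if (Test-Path $CcmDebugKey) {
        $debugValue = if ($Previous.DebugLogging -eq 'True') { 'True' } else { 'False' }
        Set-ItemProperty -Path $CcmDebugKey -Name Enabled -Value $debugValue -Type String
    }
    Restart-Service -Name CcmExec -Force
}

# Typical session:
#   $before = Enable-CcmVerboseLogging
#   ...reproduce the problem, copy C:\Windows\CCM\Logs elsewhere...
#   Restore-CcmLoggingConfig -Previous $before
Get-CcmLoggingConfig | Format-List
```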

Site server logging options

You can configure settings globally or for a specific component on the Configuration
Manager site server.
Configure these values under the following Windows Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing

Name Values Type Description

SqlEnabled
Values: 1: enable SQL Server tracing; 0: disable SQL Server tracing
Type: REG_DWORD
Description: Add SQL Server trace logging to all site server logs.

ArchiveEnabled
Values: 1: enable log archives; 0: disable log archives
Type: REG_DWORD
Description: Archive site server logs to a separate location for historical preservation.

ArchivePath
Values: A valid folder path, for example C:\Logs\Archive
Type: REG_SZ
Description: The path to archive site server logs.

Only enable SQL Server tracing for troubleshooting purposes. Avoid using it in
production sites. Excessive logging can occur, which might make it difficult to find
relevant information in the log files. Make sure to turn off this setting after you resolve
the issue.

Note

Don't change other values that may exist in this registry key.

To configure logging options for a specific server component, configure these
REG_DWORD values under the following Windows Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\<ComponentName>

Name Values Description

LoggingLevel
Values: 0: Verbose; 1: Default; 2: Warnings and errors; 3: Errors only
Description: The level of detail to write to log files.

LogMaxHistory
Values: Any integer greater than or equal to zero, for example: 0: No history; 1: Default
Description: When a log file reaches the maximum size, the server renames it as a backup
and creates a new log file. Specify how many previous versions to keep.

MaxFileSize
Values: Any integer greater than or equal to 10,000, for example: 250000
Description: The maximum log file size in bytes. When a log grows to the specified size,
the client renames it as a history file, and creates a new file. The default value is
250,000 bytes.

DebugLogging
Values: 1: enable debug logs; 0: disable debug logs
Description: Enables debug logging for troubleshooting purposes.

The DebugLogging setting causes the server to log low-level information for
troubleshooting. Avoid using this setting in production sites. Excessive logging can
occur, which might make it difficult to find relevant information in the log files. Make
sure to turn off this setting after you resolve the issue.

Note

Don't change other values that may exist in this registry key.

Site system role logging options

You can configure settings globally or for a specific component on a site system that
hosts a Configuration Manager server role.

To configure logging options for a specific server component, configure these
REG_DWORD values under the following Windows Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\<ComponentName>\Logging

For example, for the distribution point role:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP\Logging

Name Values Description

LogLevel
Values: 0: Verbose; 1: Default; 2: Warnings and errors; 3: Errors only
Description: The level of detail to write to log files.

LogMaxHistory
Values: Any integer greater than or equal to zero, for example: 0: No history; 1: Default
Description: When a log file reaches the maximum size, the server renames it as a backup
and creates a new log file. Specify how many previous versions to keep.

LogMaxSize
Values: Any integer greater than or equal to 10,000, for example: 250000
Description: The maximum log file size in bytes. When a log grows to the specified size,
the server renames it as a history file, and creates a new file. The default value is
250,000 bytes.

Note

Don't change other values that may exist in this registry key.

Configuration Manager console logging options

To change the verbose level of the AdminUI.log for the Configuration Manager console,
use the following procedure:

1. Open the console configuration file, Microsoft.ConfigurationManagement.exe.config,
in an XML editor like Notepad. The default configuration file is in the following
location: C:\Program Files (x86)\Microsoft Endpoint
Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe.config

2. Under the system.diagnostics > sources > source element, change the
switchValue attribute from Error to Verbose. For example:

Original: <source name="SmsAdminUISnapIn" switchValue="Error">

New: <source name="SmsAdminUISnapIn" switchValue="Verbose">

3. Save the file, and restart the console.

Configure logging options in the Configuration Manager console
Enable or disable verbose logging on a client or collection from the console:

1. In the Configuration Manager console, go to the Assets and Compliance
workspace, select the Devices node, and choose a target device.

2. In the ribbon, on the Home tab, in the Device group, select Client Diagnostics.
Choose one of the available actions.

For more information, see Client diagnostics.

Hardware inventory for client log settings

Starting in version 2107, you can enable hardware inventory to collect client log file
settings. Enable the hardware inventory class, Client Diagnostics
(CCM_ClientDiagnostics), and then select the following attributes:

Debug Logging Enabled
Logging Enabled
Log Level
History File Count
Max Log File Size

Note

This inventory class isn't enabled by default.

For more information, see Enable or disable existing hardware inventory classes.

Locating log files

Configuration Manager and dependent components store log files in various locations.
These locations depend on the process that creates the log file and the configuration of
your environment.

The following locations are the defaults. If you customized the installation directories in
your environment, the actual paths may vary.

Client: C:\Windows\CCM\logs
Server: C:\Program Files\Microsoft Configuration Manager\Logs
Management point: C:\SMS_CCM\Logs
Configuration Manager console: C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\AdminUILog
IIS: C:\inetpub\logs\logfiles\w3svc1

Task sequence log locations
The location of the task sequence log file smsts.log varies depending upon the phase of
the task sequence:

In Windows PE before Format and Partition Disk step: X:\Windows\temp\smstslog\smsts.log (X is the Windows PE RAM drive)
In Windows PE after Format and Partition Disk step: X:\smstslog\smsts.log, then copied to C:\_SMSTaskSequence\Logs\smstslog\smsts.log when drive is ready
In the new Windows OS before the client is installed: C:\_SMSTaskSequence\Logs\smstslog\smsts.log
In Windows after the client is installed: C:\Windows\CCM\Logs\smstslog\smsts.log
In Windows after the task sequence completes: C:\Windows\CCM\Logs\smsts.log

Tip

The read-only task sequence variable _SMSTSLogPath always contains the path of
the current log file.

Next steps
Log files reference
Support Center OneTrace
Support Center log file viewer
CMTrace

Log file reference
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

In Configuration Manager, client and site server components record process information
in individual log files. You can use the information in these log files to help you
troubleshoot issues that might occur. By default, Configuration Manager enables
logging for client and server components.

For more general information about log files in Configuration Manager, see About log
files. That article includes information on the tools to use, how to configure the logs, and
where to find them.

The following sections provide details about the different log files available to you.
Monitor Configuration Manager client and server logs for operation details, and view
error information to troubleshoot problems.

Client log files
  Client operations
  Client installation
  Client for Mac computers

Server log files
  Site server and site systems
  Site server installation
  Data warehouse service point
  Fallback status point
  Management point
  Service connection point
  Software update point

Log files by functionality
  Application management
  Asset Intelligence
  Backup and recovery
  Certificate enrollment
  Client notification
  Cloud management gateway
  Compliance settings and company resource access
  Configuration Manager console
  Content management
  Desktop Analytics
  Discovery
  Endpoint analytics
  Endpoint Protection
  Extensions
  Inventory
  Migration
  Mobile devices
  OS deployment
  Power management
  Remote control
  Reporting
  Role-based administration
  Software metering
  Software updates
  Wake On LAN
  Windows servicing
  Windows Update Agent
  WSUS server

Client log files

The following sections list the log files related to client operations and client installation.

Client operations
The following table lists the log files located on the Configuration Manager client.

Log name Description

ADALOperationProvider.log Information about client authentication token requests with Azure Active Directory (Azure AD) Authentication Library (ADAL). (Replaced by CcmAad.log starting in version 2107)

BitLockerManagementHandler.log Records information about BitLocker management policies.

CAS.log The Content Access service. Maintains the local package cache on the client.

Ccm32BitLauncher.log Records actions for starting applications on the client marked run as 32 bit.

CcmEval.log Records Configuration Manager client status evaluation activities and details for components that are required by the Configuration Manager client.

CcmEvalTask.log Records the Configuration Manager client status evaluation activities that are initiated by the evaluation scheduled task.

CcmExec.log Records activities of the client and the SMS Agent Host service. This log file also includes information about enabling and disabling wake-up proxy.

CcmMessaging.log Records activities related to communication between the client and management points.

CCMNotificationAgent.log Records activities related to client notification operations.

Ccmperf.log Records activities related to the maintenance and capture of data related to client performance counters.

CcmRestart.log Records client service restart activity.

CCMSDKProvider.log Records activities for the client SDK interfaces.

ccmsqlce.log Records activities for the built-in version of SQL Server Compact Edition (CE) that the client uses. This log is typically only used when you enable debug logging, or there's a problem with the component. The client health task (ccmeval) usually self-corrects problems with this component.

CcmUsrCse.log Records details during user sign on for folder redirection policies.

CCMVDIProvider.log Records information for clients in a virtual desktop infrastructure (VDI).

CertEnrollAgent.log Records information for Windows Hello for Business. Specifically communication with the Network Device Enrollment Service (NDES) for certificate requests using the Simple Certificate Enrollment Protocol (SCEP).

CertificateMaintenance.log Maintains certificates for Active Directory Domain Services and management points.

CIAgent.log Records details about the process of remediation and compliance for compliance settings, software updates, and application management.

CIDownloader.log Records details about configuration item definition downloads.

CIStateStore.log Records changes in state for configuration items, such as compliance settings, software updates, and applications.

CIStore.log Records information about configuration items, such as compliance settings, software updates, and applications.

CITaskMgr.log Records tasks for each application and deployment type, such as content download and install or uninstall actions.

ClientAuth.log Records signing and authentication activity for the client.

ClientIDManagerStartup.log Creates and maintains the client GUID and identifies tasks during client registration and assignment.

ClientLocation.log Records tasks that are related to client site assignment.

ClientServicing.log Records information for client deployment state messages during auto-upgrade and client piloting.

CMBITSManager.log Records information for Background Intelligent Transfer Service (BITS) jobs on the device.

CMHttpsReadiness.log Records the results of running the Configuration Manager HTTPS Readiness Assessment Tool. This tool checks whether computers have a public key infrastructure (PKI) client authentication certificate that can be used with Configuration Manager.

CmRcService.log Records information for the remote control service.

CoManagementHandler.log Use to troubleshoot co-management on the client.

ComplRelayAgent.log Records information for the co-management workload for compliance policies.

ContentTransferManager.log Schedules the Background Intelligent Transfer Service (BITS) or Server Message Block (SMB) to download or access packages.

DataTransferService.log Records all BITS communication for policy or package access.

DCMAgent.log Records high-level information about the evaluation, conflict reporting, and remediation of configuration items and applications.

DCMReporting.log Records information about reporting policy platform results into state messages for configuration items.

DcmWmiProvider.log Records information about reading configuration item synclets from WMI.

DeltaDownload.log Records information about the download of express updates and updates downloaded using Delivery Optimization.

Diagnostics.log Records the status of client diagnostic actions.

EndpointProtectionAgent Records information about the installation of the System Center Endpoint Protection client and the application of antimalware policy to that client.

execmgr.log Records details about packages and task sequences that run on the client.

ExpressionSolver.log Records details about enhanced detection methods that are used when verbose or debug logging is turned on.

ExternalEventAgent.log Records the history of Endpoint Protection malware detection and events related to client status.

FileBITS.log Records all SMB package access tasks.

FileSystemFile.log Records the activity of the Windows Management Instrumentation (WMI) provider for software inventory and file collection.

FSPStateMessage.log Records the activity for state messages that are sent to the fallback status point by the client.

InternetProxy.log Records the network proxy configuration and use activity for the client.

InventoryAgent.log Records activities of hardware inventory, software inventory, and heartbeat discovery actions on the client.

InventoryProvider.log More details about hardware inventory, software inventory, and heartbeat discovery actions on the client.

LocationCache.log Records the activity for location cache use and maintenance for the client.

LocationServices.log Records the client activity for locating management points, software update points, and distribution points.

M365AHandler.log Information about the Desktop Analytics settings policy.

MaintenanceCoordinator.log Records the activity for general maintenance tasks for the client.

Mifprovider.log Records the activity of the WMI provider for Management Information Format (MIF) files.

mtrmgr.log Monitors all software metering processes.

PolicyAgent.log Records requests for policies made by using the Data Transfer Service.

PolicyAgentProvider.log Records policy changes.

PolicyEvaluator.log Records details about the evaluation of policies on client computers, including policies from software updates.

PolicyPlatformClient.log Records the process of remediation and compliance for all providers located in \Program Files\Microsoft Policy Platform, except the file provider.

PolicySdk.log Records activities for policy system SDK interfaces.

Pwrmgmt.log Records information about enabling or disabling and configuring the wake-up proxy client settings.

PwrProvider.log Records the activities of the power management provider (PWRInvProvider) hosted in the WMI service. On all supported versions of Windows, the provider enumerates the current settings on computers during hardware inventory and applies power plan settings.

SCClient_<domain>@<username>_1.log Records the activity in Software Center for the specified user on the client computer.

SCClient_<domain>@<username>_2.log Records the historical activity in Software Center for the specified user on the client computer.

Scheduler.log Records activities of scheduled tasks for all client operations.

SCNotify_<domain>@<username>_1.log Records the activity for notifying users about software for the specified user.

SCNotify_<domain>@<username>_1-<date_time>.log Records the historical information for notifying users about software for the specified user.

Scripts.log Records the activity of when Configuration Manager scripts run on the client.

SensorWmiProvider.log Records the activity of the WMI provider for the endpoint analytics sensor.

SensorEndpoint.log Records the execution of endpoint analytics policy and upload of client data to the site server.

SensorManagedProvider.log Records the gathering and processing of events and information for endpoint analytics.

setuppolicyevaluator.log Records configuration and inventory policy creation in WMI.

SleepAgent_<domain>@SYSTEM_0.log The main log file for wake-up proxy.

SmsClientMethodProvider.log Records activity for sending client schedules. For example, with the Send Schedule tool or other programmatic methods.

smscliui.log Records use of the Configuration Manager client in Control Panel.

SrcUpdateMgr.log Records activity for installed Windows Installer applications that are updated with current distribution point source locations.

StateMessageProvider.log Records information for the component that sends state messages from the client to the site.

StatusAgent.log Records status messages that are created by the client components.

SWMTRReportGen.log Generates a use data report that is collected by the metering agent. This data is logged in Mtrmgr.log.

UserAffinity.log Records details about user device affinity.

UserAffinityProvider.log Technical details from the component that tracks user device affinity.

VirtualApp.log Records information specific to the evaluation of Application Virtualization (App-V) deployment types.

Wedmtrace.log Records operations related to write filters on Windows Embedded clients.

wakeprxy-install.log Records installation information when clients receive the client setting option to turn on wake-up proxy.

wakeprxy-uninstall.log Records information about uninstalling wake-up proxy when clients receive the client setting option to turn off wake-up proxy, if wake-up proxy was previously turned on.

Client installation
The following table lists the log files that contain information related to the installation
of the Configuration Manager client.

Log name | Description
ccmsetup.log | Records ccmsetup.exe tasks for client setup, client upgrade, and client removal. Can be used to troubleshoot client installation problems.
ccmsetup-ccmeval.log | Records ccmsetup.exe tasks for client status and remediation.
CcmRepair.log | Records the repair activities of the client agent.
client.msi.log | Records setup tasks done by client.msi. Can be used to troubleshoot client installation or removal problems.
ClientServicing.log | Records information for client deployment state messages during auto-upgrade and client piloting.

Client for Mac computers

The Configuration Manager client for Mac computers records information in the
following log files on the Mac computer:

Log name | Details | Location
CCMClient-<date_time>.log | Records activities that are related to the Mac client operations, including application management, inventory, and error logging. | /Library/Application Support/Microsoft/CCM/Logs
CCMAgent-<date_time>.log | Records information that is related to client operations, including user sign in and sign out operations, and Mac computer activity. | ~/Library/Logs
CCMNotifications-<date_time>.log | Records activities that are related to Configuration Manager notifications displayed on the Mac computer. | ~/Library/Logs
CCMPrefPane-<date_time>.log | Records activities related to the Configuration Manager preferences dialog box on the Mac computer, which includes general status and error logging. | ~/Library/Logs

The log file SMS_DM.log on the site system server also records communication between
Mac computers and the management point that is set up for mobile devices and Mac
computers.

Server log files

The following sections list log files that are on the site server or that are related to
specific site system roles.

Site server and site systems

The following table lists the log files that are on the Configuration Manager site server
and site system servers.

Log name | Description | Computer with log file
adctrl.log | Records enrollment processing activity. | Site server
ADForestDisc.log | Records Active Directory Forest Discovery actions. | Site server
adminservice.log | Records actions for the SMS Provider administration service REST API. | Computer with the SMS Provider
ADService.log | Records account creation and security group details in Active Directory. | Site server
adsgdis.log | Records Active Directory Group Discovery actions. | Site server
adsysdis.log | Records Active Directory System Discovery actions. | Site server
adusrdis.log | Records Active Directory User Discovery actions. | Site server
BusinessAppProcessWorker.log | Records processing for Microsoft Store for Business apps. | Site server
ccm.log | Records activities for client push installation. | Site server
CertMgr.log | Records certificate activities for intrasite communication. | Site system server
chmgr.log | Records activities of the client health manager. | Site server
Cidm.log | Records changes to the client settings by the Client Install Data Manager (CIDM). | Site server
colleval.log | Records details about when collections are created, changed, and deleted by the Collection Evaluator. | Site server
compmon.log | Records the status of component threads monitored for the site server. | Site system server
compsumm.log | Records Component Status Summarizer tasks. | Site server
ComRegSetup.log | Records the initial installation of COM registration results for a site server. | Site system server
dataldr.log | Records information about the processing of MIF files and hardware inventory in the Configuration Manager database. | Site server
ddm.log | Records activities of the discovery data manager. | Site server
despool.log | Records incoming site-to-site communication transfers. | Site server
distmgr.log | Records details about package creation, compression, delta replication, and information updates. It can also include other activities from the distribution manager component. For example, installing a distribution point, connection attempts, and installing components. For more information on other functionality that uses this log, see Service connection point and OS deployment. | Site server
EPCtrlMgr.log | Records information about the syncing of malware threat information from the Endpoint Protection site system role server with the Configuration Manager database. | Site server
EPMgr.log | Records the status of the Endpoint Protection site system role. | Site system server
EPSetup.log | Provides information about the installation of the Endpoint Protection site system role. | Site system server
EnrollSrv.log | Records activities of the enrollment service process. | Site system server
EnrollWeb.log | Records activities of the enrollment website process. | Site system server
ExternalNotificationsWorker.log | Records the queue and activities for notifications to external systems like Azure Logic Apps. | Site server
fspmgr.log | Records activities of the fallback status point site system role. | Site system server
hman.log | Records information about site configuration changes, and about the publishing of site information in Active Directory Domain Services. | Site server
Inboxast.log | Records the files that are moved from the management point to the corresponding INBOXES folder on the site server. | Site server
inboxmgr.log | Records file transfer activities between inbox folders. | Site server
inboxmon.log | Records the processing of inbox files and performance counter updates. | Site server
invproc.log | Records the forwarding of MIF files from a secondary site to its parent site. | Site server
migmctrl.log | Records information for Migration actions that involve migration jobs, shared distribution points, and distribution point upgrades. | Top-level site in the Configuration Manager hierarchy, and each child primary site. In a multi-primary site hierarchy, use the log file that is created at the central administration site.
mpcontrol.log | Records the registration of the management point. Records the availability of the management point every 10 minutes. | Site system server
mpfdm.log | Records the actions of the management point component that moves client files to the corresponding INBOXES folder on the site server. | Site system server
mpMSI.log | Records details about the management point installation. | Site server
MPSetup.log | Records the management point installation wrapper process. | Site server
netdisc.log | Records Network Discovery actions. | Site server
NotiCtrl.log | Records application request notifications. | Site server
ntsvrdis.log | Records the discovery activity of site system servers. | Site server
Objreplmgr.log | Records the processing of object change notifications for replication. | Site server
offermgr.log | Records advertisement updates. | Site server
offersum.log | Records the summarization of deployment status messages. | Site server
OfflineServicingMgr.log | Records the activities of applying updates to operating system image files. | Site server
outboxmon.log | Records the processing of outbox files and performance counter updates. | Site server
PerfSetup.log | Records the results of the installation of performance counters. | Site system server
PkgXferMgr.log | Records the actions of the SMS_Executive component that is responsible for sending content from a primary site to a remote distribution point. | Site server
policypv.log | Records updates to the client policies to reflect changes to client settings or deployments. | Primary site server
rcmctrl.log | Records the activities of database replication between sites in the hierarchy. | Site server
replmgr.log | Records the replication of files between the site server components and the Scheduler component. | Site server
ResourceExplorer.log | Records errors, warnings, and information about running Resource Explorer. | Computer that runs the Configuration Manager console
RESTPROVIDERSetup.log | Records the installation of the SMS Provider administration service REST API. | Computer with the SMS Provider
ruleengine.log | Records details about automatic deployment rules for the identification, content download, and software update group and deployment creation. | Site server
schedule.log | Records details about site-to-site job and file replication. | Site server
sender.log | Records the files that transfer by file-based replication between sites. | Site server
sinvproc.log | Records information about the processing of software inventory data to the site database. | Site server
sitecomp.log | Records details about the maintenance of the installed site components on all site system servers in the site. | Site server
sitectrl.log | Records site setting changes made to site control objects in the database. | Site server
sitestat.log | Records the availability and disk space monitoring process of all site systems. | Site server
SMS_AZUREAD_DISCOVERY_AGENT.log | Log file for Azure Active Directory (Azure AD) user and user group discovery. | Site server
SMS_BUSINESS_APP_PROCESS_MANAGER.log | Log file for the component that synchronizes apps from the Microsoft Store for Business. | Site server
SMS_DataEngine.log | Log file for management insights. | Site server
SMS_ISVUPDATES_SYNCAGENT.log | Log file for synchronization of third-party software updates. | Top-level software update point in the Configuration Manager hierarchy
SMS_MESSAGE_PROCESSING_ENGINE.log | Log file for the message processing engine, which the site uses to process results for client actions. For example, run scripts and CMPivot. | Site server
SMS_OrchestrationGroup.log | Log file for orchestration groups. | Site server
SMS_PhasedDeployment.log | Log file for phased deployments. | Top-level site in the Configuration Manager hierarchy
SMS_REST_PROVIDER.log | Service health state for the SMS Provider administration service REST API, including certificate information. | Computer with the SMS Provider
SmsAdminUI.log | Records Configuration Manager console activity. | Computer that runs the Configuration Manager console
smsbkup.log | Records output from the site backup process. | Site server
smsdbmon.log | Records database changes. | Site server
SMSENROLLSRVSetup.log | Records the installation activities of the enrollment web service. | Site system server
SMSENROLLWEBSetup.log | Records the installation activities of the enrollment website. | Site system server
smsexec.log | Records the processing of all site server component threads. | Site server or site system server
SMSFSPSetup.log | Records messages generated by the installation of a fallback status point. | Site system server
SMSProv.log | Records WMI provider access to the site database. | Computer with the SMS Provider
srsrpMSI.log | Records detailed results of the reporting point installation process from the MSI output. | Site system server
srsrpsetup.log | Records results of the reporting point installation process. | Site system server
statesys.log | Records the processing of state system messages. | Site server
statmgr.log | Records the writing of all status messages to the database. | Site server
swmproc.log | Records the processing of metering files and settings. | Site server

Site server installation

The following table lists the log files that contain information related to site installation.

Log name | Description | Computer with log file
ConfigMgrPrereq.log | Records prerequisite component evaluation and installation activities. | Site server
ConfigMgrSetup.log | Records detailed output from the site server setup. | Site server
ConfigMgrSetupWizard.log | Records information related to activity in the Setup Wizard. | Site server
SMS_BOOTSTRAP.log | Records information about the progress of launching the secondary site installation process. Details of the actual setup process are contained in ConfigMgrSetup.log. | Site server
smstsvc.log | Records information about the installation, use, and removal of a Windows service. Windows uses this service to test network connectivity and permissions between servers. It uses the computer account of the server that creates the connection. | Site server and site system server

Data warehouse service point

The following table lists the log files that contain information related to the data
warehouse service point.

Log name | Description | Computer with log file
DWSSMSI.log | Records messages generated by the installation of a data warehouse service point. | Site system server
DWSSSetup.log | Records messages generated by the installation of a data warehouse service point. | Site system server
Microsoft.ConfigMgrDataWarehouse.log | Records information about data synchronization between the site database and the data warehouse database. | Site system server

Fallback status point

The following table lists the log files that contain information related to the fallback
status point.

Log name | Description | Computer with log file
FspIsapi | Records details about communications to the fallback status point from mobile device legacy clients and client computers. | Site system server
fspMSI.log | Records messages generated by the installation of a fallback status point. | Site system server
fspmgr.log | Records activities of the fallback status point site system role. | Site system server

Management point
The following table lists the log files that contain information related to the
management point.

Log name | Description | Computer with log file
CcmIsapi.log | Records client messaging activity on the endpoint. | Site system server
CCM_STS.log | Records activities for authentication tokens, either from Azure Active Directory or site-issued client tokens. | Site system server
ClientAuth.log | Records signing and authentication activity. | Site system server
MP_CliReg.log | Records the client registration activity processed by the management point. | Site system server
MP_Ddr.log | Records the conversion of XML.ddr records from clients, and then copies them to the site server. | Site system server
MP_Framework.log | Records the activities of the core management point and client framework components. | Site system server
MP_GetAuth.log | Records client authorization activity. | Site system server
MP_GetPolicy.log | Records policy request activity from client computers. | Site system server
MP_Hinv.log | Records details about the conversion of XML hardware inventory records from clients and the copy of those files to the site server. | Site system server
MP_Location.log | Records location request and reply activity from clients. | Site system server
MP_OOBMgr.log | Records the management point activities related to receiving an OTP from a client. | Site system server
MP_Policy.log | Records policy communication. | Site system server
MP_RegistrationManager.log | Records activities related to client registration, such as validating certificates, CRL, and tokens. | Site system server
MP_Relay.log | Records the transfer of files that are collected from the client. | Site system server
MP_RelayMsgMgr.log | Records how the management point handles incoming client messages, such as for scripts or CMPivot. | Site system server
MP_Retry.log | Records hardware inventory retry processes. | Site system server
MP_Sinv.log | Records details about the conversion of XML software inventory records from clients and the copy of those files to the site server. | Site system server
MP_SinvCollFile.log | Records details about file collection. | Site system server
MP_Status.log | Records details about the conversion of XML.svf status message files from clients and the copy of those files to the site server. | Site system server
mpcontrol.log | Records the registration of the management point. Records the availability of the management point every 10 minutes. | Site server
mpfdm.log | Records the actions of the management point component that moves client files to the corresponding INBOXES folder on the site server. | Site system server
mpMSI.log | Records details about the management point installation. | Site server
MPSetup.log | Records the management point installation wrapper process. | Site server
UserService.log | Records user requests from Software Center, retrieving/installing user-available applications from the server. | Site system server

Service connection point

The following table lists the log files that contain information related to the service
connection point.

Log name | Description | Computer with log file
CertMgr.log | Records certificate and proxy account information. | Site server
CollectionAADGroupSyncWorker.log | Log file for synchronization of collection membership results to Azure Active Directory. | Computer with the service connection point
CollEval.log | Records details about when collections are created, changed, and deleted by the Collection Evaluator. | Primary site and central administration site
Cloudusersync.log | Records license enablement for users. | Computer with the service connection point
Dataldr.log | Records information about the processing of MIF files. | Site server
ddm.log | Records activities of the discovery data manager. | Site server
Distmgr.log | Records details about content distribution requests. | Top-level site server
Dmpdownloader.log | Records details about downloads from Microsoft, such as site updates. | Computer with the service connection point
Dmpuploader.log | Records details related to uploading database changes to Microsoft. | Computer with the service connection point
EndpointConnectivityCheckWorker.log | Records details related to checks for important internet endpoints. | Computer with the service connection point
hman.log | Records information about message forwarding. | Site server
WsfbSyncWorker.log | Records information about the communication with the Microsoft Store for Business. | Computer with the service connection point
objreplmgr.log | Records the processing of policy and assignment. | Primary site server
PolicyPV.log | Records policy generation of all policies. | Site server
outgoingcontentmanager.log | Records content uploaded to Microsoft. | Computer with the service connection point
ServiceConnectionTool.log | Records details about use of the service connection tool based on the parameter you use. Each time you run the tool, it replaces any existing log file. | Same location as the tool
Sitecomp.log | Records details of service connection point installation. | Site server
SmsAdminUI.log | Records Configuration Manager console activity. | Computer that runs the Configuration Manager console
SMS_CLOUDCONNECTION.log | Records information about cloud services. | Computer with the service connection point
Smsprov.log | Records activities of the SMS Provider. Configuration Manager console activities use the SMS Provider. | Computer with the SMS Provider
SrvBoot.log | Records details about the service connection point installer service. | Computer with the service connection point
Statesys.log | Records the processing of mobile device management messages. | Primary site and central administration site
UXAnalyticsUploadWorker.log | Records data upload to the service for endpoint analytics. | Computer with the service connection point

Software update point

The following table lists the log files that contain information related to the software
update point.

Log name | Description | Computer with log file
objreplmgr.log | Records details about the replication of software updates notification files from a parent site to child sites. | Site server
PatchDownloader.log | Records details about the process of downloading software updates from the update source to the download destination on the site server. | When you manually download updates, this file is in your %temp% directory on the computer where you use the console. For automatic deployment rules, if the Configuration Manager client is installed on the site server, this file is on the site server in %windir%\CCM\Logs.
ruleengine.log | Records details about automatic deployment rules for the identification, content download, and software update group and deployment creation. | Site server
SMS_ISVUPDATES_SYNCAGENT.log | Log file for synchronization of third-party software updates. | Top-level software update point in the Configuration Manager hierarchy
SUPSetup.log | Records details about the software update point installation. When the software update point installation completes, "Installation was successful" is written to this log file. | Site system server
WCM.log | Records details about the software update point configuration and connections to the WSUS server for subscribed update categories, classifications, and languages. | Site server that connects to the WSUS server
WSUSCtrl.log | Records details about the configuration, database connectivity, and health of the WSUS server for the site. | Site system server
wsyncmgr.log | Records details about the software updates sync process. | Site system server
WUSSyncXML.log | Records details about the Inventory Tool for Microsoft Updates sync process. | Client computer configured as the sync host for the Inventory Tool for Microsoft Updates

Log files by functionality

The following sections list log files related to Configuration Manager functions.

Application management
The following table lists the log files that contain information related to application
management.

Log name | Description | Computer with log file
AppIntentEval.log | Records details about the current and intended state of applications, their applicability, whether requirements were met, deployment types, and dependencies. | Client
AppDiscovery.log | Records details about the discovery or detection of applications on client computers. | Client
AppEnforce.log | Records details about enforcement actions (install and uninstall) taken for applications on the client. | Client
AppGroupHandler.log | Records detection and enforcement information for application groups. | Client
BusinessAppProcessWorker.log | Records processing for Microsoft Store for Business apps. | Site server
Ccmsdkprovider.log | Records the activities of the application management SDK. | Client
colleval.log | Records details about when collections are created, changed, and deleted by the Collection Evaluator. | Site system server
WsfbSyncWorker.log | Records information about the communication with the Microsoft Store for Business. | Computer with the service connection point
NotiCtrl.log | Records application request notifications. | Site server
PrestageContent.log | Records details about the use of the ExtractContent.exe tool on a remote, prestaged distribution point. This tool extracts content that has been exported to a file. | Site system server
SettingsAgent.log | Records enforcement of specific applications, orchestration of application group evaluation, and details of co-management policies. | Client
SMS_BUSINESS_APP_PROCESS_MANAGER.log | Log file for the component that synchronizes apps from the Microsoft Store for Business. | Site server
SMS_CLOUDCONNECTION.log | Records information about cloud services. | Computer with the service connection point
SMS_ImplicitUninstall.log | Records events from the implicit uninstall background worker process. | Site server
SMSdpmon.log | Records details about the distribution point health monitoring scheduled task that is configured on a distribution point. | Site server
SoftwareCenterSystemTasks.log | Records activities related to Software Center prerequisite component validation. | Client
TSDTHandler.log | For the task sequence deployment type. It logs the process from app enforcement (install or uninstall) to the launch of the task sequence. Use it with AppEnforce.log and smsts.log. | Client

Packages and programs

The following table lists the log files that contain information related to deploying
packages and programs.

Log name | Description | Computer with log file
colleval.log | Records details about when collections are created, changed, and deleted by the Collection Evaluator. | Site server
execmgr.log | Records details about packages and task sequences that run. | Client

Asset Intelligence
The following table lists the log files that contain information related to Asset
Intelligence.

Log name | Description | Computer with log file
AssetAdvisor.log | Records the activities of Asset Intelligence inventory actions. | Client
aikbmgr.log | Records details about the processing of XML files from the inbox for updating the Asset Intelligence catalog. | Site server
AIUpdateSvc.log | Records the interaction of the Asset Intelligence sync point with the cloud service. | Site system server
AIUSMSI.log | Records details about the installation of the Asset Intelligence sync point site system role. | Site system server
AIUSSetup.log | Records details about the installation of the Asset Intelligence sync point site system role. | Site system server
ManagedProvider.log | Records details about discovering software with an associated software identification tag. Also records activities related to hardware inventory. | Site system server
MVLSImport.log | Records details about the processing of imported licensing files. | Site system server

Backup and recovery

The following table lists log files that contain information related to backup and
recovery actions, including site resets, and changes to the SMS Provider.

Log name | Description | Computer with log file
ConfigMgrSetup.log | Records information about setup and recovery tasks when Configuration Manager recovers a site from backup. | Site server
Smsbkup.log | Records details about the site backup activity. | Site server
smssqlbkup.log | Records output from the site database backup process when SQL Server is installed on a server that isn't the site server. | Site database server
Smswriter.log | Records information about the state of the Configuration Manager VSS writer that is used by the backup process. | Site server

Certificate enrollment
The following table lists the Configuration Manager log files that contain information
related to certificate enrollment. Certificate enrollment uses the certificate registration
point and the Configuration Manager Policy Module on the server that's running the
Network Device Enrollment Service (NDES).

Log name | Description | Computer with log file
CertEnrollAgent.log | Records client communication with NDES for certificate requests using the Simple Certificate Enrollment Protocol (SCEP). | Windows Hello for Business client
Crp.log | Records enrollment activities. | Certificate registration point
Crpctrl.log | Records the operational health of the certificate registration point. | Certificate registration point
Crpsetup.log | Records details about the installation and configuration of the certificate registration point. | Certificate registration point
Crpmsi.log | Records details about the installation and configuration of the certificate registration point. | Certificate registration point
NDESPlugin.log | Records challenge verification and certificate enrollment activities. | Configuration Manager Policy Module and the Network Device Enrollment Service

Along with the Configuration Manager log files, review the Windows Application logs in
Event Viewer on the server running the Network Device Enrollment Service and the
server hosting the certificate registration point. For example, look for messages from the
NetworkDeviceEnrollmentService source.

You can also use the following log files:

IIS log files for Network Device Enrollment Service: %SYSTEMDRIVE%\inetpub\logs\LogFiles\W3SVC1

IIS log files for the certificate registration point: %SYSTEMDRIVE%\inetpub\logs\LogFiles\W3SVC1

Network Device Enrollment Policy log file: mscep.log

Note

This file is located in the folder for the NDES account profile, for example, in
C:\Users\SCEPSvc. For more information about how to enable NDES logging,
see the Enable Logging section of the NDES wiki.
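As an added example, not part of the Configuration Manager documentation, the PowerShell function below collects the three NDES-side sources this section points to into one object: the Application event log entries from the NetworkDeviceEnrollmentService source, non-success requests in the W3SVC1 IIS log, and the tail of mscep.log. The NDES profile path, the IIS log folder, and the /certsrv/mscep URI filter are assumed defaults exposed as parameters; adjust them to your deployment.

```powershell
# Added example (not from the Configuration Manager docs): gather NDES-side
# evidence for a failed SCEP enrollment from the sources listed in the section
# above. Run on the server that hosts the Network Device Enrollment Service.
function Get-NdesEnrollmentEvidence {
    [CmdletBinding()]
    param(
        # Look-back window for events and IIS log files.
        [int]$Hours = 24,
        # NDES account profile folder; the docs give C:\Users\SCEPSvc as an example.
        [string]$NdesProfile = 'C:\Users\SCEPSvc',
        # IIS log folder named in the docs (site ID W3SVC1 is an assumption).
        [string]$IisLogDir = "$env:SYSTEMDRIVE\inetpub\logs\LogFiles\W3SVC1",
        # URI prefix of the NDES virtual directory (assumed default install path).
        [string]$ScepUriPattern = '/certsrv/mscep'
    )
    $since = (Get-Date).AddHours(-$Hours)

    # 1. Application log entries written by the NDES role. The source name comes
    #    from the docs text above. Get-WinEvent raises an error when nothing
    #    matches, so treat that as "no events" rather than a failure.
    $events = @()
    try {
        $events = Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'NetworkDeviceEnrollmentService'
            StartTime    = $since
        } -ErrorAction Stop
    } catch {
        Write-Verbose "No NDES events in the last $Hours hours: $($_.Exception.Message)"
    }

    # 2. IIS W3C log lines for the SCEP endpoint with a non-2xx status.
    #    W3C logs are space-separated; the '#Fields:' header names the columns,
    #    and the header can change between files, so it is re-read per file.
    $iisHits = @()
    $logFiles = Get-ChildItem -Path $IisLogDir -Filter '*.log' -ErrorAction SilentlyContinue |
                Where-Object { $_.LastWriteTime -ge $since }
    foreach ($file in $logFiles) {
        $fields = $null
        foreach ($line in Get-Content -Path $file.FullName) {
            if ($line.StartsWith('#Fields:')) {
                $fields = $line.Substring(8).Trim() -split ' '
                continue
            }
            if ($line.StartsWith('#') -or -not $fields) { continue }
            $values = $line -split ' '
            if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
            $row = @{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
            if ($row['cs-uri-stem'] -like "$ScepUriPattern*" -and $row['sc-status'] -notmatch '^2') {
                $iisHits += [pscustomobject]@{
                    File      = $file.Name
                    Time      = "$($row['date']) $($row['time'])"
                    ClientIp  = $row['c-ip']
                    Uri       = $row['cs-uri-stem']
                    Status    = $row['sc-status']
                    SubStatus = $row['sc-substatus']
                }
            }
        }
    }

    # 3. Tail of mscep.log, present only when NDES logging has been enabled.
    $mscepPath = Join-Path -Path $NdesProfile -ChildPath 'mscep.log'
    $mscepTail = if (Test-Path -Path $mscepPath) { Get-Content -Path $mscepPath -Tail 50 } else { @() }

    [pscustomobject]@{
        NdesEvents  = $events | Select-Object TimeCreated, Id, LevelDisplayName, Message
        IisFailures = $iisHits
        MscepTail   = $mscepTail
    }
}

# Usage: correlate the three sources around the time of a failed request.
$evidence = Get-NdesEnrollmentEvidence -Hours 6 -Verbose
$evidence.IisFailures | Format-Table -AutoSize
$evidence.NdesEvents  | Format-Table -AutoSize
```

Pair the IIS failures with NDESPlugin.log and Crp.log from the table above to see whether the request was rejected at challenge verification or at the certificate registration point.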

Client notification
The following table lists the log files that contain information related to client
notification.

Log name | Description | Computer with log file
bgbmgr.log | Records details about site server activities related to client notification tasks and processing online and task status files. | Site server
BGBServer.log | Records the activities of the notification server, such as client-server communication and pushing tasks to clients. Also records information about the generation of online and task status files to be sent to the site server. | Management point
BgbSetup.log | Records the activities of the notification server installation wrapper process during installation and uninstallation. | Management point
bgbisapiMSI.log | Records details about the notification server installation and uninstallation. | Management point
BgbHttpProxy.log | Records the activities of the notification HTTP proxy as it relays the messages of clients using HTTP to and from the notification server. | Client
CcmNotificationAgent.log | Records the activities of the notification agent, such as client-server communication and information about tasks received and dispatched to other client agents. | Client

Cloud management gateway

The following table lists the log files that contain information related to the cloud
management gateway.

Log name | Description | Computer with log file
CloudMgr.log | Records details about deploying the cloud management gateway service, ongoing service status, and use data associated with the service. To configure the logging level, edit the Logging level value in the following registry key: HKLM\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_CLOUD_SERVICES_MANAGER | The installdir folder on the primary site server or CAS.
CMGSetup.log (see Note 1) | Records details about the second phase of the cloud management gateway deployment (local deployment in Azure). To configure the logging level, use the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab. | The %approot%\logs folder on your Azure server, or the SMS/Logs folder on the site system server
CMGService.log (see Note 1) | Records details about the cloud management gateway service core component in Azure. To configure the logging level, use the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab. | The %approot%\logs folder on your Azure server, or the SMS/Logs folder on the site system server
SMS_Cloud_ProxyConnector.log | Records details about setting up connections between the cloud management gateway service and the cloud management gateway connection point. | Site system server
CMGContentService.log (see Note 1) | When you enable a CMG to also serve content from Azure storage, this log records the details of that service. | The %approot%\logs folder on your Azure server, or the SMS/Logs folder on the site system server

For troubleshooting deployments, use CloudMgr.log and CMGSetup.log


For troubleshooting service health, use CMGService.log and
SMS_Cloud_ProxyConnector.log.
For troubleshooting client traffic, use CMGService.log and
SMS_Cloud_ProxyConnector.log.

Note 1: Logs synchronized from Azure

These are local Configuration Manager log files that cloud service manager syncs from
Azure storage every five minutes. The cloud management gateway pushes logs to Azure
storage every five minutes. So the maximum delay is 10 minutes. Verbose switches affect
both local and remote logs. The actual file names include the service name and role
instance identifier. For example, CMG-ServiceName-RoleInstanceID-CMGSetup.log.
These log files are synced, so you don't need to RDP to the cloud management gateway
to obtain them, and that option isn't supported.

Compliance settings and company resource access


The following table lists the log files that contain information related to compliance
settings and company resource access.

CIAgent.log
  Description: Records details about the process of remediation and compliance for compliance settings, software updates, and application management.
  Computer with log file: Client

CITaskManager.log
  Description: Records information about configuration item task scheduling.
  Computer with log file: Client

DCMAgent.log
  Description: Records high-level information about the evaluation, conflict reporting, and remediation of configuration items and applications.
  Computer with log file: Client

DCMReporting.log
  Description: Records information about reporting policy platform results into state messages for configuration items.
  Computer with log file: Client

DcmWmiProvider.log
  Description: Records information about reading configuration item synclets from WMI.
  Computer with log file: Client

Configuration Manager console


The following table lists the log files that contain information related to the
Configuration Manager console.

ConfigMgrAdminUISetup.log
  Description: Records the installation of the Configuration Manager console.
  Computer with log file: Computer that runs the Configuration Manager console

SmsAdminUI.log
  Description: Records information about the operation of the Configuration Manager console.
  Computer with log file: Computer that runs the Configuration Manager console

Smsprov.log
  Description: Records activities of the SMS Provider. Configuration Manager console activities use the SMS Provider.
  Computer with log file: Site server or site system server

Content management

The following table lists the log files that contain information related to content management.

CloudDP-<guid>.log
  Description: Records details for a specific cloud-based content source, including information about storage and content access.
  Computer with log file: Site system server

CloudMgr.log
  Description: Records details about content provisioning, collecting storage and bandwidth statistics, and administrator-initiated actions to stop or start the cloud service that runs a content-enabled cloud management gateway (CMG).
  Computer with log file: Site system server

DataTransferService.log
  Description: Records all BITS communication for policy or package access. This log also is used for content management by pull-distribution points.
  Computer with log file: Computer that is configured as a pull-distribution point

PullDP.log
  Description: Records details about content that the pull-distribution point transfers from source distribution points.
  Computer with log file: Computer that is configured as a pull-distribution point

PrestageContent.log
  Description: Records the details about the use of the ExtractContent.exe tool on a remote, prestaged distribution point. This tool extracts content that has been exported to a file.
  Computer with log file: Site system role

PkgXferMgr.log
  Description: Records the actions of the SMS_Executive component that is responsible for sending content from a primary site to a remote distribution point.
  Computer with log file: Site server

SMSdpmon.log
  Description: Records details about distribution point health monitoring scheduled tasks that are configured on a distribution point.
  Computer with log file: Site system role

smsdpprov.log
  Description: Records details about the extraction of compressed files received from a primary site. This log is generated by the WMI provider of the remote distribution point.
  Computer with log file: Distribution point computer that isn't colocated with the site server

smsdpusage.log
  Description: Records details about the smsdpusage.exe that runs and gathers data for the distribution point usage summary report.
  Computer with log file: Site system role

Desktop Analytics

Use the following log files to help troubleshoot issues with Desktop Analytics integrated with Configuration Manager.

The log files on the service connection point are in the following directory: %ProgramFiles%\Configuration Manager\Logs\M365A.
The log files on the Configuration Manager client are in the following directory: %WinDir%\CCM\logs.

M365ADeploymentPlanWorker.log
  Description: Information about deployment plan sync from Desktop Analytics cloud service to on-premises Configuration Manager.
  Computer with log file: Service connection point

M365ADeviceHealthWorker.log
  Description: Information about device health upload from Configuration Manager to Microsoft cloud.
  Computer with log file: Service connection point

M365AHandler.log
  Description: Information about the Desktop Analytics settings policy.
  Computer with log file: Client

M365AUploadWorker.log
  Description: Information about collection and device upload from Configuration Manager to Microsoft cloud.
  Computer with log file: Service connection point

SmsAdminUI.log
  Description: Information about Configuration Manager console activity, like configuring the Azure cloud services.
  Computer with log file: Service connection point

Discovery

The following table lists the log files that contain information related to discovery.

adsgdis.log
  Description: Records Active Directory Security Group Discovery actions.
  Computer with log file: Site server

adsysdis.log
  Description: Records Active Directory System Discovery actions.
  Computer with log file: Site server

adusrdis.log
  Description: Records Active Directory User Discovery actions.
  Computer with log file: Site server

ADForestDisc.Log
  Description: Records Active Directory Forest Discovery actions.
  Computer with log file: Site server

ddm.log
  Description: Records activities of the discovery data manager.
  Computer with log file: Site server

InventoryAgent.log
  Description: Records activities of hardware inventory, software inventory, and heartbeat discovery actions on the client.
  Computer with log file: Client

netdisc.log
  Description: Records Network Discovery actions.
  Computer with log file: Site server

Endpoint analytics

UXAnalyticsUploadWorker.log
  Description: Records data upload to the service for endpoint analytics.
  Computer with log file: Service connection point

SensorWmiProvider.log
  Description: Records the activity of the WMI provider for the endpoint analytics sensor.
  Computer with log file: Client

SensorEndpoint.log
  Description: Records the execution of endpoint analytics policy and upload of client data to the site server.
  Computer with log file: Client

SensorManagedProvider.log
  Description: Records the gathering and processing of events and information for endpoint analytics.
  Computer with log file: Client

Endpoint Protection

The following table lists the log files that contain information related to Endpoint Protection.

EndpointProtectionAgent.log
  Description: Records details about the installation of the Endpoint Protection client and the application of antimalware policy to that client.
  Computer with log file: Client

EPCtrlMgr.log
  Description: Records details about the syncing of malware threat information from the Endpoint Protection role server with the Configuration Manager database.
  Computer with log file: Site system server

EPMgr.log
  Description: Monitors the status of the Endpoint Protection site system role.
  Computer with log file: Site system server

EPSetup.log
  Description: Provides information about the installation of the Endpoint Protection site system role.
  Computer with log file: Site system server

Extensions

The following table lists the log files that contain information related to extensions.

AdminUI.ExtensionInstaller.log
  Description: Records information about the download of extensions from Microsoft, and the installation and uninstallation of all extensions.
  Computer with log file: Computer that runs the Configuration Manager console

FeatureExtensionInstaller.log
  Description: Records information about the installation and removal of individual extensions when they're enabled or disabled in the Configuration Manager console.
  Computer with log file: Computer that runs the Configuration Manager console

SmsAdminUI.log
  Description: Records Configuration Manager console activity.
  Computer with log file: Computer that runs the Configuration Manager console

Inventory

The following table lists the log files that contain information related to processing inventory data.

dataldr.log
  Description: Records information about the processing of MIF files and hardware inventory in the Configuration Manager database.
  Computer with log file: Site server

invproc.log
  Description: Records the forwarding of MIF files from a secondary site to its parent site.
  Computer with log file: Secondary site server

sinvproc.log
  Description: Records information about the processing of software inventory data to the site database.
  Computer with log file: Site server

Metering

The following table lists the log files that contain information related to metering.

mtrmgr.log
  Description: Monitors all software metering processes.
  Computer with log file: Client

SWMTRReportGen.log
  Description: Generates a use data report that is collected by the metering agent. This data is logged in Mtrmgr.log.
  Computer with log file: Client

swmproc.log
  Description: Records the processing of metering files and settings.
  Computer with log file: Site server

Migration

The following table lists the log files that contain information related to migration.

migmctrl.log
  Description: Records information about migration actions that involve migration jobs, shared distribution points, and distribution point upgrades.
  Computer with log file: Top-level site in the Configuration Manager hierarchy, and each child primary site. In a multi-primary site hierarchy, use the log file created at the central administration site.

Mobile devices
The following sections list the log files that contain information related to managing
mobile devices.

Enrollment

The following table lists logs that contain information related to mobile device enrollment.

DMPRP.log
  Description: Records communication between management points that are enabled for mobile devices and the management point endpoints.
  Computer with log file: Site system server

dmpmsi.log
  Description: Records the Windows Installer data for the configuration of a management point that is enabled for mobile devices.
  Computer with log file: Site system server

DMPSetup.log
  Description: Records the configuration of the management point when it's enabled for mobile devices.
  Computer with log file: Site system server

enrollsrvMSI.log
  Description: Records the Windows Installer data for the configuration of an enrollment point.
  Computer with log file: Site system server

enrollmentweb.log
  Description: Records communication between mobile devices and the enrollment proxy point.
  Computer with log file: Site system server

enrollwebMSI.log
  Description: Records the Windows Installer data for the configuration of an enrollment proxy point.
  Computer with log file: Site system server

enrollmentservice.log
  Description: Records communication between an enrollment proxy point and an enrollment point.
  Computer with log file: Site system server

SMS_DM.log
  Description: Records communication between mobile devices, Mac computers, and the management point that is enabled for mobile devices and Mac computers.
  Computer with log file: Site system server

Exchange Server connector

The following logs contain information related to the Exchange Server connector.

easdisc.log
  Description: Records the activities and the status of the Exchange Server connector.
  Computer with log file: Site server

Mobile device legacy


The following table lists logs that contain information related to the mobile device
legacy client.

DmCertEnroll.log
  Description: Records details about certificate enrollment data on mobile device legacy clients.
  Computer with log file: Client

DMCertResp.htm
  Description: Records the HTML response from the certificate server when the mobile device legacy client enroller program requests a PKI certificate.
  Computer with log file: Client

DmClientHealth.log
  Description: Records the GUIDs of all mobile device legacy clients that communicate with the management point that is enabled for mobile devices.
  Computer with log file: Site system server

DmClientRegistration.log
  Description: Records registration requests and responses to and from mobile device legacy clients.
  Computer with log file: Site system server

DmClientSetup.log
  Description: Records client setup data for mobile device legacy clients.
  Computer with log file: Client

DmClientXfer.log
  Description: Records client transfer data for mobile device legacy clients and for ActiveSync deployments.
  Computer with log file: Client

DmCommonInstaller.log
  Description: Records client transfer file installation for configuring mobile device legacy client transfer files.
  Computer with log file: Client

DmInstaller.log
  Description: Records whether DMInstaller correctly calls DmClientSetup, and whether DmClientSetup exits with success or failure for mobile device legacy clients.
  Computer with log file: Client

DmpDatastore.log
  Description: Records all the site database connections and queries made by the management point that is enabled for mobile devices.
  Computer with log file: Site system server

DmpDiscovery.log
  Description: Records all the discovery data from the mobile device legacy clients on the management point that is enabled for mobile devices.
  Computer with log file: Site system server

DmpHardware.log
  Description: Records hardware inventory data from mobile device legacy clients on the management point that is enabled for mobile devices.
  Computer with log file: Site system server

DmpIsapi.log
  Description: Records mobile device legacy client communication with a management point that is enabled for mobile devices.
  Computer with log file: Site system server

dmpmsi.log
  Description: Records the Windows Installer data for the configuration of a management point that is enabled for mobile devices.
  Computer with log file: Site system server

DMPSetup.log
  Description: Records the configuration of the management point when it's enabled for mobile devices.
  Computer with log file: Site system server

DmpSoftware.log
  Description: Records software distribution data from mobile device legacy clients on a management point that is enabled for mobile devices.
  Computer with log file: Site system server

DmpStatus.log
  Description: Records status messages data from mobile device clients on a management point that is enabled for mobile devices.
  Computer with log file: Site system server

DmSvc.log
  Description: Records client communication from mobile device legacy clients with a management point that is enabled for mobile devices.
  Computer with log file: Client

FspIsapi.log
  Description: Records details about communications to the fallback status point from mobile device legacy clients and client computers.
  Computer with log file: Site system server

OS deployment

The following table lists the log files that contain information related to OS deployment.

CAS.log
  Description: Records details when distribution points are found for referenced content.
  Computer with log file: Client

ccmsetup.log
  Description: Records ccmsetup tasks for client setup, client upgrade, and client removal. Can be used to troubleshoot client installation problems.
  Computer with log file: Client

CreateTSMedia.log
  Description: Records details for task sequence media creation.
  Computer with log file: Computer that runs the Configuration Manager console

Dism.log
  Description: Records driver installation actions or update application actions for offline servicing.
  Computer with log file: Site system server

Distmgr.log
  Description: Records details about the configuration of enabling a distribution point for Preboot Execution Environment (PXE).
  Computer with log file: Site system server

DriverCatalog.log
  Description: Records details about device drivers that have been imported into the driver catalog.
  Computer with log file: Site system server

mcsisapi.log
  Description: Records information for multicast package transfer and client request responses.
  Computer with log file: Site system server

mcsexec.log
  Description: Records health check, namespace, session creation, and certificate check actions.
  Computer with log file: Site system server

mcsmgr.log
  Description: Records changes to configuration, security mode, and availability.
  Computer with log file: Site system server

mcsprv.log
  Description: Records multicast provider interaction with Windows Deployment Services (WDS).
  Computer with log file: Site system server

MCSSetup.log
  Description: Records details about multicast server role installation.
  Computer with log file: Site system server

MCSMSI.log
  Description: Records details about multicast server role installation.
  Computer with log file: Site system server

Mcsperf.log
  Description: Records details about multicast performance counter updates.
  Computer with log file: Site system server

MP_ClientID.log
  Description: Records management point responses to client ID requests that task sequences start from PXE or boot media.
  Computer with log file: Site system server

MP_DriverManager.log
  Description: Records management point responses to Auto Apply Driver task sequence action requests.
  Computer with log file: Site system server

OfflineServicingMgr.log
  Description: Records details of offline servicing schedules and update apply actions on operating system Windows Imaging Format (WIM) files.
  Computer with log file: Site system server

Setupact.log
  Description: Records details about Windows Sysprep and setup logs. For more information, see Log Files.
  Computer with log file: Client

Setupapi.log
  Description: Records details about Windows Sysprep and setup logs.
  Computer with log file: Client

Setuperr.log
  Description: Records details about Windows Sysprep and setup logs.
  Computer with log file: Client

smpisapi.log
  Description: Records details about the client state capture and restore actions, and threshold information.
  Computer with log file: Client

Smpmgr.log
  Description: Records details about the results of state migration point health checks and configuration changes.
  Computer with log file: Site system server

smpmsi.log
  Description: Records installation and configuration details about the state migration point.
  Computer with log file: Site system server

smpperf.log
  Description: Records the state migration point performance counter updates.
  Computer with log file: Site system server

smspxe.log
  Description: Records details about the responses to clients that use PXE boot, and details about the expansion of boot images and boot files.
  Computer with log file: Site system server

smssmpsetup.log
  Description: Records installation and configuration details about the state migration point.
  Computer with log file: Site system server

SMS_PhasedDeployment.log
  Description: Log file for phased deployments.
  Computer with log file: Top-level site in the Configuration Manager hierarchy

Smsts.log
  Description: Records task sequence activities.
  Computer with log file: Client

TSAgent.log
  Description: Records the outcome of task sequence dependencies before starting a task sequence.
  Computer with log file: Client

TaskSequenceProvider.log
  Description: Records details about task sequences when they're imported, exported, or edited.
  Computer with log file: Site system server

loadstate.log
  Description: Records details about the User State Migration Tool (USMT) and restoring user state data.
  Computer with log file: Client

scanstate.log
  Description: Records details about the User State Migration Tool (USMT) and capturing user state data.
  Computer with log file: Client

Power management

The following table lists the log files that contain information related to power management.

pwrmgmt.log
  Description: Records details about power management activities on the client computer, including monitoring and the enforcement of settings by the Power Management Client Agent.
  Computer with log file: Client

Remote control

The following table lists the log files that contain information related to remote control.

CMRcViewer.log
  Description: Records details about the activity of the remote control viewer.
  Computer with log file: On the computer that runs the remote control viewer, in the %temp% folder.

Reporting

The following table lists the Configuration Manager log files that contain information related to reporting.

srsrp.log
  Description: Records information about the activity and status of the reporting services point.
  Computer with log file: Site system server

srsrpMSI.log
  Description: Records detailed results of the reporting services point installation process from the MSI output.
  Computer with log file: Site system server

srsrpsetup.log
  Description: Records results of the reporting services point installation process.
  Computer with log file: Site system server

Role-based administration

The following table lists the log files that contain information related to managing role-based administration.

hman.log
  Description: Records information about site configuration changes and the publishing of site information to Active Directory Domain Services.
  Computer with log file: Site server

SMSProv.log
  Description: Records WMI provider access to the site database.
  Computer with log file: Computer with the SMS Provider

Software metering

The following table lists the log files that contain information related to software metering.

mtrmgr.log
  Description: Monitors all software metering processes.
  Computer with log file: Site server

Software updates

The following table lists the log files that contain information related to software updates.

AlternateHandler.log
  Description: Records details when the client calls the Office click-to-run COM interface to download and install Microsoft 365 Apps for enterprise client updates. It's similar to use of WuaHandler when it calls the Windows Update Agent API to download and install Windows updates.
  Computer with log file: Client

ccmperf.log
  Description: Records activities related to the maintenance and capture of data related to client performance counters.
  Computer with log file: Client

DeltaDownload.log
  Description: Records information about the download of express updates and updates downloaded using Delivery Optimization.
  Computer with log file: Client

PatchDownloader.log
  Description: Records details about the process of downloading software updates from the update source to the download destination on the site server.
  Computer with log file: When downloading updates manually, this log file is located in the %temp% directory of the user running the console on the machine you're running the console. For Automatic Deployment Rules, this log file is located on the site server in %windir%\CCM\Logs, if the ConfigMgr client is installed on the site server.

PolicyEvaluator.log
  Description: Records details about the evaluation of policies on client computers, including policies from software updates.
  Computer with log file: Client

RebootCoordinator.log
  Description: Records details about the coordination of system restarts on client computers after software update installations.
  Computer with log file: Client

ScanAgent.log
  Description: Records details about scan requests for software updates, the WSUS location, and related actions.
  Computer with log file: Client

SdmAgent.log
  Description: Records details about the tracking of remediation and compliance. However, the software updates log file, Updateshandler.log, provides more informative details about installing the software updates that are required for compliance. This log file is shared with compliance settings.
  Computer with log file: Client

ServiceWindowManager.log
  Description: Records details about the evaluation of maintenance windows.
  Computer with log file: Client

SMS_ISVUPDATES_SYNCAGENT.log
  Description: Log file for synchronization of third-party software updates.
  Computer with log file: Top-level software update point in the Configuration Manager hierarchy.

SMS_OrchestrationGroup.log
  Description: Log file for orchestration groups.
  Computer with log file: Site server

SmsWusHandler.log
  Description: Records details about the scan process for the Inventory Tool for Microsoft Updates.
  Computer with log file: Client

StateMessage.log
  Description: Records details about software update state messages that are created and sent to the management point.
  Computer with log file: Client

SUPSetup.log
  Description: Records details about the software update point installation. When the software update point installation completes, Installation was successful is written to this log file.
  Computer with log file: Site system server

UpdatesDeployment.log
  Description: Records details about deployments on the client, including software update activation, evaluation, and enforcement. Verbose logging shows additional information about the interaction with the client user interface.
  Computer with log file: Client

UpdatesHandler.log
  Description: Records details about software update compliance scanning and about the download and installation of software updates on the client.
  Computer with log file: Client

UpdatesStore.log
  Description: Records details about compliance status for the software updates that were assessed during the compliance scan cycle.
  Computer with log file: Client

WCM.log
  Description: Records details about software update point configurations and connections to the WSUS server for subscribed update categories, classifications, and languages.
  Computer with log file: Site server

WSUSCtrl.log
  Description: Records details about the configuration, database connectivity, and health of the WSUS server for the site.
  Computer with log file: Site system server

wsyncmgr.log
  Description: Records details about the software update sync process.
  Computer with log file: Site server

WUAHandler.log
  Description: Records details about the Windows Update Agent on the client when it searches for software updates.
  Computer with log file: Client

Wake On LAN
The following table lists the log files that contain information related to using Wake On
LAN.

Note

When you supplement Wake On LAN by using wake-up proxy, this activity is logged on the client. For example, see CcmExec.log and SleepAgent_<domain>@SYSTEM_0.log in the Client operations section of this article.

wolcmgr.log
  Description: Records details about which clients need to be sent wake-up packets, the number of wake-up packets sent, and the number of wake-up packets retried.
  Computer with log file: Site server

wolmgr.log
  Description: Records details about wake-up procedures, such as when to wake up deployments that are configured for Wake On LAN.
  Computer with log file: Site server

Windows servicing

The following table lists the log files that contain information related to Windows servicing.

Servicing uses the same infrastructure and process as software updates. For other logs applicable to the servicing scenario, see Software updates.

CBS.log
  Description: Records servicing failures related to changes for Windows Updates or roles and features.
  Computer with log file: Client

DISM.log
  Description: Records all actions using DISM. If necessary, DISM.log will point to CBS.log for more details.
  Computer with log file: Client

setupact.log
  Description: Primary log file for most errors that occur during the Windows installation process. The log file is located in the %windir%$Windows.~BT\sources\panther folder.
  Computer with log file: Client

For more information, see Online Servicing-Related Log Files.

Windows Update Agent


The following table lists the log files that contain information related to the Windows
Update Agent.

WindowsUpdate.log
  Description: Records details about when the Windows Update Agent connects to the WSUS server and retrieves the software updates for compliance assessment, and whether there are updates to the agent components.
  Computer with log file: Client

For more information, see Windows Update log files.

WSUS server

The following table lists the log files that contain information related to the WSUS server.

Change.log
  Description: Records details about WSUS server database information that has changed.
  Computer with log file: WSUS server

SoftwareDistribution.log
  Description: Records details about the software updates that are synced from the configured update source to the WSUS server database.
  Computer with log file: WSUS server

These log files are located in the %ProgramFiles%\Update Services\LogFiles folder.

See also

About log files
Support Center OneTrace
Support Center log file viewer
CMTrace

Release notes for Configuration Manager
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

With Configuration Manager, product release notes are limited to urgent issues. These
issues aren't yet fixed in the product, or detailed in a troubleshooting article.

Feature-specific documentation includes information about known issues that affect core scenarios.

This article contains release notes for the current branch of Configuration Manager. For
information on the technical preview branch, see Technical Preview.

For information about the new features introduced with different versions, see the
following articles:

What's new in version 2303
What's new in version 2211
What's new in version 2207
What's new in version 2203
What's new in version 2111

Tip

You can use RSS to be notified when this page is updated. For more information,
see How to use the docs.

Set up and upgrade

Version 2107 update fails to download

Applies to: version 2107 and later

The update for Configuration Manager version 2107 is available to download, but it fails
to download. The dmpdownloader.log on the service connection point has entries
similar to the following:

log

Download large file with BITs
WARNING: EasySetupDownloadSinglePackage Failed with exception: The remote name could not be resolved: 'configmgrbits.azureedge.net'
WARNING: Retry in the next polling cycle

This failure happens because the service connection point can't communicate with the
required internet endpoint, configmgrbits.azureedge.net . Confirm that the site system
that hosts the service connection point role can communicate with this internet
endpoint. It was already required, but its use is expanded in version 2107. The site
system can't download version 2107 or later unless your network allows traffic to this
URL.

For more information, see internet access requirements for the service connection point.
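The check described above, as an added PowerShell example that is not part of the Configuration Manager documentation: it resolves configmgrbits.azureedge.net, probes TCP 443 from the service connection point, and scans dmpdownloader.log for the quoted warning. The default log path and the CMTrace-style line layout used for parsing are assumptions; the sample log lines are constructed to mirror the excerpt above.

```powershell
# Added example, not from the Configuration Manager documentation.
# Verifies the service connection point can reach configmgrbits.azureedge.net
# and scans dmpdownloader.log for the name-resolution warning quoted above.
param(
    [string]$Endpoint = 'configmgrbits.azureedge.net',
    # Assumed default site server log location; adjust to your install directory.
    [string]$LogPath = "$env:ProgramFiles\Microsoft Configuration Manager\Logs\dmpdownloader.log"
)

# CMTrace-style line layout written by Configuration Manager components:
# <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
# type 1 = informational, 2 = warning, 3 = error.
$cmTraceLine = '<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]*)" date="(?<Date>[^"]*)" component="(?<Component>[^"]*)"(?:[^>]*type="(?<Type>\d)")?'

function Get-DmpDownloaderFailure {
    # Returns one object per log line that reports the endpoint download failure.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch $cmTraceLine) { continue }
        # Copy the captures before any further -match overwrites $Matches.
        $severity = switch ($Matches.Type) { '2' { 'Warning' } '3' { 'Error' } default { 'Info' } }
        $entry = [pscustomobject]@{
            Date      = $Matches.Date
            Time      = $Matches.Time
            Component = $Matches.Component
            Severity  = $severity
            Message   = $Matches.Message
        }
        if ($entry.Message -match 'could not be resolved|EasySetupDownloadSinglePackage Failed') {
            $entry
        }
    }
}

function Test-ServiceConnectionPointEndpoint {
    # DNS resolution plus a TCP 443 probe. If the site system reaches the
    # internet through a proxy, the TCP probe reflects only the direct path.
    param([string]$Name = 'configmgrbits.azureedge.net')
    $result = [ordered]@{ Endpoint = $Name; Resolves = $false; Addresses = @(); TcpPort443 = $false }
    try {
        $records = Resolve-DnsName -Name $Name -ErrorAction Stop
        # CDN names usually answer with CNAME records first; keep only address records.
        $result.Addresses = @($records | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
        $result.Resolves = $result.Addresses.Count -gt 0
    } catch {
        $result.Resolves = $false
    }
    if ($result.Resolves) {
        $probe = Test-NetConnection -ComputerName $Name -Port 443 -WarningAction SilentlyContinue
        $result.TcpPort443 = [bool]$probe.TcpTestSucceeded
    }
    [pscustomobject]$result
}

# Constructed sample lines mirroring the warnings quoted in this section,
# used when the real log is not present on the machine running the script.
$sampleLog = @(
    '<![LOG[Download large file with BITs]LOG]!><time="10:15:02.123+000" date="08-03-2021" component="SMS_DMP_DOWNLOADER" context="" type="1" thread="1234" file="">'
    '<![LOG[WARNING: EasySetupDownloadSinglePackage Failed with exception: The remote name could not be resolved: ''configmgrbits.azureedge.net'']LOG]!><time="10:15:05.456+000" date="08-03-2021" component="SMS_DMP_DOWNLOADER" context="" type="2" thread="1234" file="">'
    '<![LOG[WARNING: Retry in the next polling cycle]LOG]!><time="10:15:05.457+000" date="08-03-2021" component="SMS_DMP_DOWNLOADER" context="" type="2" thread="1234" file="">'
)

$lines = if (Test-Path -Path $LogPath) { Get-Content -Path $LogPath -Tail 2000 } else { $sampleLog }
$failures = @(Get-DmpDownloaderFailure -Lines $lines)
if ($failures.Count -gt 0) {
    Write-Output "dmpdownloader.log reports $($failures.Count) endpoint failure line(s):"
    $failures | Format-Table -AutoSize
}
Test-ServiceConnectionPointEndpoint -Name $Endpoint | Format-List
```

Run it on the site system that hosts the service connection point; a Resolves or TcpPort443 value of False alongside matched log lines points at the network path to the endpoint rather than at the site itself.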

Software updates

Reset default value of superseding age in months for software updates

Applies to: version 2303

Removing the SUP role in the admin console does not reset the superseding age property in WMI. As a result, while reconfiguring the role, the previously configured value is shown in the configuration window. This property needs to be reset to the default value on role removal. For more information, see supersedence rules for installing a software update point.

Security roles are missing for phased deployments
The OS Deployment Manager built-in security role has permissions to phased
deployments. The following roles are missing these permissions:

Application Administrator
Application Deployment Manager
Software Update Manager

The App Author role may appear to have some permissions to phased deployments,
but can't create deployments.

A user with one of these roles can start the Create Phased Deployment wizard, and can see phased deployments for an application or software update. They can't complete the wizard, or make any changes to an existing deployment.

To work around this issue, create a custom security role. Copy an existing security role, and add the following permissions on the Phased Deployment object class:

Create
Delete
Modify
Read

For more information, see Create custom security roles.

Configuration Manager console

Intune RBAC for tenant attached devices

Applies to: version 2207

[Updated]: There is a checkbox for a role-based access control (RBAC) setting in the
cloud attach configuration wizard in the console. By default, Configuration Manager
RBAC is enforced along with Intune RBAC when you're uploading your Configuration
Manager devices to the cloud service. This checkbox is selected by default.

You can now configure Intune role-based access control (RBAC) when interacting with
tenant attached devices from the Microsoft Intune admin center. For more information,
see Intune role-based access control for tenant-attached clients.

Unable to open console because extension installation loops

Applies to: version 2111

In certain circumstances, you'll be unable to open the console due to an extension installation loop. This issue occurs when two or more versions of a single extension were marked as required for installation. This issue occurs for extensions imported through the wizard, from a PowerShell script, or through Community hub. If you use the Make optional setting before importing a new version of the extension, this issue doesn't occur.

When you encounter this issue, it initially appears as a normal console extension installation. After the extension finishes installing, you select Close to restart the Configuration Manager console. When the console restarts, you're prompted to install the console extension again. The extension installation will continue to loop and the Configuration Manager console doesn't fully open.

To both prevent and work around this issue, run the below SQL script on your CAS database and all of your primary site databases:

SQL

-- Redefine the view so that only the highest version of each extension is
-- returned (RN = 1), which stops the install loop caused by two required versions.
ALTER VIEW vSMS_ConsoleExtensionMetadata
AS
WITH m AS (
    SELECT *,
        RN = ROW_NUMBER() OVER (PARTITION BY ID ORDER BY Version DESC)
    FROM ConsoleExtensionMetadata
)
SELECT
    m.ID,
    m.Name,
    m.Description,
    m.Author,
    m.Version,
    m.IsEnabled,
    m.IsApproved,
    m.CreatedTime,
    m.CreatedBy,
    m.UpdateTime,
    m.IsTombstoned,
    m.IsRequired,
    m.IsSigned,
    m.IsUnsignedAllowed,
    CASE m.IsRequired
        WHEN 0 THEN ''
        ELSE (
            -- Author of the most recent revision that marked this version as required
            SELECT TOP (1) author
            FROM ConsoleExtensionRevisionHistory h
            WHERE m.ID = h.ExtensionId AND m.Version = h.Version AND h.Changes & 1 = 1
            ORDER BY h.RevisionTime DESC
        )
    END AS RequiredBy,
    m.IsSetupDefined
FROM m
WHERE RN = 1
GO

State messages in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

State messages contain concise information about conditions on the Configuration Manager client. The state messaging system is used by specific components of Configuration Manager, such as software updates and configuration settings.

Configuration Manager clients send state messages to the fallback status point or the
management point to report the current state of operations. You can create reports to
view state messages sent by clients.

Each Configuration Manager feature that uses state messages is identified by the topic
type of the state message. The state message topic types listed in this article can be
used to define the Configuration Manager feature that a state message relates to.

Note

A state message ID value of zero (0) typically indicates that the topic type is in an unknown state.

Software updates

300 STATE_TOPICTYPE_SUM_ASSIGNMENT_COMPLIANCE

State message ID   State message description
1                  Compliant
2                  Non-compliant

301 STATE_TOPICTYPE_SUM_ASSIGNMENT_ENFORCEMENT

State message ID   State message description
1                  Installing updates
2                  Waiting for restart
3                  Waiting for another installation to complete
4                  Successfully installed updates
5                  Pending system restart
6                  Failed to install the updates
7                  Downloading the updates
8                  Downloaded updates
9                  Failed to download updates
10                 Waiting for the maintenance window before installing
11                 Waiting for orchestration
12                 Waiting for superseding update

302 STATE_TOPICTYPE_SUM_ASSIGNMENT_EVALUATION

State message ID   State message description
1                  Evaluation activated
2                  Evaluation succeeded
3                  Evaluation failed

400 STATE_TOPICTYPE_SUM_CI_DETECTION

State message ID   State message description
1                  Not required
2                  Not detected
3                  Detected

401 STATE_TOPICTYPE_SUM_CI_COMPLIANCE

State message ID   State message description
1                  Compliant
2                  Non-compliant
3                  Conflict detected
4                  Error
5                  Unknown
6                  Partial compliance
7                  Compliance not configured

402 STATE_TOPICTYPE_SUM_CI_ENFORCEMENT

State message ID   State message description
1                  Enforcement started
2                  Enforcement waiting for content
3                  Waiting for another installation to complete
4                  Waiting for the maintenance window before installing
5                  Restart required before installing
6                  General failure
7                  Pending installation
8                  Installing update
9                  Pending system restart
10                 Successfully installed update
11                 Failed to install the update
12                 Downloading update
13                 Downloaded update
14                 Failed to download the update

500 STATE_TOPICTYPE_SUM_UPDATE_DETECTION

State message ID   State message description
1                  Update isn't required
2                  Update is required
3                  Update is installed

501 STATE_TOPICTYPE_SUM_UPDATE_SOURCE_SCAN

State message ID   State message description
1                  Scan is waiting for content
2                  Scan is running
3                  Scan complete
4                  Scan is pending retry
5                  Scan failed
6                  Scan completed with errors

Client deployment

The following topic types have no state IDs:

Topic type   Description
700          STATE_TOPICTYPE_RESYNC_STATE_MSG
701          STATE_TOPICTYPE_SYSTEM_HEARTBEAT
702          STATE_TOPICTYPE_CKD_UPDATE
801          STATE_TOPICTYPE_DEVICE_CLIENT_DEPLOYMENT

800 STATE_TOPICTYPE_CLIENT_DEPLOYMENT

State message ID   State message description
100                Client deployment started
101                Waiting for download
102                Deployment scheduled
103                Waiting for the window before deploying
104                Deployment skipped
301                Unknown client deployment failure
302                Failed to create the ccmsetup service
303                Failed to delete the ccmsetup service
304                Can't install over embedded OS with File-Based Write Filter (FBWF) enabled on the system drive
305                Native security mode isn't valid on Windows 2000
306                Failed to start ccmsetup download process
307                Non-valid ccmsetup command line
308                Failed to download the file over WINHTTP at address
309                Failed to download the files through BITS at address
310                Failed to install BITS version
311                Can't verify that prerequisite file is MS signed
312                Failed to copy the file because the disk is full
313                Client.msi installation failed with MSI error
314                Failed to load ccmsetup.xml manifest file
315                Failed to obtain a client certificate
316                Prerequisite file isn't MS signed
317                Reboot required to continue the installation
318                Can't install the client on the MP because the MP and client versions don't match
319                Operating system or service pack not supported
320                Deployment not supported
321                BITS missing
322                Source folder is unavailable
323                App-V not supported
324                Incorrect site version
325                Prerequisite hash mismatch
326                MDM deregistration failed
327                MDM registration detected
328                Intune detected
329                Metered network disallowed
400                Client deployment succeeded
401                Deployment succeeded, reboot required
402                Deployment succeeded, reboot succeeded
500                Client assignment started
601                Unknown client assignment failure
602                The following site code is invalid
603                Failed to assign to MP
604                Failed to discover default management point
605                Failed to download site signing certificate
606                Failed to auto discover site code
607                Site assignment failed; client version higher than site version
608                Failed to get site version from Active Directory Domain Services and SLP
609                Failed to get client version
700                Client assignment succeeded

810 STATE_TOPICTYPE_CLIENT_COMANAGEMENT

State message ID   State message description
100                Enrollment status
101                Enrollment scheduled
102                Enrollment canceled
105                Enrollment started
106                Enrollment succeeded but isn't provisioned
107                Enrollment succeeded and is provisioned
108                Enrollment no active user
110                Enrollment failed

820 STATE_TOPICTYPE_CLIENT_WUFB

State message ID   State message description
1                  Windows Update for Business client status

Content

The following topic types have no state IDs:

Topic type   Description
901          STATE_TOPICTYPE_REMOTE_DP_MONITORING
902          STATE_TOPICTYPE_PULL_DP_MONITORING
903          STATE_TOPICTYPE_DP_USAGE

900 STATE_TOPICTYPE_BRANCH_DP

State message ID   State message description
1                  Disk space

Client operations

1000 STATE_TOPICTYPE_CLIENT_FRAMEWORK_COMM

State message ID   State message description
1                  Client is successfully communicating with the management point
2                  Client failed to communicate with the management point

1001 STATE_TOPICTYPE_CLIENT_FRAMEWORK_LOCAL

State message ID   State message description
1                  Client successfully retrieved the certificate from the local certificate store
2                  Client failed to retrieve the certificate from the local certificate store

1100 STATE_TOPICTYPE_CLIENT_FRAMEWORK_MODEREADINESS

State message ID   State message description
1                  Client not ready for native mode
2                  Client ready for native mode

1300 STATE_TOPICTYPE_CLIENT_HEALTH

State message ID   State message description
1                  Success
2                  Not successful

Legacy device client

The following topic types have no state IDs:

Topic type   Description
1002         STATE_TOPICTYPE_DEVICE_CLIENT_FRAMEWORK_COMM
1003         STATE_TOPICTYPE_DEVICE_CLIENT_FRAMEWORK_LOCAL
1004         STATE_TOPICTYPE_DEVICE_CLIENT_FRAMEWORK_CERTIFICATE
1005         STATE_TOPICTYPE_DEVICE_CLIENT_WIPE
1006         STATE_TOPICTYPE_DEVICE_CLIENT_RETIRE
1007         STATE_TOPICTYPE_DEVICE_CLIENT_WIPE_INTUNE
1008         STATE_TOPICTYPE_DEVICE_CLIENT_RETIRE_INTUNE
1009         STATE_TOPICTYPE_DEVICE_CLIENT_DEVICELOCK
1010         STATE_TOPICTYPE_DEVICE_CLIENT_DEVICELOCK_INTUNE
1011         STATE_TOPICTYPE_DEVICE_CLIENT_DEVICEPINRESET
1012         STATE_TOPICTYPE_DEVICE_CLIENT_DEVICEPINRESET_INTUNE
1013         STATE_TOPICTYPE_DEVICE_CLIENT_DEVICEPINRESET_ONPREM
1014         STATE_TOPICTYPE_DEVICE_CLIENT_DEVICEALBYPASS
1015         STATE_TOPICTYPE_DEVICE_CLIENT_DEVICEALBYPASS_INTUNE

Miscellaneous

The following topic types have no state IDs:

Topic type   Description
1401         STATE_TOPICTYPE_STATE_REPORT
1500         STATE_TOPICTYPE_CAL_TRACK_UT
1502         STATE_TOPICTYPE_CAL_TRACK_MT
1503         STATE_TOPICTYPE_CAL_TRACK_ML

1600 STATE_TOPICTYPE_USER_AFFINITY

State message ID   State message description
1                  User affinity set
2                  User affinity removed

1660 STATE_TOPICTYPE_SENSOR_STATUS

State message ID   State message description
1                  Sensor off
2                  Sensor on

Applications

The following topic types have no state IDs:

Topic type   Description
1700         STATE_TOPICTYPE_APP_CI_SCAN
1701         STATE_TOPICTYPE_APP_CI_COMPLIANCE
1703         STATE_TOPICTYPE_APP_CI_ASSIGNMENT_EVALUATION
1704         STATE_TOPICTYPE_APP_CI_LAUNCH

1702 STATE_TOPICTYPE_APP_CI_ENFORCEMENT

State message ID   State message description
1000               Configuration item succeeded
1001               Configuration item succeeded already installed
1002               Configuration item succeeded preflight
1003               Configuration item fast status succeeded
2000               Configuration item in progress
2001               Configuration item in progress waiting for content
2002               Configuration item in progress installing
2003               Configuration item in progress waiting reboot
2004               Configuration item in progress waiting for maintenance window
2005               Configuration item in progress waiting schedule
2006               Configuration item in progress downloading dependent content
2007               Configuration item in progress installing dependencies
2008               Configuration item in progress pending reboot
2009               Configuration item in progress content downloaded
2010               Configuration item in progress pending update
2011               Configuration item in progress waiting user reconnect
2012               Configuration item in progress waiting for user sign-out
2013               Configuration item in progress waiting for user sign-in
2014               Configuration item in progress waiting for install
2015               Configuration item in progress waiting for retry
2016               Configuration item in progress waiting for presentation mode
2017               Configuration item in progress waiting for orchestration
2018               Configuration item in progress waiting for network
2019               Configuration item in progress pending update VE
2020               Configuration item in progress updating VE
3000               Configuration item requirements not met
3001               Configuration item requirements not met host not applicable
4000               Configuration item unknown
5000               Configuration item error
5001               Configuration item error evaluating
5002               Configuration item error installing
5003               Configuration item error retrieving content
5004               Configuration item error installing dependency
5005               Configuration item error retrieving content dependency
5006               Configuration item error rules conflict
5007               Configuration item error waiting for retry
5008               Configuration item error uninstalling supersedence
5009               Configuration item error downloading superseded
5010               Configuration item error updating VE
5011               Configuration item error installing license
5012               Configuration item error retrieving allow all trusted apps
5013               Configuration item error no licenses available
5014               Configuration item error OS not supported
6000               Configuration item launch succeeded
6010               Configuration item launch error
6020               Configuration item launch unknown

Events

The following topic types have no state IDs:

Topic type   Description
1800         STATE_TOPICTYPE_EVENT_INTRINSIC
1801         STATE_TOPICTYPE_EVENT_EXTRINSIC

Endpoint protection

The following topic types have no state IDs:

Topic type   Description
1900         STATE_TOPICTYPE_EP_AM_INFECTION
1901         STATE_TOPICTYPE_EP_AM_HEALTH
1902         STATE_TOPICTYPE_EP_MALWARE
1950         STATE_TOPICTYPE_ATP_HEALTH_STATUS

2001 STATE_TOPICTYPE_EP_CLIENT_DEPLOYMENT

State message ID   State message description
1                  Endpoint Protection unmanaged
2                  Endpoint Protection waiting for install
3                  Endpoint Protection managed
4                  Endpoint Protection installation failed
5                  Endpoint Protection reboot pending
6                  Endpoint Protection not supported
7                  Endpoint Protection co-managed

2002 STATE_TOPICTYPE_EP_CLIENT_POLICYAPPLICATION

State message ID   State message description
1                  Endpoint Protection policy application succeeded
2                  Endpoint Protection policy application failed

2003 STATE_TOPICTYPE_CLIENT_ACTION

State message ID   State message description
1                  Not applicable
2                  Failed
3                  Succeeded

Wake-up proxy

2100 STATE_TOPICTYPE_WP_CLIENT_DEPLOYMENT

State message ID   State message description
1                  Wake-up proxy isn't installed
2                  Wake-up proxy is waiting for installation
3                  Wake-up proxy is installed
4                  Wake-up proxy installation failed
5                  Wake-up proxy is waiting for reboot
6                  Wake-up proxy isn't supported on this OS
7                  Wake-up proxy server opt-out
8                  Wake-up proxy uninstall failed
9                  Wake-up proxy runtime not supported

Mobile device management

The following topic types have no state IDs:

Topic type   Description
2200         STATE_TOPICTYPE_FDM
2201         STATE_TOPICTYPE_CCM_CERT_BINDING
2202         STATE_TOPICTYPE_SERVER_STATISTIC
4000         STATE_TOPICTYPE_MDM_DEVICE_PROPERTY
4002         STATE_TOPICTYPE_MDM_CLIENT_IDENITITY
4003         STATE_TOPICTYPE_MDM_APPLICATION_REQUEST
4004         STATE_TOPICTYPE_MDM_APPLICATION_STATE
4005         STATE_TOPICTYPE_MDM_LICENSE_DEVICE_RELATION
4006         STATE_TOPICTYPE_MDM_LICENSE_KEYS
4007         STATE_TOPICTYPE_MDM_POLICY_ASSIGNMENT
4008         STATE_TOPICTYPE_MDM_ANDROID_COUNT
4009         STATE_TOPICTYPE_MDM_SLK_STATUS
4010         STATE_TOPICTYPE_MDM_USER_COMPANY_TERM_ACCEPTANCE
4022         STATE_TOPICTYPE_MDM_DEP_SYNCNOW_STATUS
4023         STATE_TOPICTYPE_MDM_MAM_STORE_APP_SYNC

3000 STATE_TOPICTYPE_DM_WNS_CHANNEL

State message ID   State message description
0                  Windows Push Notification service channel set

Resource access

5000 STATE_TOPICTYPE_CERTIFICATE_ENROLLMENT

State message ID   State message description
1                  Challenge issued
2                  Challenge issue failed
3                  Request creation failed
4                  Request submit failed
5                  Challenge validation succeeded
6                  Challenge validation failed
7                  Issue failed
8                  Issue pending
9                  Issued
10                 Response processing failed
11                 Response pending
12                 Enrollment succeeded
13                 Enrollment not needed
14                 Revoked
15                 Removed from collection
16                 Renew verified
17                 Install failed
18                 Installed
19                 Delete failed
20                 Deleted
21                 Renewal requested

5001 STATE_TOPICTYPE_CERTIFICATE_CRP

State message ID   State message description
1                  Challenge issued
2                  Challenge issue failed
3                  Request creation failed
4                  Request submit failed
5                  Challenge validation succeeded
6                  Challenge validation failed
7                  Issue failed
8                  Issue pending
9                  Issued
10                 Response processing failed
11                 Response pending
12                 Enrollment succeeded
13                 Enrollment not needed
14                 Revoked
15                 Removed from collection
16                 Renew verified
17                 Install failed
18                 Installed
19                 Delete failed
20                 Deleted
21                 Renewal requested

5200 STATE_TOPICTYPE_RESOURCE_ACCESS_STATUS

State message ID   State message description
1                  Status pin set up succeeded
2                  Status pin set up failed
3                  Status pin set up not supported
4                  Status pin set up in progress

Remote applications

The following topic types have no state IDs:

Topic type   Description
6000         STATE_TOPICTYPE_REMOTEAPP_SUBSCRIPTION_STATUS
6001         STATE_TOPICTYPE_REMOTEAPP_SUBSCRIPTION_SYNC_STATUS
6002         STATE_TOPICTYPE_REMOTEAPP_AUTHCOOKIES_SYNC_STATUS
6003         STATE_TOPICTYPE_REMOTEAPPLICATIONS_SYNC_STATUS
6004         STATE_TOPICTYPE_REMOTEAPP_LOCK_RESULT

Compliance settings

The following topic types have no state IDs:

Topic type   Description
7000         STATE_TOPICTYPE_USER_COMPANY_TERM_ACCEPTANCE

7001 STATE_TOPICTYPE_PFX_CERTIFICATE

State message ID   State message description
1                  Challenge issued
2                  Challenge issue failed
3                  Request creation failed
4                  Request submit failed
5                  Challenge validation succeeded
6                  Challenge validation failed
7                  Issue failed
8                  Issue pending
9                  Issued
10                 Response processing failed
11                 Response pending
12                 Enrollment succeeded
13                 Enrollment not needed
14                 Revoked
15                 Removed from collection
16                 Renew verified
17                 Install failed
18                 Installed
19                 Delete failed
20                 Deleted
21                 Renewal requested

7010 STATE_TOPICTYPE_CONDITIONAL_ACCESS_COMPLIANCE

State message ID   State message description
1                  Compliance success
2                  Compliance fail at MP
3                  Compliance fail at the client
4                  Compliance fail at Intune
5                  Compliance fail at Azure AD
6                  Compliance comgmt Intune

Peer caching

7200 STATE_TOPICTYPE_SUPER_PEER_UPDATE_CACHE_MAP

State message ID   State message description
1                  Peer Cache Source added
2                  Peer Cache Source removed

7201 STATE_TOPICTYPE_SUPER_PEER_UPDATE_CONFIG

State message ID   State message description
1                  Peer Cache Source deactivated
2                  Peer Cache Source is active

7202 STATE_TOPICTYPE_DOWNLOAD_AGGREGATE_DATA

State message ID   State message description
1                  Download aggregate data upload

7203 STATE_TOPICTYPE_PEERSOURCE_REQ_REJECTION_STATS

State message ID   State message description
1                  Peer source rejection data upload

Proxy

The following topic types have no state IDs:

Topic type   Description
7300         STATE_TOPICTYPE_PROXY_TRAFFIC
7301         STATE_TOPICTYPE_PROXY_CONNECTION
7302         STATE_TOPICTYPE_SRS_USAGE_DATA
7303         STATE_TOPICTYPE_PROXY_TRAFFIC_IDENTITY

Health attestation

8001 STATE_TOPICTYPE_HAS_REPORT

State message ID   State message description
1                  Health attestation is supported
2                  Health attestation isn't supported

Client actions

The following topic types have no state IDs:

Topic type   Description
8002         STATE_TOPICTYPE_DEVICE_CLIENT_EDPLOG
8003         STATE_TOPICTYPE_ENABLE_LOSTMODE
8004         STATE_TOPICTYPE_DISABLE_LOSTMODE
8005         STATE_TOPICTYPE_LOCATE_DEVICE
8006         STATE_TOPICTYPE_REBOOT_DEVICE
8007         STATE_TOPICTYPE_LOGOUTUSER
8008         STATE_TOPICTYPE_USERSLIST
8009         STATE_TOPICTYPE_DELETEUSER
8010         STATE_TOPICTYPE_CLEANPCRETAININGUSERDATA
8011         STATE_TOPICTYPE_CLEANPCWITHOUTRETAININGUSERDATA
8012         STATE_TOPICTYPE_SETDEVICENAME
9000         STATE_TOPICTYPE_BOOK_CI_COMPLIANCE
9001         STATE_TOPICTYPE_BOOK_CI_ENFORCEMENT

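The tables above are raw data; what a practitioner usually wants is a way to turn (topic type, state ID) pairs pulled from client reports into readable findings and to spot the ones that matter for security: failed signature, hash and certificate checks during client deployment, certificate retrieval and enrollment failures, and conditional access compliance failures. The following Python is an added example, not code from the Configuration Manager documentation or product. The StateMessage record (device name, topic type, state ID) is a constructed abstraction of what a state message carries, the sample records are constructed, and the choice of which states count as integrity or compliance alerts is this example's own, drawn from the tables above.

```python
"""Decode and triage Configuration Manager state messages by topic type and state ID.

Added example; not from the Configuration Manager documentation or product. The
StateMessage record is a constructed abstraction of what a state message carries,
the sample data is constructed, and the alert sets are this example's own choice.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Feature area per topic type, from the tables above (only the ones this example uses).
TOPIC_FEATURE = {
    301: "Software updates: assignment enforcement",
    800: "Client deployment",
    1001: "Client framework: local certificate",
    5000: "Certificate enrollment",
    7010: "Conditional access compliance",
}

# Descriptions keyed by (topic type, state ID), from the tables above.
STATE_TEXT = {
    (301, 4): "Successfully installed updates",
    (301, 6): "Failed to install the updates",
    (800, 311): "Can't verify that prerequisite file is MS signed",
    (800, 315): "Failed to obtain a client certificate",
    (800, 316): "Prerequisite file isn't MS signed",
    (800, 325): "Prerequisite hash mismatch",
    (800, 400): "Client deployment succeeded",
    (800, 605): "Failed to download site signing certificate",
    (1001, 1): "Client successfully retrieved the certificate from the local certificate store",
    (1001, 2): "Client failed to retrieve the certificate from the local certificate store",
    (5000, 7): "Issue failed",
    (5000, 12): "Enrollment succeeded",
    (7010, 1): "Compliance success",
    (7010, 3): "Compliance fail at the client",
}

# States a security team should look at: failed signature, hash and certificate
# checks, and conditional access compliance failures. This selection is the
# example author's, not a Microsoft-defined list.
INTEGRITY_ALERTS = {(800, 311), (800, 315), (800, 316), (800, 325), (800, 605), (1001, 2), (5000, 7)}
COMPLIANCE_ALERTS = {(7010, 2), (7010, 3), (7010, 4), (7010, 5)}


@dataclass(frozen=True)
class StateMessage:
    resource: str     # device that reported the state
    topic_type: int
    state_id: int


def describe(msg):
    """Return 'feature / description'. State ID 0 is reported as an unknown state, per the note above."""
    feature = TOPIC_FEATURE.get(msg.topic_type, f"Topic type {msg.topic_type}")
    if msg.state_id == 0:
        text = "Unknown state"
    else:
        text = STATE_TEXT.get((msg.topic_type, msg.state_id), f"State ID {msg.state_id} (not in table)")
    return f"{feature} / {text}"


def triage(messages):
    """Split messages into integrity alerts, compliance alerts and a per-feature message count."""
    report = {"integrity": [], "compliance": [], "counts": Counter()}
    for m in messages:
        key = (m.topic_type, m.state_id)
        report["counts"][TOPIC_FEATURE.get(m.topic_type, f"Topic type {m.topic_type}")] += 1
        if key in INTEGRITY_ALERTS:
            report["integrity"].append((m.resource, describe(m)))
        elif key in COMPLIANCE_ALERTS:
            report["compliance"].append((m.resource, describe(m)))
    return report


def widespread_integrity_failures(messages, min_devices=3):
    """Integrity-alert states seen on at least min_devices distinct devices.

    One device failing a signature or hash check is usually a local problem; the
    same failure across many devices points at the content they share (a
    distribution point or the path to it) and deserves an investigation.
    """
    devices = defaultdict(set)
    for m in messages:
        key = (m.topic_type, m.state_id)
        if key in INTEGRITY_ALERTS:
            devices[key].add(m.resource)
    return {k: len(v) for k, v in devices.items() if len(v) >= min_devices}


# Constructed sample records, not real telemetry.
SAMPLE = [
    StateMessage("PC-001", 800, 400),
    StateMessage("PC-002", 800, 325),
    StateMessage("PC-003", 800, 325),
    StateMessage("PC-004", 800, 325),
    StateMessage("PC-005", 800, 316),
    StateMessage("PC-006", 1001, 2),
    StateMessage("PC-007", 301, 6),
    StateMessage("PC-008", 7010, 3),
    StateMessage("PC-009", 301, 0),
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    for kind in ("integrity", "compliance"):
        for resource, text in report[kind]:
            print(f"[{kind.upper()}] {resource}: {text}")
    for (topic, state), n in widespread_integrity_failures(SAMPLE).items():
        print(f"[WIDESPREAD] {n} devices report {topic}/{state}: {STATE_TEXT[(topic, state)]}")
```

Run against the constructed sample, the triage lists five integrity alerts and one compliance alert, and the correlation step singles out state 325 (prerequisite hash mismatch) because three different devices report it. That is the pattern worth escalating: the same integrity failure on several devices suggests the content source rather than the individual clients.
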
Next steps
Description of state messaging in Configuration Manager
Unicode and ASCII support in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager creates most objects by using Unicode characters. However, several objects only support ASCII characters, or they have other limitations.

Objects that use ASCII characters

When you create the following objects, Configuration Manager only supports the ASCII character set:

Site code

All site system server computer names

The following Configuration Manager accounts:

Note

These accounts support ASCII characters, and RUS characters on a site that runs in Russian.

Client push installation account

Management point database connect account

Network access account

Package access account

Standard sender account

Site system installation account

Software update point connection account

Software update point proxy server account

Note

The accounts that you specify for role-based administration support Unicode.

The reporting services point account supports Unicode, with the exception of RUS characters.

Fully qualified domain name (FQDN) for site servers and site systems

Installation path for Configuration Manager

SQL Server instance name

The path for the following site system roles:

Enrollment point

Enrollment proxy point

Reporting services point

State migration point

The path for the following folders:

The folder that stores client state migration data

The folder that contains the Configuration Manager reports

The folder that stores the Configuration Manager backup

The folder that stores the installation source files for site setup

The folder that stores the prerequisite downloads for use by setup

The path for the following objects:

IIS website

Virtual application installation path

Virtual application name

Boot media ISO file names

Custom property names

Other limitations
The following limitations are for supported character sets and language versions:

Configuration Manager doesn't support changing the locale of the site server
computer.

An enterprise certificate authority (CA) doesn't support client computer names that use double-byte character sets (DBCS). The client computer names that you can use are restricted by the PKI limitation of the IA5 character set: name fields in a certificate, such as the DNS name in the subject alternative name, are encoded as IA5String, which only permits 7-bit ASCII. Configuration Manager doesn't support CA names or subject name values that use DBCS.

Objects that aren't localized

The Configuration Manager database supports Unicode for most objects that it stores. When possible, it displays this information in the OS language that matches the locale of a computer. For the client interface or Configuration Manager console to display information in the computer's OS language, the computer's locale must match a client or server language that you install at a site.

Several Configuration Manager objects don't support Unicode. They're stored in the
database by using ASCII, or they have other language limitations. This information is
always displayed by using the ASCII character set, or in the language that was in use
when you created the object.

Next steps
Language packs in Configuration Manager
Management insights in Configuration Manager
Article • 03/14/2023

Applies to: Configuration Manager (current branch)

Management insights in Configuration Manager provide information about the current state of your environment. The information is based on analysis of data from the site database. Insights help you to better understand your environment and take action based on the insight.

Review management insights

To view the insights, your account needs the Read permission on the Site object.

1. In the Configuration Manager console, go to the Administration workspace, expand Management Insights, and select All Insights.

Note

When you select the Management Insights node, it shows the Management insights dashboard.

2. Open the management insights group name you want to review.

3. In the ribbon, select Show Insights.

The following four tabs are available for review:

All Rules: Gives the complete list of insights for the chosen group.

Complete: Lists insights where no action is needed.

In Progress: Shows insights where some, but not all, prerequisites are complete.

Action Needed: This tab lists insights that need you to take action. Select More
Details to show specific items where action is needed.

The Prerequisites pane lists any required items needed to run the selected insight.

(The original article shows a screenshot of the All Rules tab for the Cloud Services group here.)

To see the details, select an insight, and then select More Details.

Operations
The site reevaluates the applicability of the management insights on a weekly schedule.
To manually reevaluate an insight, right-click the insight, and select Re-evaluate.

The log file for management insights is SMS_DataEngine.log on the site server.

Some insights let you take action. Select an insight, select More Details, and then if
available select Take action. Depending upon the insight, this action has one of the
following behaviors:

Automatically navigate in the console to the node where you can take further
action. For example, if the management insight recommends changing a client
setting, taking action navigates to the Client Settings node. Then take further
action by modifying the default or a custom client settings object.

Navigate to a filtered view based on a query. For example, taking action on the
empty collections insight shows just these collections in the list of collections. Then
take further action, such as deleting a collection or modifying its membership
rules.

Management insights dashboard

Select the Management Insights node to display a graphical dashboard. This dashboard displays an overview of the insight states, which makes it easier for you to show your progress.

Use the following filters at the top of the dashboard to refine the view:

Show Completed
Optional
Recommended
Critical

The dashboard includes the following tiles:

Management insights index: Tracks overall progress on management insights. The index is a weighted average. Critical insights are worth the most. This index gives the least weight to optional insights.

Management insights groups: Shows the percent of insights in each group, honoring the filters. Select a group to drill down to the specific insights in this group.

Management insights priority: Shows the percent of insights by priority, honoring the filters.

Top 10 applicable insight rules: A table of insights including priority and state. Use the Filter field at the top of the table to match strings in any of the available columns. The dashboard sorts the table in the following order:

Status: Action Needed, Completed, Unknown
Priority: Critical, Recommended, Optional
Last Changed: older dates on top

Groups and insights

Insights are organized into the following management insight groups:

Applications
Cloud services
Collections
Configuration Manager Assessment
Deprecated and unsupported features
Optimize for remote workers
Proactive maintenance
Security
Simplified management
Software Center
Software updates
Windows 10

Note

Your site may not show all of the following groups and insights. Some insights don't appear when you've already configured the site for the recommendation.

Applications

Insights for your application management.

Applications without deployments or references: Lists the applications in your environment that don't have active deployments or references. References include dependencies, task sequences, and virtual environments. This insight helps you find and delete unused applications to simplify the list of applications displayed in the console. For more information, see Deploy applications.

Cloud services
Helps you integrate with many cloud services, which enable modern management of
your devices.

Assess co-management readiness: Helps you understand what steps are needed
to enable co-management. This insight has prerequisites. For more information,
see Co-management overview.

Devices not uploaded to Azure AD: This insight lists devices that the site hasn't
uploaded to Azure Active Directory (Azure AD) because you haven't configured it
for HTTPS. Configure Enhanced HTTP, or enable at least one management point
for HTTPS. If you already configured the site for HTTPS communication, this insight
doesn't appear.

Enable cloud management gateway: The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients over the internet. By deploying the CMG as a cloud service in Microsoft Azure, you can continue to manage and serve content to clients that roam onto the internet. With CMG, you don't need any additional on-premises infrastructure exposed to the internet. For more information, see Overview of CMG.

Enable devices to be hybrid Azure Active Directory joined: Hybrid Azure AD-joined devices allow users to sign in with their domain credentials, and make sure devices meet the organization's security and compliance standards. For more information, see Azure AD hybrid identity design considerations.

Sites that don't have proper HTTPS configuration: This insight lists sites in your
hierarchy that aren't properly configured for HTTPS. This configuration prevents
the site from synchronizing collection membership results to Azure AD groups. It
may cause Azure AD sync to not upload all devices. Management of these clients
may not function properly. Configure Enhanced HTTP, or enable at least one
management point for HTTPS. If you already configured the site for HTTPS
communication, this insight doesn't appear.

Update clients to the latest Windows 10 version: Windows 10, version 1709 or
above improves and modernizes the computing experience of your users. For
more information, see Stay current with Windows as a service.

Collections
Insights that help simplify management by cleaning up and reconfiguring collections.

Empty Collections: Lists collections in your environment that have no members. For more information, see How to manage collections.

Collections with no query rules and no direct members: To simplify the list of
collections in your hierarchy, delete these collections.

Collections with the same re-evaluation start time: These collections have the
same re-evaluation time as other collections. Modify the re-evaluation time so they
don't conflict.

Collections with query time over 5 minutes: Review the query rules for this
collection. Consider modifying or deleting the collection.

The following insights include configurations that potentially cause unnecessary load on the site. Review these collections, then either delete them, or disable collection rule evaluation:

Collections with no query rules and incremental updates enabled

Collections with no query rules and enabled for any schedule

Collections with no query rules and schedule full evaluation selected

Note

For more information on managing collections and collection evaluation, see the following articles:

Best practices for collections
Collection evaluation
How to view collection evaluation

Configuration Manager Assessment

This group is courtesy of Microsoft Premier Field Engineering. These insights are a sample of the many more checks that Microsoft Premier provides in the Services Hub.

Active Directory Security Group Discovery is configured to run too frequently: You typically don't need to configure Active Directory Security Group Discovery to occur more frequently than every three hours. A more frequent configuration can have a negative performance impact on Active Directory, the network, and Configuration Manager. Enable incremental synchronization instead of using a full sync schedule. For more information, see Active Directory group discovery.

Active Directory System Discovery is configured to run too frequently: You typically don't need to configure Active Directory System Discovery to occur more frequently than every three hours. A more frequent configuration can have a negative performance impact on Active Directory, the network, and Configuration Manager. Enable incremental synchronization instead of using a full sync schedule. For more information, see Active Directory system discovery.

Active Directory User Discovery is configured to run too frequently: You typically
don't need to configure Active Directory User Discovery to occur more frequently
than every three hours. A more frequent configuration can have a negative
performance impact on Active Directory, the network, and Configuration Manager.
Enable incremental synchronization instead of using a full sync schedule. For more
information, see Active Directory user discovery.

Collections limited to All Systems or All Users: Review any collections that use the
All Systems or All Users collections as the limiting collection. Configuration
Manager updates the membership of these default collections with data from the
Active Directory discovery methods. This data may not be valid information for
Configuration Manager clients.

Heartbeat Discovery is disabled: Heartbeat discovery requires that you install the
Configuration Manager client on devices. It's the only discovery method that
clients start. All other methods occur on site servers. Heartbeat discovery is
essential to keep client activity status current. It makes sure that the site doesn't
accidentally age out the resource records from the site database. For more
information, see Heartbeat discovery.

Long running collection queries enabled for incremental updates: Collections with a last incremental refresh time higher than 30 seconds use site server and database resources, which could potentially impact overall Configuration Manager performance. For more information, see Best practices for collections.

Reduce the number of applications and packages on distribution points: Microsoft officially supports a combined total of up to 10,000 packages and applications on a distribution point. Exceeding this total can lead to operational problems. For more information, see Size and scale numbers - distribution point.

Secondary site installation issues: The installation status of some secondary sites
is Pending or Failed. These states mean that you started the install but it didn't
complete successfully. Until the secondary site install finishes, clients may not
communicate properly with the primary site. Check the Monitoring workspace, and
retry the installation. For more information, see Retry installation of a failed update.

Update all sites to the same version: Use the same version of Configuration
Manager in a hierarchy. This configuration makes sure all sites provide the same
functionality. Sites of different versions in the same hierarchy introduce
interoperability scenarios. Later versions of Configuration Manager include new
features and resolve known issues. For more information, see Interoperability
between different versions.

For more information on these insights, see Remediation steps for Configuration
Manager management insights.

Tip

If you're already a customer of Microsoft Unified or Microsoft Premier, sign in to
the Services Hub for additional on-demand assessments.

For more information about Microsoft Services, see Support Solutions.

Deprecated and unsupported features

(Introduced in version 2203)

The following management insights are about features you may be using which have
been deprecated or are no longer supported. These features may be removed from the
product in a future release.

Site system roles associated with deprecated or removed features: This insight
checks for installed site system roles for deprecated features that will be removed
in a future release.

Check if the site uses the asset intelligence sync point role: This insight checks for
installation of the asset intelligence synchronization point role.

Configuration Manager client for macOS end of support: This insight lists the
clients running macOS. Support for the Configuration Manager client for macOS
and Mac client management ends on December 31, 2022.

Certificate registration point is no longer supported: This insight checks for
installation of the certificate registration point site system role. This feature is no
longer supported as of March 2022. Configuration Manager versions released
before March 2022 will still be able to install and use certificate registration points.

Company resource access policies are no longer supported: This insight checks
for company resource access policies. These features are no longer supported as of
March 2022. Company resource access includes email, certificate, VPN, Wi-Fi, and
Windows Hello for Business profiles. Configuration Manager versions released
before March 2022 will still be able to use company resource access policies.

Microsoft Store for Business deprecated: This insight checks for the presence of
the Microsoft Store for Business connector. This feature has been deprecated as of
Nov 2021.

Operating system deployment
The following management insights help you manage the policy size of task sequences.
When the size of the task sequence policy exceeds 32 MB, the client fails to process the
large policy. The client then fails to run the task sequence deployment.

Large task sequences may contribute to exceeding maximum policy size: If you
deploy these task sequences, clients may not be able to process the large policy
objects. Reduce the size of the task sequence policy to prevent potential policy
processing issues.

Total policy size for task sequences exceeds policy limit: Clients can't process the
policy for these task sequences because it's too large. Reduce the size of the task
sequence policy to allow the deployment to run on clients.

For more information, see Reduce the size of task sequence policy.

This group also includes the following insight:

Unused boot images: Boot images not referenced for PXE boot or task sequence
use. For more information, see Manage boot images.

Optimize for remote workers

Starting in version 2006, the following insights help you create better experiences for
remote workers and reduce load on your infrastructure:

Configure VPN connected clients to prefer cloud based content sources: To
reduce traffic on the VPN, enable the boundary group option to Prefer cloud
based sources over on-premises sources. This option allows clients to download
content from the internet instead of distribution points across the VPN. For more
information, see Boundary group options.

Define VPN boundary groups: Create a VPN boundary and associate it to a
boundary group. Associate VPN-specific site systems to the group, and configure
the settings for your environment. This insight checks for at least one boundary
group with at least one VPN boundary in it. From the properties of this insight,
select Review Actions to go to the Boundary Groups node. For more information,
see VPN boundary type.

Disable peer to peer content sharing for VPN connected clients: To prevent
unnecessary peer-to-peer traffic that likely doesn't benefit the remote clients,
disable the boundary group option to Allow peer downloads in this boundary
group. For more information, see Boundary group options.

Proactive maintenance
The insights in this group highlight potential configuration issues to avoid through
upkeep of Configuration Manager objects.

Boundary groups with no assigned site systems: Without assigned site systems,
boundary groups can only be used for site assignment. For more information, see
Configure boundary groups.

Boundary groups with no members: Boundary groups aren't applicable for site
assignment or content lookup if they don't have any members. For more
information, see Configure boundary groups.

Distribution points not serving content to clients: Distribution points that haven't
served content to clients in the past 30 days. This data is based on reports from
clients of their download history. For more information, see Install and configure
distribution points.

Enable WSUS Cleanup: Verifies that you've enabled the option to run WSUS
cleanup on the properties of the software update point component. This option
helps to improve WSUS performance. For more information, see Software update
maintenance.

Unused configuration items: Configuration items that aren't part of a
configuration baseline and are older than 30 days. For more information, see
Create configuration baselines.

Update Microsoft .NET Framework on site systems: Starting in version 2107,
Configuration Manager requires Microsoft .NET Framework version 4.6.2 for site
servers, specific site systems, clients, and the console. Before you run setup to
install or update the site, first update .NET and restart the system. If possible in
your environment, install the latest version of .NET version 4.8. For more
information, see Site and site system prerequisites.

Update servers running Windows Server 2012 and 2012 R2: Detects servers that
are running Windows Server 2012 or 2012 R2 operating systems. The support
lifecycle for these operating systems ends on October 9, 2023. For more
information, see the Product lifecycle.

Upgrade peer cache sources to the latest version of the Configuration Manager
client: Identify clients that serve as a peer cache source but haven't upgraded from
a pre-1806 client version. Pre-1806 clients can't be used as a peer cache source for
clients that run version 1806 or later. Select Take action to open a device view that
displays the list of clients.

Tip

In version 2006, the insight for Unused boot images moved to the new OS
deployment group.

Security
Insights for improving the security of your infrastructure and devices.

NTLM fallback is enabled: This insight detects if you enabled the less secure NTLM
authentication fallback method for the site. When using the client push method of
installing the Configuration Manager client, the site can require Kerberos mutual
authentication. This enhancement helps to secure the communication between the
server and the client. For more information, see How to install clients with client
push.

Unsupported antimalware client versions: More than 10% of clients are running
versions of System Center Endpoint Protection that aren't supported. For more
information, see Endpoint Protection.

Update clients running Windows 7 and Windows Server 2008: The rule shows
clients running Windows 7, Windows Server 2008 (non-Azure), and Windows
Server 2008 R2 (non-Azure) that are no longer receiving security updates. For more
information about updates for these operating systems, see Extended Security
Updates (ESU).

Simplified management
Insights that help you simplify the day-to-day management of your environment.

Connect the site to the Microsoft cloud for Configuration Manager updates: This
insight makes sure your Configuration Manager service connection point has
connected to the Microsoft cloud within the past seven days. This connection is to
download content for regular updates. Review DMPDownloader.log and hman.log.
For more information, see Internet access requirements.

Non-CB Client Versions: Lists all clients whose versions aren't a current branch (CB)
build. For more information, see Upgrade clients.

Update clients to a supported Windows 10 version: This insight reports on clients
that are running a version of Windows 10 that's no longer supported.

Software Center
Insights for managing Software Center.

Direct users to Software Center instead of Application Catalog: Check if users
have installed or requested applications from the application catalog in the last 14
days. The primary functionality of application catalog is now included in Software
Center. Support for the application catalog roles ended with version 1910. For
more information, see Deprecated features.

Use the new version of Software Center: The previous version of Software Center
is no longer supported. Set up clients to use the new Software Center by enabling
the client setting Use new Software Center in the Computer Agent group. For
more information, see About client settings.

Software updates
Insights for the software updates feature.

Client settings aren't configured to allow clients to download delta content:
Some software updates synchronized in your environment include delta content.
Enable the client setting, Allow clients to download delta content when available.
If you don't enable this setting, when you deploy these updates, clients will
unnecessarily download more content than they require. For more information, see
Client settings - Software updates.

Enable the software updates product category 'Windows 10, version 1903 and
later': There's a new software updates product category for Windows 10, version
1903 and later. If you synchronize Windows 10 updates, and have Windows 10,
version 1903 or later clients, select the Windows 10, version 1903 and later
product category in the software update point component properties. For more
information, see Configure classifications and products to synchronize.

Configure software update points to use TLS/SSL: Detects if your software update
points are configured to use TLS/SSL. Configuring Windows Server Update Services
(WSUS) servers and their corresponding software update points (SUPs) to use
TLS/SSL may reduce the ability of a potential attacker to remotely compromise a
client and elevate privileges. This rule was added in Configuration Manager version
2107.

Windows 10
Insights related to the deployment and servicing of Windows 10. The Windows 10
management insight group is only available when more than half of clients are running
Windows 7, Windows 8, or Windows 8.1.

Configure Windows diagnostic data and commercial ID key: To use data from
Desktop Analytics, configure devices with a Commercial ID key and enable
collection of diagnostic data. Set Windows 10 devices to Enhanced (Limited) level
or higher. For more information, see Enable data sharing for Desktop Analytics.

Community hub and GitHub
Article • 10/31/2022

Applies to: Configuration Manager (current branch)

Important

Starting in March 2023, this feature of Configuration Manager is being removed. All
future versions, starting with 2303 will not have the Community hub node in the
admin console. The Community hub node in older versions will be redirected to
deprecated features.

The IT Admin community has developed a wealth of knowledge over the years. Rather
than reinventing items like Scripts and Reports from scratch, we've built a Community
hub in Configuration Manager where IT Admins can share with each other. By
leveraging the work of others, you can save hours of work. The Community hub fosters
creativity by building on others' work and having other people build on yours. GitHub
already has industry-wide processes and tools built for sharing. Now, the Community
hub can leverage those tools directly in the Configuration Manager console as
foundational pieces for driving this new community.

About Community hub

Community hub supports the following objects:

CMPivot queries
Applications
Task sequences
Configuration items
Configuration baselines, including child configuration items
  Baselines with software updates or version-specific references aren't supported
PowerShell Scripts
Reports
Power BI report templates
  For information about sharing and using Power BI report templates with
  Community hub, see Integrate with Power BI Report Server.
Console extensions are available for download, but contributions are currently
limited
  Content for console extensions isn't hosted by Microsoft. Currently, the source
  download location displays in the verbose SmsAdminUi.log for the console that
  initiates the download.

What's new
Support for downloading signed console extensions and limited contribution,
added in July 2021
Filter content when using search, added in June 2021
Support for configuration baselines including child configuration items, added in
March 2021
Support for Power BI reports, added in February 2021

Prerequisites

The device running the Configuration Manager console used to access the
Community hub needs the following items:

.NET Framework version 4.6 or later
  .NET Framework version 4.6.2 or later is required starting in Configuration
  Manager 2010
  Starting in version 2107, the console requires .NET version 4.6.2, and version
  4.8 is recommended. For more information, see Install the Configuration
  Manager console.
A supported version of Windows 10 or later
  Windows Server isn't supported before version 2010, so the Configuration
  Manager console needs to be installed on a supported Windows client
  device separate from the site server.
  Starting in version 2010, install the Microsoft Edge WebView2 console
  extension to support Windows Server.
The administration service in Configuration Manager needs to be set up and
functional.
If your organization restricts network communication with the internet using a
firewall or proxy device, you need to allow the Configuration Manager console to
access internet endpoints. For more information, see Internet access requirements.
A GitHub account is only required to contribute and share content from the Your
hub page. If you don't wish to share, you can use contributions from others
without having a GitHub account. For more information, see Contribute to
Community hub.

Important

Configuration Manager versions 2006 and earlier won't be able to sign in to
GitHub. Configuration Manager version 2010 or later with the WebView2
console extension installed is required for sign in.

Permissions

To import a script: Create permission for SMS_Scripts class.
To import a report: Full Administrator security role.
Starting in version 2010, Full Administrators can opt in the hierarchy for
unreviewed content via hierarchy settings. Lower hierarchy administrators can't opt
in the hierarchy for unreviewed hub items. For more information, see the
Categorize Community hub content section.

Most built-in security roles will have access to the Community hub node:

Role name              View the hub   Contribute hub content   Download hub content
Remote Tools Operator  No             N/A                      N/A
Read Only Analyst      Yes            No                       No
All other roles        Yes            Yes                      Yes

Use the Community hub

1. Go to the Community hub node in the Community workspace.
2. Select an item to download.
3. You'll need appropriate permissions in your Configuration Manager site to
download objects from the hub and import them into the site.
   To import a script: Create permission for SMS_Scripts class.
   To import a report: Full Administrator security role.
4. Downloaded reports are deployed to a report folder called hub on the reporting
services point. Downloaded scripts can be seen in the Run Scripts node. Typically,
downloaded items are placed in the console node for which they're used.
5. View all items downloaded from the hub by your organization by selecting Your
downloads from the Community hub node.

Filter Community hub content when searching

You can filter content in the Community hub when using search. The following filters are
available to use when searching:

Filter name    Example search                 Uses a like filter
Type           type:report                    Yes
Curated        curated:false                  No
User           user:<GitHubUserName>          No
Organization   org:<GitHubOrganizationName>   No
Name           name:test_report               Yes
Description    desc:description               Yes

When filtering Community hub items in search:

The filtering on some items is done using like so you don't need to know the
exact name of an item you are trying to find. For instance, using type:task would
return task sequences.
You can't use the same filter twice in a search. For instance, using type:report and
type:extension would only return reports since the second filter gets ignored.
Search filtering respects the hierarchy setting for displaying Community hub
content categories.
  If your hierarchy is set to Display Microsoft and curated community content,
  then curated:false is ignored.
  If your hierarchy is set to Display Microsoft content, then the curated: filter is
  ignored.
Starting in version 2203, the console displays a list of search filters you can use in
Community hub.
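The search rules above (like-versus-exact matching, the ignored duplicate filter, and the hierarchy-setting overrides for the curated: filter) modelled as a small Python function; this is an added example, not code from the article or from the Configuration Manager console, and the item catalogue, user names and organization names are constructed placeholders, while treating Microsoft and community-curated content as curated:true is an assumption.

```python
from __future__ import annotations

from dataclasses import dataclass

# Filters from the docs table: "like" filters match a substring, the rest match exactly.
LIKE_FILTERS = {"type", "name", "desc"}
EXACT_FILTERS = {"curated", "user", "org"}
KNOWN_FILTERS = LIKE_FILTERS | EXACT_FILTERS

# The three hierarchy settings for Community hub content categories.
MICROSOFT_ONLY = "Display Microsoft content"
MICROSOFT_AND_CURATED = "Display Microsoft and curated community content"
ALL_CONTENT = "Display all content including unreviewed content"

# Which content categories each hierarchy setting exposes in the hub at all.
VISIBLE_CATEGORIES = {
    MICROSOFT_ONLY: {"microsoft"},
    MICROSOFT_AND_CURATED: {"microsoft", "community-curated"},
    ALL_CONTENT: {"microsoft", "community-curated", "community-unreviewed"},
}


@dataclass(frozen=True)
class HubItem:
    name: str
    type: str
    category: str  # "microsoft", "community-curated" or "community-unreviewed"
    user: str
    org: str
    desc: str = ""

    @property
    def curated(self) -> bool:
        # Assumption: Microsoft and community-curated content count as curated.
        return self.category != "community-unreviewed"


def parse_filters(query: str) -> tuple[dict[str, str], list[str]]:
    """Split a search string into key:value filters and free-text terms.

    A repeated filter key is ignored after its first use, so "type:report
    type:extension" keeps only type:report, as the docs describe.
    """
    filters: dict[str, str] = {}
    terms: list[str] = []
    for token in query.split():
        key, sep, value = token.partition(":")
        key = key.lower()
        if sep and value and key in KNOWN_FILTERS:
            filters.setdefault(key, value)  # a second occurrence is dropped
        else:
            terms.append(token)
    return filters, terms


def effective_filters(filters: dict[str, str], setting: str) -> dict[str, str]:
    """Drop the curated: filter where the hierarchy setting makes it meaningless."""
    result = dict(filters)
    curated = result.get("curated", "").lower()
    if setting == MICROSOFT_ONLY and curated:
        del result["curated"]  # curated: is ignored entirely
    elif setting == MICROSOFT_AND_CURATED and curated == "false":
        del result["curated"]  # curated:false is ignored
    return result


def _matches(item: HubItem, key: str, value: str) -> bool:
    if key == "curated":
        return item.curated == (value.lower() == "true")
    field = getattr(item, key).lower()
    return value.lower() in field if key in LIKE_FILTERS else field == value.lower()


def search(items: list[HubItem], query: str, setting: str) -> list[HubItem]:
    """Return the items the hub would list for `query` under hierarchy `setting`."""
    raw, terms = parse_filters(query)
    filters = effective_filters(raw, setting)
    visible = VISIBLE_CATEGORIES[setting]
    hits = []
    for item in items:
        if item.category not in visible:
            continue  # hidden by the hierarchy setting regardless of the query
        if not all(_matches(item, k, v) for k, v in filters.items()):
            continue
        haystack = f"{item.name} {item.desc}".lower()
        if all(t.lower() in haystack for t in terms):
            hits.append(item)
    return hits


# Constructed sample catalogue; names, users and organizations are placeholders.
SAMPLE_ITEMS = [
    HubItem("Local admins query", "cmpivot query", "microsoft", "msft-user", "Microsoft"),
    HubItem("Test_report", "report", "community-curated", "example-user", "example-org"),
    HubItem("Patch compliance task", "task sequence", "community-unreviewed", "other-user", ""),
    HubItem("Unreviewed report", "report", "community-unreviewed", "other-user", ""),
]

if __name__ == "__main__":
    for query, setting in [("type:report type:extension", ALL_CONTENT),
                           ("curated:false", MICROSOFT_AND_CURATED)]:
        print(query, "|", setting, "->", [i.name for i in search(SAMPLE_ITEMS, query, setting)])
```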

Direct links to Community hub items

(Introduced in version 2006)

You can navigate to and reference items in the Configuration Manager console
Community hub node with a direct link. Collaborate with your colleagues easily by
sharing direct links to Community hub items. These deep links are currently only for
items in the Community hub node of the console.

Prerequisites for direct links:

Configuration Manager console version 2006 or later

Share an item:

1. Go to the item in the hub and select Share.
2. Paste the copied link and share it with others.

Open a shared link:

1. Open the link from a machine that has the Configuration Manager console
installed.
2. Select Launch the Community hub when prompted.
3. The console opens directly to the script in the Community hub node.

Categorize Community hub content

(Introduced in version 2010)

Starting in Configuration Manager version 2010, Community hub content is grouped
into a Microsoft, curated, or unreviewed category to allow admins to choose the types
of content their environment displays. Admins can choose from the different categories
of content that are provided in the Community hub to match their risk profile and their
willingness to share and use content from those outside Microsoft and outside their
own company. Only Full Administrators can opt in the hierarchy for unreviewed content
via hierarchy settings.

Community hub content has three categories for content sources:

Microsoft curated: Content provided by Microsoft
Community curated: Content provided by the community that gets reviewed by
Microsoft
Community unreviewed: General content from the community that doesn't get
reviewed by Microsoft

Admins can choose the types of content their environment displays from the following
options:

Display Microsoft content: Selecting this option means that only content created
by Microsoft will be shown in the Community hub. This content has had some
basic testing and scanning validation to confirm no malware and inappropriate
text.
Display Microsoft and curated community content: Show curated content from
both Microsoft and community partners with basic level of review. Selecting this
option means that only content that has been curated will be shown. The curation
process includes basic review to confirm that the content doesn’t have malware
and inappropriate text, but hasn’t necessarily been tested. It will include content
from the community, not just from Microsoft.
Display all content including unreviewed content: Selecting this option means
that all content is shown. This option includes unreviewed open-source type
samples from the community, meaning that the content hasn’t necessarily been
reviewed at all. It's provided as-is as open-source type sample content. Doing your
own inspection and testing before using is highly encouraged, which is good
practice on any content, but especially this class of content.

Since the content is open-source style content, admins should always review what is
provided before consuming it. The new curation process is intended to vet the material
to make sure there aren't obvious quality or compliance issues, but it will be somewhat
of a cursory review. All content stored within GitHub and accessed from the Community
hub isn’t supported by Microsoft. Microsoft doesn’t validate content collected from or
shared by the general community. For more information, see GitHub Terms of Service
and GitHub Privacy Statement.

Select the content categories to display in Community hub for the environment

1. In the Configuration Manager console, go to Administration > Overview > Site
Configuration > Sites.
2. Select the top-level site in your hierarchy and select Hierarchy Settings from the
ribbon.
3. On the General tab, change the Community hub setting to Display Microsoft
content.
4. Select Ok when you're finished changing the hierarchy setting.
5. Open the Community hub node in the Community workspace.
6. Ensure that only Microsoft content is displayed and available for download.
7. Go back to Hierarchy Settings and select another option such as Display all
content, including unreviewed content.
8. Confirm that only the type of content is displayed and able to be downloaded
from the Community hub, that matches the corresponding hierarchy setting
category.

Install the WebView2 console extension
(Introduced in version 2010)

The Microsoft Edge WebView2 console extension enables the full functionality for
Community hub. If WebView2 isn't installed, a banner is shown when you navigate to
the Community hub node. The WebView2 console extension:

Displays the Community hub on Windows Server operating systems
Enables sign in for GitHub
  GitHub sign-in is needed for contributing to Community hub but not for
  downloading items.

Important

When you upgrade to Configuration Manager 2107, you will be prompted to
install the WebView2 console extension again.
Configuration Manager versions 2006 and earlier can’t sign into GitHub but
can still download items. Using Community hub on Windows Server requires
the WebView2 console extension and Configuration Manager version 2010 or
later.

Follow the instructions below to enable the full functionality of Community hub:

1. In the upper-right corner of the console, select the bell icon to display
Configuration Manager console notifications.

2. The notification will say New custom console extensions are available.

3. Select the link Install custom console extensions to launch the install.
4. When the install completes, select Close to restart the console.

5. Confirm that you can view the Community hub node from the machine running
the Windows Server operating system.

You may also notice that a new folder
AdminConsole\bin\Microsoft.WebView2.FixedVersionRuntime.<version>.x86
was created. The files are automatically downloaded from
https://developer.microsoft.com/en-us/microsoft-edge/webview2/#download-section
with the other redistributable files.

Tip

Starting in Configuration Manager version 2103, you can also install the WebView2
extension from the Console Extensions node. For more information, see Install an
extension on a local console.

Known issues

Community hub doesn't load

The Community hub may not load, or load after a long delay if the WebView2 console
extension hasn't been installed. For more information about installing console
extensions, see Install the WebView2 console extension and Managing console
extensions (starting in version 2103).

Unhandled exception occurs when loading Community hub

In certain circumstances, you may encounter the following exception when loading
Community hub:

Could not load type 'System.Runtime.InteropServices.Architecture' from assembly
'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.

Workaround: To work around this issue, update the .NET Framework to version 4.7.1 or
later for the machine running the Configuration Manager console.

Unable to access Community hub node when running console as a different user

If you're signed in as a user with lower rights and choose Run as a different user to open
the Configuration Manager console, you may not be able to access the Community hub
node.

Downloaded reports don't get removed from your downloads page

If you delete a downloaded report from the Monitoring > Reports node, the report isn't
deleted from the Community hub > Your downloads page and you're unable to
download the report again.

Unable to download baseline that contains a previously downloaded configuration item

If you previously downloaded a configuration item from Community hub using
Configuration Manager 2010, you may receive an error when downloading a baseline
after upgrading to Configuration Manager version 2103. A download error can occur
when the baseline contains an updated version of the configuration item you previously
downloaded with Configuration Manager 2010.

Workaround: To work around this issue, delete the configuration item you previously
downloaded, then download the baseline with the new version of the configuration
item.

Unable to sign in when single sign on with multifactor authentication is used

When single sign on with multifactor authentication is used, you may not be able to sign
in for the following features when using Configuration Manager 2103 and earlier:

Community hub
Community hub from CMPivot
Custom tabs in Software Center that load a website that's subject to conditional
access policies

Next steps
Contribute to the Configuration Manager Community hub

Contribute to the Community hub
Article • 10/31/2022

Applies to: Configuration Manager (current branch)

Important

Starting in March 2023, this feature of Configuration Manager is being removed. All
future versions, starting with 2303 will not have the Community hub node in the
admin console. The Community hub node in older versions will be redirected to
deprecated features.

Community hub fosters creativity by building on others' work and having other people
build on yours. GitHub already has industry-wide processes and tools built for sharing.
Now, the Community hub can leverage those tools directly in the Configuration
Manager console as foundational pieces for driving this new community. You can share
the following objects for use by others in the Configuration Manager community:

CMPivot queries
Applications
Task sequences
Configuration items
Configuration baselines, including child configuration items
  Baselines with software updates or version-specific references aren't supported
PowerShell Scripts
Reports
Power BI report templates
  For information about sharing and using Power BI report templates with
  Community hub, see Integrate with Power BI Report Server.
Console extensions are available for download, but contributions are currently
limited
  Content for console extensions isn't hosted by Microsoft. Currently, the source
  download location displays in the verbose SmsAdminUi.log for the console that
  initiates the download.

Prerequisites

All Community hub prerequisites and permissions
Configuration Manager version 2010 or later
  Install the Microsoft Edge WebView2 extension for the Configuration Manager
  console.
A GitHub account
  A GitHub account is only required to contribute and share content from the
  Your hub page.
  If you don't already have a GitHub account, you can create one before you join.
  If you don't wish to share, you can use contributions from others without having
  a GitHub account.

Important

Configuration Manager versions 2006 and earlier can’t sign into GitHub but can still
download items. Using Community hub on Windows Server requires the WebView2
console extension and Configuration Manager version 2010 or later.

Most built-in security roles will have access to the Community hub node:

Role name              View the hub   Contribute hub content   Download hub content
Remote Tools Operator  No             N/A                      N/A
Read Only Analyst      Yes            No                       No
All other roles        Yes            Yes                      Yes

Join the Community hub to contribute content

1. Go to the Community hub node in the Community workspace.

2. Select Your hub and you'll be prompted to sign into GitHub. If you don't have an
account, you'll be redirected to GitHub where you can create one. A GitHub
account is only required to contribute and share content from the Your hub page.

3. Once you've signed into GitHub, select the Join button to join the Community hub.
4. After joining, you'll see your membership request is pending. Your account needs
approval by the Configuration Manager Content Curation team. Approvals are
done once a day, so it may take up to one business day for your approval to be
granted.

5. Once you're granted access, you'll get an email from GitHub. Open the link in the
email to accept the invitation.

Important

You must accept the invitation sent in the email, otherwise you won't be able
to contribute content.

Contribute content
Once you've accepted the invitation, you can contribute content.

1. Go to Community > Community hub > Your hub.

2. Select Add an Item to open the Contribute item wizard.

3. Specify the Type of object you want to share from the drop-down menu. The
following object types are available:

   CMPivot queries
   Applications
   Task sequences
   Configuration items
   Configuration baselines, including child configuration items
     Baselines with software updates or version-specific references aren't
     supported
   PowerShell Scripts
   Reports
   Power BI report templates
     For information about sharing and using Power BI report templates with
     Community hub, see Integrate with Power BI Report Server.
   Console extensions are available for download, but contributions are
   currently limited
     Content for console extensions isn't hosted by Microsoft. Currently, the
     source download location displays in the verbose SmsAdminUi.log for the
     console that initiates the download.

4. Select Browse to load your environment's object list for the selected type. The
object's Name and Description (if available) will automatically load in the
contribution wizard.

5. Edit the following information to reflect what the community should see for your
contribution:

   Name: Name of your object
   Description: The description of the object you're contributing.

6. On the Organization page, select the GitHub Organization to use for organization
branding if needed.

   None is the default.
   If your organization isn't listed, verify that the membership visibility is set
   to Public in your GitHub profile.

7. Select Next to submit the contribution.

8. Once the contribution is complete, you'll see the GitHub pull request (PR) link. The link is also emailed to you. You can paste the link into a browser to view the PR. Your PR will go through the standard GitHub merge process.

PRs should be submitted through the Configuration Manager console, not directly to the GitHub repository.

9. Choose Close to exit the contribution wizard.

10. Once the PR has been completed and merged, the new item will display in the
Community hub home page for others to see.

Update contributed content
You can update content you've contributed to the Community hub.
1. Select an item that you previously contributed. Currently, you can only edit items
that you contributed.
2. In the item details, select Push Update to open the contribute item wizard.
3. Edit the Description of the item to note what changes were made.
4. Select Next to upload the item.
5. Once the item is uploaded, you'll be given the pull request URL of the change for
monitoring.
6. Select Close when you're done to exit the wizard.

Delete a contribution you made
You can delete contributions you've made if you no longer want them to be displayed in the Community hub. There are two ways to delete your contributions.

Method 1:

1. Go to Community > Community hub > Your hub.
2. From the item you want to delete, select Delete in the far-right column.

Method 2:

If the pull request was never completed (merged) into the GitHub repository, then you
can just close the pull request. Ensure that you're signed into GitHub with the same
GitHub account that you used to create the pull request.

Personalization and organization branding of contributed content
Starting in January 2021, your contributions are personalized. By default, your
contributions include your personal GitHub profile picture. The default GitHub
Identicon is used if you don't have a profile picture. All contributions you've
submitted before January 2021 are automatically personalized using this default.
Community hub also allows new contributions to be branded instead of using the
default personalization. You can brand a contribution to one of your organization
memberships in GitHub that's publicly visible. When you choose to brand your
contribution, the organization's profile picture is used rather than your personal profile
picture. The organization's web page, Twitter handle, and company bio are included on
the contribution. Branding to the organization identity allows for uniformity regardless
of which user is submitting the contribution.

To use branding:

The visibility of the organization membership must be set to Public from the
contributor's GitHub profile.
On the Organization page in the Contribute item wizard, select the GitHub
Organization to use for branding. For more information, see the Contribute
content section.

Directly link to Community hub items
(Introduced in version 2006)

You can navigate to and reference items in the Configuration Manager console
Community hub node with a direct link. Collaborate with your colleagues easily by
sharing direct links to Community hub items. These deep links are currently only for
items in the Community hub node of the console.

Prerequisites for direct links:

Configuration Manager console version 2006 or later

Share an item:

1. Go to the item in the hub and select Share.
2. Paste the copied link and share it with others.

Open a shared link:

1. Open the link from a machine that has the Configuration Manager console
installed.
2. Select Launch the Community hub when prompted.
3. The console opens directly to the script in the Community hub node.

Publish query to Community hub from CMPivot
(Applies to version 2107 or later)

Starting in version 2107, you can publish a CMPivot query to the Community hub
directly from the CMPivot window. Submitting your queries directly through CMPivot
makes contributing to the Community hub easier.

You'll need the following requirements for CMPivot and for contributing to the
Community hub:

Meet all of the CMPivot prerequisites and permissions
Enable Community hub.
If needed, install the Microsoft Edge WebView2 extension from the Configuration Manager console notification.
A GitHub account that's joined to Community hub
    You must accept the invitation sent in the email, otherwise you won't be able to contribute content.

1. Go to the Assets and Compliance workspace then select the Device Collections
node.

2. Select a target collection, target device, or group of devices then select Start
CMPivot in the ribbon to launch the tool.
3. From the CMPivot window, select the Community hub icon on the menu.

4. Select Sign in, then sign into GitHub.

5. Create a CMPivot query, then select Run Query to verify it functions as expected.

Optionally, select the folder icon to access your favorites list to use a query
you've already created.

6. Select the Publish link at top of CMPivot's Community hub window when you're
ready to submit your query.

7. Give your query a Name and Description, then select the Publish button to send
your query to the Community hub.
8. Once the contribution is complete, you can access your query anytime from the
Me tab.

9. To view the GitHub pull request (PR), go to https://github.com/Microsoft/configmgr-hub/pulls. You can also access the PR link from the Your hub page in the Community hub node.

PRs shouldn't be submitted directly to the GitHub repository.

Note

Currently, when you publish a query through CMPivot, you can't edit or delete
it after publishing.
Community hub is only available in CMPivot when you run it from the
Configuration Manager console. Community hub isn't available from
standalone CMPivot.

Object type information

Configuration baselines
When you contribute a configuration baseline, each of the child configuration items is
verified. The verification starts at the lowest nested level. This means that configuration
items that are grandchildren are verified before direct child configuration items are. You
can have up to 50 child configuration items and up to 4 nested levels. The following
process occurs to ensure the configuration baseline is usable and complete:

1. Check if the child configuration item is already in the Community hub. If the
configuration item doesn't exist, it's created.

A configuration item with software updates or version-specific references will cause an error and the contribution will fail.

2. If the configuration item already exists in the Community hub, verify the
contributor is the author. If the contributor isn't the author, a new configuration
item is created in Community hub.
3. If the contributor is the author, check for local updates to the configuration item. If
the configuration item changed, update the item in the Community hub.

Console extensions
You contribute extensions the same way you would any other Community hub object. However, there are additional requirements and additional information you need to supply for an extension. When you contribute a console extension to Community hub, the content must be signed. Content for console extensions isn't hosted by Microsoft. When you contribute your item, you'll be asked to provide the location of the signed .cab file along with other information for the extension. The following items are required for contributing extensions:

Content URL: Location for the downloadable .cab file
SHA-256 hash of the content: SHA-256 hash of the .cab file. Because Microsoft doesn't host the content, this hash and the signature are what let a downloading site verify that the .cab it fetched from your URL is the one you submitted.
License URL: URL of the license for the extension, such as https://mit-license.org/
Privacy statement URL: URL of your privacy statement

Next steps
Learn more about creating and using the following objects:

Create and run PowerShell scripts
Introduction to reporting
Create and manage task sequences
Create and deploy an application
Create configuration items
Create and contribute console extensions

Console extensions from Community hub
Article • 10/31/2022

Applies to: Configuration Manager (current branch)

Important

Starting in March 2023, this feature of Configuration Manager is being removed. All future versions, starting with 2303, won't have the Community hub node in the admin console. The Community hub node in older versions will be redirected to the deprecated features list.

When you use Configuration Manager version 2103 or later, you can download console extensions from the Community hub and have them applied to all consoles connected to a hierarchy. The Console extensions node allows you to manage the approval and installation of console extensions used in your environment. Getting an extension from Community hub doesn't make it immediately available. First, an administrator has to approve the extension for the site. Then console users can install the extension to their local console.

After you approve an extension, when you open the console, you'll see a console
notification. From the notification, you can start the extension installer. After the installer
completes, the console restarts automatically, and then you can use the extension.

Find extensions in Community hub
Extensions in Community hub are recognizable by their icon. When browsing All objects in the Community hub, you can easily notice if a new extension has been added. The following icon is used for extensions:

You can also use a search filter to find an extension in Community hub. Start with the search filter type:extension, then add additional filters as needed. If you're not finding an extension that's known to be available, double check the displayed categories hierarchy setting for Community hub.

Filter name     Example search                     Uses a like filter
Type            type:report                        Yes
Curated         curated:false                      No
User            user:<GitHubUserName>              No
Organization    org:<GitHubOrganizationName>       No
Name            name:test_report                   Yes
Description     desc:description                   Yes

When filtering Community hub items in search:

The filtering on some items is done using like so you don't need to know the
exact name of an item you are trying to find. For instance, using type:task would
return task sequences.
You can't use the same filter twice in a search. For instance, using type:report and
type:extension would only return reports since the second filter gets ignored.

Search filtering respects the hierarchy setting for displaying Community hub
content categories.
If your hierarchy is set to Display Microsoft and curated community content,
then curated:false is ignored.
If your hierarchy is set to Display Microsoft content, then the curated: filter is
ignored.
Starting in version 2203, the console displays a list of search filters you can use in
Community hub.

Download and deploy the extension
You'll download the extension from Community hub, then use the Console Extensions node to test the extension and deploy it to other Configuration Manager console users. In-depth instructions for the deployment process and managing extensions can be found in the Console Extensions article. Below is a high-level overview of the extension deployment process:

1. Once you've found an extension in Community hub that you want in your
environment, select Download.
2. The downloaded extension will appear in the Console Extensions node.
3. Change the security scope for the extension, approve it, then install and test it on a
local console. For more information on this process, see Install and test an
extension on a local console.
4. When testing is complete, enable user notifications for installation.

Console extension installation notifications
Users are notified when console extensions are approved for installation. These notifications occur for users in the following scenarios:

The Configuration Manager console requires a built-in extension, such as WebView2, to be installed or updated.
Console extensions are approved and notifications are enabled from Administration > Overview > Updates and Servicing > Console Extensions.

When notifications are enabled, users within the security scope for the extension receive the following prompts:

1. In the upper-right corner of the console, select the bell icon to display
Configuration Manager console notifications.

2. The notification will say New custom console extensions are available.

3. Select the link Install custom console extensions to launch the install.

4. When the install completes, select Close to restart the console and enable the new
extension.

Note

When you upgrade to Configuration Manager 2107, you will be prompted to install the WebView2 console extension again. For more information about the WebView2 installation, see the WebView2 installation section of the Community hub article.
Next steps
Manage console extensions
Import console extensions
Create and contribute your own console extension
CMPivot overview
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

CMPivot allows you to quickly assess the state of devices in your environment and take
action. When you enter a query, CMPivot will run a query in real time on all currently
connected devices in the selected collection. The data returned can then be filtered,
grouped, and refined to answer business questions, troubleshoot issues in your
environment, or respond to security threats. For more information about using CMPivot,
see Use CMPivot.

Queries
Queries can be used to search terms, identify trends, analyze patterns, and provide
many other insights based on your data. CMPivot uses a subset of the Azure Log
Analytics data flow model for the tabular expression statement. The typical structure of a
tabular expression statement is a composition of client entities and tabular data
operators (such as filters and projections). The composition is represented by the pipe
character (|), giving the statement a regular form that visually represents the flow of
tabular data from left to right. Each operator accepts a tabular data set "from the pipe",
and additional inputs (including other tabular data sets) from the body of the operator,
then emits a tabular data set to the next operator that follows:
entity | operator1 | operator2 | ...

In the following example, the entity is CCMRecentlyUsedApplications (a reference to the recently used applications), and the operators are where (which filters out records from its input according to a per-record predicate) and project (which selects the columns to return):

CCMRecentlyUsedApplications | where CompanyName like '%Microsoft%' | project CompanyName, ExplorerFileName, LastUsedTime, LaunchCount, FolderPath
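The following query, added here as an example and not part of the original article, applies the same left-to-right flow to a question an incident responder often asks: which accounts are members of the local Administrators group across the collection, and on how many devices each one appears. Every entity exposes a Device column; the Name, ObjectClass and PrincipalSource columns are assumed from the entity's Get-LocalGroupMember origin, the excluded names are placeholders for the members your standard build legitimately adds, and the comment lines use KQL's // syntax (strip them if your console version rejects comments).

```kql
// Added example, not from the article: survey local Administrators membership.
// Each operator consumes the table emitted by the one before it.
// Column names other than Device are assumed; the excluded names are placeholders.
Administrators
| where Name !endswith 'Domain Admins' and Name !endswith 'Administrator'
| summarize DeviceCount=dcount(Device) by Name, ObjectClass, PrincipalSource
| order by DeviceCount desc
| take 25
```

Members that appear on only one or two devices are the ones worth a second look. !endswith is a coarse exclusion (it would also drop a name such as 'ServiceAdministrator'); when you know the exact member name, filter it with != instead.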

Entities
Entities are objects that can be queried from the client. We currently support the
following entities:

Entity                                  Description
AadStatus                               Status of Azure Active Directory
Administrators                          Members of the local administrators group
AppCrash                                Recent application crash reports
AppVClientApplication                   AppV Client Application
AppVClientPackage                       AppV Client Package
AutoStartSoftware                       Software that starts automatically with, or immediately after, the operating system
BaseBoard                               BaseBoard
Battery                                 Battery
Bios                                    System BIOS information
BitLocker                               BitLocker
BitLockerEncryptionDetails              BitLocker Encryption Details
BitLockerPolicy                         BitLocker Policy
BootConfiguration                       Boot Configuration
BrowserHelperObject                     Browser Helper Object
BrowserUsage                            Browser Usage
CcmLog()                                Lines within 24 hours (by default) from a Ccm Log file
CCMRAX                                  CCM_RAX
CCMRecentlyUsedApplications             Recently Used Applications
CCMWebAppInstallInfo                    Web Applications
CDROM                                   CDROM Drive
ClientEvents                            Client Events
ComputerSystem                          Computer System
ComputerSystemEx                        Computer System Ex
ComputerSystemProduct                   Computer System Product
ConnectedDevice                         Connected Device
Connection                              An active Tcp connection in or out of the device
Desktop                                 Desktop
DesktopMonitor                          Desktop Monitor
Device                                  Basic information about the device
Disk                                    Local storage device information on a computer system running Windows
DMA                                     DMA
DMAChannel                              DMA Channel
DriverVxD                               Driver - VxD
EmbeddedDeviceInformation               Embedded Device Information
Environment                             Environment
EPStatus                                Status of antimalware software on the computer gathered by the Get-MpComputerStatus cmdlet. Supported on Windows 10 and Server 2016, or later, with Defender running.
EventLog()                              Events within 24 hours (by default) from an event log
File()                                  Information about a specific file
FileShare                               Active file share information
Firmware                                Firmware
IDEController                           IDE Controller
InstalledExecutable                     Installed Executable
InstalledSoftware                       An application installed on the device
IPConfig                                Gets network configuration, including usable interfaces, IP addresses, and DNS servers
IRQTable                                IRQ Table
Keyboard                                Keyboard
LoadOrderGroup                          Load Order Group
LogicalDisk                             Logical Disk
MDMDevDetail                            Device Information
Memory                                  Memory
Modem                                   Modem
Motherboard                             Motherboard
NetworkAdapter                          Network Adapter
NetworkAdapterConfiguration             Network Adapter Configuration
NetworkClient                           Network Client
NetworkLoginProfile                     Network Login Profile
NTEventlogFile                          NT Eventlog File
Office365ProPlusConfigurations          Office 365 Apps Configurations
OfficeAddin                             Office add-ins
OfficeClientMetric                      Office Client Metric
OfficeDeviceSummary                     Office Device Summary
OfficeDocumentMetric                    Office document metrics
OfficeDocumentSolution                  Office Document Solution
OfficeMacroError                        Office Macro Error
OfficeProductInfo                       Office Product Info
OfficeVbaRuleViolation                  Office Vba Rule Violation
OfficeVbaSummary                        Office VBA scan summary
OperatingSystem                         Operating System
OperatingSystemEx                       Operating System Ex
OperatingSystemRecoveryConfiguration    Operating System Recovery Configuration
OptionalFeature                         Optional Feature
OS                                      Basic information about the operating system
PageFileSetting                         Page File Setting
ParallelPort                            Parallel Port
Partition                               Disk Partitions
PCMCIAController                        PCMCIA Controller
PhysicalDisk                            PhysicalDisk
PhysicalMemory                          Physical Memory
PNPDEVICEDRIVER                         PNP Device Driver
PointingDevice                          Pointing Device
PortableBattery                         Portable Battery
Ports                                   Ports
PowerCapabilities                       Power Capabilities
PowerClientOptOutSettings               Power Management Exclusion Settings
PowerConfigurations                     Power Configuration
PowerManagementDaily                    Power Management Daily Data
PowerManagementInsomniaReasons          Power Insomnia Reasons
PowerManagementMonthly                  Power Management Monthly Data
PowerSettings                           Power Settings
PrinterConfiguration                    Printer Configuration
PrinterDevice                           Printer Device
PrintJobs                               Print Jobs
Process                                 A process on an operating system
ProcessModule()                         Modules loaded by specified processes
Processor                               Processor
ProtectedVolumeInformation              Protected Volume Information
Protocol                                Protocol
QuickFixEngineering                     Quick Fix Engineering
Registry                                All values for a specific registry key. Starting in version 2107, a Key value was added to the Registry() entity.
SCSIController                          SCSI Controller
SerialPortConfiguration                 Serial Port Configuration
SerialPorts                             Serial Ports
ServerFeature                           Server Feature
Service                                 A service on a computer system running Windows
Services                                Services
Shares                                  Shares
SMBConfig                               SMB Configuration of a device
SMSAdvancedClientPorts                  Configuration Manager Client Ports
SMSAdvancedClientSSLConfigurations      Configuration Manager Client SSL Configurations
SMSAdvancedClientState                  Configuration Manager Client State
SMSDefaultBrowser                       Default Browser
SMSSoftwareTag                          Software Tag
SMSWindows8Application                  Windows app
SMSWindows8ApplicationUserInfo          Windows app User Info
SoftwareShortcut                        Software Shortcut
SoftwareUpdate                          A software update applicable but not installed on the device
SoundDevices                            Sound Devices
SWLicensingProduct                      Software Licensing Product
SWLicensingService                      Software Licensing Service
SystemAccount                           System Account
SystemBootData                          System Boot Data
SystemBootSummary                       System Boot Summary
SystemConsoleUsage                      System Console Usage
SystemConsoleUser                       System Console User
SystemDevices                           System Devices
SystemDrivers                           System Drivers
SystemEnclosure                         System Enclosure
TapeDrive                               Tape Drive
TimeZone                                Time Zone
TPM                                     TPM
TPMStatus                               TPM Status
TSIssuedLicense                         TS Issued License
TSLicenseKeyPack                        TS License Key Pack
UninterruptiblePowerSupply              Uninterruptible Power Supply
USBController                           USB Controller
USBDevice                               USB Device
User                                    A user account with an active connection to the device
USMFolderRedirectionHealth              Folder Redirection Health
USMUserProfile                          User Profile Health
VideoController                         Video Controller
VirtualMachine                          Virtual Machine
VirtualMachine64                        Virtual Machine (64)
Volume                                  Volume
WindowsUpdate                           Windows Update
WindowsUpdateAgentVersion               Windows Update Agent Version
WinEvent()                              Events within 24 hours (by default) from a Windows event log
WriteFilterState                        Write Filter State

Table operators
Table operators can be used to filter, summarize, and transform data streams. Currently the following operators are supported:

Table operator   Description
count            Returns a table with a single record containing the number of records
distinct         Produces a table with the distinct combination of the provided columns of the input table
join             Merges the rows of two tables to form a new table by matching rows for the same device
order by         Sorts the rows of the input table into order by one or more columns
project          Selects the columns to include, rename or drop, and inserts new computed columns
summarize        Produces a table that aggregates the content of the input table, grouped by the columns named after "by", using the aggregation functions listed below
take             Returns up to the specified number of rows
top              Returns the first N records sorted by the specified columns
where            Filters a table to the subset of rows that satisfy a predicate
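As an added example (not from the article), join correlates two entities on the Device column, which is the only key the operator matches on. Here the InstalledSoftware rows for one product are joined to each device's operating system, so the result shows which OS builds are running which product versions, with distinct and top shaping the output. The ProductName and ProductVersion columns (InstalledSoftware) and Caption (OperatingSystem) are assumed from the underlying inventory classes, 'Sample Agent' is a placeholder product name, and the join form with the inner table in parentheses follows KQL; the // comments are KQL syntax.

```kql
// Added example, not from the article: correlate two entities by Device with join.
// ProductName/ProductVersion and Caption are assumed column names; 'Sample Agent' is a placeholder.
InstalledSoftware
| where ProductName like '%Sample Agent%'
| project Device, ProductVersion
| join (OperatingSystem | project Device, OSName=Caption)
| distinct ProductVersion, OSName
| top 50 by ProductVersion asc
```

ProductVersion is a string, so the ordering is lexicographic ('1.12' sorts before '1.9'); read the output as a list of combinations to check, not as a ranking of old to new. Drop the distinct line to get one row per device instead.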

Scalar Operators
The following table summarizes operators:

Operator      Description                                                        Example
==            Equal                                                              1 == 1, 'aBc' == 'AbC'
!=            Not Equal                                                          1 != 2, 'abc' != 'abcd'
<             Less                                                               1 < 2, 'abc' < 'DEF'
>             Greater                                                            2 > 1, 'xyz' > 'XYZ'
<=            Less or Equal                                                      1 <= 2, 'abc' <= 'abc'
>=            Greater or Equal                                                   2 >= 1, 'abc' >= 'ABC'
+             Add                                                                2 + 1, now() + 1d
-             Subtract                                                           2 - 1, now() - 1h
*             Multiply                                                           2 * 2
/             Divide                                                             2 / 1
%             Modulo                                                             2 % 1
like          Left Hand Side (LHS) contains a match for Right Hand Side (RHS)    'abc' like '%B%'
!like         LHS doesn't contain a match for RHS                                'abc' !like '_d_'
contains      RHS occurs as a subsequence of LHS                                 'abc' contains 'b'
!contains     RHS doesn't occur in LHS                                           'team' !contains 'i'
startswith    RHS is an initial subsequence of LHS                               'team' startswith 'tea'
!startswith   RHS isn't an initial subsequence of LHS                            'abc' !startswith 'bc'
endswith      RHS is a closing subsequence of LHS                                'abc' endswith 'bc'
!endswith     RHS isn't a closing subsequence of LHS                             'abc' !endswith 'a'
and           True if and only if RHS and LHS are true                           (1 == 1) and (2 == 2)
or            True if and only if RHS or LHS is true                             (1 == 1) or (1 == 2)

As the examples show, string comparisons are case-insensitive, and like uses SQL-style wildcards: % matches any run of characters and _ matches a single character.

Aggregation functions
Aggregation functions can be used with the summarize table operator to calculate summarized values. Currently the following aggregation functions are supported:

Function       Description
avg()          Returns the average of the values across the group
count()        Returns a count of the records per summarization group
countif()      Returns a count of rows for which Predicate evaluates to true
dcount()       Returns the number of distinct values in the group
max()          Returns the maximum value across the group
maxif()        Returns the maximum value across the group for which Predicate evaluates to true. Starting in version 2107, you can use maxif with the summarize table operator.
min()          Returns the minimum value across the group
minif()        Returns the minimum value across the group for which Predicate evaluates to true. Starting in version 2107, you can use minif with the summarize table operator.
percentile()   Returns an estimate for the specified nearest-rank percentile of the population defined by Expr
sum()          Returns the sum of the values across the group
sumif()        Returns a sum of Expr for which Predicate evaluates to true

Scalar functions
Scalar functions can be used in expressions. Currently the following scalar functions are supported:

Function          Description
ago()             Subtracts the given timespan from the current UTC clock time
bin()             Rounds values (numbers or datetimes) down to a multiple of a given bin size
case()            Evaluates a list of predicates and returns the first result expression whose predicate is satisfied
datetime_add()    Calculates a new datetime from a specified datepart multiplied by a specified amount, added to a specified datetime
datetime_diff()   Calculates the difference between two datetime values
iif()             Evaluates the first argument and returns the value of either the second or third argument depending on whether the predicate evaluated to true (second) or false (third)
indexof()         Reports the zero-based index of the first occurrence of a specified string within the input string
isnotnull()       Evaluates its sole argument and returns a Boolean value indicating if the argument evaluates to a non-null value
isnull()          Evaluates its sole argument and returns a Boolean value indicating if the argument evaluates to a null value
now()             Returns the current UTC clock time
strcat()          Concatenates between 1 and 64 arguments
strlen()          Returns the length, in characters, of the input string
substring()       Extracts a substring from a source string starting from some index to the end of the string
tostring()        Converts input to a string representation
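An added example, not from the article, that puts the summarize operator together with the aggregation and scalar functions above. It turns EPStatus into a Defender posture report: the first query is a per-engine-version summary, the second a per-device list of devices whose signatures have gone stale. Run them one at a time. EPStatus mirrors Get-MpComputerStatus, so the AntivirusSignatureAge and QuickScanAge (both in days), AntivirusSignatureLastUpdated and AMEngineVersion columns come from that cmdlet; the 3-, 7- and 14-day thresholds are assumptions to align with your own policy, and the // comments are KQL syntax.

```kql
// Added example, not from the article: Defender signature and scan posture from EPStatus.
// Column names follow Get-MpComputerStatus; the day thresholds are assumed.
// Query 1: one row per engine version, counting devices that miss each threshold.
EPStatus
| summarize Devices=count(), StaleSignatures=countif(AntivirusSignatureAge > 3), NoRecentQuickScan=countif(QuickScanAge > 7), OldestSignatureAgeDays=max(AntivirusSignatureAge) by AMEngineVersion
| order by StaleSignatures desc

// Query 2: the devices behind those counts, bucketed by the day their signatures last updated,
// with a severity band and a one-line note that can be pasted into a ticket.
EPStatus
| where AntivirusSignatureLastUpdated < ago(3d)
| project Device, SignatureDay=bin(AntivirusSignatureLastUpdated, 1d), Severity=case(AntivirusSignatureAge > 14, 'Critical', AntivirusSignatureAge > 7, 'High', 'Medium'), Note=strcat(Device, ' engine ', AMEngineVersion, ', signatures ', tostring(AntivirusSignatureAge), ' days old')
| order by SignatureDay asc
```

Because CMPivot only answers from online clients, a device missing from both result sets is not necessarily healthy, only offline; compare the Devices total from the first query with the collection's member count before treating the summary as complete.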

Additional entities, operators, and functions for CMPivot from Configuration Manager

Important

These items aren't supported when you run CMPivot from Microsoft Intune admin center.

Type             Item                    Description
Entity           AccountSID              Account SID
Entity           FileContent()           Content of a specific file
Entity           NAPClient               NAP Client
Entity           NAPSystemHealthAgent    NAP System Health Agent
Entity           RegistryKey()           Returns all registry keys matching the given expression (starting in version 2107)
Table operator   render                  Renders results as graphical output
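An added example, not from the article, using two of the console-only items above: Registry() to read every value under the HKLM Run key on all online devices, and render to chart the result. Sorting ascending by device count puts the autostart entries that exist on only a handful of machines at the top, which is where unexpected persistence tends to show up. The Device, Key, Property and Value columns are assumed from the entity (Key per the version 2107 note in the entity table); the doubled backslashes follow KQL string escaping, which is also an assumption, barchart is one of KQL's render kinds, and the // comments are KQL syntax.

```kql
// Added example, not from the article: autostart persistence survey.
// Registry() and render are console-only; column names and the backslash escaping are assumptions.
Registry('HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run')
| project Device, Key, Property, Value
| summarize Devices=count() by Property, Value
| order by Devices asc
| render barchart
```

Repeat the query for the HKCU hive and the RunOnce keys to cover per-user autostarts; a Value that points into a user-writable path (a profile or temp folder) deserves the same scrutiny as a rare one.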

Next steps
To learn more about CMPivot, see Use CMPivot.
CMPivot for real-time data in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager has always provided a large centralized store of device data,
which customers use for reporting purposes. The site typically collects this data on a
weekly basis. Starting in version 1806, CMPivot is a new in-console utility that now
provides access to real-time state of devices in your environment. It immediately runs a
query on all currently connected devices in the target collection and returns the results.
Then filter and group this data in the tool. By providing real-time data from online
clients, you can more quickly answer business questions, troubleshoot issues, and
respond to security incidents.

For example, in mitigating speculative execution side channel vulnerabilities, one of the requirements is to update the system BIOS. You can use CMPivot to quickly query system BIOS information, and find clients that aren't in compliance.
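The BIOS check described above, written out as an added example that is not part of the original article. The Bios entity's column names are assumed to follow Win32_BIOS (Manufacturer, SMBIOSBIOSVersion, ReleaseDate), and 'Contoso' and '1.12.0' are placeholders for the vendor and the firmware version that carries the mitigation; the // comments are KQL syntax. Firmware versions are strings, so the query tests for inequality against the exact known-good value for that vendor rather than using < or >, which would compare character by character.

```kql
// Added example, not from the article: devices still on a BIOS version without the mitigation.
// Column names follow Win32_BIOS (assumed); vendor and version are placeholders.
// Compare against the exact known-good string per vendor or model; '<' on version strings is lexicographic.
Bios
| where Manufacturer like '%Contoso%' and SMBIOSBIOSVersion != '1.12.0'
| project Device, Manufacturer, SMBIOSBIOSVersion, ReleaseDate
| order by ReleaseDate asc

// Same filter, reduced to a single number for tracking the remediation.
Bios
| where Manufacturer like '%Contoso%' and SMBIOSBIOSVersion != '1.12.0'
| count
```

Run the two queries separately. Because the vendor and version vary per hardware model, keep one where clause per model and combine them with or, or run the query once per model collection.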

Important

Some security software may block scripts running from c:\windows\ccm\scriptstore. This can prevent successful execution of CMPivot queries. Some security software may also generate audit events or alerts when running CMPivot PowerShell. Certain anti-malware software may inadvertently trigger events against the Configuration Manager Run Scripts or CMPivot features. It's recommended to exclude %windir%\CCM\ScriptStore so that the anti-malware software permits those features to run without interference. Scope the exclusion to that folder only, since anything placed in an excluded folder runs unscanned.

Prerequisites
The following components are required to use CMPivot:

Upgrade the target devices to the latest version of the Configuration Manager
client.

Target clients require a minimum of PowerShell version 4.

To gather data for the following entities, target clients require PowerShell version 5.0:
    Administrators
    Connection
    IPConfig
    SMBConfig

CMPivot and the Microsoft Edge installer are currently signed with the Microsoft Code Signing PCA 2011 certificate. If you set the PowerShell execution policy to AllSigned, then you need to make sure that devices trust this signing certificate. You can export the certificate from a computer where you've installed the Configuration Manager console. View the certificate on "C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\CMPivot.exe", and then export the code signing certificate from the certification path. Then import it to the machine's Trusted Publishers store on managed devices. You can use the process in the following blog, but make sure to export the code signing certificate from the certification path: Adding a Certificate to Trusted Publishers using Intune.

Permissions
The following permissions are needed for CMPivot:

Run CMPivot permission on the Collection
Read permission on Inventory Reports
Read permission on the SMS Scripts object
    Read for SMS Scripts isn't required starting in version 2107. CMPivot doesn't need Read for SMS Scripts for its primary scenario starting in version 2107. However, if the administration service is down and the permission has been removed, CMPivot will fail when the administration service falls back. The SMS Provider still requires Read permission on SMS Scripts if the administration service falls back to it due to a 503 (Service Unavailable) error, as seen in the CMPivot.log.
The default scope
    The default scope isn't required starting in version 2107.

CMPivot permissions by Configuration Manager version

Version 1902 and earlier:
    Run Script permission on the Collection
    Read permission on Inventory Reports
    Read permission on SMS Scripts
    Default scope permission

Versions 1906 through 2103:
    Run CMPivot permission on the Collection
    Read permission on Inventory Reports
    Read permission on SMS Scripts
    Default scope permission

Versions 2107 or later:
    Run CMPivot permission on the Collection
    Read permission on Inventory Reports
    Read permission on SMS Scripts: N/A. The SMS Provider still requires Read permission on SMS Scripts if the administration service falls back to it due to a 503 (Service Unavailable) error, as seen in the CMPivot.log.
    Default scope permission: N/A

Limitations
CMPivot only returns data for clients connected to the current site unless it's run
from the central administration site (CAS).
If a collection contains devices from another site, CMPivot results are only from
devices in the current site unless CMPivot is run from the CAS.
In some environments, additional permissions are needed for CMPivot to run on
the CAS. For more information, see CMPivot changes for version 1902.
You can't customize entity properties, columns for results, or actions on devices.
Only one instance of CMPivot can run at the same time on a computer that is
running the Configuration Manager console.
In CMPivot standalone, you're not able to access CMPivot queries stored in the
Community hub.
When single sign-on with multifactor authentication is used, you may not be able to sign into Community hub from CMPivot when using Configuration Manager 2103 and earlier.

Start CMPivot
1. In the Configuration Manager console, connect to the primary site or the CAS. Go
to the Assets and Compliance workspace, and select the Device Collections node.
Select a target collection, and select Start CMPivot in the ribbon to launch the
tool. If you don't see this option, check the following configurations:

Confirm with a site administrator that your account has the required
permissions. For more information, see Prerequisites.

2. The interface provides further information about using the tool.

Manually enter query strings at the top, or select the links in the in-line
documentation.

Select one of the Entities to add it to the query string.

The links for Table Operators, Aggregation Functions, and Scalar Functions
open language reference documentation in the web browser. CMPivot uses
the Kusto Query Language (KQL).

3. Keep the CMPivot window open to view results from clients. When you close the
CMPivot window, the session is complete.

If the query has been sent, then clients still send a state message response to
the server.

How to use CMPivot

The CMPivot window contains the following elements:


1. The collection that CMPivot currently targets is in the title bar at the top, and the
status bar at the bottom of the window. For example, "PM_Team_Machines" in the
above screenshot.

2. The pane on the left lists the Entities that are available on clients. Some entities
rely upon WMI while others use PowerShell to get data from clients.

Right-click an entity for the following actions:

Insert: Add the entity to the query at the current cursor position. The
query doesn't automatically run. This action is the default when you
double-click an entity. Use this action when building a query.

Query all: Run a query for this entity including all properties. Use this
action to quickly query for a single entity.

Query by device: Run a query for this entity and group the results. For
example, Disk | summarize dcount( Device ) by Name

Expand an entity to see specific properties available for each entity. Double-click
a property to add it to the query at the current cursor position.

3. The Home tab shows general information about CMPivot, including links to
sample queries and supporting documentation.

4. The Query tab displays the query pane, results pane, and status bar. The query tab
is selected in the above screenshot example.

5. The query pane is where you build or type a query to run on clients in the
collection.

CMPivot uses a subset of the Kusto Query Language (KQL).

Cut, copy, or paste content in the query pane.

By default, this pane uses IntelliSense. For example, if you start typing D,
IntelliSense suggests all of the entities that start with that letter. Select an
option and press Tab to insert it. Type a pipe character and a space (| ), and
then IntelliSense suggests all of the table operators. Insert summarize and
type a space, and IntelliSense suggests all of the aggregation functions. For
more information on these operators and functions, select the Home tab in
CMPivot.

The query pane also provides the following options:


Run the query.
To rerun your current CMPivot query on the clients, hold Ctrl while
clicking Run.

Move backwards and forwards in the history list of queries.

Create a direct membership collection.

Export the query results to CSV or the clipboard.

6. The results pane displays the data returned by active clients for the query.

The available columns vary based upon the entity and the query.

The color saturation of the data in the results table or chart indicates if the
data is live or from the last hardware inventory scan stored in the site
database. For example, black is real-time data from an online client whereas
grey is cached data.

Select a column name to sort the results by that property.

Right-click on any column name to group the results by the same information
in that column, or sort the results.

Right-click on a device name to take the following additional actions on the
device:

Pivot to: Query for another entity on this device.


Starting in version 2006, Pivot to was replaced by Device Pivot. For
more information, see CMPivot changes for version 2006.

Run Script: Launch the Run Script wizard to run an existing PowerShell
script on this device. For more information, see Run a script.

Remote Control: Launch a Configuration Manager Remote Control session
on this device. For more information, see How to remotely administer a
Windows client computer.

Resource Explorer: Launch Configuration Manager Resource Explorer for
this device. For more information, see View hardware inventory or View
software inventory.

Right-click on any non-device cell to take the following additional actions:

Copy: Copy the text of the cell to the clipboard.


Show devices with: Query for devices with this value for this property. For
example, from the results of the OS query, select this option on a cell in
the Version row: OS | summarize countif( (Version == '10.0.17134') ) by
Device | where (countif_ > 0)

Show devices without: Query for devices without this value for this
property. For example, from the results of the OS query, select this option
on a cell in the Version row: OS | summarize countif( (Version ==
'10.0.17134') ) by Device | where (countif_ == 0) | project Device

Bing it: Launch the default web browser to https://www.bing.com with
this value as the query string.

Select any hyperlinked text to pivot the view on that specific information.

The results pane doesn't show more than 20,000 rows. Either adjust the query
to further filter the data, or restart CMPivot on a smaller collection.

7. The status bar shows the following information (from left to right):

The status of the current query to the target collection. This status includes:

The number of active clients that completed the query (3)

The number of total clients (5)

The number of offline clients (2)

Any clients that returned failure (0)

For example: Query completed on 3 of 5 clients (2 clients offline and
0 failure)

The ID of the client operation. For example: id(16780221)

The current collection. For example: PM_Team_Machines

The total number of rows in the results pane. For example, 1 objects

Tip

Starting in version 2107, use the Query devices again button, or Ctrl + F5 to force
the client to retrieve the data again for the query. Using Query devices again is
useful when you expect the data to change on the device since the last query, such
as during troubleshooting. Selecting Run query again after the initial results are
returned only parses the data CMPivot has already retrieved from the client.

Publish query to Community hub from CMPivot
(Applies to version 2107 or later)

Starting in version 2107, you can publish a CMPivot query to the Community hub
directly from the CMPivot window. Submitting your queries directly through CMPivot
makes contributing to the Community hub easier.

You'll need the following requirements for CMPivot and for contributing to the
Community hub:

Meet all of the CMPivot prerequisites and permissions

Enable Community hub.
If needed, install the Microsoft Edge WebView2 extension from the
Configuration Manager console notification.
A GitHub account that's joined to Community hub
You must accept the invitation sent in the email; otherwise you won't be able to
contribute content.

1. Go to the Assets and Compliance workspace then select the Device Collections
node.

2. Select a target collection, target device, or group of devices then select Start
CMPivot in the ribbon to launch the tool.

3. From the CMPivot window, select the Community hub icon on the menu.
4. Select Sign in, then sign into GitHub.

5. Create a CMPivot query, then select Run Query to verify it functions as expected.

Optionally, select the folder icon to access your favorites list to use a query
you've already created.

6. Select the Publish link at top of CMPivot's Community hub window when you're
ready to submit your query.

7. Give your query a Name and Description, then select the Publish button to send
your query to the Community hub.

8. Once the contribution is complete, you can access your query anytime from the
Me tab.
9. To view the GitHub pull request (PR), go to
https://github.com/Microsoft/configmgr-hub/pulls. You can also access the PR
link from the Your hub page in the Community hub node.

PRs shouldn't be submitted directly to the GitHub repository.

Note

Currently, when you publish a query through CMPivot, you can't edit or delete
it after publishing.
Community hub is only available in CMPivot when you run it from the
Configuration Manager console. Community hub isn't available from
standalone CMPivot.

Example scenarios for CMPivot


The following sections provide examples of how you might use CMPivot in your
environment:

Example 1: Stop a running service


Your security administrator asks you to stop and disable the Computer Browser service
as quickly as possible on all devices in the accounting department. You start CMPivot on
a collection for all devices in accounting, and select Query all on the Service entity.

Service

As results appear, you right-click on the Name column and select Group by.

Service | summarize dcount( Device ) by Name

In the row for the Browser service, you select the hyperlinked number in the dcount_
column.

Service | where (Name == 'Browser') | summarize count() by Device

You multi-select all devices, right-click the selection, and choose Run Script. This action
launches the Run Script wizard, from which you run an existing script you have for
stopping and disabling a service. With CMPivot you quickly respond to the security
incident for all active computers, viewing results in the Run Script wizard. You then
follow up to create a configuration baseline to remediate other computers in the
collection as they become active in the future.

Example 2: Proactively resolve application failures


To be proactive with operational maintenance, once a week you run CMPivot against a
collection of servers that you manage, and select Query all on the AppCrash entity. You
right-click the FileName column and select Sort Ascending. One device returns seven
results for sqlsqm.exe with a timestamp about 03:00 every day. You select the file name
in one of the rows, right-click it, and select Bing It. Browsing the search results in the
web browser, you find a Microsoft support article for this issue with more information
and resolution.

Example 3: BIOS version


To mitigate speculative execution side channel vulnerabilities, one of the requirements
is to update the system BIOS. You start with a query for the BIOS entity. You then Group
by the Version property. Then right-click a specific value, such as "LENOVO - 1140", and
select Show devices with.

Bios | summarize countif( (Version == 'LENOVO - 1140') ) by Device | where (countif_ > 0)

Example 4: Free disk space


You need to temporarily store a large file on a network file server, but aren't sure which
one has enough capacity. Start CMPivot against a collection of file servers, and query
the Disk entity. Modify the query for CMPivot to quickly return a list of active servers
with real-time storage data:

Disk | where (Description == 'Local Fixed Disk') | where isnotnull( FreeSpace ) | order by FreeSpace asc

CMPivot standalone
You can use CMPivot as a standalone app. CMPivot standalone is only available in
English. Run CMPivot outside of the Configuration Manager console to view the
real-time state of devices in your environment. This change enables you to use
CMPivot on a device without first installing the console.

You can share the power of CMPivot with other personas, such as helpdesk or security
admins, who don't have the console installed on their computer. These other personas
can use CMPivot to query Configuration Manager alongside the other tools that they
traditionally use. By sharing this rich management data, you can work together to
proactively solve business problems that cross roles.

Install CMPivot standalone

1. Set up the permissions needed to run CMPivot. For more information, see
prerequisites. You can also use the Security Administrator role if the permissions
are appropriate for the user.

2. Find the CMPivot app installer in the following path: <site install
path>\tools\CMPivot\CMPivot.msi. You can run it from that path, or copy it to
another location.

3. When you run the CMPivot standalone app, you'll be asked to connect to a site.
Specify the fully qualified domain name or computer name of either the Central
Administration or primary site server.

Each time you open CMPivot standalone you'll be prompted to connect to a
site server.

4. Browse to the collection on which you want to run CMPivot, then run your query.

Note

Right-click actions, such as Run Scripts, Resource Explorer, and web search
aren't available in CMPivot standalone. CMPivot standalone's primary use is
querying independently from the Configuration Manager infrastructure. To
help security administrators, CMPivot standalone does include the ability to
connect to Microsoft Defender Security Center.
You can do local device query evaluation using CMPivot standalone.

Inside CMPivot
CMPivot sends queries to clients using the Configuration Manager "fast channel". This
communication channel from server to client is also used by other features such as client
notification actions, client status, and Endpoint Protection. Clients return results via the
similarly quick state message system. State messages are temporarily stored in the
database. For more information about the ports used for client notification, see the
Ports article.

The queries and the results are all just text. The entities InstallSoftware and Process
return some of the largest result sets. During performance testing, the largest state
message file size from one client for these queries was less than 1 KB. Scaled to a large
environment with 50,000 active clients, this one-time query would generate less than 50
MB of data across the network. All the items on the welcome page that are underlined
will return less than 1 KB of info per client.

Starting in Configuration Manager 1810, CMPivot can query hardware inventory data,
including extended hardware inventory classes. These new entities (entities not
underlined on the welcome page) may return much larger data sets, depending on how
much data is defined for a given hardware inventory property. For example, the
"InstalledExecutable" entity might return multiple MB of data per client, depending on
the specific data you query on. Be mindful of the performance and scalability on your
systems when returning larger hardware inventory data sets from larger collections
using CMPivot.

A query times out after one hour. For example, a collection has 500 devices, and 450 of
the clients are currently online. Those active devices receive the query and return the
results almost immediately. If you leave the CMPivot window open, as the other 50
clients come online, they also receive the query, and return results.

Log files
CMPivot interactions are logged to the following log files:

Server-side:

SmsProv.log
BgbServer.log
StateSys.log

Client-side:

CcmNotificationAgent.log
Scripts.log
StateMessage.log

For more information, see Log files and Troubleshooting CMPivot.


Next steps
Changes to CMPivot
Troubleshooting CMPivot
Create and run PowerShell scripts
Changes to CMPivot
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the following information to learn about changes made to CMPivot between Configuration
Manager versions:

CMPivot changes for version 2107

Simplified CMPivot permissions requirements


We've simplified the CMPivot permissions requirements. The new permissions are applicable for
CMPivot standalone and CMPivot in the on-premises console. The following changes have been
made:

CMPivot no longer requires SMS Scripts read permission


The SMS Provider still requires this permission if the administration service falls back to it
due to a 503 (Service Unavailable) error, as seen in the CMPivot.log.

The default scope permission isn't required.

General improvements to CMPivot


We've made the following improvements to CMPivot:

Added maxif and minif aggregators that can be used with the summarize operator
Improvements to query autocomplete suggestions in the query editor
Added a Key value to the Registry entity
Added a new RegistryKey entity that returns all registry keys matching the given expression

To review the difference between the Registry and RegistryKey entities, you can use the following
samples:

Kusto

// Change the path to match your desired registry hive query

Registry('hklm:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\*')

RegistryKey('hklm:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\*')

RegistryKey('hklm:\SOFTWARE\Microsoft\SMS\*')

Registry('hklm:\SOFTWARE\Microsoft\SMS\*')
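As an added example (not one of the article's own samples), the following query exercises the 2107 maxif and minif aggregators together with countif on the Disk entity. It assumes the Disk columns that the article's Example 4 query uses (Device, Description, FreeSpace); the 'Local Fixed Disk' value comes from that same example.

```kusto
// Added example, not from the original article.
// Per device: free space on the emptiest and fullest local fixed disk, plus how
// many fixed disks reported. maxif/minif aggregate only rows whose predicate is
// true, so removable and network drives drop out without a separate where stage.
// Column names (Device, Description, FreeSpace) and the 'Local Fixed Disk'
// value are assumed from the article's Example 4 Disk query.
Disk
| where isnotnull(FreeSpace)
| summarize MaxFixedFree = maxif(FreeSpace, Description == 'Local Fixed Disk'), MinFixedFree = minif(FreeSpace, Description == 'Local Fixed Disk'), FixedDiskCount = countif(Description == 'Local Fixed Disk') by Device
| where FixedDiskCount > 0
| order by MinFixedFree asc
```

Devices whose fullest fixed disk has the least free space sort to the top, which is the list you want when hunting for systems about to run out of space for logs or updates.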

CMPivot changes for version 2103


Starting in version 2103, the following improvements have been made for CMPivot:

Warning message and export CMPivot data option when results are too large
Access the top queries shared in the Community hub from CMPivot

Warning message and export CMPivot data option when results are too large

When results are too large the following warning message is displayed:

Your query returned a large number of results. Narrow the results by modifying the query, or
select this banner to export the results.

This message occurs in the following scenarios:

When results are greater than 100,000 cells.

For instance, the warning threshold is reached for 10,000 devices (rows) with 10 columns
of entity data.
In this case, you'll be given an option to export results to a .csv file.

When more than 128 KB of data is requested to be returned from a given device.
For instance, CcmLog('ciagent', 120d) queries log results and is likely to be over the 128
KB limit.
When the results are over 128 KB, you'll get a warning, but you can't export them since
they won't be returned from the client to the server.

Access the top queries shared in the Community hub from CMPivot

Starting in version 2103, you can access the top CMPivot queries shared in the Community hub
from on-premises CMPivot. By using pre-created CMPivot queries shared by the broader
community, CMPivot users gain access to a wider variety of queries. On-premises CMPivot
accesses the Community hub and returns a list of the top downloaded CMPivot queries. Users can
review the top queries, customize them, and then run on-demand. This improvement gives a
wider selection of queries for immediate usage without having to construct them and also allows
information sharing on how to build queries for future reference.

Note

These queries are available when you run CMPivot from the Configuration Manager console.
They're not yet available from standalone CMPivot.

Prerequisites:
Meet all of the CMPivot prerequisites and permissions
Enable Community hub. You don't need a GitHub account to download content.
Verify which content categories are displayed for community hub
Install the Microsoft Edge WebView2 extension from the Configuration Manager console
notification

Use CMPivot to access the top Community hub queries

1. Go to the Assets and Compliance workspace then select the Device Collections node.

2. Select a target collection, target device, or group of devices then select Start CMPivot in the
ribbon to launch the tool.

3. Use the community hub icon on the menu.

4. Review the list of top shared CMPivot queries.

5. Select one of the top queries to load it into the query pane.

6. Edit the query if needed then select Run Query.

7. Optionally, select the folder icon to access your favorites list. Add the original query or your
edited version to your favorites list to run later. Select the community hub icon to search for
another query.

8. Keep the CMPivot window open to view results from clients. When you close the CMPivot
window, the session is complete. If the query has been sent, then clients still send a state
message response to the server.

CMPivot changes for version 2006

Starting in version 2006, the following improvements have been made for CMPivot:

CMPivot standalone and CMPivot launched from the admin console have converged. When
you launch CMPivot from the admin console, it uses the same underlying technology as
CMPivot standalone to give you scenario parity.

Improvements for keyboard navigation in CMPivot.

You can run CMPivot from an individual device or multiple devices from the devices node
without needing to select a device collection. This improvement makes it easier for people,
such as those working as the Helpdesk persona, to create CMPivot queries for specific
devices outside a pre-created collection.
Select an individual device or multi-select devices in a device collection, then select
Start CMPivot.

Upon returning devices within a query list view, you can select Device Pivot on one or more
devices and then pivot and query on just those devices to drill in further. This change allows
you to drill in without querying the larger set of devices from the original collection. Device
Pivot replaced Pivot to.
Within an existing CMPivot operation, select an individual device or multi-select devices
from the output. Right-click and pivot using the Device Pivot option. This action launches
a separate CMPivot instance scoped to just the devices you selected. This makes it easier
to pivot and just query on devices desired without needing to create a collection for
them.

When you run CMPivot for an individual device, the device name is listed at the top of the
window. For multiple devices, the number of devices selected is listed at the top of the
window.

The Create Collection option in the Query Summary tab was removed since CMPivot no
longer requires querying against a collection. Perform a Device Pivot to open a new instance
of CMPivot scoped to just the devices you want to query on. Create Collection is still
available on the main menu.

CMPivot changes for version 2002

We've made it easier to navigate CMPivot entities. Starting in Configuration Manager version
2002, you can search CMPivot entities. New icons have also been added to easily differentiate the
entities and the entity object types.

CMPivot changes for version 1910


Starting in version 1910, CMPivot was significantly optimized to reduce network traffic and load
on your servers. Additionally, a number of entities and entity enhancements were added to aid in
troubleshooting and hunting. The following changes were introduced for CMPivot in version
1910:

Optimizations to the CMPivot engine


Additional entities and entity enhancements:
Windows event logs (WinEvent)
File content (FileContent)
Dlls loaded by processes (ProcessModule)
Azure Active Directory information (AADStatus)
Endpoint protection status (EPStatus)
Local device query evaluation using CMPivot standalone
Other enhancements to CMPivot

Optimizations to the CMPivot engine


To reduce network traffic and load on your servers, CMPivot was optimized in 1910. Many query
operations are now performed directly on the client rather than on the servers. This change also
means that some CMPivot operations return minimal data from the first query. If you decide to
drill into the data for more information, a new query might run to fetch the additional data from
the client. For instance, previously a large data set was returned to the server when you ran a
"summarized count" query. While returning a large data set offered immediate drill-down, many
times only the summarized count was needed. In 1910 when you choose to drill into a specific
client, another collection of the data occurs to return the additional data you've requested. This
change brings better performance and scalability to queries against a large number of clients.

Examples
The CMPivot optimizations drastically reduce the network and server CPU load needed to run
CMPivot queries. With these optimizations, we can now sift through gigabytes of client data in
real time. The following queries illustrate these optimizations:

Search all event logs on all clients in your enterprise for authentication failures.

Kusto

EventLog('Security')
| where EventID == 4673
| summarize count() by Device
| order by count_ desc

Search for a file by hash.

Kusto

Device
| join kind=leftouter ( File('%windir%\\system32\\*.exe')
| where SHA256Hash == 'A92056D772260B39A876D01552496B2F8B4610A0B1E084952FE1176784E2CE77')
| project Device, MalwareFound = iif( isnull(FileName), 'No', 'Yes')

WinEvent(<logname>,[<timespan>])
This entity is used to get events from event logs and event tracing log files. The entity gets data
from event logs that are generated by the Windows Event Log technology. The entity also gets
events in log files generated by Event Tracing for Windows (ETW). WinEvent looks at events that
have occurred within the last 24 hours by default. However, the 24-hour default can be overridden
by including a timespan.

Kusto

WinEvent('Microsoft-Windows-HelloForBusiness/Operational', 1d)
| where LevelDisplayName =='Error'
| summarize count() by Device

FileContent(<filename>)
FileContent is used to get the contents of a text file.

Kusto

FileContent('c:\\windows\\SMSCFG.ini')
| where Content startswith 'SMS Unique Identifier='
| project Device, SMSId= substring(Content,22)

ProcessModule(<processname>)
This entity is used to enumerate the modules (dlls) loaded by a given process. ProcessModule is
useful when hunting for malware that hides in legitimate processes.

Kusto

ProcessModule('powershell')
| summarize count() by ModuleName
| order by count_ desc

AadStatus
This entity can be used to get the current Azure Active Directory identity information from a
device.

Kusto

AadStatus
| project Device, IsAADJoined=iif( isnull(DeviceId),'No','Yes')
| summarize DeviceCount=count() by IsAADJoined
| render piechart

EPStatus
EPStatus is used to get the status of antimalware software installed on the computer.

Kusto

EPStatus
| project Device, QuickScanAge=datetime_diff('day',now(),QuickScanEndTime)
| summarize DeviceCount=count() by QuickScanAge
| order by QuickScanAge
| render barchart

Local device query evaluation using CMPivot standalone


When using CMPivot outside of the Configuration Manager console, you can query just the local
device without the need for the Configuration Manager infrastructure. You can now leverage the
CMPivot Azure Log Analytics queries to quickly view WMI information on the local device. This
also enables validation and refinement of CMPivot queries, before running them in a larger
environment. CMPivot standalone is only available in English. For more information about
CMPivot standalone, see CMPivot standalone.

Known issues for local device query evaluation


If you query on This PC for a WMI entity that you don't have access to, such as a locked
down WMI class, you may see a crash in CMPivot. Run CMPivot using an account with
elevated privileges to query those entities.
If you query non-WMI entities on This PC, you'll see an Invalid namespace or an ambiguous
exception.
Run CMPivot standalone from the start menu shortcut, not directly from the path of the
executable file.

Other enhancements
You can do regular expression type queries using the new like operator. For example:

Kusto

//Find BIOS manufacturer that contains any word like Micro, such as Microsoft
Bios
| where Manufacturer like '%Micro%'

We've updated the CcmLog() and EventLog() entities to only look at messages in the last 24
hours by default. This behavior can be overridden by passing in an optional timespan. For
example, the following query will look at events in the last 1 hour:

Kusto

CcmLog('Scripts',1h)

The File() entity has been updated to collect information about Hidden and System files, and
include the MD5 hash. While an MD5 hash isn't as accurate as the SHA256 hash, it tends to
be the commonly reported hash in most malware bulletins.

You can add comments in queries. This behavior is useful when sharing queries. For example:

Kusto

//Get the top ten devices sorted by user
Device
| top 10 by UserName

CMPivot automatically connects to the last site. After you start CMPivot, you can connect to
a new site if necessary.

From the Export menu, select the new option to Query link to clipboard. This action copies
a link to the clipboard that you can share with others. For example:

cmpivot:Ly8gU2FtcGxlIHF1ZXJ5DQpPcGVyYXRpbmdTeXN0ZW0NCnwgc3VtbWFyaXplIGNvdW50KCkgYnkgQ2FwdGlvbg0KfCBvcmRlciBieSBjb3VudF8gYXNjDQp8IHJlbmRlciBiYXJjaGFydA==

This link opens CMPivot standalone with the following query:

Kusto

// Sample query
OperatingSystem
| summarize count() by Caption
| order by count_ asc
| render barchart

Tip

For this link to work, install CMPivot standalone.

In query results, if the device is enrolled in Microsoft Defender for Endpoint, right-click the
device to launch the Microsoft Defender Security Center online portal.

Known issues for CMPivot in version 1910


The maximum results banner may not be displayed when the limit is reached.
Each client is limited to 128 KB worth of data per query.
Results may be truncated if the results of the query exceed 128 KB.

CMPivot changes for version 1906


Starting in version 1906, the following items were added to CMPivot:
Joins, additional operators, and aggregators
Added CMPivot permissions to the Security Administrator role
CMPivot standalone

Add joins, additional operators, and aggregators in CMPivot


You now have additional arithmetic operators, aggregators, and the ability to add query joins such
as using Registry and File together. The following items have been added:

Table operators

join: Merge the rows of two tables to form a new table by matching rows for the same device

render: Render results as graphical output

The render operator already exists in CMPivot. Support for multiple series and the with statement
were added. For more information, see the examples section and Kusto's join operator article.

Limitations for joins

1. The join column is always implicitly done on the Device field.

2. You can use a maximum of 5 joins per query.

3. You can use a maximum of 64 combined columns.

Scalar operators

Operator (description): examples

+ (Add): 2 + 1, now() + 1d

- (Subtract): 2 - 1, now() - 1d

* (Multiply): 2 * 2

/ (Divide): 2 / 1

% (Modulo): 2 % 1

Aggregation functions

percentile(): Returns an estimate for the specified nearest-rank percentile of the population defined by Expr

sumif(): Returns a sum of Expr for which Predicate evaluates to true


Scalar functions

case(): Evaluates a list of predicates and returns the first result expression whose predicate is satisfied

iff(): Evaluates the first argument and returns the value of either the second or third argument, depending on whether the predicate evaluated to true (second) or false (third)

indexof(): Reports the zero-based index of the first occurrence of a specified string within the input string

strcat(): Concatenates between 1 and 64 arguments

strlen(): Returns the length, in characters, of the input string

substring(): Extracts a substring from a source string starting from some index to the end of the string

tostring(): Converts the input to a string

Examples

Show device, manufacturer, model, and OSVersion:

Kusto

ComputerSystem
| project Device, Manufacturer, Model
| join (OperatingSystem | project Device, OSVersion=Caption)

Show graph of boot times for a device:

Kusto

SystemBootData
| where Device == 'MyDevice'
| project SystemStartTime, BootDuration, OSStart=EventLogStart, GPDuration, UpdateDuration
| order by SystemStartTime desc
| render barchart with (kind=stacked, title='Boot times for MyDevice', ytitle='Time (ms)')
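The following query is an added example, not one of the article's own samples. It combines the 1906 join support with the case() and strcat() scalar functions to revisit Example 3 (BIOS version): it joins Bios, ComputerSystem, and OperatingSystem (implicitly on Device, well within the five-join limit) and counts, per model, how many devices still run the BIOS version that needs the update. The column names are the ones the article's own queries use for those entities; 'LENOVO - 1140' is the version string from Example 3, and labelling it as the out-of-date version is a constructed placeholder, not a vendor baseline.

```kusto
// Added example, not from the original article.
// Joins are implicit on Device. Column names are those the article's own
// queries use: Bios (Manufacturer, Version), ComputerSystem (Model),
// OperatingSystem (Caption). 'LENOVO - 1140' is the Example 3 version string;
// treating it as the version that needs updating is a constructed placeholder.
Bios
| project Device, BiosVendor = Manufacturer, BiosVersion = Version
| join (ComputerSystem | project Device, Model)
| join (OperatingSystem | project Device, OSVersion = Caption)
| project Device, Model, OSVersion, Bios = strcat(BiosVendor, ' / ', BiosVersion), BiosStatus = case(BiosVersion == 'LENOVO - 1140', 'Update required', BiosVersion startswith 'LENOVO', 'Current', 'Not assessed')
| where BiosStatus != 'Current'
| summarize DeviceCount = count() by Model, Bios, BiosStatus
| order by DeviceCount desc
```

Rows tagged 'Not assessed' are vendors the case() list does not cover yet; extend the predicate list with one line per vendor baseline as you collect them, and drop the summarize stage when you need the individual device names for a Device Pivot or Run Script action.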

Added CMPivot permissions to the Security Administrator role


Starting in version 1906, the following permissions have been added to Configuration Manager's
built-in Security Administrator role:

Read on SMS Script

Run CMPivot on Collection

Read on Inventory Report

Note

Run Scripts is a super set of the Run CMPivot permission.

CMPivot standalone
You can use CMPivot as a standalone app. CMPivot standalone is only available in English. Run
CMPivot outside of the Configuration Manager console to view the real-time state of devices in
your environment. This change enables you to use CMPivot on a device without first installing the
console.

You can share the power of CMPivot with other personas, such as helpdesk or security admins,
who don't have the console installed on their computer. These other personas can use CMPivot to
query Configuration Manager alongside the other tools that they traditionally use. By sharing this
rich management data, you can work together to proactively solve business problems that cross
roles.

Install CMPivot standalone


1. Set up the permissions needed to run CMPivot. For more information, see prerequisites. You
can also use the Security Administrator role if the permissions are appropriate for the user.

2. Find the CMPivot app installer in the following path: <site install
path>\tools\CMPivot\CMPivot.msi. You can run it from that path, or copy it to another
location.

3. When you run the CMPivot standalone app, you'll be asked to connect to a site. Specify the
fully qualified domain name or computer name of either the Central Administration or
primary site server.

Each time you open CMPivot standalone you'll be prompted to connect to a site server.

4. Browse to the collection on which you want to run CMPivot, then run your query.

Note

Right-click actions, such as Run Scripts, Resource Explorer, and web search aren't
available in CMPivot standalone. CMPivot standalone's primary use is querying
independently from the Configuration Manager infrastructure. To help security
administrators, CMPivot standalone does include the ability to connect to Microsoft
Defender Security Center.

You can do local device query evaluation using CMPivot standalone.

CMPivot changes for version 1902


Starting in Configuration Manager version 1902, you can run CMPivot from the central
administration site (CAS) in a hierarchy. The primary site still handles the communication to the
client. When running CMPivot from the central administration site, it communicates with the
primary site over the high-speed message subscription channel. This communication doesn't rely
upon standard SQL Server replication between sites.

Running CMPivot on the CAS requires additional permissions when SQL Server or the SMS
Provider isn't on the same machine as the CAS, or when SQL Server uses an Always On
availability group. With these remote configurations, you have a "double hop scenario" for CMPivot.

To get CMPivot to work on the CAS in such a "double hop scenario", you can define constrained
delegation. To understand the security implications of this configuration, read the Kerberos
constrained delegation article. Kerberos needs to work through all of the hops between the
machines. If you have more than one remote configuration, such as SQL Server or the SMS Provider
not being colocated with the CAS, or multiple trusted forests, you may require a combination
of permission settings. The following are the steps that you may need to take:

CAS has a remote SQL Server

1. Go to each primary site's SQL Server.
a. Add the CAS remote SQL Server and the CAS site server to the Configmgr_DviewAccess
group.

2. Go to Active Directory Users and Computers.


a. For each primary site server, right click and select Properties.
i. In the delegation tab, choose the third option, Trust this computer for delegation to
specified services only.
ii. Choose Use Kerberos only.
iii. Add the CAS's SQL Server service with port and instance.
iv. Make sure these changes align with your company security policy!
b. For the CAS site, right click and select Properties.
i. In the delegation tab, choose the third option, Trust this computer for delegation to
specified services only.
ii. Choose Use Kerberos only.
iii. Add each primary site's SQL Server service with port and instance.
iv. Make sure these changes align with your company security policy!

CAS has a remote provider

1. Go to each primary site's SQL Server.
a. Add the CAS provider machine account and the CAS site server to the
Configmgr_DviewAccess group.
2. Go to Active Directory Users and Computers.
a. Select the CAS provider machine, right click and select Properties.
i. In the delegation tab, choose the third option, Trust this computer for delegation to
specified services only.
ii. Choose Use Kerberos only.
iii. Add each primary site's SQL Server service with port and instance.
iv. Make sure these changes align with your company security policy!
b. Select the CAS site server, right click and select Properties.
i. In the delegation tab, choose the third option, Trust this computer for delegation to
specified services only.
ii. Choose Use Kerberos only.
iii. Add each primary site's SQL Server service with port and instance.
iv. Make sure these changes align with your company security policy!
3. Restart the CAS remote provider machine.

SQL Server Always On availability groups


1. Go to each primary site's SQL Server.
a. Add the CAS site server to the Configmgr_DviewAccess group.
2. Go to Active Directory Users and Computers.
a. For each primary site server, right click and select Properties.
i. In the delegation tab, choose the third option, Trust this computer for delegation to
specified services only.
ii. Choose Use Kerberos only.
iii. Add the CAS's SQL Server service accounts for the SQL Server nodes with port and
instance.
iv. Make sure these changes align with your company security policy!
b. Select the CAS site server, right click and select Properties.
i. In the delegation tab, choose the third option, Trust this computer for delegation to
specified services only.
ii. Choose Use Kerberos only.
iii. Add each primary site's SQL Server service with port and instance.
iv. Make sure these changes align with your company security policy!
3. Make sure the SPN is published for the CAS listener name and each primary listener name.
4. Restart the primary SQL Server nodes.
5. Restart the CAS site server and the CAS SQL Server nodes.

CMPivot changes for version 1810


CMPivot includes the following improvements starting in Configuration Manager version 1810:

CMPivot utility and performance


Scalar functions
Rendering visualizations
Hardware inventory
Scalar operators
Query summary
Audit status messages

CMPivot utility and performance


CMPivot will return up to 100,000 cells rather than 20,000 rows.
If the entity has 5 properties, meaning 5 columns, up to 20,000 rows will be shown.
For an entity with 10 properties, up to 10,000 rows will be shown.
The total data shown will be less than or equal to 100,000 cells.

On the Query Summary tab, select the count of Failed or Offline devices, and then select the
option to Create Collection. This option makes it easy to target those devices with a
remediation deployment.
This option was removed in version 2006 since CMPivot no longer requires querying
against a collection.
Save Favorite queries by clicking the folder icon.

Clients updated to the 1810 version return output less than 80 KB to the site over a fast
communication channel.
This change increases the performance of viewing script or query output.
If the script or query output is greater than 80 KB, the client sends the data via a state
message.
If the client isn't updated to the 1810 client version, it continues to use state messages.

You may see the following error when you start CMPivot: "You can't use CMPivot right now
due to an incompatible script version. This issue may be because the hierarchy is in the
process of upgrading a site. Wait until the upgrade is complete and then try again."

If you see this message, it could mean:
The security scope isn't set up properly.
A site upgrade is in progress or had problems.
The underlying CMPivot script is incompatible.

Scalar functions
CMPivot supports the following scalar functions:

ago(): Subtracts the given timespan from the current UTC clock time
datetime_diff(): Calculates the calendar difference between two datetime values
now(): Returns the current UTC clock time
bin(): Rounds values down to an integer multiple of a given bin size

Note

The datetime data type represents an instant in time, typically expressed as a date and time
of day. Time values are measured in 1-second units. A datetime value is always in the UTC
time zone. Always express date time literals in ISO 8601 format, for example, yyyy-mm-dd HH:MM:ss

Examples

datetime(2015-12-31 23:59:59.9) : A specific date time literal

now() : The current time

ago(1d) : The current time minus one day

Rendering visualizations
CMPivot now includes basic support for the KQL render operator. This support includes the
following types:

barchart: First column is x-axis, and can be text, datetime or numeric. The second column
must be numeric and is displayed as a horizontal strip.
columnchart: Like barchart, with vertical strips instead of horizontal strips.
piechart: First column is color-axis, second column is numeric.
timechart: Line graph. First column is x-axis, and should be datetime. Second column is y-axis.

Example: bar chart

The following query renders the most recently used applications as a bar chart:

Kusto

CCMRecentlyUsedApplications
| summarize dcount( Device ) by ProductName
| top 10 by dcount_
| render barchart

Example: time chart


To render time charts, use the bin() function to group events in time. The following query
shows when devices have started in the last seven days (boot times at or after ago(7d)):

Kusto

OperatingSystem
| where LastBootUpTime >= ago(7d)
| summarize count() by bin(LastBootUpTime,1d)
| render timechart

Example: pie chart


The following query displays all OS versions in a pie chart:

Kusto

OperatingSystem
| summarize count() by Caption
| render piechart

Hardware inventory
Use CMPivot to query any hardware inventory class. These classes include any custom extensions
you make to hardware inventory. CMPivot immediately returns cached results from the last
hardware inventory scan stored in the site database. At the same time, it updates the results if
necessary with live data from any online clients.

The color saturation of the data in the results table or chart indicates if the data is live or cached.
For example, dark blue is real-time data from an online client. Light blue is cached data.

Example

Kusto

LogicalDisk
| summarize sum( FreeSpace ) by Device
| order by sum_ desc
| render columnchart

Limitations

The following hardware inventory entities aren't supported:


Array properties, for example IP address
Real32/Real64
Embedded object properties
Inventory entity names must begin with a character
You can't overwrite the built-in entities by creating an inventory entity of the same name

Scalar operators
CMPivot includes the following scalar operators:

Note

LHS: string to the left of the operator
RHS: string to the right of the operator

| Operator | Description | Example (yields true) |
|---|---|---|
| == | Equals | "aBc" == "aBc" |
| != | Not equals | "abc" != "ABC" |
| like | LHS contains a match for RHS | "FabriKam" like "%Brik%" |
| !like | LHS doesn't contain a match for RHS | "Fabrikam" !like "%xyz%" |
| contains | RHS occurs as a subsequence of LHS | "FabriKam" contains "BRik" |
| !contains | RHS doesn't occur in LHS | "Fabrikam" !contains "xyz" |
| startswith | RHS is an initial subsequence of LHS | "Fabrikam" startswith "fab" |
| !startswith | RHS isn't an initial subsequence of LHS | "Fabrikam" !startswith "kam" |
| endswith | RHS is a closing subsequence of LHS | "Fabrikam" endswith "Kam" |
| !endswith | RHS isn't a closing subsequence of LHS | "Fabrikam" !endswith "brik" |
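The operator semantics in the table above, as an added Python model that is not code from the Configuration Manager documentation. It assumes that == and != are case-sensitive while the other operators ignore case, and that like treats % as its only wildcard; the Bios rows are constructed sample data for the page's "Bios | where Manufacturer like '%Micro%'" query.

```python
"""CMPivot string operator semantics from the operator table, as an added example
(not code from the Configuration Manager documentation). Assumptions: == and !=
compare case-sensitively, the other operators ignore case, and like treats '%'
as its only wildcard. The Bios rows are constructed sample data."""
import re


def _like(lhs: str, rhs: str) -> bool:
    # Each '%' may match any run of characters; everything else is literal text.
    pattern = ".*".join(re.escape(part) for part in rhs.split("%"))
    return re.fullmatch(pattern, lhs, flags=re.IGNORECASE | re.DOTALL) is not None


def _contains(lhs: str, rhs: str) -> bool:
    return rhs.casefold() in lhs.casefold()


def _startswith(lhs: str, rhs: str) -> bool:
    return lhs.casefold().startswith(rhs.casefold())


def _endswith(lhs: str, rhs: str) -> bool:
    return lhs.casefold().endswith(rhs.casefold())


# Positive forms; a leading '!' negates the result in evaluate().
_POSITIVE = {
    "==": lambda lhs, rhs: lhs == rhs,
    "like": _like,
    "contains": _contains,
    "startswith": _startswith,
    "endswith": _endswith,
}


def evaluate(lhs: str, op: str, rhs: str) -> bool:
    """Evaluate `lhs <op> rhs` with CMPivot's string operator semantics."""
    if op == "!=":
        return not _POSITIVE["=="](lhs, rhs)
    negate = op.startswith("!")
    base = op[1:] if negate else op
    if base not in _POSITIVE:
        raise ValueError(f"unsupported operator: {op}")
    result = _POSITIVE[base](lhs, rhs)
    return not result if negate else result


def where(rows, column, op, rhs):
    """Model `| where <column> <op> '<rhs>'` over a list of row dicts."""
    return [row for row in rows if evaluate(str(row[column]), op, rhs)]


# The examples from the operator table; every one should yield true.
TABLE_EXAMPLES = [
    ("aBc", "==", "aBc"),
    ("abc", "!=", "ABC"),
    ("FabriKam", "like", "%Brik%"),
    ("Fabrikam", "!like", "%xyz%"),
    ("FabriKam", "contains", "BRik"),
    ("Fabrikam", "!contains", "xyz"),
    ("Fabrikam", "startswith", "fab"),
    ("Fabrikam", "!startswith", "kam"),
    ("Fabrikam", "endswith", "Kam"),
    ("Fabrikam", "!endswith", "brik"),
]


def check_table_examples() -> bool:
    return all(evaluate(lhs, op, rhs) for lhs, op, rhs in TABLE_EXAMPLES)


# Constructed Bios rows, modelling: Bios | where Manufacturer like '%Micro%'
SAMPLE_BIOS = [
    {"Device": "PC01", "Manufacturer": "Microsoft Corporation"},
    {"Device": "PC02", "Manufacturer": "Dell Inc."},
    {"Device": "PC03", "Manufacturer": "American Megatrends Inc."},  # "Mega", not "Micro"
    {"Device": "PC04", "Manufacturer": "MICRO-STAR INTERNATIONAL"},  # matches, case ignored
]

if __name__ == "__main__":
    print("table examples hold:", check_table_examples())
    for row in where(SAMPLE_BIOS, "Manufacturer", "like", "%Micro%"):
        print(row["Device"], row["Manufacturer"])
```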

Query summary
Select the Query Summary tab at the bottom of the CMPivot window. This status helps you
identify clients that are offline, or troubleshoot errors that may occur. Select a value in the Count
column to open a list of specific devices with that status.

For example, select the count of devices with a Failure status. See the specific error message, and
export a list of these devices. If the error is that a specific cmdlet isn't recognized, create a
collection from the exported device list to deploy a Windows PowerShell update.

CMPivot audit status messages


Starting in version 1810, when you run CMPivot, an audit status message is created with
MessageID 40805. You can view the status messages by going to Monitoring > System Status >
Status Message Queries. You can run All Audit status Messages for a Specific User, All Audit
status Messages for a Specific Site, or create your own status message query.

The following format is used for the message:

MessageId 40805: User <UserName> ran script <Script-Guid> with hash <Script-Hash> on collection <Collection-ID>.

7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14 is the Script-Guid for CMPivot.
The Script-Hash can be seen in the client's scripts.log file.
You can also see the hash stored in the client's script store. The filename on the client is
<Script-Guid>_<Script-Hash>.
Example file name: C:\Windows\CCM\ScriptStore\7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_abc1d23e45678901fabc123d456ce789fa1b2cd3e456789123fab4c56789d0123.ps

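An added example, not from the documentation, that reviews records in this MessageId 40805 format (smsprov.log logs the same "User ... ran script ... with hash ... on collection ..." wording) against an allow-list of CMPivot users and known script hashes. Only the CMPivot Script-Guid and the version 1902 hash quoted in the troubleshooting article are real values; the approved users, collection ID and sample lines are constructed.

```python
"""Added example, not from the Configuration Manager documentation: review CMPivot
audit records in the MessageID 40805 format (the smsprov.log "Auditing:" line uses
the same wording) and flag runs outside an allow-list. The Script-Guid and the
known hash come from this documentation; the approved-user set, collection ID,
user names and sample lines are constructed."""
import re
from collections import Counter

CMPIVOT_SCRIPT_GUID = "7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14"

# Script-Hash values you have observed for CMPivot at your site versions (assumption:
# this set is refreshed from smsprov.log after each site upgrade). The value below is
# the version 1902 hash quoted in the troubleshooting article.
KNOWN_CMPIVOT_HASHES = {
    "dc6c2ad05f1bfda88d880c54121c8b5cea6a394282425a88dd4d8714547dc4a2",
}

# Accounts that hold "Run CMPivot" in your RBAC design (constructed values).
APPROVED_CMPIVOT_USERS = {r"CONTOSO\cm-admin", r"CONTOSO\sec-analyst"}

AUDIT_RE = re.compile(
    r"User (?P<user>\S+) ran script (?P<guid>[0-9A-Fa-f-]{36}) "
    r"with hash (?P<hash>[0-9A-Fa-f]{64}) on collection (?P<collection>[^\s.]+)"
)


def parse_audit_line(line: str):
    """Return the fields of one audit record, or None if the line isn't one."""
    match = AUDIT_RE.search(line)
    if match is None:
        return None
    record = match.groupdict()
    record["guid"] = record["guid"].upper()
    record["hash"] = record["hash"].lower()
    return record


def analyze(lines):
    """Return (findings, runs_per_user) for the CMPivot runs found in `lines`."""
    findings = []
    runs_per_user = Counter()
    for line in lines:
        record = parse_audit_line(line)
        # Other scripts log the same message with their own Script-Guid; skip them.
        if record is None or record["guid"] != CMPIVOT_SCRIPT_GUID:
            continue
        runs_per_user[record["user"]] += 1
        if record["user"] not in APPROVED_CMPIVOT_USERS:
            findings.append({"rule": "unapproved-user", **record})
        if record["hash"] not in KNOWN_CMPIVOT_HASHES:
            # The client stores the script as <Script-Guid>_<Script-Hash>, so a hash
            # you don't recognise means a script body you haven't reviewed.
            findings.append({"rule": "unexpected-script-hash", **record})
    return findings, runs_per_user


KNOWN_HASH = next(iter(KNOWN_CMPIVOT_HASHES))
SAMPLE_LINES = [  # constructed, in the MessageID 40805 and smsprov.log formats
    f"MessageId 40805: User CONTOSO\\cm-admin ran script {CMPIVOT_SCRIPT_GUID} "
    f"with hash {KNOWN_HASH} on collection XYZ00042.",
    f"Auditing: User CONTOSO\\helpdesk01 ran script {CMPIVOT_SCRIPT_GUID} "
    f"with hash {KNOWN_HASH} on collection XYZ00042.",
    f"MessageId 40805: User CONTOSO\\cm-admin ran script {CMPIVOT_SCRIPT_GUID} "
    f"with hash {'0' * 64} on collection XYZ00042.",
    f"MessageId 40805: User CONTOSO\\cm-admin ran script "
    f"11111111-2222-3333-4444-555555555555 with hash {'a' * 64} on collection XYZ00042.",
]

if __name__ == "__main__":
    findings, counts = analyze(SAMPLE_LINES)
    for finding in findings:
        print(finding["rule"], finding["user"], finding["collection"])
    print(dict(counts))
```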
Next steps
Troubleshooting CMPivot
CMPivot sample scripts
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

Below are a few common query needs and how CMPivot can be used to meet them.
CMPivot uses a subset of the Kusto Query Language (KQL).

Operating system
Gets operating system information.

Kusto

// Sample query for OS information
OperatingSystem

Recently used applications


The following query gets recently used applications (last 2 hours):

Kusto

CCMRecentlyUsedApplications
| where (LastUsedTime > ago(2h))
| project CompanyName, ProductName, ProductVersion, LastUsedTime

Device start times


The following query shows when devices have started in the last seven days (boot times at or
after ago(7d)):

Kusto

OperatingSystem
| where LastBootUpTime >= ago(7d)
| summarize count() by bin(LastBootUpTime,1d)

Free disk space


The following query shows free disk space:

Kusto

LogicalDisk
| project Device, DeviceID, Name, Description, FileSystem, Size, FreeSpace
| order by DeviceID asc

Device information
Show device, manufacturer, model, and OSVersion:

Kusto

ComputerSystem
| project Device, Manufacturer, Model
| join (OperatingSystem | project Device, OSVersion=Caption)

Boot times for a device


Show boot times for devices:

Kusto

SystemBootData
| project Device, SystemStartTime, BootDuration, OSStart=EventLogStart, GPDuration, UpdateDuration
| order by SystemStartTime desc

Authentication failures
Search the event logs for authentication failures.

Kusto

EventLog('Security')
| where EventID == 4673

ProcessModule(<processname>)

Enumerates all the modules (dlls) loaded by a given process. ProcessModule is useful
when hunting for malware that hides in legitimate processes.

Kusto

ProcessModule('powershell')
| summarize count() by ModuleName
| order by count_ desc

Antimalware software status


Gets the status of antimalware software installed on the computer gathered by the
Get-MpComputerStatus cmdlet. The entity is supported on Windows 10 and Server 2016, or
later with Defender running.

Kusto

EPStatus
| project Device, QuickScanAge=datetime_diff('day',now(),QuickScanEndTime)
| summarize DeviceCount=count() by QuickScanAge

Find BIOS Manufacturer that contains any word like Micro

Kusto

// Find BIOS Manufacturer that contains any word like Micro, such as Microsoft
Bios
| where Manufacturer like '%Micro%'

Find file by its hash


Search for a file by hash.

Kusto

Device
| join kind=leftouter ( File('%windir%\\system32\\*.exe')
| where SHA256Hash == 'A92056D772260B39A876D01552496B2F8B4610A0B1E084952FE1176784E2CE77')
| project Device, MalwareFound = iif( isnull(FileName), 'No', 'Yes')

Find 'Scripts' in the CCM logs in the last hour


The following query looks at events in the last hour:

Kusto

CcmLog('Scripts',1h)

Find information in the registry


Search for registry information.

Kusto

// Change the path to match your desired registry hive query
// The RegistryKey entity (added in version 2107) isn't supported with CMPivot for tenant attached devices.

Registry('hklm:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\*')

RegistryKey('hklm:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\*')

RegistryKey('hklm:\SOFTWARE\Microsoft\SMS\*')

Registry('hklm:\SOFTWARE\Microsoft\SMS\*')

Next steps
To learn more about CMPivot, see Use CMPivot.
Troubleshoot CMPivot
Article • 10/04/2022

CMPivot is a tool that provides access to a real-time state of the devices in your
environment. CMPivot runs a query on all currently connected devices in the target
collection and returns the results.

Occasionally, you might need to troubleshoot CMPivot. For example, if a state message
from a client to CMPivot gets corrupted, the site server can't process the message. This
article helps you understand the flow of information for CMPivot.

Troubleshoot CMPivot in version 1902 and later


In Configuration Manager versions 1902 and later, you can run CMPivot from the central
administration site (CAS) in a hierarchy. The primary site still handles the communication
to the client.

When you run CMPivot from CAS, it uses the high-speed message subscription channel
to communicate with the primary site. CMPivot doesn't use standard SQL Server
replication between sites. If your SQL Server instance or your SMS provider is remote, or
if you use a SQL Server Always On availability group, you'll have a "double hop scenario"
for CMPivot. For information on how to define constrained delegation for a "double hop
scenario", see CMPivot starting in version 1902.

Important

When troubleshooting CMPivot, enable verbose logging on your management points (MPs)
and on the site server's SMS_MESSAGE_PROCESSING_ENGINE to get more information. Also,
if the client's output is larger than 80 KB, enable verbose logging on the MP and the
site server's SMS_STATE_SYSTEM component. For information about how to enable verbose
logging, see Site server logging options.

Get information from the site server


By default, the site server log files are located in C:\Program Files\Microsoft
Configuration Manager\logs. This location might be different if you specified a
non-default installation directory or offloaded items like the SMS Provider to another server.
If you run CMPivot from the CAS, the logs are on the primary site server.

Look in smsprov.log for these lines:

Configuration Manager version 1906:

Auditing: User <username> initiated client operation 145 to collection <CollectionId>.

Configuration Manager version 1902:

Type parameter is 135.

Auditing: User <username> ran script 7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14 with hash dc6c2ad05f1bfda88d880c54121c8b5cea6a394282425a88dd4d8714547dc4a2 on collection <CollectionId>.

7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14 is the Script-Guid for CMPivot. You can also see
this GUID in CMPivot audit status messages.

Next, find the ID in the CMPivot window. This ID is the ClientOperationID.

Find the TaskID from the ClientAction table. The TaskID corresponds to the UniqueID in
the ClientAction table.

SQL

select * from ClientAction where ClientOperationId=<id>

In BgbServer.log, look for the TaskID you gathered from SQL Server and note the
PushID. The TaskID is labeled TaskGUID. For example:

Starting to send push task (PushID: 9 TaskID: 12 TaskGUID: 9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0 TaskType: 15 TaskParam: PFNjcmlwdENvbnRlbnQgU2NyaXB0R3VpZD0nN0RDNkI2RjEtRTdGNi00M0MxL (truncated log entry)

Finished sending push task (PushID: 9 TaskID: 12) to 2 clients

Client logs
After you have the information from the site server, check the client logs. By default, the
client logs are located in C:\Windows\CCM\Logs.

In CcmNotificationAgent.log, look for log entries that look like the following lines:

Receive task from server with pushid=9, taskid=12, taskguid=9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0, tasktype=15 and taskParam=PFNjcmlwdEhhc2ggU2NyaXB0SGF (truncated log entry)

Send Task response message <BgbResponseMessage TimeStamp="2019-09-13T17:29:09Z"><PushID>5</PushID><TaskID>4</TaskID><ReturnCode>1</ReturnCode></BgbResponseMessage> successfuly.

Check Scripts.log for the TaskID. In the following example, you see Task ID
{9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0}:

Sending script state message (fast): {9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0}

Result are sent for ScriptGuid: 7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14 and TaskID: {9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0}

Note

If you don't see "(fast)" in the Scripts.log, then the data is likely over 80 KB. In this
case, the information is sent to the site server as a state message. Use the client's
StateMessage.log and the site server's Statesys.log.

Review messages on the site server
When verbose logging is enabled on the management point, you can see how incoming
client messages are handled. In MP_RelayMsgMgr.log, look for the TaskID.

In the MP_RelayMsgMgr.log example, you can see the client's ID (GUID:83F67728-2E6D-4E4F-8075-ED035C31B783)
and the Task ID {9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0}. A message ID gets assigned to the
client's response before it's sent to the message processing engine:

MessageKey: GUID:83F67728-2E6D-4E4F-8075-ED035C31B783{9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0}

Create message succeeded for message id 22f00adf-181e-4bad-b35e-d18912f39f89

Add message payload succeeded for message id 22f00adf-181e-4bad-b35e-d18912f39f89

Put message succeeded for message id 22f00adf-181e-4bad-b35e-d18912f39f89

CRelayMsgMgrHandler::HandleMessage(): ExecuteTask() succeeded

When verbose logging is enabled, SMS_MESSAGE_PROCESSING_ENGINE.log shows the client
results being processed. Use the message ID you found in MP_RelayMsgMgr.log. The
processing log entries are similar to the following example:

Processing 2 messages with type Instant and IDs 22f00adf-181e-4bad-b35e-d18912f39f89[19], 434d80ae-09d4-4d84-aebf-28a4a29a9852[20]...

Processed 2 messages with type Instant. Failed to process 0 messages. All message IDs 22f00adf-181e-4bad-b35e-d18912f39f89[19], 434d80ae-09d4-4d84-aebf-28a4a29a9852[20]

Tip

If you get an exception during processing, you can review it by running the
following SQL query and looking at the Exception column. After the message is
processed, it will no longer be in the MPE_RequestMessages_Instant table.

SQL

select * from MPE_RequestMessages_Instant where MessageID=<ID from SMS_MESSAGE_PROCESSING_ENGINE.log>

In BgbServer.log, look for the PushID to see the number of clients that reported or
failed.

Generated BGB task status report c:\ConfigMgr\inboxes\bgb.box\Bgb5c1db.BTS at 09/16/2019 16:46:39. (PushID: 9 ReportedClients: 2 FailedClients: 0)

Check the monitoring view for CMPivot from SQL Server by using the TaskID .

SQL

select * from vSMS_CMPivotStatus where TaskID='{9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0}'
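An added example, not from the documentation, that automates the correlation walked through above: it follows one TaskGUID through the BgbServer.log, CcmNotificationAgent.log, Scripts.log and MP_RelayMsgMgr.log line formats quoted in this article and says which log to open next. The sample lines reuse the article's values plus one constructed client (GUID:00000000-0000-0000-0000-000000000002); keying the client logs by client GUID is an assumption about how the files were collected.

```python
"""Added example, not from the Configuration Manager documentation: follow one CMPivot
TaskGUID through the BgbServer.log, CcmNotificationAgent.log, Scripts.log and
MP_RelayMsgMgr.log line formats quoted in this article. Sample lines reuse the article's
values plus one constructed client (CLIENT_B); keying client logs by client GUID is an
assumption about how the files were collected."""
import re

GUID = r"[0-9A-Fa-f-]{36}"
PUSH_START_RE = re.compile(rf"Starting to send push task \(PushID: (?P<push>\d+) "
                           rf"TaskID: (?P<task>\d+) TaskGUID: (?P<guid>{GUID})")
PUSH_DONE_RE = re.compile(r"Finished sending push task \(PushID: (?P<push>\d+) "
                          r"TaskID: \d+\) to (?P<n>\d+) clients")
REPORT_RE = re.compile(r"\(PushID: (?P<push>\d+) ReportedClients: (?P<reported>\d+) "
                       r"FailedClients: (?P<failed>\d+)\)")
CLIENT_RECV_RE = re.compile(rf"Receive task from server with pushid=(?P<push>\d+), "
                            rf"taskid=\d+, taskguid=(?P<guid>{GUID})")
RESULT_RE = re.compile(rf"Result are sent for ScriptGuid: {GUID} and TaskID: \{{(?P<guid>{GUID})\}}")
FAST_RE = re.compile(rf"Sending script state message \(fast\): \{{(?P<guid>{GUID})\}}")
MSGKEY_RE = re.compile(rf"MessageKey: (?P<client>GUID:{GUID})\{{(?P<guid>{GUID})\}}")
MSGID_RE = re.compile(r"Create message succeeded for message id (?P<msgid>[0-9a-f-]{36})")


def trace_task(task_guid, bgb_server, client_logs, mp_relay):
    """Correlate one TaskGUID across site server, client and management point logs."""
    task_guid = task_guid.upper()
    trace = {"push_id": None, "task_id": None, "targeted": None, "reported": None,
             "failed": None, "clients": {}, "message_ids": []}
    for line in bgb_server:
        if (m := PUSH_START_RE.search(line)) and m["guid"].upper() == task_guid:
            trace["push_id"], trace["task_id"] = m["push"], m["task"]
    if trace["push_id"] is None:
        return trace  # never pushed: re-check ClientOperationID -> ClientAction.UniqueID
    for line in bgb_server:
        if (m := PUSH_DONE_RE.search(line)) and m["push"] == trace["push_id"]:
            trace["targeted"] = int(m["n"])
        if (m := REPORT_RE.search(line)) and m["push"] == trace["push_id"]:
            trace["reported"], trace["failed"] = int(m["reported"]), int(m["failed"])
    for client, lines in client_logs.items():
        status = {"received": False, "result_sent": False, "fast": False}
        for line in lines:
            if (m := CLIENT_RECV_RE.search(line)) and m["push"] == trace["push_id"]:
                status["received"] = True
            if (m := RESULT_RE.search(line)) and m["guid"].upper() == task_guid:
                status["result_sent"] = True
            # "(fast)" = result under 80 KB over the fast channel; else a state message.
            if (m := FAST_RE.search(line)) and m["guid"].upper() == task_guid:
                status["fast"] = True
        trace["clients"][client] = status
    pending = None  # the MP logs the MessageKey first, then the message id it assigned
    for line in mp_relay:
        if (m := MSGKEY_RE.search(line)) and m["guid"].upper() == task_guid:
            pending = m["client"]
        elif (m := MSGID_RE.search(line)) and pending:
            trace["message_ids"].append((pending, m["msgid"]))
            pending = None
    return trace


def diagnose(trace):
    """Turn a trace into the next log to open, following the flow in this article."""
    if trace["push_id"] is None:
        return ["No push for this TaskGUID in BgbServer.log: confirm the TaskID from the "
                "ClientAction table first."]
    hints = []
    if None not in (trace["targeted"], trace["reported"]):
        missing = trace["targeted"] - trace["reported"] - trace["failed"]
        if missing > 0:
            hints.append(f"{missing} of {trace['targeted']} clients never reported: "
                         "check the Query Summary tab for offline devices.")
    for client, st in trace["clients"].items():
        if not st["received"]:
            hints.append(f"{client}: task missing from CcmNotificationAgent.log; check "
                         "the client's notification channel to the MP.")
        elif not st["result_sent"]:
            hints.append(f"{client}: task received but no result sent in Scripts.log.")
        elif not st["fast"]:
            hints.append(f"{client}: result over 80 KB; follow it in StateMessage.log "
                         "and statesys.log rather than MP_RelayMsgMgr.log.")
    return hints


TASK = "9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0"
SCRIPT = "7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14"  # CMPivot Script-Guid
CLIENT_A = "GUID:83F67728-2E6D-4E4F-8075-ED035C31B783"
CLIENT_B = "GUID:00000000-0000-0000-0000-000000000002"  # constructed placeholder
RECV = f"Receive task from server with pushid=9, taskid=12, taskguid={TASK}, tasktype=15 and taskParam=PFNj (truncated)"
SAMPLE_BGB_SERVER = [
    f"Starting to send push task (PushID: 9 TaskID: 12 TaskGUID: {TASK} TaskType: 15 TaskParam: PFNj (truncated)",
    "Finished sending push task (PushID: 9 TaskID: 12) to 2 clients",
    "Generated BGB task status report c:\\ConfigMgr\\inboxes\\bgb.box\\Bgb5c1db.BTS "
    "at 09/16/2019 16:46:39. (PushID: 9 ReportedClients: 2 FailedClients: 0)",
]
SAMPLE_CLIENT_LOGS = {
    CLIENT_A: [RECV, f"Sending script state message (fast): {{{TASK}}}",
               f"Result are sent for ScriptGuid: {SCRIPT} and TaskID: {{{TASK}}}"],
    # constructed: this client's result exceeded 80 KB, so there is no "(fast)" line
    CLIENT_B: [RECV, f"Result are sent for ScriptGuid: {SCRIPT} and TaskID: {{{TASK}}}"],
}
SAMPLE_MP_RELAY = [
    f"MessageKey: {CLIENT_A}{{{TASK}}}",
    "Create message succeeded for message id 22f00adf-181e-4bad-b35e-d18912f39f89",
]
```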

Troubleshoot CMPivot in 1810 and earlier


In Configuration Manager versions 1810 and earlier, your site server handles the
communication to the client.

Get information from the site server


By default, the site server log files are located in C:\Program Files\Microsoft
Configuration Manager\logs. This location might be different if you specified a
non-default installation directory or offloaded items like the SMS Provider to another server.

Look in smsprov.log for this line:

Auditing: User <username> initiated client operation 135 to collection <CollectionId>.

Find the ID in the CMPivot window. This ID is the ClientOperationID .


Find the TaskID from the ClientAction table. The TaskID corresponds to the UniqueID in
the ClientAction table.

SQL

select * from ClientAction where ClientOperationId=<id>

In BgbServer.log, look for the TaskID you gathered from SQL. It's labeled TaskGUID. For
example:

Starting to send push task (PushID: 260 TaskID: 258 TaskGUID: F8C7C37F-B42B-4C0A-B050-2BB44DF1098A TaskType: 15 TaskParam: PFNjcmlwdEhhc2ggU2NyaXB0SGF...truncated...to 5 clients with throttling (strategy: 1 param: 42)

Finished sending push task (PushID: 260 TaskID: 258) to 5 clients

Client logs
After you have the information from the site server, check the client logs. By default, the
client logs are located in C:\Windows\CCM\Logs.

In CcmNotificationAgent.log, look for logs that are similar to the following entry:

PFNjcmlwdEhhc2ggU2NyaXB0SGFzaEFsZz0nU0hBMjU2Jz42YzZmNDY0OGYzZjU3M2MyNTQyNWZiNTg2ZDVjYTIwNzRjNmViZmQ1NTg5MDZlMWI5NDRmYTEzNmFiMDE0ZGNjPC9TY3JpcHRIYXNoPjxTY3Jp (truncated log entry)

Look in Scripts.log for the TaskID . In the following example, we see Task ID
{F8C7C37F-B42B-4C0A-B050-2BB44DF1098A} :

Sending script state message: 7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14

State message: Task Id {F8C7C37F-B42B-4C0A-B050-2BB44DF1098A}

Look in StateMessage.log . In the following example, you see that TaskID is near the
bottom of the message next to <Param> :

XML

StateMessage body: <?xml version="1.0" encoding="UTF-16"?>
<Report><ReportHeader><Identification><Machine>
<ClientInstalled>1</ClientInstalled><ClientType>1</ClientType>
<ClientID>GUID:DBAC52C9-57E6-47D7-A8D6-E0A5A64B57E6</ClientID>
<ClientVersion>5.00.8670.1000</ClientVersion>
<NetBIOSName>R613924</NetBIOSName><CodePage>437</CodePage>
<SystemDefaultLCID>1033</SystemDefaultLCID><Priority>0</Priority>
</Machine></Identification>
<ReportDetails><ReportContent>State Message Data</ReportContent>
<ReportType>Full</ReportType>
<Date>20180703184447.673000+000</Date><Version>1.0</Version>
<Format>1.0</Format>
</ReportDetails></ReportHeader><ReportBody>
<StateMessage MessageTime="20180703184447.517000+000"><Topic ID="7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14" Type="9003" IDType="0" User="" UserSID=""/><State ID="1" Criticality="0"/>
<StateDetails Type="1"><!
[CDATA["PAA/AHgAbQBsACAAdgBlAHIAcwBpAG8AbgA9ACIAMQAuADAAIgAgAGUAbgBjAG8AZABp
AG4AZwA9ACIAdQB0AGYALQAxADYAIgA/AD4APAByAGUAcwB1AGwAdAAgAFIAZQBzAHUAbAB0AEMA
bwBkAGUAPQAiADAAIgA+ADwAZQAgAE4AYQBtAGUAPQAiAEkAbgB0AGUAbAAoAFIAKQAgAFgAZQBv
AG4AKABSACkAIABDAFAAVQAgAEUANQAtADIANgA3ADMAIAB2ADQAIABAACAAMgAuADMAMABHAEgA
egAiACAATQBhAG4AdQBmAGEAYwB0AHUAcgBlAHIAPQAiAEEAbQBlAHIAaQBjAGEAbgAgAE0AZQBn
AGEAdAByAGUAbgBkAHMAIABJAG4AYwAuACIAIABWAGUAcgBzAGkAbwBuAD0AIgBWAFIAVABVAEEA
TAAgAC0AIAA2ADAAMAAxADcAMAAyACIAIABSAGUAbABlAGEAcwBlAEQAYQB0AGUAPQAiADIAMAAx
ADcALQAwADYALQAwADIAIAAwADAAOgAwADAAOgAwADAAIgAgAFMAZQByAGkAYQBsAE4AdQBtAGIA
ZQByAD0AIgAwADAAMAAwAC0AMAAwADEAOAAtADMANgA4ADIALQA0ADcAMAA4AC0ANwA2ADQAMAAt
ADcANgAwADAALQAzADMAIgAgAFMATQBCAEkATwBTAEIASQBPAFMAVgBlAHIAcwBpAG8AbgA9ACIA
MAA5ADAAMAAwADcAIAAiACAALwA+ADwALwByAGUAcwB1AGwAdAA+AA=="~~]]>
</StateDetails><UserParameters Flags="0" Count="2">
<Param>{F8C7C37F-B42B-4C0A-B050-2BB44DF1098A}</Param><Param>0</Param>
</UserParameters></StateMessage></ReportBody></Report>

Successfully forwarded State Messages to the MP StateMessage 7/3/2018 11:44:47 AM 5036 (0x13AC)

Review messages on the site server


Open statesys.log to see if the message is received and processed. In the following
example, you see TaskID near the bottom of the message next to <Param> . Enable
verbose logging on the SMS_STATE_SYSTEM component to see these log entries.

XML

CMessageProcessor - the cmdline to DB exec dbo.spProcessStateReport N'?<?xml version="1.0" encoding="UTF-16"?>~~<Report><ReportHeader><Identification><Machine>
<ClientInstalled>1</ClientInstalled><ClientType>1</ClientType>
<ClientID>GUID:DBAC52C9-57E6-47D7-A8D6-E0A5A64B57E6</ClientID>
<ClientVersion>5.00.8670.1000</ClientVersion>
<NetBIOSName>R613924</NetBIOSName><CodePage>437</CodePage>
<SystemDefaultLCID>1033</SystemDefaultLCID><Priority>0</Priority>
</Machine></Identification>
<ReportDetails><ReportContent>State Message Data</ReportContent>
<ReportType>Full</ReportType>
<Date>20180703184447.673000+000</Date><Version>1.0</Version>
<Format>1.0</Format>
</ReportDetails></ReportHeader><ReportBody>
<StateMessage MessageTime="20180703184447.517000+000"><Topic ID="7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14" Type="9003" IDType="0" User="" UserSID=""/><State ID="1" Criticality="0"/>
<StateDetails Type="1"><![CDATA["PAA/AHgAbQBsACAAdgBlAHIAcwBpAG8AbgA9ACIAMQAuADAAIgAgAGUAbgBjAG8AZABp (truncated)"~~]]>
</StateDetails><UserParameters Flags="0" Count="2">
<Param>{F8C7C37F-B42B-4C0A-B050-2BB44DF1098A}</Param><Param>0</Param>
</UserParameters></StateMessage></ReportBody></Report>~~'

If the message hasn't been processed, check the state message inbox. The default inbox
location is C:\Program Files\Microsoft Configuration Manager\inboxes\auth\statesys.box\.
Look for the files in these locations:

Incoming
Corrupted
Process

Check the monitoring view for CMPivot via the following SQL query using the TaskID :

SQL

select * from vSMS_CMPivotStatus where TaskID='{F8C7C37F-B42B-4C0A-B050-2BB44DF1098A}'

Note

For clients that are using version 1810 or higher, state messaging isn't used unless
the output is larger than 80 KB. When troubleshooting CMPivot in these cases, you
can get more information when you enable verbose logging on your MPs and the
site server's SMS_MESSAGE_PROCESSING_ENGINE. For information on how to
enable verbose logging, see Site server logging options.

To troubleshoot, refer to the following logs:

MP_Relay.log

SMS_MESSAGE_PROCESSING_ENGINE.log

Next steps
Using CMPivot
Create and run PowerShell scripts
Maintenance tasks for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager sites and hierarchies require regular maintenance and
monitoring to provide services effectively and continuously. Regular maintenance
ensures that the hardware, software, and Configuration Manager database continue to
function correctly and efficiently. Optimal performance greatly reduces the risk of
failure.

To set up alerts and use the status system to monitor the health of Configuration
Manager, see Use the status system and Configure alerts.

Maintenance tasks
Regular maintenance is important to ensure correct site operations. Keep a maintenance
log to document maintenance dates, who did maintenance, and any maintenance-
related comments about the tasks. To maintain your site, consider daily or weekly
maintenance. Some tasks might require a different schedule. Common maintenance can
include both the built-in maintenance tasks and other tasks like account maintenance to
maintain compliance with your company policies.

Use the following information as a guide to help you plan when to do different
maintenance tasks. Use these lists as a starting point, and add tasks that you might
require.

Daily Tasks
The following are maintenance tasks that you might consider for a daily schedule:

Check that predefined maintenance tasks that are scheduled to run daily are
running successfully.

Check the Configuration Manager database status.

Check site server status.

Check Configuration Manager site system inboxes for file backlogs.


Check site systems status.

Check the operating system event logs from the site systems.

Check the SQL Server error log from the site database computer.

Check system performance.

Check Configuration Manager alerts.

Weekly Tasks
The following are maintenance tasks that you might consider for a weekly schedule:

Check that predefined maintenance tasks that are scheduled to run weekly are
running successfully.

Delete unnecessary files from site systems.

Produce and distribute end-user reports if necessary.

Back up application, security, and system event logs and clear them.

Check the site database size and verify there's enough available disk space on the
site database server so that the site database can grow.

Do SQL Server database maintenance on the site database according to your SQL
Server maintenance plan.

Check available disk space on all site systems.

Run disk defragmentation tools on all site systems.

Periodic Tasks
Some tasks that don't require daily or weekly maintenance are important to ensure
overall site health. These tasks also ensure that security and disaster recovery plans are
up-to-date. The following are maintenance tasks that you might consider for a more
periodic schedule than the daily or weekly tasks:

Change accounts and passwords, if it's necessary, according to your security plan.

Review the maintenance plan to check that scheduled maintenance tasks are
scheduled correctly and effectively depending on configured site settings.

Review the Configuration Manager hierarchy design for any required changes.

Check network performance to ensure that changes haven't been made that affect
site operations.

Check that Active Directory settings that affect site operations haven't changed.
For example, check that the subnets that are assigned to Active Directory sites and
used as boundaries for a Configuration Manager site haven't changed.

Review your disaster recovery plan for any required changes.

Do a site recovery according to the disaster recovery plan in a test lab by using a
backup copy of the most recent backup that the Backup Site Server maintenance
task created.

Check hardware for any errors or for available hardware updates.

Check the overall health of the site.

Maintain the operational health of your site database

While your Configuration Manager site and hierarchy do the tasks that you schedule
and set up, site components continually add data to the Configuration Manager
database. As the amount of data grows, database performance and the free storage
space in the database decline. You can set up site maintenance tasks to remove aged
data that you no longer require.

Configuration Manager provides predefined maintenance tasks that you can use to
maintain the health of the Configuration Manager database. Not all maintenance tasks
are available at each site. By default, several tasks are enabled and some aren't, and all
support a schedule that you can set up.

Most maintenance tasks periodically remove out-of-date data from the Configuration
Manager database. Reducing the size of the database by removing unnecessary data
improves the performance and the integrity of the database, which increases the
efficiency of the site and hierarchy. Other tasks, like Rebuild Indexes, help maintain the
database efficiency. Other tasks, like the Backup Site Server task, help you prepare for
disaster recovery.

Important

When you plan the schedule of any task that deletes data, consider the use of that
data across the hierarchy. When a task that deletes data runs at a site, the
information is removed from the Configuration Manager database, and this change
replicates to all sites in the hierarchy. This deletion can affect other tasks that rely
on that data. For example, at the central administration site, you might set up
Discovery to run one time per month to identify non-client computers. You plan to
install the Configuration Manager client to these computers within two weeks of
their discovery. However, at one site in the hierarchy, an admin sets up the Delete
Aged Discovery Data task to run every seven days. The result is that seven days
after non-client computers are discovered, they are deleted from the Configuration
Manager database. Back at the central administration site, you prepare to push
install the Configuration Manager client to these new computers on day 10.
However, because the Delete Aged Discovery Data task has recently run and
deleted data that's seven days or older, the recently discovered computers are no
longer available in the database.

After you install a Configuration Manager site, review the available maintenance tasks
and enable those tasks that your operations require. Review the default schedule of
each task, and when necessary, set up the schedule to fine-tune the maintenance task to
fit your hierarchy and environment. Although the default schedule of each task should
suit most environments, monitor the performance of your sites and database and expect
to fine-tune tasks to increase your deployment's efficiency. Plan to periodically review
the site and database performance and reconfigure maintenance tasks and their
schedules to maintain that efficiency.

Set up maintenance tasks

Each Configuration Manager site supports maintenance tasks that help maintain the
operational efficiency of the site database. By default, several maintenance tasks are
enabled in each site, and all tasks support independent schedules. Maintenance tasks
are set up individually for each site and apply to the database at that site. However,
some tasks, like Delete Aged Discovery Data, affect information that is available in all
sites in a hierarchy.

Only the maintenance tasks that you can set up at a site are displayed in the
Configuration Manager console. For a complete list of maintenance tasks by site type,
see Reference for maintenance tasks for Configuration Manager.

Use the following procedure to help you set up the common settings of maintenance
tasks.

To set up maintenance tasks for Configuration Manager

Site server maintenance tasks can now be viewed, edited, and monitored from their own
tab on the details view of a site server. You can still edit maintenance tasks by choosing
Site Maintenance in the Settings group like you did in previous Configuration Manager
versions.

1. In the Configuration Manager console, go to Administration > Site Configuration >
Sites.

2. Select a site from your list, then click on the Maintenance Tasks tab in the detail
panel.

3. Only tasks that are available at the selected site are displayed. Right-click one of
the maintenance tasks and choose one of the following options:

Enable - Turn on the task.
Disable - Turn off the task.
Edit - Edit the task schedule or its properties.

The Maintenance Tasks tab gives you information such as:

If the task is enabled
The task schedule
Last start time
Last completion time
If the task completed successfully

Database reindexing can temporarily impact the replication link status

When the Configuration Manager database is reindexing, either through the built-in
maintenance task or SQL Server Management Studio, you may notice that replication
links temporarily go into a degraded or failed state during this process. The state
degradation occurs because when a reindex runs on the database tables, they're
blocked and can't be written to. It's an offline operation and is fundamental to how
DBCC REINDEX functions. For a sync on a replication group to be considered
successful, the site has to be able to process the data that it received. This
means that during the reindexing process, the link status can bounce between
degraded, failed, active, and back again. Depending on how much data is being
replicated between the sites, the time to go from a failed state to an active
state varies from environment to environment.

If the state change during a reindex is problematic for your monitoring, each replication
link has a set of thresholds that you can modify to adjust when the link goes into a
degraded state or into a failed state. Replication links contain multiple
replication groups, which are of two types: global data and site data. Global
data attempts to sync every minute and site data syncs every five minutes. By
default, the link changes to degraded when the threshold of 12 failures is reached, and
then changes to the failed state at 24. To set these thresholds, select the link under the
Database Replication node, then select Link Properties. On the Alerts tab, there are
thresholds for setting the link to degraded or failed. By default, these values are set to 12
and 24 respectively.

Next steps
Reference for maintenance tasks

Reference for maintenance tasks in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article lists the details for each of the Configuration Manager site maintenance
tasks. Each entry specifies the site types where the task is available, and whether it's
enabled by default.

For more information, see Set up maintenance tasks.

Tasks

Backup Site Server


Use this task to create a backup of your critical information to restore a site and the
Configuration Manager database. For more information, see Back up a Configuration
Manager site.

Site type Status

Central administration site Enabled

Primary site Not enabled

Secondary site Not available

Check Application Title with Inventory Information


Use this task to maintain consistency of software titles between software inventory and
the Asset Intelligence catalog. For more information, see Introduction to Asset
Intelligence.

Site type Status

Central administration site Enabled

Primary site Not available

Secondary site Not available


Clear Undiscovered Clients

Tip

You may also see this task in the console named Clear Install Flag.

Use this task to remove the installed flag for clients that don't submit a Heartbeat
Discovery record during the Client Rediscovery period. The installed flag prevents
automatic client push installation to a computer that might have an active Configuration
Manager client. The default value is 21 days.

Important

Make sure this value is greater than the interval for Heartbeat discovery, which by
default is seven days. Otherwise, clients will unnecessarily reinstall.

Site type Status

Central administration site Not available

Primary site Not enabled

Secondary site Not available

Delete Aged Application Request Data


Use this task to delete aged application requests from the database. For more
information, see Create and deploy an application.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Delete Unused Application Revisions


Use this task to delete application revisions that are no longer referenced. For more
information, see How to revise and supersede applications.

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Not available

Delete Aged Client Download History


Use this task to delete historical data about the download source used by clients. The
site uses download source information to populate the Client Data Sources dashboard.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Delete Aged Client Operations


Use this task to delete from the site database all aged data for client operations. For
example, this data includes the following operations:

Aged or expired client notifications, like download requests for machine or user
policy
Endpoint Protection, like requests by an administrative user for clients to run a
scan or download updated definitions
Run Scripts status results

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Not available

Delete Aged Client Presence History


Use this task to delete history information about the online status of clients recorded by
client notification. It deletes information for clients with status that's older than the
specified time. For more information, see How to monitor clients.

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Not available

Delete Aged Cloud Management Gateway Traffic Data


Use this task to delete from the site database all aged data about the traffic that passes
through the cloud management gateway. This data includes:

The number of requests
Total request bytes
Total response bytes
Number of failed requests
Maximum number of concurrent requests

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Not available

Delete Aged CMPivot Results


Use this task to delete from the site database aged information from clients in CMPivot
queries. For more information, see CMPivot for real-time data.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Delete Aged Collected Diagnostic Files


Use this task to delete collected diagnostic files. Collected client logs are stored
according to the software inventory file collection settings. The files are stored on the
site server in the Inboxes\sinv.box\FileCol directory. Delete Aged Collected Diagnostic
Files uses a default value of 14 days when looking for diagnostic files to clean up and
doesn't affect other collected files. This maintenance task is enabled by default and was
introduced in Configuration Manager version 2010. Earlier Configuration Manager
versions use the Delete Aged Collected Files task for deleting client diagnostic files.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Delete Aged Collected Files


Use this task to delete from the database aged information about collected files. This
task also deletes the collected files from the site server folder structure at the selected
site. By default, the five most-recent copies of collected files are stored on the site server
in the Inboxes\sinv.box\FileCol directory. For more information, see Introduction to
software inventory.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Delete Aged Computer Association Data


Use this task to delete from the database aged OS deployment computer association
data. This information is used when restoring user state during a task sequence. For
more information, see Manage user state.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available


Delete Aged Console Connection Data

This task deletes data from the site database about console connections to the site.

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Not available

Delete Aged Delete Detection Data


Use this task to delete aged data from the database that has been created by extraction
views. It deletes old data change information used by external systems extracting data
from the database.

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Not available

Delete Aged Device Wipe Record


Use this task to delete from the database aged data about mobile device wipe actions.
For more information, see Protect data with remote wipe, lock, or passcode reset.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Delete Aged Discovery Data


Use this task to delete aged discovery data from the database. This data can include
records from:

Heartbeat discovery
Network discovery
Active Directory discovery methods: System, User, and Group

This task also removes aged devices marked as decommissioned. When this task runs at
a site, data associated with that site is deleted, and those changes replicate to other
sites. For more information, see Run discovery.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Delete Aged Distribution Point Usage Stats


Use this task to delete from the database aged data for distribution points that has been
stored longer than a specified time.

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Not available

Delete Aged Endpoint Protection Health Status History Data

Use this task to delete from the database aged status information for Endpoint
Protection (EP). For more information, see How to monitor Endpoint Protection.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Delete Aged Enrolled Devices


Use this task to delete from the site database the aged data about mobile devices that
haven't reported any information to the site for a specified time.

This task applies to devices that are enrolled with Configuration Manager on-premises
MDM. For more information on these devices, see Supported operating systems for
clients and devices.

Site type Status

Central administration site Not available

Primary site Not enabled

Secondary site Not available

Delete Aged Exchange Partnership

Tip

You may also see this task in the console named Delete Aged Devices
Managed by the Exchange Server Connector.

Use this task to delete aged data about mobile devices managed by the Exchange
Server connector. The site deletes this data according to the Ignore mobile devices that
are inactive for more than (days) setting on the Discovery tab of the Exchange Server
connector properties. For more information, see Manage mobile devices with
Configuration Manager and Exchange.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Delete Aged Inventory History


Use this task to delete from the database inventory data that has been stored longer
than a specified time. For more information, see How to use Resource Explorer to view
hardware inventory.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Delete Aged Log Data


Use this task to delete from the database aged log data used for troubleshooting. This
data isn't related to Configuration Manager component operations.

Important

By default, this task runs daily at each site. At a central administration site and
primary sites, the task deletes data that's older than 30 days. When you use SQL
Server Express at a secondary site, make sure that this task runs daily and deletes
data that's inactive for seven days.

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Enabled

Delete Aged Notification Server History


This task deletes aged client presence history.

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Not available

Delete Aged Notification Task History


Use this task to delete from the site database information about client notification tasks.
This task applies to data that hasn't been updated for a specified time. For more
information, see Client notifications.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Delete Aged Passcode Records


Use this task at the top-level site of your hierarchy to delete aged Passcode Reset data
for Windows Phone devices. Passcode Reset data is encrypted, but does include the PIN
for devices. By default, this task is enabled, and deletes data that is older than one day.

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Not available

Delete Aged Replication Data


Use this task to delete from the database aged data about database replication between
Configuration Manager sites. When you change the configuration of this maintenance
task, the configuration applies to each applicable site in the hierarchy. For more
information, see Monitor database replication.

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Enabled

Delete Aged Replication Summary Data


Use this task to delete from the site database aged replication summary data when it
hasn't been updated for a specified time. For more information, see Monitor database
replication.

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Enabled

Delete Aged Scenario Health History


Use this task to delete from the database aged data for scenario health activity. For
more information, see Monitor scenario health.

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Not available

Delete Aged Software Metering Data


Use this task to delete from the database aged data for software metering that has been
stored longer than a specified time. For more information, see Software metering.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Delete Aged Software Metering Summary Data


Use this task to delete from the database aged summary data for software metering
that's been stored longer than a specified time. For more information, see Software
metering.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Delete Aged Status Messages


Use this task to delete from the database aged status message data as configured in
status filter rules. For more information, see Monitor the status system.

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Not available

Delete Aged Threat Data


Use this task to delete from the database aged Endpoint Protection threat data that's
been stored longer than a specified time. For more information, see Endpoint
Protection.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Delete Aged Unknown Computers


Use this task to delete information about unknown computers from the site database
when it hasn't been updated for a specified time. For more information, see Prepare for
unknown computer deployments.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Delete Aged User Device Affinity Data


Use this task to delete aged User Device Affinity data from the database. For more
information, see Link users and devices with user device affinity.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Delete Duplicate System Discovery Data


Use this task to delete from the site database any duplicate records generated by
system discovery.

Site type Status

Central administration site Enabled

Primary site Not available

Secondary site Not available

Delete Expired MDM Bulk Enroll Package Records


Use this task to delete old Bulk Enrollment certificates and corresponding profiles after
the enrollment certificate has expired. For more information, see Create certificate
profiles.

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Not available


Delete Inactive Client Discovery Data

Use this task to delete from the database discovery data for inactive clients. The site
marks a client as inactive when the client is flagged as obsolete, or according to the
settings that you configure for client status.

This task operates only on resources that are Configuration Manager clients. It's
different than the Delete Aged Discovery Data task, which deletes any aged discovery
data record. When this task runs at a site, it removes the data from the database at all
sites in a hierarchy. For more information, see How to configure client status.

Important

When it's enabled, configure this task to run at an interval greater than the
Heartbeat Discovery schedule. This configuration enables active clients to send a
Heartbeat Discovery record to mark their client record as active so this task doesn't
delete them.

Site type Status

Central administration site Not available

Primary site Not enabled

Secondary site Not available

Delete Obsolete Alerts


Use this task to delete from the database expired alerts that have been stored longer
than a specified time. For more information, see Configure alerts.

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Not available

Delete Obsolete Client Discovery Data


Use this task to delete obsolete client records from the database. A record that's marked
as obsolete has usually been replaced by a newer record for the same client. The newer
record becomes the client's current record. For information about discovery, see Run
discovery.

Important

When it's enabled, configure this task to run at an interval greater than the
Heartbeat Discovery schedule. This configuration enables the client to send a
Heartbeat Discovery record that correctly sets the obsolete status.

Site type Status

Central administration site Not available

Primary site Not enabled

Secondary site Not available
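The retention checks from the Important notes on this task, Delete Inactive Client Discovery Data and Clear Undiscovered Clients (retention must exceed the Heartbeat Discovery interval), together with the hierarchy-wide deletion caveat for Delete Aged Discovery Data described in Maintain the operational health of your site database, as an added PowerShell audit that is not part of the Configuration Manager documentation or product. It assumes the console's ConfigurationManager module and site drive, and that the objects Get-CMSiteMaintenanceTask returns expose TaskName, Enabled and DeleteOlderThan properties whose names match the console task names; the follow-up window is a parameter you set.

```powershell
# Added audit script (not from the Configuration Manager documentation).
# Flags maintenance tasks whose retention conflicts with discovery settings.
# Assumptions: the console module path from SMS_ADMIN_UI_PATH, a site drive
# named after the site code, and that Get-CMSiteMaintenanceTask returns objects
# with TaskName, Enabled and DeleteOlderThan (days) properties.
param(
    [Parameter(Mandatory)] [string] $SiteCode,
    [int] $HeartbeatIntervalDays = 7,   # Heartbeat Discovery default is 7 days
    [int] $DiscoveryFollowUpDays = 14   # how long you rely on discovery records
)

# Decision logic kept free of site access so it can be reviewed on its own.
# Returns an array of finding strings (empty when the task is fine).
function Get-MaintenanceTaskFinding {
    param(
        [string] $TaskName,
        [bool]   $Enabled,
        [int]    $DeleteOlderThanDays,
        [int]    $HeartbeatDays,
        [int]    $FollowUpDays
    )
    $findings = @()
    if (-not $Enabled) { return $findings }   # a disabled task deletes nothing

    # Retention must exceed the Heartbeat Discovery interval, or active clients
    # are cleared or deleted before they can report again. 'Clear Install Flag'
    # is the console name for Clear Undiscovered Clients.
    $heartbeatSensitive = @('Clear Undiscovered Clients', 'Clear Install Flag',
                            'Delete Inactive Client Discovery Data',
                            'Delete Obsolete Client Discovery Data')
    if ($heartbeatSensitive -contains $TaskName -and $DeleteOlderThanDays -le $HeartbeatDays) {
        $findings += "retention of $DeleteOlderThanDays days is not greater than the " +
                     "Heartbeat Discovery interval of $HeartbeatDays days"
    }

    # These deletions replicate to every site, so a short retention at one site
    # removes records that another site still expects to act on.
    $hierarchyWide = @('Delete Aged Discovery Data', 'Delete Inactive Client Discovery Data')
    if ($hierarchyWide -contains $TaskName -and $DeleteOlderThanDays -lt $FollowUpDays) {
        $findings += "hierarchy-wide deletion after $DeleteOlderThanDays days is shorter " +
                     "than the $FollowUpDays days discovery records are relied on"
    }
    return $findings
}

# Connect to the site through the console's PowerShell module.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1" -ErrorAction Stop
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    throw "No site drive '$($SiteCode):' found; run this where the console is installed."
}
Set-Location "$($SiteCode):\"

Get-CMSiteMaintenanceTask -SiteCode $SiteCode | ForEach-Object {
    $findings = Get-MaintenanceTaskFinding -TaskName $_.TaskName `
        -Enabled ([bool]$_.Enabled) -DeleteOlderThanDays ([int]$_.DeleteOlderThan) `
        -HeartbeatDays $HeartbeatIntervalDays -FollowUpDays $DiscoveryFollowUpDays
    [pscustomobject]@{
        Site       = $SiteCode
        Task       = $_.TaskName
        Enabled    = [bool]$_.Enabled
        RetainDays = [int]$_.DeleteOlderThan
        Finding    = $(if ($findings) { $findings -join '; ' } else { 'OK' })
    }
} | Sort-Object Finding -Descending | Format-Table -AutoSize
# Remediate a finding by lengthening the task's retention (Edit on the
# Maintenance Tasks tab, or Set-CMSiteMaintenanceTask) or by adjusting the
# Heartbeat Discovery schedule, then re-run the audit at every site.
```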

Delete Obsolete Forest Discovery Sites and Subnets


Use this task to delete data about Active Directory sites, subnets, and domains. It
removes data that the site hasn't discovered by the Active Directory Forest Discovery
method in the last 30 days. This task removes the discovery data, but doesn't affect
boundaries that you create from this discovery data. For more information, see Run
discovery.

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Not available

Delete Orphaned Client Deployment State Records


Use this task to periodically purge the table that contains client deployment state
information. This task cleans up records associated with obsolete or decommissioned
devices.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Evaluate Collection Members


You configure the Collection Membership Evaluation as a site component. For more
information, see Site components.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Monitor Keys

Use this task to monitor the integrity of the Configuration Manager database primary
keys. A primary key is a column or a combination of columns that uniquely identifies
one row. The key distinguishes the row from any other row in a Microsoft SQL Server
database table.

Site type Status

Central administration site Enabled

Primary site Enabled

Secondary site Not available

Rebuild Indexes

Use this task to rebuild the Configuration Manager database indexes. An index is a
database structure that's created on a database table to speed up data retrieval. For
example, searching an indexed column is often much faster than searching a column
that isn't indexed.

To improve performance, the Configuration Manager database indexes are frequently
updated to remain synchronized with the constantly changing data that's stored in the
database. This task:

Rebuilds indexes when they are more than 10% fragmented
For indexes that are less than 30% fragmented, the index is reorganized
For indexes that are greater than 30% fragmented, the index is rebuilt

Site type Status

Central administration site Not enabled

Primary site Not enabled

Secondary site Not enabled
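To size a Rebuild Indexes run before enabling it (the rebuild step is the offline, write-blocking operation that the replication-link note in Set up maintenance tasks describes), here is an added PowerShell report, not part of the Configuration Manager documentation or product, that applies the thresholds above to the site database's current fragmentation. It assumes the SqlServer module's Invoke-Sqlcmd, read access to the site database, and the CM_<site code> database name; the instance name is a placeholder, and an index at exactly 30% is counted as reorganize because the text doesn't say.

```powershell
# Added report (not from the Configuration Manager documentation or product).
# Applies the Rebuild Indexes thresholds to the live fragmentation figures of
# the site database so you can see how much offline rebuild work a run implies.
# Assumptions: the SqlServer module (Invoke-Sqlcmd) is installed, the account
# can read sys.dm_db_index_physical_stats, and the database is named CM_<site>.
param(
    [Parameter(Mandatory)] [string] $ServerInstance,  # e.g. 'SQLHOST\INSTANCE' (placeholder)
    [Parameter(Mandatory)] [string] $SiteCode,
    [int] $MinPageCount = 1000   # ignore tiny indexes; their maintenance cost is negligible
)

# Threshold logic as the task description states: no action at or below 10%,
# reorganize (online) above 10% and below 30%, rebuild (offline) above 30%.
# Exactly 30% is treated as reorganize here; the description doesn't say.
function Get-IndexMaintenanceAction {
    param([double] $FragmentationPercent)
    if ($FragmentationPercent -gt 30) { return 'Rebuild' }
    if ($FragmentationPercent -gt 10) { return 'Reorganize' }
    return 'None'
}

# LIMITED mode reads only the pages above the leaf level, so this query is
# cheap enough to run against a production site database.
$query = @"
SELECT  s.name AS SchemaName, t.name AS TableName, i.name AS IndexName,
        ps.avg_fragmentation_in_percent AS Fragmentation, ps.page_count AS PageCount
FROM    sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
JOIN    sys.indexes AS i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
JOIN    sys.tables  AS t ON t.object_id = ps.object_id
JOIN    sys.schemas AS s ON s.schema_id = t.schema_id
WHERE   ps.index_id > 0                -- skip heaps, which have no index to maintain
  AND   ps.page_count >= $MinPageCount
"@

Import-Module SqlServer -ErrorAction Stop
$rows = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database "CM_$SiteCode" -Query $query

$report = foreach ($r in $rows) {
    [pscustomobject]@{
        Index         = "$($r.SchemaName).$($r.TableName).$($r.IndexName)"
        Fragmentation = [math]::Round([double]$r.Fragmentation, 1)
        Pages         = [int]$r.PageCount
        Action        = Get-IndexMaintenanceAction -FragmentationPercent ([double]$r.Fragmentation)
    }
}

# Pages under 'Rebuild' are rewritten offline; that blocking is what makes
# replication links show as degraded or failed while the task runs.
$report | Group-Object Action | ForEach-Object {
    [pscustomobject]@{
        Action  = $_.Name
        Indexes = $_.Count
        Pages   = ($_.Group | Measure-Object -Property Pages -Sum).Sum
    }
} | Format-Table -AutoSize

$report | Where-Object { $_.Action -ne 'None' } |
    Sort-Object Fragmentation -Descending | Format-Table -AutoSize
```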

Summarize Installed Software Data


Use this task to summarize the data from collected asset intelligence software
information through the hardware inventory to merge multiple records into one general
record. Data summarization can compress the amount of data that's stored in the
Configuration Manager database. For more information, see Configure Asset
Intelligence maintenance tasks.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Summarize Software Metering File Usage Metering Data


Use this task to summarize the data from multiple records for software metering file
usage into one general record. Data summarization can compress the amount of data
that's stored in the Configuration Manager database.

To summarize software metering data and to conserve disk space in the database, use
this task with the Summarize Software Metering Monthly Usage Data task. For more
information, see Software metering.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available


Summarize Software Metering Monthly Usage Data

Use this task to summarize the data from multiple records for software metering
monthly usage into one general record. Data summarization can compress the amount
of data that's stored in the Configuration Manager database.

To summarize software metering data and to conserve space in the database, use this
task with the Summarize Software Metering File Usage Data task. For more
information, see Software metering.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Update Application Available Targeting


Use this task to have Configuration Manager recalculate the mapping of policy and
application deployments to resources in collections. When you deploy policy or
applications to a collection, Configuration Manager creates an initial mapping between
the objects that you deploy and the collection members.

These mappings are stored in a table for quick reference. When a collection's
membership changes, the site updates these stored mappings to reflect those changes.
However, it's possible for these mappings to fall out of sync. For example, if the site fails
to properly process a notification file, that change might not be reflected in a change to
the mappings. This task refreshes that mapping based on current collection
membership.

Site type Status

Central administration site Not available

Primary site Enabled

Secondary site Not available

Update Application Catalog Tables


This task exists in the site, but isn't used. The application catalog is no longer supported.

See also

Maintenance tasks

Modify your Configuration Manager infrastructure
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

After you install one or more sites, you might need to modify configurations or
take actions that affect your infrastructure.

Manage the SMS provider


The SMS provider provides the point of administrative contact for one or more
Configuration Manager consoles. When you install multiple SMS providers, you can
provide redundancy for contact points to administer your site and hierarchy.

At each Configuration Manager site, you can rerun setup to:

Add an additional instance of the SMS provider. Each additional instance of the
SMS provider must be on a separate computer.

Remove an instance of the SMS provider. To remove the last SMS provider for a
site, you must uninstall the site.

Monitor the installation or removal of the SMS provider by viewing the
ConfigMgrSetup.log in the root folder of the site server on which you run setup.

Before you modify the SMS provider at a site, see Plan for the SMS provider.

Manage the SMS provider configuration for a site


1. Run Configuration Manager Setup from \BIN\X64\setup.exe in the Configuration
Manager site installation folder.

2. On the Getting Started page, select Perform site maintenance or reset this site.

3. On the Site Maintenance page, select Modify SMS provider configuration.

4. On the Manage SMS providers page, select one of the following options:

Add a new SMS provider: Specify the FQDN for a computer to host the SMS
provider that doesn't currently host it.

Uninstall the specified SMS provider: Select the name of the computer from
which you want to remove the SMS provider.

Tip

To move the SMS provider between two computers, first install it to the new
computer. Then remove it from the original location. There's no option to
move the SMS provider between computers.

After the setup wizard finishes, the SMS provider configuration is complete. In the site
Properties, on the General tab, verify the computers that have an SMS provider installed
for a site.

Manage the Configuration Manager console


The following tasks help you manage the Configuration Manager console:

To modify the language that displays in the Configuration Manager console, see
the Manage Configuration Manager console language section.

To install additional consoles, see Install Configuration Manager consoles.

To configure DCOM permissions to enable consoles that are remote from the site
server, see the Configure DCOM permissions for remote Configuration Manager
consoles section.

To modify administrative permissions to limit what users can see and do in the
console, see Modify the administrative scope of an administrative user.

Manage Configuration Manager console language


During site server installation, the Configuration Manager console installation files and
supported language packs for the site are copied to the \Tools\ConsoleSetup subfolder
of the Configuration Manager installation path on the site server.

When you start the Configuration Manager console installation from this folder on
the site server, it copies the Configuration Manager console and supported
language pack files to the computer.

When a language pack is available for the current language setting on the
computer, the Configuration Manager console opens in that language.

If the associated language pack isn't available for the Configuration Manager
console, the console opens in English (United States).

For example, you install the Configuration Manager console from a site server that
supports English, German, and French. If you open the Configuration Manager console
on a computer with a configured language setting of French, the console opens in
French. If you open the Configuration Manager console on a computer with a
configured language of Japanese, the console opens in English because the Japanese
language pack isn't available.

Each time the Configuration Manager console opens:

It determines the configured language settings for the computer

Verifies whether an associated language pack is available for the Configuration
Manager console

Opens the console by using the appropriate language pack

When you want to open the Configuration Manager console in English regardless of the
configured language settings on the computer, remove or rename the language pack
files on the computer.

Use the following procedures to start the Configuration Manager console in English
regardless of the configured locale setting on the computer.

Install an English-only version of the Configuration Manager console on computers

1. In Windows Explorer, browse to \Tools\ConsoleSetup\LanguagePack in the
Configuration Manager installation path.

2. Rename the .msp and .mst files. For example, you could change <file name>.MSP
to <file name>.MSP.disabled.

3. Install the Configuration Manager console on the computer.

Important

When new server languages are configured for the site server, the .msp and
.mst files are recopied to the LanguagePack folder, and you must repeat this
procedure to install new Configuration Manager consoles in only English.

Temporarily disable a console language on an existing Configuration Manager console installation

1. On the computer that is running the Configuration Manager console, close the
Configuration Manager console.

2. In Windows Explorer, browse to <ConsoleInstallationPath>\Bin\ on the
Configuration Manager console computer.

3. Rename the appropriate language folder for the language that is configured on
the computer. For example, if the language settings for the computer were set for
German, you could rename the de folder to de.disabled.

4. To open the Configuration Manager console in the language that is configured for
the computer, rename the folder to the original name. For example, rename
de.disabled to de.

Configure DCOM permissions for remote consoles

The user account that runs the Configuration Manager console requires permission to
access the site database by using the SMS provider. However, an administrative user
who uses a remote Configuration Manager console also requires Remote Activation
DCOM permissions on:

The site server computer

Each computer that hosts an instance of the SMS provider

The security group named SMS Admins grants access to the SMS provider on a
computer, and can also be used to grant the required DCOM permissions. This group is
local to the computer when the SMS provider runs on a member server. It's a domain
local group when the SMS provider runs on a domain controller.

Important

The Configuration Manager console uses WMI to connect to the SMS provider, and
WMI internally uses DCOM. If the Configuration Manager console runs on a
computer other than the SMS provider computer, it requires permissions to
activate a DCOM server on the SMS provider computer. By default, Remote
Activation is granted only to the members of the built-in Administrators group.
If you allow the SMS Admins group to have Remote Activation permission, a
member of this group could attempt DCOM attacks against the SMS provider
computer. This configuration also increases the attack surface of the computer. To
mitigate this threat, carefully monitor the membership of the SMS Admins group.

Use the following procedure to configure each central administration site (CAS), primary
site server, and each computer where the SMS provider is installed to grant remote
Configuration Manager console access for administrative users.

Configure DCOM permissions for remote Configuration Manager console connections

1. As an administrator on the target computer, run Dcomcnfg.exe to open
Component Services.

2. Expand Component Services, expand Computers, and then select My Computer.
On the Action menu, select Properties.

3. In the My Computer Properties window, switch to the COM Security tab. In the
Launch and Activation Permissions section, select Edit Limits.

4. In the Launch and Activation Permissions window, select Add.

5. In the Select Users, Computers, Service Accounts, or Groups window, in the Enter
the object names to select field, type SMS Admins , and then select OK.

 Tip

To locate the SMS Admins group, you might have to change the setting: From
this Location. This group is local to the computer when the SMS provider runs
on a member server, and is a domain local group when the SMS provider runs
on a domain controller.

6. In the Permissions for SMS Admins section, to allow remote activation, select the
Allow column for the Remote Activation row.

7. Select OK to save changes and close all windows.

Your computer is now configured to allow remote Configuration Manager console
access to members of the SMS Admins group.
Repeat this procedure on each SMS provider computer that supports remote
Configuration Manager consoles.
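The Important note above asks you to watch the SMS Admins group closely once it holds Remote Activation. The following PowerShell script is an added example, not code from the Configuration Manager documentation: it audits exactly what the procedure grants on an SMS Provider computer, listing the group's members and decoding the machine-wide launch/activation limits (the "Edit Limits" ACL that dcomcnfg stores as a binary security descriptor in HKLM\SOFTWARE\Microsoft\Ole) to show whether SMS Admins has Remote Activation. It assumes it runs elevated on the site server or SMS Provider computer, that the group is named SMS Admins as site setup creates it, and that the ActiveDirectory module is available when the computer is a domain controller.

```powershell
# Added example (not from the Configuration Manager docs): audit who is in SMS Admins and
# whether that group holds DCOM Remote Activation in the machine-wide launch limits.
# Assumptions: run elevated on the SMS Provider computer; the group is "SMS Admins";
# the bit values are the COM_RIGHTS_* constants from the DCOM security documentation.

$ComRights = [ordered]@{
    LocalLaunch      = 0x2
    RemoteLaunch     = 0x4
    LocalActivation  = 0x8
    RemoteActivation = 0x10
}

function Get-SmsAdminsMembership {
    # Member server: SMS Admins is a local group. Domain controller: it is a domain local
    # group, so fall back to the ActiveDirectory module (installed on every DC).
    try {
        Get-LocalGroupMember -Group 'SMS Admins' -ErrorAction Stop |
            Select-Object Name, ObjectClass, PrincipalSource
    } catch {
        Get-ADGroupMember -Identity 'SMS Admins' -Recursive |
            Select-Object @{n='Name';e={$_.SamAccountName}}, ObjectClass,
                          @{n='PrincipalSource';e={'ActiveDirectory'}}
    }
}

function Get-DcomLaunchLimits {
    # One row per ACE in MachineLaunchRestriction. When the value is absent the OS defaults
    # apply, and only the built-in Administrators group has Remote Activation.
    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' `
                             -Name MachineLaunchRestriction -ErrorAction SilentlyContinue
    if (-not $item) { return }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($item.MachineLaunchRestriction, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
        $granted = foreach ($r in $ComRights.GetEnumerator()) {
            if ($ace.AccessMask -band $r.Value) { $r.Key }
        }
        [pscustomobject]@{
            Account = $account
            Type    = $ace.AceType           # AccessAllowed / AccessDenied
            Rights  = ($granted -join ',')
        }
    }
}

function Test-SmsAdminsRemoteActivation {
    # True when an allow ACE for SMS Admins includes RemoteActivation, which is the state
    # the procedure above produces and the Important note warns about.
    $allow = Get-DcomLaunchLimits | Where-Object {
        $_.Type -eq 'AccessAllowed' -and
        $_.Account -like '*\SMS Admins' -and
        $_.Rights -match 'RemoteActivation'
    }
    return [bool]$allow
}

'--- SMS Admins membership (every member can activate DCOM servers on this host remotely) ---'
Get-SmsAdminsMembership | Format-Table -AutoSize
'--- Machine-wide launch and activation limits ---'
Get-DcomLaunchLimits | Format-Table -AutoSize
"SMS Admins has Remote Activation: $(Test-SmsAdminsRemoteActivation)"
```

Run it on the site server and on each remote SMS Provider after completing the procedure, and again whenever the group membership changes; an entry in the membership list that is a broad group (for example Domain Users or Authenticated Users) is the finding the note is warning about, because it hands Remote Activation to everyone in that group.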

Modify the site database configuration


After you install a site, you can modify the configuration of the site database and site
database server. Run Configuration Manager setup on a CAS server or primary site
server to make changes. You can move the site database to a new instance of SQL
Server on the same computer, or to a different computer that runs a supported version
of SQL Server. These changes aren't supported for the database configuration at
secondary sites.

For more information about the limits of support, see Support policy for manual
database changes in a Configuration Manager environment .

Note

When you modify the database configuration for a site, Configuration Manager
restarts or reinstalls Configuration Manager services on the site server and remote
site system servers that communicate with the database.

Modify the database configuration


Run Configuration Manager setup on the site server, and select the option Perform site
maintenance or reset this site. Then select the Modify SQL Server configuration
option. You can change the following site database configurations:

The Windows-based server that hosts the database.

The instance of SQL Server in use on a server that hosts the SQL Server database.

The database name.

SQL Server port in use by Configuration Manager.

SQL Server Service Broker port in use by Configuration Manager.

Move the site database


If you move the site database, also review the following configurations:

When you move the site database to a new computer, add the computer account
of the site server to the local Administrators group on the computer that runs SQL
Server. If you use a SQL Server Always On failover cluster instance for the site
database, add the computer account to the local Administrators group of each
Windows Server cluster node computer.

When you move the database to a new instance on SQL Server, or to a new SQL
Server computer, enable common language runtime (CLR) integration. Use SQL
Server Management Studio to connect to the instance of SQL Server that hosts
the site database. Then run the following stored procedure as a query:
sp_configure 'clr enabled',1; reconfigure

Make sure the new SQL Server has access to the backup location. When you use a
UNC for storing your site database backup, after moving the database to a new
server, make sure the computer account of the new SQL Server has write
permissions to the UNC location. This configuration includes when you move to a
SQL Server Always On availability group or a failover cluster instance.

Important

Before you move a database that has one or more database replicas for
management points, first remove the database replicas. After you complete the
database move, you can reconfigure database replicas. For more information, see
Database replicas for management points.
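The three items in the Move the site database list are easy to miss on a new SQL Server host, and a missing one only shows up later as a failed site component or a failed backup. The following PowerShell script is an added example, not code from the Configuration Manager documentation: run on the new SQL Server computer, it verifies and (with -WhatIf removed) applies each item. It assumes it runs elevated on the new SQL Server computer (on a failover cluster instance, on each node), that CM01, CONTOSO, SQL01\CMSITE and \\backup01\cmbackup are placeholders for your site server, domain, instance and backup share, and that the caller has ALTER SETTINGS (sysadmin or serveradmin) on the instance, since the CLR check and change go through System.Data.SqlClient with Windows authentication.

```powershell
# Added example (not from the Configuration Manager docs): verify the "Move the site
# database" checklist on the new SQL Server host. Names below are placeholders.
# Assumptions: elevated PowerShell on the new SQL Server computer; Windows authentication
# to the instance with ALTER SETTINGS permission.

$SiteServerAccount  = 'CONTOSO\CM01$'                         # site server computer account
$SqlComputerAccount = "$env:USERDOMAIN\$env:COMPUTERNAME`$"    # this SQL Server's computer account
$SqlInstance        = 'SQL01\CMSITE'
$BackupUnc          = '\\backup01\cmbackup'

function Test-LocalAdminMember {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Account)
    $members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name
    if ($members -contains $Account) { return $true }
    if ($PSCmdlet.ShouldProcess('Administrators', "add $Account")) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Account
    }
    return $false
}

function Invoke-MasterQuery {
    param([Parameter(Mandatory)][string]$Instance, [Parameter(Mandatory)][string]$Sql, [switch]$Scalar)
    $conn = [System.Data.SqlClient.SqlConnection]::new("Server=$Instance;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        if ($Scalar) { $cmd.ExecuteScalar() } else { [void]$cmd.ExecuteNonQuery() }
    } finally { $conn.Dispose() }
}

function Test-ClrEnabled {
    param([Parameter(Mandatory)][string]$Instance)
    $v = Invoke-MasterQuery -Instance $Instance -Scalar `
         -Sql "SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = 'clr enabled'"
    return ([int]$v -eq 1)
}

function Enable-Clr {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Instance)
    # Same statement the docs give; RECONFIGURE applies it without a service restart.
    if ($PSCmdlet.ShouldProcess($Instance, "sp_configure 'clr enabled', 1; RECONFIGURE")) {
        Invoke-MasterQuery -Instance $Instance -Sql "EXEC sp_configure 'clr enabled', 1; RECONFIGURE;"
    }
}

function Test-BackupShareWrite {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Account)
    # Looks only at NTFS ACEs that name the account directly. Rights inherited through a
    # group membership, and the SMB share permissions, are not covered here.
    $needed = [System.Security.AccessControl.FileSystemRights]::Write
    $acl = Get-Acl -Path $Path
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Account -and
        (($_.FileSystemRights -band $needed) -eq $needed)
    }
    return [bool]$hit
}

"Site server in local Administrators: $(Test-LocalAdminMember -Account $SiteServerAccount -WhatIf)"
if (-not (Test-ClrEnabled -Instance $SqlInstance)) { Enable-Clr -Instance $SqlInstance -WhatIf }
"CLR enabled on $SqlInstance : $(Test-ClrEnabled -Instance $SqlInstance)"
"$SqlComputerAccount can write to $BackupUnc : $(Test-BackupShareWrite -Path $BackupUnc -Account $SqlComputerAccount)"
```

The backup check deliberately reports only a direct ACE for the SQL Server computer account: if the share grants write access through a group instead, confirm that membership separately rather than widening the ACL to a broader principal.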

Manage the SPN for the site database server


You can choose the account that runs SQL Server services for the site database:

When the services run with the computer's system account, SQL Server automatically
registers the service principal name (SPN) for you.

When the services run with a domain user account, manually register the SPN.
The SPN allows SQL Server clients and other site systems to authenticate with
Kerberos. Without Kerberos authentication, communication to the database might
fail.

For more information about SPNs and Kerberos connections, see Register a service
principal name for Kerberos connections.

Register an SPN for the SQL Server service account of the site database server by using
the Setspn tool. Run Setspn as a Domain Administrator on a computer in the same
domain as the SQL Server.

The following procedures are examples of how to manage the SPN for the SQL Server
service account. For more information about Setspn, see Setspn Overview.

Manually create a domain user SPN for the SQL Server service account

1. Open a command prompt as an administrator.

2. Enter a valid command to create the SPN for both the NetBIOS name and the
FQDN:

Important

When you create an SPN for a SQL Server Always On failover cluster instance,
specify the virtual name of the failover cluster instance as the SQL Server
computer name.

NetBIOS name: setspn -A MSSQLSvc/<SQL Server computer name>:<port> <Domain\Account>

For example: setspn -A MSSQLSvc/sqlserver:1433 contoso\sqlservice

FQDN: setspn -A MSSQLSvc/<SQL Server FQDN>:<port> <Domain\Account>

For example: setspn -A MSSQLSvc/sqlserver.contoso.com:1433 contoso\sqlservice

Note

The command to register an SPN for a SQL Server named instance is the same
as that you use when you register an SPN for a default instance. The only
exception is that the port number must match the port that the named
instance uses.

Verify the domain user SPN is registered correctly


1. Open a command prompt as an administrator.

2. Enter the following command: setspn -L <domain\SQL Server service account>

For example: setspn -L contoso\sqlservice

3. Review the registered ServicePrincipalName. Make sure that you created a valid
SPN for the SQL Server.
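The two procedures above (create, then verify) are wrapped in the following PowerShell script, which is an added example and not code from the Configuration Manager documentation. It builds both SPN forms from one set of inputs, queries the forest for an existing holder of each SPN before registering it, and then lists what the account ends up with. It uses setspn -S rather than the -A shown above because -S refuses to add an SPN that already exists; a duplicate SPN is the common cause of Kerberos failing and clients falling back to NTLM, which the Note above does not mention. It assumes it runs as a Domain Admin on a domain-joined computer with setspn.exe, and that sqlserver, sqlserver.contoso.com, 1433 and contoso\sqlservice (the docs' own example values) are placeholders for your environment; for a failover cluster instance, pass the virtual name as -SqlHost.

```powershell
# Added example (not from the Configuration Manager docs): register and verify the
# MSSQLSvc SPNs for the site database's SQL Server service account.
# Assumptions: run as a Domain Admin with setspn.exe available; host, port and account
# below are placeholders.

function Get-MssqlSpnNames {
    param(
        [Parameter(Mandatory)][string]$SqlHost,   # NetBIOS name, or the FCI virtual name
        [Parameter(Mandatory)][string]$Fqdn,
        [int]$Port = 1433                          # must match the port a named instance uses
    )
    "MSSQLSvc/${SqlHost}:$Port", "MSSQLSvc/${Fqdn}:$Port"
}

function Test-SpnDuplicate {
    param([Parameter(Mandatory)][string]$Spn)
    # setspn -Q searches the forest and prints "Existing SPN found!" when any account
    # already holds the SPN, or "No such SPN found." otherwise.
    $out = & setspn.exe -Q $Spn 2>&1
    return [bool]($out -match 'Existing SPN found')
}

function Register-SqlSpn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SqlHost,
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string]$ServiceAccount,   # DOMAIN\user
        [int]$Port = 1433
    )
    foreach ($spn in (Get-MssqlSpnNames -SqlHost $SqlHost -Fqdn $Fqdn -Port $Port)) {
        if (Test-SpnDuplicate -Spn $spn) {
            Write-Warning "$spn is already registered; run 'setspn -Q $spn' to see which account holds it and resolve that first."
            continue
        }
        if ($PSCmdlet.ShouldProcess($ServiceAccount, "setspn -S $spn")) {
            & setspn.exe -S $spn $ServiceAccount | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "setspn -S failed for $spn (exit code $LASTEXITCODE)" }
        }
    }
}

function Get-RegisteredSpn {
    param([Parameter(Mandatory)][string]$ServiceAccount)
    # setspn -L prints a header line followed by one indented SPN per line.
    & setspn.exe -L $ServiceAccount 2>&1 |
        Where-Object { $_ -match '^\s+\S' } |
        ForEach-Object { $_.Trim() }
}

# -WhatIf prints the setspn commands without touching Active Directory; drop it to register.
Register-SqlSpn -SqlHost sqlserver -Fqdn sqlserver.contoso.com -ServiceAccount 'contoso\sqlservice' -WhatIf
Get-RegisteredSpn -ServiceAccount 'contoso\sqlservice'
```

When the warning fires for an SPN that turns out to be on the SQL Server computer account, that is the leftover from running under the system account; remove it there before registering it on the domain account, because two holders of the same SPN is exactly the condition that breaks Kerberos.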

Change the SQL Server service account from local system to a domain user account
1. Create or select a domain or local system user account that you want to use as the
SQL Server service account.

2. Open SQL Server Configuration Manager.

3. Select SQL Server Services, and then open SQL Server<INSTANCE NAME>.

4. Switch to the Log on tab. Select This account, and then enter the user name and
password for the domain user account from step 1.

5. Confirm the service account change and restart the SQL Server service.

Run a site reset


When a site reset runs at a CAS or primary site, the site:

Reapplies the default Configuration Manager file and registry permissions

Reinstalls all site components and all site system roles

Secondary sites don't support site reset.

You can run a site reset manually. A site reset can also run automatically after you
modify the site configuration. For example:

If there has been a change to the accounts used by Configuration Manager
components, consider a manual site reset. This action makes sure the site
components update to use the new account details.

If you modify the client or server languages at a site, Configuration Manager
automatically runs a site reset. The site requires a reset to use the new languages.

Note

A site reset doesn't reset access permissions to non-Configuration Manager
objects.

What happens during a site reset

When a site reset runs:

1. Setup stops and restarts the SMS_SITE_COMPONENT_MANAGER service and the
thread components of the SMS_EXECUTIVE service.

2. Setup removes and recreates the site system share folder and the SMS Executive
component on the local computer and on remote site system computers.

3. Setup restarts the SMS_SITE_COMPONENT_MANAGER service, which installs the
SMS_EXECUTIVE and the SMS_SQL_MONITOR services.

Site reset restores the following objects:

The SMS or NAL registry keys, and any default subkeys under these keys.

The Configuration Manager file directory tree, and any default files or
subdirectories in this file directory tree.

Prerequisites for site reset


The account that you use to reset a site must have the following permissions:

To reset the CAS:

A local Administrator on the CAS server

Privileges that are equivalent to the Full Administrator role-based
administration security role

To reset a primary site:

A local Administrator on the primary site server

Privileges that are equivalent to the Full Administrator role-based
administration security role

If the primary site is in a hierarchy with a CAS, this account must also be a local
Administrator on the CAS server.

Limitations for a site reset


If the hierarchy is configured to support testing client upgrades in a pre-production
collection, you can't use a site reset to change the server or client language packs at
sites.

Run a site reset


1. Start Configuration Manager setup on the site server by using one of the following
methods:

On the Start menu, select Configuration Manager Setup.

In the directory for the Configuration Manager installation media, open
\SMSSETUP\BIN\X64\setup.exe. Make sure this version is the same as the site
version.

In the directory where Configuration Manager is installed, open
\BIN\X64\setup.exe.

2. On the Getting Started page, select Perform site maintenance or reset this site.

3. On the Site Maintenance page, select Reset site with no configuration changes.

4. Select Yes to begin the site reset.

Manage language packs at a site


After a site installs, you can change the server and client language packs that are in use.

Server language packs


Applies to: Configuration Manager console installations, new installations of applicable
site system roles

After you update the server language packs at a site, you can add support for the
language packs to Configuration Manager consoles.

To add support for a server language pack to a Configuration Manager console, install
the Configuration Manager console from the ConsoleSetup folder on a site server that
includes the language pack that you want to use. If the Configuration Manager console
is already installed, you must first uninstall it to enable the new installation to identify
the current list of supported language packs.
Client language packs
Changes to the client language packs update the client installation source files. New
client installations and upgrades add support for the updated list of client languages.

After you update the client language packs at a site, install each client that will use the
language packs by using source files that include the client language packs.

For more information about the client and server languages that Configuration Manager
supports, see Language Packs.

Modify the supported language packs at a site


1. Start Configuration Manager setup on the site server by using one of the following
methods:

On the Start menu, select Configuration Manager Setup.

In the directory for the Configuration Manager installation media, open
\SMSSETUP\BIN\X64\setup.exe. Make sure this version is the same as the site
version.

In the directory where Configuration Manager is installed, open
\BIN\X64\setup.exe.

2. On the Getting Started page, select Perform site maintenance or reset this Site.

3. On the Site Maintenance page, select Modify language configuration.

4. On the Prerequisites Downloads page, select one of the following options:

Download required files: Acquire updates to language packs.

Use previously downloaded files: Use previously downloaded files that
include the language packs you want to add to the site.

5. On the Server Language Selection page, select the server languages this site
supports.

6. On the Client Language Selection page, select the client languages that this site
supports.

7. Complete the wizard to modify language support at the site.

Note

Configuration Manager initiates a site reset which also reinstalls all site system
roles at the site.

Modify the database server alert threshold


By default, Configuration Manager generates alerts when free disk space on a site
database server is low:

Generate a warning when there's 10 GB or less of free disk space

Generate a critical alert when there's 5 GB or less of free disk space

You can modify these values or disable alerts for each site:

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. Select the site that you want to configure. In the ribbon, select Properties.

3. Switch to the Alert tab, and then edit the settings.

Uninstall sites and hierarchies


You may need to uninstall a Configuration Manager site system role, site, or hierarchy.
For more information, see Uninstall roles, sites, and hierarchies.

Starting in version 2002, you can also remove the CAS from a hierarchy, but keep the
primary site. For more information, see Remove the CAS.

The CD.Latest folder for Configuration Manager

Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager has a process to deliver updates to the product from within the
Configuration Manager console. To support this new method of updating Configuration
Manager, a new folder is created named CD.Latest . This folder contains a copy of the
Configuration Manager installation files for the updated version of your site.

The CD.Latest folder contains a folder named Redist , which contains the
redistributable files that setup downloads and uses. These files are matched to the
version of Configuration Manager files found in that CD.Latest folder. When you run
Setup from a CD.Latest folder, you must use files that are matched to that version of
Setup. You can either direct Setup to download new and current files from Microsoft, or
direct Setup to use the files from the Redist folder included in the CD.Latest folder.

Baseline media doesn't include a Redist folder. The site doesn't create a Redist folder
until you install an in-console update. In the meantime, use the Redist folder that you
used when installing sites from the baseline media.

 Tip

Make sure the redistributable files you use are current. If you haven't recently
downloaded redistributable files, plan to allow Setup to do so from Microsoft.

The following scenarios create or update the CD.Latest folder on a central
administration site or primary site server:

When you install an update or hotfix from within the Configuration Manager
console, the site creates or updates the folder in the Configuration Manager
installation folder.

When you run the built-in Configuration Manager backup task, the site creates or
updates the folder under the designated backup folder location.

When you install a new site using baseline media, the site creates the CD.Latest
folder.

Supported scenarios

The source files from the CD.Latest folder are supported for the following scenarios:

Backup and recovery


To recover a site, use the source files from a CD.Latest folder that matches your site.
When you run a site backup using the built-in site backup task, the CD.Latest folder is
included as part of the backup.

When you reinstall a site as part of a site recovery, you install the site from the
CD.Latest folder included in your backup. This action installs the site using the file
versions that match your site backup and site database.

If you don't have access to the correct CD.Latest folder version, get the
CD.Latest folder with the correct file versions by installing a site in a lab
environment. Then update that site to match the version you want to recover.

If you don't have the correct CD.Latest folder and its contents available, you
can't recover a site. In this circumstance, you need to reinstall the site.

When you don't have a CD.Latest folder, but do have a working child primary site
or central administration site, you can use that site as a reference site for a site
recovery.

Install a child primary site


When you want to install a new child primary site below a central administration site
that has installed one or more in-console updates, use Setup and the source files from
the CD.Latest folder from the central administration site. This process uses installation
source files that match the version of the central administration site. For more
information, see Use the Setup Wizard to install sites.

Expand a stand-alone primary site


When you expand a stand-alone primary site by installing a new central administration
site, use Setup and the source files from the CD.Latest folder from the primary site. This
process uses installation source files that match the version of the primary site. For more
information, see Expand a stand-alone primary site.

Install a secondary site

When you want to install a new secondary site below a primary site that has installed
one or more in-console updates, use the source files from the CD.Latest folder from the
primary site.

For more information, see Install a secondary site.

Unsupported scenarios

The updated CD.Latest source files aren't supported for:

Installing a new site for a new hierarchy

Upgrading a Microsoft System Center 2012 Configuration Manager site to
Configuration Manager current branch

Installing Configuration Manager clients

Installing Configuration Manager consoles
Next steps

Updates for Configuration Manager

Upgrade on-premises infrastructure that supports Configuration Manager

Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the information in this article to help you upgrade the server infrastructure that runs
Configuration Manager.

If you want to upgrade from an earlier version to Configuration Manager, current
branch, see Upgrade to Configuration Manager.

If you want to update your Configuration Manager, current branch, infrastructure
to a new version, see Updates for Configuration Manager.

Upgrade the OS of site systems


Configuration Manager supports the in-place upgrade of the server OS that hosts a site
server and any site system role, in the following situations:

If Configuration Manager still supports the resulting service pack level of Windows,
it supports in-place upgrade to a later Windows Server service pack.

In-place upgrade from:

Windows Server 2019 to Windows Server 2022

Windows Server 2016 to Windows Server 2022

Windows Server 2016 to Windows Server 2019

Windows Server 2012 R2 to Windows Server 2019

Windows Server 2012 R2 to Windows Server 2016

Windows Server 2012 to Windows Server 2016

Windows Server 2012 to Windows Server 2012 R2

Windows Server 2008 R2 to Windows Server 2012 R2

To upgrade a server, use the upgrade procedures provided by the OS you're upgrading
to. See the following articles:
Windows Server Upgrade Center

Upgrade and conversion options for Windows Server 2016

Upgrade Options for Windows Server 2012 R2

Upgrade to Windows Server 2016, 2019, or 2022

Use the steps in this section for any of the following upgrade scenarios:

Upgrade either Windows Server 2016 or Windows Server 2019 to Windows Server
2022

Upgrade either Windows Server 2012 R2 or Windows Server 2016 to Windows
Server 2019

Upgrade either Windows Server 2012 or Windows Server 2012 R2 to Windows
Server 2016

Before upgrade

(Windows Server 2012 or Windows Server 2012 R2 only): Remove the System Center
Endpoint Protection (SCEP) client. Windows Server 2016 and later have Windows
Defender built in, which replaces the SCEP client. The presence of the SCEP client can
prevent an upgrade to Windows Server.

(Windows Server 2012 or Windows Server 2012 R2 only): Install the latest
Cumulative Update and uninstall Windows Management Framework 5.1 before
attempting the upgrade.

Remove the WSUS role from the server if it's installed. You may keep the SUSDB
and reattach it once WSUS is reinstalled.

If you're upgrading the OS of the site server, make sure file-based replication is
healthy for the site. Check all inboxes for a backlog on both sending and receiving
sites. If there are lots of stuck or pending replication jobs, wait until they clear out.
On the sending site, review sender.log.
On the receiving site, review despooler log.

After upgrade

Make sure Windows Defender is enabled, set for automatic start, and running.

Make sure the following Configuration Manager services are running:

SMS_EXECUTIVE

SMS_SITE_COMPONENT_MANAGER

Make sure the Windows Process Activation and WWW/W3svc services are
enabled and set for automatic start. The upgrade process disables these services,
so make sure they're running for the following site system roles:

Site server

Management point

Make sure each server that hosts a site system role continues to meet all
prerequisites. For example, you might need to reinstall BITS, WSUS, or configure
specific settings for IIS.

After restoring any missing prerequisites, restart the server one more time to make
sure services are started and operational.

If you're upgrading the primary site server, then run a site reset.

Known issue for remote Configuration Manager consoles


After you upgrade the site server, or an instance of the SMS Provider, you can't connect
with the Configuration Manager console. To work around this problem, manually restore
permissions for the SMS Admins group in WMI. Permissions must be set on the site
server, and on each remote server that hosts an instance of the SMS Provider:

1. On the applicable servers, open the Microsoft Management Console (MMC) and
add the snap-in for WMI Control, and then select Local computer.

2. In the MMC, open the Properties of WMI Control (Local) and select the Security
tab.

3. Expand the tree below Root, select the SMS node, and then choose Security. Make
sure the SMS Admins group has the following permissions:

Enable Account

Remote Enable

4. On the Security tab below the SMS node, select the site_<sitecode> node, and
then choose Security. Make sure the SMS Admins group has the following
permissions:

Execute Methods
Provider Write

Enable Account

Remote Enable

5. Save the permissions to restore access for the Configuration Manager console.

Known issue for remote site systems

After you upgrade a server that hosts a site system role, the entry
Software\Microsoft\SMS may be missing from the Machine (REG_MULTI_SZ) value under
the following registry key:

HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths
If this value is missing after you upgrade Windows on the server, manually add it.
Otherwise site system roles can have issues uploading files to the site server inboxes.
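The three post-upgrade checks above (services, the SMS Admins WMI namespace rights, and the AllowedPaths entry) are all things that are quick to verify but tedious to click through on every server. The following PowerShell script is an added example, not code from the Configuration Manager documentation: it checks all three on one server, decoding the WMI namespace security descriptor so the result shows which of the listed rights SMS Admins actually has on root\SMS and root\SMS\site_<sitecode>. It assumes it runs elevated on the upgraded site server or SMS Provider computer, that ABC is a placeholder for your site code, that the WMI right bits are the WBEM_* constants from the WMI security documentation, and that the AllowedPaths entries live in the Machine multi-string value as described above.

```powershell
# Added example (not from the Configuration Manager docs): post-upgrade checks for a site
# server or SMS Provider computer. Assumptions: elevated PowerShell on the server;
# $SiteCode is a placeholder; WBEM_* right bits as documented for WMI namespace security.

$SiteCode = 'ABC'   # placeholder: replace with the site code

# WMI namespace permission bits (WBEM_* access rights) used by the two Security dialogs above.
$WmiRights = [ordered]@{
    EnableAccount  = 0x1
    ExecuteMethods = 0x2
    ProviderWrite  = 0x10
    RemoteEnable   = 0x20
}

function Test-RequiredServices {
    # Services the upgrade can leave stopped or disabled; all should be Running/Automatic.
    $required = 'SMS_EXECUTIVE', 'SMS_SITE_COMPONENT_MANAGER', 'WAS', 'W3SVC', 'WinDefend'
    foreach ($name in $required) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Status    = if ($svc) { $svc.Status } else { 'missing' }
            StartType = if ($svc) { $svc.StartType } else { 'n/a' }
            Ok        = [bool]$svc -and $svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic'
        }
    }
}

function Get-SmsNamespaceRights {
    param([Parameter(Mandatory)][string]$Namespace)
    # __SystemSecurity.GetSecurityDescriptor returns a Win32_SecurityDescriptor whose DACL
    # is an array of Win32_ACE (Trustee, AccessMask, AceFlags, AceType: 0 = allow, 1 = deny).
    $result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Namespace returned $($result.ReturnValue)" }
    foreach ($ace in $result.Descriptor.DACL) {
        $granted = foreach ($r in $WmiRights.GetEnumerator()) {
            if ($ace.AccessMask -band $r.Value) { $r.Key }
        }
        [pscustomobject]@{
            Namespace = $Namespace
            Trustee   = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            Allow     = ($ace.AceType -eq 0)
            Rights    = @($granted)
        }
    }
}

function Test-SmsAdminsWmiRights {
    param([Parameter(Mandatory)][string]$SiteCode)
    # Rights the procedure above restores on each namespace.
    $expected = @{
        'root\SMS'                = 'EnableAccount', 'RemoteEnable'
        "root\SMS\site_$SiteCode" = 'EnableAccount', 'ExecuteMethods', 'ProviderWrite', 'RemoteEnable'
    }
    foreach ($ns in $expected.Keys) {
        $aces = Get-SmsNamespaceRights -Namespace $ns |
                Where-Object { $_.Allow -and $_.Trustee -like '*\SMS Admins' }
        $have    = @($aces | ForEach-Object { $_.Rights } | Sort-Object -Unique)
        $missing = @($expected[$ns] | Where-Object { $_ -notin $have })
        [pscustomobject]@{ Namespace = $ns; Have = ($have -join ','); Missing = ($missing -join ',') }
    }
}

function Test-AllowedPathsEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Entry = 'Software\Microsoft\SMS')
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
    # "Machine" lists registry paths the Remote Registry service exposes to remote callers
    # regardless of the winreg key's own ACL; every entry widens remote access, so add only
    # the one the site system roles need.
    $current = @((Get-ItemProperty -Path $key -Name Machine).Machine)
    if ($current -contains $Entry) { return $true }
    if ($PSCmdlet.ShouldProcess($key, "append '$Entry' to Machine")) {
        Set-ItemProperty -Path $key -Name Machine -Value ($current + $Entry) -Type MultiString
    }
    return $false
}

Test-RequiredServices | Format-Table -AutoSize
Test-SmsAdminsWmiRights -SiteCode $SiteCode | Format-Table -AutoSize
"AllowedPaths already contains Software\Microsoft\SMS: $(Test-AllowedPathsEntry -WhatIf)"
```

An empty Missing column for both namespaces means the console workaround above is not needed on that server; a non-empty one names exactly the checkboxes to restore. Run the script on the site server and on every remote SMS Provider, since the permissions are per-computer.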

Upgrade to Windows Server 2012 R2


When you upgrade from either Windows Server 2008 R2 or Windows Server 2012 to
Windows Server 2012 R2, the following conditions apply:

Before upgrade to Server 2012 R2


On Windows Server 2012: Remove the WSUS role from the server if it's installed.
You may keep the SUSDB and reattach it once WSUS is reinstalled.

On Windows Server 2008 R2: Before you upgrade to Windows Server 2012 R2, you
must uninstall WSUS 3.2 from the server. You may keep the SUSDB and reattach it
once WSUS is reinstalled. For more information, see Windows Server Update
Services Overview.

If you're upgrading the OS of the site server, make sure file-based replication is
healthy for the site. Check all inboxes for a backlog on both sending and receiving
sites. If there are lots of stuck or pending replication jobs, wait until they clear out.
On the sending site, review sender.log.
On the receiving site, review despooler log.

After upgrade to Server 2012 R2

The upgrade process disables the Windows Deployment Services. Make sure this
service is started and running for the following site system roles:

Site server

Management point

Make sure the Windows Process Activation and WWW/W3svc services are
enabled and set for automatic start. The upgrade process disables these services,
so make sure they're running for the following site system roles:

Site server

Management point

Make sure each server that hosts a site system role continues to meet all
prerequisites. For example, you might need to reinstall BITS, WSUS, or configure
specific settings for IIS.

After restoring any missing prerequisites, restart the server one more time to make
sure services are started and operational.

Unsupported upgrade scenarios


The following Windows Server upgrade scenarios are commonly asked about, but not
supported by Configuration Manager:

Windows Server 2008 to Windows Server 2012 or later

Windows Server 2008 R2 to Windows Server 2012

Upgrade the OS of clients


Configuration Manager supports an in-place upgrade of the OS for Configuration
Manager clients in the following situations:

If Configuration Manager supports the resulting service pack level, it supports
in-place upgrade to a later Windows service pack.

In-place upgrade of Windows from a supported version to Windows 10 or later.
For more information, see Upgrade Windows to the latest version.

Build-to-build servicing upgrades of Windows 10 or later. For more information,
see Manage Windows as a service.

Upgrade SQL Server


Configuration Manager supports an in-place upgrade of SQL Server on the site database
server.

For information about the versions of SQL Server that Configuration Manager supports,
see Support for SQL Server versions.

Upgrade the service pack version of SQL Server


If Configuration Manager still supports the resulting SQL Server service pack level, it
supports the in-place upgrade of SQL Server to a later service pack.

When you have more than one Configuration Manager site in a hierarchy, each site can
run a different service pack version of SQL Server. There's no limitation to the order in
which sites upgrade the service pack version of SQL Server.

Important

If you use BitLocker management in Configuration Manager, and you encrypt
recovery data in the database, before you upgrade SQL Server, make sure the
certificate is for a supported version. For example, certificates created with SQL
Server 2014 or earlier aren't compatible with SQL Server 2016 or later. For more
information, see Manage the encryption certificate on SQL Server upgrade.

Upgrade to a new version of SQL Server


Configuration Manager supports the in-place upgrade of SQL Server to the following
versions:

SQL Server 2022

SQL Server 2019

SQL Server 2017

SQL Server 2016

SQL Server 2014

This support includes the upgrade of SQL Server Express to a newer version of SQL
Server Express at secondary sites.

When you upgrade the version of SQL Server that hosts the site database, you must
upgrade the SQL Server version that's used at sites in the following order:

1. Upgrade SQL Server at the central administration site first

2. Upgrade secondary sites before you upgrade a secondary site's parent primary site

3. Upgrade parent primary sites last. These sites include both child primary sites that
report to a central administration site, and stand-alone primary sites that are the
top-level site of a hierarchy.

When you upgrade a site database from an earlier version of SQL Server, the database
keeps its existing compatibility level if that level is at or above the minimum the new
instance of SQL Server allows. If the database's compatibility level is lower than that
minimum, the upgrade automatically sets the database to the lowest compatibility level
the new version of SQL Server allows. For more information, see Supported SQL
Server versions: Database compatibility level.

For more information about upgrading SQL Server, see the following SQL Server articles:

Upgrade to SQL Server 2022

Upgrade to SQL Server 2019

Upgrade to SQL Server 2017

Upgrade to SQL Server 2016

To upgrade SQL Server on the site database server

1. Stop all Configuration Manager services at the site.

2. Upgrade SQL Server to a supported version.

3. Restart the Configuration Manager services.
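
The three steps above, scripted as an added example that is not part of the
Configuration Manager documentation. It assumes the SqlServer PowerShell module
(Invoke-Sqlcmd) is installed, that the site database is CM_PS1 on the instance CMSQL01
(both placeholders), and that it runs elevated on the site server. The service names
are the Windows services a site server installs (SMS_*) plus the in-console update
service CONFIGURATION_MANAGER_UPDATE; the supported-version check encodes the list
of upgrade targets above.

```powershell
#Requires -RunAsAdministrator
# Added example: wraps stop / upgrade / restart with the checks an admin wants afterwards.
$SqlInstance  = 'CMSQL01'   # assumption: site database instance
$SiteDatabase = 'CM_PS1'    # assumption: CM_<site code>
$StateFile    = Join-Path $env:ProgramData 'cm-sql-upgrade-services.json'

# SQL Server major versions that are supported in-place upgrade targets (from the list above):
# 2014 = 12, 2016 = 13, 2017 = 14, 2019 = 15, 2022 = 16.
$SupportedMajor = 12, 13, 14, 15, 16

function Get-CMSiteService {
    # Windows services installed by the site server, plus the in-console update service.
    Get-Service -Name 'SMS_*', 'CONFIGURATION_MANAGER_UPDATE' -ErrorAction SilentlyContinue
}

function Stop-CMSite {
    # Step 1: stop every Configuration Manager service, remembering which ones were running
    # so that the restart only touches services that were active before the upgrade.
    $running = @(Get-CMSiteService | Where-Object Status -eq 'Running' | Select-Object -ExpandProperty Name)
    $running | ConvertTo-Json | Set-Content -Path $StateFile
    foreach ($name in $running) {
        Stop-Service -Name $name -Force
        (Get-Service -Name $name).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
    }
    Write-Host "Stopped: $($running -join ', ')"
}

function Test-CMSqlUpgradeResult {
    # Step 2 (verification): after SQL Server setup finishes, confirm the engine is at a
    # supported version and read back the site database's compatibility level and edition.
    $info = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database 'master' -Query @"
SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) AS ProductVersion,
       CAST(SERVERPROPERTY('Edition') AS nvarchar(128)) AS Edition,
       d.compatibility_level AS CompatLevel
FROM sys.databases AS d
WHERE d.name = N'$SiteDatabase';
"@
    if (-not $info) { throw "Database $SiteDatabase not found on $SqlInstance." }
    $major = [int]($info.ProductVersion.Split('.')[0])
    if ($SupportedMajor -notcontains $major) {
        throw "SQL Server $($info.ProductVersion) is not a supported in-place upgrade target."
    }
    # The compatibility level is what the upgrade may have raised; the edition matters for
    # the client-count partition at the central administration site.
    [pscustomobject]@{
        ProductVersion = $info.ProductVersion
        Edition        = $info.Edition
        CompatLevel    = $info.CompatLevel
    }
}

function Start-CMSite {
    # Step 3: restart only the services that were running before the upgrade.
    $names = @(Get-Content -Path $StateFile -Raw | ConvertFrom-Json)
    foreach ($name in $names) {
        Start-Service -Name $name
        (Get-Service -Name $name).WaitForStatus('Running', [TimeSpan]::FromMinutes(5))
    }
    Write-Host "Started: $($names -join ', ')"
}

# Usage:
#   Stop-CMSite               # 1. before running SQL Server setup
#   <run SQL Server setup>    # 2. in-place upgrade to a supported version
#   Test-CMSqlUpgradeResult   # confirm version, edition and compatibility level
#   Start-CMSite              # 3. bring the site back
```

Run Test-CMSqlUpgradeResult before Start-CMSite: if the engine ended up on an
unsupported version or the site database's compatibility level was changed, you want to
know while the site is still stopped rather than after clients start talking to it again.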

Note

When you change the SQL Server edition in use at the central administration site
from Standard to Datacenter or Enterprise, the database partition doesn't
change. This database partition limits the number of clients the hierarchy supports.

Updates and servicing for Configuration Manager
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

Configuration Manager uses an in-console service method called Updates and
Servicing. This in-console method makes it easy to find and install recommended
updates for your Configuration Manager infrastructure. In-console servicing is
supplemented by out-of-band updates such as hotfixes. The out-of-band updates are
intended for customers who need to resolve issues that might be specific to their
environment.

Tip

The terms upgrade, update, and install are used to describe three separate concepts
in Configuration Manager. For more information about how each term is used, see
About upgrade, update, and install.

Baseline and update versions

Use the latest baseline version when you install a new site in a new hierarchy.

Also use a baseline version to upgrade from System Center 2012 Configuration
Manager.

After upgrading to Configuration Manager current branch, don't use baseline
versions to stay current. Instead, only use in-console updates to update to the
newest version.

Periodically, another baseline version is released. When you use the latest baseline
version to install a new hierarchy, you avoid installing an outdated or unsupported
version of Configuration Manager, followed by another update to your
infrastructure.

After you install a baseline version, later versions of Configuration Manager are available
as in-console updates. Use these updates to update your infrastructure to the latest
version of Configuration Manager.

You install in-console updates to update the version of your top-level site.
Updates you install at the central administration site (CAS) automatically install at
child primary sites. Control this timing by using a service window at the primary
site. For more information, see Service Windows.

Manually update secondary sites to a new update version from within the console.

When you install an update, the update stores installation files for that version on the
site server in a folder named CD.Latest. For more information about these files, see The
CD.Latest folder.

Use the files in the CD.Latest folder during site recovery. Also, when your hierarchy
no longer runs a baseline version, use these files to install other sites.

You can't use installation files from CD.Latest to install the first site of a new
hierarchy, or to upgrade a site from System Center 2012 Configuration Manager.

Version details
Some updates for Configuration Manager are available as both an in-console update
version for existing infrastructure, and as a new baseline version.

Supported versions
The following supported versions of Configuration Manager are currently available as a
baseline, an update, or both:

Version            Availability date   Support end date    Baseline       In-console update
2303 (5.00.9106)   April 10, 2023      October 10, 2024    Yes (Note 1)   Yes
2211 (5.00.9096)   December 5, 2022    June 5, 2024        No             Yes
2207 (5.00.9088)   August 12, 2022     February 12, 2024   No             Yes
2203 (5.00.9078)   April 8, 2022       October 8, 2023     Yes (Note 1)   Yes
2111 (5.00.9068)   December 1, 2021    June 1, 2023        No             Yes

Note
The Availability date in this table is when the early update ring was released.
Baseline media will be available on the VLSC soon after the update is globally
available.

Note 1: How to get baseline media

The baseline media is available as part of the following releases on the Volume License
Service Center (VLSC):

Microsoft Configmgr (current branch)
System Center Datacenter
System Center Standard

For example, search the VLSC for Microsoft Configmgr (current branch). Find the
baseline media in the list of files, and download it for that release.

Note

The search string may be different on other media sites. For example, on the Visual
Studio Subscriptions Portal, search for Microsoft Configuration Manager.

Historical versions
The following table lists historical versions of Configuration Manager current branch that
are out of support:

Version                               Availability date   Support end date     Baseline   In-console update
2107 (5.00.9058)                      August 2, 2021      February 2, 2023     No         Yes
2103 (5.00.9049)                      April 19, 2021      October 19, 2022     Yes        Yes
2010 (5.00.9040)                      November 30, 2020   May 30, 2022         No         Yes
2006 (5.00.9012)                      August 11, 2020     February 11, 2022    No         Yes
2002 (5.00.8968)                      April 1, 2020       October 1, 2021      Yes        Yes
1910 (5.00.8913)                      November 29, 2019   May 29, 2021         No         Yes
1906 (5.00.8853)                      July 26, 2019       January 26, 2021     No         Yes
1902 (5.00.8790)                      March 27, 2019      September 27, 2020   Yes        Yes
1810 (5.00.8740)                      November 27, 2018   December 1, 2020     No         Yes
1806 (5.00.8692)                      July 31, 2018       January 31, 2020     No         Yes
1802 (5.00.8634)                      March 22, 2018      September 22, 2019   Yes        Yes
1710 (5.00.8577)                      November 20, 2017   May 20, 2019         No         Yes
1706 (5.00.8540)                      July 31, 2017       July 31, 2018        No         Yes
1702 (5.00.8498)                      March 27, 2017      March 27, 2018       Yes        Yes
1610 (5.00.8458)                      November 18, 2016   November 18, 2017    No         Yes
1606 with KB3186654 (5.00.8412.1307)  October 12, 2016    October 12, 2017     Yes        No
1606 (5.00.8412.1000)                 July 22, 2016       July 22, 2017        No         Yes
1602 (5.00.8355)                      March 11, 2016      March 11, 2017       No         Yes
1511 (5.00.8325)                      December 8, 2015    December 8, 2016     Yes        No

How to check the version

To check the version of your Configuration Manager site, in the console go to About
Configuration Manager at the top-left corner of the console. This dialog displays the
site and console versions.
Note

The console version is slightly different from the site version. The minor version of
the console corresponds to the Configuration Manager release version. For
example, in Configuration Manager version 1802 the initial site version is
5.0.8634.1000, and the initial console version is 5.1802.1082.1700. The build (1082)
and revision (1700) numbers may change with future hotfixes.
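
The same check done from PowerShell, as an added example that is not part of the
documentation: it reads every site's version through the SMS Provider (the data the
Sites node shows when you add the Version column), maps the build number to the
release and support end date from the version tables above, and reads the console
version from the installed console executable. It assumes it runs on the site server or
on a machine with the console installed and rights to the SMS Provider; the console
location (the SMS_ADMIN_UI_PATH variable and Microsoft.ConfigurationManagement.exe)
is an assumption about the console's install layout.

```powershell
# Added example: report site and console versions and flag out-of-support or mixed releases.

# Release rows copied from the version tables above; extend this list as new releases ship.
$Releases = @(
    [pscustomobject]@{ Release = '2303'; Build = 9106; SupportEnd = [datetime]'2024-10-10' }
    [pscustomobject]@{ Release = '2211'; Build = 9096; SupportEnd = [datetime]'2024-06-05' }
    [pscustomobject]@{ Release = '2207'; Build = 9088; SupportEnd = [datetime]'2024-02-12' }
    [pscustomobject]@{ Release = '2203'; Build = 9078; SupportEnd = [datetime]'2023-10-08' }
    [pscustomobject]@{ Release = '2111'; Build = 9068; SupportEnd = [datetime]'2023-06-01' }
    [pscustomobject]@{ Release = '2107'; Build = 9058; SupportEnd = [datetime]'2023-02-02' }
)

# SMS_Site.Type values: 1 = secondary site, 2 = primary site, 4 = central administration site.
$SiteType = @{ 1 = 'Secondary'; 2 = 'Primary'; 4 = 'CAS' }

function Get-CMSiteVersionReport {
    param([string]$ProviderServer)   # omit to query the local SMS Provider
    $cim = @{}
    if ($ProviderServer) { $cim.ComputerName = $ProviderServer }

    # root\SMS\SMS_ProviderLocation points at the site-specific namespace root\SMS\site_<code>.
    $loc = Get-CimInstance @cim -Namespace 'root\SMS' -ClassName 'SMS_ProviderLocation' |
           Where-Object ProviderForLocalSite -eq $true | Select-Object -First 1
    if (-not $loc) { throw 'No SMS Provider found.' }
    $ns = "root\SMS\site_$($loc.SiteCode)"

    # SMS_Site lists every site in the hierarchy, secondary sites included, with its version.
    Get-CimInstance @cim -Namespace $ns -ClassName 'SMS_Site' | ForEach-Object {
        $v   = [version]$_.Version                      # e.g. 5.00.9106.1000
        $rel = $Releases | Where-Object Build -eq $v.Build | Select-Object -First 1
        [pscustomobject]@{
            SiteCode   = $_.SiteCode
            Server     = $_.ServerName
            Type       = $SiteType[[int]$_.Type]
            Version    = $_.Version
            Release    = if ($rel) { $rel.Release } else { 'not in table' }
            SupportEnd = if ($rel) { $rel.SupportEnd.ToString('yyyy-MM-dd') } else { $null }
            InSupport  = if ($rel) { (Get-Date) -le $rel.SupportEnd } else { $null }
        }
    }
}

function Get-CMConsoleVersion {
    # Assumption: console setup defines SMS_ADMIN_UI_PATH, and the console executable there is
    # Microsoft.ConfigurationManagement.exe; its file version is what About shows.
    if (-not $env:SMS_ADMIN_UI_PATH) { return $null }
    $exe = Join-Path $env:SMS_ADMIN_UI_PATH 'Microsoft.ConfigurationManagement.exe'
    if (Test-Path $exe) { (Get-Item $exe).VersionInfo.FileVersion }
}

$report = Get-CMSiteVersionReport
$report | Format-Table SiteCode, Type, Version, Release, SupportEnd, InSupport -AutoSize
"Console version: $(Get-CMConsoleVersion)"

# Sites on different releases mean the hierarchy is still in mixed-version mode.
if (@($report.Release | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'Sites are running different releases; finish updating the remaining sites.'
}
# A site past its support end date needs to move to a supported release.
$report | Where-Object { $_.InSupport -eq $false } | ForEach-Object {
    Write-Warning "Site $($_.SiteCode) is on $($_.Release), out of support since $($_.SupportEnd)."
}
```

Only the build number (third field) is compared, because the fourth field changes with
hotfixes and is not what distinguishes one release from another.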

In-console updates and servicing

When you use a production-ready installation of Configuration Manager current branch,
most updates are available using the Updates and Servicing channel. This method
identifies, downloads, and makes available the updates that apply to your current
infrastructure version and configuration. It includes only updates that Microsoft
recommends for all customers.

These updates include:

New versions, like version 2207, 2211, or 2303.

Updates that include new features for your current version.

Hotfixes for your version of Configuration Manager and that all customers should
install.

Note

In-console hotfixes have supersedence relationships. For more information,
see Supersedence for in-console hotfixes.

The in-console updates deliver increased stability and resolve common issues. They
replace the update types seen for previous product versions such as service packs,
cumulative updates, hotfixes that are applicable to all customers, and the extension for
Microsoft Intune.

The in-console updates can apply to one or more of the following systems:

Primary and CAS servers

Site system roles and site system servers

Instances of the SMS Provider

Configuration Manager consoles

Configuration Manager clients

Configuration Manager discovers new updates for you. Synchronize your Configuration
Manager service connection point with the Microsoft cloud service, noting the following
behaviors:

When your service connection point is in online mode, your site synchronizes with
Microsoft every day. It automatically identifies new updates that apply to your
infrastructure. To download updates and redistributable files, the computer that
hosts the service connection point site system role uses the System context to
access the following internet locations: go.microsoft.com and
download.microsoft.com. Because these requests run as the computer's System
account rather than as a signed-in user, any proxy or egress filter in the path must
allow that account to reach these hosts. For more information about other locations
used by the service connection point, see Internet access requirements.

When your service connection point is in offline mode, use the service connection
tool to manually sync with the Microsoft cloud. For more information, see Use the
service connection tool.

In-console updates replace the need to independently locate and install individual
updates, service packs, and new features.

Install only the in-console updates you choose. When installing some updates, you
can select individual features to enable and use. For more information, see Enable
optional features from updates.

When you install an in-console update, the following process occurs:

It automatically runs a prerequisite check. You can also manually run this check
before starting the installation.

It installs at the top-level site in your environment. This site is the CAS if there's
one. In a hierarchy, the update automatically installs at primary sites. Control when
each primary site server is allowed to update by using Service windows for site
servers.

After a site server updates, all affected site system roles automatically update.
These roles include instances of the SMS Provider. After the site installs the update,
Configuration Manager consoles also prompt the console user to update the
console.

If an update includes the Configuration Manager client, you're offered the option
to test the update in pre-production, or to apply the update to all clients
immediately.

After a primary site is updated, secondary sites don't automatically update. Instead,
you must manually start the secondary site update.

Note

The Configuration Manager current branch, the long-term servicing branch, and the
technical preview branch are different releases. Updates that apply for one branch
aren't available as in-console updates for the other branches. For more information
about available branches, see Which branch of Configuration Manager should I
use?.

Supersedence for in-console hotfixes

In-console hotfixes have supersedence relationships. When Microsoft publishes a new
Configuration Manager hotfix, the console doesn't display any hotfixes that are
superseded by this new hotfix. This behavior helps you better determine which
hotfixes to install.

Supersedence example
There are three hotfixes available: Hotfix-A, Hotfix-B, and Hotfix-C. Hotfix-A is
superseded by Hotfix-B, and Hotfix-B is superseded by Hotfix-C.

Hotfix-A        Hotfix-B        Hotfix-C        In-console view
Not installed   Not installed   Not installed   Show all three hotfixes
Installed       Installed       Not installed   Hotfix-B shows as installed; Hotfix-C shows as ready to install
Not installed   Not installed   Installed       Hotfix-C shows as installed

Out-of-band hotfixes
Some hotfixes release with limited availability to address specific issues. Other hotfixes
are applicable to all customers but can't install using the in-console method. These fixes
are delivered out-of-band and not discovered from the Microsoft cloud service.

Typically, when you're seeking to fix or address a problem with your deployment of
Configuration Manager, you can learn about out-of-band hotfixes from Microsoft
customer support services, a Microsoft support knowledge base article, or the
Configuration Manager team blog .

Install these fixes manually, using one of the following two methods:

Update Registration Tool

This tool manually imports the hotfix into your Configuration Manager console. Then
install the update as you would in-console updates that are discovered automatically.

This method is used for hotfixes that use the following file name structure:
<Product>-<product version>-<KB article ID>-ConfigMgr.Update.exe

For more information, see Use the update registration tool to import hotfixes.

Hotfix Installer

Use this tool to manually install a hotfix that can't be installed using the in-console
method.

This method is used for fixes that use the following file name structure:
<Product>-<product version>-<KB article ID>-<platform>-<language>.exe

For more information, see Use the hotfix installer to install updates.

Next steps
The following articles can help you understand how to find and install the different
update types for Configuration Manager:

Install in-console updates

Use the service connection tool

Use the update registration tool to import hotfixes

Use the hotfix installer to install updates

For more information about the technical preview branch, see Technical preview.

Prepare to install in-console updates for Configuration Manager
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

Configuration Manager synchronizes with the Microsoft cloud service to get updates.
Use the steps in this article to prepare your environment.

Get available updates

The site only downloads updates that apply to your infrastructure and version. This
synchronization can be automatic or manual, depending on how you configure the
service connection point for your hierarchy:

In online mode, the service connection point automatically connects to the
Microsoft cloud service and downloads applicable updates.

By default, Configuration Manager checks for new updates every 24 hours.

Manually check for updates in the Configuration Manager console. Go to the
Administration workspace, select the Updates and Servicing node, and choose
Check for Updates in the ribbon.

In offline mode, the service connection point doesn't connect to the Microsoft
cloud service. To download and then import available updates, use the Service
Connection Tool.

Note

If necessary, import out-of-band fixes into your console. To do so, use the update
registration tool. These out-of-band fixes supplement the updates you get when
you synchronize with the Microsoft cloud service.

After updates synchronize, view them in the Configuration Manager console. Go to the
Administration workspace and select the Updates and Servicing node.

Updates you haven't installed display as Available.

Updates you've installed display as Installed. Only the most recently installed
update is shown. To view previously installed updates, select History in the ribbon.

Before you configure the service connection point, understand and plan for its use. The
following uses might affect how you configure this site system role:

The site uses the service connection point to upload usage information about your
site. This information helps the Microsoft cloud service identify the updates that
are available for the current version of your infrastructure. For more information,
see Diagnostics and usage data.

To better understand what happens when updates are downloaded, see the following
flowcharts:

Flowchart - Download updates

Flowchart - Update replication

Permissions
To view updates in the console, a user must have a role-based administration security
role that includes the security class Update packages. This class grants access to view
and manage updates in the Configuration Manager console.

About the Update packages class

By default, the Update packages class (SMS_CM_Updatepackages) is part of the
following built-in security roles with the listed permissions:

Full Administrator with Modify and Read permissions:

A user with this security role and access to the All security scope can view and
install updates. The user can also enable features during the installation, and
enable individual features after the site updates.

A user with this security role and access to the Default security scope can view
and install updates. The user can also enable features during the installation,
and view features after the site updates. But this user can't enable the features
after the site updates.

Read-only Analyst with Read permissions:

A user with this security role and access to the Default scope can view updates
but not install them. This user can also view features after the site updates, but
can't enable them.

Permissions required for updates and servicing

Use an account to which you assign a security role that includes the Update
packages class with both Modify and Read permissions.

Assign the account to the Default scope.

Permissions to only view updates

Use an account to which you assign a security role that includes the Update
packages class with only the Read permission.

Assign the account to the Default scope.

Permissions required to enable features after the site updates

Use an account to which you assign a security role that includes the Update
packages class with both Modify and Read permissions.

Assign the account to the All scope.
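
A way to see who in the hierarchy currently falls into each of the three buckets above,
as an added example that is not part of the documentation. It reads administrative
users (SMS_Admin) through the SMS Provider and applies the rules given for the two
built-in roles; custom roles that grant the SMS_CM_Updatepackages class are not
evaluated, so treat the output as a first pass rather than an authorization audit. It
assumes the SMS Provider is reachable from where it runs, and that re-fetching an
instance by path is what populates the provider's lazy properties.

```powershell
# Added example: map administrative users to the update-servicing rights described above.
function Get-CMUpdateServicingRights {
    param([string]$ProviderServer)   # omit to query the local SMS Provider
    $cim = @{}
    if ($ProviderServer) { $cim.ComputerName = $ProviderServer }

    # root\SMS\SMS_ProviderLocation points at the site namespace root\SMS\site_<code>.
    $loc = Get-CimInstance @cim -Namespace 'root\SMS' -ClassName 'SMS_ProviderLocation' |
           Where-Object ProviderForLocalSite -eq $true | Select-Object -First 1
    if (-not $loc) { throw 'No SMS Provider found.' }
    $ns = "root\SMS\site_$($loc.SiteCode)"

    Get-CimInstance @cim -Namespace $ns -ClassName 'SMS_Admin' | ForEach-Object {
        # RoleNames and CategoryNames are lazy properties; re-fetching the instance by its path
        # fills them in (assumption about how the SMS Provider exposes lazy properties).
        $admin  = Get-CimInstance -InputObject $_
        $roles  = @($admin.RoleNames)
        $scopes = @($admin.CategoryNames)

        $full     = $roles -contains 'Full Administrator'   # Update packages: Read + Modify
        $analyst  = $roles -contains 'Read-only Analyst'    # Update packages: Read only
        $allScope = $scopes -contains 'All'

        [pscustomobject]@{
            Admin               = $admin.LogonName
            IsGroup             = [bool]$admin.IsGroup
            Roles               = $roles -join ', '
            Scopes              = $scopes -join ', '
            CanViewUpdates      = $full -or $analyst
            CanInstallUpdates   = $full                  # the Default scope is enough to install
            CanEnableAfterwards = $full -and $allScope   # enabling features later needs the All scope
        }
    }
}

Get-CMUpdateServicingRights | Format-Table -AutoSize
```

The rows with CanEnableAfterwards set to True are the ones to scrutinize: installing an
update needs only the Default scope, so accounts that merely run servicing don't need
the All scope, and the list of those that have it should be short.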

Before you install an in-console update

Review the following steps before you install an update from within the Configuration
Manager console.

Step 1: Review the update checklist

Review the applicable update checklist for actions to take before you start the update:

Checklist for installing update 2303

Checklist for installing update 2211

Checklist for installing update 2207

Checklist for installing update 2203

Checklist for installing update 2111

Step 2: Run the prerequisite checker before installing an update

Before you install an update, run the prerequisite checks for that update. If you run the
checks before installing an update:

The site replicates update files to other sites before installing the update.

When you choose to install the update, the prerequisite check automatically runs
again.

Note

When you start a prerequisite check and then view the status, the Installation
phase appears to be active. However, the site isn't actually installing the update. To
run the prerequisite check, the update process extracts the package from the
content library. It then puts the package into a staging folder where it can access
the current prerequisite checks. When you install an update, this same process runs.
This behavior is why the Installation phase shows as In progress. Only the Extract
Update package step is shown in the Installation category.

Later, when you install the update, you can configure the update to ignore prerequisite
check warnings.

Process to run the prerequisite checker before installing an update

1. In the Configuration Manager console, go to the Administration workspace, and
select the Updates and Servicing node.

2. Select the update package for which you want to run the prerequisite check.

3. Select Run prerequisite check in the ribbon.

When you run the prerequisite check, content for the update replicates to child
sites. View the distmgr.log on the site server to confirm that content replicates
successfully.

4. To view the results of the prerequisite check:

a. In the Configuration Manager console, go to the Monitoring workspace.

b. Select the Updates and Servicing Status node and look for the prerequisite
status.

c. For more information, see the ConfigMgrPrereq.log on the site server.

Next steps
Now that you've prepared the environment, you're ready to install the updates.

Install in-console updates

Install in-console updates for Configuration Manager
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

This article describes how to install updates from within the Configuration Manager
console. Before you start, make sure to Prepare to install in-console updates.

When you're ready to install updates from within the Configuration Manager console,
begin with the top-level site of your hierarchy. This site is either the central
administration site (CAS) or a standalone primary site.

Install the update outside of normal business hours for each site to minimize the effect
on business operations. The update installation might include actions like reinstalling
site components and site system roles.

Child primary sites automatically start the update after the CAS completes
installation of the update. This process is by default and recommended. To control
when a primary site installs updates, use Service windows for site servers.

After the primary parent site update is complete, manually update secondary sites
from within the Configuration Manager console. Automatic update of secondary
site servers isn't supported.

When you use a Configuration Manager console after the site is updated, you're
prompted to update the console.

After the site server successfully completes installation of an update, it
automatically updates all applicable site system roles. However, distribution
points don't all reinstall and go offline at the same time. Instead, the site
server uses the site's content distribution settings to distribute the update to a
subset of distribution points at a time, so only some distribution points are
offline to install the update at any moment. Distribution points that haven't begun to
update or that have completed the update remain online and able to provide
content to clients.

Start the install

At the top-level site of your hierarchy, in the Configuration Manager console, go to the
Administration workspace, and select the Updates and Servicing node. Select an
update with the state of Available, and then choose Install Update Pack in the ribbon.

Note

Your user account requires permissions to install updates. For more information,
see Permissions for in-console updates.

Start the update installation at a secondary site

After the parent primary site updates, update the secondary site from within the
Configuration Manager console.

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node. Select the secondary site
you want to update, and then choose Upgrade in the ribbon.

2. Select Yes to start the update of the secondary site.

To monitor the update installation on a secondary site, select the secondary site, and
choose Show Install Status in the ribbon. Also add the Version column to the Sites node
so that you can view the version of each secondary site.

The status in the console might not refresh, or it might show that the update failed
even though the secondary site updated successfully. In that case, use the Retry
installation option. For a secondary site that already installed the update, this option
doesn't reinstall it; it only forces the console to refresh the status.

Install process

1. When the update installation starts

You're presented with the Updates Wizard that displays a list of the product areas that
the update applies to.

On the General page of the wizard, configure Prerequisite warnings as necessary:

Prerequisite errors always stop the update installation. Fix errors before you can
successfully retry the update installation. For more information, see Retry
installation of a failed update.

Prerequisite warnings can also stop the update installation. Fix warnings before
you retry the update installation. For more information, see Retry installation of
a failed update.

Ignore any prerequisite check warnings and install this update regardless of
missing requirements: Set a condition for the update installation to ignore
prerequisite warnings. This option allows the update installation to continue. If
you don't select this option, the update installation stops on a warning. Unless
you've previously run the prerequisite check and fixed prerequisite warnings for
a site, don't use this option.

In both the Administration and Monitoring workspaces, the Updates and
Servicing node includes a button on the ribbon named Ignore prerequisite
warnings. This button becomes available when an update package fails to
complete installation because of prerequisite check warnings. For example, you
install an update without using the option to ignore prerequisite warnings (from
within the Updates Wizard). The update installation stops with a state of
prerequisite warning but no errors. Later, you select Ignore prerequisite
warnings in the ribbon. This action triggers an automatic continuation of that
update installation, which ignores prerequisite warnings. When you use this
option, the update installation automatically continues after a few minutes.

When an update applies to the Configuration Manager client, choose to test the
client update with a limited set of clients. For more information, see How to test
client upgrades in a pre-production collection.

Starting in Configuration Manager 2107, sites that aren't already onboarded to
Microsoft Endpoint Manager are prompted to optionally cloud attach as part of
the upgrade wizard. Environments are considered cloud attached if at least one of
the following features is already enabled:

Tenant attach
Co-management
Endpoint analytics

If you don't wish to onboard, clear both the Enable Microsoft Intune admin
center and Enable automatic client enrollment for co-management options.

2. During the update installation

As part of the update installation, Configuration Manager does the following actions:

Reinstalls any affected components, like site system roles or the Configuration
Manager console.
Manages updates to clients based on the selections that you made for client
piloting, and for automatic client upgrades.

Site system servers generally don't need to restart as part of the update. If a role
uses .NET, and the package updates that prerequisite component, then the site
system may restart. For more information, see Site and site system prerequisites.

Tip

When you install Configuration Manager updates, the site also updates the
CD.Latest folder. For more information, see The CD.Latest folder.

3. Monitor the progress of updates as they install

Use the following steps to monitor progress:

In the Configuration Manager console, go to the Administration workspace, and
select the Updates and Servicing node. This node shows the installation status for
all update packages.

In the Configuration Manager console, go to the Monitoring workspace, and select
the Updates and Servicing Status node. This node shows the installation status of
only the current update package that the site is installing.

The update installation is divided into several phases for easier monitoring. For
each of the following phases, more details in the installation status include which
log file to view for more information:

Download: This phase applies only to the top-level site with the service
connection point.

Replication

Prerequisites Check

Installation

Post Installation: For more information, see post installation tasks.

View the CMUpdate.log file in <ConfigMgr_Installation_Directory>\Logs on the
site server.

Note

During the Installation phase, you can see the state of the Upgrade ConfigMgr
database task.

If the database upgrade is blocked, the status shows the warning In progress,
needs attention.
CMUpdate.log records the program name and session ID of the SQL Server
session that is blocking the database upgrade.
While the database upgrade is blocked, the site rechecks every 5 minutes to
see whether it's still blocked.
When the database upgrade is no longer blocked, the status resets to In
progress or Complete.
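
Reading CMUpdate.log by hand during a blocked database upgrade is slow, so here is an
added example (not part of the documentation) that parses entries in the CMTrace log
format used by Configuration Manager logs, surfaces warnings and errors, pulls a SQL
session ID out of a blocking message, and produces the T-SQL to inspect that session.
The sample entries are constructed for illustration and are not real CMUpdate.log text;
the "sessionid" pattern used to find the ID and the log path in the trailing comment are
assumptions.

```powershell
# Added example: parse CMTrace-format log lines and extract a blocking SQL session ID.

# One CMTrace entry: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
$CMTraceEntry = [regex]'<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*?\s+type="(?<type>\d)"'

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $m = $CMTraceEntry.Match($line)
        if (-not $m.Success) { continue }   # continuation lines and noise are skipped
        [pscustomobject]@{
            Time      = "$($m.Groups['date'].Value) $($m.Groups['time'].Value)"
            Component = $m.Groups['comp'].Value
            # CMTrace type codes: 1 = informational, 2 = warning, 3 = error
            Severity  = switch ($m.Groups['type'].Value) { '2' { 'Warning' } '3' { 'Error' } default { 'Info' } }
            Message   = $m.Groups['msg'].Value
        }
    }
}

function Get-BlockingSessionId {
    param([Parameter(Mandatory)][object[]]$Entries)
    # Assumption: the blocking message names the SQL session with the word "sessionid".
    foreach ($e in $Entries) {
        if ($e.Message -match 'block' -and $e.Message -match 'sessionid\D{0,5}(\d+)') { [int]$Matches[1] }
    }
}

function Get-BlockerQuery {
    param([Parameter(Mandatory)][int]$SessionId)
    # T-SQL to see what the blocking session is and what it's running. Run it against the site
    # database instance (Invoke-Sqlcmd or SSMS); confirm what the session is before killing it.
    @"
SELECT s.session_id, s.program_name, s.host_name, s.login_name, s.status,
       r.command, r.wait_type, t.text AS sql_text
FROM sys.dm_exec_sessions AS s
LEFT JOIN sys.dm_exec_requests AS r ON r.session_id = s.session_id
OUTER APPLY sys.dm_exec_sql_text(r.sql_handle) AS t
WHERE s.session_id = $SessionId;
"@
}

# Constructed sample entries (illustrative only, not real CMUpdate.log content)
$sample = @(
    '<![LOG[Extracting update package]LOG]!><time="10:01:02.123+000" date="04-11-2023" component="CMUpdate" context="" type="1" thread="1234" file="cmupdate.cpp:100">'
    '<![LOG[Upgrade ConfigMgr database is blocked by program name Microsoft SQL Server Management Studio, sessionid 57]LOG]!><time="10:06:02.123+000" date="04-11-2023" component="CMUpdate" context="" type="2" thread="1234" file="cmupdate.cpp:200">'
    '<![LOG[Failed to restart SMS_EXECUTIVE]LOG]!><time="10:08:02.123+000" date="04-11-2023" component="CMUpdate" context="" type="3" thread="1234" file="cmupdate.cpp:300">'
)

$entries = ConvertFrom-CMTraceLog -Lines $sample
$entries | Where-Object Severity -ne 'Info' | Format-Table Time, Severity, Message -AutoSize
Get-BlockingSessionId -Entries $entries | ForEach-Object { Get-BlockerQuery -SessionId $_ }

# Against a real site server (path is an assumption; use your installation directory):
#   $entries = ConvertFrom-CMTraceLog -Lines (Get-Content 'D:\Program Files\Microsoft Configuration Manager\Logs\CMUpdate.log')
```

The query joins sys.dm_exec_requests with a LEFT JOIN on purpose: a session that holds a
lock while idle (an open transaction in a management tool, for example) has no active
request, and an inner join would hide exactly the blocker you are looking for.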

4. When the update installation completes

After the first site update completes installation:

Child primary sites install the update automatically. No further action is required.

Manually update secondary sites from within the Configuration Manager console.
For more information, see start the update installation at a secondary site.

Until all sites in your hierarchy update to the new version, your hierarchy operates
in a mixed version mode. For more information, see Interoperability between
different versions.

5. Update Configuration Manager consoles

After a CAS or primary site updates, each Configuration Manager console that connects
to the site must also update. You're prompted to update a console:

When you open the console

When you go to a new node in an open console

Update the console right away after the site updates.

After the console update completes, verify the console and site versions are correct. Go
to About Configuration Manager at the top-left corner of the console.

Note
The console version is slightly different from the site version. The minor version of
the console corresponds to the Configuration Manager release version. For
example, in Configuration Manager version 1802 the initial site version is
5.0.8634.1000, and the initial console version is 5.1802.1082.1700. The build (1082)
and revision (1700) numbers may change with future hotfixes.

Next steps
Continue reading about what happens after the site updates, or what to do if the update
fails.

After the site updates


After the site updates
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

After you install an in-console update for Configuration Manager, the site does
additional processing in the background. There are also additional steps that you may
need to take after the update is complete. If something goes wrong, use the steps
below to help troubleshoot and retry the update.

Post-installation tasks
When a site installs an update, there are several tasks that can't start until after the
update completes installation on the site server. This list includes the post-installation
tasks that are critical for site and hierarchy operations. Because they're critical, they're
actively monitored. Other tasks that aren't directly monitored include the reinstallation
of site system roles. To view the status of the critical post-installation tasks, select the
Post Installation task while monitoring the update installation for a site.

Not all tasks complete immediately. Some tasks don't start until each site completes
installation of the update. New functionality you might expect can be delayed until
these tasks complete. Turning on new features doesn't start until all sites complete
update installation, so new features might not be visible for some time.

The post installation tasks include:

Installing SMS_EXECUTIVE service

Critical service that runs on the site server.
Reinstallation of this service should complete quickly.

Installing SMS_DATABASE_NOTIFICATION_MONITOR component

Critical site component thread of the SMS_EXECUTIVE service.
Reinstallation of this component should complete quickly.

Installing SMS_HIERARCHY_MANAGER component

Critical site component that runs on the site server.
Responsible for reinstalling roles on site system servers. Status for individual site
system role reinstallation doesn't display.
Reinstallation of this component should complete quickly.

Note

Some Configuration Manager site roles share the client framework. For
example, the management point and pull distribution point. When these
roles update, the client version on these servers updates at the same time.
For more information, see How to upgrade clients.

Installing SMS_REPLICATION_CONFIGURATION_MONITOR component

Critical site component that runs on the site server.
Reinstallation of this component should complete quickly.

Installing SMS_POLICY_PROVIDER component

Critical site component that runs only on primary sites.
Reinstallation of this component should complete quickly.

Monitoring replication initialization

This task only displays at the CAS and child primary sites.
Dependent on the SMS_REPLICATION_CONFIGURATION_MONITOR.
Should complete quickly.

Updating Configuration Manager Client Preproduction Package

This task displays even when client preproduction (also called client piloting)
isn't enabled for use.
Doesn't start until all sites in the hierarchy finish installing the update.

Updating Client folder on Site Server

This task doesn't display if you use the client in preproduction.
Should complete quickly.

Updating Configuration Manager Client Package

This task doesn't display if you use the client in preproduction.
Finishes only after all sites install the update.

Turning on Features

This task displays only at the top-tier site of the hierarchy.
Doesn't start until all sites in the hierarchy finish installing the update.
Individual features aren't displayed.

Retry installation of a failed update


When an update fails to install, review the in-console feedback to identify resolutions for
warnings and errors. For more details, view the ConfigMgrPrereq.log on the site server.
Before you retry the installation of an update, you must fix errors, and should fix
warnings.

Tip

If an update has problems downloading or replicating, use the update reset tool.

When you're ready to retry the installation of an update, select the failed update, and
then choose an applicable option. The update installation retry behavior depends on the
node where you start the retry, and the retry option that you use.

Retry installation for the hierarchy

Retry the installation of an update for the entire hierarchy when that update is in one of
the following states:

Prerequisite checks passed with one or more warnings, and the option to ignore
prerequisite check warnings wasn't set in the Update Wizard. (The update's value
for Ignore Prereq Warning in the Updates and Servicing node is No.)

Prerequisite failed

Installation failed

Replication of the content to the site failed

Go to the Administration workspace and select the Updates and Servicing node. Select
the update, and then choose one of the following options:

Retry: When you Retry from Updates and Servicing, the update install starts again
and automatically ignores prerequisite warnings. If content replication previously
failed, content for the update replicates again.

Ignore prerequisite warnings: If the update install stops because of a warning, you
can then choose Ignore prerequisite warnings. This action allows the installation
of the update to continue after a few minutes, and uses the option to ignore
prerequisite warnings.

Retry installation for the site

Retry the installation of an update at a specific site when that update is in one of the
following states:

Prerequisite checks passed with one or more warnings, and the option to ignore
prerequisite check warnings wasn't set in the Update Wizard. (The update's value
for Ignore Prereq Warning in the Updates and Servicing node is No.)

Prerequisite failed

Installation failed

Go to the Monitoring workspace, and select the Site Servicing Status node. Select the
update, and then choose one of the following options:

Retry: When you Retry from Site Servicing Status, you restart the installation of
the update at only that site. Unlike running Retry from the Updates and Servicing
node, this retry doesn't ignore prerequisite warnings.

Ignore prerequisite warnings: If the update install stops because of a warning, you
can then select Ignore prerequisite warnings. This action allows the installation of
the update to continue after a few minutes, and uses the option to ignore
prerequisite warnings.

Report setup and upgrade failures to Microsoft

Starting in Configuration Manager version 2010, if the setup or update process fails to
complete successfully, you can report the error directly to Microsoft. If a failure occurs,
the Report update error to Microsoft button is enabled. When you use the button, an
interactive wizard opens that lets you provide more information to Microsoft. When
running Setup from the media rather than the console, you're also given the Report
update error to Microsoft option if Setup fails.

Important

For business-impacting issues, contact Microsoft support to open a new support
request. Reporting setup and upgrade failures from the console is for providing
product feedback on setup errors you may have encountered. Reporting an error
doesn't generate a support request.

To report upgrade failures to Microsoft:

1. In the Configuration Manager console, go to Administration > Overview >
Updates and Servicing.

2. Select an update then select Report update error to Microsoft in the ribbon.

3. Before you submit the feedback, you'll be given options to:

Attach other files

Provide your email address if you're willing to be contacted about the error.

4. When you submit feedback, you'll be given a transaction ID for the feedback. A
status message is also generated with this information.

Message ID 53900 is a successful submission.

Message ID 53901 is a failed submission.

After a site installs an update

After the site updates, review the post-update checklist for the applicable version:

Post-update checklist for version 2303

Post-update checklist for version 2211

Post-update checklist for version 2207

Post-update checklist for version 2203

Post-update checklist for version 2111

Next steps
Some updates include optional features, which you can enable during or after
installation.

Optional features

Optional features in Configuration Manager
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

When an update includes one or more optional features, you can enable those features
in your hierarchy. Enable features when the update installs, or return to the console later
to enable the optional features.

To view available features and their status, in the console go to the Administration
workspace, expand Updates and Servicing, and select the Features node. To enable a
feature, select it in the list, and then select Turn on in the ribbon.

Your user account requires permissions to view and enable optional features. For more
information, see Permissions for in-console updates.

When a feature isn't optional, it's automatically available for use. It doesn't appear in the
Features node.

Important

In a multi-site hierarchy, enable optional or pre-release features only from the
central administration site (CAS). This behavior makes sure there are no conflicts
across the hierarchy.

When you enable a new feature or pre-release feature, the Configuration Manager
hierarchy manager (HMAN) must process the change before that feature becomes
available. Processing of the change is often immediate. Depending on the HMAN
processing cycle, it can take up to 30 minutes to complete. After the change is
processed, restart the console before you can use the feature.
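The top-tier-only rule and the HMAN delay described above are easy to get wrong from a script. The following PowerShell is an added example, not code from the Configuration Manager documentation or product: it refuses to enable a feature from a child primary site, turns the feature on, and polls until hierarchy manager has processed the change. It assumes the console's ConfigurationManager module is installed, that the Get-CMSite, Get-CMSiteFeature and Enable-CMSiteFeature cmdlets are available, and that an enabled feature reports a Status value of 1; the feature name is whatever the Features node shows.

```powershell
# Added example, not part of the Configuration Manager documentation or product.
# Turns on an optional feature from the top-tier site only, then waits for the
# hierarchy manager to process the change before asking for a console restart.
# Assumptions (not stated on the page): the console's ConfigurationManager module
# is installed locally (SMS_ADMIN_UI_PATH is set), Get-CMSiteFeature and
# Enable-CMSiteFeature exist, and a feature's Status property is 1 once it's on.
param(
    [Parameter(Mandatory)] [string] $FeatureName,   # for example 'Application groups'
    [int] $TimeoutMinutes = 30                      # documented worst case for HMAN
)
$ErrorActionPreference = 'Stop'

Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
$siteCode = (Get-PSDrive -PSProvider CMSite | Select-Object -First 1).Name
Set-Location "$($siteCode):"

# Only the top-tier site (CAS, or a stand-alone primary) may enable features.
# A site that reports to a parent is a child primary, so stop here.
$site = Get-CMSite -SiteCode $siteCode
if ($site.ReportingSiteCode) {
    throw "Site $siteCode reports to $($site.ReportingSiteCode); enable features at the CAS instead."
}

$feature = Get-CMSiteFeature -Name $FeatureName
if (-not $feature) { throw "No optional feature named '$FeatureName' in the Features node." }
if ($feature.Status -eq 1) { Write-Host "'$FeatureName' is already on."; return }

Enable-CMSiteFeature -Name $FeatureName -Force

# HMAN usually processes the change at once, but the page allows up to 30 minutes.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 60
    $feature = Get-CMSiteFeature -Name $FeatureName
} while ($feature.Status -ne 1 -and (Get-Date) -lt $deadline)

if ($feature.Status -ne 1) {
    throw "'$FeatureName' is still not on after $TimeoutMinutes minutes; check hman.log on the site server."
}
Write-Host "'$FeatureName' is on. Restart the Configuration Manager console to use it."
```

Run it in a console session on the CAS (or the stand-alone primary). The ReportingSiteCode check is the safeguard that matters: a child primary can reach the same cmdlets, and enabling from there is exactly the conflict the Important note warns about.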

When new cloud-based features are available in the Microsoft Intune admin center, or
other attached cloud services for your on-premises Configuration Manager installation,
you can opt in to these new features in the Configuration Manager console.

List of optional features

The following features are optional in the latest version of Configuration Manager:

Remove the central administration site
BitLocker management
Application groups

Tip

For more information on features that require consent to enable, see pre-release
features.

For more information on features that are only available in the technical preview
branch, see Technical Preview.

Next steps
The current branch includes pre-release features for early testing in a production
environment. For more information, see pre-release features.

For answers to common questions, see In-console updates FAQ.


In-console updates FAQ

FAQ

Why don't I see certain updates in my console?

If you can't find a specific update in your console after a successful sync with the
Microsoft cloud service, this behavior might be because of one of the following reasons:

The update requires a configuration that your infrastructure doesn't use, or your
current product version doesn't fulfill a prerequisite for receiving the update.

If you think you have the required configurations and prerequisites for a missing
update, confirm the service connection point is in online mode. Then, use the
Check for Updates option in the Updates and Servicing node to force a check. If
your service connection point is in offline mode, use the service connection tool to
manually sync with the cloud service.

Your account lacks the correct role-based administration permissions to view
updates in the Configuration Manager console. For more information, see
Permissions to manage updates.

Why did the current branch name change with version 2103?

To better align with other releases within Microsoft Endpoint Manager, starting in the
year 2021 the current branch version names are 2103, 2107, and 2111. Releases still
ship every four months, at the same times of the year.
Update reset tool
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Beginning with version 1706, Configuration Manager primary sites, and central
administration sites include the Configuration Manager Update Reset Tool,
CMUpdateReset.exe. Use the tool to fix issues when in-console updates have problems
downloading or replicating. The tool is found in the \cd.latest\SMSSETUP\TOOLS folder
of the site server.

You can use this tool with any version of the current branch that remains in support.

Use this tool when an in-console update has not yet installed and is in a failed state. A
failed state means that the update download is in progress but stuck or taking an
excessively long time. A long time is considered to be hours longer than your historical
expectations for update packages of similar size. It can also be a failure to replicate the
update to child primary sites.

When you run the tool, it runs against the update that you specify. By default, the tool
does not delete successfully installed or downloaded updates.

Prerequisites
The account you use to run the tool requires the following permissions:

Read and Write permissions to the site database of the central administration site
and to each primary site in your hierarchy. To set these permissions, you can add
the user account as a member of the db_datawriter and db_datareader fixed
database roles on the Configuration Manager database of each site. The tool does
not interact with secondary sites.
Local Administrator on the top-level site of your hierarchy.
Local Administrator on the computer that hosts the service connection point.

You need the GUID of the update package that you want to reset. To get the GUID:

1. In the console, go to Administration > Updates and Servicing.
2. In the display pane, right-click the heading of one of the columns (like State), then
select Package Guid to add that column to the display.
3. The column now shows the update package GUID.

Tip

To copy the GUID, select the row for the update package you want to reset, and
then use CTRL+C to copy that row. If you paste your copied selection into a text
editor, you can then copy only the GUID for use as a command-line parameter
when you run the tool.

Run the tool

The tool must be run on the top-level site of the hierarchy.

When you run the tool, use command-line parameters to specify:

The SQL Server at the top-tier site of the hierarchy.
The site database name at the top-tier site.
The GUID of the update package you want to reset.

Based on the status of the update, the tool identifies the additional servers it needs to
access.

If the update package is in a post download state, the tool does not clean up the
package. As an option, you can force the removal of a successfully downloaded update
by using the force delete parameter (See command-line parameters later in this topic).

After the tool runs:

If a package was deleted, restart the SMS_Executive service at the top-tier site.
Then, check for updates so you can download the package again.
If a package was not deleted, you do not need to take any action. The update
reinitializes and then restarts replication or installation.

Command-line parameters:

-S <FQDN of the SQL Server of your top-tier site>
  Required. Specify the FQDN of the SQL Server that hosts the site database for the
  top-tier site of your hierarchy.

-D <Database name>
  Required. Specify the name of the database at the top-tier site.

-P <Package GUID>
  Required. Specify the GUID for the update package you want to reset.

-I <SQL Server instance name>
  Optional. Identify the instance of SQL Server that hosts the site database.

-FDELETE
  Optional. Force deletion of a successfully downloaded update package.

Examples:

In a typical scenario, you want to reset an update that has download problems. Your SQL
Server's FQDN is server1.fabrikam.com, the site database is CM_XYZ, and the package
GUID is 61F16B3C-F1F6-4F9F-8647-2A524B0C802C. You run:

CMUpdateReset.exe -S server1.fabrikam.com -D CM_XYZ -P 61F16B3C-F1F6-4F9F-8647-2A524B0C802C

In a more extreme scenario, you want to force deletion of a problematic update package.
Your SQL Server's FQDN is server1.fabrikam.com, the site database is CM_XYZ, and the
package GUID is 61F16B3C-F1F6-4F9F-8647-2A524B0C802C. You run:

CMUpdateReset.exe -FDELETE -S server1.fabrikam.com -D CM_XYZ -P 61F16B3C-F1F6-4F9F-8647-2A524B0C802C
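As an added example (not part of the documentation or of the tool itself), the following PowerShell resolves the Package GUID from the SMS Provider instead of copying it out of a console column, checks that it is running at the top-tier site, runs CMUpdateReset.exe with the documented parameters, and restarts SMS_Executive afterwards when -FDELETE was used. Assumptions not stated on the page: the SMS Provider is on this server, the WMI class SMS_CM_UpdatePackages exposes Name, PackageGuid and State, the HKLM\SOFTWARE\Microsoft\SMS\Identification registry key holds the site code and installation directory, and a non-zero exit code from the tool means it did not finish.

```powershell
# Added example, not part of the Configuration Manager documentation or product.
# Looks up an in-console update's Package GUID on the top-tier site server and runs
# CMUpdateReset.exe with the documented parameters.
# Assumptions (not stated on the page): the SMS Provider runs on this site server,
# the SMS_CM_UpdatePackages WMI class exposes Name, PackageGuid and State, the
# HKLM\SOFTWARE\Microsoft\SMS\Identification key holds the site code and install
# directory, and a non-zero exit code from the tool means it did not finish.
param(
    [Parameter(Mandatory)] [string] $UpdateName,    # display name in Updates and Servicing
    [Parameter(Mandatory)] [string] $SqlServerFqdn, # -S
    [Parameter(Mandatory)] [string] $Database,      # -D, for example CM_XYZ
    [string] $SqlInstance,                          # -I, omit for the default instance
    [switch] $ForceDelete                           # -FDELETE
)
$ErrorActionPreference = 'Stop'

# Site code and install directory of the local site, from the registry.
$ident      = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Identification'
$siteCode   = $ident.'Site Code'
$installDir = $ident.'Installation Directory'
$tool       = Join-Path $installDir 'cd.latest\SMSSETUP\TOOLS\CMUpdateReset.exe'
if (-not (Test-Path $tool)) { throw "CMUpdateReset.exe not found at $tool" }

# The tool must run at the top-level site: refuse if this site reports to a parent.
$ns   = "root\SMS\site_$siteCode"
$site = Get-CimInstance -Namespace $ns -ClassName SMS_Site | Where-Object SiteCode -eq $siteCode
if ($site.ReportingSiteCode) {
    throw "Site $siteCode reports to $($site.ReportingSiteCode); run the tool at the top-tier site."
}

# Resolve the update's Package GUID instead of copying it from the console column.
$pkg = Get-CimInstance -Namespace $ns -ClassName SMS_CM_UpdatePackages | Where-Object Name -eq $UpdateName
if (-not $pkg) { throw "No in-console update named '$UpdateName' at site $siteCode" }
Write-Host "Resetting '$($pkg.Name)' (GUID $($pkg.PackageGuid), state $($pkg.State))"

# Build the argument list exactly as documented. -FDELETE is only added on request,
# because it removes a successfully downloaded package.
$arguments = @('-S', $SqlServerFqdn, '-D', $Database, '-P', $pkg.PackageGuid)
if ($SqlInstance) { $arguments += @('-I', $SqlInstance) }
if ($ForceDelete) { $arguments = @('-FDELETE') + $arguments }

$proc = Start-Process -FilePath $tool -ArgumentList $arguments -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) { throw "CMUpdateReset.exe exited with code $($proc.ExitCode)" }

# Per the documentation: when the package was deleted, restart SMS_Executive at the
# top-tier site and then check for updates again so the package downloads afresh.
if ($ForceDelete) {
    Restart-Service -Name SMS_EXECUTIVE -Force
    Write-Host "Package removed. Run 'Check for Updates' in the Updates and Servicing node."
} else {
    Write-Host 'Package reinitialized; replication or installation restarts on its own.'
}
```

Run it as an account that meets the prerequisites listed above (db_datareader and db_datawriter on each site database, local administrator on the top-tier site and on the service connection point). The SMS_Site check is what keeps the tool from being run on a child primary by mistake, which the page says the tool does not support.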
Test the database upgrade when installing an update
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

If necessary, you can run a test database upgrade before you install an in-console
update for the current branch of Configuration Manager.

Important

The test upgrade is no longer a required or recommended step for most sites.

If your database is suspect, or is modified by customizations not explicitly
supported by Configuration Manager, continue to use this process.

Do I need to run a test upgrade?

The deprecation of this upgrade test is made possible because of changes that are
introduced with Configuration Manager current branch. These changes simplify the
process and speed by which setup can update a production environment to a newer
version. This redesign was done to help you stay current with less risk, and less
operational overhead when installing each new update.

The changes are to how updates install, including logic that automatically rolls back a
failed update without the need to run a site recovery. These changes enable the use of
the console to manage update installations, and include an option to retry installation of
a failed update.

Tip

When you upgrade to Configuration Manager current branch from an older
product, like System Center 2012 Configuration Manager, test database upgrades
remain a recommended step.

If you still plan to test the upgrade of a site database when you install an in-console
update, the following information supplements the guidance on installing an in-console
update.
Prepare to run a test database upgrade
To run the upgrade test, use the Configuration Manager Setup from the CD.Latest
folder. Use the same version of the source files as the version of Configuration Manager
to which you're updating.

For example, to test the database update for version YYMM:

You need at least one site on version YYMM from which you can get that CD.Latest
folder.

If you don't have a site that runs the required version, consider installing a site in a
lab environment. Then update that site to the new version. This process creates the
CD.Latest folder with the correct version of source files.

The upgrade test runs against a backup of your site database that you restore to a
separate instance of SQL Server. After the test upgrade completes, discard the upgraded
database. It can't be used by a Configuration Manager site.

Run the test upgrade

1. Use Configuration Manager Setup and the source files from the CD.Latest folder of
a site that runs the version that you plan to update to.

2. Copy the CD.Latest folder to a location on the SQL Server instance that you'll use
to run the test database upgrade.

3. Create a backup of the site database that you want to test upgrade. Then restore a
copy of that database to an instance of SQL Server that doesn't host a
Configuration Manager site. The SQL Server instance needs to be the same edition
of SQL Server as your site database. For more information, see Quickstart: Backup
and restore a SQL Server database on-premises.

4. After you restore the database copy, run Setup from the CD.Latest folder. When
you run Setup, use the /TESTDBUPGRADE command-line option. If the SQL Server
instance that hosts the database copy isn't the default instance, provide the
command-line options to identify the instance that hosts the site database copy.

For example, you have a site database with the database name CM_ABC. You restore
a copy of this site database to a supported instance of SQL Server with the
instance name DBTest. To test an upgrade of this copy of the site database, use the
following command line:

setup.exe /TESTDBUPGRADE DBTest\CM_ABC

You can find Setup.exe in the following location on the source media for
Configuration Manager: SMSSETUP\BIN\X64

5. On the instance of SQL Server where you run the upgrade test, monitor the
ConfigMgrSetup.log in the root of the system drive for progress and success.

If the test upgrade fails, fix any issues related to the site database upgrade failure.
Then, create a new backup of the site database and retest the upgrade of the new
copy of the database.
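The steps above as one script, added here as an example and not taken from the documentation or from Setup itself. It restores the backup with MOVE clauses derived from the backup's own file list, runs Setup.exe /TESTDBUPGRADE, shows the end of ConfigMgrSetup.log, and drops the copy so it can never be mistaken for a site database. It assumes the SqlServer module's Invoke-Sqlcmd, a dedicated test instance named DBTest of the same SQL Server edition as production, a CD.Latest copy of the target version already on the server, and that a non-zero exit code from Setup.exe means the test failed; all paths are placeholders.

```powershell
# Added example, not part of the Configuration Manager documentation or product.
# Restores a copy of the site database to a test SQL Server instance, runs
# Setup.exe /TESTDBUPGRADE against it, shows the tail of ConfigMgrSetup.log, and
# drops the copy afterwards, because the upgraded copy must never serve a site.
# Assumptions (not stated on the page): the SqlServer module (Invoke-Sqlcmd) is
# installed, DBTest is a dedicated test instance of the same edition as production,
# the backup and a CD.Latest copy of the target version are already on this server,
# and a non-zero exit code from Setup.exe means the test failed.
param(
    [string] $Instance   = 'DBTest',
    [string] $Database   = 'CM_ABC',
    [string] $BackupFile = 'D:\Backup\CM_ABC.bak',
    [string] $CdLatest   = 'D:\CD.Latest',
    [string] $DataDir    = 'D:\SQLTestData'
)
$ErrorActionPreference = 'Stop'
$server = "$env:COMPUTERNAME\$Instance"

# Coarse guard: the page requires an instance that hosts no Configuration Manager
# site. A site server runs SMS_EXECUTIVE, so its presence here means wrong box.
if (Get-Service -Name SMS_EXECUTIVE -ErrorAction SilentlyContinue) {
    throw 'This computer runs SMS_EXECUTIVE; run the test upgrade on a server that hosts no site.'
}

# Read the logical file names from the backup so every file gets a MOVE clause that
# points into the test data directory rather than the production paths in the backup.
$files = Invoke-Sqlcmd -ServerInstance $server -Query "RESTORE FILELISTONLY FROM DISK = N'$BackupFile'"
$moves = foreach ($f in $files) {
    $ext = if ($f.Type -eq 'L') { 'ldf' } else { 'mdf' }
    "MOVE N'$($f.LogicalName)' TO N'$DataDir\${Database}_$($f.LogicalName).$ext'"
}
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null
$restore = "RESTORE DATABASE [$Database] FROM DISK = N'$BackupFile' WITH $($moves -join ', '), REPLACE, STATS = 10"
Invoke-Sqlcmd -ServerInstance $server -Query $restore -QueryTimeout 65535

# Run the test upgrade with the Setup.exe that matches the version being tested.
$setup = Join-Path $CdLatest 'SMSSETUP\BIN\X64\setup.exe'
$proc  = Start-Process -FilePath $setup -ArgumentList @('/TESTDBUPGRADE', "$Instance\$Database") -Wait -PassThru
$log   = Join-Path $env:SystemDrive 'ConfigMgrSetup.log'
Write-Host "Setup.exe exit code: $($proc.ExitCode). Last lines of $log:"
Get-Content -Path $log -Tail 15

# Discard the upgraded copy regardless of the result; it can't be used by a site.
Invoke-Sqlcmd -ServerInstance $server -Query "ALTER DATABASE [$Database] SET SINGLE_USER WITH ROLLBACK IMMEDIATE; DROP DATABASE [$Database];"
if ($proc.ExitCode -ne 0) {
    throw 'Test database upgrade failed; fix the issues in ConfigMgrSetup.log, take a fresh backup, and retest.'
}
```

The MOVE clauses are the part people usually hand-type wrong: the backup carries the production file paths, and restoring without MOVE either fails or, worse, overwrites files on an instance that does have a site database. Dropping the copy unconditionally matches the Next steps guidance that the upgraded database is never reused.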

Next steps
After the test database update completes successfully, discard the updated database. It
can't be used by a Configuration Manager site. You can then return to your active site
and begin the update installation.

If an update install fails, you shouldn't need to recover the site. Instead, you can retry
the update installation from within the console.
Flowchart - Download updates for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This data flow displays the process by which a site with an on-line service connection
point downloads in-console updates.
Flowchart - Update replication for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

These data flows display the process by which an in-console update you select to install
replicates to additional sites. These flows also display the process of extracting the
update to run prerequisite checks and to install updates at a central administration site
and at primary sites.
Pre-release features in Configuration Manager
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

Pre-release features are features that are in the current branch for early testing in a
production environment. These features are fully supported, but still in active
development. They might receive changes until they move out of the pre-release
category.

Give consent
Before using pre-release features, give consent to use pre-release features. Giving
consent is a one-time action per hierarchy that you can't undo. Until you give consent,
you can't enable new pre-release features included with updates. After you turn on a
pre-release feature, you can't turn it off.

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. In the ribbon, select Hierarchy Settings.

3. On the General tab of Hierarchy Settings Properties, enable the option to Consent
to use pre-release features.

Enable pre-release features

When you install an update that includes pre-release features, those features are visible
in the Updates and Servicing Wizard with the regular features included in the update.

If you have given consent

In the Updates and Servicing Wizard, enable pre-release features. Select the pre-release
features as you would any other feature.

Optionally, wait to enable pre-release features later from the Features node under
Updates and Servicing in the Administration workspace. Select a feature, and then
select Turn on in the ribbon. Until you give consent, this option isn't available for use.

If you haven't given consent

In the Updates and Servicing Wizard, pre-release features are visible but you can't
enable them. After the update is installed, these features are visible in the Features
node. However, you can't enable them until you give consent.

Important

In a multi-site hierarchy, you can only enable optional or pre-release features from
the central administration site. This behavior ensures there are no conflicts across
the hierarchy.

If you gave consent at a stand-alone primary site, and then expand the hierarchy by
installing a new central administration site, you must give consent again at the
central administration site.

When you enable a pre-release feature, the Configuration Manager hierarchy manager
(HMAN) must process the change before that feature becomes available. Processing of
the change is often immediate. Depending on the HMAN processing cycle, it can take
up to 30 minutes to complete. After the change is processed, restart the console before
using the feature.

List of pre-release features

Feature                                                   Added as pre-release feature   Added as a full feature
Cloud management gateway with virtual machine scale set   Version 2010                   Version 2107
Orchestration groups                                      Version 2002                   Version 2111
Task sequence deployment type                             Version 2002
Task sequence debugger                                    Version 1906                   Version 2203
Application groups                                        Version 1906                   Version 2111

Tip

For more information on non-pre-release features that you must enable first, see
Enable optional features from updates.

For more information on features that are only available in the technical preview
branch, see Technical Preview.

Service windows for site servers
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To control when in-console updates can install, configure service windows. You can add
service windows at the central administration site (CAS) and primary sites. Each site can
have multiple service windows. The site determines when it can install an update by the
combination of all service windows that it has.

Tip

A service window is for a site server. A maintenance window is for a client. For more
information, see How to use maintenance windows.

Default behavior
When you don't configure a service window:

On your top-tier site, you choose when to start the update installation. The top-tier
site is either the CAS or a stand-alone primary site.

On a child primary site, the update automatically installs after it successfully
completes at the CAS.

On a secondary site, updates never start automatically. After the parent primary
site updates, manually start the update from the console.

Behavior with a service window

When you create one or more service windows:

On your top-tier site, you can't start the installation of any new update from the
console until the time is in the service window. Even with a service window, the site
still automatically downloads updates so they're ready to install.

On a child primary site, an update from the CAS downloads to the primary site, but
doesn't automatically start. You can't manually start the install of an update outside
of a service window. When service windows no longer block update installation,
the primary site automatically starts the update installation.

Secondary sites don't support service windows, and don't automatically install
updates. After the parent primary site updates, manually start the update from the
console.

Configure a service window

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. Select the site server where you want to configure a service window.

3. In the ribbon, select Properties.

4. Switch to the Service Windows tab.

5. To add a new service window, select the new button (gold asterisk).

6. In the Schedule window, specify a name to describe the service window. This name
helps you identify the service window in the console.

7. Configure the date, time, and recurrence pattern as necessary for this site.

After you create a service window, use the edit and delete buttons to make changes.

Next steps
Install in-console updates

Use the service connection tool for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the service connection tool when your service connection point is in offline mode.
You can also use it when your Configuration Manager site system servers aren't
connected to the internet. The tool can help you keep your site up to date with the
latest updates to Configuration Manager.

When you run the tool, it connects to the Configuration Manager cloud service, uploads
usage information for your hierarchy, and downloads updates. Uploading usage data is
necessary to enable the cloud service to provide the correct updates for your
environment.

Prerequisites
The site has a service connection point, and you configure it for an Offline, on-
demand connection.

Run the tool from a command prompt as an administrator. There's no user interface.

You run the tool from the service connection point and from a computer that can
connect to the internet. Each of these computers needs to have an x64 OS, and
have the following components:

Both the Visual C++ Redistributable x86 and x64 files. By default, Configuration
Manager installs the x64 version on the computer that hosts the service
connection point. To download this component, see Visual C++ Redistributable
Packages for Visual Studio 2013.

Starting in version 2107, this tool requires .NET version 4.6.2, and version 4.8 is
recommended. In version 2103 and earlier, this tool requires .NET 4.5.2 or later.
For more information, see Site and site system prerequisites.

The account you use to run the tool needs the following permissions:

Local administrator on the computer that hosts the service connection point
Read permissions to the site database

You need a method to transfer the files between the computer with internet access
and the service connection point. For example, a USB drive with sufficient free
space to store the files and updates.

Overview
1. Prepare: Run the tool on the service connection point. It puts your usage data into
a .cab file at the location you specify. Copy the data file to the computer with an
internet connection.

2. Connect: Run the tool on the computer with an internet connection. It uploads
your usage data, and then downloads Configuration Manager updates. Copy the
downloaded updates to the service connection point.

You can upload multiple data files at one time, each from a different hierarchy. You
can also specify a proxy server and a user for the proxy server.

3. Import: Run the tool on the service connection point. It imports the updates, and
adds them to your site. You can then view and install those updates in the
Configuration Manager console.

Upload multiple data files

Put all exported data files from separate hierarchies into the same folder. Give each
file a unique name. If necessary, you can manually rename them.

When you run the tool to upload data to Microsoft, you specify the folder that
contains the data files.

When you run the tool to import data, the tool only imports the data for that
hierarchy.

Specify a proxy server

If the computer with an internet connection requires a proxy server, the tool supports a
basic proxy configuration. Use the optional parameters -proxyserveruri and -
proxyusername. For more information, see Command-line parameters.

Specify the type of updates to download

The tool supports options to control what files you download. By default, the tool
downloads only the latest available update that applies to the version of your site. It
doesn't download hotfixes.

To modify this behavior, use one of the following parameters to change what files it
downloads:

-downloadall: Download all updates, including updates and hotfixes, whatever the
version of your site.

-downloadhotfix: Download all hotfixes whatever the version of your site.

-downloadsiteversion: Downloads updates and hotfixes with a later version than
the version of your site.

Important

Because of a known issue in Configuration Manager version 2002, the default
behavior doesn't work as expected. Update to version 2006, or use the
-downloadsiteversion parameter to download the necessary updates for
version 2002.

For more information, see Command-line parameters.

Tip

The tool determines the version of your site from the data file. To verify the version,
look in the .cab file for the text file named with the site version.

Use the tool

The service connection tool is in the Configuration Manager installation media at the
following path: SMSSETUP\TOOLS\ServiceConnectionTool\ServiceConnectionTool.exe.
Always use the service connection tool that matches the version of Configuration
Manager that you use. All of the files in that folder must stay in the same folder for
the service connection tool to work.

Copy the ServiceConnectionTool folder with all of its contents to the computer with an
internet connection.

In this procedure, the command-line examples use the following file names and folder
locations. You don't need to use these paths and file names. You can use alternatives
that match your environment and preferences.

The path to the Configuration Manager installation media source files on the
service connection point: C:\Source

The path to a USB drive where you store the data to transfer between computers:
D:\USB\

The name of the data file that you export from the site: UsageData.cab

The name of the empty folder where the tool stores downloaded updates for
Configuration Manager: UpdatePacks

Prepare
1. On the computer that hosts the service connection point, open a command
prompt as an administrator, and change directory to the tool location. For
example:

cd C:\Source\SMSSETUP\TOOLS\ServiceConnectionTool\

2. Run the following command to prepare the data file:

ServiceConnectionTool.exe -prepare -usagedatadest D:\USB\UsageData.cab

Note

If you'll upload data files from more than one hierarchy at the same time, give
each data file a unique name. If necessary, you can rename files later.

The data in the file is based on the level of diagnostic and usage data that you
configure for the site. For more information, see Overview of diagnostics and
usage data. You can use the tool to export the data to a CSV file to view the
contents. For more information, see -export.

3. After the tool finishes exporting the usage data, copy the data file to a computer
that has access to the internet.

Connect
1. On the computer with internet access, open a command prompt as an
administrator, and change directory to the tool location. This location is a copy of
the entire ServiceConnectionTool folder. For example:

cd D:\USB\ServiceConnectionTool\

2. Run the following command to upload the data file and download the
Configuration Manager updates:

ServiceConnectionTool.exe -connect -usagedatasrc D:\USB -updatepackdest D:\USB\UpdatePacks

For more examples, see Command line parameters.

Note

When you run this command line, you might see the following error:

Unhandled Exception: System.UnauthorizedAccessException: Access to the path
'C:\Users\jqpublic\AppData\Local\Temp\extractmanifestcab\95F8A562.sql' is denied.

You can safely ignore this error. Close the error window to continue.

3. After the tool finishes downloading the updates, copy them to the service
connection point.

Import
1. On the computer that hosts the service connection point, open a command
prompt as an administrator, and change directory to the tool location. For
example:

cd C:\Source\SMSSETUP\TOOLS\ServiceConnectionTool\

2. Run the following command to import the updates:

ServiceConnectionTool.exe -import -updatepacksrc D:\USB\UpdatePacks

3. After the import completes, close the command prompt. It only imports updates
for the applicable hierarchy.

4. In the Configuration Manager console, go to the Administration workspace, and
select the Updates and Servicing node. Imported updates are now available to
install. For more information, see Install in-console updates.
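The three phases above as one script, with an integrity check added for the removable media. This is an added example, not the tool's own code and not part of the documentation. On the internet-connected computer it records a SHA-256 manifest of everything under UpdatePacks; on the service connection point it verifies that manifest before -import, so a package altered or damaged in transit is rejected rather than imported into the site. It assumes the ServiceConnectionTool folder is copied whole to the path in $ToolDir on each computer, that the usage data .cab sits in its own UsageData subfolder (so only .cab files are in the upload folder), that the inbox expand.exe is available to list the .cab, and that a non-zero exit code from the tool means it did not complete; the Connect phase only warns on a non-zero code because of the benign exception described in the note above.

```powershell
# Added example, not part of the Configuration Manager documentation or product.
# Wraps the Prepare, Connect and Import phases of ServiceConnectionTool.exe and adds
# a SHA-256 manifest so the offline service connection point can check that the
# update packs carried over on removable media are the ones that were downloaded.
# Assumptions (not stated on the page): the whole ServiceConnectionTool folder is at
# $ToolDir on whichever computer runs a phase, the usage data .cab lives in its own
# subfolder so only .cab files are uploaded, and expand.exe can list the .cab.
param(
    [Parameter(Mandatory)] [ValidateSet('Prepare', 'Connect', 'Import')] [string] $Phase,
    [string] $ToolDir   = 'C:\Source\SMSSETUP\TOOLS\ServiceConnectionTool',
    [string] $Usb       = 'D:\USB',
    [string] $Proxy,                     # -proxyserveruri, optional
    [string] $ProxyUser,                 # -proxyusername, optional
    [switch] $SiteVersionOnly            # adds -downloadsiteversion
)
$ErrorActionPreference = 'Stop'
$tool     = Join-Path $ToolDir 'ServiceConnectionTool.exe'
$cabDir   = Join-Path $Usb 'UsageData'
$cab      = Join-Path $cabDir "UsageData_$env:COMPUTERNAME.cab"   # unique name per hierarchy
$packs    = Join-Path $Usb 'UpdatePacks'
$manifest = Join-Path $Usb 'UpdatePacks.sha256'

function Invoke-Sct([string[]] $Arguments) {
    # Returns the exit code; callers decide whether non-zero is fatal, because the
    # Connect phase can surface the benign UnauthorizedAccessException noted above.
    $p = Start-Process -FilePath $tool -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

function Write-Manifest {
    # One "hash  relative\path" line per downloaded file, computed on the internet side.
    Get-ChildItem -Path $packs -Recurse -File | Get-FileHash -Algorithm SHA256 |
        ForEach-Object { "$($_.Hash)  $($_.Path.Substring($packs.Length + 1))" } |
        Set-Content -Path $manifest -Encoding ascii
}

function Test-Manifest {
    # Recompute every hash on the service connection point; a missing file or a
    # mismatch aborts the import instead of feeding an altered package to the site.
    $bad = foreach ($line in Get-Content -Path $manifest) {
        $hash, $rel = $line -split '  ', 2
        $path = Join-Path $packs $rel
        if (-not (Test-Path $path) -or (Get-FileHash -Path $path -Algorithm SHA256).Hash -ne $hash) { $rel }
    }
    if ($bad) { throw "Update pack integrity check failed for: $($bad -join ', ')" }
}

switch ($Phase) {
    'Prepare' {
        New-Item -ItemType Directory -Path $cabDir -Force | Out-Null
        if ((Invoke-Sct @('-prepare', '-usagedatadest', $cab)) -ne 0) {
            throw "Prepare failed; see $ToolDir\ServiceConnectionTool.log"
        }
        # The .cab contains a text file named with the site version; list it so the
        # version is confirmed before the media leaves the service connection point.
        & expand.exe -D $cab
    }
    'Connect' {
        New-Item -ItemType Directory -Path $packs -Force | Out-Null
        $arguments = @('-connect', '-usagedatasrc', $cabDir, '-updatepackdest', $packs)
        if ($SiteVersionOnly) { $arguments += '-downloadsiteversion' }
        if ($Proxy)           { $arguments += @('-proxyserveruri', $Proxy) }
        if ($ProxyUser)       { $arguments += @('-proxyusername', $ProxyUser) }
        $code = Invoke-Sct $arguments
        if ($code -ne 0) { Write-Warning "Tool exit code $code; check ConfigMgrSetup.log on the system drive for the hash-check results." }
        if (-not (Get-ChildItem -Path $packs -Recurse -File)) { throw 'No update packs were downloaded.' }
        Write-Manifest
    }
    'Import' {
        Test-Manifest
        if ((Invoke-Sct @('-import', '-updatepacksrc', $packs)) -ne 0) {
            throw "Import failed; see $ToolDir\ServiceConnectionTool.log"
        }
        Write-Host 'Imported. Open Administration > Updates and Servicing to install the updates.'
    }
}
```

Run -Phase Prepare on the service connection point, carry the drive over, run -Phase Connect (with -Proxy and -ProxyUser if the internet-connected computer needs them), carry it back, and run -Phase Import. The tool's own hash checks (logged in ConfigMgrSetup.log) cover the download from Microsoft; the manifest covers the part the tool can't see, the removable media between the two computers. If the manifest is missing on the import side, Test-Manifest fails on Get-Content, which is the intended outcome.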

Log files
ServiceConnectionTool.log: Each time you run the service connection tool, it writes
to this log file. The path of the log file is always the same location as the tool. This
log file provides simple details about the tool usage based on the parameters you
use. Each time you run the tool, the tool replaces any existing log file.

ConfigMgrSetup.log: During the Connect phase, the tool writes to this log file at
the root of the system drive. This log file provides more detailed information. For
example, what files the tool downloads, and if the hash checks are successful.

Command-line parameters
This section lists in alphabetical order all of the available parameters for the service
connection tool.

-connect
Use during the Connect phase on the computer with internet access. It connects to the
Configuration Manager cloud service to upload the data file, and download updates.

It requires the following parameters:

-usagedatasrc: The location of the data file to upload

-updatepackdest: A path for the downloaded updates

You can also use the following optional parameters:

-proxyserveruri: The FQDN of the proxy server

-proxyusername: A user name for the proxy server

-downloadall: Download everything, including updates and hotfixes, whatever the
version of your site.

-downloadhotfix: Download all hotfixes, whatever the version of your site.

-downloadsiteversion: Download updates and hotfixes that have a later version
than the version of your site.

Example of connect without a proxy server

ServiceConnectionTool.exe -connect -usagedatasrc D:\USB\ -updatepackdest D:\USB\UpdatePacks

Example of connect with a proxy server

ServiceConnectionTool.exe -connect -usagedatasrc D:\USB\Usagedata.cab -updatepackdest D:\USB\UpdatePacks -proxyserveruri itproxy.contoso.com -proxyusername jqpublic

Example of connect to download only site version applicable updates

ServiceConnectionTool.exe -connect -downloadsiteversion -usagedatasrc D:\USB -updatepackdest D:\USB\UpdatePacks

-dest
A required parameter with the -export parameter to specify the path and file name of
the CSV file to export. For more information, see -export.

-downloadall
An optional parameter with the -connect parameter to download everything, including
updates and hotfixes, whatever the version of your site. For more information, see -connect.

-downloadhotfix
An optional parameter with the -connect parameter to only download all hotfixes,
whatever the version of your site. For more information, see -connect.

-downloadsiteversion
An optional parameter with the -connect parameter to only download updates and
hotfixes that have a later version than the version of your site. For more information, see
-connect.

-export
Use during the Prepare phase to export usage data to a CSV file. Run it as an
administrator on the service connection point. This action lets you review the contents
of the usage data before you upload to Microsoft. It requires the -dest parameter to
specify the location of the CSV file.
Example of export

-export -dest D:\USB\usagedata.csv

-import
Use during the Import phase on the service connection point to import the updates to
the site. It requires the -updatepacksrc parameter to specify the location of the
downloaded updates.

Example of import
ServiceConnectionTool.exe -import -updatepacksrc D:\USB\UpdatePacks

-prepare
Use during the Prepare phase on the service connection point to export usage data
from the site. It requires the -usagedatadest parameter to specify the location of the
exported data file.

Example of prepare

ServiceConnectionTool.exe -prepare -usagedatadest D:\USB\UsageData.cab

-proxyserveruri
An optional parameter with the -connect parameter to specify the FQDN of your proxy
server. For more information, see -connect.

-proxyusername
An optional parameter with the -connect parameter to specify the username to
authenticate with your proxy server. For more information, see -connect.

-updatepackdest
A required parameter with the -connect parameter to specify a path for the downloaded
updates. For more information, see -connect.

-updatepacksrc
A required parameter with the -import parameter to specify a path of the downloaded
updates. For more information, see -import.

-usagedatadest
A required parameter with the -prepare parameter to specify a path and file name of
the exported data file. For more information, see -prepare.
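The three phases above (Prepare and Import on the service connection point, Connect on the internet-connected computer) are run by hand in the article. The following PowerShell wrapper is an added example, not part of the Configuration Manager documentation or the tool itself. It uses only the parameters listed in this section, exports the usage data to CSV so it can be reviewed before anything is uploaded, preserves the tool's own log (which the tool overwrites on every run), and uses -downloadsiteversion to limit what is downloaded. The folder paths, the proxy values and the 24-hour review step are assumptions for illustration.

```powershell
# Added example (not from the Configuration Manager docs or the tool): wrap the
# Prepare / Connect / Import phases of ServiceConnectionTool.exe. Paths are placeholders.
#Requires -RunAsAdministrator

$ToolDir  = 'C:\Source\SMSSETUP\TOOLS\ServiceConnectionTool'  # on the service connection point
$UsbRoot  = 'D:\USB'                                         # media carried to the internet host
$UsageCab = Join-Path $UsbRoot 'UsageData.cab'
$UsageCsv = Join-Path $UsbRoot 'usagedata.csv'
$PackDest = Join-Path $UsbRoot 'UpdatePacks'

function Invoke-ServiceConnectionTool {
    # Runs ServiceConnectionTool.exe from $Dir with the given arguments and returns the
    # exit code. ServiceConnectionTool.log is written next to the tool and replaced on
    # every run, so an existing copy is saved aside with a timestamp first.
    param([string]$Dir, [string[]]$Arguments)
    $exe = Join-Path $Dir 'ServiceConnectionTool.exe'
    if (-not (Test-Path $exe)) { throw "Tool not found: $exe" }
    $log = Join-Path $Dir 'ServiceConnectionTool.log'
    if (Test-Path $log) {
        Copy-Item $log ($log + '.' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.bak')
    }
    $p = Start-Process -FilePath $exe -ArgumentList $Arguments -WorkingDirectory $Dir `
                       -NoNewWindow -Wait -PassThru
    return $p.ExitCode
}

function Invoke-SctPrepare {
    # Prepare phase (on the service connection point): export the usage data, then
    # export a CSV copy with -export so the contents can be reviewed before upload.
    Invoke-ServiceConnectionTool $ToolDir @('-prepare', '-usagedatadest', $UsageCab) | Out-Null
    if (-not (Test-Path $UsageCab)) { throw 'Prepare phase produced no usage data file' }
    Invoke-ServiceConnectionTool $ToolDir @('-export', '-dest', $UsageCsv) | Out-Null
    # The CSV columns depend on the site's diagnostic and usage data level, so only the
    # row count and column names are summarised here; open the file to review the rows.
    $rows = @(Import-Csv $UsageCsv)
    $cols = ($rows | Get-Member -MemberType NoteProperty).Name -join ', '
    "{0} usage-data rows to review in {1}; columns: {2}" -f $rows.Count, $UsageCsv, $cols
}

function Invoke-SctConnect {
    # Connect phase (on the internet-connected computer, from the copied tool folder).
    # -downloadsiteversion restricts the download to updates newer than the site version;
    # proxy parameters are appended only when a proxy FQDN is supplied.
    param([string]$ProxyFqdn, [string]$ProxyUser)
    $toolArgs = @('-connect', '-downloadsiteversion',
                  '-usagedatasrc', $UsageCab, '-updatepackdest', $PackDest)
    if ($ProxyFqdn) { $toolArgs += @('-proxyserveruri', $ProxyFqdn, '-proxyusername', $ProxyUser) }
    $code = Invoke-ServiceConnectionTool (Join-Path $UsbRoot 'ServiceConnectionTool') $toolArgs
    # The article documents a harmless UnauthorizedAccessException during this phase,
    # so confirm that update packs were written rather than trusting the exit code alone.
    $count = @(Get-ChildItem $PackDest -Recurse -File -ErrorAction SilentlyContinue).Count
    "connect exit code $code; $count files under $PackDest"
}

function Invoke-SctImport {
    # Import phase (back on the service connection point): register the downloaded
    # updates with the site, then show the tail of the tool's log for confirmation.
    $code = Invoke-ServiceConnectionTool $ToolDir @('-import', '-updatepacksrc', $PackDest)
    if ($code -ne 0) { Write-Warning "import returned $code; check ServiceConnectionTool.log in $ToolDir" }
    Get-Content (Join-Path $ToolDir 'ServiceConnectionTool.log') -Tail 20
}

# Each function runs on the host named in its comment; they are not all run on one computer:
# Invoke-SctPrepare; Invoke-SctConnect -ProxyFqdn 'itproxy.contoso.com' -ProxyUser 'jqpublic'; Invoke-SctImport
```

Review of the CSV is the point of the Prepare function: the exported data is what leaves the network, so the row count and column names are printed and the file path is returned for inspection before the media is moved to the internet-connected computer.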

Next steps
Install in-console updates

How to view diagnostics and usage data


Use the update registration tool to import hotfixes
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Some updates for Configuration Manager aren't available from the Microsoft cloud
service and are only obtained out-of-band. An example is a limited release hotfix to
address a specific issue.

When you must install an out-of-band release, and the update or hotfix file name ends
with the extension update.exe, you use the update registration tool. This tool imports
the update to the Configuration Manager console. It enables you to extract and transfer
the update package to the site server, and register the update with the Configuration
Manager console.

If the hotfix file only has the .exe file extension (not update.exe), use the hotfix installer
to install the update.

Note

This article provides general guidance about how to install hotfixes that update
Configuration Manager. For details about a specific hotfix or update, refer to the
corresponding hotfix article.

Prerequisites
This tool only installs out-of-band updates that end with the full .update.exe file
extension.

It is self-contained with the individual updates that you get directly from Microsoft.

The service connection point can be in either online or offline mode.

Run it on the server with the service connection point site system role.

Starting in version 2107, the service connection point requires .NET version 4.6.2,
and version 4.8 is recommended. In version 2103 and earlier, this role requires .NET
4.5.2 or later. For more information, see Site and site system prerequisites.

When you run the tool on the service connection point, the account that you use
needs the following configurations:

A local Administrator

Write permissions to the following folder: <Configuration Manager installation directory>\EasySetupPayload\offline

Process
1. On the computer that hosts the service connection point, open a command
prompt with administrative privileges. Then change directories to the location that
contains the update file. The update file name uses the following format:
<Product>-<product version>-<KB article ID>-ConfigMgr.Update.exe

2. Run the following command to start the update registration tool:

<Product>-<product version>-<KB article ID>-ConfigMgr.Update.exe

After the hotfix is registered, it appears as a new update in the console within 24
hours. To accelerate this process: in the Configuration Manager console, go to
Administration workspace, and select the Updates and Servicing node. In the
ribbon, select Check for Updates.

The update registration tool logs its actions to a .log file on the local computer.
The log file has the same name as the hotfix file and is in the %SystemRoot%/Temp
folder.

After the update is registered, you can close the update registration tool.

3. In the Configuration Manager console, go to the Administration workspace, and
select the Updates and Servicing node. Hotfixes that you've imported are now
available to install.

Next steps
Install in-console updates
Use the Hotfix Installer to install updates for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Some updates for Configuration Manager aren't available from the Microsoft cloud
service. These updates are available out-of-band. An example is a limited release hotfix
to address a specific issue.

When you need to install an update that you get from Microsoft:

If the update has the simple file extension .exe: Use the hotfix installer that's
included with that download. Install the update directly to the Configuration
Manager site server.

If the hotfix file has the .update.exe file extension: Use the update registration tool
to import hotfixes to Configuration Manager.

Overview
Hotfixes for Configuration Manager are similar to updates for other Microsoft products,
such as SQL Server. They contain either one individual fix or a bundle, which is a rollup
of fixes.

Individual updates include a single focused update for a specific version of
Configuration Manager.

Update bundles include multiple updates for a specific version of Configuration
Manager.
When an update is a bundle, you can't install individual updates from that bundle.

If you plan to create deployments to install updates on other computers, install the
update bundle on a central administration site (CAS) server or primary site server.

When you run the update bundle, the following process happens:

It extracts the update files for each applicable component from the update bundle.

Starts a wizard that guides you through a process to configure the updates and
deployment options for the updates.
After you complete the wizard, the updates in the bundle that apply to the site
server are installed on the site server.

The wizard also creates deployments that you can use to install the updates on other
computers. Deploy the updates to other computers by using a supported deployment
method. For example, a software deployment package or System Center Updates
Publisher.

When the wizard runs, it creates a .cab file on the site server for use with Updates
Publisher. Optionally, you can configure the wizard to also create one or more packages
for software deployment. You can use these deployments to install updates on
components, such as clients or the Configuration Manager console. You can also install
updates manually on computers that don't run the Configuration Manager client.

You can update the following three groups in Configuration Manager:

Configuration Manager server roles, which include:

CAS

Primary site

Secondary site

Remote SMS Provider

Configuration Manager console

Configuration Manager client

Note

Updates for site system roles are installed as part of the update for site servers.
They are serviced by the site component manager. This behavior includes updates
for the site database and the cloud management gateway (CMG).

Pull-distribution points are serviced by distribution manager instead of the site
component manager.

Each update bundle for Configuration Manager is a self-extractable .exe file (SFX). This
file contains the files that are necessary to install the update on the applicable
components of Configuration Manager. Typically, the SFX file can contain the following
files:
File: <Product version>-QFE-KB<KB article ID>-<platform>-<language>.exe
Details: This file is the update. The command line for this file is managed by
Updatesetup.exe. For example: CM1511RTM-QFE-KB123456-X64-ENU.exe

File: Updatesetup.exe
Details: This MSI wrapper manages the installation of the update bundle. When
you run the update, Updatesetup.exe detects the display language of the computer
where it runs. By default, the user interface for the update is in English. However,
when the display language is supported, the user interface displays in the
computer's local language.

File: License_<language>.rtf
Details: When applicable, each update contains one or more license files for
supported languages.

File: <Product&updatetype>-<product version>-<KB article ID>-<platform>.msp
Details: When the update applies to the Configuration Manager console or clients,
the update bundle includes separate Windows Installer patch (.msp) files. For
example: ConfigMgr1511-AdminUI-KB1234567-i386.msp for the console or
ConfigMgr1511-client-KB1234567-x64.msp for the client.

By default, the update bundle logs its actions to a .log file on the site server. The log file
has the same name as the update bundle and is written to the %SystemRoot%/Temp folder.

When you run the update bundle, it extracts a file with the same name as the update
bundle to a temporary folder on the computer, and then runs Updatesetup.exe.
Updatesetup.exe starts the software update wizard.

As applicable to the scope of the update, the wizard creates a series of folders under the
Configuration Manager installation folder on the site server. The folder structure is
similar to the following example: \Hotfix\<KB Number>\<Update Type>\<Platform>

The following table provides details about the folders in the folder structure:

Folder name: <KB Number>
More information: This folder is the ID number for this update bundle.

Folder name: <Update type>
More information: This folder is the type of update for Configuration Manager. The
wizard creates a separate folder for each type of update in the bundle. They include
the following types:

- Server: Includes updates to site servers, site database servers, and SMS Providers.

- Client: Includes updates to the Configuration Manager client.

- AdminConsole: Includes updates to the Configuration Manager console.

The wizard also creates a folder named SCUP, which contains the .cab file for
Updates Publisher.

Folder name: <Platform>
More information: This folder is platform-specific. It contains update files that are
specific to a type of processor. These folders include: x64 and I386.

How to install updates

To install updates, first install the update bundle on a site server. When you install an
update bundle, it starts an install wizard for that update. This wizard does the following
actions:

Extracts the update files

Helps you configure deployments

Installs applicable updates on the server components of the local computer

After you install the update bundle on a site server, you can then update other
components for Configuration Manager. The following table describes update actions
for these various components:

Component: Site server
Instructions: Deploy updates to a remote site server when you don't choose to install
the update bundle directly on that remote site server.

Component: Site database
Instructions: For remote site servers, deploy server updates that include an update to
the site database if you don't install the update bundle directly on that remote site
server.

Component: Configuration Manager console
Instructions: After initial installation of the Configuration Manager console, you can
install updates for the console on each computer that runs it. You can't modify the
console installation files to apply the updates during the initial installation of the
console.

Component: Remote SMS Provider
Instructions: Install updates for each instance of the SMS Provider that runs on a
computer other than the site server where you installed the update bundle.

Component: Configuration Manager clients
Instructions: After initial installation of the Configuration Manager client, you can
install updates for the Configuration Manager client on each computer that runs the
client.

Note

You can deploy updates only to computers that run the Configuration Manager
client.

If you reinstall a client, Configuration Manager console, or SMS Provider, also reinstall
the updates for these components.

Update servers
Updates for servers can include updates for sites, the site database, and computers that
run an instance of the SMS Provider.

Update a site

To update a Configuration Manager site, you can install the update bundle directly on
the site server. You can also deploy the updates to a site server after you install the
update bundle on a different site.

When you install an update on a site server, the update installation process manages
other actions that are required to apply the update, such as updating site system roles.
The exception is the site database. The next section contains information about how to
update the site database.

Update a site database

To update the site database, the installation process runs a file named update.sql on the
site database. You can configure the update process to automatically update the site
database, or you can manually update the site database later.

Automatic update of the site database

When you install the update bundle on a site server, you can choose to automatically
update the site database when the server update is installed. This decision applies only
to the site server where you install the update bundle and doesn't apply to deployments
that are created to install the updates on remote site servers.

Note

When you choose to automatically update the site database, the process updates a
database regardless whether the database is located on the site server or on a
remote computer.

Important

Before you update the site database, create a backup of the site database. You can't
uninstall an update to the site database. For information about how to create a
backup for Configuration Manager, see Backup and recovery for Configuration
Manager.

Manual update of the site database

If you choose not to automatically update the site database when you install the update
bundle on the site server, the server update doesn't modify the database on the site
server where the update bundle runs. However, deployments that use the package that
is created for software deployment or that installs always update the site database.

Warning

When the update includes updates to both the site server and the site database,
the update isn't functional until the update is completed for both the site server
and site database. Until the update is applied to the site database, the site is in an
unsupported state.

1. On the site server, stop the SMS_SITE_COMPONENT_MANAGER service. Then stop
the SMS_EXECUTIVE service.

2. Close the Configuration Manager console.

3. Run the update script named update.sql on that site's database. For information
about how to run a script to update a SQL Server database, see the documentation
for the version of SQL Server that you use for your site database server.

Tip

When the update bundle installs, it extracts update.sql to the following
location on the site server: \\<Server Name>\SMS_<Site Code>\Hotfix\<KB Number>\update.sql

4. Restart the services that you stopped in the previous step.
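The four manual steps above, as an added example script that is not part of the Configuration Manager documentation. It assumes the SqlServer PowerShell module is installed on the site server (for Invoke-Sqlcmd), that the site database is named CM_<SiteCode>, that the console process is Microsoft.ConfigurationManagement.exe, and that a backup file exists at the given path; the instance name, site code, KB number and backup path are placeholders. The backup guard enforces the Important note above, because an update to the site database can't be uninstalled.

```powershell
# Added example (not from the Configuration Manager docs): manual site database update.
# Run on the site server as an administrator. All parameter values are placeholders.
#Requires -RunAsAdministrator
param(
    [string]$SqlInstance = 'SQL01',   # site database server or server\instance (assumption)
    [string]$SiteCode    = 'PS1',
    [string]$KbNumber    = 'KB1234567',
    [string]$BackupPath  = 'D:\Backups\CM_PS1_before_KB1234567.bak'
)
Import-Module SqlServer -ErrorAction Stop   # provides Invoke-Sqlcmd (assumed installed)

$database  = "CM_$SiteCode"                  # assumed site database naming
$updateSql = "\\$env:COMPUTERNAME\SMS_$SiteCode\Hotfix\$KbNumber\update.sql"  # path from the Tip above
if (-not (Test-Path $updateSql)) { throw "update.sql not found at $updateSql" }

# Guard: the Important note requires a backup first, since the database update
# can't be rolled back. Refuse to continue unless a recent backup file is present.
$backup = Get-Item $BackupPath -ErrorAction SilentlyContinue
if (-not $backup -or $backup.LastWriteTime -lt (Get-Date).AddHours(-24)) {
    throw "No backup of $database newer than 24 hours at $BackupPath; back up the site first"
}

# Step 1: stop site component manager first, then SMS_EXECUTIVE, in the documented order.
foreach ($svc in 'SMS_SITE_COMPONENT_MANAGER', 'SMS_EXECUTIVE') {
    Stop-Service -Name $svc -Force -ErrorAction Stop
    (Get-Service $svc).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
}

# Step 2: the console must be closed; the script only verifies that it is.
if (Get-Process -Name 'Microsoft.ConfigurationManagement' -ErrorAction SilentlyContinue) {
    throw 'Close the Configuration Manager console before updating the site database'
}

# Step 3: run update.sql against the site database. Invoke-Sqlcmd honours GO batch
# separators, and without -QueryTimeout the script does not time out.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $database -InputFile $updateSql -ErrorAction Stop

# Step 4: restart the services in the reverse order of step 1.
foreach ($svc in 'SMS_EXECUTIVE', 'SMS_SITE_COMPONENT_MANAGER') {
    Start-Service -Name $svc -ErrorAction Stop
}
"Applied $updateSql to $database on $SqlInstance; services restarted"
```

The Warning above is why the services stay stopped until update.sql has completed: between the server update and the database update the site is in an unsupported state, and the script does not restart anything if Invoke-Sqlcmd fails.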

Update a computer that runs the SMS Provider

After you install an update bundle that includes updates for the SMS Provider, deploy
the update to each computer that runs the SMS Provider. The only exception is the
instance of the SMS Provider that was previously installed on the site server where you
install the update bundle. The local instance of the SMS Provider on the site server is
updated when you install the update bundle.

If you remove and then reinstall the SMS Provider on a computer, reinstall the update
for the SMS Provider on that computer.

Update clients
When you install an update that includes updates for the Configuration Manager client,
you can automatically upgrade clients with the update installation, or manually upgrade
clients at a later time. For more information about automatic client upgrade, see How to
upgrade clients for Windows computers.

You can deploy updates with Updates Publisher or a software deployment package. You
can also manually install the update on each client. For more information about how to
use deployments to install updates, see Deploy updates for Configuration Manager.

Important

When you install updates for clients and the update bundle includes updates for
servers, install the server updates on the primary site to which the clients are
assigned.

To manually install the client update, run Msiexec.exe on each Configuration Manager
client. Include the platform-specific client update MSP file in the command line. For
example, you can use the following command line for a client update:

msiexec.exe /p \\<ServerName>\SMS_<SiteCode>\Hotfix\<KB Number>\Client\<Platform>\<msp> /L*v <logfile> REINSTALLMODE=mous REINSTALL=ALL

Update Configuration Manager consoles

To update a Configuration Manager console, install the update on the computer that
runs the console.

Important

When you install updates for the Configuration Manager console, and the update
bundle includes updates for servers, also install the server updates on the site that
you use with the Configuration Manager console.

If the computer that you update runs the Configuration Manager client:

You can use a deployment to install the update. For more information about how
to use deployments to install updates, see Deploy updates for Configuration
Manager.

If you're signed in to the client computer, run the installation interactively.

To manually install the Configuration Manager console update, run Msiexec.exe. Include
the Configuration Manager console update MSP file in the command line. For example,
you can use the following command line to update a Configuration Manager console:

msiexec.exe /p \\<ServerName>\SMS_<SiteCode>\Hotfix\<KB Number>\AdminConsole\<Platform>\<msp> /L*v <logfile> REINSTALLMODE=mous REINSTALL=ALL
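The client and console command lines above differ only in the path to the .msp file. As an added example that is not from the article, the following PowerShell function applies a patch with the same msiexec switches, checks the Authenticode signature on the .msp before running it (the hotfix comes from a file share, so confirm it is the signed Microsoft file), and interprets the Windows Installer exit code. The server name, site code, KB number and patch file name are placeholders; the -Unattended switch is an addition for deployment scripts and is not part of the documented command line.

```powershell
# Added example (not from the Configuration Manager docs): apply a client or console
# hotfix .msp with the documented msiexec switches and check the result.
function Install-CMHotfixPatch {
    param(
        [Parameter(Mandatory)][string]$MspPath,   # UNC path to the .msp in the Hotfix folder
        [string]$LogFile = (Join-Path $env:TEMP ((Split-Path $MspPath -Leaf) + '.log')),
        [switch]$Unattended                       # adds /qn; omit for the interactive install
    )
    if (-not (Test-Path $MspPath)) { throw "Patch not found: $MspPath" }

    # Windows Installer patches carry an Authenticode signature; refuse an unsigned or
    # tampered file and anything not signed by Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $MspPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Signature check failed for $MspPath (status: $($sig.Status))"
    }

    # Same switches as the documented command line: /p <msp>, verbose log to <logfile>,
    # REINSTALLMODE=mous REINSTALL=ALL re-applies the installed product with the patch.
    $argList = @('/p', "`"$MspPath`"", '/L*v', "`"$LogFile`"", 'REINSTALLMODE=mous', 'REINSTALL=ALL')
    if ($Unattended) { $argList += '/qn' }
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru

    # Windows Installer exit codes: 0 success, 3010 success but restart required,
    # 1641 success and restart initiated; anything else is reported with the log path.
    switch ($p.ExitCode) {
        0       { "Applied $MspPath" }
        3010    { "Applied $MspPath; restart required" }
        1641    { "Applied $MspPath; restart initiated" }
        default { throw "msiexec exited with $($p.ExitCode); see $LogFile" }
    }
}

# Constructed values; the real path is under the site server's SMS_<SiteCode> share.
$server = 'CM01'; $site = 'PS1'; $kb = 'KB1234567'
Install-CMHotfixPatch -MspPath "\\$server\SMS_$site\Hotfix\$kb\Client\x64\ConfigMgr1511-client-$kb-x64.msp"
```

For a console update, point -MspPath at the AdminConsole\<Platform> folder instead; the switches and exit-code handling are the same.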

Deploy updates for Configuration Manager

After you install the update bundle on a site server, you can use one of the following
three methods to deploy updates to other computers.

Use Updates Publisher to install updates

When you install the update bundle on a site server, the installation Wizard creates a
catalog file for Updates Publisher. You can use this file to deploy the updates to
applicable computers. The wizard always creates this catalog, even when you select the
option Use package and program to deploy this update.

The catalog for Updates Publisher is named SCUPCatalog.cab. It's in the following
location on the computer where you ran the update bundle: \\<ServerName>\SMS_<SiteCode>\Hotfix\<KB Number>\SCUP\SCUPCatalog.cab

Important

The SCUPCatalog.cab file is created by using paths that are specific to the site
server where the update bundle is installed. It can't be used on other site servers.

After the wizard is finished, import the catalog to Updates Publisher. Then use software
updates to deploy the updates. For more information, see System Center Updates
Publisher.

Import the updates to Updates Publisher

1. Start the Updates Publisher console and select Import.

2. On the Import Type page of the Import Software Updates Catalog Wizard, select
Specify the path to the catalog to import. Then specify the SCUPCatalog.cab file.

3. Select Next, and then select Next again.

4. In the Security Warning - Catalog Validation window, select Accept. Close the
wizard after it's finished.

5. Select the update that you want to deploy, and then select Publish.

6. On the Publish Options page of the Publish Software Updates Wizard, select Full
Content, and then select Next.

7. Complete the wizard to publish the updates.

Use software deployment to install updates

When you install the update bundle on the site server of a primary site or CAS, you can
configure the installation Wizard to create update packages for software deployment.
Then deploy each package to a collection of computers that you want to update.

To create a software deployment package, on the Configure Software Update
Deployment page of the wizard, select each update package type that you want to
update. The available types can include servers, Configuration Manager consoles, and
clients. A separate package is created for each type of update that you select.

Note

The package for servers contains updates for the following components:

Site server
SMS Provider
Site database

Next, on the Configure Software Update Deployment Method page of the wizard,
select the option I will use software distribution.

After the wizard is finished, view the packages in the Configuration Manager console. Go
to the Packages node in the Software Library workspace. Use your standard process to
deploy software packages to Configuration Manager clients. When a package runs on a
client, it installs the updates to the applicable components of Configuration Manager on
the client computer.

For more information about how to deploy packages to Configuration Manager clients,
see Packages and programs.

Create collections for deploying updates to Configuration Manager

You can deploy specific updates to applicable clients. The following information can help
you to create device collections for the different components for Configuration
Manager.

Component of Configuration Manager: CAS server
Instructions: Create a direct membership query and add the CAS server.

Component of Configuration Manager: All primary site servers
Instructions: Create a direct membership query and add each primary site server.

Component of Configuration Manager: All secondary site servers
Instructions: Create a direct membership query and add each secondary site server.

Component of Configuration Manager: All x86 clients
Instructions: Create a collection with the following query criteria:
Select * from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM.SystemType = "X86-based PC"

Component of Configuration Manager: All x64 clients
Instructions: Create a collection with the following query criteria:
Select * from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM.SystemType = "X64-based PC"

Component of Configuration Manager: All computers that run the Configuration Manager console
Instructions: Create a direct membership query and add each computer.

Component of Configuration Manager: Remote computers that run an instance of the SMS Provider
Instructions: Create a direct membership query and add each computer.

Note

To update a site database, deploy the update to the site server for that site.

For more information, see How to create collections.
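The collections in the table above can be created with the Configuration Manager PowerShell cmdlets instead of through the console. The script below is an added example, not part of the documentation; it uses the two WQL queries from the table as query membership rules and direct membership rules for the server, console and SMS Provider collections. The collection names, the site code drive (PS1:), the limiting collection and the computer names are assumptions for illustration.

```powershell
# Added example (not from the Configuration Manager docs): create the update-targeting
# collections from the table with the ConfigurationManager module. Names are placeholders.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1" -ErrorAction Stop
Set-Location 'PS1:'            # site-code drive exposed by the module (placeholder site code)

$limiting = 'All Systems'      # limiting collection for every collection created here

function New-TargetCollection {
    # Creates the collection if it doesn't already exist; idempotent so the script can rerun.
    param([string]$Name)
    if (-not (Get-CMDeviceCollection -Name $Name)) {
        New-CMDeviceCollection -Name $Name -LimitingCollectionName $limiting | Out-Null
    }
}

# Query-rule collections: the WQL from the table, one per client architecture.
$wqlBase = 'Select * from SMS_R_System inner join SMS_G_System_SYSTEM on ' +
           'SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId ' +
           'where SMS_G_System_SYSTEM.SystemType = "{0}"'
$archQueries = @{
    'Hotfix - All x86 clients' = ($wqlBase -f 'X86-based PC')
    'Hotfix - All x64 clients' = ($wqlBase -f 'X64-based PC')
}
foreach ($name in $archQueries.Keys) {
    New-TargetCollection -Name $name
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name -RuleName $name `
        -QueryExpression $archQueries[$name]
}

# Direct-membership collections for servers, console computers and remote SMS Providers.
# Direct rules keep these tightly scoped: only the named machines ever receive server patches.
$directMembers = @{
    'Hotfix - CAS server'                = @('CAS01')
    'Hotfix - All primary site servers'  = @('PS1SRV', 'PS2SRV')
    'Hotfix - All secondary site servers'= @('SS1SRV')
    'Hotfix - Console computers'         = @('ADMINWS01', 'ADMINWS02')
    'Hotfix - Remote SMS Providers'      = @('SMSPROV01')
}
foreach ($name in $directMembers.Keys) {
    New-TargetCollection -Name $name
    foreach ($computer in $directMembers[$name]) {
        $device = Get-CMDevice -Name $computer
        if (-not $device) { Write-Warning "No device record for $computer; skipped"; continue }
        Add-CMDeviceCollectionDirectMembershipRule -CollectionName $name -ResourceId $device.ResourceID
    }
}
```

As the Note above says, the site database is updated by deploying to the site server for that site, so no separate collection is created for it.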


Checklist for installing update 2303 for Configuration Manager
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

When you use the current branch of Configuration Manager, you can install the in-
console update for version 2303 to update your hierarchy from a previous version.
Version 2303 will also be available as baseline media soon after global availability of the
in-console update, so you can use the installation media to install the first site of a new
hierarchy.

To get the update for version 2303, you must use a service connection point at the top-
level site of your hierarchy. This site system role can be in online or offline mode. To
download the update when your service connection point is offline, use the service
connection tool.

After your hierarchy downloads the update package from Microsoft, find it in the
console. In the Administration workspace, select the Updates and Servicing node.

When the update is listed as Available, the update is ready to install. Before
installing version 2303, review the following information about installing update
2303 and the pre-update checklist for configurations to make before starting the
update.

If the update displays as Downloading and doesn't change, review the hman.log
and dmpdownloader.log for errors.

The dmpdownloader.log may indicate that the dmpdownloader process is
waiting for an interval before checking for updates. To restart the download of
the update's redistribution files, restart the SMS_Executive service on the site
server.

Another common download issue occurs when proxy server settings prevent
downloads from required internet endpoints.

For more information about installing updates, see In-console updates and servicing.

For more information about current branch versions, see Baseline and update versions.

About installing update 2303

Sites
Install update 2303 at the top-level site of your hierarchy. Start the installation from your
central administration site (CAS) or from your stand-alone primary site. After the update
is installed at the top-level site, child sites have the following update behavior:

Child primary sites install the update automatically after the CAS finishes the
installation of the update. You can use service windows to control when a site
installs the update. For more information, see Service windows for site servers.

Manually update each secondary site from within the Configuration Manager
console after the primary parent site finishes the update installation. Automatic
update of secondary site servers isn't supported.

Site system roles

When a site server installs the update, it automatically updates all of the site system
roles. These roles are on the site server or installed on remote servers. Before installing
the update, make sure that each site system server meets the current prerequisites for
the new update version.

Configuration Manager consoles

The first time you use a Configuration Manager console after the update has finished,
you're prompted to update that console. You can also run the Configuration Manager
setup on the computer that hosts the console, and choose the option to update the
console. Install the update to the console as soon as possible. For more information, see
Install the Configuration Manager console.

Important

When you install an update at the CAS, be aware of the following limitations and
delays that exist until all child primary sites also complete the update installation:

Client upgrades don't start. This includes automatic updates of clients and
pre-production clients. Additionally, you can't promote pre-production clients
to production until the last site completes the update installation. After the
last site completes the update installation, client updates begin based on your
configuration choices.
New features you enable with the update aren't available. This behavior is to
prevent the CAS replicating data related to that feature to a site that hasn't
yet installed support for that feature. After all primary sites install the update,
the feature is available for use.
Replication links between the CAS and child primary sites display as not
upgraded. This state displays in the update installation status as Completed
with warning for monitoring replication initialization. In the Monitoring
workspace of the console, this state displays as Link is being configured.

Early update ring

As of April 24, 2023, version 2303 is globally available for all customers to install. If you
previously opted in to the early update ring, watch for an update to this current branch
version.

Pre-update checklist

All sites run a supported version of Configuration Manager

Each site server in the hierarchy must run the same version of Configuration Manager
before you can start the installation. To update to version 2303, use version 2111 or
later.

Review the status of your product licensing

You need an active Software Assurance (SA) agreement or equivalent subscription rights
to install this update. When you update the site, the Licensing page presents the option
to confirm your Software Assurance expiration date.

This value is optional. You can specify it as a convenient reminder of your license
expiration date. This date is visible when you install future updates. You might have
previously specified this value during setup or installation of an update. You can also
specify this value in the Configuration Manager console. In the Administration
workspace, expand Site Configuration, and select Sites. Select Hierarchy Settings in the
ribbon, and switch to the Licensing tab.

For more information, see Licensing and branches.

Review Microsoft .NET versions

Configuration Manager now requires Microsoft .NET Framework version 4.6.2 for site
servers, specific site systems, clients, and the console. Before you run setup to install or
update the site, first update .NET and restart the system. If possible in your environment,
install the latest version of .NET version 4.8.

This installation can put the site system server into a reboot pending state and report
errors to the Configuration Manager component status viewer. .NET applications on the
server might experience random failures until you restart the server.

For more information including how to manage restarts, see Site and site system
prerequisites.

Review the version of the Windows ADK

The version of the Windows Assessment and Deployment Kit (ADK) should be
supported for Configuration Manager version 2303. For more information, see Support
for the Windows ADK. If you need to update the Windows ADK, do so before you begin
the update of Configuration Manager. This order makes sure the default boot images
are automatically updated to the latest version of Windows PE. Manually update any
custom boot images after updating the site.

If you update the site before you update the Windows ADK, see Update distribution
points with the boot image.

Review SQL Server Native Client version


Install a minimum version of SQL Server 2012 Native Client, which includes support for
TLS 1.2. For more information, see the List of prerequisite checks.

Review the site and hierarchy status for unresolved issues


A site update can fail because of existing operational problems. Before you update a
site, resolve all operational issues for the following systems:

The site server
The site database server
Remote site system roles on other servers

For more information, see Use the status system.

Review file and data replication between sites


Make sure that file and database replication between sites is operational and current.
Delays or backlogs in either can prevent a successful update.

Database replication

For database replication, to help resolve issues before you start the update, use the
Replication Link Analyzer (RLA). For more information, see Monitor database
replication.

Use RLA to answer the following questions:

Is replication per group in a good state?
Are any links degraded?
Are there any errors?

If there's a backlog, wait until it clears out. If the backlog is large, such as millions of
records, then the link is in a bad state. Before updating the site, solve the replication
issue. If you need further assistance, contact Microsoft Support.

File-based replication
For file-based replication, check all inboxes for a backlog on both sending and receiving
sites. If there are lots of stuck or pending replication jobs, wait until they clear out.

On the sending site, review sender.log.
On the receiving site, review despooler.log.

Install all applicable critical Windows updates


Before you install an update for Configuration Manager, install any critical OS updates
for each applicable site system. These servers include the site server, site database
server, and remote site system roles. If an update that you install requires a restart,
restart the applicable servers before you start the upgrade.

Disable database replicas for management points at primary sites
Configuration Manager can't successfully update a primary site that has a database
replica for management points enabled. Before you install an update for Configuration
Manager, disable database replication.

For more information, see Database replicas for management points.


Set SQL Server Always On availability groups to manual
failover
If you use an availability group, make sure that the availability group is set to manual
failover before you start the update installation. After the site has updated, you can
restore failover to be automatic. For more information, see Prepare to use an availability
group.

Disable site maintenance tasks at each site


Before you install the update, disable any site maintenance task that might run during
the time the update process is active. For example, but not limited to:

Backup Site Server
Delete Aged Client Operations
Delete Aged Discovery Data

When a site database maintenance task runs during the update installation, the update
installation can fail. Before you disable a task, record the schedule of the task so you can
restore its configuration after the update has been installed.

For more information, see Maintenance tasks and Reference for maintenance tasks.

Temporarily stop any antivirus software


Before you update a site, stop antivirus software on the Configuration Manager servers.
The antivirus software can lock some files that need to be updated, which causes the
update to fail.

Create a backup of the site database


Before you update a site, back up the site database at the CAS and primary sites. This
backup makes sure you have a successful backup to use for disaster recovery.

For more information, see Backup and recovery.

Back up customized files


If you or a third-party product customizes any Configuration Manager configuration
files, save a copy of your customizations.
For example, you add custom entries to the osdinjection.xml file in the bin\X64 folder
of your Configuration Manager installation directory. After you update Configuration
Manager, these customizations don't persist. Reapply your customizations.

Review hardware inventory customizations


If you changed the state of hardware inventory classes in client settings, when you
update the site, some classes may revert to a default state. For example, if you disable
the SMS_Windows8Application or SMS_Windows8ApplicationUserInfo classes, they're
enabled after installing a Configuration Manager update.

When you customize hardware inventory classes, note their configuration before you
install the update.

Plan for client piloting


When you install a site update that also updates the client, test that new client update in
pre-production before you update all production clients. To use this option, configure
your site to support automatic upgrades for pre-production before beginning
installation of the update.

For more information, see Upgrade clients and How to test client upgrades in a pre-
production collection.

Note

When you update to version 2107 or later, clients with PKI certificates will recreate
self-signed certificates, but don't reregister with the site. Clients without a PKI
certificate will reregister with the site, which can cause extra processing at the site.
Make sure that your process to update clients allows for randomization. If you
simultaneously update lots of clients, it may cause a backlog on the site server.

Plan to use service windows


To define a period during which updates to a site server can be installed, use service
windows. They can help you control when sites in your hierarchy install the update. For
more information, see Service windows for site servers.

Review supported extensions


If you extend Configuration Manager with other products from Microsoft, Microsoft
partners, or third-party vendors, confirm that those products support and are
compatible with version 2303. Check with the product vendor for this information.

Tip

If you develop a third-party add-on to Configuration Manager, you should test
your add-on with every monthly technical preview branch release. Regular testing
helps confirm compatibility, and allows for early reporting of any issues with
standard interfaces.

Disable any custom solutions


If your site has any custom solutions based on the Configuration Manager SDK or
PowerShell, disable this code before you update the site. Make sure to test this custom
code in a lab environment to make sure it's compatible with the new version.

Note

Starting in version 2111, third-party add-ons that use Microsoft .NET Framework
and rely on Configuration Manager libraries also need to use .NET 4.6.2 or later. For
more information, see External dependencies require .NET 4.6.2.

Read the release notes


Before you start the update, review the current release notes. With Configuration
Manager, product release notes are limited to urgent issues. These issues aren't yet fixed
in the product, or detailed in a Microsoft Support article.

Feature-specific documentation may include information about known issues that affect
core scenarios.

For more information, see the Release notes.

Install the update

Run the setup prerequisite checker


When the console lists the update as Available, you can run the prerequisite checker
before installing the update. (When you install the update on the site, prerequisite
checker runs again.)

To run a prerequisite check from the console, go to the Administration workspace, and
select Updates and Servicing. Select the Configuration Manager 2303 update package,
and select Run prerequisite check in the ribbon.

For more information, see the section to Run the prerequisite checker before installing
an update in Before you install an in-console update.

Important

When the prerequisite checker runs, the process updates some product source files
that are used for site maintenance tasks. After running the prerequisite checker, but
before installing the update, if you need to do a site maintenance task, run
Setupwpf.exe (Configuration Manager Setup) from the CD.Latest folder on the site
server.

Update sites
You're now ready to start the update installation for your hierarchy. For more
information about installing the update, see Install in-console updates.

You may plan to install the update outside of normal business hours. Determine when
the process will have the least effect on your business operations. Installing the update
and its actions reinstall site components and site system roles.

For more information, see Updates for Configuration Manager.

Post-update checklist
After the site updates, use the following checklist to complete common tasks and
configurations.

Confirm version and restart (if necessary)


Make sure each site server and site system role is updated to version 2303. In the
console, add the Version column to the Sites and Distribution Points nodes in the
Administration workspace. When necessary, a site system role automatically reinstalls to
update to the new version.
Consider restarting remote site systems that don't successfully update at first. Review
your site infrastructure and make sure that applicable site servers and remote site
system servers successfully restarted. Typically, site servers restart only when
Configuration Manager installs .NET as a prerequisite for a site system role.

Confirm site-to-site replication is active


In the Configuration Manager console, go to the following locations to view the status,
and make sure that replication is active:

Monitoring workspace, Site Hierarchy node

Monitoring workspace, Database Replication node

For more information, see the following articles:

Monitor hierarchy and replication infrastructure
About the Replication Link Analyzer

Update Configuration Manager consoles


Update all remote Configuration Manager consoles to the same version. You're
prompted to update the console when:

You open the console.

You go to a new node in the console.

Reconfigure database replicas for management points


After you update a primary site, reconfigure the database replica for management
points that you uninstalled before you updated the site. For more information, see
Database replicas for management points.

Reconfigure availability groups


If you use an availability group, reset the failover configuration to automatic. For more
information, see Prepare to use an availability group.

Reconfigure any disabled maintenance tasks


If you disabled database maintenance tasks at a site before installing the update,
reconfigure those tasks. Use the same settings that were in place before the update.

Restore hardware inventory customizations


If you changed the state of hardware inventory classes in client settings, when you
update the site, some classes may revert to a default state. For example, if you disable
the SMS_Windows8Application or SMS_Windows8ApplicationUserInfo classes, they're
enabled after installing a Configuration Manager update.

When you customize hardware inventory classes, review their configuration after you
install the update to make sure they are configured as you intend.

Update clients
Update clients per the plan you created, especially if you configured client piloting
before installing the update. For more information, see How to upgrade clients for
Windows computers.

Third-party extensions
If you use any extensions to Configuration Manager, update them to a version that
supports and is compatible with Configuration Manager version 2303.

Enable any custom solutions


Enable any custom solutions based on the Configuration Manager SDK or PowerShell
that you've already tested in a lab environment with version 2303.

Update boot images and media


Use the Update Distribution Points action for any boot image that you use, whether it's
a default or custom boot image. This action makes sure that clients can use the latest
version. Even if there isn't a new version of the Windows ADK, the Configuration
Manager client components may change with an update. If you don't update boot
images and media, task sequence deployments may fail on devices.

When you update the site, Configuration Manager automatically updates the default
boot images. It doesn't automatically distribute the updated content to distribution
points. Use the Update Distribution Points action on specific boot images when you're
ready to distribute this content across your network.

Note

For default boot images, the site always uses the current version of the
Configuration Manager client that matches the site's version. Even if you configure
automatic client upgrades to use a pre-production collection, that feature doesn't
apply to boot images.

After updating the site, manually update any custom boot images. This action updates
the boot image with the latest client components if necessary, optionally reloads it with
the current Windows PE version, and redistributes the content to the distribution points.

For more information, see Update distribution points with the boot image.

Update PowerShell help content


To get the latest information for the Configuration Manager PowerShell module, use the
Update-Help cmdlet. Run this cmdlet on all computers with the Configuration Manager
console. This help content is the same as what's published for the
ConfigurationManager module.

For more information, see Configuration Manager PowerShell cmdlets: Update help.

Next steps
Review the release notes. This article can be updated regularly, especially right after a
new current branch release. You can use RSS to be notified when this page is updated.
For more information, see How to use the docs.

Checklist for installing update 2211 for Configuration Manager
Article • 12/19/2022

Applies to: Configuration Manager (current branch)

When you use the current branch of Configuration Manager, you can install the in-
console update for version 2211 to update your hierarchy from a previous version.

To get the update for version 2211, you must use a service connection point at the top-
level site of your hierarchy. This site system role can be in online or offline mode. To
download the update when your service connection point is offline, use the service
connection tool.

After your hierarchy downloads the update package from Microsoft, find it in the
console. In the Administration workspace, select the Updates and Servicing node.

When the update is listed as Available, the update is ready to install. Before
installing version 2211, review the following information about installing update
2211 and the pre-update checklist for configurations to make before starting the
update.

If the update displays as Downloading and doesn't change, review the hman.log
and dmpdownloader.log for errors.

The dmpdownloader.log may indicate that the dmpdownloader process is
waiting for an interval before checking for updates. To restart the download of
the update's redistribution files, restart the SMS_Executive service on the site
server.

Another common download issue occurs when proxy server settings prevent
downloads from required internet endpoints.

For more information about installing updates, see In-console updates and servicing.

For more information about current branch versions, see Baseline and update versions.

About installing update 2211

Sites
Install update 2211 at the top-level site of your hierarchy. Start the installation from your
central administration site (CAS) or from your stand-alone primary site. After the update
is installed at the top-level site, child sites have the following update behavior:

Child primary sites install the update automatically after the CAS finishes the
installation of the update. You can use service windows to control when a site
installs the update. For more information, see Service windows for site servers.

Manually update each secondary site from within the Configuration Manager
console after the primary parent site finishes the update installation. Automatic
update of secondary site servers isn't supported.

Site system roles


When a site server installs the update, it automatically updates all of the site system
roles. These roles are on the site server or installed on remote servers. Before installing
the update, make sure that each site system server meets the current prerequisites for
the new update version.

Configuration Manager consoles


The first time you use a Configuration Manager console after the update has finished,
you're prompted to update that console. You can also run the Configuration Manager
setup on the computer that hosts the console, and choose the option to update the
console. Install the update to the console as soon as possible. For more information, see
Install the Configuration Manager console.

Important

When you install an update at the CAS, be aware of the following limitations and
delays that exist until all child primary sites also complete the update installation:

Client upgrades don't start. This includes automatic updates of clients and
pre-production clients. Additionally, you can't promote pre-production clients
to production until the last site completes the update installation. After the
last site completes the update installation, client updates begin based on your
configuration choices.
New features you enable with the update aren't available. This behavior is to
prevent the CAS replicating data related to that feature to a site that hasn't
yet installed support for that feature. After all primary sites install the update,
the feature is available for use.
Replication links between the CAS and child primary sites display as not
upgraded. This state displays in the update installation status as Completed
with warning for monitoring replication initialization. In the Monitoring
workspace of the console, this state displays as Link is being configured.

Early update ring


As of December 19, 2022, version 2211 is globally available for all customers to install. If
you previously opted in to the early update ring, watch for an update to this current
branch version.

Pre-update checklist

All sites run a supported version of Configuration Manager
Each site server in the hierarchy must run the same version of Configuration Manager
before you can start the installation. To update to version 2211, use version 2107 or
later.

Review the status of your product licensing


You need an active Software Assurance (SA) agreement or equivalent subscription rights
to install this update. When you update the site, the Licensing page presents the option
to confirm your Software Assurance expiration date.

This value is optional. You can specify it as a convenient reminder of your license
expiration date. This date is visible when you install future updates. You might have
previously specified this value during setup or installation of an update. You can also
specify this value in the Configuration Manager console. In the Administration
workspace, expand Site Configuration, and select Sites. Select Hierarchy Settings in the
ribbon, and switch to the Licensing tab.

For more information, see Licensing and branches.

Review Microsoft .NET versions


Configuration Manager now requires Microsoft .NET Framework version 4.6.2 for site
servers, specific site systems, clients, and the console. Before you run setup to install or
update the site, first update .NET and restart the system. If possible in your environment,
install the latest version of .NET version 4.8.

This installation can put the site system server into a reboot pending state and report
errors to the Configuration Manager component status viewer. .NET applications on the
server might experience random failures until you restart the server.

For more information including how to manage restarts, see Site and site system
prerequisites.
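
The following script is an added example for this step (it appears in both the 2303 and 2211 checklists); it isn't part of the Microsoft article or the Configuration Manager product. It reads the .NET Framework 4.x release value from the registry on each site system and checks the usual pending-restart markers, so you can see before running setup which servers still need .NET updated or restarted. The release numbers are the documented values for .NET Framework 4.6.2 and 4.8; the server names are placeholders.

```powershell
# Added example (not from the Microsoft article): report the .NET Framework 4.x
# release and pending-restart state of each site system before running setup.
# Release numbers are the documented registry values for the 4.x family:
#   394802 = .NET Framework 4.6.2 (the checklist's minimum)
#   528040 = .NET Framework 4.8   (the checklist's recommendation)
# Server names below are placeholders; replace them with your site systems.
$MinimumRelease     = 394802
$RecommendedRelease = 528040
$SiteSystems        = @('SITESERVER01', 'SQLSERVER01', 'MP01')   # placeholders

# Runs on the target machine: reads the .NET 4.x release and the pending-restart
# markers that Windows sets after an OS update or a .NET install.
$probe = {
    param($MinimumRelease, $RecommendedRelease)
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $release = if ($ndp -and $ndp.Release) { [int]$ndp.Release } else { 0 }

    $cbsPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wuPending  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $pfro = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $renamePending = ($null -ne $pfro) -and ($pfro.Count -gt 0)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        NetRelease       = $release
        MeetsMinimum     = $release -ge $MinimumRelease
        MeetsRecommended = $release -ge $RecommendedRelease
        PendingReboot    = $cbsPending -or $wuPending -or $renamePending
    }
}

function Get-SiteSystemNetReadiness {
    param([string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        try {
            $result = Invoke-Command -ComputerName $name -ScriptBlock $probe `
                -ArgumentList $MinimumRelease, $RecommendedRelease -ErrorAction Stop
        } catch {
            # An unreachable server is itself a finding: don't run setup until you can check it.
            $result = [pscustomobject]@{
                ComputerName = $name; NetRelease = $null
                MeetsMinimum = $false; MeetsRecommended = $false; PendingReboot = $null
            }
        }
        # Ready only when .NET 4.6.2 or later is present and no restart is outstanding.
        $ready = $result.MeetsMinimum -and ($result.PendingReboot -eq $false)
        $result | Add-Member -NotePropertyName ReadyForSetup -NotePropertyValue $ready -PassThru
    }
}

Get-SiteSystemNetReadiness -ComputerName $SiteSystems |
    Format-Table ComputerName, NetRelease, MeetsMinimum, MeetsRecommended, PendingReboot, ReadyForSetup -AutoSize
```

Run it from a console computer with PowerShell remoting enabled to the site systems. A server that reports MeetsMinimum but PendingReboot should be restarted before you start setup; a server that isn't reachable shows ReadyForSetup as false on purpose, so it isn't silently skipped.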

Review the version of the Windows ADK


The version of the Windows Assessment and Deployment Kit (ADK) should be
supported for Configuration Manager version 2211. For more information, see Support
for the Windows ADK. If you need to update the Windows ADK, do so before you begin
the update of Configuration Manager. This order makes sure the default boot images
are automatically updated to the latest version of Windows PE. Manually update any
custom boot images after updating the site.

If you update the site before you update the Windows ADK, see Update distribution
points with the boot image.

Review SQL Server Native Client version


Install a minimum version of SQL Server 2012 Native Client, which includes support for
TLS 1.2. For more information, see the List of prerequisite checks.

Review the site and hierarchy status for unresolved issues


A site update can fail because of existing operational problems. Before you update a
site, resolve all operational issues for the following systems:

The site server
The site database server
Remote site system roles on other servers

For more information, see Use the status system.

Review file and data replication between sites


Make sure that file and database replication between sites is operational and current.
Delays or backlogs in either can prevent a successful update.

Database replication

For database replication, to help resolve issues before you start the update, use the
Replication Link Analyzer (RLA). For more information, see Monitor database
replication.

Use RLA to answer the following questions:

Is replication per group in a good state?
Are any links degraded?
Are there any errors?

If there's a backlog, wait until it clears out. If the backlog is large, such as millions of
records, then the link is in a bad state. Before updating the site, solve the replication
issue. If you need further assistance, contact Microsoft Support.

File-based replication
For file-based replication, check all inboxes for a backlog on both sending and receiving
sites. If there are lots of stuck or pending replication jobs, wait until they clear out.

On the sending site, review sender.log.
On the receiving site, review despooler.log.
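
The following script is an added example for the log reviews this article asks for: sender.log and despooler.log here (in both the 2303 and 2211 checklists) and hman.log and dmpdownloader.log in the download troubleshooting above. It isn't part of the Microsoft article or the product. It parses the CMTrace entry layout those site logs use (type 1 = info, 2 = warning, 3 = error) and lists the warnings and errors written inside a time window, so a backlog or a stuck download can be traced to the component and message behind it. The sample lines are constructed for illustration, not captured from a real site.

```powershell
# Added example (not from the Microsoft article): parse Configuration Manager
# component logs and list the warnings and errors written inside a time window.
# The entry layout is the CMTrace format used by sender.log, despooler.log,
# hman.log, dmpdownloader.log and the other site logs; type 1 = info,
# 2 = warning, 3 = error. The sample lines are constructed, not a real capture.
$CMLogPattern = '^<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]+)"\s+date="(?<Date>[^"]+)"\s+component="(?<Component>[^"]*)"\s+context="[^"]*"\s+type="(?<Type>\d)"\s+thread="(?<Thread>\d+)"\s+file="(?<File>[^"]*)">\s*$'

function ConvertFrom-CMLogLine {
    param([string[]]$Line)
    foreach ($text in $Line) {
        # Entries whose message spans several lines don't match and are skipped here.
        if ($text -notmatch $CMLogPattern) { continue }
        # The time field carries a UTC offset in minutes after + or -, e.g. 10:15:01.233+000.
        $clock = ($Matches.Time -split '[+-]')[0]
        $stamp = [datetime]::ParseExact("$($Matches.Date) $clock", 'MM-dd-yyyy HH:mm:ss.fff',
                                        [cultureinfo]::InvariantCulture)
        $severity = switch ($Matches.Type) { '3' { 'Error' } '2' { 'Warning' } default { 'Info' } }
        [pscustomobject]@{
            Timestamp = $stamp
            Severity  = $severity
            Component = $Matches.Component
            Thread    = [int]$Matches.Thread
            Message   = $Matches.Message
        }
    }
}

function Get-CMLogProblem {
    # Returns warnings and errors logged at or after $Since, newest first.
    param([string[]]$Line, [datetime]$Since)
    ConvertFrom-CMLogLine -Line $Line |
        Where-Object { $_.Severity -ne 'Info' -and $_.Timestamp -ge $Since } |
        Sort-Object Timestamp -Descending
}

function Get-CMLogProblemFromFile {
    # Same check against a log on disk, e.g. the sending site's sender.log.
    param([string]$Path, [int]$Hours = 4)
    Get-CMLogProblem -Line (Get-Content -Path $Path) -Since (Get-Date).AddHours(-$Hours)
}

# Constructed sample: one healthy send, one retry warning, one despooler error,
# and one older error that falls outside the window.
$SampleLines = @(
    '<![LOG[Sending package 0000123A to site CAS]LOG]!><time="10:15:01.233+000" date="12-19-2022" component="SMS_LAN_SENDER" context="" type="1" thread="4120" file="sender.cpp:1520">',
    '<![LOG[Connection to site CAS failed, will retry in 60 seconds]LOG]!><time="10:16:02.517+000" date="12-19-2022" component="SMS_LAN_SENDER" context="" type="2" thread="4120" file="sender.cpp:1610">',
    '<![LOG[Cannot verify signature of instruction file 0000123A.ist, discarding]LOG]!><time="10:17:44.090+000" date="12-19-2022" component="SMS_DESPOOLER" context="" type="3" thread="2208" file="despool.cpp:880">',
    '<![LOG[Old entry outside the window]LOG]!><time="03:00:00.000+000" date="12-18-2022" component="SMS_DESPOOLER" context="" type="3" thread="2208" file="despool.cpp:880">'
)

$Since = [datetime]::ParseExact('12-19-2022 09:00:00', 'MM-dd-yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
$problems = Get-CMLogProblem -Line $SampleLines -Since $Since
$problems | Format-Table Timestamp, Severity, Component, Message -AutoSize
# Count per component and severity: a quick way to see which inbox to look at first.
$problems | Group-Object Component, Severity | Select-Object Name, Count
```

Against the sample, the window keeps the retry warning and the despooler error and drops the older entry. For a live site, point Get-CMLogProblemFromFile at the log under the site server's Logs folder and widen -Hours to cover the period in which the backlog built up.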

Install all applicable critical Windows updates


Before you install an update for Configuration Manager, install any critical OS updates
for each applicable site system. These servers include the site server, site database
server, and remote site system roles. If an update that you install requires a restart,
restart the applicable servers before you start the upgrade.

Disable database replicas for management points at primary sites
Configuration Manager can't successfully update a primary site that has a database
replica for management points enabled. Before you install an update for Configuration
Manager, disable database replication.

For more information, see Database replicas for management points.


Set SQL Server Always On availability groups to manual
failover
If you use an availability group, make sure that the availability group is set to manual
failover before you start the update installation. After the site has updated, you can
restore failover to be automatic. For more information, see Prepare to use an availability
group.

Disable site maintenance tasks at each site


Before you install the update, disable any site maintenance task that might run during
the time the update process is active. For example, but not limited to:

Backup Site Server
Delete Aged Client Operations
Delete Aged Discovery Data

When a site database maintenance task runs during the update installation, the update
installation can fail. Before you disable a task, record the schedule of the task so you can
restore its configuration after the update has been installed.

For more information, see Maintenance tasks and Reference for maintenance tasks.
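
The following script is an added example for this step and for the matching post-update step (reconfigure any disabled maintenance tasks), in both the 2303 and 2211 checklists; it isn't part of the Microsoft article or the Configuration Manager product. It records the current state of every site maintenance task to a JSON file, disables the tasks named above, and later re-enables only the tasks that were enabled before the update. It assumes the Configuration Manager console, and with it the ConfigurationManager PowerShell module, is installed where it runs; the site code and snapshot path are placeholders, and the task names are matched with wildcards because the console's display name (Backup Site Server) and the stored TaskName can differ slightly.

```powershell
# Added example (not from the Microsoft article): record the current state of the
# site maintenance tasks, disable the ones that must not run during the update,
# and restore the recorded state afterwards. Requires the Configuration Manager
# console (which installs the ConfigurationManager PowerShell module) on the
# machine running it. 'PS1' and the snapshot path are placeholders.
$SiteCode     = 'PS1'                                              # placeholder
$SnapshotPath = Join-Path $env:TEMP "cm-maintenance-tasks-$SiteCode.json"
# Wildcards so both 'Backup Site Server' and 'Backup SMS Site Server' match.
$TasksToPause = @('Backup*Site Server', 'Delete Aged Client Operations', 'Delete Aged Discovery Data')

function Connect-CMSiteDrive {
    param([string]$SiteCode)
    # Console setup registers SMS_ADMIN_UI_PATH; the module sits one folder above it.
    if (-not (Get-Module -Name ConfigurationManager)) {
        Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1') -ErrorAction Stop
    }
    Set-Location -Path "$($SiteCode):" -ErrorAction Stop
}

function Export-CMMaintenanceTaskSnapshot {
    param([string]$SiteCode, [string]$Path)
    $tasks = @(Get-CMSiteMaintenanceTask -SiteCode $SiteCode)
    # Keep every property so the schedule (BeginTime, LatestBeginTime, DaysOfWeek) is on record too.
    $tasks | Select-Object -Property * | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    return $tasks.Count
}

function Disable-CMUpdateSensitiveTask {
    param([string]$SiteCode, [string[]]$NamePattern)
    foreach ($task in Get-CMSiteMaintenanceTask -SiteCode $SiteCode) {
        $hit = $NamePattern | Where-Object { $task.TaskName -like $_ }
        if ($hit -and $task.Enabled) {
            Set-CMSiteMaintenanceTask -SiteCode $SiteCode -Name $task.TaskName -Enabled $false
            Write-Verbose "Disabled '$($task.TaskName)'" -Verbose
        }
    }
}

function Restore-CMMaintenanceTaskSnapshot {
    param([string]$SiteCode, [string]$Path)
    # Re-enable only the tasks that were enabled before the update; nothing else changes.
    $snapshot = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($entry in @($snapshot)) {
        if ($entry.Enabled) {
            Set-CMSiteMaintenanceTask -SiteCode $SiteCode -Name $entry.TaskName -Enabled $true
        }
    }
}

# Before the update:
Connect-CMSiteDrive -SiteCode $SiteCode
$count = Export-CMMaintenanceTaskSnapshot -SiteCode $SiteCode -Path $SnapshotPath
Write-Host "Recorded $count maintenance tasks to $SnapshotPath"
Disable-CMUpdateSensitiveTask -SiteCode $SiteCode -NamePattern $TasksToPause

# After the update has finished (run separately, against the same snapshot file):
# Connect-CMSiteDrive -SiteCode $SiteCode
# Restore-CMMaintenanceTaskSnapshot -SiteCode $SiteCode -Path $SnapshotPath
```

Keep the snapshot file somewhere outside the site server's temp folder if the update may involve a restart, and run the snapshot step at every site whose tasks you disable, since the tasks are configured per site.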

Temporarily stop any antivirus software


Before you update a site, stop antivirus software on the Configuration Manager servers.
The antivirus software can lock some files that need to be updated, which causes the
update to fail.

Create a backup of the site database


Before you update a site, back up the site database at the CAS and primary sites. This
backup makes sure you have a successful backup to use for disaster recovery.

For more information, see Backup and recovery.

Back up customized files


If you or a third-party product customizes any Configuration Manager configuration
files, save a copy of your customizations.
For example, you add custom entries to the osdinjection.xml file in the bin\X64 folder
of your Configuration Manager installation directory. After you update Configuration
Manager, these customizations don't persist. Reapply your customizations.

Review hardware inventory customizations


If you changed the state of hardware inventory classes in client settings, when you
update the site, some classes may revert to a default state. For example, if you disable
the SMS_Windows8Application or SMS_Windows8ApplicationUserInfo classes, they're
enabled after installing a Configuration Manager update.

When you customize hardware inventory classes, note their configuration before you
install the update.

Plan for client piloting


When you install a site update that also updates the client, test that new client update in
pre-production before you update all production clients. To use this option, configure
your site to support automatic upgrades for pre-production before beginning
installation of the update.

For more information, see Upgrade clients and How to test client upgrades in a pre-
production collection.

Note

When you update to version 2107 or later, clients with PKI certificates will recreate
self-signed certificates, but don't reregister with the site. Clients without a PKI
certificate will reregister with the site, which can cause extra processing at the site.
Make sure that your process to update clients allows for randomization. If you
simultaneously update lots of clients, it may cause a backlog on the site server.

Plan to use service windows


To define a period during which updates to a site server can be installed, use service
windows. They can help you control when sites in your hierarchy install the update. For
more information, see Service windows for site servers.

Review supported extensions


If you extend Configuration Manager with other products from Microsoft, Microsoft
partners, or third-party vendors, confirm that those products support and are
compatible with version 2211. Check with the product vendor for this information.

Tip

If you develop a third-party add-on to Configuration Manager, you should test
your add-on with every monthly technical preview branch release. Regular testing
helps confirm compatibility, and allows for early reporting of any issues with
standard interfaces.

Disable any custom solutions


If your site has any custom solutions based on the Configuration Manager SDK or
PowerShell, disable this code before you update the site. Make sure to test this custom
code in a lab environment to make sure it's compatible with the new version.

Note

Starting in version 2111, third-party add-ons that use Microsoft .NET Framework
and rely on Configuration Manager libraries also need to use .NET 4.6.2 or later. For
more information, see External dependencies require .NET 4.6.2.

Read the release notes


Before you start the update, review the current release notes. With Configuration
Manager, product release notes are limited to urgent issues. These issues aren't yet fixed
in the product, or detailed in a Microsoft Support article.

Feature-specific documentation may include information about known issues that affect
core scenarios.

For more information, see the Release notes.

Install the update

Run the setup prerequisite checker


When the console lists the update as Available, you can run the prerequisite checker
before installing the update. (When you install the update on the site, prerequisite
checker runs again.)

To run a prerequisite check from the console, go to the Administration workspace, and
select Updates and Servicing. Select the Configuration Manager 2211 update package,
and select Run prerequisite check in the ribbon.

For more information, see the section to Run the prerequisite checker before installing
an update in Before you install an in-console update.

Important

When the prerequisite checker runs, the process updates some product source files
that are used for site maintenance tasks. After running the prerequisite checker, but
before installing the update, if you need to do a site maintenance task, run
Setupwpf.exe (Configuration Manager Setup) from the CD.Latest folder on the site
server.

Update sites
You're now ready to start the update installation for your hierarchy. For more
information about installing the update, see Install in-console updates.

You may plan to install the update outside of normal business hours. Determine when
the process will have the least effect on your business operations. Installing the update
and its actions reinstall site components and site system roles.

For more information, see Updates for Configuration Manager.

Post-update checklist
After the site updates, use the following checklist to complete common tasks and
configurations.

Confirm version and restart (if necessary)


Make sure each site server and site system role is updated to version 2211. In the
console, add the Version column to the Sites and Distribution Points nodes in the
Administration workspace. When necessary, a site system role automatically reinstalls to
update to the new version.
Consider restarting remote site systems that don't successfully update at first. Review
your site infrastructure and make sure that applicable site servers and remote site
system servers successfully restarted. Typically, site servers restart only when
Configuration Manager installs .NET as a prerequisite for a site system role.
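
The following script is an added example for this step (in both the 2303 and 2211 checklists); it isn't part of the Microsoft article or the Configuration Manager product. Instead of adding the Version column in the console, it queries the SMS Provider for the version each site reports and lists the servers that host site system roles, so you have one list of sites to confirm and one list of servers whose restart state to review. The provider server name, site code and expected version string are placeholders; take the expected version from the update package shown in the Updates and Servicing node.

```powershell
# Added example (not from the Microsoft article): read each site's reported
# version from the SMS Provider and list the servers hosting site system roles.
# 'SMSPROVIDER01', 'PS1' and the expected version are placeholders; the expected
# version is the one shown for the installed update in Updates and Servicing.
$ProviderServer  = 'SMSPROVIDER01'                                   # placeholder
$SiteCode        = 'PS1'                                             # placeholder
$ExpectedVersion = '<version shown in Updates and Servicing>'        # placeholder

# SMS_Site.Type values: 1 = secondary site, 2 = primary site, 4 = central administration site.
$SiteTypeName = @{ 1 = 'Secondary'; 2 = 'Primary'; 4 = 'CAS' }

function Get-CMSiteVersionReport {
    param([string]$ProviderServer, [string]$SiteCode, [string]$ExpectedVersion)
    $ns = "root\SMS\site_$SiteCode"
    # SMS_Site has one row per site in the hierarchy as seen from this provider.
    Get-CimInstance -ComputerName $ProviderServer -Namespace $ns -ClassName SMS_Site |
        ForEach-Object {
            [pscustomobject]@{
                SiteCode   = $_.SiteCode
                SiteType   = $SiteTypeName[[int]$_.Type]
                ServerName = $_.ServerName
                Version    = $_.Version
                Build      = $_.BuildNumber
                UpToDate   = ($_.Version -eq $ExpectedVersion)
            }
        }
}

function Get-CMRoleServer {
    param([string]$ProviderServer, [string]$SiteCode)
    $ns = "root\SMS\site_$SiteCode"
    # SMS_SystemResourceList has one row per role per server; collapse it to a server list.
    Get-CimInstance -ComputerName $ProviderServer -Namespace $ns -ClassName SMS_SystemResourceList |
        Group-Object -Property ServerName |
        ForEach-Object {
            [pscustomobject]@{
                ServerName = $_.Name
                SiteCode   = ($_.Group | Select-Object -First 1).SiteCode
                Roles      = ($_.Group.RoleName | Sort-Object -Unique) -join ', '
            }
        }
}

$sites = Get-CMSiteVersionReport -ProviderServer $ProviderServer -SiteCode $SiteCode -ExpectedVersion $ExpectedVersion
$sites | Format-Table SiteCode, SiteType, ServerName, Version, Build, UpToDate -AutoSize

$behind = @($sites | Where-Object { -not $_.UpToDate })
if ($behind.Count -gt 0) {
    Write-Warning "$($behind.Count) site(s) still report a different version: $($behind.SiteCode -join ', ')"
}

# Servers to review for a pending or failed restart after the update.
Get-CMRoleServer -ProviderServer $ProviderServer -SiteCode $SiteCode |
    Format-Table ServerName, SiteCode, Roles -AutoSize
```

Run it against the top-level site's provider so the SMS_Site query returns the whole hierarchy. A site that still shows the previous version after the others have finished is the one to look at in the Updates and Servicing status before you move on to the remaining post-update steps.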

Confirm site-to-site replication is active


In the Configuration Manager console, go to the following locations to view the status,
and make sure that replication is active:

Monitoring workspace, Site Hierarchy node

Monitoring workspace, Database Replication node

For more information, see the following articles:

Monitor hierarchy and replication infrastructure
About the Replication Link Analyzer

Update Configuration Manager consoles


Update all remote Configuration Manager consoles to the same version. You're
prompted to update the console when:

You open the console.

You go to a new node in the console.

Reconfigure database replicas for management points


After you update a primary site, reconfigure the database replica for management
points that you uninstalled before you updated the site. For more information, see
Database replicas for management points.

Reconfigure availability groups


If you use an availability group, reset the failover configuration to automatic. For more
information, see Prepare to use an availability group.

Reconfigure any disabled maintenance tasks


If you disabled database maintenance tasks at a site before installing the update,
reconfigure those tasks. Use the same settings that were in place before the update.

Restore hardware inventory customizations


If you changed the state of hardware inventory classes in client settings, when you
update the site, some classes may revert to a default state. For example, if you disable
the SMS_Windows8Application or SMS_Windows8ApplicationUserInfo classes, they're
enabled after installing a Configuration Manager update.

When you customize hardware inventory classes, review their configuration after you
install the update to make sure they are configured as you intend.

Update clients
Update clients per the plan you created, especially if you configured client piloting
before installing the update. For more information, see How to upgrade clients for
Windows computers.

Third-party extensions
If you use any extensions to Configuration Manager, update them to a version that
supports and is compatible with Configuration Manager version 2211.

Enable any custom solutions

Enable any custom solutions based on the Configuration Manager SDK or PowerShell
that you've already tested in a lab environment with version 2211.

Update boot images and media

Use the Update Distribution Points action for any boot image that you use, whether it's
a default or custom boot image. This action makes sure that clients can use the latest
version. Even if there isn't a new version of the Windows ADK, the Configuration
Manager client components may change with an update. If you don't update boot
images and media, task sequence deployments may fail on devices.

When you update the site, Configuration Manager automatically updates the default
boot images. It doesn't automatically distribute the updated content to distribution
points. Use the Update Distribution Points action on specific boot images when you're
ready to distribute this content across your network.

Note

For default boot images, the site always uses the current version of the
Configuration Manager client that matches the site's version. Even if you configure
automatic client upgrades to use a pre-production collection, that feature doesn't
apply to boot images.

After updating the site, manually update any custom boot images. This action updates
the boot image with the latest client components if necessary, optionally reloads it with
the current Windows PE version, and redistributes the content to the distribution points.

For more information, see Update distribution points with the boot image.

Update PowerShell help content

To get the latest information for the Configuration Manager PowerShell module, use the
Update-Help cmdlet. Run this cmdlet on all computers with the Configuration Manager
console. This help content is the same as what's published for the
ConfigurationManager module.

For more information, see Configuration Manager PowerShell cmdlets: Update help.

Next steps
Review the release notes. This article can be updated regularly, especially right after a
new current branch release. You can use RSS to be notified when this page is updated.
For more information, see How to use the docs.

Checklist for installing update 2207 for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When you use the current branch of Configuration Manager, you can install the in-
console update for version 2207 to update your hierarchy from a previous version.

To get the update for version 2207, you must use a service connection point at the top-
level site of your hierarchy. This site system role can be in online or offline mode. To
download the update when your service connection point is offline, use the service
connection tool.

After your hierarchy downloads the update package from Microsoft, find it in the
console. In the Administration workspace, select the Updates and Servicing node.

When the update is listed as Available, the update is ready to install. Before
installing version 2207, review the following information about installing update
2207 and the pre-update checklist for configurations to make before starting the
update.

If the update displays as Downloading and doesn't change, review the hman.log
and dmpdownloader.log for errors.

The dmpdownloader.log may indicate that the dmpdownloader process is
waiting for an interval before checking for updates. To restart the download of
the update's redistribution files, restart the SMS_Executive service on the site
server.

Another common download issue occurs when proxy server settings prevent
downloads from required internet endpoints.

For more information about installing updates, see In-console updates and servicing.

For more information about current branch versions, see Baseline and update versions.

About installing update 2207

Sites
Install update 2207 at the top-level site of your hierarchy. Start the installation from your
central administration site (CAS) or from your stand-alone primary site. After the update
is installed at the top-level site, child sites have the following update behavior:

Child primary sites install the update automatically after the CAS finishes the
installation of the update. You can use service windows to control when a site
installs the update. For more information, see Service windows for site servers.

Manually update each secondary site from within the Configuration Manager
console after the primary parent site finishes the update installation. Automatic
update of secondary site servers isn't supported.

Site system roles

When a site server installs the update, it automatically updates all of the site system
roles. These roles are on the site server or installed on remote servers. Before installing
the update, make sure that each site system server meets the current prerequisites for
the new update version.

Configuration Manager consoles

The first time you use a Configuration Manager console after the update has finished,
you're prompted to update that console. You can also run the Configuration Manager
setup on the computer that hosts the console, and choose the option to update the
console. Install the update to the console as soon as possible. For more information, see
Install the Configuration Manager console.

Important

When you install an update at the CAS, be aware of the following limitations and
delays that exist until all child primary sites also complete the update installation:

Client upgrades don't start. This includes automatic updates of clients and
pre-production clients. Additionally, you can't promote pre-production clients
to production until the last site completes the update installation. After the
last site completes the update installation, client updates begin based on your
configuration choices.
New features you enable with the update aren't available. This behavior is to
prevent the CAS replicating data related to that feature to a site that hasn't
yet installed support for that feature. After all primary sites install the update,
the feature is available for use.
Replication links between the CAS and child primary sites display as not
upgraded. This state displays in the update installation status as Completed
with warning for monitoring replication initialization. In the Monitoring
workspace of the console, this state displays as Link is being configured.

Early update ring

As of August 1, 2022, version 2207 is globally available for all customers to install. If you
previously opted in to the early update ring, watch for an update to this current branch
version.

At this time, version 2207 is released for the early update ring. To install this update, you
need to opt in. The following PowerShell script adds your hierarchy or standalone
primary site to the early update ring for version 2207:

Version 2207 opt-in script

Microsoft digitally signs the script, and bundles it inside a signed self-extracting
executable.

Note

The version 2207 update is only applicable to sites running version 2103 or later.

To opt in to the early update ring:

1. Open a Windows PowerShell session as administrator.

2. Run the EnableEarlyUpdateRing2207.ps1 script, using the following syntax:

EnableEarlyUpdateRing2207.ps1 <SiteServer_Name | SiteServer_IP>

Where SiteServer refers to the central administration site or standalone primary
site server. For example, EnableEarlyUpdateRing2207.ps1 cmprimary01

3. Check for updates. For more information, see Get available updates.

The version 2207 update should now be available in the console.

Important
This script only adds your site to the early update ring for version 2207. It's not a
permanent change.
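
The article states that Microsoft digitally signs the opt-in script and its self-extracting executable, so the practical check before running it is to confirm that the Authenticode signature is valid and that the signer is Microsoft, rather than trusting a file by name. The following PowerShell is an added example and is not part of the Microsoft article or of the opt-in package; the script path and the site server name are assumptions for illustration.

```powershell
# Added example (not from the Microsoft article): verify the Authenticode signature
# of the early update ring opt-in script before running it.
# The script path is an assumption; point it at the extracted .ps1 file.
$ScriptPath = 'C:\Temp\EnableEarlyUpdateRing2207.ps1'
# CAS or standalone primary site server, as in the article's syntax (assumed name).
$SiteServer = 'cmprimary01'

$sig = Get-AuthenticodeSignature -FilePath $ScriptPath

# Status 'Valid' means the file hashes to the signed value and the chain is trusted.
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)' for $ScriptPath (" +
          "$($sig.StatusMessage)). Not running it."
}

# A valid signature from an arbitrary publisher is not enough: check the signer.
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer for $ScriptPath`: $($sig.SignerCertificate.Subject)"
}

Write-Host "Signer:     $($sig.SignerCertificate.Subject)"
Write-Host "Thumbprint: $($sig.SignerCertificate.Thumbprint)"
Write-Host "Valid from $($sig.SignerCertificate.NotBefore) to $($sig.SignerCertificate.NotAfter)"

# Only now run the signed script with the site server name, per the article's syntax.
& $ScriptPath $SiteServer
```

Run it from an elevated Windows PowerShell session on the console computer, as the article's step 1 describes. The same Get-AuthenticodeSignature call can be pointed at the self-extracting executable before it is extracted.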

Pre-update checklist

All sites run a supported version of Configuration Manager
Each site server in the hierarchy must run the same version of Configuration Manager
before you can start the installation. To update to version 2207, use version 2103 or
later.

Review the status of your product licensing

You need an active Software Assurance (SA) agreement or equivalent subscription rights
to install this update. When you update the site, the Licensing page presents the option
to confirm your Software Assurance expiration date.

This value is optional. You can specify it as a convenient reminder of your license
expiration date. This date is visible when you install future updates. You might have
previously specified this value during setup or installation of an update. You can also
specify this value in the Configuration Manager console. In the Administration
workspace, expand Site Configuration, and select Sites. Select Hierarchy Settings in the
ribbon, and switch to the Licensing tab.

For more information, see Licensing and branches.

Review Microsoft .NET versions

Configuration Manager now requires Microsoft .NET Framework version 4.6.2 for site
servers, specific site systems, clients, and the console. Before you run setup to install or
update the site, first update .NET and restart the system. If possible in your environment,
install the latest version of .NET version 4.8.

This installation can put the site system server into a reboot pending state and report
errors to the Configuration Manager component status viewer. .NET applications on the
server might experience random failures until you restart the server.

For more information including how to manage restarts, see Site and site system
prerequisites.

Review the version of the Windows ADK
The version of the Windows Assessment and Deployment Kit (ADK) should be
supported for Configuration Manager version 2207. For more information, see Support
for the Windows ADK. If you need to update the Windows ADK, do so before you begin
the update of Configuration Manager. This order makes sure the default boot images
are automatically updated to the latest version of Windows PE. Manually update any
custom boot images after updating the site.

If you update the site before you update the Windows ADK, see Update distribution
points with the boot image.

Review SQL Server Native Client version

Install a minimum version of SQL Server 2012 Native Client, which includes support for
TLS 1.2. For more information, see the List of prerequisite checks.
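
The .NET Framework requirement (4.6.2 or later, followed by a restart) and the SQL Server 2012 Native Client requirement above can both be read from the registry and file system on each site system before setup is run. The following PowerShell is an added example, not part of the article and not the Configuration Manager prerequisite checker itself. The .NET release numbers are the values Microsoft documents for the NDP\v4\Full registry key; the pending-reboot registry locations and the sqlncli11.dll path are assumptions about where Windows and the Native Client record this state.

```powershell
# Added example (not from the Microsoft article): read-only readiness check for a
# site system. Run it locally on each site server and remote site system server.

# Documented "Release" values for the .NET Framework 4.x registry key.
$DotNetReleaseMinimum     = 394802   # .NET Framework 4.6.2 (the article's minimum)
$DotNetReleaseRecommended = 528040   # .NET Framework 4.8 (the article's recommendation)

function Get-DotNetRelease {
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    [int](Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
}

function Test-PendingReboot {
    # Assumed locations: the well-known places Windows records a pending restart.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $pfr = $null -ne (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue)
    return ($cbs -or $wu -or $pfr)
}

function Get-SqlNativeClientVersion {
    # sqlncli11.dll is the SQL Server 2012 Native Client (11.x) provider (assumed path).
    $dll = Join-Path $env:SystemRoot 'System32\sqlncli11.dll'
    if (Test-Path $dll) { (Get-Item $dll).VersionInfo.ProductVersion } else { $null }
}

$release = Get-DotNetRelease
$result = [pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    DotNetRelease       = $release
    DotNetMeetsMinimum  = ($release -ge $DotNetReleaseMinimum)
    DotNetIsRecommended = ($release -ge $DotNetReleaseRecommended)
    PendingReboot       = Test-PendingReboot
    SqlNativeClient     = Get-SqlNativeClientVersion
}
$result | Format-List

if (-not $result.DotNetMeetsMinimum) {
    Write-Warning 'Update .NET Framework to 4.6.2 or later and restart before running setup.'
}
if ($result.PendingReboot) {
    Write-Warning 'A restart is pending; restart this server before installing the update.'
}
if (-not $result.SqlNativeClient) {
    Write-Warning 'SQL Server 2012 Native Client (sqlncli11.dll) was not found.'
}
```

The script changes nothing; it reports the values the prerequisite checker will evaluate, so the warnings can be cleared on every site system before the in-console update is started. Compare the reported Native Client version with the minimum in the List of prerequisite checks, which the article references rather than states.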

Review the site and hierarchy status for unresolved issues

A site update can fail because of existing operational problems. Before you update a
site, resolve all operational issues for the following systems:

The site server
The site database server
Remote site system roles on other servers

For more information, see Use the status system.

Review file and data replication between sites

Make sure that file and database replication between sites is operational and current.
Delays or backlogs in either can prevent a successful update.

Database replication

For database replication, to help resolve issues before you start the update, use the
Replication Link Analyzer (RLA). For more information, see Monitor database
replication.

Use RLA to answer the following questions:

Is replication per group in a good state?
Are any links degraded?
Are there any errors?

If there's a backlog, wait until it clears out. If the backlog is large, such as millions of
records, then the link is in a bad state. Before updating the site, solve the replication
issue. If you need further assistance, contact Microsoft Support.

File-based replication
For file-based replication, check all inboxes for a backlog on both sending and receiving
sites. If there are lots of stuck or pending replication jobs, wait until they clear out.

On the sending site, review sender.log.
On the receiving site, review the despooler log.
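
The logs the article points at here (sender.log and the despooler log) and earlier in the download troubleshooting (hman.log and dmpdownloader.log) all use the same Configuration Manager log line format, so one small parser serves both passages. The following PowerShell is an added example and not part of the article: it extracts the component, severity and message from each log line, filters to warnings and errors, and counts files per inbox folder as a backlog indicator. The sample log lines are constructed for illustration, and the registry value used to find the installation directory and the backlog threshold are assumptions.

```powershell
# Added example (not from the Microsoft article): parse Configuration Manager log
# lines and report inbox backlogs.
#
# A CM log line looks like:
# <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="MM-dd-yyyy" component="..."
#   context="" type="N" thread="NNN" file="source.cpp:line">
# type 1 = informational, 2 = warning, 3 = error.
$CmLogPattern = '<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]*)"\s+date="(?<Date>[^"]*)"' +
                '\s+component="(?<Component>[^"]*)"\s+context="[^"]*"\s+type="(?<Type>\d)"' +
                '\s+thread="(?<Thread>\d+)"\s+file="(?<File>[^"]*)">'

function ConvertFrom-CmLog {
    param([Parameter(Mandatory)][string[]]$Line)
    foreach ($l in $Line) {
        $m = [regex]::Match($l, $CmLogPattern, 'Singleline')
        if (-not $m.Success) { continue }          # skip wrapped or partial lines
        $severity = switch ($m.Groups['Type'].Value) {
            '2'     { 'Warning' }
            '3'     { 'Error' }
            default { 'Info' }
        }
        [pscustomobject]@{
            Date      = $m.Groups['Date'].Value
            Time      = $m.Groups['Time'].Value
            Component = $m.Groups['Component'].Value
            Severity  = $severity
            Message   = $m.Groups['Message'].Value
        }
    }
}

function Get-CmLogProblems {
    # Warnings and errors from a log file, e.g. sender.log, hman.log, dmpdownloader.log.
    param([Parameter(Mandatory)][string]$Path)
    Get-Content -Path $Path | ConvertFrom-CmLog | Where-Object Severity -ne 'Info'
}

# Constructed sample lines showing the shape of a sender failure.
$sample = @(
    '<![LOG[Sending file E:\SMS\inboxes\schedule.box\outboxes\LAN\ABC12345.job]LOG]!><time="08:15:02.111+000" date="10-04-2022" component="SMS_LAN_SENDER" context="" type="1" thread="4312" file="sender.cpp:512">',
    '<![LOG[Cannot connect to server SITESVR02, error 53]LOG]!><time="08:15:07.998+000" date="10-04-2022" component="SMS_LAN_SENDER" context="" type="3" thread="4312" file="sender.cpp:620">'
)
$sample | ConvertFrom-CmLog | Where-Object Severity -ne 'Info' |
    Format-Table Date, Time, Component, Severity, Message -AutoSize

function Get-InboxBacklog {
    # Files per inbox folder; a large count is the "stuck or pending jobs" the article describes.
    param(
        # Assumed registry value for the site installation directory.
        [string]$InstallDir = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SMS\Identification' `
                                 -ErrorAction SilentlyContinue).'Installation Directory',
        [int]$Threshold = 500   # assumed threshold; tune for your hierarchy
    )
    if (-not $InstallDir) { throw 'Site installation directory not found; pass -InstallDir.' }
    Get-ChildItem -Path (Join-Path $InstallDir 'inboxes') -Directory -Recurse |
        ForEach-Object {
            $count = (Get-ChildItem -Path $_.FullName -File -ErrorAction SilentlyContinue | Measure-Object).Count
            [pscustomobject]@{ Inbox = $_.FullName; Files = $count; Backlog = ($count -gt $Threshold) }
        } | Sort-Object Files -Descending
}
```

Run Get-CmLogProblems against the sending site's sender.log and the receiving site's despooler log, and Get-InboxBacklog on both sites; an inbox that stays above the threshold across several runs is the backlog the article says to wait out before starting the update.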

Install all applicable critical Windows updates

Before you install an update for Configuration Manager, install any critical OS updates
for each applicable site system. These servers include the site server, site database
server, and remote site system roles. If an update that you install requires a restart,
restart the applicable servers before you start the upgrade.

Disable database replicas for management points at primary sites
Configuration Manager can't successfully update a primary site that has a database
replica for management points enabled. Before you install an update for Configuration
Manager, disable database replication.

For more information, see Database replicas for management points.

Set SQL Server Always On availability groups to manual failover
If you use an availability group, make sure that the availability group is set to manual
failover before you start the update installation. After the site has updated, you can
restore failover to be automatic. For more information, see Prepare to use an availability
group.

Disable site maintenance tasks at each site

Before you install the update, disable any site maintenance task that might run during
the time the update process is active. For example, but not limited to:

Backup Site Server
Delete Aged Client Operations
Delete Aged Discovery Data

When a site database maintenance task runs during the update installation, the update
installation can fail. Before you disable a task, record the schedule of the task so you can
restore its configuration after the update has been installed.

For more information, see Maintenance tasks and Reference for maintenance tasks.

Temporarily stop any antivirus software

Before you update a site, stop antivirus software on the Configuration Manager servers.
The antivirus software can lock some files that need to be updated, which causes the
update to fail.

Create a backup of the site database

Before you update a site, back up the site database at the CAS and primary sites. This
backup makes sure you have a successful backup to use for disaster recovery.

For more information, see Backup and recovery.

Back up customized files

If you or a third-party product customizes any Configuration Manager configuration
files, save a copy of your customizations.

For example, if you add custom entries to the osdinjection.xml file in the bin\X64 folder
of your Configuration Manager installation directory, those customizations don't persist
after you update Configuration Manager. Reapply your customizations.
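
Saving a copy is only half of the task; after the update you also need to know which customized files were overwritten. The following PowerShell is an added example and not part of the article: before the update it copies each listed file and records its SHA-256 hash in a manifest, and after the update it compares the current hashes against that manifest so the files that reverted are listed for reapplication. The registry value used to locate the installation directory, the backup path and the file list are assumptions; osdinjection.xml is the article's example.

```powershell
# Added example (not from the Microsoft article): back up customized Configuration
# Manager files with hashes before the update, and report which ones changed after it.
param(
    [Parameter(Mandatory)][ValidateSet('Backup', 'Compare')][string]$Mode,
    # Assumed registry value for the site installation directory.
    [string]$InstallDir = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SMS\Identification').'Installation Directory',
    [string]$BackupRoot = 'C:\CMBackup\Customizations',   # assumed backup location
    # Paths relative to the installation directory; extend with your own customized files.
    [string[]]$RelativePath = @('bin\X64\osdinjection.xml')
)
$manifest = Join-Path $BackupRoot 'manifest.json'

function Get-RelativeHash([string]$Rel) {
    $full = Join-Path $InstallDir $Rel
    if (Test-Path $full) { (Get-FileHash -Path $full -Algorithm SHA256).Hash } else { $null }
}

switch ($Mode) {
    'Backup' {
        $entries = foreach ($rel in $RelativePath) {
            $src = Join-Path $InstallDir $rel
            if (-not (Test-Path $src)) { Write-Warning "Not found: $src"; continue }
            $dst = Join-Path $BackupRoot $rel
            New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
            Copy-Item -Path $src -Destination $dst -Force
            [pscustomobject]@{
                RelativePath = $rel
                Sha256       = Get-RelativeHash $rel
                BackedUp     = (Get-Date).ToString('o')
            }
        }
        $entries | ConvertTo-Json | Set-Content -Path $manifest
        Write-Host "Backed up $($entries.Count) file(s) to $BackupRoot; manifest at $manifest"
    }
    'Compare' {
        # After the update: unchanged files kept their customizations, changed or
        # missing ones need the saved copy reapplied.
        foreach ($e in (Get-Content -Path $manifest -Raw | ConvertFrom-Json)) {
            $now = Get-RelativeHash $e.RelativePath
            $state = if ($now -eq $e.Sha256) { 'unchanged' }
                     elseif ($null -eq $now) { 'MISSING (restore from backup)' }
                     else { 'CHANGED (reapply customization)' }
            Write-Host ('{0,-40} {1}' -f $e.RelativePath, $state)
        }
    }
}
```

Run the script with -Mode Backup on the site server before starting the update and with -Mode Compare after the post-update checks; keep the backup root outside the installation directory so the update cannot touch it.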

Review hardware inventory customizations

If you changed the state of hardware inventory classes in client settings, when you
update the site, some classes may revert to a default state. For example, if you disable
the SMS_Windows8Application or SMS_Windows8ApplicationUserInfo classes, they're
enabled after installing a Configuration Manager update.

When you customize hardware inventory classes, note their configuration before you
install the update.

Plan for client piloting

When you install a site update that also updates the client, test that new client update in
pre-production before you update all production clients. To use this option, configure
your site to support automatic upgrades for pre-production before beginning
installation of the update.

For more information, see Upgrade clients and How to test client upgrades in a pre-
production collection.

Note

When you update to version 2107 or later, clients with PKI certificates will recreate
self-signed certificates, but don't reregister with the site. Clients without a PKI
certificate will reregister with the site, which can cause extra processing at the site.
Make sure that your process to update clients allows for randomization. If you
simultaneously update lots of clients, it may cause a backlog on the site server.

Plan to use service windows

To define a period during which updates to a site server can be installed, use service
windows. They can help you control when sites in your hierarchy install the update. For
more information, see Service windows for site servers.

Review supported extensions

If you extend Configuration Manager with other products from Microsoft, Microsoft
partners, or third-party vendors, confirm that those products support and are
compatible with version 2207. Check with the product vendor for this information.

Tip

If you develop a third-party add-on to Configuration Manager, you should test
your add-on with every monthly technical preview branch release. Regular testing
helps confirm compatibility, and allows for early reporting of any issues with
standard interfaces.

Disable any custom solutions
If your site has any custom solutions based on the Configuration Manager SDK or
PowerShell, disable this code before you update the site. Make sure to test this custom
code in a lab environment to make sure it's compatible with the new version.

Note

Starting in version 2111, third-party add-ons that use Microsoft .NET Framework
and rely on Configuration Manager libraries also need to use .NET 4.6.2 or later. For
more information, see External dependencies require .NET 4.6.2.

Read the release notes

Before you start the update, review the current release notes. With Configuration
Manager, product release notes are limited to urgent issues. These issues aren't yet fixed
in the product, or detailed in a Microsoft Support article.

Feature-specific documentation may include information about known issues that affect
core scenarios.

For more information, see the Release notes.

Install the update

Run the setup prerequisite checker

When the console lists the update as Available, you can run the prerequisite checker
before installing the update. (When you install the update on the site, prerequisite
checker runs again.)

To run a prerequisite check from the console, go to the Administration workspace, and
select Updates and Servicing. Select the Configuration Manager 2207 update package,
and select Run prerequisite check in the ribbon.

For more information, see the section to Run the prerequisite checker before installing
an update in Before you install an in-console update.

Important
When the prerequisite checker runs, the process updates some product source files
that are used for site maintenance tasks. After running the prerequisite checker, but
before installing the update, if you need to do a site maintenance task, run
Setupwpf.exe (Configuration Manager Setup) from the CD.Latest folder on the site
server.

Update sites
You're now ready to start the update installation for your hierarchy. For more
information about installing the update, see Install in-console updates.

You may plan to install the update outside of normal business hours. Determine when
the process will have the least effect on your business operations. Installing the update
and its actions reinstall site components and site system roles.

For more information, see Updates for Configuration Manager.

Post-update checklist
After the site updates, use the following checklist to complete common tasks and
configurations.

Confirm version and restart (if necessary)

Make sure each site server and site system role is updated to version 2207. In the
console, add the Version column to the Sites and Distribution Points nodes in the
Administration workspace. When necessary, a site system role automatically reinstalls to
update to the new version.

Consider restarting remote site systems that don't successfully update at first. Review
your site infrastructure and make sure that applicable site servers and remote site
system servers successfully restarted. Typically, site servers restart only when
Configuration Manager installs .NET as a prerequisite for a site system role.

Confirm site-to-site replication is active

In the Configuration Manager console, go to the following locations to view the status,
and make sure that replication is active:

Monitoring workspace, Site Hierarchy node
Monitoring workspace, Database Replication node

For more information, see the following articles:

Monitor hierarchy and replication infrastructure
About the Replication Link Analyzer

Update Configuration Manager consoles

Update all remote Configuration Manager consoles to the same version. You're
prompted to update the console when:

You open the console.

You go to a new node in the console.

Reconfigure database replicas for management points

After you update a primary site, reconfigure the database replica for management
points that you uninstalled before you updated the site. For more information, see
Database replicas for management points.

Reconfigure availability groups

If you use an availability group, reset the failover configuration to automatic. For more
information, see Prepare to use an availability group.

Reconfigure any disabled maintenance tasks

If you disabled database maintenance tasks at a site before installing the update,
reconfigure those tasks. Use the same settings that were in place before the update.
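
This step and the pre-update step "Disable site maintenance tasks at each site" are two halves of one procedure: record the task settings, disable the tasks that could run during the update, and restore the recorded settings afterwards. The following PowerShell is an added example and not part of the article or of the product; it uses the ConfigurationManager module's Get-CMSiteMaintenanceTask and Set-CMSiteMaintenanceTask cmdlets. The site code, the record file path and the task property names other than TaskName and Enabled are assumptions; the three task names are the ones the article lists as examples.

```powershell
# Added example (not from the Microsoft article): record, disable and restore site
# maintenance tasks around an in-console update.
param(
    [Parameter(Mandatory)][ValidateSet('Record', 'Disable', 'Restore')][string]$Mode,
    [string]$SiteCode = 'PS1',                                   # assumed site code
    [string]$RecordPath = 'C:\CMBackup\MaintenanceTasks-PS1.json', # assumed record file
    # Tasks named as examples in the article; add any task that may run during the update.
    [string[]]$TaskName = @('Backup Site Server',
                            'Delete Aged Client Operations',
                            'Delete Aged Discovery Data')
)

# Load the console's PowerShell module and switch to the site drive it creates.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Push-Location "$($SiteCode):"
try {
    switch ($Mode) {
        'Record' {
            # Save the current settings before changing anything, so the original
            # schedule can be restored exactly, as the article asks.
            $tasks = Get-CMSiteMaintenanceTask -SiteCode $SiteCode
            $tasks | Select-Object TaskName, Enabled, BeginTime, LatestBeginTime, DaysOfWeek |
                ConvertTo-Json | Set-Content -Path $RecordPath
            Write-Host "Recorded $(@($tasks).Count) task(s) to $RecordPath"
        }
        'Disable' {
            if (-not (Test-Path $RecordPath)) {
                throw 'Run -Mode Record first so the original settings are saved.'
            }
            foreach ($name in $TaskName) {
                Set-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $name -Enabled $false
                Write-Host "Disabled: $name"
            }
        }
        'Restore' {
            $record = Get-Content -Path $RecordPath -Raw | ConvertFrom-Json
            foreach ($task in ($record | Where-Object { $_.TaskName -in $TaskName })) {
                # Re-enable only what was enabled before; a task that was already
                # off stays off.
                Set-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $task.TaskName `
                    -Enabled ([bool]$task.Enabled)
                Write-Host "Restored: $($task.TaskName) Enabled=$($task.Enabled)"
            }
        }
    }
}
finally {
    Pop-Location
}
```

Run -Mode Record and then -Mode Disable at each site before the update, and -Mode Restore at each site after it completes. Keeping the record file under version control or alongside the site backup gives an audit trail of who changed the schedule and when.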

Restore hardware inventory customizations

If you changed the state of hardware inventory classes in client settings, when you
update the site, some classes may revert to a default state. For example, if you disable
the SMS_Windows8Application or SMS_Windows8ApplicationUserInfo classes, they're
enabled after installing a Configuration Manager update.

When you customize hardware inventory classes, review their configuration after you
install the update to make sure they are configured as you intend.

Restore user state from active deployments
If you have any active user state migrations, before you update the Configuration
Manager client on those devices, restore the user state. Due to changes to the
encryption algorithm in version 2103, the updated client will fail to restore the user state
when it tries to use a different encryption algorithm.

Update clients
Update clients per the plan you created, especially if you configured client piloting
before installing the update. For more information, see How to upgrade clients for
Windows computers.

Third-party extensions
If you use any extensions to Configuration Manager, update them to a version that
supports and is compatible with Configuration Manager version 2207.

Enable any custom solutions

Enable any custom solutions based on the Configuration Manager SDK or PowerShell
that you've already tested in a lab environment with version 2207.

Update boot images and media

Use the Update Distribution Points action for any boot image that you use, whether it's
a default or custom boot image. This action makes sure that clients can use the latest
version. Even if there isn't a new version of the Windows ADK, the Configuration
Manager client components may change with an update. If you don't update boot
images and media, task sequence deployments may fail on devices.

When you update the site, Configuration Manager automatically updates the default
boot images. It doesn't automatically distribute the updated content to distribution
points. Use the Update Distribution Points action on specific boot images when you're
ready to distribute this content across your network.

Note

For default boot images, the site always uses the current version of the
Configuration Manager client that matches the site's version. Even if you configure
automatic client upgrades to use a pre-production collection, that feature doesn't
apply to boot images.

After updating the site, manually update any custom boot images. This action updates
the boot image with the latest client components if necessary, optionally reloads it with
the current Windows PE version, and redistributes the content to the distribution points.

For more information, see Update distribution points with the boot image.

Update PowerShell help content

To get the latest information for the Configuration Manager PowerShell module, use the
Update-Help cmdlet. Run this cmdlet on all computers with the Configuration Manager
console. This help content is the same as what's published for the
ConfigurationManager module.

For more information, see Configuration Manager PowerShell cmdlets: Update help.

Next steps
Review the release notes. This article can be updated regularly, especially right after a
new current branch release. You can use RSS to be notified when this page is updated.
For more information, see How to use the docs.

Checklist for installing update 2203 for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When you use the current branch of Configuration Manager, you can install the in-
console update for version 2203 to update your hierarchy from a previous version.
Version 2203 will also be available as baseline media soon after global availability of the
in-console update, so you can use the installation media to install the first site of a new
hierarchy.

To get the update for version 2203, you must use a service connection point at the top-
level site of your hierarchy. This site system role can be in online or offline mode. To
download the update when your service connection point is offline, use the service
connection tool.

After your hierarchy downloads the update package from Microsoft, find it in the
console. In the Administration workspace, select the Updates and Servicing node.

When the update is listed as Available, the update is ready to install. Before
installing version 2203, review the following information about installing update
2203 and the pre-update checklist for configurations to make before starting the
update.

If the update displays as Downloading and doesn't change, review the hman.log
and dmpdownloader.log for errors.

The dmpdownloader.log may indicate that the dmpdownloader process is
waiting for an interval before checking for updates. To restart the download of
the update's redistribution files, restart the SMS_Executive service on the site
server.

Another common download issue occurs when proxy server settings prevent
downloads from required internet endpoints.

For more information about installing updates, see In-console updates and servicing.

For more information about current branch versions, see Baseline and update versions.

About installing update 2203

Sites
Install update 2203 at the top-level site of your hierarchy. Start the installation from your
central administration site (CAS) or from your stand-alone primary site. After the update
is installed at the top-level site, child sites have the following update behavior:

Child primary sites install the update automatically after the CAS finishes the
installation of the update. You can use service windows to control when a site
installs the update. For more information, see Service windows for site servers.

Manually update each secondary site from within the Configuration Manager
console after the primary parent site finishes the update installation. Automatic
update of secondary site servers isn't supported.

Site system roles

When a site server installs the update, it automatically updates all of the site system
roles. These roles are on the site server or installed on remote servers. Before installing
the update, make sure that each site system server meets the current prerequisites for
the new update version.

Configuration Manager consoles

The first time you use a Configuration Manager console after the update has finished,
you're prompted to update that console. You can also run the Configuration Manager
setup on the computer that hosts the console, and choose the option to update the
console. Install the update to the console as soon as possible. For more information, see
Install the Configuration Manager console.

Important

When you install an update at the CAS, be aware of the following limitations and
delays that exist until all child primary sites also complete the update installation:

Client upgrades don't start. This includes automatic updates of clients and
pre-production clients. Additionally, you can't promote pre-production clients
to production until the last site completes the update installation. After the
last site completes the update installation, client updates begin based on your
configuration choices.
New features you enable with the update aren't available. This behavior is to
prevent the CAS replicating data related to that feature to a site that hasn't
yet installed support for that feature. After all primary sites install the update,
the feature is available for use.
Replication links between the CAS and child primary sites display as not
upgraded. This state displays in the update installation status as Completed
with warning for monitoring replication initialization. In the Monitoring
workspace of the console, this state displays as Link is being configured.

Early update ring

As of April 26, 2022, version 2203 is globally available for all customers to install. If you
previously opted in to the early update ring, watch for an update to this current branch
version.

Pre-update checklist

All sites run a supported version of Configuration Manager
Each site server in the hierarchy must run the same version of Configuration Manager
before you can start the installation. To update to version 2203, use version 2010 or
later.

Review the status of your product licensing

You need an active Software Assurance (SA) agreement or equivalent subscription rights
to install this update. When you update the site, the Licensing page presents the option
to confirm your Software Assurance expiration date.

This value is optional. You can specify it as a convenient reminder of your license
expiration date. This date is visible when you install future updates. You might have
previously specified this value during setup or installation of an update. You can also
specify this value in the Configuration Manager console. In the Administration
workspace, expand Site Configuration, and select Sites. Select Hierarchy Settings in the
ribbon, and switch to the Licensing tab.

For more information, see Licensing and branches.

Review Microsoft .NET versions

Configuration Manager now requires Microsoft .NET Framework version 4.6.2 for site
servers, specific site systems, clients, and the console. Before you run setup to install or
update the site, first update .NET and restart the system. If possible in your environment,
install the latest version of .NET version 4.8.

This installation can put the site system server into a reboot pending state and report
errors to the Configuration Manager component status viewer. .NET applications on the
server might experience random failures until you restart the server.

For more information including how to manage restarts, see Site and site system
prerequisites.

Review the version of the Windows ADK

The version of the Windows Assessment and Deployment Kit (ADK) should be
supported for Configuration Manager version 2203. For more information, see Support
for the Windows ADK. If you need to update the Windows ADK, do so before you begin
the update of Configuration Manager. This order makes sure the default boot images
are automatically updated to the latest version of Windows PE. Manually update any
custom boot images after updating the site.

If you update the site before you update the Windows ADK, see Update distribution
points with the boot image.

Review SQL Server Native Client version

Install a minimum version of SQL Server 2012 Native Client, which includes support for
TLS 1.2. For more information, see the List of prerequisite checks.

Review the site and hierarchy status for unresolved issues

A site update can fail because of existing operational problems. Before you update a
site, resolve all operational issues for the following systems:

The site server
The site database server
Remote site system roles on other servers

For more information, see Use the status system.

Review file and data replication between sites


Make sure that file and database replication between sites is operational and current.
Delays or backlogs in either can prevent a successful update.

Database replication

For database replication, to help resolve issues before you start the update, use the
Replication Link Analyzer (RLA). For more information, see Monitor database
replication.

Use RLA to answer the following questions:

Is replication per group in a good state?
Are any links degraded?
Are there any errors?

If there's a backlog, wait until it clears out. If the backlog is large, such as millions of
records, then the link is in a bad state. Before updating the site, solve the replication
issue. If you need further assistance, contact Microsoft Support.

File-based replication
For file-based replication, check all inboxes for a backlog on both sending and receiving
sites. If there are lots of stuck or pending replication jobs, wait until they clear out.

On the sending site, review sender.log.
On the receiving site, review the despooler log.

Install all applicable critical Windows updates


Before you install an update for Configuration Manager, install any critical OS updates
for each applicable site system. These servers include the site server, site database
server, and remote site system roles. If an update that you install requires a restart,
restart the applicable servers before you start the upgrade.

Disable database replicas for management points at primary sites

Configuration Manager can't successfully update a primary site that has a database
replica for management points enabled. Before you install an update for Configuration
Manager, disable database replication.

For more information, see Database replicas for management points.


Set SQL Server Always On availability groups to manual failover

If you use an availability group, make sure that the availability group is set to manual
failover before you start the update installation. After the site has updated, you can
restore failover to be automatic. For more information, see Prepare to use an availability
group.

Disable site maintenance tasks at each site


Before you install the update, disable any site maintenance task that might run during
the time the update process is active. For example, but not limited to:

Backup Site Server
Delete Aged Client Operations
Delete Aged Discovery Data

When a site database maintenance task runs during the update installation, the update
installation can fail. Before you disable a task, record the schedule of the task so you can
restore its configuration after the update has been installed.

For more information, see Maintenance tasks and Reference for maintenance tasks.

Temporarily stop any antivirus software


Before you update a site, stop antivirus software on the Configuration Manager servers.
The antivirus software can lock some files that the update needs to modify, which can
cause the update to fail.

Create a backup of the site database


Before you update a site, back up the site database at the CAS and primary sites. This
backup makes sure you have a successful backup to use for disaster recovery.

For more information, see Backup and recovery.

Back up customized files


If you or a third-party product customized any Configuration Manager configuration
files, save a copy of your customizations.
For example, you might have added custom entries to the osdinjection.xml file in the
bin\X64 folder of your Configuration Manager installation directory. After you update
Configuration Manager, these customizations don't persist, so reapply them after the update.

Review hardware inventory customizations


If you changed the state of hardware inventory classes in client settings, when you
update the site, some classes may revert to a default state. For example, if you disable
the SMS_Windows8Application or SMS_Windows8ApplicationUserInfo classes, they're
enabled after installing a Configuration Manager update.

When you customize hardware inventory classes, note their configuration before you
install the update.

Plan for client piloting


When you install a site update that also updates the client, test that new client update in
pre-production before you update all production clients. To use this option, configure
your site to support automatic upgrades for pre-production before beginning
installation of the update.

For more information, see Upgrade clients and How to test client upgrades in a pre-
production collection.

Note

When you update to version 2107 or later, clients with PKI certificates will recreate
self-signed certificates, but don't reregister with the site. Clients without a PKI
certificate will reregister with the site, which can cause extra processing at the site.
Make sure that your process to update clients allows for randomization. If you
simultaneously update lots of clients, it may cause a backlog on the site server.

Plan to use service windows


To define a period during which updates to a site server can be installed, use service
windows. They can help you control when sites in your hierarchy install the update. For
more information, see Service windows for site servers.

Review supported extensions


If you extend Configuration Manager with other products from Microsoft, Microsoft
partners, or third-party vendors, confirm that those products support and are
compatible with version 2203. Check with the product vendor for this information.

Tip

If you develop a third-party add-on to Configuration Manager, you should test
your add-on with every monthly technical preview branch release. Regular testing
helps confirm compatibility, and allows for early reporting of any issues with
standard interfaces.

Disable any custom solutions


If your site has any custom solutions based on the Configuration Manager SDK or
PowerShell, disable this code before you update the site. Make sure to test this custom
code in a lab environment to make sure it's compatible with the new version.

Note

Starting in version 2111, third-party add-ons that use Microsoft .NET Framework
and rely on Configuration Manager libraries also need to use .NET 4.6.2 or later. For
more information, see External dependencies require .NET 4.6.2.

Read the release notes


Before you start the update, review the current release notes. With Configuration
Manager, product release notes are limited to urgent issues. These issues aren't yet fixed
in the product, or detailed in a Microsoft Support article.

Feature-specific documentation may include information about known issues that affect
core scenarios.

For more information, see the Release notes.

Install the update

Run the setup prerequisite checker


When the console lists the update as Available, you can run the prerequisite checker
before installing the update. (When you install the update on the site, prerequisite
checker runs again.)

To run a prerequisite check from the console, go to the Administration workspace, and
select Updates and Servicing. Select the Configuration Manager 2203 update package,
and select Run prerequisite check in the ribbon.

For more information, see the section to Run the prerequisite checker before installing
an update in Before you install an in-console update.

Important

When the prerequisite checker runs, the process updates some product source files
that are used for site maintenance tasks. After running the prerequisite checker, but
before installing the update, if you need to do a site maintenance task, run
Setupwpf.exe (Configuration Manager Setup) from the CD.Latest folder on the site
server.

Update sites
You're now ready to start the update installation for your hierarchy. For more
information about installing the update, see Install in-console updates.

You may plan to install the update outside of normal business hours. Determine when
the process will have the least effect on your business operations. Installing the update
and its actions reinstall site components and site system roles.

For more information, see Updates for Configuration Manager.

Post-update checklist
After the site updates, use the following checklist to complete common tasks and
configurations.

Confirm version and restart (if necessary)


Make sure each site server and site system role is updated to version 2203. In the
console, add the Version column to the Sites and Distribution Points nodes in the
Administration workspace. When necessary, a site system role automatically reinstalls to
update to the new version.
Consider restarting remote site systems that don't successfully update at first. Review
your site infrastructure and make sure that applicable site servers and remote site
system servers successfully restarted. Typically, site servers restart only when
Configuration Manager installs .NET as a prerequisite for a site system role.

Confirm site-to-site replication is active


In the Configuration Manager console, go to the following locations to view the status,
and make sure that replication is active:

Monitoring workspace, Site Hierarchy node

Monitoring workspace, Database Replication node

For more information, see the following articles:

Monitor hierarchy and replication infrastructure
About the Replication Link Analyzer

Update Configuration Manager consoles


Update all remote Configuration Manager consoles to the same version. You're
prompted to update the console when:

You open the console.

You go to a new node in the console.

Reconfigure database replicas for management points


After you update a primary site, reconfigure the database replica for management
points that you uninstalled before you updated the site. For more information, see
Database replicas for management points.

Reconfigure availability groups


If you use an availability group, reset the failover configuration to automatic. For more
information, see Prepare to use an availability group.

Reconfigure any disabled maintenance tasks


If you disabled database maintenance tasks at a site before installing the update,
reconfigure those tasks. Use the same settings that were in place before the update.

Restore hardware inventory customizations


If you changed the state of hardware inventory classes in client settings, when you
update the site, some classes may revert to a default state. For example, if you disable
the SMS_Windows8Application or SMS_Windows8ApplicationUserInfo classes, they're
enabled after installing a Configuration Manager update.

When you customize hardware inventory classes, review their configuration after you
install the update to make sure they are configured as you intend.

Restore user state from active deployments


If you have any active user state migrations, before you update the Configuration
Manager client on those devices, restore the user state. Due to changes to the
encryption algorithm in version 2103, the updated client will fail to restore the user state
when it tries to use a different encryption algorithm.

Update clients
Update clients per the plan you created, especially if you configured client piloting
before installing the update. For more information, see How to upgrade clients for
Windows computers.

Third-party extensions
If you use any extensions to Configuration Manager, update them to a version that
supports and is compatible with Configuration Manager version 2203.

Enable any custom solutions


Enable any custom solutions based on the Configuration Manager SDK or PowerShell
that you've already tested in a lab environment with version 2203.

Update boot images and media


Use the Update Distribution Points action for any boot image that you use, whether it's
a default or custom boot image. This action makes sure that clients can use the latest
version. Even if there isn't a new version of the Windows ADK, the Configuration
Manager client components may change with an update. If you don't update boot
images and media, task sequence deployments may fail on devices.

When you update the site, Configuration Manager automatically updates the default
boot images. It doesn't automatically distribute the updated content to distribution
points. Use the Update Distribution Points action on specific boot images when you're
ready to distribute this content across your network.

Note

For default boot images, the site always uses the current version of the
Configuration Manager client that matches the site's version. Even if you configure
automatic client upgrades to use a pre-production collection, that feature doesn't
apply to boot images.

After updating the site, manually update any custom boot images. This action updates
the boot image with the latest client components if necessary, optionally reloads it with
the current Windows PE version, and redistributes the content to the distribution points.

For more information, see Update distribution points with the boot image.

Update PowerShell help content


To get the latest information for the Configuration Manager PowerShell module, use the
Update-Help cmdlet. Run this cmdlet on all computers with the Configuration Manager
console. This help content is the same as what's published for the
ConfigurationManager module.

For more information, see Configuration Manager PowerShell cmdlets: Update help.

Next steps
Review the release notes. This article can be updated regularly, especially right after a
new current branch release. You can use RSS to be notified when this page is updated.
For more information, see How to use the docs.
Checklist for installing update 2111 for
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When you use the current branch of Configuration Manager, you can install the in-
console update for version 2111 to update your hierarchy from a previous version.

To get the update for version 2111, you must use a service connection point at the top-
level site of your hierarchy. This site system role can be in online or offline mode. To
download the update when your service connection point is offline, use the service
connection tool.

After your hierarchy downloads the update package from Microsoft, find it in the
console. In the Administration workspace, select the Updates and Servicing node.

When the update is listed as Available, the update is ready to install. Before
installing version 2111, review the following information about installing update
2111 and the pre-update checklist for configurations to make before starting the
update.

If the update displays as Downloading and doesn't change, review the hman.log
and dmpdownloader.log for errors.

The dmpdownloader.log may indicate that the dmpdownloader process is
waiting for an interval before checking for updates. To restart the download of
the update's redistribution files, restart the SMS_Executive service on the site
server.

Another common download issue occurs when proxy server settings prevent
downloads from required internet endpoints.

For more information about installing updates, see In-console updates and servicing.

For more information about current branch versions, see Baseline and update versions.

About installing update 2111

Sites
Install update 2111 at the top-level site of your hierarchy. Start the installation from your
central administration site (CAS) or from your stand-alone primary site. After the update
is installed at the top-level site, child sites have the following update behavior:

Child primary sites install the update automatically after the CAS finishes the
installation of the update. You can use service windows to control when a site
installs the update. For more information, see Service windows for site servers.

Manually update each secondary site from within the Configuration Manager
console after the primary parent site finishes the update installation. Automatic
update of secondary site servers isn't supported.

Site system roles


When a site server installs the update, it automatically updates all of the site system
roles. These roles are on the site server or installed on remote servers. Before installing
the update, make sure that each site system server meets the current prerequisites for
the new update version.

Configuration Manager consoles


The first time you use a Configuration Manager console after the update has finished,
you're prompted to update that console. You can also run the Configuration Manager
setup on the computer that hosts the console, and choose the option to update the
console. Install the update to the console as soon as possible. For more information, see
Install the Configuration Manager console.

Important

When you install an update at the CAS, be aware of the following limitations and
delays that exist until all child primary sites also complete the update installation:

Client upgrades don't start. This includes automatic updates of clients and
pre-production clients. Additionally, you can't promote pre-production clients
to production until the last site completes the update installation. After the
last site completes the update installation, client updates begin based on your
configuration choices.

New features you enable with the update aren't available. This behavior is to
prevent the CAS replicating data related to that feature to a site that hasn't
yet installed support for that feature. After all primary sites install the update,
the feature is available for use.

Replication links between the CAS and child primary sites display as not
upgraded. This state displays in the update installation status as Completed
with warning for monitoring replication initialization. In the Monitoring
workspace of the console, this state displays as Link is being configured.

Early update ring


As of December 15, 2021, version 2111 is globally available for all customers to install. If
you previously opted in to the early update ring, watch for an update to this current
branch version.

Pre-update checklist

All sites run a supported version of Configuration Manager

Each site server in the hierarchy must run the same version of Configuration Manager
before you can start the installation. To update to version 2111, use version 2006 or
later.

Review the status of your product licensing


You need an active Software Assurance (SA) agreement or equivalent subscription rights
to install this update. When you update the site, the Licensing page presents the option
to confirm your Software Assurance expiration date.

This value is optional. You can specify it as a convenient reminder of your license
expiration date. This date is visible when you install future updates. You might have
previously specified this value during setup or installation of an update. You can also
specify this value in the Configuration Manager console. In the Administration
workspace, expand Site Configuration, and select Sites. Select Hierarchy Settings in the
ribbon, and switch to the Licensing tab.

For more information, see Licensing and branches.

Review Microsoft .NET versions


Configuration Manager now requires Microsoft .NET Framework version 4.6.2 for site
servers, specific site systems, clients, and the console. Before you run setup to install or
update the site, first update .NET and restart the system. If possible in your environment,
install the latest version of .NET version 4.8.

This installation can put the site system server into a reboot pending state and report
errors to the Configuration Manager component status viewer. .NET applications on the
server might experience random failures until you restart the server.

For more information including how to manage restarts, see Site and site system
prerequisites.

Review the version of the Windows ADK


The version of the Windows Assessment and Deployment Kit (ADK) should be
supported for Configuration Manager version 2111. For more information, see Support
for the Windows ADK. If you need to update the Windows ADK, do so before you begin
the update of Configuration Manager. This order makes sure the default boot images
are automatically updated to the latest version of Windows PE. Manually update any
custom boot images after updating the site.

If you update the site before you update the Windows ADK, see Update distribution
points with the boot image.

Review SQL Server Native Client version


Install a minimum version of SQL Server 2012 Native Client, which includes support for
TLS 1.2. For more information, see the List of prerequisite checks.

Review the site and hierarchy status for unresolved issues


A site update can fail because of existing operational problems. Before you update a
site, resolve all operational issues for the following systems:

The site server
The site database server
Remote site system roles on other servers

For more information, see Use the status system.

Review file and data replication between sites


Make sure that file and database replication between sites is operational and current.
Delays or backlogs in either can prevent a successful update.

Database replication

For database replication, to help resolve issues before you start the update, use the
Replication Link Analyzer (RLA). For more information, see Monitor database
replication.

Use RLA to answer the following questions:

Is replication per group in a good state?
Are any links degraded?
Are there any errors?

If there's a backlog, wait until it clears out. If the backlog is large, such as millions of
records, then the link is in a bad state. Before updating the site, solve the replication
issue. If you need further assistance, contact Microsoft Support.

File-based replication
For file-based replication, check all inboxes for a backlog on both sending and receiving
sites. If there are lots of stuck or pending replication jobs, wait until they clear out.

On the sending site, review sender.log.
On the receiving site, review the despooler log.
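Both sender.log and the despooler log are written in the CMTrace line format, so the review step above (and the identical step in the 2203 checklist earlier) is quickest when the warning and error entries are pulled out programmatically. The following PowerShell is an added example and not code from the Configuration Manager documentation: it parses CMTrace entries and reports everything that is not informational. The sample lines embedded in the block are constructed for the example, the server name in them is a placeholder, and the log paths in the trailing comment assume the site's installation directory.

```powershell
# Added example, not from the Configuration Manager docs. Parses CMTrace-format entries
# (<![LOG[message]LOG]!><time=".." date=".." component=".." context=".." type=".." ...>)
# and reports the non-informational ones. type 1 = info, 2 = warning, 3 = error.

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)][string[]]$Line)
    $pattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!>' +
               '<time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<component>[^"]*)"' +
               '\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"\s+file="(?<file>[^"]*)">'
    foreach ($l in $Line) {
        # Continuation lines of multi-line messages do not match and are skipped.
        if ($l -match $pattern) {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.component
                Severity  = switch ([int]$Matches.type) { 1 { 'Info' } 2 { 'Warning' } 3 { 'Error' } default { 'Unknown' } }
                Thread    = [int]$Matches.thread
                Message   = $Matches.msg
            }
        }
    }
}

function Get-CMTraceProblems {
    # Warning and error entries from one or more log files, in file order.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        ConvertFrom-CMTraceLog -Line (Get-Content -Path $p) |
            Where-Object { $_.Severity -ne 'Info' } |
            Select-Object @{ n = 'Log'; e = { Split-Path $p -Leaf } }, Date, Time, Component, Severity, Message
    }
}

# Constructed sample entries in the CMTrace format; the message text is illustrative, not real log output.
$SampleLines = @(
    '<![LOG[Sender thread started]LOG]!><time="08:00:01.100+000" date="04-01-2022" component="SMS_LAN_SENDER" context="" type="1" thread="4120" file="sender.cpp:100">',
    '<![LOG[Retrying send of job 000123 to site P01, attempt 3 of 5]LOG]!><time="08:05:17.430+000" date="04-01-2022" component="SMS_LAN_SENDER" context="" type="2" thread="4120" file="sender.cpp:215">',
    '<![LOG[Cannot connect to \\SERVER-PLACEHOLDER\SMS_SITE; job 000123 left pending]LOG]!><time="08:10:44.902+000" date="04-01-2022" component="SMS_LAN_SENDER" context="" type="3" thread="4120" file="sender.cpp:230">'
)
ConvertFrom-CMTraceLog -Line $SampleLines | Where-Object Severity -ne 'Info' | Format-Table -AutoSize

# Against the real logs (placeholder installation directory):
# Get-CMTraceProblems -Path '<InstallDir>\Logs\sender.log', '<InstallDir>\Logs\despool.log'
```

Run against the sending and receiving sites' logs, the output narrows the review to the entries that indicate a stuck or failing job; a clean result for both files is what the checklist expects before the update starts.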

Install all applicable critical Windows updates


Before you install an update for Configuration Manager, install any critical OS updates
for each applicable site system. These servers include the site server, site database
server, and remote site system roles. If an update that you install requires a restart,
restart the applicable servers before you start the upgrade.
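The .NET Framework and restart requirements in this checklist (the "Review Microsoft .NET versions" and "Install all applicable critical Windows updates" sections here and in the 2203 checklist earlier) can be verified on each server before setup is run. The following PowerShell is an added example, not code from the Configuration Manager documentation. It reads the .NET Framework 4.x Release marker from the registry and the standard pending-restart indicators that Windows servicing and Windows Update leave behind. The minimum (4.6.2) and recommended (4.8) versions come from the checklist; the Release numbers are Microsoft's published markers for each 4.x release.

```powershell
# Added example (not from the Configuration Manager docs). Run on each site server,
# site system and console computer before starting setup.

# Published Release markers for the value HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release.
$DotNetReleaseMarkers = @(
    @{ Release = 394802; Version = '4.6.2' }, @{ Release = 394806; Version = '4.6.2' },
    @{ Release = 460798; Version = '4.7'   }, @{ Release = 460805; Version = '4.7'   },
    @{ Release = 461308; Version = '4.7.1' }, @{ Release = 461310; Version = '4.7.1' },
    @{ Release = 461808; Version = '4.7.2' }, @{ Release = 461814; Version = '4.7.2' },
    @{ Release = 528040; Version = '4.8'   }, @{ Release = 528049; Version = '4.8'   },
    @{ Release = 528372; Version = '4.8'   }, @{ Release = 528449; Version = '4.8'   },
    @{ Release = 533320; Version = '4.8.1' }, @{ Release = 533325; Version = '4.8.1' }
)
$MinimumRelease     = 394802   # .NET Framework 4.6.2, the checklist's minimum
$RecommendedRelease = 528040   # .NET Framework 4.8, the checklist's recommendation

function Get-DotNetFrameworkState {
    # Maps the Release marker to a version label. A marker newer than the table but
    # above the 4.8 baseline is reported as '4.8 or later' rather than failing the check.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    if (-not $release) { $release = 0 }
    $match = $DotNetReleaseMarkers | Where-Object { $_.Release -eq $release } | Select-Object -First 1
    $label = if ($match) { $match.Version }
             elseif ($release -ge $RecommendedRelease) { '4.8 or later' }
             else { 'older than 4.6.2 or not installed' }
    [pscustomobject]@{
        Release          = $release
        Version          = $label
        MeetsMinimum     = ($release -ge $MinimumRelease)
        MeetsRecommended = ($release -ge $RecommendedRelease)
    }
}

function Test-PendingRestart {
    # The three indicators that servicing, Windows Update and installers leave when a restart is owed.
    $reasons = @()
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons += 'ComponentBasedServicing'
    }
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons += 'WindowsUpdate'
    }
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
            -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { $reasons += 'PendingFileRenameOperations' }
    [pscustomobject]@{ RestartPending = ($reasons.Count -gt 0); Reasons = $reasons }
}

$dotnet  = Get-DotNetFrameworkState
$restart = Test-PendingRestart
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    DotNetVersion    = $dotnet.Version
    MeetsMinimum     = $dotnet.MeetsMinimum
    MeetsRecommended = $dotnet.MeetsRecommended
    RestartPending   = $restart.RestartPending
    RestartReasons   = ($restart.Reasons -join ', ')
    ReadyForSetup    = ($dotnet.MeetsMinimum -and -not $restart.RestartPending)
}
```

A server that reports ReadyForSetup as False either still needs the .NET update or still owes a restart from it or from a Windows update; in both cases the checklist says to finish that before setup runs, which avoids the reboot-pending state and the component status errors described above.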

Disable database replicas for management points at primary sites

Configuration Manager can't successfully update a primary site that has a database
replica for management points enabled. Before you install an update for Configuration
Manager, disable database replication.

For more information, see Database replicas for management points.


Set SQL Server Always On availability groups to manual failover

If you use an availability group, make sure that the availability group is set to manual
failover before you start the update installation. After the site has updated, you can
restore failover to be automatic. For more information, see Prepare to use an availability
group.

Disable site maintenance tasks at each site


Before you install the update, disable any site maintenance task that might run during
the time the update process is active. For example, but not limited to:

Backup Site Server
Delete Aged Client Operations
Delete Aged Discovery Data

When a site database maintenance task runs during the update installation, the update
installation can fail. Before you disable a task, record the schedule of the task so you can
restore its configuration after the update has been installed.

For more information, see Maintenance tasks and Reference for maintenance tasks.

Temporarily stop any antivirus software


Before you update a site, stop antivirus software on the Configuration Manager servers.
The antivirus software can lock some files that the update needs to modify, which can
cause the update to fail.

Create a backup of the site database


Before you update a site, back up the site database at the CAS and primary sites. This
backup makes sure you have a successful backup to use for disaster recovery.

For more information, see Backup and recovery.

Back up customized files


If you or a third-party product customized any Configuration Manager configuration
files, save a copy of your customizations.
For example, you might have added custom entries to the osdinjection.xml file in the
bin\X64 folder of your Configuration Manager installation directory. After you update
Configuration Manager, these customizations don't persist, so reapply them after the update.
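The backup step above (the same step appears in the 2203 checklist earlier) is more useful when the copy is paired with a hash of the original, because after the update you can then tell exactly which customized files setup replaced and need reapplying. The following PowerShell is an added example and not code from the Configuration Manager documentation. It reads the installation directory from the registry value setup writes under HKLM\SOFTWARE\Microsoft\SMS\Identification, backs up the checklist's example file (osdinjection.xml under bin\X64) by default, and records SHA-256 hashes in a manifest; the backup root is a placeholder.

```powershell
# Added example, not from the Configuration Manager docs. Backs up customized files and
# records their SHA-256 so the post-update check can tell whether setup replaced them.

function Get-CMInstallDirectory {
    # Installation directory as recorded by Configuration Manager setup.
    (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Identification' `
        -Name 'Installation Directory').'Installation Directory'
}

function Backup-CMCustomizedFiles {
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [string[]]$RelativePath = @('bin\X64\osdinjection.xml'),   # extend with other customized files
        [string]$InstallDir = (Get-CMInstallDirectory)
    )
    $dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $manifest = foreach ($rel in $RelativePath) {
        $src = Join-Path $InstallDir $rel
        if (-not (Test-Path $src)) { Write-Warning "Not found, skipped: $src"; continue }
        $target = Join-Path $dest $rel
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        Copy-Item -Path $src -Destination $target
        [pscustomobject]@{
            Source = $src
            Backup = $target
            Sha256 = (Get-FileHash -Path $src -Algorithm SHA256).Hash
        }
    }
    $manifest | Export-Clixml -Path (Join-Path $dest 'manifest.xml')
    $manifest
}

function Test-CMCustomizedFilesReplaced {
    # After the update: which backed-up files no longer match the recorded hash?
    # Replaced = $true means setup overwrote the file and the customization must be reapplied
    # from the backup copy; a missing file is reported as replaced too.
    param([Parameter(Mandatory)][string]$ManifestPath)
    foreach ($m in Import-Clixml -Path $ManifestPath) {
        $now = if (Test-Path $m.Source) { (Get-FileHash -Path $m.Source -Algorithm SHA256).Hash } else { $null }
        [pscustomobject]@{ File = $m.Source; Replaced = ($now -ne $m.Sha256); Backup = $m.Backup }
    }
}

# Before the update (placeholder path):
# $backup = Backup-CMCustomizedFiles -BackupRoot 'D:\CMUpdateBackup'
# After the update:
# Test-CMCustomizedFilesReplaced -ManifestPath 'D:\CMUpdateBackup\<timestamp>\manifest.xml'
```

Reapply the customizations by merging them into the new file rather than copying the backup over it, since the updated file may itself carry new entries from the release.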

Review hardware inventory customizations


If you changed the state of hardware inventory classes in client settings, when you
update the site, some classes may revert to a default state. For example, if you disable
the SMS_Windows8Application or SMS_Windows8ApplicationUserInfo classes, they're
enabled after installing a Configuration Manager update.

When you customize hardware inventory classes, note their configuration before you
install the update.

Plan for client piloting


When you install a site update that also updates the client, test that new client update in
pre-production before you update all production clients. To use this option, configure
your site to support automatic upgrades for pre-production before beginning
installation of the update.

For more information, see Upgrade clients and How to test client upgrades in a pre-
production collection.

Note

When you update to version 2107 or later, clients with PKI certificates will recreate
self-signed certificates, but don't reregister with the site. Clients without a PKI
certificate will reregister with the site, which can cause extra processing at the site.
Make sure that your process to update clients allows for randomization. If you
simultaneously update lots of clients, it may cause a backlog on the site server.

Plan to use service windows


To define a period during which updates to a site server can be installed, use service
windows. They can help you control when sites in your hierarchy install the update. For
more information, see Service windows for site servers.

Review supported extensions


If you extend Configuration Manager with other products from Microsoft, Microsoft
partners, or third-party vendors, confirm that those products support and are
compatible with version 2111. Check with the product vendor for this information.

Tip

If you develop a third-party add-on to Configuration Manager, you should test
your add-on with every monthly technical preview branch release. Regular testing
helps confirm compatibility, and allows for early reporting of any issues with
standard interfaces.

Disable any custom solutions


If your site has any custom solutions based on the Configuration Manager SDK or
PowerShell, disable this code before you update the site. Make sure to test this custom
code in a lab environment to make sure it's compatible with the new version.

Note

Starting in version 2111, third-party add-ons that use Microsoft .NET Framework
and rely on Configuration Manager libraries also need to use .NET 4.6.2 or later. For
more information, see External dependencies require .NET 4.6.2.

Read the release notes


Before you start the update, review the current release notes. With Configuration
Manager, product release notes are limited to urgent issues. These issues aren't yet fixed
in the product, or detailed in a Microsoft Support article.

Feature-specific documentation may include information about known issues that affect
core scenarios.

For more information, see the Release notes.

Install the update

Run the setup prerequisite checker


When the console lists the update as Available, you can run the prerequisite checker
before installing the update. (When you install the update on the site, prerequisite
checker runs again.)

To run a prerequisite check from the console, go to the Administration workspace, and
select Updates and Servicing. Select the Configuration Manager 2111 update package,
and select Run prerequisite check in the ribbon.

For more information, see the section to Run the prerequisite checker before installing
an update in Before you install an in-console update.

Important

When the prerequisite checker runs, the process updates some product source files
that are used for site maintenance tasks. After running the prerequisite checker, but
before installing the update, if you need to do a site maintenance task, run
Setupwpf.exe (Configuration Manager Setup) from the CD.Latest folder on the site
server.

Update sites
You're now ready to start the update installation for your hierarchy. For more
information about installing the update, see Install in-console updates.

You may plan to install the update outside of normal business hours. Determine when
the process will have the least effect on your business operations. Installing the update
and its actions reinstall site components and site system roles.

For more information, see Updates for Configuration Manager.

Post-update checklist
After the site updates, use the following checklist to complete common tasks and
configurations.

Confirm version and restart (if necessary)


Make sure each site server and site system role is updated to version 2111. In the
console, add the Version column to the Sites and Distribution Points nodes in the
Administration workspace. When necessary, a site system role automatically reinstalls to
update to the new version.
Consider restarting remote site systems that don't successfully update at first. Review
your site infrastructure and make sure that applicable site servers and remote site
system servers successfully restarted. Typically, site servers restart only when
Configuration Manager installs .NET as a prerequisite for a site system role.
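The version check above (and its counterpart in the 2203 post-update checklist earlier) can be done from the Configuration Manager PowerShell module as well as by adding the Version column in the console. The following is an added example, not code from the Configuration Manager documentation. It assumes the module shipped with the console is imported and the session is on the site drive, uses Get-CMSite and the SMS_Site properties (SiteCode, ServerName, Type, Version, BuildNumber), and takes the expected full version string as a placeholder; when none is given it treats the top-level site's version as the reference, since "all sites updated" in a hierarchy means every site matches it.

```powershell
# Added example, not from the Configuration Manager docs. Assumes the ConfigurationManager
# module is loaded and the session is on the site drive (for example 'P01:', a placeholder).
# SMS_Site.Type values: 1 = secondary site, 2 = primary site, 4 = central administration site.

function Get-CMSiteVersionReport {
    param([string]$ExpectedVersion)   # full version string of the release, e.g. as shown under Updates and Servicing
    $sites = @(Get-CMSite)
    if (-not $ExpectedVersion) {
        # Reference is the CAS, or the stand-alone primary site when there is no CAS.
        $top = $sites | Where-Object { $_.Type -eq 4 } | Select-Object -First 1
        if (-not $top) { $top = $sites | Where-Object { $_.Type -eq 2 } | Select-Object -First 1 }
        $ExpectedVersion = $top.Version
    }
    foreach ($s in $sites) {
        [pscustomobject]@{
            SiteCode   = $s.SiteCode
            Server     = $s.ServerName
            Type       = switch ([int]$s.Type) { 4 { 'CAS' } 2 { 'Primary' } 1 { 'Secondary' } default { $s.Type } }
            Version    = $s.Version
            Build      = $s.BuildNumber
            AtExpected = ($s.Version -eq $ExpectedVersion)
        }
    }
}

function Test-CMHierarchyUpdated {
    # $true only when every site reports the expected version; Behind lists the rest,
    # which is where to look for a remote site system that still needs a restart.
    param([string]$ExpectedVersion)
    $report = Get-CMSiteVersionReport -ExpectedVersion $ExpectedVersion
    $behind = @($report | Where-Object { -not $_.AtExpected })
    [pscustomobject]@{ AllUpdated = ($behind.Count -eq 0); Behind = $behind }
}

# Get-CMSiteVersionReport -ExpectedVersion '<full version string of 2111>' | Format-Table -AutoSize
# (Test-CMHierarchyUpdated -ExpectedVersion '<full version string of 2111>').AllUpdated
```

Secondary sites appear in the report as behind until you update them manually from the console, as the "Sites" section at the start of this article describes; distribution points are still checked with the Version column in the Distribution Points node.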

Confirm site-to-site replication is active


In the Configuration Manager console, go to the following locations to view the status,
and make sure that replication is active:

Monitoring workspace, Site Hierarchy node

Monitoring workspace, Database Replication node

For more information, see the following articles:

Monitor hierarchy and replication infrastructure
About the Replication Link Analyzer

Update Configuration Manager consoles


Update all remote Configuration Manager consoles to the same version. You're
prompted to update the console when:

You open the console.

You go to a new node in the console.

Reconfigure database replicas for management points


After you update a primary site, reconfigure the database replica for management
points that you uninstalled before you updated the site. For more information, see
Database replicas for management points.

Reconfigure availability groups


If you use an availability group, reset the failover configuration to automatic. For more
information, see Prepare to use an availability group.
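The two availability group steps, manual failover before the update ("Set SQL Server Always On availability groups to manual failover" in both checklists) and automatic afterwards (this section and its 2203 counterpart), are the same change in opposite directions. The following PowerShell is an added example, not code from the Configuration Manager or SQL Server documentation. It uses Invoke-Sqlcmd from the SqlServer module against the current primary replica, reads the replicas' failover mode from sys.availability_groups and sys.availability_replicas, and applies ALTER AVAILABILITY GROUP ... MODIFY REPLICA ... WITH (FAILOVER_MODE = ...). The instance and group names are placeholders.

```powershell
# Added example, not from the Configuration Manager docs. Requires the SqlServer module
# (Invoke-Sqlcmd). ALTER AVAILABILITY GROUP must run on the group's current primary replica.

function Get-CMAvailabilityGroupReplicas {
    param([Parameter(Mandatory)][string]$ServerInstance, [Parameter(Mandatory)][string]$AvailabilityGroup)
    # The group name is supplied as a sqlcmd variable rather than spliced into the query text.
    $query = @'
SELECT ag.name                    AS AvailabilityGroup,
       ar.replica_server_name     AS Replica,
       ar.availability_mode_desc  AS AvailabilityMode,
       ar.failover_mode_desc      AS FailoverMode
FROM sys.availability_groups ag
JOIN sys.availability_replicas ar ON ar.group_id = ag.group_id
WHERE ag.name = N'$(AG)';
'@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $query -Variable @("AG=$AvailabilityGroup")
}

function Set-CMAvailabilityGroupFailoverMode {
    # MANUAL before the site update, AUTOMATIC after it. Automatic failover is only valid for
    # synchronous-commit replicas, so asynchronous replicas are reported and left unchanged.
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        [Parameter(Mandatory)][string]$AvailabilityGroup,
        [Parameter(Mandatory)][ValidateSet('MANUAL', 'AUTOMATIC')][string]$FailoverMode
    )
    $agName = $AvailabilityGroup -replace '\]', ']]'   # bracket-escape the identifier
    foreach ($r in Get-CMAvailabilityGroupReplicas -ServerInstance $ServerInstance -AvailabilityGroup $AvailabilityGroup) {
        if ($r.FailoverMode -eq $FailoverMode) { continue }
        if ($FailoverMode -eq 'AUTOMATIC' -and $r.AvailabilityMode -ne 'SYNCHRONOUS_COMMIT') {
            Write-Warning "$($r.Replica) is $($r.AvailabilityMode); automatic failover requires synchronous commit. Skipped."
            continue
        }
        $replica = $r.Replica -replace "'", "''"
        $alter = "ALTER AVAILABILITY GROUP [$agName] MODIFY REPLICA ON N'$replica' WITH (FAILOVER_MODE = $FailoverMode);"
        Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $alter
    }
    # Return the resulting state so the change can be verified in the same step.
    Get-CMAvailabilityGroupReplicas -ServerInstance $ServerInstance -AvailabilityGroup $AvailabilityGroup
}

# Before the update (placeholder names):
# Set-CMAvailabilityGroupFailoverMode -ServerInstance 'SQL-PRIMARY\INST' -AvailabilityGroup 'CMAG' -FailoverMode MANUAL
# After the update:
# Set-CMAvailabilityGroupFailoverMode -ServerInstance 'SQL-PRIMARY\INST' -AvailabilityGroup 'CMAG' -FailoverMode AUTOMATIC
```

Record the output of the pre-update call: if any replica was already manual before the update, the post-update call would otherwise switch it to automatic when the original configuration did not have it that way.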

Reconfigure any disabled maintenance tasks


If you disabled database maintenance tasks at a site before installing the update,
reconfigure those tasks. Use the same settings that were in place before the update.
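The record, disable and restore steps for maintenance tasks (this section and the pre-update "Disable site maintenance tasks at each site" sections of both checklists) fit one script, so the restored configuration is exactly what was recorded. This is an added example rather than code from the Configuration Manager documentation. It assumes the console's PowerShell module is imported and the session is on the site drive, and uses the module's Get-CMSiteMaintenanceTask and Set-CMSiteMaintenanceTask cmdlets with the task objects' TaskName, Enabled and schedule properties; confirm the parameter names with Get-Help on your console version. The site code and state file path are placeholders, and the default task list is the checklist's three examples.

```powershell
# Added example, not from the Configuration Manager docs. Assumes:
#   Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
#   Set-Location 'P01:'   # placeholder site code; the CM cmdlets require the site drive

function Export-CMMaintenanceTaskState {
    # Records each task's enabled state and schedule before anything is changed.
    param([Parameter(Mandatory)][string]$SiteCode, [Parameter(Mandatory)][string]$Path)
    $state = Get-CMSiteMaintenanceTask -SiteCode $SiteCode |
        Select-Object TaskName, Enabled, BeginTime, LatestBeginTime, DaysOfWeek, DeleteOlderThan
    $state | Export-Clixml -Path $Path
    $state
}

function Disable-CMMaintenanceTasksForUpdate {
    # Disables the named tasks (the checklist's examples by default). Refuses to run unless the
    # state was exported first, so the restore step always has something to restore from.
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$StatePath,
        [string[]]$TaskName = @('Backup Site Server', 'Delete Aged Client Operations', 'Delete Aged Discovery Data')
    )
    if (-not (Test-Path $StatePath)) { throw "Export the task state to $StatePath before disabling tasks." }
    foreach ($name in $TaskName) {
        Get-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $name |
            Set-CMSiteMaintenanceTask -Enabled $false
    }
}

function Restore-CMMaintenanceTaskState {
    # Re-applies only the Enabled flag from the recorded state; the schedules were never changed,
    # and tasks that already match are left alone.
    param([Parameter(Mandatory)][string]$SiteCode, [Parameter(Mandatory)][string]$StatePath)
    foreach ($saved in Import-Clixml -Path $StatePath) {
        $current = Get-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $saved.TaskName
        if ($current -and $current.Enabled -ne $saved.Enabled) {
            $current | Set-CMSiteMaintenanceTask -Enabled $saved.Enabled
        }
    }
}

# Before the update (placeholders):
# Export-CMMaintenanceTaskState -SiteCode 'P01' -Path 'C:\CMUpdate\P01-tasks.xml'
# Disable-CMMaintenanceTasksForUpdate -SiteCode 'P01' -StatePath 'C:\CMUpdate\P01-tasks.xml'
# After the update:
# Restore-CMMaintenanceTaskState -SiteCode 'P01' -StatePath 'C:\CMUpdate\P01-tasks.xml'
```

Run the export and disable steps at every site in the hierarchy, as the checklist requires, and keep each site's state file until the restore at that site has been verified against it.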

Restore hardware inventory customizations


If you changed the state of hardware inventory classes in client settings, when you
update the site, some classes may revert to a default state. For example, if you disable
the SMS_Windows8Application or SMS_Windows8ApplicationUserInfo classes, they're
enabled after installing a Configuration Manager update.

When you customize hardware inventory classes, review their configuration after you
install the update to make sure they are configured as you intend.

Restore user state from active deployments


If you have any active user state migrations, before you update the Configuration
Manager client on those devices, restore the user state. Due to changes to the
encryption algorithm in version 2103, the updated client will fail to restore the user state
when it tries to use a different encryption algorithm.

Update clients
Update clients per the plan you created, especially if you configured client piloting
before installing the update. For more information, see How to upgrade clients for
Windows computers.

Third-party extensions
If you use any extensions to Configuration Manager, update them to a version that
supports and is compatible with Configuration Manager version 2111.

Enable any custom solutions


Enable any custom solutions based on the Configuration Manager SDK or PowerShell
that you've already tested in a lab environment with version 2111.

Update boot images and media


Use the Update Distribution Points action for any boot image that you use, whether it's
a default or custom boot image. This action makes sure that clients can use the latest
version. Even if there isn't a new version of the Windows ADK, the Configuration
Manager client components may change with an update. If you don't update boot
images and media, task sequence deployments may fail on devices.

When you update the site, Configuration Manager automatically updates the default
boot images. It doesn't automatically distribute the updated content to distribution
points. Use the Update Distribution Points action on specific boot images when you're
ready to distribute this content across your network.

Note

For default boot images, the site always uses the current version of the
Configuration Manager client that matches the site's version. Even if you configure
automatic client upgrades to use a pre-production collection, that feature doesn't
apply to boot images.

After updating the site, manually update any custom boot images. This action updates
the boot image with the latest client components if necessary, optionally reloads it with
the current Windows PE version, and redistributes the content to the distribution points.

For more information, see Update distribution points with the boot image.

Update PowerShell help content


To get the latest information for the Configuration Manager PowerShell module, use the
Update-Help cmdlet. Run this cmdlet on all computers with the Configuration Manager
console. This help content is the same as what's published for the
ConfigurationManager module.

For more information, see Configuration Manager PowerShell cmdlets: Update help.

Next steps
Review the release notes. This article can be updated regularly, especially right after a
new current branch release. You can use RSS to be notified when this page is updated.
For more information, see How to use the docs.
Support for Configuration Manager
current branch versions
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Microsoft plans to release updates for Configuration Manager current branch a few
times per year. Each update version remains in support for 18 months from its general
availability release date. Microsoft provides technical support for the entire period of
support. There are two distinct servicing phases that depend on the availability of the
latest current branch version:

Security and Critical Updates servicing phase - When running the latest current
branch version of Configuration Manager, you receive both Security and Critical
Updates.

Security Updates (Only) servicing phase - After the release of a new current
branch version, Microsoft only supports security updates to older versions for the
remainder of that version's support lifecycle.

Note

The latest current branch version is always in the Security and Critical Updates
servicing phase. This support statement means that if you encounter a code defect
that warrants a critical update, you must have the latest current branch version
installed in order to receive a fix. All other supported current branch versions are
eligible to receive only security updates.

All support ends after the 18-month lifecycle has expired for a current branch
version.

Update your Configuration Manager environment to the latest version before support for
your current version expires.

For example, version 2203 releases in April 2022. Microsoft provides security and critical
updates to that version for four months, through July 2022. It then switches to only
security updates for the remaining 14 months of its support lifecycle, through
September 2023.

For a list of the current branch versions, see Version details.


For more information about version numbers, and availability as an in-console update or
as a baseline, see Baseline and update versions.
Back up a Configuration Manager site
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Prepare backup and recovery approaches to avoid data loss. For Configuration Manager
sites, a backup and recovery approach can help you to recover sites and hierarchies
more quickly, and with the least data loss.

The sections in this article can help you back up your sites. To recover a site, see
Recovery for Configuration Manager.

Warning

The two backup methods supported for Configuration Manager site recovery are:

A successful backup from the Backup Site Server maintenance task


A manually recovered site database backup

Considerations before creating a backup


If you use a SQL Server Always On availability group to host the site database:
Modify your backup and recovery plans as described in Prepare to use an
availability group.

Configuration Manager can recover the site database from the Configuration
Manager backup task. It can also use a backup of the site database that you create
with another process.

For example, you can restore the site database from a backup that's created as
part of a SQL Server maintenance plan. You can also use a backup that's created by
using Data Protection Manager to back up your site database.

You can also install an additional site server in passive mode. The site server in
passive mode is in addition to your existing site server in active mode. A site server
in passive mode is available for immediate use, when needed. For more
information, see Site server high availability. While this role doesn't remove the
need to plan for and practice backup and recovery operations, it significantly
reduces the effort to recover a site when necessary.
Using Data Protection Manager to back up your site database

You can use System Center Data Protection Manager (DPM) to back up your
Configuration Manager site database.

Create a new protection group in DPM for the site database computer. On the Select
Group Members page of the Create New Protection Group Wizard, you select the SMS
Writer service from the data source list. Then select the site database as an appropriate
member. For more information about using DPM, see the Data Protection Manager
documentation library.

Important

Configuration Manager doesn't support DPM backup for a SQL Server Always On
failover cluster instance that uses a named instance. It does support DPM backup
on a failover cluster instance that uses the default instance of SQL Server.

After you restore the site database, follow the steps in setup to recover the site. To use
the site database that you backed up with Data Protection Manager, select the recovery
option to Use a site database that has been manually recovered.

Backup maintenance task


You can automate backup for Configuration Manager sites by scheduling the predefined
Backup Site Server maintenance task. This task has the following features:

Runs on a schedule
Backs up the site database
Backs up specific registry keys
Backs up specific folders and files
Backs up the CD.Latest folder

Plan to run the default site backup task at a minimum of every five days. This schedule is
because Configuration Manager uses a SQL Server change tracking retention period of
five days. For more information, see SQL Server change tracking retention period.

To simplify the backup process, you can create an AfterBackup.bat file. This script
automatically runs post-backup actions after the backup task completes successfully.
Use the AfterBackup.bat file to archive the backup snapshot to a secure location. You
can also use the AfterBackup.bat file to copy files to your backup folder, or to start other
backup tasks.

You can back up a central administration site and primary site. Secondary sites or site
system servers don't have backup tasks.

When the Configuration Manager backup service runs, it follows the instructions defined
in the backup control file:
<ConfigMgrInstallationFolder>\Inboxes\Smsbkup.box\Smsbkup.ctl. You can modify the
backup control file to change the behavior of the backup service.

Note

Modifications of Smsbkup.ctl apply after a restart of the SMS_SITE_VSS_WRITER service
on the site server.

Site backup status information is written to the Smsbkup.log file. This file is created in
the destination folder that you specify in the properties of the Backup Site Server
maintenance task.

To enable the site backup maintenance task


1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. Select the site for which you want to enable the site backup maintenance task.

3. Select Site Maintenance Tasks in the ribbon.

4. Select the Backup Site Server task, and select Edit.

5. Select the option to Enable this task. Select Set Paths to specify the backup
destination. You have the following options:

Important

To help prevent tampering of the backup files, store the files in a secure
location. The most secure backup path is to a local drive, so you can set NTFS
file permissions on the folder. Configuration Manager doesn't encrypt the
backup data that's stored in the backup path.

Local drive on site server for site data and database: Specifies that the task
stores the backup files for the site and site database in the specified path on
the local disk drive of the site server. Create the local folder before the
backup task runs. The Local System account on the site server must have
Write NTFS file permissions to the local folder for the site server backup. The
Local System account on the computer that's running SQL Server must have
Write NTFS permissions to the folder for the site database backup.

Network path (UNC name) for site data and database: Specifies that the task
stores the backup files for the site and site database in the specified network
path. Create the share before the backup task runs. The computer account of
the site server must have Write NTFS and share permissions to the shared
network folder. If SQL Server is installed on another computer, the computer
account of the SQL Server must have the same permissions.

Local drives on site server and SQL Server: Specifies that the task stores the
backup files for the site in the specified path on the local drive of the site
server. The task stores the backup files for the site database in the specified
path on the local drive of the site database server. Create the local folders
before the backup task runs. The computer account of the site server must
have Write NTFS permissions to the folder that you create on the site server.
The computer account of the SQL Server must have Write NTFS permissions
to the folder that you create on the site database server. This option is
available only when the site database isn't installed on the site server.

Note

The option to browse to the backup destination is only available when you
specify the network path of the backup destination.

The folder name or share name that's used for the backup destination doesn't
support the use of Unicode characters.

6. Configure a schedule for the site backup task. Consider a backup schedule that's
outside active working hours. If you have a hierarchy, consider a schedule that runs
at least two times a week. If the site fails, this schedule ensures maximum data
retention.

When you run the Configuration Manager console on the same site server that
you're configuring for backup, the backup task uses local time for the schedule.
When you run the Configuration Manager console from another computer, the
backup task uses Coordinated Universal Time (UTC) for the schedule.

7. Choose whether to create an alert if the site backup task fails. When selected,
Configuration Manager creates a critical alert for the backup failure. You can review
these alerts in the Alerts node of the Monitoring workspace.

Verify that the Backup Site Server maintenance task is running


Check the timestamp on the files in the backup destination folder that the task
created. Verify that the timestamp updates to the time when the task was last
scheduled to run.

Go to the Component Status node of the Monitoring workspace. Review the status
messages for SMS_SITE_BACKUP. When site backup completes successfully, you see
message ID 5035. This message indicates that the site backup completed without any
errors.

When you configure the backup task to create an alert when it fails, look for
backup failure alerts in the Alerts node of the Monitoring workspace.

Open Windows Explorer on the site server and browse to
<ConfigMgrInstallationFolder>\Logs. Review Smsbkup.log for warnings and errors. When
site backup completes successfully, the log shows Backup completed with message ID
STATMSG: ID=5035.

Tip

When the backup maintenance task fails, restart the backup task by stopping
and restarting the SMS_SITE_BACKUP Windows service.
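As an added check that is not part of the original article, the following PowerShell script applies the three verifications above on the site server: the age of the newest file in the backup destination, the last status message ID 5035 in Smsbkup.log, and the state of the SMS_SITE_BACKUP service. The backup path, the installation folder and the log line format are assumptions; adjust them for your site.

```powershell
param(
    [string]$BackupPath  = 'E:\ConfigMgr_Backup',   # assumed: destination set with Set Paths
    [string]$SiteLogPath = 'C:\Program Files\Microsoft Configuration Manager\Logs',  # assumed
    [int]$MaxAgeDays     = 5                        # SQL Server change tracking retention period
)

function Test-SiteBackup {
    param([string]$BackupPath, [string]$SiteLogPath, [int]$MaxAgeDays)

    $result = [ordered]@{
        NewestFile      = $null
        SnapshotFresh   = $false
        LastSuccess     = $null
        ErrorsAfterLast = 0
        BackupService   = 'NotInstalled'
    }

    # 1. Snapshot age. The task deletes the previous snapshot before it starts, so a
    #    missing or stale newest file means the last scheduled run did not complete.
    $newest = Get-ChildItem -Path $BackupPath -Recurse -File -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($newest) {
        $result.NewestFile    = $newest.FullName
        $result.SnapshotFresh = ((Get-Date) - $newest.LastWriteTime).TotalDays -le $MaxAgeDays
    }

    # 2. Smsbkup.log. Success is logged as status message ID 5035. The line format is
    #    assumed to be the usual ConfigMgr one, <![LOG[...]LOG]!><time="..." date="..." ...
    #    type="N" ...>, where type="3" marks an error; verify against your own log.
    $log = Join-Path $SiteLogPath 'Smsbkup.log'
    if (Test-Path $log) {
        $lastOk = Select-String -Path $log -Pattern 'STATMSG: ID=5035' | Select-Object -Last 1
        if ($lastOk) {
            $result.LastSuccess = $lastOk.Line -replace '.*time="([^"]+)".*date="([^"]+)".*', '$2 $1'
            $lines = @(Get-Content -Path $log)
            if ($lastOk.LineNumber -lt $lines.Count) {
                $tail = $lines[$lastOk.LineNumber..($lines.Count - 1)]
                $result.ErrorsAfterLast = @($tail | Select-String -Pattern 'type="3"').Count
            }
        }
    }

    # 3. The Windows service that runs the task (restart it if a run hangs, as in the tip).
    $svc = Get-Service -Name 'SMS_SITE_BACKUP' -ErrorAction SilentlyContinue
    if ($svc) { $result.BackupService = $svc.Status.ToString() }

    [pscustomobject]$result
}

$status = Test-SiteBackup -BackupPath $BackupPath -SiteLogPath $SiteLogPath -MaxAgeDays $MaxAgeDays
$status | Format-List
# A non-zero exit code lets a scheduled monitoring job flag a stale or failed backup.
if (-not $status.SnapshotFresh -or -not $status.LastSuccess -or $status.ErrorsAfterLast -gt 0) { exit 1 }
```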

Archive the backup snapshot


The backup task creates a backup snapshot the first time it runs. You can use this
snapshot to recover your site server if it fails. When the backup task runs again on
schedule, it creates a new backup snapshot that overwrites the previous snapshot. As a
result, the site has only a single backup snapshot, and you've no way of retrieving an
earlier backup snapshot.

Keep multiple archives of the backup snapshot for the following reasons:

It's common for backup media to fail, get misplaced, or include only a partial
backup. Recovering a failed stand-alone primary site from an older backup is
better than recovering without any backup. For a site server in a hierarchy, the
backup must be within the SQL Server change tracking retention period; otherwise
the backup isn't required.

A corruption in the site can go undetected for several backup cycles. You might
have to use a backup snapshot from before the site became corrupted. This reason
applies to a stand-alone primary site and to sites in a hierarchy where the backup
is in the SQL Server change tracking retention period.

The site might have no backup snapshot at all. For example, if the Backup Site
Server maintenance task fails. Because the backup task removes the previous
backup snapshot before it starts to back up the current data, there won't be a valid
backup snapshot.

Use the AfterBackup.bat file


After successfully backing up the site, the backup task automatically tries to run a script
named AfterBackup.bat. Manually create the AfterBackup.bat file on the site server in
<ConfigMgrInstallationFolder>\Inboxes\Smsbkup.box. If an AfterBackup.bat file exists in
the correct folder, it automatically runs after the backup task completes.

The AfterBackup.bat file lets you archive the backup snapshot at the end of every
backup operation. It can automatically perform other post-backup tasks that aren't part
of the Backup Site Server maintenance task. The AfterBackup.bat file integrates the
archive and the backup operations, thereby ensuring that every new backup snapshot is
archived.

If the AfterBackup.bat file isn't present, the backup task skips it without effect on the
backup operation. To verify that the backup task successfully ran this script, go to the
Component Status node in the Monitoring workspace, and review the status messages
for SMS_SITE_BACKUP. When the task successfully starts the AfterBackup.bat command
file, you see message ID 5040.

Tip

To archive your site server backup files with AfterBackup.bat, you must use a copy
command tool in the batch file. One such tool is Robocopy in Windows Server. For
example, create the AfterBackup.bat file with the following command:

Robocopy E:\ConfigMgr_Backup \\ServerName\ShareName\ConfigMgr_Backup /MIR

Although the intended use of the AfterBackup.bat is to archive backup snapshots, you
can create an AfterBackup.bat file to run additional tasks at the end of every backup
operation.
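The /MIR form in the tip keeps a single copy on the share, which is the one-snapshot problem described under Archive the backup snapshot. The following script is an added example, not from the article or the product: AfterBackup.bat launches it to copy each snapshot into a dated folder on an archive share and to prune the oldest ones. The script path, share name and retention count are assumptions.

```powershell
# Archive-SiteBackup.ps1 (assumed path D:\Scripts). AfterBackup.bat, stored in
# <ConfigMgrInstallationFolder>\Inboxes\Smsbkup.box, contains the single line:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File "D:\Scripts\Archive-SiteBackup.ps1"
# It runs under the backup task's account (Local System), so the archive share must grant
# the site server's computer account write access, as for a UNC backup path.
param(
    [string]$BackupPath  = 'E:\ConfigMgr_Backup',                      # assumed backup destination
    [string]$ArchiveRoot = '\\ServerName\ShareName\ConfigMgr_Backup',  # assumed archive share
    [int]$Keep           = 7                                           # dated archives to retain
)
$ErrorActionPreference = 'Stop'

function Get-ArchivesToPrune {
    # Given existing archive folder names, return those beyond the retention count.
    # Names are yyyy-MM-dd_HHmm, so a descending string sort is newest first.
    param([string[]]$Names, [int]$Keep)
    $Names | Where-Object { $_ -match '^\d{4}-\d{2}-\d{2}_\d{4}$' } |
             Sort-Object -Descending | Select-Object -Skip $Keep
}

$stamp  = Get-Date -Format 'yyyy-MM-dd_HHmm'
$target = Join-Path $ArchiveRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Copy the whole snapshot (site files, database backup, CD.Latest) into the dated folder.
# /E keeps the tree; /R and /W cap retries so a locked file cannot stall the post-backup step.
& robocopy.exe $BackupPath $target /E /R:2 /W:5 /NP "/LOG+:$ArchiveRoot\archive.log" | Out-Null
if ($LASTEXITCODE -ge 8) {   # Robocopy: 0-7 are success variants, 8 and above are failures
    throw "Robocopy exit code $LASTEXITCODE while archiving to $target"
}

# Prune archives beyond the retention count; archive.log is a file, so it is never matched.
$names = @(Get-ChildItem -Path $ArchiveRoot -Directory | ForEach-Object Name)
foreach ($old in @(Get-ArchivesToPrune -Names $names -Keep $Keep)) {
    Remove-Item -Path (Join-Path $ArchiveRoot $old) -Recurse -Force
}
Write-Output "Archived $BackupPath to $target; keeping the newest $Keep archives."
```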

Supplemental backup tasks


The Backup Site Server maintenance task provides a backup snapshot for the site server
files and site database. There are other items not backed up that you must consider
when you create your backup strategy. Use these sections to help you complete your
Configuration Manager backup strategy.

Back up custom reports


If you modify predefined or created custom reports in SQL Server Reporting Services,
create a backup for the report server database files. The report server backup must
include the following components:

The source files for reports and models
Encryption keys
Custom assemblies or extensions
Configuration files
Custom SQL Server views used in custom reports
Custom stored procedures

Important

When Configuration Manager updates to a newer version, the predefined reports
might be overwritten by new reports. If you modify a predefined report, make sure
to back up the report and then restore it in Reporting Services.

For more information about backing up your custom reports in Reporting Services, see
Backup and Restore Operations for Reporting Services.

Back up content files


The content library in Configuration Manager is the location where all content files are
stored for all software deployments. The content library is located on the site server and
on each distribution point. The Backup Site Server maintenance task doesn't back up the
content library or package source files. When a site server fails, the information about
the content library is restored to the site database, but you must restore the content
library and package source files.

The content library must be restored before you can redistribute content to
distribution points. When you start content redistribution, Configuration Manager
copies the files from the site server's content library to the distribution points. For
more information, see The content library.

The package source files must be restored before you can update content on
distribution points. When you start a content update, Configuration Manager
copies new or modified files from the package source to the content library. It then
copies the files to associated distribution points. Run the following SQL query
against the site database to find the package source location for all packages and
applications: SELECT * FROM v_Package. You can identify the package source site by
looking at the first three characters of the package ID. For example, if the package
ID is CEN00001, the site code for the source site is CEN. When you restore the
package source files, they must be restored to the same location where they were
before the failure.

Verify that you include both the content library and package source files in your file
system backup for the site server.
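As an added example (not part of the article), this PowerShell script runs the v_Package query above and turns the result into a checklist of source locations per owning site, using the first three characters of PackageID as described. The server, instance and database names are assumptions; it connects to the site database with Windows authentication.

```powershell
param(
    [string]$SqlServer = 'SQLSERVER01\INST01',   # assumed site database server\instance
    [string]$Database  = 'CM_CEN'                # assumed site database name (CM_<sitecode>)
)

function Get-SourceRoot {
    # Reduce a package source path to the location a file-system backup must cover:
    # \\server\share for UNC paths, the drive root for local paths.
    param([string]$Path)
    if ($Path -like '\\*') {
        $parts = $Path.TrimStart('\') -split '\\'
        if ($parts.Count -ge 2) { return ('\\' + $parts[0] + '\' + $parts[1]) }
        return $Path
    }
    return [System.IO.Path]::GetPathRoot($Path)
}

# Same view as the article's query, restricted to the columns needed. The first three
# characters of PackageID are the site code of the site that owns the source files.
$query = @"
SELECT PackageID, Name, PkgSourcePath, LEFT(PackageID, 3) AS SourceSiteCode
FROM   v_Package
WHERE  PkgSourcePath IS NOT NULL AND PkgSourcePath <> ''
"@

$conn  = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlServer;Database=$Database;Integrated Security=True")
$table = New-Object System.Data.DataTable
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $table.Load($cmd.ExecuteReader())
}
finally { $conn.Close() }

# One row per source location and owning site: a local path (D:\...) lives on that site's
# server, a UNC path on the named file server; both must be in the backup plan.
$table |
    ForEach-Object {
        [pscustomobject]@{
            SourceSiteCode = $_.SourceSiteCode
            SourceRoot     = Get-SourceRoot -Path $_.PkgSourcePath
            PackageID      = $_.PackageID
        }
    } |
    Group-Object SourceSiteCode, SourceRoot |
    ForEach-Object {
        [pscustomobject]@{
            SourceSiteCode = $_.Group[0].SourceSiteCode
            SourceRoot     = $_.Group[0].SourceRoot
            Packages       = $_.Count
            ExamplePackage = $_.Group[0].PackageID
        }
    } |
    Sort-Object SourceSiteCode, SourceRoot | Format-Table -AutoSize
```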

Back up custom software updates


System Center Updates Publisher is a stand-alone tool that lets you manage custom
software updates. Updates Publisher uses a local database for its software update
repository. When you use Updates Publisher to manage custom software updates,
determine whether you should include the Updates Publisher database in your backup
plan. For more information, see System Center Updates Publisher.

Use the following procedure to back up the Updates Publisher database.

Back up the Updates Publisher database


1. On the computer that runs Updates Publisher, browse to the Updates Publisher
database file Scupdb.sdf in %USERPROFILE%\AppData\Local\Microsoft\System Center
Updates Publisher 2011\5.00.1727.0000\. There's a different database file for each
user that runs Updates Publisher.

2. Copy the database file to your backup destination. For example, if your backup
destination is E:\ConfigMgr_Backup, you could copy the Updates Publisher
database file to E:\ConfigMgr_Backup\SCUP.

Tip

When there's more than one database file on a computer, consider storing
the file in a subfolder that indicates the user profile associated with the
database file. For example, you could have one database file in
E:\ConfigMgr_Backup\SCUP\User1 and another database file in
E:\ConfigMgr_Backup\SCUP\User2.

User state migration data


You can use Configuration Manager task sequences to capture and restore the user
state data in OS deployment scenarios. The properties of the state migration point list
the folders that store the user state data. This data isn't backed up as part of the Site
Server Backup maintenance task. As part of your backup plan, you must manually back
up the folders that you specify to store the user state migration data.

Determine the folders used to store user state migration data

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Servers and Site System Roles node.

2. Select the site system that hosts the state migration role. Then select State
migration point in the Site System Roles pane.

3. Select Properties in the ribbon.

4. The folders that store the user state migration data are listed in the Folder details
section on the General tab.

About the SMS Writer service


The SMS Writer is a service that interacts with the Windows Volume Shadow Copy
Service (VSS) during the backup process. The SMS Writer service must be running for
the Configuration Manager site backup to complete successfully.

Process
1. SMS Writer registers with the VSS service and binds to its interfaces and events.

2. When VSS broadcasts events, or if it sends specific notifications to the SMS Writer,
the SMS Writer responds to the notification and takes the appropriate action.

3. The SMS Writer reads the backup control file smsbkup.ctl located in
<ConfigMgrInstallationPath>\inboxes\smsbkup.box, and determines the files and
data to back up.

4. The SMS Writer builds metadata, which consists of various components including
specific data from the SMS registry key and subkeys.

a. It sends the metadata to VSS when it's requested.

b. VSS then sends the metadata to the requesting application, the Configuration
Manager Backup Manager.

5. Backup Manager selects the data to back up, and sends this data to the SMS
Writer via VSS.

6. The SMS Writer takes the appropriate steps to prepare for the backup.

7. Later, when VSS is ready to take the snapshot:

a. It sends an event

b. The SMS Writer stops all Configuration Manager services

c. It ensures that the Configuration Manager activities are frozen while the
snapshot is created.

8. After the snapshot is complete, the SMS Writer restarts services and activities.

The SMS Writer service is installed automatically. It must be running when the VSS
application requests a backup or restore.

Writer ID
The writer ID for the SMS Writer is 03ba67dd-dc6d-4729-a038-251f7018463b.

Permissions
The SMS Writer service must run under the Local System account.
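An added example, not from the article, that confirms the two requirements just stated before a backup runs: that the SMS Writer (service SMS_SITE_VSS_WRITER) is configured to run as Local System and that VSS reports the writer with the ID above in a Stable state. It assumes it runs elevated on the site server, since vssadmin requires that.

```powershell
function Test-SmsWriter {
    # Writer ID as documented for the SMS Writer.
    $writerId = '03ba67dd-dc6d-4729-a038-251f7018463b'

    # Service account and state; StartName is 'LocalSystem' for the Local System account.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SMS_SITE_VSS_WRITER'"

    # vssadmin prints one block per writer, for example:
    #   Writer name: 'SMS Writer'
    #      Writer Id: {03ba67dd-dc6d-4729-a038-251f7018463b}
    #      Writer Instance Id: {...}
    #      State: [1] Stable
    #      Last error: No error
    $text  = (& vssadmin.exe list writers 2>&1) -join "`n"
    $block = [regex]::Match($text,
        "Writer Id: \{${writerId}\}.*?State: \[(\d+)\] ([^\r\n]+).*?Last error: ([^\r\n]+)",
        [System.Text.RegularExpressions.RegexOptions]::Singleline)

    [pscustomobject]@{
        ServiceInstalled  = [bool]$svc
        ServiceRunning    = [bool]$svc -and $svc.State -eq 'Running'
        RunsAsLocalSystem = [bool]$svc -and $svc.StartName -eq 'LocalSystem'
        WriterRegistered  = $block.Success
        WriterState       = if ($block.Success) { $block.Groups[2].Value.Trim() } else { $null }
        WriterLastError   = if ($block.Success) { $block.Groups[3].Value.Trim() } else { $null }
    }
}

$check = Test-SmsWriter
$check | Format-List
# A writer that is missing, not Stable, or not running as Local System will make the
# next Backup Site Server run fail; exit non-zero so a monitoring job can raise it.
if (-not ($check.RunsAsLocalSystem -and $check.WriterState -eq 'Stable')) { exit 1 }
```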

Volume Shadow Copy service


The VSS is a set of COM APIs that implements a framework to allow volume backups to
be performed while applications on a system continue to write to the volumes. The VSS
provides a consistent interface that allows coordination between user applications that
update data on disk (the SMS Writer service) and those that back up applications (the
Backup Manager service). For more information, see the Volume Shadow Copy Service.

Next steps
After you create a backup, practice site recovery with that backup. This practice can help
you become familiar with the recovery process before you need to rely on it. It can also
help confirm the backup was successful for its intended purpose.
Recover a Configuration Manager site
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Run a Configuration Manager site recovery after a site fails or data loss occurs in the site
database. Repairing and resynchronizing data are the core tasks of a site recovery and
are required to prevent interruption of operations.

The sections in this article can help you recover a Configuration Manager site. To create
a backup, see Backup for Configuration Manager.

Considerations before recovering a site

Important

This information applies only to site recovery scenarios. When you're upgrading
your on-premises infrastructure and not actively recovering a failed site, review the
information in the following articles:

Upgrade on-premises infrastructure


Modify your infrastructure

Prepare the server hardware


Make sure existing configurations aren't present on the site server. Any previous
configurations can cause conflicts during the site recovery process. Use one of the
following options for the server hardware:

Use a new server that meets the general and recovery requirements.

Format the disks, and reinstall the OS on the existing server. Make sure it meets
the general and recovery requirements.

Reuse an existing server that you've cleaned

Use one of the following procedures to clean an existing server:

Clean an existing server for site server recovery only


1. Delete SMS registry keys: HKLM\Software\Microsoft\SMS
2. Delete any registry entries starting with SMS from
HKLM\System\CurrentControlSet\Services. For example:

SMS_DISCOVERY_DATA_MANAGER
SMS_EXECUTIVE
SMS_INBOX_MONITOR
SMS_INVENTORY_DATA_LOADER
SMS_LAN_SENDER
SMS_MP_FILE_DISPATCH_MANAGER
SMS_SCHEDULER
SMS_SITE_BACKUP
SMS_SITE_COMPONENT_MANAGER
SMS_SITE_SQL_BACKUP
SMS_SITE_VSS_WRITER
SMS_SOFTWARE_METERING_PROCESSOR
SMS_STATE_SYSTEM
SMS_STATUS_MANAGER
SMS_WSUS_SYNC_MANAGER
SMSvcHost 3.0.0.0
SMSvcHost 4.0.0.0

3. Uninstall the Configuration Manager console
4. Restart the server
5. Confirm that all of the above registry keys are deleted.

The server is now ready for the Configuration Manager restore procedure.
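To confirm step 5 of the procedure above, here is an added read-only PowerShell check (not from the article) that lists any SMS registry keys, SMS services or console uninstall entry still present on the server; it removes nothing. The console's uninstall DisplayName pattern is an assumption.

```powershell
function Get-SmsRemnants {
    # Returns what still has to go before recovery; removes nothing.
    $found = New-Object System.Collections.Generic.List[string]

    # Step 1: the SMS registry key
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\SMS') { $found.Add('HKLM\Software\Microsoft\SMS') }

    # Step 2: any Services subkey whose name starts with SMS (SMS_EXECUTIVE, SMSvcHost, ...)
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        Where-Object { $_.PSChildName -like 'SMS*' } |
        ForEach-Object { $found.Add("HKLM\System\CurrentControlSet\Services\$($_.PSChildName)") }

    # A key that still exists normally also shows up as a service object.
    Get-Service -Name 'SMS*' -ErrorAction SilentlyContinue |
        ForEach-Object { $found.Add("service $($_.Name) [$($_.Status)]") }

    # Step 3: console still installed? Check uninstall entries in both registry views;
    # the DisplayName pattern is an assumption, compare it with Apps & features.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Configuration Manager Console*' } |
        ForEach-Object { $found.Add("installed product: $($_.DisplayName)") }

    return $found
}

$remnants = @(Get-SmsRemnants)
if ($remnants.Count -eq 0) {
    'No Configuration Manager remnants found; the server is ready for recovery.'
} else {
    'Remove or uninstall the following before running recovery:'
    $remnants | ForEach-Object { "  $_" }
}
```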

Clean an existing server for site database recovery only

1. Back up the site database. Also back up any other supporting databases, like
WSUS.
2. Make sure to note the SQL Server name and instance name
3. Manually delete the site database from the SQL Server
4. Restart the SQL Server

The server is now ready for the Configuration Manager restore procedure.

Clean an existing server for full recovery

1. Back up the site database. Also back up any other supporting databases, like
WSUS.
2. Make a copy of the content library

Warning

The following step, Uninstall the Configuration Manager site, should only be
performed on a standalone primary site, or a child primary site that is unable to
communicate over the network with the central administration site (CAS).
Uninstalling the site in a hierarchy results in the CAS losing the ability to
communicate with that child primary site, and the restore process will fail. For child
primary sites, instead follow the Clean an existing server for site server recovery
only steps above.

3. Uninstall the Configuration Manager site
4. Manually delete the site database from the SQL Server
5. Manually delete the Configuration Manager installation folder, and any other
Configuration Manager folders
6. Restart the server
7. Restore the content library and other databases like WSUS.

The server is now ready for the Configuration Manager restore procedure.

Use a supported version and same edition of SQL Server


If possible, use the same version of SQL Server. However, it's supported to restore a
database to a newer version.

Don't change the SQL Server edition. Restoring a site database from Standard edition to
Enterprise edition isn't supported.

Other SQL Server configuration requirements:

SQL Server can't be set to single-user mode.

Make sure the MDF and LDF files are valid. When you recover a site, there's no
check for the state of the files.

SQL Server Always On availability groups


If you use SQL Server Always On availability groups to host the site database, modify
your recovery plans as described in Prepare to use SQL Server Always On.

Database replicas
After you restore a site database that you configured for database replicas, reconfigure
each replica. Before you can use the database replicas, recreate both the publications
and subscriptions.

Determine your recovery options


There are two main areas to consider for Configuration Manager primary site server and
central administration site (CAS) recovery: the site server and the site database. The
following sections can help you select the best options for your recovery scenario.

Note

When Configuration Manager setup detects an existing site on the server, you can
start a site recovery, but the recovery options for the site server are limited. For
example, if you run Setup on an existing site server, when you choose recovery, you
can recover the site database server, but the option to recover the site server is
disabled.

Site server recovery options


Start Configuration Manager setup from a copy of the CD.Latest folder that you created
outside of the Configuration Manager installation folder.

If you run setup from the Start menu on the site server, the Recover a site option
isn't available.

If you installed any updates from within the Configuration Manager console before
you made your backup, you can't reinstall the site by using setup from the
following locations:
Installation media
The Configuration Manager installation path

Then select the Recover a site option. You have the following recovery options for the
failed site server:

Recover the site server using an existing backup


Use this option when you have a Configuration Manager backup of the site server from
before the site failure. The site creates this backup as part of the Backup Site Server
maintenance task. The site is reinstalled, and the site settings are configured based on
the site that was backed up.

Reinstall the site server

Use this option when you don't have a backup of the site server. The site server is
reinstalled, and you must specify the site settings as you would during an initial
installation.

Use the same site code and site database name that you used when the failed site
was first installed.

You can reinstall the site on a new computer that runs a new OS version.

The server must use the same hostname and fully qualified domain name (FQDN)
of the original site server.

Site database recovery options


When you run Configuration Manager setup, you have the following recovery options
for the site database:

Recover the site database using a backup set

Use this option when you have a Configuration Manager backup of the site database
from before the database failure. The site creates this backup as part of the Backup Site
Server maintenance task. In a hierarchy, when restoring a primary site, the recovery
process retrieves from the CAS any changes made to the site database after the last
backup. When restoring the CAS, the recovery process retrieves these changes from a
reference primary site. When you recover the site database for a standalone primary site,
you lose site changes after the last backup.

When you recover the site database for a site in a hierarchy, the recovery behavior is
different for a CAS and primary site. The behavior is also different when the last backup
is inside or outside of the SQL Server change tracking retention period. For more
information, see the Site database recovery scenarios section in this article.

Note

If you select to restore the site database by using a backup set, but the site
database already exists, the recovery fails.

Create a new database for this site


Use this option when you don't have a backup of the site database. In a hierarchy, the
recovery process creates a new site database. When restoring a child primary site, it
recovers the data by replicating from the CAS. When restoring the CAS, it replicates data
from a reference primary site. This option isn't available when you're recovering a
standalone primary site or a CAS that doesn't have primary sites.

Use a site database that has been manually recovered


Use this option when you've already recovered the Configuration Manager site
database, but need to complete the recovery process.

Configuration Manager can recover the site database from any of the following
processes:

The Configuration Manager backup maintenance task

A site database backup using Data Protection Manager (DPM)

Another backup process

After you restore the site database by using a method outside Configuration
Manager, run Setup, and select this option to complete the site database
recovery.

Note

When you use DPM to back up your site database, use the DPM
procedures to restore the site database to a specified location before you
continue the restore process in Configuration Manager. For more
information about DPM, see the Data Protection Manager documentation
library.

In a hierarchy, when you recover a primary site database, the recovery process
retrieves from the CAS any changes made to the site database after the last
backup. When restoring the CAS, the recovery process retrieves these changes
from a reference primary site. When you recover the site database for a standalone
primary site, you lose site changes after the last backup.

Skip database recovery


Use this option when no data loss has occurred on the Configuration Manager site
database server. This option is only valid when the site database is on a different
computer than the site server that you're recovering.

SQL Server change tracking retention period


Configuration Manager enables change tracking for the site database in SQL Server.
Change tracking lets Configuration Manager query for information about the changes
made to database tables after a previous point in time. The retention period specifies
how long change tracking information is kept. By default, the site database is configured
to have a retention period of five days. When you recover a site database, the recovery
process proceeds differently if your backup is inside or outside the retention period. For
example, if your SQL Server fails, and your last backup is seven days old, it's outside the
retention period.

For more information about SQL Server change tracking internals, see the following
blog posts from the SQL Server team: Change Tracking Cleanup - part 1 and Change
Tracking Cleanup - part 2.

Reinitialization of site or global data


The process to reinitialize site or global data replaces existing data in the site database
with data from another site database. For example, when site ABC reinitializes data from
site XYZ, the following steps occur:

1. The data is copied from site XYZ to site ABC.

2. The existing data for site XYZ is removed from the site database on site ABC.

3. The copied data from site XYZ is inserted into the site database for site ABC.

Example scenario 1: The primary site reinitializes the global data from the CAS

The recovery process removes the existing global data for the primary site in the
primary site database and replaces the data with the global data copied from the CAS.

Example scenario 2: The CAS reinitializes the site data from a primary site

The recovery process removes the existing site data for that primary site in the CAS
database. It replaces the data with the site data copied from the primary site. The site
data for other primary sites isn't affected.

Site database recovery scenarios
After a site database is restored from a backup, Configuration Manager tries to restore
the changes in site and global data after the last database backup. Configuration
Manager starts the following actions after a site database is restored from backup:

Recovered site is a CAS


Database backup within change tracking retention period

Global data: The changes in global data after the backup are replicated from all
primary sites.

Site data: The changes in site data after the backup are replicated from all
primary sites.

Database backup older than change tracking retention period

Global data: The CAS reinitializes the global data from the reference primary
site if you specify it. Then all other primary sites reinitialize the global data from
the CAS. If you don't specify a reference site, all primary sites reinitialize the
global data from the CAS. This data is what you restored from backup.

Site data: The CAS reinitializes the site data from each primary site.

Recovered site is a primary site


Database backup within change tracking retention period

Global data: The changes in global data after the backup are replicated from
the CAS.

Site data: The CAS reinitializes the site data from the primary site. Changes after
the backup are lost. Clients regenerate most data when they send information
to the primary site.

Database backup older than change tracking retention period

Global data: The primary site reinitializes the global data from the CAS.

Site data: The CAS reinitializes the site data from the primary site. Changes after
the backup are lost. Clients regenerate most data when they send information
to the primary site.

Site recovery procedures
Use one of the following procedures to help you recover your site server and site
database:

Start a site recovery in the setup wizard


1. Copy the CD.Latest folder to a location outside the Configuration Manager
installation folder. From the copy of the CD.Latest folder, run the Configuration
Manager setup wizard.

2. On the Getting Started page, select Recover a site, and then select Next.

3. Complete the wizard by using the options that are appropriate for your site
recovery.

During the recovery, setup identifies the SQL Server Service Broker (SSB) port
used by the SQL Server. Don't change this port setting during recovery or
data replication won't work properly after the recovery completes.

You can specify the original or a new path to use for the Configuration
Manager installation in the setup wizard.

Start an unattended site recovery


1. Prepare the unattended installation script for the options that you require for the
site recovery. For more information, see Unattended site recovery.

2. Run Configuration Manager setup by using the /script command-line option. For
example, you create a setup initialization file ConfigMgrUnattend.ini. You save it in
the C:\Temp directory of the computer on which you're running setup. Use the
following command:

setup.exe /script C:\temp\ConfigMgrUnattend.ini

Note

After you recover a CAS, replication of some site data from child sites can fail to be
established. This data can include hardware inventory, software inventory, and
status messages.

If this issue occurs, reinitialize the ConfigMgrDRSSiteQueue for database
replication. Use SQL Server Management Studio to run the following query against the
site database for the CAS. It re-enables the Service Broker queue only if the queue is
currently disabled for receive:

SQL

IF EXISTS (SELECT * FROM sys.service_queues WHERE name = 'ConfigMgrDRSSiteQueue' AND is_receive_enabled = 0)
    ALTER QUEUE [dbo].[ConfigMgrDRSSiteQueue] WITH STATUS = ON


Post-recovery tasks
After you recover your site, there are several post-recovery tasks to consider before your
site recovery is complete. Use the following sections to help you complete your site
recovery process.

Reenter user account passwords


After a site server recovery, reenter the passwords for any user accounts in the site.
These passwords are reset during the site recovery. The accounts are listed on the
Finished page of the setup wizard after site recovery is completed. The list is also saved
to C:\ConfigMgrPostRecoveryActions.html on the recovered site server.

Reenter user account passwords after site recovery

1. Open the Configuration Manager console and connect to the recovered site.

2. Go to the Administration workspace, expand Security, and then select Accounts.

3. For each account, do the following steps to reenter the password:

a. Select the account from the list identified after site recovery.

b. Select Properties in the ribbon.

c. On the General tab, select Set, and then reenter the password for the account.

d. Select Verify, choose the appropriate data source for the selected user account,
and then select Test connection. This step tests that the user account can
connect to the data source, and verifies the credentials.

e. Select OK to save the password changes, and then select OK to close the
account properties page.

Reenter PXE passwords

1. In the Configuration Manager console, go to the Administration workspace, and
select the Distribution Points node. Any on-premises distribution point with Yes in
the PXE column is enabled for PXE and may have a password to reenter.

2. Select a PXE-enabled distribution point, and select Properties in the ribbon.

3. Switch to the PXE tab.

4. If the option to Require a password when computers use PXE is enabled, enter
and confirm the password.

5. Select OK to save and close the properties.

Repeat this process for any other PXE-enabled on-premises distribution point.

Reenter task sequence passwords


1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and select the Task Sequences node.

2. Select a task sequence, and then in the ribbon, select Edit.

3. Review the following steps for passwords to reenter:

Apply Windows Settings: If you enable and specify the local administrator
password, reenter and confirm the password.

Apply Network Settings: For the account that has permission to join the
domain, select Set. Enter and confirm the password, and then select Verify.

Capture Operating System Image: For the account used to access the
destination, select Set. Enter and confirm the password, and then select
Verify.

Connect to Network Folder: For the account used to connect to a network
folder, select Set. Enter and confirm the password, and then select Verify.

Enable BitLocker: If you use the key management option TPM and PIN,
reenter the PIN.

Join Domain or Workgroup: For the account that has permission to join the
domain, select Set. Enter and confirm the password, and then select Verify.

Run Command Line: If you use the option to Run this step as the following
account, select Set. Enter and confirm the password, and then select Verify.

Run PowerShell Script: If you use the option to Run this step as the
following account, select Set. Enter and confirm the password, and then
select Verify.

Repeat this process for all task sequences.

Recreate bootable media and prestaged media in non-PKI environments

In non-PKI environments, the self-signed certificates in bootable media and prestaged
media are based on the machine keys of the server where the media was created. For this
reason, if the hardware changes or the OS is reinstalled as part of a recovery, any bootable
media and prestaged media created on that server need to be recreated. For more information
on how to create bootable media and prestaged media, see Create bootable media and
Create prestaged media.

Reenter sideloading keys


After a site server recovery, reenter Windows sideloading keys specified for the site.
These keys are reset during site recovery. After you reenter the sideloading keys, the site
resets the count in the Activations used column for Windows sideloading keys.

For example, before the site failure the Total activations count shows as 100. The
number of keys that devices have used, or Activations used, is 90. After the site
recovery, the Total activations value still displays 100, but the Activations used column
incorrectly displays 0. After 10 new devices use a sideloading key, there are no more
sideloading keys, and the 11th device fails to apply a sideloading key.

Recreate Azure services


After site recovery, you may see the following error in cloudmgr.log:

Index (zero-based) must be greater than or equal to zero

To resolve this issue, renew the secret key for each Azure tenant connection.

Delete and recreate subscriptions for external notifications on the CAS

After you recover the CAS, you need to delete and recreate any subscriptions for
external notifications. For more information, see External notifications.

Configure HTTPS for site system roles that use IIS

When you recover site systems that run IIS and that you configured for HTTPS, reconfigure
IIS to use the web server certificate.

Reinstall hotfixes
After a site recovery, you must reinstall any out-of-band hotfixes that were applied to
the site server. After site recovery, view the list of the previously installed hotfixes on the
Finished page of the setup wizard. This list is also saved to
C:\ConfigMgrPostRecoveryActions.html on the recovered site server.

Recover custom reports


Some customers create custom reports in SQL Server Reporting Services. When this
component fails, recover the reports from a backup of the report server. For more
information about restoring your custom reports in Reporting Services, see Backup and
Restore Operations for Reporting Services.

Recover content files


The site database tracks where the site server stores the content files. The content files
themselves aren't backed up or restored as part of the backup and recovery process. To
fully recover content files, restore the content library and package source files to the
original location. There are several methods for recovering your content files. The easiest
method is to restore the files from a file system backup of the site server.

If you don't have a file system backup for the package source files, manually copy or
download them. This process is similar to when you originally created the package. Run
the following query in SQL Server to find the package source location for all packages
and applications: SELECT * FROM v_Package. Identify the package source site by looking
at the first three characters of the package ID. For example, if the package ID is
CEN00001, the site code for the source site is CEN. When you restore the package
source files, restore them to the same location they were in before the failure.

If you don't have a file system backup that includes the content library, you have the
following restore options:

Import a prestaged content file: In a Configuration Manager hierarchy, you can
create a prestaged content file with all packages and applications from another
location. Then import the prestaged content file to recover the content library on
the site server.

Update content: Configuration Manager copies the content from the package
source to the content library. For this action to finish successfully, the package
source files must be available in the original location. Do this action on each
package and application.
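
The v_Package query above tells you where each package source lived; the useful follow-up after a recovery is to find out which of those locations no longer exist, grouped by the site that owns them, so you can restore them before running Update content. The following PowerShell is an added example, not code from the Configuration Manager documentation. It assumes the SqlServer module (Invoke-Sqlcmd) is available, that the site database is CM_ABC on CMSQL01.contoso.com, and that the account running it can read the v_Package view and reach the source shares; PkgSourcePath is the v_Package column that holds the source location.

```powershell
# Added example (not from the Configuration Manager documentation): list every package
# and application source path recorded in v_Package, derive the source site from the
# first three characters of the package ID, and report the sources that are missing.
# Assumptions: SqlServer module present, site database CM_ABC on CMSQL01.contoso.com,
# read access to v_Package and to the UNC paths being tested.

function Get-CMPackageSourceStatus {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9_]+$')] [string] $Database
    )
    # v_Package exposes PackageID, Name and PkgSourcePath; the site code prefix is derived here.
    $query = @"
SELECT PackageID, Name, PkgSourcePath, LEFT(PackageID, 3) AS SourceSiteCode
FROM v_Package
WHERE PkgSourcePath IS NOT NULL AND PkgSourcePath <> '';
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query |
        ForEach-Object {
            [pscustomobject]@{
                PackageID      = $_.PackageID
                Name           = $_.Name
                SourceSiteCode = $_.SourceSiteCode
                PkgSourcePath  = $_.PkgSourcePath
                # Test-Path against the recorded path tells us whether the source survived the failure.
                SourcePresent  = Test-Path -LiteralPath $_.PkgSourcePath
            }
        }
}

$status = Get-CMPackageSourceStatus -ServerInstance 'CMSQL01.contoso.com' -Database 'CM_ABC'

# Missing sources, grouped by originating site, are the ones to restore from file-system
# backup (or re-copy) to the original location before running Update content on each
# package or application.
$status | Where-Object { -not $_.SourcePresent } |
    Group-Object SourceSiteCode |
    ForEach-Object {
        Write-Host "Site $($_.Name): $($_.Count) package source(s) missing"
        $_.Group | Format-Table PackageID, Name, PkgSourcePath -AutoSize
    }
```

Run this on the recovered site server: source paths that are local (not UNC) only resolve correctly there, and a share that is reachable from your workstation but not from the site server will still fail when Update content runs.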

Recover custom software updates


When you've included System Center Updates Publisher database files in your backup
plan, you can recover the databases if the Updates Publisher computer fails. For more
information about Updates Publisher, see System Center Updates Publisher.

Restore the Updates Publisher database

1. Reinstall Updates Publisher on the recovered computer.

2. Copy the database file Scupdb.sdf from your backup destination to
%USERPROFILE%\AppData\Local\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000\
on the computer that runs Updates Publisher.

3. When more than one user runs Updates Publisher on the computer, copy each
database file to the appropriate user profile location.

User State Migration data


As part of the state migration point properties, you specify the folders that store user
state data. After you recover a state migration point, manually restore the user state
data on the server. Restore it to the same folders that stored the data before the failure.

Regenerate the certificates for distribution points


After you restore a site, the distmgr.log might list the following entry for one or more
distribution points: Failed to decrypt cert PFX data. This entry indicates that the site
can't decrypt the distribution point's certificate data. To resolve this issue, regenerate
or reimport the certificate for affected distribution points. Use the
Set-CMDistributionPoint PowerShell cmdlet.
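
The following PowerShell is an added example of that step, not code from the Configuration Manager documentation. It confirms the distmgr.log symptom and then reissues certificates with Set-CMDistributionPoint: a new self-signed certificate for HTTP distribution points, and a reimport of the PKI-issued PFX for HTTPS distribution points (regenerating a self-signed certificate on a PKI distribution point is the wrong fix). It assumes the Configuration Manager console (and its ConfigurationManager module) is installed where the script runs, that the site code is ABC, that distmgr.log is in the default installation folder under Logs, and that the cmdlet's -GenerateSelfSignedCertificate and -ImportCertificate parameter sets are used as documented for it. The distribution point names and PFX path are placeholders.

```powershell
# Added example (not from the Configuration Manager documentation): after a site
# recovery, count the 'Failed to decrypt cert PFX data' entries in distmgr.log and
# reissue distribution point certificates with Set-CMDistributionPoint.
# Assumptions: ConfigurationManager PowerShell module installed with the console,
# site code ABC, default log path, placeholder DP names and PFX path.

param(
    [string]    $SiteCode   = 'ABC',
    [string]    $DistMgrLog = 'C:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log',
    [string[]]  $HttpDPs    = @('dp01.contoso.com', 'dp02.contoso.com'),
    [hashtable] $PkiDPs     = @{ 'dp03.contoso.com' = '\\fileserver\certs\dp03.pfx' }
)

# Count how often the site logged the decryption failure; zero means no DP needs this step.
$hits = Select-String -Path $DistMgrLog -Pattern 'Failed to decrypt cert PFX data' -SimpleMatch
Write-Host "distmgr.log entries with 'Failed to decrypt cert PFX data': $($hits.Count)"

# Load the console's module and switch to the site drive, as the cmdlets require.
Import-Module ($Env:SMS_ADMIN_UI_PATH.Substring(0, $Env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
Set-Location "$SiteCode`:"

foreach ($dp in $HttpDPs) {
    # HTTP distribution points use a self-signed certificate; issue a fresh one with a two-year lifetime.
    Set-CMDistributionPoint -SiteSystemServerName $dp -SiteCode $SiteCode `
        -GenerateSelfSignedCertificate -CertificateExpirationTimeUtc (Get-Date).ToUniversalTime().AddYears(2)
    Write-Host "Regenerated self-signed certificate on $dp"
}

foreach ($dp in $PkiDPs.Keys) {
    # HTTPS (PKI) distribution points need the CA-issued certificate back; prompt for the PFX
    # password rather than storing it in the script.
    $pfxPassword = Read-Host -AsSecureString -Prompt "PFX password for $dp"
    Set-CMDistributionPoint -SiteSystemServerName $dp -SiteCode $SiteCode `
        -ImportCertificate -CertificatePath $PkiDPs[$dp] -CertificatePassword $pfxPassword
    Write-Host "Reimported PKI certificate on $dp"
}
```

After the cmdlets run, watch distmgr.log for the decryption error to stop recurring for the affected distribution points before you move on to content recovery.
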
Restore database encryption certificates
If you use SQL Server encryption for the entire database or for specific tables, you may
need to restore the certificates after you restore the site database. For example, if you
encrypt recovery data for BitLocker management. For more information, see Restore
certificate for BitLocker management.

Recover a secondary site


Configuration Manager doesn't support the backup of the database at a secondary site,
but does support recovery by reinstalling the secondary site. Secondary site recovery is
required when a Configuration Manager secondary site fails.

Requirements
The server must meet all secondary site prerequisites and have appropriate
security rights configured.

Use the same installation path that was used for the failed site.

Use a server with the same configuration as the failed server. This configuration
includes its fully qualified domain name (FQDN).

The server must have the same SQL Server configuration as the failed site.

During a secondary site recovery, Configuration Manager doesn't install SQL
Server Express if it's not already installed on the computer.

Use the same version of SQL Server and the same instance of SQL Server that
you used for the secondary site database before the failure.

Procedure
Use the Recover Secondary Site action from the Sites node in the Configuration
Manager console. Unlike with other types of sites, recovery for a secondary site doesn't
use a backup file. This process reinstalls the secondary site files on the failed server.
After the site reinstalls, the secondary site data is reinitialized from the parent primary
site.

During the recovery process, Configuration Manager verifies if the content library exists
on the secondary site server. It also checks that the appropriate content is available. The
secondary site uses the existing content library, if it includes the appropriate content.
Otherwise, to recover the content library of a secondary site, redistribute or prestage the
content to the server.

When you have a distribution point that isn't on the secondary site server, you aren't
required to reinstall the distribution point during a recovery of the secondary site. After
the secondary site recovery, the site automatically synchronizes with the distribution
point.

You can verify the status of the secondary site recovery by using the Show Install Status
action from the Sites node in the Configuration Manager console.

Unattended site recovery for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To recover a Configuration Manager central administration site (CAS) or primary site
without user interaction, create an unattended installation script to use with the /script
setup command-line option. The script provides the same type of information that the
setup wizard prompts for, except that there are no default settings. Specify all values for
the setup keys that apply to the type of recovery.

To use the /script setup command-line option, first create an answer file. Then specify
this file name on the command line. The name of the file is your decision, but it requires
the .ini file extension. When you reference this answer file from the command line,
provide the full path to the file. For example, if your setup answer file is named
setup.ini, and it's stored in the C:\setup folder, your command line would be:

setup.exe /script c:\setup\setup.ini

Important

You need Administrator rights to run Configuration Manager setup. When you run
setup with the unattended script, open the command prompt with the option to
Run as administrator.

The script contains section names, key names, and values. Required section key names
vary depending on the recovery type that you need. The order of the keys within
sections and the order of sections within the file aren't important. The keys aren't
case-sensitive. When you provide values for keys, the name of the key is followed by an
equal sign (=) and the value for the key. For example, Action=RecoverCCAR.

For more information, see the following articles:

Command-line options for setup

Unattended setup script file keys
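
The unattended procedure in "Start an unattended site recovery" earlier on this page and this article describe the same run: copy CD.Latest outside the installation folder, prepare an answer file, and start setup elevated with /script and the full path to the file. The following PowerShell is an added example that strings those steps together with the checks an operator wants before kicking off an irreversible recovery; it is not code from the Configuration Manager documentation. It assumes CD.Latest was copied to D:\Recovery\CD.Latest, that setup.exe sits at SMSSETUP\BIN\X64\setup.exe inside that copy (the standard layout), that the answer file is C:\Temp\ConfigMgrUnattend.ini, and that setup writes its log to C:\ConfigMgrSetup.log. The only answer-file key it validates is Action; RecoverCCAR is the CAS value named in this article, and RecoverPrimarySite is the corresponding primary-site value from the setup keys reference (verify both against that reference for your version). The remaining keys depend on the recovery type and aren't checked here.

```powershell
# Added example (not from the Configuration Manager documentation): run an unattended
# site recovery from a copy of CD.Latest with an answer file passed through /script.
# Assumptions: CD.Latest copied to D:\Recovery\CD.Latest; setup.exe under
# SMSSETUP\BIN\X64; answer file at C:\Temp\ConfigMgrUnattend.ini; setup log at
# C:\ConfigMgrSetup.log. Action values RecoverCCAR / RecoverPrimarySite are taken from
# the setup keys reference.

param(
    [string] $CdLatest   = 'D:\Recovery\CD.Latest',
    [string] $AnswerFile = 'C:\Temp\ConfigMgrUnattend.ini'
)

# Setup requires administrator rights; refuse up front rather than fail part way through.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session (Run as administrator).'
}

$setup = Join-Path $CdLatest 'SMSSETUP\BIN\X64\setup.exe'
if (-not (Test-Path $setup))      { throw "setup.exe not found at $setup; copy CD.Latest outside the install folder first." }
if (-not (Test-Path $AnswerFile)) { throw "Answer file $AnswerFile not found." }

# Minimal answer-file sanity check: it must carry a recovery action. Keys aren't
# case-sensitive and section/key order doesn't matter, so match loosely.
$ini = Get-Content -Path $AnswerFile -Raw
if ($ini -match '(?im)^\s*Action\s*=\s*(RecoverCCAR|RecoverPrimarySite)\s*$') {
    $action = $Matches[1]
} else {
    throw 'Answer file has no Action=RecoverCCAR (CAS) or Action=RecoverPrimarySite (primary site) key.'
}
Write-Host "Recovery action: $action"

# /script takes the full path to the .ini file. Wait for setup to exit and surface its exit code.
$proc = Start-Process -FilePath $setup -ArgumentList "/script `"$AnswerFile`"" -Wait -PassThru
Write-Host "setup.exe exited with code $($proc.ExitCode)"

# Setup records progress in ConfigMgrSetup.log; show the tail so the outcome is visible,
# and point the operator at the post-recovery list setup writes (passwords, hotfixes).
Get-Content -Path 'C:\ConfigMgrSetup.log' -Tail 20
if (Test-Path 'C:\ConfigMgrPostRecoveryActions.html') {
    Write-Host 'Review C:\ConfigMgrPostRecoveryActions.html for the accounts and hotfixes to reapply.'
}
```

Treat the answer file as sensitive while it exists: depending on the recovery type it can carry database server names and paths, so keep it on the recovering server only and remove it once setup finishes.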


Site failure impacts in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The site server and any of the other site systems can fail and cause a loss of the services
they regularly provide. If you install multiple site systems on the same computer, and
that computer fails, all services regularly provided by those site systems are no longer
available.

Part of your planning process should include understanding the impact on the service
that you provide your organization. Because each site system in the site provides
different functionality, the impact of a failure on the site differs, depending on the role
of the site system that failed.

Use high availability options to help mitigate the failure of any single system. Also plan
for and practice a backup and recovery strategy to reduce the amount of time the
service is unavailable.

The following sections describe the impact when the specified site system isn't
operational:

Site server
No site administration is possible. You can't connect the console to the site.

The management point collects client information and caches it until the site server
is back online.

Users can run existing deployments, and clients can download content from
distribution points.

Site database
No site administration is possible.

If the Configuration Manager client already has a policy assignment with new
policies, and if the management point has cached the policy body, the client can
make a policy body request and receive the policy body reply. However, the site
can't service any new policy assignment requests.

Clients can run deployments, only if they've already received the policy, and the
associated source files are already cached locally at the client.

Management point
Although you can create new deployments, clients don't receive them until a
management point is online.

Clients still collect inventory, software metering, and status information. They store
this data locally until the management point is available.

Clients can run deployments, only if they've already received the policy, and the
associated source files are already cached locally at the client.

Distribution point
Configuration Manager clients can run deployments, only if the associated source
files have already been downloaded locally or are available on a peer source.

Monitor the hierarchy
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To monitor your hierarchy in Configuration Manager, use the Monitoring workspace in
the Configuration Manager console.

Note

The exception to this location is when migrating sites. Monitor this process in the
Migration node of the Administration workspace. For more information, see
Operations for migrating to Configuration Manager current branch.

Along with using the Configuration Manager console for monitoring, use the following
features:

Introduction to reporting

Log files

When you monitor sites, look for signs that indicate problems that require you to take
action. For example:

A backlog of files on site servers and site systems.

Status messages that indicate an error or a problem.

Failing intrasite communication.

Error and warning messages in the system event log on servers.

Error and warning messages in the Microsoft SQL Server error log.

Sites or clients that haven't reported status in a long time.

Sluggish response from the SQL Server database.

Signs of hardware failure.

If monitoring tasks reveal any signs of problems, investigate the source of the problem.
Then quickly repair it to minimize the risk of a site failure.

Monitor common management tasks


Configuration Manager provides built-in monitoring from within the Configuration
Manager console.

Alerts
For more information, see Monitor alerts.

Compliance settings
For more information, see How to monitor compliance settings.

Content
For general information about monitoring content, see Manage content and content
infrastructure.

For more information about monitoring specific types of content:

Monitor applications

Monitor packages and programs

Monitor content for software updates

Monitor content for OS deployments

Endpoint Protection
For more information, see How to monitor Endpoint Protection.

OS deployment
For more information, see Monitor OS deployments.

Monitor power management


For more information, see How to monitor and plan for power management.

Monitor software metering


For more information, see Monitor app usage with software metering.

Monitor software updates
For more information, see Monitor software updates.

Monitor the site hierarchy


The Site Hierarchy node of the Monitoring workspace provides you with an overview of
your Configuration Manager hierarchy and intersite links.

Use the Site Hierarchy node to monitor the health of each site. Also monitor the
intersite replication links and their relationship to external factors, such as a
geographical location.

Both site status and intersite link status replicate as site data and not global data. When
you connect your Configuration Manager console to a child primary site, you can't view
the site or link status for other primary sites or their child secondary sites. For example,
in a hierarchy with multiple primary sites, when you connect the console to a primary
site, you can view the status of child secondary sites, the primary site, and the central
administration site. From this view, you can't see the status for other sites below the
central administration site.

To control the display in the Site Hierarchy node, use the Configure Settings action. The
hierarchy replicates the settings that you configure in this node.

Hierarchy diagram
The hierarchy diagram displays your sites in a topology map. Select a site, and view a
status message summary from that site. Drill through to view status messages, and
access the site Properties.

To view high-level status for a site or replication link between sites, hover your mouse
pointer over the object. Replication link status doesn't replicate globally. To view the
replication link details between all primary sites in a hierarchy, connect the console to
the central administration site.

The following options modify the hierarchy diagram:

Groups
Configure the number of primary sites and secondary sites that trigger a change in the
hierarchy diagram. This change in the display combines the sites into a single object.
Then you see the total number of sites and a high-level rollup of status messages and
site status.

Favorite sites

Specify individual sites to be a favorite site. A star icon identifies a favorite site in the
hierarchy diagram. Favorite sites aren't combined with other sites when you use
groups. They're always displayed individually.

Geographical view

Important

Starting in August 2020, this feature is deprecated. Use the Hierarchy Diagram
option.

The geographical view displays the location of each site on a geographical map. It only
displays sites that you configure with a location. When you select a site in this view, it
shows replication links to parent or child sites. Unlike the hierarchy diagram view, you
can't display site status message or replication link details in this view.

Note

To use the geographical view, the computer to which your Configuration Manager
console connects must have Internet Explorer installed and be able to access Bing
Maps by using the HTTP protocol.

The following option modifies the geographical view:

Site Location

Specify a geographical location for each site using one of the following types:

A street address
A place name such as the name of a city
By latitude and longitude coordinates

For example, to use the latitude and longitude of Redmond, Washington, specify N 47
40 26.3572 W 122 7 17.4432 as the location of the site. You don't need to specify the
symbols for the degree, minutes, or seconds of latitude or longitude. Configuration
Manager uses Bing Maps to display the location on the geographical view. Then you can
view your hierarchy with the geographical locations. This view provides insight into
regional issues that might affect specific sites or intersite replication.

When you specify a location, you can use the Location box to search for a specific site in
your hierarchy. With the site selected, enter the location as a city name or street address
in the Location column. Configuration Manager uses Bing Maps to resolve the location.

Next steps
Monitor database replication

Use the status system in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the built-in status message system to understand the state of your Configuration
Manager environment.

All major site components generate status messages that provide feedback on site and
hierarchy operations. This information can keep you informed about the health of
different site processes. You can tune the alert system to ignore noise for known
problems, and increase early visibility for other issues that might need your attention.

You generally don't need to configure the Configuration Manager status system. By
default, it uses suitable settings for most environments. You can configure the following
components:

Status summarizers: Control the frequency of status messages that indicate a
change for the following four summarizers:

Application deployment summarizer

Application statistics summarizer

Component status summarizer

Site system status summarizer

Status filter rules: Create new status filter rules, modify the priority of rules, disable
or enable rules, and delete unused rules at each site.

Note

Status filter rules don't support environment variables to run external
commands.

Status reporting: Configure both server and client component reporting, and
specify where they're sent.

Warning

Because the default reporting settings are appropriate for most environments,
change them with caution. When you increase the level of status reporting by
choosing to report all status details, you can increase the amount of status
messages for the site to process. This change increases the processing load
on the Configuration Manager site. If you decrease the level of status
reporting, you might limit the usefulness of the status summarizers.

Because the status system maintains separate configurations for each site, edit each site
individually.

Configure status summarizers


1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. Select a site. Then on the Home tab of the ribbon, in the Settings group, select
Status Summarizers.

3. In the Status Summarizers window, select the status summarizer that you want to
configure, and select Edit.

Application deployment or application statistics summarizers
On the General tab of the summarizer properties page, configure the summarization
intervals.

For the application deployment summarizer, these time periods specify how frequently
the site updates the deployment status for applications, task sequences, and packages.
It's calculated based on the deployment start time. The following values show the
defaults:

Modified in the last 30 days: 60 minutes

Modified in the last 31 to 90 days: 24 hours

Modified over 90 days ago: 7 days

For the application statistics summarizer, these time periods specify how often the site
updates application statistics. They're based on the date you last modified the
application. The following values show the defaults:

Modified in the last 30 days: 240 minutes

Modified in the last 31 to 90 days: 24 hours

Modified over 90 days ago: 7 days

Component status summarizer


1. On the General tab of the summarizer properties page, configure the replication
and threshold period values:

Enable status summarization
Replicate to parent site and select the Replication priority (by default, Normal)
Threshold period (by default, Since 00:00:00). In other words, by default
component status is reset at midnight.

2. On the Thresholds tab, select the Message type: Informational, Warning, or Error.

3. Select a component and then select the properties icon. You can also double-click
the component, or right-click and select Property.

4. Specify the threshold for the number of status messages on the component before
the site changes the status.

The following table shows the default values:

Message type Warning threshold Critical threshold

Informational 2000 5000

Warning 10 50

Error 1 5

For example, if a component generates 2000 informational status messages in the
threshold period (by default, since midnight), the site sets that component's state to
warning.
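The following added example (not Configuration Manager's own code) models how the component status summarizer applies the default thresholds above to the status messages a component generated in the threshold period; the component names and messages are constructed.

```python
"""Component status summarizer thresholds, as an added illustration.
Not Configuration Manager code; sample messages are constructed."""
from collections import Counter
from datetime import datetime, time, timedelta

# Default thresholds from the page: severity -> (warning, critical).
DEFAULT_THRESHOLDS = {
    "Informational": (2000, 5000),
    "Warning": (10, 50),
    "Error": (1, 5),
}

_RANK = {"OK": 0, "Warning": 1, "Critical": 2}


def threshold_period_start(now, since=time(0, 0, 0)):
    """'Since 00:00:00' means the most recent occurrence of that wall-clock
    time: midnight today, or yesterday if 'now' is earlier than 'since'."""
    start = datetime.combine(now.date(), since)
    if start > now:
        start -= timedelta(days=1)
    return start


def state_for_counts(counts, thresholds=DEFAULT_THRESHOLDS):
    """Worst state reached by any severity. Reaching a threshold exactly
    already triggers it: 2000 informational messages -> Warning."""
    state = "OK"
    for severity, (warn, crit) in thresholds.items():
        n = counts.get(severity, 0)
        candidate = "Critical" if n >= crit else "Warning" if n >= warn else "OK"
        if _RANK[candidate] > _RANK[state]:
            state = candidate
    return state


def summarize_components(messages, now, thresholds=DEFAULT_THRESHOLDS,
                         since=time(0, 0, 0)):
    """messages: iterable of dicts with 'component', 'severity', 'time'.
    Returns {component: (state, {severity: count})} for the threshold period."""
    start = threshold_period_start(now, since)
    per_component = {}
    for msg in messages:
        if not (start <= msg["time"] <= now):
            continue  # outside the threshold period, so the summarizer ignores it
        per_component.setdefault(msg["component"], Counter())[msg["severity"]] += 1
    return {comp: (state_for_counts(c, thresholds), dict(c))
            for comp, c in per_component.items()}


def sample_messages():
    """Constructed status messages for a summarization run at 2023-03-01 09:00."""
    day = datetime(2023, 3, 1)
    msgs = []
    # 3 errors since midnight: at or above the Error warning threshold (1), below critical (5).
    for hour in (2, 3, 4):
        msgs.append({"component": "SMS_DISTRIBUTION_MANAGER", "severity": "Error",
                     "time": day + timedelta(hours=hour)})
    # 60 warnings since midnight: above the Warning critical threshold (50).
    msgs += [{"component": "SMS_STATUS_MANAGER", "severity": "Warning",
              "time": day + timedelta(hours=5)}] * 60
    # 5 informational messages today, plus 2 errors from yesterday evening
    # that fall before the period start and therefore do not count.
    msgs += [{"component": "SMS_MP_CONTROL_MANAGER", "severity": "Informational",
              "time": day + timedelta(hours=6)}] * 5
    msgs += [{"component": "SMS_MP_CONTROL_MANAGER", "severity": "Error",
              "time": day - timedelta(hours=1)}] * 2
    return msgs


def summarize_sample():
    """Summarize the constructed messages as of 2023-03-01 09:00."""
    return summarize_components(sample_messages(), datetime(2023, 3, 1, 9, 0))


if __name__ == "__main__":
    for comp, (state, counts) in summarize_sample().items():
        print(comp, state, counts)
```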

Site system status summarizer


1. On the General tab of the summarizer properties page, configure the replication
and schedule values:

Enable status summarization
Replicate to parent site and select the Replication priority (by default, Medium)
Status summarization schedule (by default, every hour on the hour)

2. On the Thresholds tab, specify values for the Default thresholds for free space on
any site system. The following values are the defaults:

Warning (KB): 10485760 (10 GB)
Critical (KB): 5242880 (5 GB)

For example, if a site system reports less than 10 GB of free space on a drive, that
site system's status changes to warning.

3. The site can also monitor specific thresholds for specific Storage objects. By
default, it includes thresholds for the SQL Server database and transaction log for
the site database. The default values for these default objects are the same as the
default thresholds.

To modify these thresholds, select the object in the list, and then select the
properties icon. (You can also double-click the object, or right-click to access these
actions.)

4. To create a new storage object to monitor, select the gold asterisk "new" icon.
Select a storage object from the list, and specify the free space thresholds.

5. To delete a storage object, select the object, and then select the delete icon.

Manage status filter rules


With status filter rules, the site can take action when a status message matches specific
criteria. There are several default status filter rules, and you can create custom rules.

Tip

Starting in version 2107, you can enable the site to send notifications to an external
system or application. This capability simplifies the process by using a web service-
based method. You configure subscriptions to send these notifications. These
notifications are in response to specific, defined events as they occur, for example,
when a status message matches a status filter rule. For more information, see External notifications.

Modify a status filter rule


1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.
2. Select a site, and then on the Home tab of the ribbon, in the Settings group, select
Status Filter Rules.

3. In the Status Filter Rules window, select the rule that you want to modify.

To change the processing order of the status filter rule, select Increase
Priority or Decrease Priority.
To change the status of the rule, select Disable or Enable.
To delete the status filter rule from the site, select Delete.
To change the criteria for the status message rule, select Edit.

Create a status filter rule


1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. Select a site, and then on the Home tab of the ribbon, in the Settings group, select
Status Filter Rules.

3. Select Create.

4. On the General page of the Create Status Filter Rule Wizard, specify a Name for
the new status filter rule. Select message-matching criteria for the rule, and specify
values to match. The following criteria are available:

Source: Client, SMS Provider, Site Server
Site code
System
Component
Message type: Milestone, Detail, Audit
Severity: Informational, Warning, Error
Message ID
Property
Property value

5. On the Actions page, specify the actions when a status message matches the
specified criteria. The following actions are available:

Write to the Configuration Manager database
    Allow the user to delete messages after how many days
Report to the event log
Replicate to the parent site
    Replication priority
Run a program
    Specify a command line to run on the site server
Do not forward to status summarizers
Do not process lower-priority status filter rules

6. Complete the wizard.

Note

Configuration Manager only requires that a new status filter rule has a name. If you
create a rule, but you don't specify any criteria to process status messages, the
status filter rule has no effect. This behavior allows you to create and organize rules
before you configure the criteria for each rule.
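The added example below (not Configuration Manager's own code) shows how the criteria and actions described above interact when several rules apply to one status message: rules run in priority order, a rule with no criteria has no effect, and the two "Do not ..." actions change what happens to lower-priority rules and to the summarizers. The rules and messages are constructed.

```python
"""Status filter rule processing, as an added illustration.
Not Configuration Manager code; rules and messages are constructed."""
from dataclasses import dataclass, field

# Criteria names from the Create Status Filter Rule Wizard.
CRITERIA = ("Source", "Site code", "System", "Component", "Message type",
            "Severity", "Message ID", "Property", "Property value")

NO_SUMMARIZERS = "Do not forward to status summarizers"
STOP_PROCESSING = "Do not process lower-priority status filter rules"


@dataclass
class StatusFilterRule:
    name: str
    criteria: dict = field(default_factory=dict)  # criterion -> value to match
    actions: set = field(default_factory=set)
    enabled: bool = True

    def matches(self, message):
        # A rule with a name but no criteria has no effect, as the note above says.
        if not self.criteria:
            return False
        unknown = set(self.criteria) - set(CRITERIA)
        if unknown:
            raise ValueError("unknown criteria: %s" % sorted(unknown))
        return all(message.get(k) == v for k, v in self.criteria.items())


def process_status_message(message, rules):
    """Apply enabled rules in list (priority) order. Returns the names of the
    rules that matched, the union of their actions, and whether the message
    still reaches the status summarizers."""
    matched, actions, forward = [], set(), True
    for rule in rules:
        if not rule.enabled or not rule.matches(message):
            continue
        matched.append(rule.name)
        actions |= rule.actions
        if NO_SUMMARIZERS in rule.actions:
            forward = False
        if STOP_PROCESSING in rule.actions:
            break  # lower-priority rules are skipped for this message
    return {"matched": matched, "actions": actions, "forward_to_summarizers": forward}


def sample_rules():
    """Constructed rule set, highest priority first."""
    return [
        StatusFilterRule("DP errors to event log",
                         {"Component": "SMS_DISTRIBUTION_MANAGER", "Severity": "Error"},
                         {"Report to the event log",
                          "Write to the Configuration Manager database", STOP_PROCESSING}),
        StatusFilterRule("All errors replicate", {"Severity": "Error"},
                         {"Replicate to the parent site"}),
        StatusFilterRule("Drop client detail noise",
                         {"Source": "Client", "Message type": "Detail",
                          "Severity": "Informational"},
                         {NO_SUMMARIZERS}),
        StatusFilterRule("Placeholder (no criteria yet)", {}, {"Report to the event log"}),
        StatusFilterRule("Disabled rule", {"Severity": "Warning"},
                         {"Report to the event log"}, enabled=False),
    ]


def sample_messages():
    """Constructed status messages keyed by scenario."""
    base = {"Source": "Site Server", "Site code": "PS1", "System": "CM01",
            "Message type": "Milestone"}
    return {
        "dp_error": {**base, "Component": "SMS_DISTRIBUTION_MANAGER",
                     "Severity": "Error", "Message ID": 2302},
        "mp_error": {**base, "Component": "SMS_MP_CONTROL_MANAGER",
                     "Severity": "Error", "Message ID": 5436},
        "client_detail": {**base, "Source": "Client", "Message type": "Detail",
                          "Component": "CcmExec", "Severity": "Informational",
                          "Message ID": 10001},
        "warning": {**base, "Component": "SMS_STATUS_MANAGER",
                    "Severity": "Warning", "Message ID": 4701},
    }


if __name__ == "__main__":
    for label, msg in sample_messages().items():
        print(label, process_status_message(msg, sample_rules()))
```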

Configure status reporting


1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. Select a site, and then on the Home tab of the ribbon, in the Settings group, select
Configure Site Components, and then select Status Reporting.

3. In the Status Reporting Component Properties window, specify the server and
client component status messages that you want to report or log:

Report: Send status messages to the Configuration Manager status message
system. By default, this option is enabled for All Milestones for both server
and client components. The option to Report details on failure is also
enabled by default.

Log: Write the type and severity of status messages to the Windows event
log. By default, this option isn't enabled for either server or client
components.

Monitor the status system


System status in Configuration Manager provides an overview of the general operations
of sites and site server operations of your hierarchy. It can reveal operational problems
for site system servers or components. You can use the system status to review specific
details for different Configuration Manager operations. You monitor system status from
the System Status node of the Monitoring workspace in the Configuration Manager
console.

Most Configuration Manager site system roles and components generate status
messages. Status message details are logged in each component's operational log, but
are also submitted to the site database. The site then summarizes and presents them in
a general health rollup for each component or site system. These status message rollups
provide information details for regular operations, and details of warnings and errors.
You can configure the thresholds at which the site triggers warnings or errors. Tune the
system in your environment to make sure rollup information ignores known issues that
aren't relevant to you. Also configure it to call attention to actual problems that you
need to investigate.

System status is replicated to other sites in a hierarchy as site data, not global data. This
behavior means you can only see the status for the site to which your Configuration
Manager console connects, and any child sites below that site. When you view system
status, use the Configuration Manager console with the top-level site of your hierarchy.
For more information on site data versus global data, see Database replication: Types of
data.

There are different system status views in the Configuration Manager console:

Site Status: View a rollup of the status of each site system to review the health of
each server. The site determines site system health by thresholds that you
configure for each site in the Site System Status Summarizer. In this node:
    View status messages for each site system
    Set thresholds for status messages
    Manage the operation of the components on site systems by using the
    Configuration Manager Service Manager

Component Status: View a rollup of the status of each Configuration Manager
component to review its operational health. The site determines component health
by thresholds that you configure for each site in the Component Status
Summarizer. In this node:
    View status messages for each component
    Set thresholds for status messages
    Manage the operation of components by using the Configuration Manager
    Service Manager

Conflicting Records: View status messages about clients that might have
conflicting records. Configuration Manager uses the hardware ID to attempt to
identify clients that might be duplicates and alert you to the conflicting records.
For example, if you have to reinstall a computer, the hardware ID would be the
same, but the GUID that Configuration Manager uses might change.

Status Message Queries: Query status messages for specific events and related
details. Use status message queries to find the status messages related to specific
events. You can identify when a specific component, operation, or Configuration
Manager object was modified, and the account that was used to make the
modification. For example, run the built-in Collections Created, Modified, or
Deleted query to identify when a specific collection was created, and the user
account used to create it.

View status messages


1. To view status messages in the Configuration Manager console, select a specific
site system server or component.

2. In the ribbon, select Show Messages, then choose the type of messages to show:
All, Error, Warning, Information.

3. Select the viewing period. Either on or after a specific date and time, or from a
specific time period. By default, the viewing period is 1 day ago.

4. The Status Message Viewer has many controls to customize the view. For example,
to filter the results based on the status messages details, go to the View menu, and
select Filter.

Starting in version 2010, there's an easier way to view status messages for the following
objects:

Devices
Users
Content
Deployments
Monitoring workspace
    Phased deployments (select Show Deployments from the Phased
    Deployments node)
Deployments tab in the details pane for:
    Packages
    Task sequences

Select one of these objects in the Configuration Manager console, and then select Show
Status Messages from the ribbon.

Next steps

Configure alerts

Configuration Manager Service Manager

Configure alerts in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configure alerts to understand the state of your Configuration Manager environment.


Configuration Manager generates alerts by some operations when a specific condition
occurs:

Typically, when an error occurs that you need to resolve.

To warn you that a condition exists, so that you can continue to monitor the
situation.

Some alerts you configure, such as alerts for endpoint protection and client status.
Configuration Manager automatically configures other alerts.

You can configure subscriptions to alerts. Subscriptions can send details by email, which
increases your awareness of key issues.

Manage general alerts


In the Configuration Manager console, go to the Monitoring workspace, expand Alerts,
and then select Active Alerts or All Alerts.

The following actions are available on alerts in these nodes:

Postpone: Suspend monitoring this alert until the specified date is reached. At that
time, the site updates the state of the alert. You can only postpone an enabled
alert. When you postpone an alert, you can also add a comment.

Edit Comments: Enter a comment for the selected alerts. These comments display
with the alert in the Configuration Manager console.

Configure: Modify the name, severity, and definition for the selected alert. If you
change the severity of the alert, this configuration affects how the alerts are
displayed in the Configuration Manager console.

Create subscription: Create an email subscription to the selected alert. For more
information, see Email alerts.

Configure client status alerts

1. In the Configuration Manager console, go to the Assets and Compliance
workspace, and select the Device Collections node.

2. Select the collection for which you want to configure alerts. In the Home tab of the
ribbon, in the Properties group, select Properties.

Note

You can't configure alerts for user collections.

3. Switch to the Alerts tab, and select Add.

Note

The Alerts tab is only visible if your security role has permissions for alerts.

4. Choose the alerts that you want the site to generate when client status thresholds
fall below a specific value:

Client check pass or no results for active clients falls below threshold (%)
Client remediation success falls below the threshold (%)
Client activity falls below threshold (%)

5. In the Conditions list of the Alerts tab, select each client status alert, and then
specify the following information:

Alert Name: Accept the default name or enter a new name for the alert.

Alert Severity: Choose the alert level that displays in the Configuration
Manager console: Information, Warning, or Critical.

Raise alert if...: Specify the threshold percentage for the alert.

6. Select OK to save the alerts and close the collection properties.

Email alerts

You can create an email subscription for alerts. When the site triggers an alert, it can
then send you an email notification.

Configure email notification for alerts

Before you can subscribe to email alerts, you need to configure the site to send email
notifications. You'll need information about an SMTP email server.

Tip

If you use Microsoft 365, use the following information:

SMTP server: smtp.office365.com
Port: 587
This server requires an encrypted connection (SSL)

1. In the Configuration Manager console, go to the Monitoring workspace, expand
Alerts, and select the Subscriptions node.

2. On the Home tab of the ribbon, in the Create group, select Configure Email
Notification.

3. Specify the following information:

Enable email notification for alerts: Allow Configuration Manager to use an
SMTP server to send email alerts.

FQDN or IP Address of the SMTP server to send email alerts: Enter the fully
qualified domain name (FQDN) or IP address for the email server to use for
these alerts.

Port: Specify the SMTP port for the email server to use for these alerts. For
example, 587 .

This server requires an encrypted connection (SSL): Require that the site
creates an encrypted connection with the SMTP server.

SMTP Server Connection Account: Specify the authentication method for
Configuration Manager to use to connect to the email server.

Important

Specify an account that has the least possible permissions to send
emails.

Sender address for email alerts: Specify the email address from which alert
emails are sent.

Test SMTP Server: Sends a test email to the email address specified in Sender
address for email alerts.

4. Select OK to save the settings and to close the window.

Subscribe to email alerts


1. In the Configuration Manager console, go to the Monitoring workspace, expand
Alerts, and select either Active Alerts or All Alerts.

2. Select an alert. On the Home tab of the ribbon, in the Subscription group, select
Create subscription.

3. In the New Subscription window, specify the following information:

Subscription name: Enter a name to identify the email subscription. You can
use up to 255 characters.

Email address: Enter the recipient email addresses to get this alert. Separate
multiple email addresses with a semicolon ( ; ).

Email language: Select the language for the email.

4. Select OK to close the New Subscription window and to create the email
subscription.

To edit or delete a subscription, select the Subscriptions node under Alerts.

Monitor alerts

You can view alerts in one of the Alerts nodes of the Monitoring workspace. Alerts have
one of the following alert states:

Never triggered: The component hasn't met the condition of the alert.

Active: The site triggered the alert when the component met the condition.

Canceled: The condition that caused the alert is now resolved.

Postponed: An administrator suspended monitoring of the alert. Configuration
Manager will evaluate the state of the alert at a later time.

Disabled: An administrator disabled the alert. Configuration Manager doesn't
update the alert even if the state of the alert changes.

When Configuration Manager generates an alert, you can take one of the following
actions:

Resolve the condition that caused the alert. For example, you resolve a network
issue. After Configuration Manager detects that the issue no longer exists, the alert
state changes to Canceled.

If the alert is a known issue, postpone the alert until a specific time. At that later
time, Configuration Manager updates the alert to its current state.

You can only postpone an alert when it's active.

Edit the Comment of an alert. This action informs other administrators that you're
aware of the alert. For example, in the comment you can identify how to resolve
the condition, provide information about the current status of the condition, or
explain why you postponed the alert.

External notifications

Starting in version 2107, you can enable the site to send notifications to an external
system or application. This capability simplifies the process by using a web service-
based method. You configure subscriptions to send these notifications. These
notifications are in response to specific, defined events as they occur, for example,
when a status message matches a status filter rule. For more information, see External notifications.

Next steps

Configure endpoint protection alerts for a collection

Configure client status alerts for a collection


External notifications
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

In a complex IT environment, you may have an automation system like Azure Logic
Apps. Customers use these systems to define and control automated workflows to
integrate multiple systems. You could integrate Configuration Manager into a separate
automation system through the product's SDK APIs. But this process can be complex
and challenging for IT professionals without a software development background.

Starting in version 2107, you can enable the site to send notifications to an external
system or application. This feature simplifies the process by using a web service-based
method. You configure subscriptions to send these notifications. These notifications are
in response to specific, defined events as they occur, for example, when a status message
matches a status filter rule.

Note

The external system or application defines and provides the methods that this
feature calls.

When you set up this feature, the site opens a communication channel with the external
system. That system can then start a complex workflow or action that doesn't exist in
Configuration Manager.

Starting in version 2111, use the Configuration Manager console to create or edit
subscriptions for external notifications. This article now focuses on that experience. If
you're using version 2107, see Configuration Manager version 2107.

Prerequisites

Create the subscription on the top-level site of the hierarchy. This site is either a
standalone primary site, or a central administration site (CAS). You can view and
modify an existing subscription on any site in a hierarchy.

The site's service connection point needs to be in online mode. For more
information, see About the service connection point.

Currently, this feature only supports Azure Logic Apps as the external system. An
active Azure subscription with rights to create a logic app is required.
The service connection point needs to communicate with the notification service,
for example Azure Logic Apps. For more information, see Internet access
requirements.

To create an event type for an application approval request, the site needs an app
that requires approval and is deployed to a user collection. For more information,
see Deploy applications and Approve applications.

Permissions

You can configure the following permissions to the NotificationSubscription object:
Read, Delete, Modify, Create.

The Full administrator default security role has these permissions.

The Read only analyst default security role has the Read permission.

In version 2107, users also need the All security scope. In version 2111 and later, you
can't scope the subscription objects. If needed, you can use scopes on the Site object, to
which users need at least read permission.

Other permissions may be required for custom roles. Use the following table to
understand what's needed:

The table's columns, in order, are: Action, Alerts: Read, Site: Read, Notify: Read,
Notify: Modify, Notify: Create, Notify: Delete, Site: Manage SFR.

View subscription: X X
Modify subscription: X X X X
Create subscription (Note 1): X X X X
Delete subscription: X X X
Create new SFR: X X X Note 2 Note 2 X
Add existing SFR: X X X Note 2 Note 2
Add app approval: X X X Note 2 Note 2

The above table uses the following shorthand:

Notify: Notification subscription objects
SFR: Status filter rule

Note 1: Top-level site in hierarchy

Create the subscription on the top-level site of the hierarchy. This site is either a
standalone primary site, or a CAS. You can view and modify an existing subscription on
any site in a hierarchy.

Note 2: Modify and Create permissions for event actions

When managing events on the subscription, the permissions to Modify or Create on the
Notification subscription object depend upon whether you need to modify or create
the event. For example, if you have the Create permission, then you can add a status
filter rule to the subscription. If you don't have the Modify permission, then you can't
make changes to the subscription events.

Create an Azure logic app and workflow


Use the following process to create a sample app in Azure Logic Apps to receive the
notification from Configuration Manager.

Note

This process is provided as an example to help you get started. It's not intended for
production use.

1. Sign in to the Azure portal.

2. In the Azure search box, enter logic apps, and select Logic Apps.

3. Select Add and choose Consumption. This action creates a new logic app.

4. On the Basics tab, specify the project details as necessary for your environment:
subscription name, resource group, logic app name, and region.

5. Select Review + create. On the validation page, confirm the details that you
provided, and select Create.

6. Under Next steps, select Go to resource.

7. Under the section to Start with a common trigger, select When a HTTP request is
received.

8. At the bottom of the trigger editor, select Use sample payload to generate
schema.
9. Paste the following sample payload:

JSON

{
  "EventID": 0,
  "EventName": "",
  "SiteCode": "",
  "ServerName": "",
  "MessageID": 0,
  "Source": "",
  "EventPayload": ""
}

10. Select Done and then select Save.

11. Copy the generated URL for the logic app. You'll use this URL later when you create
the subscription in Configuration Manager.

Note

The URL from Azure for the logic app includes the secret key. When saved in
Configuration Manager, it's protected the same as any other password or
secret key. If your environment uses a proxy server or other network
inspection device, there's a risk that it will log this URL and expose the secret
key. Control access to such systems, and be prepared to renew the secret key
for the logic app in the Azure portal. You can also set an expiration date for
the secret key in the Azure portal. For more information, see Secure your
logic apps.

12. To add a new step in the designer, select + New Step. Choose an appropriate
action when it receives a notification from Configuration Manager. For example:

To send an email, use the Office 365 Outlook connector.
To post a message to Teams, use the Microsoft Teams connector.

Sign in if necessary and complete the required information for the action. For more
information, see the Create logic apps quickstart in the Azure Logic Apps
documentation.

Notification schema

These notifications use the following standardized schema:

JSON

{
  "properties": {
    "EventID": {
      "type": "integer"
    },
    "EventName": {
      "type": "string"
    },
    "EventPayload": {
      "type": "string"
    },
    "MessageID": {
      "type": "string"
    },
    "ServerName": {
      "type": "string"
    },
    "SiteCode": {
      "type": "string"
    },
    "Source": {
      "type": "string"
    }
  },
  "type": "object"
}
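The added example below (not from the Configuration Manager docs or product code) serves two passages: it checks an inbound notification body against the schema above on the receiving side, and, for the note earlier about the logic app URL carrying the secret key, it redacts the signature parameter before such a URL is written to a log. The hostname, workflow ID and signature in the test URL are constructed placeholders; the check follows the documented schema, so it types MessageID as a string even though the sample payload for the trigger shows 0.

```python
"""Receiver-side checks for Configuration Manager external notifications.
Added illustration, not product code; sample data is constructed."""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Schema exactly as documented on this page.
NOTIFICATION_SCHEMA = {
    "properties": {
        "EventID": {"type": "integer"},
        "EventName": {"type": "string"},
        "EventPayload": {"type": "string"},
        "MessageID": {"type": "string"},
        "ServerName": {"type": "string"},
        "SiteCode": {"type": "string"},
        "Source": {"type": "string"},
    },
    "type": "object",
}

# JSON 'integer' must not accept Python bools, which are int subclasses.
_TYPE_CHECKS = {
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "string": lambda v: isinstance(v, str),
}


def validate_notification(body):
    """Return a list of problems with a notification body (str or bytes);
    an empty list means the body conforms to NOTIFICATION_SCHEMA."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return ["body is not JSON: %s" % exc]
    if not isinstance(doc, dict):
        return ["body is not a JSON object"]
    problems = []
    props = NOTIFICATION_SCHEMA["properties"]
    for name, spec in props.items():
        if name not in doc:
            problems.append("missing property %s" % name)
        elif not _TYPE_CHECKS[spec["type"]](doc[name]):
            problems.append("%s must be %s" % (name, spec["type"]))
    for extra in sorted(set(doc) - set(props)):
        problems.append("unexpected property %s" % extra)
    return problems


def redact_logic_app_url(url):
    """Replace the value of the 'sig' query parameter (the shared access
    signature Azure puts in a Logic App request-trigger URL) with REDACTED,
    so the URL can be logged without exposing the secret key."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "sig" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def sample_notification():
    """Constructed notification body that conforms to the schema."""
    return json.dumps({
        "EventID": 1,
        "EventName": "StatusMessage",
        "SiteCode": "PS1",
        "ServerName": "cm01.contoso.local",
        "MessageID": "2302",
        "Source": "Site Server",
        "EventPayload": "constructed payload text",
    })


if __name__ == "__main__":
    print(validate_notification(sample_notification()))
    print(validate_notification('{"EventID": "1", "Extra": true}'))
```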

Create an event

There are two types of events that are currently supported:

The site raises a status message that matches conditions specified in a status filter
rule for external notification. You can create a new rule or use an existing one.

A user requests approval for an application in Software Center.

Note

In a hierarchy, the scope of events depends upon the event type:

Application approval events only happen at primary sites.
Status filter rules apply to the site where you create the rule using the Create
external service notification event wizard.
    If you run the wizard to create the event while connected to the CAS, it
    only triggers on matching events from the CAS.
    To subscribe to events raised by a child primary site, connect to the primary
    site. Modify the notification subscription to create a new status filter rule
    for the child primary site.

Use the following process to create an event:

1. In the Configuration Manager console, connect to the top-level site of the
hierarchy. This site is either a standalone primary site, or a CAS.

2. Go to the Monitoring workspace, expand Alerts, and select the External service
notifications node.

3. In the ribbon, select Create subscription.

4. In the New Subscription window, specify a Name for the subscription to identify it
in the Configuration Manager console. The maximum length is 254 characters.
Optionally add a Description.

5. For the External service URL value, paste the URL of the Azure Logic App that you
previously copied.

6. Select the gold asterisk to add a new event to the subscription.

a. In the Create External Service Notification Event wizard, on the Event type page,
select one of the following event types:

New status filter rule: Create a new status filter rule to use for this event.
Specify a name for the status filter rule, and then configure the filter
criteria. For more information about criteria for status message rules, see
Use the status system.

Important

Be cautious with the type of status filter rule that you create. For
external notifications, the site can process 300 status messages every
five minutes. If your rule allows more messages than this limit, it will
cause a backlog on the site. Create rules with narrow filters for
specific scenarios. Avoid generic rules that allow a lot of messages.

Existing status filter rule: Reuse a status filter rule for external notification
that already exists. It doesn't display all status filter rules, only the rules
that you created using this wizard.

User submits application request: Send an external notification for
application approval requests.

Manage events

After you create a subscription, use the External service notifications node to do the
following actions:

Properties: Edit the name, description, or events for a subscription. You can't edit
the external service URL.

Delete: Remove a subscription.

Note

You can view and modify an existing subscription on any site in a hierarchy.

When you select a subscription, the details pane shows information about the events
that have happened.

Trigger an event

The process to trigger an event depends upon the type of subscription:

For a status filter rule, trigger an event for the site component. For example, use
the Configuration Manager Service Manager to restart the component.

For an app approval request, use Software Center to request an app that requires
approval. For more information, see Software Center user guide.

Monitor the workflow


Within five minutes, the event triggers the logic app workflow. Check the status of the
workflow in the Azure portal. Navigate to the Runs history page of the logic app.

For more information, see Monitor run status, review trigger history, and set up alerts
for Azure Logic Apps.

Troubleshoot

Use the following Configuration Manager log files on the site server to help
troubleshoot this process:

ExternalNotificationsWorker.log: Check if the queue has been processed and
notifications are sent to the external system.
statmgr.log: Check if the status filter rules have been processed without errors.

Known issues

If you create a status filter rule, you'll see it in the site's list of Status filter rules in the
Configuration Manager console. If you make a change on the Actions tab of the rule
properties, the external notification won't work.

After you recover a central administration site (CAS), delete and recreate the
subscription.

Tip

Before you remove a CAS, recreate the subscriptions at the child primary site.

Configuration Manager version 2107

Important

This section and the PowerShell script only apply to version 2107. In version 2111
and later, use the Configuration Manager console to create and manage events.

Other prerequisites for version 2107


To create the objects in Configuration Manager version 2107, you need to use the
PowerShell script SetupExternalServiceNotifications.ps1. Use the following script
sample to properly get the PowerShell script to use for this feature:

PowerShell

$FileName = ".\SetupExternalServiceNotifications.ps1"
Invoke-WebRequest https://aka.ms/cmextnotificationscript -OutFile $FileName
(Get-Content $FileName -Raw).Replace("`n","`r`n") | Set-Content $FileName -Force
(Get-Content $FileName -Raw).TrimEnd("`r`n") | Set-Content $FileName -Force

Note

SetupExternalServiceNotifications.ps1 is digitally signed by Microsoft. This script
sample downloads the file and fixes the line breaks to preserve the digital
signature.

Create an event in version 2107


There are two types of events that are supported in version 2107:

The site raises a status message that matches conditions specified in a status filter
rule.

A user requests approval for an application in Software Center.

Create a status message event in version 2107


1. On the site server, run SetupExternalServiceNotifications.ps1. Since you're running
it on the site server, enter y to continue.

2. Select option 2 to create a new status filter rule.

3. Specify a name for the new status filter rule.

4. Select message-matching criteria for the rule, and specify values to match. Specify
0 to not use a criterion.

The following criteria are available:

Source: Client, SMS Provider, Site Server
Site code
System
Component
Message type: Milestone, Detail, Audit
Severity: Informational, Warning, Error
Message ID
Property
Property value

For more information about criteria for status message rules, see Use the status
system.

Important

Be cautious with the type of status filter rule that you create. For external
notifications, the site can process 300 status messages every five minutes. If
your rule allows more messages than this limit, it will cause a backlog on the
site. Create rules with narrow filters for specific scenarios. Avoid generic rules
that allow a lot of messages.

5. Rerun the PowerShell script. Select option 3 to create a new subscription.

6. Specify a name and description for the subscription. Then specify the logic app
URL that you previously copied from the Azure portal.

7. Select the new status filter rule.

8. Select 0 to exit the script.

Create an app approval event in version 2107

Note

This event type requires an application that requires approval and is deployed to a
user collection. For more information, see Deploy applications and Approve
applications.

1. On the site server, run SetupExternalServiceNotifications.ps1. Since you're running
it on the site server, enter y to continue.

2. Select option 3 to create a new subscription.

3. Specify a name and description for the subscription. Then specify the logic app
URL that you previously copied from the Azure portal.

4. Select the appropriate event for an application request.

5. Select 0 to exit the script.

Remove a subscription in version 2107


If you need to delete a subscription, use the following process:

1. Run the SetupExternalServiceNotifications.ps1 script with option 1 to list the available subscriptions. Note the subscription ID, which is an integer value.

2. Use the NotificationSubscription API of the administration service. Make a DELETE call to the URI https://<SMSProviderFQDN>/AdminService/v1.0/NotificationSubscription/<Subscription_ID>.

For more information, see How to use the administration service in Configuration Manager.

After you remove the subscription, the site doesn't send notifications to the external
system.
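The DELETE call described above, written as an added PowerShell helper that is not part of the Configuration Manager documentation or product. It assumes the administration service accepts Windows authentication over HTTPS for the calling administrative user; the function name, the FQDN and the subscription ID in the usage line are placeholders.

```powershell
# Added example (not Microsoft's code). Deletes one external notification
# subscription through the administration service REST API, using the
# DELETE URI documented above. Assumes Windows authentication on the SMS
# Provider and that the caller is a Configuration Manager administrative user.
function Remove-CMExternalNotificationSubscription {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # FQDN of the SMS Provider, for example 'cm01.contoso.local' (placeholder)
        [Parameter(Mandatory)]
        [string] $SmsProviderFqdn,

        # Integer subscription ID as listed by SetupExternalServiceNotifications.ps1 option 1
        [Parameter(Mandatory)]
        [ValidateRange(1, 2147483647)]
        [int] $SubscriptionId
    )

    # Only an integer ID reaches the URI; no user-supplied text is concatenated.
    $uri = "https://$SmsProviderFqdn/AdminService/v1.0/NotificationSubscription/$SubscriptionId"

    # -WhatIf / -Confirm support, because deleting a subscription silently
    # stops notifications to the external system.
    if ($PSCmdlet.ShouldProcess($uri, 'DELETE notification subscription')) {
        try {
            # -UseDefaultCredentials sends the current Windows identity; nothing is stored in the script.
            Invoke-RestMethod -Method Delete -Uri $uri -UseDefaultCredentials -ErrorAction Stop | Out-Null
            Write-Verbose "Deleted subscription $SubscriptionId via $uri"
            return $true
        }
        catch {
            # 404: the ID does not exist (already removed or mistyped). Anything else is re-thrown
            # so that TLS, authentication or authorization failures are not hidden.
            $response = $_.Exception.Response
            if ($response -and [int]$response.StatusCode -eq 404) {
                Write-Warning "Subscription $SubscriptionId was not found on $SmsProviderFqdn."
                return $false
            }
            throw
        }
    }
}

# Usage (placeholders): confirm the ID with option 1 of the script first, then run
# Remove-CMExternalNotificationSubscription -SmsProviderFqdn 'cm01.contoso.local' -SubscriptionId 3 -Verbose
```

Run it with -WhatIf first to see the exact URI that would be called; the function returns $true when the subscription was deleted and $false when the service reported that the ID does not exist.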

Script usage in version 2107


When you run SetupExternalServiceNotifications.ps1, it detects whether it's running on
a site server:

Y : Continue on the current server

N : Specify the FQDN of a site server to use

If the script doesn't detect a site server, it prompts for an FQDN.

The following actions are then available:

0 : Skip/continue

1 : List available subscriptions

2 : Create a status filter rule to expose status messages


3 : Create a subscription. This option is only available for the top-level site.

Note

This script is only supported for sites running version 2107 or later.

Next steps
Use the status system

Configure alerts
Monitor scenario health in Configuration Manager
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

You can use Configuration Manager to monitor the health of end-to-end scenarios. Monitoring scenario health enhances awareness of system latency and component backlogs, which are critical for cloud service-attached features. Configuration Manager simulates activities to expose performance metrics and failure points. These synthetic activities are similar to methods that Microsoft uses to monitor some components in its cloud services. Use this additional data to better understand timeframes for activities. If failures occur, it can help focus your investigation.

Starting in version 2010, Configuration Manager monitors the health for the following
two scenarios:

SQL Server Service Broker: Many of the core subsystems in Configuration Manager use the service broker.

Client action health: Monitor the health of the fast channel used for client actions.

In the Configuration Manager console, go to the Monitoring workspace, and select the
Scenario Health node. The list view displays the available scenarios:

Note

If you use a high availability option, scenario health only monitors the active node.
For the SQL Server Service Broker scenario, it only applies to the primary replica of
the SQL Server Always On availability group. The client action health scenario only
applies to the site server in active mode.

Prerequisites
Full administrator role in Configuration Manager, with scope to the top-level site

Actions for all scenarios


In the Scenario Health node, when you select a scenario, the following actions are
available in the ribbon:

Show Status: This action is the main one you'll use to view the latest results of
tests for the scenario. This action opens a window with more information. The top
section shows the overall status per site. Select a site, to see more detailed status
for that site in the bottom section.

Scenario Settings: Configure the settings for this scenario, such as whether it's enabled and the time interval in minutes.
    Enable activity simulation and measurement: Enable the scenario health checks.
    Run time interval (minute): How frequently the site runs the scenario health checks. By default, Configuration Manager tests scenarios every 30 minutes.
    Job timeout (minute): How long the site waits for a specific test to complete. By default, the timeout is one hour (60 minutes).

History: Display the previous instances of the synthetic transaction. Use this history
to track the scenario's health over time. From the history node, you can also Show
Status of a specific instance.

Run Now: Trigger the site to check the scenario health. If a previous check isn't
successful, you might use this action after you make changes to a site component.
This action creates audit status message ID 54099.

SQL Server Service Broker
The SQL Server Service Broker is a required configuration for the site database. Many of
the core subsystems in Configuration Manager use the service broker.

Configuration Manager includes the following tests for this scenario:

Ping all sites through SQL Server Service Broker
Received ping message
Received acknowledgment: Check the last update times between the first three tests. If there's a long delay, it impacts Configuration Manager performance.
Check if SQL Server Service Broker queue is enabled: This test makes sure that the ConfigMgrHMSQueue is enabled. If the queue is disabled, it impacts many core features of Configuration Manager.

Note

Not all sites run all tests.

With this health information, you can see how long it takes for SQL Server to exchange messages via the service broker. A longer delay or timeout shows a backlog in the processing queue. A failure indicates a larger problem with the service broker, such as a disabled queue. Since the SQL Server Service Broker is a core component, issues with it can impact many other scenarios, for example client notifications, client status, and some tenant attach features.

Client action health


Monitor the health of the fast channel used for client actions. If your environment is tenant attached with devices uploaded, this feature helps you see potential issues with client actions from the Microsoft Intune admin center. You can also use this feature for on-premises client actions, for example CMPivot, run scripts, and device wake-up.

Configuration Manager includes the following tests for this scenario:

Created client action: Tests that the site can create a client action using the
administration service.
CMPivot configuration: Makes sure that CMPivot is correctly configured on the
central administration site (CAS). For more detail, see rcmctrl.log.
Client action result: Tests that the CAS receives client action results from primary
sites. This test can fail if the SQL Server Service Broker is unhealthy, or the site is in
maintenance mode.
Processed client action: For more detail, see objreplmgr.log.
Client action inbox backlog: Checks the backlog for the objmgr.box inbox. If
there's a large backlog, it impacts how quickly the site sends actions to clients. For
more detail, see objreplmgr.log.
Message Processing Engine backlog: Checks the backlog for the message
processing engine. If there's a large backlog, it impacts how quickly the site
processes results for client actions. For more detail, see
SMS_MESSAGE_PROCESSING_ENGINE.log.
Management point client action backlog: Checks the backlog for the SQL Server
service broker queue ConfigMgrBGBQueue. If there's a large backlog, it impacts
how quickly the management point can push actions to clients. Check the scenario
health for the SQL Server service broker. For more detail, see the management
point's bgbserver.log.
Client action result summary: Checks the task to calculate client operation
summary. For more detail, see statesys.log.
Management point online status: Checks that management points are online and
able to send actions to clients. For details, check the management point's
ccmexec.log, bgbsetup.log, and bgbserver.log.
Client health summary: Checks the client health scheduled task. For more detail,
see statesys.log.
Client state system inbox backlog: Checks the backlog for the inbox
auth\statesys.box\incoming. If there's a large backlog, it impacts how quickly the
site processes results for client actions. For more detail, see statesys.log.

Note

Not all sites run all tests.

Next steps
Log file reference

Monitor database replication


Health attestation for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can view the status of Windows 10 Device Health Attestation in the Configuration
Manager console. Device health attestation lets you make sure that client computers
have the following trustworthy BIOS, TPM, and boot software configurations enabled:

Early-launch antimalware (ELAM) protects your computer when it starts up and before third-party drivers initialize. For more information, see the Overview of Early Launch AntiMalware.

Windows BitLocker Drive Encryption encrypts all data stored on the OS and data
volumes, including removable disks. For more information, see Plan for BitLocker
management.

Secure Boot is a security standard to help make sure that a device boots using only
software that's trusted by the PC manufacturer. For more information, see Secure
Boot.

Code Integrity improves OS security by validating the integrity of a driver or system file each time it's loaded into memory. For more information, see Enable virtualization-based protection of code integrity.

This functionality is available for on-premises resources managed by Configuration Manager and mobile devices managed with Microsoft Intune. You can specify whether reporting is done via the cloud or on-premises infrastructure. On-premises device health attestation monitoring enables you to monitor client PCs without internet access.

Enable health attestation

Requirements
Client devices running a supported version of Windows 10 or Windows Server
2016 or later, with Device health attestation enabled.

TPM 1.2 or TPM 2 enabled devices.


When using cloud management, the Configuration Manager client agent and the management point need to communicate with the health attestation service at has.spserv.microsoft.com (port 443). When on-premises, the client needs to communicate with the device health attestation-enabled management point.

How to enable health attestation service communication on Configuration Manager client computers
Use this procedure to enable device health attestation monitoring for devices that
connect to the internet.

1. In the Configuration Manager console, choose Administration > Overview > Client Settings. Select the tab for Computer Agent settings.

2. In the Default Settings dialog box, select Computer Agent and then scroll down to
Enable communication with Health Attestation Service.

3. Set Enable communication with Health Attestation Service to Yes, and then select
OK.

4. Target the collections of devices that should report device health.

How to enable on-premises health attestation service communication on Configuration Manager client computers
Use this procedure to enable device health attestation monitoring for on-premises
devices that don't connect to the internet.

You can configure the on-premises device health attestation service URL on the
management point to support client devices without internet access.

1. In the Configuration Manager console, navigate Administration > Overview > Site
Configuration > Sites.

2. Right-click the primary or secondary site with the management point that supports on-premises device health attestation clients, and select Configure site components > Management Point. The Management Point Component Properties page opens.

3. On the Advanced Options tab, select Add and specify a valid on-premises device health attestation service URL. You can add multiple URLs. If multiple on-premises URLs are specified, clients receive the full set and randomly choose which to use.

4. In the Configuration Manager console, choose Administration > Overview > Client Settings. Select the tab for Computer Agent settings.

5. Scroll down to Enable communication with Health Attestation Service, and set to
Yes.

6. Select the Use on-premises Health Attestation Service option, and set to Yes.

7. Target the collections of devices that should report device health with the client
agent settings to enable device health attestation reporting.

You can also Edit or Remove device health attestation service URLs.

Monitor device health attestation


To view the device health attestation status, in the Configuration Manager console go to
the Monitoring workspace, expand the Security node, and then select Health
Attestation.

Configuration Manager device health attestation displays the following information:

Health Attestation Status - Shows the share of devices in compliant, noncompliant, error, and unknown states

Devices Reporting Health Attestation - Shows the percentage of devices reporting Health Attestation status

Noncompliant Devices by Client Type - Shows the share of mobile devices and computers that are noncompliant

Top Missing Health Attestation Settings - Shows the number of devices missing the health attestation setting, listed per setting

Monitor database replication
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Monitor details for database replication with the Database Replication node in the Monitoring workspace of the Configuration Manager console. You can monitor the status of replication links between sites. It also shows initialization and replication of replication groups for the site to which you connect.

Tip

Although a Database Replication node also appears under the Hierarchy Configuration node in the Administration workspace, you can't view the replication status for database replication links from that location.

Replication link status


Database replication between sites involves the replication of several sets of
information, called replication groups. Each replication group sends and receives data
with different priorities. By default, you can't modify the data contained in a replication
group and the frequency of replication.

When a replication link is active, and its status isn't failed or degraded, all groups
replicate quickly. If one or more groups fail to complete replication in the expected
period of time, the link displays as degraded. Degraded links can still function, but you
should monitor them to make sure they return to active status. Investigate them to
make sure additional degradation or replication failures don't occur.

For each replication link, specify the number of times that an unsuccessfully replicated
group retries. After this number of retries, the site sets the status of the link to degraded
or failed. Even if all but one group replicates successfully, the site sets the status of the
link to degraded or failed. It sets this status because the one replication group fails to
complete replication in the specified number of attempts. For more information, see the
Database replication thresholds.

Use the following information to understand the status of replication links that might
require further investigation:

Link is active
No problems have been detected, and communication across the link is current.

While a parent site is updating to a new version, and you view the link status from the
child site, the link status displays as active. After the update, until the child site is at the
same version as the parent site, the link status displays as active when viewed from the
parent site. When viewed from the child site, it displays as being configured.

Link is degraded
Replication is functional, but at least one replication object or group is delayed. Monitor
links that are in this state. Review information from both sites on the link for indications
that the link might fail.

A link can also display a status of degraded when the site that receives replicated data is
unable to quickly commit the data to the database. This behavior happens when large
volumes of data replicate. For example, you deploy a software update to a large number
of computers. The parent site on the link might take some time to process this volume
of replicated data. A processing lag at the parent site results in it setting the link status
to degraded until it can successfully process the backlog of data.

Link has failed


Replication isn't functional. It's possible that a replication link might recover without
further action. To investigate and help remediate replication on this link, use the
Replication Link Analyzer (RLA).

This status can also indicate a problem with the physical network between the parent
and child site on the replication link.

Monitor replication status


Use the Database Replication node in the Monitoring workspace to view the status for
a replication link. View details about the database at each site on the replication link.
You can also view details about replication groups. To view these details, select a
replication link, and then select the appropriate tab for the replication status you want
to view.

The following sections give details about the different tabs for replication status:

Summary
View high-level information about the replication of site data and global data between
the two sites on a link.

Select View reports for historical traffic data to view a report that shows details about
the network bandwidth used by replication across the link.

Parent Site
For the parent site on a replication link, view details about the database, which include:

Firewall ports for the SQL Server

Free disk space

Database file locations

Certificates

Child Site
For the child site on a replication link, view details about the database, which include:

Firewall ports for the SQL Server

Free disk space

Database file locations

Certificates

Initialization Detail
View the initialization status for groups that replicate across the link. This information
can help you identify when initialization of replication data is in progress or has failed.

Use this information to identify when a site might be in interoperability mode. Interoperability mode is when the child site doesn't run the same version of Configuration Manager as the parent site.

Replication Detail
View the replication status for each group that replicates across the link. Use this information to help identify problems or delays for the replication of specific data. It can help determine the appropriate database replication thresholds for this link. For more information, see Database replication thresholds.

Tip

Replication groups for site data are sent only from the child site to the parent site. Replication groups for global data replicate in both directions.

Replication Link Analyzer


Configuration Manager includes the Replication Link Analyzer (RLA), which you use to
analyze and repair replication issues. Use RLA to remediate link failures when replication
fails. It's also useful when replication stops working but the site hasn't yet reported it as
failed.

Use RLA to remediate replication issues between the following computers in the
hierarchy:

Between a site server and the site database server

Between a site's database server and another site's database server, otherwise
known as intersite replication

Note

The direction of the replication failure doesn't matter.

Run RLA in either the Configuration Manager console or at a command prompt:

To run in the Configuration Manager console: Go to the Monitoring workspace, and select the Database Replication node. Select the replication link that you want to analyze, and then in the ribbon, select Replication Link Analyzer.

To run at a command prompt, type the following command:

%ProgramFiles(x86)%\Microsoft Endpoint Manager\AdminConsole\bin\Microsoft.ConfigurationManager.ReplicationLinkAnalyzer.Wizard.exe <source site server FQDN> <destination site server FQDN>

Important

Starting in version 1910, this path changed to use the Microsoft Endpoint Manager folder. Make sure you don't use an older version of the file that might exist in another folder.

When you run RLA, it detects problems by using a series of diagnostic rules and checks.
You view the problems that the tool identifies. When it has instructions to resolve an
issue, it displays them. If RLA can automatically remediate a problem, it presents you
with that option.

When RLA finishes, it saves the results in the following XML-based report and a log file
on the desktop of the user who runs the tool:

ReplicationAnalysis.xml

ReplicationLinkAnalysis.log

RLA stops the following services while it remediates some problems. It restarts these
services when remediation is complete:

SMS_SITE_COMPONENT_MANAGER

SMS_EXECUTIVE

If RLA fails to complete remediation, restart these services on the site server if necessary.

RLA logs all investigation and remediation actions to provide additional details that it
doesn't display in the wizard.

RLA prerequisites
The account that you use to run RLA must have the following permissions:

Local administrator rights on each computer that's involved in the replication link.

Sysadmin rights on each SQL Server database that's involved in the replication link.

Note

The account doesn't require a specific Configuration Manager role-based administration security role. An administrative user with access to the Database Replication node can run the tool in the Configuration Manager console. A system administrator with sufficient rights to each computer can run the tool at a command prompt.

RLA known issue
RLA generates SQL Server Service Broker (SSB) certificate errors for primary sites that
upgraded from System Center 2012 Configuration Manager. This issue is because of
changes in the names of the certificates in Configuration Manager current branch. You
can safely ignore these errors.

Monitoring database replication

Monitor high-level site-to-site database replication status


1. In the Configuration Manager console, go to the Monitoring workspace.

2. Select the Site Hierarchy node to open the Hierarchy Diagram view.

3. Hover the mouse pointer on the line between the two sites. View the status of
global and site data replication for these sites.

Monitor the status of a replication link


1. In the Configuration Manager console, go to the Monitoring workspace.

2. Select the Database Replication node, and then select the replication link that you
want to monitor. Then select the appropriate tab to view different details about the
replication status for that link.

Troubleshoot SQL Server replication
Article • 10/04/2022

In a multi-site hierarchy, Configuration Manager uses SQL Server replication to transfer data between sites. For more information, see Database replication.

To better understand and help troubleshoot issues with SQL Server replication, use these
diagrams.

SQL Server replication
SQL Server configuration
SQL Server performance
SQL Server replication reinitialization (reinit)
Global data reinit
Site data reinit
Reinit missing message

These troubleshooting diagrams are interconnected. Use the following diagram to understand their relationships:

For more information, see the following series of blogs from Microsoft Support:

ConfigMgr DRS Synchronization Internals
ConfigMgr 2012 Data Replication Service (DRS) Unleashed
ConfigMgr 2012 DRS – Troubleshooting FAQs
ConfigMgr 2012 DRS Initialization Internals
ConfigMgr 2012: DRS and SQL Server service broker certificate issues

SQL Server replication
Article • 10/04/2022

In a multi-site hierarchy, Configuration Manager uses SQL Server replication to transfer data between sites. For more information, see Database replication.

Use the following diagram to start troubleshooting SQL Server replication when a link
fails:

[Diagram: Troubleshoot SQL replication. Starting from a replication link failure on the CAS or a primary site, the flow first checks whether the replication group link is in a degraded or failed state (no result: end). It then checks whether the link status was recently calculated and whether SQL Server is in maintenance mode, and depending on those results continues to the SQL replication reinit, SQL performance, or SQL configuration diagram. The queries are listed below.]

Queries
This diagram uses the following queries:

Check if the replication group link is in degraded or failed state

SQL

SELECT * FROM RCM_ReplicationLinkStatus
WHERE Status IN (8, 9)

Check if replication group link is recently calculated

SQL

DECLARE @cutoffTime DATETIME
SELECT @cutoffTime = DATEADD(minute, -30, GETUTCDATE())
SELECT * FROM RCM_ReplicationLinkStatus
WHERE UpdateTime > @cutoffTime

Check SQL Server maintenance mode

SQL

SELECT * FROM ServerData
WHERE Status = 120

Next steps
SQL Server replication reinitialization (reinit)
SQL Server performance
SQL Server configuration

SQL Server configuration
Article • 10/04/2022

In a multi-site hierarchy, Configuration Manager uses SQL Server replication to transfer data between sites. For more information, see Database replication.

Use the following diagram to start troubleshooting SQL Server configuration related to
SQL Server Service Broker:

[Diagram: Troubleshoot SQL configuration related to SQL Server Service Broker (SSB). On the CAS or a primary site, check whether SQL Server can deliver SSB messages by querying sys.transmission_queue (no result: end). If rows are returned, check transmission_status; you may need to refresh the query because the column can be blank. If transmission_status reports issues, remediate them; if it is empty, run SQL Server Profiler to trace SSB events. The query and actions are listed below.]
Queries
This diagram has the following queries and actions:

Check if SQL Server can deliver SSB messages

SQL

SELECT transmission_status, *
FROM sys.transmission_queue
ORDER BY enqueue_time DESC

Remediation actions

Remediate the issues reported from transmission_status


Common issues:

Firewall configuration
Network configuration
SSB certificate misconfigured

Run SQL Server profiler to trace SSB events

Run SQL Server profiler on the CAS and primary site database to trace events related to the SQL Server Service Broker:

Audit Broker Login
Audit Broker Conversation
Events in Broker category

SQL Server performance
Article • 10/04/2022

In a multi-site hierarchy, Configuration Manager uses SQL Server replication to transfer data between sites. For more information, see Database replication.

Use the following diagram to start troubleshooting SQL Server performance that can impact replication status:

Queries
This diagram uses the following queries:

Make sure SQL Server change tracking table is cleaned up

SQL

DECLARE @RetentionUnit INT = 0;
DECLARE @RetentionPeriod INT = 0;
DECLARE @CTCutOffTime DATETIME;
DECLARE @CTMinTime DATETIME;

-- read the change tracking retention configured for the site database
SELECT @RetentionPeriod = retention_period,
       @RetentionUnit = retention_period_units
FROM sys.change_tracking_databases
WHERE database_id = DB_ID();

-- retention_period_units: 1 = minutes, 2 = hours, 3 = days
IF @RetentionUnit = 1
    SET @CTCutOffTime = DATEADD(MINUTE, -@RetentionPeriod, GETUTCDATE())
ELSE IF @RetentionUnit = 2
    SET @CTCutOffTime = DATEADD(HOUR, -@RetentionPeriod, GETUTCDATE())
ELSE IF @RetentionUnit = 3
    SET @CTCutOffTime = DATEADD(DAY, -@RetentionPeriod, GETUTCDATE())

-- give a buffer of two days
SET @CTCutOffTime = DATEADD(DAY, -2, @CTCutOffTime)

-- oldest commit still tracked; anything older than the cutoff should already be cleaned up
SELECT TOP 1 @CTMinTime = commit_time FROM sys.dm_tran_commit_table ORDER BY commit_ts ASC

IF @CTMinTime < @CTCutOffTime
    PRINT 'there is change tracking backlog, please contact Microsoft support'

Check whether current sessions that handle SQL Server Service Broker messages are blocked

SQL

SELECT
    req.session_id
    ,req.blocking_session_id
    ,req.last_wait_type
    ,req.wait_type
    ,req.wait_resource
    ,t.text
FROM sys.dm_exec_sessions s
INNER JOIN sys.dm_exec_requests req ON s.session_id = req.session_id
CROSS APPLY sys.dm_exec_sql_text(req.sql_handle) t
WHERE s.program_name = 'SMS_data_replication_service'

Check sessions asking too much memory

SQL

SELECT * FROM sys.dm_exec_query_memory_grants
ORDER BY requested_memory_kb DESC

Check sessions taking too many locks

SQL

SELECT TOP 10 request_session_id,
    program_name = (SELECT program_name FROM sys.dm_exec_sessions WHERE session_id = request_session_id),
    COUNT(*) num_locks
FROM sys.dm_tran_locks
GROUP BY request_session_id
ORDER BY COUNT(*) DESC

See also
SQL Server configuration

SQL Server replication reinit
Article • 10/04/2022

In a multi-site hierarchy, Configuration Manager uses SQL Server replication to transfer data between sites. For more information, see Database replication.

Use the following diagram to start troubleshooting SQL Server replication reinitialization
(reinit):

[Diagram: Troubleshoot SQL replication reinitialization (reinit). On the CAS or a primary site, check whether the site is in maintenance mode (no result: end). Then check which replication group hasn't completed reinit, and whether it is global data (continue to Global data reinit) or site data (continue to Site data reinit); if neither check returns a result, continue to SQL configuration. The queries are listed below.]
Queries
This diagram uses the following queries:

Check if site is in maintenance mode

SQL

SELECT * FROM ServerData
WHERE Status = 120

Check which replication group hasn't completed reinit

SQL

SELECT * FROM RCM_DrsInitializationTracking
WHERE InitializationStatus NOT IN (6,7)

Check global data

SQL

SELECT * FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
AND rg.ReplicationPattern = N'GLOBAL'

Check site data

SQL

SELECT * FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
AND rg.ReplicationPattern = N'Site'

Next steps
Global data reinit
Site data reinit
SQL Server configuration

Troubleshoot global data reinit
Article • 10/04/2022

In a multi-site hierarchy, Configuration Manager uses SQL Server replication to transfer data between sites. For more information, see Database replication.

Use the following diagram to start troubleshooting SQL Server replication reinitialization (reinit) for global data in a Configuration Manager hierarchy:

[Diagram: Troubleshoot SQL replication reinit for global data. The flow recovered from the diagram is:

1. On both the CAS and the primary site, check whether site replication hasn't finished reinit (no result: end).
2. Get the TrackingGuid and InitializationStatus from the primary site.
3. Get the TrackingGuid and InitializationStatus from the CAS for that tracking GUID (no result: continue to Reinit missing message).
4. Check InitializationStatus. The diagram distinguishes the values 3, 4, 5 and 99; one branch continues to Reinit failed, and another checks the request status for the tracking ID in RCM_InitPackageRequest.
5. Interpret the request Status together with the site logs:
   - Rcmctrl.log (primary site): RCM on the primary site is BCP-ing in the data. Look for "BcpIn for group <group name>" and "Failed to BCP in for table <table name>".
   - Status == 1: RCM is preparing the data; check rcmctrl.log on the CAS for BCP progress. Rcmctrl.log (CAS): "Creating init package for replication group <replication group> for site <CAS>".
   - Status == 2: RCM has finished BCP of the data and is creating and compressing the package. Rcmctrl.log (CAS): "Created minijob to send compressed copy of DRS INIT BCP Package to site <CAS>. Transfer root = <CAB file to transfer>".
   - Status == 3: File replication job created; check sender.log on the primary site for progress. Sender.log (CAS): "Sending completed [CAB file to transfer]".
   - File replication job done; check despoolr.log on the primary site for progress. Despoolr.log (primary site): "Verified Package signature", "Executing instruction of type MICROSOFT|SMS|MINIJOBINSTRUCTION|DRSINIT", "...", "Decompressing snapshot package <compressed file> to [rcm inbox]".

The queries are listed below.]

Queries
This diagram uses the following queries. Replace @trackingGuid and @trackGuid with the
RequestTrackingGUID returned by the previous query, or declare it first as a
uniqueidentifier variable.

Check if site replication hasn't finished reinit

SQL

SELECT * FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
AND rg.ReplicationPattern=N'Global'

Get the TrackingGuid & Status from the primary site

SQL

SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
AND rg.ReplicationPattern=N'Global'

Get the TrackingGuid & Status from the CAS

SQL

SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
WHERE RequestTrackingGUID=@trackingGuid

Check request status for the tracking ID

SQL

SELECT Status FROM RCM_InitPackageRequest
WHERE RequestTrackingGUID=@trackGuid

Next steps
Reinit missing message
Troubleshoot site data reinit
Article • 10/04/2022

In a multi-site hierarchy, Configuration Manager uses SQL Server replication to transfer
data between sites. For more information, see Database replication.

Use the following diagram to start troubleshooting SQL Server replication reinitialization
(reinit) for site data in a Configuration Manager hierarchy:

[Diagram: Troubleshoot site data reinit. The flowchart is reproduced below as steps; the
SQL it refers to is listed in the Queries section that follows. For site data the primary
site is the publishing site and the CAS is the subscriber.]

1. Start on both the CAS and the primary site: run the Check if site replication hasn't
   finished reinit query (ReplicationPattern = Site).
   No result: the reinit has finished. End.
   Has result: continue.

2. Get the TrackingGuid & Status from the CAS.

3. Get the TrackingGuid & Status from the primary site for that RequestTrackingGUID.
   No result: continue to Reinit missing message.
   Has result: check InitializationStatus.

4. InitializationStatus == 4 or == 99: continue to Reinit failed.

5. InitializationStatus == 5: RCM on the CAS is BCPing the data in. Check rcmctrl.log on
   the CAS for "BcpIn for group <group name>". A failure is logged as "Failed to BCP in for
   table <table name>".

6. InitializationStatus == 3: run Check primary site isn't in maintenance mode on the
   primary site.
   No result: continue to Global data reinit.
   Has result: run Check request status for the tracking ID (RCM_InitPackageRequest) and
   read the Status value:
   == 1: RCM is preparing the data. Check rcmctrl.log on the primary site for BCP
   progress: "Creating init package for replication group <replication group> for site
   <CAS>".
   == 2: RCM has finished BCPing the data out and is creating/compressing the package.
   rcmctrl.log on the primary site shows "Created minijob to send compressed copy of DRS
   INIT BCP Package to site <CAS>. Transfer root = <CAB file to transfer>".
   == 3: the file replication job is created. Check sender.log on the primary site for
   "Sending completed [CAB file to transfer]". Once the job is done, check despoolr.log on
   the CAS for "Verified Package signature", "Executing instruction of type
   MICROSOFT|SMS|MINIJOBINSTRUCTION|DRSINIT" and "Decompressing snapshot package
   <compressed file> to [rcm inbox]".
Queries
This diagram uses the following queries. Replace @trackingGuid and @trackGuid with the
RequestTrackingGUID returned by the previous query, or declare it first as a
uniqueidentifier variable.

Check if site replication hasn't finished reinit

SQL

SELECT * FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
AND rg.ReplicationPattern=N'Site'

Get the TrackingGuid & Status from the CAS

SQL

SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
AND rg.ReplicationPattern=N'Site'

Get the TrackingGuid & Status from the primary site

SQL

SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
WHERE RequestTrackingGUID=@trackingGuid

Check primary site isn't in maintenance mode

SQL

SELECT * FROM ServerData
WHERE SiteStatus = 125
AND SiteCode=dbo.fnGetSiteCode()
AND ServerRole=N'Peer'

Check request status for the tracking ID

SQL

SELECT Status FROM RCM_InitPackageRequest
WHERE RequestTrackingGUID=@trackGuid
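The global data and site data flowcharts above can be walked from a PowerShell session instead of by hand. The following script is an added example; it is not part of the Configuration Manager documentation or product. It runs the page's queries against the subscriber and publisher site databases with Invoke-Sqlcmd (SqlServer module, assumed installed, with read access to both databases), refuses a tracking GUID that does not parse before splicing it into T-SQL, and maps InitializationStatus and RCM_InitPackageRequest.Status to the next log to look at. Server and database names are placeholders, and the script reads "Check InitializationStatus" as the status on the publisher's row, which is the last query the diagram runs before that decision.

```powershell
#Requires -Modules SqlServer
# Added example, not from the Configuration Manager documentation. Assumes the SqlServer
# module (Invoke-Sqlcmd) and read access to both site databases. Names are placeholders.

function Invoke-SiteDbQuery {
    param([string]$Instance, [string]$Database, [string]$Query)
    # Always hand back an array so callers can test for "no result" and index rows safely.
    return @(Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $Query)
}

function Get-DrsReinitState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SubscriberInstance,  # global data: primary SQL; site data: CAS SQL
        [Parameter(Mandatory)][string]$SubscriberDatabase,  # e.g. CM_PR1
        [Parameter(Mandatory)][string]$PublisherInstance,   # global data: CAS SQL; site data: primary SQL
        [Parameter(Mandatory)][string]$PublisherDatabase,   # e.g. CM_CAS
        [ValidateSet('Global', 'Site')][string]$Pattern = 'Global'
    )

    # Step 1: unfinished reinit rows on the subscriber for this replication pattern.
    $pending = @(Invoke-SiteDbQuery $SubscriberInstance $SubscriberDatabase @"
SELECT dt.RequestTrackingGUID, dt.InitializationStatus, rg.ReplicationGroup
FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7) AND rg.ReplicationPattern = N'$Pattern'
"@)
    if ($pending.Count -eq 0) { Write-Verbose 'No unfinished reinit: end.'; return }

    foreach ($row in $pending) {
        # The GUID is spliced into T-SQL text, so only accept a value that parses as a GUID.
        $guid = [guid]::Empty
        if (-not [guid]::TryParse([string]$row.RequestTrackingGUID, [ref]$guid)) {
            throw "RequestTrackingGUID is not a GUID: $($row.RequestTrackingGUID)"
        }
        $state = [pscustomobject]@{
            ReplicationGroup = $row.ReplicationGroup
            TrackingGuid     = $guid
            SubscriberStatus = [int]$row.InitializationStatus
            PublisherStatus  = $null
            PackageStatus    = $null
            NextStep         = $null
        }

        # Step 2: does the publisher track the same request? If not: "Reinit missing message".
        $pub = @(Invoke-SiteDbQuery $PublisherInstance $PublisherDatabase @"
SELECT InitializationStatus FROM RCM_DrsInitializationTracking WHERE RequestTrackingGUID = '$guid'
"@)
        if ($pub.Count -eq 0) { $state.NextStep = 'Reinit missing message'; $state; continue }
        $state.PublisherStatus = [int]$pub[0].InitializationStatus

        # Step 3: branch on InitializationStatus the way the flowcharts do.
        switch ($state.PublisherStatus) {
            { $_ -eq 4 -or $_ -eq 99 } { $state.NextStep = 'Reinit failed'; break }
            5 { $state.NextStep = "Subscriber is BCPing data in: check rcmctrl.log on the subscriber for 'BcpIn for group' / 'Failed to BCP in for table'"; break }
            3 {
                if ($Pattern -eq 'Site') {
                    # Site data only: the primary site must not be in maintenance mode.
                    $maint = @(Invoke-SiteDbQuery $PublisherInstance $PublisherDatabase @"
SELECT * FROM ServerData WHERE SiteStatus = 125 AND SiteCode = dbo.fnGetSiteCode() AND ServerRole = N'Peer'
"@)
                    if ($maint.Count -eq 0) { $state.NextStep = 'Continue to Global data reinit'; break }
                }
                $pkg = @(Invoke-SiteDbQuery $PublisherInstance $PublisherDatabase @"
SELECT Status FROM RCM_InitPackageRequest WHERE RequestTrackingGUID = '$guid'
"@)
                if ($pkg.Count -eq 0) {
                    $state.NextStep = 'No RCM_InitPackageRequest row for this tracking ID on the publisher'
                } else {
                    $state.PackageStatus = [int]$pkg[0].Status
                    $state.NextStep = switch ($state.PackageStatus) {
                        1 { 'Publisher is preparing data: rcmctrl.log on the publisher, "Creating init package for replication group"' }
                        2 { 'Publisher is compressing the package: rcmctrl.log on the publisher, "Created minijob to send compressed copy of DRS INIT BCP Package"' }
                        3 { 'Package in transit: sender.log on the publisher ("Sending completed"), then despoolr.log on the subscriber ("Verified Package signature", DRSINIT, "Decompressing snapshot package")' }
                        default { "RCM_InitPackageRequest.Status $_ is not covered by the flowchart" }
                    }
                }
            }
            default { $state.NextStep = "InitializationStatus $_ is not covered by the flowchart" }
        }
        $state
    }
}

# Global data: the primary site is the subscriber and the CAS the publisher.
# Get-DrsReinitState -SubscriberInstance 'PR1SQL' -SubscriberDatabase 'CM_PR1' `
#     -PublisherInstance 'CASSQL' -PublisherDatabase 'CM_CAS' -Pattern Global | Format-List
# Site data: swap the two roles and pass -Pattern Site.
```

Run it with the primary site as subscriber and the CAS as publisher for global data, and the other way round with -Pattern Site for site data. SqlServer module versions from 22.0 onward encrypt the connection by default; if the site database's certificate isn't trusted by the machine you run this on, add -Encrypt Optional or -TrustServerCertificate to the Invoke-Sqlcmd call in Invoke-SiteDbQuery rather than disabling validation elsewhere.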

Next steps
Reinit missing message
Global data reinit
Reinit missing message
Article • 10/04/2022

In a multi-site hierarchy, Configuration Manager uses SQL Server replication to transfer
data between sites. For more information, see Database replication.

Use the following diagram to start troubleshooting a missing message with SQL Server
replication reinitialization (reinit):

[Diagram: Troubleshoot reinit missing message. The flowchart is reproduced below as steps;
the SQL it refers to is listed in the Queries section that follows.]

1. Start on both the subscriber site and the publishing site: run the Check if site
   replication hasn't finished reinit query (no ReplicationPattern filter).
   No result: End.
   Has result: continue.

2. Get the TrackingGuid & Status from the subscriber site.

3. Get the TrackingGuid & Status from the publishing site for that RequestTrackingGUID.
   Has result: go to SQL replication reinit (the global data reinit or site data reinit
   flow).
   No result: take the remediation actions below.
Queries
This diagram uses the following queries. Replace @trackingGuid with the
RequestTrackingGUID returned by the previous query, or declare it first as a
uniqueidentifier variable.

Check if site replication hasn't finished reinit

SQL

SELECT * FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)

Get the TrackingGuid & Status from subscriber site

SQL

SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)

Get the TrackingGuid & Status from the publishing site

SQL

SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
WHERE RequestTrackingGUID=@trackingGuid

Remediation actions

Version 1902 and later


To detect the issue and reinit, run the Replication Link Analyzer.

Version 1810 and earlier


Run the following SQL query to get the ReplicationGroupID:

SQL

SELECT rd.ID AS ReplicationGroupID from ReplicationData rd
INNER JOIN RCM_DrsInitializationTracking it ON rd.ReplicationGroup = it.ReplicationGroup
WHERE it.RequestTrackingGUID=@trackingGuid

Then use the InitializeData method on the SMS_ReplicationGroup WMI class with the
following values:

ReplicationGroupID: from the SQL query above


SiteCode1: parent site
SiteCode2: child site

For more information, see InitializeData method in class SMS_ReplicationGroup.

Example

PowerShell

Invoke-WmiMethod -Namespace "root\sms\site_CAS" -Class SMS_ReplicationGroup -Name InitializeData -ArgumentList "20", "CAS", "PR1"

In this example the SMS Provider namespace is for site CAS, ReplicationGroupID is 20, the
parent site is CAS, and the child site is PR1.
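The "Version 1810 and earlier" remediation above is two manual steps: a SQL query for the ReplicationGroupID, then a WMI method call with positionally ordered arguments. The following script is an added example, not part of the Configuration Manager documentation or product, that does both in one go. It assumes the SqlServer module, that the SMS Provider is reachable over CIM, and that InitializeData takes ReplicationGroupID (uint32), SiteCode1 and SiteCode2 under those names, as in the SDK reference the page links to; server, database and site names are placeholders. Arguments are passed by name so the call cannot silently bind the wrong site code to the wrong parameter, and -WhatIf is supported so the groups can be reviewed before anything is reinitialized.

```powershell
#Requires -Modules SqlServer
# Added example, not from the Configuration Manager documentation. Assumes the SqlServer
# module, a reachable SMS Provider, and the InitializeData parameter names from the SDK
# (ReplicationGroupID, SiteCode1, SiteCode2). Names are placeholders.

function Start-DrsReplicationGroupReinit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SqlInstance,       # site database holding the tracking row
        [Parameter(Mandatory)][string]$Database,          # e.g. CM_PR1
        [Parameter(Mandatory)][string]$TrackingGuid,      # RequestTrackingGUID from the tracking query
        [Parameter(Mandatory)][string]$ProviderSiteCode,  # site whose SMS Provider you call, e.g. CAS
        [Parameter(Mandatory)][string]$ParentSiteCode,    # SiteCode1
        [Parameter(Mandatory)][string]$ChildSiteCode,     # SiteCode2
        [string]$ProviderComputer                         # omit when the provider is local
    )

    # Validate everything that ends up inside T-SQL text or a WMI namespace path.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($TrackingGuid, [ref]$guid)) { throw "Not a GUID: $TrackingGuid" }
    foreach ($code in @($ProviderSiteCode, $ParentSiteCode, $ChildSiteCode)) {
        if ($code -notmatch '^[A-Za-z0-9]{3}$') { throw "Not a site code: $code" }
    }

    # The page's query for ReplicationGroupID. A tracked request can cover more than one
    # replication group, so keep the result as an array and act on each row.
    $groups = @(Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query @"
SELECT rd.ID AS ReplicationGroupID, rd.ReplicationGroup
FROM ReplicationData rd
INNER JOIN RCM_DrsInitializationTracking it ON rd.ReplicationGroup = it.ReplicationGroup
WHERE it.RequestTrackingGUID = '$guid'
"@)
    if ($groups.Count -eq 0) { throw "No replication group is tracked under $guid" }

    $cim = @{ Namespace = "root\sms\site_$ProviderSiteCode"; ClassName = 'SMS_ReplicationGroup' }
    if ($ProviderComputer) { $cim.ComputerName = $ProviderComputer }

    foreach ($g in $groups) {
        $target = "replication group $($g.ReplicationGroup) (ID $($g.ReplicationGroupID)), $ParentSiteCode -> $ChildSiteCode"
        # ShouldProcess honours -WhatIf and -Confirm; nothing is reinitialized until approved.
        if (-not $PSCmdlet.ShouldProcess($target, 'InitializeData')) { continue }
        $result = Invoke-CimMethod @cim -MethodName InitializeData -Arguments @{
            ReplicationGroupID = [uint32]$g.ReplicationGroupID
            SiteCode1          = $ParentSiteCode
            SiteCode2          = $ChildSiteCode
        }
        [pscustomobject]@{
            ReplicationGroup   = $g.ReplicationGroup
            ReplicationGroupID = [int]$g.ReplicationGroupID
            ReturnValue        = $result.ReturnValue   # WMI convention: 0 means the call was accepted
        }
    }
}

# Review first, then run without -WhatIf:
# Start-DrsReplicationGroupReinit -SqlInstance 'PR1SQL' -Database 'CM_PR1' `
#     -TrackingGuid '<RequestTrackingGUID from the tracking query>' `
#     -ProviderSiteCode 'CAS' -ParentSiteCode 'CAS' -ChildSiteCode 'PR1' -WhatIf
```

The site code check is deliberately strict (three alphanumerics) because the value is interpolated into the WMI namespace path; the GUID is parsed rather than pattern-matched because it is interpolated into the query. Both come from a ticket or a log in practice, which is exactly the kind of input worth validating before it reaches a site database or the SMS Provider.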

Next steps
SQL Server replication reinitialization (reinit)
Introduction to queries in Configuration
Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can create and run queries to locate objects in a Configuration Manager hierarchy
that match your query criteria. These objects include items like specific types of
computers or user groups. Queries can return most types of Configuration Manager
objects, which include sites, collections, applications, and inventory data.

Query creation overview


When you create a query, you must specify a minimum of two parameters: where you
want to search and what you want to search for. For example, to find the amount of
hard drive space that's available on all computers in a Configuration Manager site, you
can create a query to search the Logical Disk attribute class and the Free Space (MB)
attribute for available hard drive space.

After you create an initial query, you can specify additional query criteria. For example,
you can specify that the query results include only computers that are assigned to a
specified site. You can also change how results are displayed so you can view the results
in an order that's meaningful to you. For example, you can specify that the results are
sorted by the amount of free hard drive space, in either ascending or descending order.

When you create a query, it's stored by Configuration Manager and displayed in the
Queries node in the Monitoring workspace. From this location, you can create new
queries and run, update, and manage existing queries.

You can also import a query into a query rule in a Configuration Manager collection. For
more information, see How to create collections.

Next steps
How to create queries
How to manage queries in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article can help you manage queries in Configuration Manager.

For information about how to create queries, see How to create queries.

Manage queries
In the Monitoring workspace, select Queries, select the query to manage, and then
select a management task.

The following table provides information about the management tasks.

Management task: Details

Run: Runs the selected query and displays the results in the Configuration Manager
console.

Install Client: Opens the Install Client Wizard, which lets you install the Configuration
Manager client on computers returned by the selected query. This option isn't available
for queries that return mobile devices, users, or user groups. For more information about
how to install Configuration Manager clients by using client push, see Deploy clients to
Windows computers.

Export: Opens the Export Objects Wizard. This wizard lets you export the query to a
Managed Object Format (MOF) file that you can then import at another site.

Move: Opens the Move Selected Items dialog box. This dialog box lets you move the
selected query to a folder that you previously created under the Queries node.
Next steps
Create queries
Create queries in Configuration
Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article describes how to create and import queries in Configuration Manager.

Create a query
Use this procedure to create a query in Configuration Manager.

1. In the Configuration Manager console, select Monitoring.

2. In the Monitoring workspace, select Queries. On the Home tab, in the Create
group, select Create Query.

3. On the General tab of the Create Query Wizard, specify a unique name and,
optionally, a comment for the query.

4. If you want to import an existing query to use as a basis for the new query, select
Import Query Statement. In the Browse Query dialog box, select a query that you
want to import, and then select OK.

5. In the Object Type list, select the type of object that you want the query to return.
This table describes some examples of the types of objects you can search for:

Object type: Description

System Resource: Use to search for typical system attributes, like the NetBIOS name of a
device, the client version, the client IP address, and Active Directory Domain Services
information.

User Resource: Use to search for typical user information, like user names, user group
names, and security group names.

Deployment: Use to search for typical attributes of a deployment, like the deployment
name, the schedule, and the collection that it was deployed to.

6. Select Edit Query Statement to open the <Query Name> Statement Properties
dialog box.

7. On the General tab of the <Query Name> Statement Properties dialog box,
specify the attributes that the query returns and how they should be displayed.
Select the New icon to add a new attribute. You can also select Show Query
Language to enter or edit the query directly in WMI Query Language (WQL). For
examples of WMI queries, see the Example WQL queries section in this article.

You can use the following reference documentation to help you construct
your own WQL queries:
WQL (SQL for WMI)
WHERE Clause
WQL Operators
Starting in Configuration Manager version 2010, you can preview the results when
you're creating or editing a query for collection membership. In the Query
Statement Properties, select the green triangle to show the Query Results
Preview window. Select Stop if you want to stop a long running query.

8. On the Criteria tab of the <Query Name> Statement Properties dialog box,
specify criteria that are used to refine the results of the query. For example, you
could return only resources that have a site code of XYZ. You can configure
multiple criteria for a query.

Important

If you create a query that contains no criteria, the query will return all devices
in the All Systems collection.

9. On the Joins tab of the <Query Name> Statement Properties dialog box, you can
combine data from two different attributes into your query results. Although
Configuration Manager automatically creates query joins when you choose
different attributes for your query result, the Joins tab provides more advanced
options. Configuration Manager supports these attribute classes:

Join type: Description

Inner: Displays only matching results. Always used by joins that are created
automatically.

Left: Displays all results for the base attribute and only the matching results for the
join attribute.

Right: Displays all results for the join attribute and only the matching results for the
base attribute.

Full: Displays all results for both the base attribute and the join attribute.

For more information about how to use join operations, see the SQL Server
documentation.

10. Select OK to close the <Query Name> Statement Properties dialog box.

11. On the General tab of the Create Query Wizard, specify that the results of the
query aren't limited to the members of a collection, that they are limited to the
members of a specified collection, or that a prompt for a collection appears each
time the query is run.

12. Complete the wizard to create the query. The new query appears in the Queries
node in the Monitoring workspace.

Import a query
Use this procedure to import a query into Configuration Manager. For information
about how to export queries, see How to manage queries.

1. In the Configuration Manager console, select Monitoring.

2. In the Monitoring workspace, select Queries. On the Home tab, in the Create
group, select Import Objects.

3. On the MOF File Name page of the Import Objects Wizard, select Browse to
select the Managed Object Format (MOF) file that contains the query that you
want to import.

4. Review the information about the query to be imported and then complete the
wizard. The new query appears on the Queries node in the Monitoring workspace.

Example WQL queries


This section contains example WQL queries that you can use in your hierarchy or modify
for other purposes. To use these queries, select Show Query Language in the Query
Statement Properties dialog box. Then copy and paste the query into the Query
Statement field.

Tip

Use the wildcard character % to signify any string of characters. For example,
%Visio% returns Microsoft Office Visio 2010.

Computers that run Windows 10
Use the following query to return the NetBIOS name and operating system version of all
computers that run Windows 10.

WQL

select SMS_R_System.NetbiosName, SMS_R_System.OperatingSystemNameandVersion from
SMS_R_System where
SMS_R_System.OperatingSystemNameandVersion like "%Workstation 10%"

Computers with a specific software package installed


Use the following query to return the NetBIOS name and software package name of all
computers that have a specific software package installed. This example returns all
computers with a version of Microsoft Visio installed. Replace Microsoft%Visio% with the
software package that you want to query for.

Tip

This query searches for the software package by using the names that are displayed
in the programs list in Windows Control Panel.

WQL

select SMS_R_System.NetbiosName, SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName from
SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on
SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId where
SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Microsoft%Visio%"

Computers in a specific Active Directory Domain Services organizational unit
Use the following query to return the NetBIOS name and organizational unit (OU) name
of all computers in a specified OU. Replace the text OU Name with the name of the OU
that you want to query for.

WQL

select SMS_R_System.NetbiosName, SMS_R_System.SystemOUName from
SMS_R_System where SMS_R_System.SystemOUName = "OU Name"

Computers with a specific NetBIOS name


Use the following query to return the NetBIOS name of all computers that begin with a
specific string of characters. In this example, the query returns all computers with a
NetBIOS name that begins with ABC.

WQL

select SMS_R_System.NetbiosName from
SMS_R_System where SMS_R_System.NetbiosName like "ABC%"

Devices of a specific type


Device types are stored in the Configuration Manager database under the resource class
sms_r_system and the attribute name AgentEdition. The query refers to that attribute by
its SMS_R_System WQL property name, ClientEdition. Use this query to retrieve only the
devices that match the agent edition of the device type that you specify:

WQL

Select SMS_R_System.ClientEdition from SMS_R_System where
SMS_R_System.ClientEdition = <Device ID>

Use one of these values for <Device ID>:

Device type: Value of AgentEdition

Windows desktop or laptop computer: 0
Windows ARM-based device (running Windows RT): 1
Windows Mobile 6.5: 2
Nokia Symbian: 3
Windows Phone: 4
Mac computer: 5
Windows Embedded: 7
Intel system on a chip: 12
Microsoft HoloLens (MDM): 15
Microsoft Surface Hub (MDM): 16

Note

Values that aren't listed in this table are associated with devices that are no longer
supported.

For example, if you want to return only Mac computers, use this query:

WQL

Select SMS_R_System.ClientEdition from SMS_R_System where
SMS_R_System.ClientEdition = 5

Devices that are co-managed

Use the following query to return devices that have received a co-management policy and
are both MDM enrolled and MDM provisioned.

WQL

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_Client_ComanagementState on
SMS_Client_ComanagementState.ResourceId = SMS_R_System.ResourceId
where SMS_Client_ComanagementState.ComgmtPolicyPresent = 1 AND
SMS_Client_ComanagementState.MDMEnrolled = 1 AND
SMS_Client_ComanagementState.MDMProvisioned = 1
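The WQL examples above are pasted into the console, but the same queries run against the SMS Provider from PowerShell, which is where the "replace Microsoft%Visio% with ..." step usually turns into a parameter fed from a ticket, a CSV or a form. The following script is an added example, not part of the Configuration Manager documentation or product: it builds the "specific software package" query from a caller-supplied pattern and escapes that value so it cannot end the WQL string literal and widen the query. It assumes Windows PowerShell 5.1, whose Get-WmiObject returns the provider's join results as one generic object per row with an embedded object per class; the provider host and site code are placeholders.

```powershell
# Added example, not from the Configuration Manager documentation. Assumes Windows
# PowerShell 5.1 (Get-WmiObject against the SMS Provider). Host and site code are placeholders.

function ConvertTo-WqlLiteral {
    # WQL string literals are double-quoted; a backslash or double quote inside the value
    # would end or alter the literal, so escape both. % and _ are left alone on purpose:
    # LIKE wildcards are what the page's patterns rely on, and the caller supplies them.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    return '"' + (($Value -replace '\\', '\\') -replace '"', '\"') + '"'
}

function New-CMInstalledSoftwareWql {
    # The page's "Computers with a specific software package installed" query, parameterised.
    param([Parameter(Mandatory)][string]$DisplayNamePattern)
    $literal = ConvertTo-WqlLiteral $DisplayNamePattern
    return @"
select SMS_R_System.NetbiosName, SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS
on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like $literal
"@
}

function Get-CMInstalledSoftware {
    param(
        [Parameter(Mandatory)][string]$ProviderHost,        # SMS Provider server, e.g. cm01.contoso.com
        [Parameter(Mandatory)][string]$SiteCode,            # e.g. PS1
        [Parameter(Mandatory)][string]$DisplayNamePattern   # e.g. 'Microsoft%Visio%'
    )
    # The site code is interpolated into the namespace path, so keep it to three alphanumerics.
    if ($SiteCode -notmatch '^[A-Za-z0-9]{3}$') { throw "Not a site code: $SiteCode" }
    $wql = New-CMInstalledSoftwareWql $DisplayNamePattern
    Get-WmiObject -ComputerName $ProviderHost -Namespace "root\sms\site_$SiteCode" -Query $wql |
        ForEach-Object {
            # A join query returns one generic object per row, with an embedded object per
            # class named in the query; pick the two columns the page's query selects.
            [pscustomobject]@{
                NetbiosName = $_.SMS_R_System.NetbiosName
                DisplayName = $_.SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName
            }
        }
}

# Why the escaping matters. A value such as
#   Visio" or SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "%
# pasted straight into the page's query would make it match every installed product.
# New-CMInstalledSoftwareWql 'Visio" or SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "%'
# instead ends with:  like "Visio\" or SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like \"%"
# which is one literal and matches nothing.
#
# Get-CMInstalledSoftware -ProviderHost 'cm01.contoso.com' -SiteCode 'PS1' -DisplayNamePattern 'Microsoft%Visio%'
```

The same ConvertTo-WqlLiteral helper applies to the NetBIOS name and OU queries above, where the value compared is likewise a quoted WQL literal. Running the query through the provider rather than directly against the site database also keeps Configuration Manager's role-based access control in the path, which a direct SQL query would bypass.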

Next steps
How to manage queries
Security and privacy for queries in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Queries in Configuration Manager let you retrieve information from the site database
according to criteria that you specify. Configuration Manager collects site database
information during standard operation. For example, by using information that's been
collected during discovery or inventory, you can configure a query to identify devices
that meet specified criteria.

For more information about queries, see Introduction to queries. For security best
practices and privacy information about Configuration Manager operations that collect
the data you can retrieve by using queries, see Security and privacy for Configuration
Manager.

Security best practices for queries


Use this security best practice for queries.

Security best practice: When you export or import a query that's saved to a network
location, secure the location and the network channel.

More information: Restrict who can access the network folder. Use Server Message Block
(SMB) signing or Internet Protocol security (IPsec) between the network location and the
site server to prevent an attacker from tampering with the query data before it's
imported.

Next steps
Security and privacy for Configuration Manager
Introduction to reporting in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Reporting in Configuration Manager provides a set of tools and resources that help you
use the advanced reporting capabilities of SQL Server Reporting Services (SSRS) and
Power BI Report Server. Both reporting platforms provide rich authoring experiences for
custom reports. Reporting helps you gather, organize, and present information about
the wealth of Configuration Manager data in your organization. Configuration Manager
provides many predefined reports in Reporting Services that you can use without
changes. You can duplicate and modify the default reports to meet your requirements,
or you can create custom reports.

SQL Server Reporting Services


SQL Server Reporting Services provides a full range of ready-to-use tools and services to
help you create, deploy, and manage reports for your organization. It also has
programming features that enable you to extend and customize your reporting
functionality. Reporting Services is a server-based reporting platform that provides
comprehensive reporting functionality for different kinds of data sources.

Configuration Manager uses SQL Server Reporting Services as its primary reporting
solution. Integration with Reporting Services provides the following advantages:

Uses an industry standard reporting system to query the Configuration Manager
database.

Displays reports by using the Configuration Manager Report Viewer or by using
Report Manager, which is a web-based connection to the report.

Provides high performance, availability, and scalability.

Provides subscriptions to reports to which users can subscribe. For example, a
manager subscribes to an emailed report each day that details the status of a
software update rollout.

Exports reports in different kinds of popular formats.
For more information, see What is SQL Server Reporting Services (SSRS)?
Power BI Report Server
Starting in version 2002, integrate Power BI Report Server with Configuration Manager
reporting. This integration gives you modern visualization and better performance. It
adds console support for Power BI reports similar to what already exists with SQL Server
Reporting Services. For more information, see Integrate with Power BI Report Server.

Power BI Report Server is an on-premises report server with a web portal in which you
display and manage reports. It includes tools to create Power BI reports, paginated
reports, mobile reports, and KPIs. For more information, see What is Power BI Report
Server?.

Reporting services point


The reporting services point is a site system role that you add on a server that runs
Microsoft SQL Server Reporting Services. The reporting services point does the following
functions:

Copies the Configuration Manager report definitions to Reporting Services


Creates report folders based on report categories
Sets security policy on the report folders and reports. These policies are based on
the role-based permissions for Configuration Manager administrative users. In a
10-minute interval, the reporting services point connects to Reporting Services to
reapply the security policy if you changed it.

For more information about how to plan for and install a reporting services point, see
the following articles:

Plan for reporting

Configure reporting

Configuration Manager reports


Configuration Manager provides report definitions for over 400 reports in over 50 report
folders. During the reporting services point installation process, it copies them to the
root report folder in SQL Server Reporting Services. The Configuration Manager console
shows the reports and organizes them in subfolders based on the report category.

Reports don't propagate up or down the Configuration Manager hierarchy. They run
only against the database of the site in which you create them. Because Configuration
Manager replicates global data throughout the hierarchy, you have access to hierarchy-
wide information in reports. When a report retrieves data from a site database, it has
access to site data for the current site and child sites, and global data for every site in
the hierarchy.

Like other Configuration Manager objects, an administrative user must have the
appropriate permissions to run or modify reports. To run a report, an administrative user
must have the Run Report permission for the object. To create or modify a report, an
administrative user must have the Modify Report permission for the object.

Create and modify reports


For Reporting Services-based reports, Configuration Manager uses Microsoft SQL Server
Report Builder as the exclusive authoring and editing tool for model-based and SQL-
based reports. When you create or edit a report in the Configuration Manager console,
Report Builder opens. For more information, see Operations and maintenance for
reporting.

Starting in version 2002, to create or edit Power BI reports, the console integrates with
Power BI Desktop. For more information, see Create Power BI reports.

Run reports
When you run a Reporting Services-based report in the Configuration Manager console,
Report Viewer opens and connects to Reporting Services. After you specify any required
report parameters, Reporting Services then retrieves the data and displays the results in
the viewer. You can also connect to SQL Server Reporting Services directly, connect to the
data source for the site, and run reports.

Starting in version 2002, when you run a Power BI-based report, it opens in the web
browser.

Add to Favorites
Configuration Manager ships with several hundred reports by default, and you might
add more to that list. Instead of continually searching for reports you commonly use,
starting in version 2103 you can make a report a favorite. This action allows you to
quickly access it from the Favorites node.

For more information, see Operations and maintenance for reporting.

Report prompts
You can configure a report prompt or parameter when you create or modify a report.
Create report prompts to limit or target the data that a report retrieves. A report can
contain more than one prompt. Make sure the prompt names are unique and contain
only alphanumeric characters that conform to the SQL Server rules for identifiers.

When you run a report, the prompt requests a value for a required parameter. Based on
the parameter value, it retrieves the report data. For example, the Computer
information for a specific computer report prompts for a computer name. Reporting
Services passes the specified value to a variable defined in the report's SQL statement.

Report links
Report links in Configuration Manager are used in a source report to provide easy
access to other data. For example, it can link to more detailed information about each of
the items in the source report. If the destination report requires one or more prompts to
run, the source report must contain a column with the appropriate values for each
prompt.

The link needs to specify the column number with the value for the prompt. For
example:

There's one report that lists computers that the site recently discovered.
You link from it to another report that lists the last messages that the site receives
for a specific computer.
You create the link, and specify that column 2 in the source report contains the
computer name. This value is a required prompt for the destination report.
You run the source report, and a link icon appears to the left of each row of data.
You select the icon on a row, and Report Viewer passes the value in the specified
column for that row as the prompt value for the destination report.

You can only configure one link for a report, and that link can only connect to a single
destination report.

Warning

If you move a destination report to a different report folder, the location for the
destination report changes. Configuration Manager doesn't automatically update
the report link in the source report with the new location, and the link won't work in
the source report.

Report folders
Report folders provide a method to sort and filter reports that Configuration Manager
stores in Reporting Services. Report folders are useful when you have many reports to
manage. When you install a reporting services point, it copies reports to Reporting
Services and organizes them into more than 50 report folders. The report folders are
read-only. You can't modify them in the Configuration Manager console.

Report subscriptions
A report subscription in Reporting Services is a recurring request to deliver a report at a
specific time or in response to an event. You specify in the subscription an application
file format. Subscriptions provide an alternative to running a report on demand. On-
demand reporting requires that you actively select the report each time you want to
view the report. In contrast, subscriptions can be used to schedule and then automate
the delivery of a report.

You can manage report subscriptions in the Configuration Manager console. The report
server processes the subscriptions. It distributes them by using delivery extensions that
are deployed on the server. By default, you can create subscriptions that send reports to
a shared folder or to an email address.

For more information, see Manage report subscriptions.

Report Builder
For Reporting Services-based reports, Configuration Manager uses Microsoft SQL Server
Report Builder as the exclusive authoring and editing tool for both model-based and
SQL-based reports. If you create or edit a report in the Configuration Manager console,
Report Builder opens. When you create or modify a report for the first time, Report
Builder installs automatically. The version of Report Builder associated with the installed
version of SQL Server opens when you run or edit reports.

The Report Builder installation adds support for over 20 languages. When you run
Report Builder, it displays data in the language of the local computer's OS. If Report
Builder doesn't support the language, it displays the data in English. Report Builder
supports the full capabilities of SQL Server Reporting Services, which includes the
following capabilities:

Delivers an intuitive report authoring environment with an appearance similar to
Microsoft 365 Apps.

Offers the flexible report layout of SQL Server report definition language (RDL).

Provides various forms of data visualization including charts and gauges.

Provides richly formatted text boxes.

Exports to Microsoft Word format.

You can also open Report Builder directly from SQL Server Reporting Services.

Report models in SQL Server Reporting Services
SQL Server Reporting Services uses report models to help you select items from the
Configuration Manager database to include in model-based reports. When you build a
report, report models expose only specified views and items to choose from. To create
model-based reports, at least one report model has to be available.

Report models have the following features:

Give logical business names to database fields and views. To produce reports, you
don't require knowledge of the Configuration Manager database structure.

Group items logically.

Define relationships between items.

Secure model elements so that administrative users can see only the data that they
have permission to see.

Although Configuration Manager provides sample report models, you can also define
report models to meet your own business requirements. For more information about
how to create report models, see Create custom report models.

Next steps
Plan for reporting
Integrate with Power BI Report Server
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can integrate Power BI Report Server with Configuration Manager reporting. This
integration gives you modern visualization and better performance. It adds console
support for Power BI reports similar to what already exists with SQL Server Reporting
Services.

Save Power BI Desktop report files (.PBIX) and deploy them to the Power BI Report
Server. This process is similar as with SQL Server Reporting Services report files (.RDL).
You can also launch the reports in the browser directly from the Configuration Manager
console.

Prerequisites
Power BI Report Server license. For more information, see Licensing Power BI
Report Server.

Download Microsoft Power BI Report Server - September 2019, or later.

Don't install Power BI Report Server right away. For the proper process based on
your environment, see Configure the reporting services point.
It's recommended that you use a supported version of Power BI Report Server.
For versioning information, see the Change log for Power BI Report Server.

Download Microsoft Power BI Desktop (Optimized for Power BI Report Server -
September 2019), or later. It's recommended that you use a supported version. For
versioning information, see the Change log for Power BI Report Server.

Use versions of Power BI Desktop:

That are from the Microsoft Download Center. Don't use a version from the
Microsoft Store.
That state they're Optimized for Power BI Report Server. Don't use versions
that aren't Optimized for Power BI Report Server.

Note

When using Configuration Manager version 2111 or earlier with Power BI Desktop
(Optimized for Power BI Report Server - May 2021) or later, you may notice the
following behavior:
You might experience delays updating the data source on newly updated reports.
You may receive "The remote server returned an error; (400) Bad Request." errors in
the SRSRP.log.
For more information about the relevant change to Power BI Desktop (optimized for
Power BI Report Server) May 2021, see Change data source connection strings in Power
BI reports. The version before the connection change occurred is January 2021.

Power BI integration uses the same role-based administration for reporting.

Power BI Report Server doesn't support reports that are enabled for role-based
access. All report viewers will see the same results, whatever their assigned
scope.

Configure the reporting services point

This process varies depending upon whether you already have this role in the site.

You have a reporting services point

Only use this process if you already have a reporting services point in the site. Do all
steps of this process on the same server:

1. In Reporting Services Configuration Manager, back up the Encryption Keys. For
more information, see SSRS Encryption Keys - Back Up and Restore Encryption
Keys.

Warning

If you skip this step, you'll lose access to any custom reports in SQL Server
Reporting Services.

2. Remove the reporting services point role from the site.

3. Uninstall SQL Server Reporting Services, but keep the database.

4. Install Power BI Report Server.

5. Configure the Power BI Report Server:

a. Use the previous report server database.

b. Use Reporting Services Configuration Manager to restore the Encryption Keys.

Before you add the reporting services point role in Configuration Manager,
use SQL Server Reporting Services Configuration Manager to test and verify
the configuration. For more information, see Verify SQL Server Reporting
Services installation.

6. Add the reporting services point role in Configuration Manager.

You don't have a reporting services point

Only use this process if you don't already have a reporting services point in the site. Do
all steps of this process on the same server:

1. Install Power BI Report Server.

2. Add the reporting services point role in Configuration Manager. For more
information, see Configure reporting.

Configure the Configuration Manager console

1. On a computer that has the Configuration Manager console, update the
Configuration Manager console to the latest version.

2. Install Power BI Desktop. Make sure the language is the same and verify the
versioning prerequisites.

3. After it installs, launch Power BI Desktop at least once before you open the
Configuration Manager console.

Create Power BI reports

1. In the Configuration Manager console, go to the Monitoring workspace, expand
Reporting, and select the new Power BI Reports node.

2. In the ribbon, select Create Report. This action opens Power BI Desktop.

3. Create a report in Power BI Desktop.

In Power BI Desktop, when you connect to a data source, select DirectQuery
for the Connection settings.
Only use supported SQL views in these reports. For more information, see
Creating custom reports by using SQL Server views in Configuration
Manager.

4. When the report is ready to save, go to the File menu, select Save as, then choose
Power BI Report Server.

5. In the Power BI Report Server Selection window, enter the URL for the reporting
services point as the New report server address. For example,
https://rsp.contoso.com/Reports. Select OK.

6. In the Save report window, double-click the ConfigMgr_<SiteCode> folder. For
example, ConfigMgr_PS1, where PS1 is the ConfigMgr site code. You can optionally
choose or create (from the report server) a sub folder to store it in.

Tip

Reports and report folders with Power BI reports must be located in the
ConfigMgr_<SiteCode> folder on the report server or they won't appear in the
Configuration Manager console.

7. In File name, enter a name for the report.

In the Configuration Manager console, you see the new report in the list of Power BI
Reports. If you don't see your reports, verify that you saved the reports to the
ConfigMgr_<SiteCode> folder.

There are sample reports available for download. For more information, see Install
Power BI sample reports.

Power BI report templates in Community hub

Using Community hub, you can share Power BI report templates you've created and
download templates that others have shared.

Contributing a Power BI report template (PBIT) file to Community hub

1. Open the Configuration Manager console and go to Community > Community hub.
2. If needed, select Sign in to sign into GitHub. You'll see the Your hub link after
signing in.
3. Select Your hub then Add an item to launch the Contribute item wizard.
4. For the Type, choose Power BI Report Template then select Browse.
5. Choose the .pbit file you want to contribute, then select Open.
6. Edit the Name and Description for the report template then select Next when
done.
7. On the Organization page, select the GitHub Organization to use for organization
branding if needed. Select Next to upload the template.
8. Once the item is uploaded, you'll be given the pull request URL of the change for
monitoring.
9. Select Close when you're done to exit the wizard.

Downloading a Power BI report template (PBIT) file from Community hub

1. Open the Configuration Manager console, go to Community > Community hub.

2. From All objects or a search, choose a Power BI report template, then select
Download.

3. Select a file location to save the downloaded .pbit file and choose Save.

4. If Power BI Desktop (Optimized for Power BI Report Server) is installed, you'll be
prompted to open the .pbit file.

5. Select Yes and Power BI Desktop (Optimized for Power BI Report Server) will load
the .pbit file.

6. Specify your Configuration Manager database name and database server name
when prompted, then select Load.

Note

When loading or applying the data model, ignore any errors if you come
across one. For example, if you see the following error: "Connecting to tables
from more than one database isn't supported in DirectQuery mode", select
Close. Then refresh the data source settings:
a. In Power BI Desktop, in the ribbon, select Edit Queries, and then select
Data source settings.
b. Select Change Source, confirm your server and database names, and select
OK.
c. Close the data source settings window, and then select Apply changes.

7. When the report data is loaded, select File > Save As, then select Power BI Report
Server.

8. Save the report to a folder on the root Configuration Manager reporting folder on
the reporting point. You may want to create a Downloaded Reports folder for these
items.

9. Repeat the steps for any other report templates that were downloaded. When
you're done, close Microsoft Power BI Desktop (Optimized for Power BI Report
Server).

Known issues
There's a known issue with Power BI Report Server and email subscriptions. After you
configure the email settings in the Reporting Services Configuration Manager, when you
try to create a new subscription, the option to deliver a report by Email isn't available. To
work around this issue, restart the Power BI Report Server service.

Next steps
After you create a report, use the following actions in the Configuration Manager
console:

Run in Browser: Opens the Power BI report in the web browser. Share this URL
with others, for example:
https://rsp.contoso.com/Reports/POWERBI/ConfigMgr_ABC/Windows%2010/Windows10%20Dashboard?rs:embed=true

Tip

You can only view these reports in the web browser.

Edit: Make changes to the report in Power BI Desktop. For an existing report, use
the Save option to save changes back to the report server.
Add to Favorites: Starting in version 2103, you can make a report a favorite. This
action allows you to quickly access it from the Favorites node. For more
information, see Operations and maintenance for reporting.

For more information on log files to use for reporting, see Log file reference - Reporting.
Install Power BI sample reports
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can integrate Power BI Report Server with Configuration Manager reporting. There
are sample reports available for download that you can install in Configuration Manager.
This article explains how to install the Power BI sample reports in Configuration
Manager.

Prerequisites
Configuration Manager reporting services point with Power BI Report Server
integrated

Microsoft Power BI Desktop (Optimized for Power BI Report Server). Use a version
released between September 2019 and January 2021. For versioning
information, see the Change log for Power BI Report Server.

Important

Use versions of Power BI Desktop:

That are from the Microsoft Download Center. Don't use a version from
the Microsoft Store.
That state they're Optimized for Power BI Report Server. Don't use
versions that aren't Optimized for Power BI Report Server.
That were released no earlier than September 2019 and no later than
January 2021. Microsoft Power BI Desktop (Optimized for Power BI
Report Server - January 2021) is recommended.

Download the sample reports

To download the sample reports:

1. Download the Power BI sample reports from the Microsoft Download Center .

2. Save the ConfigMgrSamplePowerBIReports.exe file.

3. Move the file to a computer with Microsoft Power BI Desktop (Optimized for Power
BI Report Server) installed if you downloaded it from a different device.

4. Run the ConfigMgrSamplePowerBIReports.exe file to extract the .pbit files.

Note

Some of the sample reports are also available for download in Community hub.

Community hub direct link to the Software Update Compliance Status
sample report
Community hub direct link to the Software Update Deployment Status
sample report

Install the sample reports

To install the sample reports:

1. On the Power BI Report server, create a new folder called Sample Reports in the
root Configuration Manager reporting folder.

2. Launch Microsoft Power BI Desktop (Optimized for Power BI Report Server).

3. Select File then Open and navigate to where you saved the extracted .pbit files.

4. Select one of the .pbit files you extracted from the
ConfigMgrSamplePowerBIReports.exe file.

5. Specify your Configuration Manager database name and database server name
when prompted, then select Load.

Note

When loading or applying the data model, ignore any errors if you come
across one. For example, if you see the following error: "Connecting to tables
from more than one database isn't supported in DirectQuery mode", select
Close. Then refresh the data source settings:
a. In Power BI Desktop, in the ribbon, select Edit Queries, and then select
Data source settings.
b. Select Change Source, confirm your server and database names, and select
OK.
c. Close the data source settings window, and then select Apply changes.

6. When the report data is loaded, select File > Save As, then select Power BI Report
Server.

7. Save the report to the Sample Reports folder you created on the reporting point.

8. Repeat the steps for any other sample reports. When you're done, close Microsoft
Power BI Desktop (Optimized for Power BI Report Server).

9. In the Configuration Manager console, go to Monitoring > Power BI Reports >
Sample Reports.

10. Right-click on one of the reports and select Run in Browser to launch the report.

Sample reports
The following sample Power BI reports are included in the download:

Software Update Compliance Status
Software Update Deployment Status
Client Status
Content Status
Microsoft Edge Management

Plan for reporting in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Reporting in Configuration Manager provides a set of tools and resources that help you
use the advanced reporting capabilities of SQL Server Reporting Services or Power BI
Report Server. Use the following sections to help you plan for reporting in Configuration
Manager.

Where to install the reporting services point

When you run Configuration Manager reports at a site, the reports have access to the
information in the site database to which the reporting services point connects. Use the
following sections to help you determine where to install the reporting services point
and what data source to use.

Note

For more information about planning for site systems in Configuration Manager,
see Add site system roles.

Supported site system servers

You can install the reporting services point on a central administration site (CAS) and
primary sites. It works on multiple site systems at a site, and at other sites in the
hierarchy. Configuration Manager doesn't support the reporting services point at
secondary sites. The first reporting services point at a site is set as the default report
server. You can add more reporting services points at a site, but Configuration Manager
reports actively use the default report server at each site. Install the reporting services
point on the site server or a remote site system. For best performance, use SQL Server
Reporting Services on a remote site system server.

Data replication considerations

Consider the following factors to help you determine where to install your reporting
services points:

A reporting services point with the CAS database as its reporting data source has
access to all global and site data in the Configuration Manager hierarchy. If you
require reports that contain site data for multiple sites in a hierarchy, consider
installing the reporting services point on a site system at the CAS. Then use its
database as the reporting data source.

A reporting services point with a child primary site database as its reporting data
source has access to global data and site data for only the local primary site and
any child secondary sites. Site data for other primary sites in the Configuration
Manager hierarchy doesn't replicate to this primary site. Reporting Services can't
access site data for other primary sites. If you require reports that contain site data
for a specific primary site or global data, and you don't want the user to have
access to site data from other primary sites, install a reporting services point on a
site system at the primary site. Then use the primary site's database as the
reporting data source.

For more information on global and site data, see Types of data.

Network bandwidth considerations

Depending on how you configure the site, site systems in the same site communicate
with each other by using server message block (SMB), HTTP, or HTTPS. Configuration
Manager doesn't manage this communication. It can occur at any time without network
bandwidth control. Review your available network bandwidth before you install the
reporting services point role on a site system.

For more information about planning for site systems, see Add site system roles.

Plan for role-based administration

Security for reporting is much like other objects in Configuration Manager where you
can assign security roles and permissions to administrative users. Administrative users
can only run and modify reports for which they have appropriate security rights. To run
reports in the Configuration Manager console, users need the Read right for the Site
permission and the permissions configured for specific objects.

Unlike other objects in Configuration Manager, the security rights that you set for
administrative users in the Configuration Manager console are also configured in
Reporting Services. When you configure security rights in the Configuration Manager
console, the reporting services point connects to Reporting Services and sets
appropriate permissions for reports.
For example, the Software Update Manager security role has the Run Report and
Modify Report permissions. Users with the Software Update Manager role can only run
and modify reports for software updates. The Configuration Manager console doesn't
display reports for other objects to this role. The exception to this behavior is that some
reports aren't associated with specific Configuration Manager securable objects. For
these reports, the administrative user must have the Read right for the Site permission
to run the reports and the Modify right for the Site permission to modify the reports.

Important

For users from a different domain than that of the reporting services point account
to successfully run reports, establish a two-way trust between the two domains.

Reports are fully enabled for role-based administration. Configuration Manager filters
the data for all included reports based on the permissions of the user who runs the
report. Users with specific roles can only view information defined for their roles.

For more information about security rights for reporting, see Configure reporting.

For more information about role-based administration in Configuration Manager, see
Configure role-based administration.
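As an added example (not from the Configuration Manager documentation or the product's own report definitions), the same device-count query written the two ways the sections above describe: first as an SSRS dataset that filters through the site database's fn_rbac_ functions using the @UserSIDs parameter, so each administrative user only sees resources in their scopes, and then as the plain-view DirectQuery form a Power BI report would use, which returns the same rows to every viewer. It assumes fn_rbac_R_System and fn_rbac_GS_OPERATING_SYSTEM exist in your site database as the role-based counterparts of v_R_System and v_GS_OPERATING_SYSTEM, and the SID below is a placeholder for the value SSRS supplies.

```sql
-- Added example: count of managed clients by operating system, written two ways.
-- Assumption: the site database exposes fn_rbac_R_System and
-- fn_rbac_GS_OPERATING_SYSTEM (role-based counterparts of v_R_System and
-- v_GS_OPERATING_SYSTEM); confirm the names in your own site database.

-- 1) SSRS report dataset. The reporting services point passes @UserSIDs for the
--    signed-in administrative user, and the fn_rbac_ functions return only the
--    resources that user's security roles and scopes allow.
DECLARE @UserSIDs nvarchar(max) = N'S-1-5-21-0-0-0-0'; -- placeholder; SSRS fills this in

SELECT os.Caption0                    AS OperatingSystem,
       COUNT(DISTINCT sys.ResourceID) AS Devices
FROM   fn_rbac_R_System(@UserSIDs) AS sys
       JOIN fn_rbac_GS_OPERATING_SYSTEM(@UserSIDs) AS os
         ON os.ResourceID = sys.ResourceID
WHERE  sys.Client0 = 1                -- devices with the Configuration Manager client
GROUP  BY os.Caption0
ORDER  BY Devices DESC;

-- 2) Power BI DirectQuery dataset. Power BI Report Server has no @UserSIDs
--    parameter, so the report reads the supported v_ views directly and every
--    viewer who can open the report sees the same rows, whatever their scope.
--    Control who can open the report (folder permissions) rather than relying
--    on role-based filtering inside the query.
SELECT os.Caption0                    AS OperatingSystem,
       COUNT(DISTINCT sys.ResourceID) AS Devices
FROM   v_R_System AS sys
       JOIN v_GS_OPERATING_SYSTEM AS os
         ON os.ResourceID = sys.ResourceID
WHERE  sys.Client0 = 1
GROUP  BY os.Caption0
ORDER  BY Devices DESC;
```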

Reporting recommendations
Consider the following recommendations and tips for reporting in Configuration
Manager:

For best performance, install the reporting services point on a remote site system.
Although you can install it on the site server, the reporting services point performs
best when you install it on a remote site system. When this role does background
processing, it can compete for system resources with other roles. There are many
variables to consider with site and role performance, but in general this
configuration improves reporting and overall site performance.

Optimize SQL Server Reporting Services queries. Typically any reporting delays are
because of the time it takes to run queries and retrieve the results. Microsoft SQL
Server tools such as Query Analyzer and Profiler can help you optimize queries.

Schedule report subscription processing to run outside standard office hours.
Whenever possible, processing subscriptions during off-hours can minimize the
CPU processing on the Configuration Manager site database server. This practice
also improves availability for unpredicted report requests.

Site updates preserve built-in reports. If you modify a standard report, when the
site updates, it renames the report with an underscore prefix ( _ ). This behavior
makes sure that the site update doesn't overwrite the modified report with the
standard report.

Security and privacy

Configuration Manager reports display information that it collects during standard
Configuration Manager management operations. For example, you can display a report
of information that Configuration Manager collected from discovery or inventory.
Reports can also contain the current status information for client management
operations, such as deploying software, and checking for compliance.

For more information about any security recommendations and privacy information for
Configuration Manager operations that might generate data that you can view in
reports, see Security and privacy for Configuration Manager.

Next steps
Prerequisites for reporting
Prerequisites for reporting in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Reporting in Configuration Manager has the following dependencies:

SQL Server Reporting Services
Reporting services point
Power BI Report Server (optional, starting in version 2002)

SQL Server Reporting Services

Before you can use reporting in Configuration Manager, install and configure SQL Server
Reporting Services.

For more information about planning and deploying Reporting Services, see Install
SQL Server Reporting Services.

Install the Reporting Services database on either the default instance or a named
instance of a 64-bit SQL Server installation. Colocate the SQL Server instance with the
site system server, or configure it on a remote computer.

Configuration Manager supports the same versions of SQL Server for reporting as it
does for the site database. For more information, see Supported SQL Server versions.

Reporting services point

Before you can use reporting in Configuration Manager, configure the reporting services
point site system role.

For more information, see Site and site system prerequisites.

Power BI Report Server

Starting in version 2002, you can integrate reporting with Power BI Report Server. For
more information including prerequisites, see Integrate with Power BI Report Server.

Next steps
Configure reporting
List of reports in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager supplies many built-in reports covering many of the reporting
tasks that you might want to do. You can also use the SQL statements in these reports
to help you to write your own reports.

The following reports are included with Configuration Manager. The reports appear in
various categories.

Administrative security
The following six reports are listed under the Administrative Security category.

Administration activity log: Displays a record of administrative changes made for
administrative users, security roles, security scopes, and collections.

Administrative users security assignments: Displays administrative users, their
associated security roles, and the security scopes associated with each security role
for each user.

Objects secured by a single security scope: Displays objects that an administrator
assigned to only the specified security scope. This report doesn't display objects that
an administrator associates with more than one security scope.

Security for a specific or multiple Configuration Manager objects: Displays securable
objects, the security scopes associated with the objects, and which administrative
users have rights to the objects.

Security roles summary: Displays security roles and the Configuration Manager
administrators associated with each role.

Security scopes summary: Displays security scopes and the Configuration Manager
administrative users and security groups associated with each scope.

Alerts
The following two reports are listed under the Alerts category.

Alert scorecard: Displays a summary of all postponed alerts that were generated
between the specified start and finish date.

Alerts Generated Most Often: Displays a summary of the alerts that were generated
most often from today back to the specified date for the specified feature area.

Asset Intelligence
The following 67 reports are listed under the Asset Intelligence category.

Hardware 01A - Summary of computers in a specific collection: Displays an Asset
Intelligence summary view of computers in a collection you specify.

Hardware 03A - Primary computer users: Displays users and the count of computers on
which they're the primary user.

Hardware 03B - Computers for a specific primary console user: Displays all computers
for which a specified user is the primary console user.

Hardware 04A - Computers with multiple users (shared): Displays computers that don't
have a primary user because no one user has a signed-in time greater than 66%.

Hardware 05A - Console users on a specific computer: Displays all of the console users
on a specified computer.

Hardware 06A - Computers for which console users could not be determined: Helps
administrative users identify computers that need to have security logging turned on.

Hardware 07A - USB devices by manufacturer: Displays USB devices, grouped by
manufacturer.

Hardware 07B - USB devices by manufacturer and description: Displays USB devices,
grouped by manufacturer and description.

Hardware 07C - Computers with a specific USB device: Displays all the computers with
a specified USB device.

Hardware 07D - USB devices on a specific computer: Displays all USB devices on a
specified computer.

Hardware 08A - Hardware that is not ready for a software upgrade: Displays hardware
that doesn't meet the minimum hardware requirements.

Hardware 09A - Search for computers: Displays a summary of computers matching
keyword filters. These filters are computer name, Configuration Manager site, domain,
top console user, operating system, manufacturer, or model.

Hardware 10A - Computers in a specified collection that have changed during a
specified timeframe: Displays a list of computers in a specified collection where a
hardware class has changed during a specified time period.

Hardware 10B - Changes on a specified computer within a specified timeframe: Displays
the classes that have changed on a specified computer within a specified time period.

License 01A - Microsoft Volume License ledger for Microsoft license statements:
Displays an inventory of all Microsoft software titles that are available from the
Microsoft Volume Licensing program.

License 01B - Microsoft Volume License ledger item by sales channel: Identifies and
displays sales channel for inventoried Microsoft Volume License software.

License 01C - Computers with a specific Microsoft Volume License ledger item and sales
channel: Identifies and displays computers that have a specified item from the
Microsoft Volume license ledger.

License 01D - Microsoft Volume License ledger products on a specific computer:
Identifies and displays all Microsoft Volume license ledger items on a specified
computer.

License 02A - Count of licenses nearing expiration by time ranges: Displays a count of
licenses nearing expiration by a specified time range. The displayed products have
their licenses managed by the Software Licensing Service.

License 02B - Computers with licenses nearing expiration: Displays the specified
computers with licenses that are nearing expiration.

License 02C - License information on a specific computer: Displays products on a
specified computer that have their licenses managed by the Software Licensing Service.

License 03A - Count of licenses by license status: Displays products, by license
status, which have their licenses managed by the Software Licensing Service.

License 03B - Computers with a specific license status: Displays products, with a
specified license status, whose licenses are managed by the Software Licensing Service.

License 04A - Count of products managed by software licensing: Displays a count of
products that have their licenses managed by the Software Licensing Service.

License 04B - Computers with a specific product managed by Software Licensing Service:
Displays computers, managed by the Software Licensing Service, that include a
specified product.

License 05A - Computers providing Key Management Service: Displays computers that act
as Key Management Servers.

License 06A - Processor counts for per-processor licensed products: Displays the number
of processors on computers using Microsoft products that support per-processor
licensing.

License 06B - Computers with a specific product that supports per-processor licensing:
Displays a list of computers where a specified Microsoft product that supports
per-processor licensing is installed.

License 14A - Microsoft Volume Licensing reconciliation report: Displays reconciliation
on software licenses acquired through Microsoft Volume License Agreement and the
actual inventory count.

License 14B - List of Microsoft software inventory not found in MVLS: This report
displays Microsoft software titles in use that aren't found in the Microsoft Volume
License Agreement.

License 15A - General license reconciliation report: Displays reconciliation on
general software licenses acquired and the actual inventory count.

License 15B - General license reconciliation report by computer: Displays computers
that installed the licensed product with a specified version.

Software 01A - Summary of installed software in a specific collection: Displays a
summary of installed software ordered by the number of instances found from inventory.

Software 02A - Product families for a specific collection: Displays the product
families and the count of software in the family for a specified collection.

Software 02B - Product categories for a specific product family: Displays the product
categories in a specified product family and the count of software within the category.

Software 02C - Software in a specific product family and category: Displays all
software that is in the specified product family and category.

Software 02D - Computers with specific software installed: Displays all computers with
specified software installed.

Software 02E - Installed software on a specific computer: Displays all software
installed on a specified computer.

Software 03A - Uncategorized software: Displays the software that is either
categorized as unknown or has no categorization.

Software 04A - Software configured to automatically run on computers: Displays a list
of software configured to automatically run on computers.

Software 04B - Computers with specific software configured to automatically run:
Displays all computers with specified software configured to automatically run.

Software 04C - Software configured to automatically run on a specific computer:
Displays installed software configured to automatically run on a specified computer.

Software 05A - Browser Helper Objects: Displays the browser helper objects installed
on computers in a specified collection.

Software 05B - Computers with a specific Browser Helper Object: Displays all of the
computers with a specified browser helper object.

Software 05C - Browser Helper Objects on a specific computer: Displays all browser
helper objects on the specified computer.

Software 06A - Search for installed software: This report provides a summary of
installed software. It searches based on the following criteria: product name,
publisher, or version.

Software 06B - Software by product name: Displays a summary of installed software
based on a specified product name.

Software 07A - Recently used executable programs by the count of computers: Displays
executable programs that users recently used. It also includes the count of computers
on which users used the program. Software metering must be enabled for this site to
view this report.

Software 07B - Computers that recently used a specified executable program: Displays
the computers on which users recently used a specified executable program. This report
requires that you enable the software metering client setting.

Software 07C - Recently used executable programs on a specified computer: Displays
executable files that users recently used on a specified computer. This report
requires that you enable the software metering client setting.

Software 08A - Recently used Displays executable programs that users recently used. It also
executable programs by the includes a count of users that most recently used the program.
count of users This report requires that you enable the software metering client
setting.

Software 08B - Users that Displays the users that most recently used a specified executable
recently used a specified program. This report requires that you enable the software
executable program metering client setting.

Software 08C - Recently used Displays executable programs that the specified user used
executable programs by a recently. This report requires that you enable the software
specified user metering client setting.

Software 09A - Infrequently Displays software titles that users haven't used during a specified
used software period of time.

Software 09B - Computers Displays computers with installed software that users haven't
with infrequently used used for a specified period of time. The specified period of time
software installed is based on the value specified in the 'Software 09A -
Infrequently used software' report.

Software 10A - Software Displays software titles based on matching of all specified
titles with specific multiple custom label criteria. Up to three custom labels can be selected
custom labels defined to refine a software title search.

Software 10B - Computers Displays all computers in this collection that have the specified
with a specific custom- custom-labeled software title installed.
labeled software title
installed
Report name Description

Software 11A - Software titles Displays software titles based on matching of at least one of the
with a specific custom label specified custom label criteria.
defined

Software 12A - Software Displays all software titles that don't have a custom label defined.
titles without a custom label

Software 14A - Search for Displays a count of installed software with a software
software identification tag identification tag enabled.
enabled software

Software 14B - Computers Displays all computers that have installed software with a
with specific software specified software identification tag enabled.
identification tag enabled
software installed

Software 14C - Installed Displays all installed software with a specified software
software identification tag identification tag enabled on a specified computer.
enabled software on a
specific computer

Lifecycle 01A - Computers View a list of computers on which a specified product is


with a specific software detected.
product

Lifecycle 02A - List of View computers that have expired products on them. You can
machines with expired filter this report by product name.
products in the organization

Lifecycle 03A - List of expired View details for products in your environment that have expired
products found in the lifecycle dates.
organization

Lifecycle 04A - General View a list of product lifecycles. Filter the list by product name
Product Lifecycle overview and days to expiration.

Lifecycle 05A - Product Starting in version 1810, this report includes similar information
lifecycle dashboard as the in-console dashboard.

Client push
The following four reports are listed under the Client Push category.

Report name | Description
--- | ---
Client push installation status details | Displays information about the client push installation process for all sites.
Client push installation status details for a specified site | Displays information about the client push installation process for a specified site.
Client push installation status summary | Displays a summary view of the client push installation status for all sites.
Client push installation status summary for a specified site | Displays a summary view of the client push installation status for a specified site.

Client status
The following seven reports are listed under the Client Status category.

Report name | Description
--- | ---
Client remediation details | Displays details of client remediation actions for a collection you specify.
Client remediation summary | Displays a summary of client remediation actions for a specified collection.
Client status history | Displays a historical view of overall client status in the site.
Client status summary | Displays the client check results of active clients for a given collection.
Client time to request policy | Displays the percentage of clients that requested policy at least once in the last 30 days. Each day represents a percentage of total clients that requested policy since the first day in the cycle.
Clients with failed client check details | Displays details about clients that client check failed for a specified collection.
Inactive clients details | Displays a detailed list of inactive clients for a given collection.

Company resource access
The following three reports are listed under the Company Resource Access category.

Report name | Description
--- | ---
Certificate issuance history | Displays the history of certificates issued by the certificate registration point to users and devices for the specified date range.
List of assets by certificate issuance status | Displays the devices or users in a specified certificate issuance state following the evaluation of a specified certificate profile.
List of assets with certificates nearing expiry | Displays the devices or users with certificates that expire on or before the specified date.

Compliance and settings management
The following 22 reports are listed under the Compliance and Settings Management category.

Report name | Description
--- | ---
Compliance history of a configuration baseline | Displays the history of the changes in compliance of a configuration baseline for the specified date range.
Compliance history of a configuration item | Displays the history of the changes in compliance of a configuration item for the specified date range.
Details of compliant rules of configuration items in a configuration baseline for an asset | Displays information about the rules evaluated as compliant for a specified configuration item for a specified device or user.
Details of conflicting rules of configuration items in a configuration baseline for an asset | Displays information about rules in a deployed configuration item that conflict with other rules. Include the other rules in the same or another deployed configuration item.
Details of errors of configuration items in a configuration baseline for an asset | Displays information about errors generated by a specified configuration item for a specified device or user.
Details of non-compliant rules of configuration items in a configuration baseline for an asset | Displays information about rules that were evaluated as noncompliant for a specified configuration item, for a specified device or user.
Details of remediated rules of configuration items in a configuration baseline for an asset | Displays information about rules that were remediated by a specified configuration item for a specified device or user.
List of assets by compliance state for a configuration baseline | Displays the devices or users in a specified compliance state following the evaluation of a specified configuration baseline.
List of assets by compliance state for a configuration item in a configuration baseline | Displays the devices or users in a specified compliance state following the evaluation of a specified configuration item.
List of noncompliant Apps and Devices for a specified user | Displays information about users and devices that have apps installed that aren't compliant with a policy you specified.
List of rules conflicting with a specified rule for an asset | Displays a list of rules that conflict with a specified rule for a deployed configuration item.
List of unknown assets for a configuration baseline | Displays a list of devices or users that haven't yet reported any compliance data for a specified configuration baseline.
List of unknown assets for a configuration item | Displays a list of devices or users that haven't yet reported any compliance data for a specified configuration item.
Rules and errors summary of configuration items in a configuration baseline for an asset | Displays a summary of the compliance state of the rules and any setting errors for a specified configuration item. The configuration item must be deployed to a device or user.
Summary compliance by configuration baseline | Displays a summary of the overall compliance of deployed configuration baselines in the hierarchy.
Summary compliance by configuration items for a configuration baseline | Displays a summary of the compliance of configuration items in a specified configuration baseline.
Summary compliance by configuration policies | Displays a summary of the compliance of configuration policies.
Summary compliance of a configuration baseline for a collection | Displays a summary of the overall compliance of a specified configuration baseline. The configuration item must be deployed to the specified collection.
Summary of Users who have Noncompliant Apps | Displays information about users that have apps installed that aren't compliant with a policy you specified.
Terms and Conditions acceptance | Displays Terms and Conditions items and which version each user has accepted.

Data warehouse
The following seven reports are listed under the Data warehouse category.

Report name | Description
--- | ---
Application Deployment | Historical: View details for application deployment for a specific application and machine.
Endpoint Protection and Software Update Compliance | Historical: View computers that are missing software updates.
General Hardware Inventory | Historical: View all hardware inventory for a specific machine.
General Software Inventory | Historical: View all software inventory for a specific machine.
Infrastructure Health Overview | Historical: Displays an overview of the health of your Configuration Manager infrastructure.
List of Malware Detected | Historical: View malware that has been detected in the organization.
Software Distribution Summary | Historical: A summary of software distribution for a specific advertisement and machine.

Device management
The following 37 reports are listed under the Device Management category.

Note

Configuration Manager version 2006 dropped support for Windows CE 7.0 as a client. Deprecation was announced with version 1906.

Report name | Description
--- | ---
All corporate-owned mobile devices | Displays all corporate owned mobile devices.
All mobile device clients | Displays information about all mobile device clients. Devices that are managed by the Exchange Server connector aren't included.
Certificate issues on mobile devices that are managed by the Configuration Manager client for Windows CE and that are not healthy | Displays detailed information about certificate issues on mobile devices that are managed by the Configuration Manager client for Windows CE.
Client deployment failure for mobile devices that are managed by the Configuration Manager client for Windows CE | Displays detailed information about deployment failure for mobile devices that are managed by the Configuration Manager client for Windows CE.
Client deployment status details for mobile devices that are managed by the Configuration Manager client for Windows CE | Displays information about the status of mobile devices that are managed by the Configuration Manager client for Windows CE.
Client deployment success for mobile devices that are managed by the Configuration Manager client for Windows CE | Displays detailed information about deployment success for mobile devices that are managed by the Configuration Manager client for Windows CE.
Communication issues on mobile devices that are managed by the Configuration Manager client for Windows CE and that are not healthy | This report contains detailed information about communication issues on mobile devices that are managed by the Configuration Manager client for Windows CE.
Compliance status of default ActiveSync mailbox policy for the mobile devices that are managed by the Exchange Server connector | Displays a summary of the compliance status with the Default Exchange ActiveSync mailbox policy for the mobile devices managed by the Exchange Server connector.
Count of mobile devices by display configurations | This report displays the number of mobile devices by display settings.
Count of mobile devices by operating system | Displays the number of mobile devices by operating system.
Count of mobile devices by program memory | Displays the number of mobile devices by program memory.
Count of mobile devices by storage memory configurations | Displays the number of mobile devices by storage memory configuration.
Health information for mobile devices that are managed by the Configuration Manager client for Windows CE | Displays detailed health information for mobile devices that are managed by the Configuration Manager client for Windows CE.
Health summary for mobile devices that are managed by the Configuration Manager client for Windows CE | Displays health summary information for mobile devices that are managed by the Configuration Manager client for Windows CE.
Inactive mobile devices that are managed by the Exchange Server connector | Displays the mobile devices managed by the Exchange Server connector that haven't connected to an Exchange Server in a specified number of days.
List of devices by Health Attestation state | Displays a list of devices with attributes reported by Health Attestation Service.
List of Devices enrolled per user in Microsoft Intune | Displays all devices a user has enrolled with Microsoft Intune.
List of devices in a specific device category | Displays information for all devices within a specific device category.
Local client issues on mobile devices that are managed by the Configuration Manager client for Windows CE and that are not healthy | This report contains detailed information about local client issues on mobile devices that are managed by the Configuration Manager client for Windows CE.
Mobile device client information | Displays information about the mobile devices that have the Configuration Manager client installed. You can use this report to verify which mobile devices can successfully communicate with a management point.
Mobile device compliance details for the Exchange Server connector | Displays the mobile device compliance details for a default Exchange ActiveSync mailbox policy that is configured by using the Exchange Server connector.
Mobile devices by operating system | Displays the mobile devices by operating system.
Mobile devices that are jailbroken or a rooted device | Displays the mobile devices that are jailbroken or a rooted device.
Mobile devices that are unmanaged because they enrolled but failed to assign to a site | Displays the mobile devices that completed enrollment with Configuration Manager, have a certificate, but failed to complete site assignment.
Mobile devices with a specific amount of free program memory | Displays all mobile devices with their specified amount of free program memory.
Mobile devices with a specific amount of free removable storage memory | Displays all mobile devices with the specified amount of free removable memory.
Mobile devices with certificate renewal issues | Displays the enrolled mobile devices that failed to renew their certificate. If you don't renew the certificate before the expiry period, the mobile devices become unmanaged.
Mobile devices with low free program memory (less than specified KB free) | Displays the mobile devices for which the program memory is lower than a specified size in KB.
Mobile devices with low free removable storage memory (less than specified KB free) | Displays the mobile devices for which the removable storage memory is lower than a specified size in KB.
Number of devices enrolled per user in Microsoft Intune | Displays the users enabled for the Microsoft Intune subscription. It also shows the total number of devices enrolled for each user.
Pending retire and wipe request for mobile devices | Displays the wipe requests that are pending for mobile devices.
Recently enrolled and assigned mobile devices | Displays mobile devices that recently enrolled with Configuration Manager and successfully assigned to a site.
Recently wiped mobile devices | Displays the list of mobile devices that were recently successfully wiped.
Settings summary for mobile devices that are managed by the Exchange Server connector | Displays the number of mobile devices that apply the settings for each Default Exchange ActiveSync mailbox policy managed by the Exchange Server connector.
Windows RT Sideloading Keys Detailed Status | Displays detailed status information for a specified Windows RT sideloading key.
Windows RT Sideloading Keys Summary | Displays the status of Windows RT sideloading keys.

Driver management
The following 13 reports are listed under the Driver Management category.

Report name | Description
--- | ---
All drivers | Displays a list of all drivers.
All drivers for a specific platform | Displays all drivers for a specified platform.
All drivers in a specific boot image | Displays all drivers in a specified boot image.
All drivers in a specific category | Displays all drivers in a specified category.
All drivers in a specific package | Displays all drivers in a specified package.
Categories for a specific driver | Displays categories for a specified driver.
Computers that failed to install drivers for a specific collection | Displays computers that failed to install drivers for a specified collection.
Driver catalog matching report for a specific collection | Displays the driver catalog matching report for a specified collection.
Driver catalog matching report for a specific computer | Displays the driver catalog matching report for a specified computer.
Driver catalog matching report for a specific device on a specific computer | Displays the driver catalog matching report for a specified device on a specified computer.
Driver catalog matching report for computers in a specific collection with a specific device | Displays driver catalog matching report for computers in a specified collection with a specified device.
Drivers that failed to install on a specific computer | Displays drivers that failed to install on a specified computer.
Supported platforms for a specific Driver | Displays supported platforms for a specified driver.

Endpoint Protection
The following six reports are listed under the Endpoint Protection category.

Report name | Description
--- | ---
Antimalware activity report | Displays an overview of antimalware activity.
Antimalware overall status and history | Displays the antimalware overall status and history.
Computer malware details | Displays details about a specified computer and the list of malware found on it.
Infected computers | Displays a list of computers with a specified threat detected.
Top users by threats | Displays the list of users with the most number of detected threats.
User threat list | Displays the list of threats found for a specified user account.

Hardware - CD-ROM
The following four reports are listed under the Hardware - CD-ROM category.

Report name | Description
--- | ---
CD-ROM information for a specific computer | Displays information about the CD-ROM drives on a specified computer.
Computers for a specific CD-ROM manufacturer | Displays a list of computers that contain a CD-ROM drive made by a manufacturer you specify.
Count CD-ROM drives per manufacturer | Displays the number of CD-ROM drives inventoried per manufacturer.
History - CD-ROM history for a specific computer | Displays the inventory history for CD-ROM drives on a specified computer.

Hardware - Disk
The following eight reports are listed under the Hardware - Disk category.

Report name | Description
--- | ---
Computers with a specific hard disk size | Displays a list of computers that have hard disks of a specified size.
Computers with low free disk space (less than specified % free) | Displays a list of computers in a specified collection that have less than the specified free disk space.
Computers with low free disk space (less than specified MB free) | Displays a list of computers and disks where the disks are low on space. The amount of free space to check for is specified in MB.
Count physical disk configurations | Displays the number of hard disks inventoried by disk capacity.
Disk information for a specific computer - Logical disks | Displays summary information about the logical disks on a specified computer.
Disk information for a specific computer - Partitions | Displays summary information about the disk partitions on a specified computer.
Disk information for a specific computer - Physical disks | Displays summary information about the physical disks on a specified computer.
History - Logical disk space history for a specific computer | Displays the inventory history for logical disk drives on a specified computer.

Hardware - General
The following five reports are listed under the Hardware - General category.

Report name | Description
--- | ---
Computer information for a specific computer | Displays summary information for a specified computer.
Computers in a specific workgroup or domain | Displays a list of computers in a specified Workgroup or domain.
Inventory classes assigned to a specific collection | Displays the inventory classes that are assigned to a specified collection.
Inventory classes enabled on a specific computer | Displays the inventory classes that are enabled on a specified computer.
Windows Autopilot Device Information | Displays client device information that is needed for Windows Autopilot registration.

Hardware - Memory
The following five reports are listed under the Hardware - Memory category.

Report name | Description
--- | ---
Computers where physical memory has changed | Displays a list of computers where the amount of RAM has changed since the last inventory cycle.
Computers with a specific amount of memory | Displays a list of computers that have a specified amount of RAM (Total Physical Memory rounded to the nearest MB).
Computers with low memory (less than or equal to specified MB) | Displays a list of computers that are low on memory. The amount of memory to check for is specified in MB.
Count memory configurations | Displays the number of computers inventoried by amount of RAM.
Memory information for a specific computer | Displays summary information about the memory on a specified computer.

Hardware - Modem
The following three reports are listed under the Hardware - Modem category.

Report name | Description
--- | ---
Computers for a specific modem manufacturer | Displays a list of computers that have a modem made by a specified manufacturer.
Count modems by manufacturer | Displays the number of modems inventoried for each modem manufacturer.
Modem information for a specific computer | Displays summary information about the modem on a specified computer.

Hardware - Network adapter
The following three reports are listed under the Hardware - Network Adapter category.

Report name | Description
--- | ---
Computers with a specific network adapter | Displays a list of computers that have a specified network adapter.
Count network adapters by type | Displays the number of inventoried network adapter cards of each type.
Network adapter information for a specific computer | Displays information about the network adapters installed on a specified computer.

Hardware - Processor
The following five reports are listed under the Hardware - Processor category.

Report name | Description
--- | ---
Computers for a specific processor speed | Displays a list of computers that have a processor of a specified speed.
Computers with fast processors (greater than or equal to a specified clock speed) | Displays a list of computers that have processors with a speed that is faster than the specified speed.
Computers with slow processors (less than or equal to a specified clock speed) | Displays a list of computers that have processors that run at or slower than a specified clock speed.
Count processor speeds | Displays the number of computers inventoried by processor speed.
Processor information for a specific computer | Displays information about the processors installed on a specified computer.

Hardware - SCSI
The following five reports are listed under the Hardware - SCSI category.

Report name | Description
--- | ---
Computers with a specific SCSI card type | Displays a list of computers that have a specified SCSI card installed.
Count SCSI card types | Displays the number of inventoried SCSI cards by card type.
SCSI card information for a specific computer | Displays information about the SCSI cards installed on a specified computer.

Hardware - Security
The following one report is listed under the Hardware - Security category.

Report name | Description
--- | ---
Details of firmware states on devices | Displays the details of the states of UEFI, SecureBoot, and TPM. Note: This report isn't in version 1810.

Hardware - Sound card
The following three reports are listed under the Hardware - Sound Card category.

Report name | Description
--- | ---
Computers with a specific sound card | Displays a list of computers that have a specified sound card.
Count sound cards | Displays the number of computers inventoried by each sound card type.
Sound card information for a specific computer | Displays summary information about the sound cards on a specified computer.

Hardware - Video card
The following three reports are listed under the Hardware - Video Card category.

Report name | Description
--- | ---
Computers with a specific video card | Displays a list of computers that have a specified video card.
Count video cards by type | Displays a list of all of the video cards installed on computers. It also shows the number of each type of video card.
Video card information for a specific computer | Displays summary information about the video cards installed on a specified computer.

Migration
The following five reports are listed under the Migration category.

Report name | Description
--- | ---
Clients in exclusion list | Displays clients that are excluded from migration.
Dependency on a Configuration manager collection | Displays the objects that depend on a collection of the source hierarchy.
Migration job properties | This report shows the contents of the specified migration job.
Migration jobs | This report shows the list of migration jobs.
Objects that failed to migrate | Displays a list of objects that failed to migrate during the last attempt.

Network
The following six reports are listed under the Network category.

Report name | Description
--- | ---
Count IP addresses by subnet | Displays the number of IP addresses inventoried for each IP subnet.
IP - All subnets by subnet mask | Displays a list of IP subnets and subnet masks.
IP - Computers in a specific subnet | Displays a list of computers and IP information for a specified IP subnet.
IP - Information for a specific computer | Displays summary information about IP on a specified computer.
IP - Information for a specific IP address | Displays summary information about a specified IP address.
MAC - Computers for a specific MAC address | Displays the computer name and IP address of computers that have the specified MAC address.

Operating system
The following 10 reports are listed under the Operating System category.

Report name | Description
--- | ---
Computer operating system version history | Displays the inventory history for the operating system on a specified computer.
Computers with a specific operating system | Displays computers with a specified operating system.
Computers with a specific operating system and service pack | Displays computers with a specified operating system and service pack.
Count operating system versions | Displays the number of computers inventoried by operating system.
Count operating systems and service packs | Displays the number of computers inventoried by operating system and service pack combinations.
Services - Computers running a specific service | Displays a list of computers running a specified service.
Services - Computers running Remote Access Server | Displays a list of computers running Remote Access Server.
Services - Services information for a specific computer | Displays summary information about the services on a specified computer.
Windows Servicing details for a specific collection | Displays general information about Windows servicing for a specific collection.
Windows Server computers | Displays a list of computers that run Windows Server operating systems.

Power management
The following 18 reports are listed under the Power Management category.

Report name | Description
--- | ---
Power Management - Computer activity | Displays a graph showing monitor, computer, and user activity for a specified collection over a specified time period.
Power Management - Computer activity by computer | Displays a graph showing monitor, computer, and user activity for a specified computer on a specified date.
Power Management - Computer activity details | Displays a list of the sleep and wake capabilities of computers in the specified collection for a specified date and time.
Power Management - Computer details | Displays detailed information about the power capabilities, power settings, and power plans applied to a specified computer.
Power Management - Computer not reporting details | Displays a list of computers not reporting any power activity for a specified date and time.
Power Management - Computers excluded | Displays a list of computers excluded from the power plan.
Power Management - Computers with multiple power plans | Displays a list of computers that have multiple, conflicting power settings applied.
Power Management - Energy consumption | Displays the total monthly energy consumption (in kWh) for a specified collection over a specified time period.
Power Management - Energy consumption by day | Displays the total energy consumption (in kWh) for a specified collection in the last 31 days.
Power Management - Energy cost | Displays the total monthly energy consumption cost for a specified collection over a specified time period.
Power Management - Energy cost by day | Displays the total energy consumption cost for a specified collection over the past 31 days.
Power Management - Environmental impact | Displays a graph showing carbon dioxide (CO2) emissions generated by a specified collection over a specified time period.
Power Management - Environmental impact by day | Displays a graph showing CO2 emissions generated by a specified collection over the past 31 days.
Power Management - Insomnia computer details | Displays detailed information about computers that didn't sleep or hibernate within a specified time period.
Power Management - Insomnia report | Displays a list of common causes that prevented computers from sleeping or hibernating. It also shows the number of computers affected by each cause over a specified time period.
Power Management - Power capabilities | Displays the power management capabilities of computers in the specified collection.
Power Management - Power settings | Displays an aggregated list of power settings used by computers in a specified collection.
Power Management - Power settings details | Used to display further information about computers that were specified in the Power Management - Power settings report.

Replication traffic
The following 10 reports are listed under the Replication Traffic category.

Report name | Description
Global Data Replication Traffic Per Link (line chart) | Displays total global data replication traffic on a specified link for a specified number of days.
Global Data Replication Traffic Per Link (pie chart) | Displays total global data replication traffic on a specified link for a specified number of days.
Hierarchy Replication Traffic By Link | Displays total replication traffic for each link in the hierarchy for a specified number of days.
Hierarchy Top Ten Replication Groups Traffic Per Link (pie chart) | Displays the replication traffic for the top 10 replication groups across the entire hierarchy, identified by link.
Link Replication Traffic | Displays total replication traffic for all data for a specified number of days.
Replication group traffic per link | Displays the replication group network traffic over a specified database replication link for a specified number of days.
Site Data Replication Traffic Per Link (line chart) | Displays total site data replication traffic on a specified link for a specified number of days.
Site Data Replication Traffic Per Link (pie chart) | Displays total site data replication traffic on a specified link for a specified number of days.
Total Hierarchy Replication Traffic (line chart) | Displays hierarchy aggregate global and site data replication for each direction of every link for a specified number of days.
Total Hierarchy Replication Traffic (pie chart) | Displays hierarchy aggregate global and site data replication for each direction of every link for a specified number of days.

Site - Client information
The following 19 reports are listed under the Site - Client Information category.

Report name | Description
Client assignment detailed status report | Displays detailed information about client assignment status.
Client assignment failure details | Displays detailed information about client assignment failures.
Client assignment status details | Displays overview information about client assignment status.
Client assignment success details | Displays detailed information about successfully assigned clients.
Client deployment failure report | Displays detailed information for clients that have failed to deploy.
Client deployment status details | Displays summary information for the status of client installations.
Client deployment success report | Displays detailed information for clients that have successfully deployed.
Clients incapable of HTTPS communication | Displays detailed information about each client that runs the HTTPS Communication Readiness Tool and reports that it is incapable of communicating over HTTPS.
Computers assigned but not installed for a particular site | Displays a list of computers that are assigned to a specified site but aren't reporting to that site.
Computers with a specific Configuration Manager client version | Displays a list of computers running a specified version of the Configuration Manager client software.
Count of clients and protocol used for communication | Displays a summary of the communication methods used by clients (HTTP or HTTPS).
Count of clients assigned and installed for each site | Displays the number of computers assigned and installed for each site. Clients with a network location associated to multiple sites are only counted as installed if they're reporting to that site.
Count of clients capable of HTTPS communication | Displays detailed information about each client that runs the HTTPS Communication Readiness Tool and reports that it is either capable or incapable of communicating over HTTPS.
Count of clients for each site | Displays the number of Configuration Manager clients installed by site code.
Count of Configuration Manager clients by client versions | Displays the number of computers discovered by Configuration Manager client version.
Problem details reported to the fallback status point for a specified collection | Displays detailed information for issues reported by clients in a specified collection. These clients must have an assigned fallback status point.
Problem details reported to the fallback status point for a specified site | Displays detailed information about issues reported by clients in a specified site. These clients must have an assigned fallback status point.
Summary of problems reported to the fallback status point | Displays information about all the issues reported by clients. These clients must have an assigned fallback status point.
Summary of problems reported to the fallback status point for a specific collection | Displays summary information for issues reported by clients in a specified collection. These clients must have an assigned fallback status point.

Site - Discovery and inventory information
The following 10 reports are listed under the Site - Discovery and Inventory Information category.

Report name | Description
Clients that have not reported recently (in a specified number of days) | Displays a list of clients that haven't reported discovery data, hardware inventory, or software inventory in a specified number of days.
Computers discovered by a specific site | Displays a list of all computers that the specified site discovered. It also shows the date of the most recent discovery.
Computers discovered recently by discovery method | Displays a list of computers that the site discovered within the specified number of days. It also lists the agents that discovered them. If multiple agents discovered a computer, it may appear more than once in the list.
Computers not discovered recently (in a specified number of days) | Displays a list of computers that the site hasn't recently discovered. It also shows the number of days since the site discovered the computer.
Computers not inventoried recently (in a specified number of days) | Displays a list of computers that the site hasn't recently inventoried. It also shows the last times the client inventoried the computer.
Computers that might share the same Configuration Manager unique identifier | Displays a list of computers that have changed their names. A change in name is a possible symptom that a computer shares a Configuration Manager Unique Identifier with another computer.
Computers with duplicate MAC addresses | Displays computers that share a MAC address.
Count computers in resource domains or workgroups | Displays the number of computers in each resource domain or workgroup.
Discovery information for a specific computer | Displays a list of the agents and sites that discovered a specified computer.
Inventory dates for a specific computer | Displays the date and time inventory was last run on a specified computer.
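The "Clients that have not reported recently" report above is answered from the site database. As an added example, not the report's own SQL and not part of the Configuration Manager documentation, the PowerShell function below runs an equivalent query through Invoke-Sqlcmd (SqlServer module). It assumes read access to the site database and the v_R_System and v_CH_ClientSummary views with their LastDDR, LastHW, LastSW and LastPolicyRequest columns; the server name, database name and function name are placeholders.

```powershell
# Added example (not Configuration Manager's own report query).
# Assumptions: SqlServer module installed, db_datareader on the site database,
# and the v_R_System / v_CH_ClientSummary views as named below.
function Get-StaleConfigMgrClient {
    param(
        [string]$ServerInstance = 'CM01',    # placeholder site database server
        [string]$Database       = 'CM_PS1',  # placeholder site database (CM_<sitecode>)
        [int]$Days              = 30
    )

    # Single-quoted here-string so $(Days) is left for Invoke-Sqlcmd's variable
    # substitution instead of being expanded by PowerShell.
    $query = @'
SELECT sys.Name0           AS ComputerName,
       sys.Client_Version0 AS ClientVersion,
       cs.LastDDR, cs.LastHW, cs.LastSW, cs.LastPolicyRequest
FROM   v_R_System sys
JOIN   v_CH_ClientSummary cs ON cs.ResourceID = sys.ResourceID
WHERE  sys.Client0 = 1                       -- has the client installed
  AND  ISNULL(sys.Obsolete0, 0) = 0          -- skip obsolete records
  AND (
        cs.LastDDR IS NULL OR cs.LastDDR < DATEADD(day, -$(Days), GETDATE())
     OR cs.LastHW  IS NULL OR cs.LastHW  < DATEADD(day, -$(Days), GETDATE())
     OR cs.LastSW  IS NULL OR cs.LastSW  < DATEADD(day, -$(Days), GETDATE())
      )
ORDER BY cs.LastPolicyRequest
'@

    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database `
                  -Query $query -Variable @("Days=$Days")
}

# Usage: clients with any inventory channel silent for more than 45 days.
Get-StaleConfigMgrClient -Days 45 | Format-Table -AutoSize
```

The query flags a client when any one of discovery (DDR), hardware inventory, or software inventory is older than the threshold, which is the conservative reading for a security review: a machine that still requests policy but has stopped sending inventory is exactly the one that drops out of patch-compliance and software-inventory reports. If software inventory is disabled in your client settings, remove the LastSW clause or every client will match.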

Site - General
The following three reports are listed under the Site - General category.

Report name | Description
Computers in a specific site | Displays a list of client computers in a specified site.
Site status for the hierarchy | Displays the list of sites in the hierarchy with site version and site status information.
Status of Configuration Manager update within hierarchy | Displays information about Configuration Manager site updates for the hierarchy.

Site - Server information
The following report is listed under the Site - Server Information category.

Report name | Description
Site system roles and site system servers for a specific site | Displays a list of site system servers and their site system roles for a specified site.

Software - Companies and products
The following 15 reports are listed under the Software - Companies and Products category.

Report name | Description
All inventoried products for a specific software company | Displays a list of the inventoried software products and versions from a specified software company.
All software companies | Displays a list of all companies manufacturing inventoried software.
All Windows apps | Displays a summary of installed Windows apps. It searches using the following criteria: application name, architecture, or publisher.
Computers with a specific product | Displays a list of the computers that a specified product is inventoried on, and the versions of that product.
Computers with a specific product name and version | Displays a list of the computers that a specified version of a product is inventoried on.
Computers with specific software registered in Add Remove Programs | Displays a summary of all computers with specified software registered in Add Remove Programs or Programs and Features.
Count all inventoried products and versions | Displays a list of the inventoried software products and versions, and the number of computers each is installed on.
Count inventoried products and versions for a specific product | Displays a list of the inventoried versions of a specified product, and the number of computers each is installed on.
Count of all instances of software registered with Add or Remove Programs | Displays a summary of all instances of software installed and registered with Add or Remove Programs or Programs and Features on computers within the specified collection.
Count of instances of specific software registered with Add or Remove Programs | Displays a count of instances for specified software packages installed and registered in Add or Remove Programs or Programs and Features.
Default Browser counts | Shows the count of clients with a specific web browser as the Windows default. See the BrowserProgID reference below this table.
Installations of specified Windows apps | Lists all computers with a specified Windows app.
Products on a specific computer | Displays a summary of the inventoried software products and their manufacturers on a specified computer.
Software registered in Add Remove Programs on a specific computer | Displays a summary of the software installed on a specified computer that is registered in Add Remove Programs or Programs and Features.
Windows apps installed to the specified user | Displays all Windows apps installed to the specified user.

Use the following reference for common BrowserProgIDs in the Default Browser counts report:

- AppXq0fevzme2pys62n3e0fbqa7peapykr8v: Microsoft Edge
- IE.HTTP: Microsoft Internet Explorer
- ChromeHTML: Google Chrome
- OperaStable: Opera Software
- FirefoxURL-308046B0AF4A39CB: Mozilla Firefox
- Unknown: the client OS doesn't support the query, the query hasn't run, or a user hasn't logged on
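The Default Browser counts report is driven by each user's ProgID for the http URL association. As an added example that is not part of the original page, the PowerShell below reads that ProgID from every loaded user hive (HKEY_USERS\<SID>\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice), maps it with the reference list above, and yields Unknown in the same situations the report does (no hive loaded because no user has logged on, or no UserChoice value because the OS doesn't record one). The function names are hypothetical; run it elevated so that other users' hives are readable.

```powershell
# Added example (not from the Configuration Manager docs or the report's own query).
# Maps the http UserChoice ProgID to the browser names used by the report.
$BrowserByProgId = @{
    'AppXq0fevzme2pys62n3e0fbqa7peapykr8v' = 'Microsoft Edge'
    'IE.HTTP'                               = 'Microsoft Internet Explorer'
    'ChromeHTML'                            = 'Google Chrome'
    'OperaStable'                           = 'Opera Software'
    'FirefoxURL-308046B0AF4A39CB'           = 'Mozilla Firefox'
}

function Resolve-BrowserName {
    param([string]$ProgId)
    if ([string]::IsNullOrEmpty($ProgId)) { return 'Unknown' }   # no UserChoice recorded
    if ($BrowserByProgId.ContainsKey($ProgId)) { return $BrowserByProgId[$ProgId] }
    # The Firefox ProgID carries a per-install hash suffix, so match on the prefix.
    if ($ProgId -like 'FirefoxURL-*') { return 'Mozilla Firefox' }
    return "Other ($ProgId)"   # something the report's reference list doesn't cover
}

function Get-DefaultBrowserPerUser {
    $results = foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        # Only domain/local user SIDs have a UserChoice; skip *_Classes and service SIDs.
        if ($sid -like '*_Classes' -or $sid -notlike 'S-1-5-21-*') { continue }
        $key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice"
        $progId = (Get-ItemProperty -Path $key -Name ProgId -ErrorAction SilentlyContinue).ProgId
        [pscustomobject]@{
            Sid     = $sid
            ProgId  = $progId
            Browser = Resolve-BrowserName $progId
        }
    }
    if (-not $results) {
        # No user hive loaded: the report would count this client as Unknown.
        [pscustomobject]@{ Sid = $null; ProgId = $null; Browser = 'Unknown' }
    } else {
        $results
    }
}

# Usage: per-client counts in the same shape as the report.
Get-DefaultBrowserPerUser | Group-Object Browser | Select-Object Name, Count
```

Only hives that are currently loaded appear under HKEY_USERS, so users who have logged off are not counted; that is the same "user hasn't logged on" gap the report describes, and why an "Other (...)" ProgID is worth a second look when you are hunting for an unapproved browser.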

Software - Files
The following five reports are listed under the Software - Files category.

Report name | Description
All inventoried files for a specific product | Displays a summary of the inventoried files that are associated with a specified software product.
All inventoried files on a specific computer | Displays a summary of all the files inventoried on a specified computer.
Compare software inventory on two computers | Displays the differences between the software inventories reported for two specified computers.
Computers with a specific file | Displays a list of computers that have collected software inventory for a specified file name. If a computer contains multiple copies of the file, it might appear more than once in the list.
Count computers with a specific file name | Displays the number of computers that have collected software inventory for a specified file.

Software distribution - Application monitoring
The following 10 reports are listed under the Software Distribution - Application Monitoring category.

Report name | Description
All application deployments (advanced) | Displays detailed summary information for all application deployments.
All application deployments (basic) | Displays summary information for all application deployments.
Application compliance | Displays compliance information for the specified application within the specified collection.
Application deployments per asset | Displays applications deployed to a specified device or user.
Application infrastructure errors | Displays application infrastructure errors. These errors include internal infrastructure issues, or errors resulting from invalid requirement rules.
Application Usage Detailed Status | Displays usage details for installed applications.
Application Usage Summary Status | Displays a usage summary for installed applications.
Task sequence deployments containing application | Displays task sequence deployments that install a specified application.

Software distribution - Collections
The following three reports are listed under the Software Distribution - Collections category.

Report name | Description
All collections | Displays all the collections in the hierarchy.
All resources in a specific collection | Displays all the resources in a specified collection.
Maintenance windows available to a specified client | Displays all maintenance windows that are applicable to the specified client.

Software distribution - Content
The following 16 reports are listed under the Software Distribution - Content category.

Report name | Description
All active content distributions | Displays all distribution points on which content is currently being installed or removed.
All content | Displays all applications and packages at a site.
All content on a specific distribution point | Displays all content currently installed on a specified distribution point.
All distribution points | Displays information about the distribution points for each site.
All status messages for a specific package on a specific distribution point | Displays all status messages for a specified package on a specified distribution point.
Application content distribution status | Displays information about the distribution status for application content.
Applications targeted to distribution point group | Displays information about application content that was deployed to a specified distribution point group.
Applications that are out of synchronization on a specified distribution point group | Displays the applications for which associated content files haven't been updated with the latest version on a specified distribution point group.
Distribution point group | Displays information about a specified distribution point group.
Distribution point usage summary | Displays the distribution point usage summary for each distribution point.
Distribution status of specified package | Displays the distribution status for specified package content on each distribution point.
Packages targeted to distribution point group | Displays information about packages that target a specified distribution point group.
Packages that are out of synchronization on a specified distribution point group | Displays packages for which associated content files haven't been updated with the latest version on a specified distribution point group.
Peer cache source content rejection | Displays the number of peer cache source rejections per boundary group.
Peer cache source content rejection by condition | Displays the peer cache sources that refused to serve content, grouped by the condition that caused the rejection.
Peer cache source content rejection details | Displays the name of the content that was rejected by a peer source.
Software distribution - Package and program deployment
The following five reports are listed under the Software Distribution - Package and Program Deployment category.

Report name | Description
All deployments for a specified package and program | Displays information about all deployments of a specified package and program.
All package and program deployments | Displays all of the package and program deployments at this site.
All package and program deployments to a specified collection | Displays all of the package and program deployments to a specified collection.
All package and program deployments to a specified computer | Displays all of the package and program deployments that apply to a specified computer.
All package and program deployments to a specified user | Displays all of the package and program deployments to a specified user.

Software distribution - Package and program deployment status
The following five reports are listed under the Software Distribution - Package and Program Deployment Status category.

Report name | Description
All system resource package and program deployments with status | Displays all package and program deployments for the site with a summary status of each deployment.
All system resources for a specified package and program deployment in a specified state | Displays a list of resources that are in a specified state for a specified package and program deployment.
Chart - Hourly package and program deployment completion status | Displays the percentage of computers that successfully installed the package, broken down by hour since the administrator created the package and program deployment. Use it to track the average time a package and program deployment takes to complete.
Package and program deployment status for a specified client and deployment | Displays the status messages reported for a specified computer and package and program deployment.
Status of a specified package and program deployment | Displays the status summary for a specified package and program deployment.

Software metering
The following 13 reports are listed under the Software Metering category.

Report name | Description
All software metering rules applied to this site | Displays a list of all software metering rules at the site.
Computers that have a metered program installed but haven't run the program since a specified date | Displays all computers with the specified metered application, but no user has run the program since the specified date.
Computers that have run a specific metered software program | Displays a list of computers that have run programs matching the specified software metering rule within the specified month and year.
Concurrent usage for all metered software programs | Displays the maximum number of users who concurrently ran each metered software program during the specified month and year.
Concurrent usage trend analysis of a specific metered software program | Displays the maximum number of users who concurrently ran the specified metered software program during each month for the past year.
Install base for all metered software programs | Displays the number of computers that have metered software programs installed as reported by software inventory. This report requires that the computer collects software inventory.
Software metering summarization progress | Displays the time at which the most recently summarized metering data was processed on the site server. The software metering reports only reflect metering data processed before these dates.
Time of day usage summary for a specific metered software program | Displays the average number of usages of a particular program for the past 90 days, broken down by hour and day.
Total usage for all metered software programs | Displays the number of users who ran programs within the specified month and year, and that match each software metering rule. These rules are for locally installed software, or using Terminal Services.
Total usage for all metered software programs on Windows Terminal Servers | Displays the number of users who ran programs matching each software metering rule using Terminal Services within the specified month and year.
Total usage trend analysis for a specific metered software program | Displays the number of users who ran programs during each month for the past year, and that match the specified software metering rule. These rules are for locally installed software, or using Terminal Services.
Total usage trend analysis for a specific metered software program on Windows Terminal Servers | Displays the number of users who ran programs during each month for the past year, and that match the specified software metering rule. These rules are for using Terminal Services.
Users that have run a specific metered software program | Displays a list of users who have run programs within the specified month and year, and that match the specified software metering rule.

Software updates - A Compliance
The following nine reports are listed under the Software Updates - A Compliance category.

Report name | Description
Compliance 1 - Overall compliance | Displays the overall compliance data for a software update group.
Compliance 2 - Specific software update | Displays the compliance data for a specified software update.
Compliance 3 - Update group (per update) | Displays the compliance data for software updates defined in a software update group.
Compliance 4 - Updates by vendor month year | Displays the compliance data for software updates released by a vendor during a specified month and year.
Compliance 5 - Specific computer | Returns the software update compliance data for a specified computer. To limit the amount of information returned, you can specify the vendor and software update classification.
Compliance 6 - Specific software update states (secondary) | Displays the count and percentage of computers in each compliance state for the specified software update.
Compliance 7 - Computers in a specific compliance state for an update group (secondary) | Displays all computers in a collection that have a specified overall compliance state against a software update group.
Compliance 8 - Computers in a specific compliance state for an update (secondary) | Displays all computers in a collection that have a specified compliance state for a software update.
Compliance 9 - Overall health and compliance | Displays the overall health and compliance data for a software update group. (Starting in version 1806.)

Software updates - B Deployment management
The following eight reports are listed under the Software Updates - B Deployment Management category.

Report name | Description
Management 1 - Deployments of an update group | Displays all deployments that include all of the software updates defined in a specified software update group.
Management 2 - Updates required but not deployed | Displays all vendor-specific software updates that clients detect as required, but an administrator hasn't deployed to a specified collection.
Management 3 - Updates in a deployment | Displays the software updates that are contained in a specified deployment.
Management 4 - Deployments that target a collection | Displays all software update deployments that target a specified collection.
Management 5 - Deployments that target a computer | Displays all software update deployments that are deployed to a specified computer.
Management 6 - Deployments that contain a specific update | Displays all deployments that include a specified software update and the associated target collection for the deployment.
Management 7 - Updates in a deployment missing content | Displays the software updates in a specified deployment that don't have all of the associated content retrieved. This state prevents clients from installing the update, which prevents the deployment from achieving 100% compliance.
Management 8 - Computers missing content (secondary) | Displays all computers requiring the specified software update, but the associated content isn't yet distributed to a distribution point.

Software updates - C Deployment states
The following six reports are listed under the Software Updates - C Deployment States category.

Report name | Description
States 1 - Enforcement states for a deployment | Displays the enforcement states for a specified software update deployment, which is typically the second phase of a deployment assessment.
States 2 - Evaluation states for a deployment | Displays the evaluation state for a specified software update deployment, which is typically the first phase of a deployment assessment.
States 3 - States for a deployment and computer | Displays the states for all software updates in the specified deployment for a specified computer.
States 4 - Computers in a specific state for a deployment (secondary) | Displays all computers in a specified state for a software update deployment.
States 5 - States for an update in a deployment (secondary) | Displays a summary of states for a specified software update targeted by a specified deployment.
States 6 - Computers in a specific enforcement state for an update (secondary) | Displays all computers in a specified enforcement state for a specified software update.

Software updates - D Scan
The following four reports are listed under the Software Updates - D Scan category.

Report name | Description
Scan 1 - Last scan states by collection | Specify a collection to display the count of computers in each compliance scan state. The clients return the state during the last compliance scan.
Scan 2 - Last scan states by site | Specify a site to display the count of computers in each compliance scan state. The clients return the state during the last compliance scan.
Scan 3 - Clients of a collection reporting a specific state (secondary) | Displays all computers for a specified collection and a specified compliance scan state during their last compliance scan.
Scan 4 - Clients of a site reporting a specific state (secondary) | Specify a site to display all computers with a specified compliance scan state. The clients return the state during their last compliance scan.

Software updates - E Troubleshooting
The following four reports are listed under the Software Updates - E Troubleshooting category.

Report name | Description
Troubleshooting 1 - Scan errors | Displays scan errors at the site and a count of computers that are experiencing each error.
Troubleshooting 2 - Deployment errors | Displays the deployment errors at the site and a count of computers that are experiencing each error.
Troubleshooting 3 - Computers failing with a specific scan error (secondary) | Displays a list of the computers that failed a scan because of a specified error.
Troubleshooting 4 - Computers failing with a specific deployment error (secondary) | Displays a list of the computers on which the deployment of an update is failing because of a specified error.

State migration
The following three reports are listed under the State Migration category.

Report name | Description
State migration information for a specific source computer | Displays state migration information for a specified computer.
State migration information for a specific state migration point | Displays state migration information for a specified state migration point.
State migration points for a specific site | Displays the state migration points for a specified site.

Status messages
The following 12 reports are listed under the Status Messages category.

Report name | Description
All messages for a specific message ID | Displays a list of status messages that have a specified message ID.
Clients reporting errors in the last 12 hours for a specific site | Displays a list of computers and components reporting errors in the last 12 hours, and the number of errors reported.
Component messages for the last 12 hours | Displays a list of component messages for the last 12 hours for a specified site code, computer, and component.
Component messages for the last hour | Displays a list of the status messages created in the last hour by a specified component on a specified computer at a specified site.
Count component messages for the last hour for a specific site | Displays the number of status messages by component and severity reported in the last hour at a specified site.
Count errors in the last 12 hours | Displays the number of server component error status messages in the last 12 hours.
Fatal errors (by component) | Displays a list of computers reporting fatal errors by component.
Fatal errors (by computer name) | Displays a list of computers reporting fatal errors by computer name.
Last 1000 messages for a specific computer (Errors and Warnings) | Displays a summary of the last 1000 error and warning component status messages for a specified computer.
Last 1000 messages for a specific computer (Errors Warnings and Information) | Displays a summary of the last 1000 error, warning, and informational component status messages for a specified computer.
Last 1000 messages for a specific computer (Errors) | Displays a summary of the last 1000 error server component status messages for a specified computer.
Last 1000 messages for a specific server component | Displays a summary of the most recent 1000 status messages for a specified server component.

Status messages - Audit
The following three reports are listed under the Status Messages - Audit category.

Report name | Description
All audit messages for a specific user | Displays a summary of all audit status messages for a specified user. Audit messages describe actions taken in the Configuration Manager console that add, modify, or delete objects in Configuration Manager.
Remote Control - All computers remote controlled by a specific user | Displays a summary of status messages indicating remote control of client computers by a specified user.
Remote Control - All remote control information | Displays a summary of status messages related to the remote control of client computers.

Task sequence - Deployment status
The following 11 reports are listed under the Task Sequence - Deployment Status category.

Report name | Description
All system resources for a task sequence deployment in a specific state | Displays a list of the destination computers for the specified task sequence deployment in a specified deployment state.
All system resources for a task sequence deployment that is in a specific state and that is available to unknown computers | Displays a list of the destination computers for the specified task sequence deployment that is in the specified deployment state.
Count of system resources that have task sequence deployments assigned but not yet run | Displays the number of computers that have accepted task sequences, but haven't run the task sequence.
History of a task sequence deployment on a computer | Displays the status of each step of the specified task sequence deployment on the specified destination computer. If no record is returned, the task sequence hasn't started on the computer.
List of computers that exceeded a specific length of time to run a task sequence deployment | Displays the list of destination computers that exceeded the specified length of time to run a task sequence.
Run time for a specific task sequence deployment on a specific destination computer | Displays the total time that it took to successfully complete a specified task sequence on a specified computer.
Run time for each step of a task sequence deployment on a specific destination computer | Displays the time that it took to complete each step of the specified task sequence deployment on the specified destination computer.
Status of a specific task sequence deployment for a specific computer | Displays the status summary of a specified task sequence deployment on a specified computer.
Status of a task sequence deployment on an unknown destination computer | Displays the status of the specified task sequence deployment on the specified unknown destination computer.
Status summary of a specific task sequence deployment | Displays a status summary of all resources that have been targeted by a deployment.
Status summary of a specific task sequence deployment available to unknown computers | Displays the status summary of all resources targeted by the specified deployment that is available to a collection containing unknown computers.

Task sequence - Deployments

The following 11 reports are listed under the Task Sequence - Deployments category.

All system resources currently in a specific group or phase of a specific task sequence deployment: Displays a list of computers that are currently running in a specified group or phase of a specified task sequence deployment.

All system resources where a task sequence deployment failed within a specific group or phase: Displays a list of computers that failed within a specified group/phase of the specified task sequence deployment.

All task sequence deployments: Displays details of all task sequence deployments initiated from the current site.

All task sequence deployments available to unknown computers: Displays details of all the task sequence deployments initiated from the site, and deployed to collections that contain unknown computers.

Count of failures in each phase or group of a specific task sequence: Displays the number of failures in each phase or group of the specified task sequence.

Count of failures in each phase or group of a specific task sequence deployment: Displays the number of failures in each phase or group of the specified task sequence deployment.

Deployment status of all task sequence deployments: Displays the overall progress of all task sequence deployments.

Progress of a running task sequence: Displays the progress of the specified task sequence.

Progress of a running task sequence deployment: Displays the summary information for the specified task sequence deployment.

Progress of all deployments for a specific task sequence: Displays the progress of all deployments for the specified task sequence.

Summary report for a task sequence deployment: Displays the summary information for the specified task sequence deployment.

Task sequence - Progress

The following five reports are listed under the Task Sequence - Progress category.

Chart - Weekly progress of a task sequence: Displays the weekly progress of a task sequence, starting from the deployment date.

Progress of a task sequence: Displays the progress of the specified task sequence.

Progress of all task sequences: Displays a summary of the progress of all task sequences.

Progress of task sequences for operating system deployments: Displays the progress of all task sequences that deploy operating systems.

Status of all unknown computers: Displays a list of computers that were unknown at the time they ran a task sequence deployment, and whether they're now known computers.

Task sequences - References

The following report is listed under the Task Sequences - References category.

Content referenced by a specific task sequence: Displays content that is referenced by a specified task sequence.

User - Device affinity

The following two reports are listed under the User - Device Affinity category.

Pending user device affinity associations by collection: This report shows all pending user device affinity assignments based on usage data, for members of a collection.

User device affinity associations per collection: Displays all user device associations for the specified collection, and groups the results by collection type (for example, user or device).

User data and profiles health

The following four reports are listed under the User Data and Profiles Health category.

Folder Redirection Health Report - Details: Displays the health state details of folder redirection for each of the redirected folders for a given user.

Roaming User Profiles Health Report - Details: Displays the health state details of the roaming user profile for a specified user.

User Data and Profiles Health Report - Details: Displays the error or warning details of folder redirection or roaming user profiles. This report is the details target from the summary report.

User Data and Profiles Health Report - Summary: Displays the summary of health states for folder redirection and roaming user profiles.

Users

The following three reports are listed under the Users category.

Computers for a specific user name: Displays a list of the computers that were used by a specified user.

Count users by domain: Displays the number of users in each domain.

Users in a specific domain: Displays a list of users and their computers in a specified domain.

Virtual applications

The following seven reports are listed under the Virtual Applications category.

App-V Virtual Environment Results: Displays information about a specified virtual environment that is in a specified state for a specified collection.

App-V Virtual Environment Results For Asset: Displays information about a specified virtual environment for a specified asset. It also shows any deployment types for the specified virtual environment.

App-V Virtual Environment Status: Displays compliance information for a specified virtual environment for a specified collection.

Computers with a specific virtual application: Displays a summary of computers that have the specified App-V application shortcut as created using the Application Virtualization Management Sequencer.

Computers with a specific virtual application package: Displays a summary of computers that have the specified App-V application package.

Count of all instances of virtual application packages: Displays a count of detected App-V application packages.

Count of all instances of virtual applications: Displays a count of detected App-V applications.

Vulnerability assessment

The following report is listed under the Vulnerability Assessment category.

Vulnerability Assessment Overall Report: Identifies security, administrative, and compliance vulnerabilities for a specific computer.

Wake On LAN

The following seven reports are listed under the Wake On LAN category.

All computers targeted for Wake On LAN activity: Specify the type of deployment to display a list of computers targeted for Wake On LAN activity.

All objects pending wake-up activity: Displays objects that are scheduled for wakeup.

All sites that are enabled for Wake On LAN: Displays a list of all sites in the hierarchy that are enabled for Wake On LAN.

Errors received while sending wake-up packets for a defined period: Displays errors received while sending wake-up packets to computers for a defined period.

History of Wake On LAN activity: Displays a history of the wakeup activity that has occurred since a certain period.

Wake-Up Proxy Deployment State Details: Displays information about the deployment status of Wake-Up Proxy for each device in a specified collection.

Wake-Up Proxy Deployment State Summary: Displays a summary of the deployment status of wake-up proxy for a specified collection.

Configure reporting in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Before you can create, modify, and run reports in the Configuration Manager console,
there are several configuration tasks to complete. Use this article to help you configure
reporting in your Configuration Manager hierarchy.

Before you install and configure SQL Server Reporting Services in your hierarchy, review
the following Configuration Manager reporting articles:

Introduction to reporting

Plan for reporting

SQL Server Reporting Services


SQL Server Reporting Services is a server-based reporting platform that provides
comprehensive reporting functionality for different kinds of data sources. The reporting
services point in Configuration Manager communicates with SQL Server Reporting
Services to:

Copy Configuration Manager reports to a specified report folder

Configure Reporting Services settings

Configure Reporting Services security settings

When you run a report, the Reporting Services component connects to the
Configuration Manager site database to retrieve data.

Before you can install the reporting services point in a Configuration Manager site,
install and configure SQL Server Reporting Services on the target site system. For more
information, see Install SQL Server Reporting Services.

Verify SQL Server Reporting Services installation


Use the following procedure to verify that SQL Server Reporting Services is installed and
running correctly.
1. Go to the Start menu on the site system, and open Report Server Configuration
Manager. You may find it in the Configuration Tools section of the Microsoft SQL
Server group.

2. In the Reporting Services Configuration Connection window, enter the name of
the server that hosts SQL Server Reporting Services. Select the instance of SQL
Server on which you installed SQL Server Reporting Services. Then select Connect
to open Reporting Services Configuration Manager.

3. On the Report Server Status page, verify that Report Service Status is Started. If
it's not in this state, select Start.

4. On the Web Service URL page, select the URL in Report Service Web Service
URLs. This action tests the connection to the report folder. The browser might
prompt you for credentials. Verify that the webpage opens successfully.

5. On the Database page, verify that the Report Server Mode is set to Native.

6. On the Report Manager URL page, select the URL in Report Manager Site
Identification. This action tests the connection to the virtual directory for Report
Manager. The browser might prompt you for credentials. Verify that the webpage
opens successfully.

Note

Reporting in Configuration Manager doesn't require Reporting Services
Report Manager. You only need it if you want to run reports in the browser or
manage reports by using Report Manager.

7. Select Exit to close Reporting Services Configuration Manager.

Configure reporting to use Report Builder 3.0


1. On the computer running the Configuration Manager console, open the Windows
Registry Editor.

2. Browse to
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ConfigMgr10\AdminUI\Reporting.

3. Open the ReportBuilderApplicationManifestName key to edit the value data.

4. Change the value to ReportBuilder_3_0_0_0.application, and then select OK to
save.

5. Close the Windows Registry Editor.

Install a reporting services point


To manage reports at the site, install the reporting services point. The reporting services
point:

Copies report folders and reports to SQL Server Reporting Services

Applies the security policy for the reports and folders

Sets configuration settings in Reporting Services

Requirements and limitations


Before you can view or manage reports in the Configuration Manager console, you need
a reporting services point. Configure this site system role on a server with Microsoft SQL
Server Reporting Services. For more information, see Prerequisites for reporting.

When you select a site to install the reporting services point, users who will access
the reports must be in the same security scope as the site where you install the
role.

After you install a reporting services point on a site system, don't change the URL
for the report server.

For example, you create the reporting services point. You then modify the URL for
the report server in Reporting Services Configuration Manager. The Configuration
Manager console continues to use the old URL. You can't run, edit, or create
reports from the console.

If you need to change the report server URL, first remove the existing reporting
services point. Change the URL, and then reinstall the reporting services point.

When you install a reporting services point, specify a Reporting services point
account. For users from a different domain to run a report, create a two-way trust
between domains. Otherwise the report fails to run.

Install the reporting services point on a site system


For more information about configuring site systems, see Install site system roles.
1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and then select the Servers and Site System Roles
node.

2. Add the reporting services point to a new or existing site system server:

New site system: On the Home tab of the ribbon, in the Create group, select
Create Site System Server. The Create Site System Server Wizard opens.

Existing site system: Select the target server. On the Home tab of the ribbon,
in the Server group, select Add Site System Role. The Add Site System Roles
Wizard opens.

3. On the General page, specify the general settings for the site system server. When
you add the reporting services point to an existing server, verify the values that
you previously configured.

4. On the System Role Selection page, select Reporting services point in the list of
available roles, and then select Next.

5. On the Reporting services point page, configure the following settings:

Site database server name: Specify the name of the server that hosts the
Configuration Manager site database. The wizard typically retrieves the fully
qualified domain name (FQDN) for the server. To specify a database instance,
use the format <server name>\<instance name>. For example,
sqlserver\named1.

Database name: Specify the Configuration Manager site database name.


Select Verify to confirm that the wizard has access to the site database.

Important

The user account you use to create the reporting services point must
have Read access to the site database. If the connection test fails, a red
warning icon appears. Contextual hover text on the icon has the details
of the failure. Correct the failure, and then select Test again.

Folder name: Specify the folder name to create and use for Configuration
Manager reports in Reporting Services.

Reporting Services server instance: Select the instance of SQL Server for
Reporting Services. If this page doesn't list any instances, verify that SQL
Server Reporting Services is installed, configured, and started.
Important

Configuration Manager makes a connection in the context of the current
user to WMI on the selected site system. It uses this connection to
retrieve the instance of SQL Server for Reporting Services. The current
user must have Read access to WMI on the site system, or the wizard
can't get the Reporting Services instances.

Reporting services point account: Select Set, and then select an account to
use. SQL Server Reporting Services on the reporting services point uses this
account to connect to the Configuration Manager site database. This
connection is to retrieve the data for a report. Select Existing account to
specify a Windows user account that you previously configured as a
Configuration Manager account. Select New account to specify a Windows
user account that's not currently configured for use. Configuration Manager
automatically grants the specified user access to the site database.

The account that runs Reporting Services must belong to the domain local
security group Windows Authorization Access Group. This grants the
account Allow Read permissions on the tokenGroupsGlobalAndUniversal
attribute for all user objects within the domain. Users in a different domain
than the reporting services point account need a two-way trust between the
domains to successfully run reports.

The specified Windows user account and password are encrypted and stored
in the Reporting Services database. Reporting Services retrieves the data for
reports from the site database by using this account and password.

Important

The account that you specify must have the Log on locally permission
on the server that hosts the Reporting Services database.

6. Complete the wizard.

After the wizard completes, Configuration Manager creates the report folders in
Reporting Services. It then copies its reports to the specified report folders.

Tip

To list only site systems that host the reporting services point site role, right-click
Servers and Site System Roles, and select Reporting services point.

Languages for reports


When Configuration Manager creates report folders and copies reports to the report
server, it determines the appropriate language for the objects.

Create report folders, copy reports

Create objects using locale of the site server OS

If the specific language pack isn't available, default to English (ENU)

View reports in a web browser

Folder and report names: the same locale as the site server

Report contents: dynamic based on the browser locale

View reports in the Configuration Manager console

Folder and report names: dynamic based on the locale of the console

Report contents: dynamic based on the locale of the console

When you install a reporting services point on a site without language packs, the reports
are installed in English. If you install a language pack after you install the reporting
services point, you must uninstall and reinstall the reporting services point for the
reports to be available in the appropriate language pack language.

For more information, see Language packs.

File installation and report folder security rights


Configuration Manager does the following actions to install the reporting services point
and to configure Reporting Services:

Important

The site does these actions in the context of the account that's configured for the
SMS_Executive service. Typically, this account is the site server local System account.

Install the reporting services point site role.


Create the data source in Reporting Services with the stored credentials that you
specified in the wizard. This account is the Windows user account and password
that Reporting Services uses to connect to the site database when you run reports.

Create the Configuration Manager root folder in Reporting Services.

Add the ConfigMgr Report Users and ConfigMgr Report Administrators security
roles in Reporting Services.

Create subfolders, and then deploy Configuration Manager reports from
%ProgramFiles%\SMS_SRSRP on the site server to Reporting Services.

Add the ConfigMgr Report Users role in Reporting Services to the root folders for
all user accounts in Configuration Manager that have Site Read rights.

Add the ConfigMgr Report Administrators role in Reporting Services to the root
folders for all user accounts in Configuration Manager that have Site Modify
rights.

Retrieve the mapping between report folders and Configuration Manager secured
object types. Configuration Manager maintains this map in the site database.

Configure the following rights for administrative users in Configuration Manager to
specific report folders in Reporting Services:

Add users and assign the ConfigMgr Report Users role to the associated report
folder for administrative users who have Run Report permissions for the
Configuration Manager object.

Add users and assign the ConfigMgr Report Administrators role to the
associated report folder for administrative users who have Modify Report
permissions for the Configuration Manager object.

Configuration Manager connects to Reporting Services and sets the permissions for
users on the Configuration Manager and Reporting Services root folders and specific
report folders. After the initial installation of the reporting services point, Configuration
Manager connects to Reporting Services every 10 minutes to verify that the user rights
configured on the report folders are the associated rights that are set for Configuration
Manager users. When users are added or user rights are modified on the report folder
by using Reporting Services Report Manager, Configuration Manager overwrites those
changes by using the role-based assignments stored in the site database. Configuration
Manager also removes users that don't have Reporting rights in Configuration Manager.
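The rights mapping and the periodic reconciliation described above, modeled as an added PowerShell example that is not part of the documentation or of Configuration Manager itself: it derives the folder assignments the site expects from Configuration Manager rights and lists what the site would add, change, or remove in Reporting Services. The root folder name, the object-type-to-folder map, and the user accounts are constructed for the example.

```powershell
# Added example; not Configuration Manager code. Models the rights-to-role mapping the
# reporting services point enforces on Reporting Services folders and the drift it corrects.
# Folder paths, object types, and user names below are constructed.

function Add-ReportRole {
    param([hashtable]$Policy, [string]$Folder, [string]$User, [string]$Role)
    if (-not $Policy.ContainsKey($Folder)) { $Policy[$Folder] = @{} }
    # An existing Report Administrators assignment is never downgraded to Report Users.
    if ($Policy[$Folder][$User] -eq 'ConfigMgr Report Administrators') { return }
    $Policy[$Folder][$User] = $Role
}

function Get-ExpectedReportPolicy {
    param(
        [Parameter(Mandatory)][string]$RootFolder,      # Configuration Manager root folder in Reporting Services
        [Parameter(Mandatory)][hashtable]$FolderMap,    # secured object type -> report folder (the site keeps this map)
        [Parameter(Mandatory)][hashtable[]]$AdminUsers  # Name, SiteRead, SiteModify, RunReport, ModifyReport
    )
    $expected = @{}   # folder -> @{ user -> role }
    foreach ($u in $AdminUsers) {
        # Root folder: Site Modify -> Report Administrators, Site Read -> Report Users.
        if ($u.SiteModify)   { Add-ReportRole $expected $RootFolder $u.Name 'ConfigMgr Report Administrators' }
        elseif ($u.SiteRead) { Add-ReportRole $expected $RootFolder $u.Name 'ConfigMgr Report Users' }
        # Object folders: Modify Report -> Report Administrators, Run Report -> Report Users.
        foreach ($type in @($u.ModifyReport) + @($u.RunReport) | Where-Object { $_ } | Sort-Object -Unique) {
            if (-not $FolderMap.ContainsKey($type)) { throw "No report folder is mapped for object type '$type'." }
            $role = if ($u.ModifyReport -contains $type) { 'ConfigMgr Report Administrators' } else { 'ConfigMgr Report Users' }
            Add-ReportRole $expected $FolderMap[$type] $u.Name $role
        }
    }
    return $expected
}

function Compare-ReportFolderPolicy {
    param([Parameter(Mandatory)][hashtable]$Expected, [Parameter(Mandatory)][hashtable]$Actual)
    $actions = @()
    foreach ($folder in @($Expected.Keys) + @($Actual.Keys) | Sort-Object -Unique) {
        $want = if ($Expected.ContainsKey($folder)) { $Expected[$folder] } else { @{} }
        $have = if ($Actual.ContainsKey($folder))   { $Actual[$folder] }   else { @{} }
        foreach ($user in $want.Keys) {
            if (-not $have.ContainsKey($user)) {
                $actions += [pscustomobject]@{ Folder = $folder; User = $user; Action = 'Add';    Role = $want[$user] }
            } elseif ($have[$user] -ne $want[$user]) {
                $actions += [pscustomobject]@{ Folder = $folder; User = $user; Action = 'Change'; Role = $want[$user] }
            }
        }
        foreach ($user in $have.Keys) {
            # Present in Reporting Services without matching Configuration Manager rights: removed.
            if (-not $want.ContainsKey($user)) {
                $actions += [pscustomobject]@{ Folder = $folder; User = $user; Action = 'Remove'; Role = $have[$user] }
            }
        }
    }
    return $actions
}

# Constructed sample: the map the site would hold for two object types.
$folderMap = @{
    'Task Sequence Package' = '/ConfigMgr_PS1/Task Sequence - Deployments'
    'Software Updates'      = '/ConfigMgr_PS1/Software Updates'
}
# Constructed sample: rights as configured in Configuration Manager.
$adminUsers = @(
    @{ Name = 'CONTOSO\alice'; SiteRead = $true; SiteModify = $true;  RunReport = @(); ModifyReport = @('Task Sequence Package') },
    @{ Name = 'CONTOSO\bob';   SiteRead = $true; SiteModify = $false; RunReport = @('Task Sequence Package', 'Software Updates'); ModifyReport = @() }
)
# Constructed sample: what Reporting Services holds after manual edits in Report Manager
# (bob was promoted on the task sequence folder; mallory was added by hand to the root).
$actual = @{
    '/ConfigMgr_PS1' = @{
        'CONTOSO\alice'   = 'ConfigMgr Report Administrators'
        'CONTOSO\bob'     = 'ConfigMgr Report Users'
        'CONTOSO\mallory' = 'ConfigMgr Report Users'
    }
    '/ConfigMgr_PS1/Task Sequence - Deployments' = @{ 'CONTOSO\bob' = 'ConfigMgr Report Administrators' }
}

$expected = Get-ExpectedReportPolicy -RootFolder '/ConfigMgr_PS1' -FolderMap $folderMap -AdminUsers $adminUsers
# Lists: Add alice as administrator on the task sequence folder, change bob back to Report Users
# there, add bob as Report Users on the software updates folder, and remove mallory from the root.
Compare-ReportFolderPolicy -Expected $expected -Actual $actual | Format-Table -AutoSize
```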

Reporting Services security roles


When Configuration Manager installs the reporting services point, it adds the following
security roles in Reporting Services:

ConfigMgr Report Users: Users assigned with this security role can only run
Configuration Manager reports.

ConfigMgr Report Administrators: Users assigned with this security role can do all
tasks related to reporting in Configuration Manager.

Verify installation
Verify the installation of the reporting services point by looking at specific status
messages and log file entries. Use the following procedure to verify that the reporting
services point installation was successful.

Note

If you see reports in the Reports subfolder of the Reporting node in the
Monitoring workspace in the Configuration Manager console, you can skip this
procedure.

Verify installation by status message


1. In the Configuration Manager console, go to the Monitoring workspace, expand
System Status, and select the Component Status node.

2. Select the SMS_SRS_REPORTING_POINT component.

3. On the Home tab of the ribbon, in the Component group, select Show Messages,
and then choose All.

4. Specify a date and time for a period before you installed the reporting services
point, and then select OK.

5. Verify status message ID 1015. This status message indicates that the reporting
services point was successfully installed.

Verify installation by log file


Open the Srsrp.log file, located in the Logs directory of the Configuration Manager
installation path. Look for the string Installation was successful.

Step through this log file starting from the time that the reporting services point was
successfully installed. Verify that the report folders were created, the reports were
deployed, and the security policy on each folder was confirmed. After the last line of
security policy confirmations, look for the string Successfully checked that the SRS web
service is healthy on server.
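The log check above as an added PowerShell example (not from the documentation): it reads Srsrp.log in its CMTrace line format, finds the installation entry, and only then looks for the web service health entry, returning the timestamps of both. The two sample log lines are constructed; the log path is a placeholder.

```powershell
# Added example; not from the documentation. Scans Srsrp.log for the two entries the
# verification procedure names and reports when each was logged. Sample lines are constructed.

function Test-SrsrpInstallation {
    param(
        [string]$Path,      # e.g. <Configuration Manager install path>\Logs\Srsrp.log (placeholder)
        [string[]]$Lines    # alternatively, pass log lines directly
    )
    if ($Path) { $Lines = Get-Content -LiteralPath $Path }
    $installed = $null
    $healthy   = $null
    $server    = $null
    # CMTrace line format: <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="MM-dd-yyyy" ...>
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $msg   = $Matches['msg']
            $stamp = '{0} {1}' -f $Matches['date'], $Matches['time']
            if (-not $installed) {
                # Entries before the install entry belong to an earlier attempt; ignore them.
                if ($msg -like 'Installation was successful*') { $installed = $stamp }
                continue
            }
            if ($msg -match '^Successfully checked that the SRS web service is healthy on server\s*(?<srv>\S*)') {
                $healthy = $stamp           # keep the last health check after the install
                $server  = $Matches['srv']
            }
        }
    }
    [pscustomobject]@{
        InstallLogged     = $installed
        HealthCheckLogged = $healthy
        ReportServer      = $server
        Healthy           = [bool]($installed -and $healthy)
    }
}

# Constructed sample lines in CMTrace format (the component name is the one the page cites).
$sampleLog = @(
    '<![LOG[Installation was successful.]LOG]!><time="10:15:02.000+000" date="10-04-2022" component="SMS_SRS_REPORTING_POINT" context="" type="1" thread="4321" file="">',
    '<![LOG[Successfully checked that the SRS web service is healthy on server SRS01.contoso.com]LOG]!><time="10:15:40.000+000" date="10-04-2022" component="SMS_SRS_REPORTING_POINT" context="" type="1" thread="4321" file="">'
)
Test-SrsrpInstallation -Lines $sampleLog    # Healthy = True, ReportServer = SRS01.contoso.com
```

On a real site system, call `Test-SrsrpInstallation -Path '<install path>\Logs\Srsrp.log'` instead of passing sample lines.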

Configure a certificate to author reports


There are many options for you to author reports in SQL Server Reporting Services.
When you create or edit reports in the Configuration Manager console, Configuration
Manager opens Report Builder to use as the authoring environment. Regardless of how
you author your Configuration Manager reports, you need a self-signed certificate for
server authentication to the site database server.

Note

For more information about authoring reports with SQL Server Reporting Services,
see Report Builder authoring environment.

Configuration Manager automatically installs the certificate on the site server and any
SMS Provider roles. You can create or edit reports from the Configuration Manager
console when you run it from one of these servers.

When you create or modify reports from a Configuration Manager console on a
different computer, export the certificate from the site server. The specific certificate's
friendly name is the FQDN of the site server in the Trusted People certificate store for
the local computer. Add this certificate to the Trusted People certificate store on the
computer that runs the Configuration Manager console.
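The export and import described above as an added PowerShell example (not from the documentation): on the site server it locates the certificate by its friendly name in the local computer's Trusted People store and writes only the public certificate to a .cer file; on the console computer it verifies the file's thumbprint against the one recorded on the site server before importing it into Trusted People. The server name and file paths are placeholders.

```powershell
# Added example; not Configuration Manager code. Moves the site server's report authoring
# certificate to a console computer's Trusted People store. Names and paths are placeholders.

function Export-SiteServerReportCert {
    param(
        [Parameter(Mandatory)][string]$SiteServerFqdn,   # the certificate's friendly name
        [Parameter(Mandatory)][string]$OutFile           # destination .cer file
    )
    $cert = Get-ChildItem -Path Cert:\LocalMachine\TrustedPeople |
        Where-Object { $_.FriendlyName -eq $SiteServerFqdn }
    if (-not $cert) { throw "No certificate with friendly name '$SiteServerFqdn' in Trusted People." }
    if (@($cert).Count -gt 1) { throw "Several certificates match '$SiteServerFqdn'; remove the stale one first." }
    # -Type CERT writes the public certificate only; the private key stays on the site server.
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null
    return $cert.Thumbprint   # record this and compare it on the console computer
}

function Import-SiteServerReportCert {
    param(
        [Parameter(Mandatory)][string]$CerFile,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    # Check the thumbprint before trusting the file so a swapped or stale .cer is rejected.
    $fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerFile
    if ($fileCert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch: file has $($fileCert.Thumbprint), expected $ExpectedThumbprint."
    }
    $existing = Get-ChildItem -Path Cert:\LocalMachine\TrustedPeople |
        Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
    if ($existing) { return 'AlreadyTrusted' }
    Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\TrustedPeople | Out-Null
    return 'Imported'
}

# On the site server (elevated):
#   $thumbprint = Export-SiteServerReportCert -SiteServerFqdn 'cm01.contoso.com' -OutFile 'C:\Temp\cm01-report.cer'
# On the console computer (elevated), after copying the .cer file and the thumbprint across:
#   Import-SiteServerReportCert -CerFile 'C:\Temp\cm01-report.cer' -ExpectedThumbprint $thumbprint
```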

Modify reporting services point settings


After you install this role, you can modify the site database connection and
authentication settings in the reporting services point properties.

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and then select the Servers and Site System Roles
node.

Tip

To list only site systems that host the reporting services point, right-click the
Servers and Site System Roles node, and select Reporting services point.

2. Select the site system that hosts the reporting services point. Then select the
Reporting services point site system role in the details pane.

3. On the Site Role tab of the ribbon, in the Properties group, select Properties.

4. You can modify the following settings in the Reporting Services Point Properties:

Site database server name

Database name

User account

5. Select OK to save the changes and close the properties.

For more information about these settings, see the descriptions in the section to Install
the reporting services point on a site system.

Power BI Report Server


Starting in version 2002, you can integrate reporting with Power BI Report Server. For
more information on configuring it, see Integrate with Power BI Report Server.

Upgrade SQL Server


To upgrade SQL Server and SQL Server Reporting Services, first remove the reporting
services point from the site. After you upgrade SQL Server, then reinstall the reporting
services point in Configuration Manager.

If you don't follow this process, you'll see errors when you run or edit reports from the
Configuration Manager console. You can continue to run and edit reports successfully
from a web browser.

Configure report options


You can select the default reporting services point that you use to manage reports. The
site can have more than one reporting services point, but it only uses the default server
to manage reports. Use the following procedure to configure report options for your
site.
1. In the Configuration Manager console, go to the Monitoring workspace, expand
Reporting, and then select the Reports node.

2. On the Home tab of the ribbon, in the Settings group, select Report Options.

3. Select the default report server in the list, and then select OK.

If it doesn't show any servers, verify that you installed and configured a reporting
services point in the site. For more information, see Verify installation.

Make sure your computer runs a version of SQL Server Report Builder that matches the
version of SQL Server that you use for your report server. Otherwise you'll see an error,
the default report server won't save, and you can't create or edit reports.

Next steps
Operations and maintenance for reporting

Operations and maintenance for reporting in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

After the infrastructure is in place for reporting in Configuration Manager, there are
many operations that you typically do to manage reports and subscriptions.

Note

This article focuses on reports in SQL Server Reporting Services. Starting in version
2002, you can integrate reporting with Power BI Report Server. For more
information, see Integrate with Power BI Report Server.

Run a report from Reporting Services


Configuration Manager stores its reports in SQL Server Reporting Services. The report
retrieves data from the Configuration Manager site database. You can access reports in
the Configuration Manager console or by using Report Manager via a web browser.
You can open reports from a web browser on any computer that can access the
reporting services point, provided the user has sufficient rights to view the reports. To
run reports, you need Read rights for the Site permission and the Run Report
permission for specific objects.

When you run a report, it displays the report title, description, and category in the
language of the local OS. For more information, see Languages for reports.

Note

Report Manager is a web-based report access and management tool. You can use it
to administer a single report server instance over an HTTPS connection. Use Report
Manager for operational tasks: view reports, modify report properties, and manage
associated report subscriptions. This article provides the steps to view a report and
modify report properties in Report Manager. For more information about other
options in Report Manager, see What is Report Manager?

Use the following procedures to run a Configuration Manager report.


Run a report in the Configuration Manager console
1. In the Configuration Manager console, go to the Monitoring workspace. Expand
Reporting, and then select Reports. This node lists the available reports.

Tip

If this node doesn't list any reports, verify that the reporting services point is
installed and configured. For more information, see Configure reporting.

2. Select the report that you want to run. On the Home tab of the ribbon, in the
Report Group section, select Run to open the report.

3. If there are required parameters, specify them and then select View Report.

Run a report in a web browser


1. In your web browser, go to the Report Manager URL, for example,
https://Server1/Reports. Find this address on the Report Manager URL page in
Reporting Services Configuration Manager.

2. In Report Manager, select the report folder for Configuration Manager, for
example, ConfigMgr_CAS.

Tip

If Report Manager doesn't list any reports, verify that the reporting services
point is installed and configured. For more information, see Configure
reporting.

3. Select the report category for the report that you want to run, and then select the
specific report. The report opens in Report Manager.

4. If there are required parameters, specify them and then select View Report.

Modify the properties of a report


Report properties include the report name and description. You can view the properties
for a report in the Configuration Manager console.

To change the properties, use Report Manager:


1. In your web browser, go to the Report Manager URL, for example,
https://Server1/Reports.

2. In Report Manager, select the report folder for Configuration Manager, for
example, ConfigMgr_CAS.

3. Select the report category, and then select the specific report. The report opens in
Report Manager.

4. Select the Properties tab. Modify the report name and description, and then select
Apply.

Report Manager saves the report properties on the report server. The Configuration
Manager console shows the updated report properties for the report.

Edit a report
When an existing Configuration Manager report doesn't retrieve the information that
you want, edit it in Report Builder. You can also use Report Builder to change the layout
or design of the report. While you can directly edit a default report, it's best to clone it.
Open the report to edit, and then select Save As.

To edit a report, you need Site Modify permission and Modify Report permissions on
the specific objects in the report.

Important

Site updates preserve built-in reports. If you modify a standard report, when the
site updates, it renames the report with an underscore prefix ( _ ). This behavior
makes sure that the site update doesn't overwrite the modified report by the
standard report.

If you modify predefined reports, before you install a site update, back up your
custom reports. After the update, restore the report in Reporting Services. If you make
significant changes to a predefined report, create a new report instead. New
reports that you create before you upgrade a site are not overwritten.

Use the following procedure to edit the properties for a Configuration Manager report.

1. In the Configuration Manager console, go to the Monitoring workspace. Expand
Reporting, and then select the Reports node.

2. Select the report that you want to modify. On the Home tab of the ribbon, in the
Report Group section, select Edit. It may prompt you to enter credentials. If Report
Builder isn't installed on the computer, Configuration Manager prompts you to
install it. Report Builder is required to modify and create reports.

3. In Report Builder, modify the appropriate report settings. Select Save to save the
report to the report server.

Create reports
There are two types of reports that you can create:

A model-based report lets you interactively select the items you want to include in
your report. For more information about creating custom report models, see
Create custom report models for Configuration Manager in SQL Server Reporting
Services.

A SQL-based report lets you retrieve data that's based on a report SQL statement.

Important

To create a new report, your account needs Site Modify permission. You can only
create a report in folders for which you have Modify Report permissions.

Create a model-based report


Use the following procedure to create a model-based Configuration Manager report.

1. In the Configuration Manager console, go to the Monitoring workspace, expand
Reporting, and select the Reports node.

2. On the Home tab of the ribbon, in the Create section, select Create Report. This
action opens the Create Report Wizard.

3. On the Information page, configure the following settings:

Type: Select Model-based Report.

Name: Specify a name for the report.

Description: Specify a description for the report.

Server: Displays the name of the report server where you create this report.
Path: Select Browse to specify a folder in which to store the report.

4. On the Model Selection page, select an available model in the list to create this
report. The Preview section displays the SQL Server views and entities that are
available in this report model.

5. Complete the Create Report Wizard.

6. Open Report Builder to configure the report settings. For more information, see
Edit a Configuration Manager report.

7. In Report Builder, create the report layout, select data in the available SQL Server
views, and add parameters to the report.

8. Select Run to run your report. Verify that the report provides the information that
you expect. If needed, select Design to modify the report further.

9. Select Save to save the report to the report server.

Create a SQL-based report

When you create a SQL statement for a custom report, don't directly reference SQL
Server tables. Always reference supported reporting SQL Server views from the site
database. These views have names that start with v_ . The views are the supported
interface to the site database; the underlying tables can change between site updates,
which breaks reports that query them directly. For more information, see
Creating custom reports by using SQL Server views in Configuration Manager.

You can also reference public stored procedures from the site database. These stored
procedures have names that start with sp_ .

Use the following procedure to create a SQL-based Configuration Manager report.

1. In the Configuration Manager console, go to the Monitoring workspace, expand
Reporting, and select the Reports node.

2. On the Home tab of the ribbon, in the Create section, select Create Report. This
action opens the Create Report Wizard.

3. On the Information page, configure the following settings:

Type: Select SQL-based Report.

Name: Specify a name for the report.

Description: Specify a description for the report.

Server: Displays the name of the report server where you create this report.
Path: Select Browse to specify a folder in which to store the report.

4. Complete the Create Report Wizard.

5. Open Report Builder to configure the report settings. For more information, see
Edit a Configuration Manager report.

6. In Report Builder, provide the SQL statement for the report. You can also build the
SQL statement by using columns in available views. If needed, add parameters to
the report.

7. Select Run to run your report. Verify that the report provides the information that
you expect. If needed, select Design to modify the report further.

8. Select Save to save the report to the report server.
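As an added example, not code from the original page, the following SQL statement is the kind you would paste into Report Builder in step 6. It follows the rule above by reading only v_ views: it lists the client computers in a collection together with their operating system and the time since the last boot. @CollectionID is a report parameter that Report Builder prompts for at run time, and the v_FullCollectionMembership and v_Collection views are assumed to exist in the site database (they are standard reporting views).

```sql
-- Added example for a SQL-based Configuration Manager report; not from the
-- original page. Only supported reporting views (v_*) are referenced, never
-- the underlying tables. @CollectionID is a report parameter supplied by
-- Report Builder at run time. The v_FullCollectionMembership and v_Collection
-- views are assumed to exist (standard reporting views in the site database).

-- Main dataset: managed clients in the selected collection, with OS details.
SELECT
    sys.Netbios_Name0                               AS ComputerName,
    sys.AD_Domain_Name0                             AS Domain,
    sys.Client_Version0                             AS ClientVersion,
    os.Caption0                                     AS OperatingSystem,
    os.Version0                                     AS OSVersion,
    os.LastBootUpTime0                              AS LastBootUpTime,
    DATEDIFF(day, os.LastBootUpTime0, GETDATE())    AS DaysSinceLastBoot
FROM v_R_System AS sys
INNER JOIN v_FullCollectionMembership AS fcm
    ON fcm.ResourceID = sys.ResourceID
LEFT JOIN v_GS_OPERATING_SYSTEM AS os
    ON os.ResourceID = sys.ResourceID        -- keep clients with no OS inventory yet
WHERE fcm.CollectionID = @CollectionID
  AND sys.Client0 = 1                        -- Configuration Manager client installed
  AND sys.Active0 = 1                        -- active record, not a stale discovery record
ORDER BY DaysSinceLastBoot DESC, sys.Netbios_Name0;

-- Parameter dataset: bind the @CollectionID prompt to this query so the user
-- picks a collection by name instead of typing an ID.
SELECT CollectionID, Name
FROM v_Collection
ORDER BY Name;
```

In Report Builder, use the first statement as the report's dataset query; Report Builder detects @CollectionID and creates the parameter. Add the second statement as a separate dataset and select it as the parameter's Available Values source. The LEFT JOIN matters for the security reading of the report: a client that has never returned operating system inventory still appears, with empty OS columns, instead of silently dropping out.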

Manage report subscriptions


Report subscriptions in SQL Server Reporting Services let you configure the automatic
delivery of specified reports by email or to a file share at scheduled intervals. To
configure report subscriptions, use the Create Subscription Wizard in Configuration
Manager.

Create a report subscription to deliver a report to a file share
When you create a report subscription to deliver a report to a file share, Reporting
Services copies the report in the specified format to the file share that you specify. You
can subscribe to and request delivery for only one report at a time.

When you create a subscription that uses a file share, specify an existing shared folder
as the destination. The report server doesn't create the folder or network share. When
you specify the destination folder in a subscription, use a UNC path and don't include
trailing backslashes ( \ ) in the folder path. The following example is a valid UNC path for
the destination folder: \\server\reportfiles\operations\2001.

Note

When you create the subscription, you specify a user name and password. This
account needs access to this share with Write permissions to the destination folder.
The report server stores these credentials with the subscription, so use a dedicated
account that has write access to the destination folder and no other rights.

Reporting Services can render reports in different file formats. For example, MHTML or
Excel. You select the format when you create the subscription. Although you can select
any supported rendering format, some formats work better than others when rendering
to a file.

Limitations for report subscriptions to a file share


The following list includes the limitations of report subscriptions to a file share:

Unlike reports that you host and manage on a report server, Reporting Services
delivers reports to a shared folder as static files.

Interactive features of the report don't work for reports stored as files. The report
represents any interactive features as static elements.

If the report includes charts, it uses the default presentation.

If the report links through to another report, it renders the link as static text.

If you want to keep interactive features in a delivered report, use email delivery. For
more information, see Create a report subscription to deliver a report by email.

Process to create a report subscription for a file share


Use the following procedure to create a report subscription to deliver a report to a file
share.

1. In the Configuration Manager console, go to the Monitoring workspace, expand
Reporting, and select the Reports node.

2. Select a report folder, then select the report to which you want to subscribe. On
the Home tab of the ribbon, in the Report Group section, select Create
Subscription. This action opens the Create Subscription Wizard.

3. On the Subscription Delivery page, configure the following settings:

Report delivered by: Select Windows File Share.

File Name: Specify the file name for the report. By default, the report file
doesn't include a file name extension. Select Add file extension when
created to automatically add a file name extension based on the format.

Path: Specify a UNC path to an existing folder where you want to deliver this
report. For example, \\server\reportfiles\operations.

Render Format: Select one of the following formats for the report file:
XML file with report data
CSV (comma delimited)
TIFF file
Acrobat (PDF) file
HTML 4.0
MHTML (web archive)
RPL Renderer (Report Page Layout)
Excel
Word

Note

If your report has images, the HTML 4.0 format doesn't include them.

User Name: Specify a Windows user account with write permissions to the
specified Path.

Password: Specify the password for the above Windows user account.

Overwrite option: Select one of the following options to configure the
behavior when a file of the same name exists in the destination folder:
Overwrite an existing file with a newer version
Do not overwrite an existing file
Increment file names as newer versions are added: This option appends a
number to the new report's file name to distinguish it from earlier
versions.

Description: Optionally, specify additional information about this report
subscription.

4. On the Subscription Schedule page, select one of the following delivery schedule
options for the report subscription:

Use shared schedule: A shared schedule is a previously defined schedule that
can be used by other report subscriptions. When you select this option, also
select a shared schedule. If there are no shared schedules, select the option
to create a new schedule.

Create new schedule: Configure the schedule on which this report runs. The
schedule includes the interval, start time and date, and the end date for this
subscription. By default, a new subscription creates a new schedule to run
every hour starting at the current date and time.

5. On the Subscription Parameters page, specify any parameters that this report
requires to run unattended. If the report has no parameters, the wizard doesn't
display this page.

6. Complete the wizard.

7. Verify that Configuration Manager successfully created the report subscription.
Select the Subscriptions node to view and modify report subscriptions.

Create a report subscription to deliver a report by email


When you create a report subscription to deliver a report by email, Reporting Services
sends an email to the recipients that you configure. The email includes the report as an
attachment. The report server doesn't validate email addresses or get them from an
email server. You can email reports to any valid email account within or outside of your
organization, so review the recipient list carefully: reports can contain inventory and
user data that shouldn't leave the organization.

Note

To enable the Email subscription option, you need to configure the email settings
in Reporting Services. For more information, see Email delivery in reporting
services.

You can select one or both of the following email delivery options:

Send a notification with a link to the generated report.

Send an embedded or attached report. The rendering format and browser
determine whether it embeds or attaches the report.
If your browser supports HTML 4.0 and MHTML, and you select the MHTML
(web archive) format, the email embeds the report in the message.
All other formats deliver reports as attachments.
Reporting Services doesn't check the size of the attachment or message before
it sends the report. If the attachment or message exceeds the maximum limit
allowed by your mail server, the report isn't delivered.

Use the following procedure to create a report subscription to deliver a report by using
email.

1. In the Configuration Manager console, go to the Monitoring workspace, expand
Reporting, and select the Reports node.

2. Select a report folder, then select the report to which you want to subscribe. On
the Home tab of the ribbon, in the Report Group section, select Create
Subscription. This action opens the Create Subscription Wizard.

3. On the Subscription Delivery page, configure the following settings:

Report delivered by: Select E-mail.

To: Specify a valid email address as the recipient.

Note

To enter multiple recipients, separate each email address with a
semicolon ( ; ).

Cc: Optionally, specify an email address to receive a copy of this report.

Bcc: Optionally, specify an email address to receive a blind copy of this
report.

Reply To: Specify the reply address. If the recipient replies to the email
message, the reply goes to this address.

Subject: Specify a subject line for the subscription email message.

Priority: Select the priority flag for this email message: Low, Normal, or High.
Microsoft Exchange uses this flag to indicate the importance of the email
message.

Comment: Specify text for the body of the subscription email message.

Description: Optionally, specify additional information about this report
subscription.

Include Link: Include the URL for this report in the body of the email
message.

Include Report: Attach the report to the email message. Use the Render
Format option to specify the report format to attach.

Render Format: Select one of the following formats for the attached report
file:
XML file with report data
CSV (comma delimited)
TIFF file
Acrobat (PDF) file
MHTML (web archive)
Excel
Word

4. On the Subscription Schedule page, select one of the following delivery schedule
options for the report subscription:

Use shared schedule: A shared schedule is a previously defined schedule that
can be used by other report subscriptions. When you select this option, also
select a shared schedule. If there are no shared schedules, select the option
to create a new schedule.

Create new schedule: Configure the schedule on which this report runs. The
schedule includes the interval, start time and date, and the end date for this
subscription. By default, a new subscription creates a new schedule to run
every hour starting at the current date and time.

5. On the Subscription Parameters page, specify any parameters that this report
requires to run unattended. If the report has no parameters, the wizard doesn't
display this page.

6. Complete the wizard.

7. Verify that Configuration Manager successfully created the report subscription.
Select the Subscriptions node to view and modify report subscriptions.

Favorites
Configuration Manager ships with several hundred reports by default, and you may have
added more to that list. Instead of continually searching for reports you commonly use,
starting in version 2103, you can make a report a favorite. This action allows you to
quickly access it from the new Favorites node.

The list of favorites is per user, not per site or hierarchy.

Prerequisites for report favorites


The version of SQL Server Reporting Services on the site's reporting service point needs
to be SQL Server 2017 or later.

Note

All instances of SQL Server Reporting Services on the server need to be version
2017 or later.

Add a favorite
1. In the Configuration Manager console, go to the Monitoring workspace. Expand
the Reporting node, and select either the Reports or Power BI Reports node.

2. Select a report that you frequently use. Then in the ribbon, select Add to Favorites.
The report's icon changes to a yellow star, which indicates that it's a favorite.

Tip

You can select more than one report to add them all as favorites.

To remove a report from the list of favorites, select it, and then select Remove
from Favorites. When you remove a favorite, Configuration Manager doesn't
delete the report.

3. Under the Reporting node, expand the new Favorites node. To view your list of
favorites, select either the Reports or Power BI Reports node.

Tip

You can directly connect to your favorite reports in your browser. For example,
https://rsp.contoso.com/Reports/favorites.

You can manage reports from the Favorites list in the same way as from the Reports node.
Creating custom report models for Configuration Manager in SQL Server Reporting Services
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Sample report models are included in Configuration Manager, but you can also define
report models to meet your own business requirements, and then deploy the report
model to Configuration Manager to use when you create new model-based reports. The
following table provides the steps to create and deploy a basic report model.

Note

For the steps to create a more advanced report model, see the Steps for Creating
an Advanced Report Model in SQL Server Reporting Services section in this topic.

Step 1: Verify that SQL Server Business Intelligence Development Studio is installed
Report models are designed and built by using SQL Server Business Intelligence
Development Studio. Verify that SQL Server Business Intelligence Development Studio is
installed on the computer on which you are creating the custom report model.
More information: For more information about SQL Server Business Intelligence
Development Studio, see the SQL Server 2008 documentation.

Step 2: Create a report model project
A report model project contains the definition of the data source (a .ds file), the
definition of a data source view (a .dsv file), and the report model (an .smdl file).
More information: See the To create the report model project section in this topic.

Step 3: Define a data source for a report model
After creating a report model project, you have to define one data source from which
you extract business data. Typically, this is the Configuration Manager site database.
More information: See the To define the data source for the report model section in
this topic.

Step 4: Define a data source view for a report model
After defining the data sources that you use in your report model project, the next step
is to define a data source view for the project. A data source view is a logical data
model based on one or more data sources. Data source views encapsulate access to the
physical objects, such as tables and views, contained in underlying data sources. SQL
Server Reporting Services generates the report model from the data source view.
Data source views facilitate the model design process by providing you with a useful
representation of the data that you specified. Without changing the underlying data
source, you can rename tables and fields, and add aggregate fields and derived tables
in a data source view. For an efficient model, add only those tables to the data source
view that you intend to use.
More information: See the To define the data source view for the report model section
in this topic.

Step 5: Create a report model
A report model is a layer on top of a database that identifies business entities, fields,
and roles. When published, by using these models, Report Builder users can develop
reports without having to be familiar with database structures or understand and write
queries. Models are composed of sets of related report items that are grouped together
under a friendly name, with predefined relationships between these business items and
with predefined calculations. Models are defined by using an XML language called
Semantic Model Definition Language (SMDL). The file name extension for report model
files is .smdl.
More information: See the To create the report model section in this topic.

Step 6: Publish a report model
To build a report by using the model that you just created, you must publish it to a
report server. The data source and data source view are included in the model when it
is published.
More information: See the To publish the report model for use in SQL Server Reporting
Services section in this topic.

Step 7: Deploy the report model to Configuration Manager
Before you can use a custom report model in the Create Report Wizard to create a
model-based report, you must deploy the report model to Configuration Manager.
More information: See the To deploy the custom report model to Configuration Manager
section in this topic.

Steps for creating a basic report model in SQL Server Reporting Services
You can use the following procedures to create a basic report model that users in your
site can use to build particular model-based reports based on data in a single view of
the Configuration Manager database. You create a report model that presents
information about the client computers in your site to the report author. This
information is taken from the v_R_System view in the Configuration Manager database.

On the computer where you perform these procedures, ensure that you have installed
SQL Server Business Intelligence Development Studio and that the computer has
network connectivity to the reporting services point server. For detailed information
about SQL Server Business Intelligence Development Studio, see the SQL Server 2008
documentation.

To create the report model project


1. On the desktop, click Start, click Microsoft SQL Server 2008, and then click SQL
Server Business Intelligence Development Studio.

2. After SQL Server Business Intelligence Development Studio opens in Microsoft
Visual Studio, click File, click New, and then click Project.

3. In the New Project dialog box, select Report Model Project in the Templates list.

4. In the Name box, specify a name for this report model. For this example, type
Simple_Model.

5. To create the report model project, click OK.


6. The Simple_Model solution is displayed in Solution Explorer.

Note

If you cannot see the Solution Explorer pane, click View, and then click
Solution Explorer.

To define the data source for the report model


1. In the Solution Explorer pane of SQL Server Business Intelligence Development
Studio, right-click Data Sources to select Add New Data Source.

2. On the Welcome to the Data Source Wizard page, click Next.

3. On the Select how to define the connection page, verify that Create a data source
based on an existing or new connection is selected, and then click New.

4. In the Connection Manager dialog box, specify the following connection
properties for the data source:

Server name: Type the name of your Configuration Manager site database
server, or select it in the list. If you are working with a named instance instead
of the default instance, type <database server>\<instance name>.

Select Use Windows Authentication.

In the Select or enter a database name list, select the name of your
Configuration Manager site database.

5. To verify the database connection, click Test Connection.

6. If the connection succeeds, click OK to close the Connection Manager dialog box.
If the connection does not succeed, verify that the information you entered is
correct, and then click Test Connection again.

7. On the Select how to define the connection page, verify that Create a data source
based on an existing or new connection is selected, verify that the data source
you have just specified is selected in Data connections, and then click Next.

8. In Data source name, specify a name for the data source, and then click Finish. For
this example, type Simple_Model.

9. The data source Simple_Model.ds is now displayed in Solution Explorer under the
Data Sources node.

Note

To edit the properties of an existing data source, double-click the data source
in the Data Sources folder of the Solution Explorer pane to display the data
source properties in Data Source Designer.

To define the data source view for the report model


1. In Solution Explorer, right-click Data Source Views to select Add New Data
Source View.

2. On the Welcome to the Data Source View Wizard page, click Next. The Select a
Data Source page is displayed.

3. In the Relational data sources window, verify that the Simple_Model data source is
selected, and then click Next.

4. On the Select Tables and Views page, select the following view in the Available
objects list to be used in the report model: v_R_System (dbo).

Tip

To help locate views in the Available objects list, click the Name heading at
the top of the list to sort the objects in alphabetical order.

5. After selecting the view, click > to transfer the object to the Included objects list.

6. If the Name Matching page is displayed, accept the default selections, and click
Next.

7. When you have selected the objects that you require, click Next, and then specify a
name for the data source view. For this example, type Simple_Model.

8. Click Finish. The Simple_Model.dsv data source view is displayed in the Data
Source Views folder of Solution Explorer.

To create the report model


1. In Solution Explorer, right-click Report Models to select Add New Report Model.

2. On the Welcome to the Report Model Wizard page, click Next.


3. On the Select Data Source Views page, select the data source view in the
Available data source views list, and then click Next. For this example, select
Simple_Model.dsv.

4. On the Select report model generation rules page, accept the default values, and
then click Next.

5. On the Collect Model Statistics page, verify that Update model statistics before
generating is selected, and then click Next.

6. On the Completing the Wizard page, specify a name for the report model. For this
example, verify that Simple_Model is displayed.

7. To complete the wizard and create the report model, click Run.

8. To exit the wizard, click Finish. The report model is shown in the Design window.

To publish the report model for use in SQL Server Reporting Services

1. In Solution Explorer, right-click the report model to select Deploy. For this
example, the report model is Simple_Model.smdl.

2. Examine the deployment status at the lower left corner of the SQL Server Business
Intelligence Development Studio window. When the deployment has finished,
Deploy Succeeded is displayed. If the deployment fails, the reason for the failure is
displayed in the Output window. The new report model is now available on your
SQL Server Reporting Services website.

3. Click File, click Save All, and then close SQL Server Business Intelligence
Development Studio.

To deploy the custom report model to Configuration Manager

1. Locate the folder in which you created the report model project. For example,
%USERPROFILE%\Documents\Visual Studio 2008\Projects\<Project Name>.

2. Copy the following files from the report model project folder to a temporary folder
on your computer:

<Model Name>.dsv

<Model Name>.smdl


3. Open the preceding files by using a text editor, such as Notepad.

4. In the file <Model Name>.dsv, locate the first line of the file, which reads as
follows:

<DataSourceView xmlns="http://schemas.microsoft.com/analysisservices/2003/engine">

Edit this line to read as follows:

<DataSourceView xmlns="http://schemas.microsoft.com/analysisservices/2003/engine" xmlns:xsi="RelationalDataSourceView">

5. Copy the entire contents of the file to the Windows Clipboard.

6. Close the file <Model Name>.dsv.

7. In the file <Model Name>.smdl, locate the last three lines of the file, which appear
as follows:

</Entity>

</Entities>

</SemanticModel>

8. Paste the contents of the file <Model Name>.dsv directly before the last line of the
file (</SemanticModel>).

9. Save and close the file <Model Name>.smdl.

10. Copy the file <Model Name>.smdl to the folder %programfiles%\Microsoft
Configuration Manager\AdminConsole\XmlStorage\Other on the Configuration
Manager site server.

Important

After copying the report model file to the Configuration Manager site server,
you must exit and restart the Configuration Manager console before you can
use the report model in the Create Report Wizard.

Steps for Creating an Advanced Report Model in SQL Server Reporting Services
You can use the following procedures to create an advanced report model that users in
your site can use to build particular model-based reports based on data in multiple
views of the Configuration Manager database. You create a report model that presents
information about the client computers and the operating system installed on these
computers to the report author. This information is taken from the following views in
the Configuration Manager database:

V_R_System: Contains information about discovered computers and the
Configuration Manager client.

V_GS_OPERATING_SYSTEM: Contains information about the operating system
installed on the client computer.

Selected items from the preceding views are consolidated into one list, given
friendly names, and then presented to the report author in Report Builder for
inclusion in particular reports.

On the computer where you perform these procedures, ensure that you have
installed SQL Server Business Intelligence Development Studio and that the
computer has network connectivity to the reporting services point server. For
detailed information about SQL Server Business Intelligence Development Studio,
see the SQL Server documentation.

To create the report model project


1. On the desktop, click Start, click Microsoft SQL Server 2008, and then click SQL
Server Business Intelligence Development Studio.

2. After SQL Server Business Intelligence Development Studio opens in Microsoft
Visual Studio, click File, click New, and then click Project.

3. In the New Project dialog box, select Report Model Project in the Templates list.

4. In the Name box, specify a name for this report model. For this example, type
Advanced_Model.

5. To create the report model project, click OK.

6. The Advanced_Model solution is displayed in Solution Explorer.


Note

If you cannot see the Solution Explorer pane, click View, and then click
Solution Explorer.

To define the data source for the report model


1. In the Solution Explorer pane of SQL Server Business Intelligence Development
Studio, right-click Data Sources to select Add New Data Source.

2. On the Welcome to the Data Source Wizard page, click Next.

3. On the Select how to define the connection page, verify that Create a data source
based on an existing or new connection is selected, and then click New.

4. In the Connection Manager dialog box, specify the following connection
properties for the data source:

Server name: Type the name of your Configuration Manager site database
server, or select it in the list. If you are working with a named instance instead
of the default instance, type <database server>\<instance name>.

Select Use Windows Authentication.

In the Select or enter a database name list, select the name of your
Configuration Manager site database.

5. To verify the database connection, click Test Connection.

6. If the connection succeeds, click OK to close the Connection Manager dialog box.
If the connection does not succeed, verify that the information you entered is
correct, and then click Test Connection again.

7. On the Select how to define the connection page, verify that Create a data source
based on an existing or new connection is selected, verify that the data source
you have just specified is selected in the Data connections list box, and then click
Next.

8. In Data source name, specify a name for the data source and then click Finish. For
this example, type Advanced_Model.

9. The data source Advanced_Model.ds is displayed in Solution Explorer under the
Data Sources node.

Note

To edit the properties of an existing data source, double-click the data source
in the Data Sources folder of the Solution Explorer pane to display the data
source properties in Data Source Designer.

To define the data source view for the report model

1. In Solution Explorer, right-click Data Source Views to select Add New Data
Source View.

2. On the Welcome to the Data Source View Wizard page, click Next. The Select a
Data Source page is displayed.

3. In the Relational data sources window, verify that the Advanced_Model data
source is selected, and then click Next.

4. On the Select Tables and Views page, select the following views in the Available
objects list to be used in the report model:

v_R_System (dbo)

v_GS_OPERATING_SYSTEM (dbo)

After selecting each view, click > to transfer the object to the Included
objects list.

Tip

To help locate views in the Available objects list, click the Name heading at
the top of the list to sort the objects in alphabetical order.

5. If the Name Matching dialog box appears, accept the default selections, and click
Next.

6. When you have selected the objects you require, click Next, and then specify a
name for the data source view. For this example, type Advanced_Model.

7. Click Finish. The Advanced_Model.dsv data source view is displayed in the Data
Source Views folder of Solution Explorer.

To define relationships in the data source view


1. In Solution Explorer, double-click Advanced_Model.dsv to open the Design
window.

2. Right-click the title bar of the v_R_System window to select Replace Table, and
then click With New Named Query.

3. In the Create Named Query dialog box, click the Add Table icon (typically the last
icon in the ribbon).

4. In the Add Table dialog box, click the Views tab, select V_GS_OPERATING_SYSTEM
in the list, and then click Add.

5. Click Close to close the Add Table dialog box.

6. In the Create Named Query dialog box, specify the following information:

Name: Specify the name for the query. For this example, type
Advanced_Model.

Description: Specify a description for the query. For this example, type
Example Reporting Services report model.

7. In the v_R_System window, select the following items in the list of objects to
display in the report model:

ResourceID

ResourceType

Active0

AD_Domain_Name0

AD_SiteName0

Client0

Client_Type0

Client_Version0

CPUType0

Hardware_ID0

User_Domain0

User_Name0
Netbios_Name0

Operating_System_Name_and0

8. In the v_GS_OPERATING_SYSTEM box, select the following items in the list of
objects to display in the report model:

ResourceID

Caption0

CountryCode0

CSDVersion0

Description0

InstallDate0

LastBootUpTime0

Locale0

Manufacturer0

Version0

WindowsDirectory0

9. To present the objects in these views as one list to the report author, you must
specify a relationship between the two tables or views by using a join. You can join
the two views by using the object ResourceID, which appears in both views.

10. In the v_R_System window, click and hold the ResourceID object and drag it to the
ResourceID object in the v_GS_OPERATING_SYSTEM window.

11. Click OK.

12. The Advanced_Model window replaces the v_R_System window and contains all of
the necessary objects required for the report model from the v_R_System and the
v_GS_OPERATING_SYSTEM views. You can now delete the
v_GS_OPERATING_SYSTEM window from the Data Source View Designer. Right-
click the title bar of the v_GS_OPERATING_SYSTEM window to select Delete Table
from DSV. In the Delete Objects dialog box, click OK to confirm the deletion.

13. Click File, and then click Save All.


To create the report model
1. In Solution Explorer, right-click Report Models to select Add New Report Model.

2. On the Welcome to the Report Model Wizard page, click Next.

3. On the Select Data Source View page, select the data source view in the Available
data source views list, and then click Next. For this example, select
Advanced_Model.dsv, the data source view you created in the previous procedure.

4. On the Select report model generation rules page, do not change the default
values, and click Next.

5. On the Collect Model Statistics page, verify that Update model statistics before
generating is selected, and then click Next.

6. On the Completing the Wizard page, specify a name for the report model. For this
example, verify that Advanced_Model is displayed.

7. To complete the wizard and create the report model, click Run.

8. To exit the wizard, click Finish.

9. The report model is shown in the Design window.

To modify object names in the report model


1. In Solution Explorer, right-click a report model to select View Designer. For this
example, select Advanced_Model.smdl.

2. In the report model Design view, right-click any object name to select Rename.

3. Type a new name for the selected object, and then press Enter. For example, you
could rename the object CSD_Version_0 to read Windows Service Pack Version.

4. When you have finished renaming objects, click File, and then click Save All.

To publish the report model for use in SQL Server Reporting Services

1. In Solution Explorer, right-click Advanced_Model.smdl to select Deploy.

2. Examine the deployment status at the lower left corner of the SQL Server Business
Intelligence Development Studio window. When the deployment has finished,
Deploy Succeeded is displayed. If the deployment fails, the reason for the failure is
displayed in the Output window. The new report model is now available on your
SQL Server Reporting Services website.

3. Click File, click Save All, and then close SQL Server Business Intelligence
Development Studio.

To deploy the custom report model to Configuration Manager

1. Locate the folder in which you created the report model project. For example,
%USERPROFILE%\Documents\Visual Studio 2008\Projects\<Project Name>.

2. Copy the following files from the report model project folder to a temporary folder
on your computer:

<Model Name>.dsv

<Model Name>.smdl

3. Open the preceding files by using a text editor, such as Notepad.

4. In the file <Model Name>.dsv, locate the first line of the file, which reads as
follows:

<DataSourceView xmlns="http://schemas.microsoft.com/analysisservices/2003/engine">

Edit this line to read as follows:

<DataSourceView xmlns="http://schemas.microsoft.com/analysisservices/2003/engine" xmlns:xsi="RelationalDataSourceView">

5. Copy the entire contents of the file to the Windows Clipboard.

6. Close the file <Model Name>.dsv.

7. In the file <Model Name>.smdl, locate the last three lines of the file, which appear
as follows:

</Entity>

</Entities>

</SemanticModel>
8. Paste the contents of the file <Model Name>.dsv directly before the last line of the
file (the closing </SemanticModel> tag).

9. Save and close the file <Model Name>.smdl.

10. Copy the file <Model Name>.smdl to the folder %programfiles%\Microsoft
Endpoint Manager\AdminConsole\XmlStorage\Other on the Configuration
Manager site server.

Important

After copying the report model file to the Configuration Manager site server,
you must exit and restart the Configuration Manager console before you can
use the report model in the Create Report Wizard.
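
The ten steps above, scripted. This is an added example, not part of the Configuration Manager documentation or product: it assumes a report model project saved by BIDS as described, the default console install path, and an elevated PowerShell session on the site server; the function name, parameter names and the temporary folder are the author's choices.

```powershell
# Added example, not from the Configuration Manager documentation: merges a
# report model's .dsv into its .smdl exactly as the manual steps describe, checks
# the result is still well-formed XML, and copies it to the console's
# XmlStorage\Other folder. Function and parameter names are the author's.

function Publish-CMReportModel {
    param(
        [Parameter(Mandatory)] [string] $ProjectDir,  # e.g. "$env:USERPROFILE\Documents\Visual Studio 2008\Projects\Advanced_Model"
        [Parameter(Mandatory)] [string] $ModelName,   # e.g. 'Advanced_Model'
        [string] $XmlStorageOther = "$env:ProgramFiles\Microsoft Endpoint Manager\AdminConsole\XmlStorage\Other"
    )
    $ErrorActionPreference = 'Stop'
    $ns = 'http://schemas.microsoft.com/analysisservices/2003/engine'
    if (-not (Test-Path -Path $XmlStorageOther -PathType Container)) {
        throw "Console folder not found: $XmlStorageOther"
    }

    # Steps 1 and 2: work on copies in a temporary folder, never on the project files.
    $work = Join-Path $env:TEMP "ReportModel_$ModelName"
    New-Item -ItemType Directory -Path $work -Force | Out-Null
    Copy-Item -Path (Join-Path $ProjectDir "$ModelName.dsv"), (Join-Path $ProjectDir "$ModelName.smdl") -Destination $work
    $dsvPath  = Join-Path $work "$ModelName.dsv"
    $smdlPath = Join-Path $work "$ModelName.smdl"

    # Step 4: rewrite the <DataSourceView> start tag. An XML declaration is
    # dropped because it may not appear inside the .smdl, and any existing
    # xmlns:xsi declaration is replaced with the value the console expects.
    $dsv = Get-Content -Path $dsvPath -Raw
    $dsv = $dsv -replace '^\s*<\?xml[^>]*\?>\s*', ''
    if ($dsv -notmatch "^<DataSourceView\b[^>]*xmlns=`"$([regex]::Escape($ns))`"") {
        throw "$dsvPath does not start with the expected <DataSourceView> element"
    }
    $dsv = $dsv -replace '^(<DataSourceView\b[^>]*?)\s+xmlns:xsi="[^"]*"', '$1'
    $dsv = $dsv -replace '^(<DataSourceView\b[^>]*?)>', '$1 xmlns:xsi="RelationalDataSourceView">'

    # Steps 7 and 8: paste the data source view directly before </SemanticModel>.
    $smdl = Get-Content -Path $smdlPath -Raw
    $closeAt = $smdl.LastIndexOf('</SemanticModel>')
    if ($closeAt -lt 0) { throw "$smdlPath has no closing </SemanticModel> element" }
    $merged = $smdl.Substring(0, $closeAt) + $dsv.TrimEnd() + "`r`n" + $smdl.Substring($closeAt)

    # Check before deploying: the merged text must parse, and the SemanticModel
    # root must now carry a DataSourceView child.
    [xml]$doc = $merged
    $views = @($doc.DocumentElement.ChildNodes | Where-Object { $_.LocalName -eq 'DataSourceView' })
    if ($doc.DocumentElement.LocalName -ne 'SemanticModel' -or $views.Count -lt 1) {
        throw 'Merged .smdl is not a SemanticModel containing a DataSourceView'
    }

    # Steps 9 and 10: save the copy and place it in the console folder.
    Set-Content -Path $smdlPath -Value $merged -Encoding UTF8
    Copy-Item -Path $smdlPath -Destination $XmlStorageOther
    Write-Output "Copied $ModelName.smdl to $XmlStorageOther. Restart the Configuration Manager console."
}

# Usage:
# Publish-CMReportModel -ProjectDir "$env:USERPROFILE\Documents\Visual Studio 2008\Projects\Advanced_Model" -ModelName Advanced_Model
```

The [xml] cast is the check worth keeping even if you do the edit by hand: it catches a stray XML declaration or an unmatched tag before the file lands in the console folder, and the files the console has already loaded are never touched because the script works on copies.
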
The data warehouse service point for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the data warehouse service point to store and report on long-term historical data
for your Configuration Manager deployment.

The data warehouse supports up to 2 TB of data, with timestamps for change tracking.
The data warehouse stores data by automatically synchronizing data from the
Configuration Manager site database to the data warehouse database. This information
is then accessible from your reporting service point. Data synchronized to the data
warehouse database is kept for three years. Periodically, a built-in task removes data
that's older than three years.

Data that is synchronized includes the following from the global data and site data
groups:

Infrastructure health
Security
Compliance
Malware
Software deployments
Inventory details (however, inventory history isn't synchronized)

When the site system role installs, it installs and configures the data warehouse
database. It also installs several reports so you can easily search for and report on this
data.

Prerequisites
The data warehouse site system role is supported only at the top-tier site of your
hierarchy. For example, a central administration site (CAS) or standalone primary
site.

Starting in version 2107, the server where you install this site system role requires
.NET version 4.6.2, and version 4.8 is recommended. In version 2103 and earlier,
this role requires .NET 4.5.2 or later. For more information, see Site and site system
prerequisites.

Grant the Reporting Services Point Account the db_datareader permission on the
data warehouse database.

To synchronize data with the data warehouse database, Configuration Manager
uses the computer account of the site system role. This account requires the
following permissions:

Administrator on the computer that hosts the data warehouse database.

DB_Creator permission on the data warehouse database.

Either DB_owner or DB_reader with execute permissions to the top-tier site's
database.

The data warehouse database requires the use of SQL Server 2012 or later. The
edition can be Standard, Enterprise, or Datacenter. The SQL Server version for the
data warehouse doesn't need to be the same as the site database server.

The warehouse database supports the following SQL Server configurations:

A default or named instance

SQL Server Always On availability group

SQL Server Always On failover cluster instance

If you use distributed views, install the data warehouse service point on the same
server that hosts the CAS's database.

For more information on SQL Server licensing, see the product and licensing FAQ.

Size the data warehouse database the same as your site database. While the data
warehouse is smaller at first, it will grow over time.

Install
Each hierarchy supports a single instance of this role, on any site system of the top-tier
site. The SQL Server that hosts the database for the warehouse can be local to the site
system role, or remote. The data warehouse works with the reporting services point
installed at the same site. You don't need to install the two site system roles on the same
server.

To install the role, use the Add Site System Roles Wizard or the Create Site System
Server Wizard. For more information, see Install site system roles. On the System Role
Selection page of the wizard, select the Data Warehouse service point role.
When you install the role, Configuration Manager creates the data warehouse database
for you on the instance of SQL Server that you specify. If you specify the name of an
existing database, Configuration Manager doesn't create a new database. Instead it uses
the one you specify. This process is the same as when you move the data warehouse
database to a new SQL Server.

Configure properties

General page
SQL Server fully qualified domain name: Specify the full qualified domain name
(FQDN) of the server that hosts the data warehouse service point database.

SQL Server instance name, if applicable: If you don't use a default instance of SQL
Server, specify the named instance.

Database name: Specify a name for the data warehouse database. Configuration
Manager creates the data warehouse database with this name. If you specify a
database name that already exists on the instance of SQL Server, Configuration
Manager uses that database.

SQL Server port used for connection: Specify the TCP/IP port number used by the
SQL Server that hosts the data warehouse database. The data warehouse
synchronization service uses this port to connect to the data warehouse database.
By default, it uses SQL Server port 1433 for communication.

Data warehouse service point account: Set the User name that SQL Server
Reporting Services uses when it connects to the data warehouse database.

Synchronization settings page


Data Synchronization custom setting: Choose the option to Select tables. In the
Database tables window, select the table names to synchronize to the data
warehouse database. Use the filter to search by name, or select the drop-down list
to choose specific groups. Select OK when complete to save.

Note

You can't remove tables that the role selects by default.


Start time: Specify the time that you want the data warehouse synchronization to
start.

Recurrence pattern

Daily: Specify that synchronization runs every day.

Weekly: Specify a single day each week, and weekly recurrence for
synchronization.

Reporting
After you install a data warehouse service point, several reports become available on the
reporting services point for the site. If you install the data warehouse service point
before installing a reporting services point, the reports are automatically added when
you later install the reporting services point.

Note

The data warehouse point supports alternative credentials. Specify credentials that
SQL Server Reporting Services uses to connect to the data warehouse database.
Data warehouse reports don't open until you add credentials.

To specify an account, set the User name for the data warehouse service point
account in the role properties. For more information, see Configure properties.

The data warehouse site system role includes the following reports, under the Data
Warehouse category:

Application Deployment - Historical: View details for application deployment for a
specific application and machine.

Endpoint Protection and Software Update Compliance - Historical: View
computers that are missing software updates.

General Hardware Inventory - Historical: View all hardware inventory for a specific
machine.

General Software Inventory - Historical: View all software inventory for a specific
machine.

Infrastructure Health Overview - Historical: Displays an overview of the health of
your Configuration Manager infrastructure.

List of Malware Detected - Historical: View malware that has been detected in the
organization.

Software Distribution Summary - Historical: A summary of software distribution
for a specific advertisement and machine.

Exclude data warehouse reporting tables from synchronization

(Introduced in version 2203)

When you install the data warehouse, it synchronizes a set of default tables from the site
database. These tables are required for data warehouse reports. While troubleshooting
issues, you may want to stop synchronizing these default tables. Starting in version
2203, you can exclude one or more of these required tables from synchronization. To
exclude tables from synchronization:

1. From the Administration workspace, open Site Configuration > Servers and Site
System Roles.
2. Select the server where the data warehouse service point is installed.
3. In the Site System Roles details pane, select the Data Warehouse service point
role, then select Properties.
4. On the Synchronization settings page, choose Select tables.
5. In the Database tables window, deselect one or more tables of type Required.
6. The console will prompt you to confirm the change, since some reports may no
longer work correctly.

Site expansion
Before you can install a CAS to expand an existing standalone primary site, first uninstall
the data warehouse service point role. After you install the CAS, you can then install the
site system role at the CAS.

Unlike a move of the data warehouse database, this change results in a loss of the
historic data you have previously synchronized at the primary site. It isn't supported to
back up the database from the primary site and restore it at the CAS.

Move the database


Use the following steps to move the data warehouse database to a new SQL Server:
1. Use SQL Server Management Studio to back up the data warehouse database.
Then, restore that database to a SQL Server on the new computer that hosts the
data warehouse.

Note

After you restore the database to the new server, make sure the database
access permissions are the same on the new data warehouse database as they
were on the original data warehouse database.

2. Use the Configuration Manager console to remove the data warehouse service
point role from the current server.

3. Reinstall the data warehouse service point. Specify the name of the new SQL Server
and instance that hosts the restored data warehouse database.

4. After the site system role installs, the move is complete.

Troubleshoot

Log files
Use the following logs to investigate problems with the installation of the data
warehouse service point, or synchronization of data:

DWSSMSI.log and DWSSSetup.log: Use these logs to investigate errors when
installing the data warehouse service point.

Microsoft.ConfigMgrDataWarehouse.log: Use this log to investigate data
synchronization between the site database and the data warehouse database.

Set up failure
When the data warehouse service point role is the first one that you install on a remote
server, installation fails for the data warehouse.

To work around this issue, make sure that the computer on which you install the data
warehouse service point already hosts at least one other role.

Synchronization failed to populate schema objects


Synchronization fails with the following message in
Microsoft.ConfigMgrDataWarehouse.log: failed to populate schema objects

To work around this issue, make sure that the computer account of the site system role
is a db_owner on the data warehouse database.

Reports fail to open


Data warehouse reports fail to open when the data warehouse database and reporting
service point are on different site systems.

To work around this issue, grant the Reporting Services Point Account the
db_datareader permission on the data warehouse database.
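
The grants listed under Prerequisites, which are also the fixes for the two entries above (db_owner on the data warehouse database for the synchronization account, db_datareader for the reporting account), as one script. This is an added example, not from the Configuration Manager documentation: it assumes the SqlServer PowerShell module for Invoke-Sqlcmd, a session that is sysadmin on both instances, SQL Server 2012 or later for ALTER ROLE ... ADD MEMBER, and placeholder server, database and account names; "DB_Creator permission" is taken here to mean the dbcreator server role. Local Administrators membership on the data warehouse host is not scripted.

```powershell
# Added example, not from the Configuration Manager documentation: grants the
# data warehouse permissions the Prerequisites section lists and verifies them.
# Assumes the SqlServer module (Invoke-Sqlcmd) and sysadmin on both instances.
# Function, parameter and placeholder names are the author's.

function Grant-CMDataWarehouseAccess {
    param(
        [Parameter(Mandatory)] [string] $DwServerInstance,   # e.g. 'DWSQL01.contoso.com'
        [Parameter(Mandatory)] [string] $DwDatabase,         # e.g. 'CMDataWarehouse'
        [Parameter(Mandatory)] [string] $SiteServerInstance, # top-tier site DB host, e.g. 'CASSQL01.contoso.com'
        [Parameter(Mandatory)] [string] $SiteDatabase,       # e.g. 'CM_CAS'
        [Parameter(Mandatory)] [string] $DwComputerAccount,  # site system computer account, e.g. 'CONTOSO\DWSRV01$'
        [Parameter(Mandatory)] [string] $ReportingAccount    # Reporting Services Point Account, e.g. 'CONTOSO\svc-ssrs'
    )
    $ErrorActionPreference = 'Stop'

    # Only DOMAIN\name (with an optional trailing $ for computer accounts) is
    # accepted, so nothing else can reach the bracketed identifiers below.
    foreach ($acct in $DwComputerAccount, $ReportingAccount) {
        if ($acct -notmatch '^[A-Za-z0-9._-]+\\[A-Za-z0-9._ -]+\$?$') { throw "Not a DOMAIN\account name: $acct" }
    }

    # Creates the login and database user if missing, then adds the role membership.
    $ensureMember = @'
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'{0}')
    CREATE LOGIN [{0}] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'{0}')
    CREATE USER [{0}] FOR LOGIN [{0}];
ALTER ROLE [{1}] ADD MEMBER [{0}];
'@

    # Data warehouse instance: dbcreator for the synchronization account (server level).
    $dbCreator = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$DwComputerAccount')
    CREATE LOGIN [$DwComputerAccount] FROM WINDOWS;
ALTER SERVER ROLE dbcreator ADD MEMBER [$DwComputerAccount];
"@
    Invoke-Sqlcmd -ServerInstance $DwServerInstance -Database master -Query $dbCreator

    # Data warehouse database: db_owner for the synchronization account (the
    # "failed to populate schema objects" fix) and db_datareader, nothing more,
    # for the reporting account (the "Reports fail to open" fix).
    Invoke-Sqlcmd -ServerInstance $DwServerInstance -Database $DwDatabase -Query ($ensureMember -f $DwComputerAccount, 'db_owner')
    Invoke-Sqlcmd -ServerInstance $DwServerInstance -Database $DwDatabase -Query ($ensureMember -f $ReportingAccount, 'db_datareader')

    # Top-tier site database: of the two options the page allows, db_datareader
    # plus EXECUTE is the least-privilege one; db_owner is not needed here.
    $siteQuery = ($ensureMember -f $DwComputerAccount, 'db_datareader') + "GRANT EXECUTE TO [$DwComputerAccount];"
    Invoke-Sqlcmd -ServerInstance $SiteServerInstance -Database $SiteDatabase -Query $siteQuery

    # Verify: return the role memberships now present on the data warehouse database.
    $verify = @"
SELECT m.name AS principal_name, r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name IN (N'$DwComputerAccount', N'$ReportingAccount')
ORDER BY m.name, r.name;
"@
    Invoke-Sqlcmd -ServerInstance $DwServerInstance -Database $DwDatabase -Query $verify
}

# Usage:
# Grant-CMDataWarehouseAccess -DwServerInstance 'DWSQL01.contoso.com' -DwDatabase 'CMDataWarehouse' `
#     -SiteServerInstance 'CASSQL01.contoso.com' -SiteDatabase 'CM_CAS' `
#     -DwComputerAccount 'CONTOSO\DWSRV01$' -ReportingAccount 'CONTOSO\svc-ssrs'
```

The synchronization account reads the site database and runs its stored procedures; it has no reason to own it, which is why the script takes the db_datareader plus EXECUTE option on the site database and reserves db_owner for the data warehouse database, where the page says it is required.
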

Error opening reports


When you open a data warehouse report, it returns the following error:

Output

An error has occurred during report processing. (rsProcessingAborted)
Cannot create a connection to data source 'AutoGen__39B693BB_524B_47DF_9FDB_9000C3118E82_'. (rsErrorOpeningConnection)
A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

This issue should only occur when the site database and data warehouse database are
on separate SQL Servers.

To work around this issue, use the following steps to configure certificates:

1. On the server that hosts the data warehouse database:

a. Create a self-signed certificate. Open IIS, select Server Certificates, and then
select the Create Self-Signed Certificate action. Specify the "friendly name" of
the certificate as Data Warehouse SQL Server Identification Certificate.
Select the certificate store as Personal.

Tip

If this server doesn't already have IIS, install it first.

b. Manage the certificate. Open the Microsoft Management Console (MMC), and
add the Certificates snap-in. Select Computer account of the local machine.
Expand the Personal folder, and select Certificates.

i. Give the SQL Server service account read permissions to the certificate. Select
the Data Warehouse SQL Server Identification Certificate certificate, then
go to the Action menu, select All Tasks, and select Manage Private Keys.
Add the SQL Server service account, and allow Read permission.

ii. Export the Data Warehouse SQL Server Identification Certificate as a DER
encoded binary X.509 (.CER) file.

c. Reconfigure SQL. Open SQL Server Configuration Manager.

i. Under SQL Server Network Configuration, right-click Protocols for
MSSQLSERVER and select Properties. Switch to the Certificate tab, select Data
Warehouse SQL Server Identification Certificate as the certificate, and then
save the changes.

ii. Under SQL Server Services, restart the SQL Server service. If SQL Server
Reporting Services is also installed on the server that hosts the data
warehouse database, restart the Reporting Services service as well.

2. On the server that hosts SQL Server Reporting Services, open the MMC, and add
the Certificates snap-in. Select Computer account. Under the Trusted Root
Certification Authorities folder, import the Data Warehouse SQL Server
Identification Certificate.
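
The same workaround as a script, split into the part that runs on the data warehouse SQL Server host and the part that runs on the Reporting Services host. This is an added example, not from the Configuration Manager documentation. It assumes Windows PowerShell 5.1 on Windows Server 2016 or later, local administrator rights on both hosts, the default instance, and a CAPI key container (SQL Server's certificate selection expects one, hence -KeySpec and -Provider); the registry write is the author's equivalent of the Certificate tab in SQL Server Configuration Manager, and function and parameter names are the author's. It mints the certificate with New-SelfSignedCertificate, so a server that only hosts SQL does not need IIS installed for this.

```powershell
# Added example, not from the Configuration Manager documentation: the
# certificate workaround above as two functions. Run New-DwSqlServerCertificate
# on the data warehouse SQL Server host and Import-DwSqlServerCertificate on the
# Reporting Services host. Assumes Windows PowerShell 5.1, Windows Server 2016+,
# local admin rights, and SQL Server's CAPI-based certificate handling.

function New-DwSqlServerCertificate {
    param(
        [string] $InstanceName = 'MSSQLSERVER',   # default instance, as in step c
        [string] $FriendlyName = 'Data Warehouse SQL Server Identification Certificate',
        [string] $CerFile      = "$env:TEMP\DwSqlServer.cer"
    )
    $ErrorActionPreference = 'Stop'
    $serviceName = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$InstanceName" }

    # The subject must be the FQDN entered in the data warehouse role properties;
    # a trusted chain with the wrong name still fails the handshake.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # Step a, without IIS: mint the certificate straight into the machine
    # Personal store. The private key stays non-exportable (the default).
    $cert = New-SelfSignedCertificate -DnsName $fqdn -FriendlyName $FriendlyName `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeySpec KeyExchange -Provider 'Microsoft RSA SChannel Cryptographic Provider' `
        -NotAfter (Get-Date).AddYears(2)

    # Step b.i (Manage Private Keys): Read only, and only for the SQL service account.
    $svcAccount = (Get-CimInstance Win32_Service -Filter "Name='$serviceName'").StartName
    $container  = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile    = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
    & icacls.exe $keyFile /grant "$($svcAccount):(R)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $keyFile" }

    # Step b.ii: export the public certificate only, DER encoded (.cer).
    Export-Certificate -Cert $cert -FilePath $CerFile -Type CERT | Out-Null

    # Step c: registry equivalent of picking the certificate on the Certificate tab
    # in SQL Server Configuration Manager, then restart the SQL Server service.
    $instanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$InstanceName
    $netLib = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"
    Set-ItemProperty -Path $netLib -Name Certificate -Value $cert.Thumbprint.ToLowerInvariant()
    Restart-Service -Name $serviceName -Force

    [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; CerFile = $CerFile }
}

function Import-DwSqlServerCertificate {
    param([Parameter(Mandatory)] [string] $CerFile)
    $ErrorActionPreference = 'Stop'

    # Step 2: the SSRS host trusts exactly this self-signed leaf, nothing more.
    $cert = Import-Certificate -FilePath $CerFile -CertStoreLocation 'Cert:\LocalMachine\Root'
    if ($cert.HasPrivateKey) { throw 'Refusing to trust a file that carries a private key' }

    # Confirm the chain now builds. Revocation is skipped because a self-signed
    # certificate publishes no CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        throw "Chain still fails: $(($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')"
    }
    $cert.Thumbprint
}

# Usage:
#   on the data warehouse SQL host:  New-DwSqlServerCertificate
#   copy DwSqlServer.cer to the SSRS host, then there:  Import-DwSqlServerCertificate -CerFile .\DwSqlServer.cer
```

Two checks worth keeping however you do this: the certificate subject must be the same FQDN you enter on the General page of the role, and what reaches the Trusted Root store on the SSRS host is the .cer only, which carries no private key. Trusting a self-signed leaf there is scoped to that one key; a certificate issued by an enterprise CA avoids touching the root store at all.
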

Data flow

Data storage and synchronization

Step 1: The site server transfers and stores data in the site database.

Step 2: Based on its schedule and configuration, the data warehouse service point gets
data from the site database.

Step 3: The data warehouse service point transfers and stores a copy of the
synchronized data in the data warehouse database.

Reporting flow

Step A: Using built-in reports, a user requests data. This request is passed to the
reporting service point using SQL Server Reporting Services.

Step B: Most reports are for current information, and these requests are run against
the site database.

Step C: When a report requests historical data by using one of the reports with a
Category of Data Warehouse, the request runs against the data warehouse database.
Support Center for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use Support Center for client troubleshooting, real-time log viewing, or capturing the
state of a Configuration Manager client computer for later analysis. Support Center is a
single tool to combine many administrator troubleshooting tools.

About
Support Center aims to reduce the challenges and frustration when troubleshooting
Configuration Manager client computers. Previously, when working with support to
address an issue with Configuration Manager clients, you would need to manually
collect log files and other information to help troubleshoot the issue. It was easy to
accidentally forget a crucial log file, causing headaches for you and the support
personnel who you're working with.

Use Support Center to streamline the support experience. It lets you:

Create a troubleshooting bundle (.zip file) that contains the Configuration Manager
client log files. You then have a single file to send to support personnel.

View Configuration Manager client log files, certificates, registry settings, debug
dumps, client policies.

Real-time diagnostics of inventory, policy (replaces PolicySpy), and client cache
(replaces ContentSpy).

Starting in version 2103, Support Center is split into the following tools:

Support Center Client Data Collector: Collects data from a device to view in the
Support Center Viewer. This separate tool encompasses the existing Support
Center action to Collect selected data.

Support Center Client Tools: The other Support Center troubleshooting
functionality, except for Collect selected data.

The following tools are still a part of Support Center:

Support Center Viewer
Support Center OneTrace
Support Center Log File Viewer

Support Center viewer


Support Center includes Support Center Viewer, a tool that support personnel use to
open the bundle of files that you create using Support Center. Support Center's data
collector collects and packages diagnostic logs from a local or remote Configuration
Manager client. To view data collector bundles, use the viewer application.

Support Center log file viewer


Support Center includes a modern log viewer. This tool replaces CMTrace and provides a
customizable interface with support for tabs and dockable windows. It has a fast
presentation layer, and can load large log files in seconds.

Support Center OneTrace


OneTrace is a new log viewer with Support Center. It works similarly to CMTrace, with
improvements. For more information, see Support Center OneTrace.

PowerShell cmdlets
Support Center also includes PowerShell cmdlets. Use these cmdlets to create a remote
connection to another Configuration Manager client, to configure the data collection
options, and to start data collection. These cmdlets are in separate PowerShell module
named ConfigMgrSupportCenter.PS. After you install Support Center, use the following
command to import this module:

PowerShell

Import-Module "C:\Program Files (x86)\Configuration Manager Support Center\ConfigMgrSupportCenter.PS.psd1"

Prerequisites
Install the following components on the server or client computer on which you install
Support Center:
Any Windows OS version supported by Configuration Manager. For more
information, see Supported OS versions for clients. Support Center doesn't support
mobile devices or macOS.

Starting in version 2107, all site and client components require .NET version
4.6.2, and version 4.8 is recommended. For more information, see Site and site system
prerequisites. In version 2103 and earlier, this tool requires .NET 4.5.2 or later.

Install
Find the Support Center installer on the site server at the following path:
cd.latest\SMSSETUP\Tools\SupportCenter\SupportCenterInstaller.msi .

After you install it, find the following items on the Start menu in the Microsoft Endpoint
Manager group:

Support Center Client Data Collector (starting in version 2103)
Support Center Client Tools (starting in version 2103)
Support Center (version 2010 and earlier)
Support Center Log File Viewer
Support Center OneTrace
Support Center Viewer

Starting in version 2103, the Start menu group for Support Center includes these five
tools.

Tip

When installing Support Center, you can install tools individually. To install only the
OneTrace log viewer, use the Advanced option when using the Support Center
installer. You can also use the ADDLOCAL property, for example
supportcenterinstaller.msi ADDLOCAL=OneTraceApplication

Command line options

Starting in version 2111, the following command-line options have been added to
the Support Center Data Collector and Client Tools:

-l: Launch as the current user without elevation. If -l is used, no elevation is
requested and local connections are disabled. -l can be used on its own, without -m
or -p. If -m and/or -p is used without -l, elevation is still requested.

-m <machinename>: Specify a machine name. If -m <machinename> is used, an attempt
is made to connect to the specified machine name using integrated authentication
(unless -p is used).

-p: Disable integrated authentication. If -p is used, the connection screen is
launched when the client tools are opened. If used with -m, the machine name is
pre-populated with the specified value.

--help: Display help.

Note

When using -m <machinename>, the account making the connection needs
administrator access on the target machine to collect the data.

Known issues

Remote connections must include computer name or domain as part of the user name
If you connect to a remote client from Support Center, you must provide the machine
name or domain name for the user account when establishing the connection. If you use
a shorthand computer name or domain name (such as .\administrator ), the connection
succeeds, but Support Center doesn't collect data from the client.
To avoid this issue, use the following user name formats to connect to a remote client:

ComputerName\UserName
DomainName\UserName

Scripted server message block connections to remote clients might require removal

When connecting to remote clients using the New-CMMachineConnection PowerShell
cmdlet, Support Center creates a server message block (SMB) connection to each
remote client. It keeps those connections after you complete data collection. To avoid
exceeding the maximum number of remote connections for Windows, use the net use
command to see the currently active set of remote connections. Then disable any
unneeded connections by using the following command:

net use <connection_name> /d

where <connection_name> is the name of the remote connection.

Next steps
Support Center quickstart
Support Center quickstart guide
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Support Center has powerful capabilities including troubleshooting and real-time log
viewing. It can also be used in just a few minutes to capture the state of a Configuration
Manager client computer. This ability includes accessing remote clients.

Create a complete troubleshooting bundle file (.zip) that captures the client state. The
bundle doesn't only contain log files. It can include other types of data such as registry
settings and client configurations. Provide the bundle to a support technician who uses
Support Center Viewer.

Prerequisites
Local administrative rights to a Configuration Manager client

The Support Center installer. This file is on the site server at
cd.latest\SMSSETUP\Tools\SupportCenter\SupportCenterInstaller.msi . For more
information, see Support Center - Install.

Step 1: Create a data bundle on a local client


1. Install Support Center on the Configuration Manager client.

2. Go to the Start menu, in the Microsoft Endpoint Manager group, select the option
based on your site version:

For version 2103 and later: Select Support Center Client Data Collector.

For version 2010 and earlier: Select Support Center.

3. On the Home tab of the ribbon, select Collect selected data.

By default, Support Center only collects the minimum data set:

Client log files: All log files from the Configuration Manager clients, by
default in C:\Windows\CCM\logs . It also includes log files for client setup, by
default in C:\Windows\ccmsetup\Logs .
Client configuration: Information from the Configuration Manager client. For
example, the version, the assigned site and management point, and if it's
internet facing. This option is always enabled.

Operating system: Information about the computer. For example, Windows
install, network adapters, and system services. This option is always enabled.

4. Save the troubleshooting bundle file (.zip) to a folder on the computer. By default,
the file name is similar to the following example:
Support_c885cdfed3c7482bba4f9e662978ec07.zip .

Step 2: View the data bundle using Support Center Viewer

1. Start Support Center Viewer. This action can happen on any computer with
Support Center.

2. Select Open bundle, browse to the bundle file, and select Open.
3. After Support Center Viewer processes the file, switch to each available tab. View
the types of data that Support Center collects by default:

Configuration tab

Configuration Manager client configuration

Operating system

Computer

Services

Network adapters

Logs tab: Choose one or more entries in the list, and select Open. This action
opens the selected log files in Log Viewer. Use this feature to look up error
codes, and use advanced filters to help you more quickly analyze log files.

Collect more data

Beyond these basic capabilities, Support Center can also collect a wide variety of other
client state information. Open Support Center Client Data Collector and select Collect
all data. This process typically lasts several minutes, even on newer computers. Support
Center collects the following data:

Policy: Configuration Manager policy settings, including both the requested policy
configuration and the actual policy configuration.

Client WMI: Client configuration information from WMI. Support Center doesn't
collect client policy.

Certificates: Public key information for client certificates. Support Center doesn't
collect certificate private keys.

Debug dumps: Collect a debug dump of client and related processes. Debug
dumps can be large. Only enable this option when troubleshooting issues with
client performance.

Warning

Collecting debug dumps will cause data bundles to become very large. In
some cases, the size can be several hundred MB.

Debug dumps may contain sensitive information, including passwords,
cryptographic secrets, or user data. Only collect debug dumps on the
recommendation of Microsoft Support personnel. Carefully handle data
bundles that contain debug dumps to protect them from unauthorized
access.

This data type isn't supported when you make a remote connection to
another client.

Client registry: Collects client configuration information from the registry. Support
Center only collects Configuration Manager registry information.

Troubleshooting: Real-time troubleshooting data to help diagnose common client
problems with Active Directory, management points, networking, policy
assignments, and registration.

Note

This data type isn't supported when you make a remote connection to
another client.

Windows Update log files: Collects log files for Windows Updates, which are
necessary when troubleshooting issues with software updates.

Next steps
User interface reference
Support Center OneTrace
Article • 10/04/2022

OneTrace is a new log viewer with Support Center. It works similarly to CMTrace, with
the following improvements:

A tabbed view
Dockable windows
Improved search capabilities
Ability to enable filters without leaving the log view
Scrollbar hints to quickly identify clusters of errors
Fast log opening for large files
Windows jump lists for recently opened files (version 2103 and later)
Status messages are displayed in an easy to read format (version 2111 and later)
Entries starting with >> are status messages that are automatically converted
into a readable format when a log is opened. Search or filter on the >> string to
find status messages in the log.

OneTrace works with many types of log files, such as:

Configuration Manager client logs
Configuration Manager server logs
Status messages
Windows Update ETW log file on Windows 10 or later
Windows Update log file on Windows 7 and Windows 8.1

Prerequisites
Starting in version 2107, all site and client components require .NET version 4.6.2;
version 4.8 is recommended. For more information, see Site and site system
prerequisites.

In version 2103 and earlier, this tool requires .NET 4.6 or later.

Install
OneTrace installs with Support Center. Find the Support Center installer on the site
server at the following path:
cd.latest\SMSSETUP\Tools\SupportCenter\SupportCenterInstaller.msi.

By default, the OneTrace application is installed at C:\Program Files
(x86)\Configuration Manager Support Center\CMPowerLogViewer.exe.

Note

Support Center Log File Viewer and OneTrace use Windows Presentation
Foundation (WPF). This component isn't available in Windows PE. Continue to use
CMTrace in boot images with task sequence deployments.

Log groups
OneTrace supports customizable log groups, similar to the feature in Support Center.
Log groups allow you to open all log files for a single scenario. OneTrace currently
includes groups for the following scenarios:

Application management
Compliance settings (also referred to as Desired Configuration Management)
Software updates

To show log groups, go to the View menu, and select Log groups.
Customize log groups
You can customize these groups by modifying the configuration XML, which by default
is in the following path: C:\Program Files (x86)\Configuration Manager Support
Center\LogGroups.xml.

The following example is one portion of the default configuration file:

XML

<LogGroups>
  <LogGroup Name="Desired Configuration Management" GroupType="1" GroupFilePath="">
    <LogFile>CIAgent.log</LogFile>
    <LogFile>CIDownloader.log</LogFile>
    <LogFile>CIStateStore.log</LogFile>
    <LogFile>CIStore.log</LogFile>
    <LogFile>CITaskMgr.log</LogFile>
    <LogFile>ccmsdkprovider.log</LogFile>
    <LogFile>DCMAgent.log</LogFile>
    <LogFile>DCMReporting.log</LogFile>
    <LogFile>DcmWmiProvider.log</LogFile>
  </LogGroup>
</LogGroups>

The GroupType property accepts the following values:

0: Unknown or other
1: Configuration Manager client logs
2: Configuration Manager server logs

The GroupFilePath property can include an explicit path for the log files. If it's blank,
OneTrace relies upon the registry configuration for the group type. For example, if you
set GroupType=1, by default OneTrace will automatically look in C:\Windows\CCM\Logs for
the logs in the group. In this example, you don't need to specify GroupFilePath.
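The following PowerShell is an added example, not part of Support Center or OneTrace, that appends a custom log group to a LogGroups.xml document while enforcing the rules just described: the root must be LogGroups, GroupType must be 0, 1 or 2, GroupFilePath is optional, and each LogFile entry is a bare file name. The sample document is constructed with the same shape as the default file; the log file names in the sample call are illustrative and should be replaced with the logs for your scenario.

```powershell
# Added example (not Support Center or OneTrace code): add a custom log group to a
# OneTrace LogGroups.xml document and validate it against the documented rules.
function Add-OneTraceLogGroup {
    param(
        [Parameter(Mandatory)][xml]$Document,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateRange(0, 2)][int]$GroupType,   # 0 other, 1 client logs, 2 server logs
        [string]$GroupFilePath = '',                                   # blank = OneTrace uses the registry location for the type
        [Parameter(Mandatory)][string[]]$LogFile
    )
    $root = $Document.DocumentElement
    if ($null -eq $root -or $root.LocalName -ne 'LogGroups') {
        throw 'The document root must be <LogGroups>'
    }
    $duplicate = $root.SelectNodes('LogGroup') | Where-Object { $_.GetAttribute('Name') -eq $Name }
    if ($duplicate) { throw "A log group named '$Name' already exists" }
    if ($GroupFilePath -ne '' -and -not (Test-Path -LiteralPath $GroupFilePath -PathType Container)) {
        Write-Warning "GroupFilePath '$GroupFilePath' does not exist on this machine"
    }

    $group = $Document.CreateElement('LogGroup')
    $group.SetAttribute('Name', $Name)
    $group.SetAttribute('GroupType', [string]$GroupType)
    $group.SetAttribute('GroupFilePath', $GroupFilePath)
    foreach ($file in $LogFile) {
        # Only bare file names belong here; the folder comes from GroupFilePath or the registry.
        if ($file -notmatch '^[^\\/:*?"<>|]+\.(log|lo_)$') { throw "'$file' is not a plain .log file name" }
        $node = $Document.CreateElement('LogFile')
        $node.InnerText = $file
        [void]$group.AppendChild($node)
    }
    # The document is modified in place; nothing is returned.
    [void]$root.AppendChild($group)
}

# Constructed sample with the same shape as the default file (one group shown).
[xml]$logGroups = @'
<LogGroups>
  <LogGroup Name="Desired Configuration Management" GroupType="1" GroupFilePath="">
    <LogFile>CIAgent.log</LogFile>
    <LogFile>DCMAgent.log</LogFile>
  </LogGroup>
</LogGroups>
'@

# Illustrative log names for a software updates group (adjust for your scenario).
Add-OneTraceLogGroup -Document $logGroups -Name 'Software updates (custom)' -GroupType 1 `
    -LogFile 'UpdatesDeployment.log', 'UpdatesHandler.log', 'WUAHandler.log'

# Save to a scratch location first. Replacing the file under Program Files (x86)
# needs an elevated session and should be a deliberate, reviewed step.
$out = Join-Path $env:TEMP 'LogGroups.xml'
$logGroups.Save($out)
Write-Host "Wrote $(@($logGroups.LogGroups.LogGroup).Count) log group(s) to $out"
```

Because GroupType 1 leaves GroupFilePath blank, OneTrace will resolve the new group's files from the client log location in the registry, exactly as for the built-in groups.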

Open recent files

Starting in version 2103, OneTrace supports Windows jump lists for recently opened
files. Jump lists let you quickly go to previously opened files, so you can work faster.

There are three methods to open recent files in OneTrace:

Windows taskbar jump list
Windows Start menu recently opened list
In OneTrace, from the File menu or the Recently opened tab

Windows taskbar jump list

When the OneTrace icon is on the Windows taskbar, right-click it, and then select a file
from the Recently opened list.

Windows Start menu recently opened list

Go to the Start menu, and type onetrace. Select a file from the Recently opened list.

OneTrace recently opened list

There are two locations in OneTrace that show the list of recently opened files:

The Recently opened tab in the lower right corner.
Go to the File menu and select a file at the bottom of the menu.

Next steps
User interface reference
Support Center user interface reference
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article is a reference that describes the user interfaces (UI) of the following Support
Center tools:

Support Center Client Data Collector
Support Center Client Tools
Support Center Viewer
Support Center Log File Viewer

Note

In version 2010 and earlier, the Client Data Collector and Client Tools are combined
into a single tool called Support Center.

The Support Center suite also includes OneTrace. For more information, see Support
Center OneTrace.

Support Center Client Data Collector

Note

In version 2010 and earlier, this tool is part of the Support Center tool. The Collect
selected data action is on the Home tab of the Support Center tool.

Window menu (Client Data Collector)

In the upper left corner of the Support Center Client Data Collector window, select the
arrow in the blue box to open this menu.

Local Machine Connection: Gather data from the client that's running Support
Center Client Data Collector.

Remote Connection: Establish a remote connection with another Configuration
Manager client. After connecting, gather data from the remote client.

About: Provides information about Support Center Client Data Collector, such as
the version.

Options:
Reduce the movement of animated user interface elements
Change the default save location for data bundle files
Change the location of temporary files
Reset warnings. Any warning messages that you previously suppressed appear
again when triggered.
Reset temporary file path to the default,
%UserProfile%\AppData\Local\Microsoft\ConfigMgrSupportCenter

Exit: Close Support Center Client Data Collector.

Home tab

Collect selected data

Support Center Client Data Collector collects information from the Configuration
Manager client. You can then view this information using Support Center Viewer. By
default, it collects the following types:

Client log files
Client configuration collector
Operating system

To collect other types of information, select the checkbox next to the name for that type.

Select the drop-down at the bottom of the Collect selected data button in the ribbon,
and select Collect all data. This action collects the complete set of client state data.

While Support Center Client Data Collector is collecting data, select Cancel collection to
stop it.

For more information, see Support Center quickstart guide.

Data types
When you select the checkbox for an option, Support Center Client Data Collector
collects that type of data the next time you select Collect selected data. The following
types are available:

Log files: Client log files including setup logs.

Policy: Client policy collection.

Certificates: Public key information for client certificates. Support Center Client
Data Collector doesn't collect certificate private keys.

Client configuration collector: Configuration Manager client information. You can't
disable this data type.

Client registry: Collects client configuration information from the registry. Support
Center Client Data Collector only collects Configuration Manager registry
information.

Client WMI: Client configuration information from WMI. Support Center Client
Data Collector doesn't collect client policy.

Troubleshooting: Real-time troubleshooting data to help diagnose common client
problems with Active Directory, management points, networking, policy
assignments, and registration.

Note

This data type isn't supported when you make a remote connection to
another client.

Debug dumps: Create a debug dump of client and related processes. Debug
dumps can be large. Only enable this option when troubleshooting issues with
client performance.

Warning

Collecting debug dumps will cause data bundles to become very large. In
some cases, the size can be several hundred MB.

Debug dumps may contain sensitive information, including passwords,
cryptographic secrets, or user data. Only collect debug dumps on the
recommendation of Microsoft Support personnel. Carefully handle data
bundles that contain debug dumps to protect them from unauthorized
access.

This data type isn't supported when you make a remote connection to
another client.

Operating system: Collects configuration information about the local machine.
This data includes information about the Windows installation, network adapters,
and system service configuration. You can't disable this data type.
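The warning above asks that data bundles containing debug dumps be protected from unauthorized access. The following PowerShell is an added example, not part of Support Center, showing one way to do that once Collect selected data has finished: it replaces the bundle folder's ACL so that only SYSTEM, local Administrators and the collecting user can reach it, and writes a SHA-256 manifest so that later modification of any file in the bundle can be detected before it is shared with support. The folder path is an assumed parameter; the real location is whatever you set as the default save location under Options.

```powershell
# Added example (not Support Center code): lock down a collected data bundle and
# record file hashes so the bundle can be checked for tampering before it is shared.
function Protect-SupportCenterBundle {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$BundleFolder,                              # assumed: folder the collector wrote to
        [string]$ManifestPath = (Join-Path $BundleFolder 'bundle-sha256.txt')
    )
    if (-not (Test-Path -LiteralPath $BundleFolder -PathType Container)) {
        throw "Bundle folder '$BundleFolder' not found"
    }

    # Well-known SIDs, so the script does not depend on localized group names.
    $allowed = @(
        [System.Security.Principal.SecurityIdentifier]'S-1-5-18',        # NT AUTHORITY\SYSTEM
        [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544',    # BUILTIN\Administrators
        [System.Security.Principal.WindowsIdentity]::GetCurrent().User   # the user who collected the bundle
    )

    $acl = Get-Acl -LiteralPath $BundleFolder
    $acl.SetAccessRuleProtection($true, $false)              # stop inheriting and drop inherited ACEs
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }   # drop explicit ACEs too
    foreach ($sid in $allowed) {
        $ruleArgs = @($sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs))
    }
    if ($PSCmdlet.ShouldProcess($BundleFolder, 'Replace ACL with SYSTEM, Administrators and current user')) {
        Set-Acl -LiteralPath $BundleFolder -AclObject $acl
    }

    # SHA-256 manifest: one line per file, digest followed by the path relative to the bundle.
    $files = @(Get-ChildItem -LiteralPath $BundleFolder -Recurse -File |
               Where-Object { $_.FullName -ne $ManifestPath })
    $lines = foreach ($f in $files) {
        $h = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256
        '{0}  {1}' -f $h.Hash, $f.FullName.Substring($BundleFolder.Length).TrimStart('\')
    }
    Set-Content -LiteralPath $ManifestPath -Value $lines -Encoding UTF8

    [pscustomobject]@{ Folder = $BundleFolder; Files = $files.Count; Manifest = $ManifestPath }
}

# Usage (run as the user who collected the bundle; -WhatIf previews the ACL change):
# Protect-SupportCenterBundle -BundleFolder 'D:\SupportBundles\2023-03-15-client01' -WhatIf
```

Keep the manifest alongside the bundle and compare it with a fresh Get-FileHash pass before uploading; a mismatch means the bundle was altered after collection, and the restrictive ACL narrows who could have done so.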

Support Center Client Tools

This section describes the user interface for the Support Center Client Tools tool.

Note

In version 2010 and earlier, this tool is called Support Center.

Starting in version 2103, use the Support Center Client Data Collector for the
Collect selected data action.

Window menu
Client tab
Policy tab
Content tab
Inventory tab
Troubleshooting tab
Logs tab

Window menu (Client Tools)

In the upper left corner of the Support Center Client Tools window, select the arrow in
the blue box to open this menu.

Local Machine Connection: Gather log files and troubleshoot the client that's
running Support Center.

Remote Connection: Establish a remote connection with another Configuration
Manager client. After connecting, gather log files and troubleshoot the remote
client.

About: Provides information about Support Center Client Tools, such as the
version.

Options:
Reduce the movement of animated user interface elements
Change the default save location for data bundle files
Change the location of temporary files
Reset warnings. Any warning messages that you previously suppressed appear
again when triggered.
Reset temporary file path to the default,
%UserProfile%\AppData\Local\Microsoft\ConfigMgrSupportCenter

Exit: Close Support Center Client Tools.

Client tab

Load or Refresh (Client)

Load or refresh details for the Configuration Manager client.

Client information
When you load client details, this tool shows the following properties:

Client ID: A unique identifier that Configuration Manager uses to identify the
client.

Hardware ID: A unique identifier that Configuration Manager uses to identify the
client hardware.

Approved: Indicates whether the client is approved in Configuration Manager.

Registration State: Indicates whether the client is registered with Configuration
Manager.

Internet-facing: Indicates whether the client is on the internet.

Version: The version number of the installed Configuration Manager client.

Site Code: The site code for the primary site to which the client is assigned.

Assigned MP: The fully qualified domain name (FQDN) of the client's currently
assigned management point.

Resident MP: The FQDN of the resident management point.

Proxy MP: The hostname or FQDN of the proxy management point (if it exists).

Proxy Site Code: The site code for the secondary site (if it exists).

Proxy State: The state of the Configuration Manager client's proxy management
point. For example, Active or Pending.

Maintenance windows
List all maintenance windows currently defined for this client. The next maintenance
window displays a different status than future windows.

Control client agent service

Do one of the following actions for the Configuration Manager client agent service
(ccmexec) on the connected client:

Restart client

Important

If the client agent service doesn't successfully restart, the client isn't
manageable by Configuration Manager until the service starts.

Start client

Stop client

Important

The client isn't manageable by Configuration Manager until the service starts.

Policy tab (Client Tools)

Use the actions on this tab instead of the older PolicySpy tool.

Load policy
This option varies depending upon the view:

Load Actual policy: Select Actual in the View group, and then select this option in
the Policy group. Load the client policy that you've currently selected.

Load Requested policy: Select Requested in the View group, and then select this
option in the Policy group. Load the client policy requested of the client.

Load Default policy: Select Default in the View group, and then select this option
in the Policy group. Load the default policy for this client.

Select the drop-down list at the bottom of this button for other options:

Load or Refresh all: Load or refresh the actual, requested, and default policy at the
same time.

Actual view
Opens the actual policy view.

Requested view
Opens the requested policy view.

Default view
Opens the default policy view. This policy is what devices get when you install the
Configuration Manager client.

Request and evaluate policy

Request the client policy from the management point, and then evaluate that policy on
the client.

Select the drop-down list at the bottom of this button for other options:

Request policy: Request the client policy from the management point.

Evaluate policy: Evaluate the client policy on the client.

Reset policy to default: Tell the Configuration Manager client to reapply the
default policy. It removes all machine and user policies on the client.

Listen for policy events

Listen for policy events. Select this option again to disable listening for policy events. To
view Policy events, select the arrow at the bottom of this tab.

Clear events
Clear any policy events.

Content tab
View content on the client, including cached content. Monitor the progress of software
update and application deployments.

Load or Refresh (Content)

Applies to the Content and Cache views

Load or refresh the list of content currently on the client.

Invoke trigger (Content)

The following items on this menu request a client action related to content:

Location services

Refresh content locations: Refreshes the distribution points used by any active
content downloads.

Refresh management points: Updates the internal list of management points
used by the client.

Time out content requests: If any content location requests have been running
for too long, this action stops the request.

Application deployment evaluation: Starts a task that evaluates deployed
applications.

Software updates deployment evaluation: Starts a task that evaluates deployed
software updates.

Software updates source scan: Starts a task that scans update source locations.

Windows Installer source list update: Starts a task that updates the source
location for Windows Installer (MSI) installations.

Deployment view

See applications, packages, and updates that are loaded on the client. When you select
an application, package, or update, you can view details on that content. For some
applications, you can also do the following actions:

Refresh: Refresh the details view.

Verify or Download: Verify that an application is available for download.

Install: Install the application.

Uninstall: Uninstall the application.

Starting in Configuration Manager version 2107, the view is grouped by Category and
Status. The view can be sorted and filtered to help you find the deployments you're
interested in. Select a deployment in the results pane to display the following
information in the details pane:

Properties tab
Name: The name of the deployment property.
Value: The value assigned to the deployment property.

Policy tab
Display name: Display name of the items in the deployment.
Version: Version for the item in the deployment.
Model name: Model name for the item in the deployment.
CI XML: XML for the configuration item.

Reporting tab
Time: Timestamp of the state message.
State: The state that was reported by the client.
Topic ID: ID of what the state message is reporting on, used to map to events in
log files. In this context, it will typically be the Assignment ID of the deployment.
Topic type: The state message type.
Topic type ID: The subtype of the state message.
State ID: The result of the action that you're monitoring.

Note

In Configuration Manager version 2103 and earlier, Deployment view is named
Content view.

Cache view
View the client cache configuration and details about the cache contents. When you
connect Support Center Client Tools to a local client, you can also do the following
actions:

To change the cache location, select Change next to the Cache location field.
To adjust the size of the cache, select Change next to the Cache size field.
To clear the client cache, select Clear next to the Cache in use field.

This view shows the following properties:

Location: The location of each cache folder. Select the link to open the folder in
Windows Explorer.
Content ID
Cache ID
Size
Last Referenced: This property is the date when the client last read from or wrote
to this item in the cache.

Monitoring view

View the active progress of software update and application update deployments. This
view shows state messages raised from application and software updates event WMI
messages.

For each event, the view shows the following properties:

Time: The time that the client raised the event.
Topic type: The state message type.
Topic ID: ID of the state message, used to map to events in log files.
Topic ID type: The subtype of the state message.
State ID: The result of the action that you're monitoring.
Details and Event data: More information on the state messages shown in this
view. State details may sometimes be blank.

All updates view

View details about software updates:

State
Article ID
Bulletin
Name
Update ID
Scan Time
Source Version
Source Unique ID

Inventory tab
Load or Refresh (Inventory)
Load or refresh the client inventory list for the currently selected view.

Invoke trigger (Inventory)

Note

For tasks other than Software metering report cycle:

If you request the task when another inventory task is already running, the
client queues the new task to run after it completes the current task and other
queued tasks.
Track the progress of the task in InventoryAgent.log.

The following items on this menu request client action related to inventory:

Discovery data collection cycle (heartbeat): Triggers the client task used to collect
device discovery information.

File collection cycle: Triggers the client task used to collect local files.

Hardware inventory cycle: Triggers the client task used to collect hardware
inventory data.

IDMIF collection cycle: Triggers the client task used to collect IDMIF data.

Software inventory cycle: Triggers the client task used to collect software
inventory data.

Software metering report cycle: Triggers the client task used to build a software
metering report and send it to the management point. Track the progress of this
task in SWMTRReportGen.log.

Send unsent state messages in queue: Triggers the client task to flush the queue
of state messages.

Advanced
Hardware inventory cycle (full resynchronization)
Software inventory cycle (full resynchronization)
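The Invoke trigger menus on the Content and Inventory tabs request client actions by name. As an added example that is not Support Center code, the following PowerShell requests the same actions through the client's SMS_Client WMI class in the root\ccm namespace using its TriggerSchedule method. The schedule IDs are assumed from the client SDK's well-known values and should be checked against your client version; menu items the page lists that do not map to a single schedule ID (IDMIF collection cycle and the two full-resynchronization variants) are deliberately left out.

```powershell
# Added example (not Support Center code): request the client actions named on the
# Invoke trigger menus via SMS_Client.TriggerSchedule. Schedule IDs are assumed
# well-known client SDK values; verify them for your client version.
$ClientTriggers = @{
    'Hardware inventory cycle'               = '{00000000-0000-0000-0000-000000000001}'
    'Software inventory cycle'               = '{00000000-0000-0000-0000-000000000002}'
    'Discovery data collection cycle'        = '{00000000-0000-0000-0000-000000000003}'
    'File collection cycle'                  = '{00000000-0000-0000-0000-000000000010}'
    'Machine policy retrieval'               = '{00000000-0000-0000-0000-000000000021}'
    'Machine policy evaluation'              = '{00000000-0000-0000-0000-000000000022}'
    'Software metering report cycle'         = '{00000000-0000-0000-0000-000000000031}'
    'Windows Installer source list update'   = '{00000000-0000-0000-0000-000000000032}'
    'Software updates deployment evaluation' = '{00000000-0000-0000-0000-000000000108}'
    'Send unsent state messages in queue'    = '{00000000-0000-0000-0000-000000000111}'
    'Software updates source scan'           = '{00000000-0000-0000-0000-000000000113}'
    'Application deployment evaluation'      = '{00000000-0000-0000-0000-000000000121}'
}

function Invoke-CcmClientTrigger {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Trigger,
        [string]$ComputerName        # omit for the local client; remote needs WinRM and local admin rights
    )
    if (-not $ClientTriggers.ContainsKey($Trigger)) {
        throw "Unknown trigger '$Trigger'. Known triggers: $($ClientTriggers.Keys -join ', ')"
    }
    $id = $ClientTriggers[$Trigger]
    $target = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }

    $params = @{
        Namespace  = 'root\ccm'
        ClassName  = 'SMS_Client'
        MethodName = 'TriggerSchedule'
        Arguments  = @{ sScheduleID = $id }
    }
    if ($ComputerName) { $params.ComputerName = $ComputerName }

    if ($PSCmdlet.ShouldProcess($target, "TriggerSchedule '$Trigger' ($id)")) {
        Invoke-CimMethod @params | Out-Null
        Write-Verbose "Requested '$Trigger' on $target"
    }
}

# Usage: the same request the Inventory tab makes for a hardware inventory cycle.
# Progress is then visible in InventoryAgent.log, as the Note above describes.
# Invoke-CcmClientTrigger -Trigger 'Hardware inventory cycle' -Verbose
# Invoke-CcmClientTrigger -Trigger 'Machine policy retrieval' -ComputerName 'client01' -WhatIf
```

As with the tool itself, the request is queued by the client: a trigger issued while another inventory task is running waits until that task and any already queued tasks complete.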

Views
If a feature isn't enabled, the view doesn't display any data.

Status: Show the inventory data sets the client has collected.

DDR: Information about the client discovery data collected from the client.

HINV: Information about the hardware inventory data collected from the client.

SINV: Information about the software inventory data collected from the client.

File collection: Information about the files collected from the client.

IDMIF: Information about the IDMIF and NOIDMIF data collected from the client.

Metering: Information about the software metering data collected from the client.

Troubleshooting tab (Client Tools)

Troubleshoot some of the most common issues with Configuration Manager clients:

Issues with Active Directory
Windows networking
Configuration Manager
Management points
Policy assignment
Registration

Note

This tab isn't available when you connect to a remote Configuration Manager client.

Start

Starts troubleshooting the client.

Active Directory: Queries Active Directory to retrieve published Configuration
Manager site information.
MPCERTIFICATE: Gets management point certificates.
MPLIST: Gets a list of management points.
MPKEYINFORMATION: Gets management point cryptographic key information.
Networking: Troubleshoots issues with networking.
Policy Assignments: Retrieves policy assignments.
Registration: Verifies that the client is registered with the site.

View selected log

After you select a row on the Troubleshooting tab, select this action to view the log file.

Keep previous results

If you troubleshoot the client, and then want to try troubleshooting again, choose this
option to keep results from your first attempt. Otherwise, it overwrites previous
troubleshooting log files.

Logs tab
This tab of Support Center Client Tools is almost identical to the Log Viewer tool. The
Log Viewer tool doesn't include the Configure client logging and Log groups features.
The Support Center Log File Viewer section details the other options available on this
tab.

Tasks: Configure client logging

Set the following options:

Client log level: Log verbosity and file size
Maximum file count: Allow more than one log file of a given type
Maximum file size: The size in bytes of any given log file before the client creates a
new log

Note

If you set these values too low, the client may not log any useful information. If you
set these values too high, the client logs can consume large amounts of storage.

For more information, see About log files.

Log groups

Instead of manually selecting log files using the Open logs button, use this drop-down
list to open all log files associated with the following feature areas:

Desired Configuration Management
Inventory
Software Distribution
Software Updates
Application Management
Policy
Client Registration
Operating System Deployment

Support Center Viewer

This section describes the user interface (UI) for the Configuration Manager Support
Center Viewer tool. The available tabs vary based on the contents of the
troubleshooting bundle. The Window menu and Home tab show by default.

Window menu
Home tab
Configuration tab
Logs tab
Debug dumps tab
WMI tab
Registry tab
Policy tab
Certificates tab
Troubleshooting tab

Window menu (Viewer)

In the upper left corner of the Support Center Viewer window, select the arrow in the
blue box to open this menu.

Open bundle: Browse to the location of a data bundle created by one of the
following tools:
Version 2103 and later: Support Center Client Data Collector
Version 2010 and earlier: Support Center

About: Displays information about Support Center Viewer, such as the version.

Options:
Reduce the movement of animated user interface elements.
Change the location of temporary files.
Reset warnings. Any warning messages that you previously suppressed appear
again when triggered.
Reset temporary file path to the default,
%UserProfile%\AppData\Local\Microsoft\ConfigMgrSupportCenterViewer

Exit: Exits Support Center Viewer.

Home tab (Viewer)

Open bundle
Browse to the location of a data bundle created by one of the following tools:

Version 2103 and later: Support Center Client Data Collector
Version 2010 and earlier: Support Center

Open log file

Select one or more log files to open.

Decode certificate (Viewer: Home)

In the Decode certificate window, paste the serialized certificate value for any certificate
on the client. Find this value in the registry, in log files, or in WMI. Select Process to view
general information and details on the certificate. This information includes its
certification path. Select Export to export the certificate as a .cer file.

Configuration tab
The Configuration tab of the Support Center Viewer tool provides the following views
using data retrieved from WMI providers:

Client: This view displays the same information shown on the Client tab of Support
Center.

Operating system: Details for the client's OS. It uses the Win32_OperatingSystem
class.

Computer: Details for the client computer. It uses the Win32_OperatingSystem
class.

Services: Details for services running on the client computer. It uses the
Win32_Service class.

Network adapters: Details for network adapters installed on the client computer. It
uses the Win32_NetworkAdapterConfiguration class.

Logs tab (Viewer)

The Logs tab shows a list of the log files included in the bundle. Each row on this tab
provides the path, name, and size of the log file.

Open

After selecting a log file, select this button to open the Log Viewer. It provides a subset
of the functionality seen on the Support Center Client Tools Logs tab.

Decode certificate (Viewer: Logs)

In the Decode certificate window, paste the serialized certificate value for any certificate
on the client. Find this value in the registry, in log files, or in WMI. Select Process to view
general information and details on the certificate. This information includes its
certification path. Select Export to export the certificate as a .cer file.

Debug dumps tab

Each row on this tab provides details on the debug dump files that are available to
export. Use this tab to export debug dump files (.dmp) for further analysis. This analysis
uses a debugging tool such as WinDbg.

Warning

Debug dumps may contain sensitive information, including passwords,
cryptographic secrets, or user data. Only collect debug dumps on the
recommendation of Microsoft Support personnel. Carefully handle data bundles
that contain debug dumps to protect them from unauthorized access.

Export (Viewer: Debug dumps)

Save a copy of the selected debug dump file.

WMI tab
This tab shows the set of WMI data from the Configuration Manager client that the data
bundle includes.

Find (Viewer: WMI)

Opens the Find window, which has the following features:

Find what: Enter a string to search for in the WMI data set. It supports wildcard
characters.

Look at: Choose whether you want to search within the WMI data set for a
matching Class or instance name, Property, or Value.

Match whole string only: By default, it searches for strings that contain the string
for which you're looking. Choose this checkbox to only find strings that are an
exact match to the string that you provided.

Find next (Viewer: WMI)

Open the next instance of the search string in the WMI data set.

Decode certificate (Viewer: WMI)

In the Decode certificate window, paste the serialized certificate value for any certificate
on the client. Find this value in the registry, in log files, or in WMI. Select Process to view
general information and details on the certificate. This information includes its
certification path. Select Export to export the certificate as a .cer file.

Registry tab
Use the Registry tab to view registry data included in the data bundle, and to export
that data for further analysis.

Export (Viewer: Registry)

Save a copy of the registry key and subkeys that you select as a registry (.reg) file.

Find (Viewer: Registry)

Opens the Find window, which has the following features:

Find what: Enter a string to search for in the WMI data set. It supports wildcard
characters.

Look at: Choose whether you want to search within the WMI data set for a
matching Class or instance name, Property, or Value.

Match whole string only: By default, it searches for strings that contain the string
for which you're looking. Choose this checkbox to only find strings that are an
exact match to the string that you provided.

Find next (Viewer: Registry)

Open the next instance of the search string in the WMI data set.

Decode certificate (Viewer: Registry)

In the Decode certificate window, paste the serialized certificate value for any certificate
on the client. Find this value in the registry, in log files, or in WMI. Select Process to view
general information and details on the certificate. This information includes its
certification path. Select Export to export the certificate as a .cer file.

Policy tab (Viewer)

The Policy tab is used to view policy data included in the data bundle.

Find (Viewer: Policy)

Opens the Find window, which has the following features:

Find what: Enter a string to search for in the WMI data set. It supports wildcard
characters.

Look at: Choose whether you want to search within the WMI data set for a
matching Class or instance name, Property, or Value.

Match whole string only: By default, it searches for strings that contain the string
for which you're looking. Choose this checkbox to only find strings that are an
exact match to the string that you provided.

Find next (Viewer: Policy)

Open the next instance of the search string in the WMI data set.

Decode certificate (Viewer: Policy)

In the Decode certificate window, paste the serialized certificate value for any certificate
on the client. Find this value in the registry, in log files, or in WMI. Select Process to view
general information and details on the certificate. This information includes its
certification path. Select Export to export the certificate as a .cer file.

Certificates tab
Use the Certificates tab to view certificates included in the data bundle, and to export
them.

View certificate
Displays information about a selected certificate.

Export (Viewer: Certificates)

Save a copy of the certificate that you select.

Troubleshooting tab (Viewer)

Use the Troubleshooting tab to view log files created using the Troubleshooting tab of
Support Center Client Tools.

View log

After you select a row on the Troubleshooting tab, select this option to view the log file
with Log File Viewer.

Support Center Log File Viewer

This section describes the user interface for the Support Center Log File Viewer tool.

Window menu
Home tab

This tool is almost identical to the Logs tab of Support Center Client Tools. The main
difference is that this tool doesn't include the options to Configure client logging and
Log groups.

Starting in version 2111, Support Center Log File Viewer displays status messages in an
easy-to-read format. Entries starting with >> are status messages that are automatically
converted into a readable format when a log is opened. Search or filter on the >> string
to find status messages in the log.

Window menu (Log File Viewer)

In the upper left corner of the Support Center Log File Viewer window, select the arrow
in the blue box to open this menu.

Open logs: Browse to the location of log files to open.

Options:
Reduce the movement of animated user interface elements.
Register Log File Viewer as the default app for log files with the .log and .lo_
file extensions.
Reset warnings. Any warning messages that you previously suppressed appear
again when triggered.

About: Displays information about Support Center Log File Viewer, such as the
version.

Close: Closes Support Center Log File Viewer.

Home tab (Log File Viewer)

Open logs

Support Center Log File Viewer prompts you to select one or more log files to open.

Select the drop-down at the bottom of the Open logs button in the ribbon, and select
one of the following options:

Open logs in current view: Opens the selected log files in the current view.
Open logs in new window: Opens the selected log files in a new Log Viewer
window.

Close and clear logs

Closes any open log files. Also clears any displayed log file entries from the window.
Support Center Log File Viewer won't display these entries in the future.

Select the drop-down at the bottom of the Close and clear logs button in the ribbon,
and select one of the following options:

Clear all entries: Clears any displayed log file entries from the window. Support
Center Log File Viewer won't display these entries in the future.
Close all logs: Closes any open log files.

Find (Log File Viewer)

Opens the Find window. Enter a string to search for. To avoid matches on short strings
in other strings, you can choose to match whole words. You can also choose to do a
case-sensitive match for the string.

Find next (Log File Viewer)

After finding a match for the string that you're searching for, this option takes you to
the next match.

Find previous (Log File Viewer)

After finding two or more matches for the string that you're searching for, this option
takes you to the previous match.

Options

Live updating: Monitor a currently open log file for changes. This feature doesn't
function when multiple log files are open. This option is enabled by default.

Auto-scroll: If you also chose the Live updating option, this option automatically
scrolls the log view to show newly added entries. This feature doesn't function
when multiple log files are open. This option is enabled by default.

Show details: When you select a log file message, the bottom of the Logs tab
displays the details of the log file message. This option is enabled by default.

Quick filter: Filter the log file messages across all open log files to find a specific
string. You can filter by log text, component name, and thread ID. To find similar
log messages, right-click a log message and select Quick filter on log text.

Wrap log text: Wrap long and multi-line messages to fit into a single column. This
behavior makes these messages easier to read. This option is enabled by default.

Raw log entry display: Displays unprocessed log lines.

Advanced filters: Open the Advanced filters window. For more information, see
Advanced log file filters.

Error code links: Error codes in log text are highlighted and clickable. This option is
enabled by default.

Error lookup

Enter an error code to search for that error code in currently open log files. Use the
following error code formats:

32-bit integer (signed): For example, -2147024891
32-bit integer (unsigned): For example, 2147942405
32-bit hexadecimal: For example, 0x80070005

Decode certificate (Log File Viewer)

In the Decode certificate window, paste the serialized certificate value for any certificate
on the client. Find this value in the registry, in log files, or in WMI. Select Process to view
general information and details on the certificate. This information includes its
certification path. Select Export to export the certificate as a .cer file.

Advanced log file filters

Advanced log file filters allow you to include, exclude, or highlight specific strings. These
strings can occur in a log file or log file group when looking at log file entries. Use
wildcard searches when creating a filter. When you have a useful combination of filters,
save them as a filter set.

Advanced log file filters supersede quick filters. Use both together, but quick filters only
apply to the displayed log data. Advanced filters determine what data is initially
displayed before it applies any quick filters.

In the Advanced filters window, you can create complex filter sets. These filter sets
search for strings across many log file components. These components include
messages, threads, logging levels, and components. A filter set contains multiple filter
statements that you use to include, exclude, or highlight log file messages. A filter
defines a log file column to search within, an operator, and a value. The value can
contain regular expressions, such as the wildcard character *.

Add a filter

1. In the Log File Viewer tool, or on the Support Center Client Tools Logs tab, select
Advanced filters.

2. In the Advanced filters window, select Add. Then select one of the following
options to act on log entries that match your filter:

Include
Exclude
Highlight

3. In the Advanced filter configuration window, choose a column and an operator:

Column: Choose where to look for strings that match your filter:

Log text: Search within the text of a log file

Log severity: Search for logs with a specific severity level. Set these
severity levels in the Value field.

Component: Search for a specific component by name

Thread ID: Search for log messages with a specific thread ID

Source file: Search for log messages that occur in a specific log file

Operator: Choose an operator for your filter

4. Enter a value to filter on in the Value field. If your value contains regular
expressions, select Enable regular expression matching.

Manage filter sets

To edit a filter, select the filter, and then select Edit.

To delete a filter, select the filter, and then select Delete.

To clear all filters, select Clear.

To save the current filter set, select Save filters. Then save your filter set as a
.filterset file.

To load a saved filter set, select Load filters. Then browse to a previously saved
.filterset file.

Customize Support Center
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The Support Center tool includes a configuration file that you can customize. By default,
when you install Support Center, this file is in the following path: C:\Program Files
(x86)\Configuration Manager Support Center\ConfigMgrSupportCenter.exe.config . The
configuration file changes the behavior of the program:

Customize data collection: Edit the sets of registry keys and WMI namespaces that
it includes during data collection.

Customize log groups: Define new groups of log files using regular expressions.
Also add other log files to log groups.

Collect other log files using wildcards: Use wildcard searches to collect more log
files.

To make these changes, you need local administrative permissions on the client where
you've installed Support Center. Make these customizations using a text or XML editor,
such as Notepad or Visual Studio.

Important

The Support Center configuration file is an XML-formatted file. It's essential to the
operation of Support Center. Modifying this file is only recommended for users
who are familiar with XML and regular expressions.

Before you customize the Support Center configuration file, save a backup of the
original. This backup allows you to recover the original Support Center functionality if
you make mistakes while editing the file. If you don't create a backup, and Support
Center doesn't function correctly after you modify the configuration file, reinstall
Support Center. You can also copy a configuration file from another installation of
Support Center.

Customize data collection

To customize the collection of data on the client, modify the Support Center
configuration file using XML elements contained within the <dataCollectorSettings>
element.

WMI data collection

The <CcmWmiDataCollector> element contains a <collectionScopes> element. Use this
element to change the WMI namespaces from which Support Center collects data. It
also includes an <ignoreScopes> element. Use this element to filter out the collection of
data from portions of the namespaces defined in the <collectionScopes> element.

Example for WMI data collection

The default configuration file collects data from the root\ccm namespace. It includes
this path in an <add/> element in <collectionScopes> .

It also ignores everything under the \cimodels , \invagt , \events , and \policy paths for
this namespace. It includes these paths in <add/> elements contained within
<ignoreScopes> .

XML

<CcmWmiDataCollector>
  <collectionScopes>
    <!-- Collect these namespaces (ignoring the sub-scopes in the ignoreScopes block) -->
    <add key="root\ccm"/>
    <add key="root\cimv2\sms"/>
  </collectionScopes>
  <ignoreScopes>
    <!-- Collecting these namespaces is known to be problematic/unnecessary -->
    <add key="root\ccm\cimodels"/>
    <add key="root\ccm\invagt"/>
    <add key="root\ccm\events"/>
    <!-- Do not collect policy, there's already a separate policy collector.-->
    <add key="root\ccm\policy"/>
  </ignoreScopes>
</CcmWmiDataCollector>

Registry data collection

The <RegistryDataCollector> element contains a <registryKeys> element. Use this
element to change the registry keys and subkeys that Support Center collects under the
HKEY_LOCAL_MACHINE path. Support Center doesn't support the collection of registry data
from other root registry paths.

Example for registry data collection

To collect registry keys for the classic programs installed on the device, add the
following <add/> element in the <registryKeys> element:
<add key="software\\microsoft\\windows\\currentversion\\uninstall"/>

XML

<RegistryDataCollector>
  <registryKeys>
    <!-- Registry keys (and all subkeys) to collect -->
    <add key="software\\microsoft\\ccm"/>
    <add key="software\\microsoft\\sms"/>
    <add key="software\\microsoft\\ccmsetup"/>
    <add key="software\\microsoft\\windows\\currentversion\\uninstall"/>
  </registryKeys>
</RegistryDataCollector>

Customize log file groups

To customize which log files Support Center collects, and how it presents them in the
Log groups list, use elements in the <logGroups> element. When you start Support
Center, it scans this section of the configuration file. It then creates a group on the Log
groups list for each unique key attribute value found in the <add/> elements contained
in the <logGroups> element.

Component log group: The <componentLogGroup> element uses a key attribute to
define the name of the log group that appears in the list. It also uses a value
attribute that contains a regular expression (regex). It uses this regex to collect a
set of related log files.

Static log group: The <staticLogGroup> element uses a key attribute to define the
name of the log group that appears in the list. It also uses a value attribute that
defines a log file name.

If the same key attribute value is used in an <add/> element within both the
<componentLogGroup> element and the <staticLogGroup> element, Support Center
creates a single group. This group includes the log files defined by both elements that
use the same key.

Example for log file groups

XML

<logGroups>
  <componentLogGroup>
    <add key="Application Management" value="^(app.*|ci.*|contentaccess|contenttransfermanager|datatransferservice|dcm.*|execmgr.*|UserAffinity.*|.*Handler$|.*Provider$)"/>
    <add key="Client Registration" value="^(clientregistration|locationservices|ccmmessaging|ccmexec)"/>
    <add key="Inventory" value="^(ccmmessaging|inventoryagent|mtrmgr|swmtrreportgen|virtualapp|mtr.*|filesystemfile)"/>
    <add key="Policy" value="^(ccmmessaging|policyagent_.*|policyevaluator_.*)"/>
    <add key="Software Updates" value="^(ci.*|contentaccess|contenttransfermanager|datatransferservice|dcm.*|update.*|wuahandler|xmlstore|scanagent)"/>
    <add key="Software Distribution" value="^(datatransferservice|execmgr.*|contenttransfermanager|locationservices|contentaccess|filebits)"/>
    <add key="Desired Configuration Management" value="^(ci.*|dcm.*)"/>
    <add key="Operating System Deployment" value="^(ts.*)"/>
  </componentLogGroup>
  <staticLogGroup>
    <add key="Application Management" value="ccmsdkprovider.log"/>
    <add key="Desired Configuration Management" value="ccmsdkprovider.log"/>
    <add key="Software Updates" value="ccmsdkprovider.log"/>
  </staticLogGroup>
</logGroups>
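As an added example (not Support Center's own code), the following Python reads a configuration assembled from the snippets in this article and evaluates the two settings described above: whether a WMI namespace falls inside collectionScopes but outside ignoreScopes, and which Log groups entry each log file name lands in, including the merge of a key that both componentLogGroup and staticLogGroup use. It assumes namespace scopes match as case-insensitive path prefixes, that the group regex is applied case-insensitively to the file name without its .log extension, and that <logGroups> sits under <CcmLogDataCollector>; the lookups search by tag name, so that last assumption does not affect the result.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from this article's snippets (trimmed to a few groups).
SAMPLE_CONFIG = r"""<configuration>
  <dataCollectorSettings>
    <CcmWmiDataCollector>
      <collectionScopes>
        <add key="root\ccm"/>
        <add key="root\cimv2\sms"/>
      </collectionScopes>
      <ignoreScopes>
        <add key="root\ccm\cimodels"/>
        <add key="root\ccm\invagt"/>
        <add key="root\ccm\events"/>
        <add key="root\ccm\policy"/>
      </ignoreScopes>
    </CcmWmiDataCollector>
    <CcmLogDataCollector>
      <logGroups>
        <componentLogGroup>
          <add key="Policy" value="^(ccmmessaging|policyagent_.*|policyevaluator_.*)"/>
          <add key="Desired Configuration Management" value="^(ci.*|dcm.*)"/>
          <add key="Operating System Deployment" value="^(ts.*)"/>
        </componentLogGroup>
        <staticLogGroup>
          <add key="Desired Configuration Management" value="ccmsdkprovider.log"/>
        </staticLogGroup>
      </logGroups>
    </CcmLogDataCollector>
  </dataCollectorSettings>
</configuration>"""

# Constructed list of client log file names.
SAMPLE_FILES = [
    "PolicyAgent_RequestAssignments.log", "ccmmessaging.log", "smsts.log",
    "TSAgent.log", "CIAgent.log", "ccmsdkprovider.log", "execmgr.log",
]


def load_config(xml_text: str) -> ET.Element:
    return ET.fromstring(xml_text)


def _keys(root: ET.Element, tag: str) -> list:
    """key attributes of the <add/> elements under the first element named tag."""
    container = next(root.iter(tag), None)
    return [a.get("key") for a in container.iter("add")] if container is not None else []


def _under_scope(namespace: str, scope: str) -> bool:
    """Assumed semantics: a scope covers itself and every namespace below it,
    compared case-insensitively on whole path segments."""
    ns, sc = namespace.lower().rstrip("\\"), scope.lower().rstrip("\\")
    return ns == sc or ns.startswith(sc + "\\")


def wmi_namespace_collected(root: ET.Element, namespace: str) -> bool:
    """Collected when under some collectionScopes key and under no ignoreScopes key."""
    in_scope = any(_under_scope(namespace, s) for s in _keys(root, "collectionScopes"))
    ignored = any(_under_scope(namespace, s) for s in _keys(root, "ignoreScopes"))
    return in_scope and not ignored


def log_groups(root: ET.Element, filenames: list) -> dict:
    """Group name -> sorted file names. A key present in both <componentLogGroup>
    and <staticLogGroup> yields one merged group, as the article describes.
    Assumed: the regex runs case-insensitively against the file name without its
    .log extension; a static entry matches the whole file name."""
    groups: dict = {}
    component = next(root.iter("componentLogGroup"), None)
    static = next(root.iter("staticLogGroup"), None)
    for add in (component.iter("add") if component is not None else []):
        pattern = re.compile(add.get("value"), re.IGNORECASE)
        for name in filenames:
            stem = name[:-4] if name.lower().endswith(".log") else name
            if pattern.match(stem):  # the article's regexes are anchored with ^
                groups.setdefault(add.get("key"), set()).add(name)
    for add in (static.iter("add") if static is not None else []):
        for name in filenames:
            if name.lower() == add.get("value").lower():
                groups.setdefault(add.get("key"), set()).add(name)
    return {key: sorted(files) for key, files in groups.items()}


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print(wmi_namespace_collected(cfg, r"root\ccm\policy\machine"))
    print(log_groups(cfg, SAMPLE_FILES))
```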

Collect other log files with wildcards

To collect other log files, use wildcards in the file path or filename. These wildcards
include system-wide environment variables such as %WINDIR% , but exclude user-scoped
environment variables such as %USERPROFILE% . To collect other log files using this
non-recursive log file search, use an <add/> element within the <additionalLogFiles>
element.

These examples show how Support Center uses this feature in the default configuration
file.

Example 1: Collect all Windows Update log files in the Windows directory

The following element collects any file named WindowsUpdate.log found in the Windows
directory:

<add key="%WINDIR%\WindowsUpdate.log" />

Example 2: Collect all log files in the Windows Logs directory

The following element collects any file that ends in .log found in the Windows logs
directory:

<add key="%WINDIR%\logs\*.log" />

Full example XML

XML

<CcmLogDataCollector>
  <additionalLogFiles>
    <!-- Collect these additional log files. Can pass in a wildcard for the
         filename. System variables are also supported. -->
    <!--
    <add key="%WINDIR%\WindowsUpdate.log" />
    <add key="%WINDIR%\logs\*.log" />
    -->
  </additionalLogFiles>
</CcmLogDataCollector>

Accessibility features in Support Center
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Support Center has many helpful accessibility features that make it easier for everyone
to use.

Use the keyboard to move around the ribbon

Use keyboard shortcuts to access every menu of the Support Center ribbon. This ribbon
contains all commands used by Support Center.

Press Alt or F10 to see keyboard shortcuts for each menu.

To switch to a menu, press the associated shortcut key. For example, to go to the
Logs menu, press Alt and then L.

Use the keyboard to perform common tasks

You can also use a keyboard to perform common tasks in the Support Center suite of
tools. The following table lists the most common tasks that you can perform with the
keyboard:

Task | Keyboard shortcut
--- | ---
Open application configuration options | F4
Exit | Alt + F4
Load or Refresh client details | F5 (on the Support Center Client Details tab)
Load selected policy view | F5 (on the Support Center Client Policy tab)
Refresh a policy | F5 (on the Support Center Client Policy tab, after selecting a policy)
Copy as MOF | Ctrl + Shift + C (on the Support Center Client Policy tab, after selecting a policy; also available for WMI events)
Copy a policy as local client MOF | Ctrl + Shift + X (on the Support Center Client Policy tab, after selecting a policy)
Request policy | Ctrl + R (on the Support Center Client Policy tab)
Evaluate policy | Ctrl + E (on the Support Center Client Policy tab)
Load or refresh content view | F5 (on the Support Center Content tab)
Load inventory | F5 (on the Support Center Inventory tab)
Start troubleshooting | F5 (on the Support Center Troubleshooting tab)
Open data bundle | Ctrl + O (on the Support Center Viewer Home tab)
Open log files | Ctrl + O (on the Support Center Logs tab, and in the Log Viewer window)
Open log files in current view | Ctrl + Shift + O (on the Support Center Logs tab, and in the Log Viewer window)
Open log files in a new Log Viewer window | Ctrl + N (on the Support Center Logs tab, and in the Log Viewer window)
Close all log files | Ctrl + W (on the Support Center Logs tab, and in the Log Viewer window)
Search in log files | Ctrl + F: Opens the Find dialog to enter search string; F3: Find the next match; Shift + F3: Find the previous match
Look up an error code | Ctrl + L (on Logs tab, and in the Log Viewer window)
Copy from a log file | Ctrl + C: Copies log file text; Ctrl + Shift + C: Copies the log entry without formatting
Quick filter using log file text | Ctrl + Shift + C (on Logs tab, and in the Log Viewer window)
Annotate a log file | Ctrl + Shift + N (Note 1) (on Logs tab, and in the Log Viewer window)
Open Help | F1

Note 1: Annotate a log file

Support Center stores annotations in memory. You can only use them within a log
viewing session. To retain an annotation for future use, take a screen capture to save the
resulting image.

Next steps

Accessibility features in Configuration Manager

Configuration Manager Tools
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The Configuration Manager tools primarily include client-based and server-based tools.
Use these tools to help support and troubleshoot your Configuration Manager
infrastructure.

These tools are included in the CD.Latest\SMSSETUP\Tools folder on the site server. No
further installation is required. Use these versions of the tools with supported versions of
Configuration Manager current branch.

All Windows operating systems listed as supported clients in Supported operating
systems for clients and devices are supported for use with these tools.

Note

For supported versions of Configuration Manager current branch, use the versions
of the tools in the CD.Latest folder on the site server. Some tools were formerly in
the toolkit but aren't included in current branch. These legacy tools are no longer
supported.

Client tools

These tools are in the ClientTools subfolder:

Client Spy: Troubleshoot issues related to software distribution, inventory, and
metering

Deployment Monitoring Tool: Troubleshoot applications, updates, and baseline
deployments

Policy Spy: View policy assignments

Power Viewer Tool: View status of power management feature

Send Schedule Tool: Trigger schedules and evaluations of configuration baselines

Note

The ClientTools folder also includes the file
Microsoft.Diagnostics.Tracing.EventSource.dll. Several client tools require this
library. You can't directly use it.

Server tools

These tools are in the ServerTools subfolder:

DP Job Queue Manager: Troubleshoots content distribution jobs to distribution
points

Collection Evaluation Viewer: View collection evaluation details

Important

Starting in Configuration Manager version 2103, this standalone tool isn't
supported. The tool is no longer included with the Configuration Manager
installation source. Starting in version 2010, its functionality is built-in to the
console. For more information, see How to view collection evaluation.

Content Library Explorer: View contents of the content library single instance store

Content Library Transfer: Transfers content library between drives

Content Ownership Tool: Changes ownership of orphaned packages. These
packages exist in the site without an owning site server.

Role-based Administration and Auditing Tool: Helps administrators audit roles
configuration

Note

Starting in version 2107, RBAViewer has moved from
<installdir>\tools\servertools\rbaviewer.exe . It's now located in the
Configuration Manager console directory. After you install the console,
RBAViewer.exe will be in the same directory. The default location is C:\Program
Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\rbaviewer.exe .

Run Meter Summarization Tool: Run metering summarization task and analyze
metering data

Note

The ServerTools folder also includes the following files:

AdminUI.WqlQueryEngine.dll
Microsoft.ConfigurationManagement.ManagementProvider.dll
Microsoft.Diagnostics.Tracing.EventSource.dll

Several server tools require these libraries. You can't directly use them.

More tools in the folder

The following tools are in the CD.Latest\SMSSETUP\TOOLS folder on the site server:

CMTrace: View, monitor, and analyze Configuration Manager log files.

CMPivot: Use the standalone version of this tool to query real-time data from
clients.

Update reset tool: Fix issues when in-console updates have problems downloading
or replicating.

Configuration Manager group policy administrative template: Configure and assign
client installation properties by using a group policy object.

Content library cleanup tool: Remove orphaned content from a distribution point.

Desktop Analytics log collector: Helps to troubleshoot Desktop Analytics device
enrollment issues.

Extend and migrate on-premises site to Microsoft Azure: Helps you to
programmatically create Azure virtual machines (VMs) for Configuration Manager.

Synchronize Microsoft 365 Apps updates from a disconnected software update
point (OfflineUpdateExporter): Import Microsoft 365 Apps updates from an
internet connected WSUS server into a disconnected Configuration Manager
environment.

Configure client communication ports: Reconfigure the port numbers for existing
clients.

Service Connection Tool: Keep your site up to date when your service connection
point is offline.

Support Center: Gather information from clients for easier analysis when
troubleshooting.

OneTrace is a modern log viewer with Support Center. It works similarly to
CMTrace, with improvements. For more information, see Support Center OneTrace.

Send feedback that you saved for later submission (UploadOfflineFeedback): Save
your product feedback locally and submit it later.

Other tools

Hierarchy Maintenance Tool: Use Preinst.exe in the
\\<SiteServerName>\SMS_<SiteCode>\bin\X64\00000409 shared folder on the site server
to pass commands to the hierarchy manager component.

Microsoft Deployment Toolkit (MDT): A collection of tools, processes, and guidance
for automating desktop and server OS deployments.

System Center Updates Publisher (SCUP): A stand-alone tool to manage and
import custom software updates.

Package Conversion Manager: Convert legacy packages into applications.


CMTrace
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

CMTrace is one of the Configuration Manager tools. It allows you to view and monitor
log files, including the following types:

Log files in Configuration Manager or Client Component Manager (CCM) format

Plain ASCII or Unicode text files, such as Windows Installer logs

The tool helps to analyze log files by highlighting, filtering, and error lookup.

Note

CMTrace isn't automatically registered with Windows to open the .log file
extension. For more information, see File associations.

Configuration Manager version 2107 includes multiple performance improvements to
the CMTrace log viewer.

Locations

Configuration Manager automatically installs CMTrace in the following locations:

The site server's tools directory. For example: cd.latest\SMSSETUP\Tools\CMTrace.exe

The Management point's installation directory. For example: C:\SMS_CCM\CMTrace.exe

The client installation directory. For example: C:\Windows\CCM\CMTrace.exe

OS deployment boot images. For example: X:\sms\bin\x64\CMTrace.exe

If you have a copy of CMTrace in another location, consider removing it and using a
copy in one of the default paths. If it's in a custom location that meets your business
requirements, then make sure you have a process to keep it up to date. If your custom
location might be of benefit to other customers, file product feedback.

For more information, see Direct links to Community hub items.

Usage
Run CMTrace.exe. The first time you run the tool, you see a prompt for file association.
For more information, see File associations.

You take most actions in CMTrace from the following menus:

File
Tools

File menu
The following actions are available in the File menu:

Open
Open on Server
Print
Preferences

The File menu also lists the last eight recent files. Quickly reopen one of these logs by
selecting it from the File menu.

Open
Displays the Open dialog box to browse for a log file.

Filter the view for files of the following types:

Log files (*.log)
Old log files (*.lo_)
All files (*.*)

The following two options aren't selected by default:

Ignore existing lines: When selected, CMTrace ignores the existing contents of the
selected log file and displays new lines only as they're added. Use this option to
monitor only new actions when you don't need the full history of the log file.

Merge selected files: If you enable this option and select more than one log file,
CMTrace merges the selected logs in the view. It displays them as if they're a single
log file. The merged log updates the same, and supports all other CMTrace
features as if it's a single log file.

Open on Server
Browse the Configuration Manager logs folder on a site system computer with the
standard Browse dialog box. You can also browse the network for a remote computer.

When you select a remote computer to browse, CMTrace checks for the Configuration
Manager share. If it can't find a share with Configuration Manager log files, it displays an
error message.

To connect directly to a known computer without browsing, use the Open action. Then
enter a server name and share using the UNC format.

Print

Display the standard Windows Print dialog box. This action sends the current log file to
a printer. It formats the output according to the settings on the Printing tab of CMTrace
Preferences.

Preferences

Configure settings for CMTrace. The following options are available:

General tab

Update Interval: Controls how often CMTrace checks for changes to log files
and loads new lines. By default, this value is 500 milliseconds.

Highlight: Sets the color that CMTrace uses when highlighting log lines that you
choose. By default, this color is basic yellow (Red: 255, Green: 255, Blue: 0).

Columns: Configures the columns that are visible in the log view and the order
in which they appear. By default, it displays Log Text, Component, Date/Time,
and Thread.

Printing tab

Columns: Configure which columns it uses when printing log files and the order
in which they appear. By default, it prints the same columns as it displays.

Orientation: Sets the default print orientation when printing log files. Override
this setting in the Print dialog box. By default, it uses Portrait orientation.

Advanced tab

Refresh Interval: Forces CMTrace to update the log view at a specified interval
when loading a large number of lines. By default, this option is disabled with a
value of zero.

Note

In general, don't modify the Refresh Interval. It can significantly increase
the amount of time it takes to open large log files.

Tools menu
The following actions are available in the Tools menu:

Find
Find Next
Copy to Clipboard
Highlight
Filter
Error Lookup
Pause
Show/Hide Details
Show/Hide Info Pane

Find

Search the open log file for a specified text string.

Find Next

Finds the next matching string, as you previously specified in the Find dialog box.

Copy to Clipboard

Copies the selected lines as plain text to the Windows clipboard. If you're examining
Configuration Manager and CCM log files, it copies the columns in the same order as
the view. It separates each column by a tab character. Use this action when copying logs
into email messages or other documents.

Highlight

Enter a string that CMTrace uses to search the text of each log entry. It then highlights
any log text that matches the string you enter.
The highlight uses the color you specified in Preferences.

To turn off highlighting, clear the string from this field.

If you enter a decimal or hexadecimal number, CMTrace tries to match the value to
the Thread column. Use this behavior to highlight the processing of a single
thread, without filtering out other threads that might interact with it.

To compare strings by case, enable the option for Case sensitive.

Filter
Show or hide log lines based on the specified criteria. Apply filters to any of the four
columns regardless of whether they're visible. These settings apply to each opened log
file.

Examples:

Filter smsts.log on entry text containing "the action" or "the group".

Filter InventoryAgent.log where entry text contains "destination".

Error Lookup
Type or paste an error code in either decimal or hexadecimal format to display a
description. Possible error sources include: Windows, WMI, or Winhttp.

Pause

Suspend or restart log monitoring. The following use cases are some of the possible
reasons to use this action:

When CMTrace is displaying log file information too quickly

When you pause log monitoring, the information that CMTrace displays isn't lost if
the current file rolls over to a new log

When you want to stop CMTrace from displaying new data while you examine the
log file

Show/Hide Details
Show or hide all columns other than the log text. It also expands the log text column to
the width of the window. Use this action when you're viewing logs on a computer with
low display resolution. It displays more of the log text.

Note

When viewing plain-text files, CMTrace automatically hides details because they're
always empty.

Show/Hide Info Pane

Show or hide the Info pane. Use this action when you're viewing logs on a computer
with low display resolution. It displays more logging details.

Log pane
The log pane is at the top of the CMTrace window. It displays lines from log files.

When you select a line, it's temporarily highlighted using the Windows selection color
scheme.

Highlighted lines match the criteria you define with the Highlight option in the Tools
menu. The highlight uses the color that you specify in Preferences.

CMTrace displays lines with errors using a red background and yellow text color. In
CCM-format logs, log entries have an explicit type value that indicates the entry as an
error. For other log formats, CMTrace does a case-insensitive search in each entry for
any text string matching "error".

It displays lines with warnings using a yellow background. In CCM-format logs, log
entries have an explicit type value that indicates the entry as a warning. For other log
formats, CMTrace does a case-insensitive search in each entry for any text string
matching "warn".

Info pane
The Info pane is at the bottom of the CMTrace window. It includes the following
features:

Details about the currently selected log entry

A text box that displays the log text

It displays carriage returns so that formatted text is easier to read

Easier to read long entries that aren't fully visible in the Log pane

Show or hide the Info pane with the Show/Hide Info Pane option on the Tools menu. If
the Info pane takes up more than half of the log window, CMTrace automatically hides
it.

Progress bar

When you first open a log file, CMTrace replaces the Info pane with a progress bar. This
progress indicates how much of the existing file contents it's loaded. When the progress
reaches 100 percent, CMTrace removes the progress bar and replaces it with the Info
pane. When you load large files, this behavior provides you with an indication of how
long the load might take.

Status bar
For Configuration Manager-format and CCM-format log files, the status bar displays the
elapsed time for the selected log entries. If you select a single entry, the tool displays
the time from the first log entry to the selected entry. If you select multiple entries, it
calculates the time from the top-most selected entry to the bottom-most selected entry.
CMTrace formats this information as follows:

Elapsed time is <hours>h <minutes>m <seconds>s <milliseconds>ms (<seconds+milliseconds> seconds)
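The following added example (not CMTrace's code) applies the rules from the Log pane and Status bar sections to constructed log lines: CCM-format entries take their severity from the explicit type value, plain-text lines get the case-insensitive "error" then "warn" search, and the elapsed time for a single or multiple selection is rendered in the status-bar format above. It assumes the standard CCM line layout, which this article describes but doesn't print (<![LOG[text]LOG]!><time="..." date="..." component="..." context="..." type="N" thread="N" file="...">), with type 2 as warning and type 3 as error, and renders the bracketed total as seconds with three decimals.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed CCM log line layout; type 2 = warning, type 3 = error, anything else = info.
CCM_LINE = re.compile(
    r'<!\[LOG\[(?P<text>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]+)"\s+date="(?P<date>[^"]+)"'
    r'\s+component="(?P<component>[^"]*)"\s+context="[^"]*"'
    r'\s+type="(?P<type>\d)"\s+thread="(?P<thread>\d+)"\s+file="[^"]*">',
    re.DOTALL,
)


@dataclass
class LogEntry:
    text: str
    component: str
    timestamp: Optional[datetime]   # None for lines that aren't CCM format
    thread: Optional[int]
    severity: str                   # "error", "warning" or "info"


def classify_plain_text(text: str) -> str:
    """CMTrace rule for non-CCM lines: a case-insensitive search for "error",
    then for "warn"; anything else is an ordinary line."""
    lowered = text.lower()
    if "error" in lowered:
        return "error"
    if "warn" in lowered:
        return "warning"
    return "info"


def parse_line(line: str) -> LogEntry:
    match = CCM_LINE.search(line)
    if match is None:
        return LogEntry(line.rstrip("\r\n"), "", None, None, classify_plain_text(line))
    # "14:03:21.457+000": drop the UTC-offset suffix, the clock part is local time
    clock = re.split(r"[+-]", match.group("time"), maxsplit=1)[0]
    stamp = datetime.strptime(f'{match.group("date")} {clock}', "%m-%d-%Y %H:%M:%S.%f")
    # CCM lines carry an explicit type, so the keyword search isn't used for them
    severity = {"3": "error", "2": "warning"}.get(match.group("type"), "info")
    return LogEntry(match.group("text"), match.group("component"), stamp,
                    int(match.group("thread")), severity)


def parse_log(lines) -> List[LogEntry]:
    return [parse_line(line) for line in lines]


def format_elapsed(delta: timedelta) -> str:
    """Render a duration the way the CMTrace status bar does."""
    total_ms = (delta.days * 86400 + delta.seconds) * 1000 + delta.microseconds // 1000
    hours, rest = divmod(total_ms, 3_600_000)
    minutes, rest = divmod(rest, 60_000)
    seconds, millis = divmod(rest, 1000)
    return (f"Elapsed time is {hours}h {minutes}m {seconds}s {millis}ms "
            f"({total_ms / 1000:.3f} seconds)")


def elapsed_for_selection(entries: List[LogEntry], first: int,
                          last: Optional[int] = None) -> str:
    """Single selection: time from the first entry to the selected one.
    Multiple selection: from the top-most to the bottom-most selected entry."""
    start = entries[0] if last is None else entries[first]
    end = entries[first] if last is None else entries[last]
    if start.timestamp is None or end.timestamp is None:
        return "Elapsed time is unavailable for plain-text entries"
    return format_elapsed(end.timestamp - start.timestamp)


# Constructed sample lines, not captured from a real client.
SAMPLE_LOG = [
    '<![LOG[Policy download started]LOG]!><time="14:03:21.457+000" date="03-14-2023" '
    'component="PolicyAgent" context="" type="1" thread="4120" file="policyagent.cpp:210">',
    '<![LOG[Failed to open content, error 0x80070005]LOG]!><time="14:03:23.002+000" '
    'date="03-14-2023" component="ContentAccess" context="" type="3" thread="4128" '
    'file="contentaccess.cpp:88">',
    '<![LOG[Retrying download in 60 seconds]LOG]!><time="14:04:23.100+000" '
    'date="03-14-2023" component="ContentAccess" context="" type="2" thread="4128" '
    'file="contentaccess.cpp:95">',
    "MSI (s) (A4:10) [14:05:00:000]: Note: 1: 1729 Error: Product configuration failed",
]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for entry in entries:
        print(entry.severity, entry.component, entry.text)
    print(elapsed_for_selection(entries, 2))
```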

Windows shell integration

CMTrace supports file associations and drag-and-drop.

File associations
CMTrace can associate itself with .log and .lo_ file name extensions. When the program
starts, it checks the registry to determine whether it's already associated with these file
name extensions. If CMTrace isn't already associated with any file name extensions,
you're prompted to associate the file name extensions with CMTrace. If you select Do
not ask me this again, CMTrace skips this check whenever it's run on this computer.

Drag-and-drop
CMTrace supports basic drag-and-drop functionality. Drag a log file from Windows
Explorer into CMTrace to open it.

Other tips

Last Directory registry key

By default, CMTrace saves the last log location that you opened. This behavior is useful
on the site server, as it defaults to the logs path every time.

The first time you launch it on a client, it defaults to the current working directory. This
location may be the path where you saved CMTrace, or a path like
%userprofile%\Desktop .

The Last Directory value in the registry key
HKEY_CURRENT_USER\Software\Microsoft\Trace32 controls this default location. If you set
this value to %windir%\CCM\Logs on your clients, then CMTrace opens files in the client
log location the first time you run it.

Next steps

Log files

Support Center log file viewer

OneTrace is the log viewer with Support Center. It works similarly to CMTrace, with
improvements. For more information, see Support Center OneTrace.

Client Spy
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Client Spy is one of the Configuration Manager tools. It's a tool for troubleshooting
software distribution, inventory, and software metering on Configuration Manager
clients.

Most of the information retrieved by the tool pertains to software deployments:

All current software deployments
Software distribution history
The client cache configuration
Cached items
Pending required deployments
Available deployments

It also displays the following inventory information:

The latest inventory cycle date
The last report date
Software inventory major and minor versions
File collection
Hardware inventory
IDMIF collection
Discovery data records (DDRs)

Software metering rules are also displayed.

Note

To improve performance, the tool only collects information for each tab when you
select it. Similarly, when you click Refresh, it only refreshes the information for the
currently displayed tab.

Usage

Tools menu
The following actions are available in the Tools menu:

Connect
Retrieve information from a different computer.

By default, the tool displays information from the current computer.

Connect using the remote computer name and, optionally, a user name and password. The
tool connects to the IPC$ share on the remote computer and removes that connection when
the tool exits or when you connect to another computer.

The account needs sufficient rights on the remote computer to read the client's
information. If you don't specify a user name and password, Client Spy uses the security
context of the currently signed-in user for the connection.

When you connect to a remote computer, all tabs that are displayed show
information from the remote computer.

Software Distribution
Displays the Software Distribution tabs and hides the other tabs. By default, Client Spy
displays the Software Distribution tabs.

Inventory

Displays the Inventory tab and hides the other tabs.

Software Metering

Displays the Software Metering tab and hides the other tabs.

Save current tab to file

Saves the information in the currently displayed tab to a text file that you specify.

Save all tabs to file

Saves the information in all tabs to a text file that you specify. It only saves information
your account can see.

Software Distribution tab
The Software Distribution view contains the following four tabs:

Software Distribution Execution Requests
Software Distribution History
Software Distribution Cache Information
Software Distribution Pending Executions

Software Distribution Execution Requests

This tab displays all existing deployments, including both device- and user-targeted
deployments.

Each tree item in the Software Distribution Execution Requests tab contains the
following four attributes:

Advertisement ID. This value might be blank, if it's an available deployment.
Package ID
Program Name
User. This might be the targeted user SID or the SID of the user who initiated the
request. If both are system requests, the displayed user is System.

For each run request, it also displays the following information in a subtree structure:

Program Name
Package ID
Package Name
Request Creation Time
State
Running State, if State is Running
Execution Context (User or Admin)
History State (Success, Failure, or NotRun)
LastRunTime (Never, if the program hasn't been run before)
RetryCount, if State is WaitingRetry
ContentAccess (Retry Count, if State is WaitingRetry)
FailureCode, if State is WaitingRetry
FailureReason, if State is WaitingRetry

If the request requires content, the state is WaitingContent. The Software Distribution
Cache Information tab shows the details for this download request.
If the run request is a download request, it also displays the number of bytes
downloaded.

Note

It uses different icons for varying states of a run request.

Software Distribution History

This tab contains information about all previously run programs. This information is
stored in the registry.

The main branches of this tree are the different user histories, including System. For
each user, it displays a subtree containing the list of packages from which programs have
been run.

Each package subtree, identified by package ID and package name, lists the programs that
have run. It displays the following attributes for each:

Program name
Run state
Last run time
Failure code
Failure reason

The failure code and failure reason are blank when a program was successfully run.

Software Distribution Cache Information

Cache Config
Contains information about the Configuration Manager Client cache. This information
includes the cache location, the cache size, and whether it's currently in use.

Cached Items

Contains a subtree of all items currently in the cache. Each tree item includes the
following information about each item:

The item's location (folder) in the cache
Current state
Package ID
Package name
Package version
Package size
Current reference count
Last referenced time (UTC)

Downloading Items
These are the items that the client is currently downloading. Each of them shows the
same information displayed by the cached items, and the number of kilobytes
downloaded.
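The Cache Config and Cached Items nodes are a view of data the client already exposes through WMI. As an added example (not part of Client Spy or the Configuration Manager documentation), the following PowerShell builds the same report locally or from a remote client, and additionally flags items that are unreferenced, not pinned, and untouched for a configurable number of days. It assumes the namespace root\ccm\SoftMgmtAgent holds a CacheConfig class (Location, Size in MB, InUse) and a CacheInfoEx class with one instance per cached item (Location, ContentId, ContentVer, ContentSize in KB, ReferenceCount, LastReferenced, PersistInCache); remote queries need WinRM and an account with administrative rights on the target.

```powershell
# Added example: read the client cache configuration and cached items from the client's
# own WMI classes, which is the data Client Spy shows under Cache Config / Cached Items.
# Assumptions: class and property names as stated in the lead-in; Size is MB, ContentSize is KB.
function Get-CMClientCacheReport {
    [CmdletBinding()]
    param(
        [string]$ComputerName = '.',
        [pscredential]$Credential,
        # Items unreferenced for longer than this are flagged as stale.
        [int]$StaleAfterDays = 30
    )

    # A local session needs no computer name; remote sessions go over WinRM.
    $sessionArgs = @{}
    if ($ComputerName -ne '.' -and $ComputerName -ne $env:COMPUTERNAME) {
        $sessionArgs.ComputerName = $ComputerName
        if ($Credential) { $sessionArgs.Credential = $Credential }
    }
    $session = New-CimSession @sessionArgs
    try {
        $ns     = 'root\ccm\SoftMgmtAgent'
        $config = Get-CimInstance -CimSession $session -Namespace $ns -ClassName CacheConfig
        $items  = Get-CimInstance -CimSession $session -Namespace $ns -ClassName CacheInfoEx
        $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

        $report = foreach ($i in $items) {
            [pscustomobject]@{
                ContentId      = $i.ContentId
                Version        = $i.ContentVer
                SizeKB         = $i.ContentSize
                ReferenceCount = $i.ReferenceCount
                LastReferenced = $i.LastReferenced
                Persist        = [bool]$i.PersistInCache
                Location       = $i.Location
                # Unreferenced, not pinned, and untouched since the cutoff: reclaimable space.
                Stale          = (($i.ReferenceCount -eq 0) -and (-not $i.PersistInCache) -and ($i.LastReferenced -lt $cutoff))
            }
        }

        [pscustomobject]@{
            ComputerName  = $ComputerName
            CacheLocation = $config.Location
            CacheSizeMB   = $config.Size
            InUse         = [bool]$config.InUse
            UsedKB        = ($items | Measure-Object ContentSize -Sum).Sum
            StaleItems    = @($report | Where-Object Stale).Count
            Items         = $report
        }
    }
    finally {
        Remove-CimSession $session
    }
}

# Local client; add -ComputerName and -Credential for a remote one.
$r = Get-CMClientCacheReport
$r | Select-Object ComputerName, CacheLocation, CacheSizeMB, InUse, UsedKB, StaleItems
$r.Items | Sort-Object SizeKB -Descending |
    Format-Table ContentId, Version, SizeKB, ReferenceCount, LastReferenced, Stale
```

New-CimSession uses WS-Man by default; for a client that only allows DCOM, pass `-SessionOption (New-CimSessionOption -Protocol Dcom)` when creating the session.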

Software Distribution Pending Executions

This tab contains information that details past and future required deployments and a
list of available deployments.

Each tree branch is for a user account with deployments available, including System.

For each user, a subtree contains the following three items:

Mandatory Advertisements With Future Executions

These are mandatory advertisements that still have programs remaining to be run.
These can be either recurring, one-time, or multiple schedule advertisements. Each
displays the advertisement ID, the next run time, and the schedule on which the
advertisement runs.

Optional Advertisements
Displays a list of all advertisements that are published. It also displays details such as
advertisement ID, program name, and package name for each.

Past Mandatory Advertisements With No Future Scheduled Executions

This is a list of advertisements that exist on the client that have no future programs
scheduled to run. The advertisement ID, package name, and program name are
displayed. A subtree item is displayed for any advertisements that are optional.

Note

Package name information is only available for packages that have advertised
policies associated to them on the computer being viewed. Packages that no longer
have available policies associated to them display the message "Package Name No
Longer Available".

Inventory tab
There's only one tab containing inventory information. The main tree contains the
following five items:

Software Inventory: Contains the date that the last cycle started, the date of the
last report, and the minor and major versions of the last report.

File Collection: Contains the date that the last cycle started, the date of the last
report, and the minor and major versions of the last report.

Hardware Inventory: Contains the date that the last cycle started, the date of the
last report, and the minor and major versions of the last report.

IDMIF Collection: Contains the date that the last cycle started, the date of the last
report, and the minor and major versions of the last report.

DDR: Contains the date that the last cycle started, the date of the last report, and
the minor and major versions of the last report. The DDR information is also
displayed in a subtree.

Software Metering tab

This tab displays information as a subtree, and includes all software metering rules. It
displays each rule as a node, which it identifies by the file name and rule ID. Expand
each node in the tree to view the following information:

Explorer file name
Original file name
Rule ID
File version
Language
Deployment Monitoring Tool
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The Deployment Monitoring Tool is one of the Configuration Manager tools. It's a
graphical user interface designed to assist in troubleshooting application, software
update, and configuration baseline deployments on a Configuration Manager client. The
tool is read-only as it doesn't change any state on the client. You can safely use it to
diagnose common deployment scenarios.

Features
Run it as an administrator to troubleshoot deployments on a local client.

Troubleshoot deployments on a remote client. Launch the tool and connect to a
remote machine as an administrator.

Export all the data collected in the tool to XML. Share the XML file with others, and
use it as a common reference when discussing a deployment problem.

Import previously exported data on a different machine, and use it to run the tool
in offline mode.

Usage
The Deployment Monitoring Tool has a graphical user interface only. To launch the
tool, run DeploymentMonitoringTool.exe as an administrator. There are three views:

Client Properties: A list of useful attributes about the device and the Configuration
Manager client. This view is the default.

Deployments: View all of the currently targeted deployments. Select a deployment
in the results pane to view more information in the details pane.

All Updates: View all of the software updates and their status.

To copy data in any view, select a cell, and press CTRL + C.

Actions menu
The following actions are available in the Actions menu:

Connect to remote machine: Select a computer to connect to. When you don't
specify a user name and password, it uses the current credentials. Click Save to
connect to the remote computer.

Export Data: Select the file to write the data into, and click Save. Use the exported
XML file for remote troubleshooting on a different computer.

Import Data: Select a file to import into the tool.

View Log: Opens an associated log file, depending upon the view:
Client Properties: \\<hostname>\c$\Windows\CCM\Logs\PolicyAgent.log
Deployments: \\<hostname>\c$\Windows\CCM\Logs\PolicyAgent.log
All Updates: C:\Windows\WindowsUpdate.log

The first two paths go through the remote computer's administrative share (c$), so
the account you connected with must have administrative rights on that computer.

See also
Deploy applications
Deploy software updates
Deploy configuration baselines
Policy Spy
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Policy Spy is one of the Configuration Manager tools. It's a tool for viewing and
troubleshooting the policy system on Configuration Manager clients. Run PolicySpy.exe
to open the user interface. For more information on command-line usage, see
Command-line syntax.

Important

Run Policy Spy as an administrator. If you don't run it as administrator, you see the
following error in Client Info:

There is no client installed on this machine. Connection to client policy
failed with error 80041003

The code 0x80041003 is WBEM_E_ACCESS_DENIED: the WMI query for the client's policy was
refused, which is why the message appears even though the client is installed.

Command-line syntax
Policy Spy is primarily intended for use through its user interface. It does provide limited
command-line options to support automation and batch processing.

PolicySpy.exe [/export <ExportFilename> [<computername>]]

Option: /export
This option silently exports the policy of the local or remote computer.
<ExportFilename> is the file name to which the tool saves the XML exported policy. If
you specify the <computername> option, Policy Spy exports the policy of that computer
instead of the local computer.

Note

This command-line option doesn't provide a way to specify user credentials. To use
alternative credentials to access a remote computer, use the runas command to
open a new command prompt with the required security credentials. runas prompts
for the password interactively; it has no parameter for passing the password on the
command line, so the password doesn't end up in command history or a script.
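As an added example (not part of Policy Spy or the Configuration Manager documentation), the following PowerShell uses the documented `/export <file> [<computer>]` form to export the policy of a list of clients, optionally under alternative credentials. Start-Process -Credential stands in for runas; like runas, the password is collected interactively (Get-Credential) rather than typed on the command line. It assumes PolicySpy.exe sits at the path in `$PolicySpy` and that the account can read the clients' policy; because the exit code of PolicySpy.exe isn't documented, the presence of a non-empty output file is used as the success check.

```powershell
# Added example: batch-export client policy with "PolicySpy.exe /export", running the
# tool under alternative credentials via Start-Process -Credential instead of runas.
# Assumptions: PolicySpy.exe location; success is judged by a non-empty output file.
function Export-CMClientPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$PolicySpy    = 'C:\Tools\ConfigMgrTools\PolicySpy.exe',   # assumed path
        [string]$OutputFolder = (Join-Path $env:TEMP 'PolicyExports'),
        [pscredential]$Credential
    )

    if (-not (Test-Path -LiteralPath $PolicySpy)) {
        throw "PolicySpy.exe not found at $PolicySpy"
    }
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    foreach ($computer in $ComputerName) {
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        $file  = Join-Path $OutputFolder ('{0}-{1}.xml' -f $computer, $stamp)

        $startArgs = @{
            FilePath     = $PolicySpy
            # Quote the file path; the computer name is the optional third token.
            ArgumentList = @('/export', ('"{0}"' -f $file), $computer)
            Wait         = $true
            PassThru     = $true
        }
        if ($Credential) { $startArgs.Credential = $Credential }

        $proc = Start-Process @startArgs

        [pscustomobject]@{
            ComputerName = $computer
            File         = $file
            ExitCode     = $proc.ExitCode
            Exported     = (Test-Path -LiteralPath $file) -and
                           ((Get-Item -LiteralPath $file).Length -gt 0)
        }
    }
}

# Get-Credential prompts for the password instead of taking it as text.
$cred = Get-Credential -Message 'Account with rights to read client policy'
Export-CMClientPolicy -ComputerName 'PC01', 'PC02' -Credential $cred |
    Format-Table ComputerName, Exported, ExitCode, File
```

Each export file holds the complete policy set of that client, so store the output folder with the same care as any other client configuration data and delete the files when the troubleshooting is done.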

Usage
Tools menu
The following actions are available in the Tools menu:

Open Remote: Connects to the Configuration Manager client policy on a remote
computer. Use the Connect dialog box to enter the name of the remote computer
and optional user credentials. If the connection fails, it displays error information
in the Client Info pane. To try the connection again, select Refresh on the Edit
menu, or press F5.

Open File: Opens a policy export file (XML) created by the Export Policy option.
The tool displays the exported policy exactly the same as a live policy. It disables
some features that only apply when you connect to an actual client.

Request Machine Assignments: Triggers a request for machine policy assignments
on the target computer. This feature is disabled when viewing exported policy.

Evaluate Machine Policy: Triggers a machine policy evaluation on the target
computer. This feature is disabled when viewing an exported policy.

Request User Assignments: Triggers a request for user policy assignments for the
currently signed-in user. This feature is only available when viewing a policy on the
local computer.

Evaluate User Policy: Triggers a user policy evaluation for the currently signed-in
user. This feature is only available when viewing a policy on the local computer.

Reset Policy: Removes all non-default policies and resets the policy cookies for the
site. It then triggers a request for machine policy assignments. This feature is
disabled when viewing an exported policy.

Export Policy: Exports the target computer's policy to an XML file. View this file on
any computer with Policy Spy. To open the export file, select Open File on the
Tools menu. This feature is disabled when viewing an exported policy.

Edit menu
The following actions are available in the Edit menu:

Delete: Deletes the instance selected in the Results pane. This action is only
supported for policy instances. If you try to delete anything other than policy
instances, the tool displays an error message. This feature is disabled when viewing
an exported policy.
Refresh: Refreshes all results to view the latest information. All tree nodes that are
expanded before refreshing are automatically expanded afterward. If Policy Spy
hasn't successfully connected to the target computer's policy, it tries to connect
again. This feature is disabled when viewing an exported policy.

Clear Events: Clears all items from the Events tab.

Results pane
The results pane displays different views of the policy system on the target computer.
Access these views by clicking on one of the following four tabs:

Actual
Requested
Default
Events

Actual
This tab displays the current policy of the client. The current policy determines a client's
behavior and the behavior of its client agents, such as software distribution and
inventory. The tab displays results in a tree format with a root node for the computer
namespace and each user-specific namespace. Expand a namespace node to display a
list of classes. Expand a class to display a list of its instances. The class list includes only
classes that have instances.
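As an added example (not part of Policy Spy or the Configuration Manager documentation), the following PowerShell produces the same summary as the Actual tab's tree: for each policy namespace, the classes that have instances, with their instance counts. It assumes the machine policy lives in root\ccm\Policy\Machine\ActualConfig and that each user's policy lives in a sibling namespace under root\ccm\Policy named after the user's SID, also with an ActualConfig child; child namespaces without an ActualConfig child (the default namespaces) are skipped. Remote use needs WinRM and administrative rights on the target.

```powershell
# Added example: per namespace, list the classes in the client's actual (resultant)
# policy that have instances, as the Actual tab does.
# Assumptions: namespace layout root\ccm\Policy\<Machine|S_1_5_...>\ActualConfig.
function Get-CMActualPolicySummary {
    [CmdletBinding()]
    param(
        [string]$ComputerName = '.',
        [pscredential]$Credential
    )

    $sessionArgs = @{}
    if ($ComputerName -ne '.' -and $ComputerName -ne $env:COMPUTERNAME) {
        $sessionArgs.ComputerName = $ComputerName
        if ($Credential) { $sessionArgs.Credential = $Credential }
    }
    $session = New-CimSession @sessionArgs
    try {
        $root = 'root\ccm\Policy'
        # Child namespaces: Machine, the default namespaces, and one per user SID.
        $children = Get-CimInstance -CimSession $session -Namespace $root -ClassName __NAMESPACE

        foreach ($child in $children) {
            $ns = "$root\$($child.Name)\ActualConfig"
            # Namespaces without an ActualConfig child carry no resultant policy: skip them.
            try {
                $classes = Get-CimClass -CimSession $session -Namespace $ns -ErrorAction Stop
            } catch { continue }

            foreach ($class in $classes) {
                # Skip WMI system classes.
                if ($class.CimClassName -like '__*') { continue }
                # WMI enumeration is polymorphic (a base class returns derived instances too),
                # so count only instances whose concrete class is this one.
                $count = @(Get-CimInstance -CimSession $session -Namespace $ns `
                               -ClassName $class.CimClassName -ErrorAction SilentlyContinue |
                           Where-Object { $_.CimClass.CimClassName -eq $class.CimClassName }).Count
                if ($count -gt 0) {
                    [pscustomobject]@{
                        Namespace = $child.Name
                        Class     = $class.CimClassName
                        Instances = $count
                    }
                }
            }
        }
    }
    finally { Remove-CimSession $session }
}

Get-CMActualPolicySummary | Sort-Object Namespace, Class | Format-Table -AutoSize
```

The same walk over a RequestedConfig child namespace instead of ActualConfig (an assumed name, not given in the text) yields the unmerged per-policy instances the Requested tab shows, which is where duplicate-looking settings are expected before the client merges them.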

Requested
This tab displays the policy assignments that the client retrieved from its assigned site.
The tab displays results in tree format with a root node for the Machine namespace and
each user-specific namespace. Expanding a namespace node displays the following
nodes:

Configuration: Displays a list of configuration classes derived from
CCM_Policy_Config, which includes policy objects, assignments, and others.

Settings: Displays all active settings generated by policies. Settings are displayed
under the Configuration node.

Note

Multiple instances can exist with the same name because the client hasn't merged
these settings into a final resultant set. Policy Spy displays instances under this
node by using the RealKey properties instead of their true policy keys. Correlate
these instances with the resultant set displayed on the Actual tab.

Default
This tab displays the same information as the Requested tab. It also includes contents of
the DefaultMachine and DefaultUser namespaces.

Events
This tab displays policy agent events as they happen. The view creates a WMI event
subscription for all events derived from CCM_PolicyAgent_Event. The view shows a
maximum of 200 events. It removes the oldest events from the top of the list, as
necessary. If you select the last item in the list, the list automatically scrolls down as it
adds new events. Otherwise, the view maintains its current position, and you must scroll
down or press the End key to view new events. This view is always empty when viewing
an exported policy.

Client Info pane
The Client Info pane displays a list of properties for the target computer. It displays the
following properties, if available:

Name
ID
Version
Site
Assigned MP
Resident MP
Proxy MP
Proxy State

Details pane
The Details pane displays detailed information about the current selection. If no
selection is active, it displays information about Policy Spy itself, including the version.
Otherwise, it displays a Managed Object Format (MOF) representation of the selected
item.

Policy Spy uses its own MOF-generation routine to create a more user-friendly HTML
display than the plain-text MOF generated by WMI. This behavior allows Policy Spy to
add the following features to make the MOF more legible:

Syntax highlighting

Indented objects and arrays

Properties are arranged into system, inherited, and local groups. By default, it
collapses the system and inherited groups. You can immediately see which
properties the instance actually uses.

Copy MOF or copy plain-text MOF to the clipboard. This feature is useful for
pasting the MOF into other applications, or for passing it directly to the MofComp tool.

For instances of Policy objects derived from CCM_Policy_Policy, the details pane displays
the policy body below the MOF that displays. If the client hasn't downloaded the policy
body, Policy Spy displays a hyperlink. Click the link to download the policy body directly
from the client's management point. If the tool successfully downloads the policy body,
it replaces the hyperlink with the contents of the reply. Otherwise, Policy Spy updates
the display indicating that the request failed.
Power Viewer Tool
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The Power Viewer tool is one of the Configuration Manager tools. Use it to view the
status of the power management feature on a Configuration Manager client.

Run PowerVwr.exe as an administrator. When the tool launches, it displays the power
capabilities and power settings of the local computer on the Power Config tab.

To view the power management data of a remote computer:

1. Go to the File menu, and click Connect.

2. Enter the Computer name, and a Username and Password, if necessary.

There are three tabs in Power Viewer:

Power Config: View the power capabilities and power settings of the targeted
computer.

Daily Activity: View the daily activity charts of the client, which includes the
following information:

Computer on: The power status of the computer in one day. Sleep mode counts as
off.

Monitor on: On or off status of monitor in one day.

User Active: User activity information in one day.

Power Events: View all of the daily power events. The client summarizes these
events at 12:00 AM. This summarization generates data for the daily activity chart.
Send Schedule Tool
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The Send Schedule Tool is one of the Configuration Manager tools. Use it to trigger a
schedule on a client or trigger the evaluation of a specified configuration baseline. It
works for the local computer or targeting a remote client.

For example, use the tool to trigger an inventory schedule or compliance evaluation. If a
number of Configuration Manager clients haven't recently reported inventory or
compliance status, run the tool to initiate the necessary schedule on each client.

Usage
Run SendSchedule.exe as an administrator.

SendSchedule /L [Computer Name]
SendSchedule "<Message GUID | DCM UID>" [Computer Name]

After you trigger a message (GUID), see SMSClientMethodProvider.log. For more
information about available message GUIDs, see Message IDs.

After you trigger the evaluation of a configuration baseline (DCM UID), see
DCMAgent.log.

Command-line options

Option: /L
Lists all message GUIDs and DCM UIDs available for sending, with the display name of
each one. If the computer name is absent, it uses the local computer. Likewise, if you
specify a message without a computer name, it sends the message to the local computer.

Examples

List the available messages on the local machine:

SendSchedule /L

List the available messages on the client MyPC:

SendSchedule /L MyPC

Trigger hardware inventory on the local machine:

SendSchedule {00000000-0000-0000-0000-000000000001}

Trigger hardware inventory on MyPC:

SendSchedule {00000000-0000-0000-0000-000000000001} MyPC

Trigger the evaluation of a specific configuration baseline on MyPC:

SendSchedule ScopeId_611E8382-C064-4B62-B0DE-EFFB52AE8994/Baseline_36722778-69dd-4423-9632-b61148b2b67e MyPC
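SendSchedule.exe is a thin front end over the client's own WMI methods, which is what you'd call when the same trigger has to reach many clients without copying the tool to each one. As an added example (not SendSchedule.exe itself and not from the Configuration Manager documentation), the following PowerShell triggers a schedule by name or GUID and triggers a baseline evaluation by its DCM UID, locally or on a remote client. It assumes SMS_Client in root\ccm has a static TriggerSchedule method taking the GUID as sScheduleID, and that SMS_DesiredConfiguration in root\ccm\dcm has one instance per baseline (Name is the DCM UID that `SendSchedule /L` lists, plus a Version) and a TriggerEvaluation method taking Name and Version. The GUIDs in the lookup table are taken from the Message IDs table below.

```powershell
# Added example: trigger client schedules and baseline evaluations through the client's
# WMI methods, the same actions SendSchedule.exe performs.
# Assumptions: SMS_Client.TriggerSchedule(sScheduleID) in root\ccm and
# SMS_DesiredConfiguration.TriggerEvaluation(Name, Version) in root\ccm\dcm.
$CMSchedule = @{
    HardwareInventory           = '{00000000-0000-0000-0000-000000000001}'
    SoftwareInventory           = '{00000000-0000-0000-0000-000000000002}'
    DiscoveryInventory          = '{00000000-0000-0000-0000-000000000003}'
    RequestMachineAssignments   = '{00000000-0000-0000-0000-000000000021}'
    EvaluateMachinePolicies     = '{00000000-0000-0000-0000-000000000022}'
    SoftwareUpdatesInstall      = '{00000000-0000-0000-0000-000000000063}'
    UpdateAssignmentsEvaluation = '{00000000-0000-0000-0000-000000000108}'
    SendUnsentStateMessages     = '{00000000-0000-0000-0000-000000000111}'
    AppManagerGlobalEvaluation  = '{00000000-0000-0000-0000-000000000123}'
}

function New-CMClientSession {
    param([string]$ComputerName, [pscredential]$Credential)
    $a = @{}
    if ($ComputerName -and $ComputerName -ne '.' -and $ComputerName -ne $env:COMPUTERNAME) {
        $a.ComputerName = $ComputerName
        if ($Credential) { $a.Credential = $Credential }
    }
    New-CimSession @a
}

function Invoke-CMClientSchedule {
    [CmdletBinding()]
    param(
        # A key from $CMSchedule or a raw {GUID}.
        [Parameter(Mandatory)][string]$Schedule,
        [string]$ComputerName = '.',
        [pscredential]$Credential
    )
    $id = if ($CMSchedule.ContainsKey($Schedule)) { $CMSchedule[$Schedule] } else { $Schedule }
    if ($id -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "'$Schedule' is neither a known schedule name nor a {GUID}."
    }
    $s = New-CMClientSession $ComputerName $Credential
    try {
        # Static method on the class: no instance is needed.
        $r = Invoke-CimMethod -CimSession $s -Namespace 'root\ccm' -ClassName SMS_Client `
                 -MethodName TriggerSchedule -Arguments @{ sScheduleID = $id }
        [pscustomobject]@{ ComputerName = $ComputerName; Schedule = $id; ReturnValue = $r.ReturnValue }
    }
    finally { Remove-CimSession $s }
}

function Invoke-CMBaselineEvaluation {
    [CmdletBinding()]
    param(
        # The DCM UID (ScopeId_.../Baseline_...); wildcards allowed.
        [Parameter(Mandatory)][string]$Name,
        [string]$ComputerName = '.',
        [pscredential]$Credential
    )
    $s = New-CMClientSession $ComputerName $Credential
    try {
        $baselines = Get-CimInstance -CimSession $s -Namespace 'root\ccm\dcm' `
                         -ClassName SMS_DesiredConfiguration | Where-Object Name -like $Name
        if (-not $baselines) { throw "No baseline named '$Name' on $ComputerName." }
        foreach ($b in $baselines) {
            # The method is on the class but needs the baseline's Name and Version.
            $r = Invoke-CimMethod -CimSession $s -Namespace 'root\ccm\dcm' `
                     -ClassName SMS_DesiredConfiguration -MethodName TriggerEvaluation `
                     -Arguments @{ Name = $b.Name; Version = $b.Version }
            [pscustomobject]@{ ComputerName = $ComputerName; Baseline = $b.DisplayName; ReturnValue = $r.ReturnValue }
        }
    }
    finally { Remove-CimSession $s }
}

# Same three actions as the SendSchedule examples above.
Invoke-CMClientSchedule -Schedule HardwareInventory
Invoke-CMClientSchedule -Schedule HardwareInventory -ComputerName MyPC
Invoke-CMBaselineEvaluation -Name 'ScopeId_611E8382-C064-4B62-B0DE-EFFB52AE8994/Baseline_36722778-69dd-4423-9632-b61148b2b67e' -ComputerName MyPC
```

A ReturnValue of 0 only means the client accepted the trigger; as with the tool, confirm that the action actually ran in SMSClientMethodProvider.log or DCMAgent.log on the client.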

Message IDs

Message ID                               Display Name
{00000000-0000-0000-0000-000000000001}   Hardware Inventory
{00000000-0000-0000-0000-000000000002}   Software Inventory
{00000000-0000-0000-0000-000000000003}   Discovery Inventory
{00000000-0000-0000-0000-000000000010}   File Collection
{00000000-0000-0000-0000-000000000011}   IDMIF Collection
{00000000-0000-0000-0000-000000000021}   Request Machine Assignments
{00000000-0000-0000-0000-000000000022}   Evaluate Machine Policies
{00000000-0000-0000-0000-000000000023}   Refresh Default MP Task
{00000000-0000-0000-0000-000000000024}   LS (Location Service) Refresh Locations Task
{00000000-0000-0000-0000-000000000025}   LS Timeout Refresh Task
{00000000-0000-0000-0000-000000000026}   Policy Agent Request Assignment (User)
{00000000-0000-0000-0000-000000000027}   Policy Agent Evaluate Assignment (User)
{00000000-0000-0000-0000-000000000031}   Software Metering Generating Usage Report
{00000000-0000-0000-0000-000000000032}   Source Update Message
{00000000-0000-0000-0000-000000000037}   Clearing proxy settings cache
{00000000-0000-0000-0000-000000000040}   Machine Policy Agent Cleanup
{00000000-0000-0000-0000-000000000041}   User Policy Agent Cleanup
{00000000-0000-0000-0000-000000000042}   Policy Agent Validate Machine Policy / Assignment
{00000000-0000-0000-0000-000000000043}   Policy Agent Validate User Policy / Assignment
{00000000-0000-0000-0000-000000000051}   Retrying/Refreshing certificates in AD on MP
{00000000-0000-0000-0000-000000000061}   Peer DP Status reporting
{00000000-0000-0000-0000-000000000062}   Peer DP Pending package check schedule
{00000000-0000-0000-0000-000000000063}   SUM Updates install schedule
{00000000-0000-0000-0000-000000000101}   Hardware Inventory Collection Cycle
{00000000-0000-0000-0000-000000000102}   Software Inventory Collection Cycle
{00000000-0000-0000-0000-000000000103}   Discovery Data Collection Cycle
{00000000-0000-0000-0000-000000000104}   File Collection Cycle
{00000000-0000-0000-0000-000000000105}   IDMIF Collection Cycle
{00000000-0000-0000-0000-000000000106}   Software Metering Usage Report Cycle
{00000000-0000-0000-0000-000000000107}   Windows Installer Source List Update Cycle
{00000000-0000-0000-0000-000000000108}   Software Updates Policy Action Software Updates Assignments Evaluation Cycle
{00000000-0000-0000-0000-000000000109}   PDP Maintenance Policy Branch Distribution Point Maintenance Task
{00000000-0000-0000-0000-000000000110}   DCM policy
{00000000-0000-0000-0000-000000000111}   Send Unsent State Message
{00000000-0000-0000-0000-000000000112}   State System policy cache cleanout
{00000000-0000-0000-0000-000000000113}   Update source policy
{00000000-0000-0000-0000-000000000114}   Update Store Policy
{00000000-0000-0000-0000-000000000115}   State system policy bulk send high
{00000000-0000-0000-0000-000000000116}   State system policy bulk send low
{00000000-0000-0000-0000-000000000121}   Application manager policy action
{00000000-0000-0000-0000-000000000122}   Application manager user policy action
{00000000-0000-0000-0000-000000000123}   Application manager global evaluation action
{00000000-0000-0000-0000-000000000131}   Power management start summarizer
{00000000-0000-0000-0000-000000000221}   Endpoint deployment reevaluate
{00000000-0000-0000-0000-000000000222}   Endpoint AM policy reevaluate
{00000000-0000-0000-0000-000000000223}   External event detection
DP Job Queue Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The Distribution Point (DP) Job Queue Manager is one of the Configuration Manager
tools. Use it to troubleshoot and manage ongoing content distribution jobs to
Configuration Manager distribution points.

The tool displays the list of jobs that the package transfer manager component has in its
queue. It also shows the status of the jobs: ready to be executed, running, or retrying. It
lets you manipulate the jobs in the queue, move jobs higher on the list, cancel a job, or
manually start running a job.

It also gets information from the site server on which distribution point is running a job.
The tool connects through the provider to the site server. It doesn't connect to every
remote distribution point to gather this information. Because it triggers actions and gets
information through the provider, there's a delay in reflecting changes from remote
distribution points.

Usage
Run DPJobMgr.exe. The main menu of the tool contains the following tabs:

Connect: Establish the initial connection to the primary site server

Overview: Summarizes in a single view all the jobs that are running on all
distribution points

Distribution Point Info: Multi-select distribution points to track them, and manage
a single job of interest

Manage Jobs: Shows in one flat view a list of all the jobs and their statuses.
Manipulate jobs, move them up, cancel, or manually start.

Connect tab
Use this tab to establish the initial connection to the primary site server. It uses the
currently signed-in user's credentials. You can't connect to the central administration site
or secondary sites. The connection requires the Full Administrator security role.

Once the tool successfully establishes a connection, a notification at the bottom of the
tool confirms that it's connected to the site server.

Overview tab
Shows a summary of all the jobs on all distribution points. See the following columns:

Distribution Point: Lists the names of the distribution points

Running Jobs: Shows the number of concurrent jobs that are running on a
particular distribution point.

Tip

The number of concurrent software distributions is a site setting. Modify this
setting in the Software Distribution Component Properties.

Total Jobs: Shows the number of all the jobs targeted to a particular distribution
point. This number includes the jobs that are running, retrying, or waiting to be
executed.

Total Retries: Shows the number of times jobs have been retrying in a particular
distribution point. A higher number may represent a general problem with that
particular distribution point.

Tip

To sort each column in this tab, click on the column name.

Manually refresh the information in this tab by clicking Refresh.

Automatically refresh the information in this tab by clicking Start Auto
Refresh and setting the auto refresh interval. The default refresh interval is
two minutes.

Distribution Point Info tab

Shows the list of all the distribution points under the connected site. The pane on the
left lists all the distribution points. Click Select All or Unselect All as necessary, or multi-
select specific distribution points in this list. The pane on the right shows the jobs for the
selected distribution points.

There are eight columns:

Status Icon: There are three possible status icons:

Ready: Indicates that a particular job has finished all the verification steps. It's
ready to be added to the running concurrent jobs. Jobs in this state are usually
in a waiting stage. They wait for the current running processes to finish to open
up a space for them.

Running: Indicates that a particular job is currently running on a distribution
point. For long running jobs (large packages), there's usually time to get the
progress (%) towards completion. It shows this percentage in the Progress
column in this view. For small packages, the Progress column may stay empty,
because the job may already be completed by the time the tool receives status from
the remote distribution point.

Retry: Indicates that a particular job has failed and is now in a retry state. This
job is retried after the retry interval. This interval is configurable, and set to 30
minutes by default.

Software: Name of the package that's targeted to a particular distribution point

Package ID: Package ID of the package that's targeted to a particular distribution
point

Size: Size of the package in KB

Progress: Job completion percentage. For more information, see the Running
status icon description.

Start/Restart Time: For a running job, this value is the start time (green). For a retry
job, this value is the time that it will retry the job.

Retries: Number of times it has retried this package.

Distribution Point Name: The fully qualified domain name (FQDN) of the
distribution point

Tip

To sort each column in this tab, click on the column name.

Manually refresh the information in this tab by clicking Refresh.

Automatically refresh the information in this tab by clicking Start Auto
Refresh and setting the auto refresh interval. The default refresh interval is
two minutes.

If you need to modify a particular job, right-click the job in this view, and
select Manage Job. This action opens the Manage Jobs tab.

Manage Jobs tab

Shows in one flat view a list of all the jobs and their statuses. It contains the same eight
columns as the Distribution Point Info tab. In this view, right-click the jobs for the
following actions:

Run: Starts a job that's in any state other than running

Move To Top: Moves one or more jobs to the top of the queue. This action may
result in the jobs running immediately. A lower priority job may pause because of
this action.

Move Up: Moves a particular job one row above. A lower priority job may pause
running because of this action.

Move Down: Moves a particular job one row below.

Move To Bottom: Moves one or more jobs to the bottom of the queue.

Tip

Drag-and-drop jobs in the list to move them.

Cancel: Tries to cancel one or more jobs.

Note

You can't cancel jobs near their final completion time. If the site server is also
a distribution point, you can't cancel jobs on the site server.

See also
Fundamental concepts for content management
Package transfer manager
Collection Evaluation Viewer
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Collection Evaluation Viewer is one of the Configuration Manager tools. Use it to view
and troubleshoot the collection evaluation process on the primary site server.

Important

Starting in Configuration Manager version 2103, this standalone tool isn't
supported. The tool is no longer included with the Configuration Manager
installation source. Starting in version 2010, its functionality is built in to the
console. For more information, see How to view collection evaluation.

The tool displays the following information:

Both historic and live information for full and incremental collection evaluations

The evaluation queue status

The time for collection evaluations to complete

Which collections are currently being evaluated

The estimated time that a collection evaluation will start and complete

About collection evaluation

The collection evaluation process runs by evaluating the membership rules of a
collection to update its members. The site places a collection that it's evaluating in one
of four different queues:

Manual Queue: For collections that an administrator has manually selected for
evaluation from the console

New Queue: For newly created collections

Full Queue: For collections due for full evaluation

Incremental Queue: For collections with incremental evaluation

There are four threads that run to evaluate the collections in the above queues. Each
queue includes a series of arrays, and each array includes the collections to be
evaluated. The thread that's running for the queue selects a collection from the array
and runs the evaluation. The queue length indicates the number of arrays in the queue.

Requirements
Run the tool on the site server

Run the tool as an administrative user with at least the Read-Only Analyst role

The user also requires Read permission to the site database in SQL

SQL must be on the default port

Usage
Run CEViewer.exe. The main menu of the tool contains the following tabs:

Connect: Establish the initial connection to the primary site server and SQL Server

Full Evaluation: Lists the detailed information about all past full evaluations

Incremental evaluation: Lists the detailed information about all past incremental
evaluations

All Queues: Summarizes the current collection evaluations for all four queues

Manual Queue: Lists the detailed information about the current collection
evaluation in the manual queue

New Queue: Lists the detailed information about the current collection evaluation
in the new queue

Full Queue: Lists the detailed information about the current collection evaluation in
the full queue

Incremental Queue: Lists the detailed information about the current collection
evaluation in the incremental queue

Connect tab
This tab allows you to establish the initial connection to the primary site server. The tool
also establishes a connection to the SQL Server that hosts the site database.
The connections to both primary site server and SQL Servers use the current signed-in
user credential. Connections to the central administration site or a secondary site aren't
supported. No collection evaluation process runs on those sites.

Once the tool successfully establishes a connection, a notification appears at the bottom of
the Collection Evaluation Viewer confirming the tool's connection to the SQL Server.

Full Evaluation tab


Shows detailed information about past full collection evaluations. There are eight
columns:

Collection Name: Name of the collection

Site ID: Site ID of the collection

Run Time: How long the last collection evaluation ran, in seconds

Last Evaluation Completion Time: When the last collection evaluation completed

Next Evaluation Time: When the next full evaluation starts

Member Changes: The member changes in the last collection evaluation. These
changes are either plus (members added) or minus (members removed).

Last Member Change Time: The most recent time that there was a membership
change in the collection evaluation

Percent: The percentage of evaluation time for this collection over the total (all
collections) evaluation time

Incremental evaluation tab


Shows detailed information about past incremental collection evaluations. There are
seven columns:

Collection Name: Name of the collection

Site ID: Site ID of the collection

Run Time: How long the last collection evaluation ran, in seconds

Last Evaluation Completion Time: When the last collection evaluation completed

Member Changes: The member changes in the last collection evaluation. These
changes are either plus (members added) or minus (members removed).

Last Member Change Time: The most recent time that there was a membership
change in the collection evaluation

Percent: The percentage of evaluation time for this collection over the total (all
collections) evaluation time

All Queues tab


Summarizes the live collection evaluations for all four queues. There are six sections:

Summary: Lists the total collection number and the queue length for all collections
in all four queues

Running Evaluation: Lists which collection is currently being evaluated in each
queue, and how long it has been running

Manual Update: Shows a brief summary of the collections being evaluated, the
estimated completion time, and the order of the evaluation in the manual queue

New Collection: Shows a brief summary of the collections being evaluated, the
estimated completion time, and the order of the evaluation in the new collection
queue

Full Evaluation: Shows a brief summary of the collections being evaluated, the
estimated completion time, and the order of the evaluation in the full evaluation
queue

Incremental Evaluation: Shows a brief summary of the collections being evaluated,
the estimated completion time, and the order of the evaluation in the incremental
evaluation queue

Manual Queue tab


Shows information about the manual collection evaluation currently being evaluated.
The order in the list is the order in which the collection will be evaluated. There are four
columns:

Collection Name: Name of the collection

Site ID: Site ID of the collection

Estimated Completion Time: When the evaluation is estimated to complete

Estimated Run Time: How long the evaluation is estimated to run, in
day:hour:minute:second format

New Queue tab


Shows the live information about the new collection evaluation being evaluated. The
order in the list is the order in which the collection will be evaluated. There are four
columns:

Collection Name: Name of the collection

Site ID: Site ID of the collection

Estimated Completion Time: When the evaluation is estimated to complete

Estimated Run Time: How long the evaluation is estimated to run, in
day:hour:minute:second format

Full Queue tab


Shows information about the full collection evaluation currently being evaluated. The
order in the list is the order in which the collection will be evaluated. There are four
columns:

Collection Name: Name of the collection

Site ID: Site ID of the collection

Estimated Completion Time: When the evaluation is estimated to complete

Estimated Run Time: How long the evaluation is estimated to run, in
day:hour:minute:second format

Incremental Queue tab


Shows information about the incremental collection evaluation currently being
evaluated. The order in the list is the order in which the collection will be evaluated.
There are four columns:

Collection Name: Name of the collection

Site ID: Site ID of the collection

Estimated Completion Time: When the evaluation is estimated to complete


Estimated Run Time: How long the evaluation is estimated to run, in
day:hour:minute:second format

Content Library Explorer
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Content Library Explorer is one of the Configuration Manager tools. Use the tool for the
following activities:

Explore the content library on a specific distribution point

Troubleshoot issues with the content library

Copy packages, contents, folders, and files out of the content library

Redistribute packages to the distribution point

Validate packages on remote distribution points

Requirements
Run the tool using an account that has administrative access to:

The target distribution point

The WMI provider on the site server

The Configuration Manager provider

Only the Full Administrator and Read-Only Analyst roles have sufficient rights to
view all information from this tool.

Other roles, such as Application Administrator, can view partial information. For
more information, see Disabled packages.

The Read-Only Analyst can't redistribute packages from this tool.

Run the tool from any computer, as long as it can connect to:

The target distribution point

The primary site server

The Configuration Manager provider

If the distribution point is colocated with the site server, it's still necessary to have
administrative access to the site server.

Usage
When you start ContentLibraryExplorer.exe, enter the fully qualified domain name
(FQDN) of the target distribution point. It then connects to the distribution point. If the
distribution point is part of a secondary site, it prompts you for the FQDN of the primary
site server, and the primary site code.

In the left pane, view the packages that are distributed to this distribution point. Expand
the packages, and explore their folder structure. This structure matches the folder
structure from which you created the package.

When you select a folder, it displays in the right pane any files within the folder. This
view includes the following information:

File name
File size
Which drive it's on
Other packages that use the same file on the drive
When the file was last changed on the distribution point

The tool also connects to the Configuration Manager provider. This connection is to
determine which packages are distributed to the distribution point, and whether they're
actually in the distribution point's content library. For instance, a package that's pending
distribution may not yet exist in the content library. Such a package would appear as
"PENDING" in the tool, and no actions are enabled for this package.

Disabled packages
Some packages are present on the distribution point but not visible in the Configuration
Manager console. These packages are marked with an asterisk (*). No actions may be
performed on these packages. Other packages may also be marked with an asterisk and
have actions disabled.

There are three primary reasons for disabled packages:

The package is the Configuration Manager client upgrade. This package includes
"ccmsetup.exe".

Your user account can't access the package, likely due to role-based
administration. For instance, the Application Author role can't see driver packages
in the console, so any driver packages on the distribution point are marked as
disabled.
The package is orphaned on the distribution point.

Validate packages
Validate packages by using Package > Validate on the toolbar. First select a package
node in the left pane. Don't select a content or a folder. The tool connects to the WMI
provider on the distribution point for this action. When the tool starts, packages that are
missing one or more contents are marked invalid. Validating the package reveals which
content is missing. If all content is present but the data is corrupted, validation detects
the corruption.

Redistribute packages
Redistribute packages using Package > Redistribute on the toolbar. First select a
package node in the left pane. This action requires permissions to redistribute packages.

Other actions
Use Edit > Copy to copy packages, contents, folders, and files out of the content library
to a specified folder. You can't copy the content library itself. You can select more
than one file, but you can't select multiple folders.

Search for packages using Edit > Find Package. This action searches for your query in
the package name and package ID.

Limitations
The tool can't manipulate the content library directly in any way. Changes to the
content library may result in malfunctions.

The tool can redistribute packages, but only to the target distribution point.

When you colocate the distribution point with the site server, you can't validate
package data. Use the Configuration Manager console instead. The tool still
inspects the package to make sure that all the content is present, though not
necessarily intact.

You can't delete content with this tool.

See also
Fundamental concepts for content management
The content library

Content Library Transfer tool
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The Content Library Transfer tool is one of the Configuration Manager tools. It transfers
content from one disk drive to another. The tool is designed to run on distribution point
site systems. It supports distribution points colocated with a site or remote site systems.

The tool is useful for the scenario when the disk drive hosting the content library
becomes full. First add or identify another hard disk with sufficient space to host the
content library. Then use ContentLibraryTransfer.exe to transfer content from the old
filled hard disk to the new, empty drive.

Once the transfer is complete, content is accessible to client computers from the new
location.

Usage
Run ContentLibraryTransfer.exe as a user with administrative permissions on the
distribution point.

Syntax

ContentLibraryTransfer.exe –SourceDrive <drive letter of source drive> –TargetDrive <drive letter of destination drive>

Example
ContentLibraryTransfer –SourceDrive E –TargetDrive G

Limitations
Run the tool locally on the distribution point. You can't run it from a remote
computer.

Only use it when clients aren't actively accessing the distribution point. If you run
the tool while clients are accessing content, the content library on the destination
drive may have incomplete data. The data transfer might fail altogether leading to
an unusable content library.

Don't distribute content to the distribution point when you run the tool. If you run
the tool while content is being written to the distribution point, the content library
on the destination drive may have incomplete data. The data transfer might fail
altogether leading to an unusable content library.

See also
Fundamental concepts for content management
The content library

Content Ownership Tool
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Content Ownership Tool is one of the Configuration Manager tools. It changes
ownership of orphaned packages in Configuration Manager. Orphaned packages don't
have an owning site server. Packages can become orphaned by removing the site server
while they're still owned by this site server.

Run the Content Ownership Tool on any site server in the Configuration Manager
hierarchy. Sign in as an administrative user with sufficient package permissions.

Tip

Use ContentLibraryCleanup.exe in CD.Latest\SMSSETUP\TOOLS\ContentLibraryCleanup to
remove orphaned content from a distribution point. For more information, see Content
library cleanup tool.

Features
Display all orphaned packages

Display all packages, even if they're not orphaned

View the status of the connection to a site

Filter packages by name, site code, or package type

Sort by any displayed column

Change assignment of one or more packages with a single action

View progress of the ownership transfer activity

Usage
Run ContentOwnershipTool.exe to start the tool. Local administrator permissions on the
computer aren't required to run the tool.

There are no command-line parameters.


Important

This tool changes the ownership of an orphaned package. The package itself
doesn't move from the distribution point that it's stored on. This ownership change
doesn't cause the package to update on distribution points. It also doesn't cause
clients to reevaluate policy for deployment of the package. After the ownership
changes, make sure that the new site server can access the source files. It should
have at least Read permissions to the source files of each package.

See also
Fundamental concepts for content management
The content library

Extend and migrate an on-premises site
to Microsoft Azure
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Starting in version 1910, this tool helps you to programmatically create Azure virtual
machines (VMs) for Configuration Manager. It can install with default settings site roles
like a passive site server, management points, and distribution points. Once you validate
the new roles, use them as additional site systems for high availability. You can also
remove the on-premises site system role and only keep the Azure VM role.

Prerequisites
An Azure subscription

Starting in version 2010, it supports environments with virtual networks other than
ExpressRoute. In version 2006 and earlier, it requires an Azure virtual network with
ExpressRoute gateway.

Starting in version 2010, you can use the tool in a hierarchy or a standalone
primary site. In version 2006 and earlier, it only works with a standalone primary
site.

Starting in version 2010, it supports a site with a collocated site database. In
version 2006 and earlier, it requires the database to be on a remote SQL Server.

Your user account needs to be a Configuration Manager Full Administrator and
have administrator rights on the primary site server.

To add a site server in passive mode, the site server must meet the high availability
requirements. For example, it requires a remote content library.

Required Azure permissions


You'll need the following permissions in Azure when you run the tool:

Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourceGroups/write
Microsoft.Resources/deployments/read
Microsoft.Resources/deployments/write
Microsoft.Resources/deployments/validate/action
Microsoft.Compute/virtualMachines/extensions/read
Microsoft.Compute/virtualMachines/extensions/write
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/write
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Storage/storageAccounts/write
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/listkeys/action
Microsoft.Storage/storageAccounts/listServiceSas/action
Microsoft.Storage/storageAccounts/blobServices/containers/write
Microsoft.Storage/storageAccounts/blobServices/containers/read
Microsoft.KeyVault/vaults/deploy/action
Microsoft.KeyVault/vaults/read

For more information about permissions and assigning roles, see Add or remove Azure
role assignments using the Azure portal.
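The list above is the minimum the tool's identity needs; a least-privilege check is to compare it against the role actually assigned and flag gaps or over-broad wildcards. The following is an added example, not code from the tool or the Configuration Manager docs: REQUIRED_ACTIONS is copied from the list on the page, the role definitions at the bottom are constructed for illustration (not the real Azure built-in roles), and fnmatch is used to approximate Azure RBAC's case-insensitive, slash-spanning `*` wildcard.

```python
"""Least-privilege check for the Azure actions the Extend and migrate tool needs.

Added example, not part of the tool or of the Configuration Manager docs.
REQUIRED_ACTIONS is copied from the page; the sample role definitions are
constructed and are not the real Azure built-in roles.  Azure RBAC matches
action strings case-insensitively and lets '*' span '/' segments, which
fnmatch reproduces closely enough for this check.
"""
import fnmatch

REQUIRED_ACTIONS = [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Resources/deployments/read",
    "Microsoft.Resources/deployments/write",
    "Microsoft.Resources/deployments/validate/action",
    "Microsoft.Compute/virtualMachines/extensions/read",
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/networkInterfaces/join/action",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.Storage/storageAccounts/listServiceSas/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.KeyVault/vaults/deploy/action",
    "Microsoft.KeyVault/vaults/read",
]


def action_matches(pattern: str, action: str) -> bool:
    """True if an RBAC action pattern (which may contain '*') covers a concrete action."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted(role: dict, action: str) -> bool:
    """An action is granted when an Actions entry matches it and no NotActions entry does."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def missing_permissions(role: dict, required=REQUIRED_ACTIONS) -> list:
    """Required actions that the role does NOT grant, in page order."""
    return [a for a in required if not granted(role, a)]


def excess_wildcards(role: dict) -> list:
    """Actions entries containing '*': the role grants more than the page's list needs."""
    return [p for p in role.get("Actions", []) if "*" in p]


def minimal_custom_role(assignable_scope: str) -> dict:
    """A custom role definition granting exactly the required actions and nothing more."""
    return {
        "Name": "ConfigMgr Extend-to-Azure operator (constructed example)",
        "IsCustom": True,
        "Actions": list(REQUIRED_ACTIONS),
        "NotActions": [],
        "AssignableScopes": [assignable_scope],
    }


# Constructed sample role definitions (not the real built-in roles).
BROAD_ROLE = {"Name": "broad-contributor-like", "Actions": ["*"],
              "NotActions": ["Microsoft.Authorization/*/Write",
                             "Microsoft.Authorization/*/Delete"]}
READER_ROLE = {"Name": "reader-like", "Actions": ["*/read"], "NotActions": []}
NO_KEYS_ROLE = {"Name": "no-storage-keys", "Actions": ["*"],
                "NotActions": ["Microsoft.Storage/storageAccounts/listkeys/action"]}

if __name__ == "__main__":
    scope = "/subscriptions/<subscription-id-placeholder>"
    for role in (BROAD_ROLE, READER_ROLE, NO_KEYS_ROLE, minimal_custom_role(scope)):
        missing = missing_permissions(role)
        status = "OK" if not missing else f"{len(missing)} missing"
        print(f"{role['Name']}: {status}; wildcard entries: {excess_wildcards(role)}")
        for a in missing:
            print("   -", a)
```

A role that passes with no wildcard entries (the minimal custom role) is the least-privilege assignment for the account that runs the tool; a broad role passes too, but the wildcard list shows how much else it grants.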

Virtual network support


Starting in version 2010, to support virtual networks other than ExpressRoute, make the
following configurations:

In the configuration of the virtual network, go to the DNS servers settings. Add a
Custom DNS server with the IP address of a domain controller.

On the site server where you'll run the tool, set the following registry value:
HKCU\Software\Microsoft\ConfigMgr10\ExtendToAzure, SkipVNetCheck = 1

Run the tool


1. Sign on to the site server and run the following tool in the Configuration Manager
installation directory:
Cd.Latest\SMSSETUP\TOOLS\ExtendMigrateToAzure\ExtendMigrateToAzure.exe

2. Review the information on the General tab, and then switch to the Azure
Information tab.

3. On the Azure Information tab, choose your Azure environment, and then Sign in.

Tip

You may need to add https://*.microsoft.com to your trusted websites list to correctly
sign in.

4. After you sign in, select your Subscription ID and Virtual network.

Note

In version 2006 and earlier, the tool only lists networks with an ExpressRoute
gateway.

Site server high availability


1. On the Site Server High Availability tab, select Check to evaluate your site's
readiness.

If any of the checks fail, select More detail to determine how to remediate the
problem. For more information about these prerequisites, see Site server high
availability.

2. If you want to extend or migrate your site server to Azure, select Create a site
server in Azure. Then fill in the following fields:

Subscription: Read only. Shows the subscription name and ID.

Resource group: Lists available resource groups. If you need to create a new resource
group, use the Azure portal, and then rerun this tool.

Location: Read only. Determined by your virtual network's location.

VM Size: Choose a size to fit your workload. Microsoft recommends the Standard_DS3_v2.

Operating system: Read only. The tool uses Windows Server 2019.

Disk type: Read only. The tool uses Premium SSD for best performance.

Virtual network: Read only.

Subnet: Select the subnet to use. If you need to create a new subnet, use the Azure
portal.

Machine name: Enter the name of the passive site server VM in Azure. It's the same name
shown in the Azure portal.

Local admin username: Enter the name of the local administrative user that the Azure VM
creates before it joins the domain.

Local admin password: The password of the local administrative user. To protect the
password during Azure deployment, store the password as a secret in Azure Key Vault.
Then, use the reference here. If needed, create a new one from the Azure portal.

Domain FQDN: The fully qualified domain name for the Active Directory domain to join. By
default, the tool gets this value from your current machine.

Domain username: The name of the domain user allowed to join the domain. By default, the
tool uses the name of the currently signed-in user.

Domain password: The password of the domain user to join the domain. The tool verifies it
after you select Start. To protect the password during Azure deployment, store the
password as a secret in Azure Key Vault. Then, use the reference here. If needed, create
a new one from the Azure portal.

Domain DNS IP: Used for joining the domain. By default, the tool uses the current DNS
from your current machine.

Type: Read only. It shows Passive Site Server as the type.

Important

By default the virtual machines are set to No for Use existing Windows Server
license. If you want to utilize your on-premises Windows Server licenses with
Software Assurance, configure this setting in the Azure portal after the
virtual machines are provisioned. For more information, see Azure Hybrid
Benefit for Windows Server.

3. To start provisioning the Azure VM, select Start. To monitor the deployment status,
switch to the Deployments in Azure tab in the tool. To get the latest status, select
Refresh deployment status.

Tip

You can also use the Azure portal to check the status, find errors, and
determine potential fixes.

4. When the deployment finishes, go to your SQL Servers, and grant permissions for
the new Azure VM. For more information, see Site server high availability -
Prerequisites.

5. To add the Azure VM as a site server in passive mode, select Add site server in
passive mode.

6. Once the site adds the site server in passive mode, the Site Server High
Availability tab shows the status.

7. Next, switch to the Deployments in Azure tab to finish the deployment.

Site database
The tool doesn't currently have any tasks to migrate the database from on-premises to
Azure. You can choose to move the database from an on-premises SQL Server to an
Azure SQL Server VM. The tool lists the following articles on the Site Database tab to
help:

Backup and restore the database

Configure a SQL Server Always On availability group and allow the data to replicate

Migrate a SQL Server database to an Azure SQL Server VM

Site system roles


1. Switch to the Site System Roles tab. To provision a new site system role with the
default settings, select Create new. You can provision roles such as the
management point, distribution point, and software update point. Not all roles are
currently available in the tool.

2. In the provisioning window, fill in the fields to provision the site role's VM in Azure.
These details are similar to the above list for the site server.

3. To start provisioning the Azure VM, select Start. To monitor the deployment status,
switch to the Deployments in Azure tab in the tool. To get the latest status, select
Refresh deployment status.

Tip

You can also use the Azure portal to check the status, find errors, and
determine potential fixes.

4. Repeat this process to add more site system roles.

5. Next, go to the Deployments in Azure tab to finish the deployment.

6. When the deployment finishes, go to the Configuration Manager console to make
additional changes to the site role.

Deployments in Azure
1. Once Azure creates the VM, switch to the Deployments in Azure tab in the tool.
Select Deploy to configure the role with the default settings.

2. Select Run to start the PowerShell script.

3. Repeat this process to configure more roles.

Add site roles to an existing VM


Starting in Configuration Manager version 2002, the tool supports provisioning multiple
site system roles on a single Azure VM. You can add site system roles after the initial
Azure VM deployment has completed. To add a new role to an existing VM, do the
following steps:

1. On the Deployments in Azure tab, select a virtual machine deployment that has a
Completed status.

2. Select Create new to add an additional role to the virtual machine.

Next steps
Review your changes in the Azure portal

Role-based administration and auditing
tool
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The role-based administration and auditing tool is one of the Configuration Manager
tools. Use this tool for the following tasks:

Model security roles with specific permissions

Audit the security scopes and security roles that other users have

Requirements
Run it on the same computer as the Configuration Manager site server

You have the Full Administrator, Read-only Analyst, or Security Administrator
role

Assign your account to the All security scope and all collections

(Optional) To analyze report folder security, you need SQL Server access

(Optional) To analyze report drill-through, run this tool on the site system server
with the reporting services point role

Procedures

Model permissions for a new role


Use the following procedure to model permissions for a new role that you want to
create:

1. Run RBAViewer.exe.

2. Select the base security roles you want to build on, or start from an empty
permission set. Select the necessary permissions.

3. Select Analyze to see the user interface this custom role will see.

Note

To see whether there's an existing security role that meets your requirements,
switch to the Similarity tab.

4. Select Export to save the role as an XML file. Then import it to the Configuration
Manager console. For more information, see Create custom security roles.

Audit existing security scopes


Use the following procedure to audit all existing administrative users, collections, and
security scopes in Configuration Manager:

1. Run RBAViewer.exe.

2. Select the Audit RBA button in the toolbar.

a. To view the collection-limited relationships in a tree view, switch to the
Collection Summary tab.

b. To view objects assigned to a security role, switch to the Scope Summary tab.

Audit a specific user


Use the following procedure to audit the role-based administration configuration for a
specific user:

1. Run RBAViewer.exe.

2. Select the Run As button in the toolbar.

3. Input the specific user name to check the permissions for that account.

4. The tool displays the security roles assigned to the user or the security group the
user belongs to. It also displays the objects this user can see and the actions they
can take in the console.

See also
Fundamentals of role-based administration

Configure role-based administration


Run Meter Summarization Tool
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The Run Meter Summarization Tool is one of the Configuration Manager tools. Use it to
immediately trigger the maintenance tasks for software metering summarization on
primary sites. By default, these tasks run as scheduled in Site Maintenance tasks, which
start after 12:00 AM every day.

These tasks summarize the data in the MeterData SQL Server table, and write the
summary results into the FileUsageSummary and MonthlyUsageSummary tables. Then
you see the summarized result in software metering reports. Any Configuration
Manager administrative user who can connect to the primary site database can use this
tool to run summarization.

This tool runs the File Usage Summary and Monthly Usage Summary software
metering data summarization tasks. It summarizes all existing meter data without the
usual 12-hour waiting period. Run it on the SQL Server that hosts the site database. If
summarization is successful, the exit code is set to 0. If there was an error, the exit
code is 1.

Usage

Command Line
runmetersumm [sms database name] <delay in hours for summarization <default=0>>

Options

Database name

The name of the site database on the SQL Server.

Delay in hours for summarization

The tool summarizes the software metering usage generated before the delay. By
default, this delay is zero.

Example

Summarize the software metering usage generated 12 hours ago


runmetersumm CCM_ABC <12>

See also
Maintenance tasks
Monitor app usage with software metering

Settings to manage high-risk
deployments for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

With Configuration Manager, you can configure deployment verification site settings.
These settings warn administrators if they create a high-risk task sequence deployment.
A high-risk deployment is:

A deployment that's automatically installed

Has the potential to cause unwanted results

For example, a task sequence with a purpose of Required that deploys an operating
system is considered high-risk.

Warning

If you use PXE deployments, and configure device hardware with the network
adapter as the first boot device, these devices can automatically start an OS
deployment task sequence without user interaction. Deployment verification
doesn't manage this configuration. While this configuration may simplify the
process and reduce user interaction, it puts the device at greater risk for accidental
reimage.

Deployment verification settings


To reduce the risk of an unwanted high-risk deployment, you can configure size limits in
these deployment verification settings:

Collection size limits: When you create a deployment, hide collections that include
more clients than your limit.

Default size: When you create a deployment, this setting hides collections by
default that include more clients than this limit. You can still see these
collections when creating the deployment, but they're hidden by default. The
default value is 100. To ignore this setting, enter a value of 0.

Maximum size: When you create a deployment, this setting always hides
collections with more clients than this limit. The default value is 0, which ignores
this setting. The Maximum size value must be greater than the Default size
value.

For example, you set Default size to 100 and the Maximum size to 1000. When
you create a high-risk deployment, the Select Collection window only displays
collections that include fewer than 100 clients. If you clear the setting to Hide
collections with a member count greater than the site's minimum size
configuration, the window displays collections that include fewer than 1000
clients.

Collections with site system servers: When the target collection includes a
computer with a site system role, block deployments or require verification before
creating the deployment. When a deployment is blocked, select a different
collection that meets the deployment verification criteria to continue creating the
deployment.

Note

High-risk deployments are always limited to custom collections, collections that
you create, and the built-in Unknown Computers collection. When you create a
high-risk deployment, you can't select a built-in collection such as All Systems.

Configure deployment verification


1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, select Sites, and then select the primary site to
configure.

2. In the ribbon, select Properties, and then switch to the Deployment Verification
tab.

3. Configure the settings you want to use, and then select OK to save the
configuration and close the properties.

Next steps
High-impact task sequence settings

Configure sites and hierarchies


Client installation methods in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can use different methods to install the Configuration Manager client software. Use
one method, or a combination of methods. This article describes each method, so you
can learn which one works best for your organization.

Client push installation


Supported client platform: Windows

Advantages

Can be used to install the client on a single computer, a collection of computers, or
to the results from a query.

Can be used to automatically install the client on all discovered computers.

Automatically uses client installation properties defined on the Client tab in the
Client Push Installation Properties dialog box.

Disadvantages
Can cause high network traffic when pushing to large collections.

Can only be used on computers that have been discovered by Configuration
Manager.

Can't be used to install clients in a workgroup.

A client push installation account must be specified that has administrative rights
to the intended client computer.

Windows Firewall must be configured with exceptions on client computers.

You can't cancel client push installation. Configuration Manager tries to install the
client on all discovered resources. It retries any failures for up to seven days.

For more information, see How to install clients with client push.

Software update point-based installation
Supported client platform: Windows

Advantages

Can use your existing software updates infrastructure to manage the client
software.

If Windows Server Update Services (WSUS) and group policy settings in Active
Directory Domain Services are configured correctly, it can automatically install the
client software on new computers.

Doesn't require computers to be discovered before the client can be installed.

Computers can read client installation properties that have been published to
Active Directory Domain Services.

If the client is removed, this method reinstalls it.

Doesn't require you to configure and maintain an installation account for the
intended client computer.

Disadvantages

Requires a functioning software updates infrastructure as a prerequisite.

Must use the same server for client installation and software updates. This server
must reside in a primary site.

To install new clients, you must configure a group policy object in Active Directory
Domain Services with the client's active software update point and port.

If the Active Directory schema isn't extended for Configuration Manager, you must
use group policy settings to provision computers with client installation properties.

For more information, see How to install clients with software update-based installation.

Group policy installation


Supported client platform: Windows

Advantages
Doesn't require computers to be discovered before the client can be installed.

Can be used for new client installations or for upgrades.

Computers can read client installation properties that have been published to
Active Directory Domain Services.

Doesn't require you to configure and maintain an installation account for the
intended client computer.

Disadvantages
If a large number of clients are being installed, it can cause high network traffic.

If the Active Directory schema isn't extended for Configuration Manager, you must
use group policy settings to add client installation properties to computers in your
site.

For more information, see How to install clients with group policy.

Logon script installation


Supported client platform: Windows

Advantages

Doesn't require computers to be discovered before the client can be installed.

Supports using command-line properties for CCMSetup.

Disadvantages
If a large number of clients are being installed over a short time period, it can
cause high network traffic.

If users don't frequently log on to the network, it can take a long time to install on
all client computers.

For more information, see How to install clients with logon scripts.

Manual installation

Supported client platform: Windows, macOS X

Advantages
Doesn't require computers to be discovered before the client can be installed.

Can be useful for testing purposes.

Supports using command-line properties for CCMSetup.

Disadvantages

No automation, therefore time consuming.

For more information about how to manually install the client on each platform, see
the following articles:

How to deploy clients to Windows computers

How to deploy clients to Macs

Microsoft Intune MDM installation


Supported client platforms: Windows 10 or later

Advantages
Doesn't require computers to be discovered before the client can be installed.

Doesn't require you to configure and maintain an installation account for the
intended client computer.

Can use modern authentication with Azure Active Directory.

Can install and assign computers on the internet.

Can automate with Windows Autopilot and Microsoft Intune for co-management.

Disadvantages
Requires additional technologies outside of Configuration Manager.

Requires that the device has access to the internet, even if it isn't internet-based.

For more information, see the following articles:

How to install clients to Intune MDM-managed Windows devices


Install and assign Configuration Manager clients using Azure AD for authentication


Prerequisites for deploying clients to Windows computers
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Deploying Configuration Manager clients in your environment has the following external
dependencies and dependencies within the product. Additionally, each client
deployment method has its own dependencies that must be met for client installations
to be successful.

For more information on the minimum hardware and OS requirements for the
Configuration Manager client, see Supported configurations.

Note

The software version numbers shown in this article only list the minimum version
numbers required.

Use the following information to determine the prerequisites for when you install the
Configuration Manager client on Windows devices.

Dependencies external to Configuration Manager

Windows components
Many of these components are services or features that Windows enables by default.
Don't disable these components on Configuration Manager clients.

Windows Installer: Required to support the use of Windows Installer files for
applications and software updates.

Background Intelligent Transfer Service (BITS): Required to allow throttled data
transfers between the client computer and Configuration Manager site systems.

Task Scheduler: Required for client operations, such as regularly evaluating the health
of the Configuration Manager client.

Remote Differential Compression (RDC): Required to optimize data transmission over the
network.

SHA-2 code signing support: Clients require support for the SHA-2 code signing
algorithm. For more information, see SHA-2 code signing support.

SHA-2 code signing support


Because of weaknesses in the SHA-1 algorithm and to align to industry standards,
Microsoft now only signs Configuration Manager binaries using the more secure SHA-2
algorithm. Legacy Windows OS versions require an update for SHA-2 code signing
support. For more information, see 2019 SHA-2 code signing support requirement for
Windows and WSUS.

If you don't update these OS versions, you can't install a supported version of the
Configuration Manager current branch client. This behavior applies to either a new client
install or updating it from a previous version.

If you need to manage a client on a version of Windows that's not updated, or older
than the versions listed above, use the Configuration Manager extended interoperability
client (EIC) version 1902. For more information, see Extended interoperability client.

Tip

If you don't use automatic client update, and update clients with another
mechanism, make sure to update the version of ccmsetup. An older version of
ccmsetup may not properly validate the new SHA-2 code signing certificate on
client binaries. For example, if you copy ccmsetup.exe to a file share, or use
ccmsetup.msi with group policy.

The following client update mechanisms aren't affected:

Client push installation: It uses the client package from the site.

Software update-based installation: The site update republishes to WSUS.

Intune MDM-managed Windows devices: The supported version for this
mechanism already supports SHA-2 code signing, but it's still important to
use the latest ccmsetup.msi.

Components automatically downloaded during installation

The Configuration Manager client has external dependencies. These dependencies
depend on the OS version and the installed software on the client computer. If the client
requires these dependencies to complete the installation, it automatically installs them.

Microsoft Visual C++ 2015-2019 Redistributable version 14.28.29914.0
(vcredist_x*.exe): Version 2107 and later. Required to support client operations. When
you install this update on client computers, it might require a restart to complete the
installation.

Microsoft Visual C++ 2013 Redistributable version 12.0.40660.0 (vcredist_x*.exe):
Version 2103 and earlier. Required to support client operations. When you install this
update on client computers, it might require a restart to complete the installation.

Windows Imaging APIs 6.0.6001.18000 or later (wimgapi.msi): Required to allow
Configuration Manager to manage Windows image (.wim) files.

Microsoft Policy Platform 1.2.3514.0 or later (MicrosoftPolicyPlatformSetup.msi):
Required to allow clients to evaluate compliance settings.

Microsoft .NET Framework version 4.6.2 or later
(NDP462-KB3151800-x86-x64-AllOS-ENU.exe): Version 2107 and later. Required to support
client operations. Automatically installed on the computer if it doesn't have this
version installed. For more information, see More details about Microsoft .NET.

Microsoft .NET Framework version 4.5.2 or later
(NDP452-KB2901907-x86-x64-AllOS-ENU.exe): Version 2103 and earlier. Required to support
client operations. Automatically installed on the computer if it doesn't have this
version installed. For more information, see More details about Microsoft .NET.

Microsoft Monitoring Agent version 10.20.18053.0 (MMASetup-*.exe): Installed as needed
by devices that you onboard to Microsoft Defender for Endpoint.

Windows Firewall configuration (WindowsFirewallConfigurationProvider.msi): Required for
certain endpoint protection policies.

Microsoft WebView2 (Microsoft.WebView2.FixedVersionRuntime.x86.cab): Installed as
needed when you use Software Center custom tabs.

Note

Starting in version 2107, the Configuration Manager client no longer has an
external dependency on Microsoft SQL Server Compact Edition (CE) 4.0 SP1. It now
uses a built-in version of this component to store information related to client
operations.

More details about Microsoft .NET

When you install or update the Configuration Manager client, if the device doesn't have
at least the required version of the .NET Framework, CCMSetup installs it. Starting in
version 2107, the minimum required version is 4.6.2.

Microsoft recommends that you install the latest version of .NET version 4.8 to get the
latest performance and security improvements. CCMSetup doesn't automatically install
.NET version 4.8. A later version of Configuration Manager will require .NET version 4.8.

Note

.NET Framework version 4.6.2 is preinstalled with Windows Server 2016 and
Windows 10 version 1607. Later versions of Windows are preinstalled with a later
version of the .NET Framework.

.NET Framework version 4.8 isn't supported on some OS versions, such as Windows
10 2015 LTSB.

For more information, see .NET Framework system requirements.

Whether you update .NET before updating the Configuration Manager client, or
CCMSetup updates it, .NET may require a restart to complete its installation. CCMSetup
suppresses a restart if necessary. The user sees a Restart required notice in the Windows
notification area.

Important

When the Configuration Manager client updates to version 2111 or later, client
notifications are dependent upon .NET 4.6.2 or later. Until you update .NET to
version 4.6.2 or later, and restart the device, users won't see notifications from
Configuration Manager. Other client-side functionality may be affected until the
device is updated and restarted.

The following scenarios are common reasons why .NET requires the computer to restart:

.NET applications or services are running on the computer.

One or more software updates required for .NET installation are missing.

The computer is pending a restart from prior installation of .NET framework
software updates.

After .NET Framework is installed, it may require other updates. These updates may also
require the computer to restart.

If you need to manage the device restarts before you update the Configuration
Manager client, use the following recommended process:

1. Install the latest baseline .NET version. For example, starting in version 2107, install
.NET version 4.8.
2. Restart the device.
3. Scan for software updates and install the latest .NET cumulative update.
4. Restart the device.
5. Install the latest Configuration Manager client version.
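As an added example (not code from the Configuration Manager documentation), the following PowerShell function runs on the target device and reports, read-only, the prerequisites described above: the Windows components, the .NET Framework version against the 4.6.2 minimum and the 4.8 recommendation, whether a restart is still pending, and the ADMIN$ share that client push needs. The function name, the RDC feature name and the .NET release-key thresholds (394802 for 4.6.2, 528040 for 4.8) are assumptions made here.

```powershell
# Added example, not from the Configuration Manager documentation: a read-only
# preflight check, run on the target Windows device before CCMSetup, for the
# prerequisites described above. Release-key thresholds are the well-known
# values for .NET 4.6.2 (394802) and 4.8 (528040); the RDC feature name is assumed.

function Test-CMClientPrerequisites {
    [CmdletBinding()]
    param(
        # Minimum .NET 4.x "Release" registry value the 2107+ client needs (4.6.2).
        [int]$MinimumNetRelease = 394802,
        # Release value of the recommended version (4.8).
        [int]$RecommendedNetRelease = 528040
    )

    $result = [ordered]@{}

    # Services behind the Windows components the client depends on. A service that
    # is Disabled cannot be started on demand, so report that as a failure.
    $services = [ordered]@{
        'Windows Installer'                              = 'msiserver'
        'Background Intelligent Transfer Service (BITS)' = 'BITS'
        'Task Scheduler'                                 = 'Schedule'
    }
    foreach ($display in $services.Keys) {
        $svc = Get-Service -Name $services[$display] -ErrorAction SilentlyContinue
        $result[$display] = ($null -ne $svc -and $svc.StartType -ne 'Disabled')
    }

    # Remote Differential Compression is an optional feature. The DISM feature name
    # is an assumption for client SKUs; when it cannot be queried the value is $null.
    $rdc = Get-WindowsOptionalFeature -Online -FeatureName 'MSRDC-Infrastructure' -ErrorAction SilentlyContinue
    $result['Remote Differential Compression (RDC)'] = if ($rdc) { $rdc.State -eq 'Enabled' } else { $null }

    # .NET Framework 4.x reports its version as a single "Release" DWORD.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -Name Release -ErrorAction SilentlyContinue
    $release = if ($ndp) { [int]$ndp.Release } else { 0 }
    $result['.NET Release value']              = $release
    $result['.NET 4.6.2 or later (required)']  = $release -ge $MinimumNetRelease
    $result['.NET 4.8 or later (recommended)'] = $release -ge $RecommendedNetRelease

    # A restart still pending (for example from a .NET install or a .NET cumulative
    # update) delays client notifications until it completes.
    $pendingKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    $pending = [bool]($pendingKeys | Where-Object { Test-Path -Path $_ })
    $pfro = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($pfro -and $pfro.PendingFileRenameOperations) { $pending = $true }
    $result['Restart pending'] = $pending

    # Client push connects to the administrative share, so it must exist.
    $result['ADMIN$ share present'] = [bool](Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

# Usage: run elevated on the device before installing or updating the client.
Test-CMClientPrerequisites | Format-List
```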

Known issue with .NET version 4.6.2 on Windows Server 2008 SP2

The release of .NET version 4.6.2 that Configuration Manager redistributes doesn't install
on Windows Server 2008 SP2. This version of the OS is covered under the Extended
Security Updates (ESU) program. While products under this program are no longer
supported for use with Configuration Manager, you can use the latest released version of
Configuration Manager current branch to deploy and install Windows security updates
released under the ESU program.

Microsoft recommends updating the OS to a later version that's fully supported. If your
business requirements necessitate use of this OS version, download the latest release of
.NET version 4.6.2 published on 6/23/2021 or later. For more information, see The .NET
Framework 4.6.2 offline installer for Windows. This .NET release does install on Server
2008 SP2. Manually update .NET on devices with this OS version before you update the
Configuration Manager client to version 2107.

Configuration Manager dependencies


For more information, see Determine the site system roles for clients.

Management point: To deploy the Configuration Manager client, you don't require a
management point. Clients require a management point to transfer information with the
site. Without a management point, you can't manage client computers.

Distribution point: The distribution point is an optional, but recommended site system
role for client deployment and management. All distribution points host the client
source files. Clients find the nearest distribution point from which to download the
source files during client deployment or update. If the site doesn't have a distribution
point, computers download the client source files from their management point.

Fallback status point: The fallback status point is an optional, but recommended site
system role for client deployment. The fallback status point tracks client deployment
and enables computers in the Configuration Manager site to send state messages when
they can't communicate with a management point.

Reporting services point: The reporting services point is an optional, but recommended
site system role. It displays reports related to client deployment and management. For
more information, see Introduction to reporting.

Installation method dependencies


The following prerequisites are specific to the various methods of client installation.

Client push installation


The site uses client push installation accounts to connect to computers to install
the client. Specify these accounts on the Accounts tab of the Client Push
Installation Properties. The account must be a member of the local Administrators
group on the destination computer.

If you don't specify a client push installation account, the site server uses its
computer account.

The site needs to discover the computer on which you're installing the client. At
least one Configuration Manager discovery method is needed.

The computer has an ADMIN$ share.

To automatically push the Configuration Manager client to discovered resources,
select the option to Enable client push installation to assigned resources in the
Client Push Installation Properties.

The client computer needs to communicate with a distribution point or a
management point to download the source files.

When you require Kerberos mutual authentication, clients must be in a trusted
Active Directory forest. Kerberos in Windows relies upon Active Directory for
mutual authentication.

To use client push, you need the following security permissions:

To configure the client push installation account: Modify and Read permission for
the Site object.

To use client push to install the client to collections, devices and queries: Modify
Resource and Read permission for the Collection object.

The Infrastructure Administrator default security role includes the required permissions
to manage client push installations.

Software update point-based installation


If you haven't extended the Active Directory schema, or you're installing clients
from another forest, use group policy to provision installation parameters for
CCMSetup.exe. For more information, see How to provision client installation
properties.

Publish the Configuration Manager client to the software update point.

To download the source files, the client computer needs to communicate with a
distribution point or a management point.

For the security permissions required to manage Configuration Manager software
updates, see Prerequisites for software updates.

Group policy-based installation


If you haven't extended the Active Directory schema, or you're installing clients
from another forest, use group policy to provision installation parameters for
CCMSetup.exe. For more information, see How to provision client installation
properties.

To download the source files, the client computer needs to communicate with a
distribution point or a management point.

Logon script-based installation

To download the source files, the client computer needs to communicate with a
distribution point or a management point, unless you run CCMSetup.exe with the
/source command-line parameter, which points it at another location for the files.

Manual installation

To download the source files, the client computer needs to communicate with a
distribution point or a management point, unless you run CCMSetup.exe with the
/source command-line parameter, which points it at another location for the files.

Microsoft Intune MDM installation


Requires a Microsoft Intune subscription and appropriate licenses.

Requires the device has internet access, even if it isn't internet-based.

Depending upon the use case, you may also require one or both of the following
technologies:

Azure Active Directory

Cloud management gateway

Workgroup computer installation


To access resources in the Configuration Manager site server's domain, configure a
network access account for the site.

For more information about how to configure the network access account, see the
Fundamental concepts for content management.

Software distribution-based installation (for upgrades only)

If you haven't extended the Active Directory schema, or you're installing clients
from another forest, use group policy to provision installation parameters for
CCMSetup.exe. For more information, see How to provision client installation
properties.

To download the source files, the client computer needs to communicate with a
distribution point or a management point.

For the security permissions required to upgrade the Configuration Manager client
using application management, see Security and privacy for application management.

Automatic client upgrades


You must be a member of the Full Administrator security role to configure automatic
client upgrades.


Firewall requirements
If there's a firewall between the site system servers and the computers onto which you
want to install the Configuration Manager client, see Windows Firewall and port settings
for clients.

Next steps
Windows firewall and port settings for clients

Prerequisites for deploying clients to mobile devices


Prerequisites for deploying clients to mobile devices in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

On-premises MDM and the Configuration Manager client for macOS are both
deprecated.

Migrate management of macOS and mobile devices to Microsoft Intune. For more
information, see Supported clients and devices.

Deploying Configuration Manager clients in your environment has the following external
dependencies and dependencies within the product.

For more information on the minimum hardware and OS requirements for the
Configuration Manager client, see Supported configurations.

Note

The software version numbers shown in this article only list the minimum version
numbers required.

When you install the Configuration Manager client on mobile devices and enroll them,
use this information to determine the prerequisites.

Dependencies external to Configuration Manager

A Microsoft enterprise certification authority (CA) with certificate templates to
deploy and manage the certificates required for mobile devices.

The issuing CA must automatically approve certificate requests from the mobile
device users during the enrollment process.
For more information about the certificate requirements, see Security and privacy
for certificate profiles.

A security group that contains the users that can enroll their mobile devices.

This security group is used to configure the certificate template that is used during
mobile device enrollment.

Optional but recommended: a DNS alias (CNAME record) named ConfigMgrEnroll.
Configure this alias for the server name of the enrollment proxy point.

This DNS alias is required to support automatic discovery for the enrollment
service. If you don't configure this DNS record, users must manually specify the
name of the enrollment proxy point as part of the enrollment process.

Site system role dependencies for the computers that run the enrollment point and
the enrollment proxy point.

For more information, see Supported operating systems for site system servers.

Configuration Manager dependencies


For more information, see Determine the site system roles for clients.

Management point configurations:


HTTPS client connections
Enabled for mobile devices
An internet FQDN
Accept client connections from the internet

Enrollment point and enrollment proxy point

An enrollment proxy point manages enrollment requests from mobile devices and
the enrollment point completes the enrollment process. The enrollment point must
be in the same Active Directory forest as the site server, but the enrollment proxy
point can be in another forest.

Client settings for mobile device enrollment

Configure client settings to allow users to enroll mobile devices and configure at
least one enrollment profile.

Reporting services point


The reporting services point is an optional, but recommended site system role. It
can display reports related to mobile device enrollment and client management.
For more information, see Introduction to reporting.

To configure enrollment for mobile devices, your account needs the following
security permissions:

To add, modify, and delete the enrollment site system roles: Modify permission
for the Site object.

To configure client settings for enrollment: Default client settings require
Modify permission for the Site object, and custom client settings require Client
agent permissions.

The Full Administrator default security role includes the required permissions to
configure the enrollment site system roles.

To manage enrolled mobile devices, your account needs the following security
permissions:

To wipe or retire a mobile device: Delete resource for the Collection object.

To cancel a wipe or retire command: Delete resource for the Collection object.

To allow and block mobile devices: Modify resource for the Collection object.

To remote lock, or reset the passcode on a mobile device: Modify resource for
the Collection object.

The Operations Administrator default security role includes the required
permissions to manage mobile devices.

For more information about how to configure security permissions, see Fundamentals of
role-based administration and Configure role-based administration.

Firewall requirements
Intervening network devices such as routers and firewalls, and Windows Firewall if
applicable, must allow the traffic associated with mobile device enrollment.

Between mobile devices and the enrollment proxy point: HTTPS (by default, TCP
443)

Between the enrollment proxy point and the enrollment point: HTTPS (by default,
TCP 443)
If you use a proxy web server, configure it for SSL tunneling. SSL bridging isn't
supported for mobile devices.

Next steps
Windows firewall and port settings for clients


Windows Firewall and port settings for clients in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Client computers in Configuration Manager that run Windows Firewall often require you
to configure exceptions to allow communication with their site. The exceptions that you
must configure depend on the management features that you use with the
Configuration Manager client.

Use the following sections to identify these management features and for more
information about how to configure Windows Firewall for these exceptions.

Modifying the Ports and Programs Permitted by Windows Firewall

Use the following procedure to modify the ports and programs on Windows Firewall for
the Configuration Manager client.

To modify the ports and programs permitted by Windows Firewall

1. On the computer that runs Windows Firewall, open Control Panel.

2. Right-click Windows Firewall, and then click Open.

3. Configure any required exceptions and any custom programs and ports that you
require.

Programs and Ports that Configuration Manager Requires

The following Configuration Manager features require exceptions on the Windows
Firewall:

Queries
If you run the Configuration Manager console on a computer that runs Windows
Firewall, queries fail the first time that they are run and the operating system displays a
dialog box asking if you want to unblock statview.exe. If you unblock statview.exe, future
queries will run without errors. You can also manually add Statview.exe to the list of
programs and services on the Exceptions tab of the Windows Firewall before you run a
query.

Client Push Installation


To use client push to install the Configuration Manager client, add the following as
exceptions to the Windows Firewall:

Outbound and inbound: File and Printer Sharing

Inbound: Windows Management Instrumentation (WMI)

Client Installation by Using Group Policy


To use Group Policy to install the Configuration Manager client, add File and Printer
Sharing as an exception to the Windows Firewall.

Client Requests
For client computers to communicate with Configuration Manager site systems, add the
following as exceptions to the Windows Firewall:

Outbound: TCP Port 80 (for HTTP communication)

Outbound: TCP Port 443 (for HTTPS communication)

Important

These are default port numbers that can be changed in Configuration Manager. For
more information, see How to configure client communication ports. If these ports
have been changed from the default values, you must also configure matching
exceptions on the Windows Firewall.

Client Notification
For the management point to notify client computers about an action that it must take
when an administrative user selects a client action in the Configuration Manager
console, such as download computer policy or initiate a malware scan, add the following
as an exception to the Windows Firewall:

Outbound: TCP Port 10123

If this communication does not succeed, Configuration Manager automatically falls back
to using the existing client-to-management point communication port of HTTP, or
HTTPS:

Outbound: TCP Port 80 (for HTTP communication)

Outbound: TCP Port 443 (for HTTPS communication)

Important

These are default port numbers that can be changed in Configuration Manager. For
more information, see How to configure client communication ports. If these
ports have been changed from the default values, you must also configure
matching exceptions on the Windows Firewall.

Remote Control
To use Configuration Manager remote control, allow the following port:

Inbound: TCP Port 2701

Remote Assistance and Remote Desktop


To initiate Remote Assistance from the Configuration Manager console, add the custom
program Helpsvc.exe and the inbound custom port TCP 135 to the list of permitted
programs and services in Windows Firewall on the client computer. You must also
permit Remote Assistance and Remote Desktop. If you initiate Remote Assistance from
the client computer, Windows Firewall automatically configures and permits Remote
Assistance and Remote Desktop.

Wake-Up Proxy
If you enable the wake-up proxy client setting, a new service named ConfigMgr Wake-up
Proxy uses a peer-to-peer protocol to check whether other computers are awake on the
subnet and to wake them up if necessary. This communication uses the following ports:

Outbound: UDP Port 25536

Outbound: UDP Port 9


These are the default port numbers that can be changed in Configuration Manager by
using the Power Management clients settings of Wake-up proxy port number (UDP)
and Wake On LAN port number (UDP). If you specify the Power Management:
Windows Firewall exception for wake-up proxy client setting, these ports are
automatically configured in Windows Firewall for clients. However, if clients run a
different firewall, you must manually configure the exceptions for these port numbers.

In addition to these ports, wake-up proxy also uses Internet Control Message Protocol
(ICMP) echo request messages from one client computer to another client computer.
This communication is used to confirm whether the other client computer is awake on
the network. ICMP is sometimes referred to as TCP/IP ping commands.

For more information about wake-up proxy, see Plan how to wake up clients.

Windows Event Viewer, Windows Performance Monitor, and Windows Diagnostics

To access Windows Event Viewer, Windows Performance Monitor, and Windows
Diagnostics from the Configuration Manager console, enable File and Printer Sharing as
an exception on the Windows Firewall.
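As an added example (not code from the Configuration Manager documentation), the following PowerShell function creates the exceptions listed in the sections above on a client, limited to the Domain profile and to the site server and management point addresses you pass in, and skips any rule that already exists. The function name, rule names, group name and the sample addresses are assumptions; the port numbers and rule groups are the ones named in the text.

```powershell
# Added example, not from the Configuration Manager documentation. Run elevated
# on the client. Addresses below are constructed placeholders: replace them with
# your site server and management point IPs or subnets.

function Add-CMClientFirewallRules {
    [CmdletBinding()]
    param(
        # Site server address(es) allowed in for client push (SMB, WMI) and remote control.
        [string[]]$SiteServerAddress = @('10.0.0.10'),
        # Management point address(es) the outbound notification and HTTP(S) rules are limited to.
        [string[]]$ManagementPointAddress = @('10.0.0.20'),
        # Only needed when clients run a firewall other than the one the
        # "Windows Firewall exception for wake-up proxy" client setting configures.
        [switch]$WakeUpProxy,
        [switch]$RemoteAssistance
    )

    # Creates one scoped allow rule; leaves an existing rule with the same name alone.
    function New-ScopedRule {
        param(
            [string]$DisplayName,
            [ValidateSet('Inbound', 'Outbound')][string]$Direction,
            [ValidateSet('TCP', 'UDP', 'ICMPv4')][string]$Protocol,
            [string[]]$Port,
            [string[]]$RemoteAddress
        )
        if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$DisplayName' already exists; leaving it unchanged."
            return
        }
        $rule = @{
            DisplayName   = $DisplayName
            Group         = 'Configuration Manager client (added example)'
            Direction     = $Direction
            Protocol      = $Protocol
            Action        = 'Allow'
            Profile       = 'Domain'
            RemoteAddress = $RemoteAddress
        }
        if ($Protocol -eq 'ICMPv4') {
            $rule.IcmpType = 8                      # echo request, used by wake-up proxy
        } elseif ($Direction -eq 'Inbound') {
            $rule.LocalPort = $Port                 # inbound rules filter on the local port
        } else {
            $rule.RemotePort = $Port                # outbound rules filter on the remote port
        }
        New-NetFirewallRule @rule | Out-Null
    }

    # Client push and Group Policy installation: File and Printer Sharing in both
    # directions and WMI inbound, via the built-in rule groups. Inbound rules are
    # narrowed to the site server; widen this if other hosts need SMB to the client.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $SiteServerAddress -Enabled True
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Outbound |
        Enable-NetFirewallRule
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $SiteServerAddress -Enabled True

    # Remote control: inbound TCP 2701, from the hosts that run the console viewer.
    New-ScopedRule -DisplayName 'ConfigMgr Remote Control (TCP-In)' -Direction Inbound -Protocol TCP -Port 2701 -RemoteAddress $SiteServerAddress

    # Client notification (TCP 10123) and client requests (HTTP 80 / HTTPS 443) to the
    # management point. Windows Firewall allows outbound traffic by default, so these
    # rules matter where outbound filtering is enforced by policy.
    New-ScopedRule -DisplayName 'ConfigMgr Client Notification (TCP-Out)' -Direction Outbound -Protocol TCP -Port 10123 -RemoteAddress $ManagementPointAddress
    New-ScopedRule -DisplayName 'ConfigMgr Client Requests (TCP-Out)' -Direction Outbound -Protocol TCP -Port 80, 443 -RemoteAddress $ManagementPointAddress

    if ($WakeUpProxy) {
        # Peer-to-peer on the local subnet only: UDP 25536, UDP 9 (Wake On LAN) and ICMP echo.
        New-ScopedRule -DisplayName 'ConfigMgr Wake-up Proxy (UDP-Out)' -Direction Outbound -Protocol UDP -Port 25536, 9 -RemoteAddress 'LocalSubnet'
        New-ScopedRule -DisplayName 'ConfigMgr Wake-up Proxy (ICMPv4-In)' -Direction Inbound -Protocol ICMPv4 -RemoteAddress 'LocalSubnet'
    }

    if ($RemoteAssistance) {
        # Built-in groups plus inbound TCP 135; the Helpsvc.exe program exception from
        # the text is not added here because its path is not given above.
        Enable-NetFirewallRule -DisplayGroup 'Remote Assistance'
        Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        New-ScopedRule -DisplayName 'ConfigMgr Remote Assistance (TCP 135-In)' -Direction Inbound -Protocol TCP -Port 135 -RemoteAddress $SiteServerAddress
    }
}

# Usage (constructed addresses):
Add-CMClientFirewallRules -SiteServerAddress '10.0.0.10' -ManagementPointAddress '10.0.0.20' -Verbose
```

If your site uses non-default client communication ports, pass those values in place of 80 and 443 so the exceptions match the site configuration, as the Important notes above require.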

Ports Used During Configuration Manager Client Deployment

The following tables list the ports that are used during the client installation process.

Important

If there is a firewall between the site system servers and the client computer,
confirm whether the firewall permits traffic for the ports that are required for the
client installation method that you choose. For example, firewalls often prevent
client push installation from succeeding because they block Server Message Block
(SMB) and Remote Procedure Calls (RPC). In this scenario, use a different client
installation method, such as manual installation (running CCMSetup.exe) or Group
Policy-based client installation. These alternative client installation methods do not
require SMB or RPC.

For information about how to configure Windows Firewall on the client computer, see
Modifying the Ports and Programs Permitted by Windows Firewall.

Ports that are used for all installation methods

Hypertext Transfer Protocol (HTTP) from the client computer to a fallback status point,
when a fallback status point is assigned to the client: UDP --, TCP 80 (See note 1,
Alternate Port Available)

Ports that are used with client push installation

Server Message Block (SMB) between the site server and client computer: UDP --, TCP 445

RPC endpoint mapper between the site server and the client computer: UDP 135, TCP 135

RPC dynamic ports between the site server and the client computer: UDP --, TCP DYNAMIC

Hypertext Transfer Protocol (HTTP) from the client computer to a management point when
the connection is over HTTP: UDP --, TCP 80 (See note 1, Alternate Port Available)

Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a management
point when the connection is over HTTPS: UDP --, TCP 443 (See note 1, Alternate Port
Available)
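As an added example (not code from the Configuration Manager documentation), the two PowerShell functions below probe the static ports from the tables above before an installation is attempted: the first runs on the site server against a device to be client-pushed, the second runs on the device against its management point or software update point. Function names and host names are constructed; the port defaults are the values listed in the tables.

```powershell
# Added example, not from the Configuration Manager documentation. Host names
# used in the usage lines are constructed placeholders.

function Test-CMClientPushPorts {
    # Run on the site server. Checks the static client push ports and the ADMIN$ share.
    param([Parameter(Mandatory)][string]$ComputerName)

    $checks = [ordered]@{}
    # SMB 445 and the RPC endpoint mapper 135. The RPC dynamic port range cannot be
    # probed with a single connection, so a pass here is necessary, not sufficient.
    foreach ($port in 445, 135) {
        $checks["TCP $port"] = Test-NetConnection -ComputerName $ComputerName -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    # Client push copies CCMSetup through the administrative share.
    $checks['ADMIN$ reachable'] = Test-Path -Path "\\$ComputerName\ADMIN$"
    [pscustomobject]$checks
}

function Test-CMClientToSitePorts {
    # Run on the device. Checks the client-to-site ports for the HTTP and HTTPS cases;
    # only the one your management point is configured for needs to pass.
    param(
        [Parameter(Mandatory)][string]$ManagementPoint,
        [string]$SoftwareUpdatePoint,
        # Replace with the site's values if the defaults were changed (see note 1 and note 2).
        [int]$HttpPort = 80,
        [int]$HttpsPort = 443,
        [int]$WsusHttpPort = 8530,
        [int]$WsusHttpsPort = 8531
    )

    $targets = @(
        @{ Host = $ManagementPoint; Port = $HttpPort;  Purpose = 'Management point HTTP' },
        @{ Host = $ManagementPoint; Port = $HttpsPort; Purpose = 'Management point HTTPS' }
    )
    if ($SoftwareUpdatePoint) {
        $targets += @{ Host = $SoftwareUpdatePoint; Port = $WsusHttpPort;  Purpose = 'Software update point HTTP' }
        $targets += @{ Host = $SoftwareUpdatePoint; Port = $WsusHttpsPort; Purpose = 'Software update point HTTPS' }
    }

    foreach ($t in $targets) {
        [pscustomobject]@{
            Purpose = $t.Purpose
            Target  = "$($t.Host):$($t.Port)"
            Open    = Test-NetConnection -ComputerName $t.Host -Port $t.Port -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
}

# Usage (constructed host names): the first on the site server, the second on the device.
Test-CMClientPushPorts -ComputerName 'client01.contoso.example' | Format-List
Test-CMClientToSitePorts -ManagementPoint 'cmmp01.contoso.example' -SoftwareUpdatePoint 'cmsup01.contoso.example' | Format-Table -AutoSize
```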

Ports that are used with software update point-based installation

Hypertext Transfer Protocol (HTTP) from the client computer to the software update
point: UDP --, TCP 80 or 8530 (See note 2, Windows Server Update Services)

Secure Hypertext Transfer Protocol (HTTPS) from the client computer to the software
update point: UDP --, TCP 443 or 8531 (See note 2, Windows Server Update Services)

Server Message Block (SMB) between the source server and the client computer when you
specify the CCMSetup command-line property /source:<Path>: UDP --, TCP 445

Ports that are used with Group Policy-based installation

Hypertext Transfer Protocol (HTTP) from the client computer to a management point when
the connection is over HTTP: UDP --, TCP 80 (See note 1, Alternate Port Available)

Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a management
point when the connection is over HTTPS: UDP --, TCP 443 (See note 1, Alternate Port
Available)

Server Message Block (SMB) between the source server and the client computer when you
specify the CCMSetup command-line property /source:<Path>: UDP --, TCP 445

Ports that are used with manual installation and logon


script-based installation

Description UDP TCP

Server Message Block (SMB) between the client computer and a network -- 445
share from which you run CCMSetup.exe.

When you install Configuration Manager, the client installation source files are
copied and automatically shared from the <InstallationPath>\Client folder on
management points. However, you can copy these files and create a new
share on any computer on the network. Alternatively, you can eliminate this
network traffic by running CCMSetup.exe locally, for example, by using
removable media.

Hypertext Transfer Protocol (HTTP) from the client computer to a -- 80 (See


management point when the connection is over HTTP, and you do not specify note 1,
the CCMSetup command-line property /source:<Path>. Alternate
Port
Available)

Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a -- 443 (See
management point when the connection is over HTTPS, and you do not note 1,
specify the CCMSetup command-line property /source:<Path>. Alternate
Port
Available)

Server Message Block (SMB) between the source server and the client -- 445
computer when you specify the CCMSetup command-line property /source:
<Path>.
Ports that are used with software distribution-based
installation

Description UDP TCP

Server Message Block (SMB) between the distribution point and the -- 445
client computer.

Hypertext Transfer Protocol (HTTP) from the client to a distribution -- 80 (See note 1,
point when the connection is over HTTP. Alternate Port
Available)

Secure Hypertext Transfer Protocol (HTTPS) from the client to a -- 443 (See note 1,
distribution point when the connection is over HTTPS. Alternate Port
Available)

Notes
1 Alternate Port Available In Configuration Manager, you can define an alternate port
for this value. If a custom port has been defined, substitute that custom port when you
define the IP filter information for IPsec policies or for configuring firewalls.

2 Windows Server Update Services You can install Windows Server Update Service
(WSUS) either on the default Web site (port 80) or a custom Web site (port 8530).

After installation, you can change the port. You do not have to use the same port
number throughout the site hierarchy.

If the HTTP port is 80, the HTTPS port must be 443.

If the HTTP port is anything else, the HTTPS port must be 1 higher. For example, 8530
and 8531.
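The following PowerShell is an added example and is not part of the Configuration Manager documentation. It encodes the port tables above as data so that you can probe the TCP ports a given installation method needs from the machine you run it on, validate the WSUS port pairing rule from note 2 before you trust a custom website, and create the inbound firewall rules that client push needs on a client, scoped to the site server address rather than to any remote host. Every host name, address and path in the block is an assumption; replace them with your own.

```powershell
# Added example, not from the Configuration Manager documentation. Encodes the port
# tables above so you can (a) probe the TCP ports an installation method needs,
# (b) validate the WSUS port pairing rule from note 2, and (c) create client push
# inbound firewall rules scoped to the site server. All names below are assumptions.

$Site = @{
    ManagementPoint     = 'mp01.contoso.com'    # assumed
    SoftwareUpdatePoint = 'sup01.contoso.com'   # assumed
    FallbackStatusPoint = 'fsp01.contoso.com'   # assumed
    DistributionPoint   = 'dp01.contoso.com'    # assumed
    ClientShareHost     = 'mp01.contoso.com'    # assumed: share that CCMSetup.exe is run from
    SourceServer        = 'fs01.contoso.com'    # assumed: host of the /source:<Path> share
}

# Note 2: WSUS on the default website uses 80/443; on a custom website HTTPS is HTTP + 1.
function Test-WsusPortPairing {
    param([Parameter(Mandatory)][int]$HttpPort, [Parameter(Mandatory)][int]$HttpsPort)
    if ($HttpPort -eq 80) { return ($HttpsPort -eq 443) }
    return ($HttpsPort -eq ($HttpPort + 1))
}

# One row per table entry. Direction is relative to the client computer.
function Get-ClientInstallPorts {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ClientPush','SoftwareUpdatePoint','GroupPolicy','ManualOrLogonScript','SoftwareDistribution')]
        [string]$Method,
        [switch]$Https,                          # site systems accept HTTPS client connections
        [switch]$UsesSourcePath,                 # CCMSetup runs with /source:<Path>
        [string]$Client = $env:COMPUTERNAME,     # target of the inbound (client push) rows
        [int]$HttpPort = 80, [int]$HttpsPort = 443,              # note 1: alternate ports
        [int]$WsusHttpPort = 8530, [int]$WsusHttpsPort = 8531    # note 2: custom website
    )
    if (-not (Test-WsusPortPairing -HttpPort $WsusHttpPort -HttpsPort $WsusHttpsPort)) {
        throw "WSUS ports $WsusHttpPort/$WsusHttpsPort violate note 2 (443 for 80, otherwise HTTP + 1)."
    }
    $web  = if ($Https) { $HttpsPort }     else { $HttpPort }
    $wsus = if ($Https) { $WsusHttpsPort } else { $WsusHttpPort }
    $row  = { param($t, $p, $d, $why) [pscustomobject]@{ Target = $t; Port = $p; Direction = $d; Purpose = $why } }

    # Every method: HTTP to the fallback status point (it never uses HTTPS).
    $rows = @(& $row $Site.FallbackStatusPoint $HttpPort 'Outbound' 'HTTP to fallback status point')
    switch ($Method) {
        'ClientPush' {
            $rows += & $row $Client 445 'Inbound' 'SMB from site server'
            $rows += & $row $Client 135 'Inbound' 'RPC endpoint mapper from site server (dynamic RPC ports follow; not probed)'
            $rows += & $row $Site.ManagementPoint $web 'Outbound' 'HTTP(S) to management point'
        }
        'SoftwareUpdatePoint' {
            $rows += & $row $Site.SoftwareUpdatePoint $wsus 'Outbound' 'HTTP(S) to software update point'
            if ($UsesSourcePath) { $rows += & $row $Site.SourceServer 445 'Outbound' 'SMB to /source share' }
        }
        'GroupPolicy' {
            $rows += & $row $Site.ManagementPoint $web 'Outbound' 'HTTP(S) to management point'
            if ($UsesSourcePath) { $rows += & $row $Site.SourceServer 445 'Outbound' 'SMB to /source share' }
        }
        'ManualOrLogonScript' {
            $rows += & $row $Site.ClientShareHost 445 'Outbound' 'SMB to the share CCMSetup.exe runs from'
            if ($UsesSourcePath) { $rows += & $row $Site.SourceServer 445 'Outbound' 'SMB to /source share' }
            else                 { $rows += & $row $Site.ManagementPoint $web 'Outbound' 'HTTP(S) to management point' }
        }
        'SoftwareDistribution' {
            $rows += & $row $Site.DistributionPoint 445 'Outbound' 'SMB to distribution point'
            $rows += & $row $Site.DistributionPoint $web 'Outbound' 'HTTP(S) to distribution point'
        }
    }
    return $rows
}

# Probe each row with a TCP connect. Run outbound rows on the client and inbound rows on
# the site server (they target the client). Needs live network access.
function Test-ClientInstallPorts {
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Row)
    process {
        $ok = Test-NetConnection -ComputerName $Row.Target -Port $Row.Port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        $Row | Add-Member -NotePropertyName Reachable -NotePropertyValue ([bool]$ok) -PassThru
    }
}

# Client push needs SMB 445, RPC endpoint mapper 135 (TCP and UDP) and the RPC dynamic
# range open inbound on the client. Limit -RemoteAddress to the site server so the same
# exposure is not granted to every host that can reach the client.
function New-ClientPushFirewallRules {
    param([Parameter(Mandatory)][string]$SiteServerAddress, [switch]$WhatIf)
    $rules = @(
        @{ DisplayName = 'ConfigMgr client push: SMB';           Protocol = 'TCP'; LocalPort = 445   }
        @{ DisplayName = 'ConfigMgr client push: RPC EPM (TCP)'; Protocol = 'TCP'; LocalPort = 135   }
        @{ DisplayName = 'ConfigMgr client push: RPC EPM (UDP)'; Protocol = 'UDP'; LocalPort = 135   }
        @{ DisplayName = 'ConfigMgr client push: RPC dynamic';   Protocol = 'TCP'; LocalPort = 'RPC' }
    )
    foreach ($r in $rules) {
        New-NetFirewallRule @r -Direction Inbound -Action Allow -Profile Domain `
            -RemoteAddress $SiteServerAddress -WhatIf:$WhatIf
    }
}

# Usage (assumed names):
#   Get-ClientInstallPorts -Method GroupPolicy -Https | Test-ClientInstallPorts         # on the client
#   Get-ClientInstallPorts -Method ClientPush -Client 'pc01' | Test-ClientInstallPorts  # on the site server
#   New-ClientPushFirewallRules -SiteServerAddress '10.0.0.10' -WhatIf                   # on the client
```

The RPC dynamic range cannot be confirmed with a single connect, which is why the client push row only probes the endpoint mapper and the firewall rule uses the built-in RPC port keyword instead of a fixed number. Run the firewall function with -WhatIf first; it shows the four rules it would create without changing anything.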
Determine the site system roles for Configuration Manager clients
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article can help you determine the site system roles that you need to deploy
Configuration Manager clients.

For more information about where to install these roles in the hierarchy, see Design a
hierarchy of sites.

For more information about how to install and configure these roles, see Install site
system roles.

Management point

By default, all Windows client computers use a distribution point to install the
Configuration Manager client. They can fall back to a management point when a
distribution point is unavailable. However, you can install Windows clients from an
alternative source when you use the CCMSetup command-line property /source:<Path>.
For example, you might do this when you install clients on the internet, or when you
want to avoid sending network packets between the computer and the management point
during client installation, because a firewall blocks the required ports or because you
have a low-bandwidth connection. In every case, all clients must communicate with a
management point to assign to a site and to be managed by Configuration Manager.

For more information about client command-line properties, see About client
installation properties.

When you install more than one management point in the hierarchy, clients
automatically connect to one point based on their forest membership and network
location. You can't install more than one management point in a secondary site.

Mac computer clients and mobile device clients that you enroll with Configuration
Manager always require a management point for client installation. This management
point must be in a primary site, must be configured to support mobile devices, and must
accept client connections from the Internet. These clients can't use management points
in secondary sites or connect to management points in other primary sites.

Distribution point

You don't need a distribution point to install Configuration Manager clients on Windows
computers. By default, Configuration Manager uses a distribution point to install the
client source files on Windows computers. It can fall back to downloading these files
from a management point. Distribution points aren't used to install mobile device clients
that are enrolled by Configuration Manager, but are used if you install the mobile device
legacy client. If you install the Configuration Manager client as part of an OS
deployment, the OS image is stored and retrieved from a distribution point.

Although you might not need distribution points to install most Configuration Manager
clients, you'll need them to install software such as applications and software updates
on the clients.

Fallback status point

You can use a fallback status point to monitor client deployment for Windows
computers. You can also identify the Windows computer clients that are unmanaged
because they can't communicate with a management point.

The following client types don't use a fallback status point:

Mac computers
Mobile devices that are enrolled by Configuration Manager
Mobile devices that are managed by using the Exchange Server connector

A fallback status point isn't required to monitor client activity and client health.

The fallback status point always communicates with clients over HTTP, which uses
unauthenticated connections and sends data in clear text. This behavior makes the
fallback status point vulnerable to attack, particularly when it's used with internet-based
client management. To help reduce the attack surface, always dedicate a server to
running the fallback status point. Don't install other site system roles on the same server
in a production environment.

Install a fallback status point if all the following conditions apply:

You want client communication errors from Windows computers to be sent to the
site, even if these client computers can't communicate with a management point.

You want to use the Configuration Manager client deployment reports, which
display the data that's sent by the fallback status point.
You have a dedicated server for this site system role and have additional security
measures to help protect the server from attack.

The benefits of using a fallback status point outweigh any security risks associated
with unauthenticated connections and clear text transfers over HTTP traffic.

Don't install a fallback status point if the security risks of running a website with
unauthenticated connections and clear text transfers outweigh the benefits of
identifying client communication problems.

Reporting services point

Configuration Manager provides many reports to help you monitor the installation,
assignment, and management of clients in the Configuration Manager console. Some of
the client deployment reports require that clients are assigned to a fallback status point.

The reports aren't needed to deploy clients. You can see some deployment information
in the Configuration Manager console or use the client log files for detailed information.
However, the client reports provide valuable information to help monitor and
troubleshoot client deployment.

Enrollment point and enrollment proxy point

Important

With the deprecation of on-premises MDM and the Configuration Manager client
for macOS, these site system roles are also deprecated. For more information, see
Removed and deprecated features for Configuration Manager.

Configuration Manager requires the enrollment point and the enrollment proxy point to
enroll mobile devices and to enroll certificates for Mac computers. You don't need these
site system roles in the following situations:

You plan to manage mobile devices by using the Exchange Server connector
You install the mobile device legacy client
You request and install the client certificate on Mac computers independently from
Configuration Manager

Cloud management gateway connector point

You need a cloud management gateway connector point if you're setting up a cloud
management gateway to manage clients on the internet.

Security and privacy for Configuration Manager clients
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article describes security and privacy information for Configuration Manager clients.
It also includes information for mobile devices that are managed by the Exchange Server
connector.

Security guidance for clients

The Configuration Manager site accepts data from devices that run the Configuration
Manager client. This behavior introduces the risk that the clients could attack the site.
For example, they could send malformed inventory, or attempt to overload the site
systems. Deploy the Configuration Manager client only to devices that you trust.

Use the following security guidance to help protect the site from rogue or compromised
devices.

Use public key infrastructure (PKI) certificates for client communications with site
systems that run IIS

As a site property, configure Site system settings for HTTPS only. For more
information, see Configure security.

Install clients with the UsePKICert CCMSetup property.

Use a certificate revocation list (CRL). Make sure that clients and communicating
servers can always access it.

Mobile device clients and some internet-based clients require these certificates.
Microsoft recommends these certificates for all client connections on the intranet.

For more information on the use of certificates in Configuration Manager, see Plan for
certificates.

Important

Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Automatically approve client computers from trusted domains and manually check and
approve other computers

When you can't use PKI authentication, approval identifies a computer that you trust to
be managed by Configuration Manager. The hierarchy has the following options to
configure client approval:

Manual
Automatic for computers in trusted domains
Automatic for all computers

The most secure approval method is to automatically approve clients that are members
of trusted domains. This option includes cloud-domain joined clients from connected
Azure Active Directory (Azure AD) tenants. Then manually check and approve all other
computers. Automatically approving all clients isn't recommended, unless you have
other access controls to prevent untrustworthy computers from accessing your network.

For more information about how to manually approve computers, see Manage clients
from the devices node.

Don't rely on blocking to prevent clients from accessing the Configuration Manager
hierarchy

Blocked clients are rejected by the Configuration Manager infrastructure. If clients are
blocked, they can't communicate with site systems to download policy, upload inventory
data, or send state or status messages.

Blocking is designed for the following scenarios:

To block lost or compromised boot media when you deploy an OS to clients
When all site systems accept HTTPS client connections

When site systems accept HTTP client connections, don't rely on blocking to protect the
Configuration Manager hierarchy from untrusted computers. In this scenario, a blocked
client could rejoin the site with a new self-signed certificate and hardware ID.
Certificate revocation is the primary line of defense against potentially compromised
certificates. A certificate revocation list (CRL) is only available from a supported public
key infrastructure (PKI). Blocking clients in Configuration Manager offers a second line of
defense to protect your hierarchy.

For more information, see Determine whether to block clients.

Use the most secure client installation methods that are practical for your
environment

For domain computers, group policy client installation and software update-based
client installation methods are more secure than client push installation.

If you apply access controls and change controls, use imaging and manual
installation methods.

Use Kerberos mutual authentication with client push installation.

Of all the client installation methods, client push installation is the least secure because
of the many dependencies it has. These dependencies include local administrative
permissions, the Admin$ share, and firewall exceptions. The number and type of these
dependencies increase your attack surface.

When using client push, the site can require Kerberos mutual authentication by not
allowing fallback to NTLM before establishing the connection. This enhancement helps
to secure the communication between the server and the client. For more information,
see How to install clients with client push.

For more information about the different client installation methods, see Client
installation methods.

Wherever possible, select a client installation method that requires the least security
permissions in Configuration Manager. Restrict the administrative users that are
assigned security roles with permissions that can be used for purposes other than client
deployment. For example, configuring automatic client upgrade requires the Full
Administrator security role, which grants an administrative user all security permissions.

For more information about the dependencies and security permissions required for
each client installation method, see Prerequisites for computer clients.

If you must use client push installation, secure the client push installation account

The client push installation account must be a member of the local Administrators
group on each computer that installs the Configuration Manager client. Never add the
client push installation account to the Domain Admins group. Instead, create a global
group that contains the account, and then add that global group to the local
Administrators group on your clients. To do this at scale, create a group policy object
with a Restricted Groups setting that adds the global group to the local Administrators
group.

For greater security, create multiple client push installation accounts, each with
administrative access to a limited number of computers. If one account is compromised,
only the client computers to which that account has access are compromised.

Remove certificates before imaging clients

When you deploy clients by using OS images, always remove certificates before
capturing the image. These certificates include PKI certificates for client authentication,
and self-signed certificates. If you don't remove these certificates, clients might
impersonate each other. You can't verify the data for each client.

For more information, see Create a task sequence to capture an OS.

Make sure that the Configuration Manager client gets an authorized copy of
certificates

The Configuration Manager trusted root key certificate

When both of the following statements are true, clients rely on the Configuration
Manager trusted root key to authenticate valid management points:

You haven't extended the Active Directory schema for Configuration Manager
Clients don't use PKI certificates when they communicate with management points

In this scenario, clients have no way to verify that the management point is trusted for
the hierarchy unless they use the trusted root key. Without the trusted root key, a skilled
attacker could direct clients to a rogue management point.

When clients don't use PKI certificates and can't download the trusted root key from the
Active Directory global catalog, pre-provision the clients with the trusted root key. This
action makes sure that they can't be directed to a rogue management point. For more
information, see Planning for the trusted root key.

The site server signing certificate

Clients use the site server signing certificate to verify that the site server signed the
policy downloaded from a management point. This certificate is self-signed by the site
server and published to Active Directory Domain Services.

When clients can't download this certificate from the Active Directory global catalog, by
default they download it from the management point. If the management point is
exposed to an untrusted network like the internet, manually install the site server
signing certificate on clients. This action makes sure that they can't download tampered
client policies from a compromised management point.

To manually install the site server signing certificate, use the CCMSetup client.msi
property SMSSIGNCERT.

If the client downloads the trusted root key from the first management point it
contacts, don't use automatic site assignment

To avoid the risk of a new client downloading the trusted root key from a rogue
management point, only use automatic site assignment in the following scenarios:

The client can access Configuration Manager site information that's published to
Active Directory Domain Services.

You pre-provision the client with the trusted root key.

You use PKI certificates from an enterprise certification authority to establish trust
between the client and the management point.

For more information about the trusted root key, see Planning for the trusted root key.
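The following PowerShell is an added example, not code from the Configuration Manager documentation, that puts the three preceding sections into practice. Run on the site server, it exports the public site server signing certificate, reads the trusted root key from mobileclient.tcf, and builds a CCMSetup command line that pre-provisions both and pins the site code, so a new client never has to learn either value from the first management point it reaches. The site code, install path, output folder and the friendly-name filter for the signing certificate are assumptions for the example; check them against your site before use.

```powershell
# Added example, not from the Configuration Manager documentation. Run on the site
# server with an account that can read the machine SMS certificate store and the
# install folder. Site code, paths and the certificate filter are assumptions.

$SiteCode  = 'PS1'                                                 # assumed
$CMInstall = 'C:\Program Files\Microsoft Configuration Manager'    # assumed
$OutDir    = 'C:\ClientProvisioning'                               # assumed; copy to removable media

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Export-SiteServerSigningCert {
    param([Parameter(Mandatory)][string]$Path)
    # The site server keeps its self-signed signing certificate in the machine 'SMS' store.
    # Assumption: its friendly name contains 'Site Server Signing'; adjust if yours differs.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\SMS |
        Where-Object { $_.FriendlyName -like '*Site Server Signing*' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'Site server signing certificate not found in Cert:\LocalMachine\SMS; check the filter.' }
    # Export the public certificate only (DER .cer). The private key stays on the site server.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $cert.Thumbprint
}

function Get-TrustedRootKey {
    param([Parameter(Mandatory)][string]$TcfPath)
    # mobileclient.tcf carries the trusted root key on an SMSPublicRootKey= line.
    $m = Select-String -Path $TcfPath -Pattern '^SMSPublicRootKey=(\S+)' | Select-Object -First 1
    if (-not $m) { throw "SMSPublicRootKey not found in $TcfPath" }
    return $m.Matches[0].Groups[1].Value
}

$cerPath    = Join-Path $OutDir 'SiteServerSigning.cer'
$thumbprint = Export-SiteServerSigningCert -Path $cerPath
$tcfPath    = Join-Path $CMInstall 'bin\X64\mobileclient.tcf'   # assumed location of the .tcf
$rootKey    = Get-TrustedRootKey -TcfPath $tcfPath

# /UsePKICert makes the client prefer a PKI client certificate; SMSSIGNCERT and
# SMSPublicRootKey pre-provision the two trust anchors; SMSSITECODE is explicit so that
# automatic site assignment is not used.
$ccmsetup = Join-Path $CMInstall 'Client\ccmsetup.exe'
$cmdArgs  = @(
    '/UsePKICert'
    "SMSSITECODE=$SiteCode"
    "SMSSIGNCERT=`"$cerPath`""
    "SMSPublicRootKey=$rootKey"
)

# Record what was provisioned so an operator can verify it out of band before running it.
@"
Site server signing certificate thumbprint: $thumbprint
Trusted root key (SMSPublicRootKey):        $rootKey
Command to run on the new client:
  "$ccmsetup" $($cmdArgs -join ' ')
"@ | Tee-Object -FilePath (Join-Path $OutDir 'ccmsetup-command.txt')
```

Transport the output folder (and a copy of the Client folder, if you also want to pass /source:<Path> so no management point is contacted for source files) on trusted media rather than over the network you are trying not to trust. The thumbprint and key in the text file are what an operator should compare against the site server before running the command on a client.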

Make sure that maintenance windows are large enough to deploy critical software
updates

Maintenance windows for device collections restrict the times that Configuration
Manager can install software on these devices. If you configure the maintenance
window to be too small, the client may not install critical software updates. This behavior
leaves the client vulnerable to any attack that the software update mitigates.

Take security precautions to reduce the attack surface on Windows Embedded devices
with write filters

When you enable write filters on Windows Embedded devices, any software installations
or changes are only made to the overlay. These changes don't persist after the device
restarts. If you use Configuration Manager to disable the write filters, during this period
the embedded device is vulnerable to changes to all volumes. These volumes include
shared folders.

Configuration Manager locks the computer during this period so that only local
administrators can sign in. Whenever possible, take other security precautions to help
protect the computer. For example, enable restrictions on the firewall.

If you use maintenance windows to persist changes, plan these windows carefully.
Minimize the time that write filters are disabled, but make them long enough to allow
software installations and restarts to complete.

Use the latest client version with software update-based client installation

If you use software update-based client installation, and install a later version of the
client on the site, update the published software update. Then clients receive the latest
version from the software update point.

When you update the site, the software update for client deployment that's published to
the software update point isn't automatically updated. Republish the Configuration
Manager client to the software update point and update the version number.

For more information, see How to install Configuration Manager clients by using
software update-based installation.

Only suspend BitLocker PIN entry on trusted and restricted-access devices

Only configure the client setting to Suspend BitLocker PIN entry on restart to Always
for computers that you trust and that have restricted physical access.

When you set this client setting to Always, Configuration Manager can complete the
installation of software. This behavior helps install critical software updates and resume
services. If an attacker intercepts the restart process, they could take control of the
computer. Use this setting only when you trust the computer, and when physical access
to the computer is restricted. For example, this setting might be appropriate for servers
in a data center.

For more information on this client setting, see About client settings.

Don't bypass PowerShell execution policy

If you configure the Configuration Manager client setting for PowerShell execution
policy to Bypass, then Windows allows unsigned PowerShell scripts to run. This behavior
could allow malware to run on client computers. When your organization requires this
option, use a custom client setting. Assign it to only the client computers that must run
unsigned PowerShell scripts.

For more information on this client setting, see About client settings.

Security guidance for mobile devices

Install the enrollment proxy point in a perimeter network and the enrollment point in
the intranet

For internet-based mobile devices that you enroll with Configuration Manager, install
the enrollment proxy point in a perimeter network and the enrollment point in the
intranet. This role separation helps to protect the enrollment point from attack. If an
attacker compromises the enrollment point, they could obtain certificates for
authentication. They can also steal the credentials of users who enroll their mobile
devices.

Configure the password settings to help protect mobile devices from unauthorized
access

For mobile devices that are enrolled by Configuration Manager: Use a mobile device
configuration item to configure the password complexity as the PIN. Specify at least the
default minimum password length.

For mobile devices that don't have the Configuration Manager client installed but are
managed by the Exchange Server connector: Configure the Password Settings for the
Exchange Server connector such that the password complexity is the PIN. Specify at
least the default minimum password length.

Only allow applications to run that are signed by companies that you trust

Help prevent tampering of inventory information and status information by allowing
applications to run only when they're signed by companies that you trust. Don't allow
devices to install unsigned files.

For mobile devices that are enrolled by Configuration Manager: Use a mobile device
configuration item to configure the security setting Unsigned applications as
Prohibited. Configure Unsigned file installations to be a trusted source.

For mobile devices that don't have the Configuration Manager client installed but are
managed by the Exchange Server connector: Configure the Application Settings for the
Exchange Server connector such that Unsigned file installation and Unsigned
applications are Prohibited.

Lock mobile devices when not in use

Help prevent elevation of privilege attacks by locking the mobile device when it isn't
used.

For mobile devices that are enrolled by Configuration Manager: Use a mobile device
configuration item to configure the password setting Idle time in minutes before
mobile device is locked.

For mobile devices that don't have the Configuration Manager client installed but are
managed by the Exchange Server connector: Configure the Password Settings for the
Exchange Server connector to set the Idle time in minutes before mobile device is
locked.

Restrict the users who can enroll their mobile devices

Help prevent elevation of privileges by restricting the users who can enroll their mobile
devices. Use a custom client setting rather than default client settings to allow only
authorized users to enroll their mobile devices.

User device affinity guidance for mobile devices

Don't deploy applications to users who have mobile devices enrolled by Configuration
Manager in the following scenarios:

The mobile device is used by more than one person.

The device is enrolled by an administrator on behalf of a user.

The device is transferred to another person without retiring and then re-enrolling
the device.

Device enrollment creates a user device affinity relationship. This relationship maps the
user who does enrollment to the mobile device. If another user uses the mobile device,
they can run the applications deployed to the original user, which might result in an
elevation of privileges. Similarly, if an administrator enrolls the mobile device for a user,
applications deployed to the user aren't installed on the mobile device. Instead,
applications deployed to the administrator might be installed.

Protect the connection between the Configuration Manager site server and the
Exchange Server

If the Exchange Server is on-premises, use IPsec. Hosted Exchange automatically secures
the connection with HTTPS.

Use the principle of least privilege for the Exchange connector

For a list of the minimum cmdlets that the Exchange Server connector requires, see
Manage mobile devices with Configuration Manager and Exchange.

Security guidance for macOS devices

Store and access the client source files from a secured location

Before installing or enrolling the client on a macOS computer, Configuration Manager
doesn't verify whether these client source files have been tampered with. Download
these files from a trustworthy source. Securely store and access them.

Monitor and track the validity period of the certificate

Monitor and track the validity period of the certificates that you use for macOS
computers. Configuration Manager doesn't support automatic renewal of this certificate,
or warn you that the certificate is about to expire. A typical validity period is one year.

For more information about how to renew the certificate, see Renewing the macOS
client certificate manually.

Configure the trusted root certificate for SSL only

To help protect against elevation of privileges, configure the certificate for the trusted
root certificate authority so that it's only trusted for the SSL protocol.

When you enroll Mac computers, a user certificate to manage the Configuration
Manager client is automatically installed. This user certificate includes the trusted root
certificates in its trust chain. To restrict the trust of this root certificate to the SSL
protocol only, use the following procedure:

1. On the Mac computer, open a terminal window.

2. Enter the following command:
   sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access

3. In the Keychain Access dialog box, in the Keychains section, select System. Then in
the Category section, select Certificates.

4. Locate and open the root CA certificate for the Mac client certificate.

5. In the dialog box for the root CA certificate, expand the Trust section, and then
make the following changes:

a. When using this certificate: Change the Always Trust setting to Use System
Defaults.

b. Secure Sockets Layer (SSL): Change no value specified to Always Trust.

6. Close the dialog box. When prompted, enter the administrator's password, and
then select Update Settings.

After you complete this procedure, the root certificate is only trusted to validate the SSL
protocol. Other protocols that are now untrusted with this root certificate include Secure
Mail (S/MIME), Extensible Authentication (EAP), or code signing.

Note

Also use this procedure if you installed the client certificate independently from
Configuration Manager.

Security issues for clients

The following security issues have no mitigation:

Status messages aren't authenticated

The management point doesn't authenticate status messages. When a management
point accepts HTTP client connections, any device can send status messages to the
management point. If the management point accepts HTTPS client connections only, a
device must have a valid client authentication certificate, but could also send any status
message. The management point discards any invalid status message received from a
client.

There are a few potential attacks against this vulnerability:

An attacker could send a bogus status message to gain membership in a collection
that's based on status message queries.
Any client could launch a denial of service against the management point by
flooding it with status messages.
If status messages are triggering actions in status message filter rules, an attacker
could trigger the status message filter rule.
An attacker could send status message that would render reporting information
inaccurate.

Policies can be retargeted to non-targeted clients

There are several methods that attackers could use to make a policy targeted to one
client apply to an entirely different client. For example, an attacker at a trusted client
could send false inventory or discovery information to have the computer added to a
collection to which it shouldn't belong. That client then receives all the deployments to
that collection.

Controls exist to help prevent attackers from directly modifying policy. However,
attackers could take an existing policy that reformats and redeploys an OS and send it
to a different computer. This redirected policy could create a denial of service. These
types of attacks would require precise timing and extensive knowledge of the
Configuration Manager infrastructure.

Client logs allow user access

All the client log files grant the Users group Read access and the special Interactive
identity Write access. If you enable verbose logging, attackers might read the log files
to look for information about compliance or system vulnerabilities. Processes such as
software that the client installs in a user's context must write to logs with a
low-rights user account, so an attacker could also write to the logs with a low-rights
account.

The most serious risk is that an attacker could remove information from the log files.
An administrator might need this information for auditing and intrusion detection.
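The page offers no mitigation for this issue, but a practitioner will want to see the exposure rather than assume it. The following PowerShell is an added example, not part of the documentation: it reads the ACL of the client log folder and reports which low-rights identities can read, write or delete there. It only reads the ACL; it does not change it, because the client and software running in a user's context need to keep writing these logs. The default log location under %WINDIR%\CCM\Logs is an assumption.

```powershell
# Added example, not from the Configuration Manager documentation. Reports effective
# read/write/delete rights on the client log folder for "any user" identities.
# Assumption: default client install, so logs live under %WINDIR%\CCM\Logs.

function Get-ClientLogFolderAccess {
    param([string]$Path = (Join-Path $env:WINDIR 'CCM\Logs'))
    $rights = [System.Security.AccessControl.FileSystemRights]
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $r = $ace.FileSystemRights
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            Read      = [bool]($r -band $rights::ReadData)
            Write     = [bool]($r -band $rights::WriteData)
            # Delete on the folder or on its children lets a low-rights user remove log evidence.
            Delete    = [bool](($r -band $rights::Delete) -or ($r -band $rights::DeleteSubdirectoriesAndFiles))
            FullCtrl  = (($r -band $rights::FullControl) -eq $rights::FullControl)
        }
    }
}

# Identities that stand for "any logged-on user". The page says Users has Read and
# INTERACTIVE has Write; anything beyond that (Delete or Full Control) is worth a look.
$LowRightsIdentities = @(
    'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Users'
)
function Find-ClientLogFolderExposure {
    param([string]$Path = (Join-Path $env:WINDIR 'CCM\Logs'))
    Get-ClientLogFolderAccess -Path $Path |
        Where-Object { $_.Type -eq 'Allow' -and $_.Identity -in $LowRightsIdentities -and ($_.Delete -or $_.FullCtrl) }
}

# Usage: full picture, then only the entries that let a low-rights user remove log data.
Get-ClientLogFolderAccess | Format-Table -AutoSize
Find-ClientLogFolderExposure | Format-Table -AutoSize
```

Because the rights cannot be tightened without breaking client logging, the practical response is to treat the local copy as untrusted and keep a copy elsewhere: collect the log folder to a central store on a schedule, or audit delete operations on it, so that removal of entries is itself visible.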

A computer could be used to obtain a certificate that's designed for mobile device
enrollment

When Configuration Manager processes an enrollment request, it can't verify the
request originated from a mobile device rather than from a computer. If the request is
from a computer, it can install a PKI certificate that then allows it to register with
Configuration Manager.

To help prevent an elevation of privilege attack in this scenario, only allow trusted users
to enroll their mobile devices. Carefully monitor device enrollment activities in the site.

A blocked client can still send messages to the management point

When you block a client that you no longer trust, but it established a network
connection for client notification, Configuration Manager doesn't disconnect the
session. The blocked client can continue to send packets to its management point until
the client disconnects from the network. These packets are only small, keep-alive
packets. This client can't be managed by Configuration Manager until it's unblocked.

Automatic client upgrade doesn't verify the management point

When you use automatic client upgrade, the client can be directed to a management
point to download the client source files. In this scenario, the client doesn't verify the
management point as a trusted source.

When users first enroll macOS computers, they're at risk from DNS spoofing

When the macOS computer connects to the enrollment proxy point during enrollment,
it's unlikely that the macOS computer already has the trusted root CA certificate. At this
point, the macOS computer doesn't trust the server, and prompts the user to continue.
If a rogue DNS server resolves the fully qualified domain name (FQDN) of the
enrollment proxy point, it could direct the macOS computer to a rogue enrollment
proxy point to install certificates from an untrusted source. To help reduce this risk,
follow DNS guidance to avoid spoofing in your environment.

macOS enrollment doesn't limit certificate requests
Users can re-enroll their macOS computers, each time requesting a new client certificate.
Configuration Manager doesn't check for multiple requests or limit the number of
certificates requested from a single computer. A rogue user could run a script that
repeats the command-line enrollment request. This attack could cause a denial of
service on the network or on the issuing certificate authority (CA). To help reduce this
risk, carefully monitor the issuing CA for this type of suspicious behavior. Immediately
block from the Configuration Manager hierarchy any computer that shows this pattern
of behavior.

A wipe acknowledgment doesn't verify that the device has been successfully wiped
When you start a wipe action for a mobile device, and Configuration Manager
acknowledges the wipe, the verification is that Configuration Manager successfully sent
the message. It doesn't verify that the device acted on the request.

For mobile devices managed by the Exchange Server connector, a wipe
acknowledgment verifies that the command was received by Exchange, not by the
device.

If you use the options to commit changes on Windows Embedded devices, accounts might be locked out sooner than expected
If the Windows Embedded device is running an OS version earlier than Windows 7, and
a user attempts to sign in while the write filters are disabled by Configuration Manager,
Windows allows only half of the configured number of incorrect attempts before the
account is locked out.

For example, you configure the domain policy for Account lockout threshold to six
attempts. A user mistypes their password three times, and the account is locked out.
This behavior effectively creates a denial of service. If users must sign in to embedded
devices in this scenario, caution them about the potential for a reduced lockout
threshold.

Privacy information for clients

When you deploy the Configuration Manager client, you enable client settings for
Configuration Manager features. The settings that you use to configure the features can
apply to all clients in the Configuration Manager hierarchy. This behavior is the same
whether they're directly connected to the internal network, connected through a remote
session, or connected to the internet.

Client information is stored in the Configuration Manager site database in your SQL
Server, and isn't sent to Microsoft. Information is kept in the database until it's deleted
by the site maintenance task Delete Aged Discovery Data every 90 days. You can
configure the deletion interval.

Some summarized or aggregate diagnostics and usage data is sent to Microsoft. For
more information, see Diagnostics and usage data.

You can learn more about Microsoft's data collection and use in the Microsoft Privacy
Statement.

Client status
Configuration Manager monitors the activity of clients. It periodically evaluates the
Configuration Manager client and can remediate issues with the client and its
dependencies. Client status is enabled by default. It uses server-side metrics for the
client activity checks. Client status uses client-side actions for self-checks, remediation,
and for sending client status information to the site. The client runs the self-checks
according to a schedule that you configure. The client sends the results of the checks to
the Configuration Manager site. This information is encrypted during transfer.

Client status information is stored in the Configuration Manager database in your SQL
Server, and isn't sent to Microsoft. The information isn't stored in encrypted format in
the site database. This information is kept in the database until it's deleted according to
the value configured for the Retain client status history for the following number of
days client status setting. The default value for this setting is every 31 days.

Privacy information for the Exchange Server Connector
The Exchange Server Connector finds and manages devices that connect to an on-
premises or hosted Exchange Server by using the ActiveSync protocol. The records
found by the Exchange Server Connector are stored in the Configuration Manager
database in your SQL Server. The information is collected from the Exchange Server. It
doesn't contain any additional information from what the mobile devices send to
Exchange Server.
The mobile device information isn't sent to Microsoft. The mobile device information is
stored in the Configuration Manager database in your SQL Server. Information is kept in
the database until it's deleted by the site maintenance task Delete Aged Discovery Data
every 90 days. You configure the deletion interval.

You can learn more about Microsoft's data collection and use in the Microsoft Privacy
Statement.
Recommendations for client
deployment in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Planning

Use a phased rollout to manage CPU usage

To minimize the effect of the CPU processing requirements on the site server, use a
phased rollout of clients. Deploy clients outside of business hours. This practice allows
other services to have more available bandwidth during the day. It also doesn't disrupt
user productivity if their computer slows down or requires a restart.

Prepare required PKI certificates in advance

PKI certificates enable the following scenarios:

- HTTPS-enabled client communication
- Manage devices on the internet
- Enroll mobile devices for on-premises MDM
- Enroll macOS devices

You need certificates on certain site systems and the client devices. The most common
site systems are management points and distribution points. On production networks,
you might require change management approval to use new certificates or restart site
system servers. Users may also need to sign out of Windows to get new group
membership. Make sure to allow sufficient time for replication of security permissions
and new certificate templates.

For more information, see PKI certificate requirements.

Before you begin

Extend the Active Directory schema and publish the site so that you can run CCMSetup without command-line options
When you extend the Active Directory schema for Configuration Manager, and publish
the site to Active Directory Domain Services, the site publishes many client installation
properties to Active Directory. If a computer can locate these client installation
properties, it can use them during Configuration Manager client deployment. Because
the site automatically generates this information, it eliminates the risk of human error
associated with manually entering installation properties.

For more information, see About client installation properties published to Active
Directory Domain Services.

Install client language packs

Before you deploy the client, install any necessary client language packs to enable other
languages. If you install client language packs on a site after you install clients, you need
to reinstall the clients before they can use the new languages.

For more information, see Language packs.

Configure any required client settings and maintenance windows
Although you can configure client settings and maintenance windows before or after
you install clients, it's better to configure required settings before you install clients.
Then the client can use them as soon as it installs. For more information about settings
download during the client assignment process, see How to assign clients to a site.

Configure maintenance windows for servers and for Windows Embedded devices to
support business continuity on critical devices. Maintenance windows make sure that
required software updates and antimalware software don't restart the computer during
business hours.

For more information, see Configure client settings and How to use maintenance
windows.

Installation

If you install the client with client.msi properties, use SMSMP and FSP
The SMSMP property specifies the initial management point for the client. It removes
the dependency on service location solutions such as Active Directory Domain Services
and DNS.

Use the FSP property and install a fallback status point. It allows you to better monitor
client installation and assignment, and identify any communication problems.

For more information about these options, see About client installation properties.

Use software update-based client installation for Active Directory computers
This client deployment method has the following benefits:

- Uses existing Windows technologies
- Integrates with your Active Directory infrastructure
- Requires the least configuration in Configuration Manager
- Is the easiest to configure for firewalls
- Is the most secure

By using security groups and WMI filtering for the group policy configuration, you also
have flexibility to control which computers install the Configuration Manager client.

For more information, see How to install Configuration Manager clients by using
software update-based installation.

Enable automatic upgrade after your main client deployment finishes
Performance improvements in Configuration Manager can allow you to use automatic
upgrades as a primary client upgrade method. However, performance will depend on
your hierarchy infrastructure, such as the number of clients.

If you use another client installation method as the primary upgrade method, use
automatic client upgrade to catch computers that it missed. For example, devices that
were offline during the main deployment.

For more information, see Automatic client upgrades.

Assign site systems as clients to the same site

If you install the Configuration Manager client on site systems, assign them to the same
site. Roles like the management point and distribution point have shared binary files
between the role and the client. These collocated clients should always be the same
version as the site system role.

For example, for a management point in site XYZ, assign the client installed on this site
system server to site XYZ.

Other device types

Plan your user enrollment experience for Mac computers and mobile devices
If users will enroll their own macOS computers and mobile devices with Configuration
Manager, plan the user experience. For example, you might script the installation and
enrollment process by using a web page. Then users only enter the minimum amount of
information necessary. You can also send instructions with a link by email.

Write filters for Windows Embedded devices

Embedded devices that use enhanced write filters (EWF) are likely to experience state
message resynchronization. For example, they send full inventory rather than delta
inventory. If you have just a few embedded devices that use Enhanced Write Filters, you
might not notice anything. However, when you have many embedded devices that
resynchronize their information, this behavior can generate a noticeable increase in
network packets and higher CPU processing on the site server.

When you have a choice of which type of write filter to enable, choose file-based write
filters (FBWF) or unified write filters (UWF). Configure exceptions to persist client state
and inventory data between device restarts. These exceptions improve network and CPU
efficiency on the Configuration Manager client. For more information, see Plan for client
deployment to Windows Embedded devices.

For more information about the maximum number of Windows Embedded clients that a
primary site can support, see Supported operating systems for clients and devices.

Important

For Windows computers that you plan to protect with a unified write filter (UWF),
configure the device for UWF before you install the client. This configuration
enables Configuration Manager to install the client with a custom credential
provider that locks out low-rights users from signing in to the device during
maintenance mode.

Next steps
How to deploy clients to Windows computers
Determine whether to block clients in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

If a client computer or client mobile device is no longer trusted, you can block the client
in the System Center 2012 Configuration Manager console. Blocked clients are rejected
by the Configuration Manager infrastructure so that they cannot communicate with site
systems to download policy, upload inventory data, or send state or status messages.

You must block and unblock a client from its assigned site rather than from a secondary
site or a central administration site.

Important

Although blocking in Configuration Manager can help to secure the Configuration
Manager site, do not rely on this feature to protect the site from untrusted
computers or mobile devices if you allow clients to communicate with site systems
by using HTTP, because a blocked client could rejoin the site with a new self-signed
certificate and hardware ID. Instead, use the blocking feature to block lost or
compromised boot media that you use to deploy operating systems, and when site
systems accept HTTPS client connections.

Clients that access the site by using the ISV Proxy certificate cannot be blocked. For
more information about the ISV Proxy certificate, see the Configuration Manager
Software Development Kit (SDK).

If your site systems accept HTTPS client connections and your public key infrastructure
(PKI) supports a certificate revocation list (CRL), always consider certificate revocation to
be the primary line of defense against potentially compromised certificates. Blocking
clients in Configuration Manager offers a second line of defense to protect your
hierarchy.

Considerations for blocking clients

- This option is available for HTTP and HTTPS client connections, but has limited
  security when clients connect to site systems by using HTTP.
- Configuration Manager administrative users have the authority to block a client,
  and the action is taken in the Configuration Manager console.
- Client communication is rejected from the Configuration Manager hierarchy only.

  Note

  The same client could register with a different Configuration Manager hierarchy.

- The client is immediately blocked from the Configuration Manager site.
- Helps to protect site systems from potentially compromised computers and mobile
  devices.

Considerations for using certificate revocation

- This option is available for HTTPS Windows client connections if the public key
  infrastructure supports a certificate revocation list (CRL).
- Mac clients always perform CRL checking and this functionality cannot be disabled.
- Although mobile device clients do not use certificate revocation lists to check the
  certificates for site systems, their certificates can be revoked and checked by
  Configuration Manager.
- Public key infrastructure administrators have the authority to revoke a certificate,
  and the action is taken outside the Configuration Manager console.
- Client communication can be rejected from any computer or mobile device that
  requires this client certificate.
- There is likely to be a delay between revoking a certificate and site systems
  downloading the modified certificate revocation list (CRL).

  For many PKI deployments, this delay can be a day or longer. For example, in
  Active Directory Certificate Services, the default expiration period is one week for a
  full CRL, and one day for a delta CRL.
- Helps to protect site systems and clients from potentially compromised computers
  and mobile devices.

Note

You can further protect site systems that run IIS from unknown clients by
configuring a certificate trust list (CTL) in IIS.

Planning for client deployment to Mac
computers in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in January 2022, this feature of Configuration Manager is deprecated. For
more information, see Mac computers.

You can install the Configuration Manager client on Mac computers that run macOS X
and use the following management capabilities:

Hardware inventory

You can use Configuration Manager hardware inventory to collect information
about the hardware and installed applications on Mac computers. This information
can then be viewed in Resource Explorer in the Configuration Manager console
and used to create collections, queries and reports. For more information, see How
to use Resource Explorer to view hardware inventory.

Configuration Manager collects the following hardware information from Mac
computers:

- Processor
- Computer System
- Disk Drive
- Disk Partition
- Network Adapter
- Operating System
- Service
- Process
- Installed Software
- Computer System Product
- USB Controller
- USB Device
- CDROM Drive
- Video Controller
- Desktop Monitor
- Portable Battery
- Physical Memory
- Printer

Important

You cannot extend the hardware information that is collected from Mac
computers during hardware inventory.

Compliance settings

You can use Configuration Manager compliance settings to view the compliance of
and remediate macOS X preference (.plist) settings. For example, you could enforce
settings for the home page in the Safari web browser or ensure that the Apple
firewall is enabled. You can also use shell scripts to monitor and remediate settings
in macOS X.

Application management

Configuration Manager can deploy software to Mac computers. You can deploy
the following software formats to Mac computers:

- Apple disk image (.DMG)
- Meta package file (.MPKG)
- macOS X installer package (.PKG)
- macOS X application (.APP)

When you install the Configuration Manager client on Mac computers, you cannot
use the following management capabilities that are supported by the
Configuration Manager client on Windows-based computers:

- Client push installation
- Operating system deployment
- Software updates

  Note

  You can use Configuration Manager application management to deploy
  required macOS X software updates to Mac computers. In addition, you can
  use compliance settings to make sure that computers have any required
  software updates.

- Maintenance windows
- Remote control
- Power management
- Client status client check and remediation

For more information about how to install and configure the Configuration
Manager Mac client, see How to deploy clients to Macs.
Planning for client deployment to
Windows Embedded devices in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

If your Windows Embedded device does not include the Configuration Manager client,
you can use any of the client installation methods if the device meets the required
dependencies. If the embedded device supports write filters, you must disable these
filters before you install the client, and then re-enable the filters again after the client is
installed and assigned to a site.

Note that when you disable the filters, you should not disable the filter drivers. Typically
these drivers are started automatically when the computer is started. Disabling the
drivers will either prevent installation of the client, or interfere with write filter
orchestration which will cause client operations to fail. These are the services associated
with each write filter type that must remain running:

Write Filter | Driver | Type        | Description
EWF          | ewf    | Kernel      | Implements sector-level I/O redirection on protected volumes.
FBWF         | fbwf   | File System | Implements file-level I/O redirection on protected volumes.
UWF          | uwfreg | Kernel      | UWF Registry Redirector
UWF          | uwfs   | File System | UWF File Redirector
UWF          | uwfvol | Kernel      | UWF Volume Manager

Write filters control how the operating system on the embedded device is updated
when you make changes, such as when you install software. When write filters are
enabled, instead of making the changes directly to the operating system, these changes
are redirected to a temporary overlay. If the changes are only written to the overlay,
they are lost when the embedded device shuts down. However, if the write filters are
temporarily disabled, the changes can be made permanent so that you do not have to
make the changes again (or reinstall software) every time that the embedded device
restarts. Temporarily disabling and then re-enabling the write filters requires one or
more restarts, so you typically want to control when this happens by configuring
maintenance windows so that restarts occur outside business hours.

You can configure options to automatically disable and re-enable the write filters when
you deploy software such as applications, task sequences, software updates, and the
Endpoint Protection client. The exception is for configuration baselines with
configuration items that use automatic remediation. In this scenario, the remediation
always occurs in the overlay so that it is available only until the device is restarted. The
remediation is applied again at the next evaluation cycle, but only to the overlay, which
is cleared at restart. To force Configuration Manager to commit the remediation
changes, you can deploy the configuration baseline and then another software
deployment that supports committing the change as soon as possible.

If the write filters are disabled, you can install software on Windows Embedded devices
by using Software Center. However, if the write filters are enabled, the installation fails
and Configuration Manager displays an error message that you have insufficient
permissions to install the application.

Warning

Even if you do not select the Configuration Manager options to commit the
changes, the changes might be committed if another software installation or
change is made that commits changes. In this scenario, the original changes will be
committed in addition to the new changes.

When Configuration Manager disables the write filters to make changes permanent,
only users who have local administrative rights can log on and use the embedded
device. During this period, low-rights users are locked out and see a message that the
computer is unavailable because it is being serviced. This helps protect the device while
it is in a state where changes can be permanently applied, and this servicing mode
lockout behavior is another reason to configure a maintenance window for a time when
users will not log on to these devices.

Configuration Manager supports managing the following types of write filters:

- File-Based Write Filter (FBWF) - For more information, see File-Based Write Filter.
- Enhanced Write Filter (EWF) RAM - For more information, see Enhanced Write Filter.
- Unified Write Filter (UWF) - For more information, see Unified Write Filter.

Configuration Manager does not support write filter operations when the Windows
Embedded device is in EWF RAM Reg mode.

Important

If you have the choice, use File-Based Write Filters (FBWF) with Configuration
Manager for increased efficiency and higher scalability.

For devices that use FBWF only: Configure the following exceptions to persist
client state and inventory data between device restarts:

- CCMINSTALLDIR\*.sdf
- CCMINSTALLDIR\ServiceData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\StateSystem

Devices that run Windows Embedded 8.0 and later do not support exclusions
that contain wildcard characters. On these devices, you must configure the
following exclusions individually:

- All files in CCMINSTALLDIR with the extension .sdf, typically:
  - UserAffinityStore.sdf
  - InventoryStore.sdf
  - CcmStore.sdf
  - StateMessageStore.sdf
  - CertEnrollmentStore.sdf
- CCMINSTALLDIR\ServiceData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\StateSystem

For devices that use FBWF and UWF only: When clients in a workgroup use
certificates for authentication to management points, you must also exclude the
private key to ensure the client continues to communicate with the management
point. On these devices, configure the following exceptions:

- c:\Windows\System32\Microsoft\Protect
- c:\ProgramData\Microsoft\Crypto
- HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SMS\Certificates

Note

No additional exceptions are needed by the Configuration Manager client other
than those documented in the above Important box. Adding additional
Configuration Manager or WMI (WBEM) related exceptions may lead to failures of
the Configuration Manager client, including devices getting stuck in servicing mode or
devices experiencing reboot loops. Unneeded exceptions include the Configuration
Manager client directory, the CCMcache directory, the CCMSetup directory, the Task
Sequence cache directory, the WBEM directory, and Configuration Manager related
registry keys.
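As an added example, not from the Configuration Manager documentation, the following PowerShell applies the three UWF exclusions listed in the Important box for workgroup clients that authenticate with certificates, refuses wildcard paths (unsupported on Windows Embedded 8.0 and later), and reads the next-session configuration back so a typo does not silently leave the private key unprotected across restarts. It assumes a UWF-enabled Windows Embedded 8.0 or later device with uwfmgr.exe on the path and an elevated session; the function names and the textual check of uwfmgr output are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: apply exactly the UWF exclusions the article documents for
# workgroup clients using certificates, and nothing else (see the Note above).

# The documented exceptions for FBWF/UWF devices whose clients use certificates.
$FileExclusions = @(
    'C:\Windows\System32\Microsoft\Protect',
    'C:\ProgramData\Microsoft\Crypto'
)
$RegistryExclusions = @(
    'HKLM\Software\Microsoft\SystemCertificates\SMS\Certificates'
)

function Invoke-Uwfmgr {
    # Runs uwfmgr.exe and throws on a non-zero exit code so a failed
    # add-exclusion is never mistaken for success.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & uwfmgr.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "uwfmgr $($Arguments -join ' ') failed ($LASTEXITCODE): $output"
    }
    return $output
}

function Add-CMUwfExclusions {
    # Adds the file and registry exclusions; changes apply after the next restart.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Files = $FileExclusions,
        [string[]]$Keys  = $RegistryExclusions
    )
    foreach ($path in $Files) {
        if ($path -match '[\*\?]') {
            # Windows Embedded 8.0 and later reject wildcard exclusions.
            throw "Wildcard exclusions are not supported on UWF devices: $path"
        }
        if ($PSCmdlet.ShouldProcess($path, 'uwfmgr file add-exclusion')) {
            Invoke-Uwfmgr -Arguments @('file', 'add-exclusion', $path) | Out-Null
        }
    }
    foreach ($key in $Keys) {
        if ($PSCmdlet.ShouldProcess($key, 'uwfmgr registry add-exclusion')) {
            Invoke-Uwfmgr -Arguments @('registry', 'add-exclusion', $key) | Out-Null
        }
    }
}

function Test-CMUwfExclusions {
    # Reads back the configuration that applies after the next restart and
    # returns the expected exclusions that are absent (empty means all present).
    # Assumption: uwfmgr get-config lists each exclusion as the text that was added.
    param(
        [string[]]$Files = $FileExclusions,
        [string[]]$Keys  = $RegistryExclusions
    )
    $config = (Invoke-Uwfmgr -Arguments @('get-config')) -join "`n"
    $missing = @()
    foreach ($item in ($Files + $Keys)) {
        if ($config -notmatch [regex]::Escape($item)) { $missing += $item }
    }
    return $missing
}

Add-CMUwfExclusions -Verbose
$missing = Test-CMUwfExclusions
if ($missing.Count -gt 0) {
    Write-Warning "Not found in the next-session configuration: $($missing -join ', ')"
} else {
    Write-Host 'All documented exclusions are configured; restart the device to apply them.'
}
```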

For an example scenario to deploy and manage write-filter-enabled Windows
Embedded devices in Configuration Manager, see Example scenario for deploying and
managing Configuration Manager clients on Windows Embedded devices.

For more information about how to build images for Windows Embedded devices and
configure write filters, see your Windows Embedded documentation, or contact your
OEM.

Note

When you select the applicable platforms for software deployments and
configuration items, these display the Windows Embedded families rather than
specific versions.

Example scenario for deploying and
managing Configuration Manager
clients on Windows Embedded devices
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This scenario demonstrates how you can manage write-filter-enabled Windows
Embedded devices with Configuration Manager. If your embedded devices do not
support write filters, they behave as standard Configuration Manager clients and these
procedures don't apply.

Coho Vineyard & Winery is opening a visitor center and needs kiosks that run Windows
Embedded to run interactive presentations. The building for the new visitor center is not
close to the IT department, so the kiosks must be managed remotely. In addition to the
software that runs the presentations, these devices must run up-to-date antimalware
protection software to comply with the company security policies. The kiosks must run 7
days a week, with no downtime while the visitor center is open.

Coho already runs Configuration Manager to manage devices on their network.
Configuration Manager is configured to run Endpoint Protection, and install software
updates and applications. However, because the IT team has not managed Windows
Embedded devices before, the Configuration Manager administrator runs a pilot to
manage two kiosks in the reception lobby.

To manage these Windows Embedded devices that are write-filter-enabled, the
Configuration Manager administrator performs the following steps to install the
Configuration Manager client, protect the client by using Endpoint Protection, and
install the interactive presentation software.

1. The Configuration Manager administrator (the Admin) reads how Windows
Embedded devices use write filters and how Configuration Manager can make this
easier by automatically disabling and then re-enabling the write filters to persist a
software installation.

For more information, see Planning for client deployment to Windows Embedded
devices.

2. Before the Admin installs the Configuration Manager client, the Admin creates a
new query-based device collection for the Windows Embedded devices. Because
the company uses standard naming formats to identify their computers, the Admin
can uniquely identify Windows Embedded devices by the first six letters of the
computer name: WEMDVC. The Admin uses the following WQL query to create
this collection:

select SMS_R_System.NetbiosName from SMS_R_System where SMS_R_System.NetbiosName like "WEMDVC%"

This collection allows the Admin to manage the Windows Embedded devices with
different configuration options from the other devices. The Admin will use this
collection to control restarts, deploy Endpoint Protection with client settings, and
deploy the interactive presentation application.

See How to create collections.

3. The Admin configures the collection for a maintenance window to ensure that
restarts that might be required for installing the presentation application and any
upgrades do not occur during opening hours for the visitor center. Opening hours
will be 09:00 through 18:00, Monday through Sunday. The Admin configures the
maintenance window for every day, 18:30 through 06:00.

4. For more information, see How to use maintenance windows.

5. The Admin then configures a custom device client setting to install the Endpoint
Protection client by selecting Yes for the following settings, and then deploys this
custom client setting to the Windows Embedded device collection:

- Install Endpoint Protection client on client computers
- For Windows Embedded devices with write filters, commit Endpoint Protection
  client installation (requires restart)
- Allow Endpoint Protection client installation and restart to be performed
  outside maintenance windows

When the Configuration Manager client is installed, these settings install the
Endpoint Protection client and ensure that it is persisted in the operating
system as part of the installation, rather than written to the overlay only. The
company security policies require that the antimalware software is always
installed and the Admin does not want to run the risk of the kiosks being
unprotected for even a short period of time if they restart.

Note

The restarts that are required to install the Endpoint Protection client are a
one-time occurrence, which happen during the setup period for the devices
and before the visitor center is operational. Unlike the periodic deployment of
applications or software definition updates, the next time the Endpoint
Protection client is installed on the same device will probably be when the
company upgrades to the next version of Configuration Manager.

For more information, see Configuring Endpoint Protection.

6. With the configuration settings for the client now in place, the Admin prepares to
install the Configuration Manager clients. Before the Admin can install the clients,
they must manually disable the write filter on the Windows Embedded devices. The
Admin reads the OEM documentation that accompanies the kiosks and follows
their instructions to disable the write filters.

The Admin renames the device so it uses the company standard naming format,
and then installs the client manually by running CCMSetup with the following
command from a mapped drive that holds the client source files: CCMSetup.exe
/MP:mpserver.cohovineyardandwinery.com SMSSITECODE=CO1

This command installs the client, assigns the client to the management point that
has the intranet FQDN of mpserver.cohovineyardandwinery.com, and assigns the
client to the primary site named CO1.

The Admin knows that it always takes a while for clients to install and send back
their status to the site. So the Admin waits before they confirm that the clients
successfully install, assign to the site, and appear as clients in the collection that
they created for Windows Embedded devices.

As additional confirmation, the Admin checks the properties of Configuration
Manager in Control Panel on the devices and compares them to standard Windows
computers that are managed by the site. For example, on the Components tab, the
Hardware Inventory Agent displays Enabled, and on the Actions tab, there are 11
available actions, which include Application Deployment Evaluation Cycle and
Discovery Data Collection Cycle.

Confident that the clients are successfully installed, assigned, and receiving client
policy from the management point, the Admin then manually enables the write
filters by following the instructions from the OEM.

For more information, see:

How to deploy clients to Windows computers

How to assign clients to a site


7. Now that the Configuration Manager client is installed on the Windows Embedded
devices, the Admin confirms that they can manage them in the same way as they
manage the standard Windows clients. For example, from the Configuration
Manager console, the Admin can remotely manage them by using remote control,
initiate client policy for them, and view client properties and hardware inventory.

Because these devices are joined to an Active Directory domain, the Admin does
not have to manually approve them as trusted clients and confirms from the
Configuration Manager console that they are approved.

For more information, see How to manage clients.

8. To install the interactive presentation software, the Admin runs the Deploy
Software Wizard and configures a required application. On the User Experience
page of the wizard, in the Write filter handling for Windows Embedded devices
section, they accept the default option that selects Commit changes at deadline
or during a maintenance window (requires restarts).

The Admin keeps this default option for write filters to ensure that the application
persists after a restart, so that it is always available to the visitors using the kiosks.
The daily maintenance window provides a safe period during which the restarts for
installation and any updates can occur.

The Admin deploys the application to the Windows Embedded devices collection.

For more information, see How to deploy applications with Configuration
Manager.

9. To configure definition updates for Endpoint Protection, the Admin uses software
updates and runs the Create Automatic Deployment Rule Wizard. They select the
Definition Updates template to prepopulate the wizard with settings that are
appropriate for Endpoint Protection.

These settings include the following on the User Experience page of the wizard:

Deadline behavior: The Software Installation check box is not selected.

Write filter handling for Windows Embedded devices: The Commit changes
at deadline or during a maintenance window (requires restarts) check box is
not selected.

The Admin keeps these default settings. Together, these two options with this
configuration allow any software update definitions for Endpoint Protection
to be installed in the overlay during the day and not wait to be installed and
committed during the maintenance window. This configuration best meets
the company security policy for computers to run up-to-date antimalware
protection.

Note

Unlike software installations for applications, software update definitions
for Endpoint Protection can occur very frequently, even multiple times a
day. They are often small files. For these types of security-related
deployments, it can often be beneficial to always install to the overlay
rather than wait until the maintenance window. The Configuration
Manager client will quickly re-install the software definition updates if
the device restarts because this action initiates an evaluation check and
does not wait until the next scheduled evaluation.

The Admin selects the Windows Embedded devices collection for the
automatic deployment rule.

For more information, see Step 3: Configure Configuration Manager Software Updates
to Deliver Definition Updates to Client Computers in Configuring Endpoint Protection.

10. The Admin decides to configure a maintenance task that periodically commits all
changes on the overlay. This task is to support the software update definitions
deployment, to reduce the number of updates that accumulate and must be
installed again, each time the device restarts. In the Admin's experience, this helps
the antimalware programs run more efficiently.

Note

These software update definitions would be automatically committed to the
image if the embedded devices ran another management task that supported
committing the changes. For example, installing a new version of the
interactive presentation software would also commit the changes for software
update definitions. Or, installing standard software updates every month that
install during the maintenance window could also commit the changes for
software update definitions. However, in this scenario, where standard
software updates do not run and the interactive presentation software is
unlikely to be updated very often, it might be months before the software
definition updates are automatically committed to the image.

The Admin first creates a custom task sequence that has no settings other than the
name. They run the Create Task Sequence Wizard:

a. On the Create a New Task Sequence page, the Admin selects Create a new
custom task sequence, and then clicks Next.

b. On the Task Sequence Information page, the Admin enters Maintenance task
to commit changes on embedded devices for the task sequence name, and
then clicks Next.

c. On the Summary page, the Admin selects Next, and completes the wizard.

The Admin then deploys this custom task sequence to the Windows Embedded
devices collection, and configures the schedule to run every month. As part of
the deployment settings, they select the Commit changes at deadline or during
a maintenance window (requires restarts) check box to persist the changes
after a restart. To configure this deployment, the Admin selects the custom task
sequence that they just created, and then on the Home tab, in the Deployment
group, they click Deploy to start the Deploy Software Wizard:

d. On the General page, the Admin selects the Windows Embedded devices
collection, and then clicks Next.

e. On the Deployment Settings page, the Admin selects the Purpose of Required,
and then clicks Next.

f. On the Scheduling page, the Admin clicks New to specify a weekly schedule
during the maintenance window, and then clicks Next.

g. The Admin completes the wizard without any further changes.

For more information, see Manage task sequences to automate tasks.

11. For the kiosks to run automatically, the Admin writes a script to configure the
devices for the following settings:

Automatically log on, using a guest account that has no password.

Automatically run the interactive presentation software on startup.

The Admin uses packages and programs to deploy this script to the Windows
Embedded devices collection. When the Admin runs the Deploy Software
Wizard, they again select the Commit changes at deadline or during a
maintenance window (requires restarts) check box to persist the changes
after a restart.

For more information, see Packages and programs.

12. The following morning, the Admin checks the Windows Embedded devices. They
confirm the following:

The kiosk is automatically logged on by using the guest account.

The interactive presentation software is running.

The Endpoint Protection client is installed and has the latest software update
definitions.

That the device restarted during the maintenance window.

For more information, see:

How to monitor Endpoint Protection

Monitor applications with Configuration Manager

13. The Admin monitors the kiosks and reports the successful management of them to
their manager. As a result, 20 kiosks are ordered for the visitor center.

To avoid the manual installation of the Configuration Manager client, which
requires manually disabling and then enabling the write filters, the Admin ensures
that the order includes a customized image that already includes the installation
and site assignment of the Configuration Manager client. In addition, the devices
are named according to the company naming format.

The kiosks are delivered to the visitor center a week before it opens. During this
time, the kiosks are connected to the network, all device management for them is
automatic, and no local administrator is required. The Admin confirms that the
kiosks are functioning as required:

The clients on the kiosks complete site assignment and download the trusted
root key from Active Directory Domain Services.

The clients on the kiosks are automatically added to the Windows Embedded
devices collection and configured with the maintenance window.

The Endpoint Protection client is installed and has the latest software update
definitions for antimalware protection.

The interactive presentation software is installed and runs automatically,
ready for visitors.

14. After this initial setup, any restarts that might be required for updates occur only
when the visitor center is closed.

Plan how to wake up clients in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager supports traditional wake-up packets to wake up computers in
sleep mode when you want to install required software, such as software updates and
applications.

Note

This article describes how an older version of Wake on LAN functions. This
functionality still exists in Configuration Manager version 1810, which also includes
a newer version of Wake on LAN. Both versions of Wake on LAN can, and in
many cases will, be enabled simultaneously. For more information about how the
new version of Wake on LAN functions starting in 1810 and enabling either or both
versions, see How to configure Wake on LAN.

How to wake up clients in Configuration Manager
Configuration Manager supports traditional wake-up packets to wake up computers in
sleep mode when you want to install required software, such as software updates and
applications.

You can supplement the traditional wake-up packet method by using the wake-up proxy
client settings. Wake-up proxy uses a peer-to-peer protocol and elected computers to
check whether other computers on the subnet are awake, and to wake them if
necessary. When the site is configured for Wake On LAN and clients are configured for
wake-up proxy, the process works as follows:

1. Computers with the Configuration Manager client installed and that aren't asleep
on the subnet check whether other computers on the subnet are awake. They do
this check by sending each other a TCP/IP ping command every five seconds.

2. If there's no response from other computers, they're assumed to be asleep. The
computers that are awake become manager computers for the subnet.

Because it's possible that a computer might not respond because of a reason other
than it's asleep (for example, it's turned off, removed from the network, or the
proxy wake-up client setting is no longer applied), the computers are sent a
wake-up packet every day at 2 P.M. local time. Computers that don't respond will no
longer be assumed to be asleep and will not be woken up by wake-up proxy.

To support wake-up proxy, at least three computers must be awake for each
subnet. To achieve this requirement, three computers are non-deterministically
chosen to be guardian computers for the subnet. This state means that they stay
awake, despite any configured power policy to sleep or hibernate after a period of
inactivity. Guardian computers honor shutdown or restart commands, for example,
as a result of maintenance tasks. If this action happens, the remaining guardian
computers wake up another computer on the subnet so that the subnet continues
to have three guardian computers.

3. Manager computers ask the network switch to redirect network traffic for the
sleeping computers to themselves.

The redirection is achieved by the manager computer broadcasting an Ethernet
frame that uses the sleeping computer's MAC address as the source address. This
behavior makes the network switch behave as if the sleeping computer has moved
to the same port that the manager computer is on. The manager computer also
sends ARP packets for the sleeping computers to keep the entry fresh in the ARP
cache. The manager computer also responds to ARP requests on behalf of the
sleeping computer and replies with the MAC address of the sleeping computer.

Warning

During this process, the IP-to-MAC mapping for the sleeping computer
remains the same. Wake-up proxy works by informing the network switch that
a different network adapter is using the port that was registered by another
network adapter. However, this behavior is known as a MAC flap and is
unusual for standard network operation. Some network monitoring tools look
for this behavior and can assume that something is wrong. Consequently,
these monitoring tools can generate alerts or shut down ports when you use
wake-up proxy.

Do not use wake-up proxy if your network monitoring tools and services do
not allow MAC flaps.

4. When a manager computer sees a new TCP connection request for a sleeping
computer and the request is to a port that the sleeping computer was listening on
before it went to sleep, the manager computer sends a wake-up packet to the
sleeping computer, and then stops redirecting traffic for this computer.

5. The sleeping computer receives the wake-up packet and wakes up. The sending
computer automatically retries the connection and this time, the computer is
awake and can respond.

Wake-up proxy has the following prerequisites and limitations:

Important

If you have a separate team that is responsible for the network infrastructure and
network services, notify and include this team during your evaluation and testing
period. For example, on a network that uses 802.1X network access control, wake-
up proxy will not work and can disrupt the network service. In addition, wake-up
proxy could cause some network monitoring tools to generate alerts when the
tools detect the traffic to wake-up other computers.

All Windows operating systems listed as supported clients in Supported operating
systems for clients and devices are supported for Wake On LAN.

Guest operating systems that run on a virtual machine are not supported.

Clients must be enabled for wake-up proxy by using client settings. Although
wake-up proxy operation does not depend on hardware inventory, clients do not
report the installation of the wake-up proxy service unless they are enabled for
hardware inventory and submitted at least one hardware inventory.

Network adapters (and possibly the BIOS) must be enabled and configured for
wake-up packets. If the network adapter is not configured for wake-up packets or
this setting is disabled, Configuration Manager will automatically configure and
enable it for a computer when it receives the client setting to enable wake-up
proxy.

If a computer has more than one network adapter, you cannot configure which
adapter to use for wake-up proxy; the choice is non-deterministic. However, the
adapter chosen is recorded in the SleepAgent_<DOMAIN>@SYSTEM_0.log file.

The network must allow ICMP echo requests (at least within the subnet). You
cannot configure the five-second interval that is used to send the ICMP ping
commands.

Communication is unencrypted and unauthenticated, and IPsec is not supported.


The following network configurations are not supported:

802.1X with port authentication

Wireless networks

Network switches that bind MAC addresses to specific ports

IPv6-only networks

DHCP lease durations less than 24 hours

If you want to wake up computers for scheduled software installation, you must
configure each primary site to use wake-up packets.

To use wake-up proxy, you must deploy Power Management wake-up proxy client
settings in addition to configuring the primary site.

Decide whether to use subnet-directed broadcast packets, or unicast packets, and what
UDP port number to use. By default, traditional wake-up packets are transmitted by
using UDP port 9, but to help increase security, you can select an alternative port for the
site if this alternative port is supported by intervening routers and firewalls.

Choose Between Unicast and Subnet-Directed Broadcast for Wake-on-LAN
If you chose to wake up computers by sending traditional wake-up packets, you must
decide whether to transmit unicast packets or subnet-direct broadcast packets. If you
use wake-up proxy, you must use unicast packets. Otherwise, use the following table to
help you determine which transmission method to choose.

Transmission method: Unicast

Advantages:

- More secure solution than subnet-directed broadcasts because the packet is sent
directly to a computer instead of to all computers on a subnet.

- Might not require reconfiguration of routers (you might have to configure the ARP
cache).

- Consumes less network bandwidth than subnet-directed broadcast transmissions.

- Supported with IPv4 and IPv6.

Disadvantages:

- Wake-up packets do not find destination computers that have changed their subnet
address after the last hardware inventory schedule.

- Switches might have to be configured to forward UDP packets.

- Some network adapters might not respond to wake-up packets in all sleep states when
they use unicast as the transmission method.

Transmission method: Subnet-Directed Broadcast

Advantages:

- Higher success rate than unicast if you have computers that frequently change their
IP address in the same subnet.

- No switch reconfiguration is required.

- High compatibility rate with computer adapters for all sleep states, because
subnet-directed broadcasts were the original transmission method for sending wake-up
packets.

Disadvantages:

- Less secure solution than using unicast because an attacker could send continuous
streams of ICMP echo requests from a falsified source address to the directed
broadcast address. This causes all of the hosts to reply to that source address. If
routers are configured to allow subnet-directed broadcasts, the additional
configuration is recommended for security reasons:

  - Configure routers to allow only IP-directed broadcasts from the Configuration
  Manager site server, by using a specified UDP port number.

  - Configure Configuration Manager to use the specified non-default port number.

- Might require reconfiguration of all intervening routers to enable subnet-directed
broadcasts.

- Consumes more network bandwidth than unicast transmissions.

- Supported with IPv4 only; IPv6 is not supported.


Warning

There are security risks associated with subnet-directed broadcasts: An attacker
could send continuous streams of Internet Control Message Protocol (ICMP) echo
requests from a falsified source address to the directed broadcast address, which
cause all the hosts to reply to that source address. This type of denial of service
attack is commonly called a smurf attack and is typically mitigated by not enabling
subnet-directed broadcasts.

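
As an added example that is not part of the Configuration Manager documentation, the following PowerShell builds a traditional wake-up packet and sends it either as a unicast datagram or as a subnet-directed broadcast on the wake-up UDP port (9 by default), enforcing the IPv4-only limitation of directed broadcasts from the table above. It assumes the standard magic-packet layout (six 0xFF bytes followed by the MAC address repeated sixteen times), which the article does not spell out, and the sample MAC address, IP address, mask and port are constructed placeholders.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Assumes the standard Wake-on-LAN magic packet layout: 6 x 0xFF, then the
# target MAC address repeated 16 times, carried in one UDP datagram.

function New-WakeUpPacket {
    param([Parameter(Mandatory)][string]$MacAddress)

    $octets = $MacAddress -split '[:-]'
    if ($octets.Count -ne 6) { throw "MAC address must have six octets: $MacAddress" }
    [byte[]]$mac = $octets | ForEach-Object { [Convert]::ToByte($_, 16) }

    # Synchronization stream followed by the MAC address 16 times (102 bytes total).
    [byte[]]$packet = ((,[byte]0xFF) * 6) + ($mac * 16)
    return $packet
}

function Get-DirectedBroadcastAddress {
    # Computes the subnet-directed broadcast address for an IPv4 host and mask.
    param(
        [Parameter(Mandatory)][ipaddress]$Address,
        [Parameter(Mandatory)][ipaddress]$SubnetMask
    )
    if ($Address.AddressFamily -ne 'InterNetwork') {
        throw 'Subnet-directed broadcast is supported with IPv4 only.'
    }
    $a = $Address.GetAddressBytes()
    $m = $SubnetMask.GetAddressBytes()
    $b = 0..3 | ForEach-Object { [byte]($a[$_] -bor ((-bnot $m[$_]) -band 0xFF)) }
    return [ipaddress]($b -join '.')
}

function Send-WakeUpPacket {
    param(
        [Parameter(Mandatory)][string]$MacAddress,
        [Parameter(Mandatory)][ipaddress]$TargetAddress,
        # Only needed for the subnet-directed broadcast method.
        [ipaddress]$SubnetMask,
        [ValidateSet('Unicast', 'SubnetDirectedBroadcast')][string]$Method = 'Unicast',
        # UDP 9 is the default wake-up port. A non-default port lets routers restrict
        # directed broadcasts to the site server on that port, as the table recommends.
        [int]$Port = 9
    )

    $destination = switch ($Method) {
        # Unicast works for IPv4 and IPv6 and is mandatory when wake-up proxy is used.
        'Unicast' { $TargetAddress }
        'SubnetDirectedBroadcast' {
            if (-not $SubnetMask) { throw 'SubnetMask is required for subnet-directed broadcast.' }
            Get-DirectedBroadcastAddress -Address $TargetAddress -SubnetMask $SubnetMask
        }
    }

    $packet = New-WakeUpPacket -MacAddress $MacAddress
    $udp = [System.Net.Sockets.UdpClient]::new($destination.AddressFamily)
    try {
        $udp.EnableBroadcast = ($Method -eq 'SubnetDirectedBroadcast')
        $endpoint = [System.Net.IPEndPoint]::new($destination, $Port)
        $sent = $udp.Send($packet, $packet.Length, $endpoint)
        Write-Verbose "Sent $sent bytes to $endpoint for $MacAddress ($Method)"
    }
    finally {
        $udp.Dispose()
    }
}

# Constructed sample values; replace with the real client MAC, address and site port.
Send-WakeUpPacket -MacAddress '00-11-22-33-44-55' -TargetAddress '192.168.10.25' -Verbose

$broadcast = @{
    MacAddress    = '00-11-22-33-44-55'
    TargetAddress = '192.168.10.25'
    SubnetMask    = '255.255.255.0'   # directed broadcast address becomes 192.168.10.255
    Method        = 'SubnetDirectedBroadcast'
    Port          = 12287             # constructed non-default port
}
Send-WakeUpPacket @broadcast -Verbose
```
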
Manage Configuration Manager clients
in a virtual desktop infrastructure (VDI)
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager supports installing the Configuration Manager client on the
following virtual desktop infrastructure (VDI) scenarios:

Personal virtual machines: The virtual machine (VM) maintains user data and
settings between sessions.

Remote Desktop Services sessions: Host multiple, concurrent client sessions on a
centralized server. Users connect to a session and run applications on that server.

Pooled virtual machines/Non-Persistent: The VM doesn't persist between
sessions. When a user closes a session, the virtual environment discards all data
and settings. Pooled virtual machines are useful when you can't use Remote
Desktop Services. For example, if a required application can't run on the Windows
Server that hosts the client sessions.

Azure Virtual Desktop: A desktop and app virtualization service that runs on
Microsoft Azure. Starting in version 1906, use Configuration Manager to manage
these virtual devices running Windows in Azure.

Personal VMs
Configuration Manager treats personal VMs the same as a physical computer. You can
preinstall the Configuration Manager client on the VM image or after you provision it.

For more information, see Support for virtualization environments.

Remote Desktop Services
You don't install the Configuration Manager client for individual Remote Desktop
sessions. Install it once on the server that hosts Remote Desktop Services. You can use
all Configuration Manager client features on the Remote Desktop Services server.

For more information, see Welcome to Remote Desktop Services.


Pooled VMs/Non-Persistent
When you decommission a pooled virtual machine, any changes made by Configuration
Manager are lost.

Because the VM might only be operational for a short length of time, some
Configuration Manager features may not return relevant data. For example, hardware
inventory, software inventory, and software metering. Consider excluding pooled VM
from inventory tasks.

Azure Virtual Desktop
For more information, see Supported operating systems for clients and devices.

Other considerations
Because virtualization supports running multiple Configuration Manager clients on the
same physical computer, many client operations have a built-in randomized delay for
scheduled actions. For example, hardware and software inventory, antimalware scans,
software installations, and software update scans. This delay helps distribute the CPU
processing and data transfer for a server that has multiple VMs that run the
Configuration Manager client.

Except for Windows Embedded clients in servicing mode, Configuration Manager clients
not in virtualized environments also use this randomized delay. This behavior helps
avoid peaks in network bandwidth. It also reduces the CPU processing on site systems,
such as the management point and site server. The delay interval varies according to the
Configuration Manager capability. For example, see About client settings - Disable
deadline randomization.

To help with Configuration Manager client performance in virtual environments that
support multiple user sessions, it disables user policy by default. Starting in version
1910, you can enable user policy in this scenario. For more information, see About client
settings - Enable user policy for multiple user sessions.

How to configure client communication
ports in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can change the request port numbers that Configuration Manager clients use to
communicate with site systems that use HTTP and HTTPS for communication. Although
HTTP or HTTPS is more likely to be already configured for firewalls, client notification
that uses HTTP or HTTPS requires more CPU usage and memory on the management
point computer than if you use a custom port number. You can also specify the site port
number to use if you wake up clients by using traditional wake-up packets.

When you specify HTTP and HTTPS request ports, you can specify both a default port
number and an alternative port number. If communication fails with the default port,
clients automatically try the alternative port. You can specify port settings for HTTP and
HTTPS data communication.

The default values for client request ports are 80 for HTTP traffic and 443 for HTTPS
traffic. Change them only if you don't want to use these default values. A typical
scenario for using custom ports is when you use a custom website in IIS rather than the
default website. If you change the default port numbers for the default website in IIS,
and other applications also use the default website, they're likely to fail.

Important

Don't change the port numbers in Configuration Manager without understanding
the consequences. For example:

If you change the port numbers for the client request services as a site
configuration, and existing clients aren't reconfigured to use the new port
numbers, these clients will be unmanaged.

Before you configure a non-default port number, make sure that firewalls and
all intervening network devices support this configuration. If you will manage
clients on the internet, and change the default HTTPS port number of 443,
routers and firewalls on the internet might block this communication.

To make sure that clients don't become unmanaged after you change the request port
numbers, configure clients to use the new request port numbers. When you change the
request ports on a primary site, any attached secondary sites automatically inherit the
same port configuration.

How clients get the port configuration
When the Configuration Manager site is published to Active Directory Domain Services,
new and existing clients that can access this information will automatically be configured
with their site port settings. You don't need to take further action.

Clients that can't access this information published to Active Directory include:

Workgroup clients
Clients from another Active Directory forest
Clients that are configured for internet-only
Clients that are currently on the internet.

If you change the default port numbers after you install these clients, reinstall them.

Install any new clients by using one of the following methods:

Reinstall the clients by using the Client Push Installation Wizard. Client push
installation automatically configures clients with the current site port configuration.
For more information, see How to install Configuration Manager clients with client
push.

Reinstall the clients by using CCMSetup.exe and the client.msi installation
properties of CCMHTTPPORT and CCMHTTPSPORT. For more information, see
About client installation properties.

Reinstall the clients by using a method that searches Active Directory Domain
Services for Configuration Manager client installation properties. For more
information, see About client installation properties published to Active Directory
Domain Services.

To reconfigure the port numbers for existing clients, you can also use the script
Portswitch.vbs. Find this script on the installation media in the
SMSSETUP\Tools\PortConfiguration folder.

Important

For existing and new clients that are currently on the internet, configure the non-
default port numbers by using the CCMSetup.exe client.msi properties of
CCMHTTPPORT and CCMHTTPSPORT.

After changing the request ports on the site, when you install new clients with the site-
wide client push installation method, they're automatically configured with the current
port numbers for the site.

Configure ports for a site
1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. Select the primary site to configure.

3. On the Home tab of the ribbon, select Properties.

4. Switch to the Ports tab.

5. Select a service, and then select the Properties icon to open the Port Detail
window.

6. Specify the port number and description for the item, and then select OK.

7. If you want to use the custom website SMSWeb for site systems that run IIS, select
Use custom web site. For more information, see Websites for site system servers.

8. Select OK to save the configuration and close the site properties window.

Repeat this procedure for all primary sites in the hierarchy.


Configure client computers to find management points by using DNS publishing
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Clients in Configuration Manager must locate a management point to complete site
assignment and as an on-going process to remain managed. Active Directory Domain
Services provides the most secure method for clients on the intranet to find
management points. However, if clients cannot use this service location method (for
example, you have not extended the Active Directory schema, or clients are from a
workgroup), use DNS publishing as the preferred alternative service location method.

Before you use DNS publishing for management points, make sure that DNS servers on
the intranet have service location resource records (SRV RR) and corresponding host (A
or AAAA) resource records for the site's management points. The service location
resource records can be created automatically by Configuration Manager or manually,
by the DNS administrator who creates the records in DNS.
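
The following PowerShell, added here as an example and not taken from the documentation, checks that precondition from a client's point of view: it resolves the management point SRV record for a site and then confirms that each SRV target has an A or AAAA host record. It assumes the SRV name format _mssms_mp_<SiteCode>._tcp.<DnsSuffix> that Configuration Manager publishes (not stated on this page; confirm against your site's records), and the site code and DNS suffix in the sample call are constructed values.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Assumption: management points are published in DNS under the SRV name
# _mssms_mp_<SiteCode>._tcp.<DnsSuffix>; confirm against your site's published records.

function Test-ManagementPointDnsPublishing {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        # The DNS suffix clients receive through DNSSUFFIX= or the Site tab.
        [Parameter(Mandatory)][string]$DnsSuffix,
        # Optional DNS server to query instead of the client's configured resolver.
        [string]$DnsServer
    )

    $srvName = "_mssms_mp_$SiteCode._tcp.$DnsSuffix"
    $resolve = @{ ErrorAction = 'Stop' }
    if ($DnsServer) { $resolve['Server'] = $DnsServer }

    try {
        # A SRV query may also return additional A records; keep only the SRV answers.
        $srv = Resolve-DnsName -Name $srvName -Type SRV @resolve |
            Where-Object { $_.Type -eq 'SRV' }
    }
    catch {
        Write-Warning "No SRV records for ${srvName}: $($_.Exception.Message)"
        return
    }

    foreach ($record in $srv) {
        # Collect both IPv4 and IPv6 host records for the SRV target.
        $hosts = @(foreach ($type in 'A', 'AAAA') {
            Resolve-DnsName -Name $record.NameTarget -Type $type -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq $type } |
                ForEach-Object { $_.IPAddress }
        })

        # A SRV record without a host record lets clients find the name but not the server.
        $status = if ($hosts.Count -gt 0) { 'OK' } else { 'Missing A/AAAA host record' }

        [pscustomobject]@{
            SrvRecord       = $srvName
            ManagementPoint = $record.NameTarget
            Port            = $record.Port      # 80 or 443 unless the site uses custom ports
            Priority        = $record.Priority
            Weight          = $record.Weight
            HostAddresses   = ($hosts -join ', ')
            Status          = $status
        }
    }
}

# Constructed sample values; replace with your site code and the clients' DNS suffix.
Test-ManagementPointDnsPublishing -SiteCode 'CO1' -DnsSuffix 'cohovineyardandwinery.com' |
    Format-Table -AutoSize
```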

For more information about DNS publishing as a service location method for
Configuration Manager clients, see Understand how clients find site resources and
services for Configuration Manager.

By default, clients search DNS for management points in their DNS domain. However, if
there are no management points published in the clients' domain, you must manually
configure clients with a management point DNS suffix. You can configure this DNS suffix
on clients either during or after client installation:

To configure clients for a management point suffix during client installation,
configure the CCMSetup Client.msi properties.

To configure clients for a management point suffix after client installation, in
Control Panel, configure the Configuration Manager Properties.

To configure clients for a management point suffix during client installation
Install the client with the following CCMSetup Client.msi property:

DNSSUFFIX=<management point domain>


If the site has more than one management point and they are in more than one
domain, specify just one domain. When clients connect to a management point
in this domain, they download a list of available management points, which will
include the management points from the other domains.

For more information about the CCMSetup command-line properties, see About
client installation properties.

To configure clients for a management point suffix after client installation
1. In Control Panel of the client computer, navigate to Configuration Manager, and
then double-click Properties.

2. On the Site tab, specify the DNS suffix of a management point, and then click OK.

If the site has more than one management point and they are in more than one
domain, specify just one domain. When clients connect to a management point in
this domain, they download a list of available management points, which will
include the management points from the other domains.

How to configure client settings in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You manage all client settings in Configuration Manager from the Client Settings node
of the Administration workspace in the console. When you want to configure settings
for all users and devices in the hierarchy, modify the default settings. If you want to
apply different settings to just some users or devices, create custom settings and deploy
to collections. Custom client settings override the default settings.

For information about each client setting, see About client settings.

Note

You can also use configuration items to manage clients to assess, track, and
remediate the configuration compliance of devices. For more information, see
Ensure device compliance.

Configure default client settings
1. In the Configuration Manager console, go to the Administration workspace, and
select the Client Settings node.

2. Select Default Client Settings. On the Home tab of the ribbon, select Properties.

3. View and configure the client settings for each group of settings in the navigation
pane.

Tip

Configuration Manager configures clients with these settings when they next
download policy. To start policy retrieval for a single client, see Start policy retrieval
for a Configuration Manager client.

Create and deploy custom client settings
When you deploy these custom settings, they override the default client settings. Before
you begin this procedure, make sure that you have a collection for the deployment. The
collection should contain the users or devices that require these custom client settings.

1. In the Configuration Manager console, go to the Administration workspace, and
select the Client Settings node.

2. On the Home tab of the ribbon, in the Create group, select Create Custom Client
Settings. Then choose either Create Custom Client Device Settings or Create
Custom Client User Settings.

a. Specify a unique name and optional description.

b. Select one or more of the settings groups.

c. Select each group of settings from the navigation pane, configure the available
settings, and then select OK to save the settings.

3. Select the custom client setting that you created. On the Home tab of the ribbon,
in the Client Settings group, choose Deploy.

4. In the Select Collection window, select the appropriate collection, and then choose
OK. To verify the targeted collection, switch to the Deployments tab in the details
pane of the Client Settings node.

5. View the order of the custom client setting that you created. When you have
multiple custom client settings, they're applied according to their order number. If
there are any conflicts between settings, the setting that has the lowest order
number overrides the other settings. To change the order number, on the Home
tab of the ribbon, in the Client Settings group, choose Move Item Up or Move
Item Down.

Tip

Configuration Manager configures clients with these settings when they next
download policy. To start policy retrieval for a single client, see Start policy retrieval
for a Configuration Manager client.

View client settings


When you deploy multiple client settings to the same device, user, or user group, the
prioritization and combination of settings is complex. Use the following procedure to see
the settings that a specific device or user actually receives:

1. In the Configuration Manager console, go to the Assets and Compliance
workspace, and select either the Devices or Users node.

2. Select a device or user, and in the Client Settings group of the ribbon, select
Resultant Client Settings.

3. Select a client setting from the left pane, and it displays the settings. In this view,
the settings are read-only.

Note

To view the client settings, your account needs Read access to client settings.
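The console view above shows what the site computed. A practitioner usually also wants to confirm what the client itself is enforcing. The following PowerShell, an added example that is not code from the article, runs elevated on a client: it triggers the same two machine policy actions as "Start policy retrieval" and then reads the merged settings from the client's ActualConfig namespace. The schedule IDs are the standard machine policy actions; the WMI class, its property names, and the numeric encoding of the execution policy value are assumptions to confirm against a known-good client.

```powershell
# Added example, not code from the article. Run elevated on a Configuration
# Manager client to refresh policy and read back the resultant machine settings.
# Assumptions: the CCM_ClientAgentConfig class and its property names in the
# ActualConfig namespace, and the numeric value noted below.

function Invoke-CMMachinePolicyRefresh {
    # Request Machine Assignments (...021) and Evaluate Machine Policy (...022),
    # the same actions the console's "Start policy retrieval" triggers.
    foreach ($id in '{00000000-0000-0000-0000-000000000021}',
                    '{00000000-0000-0000-0000-000000000022}') {
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' `
            -MethodName 'TriggerSchedule' -Arguments @{ sScheduleID = $id } | Out-Null
    }
}

function Get-CMResultantAgentConfig {
    # ActualConfig holds the merged policy the client enforces after default and
    # custom settings have been combined in priority order (assumed class name).
    Get-CimInstance -Namespace 'root\ccm\Policy\Machine\ActualConfig' `
                    -ClassName 'CCM_ClientAgentConfig'
}

Invoke-CMMachinePolicyRefresh
Start-Sleep -Seconds 60   # allow the download and policy evaluation to finish

$agent = Get-CMResultantAgentConfig
$agent | Select-Object BrandingTitle, PowerShellExecutionPolicy,
                       InstallRestriction, SuspendBitLocker

# Guardrail: warn if a custom setting with a lower order number has left
# scripts running unsigned. 0 = All Signed in this class (assumed encoding).
if ($agent.PowerShellExecutionPolicy -ne 0) {
    Write-Warning "PowerShell execution policy is $($agent.PowerShellExecutionPolicy), not All Signed"
}
```

Compare the values with the Resultant Client Settings view for the same device; a mismatch usually means the client has not yet downloaded the policy, or a custom setting deployed to a collection you did not expect is winning on order number.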

Automate with PowerShell


Optionally, you can use the Configuration Manager PowerShell cmdlets to automate
client settings. For more information, see the following articles in the PowerShell
documentation:

Get-CMClientSetting: Get an existing client settings object.

New-CMClientSetting: Create a new client settings object.

Remove-CMClientSetting: Remove a client settings object.

Use the following cmdlets to configure client settings for the specific group:

Set-CMClientSettingBackgroundIntelligentTransfer
Set-CMClientSettingClientCache
Set-CMClientSettingClientPolicy
Set-CMClientSettingCloudService
Set-CMClientSettingComplianceSetting
Set-CMClientSettingComputerAgent
Set-CMClientSettingComputerRestart
Set-CMClientSettingDeliveryOptimization
Set-CMClientSettingEndpointProtection
Set-CMClientSettingEnrollment
Set-CMClientSettingGeneral
Set-CMClientSettingHardwareInventory
Set-CMClientSettingMeteredInternetConnection
Set-CMClientSettingPowerManagement
Set-CMClientSettingRemoteTool
Set-CMClientSettingSoftwareCenter
Set-CMClientSettingSoftwareDeployment
Set-CMClientSettingSoftwareInventory
Set-CMClientSettingSoftwareMetering
Set-CMClientSettingSoftwareUpdate
Set-CMClientSettingStateMessaging
Set-CMClientSettingUserAndDeviceAffinity

Use the following cmdlets to manage deployments of custom client settings:

New-CMClientSettingDeployment
Remove-CMClientSettingDeployment
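The console procedures above (create a custom settings object, configure its groups, deploy it, check the order) map onto the cmdlets listed here. As an added example that is not the article's own code, the following script performs that sequence end to end from a console machine. It assumes a site code of PS1, a collection named "Servers - Tier 0", a settings name and branding text that are all hypothetical, and the parameter names and value sets as documented in the ConfigurationManager module (verify with Get-Help on each cmdlet). The Type value used to filter device settings is also an assumption.

```powershell
# Added example, not code from the article. Creates a custom device client
# settings object, hardens two of its groups, deploys it to a collection and
# lists the resulting order. Site code, collection name, settings name and
# branding text are hypothetical.

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
$siteCode = 'PS1'
if (-not (Get-PSDrive -Name $siteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $siteCode -PSProvider CMSite -Root $env:COMPUTERNAME | Out-Null
}
Set-Location "$siteCode`:"

$name = 'Tier 0 servers - hardened agent'

# Step 2: create the device settings object (user settings would use -Type User).
if (-not (Get-CMClientSetting -Name $name)) {
    New-CMClientSetting -Name $name -Type Device `
        -Description 'Signed scripts only, admins install, no user policy' | Out-Null
}

# Step 2c: configure only the groups this object should override. Groups you
# don't touch keep whatever the default client settings say.
$agent = @{
    Name                      = $name
    PowerShellExecutionPolicy = 'AllSigned'          # unsigned detection scripts fail closed
    InstallRestriction        = 'OnlyAdministrators' # Software Center installs need local admin
    SuspendBitLocker          = 'Never'              # keep the pre-boot PIN on every restart
    BrandingTitle             = 'Contoso IT'
}
Set-CMClientSettingComputerAgent @agent

$policy = @{
    Name              = $name
    PolicyPollingMins = 60      # the default; the sizing guidance assumes it
    EnableUserPolicy  = $false  # servers: no user-targeted deployments
}
Set-CMClientSettingClientPolicy @policy

# Steps 3 and 4: deploy to the collection.
New-CMClientSettingDeployment -Name $name -CollectionName 'Servers - Tier 0' | Out-Null

# Step 5: lower Priority wins on conflict. Type 1 = device settings (assumed).
Get-CMClientSetting |
    Where-Object { $_.Type -eq 1 } |
    Sort-Object Priority |
    Select-Object Priority, Name, Description
```

If the new object does not sit where you expect in the list, use Move Item Up or Move Item Down in the console before clients pick it up; clients apply it on their next policy download.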

Next steps
About client settings
About client settings in Configuration Manager
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

Manage all client settings in the Configuration Manager console from the Client
Settings node in the Administration workspace. Configuration Manager comes with a
set of default settings. When you change the default client settings, these settings are
applied to all clients in the hierarchy. You can also configure custom client settings,
which override the default client settings when you assign them to collections. For more
information, see How to configure client settings.

The following sections describe settings and options in further detail.

Background Intelligent Transfer Service (BITS)

Limit the maximum network bandwidth for BITS background transfers

When this option is Yes, clients use BITS bandwidth throttling. To configure the other
settings in this group, you must enable this setting.

Throttling window start time


Specify the local start time for the BITS throttling window.

Throttling window end time


Specify the local end time for the BITS throttling window. If the end time is equal to the
Throttling window start time, BITS throttling is always enabled.

Maximum transfer rate during throttling window (Kbps)


Specify the maximum transfer rate that clients can use during the window.

Allow BITS downloads outside the throttling window


Allow clients to use separate BITS settings outside the specified window.

Maximum transfer rate outside the throttling window (Kbps)

Specify the maximum transfer rate that clients can use outside the BITS throttling
window.
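The five BITS settings above form one unit: the window is local time, the in-window rate applies between start and end, and the off-window rate only applies when downloads outside the window are allowed. As an added example that is not code from the article, the following applies such a window to an existing custom device settings object and then, on a client that has received the policy, reads back the BITS local policy values the client writes. The settings object name is hypothetical, and the cmdlet parameter names and the registry value names under the BITS policy key are assumptions to verify with Get-Help and on a test client.

```powershell
# Added example, not code from the article. Site side: throttle BITS to
# 512 Kbps between 08:00 and 18:00 local time and allow 4 Mbps outside that
# window. Client side: confirm what BITS itself was told.
# Assumptions: the settings object 'Branch offices - BITS' exists
# (hypothetical name); parameter and registry value names as shown.

$bits = @{
    Name                       = 'Branch offices - BITS'
    EnableBitsMaxBandwidth     = $true   # must be on for the rest to apply
    MaxBandwidthBeginHr        = 8       # window start, local time
    MaxBandwidthEndHr          = 18      # window end; equal to start = always throttled
    MaxTransferRateOnSchedule  = 512     # Kbps inside the window
    EnableDownloadOffSchedule  = $true   # separate limit outside the window
    MaxTransferRateOffSchedule = 4096    # Kbps outside the window
}
Set-CMClientSettingBackgroundIntelligentTransfer @bits

# Run on a client after it has downloaded the policy. The client writes the
# values as local policy, so a domain GPO for the same BITS setting overrides
# them on the next GPO refresh; a mismatch here usually means that.
function Get-BitsThrottlingPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'   # assumed key and value names
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Enabled          = [bool]$p.EnableBITSMaxBandwidth
        WindowStartHour  = $p.MaxBandwidthValidFrom
        WindowEndHour    = $p.MaxBandwidthValidTo
        RateInWindowKbps = $p.MaxTransferRateOnSchedule
        RateOutsideKbps  = $p.MaxTransferRateOffSchedule
        UnlimitedOutside = [bool]$p.UseSystemMaximum
    }
}
Get-BitsThrottlingPolicy
```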

Client cache settings

Configure BranchCache

Set up the client computer for Windows BranchCache. To allow BranchCache caching on
the client, set Enable BranchCache to Yes.

Enable BranchCache: Enables BranchCache on client computers.

Maximum BranchCache cache size (percentage of disk): The percentage of the
disk that you allow BranchCache to use.

Tip

If you set Configure BranchCache to No, then Configuration Manager doesn't
configure any BranchCache settings.

To disable BranchCache, set Configure BranchCache to Yes, and then set Enable
BranchCache to No.

Configure client cache size


The Configuration Manager client cache on Windows computers stores temporary files
used to install applications and programs. If this option is set to No, the default size is
5,120 MB.

If you choose Yes, then specify:

Maximum cache size (MB)

Maximum cache size (percentage of disk): The client cache size expands to the
maximum size in megabytes (MB), or the percentage of the disk, whichever is less.

Enable as peer cache source

Enables peer cache for Configuration Manager clients. Choose Yes, and then specify the
port through which the client communicates with the peer computer.

Port for initial network broadcast (default UDP 8004): Configuration Manager uses
this port in Windows PE or the full Windows OS. The task sequence engine in
Windows PE sends the broadcast to get content locations before it starts the task
sequence.

Port for content download from peer (default TCP 8003): Configuration Manager
automatically configures Windows Firewall rules to allow this traffic. If you use a
different firewall, you must manually configure rules to allow this traffic.

For more information, see Ports used for connections.

Minimum duration before cached content can be removed (minutes)

Specify the minimum time for the Configuration Manager client to keep cached content.
This client setting defines the minimum amount of time the Configuration Manager agent
should wait before it can remove content from the cache in case more space is needed.

By default this value is 1,440 minutes (24 hours). The maximum value for this setting is
10,080 minutes (one week).

This setting gives you greater control over the client cache on different types of devices.
You might reduce the value on clients that have small hard drives and don't need to
keep existing content before another deployment runs.

Client policy

Client policy polling interval (minutes)


Specifies how frequently the following Configuration Manager clients download client
policy:

Windows computers (for example, desktops, servers, laptops)

Mobile devices that Configuration Manager enrolls

Mac computers

This value is 60 minutes by default. Reducing this value causes clients to poll the site
more frequently. With many clients, this behavior can have a negative impact on the site
performance. The size and scale guidance is based on the default value. Increasing this
value causes clients to poll the site less often. Any changes to client policies, including
new deployments, take longer for clients to download and process.

Enable user policy on clients


When you set this option to Yes, and use user discovery, then clients receive applications
and programs targeted to the signed-in user.

If this setting is No, users don't receive required applications that you deploy to users.
Users also don't receive any other management tasks in user policies.

This setting applies to users when their computer is on either the intranet or the
internet. It must be Yes if you also want to enable user policies on the internet.

Enable user policy requests from internet clients


Set this option to Yes for users to receive the user policy on internet-based computers.
The following requirements also apply:

The client and site are configured for internet-based client management or a cloud
management gateway.

The Enable user policy on clients setting is Yes.

The internet-based management point successfully authenticates the user by using
Windows authentication (Kerberos or NTLM). For more information, see
Considerations for client communications from the internet.

The cloud management gateway successfully authenticates the user by using
Azure Active Directory. For more information, see Prerequisites to deploy
user-available applications.

If you set this option to No, or any of the previous requirements aren't met, then a
computer on the internet only receives computer policies. If this setting is No, but
Enable user policy on clients is Yes, users don't receive user policies until the computer
is connected to the intranet.

Note

For internet-based client management, application approval requests from users
don't require user policies or user authentication. The cloud management gateway
doesn't support application approval requests.

Enable user policy for multiple user sessions


By default, this setting is disabled. Even if you enable user policies, the client disables
them by default on any device that allows multiple concurrent active user sessions. For
example, terminal servers or Windows Enterprise multi-session in Azure Virtual Desktop.

The client only disables user policy when it detects this type of device during a new
installation. For an existing client of this type that you update to a later client version,
the previous behavior persists. On an existing device, it configures the user policy
setting even if it detects that the device allows multiple user sessions.

If you require user policy in this scenario, and accept any potential performance impact,
enable this client setting.

Cloud services

Allow access to cloud distribution point


Set this option to Yes for clients to obtain content from a content-enabled CMG. This
setting doesn't require the device to be internet-based.

Automatically register new Windows 10 or later domain joined devices with Azure Active Directory

When you configure Azure Active Directory (Azure AD) to support hybrid join,
Configuration Manager configures Windows 10 or later devices for this functionality. For
more information, see How to configure hybrid Azure AD joined devices.

Enable clients to use a cloud management gateway


By default, all internet-roaming clients use any available cloud management gateway.
An example of when to configure this setting to No is to scope usage of the service,
such as during a pilot project or to save costs.

Compliance settings

Enable compliance evaluation on clients

Set this option to Yes to configure the other settings in this group.

Schedule compliance evaluation


Select Schedule to create the default schedule for configuration baseline deployments.
This value is configurable for each baseline in the Deploy Configuration Baseline dialog
box.

Enable User Data and Profiles


Choose Yes if you want to deploy user data and profiles configuration items.

Script Execution Timeout (seconds)


Starting in version 2207, you can define a Script Execution Timeout (seconds). The
timeout value can be set from a minimum of 60 seconds to a maximum of 600 seconds.
This new setting allows you more flexibility for configuration items when you need to
run scripts that may exceed the default of 60 seconds.

Computer agent

User notifications for required deployments


For more information about the following three settings, see User notifications for
required deployments:

Deployment deadline greater than 24 hours, remind user every (hours)

Deployment deadline less than 24 hours, remind user every (hours)

Deployment deadline less than 1 hour, remind user every (minutes)

Legacy settings for the application catalog


The following client settings still appear in the Computer Agent group, but the
functionality is no longer supported:

Default Application Catalog website point

Add default Application Catalog website to Internet Explorer trusted sites zone

Allow Silverlight applications to run in elevated trust mode

For more information, see Removed and deprecated features.

Organization name displayed in Software Center


Type the name that users see in Software Center. This branding information helps users
to identify this application as a trusted source. For more information about the priority
of this setting, see Branding Software Center.

Use new Software Center


The default setting is Yes.

The previous version of Software Center and the application catalog are no longer
supported.

Enable communication with Health Attestation Service


Set this option to Yes for Windows 10 or later devices to use Health attestation. When
you enable this setting, the following setting is also available for configuration.

Use on-premises Health Attestation Service


Set this option to Yes for devices to use an on-premises service. Set to No for devices to
use the Microsoft cloud-based service.

Install permissions

Configure how users can install software, software updates, and task sequences:

All Users: Users with any permission except Guest.

Only Administrators: Users must be a member of the local Administrators group.

Only Administrators and primary users: Users must be a member of the local
Administrators group, or a primary user of the computer.

No Users: No users signed in to a client computer can install software, software
updates, and task sequences. Required deployments for the computer always
install at the deadline. Users can't install software from Software Center.

Suspend BitLocker PIN entry on restart


If computers require BitLocker PIN entry, then this option bypasses the requirement to
enter a PIN when the computer restarts after a software installation.

Always: Configuration Manager temporarily suspends BitLocker after it has
installed software that requires a restart, and it restarts the computer. This setting
only applies when Configuration Manager restarts the computer. This setting
doesn't suspend the requirement to enter the BitLocker PIN when the user restarts
the computer. The BitLocker PIN entry requirement resumes after Windows
startup.

Never: Configuration Manager doesn't suspend BitLocker after it has installed
software that requires a restart. In this scenario, the software installation can't
finish until the user enters the PIN to complete the standard startup process and
load Windows.

Additional software manages the deployment of applications and software updates

Enable this option only if one of the following conditions applies:

You use a vendor solution that requires this setting to be enabled.

You use the Configuration Manager software development kit (SDK) to manage
client agent notifications, and the installation of applications and software updates.

Warning

If you choose this option when neither of these conditions apply, the client doesn't
install software updates and required applications. This setting doesn't prevent
users from installing available software from Software Center, including
applications, packages, and task sequences.

When you enable this setting, toast notifications for new software or required
software don't occur on clients.

PowerShell execution policy


Configure how Configuration Manager clients can run Windows PowerShell scripts. You
might use these scripts for detection in configuration items for compliance settings. You
might also send the scripts in a deployment as a standard script.

Bypass: The Configuration Manager client bypasses the Windows PowerShell
configuration on the client computer, so that unsigned scripts can run.

Restricted: The Configuration Manager client uses the current PowerShell
configuration on the client computer. This configuration determines whether
unsigned scripts can run.

All Signed: The Configuration Manager client runs scripts only if a trusted
publisher has signed them. This restriction applies independently from the current
PowerShell configuration on the client computer.

This option requires at least Windows PowerShell version 2.0. The default is All Signed.

Tip

If unsigned scripts fail to run because of this client setting, Configuration Manager
reports this error in the following ways:

The Monitoring workspace in the console displays deployment status error ID
0x87D00327. It also displays the description Script is not signed.

Reports display the error type Discovery Error. Then reports display either
error code 0x87D00327 and the description Script is not signed, or error
code 0x87D00320 and the description The script host has not been installed
yet. An example report is: Details of errors of configuration items in a
configuration baseline for an asset.

The DcmWmiProvider.log file displays the message Script is not signed
(Error: 87D00327; Source: CCM).
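With All Signed, the client checks the Authenticode signature embedded in the script itself, so the practical consequence is an operational one: every detection or remediation script has to be signed with a certificate whose chain the clients trust, and re-signed after any edit. The following PowerShell, an added example that is not code from the article, reproduces the failure case and the fix on an administrator's workstation: it writes a small constructed detection script, shows its unsigned status (the state that produces 0x87D00327 on a client), and signs it with a code-signing certificate. It assumes such a certificate is in the current user's personal store, that its issuer is in the clients' Trusted Root and Trusted Publishers stores, and that the script path and the timestamp service URL are your own choices.

```powershell
# Added example, not code from the article. Shows why an unsigned detection
# script fails under All Signed, and how to sign it so the client runs it.
# Assumptions: a code-signing certificate from your PKI in Cert:\CurrentUser\My
# whose chain is trusted on the clients; script path and timestamp URL are
# placeholders to replace with your own.

$script = Join-Path $env:TEMP 'Detect-Smb1Disabled.ps1'

# Constructed detection script for a configuration item: reports compliant
# when the SMB1 optional feature is disabled.
@'
$f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($f.State -eq 'Disabled') { 'Compliant' } else { 'NonCompliant' }
'@ | Set-Content -Path $script -Encoding UTF8

function Get-ScriptSignatureStatus {
    param([string]$Path)
    # NotSigned here is exactly what the client reports as
    # "Script is not signed (Error: 87D00327; Source: CCM)".
    (Get-AuthenticodeSignature -FilePath $Path).Status
}

Get-ScriptSignatureStatus $script   # NotSigned before signing

$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Select-Object -First 1
if (-not $cert) { throw 'No valid code-signing certificate found in Cert:\CurrentUser\My' }

# SHA-256 and a timestamp: the timestamp keeps the signature valid after the
# certificate itself expires, so old scripts don't start failing on the clients.
Set-AuthenticodeSignature -FilePath $script -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.example.com' | Out-Null

Get-ScriptSignatureStatus $script   # Valid when the signer chains to a trusted root

# Paste the signed file, signature block included, into the configuration item.
# Any later edit invalidates the embedded hash; sign again before redeploying.
```

Keep Bypass for lab collections only: it silently turns every configuration item and script deployment into an unsigned-code execution path that anyone with rights to edit those objects can use.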

Show notifications for new deployments


Choose Yes to display a notification for deployments available for less than a week. This
message appears each time the client agent starts.

Disable deadline randomization


After the deployment deadline, this setting determines whether the client uses an
activation delay of up to two hours to install required software updates. By default, the
activation delay is disabled.

For virtual desktop infrastructure (VDI) scenarios, this delay helps distribute the CPU
processing and data transfer for a host machine with multiple virtual machines. Even if
you don't use VDI, having many clients installing the same updates at the same time
increases CPU usage on the site server. This behavior can also slow down
distribution points, and significantly reduce the available network bandwidth.

If clients must install required software updates at the deployment deadline without
delay, then configure this setting to Yes.

Important

Disabling randomization only applies to manual software update deployments. The
setting doesn't apply to automatic deployment rules for software updates or for
other deployments such as applications.

Grace period for enforcement after deployment deadline (hours)

If you want to give users more time to install required application or software update
deployments beyond the deadline, set a value for this option. This grace period is for a
computer turned off for an extended time, and the user needs to install many
application or update deployments. For example, this setting is helpful if a user returns
from vacation, and has to wait for a long time while the client installs overdue
application deployments.

Set a grace period of 0 to 120 hours. Use this setting along with the deployment
property Delay enforcement of this deployment according to user preferences. For
more information, see Deploy applications.

Enable Endpoint analytics data collection


Enables local data collection on the client for upload to Endpoint analytics. Set to Yes to
configure devices for local data collection. Set to No to disable local data collection. For
more information, see Enroll Configuration Manager devices into Endpoint analytics.

Computer restart

For more information about these settings, see Device restart notifications.

Delivery Optimization

You use Configuration Manager boundary groups to define and regulate content
distribution across your corporate network and to remote offices. Windows Delivery
Optimization is a cloud-based, peer-to-peer technology to share content between
Windows devices. Configure Delivery Optimization to use your boundary groups when
sharing content among peers.

Note

Delivery Optimization is only available on Windows 10 or later clients.

Internet access to the Delivery Optimization cloud service is a requirement to
utilize its peer-to-peer functionality. For information about the needed
internet endpoints, see Frequently asked questions for Delivery
Optimization.

When using a CMG for content storage, the content for third-party updates
won't download to clients if the Download delta content when available
client setting is enabled.

Use Configuration Manager Boundary Groups for Delivery Optimization Group ID

Choose Yes to apply the boundary group identifier as the Delivery Optimization group
identifier on the client. When the client communicates with the Delivery Optimization
cloud service, it uses this identifier to locate peers with the content. Enabling this setting
also sets the Delivery Optimization download mode to the Group (2) option on targeted
clients.

Note

Microsoft recommends allowing the client to configure this setting via local policy
rather than group policy. This allows the boundary group identifier to be set as the
Delivery Optimization group identifier on the client. For more information, see
Delivery Optimization.

Enable devices managed by Configuration Manager to use Microsoft Connected Cache servers for content download

Choose Yes to allow clients to download content from an on-premises distribution point
that you enable as a Microsoft Connected Cache server. For more information, see
Microsoft Connected Cache in Configuration Manager.

Endpoint Protection

Tip

In addition to the following information, you can find details about using Endpoint
Protection client settings in Example scenario: Using Endpoint Protection to
protect computers from malware.

Manage Endpoint Protection client on client computers


Choose Yes if you want to manage existing Endpoint Protection and Windows Defender
clients on computers in your hierarchy.

Choose this option if you've already installed the Endpoint Protection client, and want to
manage it with Configuration Manager. This separate installation includes a scripted
process that uses a Configuration Manager application or package and program.
Windows 10 or later devices don't need to have the Endpoint Protection agent installed.
However, those devices will still need Manage Endpoint Protection client on client
computers enabled.

Install Endpoint Protection client on client computers


Choose Yes to install and enable the Endpoint Protection client on client computers that
aren't already running the client. Windows 10 or later clients don't need to have the
Endpoint Protection agent installed.

Note

If the Endpoint Protection client is already installed, choosing No doesn't uninstall
the Endpoint Protection client. To uninstall the Endpoint Protection client, set the
Manage Endpoint Protection client on client computers client setting to No. Then,
deploy a package and program to uninstall the Endpoint Protection client.

Allow Endpoint Protection client installation and restarts outside maintenance windows. Maintenance windows must be at least 30 minutes long for client installation

Set this option to Yes to override the usual maintenance window behavior for this
installation. Use it when business requirements give security maintenance priority over
the maintenance windows you configured for other changes.

For Windows Embedded devices with write filters, commit Endpoint Protection client installation (requires restarts)

Choose Yes to disable the write filter on the Windows Embedded device, and restart the
device. This action commits the installation on the device.

If you choose No, the client installs on a temporary overlay that clears when the device
restarts. In this scenario, the Endpoint Protection client doesn't fully install until another
installation commits changes to the device. This configuration is the default.

Suppress any required computer restarts after the Endpoint Protection client is installed

Choose Yes to suppress a computer restart after the Endpoint Protection client installs.

Important

If the Endpoint Protection client requires a computer restart and this setting is No,
then the computer restarts regardless of any configured maintenance windows.

Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours)

If a restart is necessary after the Endpoint Protection client installs, this setting specifies
the number of hours that users can postpone the required restart. This setting requires
that you disable the following setting: Suppress any required computer restarts after
the Endpoint Protection client is installed.

Disable alternate sources (such as Microsoft Windows Update, Microsoft Windows Server Update Services, or UNC shares) for the initial definition update on client computers

Choose Yes if you want Configuration Manager to install only the initial definition
update on client computers. This setting can be helpful to avoid unnecessary network
connections, and reduce network bandwidth, during the initial installation of the
definition update.

Enrollment

Polling interval for mobile device legacy clients


Select Set Interval to specify the length of time, in minutes or hours, that legacy mobile
devices poll for policy. These devices include macOS.

Polling interval for modern devices (minutes)


Enter the number of minutes that modern devices poll for policy. This setting is for
Windows devices that are managed through on-premises mobile device management
(MDM).

Allow users to enroll mobile devices and Mac computers


To enable user-based enrollment of legacy devices, set this option to Yes, and then
configure the following setting:

Enrollment profile: Select Set Profile to create or select an enrollment profile. For
more information, see Configure client settings for enrollment.

Allow users to enroll modern devices


To enable user-based enrollment of modern devices, set this option to Yes, and then
configure the following setting:

Modern device enrollment profile: Select Set Profile to create or select an
enrollment profile. For more information, see Create an enrollment profile that
allows users to enroll modern devices.

Hardware inventory

Enable hardware inventory on clients


By default, this setting is Yes. For more information, see Introduction to hardware
inventory.

Hardware inventory schedule


Select Schedule to adjust the frequency that clients run the hardware inventory cycle. By
default, this cycle occurs every seven days.

Maximum random delay (minutes)


Specify the maximum number of minutes for the Configuration Manager client to
randomize the hardware inventory cycle from the defined schedule. This randomization
across all clients helps load-balance inventory processing on the site server. You can
specify any value between 0 and 480 minutes. By default, this value is set to 240 minutes
(4 hours).

Maximum custom MIF file size (KB)


Specify the maximum size, in kilobytes (KB), allowed for each custom Management
Information Format (MIF) file that the client collects during a hardware inventory cycle.
The Configuration Manager hardware inventory agent doesn't process any custom MIF
files that exceed this size. You can specify a size of 1 KB to 5,120 KB. By default, this
value is set to 250 KB. This setting doesn't affect the size of the regular hardware
inventory data file.

Note

This setting is available only in the default client settings.

Hardware inventory classes


Select Set Classes to extend the hardware information that you collect from clients
without manually editing the sms_def.mof file. For more information, see How to
configure hardware inventory.
Collect MIF files

Use this setting to specify whether to collect MIF files from Configuration Manager
clients during hardware inventory.

For a MIF file to be collected by hardware inventory, it must be in the correct location on
the client computer. By default, the files are located in the following paths:

IDMIF files should be in the Windows\System32\CCM\Inventory\Idmif folder.

NOIDMIF files should be in the Windows\System32\CCM\Inventory\Noidmif folder.

Note

This setting is available only in the default client settings.

Metered internet connections


Manage how Windows 8 and later computers use metered internet connections to
communicate with Configuration Manager. Internet providers sometimes charge by the
amount of data that you send and receive when you're on a metered internet
connection.

Note

The configured client setting isn't applied in the following scenarios:

If the computer is on a roaming data connection, the Configuration Manager
client doesn't perform any tasks that require data to be transferred to
Configuration Manager sites.

If the Windows network connection properties are configured as non-metered,
the Configuration Manager client behaves as if the connection is non-metered,
and so transfers data to the site.

Client communication on metered internet connections


Choose one of the following options for this setting:

Allow: All client communications are allowed over the metered internet
connection, unless the client device is using a roaming data connection.

Limit: The client only communicates over the metered internet connection for the
following behaviors:

Download client policy

Send client state messages

Request software installs from Software Center

Download additional policy and content for required deployments at the
installation deadline

Note

On an application deployment, enable the option to Allow clients on a
metered Internet connection to download content after the installation
deadline. This option is only available for deployments with a purpose of
Required. For more information, see Deploy applications.

If the client reaches the data transfer limit for the metered internet connection, the
client no longer communicates with the site.

Block: When the device is on a metered internet connection, the Configuration
Manager client doesn't try to communicate with the site. This option is the default.

Important

The client always permits software installations from Software Center, regardless of
the metered internet connection settings. If the user requests a software installation
while the device is on a metered network, Software Center honors the user's intent.

Client install and update both work when you configure this client setting to Allow or
Limit. This behavior allows the client to stay current, but still manage the client
communication on a metered network. You can control this behavior during client install
with the ccmsetup parameter /AllowMetered. For more information, see About client
installation parameters and properties.

Power management

Allow power management of devices

Set this option to Yes to enable power management on clients. For more information,
see Introduction to power management.

Allow users to exclude their device from power management

Choose Yes to let users of Software Center exclude their computer from any configured
power management settings.

Allow network wake-up


When you enable this setting, the client configures the power settings on the computer
to allow the network adapter to wake up the device. If you disable this setting, the
computer's network adapter can't wake up the device.

Enable wake-up proxy


Specify Yes to supplement the site's Wake On LAN setting, when it's configured for
unicast packets.

For more information about wake-up proxy, see Plan how to wake up clients.

Warning

Don't enable wake-up proxy in a production network without first understanding
how it works and evaluating it in a test environment.

Then, configure the following additional settings as needed:

Wake-up proxy port number (UDP): The port number that clients use to send
wake-up packets to sleeping computers. Keep the default port 25536, or change
the number to a value of your choice.

Wake On LAN port number (UDP): Keep the default value of 9, unless you've
changed the Wake On LAN (UDP) port number on the Ports tab of the site
Properties.

Important
This number must match the number in the site Properties. If you change this
number in one place, it isn't automatically updated in the other place.

Windows Defender Firewall exception for wake-up proxy: The Configuration
Manager client automatically configures the wake-up proxy port number on
devices that run Windows Defender Firewall. Select Configure to specify the
firewall profiles.

If clients run a different firewall, manually configure it to allow the Wake-up proxy
port number (UDP).

IPv6 prefixes if required for DirectAccess or other intervening network devices.
Use a comma to specify multiple entries: Enter the necessary IPv6 prefixes for
wake-up proxy to function on your network.

Remote tools

Enable Remote Control on clients, and Firewall exception profiles
Select Configure to enable the Configuration Manager remote control feature.
Optionally, configure firewall settings to allow remote control to work on client
computers.

Remote control is disabled by default.

Important

If you don't configure firewall settings, remote control might not work correctly.

Users can change policy or notification settings in Software Center
Choose whether users can change remote control options from within Software Center.

Allow Remote Control of an unattended computer


Choose whether an admin can use remote control to access a client computer that is
logged off or locked. Only a logged-on and unlocked computer can be remotely
controlled when this setting is disabled.

Prompt user for Remote Control permission


Choose whether the client computer shows a message asking for the user's permission
before allowing a remote control session.

Prompt user for permission to transfer content from shared clipboard
Before transferring content from the shared clipboard in a remote control session, allow
your users the opportunity to accept or deny file transfers. Users only need to grant
permission once per session. The viewer can't give themselves permission to transfer the
file.

Grant Remote Control permission to local Administrators group
Choose whether local admins on the server that starts the remote control connection
can establish remote control sessions to client computers.

Access level allowed


Specify the level of remote control access to allow. Choose from the following settings:

No Access
View Only
Full Control

Permitted viewers of Remote Control and Remote Assistance
Select Set Viewers to specify the names of the Windows users who can establish remote
control sessions to client computers.

Show session notification icon on taskbar


Configure this setting to Yes to show an icon on the client's Windows taskbar to indicate
an active remote control session.

Show session connection bar

Set this option to Yes to show a high-visibility session connection bar on clients, to
indicate an active remote control session.

Play a sound on client


Set this option to use sound to indicate when a remote control session is active on a
client computer. Select one of the following options:

No sound
Beginning and end of session (default)
Repeatedly during session

Manage unsolicited Remote Assistance settings


Configure this setting to Yes to let Configuration Manager manage unsolicited Remote
Assistance sessions.

In an unsolicited Remote Assistance session, the user at the client computer didn't
request assistance to start the session.

Manage solicited Remote Assistance settings


Set this option to Yes to let Configuration Manager manage solicited Remote Assistance
sessions.

In a solicited Remote Assistance session, the user at the client computer sent a request
to the admin for remote assistance.

Level of access for Remote Assistance


Choose the level of access to assign to Remote Assistance sessions that are started in
the Configuration Manager console. Select one of the following options:

None (default)
Remote Viewing
Full Control

Note
The user at the client computer must always grant permission for a Remote
Assistance session to occur.

Manage Remote Desktop settings


Set this option to Yes to let Configuration Manager manage Remote Desktop sessions
for computers.

Allow permitted viewers to connect by using Remote Desktop connection
Set this option to Yes to add users specified in the permitted viewer list to the Remote
Desktop local user group on clients.

Require network level authentication on computers that run Windows Vista operating system and later versions
Set this option to Yes to use network-level authentication (NLA) to establish Remote
Desktop connections to client computers. NLA initially requires fewer remote computer
resources, because it finishes user authentication before it establishes a Remote Desktop
connection. Using NLA is a more secure configuration. NLA helps protect the computer
from malicious users or software, and it reduces the risk from denial-of-service attacks.

Software Center

Select the user portal


If you deploy the Company Portal to co-managed devices, configure this setting to
Company Portal. This setting makes sure that notifications from Configuration Manager
and Intune both launch the Company Portal. If a Configuration Manager notification is
for a scenario that the Company Portal doesn't support, selecting the notification
launches Software Center.

If you install the Company Portal on a co-managed device, but configure this setting to
Software Center, then notifications from Configuration Manager launch Software
Center. Notifications from Intune launch the Company Portal. This behavior may confuse
users, because they have to interact with two different portals.

The behavior of the Company Portal depends upon your co-management workload
configuration. For more information, see Use the Company Portal app on co-managed
devices.

Select these new settings to specify company information


Set this option to Yes, and then select Customize to configure Software Center settings
for your organization. This action opens the Software Center Customization window.

Software Center settings

Software Center Customization - General


Company name: Specify the organization name that users see in Software Center.

Color scheme for Software Center: Select the primary color that Software Center
uses. You can choose from 48 basic colors, or define a custom color. By default,
this color is Microsoft blue (Red: 0, Green: 120, Blue: 212).

Foreground color for Software Center: Starting in version 2103, configure a
custom color for the foreground font. By default, this color is white (Red: 255,
Green: 255, Blue: 255). For some customers, their brand color doesn't work well
with the default white font color for a selected item. This setting better supports
these customers and improves accessibility.

Select a logo for Software Center: Enable this setting, and then Browse to select
an image to appear in Software Center. The logo for Software Center has the
following requirements:

    A JPG, PNG, or BMP file.
    Dimensions of 400 x 100 pixels.
    A maximum file size of 750 KB.
    No spaces in the file name.

Select a logo for notifications: Starting in version 2111, enable this setting to
display a logo with notifications on devices running Windows 10 or later. Because
of how the image is used, it's separate from the Software Center logo. The logo for
notifications has the following requirements:

    A JPG, PNG, or BMP file.
    Square aspect ratio. For example, 100 x 100 pixels.
    A maximum file size of 2 MB.
    No spaces in the file name.

Hide unapproved applications in Software Center: When you enable this option,
user-available applications that require approval are hidden in Software Center.

Hide installed applications in Software Center: When you enable this option,
applications that are already installed no longer show in the Applications tab. This
option is enabled by default. Installed applications are still available for review
under the Installation Status tab.

Hide Application Catalog link in Software Center: Enable this setting. The
application catalog is no longer supported. This link would appear on the
Installation Status tab of Software Center.

Software Center Customization - Tabs

Choose which tabs should be visible in Software Center. To move a tab to Visible tabs
list, select Add. To move it to the Hidden tabs list, select Remove. To change the order
of the tabs in Software Center, select Move Up or Move Down.

Default tabs:

Applications
Updates
Operating Systems
Installation Status
Device Compliance
Options

You can also add up to five custom tabs:

1. Select Add tab.


2. Specify the Tab name and Content URL for your custom tab. Configuration
Manager doesn't validate this URL.

Select Delete Tab to remove a custom tab. Select Edit tab to change the configuration
of a custom tab.

Important

Some website features may not work in a custom tab in Software Center. Make sure
to test the results before deploying this to clients.

Specify only trusted or intranet website addresses when you add a custom tab.

Display custom tabs with Microsoft Edge WebView2 runtime

Applies to version 2103 and later

Enable this option for Software Center to use the Microsoft Edge WebView2 browser
control. The WebView2 browser control provides improved security and user experience.
For example, more websites should work with these custom tabs without displaying
script errors or security warnings.

If it's not already installed, the Configuration Manager client installs the Microsoft Edge
WebView2 runtime (fixed version) on the device. The installer is over 100 MB in size. If
you need to enable this setting on a large number of clients, and are concerned about
the effect of network usage, predeploy the WebView2 runtime as an application. Use the
software distribution features of Configuration Manager to better control the content
distribution and timing of software installation.

Note

If the client device isn't running .NET Framework version 4.6.2 or later, it falls
back to use the Internet Explorer browser control. Starting in version 2107, the
client requires .NET version 4.6.2, and version 4.8 is recommended. For more
information, see Prerequisites for deploying clients to Windows computers.

When using custom tabs in certain circumstances, you may encounter the
following exception: Could not load type
'System.Runtime.InteropServices.Architecture' from assembly 'mscorlib,
Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'. To
work around the issue, update .NET Framework to version 4.7.1 or later for the
client.

If you don't enable this option, Software Center uses the Windows built-in Internet
Explorer browser control.

Software Center Customization - Defaults

Configure the Default application filter as either All or only Required applications.
By default, it shows all applications.

Software Center always uses your default setting. Users can change this filter, but
Software Center doesn't persist their preference.

Set the Default application view as either Tile view or List view. By default, it uses
the tile view.

If a user changes this configuration, Software Center persists the user's preference
in the future.

For more information on the appearance of these settings, see the Software Center user
guide.

Software deployment

Schedule re-evaluation for deployments


Configure a schedule for when Configuration Manager reevaluates the requirement
rules for all deployments. The default value is every seven days.

Important

This setting is more invasive to the local client than it is to the network or site
server. A more aggressive reevaluation schedule negatively affects the performance
of your network and client computers. Microsoft doesn't recommend setting a
lower value than the default. If you change this value, closely monitor performance.

Start this action from a client as follows: in the Configuration Manager control panel,
from the Actions tab, select Application Deployment Evaluation Cycle.

Software inventory

Enable software inventory on clients


This option is set to Yes by default. For more information, see Introduction to software
inventory.

Schedule software inventory and file collection


Select Schedule to adjust the frequency that clients run the software inventory and file
collection cycles. By default, this cycle occurs every seven days.

Inventory reporting detail


Specify one of the following levels of file information to inventory:

File only
Product only
Full details (default)

Inventory these file types


If you want to specify the types of file to inventory, select Set Types, and then configure
the following options:

Note

If multiple custom client settings are applied to a computer, the inventory that each
setting returns is merged.

Select New to add a new file type to inventory. Then specify the following
information in the Inventoried File Properties dialog box:

Name: Provide a name for the file that you want to inventory. Use an asterisk
(*) wildcard to represent any string of text, and a question mark (?) to
represent any single character. For example, if you want to inventory all files
with the extension .doc, specify the file name *.doc.

Location: Select Set to open the Path Properties dialog box. Configure software
inventory to search all client hard disks for the specified file, search a specified
path (for example, C:\Folder), or search for a specified variable (for example,
%windir%). You can also search all subfolders under the specified path.

Exclude encrypted and compressed files: When you choose this option, any
compressed or encrypted files aren't inventoried.

Exclude files in the Windows folder: When you choose this option, any files in
the Windows folder and its subfolders aren't inventoried.

Select OK to close the Inventoried File Properties dialog box. Add all the files that
you want to inventory, and then select OK to close the Configure Client Setting
dialog box.

Collect files
If you want to collect files from client computers, select Set Files, and then configure the
following settings:

Note

If multiple custom client settings are applied to a computer, the inventory that each
setting returns is merged.

In the Configure Client Setting dialog box, select New to add a file to be collected.

In the Collected File Properties dialog box, provide the following information:

Name: Provide a name for the file that you want to collect. Use an asterisk (*)
wildcard to represent any string of text, and a question mark (?) to represent
any single character.

Location: Select Set to open the Path Properties dialog box. Configure software
inventory to search all client hard disks for the file that you want to collect,
search a specified path (for example, C:\Folder), or search for a specified
variable (for example, %windir%). You can also search all subfolders under the
specified path.

Exclude encrypted and compressed files: When you choose this option, any
compressed or encrypted files aren't collected.

Stop file collection when the total size of the files exceeds (KB): Specify the file
size, in kilobytes (KB), after which the client stops collecting the specified files.

Note

The site server collects the five most recently changed versions of collected
files, and stores them in the <ConfigMgr installation
directory>\Inboxes\Sinv.box\Filecol directory. If a file hasn't changed since
the last software inventory cycle, the file isn't collected again.

Software inventory doesn't collect files larger than 20 MB.

The value Maximum size for all collected files (KB) in the Configure Client
Setting dialog box shows the maximum size for all collected files. When this
size is reached, file collection stops. Any files already collected are retained
and sent to the site server.

Important

If you configure software inventory to collect many large files, this
configuration might negatively affect the performance of your network and
site server.

For information about how to view collected files, see How to use Resource
Explorer to view software inventory.

Select OK to close the Collected File Properties dialog box. Add all the files that
you want to collect, and then select OK to close the Configure Client Setting
dialog box.

Set Names
The software inventory agent retrieves manufacturer and product names from file
header information. These names aren't always standardized in the file header
information. When you view software inventory in Resource Explorer, different versions
of the same manufacturer or product name can appear. To standardize these display
names, select Set Names, and then configure the following settings:

Name type: Software inventory collects information about both manufacturers and
products. Choose whether you want to configure display names for a
Manufacturer or a Product.

Display name: Specify the display name that you want to use in place of the names
in the Inventoried names list. To specify a new display name, select New.

Inventoried names: To add an inventoried name, select New. This name is replaced
in software inventory by the name chosen in the Display name list. You can add
multiple names to replace.

Software Metering

Enable software metering on clients


This setting is set to Yes by default. For more information, see Software metering.

Schedule data collection


Select Schedule to adjust the frequency that clients run the software metering cycle. By
default, this cycle occurs every seven days.

Software updates

Enable software updates on clients


Use this setting to enable software updates on Configuration Manager clients. When
you disable this setting, Configuration Manager removes existing deployment policies
from clients. When you re-enable this setting, the client downloads the current
deployment policy.

Important

When you disable this setting, compliance policies that rely on software updates
will no longer function.

Software update scan schedule


Select Schedule to specify how often the client starts a compliance assessment scan.
This scan determines the state for software updates on the client (for example, required
or installed). For more information about compliance assessment, see Software updates
compliance assessment.

By default, this scan uses a simple schedule to start every seven days. You can create a
custom schedule. You can specify an exact start day and time, use Universal Coordinated
Time (UTC) or the local time, and configure the recurring interval for a specific day of the
week.

Note

If you specify an interval of less than one day, Configuration Manager automatically
defaults to one day.

Warning

The actual start time on client computers is the start time plus a random amount of
time, up to two hours. This randomization prevents client computers from initiating
the scan and simultaneously connecting to the active software update point.

Schedule deployment re-evaluation

Select Schedule to configure how often the software updates client agent reevaluates
software updates for installation status on Configuration Manager client computers.
When previously installed software updates are no longer found on clients but are still
required, the client reinstalls the software updates.

Adjust this schedule based on company policy for software update compliance, and
whether users can uninstall software updates. Every deployment re-evaluation cycle
results in network and client computer processor activity. By default, this setting uses a
simple schedule to start the deployment re-evaluation scan every seven days.

Note

If you specify an interval of less than one day, Configuration Manager automatically
defaults to one day.

Allow user proxy for software update scans


(Introduced in version 2010)

Beginning with the September 2020 cumulative update, HTTP-based WSUS servers will
be secure by default. A client scanning for updates against an HTTP-based WSUS will no
longer be allowed to leverage a user proxy by default. Set this option to Yes to allow
these connections if you require a user proxy despite the security trade-offs. By default,
this setting is set to No. For more information about the changes for scanning WSUS,
see September 2020 changes to improve security for Windows devices scanning
WSUS. To ensure that the best security protocols are in place, we highly recommend
that you use the TLS/SSL protocol to help secure your software update infrastructure.

Enforce TLS certificate pinning for Windows Update client for detecting updates
(Introduced in version 2103)

Further increase the security of HTTPS scans against WSUS by enforcing certificate
pinning. To use certificate pinning, ensure your WSUS server is enabled for TLS/SSL, and
add the certificates for the WSUS servers to the new WindowsServerUpdateServices
certificate store on your clients. For more information about certificate pinning for
devices scanning HTTPS-configured WSUS servers, see secure your software update
infrastructure. The following settings are available starting in Configuration Manager
version 2103:

No: Don't enable enforcement of TLS certificate pinning for WSUS scanning
Yes: Enables enforcement of TLS certificate pinning for devices during WSUS
scanning (default)

When any software update deployment deadline is reached, install all other software update deployments with deadline coming within a specified period of time
Set this option to Yes to install all software updates from required deployments with
deadlines occurring within a specified period of time. When a required software update
deployment reaches a deadline, the client starts installation for the software updates in
the deployment. This setting determines whether to install software updates from other
required deployments that have a deadline within the specified time.

Use this setting to speed up installation for required software updates. This setting also
has the potential to increase client security, decrease notifications to the user, and
decrease client restarts. By default, this setting is set to No.

Period of time for which all pending deployments with deadline in this time will also be installed
Use this setting to specify the period of time for the previous setting. You can enter a
value from 1 to 23 hours, and from 1 to 365 days. By default, this setting is configured
for seven days.
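To make the interaction between these two settings concrete, here is an added Python model of the deadline grouping. It is an illustration written for this page, not Configuration Manager code: the deployment records, the `required` flag, the function names and the period validation are constructed assumptions based on the text above.

```python
"""Model of the 'install all other software update deployments with a deadline
within a specified period' client setting.

Added illustration, not Configuration Manager code.  Deployment records,
field names and the period validation are assumptions based on the text.
"""
from datetime import datetime, timedelta


def validate_period(value: int, unit: str) -> timedelta:
    """Accept only the ranges the setting allows: 1-23 hours or 1-365 days."""
    if unit == "hours" and 1 <= value <= 23:
        return timedelta(hours=value)
    if unit == "days" and 1 <= value <= 365:
        return timedelta(days=value)
    raise ValueError(f"period {value} {unit} is outside the allowed range")


def deployments_to_install(deployments, now, install_pending_within_period, period):
    """Return the names of required deployments whose updates the client installs now.

    A deployment whose deadline has passed is always installed.  When the
    setting is Yes, every other required deployment with a deadline inside
    [now, now + period] is installed in the same run.  Available (not
    required) deployments have no deadline and are never picked up.
    """
    required = [d for d in deployments if d["required"]]
    due_now = [d for d in required if d["deadline"] <= now]
    if not due_now:
        return []   # nothing has reached its deadline, so nothing starts
    selected = {d["name"] for d in due_now}
    if install_pending_within_period:
        horizon = now + period
        selected |= {d["name"] for d in required if now < d["deadline"] <= horizon}
    return sorted(selected)


# Constructed sample deployments (not real data) relative to a fixed "now".
NOW = datetime(2024, 1, 15, 12, 0)
SAMPLE_DEPLOYMENTS = [
    {"name": "Jan-CU", "required": True, "deadline": NOW - timedelta(hours=1)},
    {"name": "Net-Security", "required": True, "deadline": NOW + timedelta(days=3)},
    {"name": "Office-Monthly", "required": True, "deadline": NOW + timedelta(days=20)},
    {"name": "Optional-Driver", "required": False, "deadline": None},
]

if __name__ == "__main__":
    default_period = validate_period(7, "days")   # the documented default
    print(deployments_to_install(SAMPLE_DEPLOYMENTS, NOW, False, default_period))
    print(deployments_to_install(SAMPLE_DEPLOYMENTS, NOW, True, default_period))
```

With the setting left at No, only the deployment that has already reached its deadline installs; with Yes and the default seven-day period, the deployment due in three days is installed in the same run, while the one due in 20 days still waits. Running `validate_period(24, "hours")` raises, matching the 1 to 23 hour limit of the setting.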

Allow clients to download delta content when available


Set this option to Yes to allow clients to use delta content files. This setting allows the
Windows Update Agent on the device to determine what content is needed and
selectively download it.

This client setting replaces Enable installation of Express installation files on
clients. Set this option to Yes to allow clients to use express installation files. For
more information, see Manage Express installation files for Windows 10 updates.

When this option is set, delta download is used for all Windows update installation
files, not just express installation files.

When using a CMG for content storage, the content for third-party updates won't
download to clients if the Download delta content when available client setting is
enabled.

Port that clients use to receive requests for delta content


This setting configures the local port for the HTTP listener to download delta content.
It's set to 8005 by default. You don't need to open this port in the client firewall.

Note

This client setting replaces Port used to download content for Express installation
files.

If content is unavailable from distribution points in the current boundary group,
immediately fallback to a neighbor or the site default

(Introduced in version 2010)

If delta content is unavailable from distribution points in the current boundary group,
you can allow immediate fallback to a neighbor or the site default boundary group
distribution points. This setting is useful when using delta content for software updates
since the timeout setting per download job is 5 minutes. The following options are
available:

Yes: For delta content, the client doesn't wait to reach the fallback time (in minutes)
defined by the Boundary Group relationship. Clients immediately fall back to a
neighbor or the site default content distribution points when both of the following
conditions are met:
- Delta content is unavailable from distribution points in the
current boundary group.
- The software update deployment allows fallback.

No (default): The client honors the fallback time (in minutes) defined by the
Boundary Group relationship when it's allowed on the software update
deployment. Delta download content may fail with a timeout even if the update
content is available on a neighbor or the site default distribution point group.

Note

This setting is for delta content only.

Enable management of the Office 365 Client Agent

When you set this option to Yes, it enables the configuration of Microsoft 365 Apps
installation settings. It also enables downloading files from Office Content Delivery
Networks (CDNs), and deploying the files as an application in Configuration Manager.
For more information, see Manage Microsoft 365 Apps.

Enable update notifications from Microsoft 365 Apps


(Introduced in version 2111)

You can configure the end-user experience for Microsoft 365 Apps updates. This client
setting allows you to enable or disable notifications from Microsoft 365 Apps for these
updates. The following options are available for the setting:

No: Doesn't display Microsoft 365 Apps updates notifications from Microsoft 365
Apps (default)
Yes: Displays Microsoft 365 Apps updates notifications from Microsoft 365 Apps

Which notifications are displayed to the user about updates for Microsoft 365 Apps is
also determined by the settings for per deployment notifications from Software Center.
If the deployment's user notifications from Software Center are disabled (found on the
User Experience page for the deployment), then the end user won't receive any
notifications from either Software Center or Microsoft 365 Apps, regardless of how
notifications from Microsoft 365 Apps are set. If notifications from both Software Center
and Microsoft 365 Apps are enabled, then the end user will receive notifications from
Software Center and Microsoft 365 Apps. Below is a chart of which notifications for
Microsoft 365 Apps updates are displayed to the end user for these settings:

                                        Display per deployment              Hide per deployment
                                        Software Center notifications       Software Center notifications

Enable update notifications from        User receives notifications from    No notifications from
Microsoft 365 Apps: Yes                 Software Center                     Software Center
                                        User receives notifications from    No notifications from
                                        Microsoft 365 Apps                  Microsoft 365 Apps

Enable update notifications from        User receives notifications from    No notifications from
Microsoft 365 Apps: No                  Software Center                     Software Center
                                        No notifications from               No notifications from
                                        Microsoft 365 Apps                  Microsoft 365 Apps

Enable installation of software updates in "All deployments" maintenance window when "Software Update" maintenance window is available
When you set this option to Yes, and the client has at least one "Software Update"
maintenance window defined, software updates will install during an "All deployments"
maintenance window.

By default, this setting is set to No. This value uses the same behavior as before: if both
types exist, it ignores the window.

Note

This setting also applies to maintenance windows that you configure to apply to
Task sequences.

If the client only has an All deployments window available, it still installs software
updates or task sequences in that window.

Maintenance window example

For example, you configure the following maintenance windows:

All deployments: 02:00 - 04:00
Software updates: 04:00 - 06:00

By default, the client only installs software updates during the second maintenance
window. It ignores the maintenance window for all deployments in this scenario. When
you change this setting to Yes, the client installs software updates between 02:00 -
06:00.
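The window selection described above, as an added Python model (an illustration written for this page, not Configuration Manager code). The window records, the whole-hour times and the merging of touching windows are assumptions; the two windows are the ones from the example.

```python
"""Which maintenance windows the client uses for software updates, under the
client setting "Enable installation of software updates in 'All deployments'
maintenance window when 'Software Update' maintenance window is available".

Added illustration, not Configuration Manager code.  The window records, the
whole-hour times and the merging of touching windows are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MaintenanceWindow:
    kind: str    # "all" = All deployments, "updates" = Software updates
    start: int   # start hour (0-23); the constructed example uses whole hours
    end: int     # end hour, exclusive (up to 24)


def effective_update_windows(windows, install_in_all_deployments_window=False):
    """Return the merged (start, end) hour ranges in which updates may install.

    Default (setting No): when at least one Software updates window exists,
    All deployments windows are ignored for updates.
    Setting Yes: both kinds apply, and touching or overlapping ranges merge.
    No Software updates window at all: All deployments windows are used
    regardless of the setting.
    """
    update_windows = [w for w in windows if w.kind == "updates"]
    if not update_windows:
        usable = [w for w in windows if w.kind == "all"]
    elif install_in_all_deployments_window:
        usable = [w for w in windows if w.kind in ("all", "updates")]
    else:
        usable = update_windows

    merged = []
    for start, end in sorted((w.start, w.end) for w in usable):
        if merged and start <= merged[-1][1]:          # touching or overlapping
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def can_install_update_at(hour, windows, install_in_all_deployments_window=False):
    """True if an update may install at the given hour on this client."""
    return any(s <= hour < e for s, e in
               effective_update_windows(windows, install_in_all_deployments_window))


# The scenario from the text: All deployments 02:00-04:00, Software updates 04:00-06:00.
EXAMPLE_WINDOWS = [MaintenanceWindow("all", 2, 4), MaintenanceWindow("updates", 4, 6)]

if __name__ == "__main__":
    print(effective_update_windows(EXAMPLE_WINDOWS))         # [(4, 6)]
    print(effective_update_windows(EXAMPLE_WINDOWS, True))   # [(2, 6)]
```

The model also covers the case from the note above where only an All deployments window exists: that window is used whatever the setting, so an update at 03:00 is allowed there but refused in the two-window scenario with the default setting.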

Specify thread priority for feature updates


You can adjust the priority with which supported versions of Windows 10 or later clients
install a feature update through Windows servicing. This setting has no impact on
Windows in-place upgrade task sequences.

This client setting provides the following options:

Not Configured: Configuration Manager doesn't change the setting. Admins can
pre-stage their own setupconfig.ini file. This value is the default.

Normal: Windows Setup uses more system resources and updates faster. It uses
more processor time, so the total installation time is shorter, but the user's outage
is longer.

Configures the setupconfig.ini file on the device with the /Priority Normal
Windows setup command-line option.

Low: You can continue to work on the device while it downloads and updates in
the background. The total installation time is longer, but the user's outage is
shorter. You may need to increase the update max run time to avoid a time-out
when you use this option.

Removes the /Priority Windows setup command-line option from the
setupconfig.ini file.

Enable third party software updates


When you set this option to Yes, it sets the policy for Allow signed updates for an
intranet Microsoft update service location and installs the signing certificate to the
Trusted Publisher store on the client.

Enable Dynamic Update for feature updates


Use this setting to configure Dynamic Update for Windows. Dynamic Update installs
language packs, features on demand, drivers, and cumulative updates during Windows
setup by directing the client to download these updates from the internet. When this
setting is set to either Yes or No, Configuration Manager modifies the setupconfig file
that is used during feature update installation.

Not Configured - The default value. No changes are made to the setupconfig file.
Dynamic Update is enabled by default on all supported versions of Windows 10
or later.
For Windows 10, version 1803 and earlier, Dynamic Update checks the
device's WSUS server for approved dynamic updates. In Configuration
Manager environments, dynamic updates are never directly approved in the
WSUS server so these devices don't install them.
Starting with Windows 10, version 1809, Dynamic Update uses the device's
internet connection to get dynamic updates from Microsoft Update. These
dynamic updates aren't published for WSUS use.
Yes - Enables Dynamic Update.
No - Disables Dynamic Update.

Enable features introduced via servicing are off by default

To learn more about the setting "Enable features introduced via servicing are off by
default", read this blog. The post describes the Commercial control for
continuous innovation in Windows. The setting for this policy is now integrated with
Configuration Manager 2303. More information on the Commercial control timeline and
versions of Windows 11 supported by the setting can be found in the blog.

Not Configured - The default value, then features that are shipped via a monthly
quality update (servicing) will remain off until the feature update that includes
these features is installed.
Enable features introduced via servicing are off by default on all supported
versions of Windows 11 22621.1344 or later.
Yes - Enables Feature Update, then all features available in the latest monthly
quality update installed will be on.
No - Disables Feature Update, then features that are shipped via a monthly quality
update (servicing) will remain off until the feature update that includes these
features is installed.

State Messaging

State message reporting cycle (minutes)


Specifies how often clients report state messages. This setting is 15 minutes by default.

User and device affinity

User device affinity usage threshold (minutes)


Specify the number of minutes before Configuration Manager creates a user device
affinity mapping. By default, this value is 2880 minutes (two days).

User device affinity usage threshold (days)


Specify the number of days over which the client measures the threshold for usage-
based device affinity. By default, this value is 30 days.

Note

For example, you specify User device affinity usage threshold (minutes) as 60
minutes, and User device affinity usage threshold (days) as 5 days. Then the user
must use the device for 60 minutes over a period of 5 days to create automatic
affinity with the device.

Automatically configure user device affinity from usage data

Choose Yes to create automatic user device affinity based on the usage information that
Configuration Manager collects.

Allow user to define their primary devices


When this setting is Yes, users can identify their own primary devices in Software Center.
For more information, see the Software Center user guide.

Note

Default values are:

User device affinity usage threshold (minutes): 2880
User device affinity usage threshold (days): 30
Automatically configure user device affinity from usage data: No
Allow user to define their primary devices: No
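The two usage thresholds above work together, as the note's "60 minutes over 5 days" example shows. The following added example (not code from the Configuration Manager documentation or product) models that rule as a sliding window over per-day usage; how the client really aggregates usage data is an assumption here, as are the function names and the constructed sample records.

```python
# Added example; not code from the Configuration Manager documentation or product.
# It models the two usage thresholds above: affinity is created once the user has
# used the device for at least `threshold_minutes` within any `threshold_days`
# consecutive days. How the client actually aggregates usage is an assumption here.
from datetime import date, timedelta
from typing import Dict, Iterable, List, Tuple

DEFAULT_THRESHOLD_MINUTES = 2880   # default: two days of use
DEFAULT_THRESHOLD_DAYS = 30        # default: measured over 30 days


def usage_per_day(usage: Iterable[Tuple[date, int]]) -> Dict[date, int]:
    """Sum (day, minutes used) records per calendar day."""
    totals: Dict[date, int] = {}
    for day, minutes in usage:
        totals[day] = totals.get(day, 0) + minutes
    return totals


def affinity_created(usage: Iterable[Tuple[date, int]],
                     threshold_minutes: int = DEFAULT_THRESHOLD_MINUTES,
                     threshold_days: int = DEFAULT_THRESHOLD_DAYS) -> bool:
    """True if some window of `threshold_days` consecutive days holds at least
    `threshold_minutes` of use (sliding window over the sorted days)."""
    totals = usage_per_day(usage)
    days: List[date] = sorted(totals)
    window_total = 0
    start = 0
    for day in days:
        window_total += totals[day]
        # Drop days that fall outside the threshold_days window ending on `day`.
        while day - days[start] >= timedelta(days=threshold_days):
            window_total -= totals[days[start]]
            start += 1
        if window_total >= threshold_minutes:
            return True
    return False


# Constructed sample data for the note's example (60 minutes over 5 days):
# three short sessions on consecutive days, versus the same sessions a week apart.
STEADY_USE = [(date(2024, 1, 1), 20), (date(2024, 1, 2), 20), (date(2024, 1, 3), 20)]
SPORADIC_USE = [(date(2024, 1, 1), 20), (date(2024, 1, 8), 20), (date(2024, 1, 15), 20)]

if __name__ == "__main__":
    print("steady use, 60 min / 5 days:", affinity_created(STEADY_USE, 60, 5))
    print("sporadic use, 60 min / 5 days:", affinity_created(SPORADIC_USE, 60, 5))
    print("sporadic use, 60 min / 30 days:", affinity_created(SPORADIC_USE, 60, 30))
```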

Windows Diagnostic Data

Important

This group was previously called Windows Analytics. Microsoft retired the
Windows Analytics service on January 31, 2020. For more information, see KB
4521815: Windows Analytics retirement on January 31, 2020.

Desktop Analytics is the evolution of Windows Analytics. Use Desktop Analytics to
manage Windows diagnostic data settings. For more information, see What is
Desktop Analytics.

Device restart notifications in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The notifications a user receives for a pending device restart can vary depending on the
Computer restart client settings and which version of Configuration Manager you use.
This article helps you configure the user experience for pending device restart
notifications.

Note

By default, Windows 11 enables focus assist for the first hour after a user signs on
for the first time. For more information, see Reaching the Desktop and the Quiet
Period.

Software Center notifications are currently suppressed during this time. For more
information, see Turn Focus assist on or off in Windows.

Deployment types for restart notifications


The Computer restart client settings change the user experience for all required
deployments that require a restart of the following types:

Application
Task sequence
Software update

Restart notification types


When a device requires a restart, the client shows a notification to the end user of the
upcoming restart.

Toast notification
A Windows toast notification informs the user that the device needs to restart. The
information in the toast notification can be different depending on which version of
Configuration Manager you're running. This type of notification is native to the
Windows OS. You may also see third-party software using this type of notification.

Software Center notification with snooze


Software Center shows a notification with a snooze option and the time remaining
before it forces the devices to restart. The message may be different depending on your
version of Configuration Manager.

Software Center final countdown notification


Software Center shows this final countdown notification that the user can't close or
snooze. The user won't see a progress bar in the restart notification until the pending
restart is less than 24 hours away.
Software Center notification before deadline
If the user proactively installs required software before the deadline, and it requires a
restart, they'll see a different notification. The following notification occurs when both
the user experience setting allows notifications and you don't use toast notifications for
the deployment. For more information about configuring these settings, see
Deployment User Experience settings and User notifications for required deployments.

Available apps
When you don't use toast notifications, the dialog for software marked as Available is
similar to proactively installed software. For Available software, the notification doesn't
have a deadline for the restart and the user can choose their own snooze interval. For
more information, see Approval settings.

Software Center notification of required restart


You can configure client settings to prevent devices from automatically restarting when
a deployment requires it. When a required deployment needs the device to restart, but
you disable the client setting Configuration Manager can force a device to restart, you
see the following notification:

If you Snooze this notification, it will show again based on how you configure the
frequency of restart reminder notifications. The device won't restart until you select
Restart or manually restart Windows.

Note

By default, Configuration Manager can still force devices to restart.

Client settings
To control the client restart behaviors, configure the following device client settings in
the Computer Restart group. For more information, see How to configure client
settings.

To take full advantage of new Configuration Manager features, after you update the site,
also update clients to the latest version. While new functionality appears in the
Configuration Manager console when you update the site and console, the complete
scenario isn't functional until the client version is also updated.

Configuration Manager can force a device to restart


You can configure client settings to prevent devices from automatically restarting when
a deployment requires it. Configuration Manager enables this setting by default.

Important

This client setting applies to all application, software update, and package
deployments to the device. Until a user manually restarts the device:

Software updates and app revisions may not be fully installed
Additional software installs may not happen

When you disable this setting, you can't specify the amounts of time after the deadline
that the device is restarted or the user is presented a final countdown notification.

Specify the amount of time after the deadline before a device gets restarted (minutes)

This setting must be shorter in duration than the shortest maintenance window applied
to the computer. For more information about maintenance windows, see How to use
maintenance windows.

The default value is 90 minutes. The maximum value is 20160 minutes (two weeks).

Note

This setting was previously titled Display a temporary notification to the user that
indicates the interval before the user is logged off or the computer restarts
(minutes).

Specify the amount of time that a user is presented a final countdown notification before a device gets restarted (minutes)

This setting must be shorter in duration than the shortest maintenance window applied
to the computer. For more information about maintenance windows, see How to use
maintenance windows.

The default value is 15 minutes.

Note

This setting was previously titled Display a dialog box that the user cannot close,
which displays the countdown interval before the user is logged off or the
computer restarts (minutes).

Specify the frequency of reminder notifications presented to the user, after the deadline, before a device gets restarted (minutes)

This frequency duration value should be less than the value of Specify the amount of
time after the deadline before a device gets restarted (minutes) minus the value of
Specify the amount of time that a user is presented a final countdown notification
before a device gets restarted (minutes). Otherwise, the reminder notifications won't
work.

The default value is 240 minutes.

Note

This setting was previously titled Specify the snooze duration for computer restart
countdown notifications (minutes).

When a deployment requires a restart, show a dialog window to the user instead of a toast notification

To change the user experience to be more intrusive, configure this setting to Yes. This
setting applies to all deployments of applications, task sequences, and software updates.
For more information, see User notifications.

When a deployment requires a restart, allow low-rights users to restart a device running Windows Server

For a low-rights user on a device that runs Windows Server, by default they aren't
assigned the user rights to restart Windows. When you target a deployment to this
device, this user can't manually restart. For example, they can't restart Windows to install
software updates.

Important

Allowing low-rights users to restart a server can potentially impact other users or
services.

Device restart notifications


Some customers prefer frequent restart notifications and allowing users a short time
frame to postpone. Others allow users to postpone a restart for longer periods of time,
and infrequently notify users of the pending restart. You have control over the timing
and frequency of restart notifications.

Install required software at or after the deadline


When required software is installed at or after the deadline, your users will see
notifications depending on what client settings you selected.

If the setting When a deployment requires a restart, show a dialog window to the user
instead of a toast notification is set to:

No: Windows shows toast notifications until the deployment reaches the final
countdown notification.

Yes: Software Center shows a notification:


If the restart is greater than 24 hours away, it shows an estimated restart time.
The timing of this notification is based on the setting: Specify the amount of
time after the deadline before a device gets restarted (minutes).

If the restart is less than 24 hours away, it shows a progress bar. The timing of
this notification is based on the setting: Specify the amount of time after the
deadline before a device gets restarted (minutes).

If the user selects Snooze, another temporary notification shows after the snooze period
elapses. This behavior assumes it hasn't yet reached the final countdown. The timing of
the next notification is based on the setting: Specify the frequency of reminder
notifications presented to the user, after the deadline, before a device gets restarted
(minutes). If the user selects Snooze, and your snooze interval is one hour, then
Software Center notifies the user again in 60 minutes. This behavior assumes it hasn't
yet reached the final countdown.
When it reaches the final countdown, Software Center shows the user a notification they
can't close. The progress bar is in red and the user can't Snooze it.

Proactively install required software before the deadline


If the user proactively installs required software that needs restart before the deadline,
they'll see a different notification. For more information about configuring these
settings, see Deployment User Experience settings and User notifications for required
deployments.

The following notification occurs when both the user experience setting allows
notifications and you don't use toast notifications for the deployment:
Once the deployment reaches its deadline, Software Center follows the behavior to
Install required software at or after the deadline.

Example configurations
The following examples describe how to configure the client settings to achieve specific
behaviors.

Note

If the user puts the device to sleep, it doesn't pause or interrupt a countdown. For
example, a restart countdown is halfway into a four-hour timer, and the user puts
the device to sleep. 12 hours later the user wakes up the device. The device restarts,
as it's past the deadline.

Reminders are off

Setting Value

Specify the amount of time after the deadline before a device gets restarted (minutes): 180
Specify the amount of time that a user is presented a final countdown notification before a device gets restarted (minutes): 60
Specify the frequency of reminder notifications presented to the user, after the deadline, before a device gets restarted (minutes): 240
When a deployment requires a restart, show a dialog window to the user instead of a toast notification: No

The device will restart three hours (180 minutes) after the deployment deadline. One
hour (60 minutes) before it restarts, the user sees a countdown that they can't close or
snooze. The first reminder notification is set to start four hours (240 minutes) after the
deadline, which is after the restart. So the user doesn't see any reminders.

Low reminder frequency

Setting Value

Specify the amount of time after the deadline before a device gets restarted (minutes): 7200
Specify the amount of time that a user is presented a final countdown notification before a device gets restarted (minutes): 120
Specify the frequency of reminder notifications presented to the user, after the deadline, before a device gets restarted (minutes): 900
When a deployment requires a restart, show a dialog window to the user instead of a toast notification: Yes

The device will restart five days (7200 minutes) after the deployment deadline. Two
hours (120 minutes) before it restarts, the user sees a countdown that they can't close or
snooze. This configuration allows for 118 hours to show reminders ( (7200 - 120) / 60 ).
15 hours (900 minutes) after the deadline, Software Center displays the first reminder. It
displays a maximum of six additional reminders every 15 hours (900 minutes). The user
sees the reminder as a window on the screen, instead of a notification that disappears in
a few seconds.

High reminder frequency

Setting Value

Specify the amount of time after the deadline before a device gets restarted (minutes): 2880
Specify the amount of time that a user is presented a final countdown notification before a device gets restarted (minutes): 60
Specify the frequency of reminder notifications presented to the user, after the deadline, before a device gets restarted (minutes): 30
When a deployment requires a restart, show a dialog window to the user instead of a toast notification: Yes

The device will restart two days (2880 minutes) after the deployment deadline. One hour
(60 minutes) before it restarts, the user sees a countdown that they can't close or
snooze. This configuration allows for 47 hours to show reminders ( (2880 - 60) / 60 ). 30
minutes after the deadline, Software Center displays the first reminder. It displays a
maximum of 92 additional reminders every 30 minutes. The user sees the reminder as a
window on the screen, instead of a notification that disappears in a few seconds.
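The three example configurations above, and the constraints stated for the Computer Restart settings (reminder frequency less than restart time minus final countdown; both timers shorter than the shortest maintenance window; sleep not pausing the countdown), can be checked with the following added example. It is not code from the Configuration Manager documentation or product; the class and function names, and the maintenance window value passed to the check, are assumptions.

```python
# Added example; not code from the Configuration Manager documentation or product.
# It models the Computer Restart client settings described above and derives the
# reminder schedule and the constraints the article states. The class/function
# names and the maintenance window value used in the checks are assumptions.
from dataclasses import dataclass
from typing import List, Optional

# Per the article: maximum value of the restart-after-deadline setting (two weeks).
MAX_RESTART_AFTER_DEADLINE_MIN = 20160


@dataclass(frozen=True)
class RestartSettings:
    """The four Computer Restart client settings, in the order the article lists them."""
    restart_after_deadline_min: int   # ...before a device gets restarted (minutes); default 90
    final_countdown_min: int          # ...final countdown notification... (minutes); default 15
    reminder_frequency_min: int       # ...frequency of reminder notifications... (minutes); default 240
    dialog_instead_of_toast: bool     # ...show a dialog window ... instead of a toast notification


def reminder_window_min(s: RestartSettings) -> int:
    """Minutes after the deadline during which reminders can be shown: reminders stop
    once the final countdown (which the user cannot snooze) begins."""
    return s.restart_after_deadline_min - s.final_countdown_min


def reminder_offsets_min(s: RestartSettings) -> List[int]:
    """Minutes after the deadline at which Software Center shows a reminder.
    The article says reminders only work when the frequency is less than
    (restart time minus final countdown), so a reminder that would land at or
    after the start of the final countdown is never shown."""
    window = reminder_window_min(s)
    offsets: List[int] = []
    t = s.reminder_frequency_min
    while t < window:
        offsets.append(t)
        t += s.reminder_frequency_min
    return offsets


def notification_kind_at(s: RestartSettings, minutes_after_deadline: int) -> str:
    """Which notification the user is facing at a given point after the deadline."""
    if minutes_after_deadline >= s.restart_after_deadline_min:
        return "restart"
    if minutes_after_deadline >= reminder_window_min(s):
        return "final countdown"          # red progress bar, cannot be closed or snoozed
    if s.dialog_instead_of_toast:
        return "Software Center dialog"   # window that stays on screen
    return "Windows toast"                # disappears after a few seconds


def validate(s: RestartSettings,
             shortest_maintenance_window_min: Optional[int] = None) -> List[str]:
    """Return the configuration problems the article warns about (empty list = OK)."""
    problems: List[str] = []
    if not 0 < s.restart_after_deadline_min <= MAX_RESTART_AFTER_DEADLINE_MIN:
        problems.append("restart time must be between 1 and 20160 minutes")
    if s.final_countdown_min >= s.restart_after_deadline_min:
        problems.append("final countdown must be shorter than the restart time")
    if s.reminder_frequency_min >= reminder_window_min(s):
        problems.append("reminders never shown: frequency must be less than "
                        "restart time minus final countdown")
    if shortest_maintenance_window_min is not None:
        if s.restart_after_deadline_min >= shortest_maintenance_window_min:
            problems.append("restart time must be shorter than the shortest maintenance window")
        if s.final_countdown_min >= shortest_maintenance_window_min:
            problems.append("final countdown must be shorter than the shortest maintenance window")
    return problems


def minutes_until_restart_on_wake(s: RestartSettings, minutes_after_deadline_at_wake: int) -> int:
    """Sleep does not pause the countdown (see the note above): returns how long the
    user has left when the device wakes, or 0 if the restart is already past due."""
    return max(0, s.restart_after_deadline_min - minutes_after_deadline_at_wake)


if __name__ == "__main__":
    examples = [("Reminders are off", RestartSettings(180, 60, 240, False)),
                ("Low reminder frequency", RestartSettings(7200, 120, 900, True)),
                ("High reminder frequency", RestartSettings(2880, 60, 30, True))]
    for name, cfg in examples:
        offsets = reminder_offsets_min(cfg)
        print(f"{name}: {reminder_window_min(cfg) // 60} h of reminders, "
              f"{len(offsets)} reminder(s), first at {offsets[0] if offsets else None} min; "
              f"problems: {validate(cfg) or 'none'}")
```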

Log files
To troubleshoot device restarts, use the RebootCoordinator.log and SCNotify.log files
on the client. Based on the specific type of deployment, you may also have to use
additional client log files.

Next steps
How to configure client settings
Application deployment User Experience settings
User notifications for required app deployments

How to configure Wake on LAN in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Specify Wake on LAN (WoL) settings for Configuration Manager when you want to bring
computers out of a sleep state.

Wake on LAN starting in version 1810


Starting in Configuration Manager 1810, there's a new way to wake up sleeping
machines. You can wake up clients from the Configuration Manager console, even if the
client isn't on the same subnet as the site server. If you need to do maintenance or
query devices, you're not limited by remote clients that are asleep. The site server uses
the client notification channel to identify other clients that are awake on the same
remote subnet, then uses those clients to send a wake on LAN request (magic packet).
Using the client notification channel helps avoid MAC flaps, which could cause the port
to be shut down by the router. The new version of Wake on LAN can be enabled at the
same time as the older version.

Prerequisites and limitations


At least one client in the target subnet must be awake.
This feature doesn't support the following network technologies:
IPv6
802.1x network authentication
802.1x network authentication may work with additional configuration
depending on the hardware and its configuration.
DHCP lease durations can't be set to infinite.
With Configuration Manager version 2010 and later, if the DHCP lease is set to
infinite a client won't be woken up or used as a peer to wake other devices.
With Configuration Manager version 2006 and earlier, you may see the
SleepAgent_<domain>@SYSTEM_0.log become very large and possibly a
broadcast storm in environments where DHCP leases are set to infinite.

Limitations for Configuration Manager version 2006 and earlier:


Machines only wake when you notify them through the Wake Up client
notification.
For wake-up when a deadline occurs, the older version of Wake on LAN is used.
Starting in Configuration Manager version 2010, you can wake up at deadline
with the new version of WoL. For more information, see Notify client to wake
when a deployment deadline occurs.
If the older version isn't enabled, client wake-up won't occur for deployments
created with the settings Use Wake-on-LAN to wake up clients for required
deployments or Send wake-up packets.

Security role permissions


Notify resource under the Collection category

Configure the clients to use Wake on LAN starting in version 1810

Previously you had to manually enable the client for wake on LAN in the properties of
the network adapter. Configuration Manager 1810 includes a new client setting called
Allow network wake-up. Configure and deploy this setting instead of modifying the
properties of the network adapter.

1. Under Administration, go to Client Settings.

2. Select the client settings you want to edit, or create new custom client settings to
deploy. For more information, see How to configure client settings.

3. Under the Power Management client settings, select Enable for the Allow network
wake-up setting. For more information about this setting, see About client
settings.

4. Starting in Configuration Manager 1902, the new version of Wake on LAN honors
the custom UDP port you specify for the Wake On LAN port number (UDP) client
setting. This setting is shared by both the new and older version of Wake on LAN.

Wake up a client using client notification starting in 1810


You can wake up a single client or any sleeping clients in a collection. For devices that
are already awake in the collection, no action is taken for them. Only clients that are
asleep will be sent a Wake on LAN request. For more information on how to notify a
client to wake, see Client notification.

To wake up a single client: Right-click on the client, go to Client Notification, then
select Wake up.

To wake up all sleeping clients in a collection: Right-click on the device collection,
go to Client Notification, then select Wake up.
This action can't be run on built-in collections.
When you have a mix of asleep and awake clients in a collection, only the clients
that are asleep are sent a Wake on LAN request.
Starting in Configuration Manager 2002, this action is available from a console
connected to a Central Administration site, a stand-alone site, or child primary
site.
In versions 1910 and earlier, this action is only active when the Configuration
Manager console is connected to a stand-alone or child primary site. When
connected to a Central Administration Site, the action isn't available.

Wake machine at deployment deadline using peer clients on the same remote subnet
(Introduced in version 2010)

Starting in Configuration Manager version 2010, you can allow the site to wake devices
at the deadline of a deployment, using the client notification channel. Instead of the site
server issuing the magic packet directly, the site uses the client notification channel to
find an online machine in the last known subnet of the target device(s) and instructs the
online client to issue the WoL packet for the target device.

Prerequisites for waking a client at deadline using the client notification channel

Target computer prerequisites:

Offline
Updated to latest Configuration Manager client version
Targeted with a Required deployment with a Deadline and the Send wake-up
packages option enabled.

Prerequisites for the computer sending the WoL magic packet to the target computer:

Online
Updated to latest client version
On the same subnet as the target computer

Enable waking a client at deadline using the client notification channel

1. At the site level, enable Wake on LAN:
a. In the Configuration Manager console, go to Administration > Site
Configuration > Sites.
b. Select the primary site to configure, and then choose Properties.
c. In the Wake on LAN tab, select Enable Wake On LAN for this site and send the
wake-up packets Using client notification channel.
d. Select OK and repeat the procedure for all primary sites in the hierarchy.

2. Verify Allow network wake-up under the Power Management client settings is
enabled.

3. Create a deployment as Required with the Send wake-up packages option and a
Deadline. Clients are sent a notification when a deadline is received on
deployments such as task sequences, software distribution, or software updates
installation.

What to expect when only the new version of Wake on LAN is enabled

When you have only the new version of Wake on LAN enabled, only the Wake Up client
notification is enabled. Clients aren't sent a notification when a deadline is received on
deployments such as task sequences, software distribution, or software updates
installation. Once a sleeping machine is back online, it will be reflected in the console
when it checks in with the Management Point.

Starting in Configuration Manager version 1902, you can specify the Wake on LAN
port. This setting is shared by both the new and older version of Wake on LAN.

Starting in Configuration Manager version 2010, you can use the client notification
channel to wake clients when a deadline is received on deployments such as task
sequences, software distribution, or software updates installation. For more
information, see Use the client notification channel to wake a client when a
deployment deadline occurs.

What to expect when both versions of Wake on LAN are enabled

When you have both versions of Wake on LAN enabled, you can use the Wake Up client
notification and wake up on deadline. The client notification functions a little differently
than traditional Wake on LAN. For a brief explanation of how the client notification
works, see the Wake on LAN starting in version 1810 section. The new client setting
Allow network wake-up will change the NIC properties to allow Wake on LAN. You no
longer need to manually change it for new machines that are added to your
environment. All other functionality of Wake on LAN hasn't been changed.

Starting in version 1902, the Wake Up client notification honors your existing Wake
On LAN port number (UDP) setting.
Starting in Configuration Manager version 2010, you can use the client notification
channel to wake clients when a deadline is received on deployments such as task
sequences, software distribution, or software updates installation. For more
information, see Use the client notification channel to wake a client when a
deployment deadline occurs.

Wake on LAN for version 1806 and earlier


Specify Wake on LAN settings for Configuration Manager when you want to bring
computers out of a sleep state to install required software, such as software updates,
applications, task sequences, and programs.

You can supplement Wake on LAN by using the wake-up proxy client settings. However,
to use wake-up proxy, you must first enable Wake on LAN for the site and specify Use
wake-up packets only and the Unicast option for the Wake on LAN transmission
method. This wake-up solution also supports ad-hoc connections, such as a remote
desktop connection.

Use the first procedure to configure a primary site for Wake on LAN. Then, use the
second procedure to configure the wake-up proxy client settings. This second procedure
configures the default client settings for the wake-up proxy settings to apply to all
computers in the hierarchy. If you want these settings to apply to only selected
computers, create a custom device setting and assign it to a collection that contains the
computers that you want to configure for wake-up proxy. For more information about
how to create custom client settings, see How to configure client settings.

A computer that receives the wake-up proxy client settings will likely pause its network
connection for 1-3 seconds. This pause occurs because the client must reset the network
interface card to enable the wake-up proxy driver on it.

Warning

To avoid unexpected disruption to your network services, first evaluate wake-up
proxy on an isolated and representative network infrastructure. Then use custom
client settings to expand your test to a selected group of computers on several
subnets. For more information about how wake-up proxy works, see Plan how to
wake up clients.

To configure Wake on LAN for a site for version 1806 and earlier

To use Wake on LAN, you need to enable it for each site in a hierarchy.

1. In the Configuration Manager console, go to Administration > Site Configuration
> Sites.
2. Select the primary site to configure, and then choose Properties.
3. On the Wake on LAN tab, configure the options that you require for this site.
To support wake-up proxy, make sure you select Use wake-up packets only and
Unicast. For more information, see Plan how to wake up clients.
4. Select OK and repeat the procedure for all primary sites in the hierarchy.

To configure wake-up proxy client settings
1. In the Configuration Manager console, go to Administration > Client Settings.
2. Select Default Client Settings, and then choose Properties.
3. Select Power Management and then choose Yes for Enable wake-up proxy.
4. Review and if necessary, configure the other wake-up proxy settings. For more
information on these settings, see Power management settings.
5. Select OK to close the dialog box, and then OK to close the Default Client Settings
dialog box.

You can use the following Wake On LAN reports to monitor the installation and
configuration of wake-up proxy:

Wake-Up Proxy Deployment State Summary
Wake-Up Proxy Deployment State Details

Tip

To test whether wake-up proxy is working, test a connection to a sleeping
computer. For example, connect to a shared folder on that computer, or try
connecting to the computer using Remote Desktop. If you use Direct Access, check
that the IPv6 prefixes work by trying the same tests for a sleeping computer that is
currently on the Internet.

How to deploy clients to Windows computers in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article provides details on how to deploy the Configuration Manager client to
Windows computers. For more information on planning and preparing for client
deployment, see these articles:

Client installation methods
Prerequisites for deploying clients to Windows computers
Security and privacy for Configuration Manager clients
Best practices for client deployment

Client push installation


There are three main ways to use client push:

When you configure client push installation for a site, client installation
automatically runs on computers that the site discovers. This method is scoped to
the site's configured boundaries when those boundaries are configured as a
boundary group.

Start client push installation by running the Client Push Installation Wizard for a
specific collection or resource within a collection.

Use the Client Push Installation Wizard to install the Configuration Manager client on
the resources returned by a query. The installation will succeed only if one of the
items returned by the query is the ResourceID attribute of the System Resource class.

If the site server can't contact the client computer or start the setup process, it
automatically retries the installation every hour. The server continues to retry for up to
seven days.

To help track the client installation process, install a fallback status point before you
install the clients. When you install a fallback status point, it's automatically assigned to
clients when they're installed by the client push installation method. To track client
installation progress, view the client deployment and assignment reports.
Client log files provide more detailed information for troubleshooting. The log files
don't require a fallback status point. For example, the CCM.log file on the site server
records any problems that occur when the site server connects to the computer. The
CCMSetup.log file on the client records the installation process.

Important

Client push only succeeds if all prerequisites are met. For more information, see
Installation method dependencies.

Configure the site to automatically use client push for discovered computers

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. Select the site for which you want to configure automatic site-wide client push
installation.

3. On the Home tab of the ribbon, in the Settings group, select Client Installation
Settings, and then select Client Push Installation.

4. On the General tab of the Client Push Installation Properties window, select Enable
automatic site-wide client push installation.

5. Starting in version 1806, when you update the site, a Kerberos check for client push
is enabled. The option to Allow connection fallback to NTLM is enabled by
default, which is consistent with previous behavior. If the site can't authenticate the
client by using Kerberos, it retries the connection by using NTLM. The
recommended configuration for improved security is to disable this setting, which
requires Kerberos without NTLM fallback.

Note

When it uses client push to install the Configuration Manager client, the site
server creates a remote connection to the client. Starting in version 1806, the
site can require Kerberos mutual authentication by not allowing fallback to
NTLM before establishing the connection. This enhancement helps to secure
the communication between the server and the client.

Depending on your security policies, your environment might already prefer
or require Kerberos over the older NTLM authentication. For more information
on the security considerations of these authentication protocols, read about
the Windows security policy setting to restrict NTLM.

To use this feature, clients must be in a trusted Active Directory forest.
Kerberos in Windows relies on Active Directory for mutual authentication.

6. Select the system types to which Configuration Manager should push the client
software. Select whether you want to install the client on domain controllers.

7. On the Accounts tab, specify one or more accounts for Configuration Manager to
use when it connects to the target computer. Select the Create icon, enter the User
name and Password (no more than 38 characters), confirm the password, and then
select OK. Specify at least one client push installation account. This account must
have local administrator rights on the target computer to install the client. If you
don't specify a client push installation account, Configuration Manager tries to use
the site system computer account. Cross-domain client push fails when using the
site system computer account.

Note

To use client push from a secondary site, specify the account at the secondary
site that initiates the client push.

For more information about the client push installation account, see the next
procedure, Use the Client Push Installation Wizard.

8. Specify any required installation properties on the Installation Properties tab.

If you've extended the Active Directory schema for Configuration Manager, the site
publishes the specified client installation properties to Active Directory Domain
Services. When CCMSetup runs without installation properties, it reads these
properties from Active Directory.

Note

If you enable client push installation on a secondary site, set the
SMSSITECODE property to the Configuration Manager site code of its parent
primary site. If you've extended the Active Directory schema for Configuration
Manager, to automatically find the correct site assignment, set this property
to AUTO.

Use the Client Push Installation Wizard
1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. Select the site for which you want to configure automatic site-wide client push
installation.

3. On the Home tab of the ribbon, in the Settings group, select Client Installation
Settings, and then select Client Push Installation.

4. Specify any required installation properties on the Installation Properties tab.

If you've extended the Active Directory schema for Configuration Manager, the site
publishes the specified client installation properties to Active Directory Domain
Services. When CCMSetup runs without installation properties, it reads these
properties from Active Directory.

5. In the Configuration Manager console, go to the Assets and Compliance
workspace.

6. In the Devices node, select one or more computers. Or select a collection of
computers in the Device Collections node.

7. On the Home tab of the ribbon, choose one of these options:

To push the client to one or more devices, in the Device group, select Install
Client.

To push the client to a collection of devices, in the Collection group, select
Install Client.

8. On the Before You Begin page of the Install Configuration Manager Client Wizard,
review the information, and then select Next.

9. Select the appropriate options on the Installation Options page.

10. Review the installation settings, and then complete the wizard.

Note

Use this wizard to install clients even if the site isn't configured for client push.

Software update-based installation

Software update-based client installation publishes the client to a software update point
as a software update. Use this method for a first-time installation or upgrade.

If the Configuration Manager client is installed on a computer, the computer receives
client policy from the site. This policy includes the software update-point server name
and port from which to get software updates.

Important

For software update-based installation, use the same Windows Server Update
Services (WSUS) server for client installation and software updates. This server must
be the active software update point in a primary site. For more information, see
Install a software update point.

If the Configuration Manager client isn't installed on a computer, configure and assign a
Group Policy Object. The Group Policy specifies the server name of the software update
point.

You can't add command-line properties to a software update-based client installation. If
you've extended the Active Directory schema for Configuration Manager, the client
installation automatically queries Active Directory Domain Services for the installation
properties.

If you haven't extended the Active Directory schema, use Group Policy to provision client
installation settings. These settings are automatically applied to any software update-
based client installation. For more information, see the section on How to provision
client installation properties and the article on How to assign clients to a site.

Use the following procedures to configure computers without a Configuration Manager
client to use the software update point. There's also a procedure for publishing the
client software to the software update point.

Tip

If computers are in a pending restart state following a previous software
installation, a software update-based client installation might cause the computer
to restart.

Configure a Group Policy Object to specify the software update point
1. Use the Group Policy Management Console to open a new or existing Group
Policy Object.

2. Expand Computer Configuration, Administrative Templates, and Windows
Components, and then select Windows Update.

3. Open the properties of the setting Specify intranet Microsoft update service
location, and then select Enabled.

4. Set the intranet update service for detecting updates: Specify the name and port
of the software update point server.

If you've configured the Configuration Manager site system to use a fully
qualified domain name (FQDN), use that format.

If the Configuration Manager site system isn't configured to use an FQDN,
use a short name format.

Tip

To determine the port number, see How to determine the port settings used
by WSUS.

Example in the FQDN format: http://server1.contoso.com:8530

5. Set the intranet statistics server: This setting is typically configured with the same
server name.

6. Assign the Group Policy Object to the computers on which you want to install the
client and receive software updates.
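Once the GPO has applied, a client-side check confirms that the policy landed and points at the right software update point. This added example is not code from the Configuration Manager documentation; it reads the registry values the Windows Update policy writes (WUServer, WUStatusServer, UseWUServer) and compares them with the server1.contoso.com:8530 placeholder used above.

```powershell
# Added example; not part of the Configuration Manager documentation. Checks that the
# "Specify intranet Microsoft update service location" policy applied to this computer
# points at the expected software update point. Server and port are constructed
# placeholders; the registry values below are the ones the Windows Update policy writes.
function Test-SoftwareUpdatePointPolicy {
    [CmdletBinding()]
    param(
        # Software update point name, FQDN or short name, as configured on the site system
        [Parameter(Mandatory)] [string] $ExpectedServer,
        # WSUS port; 8530 is the common HTTP port and 8531 the common HTTPS port
        [Parameter(Mandatory)] [int] $ExpectedPort,
        [ValidateSet('http', 'https')] [string] $Scheme = 'http'
    )

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey     = "$policyKey\AU"
    $expected  = '{0}://{1}:{2}' -f $Scheme, $ExpectedServer, $ExpectedPort

    # Normalize for comparison: case-insensitive, ignore a trailing slash
    $normalize = { param($u) if ($u) { $u.Trim().TrimEnd('/').ToLowerInvariant() } else { '' } }

    $findings = [System.Collections.Generic.List[string]]::new()
    $wuServer = $null; $wuStatus = $null; $useWu = $null

    if (Test-Path $policyKey) {
        $policy   = Get-ItemProperty -Path $policyKey
        $wuServer = $policy.WUServer          # "Set the intranet update service for detecting updates"
        $wuStatus = $policy.WUStatusServer    # "Set the intranet statistics server"
        if (Test-Path $auKey) {
            $useWu = (Get-ItemProperty -Path $auKey).UseWUServer
        }
    }
    else {
        $findings.Add('Windows Update policy key is missing; the GPO has not applied to this computer.')
    }

    if ((& $normalize $wuServer) -ne (& $normalize $expected)) {
        $findings.Add("WUServer is '$wuServer' but expected '$expected'.")
    }
    if ((& $normalize $wuStatus) -ne (& $normalize $wuServer)) {
        # The procedure normally points the statistics server at the same server
        $findings.Add("WUStatusServer '$wuStatus' differs from WUServer '$wuServer'.")
    }
    if ($useWu -ne 1) {
        $findings.Add('UseWUServer is not 1, so the client ignores the intranet server and uses Microsoft Update instead.')
    }
    if ($wuServer -and $wuServer -notmatch '^https?://[^/:]+:\d+/?$') {
        $findings.Add("WUServer '$wuServer' is not in the scheme://server:port form the procedure describes.")
    }

    [pscustomobject]@{
        Expected       = $expected
        WUServer       = $wuServer
        WUStatusServer = $wuStatus
        UseWUServer    = $useWu
        Findings       = $findings
        Compliant      = ($findings.Count -eq 0)
    }
}

# Constructed example values matching the FQDN format shown above
Test-SoftwareUpdatePointPolicy -ExpectedServer 'server1.contoso.com' -ExpectedPort 8530
```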

Publish the Configuration Manager client to the software update point
1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. Select the site for which you want to configure software update-based client
installation.

3. On the Home tab of the ribbon, in the Settings group, select Client Installation
Settings, and then select Software Update-Based Client Installation.

4. Select Enable software update-based client installation.

5. If the site's client version is more recent than the version on the software update
point, the Later Version of Client Package Detected dialog box opens. Select Yes
to publish the most recent version.

Note

If you haven't already published the client software to the software update
point, this dialog box is blank.

The software update for the Configuration Manager client isn't automatically updated
when there's a new version. When you update the site, repeat this procedure to update
the client.

Group Policy installation

Use Group Policy in Active Directory Domain Services to publish or assign the
Configuration Manager client. The client installs when the computer starts. When you
use Group Policy, the client appears in Add or Remove Programs in Control Panel. The
user can install it from there.

Use the Windows Installer package CCMSetup.msi for Group Policy-based installations.
This file is found in the <ConfigMgr installation directory>\bin\i386 folder on the site
server. You can't add properties to this file to change installation behavior.

Important

You must have administrator permissions to access the client installation files.

If you've extended the Active Directory schema for Configuration Manager, and
you selected the domain on the Publishing tab of the Site Properties dialog box,
client computers automatically search Active Directory Domain Services for
installation properties. For more information, see About client installation
properties published to Active Directory Domain Services.

If you haven't extended the Active Directory schema, see the section on
provisioning client installation properties for information about storing installation
properties in the Windows registry of computers. The client uses these installation
properties when it installs.

For more information, see How to use Group Policy to remotely install software.

Manual installation
Manually install the client software on computers by using CCMSetup.exe. You can find
this program and its supporting files in the Client folder in the Configuration Manager
installation folder on the site server. The site shares this folder to the network as:

\\<site server name>\SMS_<site code>\Client\

<site server name> is the primary site server name. <site code> is the primary site
code to which the client is assigned. To run CCMSetup.exe from the command line on
the client, connect to this network location, and then run the command.

Important

You must have administrator permissions to access the client installation files.

CCMSetup.exe copies all necessary prerequisites to the client computer and calls the
Windows Installer package (Client.msi) to install the client. You can't run Client.msi
directly.

To modify the behavior of the client installation, specify command-line options for both
CCMSetup.exe and Client.msi. Make sure that you specify CCMSetup parameters that
begin with / before you specify Client.msi properties. For example:

CCMSetup.exe /mp:SMSMP01 /logon SMSSITECODE=AUTO FSP=SMSFP01

In this example, the client installs with the following options:

Option             Description

/mp:SMSMP01        This CCMSetup parameter specifies the management point SMSMP01 for
                   downloading the required client installation files.

/logon             This CCMSetup parameter specifies that the installation should stop if an
                   existing Configuration Manager client is found on the computer.

SMSSITECODE=AUTO   This Client.msi property specifies that the client tries to locate the
                   Configuration Manager site code to use, by using Active Directory Domain
                   Services, for example.

FSP=SMSFP01        This Client.msi property specifies that the fallback status point named
                   SMSFP01 is used to receive state messages sent from the client computer.

For more information, see About client installation parameters and properties.
Tip

For the procedure to install the Configuration Manager client on a modern
Windows device by using Azure Active Directory (Azure AD) identity, see Install and
assign Configuration Manager clients using Azure AD for authentication. That
procedure is for clients on an intranet or the internet.

Manual installation examples

These examples are for Active Directory-joined clients on an intranet. They use the
following values:

MPSERVER: server hosting the management point
FSPSERVER: server hosting the fallback status point
ABC: site code
contoso.com: domain name

Assume that you've configured all site system servers with an intranet FQDN and
published the site information to Active Directory.

Start with the following steps on the client computer:

1. Sign in as a local administrator.
2. Map drive Z to \\MPSERVER\SMS_ABC\Client.
3. Switch the command prompt to drive Z.

Then run one of the following commands:

Manual example 1

CCMSetup.exe

This command installs the client with no additional parameters or properties. The client
is automatically configured with the client installation properties published to Active
Directory Domain Services, including these settings:

Site code: This setting requires the client's network location to be included in a
boundary group that you've configured for client assignment.
Management point.
Fallback status point.
Communicate using HTTPS only.

For more information, see About client installation properties published to Active
Directory Domain Services.

Manual example 2

CCMSetup.exe /MP:mpserver.contoso.com /UsePKICert SMSSITECODE=ABC CCMHOSTNAME=server05.contoso.com CCMFIRSTCERT=1 FSP=server06.contoso.com

This command overrides the automatic configuration that Active Directory Domain
Services provides. It doesn't require that you include the client's network location in a
boundary group that's configured for client assignment. Instead, the installation
specifies these settings:

Site code
Intranet management point
Internet-based management point
Fallback status point that accepts connections from the internet
Use a client public key infrastructure (PKI) certificate (if available) that has the
longest validity period

Logon script installation

Configuration Manager supports using logon scripts to install the Configuration
Manager client software. Use the program file CCMSetup.exe in a logon script to trigger
the client installation.

Logon script installation uses the same methods as manual client installation. Specify
the /logon installation parameter for CCMSetup.exe. If any version of the client already
exists on the computer, this parameter prevents the client from installing. This behavior
prevents reinstallation of the client each time the logon script runs.

If you don't specify an installation source by using the /Source parameter and no
management point from which to obtain installation is specified by the /MP parameter,
CCMSetup.exe locates the management point by searching Active Directory Domain
Services. This behavior occurs only if you've extended the schema for Configuration
Manager and published the site to Active Directory Domain Services. Alternatively, the
client can use DNS to locate a management point.

Package and program installation

Use Configuration Manager to create and deploy a package and program that upgrades
the client software for selected devices. Configuration Manager supplies a package
definition file that populates the package properties with typically used values.
Customize the behavior of the client installation by specifying additional command-line
parameters and properties.

Note

You can't upgrade Configuration Manager 2007 clients by using this method.
Instead, use automatic client upgrade, which automatically creates and deploys a
package that contains the latest version of the client. For more information, see
Upgrade clients.

For more information about how to migrate from older versions of the
Configuration Manager client, see Planning a client migration strategy.

Create a package and program for the client software

Use the following procedure to create a Configuration Manager package and program
that you can deploy to Configuration Manager client computers to upgrade the client
software.

1. In the Configuration Manager console, go to the Software Library workspace,
expand Application Management, and select the Packages node.

2. On the Home tab of the ribbon, in the Create group, select Create Package from
Definition.

3. On the Package Definition page of the wizard, select Microsoft from the Publisher
list, and select Configuration Manager Client Upgrade from the Package
definition list.

4. On the Source Files page, select Always obtain files from a source folder.

5. On the Source Folder page, select Network path (UNC Name). Then enter the
network path of the server and share that contains the client installation files.

Note

The computer on which the Configuration Manager deployment runs must
have access to the specified network folder. Otherwise, the client installation
fails.

To change any of the client installation properties, modify the CCMSetup.exe
command line on the General tab of the Configuration Manager agent silent
upgrade Properties program dialog box. The default installation properties are
/noservice SMSSITECODE=AUTO.

6. Distribute the package to all distribution points that you want to host the client
upgrade package. Then deploy the package to device collections that contain
clients that you want to upgrade.

Intune MDM-managed Windows devices

Deploy the Configuration Manager client to devices that are enrolled with Microsoft
Intune.

This procedure is for a traditional client that's connected to an intranet. It uses
traditional client authentication methods. To make sure the device remains in a
managed state after it installs the client, it must be on the intranet and within a
Configuration Manager site boundary.

For the procedure to install the Configuration Manager client on a Windows device by
using Azure AD identity, see Install and assign Configuration Manager clients using
Azure AD for authentication.

After you install the Configuration Manager client, devices don't unenroll from Intune.
They can use the Configuration Manager client and MDM enrollment at the same time.
For more information, see Co-management overview.

Note

You can use other client installation methods to install the Configuration Manager
client on an Intune-managed device. For example, if an Intune-managed device is
on the intranet, and joined to the Active Directory domain, you can use group
policy to install the Configuration Manager client.

Install the Configuration Manager client by using Intune

1. In Intune, add a Windows line-of-business app that contains the Configuration
Manager client installation file CCMSetup.msi. You can find this file in the
\bin\i386 folder of the Configuration Manager installation directory on the site
server.

2. In the Intune Software Publisher, enter command-line parameters. For example,
use this command with a traditional client on an intranet:

CCMSETUPCMD="/MP:<FQDN of management point> SMSMP=<FQDN of management point> SMSSITECODE=<your site code> DNSSUFFIX=<DNS suffix of management point>"

Note

For an example of a command to use with a Windows client using Azure AD
authentication, see How to prepare internet-based devices for co-management.

3. Assign the app to a group of the enrolled Windows computers.

OS image installation
Preinstall the Configuration Manager client on a reference computer that you use to
create an OS image.

Important

When you use the Configuration Manager task sequence to deploy an OS image,
the Prepare ConfigMgr Client step completely removes the Configuration Manager
client.

Prepare the client computer for imaging

1. Manually install the Configuration Manager client software on the reference
computer. For more information, see How to install Configuration Manager clients
manually.

Important

Don't specify a Configuration Manager site code for the client in the
CCMSetup.exe command-line properties.

2. At a command prompt, type net stop ccmexec to stop the SMS Agent Host service
(CcmExec.exe) on the reference computer.

3. Delete the SMSCFG.INI file from the Windows folder on the reference computer.
4. Remove the certificates from the local computer's SMS certificate store.

5. Remove any other valid client authentication certificates that are stored in the local
computer store on the reference computer. For example, if you use PKI certificates,
before you image the computer, remove the certificates in the Personal store for
Computer and User.

6. If the clients are installed in a different Configuration Manager hierarchy than the
hierarchy of the reference computer, remove the trusted root key from the
reference computer.

Note

If clients can't query Active Directory Domain Services to locate a
management point, they use the trusted root key to determine trusted
management points. If you deploy all imaged clients in the same hierarchy as
that of the master computer, leave the trusted root key in place.

If you deploy the clients in different hierarchies, remove the trusted root key.
Also provision these clients with the new trusted root key. For more
information, see Planning for the trusted root key.

7. Use your imaging software to capture an image of the reference computer.

8. Deploy the image to the destination computers.
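Steps 2 to 5 of this procedure are the ones that strip client identity from the reference computer, and they are easy to get half right by hand. The following added example (not code from the Configuration Manager documentation) automates them with -WhatIf support; it assumes that the PKI client certificates to remove carry the Client Authentication EKU, and it leaves step 6, removing the trusted root key, to the article referenced in the note.

```powershell
# Added example; not part of the Configuration Manager documentation. Automates steps 2
# to 5 of the procedure above on the reference computer (run elevated). Step 6, removing
# the trusted root key, is not automated here. Supports -WhatIf to preview the changes.
function Invoke-ReferenceClientCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Client Authentication EKU; selects the PKI client authentication certificates
        # that the procedure says to remove from the Personal stores. This filter is an
        # assumption; adjust it if your client certificates carry a different EKU.
        [string] $ClientAuthEku = '1.3.6.1.5.5.7.3.2'
    )

    $removed = [ordered]@{ SmsStore = 0; PersonalStores = 0 }

    # Step 2: stop the SMS Agent Host service (CcmExec.exe)
    $svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped' -and $PSCmdlet.ShouldProcess('CcmExec', 'Stop service')) {
        Stop-Service -Name CcmExec -Force
    }

    # Step 3: delete SMSCFG.INI from the Windows folder (it holds this client's identity,
    # which must not be cloned into every computer built from the image)
    $smscfg = Join-Path $env:windir 'SMSCFG.INI'
    if ((Test-Path $smscfg) -and $PSCmdlet.ShouldProcess($smscfg, 'Delete')) {
        Remove-Item -Path $smscfg -Force
    }

    # Step 4: empty the local computer's SMS certificate store
    foreach ($cert in @(Get-ChildItem -Path Cert:\LocalMachine\SMS -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess("SMS store: $($cert.Subject) ($($cert.Thumbprint))", 'Remove certificate')) {
            Remove-Item -Path $cert.PSPath
            $removed.SmsStore++
        }
    }

    # Step 5: remove client authentication certificates (and their private keys) from the
    # Computer and User Personal stores; certificates without that EKU are left alone
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        $clientCerts = @(Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku })
        foreach ($cert in $clientCerts) {
            if ($PSCmdlet.ShouldProcess("$store $($cert.Subject) ($($cert.Thumbprint))", 'Remove certificate and private key')) {
                Remove-Item -Path $cert.PSPath -DeleteKey
                $removed.PersonalStores++
            }
        }
    }

    # Step 6 (not automated): if the image is deployed to a different hierarchy, remove
    # the trusted root key as described in Planning for the trusted root key.

    [pscustomobject]$removed
}

# Preview what would change without touching the computer; drop -WhatIf to apply
Invoke-ReferenceClientCleanup -WhatIf
```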

Workgroup computers
Configuration Manager supports client installation for computers in workgroups. Install
the client on workgroup computers by using the method specified in How to install
Configuration Manager clients manually.

Prerequisites
Manually install the client on each workgroup computer. During installation, the
interactive user must have local administrator rights.

To access resources in the Configuration Manager site server domain, configure
the network access account for the site. Specify this account in the software
distribution site component. For more information, see Site components.

Limitations
Workgroup clients can't locate management points from Active Directory Domain
Services. Instead, they use DNS or another management point.

Global roaming isn't supported. Workgroup clients can't query Active Directory
Domain Services for site information.

Active Directory discovery methods can't discover computers in workgroups.

You can't deploy software to users of workgroup computers.

You can't use the client push installation method to install the client on workgroup
computers.

Workgroup clients can't use Kerberos for authentication, and they might require
manual approval.

You can't configure a workgroup client as a distribution point. Configuration
Manager requires that distribution point computers be members of a domain.

Install the client on workgroup computers

Check the prerequisites, and then follow the directions in the section How to install
Configuration Manager clients manually.

Workgroup example 1

This example does the following actions:

Installs the client for intranet client management
Specifies the site code
Specifies the DNS suffix to locate a management point

CCMSetup.exe SMSSITECODE=ABC DNSSUFFIX=contoso.com

Workgroup example 2

This example requires the client to be on a network location that's configured in a
boundary group. If this requirement isn't met, automatic site assignment won't work.
The command includes a fallback status point on server FSPSERVER. This property helps
to track client deployment and to identify any client communication issues.

CCMSetup.exe FSP=fspserver.contoso.com

Internet-based client management

Note

This section doesn't apply to clients that use a cloud management gateway. To
install internet-based clients by using a cloud management gateway, see Install
and assign Configuration Manager clients using Azure AD for authentication.

When the Configuration Manager site supports internet-based client management for
clients that are sometimes on an intranet and sometimes on the internet, you have two
options when you install clients on the intranet:

Include the Client.msi property CCMHOSTNAME=<internet FQDN of the internet-based
management point> when you install the client, by using manual installation or client
push, for example. When you use this method, directly assign the client to the site.
You can't use automatic site assignment. See the How to install Configuration
Manager clients manually section, which provides an example of this configuration
method.

Install the client for intranet client management, and then assign an internet-based
client management point to the client. Change the management point by using the
client properties on the Configuration Manager page in Control Panel, or by using
a script. When you use this method, you can use automatic client assignment. For
more information, see the How to configure clients for internet-based client
management after client installation section.

To install clients that are on the internet, choose one of the following supported
methods:

Provide a mechanism for these clients to temporarily connect to the intranet with a
VPN. Then install the client by using any appropriate client installation method.

Use an installation method that's independent of Configuration Manager. For
example, package the client installation source files onto removable media and
send the media to users. The client installation source files are located in the
<installation path>\Client folder on the Configuration Manager site server. On
the media, include a script to manually copy over the client folder. From this folder,
install the client by using CCMSetup.exe and all the appropriate CCMSetup
command-line properties.

Note

Configuration Manager doesn't support installing a client directly from the
internet-based management point or from the internet-based software update
point.

Clients that are managed over the internet must communicate with internet-based site
systems. Ensure that these clients also have public key infrastructure (PKI) certificates
before you install the client. Install these certificates independently from Configuration
Manager. For more information, see PKI certificate requirements.

Install clients on the internet by specifying CCMSetup command-line properties
1. Follow the directions in the section How to install Configuration Manager clients
manually. Always include the following options:

CCMSetup command-line parameter /source:<local path of the copied Client folder>

CCMSetup command-line parameter /UsePKICert

Client.msi property CCMHOSTNAME=<FQDN of internet-based management point>

Client.msi property SMSSIGNCERT=<local path of exported site server signing certificate>

Client.msi property SMSSITECODE=<site code of internet-based management point>

Note

If the site has more than one internet-based management point, it doesn't
matter which one you specify for the CCMHOSTNAME property. When a
Configuration Manager client connects to the specified internet-based
management point, it sends the client a list of available internet-based
management points in the site. The client randomly selects one from the list.

2. If you don't want the client to check the certificate revocation list (CRL), specify the
CCMSetup command-line parameter /NoCRLCheck.

3. If you're using an internet-based fallback status point, specify the Client.msi
property FSP=<internet FQDN of the internet-based fallback status point>.

4. If you're installing the client for internet-only client management, specify the
Client.msi property CCMALWAYSINF=1.

5. Determine whether you have to specify additional CCMSetup command-line
parameters. For example, if the client has more than one valid PKI certificate, you
might have to specify a certificate selection criterion. For a list of available
properties, see About client installation parameters and properties.

Internet-based example

CCMSetup.exe /source:D:\Clients /UsePKICert CCMHOSTNAME=server1.contoso.com SMSSIGNCERT=siteserver.cer SMSSITECODE=ABC FSP=server2.contoso.com CCMALWAYSINF=1 CCMFIRSTCERT=1

This example installs the client with the following behaviors:

Use source files from a folder on drive D.
Use a client PKI certificate.
Select the certificate with the longest validity period.
Internet-only client management.
Assign the client to use the internet-based management point named SERVER1.
Assign the internet-based fallback status point in the contoso.com domain.
Assign the client to the ABC site.

To configure clients for internet-based client management after client installation
To assign the internet-based management point after you install the client, use one of
these procedures. The first requires manual configuration and is appropriate for a few
clients. The second is more appropriate for configuring many clients.

Configure clients for internet-based client management after client installation from the Configuration Manager control panel
1. Open the Configuration Manager control panel on the client.

2. On the Network tab, enter the fully qualified domain name (FQDN) of the internet-
based management point as the Internet FQDN.

Note

The Network tab is available only if the client has a client PKI certificate.

3. If the client accesses the internet by using a proxy server, enter the proxy server
settings.

Configure clients for internet-based client management after client installation by using a script

1. Open a PowerShell in-line editor, like PowerShell ISE or Visual Studio Code. You can
also use a text editor, like Notepad.

2. Copy and insert the following lines of code into the editor. Replace
'mp.contoso.com' with the internet FQDN of your internet-based management
point.

PowerShell

# Internet FQDN of the internet-based management point; use '' to clear it
$newInternetBasedManagementPointFQDN = 'mp.contoso.com'

# Client SDK COM object exposed by the installed Configuration Manager client
$client = New-Object -ComObject Microsoft.SMS.Client

$client.SetInternetManagementPointFQDN($newInternetBasedManagementPointFQDN)

# Restart the SMS Agent Host service so the client picks up the new value
Restart-Service CcmExec

# Read the value back to verify the change
$client.GetInternetManagementPointFQDN()

Note

The last line is there only to verify the new internet management point value.

To delete a specified internet-based management point, remove the server
FQDN value inside the quotation marks. The line becomes
$newInternetBasedManagementPointFQDN = ''.

3. Save the file with a .ps1 extension.

4. Run the script with elevated rights on client computers. Use one of these methods:

Deploy the file to existing Configuration Manager clients by using a package
and a program.

Run the file locally on existing Configuration Manager clients by double-clicking
the script file in File Explorer.

You might have to restart the client for the changes to take effect.

Provision client installation properties

Provision client installation properties for group policy and software update-based client
installations. Use Windows Group Policy to provision computers with Configuration
Manager client installation properties. These properties are stored in the registry of the
computer. The client reads them when it installs. This procedure isn't normally required,
but it might be needed for some client installation scenarios, such as:

You're using the group policy settings or software update-based client installation
methods. You haven't extended the Active Directory schema for Configuration
Manager.

You want to override client installation properties on specific computers.

Note

If any installation properties are supplied on the CCMSetup.exe command line,
installation properties provisioned on computers aren't used.

A group policy administrative template named ConfigMgrInstallation.adm is supplied
on the Configuration Manager installation media. Use this template to provision client
computers with installation properties.

Tip

By default, ConfigMgrInstallation.adm doesn't support strings larger than 255
characters. This configuration can impact adding multiple parameters or
parameters with long values, such as CCMCERTISSUERS.

To work around this issue:

1. Edit ConfigMgrInstallation.adm in Notepad.
2. For the property VALUENAME SetupParameters, change the MAXLEN value to a
larger integer. For example, MAXLEN 511.

Configure and assign client installation properties by using a group policy object
1. Import the ConfigMgrInstallation.adm administrative template into a new or
existing group policy object (GPO) by using an editor like Windows Group Policy
Object Editor. You can find this file in the TOOLS\ConfigMgrADMTemplates folder on
the Configuration Manager installation media.

2. Open the properties of the imported setting Configure Client Deployment
Settings.

3. Select Enabled.

4. In the CCMSetup box, enter the required CCMSetup command-line properties. For
a list of all CCMSetup command-line properties and examples of their use, see
About client installation parameters and properties.

5. Assign the GPO to the computers that you want to provision with Configuration
Manager client installation properties.
About client installation parameters and properties in Configuration Manager
Article • 04/11/2023

Applies to: Configuration Manager (current branch)

Use the CCMSetup.exe command to install the Configuration Manager client. If you
provide client installation parameters on the command line, they modify the installation
behavior. If you provide client installation properties on the command line, they modify
the initial configuration of the installed client agent.

About CCMSetup.exe
The CCMSetup.exe command downloads needed files to install the client from a
management point or a source location. These files might include:

The Windows Installer package client.msi that installs the client software

Client prerequisites

Updates and fixes for the Configuration Manager client

Note

You can't directly install client.msi.

CCMSetup.exe provides command-line parameters to customize the installation.
Parameters are prefixed with a slash ( / ) and are generally lower case. You specify the
value of a parameter when necessary using a colon ( : ) immediately followed by the
value. For more information, see CCMSetup.exe command-line parameters.

You can also supply properties at the CCMSetup.exe command line to modify the
behavior of client.msi. Properties by convention are upper case. You specify a value for a
property using an equal sign ( = ) immediately followed by the value. For more
information, see Client.msi properties.

Important

Specify CCMSetup parameters before you specify properties for client.msi.


CCMSetup.exe and the supporting files are on the site server in the Client folder of the
Configuration Manager installation folder. Configuration Manager shares this folder to
the network under the site share. For example, \\SiteServer\SMS_ABC\Client.

At the command prompt, the CCMSetup.exe command uses the following format:

CCMSetup.exe [<Ccmsetup parameters>] [<client.msi setup properties>]

For example:

CCMSetup.exe /mp:SMSMP01 /logon SMSSITECODE=S01 FSP=SMSFP01

This example does the following things:

Specifies the management point named SMSMP01 to request a list of distribution points to download the client installation files.

Specifies that installation should stop if a version of the client already exists on the computer.

Instructs client.msi to assign the client to the site code S01.

Instructs client.msi to use the fallback status point named SMSFP01.

Tip

If a parameter value has spaces, surround it with quotation marks.

If you extend the Active Directory schema for Configuration Manager, the site publishes
many client installation properties in Active Directory Domain Services. The
Configuration Manager client automatically reads these properties. For more
information, see About client installation properties published to Active Directory Domain Services.

CCMSetup.exe command-line parameters

/?

Shows available command-line parameters for ccmsetup.exe.

Example: ccmsetup.exe /?

/AllowMetered
Use this parameter to control the client's behavior on a metered network. This
parameter takes no values. When you allow client communication on a metered network
for ccmsetup, it downloads the content, registers with the site, and downloads the initial
policy. Any further client communication follows the configuration of the client setting
from that policy. For more information, see About client settings.

If you reinstall the client on an existing device, it uses the following priority to determine
its configuration:

1. Existing local client policy

2. The last command line stored in the Windows registry

3. Parameters on the ccmsetup command line

/AlwaysExcludeUpgrade

This parameter specifies whether or not a client will auto upgrade when you enable
Automatic client upgrade.

Supported values:

TRUE : The client won't automatically upgrade

FALSE : The client automatically upgrades (default)

For example:

CCMSetup.exe /AlwaysExcludeUpgrade:TRUE

For more information, see Extended interoperability client.

Note

When using the /AlwaysExcludeUpgrade parameter, the auto upgrade still runs. However, when CCMSetup runs to perform the upgrade, it notes that the /AlwaysExcludeUpgrade parameter has been set and logs the following line in ccmsetup.log:

Client is stamped with /alwaysexcludeupgrade. Stop proceeding.

CCMSetup then immediately exits and doesn't perform the upgrade.

/BITSPriority
When the device downloads client installation files over an HTTP connection, use this
parameter to specify the download priority. Specify one of the following possible values:

FOREGROUND

HIGH

NORMAL (default)

LOW

Example: ccmsetup.exe /BITSPriority:HIGH

/config

This parameter specifies a text file that lists client installation properties.

If CCMSetup runs as a service, place this file in the CCMSetup system folder: %Windir%\Ccmsetup.

If you specify the /noservice parameter, place this file in the same folder as
CCMSetup.exe.

Example: CCMSetup.exe /config:"configuration file name.txt"

To provide the correct file format, use the mobileclienttemplate.tcf file in the \bin\<platform> folder in the Configuration Manager installation directory on the site server. This file has comments about the sections and how to use them. Specify the client installation properties in the [Client Install] section, after the following text: Install=INSTALL=ALL.

Example [Client Install] section entry: Install=INSTALL=ALL SMSSITECODE=ABC SMSCACHESIZE=100

/downloadtimeout

If CCMSetup fails to download the client installation files, this parameter specifies the
maximum timeout in minutes. After this timeout, CCMSetup stops trying to download
the installation files. The default value is 1440 minutes (one day).

Use the /retry parameter to specify the interval between retry attempts.

Example: ccmsetup.exe /downloadtimeout:100


/ExcludeFeatures

This parameter specifies that CCMSetup.exe doesn't install the specified feature.

Example: CCMSetup.exe /ExcludeFeatures:ClientUI doesn't install Software Center on the client.

Note

ClientUI is the only value that the /ExcludeFeatures parameter supports.

/forceinstall

Specify that CCMSetup.exe uninstalls any existing client, and installs a new client.

/forcereboot

Use this parameter to force the computer to restart if necessary to complete the
installation. If you don't specify this parameter, CCMSetup exits when a restart is
necessary. It then continues after the next manual restart.

Example: CCMSetup.exe /forcereboot

/logon

If any version of the client is already installed, this parameter specifies that the client
installation should stop.

Example: ccmsetup.exe /logon

/mp

Specifies a management point for clients to use to find the nearest distribution point for
the client installation files. If there are no distribution points, or computers can't
download the files from the distribution points after four hours, they download the files
from the specified management point.

For more information on how ccmsetup downloads content, see Boundary groups - client installation. That article also includes details of ccmsetup behavior if you use both /mp and /source parameters.

Important

This parameter specifies an initial management point for computers to find a download source, and can be any management point in any site. It doesn't assign the client to the specified management point.

Computers download the files over an HTTP or HTTPS connection, depending on the
site system role configuration for client connections. The download can also use BITS
throttling if you configure it. If you configure all distribution points and management
points for HTTPS client connections only, verify that the client computer has a valid
client certificate.

You can use the /mp command-line parameter to specify more than one management
point. If the computer fails to connect to the first one, it tries the next in the specified
list. When you specify multiple management points, separate the values by semicolons.

If the client connects to a management point using HTTPS, specify the FQDN not the
computer name. The value must match the management point PKI certificate's Subject
or Subject Alternative Name. Although Configuration Manager supports using a
computer name in the certificate for connections on the intranet, using an FQDN is
recommended.

Example with the computer name: ccmsetup.exe /mp:SMSMP01

Example with the FQDN: ccmsetup.exe /mp:smsmp01.contoso.com

This parameter can also specify the URL of a cloud management gateway (CMG). Use this URL to install the client on an internet-based device. To get the value for this parameter, use the following steps:

1. Create a CMG. For more information, see Set up a CMG.

2. On an active client, open a Windows PowerShell command prompt as an administrator.

3. Run the following command:

PowerShell

(Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate | Where-Object {$_.Type -eq "Internet"}).MP

4. Append the https:// prefix to use with the /mp parameter.

Example for when you use the cloud management gateway URL: ccmsetup.exe /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057598037248100

Important

When specifying the URL of a cloud management gateway for the /mp parameter, it must start with https://.

Note

The /mp command-line parameter doesn't specify the management point used by the Configuration Manager client once it is installed. To specify the initial management point used by the Configuration Manager client once it is installed, use the SMSMP client.msi property. To specify a list of management points for the Configuration Manager client to use once it is installed, use the SMSMPLIST client.msi property.

/NoCRLCheck

Specifies that a client shouldn't check the certificate revocation list (CRL) when it
communicates over HTTPS with a PKI certificate. When you don't specify this parameter,
the client checks the CRL before it establishes an HTTPS connection. For more
information about client CRL checking, see Planning for PKI certificate revocation.

Example: CCMSetup.exe /UsePKICert /NoCRLCheck

/noservice

This parameter prevents CCMSetup from running as a service, which it does by default.
When CCMSetup runs as a service, it runs in the context of the Local System account of
the computer. This account might not have sufficient rights to access required network
resources for the installation. With /noservice , CCMSetup.exe runs in the context of the
user account that you use to start the installation.

Example: ccmsetup.exe /noservice

/regtoken
Use this parameter to provide a bulk registration token. An internet-based device uses
this token in the registration process through a cloud management gateway (CMG). For
more information, see Token-based authentication for CMG.

When you use this parameter, also include the following parameters and properties:

/mp
CCMHOSTNAME
SMSSITECODE
SMSMP

The following example command line includes the other required setup parameters and
properties:

ccmsetup.exe /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSITECODE=ABC SMSMP=https://mp1.contoso.com /regtoken:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik9Tbzh2Tmd5VldRUjlDYVh5T2lacHFlMDlXNCJ9.eyJTQ0NNVG9rZW5DYXRlZ29yeSI6IlN7Q01QcmVBdXRoVG9rZW4iLCJBdXRob3JpdHkiOiJTQ0NNIiwiTGljZW5zZSI6IlNDQ00iLCJUeXBlIjoiQnVsa1JlZ2lzdHJhdGlvbiIsIlRlbmFudElkIjoiQ0RDQzVFOTEtMEFERi00QTI0LTgyRDAtMTk2NjY3RjFDMDgxIiwiVW5pcXVlSWQiOiJkYjU5MWUzMy1wNmZkLTRjNWItODJmMy1iZjY3M2U1YmQwYTIiLCJpc3MiOiJ1cm46c2NjbTpvYXV0aDI6Y2RjYzVlOTEtMGFkZi00YTI0LTgyZDAtMTk2NjY3ZjFjMDgxIiwiYXVkIjoidXJuOnNjY206c2VydmljZSIsImV4cCI6MTU4MDQxNbUwNSwibmJmIjoxNTgwMTU2MzA1fQ.ZUJkxCX6lxHUZhMH_WhYXFm_tbXenEdpgnbIqI1h8hYIJw7xDk3wv625SCfNfsqxhAwRwJByfkXdVGgIpAcFshzArXUVPPvmiUGaxlbB83etUTQjrLIk-gvQQZiE5NSgJ63LCp5KtqFCZe8vlZxnOloErFIrebjFikxqAgwOO4i5ukJdl3KQ07YPRhwpuXmwxRf1vsiawXBvTMhy40SOeZ3mAyCRypQpQNa7NM3adCBwUtYKwHqiX3r1jQU0y57LvU_brBfLUL6JUpk3ri-LSpwPFarRXzZPJUu4-mQFIgrMmKCYbFk3AaEvvrJienfWSvFYLpIYA7lg-6EVYRcCAA

Tip

If CCMSetup returns error 0x87d0027e, try removing the /mp parameter from the command line.

/retry

If CCMSetup.exe fails to download installation files, use this parameter to specify the
retry interval in minutes. CCMSetup continues to retry until it reaches the limit specified
in the /downloadtimeout parameter.

Example: ccmsetup.exe /retry:20

/service

Specifies that CCMSetup should run as a service that uses the Local System account.

Tip

If you're using a script to run CCMSetup.exe with the /service parameter, CCMSetup.exe exits after the service starts. It might not correctly report installation details to the script.

Example: ccmsetup.exe /service

/skipprereq

This parameter specifies that CCMSetup.exe doesn't install the specified prerequisite.
You can enter more than one value. Use the semicolon character ( ; ) to separate each
value.

Examples:

CCMSetup.exe /skipprereq:filename.exe

CCMSetup.exe /skipprereq:filename1.exe;filename2.exe

For more information on client prerequisites, see Windows client prerequisites.

/source

Specifies the file download location. Use a local or UNC path. The device downloads files
using the server message block (SMB) protocol. To use /source , the Windows user
account for client installation needs Read permissions to the location.

For more information on how ccmsetup downloads content, see Boundary groups -
client installation. That article also includes details of ccmsetup behavior if you use both
/mp and /source parameters.

Tip

You can use the /source parameter more than once in a command line to specify alternative download locations.

Example: ccmsetup.exe /source:"\\server\share"

/uninstall

Use this parameter to uninstall the Configuration Manager client. For more information,
see Uninstall the client.

Example: ccmsetup.exe /uninstall

Note

Starting in version 2111, when you uninstall the client it also removes the client bootstrap, ccmsetup.msi, if it exists.

/UsePKICert

Specify this parameter for the client to use a PKI client authentication certificate. If you
don't include this parameter, or if the client can't find a valid certificate, it filters out all
HTTPS management points, including cloud management gateways (CMG). The client
uses an HTTP connection with a self-signed certificate.

Example: CCMSetup.exe /UsePKICert

If a device uses Azure Active Directory (Azure AD) for client authentication and also has a PKI-based client authentication certificate, and you include this parameter, the client won't be able to get Azure AD onboarding information from a cloud management gateway (CMG). For a client that uses Azure AD authentication, don't specify this parameter, but include the AADRESOURCEURI and AADCLIENTAPPID properties.

Note

In some scenarios, you don't have to specify this parameter, but still use a client certificate. For example, client push and software update-based client installation. Use this parameter when you manually install a client and use the /mp parameter with an HTTPS-enabled management point.

Also specify this parameter when you install a client for internet-only communication. Use CCMALWAYSINF=1 together with the properties for the internet-based management point (CCMHOSTNAME) and the site code (SMSSITECODE). For more information about internet-based client management, see Considerations for client communications from the internet or an untrusted forest.

/IgnoreSkipUpgrade

Specify this parameter to manually upgrade an excluded client. For more information,
see How to exclude clients from upgrade.

CCMSetup.exe return codes

The CCMSetup.exe command provides the following return codes. To troubleshoot, review %WinDir%\ccmsetup\Logs\ccmsetup.log on the client for context and additional detail about return codes.

Return code    Meaning
0              Success
6              Error
7              Reboot required
8              Setup already running
9              Prerequisite evaluation failure
10             Setup manifest hash validation failure
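An added example (not code from the Configuration Manager documentation or product) that applies the rules above from a deployment script: it builds the argument list with parameters before client.msi properties, quotes values that contain spaces, refuses /service because the installer then exits before the result is known, and maps the documented return codes. The installer path is an assumption.

```powershell
# Added example; not from the Configuration Manager documentation or product.
# Builds a CCMSetup.exe argument list that follows the rules on this page
# (parameters first with a slash and ":" before values, client.msi properties
# after them with "=", values with spaces quoted), runs the installer, and maps
# the documented return codes. $CcmSetupPath is an assumed location.

function Format-CcmValue {
    param([string]$Value)
    if ($Value -match '\s') { '"{0}"' -f $Value } else { $Value }
}

function New-CcmSetupArgumentList {
    param(
        # ccmsetup parameters: @{ mp = 'smsmp01.contoso.com'; logon = $null } ($null = no value)
        [hashtable]$Parameters = @{},
        # client.msi properties: @{ SMSSITECODE = 'ABC'; FSP = 'SMSFP01' }
        [hashtable]$Properties = @{}
    )
    $list = @()
    foreach ($name in ($Parameters.Keys | Sort-Object)) {
        $value = $Parameters[$name]
        if ($null -eq $value) { $list += "/$name" }
        else { $list += "/${name}:$(Format-CcmValue $value)" }
    }
    # Properties always follow the parameters, as the page's Important note requires.
    foreach ($name in ($Properties.Keys | Sort-Object)) {
        $list += '{0}={1}' -f $name.ToUpper(), (Format-CcmValue $Properties[$name])
    }
    return $list
}

# Return codes as documented in the table above.
$CcmSetupReturnCodes = @{
    0  = 'Success'
    6  = 'Error'
    7  = 'Reboot required'
    8  = 'Setup already running'
    9  = 'Prerequisite evaluation failure'
    10 = 'Setup manifest hash validation failure'
}

function Invoke-CcmSetup {
    param(
        [string]$CcmSetupPath = 'C:\Temp\CCMSetup.exe',   # assumed path
        [hashtable]$Parameters = @{},
        [hashtable]$Properties = @{}
    )
    if ($Parameters.ContainsKey('service')) {
        # With /service the page's Tip says CCMSetup.exe exits as soon as the service
        # starts, so the exit code captured below would not be the install result.
        throw 'Do not pass /service when the script needs the installation result.'
    }
    $argList = New-CcmSetupArgumentList -Parameters $Parameters -Properties $Properties
    $proc = Start-Process -FilePath $CcmSetupPath -ArgumentList $argList -Wait -PassThru -NoNewWindow
    $code = $proc.ExitCode
    $meaning = if ($CcmSetupReturnCodes.ContainsKey($code)) { $CcmSetupReturnCodes[$code] } else { 'Undocumented return code; check the log' }
    [pscustomobject]@{
        CommandLine    = "$CcmSetupPath $($argList -join ' ')"
        ExitCode       = $code
        Meaning        = $meaning
        RebootRequired = ($code -eq 7)
        Log            = Join-Path $env:WinDir 'ccmsetup\Logs\ccmsetup.log'
    }
}

# Same intent as the page's sample command line (values are the page's examples).
$install = Invoke-CcmSetup -Parameters @{ mp = 'SMSMP01'; logon = $null } `
                           -Properties @{ SMSSITECODE = 'S01'; FSP = 'SMSFP01' }
if ($install.ExitCode -ne 0) {
    Write-Warning "CCMSetup returned $($install.ExitCode): $($install.Meaning). See $($install.Log)"
}
```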

Ccmsetup.msi properties
The following properties can modify the installation behavior of ccmsetup.msi.

CCMSETUPCMD

Use this ccmsetup.msi property to pass additional command-line parameters and properties to ccmsetup.exe. Include other parameters and properties inside quotation marks ( " ). Use this property when you bootstrap the Configuration Manager client with the Intune MDM installation method.

Example: ccmsetup.msi CCMSETUPCMD="/mp:https://mp.contoso.com CCMHOSTNAME=mp.contoso.com"

Tip

Microsoft Intune limits the command line to 1024 characters.

Client.msi properties
The following properties can modify the installation behavior of client.msi, which
ccmsetup.exe installs.

AADCLIENTAPPID

Specifies the Azure Active Directory (Azure AD) client app identifier. You create or import
the client app when you configure Azure services for Cloud Management. An Azure
administrator can get the value for this property from the Azure portal. For more
information, see get application ID. For the AADCLIENTAPPID property, this application ID
is for the Native application type.

Example: ccmsetup.exe AADCLIENTAPPID=aa28e7f1-b88a-43cd-a2e3-f88b257c863b

AADRESOURCEURI

Specifies the Azure AD server app identifier. You create or import the server app when
you configure Azure services for Cloud Management. When you create the server app,
in the Create Server Application window, this property is the App ID URI.

An Azure administrator can get the value for this property from the Azure portal. In
Azure Active Directory, find the server app under App registrations. Look for
application type Web app / API. Open the app, select Settings, and then select
Properties. Use the App ID URI value for this AADRESOURCEURI client installation property.

Example: ccmsetup.exe AADRESOURCEURI=https://contososerver

AADTENANTID

Specifies the Azure AD tenant identifier. Configuration Manager links to this tenant
when you configure Azure services for Cloud Management. To get the value for this
property, use the following steps:

1. On a device that runs Windows 10 or later and is joined to the same Azure AD tenant, open a command prompt.

2. Run the following command: dsregcmd.exe /status

3. In the Device State section, find the TenantId value. For example, TenantId : 607b7853-6f6f-4d5d-b3d4-811c33fdd49a

Note

An Azure administrator can also obtain this value in the Azure portal. For more information, see get tenant ID.

Example: ccmsetup.exe AADTENANTID=607b7853-6f6f-4d5d-b3d4-811c33fdd49a

CCMADMINS

Specifies one or more Windows user accounts or groups to be given access to client
settings and policies. This property is useful when you don't have local administrative
credentials on the client computer. Specify a list of accounts that are separated by
semicolons ( ; ).

Example: CCMSetup.exe CCMADMINS="domain\account1;domain\group1"

CCMALLOWSILENTREBOOT

If necessary, allow the computer to silently restart after the client installation.

Important

When you use this property, the computer restarts without warning. This behavior occurs even if a user is signed in to Windows.

Example: CCMSetup.exe CCMALLOWSILENTREBOOT

CCMALWAYSINF

To specify that the client is always internet-based and never connects to the intranet, set
this property value to 1 . The client's connection type displays Always Internet.

Use this property with CCMHOSTNAME to specify the FQDN of the internet-based management point. Also use it with the CCMSetup parameter UsePKICert and the SMSSITECODE property.

For more information about internet-based client management, see Considerations for client communications from the internet or an untrusted forest.

Example: CCMSetup.exe /UsePKICert CCMALWAYSINF=1 CCMHOSTNAME=SERVER3.CONTOSO.COM SMSSITECODE=ABC

CCMCERTISSUERS

Use this property to specify the certificate issuers list. This list includes certificate
information for the trusted root certification authorities (CA) that the Configuration
Manager site trusts.

This value is a case-sensitive match for subject attributes that are in the root CA
certificate. Separate attributes by a comma ( , ) or a semicolon ( ; ). Specify more than
one root CA certificate by using a separator bar ( | ).

Example: CCMCERTISSUERS="CN=Contoso Root CA; OU=Servers; O=Contoso, Ltd; C=US | CN=Litware Corporate Root CA; O=Litware, Inc."

Tip

Use the value of the CertificateIssuers attribute in the mobileclient.tcf file for the site. This file is in the \bin\<platform> subfolder of the Configuration Manager installation directory on the site server.

For more information about the certificate issuers list and how clients use it during the
certificate selection process, see Planning for PKI client certificate selection.
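An added example (not code from the Configuration Manager documentation or product) that parses a CCMCERTISSUERS value with the separators described above and checks a root CA subject against it; it is useful for confirming, before deployment, that the site's issuers list actually covers the root of the client certificate chain. The handling of commas inside values, quote stripping and case-insensitive attribute names are assumptions; the subjects are constructed.

```powershell
# Added example; not from the Configuration Manager documentation or product.
# Parses a CCMCERTISSUERS value with the separators this page describes ("|"
# between root CAs, "," or ";" between attributes) and checks a root CA subject
# against it with case-sensitive value comparison. Assumptions: attribute names
# compare case-insensitively, a fragment without "=" (the "Ltd" in
# "O=Contoso, Ltd") is re-joined to the preceding attribute, and surrounding
# quotes that Windows adds to such values are stripped. Subjects are constructed.

function ConvertFrom-DistinguishedName {
    param([string]$Dn)
    $attrs = [ordered]@{}
    $last = $null
    foreach ($frag in ($Dn -split '[,;]')) {
        $frag = $frag.Trim()
        if ($frag -eq '') { continue }
        if ($frag -match '^([^=]+?)\s*=\s*(.*)$') {
            $last = $Matches[1].Trim().ToUpper()
            $attrs[$last] = $Matches[2]
        } elseif ($null -ne $last) {
            $attrs[$last] = $attrs[$last] + ', ' + $frag   # value that contained a comma
        }
    }
    foreach ($k in @($attrs.Keys)) { $attrs[$k] = $attrs[$k].Trim().Trim('"') }
    $attrs
}

function Test-CcmCertIssuer {
    param(
        [Parameter(Mandatory)][string]$CcmCertIssuers,   # the CCMCERTISSUERS value
        [Parameter(Mandatory)][string]$RootSubject       # subject of the chain's root CA
    )
    $have = ConvertFrom-DistinguishedName $RootSubject
    foreach ($entry in ($CcmCertIssuers -split '\|')) {
        $want = ConvertFrom-DistinguishedName $entry
        if ($want.Count -eq 0) { continue }
        $all = $true
        foreach ($name in $want.Keys) {
            # Every listed attribute must be present with exactly matching case.
            if (-not ($have.Contains($name) -and ($have[$name] -ceq $want[$name]))) { $all = $false; break }
        }
        if ($all) { return $true }
    }
    return $false
}

$issuers = 'CN=Contoso Root CA; OU=Servers; O=Contoso, Ltd; C=US | CN=Litware Corporate Root CA; O=Litware, Inc.'
# Root subject as Windows renders it (constructed). On a device, take it from the last
# element of an X509Chain built for the client authentication certificate.
Test-CcmCertIssuer -CcmCertIssuers $issuers -RootSubject 'CN=Contoso Root CA, OU=Servers, O="Contoso, Ltd", C=US'
Test-CcmCertIssuer -CcmCertIssuers $issuers -RootSubject 'CN=contoso root ca, OU=Servers, O="Contoso, Ltd", C=US'   # value case differs
```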

CCMCERTNAMECHECK

Starting in version 2207, this property can be used to skip checking the subject name for
the certificate. CCMCERTNAMECHECK=0 skips checking the subject name of the certificate.

CCMCERTSEL

If the client has more than one certificate for HTTPS communication, this property
specifies the criteria for it to select a valid client authentication certificate.

Use the following keywords to search the certificate Subject Name or Subject Alternative Name:

Subject: Find an exact match

SubjectStr: Find a partial match

Examples:

CCMCERTSEL="Subject:computer1.contoso.com": Search for a certificate with an exact match to the computer name computer1.contoso.com in the Subject Name or the Subject Alternative Name.

CCMCERTSEL="SubjectStr:contoso.com": Search for a certificate that contains contoso.com in the Subject Name or the Subject Alternative Name.

Use the SubjectAttr keyword to search for the Object Identifier (OID) or distinguished name attributes in the Subject Name or Subject Alternative Name.

Examples:

CCMCERTSEL="SubjectAttr:2.5.4.11 = Computers": Search for the organizational unit attribute expressed as an object identifier and named Computers.

CCMCERTSEL="SubjectAttr:OU = Computers": Search for the organizational unit attribute expressed as a distinguished name, and named Computers.

Important

If you use the Subject Name, the Subject keyword is case-sensitive, and the SubjectStr keyword is case-insensitive.

If you use the Subject Alternative Name, both the Subject and the SubjectStr keywords are case-insensitive.

For the complete list of attributes that you can use for certificate selection, see
Supported attribute values for PKI certificate selection criteria.

If more than one certificate matches the search, and you set CCMFIRSTCERT to 1 , then
the client installer selects the certificate with the longest validity period.
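An added example (not code from the Configuration Manager documentation or product) that models the CCMCERTSEL keywords and case rules above together with CCMFIRSTCERT, so an administrator can predict which certificate a machine's store would yield before choosing the value. It assumes Subject compares the CN only, that "longest validity period" means NotAfter minus NotBefore, that SubjectAttr values compare case-sensitively, and a small OID table; the certificate descriptions are constructed.

```powershell
# Added example; not from the Configuration Manager documentation or product.
# A simplified model of the CCMCERTSEL rules on this page: Subject is an exact
# match (case-sensitive against the Subject Name CN, case-insensitive against
# SAN DNS names), SubjectStr a partial case-insensitive match, SubjectAttr an
# OID or attribute-name match; with CCMFIRSTCERT=1 the longest validity period
# wins. Assumptions: Subject compares the CN only, "validity period" is
# NotAfter minus NotBefore, SubjectAttr values compare case-sensitively, and the
# OID table covers CN, C, O and OU. The certificates below are constructed.

$SubjectOidNames = @{ '2.5.4.3' = 'CN'; '2.5.4.6' = 'C'; '2.5.4.10' = 'O'; '2.5.4.11' = 'OU' }

function Get-SubjectAttribute {
    param([string]$Subject, [string]$Name)
    foreach ($frag in ($Subject -split ',\s*')) {
        $kv = $frag -split '=', 2
        if ($kv.Count -eq 2 -and $kv[0].Trim() -ieq $Name) { return $kv[1].Trim() }
    }
}

function Test-CcmCertSel {
    param([string]$Criteria, [pscustomobject]$Cert)
    $kind, $value = $Criteria -split ':', 2
    if (-not $value) { throw "CCMCERTSEL value '$Criteria' is not in keyword:value form." }
    $value = $value.Trim()
    $cn = Get-SubjectAttribute -Subject $Cert.Subject -Name 'CN'
    switch ($kind.Trim()) {
        'Subject' {
            # -ceq: case-sensitive on the Subject Name; -icontains: case-insensitive on the SAN.
            ($cn -ceq $value) -or ($Cert.San -icontains $value)
        }
        'SubjectStr' {
            $inSan = @($Cert.San | Where-Object { $_ -ilike "*$value*" }).Count -gt 0
            ($cn -ilike "*$value*") -or $inSan
        }
        'SubjectAttr' {
            $attr, $want = ($value -split '=', 2) | ForEach-Object { $_.Trim() }
            if ($SubjectOidNames.ContainsKey($attr)) { $attr = $SubjectOidNames[$attr] }
            (Get-SubjectAttribute -Subject $Cert.Subject -Name $attr) -ceq $want
        }
        default { throw "Unknown CCMCERTSEL keyword '$kind'." }
    }
}

function Select-CcmClientCert {
    param([string]$Criteria, [pscustomobject[]]$Certs, [int]$CcmFirstCert = 0)
    $hits = @($Certs | Where-Object { Test-CcmCertSel -Criteria $Criteria -Cert $_ })
    if ($hits.Count -le 1 -or $CcmFirstCert -ne 1) { return $hits }
    # Several matches and CCMFIRSTCERT=1: take the longest validity period.
    $hits | Sort-Object { $_.NotAfter - $_.NotBefore } -Descending | Select-Object -First 1
}

# Constructed certificate descriptions. On a device, build them from
# Get-ChildItem Cert:\LocalMachine\My (Subject, NotBefore, NotAfter and the DNS
# names in the Subject Alternative Name extension, OID 2.5.29.17).
$now = Get-Date
$certs = @(
    [pscustomobject]@{ Subject = 'CN=computer1.contoso.com, OU=Computers, O=Contoso'
                       San = @('computer1.contoso.com'); NotBefore = $now.AddDays(-30); NotAfter = $now.AddYears(1) }
    [pscustomobject]@{ Subject = 'CN=COMPUTER1.contoso.com, OU=Servers, O=Contoso'
                       San = @('computer1.contoso.com'); NotBefore = $now.AddDays(-1); NotAfter = $now.AddYears(2) }
)
# Both certificates match (the second only through its SAN), so CCMFIRSTCERT decides.
Select-CcmClientCert -Criteria 'Subject:computer1.contoso.com' -Certs $certs -CcmFirstCert 1
Select-CcmClientCert -Criteria 'SubjectAttr:2.5.4.11 = Computers' -Certs $certs
```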

CCMCERTSTORE

If the client installer can't locate a valid certificate in the default Personal certificate store
for the computer, use this property to specify an alternate certificate store name.

Example: CCMSetup.exe /UsePKICert CCMCERTSTORE="ConfigMgr"


CCMDEBUGLOGGING

This property enables debug logging when the client installs. This property causes the
client to log low-level information for troubleshooting. Avoid using this property in
production sites. Excessive logging can occur, which might make it difficult to find
relevant information in the log files. Also enable CCMENABLELOGGING.

Supported values:

0 : Turn off debug logging (default)

1 : Turn on debug logging

Example: CCMSetup.exe CCMDEBUGLOGGING=1

For more information, see About log files.

CCMENABLELOGGING

Configuration Manager enables logging by default.

Supported values:

TRUE : Turn on logging (default)

FALSE : Turn off logging

Example: CCMSetup.exe CCMENABLELOGGING=TRUE

For more information, see About log files.

CCMEVALINTERVAL

The frequency in minutes at which the client health evaluation tool (ccmeval.exe) runs.
Specify an integer value from 1 to 1440 . By default, ccmeval runs once a day (1440
minutes).

Example: CCMSetup.exe CCMEVALINTERVAL=1440

For more information on client health evaluation, see Monitor clients.

CCMEVALHOUR

The hour during the day when the client health evaluation tool (ccmeval.exe) runs.
Specify an integer value from 0 (midnight) to 23 (11:00 PM). By default, ccmeval runs at
midnight.

For more information on client health evaluation, see Monitor clients.

CCMFIRSTCERT

If you set this property to 1 , the client selects the PKI certificate with the longest validity
period.

Example: CCMSetup.exe /UsePKICert CCMFIRSTCERT=1

CCMHOSTNAME

If the client is managed over the internet, this property specifies the FQDN of the
internet-based management point.

Don't specify this option with the installation property of SMSSITECODE=AUTO . Directly
assign internet-based clients to an internet-based site.

Example: CCMSetup.exe /UsePKICert CCMHOSTNAME="SMSMP01.corp.contoso.com"

This property can specify the address of a cloud management gateway (CMG). To get the value for this property, use the following steps:

1. Create a CMG. For more information, see Set up a CMG.

2. On an active client, open a Windows PowerShell command prompt as an administrator.

3. Run the following command:

PowerShell

(Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate | Where-Object {$_.Type -eq "Internet"}).MP

4. Use the returned value as-is with the CCMHOSTNAME property.

For example: ccmsetup.exe CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057598037248100

Important

When you specify the address of a CMG for the CCMHOSTNAME property, don't append a prefix such as https://. Only use this prefix with the /mp URL of a CMG.
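An added example (not code from the Configuration Manager documentation or product) that ties together the /mp CMG URL, the /regtoken command line and the CCMHOSTNAME rule just described: it derives both values from the SMS_ActiveMPCandidate address, checks the bulk registration token's validity window before the command is built, and enforces the 1024-character CCMSETUPCMD limit for Intune. The site code, names and token are constructed samples; a sample token generator is included so it runs offline.

```powershell
# Added example; not from the Configuration Manager documentation or product.
# Derives the CMG-related values for a token-based (/regtoken) install: the
# SMS_ActiveMPCandidate address goes into /mp with an https:// prefix and into
# CCMHOSTNAME without one, the bulk registration token's nbf/exp claims are
# checked before use, and the CCMSETUPCMD string is kept under Intune's 1024
# character limit. Site code, names and the token below are constructed samples.

function Get-CmgAddress {
    # The same WMI query the page shows; returns the address without a scheme.
    (Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate |
        Where-Object { $_.Type -eq 'Internet' }).MP
}

function ConvertFrom-Base64Url {
    param([string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-RegistrationToken {
    # The bulk registration token is a JWT. Only its validity window is inspected
    # here; the signature is verified by the site, not by the device (assumption).
    param([string]$Token, [datetime]$Now = [datetime]::UtcNow)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Token is not a three-part JWT.' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $nbf = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.nbf).UtcDateTime
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    [pscustomobject]@{
        NotBefore = $nbf
        Expires   = $exp
        Valid     = ($Now -ge $nbf -and $Now -lt $exp)
    }
}

function New-CmgSetupCommand {
    param(
        [Parameter(Mandatory)][string]$CmgAddress,  # e.g. CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/<id>
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$MpFqdn,      # on-premises management point for SMSMP
        [Parameter(Mandatory)][string]$Token
    )
    $address = $CmgAddress -replace '^https?://', ''   # CCMHOSTNAME never carries a prefix
    $check = Test-RegistrationToken -Token $Token
    if (-not $check.Valid) {
        throw "Registration token is outside its validity window ($($check.NotBefore) to $($check.Expires) UTC)."
    }
    # Parameters first, then client.msi properties, as the page requires.
    $cmd = "/mp:https://$address /regtoken:$Token CCMHOSTNAME=$address SMSSITECODE=$SiteCode SMSMP=https://$MpFqdn"
    if ($cmd.Length -gt 1024) {
        throw "CCMSETUPCMD would be $($cmd.Length) characters; Intune limits it to 1024."
    }
    [pscustomobject]@{
        ManualCommand = "ccmsetup.exe $cmd"
        IntuneCommand = "ccmsetup.msi CCMSETUPCMD=`"$cmd`""
        TokenExpires  = $check.Expires
    }
}

function New-SampleToken {
    # Constructed, unsigned stand-in with the three-part JWT shape, for this example only.
    param([int]$ValidMinutes = 60)
    $now = [DateTimeOffset]::UtcNow
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    $header  = '{"typ":"JWT","alg":"RS256"}'
    $payload = '{"Type":"BulkRegistration","nbf":' + $now.ToUnixTimeSeconds() +
               ',"exp":' + $now.AddMinutes($ValidMinutes).ToUnixTimeSeconds() + '}'
    "$(& $enc $header).$(& $enc $payload).placeholder-signature"
}

# Constructed CMG address (on a device use Get-CmgAddress) with the page's sample id.
$cmg = 'CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500'
$setup = New-CmgSetupCommand -CmgAddress $cmg -SiteCode 'ABC' -MpFqdn 'mp1.contoso.com' -Token (New-SampleToken)
$setup.IntuneCommand
```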

CCMHTTPPORT

Specifies the port for the client to use when it communicates over HTTP to site system
servers. By default, this value is 80 .

Example: CCMSetup.exe CCMHTTPPORT=80

CCMHTTPSPORT

Specifies the port for the client to use when it communicates over HTTPS to site system
servers. By default, this value is 443 .

Example: CCMSetup.exe /UsePKICert CCMHTTPSPORT=443

CCMINSTALLDIR

Use this property to set the folder to install the Configuration Manager client files. By
default, it uses %WinDir%\CCM .

Tip

Regardless of where you install the client files, it always installs the ccmcore.dll file in the %WinDir%\System32 folder. On a 64-bit OS, it installs a copy of ccmcore.dll in the %WinDir%\SysWOW64 folder. This file supports 32-bit applications that use the 32-bit version of the client APIs from the Configuration Manager SDK.

Example: CCMSetup.exe CCMINSTALLDIR="C:\ConfigMgr"

CCMLOGLEVEL

Use this property to specify the level of detail to write to Configuration Manager log
files.

Supported values:

0 : Verbose

1 : Default

2 : Warnings and errors

3 : Errors only

Example: CCMSetup.exe CCMLOGLEVEL=0

For more information, see About log files.

CCMLOGMAXHISTORY

When a Configuration Manager log file reaches the maximum size, the client renames it
as a backup and creates a new log file. This property specifies how many previous
versions of the log file to keep. The default value is 1 . If you set the value to 0 , the
client doesn't keep any log file history.

Example: CCMSetup.exe CCMLOGMAXHISTORY=5

For more information, see About log files.

CCMLOGMAXSIZE

This property specifies the maximum log file size in bytes. When a log grows to the
specified size, the client renames it as a history file, and creates a new one. The default
size is 250,000 bytes, and the minimum size is 10,000 bytes.

Example: CCMSetup.exe CCMLOGMAXSIZE=300000 (300,000 bytes)

DISABLESITEOPT

Set this property to TRUE to block administrators from changing the assigned site in the
Configuration Manager control panel.

Example: CCMSetup.exe DISABLESITEOPT=TRUE

DISABLECACHEOPT

If set to TRUE, this property prevents administrative users from changing the client cache folder settings in the Configuration Manager control panel.

Example: CCMSetup.exe DISABLECACHEOPT=TRUE

DNSSUFFIX

Specify a DNS domain for clients to locate management points that you publish in DNS. When the client locates a management point, it tells the client about other management points in the hierarchy. This behavior means that the management point that the client finds from DNS can be any one in the hierarchy.

Note

You don't have to specify this property if the client is in the same domain as a published management point. In that case, the client's domain is automatically used to search DNS for management points.

For more information about DNS publishing as a service location method for Configuration Manager clients, see Service location and how clients determine their assigned management point.

Note

By default, Configuration Manager doesn't enable DNS publishing.

Example: CCMSetup.exe SMSSITECODE=ABC DNSSUFFIX=contoso.com

FSP

Specify the fallback status point that receives and processes state messages sent by
Configuration Manager clients.

For more information, see Determine if you need a fallback status point.

Example: CCMSetup.exe FSP=SMSFP01

IGNOREAPPVVERSIONCHECK

If you set this property to TRUE , the client installer doesn't check the minimum required
version of Microsoft Application Virtualization (App-V).

Important

If you install the Configuration Manager client without installing App-V, you can't deploy virtual applications.

Example: CCMSetup.exe IGNOREAPPVVERSIONCHECK=TRUE

MANAGEDINSTALLER

If you set this property to 1 then ccmsetup.exe and client.msi are set as managed
installers. For more information, see Automatically allow apps deployed by a managed
installer with Windows Defender Application Control.

Example: CCMSetup.exe MANAGEDINSTALLER=1

NOTIFYONLY

When you enable this property, the client reports status, but doesn't remediate
problems that it finds.

Example: CCMSetup.exe NOTIFYONLY=TRUE

For more information, see How to configure client status.

PROVISIONTS

Use this property to start a task sequence on a client after it successfully registers with
the site.

Note

If the task sequence installs software updates or applications, clients need a valid client authentication certificate. Token authentication alone doesn't work.

For example, you provision a new Windows device with Windows Autopilot, auto-enroll
it to Microsoft Intune, and then install the Configuration Manager client for co-
management. If you specify this new option, the newly provisioned client then runs a
task sequence. This process gives you additional flexibility to install applications and
software updates, or configure settings.

Use the following process:

1. Create a non-OS deployment task sequence to install apps, install software updates, and configure settings.

2. Deploy this task sequence to the new built-in collection, All Provisioning Devices. Note the task sequence deployment ID, for example PRI20001.

Tip

The deployment's purpose can be either available or required. Since you specify the deployment ID as the property value, the purpose doesn't matter.

3. Install the Configuration Manager client on a device using ccmsetup.msi, and include the following property: PROVISIONTS=PRI20001. Set the value of this property as the task sequence deployment ID.

If you're installing the client from Intune during co-management enrollment, see How to prepare internet-based devices for co-management.

Note

This method may have additional prerequisites. For example, enrolling the site to Azure Active Directory, or creating a content-enabled cloud management gateway.

Regardless of the method, only use this property with ccmsetup.msi.

After the client installs and properly registers with the site, it starts the referenced task sequence. If client registration fails, the task sequence won't start.

Note

The task sequence launched by PROVISIONTS uses the Default Client Settings. This task sequence starts immediately after the client registers, so it won't be part of any collection to which you've deployed custom client settings. The client doesn't process or apply custom client settings before this task sequence runs.

For the task sequence to work properly, you may need to change certain settings in the Default Client Settings. For example:

Cloud Services group: Enable clients to use a cloud management gateway and Allow access to cloud distribution point

Computer Agent group: PowerShell execution policy

If devices don't need these client settings after the task sequence completes, deploy new custom client settings to reverse the default settings.

For more information, see About client settings.


RESETKEYINFORMATION

If a client has the wrong Configuration Manager trusted root key, it can't contact a
trusted management point to receive the new trusted root key. Use this property to
remove the old trusted root key. This situation may occur when you move a client from
one site hierarchy to another. This property applies to clients that use HTTP and HTTPS
client communication. For more information, see Planning for the trusted root key.

Example: CCMSetup.exe RESETKEYINFORMATION=TRUE

SITEREASSIGN

Enables automatic site reassignment for client upgrades when used with
SMSSITECODE=AUTO.

Example: CCMSetup.exe SMSSITECODE=AUTO SITEREASSIGN=TRUE

SMSCACHEDIR

Specifies the location of the client cache folder on the client computer. By default, the cache location is %WinDir%\ccmcache.

Example: CCMSetup.exe SMSCACHEDIR="C:\Temp"

Use this property with the SMSCACHEFLAGS property to control the client cache folder location. For example, to install the client cache folder on the largest available client disk drive: CCMSetup.exe SMSCACHEDIR=Cache SMSCACHEFLAGS=MAXDRIVE

SMSCACHEFLAGS

Use this property to specify further installation details for the client cache folder. You can use SMSCACHEFLAGS properties individually or in combination separated by semicolons (;).

If you don't include this property:

The client installs the cache folder according to the SMSCACHEDIR property

The folder isn't compressed

The client uses the SMSCACHESIZE property as the size limit in MB of the cache

When you upgrade an existing client, the client installer ignores this property.

Values for the SMSCACHEFLAGS property

PERCENTDISKSPACE: Set the cache size as a percentage of the total disk space. If you specify this property, also set SMSCACHESIZE to a percentage value.

PERCENTFREEDISKSPACE: Set the cache size as a percentage of the free disk space. If you specify this property, also set SMSCACHESIZE as a percentage value. For example, the disk has 10 MB free, and you specify SMSCACHESIZE=50. The client installer sets the cache size to 5 MB. You can't use this property with the PERCENTDISKSPACE property.

MAXDRIVE: Install the cache on the largest available disk. If you specify a path with the SMSCACHEDIR property, the client installer ignores this value.

MAXDRIVESPACE: Install the cache on the disk drive with the most free space. If you specify a path with the SMSCACHEDIR property, the client installer ignores this value.

NTFSONLY: Only install the cache on an NTFS-formatted disk drive. If you specify a path with the SMSCACHEDIR property, the client installer ignores this value.

COMPRESS: Store the cache in a compressed form.

FAILIFNOSPACE: If there's insufficient space to install the cache, remove the Configuration Manager client.

Example: CCMSetup.exe SMSCACHEFLAGS=NTFSONLY;COMPRESS

SMSCACHESIZE

Important

Client settings are available for specifying the client cache folder size. The addition of those client settings effectively replaces using SMSCACHESIZE as a client.msi property to specify the size of the client cache. For more information, see the client settings for cache size.

When you upgrade an existing client, the client installer ignores this setting. The client also ignores the cache size when it downloads software updates.

Example: CCMSetup.exe SMSCACHESIZE=100

Note

If you reinstall a client, you can't use SMSCACHESIZE or SMSCACHEFLAGS to set the cache size to be smaller than it was previously. The previous size is the minimum value.
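
The cache rules above (drive-selection flags ignored when SMSCACHEDIR is a full path, percentage sizing, the reinstall minimum, FAILIFNOSPACE) are easy to get wrong in combination. The following Python model is added here as an example and is not Microsoft's code; it applies only the rules stated in this section to a constructed disk table. The disk figures, the folder layout for a bare SMSCACHEDIR name, the assumption that %WinDir% is on C:, and the function names are all assumptions of the example.

```python
"""Added example (not Microsoft's code): model how SMSCACHEDIR, SMSCACHEFLAGS and
SMSCACHESIZE interact, using only the rules the documentation states.  The disk
table, folder layout and function names are constructed for this example."""

PERCENT_FLAGS = {"PERCENTDISKSPACE", "PERCENTFREEDISKSPACE"}
DRIVE_FLAGS = {"MAXDRIVE", "MAXDRIVESPACE", "NTFSONLY"}
KNOWN_FLAGS = PERCENT_FLAGS | DRIVE_FLAGS | {"COMPRESS", "FAILIFNOSPACE"}

# Constructed disk table: drive letter -> (total MB, free MB, file system).
SAMPLE_DISKS = {"C": (100_000, 20_000, "NTFS"),
                "D": (500_000, 50_000, "NTFS"),
                "E": (250_000, 200_000, "FAT32")}


def parse_cache_flags(value):
    """Split a semicolon-separated SMSCACHEFLAGS value into a set of flags.
    Raises ValueError for an unknown flag or for the documented invalid pair."""
    flags = {f.strip().upper() for f in value.split(";") if f.strip()}
    unknown = flags - KNOWN_FLAGS
    if unknown:
        raise ValueError(f"unknown SMSCACHEFLAGS value(s): {sorted(unknown)}")
    if PERCENT_FLAGS <= flags:
        raise ValueError("PERCENTDISKSPACE and PERCENTFREEDISKSPACE can't be combined")
    return flags


def flags_are_valid(value):
    """True when parse_cache_flags() accepts the value."""
    try:
        parse_cache_flags(value)
        return True
    except ValueError:
        return False


def plan_cache(cache_dir=None, cache_flags="", cache_size=0, *, disks,
               previous_size_mb=None):
    """Work out where the cache lands and how large it is.

    disks: {drive_letter: (total_mb, free_mb, filesystem)} (constructed input).
    cache_size: the SMSCACHESIZE value (MB, or a percentage with a PERCENT* flag).
    previous_size_mb: size of an existing cache on reinstall (documented minimum).
    """
    flags = parse_cache_flags(cache_flags)
    notes = []
    explicit_path = bool(cache_dir) and ":" in cache_dir
    if explicit_path and flags & DRIVE_FLAGS:
        notes.append("SMSCACHEDIR is a full path; MAXDRIVE/MAXDRIVESPACE/NTFSONLY ignored")
        flags -= DRIVE_FLAGS

    candidates = dict(disks)
    if "NTFSONLY" in flags:
        candidates = {d: v for d, v in candidates.items() if v[2].upper() == "NTFS"}
        if not candidates:
            raise ValueError("NTFSONLY set but no NTFS-formatted drive is available")
    if "MAXDRIVE" in flags:
        drive = max(candidates, key=lambda d: candidates[d][0])       # largest disk
    elif "MAXDRIVESPACE" in flags:
        drive = max(candidates, key=lambda d: candidates[d][1])       # most free space
    elif explicit_path:
        drive = cache_dir[0].upper()
    else:
        drive = "C" if "C" in candidates else next(iter(candidates))  # assumption: %WinDir% on C:
    total_mb, free_mb, _ = disks[drive]
    if explicit_path:
        folder = cache_dir
    elif cache_dir:
        folder = f"{drive}:\\{cache_dir}"          # assumption: bare name becomes a root-level folder
    else:
        folder = f"{drive}:\\Windows\\ccmcache"    # the documented %WinDir%\ccmcache default

    if "PERCENTDISKSPACE" in flags:
        size_mb = total_mb * cache_size // 100
    elif "PERCENTFREEDISKSPACE" in flags:
        size_mb = free_mb * cache_size // 100       # 10 MB free and 50 -> 5 MB, as documented
    else:
        size_mb = cache_size
    if previous_size_mb is not None and size_mb < previous_size_mb:
        notes.append(f"reinstall can't shrink the cache; keeping {previous_size_mb} MB")
        size_mb = previous_size_mb

    outcome = "installed"
    if size_mb > free_mb:
        outcome = ("client removed (FAILIFNOSPACE)" if "FAILIFNOSPACE" in flags
                   else "installed; cache limit exceeds free space")
    return {"folder": folder, "size_mb": size_mb, "compressed": "COMPRESS" in flags,
            "outcome": outcome, "notes": notes}


if __name__ == "__main__":
    print(plan_cache("Cache", "MAXDRIVESPACE;NTFSONLY", 5120, disks=SAMPLE_DISKS))
```

Run it before settling on a command line: plan_cache("Cache", "MAXDRIVESPACE;NTFSONLY", 5120, disks=SAMPLE_DISKS) shows the cache landing on the NTFS drive with the most free space (D: in the sample table, since E: is FAT32), while passing an explicit C:\Temp together with MAXDRIVE reports that the drive flag is ignored.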

SMSCONFIGSOURCE

Use this property to specify the location and order that the client installer checks for configuration settings. It's a string of one or more characters, each defining a specific configuration source:

R: Check for configuration settings in the registry. For more information, see Provision client installation properties.

P: Check for configuration settings in the installation properties from the command line.

M: Check for existing settings when you upgrade an older client.

U: Upgrade the installed client to a newer version and use the assigned site code.

By default, the client installer uses PU. It first checks the installation properties (P) and then the existing settings (U).

Example: CCMSetup.exe SMSCONFIGSOURCE=RP

SMSMP

Specifies an initial management point for the Configuration Manager client to use.

Important

If the management point only accepts client connections over HTTPS, prefix the management point name with https://.

Examples:

CCMSetup.exe SMSMP=smsmp01.contoso.com

CCMSetup.exe SMSMP=https://smsmp01.contoso.com

SMSMPLIST

Specifies a list of management points for the Configuration Manager client to use. Use a semicolon (;) as the delimiter when specifying multiple management points.

Important

If the management point only accepts client connections over HTTPS, prefix the management point name with https://.

Examples:

CCMSetup.exe SMSMPLIST=https://smsmp01.contoso.com;https://smsmp02.contoso.com;smsmp03.contoso.com

CCMSetup.exe SMSMPLIST=https://smsmp01.contoso.com;smsmp02.contoso.com;smsmp03.contoso.com

SMSPUBLICROOTKEY

If the client can't get the Configuration Manager trusted root key from Active Directory
Domain Services, use this property to specify the key. This property applies to clients
that use HTTP and HTTPS communication. For more information, see Planning for the
trusted root key.

Example: CCMSetup.exe SMSPUBLICROOTKEY=<keyvalue>

Tip

Get the value for the site's trusted root key from the mobileclient.tcf file on the site server. For more information, see Pre-provision a client with the trusted root key by using a file.

SMSROOTKEYPATH

Use this property to reinstall the Configuration Manager trusted root key. It specifies the full path and name of a file that contains the trusted root key. This property applies to clients that use HTTP and HTTPS client communication. For more information, see Planning for the trusted root key.

Example: CCMSetup.exe SMSROOTKEYPATH=C:\folder\trk

SMSSIGNCERT

Specifies the full path and name of the exported self-signed certificate on the site server.
The site server stores this certificate in the SMS certificate store. It has the Subject name
Site Server and the friendly name Site Server Signing Certificate.

Export the certificate without the private key, store the file securely, and access it only
from a secured channel.

Example: CCMSetup.exe /UsePKICert SMSSIGNCERT=C:\folder\smssign.cer

SMSSITECODE

This property specifies a Configuration Manager site to which you assign the client. This value can either be a three-character site code or the word AUTO. If you specify AUTO, or don't specify this property, the client attempts to determine its site assignment from Active Directory Domain Services or from a specified management point. To enable AUTO for client upgrades, also set SITEREASSIGN=TRUE.

Note

If you also specify an internet-based management point with the CCMHOSTNAME property, don't use AUTO with SMSSITECODE. Directly assign the client to its site by specifying the site code.

Example: CCMSetup.exe SMSSITECODE=XZY
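
Several of the properties described above only work in particular combinations: SMSSITECODE must be a three-character code or AUTO, AUTO must not be combined with CCMHOSTNAME, AUTO only takes effect on upgrade together with SITEREASSIGN=TRUE, an HTTPS-only management point in SMSMP or SMSMPLIST needs the https:// prefix, and SMSCONFIGSOURCE is a string built from the characters R, P, M and U. The Python checker below is an added example, not Microsoft's code and not CCMSetup's own validation: the tokenizer, the messages and the function names are its own, and it reads only the command line, not the site.

```python
"""Added example (not Microsoft's code): tokenize a CCMSetup.exe command line and
check the property combinations that the SMSSITECODE, SITEREASSIGN, SMSMP,
SMSMPLIST and SMSCONFIGSOURCE descriptions call out.  The checks and messages
are this example's own."""
import re

# Meaning of each SMSCONFIGSOURCE character, from the documentation.
CONFIG_SOURCES = {
    "R": "registry",
    "P": "command-line installation properties",
    "M": "existing settings of the older client",
    "U": "upgrade installed client and use the assigned site code",
}
# Whitespace-separated tokens; a double-quoted run (e.g. a path with spaces) stays together.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def parse_ccmsetup_args(command_line):
    """Return (switches, properties): '/Switch' tokens in order, and NAME=VALUE
    properties with upper-cased names and surrounding quotes removed."""
    switches, props = [], {}
    for token in _TOKEN.findall(command_line)[1:]:      # token[0] is CCMSetup.exe itself
        if token.startswith("/"):
            switches.append(token)
        elif "=" in token:
            name, value = token.split("=", 1)
            props[name.upper()] = value.replace('"', "")
        else:
            raise ValueError(f"unrecognised token: {token!r}")
    return switches, props


def lint_ccmsetup(command_line):
    """Apply the documented rules and return findings plus the parsed pieces."""
    switches, props = parse_ccmsetup_args(command_line)
    errors, warnings = [], []

    site = props.get("SMSSITECODE", "").upper()
    if site and site != "AUTO" and len(site) != 3:
        errors.append(f"SMSSITECODE must be a three-character site code or AUTO, not {site!r}")
    if site == "AUTO" and "CCMHOSTNAME" in props:
        errors.append("don't use SMSSITECODE=AUTO with CCMHOSTNAME; assign the site code directly")
    if site == "AUTO" and props.get("SITEREASSIGN", "").upper() != "TRUE":
        warnings.append("SMSSITECODE=AUTO only reassigns upgraded clients when SITEREASSIGN=TRUE")

    # Management points: record which entries carry the https:// prefix, because an
    # HTTPS-only management point has to be given with it.
    management_points = []
    for name in ("SMSMP", "SMSMPLIST"):
        for entry in filter(None, props.get(name, "").split(";")):
            https = entry.lower().startswith("https://")
            management_points.append((entry[len("https://"):] if https else entry, https))

    source = props.get("SMSCONFIGSOURCE", "PU").upper()     # PU is the documented default
    unknown = [c for c in source if c not in CONFIG_SOURCES]
    if unknown:
        errors.append(f"SMSCONFIGSOURCE contains unknown source(s): {unknown}")
    order = [CONFIG_SOURCES[c] for c in source if c in CONFIG_SOURCES]

    return {"switches": switches, "properties": props, "errors": errors,
            "warnings": warnings, "management_points": management_points,
            "config_source_order": order}


if __name__ == "__main__":
    import json
    print(json.dumps(lint_ccmsetup(
        "CCMSetup.exe SMSSITECODE=AUTO CCMHOSTNAME=cmg.contoso.com"), indent=2))
```

The management_points list is informational: an entry without the https:// prefix is valid for an HTTP management point, so the checker reports the scheme per entry rather than flagging it as an error.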

UPGRADETOLATEST

This property forces CCMSetup to send a location request to the management point to
get the latest version of the Configuration Manager client installation source. There are
several scenarios where this property is especially useful:

Pre-production clients. A newly installed client uses the production baseline because it can't evaluate the pre-production collection until the client is installed. In that scenario, after the client is installed and it evaluates policy, it will later upgrade to the pre-production client version. Use this property so that the device immediately installs the latest version of the client.

This scenario also includes when using Autopilot into co-management. Use this property to make sure the newly provisioned Autopilot device uses the pre-production client version right away.

Pull distribution points. Allow pull distribution points to install the latest client version even if it's not in the pre-production collection. This action makes sure that the client version on the pull distribution point is the same as the distribution point binaries. If these versions aren't the same, it may cause issues.

Attribute values for certificate selection criteria

Configuration Manager supports the following attribute values for the PKI certificate selection criteria:

OID attribute                 Distinguished Name attribute   Attribute definition
0.9.2342.19200300.100.1.25    DC                             Domain component
1.2.840.113549.1.9.1          E or E-mail                    Email address
2.5.4.3                       CN                             Common name
2.5.4.4                       SN                             Subject name
2.5.4.5                       SERIALNUMBER                   Serial number
2.5.4.6                       C                              Country code
2.5.4.7                       L                              Locality
2.5.4.8                       S or ST                        State or province name
2.5.4.9                       STREET                         Street address
2.5.4.10                      O                              Organization name
2.5.4.11                      OU                             Organizational unit
2.5.4.12                      T or Title                     Title
2.5.4.42                      G or GN or GivenName           Given name
2.5.4.43                      I or Initials                  Initials
2.5.29.17                     (no value)                     Subject Alternative Name
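
To see how the table is used, the following Python example (added here; not Microsoft's code) maps any of the listed Distinguished Name attribute names or OIDs to a single OID, parses hand-written subject strings, and returns which of several constructed certificates satisfy one attribute/value criterion. The certificate subjects are constructed strings, the Subject Alternative Name row is handled as a separate list because it's an extension rather than a subject attribute, and the case-insensitive exact match is this example's simplification of the product's selection criteria.

```python
"""Added example (not Microsoft's code): normalise the Distinguished Name attribute
names from the documentation's table to their OIDs, parse hand-written certificate
subjects, and pick the certificates that satisfy one attribute/value criterion.
The subjects are constructed strings; no certificate files are parsed."""
import re

# OID -> (attribute definition, accepted Distinguished Name attribute names), from the table.
ATTRIBUTE_TABLE = {
    "0.9.2342.19200300.100.1.25": ("Domain component", ("DC",)),
    "1.2.840.113549.1.9.1": ("Email address", ("E", "E-mail")),
    "2.5.4.3": ("Common name", ("CN",)),
    "2.5.4.4": ("Subject name", ("SN",)),
    "2.5.4.5": ("Serial number", ("SERIALNUMBER",)),
    "2.5.4.6": ("Country code", ("C",)),
    "2.5.4.7": ("Locality", ("L",)),
    "2.5.4.8": ("State or province name", ("S", "ST")),
    "2.5.4.9": ("Street address", ("STREET",)),
    "2.5.4.10": ("Organization name", ("O",)),
    "2.5.4.11": ("Organizational unit", ("OU",)),
    "2.5.4.12": ("Title", ("T", "Title")),
    "2.5.4.42": ("Given name", ("G", "GN", "GivenName")),
    "2.5.4.43": ("Initials", ("I", "Initials")),
}
SAN_OID = "2.5.29.17"          # Subject Alternative Name: an extension, not a DN attribute
NAME_TO_OID = {n.upper(): oid for oid, (_, names) in ATTRIBUTE_TABLE.items() for n in names}


def to_oid(attribute):
    """Accept an OID or any DN attribute name from the table and return the OID."""
    if re.fullmatch(r"\d+(?:\.\d+)+", attribute):
        if attribute in ATTRIBUTE_TABLE or attribute == SAN_OID:
            return attribute
        raise ValueError(f"OID {attribute} isn't a supported selection attribute")
    try:
        return NAME_TO_OID[attribute.upper()]
    except KeyError:
        raise ValueError(f"unsupported attribute name {attribute!r}") from None


def parse_subject(subject):
    """Parse 'CN=a, OU=b, DC=c' into {oid: [values in RDN order]}.
    A value may be double-quoted so that it can contain commas."""
    attrs = {}
    for name, raw in re.findall(r'([A-Za-z0-9.\-]+)\s*=\s*("[^"]*"|[^,]*)', subject):
        try:
            key = to_oid(name)
        except ValueError:
            key = name.upper()        # attribute outside the documented table: keep as-is
        attrs.setdefault(key, []).append(raw.strip().strip('"'))
    return attrs


def select_certificates(certs, attribute, value):
    """certs: {label: {"subject": str, "san": [str, ...] (optional)}}.
    Return the labels whose subject (or SAN list, for 2.5.29.17) holds `value`."""
    oid = to_oid(attribute)
    wanted = value.lower()
    chosen = []
    for label, cert in certs.items():
        if oid == SAN_OID:
            values = cert.get("san", [])
        else:
            values = parse_subject(cert["subject"]).get(oid, [])
        if any(v.lower() == wanted for v in values):
            chosen.append(label)
    return chosen


# Constructed store of three certificate subjects a client might hold at once.
SAMPLE_CERTS = {
    "workstation": {"subject": "CN=ws01.contoso.com, OU=Workstations, DC=contoso, DC=com"},
    "user": {"subject": "E=mnorth@contoso.com, CN=Mike North, OU=Users, DC=contoso, DC=com"},
    "server": {"subject": "CN=srv01.contoso.com, OU=Servers, DC=contoso, DC=com",
               "san": ["srv01.contoso.com", "srv01"]},
}

if __name__ == "__main__":
    print(select_certificates(SAMPLE_CERTS, "OU", "Workstations"))   # ['workstation']
```

A criterion on the organizational unit (OU or 2.5.4.11) singles out the workstation certificate even though all three certificates share the same DC values, which is why a criterion on a shared attribute such as DC is not selective enough when a client holds more than one valid certificate.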

Client push installation


If you use the client push installation method, use the following options on the Client tab of the Client Push Installation Properties in the Configuration Manager console:

Any of the Client.msi properties

The following subset of CCMSetup.exe command-line parameters is allowed for client push:

/AllowMetered (starting in version 2103)

/AlwaysExcludeUpgrade

/BITSPriority

/downloadtimeout

/ExcludeFeatures

/forcereboot

/logon

/skipprereq

/UsePKICert

About client installation properties published to Active Directory Domain Services
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When you extend the Active Directory schema for Configuration Manager, and the site
is published to Active Directory Domain Services, many client installation properties are
published to Active Directory Domain Services. If a computer can locate these client
installation properties, it can use them during Configuration Manager client deployment.

The advantages of using Active Directory Domain Services to publish client installation
properties include the following:

Software update point-based client installations and Group Policy client installations do not require setup parameters to be set up on each computer.

Because this information is automatically generated, the risk of human error associated with manually entering installation properties is eliminated.

Note

For more information about how to extend the Active Directory schema for Configuration Manager, and how to publish a site, see Schema extensions for Configuration Manager.

Client installation properties published to Active Directory Domain Services

The following is a list of client installation properties. For more information about each item listed below, see About client installation properties.

The Configuration Manager site code.

The site server signing certificate.

The trusted root key.

The client communication ports for HTTP and HTTPS.

The fallback status point. If the site has multiple fallback status points, only the first one that was installed is published to Active Directory Domain Services.

A setting to indicate that the client must communicate by using HTTPS only.

Settings related to PKI certificates:

Whether to use a client PKI certificate.

The selection criteria for certificate selection. This may be required because the
client has more than one valid PKI certificate that can be used for Configuration
Manager.

A setting to determine which certificate to use if the client has multiple valid
certificates after the certificate selection process.

The certificate issuers list that contains a list of trusted root CA certificates.

Client.msi installation properties that are specified in the Client tab of the Client
Push Installation Properties dialog box.

Client installation (CCMSetup) uses the properties that are published to Active Directory
Domain Services only if no other properties are specified by using either of the
following:

The manual installation method (described later in this article)

The Group Policy installation method (described later in this article)

Note

The client installation properties are used to install the client. These properties
might be overwritten with new settings from its assigned site after the client is
installed and has successfully been assigned to a Configuration Manager site.

Use the details in the following sections to determine which Configuration Manager
client installation methods use Active Directory Domain Services to obtain client
installation properties.

Client push installation


Client push installation does not use Active Directory Domain Services to obtain installation properties. Instead, you can specify client installation properties in the Installation Properties tab of the Client Push Installation Properties dialog box. These options and client-related site settings are stored in a file that the client reads during client installation.

Note

You do not have to specify any CCMSetup properties for client push installation, or the fallback status point, or the trusted root key in the Installation Properties tab. These settings are automatically supplied to clients when they are installed by using client push installation.

In addition to Client.msi properties, CCMSetup supports the following parameters: /forcereboot, /skipprereq, /logon, /BITSPriority, /downloadtimeout, /forceinstall

Any properties that you specify in the Installation Properties tab are published to Active
Directory Domain Services if the site is published to Active Directory Domain Services.
These settings are read by client installations where CCMSetup is run with no installation
properties.

Software update point-based installation


The software update point-based installation method does not support the addition of
installation properties to the CCMSetup command line.

If no command line properties have been provisioned on the client computer by using
Group Policy, CCMSetup searches Active Directory Domain Services for installation
properties.

Group Policy installation


The Group Policy installation method does not support the addition of installation
properties to the CCMSetup command line.

If no command line properties have been provisioned on the client computer, CCMSetup searches Active Directory Domain Services for installation properties.

Manual installation

CCMSetup searches Active Directory Domain Services for installation properties under the following circumstances:

No command line properties are specified after the CCMSetup.exe command.

The computer has not been provisioned with installation properties by using Group Policy.

Logon script installation


CCMSetup searches Active Directory Domain Services for installation properties under
the following circumstances:

No command line properties are specified after the CCMSetup.exe command.

The computer has not been provisioned with installation properties by using
Group Policy.

Software distribution installation


CCMSetup searches Active Directory Domain Services for installation properties under
the following circumstances:

No command line properties are specified after the CCMSetup.exe command.

The computer has not been provisioned with installation properties by using
Group Policy.

Installations for clients that cannot access Active Directory Domain Services

These client computers cannot read or access the published installation properties from Active Directory Domain Services.

These clients include:

Workgroup computers.

Clients that are assigned to a Configuration Manager site that is not published to
Active Directory Domain Services.

Clients that are installed when they are on the Internet.


Prepare to deploy client software to
Macs
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in January 2022, this feature of Configuration Manager is deprecated. For more information, see Mac computers.

Follow these steps to make sure that you're ready to deploy the Configuration Manager
client to Mac computers.

For the list of supported versions, see Supported operating systems for clients and
devices.

Certificate requirements

Client installation and management for Mac computers requires public key
infrastructure (PKI) certificates. PKI certificates secure the communication between the
Mac computers and the Configuration Manager site by using mutual authentication and
encrypted data transfers. Configuration Manager can request and install a user client
certificate. It uses Certificate Services with an enterprise certification authority, and the
Configuration Manager enrollment point and enrollment proxy point. You can also
request and install a computer certificate independently from Configuration Manager.
This certificate must meet the Configuration Manager certificate requirements.

Configuration Manager Mac clients always check for certificate revocation. You can't
disable this function.

If Mac clients can't locate the certificate revocation list (CRL), they can't connect to
Configuration Manager site systems. Especially for Mac clients in a different forest to the
issuing certification authority, check your CRL design. Make sure that Mac clients can
locate and download a CRL.

Before you install the Configuration Manager client on a Mac computer, decide how to install the client certificate:

Use Configuration Manager enrollment by using the CMEnroll tool. The enrollment process doesn't support automatic certificate renewal. Re-enroll Mac computers before the certificate expires.

Use a certificate request and installation method that's independent from Configuration Manager.

For more information about Mac client certificate requirements, see PKI certificate
requirements for Configuration Manager.

Mac clients are automatically assigned to the Configuration Manager site that manages
them. Mac clients install as internet-only clients, even if communication is restricted to
the intranet. This configuration means that they communicate with internet-enabled
management points and distribution points in their assigned site. Mac computers don't
communicate with site systems outside their assigned site.

Important

The Configuration Manager client for macOS can't be used to connect to a management point that's configured to use a database replica.

Deploy a web server certificate to site system servers

If these site systems don't have it, deploy a web server certificate to the computers that have these site system roles:

Management point

Distribution point

Enrollment point

Enrollment proxy point

The web server certificate must include the internet FQDN that's specified in the site
system properties. The server doesn't have to be accessible from the internet to support
Mac computers. If you don't require internet-based client management, you can specify
the intranet FQDN value for the internet FQDN.

Specify the site system's internet FQDN value in the web server certificate for the management point, the distribution point, and the enrollment proxy point.

For an example deployment, see Deploying the web server certificate for site systems that run IIS.

Deploy a client authentication certificate to site system servers

If these site systems don't have it, deploy a client authentication certificate to the computers that host these site system roles:

Management point

Distribution point

For an example deployment that creates and installs the client certificate for
management points, see the Deploying the client certificate for Windows computers.

For an example deployment that creates and installs the client certificate for distribution
points, see the Deploying the client certificate for distribution points.

Important

To deploy the client to devices running macOS Sierra, the subject name of the management point certificate must be configured correctly. For example, use the FQDN of the management point server.

Prepare the client certificate template for Macs

The certificate template must have Read and Enroll permissions for the user account that enrolls the certificate on the Mac computer.

For more information, see Deploying the client certificate for Mac computers.

Configure the management point and distribution point

Configure management points for the following options:

HTTPS

Allow client connections from the internet. This configuration value is required to
manage Mac computers. However, it doesn't mean that site system servers must
be accessible from the internet.

Allow mobile devices and Mac computers to use this management point

Distribution points aren't required to install the client for Mac. If you want to deploy
software to these computers after you install the client, configure distribution points to
allow client connections from the internet.

To configure management points and distribution points to support Macs

Before you start this procedure, make sure to configure the management point and distribution point with an internet FQDN. If these servers don't support internet-based client management, specify the intranet FQDN as the internet FQDN value.

The site system roles must be in a primary site.

1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Servers and Site System Roles node. Then select the server that has the right site system roles.

2. In the details pane, select the Management point role, and select Properties in the ribbon. In the Management point Properties window, configure these options:

a. Choose HTTPS.

b. Choose Allow internet-only client connections or Allow intranet and internet client connections. These options require an internet or intranet FQDN.

c. Choose Allow mobile devices and Mac computers to use this management
point.

d. Select OK to save this configuration.

3. In the details pane of the Server and Site System Roles node, select the
Distribution point role, and select Properties in the ribbon. In the Distribution
point Properties window, configure these options:

Choose HTTPS.

Choose Allow internet-only client connections or Allow intranet and internet client connections. These options require an internet or intranet FQDN.

Choose Import certificate, browse to the exported client distribution point certificate file, and then specify the password.

4. Repeat this procedure for all management points and distribution points in primary sites that manage Mac computers.

Configure the enrollment proxy point and the enrollment point

Install both roles in the same site. You don't have to install them on the same site system server, or in the same Active Directory forest.

For more information about site system role placement and considerations, see Site
system roles.

To add the site system roles to support Mac computers, see Install site system roles.

On the System Role Selection page, select Enrollment proxy point and Enrollment
point from the list of available roles.

Install the reporting services point

For more information, see Install the reporting services point.

Next steps

Deploy the Configuration Manager client to Mac computers

How to deploy clients to Macs
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in January 2022, this feature of Configuration Manager is deprecated. For more information, see Mac computers.

This article describes how to deploy and maintain the Configuration Manager client on
Mac computers. To learn about what you have to configure before deploying clients to
Mac computers, see Prepare to deploy client software to Macs.

When you install a new client for Mac computers, you might have to also install
Configuration Manager updates to reflect the new client information in the
Configuration Manager console.

In these procedures, you have two options for installing client certificates. Read more
about client certificates for Macs in Prepare to deploy client software to Macs.

Use Configuration Manager enrollment by using the CMEnroll tool. The enrollment process doesn't support automatic certificate renewal. Re-enroll the Mac computer before the installed certificate expires.

Use a certificate request and installation method that is independent from Configuration Manager.

Important

To deploy the client to devices running macOS Sierra, correctly configure the Subject name of the management point certificate. For example, use the FQDN of the management point server.

Configure client settings


Use the default client settings to configure enrollment for Mac computers. You can't use custom client settings. To request and install the certificate, the Configuration Manager client for Mac requires the default client settings.

1. In the Configuration Manager console, go to the Administration workspace. Select the Client Settings node, and then select Default Client Settings.

2. On the Home tab of the ribbon, in the Properties group, choose Properties.

3. Select the Enrollment section, and then configure the following settings:

a. Allow users to enroll mobile devices and Mac computers: Yes

b. Enrollment profile: Choose Set Profile.

4. In the Mobile Device Enrollment Profile dialog box, choose Create.

5. In the Create Enrollment Profile dialog box, enter a name for this enrollment
profile. Then configure the Management site code. Select the Configuration
Manager primary site that contains the management points for these Mac
computers.

Note

If you can't select the site, make sure that you configure at least one
management point in the site to support mobile devices.

6. Choose Add.

7. In the Add Certification Authority for Mobile Devices window, select the
certification authority server that issues certificates to Mac computers.

8. In the Create Enrollment Profile dialog box, select the Mac computer certificate
template that you previously created.

9. Select OK to close the Enrollment Profile dialog box, and then the Default Client Settings dialog box.

Tip

If you want to change the client policy interval, use Client policy polling interval in the Client Policy client setting group.

The next time the devices download client policy, Configuration Manager applies these settings for all users. To initiate policy retrieval for a single client, see Initiate policy retrieval for a Configuration Manager client.

In addition to the enrollment client settings, make sure that you have configured the following client device settings:

Hardware inventory: Enable and configure this feature if you want to collect
hardware inventory from Mac and Windows client computers. For more
information, see How to extend hardware inventory.

Compliance settings: Enable and configure this feature if you want to evaluate and
remediate settings on Mac and Windows client computers. For more information,
see Plan for and configure compliance settings.

For more information, see How to configure client settings.

Download the client for macOS

Note

The macOS client installation package isn't available for new deployments, but existing deployments are supported until December 31, 2022.

1. Save ConfigmgrMacClient.msi to a computer that runs Windows. This file isn't on the Configuration Manager installation media.

2. Run the installer on the Windows computer. Extract the Mac client package, Macclient.dmg, to a folder on the local disk. The default path is C:\Program Files\Microsoft\System Center Configuration Manager for Mac client.

3. Copy the Macclient.dmg file to a folder on the Mac computer.

4. On the Mac computer, run Macclient.dmg to extract the files to a folder on the local disk.

5. In the folder, make sure that it contains the following files:

Ccmsetup: Installs the Configuration Manager client on your Mac computers using CMClient.pkg

CMDiagnostics: Collects diagnostic information related to the Configuration Manager client on your Mac computers

CMUninstall: Uninstalls the client from your Mac computers

CMAppUtil: Converts Apple application packages into a format that you can deploy as a Configuration Manager application

CMEnroll: Requests and installs the client certificate for a Mac computer so that you can then install the Configuration Manager client

Enroll the Mac client

Enroll individual clients with the Mac computer enrollment wizard.

To automate enrollment for many clients, use the CMEnroll tool.

Enroll the client with the Mac computer enrollment wizard

1. After you install the client, the Computer Enrollment wizard opens. To manually start the wizard, select Enroll from the Configuration Manager preference page.

2. On the second page of the wizard, provide the following information:

User name: The user name can be in the following formats:

domain\name. For example: contoso\mnorth

user@domain. For example: mnorth@contoso.com

Important

When you use an email address to populate the User name field, Configuration Manager automatically populates the Server name field. It uses the default name of the enrollment proxy point server and the domain name of the email address. If these names don't match the name of the enrollment proxy point server, fix the Server name during enrollment.

The user name and corresponding password must match an Active Directory user account that has Read and Enroll permissions on the Mac client certificate template.

Server name: The name of the enrollment proxy point server.

Client and certificate automation with CMEnroll

Use this procedure for automation of client installation and requesting and enrollment of client certificates with the CMEnroll tool. To run the tool, you must have an Active Directory user account.

1. On the Mac computer, navigate to the folder where you extracted the contents of
the Macclient.dmg file.

2. Enter the following command: sudo ./ccmsetup

3. Wait until you see the Completed installation message. Although the installer
displays a message that you must restart now, don't restart, and continue to the
next step.

4. From the Tools folder on the Mac computer, type the following command: sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u '<user_name>'

After the client installs, the Mac Computer Enrollment wizard opens to help you enroll the Mac computer. For more information, see Enroll the client by using the Mac computer enrollment wizard.

Example: If the enrollment proxy point server is named server02.contoso.com, and you grant contoso\mnorth permissions for the Mac client certificate template, type the following command: sudo ./CMEnroll -s server02.contoso.com -ignorecertchainvalidation -u 'contoso\mnorth'

Note

If the user name includes any of the following characters, enrollment fails: <>"+=, (angle brackets, double quote, plus sign, equals sign, comma). Use an out-of-band certificate with a user name that doesn't include these characters.

For a more seamless user experience, script the installation steps. Then users only have to supply their user name and password.

5. Type the password for the Active Directory user account. When you enter this
command, it prompts for two passwords. The first password is for the super user
account to run the command. The second prompt is for the Active Directory user
account. The prompts look identical, so make sure that you specify them in the
correct sequence.

6. Wait until you see the Successfully enrolled message.

7. To limit the enrolled certificate to Configuration Manager, on the Mac computer, open a terminal window and make the following changes:

a. Enter the command sudo "/Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access" (the path contains spaces, so quote it)

b. In the Keychain Access window, in the Keychains section, choose System. Then
in the Category section, choose Keys.

c. Expand the keys to view the client certificates. Find the certificate with a private
key that you installed, and open the key.

d. On the Access Control tab, choose Confirm before allowing access.

e. Browse to /Library/Application Support/Microsoft/CCM, select CCMClient, and then choose Add.

f. Choose Save Changes and close the Keychain Access dialog box.

8. Restart the Mac computer.
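
The note about characters that make enrollment fail and the two user name formats the wizard accepts can be checked before scripting the steps above. The Python example below is added here and is not Microsoft's code or part of the Mac client package; its function names and sample inputs are its own, and it builds the CMEnroll argument list from the documented step rather than running it.

```python
"""Added example (not Microsoft's code): check a CMEnroll user name against the two
documented formats and the characters that make enrollment fail, then build the
CMEnroll argument list from the documented step.  Names and samples are this
example's own."""
import re

FORBIDDEN = set('<>"+=,')        # enrollment fails if the user name contains any of these


def parse_enrollment_user(user_name):
    """Return {'format': 'domain\\name' | 'user@domain', 'user': ..., 'domain': ...}.
    Raises ValueError for a forbidden character or an unrecognised format."""
    bad = sorted(FORBIDDEN & set(user_name))
    if bad:
        raise ValueError(f"user name contains {bad}; enrollment would fail, use an "
                         "out-of-band certificate instead")
    m = re.fullmatch(r"([^\\@\s]+)\\([^\\@\s]+)", user_name)
    if m:
        return {"format": "domain\\name", "domain": m.group(1), "user": m.group(2)}
    m = re.fullmatch(r"([^\\@\s]+)@([^\\@\s]+)", user_name)
    if m:
        return {"format": "user@domain", "user": m.group(1), "domain": m.group(2)}
    raise ValueError(f"{user_name!r} is neither domain\\name nor user@domain")


def user_can_enroll(user_name):
    """True when parse_enrollment_user() accepts the name."""
    try:
        parse_enrollment_user(user_name)
        return True
    except ValueError:
        return False


def cmenroll_command(enrollment_proxy_server, user_name):
    """Argument list for the documented step (suitable for subprocess.run).  The user
    name is passed as its own argument, so the shell quoting shown in the docs isn't needed."""
    parse_enrollment_user(user_name)          # refuse names that can't enroll
    return ["sudo", "./CMEnroll", "-s", enrollment_proxy_server,
            "-ignorecertchainvalidation", "-u", user_name]


if __name__ == "__main__":
    print(" ".join(cmenroll_command("server02.contoso.com", "contoso\\mnorth")))
```

Validating the name up front gives the user a clear message instead of a failed enrollment after the two password prompts described in step 5.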

To verify that the client installation is successful, open the Configuration Manager item
in System Preferences on the Mac computer. Also update and view the All Systems
collection in the Configuration Manager console. Confirm that the Mac computer
appears in this collection as a managed client.

Tip

To help troubleshoot the Mac client, use the CMDiagnostics tool included with the
Mac client package. Use it to collect the following diagnostic information:

A list of running processes

The macOS X operating system version

macOS X crash reports relating to the Configuration Manager client including
CCM*.crash and System Preference.crash.

The Bill of Materials (BOM) file and property list (.plist) file created by the
Configuration Manager client installation.

The contents of the folder /Library/Application Support/Microsoft/CCM/Logs.

The information collected by CmDiagnostics is added to a zip file that is saved to
the desktop of the computer and is named cmdiag-<hostname>-<datetime>.zip

Manage certificates external to Configuration Manager
You can use a certificate request and installation method independent from
Configuration Manager. Use the same general process, but include the following
additional steps:

When you install the Configuration Manager client, use the MP and SubjectName
command-line options. Enter the following command:

sudo ./ccmsetup -MP <management point internet FQDN> -SubjectName <certificate subject name>

The certificate subject name is case-sensitive, so type it exactly as it appears in the
certificate details.

Example: The management point's internet FQDN is server03.contoso.com. The
Mac client certificate has the FQDN of mac12.contoso.com as a common name in
the certificate subject. Use the following command:

sudo ./ccmsetup -MP server03.contoso.com -SubjectName mac12.contoso.com

If you have more than one certificate that contains the same subject value, specify
the certificate serial number to use for the Configuration Manager client. Use the
following command:

sudo defaults write com.microsoft.ccmclient SerialNumber -data "<serial number>"

For example:

sudo defaults write com.microsoft.ccmclient SerialNumber -data "17D4391A00000003DB"

Renew the Mac client certificate

This procedure removes the SMSID. The Configuration Manager client for Mac requires
a new ID to use a new or renewed certificate.

Important

After you replace the client SMSID, when you delete the old resource in the
Configuration Manager console, you also delete any stored client history. For
example, hardware inventory history for that client.

1. Create and populate a device collection for the Mac computers that must renew
the computer certificates.
2. In the Assets and Compliance workspace, start the Create Configuration Item
Wizard.

3. On the General page of the wizard, specify the following information:

Name: Remove SMSID for Mac

Type: Mac OS X

4. On the Supported Platforms page, select all macOS X versions.

5. On the Settings page, select New. In the Create Setting window, specify the
following information:

Name: Remove SMSID for Mac

Setting type: Script

Data type: String

6. In the Create Setting window, for Discovery script, select Add script. This action
specifies a script to discover Mac computers configured with an SMSID.

7. In the Edit Discovery Script window, enter the following shell script:

Shell

defaults read com.microsoft.ccmclient SMSID

8. Choose OK to close the Edit Discovery Script window.

9. In the Create Setting window, for Remediation script (optional), choose Add
script. This action specifies a script to remove the SMSID when it's found on Mac
computers.

10. In the Create Remediation Script window, enter the following shell script:

Shell

defaults delete com.microsoft.ccmclient SMSID

11. Choose OK to close the Create Remediation Script window.

12. On the Compliance Rules page, choose New. Then in the Create Rule window,
specify the following information:

Name: Remove SMSID for Mac

Selected setting: Choose Browse and then select the discovery script that
you previously specified.

In the following values field: The domain/default pair of
(com.microsoft.ccmclient, SMSID) does not exist.

Enable the option to Run the specified remediation script when this setting
is noncompliant.

13. Complete the wizard.

14. Create a configuration baseline that contains this configuration item. Deploy the
baseline to the target collection.

For more information, see How to create configuration baselines.

15. After you install a new certificate on Mac computers that have the SMSID removed,
run the following command to configure the client to use the new certificate:

Shell

sudo defaults write com.microsoft.ccmclient SubjectName -string <subject_name_of_new_certificate>

See also
Prepare to deploy clients to Macs

Maintain Mac clients

How to assign clients to a site in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

After you install the Configuration Manager client, before you can manage the client, it
needs to join a Configuration Manager primary site. The site that a client joins is called
its assigned site. You can't assign a client to a central administration site or a secondary
site.

The assignment process happens after you successfully install the client and it
determines which site manages the computer. You can either directly assign the client to
a site, or use automatic site assignment. With automatic assignment, the client finds an
appropriate site based on its current network location. The client may assign to a
fallback site, if you configure it for the hierarchy.

Note

Always assign clients to sites running the same version of Configuration Manager.
Avoid assigning a client from a later release to a site on an earlier release. If
necessary, update the primary site to the same Configuration Manager version that
you use for the clients.

After the client assigns to a site, it remains assigned to that site, even if it changes its IP
address or roams to another site. Only an administrator can manually assign the client
to another site or remove the client assignment.

Warning

An exception to a client remaining assigned to a site is if you assign the client on a
Windows Embedded device with write filters enabled. If you don't first disable write
filters before you assign the client, the site assignment status of the client reverts to
its original state when the device next restarts. For example, if you configure the
client for automatic site assignment, it reassigns on startup and might assign to a
different site. If the client requires manual site assignment, you have to manually
reassign it before you can manage it.

To avoid this behavior, disable the write filters before you assign the client on
embedded devices. Then enable the write filters after you have verified that site
assignment was successful.

If assignment fails, the client remains installed, but you can't manage it. A client is
considered unmanaged when it's installed but not assigned to a site. It's also
unmanaged when it's assigned to a site but it can't communicate with a management
point.

Manual site assignment

You can manually assign client computers to a site by using the following two methods:

Use a client installation property that specifies the site code. For more information,
see Client installation properties - SMSSITECODE.

In the Windows Control Panel for Configuration Manager, specify the site code.

Note

If you manually assign a client to a site code that doesn't exist, the site assignment
fails.

Automatic site assignment

Automatic site assignment typically happens during client deployment. To manually start
automatic site assignment, select Find Site on the Advanced tab of the Configuration
Manager control panel. The Configuration Manager client compares its network location
with the boundaries for the hierarchy. When the network location of the client falls
within a boundary group you enabled for site assignment, or the hierarchy is configured
for a fallback site, the client is automatically assigned to that site. This behavior lets
clients easily assign to a site and you don't have to specify a site code.

Note

If a client computer has multiple network adapters and multiple IP addresses, the IP
address used to evaluate client site assignment is assigned randomly.

For more information about how to configure boundary groups for site assignment, see
Define site boundaries and boundary groups.

Configuration Manager clients that use automatic site assignment attempt to find site
boundary groups that you publish to Active Directory Domain Services. If this process
fails, clients can get boundary group information from a management point. This
process can fail if you don't extend the Active Directory schema for Configuration
Manager, or clients are workgroup computers.

When you install the client, you can specify a management point for it to use, or the
client can locate a management point automatically. For more information, see How
clients find site resources and services.

If the client can't find a site in a boundary group for its network location, and the
hierarchy doesn't have a fallback site, the client retries every 10 minutes. It repeats this
process until it assigns to a site.

Configuration Manager clients can't automatically assign to a site if any of the following
conditions apply:

They are currently assigned to a site.

They are on the internet or configured as internet-only clients.

Their network location doesn't fall within one of the boundary groups in the
hierarchy, and there's no fallback site.

If any of these conditions apply, you have to manually assign the client.
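
To make the rules above concrete, here is an added Python model of automatic site assignment; it is example code, not Configuration Manager's own logic. Boundaries are modelled as IP address range boundaries, a boundary group either is or is not enabled for site assignment, and the fallback site is optional. The site codes (PS1, PS2), boundary group names, client names and address ranges are constructed for the example.

```python
"""Added example, not Microsoft code: a model of automatic site assignment.
Site codes, boundary group names and IP ranges are constructed for the example."""
import ipaddress
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

RETRY_MINUTES = 10  # a client that finds no site retries on this interval


@dataclass
class BoundaryGroup:
    name: str
    boundaries: List[ipaddress.IPv4Network]   # IP address range boundaries
    assignment_site: Optional[str]            # set when the group is enabled for site assignment

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ip in net for net in self.boundaries)


@dataclass
class Hierarchy:
    groups: List[BoundaryGroup]
    fallback_site: Optional[str] = None       # optional hierarchy-wide fallback site


@dataclass
class Client:
    name: str
    ip_addresses: List[str]
    assigned_site: Optional[str] = None
    internet_only: bool = False


def pick_evaluation_address(client: Client, rng=random) -> ipaddress.IPv4Address:
    """With several adapters the address used for evaluation is chosen at random,
    which is why multi-homed machines can land in unexpected boundary groups."""
    return ipaddress.ip_address(rng.choice(client.ip_addresses))


def auto_assign(client: Client, hierarchy: Hierarchy, rng=random) -> Tuple[Optional[str], str]:
    """Return (site_code, reason). site_code is None when automatic assignment
    cannot happen and an administrator must assign the client manually."""
    if client.assigned_site:
        return client.assigned_site, "already assigned; automatic assignment does nothing"
    if client.internet_only:
        return None, "internet-only client: assign the site manually"
    ip = pick_evaluation_address(client, rng)
    for group in hierarchy.groups:
        # only boundary groups enabled for site assignment are considered
        if group.assignment_site and group.contains(ip):
            client.assigned_site = group.assignment_site
            return client.assigned_site, f"{ip} is in boundary group {group.name}"
    if hierarchy.fallback_site:
        client.assigned_site = hierarchy.fallback_site
        return client.assigned_site, f"{ip} matched no boundary group; used the fallback site"
    return None, (f"{ip} matched no boundary group and there is no fallback site: "
                  f"client retries every {RETRY_MINUTES} minutes")


# Constructed sample hierarchy: two assignment groups plus a content-only group.
HIERARCHY = Hierarchy(groups=[
    BoundaryGroup("HQ", [ipaddress.ip_network("10.1.0.0/16")], assignment_site="PS1"),
    BoundaryGroup("Branch", [ipaddress.ip_network("10.2.0.0/16")], assignment_site="PS2"),
    BoundaryGroup("Warehouse", [ipaddress.ip_network("10.3.0.0/16")], assignment_site=None),
])

if __name__ == "__main__":
    for c in (Client("hq-pc", ["10.1.4.20"]), Client("wh-pc", ["10.3.0.9"]),
              Client("vpn-pc", ["203.0.113.5"], internet_only=True)):
        print(c.name, auto_assign(c, HIERARCHY))
```

Running the module prints the outcome for a client inside a site-assignment boundary group, one inside a content-only group with no fallback site, and an internet-only client. The `rng` parameter exists so the random adapter choice from the note above can be pinned when testing.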

Check site compatibility

After a client has found its assigned site, the site checks the version of the Configuration
Manager client and OS. This check is to make sure that the site can manage the client.
For example, a current branch site can't manage a Configuration Manager 2007 client, or
a client that runs Windows 2000.

If you try to assign a client that runs a legacy OS version, site assignment fails. When you
assign a Configuration Manager 2007 client or a System Center 2012 Configuration
Manager client to a current branch site, assignment succeeds to support automatic
client upgrade. However, until you upgrade these older generation clients, you can't
manage them.

Note

To support the site assignment of a Configuration Manager 2007 or a System
Center 2012 Configuration Manager client to a current branch site, configure
automatic client upgrade for the hierarchy. For more information, see How to
upgrade clients for Windows computers.

Configuration Manager also checks that you've assigned the current branch client to a
site that supports it.

The site compatibility check requires one of the following conditions:

The client can access site information published to Active Directory Domain
Services.

The client can communicate with a management point in the site.

If the site compatibility check fails to finish successfully, the site assignment fails. The
client remains unmanaged until the site compatibility check runs again and succeeds.

An exception to this site compatibility check is when you configure a client for an
internet-based management point. In this case, Configuration Manager doesn't check
site compatibility. If you assign clients to a site that contains internet-based site systems,
and you specify an internet-based management point, make sure that you assign the
client to the correct site.

Scenarios for assignment of legacy clients

The following scenarios might occur during migration from previous versions of
Configuration Manager:

You use automatic site assignment and boundaries overlap between versions of Configuration Manager

In this case, the client automatically tries to find a current branch site.

The client first checks Active Directory Domain Services. If it finds a current branch site
published, site assignment succeeds. If this check fails, the client then checks for site
information from its assigned management point.

Note

You can specify an initial management point for the client during client installation.
For more information, see Client installation properties - SMSMP.

If both these methods fail, site assignment fails. You need to manually assign the client.

Accidental manual assignment to a legacy site version

For example, you assign a current branch client with a specific site code, and mistakenly
specify a site code for a version of Configuration Manager earlier than System Center
2012 R2 Configuration Manager.

In this case, site assignment fails. Manually reassign the client to a current branch site.

Locate a management point

After the client assigns to a site, it then tries to locate a management point. This process
in itself can be complex, depending upon the situation. For more information about how
the client locates management points and other site resources, see How clients find site
resources and services.

Download site settings

After the client finds a management point, it needs to get client-related site settings.
These settings include:

The client certificate selection criteria

Whether to use a certificate revocation list

The client request port numbers

The client continues to check these settings on a periodic basis.

Clients get these settings from one of the following methods:

If the client used Active Directory Domain Services for its site compatibility check, it
downloads these settings for its assigned site from the domain.

When clients can't get site settings from Active Directory, they download them
from the management point.

You specify the settings during client installation. For more information, see About
client installation properties.

Download client settings

All clients download the default client settings policy and any applicable custom client
settings policies. For more information, see About client settings.

Software Center relies on these client configuration policies. It notifies users that it can't
run until the client downloads the configuration information. Depending on the client
settings that you configure, the initial download of client settings might take a while.
Some client management tasks might not run until this process is complete.

Verify site assignment

You can verify site assignment success by any of the following methods:

For clients on Windows computers, use the Configuration Manager control panel.
Verify that it shows the correct site code on the Site tab.

In the Configuration Manager console, go to the Assets and Compliance
workspace, and select the Devices node. Verify that the computer shows Yes in the
Client column and the correct primary site code in the Site Code column.

Use the reports for client assignment.

Use the LocationServices.log file on the client.
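
Because LocationServices.log, like the other client logs, is written in the CMTrace format (`<![LOG[message]LOG]!><time="..." date="..." component="..." context="..." type="..." thread="..." file="...">`, where type 1 is information, 2 warning and 3 error), it can be parsed instead of read by eye. The following parser is an added Python example, not Microsoft code. The entry layout is the CMTrace layout; the three sample entries, their message wording (including how the assigned site code is phrased) and their `file=` values are constructed, so the site-code regular expression is an assumption to adapt to the messages seen on a real client.

```python
"""Added example, not Microsoft code: read CMTrace-format client logs such as
LocationServices.log and pull out the assigned site code and any problems.
The log lines below are constructed; message text and file names are not
taken from a real client."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One CMTrace entry: <![LOG[message]LOG]!><time="..." date="..." component="..."
# context="..." type="N" thread="N" file="...">   (type 1=info, 2=warning, 3=error)
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" component="(?P<component>[^"]*)" '
    r'context="(?P<context>[^"]*)" type="(?P<type>\d)" thread="(?P<thread>\d+)" '
    r'file="(?P<file>[^"]*)">',
    re.DOTALL,
)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}
# Site codes are three characters; the surrounding message wording is an assumption.
SITE_CODE_RE = re.compile(r"\bsite code (?:is )?'?([A-Z0-9]{3})\b")


@dataclass
class LogEntry:
    timestamp: datetime
    component: str
    severity: str
    thread: str
    message: str


def parse_cmtrace(text: str) -> List[LogEntry]:
    """Parse every CMTrace entry in text into LogEntry objects, in file order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        # time looks like 09:15:01.123+300; strip the UTC offset (in minutes)
        clock = m.group("time").split("+")[0].split("-")[0]
        ts = datetime.strptime(f'{m.group("date")} {clock}', "%m-%d-%Y %H:%M:%S.%f")
        entries.append(LogEntry(ts, m.group("component"),
                                SEVERITY.get(m.group("type"), "unknown"),
                                m.group("thread"), m.group("message")))
    return entries


def assigned_site_from_log(entries: List[LogEntry]) -> Optional[str]:
    """Latest site code mentioned by LocationServices, or None if none is logged."""
    for entry in reversed(entries):
        if entry.component == "LocationServices":
            m = SITE_CODE_RE.search(entry.message)
            if m:
                return m.group(1)
    return None


def problems(entries: List[LogEntry]) -> List[LogEntry]:
    """Warnings and errors in order; read these first when assignment fails."""
    return [e for e in entries if e.severity != "info"]


# Constructed sample log (three entries, one warning).
SAMPLE_LOG = (
    '<![LOG[Current AD site of machine is Default-First-Site-Name]LOG]!>'
    '<time="09:15:01.123+300" date="10-04-2022" component="LocationServices" context="" '
    'type="1" thread="4120" file="example.cpp:10">\n'
    '<![LOG[Assigned site code is PS1]LOG]!>'
    '<time="09:15:02.456+300" date="10-04-2022" component="LocationServices" context="" '
    'type="1" thread="4120" file="example.cpp:20">\n'
    '<![LOG[Unable to read boundary groups from AD, asking the management point]LOG]!>'
    '<time="09:15:03.789+300" date="10-04-2022" component="LocationServices" context="" '
    'type="2" thread="4120" file="example.cpp:30">\n'
)

if __name__ == "__main__":
    parsed = parse_cmtrace(SAMPLE_LOG)
    print("assigned site:", assigned_site_from_log(parsed))
    for p in problems(parsed):
        print(p.severity, p.timestamp, p.message)
```

The parser returns entries in file order, so the most recent site code wins when a client has been reassigned; filtering on `component` keeps output from other client components out of the result when the same parser is pointed at a different log.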

Roaming to other sites

A client on the internal network is assigned to a primary site. You change the client
computer's network location. It's now in a boundary group for another site. In this
scenario, the client is roaming in the other site. When this site is a secondary site for the
client's assigned site, the client can use a management point in the secondary site to
download policy and upload data. This behavior avoids sending this data over a
potentially slow network. If the client roams into the boundary of another primary site, it
still uses a management point in its assigned site to download policy and upload data.

Clients that roam to other sites can always use management points in other sites for
content location requests. Management points in the current site can give clients a list
of distribution points that have the requested content.

When you configure clients for internet-only client management, they only
communicate with management points in their assigned site. These clients never
communicate with management points in secondary sites or with management points in
other primary sites. This behavior is the same for macOS and on-premises MDM devices
that you enroll to Configuration Manager.

Next steps

How to monitor client deployment status

Monitor and manage clients

How to configure client status in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Before you can monitor Configuration Manager clients and remediate problems,
configure the site's client status settings. These settings specify the parameters that the
site uses to mark clients as inactive. Also configure options to alert you if client activity
falls below a specified threshold.

Configure client status

1. In the Configuration Manager console, go to the Monitoring workspace, and select
the Client Status node. On the Home tab of the ribbon, in the Client Status group,
select Client Status Settings.

2. Configure the following settings:

Note

If a client doesn't meet any of the settings, the site marks it as inactive.

Client policy requests during the following days: Specify the number of days
since the client requested policy from the site. The default value is 7 days.

Compare this value to the Client policy polling interval setting in the Client
Policy group of client settings. Its default is 60 minutes. In other words, a
client should poll the site for policy every hour. If it doesn't request policy
after one week, the site marks it as inactive.

Heartbeat discovery during the following days: Specify the number of days
since the client sent a heartbeat discovery record to the site. The default
value is 7 days.

Compare this value to the schedule for the Heartbeat discovery method. By
default, the site runs heartbeat discovery once a week.

Hardware inventory during the following days: Specify the number of days
since the client sent a hardware inventory record to the site. The default value
is 7 days.

Compare this value to the Hardware inventory schedule setting in the
Hardware Inventory group of client settings. Its default is seven days.

Software inventory during the following days: Specify the number of days
since the client sent a software inventory record to the site. The default value
is 7 days.

Compare this value to the Schedule software inventory and file collection
setting in the Software Inventory group of client settings. Its default is seven
days.

Status messages during the following days: Specify the number of days
since the client sent any status messages to the site. The default value is 7
days. The client can send status messages for different kinds of activities,
such as running a task sequence. The site deletes old status messages as part
of the maintenance task, Delete Aged Status Messages.

3. Specify the following value to determine how long the site keeps client status
history data:

Retain client status history for the following number of days: By default, the
site keeps client status information for 31 days. This setting doesn't have any
impact on client or site behavior. It's similar to a maintenance task for client
status history.

Configure the schedule

1. In the Configuration Manager console, go to the Monitoring workspace, and select
the Client Status node. On the Home tab of the ribbon, in the Client Status group,
select Schedule Client Status Update.

2. Configure the interval at which you want client status to update.

Note

When you change the schedule for client status updates, it doesn't take effect
until the next scheduled client status update on the previous schedule.

Configure alerts

1. In the Configuration Manager console, go to the Assets and Compliance
workspace, and select the Device Collections node.

2. Select the collection for which you want to configure alerts. On the Home tab of
the ribbon, in the Properties group, select Properties.

Note

You can't configure alerts for user collections.

3. Switch to the Alerts tab, and select Add.

Tip

You can only view the Alerts tab if your security role has permissions for
alerts.

Choose the alerts that you want the site to generate for client status thresholds,
and select OK.

4. In the Conditions list of the Alerts tab, select each client status alert, and then
specify the following information:

Alert Name: Accept the default name or enter a new name for the alert.

Alert Severity: Choose the alert level that the Configuration Manager console
displays.

Raise alert: Specify the threshold percentage for the alert.
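
As an added Python example (not Microsoft code), the following applies the client status settings and the alert threshold described above to a set of client records, the way the site decides active versus inactive. The point it makes explicit is the one in the note: a client is marked inactive only when it meets none of the activity settings, so a single recent status message is enough to keep it active. Client names, timestamps and the reference time are constructed.

```python
"""Added example, not Microsoft code: evaluate client activity against the
client status settings and an alert threshold. Names and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class ClientStatusSettings:
    # defaults match the console defaults described in the article
    policy_request_days: int = 7
    heartbeat_days: int = 7
    hardware_inventory_days: int = 7
    software_inventory_days: int = 7
    status_message_days: int = 7
    history_retention_days: int = 31


@dataclass
class ClientRecord:
    name: str
    last_policy_request: Optional[datetime] = None
    last_heartbeat: Optional[datetime] = None
    last_hardware_inventory: Optional[datetime] = None
    last_software_inventory: Optional[datetime] = None
    last_status_message: Optional[datetime] = None


def _within(ts: Optional[datetime], days: int, now: datetime) -> bool:
    return ts is not None and now - ts <= timedelta(days=days)


def is_active(rec: ClientRecord, s: ClientStatusSettings, now: datetime) -> bool:
    """Inactive only when the client meets none of the settings: one recent
    activity of any kind keeps it active."""
    checks = [
        (rec.last_policy_request, s.policy_request_days),
        (rec.last_heartbeat, s.heartbeat_days),
        (rec.last_hardware_inventory, s.hardware_inventory_days),
        (rec.last_software_inventory, s.software_inventory_days),
        (rec.last_status_message, s.status_message_days),
    ]
    return any(_within(ts, days, now) for ts, days in checks)


def active_percentage(records: List[ClientRecord], s: ClientStatusSettings,
                      now: datetime) -> float:
    if not records:
        return 0.0
    active = sum(1 for r in records if is_active(r, s, now))
    return 100.0 * active / len(records)


def should_raise_alert(records: List[ClientRecord], s: ClientStatusSettings,
                       now: datetime, threshold_percent: float) -> bool:
    """'Raise alert' is a threshold percentage: alert when activity in the
    collection drops below it."""
    return active_percentage(records, s, now) < threshold_percent


def prune_status_history(rows: List[datetime], s: ClientStatusSettings,
                         now: datetime) -> List[datetime]:
    """Keep client status history only for the configured retention period."""
    return [ts for ts in rows if now - ts <= timedelta(days=s.history_retention_days)]


NOW = datetime(2022, 10, 4, 12, 0)   # constructed reference time
SETTINGS = ClientStatusSettings()
COLLECTION = [                       # constructed device collection
    ClientRecord("pc-01", last_policy_request=NOW - timedelta(hours=2)),
    ClientRecord("pc-02", last_policy_request=NOW - timedelta(days=10),
                 last_heartbeat=NOW - timedelta(days=10)),
    # only a status message inside the window, which is still enough to stay active
    ClientRecord("pc-03", last_status_message=NOW - timedelta(days=3)),
    ClientRecord("pc-04"),           # never reported anything
]
HISTORY_ROWS = [NOW - timedelta(days=40), NOW - timedelta(days=31), NOW - timedelta(days=5)]

if __name__ == "__main__":
    for rec in COLLECTION:
        print(rec.name, "active" if is_active(rec, SETTINGS, NOW) else "inactive")
    print("active %:", active_percentage(COLLECTION, SETTINGS, NOW))
    print("alert at 80%:", should_raise_alert(COLLECTION, SETTINGS, NOW, 80))
```

Tightening one window, for example `ClientStatusSettings(status_message_days=2)`, turns pc-03 inactive, which is the effect to expect when the evaluation periods are shortened without also shortening the client-side schedules they are compared against.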

Automatic remediation exclusion

1. On the client computer where you want to disable automatic remediation, open
the registry editor.

Warning

If you use the registry editor incorrectly, you can cause serious problems that
could require you to reinstall Windows. Microsoft can't guarantee that you
can solve problems that result from using the registry editor incorrectly. Use it
at your own risk.

2. Navigate to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\CcmEval.

3. Change the value for the NotifyOnly entry:

TRUE: The client won't automatically remediate any problems that it finds. The
site still notifies you in the Monitoring workspace about any problems with
this client.

FALSE: This setting is the default. The client automatically remediates
problems when it finds them, and the site notifies you in the Monitoring
workspace.

When you install clients, you can exclude them from automatic remediation with the
NotifyOnly installation property. For more information, see About client installation
properties.

Next steps

Monitor clients

How to monitor client deployment status in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Deploying clients across your site takes time and some installations are not successful
the first time. The Configuration Manager console provides a way to keep an eye on
client deployments within a collection by reporting client deployment status in real time.

Note

The best and most reliable way to monitor client deployment is with the
Configuration Manager console (as described in this article). The Client Status
section of the Monitoring workspace in the console provides client deployment
status accurately and in real time. You can monitor client deployments with other
tools, such as Server Manager in Windows Server or System Center Operations
Manager, but you may receive alarms from normal client installation activity.
Because of how the client installation program (CCMSetup.exe) runs in various
environments, these other tools may generate false alarms and warnings that do
not accurately reflect the state of client deployments.

In the Monitoring workspace of the console, you can monitor the following statuses for
client deployments taking place within a collection that you specify:

Compliant

In progress

Not compliant

Failed

Unknown

Configuration Manager reports on deployments for production clients or pre-production
clients. The Configuration Manager console also provides a chart of
failed client deployments over a specified period of time to help you determine if
actions you take to troubleshoot deployments are improving the deployment
success rate over time.

To monitor client deployments

In the Configuration Manager console, click Monitoring > Client Status.

Click Production Client Deployment or Pre-production Client Deployment
depending on the version of client you want to monitor.

Review the charts of client deployment status and client deployment failure.

If you want to change the scope of the report, click Browse... and choose a
different collection.

To learn more about pre-production client deployments, see How to test client
upgrades in a pre-production collection.

Note

The deployment status on computers hosting site system roles in a pre-production
collection may be reported as Not compliant even when the client
was successfully deployed. When you promote the client to production, the
deployment status is reported correctly.

To monitor the status of deployed clients, see How to monitor clients.

You can use Configuration Manager reports to find out more information about
the status of clients in your site. For more information about how to run reports,
see Introduction to reporting.

Monitor and manage clients in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

After you install the client on devices in your organization, Configuration Manager
provides several ways to monitor and manage it. You can monitor clients to check their
status, and Configuration Manager can automatically fix some problems it detects. Use
the Configuration Manager console to manage clients for individual devices or device
collections.

How to monitor clients

How to manage clients

Configure the content cache

Manage clients on the internet

Use collections

Co-management enables you to concurrently manage Windows devices by using both
Configuration Manager and Microsoft Intune. It lets you cloud-attach your existing
investment in Configuration Manager by adding new functionality. When you enable
co-management, you can use Intune for additional client management actions. For more
information, see What is co-management?.

How to monitor clients in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Once you install the Configuration Manager client on the Windows devices in your site,
monitor their health and activity in the Configuration Manager console.

About client status

Configuration Manager provides the following types of information as client status:

Client online status: The site considers a device as online if it's connected to its
assigned management point. To indicate that the client is online, it sends ping-like
messages to the management point. If the management point doesn't receive a
message in five minutes, the site considers the client as offline.

Tip

These messages use the client notification channel. For more information, see
Ports used in Configuration Manager.

Client activity: The site considers the client as active if it has communicated with
Configuration Manager in the past seven days. The site considers the client
inactive if it hasn't done the following actions in seven days:
Requested policy update
Sent a heartbeat message
Sent hardware inventory

Client check: The state of the periodic evaluation that the Configuration Manager
client runs on the device. The evaluation checks the device and can remediate
some of the problems it finds. For more information, see Client health checks.

Client check runs automatically during the Windows maintenance window.

You can configure remediation not to run on specific devices, for example, a
business-critical server. For more information, see How to configure client status.
If there are more items that you want to evaluate, use Configuration Manager
compliance settings to monitor other configurations. For more information about
compliance settings, see Plan for and configure compliance settings.

Decommissioned: The site has marked the device record for deletion. This
behavior can happen when a new registration for the same device assigns to the same
or a different primary site in a hierarchy. The site deletes these devices the next
time it runs the site maintenance task Delete Aged Discovery Data.

Obsolete: The site has discovered a new device record with the same hardware ID,
so it marks the old record as obsolete. Reports don't count obsolete records of the
same device multiple times. You can still target policies to obsolete devices. If the
site doesn't get a heartbeat for an obsolete record after 90 days of inactivity, it
removes the obsolete device when it runs the site maintenance task Delete
Obsolete Client Discovery Data.

Tip

The Power BI sample reports for Configuration Manager includes a report called
Client Status. This report can also help with monitoring clients.

Monitor individual clients

1. In the Configuration Manager console, go to the Assets and Compliance
workspace. Select either the Devices node or choose a collection under Device
Collections.

The icons at the beginning of each row indicate the online status of the device:

Icon Description

Device is online.

Device is offline.

Online status is unknown.

Client isn't installed on the device.


2. For more detailed online status, add the client online status information to the
device view. Right-click the column header and select the online status fields you
want to add:

Device Online Status: Indicates whether the client is currently online or
offline. (This status is the same information given by the icons.)

Last Online Time: Indicates when the client online status changed to online.

Last Offline Time indicates when the status changed to offline.

3. Select an individual client in the list pane to see more status in the detail pane. This
information includes client activity and client check status.

Monitor the status of all clients

1. In the Configuration Manager console, go to the Monitoring workspace, and select
the Client Status node. Review the overall statistics for client activity and client
checks across the site. Change the scope of the information by choosing a
different collection.

2. To drill down into detail about the reported statistics, choose the name of the
reported information. For example, Active clients that have passed client check or
no results. Then review the information about the individual clients.

3. Select Client Activity to see charts showing the client activity in your Configuration
Manager site.

4. Select Client Check to see charts showing the status of client checks in your
Configuration Manager site.

Configure alerts to notify you when client check results or client activity drops
below a specified percentage. The site can also alert you when remediation fails on
a specified percentage of clients. For more information, see How to configure
client status.

For more information on the client's regular checks to keep healthy, see Client health
checks.

Next steps
Use the client health dashboard to view your client health, scenario health, and
common errors. Filter the view by several attributes to see any potential issues by OS
and client versions. For more information, see Client health dashboard.

For more information about the log files used by client deployment and management
operations, see Log files.
Client health dashboard
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You deploy software updates and other apps to help secure your environment, but these
deployments only reach healthy clients. Unhealthy Configuration Manager clients
adversely affect overall compliance. Determining client health can be challenging
depending upon the denominator: how many total devices should be in your scope of
management? For example, if you discover all systems from Active Directory, even if
some of those records are for retired machines, this process increases your
denominator.

Configuration Manager provides a dashboard with information about the health of
clients in your environment. View your client health, scenario health, and common
errors. Filter the view by several attributes to see any potential issues by OS and client
versions.

By default, the client health dashboard shows online clients, and clients active in the
past three days. So you may see different numbers in this dashboard than in other
historical sources of client health. For example, other nodes under Client Status, or
reports in the client status category.

In the Configuration Manager console, go to the Monitoring workspace. Expand Client
status, and select the Client health dashboard node.

Note

Configuration Manager version 2111 includes improvements to this dashboard.
This article mainly focuses on the current experience. For more information on the
dashboard appearance and behavior in version 2107 and earlier, see Version 2107
and earlier.

To view this dashboard your account needs the Read Client Status Settings permission
on the Site object.

Configure

There are two actions in the ribbon to configure client health and the dashboard:

Choose Default Collection: Set a persistent user preference for the collection to
scope the dashboard.

When you set the collection on the Filter tile of the dashboard, that selection
resets when you refresh the dashboard.

Client Status Settings: Adjust the evaluation periods for scenario health. By default,
if a client doesn't send scenario-specific data in 7 days, Configuration Manager
considers it unhealthy for that scenario.

Tip

You can also configure these settings from the ribbon of the Client Status
node.

Scenario health isn't measured from your configuration of client settings.
These values can vary based upon the resultant set of policy per device.

Filters
The single Filter tile at the top of the dashboard lets you adjust the data that it displays.
It includes the following filters:

Include client health for offline clients: By default, the dashboard displays only
online clients. This state comes from the client notification channel that updates a
client's status every five minutes. For more information, see About client status.

Only show unhealthy client details: Scope the view to only devices that are
reporting a client health failure.

Tip

Combine this filter with the tiles for Client Versions and OS Versions. For
more information, see Version tiles.

Clients active in last number of days: By default, the dashboard displays clients
that are active in the last three days.

Client health for clients in the following collections: By default, the dashboard
displays devices in the All Systems collection. Browse for a device collection to
scope the view to a subset of devices in a specific collection.

Tip

This filter is temporary. When you refresh the dashboard, it'll reset to the
default. To change the collection scope so it's persistent, use the Choose
default collection action in the ribbon. For more information, see Configure
the dashboard.

Overall client health

This tile shows the percentage of all clients reporting healthy in your hierarchy. This
percentage should be as close to 100% as possible. It's on the top row, which makes it
easier to see when you view the dashboard.

A healthy Configuration Manager client has the following properties:

Online
Actively sending data
Passes all client health evaluation checks

For more information, see About client status.

A healthy client successfully communicates with the site. It reports all data based on the
defined schedules.

Select a segment of this chart to drill down to a device list view.

Clients with any failure

This tile shows the percentage of clients that report any health issue. This percentage
should be as close to 0% as possible.

Hover over the segment to see the number of devices that are unhealthy. Select it to
drill down to a device list view.

Tip

This tile replaces the Combined (All) and Combined (Any) scenarios from earlier
versions.

Version tiles
There are two tiles that show client health by Configuration Manager Client versions
and OS versions. These tiles are useful when you make changes to the filters, such as
Failure only. They can help highlight whether any issues are consistent across a specific
version. Use this information to help you make upgrade decisions.

Select a segment of these charts to drill down to a device list view.

Select Show table to switch to a table view of the data. You can select and copy the data
from the table. Select Show chart to show the donut chart. The following example
shows a chart of Configuration Manager client versions:

Scenario health

This bar chart shows the overall health for the following core scenarios:

Client health evaluation (client policy)
Policy request
Software inventory
Hardware inventory
Heartbeat discovery
Status messaging operational (status messages)

Health trends by scenario

This tile shows the percentage of healthy clients for the selected scenario. To adjust the
number of days the chart displays, use the slider control at the top of the tile.

Note

The maximum value for the slider control is the same as the Retain client status
history for the following number of days in Client Status Settings. It's 31 days by
default.

It's limited by the amount of client health data in the site database. For example,
if you configure it to display 31 days of history but only three days of data are
available, the chart shows three days.

Top 10 client health failures

This chart lists the most common failures in your environment. These errors come from
Windows or Configuration Manager.

Select a row of this table to drill down to a device list view. This action lets you easily
create a collection of devices to target a remediation action or for more detailed
reporting.

Version 2107 and earlier

Note

This section applies to version 2107 and earlier.

Filters in 2107 and earlier

At the top of the dashboard, there's a set of filters to adjust the data displayed in the
dashboard.

Client health for clients in the following collections: By default, the dashboard
displays devices in the All Systems collection. Select a device collection to scope
the view to a subset of devices in a specific collection.

Client active in last number of days: By default, the dashboard displays clients that
are active in the last three days.

Include client health for offline clients: By default, the dashboard displays only
online clients. This state comes from the client notification channel that updates a
client's status every five minutes. For more information, see About client status.

Only show unhealthy client details: Scope the view to only devices that are
reporting a client health failure.

Tip

Use this filter along with the client version and OS version tiles. For more
information, see Version tiles.

Overall client health in 2107 and earlier

This tile shows the overall client health in your hierarchy.

A healthy Configuration Manager client has the following properties:

Online
Actively sending data
Passes all client health evaluation checks

For more information, see About client status.

A healthy client successfully communicates with the site. It reports all data based on the
defined schedules in client settings.

Select a segment of this chart to drill down to a device list view.

Version tiles in 2107 and earlier

There are two tiles that show client health by Configuration Manager client version and
OS version. These tiles are useful when you make changes to the filters, such as Failure
only. They can help highlight whether any issues are consistent across a specific version.
Use this information to help you make upgrade decisions.

Select a segment of these charts to drill down to a device list view.

Scenario health in 2107 and earlier

This bar chart shows the overall health for the following core scenarios:

Client policy
Heartbeat discovery
Hardware inventory
Software inventory
Status messages

Use the selectors to adjust the focus on specific scenarios in the chart.

The following two bars are always shown:

Combined (All): the combination of all scenarios (AND)
Combined (Any): at least one of the scenarios (OR)

Top 10 client health failures in 2107 and earlier

This chart lists the most common failures in your environment. These errors come from
Windows or Configuration Manager.

Next steps
For more information on the client's regular checks to keep healthy, see Client health
checks.

Use the Surface device dashboard to see the use of Surface devices in your
environment.

Client health checks
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The Configuration Manager client regularly runs checks and remediations to keep itself
healthy. For more information, see How to monitor clients.

Client checks

Verify that the client was installed correctly

If the client isn't correctly installed, start by troubleshooting client install. Review the
ccmsetup.log. Often, remediation requires that you reinstall the client.

Verify that client prerequisites are installed

Verify that the client prerequisites are installed. The client reads the file ccmsetup.xml in
the client installation folder to discover the prerequisites. By default:
C:\Windows\ccmsetup\ccmsetup.xml

Most client prerequisites are available by default in Windows, or installed automatically
by the Configuration Manager client. To remediate problems with prerequisites, you can
try to install them manually, or reinstall the client.

Verify the client service

There are three checks for the SMS Agent Host client service (CcmExec):

First, it verifies that the service exists. If it doesn't exist, you need to reinstall the
client.

Next, it verifies that the service startup type is automatic. To remediate a failure
with this check, reset the service startup type to automatic. Check group policies to
make sure something isn't automatically configuring the service startup type.

Then it verifies that the client service is running. The remediation for this check is
to start the client service. Then monitor it to make sure it keeps running. Review
Windows event logs to see if there are any related activities that might be stopping
the service. Review client logs to make sure it's not failing to start.

Verify that client check has recently run

Verify that the client check scheduled task (CcmEval) has run at least one time in the past
three days. You can manually run the scheduled task. Make sure that Windows can run
scheduled tasks.

Verify that the client database is healthy

The client uses a built-in version of SQL Server Compact Edition (CE) to locally store
information. If this check fails, reinstall the Configuration Manager client to remediate.

Verify WMI

There are several checks specific to WMI. The first three checks are for the Windows
Management Instrumentation (WMI) service (Winmgmt).

Verify that the service exists. WMI is a fundamental component of Windows. If this
service doesn't exist, you may need to reinstall Windows.

Verify that the service startup type is automatic. To remediate a failure with this
check, reset the service startup type to automatic. Check group policies to make
sure something isn't automatically configuring the service startup type.

Verify that the service is running. The remediation for this check is to start the WMI
service. Then monitor it to make sure it keeps running. Review Windows event logs
to see if there are any related activities that might be stopping the service.

There are two other checks to test the overall health of WMI on the device:

The WMI repository integrity test checks that Configuration Manager client entries
exist in WMI. If this check fails, reinstall the Configuration Manager client.

The WMI event sink test checks whether the Configuration Manager-related WMI
event sink is lost. If this check fails, restart the client service.

Verify the antimalware service

There are two checks for whatever antimalware service is registered with Windows:

Verify that the antimalware service startup type is automatic. To remediate a failure
with this check, reset the service startup type to automatic. Check group policies to
make sure something isn't automatically configuring the service startup type.

Verify that the antimalware service is running. The remediation for this check is to
start the antimalware service. Then monitor it to make sure it keeps running.
Review Windows event logs to see if there are any related activities that might be
stopping the service.

If you're using Windows Defender, the Configuration Manager client also verifies the
Windows Defender Antivirus Network Inspection Service (WdNisSvc). It checks to make
sure the service startup type is manual.

Verify Windows Update service

This check verifies that the Windows Update service (wuauserv) startup type is
automatic or manual. To remediate a failure with this check, reset the service startup
type to automatic. Check group policies to make sure something isn't automatically
configuring the service startup type.

Verify the policy platform

There are three checks for the Microsoft Policy Platform service (lppsvc):

Verify that the service exists. The policy platform is one of the prerequisite
components that the Configuration Manager client automatically installs. If this
service doesn't exist, reinstall the Configuration Manager client.

Verify that the service startup type is manual. To remediate a failure with this check,
reset the service startup type to manual. Check group policies to make sure
something isn't automatically configuring the service startup type.

Policy platform WMI integrity test. To remediate a failure with this check, repair the
policy platform.

Verify BITS service

There are two checks for the Background Intelligent Transfer Service (BITS):

Verify that the service exists. BITS is a fundamental component of Windows. If this
service doesn't exist, you may need to reinstall Windows.

Verify that the service startup type is automatic or manual. To remediate a failure
with this check, reset the service startup type to automatic. Check group policies to
make sure something isn't automatically configuring the service startup type.

Verify remote control

If you enable the remote control agent in client settings, there are two checks for the
Configuration Manager Remote Control service (CmRcService):

Verify that the service startup type is automatic or manual. To remediate a failure with this
check, reset the service startup type to automatic. Check group policies to make
sure something isn't automatically configuring the service startup type.

Verify that the service is running. The remediation for this check is to start the
remote control service. Then monitor it to make sure it keeps running. Review
Windows event logs to see if there are any related activities that might be stopping
the service.

Verify wake-up proxy

If you enable the wake-up proxy in client settings, there are two checks for the
Configuration Manager Wake-up Proxy service:

Verify that the service startup type is automatic. To remediate a failure with this
check, reset the service startup type to automatic. Check group policies to make
sure something isn't automatically configuring the service startup type.

Verify that the service is running. The remediation for this check is to start the
wake-up proxy service. Then monitor it to make sure it keeps running. Review
Windows event logs to see if there are any related activities that might be stopping
the service.
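
The checks above can be reproduced as a read-only audit on a single device before you decide on a remediation. The following script is an added example, not Microsoft's CcmEval code or any other code from this article. Service names and expected startup types are taken from the sections above; the wake-up proxy and antimalware services are not checked because the article gives no service names for them. The CcmEval scheduled task is located by the executable its action runs rather than by a task name, which is an assumption about how the task is registered; the default ccmsetup.xml path is the one the article gives.

```powershell
# Added example: read-only audit mirroring the Configuration Manager client health
# checks described in this article. Not Microsoft's CcmEval implementation.
# Win32_Service.StartMode reports 'Auto' (also for delayed start), 'Manual' or 'Disabled'.
# Optional = the service only exists when the matching client setting is enabled.
$ServiceChecks = @(
    @{ Name = 'CcmExec';     Expected = 'Auto';          MustRun = $true;  Optional = $false }
    @{ Name = 'Winmgmt';     Expected = 'Auto';          MustRun = $true;  Optional = $false }
    @{ Name = 'wuauserv';    Expected = 'Auto','Manual'; MustRun = $false; Optional = $false }
    @{ Name = 'BITS';        Expected = 'Auto','Manual'; MustRun = $false; Optional = $false }
    @{ Name = 'lppsvc';      Expected = 'Manual';        MustRun = $false; Optional = $false }
    @{ Name = 'WdNisSvc';    Expected = 'Manual';        MustRun = $false; Optional = $true  }
    @{ Name = 'CmRcService'; Expected = 'Auto','Manual'; MustRun = $true;  Optional = $true  }
)

function New-CheckResult ([string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{
        Check  = $Check
        Status = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail = $Detail
    }
}

function Test-CMClientHealth {
    # Service existence, startup type and (where the article requires it) running state.
    foreach ($c in $ServiceChecks) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($c.Name)'"
        if (-not $svc) {
            if ($c.Optional) { continue }   # feature not enabled on this client
            New-CheckResult "Service $($c.Name) exists" $false 'service not found'
            continue
        }
        $modeOk = @($c.Expected) -contains $svc.StartMode
        New-CheckResult "Service $($c.Name) startup type" $modeOk `
            "StartMode=$($svc.StartMode), expected $(@($c.Expected) -join ' or ')"
        if ($c.MustRun) {
            New-CheckResult "Service $($c.Name) running" ($svc.State -eq 'Running') "State=$($svc.State)"
        }
    }

    # Client check scheduled task (CcmEval) must have run in the past three days.
    # Assumption: the task is found by the executable its action runs, not by name.
    $task = Get-ScheduledTask |
        Where-Object { $_.Actions.Execute -like '*CcmEval*' } |
        Select-Object -First 1
    if ($task) {
        $info   = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
        $recent = $info.LastRunTime -gt (Get-Date).AddDays(-3)
        New-CheckResult 'CcmEval task ran in last 3 days' $recent "LastRunTime=$($info.LastRunTime)"
    } else {
        New-CheckResult 'CcmEval task exists' $false 'no scheduled task runs CcmEval'
    }

    # Prerequisite manifest the client reads (default path from the article).
    $manifest = Join-Path $env:windir 'ccmsetup\ccmsetup.xml'
    New-CheckResult 'ccmsetup.xml present' (Test-Path $manifest) $manifest

    # WMI repository integrity: the client's own entries must exist in root\ccm.
    try {
        $client = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client' -ErrorAction Stop
        New-CheckResult 'Client entries in WMI (root\ccm)' $true "ClientVersion=$($client.ClientVersion)"
    } catch {
        New-CheckResult 'Client entries in WMI (root\ccm)' $false $_.Exception.Message
    }
}

Test-CMClientHealth | Format-Table -AutoSize
```

The script only reports; it never changes a startup type or starts a service, so it can run on a suspect device while you compare its output with the client's own CcmEval results. A FAIL on a startup type usually points at group policy or another management agent, as the article notes, so check that before resetting the service yourself.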

Most common check failures

The following checks have the most commonly reported failures. The numbers are
included to provide scale between the checks.

Verify CcmEval task has run in recent cycles (4,950)
Verify client prerequisites (554)
Verify Windows Update service startup type (399)
Verify Configuration Manager Remote Control service status (345)
Verify Configuration Manager Remote Control service startup type (294)
Verify SMS Agent Host service status (249)
Verify SQL Server CE database is healthy (157)
Verify client WMI Provider (131)
Verify client installation (120)
WMI event sink test (93)

Next steps

Client health dashboard

How to configure client status

How to deploy clients to Windows computers

Configuration Manager troubleshooting

Surface device dashboard in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The Surface device dashboard gives you information about Surface devices found in
your environment at a single glance.

How to open
To open the Surface device dashboard, use the following steps:

1. Open the Configuration Manager console.
2. Select the Monitoring workspace.
3. To load the dashboard, select the Surface Devices node.

Review information
The Surface device dashboard shows three graphs:

Percent of Surface devices: The percentage of Surface devices throughout your
environment.

Surface Models: The number of devices per Surface model. Hover over a graph
section to see the percentage of Surface devices for that model. Select a graph
section to go through to a device list for that model.

Top five firmware versions: The top five firmware versions in your environment.
Hover over a graph section to see the number of Surface devices with that
firmware version. Select a graph section to go through to a device list.

Next steps
You can use Configuration Manager to deploy Surface firmware updates. For more
information, see Managing Surface driver updates.

For more information about Surface devices, see the Surface website.

Removed and deprecated features for Configuration Manager
Article • 07/03/2023

Applies to: Configuration Manager (current branch)

This article lists the features that are deprecated or removed from support for
Configuration Manager. Deprecated features will be removed in a future update. These
future changes might affect your use of Configuration Manager.

This information is subject to change with future releases. It might not include each
deprecated Configuration Manager feature.

Deprecated features
The following features are deprecated. You can still use them now, but Microsoft plans
to end support in the future.

Feature | Deprecation first announced | Planned end of support
Community hub service and integration with ConfigMgr | October 2022 | The first release after March 1, 2023
Windows Information Protection | July 2022 | TBD
Upgrade from any version of System Center 2012 Configuration Manager to current branch. For more information, see Upgrade to Configuration Manager current branch | April 2022 | Version 2303
The Configuration Manager client for macOS and Mac client management. For more information, see Supported clients: Mac computers. Migrate management of macOS devices to Microsoft Intune. For more information, see Deployment guide: Manage macOS devices in Microsoft Intune. | January 2022 | December 31, 2022
The site system roles for on-premises MDM and macOS clients: enrollment proxy point and enrollment point. | January 2022 | December 31, 2022
The Microsoft Store for Business and Education. For more information, see Manage apps from the Microsoft Store for Business and Education with Configuration Manager. | November 2021 | The first release after March 1, 2023
Asset intelligence. For more information, see Asset intelligence deprecation. | November 2021 | The first release after November 1, 2022
On-premises MDM. For more information, see On-premises MDM in Configuration Manager. | November 2021 | The first release after November 1, 2022
Azure Active Directory (Azure AD) Graph API and Azure AD Authentication Library (ADAL), which is used by Configuration Manager for some cloud-attached scenarios. If you use cloud-attached features such as co-management, tenant attach, or Azure AD discovery, starting June 30, 2022, these features may not work correctly in Configuration Manager version 2107 or earlier. Stay current with Configuration Manager to make sure these features continue to work. For more information, see CMG FAQ. | July 2021 | June 30, 2022
The BitLocker management implementation for the recovery service has changed. The legacy MBAM-based service is replaced by the messaging processing engine on the management point. | March 2021 | The first release after May 2022
Older style of console extensions that haven't been approved in the Console Extension node will no longer be supported. For more information about new console extensions, see Manage console extensions. | April 2021 | TBD (see Note 1)
Sites that allow HTTP client communication. Configure the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP. | March 2021 | The first release after November 1, 2022
The geographical view in the Site Hierarchy node of the Monitoring workspace in the Configuration Manager console. | August 2020 | The first release after October 2023
The implementation for sharing content from Azure has changed. Use a content-enabled cloud management gateway. Starting in version 2107, you can't create a traditional cloud distribution point. | February 2019 | The first release after October 5, 2022
Cloud management gateway and cloud distribution point deployments with Azure Service Manager using a management certificate. For more information, see Plan for CMG. | November 2018 | The first release after October 5, 2022

Note 1: Support removed TBD

The specific timeframe is to be determined (TBD). Microsoft recommends that you
change to the new process or feature, but you can continue to use the deprecated
process or feature for the near future.

Unsupported and removed features

The following features are no longer supported. In some cases, they're no longer in the
product.

Feature | Deprecation first announced | Support removed
Desktop Analytics. For more information, see Windows compatibility reports in Intune. | November 2021 | November 30, 2022
The ability to deploy a cloud management gateway (CMG) as a cloud service (classic). All CMG deployments should use a virtual machine scale set. | September 2021 | Version 2203
The following compliance settings for Company resource access: Certificate profiles, VPN profiles, Wi-Fi profiles, Windows Hello for Business settings, and email profiles. This deprecation includes the co-management resource access workload. Use Microsoft Intune to deploy resource access profiles. For more information, see Frequently asked questions about resource access deprecation. | March 2021 | Version 2203
Desktop Analytics data for Windows 7, Windows 8, and earlier versions of Windows 10 that don't support the Windows diagnostic data processor configuration. | July 2021 | January 31, 2022
Third-party add-ons that use Microsoft .NET Framework version 4.6.1 or earlier, and rely on Configuration Manager libraries. Such add-ons need to use .NET 4.6.2 or later. For more information, see External dependencies require .NET 4.6.2. | September 2021 | Version 2111
Log Analytics connector for Azure Monitor. This feature is called the OMS Connector in the Azure Services node. | November 2020 | Version 2107
Microsoft Edge legacy browser profiles. For more information, see New Microsoft Edge to replace Microsoft Edge Legacy with April’s Windows 10 Update Tuesday release | March 2021 | April 2021
The collection evaluation viewer, which was integrated in version 2010. | November 2020 | Version 2103
Desktop Analytics tile and page for Security Updates | December 2020 | March 2021
Desktop Analytics option to View recent data for device enrollment and security updates. For more information, see Data latency. | May 2020 | July 2020
Windows Analytics and Upgrade Readiness integration. For more information, see KB 4521815: Windows Analytics retirement on January 31, 2020. | October 14, 2019 | January 31, 2020
Device health attestation assessment for conditional access compliance policies. For more information, see What happened to hybrid MDM. | July 3, 2019 | Version 1910
The Configuration Manager Company Portal app | May 21, 2019 | Version 1910
The application catalog, including both site system roles: the application catalog website point and web service point. For more information, see Remove the application catalog. | May 21, 2019 | Version 1910
Certificate-based authentication with Windows Hello for Business settings in Configuration Manager. For more information, see Windows Hello for Business settings. | December 2017 | Version 1910
System Center Endpoint Protection for Mac and Linux. For more information, see End of support blog post. | October 2018 | December 31, 2018
On-premises conditional access. For more information, see What happened to hybrid MDM. | January 30, 2019 | September 1, 2019
Hybrid mobile device management (MDM). For more information, see What happened to hybrid MDM. Starting with the 1902 Intune service release, expected at the end of February 2019, new customers can't create a new hybrid connection. | August 14, 2018 | September 1, 2019
Security Content Automation Protocol (SCAP) extensions. | September 2018 | Version 1810
The Silverlight user experience for the application catalog website point is no longer supported. Users should use the new Software Center. For more information, see Configure Software Center. | August 11, 2017 | Version 1806
The previous version of Software Center. For more information about the new Software Center, see Plan for and configure application management. | December 13, 2016 | Version 1802
Management of Virtual Hard Disks (VHDs) with Configuration Manager. This deprecation includes removal of options to create a new VHD or manage a VHD using a task sequence, and the removal of the Virtual Hard Disks node from the Configuration Manager console. Existing VHDs are not deleted, but are no longer accessible from within the Configuration Manager console. | January 6, 2017 | Version 1710
Task sequences: Convert Disk to Dynamic; Install Deployment Tools | November 18, 2016 | Version 1710
Upgrade Assessment Tool. The Upgrade Assessment Tool depends on both Configuration Manager and the Application Compatibility Toolkit (ACT) 6.x. The final version of ACT was shipped in the Windows 10 v1511 ADK. As there are no further updates to ACT, support for the Upgrade Assessment Tool is discontinued. Deprecation notice was added to the download page for UAT on September 12, 2016. | September 12, 2016 | July 11, 2017
Software update points with a network load balancing (NLB) cluster | February 27, 2016 | Version 1702
Task sequences: OSDPreserveDriveLetter. During an operating system deployment, by default, Windows Setup now determines the best drive letter to use (typically C:). If you want to specify a different drive to use, you can change the location in the Apply Operating System task sequence step. Go to the Select the location where you want to apply this operating system setting. Select Specific logical drive letter and choose the drive that you want to use. | June 20, 2016 | Version 1606
Network Access Protection (NAP) - as found in System Center 2012 Configuration Manager | July 10, 2015 | Version 1511
Out of Band Management - as found in System Center 2012 Configuration Manager | October 16, 2015 | Version 1511
System Center Configuration Manager Management Pack - for System Center Operations Manager is not available for download | October 16, 2015 | Version 1511

WINS
Windows Internet Name Service (WINS) is a legacy computer name registration and
resolution service. It's a deprecated service. You should replace WINS with Domain
Name System (DNS). For more information, see Windows Internet Name Service (WINS).

Out of Band Management

With Configuration Manager, native support for AMT-based computers from within the
Configuration Manager console has been removed.

AMT-based computers remain fully managed when you use the Intel SCS Add-on
for Configuration Manager. The add-on provides you access to the latest
capabilities to manage AMT, while removing limitations introduced until
Configuration Manager could incorporate those changes.

Out of Band Management in System Center 2012 Configuration Manager is not
affected by this change.

Network Access Protection

Configuration Manager has removed support for Network Access Protection. The
feature has been deprecated in Windows Server 2012 R2, and is removed from Windows
10.

For network access protection alternatives, see the Deprecated functionality section of
Network Policy and Access Services Overview.

See also
Removed and deprecated
Microsoft Support Lifecycle
Support for current branch versions of Configuration Manager

How to manage clients in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When the Configuration Manager client installs on a device and successfully assigns to a
site, you see the device in the Assets and Compliance workspace in the Devices node,
and in one or more collections in the Device Collections node. Select the device or a
collection, and then run management operations. However, there are other ways to
manage the client, which might involve other workspaces in the console, or tasks
outside of the console.

Note

If you install the Configuration Manager client, but it hasn't yet successfully
assigned to a site, it might not display in the console. After the client assigns to a
site, update collection membership, and then refresh the console view.

A device can also display in the console when the Configuration Manager client
isn't installed. This behavior happens if the site discovers a device but the client
isn't installed and assigned.

Mobile devices managed with the Exchange Server connector or on-premises
MDM don't install the Configuration Manager client.

To manage a device from the console, use the Client column in the Devices node to
determine whether the client is installed.

Manage clients from the Devices node

Depending on the device type, some of these options might not be available.

1. In the Configuration Manager console, go to the Assets and Compliance
workspace, and select the Devices node.

2. Select one or more devices, and then select one of these client management tasks
from the ribbon. You can also right-click the device.

Import user device affinity

Configure the associations between users and devices, so you can efficiently deploy
software to users.

For more information, see Link users and devices with user device affinity.

Import computer information

Launch the Import Computer Information Wizard to import new computer information
into the Configuration Manager database. You can import multiple computers using a
file, or specify information for a single computer.

Add selected items

Provides the following options:

Add selected items to existing device collection: Opens the Select Collection
dialog box. Select the collection to which you want to add this device. The device is
included in this collection by using a Direct membership rule.

Add selected items to new device collection: Opens the Create Device Collection
Wizard where you can create a new collection. The selected device is included
in this collection by using a Direct membership rule.

For more information, see How to create collections.

Install client
Opens the Install Client Wizard. This wizard uses client push installation to install or
reinstall the Configuration Manager client on the selected device.

Tip

There are many different ways to install the Configuration Manager client. Although
the Client Push wizard offers a convenient client installation method from the
console, this method has many dependencies and isn't suitable for all
environments. For more information about the dependencies, see Prerequisites for
deploying clients to Windows computers. For more information about the other
client installation methods, see Client installation methods.

For more information, see How to install Configuration Manager clients by using client
push.

Run script
Opens the Run Script wizard to run a PowerShell script on the selected device.

For more information, see Create and run PowerShell scripts.

Install application
Install an application to a device in real time. This feature can help reduce the need for
separate collections for every application.

Starting in version 2111, select the Install Application Group action for an app group.

For more information, see Install applications for a device.

Reassign site
Reassign one or more clients, including managed mobile devices, to another primary
site in the hierarchy. You can individually reassign clients or select more than one to
reassign them in bulk.

Client settings - Resultant client settings

When you deploy multiple client settings to the same device, the prioritization and
combination of settings is complex. Use this option to view the resultant set of client
settings deployed to this device.

For more information, see How to configure client settings.

Start
Run Resource Explorer to see the hardware and software inventory information
from a Windows client. For more information, see the following articles:

How to use Resource Explorer to view hardware inventory

How to use Resource Explorer to view software inventory

Remotely administer the device by using Remote Control, Remote Assistance, or
Remote Desktop Client. For more information, see How to remotely administer a
Windows client computer.

Approve
When the client communicates with site systems using HTTP and a self-signed
certificate, you must approve the client to identify it as a trusted computer. By
default, the site automatically approves clients from the same Active Directory forest,
from trusted forests, and from connected Azure Active Directory (Azure AD) tenants, so
you don't have to approve each of those clients manually. Manually approve workgroup
computers, clients from an untrusted forest that you trust, and any other unapproved
computers that you trust.

Important

Although some management functions might work for unapproved clients, this is
an unsupported scenario for Configuration Manager.

You don't have to approve clients that always communicate to site systems using HTTPS,
or clients that use a PKI certificate when they communicate to site systems using HTTP.
These clients establish trust by using the PKI certificates.

Block or unblock
Block a client that you no longer trust. Blocking prevents the client from receiving policy,
and prevents site systems from communicating with the client.

Important

Blocking a client only prevents communication from the client to Configuration
Manager site systems. It doesn't prevent communication to other devices. When
the client communicates to site systems by using HTTP instead of HTTPS, there are
some security limitations.

You can also unblock a client that is blocked.

For more information, see Determine whether to block clients.
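Approval and blocking are trust decisions about individual client records, and both can be scripted from a console PowerShell session with the ConfigurationManager module loaded and the site drive selected. The following script is an added example, not code from the Configuration Manager documentation. It assumes that Get-CMDevice returns the IsClient, IsApproved, IsBlocked and Domain properties, that Approve-CMDevice and Block-CMDevice accept -DeviceName, and it uses a constructed allowlist of workgroup machine names in place of your own:

```powershell
# Added example (not from the Configuration Manager documentation). Run in a
# console PowerShell session with the ConfigurationManager module loaded and the
# site drive selected (Set-Location "$SiteCode`:").
# Assumptions: Get-CMDevice exposes IsClient, IsApproved, IsBlocked and Domain;
# Approve-CMDevice and Block-CMDevice accept -DeviceName. Verify with Get-Help.
$TrustedWorkgroupHosts = @('KIOSK-01', 'KIOSK-02')   # constructed example allowlist

# 1. Report every client record the site has not approved, or has blocked.
#    Unapproved clients only arise with HTTP plus self-signed certificates, so each
#    one is a trust decision an administrator must make, not a backlog to clear blindly.
$review = Get-CMDevice |
    Where-Object { $_.IsClient -and (-not $_.IsApproved -or $_.IsBlocked) } |
    Select-Object Name, Domain, IsApproved, IsBlocked

$review | Format-Table -AutoSize

# 2. Approve only devices that are unapproved, not blocked, and on the allowlist.
#    Anything unapproved that is NOT on the list stays unapproved and is written out
#    for follow-up rather than approved in bulk.
foreach ($d in ($review | Where-Object { -not $_.IsApproved -and -not $_.IsBlocked })) {
    if ($TrustedWorkgroupHosts -contains $d.Name) {
        Approve-CMDevice -DeviceName $d.Name
        Write-Host "Approved $($d.Name)"
    } else {
        Write-Warning "Unapproved client not on allowlist, left unapproved: $($d.Name) ($($d.Domain))"
    }
}

# 3. Block a device you no longer trust. Blocking stops policy delivery and site
#    communication for that record; it does not reach into the device itself.
function Block-UntrustedDevice {
    param([Parameter(Mandatory)][string]$Name)
    $dev = Get-CMDevice -Name $Name
    if (-not $dev) { throw "No device record named $Name" }
    if ($dev.IsBlocked) { Write-Host "$Name is already blocked"; return }
    Block-CMDevice -DeviceName $Name
    Write-Host "Blocked $Name"
}

# Block-UntrustedDevice -Name 'LAPTOP-LOST-07'   # constructed example name
```

The allowlist check is deliberate: a script that approves every unapproved record would remove the only trust gate that exists for HTTP clients with self-signed certificates.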

Clear required PXE deployments
You can redeploy a required PXE deployment by clearing the status of the last PXE
deployment assigned to a Configuration Manager collection or a computer. This action
resets the status of that deployment and reinstalls the most recent required
deployments.

For more information, see Use PXE to deploy Windows over the network.

Client notification
For more information, see Client notifications.

Endpoint Protection
For more information, see Client notifications.

Edit primary users
View users of this device in the last 90 days, or specify the primary users of this device.

For more information, see Link users and devices with user device affinity.

Wipe a mobile device
You can wipe mobile devices that support the wipe command. This action permanently
removes all data on the mobile device, including personal settings and personal data.
Typically, this action resets the mobile device back to factory defaults. Wipe a mobile
device when it's no longer trusted. For example, if the device is lost or stolen.

Tip

Check the manufacturer's documentation for more information about how the
mobile device processes a remote wipe command.

There's often a delay until the mobile device receives the wipe command:

If the mobile device is enrolled by Configuration Manager, the client receives the
command when it downloads its client policy.

If the mobile device is managed by the Exchange Server connector, it receives the
command when it synchronizes with Exchange.

To monitor when the device receives the wipe command, use the Wipe Status column.
Until the device sends a wipe acknowledgment to Configuration Manager, you can
cancel the wipe command.

Retire a mobile device
The Retire option is supported only by mobile devices enrolled by on-premises MDM.

For more information, see Help protect your data with remote wipe, remote lock, or
passcode reset.

Change ownership
If a device isn't domain-joined and doesn't have the Configuration Manager client
installed, use this option to change the ownership to Company or Personal.

You can use this value in application requirements to control deployments, and to
control how much inventory is collected from users' devices.

You may need to add the Device Owner column to the view by right-clicking any
column heading and choosing it.

Delete

Warning

Don't delete a client if you want to uninstall the Configuration Manager client or
remove it from a collection.

The Delete action manually removes the client record from the Configuration Manager
database. Only use this action to troubleshoot a problem. If you delete the object, but
the client is still installed and communicating with the site, Heartbeat Discovery
recreates the client record. It reappears in the Configuration Manager console, although
the client history and any previous associations are lost.

Note

When you delete a mobile device client that was enrolled by Configuration
Manager, this action also revokes the issued PKI certificate. This certificate is then
rejected by the management point, even if IIS doesn't check the certificate
revocation list (CRL).

Certificates on mobile device legacy clients are not revoked when you delete these
clients.

To uninstall the client, see Uninstall the Configuration Manager client.

To assign the client to a new primary site, see How to assign clients to a site.

To remove the client from a collection, reconfigure the collection properties. For more
information, see How to manage collections.

Refresh
Refresh the console view with the latest data in the database. For example, if a device
appears in the list from discovery, but doesn't show as installed. After you install the
client and make sure it's assigned to the site, select Refresh.

Properties
View the discovery data and deployments targeted for the client.

Switch to the Variables tab to configure variables that task sequences use to deploy an
OS to the device. For more information, see Create task sequence variables for devices
and collections.

Starting in version 2111, switch to the Custom properties tab to manually set custom
properties on the device for reporting or to create collections. For more information, see
Custom properties for devices.

Manage clients from the Device Collections node
Many of the tasks that are available for devices in the Devices node are also available on
collections. The console automatically applies the operation to all eligible devices in the
collection. This action on an entire collection generates more network packets and
increases CPU usage on the site server.

Consider the following questions before you run collection-level tasks. Once started, you
can't stop the task from the console.

How many devices are in the collection?
Are the devices connected by low-bandwidth network connections?
How much time does this task need to complete for all the devices?

For more information, see How to manage collections.

Restart clients
Use the Configuration Manager console to identify clients that require a restart. Then
use a client notification action to restart them.

Tip

Enable automatic client upgrade to keep your clients up-to-date with less effort.
For more information, see About automatic client upgrade.

To identify devices that are pending a restart, go to the Assets and Compliance
workspace in the Configuration Manager console and select the Devices node. Then
view the status for each device in the details pane in the Pending Restart column.
Each device has one or more of the following values:

No: there's no pending restart
Configuration Manager: this value comes from the client reboot coordinator
component (RebootCoordinator.log)
File rename: this value comes from Windows reporting a pending file rename
operation (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager,
PendingFileRenameOperations)
Windows Update: this value comes from the Windows Update Agent reporting that a
pending restart is required for one or more updates
(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto
Update\RebootRequired)
Add or remove feature: this value comes from Windows component-based servicing
reporting that the addition or removal of a Windows feature requires a restart
(HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based
Servicing\RebootPending)
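The four signals behind the Pending Restart column can be checked directly on a client, which is useful when the console value looks stale or you want the reason rather than a yes/no. The following PowerShell function is an added example, not code from the Configuration Manager documentation. It reads the three registry locations listed above and, as an assumption about the client SDK, calls the CCM_ClientUtilities.DetermineIfRebootPending method in root\ccm\ClientSDK for Configuration Manager's own verdict:

```powershell
# Added example (not from the Configuration Manager documentation): reproduce the
# client-side checks behind the console's "Pending Restart" column. Run locally on a
# Windows client, or pass -ComputerName to query a remote machine over WinRM.
# Assumptions: the registry paths are the ones the article lists; the
# CCM_ClientUtilities.DetermineIfRebootPending method (root\ccm\ClientSDK) is the
# client SDK call used to read Configuration Manager's own reboot-coordinator state.
function Test-PendingRestart {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $scriptBlock = {
        $reasons = [System.Collections.Generic.List[string]]::new()

        # 1. Windows Update Agent: the mere presence of the RebootRequired key is the signal.
        $wu = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
        if (Test-Path -LiteralPath $wu) { $reasons.Add('Windows Update') }

        # 2. Component-based servicing: RebootPending means a feature add/remove is waiting.
        $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        if (Test-Path -LiteralPath $cbs) { $reasons.Add('Add or remove feature') }

        # 3. Session Manager: a non-empty PendingFileRenameOperations multi-string means
        #    files are queued to be moved or deleted at the next boot. Empty entries are
        #    ignored because the value is sometimes left behind as an empty array.
        $sm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
        $pfro = (Get-ItemProperty -LiteralPath $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations
        if ($pfro -and ($pfro | Where-Object { $_ })) { $reasons.Add('File rename') }

        # 4. Configuration Manager's reboot coordinator (RebootCoordinator.log). Skipped
        #    silently when the client SDK namespace isn't present on this machine.
        try {
            $cm = Invoke-CimMethod -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_ClientUtilities' `
                                   -MethodName 'DetermineIfRebootPending' -ErrorAction Stop
            if ($cm.RebootPending -or $cm.IsHardRebootPending) { $reasons.Add('Configuration Manager') }
        } catch { }

        [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            PendingRestart = ($reasons.Count -gt 0)
            Reasons        = if ($reasons.Count) { $reasons -join ', ' } else { 'No' }
        }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) {
        & $scriptBlock
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $scriptBlock
    }
}

Test-PendingRestart | Format-Table -AutoSize
```

The Reasons column mirrors the console's multi-valued Pending Restart column, so a device that reports both "Windows Update" and "File rename" here will show both values in the console once the client sends its next inventory.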

Create the client notification to restart a device
1. Select the device you want to restart within a collection in the Device Collections
node of the console.
2. In the ribbon, select Client Notification, and then select Restart. An information
window opens about the restart. Select OK to confirm the restart request.

When the notification is received by a client, a Software Center notification window
opens to inform the user about the restart. By default, the restart occurs after 90
minutes. You can modify the restart time by configuring client settings. Settings for the
restart behavior are found on the Computer restart tab of the default settings.

Configure the client content cache
The client cache stores temporary files for when clients install applications and
programs. Software updates also use the client cache, but always attempt to download
to the cache regardless of the size setting. Configure the cache settings, such as size and
location, when you manually install the client, when you use client push installation, or
after installation.

For more information, see Configure the client content cache.

Uninstall the client
You can uninstall the Configuration Manager client software from a computer by using
CCMSetup.exe with the /Uninstall property. Run CCMSetup.exe on an individual
computer from the command prompt, or deploy a package to uninstall the client for a
collection of computers.

Note

You can't uninstall the Configuration Manager client from a mobile device. If you
must remove the Configuration Manager client from a mobile device, you must
wipe the device, which deletes all data on the mobile device.

1. Open a Windows command prompt as an administrator. Change the folder to the
location in which CCMSetup.exe is located, for example: cd %windir%\ccmsetup

2. Run the following command: CCMSetup.exe /uninstall

Tip

The uninstall process displays no results on the screen. To verify that the client
successfully uninstalls, see the following log file:
%windir%\ccmsetup\logs\CCMSetup.log

If you need to wait for the uninstall process to complete before doing something
else, run Wait-Process CCMSetup in PowerShell. This command can pause a script
until the CCMSetup process completes.

Starting in version 2111, when you uninstall the client it also removes the client
bootstrap, ccmsetup.msi, if it exists.
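Because the uninstall prints nothing, a script that removes the client has to wait for CCMSetup to finish and then read the result from CCMSetup.log. The following function is an added example, not code from the Configuration Manager documentation. It assumes CCMSetup ends its run with a log line of the form "CcmSetup is exiting with return code <n>"; confirm that pattern against a log from your own environment before relying on it:

```powershell
# Added example (not from the Configuration Manager documentation): uninstall the
# client, wait for every CCMSetup process to exit, then read CCMSetup.log for the
# result because the uninstall writes nothing to the console.
# Assumption: CCMSetup writes "CcmSetup is exiting with return code <n>" at the end
# of its run; the regular expression below relies on that convention.
function Uninstall-CMClient {
    [CmdletBinding()]
    param(
        [string]$CcmSetupPath = (Join-Path $env:windir 'ccmsetup\ccmsetup.exe'),
        [string]$LogPath      = (Join-Path $env:windir 'ccmsetup\Logs\ccmsetup.log'),
        [int]$TimeoutSeconds  = 900
    )

    if (-not (Test-Path -LiteralPath $CcmSetupPath)) {
        throw "ccmsetup.exe not found at $CcmSetupPath; the client bootstrap may already be gone."
    }

    # Remember where the log ended so only lines written by this run are examined.
    $startLen = if (Test-Path -LiteralPath $LogPath) { (Get-Item -LiteralPath $LogPath).Length } else { 0 }

    # The launcher hands the work to a second ccmsetup process, so waiting on the
    # launcher alone isn't enough: poll until no ccmsetup process remains.
    Start-Process -FilePath $CcmSetupPath -ArgumentList '/uninstall' -WindowStyle Hidden | Out-Null
    Start-Sleep -Seconds 5
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Process -Name 'ccmsetup' -ErrorAction SilentlyContinue) -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 5
    }
    if (Get-Process -Name 'ccmsetup' -ErrorAction SilentlyContinue) {
        throw "CCMSetup still running after $TimeoutSeconds seconds; inspect $LogPath."
    }

    # Read only the bytes appended during this run; open with shared read/write
    # because the log may still be held open.
    $newText = ''
    if (Test-Path -LiteralPath $LogPath) {
        $fs = [System.IO.File]::Open($LogPath, 'Open', 'Read', 'ReadWrite')
        try {
            $fs.Seek([Math]::Min($startLen, $fs.Length), 'Begin') | Out-Null
            $newText = (New-Object System.IO.StreamReader($fs)).ReadToEnd()
        } finally { $fs.Dispose() }
    }
    $m    = [regex]::Match($newText, 'CcmSetup is exiting with return code (\d+)')
    $code = if ($m.Success) { [int]$m.Groups[1].Value } else { -1 }   # -1: no exit line found

    [pscustomobject]@{
        Succeeded   = ($code -eq 0)
        ReturnCode  = $code
        ServiceGone = -not (Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue)
        Log         = $LogPath
    }
}

Uninstall-CMClient | Format-List
```

ServiceGone is a second, independent check: the SMS Agent Host service (CcmExec) should no longer be registered after a clean uninstall, so a return code of 0 with the service still present is worth a look in the log.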

Manage conflicting records
Configuration Manager uses the hardware identifier to attempt to identify clients that
might be duplicates and alert you to the conflicting records. For example, if you reinstall
a computer, the hardware identifier would be the same but the GUID used by
Configuration Manager might be changed.

Configuration Manager automatically resolves conflicts by using Windows
authentication of the computer account or a PKI certificate from a trusted source. When
Configuration Manager can't resolve the conflict of duplicate hardware identifiers, a
hierarchy setting determines the behavior.

Change the hierarchy setting for managing conflicting records
1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. In the ribbon, select Hierarchy Settings.

3. Switch to the Client Approval and Conflicting Records tab, and select one of the
following options:

Automatically resolve conflicting records
Manually resolve conflicting records

Manually resolve conflicting records
1. In the Configuration Manager console, go to the Monitoring workspace, expand
System Status, and select the Conflicting Records node.

2. Select one or more conflicting records, and then choose Conflicting Record.

3. Select one of the following options:

Merge: Combine the newly detected record with the existing client record.

New: Create a new record for the conflicting client record.

Block: Create a new record for the conflicting client record, but mark it as
blocked.

Manage duplicate hardware identifiers
You can provide a list of hardware identifiers that Configuration Manager ignores for
PXE boot and client registration. This list helps to address two common issues:

1. Many new devices don't include an onboard Ethernet port. Technicians use a USB-
to-Ethernet adapter to establish a wired connection for purposes of OS
deployment. These adapters are often shared because of cost and general
usability. The site uses the MAC address of this adapter to identify the device. So
reusing the adapter becomes problematic without other administrator actions
between each deployment. To reuse the adapter in this scenario, exclude its MAC
address.

2. While the SMBIOS attribute should be unique, some specialty hardware devices
have duplicate identifiers. Exclude this duplicate identifier and rely on the unique
MAC address of each device.

Use the following process to add hardware identifiers for Configuration Manager to
ignore:

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. On the Home tab of the ribbon, in the Sites group, choose Hierarchy Settings.

3. Switch to the Client Approval and Conflicting Records tab. To add new hardware
identifiers, choose Add in the Duplicate hardware identifiers section.

PowerShell for duplicate hardware IDs
You can use the following PowerShell cmdlets to automate the management of
duplicate hardware identifiers:

Get-CMDuplicateHardwareIdGuid
New-CMDuplicateHardwareIdGuid
Remove-CMDuplicateHardwareIdGuid
Get-CMDuplicateHardwareIdMacAddress
New-CMDuplicateHardwareIdMacAddress
Remove-CMDuplicateHardwareIdMacAddress
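The shared USB-to-Ethernet adapter case above is the most common reason to use these cmdlets, and the practical problem is that the same MAC address arrives in several spellings (hyphens, colons, no separators, mixed case). The following script is an added example, not code from the Configuration Manager documentation. It normalizes addresses before comparing them with the existing exclusion list so one adapter can't be added twice. It assumes New-CMDuplicateHardwareIdMacAddress takes -MacAddress, that Get-CMDuplicateHardwareIdMacAddress returns objects with a MACAddress property, and that the colon-separated form matches how the site stores entries; the adapter values are constructed:

```powershell
# Added example (not from the Configuration Manager documentation): exclude a shared
# USB-to-Ethernet adapter's MAC address from PXE and client-registration identity,
# normalizing the address first so one adapter can't be registered twice.
# Run in a console PowerShell session with the site drive selected.
# Assumptions: New-CMDuplicateHardwareIdMacAddress takes -MacAddress;
# Get-CMDuplicateHardwareIdMacAddress returns objects with a MACAddress property;
# the colon-separated, upper-case form is the one compared against existing entries.
function ConvertTo-CanonicalMac {
    param([Parameter(Mandatory)][string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()       # strip separators
    if ($hex.Length -ne 12) { throw "'$Mac' is not a 48-bit MAC address" }
    return ((0..5 | ForEach-Object { $hex.Substring($_ * 2, 2) }) -join ':')
}

function Add-SharedAdapterMac {
    param([Parameter(Mandatory)][string[]]$Mac)

    # Canonicalize what the site already excludes so comparisons ignore formatting.
    $existing = @(Get-CMDuplicateHardwareIdMacAddress | ForEach-Object {
        ConvertTo-CanonicalMac $_.MACAddress
    })

    foreach ($m in $Mac) {
        $canon = ConvertTo-CanonicalMac $m
        if ($existing -contains $canon) {
            Write-Host "Already excluded: $canon"
            continue
        }
        New-CMDuplicateHardwareIdMacAddress -MacAddress $canon | Out-Null
        $existing += $canon      # so a repeat within this same call is caught too
        Write-Host "Excluded from PXE/registration identity: $canon"
    }
}

# Constructed example values: the same adapter written three different ways
# collapses to a single exclusion entry.
Add-SharedAdapterMac -Mac '00-15-5D-01-02-03', '00:15:5d:01:02:03', '00155D010203'
```

Keep the exclusion list short and reviewed: every MAC address on it stops being usable as identity evidence for any device, which is exactly what you want for a shared adapter and not what you want for a device's own onboard port.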

Start policy retrieval
A Configuration Manager client downloads its client policy on a schedule that you
configure as a client setting. You can also start on-demand policy retrieval from the
client. For example, for troubleshooting or testing situations.

Client notification
The client control panel
Support Center
A script

Start client policy retrieval with client notification
1. In the Configuration Manager console, go to the Assets and Compliance
workspace, and select Devices.

2. Select the device that you want to download policy. On the Home tab of the
ribbon, in the Device group, select Client Notification, and then choose Download
Computer Policy.

Note

You can also use client notification to start policy retrieval for all devices in a
collection.

Start client policy retrieval from the Configuration Manager client control panel
1. Open the Configuration Manager control panel on the computer.

2. Switch to the Actions tab. Select Machine Policy Retrieval & Evaluation Cycle to
start the computer policy, and then select Run Now.

3. Select OK to confirm the prompt.

4. Repeat the previous steps for any other actions. For example, User Policy Retrieval
& Evaluation Cycle for user client settings.

Start client policy retrieval with Support Center Client Tools
Use Support Center Client Tools to request and view client policy. For more information,
see Support Center reference.

Start client policy retrieval by script
1. Open a script editor, such as Notepad or Windows PowerShell ISE.

2. Copy and insert the following sample PowerShell code into the file:

PowerShell

$trigger = "{00000000-0000-0000-0000-000000000021}"

Invoke-WmiMethod -Namespace root\ccm -Class sms_client -Name TriggerSchedule $trigger

Tip

For more information about the schedule IDs, see Message IDs.

3. Save the file with a .ps1 extension.

4. Run the script on the client.
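The snippet above triggers one schedule by its GUID. In practice you usually want the retrieval and evaluation pair together, or a named action on a remote client, so the following function is an added example, not code from the Configuration Manager documentation, that wraps the same SMS_Client.TriggerSchedule method with a name-to-GUID table and Invoke-CimMethod. The schedule IDs in the table are taken from the Message IDs reference the tip points to; treat the mapping as an assumption and verify it there:

```powershell
# Added example (not from the Configuration Manager documentation): trigger client
# schedules by name instead of raw GUID, using the same SMS_Client.TriggerSchedule
# method as the article's snippet, via Invoke-CimMethod (the current replacement
# for Invoke-WmiMethod). Assumption: the GUIDs below match the Message IDs
# reference; verify before relying on them.
$CMSchedule = @{
    HardwareInventory      = '{00000000-0000-0000-0000-000000000001}'
    SoftwareInventory      = '{00000000-0000-0000-0000-000000000002}'
    DiscoveryData          = '{00000000-0000-0000-0000-000000000003}'
    MachinePolicyRetrieval = '{00000000-0000-0000-0000-000000000021}'
    MachinePolicyEvaluate  = '{00000000-0000-0000-0000-000000000022}'
    UserPolicyRetrieval    = '{00000000-0000-0000-0000-000000000026}'
    UserPolicyEvaluate     = '{00000000-0000-0000-0000-000000000027}'
    UpdateDeploymentEval   = '{00000000-0000-0000-0000-000000000108}'
    UpdateScan             = '{00000000-0000-0000-0000-000000000113}'
    AppDeploymentEvaluate  = '{00000000-0000-0000-0000-000000000121}'
}

function Invoke-CMClientSchedule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('HardwareInventory','SoftwareInventory','DiscoveryData',
                     'MachinePolicyRetrieval','MachinePolicyEvaluate',
                     'UserPolicyRetrieval','UserPolicyEvaluate',
                     'UpdateDeploymentEval','UpdateScan','AppDeploymentEvaluate')]
        [string[]]$Name,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($n in $Name) {
        $id = $CMSchedule[$n]
        # TriggerSchedule is a static method on SMS_Client; its single argument is
        # named sScheduleID.
        $params = @{
            Namespace  = 'root\ccm'
            ClassName  = 'SMS_Client'
            MethodName = 'TriggerSchedule'
            Arguments  = @{ sScheduleID = $id }
        }
        if ($ComputerName -ne $env:COMPUTERNAME) { $params.ComputerName = $ComputerName }
        try {
            Invoke-CimMethod @params -ErrorAction Stop | Out-Null
            [pscustomobject]@{ Computer = $ComputerName; Schedule = $n; ScheduleID = $id; Triggered = $true;  Error = $null }
        } catch {
            [pscustomobject]@{ Computer = $ComputerName; Schedule = $n; ScheduleID = $id; Triggered = $false; Error = $_.Exception.Message }
        }
    }
}

# Retrieve and then evaluate machine policy, the pair the control panel's
# "Machine Policy Retrieval & Evaluation Cycle" runs. Confirm the request was
# processed by watching PolicyAgent.log on the client.
Invoke-CMClientSchedule -Name MachinePolicyRetrieval, MachinePolicyEvaluate | Format-Table -AutoSize
```

A successful method call only means the client accepted the request; whether the policy actually changed is visible in PolicyAgent.log and, for the user policy schedules, only when a user is logged on.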

Next steps
Configure the content cache for clients

Client notification

Configure the content cache for Configuration Manager clients
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The client cache stores temporary files for when clients install applications and
programs. Software updates also use the client cache, but always attempt to download
to the cache regardless of the size setting. Configure the cache settings, such as size and
location, when you manually install the client, when you use client push installation, or
after installation.

You can specify the cache folder size using client settings in the Configuration Manager
console. For more information, see Client cache settings.

The default location for the Configuration Manager client cache is %windir%\ccmcache
and the default disk space is 5120 MB.

Important

Don't encrypt the folder used for the client cache. Configuration Manager can't
download content to an encrypted folder.

About
The Configuration Manager client downloads the content for required software soon
after the deployment's available time but waits to run it until the deployment's
scheduled time. At the scheduled time, the Configuration Manager client checks to see
whether the content is available in the cache. If content is in the cache and it's the
correct version, the client uses the cached content. When the required version of the
content changes, or if the client deletes the content to make room for another package,
the client downloads the content to the cache again.

If the client attempts to download content for a program or application that's greater
than the size of the cache, the deployment fails because of insufficient cache size. The
client generates status message 10050 for insufficient cache size. If you increase the
cache size later, the result is:

For a required program: The client doesn't automatically retry to download the
content. Redeploy the package and program to the client.
For a required application: The client automatically retries to download the content
when it downloads its client policy.

If the client attempts to download content that's less than the size of the cache, but the
cache is full, all required deployments keep retrying until:

The cache space is available
The download times out
The retry count reaches its limit

If you later increase the cache size, the client attempts to download the content again
during the next retry interval. The client tries to download the content every four hours
until it tries 18 times.

Cached content isn't automatically deleted and is only removed if new content requires
its disk space. It remains in the cache for the configured number of minutes after the
client uses that content. If you configure the content with the option to persist content
in the client cache, the client doesn't automatically delete it. If the cache space is used
by content that was downloaded within the configured number of minutes, and the
client must download new content, either increase the cache size or choose the option
to delete persisted cache content. For more information, see About client settings.

Important

Don't manually delete files from the client cache folder using Windows Explorer or
the command line. This action can cause issues with the Configuration Manager
client. The client manages the cache and tracks the content apart from the file
system. Always use a supported method to delete files in the cache.

For applications only, if the content for a related deployment currently exists in the
cache, then the client downloads only new or changed files. Related deployments
include those deployments for older revisions of the same deployment type and
superseded applications.

Configure
Use the following procedures to configure the client cache during manual client
installation or after you install the client.

Configure the cache during manual client installation
Run the CCMSetup.exe command from the install source location and specify the
properties that you require, separated by spaces:

DISABLECACHEOPT

SMSCACHEDIR

SMSCACHEFLAGS

Note

Use the cache size settings available in Client Settings in the Configuration
Manager console instead of SMSCACHESIZE. For more information, see Client
cache settings.

For more information about how to use these command-line properties for
CCMSetup.exe, see About client installation properties.

Configure the cache during client push installation
1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node.

2. Select the appropriate site. On the Home tab of the ribbon, in the Settings group,
select Client Installation Settings, and choose Client Push Installation. Switch to
the Installation Properties tab.

3. Specify the following properties, separated by spaces:

DISABLECACHEOPT

SMSCACHEDIR

SMSCACHEFLAGS

Note

Use the cache size settings available in Client Settings in the Configuration
Manager console instead of SMSCACHESIZE. For more information, see Client
cache settings.

For more information about how to use these command-line properties for
CCMSetup.exe, see About client installation properties.

Configure the cache on the client computer
1. On the client computer, open the Configuration Manager control panel.

2. Switch to the Cache tab. Set the space and location properties. The default location
is %windir%\ccmcache .

3. To delete the files in the cache folder, choose Delete Files.

Important

Don't manually delete files from the ccmcache folder using Windows Explorer
or the command line. This action can cause issues with the Configuration
Manager client. The client manages the cache and tracks the content apart
from the file system. Always use a supported method to delete files in the
cache. For example, the Delete Files option on the control panel.
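The control panel's Delete Files button is one supported method; the other is the client's own cache manager, which is what you want when cleanup has to be scripted across many machines without touching %windir%\ccmcache directly. The following function is an added example, not code from the Configuration Manager documentation. It assumes the UIResource.UIResourceMgr COM object exposes GetCacheInfo(), that the objects returned by GetCacheElements() carry CacheElementID, ContentID, ContentVersion, ContentSize (assumed to be in KB), LastReferenceTime and ReferenceCount, and that DeleteCacheElement(id) removes one element; verify those member names on your client:

```powershell
# Added example (not from the Configuration Manager documentation): remove stale
# content from the client cache through the client's own cache manager so its
# bookkeeping stays consistent with the file system, instead of deleting files
# from %windir%\ccmcache with Explorer or the command line.
# Assumptions: UIResource.UIResourceMgr exposes GetCacheInfo(); cache elements carry
# CacheElementID, ContentID, ContentVersion, ContentSize (KB), LastReferenceTime
# and ReferenceCount; DeleteCacheElement(id) removes one element.
function Clear-CMClientCache {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$OlderThanDays = 30,
        [switch]$IncludeReferenced   # by default, skip content a deployment still references
    )

    $ui     = New-Object -ComObject 'UIResource.UIResourceMgr'
    $cache  = $ui.GetCacheInfo()
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)

    Write-Host ("Cache at {0}: {1} MB configured, {2} MB free" -f $cache.Location, $cache.TotalSize, $cache.FreeSize)

    $freedKB = 0
    foreach ($el in $cache.GetCacheElements()) {
        $lastUsed = [datetime]$el.LastReferenceTime
        $stale    = $lastUsed -lt $cutoff
        $inUse    = ($el.ReferenceCount -gt 0) -and -not $IncludeReferenced
        if (-not $stale -or $inUse) { continue }

        $desc = "{0} v{1} ({2:N0} KB, last used {3:d})" -f $el.ContentID, $el.ContentVersion, $el.ContentSize, $lastUsed
        # -WhatIf lists what would go; -Confirm prompts per element.
        if ($PSCmdlet.ShouldProcess($desc, 'DeleteCacheElement')) {
            $cache.DeleteCacheElement($el.CacheElementID)
            $freedKB += [int64]$el.ContentSize
        }
    }

    [pscustomobject]@{
        FreedKB           = $freedKB
        RemainingElements = @($cache.GetCacheElements()).Count
        FreeMB            = $cache.FreeSize
    }
}

# Dry run first, then the real cleanup.
Clear-CMClientCache -OlderThanDays 30 -WhatIf
Clear-CMClientCache -OlderThanDays 30
```

Leaving referenced content alone by default matters for the retry behaviour described above: a required deployment that is still waiting on cached content will otherwise download it again at the next retry interval.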

Configure client cache size in Client Settings
Adjust the size of the client cache without having to reinstall the client. Use the cache
size settings available in Client Settings in the Configuration Manager console. For more
information, see Client cache settings.

Next steps
Client notification

Client notification in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To take immediate action on remote clients, send a client notification action from the
Configuration Manager console. Start these actions on an individual device or on a
collection of devices.

Actions
The following actions are on the ribbon in the Device or Collection group of the Home
tab.

Install client
Opens the Install Client Wizard. This wizard uses client push installation to install a
Configuration Manager client. For more information, see Client push installation.

Permissions - Install client
This action requires the Modify Resource and Read permissions on the Collection
object.

The following built-in roles have these permissions by default:

Application Administrator
Full Administrator
Infrastructure Administrator
Operations Administrator
OS Deployment Manager

Add these permissions to any custom roles that need to push the client.

Run script
Opens the Run Script wizard to run a PowerShell script on all of the clients in the
collection. For more information, see Create and run PowerShell scripts.

Permissions - Run script
This action requires the Run Script permission on the Collection object.

The following built-in roles have this permission by default:

Full Administrator
Infrastructure Administrator
Operations Administrator

Add this permission to any custom roles that need to run scripts.

Start CMPivot
Starts CMPivot, which runs real-time queries against the targeted devices. For more
information, see CMPivot.

Permissions - Start CMPivot

This action requires the Run CMPivot permission on the Collection object.

Client notification
These actions are under the Client notification menu, on the ribbon in the Device or
Collection group of the Home tab. You can start a Client Notification from the Devices
node or within a collection membership view.

Note

Starting in version 2203, you can perform client notification actions, including Run
Scripts, from the Deployment Status view. Use the right-click menu on either a
group of clients in a Category or a single client in the Asset details pane to display
the client notification actions.

Permissions - Client notification

Client notification actions require the Notify Resource permission on the Collection
object. This permission applies to all actions under the Client notification menu.

The following built-in roles have this permission by default:

Full Administrator
Operations Administrator

Add this permission to any custom roles that need to use client notification actions.

Download computer policy
Refresh the device policy. For more information, see Initiate policy retrieval for a
Configuration Manager client.

Download user policy
Refresh the user policy.

Collect discovery data
Trigger clients to send a discovery data record (DDR). For more information, see
Heartbeat discovery.

Collect software inventory
Trigger clients to run a software inventory cycle. For more information, see Introduction
to software inventory.

Collect hardware inventory
Trigger clients to run a hardware inventory cycle. For more information, see Introduction
to hardware inventory.

Evaluate application deployments
Trigger clients to run an application deployment evaluation cycle. For more information,
see Schedule re-evaluation for deployments.

Evaluate software update deployments
Trigger clients to run a software updates deployment evaluation cycle. For more
information, see Introduction to software updates.

Switch to the next software update point
Trigger clients to switch to the next available software update point. For more
information, see Software update point switching.

Evaluate device health attestation
Trigger Windows 10 or later clients to check and send their latest device health state. For
more information, see Health attestation.

Check conditional access compliance
Trigger clients to check compliance for conditional access policies. For more information,
see Conditional access.

Wake Up
Trigger devices that are configured for Wake-on-LAN to wake up. Other devices on the
same subnet send the Wake-on-LAN packet on the site's behalf. For more information,
see How to configure Wake on LAN.

Restart
Trigger the selected devices to restart. For more information, see Restart clients.
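Both the Restart action here and the collection-level tasks described under "Manage clients from the Device Collections node" share one caveat: once a notification is sent to a collection it can't be cancelled from the console. The following function is an added example, not code from the Configuration Manager documentation, that checks the collection's size before sending and lets you narrow the action to named members. Run it in a console PowerShell session with the site drive selected. It assumes Get-CMCollection returns a MemberCount property and that Invoke-CMClientNotification accepts -CollectionName or -DeviceName together with -ActionType, with ClientNotificationRebootMachine as a valid action name; verify both with Get-Help Invoke-CMClientNotification. The collection name is constructed:

```powershell
# Added example (not from the Configuration Manager documentation): send a
# collection-level client notification only after checking the collection's size,
# because once sent the action can't be cancelled from the console.
# Run in a console PowerShell session with the site drive selected.
# Assumptions: Get-CMCollection returns MemberCount; Invoke-CMClientNotification
# accepts -CollectionName / -DeviceName with -ActionType, and
# ClientNotificationRebootMachine is a valid -ActionType value.
function Send-CMClientNotificationSafely {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$CollectionName,
        [Parameter(Mandatory)][string]$ActionType,
        [int]$MaxDevices = 200,
        [string[]]$OnlyDevices    # optional: target named members instead of the whole collection
    )

    $coll = Get-CMCollection -Name $CollectionName
    if (-not $coll) { throw "Collection '$CollectionName' not found" }

    if ($OnlyDevices) {
        # Per-device notifications, as the console does when you select individual rows.
        foreach ($name in $OnlyDevices) {
            if ($PSCmdlet.ShouldProcess($name, $ActionType)) {
                Invoke-CMClientNotification -DeviceName $name -ActionType $ActionType
            }
        }
        return
    }

    # Collection-wide: refuse above the threshold so the bandwidth and duration
    # questions get asked before, not after, the notification goes out.
    if ($coll.MemberCount -gt $MaxDevices) {
        throw ("'{0}' has {1} members, above the {2} limit; use -OnlyDevices or raise -MaxDevices " +
               "after considering link bandwidth and how long the action needs to finish.") -f
               $CollectionName, $coll.MemberCount, $MaxDevices
    }
    if ($PSCmdlet.ShouldProcess("$CollectionName ($($coll.MemberCount) devices)", $ActionType)) {
        Invoke-CMClientNotification -CollectionName $CollectionName -ActionType $ActionType
    }
}

# Constructed example: restart the members of a small pilot collection, prompting first
# because ConfirmImpact is High.
Send-CMClientNotificationSafely -CollectionName 'Pilot - Pending Restart' -ActionType ClientNotificationRebootMachine
```

The same wrapper works for any other action name accepted by -ActionType, so one reviewed entry point can carry the size gate for policy refreshes and inventory cycles as well as restarts.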

Client diagnostics
Use the following actions to help troubleshoot clients:

Enable verbose logging: Change the global log level for the CCM component to
verbose, and enable debug logging.

Disable verbose logging: Change the global log level to default, and disable
debug logging.

Collect Client Logs: The site sends a client notification message to the selected
clients to gather the CCM logs. The client sends the logs to the management point
using the same channel as software inventory file collection. You don't need to
enable software inventory in client settings. The size limit for the compressed
client logs is 100 MB. Use Resource Explorer to manage and view these files.

Important

These actions only change the log verbosity, not the size or history. More
verbose logging can generate more log content.
The management point role also uses the CCM component. If the targeted
device is also a management point, this action also applies to that role.

For more information about these settings, see About log files.

Track the status of the task in the diagnostics.log on the client. When client logs are
collected, additional information is logged in MP_SinvCollFile.log on the management
point and sinvproc.log on the site server.

Note

Starting in version 2107, you can inventory client log file settings such as log levels
and size. Enable the hardware inventory class, Client Diagnostics
(CCM_ClientDiagnostics). For more information, see Enable or disable existing
hardware inventory classes.

Prerequisites - Client diagnostics
Update the target client to the latest version.

Your Configuration Manager administrative user needs the Notify resource
permission. The following built-in roles have this permission by default:

Full Administrator
Infrastructure Administrator

Add this permission to any custom roles that need to use client notification
actions.

Cleanup aged client diagnostic files
Collected client logs are stored according to the software inventory file collection
settings. The files are stored on the site server in the Inboxes\sinv.box\FileCol directory.
There's no defined limit to the number of versions.

The maintenance task to delete aged diagnostic files varies depending on your
Configuration Manager version:

Version 2010 and later uses the Delete Aged Collected Diagnostic Files site
maintenance task to delete diagnostic files.
Version 2006 and earlier uses the Delete Aged Collected Files site maintenance
task to delete diagnostic files.

For more information, see Reference for maintenance tasks in Configuration Manager.

Endpoint Protection
The following actions are under the Endpoint Protection menu. This menu is on the
ribbon in the Collection group of the Home tab. When you select one or more devices,
these actions are on the Selected Object tab of the ribbon.

For more information, see Endpoint Protection in Configuration Manager.

Permissions - Endpoint Protection
This action requires the Enforce Security permission on the Collection object.

The following built-in roles have this permission by default:

Full Administrator
Endpoint Protection Manager
Operations Administrator

Add this permission to any custom roles that need to trigger Endpoint Protection
actions.

Full Scan
Trigger Endpoint Protection or Windows Defender to run a full antimalware scan.

Quick Scan
Trigger Endpoint Protection or Windows Defender to run a quick antimalware scan.

Download Definition
Trigger Endpoint Protection or Windows Defender to download the latest antimalware
definitions.

Monitor client operations
Monitor the operations sent to clients by using the Client Operations node under the
Monitoring workspace. For some instances, you can cancel the operation by using the
Cancel option in the ribbon. Use the Delete option to remove the operation from the
console's view.

Next steps
How to manage clients

How to manage collections

Maintain Mac clients
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in January 2022, this feature of Configuration Manager is deprecated. For
more information, see Mac computers.

Here are procedures for uninstalling Mac clients and for renewing their certificates.

Uninstalling the Mac client
1. On a Mac computer, open a terminal window and navigate to the folder containing
macclient.dmg.

2. Navigate to the Tools folder and enter the following command-line:

./CMUninstall -c

Note

The -c property instructs the client uninstall to also remove client crash logs
and log files. We recommend this to avoid confusion if you later reinstall the
client.

3. If required, manually remove the client authentication certificate that Configuration
Manager was using, or revoke it. CMUninstall does not remove or revoke this
certificate.

Renewing the Mac client certificate
Use one of the following methods to renew the Mac client certificate:

Renew certificate wizard
Renew certificate manually

Renew certificate wizard
1. Configure the following values as strings in the ccmclient.plist file that controls
when the Renew Certificate Wizard opens:

RenewalPeriod1 - Specifies, in seconds, the first renewal period in which users
can renew the certificate. The default value is 3,888,000 seconds (45 days).
Don't configure a value less than 300, as the period will revert to the default.

RenewalPeriod2 - Specifies, in seconds, the second renewal period in which
users can renew the certificate. The default value is 259,200 seconds (3 days).
If this value is configured and is greater than or equal to 300 seconds and is
less than or equal to RenewalPeriod1, the value will be used. If
RenewalPeriod1 is greater than 3 days, a value of 3 days will be used for
RenewalPeriod2. If RenewalPeriod1 is less than 3 days, then RenewalPeriod2
is set to the same value as RenewalPeriod1.

RenewalReminderInterval1 - Specifies, in seconds, the frequency at which the
Renew Certificate Wizard will be displayed to users during the first renewal
period. The default value is 86,400 seconds (1 day). If
RenewalReminderInterval1 is greater than 300 seconds and less than the
value configured for RenewalPeriod1, then the configured value will be used.
Otherwise, the default value of 1 day will be used.

RenewalReminderInterval2 - Specifies, in seconds, the frequency at which the
Renew Certificate Wizard will be displayed to users during the second
renewal period. The default value is 28,800 seconds (8 hours). If
RenewalReminderInterval2 is greater than 300 seconds, less than or equal to
RenewalReminderInterval1 and less than or equal to RenewalPeriod2, then
the configured value will be used. Otherwise, a value of 8 hours will be used.

Example: If the values are left as their defaults, 45 days before the certificate
expires, the wizard will open every 24 hours. Within 3 days of the certificate
expiring, the wizard will open every 8 hours.

Example: Use the following command line, or a script, to set the first renewal
period to 20 days.

sudo defaults write com.microsoft.ccmclient RenewalPeriod1 1728000

2. When the Renew Certificate Wizard opens, the User name and Server name fields will typically be pre-populated and the user can just enter a password to renew the certificate.

Note

If the wizard does not open, or if you accidentally close the wizard, click Renew from the Configuration Manager preference page to open the wizard.
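The four plist values above are applied with precedence rules that silently replace out-of-range values with defaults, so a typo can leave the wizard appearing on a different schedule than you planned. The following PowerShell is an added example, not code from the article or from the Mac client: it models the documented rules, reports which requested values the client would reject, and emits the matching defaults write commands to run on the Mac. It assumes the client applies the rules exactly as the article states them.

```powershell
# Added example (not code from the Configuration Manager docs or the Mac client):
# a model of the precedence rules the article states for the four ccmclient.plist
# values, so you can see what the client will actually use before running
# "defaults write". Assumption: the client applies the rules exactly as documented.

function Get-EffectiveRenewalSettings {
    param(
        [Nullable[int]]$RenewalPeriod1,            # seconds; $null means the key is not set
        [Nullable[int]]$RenewalPeriod2,
        [Nullable[int]]$RenewalReminderInterval1,
        [Nullable[int]]$RenewalReminderInterval2
    )
    $threeDays = 259200
    $notes = New-Object 'System.Collections.Generic.List[string]'

    # RenewalPeriod1: a value below 300 seconds silently reverts to the 45-day default.
    if ($null -ne $RenewalPeriod1 -and $RenewalPeriod1 -ge 300) { $rp1 = [int]$RenewalPeriod1 }
    else {
        if ($null -ne $RenewalPeriod1) { $notes.Add("RenewalPeriod1=$RenewalPeriod1 is below 300; client reverts to 3888000") }
        $rp1 = 3888000
    }

    # RenewalPeriod2: used only when 300 <= value <= RenewalPeriod1; otherwise it is
    # 3 days, or RenewalPeriod1 itself when that is shorter than 3 days.
    if ($null -ne $RenewalPeriod2 -and $RenewalPeriod2 -ge 300 -and $RenewalPeriod2 -le $rp1) { $rp2 = [int]$RenewalPeriod2 }
    else {
        if ($null -ne $RenewalPeriod2) { $notes.Add("RenewalPeriod2=$RenewalPeriod2 rejected; must be between 300 and $rp1") }
        $rp2 = [Math]::Min($rp1, $threeDays)
    }

    # RenewalReminderInterval1: used when 300 < value < RenewalPeriod1, else 1 day.
    if ($null -ne $RenewalReminderInterval1 -and $RenewalReminderInterval1 -gt 300 -and $RenewalReminderInterval1 -lt $rp1) { $ri1 = [int]$RenewalReminderInterval1 }
    else {
        if ($null -ne $RenewalReminderInterval1) { $notes.Add("RenewalReminderInterval1=$RenewalReminderInterval1 rejected; default 86400 used") }
        $ri1 = 86400
    }

    # RenewalReminderInterval2: used when > 300, <= RenewalReminderInterval1 and <= RenewalPeriod2, else 8 hours.
    if ($null -ne $RenewalReminderInterval2 -and $RenewalReminderInterval2 -gt 300 -and
        $RenewalReminderInterval2 -le $ri1 -and $RenewalReminderInterval2 -le $rp2) { $ri2 = [int]$RenewalReminderInterval2 }
    else {
        if ($null -ne $RenewalReminderInterval2) { $notes.Add("RenewalReminderInterval2=$RenewalReminderInterval2 rejected; default 28800 used") }
        $ri2 = 28800
    }

    [pscustomobject]@{
        RenewalPeriod1           = $rp1
        RenewalPeriod2           = $rp2
        RenewalReminderInterval1 = $ri1
        RenewalReminderInterval2 = $ri2
        Notes                    = $notes.ToArray()
    }
}

# Emit the matching commands for the Mac (run them there with sudo, as in the article).
function ConvertTo-DefaultsWriteCommands {
    param([Parameter(Mandatory)]$Settings)
    foreach ($key in 'RenewalPeriod1', 'RenewalPeriod2', 'RenewalReminderInterval1', 'RenewalReminderInterval2') {
        "sudo defaults write com.microsoft.ccmclient $key $($Settings.$key)"
    }
}

# Planned values: a 20-day first period, a 1-day second period, a 2-hour reminder
# inside it, plus a deliberately bad RenewalReminderInterval1 that the client would reject.
$plan = Get-EffectiveRenewalSettings -RenewalPeriod1 1728000 -RenewalPeriod2 86400 `
            -RenewalReminderInterval1 120 -RenewalReminderInterval2 7200
$plan | Format-List
ConvertTo-DefaultsWriteCommands -Settings $plan
```

The Notes property is the part worth reading before you write anything to the plist: a rejected value is not an error on the Mac, it just means the wizard runs on the default cadence and the user may never see a reminder until the certificate is close to expiring.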

Renew certificate manually


A typical validity period for the Mac client certificate is 1 year. Configuration Manager
does not automatically renew the user certificate that it requests during enrollment, so
you must use the following procedure to renew the certificate manually.

Important

If the certificate expires, you must uninstall, reinstall and then re-enroll the Mac
client.

This procedure removes the SMSID, which is required to request a new certificate for the
same Mac computer. When you remove and replace the client SMSID, any stored client
history such as inventory is deleted after you delete the client from the Configuration
Manager console.

1. Create and populate a device collection for the Mac computers that must renew
the user certificates.

Warning

Configuration Manager does not monitor the validity period of the certificate
that it enrolls for Mac computers. You must monitor this independently from
Configuration Manager to identify the Mac computers to add to this
collection.

2. In the Assets and Compliance workspace, start the Create Configuration Item
Wizard.

3. On the General page, specify the following information:

Name: Remove SMSID for Mac

Type: Mac OS X

4. On the Supported Platforms page, ensure that all macOS versions are selected.

5. On the Settings page, choose New and then, in the Create Setting dialog box, specify the following information:

Name: Remove SMSID for Mac

Setting type: Script

Data type: String

6. In the Create Setting dialog box, for Discovery script, choose Add script to specify
a script that discovers Mac computers with an SMSID configured.

7. In the Edit Discovery Script dialog box, enter the following Shell Script:

Shell

defaults read com.microsoft.ccmclient SMSID

8. Choose OK to close the Edit Discovery Script dialog box.

9. In the Create Setting dialog box, for Remediation script (optional), choose Add
script to specify a script that removes the SMSID when it is found on Mac
computers.

10. In the Create Remediation Script dialog box, enter the following Shell Script:

Shell

defaults delete com.microsoft.ccmclient SMSID

11. Choose OK to close the Create Remediation Script dialog box.

12. On the Compliance Rules page of the wizard, click New, and then in the Create
Rule dialog box, specify the following information:

Name: Remove SMSID for Mac

Selected setting: Choose Browse and then select the discovery script that you specified previously.

In the following values field, enter The domain/default pair of (com.microsoft.ccmclient, SMSID) does not exist.

Enable the option Run the specified remediation script when this setting is
noncompliant.
13. Complete the Create Configuration Item Wizard.

14. Create a configuration baseline that contains the configuration item that you have
just created and deploy it to the device collection that you created in step 1.

For more information about how to create and deploy configuration baselines, see
How to create configuration baselines and How to deploy configuration baselines.

15. On Mac computers that have the SMSID removed, run the following command to
install a new certificate:

Shell

sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u <'user name'>

When prompted, provide the password for the super user account to run the command and then the password for the Active Directory user account. The -ignorecertchainvalidation switch makes CMEnroll skip validation of the certificate chain presented by the enrollment proxy point, so confirm you are talking to the right server (for example, that the Mac already trusts the CA that issued its certificate) before entering domain credentials.

16. To limit the enrolled certificate to Configuration Manager, on the Mac computer,
open a terminal window and make the following changes:

a. Enter the command sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access

b. In the Keychain Access dialog, in the Keychains section, choose System, and
then, in the Category section, choose Keys.

c. Expand the keys to view the client certificates. When you have identified the
certificate with a private key that you have just installed, double-click the key.

d. On the Access Control tab, choose Confirm before allowing access.

e. Browse to /Library/Application Support/Microsoft/CCM, select CCMClient, and then choose Add.

f. Choose Save Changes and close the Keychain Access dialog box.

17. Restart the Mac computer.


Introduction to collections in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Collections help you organize resources into manageable units. You can create
collections to match your client management needs, and to perform operations on
multiple resources at one time.

Most management tasks rely on or require using one or more collections. Although you can use the built-in collection of All Systems, using it for management tasks is not a best practice: it has the largest scope of device resources, including unknown computers and Intune-enrolled mobile devices, so anything you deploy to it reaches all of them. Create custom collections to more specifically identify the devices or users for a task.

Built-in and custom collections appear in the User Collections and Device Collections
nodes in the Assets and Compliance workspace in the Configuration Manager console.

Collections that you have recently viewed appear in the Users node and in the Devices
node in the Assets and Compliance workspace.

Here are some examples of collection use:

Operation: Grouping resources
Example: You can create collections that group resources based on your organization's hierarchy. For example, you could create a collection of all computers in the "London Headquarters" Active Directory Organizational Unit (OU). For more information about how to create this type of collection, see How to create collections. You could use this collection for operations such as configuring Endpoint Protection settings, configuring device power management settings, or installing the Configuration Manager client.

Operation: Application deployment
Example: You can create a collection of all computers that do not have Microsoft 365 Apps installed and then deploy the application to all computers in that collection. You can also use application requirements to perform this task. For more information, see How to create applications with Configuration Manager.

Operation: Managing client settings
Example: Although the default client settings in Configuration Manager apply to all devices and all users, you can create custom client settings that apply to a collection of devices or a collection of users. For example, if you want remote control to be available on all but a few devices, configure the default client settings to allow remote control and then configure custom client settings that do not allow remote control, and deploy those to the collection of exceptional clients.

Operation: Power management
Example: You can configure specific power settings per collection.

Operation: Role-based administration
Example: Use collections to control which groups of users have access to various functionality in the Configuration Manager console.

Operation: Maintenance windows
Example: With maintenance windows you can define a time period when various Configuration Manager operations can be carried out on members of a device collection.

Collection types in Configuration Manager


Configuration Manager has built-in collections for common operations, and you can
also create custom collections.

Built-in collections
By default, Configuration Manager includes the following collections, which cannot be modified.

All User Groups: Contains the user groups that are discovered by using Active Directory Security Group Discovery.

All Users: Contains the users who are discovered by using Active Directory User Discovery.

All Users and User Groups: Contains the All Users and the All User Groups collections. This collection contains the largest scope of user and user group resources.

All Desktop and Server Clients: Contains the server and desktop devices that have the Configuration Manager client installed. Membership is maintained by Heartbeat Discovery.

All Mobile Devices: Contains the mobile devices that are managed by Configuration Manager. Membership is restricted to those mobile devices that are successfully assigned to a site or discovered by the Exchange Server connector.

All Systems: Contains the All Desktop and Server Clients, the All Mobile Devices, and the All Unknown Computers collections, and all mobile devices that are enrolled by Microsoft Intune. This collection contains the largest scope of device resources.

All Unknown Computers: Contains generic computer records for multiple computer platforms. You can use this collection to deploy an operating system by using a task sequence and PXE boot, bootable media, or prestaged media.

Co-management Eligible Devices: Contains devices that meet the client prerequisites and are eligible for co-management enrollment (added in version 2111).

Custom collections
When you create a custom collection in Configuration Manager, the membership of that
collection is determined by one or more collection rules, as described in How to create
collections.
Prerequisites for collections in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Collections in Configuration Manager have dependencies only within the product; there are no external dependencies.

Configuration Manager dependencies


Dependency: Reporting services point
More information: The reporting services point site system role must be installed before you can run reports for collections. For more information, see Introduction to reporting.

Dependency: Specific security permissions must have been granted to manage collections
More information: You must have the following security permissions to manage collections:
- To create and manage collections: Create, Delete, Modify, Modify Folder, Move Object, Read and Read Resource for the Collection object.
- To manage collection settings: Modify Collection Setting for the Collection object.
The Modify Folder permission is required for all collection folders, including the root folder.
Best practices for collections in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Some collection management guidance can be contradictory. For example, for performance reasons, you should limit the number of collections that update frequently. But updating collections frequently is convenient, since most Configuration Manager functionality is dependent on collections. Carefully consider both performance impacts and business requirements when you design and configure collections and collection evaluation.

Use the following best practices for collections in Configuration Manager.

Configure maintenance window for updates


You can configure maintenance windows for device collections to restrict the times that Configuration Manager can install software on these devices. If you configure the maintenance window to be too small, the client may not install critical software updates. This state leaves the client vulnerable to the issues the update mitigates.

Important considerations to keep in mind when planning your maintenance windows:

The default software update maximum run time is 60 minutes.
When Configuration Manager calculates whether an update can install, it adds five minutes to the maximum run time to account for a restart.
The remaining duration of a maintenance window must be longer than the maximum run time of the software update plus five minutes.
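The following PowerShell is an added example, not code from the article: it applies the three rules above to a set of updates and reports which ones cannot complete in the time a window has left, which is exactly the set that stays uninstalled and leaves the client exposed. The window times and the update list are constructed sample data; in practice the maximum run time comes from each update's properties in the console.

```powershell
# Added example (not code from the Configuration Manager docs): check, before a
# deployment, which updates can still complete in the time a maintenance window
# has left, using the article's rule of maximum run time plus five minutes.
# Updates that do not fit are the ones that stay uninstalled. The window and the
# update list are constructed sample data; real run times come from the update's
# properties in the console.

function Get-WindowRemainingMinutes {
    param(
        [Parameter(Mandatory)][datetime]$WindowStart,
        [Parameter(Mandatory)][int]$WindowDurationMinutes,
        [Parameter(Mandatory)][datetime]$Now
    )
    $end = $WindowStart.AddMinutes($WindowDurationMinutes)
    if ($Now -lt $WindowStart -or $Now -ge $end) { return 0 }   # window not open right now
    return [int][Math]::Floor(($end - $Now).TotalMinutes)
}

function Test-UpdatesFitWindow {
    param(
        [Parameter(Mandatory)][int]$RemainingMinutes,
        [Parameter(Mandatory)][object[]]$Updates,        # objects with Name and MaxRunTimeMinutes
        [int]$RestartAllowanceMinutes = 5                 # the five minutes the client adds for a restart
    )
    foreach ($u in $Updates) {
        $needed = $u.MaxRunTimeMinutes + $RestartAllowanceMinutes
        [pscustomobject]@{
            Update        = $u.Name
            NeededMinutes = $needed
            Fits          = ($RemainingMinutes -gt $needed)   # "longer than", so strictly greater
        }
    }
}

# Constructed sample: a two-hour window that opened at 01:00, checked at 02:10.
$remaining = Get-WindowRemainingMinutes -WindowStart (Get-Date '2024-03-05 01:00') `
                 -WindowDurationMinutes 120 -Now (Get-Date '2024-03-05 02:10')

$updates = @(
    [pscustomobject]@{ Name = 'Sample cumulative update (default run time)'; MaxRunTimeMinutes = 60 }
    [pscustomobject]@{ Name = 'Sample feature update';                      MaxRunTimeMinutes = 120 }
    [pscustomobject]@{ Name = 'Sample Defender platform update';            MaxRunTimeMinutes = 30 }
)

"Minutes left in the window: $remaining"
Test-UpdatesFitWindow -RemainingMinutes $remaining -Updates $updates | Format-Table -AutoSize
```

The comparison is deliberately strict (greater than, not greater than or equal), matching "must be longer than" in the article; an update whose required time equals the remaining window is treated as not fitting, which is the conservative reading when the alternative is a missed security update.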

Avoid frequent collection evaluation


A full collection evaluation evaluates not only the targeted collection, but also any collections that the collection limits if an update occurs. Also, a collection with no schedule is still evaluated if its limiting collection updates. So it's possible that some collections may be evaluated more often than you expect.

In a busy Configuration Manager environment, you can improve collection evaluation performance by scaling back schedules to avoid repeated collection evaluations. In a deep tree, you can decrease collection evaluation frequency as the collections descend deeper in the tree, because higher-level collection evaluations will also trigger lower-level collection evaluations.

Understand the collection evaluation graph


Be aware of how the collection evaluation graph works so you can design an
appropriate collection structure. Don't rely on full collection evaluation to always update
all collections. If an incrementally updated collection updates on a schedule, referencing
collections that aren't enabled for incremental updates may not update. Because
updates likely occurred during incremental evaluations, a full evaluation may not update
the collection, ending the collection evaluation graph for that cycle. In that case, no
referencing collection evaluations occur. For more information, see Collection evaluation
graph.

Limit incremental updates


Enabling incremental updates for many collections might cause evaluation delays. It's best to limit the number of incrementally updated collections to 200. The exact number depends on:

The total number of collections
The frequency of new resources being added and changed in the hierarchy
The number of clients in a hierarchy
The complexity of collection membership rules in a hierarchy

If the incremental evaluation cycle is taking longer than the configured update frequency, then Configuration Manager is constantly processing collection evaluations, which could affect system performance. Reduce the number of incrementally updated collections, or increase the time between incremental evaluation cycles.

Given the potential impacts of incremental collections, it's important to have a policy or
procedure for creating the collections and assigning update schedules. Examples of
policy considerations might be:

Only use incremental updates for collections that are used for security scoping,
client settings, and maintenance windows. These collection updates affect client
behavior and access to resources.
For applications with no licensing approval, advertise applications to existing
collections, and use global conditions to restrict availability.
Outline appropriate periods for other collections that have full collection updates
scheduled.
Avoid evaluation of large trees from the CAS
In a Configuration Manager environment, the central administration site (CAS) doesn't
evaluate collection membership. Primary sites are the only sites that evaluate collections.
Secondary sites act as proxies that use only data they replicate from their primary site.

To request a collection update, the CAS sends a request to each primary site. The
primary sites evaluate the collection and send the results back to the CAS. The collection
evaluation results appear only after all collection evaluation instructions replicate to all
sites, all sites evaluate all collections, and all data returns to the CAS and is combined.

The following diagram demonstrates the flow when the CAS requests a manual
collection update:

A collection update from a CAS with multiple primary sites can be time consuming. If a
collection doesn't evaluate in a timely fashion, it's tempting to repeat the request.

Once a collection evaluation thread begins and loads the evaluation graph, evaluation
continues until the collection evaluation graph is empty. The thread then terminates and
becomes available for the next evaluation. However, if another collection evaluation
cycle queues while the thread is evaluating collections, the thread immediately restarts
to attempt an evaluation of the "missed" cycle.

Each evaluation method runs in its own thread. It's possible that within the thread,
Configuration Manager may attempt to graph the same collection more than once.
Configuration Manager then drops the second and later requests.

To prevent these scenarios, avoid manual collection evaluations of large trees, especially
when working from the CAS with multiple sites.
Consider collection depth and cross-
referencing
To strike a balance between business requirements and performance, it's important to
understand the collection structure you create, and its dependencies on other
collections. If you create a collection with rules that reference one or more collections
that also refer to other collections, all of those collections are evaluated to create the
membership of the collection.

The include and exclude collection rules in Configuration Manager make referencing collections easier than writing a custom WQL query. However, if using include and exclude collections results in a high performance toll, you can use the WQL query method instead. Use the following example queries and replace the example collection ID XYZ0003F with the ID of the collection you want to include or exclude. Note that a query rule doesn't add the referenced collection to the evaluation graph the way an include or exclude rule does, so the new collection only picks up changes to XYZ0003F on its own evaluation schedule.

Include:

Select * from SMS_R_System where SMS_R_System.ResourceId in (select ResourceID from SMS_CM_RES_COLL_XYZ0003F)

Exclude:

Select * from SMS_R_System where SMS_R_System.ResourceId not in (select ResourceID from SMS_CM_RES_COLL_XYZ0003F)

Use CEViewer to monitor collection evaluation


You can use the Collection Evaluation Viewer (CEViewer) to monitor how many collections are being evaluated and how long each collection is taking to update. The CEViewer is in the CD.Latest folder on the site server.

Tip

Starting in Configuration Manager version 2010, this functionality is built in to the console. For more information, see How to view collection evaluation.

To manually do a similar check with SQL, you can use the following query against the site database (it only reads; RefreshType 4 and 6 select the collections that have incremental updates enabled):

SQL

-- RefreshType in v_Collection: 4 = incremental only, 6 = incremental plus scheduled
SELECT [t2].[CollectionName], [t2].[SiteID], [t2].[value] AS [Seconds],
       [t2].[LastIncrementalRefreshTime], [t2].[IncrementalMemberChanges] AS [IncChanges],
       [t2].[LastMemberChangeTime] AS [MemberChangeTime]
FROM (
    SELECT [t0].[CollectionName], [t0].[SiteID],
           DATEDIFF(Millisecond, [t1].[IncrementalEvaluationStartTime], [t1].[LastIncrementalRefreshTime]) * 0.001 AS [value],
           [t1].[LastIncrementalRefreshTime], [t1].[IncrementalMemberChanges], [t1].[LastMemberChangeTime],
           [t1].[IncrementalEvaluationStartTime], v1.[RefreshType]
    FROM [dbo].[Collections_G] AS [t0]
    INNER JOIN [dbo].[Collections_L] AS [t1] ON [t0].[CollectionID] = [t1].[CollectionID]
    INNER JOIN v_Collection v1 ON [t0].[SiteID] = v1.CollectionID   -- Collections_G.SiteID holds the collection ID string
) AS [t2]
WHERE ([t2].[IncrementalEvaluationStartTime] IS NOT NULL)
  AND ([t2].[LastIncrementalRefreshTime] IS NOT NULL)
  AND ([t2].[RefreshType] = 4 OR [t2].[RefreshType] = 6)
ORDER BY [t2].[value] DESC

Collection evaluation in Configuration Manager
Article • 10/12/2022

Applies to: Configuration Manager (current branch)

Configuration Manager uses collection evaluation to update collection membership, based on the collection rules you define. Collection evaluation scope and timing differ depending on site and collection configuration and evaluation type.

It's important to understand collection evaluation behavior so you can make appropriate
collection design decisions. For collection evaluation guidance and recommendations,
see Best practices for collections.

Evaluation process
The colleval.log records when the collection evaluator creates, changes, and deletes
collections.

At a high level, each individual collection evaluation and update follows these steps:

1. Execute the collection query.
2. Add any systems that are direct members.
3. Add members specified in the include collections.
4. Perform a logical AND between the returned results and the limiting collection.
5. Remove members specified in the exclude collections.
6. Compare the result set from evaluating the direct members and include collections with the results of the exclude collections.
7. Write the changes to the database and perform updates.
8. Trigger any dependent collections to update as well. Dependent collections are collections that the current collection limits, or that refer to the current collection using include or exclude rules.

Tip

You can use management insights in the Configuration Manager console to help you manage your collections. There's a group of insights specific to Collections. There are also several insights in the Configuration Manager Assessment group for collections.

Collection evaluation types and triggers

These types of threads handle collection evaluation, depending on evaluation type:

Primary for scheduled collection updates
Auxiliary to manually update collections with dependent collections
Single to manually update collections with no dependent collections
Express for incremental collection updates

The following table describes collection evaluation triggers and their corresponding evaluation types.

Trigger: Manual
Evaluation type: Single or Auxiliary
Description: Manual is the highest priority collection evaluation. When an administrator requests a manual collection evaluation, the collection evaluator assigns the next available evaluation thread to the evaluation.

Trigger: Scheduled
Evaluation type: Primary
Description: The process of scheduled evaluation is the same as manual evaluation, except the evaluation is time-driven rather than event-driven.

Trigger: Staging
Evaluation type: Single or Auxiliary
Description: All collections directly or indirectly depend on All Systems or All Users and User Groups. Both of these collections do a full collection evaluation at 4:00 AM daily. A change to either of these collections triggers updates of dependent collections, based on a full collection graph.

Trigger: Incremental
Evaluation type: Express
Description: Incremental evaluation uses a collection evaluation graph to evaluate and update dependent collections when an update changes the membership of an incremental collection. Configuration Manager monitors and updates resource objects in all collections that are configured for incremental updates. If a collection query is based on information that will be updated later, like hardware inventory, Configuration Manager only adds or removes the resource from the collection during the scheduled collection update.

Collection evaluation graph


A collection evaluation graph maps all collections that relate to the collection targeted
for evaluation. A collection evaluation involves the targeted collection and any related
collections in the collection evaluation graph.

When collection evaluation starts, Configuration Manager builds a graph that includes
all collections that could possibly need evaluating as a result of changes to the target
collection, starting from the highest level in the cycle. The collection evaluator then
moves through the graph in order, evaluating each collection membership in turn. After
the collection is fully evaluated, the collection evaluator removes lower-level collections
that aren't affected by this cycle from the collection evaluation graph.

If one or more of the collections being evaluated has an include or exclude rule, the
collection evaluator adds the included or excluded collection to the graph, along with
any collections that collection limits. If there are any changes during the evaluation of
the include and exclude collections, the graph continues on that branch before it returns
to the main branch.

Configuration Manager builds two types of evaluation graphs, incremental or full.

Incremental collection evaluation


When table data changes, a SQL Server trigger inserts a row in the CollectionNotifications table. The next time a collection evaluation schedule fires, it ANDs the resource ID with the existing collection query and triggers updates on collections that are enabled for incremental updates.

Incremental collection evaluation executes one query per machine. The default site configuration for incremental collection evaluation is every five minutes.

An incremental collection evaluation graph maps referenced collections only if they're enabled for incremental evaluation. If an incremental evaluation is limited to a collection that isn't enabled for incremental evaluation, the graph evaluates the collection based on the existing membership of the limiting collection.

For example, the following diagram shows newly discovered resources that are applicable to all collections. However, collection evaluation only updates the All Servers and All Domain Controllers collections. The collection evaluator doesn't evaluate the other collections, because the All Member Servers collection isn't enabled for incremental evaluation.

Full collection evaluation


Manual or scheduled collection evaluations build a full collection evaluation graph of all
dependent collections. The graph includes all collections that reference the collection
that is updating and subsequent collections. Configuration Manager continues to
evaluate down the graph as long as updates occur to the collections being processed.

The following diagram shows how a scheduled or manual collection update request for
the All Servers collection produces a full graph that includes all applicable collections.
The new DNS server and domain controller resources are in scope of the membership
queries of all collections, so all the collections update.
A full evaluation doesn't always evaluate all collections. The collection evaluation graph
only continues to evaluate dependent collections if an update occurs to the current
referenced collection. If an incrementally updated collection updates during scheduled
incremental evaluations, referencing collections that aren't enabled for incremental
updates may not update. A full evaluation doesn't update the collection, ending the
collection evaluation graph and any referencing collection evaluations for that cycle.

In the following example, installing DNS on the existing server makes it a member of the
DNS Servers collection, but because there's no update to its limiting All Member
Servers collection, the full evaluation doesn't evaluate the DNS Servers collection. The
next incremental evaluation cycle will evaluate the DNS Servers collection, because it's
an incremental collection.
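The following PowerShell is an added example, not code from the article or from Configuration Manager itself. It is a small in-memory model of two things described above: the eight evaluation steps (query, direct members, includes, AND with the limiting collection, excludes, write if changed, trigger dependents) and the incremental versus full evaluation graph, using the collection names from the article's diagrams. The resources, their Role and Dns attributes, and the queries are constructed sample data; the real evaluator works in SQL against the site database, and this only reproduces the documented ordering and stop rules so you can see why a non-incremental collection in the middle of a chain goes stale.

```powershell
# Added example (not code from the Configuration Manager docs): an in-memory model
# of the documented evaluation steps and of the incremental vs. full evaluation
# graph, using the article's collection names. Resources, attributes and queries
# are constructed sample data; the real evaluator runs SQL against the site DB.

$resources   = @{}            # resource name -> hashtable of attributes (constructed)
$collections = [ordered]@{}   # collection name -> definition
$membership  = @{}            # collection name -> HashSet[string] of resource names

function Add-Collection {
    param([string]$Name, [string]$Limiting, [scriptblock]$Query, [string[]]$Direct = @(),
          [string[]]$Include = @(), [string[]]$Exclude = @(), [bool]$Incremental = $false)
    $collections[$Name] = @{ Name = $Name; Limiting = $Limiting; Query = $Query; Direct = $Direct
                             Include = $Include; Exclude = $Exclude; Incremental = $Incremental }
    $membership[$Name] = New-Object 'System.Collections.Generic.HashSet[string]'
}

# Steps 1-7 as the article lists them; returns $true when membership changed.
function Invoke-CollectionEvaluation {
    param([string]$Name)
    $c = $collections[$Name]
    $result = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($r in $resources.Keys) { if (& $c.Query $resources[$r]) { [void]$result.Add($r) } }   # 1. query
    foreach ($d in $c.Direct)  { [void]$result.Add($d) }                                          # 2. direct members
    foreach ($i in $c.Include) { $result.UnionWith($membership[$i]) }                             # 3. include rules
    if ($c.Limiting) { $result.IntersectWith($membership[$c.Limiting]) }                           # 4. AND limiting collection
    foreach ($e in $c.Exclude) { $result.ExceptWith($membership[$e]) }                             # 5/6. exclude rules
    $changed = -not $result.SetEquals($membership[$Name])
    if ($changed) { $membership[$Name] = $result }                                                 # 7. write changes
    return $changed
}

# Step 8: dependents are collections limited to this one, or that include/exclude it.
function Get-DependentCollections {
    param([string]$Name)
    $collections.Values | Where-Object { $_.Limiting -eq $Name -or $_.Include -contains $Name -or $_.Exclude -contains $Name } |
        ForEach-Object { $_.Name }
}

# Walk the graph from a starting collection. Dependents are only queued when the
# parent actually changed (full and incremental); an incremental graph also skips
# collections that are not enabled for incremental updates, so their children are never reached.
function Invoke-EvaluationGraph {
    param([string]$Start, [ValidateSet('Full', 'Incremental')][string]$Mode)
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($Start)
    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if ($Mode -eq 'Incremental' -and -not $collections[$name].Incremental) { "  skip $name (not incremental)"; continue }
        $changed = Invoke-CollectionEvaluation -Name $name
        "  evaluated $name -> changed=$changed members=$($membership[$name].Count)"
        if ($changed) { foreach ($d in Get-DependentCollections -Name $name) { $queue.Enqueue($d) } }
    }
}

# The tree from the article's diagrams; only All Member Servers is not incremental.
Add-Collection 'All Systems'            $null                { param($r) $true }                     -Incremental $true
Add-Collection 'All Servers'            'All Systems'        { param($r) $r.Role -in 'DC', 'Member' } -Incremental $true
Add-Collection 'All Domain Controllers' 'All Servers'        { param($r) $r.Role -eq 'DC' }           -Incremental $true
Add-Collection 'All Member Servers'     'All Servers'        { param($r) $r.Role -eq 'Member' }       -Incremental $false
Add-Collection 'DNS Servers'            'All Member Servers' { param($r) $r.Dns }                     -Incremental $true

$resources['WS01']  = @{ Role = 'Workstation'; Dns = $false }
$resources['SRV01'] = @{ Role = 'Member';      Dns = $false }
Invoke-EvaluationGraph -Start 'All Systems' -Mode Full | Out-Null   # seed the initial membership

"Scenario 1: a new DC and a new DNS server are discovered; incremental cycle"
$resources['DC02']  = @{ Role = 'DC';     Dns = $false }
$resources['DNS02'] = @{ Role = 'Member'; Dns = $true }
Invoke-EvaluationGraph -Start 'All Systems' -Mode Incremental

"Scenario 2: scheduled full evaluation of All Servers afterwards (nothing left to change, graph ends)"
Invoke-EvaluationGraph -Start 'All Servers' -Mode Full

"Scenario 3: All Member Servers runs its own schedule, and only then does DNS Servers catch up"
Invoke-EvaluationGraph -Start 'All Member Servers' -Mode Full

"Scenario 4: DNS installed on existing SRV01; full evaluation from All Servers stops early"
$resources['SRV01'].Dns = $true
Invoke-EvaluationGraph -Start 'All Servers' -Mode Full
"  ...but the next incremental cycle on DNS Servers picks SRV01 up:"
Invoke-EvaluationGraph -Start 'DNS Servers' -Mode Incremental
```

Scenarios 1 and 2 together are the failure mode the article warns about: once the incremental cycle has already updated All Servers, the later full evaluation finds no change there and never descends to the non-incremental All Member Servers, so DNS Servers keeps stale membership until All Member Servers is evaluated on its own schedule. If a collection like DNS Servers scopes a deployment, a client setting or an RBAC assignment, that lag is the window in which the new server is unmanaged.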
Next steps
How to create collections
Best practices for collections
View collection evaluation (starting in version 2010)
Collection Evaluation Viewer
How to create collections in
Configuration Manager
Article • 12/05/2022

Applies to: Configuration Manager (current branch)

Collections are groupings of users or devices. Use collections for tasks like managing
applications, deploying compliance settings, or installing software updates. You can also
use collections to manage groups of client settings or use them with role-based
administration to specify the resources that an administrative user can access.
Configuration Manager contains several built-in collections. For more information, see
Introduction to collections.

Note

A collection can contain users or devices, but not both.

The information in this article can help you create collections in Configuration Manager.
You can also import collections that were created at the current Configuration Manager
site or at another one. For more information about how to export and import
collections, see How to manage collections.

Collection rules
There are different types of rules that you can use to configure the members of a
collection in Configuration Manager.

Direct rule
Use direct rules to choose the users or computers that you want to add to a collection.
The membership doesn't change unless you remove a resource from Configuration
Manager. Before you can add the resources to a direct rule collection, Configuration
Manager must have discovered them or you must have imported them. Direct rule
collections have more administrative overhead than query rule collections because they
require manual changes.

Query rule
Dynamically update the membership of a collection based on a query that Configuration
Manager runs on a schedule. For example, you can create a collection of users that are a
member of the Human Resources organizational unit in Active Directory Domain
Services. This collection is automatically updated when new users are added to or
removed from the Human Resources organizational unit.

For example queries that you can use to build collections, see How to create queries.

Include collection rule

Include the members of another collection in a Configuration Manager collection. If the included collection changes, Configuration Manager updates the membership of the current collection on a schedule.

You can add multiple include collection rules to a collection.

Exclude collection rule

Exclude collection rules let you exclude the members of one collection from another Configuration Manager collection. If the excluded collection changes, Configuration Manager updates the membership of the current collection on a schedule.

You can add multiple exclude collection rules to a collection. If a collection includes both
include collection and exclude collection rules and there's a conflict, the exclude
collection rule takes priority.

Example of an exclude collection rule

You create a collection that has one include collection rule and one exclude collection
rule. The include collection rule is for a collection of Dell desktops. The exclude
collection is for a collection of computers that have less than 4 GB of RAM. The new
collection contains Dell desktops that have at least 4 GB of RAM.

Create a collection
1. In the Configuration Manager console, go to the Assets and Compliance
workspace.

To create a device collection, select the Device Collections node. Then, on the
Home tab of the ribbon, in the Create group, select Create Device Collection.
To create a user collection, select the User Collections node. Then, on the
Home tab of the ribbon, in the Create group, select Create User Collection.

2. On the General page of the wizard, provide a Name and a Comment. In the
Limiting collection section, select Browse, and then select a limiting collection. The
collection you're creating will contain only members from the limiting collection.

3. On the Membership Rules page, in the Add Rule list, select the type of
membership rule that you want to use for the collection. You can configure
multiple rules for each collection. The configuration for each rule varies. For more
information on configuring each rule, see the following sections of this article:

Direct rule
Query rule
Include collection rule
Exclude collection rule

4. Also on the Membership Rules page, review the following settings.

Use incremental updates for this collection: Select this option to periodically
scan for and update only new or changed resources from the previous
collection evaluation. This process is independent of a full collection
evaluation. By default, incremental updates occur at 5-minute intervals.

Important

Collections with query rules that use the following classes don't support
incremental updates:
SMS_G_System_CollectedFile
SMS_G_System_LastSoftwareScan
SMS_G_System_AppClientState
SMS_G_System_DCMDeploymentState
SMS_G_System_DCMDeploymentErrorAssetDetails
SMS_G_System_DCMDeploymentCompliantAssetDetails
SMS_G_System_DCMDeploymentNonCompliantAssetDetails
SMS_G_User_DCMDeploymentCompliantAssetDetails (for collections
of users only)
SMS_G_User_DCMDeploymentNonCompliantAssetDetails (for
collections of users only)
SMS_G_System_SoftwareUsageData
SMS_G_System_CI_ComplianceState
SMS_G_System_EndpointProtectionStatus
SMS_GH_System_*
SMS_GEH_System_*

Schedule a full update on this collection: Schedule a regular full evaluation of the collection membership.

When you disable this setting, the site clears the schedule. This change
from previous behavior makes sure that the site doesn't continue to
evaluate the query. To stop the site evaluating a collection on a schedule,
disable this option.

You can't disable the evaluation of built-in collections like All Systems, but
you can configure the schedule. This behavior allows you to customize this
action at a time that meets your requirements.

Tip

On built-in collections, only change the Time of the custom schedule. Don't change the Recurrence pattern. Future versions of Configuration Manager might enforce a specific recurrence pattern.

5. Complete the wizard to create the new collection. The new collection is displayed
in the Device Collections node of the Assets and Compliance workspace.

Note

To see new collection members, refresh or reload the Configuration Manager console. They don't appear in the collection until after the first scheduled update. You can also manually select Update Membership for the collection. It might take a few minutes for a collection update to complete.

Configure a direct rule for a collection

1. On the Search for Resources page of the Create Direct Membership Rule Wizard,
specify the following information:

Resource class: Select the type of resource you want to search for and add to
the collection. For example:
System Resource: Search for inventory data returned from client
computers.
Unknown Computer: Select from values returned by unknown computers.
User Resource: Search for user information collected by Configuration
Manager.
User Group Resource: Search for user group information collected by
Configuration Manager.

Attribute name: Select the attribute associated with the selected resource
class that you want to search for. For example:

If you want to select computers by their NetBIOS name, select System Resource in the Resource class list and NetBIOS name in the Attribute name list.

If you want to select users by their organizational unit (OU) name, select
User Resource in the Resource class list and User OU Name in the
Attribute name list.

Exclude resources marked as obsolete: If a client computer is marked as obsolete, don't include it in the search results.

Exclude resources that do not have the Configuration Manager client installed: These resources won't be displayed in the search results.

Value: Enter a value to search the selected attribute name. Use the percent
character ( % ) as a wildcard. For example:

To search for computers that have a NetBIOS name beginning with M, enter M% in this field.

To search for users in the Contoso OU, enter Contoso in this field.

2. On the Select Resources page, select the resources that you want to add to the
collection in the Resources list, and then select Next.

Configure a query rule for a collection

In the Query Rule Properties dialog box, specify the following information.

Name: Specify a unique name for the query.

Import Query Statement: Opens the Browse Query dialog box. Select a Configuration Manager query to use as the query rule for the collection.

Resource class: Select the type of resource you want to search for and add to the
collection. Select a value from System Resource to search for inventory data
returned from client computers or from Unknown Computer to select from values
returned by unknown computers.

Edit Query Statement: Opens the Query Statement Properties dialog box, where
you can write a query to use as the rule for the collection. On the General tab, if
you select the option to Omit duplicate rows (select distinct), it may result in
fewer rows returned but potentially quicker results. For more information about
queries, see Introduction to queries.

Starting in Configuration Manager version 2010, you can preview the results when you're creating or editing a query for collection membership. For more information, see the Preview collection queries section.

Configure an include collection rule

In the Select Collections dialog box, select the collections you want to include in the
new collection, and then select OK.

Configure an exclude collection rule

In the Select Collections dialog box, select the collections you want to exclude from the
new collection, and then select OK.
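
The exclude-rule example above, and the Create a collection procedure with its query, include and exclude rules, carried out with the cmdlets this article lists. This is an added example, not code from the Configuration Manager documentation; the site code PS1, the collection names, and the SMBIOS chassis-type values used to classify a desktop are assumptions.

```powershell
# Added example (not from the Configuration Manager documentation): build the
# "Dell desktops with at least 4 GB of RAM" collection from the article's
# exclude-rule example. Placeholders: site code PS1 and the collection names.

# Load the console's module and switch to the site drive. SMS_ADMIN_UI_PATH is
# set on machines where the Configuration Manager console is installed.
$SiteCode = 'PS1'   # placeholder: your site code
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

$Limiting = 'All Systems'   # built-in limiting collection

# 'Both' = incremental updates (5-minute interval) plus a scheduled full
# evaluation; the schedule below is a weekly full evaluation.
$Weekly = New-CMSchedule -Start (Get-Date) -RecurInterval Days -RecurCount 7

# 1. Base collection: Dell desktops, from a WQL query rule. The query joins the
#    discovery record to hardware inventory. Chassis types 3-7, 15 and 16 are
#    the SMBIOS desktop/tower values (assumption: the classification you want).
$DellQuery = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_SYSTEM_ENCLOSURE on SMS_G_System_SYSTEM_ENCLOSURE.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_COMPUTER_SYSTEM.Manufacturer like "Dell%"
  and SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes in ("3","4","5","6","7","15","16")
"@
New-CMDeviceCollection -Name 'Dell desktops' -LimitingCollectionName $Limiting `
    -RefreshType Both -RefreshSchedule $Weekly | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName 'Dell desktops' `
    -RuleName 'Dell desktop chassis' -QueryExpression $DellQuery

# 2. Base collection: less than 4 GB of RAM. TotalPhysicalMemory is reported
#    in KB, so 4 GB = 4194304 KB.
$LowRamQuery = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_X86_PC_MEMORY on SMS_G_System_X86_PC_MEMORY.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_X86_PC_MEMORY.TotalPhysicalMemory < 4194304
"@
New-CMDeviceCollection -Name 'Less than 4 GB RAM' -LimitingCollectionName $Limiting `
    -RefreshType Both -RefreshSchedule $Weekly | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName 'Less than 4 GB RAM' `
    -RuleName 'Under 4 GB' -QueryExpression $LowRamQuery

# 3. Composite collection: include Dell desktops, exclude the low-RAM machines.
#    The exclude rule wins on conflict, so a 2 GB Dell desktop is not a member.
$Target = 'Dell desktops with at least 4 GB RAM'
New-CMDeviceCollection -Name $Target -LimitingCollectionName $Limiting `
    -RefreshType Both -RefreshSchedule $Weekly | Out-Null
Add-CMDeviceCollectionIncludeMembershipRule -CollectionName $Target `
    -IncludeCollectionName 'Dell desktops'
Add-CMDeviceCollectionExcludeMembershipRule -CollectionName $Target `
    -ExcludeCollectionName 'Less than 4 GB RAM'

# Membership is empty until the first evaluation; trigger one now instead of
# waiting for the schedule. Evaluation can take a few minutes to finish.
foreach ($Name in 'Dell desktops', 'Less than 4 GB RAM', $Target) {
    Invoke-CMCollectionUpdate -Name $Name
}
Get-CMCollectionMember -CollectionName $Target | Select-Object Name, DeviceOS
```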

Preview collection queries

(Introduced in version 2010)

Starting in Configuration Manager 2010, you can preview the results when you're
creating or editing a query for collection membership. In the Query Statement
Properties, select the green triangle to show the Query Results Preview window. Select
Stop if you want to stop a long running query.

Improvements to query preview

(Introduced in version 2103)

Starting in Configuration Manager version 2103, you have more options when using the
collection query preview. The following improvements have been made to previewing
collection queries:

Limit the number of rows returned: The limit can be between 1 and 10,000 rows. The default is 5,000 rows.

Omit duplicate rows from the result set:
If the Omit duplicate rows option isn't selected, the original query statement is executed as is, even if the query contains the word distinct.
When the Omit duplicate rows option is selected and the query already contains the word distinct, the query runs as it is. When the query doesn't contain the word distinct, it's added to the query for the preview (that is, the preview overrides the statement).

Review statistics for the query preview, such as the number of rows returned and the elapsed time.

Note

Elapsed times shown for the query preview may not be the same as actual
execution of the target query.
Query execution elapsed time and Displaying results elapsed time shouldn't
be added for a total elapsed time since these processes run in parallel.

Import a collection

When you export a collection from a site, Configuration Manager saves it as a Managed
Object Format (MOF) file. Use this procedure to import that file into your site database.
To complete this procedure, you need Create permissions on the collections class.

Important

Make sure the MOF file contains only collection data, is from a trusted source, and
hasn't been tampered with.

Also make sure to export the file from a site that's the same version of
Configuration Manager as the import site.

For more information about exporting collections, see How to manage collections.

1. In the Configuration Manager console, go to the Assets and Compliance
workspace. Select either the User Collections or the Device Collections node.

2. On the Home tab of the ribbon, in the Create group, select Import Collections.

3. On the General page of the Import Collections Wizard, select Next.

4. On the MOF File Name page, select Browse. Browse to the MOF file that contains
the collection information you want to import.

5. Complete the wizard to import the collection. The new collection is displayed in
the User Collections or Device Collections node of the Assets and Compliance
workspace. Refresh or reload the Configuration Manager console to see the
collection members for the newly imported collection.

Use PowerShell

You can use PowerShell to create and import collections. For more information, see the
following cmdlet articles:

New-CMCollection

Set-CMCollection

Import-CMCollection

Synchronize members to Azure AD groups

Synchronize collection members to Azure AD groups

Next steps
Manage collections

Synchronize collection members to Azure AD groups


How to synchronize collection members to Azure AD groups
Article • 04/11/2023

You can enable the synchronization of collection memberships to an Azure Active Directory (Azure AD) group. This synchronization allows you to use your existing on-premises grouping rules in the cloud by creating Azure AD group memberships based on collection membership results. You can synchronize device or user collections. Only resources with an Azure AD record are reflected in the Azure AD group. Both hybrid Azure AD-joined and Azure AD-joined devices are supported. The synchronization of collection memberships is a one-way process from Configuration Manager to Azure AD. Ideally, Configuration Manager should be the authority for managing the membership for the target Azure AD groups.

Synchronizations can either be full or incremental and they have slightly different
behaviors:

Full synchronization: Occurs on the first synchronization after enabling it. You can
force a full synchronization by selecting the collection, and then choosing
Synchronize Membership from the ribbon. A full synchronization will overwrite
members of the Azure AD group.

Incremental synchronization: Occurs every 5 minutes. Changes made in Azure AD aren't reflected in Configuration Manager collections, but they aren't overwritten by Configuration Manager.

Example synchronization scenario:

1. From Azure AD, create a group called Group1 and add DeviceA, DeviceB, and DeviceC.

Ideally, objects wouldn't be added from Azure AD, since Configuration Manager should manage the group membership.

2. From Configuration Manager, create a collection called Collection1, then add DeviceB and DeviceC.

3. Enable synchronization for Collection1 to Group1.

4. The first synchronization is a full synchronization, so Group1 now contains DeviceB and DeviceC. DeviceA was removed from the group during the full synchronization.

5. Remove DeviceC from Collection1 and wait for an incremental synchronization.

6. Group1 now contains only DeviceB.

7. From Azure AD, add DeviceD to Group1 and wait for an incremental synchronization.

8. Group1 now contains DeviceB and DeviceD.

9. From Configuration Manager, select Collection1, and choose Synchronize Membership from the ribbon to force a full synchronization.

10. Group1 now contains only DeviceB.

Prerequisites for Azure AD synchronization

Integration with Azure AD for cloud management

Azure AD user discovery

An HTTPS or Enhanced HTTP-enabled management point

Access to the All Systems collection

Create a group and set the owner in Azure AD

1. Sign in to the Azure portal.

2. Navigate to Azure Active Directory > Groups > All groups.

3. Select New group, enter a Group name, and optionally enter a Group description.

4. Make sure that Membership type is Assigned.

5. Select Owners, then add the identity that will create the synchronization
relationship in Configuration Manager.

Tip

The Server App (service principal) of the Azure AD tenant will be the owner of the created Azure AD group.

6. Select Create to finish creating the Azure AD group.

Enable collection synchronization for the Azure service

1. In the Configuration Manager console, go to the Administration workspace.
Expand Cloud Services, and select the Azure Services node.

2. Select the cloud management service for the Azure AD tenant where you created
the group. Then in the ribbon, select Properties.

3. Switch to the Collection Synchronization tab, and select the option to Enable
Azure Directory Group Sync.

4. Select OK to save the setting.

Enable the collection to synchronize

1. In the Configuration Manager console, go to the Assets and Compliance
workspace, and select either the Device Collections or User Collections node.

2. Select the collection to sync. Then in the ribbon, select Properties.

3. Switch to the Cloud Sync tab, and select Add.

4. If necessary, change the Tenant to where you created the Azure AD group.

5. Type in your search criteria in the Name starts with field, then select Search. If you
leave the criteria blank, the search returns all groups from the tenant. If it prompts
you to sign in, use the identity you specified as the owner for the Azure AD group.

6. Choose the target group, and then select OK to add the group. Select OK again to
exit the collection's properties.

Wait about five to seven minutes before you can verify the group memberships in the
Azure portal. To start a full synchronization, select the collection, and then in the ribbon
select Synchronize Membership.

Use PowerShell

You can use PowerShell to synchronize collections. For more information, see the
following cmdlet article:

Set-CMCollectionCloudSync

Monitor the collection synchronization status

1. In the Configuration Manager console, go to the Monitoring workspace.

2. Select Collection Cloud Sync, and select either the Device Collections or User Collections node.

3. The view lists all the collections that are enabled for cloud sync and their relevant details.

4. Right-click a column header to add columns and view more information.

5. When you select a collection, you can view the status of each collection member in the bottom pane.

6. The members are categorized by sync status: Success, Failed, or In Progress.

7. On the Failed tab, you can find the reason for failure for each member.

Default columns:

Collection Id – ID of the collection
Collection Name – Name of the collection
AAD Group Id – Configured Azure AD group ID
AAD Group Name – Configured Azure AD group name
Cloud Sync Status – Overall status of the collection's synchronization:
Success: All members are synchronized to the target Azure AD group
Partial Success: At least one member is synchronized to the target Azure AD group
Failed: All members failed to synchronize to the target Azure AD group
In Progress: Synchronization is in progress
Member Count – Count of members of the collection
Sync Completed – Count of members successfully synchronized
Sync InProgress – Count of members pending synchronization
Sync Failed – Count of members that failed to synchronize

Optional columns:

Cloud Service Id – ID of the Azure service that is used for cloud sync
Collection Type – Type of collection (Device or User)
Last Full Sync Member Count – Count of members synchronized during the last full sync
Last Full Sync Status – Status of the last full sync cycle
Last Full Sync Time – Time of the last full sync cycle
Last Sync Member Count – Count of members synchronized during the last sync
Last Sync Status – Status of the last sync cycle
Last Sync Time – Time of the last sync cycle

Verify the Azure AD group membership

1. Go to the Azure portal.

2. Navigate to Azure Active Directory > Groups > All groups.

3. Find the group you created and select Members.

4. Confirm that the members reflect the resources in the Configuration Manager
collection. Only resources with Azure AD identity show in the group.
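
The same check as the four steps above, scripted so it can run on a schedule: it compares a device collection's members with the Azure AD group it synchronizes to, and separates devices that only Azure AD knows about (added outside Configuration Manager, like DeviceD in the scenario earlier) from devices that haven't reached the group yet. This is an added example, not code from the Configuration Manager documentation; it assumes the console module is already loaded on the site drive (as in the earlier example), the Microsoft.Graph PowerShell SDK, a device collection, and the placeholder names Collection1 and Group1.

```powershell
# Added example (not from the Configuration Manager documentation): report
# membership drift between a Configuration Manager device collection and the
# Azure AD group it is synchronized to. Assumes the ConfigurationManager module
# is loaded and the current location is the site drive, and that the
# Microsoft.Graph.Groups module is installed. Names are placeholders.
#Requires -Modules Microsoft.Graph.Groups

function Compare-CMCloudSyncMembership {
    param(
        [Parameter(Mandatory)] [string] $CollectionName,
        [Parameter(Mandatory)] [string] $GroupName
    )

    # Configuration Manager side: the authority for the group's membership.
    # Device names are compared case-insensitively.
    $CmMembers = @(Get-CMCollectionMember -CollectionName $CollectionName |
        ForEach-Object { $_.Name.ToLowerInvariant() })

    # Azure AD side, read through Microsoft Graph. Group members come back as
    # directory objects whose displayName lives in AdditionalProperties.
    Connect-MgGraph -Scopes 'GroupMember.Read.All' | Out-Null
    $Group = Get-MgGroup -Filter "displayName eq '$GroupName'"
    if (-not $Group) { throw "Azure AD group '$GroupName' not found" }
    $AadMembers = @(Get-MgGroupMember -GroupId $Group.Id -All |
        ForEach-Object { [string]$_.AdditionalProperties['displayName'] } |
        Where-Object { $_ } |
        ForEach-Object { $_.ToLowerInvariant() })

    [pscustomobject]@{
        Collection = $CollectionName
        Group      = $GroupName
        # Present on both sides: synchronized as expected.
        InSync     = @($CmMembers | Where-Object { $_ -in $AadMembers })
        # Only in Configuration Manager: no Azure AD record for the device,
        # a sync still in progress, or a sync failure (check the Monitoring
        # workspace, Collection Cloud Sync, Failed tab for the reason).
        OnlyInConfigMgr = @($CmMembers | Where-Object { $_ -notin $AadMembers })
        # Only in Azure AD: added outside Configuration Manager. Incremental
        # syncs leave these in place; they are removed by the next full sync
        # (Synchronize Membership in the ribbon).
        OnlyInAzureAD   = @($AadMembers | Where-Object { $_ -notin $CmMembers })
    }
}

# Placeholder names from the scenario in this article.
$Report = Compare-CMCloudSyncMembership -CollectionName 'Collection1' -GroupName 'Group1'
$Report | Format-List

# Treat unexpected Azure AD-side additions as a finding worth investigating,
# since they mean the group is being managed from two places.
if ($Report.OnlyInAzureAD.Count -gt 0) {
    Write-Warning ("{0} member(s) of '{1}' were not placed there by Configuration Manager: {2}" -f
        $Report.OnlyInAzureAD.Count, $Report.Group, ($Report.OnlyInAzureAD -join ', '))
}
```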
How to manage collections in Configuration Manager
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

Use the overview information in this article to help you run management tasks for
collections in Configuration Manager.

For information about how to create Configuration Manager collections, see How to
create collections.

Collection actions

In the Configuration Manager console, go to the Assets and Compliance workspace.
Select Device Collections or User Collections, select the collection to manage, and then
select a management task.

Manage device collections

Show Members
Displays all of the resources that are members of the selected collection in a temporary
node under the Devices node.

Add Selected Items

Provides the following options:

Add Selected Items to Existing Device Collection: Opens the Select Collection
window. Select the collection to which you want to add the members of the
selected collection. The selected collection is included in this collection by using an
Include Collections membership rule.

Add Selected Items to New Device Collection: Opens the Create Device
Collection Wizard where you can create a new collection. The selected collection is
included in this collection by using an Include Collections membership rule.

For more information, see How to create collections.

Install Client
Opens the Install Client Wizard. This wizard uses client push installation to install a
Configuration Manager client on all computers in the selected collection. For more
information, see Client push installation.

Run Script

Opens the Run Script wizard to run a PowerShell script on all of the clients in the
collection. For more information, see Create and run PowerShell scripts.

Start CMPivot
Opens CMPivot for this collection. Use CMPivot to query device information and take
action in real time. For more information, see CMPivot for real-time data.

Manage Affinity requests

Opens the Manage User Device Affinity Requests dialog box. Approve or reject
pending requests to establish user device affinities for devices in the selected collection.
For more information, see Link users and devices with user device affinity.

Clear Required PXE deployments

Clears any required PXE boot deployments from all members of the selected collection.
For more information, see Use PXE to deploy Windows over the network.

Update membership

Evaluates the membership for the selected collection. For collections with many
members, this update might take some time to finish. Use the Refresh action to update
the display with the new collections members after the update is completed.

Synchronize membership
If you configured this collection for cloud sync, synchronize the current membership
with an Azure Active Directory group. For more information, see Create collections.

Add resources
Opens the Add Resources to Collection window. Search for new resources to add to the
selected collection. The icon for the selected collection displays an hourglass symbol
while the update is in progress.

Client notification
For more information, see Client notifications.

Client diagnostics
Displays the following options:

Enable verbose logging
Disable verbose logging
Collect client logs

For more information, see Client diagnostics.

Endpoint Protection

For more information, see Client notifications: Endpoint protection.

Export

Opens the Export Collection Wizard that helps you export this collection to a Managed
Object Format (MOF) file. You can then archive this file, or import it to another
Configuration Manager site. When you export a collection, referenced collections aren't
exported. A referenced collection is referenced by the selected collection by using an
Include or Exclude rule.

Copy
Creates a copy of the selected collection. The new collection uses the selected collection
as a limiting collection.

Refresh

Refresh the view.

Delete
Deletes the selected collection. You can also delete all of the resources in the collection
from the site database.

You can't delete the collections that are built into Configuration Manager. For a list of
the built-in collections, see Introduction to collections.

Starting in version 2203, when you delete a collection, you can review and delete its
dependent collections at the same time. For more information, see Delete collection
references.

Simulate deployment

Opens the Simulate Application Deployment Wizard. This wizard lets you test the
results of an application deployment without installing or uninstalling the application.
For more information, see How to simulate application deployments.

Deploy

Displays the following options:

Application: Opens the Deploy Software Wizard. Select and configure an application deployment to the selected collection. For more information, see How to deploy applications.

Program: Opens the Deploy Software Wizard. Select and configure a package and
program deployment to the selected collection. For more information, see
Packages and programs.

Configuration Baseline: Opens the Deploy Configuration Baselines window. Configure the deployment of one or more configuration baselines to the selected collection. For more information, see How to deploy configuration baselines.

Task Sequence: Opens the Deploy Software Wizard. Select and configure a task
sequence deployment to the selected collection. For more information, see Deploy
a task sequence.

Software Updates: Opens the Deploy Software Updates Wizard. Configure the
deployment of software updates to resources in the selected collection. For more
information, see Deploy software updates.

View relationships

For more information, see View collection relationships.

Move
Move the selected collection to another folder in the Device Collections node.

Properties

For more information, see Collection properties.

Delete collection references

Previously, when you would delete a collection with dependent collections, you first had
to delete the dependencies. The process of finding and deleting all of these collections
could be difficult and time consuming. Starting in version 2203, when you delete a
collection, you can review and delete its dependent collections at the same time.

A new Details window shows more information about the relationship types, and lets
you view collection relationships in a graphical chart.

1. Delete a collection that has dependent collections.

2. In the Delete Collection Error window, select Details.

3. Once the relationship types finish loading, select View Relationships to see the
graph.

4. If all of the dependent collections can be deleted, select Delete all listed
collections.

5. Review the list of collections and any software deployments that the site will also
remove. You also can Delete each collection member from the database.

There are several reasons why the site can't delete a dependent collection:

Assigned to user: For more information, see Modify the administrative scope of an
administrative user.
Used by cloud attach: For more information, see Enable cloud attach for
Configuration Manager.

Use for upload to Microsoft Intune: For more information, see Make
Configuration Manager collections available to assign Endpoint security policies.

The details window lists collections that can't be deleted with the reason why.

Known issue when deleting collection references

Consider the scenario where you're deleting collections with references, and another
administrative user is simultaneously creating a reference to a collection that you're
deleting. When this behavior occurs, the console displays an error, and the collection
isn't deleted.

Manage user collections

The following actions are available on user collections. The behaviors are the same as
with device collections, other than they apply to user collections and the users within.
For more information, see the corresponding action under Manage device collections.

Show Members
Add Selected Items
Add Selected Items to Existing User Collection
Add Selected Items to New User Collection
Manage Affinity Requests
Update Membership
Synchronize Membership
Add Resources
Export
Copy
Refresh
Delete
Simulate Deployment
Deploy
Application
Program
Configuration Baseline
View Relationships
Move
Properties
Collection properties

When you view properties for a collection, you can view and configure the following
options:

General: View and configure general information about the selected collection
including the collection name, the limiting collection, the collection ID, and last
update times.

Membership Rules: Configure the membership rules that define the membership
of this collection. For more information, see How to create collections.

Power Management: Configure power management plans that you've assigned to computers in the selected collection. For more information, see Introduction to power management.

Deployments: Displays any software that you've deployed to members of the selected collection.

Maintenance Windows: View and configure maintenance windows that are applied to members of the selected collection. For more information, see How to use maintenance windows.

Collection Variables: Configure variables that apply to this collection and can be used by task sequences. For more information, see How to set task sequence variables.

Distribution Point Groups: Associate one or more distribution point groups to members of the selected collection. For more information, see Manage content and content infrastructure.

Cloud Sync: Synchronize collection membership results to Azure Active Directory groups. For more information, see Create collections.

Starting in version 2006, you can also make this collection available to assign
endpoint security policies when you tenant-attach the site. For more information,
see Tenant attach: Onboard Configuration Manager clients to Microsoft Defender
for Endpoint from the admin center.

Security: Displays the administrative users who have permissions for the selected
collection from associated roles and security scopes. For more information, see
Fundamentals of role-based administration.

Alerts: Configure when alerts are generated for client status and endpoint
protection. For more information, see How to configure client status and How to
monitor endpoint protection.

Automate with Windows PowerShell

You can use the following PowerShell cmdlets to manage collections:

Generic cmdlets for all collection types

Basic cmdlets
Get-CMCollection
New-CMCollection
Remove-CMCollection
Set-CMCollection

Other actions

Copy-CMCollection
Export-CMCollection
Get-CMCollectionMember
Get-CMCollectionSetting
Import-CMCollection
Invoke-CMCollectionUpdate

Get membership rules

Get-CMCollectionDirectMembershipRule
Get-CMCollectionExcludeMembershipRule
Get-CMCollectionIncludeMembershipRule
Get-CMCollectionQueryMembershipRule

Remove membership rules

Remove-CMCollectionDirectMembershipRule
Remove-CMCollectionExcludeMembershipRule
Remove-CMCollectionIncludeMembershipRule
Remove-CMCollectionQueryMembershipRule

Device collection-specific cmdlets

Basic actions for device collections
Get-CMDeviceCollection
New-CMDeviceCollection

Device collection variables

Get-CMDeviceCollectionVariable
New-CMDeviceCollectionVariable
Remove-CMDeviceCollectionVariable
Set-CMDeviceCollectionVariable

Add device collection membership rules

Add-CMDeviceCollectionDirectMembershipRule
Add-CMDeviceCollectionExcludeMembershipRule
Add-CMDeviceCollectionIncludeMembershipRule
Add-CMDeviceCollectionQueryMembershipRule

Get device collection membership rules

Get-CMDeviceCollectionDirectMembershipRule
Get-CMDeviceCollectionExcludeMembershipRule
Get-CMDeviceCollectionIncludeMembershipRule
Get-CMDeviceCollectionQueryMembershipRule

Remove device collection membership rules

Remove-CMDeviceCollectionDirectMembershipRule
Remove-CMDeviceCollectionExcludeMembershipRule
Remove-CMDeviceCollectionIncludeMembershipRule
Remove-CMDeviceCollectionQueryMembershipRule

User collection-specific cmdlets

Get-CMUserCollection
New-CMUserCollection

Add user collection membership rules

Add-CMUserCollectionDirectMembershipRule
Add-CMUserCollectionExcludeMembershipRule
Add-CMUserCollectionIncludeMembershipRule
Add-CMUserCollectionQueryMembershipRule

Get user collection membership rules

Get-CMUserCollectionDirectMembershipRule
Get-CMUserCollectionExcludeMembershipRule
Get-CMUserCollectionIncludeMembershipRule
Get-CMUserCollectionQueryMembershipRule

Remove user collection membership rules

Remove-CMUserCollectionDirectMembershipRule
Remove-CMUserCollectionExcludeMembershipRule
Remove-CMUserCollectionIncludeMembershipRule
Remove-CMUserCollectionQueryMembershipRule

Next steps
Client notifications

View collection relationships

View collection relationships
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can view dependency relationships between collections in a graphical format. It shows limiting, include, and exclude relationships.

If you want to change or delete collections, view the relationships to understand the
effect of the proposed change. Before you create a deployment, look at the potential
target collection for any include or exclude relationships that might affect the
deployment.

When you select the View Relationships action on a device or user collection:

To view the relationships with parent collections, select Dependency.

To view the relationships with child collections, select Dependent.

For example, if you select the All Systems collection to view its relationships, the
Dependency node will be 0 as it has no parent collections.

Use the following tips to navigate the relationship viewer:

Select the plus ( + ) or minus ( - ) icons next to the collection name to expand or
collapse members of a node.

The number in parentheses after the collection name is the number of relationships. If the number is 0, then that collection is the final or leaf node in that relationship tree.

The style and color of the line between the collections indicates the type of relationship.
If you hover over a specific line, a tooltip shows the relationship type.

The maximum number of child nodes displayed depends upon the level of the
graph:
First level: five nodes
Second level: three nodes
Third level: two nodes
Fourth level: one node

If there are more objects than the graph can display at that level, you'll see the
More icon.

When the width of the tree is larger than the window, use the green arrows to the
right or the left to view more.

When a node of the relationship tree is larger than the available space, select More
to change the view to just that node.

To navigate to a prior view, select the Back arrow in the upper right corner. Select
the Home icon to return to the main page.

Use the Search box in the upper right corner to locate a collection in the current
tree view.

Use the Navigator in the lower right corner to zoom and pan around the tree. You
can also print the current view.

You can only see relationships between collections to which you have permission:

If you have permission for All Systems or All Users and User Groups, then you'll
see all relationships.
If you don't have permission for a specific collection, you don't see it in the
graph, and can't view its relationships.

Improvements in version 2103

Starting in version 2103, you can view both dependency and dependent relationships
together in a single graph. This change allows you to quickly see an overview of all the
relationships of a collection at once and then drill down into specific related collections.
It also includes other filtering and navigation improvements.

The following example shows the relationships for the "c1" collection in the center. It's
dependent upon the collections above it (parents), and has dependencies below it
(children).

To see the relationships of another collection in the graph, select it to open a new
window targeted on that collection.

Other improvements:

There's a new Filter button in the upper right corner. This action lets you reduce
the graph to specific relationship types: Limiting, Include, or Exclude.

If you don't have permissions to all related collections, the graph includes a
warning message that the graph may be incomplete.
When the graph is wider than the window can display, use the page navigation
controls in the upper left corner. The first number is the page for parents (above),
and the second number is the page for children (below). The window title also
shows the page numbers.

The tooltip for a collection displays the count of dependencies it has and the count of dependent collections, where applicable. This count only includes unique subcollections. The count no longer displays in the parentheses next to the collection name.

Previously the Back button took you through your viewing history. Now it takes
you to the previously selected collection. For example, changing pages for the
current collection doesn't activate the Back button. When you select a new
collection, you can select Back to return to the original collection graph.

Tip

Hold the Ctrl key and scroll the mouse wheel to zoom the graph.

For more information on how to navigate the collection dependency graph with a
keyboard, see Accessibility features.

Next steps
How to view collection evaluation
How to view collection evaluation
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Starting in Configuration Manager version 2010, the functionality of Collection
Evaluation Viewer is integrated into the Configuration Manager console. On each
primary site, this functionality provides administrators a central location to view and
troubleshoot the collection evaluation process. The console displays the following
information:

Historic and live information for full and incremental collection evaluations
The evaluation queue status
The time for collection evaluations to complete
Which collections are currently being evaluated
The estimated time that a collection evaluation will start and complete

Tip

Viewing collection evaluation at the CAS changed in Configuration Manager
version 2103. For more information, see the Collection evaluation information at
the CAS section.

When using the console connected to a CAS using Configuration Manager 2010,
you'll see the following behavior:

Evaluation-related columns for device collections won't contain data.
The Collection Evaluation node under the Monitoring workspace isn't shown.
Evaluation-related information, such as evaluation status and links to the
collection evaluation queues, won't be shown in the collection Summary
group pane.

Collection evaluation queues

The collection evaluation process evaluates the membership rules of a collection to
update its members. A primary site places a collection that it's evaluating into one of
four different queues:

Full Evaluation Queue: For collections due for full evaluation
Incremental Evaluation Queue: For collections with incremental evaluation
Manual Evaluation Queue: For collections that an administrator has manually
selected for evaluation from the console
New Evaluation Queue: For newly created collections

Add columns for the Device Collections node

Adding columns to the Device Collections node allows you to view collection evaluation
information for multiple collections.

1. Connect the Configuration Manager console to a primary site.

2. Go to Assets and Compliance > Overview > Device Collections.
3. Add any or all of the following columns prefixed by the type of evaluation:

Evaluation (Full)
Last Completion Time: When the last collection evaluation completed
(default column)
Run Time: How long the last collection evaluation ran, in seconds
Next Refresh Time: When the next full evaluation starts
Member Changes: The member changes in the last collection evaluation.
Positive numbers mean members were added while negative numbers
mean members were removed.
Last Member Change Time: The most recent time that there was a
membership change in the collection evaluation
Evaluation (Incremental)
Last Evaluation Completion Time: When the last collection evaluation
completed
Run Time: How long the last collection evaluation ran, in seconds
Member Changes: The member changes in the last collection evaluation.
These changes are either plus (members added) or minus (members
removed).
Last Member Change Time: The most recent time that there was a
membership change in the collection evaluation
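
The data behind the Last Completion Time and Last Member Change Time columns is also reachable from the Configuration Manager PowerShell module, which is useful when you want to review evaluation health for hundreds of collections rather than scroll the console. The following script is an added example, not from the Configuration Manager documentation or product; it reports each device collection's refresh type, member count, last refresh and last member-change times, and flags collections whose last evaluation is older than a threshold. The site code PS1 and server cm01.contoso.local are placeholders, and the RefreshType bit values and the LastRefreshTime, LastMemberChangeTime and MemberCount property names are assumptions based on the SMS_Collection WMI class. Run time and next refresh time are not on that class, so the report covers only the columns that are.

```powershell
# Added example: report collection evaluation data from PowerShell.
# Assumptions: the console (and its PowerShell module) is installed locally;
# 'PS1' and 'cm01.contoso.local' are placeholders for your site code and server.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode   = 'PS1'
$SiteServer = 'cm01.contoso.local'
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):"

# SMS_Collection.RefreshType is a bit field (assumed values):
# 1 = manual only, 2 = scheduled full evaluation, 4 = incremental, 6 = both.
function Get-RefreshTypeName {
    param([int]$RefreshType)
    switch ($RefreshType) {
        1       { 'Manual' }
        2       { 'Scheduled' }
        4       { 'Incremental' }
        6       { 'Scheduled+Incremental' }
        default { "Unknown($RefreshType)" }
    }
}

# One row per device collection, using the evaluation-related properties
# that SMS_Collection exposes (last refresh, last member change).
function Get-CollectionEvaluationReport {
    param([int]$StaleDays = 7)
    $staleBefore = (Get-Date).AddDays(-$StaleDays)
    foreach ($c in Get-CMDeviceCollection) {
        [pscustomobject]@{
            Name             = $c.Name
            CollectionID     = $c.CollectionID
            Refresh          = Get-RefreshTypeName $c.RefreshType
            MemberCount      = $c.MemberCount
            LastRefresh      = $c.LastRefreshTime
            LastMemberChange = $c.LastMemberChangeTime
            # Manual-only collections never refresh on their own, so don't call them stale.
            Stale            = ($c.RefreshType -ne 1) -and ($c.LastRefreshTime -lt $staleBefore)
        }
    }
}

$report = Get-CollectionEvaluationReport -StaleDays 7
$report | Sort-Object LastRefresh | Format-Table -AutoSize

# Every collection with incremental evaluation enabled is re-evaluated on each
# incremental cycle, so the count is worth knowing when queues are long.
$incremental = @($report | Where-Object { $_.Refresh -like '*Incremental*' })
"Collections with incremental evaluation enabled: $($incremental.Count)"
"Collections not refreshed in the last 7 days:"
$report | Where-Object Stale | Select-Object Name, CollectionID, LastRefresh
```

Run the script from a console-installed machine with rights to the site; compare the Stale list against the Full Evaluation Queue node in Monitoring to tell a collection that is simply waiting its turn from one whose schedule is broken.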

View evaluation information from the collection summary

View the collection summary information to get information specific to the evaluation of
a single collection.

1. Connect the Configuration Manager console to a primary site.

2. Go to Assets and Compliance > Overview > Device Collections.
3. Select a collection from the Device Collections node.
4. In the Summary group pane for the collection, review the evaluation-related
information for the selected collection.

5. The Related Objects give links to view status of the collection in the specific queue.
These links take you to the queues in the Monitoring workspace under the
Collection Evaluation node.

This action creates a new node where you can see the evaluation status for the
specific collection.

Monitoring collection evaluation queues

Monitoring the collection evaluation queues can give you deeper insight into the
collection evaluation process.

1. Connect the Configuration Manager console to a primary site.

2. From the Monitoring workspace, go to the Collection Evaluation node. Starting in
Configuration Manager 2103, go to Monitoring > Collection Evaluation >
Collection Evaluation Queue. The following queues are summarized and have their
own nodes:

Full Evaluation Queue: For collections due for full evaluation
Incremental Evaluation Queue: For collections with incremental evaluation
Manual Evaluation Queue: For collections that an administrator has manually
selected for evaluation from the console
New Evaluation Queue: For newly created collections

3. The total number of collections in queue and queue length is listed as a summary.
Additionally, the following status summaries for the evaluation queues are listed:

Number of collections in queue
Queue length
Current evaluation collection
Current evaluation started on
Current evaluation elapsed (seconds)

4. Starting in Configuration Manager 2103, you can:

Configure a primary site's refresh interval for the Collection Evaluation
statistics page to be between 1 minute and 1440 minutes (1 day). Typically,
collection evaluation occurs over the course of seconds or minutes. However,
you can change the statistics refresh to accommodate your environment. The
default Refresh Interval (minutes) is 5.
Copy collection evaluation statistics as structured text to the clipboard. Use
the Copy button in the ribbon to copy the statistics. When the text is pasted
into a text editor, it's structured to make it easy to read.
5. Selecting the node for a queue brings up detailed status for the queue including:

Name: Name of the collection
Collection ID: ID of the collection
Estimated Completion Time: When the evaluation is estimated to complete
Estimated Run Time: How long the evaluation is estimated to run, in
day:hour:minute:second format

Full and incremental evaluation status nodes
(Introduced in 2103)

The Full Evaluation Status and Incremental Evaluation Status subnodes have been
added to the Collection Evaluation node in the Monitoring workspace.

On a primary site, Full Evaluation Status and Incremental Evaluation Status show
the data for the local evaluations.

On a CAS, Full Evaluation Status and Incremental Evaluation Status shows the
data from the primary site with the longest run time.
Using the longest runtime for these nodes is the same logic that's used for the
collection evaluation columns at the CAS.

Collection evaluation information at the CAS
(Introduced in 2103)

Since collection evaluation happens at the primary site level, the collection evaluation
view on the CAS is a summary of what's occurring on the primary sites. Starting in
Configuration Manager version 2103, there are two new tabs in the details pane of the
collection view in the console. The following new tabs show collection evaluation
information from all primary sites in hierarchy:

Evaluation (Full) In Hierarchy
Evaluation (Incremental) In Hierarchy


From the Device Collections node at the CAS, the evaluation columns display the
evaluation status from the primary site with the longest run time. The column
information at the CAS for the full evaluation status could be from a different primary
site than the incremental information since the longest runtime for the incremental
might have occurred at a different primary.

For instance, incremental evaluation for the All Systems collection on the WMI primary
site takes longer than the other primary sites. The full evaluation columns on the CAS
display the information from primary site WMI for the All Systems collection in the
Device Collections node.

Drill through from collection evaluation queue or status view to a collection
(Introduced in 2103)

You can navigate to a collection in the Assets and Compliance workspace from a
collection evaluation status view or evaluation queue in the Monitoring workspace.
Select a collection from one of the status views or queues, then choose View collection
from the ribbon or right-click menu to open the collection.

Navigation to the collection from queues won't occur if the collection evaluation has
completed. You can only drill through from an item in a queue that's still currently
running its evaluation. If the evaluation has already completed, the View collection
action takes you to the main collection view. Drill through from the evaluation status
views, Full Evaluation Status and Incremental Evaluation Status, will always take you to
the collection.

Next steps
Learn more about Collection evaluation in Configuration Manager.

How to use maintenance windows in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use maintenance windows to define when Configuration Manager can run impacting
tasks on devices. Maintenance windows help make sure that client configuration
changes occur during times that don't affect productivity. With Software Center, users
can see the device's next maintenance window on the Installation status tab.

The following tasks support maintenance windows:

Application and package deployments

Software update deployments

Compliance settings deployment and evaluation

OS and custom task sequence deployments

Configure maintenance windows with an effective date, a start and end time, and a
recurrence pattern. The maximum duration of a single window is 24 hours; the console
doesn't allow a maintenance window longer than that. For example, if you want to allow
maintenance all day Saturday and Sunday, create two maintenance windows, one 24-hour
window for each day.

By default, computer restarts caused by a deployment aren't allowed outside of a
maintenance window, but you can override the default. Maintenance windows affect
only the time when the deployment runs. Deployments that you configure to download
and run locally can download content outside of the window.

When a client is a member of a device collection that has a maintenance window, a
deployment runs only if its maximum allowed run time doesn't exceed the duration of
the window. If the deployment fails to run, the client generates an alert. It then reruns
the deployment during the next scheduled maintenance window that has available time.

Tip

A maintenance window is for a client. A service window is for a site server. For more
information, see Service windows for site servers.

Multiple maintenance windows

When a client computer is a member of multiple device collections that have
maintenance windows, these rules apply:

If the maintenance windows don't overlap, the client treats them as two
independent maintenance windows.

If the maintenance windows overlap, the client treats them as a single window for
the entire time of both windows. For example, you create two maintenance
windows on a collection. The first is effective from 6:00 to 7:00, and the second is
effective from 6:30 to 7:30. Because they overlap by 30 minutes, the effective
duration of the combined maintenance window is 90 minutes from 6:00 to 7:30.

When a user installs an application from Software Center, the client starts it immediately.
It prioritizes the user's intent over the administrator's.

If an application deployment with a purpose of Required reaches its installation
deadline during the non-business hours that a user configures in Software Center, the
client installs the application. It prioritizes the administrator's intent over the user's.

By default, with multiple maintenance windows, the client only installs software updates
during Software Update type windows. It ignores any All deployments maintenance
windows, unless they're the only type. You can configure this behavior with the following
client setting in the Software updates group: Enable installation of software updates in
"All deployments" maintenance window when "Software Update" maintenance
window is available. For more information, see About client settings.

Note

This setting also applies to maintenance windows that you configure to apply to
Task sequences.

If the client only has an All deployments window available, it still installs software
updates or task sequences in that window.

Configure maintenance windows


1. In the Configuration Manager console, go to the Assets and Compliance
workspace.

2. Select the Device Collections node, and then select a collection.


Note

You can't create maintenance windows for the All Systems collection.

3. On the Home tab of the ribbon, in the Properties group, choose Properties.

4. Switch to the Maintenance Windows tab, and select the New icon.

a. Specify a Name to uniquely identify this maintenance window for the collection.

b. Configure the Time settings:

Effective date: The date when the maintenance window starts. The
default is the current date.

Start and End: The start and end times of the maintenance window. It
calculates the Duration for the window. The minimum duration is five
minutes, and the maximum is 24 hours. The default duration is three
hours, from 01:00 to 04:00.

Coordinated Universal Time (UTC): Enable this option for the client to
interpret the start and end times in the UTC time zone. For regionally or
globally distributed devices in the same collection, this option sets the
maintenance window to occur simultaneously on all devices in the
collection. Disable this option for the client to use the device's local time
zone. This option is disabled by default.

c. Configure the recurrence pattern. The default is once per week on the current
day of the week.

Note

Starting in version 2207, you can offset monthly maintenance window
schedules to better align deployments with the release of monthly security
updates. For example, an offset of two days after the second Tuesday of the
month sets the maintenance window for the following Thursday.

d. Apply this schedule to: By default the window applies to All deployments. You
can select either Software updates or Task sequences to further control what
deployments run during this window.

Tip

If you configure multiple maintenance windows of different types on the
same collection, make sure you understand the client behaviors. For more
information, see Multiple maintenance windows.

5. Select OK to save and close the window.

The Maintenance Windows tab of the collection properties displays all configured
windows.

Use PowerShell
You can use PowerShell to configure maintenance windows. For more information, see
the following articles:

Get-CMMaintenanceWindow
New-CMMaintenanceWindow
Remove-CMMaintenanceWindow
Set-CMMaintenanceWindow
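
As an added example, not from the documentation or the product, the following Windows PowerShell script uses those cmdlets to create a Software updates window offset from the second Tuesday of the month (the version 2207 behavior described in the Note above), and then applies the overlap rule from Multiple maintenance windows to the windows configured on a collection to show the effective windows a client would use. The site code PS1 and collection name Servers - Pilot are placeholders; New-CMSchedule's -OffsetDay parameter assumes version 2207 or later, and the StartTime and Duration property names on the objects that Get-CMMaintenanceWindow returns are assumptions. The merge compares windows by time of day only, which is what the overlap example in the text does; windows that cross midnight are outside its scope.

```powershell
# Added example: create a monthly, offset maintenance window and compute the
# effective (merged) windows on a collection. Placeholders: site code 'PS1',
# collection 'Servers - Pilot'. -OffsetDay assumes version 2207 or later.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

$Collection = Get-CMDeviceCollection -Name 'Servers - Pilot'

# Second Tuesday + 2 days = Thursday; 02:00 to 06:00 UTC; recurs every month.
$Start    = Get-Date -Hour 2 -Minute 0 -Second 0 -Millisecond 0
$Schedule = New-CMSchedule -Start $Start -DurationInterval Hours -DurationCount 4 `
                -DayOfWeek Tuesday -WeekOrder Second -OffsetDay 2 -RecurCount 1 -IsUtc

New-CMMaintenanceWindow -InputObject $Collection `
    -Name 'SU - 2nd Tuesday +2, 02:00-06:00 UTC' `
    -Schedule $Schedule -ApplyTo SoftwareUpdatesOnly -IsUtc $true | Out-Null

# Merge overlapping windows into the single window the client treats them as.
# Input: objects with StartMinute/EndMinute (minutes since midnight, same day).
function Merge-MaintenanceWindows {
    param([object[]]$Windows)
    $merged = New-Object System.Collections.Generic.List[object]
    foreach ($w in ($Windows | Sort-Object StartMinute)) {
        $last = if ($merged.Count -gt 0) { $merged[$merged.Count - 1] } else { $null }
        if ($last -and $w.StartMinute -le $last.EndMinute) {
            # Overlap (or touching): extend the current window instead of adding one.
            if ($w.EndMinute -gt $last.EndMinute) { $last.EndMinute = $w.EndMinute }
        } else {
            $merged.Add([pscustomobject]@{ StartMinute = $w.StartMinute; EndMinute = $w.EndMinute })
        }
    }
    return $merged
}

# Convert the collection's configured windows. Duration must be 5..1440 minutes;
# the console enforces this, the check catches windows written by other tools.
$windows = foreach ($mw in Get-CMMaintenanceWindow -InputObject $Collection) {
    if ($mw.Duration -lt 5 -or $mw.Duration -gt 1440) {
        Write-Warning "$($mw.Name): duration $($mw.Duration) min is outside 5..1440"
    }
    $startMin = $mw.StartTime.Hour * 60 + $mw.StartTime.Minute
    [pscustomobject]@{ Name = $mw.Name; StartMinute = $startMin; EndMinute = $startMin + $mw.Duration }
}
Merge-MaintenanceWindows $windows | ForEach-Object {
    # [math]::Floor, not [int], because [int] rounds 7.5 up to 8.
    '{0:00}:{1:00} - {2:00}:{3:00} ({4} min)' -f [math]::Floor($_.StartMinute / 60), ($_.StartMinute % 60),
        [math]::Floor($_.EndMinute / 60), ($_.EndMinute % 60), ($_.EndMinute - $_.StartMinute)
}

# The documented case: 06:00-07:00 and 06:30-07:30 merge to 06:00-07:30 (90 min).
$sample = @(
    [pscustomobject]@{ StartMinute = 360; EndMinute = 420 },
    [pscustomobject]@{ StartMinute = 390; EndMinute = 450 }
)
$m = Merge-MaintenanceWindows $sample
'Sample merges to {0} window(s), {1} minutes' -f $m.Count, ($m[0].EndMinute - $m[0].StartMinute)
```

The merged list is what matters when you reason about whether a deployment's maximum allowed run time fits: two short windows that touch are one longer window to the client, and a gap of even one minute between them is not.
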
Security and privacy for collections in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article contains security recommendations and privacy information for collections in
Configuration Manager.

Security recommendations
When you export or import a collection by using a managed object format (MOF) file
that's saved to a network location, secure the location and the network channel. Restrict
who can access the network folder. Use Server Message Block (SMB) signing or Internet
Protocol security (IPsec) between the network location and the site server. These
mechanisms help prevent an attacker from tampering with the exported collection data.
Use IPsec to encrypt the data on the network to prevent information disclosure.
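
An added example, not from the documentation, of the checks a practitioner can run before writing an exported collection MOF file to a share: it confirms that the file server requires SMB signing (and reports whether SMB encryption is on, which covers confidentiality on the wire where IPsec isn't in use), lists share access entries outside an expected set, and records the export's SHA-256 hash so that tampering can be detected before import. The server, share, principal and file names are placeholders.

```powershell
# Added example: verify the share used for collection MOF export/import.
# Placeholders: file server, share, allowed principals, and the export file.
$FileServer = 'fs01.contoso.local'
$ShareName  = 'CMExports'
$Allowed    = @('CONTOSO\CM-Admins', 'CONTOSO\CM01$')
$ExportFile = "\\$FileServer\$ShareName\Servers-Pilot.mof"

# 1. SMB signing must be *required* on the file server, not merely enabled.
$smb = Invoke-Command -ComputerName $FileServer -ScriptBlock {
    Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EncryptData
}
if (-not $smb.RequireSecuritySignature) {
    Write-Warning "$FileServer does not require SMB signing; an on-path attacker could alter the exported MOF."
}
if (-not $smb.EncryptData) {
    Write-Warning "$FileServer does not encrypt SMB traffic; use IPsec or enable SMB encryption for the share."
}

# 2. Share permissions: any Allow entry beyond the expected principals is reported.
$access = Invoke-Command -ComputerName $FileServer -ScriptBlock {
    param($Name) Get-SmbShareAccess -Name $Name
} -ArgumentList $ShareName
$access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -notin $Allowed } |
    ForEach-Object { Write-Warning "Unexpected share access on $ShareName`: $($_.AccountName) ($($_.AccessRight))" }

# 3. Record the export's hash at export time and compare it before import.
function Get-ExportFingerprint {
    param([string]$Path)
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}
$recorded = Get-ExportFingerprint $ExportFile    # keep this out of band (ticket, change record)

# ... later, on the site server, just before importing:
if ((Get-ExportFingerprint $ExportFile) -ne $recorded) {
    throw "$ExportFile changed since export; do not import."
}
```

The hash step matters because a collection MOF can carry query rules and, for OS deployment, collection variables; importing an altered file silently changes what a deployment targets.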

Security issues
Collections have the following security issues:

If you use collection variables, local administrators can read potentially sensitive
information. Collection variables are only used when you deploy an OS. For more
information, see Collection and device variables.

Privacy information
There's no privacy information specifically for collections in Configuration Manager.
Collections are containers for resources, such as users and devices. Collection
membership often depends on the information that Configuration Manager collects
during standard operation.

Configuration Manager can collect resource information from discovery or inventory.
Using this information, you can configure a collection to contain the devices that meet
your specified criteria. Collections might also be based on the current status information
for client management operations. For example, deploying software or checking for
compliance. Along with query-based collections, you can also directly add resources to
collections.

Next steps
For more information about collections, see Introduction to collections.

For more information about other security features in Configuration Manager, see the
Security documentation hub.

Introduction to hardware inventory
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use hardware inventory in Configuration Manager to collect information about the
hardware configuration of client devices in your organization. To collect hardware
inventory, you must select the Enable hardware inventory on clients setting in client
settings.

After hardware inventory is enabled and the client runs a hardware inventory cycle, the
client sends the information to a management point in the client's site. The
management point then forwards the inventory information to the Configuration
Manager site server, which stores the inventory information in the site database.
Hardware inventory runs on clients according to the schedule that you specify in client
settings.

View hardware inventory

You can use several methods to view the hardware inventory data that Configuration
Manager collects:

Create queries that return devices that are based on a specific hardware
configuration.

Create query-based collections that are based on a specific hardware
configuration. Query-based collection memberships automatically update on a
schedule. You can use collections for several tasks, including software deployment.

Run reports that display specific details about hardware configurations in your
organization.

Use Resource Explorer to view detailed information about the hardware inventory
that's collected from client devices.

When hardware inventory runs on a client device, the first inventory data that the client
returns is always a full inventory. The next set of inventory data contains only delta
inventory information. The site server processes delta inventory information in the order
received. If delta information for a client is missing, the site server rejects more delta
information and directs the client to run a full inventory cycle.

Configuration Manager provides limited support for dual-boot computers.
Configuration Manager can discover dual-boot computers but returns inventory
information only from the OS that's active when the inventory cycle runs.

Extend inventory
To collect more information than what Configuration Manager inventories by default,
you can also use one of these methods to extend hardware inventory:

Enable, disable, add, and remove inventory classes for hardware inventory from the
Configuration Manager console.

Use NOIDMIF files to collect information about client devices that can't be
inventoried by Configuration Manager. For example, you might want to collect
device asset number information that exists only as a label on the device. NOIDMIF
inventory is automatically associated with the client device that it was collected
from.

Use IDMIF files to collect information about assets that aren't associated with a
Configuration Manager client, for example, projectors, photocopiers, and network
printers.

Starting in version 2107, you can use the administration service to set custom
properties on devices. You can then use the custom properties in Configuration
Manager for reporting or to create collections. For more information, see Custom
properties for devices.

Next steps
How to configure hardware inventory

How to extend hardware inventory in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Hardware inventory reads information from Windows PCs by using Windows
Management Instrumentation (WMI). WMI is the Microsoft implementation of Web-Based
Enterprise Management (WBEM), an industry standard for accessing management
information in an enterprise. In previous versions of Configuration Manager, you
extended hardware inventory by modifying the file sms_def.mof on the site server. This
file contained a list of WMI classes that could be read by hardware inventory. By editing
this file, you could enable and disable existing classes, and also create new classes to
inventory.

The Configuration.mof file is used to define the data classes to be inventoried by
hardware inventory on the client and is unchanged from Configuration Manager 2012.
You can create data classes to inventory existing or custom WMI repository data classes
or registry keys present on client systems.

The Configuration.mof file also defines and registers the WMI providers that access
device information during hardware inventory. Registering providers defines the type of
provider to be used and the classes that the provider supports.

When Configuration Manager clients request policy, the Configuration.mof is attached
to the policy body. This file is then downloaded and compiled by clients. When you add,
modify, or delete data classes from the Configuration.mof file, clients automatically
compile these changes that are made to inventory-related data classes. No further
action is necessary to inventory new or modified data classes on Configuration Manager
clients. This file is located in the Inboxes\clifiles.src\hinv\ folder of the Configuration
Manager installation directory on the primary site server or central administration site
(CAS) server.

In Configuration Manager current branch, you don't edit the sms_def.mof file as with
earlier versions. Instead, make these changes with client settings. Configuration
Manager provides the following methods to extend hardware inventory.

Note

If you changed the state of classes in client settings, when you update the site,
some classes may revert to a default state. For example, if you disable the
SMS_Windows8Application or SMS_Windows8ApplicationUserInfo classes, they're
enabled after installing a Configuration Manager update. When you customize
hardware inventory classes, make sure to review their configuration before and
after a site update.

If you've manually changed the Configuration.mof file to add custom inventory
classes, these changes will be overwritten when you update the site. To keep using
custom classes after you update, add them to the Added extensions section of the
Configuration.mof file. Don't modify anything above this section. The other sections
are reserved for modification by Configuration Manager. The site backs up your
custom Configuration.mof in the data\hinvarchive\ folder of the Configuration
Manager installation directory on the site server.

Starting in version 2107, you can use the administration service to set custom properties
on devices. You can then use the custom properties in Configuration Manager for
reporting or to create collections. For more information, see Custom properties for
devices.

Methods

Enable or disable
Enable or disable some or all attributes of a class that already exists on the client. This
action instructs the hardware inventory agent to collect it on clients. You can do this
action in default client settings, or custom device client settings. For more information,
see Enable or disable existing classes.

Add
If a WMI class exists on the client and is known to the site, this action adds it to the
set of available hardware inventory classes. You can add a new inventory class from the
WMI namespace of another device. This action is only available in default client settings. For
more information, see Add a new class.

Extend
Add a new WMI class to the client. To manually extend hardware inventory, edit the
configuration.mof on the top-level site.
If the WMI class doesn't already exist on the client, you need to extend the WMI
schema:

1. Edit the configuration.mof on the top-level site. Review dataldr.log to see the site
add it.

2. Refresh policy on a client, and wait for the new class to compile.

3. Use default client settings to Add the new class to hardware inventory. You don't
have to enable this class in default client settings. You can then enable it in a
custom device client setting.
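
The following Windows PowerShell script is an added example, not from the documentation; it carries out step 1 above for a registry-backed class. It appends a class definition to the Added extensions section of Configuration.mof on the top-level site (taking a backup first), syntax-checks the result with mofcomp.exe -check before writing it, and ends with the commands that verify steps 2 and 3 on a client. The class name AssetTag, the registry path HKLM\SOFTWARE\Contoso\Asset and its values are hypothetical; the exact text of the section markers in Configuration.mof and the Installation Directory registry value under HKLM\SOFTWARE\Microsoft\SMS\Identification are assumptions about the site server. The [DYNPROPS] / RegPropProv pattern is the standard WMI registry property provider syntax, not something specific to this page.

```powershell
# Added example: extend Configuration.mof with a registry-backed WMI class.
# Hypothetical class 'AssetTag' reading HKLM\SOFTWARE\Contoso\Asset. Run on the
# top-level site server as an administrator (Windows PowerShell 5.1).
$installDir = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SMS\Identification').'Installation Directory'
$mofPath    = Join-Path $installDir 'inboxes\clifiles.src\hinv\configuration.mof'

# Registry property provider (RegPropProv) pattern: each property maps to a value
# under the given key. Backslashes must be doubled inside MOF strings.
$extension = @'
// --- AssetTag (custom, added by admin) ---
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("AssetTag", NOFAIL)
[DYNPROPS]
class AssetTag
{
    [key] string KeyName;
    string AssetNumber;
    string Owner;
};

[DYNPROPS]
instance of AssetTag
{
    KeyName = "AssetTag";
    [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Contoso\\Asset|AssetNumber"), Dynamic, Provider("RegPropProv")] AssetNumber;
    [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Contoso\\Asset|Owner"), Dynamic, Provider("RegPropProv")] Owner;
};
'@

$lines = Get-Content -Path $mofPath
if (@($lines -match 'class AssetTag').Count -gt 0) { throw 'AssetTag is already defined in configuration.mof' }

# Locate the 'Added extensions end' marker; insert above the rule line before it.
# Everything above the Added extensions section is reserved and must not change.
$marker = $lines | Select-String -Pattern 'Added extensions end' -SimpleMatch | Select-Object -First 1
if (-not $marker) { throw 'Added extensions section not found; do not edit elsewhere in this file' }
$endIdx   = $marker.LineNumber - 1
$insertAt = if ($lines[$endIdx - 1] -like '//=*') { $endIdx - 1 } else { $endIdx }

Copy-Item $mofPath "$mofPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
$new = @($lines[0..($insertAt - 1)]) + ($extension -split "`r?`n") + @($lines[$insertAt..($lines.Count - 1)])

# Syntax-check a temp copy first; mofcomp -check parses without writing to WMI.
$tmp = [IO.Path]::GetTempFileName()
Set-Content -Path $tmp -Value $new -Encoding ASCII
& "$env:SystemRoot\System32\wbem\mofcomp.exe" -check $tmp | Out-Null
if ($LASTEXITCODE -ne 0) { Remove-Item $tmp; throw 'mofcomp -check failed; configuration.mof not changed' }
Set-Content -Path $mofPath -Value $new -Encoding ASCII
Remove-Item $tmp
"Appended AssetTag to $mofPath; watch dataldr.log for the site to process it."

# Step 2, on a client: refresh machine policy (schedule ...0021) and confirm the
# class compiled. The Asset key and its values on the client are constructed.
#   Invoke-CimMethod -Namespace root\ccm -ClassName SMS_Client -MethodName TriggerSchedule `
#       -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000021}' }
#   Get-CimInstance -Namespace root\cimv2 -ClassName AssetTag
# Step 3: in Default Client Settings > Hardware Inventory > Set Classes, use Add and
# connect to that client's root\cimv2 namespace to add AssetTag to inventory.
```

The syntax check is the important safety step: a malformed Configuration.mof is distributed to every client with the next policy and fails to compile there, so validate on the server before the file leaves the inbox.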

Import and export

Use the Configuration Manager console to import and export Managed Object Format
(MOF) files that contain inventory classes. For more information, see How to import
classes and How to export classes.

About NOIDMIF files

Use NOIDMIF files to collect information about client devices that Configuration
Manager can't inventory. For example, collect device asset number information that
exists only as a label on the device. NOIDMIF inventory is automatically associated with
the client device that it was collected from. For more information, see Create NOIDMIF
files.

About IDMIF files

Use IDMIF files to collect information about assets in your organization that aren't
associated with a Configuration Manager client. For example, projectors, photocopiers,
and network printers. For more information, see Create IDMIF files.

Procedures
These procedures help you to configure the default client settings for hardware
inventory and they apply to all the clients in your hierarchy. If you want these settings to
apply to only some clients, create a custom client device setting and assign it to a
collection of specific clients. For more information, see How to configure client settings.

Enable or disable existing classes

1. In the Configuration Manager console, go to the Administration workspace, and
select the Client Settings node.

2. Select the Default Client Settings. On the Home tab, in the Properties group,
choose Properties.

3. In the Default Client Settings dialog box, choose Hardware Inventory.

4. In the Device Settings list, select Set Classes.

5. In the Hardware Inventory Classes dialog box, select or clear the classes and class
properties to be collected by hardware inventory. You can expand classes to select
or clear individual properties within that class. Use the Search for inventory classes
field to search for individual classes.

Important

When you add new classes to Configuration Manager hardware inventory, the size
of the inventory file that is collected and sent to the site server will increase. This
might negatively affect the performance of your network and Configuration
Manager site. Enable only the inventory classes that you want to collect.

Add a new class

You can only add inventory classes from the hierarchy's top-level server by modifying
the default client settings. This option isn't available when you create custom device
settings.

1. In the Configuration Manager console, go to the Administration workspace, and
select the Client Settings node.

2. Select the Default Client Settings. On the Home tab, in the Properties group,
choose Properties.

3. In the Default Client Settings dialog box, choose Hardware Inventory.

4. In the Device Settings list, choose Set Classes.

5. In the Hardware Inventory Classes dialog box, choose Add.

6. In the Add Hardware Inventory Class dialog box, select Connect.

7. In the Connect to Windows Management Instrumentation (WMI) dialog box,
specify the name of the computer from which you'll get the WMI classes and the
WMI namespace to use to get the classes. If you want to get all classes below the
specified WMI namespace, select Recursive. If the computer you're connecting to
isn't the local computer, supply credentials for an account that has permission to
access WMI on the remote computer.

8. Choose Connect.

9. In the Add Hardware Inventory Class dialog box, in the Inventory classes list,
select the WMI classes that you want to add to Configuration Manager hardware
inventory.

10. If you want to edit information about the selected WMI class, choose Edit, and in
the Class qualifiers dialog box, provide the following information:

Display name: This name will be displayed in Resource Explorer.

Properties: Specify the units in which each property of the WMI class will be
displayed.

You can also set properties as a key property to help uniquely identify each
instance of the class. If no key is defined for the class, and multiple instances
of the class are reported from the client, only the latest instance that's found
is stored in the database.

When you've finished configuring the properties, select OK to close the Class
qualifiers dialog box and the other open dialogs.

How to import classes

You can only import inventory classes when you modify the default client settings.
However, you can use custom client settings to import information that doesn't include
a schema change, such as changing the property of an existing class from True to False.

1. In the Configuration Manager console, go to the Administration workspace, and
select the Client Settings node.

2. Select the Default Client Settings. On the Home tab, in the Properties group,
choose Properties.

3. In the Default Client Settings dialog box, choose Hardware Inventory.

4. In the Device Settings list, choose Set Classes.

5. In the Hardware Inventory Classes dialog box, choose Import.

6. In the Import dialog box, select the Managed Object Format (MOF) file that you
want to import, and then choose OK. Review the items that will be imported, and
then select Import.

How to export classes

1. In the Configuration Manager console, go to the Administration workspace, and
select the Client Settings node.

2. Select the Default Client Settings. On the Home tab, in the Properties group,
choose Properties.

3. In the Default Client Settings dialog box, choose Hardware Inventory.

4. In the Device Settings list, choose Set Classes.

5. In the Hardware Inventory Classes dialog box, choose Export.

Note

When you export classes, all currently selected classes will be exported.

6. In the Export dialog box, specify the Managed Object Format (MOF) file that you
want to export the classes to, and then choose Save.

Collect strings larger than 255 characters

You can specify the length of strings to be greater than 255 characters for hardware
inventory properties. This action applies only to newly added classes and for hardware
inventory properties that aren't keys.

1. In the Administration workspace, select Client Settings. Choose a client device
setting to edit, then select Properties.

2. Select Hardware Inventory, then Set Classes, and Add.

3. Select Connect.

4. Fill in Computer Name and WMI namespace, and select Recursive if needed. Provide
credentials if necessary to connect. Select Connect to view the namespace classes.

5. Select a new class, then select Edit.

6. Change the Length of your property that's a string, other than the key, to be
greater than 255. Select OK.

7. Make sure that the edited property is selected for Add Hardware Inventory Class,
and select OK.

Use MIF files

Use Management Information Format (MIF) files to extend hardware inventory
information collected from clients by Configuration Manager. During hardware
inventory, the information stored in MIF files is added to the client inventory report and
stored in the site database, where you can use the data in the same ways that you use
default client inventory data. There are two types of MIF files: NOIDMIF and IDMIF.

Important

Before you can add information from MIF files to the Configuration Manager
database, create or import the class. For more information, see Add a new class or
How to import classes in this article.

Create NOIDMIF files


NOIDMIF files can be used to add information to a client hardware inventory that can't
normally be collected by Configuration Manager and is associated with a particular
client device. For example, many companies label each computer in the organization
with an asset number and then catalog these numbers manually. When you create a
NOIDMIF file, this information can be added to the Configuration Manager database
and be used for queries and reporting.

For more information about creating NOIDMIF files, see About inventory in the
Configuration Manager SDK documentation.

Important

When you create a NOIDMIF file, save it in an ANSI-encoded format. If you save
NOIDMIF files in UTF-8 encoded format, Configuration Manager can't read them.

After you create a NOIDMIF file, store it in the %Windir%\CCM\Inventory\noidmifs folder
on each client. Configuration Manager collects information from NOIDMIF files in this
folder during the next scheduled hardware inventory cycle.
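
The following PowerShell script is an added example and isn't part of the Configuration Manager documentation or the product. It writes a NOIDMIF file that adds an asset number to the local client's next hardware inventory report, using the ANSI encoding the Important note above requires. The component, group, class and attribute names ("System Information", "Asset Information", "Asset Number") and the file name AssetInfo.mif are illustrative; a matching class must already exist in the site's hardware inventory settings (see Add a new class or How to import classes), or the management point discards the data. Because the client reads these files from a local folder, treat their contents as client-supplied data, and keep them under the Maximum custom MIF file size (KB) limit.

```powershell
# Added example (not from the Configuration Manager docs). Run as an administrator
# on a client that has the Configuration Manager client installed.

function New-NoidMifFile {
    param(
        [Parameter(Mandatory)] [string] $AssetNumber,            # value to report (placeholder)
        [string] $FileName = 'AssetInfo.mif'                      # illustrative file name
    )

    # The client collects every *.mif file in this folder on the next hardware inventory cycle.
    $mifDir = Join-Path $env:windir 'CCM\Inventory\noidmifs'
    if (-not (Test-Path $mifDir)) {
        throw "Folder $mifDir not found; is the Configuration Manager client installed?"
    }
    $mifPath = Join-Path $mifDir $FileName

    # MIF syntax: a Component holds one or more Groups; each Group maps to an inventory
    # class and each Attribute to a property. String(n) sets the maximum string length.
    $mif = @"
Start Component
    Name = "System Information"
    Start Group
        Name = "Asset Information"
        ID = 1
        Class = "Asset Information"
        Start Attribute
            Name = "Asset Number"
            ID = 1
            Type = String(32)
            Value = "$AssetNumber"
        End Attribute
    End Group
End Component
"@

    # The client can't read UTF-8 NOIDMIF files, so write the system ANSI code page.
    # PowerShell 7 needs the code-page provider registered before GetEncoding() works.
    if ($PSVersionTable.PSEdition -eq 'Core') {
        [System.Text.Encoding]::RegisterProvider([System.Text.CodePagesEncodingProvider]::Instance)
    }
    $ansiCodePage = [System.Globalization.CultureInfo]::CurrentCulture.TextInfo.ANSICodePage
    $ansi = [System.Text.Encoding]::GetEncoding($ansiCodePage)
    [System.IO.File]::WriteAllText($mifPath, $mif, $ansi)
    return $mifPath
}

function Test-NoidMifFile {
    # Sanity checks before the next inventory cycle picks the file up: no UTF-8 BOM
    # (EF BB BF) at the start, and a size under the site's custom MIF limit.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MaxSizeKB = 250                                    # assumed site limit; check your hardware inventory settings
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $hasBom = $bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF
    [pscustomobject]@{
        Path      = $Path
        SizeKB    = [math]::Round($bytes.Length / 1KB, 1)
        HasBom    = $hasBom
        Acceptable = (-not $hasBom) -and ($bytes.Length -le $MaxSizeKB * 1KB)
    }
}

# Usage: write the file, then verify it. The asset number is a constructed sample value.
$path = New-NoidMifFile -AssetNumber 'ASSET-0001'
Test-NoidMifFile -Path $path | Format-List
```

The data appears in Resource Explorer (under the class name you created or imported) after the next hardware inventory cycle runs on the client. Anything that can write to the noidmifs folder can inject inventory values this way, which is one more reason to keep MIF collection disabled unless you need it.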

Create IDMIF files

IDMIF files can be used to add information to the Configuration Manager database about
assets that Configuration Manager can't normally inventory and that aren't associated
with a particular client device. For example, you could use IDMIF files to collect
information about projectors, DVD players, photocopiers, or other equipment that
doesn't have a Configuration Manager client.

For more information about creating IDMIF files, see About inventory in the
Configuration Manager SDK documentation.

After you create an IDMIF file, store it in the %Windir%\CCM\Inventory\idmifs folder on
client computers. Configuration Manager collects information from this file during the
next scheduled hardware inventory cycle. Declare new classes for information contained
in the file by adding or importing them.

Note

MIF files can contain large amounts of data, and collecting this data can
negatively affect the performance of your site. Enable MIF collection only when
required, and configure the option Maximum custom MIF file size (KB) in the hardware
inventory settings. For more information, see Introduction to hardware inventory.

How to configure hardware inventory in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This procedure configures the default client settings for hardware inventory, which
apply to all the clients in your hierarchy. If you want these settings to apply to only
some clients, create a custom device client setting and assign it to a collection that
contains the devices you want to inventory. See How to configure client settings.

Note

If a client device receives hardware inventory settings from more than one set of
client settings, the hardware inventory classes from each set are merged when the
client reports hardware inventory. Clearing a class in a higher-priority custom
client setting therefore doesn't stop the client from inventorying that class if it's
enabled in another set of settings that applies to the device.

To disable a specific hardware inventory class on a majority of systems except a few, the
class needs to be unchecked in the default client settings. Then create a custom client
setting to enable the class, and deploy it to the target systems.

To configure hardware inventory


1. In the Configuration Manager console, choose Administration > Client Settings >
Default Client Settings.

2. On the Home tab, in the Properties group, choose Properties.

3. In the Default Settings dialog box, choose Hardware Inventory.

4. In the Device Settings list, configure the following:

Enable hardware inventory on clients - Select Yes.

Hardware inventory schedule - Click Schedule to specify the interval at
which clients collect hardware inventory.

5. Configure other hardware inventory client settings that you require.

Client devices are configured with these settings when they next download client
policy. To initiate policy retrieval for a single client, see How to manage clients.
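
The same configuration done with the ConfigurationManager PowerShell module, as an added example that isn't part of this article: it enables hardware inventory in the default client settings, then creates a custom device setting with a shorter schedule and deploys it to a collection, which is the pattern the paragraph above describes for targeting only some clients. The site code PS1, the setting name and the collection name "All Servers" are placeholders; the cmdlets are the module's own (Set-CMClientSettingHardwareInventory, New-CMClientSetting, Start-CMClientSettingDeployment, New-CMSchedule), and the script assumes the console is installed on the machine where it runs.

```powershell
# Added example (not from the Configuration Manager docs). Requires the console
# (and therefore the ConfigurationManager module) and rights to modify client settings.

# Load the module from the console install path and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
$siteCode = 'PS1'                                  # placeholder site code
Set-Location "$($siteCode):\"

# 1. Default client settings apply to every client in the hierarchy: enable hardware
#    inventory there with a weekly schedule so all devices report a baseline.
Set-CMClientSettingHardwareInventory -DefaultSetting -Enable $true `
    -Schedule (New-CMSchedule -RecurInterval Days -RecurCount 7)

# 2. A custom device setting overrides the defaults for the collection it's deployed to.
#    Remember the merge rule from the note above: classes enabled in the defaults stay
#    enabled even if you clear them here; to switch a class off for most devices, clear
#    it in the defaults and enable it only in a custom setting for the few that need it.
$settingName = 'HW Inventory - Servers (daily)'    # placeholder name
if (-not (Get-CMClientSetting -Name $settingName)) {
    New-CMClientSetting -Name $settingName -Type Device | Out-Null
}
Set-CMClientSettingHardwareInventory -Name $settingName -Enable $true `
    -Schedule (New-CMSchedule -RecurInterval Days -RecurCount 1)

# 3. Deploy the custom setting to the collection that should use the daily schedule.
Start-CMClientSettingDeployment -ClientSettingName $settingName -CollectionName 'All Servers'

# Review the result: custom settings with a higher priority win for settings that conflict.
Get-CMClientSetting | Select-Object Name, Type, Priority | Sort-Object Priority
```

Clients pick up the new settings on their next policy download, as the paragraph above notes; to confirm on a client, run a Machine Policy Retrieval cycle from the Configuration Manager control panel applet and then check the hardware inventory schedule in its client settings.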

How to use Resource Explorer to view
hardware inventory in Configuration
Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use Resource Explorer in Configuration Manager to view information about hardware
inventory. The site collects this information from clients in your hierarchy.

Tip

Resource Explorer doesn't display any data until a hardware inventory cycle runs on
the client to which you're connecting.

Overview
Resource Explorer has the following sections related to hardware inventory:

Hardware: Shows the most recent hardware inventory collected from the specified
client device.
The Workstation Status node shows the time and date of the last hardware
inventory from the device.

Hardware History: A history of inventoried items that changed since the last
hardware inventory cycle.
Expand an item to see a Current node and one or more nodes with the
historical date. Compare the information in the current node to one of the
historical nodes to see the items that changed.

Note

By default, Configuration Manager deletes hardware inventory history that's been
inactive for 90 days. Adjust this number of days in the Delete Aged Inventory
History site maintenance task. For more information, see Maintenance tasks.

How to open Resource Explorer


1. In the Configuration Manager console, go to the Assets and Compliance
workspace, and select the Devices node. You can also select any collection in the
Device Collections node.

2. Select a device. In the ribbon, on the Home tab and Devices group, click Start, and
then select Resource Explorer.

Tip

In Resource Explorer, right-click an item in the right results pane for additional
actions. Click Properties to view that item in a different format.

Use of large integer values


In Configuration Manager version 1802 and earlier, hardware inventory can't store
integer values of 4,294,967,296 (2^32) or larger. Attributes such as hard drive sizes
in bytes can exceed this limit. The management point doesn't process integer values
above it, so no value is stored in the database.

Starting in version 1806, the limit is raised to 18,446,744,073,709,551,616 (2^64).

For a property whose value doesn't change, like total disk size, you may not see the
value immediately after upgrading the site. Most hardware inventory reports are delta
reports: the client only sends values that changed since its last report. To work
around this behavior, add another property to the same class. This change causes the
client to resend all properties of that class.
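
As an added example that isn't from this article, the following client-side PowerShell shows when the local client last sent hardware inventory and, if you need unchanged values such as disk sizes to be resent without editing the class, forces a full report instead of a delta. It relies on the client's InventoryActionStatus class in root\ccm\invagt and on the SMS_Client.TriggerSchedule method in root\ccm, neither of which is listed on this page; the schedule ID {00000000-0000-0000-0000-000000000001} is the client's Hardware Inventory Cycle. This is an alternative to the "add another property" workaround above, and it also addresses the Tip that Resource Explorer shows nothing until a cycle has run.

```powershell
# Added example (not from the Configuration Manager docs). Run as an administrator on
# a client. Forcing a full report sends every enabled class and property, so use it
# for individual devices rather than a whole collection.

$hwInvScheduleId = '{00000000-0000-0000-0000-000000000001}'   # Hardware Inventory Cycle

function Get-LastHardwareInventory {
    # InventoryActionStatus keeps one record per inventory action with the last
    # report time and the delta baseline the next report is computed against.
    Get-CimInstance -Namespace 'root\ccm\invagt' -ClassName 'InventoryActionStatus' |
        Where-Object InventoryActionID -eq $hwInvScheduleId |
        Select-Object InventoryActionID, LastCycleStartedDate, LastReportDate
}

function Start-FullHardwareInventory {
    # Removing the status record clears the delta baseline, so the next cycle is a
    # full report: values that never changed (total disk size, for example) are sent
    # again and can now be stored by a site that accepts 64-bit integers.
    Get-CimInstance -Namespace 'root\ccm\invagt' -ClassName 'InventoryActionStatus' |
        Where-Object InventoryActionID -eq $hwInvScheduleId |
        Remove-CimInstance

    # Trigger the Hardware Inventory Cycle, the same action as in the Configuration
    # Manager control panel applet (Actions tab).
    Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' `
        -MethodName 'TriggerSchedule' -Arguments @{ sScheduleID = $hwInvScheduleId } | Out-Null
}

# Usage: report the previous cycle, force a full one, then watch InventoryAgent.log
# (%windir%\CCM\Logs) for the report type and the management point for its arrival.
Get-LastHardwareInventory | Format-List
Start-FullHardwareInventory
```

After the cycle finishes and the management point processes the report, the Hardware node in Resource Explorer shows the new values and the Workstation Status node shows the new report time. If the site is still on version 1802 or earlier, a full report doesn't help: the management point drops the oversized integers regardless.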

See also
Resource Explorer also shows Software Inventory. For more information, see How to use
Resource Explorer to view software inventory.

Resource Explorer default inventory
classes
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article describes the default inventory classes in Resource Explorer.

These are the default inventory classes:

1394 Controller
Namespace: root\cimv2

class Win32_1394Controller

(String) DeviceID

(UInt16) Availability

(String) Caption

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description

(Boolean) ErrorCleared

(String) ErrorDescription

(DateTime) InstallDate

(UInt32) LastErrorCode

(String) Manufacturer

(UInt32) MaxNumberControlled

(String) Name

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported

(UInt16) ProtocolSupported

(String) Status

(UInt16) StatusInfo

(String) SystemName

(DateTime) TimeOfLastReset

Account SID
Namespace: root\cimv2

class Win32_AccountSID

(String) Element

(String) Setting

ActiveSync Service
Namespace: root\SmsDm

class SMS_ActiveSyncService

(UInt32) MajorVersion

(UInt32) MinorVersion

(String) LastSyncTime

AMT Agent
Namespace: root\cimv2\sms

class SMS_AMTObject

(UInt32) DeviceID

(String) AMT

(String) AMTApps
(String) BiosVersion

(String) BuildNumber

(String) Flash

(String) LegacyMode

(String) Netstack

(UInt32) ProvisionMode

(UInt32) ProvisionState

(String) RecoveryBuildNum

(String) RecoveryVersion

(String) Sku

(UInt32) TLSMode

(String) VendorID

(UInt32) ZTCEnabled

AppV Client Application


Namespace: root\AppV

class AppvClientApplication

(String) ApplicationId

(String) PackageId

(String) PackageVersionId

(Boolean) EnabledForUser

(Boolean) EnabledGlobally

(String) Name

(String) TargetPath

(String) Version

AppV Client Package
Namespace: root\AppV

class AppvClientPackage

(String) PackageId

(String) VersionId

(String) Assets[]

(String) DeploymentMachineData

(String) DeploymentUserData

(Boolean) HasAssetIntelligence

(Boolean) InUse

(Boolean) IsPublishedGlobally

(Boolean) IsPublishedToUser

(String) Name

(UInt64) PackageSize

(String) Path

(UInt16) PercentLoaded

(String) UserConfigurationData

(String) Version

AutoStart Software
Namespace: root\cimv2\sms

class SMS_AutoStartSoftware

(String) FilePropertiesHash

(String) BinFileVersion

(String) BinProductVersion
(String) Description

(String) FileName

(String) FilePropertiesHashEx

(String) FileVersion

(String) Location

(String) Product

(String) ProductVersion

(String) Publisher

(String) StartupType

(String) StartupValue

BaseBoard
Namespace: root\cimv2

class Win32_BaseBoard

(String) Tag

(String) Caption

(String) ConfigOptions[]

(String) Description

(Boolean) HostingBoard

(Boolean) HotSwappable

(DateTime) InstallDate

(String) Manufacturer

(String) Model

(String) Name

(String) OtherIdentifyingInfo
(String) PartNumber

(Boolean) PoweredOn

(String) Product

(Boolean) Removable

(Boolean) Replaceable

(String) RequirementsDescription

(Boolean) RequiresDaughterBoard

(String) SerialNumber

(String) SKU

(String) SlotLayout

(Boolean) SpecialRequirements

(String) Status

(String) Version

Battery
Namespace: root\cimv2

class Win32_Battery

(String) DeviceID

(UInt16) Availability

(UInt16) BatteryStatus

(String) Caption

(UInt16) Chemistry

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description
(UInt32) DesignCapacity

(UInt64) DesignVoltage

(Boolean) ErrorCleared

(String) ErrorDescription

(UInt16) EstimatedChargeRemaining

(UInt32) EstimatedRunTime

(UInt32) ExpectedLife

(UInt32) FullChargeCapacity

(DateTime) InstallDate

(UInt32) LastErrorCode

(UInt32) MaxRechargeTime

(String) Name

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(String) SmartBatteryVersion

(String) Status

(UInt16) StatusInfo

(String) SystemName

(UInt32) TimeOnBattery

(UInt32) TimeToFullCharge

BitLocker
Namespace: root\cimv2\security\MicrosoftVolumeEncryption

class Win32_EncryptableVolume
(String) DeviceID

(String) DriveLetter

(String) PersistentVolumeID

(UInt32) ProtectionStatus

BitLocker Encryption Details


Namespace: root\cimv2

class Win32_BitLockerEncryptionDetails

(String) BitlockerPersistentVolumeId

(SInt32) Compliant

(SInt32) ConversionStatus

(String) DeviceId

(String) DriveLetter

(SInt32) EncryptionMethod

(String) EnforcePolicyDate

(Boolean) IsAutoUnlockEnabled

(SInt32) KeyProtectorTypes[]

(String) MbamPersistentVolumeId

(SInt32) MbamVolumeType

(String) NoncomplianceDetectedDate

(SInt32) ProtectionStatus

(SInt32) ReasonsForNonCompliance[]

BitLocker Policy
Namespace: root\cimv2

class Win32Reg_MBAMPolicy
(String) EncodedComputerName

(UInt32) EncryptionMethod

(UInt32) FixedDataDriveAutoUnlock

(UInt32) FixedDataDriveEncryption

(UInt32) FixedDataDrivePassphrase

(String) KeyName

(String) LastConsoleUser

(UInt32) MBAMMachineError

(UInt32) MBAMPolicyEnforced

(UInt32) OsDriveEncryption

(UInt32) OsDriveProtector

(DateTime) UserExemptionDate

Boot Configuration
Namespace: root\cimv2

class Win32_BootConfiguration

(String) Name

(String) BootDirectory

(String) ConfigurationPath

(String) Description

(String) LastDrive

(String) ScratchDirectory

(String) SettingID

(String) TempDirectory

Browser Helper Object


Namespace: root\cimv2\sms

class SMS_BrowserHelperObject

(String) FilePropertiesHash

(String) BinFileVersion

(String) BinProductVersion

(String) CLSID

(String) Description

(String) FileName

(String) FilePropertiesHashEx

(String) FileVersion

(String) Product

(String) ProductVersion

(String) Publisher

(String) Version

CCM_RAX
Namespace: root\ccm\cimodels

class CCM_RAXInfo

(String) AppID

(String) FeedURL

(String) UserSID

CD-ROM
Namespace: root\cimv2

class Win32_CDROMDrive

(String) DeviceID
(UInt16) Availability

(UInt16) Capabilities[]

(String) CapabilityDescriptions[]

(String) Caption

(String) CompressionMethod

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(UInt64) DefaultBlockSize

(String) Description

(String) Drive

(Boolean) DriveIntegrity

(Boolean) ErrorCleared

(String) ErrorDescription

(String) ErrorMethodology

(UInt16) FileSystemFlags

(UInt32) FileSystemFlagsEx

(String) ID

(DateTime) InstallDate

(UInt32) LastErrorCode

(String) Manufacturer

(UInt64) MaxBlockSize

(UInt32) MaximumComponentLength

(UInt64) MaxMediaSize

(Boolean) MediaLoaded

(String) MediaType
(UInt64) MinBlockSize

(String) Name

(Boolean) NeedsCleaning

(UInt32) NumberOfMediaSupported

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(String) RevisionLevel

(UInt32) SCSIBus

(UInt16) SCSILogicalUnit

(UInt16) SCSIPort

(UInt16) SCSITargetId

(UInt64) Size

(String) Status

(UInt16) StatusInfo

(String) SystemName

(String) VolumeName

(String) VolumeSerialNumber

Client Diagnostics
Starting in version 2107

Namespace: root\cimv2

class CCM_ClientDiagnostics

(String) Identifier

(String) DebugLoggingEnabled
(UInt32) LogEnabled

(UInt32) LogLevel

(UInt32) LogMaxHistory

(UInt32) LogMaxSize

Client Events
Namespace: root\ccm\invagt

class ClientEvents

(String) EventName

(UInt16) Count

Computer System
Namespace: root\cimv2

class Win32_ComputerSystem

(String) Name

(UInt16) AdminPasswordStatus

(Boolean) AutomaticResetBootOption

(Boolean) AutomaticResetCapability

(UInt16) BootOptionOnLimit

(UInt16) BootOptionOnWatchDog

(Boolean) BootROMSupported

(String) BootupState

(String) Caption

(UInt16) ChassisBootupState

(SInt16) CurrentTimeZone

(Boolean) DaylightInEffect
(String) Description

(String) Domain

(UInt16) DomainRole

(UInt16) FrontPanelResetStatus

(Boolean) InfraredSupported

(String) InitialLoadInfo[]

(DateTime) InstallDate

(UInt16) KeyboardPasswordStatus

(String) LastLoadInfo

(String) Manufacturer

(String) Model

(String) NameFormat

(Boolean) NetworkServerModeEnabled

(UInt32) NumberOfProcessors

(String) OEMLogoBitmap

(String) OEMStringArray[]

(SInt64) PauseAfterReset

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(UInt16) PowerOnPasswordStatus

(UInt16) PowerState

(UInt16) PowerSupplyState

(String) PrimaryOwnerContact

(String) PrimaryOwnerName

(UInt16) ResetCapability
(SInt16) ResetCount

(SInt16) ResetLimit

(String) Roles[]

(String) Status

(String) SupportContactDescription[]

(UInt16) SystemStartupDelay

(String) SystemStartupOptions[]

(UInt8) SystemStartupSetting

(String) SystemType

(UInt16) ThermalState

(UInt64) TotalPhysicalMemory

(String) UserName

(UInt16) WakeUpType

Computer System Ex
Namespace: root\cimv2

class CCM_ComputerSystemExtended

(String) Name

(UInt16) PCSystemType

Computer System Product


Namespace: root\cimv2

class Win32_ComputerSystemProduct

(String) IdentifyingNumber

(String) Name

(String) Version
(String) Caption

(String) Description

(String) SKUNumber

(String) UUID

(String) Vendor

SMS Advanced Client Ports


Namespace: root\cimv2

class Win32Reg_SMSAdvancedClientPorts

(String) InstanceKey

(UInt32) HttpsPortName

(UInt32) PortName

SMS Advanced Client SSL Configurations


Namespace: root\cimv2

class Win32Reg_SMSAdvancedClientSSLConfiguration

(String) InstanceKey

(String) CertificateSelectionCriteria

(String) CertificateStore

(UInt32) ClientAlwaysOnInternet

(UInt32) HttpsStateFlags

(String) InternetMPHostName

(UInt32) SelectFirstCertificate

SMS Advanced Client State


Namespace: root\ccm
class CCM_InstalledComponent

(String) Name

(String) DisplayName

(String) Version

Connected Device
Namespace: root\SmsDm

class SMS_ActiveSyncConnectedDevice

(String) DeviceOEMInfo

(String) DeviceType

(String) OS_Major

(String) OS_Minor

(String) OS_Platform

(String) ProcessorArchitecture

(String) ProcessorLevel

(String) ProcessorRevision

(String) InstalledClientID

(String) InstalledClientServer

(String) InstalledClientVersion

(String) LastSyncTime

(String) OS_AdditionalInfo

(String) OS_Build

SMS_DefaultBrowser
Namespace: root\cimv2\sms

class SMS_DefaultBrowser
(String) BrowserProgId

Desktop
Namespace: root\cimv2

class Win32_Desktop

(String) Name

(UInt32) BorderWidth

(String) Caption

(Boolean) CoolSwitch

(UInt32) CursorBlinkRate

(String) Description

(Boolean) DragFullWindows

(UInt32) GridGranularity

(UInt32) IconSpacing

(String) IconTitleFaceName

(UInt32) IconTitleSize

(Boolean) IconTitleWrap

(String) Pattern

(Boolean) ScreenSaverActive

(String) ScreenSaverExecutable

(Boolean) ScreenSaverSecure

(UInt32) ScreenSaverTimeout

(String) SettingID

(String) Wallpaper

(Boolean) WallpaperStretched
(Boolean) WallpaperTiled

Desktop Monitor
Namespace: root\cimv2

class Win32_DesktopMonitor

(String) DeviceID

(UInt16) Availability

(UInt32) Bandwidth

(String) Caption

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description

(UInt16) DisplayType

(Boolean) ErrorCleared

(String) ErrorDescription

(DateTime) InstallDate

(Boolean) IsLocked

(UInt32) LastErrorCode

(String) MonitorManufacturer

(String) MonitorType

(String) Name

(UInt32) PixelsPerXLogicalInch

(UInt32) PixelsPerYLogicalInch

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported

(UInt32) ScreenHeight

(UInt32) ScreenWidth

(String) Status

(UInt16) StatusInfo

(String) SystemName

Device Info
Namespace: Reserved

class Device_Info

(String) CertExpiry

(String) DeviceName

(String) Manufacturer

(String) Model

(String) OS

MDM DevDetail
Namespace: root\cimv2\mdm\dmmap

class MDM_DevDetail_Ext01

(String) InstanceID

(String) ParentID

(String) DeviceHardwareData

(String) WLANMACAddress

Disk
Namespace: root\cimv2
class Win32_DiskDrive

(String) DeviceID

(UInt16) Availability

(UInt32) BytesPerSector

(UInt16) Capabilities[]

(String) CapabilityDescriptions[]

(String) Caption

(String) CompressionMethod

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(UInt64) DefaultBlockSize

(String) Description

(Boolean) ErrorCleared

(String) ErrorDescription

(String) ErrorMethodology

(UInt32) Index

(DateTime) InstallDate

(String) InterfaceType

(UInt32) LastErrorCode

(String) Manufacturer

(UInt64) MaxBlockSize

(UInt64) MaxMediaSize

(Boolean) MediaLoaded

(String) MediaType

(UInt64) MinBlockSize
(String) Model

(String) Name

(Boolean) NeedsCleaning

(UInt32) NumberOfMediaSupported

(UInt32) Partitions

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(UInt32) SCSIBus

(UInt16) SCSILogicalUnit

(UInt16) SCSIPort

(UInt16) SCSITargetId

(UInt32) SectorsPerTrack

(UInt64) Size

(String) Status

(UInt16) StatusInfo

(String) SystemName

(UInt64) TotalCylinders

(UInt32) TotalHeads

(UInt64) TotalSectors

(UInt64) TotalTracks

(UInt32) TracksPerCylinder

Partition
Namespace: root\cimv2
class Win32_DiskPartition

(String) DeviceID

(UInt16) Access

(UInt16) Availability

(UInt64) BlockSize

(Boolean) Bootable

(Boolean) BootPartition

(String) Caption

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description

(UInt32) DiskIndex

(Boolean) ErrorCleared

(String) ErrorDescription

(String) ErrorMethodology

(UInt32) HiddenSectors

(UInt32) Index

(DateTime) InstallDate

(UInt32) LastErrorCode

(String) Name

(UInt64) NumberOfBlocks

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(Boolean) PrimaryPartition
(String) Purpose

(Boolean) RewritePartition

(UInt64) Size

(UInt64) StartingOffset

(String) Status

(UInt16) StatusInfo

(String) SystemName

(String) Type

DMA
Namespace: root\cimv2

class Win32_DeviceMemoryAddress

(UInt64) StartingAddress

(String) Caption

(String) Description

(UInt64) EndingAddress

(DateTime) InstallDate

(String) MemoryType

(String) Name

(String) Status

DMA Channel
Namespace: root\cimv2

class Win32_DMAChannel

(UInt32) DMAChannel

(UInt16) AddressSize
(UInt16) Availability

(Boolean) BurstMode

(UInt16) ByteMode

(String) Caption

(UInt16) ChannelTiming

(String) Description

(DateTime) InstallDate

(UInt32) MaxTransferSize

(String) Name

(UInt32) Port

(String) Status

(UInt16) TransferWidths[]

(UInt16) TypeCTiming

(UInt16) WordMode

Driver - VxD
Namespace: root\cimv2

class Win32_DriverVXD

(String) Name

(String) SoftwareElementID

(UInt16) SoftwareElementState

(UInt16) TargetOperatingSystem

(String) Version

(String) BuildNumber

(String) Caption
(String) CodeSet

(String) Control

(String) Description

(String) DeviceDescriptorBlock

(String) IdentificationCode

(DateTime) InstallDate

(String) LanguageEdition

(String) Manufacturer

(String) OtherTargetOS

(String) PM_API

(String) SerialNumber

(UInt32) ServiceTableSize

(String) Status

(String) V86_API

Embedded Device Information


Namespace: root\cimv2\sms

class CCM_EmbeddedDeviceInformation

(String) DeviceType

(String) Model

(String) OEMName

Environment
Namespace: root\cimv2

class Win32_Environment

(String) Name
(String) UserName

(String) Caption

(String) Description

(DateTime) InstallDate

(String) Status

(Boolean) SystemVariable

(String) VariableValue

Firmware
Namespace: root\cimv2\sms

class SMS_Firmware

(Boolean) UEFI

(Boolean) SecureBoot
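
The BitLocker class (Win32_EncryptableVolume in root\cimv2\security\MicrosoftVolumeEncryption) and the Firmware class (SMS_Firmware in root\cimv2\sms) above are the inventory classes most often used to report encryption and boot posture. The following PowerShell is an added example, not part of this reference: it queries the same namespaces and properties on a client so you can see locally what the site will receive once a hardware inventory cycle runs. The ProtectionStatus meanings (0 = protection off, 1 = protection on, 2 = unknown) are the class's documented values; SMS_Firmware exists only where the Configuration Manager client is installed, and the volume encryption namespace requires administrator rights.

```powershell
# Added example (not from the Configuration Manager docs). Run as an administrator on
# a client with the Configuration Manager client installed.

function Get-InventoryEncryptionPosture {
    # Only the four properties that hardware inventory collects for Win32_EncryptableVolume.
    $volumes = Get-CimInstance -Namespace 'root\cimv2\security\MicrosoftVolumeEncryption' `
        -ClassName 'Win32_EncryptableVolume' |
        Select-Object DeviceID, DriveLetter, PersistentVolumeID, ProtectionStatus

    # SMS_Firmware: the two booleans inventory reports. Absent without the client.
    $firmware = Get-CimInstance -Namespace 'root\cimv2\sms' -ClassName 'SMS_Firmware' `
        -ErrorAction SilentlyContinue

    $osVolume = $volumes | Where-Object DriveLetter -eq $env:SystemDrive

    [pscustomobject]@{
        OsDriveProtected   = ($null -ne $osVolume) -and ($osVolume.ProtectionStatus -eq 1)
        # Volumes the site will show as not protected (status 0) or unknown (status 2).
        UnprotectedVolumes = @($volumes | Where-Object ProtectionStatus -ne 1 |
                               ForEach-Object { $_.DriveLetter })
        UEFI               = if ($firmware) { [bool]$firmware.UEFI } else { $null }
        SecureBoot         = if ($firmware) { [bool]$firmware.SecureBoot } else { $null }
        Volumes            = $volumes
    }
}

# Usage: compare this against the device's Hardware node in Resource Explorer.
$posture = Get-InventoryEncryptionPosture
$posture | Select-Object OsDriveProtected, UnprotectedVolumes, UEFI, SecureBoot | Format-List
$posture.Volumes | Format-Table -AutoSize
```

Inventory only collects the properties listed for a class, so details such as the encryption method or key protectors aren't available from this class; the BitLocker Encryption Details class above carries those for clients managed by Configuration Manager's BitLocker management.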

USM Folder Redirection Health


Namespace: root\cimv2\sms

class SMS_FolderRedirectionHealth

(String) FolderName

(String) SID

(UInt8) HealthStatus

(DateTime) LastSuccessfulSyncTime

(UInt8) LastSyncStatus

(DateTime) LastSyncTime

(Boolean) OfflineAccessEnabled

(String) OfflineFileNameFolderGUID

(Boolean) Redirected

IDE Controller
Namespace: root\cimv2

class Win32_IDEController

(String) DeviceID

(UInt16) Availability

(String) Caption

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description

(Boolean) ErrorCleared

(String) ErrorDescription

(DateTime) InstallDate

(UInt32) LastErrorCode

(String) Manufacturer

(UInt32) MaxNumberControlled

(String) Name

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(UInt16) ProtocolSupported

(String) Status

(UInt16) StatusInfo

(String) SystemName

(DateTime) TimeOfLastReset

Add Remove Programs (64)
Namespace: root\cimv2

class Win32Reg_AddRemovePrograms64

(String) ProdID

(String) DisplayName

(String) InstallDate

(String) Publisher

(String) Version

Add Remove Programs


Namespace: root\cimv2

class Win32Reg_AddRemovePrograms

(String) ProdID

(String) DisplayName

(String) InstallDate

(String) Publisher

(String) Version

Installed Executable
Namespace: root\cimv2\sms

class SMS_InstalledExecutable

(String) ExecutableName

(String) ProductCode

(String) BinFileVersion

(String) BinProductVersion
(String) Description

(String) FilePropertiesHash

(String) FilePropertiesHashEx

(UInt32) FileSize

(String) FileVersion

(Boolean) HasPatchAdded

(String) InstalledFilePath

(Boolean) IsSystemFile

(Boolean) IsVitalFile

(UInt32) Language

(String) Product

(String) ProductVersion

(String) Publisher

Installed Software
Namespace: root\cimv2\sms

class SMS_InstalledSoftware

(String) SoftwareCode

(String) ARPDisplayName

(String) ChannelCode

(String) ChannelID

(String) CM_DSLID

(String) EvidenceSource

(DateTime) InstallDate

(UInt32) InstallDirectoryValidation
(String) InstalledLocation

(String) InstallSource

(UInt32) InstallType

(UInt32) Language

(String) LocalPackage

(String) MPC

(UInt32) OsComponent

(String) PackageCode

(String) ProductID

(String) ProductName

(String) ProductVersion

(String) Publisher

(String) RegisteredUser

(String) ServicePack

(String) SoftwarePropertiesHash

(String) SoftwarePropertiesHashEx

(String) UninstallString

(String) UpgradeCode

(UInt32) VersionMajor

(UInt32) VersionMinor

IRQ Table
Namespace: root\cimv2

class Win32_IRQResource

(UInt32) IRQNumber
(UInt16) Availability

(String) Caption

(String) Description

(Boolean) Hardware

(DateTime) InstallDate

(String) Name

(Boolean) Shareable

(String) Status

(UInt16) TriggerLevel

(UInt16) TriggerType

(UInt32) Vector

Keyboard
Namespace: root\cimv2

class Win32_Keyboard

(String) DeviceID

(UInt16) Availability

(String) Caption

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description

(Boolean) ErrorCleared

(String) ErrorDescription

(DateTime) InstallDate

(Boolean) IsLocked
(UInt32) LastErrorCode

(String) Layout

(String) Name

(UInt16) NumberOfFunctionKeys

(UInt16) Password

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(String) Status

(UInt16) StatusInfo

(String) SystemName

Load Order Group


Namespace: root\cimv2

class Win32_LoadOrderGroup

(String) Name

(String) Caption

(String) Description

(Boolean) DriverEnabled

(UInt32) GroupOrder

(DateTime) InstallDate

(String) Status

Logical Disk
Namespace: root\cimv2\sms

class SMS_LogicalDisk
(String) DeviceID

(UInt16) Access

(UInt16) Availability

(UInt64) BlockSize

(String) Caption

(Boolean) Compressed

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description

(UInt32) DriveType

(Boolean) ErrorCleared

(String) ErrorDescription

(String) ErrorMethodology

(String) FileSystem

(UInt64) FreeSpace

(DateTime) InstallDate

(UInt32) LastErrorCode

(UInt32) MaximumComponentLength

(UInt32) MediaType

(String) Name

(UInt64) NumberOfBlocks

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(String) ProviderName
(String) Purpose

(UInt64) Size

(String) Status

(UInt16) StatusInfo

(Boolean) SupportsFileBasedCompression

(String) SystemName

(String) VolumeName

(String) VolumeSerialNumber

Memory
Namespace: root\cimv2

class CCM_LogicalMemoryConfiguration

(String) Name

(UInt64) AvailableVirtualMemory

(UInt64) TotalPageFileSpace

(UInt64) TotalPhysicalMemory

(UInt64) TotalVirtualMemory

Device Bluetooth
Namespace: Reserved

class Device_Bluetooth

(Boolean) Enabled

Device Camera
Namespace: Reserved

class Device_Camera
(Boolean) Enabled

Device Certificates
Namespace: Reserved

class Device_Certificates

(String) Thumbprint

(String) Type

(String) IssuedBy

(String) IssuedTo

(DateTime) ValidFrom

(DateTime) ValidTo

Device Client
Namespace: Reserved

class Device_Client

(Boolean) DownloadWhenRoaming

(Boolean) SyncWhenRoaming

Device Client Agent version


Namespace: Reserved

class Device_ClientAgentVersion

(String) Version

Device Computer System


Namespace: Reserved

class Device_ComputerSystem
(String) CellularTechnology

(String) DeviceClientID

(String) DeviceManufacturer

(String) DeviceModel

(String) DMVersion

(String) FirmwareVersion

(String) HardwareVersion

(String) IMEI

(String) IMSI

(UInt8) IsActivationLockEnabled

(UInt8) Jailbroken

(String) MEID

(String) OEM

(String) PhoneNumber

(String) PlatformType

(UInt32) ProcessorArchitecture

(UInt32) ProcessorLevel

(UInt32) ProcessorRevision

(String) Product

(String) ProductVersion

(String) SerialNumber

(String) SoftwareVersion

(String) SubscriberCarrierNetwork

Device Display
Namespace: Reserved

class Device_Display

(UInt32) HorizontalResolution

(UInt64) NumberOfColors

(UInt32) VerticalResolution

Device Email
Namespace: Reserved

class Device_Email

(String) OwnerEmailAddress

(String) SyncDomain

(String) SyncServer

(String) SyncUser

(String) Type

Device Encryption
Namespace: Reserved

class Device_Encryption

(UInt32) EmailEncryptionAlgorithm

(UInt32) EmailEncryptionNegotiation

(Boolean) EmailEncryptionRequired

(Boolean) EmailSigningAlgorithm

(Boolean) EmailSigningRequired

(Boolean) EncryptionCompliance

(Boolean) PhoneMemoryEncrypted

(Boolean) StorageCardEncrypted

Device Exchange
Namespace: Reserved

class Device_Exchange

(Boolean) ConflictResolution

(SInt32) HTMLEmailTruncation

(UInt32) MailFormat

(UInt32) MaxCalendarAge

(UInt32) MaxEmailAge

(SInt32) MaxMailFileAttachmentSize

(UInt32) OffPeakSyncFrequency

(UInt32) PeakDays

(String) PeakEndTime

(String) PeakStartTime

(UInt32) PeakSyncFrequency

(SInt32) PlainTextEmailTruncation

(Boolean) SendEmailImmediately

(Boolean) SyncCalendar

(Boolean) SyncContacts

(Boolean) SyncEmail

(Boolean) SyncTasks

(Boolean) SyncWhenRoaming

Device Installed Applications


Namespace: Reserved

class Device_InstalledApplications
(String) Name

(String) Version

Device IrDA
Namespace: Reserved

class Device_IrDA

(Boolean) Enabled

Mobile Device Location


Namespace: Reserved

class MDM_RemoteFind

(Real32) Latitude

(Real32) Longitude

Device Memory
Namespace: Reserved

class Device_Memory

(UInt64) ProgramFree

(UInt64) ProgramTotal

(UInt64) RemovableStorageFree

(UInt64) RemovableStorageTotal

(UInt64) StorageFree

(UInt64) StorageTotal

Device OS Information
Namespace: Reserved
class Device_OSInformation

(String) Language

(String) Platform

(String) Version

Device Password
Namespace: Reserved

class Device_Password

(Boolean) AllowRecoveryPassword

(UInt32) AutolockTimeout

(Boolean) Enabled

(UInt32) Expiration

(UInt32) History

(UInt32) MaxAttemptsBeforeWipe

(UInt32) MinComplexChars

(UInt32) MinLength

(UInt8) PasswordQuality

(UInt32) Type

Device Policy
Namespace: Reserved

class Device_Policy

(String) Name

(Boolean) Enforced

Device Power
Namespace: Reserved

class Device_Power

(UInt32) BacklightACTimeout

(UInt32) BacklightBatTimeout

(SInt32) BackupPercent

(SInt32) BatteryPercent

Mobile Device Security Status


Namespace: Reserved

class MDM_SecurityStatus

(UInt32) HardwareEncryptionCaps

(UInt8) PasscodeCompliant

(UInt8) PasscodeCompliantWithProfiles

(UInt8) PasscodePresent

(UInt8) RequireEncryption

Device Windows Security Policy


Namespace: Reserved

class Device_WindowsSecurityPolicy

(UInt32) ID

(String) Name

(UInt32) Value

Device WLAN
Namespace: Reserved

class Device_WLAN
(Boolean) Enabled

(String) EthernetMAC

(String) WiFiMAC

Modem
Namespace: root\cimv2

class Win32_POTSModem

(String) DeviceID

(UInt16) AnswerMode

(String) AttachedTo

(UInt16) Availability

(String) BlindOff

(String) BlindOn

(String) Caption

(String) CompatibilityFlags

(UInt16) CompressionInfo

(String) CompressionOff

(String) CompressionOn

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) ConfigurationDialog

(String) CountriesSupported[]

(String) CountrySelected

(String) CurrentPasswords[]

(String) DCB
(String) Default

(String) Description

(String) DeviceLoader

(String) DeviceType

(UInt16) DialType

(DateTime) DriverDate

(Boolean) ErrorCleared

(String) ErrorControlForced

(UInt16) ErrorControlInfo

(String) ErrorControlOff

(String) ErrorControlOn

(String) ErrorDescription

(String) FlowControlHard

(String) FlowControlOff

(String) FlowControlSoft

(String) InactivityScale

(UInt32) InactivityTimeout

(UInt32) Index

(DateTime) InstallDate

(UInt32) LastErrorCode

(UInt32) MaxBaudRateToPhone

(UInt32) MaxBaudRateToSerialPort

(UInt16) MaxNumberOfPasswords

(String) Model

(String) ModemInfPath

(String) ModemInfSection

(String) ModulationBell

(String) ModulationCCITT

(UInt16) ModulationScheme

(String) Name

(String) PNPDeviceID

(String) PortSubClass

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(String) Prefix

(String) Properties

(String) ProviderName

(String) Pulse

(String) Reset

(String) ResponsesKeyName

(UInt8) RingsBeforeAnswer

(String) SpeakerModeDial

(String) SpeakerModeOff

(String) SpeakerModeOn

(String) SpeakerModeSetup

(String) SpeakerVolumeHigh

(UInt16) SpeakerVolumeInfo

(String) SpeakerVolumeLow

(String) SpeakerVolumeMed

(String) Status

(UInt16) StatusInfo

(String) StringFormat

(Boolean) SupportsCallback

(Boolean) SupportsSynchronousConnect

(String) SystemName

(String) Terminator

(DateTime) TimeOfLastReset

(String) Tone

(String) VoiceSwitchFeature

Motherboard
Namespace: root\cimv2

class Win32_MotherboardDevice

(String) DeviceID

(UInt16) Availability

(String) Caption

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description

(Boolean) ErrorCleared

(String) ErrorDescription

(DateTime) InstallDate

(UInt32) LastErrorCode

(String) Name

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(String) PrimaryBusType

(String) RevisionNumber

(String) SecondaryBusType

(String) Status

(UInt16) StatusInfo

(String) SystemName

NAP Client
Namespace: root\Nap

class NAP_Client

(String) name

(String) description

(String) fixupURL

(Boolean) napEnabled

(String) napProtocolVersion

(String) probationTime

(UInt32) systemIsolationState

NAP System Health Agent
Namespace: root\Nap

class NAP_SystemHealthAgent

(UInt32) ID

(String) description

(UInt32) fixupState

(String) friendlyName

(String) infoClsid

(Boolean) isBound

(UInt8) percentage

(String) registrationDate

(String) vendorName

(String) version

Network Adapter
Namespace: root\cimv2

class Win32_NetworkAdapter

(String) DeviceID

(String) AdapterType

(Boolean) AutoSense

(UInt16) Availability

(String) Caption

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description

(Boolean) ErrorCleared

(String) ErrorDescription

(UInt32) Index

(DateTime) InstallDate

(Boolean) Installed

(UInt32) LastErrorCode

(String) MACAddress

(String) Manufacturer

(UInt32) MaxNumberControlled

(UInt64) MaxSpeed

(String) Name

(String) NetworkAddresses[]

(String) PermanentAddress

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(String) ProductName

(String) ServiceName

(UInt64) Speed

(String) Status

(UInt16) StatusInfo

(String) SystemName

(DateTime) TimeOfLastReset

Network Adapter Configuration
Namespace: root\cimv2

class Win32_NetworkAdapterConfiguration

(UInt32) Index

(Boolean) ArpAlwaysSourceRoute

(Boolean) ArpUseEtherSNAP

(String) Caption

(String) DatabasePath

(Boolean) DeadGWDetectEnabled

(String) DefaultIPGateway[]

(UInt8) DefaultTOS

(UInt8) DefaultTTL

(String) Description

(Boolean) DHCPEnabled

(DateTime) DHCPLeaseExpires

(DateTime) DHCPLeaseObtained

(String) DHCPServer

(String) DNSDomain

(String) DNSDomainSuffixSearchOrder[]

(Boolean) DNSEnabledForWINSResolution

(String) DNSHostName

(String) DNSServerSearchOrder[]

(Boolean) DomainDNSRegistrationEnabled

(UInt32) ForwardBufferMemory

(Boolean) FullDNSRegistrationEnabled

(UInt16) GatewayCostMetric[]

(UInt8) IGMPLevel

(String) IPAddress[]

(UInt32) IPConnectionMetric

(Boolean) IPEnabled

(Boolean) IPFilterSecurityEnabled

(Boolean) IPPortSecurityEnabled

(String) IPSecPermitIPProtocols[]

(String) IPSecPermitTCPPorts[]

(String) IPSecPermitUDPPorts[]

(String) IPSubnet[]

(Boolean) IPUseZeroBroadcast

(String) IPXAddress

(Boolean) IPXEnabled

(String) IPXFrameType

(UInt32) IPXMediaType

(String) IPXNetworkNumber[]

(String) IPXVirtualNetNumber

(UInt32) KeepAliveInterval

(UInt32) KeepAliveTime

(String) MACAddress

(UInt32) MTU

(UInt32) NumForwardPackets

(Boolean) PMTUBHDetectEnabled

(Boolean) PMTUDiscoveryEnabled

(String) ServiceName

(String) SettingID

(UInt32) TcpipNetbiosOptions

(UInt32) TcpMaxConnectRetransmissions

(UInt32) TcpMaxDataRetransmissions

(UInt32) TcpNumConnections

(Boolean) TcpUseRFC1122UrgentPointer

(UInt16) TcpWindowSize

(Boolean) WINSEnableLMHostsLookup

(String) WINSHostLookupFile

(String) WINSPrimaryServer

(String) WINSScopeID

(String) WINSSecondaryServer

Network Client
Namespace: root\cimv2

class Win32_NetworkClient

(String) Name

(String) Caption

(String) Description

(DateTime) InstallDate

(String) Manufacturer

(String) Status

Network Login Profile
Namespace: root\cimv2

class Win32_NetworkLoginProfile

(String) Name

(DateTime) AccountExpires

(UInt32) AuthorizationFlags

(UInt32) BadPasswordCount

(String) Caption

(UInt32) CodePage

(String) Comment

(UInt32) CountryCode

(String) Description

(UInt32) Flags

(String) FullName

(String) HomeDirectory

(String) HomeDirectoryDrive

(DateTime) LastLogoff

(DateTime) LastLogon

(String) LogonHours

(String) LogonServer

(UInt64) MaximumStorage

(UInt32) NumberOfLogons

(String) Parameters

(DateTime) PasswordAge

(DateTime) PasswordExpires

(UInt32) PrimaryGroupId

(UInt32) Privileges

(String) Profile

(String) ScriptPath

(String) SettingID

(UInt32) UnitsPerWeek

(String) UserComment

(UInt32) UserId

(String) UserType

(String) Workstations

NT Eventlog File
Namespace: root\cimv2

class Win32_NTEventlogFile

(String) Name

(UInt32) AccessMask

(Boolean) Archive

(String) Caption

(Boolean) Compressed

(String) CompressionMethod

(DateTime) CreationDate

(String) Description

(String) Drive

(String) EightDotThreeFileName

(Boolean) Encrypted

(String) EncryptionMethod

(String) Extension

(String) FileName

(UInt64) FileSize

(String) FileType

(String) FSName

(Boolean) Hidden

(DateTime) InstallDate

(UInt64) InUseCount

(DateTime) LastAccessed

(DateTime) LastModified

(String) LogfileName

(String) Manufacturer

(UInt32) MaxFileSize

(UInt32) NumberOfRecords

(UInt32) OverwriteOutDated

(String) OverWritePolicy

(String) Path

(Boolean) Readable

(String) Sources[]

(String) Status

(Boolean) System

(String) Version

(Boolean) Writeable

Office365ProPlusConfigurations
Namespace: root\cimv2

class Office365ProPlusConfigurations

(String) KeyName

(String) AutoUpgrade

(String) CCMManaged

(String) CDNBaseUrl

(String) cfgUpdateChannel

(String) ClientCulture

(String) ClientFolder

(String) GPOChannel

(String) GPOOfficeMgmtCOM

(String) InstallationPath

(String) LastScenario

(String) LastScenarioResult

(String) OfficeMgmtCOM

(String) Platform

(String) SharedComputerLicensing

(String) UpdateChannel

(String) UpdatePath

(String) UpdatesEnabled

(String) UpdateUrl

(String) VersionToReport

Office Addin
Namespace: root\ccm\InvAgt

class CCM_OfficeAddin

(String) Architecture

(String) ID

(String) OfficeApp

(String) Type

(UInt32) AverageLoadTimeInMilliseconds

(String) CLSID

(String) CompanyName

(UInt32) CrashCount

(String) Description

(UInt32) ErrorCount

(String) FileName

(UInt64) FileSize

(UInt32) FileTimestamp

(String) FileVersion

(String) FriendlyName

(String) FriendlyNameHash

(String) IdHash

(UInt32) LoadBehavior

(UInt32) LoadCount

(UInt32) LoadFailCount

(String) ProductName

(String) ProductVersion

Office Client Metric
Namespace: root\ccm\InvAgt

class CCM_OfficeClientMetric

(String) OfficeApp

(UInt32) CompatibilityErrorCount

(UInt32) CrashedSessionCount

(UInt32) MacroCompileErrorCount

(UInt32) MacroRuntimeErrorCount

(UInt32) SessionCount

Office Device Summary
Namespace: root\ccm\InvAgt

class CCM_OfficeDeviceSummary

(Boolean) IsProPlusInstalled

(Boolean) IsTelemetryEnabled

Office Document Metric
Namespace: root\ccm\InvAgt

class CCM_OfficeDocumentMetric

(String) OfficeApp

(UInt32) TotalCloudDocs

(UInt32) TotalLegacyDocs

(UInt32) TotalLocalDocs

(UInt32) TotalMacroDocs

(UInt32) TotalNonMacroDocs

(UInt32) TotalUncDocs

Office Document Solution
Namespace: root\ccm\InvAgt

class CCM_OfficeDocumentSolution

(String) DocumentSolutionId

(String) OfficeApp

(UInt32) CompatibilityErrorCount

(UInt32) CrashCount

(String) ExampleFileName

(UInt32) LoadCount

(UInt32) LoadFailCount

(UInt32) MacroCompileErrorCount

(UInt32) MacroRuntimeErrorCount

(String) Type

Office Macro Error
Namespace: root\ccm\InvAgt

class CCM_OfficeMacroError

(String) DocumentSolutionId

(UInt32) ErrorCode

(UInt32) Count

(UInt64) LastOccurrence

(String) Type

Office Product Info
Namespace: root\ccm\InvAgt

class CCM_OfficeProductInfo

(String) ProductName

(String) ProductVersion

(String) Architecture

(String) Channel

(UInt32) IsProPlusInstalled

(String) Language

(String) LicenseState

Office Vba Rule Violation
Namespace: root\ccm\InvAgt

class CCM_OfficeVbaRuleViolation

(UInt32) RuleId

(UInt32) FileCount

(String) OfficeApp

Office VbaSummary
Namespace: root\ccm\InvAgt

class CCM_OfficeVbaScanResultsSummary

(UInt32) Design

(UInt32) Design64

(UInt32) DuplicateVba

(Boolean) HasResults

(UInt32) HasVba

(UInt32) Inaccessible

(UInt32) Issues

(UInt32) Issues64

(UInt32) IssuesNone

(UInt32) IssuesNone64

(UInt32) Locked

(UInt32) NoVba

(UInt32) Protected

(UInt32) RemLimited

(UInt32) RemLimited64

(UInt32) RemSignificant

(UInt32) RemSignificant64

(UInt32) Score

(UInt32) Score64

(UInt32) Total

(UInt32) Validation

(UInt32) Validation64

Operating System
Namespace: root\cimv2

class Win32_OperatingSystem

(String) Name

(String) BootDevice

(String) BuildNumber

(String) BuildType

(String) Caption

(String) CodeSet

(String) CountryCode

(String) CSDVersion

(SInt16) CurrentTimeZone

(Boolean) Debug

(String) Description

(Boolean) Distributed

(UInt8) ForegroundApplicationBoost

(UInt64) FreePhysicalMemory

(UInt64) FreeSpaceInPagingFiles

(UInt64) FreeVirtualMemory

(DateTime) InstallDate

(DateTime) LastBootUpTime

(DateTime) LocalDateTime

(String) Locale

(String) Manufacturer

(UInt32) MaxNumberOfProcesses

(UInt64) MaxProcessMemorySize

(String) MUILanguages[]

(UInt32) NumberOfLicensedUsers

(UInt32) NumberOfProcesses

(UInt32) NumberOfUsers

(UInt32) OperatingSystemSKU

(String) Organization

(String) OSArchitecture

(UInt32) OSLanguage

(UInt32) OSProductSuite

(UInt16) OSType

(String) OtherTypeDescription

(String) PlusProductID

(String) PlusVersionNumber

(Boolean) Primary

(UInt32) ProductType

(String) RegisteredUser

(String) SerialNumber

(UInt16) ServicePackMajorVersion

(UInt16) ServicePackMinorVersion

(UInt64) SizeStoredInPagingFiles

(String) Status

(String) SystemDevice

(String) SystemDirectory

(UInt64) TotalSwapSpaceSize

(UInt64) TotalVirtualMemorySize

(UInt64) TotalVisibleMemorySize

(String) Version

(String) WindowsDirectory

Operating System Ex
Namespace: root\cimv2

class CCM_OperatingSystemExtended

(String) Name

(UInt32) SKU

Operating System Recovery Configuration
Namespace: root\cimv2

class Win32_OSRecoveryConfiguration

(String) Name

(Boolean) AutoReboot

(String) Caption

(String) DebugFilePath

(String) Description

(Boolean) KernelDumpOnly

(Boolean) OverwriteExistingDebugFile

(Boolean) SendAdminAlert

(String) SettingID

(Boolean) WriteDebugInfo

(Boolean) WriteToSystemLog

Optional Feature
Namespace: root\cimv2

class Win32_OptionalFeature

(String) Name

(String) Caption

(String) Description

(DateTime) InstallDate

(UInt32) InstallState

(String) Status

Page File Setting
Namespace: root\cimv2

class Win32_PageFileSetting

(String) Name

(String) Caption

(String) Description

(UInt32) InitialSize

(UInt32) MaximumSize

(String) SettingID

Parallel Port
Namespace: root\cimv2

class Win32_ParallelPort

(String) DeviceID

(UInt16) Availability

(UInt16) Capabilities[]

(String) CapabilityDescriptions[]

(String) Caption

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description

(Boolean) DMASupport

(Boolean) ErrorCleared

(String) ErrorDescription

(DateTime) InstallDate

(UInt32) LastErrorCode

(UInt32) MaxNumberControlled

(String) Name

(Boolean) OSAutoDiscovered

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(UInt16) ProtocolSupported

(String) Status

(UInt16) StatusInfo

(String) SystemName

(DateTime) TimeOfLastReset

BIOS
Namespace: root\cimv2

class Win32_BIOS

(String) Name

(String) SoftwareElementID

(UInt16) SoftwareElementState

(UInt16) TargetOperatingSystem

(String) Version

(UInt16) BiosCharacteristics[]

(String) BIOSVersion[]

(String) BuildNumber

(String) Caption

(String) CodeSet

(String) CurrentLanguage

(String) Description

(String) IdentificationCode

(UInt16) InstallableLanguages

(DateTime) InstallDate

(String) LanguageEdition

(String) ListOfLanguages[]

(String) Manufacturer

(String) OtherTargetOS

(Boolean) PrimaryBIOS

(DateTime) ReleaseDate

(String) SerialNumber

(String) SMBIOSBIOSVersion

(UInt16) SMBIOSMajorVersion

(UInt16) SMBIOSMinorVersion

(Boolean) SMBIOSPresent

(String) Status

PCMCIA Controller
Namespace: root\cimv2

class Win32_PCMCIAController

(String) DeviceID

(UInt16) Availability

(String) Caption

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description

(Boolean) ErrorCleared

(String) ErrorDescription

(DateTime) InstallDate

(UInt32) LastErrorCode

(String) Manufacturer

(UInt32) MaxNumberControlled

(String) Name

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(UInt16) ProtocolSupported

(String) Status

(UInt16) StatusInfo

(String) SystemName

(DateTime) TimeOfLastReset

Physical Memory
Namespace: root\cimv2

class Win32_PhysicalMemory

(String) CreationClassName

(String) Tag

(String) BankLabel

(UInt64) Capacity

(String) Caption

(UInt16) DataWidth

(String) Description

(String) DeviceLocator

(UInt16) FormFactor

(Boolean) HotSwappable

(DateTime) InstallDate

(UInt16) InterleaveDataDepth

(UInt32) InterleavePosition

(String) Manufacturer

(UInt16) MemoryType

(String) Model

(String) Name

(String) OtherIdentifyingInfo

(String) PartNumber

(UInt32) PositionInRow

(Boolean) PoweredOn

(Boolean) Removable

(Boolean) Replaceable

(String) SerialNumber

(String) SKU

(UInt32) Speed

(String) Status

(UInt16) TotalWidth

(UInt16) TypeDetail

(String) Version

PhysicalDisk
Namespace: root\microsoft\windows\storage

class MSFT_PhysicalDisk

(String) ObjectId

(UInt64) AllocatedSize

(UInt16) BusType

(UInt16) CannotPoolReason[]

(Boolean) CanPool

(String) Description

(String) DeviceId

(UInt16) EnclosureNumber

(String) FirmwareVersion

(String) FriendlyName

(UInt16) HealthStatus

(Boolean) IsIndicationEnabled

(Boolean) IsPartial

(UInt64) LogicalSectorSize

(String) Manufacturer

(UInt16) MediaType

(String) Model

(UInt16) OperationalStatus[]

(String) OtherCannotPoolReasonDescription

(String) PartNumber

(String) PhysicalLocation

(UInt64) PhysicalSectorSize

(String) SerialNumber

(UInt64) Size

(UInt16) SlotNumber

(String) SoftwareVersion

(UInt32) SpindleSpeed

(UInt16) SupportedUsages[]

(String) UniqueId

(UInt16) Usage

PNP DEVICE DRIVER
Namespace: root\cimv2

class Win32_PnpEntity

(String) DeviceID

(UInt16) Availability

(String) Caption

(String) ClassGuid

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) CreationClassName

(String) Description

(Boolean) ErrorCleared

(String) ErrorDescription

(DateTime) InstallDate

(UInt32) LastErrorCode

(String) Manufacturer

(String) Name

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(String) Service

(String) Status

(UInt16) StatusInfo

(String) SystemCreationClassName

(String) SystemName

Pointing Device
Namespace: root\cimv2

class Win32_PointingDevice

(String) DeviceID

(UInt16) Availability

(String) Caption

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description

(UInt16) DeviceInterface

(UInt32) DoubleSpeedThreshold

(Boolean) ErrorCleared

(String) ErrorDescription

(UInt16) Handedness

(String) HardwareType

(String) InfFileName

(String) InfSection

(DateTime) InstallDate

(Boolean) IsLocked

(UInt32) LastErrorCode

(String) Manufacturer

(String) Name

(UInt8) NumberOfButtons

(String) PNPDeviceID

(UInt16) PointingType

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(UInt32) QuadSpeedThreshold

(UInt32) Resolution

(UInt32) SampleRate

(String) Status

(UInt16) StatusInfo

(UInt32) Synch

(String) SystemName

Portable Battery
Namespace: root\cimv2

class Win32_PortableBattery

(String) DeviceID

(UInt16) Availability

(UInt16) BatteryStatus

(UInt16) CapacityMultiplier

(String) Caption

(UInt16) Chemistry

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description

(UInt32) DesignCapacity

(UInt64) DesignVoltage

(Boolean) ErrorCleared

(String) ErrorDescription

(UInt16) EstimatedChargeRemaining

(UInt32) EstimatedRunTime

(UInt32) ExpectedLife

(UInt32) FullChargeCapacity

(DateTime) InstallDate

(UInt32) LastErrorCode

(String) Location

(String) ManufactureDate

(String) Manufacturer

(UInt16) MaxBatteryError

(UInt32) MaxRechargeTime

(String) Name

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(String) SmartBatteryVersion

(String) Status

(UInt16) StatusInfo

(String) SystemName

(UInt32) TimeOnBattery

(UInt32) TimeToFullCharge

Ports
Namespace: root\cimv2

class Win32_PortResource

(UInt64) StartingAddress

(Boolean) Alias

(String) Caption

(String) Description

(UInt64) EndingAddress

(DateTime) InstallDate

(String) Name

(String) Status

Power Capabilities
Namespace: root\CCM\powermanagementagent

class CCM_PwrMgmtSystemPowerCapabilities

(UInt32) PreferredPMProfile

(Boolean) ApmPresent

(Boolean) BatteriesAreShortTerm

(Boolean) FullWake

(Boolean) LidPresent

(String) MinDeviceWakeState

(Boolean) ProcessorThrottle

(String) RtcWake

(Boolean) SystemBatteriesPresent

(Boolean) SystemS1

(Boolean) SystemS2

(Boolean) SystemS3

(Boolean) SystemS4

(Boolean) SystemS5

(Boolean) UpsPresent

(Boolean) VideoDimPresent

Power Configurations
Namespace: root\CCM\policy\machine\actualconfig

class CCM_PowerConfig

(String) PowerConfigID

(UInt32) DurationInSec

(String) NonPeakPowerPlan

(String) NonPeakPowerPlanName

(String) PeakPowerPlan

(String) PeakPowerPlanName

(String) PeakStartTimeHoursMin

(String) WakeUpTimeHoursMin

Power Management Insomnia Reasons
Namespace: root\CCM\powermanagementagent

class CCM_PwrMgmtLastSuspendError

(String) Requester

(String) RequesterType

(String) RequestType

(DateTime) Time

(UInt32) AdditionalCode

(String) AdditionalInfo

(String) RequesterInfo

(Boolean) UnknownRequester

Power Management Daily
Namespace: root\CCM\powermanagementagent

class CCM_PwrMgmtActualDay

(DateTime) Date

(String) TypeOfEvent

(UInt32) hr0_1

(UInt32) hr1_2

(UInt32) hr10_11

(UInt32) hr11_12

(UInt32) hr12_13

(UInt32) hr13_14

(UInt32) hr14_15

(UInt32) hr15_16

(UInt32) hr16_17

(UInt32) hr17_18

(UInt32) hr18_19

(UInt32) hr19_20

(UInt32) hr2_3

(UInt32) hr20_21

(UInt32) hr21_22

(UInt32) hr22_23

(UInt32) hr23_0

(UInt32) hr3_4

(UInt32) hr4_5

(UInt32) hr5_6

(UInt32) hr6_7

(UInt32) hr7_8

(UInt32) hr8_9

(UInt32) hr9_10

(UInt32) minutesTotal

Power Client Opt Out Settings
Namespace: root\ccm\ClientSDK

class CCM_PowerManagementClientOptoutSetting

(Boolean) AdminAllowOptout

(Boolean) EffectiveClientOptOut

(Boolean) IsClientOptOut

Power Management Monthly
Namespace: root\CCM\powermanagementagent

class CCM_PwrMgmtMonth

(DateTime) MonthStart

(UInt32) minutesComputerActive

(UInt32) minutesComputerOn

(UInt32) minutesComputerShutdown

(UInt32) minutesComputerSleep

(UInt32) minutesMonitorOn

(UInt32) minutesTotal

(String) TypeOfEvent

Power Settings
Namespace: root\cimv2\sms

class SMS_PowerSettings

(String) GUID

(String) ACSettingIndex

(String) ACValue

(String) DCSettingIndex

(String) DCValue

(String) Name

(String) UnitSpecifier

Print Jobs
Namespace: root\cimv2

class Win32_PrintJob

(String) Name

(String) Caption

(String) DataType

(String) Description

(String) Document

(String) DriverName

(DateTime) ElapsedTime

(String) HostPrintQueue

(DateTime) InstallDate

(UInt32) JobId

(String) JobStatus

(String) Notify

(String) Owner

(UInt32) PagesPrinted

(String) Parameters

(String) PrintProcessor

(UInt32) Priority

(UInt32) Size

(DateTime) StartTime

(String) Status

(UInt32) StatusMask

(DateTime) TimeSubmitted

(UInt32) TotalPages

(DateTime) UntilTime

Printer Configuration
Namespace: root\cimv2

class Win32_PrinterConfiguration

(String) Name

(UInt32) BitsPerPel

(String) Caption

(Boolean) Collate

(UInt32) Color

(UInt32) Copies

(String) Description

(String) DeviceName

(UInt32) DisplayFlags

(UInt32) DisplayFrequency

(UInt32) DitherType

(UInt32) DriverVersion

(Boolean) Duplex

(String) FormName

(UInt32) HorizontalResolution

(UInt32) ICMIntent

(UInt32) ICMMethod

(UInt32) LogPixels

(UInt32) MediaType

(UInt32) Orientation

(UInt32) PaperLength

(String) PaperSize

(UInt32) PaperWidth

(UInt32) PelsHeight

(UInt32) PelsWidth

(UInt32) PrintQuality

(UInt32) Scale

(String) SettingID

(UInt32) SpecificationVersion

(UInt32) TTOption

(UInt32) VerticalResolution

(UInt32) XResolution

(UInt32) YResolution

Printer Device
Namespace: root\cimv2

class Win32_Printer

(String) DeviceID

(UInt32) Attributes

(UInt16) Availability

(UInt32) AveragePagesPerMinute

(UInt16) Capabilities[]

(String) CapabilityDescriptions[]

(String) Caption

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(UInt32) DefaultPriority

(String) Description

(UInt16) DetectedErrorState

(String) DriverName

(Boolean) ErrorCleared

(String) ErrorDescription

(UInt32) HorizontalResolution

(DateTime) InstallDate

(UInt32) JobCountSinceLastReset

(UInt16) LanguagesSupported[]

(UInt32) LastErrorCode

(String) Location

(String) Name

(UInt16) PaperSizesSupported[]

(String) PNPDeviceID

(String) PortName

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(String) PrinterPaperNames[]

(UInt32) PrinterState

(UInt16) PrinterStatus

(String) PrintJobDataType

(String) PrintProcessor

(String) SeparatorFile

(String) ServerName

(String) ShareName

(Boolean) SpoolEnabled

(DateTime) StartTime

(String) Status

(UInt16) StatusInfo

(String) SystemName

(DateTime) TimeOfLastReset

(DateTime) UntilTime

(UInt32) VerticalResolution

Process
Namespace: root\cimv2

class Win32_Process

(String) Handle

(String) Caption

(DateTime) CreationDate

(String) Description

(String) ExecutablePath

(UInt16) ExecutionState

(UInt32) HandleCount

(DateTime) InstallDate

(UInt64) KernelModeTime

(UInt32) MaximumWorkingSetSize

(UInt32) MinimumWorkingSetSize

(String) Name

(String) OSName

(UInt64) OtherOperationCount

(UInt64) OtherTransferCount

(UInt32) PageFaults

(UInt32) PageFileUsage

(UInt32) ParentProcessId

(UInt32) PeakPageFileUsage

(UInt64) PeakVirtualSize

(UInt32) PeakWorkingSetSize

(UInt32) Priority

(UInt64) PrivatePageCount

(UInt32) ProcessId

(UInt32) QuotaNonPagedPoolUsage

(UInt32) QuotaPagedPoolUsage

(UInt32) QuotaPeakNonPagedPoolUsage

(UInt32) QuotaPeakPagedPoolUsage

(UInt64) ReadOperationCount

(UInt64) ReadTransferCount

(UInt32) SessionId

(String) Status

(DateTime) TerminationDate

(UInt32) ThreadCount

(UInt64) UserModeTime

(UInt64) VirtualSize

(String) WindowsVersion

(UInt64) WorkingSetSize

(UInt64) WriteOperationCount

(UInt64) WriteTransferCount

Processor
Namespace: root\cimv2\sms

class SMS_Processor

(String) DeviceID

(UInt16) AddressWidth

(UInt16) Architecture

(UInt16) Availability

(UInt16) BrandID

(String) Caption

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) CPUHash

(String) CPUKey

(UInt16) CpuStatus

(UInt32) CurrentClockSpeed

(UInt16) CurrentVoltage

(UInt16) DataWidth

(String) Description

(Boolean) ErrorCleared

(String) ErrorDescription

(UInt32) ExtClock

(UInt16) Family

(DateTime) InstallDate

(Boolean) Is64Bit

(Boolean) IsHyperthreadCapable

(Boolean) IsHyperthreadEnabled

(Boolean) IsMobile

(Boolean) IsTrustedExecutionCapable

(Boolean) IsVitualizationCapable

(UInt32) L2CacheSize

(UInt32) L2CacheSpeed

(UInt32) L3CacheSize

(UInt32) L3CacheSpeed

(UInt32) LastErrorCode

(UInt16) Level

(UInt16) LoadPercentage

(String) Manufacturer

(UInt32) MaxClockSpeed

(String) Name

(UInt32) NormSpeed

(UInt32) NumberOfCores

(UInt32) NumberOfLogicalProcessors

(String) OtherFamilyDescription

(Boolean) PartOfDomain

(UInt32) PCache

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(String) ProcessorId

(UInt16) ProcessorType

(UInt16) Revision

(String) Role

(String) SocketDesignation

(String) Status

(UInt16) StatusInfo

(String) Stepping

(String) SystemName

(String) UniqueId

(UInt16) UpgradeMethod

(String) Version

(UInt32) VoltageCaps

(String) Workgroup

Protected Volume Information
Namespace: root\cimv2\sms

class CCM_ProtectedVolumeInfo

(String) Name

(String) DriveLetter

(UInt32) ProtectionType

Protocol
Namespace: root\cimv2

class Win32_NetworkProtocol

(String) Name

(String) Caption

(Boolean) ConnectionlessService

(String) Description

(Boolean) GuaranteesDelivery

(Boolean) GuaranteesSequencing

(DateTime) InstallDate

(UInt32) MaximumAddressSize

(UInt32) MaximumMessageSize

(Boolean) MessageOriented

(UInt32) MinimumAddressSize

(Boolean) PseudoStreamOriented

(String) Status

(Boolean) SupportsBroadcasting

(Boolean) SupportsConnectData

(Boolean) SupportsDisconnectData

(Boolean) SupportsEncryption

(Boolean) SupportsExpeditedData

(Boolean) SupportsFragmentation

(Boolean) SupportsGracefulClosing

(Boolean) SupportsGuaranteedBandwidth

(Boolean) SupportsMulticasting

(Boolean) SupportsQualityofService

Quick Fix Engineering
Namespace: root\cimv2

class Win32_QuickFixEngineering

(String) HotFixID

(String) ServicePackInEffect

(String) Caption

(String) Description

(String) FixComments

(DateTime) InstallDate

(String) InstalledBy

(String) InstalledOn

(String) Name

(String) Status

CCM Recently Used Applications
Namespace: root\cimv2\sms

class CCM_RecentlyUsedApps

(String) ExplorerFileName

(String) FolderPath

(String) LastUserName

(String) AdditionalProductCodes

(String) CompanyName

(String) FileDescription

(String) FilePropertiesHash

(UInt32) FileSize

(String) FileVersion

(DateTime) LastUsedTime

(UInt32) LaunchCount

(String) msiDisplayName

(String) msiPublisher

(String) msiVersion

(String) OriginalFileName

(String) ProductCode

(UInt32) ProductLanguage

(String) ProductName

(String) ProductVersion

(String) SoftwarePropertiesHash

Registry
Namespace: root\cimv2

class Win32_Registry

(String) Name

(String) Caption

(UInt32) CurrentSize

(String) Description

(DateTime) InstallDate

(UInt32) MaximumSize

(UInt32) ProposedSize

(String) Status

SCSI Controller
Namespace: root\cimv2

class Win32_SCSIController

(String) DeviceID

(UInt16) Availability

(String) Caption

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(UInt32) ControllerTimeouts

(String) Description

(String) DeviceMap

(String) DriverName

(Boolean) ErrorCleared

(String) ErrorDescription

(String) HardwareVersion

(UInt32) Index

(DateTime) InstallDate

(UInt32) LastErrorCode

(String) Manufacturer

(UInt32) MaxDataWidth

(UInt32) MaxNumberControlled

(UInt64) MaxTransferRate

(String) Name

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(UInt16) ProtectionManagement

(UInt16) ProtocolSupported

(String) Status

(UInt16) StatusInfo

(String) SystemName

(DateTime) TimeOfLastReset

Serial Port Configuration
Namespace: root\cimv2

class Win32_SerialPortConfiguration

(String) Name

(Boolean) AbortReadWriteOnError

(UInt32) BaudRate

(Boolean) BinaryModeEnabled

(UInt32) BitsPerByte

(String) Caption

(Boolean) ContinueXMitOnXOff

(Boolean) CTSOutflowControl

(String) Description

(Boolean) DiscardNULLBytes

(Boolean) DSROutflowControl

(Boolean) DSRSensitivity

(String) DTRFlowControlType

(UInt32) EOFCharacter

(UInt32) ErrorReplaceCharacter

(Boolean) ErrorReplacementEnabled

(UInt32) EventCharacter

(Boolean) IsBusy

(String) Parity

(Boolean) ParityCheckEnabled

(String) RTSFlowControlType

(String) SettingID

(String) StopBits

(UInt32) XOffCharacter

(UInt32) XOffXMitThreshold

(UInt32) XOnCharacter

(UInt32) XOnXMitThreshold

(UInt32) XOnXOffInFlowControl

(UInt32) XOnXOffOutFlowControl

Serial Ports
Namespace: root\cimv2

class Win32_SerialPort

(String) DeviceID

(UInt16) Availability

(Boolean) Binary

(UInt16) Capabilities[]

(String) CapabilityDescriptions[]

(String) Caption

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description

(Boolean) ErrorCleared

(String) ErrorDescription

(DateTime) InstallDate

(UInt32) LastErrorCode

(UInt32) MaxBaudRate

(UInt32) MaximumInputBufferSize

(UInt32) MaximumOutputBufferSize

(UInt32) MaxNumberControlled

(String) Name

(Boolean) OSAutoDiscovered

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(UInt16) ProtocolSupported

(String) ProviderType

(Boolean) SettableBaudRate

(Boolean) SettableDataBits

(Boolean) SettableFlowControl

(Boolean) SettableParity

(Boolean) SettableParityCheck

(Boolean) SettableRLSD

(Boolean) SettableStopBits

(String) Status

(UInt16) StatusInfo

(Boolean) Supports16BitMode

(Boolean) SupportsDTRDSR

(Boolean) SupportsElapsedTimeouts

(Boolean) SupportsIntTimeouts

(Boolean) SupportsParityCheck

(Boolean) SupportsRLSD

(Boolean) SupportsRTSCTS

(Boolean) SupportsSpecialCharacters

(Boolean) SupportsXOnXOff

(Boolean) SupportsXOnXOffSet

(String) SystemName

(DateTime) TimeOfLastReset

Server Feature
Namespace: root\cimv2

class Win32_ServerFeature

(UInt32) ID

(String) Name

(UInt32) ParentID

Services
Namespace: root\cimv2

class Win32_Service

(String) Name

(Boolean) AcceptPause

(Boolean) AcceptStop

(String) Caption

(UInt32) CheckPoint

(String) Description

(Boolean) DesktopInteract

(String) DisplayName

(String) ErrorControl

(UInt32) ExitCode

(DateTime) InstallDate

(String) PathName

(UInt32) ProcessId

(UInt32) ServiceSpecificExitCode

(String) ServiceType

(Boolean) Started

(String) StartMode

(String) StartName

(String) State

(String) Status

(String) SystemName

(UInt32) TagId

(UInt32) WaitHint

Shares
Namespace: root\cimv2

class Win32_Share

(String) Name

(UInt32) AccessMask

(Boolean) AllowMaximum

(String) Caption

(String) Description

(DateTime) InstallDate

(UInt32) MaximumAllowed

(String) Path

(String) Status

(UInt32) Type

SW Licensing Product
Namespace: root\cimv2

class SoftwareLicensingProduct

(String) ID

(String) ApplicationID

(String) Description

(DateTime) EvaluationEndDate

(UInt32) GracePeriodRemaining

(UInt32) LicenseStatus

(String) MachineURL

(String) Name

(String) OfflineInstallationId

(String) PartialProductKey

(String) ProcessorURL

(String) ProductKeyID

(String) ProductKeyURL

(String) UseLicenseURL

SW Licensing Service
Namespace: root\cimv2

class SoftwareLicensingService

(String) Version

(String) ClientMachineID

(UInt32) IsKeyManagementServiceMachine

(UInt32) KeyManagementServiceCurrentCount

(String) KeyManagementServiceMachine

(String) KeyManagementServiceProductKeyID

(UInt32) PolicyCacheRefreshRequired

(UInt32) RequiredClientCount

(UInt32) VLActivationInterval

(UInt32) VLRenewalInterval

Software Shortcut
Namespace: root\cimv2\sms

class SMS_SoftwareShortcut

(String) ShortcutKey

(String) BinFileVersion

(String) BinProductVersion

(String) Description

(String) FilePropertiesHash

(String) FilePropertiesHashEx

(UInt32) FileSize

(String) FileVersion

(UInt32) Language

(String) ParentName

(String) Product

(String) ProductCode

(String) ProductVersion

(String) Publisher

(String) ShortcutName

(UInt32) ShortcutType

(String) TargetExecutable

SMS_SoftwareTag
Namespace: root\cimv2\sms

class SMS_SoftwareTag

(String) TagCreatorRegid

(String) UniqueID

(String) DisplayVersion

(Boolean) EntitlementRequired

(String) ProductName

(String) SoftwareCreator

(String) SoftwareCreatorRegid

(String) SoftwareLicensor

(String) SoftwareLicensorRegid

(String) TagCreator

(SInt32) VersionMajor

(SInt32) VersionMinor

Sound Devices
Namespace: root\cimv2

class Win32_SoundDevice

(String) DeviceID

(UInt16) Availability

(String) Caption

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description

(UInt16) DMABufferSize

(Boolean) ErrorCleared

(String) ErrorDescription

(DateTime) InstallDate

(UInt32) LastErrorCode

(String) Manufacturer

(UInt32) MPU401Address

(String) Name

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(String) ProductName

(String) Status

(UInt16) StatusInfo

(String) SystemName

System Account
Namespace: root\cimv2

class Win32_SystemAccount

(String) Domain

(String) Name

(String) Caption

(String) Description

(DateTime) InstallDate

(String) SID

(UInt8) SIDType

(String) Status

System Boot Data
Namespace: root\CCM

class CCM_SystemBootData

(UInt64) SystemStartTime

(UInt32) BiosDuration

(UInt16) BootDiskMediaType

(UInt32) BootDuration

(UInt32) EventLogStart

(UInt32) GPDuration

(String) OSVersion

(UInt32) UpdateDuration

System Boot Summary
Namespace: root\CCM

class CCM_SystemBootSummary

(UInt32) AverageBootFrequency

(UInt32) LatestBiosDuration

(UInt32) LatestBootDuration

(UInt32) LatestCoreBootDuration

(UInt32) LatestEventLogStart

(UInt32) LatestGPDuration

(UInt32) LatestUpdateDuration

(UInt32) MaxBiosDuration

(UInt32) MaxBootDuration

(UInt32) MaxCoreBootDuration

(UInt32) MaxEventLogStart

(UInt32) MaxGPDuration

(UInt32) MaxUpdateDuration

(UInt32) MedianBiosDuration

(UInt32) MedianBootDuration

(UInt32) MedianCoreBootDuration

(UInt32) MedianEventLogStart

(UInt32) MedianGPDuration

(UInt32) MedianUpdateDuration

System Console Usage
Namespace: root\cimv2\sms

class SMS_SystemConsoleUsage

(DateTime) SecurityLogStartDate

(String) TopConsoleUser

(UInt32) TotalConsoleTime

(UInt32) TotalConsoleUsers

(UInt32) TotalSecurityLogTime

System Console User
Namespace: root\cimv2\sms

class SMS_SystemConsoleUser

(String) SystemConsoleUser

(DateTime) LastConsoleUse

(UInt32) NumberOfConsoleLogons

(UInt32) TotalUserConsoleMinutes

System Devices
Namespace: root\cimv2\sms

class CCM_SystemDevices

(String) Name

(String) CompatibleIDs[]

(String) DeviceID

(String) HardwareIDs[]

(Boolean) IsPnP

System Drivers
Namespace: root\cimv2

class Win32_SystemDriver

(String) Name

(Boolean) AcceptPause

(Boolean) AcceptStop

(String) Caption

(String) Description

(Boolean) DesktopInteract

(String) DisplayName

(String) ErrorControl

(UInt32) ExitCode

(DateTime) InstallDate

(String) PathName

(UInt32) ServiceSpecificExitCode

(String) ServiceType

(Boolean) Started

(String) StartMode

(String) StartName

(String) State

(String) Status

(String) SystemName

(UInt32) TagId

System Enclosure
Namespace: root\cimv2

class Win32_SystemEnclosure

(String) Tag

(Boolean) AudibleAlarm

(String) BreachDescription

(String) CableManagementStrategy

(String) Caption

(UInt16) ChassisTypes[]

(SInt16) CurrentRequiredOrProduced

(String) Description

(UInt16) HeatGeneration

(Boolean) HotSwappable

(DateTime) InstallDate

(Boolean) LockPresent

(String) Manufacturer

(String) Model

(String) Name

(UInt16) NumberOfPowerCords

(String) OtherIdentifyingInfo

(String) PartNumber

(Boolean) PoweredOn

(Boolean) Removable

(Boolean) Replaceable

(UInt16) SecurityBreach

(UInt16) SecurityStatus

(String) SerialNumber

(String) ServiceDescriptions[]

(UInt16) ServicePhilosophy[]

(String) SKU

(String) SMBIOSAssetTag

(String) Status

(String) TypeDescriptions[]

(String) Version

(Boolean) VisibleAlarm

Tape Drive
Namespace: root\cimv2

class Win32_TapeDrive

(String) DeviceID

(UInt16) Availability

(UInt16) Capabilities[]

(String) CapabilityDescriptions[]

(String) Caption

(UInt32) Compression

(String) CompressionMethod

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(UInt64) DefaultBlockSize

(String) Description

(UInt32) ECC

(UInt32) EOTWarningZoneSize

(Boolean) ErrorCleared

(String) ErrorDescription

(String) ErrorMethodology

(UInt32) FeaturesHigh

(UInt32) FeaturesLow

(String) ID

(DateTime) InstallDate

(UInt32) LastErrorCode

(String) Manufacturer

(UInt64) MaxBlockSize

(UInt64) MaxMediaSize

(UInt32) MaxPartitionCount

(String) MediaType

(UInt64) MinBlockSize

(String) Name

(Boolean) NeedsCleaning

(UInt32) NumberOfMediaSupported

(UInt32) Padding

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(UInt32) ReportSetMarks

(String) Status

(UInt16) StatusInfo

(String) SystemName

Time Zone
Namespace: root\cimv2

class Win32_TimeZone

(String) StandardName

(SInt32) Bias

(String) Caption

(SInt32) DaylightBias

(UInt32) DaylightDay

(UInt8) DaylightDayOfWeek

(UInt32) DaylightHour

(UInt32) DaylightMillisecond

(UInt32) DaylightMinute

(UInt32) DaylightMonth

(String) DaylightName

(UInt32) DaylightSecond

(UInt32) DaylightYear

(String) Description

(String) SettingID

(UInt32) StandardBias

(UInt32) StandardDay

(UInt8) StandardDayOfWeek

(UInt32) StandardHour

(UInt32) StandardMillisecond

(UInt32) StandardMinute

(UInt32) StandardMonth

(UInt32) StandardSecond

(UInt32) StandardYear

TPM
Namespace: root\CIMv2\Security\MicrosoftTpm

class Win32_Tpm

(Boolean) IsActivated_InitialValue

(Boolean) IsEnabled_InitialValue

(Boolean) IsOwned_InitialValue

(UInt32) ManufacturerId

(String) ManufacturerVersion

(String) ManufacturerVersionInfo

(String) PhysicalPresenceVersionInfo

(String) SpecVersion

TPM Status
Namespace: root\cimv2\sms

class SMS_TPM

(Boolean) IsReady

(UInt32) Information

(Boolean) IsApplicable

TS Issued License
Namespace: root\cimv2

class Win32_TSIssuedLicense

(UInt32) LicenseId

(DateTime) ExpirationDate

(DateTime) IssueDate

(UInt32) KeyPackId

(UInt32) LicenseStatus

(String) sHardwareId

(String) sIssuedToComputer

(String) sIssuedToUser

TS License Key Pack
Namespace: root\cimv2

class Win32_TSLicenseKeyPack

(UInt32) KeyPackId

(UInt32) AvailableLicenses

(String) Description

(UInt32) IssuedLicenses

(UInt32) KeyPackType

(UInt32) ProductType

(String) ProductVersion

(UInt32) TotalLicenses

Uninterruptible Power Supply
Namespace: root\cimv2

class Win32_UninterruptiblePowerSupply

(String) DeviceID

(UInt16) ActiveInputVoltage

(UInt16) Availability

(Boolean) BatteryInstalled

(Boolean) CanTurnOffRemotely

(String) Caption

(String) CommandFile

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description

(Boolean) ErrorCleared

(String) ErrorDescription

(UInt16) EstimatedChargeRemaining

(UInt32) EstimatedRunTime

(UInt32) FirstMessageDelay

(DateTime) InstallDate

(Boolean) IsSwitchingSupply

(UInt32) LastErrorCode

(Boolean) LowBatterySignal

(UInt32) MessageInterval

(String) Name

(String) PNPDeviceID

(Boolean) PowerFailSignal

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(UInt32) Range1InputFrequencyHigh

(UInt32) Range1InputFrequencyLow

(UInt32) Range1InputVoltageHigh

(UInt32) Range1InputVoltageLow

(UInt32) Range2InputFrequencyHigh

(UInt32) Range2InputFrequencyLow

(UInt32) Range2InputVoltageHigh

(UInt32) Range2InputVoltageLow

(UInt16) RemainingCapacityStatus

(String) Status

(UInt16) StatusInfo

(String) SystemName

(UInt32) TimeOnBackup

(UInt32) TotalOutputPower

(UInt16) TypeOfRangeSwitching

(String) UPSPort

USB Controller
Namespace: root\cimv2

class Win32_USBController

(String) DeviceID

(UInt16) Availability

(String) Caption

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) Description

(Boolean) ErrorCleared

(String) ErrorDescription

(DateTime) InstallDate

(UInt32) LastErrorCode

(String) Manufacturer

(UInt32) MaxNumberControlled

(String) Name

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(UInt16) ProtocolSupported

(String) Status

(UInt16) StatusInfo

(String) SystemName

(DateTime) TimeOfLastReset

USB Device
Namespace: root\cimv2

class Win32_USBDevice

(String) DeviceID

(String) Caption

(String) ClassGuid

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) CreationClassName

(String) Description

(String) Manufacturer

(String) Name

(String) PNPDeviceID

(String) Service

(String) Status

(String) SystemCreationClassName

(String) SystemName

USM User Profile
Namespace: root\cimv2

class Win32_UserProfile

(String) SID

(UInt8) HealthStatus

(String) LastAttemptedProfileDownloadTime

(String) LastAttemptedProfileUploadTime

(String) LastBackgroundRegistryUploadTime

(DateTime) LastDownloadTime

(DateTime) LastUploadTime

(DateTime) LastUseTime

(Boolean) Loaded

(String) LocalPath

(UInt32) RefCount

(Boolean) RoamingConfigured

(String) RoamingPath

(Boolean) RoamingPreference

(Boolean) Special

(UInt32) Status

Video Controller
Namespace: root\cimv2

class Win32_VideoController

(String) DeviceID

(UInt16) AcceleratorCapabilities[]

(String) AdapterCompatibility

(String) AdapterDACType

(UInt32) AdapterRAM

(UInt16) Availability

(String) CapabilityDescriptions[]

(String) Caption

(UInt32) ColorTableEntries

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(UInt32) CurrentBitsPerPixel

(UInt32) CurrentHorizontalResolution

(UInt64) CurrentNumberOfColors

(UInt32) CurrentNumberOfColumns

(UInt32) CurrentNumberOfRows

(UInt32) CurrentRefreshRate

(UInt16) CurrentScanMode

(UInt32) CurrentVerticalResolution

(String) Description

(UInt32) DeviceSpecificPens

(UInt32) DitherType

(DateTime) DriverDate

(String) DriverVersion

(Boolean) ErrorCleared

(String) ErrorDescription

(UInt32) ICMIntent

(UInt32) ICMMethod

(String) InfFilename

(String) InfSection

(DateTime) InstallDate

(String) InstalledDisplayDrivers

(UInt32) LastErrorCode

(UInt32) MaxMemorySupported

(UInt32) MaxNumberControlled

(UInt32) MaxRefreshRate

(UInt32) MinRefreshRate

(Boolean) Monochrome

(String) Name

(UInt16) NumberOfColorPlanes

(UInt32) NumberOfVideoPages

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(UInt16) ProtocolSupported

(UInt32) ReservedSystemPaletteEntries

(UInt32) SpecificationVersion

(String) Status

(UInt16) StatusInfo

(String) SystemName

(UInt32) SystemPaletteEntries

(DateTime) TimeOfLastReset

(UInt16) VideoArchitecture

(UInt16) VideoMemoryType

(UInt16) VideoMode

(String) VideoModeDescription

(String) VideoProcessor

Virtual Application Packages
Namespace: root\Microsoft\appvirt\client

class Package

(String) PackageGUID

(UInt64) CachedLaunchSize

(UInt16) CachedPercentage

(UInt64) CachedSize

(UInt64) LaunchSize

(String) Name

(String) SftPath

(UInt64) TotalSize

(String) Version

(String) VersionGUID

Virtual Applications
Namespace: root\Microsoft\appvirt\client

class Application

(String) Name

(String) Version

(String) CachedOsdPath

(UInt32) GlobalRunningCount

(DateTime) LastLaunchOnSystem

(Boolean) Loading

(String) OriginalOsdPath

(String) PackageGUID

Virtual Machine (64)
Namespace: root\cimv2

class Win32Reg_SMSGuestVirtualMachine64

(String) InstanceKey

(String) PhysicalHostName

(String) PhysicalHostNameFullyQualified

Virtual Machine
Namespace: root\cimv2

class Win32Reg_SMSGuestVirtualMachine

(String) InstanceKey

(String) PhysicalHostName

(String) PhysicalHostNameFullyQualified

Virtual Machine Details
Namespace: root\vm\VirtualServer

class VirtualMachine

(String) Name

(UInt32) CpuUtilization

(UInt64) DiskBytesRead

(UInt64) DiskBytesWritten

(UInt64) DiskSpaceUsed

(UInt64) HeartbeatCount

(UInt32) HeartbeatInterval

(UInt32) HeartbeatPercentage

(UInt32) HeartbeatRate

(UInt64) NetworkBytesReceived

(UInt64) NetworkBytesSent

(UInt64) PhysicalMemoryAllocated

(UInt32) Uptime

Volume
Namespace: root\cimv2

class Win32_Volume

(String) DeviceID

(UInt16) Access

(Boolean) Automount

(UInt16) Availability

(UInt64) BlockSize

(UInt64) Capacity

(String) Caption

(Boolean) Compressed

(UInt32) ConfigManagerErrorCode

(Boolean) ConfigManagerUserConfig

(String) CreationClassName

(String) Description

(Boolean) DirtyBitSet

(String) DriveLetter

(UInt32) DriveType

(Boolean) ErrorCleared

(String) ErrorDescription

(String) ErrorMethodology

(String) FileSystem

(UInt64) FreeSpace

(Boolean) IndexingEnabled

(DateTime) InstallDate

(String) Label

(UInt32) LastErrorCode

(UInt32) MaximumFileNameLength

(String) Name

(UInt64) NumberOfBlocks

(String) PNPDeviceID

(UInt16) PowerManagementCapabilities[]

(Boolean) PowerManagementSupported

(String) Purpose

(Boolean) QuotasEnabled

(Boolean) QuotasIncomplete

(Boolean) QuotasRebuilding

(UInt32) SerialNumber

(String) Status

(UInt16) StatusInfo

(Boolean) SupportsDiskQuotas

(Boolean) SupportsFileBasedCompression

(String) SystemCreationClassName

(String) SystemName

CCM_WebAppInstallInfo
Namespace: root\ccm\cimodels

class CCM_WebAppInstallInfo

(String) AppDeliveryTypeId

(UInt32) AppDtRevision

(String) TargetURL

(String) UserSID

(String) URLFileName

(String) URLPath

SMS_Windows8Application
Namespace: root\cimv2\sms

class SMS_Windows8Application

(String) FullName

(String) ApplicationName

(String) Architecture

(Boolean) ConfigMgrManaged

(String) DependencyApplicationNames

(String) FamilyName

(String) InstalledLocation

(Boolean) IsFramework

(String) Publisher

(String) PublisherId

(String) Version

SMS_Windows8ApplicationUserInfo
Namespace: root\cimv2\sms

class SMS_Windows8ApplicationUserInfo

(String) FullName

(String) UserSecurityId

(String) InstallState

(String) UserAccountName

Windows Update
Namespace: root\cimv2

class Win32Reg_SMSWindowsUpdate

(String) InstanceKey

(UInt32) AUOptions

(UInt32) NoAutoUpdate

(UInt32) UseWUServer

Windows Update Agent Version
Namespace: root\cimv2\sms

class Win32_WindowsUpdateAgentVersion

(String) Version

Write Filter State
Namespace: root\cimv2\sms

class CCM_WriteFilterState

(Boolean) WriteFilterEnabled

Security and privacy for hardware inventory in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This topic contains security and privacy information for hardware inventory in
Configuration Manager.

Security best practices for hardware inventory

Use the following security best practices when you collect hardware inventory data
from clients:

Security best practice: Sign and encrypt inventory data
More information: When clients communicate with management points by using HTTPS, all
data that they send is encrypted by using SSL. However, when client computers use HTTP
to communicate with management points on the intranet, client inventory data and
collected files can be sent unsigned and unencrypted. Make sure that the site is
configured to require signing and use encryption. In addition, if clients can support
the SHA-256 algorithm, select the option to require SHA-256.

Security best practice: Do not collect IDMIF and NOIDMIF files in high-security
environments
More information: You can use IDMIF and NOIDMIF file collection to extend hardware
inventory collection. When necessary, Configuration Manager creates new tables or
modifies existing tables in the Configuration Manager database to accommodate the
properties in IDMIF and NOIDMIF files. However, Configuration Manager does not validate
IDMIF and NOIDMIF files, so these files could be used to alter tables that you do not
want altered. Valid data could be overwritten by invalid data. In addition, large
amounts of data could be added and the processing of this data might cause delays in
all Configuration Manager functions. To mitigate these risks, configure the hardware
inventory client setting Collect MIF files as None.

Security issues for hardware inventory

Collecting inventory exposes potential vulnerabilities. Attackers can perform the
following:

Send invalid data, which will be accepted by the management point even when the
software inventory client setting is disabled and file collection is not enabled.

Send excessively large amounts of data in a single file and in lots of files, which
might cause a denial of service.

Access inventory information as it is transferred to Configuration Manager.

Because a user with local administrative privileges can send any information as
inventory data, do not consider inventory data that is collected by Configuration
Manager to be authoritative.

Hardware inventory is enabled by default as a client setting.

Privacy information for hardware inventory

Hardware inventory allows you to retrieve any information that is stored in the registry
and in WMI on Configuration Manager clients. Software inventory allows you to discover
all files of a specified type or to collect any specified files from clients. Asset Intelligence
enhances the inventory capabilities by extending hardware and software inventory and
adding new license management functionality.

Hardware inventory is enabled by default as a client setting and the WMI information
collected is determined by options that you select. Software inventory is enabled by
default but files are not collected by default. Asset Intelligence data collection is
automatically enabled, although you can select the hardware inventory reporting classes
to enable.

Inventory information is not sent to Microsoft. Inventory information is stored in the
Configuration Manager database. When clients use HTTPS to connect to management
points, the inventory data that they send to the site is encrypted during the transfer. If
clients use HTTP to connect to management points, you have the option to enable
inventory encryption. The inventory data is not stored in encrypted format in the
database. Information is retained in the database until it is deleted by the site
maintenance tasks Delete Aged Inventory History or Delete Aged Collected Files every
90 days. You can configure the deletion interval.

Before you configure hardware inventory, software inventory, file collection, or Asset
Intelligence data collection, consider your privacy requirements.

Introduction to software inventory in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use software inventory to collect information about files on client devices. Software
inventory can also collect files from client devices and store them on the site server.
Software inventory is collected when you select the Enable software inventory on
clients setting in client settings. You can also schedule the operation in client settings.

After you enable software inventory and the clients run a software inventory cycle, the
client sends the information to a management point in the client's site. The
management point then forwards the inventory information to the Configuration
Manager site server, which stores the information in the site database.

There are a few ways to view software inventory data:

Create queries that return devices with specified files.

Create query-based collections that include devices with specified files.

Run reports that provide details about files on devices.

Use Resource Explorer to examine detailed information about the files that were
inventoried and collected from client devices.

When software inventory runs on a client device, the first report is a full inventory.
Subsequent reports contain only delta inventory information. The site server processes
delta information in the order received. If delta information for a client is missing, the
site server rejects further delta information and directs the client to run a full inventory.

Configuration Manager can discover dual-boot computers but only returns inventory
information from the operating system that's active at the time of inventory.

How to configure software inventory in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This procedure configures the default client settings for software inventory and applies
to all the computers in your hierarchy. If you want to apply these settings to only some
computers, create a custom device client setting and assign it to a collection. For more
information about how to create custom device settings, see How to configure client
settings.

To configure software inventory

1. In the Configuration Manager console, choose Administration > Client Settings >
Default Client Settings.

2. On the Home tab, in the Properties group, choose Properties.

3. In the Default Settings dialog box, choose Software Inventory.

4. In the Device Settings list, configure the following values:

Enable software inventory on clients - From the drop-down list, select True.

Schedule software inventory and file collection schedule - Configures the
interval at which clients collect software inventory and files.

5. Configure the client settings that you require. The Software inventory section of
the About client settings article has a list of the client settings.

Client computers will be configured with these settings when they next download
client policy. To initiate policy retrieval for a single client, see How to manage
clients.

Tip

Error code 80041006 in inventoryprovider.log means the WMI provider is out
of memory. That is, the memory quota limit for a provider has been hit and the
inventory provider cannot continue. In this case, the inventory agent creates a
report with 0 entries, so no inventory items are reported.

A possible solution for this error is to reduce the scope of the software
inventory collection. If the error still occurs after limiting the inventory
scope, increasing the MemoryPerHost property defined in the
__ProviderHostQuotaConfiguration class can provide a solution.
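The out-of-memory condition in the Tip above, as an added PowerShell example that is not part of the Configuration Manager documentation or of Microsoft's tooling: it scans inventoryprovider.log for error 80041006, then reads and, only if you choose to, raises MemoryPerHost in __ProviderHostQuotaConfiguration. The log path (the default client log folder under %windir%\CCM\Logs), the CMTrace line format and the function names are assumptions of this example; the sample log line is constructed for the demonstration and is not a real log entry.

```powershell
# Added example, not from the Configuration Manager documentation: find the
# WBEM_E_OUT_OF_MEMORY (0x80041006) condition in the client's inventoryprovider.log
# and inspect or raise the WMI provider-host memory quota behind it.
# Assumptions: default client log location under %windir%\CCM\Logs, CMTrace log
# format (<![LOG[message]LOG]!><time="..." date="..." ...>).

# Default client log path (assumption: standard client install location).
$InventoryProviderLog = Join-Path $env:windir 'CCM\Logs\InventoryProvider.log'

function Get-InventoryProviderOutOfMemoryEvent {
    param(
        # Lines of inventoryprovider.log: pass (Get-Content $InventoryProviderLog) or sample lines.
        [Parameter(Mandatory)] [string[]] $LogLine
    )
    # CMTrace line layout; only the message, time and date are needed here.
    $cmtrace = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"'
    foreach ($line in $LogLine) {
        # -like does not touch $Matches, so the named groups from -match stay valid.
        if ($line -match $cmtrace -and $Matches.msg -like '*80041006*') {
            [pscustomobject]@{
                Date    = $Matches.date
                Time    = $Matches.time
                Message = $Matches.msg
            }
        }
    }
}

function Get-WmiProviderHostQuota {
    # __ProviderHostQuotaConfiguration is a singleton in the root namespace. MemoryPerHost
    # (bytes) is the per-provider-host limit that is exhausted when 80041006 is logged;
    # the other quotas are shown for context.
    Get-CimInstance -Namespace root -ClassName __ProviderHostQuotaConfiguration |
        Select-Object MemoryPerHost, MemoryAllHosts, HandlesPerHost, ThreadsPerHost
}

function Set-WmiProviderHostMemoryQuota {
    param(
        # New MemoryPerHost value in bytes, e.g. 1GB. Machine-wide: record the old value
        # (Get-WmiProviderHostQuota) first, and reduce the inventory scope before raising it.
        [Parameter(Mandatory)] [uint64] $MemoryPerHost,
        # Provider hosts read the quota when they start; restart winmgmt so running hosts
        # pick it up. -Force also restarts services that depend on WMI, such as the client agent.
        [switch] $RestartWmi
    )
    $quota = Get-CimInstance -Namespace root -ClassName __ProviderHostQuotaConfiguration
    # Sanity check: a per-host limit above the all-hosts limit can never be reached.
    if ($MemoryPerHost -gt $quota.MemoryAllHosts) {
        throw "MemoryPerHost ($MemoryPerHost) is above MemoryAllHosts ($($quota.MemoryAllHosts))"
    }
    Set-CimInstance -InputObject $quota -Property @{ MemoryPerHost = $MemoryPerHost }
    if ($RestartWmi) { Restart-Service -Name winmgmt -Force }
    Get-WmiProviderHostQuota
}

# Constructed sample line (not a real log entry) so the parser can be exercised offline.
$sample = '<![LOG[Failed to enumerate instances of a class, hr = 0x80041006]LOG]!><time="08:15:42.123+000" date="10-04-2022" component="InventoryProvider" context="" type="3" thread="4120" file="">'
Get-InventoryProviderOutOfMemoryEvent -LogLine $sample

# On a client (elevated session):
#   Get-InventoryProviderOutOfMemoryEvent -LogLine (Get-Content $InventoryProviderLog)
#   Get-WmiProviderHostQuota
#   Set-WmiProviderHostMemoryQuota -MemoryPerHost 1GB -RestartWmi
```

The parser is kept separate from the quota functions so that a log exported from a client can be checked on another machine without touching WMI settings; the quota change itself follows the order the Tip gives, scope reduction first, quota increase only when the error persists.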

To exclude folders from software inventory

1. Using Notepad.exe, create an empty file named Skpswi.dat.

2. Right-click the Skpswi.dat file and click Properties. In the file properties for the
Skpswi.dat file, select the Hidden attribute.

3. Place the Skpswi.dat file at the root of each client hard drive or folder structure
that you want to exclude from software inventory.

Note

Software inventory will not inventory the client drive again unless this file is deleted
from the drive on the client computer.
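The exclusion procedure above, as an added PowerShell example that is not part of the Configuration Manager documentation: one function creates the empty, hidden Skpswi.dat marker at each root you pass, and a second audits the fixed drives (or a folder tree) for markers that already exist. The audit is the defender's side of the point made later in the software inventory security issues: anyone who can drop this file excludes that drive or folder from software inventory until the file is deleted, so unexpected markers, their age and their owners are worth reporting. Function and parameter names are this example's own.

```powershell
# Added example, not from the Configuration Manager documentation: apply the
# Skpswi.dat exclusion procedure with PowerShell and audit for markers that are
# already present. Function and parameter names are this example's own.

function New-SoftwareInventoryExclusion {
    param(
        # Root of each drive or folder tree to exclude, e.g. 'D:\' or 'C:\Build\Scratch'.
        [Parameter(Mandatory)] [string[]] $Path
    )
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root -PathType Container)) {
            Write-Warning "Skipping '$root': not an existing folder"
            continue
        }
        $marker = Join-Path $root 'Skpswi.dat'
        if (-not (Test-Path -LiteralPath $marker)) {
            # Step 1 of the procedure: an empty file, as Notepad would create it.
            New-Item -Path $marker -ItemType File | Out-Null
        }
        # Step 2: set the Hidden attribute, keeping any attributes already present.
        $file = Get-Item -LiteralPath $marker -Force
        $file.Attributes = $file.Attributes -bor [System.IO.FileAttributes]::Hidden
        [pscustomobject]@{
            Path   = $marker
            Hidden = (Get-Item -LiteralPath $marker -Force).Attributes.HasFlag([System.IO.FileAttributes]::Hidden)
        }
    }
}

function Find-SoftwareInventoryExclusion {
    param(
        # Where to look. Defaults to the root of every fixed local disk (DriveType 3);
        # pass folders with -Recurse to find folder-level markers inside a tree.
        [string[]] $SearchRoot = @((Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3').DeviceID | ForEach-Object { "$_\" }),
        [switch] $Recurse
    )
    foreach ($root in $SearchRoot) {
        Get-ChildItem -LiteralPath $root -Filter 'Skpswi.dat' -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path    = $_.FullName
                    # A marker without Hidden does not match the procedure; report it anyway.
                    Hidden  = $_.Attributes.HasFlag([System.IO.FileAttributes]::Hidden)
                    Created = $_.CreationTime
                    # Who created it: the first question when a marker was not placed by an admin.
                    Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
                }
            }
    }
}

# Usage (run in an elevated session on the client):
#   New-SoftwareInventoryExclusion -Path 'D:\'
#   Find-SoftwareInventoryExclusion | Format-Table
#   Find-SoftwareInventoryExclusion -SearchRoot 'C:\Users' -Recurse | Format-Table
```

Because the note above says the drive is not inventoried again until the marker is removed, running the audit periodically (for example from a compliance baseline script) is the practical way to catch markers that were placed for a one-off reason and then forgotten.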

How to use Resource Explorer to view software inventory in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use Resource Explorer in Configuration Manager to view information about software
inventory that has been collected from computers in your hierarchy.

Note

Resource Explorer will not display any inventory data until a software inventory
cycle has run on the client.

Resource Explorer provides the following software inventory information:

Software:

Collected Files - Files that were collected during software inventory.

File Details - Files that were inventoried during software inventory that are not
associated with a specific product or manufacturer.

Last Software Scan - Date and time of the last software inventory and file
collection for the client computer.

Product Details - Software products that were inventoried by software
inventory, grouped by manufacturer.

To run Resource Explorer from the Configuration Manager console

1. In the Configuration Manager console, choose Assets and Compliance.

2. In the Assets and Compliance workspace, choose Devices or open any collection
that displays devices.

3. Choose the computer containing the inventory that you want to view and then, in
the Home tab > Devices group, choose Start > Resource Explorer.

4. You can right-click any item in the right pane of the Resource Explorer window and
choose Properties to view the collected inventory information in a more readable
format.

View and manage collected diagnostic files

Starting in Configuration Manager version 2002, use Resource Explorer to view and
manage the files gathered when you use client notification to collect client logs.

1. From the Devices node, right-click on the device you want to view logs for.
2. Select Start, then Resource Explorer.
3. From Resource Explorer, click on Diagnostic Files.
4. In the Diagnostic Files list, you can see the collection date for the files. The name
format of the client logs is Support_<guid>.zip.
5. Right-click on the zip file and select one of the following options:

Open Support Center: Launches Support Center.
Copy: Copies the row information from Resource Explorer.
View file: Opens the folder where the zip file is located with File Explorer.
Save: Opens a Save File dialog for the selected file.
Export: Saves the Resource Explorer columns shown in Diagnostic Files.
Refresh: Refreshes the file list.
Properties: Returns the properties on the selected file.

Next steps
Use Support Center to view collected diagnostic files.

Security and privacy for software inventory in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This topic contains security and privacy information for software inventory in
Configuration Manager.

Security best practices for software inventory

Use the following security best practices when you collect software inventory data
from clients:

Security best practice: Sign and encrypt inventory data
More information: When clients communicate with management points by using HTTPS, all
data that they send is encrypted by using SSL. However, when client computers use HTTP
to communicate with management points on the intranet, client inventory data and
collected files can be sent unsigned and unencrypted. Make sure that the site is
configured to require signing and use encryption. In addition, if clients can support
the SHA-256 algorithm, select the option to require SHA-256.

Security best practice: Do not use file collection to collect critical files or
sensitive information
More information: Configuration Manager software inventory uses all the rights of the
LocalSystem account, which has the ability to collect copies of critical system files,
such as the registry or security account database. When these files are available at
the site server, someone with the Read Resource rights or NTFS rights to the stored
file location could analyze their contents and possibly discern important details about
the client in order to be able to compromise its security.

Security best practice: Restrict local administrative rights on client computers
More information: A user with local administrative rights can send invalid data as
inventory information.

Security issues for software inventory

Collecting inventory exposes potential vulnerabilities. Attackers can perform the
following:

Send invalid data, which will be accepted by the management point even when the
software inventory client setting is disabled and file collection is not enabled.

Send excessively large amounts of data in a single file and in lots of files, which
might cause a denial of service.

Access inventory information as it is transferred to Configuration Manager.

If users know that they can create a hidden file named Skpswi.dat and place it in
the root of a client hard drive to exclude it from software inventory, you will not be
able to collect software inventory data from that computer.

Because a user with local administrative privileges can send any information as
inventory data, do not consider inventory data that is collected by Configuration
Manager to be authoritative.

Software inventory is enabled by default as a client setting.

Privacy information for software inventory

Hardware inventory allows you to retrieve any information that is stored in the registry
and in WMI on Configuration Manager clients. Software inventory allows you to discover
all files of a specified type or to collect any specified files from clients. Asset Intelligence
enhances the inventory capabilities by extending hardware and software inventory and
adding new license management functionality.

Hardware inventory is enabled by default as a client setting and the WMI information
collected is determined by options that you select. Software inventory is enabled by
default but files are not collected by default. Asset Intelligence data collection is
automatically enabled, although you can select the hardware inventory reporting classes
to enable.

Inventory information is not sent to Microsoft. Inventory information is stored in the
Configuration Manager database. When clients use HTTPS to connect to management
points, the inventory data that they send to the site is encrypted during the transfer. If
clients use HTTP to connect to management points, you have the option to enable
inventory encryption. The inventory data is not stored in encrypted format in the
database. Information is retained in the database until it is deleted by the site
maintenance tasks Delete Aged Inventory History or Delete Aged Collected Files every
90 days. You can configure the deletion interval.

Before you configure hardware inventory, software inventory, file collection, or Asset
Intelligence data collection, consider your privacy requirements.

Introduction to asset intelligence in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in November 2021, this feature of Configuration Manager is deprecated.
For more information, see Asset intelligence deprecation.

This deprecation plan doesn't include the product lifecycle dashboard.

Inventory and manage software license usage throughout your enterprise by using the
asset intelligence catalog. Asset intelligence adds hardware inventory classes to improve
the breadth of information that Configuration Manager collects. This information
includes the hardware and software titles used in your environment. Over 60 reports
present this information in an easy-to-use format. Many of these reports link to more
specific reports. Query for general information and drill down to more detailed
information.

Add custom information to the asset intelligence catalog. For example, custom software
categories, software families, software labels, and hardware requirements. To
dynamically update the asset intelligence catalog with the most current information
available, connect it to the Microsoft Cloud.

Use asset intelligence to help reconcile your enterprise software license usage. Import
software license information into the Configuration Manager site database to view it
against what software is being used.

Asset intelligence catalog

The asset intelligence catalog is a set of database tables stored in the site database.
These tables include categorization and identification information for over 300,000
software titles and versions. They also help manage hardware requirements for specific
software titles.

Asset intelligence provides software license information for software titles that are being
used, both of Microsoft and of non-Microsoft software. A predefined set of hardware
requirements for software titles is available in the asset intelligence catalog, and you can
create new user-defined hardware requirement information to meet custom
requirements. You can also customize information in the asset intelligence catalog, and
you can upload software title information to the Microsoft cloud for categorization.

Asset intelligence catalog updates that include newly released software are available for
download periodically to perform bulk catalog updates. It can also be dynamically
updated by using the asset intelligence synchronization point.

Software categories
Asset intelligence software categories are used to widely categorize inventoried
software titles and as high-level groupings of more specific software families. For
example, a software category could be energy companies, and a software family within
that software category could be oil and gas or hydroelectric. Many software categories
are predefined in the asset intelligence catalog. You can create user-defined categories
to additionally define inventoried software. The validation state for all predefined
software categories is always Validated. Custom software category information added to
the asset intelligence catalog is User Defined.

For more information about how to manage software categories, see Configuring asset
intelligence.

Note

Predefined software category information stored in the asset intelligence catalog is
read-only. You can't change or delete it. Administrative users can add, modify, or
delete user-defined software categories.

Software families
Asset intelligence software families are used to define inventoried software titles within
software categories. Many software families are predefined in the asset intelligence
catalog. You can create user-defined categories to additionally define inventoried
software. The validation state for all predefined software families is always Validated.
Custom software family information added to the asset intelligence catalog is User-
Defined.

For more information about how to manage software families, see Configuring asset
intelligence.

Note

Predefined software family information is read-only and can't be changed.
Administrative users can add, modify, or delete user-defined software families.

Software labels
Asset intelligence custom software labels let you create filters to group software titles
and to view them in asset intelligence reports. Use software labels to create user-
defined groups of software titles that share a common attribute. For example, you could
create a software label called Shareware, associate it with inventoried shareware titles,
and run a report to display all software titles with that label. There are no predefined
labels. The validation state for software labels is always User Defined.

For more information about how to manage software labels, see Configuring asset
intelligence.

Hardware requirements
Use the hardware requirements information to verify that computers meet the hardware
requirements for software titles before they're targeted for software deployments.
Manage hardware requirements for software titles in the Assets and Compliance
workspace in the Hardware Requirements node under the Asset Intelligence node.

Many hardware requirements are predefined in the asset intelligence catalog. Create
new user-defined hardware requirement information to meet custom requirements. The
validation state for all predefined hardware requirements is always Validated. User-
defined hardware requirements information added to the asset intelligence catalog is
User Defined.

For more information about how to manage hardware requirements, see Configuring
asset intelligence.

Note

The hardware requirements displayed in the Configuration Manager console are
retrieved from the asset intelligence catalog. They aren't based on inventoried
software title information from clients.

Hardware requirement information isn't updated as part of the synchronization
process with Microsoft.

You can create user-defined hardware requirements for inventoried software that
doesn't have associated hardware requirements.

By default, the following information is displayed for each listed hardware requirement:

Software Title: The software title associated with the hardware requirement

Minimum CPU (MHz): The minimum processor speed in megahertz (MHz)
required by the software title

Minimum RAM (KB): The minimum RAM in kilobytes (KB) required by the software
title

Minimum Disk Space (KB): The minimum free hard disk space in KB required by
the software title

Minimum Disk Size (KB): The minimum hard disk size in KB required by the
software title

Validation State: The validation state for the hardware requirement

Predefined hardware requirements stored in the asset intelligence catalog are read-only
and can't be deleted. Administrative users can add, modify, or delete user-defined
hardware requirements for software titles that aren't stored in the asset intelligence
catalog.
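The fields above are what a pre-deployment check has to compare against a client. The following PowerShell is an added example, not code from the Configuration Manager documentation or product: the requirement record for "Contoso Ledger 5" is constructed, the function names Get-ClientHardwareSummary and Test-HardwareRequirement are hypothetical, and the client values are read from the standard Windows classes Win32_Processor, Win32_ComputerSystem and Win32_LogicalDisk, converting bytes to the kilobyte units and keeping the megahertz units the catalog uses.

```powershell
# Added example (not Configuration Manager product code): compare a client's hardware
# against a hardware requirement record shaped like the catalog fields listed above.
# The requirement record is constructed for illustration.
$requirement = [pscustomobject]@{
    SoftwareTitle      = 'Contoso Ledger 5'      # constructed sample title
    MinimumCpuMHz      = 2000
    MinimumRamKB       = 4 * 1024 * 1024         # 4 GB expressed in KB, as the catalog does
    MinimumDiskSpaceKB = 2 * 1024 * 1024         # 2 GB free space in KB
    MinimumDiskSizeKB  = 64 * 1024 * 1024        # 64 GB disk size in KB
}

function Get-ClientHardwareSummary {
    # Hypothetical helper: collect the four values the catalog compares, in catalog units.
    param([string]$SystemDrive = $env:SystemDrive)
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$SystemDrive'"
    if (-not $disk) { throw "Logical disk $SystemDrive not found" }
    [pscustomobject]@{
        CpuMHz     = [int]$cpu.MaxClockSpeed                 # Win32_Processor reports MHz already
        RamKB      = [int64]($cs.TotalPhysicalMemory / 1KB)  # bytes -> KB
        FreeDiskKB = [int64]($disk.FreeSpace / 1KB)          # bytes -> KB
        DiskSizeKB = [int64]($disk.Size / 1KB)               # bytes -> KB
    }
}

function Test-HardwareRequirement {
    # Hypothetical helper: return which requirements the client fails, if any.
    param(
        [Parameter(Mandatory)]$Requirement,
        [Parameter(Mandatory)]$Hardware
    )
    $checks = @(
        @{ Name = 'Minimum CPU (MHz)';       Have = $Hardware.CpuMHz;     Need = $Requirement.MinimumCpuMHz }
        @{ Name = 'Minimum RAM (KB)';        Have = $Hardware.RamKB;      Need = $Requirement.MinimumRamKB }
        @{ Name = 'Minimum Disk Space (KB)'; Have = $Hardware.FreeDiskKB; Need = $Requirement.MinimumDiskSpaceKB }
        @{ Name = 'Minimum Disk Size (KB)';  Have = $Hardware.DiskSizeKB; Need = $Requirement.MinimumDiskSizeKB }
    )
    # Each failure names the requirement so the result is actionable.
    $failed = foreach ($c in $checks) {
        if ($c.Have -lt $c.Need) { "$($c.Name): have $($c.Have), need $($c.Need)" }
    }
    [pscustomobject]@{
        SoftwareTitle = $Requirement.SoftwareTitle
        Meets         = (-not $failed)
        Failures      = @($failed)
    }
}

$result = Test-HardwareRequirement -Requirement $requirement -Hardware (Get-ClientHardwareSummary)
$result | Format-List
```

The free-space check uses the system drive only; a title installed elsewhere needs the check run against that drive, and the catalog's Validated requirements are read-only, so the record you feed in comes from the console or from a user-defined entry, not from this script.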

Inventoried software titles

To view inventoried software title information in the Configuration Manager console, go
to the Assets and Compliance workspace, expand the Asset Intelligence node, and
select the Inventoried Software node. The hardware inventory agent collects the
inventoried software information from Configuration Manager clients based on the
software titles stored in the asset intelligence catalog.

Note

The hardware inventory agent collects inventory based on the asset intelligence
hardware inventory reporting classes that you enable. For more information about
how to enable the reporting classes, see Configuring asset intelligence.

By default, the following information is displayed for each inventoried software title:

Name: The name of the inventoried software title

Vendor: The name of the vendor that developed the inventoried software title

Version: The product version of the inventoried software title

Category: The software category that's currently assigned to the inventoried
software title

Family: The software family that's currently assigned to the inventoried software
title

Label [1, 2, and 3]: The custom labels associated with the software title. Inventoried
software titles can have up to three custom labels associated with them.

Count: The number of Configuration Manager clients that have inventoried the
software title

State: The validation state for the inventoried software title

Note

You can change the categorization information for inventoried software only at the
top-level site in your hierarchy. This information includes product name, vendor,
software category, and software family. After you modify the categorization
information for predefined software, the validation state for the software changes
from Validated to User Defined.

Asset intelligence synchronization point

The asset intelligence synchronization point is a Configuration Manager site system role.
It's used to connect to the Microsoft cloud on TCP port 443 to manage dynamic catalog
information updates. Install this site role only on the top-level site of the hierarchy.
Configure all asset intelligence catalog customization by using a Configuration Manager
console connected to the top-level site.

While you configure all updates at the top-level site, catalog information is replicated to
other sites in the hierarchy. The site role lets you request on-demand catalog
synchronization with Microsoft, or schedule automatic catalog synchronization. In
addition to downloading new catalog information, the asset intelligence synchronization
point can upload custom software title information to Microsoft for categorization.
Microsoft treats all uploaded software titles as public information. Make sure that your
custom software titles don't include confidential or proprietary information.

After you submit an uncategorized software title, Microsoft doesn't review it until there
are at least four categorization requests from customers for the same software title.
Then Microsoft researchers identify, categorize, and make the software title
categorization information available to all customers who are using the online service.
Software titles that represent the most requests for categorization receive the highest
priority to categorize. Custom software and line-of-business applications are unlikely to
receive a category. Don't send these software titles to Microsoft for categorization.

An asset intelligence synchronization point is required to connect to the Microsoft
cloud. For information about how to install the role, see Configuring asset intelligence.

Asset intelligence home page

The Asset Intelligence node in the Assets and Compliance workspace is the home page
for asset intelligence in Configuration Manager. This home page displays a summary
dashboard view for asset intelligence catalog information.

Note

The Asset Intelligence home page doesn't automatically update while you're
viewing it.

The Asset Intelligence home page includes the following sections:

Catalog Synchronization: Information about whether asset intelligence is enabled
and the current status of the asset intelligence synchronization point.

Note

The home page only displays this section when you install an asset
intelligence synchronization point.

The section also provides the following information:

Synchronization schedule

If you've imported a customer license statement

The last status update

The time for the next scheduled update

The number of changes after you installed the asset intelligence synchronization
point

Inventoried Software Status: The count and percentage of inventoried software,
software categories, and software families that are identified by Microsoft,
identified by an administrator, pending online identification, or unidentified and
not pending. The information displayed in table format shows the count for each,
and the information displayed in the chart shows the percentage for each.

Asset intelligence reports

The asset intelligence reports are located in the Configuration Manager console, in the
Monitoring workspace, in the Asset intelligence folder under the Reporting node. The
reports provide information about hardware, license management, and software. For
more information about reports in Configuration Manager, see Introduction to
reporting.

Note

The accuracy of the quantity of installed software titles and license information
displayed in asset intelligence reports might vary from the actual number of
software titles installed or licenses that are used in the environment. This variation
is because of the complex dependencies and limitations involved in inventorying
software license information for software titles that are installed in enterprise
environments. Don't use asset intelligence reports as the sole source for
determining purchased software license compliance.

Hardware reports
Asset intelligence hardware reports provide information about hardware assets in the
organization. By using hardware inventory information such as speed, memory, and
peripheral devices, asset intelligence hardware reports can present information about
USB devices, about hardware that must be upgraded, and even about computers that
aren't ready for a specific software upgrade.

Note

Some user data in asset intelligence hardware reports is collected from the
Windows security event log. For better report accuracy, clear this log when you
reassign a computer to a new user.

License management reports

Asset intelligence license management reports provide data about licenses that are
being used. The License Ledger report lists installed Microsoft applications in a format
congruent with a Microsoft License Statement (MLS). This format provides a convenient
method of matching acquired licenses with used licenses. Other license management
reports provide information about computers acting as servers that run the key
management service (KMS) for Windows activation statistics.

Important

Several of the asset intelligence license management reports present information
about the function of KMS, a method of administering volume licensing. If you
haven't implemented a KMS server, some reports might not return any data.

Software reports
Asset intelligence software reports provide information about software families,
categories, and specific software titles that are installed on computers in the
organization. The software reports present information such as browser helper objects
and software that starts automatically. These reports can be used to identify adware,
spyware, and other malware. You can also use them to identify software redundancy to
help streamline software acquisition and support.

Software identification tag reports

Asset intelligence software identification tag reports provide information about software
that includes a software identification tag compliant with ISO/IEC 19770-2. The software
identification tags provide authoritative information used to identify installed software.
When you enable the SMS_SoftwareTag hardware inventory reporting class,
Configuration Manager collects information about the software with software
identification tags.

The following reports provide information about the software:

Software 14A - Search for software identification tag enabled software: The
count of installed software with a software identification tag enabled

Software 14B - Computers with specific software identification tag enabled
software installed: All computers that have installed software with a specific
software identification tag enabled

Software 14C - Installed software identification tag enabled software on a
specific computer: All installed software with a specific software identification tag
enabled on a specific computer

Reporting limitations
Asset intelligence reports can provide large amounts of information about installed
software titles and acquired software licenses that are being used. Don't use this
information as the only source for determining acquired software license compliance.

Example dependencies

The accuracy of the quantity displayed in the asset intelligence reports for installed
software titles and license information can vary from the actual amounts currently used.
This variation is caused by the complex dependencies involved in inventorying software
license information for software titles in use in enterprise environments. The following
examples show the dependencies involved in inventorying installed software in the
enterprise by using asset intelligence that might affect the accuracy of asset intelligence
reports:

Client hardware inventory dependencies: Asset intelligence installed software
reports are based on data collected from Configuration Manager clients by
extending hardware inventory to enable asset intelligence reporting. Because of
this dependency on hardware inventory reporting, asset intelligence reports reflect
data only from clients that successfully complete hardware inventory processes
with the required asset intelligence WMI reporting classes enabled. Because
Configuration Manager clients perform hardware inventory processes on a
schedule defined by the administrative user, a delay might occur in data reporting
that affects the accuracy of asset intelligence reports.

For example, an inventoried licensed software title might be uninstalled after the
client finishes a successful hardware inventory cycle. Asset intelligence reports
display the software title as installed until the client's next scheduled hardware
inventory reporting cycle.

Software packaging dependencies: Asset intelligence reports are based on
installed software title data collected by using standard Configuration Manager
client hardware inventory processes. Some software title data might not be
collected correctly. Examples that could cause inaccurate asset intelligence
reporting:

Software installations that don't comply with standard installation processes

Software installations that were changed before installation

Legal limitations
The information displayed in asset intelligence reports is subject to many limitations.
The information displayed in them doesn't represent legal, accounting, or other
professional advice. The information provided by asset intelligence reports is for
information only. Don't use it as the only source of information for determining software
license usage compliance.

The following limitations are examples of using asset intelligence that might affect the
accuracy of the reports:

Microsoft license usage quantity limitations:

The quantity of acquired Microsoft software licenses is based on information
that administrators supply. Closely review it to make sure that the correct
number of software licenses is provided.

The reported quantity of Microsoft software licenses includes information only
about Microsoft software licenses acquired through volume licensing programs.
It doesn't reflect information for software licenses acquired through retail, OEM,
or other software license sales channels.

Software licenses acquired in the last 45 days might not be included in the
quantity of Microsoft software licenses reported because of software reseller
reporting requirements and schedules.

Software license transfers from company mergers or acquisitions might not be
reflected in Microsoft software license quantities.

Nonstandard terms and conditions in a Microsoft Volume Licensing (MVLS)
agreement might affect the number of software licenses reported. They might
require additional review by a Microsoft representative.

Installed software title quantity limitations: Configuration Manager clients must
successfully complete hardware inventory reporting cycles for the asset
intelligence reports to accurately report the quantity of installed software titles.
A licensed software title might be installed or uninstalled after a successful
hardware inventory reporting cycle. That change isn't reflected in asset
intelligence reports run before the client reports its next scheduled hardware
inventory.

License reconciliation limitations: The reconciliation of the quantity of installed
software titles to the quantity of acquired software licenses is calculated by using a
comparison of the license quantity specified by the administrator and the quantity
of installed software titles collected from Configuration Manager client hardware
inventories based on the schedule set by the administrator. This comparison
doesn't represent a final Microsoft conclusion of the license positions. The actual
license position depends on the specific software title license and usage rights
granted by the license terms.

Asset intelligence validation states

Asset intelligence validation states represent the source and current validation status of
asset intelligence catalog information. The following table shows possible asset
intelligence validation states and administrator actions that can cause them.

State: Validated
Definition: Microsoft researchers defined the catalog item
Administrator action: None
Comment: Best state

State: User Defined
Definition: Microsoft researchers haven't defined the catalog item
Administrator action: Customize the local catalog information
Comment: This state is displayed in asset intelligence reports

State: Pending
Definition: Microsoft researchers haven't defined the catalog item, but you submitted
the item to Microsoft for categorization
Administrator action: No further action after requesting categorization
Comment: Catalog item remains in this state until Microsoft researchers categorize the
item, and you synchronize your asset intelligence catalog

State: Updateable
Definition: A user-defined catalog item has been categorized differently by Microsoft
during catalog synchronization.
Administrator action: Use the Resolve Conflict action to decide whether to use the new
categorization information or the previous user-defined value. For more information
about how to resolve conflicts, see Operations for asset intelligence.
Comment: After you resolve a categorization conflict, the item isn't validated as
conflicting again unless later categorization updates introduce new information about
the item.

State: Uncategorized
Definition: Catalog item hasn't been defined by Microsoft researchers, the item hasn't
been submitted to Microsoft for categorization, and the administrator hasn't assigned a
user-defined categorization value.
Administrator action: Request categorization or customize your local catalog
information. For more information, see Operations for asset intelligence.
Comment: None

Note

Catalog items that you submit to Microsoft for categorization have a validation
state of Pending on a central administration site, but continue to be displayed with
a validation state of Uncategorized on child primary sites.

For examples of when a validation state might transition from one state to another, see
Example validation state transitions for asset intelligence.

Prerequisites for Asset Intelligence in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Asset Intelligence in Configuration Manager has external dependencies and
dependencies within the product.

Dependencies external to Configuration Manager
The following table provides the dependencies for Asset Intelligence that are external to
Configuration Manager.

Dependency: Auditing of Success Logon Events Prerequisites

More information: Four Asset Intelligence reports display information gathered from the
Windows Security event logs on client computers. If the Security event log settings are
not configured to log all Success logon events, these reports contain no data even if the
appropriate hardware inventory reporting class is enabled.

The following Asset Intelligence reports depend on collected Windows Security
event log information:

- Hardware 03A - Primary Computer Users

- Hardware 03B - Computers for a Specific Primary Console User

- Hardware 04A - Shared (Multi-user) Computers

- Hardware 05A - Console Users on a Specific Computer

To enable the Hardware Inventory Client Agent to inventory the information
required to support these reports, you must first modify the Windows Security
event log settings on clients to log all Success logon events, and enable the
SMS_SystemConsoleUser hardware inventory reporting class. For more
information about modifying Security event log settings to log all Success logon
events, see Enable auditing of success logon events.

Note

The SMS_SystemConsoleUser hardware inventory reporting class retains successful
logon event data for only the previous 90 days of the Security event log, regardless
of the length of the log. If the Security event log has fewer than 90 days of data, the
entire log is read.

Dependencies Internal to Configuration Manager
The following table provides the dependencies for Asset Intelligence that are internal to
Configuration Manager.

Dependency: Client Agent Prerequisites

More information: The Asset Intelligence reports depend on client information that is
obtained through client hardware and software inventory reports. To obtain the
information necessary for all Asset Intelligence reports, the following client agents must
be enabled:

- Hardware Inventory Client Agent

- Software Metering Client Agent

Dependency: Hardware Inventory Client Agent Dependencies

More information: To collect inventory data required for some Asset Intelligence reports,
the Hardware Inventory Client Agent must be enabled. In addition, some hardware
inventory reporting classes that Asset Intelligence reports depend on must be enabled
on primary site server computers.

For information about enabling the Hardware Inventory Client Agent, see How to
extend hardware inventory.

Dependency: Software Metering Client Agent Dependencies

More information: A number of Asset Intelligence software reports depend on the
Software Metering Client Agent for data. For information about enabling the Software
Metering Client Agent, see Monitor app usage with software metering.

The following Asset Intelligence reports depend on the Software Metering Client
Agent to provide data:

- Software 07A - Recently Used Executables by Number of Computers

- Software 07B - Computers that Recently Used a Specified Executable

- Software 07C - Recently Used Executables on a Specific Computer

- Software 08A - Recently Used Executables by Number of Users

- Software 08B - Users that Recently Used a Specified Executable

- Software 08C - Recently Used Executables by a Specified User

Dependency: Asset Intelligence Hardware Inventory Reporting Class Prerequisites

More information: Asset Intelligence reports in Configuration Manager depend on
specific hardware inventory reporting classes. Until the hardware inventory reporting
classes are enabled and clients have reported hardware inventory based on these
classes, the associated Asset Intelligence reports do not contain any data. You can
enable the following hardware inventory reporting classes to support Asset Intelligence
reporting requirements:

- SMS_SystemConsoleUsage [1]

- SMS_SystemConsoleUser [1]

- SMS_InstalledSoftware

- SMS_AutoStartSoftware

- SMS_BrowserHelperObject

- Win32_USBDevice

- SMS_InstalledExecutable

- SMS_SoftwareShortcut

- SoftwareLicensingService

- SoftwareLicensingProduct

- SMS_SoftwareTag

[1] By default, the SMS_SystemConsoleUsage and SMS_SystemConsoleUser Asset
Intelligence hardware inventory reporting classes are enabled.

You can edit the Asset Intelligence hardware inventory reporting classes in the
Configuration Manager console, in the Assets and Compliance workspace, when
you click the Asset Intelligence node. For more information, see the Enable Asset
Intelligence hardware inventory reporting classes section in the Configuring
Asset Intelligence topic.

Dependency: Reporting services point

More information: The reporting services point site system role must be installed before
software updates reports can be displayed. For more information about creating a
reporting services point, see Configuring reporting.
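Reports stay empty until clients have actually populated the classes above, so a client-side check is useful before troubleshooting the site. The following PowerShell is an added example, not Configuration Manager product code: the function name Test-AssetIntelligenceClasses is hypothetical, and it assumes that the SMS_* reporting classes are exposed on the client in the root\cimv2\sms WMI namespace while the Win32_ and SoftwareLicensing* classes live in root\cimv2. The SMS_AutoStartSoftware and SMS_BrowserHelperObject listing at the end is there because those two classes feed the software reports that surface adware and spyware.

```powershell
# Added example (not Configuration Manager product code): confirm on a client that each
# Asset Intelligence reporting class returns instances, then list the two classes the
# software reports use to flag autostart entries and browser helper objects.
# Assumption: SMS_* classes are in root\cimv2\sms on the client; the rest are in root\cimv2.
$classes = @(
    @{ Namespace = 'root\cimv2\sms'; Class = 'SMS_SystemConsoleUsage' }
    @{ Namespace = 'root\cimv2\sms'; Class = 'SMS_SystemConsoleUser' }
    @{ Namespace = 'root\cimv2\sms'; Class = 'SMS_InstalledSoftware' }
    @{ Namespace = 'root\cimv2\sms'; Class = 'SMS_AutoStartSoftware' }
    @{ Namespace = 'root\cimv2\sms'; Class = 'SMS_BrowserHelperObject' }
    @{ Namespace = 'root\cimv2';     Class = 'Win32_USBDevice' }
    @{ Namespace = 'root\cimv2\sms'; Class = 'SMS_InstalledExecutable' }
    @{ Namespace = 'root\cimv2\sms'; Class = 'SMS_SoftwareShortcut' }
    @{ Namespace = 'root\cimv2';     Class = 'SoftwareLicensingService' }
    @{ Namespace = 'root\cimv2';     Class = 'SoftwareLicensingProduct' }
    @{ Namespace = 'root\cimv2\sms'; Class = 'SMS_SoftwareTag' }
)

function Test-AssetIntelligenceClasses {
    # Hypothetical helper: one row per class with the instance count and a status.
    # OK    = the class exists and has instances (the report for it can have data)
    # EMPTY = the class exists but nothing was collected yet (or the class is disabled)
    # ERROR = the namespace or class is missing (client not installed, or not on this OS)
    foreach ($c in $classes) {
        try {
            $instances = @(Get-CimInstance -Namespace $c.Namespace -ClassName $c.Class -ErrorAction Stop)
            $count  = $instances.Count
            $status = if ($count -gt 0) { 'OK' } else { 'EMPTY' }
        } catch {
            $count  = 0
            $status = 'ERROR'
        }
        [pscustomobject]@{ Class = $c.Class; Namespace = $c.Namespace; Instances = $count; Status = $status }
    }
}

Test-AssetIntelligenceClasses | Format-Table -AutoSize

# Autostart software and browser helper objects are what the software reports use to
# identify adware and spyware; list them in full so they can be reviewed on the client.
Get-CimInstance -Namespace root\cimv2\sms -ClassName SMS_AutoStartSoftware | Format-List
Get-CimInstance -Namespace root\cimv2\sms -ClassName SMS_BrowserHelperObject | Format-List
```

An EMPTY result for SMS_SystemConsoleUser is expected on a client whose Security event log doesn't yet record Success logon events, which is the external dependency described in the previous table; an EMPTY result for every class usually means the reporting classes aren't enabled in the client settings that apply to the machine.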

Configure Asset Intelligence in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Asset Intelligence inventories and manages software license usage.

Steps to configure Asset Intelligence

Step 1: To collect the inventory data required for Asset Intelligence reports, you
have to enable the hardware inventory client agent as described in How to extend
hardware inventory.
Step 2: Enable Asset Intelligence Hardware Inventory Reporting Classes.
Step 3: Install an Asset Intelligence Synchronization Point.
Step 4: Enable auditing of success logon events.
Step 5: Import Software License Information.
Step 6: Configure Asset Intelligence maintenance tasks.

Enable Asset Intelligence hardware inventory reporting classes
To enable Asset Intelligence in Configuration Manager sites, you must enable one or
more Asset Intelligence hardware inventory reporting classes. You can enable the classes
on the Asset Intelligence home page, or, in the Administration workspace, in the Client
Settings node, in client settings properties. Use one of the following procedures.

To enable Asset Intelligence hardware inventory reporting classes from the Asset
Intelligence home page

1. In the Configuration Manager console, choose Asset and Compliance > Asset
Intelligence.

2. On the Home tab, in the Asset Intelligence group, choose Edit Inventory Classes.

3. To enable Asset Intelligence reporting, select Enable all Asset Intelligence
reporting classes or Enable only the selected Asset Intelligence reporting classes,
and select at least one reporting class from the classes displayed.

Note

Asset Intelligence reports that depend on the hardware inventory classes that
you enable by using this procedure do not display data until clients have
scanned for and returned hardware inventory.

To enable Asset Intelligence hardware inventory reporting classes from client
settings properties

1. In the Configuration Manager console, choose Administration > Client Settings >
Default Client Agent Settings. If you have created custom client settings, you can
select those instead.

2. On the Home tab > Properties group, choose Properties.

3. Choose Hardware Inventory > Set Classes.

4. Choose Filter by category > Asset Intelligence Reporting Classes. The list of
classes is refreshed with only the Asset Intelligence hardware inventory reporting
classes.

5. Select at least one reporting class from the list.

Note

Asset Intelligence reports that depend on the hardware inventory classes that
you enable by using this procedure do not display data until clients have
scanned for and returned hardware inventory.

Install an Asset Intelligence Synchronization Point

The Asset Intelligence synchronization point site system role is used to connect
Configuration Manager sites to System Center Online to synchronize Asset Intelligence
catalog information. The Asset Intelligence synchronization point can only be installed
on a site system located at the top-level site of the Configuration Manager hierarchy
and requires Internet access to synchronize with System Center Online by using TCP port
443.

In addition to downloading new Asset Intelligence catalog information, the Asset
Intelligence synchronization point can upload custom software title information to
System Center Online for categorization. Microsoft treats all uploaded software titles as
public information. Ensure that your custom software titles do not contain confidential
or proprietary information. For more information about requesting software title
categorization, see Request a catalog update for uncategorized software titles.

To install an Asset Intelligence synchronization point site system role

1. In the Configuration Manager console, choose Administration > Site
Configuration > Servers and Site System Roles.

2. Add the Asset Intelligence synchronization point site system role to a new or
existing site system server:

For a New site system server: On the Home tab, in the Create group, choose
Create Site System Server to start the wizard.

Note

By default, when Configuration Manager installs a site system role, the
installation files are installed on the first available NTFS-formatted hard
disk drive that has the most available free hard disk space. To prevent
Configuration Manager from installing on specific drives, create an
empty file named NO_SMS_ON_DRIVE.SMS and copy it to the root
folder of the drive before you install the site system server.

For an Existing site system server: Choose the server on which you want to
install the Asset Intelligence synchronization point site system role. When you
choose a server, a list of the site system roles that are already installed on the
server are displayed in the details pane.

On the Home tab, in the Server group, choose Add Site System Role to start
the wizard.

3. Complete the General page. When you add the Asset Intelligence synchronization
point to an existing site system server, verify the values that were previously
configured.

4. On the System Role Selection page, select Asset Intelligence Synchronization
Point from the list of available roles.

5. On the Asset Intelligence Synchronization Point Connection Settings page,
choose Next.

By default, the Use this Asset Intelligence Synchronization Point setting is
selected and cannot be configured on this page. System Center Online accepts
network traffic only over TCP port 443, therefore the SSL port number setting
cannot be configured on this page of the wizard.

6. Optionally, you can specify a path to the System Center Online authentication
certificate (.pfx) file. Typically, you do not specify a path for the certificate because
the connection certificate is automatically provisioned during site role installation.

7. On the Proxy Server Settings page, specify whether the Asset Intelligence
synchronization point will use a proxy server when connecting to System Center
Online to synchronize the catalog and whether to use credentials to connect to the
proxy server.

Warning

If a proxy server is required to connect to System Center Online, the
connection certificate might also be deleted if the user account password
expires for the account configured for proxy server authentication.

8. On the Synchronization Schedule page, specify whether to synchronize the Asset
Intelligence catalog on a schedule. When you enable the synchronization schedule,
you specify a simple or custom synchronization schedule. During scheduled
synchronization, the Asset Intelligence synchronization point connects to System
Center Online to retrieve the latest Asset Intelligence catalog. You can manually
synchronize the Asset Intelligence catalog from the Asset Intelligence node in the
Configuration Manager console. For the steps to manually synchronize the Asset
Intelligence catalog, see the To manually synchronize the Asset Intelligence catalog
section in the Operations for Asset Intelligence.

9. Complete the wizard.

Enable auditing of success logon events

Four Asset Intelligence reports display information gathered from the Windows Security
event logs on client computers. Here's how to configure computer security policy logon
settings to enable auditing of Success logon events.

To enable success logon event logging by using a local security policy

1. On a Configuration Manager client computer, choose Start > Administrative Tools
> Local Security Policy.

2. In the Local Security Policy dialog box, under Security Settings, expand Local
Policies, and then choose Audit Policy.

3. In the results pane, double-click Audit logon events, ensure that the Success check
box is selected, and then choose OK.

To enable success logon event logging by using an Active Directory domain security policy

1. On a domain controller computer, choose Start, point to Administrative Tools, and
then choose Domain Security Policy.

2. In the Local Security Policy dialog box, under Security Settings, expand Local
Policies, and then choose Audit Policy.

3. In the results pane, double-click Audit logon events, ensure that the Success check
box is selected, and then choose OK.
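Both procedures above turn on the same audit setting through the console. As an added example, not taken from the Configuration Manager documentation, the following PowerShell script does the local-policy equivalent from the command line: it reads the current state of the Logon subcategory with auditpol.exe, enables Success auditing only if it is not already on, and then lists the most recent successful logon events (Windows records these as event ID 4624) to confirm that the Security log is receiving them. Run it in an elevated session on the client computer; on a domain-joined computer the domain audit policy overrides this local setting, so use the domain security policy procedure for managed clients.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Checks and enables auditing of successful logons with auditpol.exe,
# the command-line equivalent of "Audit logon events" > Success.
# Requires an elevated PowerShell session.

function Get-LogonAuditSetting {
    # auditpol /r prints CSV; the "Inclusion Setting" column holds the current
    # value: "No Auditing", "Success", "Failure" or "Success and Failure".
    $csv = & auditpol.exe /get /subcategory:"Logon" /r | Where-Object { $_.Trim() -ne '' }
    $row = $csv | ConvertFrom-Csv
    return [string]$row.'Inclusion Setting'
}

function Enable-LogonSuccessAuditing {
    $current = Get-LogonAuditSetting
    if ($current -match 'Success') {
        Write-Verbose "Success auditing for Logon is already enabled ($current)." -Verbose
        return $current
    }
    # Only add success auditing; any existing failure auditing is left as it is.
    & auditpol.exe /set /subcategory:"Logon" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol.exe failed with exit code $LASTEXITCODE (is the session elevated?)"
    }
    return Get-LogonAuditSetting
}

function Get-RecentSuccessfulLogons {
    param([int]$Count = 5)
    # Event ID 4624 is a successful logon; these appear only once Success auditing is on.
    # Property index 5 of a 4624 event is the logged-on account name (TargetUserName).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ Name = 'Account'; Expression = { $_.Properties[5].Value } }
}

$setting = Enable-LogonSuccessAuditing
"Logon subcategory is now: $setting"
Get-RecentSuccessfulLogons | Format-Table -AutoSize
```

If the computer receives an audit policy from a Group Policy object, the value printed after the change will revert at the next policy refresh; that is the signal to make the change in the domain security policy instead.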

Import software license information

The following sections describe the procedures necessary to import both Microsoft and
general software licensing information into the Configuration Manager site database by
using the Import Software License Wizard. When you import software license
information into the site database from license statement files, the site server computer
account requires Full Control permissions for the NTFS file system to the file share that
is used to import software license information.

Important

When software license information is imported into the site database, existing
software license information is overwritten. Ensure that the software license
information file that you use with the Import Software License Wizard contains a
complete listing of all necessary software license information.

To import software license information into the Asset Intelligence catalog

1. In the Assets and Compliance workspace, choose Asset Intelligence.

2. On the Home tab, in the Asset Intelligence group, choose Import Software
Licenses.

3. On the Import page, specify whether you are importing a Microsoft Volume
Licensing (MVLS) file (.xml or .csv) or a General License Statement file (.csv). For
more information about creating a General License Statement file, see Create a
general license statement information file for import later in this topic.

Warning

To download an MVLS file in .csv format that you can import to the Asset
Intelligence catalog, see Microsoft Volume Licensing Service Center. To
access this information, you must have a registered account on the website.
You must contact your Microsoft account representative for information about
how to get your MVLS file in .xml format.

4. Enter the UNC path to the license statement file or choose Browse to select a
network shared folder and file.

Note

The shared folder should be correctly secured to prevent unauthorized access
to the licensing information file, and the computer account of the computer
that the wizard is being run on must have Full Control permissions to the
share that contains the license import file.

5. Complete the wizard.

Create a general license statement information file for import

A general license statement can also be imported into the Asset Intelligence catalog by
using a manually created license import file in comma delimited (.csv) file format.

Note

While only the Name, Publisher, Version, and EffectiveQuantity fields are required
to contain data, all fields must be entered on the first row of the license import file.
All date fields should be displayed in the following format: Month/Day/Year, for
example, 08/04/2008.

Asset Intelligence matches the products that you specify in the general license
statement by using the product name and product version, but not publisher name. You
must use a product name in the general license statement that is an exact match with
the product name stored in the site database. Asset Intelligence takes the
EffectiveQuantity number given in the general license statement and compares the
number with the number of installed products found in Configuration Manager
inventory.

Tip

To get a complete list of the product names stored in the Configuration Manager
site database, you can run the following query on the site database: SELECT
DISTINCT ProductName0 FROM v_GS_INSTALLED_SOFTWARE.

You can specify exact versions for a product or specify part of the version, such as only
the major version. The following examples provide the resulting version matches for a
general license statement version entry for a specific product.

General license statement entry: Name "MySoftware", Version "2"
Matching site database entries:
  ProductName0 "Mysoftware", ProductVersion0 "2.01.1234"
  ProductName0 "MySoftware", ProductVersion0 "2.02.5678"
  ProductName0 "MySoftware", ProductVersion0 "2.05.1234"
  ProductName0 "MySoftware", ProductVersion0 "2.05.5678"
  ProductName0 "MySoftware", ProductVersion0 "2.05.3579.000"
  ProductName0 "MySoftware", ProductVersion0 "2.10.1234"

General license statement entry: Name "MySoftware", Version "2.05"
Matching site database entries:
  ProductName0 "MySoftware", ProductVersion0 "2.05.1234"
  ProductName0 "MySoftware", ProductVersion0 "2.05.5678"
  ProductName0 "MySoftware", ProductVersion0 "2.05.3579.000"

General license statement entries (both in the same file):
  Name "Mysoftware", Version "2"
  Name "Mysoftware", Version "2.05"
Result: Error during import. The import fails when more than one entry matches
the same product version.

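The table shows the outcome of the matching rules for a few entries. As an added example that is not part of the Configuration Manager documentation, the PowerShell below applies those rules to a whole general license statement before you import it, so that a conflicting pair of entries is caught before the import fails. The documentation gives examples rather than the exact algorithm, so two assumptions are labelled in the code: the license Version is compared component by component as a prefix of ProductVersion0, and product names are compared case-insensitively, as the table's Mysoftware/MySoftware rows imply. The sample inventory rows are constructed from the table; the Invoke-Sqlcmd line in the comment shows how to pull real rows from the site database, with SQLHOST and CM_XYZ as placeholders.

```powershell
# Added example, not part of the Configuration Manager documentation: a
# pre-import check that applies the matching rules illustrated in the table
# above to every entry of a general license statement.
# Assumptions (the documentation shows examples, not the algorithm):
#  - the license Version is compared component by component as a prefix of
#    ProductVersion0, so "2" matches "2.05.1234" but not "20.1.1";
#  - product names are compared case-insensitively (PowerShell -eq on strings).

function Test-LicenseVersionMatch {
    param([string]$LicenseVersion, [string]$ProductVersion)
    $want = $LicenseVersion.Trim().Split('.')
    $have = $ProductVersion.Trim().Split('.')
    if ($want.Count -gt $have.Count) { return $false }
    for ($i = 0; $i -lt $want.Count; $i++) {
        if ($want[$i] -ne $have[$i]) { return $false }
    }
    return $true
}

function Get-LicenseMatchReport {
    param(
        [object[]]$LicenseEntries,   # objects with Name and Version, as in the .csv
        [object[]]$Inventory         # objects with ProductName0 and ProductVersion0
    )
    foreach ($product in $Inventory) {
        $hits = @($LicenseEntries | Where-Object {
            $_.Name -eq $product.ProductName0 -and
            (Test-LicenseVersionMatch -LicenseVersion $_.Version -ProductVersion $product.ProductVersion0)
        })
        $status = if ($hits.Count -eq 0) { 'no license entry' }
                  elseif ($hits.Count -eq 1) { 'ok' }
                  else { 'CONFLICT: more than one entry matches; the import would fail' }
        [pscustomobject]@{
            ProductName0    = $product.ProductName0
            ProductVersion0 = $product.ProductVersion0
            MatchingEntries = ($hits | ForEach-Object { "$($_.Name) $($_.Version)" }) -join '; '
            Status          = $status
        }
    }
}

# Constructed sample inventory, taken from the table above. In production, read
# the real rows from the site database (SQLHOST and CM_XYZ are placeholders):
#   Invoke-Sqlcmd -ServerInstance 'SQLHOST' -Database 'CM_XYZ' -Query `
#     'SELECT DISTINCT ProductName0, ProductVersion0 FROM v_GS_INSTALLED_SOFTWARE'
$inventory = @(
    [pscustomobject]@{ ProductName0 = 'Mysoftware'; ProductVersion0 = '2.01.1234' }
    [pscustomobject]@{ ProductName0 = 'MySoftware'; ProductVersion0 = '2.02.5678' }
    [pscustomobject]@{ ProductName0 = 'MySoftware'; ProductVersion0 = '2.05.1234' }
    [pscustomobject]@{ ProductName0 = 'MySoftware'; ProductVersion0 = '2.05.3579.000' }
    [pscustomobject]@{ ProductName0 = 'MySoftware'; ProductVersion0 = '2.10.1234' }
    [pscustomobject]@{ ProductName0 = 'OtherApp';   ProductVersion0 = '1.0.0' }
)

# Constructed license statement containing the conflicting pair from the last table row.
$licenses = @(
    [pscustomobject]@{ Name = 'Mysoftware'; Version = '2' }
    [pscustomobject]@{ Name = 'Mysoftware'; Version = '2.05' }
)

Get-LicenseMatchReport -LicenseEntries $licenses -Inventory $inventory | Format-Table -AutoSize
```

With the sample data the 2.05.x rows are reported as conflicts because both license entries match them, the other MySoftware rows match only the "2" entry, and OtherApp has no entry at all; fix the statement until no row reports CONFLICT before running the Import Software License Wizard.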
To create a general license statement import file by using Microsoft Excel

1. Open Microsoft Excel and create a new spreadsheet.

2. On the first row of the new spreadsheet, enter all software license data field names.

3. On the second and subsequent rows of the new spreadsheet, enter software
license information as required. Ensure that at least all of the required software
license data fields are entered on subsequent rows for each software license to be
imported. The software title name entered in the spreadsheet must be the same as
the software title that is displayed in Resource Explorer for a client computer after
hardware inventory has run.

4. Save the file in .csv format.

5. Copy the .csv file to the file share that is used to import software license
information into the Asset Intelligence catalog.

6. In the Configuration Manager console, use the Import Software License Wizard to
import the newly created .csv file.

7. Run the Asset Intelligence License 15A - Third Party Software Reconciliation
Report to verify that the licensing information has been successfully imported into
the Asset Intelligence catalog.

Note

For an example of a general software license file that you can use for testing
purposes, see Example Asset Intelligence general license import file.

Sample table to describe software licenses

When creating a general license statement import file, the information in the following
table can be used to describe software licenses to be imported into the Asset
Intelligence catalog.

Column name            Data type                               Required  Example
Name                   Up to 255 characters                    Yes       Software title
Publisher              Up to 255 characters                    Yes       Software publisher
Version                Up to 255 characters                    Yes       Software title version
Language               Up to 255 characters                    Yes       Software title language
EffectiveQuantity      Integer value                           Yes       Number of licenses purchased
PONumber               Up to 255 characters                    No        Purchase order information
ResellerName           Up to 255 characters                    No        Reseller information
DateOfPurchase         Date value in the format MM/DD/YYYY     No        Date of license purchase
SupportPurchased       Bit value                               No        0 or 1: Enter 0 for Yes, or 1 for No
SupportExpirationDate  Date value in the format MM/DD/YYYY     No        End date of purchased support
Comments               Up to 255 characters                    No        Optional comments
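As an added example, not part of the documentation, the following PowerShell builds the same file without Excel and validates every row against the rules in the table above before anything is written: required fields present, values at most 255 characters, EffectiveQuantity an integer, SupportPurchased 0 or 1, and date fields in MM/DD/YYYY. The note earlier lists four required fields while the table also marks Language as required; the validator follows the table, the stricter of the two. Values are written unquoted, as the Excel procedure produces them, so a value containing a comma is rejected. The product names ContosoCAD and FabrikamDB are constructed sample data.

```powershell
# Added example, not part of the Configuration Manager documentation: builds a
# general license statement .csv and validates each row against the column rules
# in the table above before the file is written.

$AllColumns = 'Name','Publisher','Version','Language','EffectiveQuantity',
              'PONumber','ResellerName','DateOfPurchase','SupportPurchased',
              'SupportExpirationDate','Comments'
$RequiredColumns = 'Name','Publisher','Version','Language','EffectiveQuantity'
$DateColumns = 'DateOfPurchase','SupportExpirationDate'

function Test-LicenseRow {
    # Returns the list of problems found in one row; nothing returned means the row is valid.
    param([hashtable]$Row)
    $problems = @()
    foreach ($col in $RequiredColumns) {
        if ([string]::IsNullOrWhiteSpace($Row[$col])) { $problems += "$col is required" }
    }
    foreach ($col in $AllColumns) {
        $value = [string]$Row[$col]
        if ($value.Length -gt 255) { $problems += "$col exceeds 255 characters" }
        if ($value.Contains(',')) { $problems += "$col contains a comma, which would break the .csv layout" }
    }
    if ([string]$Row['EffectiveQuantity'] -notmatch '^\d+$') { $problems += 'EffectiveQuantity must be an integer' }
    $support = [string]$Row['SupportPurchased']
    if ($support -ne '' -and $support -notin @('0', '1')) { $problems += 'SupportPurchased must be 0 or 1' }
    foreach ($col in $DateColumns) {
        $value = [string]$Row[$col]
        if ($value -eq '') { continue }
        $parsed = [datetime]::MinValue
        $ok = [datetime]::TryParseExact($value, 'MM/dd/yyyy', [cultureinfo]::InvariantCulture,
                                       [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
        if (-not $ok) { $problems += "$col must be in MM/DD/YYYY format (got '$value')" }
    }
    return $problems
}

function Write-GeneralLicenseStatement {
    param([hashtable[]]$Rows, [string]$Path)
    $bad = @()
    for ($i = 0; $i -lt $Rows.Count; $i++) {
        foreach ($p in (Test-LicenseRow -Row $Rows[$i])) { $bad += "row $($i + 1): $p" }
    }
    if ($bad.Count -gt 0) { throw ("License file not written:`n" + ($bad -join "`n")) }
    # The first line must carry every column name, including columns left empty.
    $lines = @(($AllColumns -join ','))
    $lines += @(foreach ($row in $Rows) { ($AllColumns | ForEach-Object { [string]$row[$_] }) -join ',' })
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $lines.Count - 1     # number of license rows written
}

# Constructed sample rows (hypothetical titles); the second row is deliberately invalid.
$rows = @(
    @{ Name = 'ContosoCAD'; Publisher = 'Contoso'; Version = '5'; Language = 'English';
       EffectiveQuantity = '150'; PONumber = 'PO-1001'; DateOfPurchase = '08/04/2008';
       SupportPurchased = '0'; SupportExpirationDate = '08/04/2011' }
    @{ Name = 'FabrikamDB'; Publisher = 'Fabrikam'; Version = '12.1'; Language = '';
       EffectiveQuantity = 'twenty'; DateOfPurchase = '2008-08-04' }
)

try {
    Write-GeneralLicenseStatement -Rows $rows -Path "$env:TEMP\GeneralLicense.csv"
} catch {
    Write-Warning $_.Exception.Message     # lists every problem in the FabrikamDB row
}
# After fixing or dropping the bad row, write the valid one and copy the file to the import share.
$written = Write-GeneralLicenseStatement -Rows @($rows[0]) -Path "$env:TEMP\GeneralLicense.csv"
"Wrote $written license row(s) to $env:TEMP\GeneralLicense.csv"
```

Rejecting a row with an embedded comma is a deliberate choice: the import format described above is a plain comma-delimited file, and adding quoting would assume a parser behaviour the documentation does not describe.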

Configure Asset Intelligence maintenance tasks

The following maintenance tasks are available for Asset Intelligence:

Check Application Title with Inventory Information: Checks that the software title
that is reported in software inventory is reconciled with the software title in the
Asset Intelligence catalog. By default, this task is enabled and scheduled to run on
Saturday after 12:00 A.M. and before 5:00 A.M. This maintenance task is only
available at the top-level site in your Configuration Manager hierarchy.

Summarize Installed Software Data: Provides the information that is displayed in
the Assets and Compliance workspace, in the Inventoried Software node, under
the Asset Intelligence node. When the task runs, Configuration Manager gathers a
count for all inventoried software titles at the primary site. By default, this task is
enabled and scheduled to run every day after 12:00 A.M. and before 5:00 A.M. This
maintenance task is available only on primary sites.

To configure Asset Intelligence maintenance tasks

1. In the Configuration Manager console, choose Administration > Site
Configuration > Sites.

2. Select the site on which to configure the Asset Intelligence maintenance task.

3. On the Home tab, in the Settings group, choose Site Maintenance. Select a task,
and choose Edit to modify the settings.

We recommend that you set the time period to off-peak hours of the site. The time
period is the time interval in which the task can run. It is defined by the Start after
and Latest start time specified in the Task Properties dialog box.

You can initiate the task right away by selecting the current day and setting the
Start after time to a couple minutes after the present time.

4. Choose OK to save your settings. The task now runs according to its schedule.

Note

If a task fails to run on the first attempt, Configuration Manager attempts to
rerun the task until either the task runs successfully or until the time period in
which the task can run has passed.

How to use Asset Intelligence in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This topic contains information to help you manage typical Asset Intelligence tasks in
your Configuration Manager hierarchy.

View Asset Intelligence information

You can view Asset Intelligence information on the Asset Intelligence home page and in
Asset Intelligence reports.

Asset Intelligence home page

The Asset Intelligence home page displays a summary dashboard for Asset Intelligence
catalog information. On the home page, you can view information about catalog
synchronization and inventoried software status. The Asset Intelligence home page is
divided into the following sections:

Catalog Synchronization: Provides information about whether Asset Intelligence is
enabled, the current status of the Asset Intelligence synchronization point, the
synchronization schedule, whether the customer license statement is imported,
when status was last updated and the time for the next scheduled update, and the
number of changes that occurred after the Asset Intelligence synchronization point
site system was installed.

Note

The Asset Intelligence catalog synchronization section of the Asset
Intelligence home page is only displayed if an Asset Intelligence
synchronization point site system role has been installed.

Inventoried Software Status: Provides the count and percentage of inventoried
software, software categories, and software families that are identified by
Microsoft, identified by an administrative user, pending online identification, or
unidentified and not pending. The information displayed in table format shows the
count for each, while the information displayed in the chart shows the percentage
for each.

Use the following procedure to view Asset Intelligence information on the Asset
Intelligence home page.

To view Asset Intelligence information on the Asset Intelligence home page


1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, click Asset Intelligence. The Asset
Intelligence reports are displayed.

Asset Intelligence reports

There are over 60 Asset Intelligence reports that display the information collected by
Asset Intelligence. Many of these reports link to more specific reports in which you can
query for general information and drill down to more detailed information. The Asset
Intelligence reports are located in the Configuration Manager console, in the
Monitoring workspace, under the Reporting node. The reports provide information
about hardware, license management, and software. For more information about reports
in Configuration Manager, see Introduction to reporting.

Note

The accuracy of installed software title quantities and license information displayed
in Asset Intelligence reports might vary from the actual number of software titles
installed or licenses in use in the environment because of the complex
dependencies and limitations involved in inventorying software license information
for software titles installed in enterprise environments. Asset Intelligence reports
should not be used as the sole source for determining purchased software license
compliance.

Use the following procedure to view Asset Intelligence information by using the Asset
Intelligence reports.

To view collected Asset Intelligence information by using Asset Intelligence reports

1. In the Configuration Manager console, click Monitoring.

2. In the Monitoring workspace, expand Reporting, expand Reports, and click Asset
Intelligence. The Asset Intelligence reports are displayed.

Warning

If no report folders exist under the Reports node, verify that you have
configured reporting. For more information, see Configuring reporting.

3. Select the Asset Intelligence report that you want to run, and then on the Home
tab, in the Report Group group, click Run.

Synchronize the Asset Intelligence catalog

You can synchronize the local Asset Intelligence catalog with System Center Online to
retrieve the latest software title categorization. When you manually request catalog
synchronization with System Center Online, it could take 15 minutes or longer to
complete the synchronization process with System Center Online. Configuration
Manager updates the Last Successful Update setting on the Asset Intelligence home
page with the current time for when synchronization successfully finishes.

Note

An Asset Intelligence synchronization point site system role must be installed
before you use these procedures. For information about installing an Asset
Intelligence synchronization point, see Configuring Asset Intelligence.

Use the following procedure to create a synchronization schedule for the Asset
Intelligence catalog.

To create a synchronization schedule for the Asset Intelligence catalog


1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, click Asset Intelligence.

3. On the Home tab, in the Create group, click Synchronize, and then click Schedule
Synchronization.

4. In the Asset Intelligence Synchronization Point Schedule dialog box, select Enable
synchronization on a schedule, and then configure a simple or custom schedule.

5. Click OK to save the changes.

Note

For information about the synchronization schedule, including the next
scheduled synchronization, see the Asset Intelligence node in the Assets and
Compliance workspace on the top-level site of the hierarchy.

Use the following procedure to manually synchronize the Asset Intelligence
catalog.

Warning

System Center Online accepts only one manual synchronization request in a 12-
hour period.

To manually synchronize the Asset Intelligence catalog

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, click Asset Intelligence.

3. On the Home tab, in the Create group, click Synchronize, click Synchronize Asset
Intelligence Catalog, and then click OK.

Customize the Asset Intelligence catalog

Asset Intelligence catalog categorization information received from System Center
Online is stored in the site database with read-only permissions and cannot be modified
or deleted. However, you can create, modify, and delete custom software categories,
software families, software labels, and hardware requirements catalog information. Then
you can use custom categorization data instead of the information supplied by System
Center Online for existing or user-defined software title information. When you change
or add categorization information, the catalog information is considered user-defined.
User-defined categorization information is stored in different database tables than
validated catalog information.

Software categories
Asset Intelligence software categories are used to broadly categorize inventoried
software titles and are also used as high-level groupings of more specific software
families. For example, a software category could be energy companies, and a software
family within that software category could be oil and gas or hydroelectric. Many
software categories are predefined in the Asset Intelligence catalog, and additional user-
defined categories can be created to further define inventoried software. The validation
state for all predefined software categories is always Validated, while custom software
category information added to the Asset Intelligence catalog is User Defined.

Use the following procedure to create a user-defined software category.

To create a user-defined software category

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, click Asset Intelligence, and then click
Catalog.

3. On the Home tab, in the Create group, click Create Software Category.

4. On the General page, enter a name for the new software category and, optionally,
a description.

Note

The validation state for all new custom software categories is always set to
User Defined.

Click Next.

5. On the Summary page, review the settings, and then click Next.

6. On the Completion page, click Close to exit the wizard.

Software families
Asset Intelligence software families are used to further define inventoried software titles
within software categories. For example, a software category could be energy
companies, and a software family within that software category could be oil and gas or
hydroelectric. Many software families are predefined in the Asset Intelligence catalog,
and additional user-defined families can be created to define inventoried software. The
validation state for all predefined software families is always Validated, while custom
software family information added to the Asset Intelligence catalog is User Defined.

Use the following procedure to create a user-defined software family.

To create a user-defined software family

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, click Asset Intelligence, and then click
Catalog.

3. On the Home tab, in the Create group, click Create Software Family.

4. On the General page, enter a name for the new software family and, optionally, a
description.

Note

The validation state for all new custom software families is always set to User
Defined.

5. On the Summary page, review the settings, and then click Next.

6. On the Completion page, click Close to exit the wizard.

Software labels
Asset Intelligence custom software labels let you create filters that you can use to group
software titles and view them by using Asset Intelligence reports. For example, you can
create a software label called shareware, associate it with a number of applications, and
then run a report that shows you all titles with the software label of shareware. The
validation state is User Defined for all custom software labels that you add to the Asset
Intelligence catalog.

Use the following procedure to create a user-defined custom label.

To create a user-defined software label

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, click Asset Intelligence, and then click
Catalog.

3. On the Home tab, in the Create group, click Create Software Label.

4. On the General page, enter a name for the new software label and, optionally, a
description.

Note

The validation state for all new custom software labels is always set to User
Defined.

5. On the Summary page, review the settings, and then click Next.

6. On the Completion page, click Close to exit the wizard.

Hardware requirements
Hardware requirements information can help you verify that computers meet the
hardware requirements for software titles before they are targeted for software
deployments. Many hardware requirements are predefined in the Asset Intelligence
catalog, and you can create new user-defined hardware requirement information to
meet custom requirements. The validation state for all predefined hardware
requirements is always Validated, while user-defined hardware requirements
information added to the Asset Intelligence catalog is User Defined.

Important

The hardware requirements displayed in the Configuration Manager console are
retrieved from the Asset Intelligence catalog on the local computer and are not
based on inventoried software title information from System Center 2012
Configuration Manager clients. Hardware requirements information is not updated
as part of the synchronization process with System Center Online. You can create
user-defined hardware requirements for inventoried software that does not have
associated hardware requirements.

Use the following procedure to create a user-defined hardware requirement.

To create a user-defined hardware requirement

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, click Asset Intelligence, and then click
Hardware Requirements.

3. On the Home tab, in the Create group, click Create Hardware Requirements.

4. On the General page, enter the following information:

a. Software title: Specifies the software title for which the hardware requirements
are associated. The software title cannot already exist in the Asset Intelligence
catalog.

b. Validation state: Lists the validation state as User Defined for the hardware
requirements. You cannot modify this setting.

c. Minimum CPU (MHz): Specifies the minimum processor speed, in megahertz
(MHz), required by the software title.

d. Minimum RAM (KB): Specifies the minimum RAM, in kilobytes (KB), required by
the software title.

e. Minimum Disk Space (KB): Specifies the minimum free disk space, in KB,
required by the software title.

f. Minimum Disk Size (KB): Specifies the minimum hard disk size, in KB, required
by the software title.

Click Next.

5. On the Summary page, review the settings, and then click Next.

6. On the Completion page, click Close to exit the wizard.

Modify categorization information for inventoried software

Predefined software in the Asset Intelligence catalog is configured with specific
categorization information, such as product name, vendor, software category, and
software family. When the predefined categorization information does not meet your
requirements, you can modify the information in the properties for the software title.
When you modify categorization information for predefined software, the validation
state for the software changes from Validated to User Defined.

Important

The categorization information can only be modified at the top-level site.

Use the following procedure to modify categorization information for inventoried
software.

To modify the categorizations for software titles

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, click Asset Intelligence, and then click
Inventoried Software.

3. Select a software title or select multiple software titles for which you want to
modify categorizations.

4. On the Home tab, in the Properties group, click Properties.

5. On the General tab, you can modify the following categorization information:

Product Name: Specifies the name of the inventoried software title.

Vendor: Specifies the name of the vendor that developed the inventoried
software title.

Category: Specifies the software category that is currently assigned to the
inventoried software title.

Family: Specifies the software family that is currently assigned to the
inventoried software title.

6. Click OK to save the changes.

Use the following procedure to revert software to the original categorization
information.

Revert categorization information to original settings for software

Configuration Manager stores categorization information obtained from System Center
Online in the database. The information cannot be deleted. After the information has
been modified, you can revert the categorization information back to the System Center
Online categorization. Inventoried software that is not in the Asset Intelligence catalog
can also be reverted back to the original settings.

Use the following procedure to revert categorization information to the original settings.

To revert categorization information to original settings

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, click Asset Intelligence, and then click
Inventoried Software.

3. Select a software title or select multiple software titles that you want to revert to
the original settings. Only software that has a User Defined state can be reverted.

Tip

Click the State column to sort by the validation state. Sorting lets you see all
software by validation state and quickly select multiple items to revert to the
original settings.

4. On the Home tab, in the Product group, click Revert.

5. Click Yes to revert the software to the original categorization information.

6. When you revert categorization information for software that is in the Asset
Intelligence catalog, the validation state changes from User Defined to Validated.
When you revert software that is not in the catalog, the validation state changes
from User Defined to Uncategorized.

Request a catalog update for uncategorized software titles

Uncategorized software title information can be submitted to System Center Online for
research and categorization. After an uncategorized software title is submitted, and
there are at least 4 categorization requests from customers for the same software title,
researchers identify, categorize, and then make the software title categorization
information available to all customers that are using the System Center Online service.
Microsoft gives the highest priority to software titles that have the most requests for
categorization. Custom software and line-of-business applications are unlikely to receive
a category, and as a best practice, you should not send these software titles to Microsoft
for categorization.

When software title information is submitted to System Center Online for categorization,
the following conditions apply:

Only basic software title information is transmitted to System Center Online, and
software title information to be categorized can be reviewed before submission.

Software license information is never transmitted.

Any software title that is uploaded becomes publicly available as part of the
System Center Online catalog and can be downloaded by other customers.

The source of the software title is not stored in the System Center Online catalog.
However, application titles containing confidential or proprietary information
should not be submitted for categorization by System Center Online.

Note

For more information about Asset Intelligence privacy information, see Security
and privacy for Asset Intelligence.

Use the following procedure to request Asset Intelligence catalog software title
categorization from System Center Online.

To request a catalog update for uncategorized software titles


2. In the Assets and Compliance workspace, click Asset Intelligence, and then click
Inventoried Software.

3. Select a product name or select multiple product names, to be submitted to
System Center Online for categorization. Only uncategorized inventoried software
titles can be submitted to System Center Online for categorization. If an
inventoried software title has been categorized by an administrator resulting in a
user-defined state, you must right-click the inventoried software title, and then
click Revert to revert the software title to the Uncategorized state before it can be
submitted to System Center Online for categorization.

Note

Configuration Manager can process up to 2000 software titles for
categorization at a time. If you select more than 2000 software titles, only the
first 2000 software titles will be processed. You must select the remaining
software titles for categorization in batches of less than 2000.

Tip

Click the State column to sort by the validation state. This lets you see all
uncategorized product names and quickly select multiple items to submit for
categorization.

4. On the Home tab, in the Product group, click Request Catalog Update.

5. Review the System Center Online categorization submission privacy message. Click
Details to view the information that will be sent to System Center Online.

6. Select I have read and understood this message, and then click OK to allow the
selected software titles to be submitted for categorization.

7. Verify that the state of the inventoried software product names submitted to
System Center Online for categorization has changed from Uncategorized to
Pending.

Note

Software that has been submitted to System Center Online for categorization and
has a validation state of Pending on a central administration site is still displayed
with a validation state of Uncategorized on child primary sites.

Resolve software details conflicts

After newly updated software categorization details have been received from System
Center Online that conflict with existing software details information, you can choose
how to resolve the conflict. Software that has a current conflict has a validation state of
Updatable. After a software details conflict has been resolved, the software
categorization information is retained in the Asset Intelligence catalog according to the
setting that you specify. A software details conflict does not occur for the same software
categorization value again unless the System Center Online value changes after the
conflict has been resolved.

Use the following procedure to resolve a software details conflict.

To resolve a software details conflict

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, click Asset Intelligence, and then click
Inventoried Software.

3. Review the State column for software titles in the Updatable state.

4. Select the software title for which you have to resolve a conflict, and then on the
Home tab, in the Product group, click Resolve Conflict.

5. Review the following information:

Local value: Specifies the existing software categorization information in the
Asset Intelligence catalog that conflicts with newer System Center Online
software categorization details.

Downloaded value: Specifies the new System Center Online software
categorization information for conflicting Asset Intelligence catalog software
categorization information.

6. Select one of the following settings to resolve the software details conflict:

Do not change the locally edited catalog information value: Resolves the
software details conflict by retaining the existing Asset Intelligence catalog
software categorization information. When you select this setting, the
software title state changes from Updatable to User Defined.

Overwrite the locally edited catalog information value with the


downloaded System Center Online value: Resolves the software details
conflict by overwriting the existing Asset Intelligence catalog software
categorization information with new information obtained from System
Center Online. When you select this setting, the software title state changes
from Updatable to Validated.

Click OK to save the conflict resolution.


Security and privacy for Asset
Intelligence in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article contains security guidance and privacy information for Asset Intelligence in
Configuration Manager.

Security guidance

Secure license files


When you import a Microsoft Volume Licensing file or a General License Statement file,
secure the file and communication channel. Configure NTFS permissions to make sure
that only authorized users can access the license files. Use Server Message Block (SMB)
signing to keep the integrity of the data when it's transferred to the site server during
the import process.

Limit permissions for users who import license files


Use the principle of least permissions to import the license files. Use role-based
administration to grant the Manage Asset Intelligence permission to the administrative
user who imports license files. The built-in role of Asset Manager includes this
permission.
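The NTFS permission and SMB signing guidance above, as an added PowerShell example that is not part of the Configuration Manager documentation. It restricts a license-file folder to SYSTEM, the local Administrators group and one importing group (so the importing account holds only the file access it needs), and reports whether this host requires SMB signing on its server and client sides before the file is copied to the site server. The folder path and the group name are placeholders; run it in an elevated session on the computer that holds the license files.

```powershell
# Added example (not from the Configuration Manager documentation): restrict a
# license-file folder to one importing group and verify SMB signing before import.
# Assumptions: the folder path and the group name below are placeholders.

$LicenseFolder = 'D:\AssetIntelligence\LicenseFiles'   # placeholder path
$ImportGroup   = 'CONTOSO\AI-License-Importers'         # placeholder group

function Protect-LicenseFolder {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$AllowedPrincipal
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent and drop the inherited entries, so only the
    # explicit entries added below remain on the folder.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    # SYSTEM and local Administrators keep full control for backup and maintenance.
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
    }
    # The importing group gets Modify (read, write, delete) and nothing more.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $AllowedPrincipal, 'Modify', $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)

    Set-Acl -LiteralPath $Path -AclObject $acl
    # Return the effective entries so the result can be reviewed or logged.
    return (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

function Test-SmbSigningRequired {
    # SMB signing protects the integrity of the file while it travels to the site
    # server. Report both the server-side and client-side requirement on this host.
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerRequiresSigning = $server.RequireSecuritySignature
        ClientRequiresSigning = $client.RequireSecuritySignature
    }
}

Protect-LicenseFolder -Path $LicenseFolder -AllowedPrincipal $ImportGroup
$signing = Test-SmbSigningRequired
if (-not ($signing.ServerRequiresSigning -and $signing.ClientRequiresSigning)) {
    Write-Warning ('SMB signing is not required on this host. Enable it with ' +
        'Set-SmbServerConfiguration -RequireSecuritySignature $true and ' +
        'Set-SmbClientConfiguration -RequireSecuritySignature $true before ' +
        'importing license files over the network.')
}
```

Protect-LicenseFolder replaces inherited permissions rather than adding to them, so check the returned access list matches what you intended before placing license files in the folder. The signing check only reports the local setting; the site server and any file server in the path need the same requirement for the transfer to be signed end to end.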

Privacy information
Asset Intelligence extends the inventory capabilities of Configuration Manager to
provide a higher level of asset visibility. Asset Intelligence information collection isn't
automatically enabled. You can modify the type of information collected by enabling
hardware inventory reporting classes. For more information, see Configure Asset
Intelligence.

Configuration Manager stores Asset Intelligence information in the site database the
same as inventory information. When clients connect to management points by using
HTTPS, the data is always encrypted during transfer to the management point. When
clients connect by using HTTP, configure the inventory data transfer to be signed and
encrypted. Inventory data isn't stored in an encrypted format in the database.
Information is kept in the database until the site maintenance task Delete Aged
Inventory History deletes it every 90 days by default. You can configure the deletion
interval.

Asset Intelligence doesn't send information about users, computers, or license usage to
Microsoft. You can choose to send System Center Online requests for categorization. For
these requests, you tag one or more uncategorized software titles and send them to
Microsoft for research and categorization. After you upload a software title, Microsoft
researchers identify and categorize the software. They then make that information
available to all customers who use the online service.

When you submit information to System Center Online, understand the following
privacy implications:

Upload applies only to generic software title information that you choose to send
to Microsoft. For example, software name and publisher. Inventory information
isn't sent to Microsoft.

Upload never occurs automatically, and the system isn't designed for this task to
be automated. Manually select and approve the upload of each software title.

Before the upload process starts, the Configuration Manager console shows you
exactly what data it will upload.

License information isn't sent to Microsoft. Configuration Manager stores the
license information in a separate area of the site database, and it can't be sent to
Microsoft.

Any software title that you upload becomes public. The knowledge of that
software and its categorization become part of the online Asset Intelligence
catalog. Other customers can then download the catalog updates.

The source of the software title isn't recorded in the Asset Intelligence catalog, and
it isn't made available to other customers. Still verify that you don't include any
application titles that contain any private information.

You can't recall uploaded data.


Example validation state transitions for
Asset Intelligence
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Asset Intelligence validation states in Configuration Manager are not static and can
change as a result of administrative actions that you take on the data stored in the
Asset Intelligence catalog. This topic provides examples of possible validation state
transitions.

Uncategorized catalog item is categorized by the administrative user

Uncategorized: An inventoried software title that has not been previously categorized by
System Center Online or that the administrative user has entered into the Asset
Intelligence catalog.

Uncategorized to UserDefined: The uncategorized item is categorized by the
administrative user.

Categorized catalog item is recategorized by the administrative user

Validated: Catalog item has been defined by System Center Online researchers and is
present in the Asset Intelligence catalog.

Validated to User Defined: The validated catalog item is re-categorized by the
administrative user.

Note

Because categorization information obtained from System Center Online is stored
in the database and cannot be deleted, the administrative user can revert back to
the System Center Online categorization later.

User-defined catalog item is recategorized by System Center Online

Uncategorized: An inventoried software title is entered into the Asset Intelligence catalog
that has not been previously categorized by System Center Online or the
administrative user.

User Defined: The uncategorized item is categorized by the administrative user.

User Defined to Updateable: A user-defined catalog item has been categorized differently
by System Center Online during subsequent manual bulk updates of the Asset
Intelligence catalog. The administrative user can use the Software Details Conflict
Resolution dialog box to decide whether to use the new categorization information or
the previous user-defined value.

Updateable to Validated: The administrative user uses the Software Details Conflict
Resolution dialog box to use the new categorization information received from System
Center Online during the previous catalog update.

or

Updateable to User Defined: The administrative user uses the Software Details Conflict
Resolution dialog box to use the previous user-defined value.

Note

Because categorization information obtained from System Center Online is stored
in the database and cannot be deleted, the administrative user can revert back to
the System Center Online categorization later.

Uncategorized catalog item is submitted to System Center Online for categorization

Uncategorized: An inventoried software title is entered into the Asset Intelligence
database that has not been previously categorized by System Center Online or the
administrative user.

Uncategorized to Pending: The uncategorized item is submitted to System Center Online
for categorization by the administrative user.

Pending to Validated: The item is categorized by System Center Online. The administrative
user imports the item into the Asset Intelligence catalog by using a bulk catalog update
or Asset Intelligence catalog synchronization. Both are available by using the Asset
Intelligence synchronization point site system role.

User-defined catalog item is submitted to System Center Online for categorization

Uncategorized: An inventoried software title is entered into the Asset Intelligence
database that has not been previously categorized by an administrative user or System
Center Online.

User Defined: You categorized the uncategorized item.

User Defined to Pending: You submit the user-defined item to System Center Online for
categorization.

Pending to Updateable: A user-defined catalog item has been categorized differently by
System Center Online during subsequent catalog synchronization. You can use the
Resolve Conflict action to decide whether to use the new categorization information or
the previous user-defined value. For more information about resolving conflicts, see
Resolve software details conflicts.

Updateable to Validated: You use the Resolve Conflict action and select the new
categorization information received from System Center Online during the previous
catalog update. For more information about resolving conflicts, see Resolve software
details conflicts.

or

Updateable to User Defined: You use the Resolve Conflict action and select to use the
previous user-defined value. For more information about resolving conflicts, see Resolve
software details conflicts.

Note

Because categorization information obtained from System Center Online is stored
in the database and cannot be deleted, you can revert back to the System Center
Online categorization later.

Example Asset Intelligence general license import file in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The example information in this topic can be used to create a sample general software license file to import software licenses into the Asset
Intelligence catalog by using the Import Software License Wizard. You can copy and paste the following table into a new Microsoft Excel
spreadsheet and save it with a .csv file name extension to be used as an example general software license import file for testing purposes.
When creating the license import file, all header fields are required while only Name, Publisher, Version, and EffectiveQuantity data values
are required in the spreadsheet. For more information about importing software licenses to the Asset Intelligence catalog, see Configuring
Asset Intelligence.

Name,Publisher,Version,Language,EffectiveQuantity,PONumber,ResellerName,DateOfPurchase,SupportPurchased,SupportExpirationDat
Software Title 1,Software publisher,1.01,English,1,Purchase number,Reseller name,10/10/2010,0,10/10/2012
Software title 2,Software publisher,1.02,English,1,Purchase number,Reseller name,10/10/2010,0,10/10/2012
Software title 3,Software publisher,1.03,English,1,Purchase number,Reseller name,10/10/2010,0,10/10/2012
Software title 4,Software publisher,1.04,English,1,Purchase number,Reseller name,10/10/2010,0,10/10/2012
Software title 5,Software publisher,1.05,English,1,Purchase number,Reseller name,10/10/2010,0,10/10/2012
Software title 6,Software publisher,1.06,English,1,Purchase number,Reseller name,10/10/2010,0,10/10/2012
Software title 7,Software publisher,1.07,English,1,Purchase number,Reseller name,10/10/2010,0,10/10/2012
Software title 8,Software publisher,1.08,English,1,Purchase number,Reseller name,10/10/2010,0,10/10/2012
Software title 9,Software publisher,1.09,English,1,Purchase number,Reseller name,10/10/2010,0,10/10/2012
Software title 10,Software publisher,1.10,English,1,Purchase number,Reseller name,10/10/2010,0,10/10/2012
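The license import file described above, as an added PowerShell example that is not part of the Configuration Manager documentation. It builds rows with every header column present (all headers are required by the wizard), checks that the four required values (Name, Publisher, Version, EffectiveQuantity) are filled in before anything is written, and exports a plain CSV. The output path is a placeholder, and because the last header is cut off in the rendered table above, the example assumes its full name is SupportExpirationDate.

```powershell
# Added example (not from the Configuration Manager documentation): build a general
# license import file with all required headers and check the required values.
# Assumptions: the output path is a placeholder; the last header name
# SupportExpirationDate is assumed (it is cut off in the rendered table).

$Headers = 'Name','Publisher','Version','Language','EffectiveQuantity',
           'PONumber','ResellerName','DateOfPurchase','SupportPurchased','SupportExpirationDate'
$RequiredValues = 'Name','Publisher','Version','EffectiveQuantity'

function New-LicenseImportRow {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Publisher,
        [Parameter(Mandatory)][string]$Version,
        [string]$Language = 'English',
        [Parameter(Mandatory)][int]$EffectiveQuantity,
        [string]$PONumber = '',
        [string]$ResellerName = '',
        [string]$DateOfPurchase = '',
        [int]$SupportPurchased = 0,
        [string]$SupportExpirationDate = ''
    )
    # Emit the properties in header order so Export-Csv writes the columns in the
    # order shown in the example table.
    $row = [ordered]@{}
    foreach ($h in $Headers) { $row[$h] = (Get-Variable -Name $h -ValueOnly) }
    [pscustomobject]$row
}

function Test-LicenseImportRows {
    param([Parameter(Mandatory)][object[]]$Rows)
    # Returns one message per problem; an empty result means the rows are importable.
    $problems = @()
    for ($i = 0; $i -lt $Rows.Count; $i++) {
        foreach ($col in $Headers) {
            if (-not ($Rows[$i].PSObject.Properties.Name -contains $col)) {
                $problems += "Row $($i + 1): missing column '$col' (all headers are required)"
            }
        }
        foreach ($col in $RequiredValues) {
            if ([string]::IsNullOrWhiteSpace([string]$Rows[$i].$col)) {
                $problems += "Row $($i + 1): required value '$col' is empty"
            }
        }
    }
    return $problems
}

# Constructed sample rows that mirror the example table above.
$rows = 1..10 | ForEach-Object {
    New-LicenseImportRow -Name "Software title $_" -Publisher 'Software publisher' `
        -Version ('1.{0:D2}' -f $_) -EffectiveQuantity 1 -PONumber 'Purchase number' `
        -ResellerName 'Reseller name' -DateOfPurchase '10/10/2010' `
        -SupportPurchased 0 -SupportExpirationDate '10/10/2012'
}

$problems = Test-LicenseImportRows -Rows $rows
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; return }

# Plain CSV with a header row, which is what the Import Software License Wizard reads.
$OutFile = 'C:\Temp\GeneralLicenseStatement.csv'   # placeholder path
$rows | Export-Csv -LiteralPath $OutFile -NoTypeInformation -Encoding UTF8
```

Because the file carries purchase and reseller details, write it into a folder protected as described under Secure license files, and remove it after the import completes.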

Manage Microsoft Lifecycle Policy with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the Configuration Manager product lifecycle dashboard to view the Microsoft
Lifecycle Policy. The dashboard shows the state of the Microsoft Lifecycle Policy for
Microsoft products installed on devices managed with Configuration Manager. It also
provides you with information about Microsoft products in your environment,
supportability state, and support end dates. Use the dashboard to understand the
availability of support for each product. This information helps you plan for when to
update the Microsoft products you use before their current end of support is reached.

For more information, see the Microsoft Lifecycle Policy.

Prerequisites
To see data in the product lifecycle dashboard, the following components are required:

Install Internet Explorer 9 or later on the computer that runs the Configuration
Manager console.

To get updates for the data on this dashboard, the service connection point must
be online. If the service connection point is in offline mode, synchronize it
regularly. For more information, see About the service connection point.

In version 2111 and earlier: Configure and synchronize the asset intelligence
synchronization point. The dashboard uses the asset intelligence catalog as
metadata for product titles. Configuration Manager compares this metadata
against inventory data in your hierarchy. For more information, see Configure asset
intelligence in Configuration Manager.

Note

Starting in version 2203, the product lifecycle dashboard isn't dependent on
the asset intelligence synchronization point.

Enable asset intelligence hardware inventory classes. The lifecycle dashboard
depends on these classes. The dashboard won't display data until clients scan for
and return hardware inventory.

Use the product lifecycle dashboard


To access the lifecycle dashboard in the Configuration Manager console, go to the
Assets and Compliance workspace, expand Asset Intelligence, and select the Product
Lifecycle node.

Based on inventory data the site collects from managed devices, the dashboard displays
information about all current products. However, the information displayed for
operating systems and SQL Server is limited to the following versions:

Windows Server 2008 and later

Windows XP and later

SQL Server 2008 and later

Note

The data in the dashboard is based on the site the Configuration Manager console
connects to. If the console connects to your top-tier site, you see data for the entire
hierarchy. When connected to a child primary site, only data from that site displays.

Product lifecycle dashboard

Change the view by selecting one of the following options from the Product category
list:

All: View all products together

Windows Client: View Windows client OS versions

Windows Server: View Windows server OS versions

Database: View SQL Server versions

Configuration Manager: View Configuration Manager versions

Microsoft Office: View information for installed versions of Office 2003 through
Office 2016

The dashboard has the following tiles:

Top 5 products past end-of-support: This tile is a consolidated data view of
products found in your environment past their end-of-support. The graph shows
installed software that's expired when compared against the support lifecycle for
operating systems and SQL Server products.

Top 5 products nearing end-of-support: This tile is a consolidated data view of
products found in your environment that are nearing end-of-support in the next 18
months. The graph shows installed software that's within 18 months of end-of-
support when compared against the support lifecycle for operating systems and
SQL Server products.

Starting in version 2103, use the time slider to control the timeframe for this tile.
The default is 18 months, but you can adjust it from 1 to 36 months.

Lifecycle data for installed products: This tile gives you a general idea of when a
product transitions from supported to the expired state. The chart provides a
breakdown of the number of clients where the product is installed, the support
availability state, and a link to learn more about the next steps to take. The
following information is included in the chart:
Support time remaining
Number in environment
Mainstream support end date
Extended support end date
Next steps

Starting in version 2103, the dashboard also has a subnode, All Product Lifecycle Data.
You can sort and filter the product lifecycle information, which gives you multiple ways
to view it. When you select a product, you can View devices for that product. From the
list of devices, you can create a direct membership collection. Use this action to deploy
the latest software versions to these collections so that the devices are kept current.

Important

The information shown in this dashboard is provided for your convenience and
only for use internally within your company. You should not solely rely on this
information to confirm compliance. Be sure to verify the accuracy of the
information provided to you, along with availability of support information by
visiting the Microsoft Lifecycle Policy.

Reporting
Other reports are available as well. In the Configuration Manager console, go to the
Monitoring workspace, expand Reporting, and expand Reports. The following reports
are added under the category Asset Intelligence:

Lifecycle 01A - Computers with a specific software product: View a list of
computers on which a specified product is detected.

Lifecycle 02A - List of machines with expired products in the organization: View
computers that have expired products on them. You can filter this report by
product name.

Lifecycle 03A - List of expired products found in the organization: View details
for products in your environment that have expired lifecycle dates.

Lifecycle 04A - General Product Lifecycle overview: View a list of product
lifecycles. Filter the list by product name and days to expiration.

Lifecycle 05A - Product lifecycle dashboard: This report includes similar
information as the in-console dashboard. Select a category to view the count of
products in your environment, and the days of support remaining.

For more information, see List of reports.


Asset intelligence deprecation
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Starting in November 2021, the asset intelligence feature of Configuration Manager is
deprecated. This article provides more detail about the specific functional areas of asset
intelligence that are deprecated or still supported.

Deprecated functionality
The following functional areas are deprecated and may be removed in a future version.
Support for these areas will end November 2022.

The asset intelligence catalog, which includes the following functionality:

   Cloud updates to the predefined software title information such as product
   name and vendor

   Cloud updates to the predefined software categories and software families and
   the associated SQL views and reports

   Cloud updates to the predefined hardware requirements for software titles and
   the associated SQL views and reports

The asset intelligence synchronization point, which includes the following
functionality:

   Catalog synchronization

   The ability to request catalog updates for uncategorized software

The Microsoft Volume License import and reconciliation including the associated
SQL views and reports

Supported functionality
The following functional areas aren't currently included in the deprecation and will
remain supported:

The inventoried software titles, which includes the following functionality:

   Asset intelligence hardware inventory reporting WMI classes

   The associated SQL views:

      Asset intelligence hardware inventory views

      Asset intelligence status view

   The associated reports

The product lifecycle dashboard and its associated reports

The General License Statement import and reconciliation and the associated SQL
views and reports

The ability to view the asset intelligence inventory in the console from the
Inventoried Software node

The existing static, predefined software title information provided with setup for
new and existing sites:
Product name
Vendor
Product category
Product family
Hardware requirement

The ability to customize the inventoried software title information such as the
product name and vendor

The ability to add custom software categories, families, and labels to inventoried
software titles

The ability for an administrator to add custom hardware requirements to
inventoried software titles

References
Asset intelligence reports

Asset intelligence client WMI classes

Asset intelligence views


Introduction to remote control in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use remote control to remotely administer, provide assistance, or view any client
computer in the hierarchy. You can use remote control to troubleshoot hardware and
software configuration problems on client computers and to provide support.
Configuration Manager supports the remote control of all workgroup computers and
domain-joined computers that run supported operating systems for the Configuration
Manager client. For more information, see Supported operating systems for clients and
devices for Configuration Manager.

Configuration Manager also lets you configure client settings to run Windows Remote
Desktop and Remote Assistance from the Configuration Manager console.

Note

You cannot establish a Remote Assistance session from the Configuration Manager
console to a client computer that is in a workgroup.

You can start a remote control session in the Configuration Manager console from
Assets and Compliance > Devices, from any device collection, from the Windows
Command Prompt window, or from the Windows Start menu.

Prerequisites for remote control in Configuration Manager
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

Remote control in Configuration Manager has external dependencies and dependencies
in the product.

Dependencies external to Configuration Manager
To help improve performance, install the most up-to-date video driver on client devices.

You can't use Configuration Manager remote control to remotely administer client
computers that run versions of the Configuration Manager client earlier than current
branch.

Note

No Windows services are required as an external dependency for remote control.

Supported operating systems for the remote control viewer
The remote control viewer is supported on all operating systems that are supported for
the Configuration Manager console. For information, see Supported configurations for
Configuration Manager consoles.

The following OS versions don't support the remote control viewer, but they do support
the remote control client:

Windows Embedded
Windows Embedded for Point of Service (POS)
Windows Fundamentals for Legacy PCs

Configuration Manager dependencies

Enable remote control
By default, remote control isn't enabled when you install Configuration Manager. For
more information about how to enable and configure remote control, see Configure
remote control.

Reporting
Before you can run reports for remote control, install the reporting services point site
system role. For more information, see Introduction to reporting.

Security permissions
To access collection resources and to start a remote control session from the
Configuration Manager console, your account needs the Read, Read Resource, and
Remote Control permissions for the Collection object.

The Remote Tools Operator security role includes the permissions that are
required to manage remote control in Configuration Manager.

Permitted viewers must be given permission to use remote control by adding these
users to the Permitted viewers of Remote Control and Remote Assistance list in
the Remote Tools client settings.

For more information, see Configure role-based administration.

Remote clients
Remote tools aren't supported for clients that are connected remotely. For example, you
can't remote control a client that communicates with the site through a cloud
management gateway (CMG). For more information about the network ports required
for remote tools, see Ports used in Configuration Manager.

Tip

For tenant-attached devices, remote tools are available in the Microsoft Intune
admin center. For more information, see Support for remote tools.

Next steps
Configure remote control

Configuring remote control in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This procedure describes configuring the default client settings for remote control.
These settings apply to all computers in your hierarchy. If you want these settings to
apply to only some computers, assign a custom device client setting to a collection that
contains those computers. For more information, see How to configure client settings.

To use Remote Assistance or Remote Desktop, it must be installed and configured on
the computer that runs the Configuration Manager console. For more information about
how to install and configure Remote Assistance or Remote Desktop, see your Windows
documentation.

To enable remote control and configure client settings

1. In the Configuration Manager console, choose Administration > Client Settings >
Default Client Settings.

2. On the Home tab, in the Properties group, choose Properties.

3. In the Default dialog box, choose Remote Tools.

4. Configure the remote control, Remote Assistance and Remote Desktop client
settings. For a list of remote tools client settings that you can configure, see
Remote Tools.

You can change the company name that appears in the ConfigMgr Remote
Control dialog box by configuring a value for Organization name displayed in
Software Center in the Computer Agent client settings.

Client computers are configured with these settings the next time they download
client policy. To initiate policy retrieval for a single client, see How to manage
clients.

Enable keyboard translation

By default, Configuration Manager transmits the key position from the viewer's location
to the sharer's location. This can present a problem for keyboard configurations that
differ from viewer to sharer. For example, a viewer with an English keyboard would type
an "A", but the sharer's French keyboard would provide a "Q". You now have the option
of configuring remote control so that the character itself is transmitted from the viewer's
keyboard to the sharer, and what the viewer intends to type arrives at the sharer.

To turn on keyboard translation, in Configuration Manager Remote Control, choose
Action, and then choose Enable keyboard translation to transmit key position.

Note

Special keys, such as ~!#@$%, will not be translated correctly.

Keyboard shortcuts for the remote control viewer

Alt+Page Up: Switches between running programs from left to right.

Alt+Page Down: Switches between running programs from right to left.

Alt+Insert: Cycles through running programs in the order that they were opened.

Alt+Home: Displays the Start menu.

Ctrl+Alt+End: Displays the Windows Security dialog box (Ctrl+Alt+Del).

Alt+Delete: Displays the Windows menu.

Ctrl+Alt+Minus Sign (on the numeric keypad): Copies the active window of the local
computer to the remote computer Clipboard.

Ctrl+Alt+Plus Sign (on the numeric keypad): Copies the entire local computer's window
area to the remote computer Clipboard.

How to remotely administer a Windows client computer by using Configuration
Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager allows you to connect to client computers using Configuration
Manager Remote Control. Before you begin to use remote control, ensure that you
review the information in the following articles:

Prerequisites for remote control

Configuring remote control

Here are three ways to start the remote control viewer:

In the Configuration Manager console.

In a Windows command prompt.

From the Windows Start menu, on a computer that runs the Configuration
Manager console, in the Microsoft Endpoint Manager program group.

Note

The above Start menu path is for versions from November 2019 (version 1910)
or later. In earlier versions, the folder name is Microsoft System Center.

To remotely administer a client computer from the Configuration Manager console
1. In the Configuration Manager console, choose Assets and Compliance > Devices
or Device Collections.

2. Select the computer that you want to remotely administer and then, in the Home
tab, in the Device group, choose Start > Remote Control.

Important

If the client setting Prompt user for Remote Control permission is set to True,
the connection does not initiate until the user at the remote computer agrees
to the remote control prompt. For more information, see Configuring remote
control.

3. After the Configuration Manager Remote Control window opens, you can
remotely administer the client computer. Use the following options to configure
the connection.

Note

If the computer that you connect to has multiple monitors, the display from
all the monitors is shown in the remote control window.

File
Connect - Connect to another computer. This option is unavailable when a
remote control session is active.
Disconnect - Disconnects the active remote control session but doesn't
close the Configuration Manager Remote Control window.
Exit - Disconnects the active remote control session and closes the
Configuration Manager Remote Control window.

Note

When you disconnect a remote control session, the contents of the
Windows Clipboard on the computer that you are viewing is deleted.

View
Color depth - Choose either 16 bits or 32 bits per pixel.
Full Screen - Maximizes the Configuration Manager Remote Control
window. To exit full screen mode, press Ctrl+Alt+Break.
Optimize for low bandwidth connection - Choose this option if the
connection is low bandwidth.
Display:
All Screens - If the computer that you connect to has multiple monitors,
the display from all the monitors is shown in the remote control
window.
First Screen - The first screen is at the top and far left as shown in
Windows display settings. You can't select a specific screen. When you
switch the configuration of the viewer, reconnect the remote session.
The viewer saves your preference for future connections.
Scale to Fit - Scales the display of the remote computer to fit the size of
the Configuration Manager Remote Control window.
Status Bar - Toggles the display of the Configuration Manager Remote
Control window status bar.

Note

The viewer saves your preference for future connections.

Action
Send Ctrl+Alt+Del Key - Sends a Ctrl+Alt+Del key combination to the
remote computer.
Enable Clipboard Sharing - Lets you copy and paste items to and from the
remote computer. If you change this value, you must restart the remote
control session for the change to take effect.
If you don't want clipboard sharing to be enabled in the Configuration
Manager console, on the computer running the console, set the value
of the registry key
HKEY_CURRENT_USER\Software\Microsoft\ConfigMgr10\Remote Control\Clipboard Sharing
to 0.
Enable Keyboard Translation - Translates the keyboard layout of the
computer running the console to the connected device's layout.
Lock Remote Keyboard and Mouse - Locks the remote keyboard and
mouse to prevent the user from operating the remote computer.

Help
About Remote Control - Displays the current version of the viewer.

4. Users at the remote computer can view more information about the remote
control session when they click the Configuration Manager Remote Control icon.
The icon is in the Windows notification area or the icon on the remote control
session bar.

To start the remote control viewer from the


Windows command line
At the Windows command prompt, type <Configuration Manager Installation
Folder>\AdminConsole\Bin\i386\CmRcViewer.exe
CmRcViewer.exe supports the following command-line options:

Address - Specifies the NetBIOS name, the fully qualified domain name (FQDN), or
the IP address of the client computer that you want to connect to.
Site Server Name - Specifies the name of the Configuration Manager site server to
which you want to send status messages that are related to the remote control
session.
/? - Displays the command-line options for the remote control viewer.

Example: CmRcViewer.exe <Address> <\\Site Server Name>

Note

The remote control viewer is supported on all operating systems that are supported
for the Configuration Manager console. For more information, see Supported
configurations for Configuration Manager consoles and Prerequisites for remote
control.

Next steps
Audit remote control usage
How to audit remote control usage in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can use Configuration Manager reports to view audit information for remote
control.

For more information about how to configure reporting in Configuration Manager, see
Introduction to reporting.

The following two reports are available with the category Status Messages - Audit:

Remote Control - All computers remote controlled by a specific user - Displays a
summary of remote control activity that a specific user initiated.

Remote Control - All remote control information - Displays a summary of status
messages about remote control of client computers.

To run the report Remote Control - All computers remote controlled by a specific user
1. In the Configuration Manager console, click Monitoring.

2. In the Monitoring workspace, expand Reporting, and then click Reports.

3. In the Reports node, click the Category column to sort the reports so that you can
more easily find the reports in the category Status Messages - Audit.

4. Select the report Remote Control - All computers remote controlled by a specific
user, and then, on the Home tab, in the Report Group, click Run.

5. In the User Name list of the Remote Control - All computers remote controlled
by a specific user report, specify the user that you want to report audit
information for, and then click View Report.

6. When you have finished viewing the data in the report, close the report window.

To run the report Remote Control - All remote control information
1. In the Configuration Manager console, click Monitoring.

2. In the Monitoring workspace, expand Reporting, and then click Reports.

3. In the Reports node, click the Category column to sort the reports so that you can
more easily find the reports in the category Status Messages - Audit.

4. Select the report Remote Control - All remote control information, and then, on
the Home tab, in the Report Group, click Run to open the Remote Control - All
remote control information window.

5. When you have finished viewing data in the report, close the report window.
Security and privacy for remote control in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This topic contains security and privacy information for remote control in Configuration
Manager.

Security best practices for remote control


Use the following security best practices when you manage client computers by using
remote control.

Security best practice: When you connect to a remote computer, do not continue if
NTLM instead of Kerberos authentication is used.
More information: When Configuration Manager detects that the remote control session
is authenticated by using NTLM instead of Kerberos, you see a prompt that warns you
that the identity of the remote computer cannot be verified. Do not continue with the
remote control session. NTLM authentication is a weaker authentication protocol than
Kerberos and is vulnerable to replay and impersonation.

Security best practice: Do not enable Clipboard sharing in the remote control viewer.
More information: The Clipboard supports objects such as executable files and text and
could be used by the user on the host computer during the remote control session to
run a program on the originating computer.

Security best practice: Do not enter passwords for privileged accounts when remotely
administering a computer.
More information: Software that observes keyboard input could capture the password. Or,
if the program that is being run on the client computer is not the program that the
remote control user assumes, the program might be capturing the password. When
accounts and passwords are required, the end user should enter them.

Security best practice: Lock the keyboard and mouse during a remote control session.
More information: If Configuration Manager detects that the remote control connection
is terminated, Configuration Manager automatically locks the keyboard and mouse so
that a user cannot take control of the open remote control session. However, this
detection might not occur immediately and does not occur if the remote control
service is terminated. Select the action Lock Remote Keyboard and Mouse in the
ConfigMgr Remote Control window.

Security best practice: Do not let users configure remote control settings in
Software Center.
More information: Do not enable the client setting Users can change policy or
notification settings in Software Center, to help prevent users from being spied on.
If one user changes it, it can allow a different user on the same machine to be
viewed remotely. This setting is for the computer, not for the logged-on user.

Security best practice: Enable the Domain Windows Firewall profile.
More information: Enable the client setting Enable remote control on clients Firewall
exception profiles, and then select the Domain Windows Firewall profile for intranet
computers.

Security best practice: If you log off during a remote control session and log on as
a different user, ensure that you log off before you disconnect the remote control
session.
More information: If you do not log off in this scenario, the session remains open.

Security best practice: Do not give users local administrator rights.
More information: When you give users local administrator rights, they might be able
to take over your remote control session or compromise your credentials.

Security best practice: Use either Group Policy or Configuration Manager to configure
Remote Assistance settings, but not both.
More information: You can use Configuration Manager and Group Policy to make
configuration changes to the Remote Assistance settings. When Group Policy is
refreshed on the client, by default, it optimizes the process by changing only the
policies that have changed on the server. Configuration Manager changes the settings
in the local security policy, which might not be overwritten unless the Group Policy
update is forced. Setting policy in both places might lead to inconsistent results.
Choose one of these methods to configure your Remote Assistance settings.

Security best practice: Enable the client setting Prompt user for Remote Control
permission.
More information: Although there are ways around this client setting that prompts a
user to confirm a remote control session, enable this setting to reduce the chance of
users being spied upon while working on confidential tasks. In addition, educate
users to verify the account name that is displayed during the remote control session
and disconnect the session if they suspect that the account is unauthorized.

Security best practice: Limit the Permitted Viewers list.
More information: Local administrator rights are not required for a user to be able
to use remote control.

Security issues for remote control


Managing client computers by using remote control has the following security issues:

Do not consider remote control audit messages to be reliable.

If you start a remote control session and then log on by using alternative
credentials, the original account sends the audit messages, not the account that
used the alternative credentials.

Audit messages are not sent if you copy the binary files for remote control rather
than install the Configuration Manager console, and then run remote control at the
command prompt.
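An added PowerShell example, not from the Configuration Manager documentation or the product, that checks two of the points above on a computer running the Configuration Manager console: the per-user Clipboard Sharing registry value that the viewer's Action menu writes, and whether any running CmRcViewer.exe was started from the installed console rather than from copied binaries (which, as noted above, do not send audit messages). The console installation folder is an assumption you supply.

```powershell
# Added example; not part of the Configuration Manager documentation or product.
# Assumptions: $ConsoleRoot is the "<Configuration Manager Installation Folder>"
# from the article; the registry path and the CmRcViewer.exe location below are
# the ones the article names.

function Get-CmRcClipboardSharingState {
    # Per-user viewer preference named in the article. A value of 0 means
    # clipboard sharing is disabled for this user's remote control sessions.
    $key  = 'HKCU:\Software\Microsoft\ConfigMgr10\Remote Control'
    $name = 'Clipboard Sharing'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No saved preference: the viewer has not been told to disable sharing.
        return [pscustomobject]@{ Value = $null; SharingDisabled = $false }
    }
    $value = [int]$item.$name
    [pscustomobject]@{ Value = $value; SharingDisabled = ($value -eq 0) }
}

function Disable-CmRcClipboardSharing {
    # Applies the article's recommendation for the current user: set the value to 0.
    $key = 'HKCU:\Software\Microsoft\ConfigMgr10\Remote Control'
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    Set-ItemProperty -Path $key -Name 'Clipboard Sharing' -Value 0 -Type DWord
    Get-CmRcClipboardSharingState
}

function Get-CmRcViewerProcess {
    # Lists running remote control viewers and whether each one was started from
    # the installed console. The article states that a viewer run from copied
    # binaries does not send audit status messages, so a viewer whose path is
    # outside the install folder is worth a closer look.
    param([Parameter(Mandatory)][string]$ConsoleRoot)

    $expected = Join-Path -Path $ConsoleRoot -ChildPath 'AdminConsole\Bin\i386\CmRcViewer.exe'
    Get-Process -Name CmRcViewer -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            ProcessId            = $_.Id
            Path                 = $_.Path        # may be $null if access is denied
            StartTime            = $_.StartTime
            FromInstalledConsole = ($_.Path -eq $expected)   # -eq ignores case
        }
    }
}

# Example usage. The install folder below is a placeholder, not a real default.
# Get-CmRcClipboardSharingState
# Disable-CmRcClipboardSharing
# Get-CmRcViewerProcess -ConsoleRoot 'C:\Path\To\ConfigMgrInstallFolder'
```

Because the registry value is under HKEY_CURRENT_USER, run the check in the context of each account that uses the console; a value set for one administrator does not cover another.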

Privacy information for remote control


Remote control lets you view active sessions on Configuration Manager client
computers and potentially view any information stored on those computers. By default,
remote control is not enabled.

Although you can configure remote control to provide prominent notice and get
consent from a user before a remote control session begins, it can also monitor users
without their permission or awareness. You can configure the View Only access level so
that nothing can be changed on the remote computer, or Full Control. The account of
the connecting administrator is displayed in the remote control session, to help users
identify who is connecting to their computer.

By default, Configuration Manager grants the local Administrators group Remote
Control permissions.

Before you configure remote control, consider your privacy requirements.


Introduction to power management in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Power Management in Configuration Manager addresses the need that many
organizations have to monitor and reduce the power consumption of their computers.
The feature takes advantage of the power management features built into Windows to
apply relevant and consistent settings to computers in the organization. You can apply
different power settings to computers during business hours and nonbusiness hours.
For example, you might want to apply a more restrictive power plan to computers
during nonbusiness hours. In cases where computers must always remain turned on, you
can prevent power management settings from being applied.

Power management in Configuration Manager includes several reports to help you
analyze power consumption and computer power settings in your organization. You can
also use the reports to help you troubleshoot problems with power management.

For a detailed workflow about how to configure and use power management, see
Administrator checklist for power management.

Important

Configuration Manager power management is not supported on virtual machines.
You cannot apply power plans to virtual machines, nor can you report power
data from them.

The power management workflow


Use the following three phases to plan and implement power management in
Configuration Manager.

Monitoring and planning phase


Power Management uses Configuration Manager hardware inventory to collect data
about computer usage and power settings for computers in the site. There are a number
of reports that you can use to analyze this data and determine the optimal power
management settings for computers. For example, during the monitoring and planning
phase of the power management workflow, you can create collections that are based on
the data that is included in the Power Capabilities report and use that data to identify
the computers that are not capable of power management. Then, you can exclude those
computers from power management.

Important

Do not apply power plans to computers in your site until you collect and analyze
the power data from client computers. If you apply new power management
settings to computers without first examining the existing settings, you might
experience an increase in power consumption.

Enforcement phase
Power management lets you create power plans that you can apply to collections of
computers in your site. These power plans configure Windows power management
settings on computers. You can use the power plans that are included with
Configuration Manager, or you can configure your own custom power plans. You can
use the power data that is collected during the monitoring and planning phase as a
baseline to help you evaluate power savings after you apply a power plan to computers.
For more information, see Administrator checklist for power management.

Compliance phase
In the compliance phase, you can run reports that help you to evaluate power usage
and power cost savings in your organization. You can also run reports that describe the
improvements in the amount of CO2 generated by computers. Reports are also available
that help you validate that power settings were correctly applied to computers and that
help you troubleshoot problems with the power management feature.
Prerequisites for power management in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Power management in Configuration Manager has external dependencies and
dependencies within the product.

Dependencies external to Configuration Manager
The following table lists the dependencies external to Configuration Manager for using
power management.

Dependency: Client computers must be able to support the required power states.
More information: To use all features of power management, client computers must be
able to support the sleep, hibernate, wake from sleep, and wake from hibernate
actions. You can use the Power Capabilities report to determine if computers can
support these actions. For more information, see Power Capabilities report in the
topic How to monitor and plan for power management.

Configuration Manager dependencies


The following table lists the dependencies within Configuration Manager for using
power management.

Dependency: Power management must be enabled before you can create and monitor
power plans.
More information: For information about how to enable and configure power
management, see Configuring power management.

Dependency: Reporting services point.
More information: You must configure a reporting services point before you can view
power management reports. For more information, see Introduction to reporting.
Recommendations for power management in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the following recommendations for power management in Configuration Manager.

Monitor at a representative time


The monitoring phase of power management provides you with the following
information from computers in your organization:

Power consumption
Activity
Power management capabilities
Environmental impact

Choose a representative time to monitor the devices. For example, monitoring during a
public holiday doesn't provide a realistic report on computer power usage.

Create a control collection


Create two collections of computers to help you monitor the effects of applying power
plans to computers. The first collection should contain the majority of the computers to
which you want to apply power settings. The control collection should contain the
remaining computers. Apply the required power management plan to the first
collection. Then run reports to compare the impact between the two collections.

Run reports before you apply a plan


Before you apply a power management plan to a collection of computers, run the Power
Settings report. Use this report to help you understand the power management settings
that are already configured on computers in the collection. If you apply new power
management settings to computers without first examining the existing settings, it
might increase their power consumption.

Exclude servers
Power management for computers that run Windows Server isn't supported. Add
servers to a collection and exclude it from power management.

Note

Although Configuration Manager doesn't support power management of Windows
Server, it still collects power usage data for analysis and reporting.

Exclude other computers


If you have computers that you don't want to manage with power management, add
these computers to an exclusion collection.

You might want to exclude from power management the following types of computers:

Computers that must remain turned on.

Computers that users need to connect to remotely.

Computers that can't use power management.

Computers that have the distribution point site system role.

Public computers such as kiosk computers, information displays, or monitoring
consoles where the computer and the monitor must always be turned on.

For more information, see Configuring power management.

Apply power plans to a test collection


Always test the effect of applying a power management plan on a test collection of
computers before you apply the power plan to a larger collection of computers.

When you exclude a computer from power management, all power settings revert to
their original values. You can't revert individual power settings to their original values.

Apply power plan settings individually


Monitor the effect of applying each power setting before you apply the next one. This
process makes sure that each setting has the required effect. For more information
about power plan settings, see Available power management plan settings.
Regularly monitor computers for multiple power plans
Power management includes a report that displays computers that have more than one
power plan applied: Computers with Multiple Power Plans.

If a computer is a member of multiple collections, each applying different power plans,
then the following behaviors apply:

Power plan: If you apply multiple values for power settings to a computer, it uses
the least restrictive value.

Wakeup time: If you apply multiple wakeup times to a desktop computer, it uses
the time closest to midnight.

For more information, see Computers with multiple power plans.

Save or export power management information
When you run reports during the monitoring and compliance phases, save or export the
results. Keep the data for later comparison in case Configuration Manager later removes
the data.

Configuration Manager keeps in the site database the following power management
information:

Power management information used by daily reports: 31 days

Power management information used by monthly reports: 13 months


Administrator checklist for power management in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This administrator checklist provides the recommended steps for using Configuration
Manager power management in your organization.

Configuring power management


Use these steps to help you configure your hierarchy to collect power management
information from client computers.

Important

Do not apply power plans to computers in your hierarchy until you have collected
and analyzed power data from client computers. If you apply new power
management settings to computers without first examining the existing settings,
this might lead to an increase in power consumption.

Task: Review the power management concepts in the Configuration Manager
documentation library.
Details: See Introduction to power management.

Task: Review the power management prerequisites in the Configuration Manager
documentation library.
Details: See Prerequisites for power management.

Task: Review the best practices information for power management.
Details: See Best practices for power management.

Task: Configure your collections to manage power consumption from computers within
your environment.
Details: Use the Collection for reporting of baseline data, Collection of computers
incapable of power management, Collections of computers to which power plans will be
applied, and Collections of computers that are running Windows Server to help you
manage power settings for computers in your hierarchy. You can create multiple
collections and apply different power plans to each collection.

Task: Enable power management.
Details: Before you can begin to use power management, you must enable it and
configure the required client settings. For more information, see Configuring power
management.

Task: Collect power management information from client computers.
Details: Power management data is reported by clients through Configuration Manager
hardware inventory. Depending on the hardware inventory schedule that you have
configured, it might take some time to retrieve inventory from all client computers.

Monitoring and planning phase


Task: Run the report Computer Activity.
Details: The Computer Activity report displays a graph showing monitor, computer, and
user activity for a specified collection over a specified time period. This report
links to the Computer Activity Details report, which displays the sleep and wake
capabilities of computers in the specified collection. For more information, see
How to monitor and plan for power management.

Task: Run the report Energy Consumption or Energy Consumption by Day.
Details: The Energy Consumption and Energy Consumption by Day reports display the
total monthly power consumption in kilowatt-hours (kWh) for a specified collection
over a specified time period. For more information, see How to monitor and plan for
power management.

Task: Run the report Environmental Impact or Environmental Impact by Day.
Details: The Environmental Impact and Environmental Impact by Day reports display a
graph showing carbon dioxide (CO2) emissions saved by a specified collection of
computers for a specified period of time. For more information, see How to monitor
and plan for power management.

Task: Run the report Energy Cost or Energy Cost by Day.
Details: The Energy Cost and Energy Cost by Day reports display the total power
consumption cost for a specified period of time. For more information, see How to
monitor and plan for power management.

Task: Run the report Power Capabilities.
Details: The Power Capabilities report displays the power management capabilities of
computers in the specified collection. For more information, see How to monitor and
plan for power management.

Task: Run the report Power Settings.
Details: The Power Settings report displays an aggregated list of the current power
settings used by computers in a specified collection. For more information, see How
to monitor and plan for power management.

Task: Exclude any required collections of computers from power management.
Details: See Configuring power management.

Important

Ensure that you save the information from power management reports generated
during the monitoring and planning phase. You can compare this data to power
management information generated during the enforcement and compliance
phases to help you evaluate the power usage, power cost, and environmental
impact savings from applying a power plan to computers in your hierarchy.

Enforcement phase
Task: Select existing power plans or create new power plans for collections of
computers in your organization.
Details: See How to create and apply power plans.

Task: Apply these power plans to computers.
Details: See How to create and apply power plans.

Compliance phase
Task: Run the report Computer Activity.
Details: The Computer Activity report displays a graph showing monitor, computer, and
user activity for a specified collection over a specified time period. This report
links to the Power Computer Activity Details report, which displays the sleep and
wake capabilities of computers in the specified collection. For more information,
see How to monitor and plan for power management.

Task: Run the report Energy Consumption or Energy Consumption by Day.
Details: The Energy Consumption and Energy Consumption by Day reports display the
total monthly power consumption in kilowatt-hours (kWh) for a specified collection
over a specified time period. For more information, see How to monitor and plan for
power management.

Task: Run the report Environmental Impact or Environmental Impact by Day.
Details: The Environmental Impact and Environmental Impact by Day reports display a
graph showing carbon dioxide (CO2) emissions saved by a specified collection of
computers for a specified period of time. For more information, see How to monitor
and plan for power management.

Task: Run the report Energy Cost or Energy Cost by Day.
Details: The Energy Cost and Energy Cost by Day reports display the total power
consumption cost for a specified period of time. For more information, see How to
monitor and plan for power management.

Troubleshooting
Task: If computers in your hierarchy have not entered sleep or hibernate, run the
report Insomnia Report to display possible causes.
Details: The Insomnia Report displays a list of common causes that prevented
computers from entering sleep or hibernate and the number of computers affected by
each cause for a specified time period. For more information, see How to monitor and
plan for power management.

Task: If multiple power plans are applied to one computer, then the least restrictive
power plan is applied. Run the report Computers with Multiple Power Plans to see
computers with multiple power plans applied.
Details: See Computers with Multiple Power Plans in How to monitor and plan for power
management.
Configure power management in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article explains how to set up power management in Configuration Manager.

Enable and configure client settings


This procedure configures the default client settings for power management. It applies to
all the computers in your hierarchy.

If you want to apply these settings to only some computers, create a custom device
client setting. Then assign it to a collection that contains the computers for power
management. For more information, see How to configure client settings.

1. In the Configuration Manager console, go to the Administration workspace, select
the Client Settings node, and select Default Client Settings.

2. On the Home tab of the ribbon, in the Properties group, select Properties.

3. Select the Power Management group.

4. Enable the client setting to Allow power management of devices.

5. Configure the additional client settings that you require. For more information, see
About client settings - Power Management.

Clients configure these settings when they next download client policy. To initiate policy
retrieval for a single client, see How to manage clients.

Exclude computers
You can prevent collections of computers from receiving power management settings. If
a computer is a member of any collection that you exclude from power management
settings, that computer doesn't apply power management settings. This behavior
applies even if it's a member of another collection that does apply power management
settings.
You might want to exclude computers from power management for the following
reasons:

You have a business requirement for computers to be turned on at all times.

You have a control collection of computers on which you don't want to apply
power management settings.

Some of your computers are incapable of applying power management settings.

You want to exclude computers that run Windows Server from power
management.

Note

If you configure the client setting to Allow users to exclude their device from
power management, users can exclude their own computers from power
management by using Software Center.

To find out which computers are excluded from power management, run the report
Computers Excluded. For more information about this report see How to monitor and
plan for power management.

Important

Excluding a computer from power management causes all power settings to be
reverted to their original values. You cannot revert individual power settings to their
original values.

How to exclude a collection of computers from power management
1. In the Configuration Manager console, go to the Assets and Compliance
workspace, and select the Device Collections node.

2. Select the collection that you want to exclude from power management. In the
Home tab of the ribbon, in the Properties group, select Properties.

3. Switch to the Power Management tab, and select Never apply power
management settings to computers in this collection.
Next steps
How to create and apply power plans

How to monitor and plan for power management


How to create and apply power plans in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Power management in Configuration Manager enables you to apply power plans to
collections of computers in your hierarchy. Configuration Manager defines several
power plans, or you can create your own custom power plans.

You can only apply Configuration Manager power plans to device collections. If a
computer is a member of multiple collections, each with different power plans, then the
following actions happen:

Power plan: If policy applies multiple values for power settings on a computer, it
uses the least restrictive value.

Wakeup time: If policy applies multiple wakeup times to a desktop computer, it
uses the time closest to midnight.

To display all computers that have multiple power plans applied to them, use the
Computers with Multiple Power Plans report. This report can help you discover
computers that have power conflicts. For more information about power management
reports, see How to monitor and plan for power management.

Make sure to review any power settings that you apply from group policy. Power
settings configured by using group policy will override settings configured by
Configuration Manager power management.

Important

Systems that you enable for Modern Standby (S0) won't apply Configuration
Manager power policies. You'll see a message similar to the following in the
PwrProvider.log: The "Required idleness to sleep" setting (<738eddaa-52e2-467f-
b453-821ef2884d47>) is not supported on this operating system. This setting
will be ignored.

Create and apply a power plan


1. In the Configuration Manager console, go to the Assets and Compliance
workspace.

2. In the Assets and Compliance workspace, select the Device Collections node.

3. In the Device Collections list, choose the collection to which you want to apply
power management settings. In the Home tab of the ribbon, in the Properties
group, select Properties.

4. Switch to the Power Management tab of the collection, and select Specify power
management settings for this collection.

Note

You can also select Browse, and copy the power management settings from
another collection to this collection.

5. Specify the Start and End time for peak (or business) hours.

6. To specify a time when a desktop computer wakes from sleep or hibernate, Enable
Wakeup time (desktop computers). When the client wakes up, it can install
scheduled software updates or other deployments.

Important

Power management uses the internal Windows wakeup time feature to wake
computers from sleep or hibernate. Wakeup time settings aren't applied to
portable computers to prevent scenarios in which they might wake when not
plugged in. The wake up time is randomized and computers will be woken
over a one hour period from the specified wakeup time.

7. If you want to configure a custom power plan for business hours, select
Customized Peak (ConfigMgr) from the Peak plan list, and then select Edit. If you
want to configure a power plan for non-business hours, select Customized Non-
Peak (ConfigMgr) from the Non-peak plan list, and then select Edit.

Note

You can use the Computer Activity report to help you decide the schedules to
use for peak and non-peak hours when you apply power plans to collections
of computers. For more information, see How to monitor and plan for power
management.

You can also select from the built-in power plans: Balanced (ConfigMgr), High
Performance (ConfigMgr), and Power Saver (ConfigMgr). Select View to display
the properties of each power plan.

Note

You can't modify the built-in power plans.

8. For the power plan properties, configure the following settings:

Name: Specify a name for this power plan or use the supplied default value.

Description: Specify an optional description to further describe the plan in
the console.

Specify the properties for this power plan: Configure the power plan
properties. For more information, see Available power management plan
settings.

Important

When the Configuration Manager client applies the power plan to the
device, it applies the enabled settings. If you unselect a power setting in
the policy, the value on the client computer doesn't change when it
applies the power plan. This action also doesn't restore the power
setting to its previous value before a power plan was applied.

9. Select OK to save and close the power plan properties.

10. Select OK to save and close the collection properties, and to apply the power plan.

Available power plan settings

The following list describes the power management settings available in
Configuration Manager. You can configure separate settings for when the computer
is plugged in or running on battery power. Depending on the version of Windows
you use, some settings might not be configurable.

Note

Power settings that you don't configure keep their current value on client
computers.

Turn off display after (minutes): Specifies the length of time, in minutes, that
the computer must be inactive before the display is turned off. If you don't
want power management to turn off the display, specify a value of 0.

Sleep after (minutes): Specifies the length of time, in minutes, that the
computer must be inactive before it enters sleep. If you don't want the device
to sleep, specify a value of 0.

Require a password on wakeup: Yes specifies that a user has to unlock the
computer when it wakes up. Keep this set to Yes for any plan applied to user
devices: a computer that wakes without requiring unlock, including one woken by
the wake up timer below, leaves the signed-in session open to whoever is at the
console.

Power button action: Specifies the action when you press the computer's power
button: Do nothing, Sleep, Hibernate, or Shut down.

Start menu power button: Specifies the action when you press the computer's
Start menu power button: Sleep, Hibernate, or Shut down.

Sleep button action: Specifies the action when you press the computer's Sleep
button: Do nothing, Sleep, Hibernate, or Shut down.

Lid close action: Specifies the action when the user closes the lid of a
portable computer: Do nothing, Sleep, Hibernate, or Shut down.

Turn off hard disk after (minutes): Specifies the length of time, in minutes,
that the computer's hard disk must be inactive before it's turned off. If you
don't want power management to turn off the computer's hard disk, specify a
value of 0.

Hibernate after (minutes): Specifies the length of time, in minutes, that the
computer must be inactive before it hibernates. If you don't want the device to
hibernate, specify a value of 0.

Low battery action: Specifies the action when the computer's battery reaches the
specified low battery notification level: Do nothing, Sleep, Hibernate, or Shut
down.

Critical battery action: Specifies the action when the computer's battery
reaches the specified critical battery notification level. When it's on battery:
Sleep, Hibernate, or Shut down. When it's plugged in: Do nothing, Sleep,
Hibernate, or Shut down.

Allow hybrid sleep: On specifies that Windows saves a hibernation file when it
enters sleep. If there's a power loss while it's asleep, Windows uses this file
to restore the computer's state. Hybrid sleep is designed for desktop computers.
By default, it's not enabled on portable computers. Enabling hybrid sleep
disables the hibernate functionality.

Allow standby state when sleeping action: On enables the computer to be on
standby. This state still consumes some power, but enables the computer to wake
faster. If this setting is Off, the computer can only hibernate or turn off.

Required idleness to sleep (%): Specifies the percentage of processor idle time
required for the computer to enter sleep. For computers running Windows 7 and
later, this value is always 0.

Enable Windows wake up timer for desktop computers: Set Enable to enable the
built-in Windows timer to wake a desktop computer. When this timer wakes a
desktop computer, it stays awake for 10 minutes by default. This time period
allows the client to install any updates or to receive policy. Wakeup timers
aren't supported on portable computers. This behavior prevents scenarios where
they might wake when they're on limited battery power.
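Because settings you leave unconfigured keep whatever value the client already had, an applied plan doesn't by itself prove that the security-relevant settings are in the state you expect. The following PowerShell script is an added example, not code from the Configuration Manager documentation: it reads the active scheme and a few effective settings on a client with the built-in powercfg.exe and compares them with the values your plan is supposed to enforce. The expected values are illustrative policy choices (assumptions), the scheme-name check assumes the client shows the plan under the name the console uses, and the setting aliases are the ones `powercfg /aliases` lists; note that powercfg reports idle timeouts in seconds, not the minutes the console shows.

```powershell
# Added example: verify the effective power settings on a client after a
# Configuration Manager power plan has been applied. Uses only powercfg.exe.
# Expected values below are illustrative policy choices (assumption), not
# values taken from the documentation.

function Get-EffectivePowerSetting {
    # Returns a hashtable with the AC and DC index of one setting in the
    # active scheme, parsed from 'powercfg /query'.
    param([string]$SubGroup, [string]$Setting)

    $result = @{}
    $lines = & powercfg.exe /query SCHEME_CURRENT $SubGroup $Setting 2>&1
    foreach ($line in $lines) {
        if ("$line" -match 'Current (AC|DC) Power Setting Index:\s+0x([0-9A-Fa-f]+)') {
            $result[$Matches[1]] = [Convert]::ToInt32($Matches[2], 16)
        }
    }
    return $result
}

# Which scheme is active? Configuration Manager names its plans '... (ConfigMgr)'
# (assumption: the client exposes the plan under the console's name).
$schemeLine = (& powercfg.exe /getactivescheme) -join ''
$schemeName = if ($schemeLine -match '\((.+)\)\s*$') { $Matches[1] } else { 'unknown' }
Write-Output "Active power scheme: $schemeName"
if ($schemeName -notmatch '\(ConfigMgr\)$') {
    Write-Warning 'Active scheme is not a Configuration Manager plan; the device may be excluded or policy has not applied yet.'
}

# Settings worth verifying, in powercfg units (seconds for idle timeouts,
# 1/0 for on/off). Aliases come from 'powercfg /aliases'.
$checks = @(
    [pscustomobject]@{ Name = 'Require a password on wakeup'; Sub = 'SUB_NONE';  Setting = 'CONSOLELOCK';   Expected = 1    }
    [pscustomobject]@{ Name = 'Sleep after (seconds)';        Sub = 'SUB_SLEEP'; Setting = 'STANDBYIDLE';   Expected = 1800 }
    [pscustomobject]@{ Name = 'Hibernate after (seconds)';    Sub = 'SUB_SLEEP'; Setting = 'HIBERNATEIDLE'; Expected = 0    }
    [pscustomobject]@{ Name = 'Allow hybrid sleep';           Sub = 'SUB_SLEEP'; Setting = 'HYBRIDSLEEP';   Expected = 0    }
    [pscustomobject]@{ Name = 'Allow wake timers';            Sub = 'SUB_SLEEP'; Setting = 'RTCWAKE';       Expected = 1    }
)

$mismatches = 0
foreach ($check in $checks) {
    $value = Get-EffectivePowerSetting -SubGroup $check.Sub -Setting $check.Setting
    # Compare the plugged-in value; the on-battery value can legitimately differ.
    $ok = ($value['AC'] -eq $check.Expected)
    if (-not $ok) { $mismatches++ }
    $status = if ($ok) { 'OK' } else { 'MISMATCH' }
    '{0,-30} AC={1,-6} DC={2,-6} expected={3,-6} {4}' -f $check.Name, $value['AC'], $value['DC'], $check.Expected, $status
}

# A non-zero exit code lets a scheduled task or a configuration item flag the device.
if ($mismatches -gt 0) { Write-Output "$mismatches setting(s) differ from policy"; exit 1 }
Write-Output 'All checked settings match policy'
```

Run it in an elevated PowerShell on a client after the next policy cycle. A MISMATCH on a setting you never enabled in the plan is the case the Important note above describes: the client kept its old value, and the fix is to enable that setting in the plan rather than to expect it to reset.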
How to monitor and plan for power
management in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the following information to help you monitor and plan for power management in
Configuration Manager.

How to use reports for power management


Power management in Configuration Manager includes several reports to help you
analyze power consumption and computer power settings in your organization. The
reports can also be used to help you troubleshoot problems.

Before you can use the power management reports, you must configure reporting for
your hierarchy. For more information about reporting in Configuration Manager, see
Introduction to reporting.

Note

Power management information used by daily reports is retained in the
Configuration Manager site database for 31 days. Information used by monthly
reports is retained for 13 months.

When you run reports during the monitoring and planning phase and the
compliance phase of power management, save or export the results of any report
whose data you want to keep for later comparison, because the site deletes the
underlying data once those retention periods pass.

List of power management reports


The following list details the power management reports that are available in
Configuration Manager.

Note

Power management reports display the number of physical computers and the
number of virtual computers in a selected collection. However, only power
management information from physical computers is displayed in power
management reports.

Computer Activity report

The Computer Activity report displays a graph showing the following activity for
a specified collection over a specified period:

Computer On – The computer has been turned on.

Monitor On – The monitor has been turned on.

User Active – Activity has been detected from the computer mouse, computer
keyboard, or from a Remote Desktop connection to the computer.

This report is used during the monitoring and planning stage and the enforcement
stage to help you understand the alignment between computer activity, monitor
activity and user activity over a 24 hour period. If you run the report over a
number of days, the data is aggregated over that period. This report can help
you to determine typical business (peak) and nonbusiness (non-peak) hours for a
selected collection, so you can decide when to apply configured power management
plans.

The graph shows time periods where a computer might be turned on but there is no
user activity. Consider applying more restrictive power settings during these
times to save on the power costs of computers that are turned on but not being
used. A computer is counted as active for a displayed hour on the graph if there
has been computer, user or monitor activity for one minute or more in that hour.
If a computer is not reporting power management data, it is not included in the
Computer Activity report.

Use the following parameters to configure this report.

Required report parameters

The following parameters must be specified to run this report.

Start date: From the drop-down list, select the start date for this report.

End date (Optional): From the drop-down list, select an optional end date for
this report.

Collection name: From the drop-down list, select a collection to use for this
report.

Device type: From the drop-down list, select the type of computer for which you
want a report. Valid values are All (both desktop and portable computers),
Desktop (desktop computers only), and Laptop (portable computers only).

Hidden report parameters

This report has no hidden parameters that you can set.

Report links

If a value for End date (optional) is not specified, this report contains a link
to the following report, which provides further information.

Computer Activity Details: Click the Click for detailed information link to see a
list of active, inactive and non-reporting computers for the specified date. For
more information, see Computer Activity Details Report in this topic.
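The Computer Activity report counts a computer as active in an hour if it showed at least one minute of computer, monitor, or user activity during that hour, and the page recommends using the per-hour graph to choose peak and non-peak schedules. The following PowerShell is an added example, not part of the documentation: it takes an hourly export of the report for one collection and proposes a peak window, defined as the hours in which at least a threshold share of reporting computers had user activity, and lists the non-peak hours in which many computers were on but idle. The column names, the sample rows and the 25% threshold are constructed for illustration; map the columns to your own export in the ConvertFrom-Csv step.

```powershell
# Added example: derive peak (business) hours from an exported Computer Activity
# report. Column names and data rows are constructed for this example (assumption);
# map them to your own export before use. Each row is one hour of the day, with
# counts of computers on, computers with user activity, and computers reporting.
$sampleCsv = @'
Hour,ComputersOn,UserActive,Reporting
0,210,4,500
1,205,3,500
2,204,2,500
3,204,2,500
4,206,3,500
5,215,9,500
6,260,48,500
7,380,190,500
8,470,402,500
9,488,455,500
10,490,461,500
11,489,458,500
12,487,380,500
13,488,440,500
14,489,452,500
15,488,447,500
16,480,410,500
17,430,300,500
18,350,150,500
19,280,70,500
20,240,35,500
21,225,18,500
22,215,9,500
23,212,6,500
'@

function Get-PeakHours {
    # For each hour, compute the share of reporting computers with user activity,
    # the number of computers on but idle, and whether the hour counts as peak.
    param(
        [object[]]$Rows,
        [double]$Threshold = 0.25   # assumption: 25% of computers in use marks a business hour
    )
    foreach ($row in $Rows) {
        $reporting = [int]$row.Reporting
        $userShare = if ($reporting -gt 0) { [int]$row.UserActive / $reporting } else { 0 }
        [pscustomobject]@{
            Hour      = [int]$row.Hour
            UserShare = [math]::Round($userShare, 2)
            IdleOn    = [int]$row.ComputersOn - [int]$row.UserActive
            Peak      = ($userShare -ge $Threshold)
        }
    }
}

$rows  = $sampleCsv | ConvertFrom-Csv
$hours = Get-PeakHours -Rows $rows -Threshold 0.25
$hours | Format-Table -AutoSize | Out-Host

$peak = $hours | Where-Object Peak | Select-Object -ExpandProperty Hour
if ($peak) {
    $start = ($peak | Measure-Object -Minimum).Minimum
    $end   = ($peak | Measure-Object -Maximum).Maximum
    Write-Output ('Proposed peak window: {0:00}:00 to {1:00}:59' -f $start, $end)
    # A gap inside the window (for example a lunch dip) would otherwise be hidden.
    if ($peak.Count -ne ($end - $start + 1)) {
        Write-Warning 'Peak hours are not contiguous; review the dips before scheduling.'
    }
}

# Non-peak hours with many computers on but idle are where a more restrictive
# non-peak plan saves the most.
$hours | Where-Object { -not $_.Peak -and $_.IdleOn -gt 150 } |
    ForEach-Object { 'Hour {0:00}: {1} computers on but idle' -f $_.Hour, $_.IdleOn }
```

Run the report over several weekdays so the aggregated hours smooth out one-off days, export it, and feed the export to this script; the proposed window is the Peak plan schedule, and the idle hours it lists are the ones the Non-peak plan should put to sleep.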

Computer Activity by Computer report

The Computer Activity by Computer report displays a graph showing the following
activity for a specified computer on a specified date:

Computer On – The computer has been turned on.

Monitor On – The monitor has been turned on.

User Active – Activity has been detected from the computer mouse, computer
keyboard, or from a Remote Desktop connection to the computer.

This report can be run independently or called by the Computer Activity Details
report.

Note

Information about computer activity is collected from client computers during
hardware inventory. Depending on the time at which hardware inventory runs,
activity during an applied peak or non-peak power plan might be collected.

Use the following parameters to configure this report.

Required report parameters

The following parameters must be specified to run this report.

Report date: From the drop-down list, select a date for this report.

Computer name: Enter a computer name for which you want a report.

Hidden report parameters

This report has no hidden parameters that you can set.

Report links

This report contains links to the following report, which provides further
information about the selected item.

Computer Details: Click the Click for detailed information link to see the power
capabilities, power settings, and applied power plans for the selected computer.

Computer Activity Details report

The Computer Activity Details report displays a list of active or inactive
computers with their sleep and wake capabilities. This report is called by the
Computer Activity report and is not designed to be run directly by the site
administrator.

Use the following parameters to configure this report.

Required report parameters

The following parameters must be specified to run this report.

Collection name: From the drop-down list, select a collection to use for this
report.

Report date: From the drop-down list, select a date to use for this report.

Report hour: From the drop-down list, select an hour from the specified date for
which to run this report. Valid values are between 12am and 11pm.

Computer state: From the drop-down list, select the computer state for which to
run this report. Valid values are All (computers that were turned on or off), On
(computers that were turned on), and Off (computers that were turned off, in
sleep, or in hibernate). These values are only returned for the chosen reporting
period.

Device type: From the drop-down list, select the type of computer for which you
want a report. Valid values are All (both desktop and portable computers),
Desktop (desktop computers only), and Laptop (portable computers only). These
values are only returned for the chosen reporting period.

Sleep capable: From the drop-down list, select whether to display computers
capable of sleep in the report. Valid values are All (computers both capable and
incapable of sleep), No (computers that are incapable of sleep), and Yes
(computers that are capable of sleep).

Wake from sleep capable: From the drop-down list, select whether to display
computers capable of waking from sleep in the report. Valid values are All
(computers both capable and incapable of waking from sleep), No (computers that
are incapable of waking from sleep), and Yes (computers that are capable of
waking from sleep).

Power plan: From the drop-down list, select the power plan types you want to
display in the report. Valid values are All (computers without a power
management plan applied, computers with a power management plan applied, and
computers excluded from power management), Not specified (computers that do not
have a power management plan applied), Defined (computers that have a power
management plan applied), and Excluded (computers that have been excluded from
power management).

Operating system: From the drop-down list, select the computer operating systems
that you want to display in the report, or select All to display all operating
systems.

Hidden report parameters

This report has no hidden parameters that you can set.

Report links

This report contains links to the following report, which provides further
information about the selected item.

Computer Activity by Computer: Click a computer name to see specific activity for
that computer over a chosen reporting period. These activities include Computer
on (has the computer been turned on?), Monitor on (has the monitor been turned
on?), and User Active (activity has been detected from the computer's mouse,
keyboard, or a remote desktop connection). For more information, see Computer
Activity by Computer Report in this topic.

Computer Details report

The Computer Details report displays detailed information about the power
capabilities, power settings, and power plans applied to a specified computer.
This report is called by the Computer Activity by Computer report, the Computers
with Multiple Power Plans report, the Power Capabilities report and the Power
Settings Details report. It is not designed to be run directly by the site
administrator.

Required report parameters

The following parameters must be specified to run this report.

Computer name: Enter a computer name for which you want a report.

Power mode: From the drop-down list, select the type of power settings you want
to display in the report results. Select Plugged In to view the power settings
configured for when the computer is plugged in and On Battery to view the power
settings configured for when the computer is running on battery power.

Hidden report parameters

This report has no hidden parameters you can set.

Report links

This report does not link to any other power management reports.

Computer Not Reporting Details report

The Computer Not Reporting Details report displays a list of computers in a
specified collection that have not reported any power activity on a specified
date and time. This report is called by the Computer Activity report and is not
designed to be run directly by the site administrator.

Note

Computers report power management information as part of their hardware
inventory schedule. Before you consider a computer to not be reporting, ensure
it has reported hardware inventory.

Use the following parameters to configure this report.

Required report parameters

The following parameters must be specified to run this report.

Collection name: From the drop-down list, select a collection to use for this
report.

Report date: From the drop-down list, select a date for this report.

Report hour: From the drop-down list, select an hour from the specified date for
which to run this report. Valid values are between 12am and 11pm.

Device type: From the drop-down list, select the type of computer for which you
want a report. Valid values are All (both desktop and portable computers),
Desktop (desktop computers only), and Laptop (portable computers only). These
values are only returned for the chosen reporting period.

Hidden report parameters

This report has no hidden parameters that you can set.

Report links

This report does not link to any other power management reports.

Computers Excluded report

The Computers Excluded report displays a list of computers in a specified
collection that have been excluded from Configuration Manager power management.
An excluded computer keeps whatever local power settings it has, so run this
report with the Excluded by user reason periodically to find devices that have
opted out of the plan you rely on.

Use the following parameters to configure this report.

Required report parameters

The following parameters must be specified to run this report.

Collection: From the drop-down list, select a collection for this report.

Reason: From the drop-down list, select the reason why the computers were
excluded from power management. You can display All (all excluded computers),
Excluded by administrator (only computers that were excluded by an
administrative user), and Excluded by user (only computers that were excluded by
a user of Software Center).

Hidden report parameters

This report has no hidden parameters that you can set.

Report links

This report contains links to the following report, which provides further
information about the selected item.

Power Computer Details: Click a computer name to see the power capabilities,
power settings, and applied power plans for the selected computer. For more
information, see Computer Details Report in this topic.

Computers with Multiple Power Plans report

The Computers with Multiple Power Plans report displays a list of computers that
are members of multiple collections, each applying different power plans. For
each computer with potentially conflicting power settings, the report displays
the computer name and the power plans being applied for each collection that
the computer is a member of.

Important

If a computer is a member of multiple collections, where each collection has
different power plans, then the least restrictive power plan will be applied.
Membership in one collection with a permissive plan therefore overrides a
stricter plan from another collection; use this report to find such computers
before you rely on the stricter settings.

If a computer is a member of multiple collections, where each collection has
different wakeup times, then the time closest to midnight will be used.

Use the following parameters to configure this report.

Required report parameters

The following parameters must be specified to run this report.

Collection name: From the drop-down list, select a collection for this report.

Hidden report parameters

This report has no hidden parameters that you can set.

Report links

This report contains links to the following report, which provides further
information about the selected item.

Power Computer Details: Click a computer name to see the power capabilities,
power settings, and applied power plans for the selected computer. For more
information, see Computer Details Report in this topic.

Energy Consumption report

The Energy Consumption report displays the following information:

A graph showing the total monthly power consumption, in kilowatt-hours (kWh), of
computers in the specified collection for the specified time period.

A graph showing the average power consumption, in kilowatt-hours (kWh), of each
computer in the specified collection for the specified time period.

A table showing the total monthly power consumption, in kilowatt-hours (kWh),
and the average power consumption of computers in the specified collection for
the specified time period.

This information can be used to help you to understand power consumption trends
in your environment. After applying a power plan to computers in the selected
collection, the power consumption of computers should decrease.

Note

If you add or remove members of the collection after you have applied a power
plan, this will affect the results shown by the Energy Consumption report and
might make it more difficult to compare the results from the monitoring and
planning phase and the enforcement phase.

Use the following parameters to configure this report.

Required report parameters

The following parameters must be specified to run this report.

Start date: From the drop-down list, select a start date for this report.

End date: From the drop-down list, select an end date for this report.

Collection name: From the drop-down list, select a collection for this report.

Device type: From the drop-down list, select the type of computer for which you
want a report. Valid values are All (both desktop and portable computers),
Desktop (desktop computers only), and Laptop (portable computers only). These
values are only returned for the chosen reporting period.

Hidden report parameters

The following hidden parameters can optionally be specified to change the
behavior of this report. Each value is a power draw in kilowatts (kW) for one
state; the report multiplies it by the time a computer spends in that state to
produce kWh, so replace the defaults with measured or manufacturer figures if
they don't match your hardware.

Desktop computer on: Specify the power consumption of a desktop computer when it
is turned on. The default value is 0.07 kW.

Laptop computer on: Specify the power consumption of a portable computer when it
is turned on. The default value is 0.02 kW.

Desktop computer sleep: Specify the power consumption of a desktop computer that
has entered sleep. The default value is 0.003 kW.

Laptop computer sleep: Specify the power consumption of a portable computer that
has entered sleep. The default value is 0.001 kW.

Desktop computer off: Specify the power consumption of a desktop computer when it
is turned off. The default value is 0 kW.

Laptop computer off: Specify the power consumption of a portable computer when it
is turned off. The default value is 0 kW.

Desktop monitor on: Specify the power consumption of a desktop computer monitor
when it is turned on. The default value is 0.028 kW.

Laptop monitor on: Specify the power consumption of a portable computer monitor
when it is turned on. The default value is 0 kW.

Report links

This report does not link to any other power management reports.

Energy Consumption by Day report

The Energy Consumption by Day report displays the following information:

A graph showing the total daily power consumption, in kilowatt-hours (kWh), of
computers in the specified collection for the last 31 days.

A graph showing the average daily power consumption, in kilowatt-hours (kWh), of
each computer in the specified collection for the last 31 days.

A table showing the total daily power consumption, in kilowatt-hours (kWh), and
the average daily power consumption of computers in the specified collection for
the last 31 days.

This information can be used to help you to understand power consumption trends
in your environment. After applying a power plan to computers in the selected
collection, the power consumption of computers should decrease.

Note

If you add or remove members of the collection after you have applied a power
plan, this will affect the results shown by the Energy Consumption by Day report
and might make it more difficult to compare the results from the monitoring and
planning phase and the enforcement phase.

Use the following parameters to configure this report.

Required report parameters

The following parameters must be specified to run this report.

Collection: From the drop-down list, select a collection for this report.

Device Type: From the drop-down list, select the type of computer for which you
want to report. Valid values are All (both desktop and portable computers),
Desktop (desktop computers only), and Laptop (portable computers only). These
values are only returned for the chosen reporting period.

Hidden report parameters

The following hidden parameters can optionally be specified to change the
behavior of this report. Each value is a power draw in kilowatts (kW) for one
state.

Desktop computer on: Specify the power consumption of a desktop computer when it
is turned on. The default value is 0.07 kW.

Laptop computer on: Specify the power consumption of a portable computer when it
is turned on. The default value is 0.02 kW.

Desktop computer sleep: Specify the power consumption of a desktop computer that
has entered sleep. The default value is 0.003 kW.

Laptop computer sleep: Specify the power consumption of a portable computer that
has entered sleep. The default value is 0.001 kW.

Desktop computer off: Specify the power consumption of a desktop computer when it
is turned off. The default value is 0 kW.

Laptop computer off: Specify the power consumption of a portable computer when it
is turned off. The default value is 0 kW.

Desktop monitor on: Specify the power consumption of a desktop computer monitor
when it is turned on. The default value is 0.028 kW.

Laptop monitor on: Specify the power consumption of a portable computer monitor
when it is turned on. The default value is 0 kW.

Report links

This report does not link to any other power management reports.

Energy Cost report

The Energy Cost report displays the following information:

A graph showing the total monthly power cost for computers in the specified
collection for the specified time period.

A graph showing the average monthly power cost for each computer in the
specified collection for the specified time period.

A table showing the total monthly power cost and the average monthly power cost
for computers in the specified collection for the specified time period.

This information can be used to help you to understand power cost trends in your
environment. After applying a power plan to computers in the selected collection,
the power cost for computers should decrease.

Use the following parameters to configure this report.

Required report parameters

The following parameters must be specified to run this report.

Start date: From the drop-down list, select a start date for this report.

End date: From the drop-down list, select an end date for this report.

Cost of KwH: Specify the cost per kWh of electricity. The default value is 0.09.
You can modify the unit of currency used by this report in the hidden parameters
section.

Collection name: From the drop-down list, select a collection to use for this
report.

Device type: From the drop-down list, select the type of computer for which you
want to report. Valid values are All (both desktop and portable computers),
Desktop (desktop computers only), and Laptop (portable computers only). These
values are only returned for the chosen reporting period.

Hidden report parameters

The following hidden parameters can optionally be specified to change the
behavior of this report. Each consumption value is a power draw in kilowatts
(kW) for one state.

Desktop computer on: Specify the power consumption of a desktop computer when it
is turned on. The default value is 0.07 kW.

Laptop computer on: Specify the power consumption of a portable computer when it
is turned on. The default value is 0.02 kW.

Desktop computer sleep: Specify the power consumption of a desktop computer that
has entered sleep. The default value is 0.003 kW.

Laptop computer sleep: Specify the power consumption of a portable computer that
has entered sleep. The default value is 0.001 kW.

Desktop computer off: Specify the power consumption of a desktop computer when it
is turned off. The default value is 0 kW.

Laptop computer off: Specify the power consumption of a portable computer when it
is turned off. The default value is 0 kW.

Desktop monitor on: Specify the power consumption of a desktop computer monitor
when it is turned on. The default value is 0.028 kW.

Laptop monitor on: Specify the power consumption of a portable computer monitor
when it is turned on. The default value is 0 kW.

Currency: Specify the currency label to use for this report. The default value is
USD ($).

Report links

This report does not link to any other power management reports.

Energy Cost by Day report

The Energy Cost by Day report displays the following information:

A graph showing the total daily power cost for computers in the specified
collection for the last 31 days.

A graph showing the average daily power cost for each computer in the specified
collection for the last 31 days.

A table showing the total daily power cost and the average daily power cost for
computers in the specified collection for the last 31 days.

This information can be used to help you to understand power cost trends in your
environment. After applying a power plan to computers in the selected collection,
the power cost for computers should decrease.

Use the following parameters to configure this report.

Required report parameters

The following parameters must be specified to run this report.

Collection name: From the drop-down list, select a collection to use for this
report.

Device type: From the drop-down list, select the type of computer you want to
report about. Valid values are All (both desktop and portable computers),
Desktop (desktop computers only), and Laptop (portable computers only). These
values are only returned for the chosen reporting period.

Cost of KwH: Specify the cost per kWh of electricity. The default value is 0.09.
You can modify the unit of currency used by this report in the hidden parameters
section.

Hidden report parameters

The following hidden parameters can optionally be specified to change the
behavior of this report. Each consumption value is a power draw in kilowatts
(kW) for one state.

Desktop computer on: Specify the power consumption of a desktop computer when it
is turned on. The default value is 0.07 kW.

Laptop computer on: Specify the power consumption of a portable computer when it
is turned on. The default value is 0.02 kW.

Desktop computer sleep: Specify the power consumption of a desktop computer that
has entered sleep. The default value is 0.003 kW.

Laptop computer sleep: Specify the power consumption of a portable computer that
has entered sleep. The default value is 0.001 kW.

Desktop computer off: Specify the power consumption of a desktop computer when it
is turned off. The default value is 0 kW.

Laptop computer off: Specify the power consumption of a portable computer when it
is turned off. The default value is 0 kW.

Desktop monitor on: Specify the power consumption of a desktop computer monitor
when it is turned on. The default value is 0.028 kW.

Laptop monitor on: Specify the power consumption of a portable computer monitor
when it is turned on. The default value is 0 kW.

Currency: Specify the currency label to use for this report. The default value is
USD ($).

Report links

This report does not link to any other power management reports.

Environmental Impact report


The Environmental Impact report displays the following information:

A graph showing the total monthly CO2 generated (in tons) for computers in the
specified collection for the specified time period.

A graph showing the average monthly CO2 generated (in tons) for each computer
in the specified collection for the specified time period.

A table showing the total monthly CO2 generated and the average monthly CO2
generated for computers in the specified collection for specified time period.

The Environmental Impact report calculates the amount of CO2 generated (in
tons) by using the time that a computer or monitor was turned on in a 24 hour
period.

Use the following parameters to configure this report.

Required report parameters

The following parameters must be specified to run this report.

Parameter Description
Name

Report From the drop-down list, select a start date for this report.
start date

Report From the drop-down list, select an end date for this report.
end date

Collection From the drop-down list, select a collection for this report.
name
Parameter Description
Name

Device From the drop-down list, select the type of computer for which you want a report.
type Valid values are All (both desktop and portable computers), Desktop (desktop
computers only), and Laptop (portable computers only). These values are only
returned for the chosen reporting period.

Hidden report parameters

The following hidden parameters can optionally be specified to change the behavior of
this report.

Desktop computer on: Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kW per hour.

Laptop computer on: Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour.

Desktop computer sleep: Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour.

Laptop computer sleep: Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour.

Desktop computer off: Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour.

Laptop computer off: Specify the power consumption of a portable computer when it is turned off. The default value is 0 kW per hour.

Desktop monitor on: Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kW per hour.

Laptop monitor on: Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour.

Carbon Factor (tons/kWh) (CO2Mix): Specify the value for carbon factor (in tons/kWh) that you typically can obtain from your power company. The default value is 0.0015 tons per kWh.

Report links
This report does not link to any other power management reports.

Environmental Impact by Day report

The Environmental Impact by Day report displays the following information:

A graph showing the total daily CO2 generated (in tons) for computers in the
specified collection for the last 31 days.

A graph showing the average daily CO2 generated (in tons) for each computer in
the specified collection for the last 31 days.

A table showing the total daily CO2 generated and the average daily CO2
generated for computers in the specified collection for the last 31 days.

The Environmental Impact by Day report calculates the amount of CO2 generated
(in tons) by using the time that a computer or monitor was turned on in a 24 hour
period.

Required report parameters


The following parameters must be specified to run this report.

Collection name: From the drop-down list, select a collection for this report.

Device type: From the drop-down list, select the type of computer you want to report about. Valid values are All (both desktop and portable computers), Desktop (desktop computers only), and Laptop (portable computers only). These values are only returned for the chosen reporting period.

Hidden report parameters


The following hidden parameters can optionally be specified to change the behavior of
this report.

Desktop computer on: Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kWh.

Laptop computer on: Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kWh.

Desktop computer off: Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kWh.

Laptop computer off: Specify the power consumption of a portable computer when it is turned off. The default value is 0 kWh.

Desktop computer sleep: Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kWh.

Laptop computer sleep: Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kWh.

Desktop monitor on: Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kWh.

Laptop monitor on: Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kWh.

Carbon Factor (tons/kWh) (CO2Mix): Specify a value for the carbon factor (in tons/kWh) that you typically can obtain from your power company. The default value is 0.0015 tons per kWh.
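The preceding report and the Environmental Impact by Day report both describe the same arithmetic: hours spent in each power state, multiplied by the per-state consumption from the hidden parameters, multiplied by the carbon factor (CO2Mix). The following added example (not Configuration Manager's own code or query) models that calculation for a collection over one 24 hour period, using the default hidden parameter values above and the Device type filter (All, Desktop, Laptop). The record shape DayActivity, the computer names, and the activity hours are constructed for illustration; the assumption that the rates apply per hour in each state is stated in the comments.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Default hidden-parameter values from the report, read here as kWh consumed per
# hour spent in each state (the article lists them as "kW per hour" / "kWh").
DEFAULT_RATES: Dict[str, Dict[str, float]] = {
    "Desktop": {"on": 0.07, "sleep": 0.003, "off": 0.0, "monitor_on": 0.028},
    "Laptop": {"on": 0.02, "sleep": 0.001, "off": 0.0, "monitor_on": 0.0},
}
DEFAULT_CO2_MIX = 0.0015  # Carbon Factor (CO2Mix) default: tons of CO2 per kWh
DEVICE_TYPES = ("All", "Desktop", "Laptop")  # values of the Device type parameter


@dataclass(frozen=True)
class DayActivity:
    """One computer's activity over a 24 hour period (hypothetical record shape)."""
    computer: str
    device_type: str  # "Desktop" or "Laptop"
    hours_on: float
    hours_sleep: float
    hours_off: float
    monitor_hours_on: float

    def validate(self) -> None:
        # The three power states must account for the whole day, and the monitor
        # cannot have been on longer than the computer itself.
        if abs(self.hours_on + self.hours_sleep + self.hours_off - 24.0) > 1e-9:
            raise ValueError(f"{self.computer}: on + sleep + off must equal 24 hours")
        if self.monitor_hours_on > self.hours_on + 1e-9:
            raise ValueError(f"{self.computer}: monitor on longer than computer on")
        if self.device_type not in DEFAULT_RATES:
            raise ValueError(f"{self.computer}: unknown device type {self.device_type!r}")


def daily_kwh(activity: DayActivity, rates: Dict[str, Dict[str, float]] = DEFAULT_RATES) -> float:
    """Energy for the day: hours spent in each state times that state's rate."""
    activity.validate()
    r = rates[activity.device_type]
    return (activity.hours_on * r["on"]
            + activity.hours_sleep * r["sleep"]
            + activity.hours_off * r["off"]
            + activity.monitor_hours_on * r["monitor_on"])


def daily_co2_tons(activity: DayActivity, rates=DEFAULT_RATES, co2_mix: float = DEFAULT_CO2_MIX) -> float:
    """CO2 in tons = kWh for the day * carbon factor (tons per kWh)."""
    return daily_kwh(activity, rates) * co2_mix


def collection_summary(activities: Iterable[DayActivity], device_type: str = "All",
                       rates=DEFAULT_RATES, co2_mix: float = DEFAULT_CO2_MIX) -> Dict[str, float]:
    """Total and average daily CO2 for the collection, filtered like the Device type parameter."""
    if device_type not in DEVICE_TYPES:
        raise ValueError(f"device_type must be one of {DEVICE_TYPES}")
    selected: List[DayActivity] = [a for a in activities
                                   if device_type == "All" or a.device_type == device_type]
    total = sum(daily_co2_tons(a, rates, co2_mix) for a in selected)
    count = len(selected)
    return {"computers": count, "total_tons": total,
            "average_tons": total / count if count else 0.0}


# Constructed sample activity for one day; not real inventory data.
SAMPLE_DAY = [
    DayActivity("WS-DESK-01", "Desktop", hours_on=8, hours_sleep=2, hours_off=14, monitor_hours_on=8),
    DayActivity("WS-LAP-01", "Laptop", hours_on=10, hours_sleep=4, hours_off=10, monitor_hours_on=10),
]

if __name__ == "__main__":
    for dt in DEVICE_TYPES:
        print(dt, collection_summary(SAMPLE_DAY, dt))
```

With the defaults, the sample desktop (8 hours on with its monitor, 2 asleep, 14 off) uses 0.79 kWh and accounts for 0.001185 tons of CO2 for the day; overriding the rates or the carbon factor corresponds to changing the hidden parameters in the report.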

Report links
This report does not link to any other power management reports.

Insomnia Computer Details report


The Insomnia Computer Details report displays a list of computers that did not sleep or
hibernate for a specific reason within a specified time period. This report is called by the
Insomnia Report and is not designed to be run directly by the site administrator.

The Insomnia Report displays computers as Not sleep capable when they are not
capable of sleep and have been turned on during the entire specified report interval.
The report displays computers as Not hibernate capable when they are not capable of
hibernate and have been turned on during the entire specified report interval.

Note

Power management can only collect causes that prevented computers from
entering sleep or hibernate from computers running Windows 7 or Windows Server
2008 R2.

Use the following parameters to configure this report.

Required report parameters


The following parameters must be specified to run this report.

Collection name: From the drop-down list, select a collection to use for this report.

Report interval (days): Specify the number of days to report. The default value is 7 days.

Cause of Insomnia: From the drop-down list, select one of the causes that can prevent computers from entering sleep or hibernate.

Hidden report parameters


This report has no hidden parameters that you can set.

Report links
This report contains links to the following report which provides further information
about the selected item.

Computer Details: Click the Click for detailed information link to see the power capabilities, power settings, and applied power plans for the selected computer.

For more information, see Computer Details Report in this topic.

Insomnia report
The Insomnia Report displays a list of common causes that prevented computers from
entering sleep or hibernate and the number of computers affected by each cause for a
specified time period. There are a number of causes that might prevent a computer
from entering sleep or hibernate such as a process running on the computer, an open
Remote Desktop session, or that the computer is incapable of sleep or hibernate. From
this report, you can open the Insomnia Computer Details report which displays a list of
computers affected by each cause of computers not sleeping or hibernating.

The Power Insomnia report displays computers as Not sleep capable when they are not
capable of sleep and have been turned on during the entire specified report interval.
The report displays computers as Not hibernate capable when they are not capable of
hibernate and have been turned on during the entire specified report interval.

Note

Power management can only collect causes that prevented computers from
entering sleep or hibernate from computers running Windows 7 or Windows Server
2008 R2.

Use the following parameters to configure this report.

Required report parameters


The following parameters must be specified to run this report.

Collection name: From the drop-down list, select a collection to use for this report.

Report interval (days): Specify the number of days to report. The default value is 7 days. The maximum value is 365 days. Specify 0 to run the report for today.

Hidden report parameters


This report has no hidden parameters that you can set.

Report links
This report contains links to the following report which provides further information
about the selected item.

Insomnia Computer Details: Click a number in the Affected Computers column to see a list of computers that could not sleep or hibernate because of the selected cause.

For more information, see Insomnia Computer Details Report in this topic.

Power Capabilities report


The Power Capabilities report displays the power management hardware capabilities of
computers in the specified collection. This report is typically used in the monitoring
phase of power management to determine the power management capabilities of
computers in your organization. The information displayed in the report can then be
used to create collections of computers to apply power plans to, or to exclude from
power management. The power management capabilities displayed by this report are:

Sleep Capable - Indicates whether the computer has the capability to enter sleep if
it is configured to do so.

Hibernate Capable – Indicates whether the computer can enter hibernate if it is
configured to do so.

Wake from Sleep – Indicates whether the computer can wake from sleep if it is
configured to do so.

Wake from Hibernate – Indicates whether the computer can wake from hibernate
if it is configured to do so.

The values reported by the Power Capabilities report indicate the sleep and
hibernate capabilities of computers as reported by Windows. However, the
reported values do not reflect cases where Windows or BIOS settings prevent these
functions from working.

Use the following parameters to configure this report.

Required report parameters

The following parameters must be specified to run this report.

Collection name: From the drop-down list, select a collection for this report.

Display Filter: From the drop-down list, select Not Supported to display only computers in the specified collection that are incapable of sleep, hibernate, wake from sleep, or wake from hibernate. Select Show All to display all computers in the specified collection.

Hidden report parameters

This report has no hidden parameters that you can set.

Report links
This report contains links to the following report which provides further information
about the selected item.

Computer Details: Click a computer name to see the power capabilities, power settings, and applied power plans for the selected computer.

For more information, see Computer Details Report in this topic.

Power Settings report


The Power Settings report displays an aggregated list of power settings used by
computers in the specified collection. For each power setting, the possible power
modes, values, and units are displayed, together with a count of the number of
computers that use those values. This report can be used during the monitoring phase
of power management to help the administrator understand the existing power settings
used by computers in the site and to help plan optimal power settings to be applied by
using a power management plan. The report is also useful when troubleshooting to
validate that power settings were correctly applied.

Note

The settings displayed are collected from client computers during hardware
inventory. Depending on the time at which hardware inventory runs, settings from
applied peak or non-peak power plans might be collected.

Use the following parameters to configure this report.

Required report parameters

The following parameters must be specified to run this report.

Collection name: From the drop-down list, select a collection for this report.

Hidden report parameters

The following hidden parameters can optionally be specified to change the behavior of
this report.

numberOfLocalizations: Specify the number of languages in which you want to view power setting names reported by client computers. If you only want to view the most popular language, leave this setting at the default of 1. To view all languages, set this value to 0.

Report links
This report contains links to the following report which provides further information
about the selected item.

Power Settings Details: Click the number of computers in the Computers column to see a list of all computers that use the power settings in that row.

For more information, see Power Settings Details Report in this topic.

Power Settings Details report


The Power Settings Details report displays further information about computers
selected in the Power Settings report. This report is called by the Power Settings report
and is not designed to be run directly by the site administrator.

Required report parameters


The following parameters must be specified to run this report.

Collection: From the drop-down list, select a collection to use for this report.

Power Setting GUID: From the drop-down list, select the power setting GUID on which you want to report. For a list of all power settings and their uses, see Available power management plan settings in the topic How to create and apply power plans.

Power Mode: From the drop-down list, select the type of power settings you want to display in the report results. Select Plugged In to view the power settings configured for when the computer is plugged in and On Battery to view the power settings configured for when the computer is running on battery power.

Setting Index: From the drop-down list, select the value for the selected power setting name on which you want to report. For example, if you want to display all computers with the turn off hard disk after setting set to 10 minutes, select turn off hard disk after for Power Setting Name and 10 for Setting Index.

Hidden report parameters


The following hidden parameters can optionally be specified to change the behavior of
this report.

numberOfLocalizations: Specify the number of languages in which you want to view power setting names reported by client computers. If you only want to view the most popular language, leave this setting at the default of 1. To view all languages, set this value to 0.

Report links
This report contains links to the following report which provides further information
about the selected item.

Computer Details: Click a computer name to see the power capabilities, power settings, and applied power plans for the selected computer.

For more information, see Computer Details Report in this topic.


Security and privacy for power
management in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This section contains security and privacy information for power management in
Configuration Manager.

Security best practices for power management


There are no security-related best practices for power management.

Privacy information for power management


Power management uses features that are built into Windows to monitor power usage
and to apply power settings to computers during business hours and nonbusiness
hours. Configuration Manager collects power usage information from computers, which
includes data about when a user is using a computer. Although Configuration Manager
monitors power usage for a collection rather than for each computer, a collection can
contain just one computer. Power management is not enabled by default and must be
configured by an administrator.

The power usage information is stored in the Configuration Manager database and is
not sent to Microsoft. Detailed information is retained in the database for 31 days and
summarized information is retained for 13 months. You cannot configure the deletion
interval.

Before you configure power management, consider your privacy requirements.


Upgrade clients in Configuration
Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can use different methods to upgrade the Configuration Manager client software on
Windows computers and Mac computers. Here are the advantages and disadvantages
of each method.

Tip

If you are upgrading your server infrastructure from System Center 2012
Configuration Manager, before upgrading the Configuration Manager clients,
complete the server upgrades including installing all current branch updates. This
process makes sure that you'll have the most recent version of the client software.

Group Policy installation


Supported client platform: Windows

Advantages:

Doesn't require computers to be discovered before the client can be upgraded.

Can be used for new client installations or for upgrades.

Computers can read client installation properties that have been published to
Active Directory Domain Services.

Doesn't require you to configure and maintain an installation account for the
intended client computer.

Disadvantages:

Can cause high network traffic if you're upgrading many clients.

If you don't extend the Active Directory schema for Configuration Manager, use
Group Policy settings. These settings add client installation properties to
computers in your site.

Logon script installation

Supported client platform: Windows

Advantages:

Doesn't require computers to be discovered before the client can be installed.

Can be used for new client installations or for upgrades.

Supports using command-line properties for CCMSetup.

Disadvantages:

Can cause high network traffic if you're upgrading many clients in a short time.

Can take a long time to upgrade all client computers if users don't frequently sign
in to the network.

For more information, see How to install clients by using logon scripts.

Manual installation
Supported client platform: Windows, macOS

Advantages:

Doesn't require computers to be discovered before the client can be upgraded.

Can be useful for testing purposes.

Supports using command-line properties for CCMSetup.

Disadvantages:

No automation, so can be time consuming.

For more information, see the following articles:

How to install clients manually

How to upgrade clients on Mac computers

Upgrade installation (application management)


Supported client platform: Windows
Advantages:

Supports using command-line properties for CCMSetup.

Disadvantages:

Can cause high network traffic if you distribute the client to large collections.

Can only be used to upgrade the client software on computers that have been
discovered and assigned to the site.

For more information, see How to install clients by using a package and program.

Automatic client upgrade


Supported client platform: Windows

Advantages:

Because of the randomization over the specified period, only auto-upgrade is
suitable for large-scale client upgrades. Other methods are either too slow on
large scale, or don't have randomization.

Note

Client piloting isn't good for large scale as it doesn't randomize at all.

Can be used to automatically keep clients in your site at the latest version.

Requires minimal administration.

Disadvantages:

Can only be used to upgrade the client software and can't be used to install a new
client.

Applies to all clients in the hierarchy that are assigned to a site. Can't be scoped by
collection.

Limited scheduling options.

For more information, see How to upgrade clients for Windows computers.

Client testing
Supported client platform: Windows

Advantages:

Can be used to test new client versions in a smaller pre-production collection.

When testing is complete, clients in pre-production are promoted to production
and automatically upgraded across the Configuration Manager site.

Disadvantages:

Can only be used to upgrade the client software and can't be used to install a new
client.

For more information, see How to test client upgrades in a pre-production collection.

Next steps
How to test client upgrades in a pre-production collection

How to exclude clients from upgrade

How to upgrade clients for Windows computers


How to test client upgrades in a pre-
production collection
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can test a new Configuration Manager client version in a pre-production collection
before upgrading the rest of the site with it. When you do this process, the site only
updates devices that are part of the test collection. Once you've had a chance to test the
client, you can promote the client. Client promotion makes the new version of the client
software available to the rest of the site.

Note

Only a user with the Full Administrator security role and the All security scope can
promote a test client to production. For more information, see Fundamentals of
role-based administration. This action is only available when connected to the
central administration site (CAS) or a standalone primary site.

There are three steps to test clients in pre-production:

1. Configure automatic client upgrades to use a pre-production collection.

2. Install a Configuration Manager update that includes a new version of the client.

3. Promote the new client to production.

Configure automatic client upgrades to use a pre-production collection

Important

Pre-production client deployment isn't supported for workgroup computers. They
can't use the authentication required for the distribution point to access the
pre-production client package. They'll receive the latest client when it's promoted
to be the production client.

1. Set up a collection that contains the computers to which you want to deploy the
pre-production client.

2. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node. In the ribbon, select
Hierarchy Settings.

3. Switch to the Client Upgrade tab, and configure the following settings:

Select Upgrade all clients in the pre-production collection automatically
using pre-production client.

Select a collection to use as the Pre-production collection.

Note

Only a user with the Full Administrator security role and the All security scope can
change these settings.

Configure client upgrades during site update


1. In the Configuration Manager console, go to the Administration workspace, and
select the Updates and Servicing node. Select an available update, and then in the
ribbon select Install Update Pack.

For more information on installing updates, see Updates for Configuration
Manager.

2. During installation of the update, on the Client Options page of the wizard, select
Test in pre-production collection.

3. Complete the rest of the wizard and install the update pack.

After the wizard completes, clients in the pre-production collection begin to deploy
the updated client. You can monitor the deployment of upgraded clients in the console.
Go to the Monitoring workspace, expand Client Status, and select the Pre-production
Client Deployment node. For more information, see How to monitor client deployment
status.

Note

For computers in a pre-production collection that also host site system roles, their
deployment status may report as Not compliant. This state may show even when
the client was successfully updated. When you promote the client to production,
the deployment status reports correctly.

Promote a new client to production


1. In the Configuration Manager console, go to the Administration workspace, and
select the Updates and Servicing node. In the ribbon, select Promote Pre-production
Client.

Tip

The Promote Pre-production Client action is also available when you monitor
client deployments in the console at Monitoring > Client Status > Pre-production
Client Deployment.

2. Review the client versions in production and pre-production, and make sure the
correct pre-production collection is specified. When ready, select Promote, and
then select Yes to confirm.

The updated client version now replaces the client version in use in your hierarchy. You
can then upgrade the clients for your whole site. For more information, see How to
upgrade clients for Windows computers.

Note

To enable the pre-production client, or to promote a pre-production client to a
production client, your account must be a member of a security role that has Read
and Modify permissions for the Update Packages object.

Client upgrades honor any Configuration Manager maintenance windows you
configure. For more information on a known issue, see Client upgrade and
maintenance windows.

Known issues

Pre-production client and site server high availability


Consider the following scenario:

You enable the pre-production client.

The site has a site server in passive mode.

You update the site to the latest version.

You promote the passive mode site server to the active site server.

After you promote the site server, the pre-production client version shows as the
production version. Depending on your configuration, it may automatically deploy to all
systems.

When you install an update, Configuration Manager currently updates the Client folder
of the site server in passive mode with the pre-production client version.

To work around this issue:

Wait to promote the site server in passive mode until after you promote the pre-
production client version to production version.

If you have to fail over for high availability, manually correct the client version in
the Client folder.

Next steps
How to exclude clients from upgrade

How to upgrade clients for Windows computers


How to exclude clients from upgrade in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can exclude a collection of clients from automatically installing updated client
versions. Use this exclusion for a collection of computers that need greater care when
upgrading the client. A client that's in an excluded collection ignores requests to install
updated client software.

This exclusion applies to the following methods:

Automatic upgrade
Software update-based upgrade
Logon scripts
Group policy

Note

Although the user interface states that clients won't upgrade via any method, there
are two methods you can use to override these settings. Use client push or manual
client installation to override this configuration. For more information, see How to
upgrade an excluded client.

Configure exclusion
1. In the Configuration Manager console, go to the Administration workspace.
Expand Site Configuration, select the Sites node, and then select Hierarchy
Settings in the ribbon.

2. Switch to the Client Upgrade tab.

3. Select the option to Exclude specified clients from upgrade. Then select the
Exclusion collection you want to exclude. You can only select a single collection for
exclusion.

4. Select OK to close and save the configuration.


After clients in the excluded collection update policy, they don't automatically install
client updates. For more information, see How to upgrade clients for Windows
computers.

Note

Excluded clients still download and run Ccmsetup, but don't upgrade.

When you remove a client from the exclude collection, it doesn't automatically upgrade
until the next auto-upgrade cycle.

How to upgrade an excluded client


If a device is a member of a collection that you excluded from upgrade, you can still
upgrade the client using one of the following methods:

Client push installation: Ccmsetup allows client push installation because it's your
direct intent. This method lets you upgrade a client without removing it from the
collection, or removing the entire collection from exclusion.

Manual client installation: Manually upgrade an excluded client by using the
following Ccmsetup command-line parameter: /IgnoreSkipUpgrade

If you attempt to manually upgrade a client that's a member of the excluded
collection, and don't use this parameter, the client doesn't upgrade. For more
information, see How to install Configuration Manager clients manually.

Next steps
How to upgrade clients for Windows computers

Extended interoperability client


How to upgrade clients for Windows
computers in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Upgrade the Configuration Manager client on Windows computers using client
installation methods or the automatic client upgrade feature. The following client
installation methods are valid ways to upgrade client software on Windows computers:

Group policy installation

Logon script installation

Manual installation

Upgrade installation

For more information, see How to deploy clients to Windows computers.

Exclude clients from upgrade by specifying an exclusion collection. For more
information, see How to exclude clients from upgrade. Excluded clients still download
and run CCMSETUP, but won't upgrade.

Tip

If you upgrade your server infrastructure from a previous version of Configuration
Manager, complete the server upgrades before upgrading the Configuration
Manager clients. This process includes installing all current branch updates. The
latest current branch update contains the latest version of the client. Upgrade
clients after you have installed all of the Configuration Manager updates.

Note

If you plan to reassign the site for the clients during upgrade, specify the new site
using the SMSSITECODE client.msi property. If you use the value of AUTO for
SMSSITECODE, also specify SITEREASSIGN=TRUE. This property allows for automatic
site reassignment during upgrade. For more information, see Client installation
properties - SMSSITECODE.

About automatic client upgrade

Configure the site to automatically upgrade clients to the latest Configuration Manager
version. When Configuration Manager identifies an assigned client's version is earlier
than the hierarchy version, it automatically upgrades the client. This scenario includes
upgrading the client to the latest version when it attempts to assign to a Configuration
Manager site.

A client can automatically upgrade in the following scenarios:

The client version is earlier than the version used in the hierarchy.

The client on the central administration site (CAS) has a language pack installed
and the existing client doesn't.

A client prerequisite in the hierarchy is a different version than the one installed on
the client.

One or more of the client installation files are a different version.

Note

To identify the different versions of the Configuration Manager client in your
hierarchy, use the report Count of Configuration Manager clients by client
versions in the report folder Site - Client Information.

Configuration Manager creates an upgrade package by default. It automatically sends
the package to all distribution points in the hierarchy. If you make changes to the client
package on the CAS, Configuration Manager automatically updates the package, and
redistributes it. An example change is when you add a client language pack. If you
enable automatic client upgrade, every client automatically installs the new client
language package.

Enable automatic client upgrade across your hierarchy. This configuration keeps your
clients up to date with less effort.

If you also manage your Configuration Manager site systems as clients, determine
whether to include them as part of the automatic upgrade process. You can exclude all
servers, or a specific collection from client upgrade. Some Configuration Manager site
roles share the client framework. For example, the management point and pull
distribution point. These roles upgrade when you update the site, so the client version
on these servers updates at the same time.

Configure automatic client upgrade

Use the following procedure to configure automatic client upgrade at the CAS. This
configuration applies to all clients in your hierarchy.

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and then select the Sites node.

2. On the Home tab of the ribbon, in the Sites group, select Hierarchy Settings.

3. Switch to the Client Upgrade tab. Review the version and date of the production
client. Make sure it's the version you want to use to upgrade your clients. If it's not
the client version you expect, you may need to promote the pre-production client
to production. For more information, see How to test client upgrades in a pre-
production collection.

4. Select Upgrade all clients in the hierarchy using the production client. Select OK
to confirm.

5. If you don't want client upgrades to apply to servers, select Do not upgrade
servers.

6. Specify the number of days in which devices must upgrade the client. After the
device receives policy, it upgrades the client at a random interval within this
number of days. This behavior prevents a large number of clients simultaneously
upgrading.

Note

A computer must be running to upgrade the client. If a computer isn't running
when it's scheduled to receive the upgrade, the upgrade doesn't occur. When
the computer turns on, and it receives policy, it schedules the upgrade for a
random time within the allowed number of days. If this occurs after the
number of days to upgrade has expired, it schedules the upgrade at a random
time within 24 hours after the computer was turned on.

Because of this behavior, computers that are routinely shut down may take
longer to upgrade than expected if the randomly scheduled upgrade time
isn't within the normal working hours.

7. To exclude clients from upgrade, select Exclude specified clients from upgrade,
and specify the collection to exclude. For more information, see Exclude clients
from upgrade.

8. If you want the site to copy the client installation package to distribution points
that you've enabled for prestaged content, select the option to Automatically
distribute client installation package to distribution points that are enabled for
prestaged content.

9. Select OK to save the settings and close Hierarchy Settings Properties.

Clients receive these settings when they next download policy.

Note

Client upgrades honor any Configuration Manager maintenance windows you've
configured. The ClientServicing thread only runs the client setup bootstrap
program (ccmsetup.exe) during a maintenance window. For more information on a
known issue, see Client upgrade and maintenance windows.

If the device runs an edition of Windows with a write filter, ccmsetup tries to
download and install at the same time. Otherwise, ccmsetup randomizes a time to
download content. After it downloads content and compiles the local policy,
ClientServicing schedules the client upgrade during the next maintenance window.

Known issues

Client upgrade and maintenance windows

For clients running version 2111 or earlier, when you upgrade them to a later version, the
process only honors any business hours that the user defines. It doesn't use the
administrator-defined maintenance window. For example:

Administrator-defined maintenance window: 12 AM - 5 AM
User-defined business hours: 5 AM - 10 PM

The client upgrade starts at 10 PM, after the business hours end. It doesn't wait until the start
of the maintenance window at 12 AM.

This issue is fixed in the version 2203 client. When you upgrade clients from version
2203 or later to a newer version, they honor maintenance windows.
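
The scheduling rules in step 6, the Note that follows it, and this known issue are easy to misjudge for a device that's powered off for days. The following Python model is an added illustration, not Configuration Manager code, that applies those rules as the text states them: a random time within the remaining upgrade window, a 24-hour window when policy arrives after the deadline has passed, and an actual start time that depends on whether the client is older than version 2203 (only the user's business hours are honored) or 2203 and later (the maintenance window is honored). The maintenance window and business hours are the example values from this section. The assumption that the N-day window is counted from the moment the hierarchy setting took effect, and the dates in the demo function, are the model's own.

```python
"""Model of the automatic client-upgrade scheduling rules (added example)."""
from __future__ import annotations

import random
from datetime import datetime, time, timedelta

# Example values from the known-issue text: maintenance window 12 AM - 5 AM,
# user-defined business hours 5 AM - 10 PM.
MAINTENANCE_WINDOW = (time(0, 0), time(5, 0))
BUSINESS_HOURS = (time(5, 0), time(22, 0))
HONORS_MAINTENANCE_WINDOW_FROM = 2203  # client version that fixed the issue


def pick_upgrade_time(setting_applied: datetime, days: int,
                      policy_received: datetime, rng: random.Random) -> datetime:
    """Random upgrade time a client schedules after it receives policy.

    Assumption of this model: the N-day window starts when the hierarchy
    setting took effect (setting_applied), which is what lets it expire
    before a long-powered-off device ever sees the policy.
    """
    window_end = setting_applied + timedelta(days=days)
    if policy_received >= window_end:
        # Deadline already passed when the device came online: the client
        # instead picks a random time within 24 hours of receiving policy.
        window_end = policy_received + timedelta(hours=24)
    span = (window_end - policy_received).total_seconds()
    return policy_received + timedelta(seconds=rng.random() * span)


def _in_window(t: time, window: tuple[time, time]) -> bool:
    start, end = window
    assert start < end, "model only handles windows that don't cross midnight"
    return start <= t < end


def _next_occurrence(after: datetime, at: time) -> datetime:
    """First wall-clock occurrence of `at` strictly after `after`."""
    candidate = datetime.combine(after.date(), at)
    return candidate if candidate > after else candidate + timedelta(days=1)


def actual_start(scheduled: datetime, client_version: int,
                 maintenance_window: tuple[time, time] = MAINTENANCE_WINDOW,
                 business_hours: tuple[time, time] = BUSINESS_HOURS) -> datetime:
    """When ccmsetup actually runs for a client of the given version."""
    if client_version < HONORS_MAINTENANCE_WINDOW_FROM:
        # 2111 and earlier: only the user's business hours are honored, so the
        # upgrade runs as soon as they end, ignoring the maintenance window.
        if _in_window(scheduled.time(), business_hours):
            return _next_occurrence(scheduled, business_hours[1])
        return scheduled
    # 2203 and later: wait for the next maintenance window.
    if _in_window(scheduled.time(), maintenance_window):
        return scheduled
    return _next_occurrence(scheduled, maintenance_window[0])


def demo() -> dict[str, object]:
    """Walk the text's example through both rules; datetimes as ISO strings."""
    rng = random.Random(7)
    applied = datetime(2024, 3, 1, 9, 0)
    on_time = datetime(2024, 3, 2, 9, 0)      # device online inside the window
    late = datetime(2024, 3, 20, 8, 0)        # device online after it expired
    picked = pick_upgrade_time(applied, 7, on_time, rng)
    picked_late = pick_upgrade_time(applied, 7, late, rng)
    scheduled = datetime(2024, 3, 3, 14, 0)   # 2 PM, inside business hours
    return {
        "picked_within_window": on_time <= picked < applied + timedelta(days=7),
        "late_pick_within_24h": late <= picked_late < late + timedelta(hours=24),
        "start_2111": actual_start(scheduled, 2111).isoformat(),
        "start_2203": actual_start(scheduled, 2203).isoformat(),
        "start_2203_in_window": actual_start(datetime(2024, 3, 3, 3, 0), 2203).isoformat(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the model with the section's example values gives the two outcomes described above: a 2111 client scheduled at 2 PM starts at 10 PM that evening, while a 2203 client waits until the maintenance window opens at midnight.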

Next steps
For alternative methods to upgrade clients, see How to deploy clients to Windows
computers.

Exclude specific clients from automatic upgrade. For more information, see How to
exclude clients from upgrade.
How to upgrade clients on Mac computers in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in January 2022, this feature of Configuration Manager is deprecated. For
more information, see Mac computers.

Follow the high-level steps in this article to upgrade the client for Mac computers by
using a Configuration Manager application. You can also download the Mac client
installation file, copy it to a shared network location or a local folder on the Mac
computer, and then instruct users to manually run the installation.

Note

Before you do these steps, make sure that your Mac computer meets the
prerequisites. For more information, see Supported operating systems for Mac
computers.

Download the latest Mac client

The Mac client for Configuration Manager isn't supplied on the Configuration Manager
installation media. The Mac client installation files are contained in a Windows Installer
file named ConfigmgrMacClient.msi.

Note

The macOS client installation package isn't available for new deployments, but
existing deployments are supported until December 31, 2022.

Create the Mac client installation file

On a computer that runs Windows, run ConfigmgrMacClient.msi. This installer unpacks
the Mac client installation file, named Macclient.dmg. By default, you can find this file in
the following folder: C:\Program Files\Microsoft\System Center Configuration
Manager for Mac client.

Extract the client installation files

Copy Macclient.dmg to a Mac computer. Mount the Macclient.dmg file in macOS, and
then copy the contents to a folder on the Mac computer.

Create a .cmmac file

1. Open the Tools folder of the Mac client installation files. Use the CMAppUtil tool
to create a .cmmac file from the client installation package. You'll use this file to
create the Configuration Manager application.

2. Copy the new CMClient.pkg.cmmac file to a network location that's available to
the computer running the Configuration Manager console.

For more information, see the Supplemental procedures to create and deploy
applications for Mac computers.

Create and deploy the app

1. In the Configuration Manager console, create an application from the
CMClient.pkg.cmmac file.

2. Deploy this application to Mac computers in your hierarchy.

Install the updated client

The existing Configuration Manager client on Mac computers prompts the user that
an update is available to install. After users install the client, they must restart their Mac
computer.

After the computer restarts, the Computer Enrollment wizard automatically runs to
request a new user certificate.

If you don't use Configuration Manager enrollment, but install the client certificate
independently from Configuration Manager, see Configure clients to use an existing
certificate.

Configure clients to use an existing certificate

Use this procedure to prevent the Computer Enrollment Wizard from running, and to
configure the upgraded client to use an existing client certificate.

1. In the Configuration Manager console, create a configuration item of the type Mac
OS X.

2. Add a setting to this configuration item with the setting type Script.

3. Add the following script to the setting:

Shell

#!/bin/sh
# Import an existing root and client certificate into the System keychain and
# point the Mac client at the management point so that the Computer
# Enrollment wizard doesn't run. The folder, the .pfx passwords (ROOT and
# MAC), the management point URL, and the SubjectName value are the example
# values from this procedure; replace them with your own.

echo "Starting script"

echo "Changing directory to MAC Client"
cd /Users/Administrator/Desktop/'MAC Client'/ || exit 1

echo "Import root cert"
/usr/bin/sudo /usr/bin/security import /Users/Administrator/Desktop/'MAC Client'/Root.pfx -A -k /Library/Keychains/System.keychain -P ROOT

echo "Using openssl to convert pfx to a crt"
/usr/bin/sudo openssl pkcs12 -in /Users/Administrator/Desktop/'MAC Client'/Root.pfx -out Root1.crt -nokeys -clcerts -passin pass:ROOT

echo "Adding trust to root cert"
/usr/bin/sudo /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain Root1.crt

echo "Import client cert"
/usr/bin/sudo /usr/bin/security import /Users/Administrator/Desktop/'MAC Client'/MacClient.pfx -A -k /Library/Keychains/System.keychain -P MAC

echo "Executing ccmsetup with MP"
sudo ./ccmsetup -MP https://SCCM34387.SCCM34387DOM.NET/omadm/cimhandler.ashx

echo "Editing Plist file"
# PlistBuddy entries start with ':' (Add :Key type value).
sudo /usr/libexec/PlistBuddy -c 'Add :SubjectName string CMMAC003L' /Library/'Application Support'/Microsoft/CCM/ccmclient.plist

echo "Changing directory to CCM"
cd /Library/'Application Support'/Microsoft/CCM/ || exit 1

echo "Making connection to the server"
sudo open ./CCMClient

echo "Ending Script"
exit 0

4. Add the configuration item to a configuration baseline. Then deploy the
configuration baseline to all Mac computers that install a certificate independently
from Configuration Manager.

The script carries the .pfx import passwords (ROOT and MAC) in clear text and passes
them on the command line, where they're visible to anyone who can read the baseline or
list processes on the Mac. Protect the .pfx files and this script as you would the private
keys they contain, and delete the .pfx files from the Mac after the import succeeds.
Manage clients over the internet with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Typically in Configuration Manager, most of the managed computers and servers are
physically on the same internal network as the site system servers that perform
management functions. However, you can also manage clients outside your internal network
when they're connected to the internet. This ability doesn't require the clients to
connect through a VPN to reach the site system servers.

Configuration Manager provides two ways to manage internet-connected clients:

Cloud management gateway
Internet-based client management

Note

You can use a combination of both services for a single site. If a device gets policy
from the site for both IBCM and CMG, it randomly chooses between them for
communication. The only mechanism available to control that choice is client
authentication. For example, if an Azure AD-joined client doesn't trust the server
authentication certificate of the internet-based management point, it can only use
the CMG. If a domain-joined client doesn't trust the server authentication certificate
of the CMG, it can only use the internet-based management point.
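
The note above says the only lever over which internet endpoint a dual-policy client uses is whether it trusts each endpoint's server authentication certificate. The following Python example is added here to show that decision as code; it isn't Configuration Manager client code. It pairs a real trust probe (a TLS handshake against a host, validated against either the default trust store or an explicit CA file) with a selector that picks randomly among the endpoints that pass. The Endpoint class, the hostname ibcm-mp.contoso.com, the two sample trust stores standing in for an Azure AD-joined and a domain-joined client, and the demo function are all constructed for the example; the CMG hostname reuses the GraniteFalls example name that appears on this page.

```python
"""Which internet endpoint a dual-policy client can use (added example)."""
from __future__ import annotations

import random
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Endpoint:
    kind: str   # "IBCM" (internet-based management point) or "CMG"
    host: str   # FQDN the client would connect to


def server_cert_trusted(host: str, port: int = 443,
                        cafile: str | None = None, timeout: float = 5.0) -> bool:
    """Real trust probe: True if a TLS handshake to host validates.

    cafile reproduces a specific client's view: pass only the internal PKI
    root to see what a domain-joined client without the public root accepts.
    A verification failure returns False; network errors propagate so they
    aren't mistaken for a trust decision.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


def usable_endpoints(endpoints: Iterable[Endpoint],
                     trusted: Callable[[str], bool]) -> list[Endpoint]:
    """Endpoints whose server authentication certificate the client trusts."""
    return [e for e in endpoints if trusted(e.host)]


def choose_endpoint(endpoints: Iterable[Endpoint], trusted: Callable[[str], bool],
                    rng: random.Random) -> Endpoint | None:
    """The client's choice: random among usable endpoints, None if none."""
    usable = usable_endpoints(endpoints, trusted)
    return rng.choice(usable) if usable else None


# Constructed sample policy: one internet-based MP and one CMG.
SAMPLE_POLICY = (
    Endpoint("IBCM", "ibcm-mp.contoso.com"),
    Endpoint("CMG", "GraniteFalls.EastUS.CloudApp.Azure.Com"),
)

# Constructed trust stores: which hosts each client type would validate.
# The Azure AD-joined client here carries only the public root the CMG
# certificate chains to; the domain-joined client only the internal PKI root.
AZURE_AD_JOINED = {"GraniteFalls.EastUS.CloudApp.Azure.Com"}
DOMAIN_JOINED = {"ibcm-mp.contoso.com"}


def demo() -> dict[str, object]:
    """Outcomes for the client situations the note describes."""
    rng = random.Random(1)
    both = AZURE_AD_JOINED | DOMAIN_JOINED
    seen = {choose_endpoint(SAMPLE_POLICY, both.__contains__, rng).kind
            for _ in range(50)}
    return {
        "azure_ad_joined": [e.kind for e in usable_endpoints(SAMPLE_POLICY, AZURE_AD_JOINED.__contains__)],
        "domain_joined": [e.kind for e in usable_endpoints(SAMPLE_POLICY, DOMAIN_JOINED.__contains__)],
        "trusts_neither": choose_endpoint(SAMPLE_POLICY, lambda _host: False, rng),
        "trusts_both_kinds_seen": sorted(seen),
    }


if __name__ == "__main__":
    print(demo())
    # Against live endpoints, swap the stub sets for the real probe:
    #   usable_endpoints(SAMPLE_POLICY, server_cert_trusted)
```

When both certificates validate, repeated draws hit both the IBCM management point and the CMG, which is the "randomizes between them" behavior the note describes; a client that trusts neither has no usable endpoint at all, which is worth checking before assuming a device is simply offline.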

Cloud management gateway

The cloud management gateway provides management of internet-based clients. It uses
a combination of a Microsoft Azure cloud service and an on-premises site system role
that communicates with that service. Internet-based clients use the cloud service to
communicate with the on-premises Configuration Manager site.

CMG advantages

No additional on-premises infrastructure investment required.
Doesn't expose on-premises infrastructure to the internet.
Cloud virtual machines that run the service are fully managed by Azure and require
no maintenance.
Easily set up and configured in the Configuration Manager console.

CMG disadvantages

Cloud subscription cost.
Management data is sent through the cloud service.

Internet-based client management

This method relies on internet-facing site system servers with which clients communicate
directly for management purposes. It requires clients and site system servers to be
configured for internet-based client management (IBCM).

IBCM advantages

No cloud service dependency.
No additional cost associated with a cloud subscription.
Full control of the servers and roles that provide the service.

IBCM disadvantages

Requires additional infrastructure investment.
Overhead and operational cost of additional infrastructure.
Infrastructure must be exposed to the internet.

Next steps
Overview of cloud management gateway

Plan for internet-based client management


Cloud management gateway overview
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The cloud management gateway (CMG) provides a simple way to manage Configuration
Manager clients over the internet. You deploy the CMG as a cloud service in Microsoft
Azure. Then, without more on-premises infrastructure, you can manage clients that roam
on the internet or are in branch offices across the WAN. You also don't need to expose
your on-premises infrastructure to the internet.

After establishing the prerequisites, creating the CMG consists of the following three
steps in the Configuration Manager console:

1. Deploy the CMG cloud service to Azure.
2. Add the CMG connection point role.
3. Configure the site and site roles for the service.

Once deployed and configured, clients seamlessly access on-premises site roles whether
they're on the intranet or the internet.

This article provides the foundational knowledge to learn about the CMG and the
scenarios where you can use it.

Scenarios

There are several scenarios for which a CMG is beneficial. The following scenarios are
some of the more common:

Manage traditional Windows clients with Active Directory domain-joined identity.
These clients include any supported version of Windows. This scenario uses PKI
certificates to secure the communication channel. Management activities include:
Software updates and endpoint protection
Inventory and client status
Compliance settings
Software distribution to the device
Windows in-place upgrade task sequence

Manage traditional Windows 10 or later clients with modern identity, either hybrid
or pure cloud domain-joined with Azure Active Directory (Azure AD). Clients use
Azure AD to authenticate rather than PKI certificates. Using Azure AD is simpler to
set up, configure, and maintain than more complex PKI systems. Management
activities are the same as in the first scenario, plus:
Software distribution to the user

Install the Configuration Manager client on Windows 10 or later devices over the
internet. Using Azure AD allows the device to authenticate to the CMG for client
registration and assignment. You can install the client manually, or by using another
software distribution method, such as Microsoft Intune.

New device provisioning with co-management. When auto-enrolling existing
clients, a CMG isn't required for co-management. It's required for new devices
provisioned with Windows Autopilot, Azure AD, Microsoft Intune, and Configuration
Manager. For more information, see Paths to co-management.

Specific use cases

Across these scenarios, the following specific device use cases may apply:

Roaming devices such as laptops.
Remote/branch office devices that are less expensive and more efficient to manage
over the internet than across a WAN or through a VPN.
Mergers and acquisitions, where it may be easiest to join devices to Azure AD and
manage them through a CMG.
Workgroup clients. These devices may require other configurations, such as
certificates. To help with management of remote workgroup clients, use Configuration
Manager token-based authentication. For more information, see Token-based
authentication for CMG.

Important

By default, all clients receive policy for a CMG and start using it when they become
internet-based. Depending upon the scenario and use case that applies to your
organization, you may need to scope usage of the CMG. For more information, see
the Enable clients to use a cloud management gateway client setting.

Next steps
Develop your design and plan for implementing a CMG in your environment:

Plan for the CMG


Plan for the CMG in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To simplify management of internet-based clients, first develop a plan for the cloud
management gateway (CMG). Design how it fits in your environment and prepare for
your implementation.

For more foundational knowledge of CMG scenarios and use cases, see Overview of
CMG.

Note

Some sections that were previously in this article have moved:

Hierarchy design: CMG hierarchy design
Performance and scale: CMG performance and scale

Planning checklist

The overall CMG planning process is divided into the following parts:

Components and requirements: This article summarizes the components that make
up the CMG system. It also lists the system requirements.

Client authentication: Determine which authentication method you'll use for clients
from potentially untrusted networks.

Hierarchy design: Plan where to place the CMG in your environment.

Supported configurations: Understand which Configuration Manager features you
can support on internet-based clients that connect to the CMG.

Performance and scale: Decide how many service components you'll need to best
support your number of clients.

Cost: Understand the cost of the Azure-based components.

CMG components

Deployment and operation of the CMG includes the following components:

The CMG cloud service in Azure authenticates and forwards Configuration
Manager client requests over the internet to the on-premises CMG connection
point.

The CMG connection point site system role enables a consistent and
high-performance connection from the on-premises network to the CMG service in
Azure. It also publishes settings to the CMG, including connection information and
security settings. The CMG connection point forwards client requests from the
CMG to on-premises roles according to URL mappings, for example, the
management point and software update point.

The service connection point site system role runs the cloud service manager
component, which handles all CMG deployment tasks. Additionally, it monitors and
reports service health and logging information from Azure Active Directory (Azure
AD). Make sure your service connection point is in online mode.

The management point and software update point site system roles service client
requests as normal.

The CMG uses a certificate-based HTTPS web service to help secure network
communication with clients.

Internet-based clients connect to the CMG to access on-premises Configuration
Manager components. There are multiple options for client identity and
authentication:
Azure AD
PKI certificates
Configuration Manager site-issued tokens

For more information, see Plan for CMG client authentication.

The CMG creates an Azure storage account, which it uses for its standard
operations. By default, the CMG is also content-enabled to provide deployment
content to internet-based clients. This storage account doesn't support
customizations, such as virtual network restrictions.

Note

The cloud-based distribution point (CDP) is deprecated. Starting in version
2107, you can't create new CDP instances. To provide content to internet-based
devices, enable the CMG to distribute content.

Azure Resource Manager

You create the CMG using an Azure Resource Manager deployment. Azure Resource
Manager is a modern platform for managing all solution resources as a single entity,
called a resource group. When you deploy a CMG with Azure Resource Manager, the
site uses Azure Active Directory (Azure AD) to authenticate and create the necessary
cloud resources.

Important

Starting in version 2203, the option to deploy a CMG as a cloud service (classic) is
removed. All CMG deployments should use a virtual machine scale set. For more
information, see Removed and deprecated features.

Virtual machine scale sets

Note

This feature was first introduced in version 2010 as a pre-release feature. Starting
in version 2107, it's no longer a pre-release feature.

Configuration Manager doesn't enable this optional feature by default. You must
enable this feature before using it. For more information, see Enable optional
features from updates.

Starting in version 2010, customers with a Cloud Solution Provider (CSP) subscription
can deploy the CMG with a virtual machine scale set in Azure. This support applies only if
they don't currently have a CMG deployed using classic cloud services in another
subscription.

Starting in version 2107, all customers can deploy a CMG with a virtual machine scale
set. If you have an existing CMG deployed with the classic cloud service, convert the
CMG to use a virtual machine scale set.

With a few exceptions, the configuration, operation, and functionality of the CMG
remain the same. The exceptions are:

Other Azure resource providers in your Azure subscription.

Different deployment names, for example,
GraniteFalls.EastUS.CloudApp.Azure.Com for a deployment in the East US Azure
region. This name change can affect how you create and manage the CMG server
authentication certificate.

The CMG connection point only communicates with the virtual machine scale set in
Azure over HTTPS. It doesn't require TCP-TLS ports.

Limitations for a CMG with a virtual machine scale set

Limitations with versions 2107 and later

Note

Starting in version 2111, CMG deployments with a virtual machine scale set support
Azure US Government cloud environments.

Users may experience a delay of up to three seconds for actions in Software Center.
You can't approve or deny application requests through the CMG.
Version 2107 doesn't support Azure US Government cloud environments.

Limitations with versions 2010 and 2103

If you require more than one CMG instance, they all have to use the same
deployment method.
The supported number of concurrent client connections is 2,000 per VM instance.
For more information, see CMG performance and scale.
It's only supported with a standalone primary site.
It doesn't support Azure US Government cloud environments.
Users may experience a delay of up to three seconds for actions in Software
Center.
Configuration Manager creates the Azure storage container based on the
name of the resource group. Azure has different naming requirements for resource
groups and storage containers. Make sure the name of the resource group for this
service only has lowercase letters, numbers, and hyphens. If you have an existing
resource group that doesn't work, rename it in the Azure portal, or create a new
resource group.
If you have more than one HTTPS management point, then you can't install the
Configuration Manager client on devices over the internet. If you need to install
off-premises clients using a CMG, then you can only have one HTTPS management
point. You also need to enable the CMG for content.
You can't approve or deny application requests through the CMG.

Requirements

Tip

To clarify some Azure terminology:

The Azure AD tenant is the directory of user accounts and app registrations.
One tenant can have multiple subscriptions.
An Azure subscription separates billing, resources, and services. It's associated
with a single tenant.

For more information, see Subscriptions, licenses, accounts, and tenants for
Microsoft's cloud offerings.

An Azure subscription to host the CMG. This subscription can be in one of the
following environments:
Global Azure cloud
Azure US Government cloud

Customers with a Cloud Solution Provider (CSP) subscription need to use version
2010 or later with a virtual machine scale set deployment.

Integrate the site with Azure AD to deploy the service with Azure Resource
Manager. For more information, see Configure Azure AD for CMG.

When you onboard the site to Azure AD, you can optionally enable Azure AD user
discovery. It isn't required to create the CMG, but it's required if you plan to use Azure
AD authentication with hybrid identities. For more information, see Install clients
using Azure AD and About Azure AD user discovery.

An Azure administrator needs to participate in the initial creation of certain
components. This persona can be the same as the Configuration Manager
administrator, or separate. If separate, they don't require permissions in
Configuration Manager.

When you integrate the site with Azure AD for deploying the CMG using Azure
Resource Manager, you need a Global Administrator.

When you create the CMG, you need an account that is an Azure Subscription
Owner and an Azure AD Global Administrator.

Your user account needs to be a Full administrator or Infrastructure administrator
in Configuration Manager.

At least one on-premises Windows server to host the CMG connection point. You
can colocate this role with other Configuration Manager site system roles.

The service connection point must be in online mode.

Configure the management point to allow traffic from the CMG. It also needs to
require HTTPS, or configure the site for Enhanced HTTP.

A server authentication certificate for the CMG.

CMG names need to be between 3 and 24 alphanumeric characters. The name must
begin with a letter, end with a letter or digit, and not contain consecutive hyphens.

Other certificates may be required, depending upon your client OS version and
authentication model. For more information, see Configure client authentication.

Clients must use IPv4.

Make sure the following client settings in the Cloud services group are enabled for
devices that will use the CMG:
Enable clients to use a cloud management gateway
Allow access to cloud distribution point

Note

If you enable the client setting to Download delta content when available,
the content for third-party updates won't download to clients.

Next steps
Next, determine how clients will authenticate with the CMG:
Plan for CMG client authentication

CMG client authentication
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Clients that connect to a cloud management gateway (CMG) are potentially on the
untrusted public internet. Because of the client's origin, they have a higher
authentication requirement. There are three options for identity and authentication with
a CMG:

Azure AD
PKI certificates
Configuration Manager site-issued tokens

The following table summarizes the key factors for each method:

                        Azure AD             PKI certificate    Site token
ConfigMgr version       All supported        All supported      All supported
Windows client version  Windows 10 or later  All supported      All supported
Scenario support        User and device      Device-only        Device-only
Management point        E-HTTP or HTTPS      E-HTTP or HTTPS    E-HTTP or HTTPS

Microsoft recommends joining devices to Azure AD. Internet-based devices can use
Azure AD modern authentication with Configuration Manager. It also enables both
device and user scenarios whether the device is on the internet or connected to the
internal network.

You can use one or more methods. Not all clients have to use the same method.

Whichever method you choose, you may also need to reconfigure one or more
management points. For more information, see Configure client authentication for CMG.

Azure AD

If your internet-based devices are running Windows 10 or later, consider using Azure AD
modern authentication with the CMG. This authentication method is the only one that
enables user-centric scenarios, for example, deploying apps to a user collection.

First, the devices need to be either cloud domain-joined or hybrid Azure AD-joined, and
the user also needs an Azure AD identity. If your organization is already using Azure AD
identities, then you should be set with this prerequisite. If not, talk with your Azure
administrator to plan for cloud-based identities. For more information, see Azure AD
device identity. Until that process is complete, consider token-based authentication for
internet-based clients with your CMG.

There are a few other requirements, depending upon your environment:

Enable user discovery methods for hybrid identities
Enable ASP.NET 4.5 on the management point
Configure client settings

For more information on these prerequisites, see Install clients using Azure AD.

Note

If your devices are in an Azure AD tenant that's separate from the tenant with a
subscription for the CMG compute resources, starting in version 2010 you can
disable authentication for tenants not associated with users and devices. For more
information, see Configure Azure services.

PKI certificate

If you have a public key infrastructure (PKI) that can issue client authentication
certificates to devices, then consider this authentication method for internet-based
devices with your CMG. It doesn't support user-centric scenarios, but it supports devices
running any supported version of Windows.

Tip

Windows devices that are hybrid or cloud domain-joined don't require this
certificate because they use Azure AD to authenticate.

This certificate may also be required on the CMG connection point.

Site token

If you can't join devices to Azure AD or use PKI client authentication certificates, then
use Configuration Manager token-based authentication. Site-issued client
authentication tokens work on all supported client OS versions, but only support device
scenarios.

If clients occasionally connect to your internal network, they're automatically issued a
token. They need to communicate directly with an on-premises management point to
register with the site and get this client token.

If you can't register clients on the internal network, you can create and deploy a bulk
registration token. The bulk registration token enables the client to initially install and
communicate with the site. This initial communication lasts long enough for the site to
issue the client its own, unique client authentication token. The client then uses its
authentication token for all communication with the site while it's on the internet.

Next steps

Next, design how to use a CMG in your hierarchy:

CMG hierarchy design


CMG hierarchy design
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Whether you have a central administration site (CAS), a standalone primary site, or a
small test lab, design the cloud management gateway (CMG) for that environment. This
article provides the information to help you decide how to position the CMG in your
environment.

Create the CMG at the top-tier site of your hierarchy. If that's a CAS, then create CMG
connection points at child primary sites. The cloud service manager component is on the
service connection point, which is also on the CAS. This design can share the service
across different primary sites if needed.

You can create multiple CMG services in Azure, and you can create multiple CMG
connection points. Multiple CMG connection points provide load balancing of client
traffic from the CMG to the on-premises roles.

Other factors, such as the number of clients to manage, also affect your CMG design.
For more information, see Performance and scale.

Design examples

Example 1: Standalone primary site


Contoso has a standalone primary site in an on-premises datacenter at their
headquarters in New York City.

They create a CMG in the East US Azure region to reduce network latency.
They create two CMG connection points, both linked to the single CMG service.

As clients roam onto the internet, they communicate with the CMG in the East US Azure
region. The CMG forwards this communication through both of the CMG connection
points.

Example 2: Hierarchy
Fourth Coffee has a CAS in an on-premises datacenter at their headquarters in Seattle.
One primary site is in the same datacenter, and the other primary site is in their main
European office in Paris.
On the CAS, they create a CMG service in the West US Azure region. They scale the
number of VMs for the expected load of roaming clients in the entire hierarchy.
On the Seattle-based primary site, they create a CMG connection point linked to
the single CMG.
On the Paris-based primary site, they create a CMG connection point linked to the
single CMG.

As clients roam onto the internet, they communicate with the CMG in the West US
Azure region. The CMG forwards this communication to the CMG connection point in
the client's assigned primary site.

 Tip

You don't need to deploy more than one CMG for the purposes of geolocation. The
Configuration Manager client is mostly unaffected by the slight latency that can
occur with the cloud service, even when geographically distant.

Test environments
Many organizations have separate environments for production, test, development, or
quality assurance. When you plan your CMG deployment, consider the following
questions:

How many Azure AD tenants does your organization have?


Is there a separate tenant for testing?
Are user and device identities in the same tenant?

How many subscriptions are in each tenant?


Are there subscriptions that are specific for testing?

Configuration Manager's Azure service for Cloud management supports multiple


tenants. Multiple Configuration Manager sites can connect to the same tenant. A single
site can deploy multiple CMG services into different subscriptions. Multiple sites can
deploy CMG services into the same subscription. Configuration Manager provides
flexibility depending upon your environment and business requirements.

For more information, see the following FAQ: Do the user accounts have to be in the
same Azure AD tenant as the tenant associated with the subscription that hosts the
CMG cloud service?

Boundary groups
You can associate a CMG with a boundary group. This configuration allows clients to
default or fall back to the CMG for client communication according to boundary group
relationships. This behavior is especially useful in branch office and VPN scenarios. You
can direct client traffic away from expensive and slow WAN links to instead use faster
services in Microsoft Azure.

Intranet clients can access a CMG-enabled software update point when it's assigned to a
boundary group. For more information, see Configure boundary groups.

Internet-based clients don't rely on boundary groups. They only use internet-facing or
cloud content sources. If you're only using content-enabled CMGs for these types of
clients, then you don't need to include them in boundary groups.

If you want clients on your internal network to get content from a CMG, then it needs to
be in the same boundary group as the clients. By default, clients prioritize cloud-based
sources last in their list of content sources. This behavior is because there's a cost
associated with downloading content from Azure. Cloud-based sources are typically
used as a fallback source for intranet-based clients. If you want a cloud-first design, then
design your boundary groups to meet this business requirement. For more information,
see Configure boundary groups. For more information on content location priority and
when intranet-based clients use a cloud-based content source, see Content source
priority.

Even though you install the CMG in a specific region of Azure, clients aren't aware of the
Azure regions. They randomly select an available CMG as a content source. If you have
CMGs in multiple regions, and a client receives more than one in the content location
list, it may not download content from the same Azure region.

Next steps
Next, review the features and configurations that the CMG supports:

Supported configurations for CMG

Supported configurations for cloud management gateway
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

Use this article as a reference for the features and configurations that are supported by
the Configuration Manager cloud management gateway (CMG).

Specifications
All Windows versions listed in Supported operating systems for clients and devices
are supported for CMG.

CMG only supports the management point and software update point roles.

CMG doesn't support clients that only communicate with IPv6 addresses.

Software update points using a network load balancer don't work with CMG.

Starting in version 2203, the option to deploy a CMG as a cloud service (classic) is
removed. All CMG deployments should use a virtual machine scale set. For more
information, see Removed and deprecated features.

CMG names need to be between 3-24 alphanumeric characters. The name must
begin with a letter, end with a letter or digit, and not contain consecutive hyphens.

Support for Configuration Manager features

The following table lists CMG support for Configuration Manager features:

Feature Support

Software updates
Endpoint protection (Note 1)
Hardware and software inventory
Client status and notifications
Run scripts
CMPivot
Compliance settings
Automatic client upgrade
Client install (with Azure AD integration)
Client install (with token authentication)
Software distribution (device-targeted)
Software distribution (user-targeted, required) (with Azure AD integration)
Software distribution (user-targeted, available) (all requirements)
BitLocker Management
Pull distribution point source
Windows in-place upgrade task sequence (Note 2)
Task sequence without a boot image, deployed with the option to Download all content locally before starting task sequence (Note 2)
Task sequence without a boot image, deployed with either download option (Note 2)
Task sequence with a boot image, started from Software Center (Note 2)
Task sequence with a boot image, started from bootable media (Note 2)
Any other task sequence scenario (Note 2)
Content for PXE or multicast-enabled deployments
Client push
Automatic site assignment
Software approval requests
Configuration Manager console
Remote tools (Note 3)
Reporting website
Wake on LAN
macOS clients
Peer cache
On-premises MDM
Alternate content providers (Note 4)
Content for App-V streaming applications
Content for Microsoft 365 Apps updates
Prestage content

Key

= This feature is supported with CMG by all supported versions of Configuration Manager

(YYMM) = This feature is supported with CMG starting with version YYMM of Configuration Manager

= This feature isn't supported with CMG

Support notes

Note 1: Support for endpoint protection

Clients that communicate via a CMG can immediately apply endpoint protection policies
without an active connection to Active Directory.

Note 2: Support for task sequences

For more information about support for deploying a task sequence to a client via the
CMG, see Deploy a task sequence over the internet.

Note 3: Support for remote tools

As announced at Microsoft Ignite 2021, a public preview of the new remote assistance
solution is now available in the Microsoft Intune admin center. This cloud-based tool
can help you more securely support users of Windows devices.

For more information, see the following resources:

Remote Help: a new remote assistance tool from Microsoft (blog post)

Enable remote help scenarios with Microsoft Intune (demo video)

Use Remote Help with Intune and Configuration Manager

Note 4: Support for alternate content providers

Alternate content providers aren't supported to get content from a content-enabled
CMG. You can still use them on a client that communicates with a CMG and gets content
from other supported content locations.

Tip

Starting in version 2203, you can also configure the task sequence to allow token
authentication with alternate content providers. For more information, see Task
sequence variables: SMSTSAllowTokenAuthURLForACP.

Next steps
Next, plan how to design the CMG for the best performance at the appropriate scale:

CMG performance and scale

CMG performance and scale
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The supported scale and performance of the cloud management gateway (CMG) is
based on the number of devices that you expect to simultaneously connect to the
service. Use the information in this article to determine how many of the following
components you need in your environment for the best performance at the appropriate
scale:

CMG cloud service
Virtual machine instances for each CMG
CMG connection point site system on your internal network

Note

Sizing guidance for management points and software update points doesn't
change whether they service on-premises or internet-based clients. For more
information, see Size and scale numbers.

Size and scale for CMG

Unless otherwise noted, this guidance is the same for all deployment models and VM
sizes.

You can install multiple instances of the cloud management gateway (CMG) at
primary sites, or the central administration site (CAS).

Tip

In a hierarchy, create the CMG at the CAS.

One CMG supports up to 16 virtual machine (VM) instances in the Azure cloud
service.

Simultaneous client connections per each CMG VM instance depend upon the
deployment model and VM size. When the CMG is under high load with more than
the supported number of clients, it still handles requests but there may be delay.

Virtual machine scale set (version 2107 and later):
Lab (B2s): 10
Standard (A2_v2): 6,000
Large (A4_v2): 10,000

Important

The Lab (B2s) size VM is only intended for lab testing and small proof-of-concept
environments. It isn't intended for production use with the CMG. The B2s VMs
are low cost and low performing. The Configuration Manager technical preview
branch only supports 10 clients, which is why this size supports that number of
clients.

Virtual machine scale set (version 2010 and 2103 for Cloud Service Provider
(CSP) subscriptions): 2,000

Cloud service (classic) (version 2111 and earlier): 6,000

Important

Starting in version 2203, the option to deploy a CMG as a cloud service
(classic) is removed. All CMG deployments should use a virtual machine
scale set. For more information, see Removed and deprecated features.

Size and scale for CMG connection point

This guidance is the same for all deployment models and VM sizes.

You can install multiple instances of the CMG connection point at primary sites.

One CMG connection point can support a CMG with up to four VM instances. If the
CMG has more than four VM instances, add a second CMG connection point for
load balancing. A CMG with 16 VM instances should be linked with four CMG
connection points.

Note

When considering hardware requirements for the CMG connection point, see
Recommended hardware for remote site system servers.

Improve performance
The following recommendations can help you improve CMG performance:

The connection between the Configuration Manager client and the CMG isn't
region-aware. Client communication is largely unaffected by latency and
geographic separation. It's generally not necessary to deploy multiple CMG for the
purposes of geo-proximity. Deploy the CMG at the top-level site in your hierarchy.
To increase scale, add VM instances.

For high availability of the service, create a CMG with at least two VM instances
and two CMG connection points per site.

Scale the CMG to support more clients by adding more VM instances. The Azure
load balancer controls client connections to the service.

Create more CMG connection points to distribute the load among them. The CMG
distributes the traffic to its connecting CMG connection points in a round-robin
fashion.

Note

The CMG connection point creates a TCP connection to the management point for
each client. While Configuration Manager has no hard limit on the number of
clients for a CMG connection point, Windows Server has a default maximum TCP
dynamic port range of 16,384. If a Configuration Manager site manages more than
16,384 clients with a single CMG connection point, add another site system or
increase the Windows Server limit. All clients maintain a channel for client
notifications, which holds a port open on the CMG connection point. For more
information on how to increase this limit, see Microsoft Support article 929851 .

Content performance
As with any distribution point design, consider the following factors for a
content-enabled CMG:

Number of concurrent client connections
The size of the content that clients download
The length of time allowed to meet your business requirements

Depending upon your design, if clients have the option of more than one CMG for any
given content, then they naturally randomize across those cloud sources. If you only
distribute a certain piece of content to a single CMG, and a large number of clients try
to download this content at the same time, it puts higher load on that single CMG.
Adding another CMG includes a separate Azure storage service. For more information
on how the client communicates with the CMG components and downloads content,
see Data flow.

Note

The Azure storage service supports 500 requests per second for a single file.
Performance testing of a single cloud-based content source supported distribution
of a single 100-MB file to 50,000 clients in 24 hours.

Next steps
Next, understand the costs associated with operating an Azure service for the CMG:

Cost of CMG

Cost of CMG
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The cloud management gateway (CMG) in Configuration Manager uses several
components in Microsoft Azure. These components incur charges to the Azure
subscription account. Some costs are fixed, but some vary depending upon usage.

Important

The following cost information is for estimating purposes only. Your environment
may have other variables that affect the overall cost of using CMG.

To help determine potential costs, use the following Azure resources:

Azure pricing calculator

Note

Virtual machine costs vary by region.

Azure bandwidth pricing details

Note

Pricing for data transfer is tiered. The more you use, the less you pay per
gigabyte.

Compute costs
CMG uses Azure platform as a service (PaaS), which uses virtual machines (VMs). These
VMs incur compute costs. The specific type to use when estimating costs depends upon
which deployment method you use.

Virtual machine scale set

When you deploy the CMG as a virtual machine scale set, the following factors affect the
cost of the service:

In version 2107 and later, you can configure the VM size:
Lab (B2s)
Standard (A2_v2)
Large (A4_v2)

Important

The Lab (B2s) size VM is only intended for lab testing and small proof-of-concept
environments. It isn't intended for production use with the CMG. The
B2s VMs are low cost and low performing.

You can change the VM size after you deploy the CMG. This action updates the
Azure service to use a new VM.

In version 2103 and earlier, the CMG uses a Standard A2_v2 VM. The VM size isn't
configurable. To change the VM size, you need to Redeploy the service.

You select how many VM instances support the CMG. One is the default, and 16 is
the maximum. This number is set when you create the CMG, but you can change it
afterwards to scale the service as needed.

For more information on how many VMs you need to support your clients, see
CMG performance and scale.

Virtual machine

Important

Starting in version 2203, the option to deploy a CMG as a cloud service (classic) is
removed. All CMG deployments should use a virtual machine scale set. For more
information, see Removed and deprecated features.

If you deployed the CMG as a classic cloud service, when estimating cost, this
deployment method replaces the virtual machine scale set. The specific details are
otherwise the same. With this deployment method, it uses a Standard A2_v2 VM. The
VM size isn't configurable. The cost difference between a virtual machine and a virtual
machine scale set should be negligible, but may vary by Azure region.

Outbound data transfer

Charges are based on data flowing out of Azure, otherwise referred to as egress or
download.

CMG data flows out of Azure include policy to the client, client notifications, and
client responses that the CMG forwards to the site. These responses include
inventory reports, status messages, and compliance status.

Even without any clients communicating with a CMG, some background
communication causes network traffic between the CMG and the on-premises site.

View the Outbound data transfer (GB) in the Configuration Manager console. For
more information, see Monitor clients on CMG.

For estimating purposes only, expect approximately 100-300 MB per client per
month for internet-based clients. The lower estimate is for a default client
configuration. The upper estimate is for a more aggressive client configuration.
Your actual usage may vary depending upon how you configure client settings.

Note

Other administrative actions can increase the amount of outbound data
transfer from Azure. For example, deployments for software updates or
applications.

Internet-based clients get Microsoft software update content from Windows
Update at no charge. Don't distribute update packages with Microsoft update
content to a content-enabled CMG. If you do distribute software update packages
to your cloud content sources, you may incur storage and data egress costs.

Misconfiguration of the CMG option to Verify client certificate revocation can
cause more traffic from clients to the CMG. This other traffic can increase the Azure
egress data, which can increase your Azure costs. For more information, see
Publish the certificate revocation list.

Tip

Any data flows into Azure are free. These flows are otherwise referred to as ingress
or upload. When you distribute content from the site to the content-enabled CMG,
you're uploading the content to Azure.

Content storage
Internet-based clients get Microsoft software update content from Windows
Update at no charge. Don't distribute update packages with Microsoft update
content to a content-enabled CMG. If you do distribute software update packages
to your cloud content sources, you may incur storage and data egress costs.

Note

The cloud-based distribution point (CDP) is deprecated. Starting in version 2107,
you can't create new CDP instances. To provide content to internet-based devices,
enable the CMG to distribute content.

CMG uses Azure locally redundant storage (LRS). For more information, see Locally
redundant storage.

For any other necessary content, distribute it to a content-enabled CMG. This other
content includes applications or third-party software updates.

Note

If you enable the client setting to Download delta content when available,
the content for third-party updates won't download to clients.

Other costs
Each distinct CMG has one Basic (ARM) dynamic IP address. If you add other VMs to a
CMG, it doesn't increase the number of these IP addresses. For more information, see IP
addresses pricing .

If you deploy the CMG as a virtual machine scale set, it uses Azure Key Vault. The CMG
usage of Key Vault is low, significantly less than 10,000 operations per month. For more
information, see Key Vault pricing .

If you get a CMG server authentication certificate from a public provider, there's
generally a cost associated with this certificate. For more information, see CMG server
authentication certificate.

Control and monitor

Configuration Manager includes the following options to help control costs and monitor
data access:

Control and monitor the amount of content that you store in a cloud service.

Configure Configuration Manager to alert you when thresholds for client
downloads meet or exceed monthly limits.

For more information, see Monitor CMG.

To help reduce the number of data transfers from cloud-based sources by clients, use
one of the following peer caching technologies:

Configuration Manager peer cache

Windows Delivery Optimization

Windows BranchCache

Note

To enable a content-enabled CMG to use Windows BranchCache, install the
BranchCache feature on the site server. For more information, see Set up
CMG: BranchCache.

For more information, see Fundamental concepts for content management.

Next steps
Now that you have your CMG design, understand the supported configurations and
cost, you're ready to set up the CMG:

Set up checklist for cloud management gateway

Set up checklist for CMG
Article • 11/02/2022

Applies to: Configuration Manager (current branch)

Before you deploy a cloud management gateway (CMG), use this article to understand
the setup process. Also make sure you have all of the prerequisites ready to get started.

First, develop your design and plan for implementing a CMG in your environment. For
more information, see Plan for cloud management gateway. Use that section of articles
to determine your CMG design.

The overall CMG setup process is divided into the following five main parts:

1. Get the CMG server authentication certificate: The CMG uses HTTPS for secure
client communication over the public internet. You can get a certificate from a
public provider, or issue one from your public key infrastructure (PKI).

2. Configure Azure Active Directory (Azure AD): Configuration Manager requires app
registrations in Azure AD. You can let Configuration Manager create them, or an
Azure administrator can pre-create the registrations.

3. Configure client authentication: Because clients communicate across the internet,
Configuration Manager requires more security for this channel. You can use Azure
Active Directory (Azure AD), PKI certificates, or token-based authentication from
the site server.

4. Set up the CMG: This step also includes configuring the site, and adding the CMG
connection point site system role.

5. Configure clients to use the CMG.

The other articles in this section step through each part of the process.

Terminology
The following terms are used in the context of setting up a CMG. They're defined here
for clarity.

Azure AD tenant: The directory of user accounts and app registrations. One tenant
can have multiple subscriptions.

Azure subscription: A subscription separates billing, resources, and services. It's
associated with a single tenant.

Tip

For more information, see Subscriptions, licenses, accounts, and tenants for
Microsoft's cloud offerings.

Azure resource group: A container that holds related resources for an Azure
solution. The resource group includes those resources that you want to manage as
a group. You decide which resources belong in a resource group based on what
makes the most sense for your organization. For more information, see Resource
groups.

CMG service name: The common name (CN) of the CMG server authentication
certificate. Clients and the CMG connection point site system role communicate
with this service name. For example, GraniteFalls.Contoso.Com or
GraniteFalls.WestUS.CloudApp.Azure.Com .

CMG deployment name: The first part of the service name plus the Azure location
for the cloud service deployment. The cloud service manager component of the
service connection point uses this name when it deploys the CMG in Azure. The
deployment name is always in an Azure domain. The Azure location depends upon
the deployment method, for example:
Virtual machine scale set: GraniteFalls.WestUS.CloudApp.Azure.Com
Classic deployment: GraniteFalls.CloudApp.Net

Checklist
Use the following checklist to make sure you have the necessary information and
prerequisites to create a CMG:

The Azure environment to use. For example, the Azure Public Cloud or the Azure
US Government Cloud.

The Azure region for this CMG deployment.

How many VM instances you need for scale and redundancy.

An Azure application developer, cloud application administrator, application
administrator, or global administrator role to register apps in Azure AD.

An Azure subscription owner role for when you create the CMG in Azure.

At least one existing site system server on which you plan to add the CMG
connection point role.

Review the internet access requirements to make sure each required service can
be reached.

Enable this optional feature.

You'll set up other prerequisite components during the next steps in the process.

Automate with PowerShell

Optionally, you can automate aspects of the CMG setup using PowerShell. While some
cmdlets were available in earlier versions, version 2010 includes new cmdlets and
significant improvements to existing cmdlets.

For example, an Azure administrator first creates the two required apps in Azure Active
Directory (Azure AD). Then you write a script that uses the following cmdlets to deploy a
CMG:

1. Import-CMAADServerApplication: Create the Azure AD server app definition in
Configuration Manager.
2. Import-CMAADClientApplication: Create the Azure AD client app definition in
Configuration Manager.
3. Use Get-CMAADApplication to get the app objects, and then pass to
New-CMCloudManagementAzureService to create the Azure service connection in
Configuration Manager.
4. New-CMCloudManagementGateway: Create the CMG service in Azure.
5. Add-CMCloudManagementGatewayConnectionPoint: Create the CMG
connection point site system.

You can use these cmdlets to automate the creation, configuration, and management of
the CMG service and Azure Active Directory (Azure AD) requirements.

Azure AD app definitions in Configuration Manager:

Get-CMAADApplication
Import-CMAADClientApplication
Import-CMAADServerApplication

The Cloud Management Azure service in Configuration Manager:

New-CMCloudManagementAzureService
Set-CMCloudManagementAzureService
Get-CMAzureService
Remove-CMAzureService

The cloud management gateway service in Configuration Manager:

Get-CMCloudManagementGateway
New-CMCloudManagementGateway
Remove-CMCloudManagementGateway
Set-CMCloudManagementGateway
Start-CMCloudManagementGateway
Stop-CMCloudManagementGateway

The CMG connection point site system role:

Add-CMCloudManagementGatewayConnectionPoint
Get-CMCloudManagementGatewayConnectionPoint
Remove-CMCloudManagementGatewayConnectionPoint
Set-CMCloudManagementGatewayConnectionPoint
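The five-step cmdlet sequence above, written out as one deployment script. This is an added example, not a script from the Configuration Manager documentation or product. The site code, tenant, app IDs, subscription, certificate path and server names are constructed placeholders, and the parameter names are my recollection of the ConfigurationManager module rather than something the page states; confirm each with Get-Help before running it.

```powershell
# Added example (not from the Configuration Manager docs or product): deploy a CMG with the
# cmdlets listed above. Every value below is a constructed placeholder, and the parameter
# names are assumed from the ConfigurationManager module; verify them with Get-Help.
param(
    [string]$SiteCode       = 'PS1',                                   # placeholder site code
    [string]$TenantName     = 'contoso.onmicrosoft.com',               # placeholder tenant
    [string]$TenantId       = '00000000-0000-0000-0000-000000000000',  # placeholder tenant ID
    [string]$ServerAppName  = 'CMG Server App',
    [string]$ServerAppId    = '11111111-1111-1111-1111-111111111111',  # placeholder app (client) ID
    [string]$ClientAppName  = 'CMG Client App',
    [string]$ClientAppId    = '22222222-2222-2222-2222-222222222222',  # placeholder app (client) ID
    [string]$SubscriptionId = '33333333-3333-3333-3333-333333333333',  # placeholder subscription
    [string]$Region         = 'WestUS',
    [string]$ServiceName    = 'GraniteFalls.contoso.com',              # CN of the server auth certificate
    [string]$PfxPath        = 'C:\certs\GraniteFalls.pfx',             # placeholder PFX path
    [string[]]$ConnectionPointServers = @('cp1.contoso.com', 'cp2.contoso.com')  # placeholder site systems
)

# Load the module that ships with the console and switch to the site drive.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "${SiteCode}:"

# Secrets are read at run time rather than stored in the script.
$serverAppSecret = Read-Host -Prompt 'Server app client secret'
$pfxPassword     = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Server app definition. The app itself was pre-created in Azure AD by an administrator,
#    which is why only its ID and secret are needed here.
Import-CMAADServerApplication -TenantName $TenantName -TenantId $TenantId `
    -AppName $ServerAppName -ClientId $ServerAppId -SecretKey $serverAppSecret `
    -SecretKeyExpiry (Get-Date).AddYears(1) -AppIdUri 'https://ConfigMgrService'

# 2. Client (native) app definition.
Import-CMAADClientApplication -TenantName $TenantName -TenantId $TenantId `
    -AppName $ClientAppName -ClientId $ClientAppId

# 3. Read both app objects back and bind them into the Cloud Management Azure service.
$serverApp = Get-CMAADApplication -TenantName $TenantName -AppName $ServerAppName -AppType ServerApp
$clientApp = Get-CMAADApplication -TenantName $TenantName -AppName $ClientAppName -AppType ClientApp
New-CMCloudManagementAzureService -Name 'Cloud Management' -ServerApp $serverApp -ClientApp $clientApp

# 4. Create the CMG service in Azure as a virtual machine scale set. Two VM instances plus
#    two connection points match the high-availability guidance in the performance article
#    (one connection point covers up to four VM instances).
New-CMCloudManagementGateway -Name $ServiceName -SubscriptionId $SubscriptionId `
    -Region $Region -ServiceCertPath $PfxPath -ServiceCertPassword $pfxPassword `
    -VmInstanceCount 2 -EnableCloudDPFunction $true

# 5. Add the CMG connection point role on each chosen site system server.
foreach ($server in $ConnectionPointServers) {
    Add-CMCloudManagementGatewayConnectionPoint -CloudManagementGatewayName $ServiceName `
        -SiteSystemServerName $server -SiteCode $SiteCode
}

# Show the resulting CMG object so the provisioning state can be watched from here on.
Get-CMCloudManagementGateway -Name $ServiceName
```

The script runs from a console-installed PowerShell session under an account that holds the roles listed in the checklist (app registration rights in Azure AD and subscription owner in Azure); the app IDs come from the registrations the Azure administrator pre-created, which is the flow the section describes.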

Next steps
Get started with your CMG setup by getting a server authentication certificate:

CMG server authentication certificate

CMG server authentication certificate
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The first step when you set up a cloud management gateway (CMG) is to get the server
authentication certificate. The CMG creates an HTTPS service to which internet-based
clients connect. The server requires a server authentication certificate to build the secure
channel. You can acquire a certificate for this purpose from a public provider, or issue it
from your public key infrastructure (PKI).

When you create the CMG in the Configuration Manager console, you provide this
certificate. The common name (CN) of this certificate defines the service name of the
CMG.

Note

You may need additional certificates for clients and management points. These
certificates are covered in the third step of the CMG setup process, Configure client
authentication.

A reminder of some CMG terminology that's used in this article:

Service name: The common name (CN) of the CMG server authentication
certificate. Clients and the CMG connection point site system role communicate
with this service name. For example, GraniteFalls.contoso.com or
GraniteFalls.WestUS.CloudApp.Azure.Com .

Deployment name: The first part of the service name plus the Azure location for
the cloud service deployment. The cloud service manager component of the
service connection point uses this name when it deploys the CMG in Azure. The
deployment name is always in an Azure domain. The Azure location depends upon
the deployment method, for example:
Virtual machine scale set: GraniteFalls.WestUS.CloudApp.Azure.Com
Classic deployment: GraniteFalls.CloudApp.Net

Important

This article uses examples with a virtual machine scale set as the
recommended deployment method in version 2107 and later. If you use a
classic deployment, note the difference as you read this article and prepare
the server authentication certificate.

Choose the certificate type

First, decide where you want to get the certificate. There are several factors to consider.

Clients must trust the CMG server authentication certificate to establish the HTTPS
channel with the CMG service. There are two methods to accomplish this trust:

1. Use a certificate from a public and globally trusted certificate provider.

Windows clients include trusted root certificate authorities (CAs) from these
providers. By using a certificate issued by one of these providers, your clients
automatically trust it.

There's a cost associated with this certificate, which is specific to the provider.

2. Use a certificate issued by an enterprise CA from your public key infrastructure
(PKI).

Most enterprise PKI implementations add the trusted root CAs to Windows
clients. For example, if you use Active Directory Certificate Services with
group policy. If you issue the CMG server authentication certificate from a CA
that your clients don't automatically trust, add the CA trusted root certificate
to internet-based clients.

If you plan to install the Configuration Manager client from Intune, you can
also use Intune certificate profiles to provision certificates on clients. For
more information, see Configure a certificate profile.

Your organization may have an internal cost to issue certificates, but there are
generally no external costs associated with this certificate.

Important

Before you get this certificate, make sure the service name is globally unique for
the cloud service and storage account. Also make sure the name uses supported
characters. For more information, see Globally unique name.

Summary comparison of certificate types

                      Public provider                Enterprise PKI
Client trust          Trusted in Windows by default  Automatic with some implementations,
                                                     otherwise need to deploy
Cost                  Yes                            Not typical
Service name example  GraniteFalls.contoso.com       GraniteFalls.contoso.com or
                                                     GraniteFalls.WestUS.CloudApp.Azure.Com
DNS CNAME required    Yes                            No for Azure domain service name
                                                     ( GraniteFalls.WestUS.CloudApp.Azure.Com )

Note

The CMG server authentication certificate supports wildcards. Some certificate
authorities issue certificates using a wildcard character for the service name prefix.
For example, *.contoso.com . Some organizations use wildcard certificates to
simplify their PKI and reduce maintenance costs.

For more information on how to use a wildcard certificate with a CMG, see Set up a
CMG.

Globally unique name

This certificate requires a globally unique name to identify the service in Azure. Before
you request a certificate, confirm that the Azure deployment name you want is unique.
For example, GraniteFalls.WestUS.CloudApp.Azure.Com .

Virtual machine scale set

1. Sign in to the Azure portal .

2. From the Azure portal home page, select Create a resource under Azure services.

3. Search for Virtual machine scale set. Select Create.

4. Select the Subscription and Resource group that you'll use for the CMG.

5. In the Virtual machine scale set name field, type the prefix that you want. For
example, GraniteFalls .

6. Select the Region that you'll use for the CMG. For example, (US) West US.

The interface reflects whether the domain name is available or already in use by another
service.

Important

Don't create the service in the portal, just use this process to check the name
availability.

Repeat this process for the Key Vault resource. The virtual machine scale set deployment
creates a key vault with the same name, which also needs to be globally unique.

Content-enabled CMG storage account

If you also enable the CMG for content, confirm that it's also a unique Azure storage
account name. If the CMG deployment name is unique, but the storage account isn't,
Configuration Manager fails to provision the service in Azure. Repeat the above process
in the Azure portal with the following changes:

Search for Storage account.

Test your name in the Storage account name field.

Important

The DNS name prefix should be 3 to 24 characters long, and contain numbers and
lowercase letters only. Don't use special characters, like a dash ( - ). For example:
granitefalls .

Issue the certificate

The CMG server authentication certificate supports the following configurations:

2048-bit or 4096-bit key length

This certificate supports key storage providers for certificate private keys (v3). For
more information, see CNG v3 certificates overview.

Use a public provider certificate

A third-party certificate provider can't create a certificate for an Azure domain like
cloudapp.azure.com , because Microsoft owns those domains. You can only get a
certificate issued for a domain you own. The main reason for acquiring a certificate from
a third-party provider is that your clients already trust that provider's root certificate.

The specific process to get this certificate varies by provider. For more information,
contact your third-party certificate provider.

For the web server certificate common name (CN):

You've made sure the deployment name is globally unique in Azure for the cloud
service and storage account. For example,
GraniteFalls.WestUS.CloudApp.Azure.Com .

To determine the service name, append the deployment name prefix ( GraniteFalls )
to your organization's domain name ( contoso.com ).

Use this service name for the certificate common name (CN). For example,
GraniteFalls.contoso.com .

Next, you need to create a DNS CNAME alias.

Use an enterprise PKI certificate

Issuing a web server certificate from your organization's PKI varies by product. The
instructions for Deploying the service certificate for cloud-based distribution points are
for Active Directory Certificate Services. This process generally applies for the CMG
server authentication certificate.

For the web server certificate common name (CN):

You've made sure the deployment name is globally unique in Azure for the cloud
service and storage account. For example,
GraniteFalls.WestUS.CloudApp.Azure.Com .

To determine the service name, you have two options:

Use your domain name (recommended). Append the deployment name prefix
( GraniteFalls ) to your organization's domain name ( contoso.com ). For example,
GraniteFalls.contoso.com . For this option, you also need to create a DNS
CNAME alias.

Use the Azure deployment name. This option doesn't require a DNS CNAME
alias. For example:
For the Azure public cloud: GraniteFalls.WestUS.CloudApp.Azure.Com .
For the Azure US Government cloud: GraniteFalls.usgovcloudapp.net .

Note

If the Azure deployment name changes, you'll need to redeploy the service
to change this service name. For example, if your service name is in the
cloudapp.net domain, you can't convert the classic cloud service CMG to a
virtual machine scale set. If you use your domain name for the CMG service
name, then you can update the DNS CNAME for the new deployment
name.

Use this service name for the certificate common name (CN).

Create a DNS CNAME alias

If the CMG service name uses your organization's domain name
( GraniteFalls.contoso.com ), you need to create a DNS canonical name record (CNAME).
This alias maps the service name to the deployment name.

Create a CNAME record in your organization's public DNS. The CMG service in Azure
and all clients that use it need to resolve the service name. For example:

Contoso names their CMG GraniteFalls.

The deployment name in Azure is GraniteFalls.WestUS.CloudApp.Azure.Com.

In Contoso's public DNS contoso.com namespace, the DNS administrator creates a
new CNAME record for the service name GraniteFalls.contoso.com to the Azure
deployment name, GraniteFalls.WestUS.CloudApp.Azure.Com.

When you create the CMG, while the certificate has GraniteFalls.contoso.com as the
CN, Configuration Manager only extracts the service name prefix, for example:
GraniteFalls. It appends this prefix to the Azure service domain (cloudapp.azure.com)
with the region (westus) to create the deployment name. For example,
GraniteFalls.WestUS.CloudApp.Azure.Com. The CNAME alias in the DNS namespace for
your domain (contoso.com) maps together these two FQDNs.

The Configuration Manager client policy includes the CMG service name,
GraniteFalls.contoso.com . The client resolves the service name via the CNAME alias to
the deployment name, GraniteFalls.WestUS.CloudApp.Azure.Com . It then can resolve the
IP address of the deployment name to communicate with the service in Azure.
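As an added example (not part of the original article), the following PowerShell function checks the name chain described above before you upload the certificate: it takes the certificate's CN, derives the expected Azure deployment name from the prefix and region exactly as the text describes, resolves the public CNAME, and reports any mismatch. The function name, the region parameter and the sample names are assumptions; it relies on Resolve-DnsName from the DnsClient module.

```powershell
# Added example: check the CMG service name / CNAME / deployment name chain.
# Assumes Windows PowerShell 5.1+ with the DnsClient module (Resolve-DnsName).
function Test-CmgServiceName {
    param(
        # CN from the CMG server authentication certificate, e.g. GraniteFalls.contoso.com
        [Parameter(Mandatory)] [string] $CertificateCommonName,
        # Azure region chosen for the CMG, e.g. WestUS
        [Parameter(Mandatory)] [string] $Region,
        [ValidateSet('AzurePublicCloud', 'AzureUSGovernmentCloud')]
        [string] $Environment = 'AzurePublicCloud'
    )

    # Configuration Manager only uses the prefix (the label before the first dot) of the CN.
    $prefix = ($CertificateCommonName -split '\.')[0]
    if ($prefix -eq '*') {
        throw 'Wildcard certificate: replace * with the deployment name prefix before checking.'
    }

    # Expected deployment name: prefix + region + the cloud's cloudapp domain (as in the article).
    $expectedDeployment = switch ($Environment) {
        'AzurePublicCloud'       { "$prefix.$Region.cloudapp.azure.com".ToLower() }
        'AzureUSGovernmentCloud' { "$prefix.usgovcloudapp.net".ToLower() }
    }

    $result = [ordered]@{
        ServiceName        = $CertificateCommonName
        ExpectedDeployment = $expectedDeployment
        UsesCustomDomain   = ($CertificateCommonName.ToLower() -ne $expectedDeployment)
        CnameTarget        = $null
        CnameMatches       = $false
        DeploymentResolves = $false
    }

    if ($result.UsesCustomDomain) {
        # Custom domain: public DNS must carry a CNAME from the service name to the deployment name.
        $cname = Resolve-DnsName -Name $CertificateCommonName -Type CNAME -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
        if ($cname) {
            $result.CnameTarget  = $cname.NameHost.TrimEnd('.').ToLower()
            $result.CnameMatches = ($result.CnameTarget -eq $expectedDeployment)
        }
    } else {
        # Service name is the Azure deployment name itself: no CNAME is needed.
        $result.CnameMatches = $true
    }

    # Before you create the CMG this name should NOT resolve (it must be globally unique in Azure);
    # after deployment it must resolve, or clients cannot reach the service.
    $a = Resolve-DnsName -Name $expectedDeployment -Type A -DnsOnly -ErrorAction SilentlyContinue
    $result.DeploymentResolves = [bool]($a | Where-Object { $_.QueryType -eq 'A' })

    [pscustomobject]$result
}

# Usage with the article's constructed names:
# Test-CmgServiceName -CertificateCommonName 'GraniteFalls.contoso.com' -Region 'WestUS'
```

Run it once before creating the CMG (CnameMatches should be true for a custom domain, DeploymentResolves false while the name is still free) and again after deployment (DeploymentResolves true). A CNAME that points anywhere but the expected deployment name means clients will be sent to a host whose certificate does not match the policy's service name.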

Next steps
Continue your CMG setup by configuring Azure Active Directory (Azure AD):

Configure Azure AD
Configure Azure Active Directory for CMG
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The second primary step to set up a cloud management gateway (CMG) is to integrate
the Configuration Manager site with your Azure Active Directory (Azure AD) tenant. This
integration allows the site to authenticate with Azure AD, which it uses to deploy and
monitor the CMG service. If you choose the Azure AD authentication method for clients
in the next step, then this integration is a prerequisite for that authentication method.

Tip

This article provides prescriptive guidance to integrate the site specifically for the
cloud management gateway. For more information on this process and other uses
of the Azure Services node in the Configuration Manager console, see Configure
Azure services.

When you integrate the site, you create app registrations in Azure AD. The CMG requires
two app registrations:

Web app (also referred to as a server app in Configuration Manager)

Native app (also referred to as a client app in Configuration Manager)

There are two methods to create these apps, both of which require a global
administrator role in Azure AD:

Use Configuration Manager to automate the creation of the apps when you
integrate the site.
Manually create the apps in advance, and then import them when you integrate
the site.

This article primarily follows the first method. For more information on the other
method, see Manually register Azure AD apps for CMG.

Before you start, make sure you have an Azure AD global administrator available.

Note

If you plan to import precreated app registrations, you first need to create them in
Azure AD. Start with the article to Manually register Azure AD apps for CMG. Then
return to this article to run the Azure Services wizard and import the apps to
Configuration Manager.

Purpose of app registrations


These two Azure AD app registrations represent the server and client side of the CMG.

The client app represents managed clients and users that connect to the CMG. It
defines what resources they have access to within Azure, including the CMG itself.

The server app represents the CMG components that are hosted in Azure. It defines
what resources they have access to within Azure. The server app is used to
facilitate authentication and authorization from managed clients, users, and the
CMG connection point to the Azure-based CMG components. This communication
includes traffic to on-premises management points and software update points,
initial CMG provisioning in Azure, and Azure AD discovery.

If clients use PKI-issued client authentication certificates, then these two app registrations
aren't used for device-centric activity, for example, software distribution targeted to a
device collection. User-centric activity always uses these two app registrations for
authentication and authorization.

Start the Azure Services wizard


1. In the Configuration Manager console, go to the Administration workspace,
expand Cloud Services, and select the Azure Services node.

2. On the Home tab of the ribbon, in the Azure Services group, select Configure
Azure Services.

3. On the Azure Services page of the Azure Services Wizard:

a. Specify a Name for the object in Configuration Manager. This name is only to
identify the connection in Configuration Manager.

b. Specify an optional Description to further identify this service connection.

c. Select the Cloud Management service.

4. On the App page of the Azure Services Wizard, select the Azure environment for
your tenant:
AzurePublicCloud: Your tenant is in the global Azure cloud.
AzureUSGovernmentCloud: Your tenant is in the Azure US Government
cloud.

Create the web (server) app registration


1. On the App page of the Azure Services Wizard window, for the Web app, select
Browse.

2. In the Server App window, select Create to use Configuration Manager to automate
the creation of the app.

3. In the Create Server Application window, specify the following information:

Application name: A friendly name for the app.

HomePage URL: This value isn't used by Configuration Manager, but required
by Azure AD. By default this value is https://ConfigMgrService.

App ID URI: This value needs to be unique in your Azure AD tenant. It's in the
access token used by the Configuration Manager client to request access to
the service. By default this value is https://ConfigMgrService. Change the
default to one of the following recommended formats:
api://{tenantId}/{string}, for example,
api://5e97358c-d99c-4558-af0c-de7774091dda/ConfigMgrService

https://{verifiedCustomerDomain}/{string}, for example,
https://contoso.onmicrosoft.com/ConfigMgrService

Secret key validity period: choose either 1 year or 2 years from the drop-
down list. One year is the default value.

Azure AD admin account: Select Sign in to authenticate to Azure AD as a
global administrator. Configuration Manager doesn't save these credentials.
This persona doesn't require permissions in Configuration Manager, and
doesn't need to be the same account that runs the Azure Services Wizard.
After successfully authenticating to Azure, the page shows the Azure AD
tenant name for reference.

4. Select OK to create the web app in Azure AD and close the Create Server
Application window.

5. In the Server App window, make sure your new app is selected, then select OK to
save and close the window.

Create the native (client) app registration

1. On the App page of the Azure Services Wizard window, for the Native Client app,
select Browse.

2. In the Client App window, select Create to use Configuration Manager to automate
the creation of the app.

3. In the Create Client Application window, specify the following information:

Application name: A friendly name for the app.

Azure AD admin account: Select Sign in to authenticate to Azure AD as a
global administrator. Configuration Manager doesn't save these credentials.
This persona doesn't require permissions in Configuration Manager, and
doesn't need to be the same account that runs the Azure Services Wizard.
After successfully authenticating to Azure, the page shows the Azure AD
tenant name for reference.

4. Select OK to create the native app in Azure AD and close the Create Client
Application window.

5. In the Client App window, make sure your new app is selected, then select OK to
save and close the window.

Complete the Azure Services wizard


1. In the Azure Services Wizard, confirm both the Web app and Native Client app
values are complete. Select Next to continue.

2. The Discovery page of the wizard is only necessary in some scenarios. It's optional
when you onboard the site to Azure AD, and not required to create the CMG. If
you need it to support specific functionality in your environment, you can enable it
later.

For more information on the CMG scenarios that may require Azure AD user
discovery, see Configure client authentication: Azure AD and Install clients using
Azure AD.

For more information on this discovery method, see Configure Azure AD user
discovery.

3. Review the settings and complete the wizard.


When the wizard closes, you'll see the new connection in the Azure Services node. You
can also view the tenant and app registrations in the Azure Active Directory Tenants
node of the Configuration Manager console.

Disable Azure AD authentication for non-device or user tenants

If your devices are in an Azure AD tenant that's separate from the tenant with a
subscription for the CMG compute resources, you can disable authentication for tenants
not associated with users and devices.

1. Open the properties of the Cloud Management service.

2. Switch to the Applications tab.

3. Select the option to Disable Azure Active Directory authentication for this tenant.

For more information, see Configure Azure services.

Configure Azure resource providers


The CMG service requires that you register specific resource providers in your Azure
subscription. When you deploy the CMG to a virtual machine scale set, register the
following resource providers:

Microsoft.KeyVault
Microsoft.Storage
Microsoft.Network
Microsoft.Compute

Note

If you previously deployed the CMG using a classic cloud service, your Azure
subscription requires the following two resource providers:

Microsoft.ClassicCompute
Microsoft.Storage

Starting in version 2203, the option to deploy a CMG as a cloud service (classic) is
removed. All CMG deployments should use a virtual machine scale set. For more
information, see Removed and deprecated features.

Your Azure AD account needs permission to do the /register/action operation for the
resource provider. By default, the Contributor and Owner roles include this permission.

The following steps summarize the process to register a resource provider. For more
information, see Azure resource providers and types.

1. Sign in to the Azure portal .

2. On the Azure portal menu, search for Subscriptions. Select it from the available
options.

3. Select the subscription you want to view.

4. On the left menu, under Settings, select Resource providers.

5. Find the resource provider you want to register, and select Register. To maintain
least privileges in your subscription, only register those resource providers that
you're ready to use.
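As an added example, not from the original article, this Az PowerShell snippet registers the four providers listed above and waits for registration to complete, skipping any that are already registered so you enable nothing beyond what a virtual machine scale set CMG needs. It assumes the Az module is installed and Connect-AzAccount has already been run; the function name and the subscription ID are placeholders.

```powershell
# Added example: register only the resource providers a virtual machine scale set CMG needs
# and wait for registration to finish. Assumes the Az PowerShell module is installed and
# Connect-AzAccount has already been run. Function name and subscription ID are placeholders.
$CmgResourceProviders = 'Microsoft.KeyVault', 'Microsoft.Storage', 'Microsoft.Network', 'Microsoft.Compute'

function Register-CmgResourceProvider {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [string[]] $ProviderNamespace = $CmgResourceProviders,
        [int]      $TimeoutSeconds = 300
    )

    # Registration needs <provider>/register/action on the subscription; Contributor and Owner have it.
    Select-AzSubscription -SubscriptionId $SubscriptionId | Out-Null

    foreach ($ns in $ProviderNamespace) {
        # Get-AzResourceProvider returns one object per resource type; a provider is usable
        # only when every type reports Registered.
        $pending = Get-AzResourceProvider -ProviderNamespace $ns |
                   Where-Object { $_.RegistrationState -ne 'Registered' }
        if (-not $pending) {
            [pscustomobject]@{ Provider = $ns; State = 'Registered'; Action = 'None (already registered)' }
            continue
        }

        try {
            Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
        } catch {
            # Typical cause: the signed-in account lacks */register/action on the subscription.
            [pscustomobject]@{ Provider = $ns; State = 'Failed'; Action = $_.Exception.Message }
            continue
        }

        # Registration is asynchronous: poll until every resource type is Registered or we time out.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Seconds 10
            $pending = Get-AzResourceProvider -ProviderNamespace $ns |
                       Where-Object { $_.RegistrationState -ne 'Registered' }
        } while ($pending -and (Get-Date) -lt $deadline)

        [pscustomobject]@{
            Provider = $ns
            State    = if ($pending) { 'Registering (timed out waiting)' } else { 'Registered' }
            Action   = 'Registered by script'
        }
    }
}

# Usage (placeholder subscription ID):
# Register-CmgResourceProvider -SubscriptionId '00000000-0000-0000-0000-000000000000' | Format-Table
```

The provider list is deliberately passed as a parameter rather than discovered, so the script cannot drift into registering providers the CMG does not use; if a classic cloud service CMG once existed in the subscription, Microsoft.ClassicCompute stays registered only if you pass it explicitly.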

Automate with PowerShell


You can optionally automate aspects of these configurations using PowerShell.

1. Use the Import-CMAADServerApplication cmdlet to define the Azure AD
web/server app in Configuration Manager.

2. Use the Import-CMAADClientApplication cmdlet to define the Azure AD
native/client app in Configuration Manager.

3. Use the Get-CMAADApplication cmdlet to get the imported app objects.

4. Then pass the app objects to the New-CMCloudManagementAzureService cmdlet
to create the Azure service for Cloud Management in Configuration Manager.
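The four cmdlets above, chained into one script (an added example, not the article's own code). It assumes you already created both app registrations in Azure AD as described in the manual registration article, that the Configuration Manager PowerShell module is loaded with the site drive selected, and that the tenant, app IDs and App ID URI are supplied as parameters. The app display names are placeholders, and the parameter names follow the cmdlets' documentation, so confirm them with Get-Help if your console version differs.

```powershell
# Added example: import pre-created Azure AD app registrations and create the Cloud Management
# Azure service with the Configuration Manager PowerShell module. Run in a console where the
# ConfigurationManager module is loaded and the site drive (for example PS1:) is the current location.
# Tenant, IDs, URIs and display names are placeholders. Parameter names follow the cmdlet
# documentation; confirm with Get-Help <cmdlet> -Full for your console version.
param(
    [Parameter(Mandatory)] [string] $TenantName,        # e.g. contoso.onmicrosoft.com
    [Parameter(Mandatory)] [string] $TenantId,          # Azure AD tenant GUID
    [Parameter(Mandatory)] [string] $ServerAppClientId, # Application (client) ID of the web/server app
    [Parameter(Mandatory)] [string] $ClientAppClientId, # Application (client) ID of the native/client app
    [Parameter(Mandatory)] [string] $AppIdUri,          # e.g. api://<tenantId>/ConfigMgrService
    [ValidateSet('AzurePublicCloud', 'AzureUSGovernmentCloud')]
    [string] $Environment = 'AzurePublicCloud',
    [string] $ServerAppName = 'CMG Server App',
    [string] $ClientAppName = 'CMG Client App'
)
$ErrorActionPreference = 'Stop'

# Never embed the server app secret in the script: prompt for it and keep it in memory only.
$secureSecret = Read-Host -Prompt 'Server app client secret' -AsSecureString
$secret       = [System.Net.NetworkCredential]::new('', $secureSecret).Password
# Must match the expiry you chose for the secret in the Azure portal (1 or 2 years).
$secretExpiry = (Get-Date).AddYears(1)

try {
    # 1. Define the web/server app in Configuration Manager.
    Import-CMAADServerApplication -TenantName $TenantName -TenantId $TenantId -AppName $ServerAppName `
        -ClientId $ServerAppClientId -SecretKey $secret -SecretKeyExpiry $secretExpiry `
        -AppIdUri $AppIdUri -AzureEnvironmentOption $Environment

    # 2. Define the native/client app.
    Import-CMAADClientApplication -TenantName $TenantName -TenantId $TenantId -AppName $ClientAppName `
        -ClientId $ClientAppClientId -AzureEnvironmentOption $Environment

    # 3. Get the imported app objects.
    $serverApp = Get-CMAADApplication -TenantName $TenantName -AppType ServerApplication -AppName $ServerAppName
    $clientApp = Get-CMAADApplication -TenantName $TenantName -AppType ClientApplication -AppName $ClientAppName
    if (-not $serverApp -or -not $clientApp) {
        throw 'Import did not produce both app objects; check SMSAdminUI.log on the console machine.'
    }

    # 4. Create the Cloud Management Azure service from both app objects.
    New-CMCloudManagementAzureService -Name 'Cloud Management (CMG)' `
        -Description 'Azure AD integration used by the cloud management gateway' `
        -ServerApp $serverApp -ClientApp $clientApp -AzureEnvironmentOption $Environment
}
finally {
    # Drop the plaintext secret as soon as it is no longer needed.
    Remove-Variable -Name secret -ErrorAction SilentlyContinue
}
```

The secret is the one value here that grants access on its own, so it is read interactively rather than stored in the script, passed straight to the import cmdlet, and removed from the session afterwards; record the expiry you set in the portal, because the site stops being able to authenticate to Azure AD when it lapses.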

Next steps
Continue your CMG setup by deciding which type of client authentication to use:

Configure client authentication


Configure client authentication for cloud management gateway
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The next step in the setup of a cloud management gateway (CMG) is to configure how
clients authenticate. Because these clients are potentially connecting to the service from
the untrusted public internet, they have a higher authentication requirement. There are
three options:

Azure Active Directory (Azure AD)
PKI certificates
Configuration Manager site-issued tokens

This article describes how to configure each of these options. For more foundational
information, see Plan for CMG client authentication methods.

Azure AD
If your internet-based devices are running Windows 10 or later, use Azure AD modern
authentication with the CMG. This authentication method is the only one that enables
user-centric scenarios.

This authentication method requires the following configurations:

The devices need to be either cloud domain-joined or hybrid Azure AD-joined, and
the user also needs an Azure AD identity.

Tip

To check if a device is cloud-joined, run dsregcmd.exe /status in a command
prompt. If the device is Azure AD-joined or hybrid-joined, the AzureAdJoined
field in the results shows YES. For more information, see dsregcmd command
- device state.

One of the primary requirements for using Azure AD authentication for internet-
based clients with a CMG is to integrate the site with Azure AD. You already
completed that action in the prior step.
There are a few other requirements, depending upon your environment:
Enable user discovery methods for hybrid identities
Enable ASP.NET 4.5 on the management point
Configure client settings

For more information on these prerequisites, see Install clients using Azure AD.

PKI certificate
Use these steps if you have a public key infrastructure (PKI) that can issue client
authentication certificates to devices.

This certificate may be required on the CMG connection point. For more information,
see CMG connection point.

Issue the certificate


Create and issue this certificate from your PKI, which is outside of the context of
Configuration Manager. For example, you can use Active Directory Certificate Services
and group policy to automatically issue client authentication certificates to domain-
joined devices. For more information, see Example deployment of PKI certificates:
Deploy the client certificate.

The CMG client authentication certificate supports the following configurations:

2048-bit or 4096-bit key length

This certificate supports key storage providers for certificate private keys (v3). For
more information, see CNG v3 certificates overview.

Export the client certificate's trusted root


The CMG has to trust the client authentication certificates to establish the HTTPS
channel with clients. To accomplish this trust, export the trusted root certificate chain.
Then supply these certificates when you create the CMG in the Configuration Manager
console.

Make sure to export all certificates in the trust chain. For example, if the client
authentication certificate is issued by an intermediate CA, export both the intermediate
and root CA certificates.

Note

Export this certificate when any client uses PKI certificates for authentication. When
all clients use either Azure AD or tokens for authentication, this certificate isn't
required.

After you issue a client authentication certificate to a computer, use this process on that
computer to export the trusted root certificate.

1. Open the Start menu. Type "run" to open the Run window. Open mmc.

2. From the File menu, choose Add/Remove Snap-in....

3. In the Add or Remove Snap-ins dialog box, select Certificates, then select Add.

a. In the Certificates snap-in dialog box, select Computer account, then select
Next.

b. In the Select Computer dialog box, select Local computer, then select Finish.

c. In the Add or Remove Snap-ins dialog box, select OK.

4. Expand Certificates, expand Personal, and select Certificates.

5. Select a certificate whose Intended Purpose is Client Authentication.

a. From the Action menu, select Open.

b. Go to the Certification Path tab.

c. Select the next certificate up the chain, and select View Certificate.

6. On this new Certificate dialog box, go to the Details tab. Select Copy to File....

7. Complete the Certificate Export Wizard using the default certificate format, DER
encoded binary X.509 (.CER). Make note of the name and location of the exported
certificate.

8. Export all of the certificates in the certification path of the original client
authentication certificate. Make note of which exported certificates are
intermediate CAs, and which ones are trusted root CAs.
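To bring the checks in the Azure AD and PKI sections together, here is an added PowerShell function (not part of the article) that reports the dsregcmd join state, lists client authentication certificates in the computer store with their key length and key storage provider, and exports the issuer chain of the newest one as DER .cer files ready for the Create CMG wizard, which is the same result as the MMC procedure above. The function name and output folder are assumptions; run it elevated so the private key properties are readable.

```powershell
# Added example: on a Configuration Manager client, report Azure AD join state and the PKI client
# authentication certificates available, then export the issuer chain (intermediate and root,
# not the leaf) of the newest one as DER .cer files for the Create CMG wizard.
# Run elevated so private key properties are readable. Names and output path are assumptions.
function Get-CmgClientAuthReadiness {
    param([string] $OutputPath = (Join-Path $env:TEMP 'CmgTrustChain'))

    # 1. Join state: the AzureAdJoined field of dsregcmd /status is YES for Azure AD- or hybrid-joined devices.
    $joined = 'UNKNOWN'
    $match  = (dsregcmd.exe /status) | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*(\w+)' | Select-Object -First 1
    if ($match) { $joined = $match.Matches[0].Groups[1].Value }

    # 2. Certificates in the computer's Personal store with a private key and the Client Authentication EKU.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    }

    $report = foreach ($cert in $certs) {
        $rsaPub  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keySize = if ($rsaPub) { $rsaPub.KeySize } else { 0 }   # 0 means not an RSA key
        # KSP (CNG, v3 templates) vs legacy CSP: the private key object type tells them apart.
        $provider = 'unknown (no access)'
        try {
            $rsaPriv  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            $provider = if ($rsaPriv -is [System.Security.Cryptography.RSACng]) { 'KSP (CNG)' } else { 'CSP (legacy)' }
        } catch { }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeySize    = $keySize
            KeySizeOk  = (@(2048, 4096) -contains $keySize)   # the CMG supports 2048- or 4096-bit keys
            Provider   = $provider
            NotAfter   = $cert.NotAfter
        }
    }

    # 3. Export every issuer in the chain of the newest client certificate; the wizard needs all of them.
    $exported = @()
    $chosen   = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($chosen) {
        New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # we want the chain, not a revocation verdict
        [void]$chain.Build($chosen)
        foreach ($element in ($chain.ChainElements | Select-Object -Skip 1)) {   # skip the leaf
            $c    = $element.Certificate
            $role = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'Intermediate' }
            $file = Join-Path $OutputPath ('{0}-{1}.cer' -f $role, $c.Thumbprint)
            # DER-encoded binary X.509 (.CER), the default format of the Certificate Export Wizard.
            [System.IO.File]::WriteAllBytes($file,
                $c.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
            $exported += [pscustomobject]@{ Role = $role; Subject = $c.Subject; File = $file }
        }
    }

    [pscustomobject]@{
        AzureAdJoined = $joined
        Certificates  = $report
        ExportedChain = $exported
    }
}

# Usage: Get-CmgClientAuthReadiness | Format-List
```

Only the issuing CAs are exported, never the leaf, because the CMG needs to trust the chain rather than one device's certificate; the Role column tells you which files are intermediates and which are roots, which is the note the manual procedure asks you to keep.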

CMG connection point


To securely forward client requests, the CMG connection point requires a secure
connection with the management point. If you're using PKI client authentication, and
the internet-enabled management point is HTTPS, issue a client authentication
certificate to the site system server with the CMG connection point role.

Note

The CMG connection point doesn't require a client authentication certificate in the
following scenarios:

Clients use Azure AD authentication.
Clients use Configuration Manager token-based authentication.
The site uses Enhanced HTTP.

For more information, see Enable management point for HTTPS.

Site token
If you can't join devices to Azure AD or use PKI client authentication certificates, then
use Configuration Manager token-based authentication. For more information, or to
create a bulk registration token, see Token-based authentication for cloud management
gateway.

Enable management point for HTTPS


Depending upon how you configure the site, and which client authentication method
you choose, you may need to reconfigure your internet-enabled management points.
There are two options:

Configure the site for Enhanced HTTP, and configure the management point for
HTTP
Configure the management point for HTTPS

Configure the site for Enhanced HTTP


When you use the site option to Use Configuration Manager-generated certificates for
HTTP site systems, you can configure the management point for HTTP. When you
enable Enhanced HTTP, the site server generates a self-signed certificate named SMS
Role SSL Certificate. This certificate is issued by the root SMS Issuing certificate. The
management point adds this certificate to the IIS Default Web site bound to port 443.
With this option, internal clients can continue to communicate with the management
point using HTTP. Internet-based clients using Azure AD or a client authentication
certificate can securely communicate through the CMG with this management point
over HTTPS.

For more information, see Enhanced HTTP.
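An added example, not from the article: this PowerShell function opens a TLS 1.2 connection to an internet-enabled management point and reports which certificate it presents, so you can tell an Enhanced HTTP site (the self-signed SMS Role SSL Certificate issued by the site's SMS Issuing root) from a PKI web server certificate and confirm the Server Authentication EKU. Certificate validation is turned off on purpose because the tool only inspects; the function name and sample host are assumptions.

```powershell
# Added example: inspect the certificate an internet-enabled management point presents on 443.
# Validation is deliberately disabled: this inspects, it does not decide trust.
# Function name and sample host are assumptions.
function Get-MpTlsCertificateInfo {
    param(
        [Parameter(Mandatory)] [string] $ManagementPoint,
        [int] $Port = 443
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($ManagementPoint, $Port)
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        # Offer TLS 1.2 only, matching the Enforce TLS 1.2 expectation for CMG traffic.
        $ssl.AuthenticateAsClient($ManagementPoint, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Collect EKU OIDs; a web server certificate must carry Server Authentication (1.3.6.1.5.5.7.3.1).
        $ekus = foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
            }
        }

        # Enhanced HTTP: the site generates "SMS Role SSL Certificate" issued by the "SMS Issuing" root.
        $mode = if ($cert.Issuer -match 'SMS Issuing') {
            'Enhanced HTTP (site-generated SMS Role SSL Certificate)'
        } else {
            'PKI web server certificate'
        }

        [pscustomobject]@{
            ManagementPoint = $ManagementPoint
            Protocol        = $ssl.SslProtocol
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            ServerAuthEku   = ($ekus -contains '1.3.6.1.5.5.7.3.1')
            NameMatchesHost = ($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false) -ieq $ManagementPoint)
            Mode            = $mode
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Usage (placeholder host): Get-MpTlsCertificateInfo -ManagementPoint 'mp01.contoso.com' | Format-List
```

A handshake failure when only Tls12 is offered means the management point still accepts nothing newer than TLS 1.0/1.1 on that binding; an Issuer of SMS Issuing confirms the Enhanced HTTP binding described above rather than a PKI certificate, and a false NameMatchesHost points at a certificate issued for a different FQDN than the one clients are given.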

Configure the management point for HTTPS


To configure a management point for HTTPS, first issue it a web server certificate. Then
enable the role for HTTPS.

1. Create and issue a web server certificate from your PKI or a third-party provider,
which are outside of the context of Configuration Manager. For example, use
Active Directory Certificate Services and group policy to issue a web server
certificate to the site system server with the management point role. For more
information, see the following articles:

PKI certificate requirements

Example deployment of PKI certificates: Deploy the web server certificate for
site systems that run IIS

2. On the properties of the management point role, set the client connections to
HTTPS.

Tip

After you set up the CMG, you'll configure other settings for this management
point.

If your environment has multiple management points, you don't have to HTTPS-enable
them all for CMG. Configure the CMG-enabled management points as Internet only.
Then your on-premises clients don't try to use them.

Management point client connection mode summary


These tables summarize whether the management point requires HTTP or HTTPS,
depending upon the type of client. They use the following terms:

Workgroup: The device isn't joined to a domain or Azure AD, but has a client
authentication certificate.
AD domain-joined: You join the device to an on-premises Active Directory domain.
Azure AD-joined: Also known as cloud domain-joined, you join the device to an
Azure AD tenant. For more information, see Azure AD joined devices.
Hybrid-joined: You join the device to your on-premises Active Directory and
register it with your Azure AD. For more information, see Hybrid Azure AD joined
devices.
HTTP: On the management point properties, you set the client connections to
HTTP.
HTTPS: On the management point properties, you set the client connections to
HTTPS.
E-HTTP: On the site properties, Communication Security tab, you set the site
system settings to HTTPS or HTTP, and you enable the option to Use
Configuration Manager-generated certificates for HTTP site systems. You
configure the management point for HTTP, and the HTTP management point is
ready for both HTTP and HTTPS communication.

Important

Starting in Configuration Manager version 2103, sites that allow HTTP client
communication are deprecated. Configure the site for HTTPS or Enhanced HTTP.
For more information, see Enable the site for HTTPS-only or enhanced HTTP.

For internet-based clients communicating with the CMG

Configure an on-premises management point to allow connections from the CMG with
the following client connection mode:

| Internet-based client | Management point |
|---|---|
| Workgroup (Note 1) | E-HTTP, HTTPS |
| AD domain-joined (Note 1) | E-HTTP, HTTPS |
| Azure AD-joined | E-HTTP, HTTPS |
| Hybrid-joined | E-HTTP, HTTPS |

Note

Note 1: This configuration requires the client has a client authentication certificate,
and only supports device-centric scenarios.

For on-premises clients communicating with the on-premises management point

Configure an on-premises management point with the following client connection
mode:

| On-premises client | Management point |
|---|---|
| Workgroup | HTTP, HTTPS |
| AD domain-joined | HTTP, HTTPS |
| Azure AD-joined | HTTPS |
| Hybrid-joined | HTTP, HTTPS |

Note

On-premises AD domain-joined clients support both device- and user-centric
scenarios communicating with an HTTP or HTTPS management point.

On-premises Azure AD-joined and hybrid-joined clients can communicate via HTTP
for device-centric scenarios, but need E-HTTP or HTTPS to enable user-centric
scenarios. Otherwise they behave the same as workgroup clients.

Next steps
You're now ready to create the CMG in Configuration Manager:

Set up CMG
Set up CMG for Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Once you have the prerequisites in place, you can start the process to set up a cloud
management gateway (CMG). Before you start this process, make sure you have the
necessary information and prerequisites to create a CMG. For more information, see Set
up checklist for CMG.

This step of the overall process includes the following actions:

Use the Configuration Manager console to create the CMG service in Azure.
Configure the primary site for client certificate authentication.
Add the CMG connection point site system role.
Configure the management point and software update point for CMG traffic.
Configure boundary groups.

Set up a CMG

Note

Deploying a CMG with a virtual machine scale set in Azure was first introduced in
version 2010 as a pre-release feature. Beginning with version 2107, it's no longer a
pre-release feature.

Configuration Manager doesn't enable this optional feature by default. You must
enable this feature before using it. For more information, see Enable optional
features from updates.

Do this procedure on the top-level site. That site is either a standalone primary site, or
the central administration site (CAS).

1. In the Configuration Manager console, go to the Administration workspace,
expand Cloud Services, and select Cloud Management Gateway.

2. Select Create Cloud Management Gateway in the ribbon.

3. On the General page of the wizard, first specify the Azure environment for this
CMG:

AzurePublicCloud: Create the service in the global Azure cloud.

AzureUSGovernmentCloud: Create the service in the Azure US Government
cloud.

4. Next choose how you want to deploy the CMG in Azure:

Virtual machine scale set

Starting in version 2203, virtual machine scale set is the only option.

Starting in version 2107, this option is the recommended deployment
method. Even if you have an existing CMG deployed with the cloud service
(classic) method, deploy new CMG instances as a virtual machine scale set.

In versions 2010 and 2103, you have to enable this pre-release feature to
see it. In these releases, it's only intended for customers with a Cloud
Solution Provider (CSP) subscription. If you already deployed a CMG with
the cloud service (classic) method, this option is unavailable. For more
information, see Plan for CMG: Virtual machine scale sets.

Cloud service (classic)

Important

Starting in version 2203, the option to deploy a CMG as a cloud service
(classic) is removed. All CMG deployments should use a virtual machine
scale set. For more information, see Removed and deprecated features.

In version 2107 and later, only use this option if you can't deploy with a
virtual machine scale set because of one of the limitations.

In versions 2010 and 2103, most customers should use this deployment
method.

5. Select Sign in. Authenticate with an Azure Subscription Owner account. The
wizard automatically populates the remaining fields from the information stored
during the Azure AD integration prerequisite. If you own multiple subscriptions,
select the Subscription ID of the subscription you want to use.

Select Next, and wait as the site tests the connection to Azure.

6. On the Settings page of the wizard, first Browse to the .PFX file for the CMG server
authentication certificate (Certificate file). The common name from this certificate
is used to populate the Service name and Deployment name fields.
If you use a wildcard certificate, replace the asterisk (*) in the Service name field
with the globally unique deployment name prefix for your CMG.

a. Optionally specify a Description to further identify this CMG in the
Configuration Manager console.

b. Select an Azure Region for this CMG. The list of available regions may vary
based on the selected subscription.

c. Select a Resource Group option:

If you choose Use existing, then select an existing resource group from
the list. This resource group needs to already exist in the same region you
selected for the CMG. If you select an existing resource group, and it's in a
different region than the previously selected region, the CMG will fail to
deploy.

If you choose Create new, then enter the new resource group name.

d. By default, the VM Size is Standard (A2_V2). Select another option as your
design specifies. For example, Large (A4_v2) for increased client capacity per
VM, or Lab (B2s) in a small test environment.

Important

The Lab (B2s) size VM is only intended for lab testing and small proof-of-
concept environments. For example, with the Configuration Manager
technical preview branch. The B2s VMs aren't intended for production use
with the CMG. They are low cost and low performing.

e. In the VM Instance field, enter the number of VMs for this service. The default is
one, but you can scale up to 16 VMs per CMG.

f. If you're using client authentication certificates, select Certificates to add
trusted root certificates. Add all of the certificates in the trust chain.

Note

A trusted root certificate isn't required when using Azure Active Directory
(Azure AD) or site-issued tokens for client authentication.

g. By default, the wizard enables the option to Verify Client Certificate
Revocation. A certificate revocation list (CRL) must be publicly published for this
verification to work. For more information, see Publish the certificate revocation
list.

h. By default, the wizard enables the option to Enforce TLS 1.2. This setting
requires the Azure VM to use the TLS 1.2 encryption protocol. It doesn't apply
to any on-premises Configuration Manager site servers or clients. Starting in
version 2107 with the update rollup, this setting also applies to the CMG
storage account. For more information, see How to enable TLS 1.2.

i. By default, the wizard enables the option to Allow CMG to function as a cloud
distribution point and serve content from Azure storage. If you plan on
targeting deployments with content to clients, you need to configure the CMG
to serve content.

7. Next is the Alerts page of the wizard. To monitor CMG traffic with a 14-day
threshold, enable the threshold alert. Then specify the threshold, and the
percentage at which to raise the different alert levels. You can also enable a
storage alert threshold. Choose Next when you're done.

8. Review the settings, and complete the wizard.

Configuration Manager starts to set up the service. The amount of time it takes to
completely provision the service in Azure is dependent upon the settings that you
specified. To determine when the service is ready, view the Status column for the new
CMG.

To troubleshoot CMG deployments, use CloudMgr.log and CMGSetup.log. For more
information, see Monitor CMG.

Tip

You can also create the CMG service with the PowerShell cmdlet
New-CMCloudManagementGateway. For more information, see
New-CMCloudManagementGateway.
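As an added example (not the article's code), the following PowerShell validates the CMG server authentication .pfx before you upload it, derives the Service name the wizard would pre-fill (including the wildcard substitution described in step 6), and then calls New-CMCloudManagementGateway. Paths, names, region and resource group are placeholders; the cmdlet parameter names follow its documented example, so confirm them with Get-Help New-CMCloudManagementGateway -Full for your version, and add the parameters for trusted root certificates, CRL checking, TLS 1.2 and content serving that correspond to wizard steps f through i.

```powershell
# Added example: validate the CMG server authentication .pfx and create the CMG from PowerShell.
# Run in a Configuration Manager console with the site drive selected. Paths, names, region and
# resource group are placeholders; confirm cmdlet parameter names with
# Get-Help New-CMCloudManagementGateway -Full for your version.
function Get-CmgServiceCertificateInfo {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        # Only for wildcard certificates: the globally unique prefix that replaces the asterisk.
        [string] $DeploymentPrefix
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
    if (-not $cert.HasPrivateKey) { throw 'The .pfx must contain the private key.' }

    # The wizard pre-fills Service name and Deployment name from the CN.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $serviceName = $cn
    if ($cn.StartsWith('*.')) {
        if (-not $DeploymentPrefix) { throw "Wildcard certificate ($cn): pass -DeploymentPrefix to replace the asterisk." }
        $serviceName = $cn -replace '^\*', $DeploymentPrefix
    }

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1) is required for a server authentication certificate.
    $ekus = foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }

    [pscustomobject]@{
        CommonName    = $cn
        ServiceName   = $serviceName
        ServerAuthEku = ($ekus -contains '1.3.6.1.5.5.7.3.1')
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

# --- usage (placeholder values) ---
$pfxPath = 'D:\Certs\GraniteFalls.pfx'
$pfxPwd  = Read-Host -Prompt 'PFX password' -AsSecureString
$info    = Get-CmgServiceCertificateInfo -PfxPath $pfxPath -PfxPassword $pfxPwd
if (-not $info.ServerAuthEku) { throw 'Certificate lacks the Server Authentication EKU.' }
if ($info.DaysRemaining -lt 90) { Write-Warning "Certificate expires in $($info.DaysRemaining) days." }

# Core parameters from the cmdlet's documented example. The wizard's remaining settings
# (trusted root certificates, CRL check, TLS 1.2, content serving, VM size) have matching
# parameters; add them from Get-Help rather than guessing their names.
New-CMCloudManagementGateway -ServiceName $info.ServiceName `
    -ServiceCertPath $pfxPath -ServiceCertPassword $pfxPwd `
    -Description 'Contoso CMG (virtual machine scale set)' `
    -EnvironmentSetting AzurePublicCloud -Region 'WestUS' `
    -GroupName 'rg-cmg-westus' -IsUsingExistingGroup $true `
    -VMInstanceCount 1
```

The resource group named here must already exist in the same region you pass, which is the failure mode step 6c warns about; checking the EKU and expiry first avoids a deployment that provisions successfully but presents a certificate clients reject.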

Configure primary site for client certificate authentication

If you're using client authentication certificates for clients to authenticate with the CMG,
follow this procedure to configure each primary site.

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select Sites.

2. Select the primary site to which your internet-based clients are assigned, and
choose Properties.

3. Switch to the Communication Security tab, and select Use PKI client certificate
(client authentication) when available.

4. If you don't publish a CRL, disable the following option: Clients check the
certificate revocation list (CRL) for site systems.

Add the CMG connection point


The CMG connection point is the site system role that's required for communication
from your on-premises Configuration Manager deployment to the cloud-based CMG.
Before you start this process, you should have already developed a plan for the role, and
identified at least one existing site system server. For more information, see Plan for the
CMG.

To add the CMG connection point, the following steps summarize the instructions to
install site system roles:

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Servers and Site System Roles node.

2. Select an existing site server to which you want to add this role. In the ribbon, on
the Home tab, select Add Site System Roles.

3. On the System Role Selection screen, choose Cloud management gateway
connection point, and then select Next. Choose the Cloud management gateway
name to which this server connects. The wizard will show the region for the
selected CMG.

Important

If you're using client authentication certificates, the CMG connection point needs
this certificate. For more information, see client authentication certificate.

To troubleshoot CMG service health, use CMGService.log and
SMS_Cloud_ProxyConnector.log. For more information, see Log files.

Tip

Optionally, you can also use the PowerShell cmdlet
Add-CMCloudManagementGatewayConnectionPoint to add the CMG connection point
role to a site system server.

For more information, see Add-CMCloudManagementGatewayConnectionPoint.

Configure client-facing roles for CMG traffic


Configure the management point and software update point site systems to accept
CMG traffic. Do this procedure on the primary site, for all management points and
software update points that service internet-based clients.

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Servers and Site System Roles node. On
the Home tab of the ribbon, in the View group, select Servers with Role. Then
select Management point from the list.

2. Select the site system server you want to configure for CMG traffic. Select the
Management point role in the details pane, and then in the Site Role group of the
ribbon, select Properties.

3. In the Management point properties sheet, under Client Connections select Allow
Configuration Manager cloud management gateway traffic.

Depending upon your CMG design and Configuration Manager version, you may
need to enable the HTTPS option. For more information, see Enable management
point for HTTPS.

4. Select OK to close the management point properties window.

Repeat these steps for other management points as needed, and for any software
update points.

Configure boundary groups


You can associate a CMG with a boundary group. This configuration allows clients to use
the CMG for client communication according to boundary group relationships. This
configuration is beneficial for VPN or branch office clients where it might be better to
manage them via a CMG than over the VPN or WAN connection. If you enable the
option Prefer cloud-based sources over on-premises sources, clients prefer the
CMG for both policy and content.

For more information on boundary groups, see Configure boundary groups.

When you create or configure a boundary group, on the References tab, add a cloud
management gateway. This action associates the CMG with this boundary group.

BranchCache
To enable a content-enabled CMG to use Windows BranchCache, install the
BranchCache feature on the site server.

If the site server has an on-premises distribution point site system role, configure
the option in that role's properties to Enable and configure BranchCache. For
more information, see Configure a distribution point.

If the site server doesn't have a distribution point role, install the BranchCache
feature in Windows. For more information, see Install the BranchCache feature.

If you've already distributed content to a CMG, and then decide to enable BranchCache,
first install the feature. Then redistribute the content to the CMG.

Distribute and manage content


Distribute content to the content-enabled CMG the same as any other distribution
point. The management point doesn't include the CMG in the list of content locations
unless it has the content that clients request. For more information, see Distribute and
manage content.

Manage content on a CMG the same as any other distribution point. These actions
include assigning it to a distribution point group and managing content packages. For
more information, see Install and configure distribution points.

Next steps
Continue your CMG setup by configuring clients for CMG:

Configure clients for CMG

Configure clients for cloud management gateway
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Once the cloud management gateway (CMG) and the supporting site system roles are
operational, you may need to make configuration changes on Configuration Manager
clients.

Clients that can communicate with the management point automatically get the location
of the CMG service on the next location request. The polling cycle for location requests
is every 24 hours. If you don't want to wait for the normally scheduled location request,
you can force the request. To force the request, restart the SMS Agent Host service
(ccmexec.exe) on the computer.

For devices that aren't connected to the internal network, there are several options to
configure them with a CMG location. For more information, see Install off-premises
clients using a CMG.

Note

By default all clients receive CMG policy. Control this behavior with the client
setting, Enable clients to use a cloud management gateway. For more information,
see About client settings.

Client location
The Configuration Manager client automatically determines whether it's on the intranet
or the internet. If the client can contact a domain controller or an on-premises
management point, it sets its connection type to Currently intranet. Otherwise, it
switches to Currently Internet, and uses the location of the CMG service to
communicate with the site.

Note

You can force the client to always use the CMG regardless of whether it's on the
intranet or internet. This configuration is useful for testing purposes, or for clients
that you want to force to always use the CMG. Set the following registry key on the
client:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security, ClientAlwaysOnInternet = 1

You can also specify this setting during client installation using the
CCMALWAYSINF property.

This setting will always apply, even if the client roams into a location where
boundary group configurations would otherwise leverage local resources.

To verify that clients have the policy specifying the CMG, open a Windows PowerShell
command prompt as an administrator on the client computer, and run the following
command:

PowerShell

Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate | Where-Object {$_.Type -eq "Internet"}

This command displays any internet-based management points the client knows about.
While the CMG isn't technically an internet-based management point, clients view it as
one.

Note

To troubleshoot CMG client traffic, use CMGService.log and
SMS_Cloud_ProxyConnector.log. For more information, see Log files.

Install off-premises clients using a CMG

There are two methods to install the Configuration Manager client on devices that aren't
currently connected to your intranet. Both require a local administrator account on the
target system.

The first method is to use a bulk registration token to install the client on a device.
For more information on this method, see Create a bulk registration token.

For the second method, when you run ccmsetup.exe, use the /mp parameter to
specify the CMG's URL. For more information, see About client installation
parameters and properties. This method requires one of the following conditions:
The Configuration Manager site is properly configured to use PKI certificates for
client authentication. Additionally, the client systems each have a valid, unique,
and trusted client authentication certificate previously issued to them.

The systems are Azure Active Directory (Azure AD) domain-joined or hybrid
Azure AD domain-joined.

Configure off-premises clients for CMG

You can connect devices to a recently configured CMG where the following conditions
are true:

They already have the Configuration Manager client installed.

They aren't connected and can't be connected to your intranet.

They meet one of the following conditions:

A valid, unique, and trusted client authentication certificate previously issued to
it.

Azure AD domain-joined

Hybrid Azure AD domain-joined

You don't want to or can't completely reinstall the existing client.

You have a method to change a machine registry value and restart the SMS Agent
Host service using a local administrator account.

To force the connection on these devices, create the REG_SZ registry entry CMGFQDNs in
the key HKLM\Software\Microsoft\CCM. Set its value to the URL of the CMG, for example,
https://GraniteFalls.contoso.com. Then restart the SMS Agent Host Windows service
on the device.

If the Configuration Manager client doesn't have a current CMG or internet-facing
management point set in the registry, it automatically checks the CMGFQDNs registry
value. This check occurs every 25 hours, when the SMS Agent Host service starts, or
when it detects a network change. When the client connects to the site and learns of a
CMG, it automatically updates this value.
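The following script is an added example (not code from the Configuration Manager documentation) that performs the CMGFQDNs procedure above on an off-premises client and then runs the same SMS_ActiveMPCandidate verification the Client location section describes, before and after the change. The CMG URL defaults to the article's sample name; the wait time and the CcmExec service name are assumptions you may need to adjust.

```powershell
# Added example, not from the Configuration Manager documentation: configure an
# off-premises client to use a CMG by writing the CMGFQDNs value, restart the
# SMS Agent Host service, and verify the client's internet-type MP candidates.
# The CMG URL defaults to the article's sample name; replace it with your own.
#Requires -RunAsAdministrator

param(
    [string]$CmgUrl = 'https://GraniteFalls.contoso.com',  # sample value from the article
    [int]$WaitSeconds = 60                                  # assumed time for a location request
)

$ccmKey = 'HKLM:\SOFTWARE\Microsoft\CCM'

function Get-CmgClientState {
    # Collect the registry values discussed in the article plus the client's
    # internet-type MP candidates, so a before/after comparison is possible.
    $cmgFqdns = (Get-ItemProperty -Path $ccmKey -Name 'CMGFQDNs' -ErrorAction SilentlyContinue).CMGFQDNs
    $alwaysInternet = (Get-ItemProperty -Path "$ccmKey\Security" -Name 'ClientAlwaysOnInternet' `
        -ErrorAction SilentlyContinue).ClientAlwaysOnInternet

    # Same query the article runs with Get-WmiObject, using the CIM cmdlet instead.
    $internetMPs = Get-CimInstance -Namespace 'root\ccm\LocationServices' `
        -ClassName 'SMS_ActiveMPCandidate' -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'Internet' }

    [pscustomobject]@{
        CMGFQDNs               = $cmgFqdns
        ClientAlwaysOnInternet = $alwaysInternet
        InternetMPs            = @($internetMPs | ForEach-Object { $_.MP })
    }
}

function Set-CmgClientLocation {
    param([string]$Url)
    if (-not (Test-Path $ccmKey)) {
        throw "Key $ccmKey not found: the Configuration Manager client doesn't appear to be installed."
    }
    # CMGFQDNs must be a REG_SZ (String) value; -Force overwrites an existing entry.
    New-ItemProperty -Path $ccmKey -Name 'CMGFQDNs' -Value $Url -PropertyType String -Force | Out-Null
    # The client re-reads CMGFQDNs when the service starts (or on its 25-hour cycle or a
    # network change), so restart SMS Agent Host now. Service name assumed to be CcmExec.
    Restart-Service -Name 'CcmExec' -Force
}

'--- Before ---'
Get-CmgClientState | Format-List

Set-CmgClientLocation -Url $CmgUrl

# Give the client time to start and issue a location request before checking again.
Start-Sleep -Seconds $WaitSeconds

'--- After ---'
$after = Get-CmgClientState
$after | Format-List

if ($after.InternetMPs.Count -eq 0) {
    Write-Warning ("No internet-type management point is known yet. The client only reads CMGFQDNs " +
                   "when it has no current CMG or internet MP set, so confirm the service restarted, " +
                   "that the device can reach $CmgUrl, and that it has a client authentication " +
                   "certificate or is Azure AD joined.")
}
```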

Next steps
Your CMG is now set up and functional with clients communicating to the site. Next,
understand how to monitor the CMG service and clients:

Monitor CMG

Monitor the CMG
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

After the cloud management gateway (CMG) is running and clients are connecting
through it, you can monitor clients and network traffic. Monitor the service to make sure
its performance is optimal.

Monitor clients
Clients connected through the CMG appear in the Configuration Manager console the
same way on-premises clients do. For more information, see how to monitor clients.

Monitor traffic in the console

Monitor traffic on the CMG using the Configuration Manager console:

1. Go to the Administration workspace, expand Cloud Services, and select the Cloud
Management Gateway node.

2. Select the CMG in the list pane.

3. View the traffic information in the details pane for the CMG connection point and
the site system roles it connects to. These statistics show the client requests
coming into these roles. The requests include policy, location, registration, content,
inventory, and client notifications.

Monitor content
Monitor content that you distribute to a CMG the same as with any other distribution
point. For more information, see Monitor content.

When you view the list of CMGs in the console, you can add more columns to the list.
For example, the Storage egress (GB) column shows the amount of data that clients
downloaded from the service in the last 30 days.

Monitor logs
The following table lists the log files that contain information related to the cloud
management gateway.

Log name: CloudMgr.log
Description: Records details about deploying the cloud management gateway
service, ongoing service status, and use data associated with the service. To
configure the logging level, edit the Logging level value in the following
registry key: HKLM\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_CLOUD_SERVICES_MANAGER
Computer with log file: The installdir folder on the primary site server or CAS.

Log name: CMGSetup.log (Note 1)
Description: Records details about the second phase of the cloud management
gateway deployment (local deployment in Azure). To configure the logging level,
use the setting Trace level (Information (Default), Verbose, Error) on the Azure
portal\Cloud services configuration tab.
Computer with log file: The %approot%\logs on your Azure server, or the SMS/Logs
folder on the site system server.

Log name: CMGService.log (Note 1)
Description: Records details about the cloud management gateway service core
component in Azure. To configure the logging level, use the setting Trace level
(Information (Default), Verbose, Error) on the Azure portal\Cloud services
configuration tab.
Computer with log file: The %approot%\logs on your Azure server, or the SMS/Logs
folder on the site system server.

Log name: SMS_Cloud_ProxyConnector.log
Description: Records details about setting up connections between the cloud
management gateway service and the cloud management gateway connection point.
Computer with log file: Site system server.

Log name: CMGContentService.log (Note 1)
Description: When you enable a CMG to also serve content from Azure storage,
this log records the details of that service.
Computer with log file: The %approot%\logs on your Azure server, or the SMS/Logs
folder on the site system server.

For troubleshooting deployments, use CloudMgr.log and CMGSetup.log.
For troubleshooting service health, use CMGService.log and
SMS_Cloud_ProxyConnector.log.
For troubleshooting client traffic, use CMGService.log and
SMS_Cloud_ProxyConnector.log.

Note 1: Logs synchronized from Azure

These are local Configuration Manager log files that cloud service manager syncs from
Azure storage every five minutes. The cloud management gateway pushes logs to Azure
storage every five minutes. So the maximum delay is 10 minutes. Verbose switches affect
both local and remote logs. The actual file names include the service name and role
instance identifier. For example, CMG-ServiceName-RoleInstanceID-CMGSetup.log.
These log files are synced, so you don't need to RDP to the cloud management gateway
to obtain them, and that option isn't supported.
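As an added example (not from the Configuration Manager documentation), the script below checks the site-server copies of the synced CMG logs described in Note 1: it flags any file older than the 10-minute maximum sync delay and summarizes error entries. The log root path is a placeholder, and the script assumes the standard Configuration Manager log line format in which type="3" marks an error entry.

```powershell
# Added example, not from the Configuration Manager documentation: check that the
# CMG logs synced from Azure storage are fresh and summarize their error entries.
# $LogRoot is a placeholder; point it at the site server's SMS\Logs folder.
# Assumes the standard Configuration Manager log line format, e.g.
#   <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="3" ...>
# where type="3" is an error and type="2" a warning.
param(
    [string]$LogRoot = 'C:\Program Files\Microsoft Configuration Manager\Logs',  # placeholder
    [int]$MaxAgeMinutes = 10,   # per the article: CMG pushes every 5 min, site syncs every 5 min
    [int]$RecentErrors = 5
)

function Get-CmgSyncedLogStatus {
    param([string]$Root, [int]$MaxAge)
    # Synced files are named CMG-<ServiceName>-<RoleInstanceID>-<LogName>.log.
    # CMGContentService.log only exists when the CMG is content-enabled.
    $logNames = 'CMGSetup', 'CMGService', 'CMGContentService'
    foreach ($name in $logNames) {
        $files = @(Get-ChildItem -Path $Root -Filter "CMG-*-$name.log" -ErrorAction SilentlyContinue)
        if ($files.Count -eq 0) {
            [pscustomobject]@{ Log = $name; File = $null; AgeMinutes = $null; Fresh = $false
                               Errors = $null; Note = 'no synced copy found' }
            continue
        }
        foreach ($f in $files) {
            $age = [int]((Get-Date) - $f.LastWriteTime).TotalMinutes
            # Count error entries by their type="3" attribute.
            $errors = @(Select-String -Path $f.FullName -Pattern 'type="3"' -ErrorAction SilentlyContinue).Count
            $note = ''
            if ($age -gt $MaxAge) {
                $note = "older than $MaxAge min: sync from Azure storage may be stalled, or the service is stopped"
            }
            [pscustomobject]@{
                Log        = $name
                File       = $f.Name
                AgeMinutes = $age
                Fresh      = ($age -le $MaxAge)
                Errors     = $errors
                Note       = $note
            }
        }
    }
}

$status = @(Get-CmgSyncedLogStatus -Root $LogRoot -MaxAge $MaxAgeMinutes)
$status | Format-Table Log, File, AgeMinutes, Fresh, Errors, Note -AutoSize

# Show the most recent error lines from each log that has any, trimmed to the message text.
foreach ($s in ($status | Where-Object { $_.Errors -gt 0 })) {
    "`n=== Last $RecentErrors errors in $($s.File) ==="
    Select-String -Path (Join-Path $LogRoot $s.File) -Pattern 'type="3"' |
        Select-Object -Last $RecentErrors |
        ForEach-Object { ($_.Line -replace '^<!\[LOG\[', '') -replace '\]LOG\]!>.*$', '' }
}
```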

Cloud management dashboard

The cloud management dashboard provides a centralized view for CMG usage. It also
displays data about cloud users and devices.

In the Configuration Manager console, go to the Monitoring workspace. Select the
Cloud Management node, and view the dashboard tiles.

The following screenshot shows the section of the cloud management dashboard
specific for the CMG:


Connection analyzer
To aid troubleshooting, use the CMG connection analyzer for real-time verification. The
in-console utility checks the current status of the service, and the communication
channel through the CMG connection point to any management points that allow CMG
traffic.

1. In the Configuration Manager console, go to the Administration workspace.
Expand Cloud Services and select the Cloud management gateway node.

2. Select the target CMG instance, and then select Connection analyzer in the ribbon.

3. In the CMG connection analyzer window, select one of the following options to
authenticate with the service:

a. Azure AD user: Use this option to simulate communication the same as a cloud-
based user identity signed in to an Azure AD-joined Windows device. Select
Sign In to securely enter the credentials for an Azure AD user account.

b. Client certificate: Use this option to simulate communication the same as a
Configuration Manager client with a client authentication certificate.

4. Select Start to start the analysis. The analyzer window displays the results. Select
an entry to see more details in the Description field.

Set up outbound traffic alerts
Outbound traffic alerts help you know when network traffic approaches a 14-day
threshold level. When you create the CMG, you can set up traffic alerts. If you skipped
that part, you can still set up the alerts after the service is running. Adjust the alert
settings at any time.

You can also configure thresholds for the amount of data that you want to store on the
CMG and that clients download. Use alerts for these thresholds to help you decide when
to stop or delete the cloud service, adjust the content that you store on the CMG, or
modify which clients can use the service.

1. Go to the Administration workspace, expand Cloud Services, and select the Cloud
Management Gateway node.

2. Select the CMG in the list pane, and then select Properties in the ribbon.
3. Go to the Alerts tab to enable the threshold and alerts:

Specify the 14-day data threshold for outbound data transfer in gigabytes
(GB). This threshold helps you to monitor the amount of data that transfers
from the CMG to clients every two weeks. By default, this threshold is
approximately 10 TB. The default value is 10,000 GB. The site raises warning
and critical alerts when transfers reach values that you define. By default,
these alerts occur at 50% and 90% of the threshold.

If the CMG is content-enabled, also specify a storage alert threshold. This
threshold sets an upper limit on the amount of content to store on the CMG.
By default, this threshold is approximately 2 TB. The default value is 2,000
GB. Configuration Manager generates warning and critical alerts when the
remaining free space reaches the levels that you specify. By default, these
alerts occur at 50% and 90% of the threshold.

Note

Alerts for the CMG depend on usage statistics from Azure, which can take up to 24
hours to become available. For more information about Storage Analytics for Azure,
see Storage Analytics.

In an hourly cycle, the primary site that monitors the CMG downloads transaction
data from Azure. It stores this transaction data in the CloudDP-<ServiceName>.log
file on the site server. Configuration Manager then evaluates this information
against the storage and transfer quotas for each CMG. When the transfer of data
reaches or exceeds the specified volume for either warnings or critical alerts,
Configuration Manager generates the appropriate alert.

Because the site downloads information about data transfers from Azure every
hour, the usage might exceed a warning or critical threshold before Configuration
Manager can access the data and raise an alert.

Stop CMG when it exceeds threshold

Configuration Manager can stop a CMG service when the total data transfer goes over
your limit. Use alerts to trigger notifications when the usage reaches warning or critical
levels. To help reduce any unexpected Azure costs because of a spike in usage, this
option turns off the cloud service.

Important

Even if the service isn't running, there are still costs associated with the cloud
service. Stopping the service doesn't eliminate all associated Azure costs. To
remove all cost for the cloud service, delete the CMG.

When you stop the CMG service, internet-based clients can't communicate with
Configuration Manager.

The total data transfer (egress) includes data from the cloud service and storage
account. This data comes from the following flows:

CMG to client
CMG to site, including CMG log files
If you enable CMG for content, storage account to client

For more information on these data flows, see CMG ports and data flow.

The storage alert threshold is separate. That alert monitors the capacity of your Azure
storage instance.

When you select the CMG instance in the Cloud Management Gateway node in the
console, you can see the total data transfer in the details pane.

Configuration Manager checks the threshold value every six minutes. If there's a sudden
spike in usage, Configuration Manager can take up to six minutes to detect that it
exceeded the threshold and then stop the service.

Process to stop the cloud service when it exceeds threshold

1. Set up outbound traffic alerts.

2. On the Alerts tab of the CMG properties window, enable the option to Stop this
service when the critical threshold is exceeded.

To test this feature, temporarily reduce one of the following values:

14-day threshold for outbound data transfer (GB). The default value is 10000.

Percentage of threshold for raising Critical alert. The default value is 90.

Next steps
If you need to change the configuration, you can modify the CMG:
Modify a CMG

Modify a CMG
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

If you need to change the configuration, you can modify the cloud management
gateway (CMG).

Configure properties
After you create a CMG, you can modify some of its settings. Select the CMG in the
Configuration Manager console and select Properties. Configure settings on the
following tabs:

Settings tab
Certificate file: Change the server authentication certificate for the CMG. This
option is useful when you renew the certificate before it expires. When you get a
new certificate, make sure its common name is the same.

Note

When you renew the server authentication certificate for the CMG, the FQDN
that you specify for the certificate's common name (CN) is case-sensitive. For
example, if the CN of the current certificate is granitefalls.contoso.com,
create the new certificate with the same lowercase CN. The wizard won't
accept a certificate with the CN GRANITEFALLS.CONTOSO.COM.

If you make significant changes to the certificate, you may need to Redeploy
the service. For example, changing the organization name on the certificate.

Description: Specify an optional description to further identify this CMG in the
Configuration Manager console.

VM Instance: Change the number of virtual machines that the service uses in
Azure. This setting allows you to dynamically scale the service up or down based
on usage or cost considerations.

Certificates: Add or remove trusted root or intermediate CA certificates. This
option is useful when adding new CAs, or retiring expired certificates.

Verify Client Certificate Revocation: If you didn't originally enable this setting
when you created the CMG, you can enable it later, after you publish the CRL.
For more information, see Publish the certificate revocation list.

Enforce TLS 1.2: The CMG enables this option by default. Require it to use the TLS
1.2 encryption protocol. Starting in version 2107 with the update rollup, this setting
also applies to the CMG storage account. For more information, see How to enable
TLS 1.2.

Allow CMG to function as a cloud distribution point and serve content from
Azure storage: The CMG enables this option by default. If you plan on targeting
deployments with content to clients, you need to configure the CMG to serve
content.

Alerts tab
Reconfigure the alerts at any time after you create the CMG. For more information, see
Monitor the CMG: Set up outbound traffic alerts.

Content tab
View the packages that are assigned to the cloud storage account for this CMG. See
how much space each package uses in the storage account. When you select a package,
you can redistribute or remove the content files.

To verify that the content files for a package are available on the content-enabled CMG,
go to the Content Status node in the Monitoring workspace. For more information, see
Monitor content you distribute.

Convert

Note

Configuration Manager doesn't enable this optional feature by default. You must
enable this feature before using it. For more information, see Enable optional
features from updates.

Starting in version 2107, if you have a CMG that uses the classic cloud service, convert it
to use a virtual machine scale set.
Tip

This process reuses the underlying storage account.

When you convert a CMG, you can't change all settings:

Setting Convert
VM size
VM instances
Verify CRL
Require TLS
Serve content
Azure environment
Subscription
Azure AD app
Region
Resource group

To make changes that the conversion process doesn't support, you need to Redeploy
the service.

Important

If your CMG's service name is in the cloudapp.net domain, you can't convert it to a
virtual machine scale set. For example, you issued a server authentication certificate
from your internal PKI with a common name of GraniteFalls.cloudapp.net. Since
Microsoft owns the cloudapp.net domain, you can't create a DNS CNAME to map
this service name to the new deployment name in the cloudapp.azure.com domain.

1. Issue a new server authentication certificate from your internal PKI with a new
service name. Consider using your domain name instead of a Microsoft
domain. For more information, see Use an enterprise PKI certificate.
2. Deploy a new CMG as a virtual machine scale set with the new certificate.
3. Once clients refresh policy to get this new CMG, delete the old CMG.

For more information, see Replace a CMG with a new service name.

Process to convert a CMG to a virtual machine scale set

Important

First review the prerequisites for virtual machine scale sets. For example, make sure
that you register the necessary Azure resource providers in the subscription. You
also need both Subscription Owner permission to the associated subscription and
Global Administrator permissions for the associated tenant.

1. In the Configuration Manager console, go to the Administration workspace,
expand Cloud Services, and select the Cloud Management Gateway node.

2. Select a CMG instance whose Status is Ready. In the ribbon, select Convert. This
action opens the Convert CMG wizard.

3. On the General page, select Next. You can't change any of these settings.

4. On the Settings page, note the new Deployment name with the suffix for the virtual
machine scale set.

5. Make other configuration changes as needed. Then select Next and complete the
wizard.

Monitor the conversion process the same as a new deployment. For example, view the
state in the console, and review cloudmgr.log. For more information, see Monitor CMG.

Update or create a DNS CNAME

Since the deployment name changed, you need to update or create a DNS canonical
name record (CNAME). This alias maps the service name to the deployment name. For
more information, see Create a DNS CNAME alias.

For example:

The CMG's service name is GraniteFalls.contoso.com.

For the deployment name:

Classic: GraniteFalls.cloudapp.net
Virtual machine scale set: GraniteFalls.EastUS.CloudApp.Azure.Com
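The script below is an added example (not from the Configuration Manager documentation) that checks the two naming pitfalls this article raises before a certificate renewal or a conversion: that a new certificate's CN matches the current one case-sensitively (as the wizard requires), and that the service name's DNS CNAME aliases the expected deployment name. The service, CN and deployment names default to the article's samples; the .pfx path is a placeholder, and Resolve-DnsName requires the DnsClient module.

```powershell
# Added example, not from the Configuration Manager documentation: pre-flight checks
# for the naming pitfalls the article describes. The certificate CN check is
# case-sensitive (as the CMG wizard is); the CNAME check confirms the service name
# aliases the expected deployment name. Defaults are the article's sample values;
# the .pfx path is a placeholder.
param(
    [string]$ServiceName    = 'GraniteFalls.contoso.com',
    [string]$ExpectedCN     = 'granitefalls.contoso.com',               # CN of the current certificate
    [string]$ExpectedTarget = 'GraniteFalls.EastUS.CloudApp.Azure.Com', # scale set deployment name
    [string]$NewPfxPath     = 'C:\certs\cmg-renewal.pfx'                # placeholder
)

function Get-CertificateCN {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Subject looks like "CN=granitefalls.contoso.com, O=Contoso, C=US"; take the CN RDN only.
    $rdn = ($Certificate.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
    if (-not $rdn) { return $null }
    return $rdn.Substring(3)
}

function Test-CmgCertificate {
    param([string]$PfxPath, [string]$CN)
    # Get-PfxCertificate prompts for the password if the file is protected.
    $cert = Get-PfxCertificate -FilePath $PfxPath
    $actualCN = Get-CertificateCN -Certificate $cert
    # -ceq is case-sensitive; -eq would wrongly accept GRANITEFALLS.CONTOSO.COM.
    $cnMatch = ($actualCN -ceq $CN)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Check  = 'Certificate CN (case-sensitive)'
        Pass   = ($cnMatch -and ($daysLeft -gt 0))
        Detail = "CN='$actualCN', expected '$CN'; expires in $daysLeft day(s)"
    }
}

function Test-CmgCname {
    param([string]$Name, [string]$Target)
    try {
        $cname = Resolve-DnsName -Name $Name -Type CNAME -ErrorAction Stop |
            Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    } catch {
        return [pscustomobject]@{ Check = 'DNS CNAME'; Pass = $false
                                  Detail = "lookup failed: $($_.Exception.Message)" }
    }
    if (-not $cname) {
        return [pscustomobject]@{ Check = 'DNS CNAME'; Pass = $false; Detail = "$Name has no CNAME record" }
    }
    # DNS names are not case-sensitive, so -ieq is correct here (unlike the certificate CN).
    [pscustomobject]@{
        Check  = 'DNS CNAME'
        Pass   = ($cname.NameHost.TrimEnd('.') -ieq $Target.TrimEnd('.'))
        Detail = "$Name -> $($cname.NameHost), expected $Target"
    }
}

$results = @(
    (Test-CmgCertificate -PfxPath $NewPfxPath -CN $ExpectedCN),
    (Test-CmgCname -Name $ServiceName -Target $ExpectedTarget)
)
$results | Format-Table Check, Pass, Detail -AutoSize
# Non-zero exit lets a change pipeline block the redeploy/convert step on a failed check.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```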

Redeploy the service

More significant changes, such as the following configurations, require that you
redeploy the service:

Subscription
Service name
Region
Resource group
Significant changes to the server authentication certificate

Always keep at least one active CMG for internet-based clients to receive updated
policy. Internet-based clients can't communicate with a removed CMG. Clients don't
know about a new one until they refresh policy. When you create a second CMG
instance to delete the first, also create another CMG connection point.

Clients refresh policy by default every 24 hours. Before you delete the old CMG, wait at
least one day after you create a new one. If clients are turned off or without an internet
connection, you may need to wait longer.

If you have an existing CMG from version 1810 or earlier, it uses the Azure Service
Manager deployment method. This method used an Azure management certificate. This
method is deprecated, and support will be removed in a later version of Configuration
Manager. Redeploy a new CMG to use the Azure Resource Manager deployment
method.

The process to redeploy the service depends upon your service name and whether you
want to reuse it.

Note

In version 2107 and later, you can have multiple CMGs that use different
deployment methods. You can also convert a cloud service (classic) CMG to a
virtual machine scale set. For more information, see Convert.

In versions 2010 and 2103, if you already deployed a CMG with the cloud service
(classic) method, you can't deploy another CMG as a virtual machine scale set, and
vice versa. First delete the existing CMG, and then create a new one with the other
deployment method. All CMG instances for the site need to use the same
deployment method. For more information, see Plan for CMG: Virtual machine
scale sets.

Replace a CMG and reuse the same service name

Important

This process assumes that you already have at least two CMG services, and are
replacing one of them at a time. You need to have at least one active CMG for
internet-based clients.

1. Delete the old CMG.

2. Create a new CMG with the same server authentication certificate.

3. Reconfigure the CMG connection point to use the new CMG.

Replace a CMG with a new service name

1. Get a new server authentication certificate.

2. Create a new CMG.

3. Create a new CMG connection point and link it with the new CMG.

4. Wait at least one day for internet-based clients to receive policy about the new
CMG. If clients are turned off or without an internet connection, you may need to
wait longer.

5. Delete the old CMG and associated CMG connection point.

Stop and start the service

Use the Configuration Manager console to stop and start the service if you need to.

1. In the Configuration Manager console, go to the Administration workspace,
expand Cloud Services, and select the Cloud Management Gateway node.

2. Select the CMG instance.

3. In the ribbon, select one of the following actions:

To stop a running CMG, select Stop service.
To start a stopped CMG, select Start service.

Configuration Manager can stop a CMG service when the total data transfer goes over
your limit. For more information, see Stop CMG when it exceeds threshold.

Important

Even if the service isn't running, there are still costs associated with the cloud
service. Stopping the service doesn't eliminate all associated Azure costs. To
remove all cost for the cloud service, delete the CMG.

When you stop the CMG service, internet-based clients can't communicate with
Configuration Manager.

You can also use PowerShell to stop and start a CMG:

Start-CMCloudManagementGateway
Stop-CMCloudManagementGateway

Determine deployment model

To determine the current deployment model of a CMG:

1. In the Configuration Manager console, go to the Administration workspace,
expand Cloud Services, and select the Cloud Management Gateway node.

2. Select the CMG instance.

3. In the Details pane at the bottom of the window, look for the Deployment Model
attribute.

Starting in version 2010, you'll see either Cloud service (classic) or Virtual machine
scale set.

In version 2006 and earlier, for a Resource Manager deployment, this attribute is
Azure Resource Manager. The legacy deployment model with the Azure
management certificate displays as Azure Service Manager.

Important

CMG deployments using Azure Service Manager are deprecated. Support will
be removed in a later version of Configuration Manager. Redeploy a new
CMG to use the Azure Resource Manager deployment method.

You can also add the Deployment Model attribute as a column to the list view.

Modifications in the Azure portal

Only modify the CMG from the Configuration Manager console. Making modifications
to the service or underlying VMs directly in Azure isn't supported. Any changes may be
lost without notice. As with any platform as a service (PaaS), the service can rebuild the
VMs at any time. These rebuilds can happen for backend hardware maintenance, or to
apply updates to the VM OS.

Renew Azure service secret key

When you first configure Azure Active Directory (Azure AD) for the CMG to create the
Cloud Management Azure service, you specify a secret key validity period on the web
(server) app registration. By default, the secret key is valid for one year, or you can
specify two years. Before the secret key expires, make sure to renew it. For more
information, see Renew secret key.

Delete the service

If you need to delete the CMG, only do it from the Configuration Manager console.
Manually removing any components in Azure causes the system to be inconsistent. This
state leaves orphaned information, and unexpected behaviors may occur.

Manually register Azure AD apps for the CMG
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The second primary step to set up a cloud management gateway (CMG) is to integrate
the Configuration Manager site with your Azure Active Directory (Azure AD) tenant. This
integration allows the site to authenticate with Azure AD, which it uses to deploy and
monitor the CMG service. If you can't use Configuration Manager to automate the
creation of the apps during the Azure Service Wizard, you can use the wizard to import
a previously created app. For example, if your Azure administrators require that they
manually create all Azure AD app registrations, then use this process.

Tip

This article provides prescriptive guidance to integrate the site specifically for the
cloud management gateway. For more information on this process and other uses
of the Azure Services node in the Configuration Manager console, see Configure
Azure services.

When you integrate the site, you create app registrations in Azure AD. The CMG requires
two app registrations:

Web app (also referred to as a server app in Configuration Manager)

Native app (also referred to as a client app in Configuration Manager)

There are two methods to create these apps, both of which require a global
administrator role in Azure AD:

Use Configuration Manager to automate the creation of the apps when you
integrate the site.
Manually create the apps in advance, and then import them when you integrate
the site.

This article provides the specific details for the second method. Pair these instructions
with the procedures in the Configure Azure AD for CMG article to complete the process.

Get tenant details

Tip

During this process, you'll need to note several values to use later. Open an app like
Windows Notepad to paste in the values that you'll copy from the Azure Portal.

First, you need to make note of the Azure AD tenant name and tenant ID. These values
are the first two pieces of information that you need to import the app registrations in
Configuration Manager.

1. In the Azure portal, select Azure Active Directory.

2. In the Azure AD menu, select Custom domain names.

3. Note the tenant name. For example, contoso.onmicrosoft.com.

4. In the Azure AD menu, select Properties.

5. Copy the Tenant ID GUID value.

Register the web (server) app

1. In the Azure AD menu, select App registrations. Select New registration to create
a new app.

2. In the Register an application pane, specify the following information:

Name: A friendly name for the app. For example, CMG-ServerApp.
Supported account types: Leave this setting as the default option, Accounts
in this organizational directory only.
Redirect URI: Leave this optional value blank.

3. Select Register to create the app.

4. In the properties of the new app, copy the following values:

Display name: This value is the friendly name for this app registration that
you'll use later as the application name.
Application (client) ID: You'll use this GUID value later as the client ID.

5. In the menu of the app properties, select Certificates & secrets, then select New
client secret.

Description: You can use any name for the secret or leave it blank.
Expires: Select either 12 months or 24 months.
Select Add. Immediately copy the client secret string Value and Expires. If you
leave this pane, you can't retrieve the same secret again. You'll use these values
later as the secret key and secret key expiry values.

6. If you're going to use Azure AD User Discovery in Configuration Manager, you
need to adjust the permissions on this app. In the menu of the app properties,
select API permissions. By default it should have the User.Read permission for the
Microsoft Graph API, which needs to change.

a. Select Microsoft Graph to enumerate the list of available API permissions, then
select Application permissions.

b. Expand Directory, and then select Directory.Read.All.

c. Switch to Delegated permissions.

d. Expand User, and remove the User.Read permission.

e. Select Update permissions.

f. On the API permissions pane, select Grant admin consent for..., then select Yes.

7. In the menu of the app properties, select Expose an API.

a. For the Application ID URI, select Set. Specify a URI that's unique for the tenant.
You'll use this value later as the App ID URI. Use one of the following
recommended formats:

api://{tenantId}/{string}, for example,
api://5e97358c-d99c-4558-af0c-de7774091dda/ConfigMgrService

https://{verifiedCustomerDomain}/{string}, for example,
https://contoso.onmicrosoft.com/ConfigMgrService

Select Save.

b. Select Add a scope, and specify the following required information:

Scope name: user_impersonation
Who can consent: Select Admins and users
Admin consent display name: Specify a meaningful name. For example,
Access CMG-ServerApp
Admin consent description: Specify a meaningful description. For
example, Allow the application to access CMG-ServerApp on behalf of
the signed-in user.

c. Select Add scope to save.

8. In the menu of the app properties, select Manifest. Set the
oauth2AllowIdTokenImplicitFlow entry to true. For example:

JSON

"oauth2AllowIdTokenImplicitFlow": true,

Select Save.

The web (server) app for CMG is now registered in Azure AD.

Register the native (client) app


1. In the Azure AD menu, select App registrations. Select New registration to create
a new app.

2. In the Register an application pane, specify the following information:

Name: A friendly name for the app. For example, CMG-ClientApp.
Supported account types: Leave this setting as the default option, Accounts
in this organizational directory only.
Redirect URI: Leave this optional value blank.

3. Select Register to create the app.

4. In the properties of the new app, copy the following values:

Display name: This value is the friendly name for this app registration that
you'll use later as the application name.
Application (client) ID: You'll use this GUID value later as the client ID.

5. In the menu of the app properties, select Authentication.

a. Under Platform configurations, select Add a platform.

i. In the Configure platforms pane, select Mobile and desktop applications.

ii. In the Configure Desktop + devices pane, under Custom redirect URIs,
specify ms-appx-web://Microsoft.AAD.BrokerPlugin/<ClientID>. Use the app's
client ID GUID, for example:
ms-appx-web://Microsoft.AAD.BrokerPlugin/2afe572e-d268-4c77-a22d-fdca617e2255.

iii. Select Configure.


b. Under Advanced settings, set Allow public client flows to Yes. Select Save.

6. Adjust the permissions on this app. In the menu of the app properties, select API
permissions. By default it should have the User.Read delegated permission for the
Microsoft Graph API.

a. On the API permissions pane, select Add a permission.

b. Switch to the My APIs tab, and select your web (server) app. For example, CMG-
ServerApp. Select the user_impersonation permission, and then select Add
permissions to save.

c. On the API permissions pane, select Grant admin consent for..., and then select
Yes.

7. In the menu of the app properties, select Manifest. Set the
oauth2AllowIdTokenImplicitFlow entry to true. For example:

JSON

"oauth2AllowIdTokenImplicitFlow": true,

Select Save.

The native (client) app for CMG is now registered in Azure AD. This step also concludes
the process in the Azure portal. The role of the Azure global administrator is done.

Import the apps to Configuration Manager


After you manually register the two apps in the Azure portal, use the process in the
article to Configure Azure AD for CMG, but select the option to Import each of the apps.

These processes import metadata about the Azure AD apps into Configuration Manager.
You don't require any Azure AD permissions to import these apps.

Import web (server) app


When you select Import from the Server app window, it opens the Import apps window.
Enter the following information about the Azure AD web app that's already registered in
the Azure portal:

Azure AD Tenant Name: The name of your Azure AD tenant.
Azure AD Tenant ID: The GUID of your Azure AD tenant.
Application Name: A friendly name for the app, the display name in the app
registration.
Client ID: The Application (client) ID value of the app registration. The format is a
standard GUID.
Secret Key: Copy the secret key when you register the app in Azure AD and create
the secret key.
Secret Key Expiry: Specify the same date as from the Azure portal.
App ID URI: The value is the Application ID URI of the app registration entry in the
Azure AD portal. The format is similar to https://ConfigMgrService.

After entering the information, select Verify. Then select OK to close the Import apps
window.

Important

When you use an imported Azure AD app, you aren't notified of an upcoming
expiration date from console notifications.

Import native (client) app


When you select Import from the Client app window, it opens the Import apps window.
Enter the following information about the Azure AD native app that's already registered
in the Azure portal:

The wizard autopopulates the Azure AD tenant name and tenant ID based on the
web (server) app that you already specified.
Application Name: A friendly name for the app.
Client ID: The Application (client) ID value of the app registration. The format is a
standard GUID.

After entering the information, select Verify. Then select OK to close the Import apps
window.
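As an added check (example code written for this page, not part of Configuration Manager or the Azure portal), the following Python script validates the values you copied for both app registrations before you import them: the App ID URI formats from step 7 of the web app, the manifest flag from step 8, the native app's redirect URI and public client flow setting, the user_impersonation permission the client app needs on the server app, the Graph permissions needed for Azure AD User Discovery, and that the secret value and its expiry were captured. The tenant ID, tenant name and client ID values are taken from the article's own examples; the other GUID, the secret text and the record layout are constructed placeholders.

```python
import re
from datetime import date

# Added example: a pre-import checklist for the two CMG app registrations.
# Sample values are constructed placeholders shaped like the ones the article
# tells you to copy from the Azure portal; nothing here is a real tenant.
TENANT_ID = "5e97358c-d99c-4558-af0c-de7774091dda"   # tenant ID from the article's api:// example
VERIFIED_DOMAINS = ["contoso.onmicrosoft.com"]        # tenant name from the article
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def is_guid(value):
    return bool(GUID_RE.match(value or ""))


def valid_app_id_uri(uri, tenant_id, verified_domains):
    """Accept only the two recommended formats:
    api://{tenantId}/{string} or https://{verifiedCustomerDomain}/{string}."""
    m = re.match(r"^api://([0-9a-f-]{36})/([^/\s]+)$", uri or "", re.I)
    if m:
        return m.group(1).lower() == tenant_id.lower()
    m = re.match(r"^https://([^/\s]+)/([^/\s]+)$", uri or "", re.I)
    if m:
        return m.group(1).lower() in {d.lower() for d in verified_domains}
    return False


def check_server_app(app, today, use_user_discovery):
    """Return a list of problems with the web (server) app; empty means ready to import."""
    problems = []
    if not is_guid(app.get("client_id")):
        problems.append("server: Application (client) ID is not a GUID")
    if not valid_app_id_uri(app.get("app_id_uri"), TENANT_ID, VERIFIED_DOMAINS):
        problems.append("server: App ID URI is not api://{tenantId}/... or https://{verifiedDomain}/...")
    if not app.get("secret"):
        problems.append("server: client secret value missing (it can only be copied when created)")
    expires = app.get("secret_expires")
    if expires is None or expires <= today:
        problems.append("server: client secret is expired or has no expiry date")
    if app.get("manifest", {}).get("oauth2AllowIdTokenImplicitFlow") is not True:
        problems.append("server: manifest oauth2AllowIdTokenImplicitFlow is not true")
    if "user_impersonation" not in app.get("exposed_scopes", []):
        problems.append("server: user_impersonation scope is not exposed")
    graph = app.get("graph_permissions", {})
    if use_user_discovery:  # step 6 of the web app registration
        if "Directory.Read.All" not in graph.get("application", []):
            problems.append("server: Directory.Read.All application permission missing (Azure AD User Discovery)")
        if "User.Read" in graph.get("delegated", []):
            problems.append("server: default User.Read delegated permission should be removed")
    if not app.get("admin_consent_granted"):
        problems.append("server: admin consent not granted")
    return problems


def check_client_app(app, server_app):
    """Return a list of problems with the native (client) app."""
    problems = []
    cid = app.get("client_id") or ""
    if not is_guid(cid):
        problems.append("client: Application (client) ID is not a GUID")
    expected_redirect = f"ms-appx-web://Microsoft.AAD.BrokerPlugin/{cid}"
    if expected_redirect not in app.get("redirect_uris", []):
        problems.append(f"client: redirect URI {expected_redirect} missing")
    if app.get("allow_public_client_flows") is not True:
        problems.append("client: Allow public client flows is not Yes")
    if app.get("manifest", {}).get("oauth2AllowIdTokenImplicitFlow") is not True:
        problems.append("client: manifest oauth2AllowIdTokenImplicitFlow is not true")
    granted = app.get("api_permissions", {}).get(server_app.get("client_id"), [])
    if "user_impersonation" not in granted:
        problems.append("client: user_impersonation permission on the server app missing")
    if not app.get("admin_consent_granted"):
        problems.append("client: admin consent not granted")
    return problems


SERVER_APP = {  # constructed record; the client ID is a placeholder GUID
    "display_name": "CMG-ServerApp",
    "client_id": "11111111-2222-3333-4444-555555555555",
    "app_id_uri": f"api://{TENANT_ID}/ConfigMgrService",
    "secret": "<secret value copied when the secret was created>",
    "secret_expires": date(2030, 1, 1),
    "manifest": {"oauth2AllowIdTokenImplicitFlow": True},
    "exposed_scopes": ["user_impersonation"],
    "graph_permissions": {"application": ["Directory.Read.All"], "delegated": []},
    "admin_consent_granted": True,
}
CLIENT_APP = {  # constructed record; the client ID is the article's redirect URI example
    "display_name": "CMG-ClientApp",
    "client_id": "2afe572e-d268-4c77-a22d-fdca617e2255",
    "redirect_uris": ["ms-appx-web://Microsoft.AAD.BrokerPlugin/2afe572e-d268-4c77-a22d-fdca617e2255"],
    "allow_public_client_flows": True,
    "manifest": {"oauth2AllowIdTokenImplicitFlow": True},
    "api_permissions": {"11111111-2222-3333-4444-555555555555": ["user_impersonation"]},
    "admin_consent_granted": True,
}


def run_checks(server_app=SERVER_APP, client_app=CLIENT_APP, today=date(2024, 1, 1), use_user_discovery=True):
    return check_server_app(server_app, today, use_user_discovery) + check_client_app(client_app, server_app)


if __name__ == "__main__":
    for line in run_checks() or ["both app registrations look ready to import"]:
        print(line)
```

Fill the two records from what you copied into Notepad and run the script; an empty result means every value the Import apps window asks for is present and in the expected shape. The script does not talk to Azure, so it can't confirm that admin consent was actually granted; it only checks what you recorded.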

Next steps
After you manually register the two apps in the Azure portal, use the process in the
following article to import the apps:

Configure Azure AD for CMG


Security and privacy for the cloud management gateway
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article includes security and privacy information for the Configuration Manager
cloud management gateway (CMG). For more information, see Overview of cloud
management gateway.

Security details
The CMG accepts and manages connections from CMG connection points. It uses
mutual authentication using certificates and connection IDs.

The CMG accepts and forwards client requests using the following methods:

Pre-authenticates connections using mutual HTTPS with the PKI-based client
authentication certificate or Azure Active Directory (Azure AD).

IIS on the CMG VM instances verifies the certificate path based on the trusted
root certificates that you upload to the CMG.

If you enable certificate revocation, IIS on the VM instance also verifies client
certificate revocation. For more information, see Publish the certificate
revocation list.

The certificate trust list (CTL) checks the root of the client authentication certificate.
It also does the same validation as the management point for the client. For more
information, see Review entries in the site's certificate trust list.

Validates and filters client requests (URLs) to check if any CMG connection point
can service the request.

Checks content length for each publishing endpoint.

Uses round-robin behavior to load-balance CMG connection points in the same
site.

The CMG connection point uses the following methods:

Builds consistent HTTPS/TCP connections to all VM instances of the CMG. It checks
and maintains these connections every minute.

Uses mutual authentication with the CMG using certificates.

Forwards client requests based on URL mappings.

Reports connection status to show service health status in the console.

Reports traffic per endpoint every five minutes.

Configuration Manager rotates the storage account key for the CMG. This process
happens automatically every 180 days.

Security mechanisms and protections


The CMG resources in Azure are part of the Azure platform as a service (PaaS). They're
protected in the same manner and with the same default protections as all other
resources in Azure. It's not supported to change any of the configurations of the CMG
resources or architecture in Azure. These changes include the use of any sort of firewall
in front of the CMG to intercept, filter, or otherwise process traffic before it reaches the
CMG. All traffic destined for a CMG is processed through an Azure load balancer. CMG
deployments as a virtual machine scale set are protected by Microsoft Defender for
Cloud.

Service principals and authentication

The service principals are authenticated by the server app registration in Azure AD. This
app is also known as the web app. You create this app registration automatically when
you create the CMG, or manually by an Azure administrator in advance. For more
information, see Manually register Azure AD apps for the CMG.

The secret keys for the Azure apps are encrypted and stored in the Configuration
Manager site database. As part of the setup process, the server app has Read Directory
Data permission to the Microsoft Graph API. It also has the contributor role on the
resource group that hosts the CMG. Each time the app needs to access resources like
Microsoft Graph, it gets an access token from Azure, which it uses to access the cloud
resource.

Azure AD can automatically rotate the secret key for these apps, or you can do it
manually. When the secret key changes, you need to renew the secret key in
Configuration Manager.

For more information, see Purpose of app registrations.

Configuration Manager client-facing roles


The management point and software update point host endpoints in IIS to service client
requests. The CMG doesn't expose all internal endpoints. Every endpoint published to
the CMG has a URL mapping.

The external URL is the one the client uses to communicate with the CMG.

The internal URL is the CMG connection point used to forward requests to the
internal server.

URL-mapping example
When you enable CMG traffic on a management point, Configuration Manager creates
an internal set of URL mappings for each management point server. For example:
ccm_system, ccm_incoming, and sms_mp. The external URL for the management point
ccm_system endpoint might look like:

https://<CMG service name>/CCM_Proxy_MutualAuth/<MP Role ID>/CCM_System

The URL is unique for each management point. The Configuration Manager client then
puts the CMG-enabled management point name into its internet management point list.
This name looks like:

<CMG service name>/CCM_Proxy_MutualAuth/<MP Role ID>

The site automatically uploads all published external URLs to the CMG. This behavior
allows the CMG to do URL filtering. All URL mappings replicate to the CMG connection
point. It then forwards the communication to internal servers according to the external
URL from the client request.
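To make the URL filtering concrete, here is an added Python example (not Configuration Manager code) that builds the external-to-internal mappings for one management point and then routes sample client requests through them, dropping anything that isn't under a published external URL. The CMG service name, MP role ID and management point FQDN are constructed placeholders, and the internal URL form https://<MP FQDN>/<endpoint> is an assumption made for illustration; the article only says the connection point forwards to the internal server.

```python
from urllib.parse import urlsplit

# Added example. All names below are constructed placeholders; the internal URL
# layout is an assumption for illustration, not the product's own mapping format.
CMG_SERVICE_NAME = "GraniteFalls.WestUS.CloudApp.Azure.Com"
MP_ROLE_ID = "MP_ROLE_ID_PLACEHOLDER"
MP_FQDN = "mp01.corp.contoso.com"
MP_ENDPOINTS = ("CCM_System", "CCM_Incoming", "SMS_MP")   # the three named in the article


def internet_mp_name(cmg_service_name, mp_role_id):
    """Name the client stores in its internet management point list."""
    return f"{cmg_service_name}/CCM_Proxy_MutualAuth/{mp_role_id}"


def build_url_mappings(cmg_service_name, mp_role_id, mp_fqdn, endpoints=MP_ENDPOINTS):
    """External URL prefix -> internal URL prefix, one entry per published endpoint."""
    external_base = f"https://{cmg_service_name}/CCM_Proxy_MutualAuth/{mp_role_id}"
    return {f"{external_base}/{ep}": f"https://{mp_fqdn}/{ep}" for ep in endpoints}


def route_request(request_url, mappings):
    """Return the internal URL a request is forwarded to, or None to drop it.

    Only requests whose host and path prefix match a published external URL are
    forwarded. An unpublished endpoint, another MP role ID, a non-HTTPS scheme,
    or a '..' segment in the remaining path is rejected at the CMG."""
    req = urlsplit(request_url)
    if req.scheme.lower() != "https":
        return None
    for external, internal in mappings.items():
        ext = urlsplit(external)
        if req.netloc.lower() != ext.netloc.lower():
            continue
        path, prefix = req.path.lower(), ext.path.lower()
        if path == prefix or path.startswith(prefix + "/"):
            suffix = req.path[len(prefix):]
            if ".." in suffix.split("/"):
                return None
            return internal + suffix + (f"?{req.query}" if req.query else "")
    return None


def demo():
    """Route four constructed requests: one published, three that must be dropped."""
    mappings = build_url_mappings(CMG_SERVICE_NAME, MP_ROLE_ID, MP_FQDN)
    base = f"https://{CMG_SERVICE_NAME}/CCM_Proxy_MutualAuth"
    requests = [
        f"{base}/{MP_ROLE_ID}/CCM_System/request",      # published endpoint
        f"{base}/{MP_ROLE_ID}/SMS_DP/content",          # endpoint not published to the CMG
        f"{base}/OTHER_ROLE_ID/SMS_MP/request",         # role ID with no mapping
        f"{base}/{MP_ROLE_ID}/SMS_MP/../other",         # traversal hidden in the suffix
    ]
    return {url: route_request(url, mappings) for url in requests}


if __name__ == "__main__":
    print("internet MP name:", internet_mp_name(CMG_SERVICE_NAME, MP_ROLE_ID))
    for url, target in demo().items():
        print("FORWARD" if target else "DROP   ", url, "->", target)
```

Comparison is case-insensitive on host and path because IIS paths are, but the suffix is passed through unchanged so the internal server sees exactly what the client sent.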

Security guidance

Publish the certificate revocation list


Publish your PKI's certificate revocation list (CRL) for internet-based clients to access.
When deploying a CMG using PKI, configure the service to Verify client certificate
revocation on the Settings tab. This setting configures the service to use a published
CRL. For more information, see Plan for PKI certificate revocation.

This CMG option verifies the client authentication certificate.

If the client is using Azure AD or Configuration Manager token-based
authentication, the CRL doesn't matter.

If you use PKI, and externally publish the CRL, then enable this option
(recommended).
If you use PKI, don't publish the CRL, then disable this option.

If you misconfigure this option, it can cause more traffic from clients to the CMG.
This traffic can increase the Azure egress data, which can increase your Azure costs.

Review entries in the site's certificate trust list


Each Configuration Manager site includes a list of trusted root certification authorities,
the certificate trust list (CTL). View and modify the list by going to the Administration
workspace, expand Site Configuration, and select Sites. Select a site, and then select
Properties in the ribbon. Switch to the Communication Security tab, and then select Set
under Trusted Root Certification Authorities.

Use a more restrictive CTL for a site with a CMG using PKI client authentication.
Otherwise, clients with client authentication certificates issued by any trusted root that
already exists on the management point are automatically accepted for client
registration.

This subset provides administrators with more control over security. The CTL restricts the
server to only accept client certificates that are issued from the certification authorities
in the CTL. For example, Windows ships with certificates for many public and globally
trusted certificate providers. By default, the computer running IIS trusts certificates that
chain to these well-known certificate authorities (CAs). Without configuring IIS with a CTL,
any computer that has a client certificate issued from these CAs is accepted as a valid
Configuration Manager client. If you configure IIS with a CTL that doesn't include these
CAs, client connections are refused if the certificate chains to these CAs.

Enforce TLS 1.2


Use the CMG setting to Enforce TLS 1.2. It only applies to the Azure cloud service VM. It
doesn't apply to any on-premises Configuration Manager site servers or clients.

Starting in version 2107 with the update rollup, this setting also applies to the CMG
storage account.

For more information on TLS 1.2, see How to enable TLS 1.2.

Use token-based authentication


If you have devices that have one or more of the following conditions, consider using
Configuration Manager token-based authentication:
An internet-based device that doesn't often connect to the internal network
The device isn't able to join Azure AD
You don't have a method to install a PKI-issued certificate

With token-based authentication, the site automatically issues tokens for devices that
register on the internal network. You can create a bulk registration token for internet-
based devices. For more information, see Token-based authentication for CMG.

Frequently asked questions about the CMG
FAQ

Applies to: Configuration Manager (current branch)

This article answers your frequently asked questions about the cloud management
gateway (CMG). For more information, see Overview of CMG.

Do I need any certificates?


Yes, at least one, and possibly others depending upon your design.

Server authentication certificate: The CMG creates an HTTPS service to which
internet-based clients connect. The service requires a server authentication
certificate to build the secure channel. You can acquire a certificate for this purpose
from a public provider, or issue it from your public key infrastructure (PKI). For
more information, see CMG server authentication certificate.

Client authentication certificate: Depending upon your environment and CMG
design, you can use PKI certificates for client authentication. This authentication
method doesn't support user-centric scenarios, but supports devices running any
supported version of Windows. For more information, see Configure client
authentication for CMG: PKI certificate.

When you use this client authentication method, you also need to export the client
certificate's trusted root chain. You then use this chain of certificates when you
create the CMG and on the CMG connection point.

HTTPS-enabled management point: Depending upon how you configure the
site, and which client authentication method you choose, you may need to
configure your internet-enabled management points to support HTTPS. For more
information, see Configure client authentication for CMG: Enable management
point for HTTPS.

Do I need Azure ExpressRoute?


No. Azure ExpressRoute lets you extend your on-premises network into the Microsoft
cloud. ExpressRoute, or other such virtual network connections aren't required for the
CMG. The design of the CMG allows internet-based clients to communicate through the
Azure service to on-premises site systems with no additional network configuration. For
more information, see Overview of CMG.

Do I need to maintain or secure the Azure virtual machines?

No. The CMG is a software as a service (SaaS) solution that extends your Configuration
Manager environment into the cloud. The design of the CMG uses Azure platform as a
service (PaaS). Using the subscription you provide, Configuration Manager creates the
necessary virtual machines (VMs), storage, and networking. Azure PaaS secures and
updates the VMs. You don't need to monitor these VMs. The Azure VMs for CMG aren't
a part of your on-premises environment, as is the case with infrastructure as a service
(IaaS). For more security specific information on the underlying PaaS solution that the
CMG is built on, see Securing PaaS deployments.

Since the CMG acts as a proxy for client communication, it doesn't process, keep, or
store any client data. The communication path over the internet always uses HTTPS. For
greater security, configure the management point for HTTPS. Also configure the site
option for clients to encrypt inventory and status messages. For more information, see
Plan for security: Signing and encryption.

How can I ensure service continuity during service updates?

By scaling CMG to include two or more instances, you automatically benefit from
Update Domains in Azure. See How to update a cloud service.

I'm already using IBCM. If I add CMG, how do clients behave?

If you already deployed internet-based client management (IBCM), you can also deploy
the CMG. Clients receive policy for both services. As they roam onto the internet, they
randomly select and use one of these internet-based services.

Do the user accounts have to be in the same Azure AD tenant as the tenant
associated with the subscription that hosts the CMG cloud service?

No, you can deploy CMG into any subscription that can host Azure cloud services.

To clarify terms:

The Azure AD tenant is the directory of user accounts and app registrations. One
tenant can have multiple subscriptions.
An Azure subscription separates billing, resources, and services. It's associated with
a single tenant.

 Tip

For more information, see Subscriptions, licenses, accounts, and tenants for
Microsoft's cloud offerings.

This question is common in the following scenarios:

When you have distinct test and production Active Directory and Azure AD
environments, but one single, centralized Azure hosting subscription.

Your use of Azure has grown organically across different teams.

When you're using a Resource Manager deployment, onboard the Azure AD tenant
associated with the subscription. This connection allows Configuration Manager to
authenticate to Azure to create, deploy, and manage the CMG.

If you're using Azure AD authentication for the users and devices managed over the
CMG, onboard that Azure AD tenant. For more information on Azure services for cloud
management, see Configure Azure services. When you onboard each Azure AD tenant, a
single CMG can provide Azure AD authentication for multiple tenants, regardless of the
hosting location.

Example 1: One tenant with multiple subscriptions

The user identities, device registrations, and app registrations are all in the same tenant.
You can choose which subscription the CMG uses. You can deploy multiple CMG services
from one site into separate subscriptions. The site has a one-to-one relationship with
the tenant. You decide which subscriptions to use for various reasons such as billing or
logical separation.

Example 2: Multiple tenants

In other words, your environment has more than one Azure AD. If you need to support
user and device identities in both tenants, you need to attach the site to each tenant.
This process requires an administrative account from each tenant to create the app
registrations in that tenant. One site can then host CMG services in multiple tenants. You
can create a CMG in any available subscription in either tenant. Devices that are joined
or hybrid joined to either Azure AD could use a CMG.

If the user and device identities are in one tenant, but the CMG's subscription is in
another tenant, you need to attach the site to both tenants. Technically, the client app
isn't needed for the second tenant that only has the CMG service. The client app only
provides user and device authentication for clients that use the CMG service.

How does CMG affect my clients connected via VPN?

Roaming clients that connect to your environment via a VPN are commonly detected as
intranet-facing. They attempt to connect to your on-premises infrastructure such as
management points and distribution points. Some customers prefer to have these
roaming clients managed by cloud services even when connected via VPN.

You can also associate the CMG with a boundary group. This action forces these clients
to not use the on-premises site systems. For more information, see Configure boundary
groups.

How does the configuration of the management point affect internal clients?

To secure sensitive traffic sent over a CMG, you need to configure at least one
management point to use HTTPS or configure the site for Enhanced HTTP.

Then when you deploy a CMG, if you use PKI certificates for HTTPS communication on
the CMG-enabled management point, select the option to Allow internet-only clients
on the management point properties. This setting makes sure that internal clients
continue to use HTTP management points in your environment.
If you use Enhanced HTTP, you don't need to configure this setting. Clients continue to
use HTTP when communicating directly to the CMG-enabled management point. For
more information, see Enhanced HTTP.

What are the differences with client authentication between Azure AD and
certificates?

You can use Azure AD or a client authentication certificate for devices to authenticate to
the CMG service. You can also use Configuration Manager site-issued tokens for
authentication.

If you manage traditional Windows clients with Active Directory domain-joined identity,
they need PKI certificates to secure the communication channel. These clients can
include any supported version of Windows. You can use all CMG-supported features, but
software distribution is limited to devices only. Install the Configuration Manager client
before the device roams onto the internet, or use token authentication.

You can also manage Windows 10 or later clients with modern identity, either hybrid or
pure cloud domain-joined with Azure AD. Clients use Azure AD to authenticate rather
than PKI certificates. Using Azure AD is simpler to set up, configure and maintain than
more complex PKI systems. You can do all of the same management activities plus
software distribution to the user. It also enables additional methods to install the client
on a remote device.

Microsoft recommends joining devices to Azure AD. Internet-based devices can use
Azure AD to authenticate with Configuration Manager. It also enables both device and
user scenarios whether the device is on the internet or connected to the internal
network.

For more information, see Configure client authentication.

Should I use a virtual machine scale set deployment?

Yes, if your site is version 2107 or later. It's no longer a pre-release feature, and
recommended for all customers. If you have an existing classic CMG deployment, you
can convert it to a virtual machine scale set.
If your site is version 2010 or 2103, the virtual machine scale set deployment method is
a pre-release feature. It's only intended for customers with a Cloud Solution Provider
(CSP) subscription.

Important

Starting in version 2203, the option to deploy a CMG as a cloud service (classic) is
removed. All CMG deployments should use a virtual machine scale set. For more
information, see Removed and deprecated features.

For more information about deploying a CMG as a virtual machine scale set, see Plan for
CMG.

Does a content-enabled CMG use Azure CDN?

No. It doesn't currently support the Azure content delivery network (CDN). The CDN is a
global solution for rapidly delivering high-bandwidth content by caching the content at
strategically placed physical nodes across the world. For more information, see What is
Azure CDN?.

Do I need to do anything with the deprecation of the Azure AD Graph API and
Azure AD Authentication Library (ADAL)?

No. You may have seen the following blog post and are wondering how it applies to
Configuration Manager: Update your applications to use Microsoft Authentication
Library and Microsoft Graph API. This post is referring to any developed code that
uses these authentication libraries. Configuration Manager has been using the Microsoft
Graph API and Microsoft Authentication Library (MSAL) in some places for several years.
All other components are updated in Configuration Manager version 2107 with the
update rollup. If you stay current with Configuration Manager versions, there's nothing
else you need to do.

Some people confuse the information in this blog post with the application registrations
in Azure AD that Configuration Manager uses for various cloud-attached services. These
app registrations are cloud-based service principals that don't directly use these
authentication libraries. If an Azure global administrator manually created the
Configuration Manager app registrations in Azure AD, they can double-check that those
registrations have permissions for the Microsoft Graph API. They don't need
permissions for the Azure AD Graph API. For more information, see Manually register
Azure AD apps.

Data flow for CMG
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use this article to understand how data flows between components of the cloud
management gateway (CMG). It requires specific network ports and internet endpoints
to function. You don't need to open any inbound ports to your on-premises network.
The service connection point and CMG connection point site system roles start all
communication with Azure and the CMG. These two roles need to create outbound
connections to the Microsoft cloud. The service connection point deploys and monitors
the service in Azure, so needs to be online. The CMG connection point connects to the
CMG to manage communication between the CMG and on-premises site system roles.

Data flow diagram


The following diagram is a basic, conceptual data flow for the CMG:

1. The service connection point connects to Azure over HTTPS port 443. It
authenticates using Azure Active Directory (Azure AD). The service connection
point deploys the CMG in Azure. The CMG creates the HTTPS service using the
server authentication certificate.

2. The CMG connection point connects to the CMG in Azure. It holds the connection
open, and builds the channel for future two-way communication.
When you deploy the CMG as a virtual machine scale set, this flow is over
HTTPS.

If you deploy the CMG as a classic cloud service, it first tries TCP-TLS. If that
connection fails, it switches to HTTPS.

For more information, see Note 2: CMG connection point HTTPS ports for one VM.

3. The client connects to the CMG over HTTPS port 443. It authenticates using Azure
AD, the client authentication certificate, or a site-issued token.

Note

If you enable the CMG to serve content, the client connects directly to Azure
blob storage over HTTPS port 443. For more information, see Content data
flow.

4. The CMG forwards the client communication over the existing connection to the
on-premises CMG connection point. You don't need to open any inbound firewall
ports.

5. The CMG connection point forwards the client communication to the on-premises
management point and software update point.

For more information when you integrate with Azure AD, see Configure Azure services:
Cloud management data flow.

Content data flow


When a client uses a CMG as a content location:

1. The management point gives the client an access token along with the list of
content sources. This token is valid for 24 hours, and gives the client access to the
cloud-based content source.

2. The management point responds to the client's location request with the service
name of the CMG. This property is the same as the common name of the server
authentication certificate.

If you're using your domain name, for example, WallaceFalls.contoso.com, then
the client first tries to resolve this FQDN. Clients use the CNAME alias in your
domain's internet-facing DNS to resolve the Azure deployment name.

3. The client next resolves the deployment name to a valid IP address. This response is
handled by Azure's DNS.

4. The client connects to the CMG. Azure load balances the connection to one of the
VM instances. The client authenticates itself using the access token.

5. The CMG authenticates the client's access token, and then gives the client the
exact content location in Azure storage.

6. If the client trusts the CMG's server authentication certificate, it connects to Azure
storage to download the content.

Required ports
This table lists the required network ports and protocols. The Client is the device that
starts the connection, requiring an outbound port. The Server is the device that accepts
the connection, requiring an inbound port.

Client | Protocol | Port | Server | Description
Service connection point | HTTPS | 443 | Azure | CMG deployment
CMG connection point (virtual machine scale set) | HTTPS | 443 | CMG service | Protocol to build CMG channel to only one VM instance (Note 2)
CMG connection point (virtual machine scale set) | HTTPS | 10124-10139 | CMG service | Protocol to build CMG channel to two or more VM instances (Note 3)
CMG connection point (classic cloud service) | TCP-TLS | 10140-10155 | CMG service | Preferred protocol to build CMG channel (Note 1)
CMG connection point (classic cloud service) | HTTPS | 443 | CMG service | Fallback protocol to build CMG channel to only one VM instance (Note 2)
CMG connection point (classic cloud service) | HTTPS | 10124-10139 | CMG service | Fallback protocol to build CMG channel to two or more VM instances (Note 3)
Client | HTTPS | 443 | CMG | General client communication
Client | HTTPS | 443 | Blob storage | Download cloud-based content
CMG connection point | HTTPS or HTTP | 443 or 80 | Management point | On-premises traffic, port depends upon management point configuration
CMG connection point | HTTPS or HTTP | 443 or 80 / 8530 or 8531 | Software update point | On-premises traffic, port depends upon software update point configuration

Notes on ports

Note 1: CMG connection point TCP-TLS ports


These ports only apply when you deploy the CMG as a cloud service (classic), which was
the only method available in version 2006 and earlier.

The CMG connection point first tries to establish a long-lived TCP-TLS connection with
each CMG VM instance. It connects to the first VM instance on port 10140. The second
VM instance uses port 10141, up to the 16th on port 10155. A TCP-TLS connection has
the best performance, but it doesn't support internet proxy. If the CMG connection
point can't connect via TCP-TLS, then it falls back to HTTPS (Note 2).

Note 2: CMG connection point HTTPS ports for one VM


If you deploy the CMG in a virtual machine scale set, the CMG connection point only
communicates with the service in Azure over HTTPS. It doesn't require TCP-TLS ports to
build the CMG communication channel.

For a CMG deployed as a classic cloud service, it only uses this port if the TCP-TLS
connection fails. If the CMG connection point can't connect to the CMG via TCP-TLS
(Note 1), it connects to the Azure network load balancer over HTTPS 443. This behavior
is only for one VM instance.

Note 3: CMG connection point HTTPS ports for two or more VMs

If there are two or more VM instances, the CMG connection point uses HTTPS 10124 to
the first VM instance, not HTTPS 443. It connects to the second VM instance on HTTPS
10125, up to the 16th on HTTPS port 10139.

Internet access requirements


If your organization restricts network communication with the internet using a firewall or
proxy device, you need to allow the CMG connection point and service connection point
to access internet endpoints.

For more information, see Internet access requirements.

This section covers the following features:

Cloud management gateway (CMG)

Azure Active Directory (Azure AD) integration

Azure AD-based discovery

Cloud distribution point (CDP)

Note

The cloud-based distribution point (CDP) is deprecated. Starting in version 2107, you
can't create new CDP instances. To provide content to internet-based devices, enable
the CMG to distribute content.

The following sections list the endpoints by role. Some endpoints refer to a service by
<prefix>, which is the prefix name of the CMG. For example, if your CMG is
GraniteFalls.WestUS.CloudApp.Azure.Com, then the actual storage endpoint is
GraniteFalls.blob.core.windows.net.

Tip

To clarify some terminology:

CMG service name: The common name (CN) of the CMG server authentication
certificate. Clients and the CMG connection point site system role communicate with
this service name. For example, GraniteFalls.contoso.com or
GraniteFalls.WestUS.CloudApp.Azure.Com.

CMG deployment name: The first part of the service name plus the Azure location for
the cloud service deployment. The cloud service manager component of the service
connection point uses this name when it deploys the CMG in Azure. The deployment
name is always in an Azure domain. The Azure location depends upon the deployment
method, for example:
  Virtual machine scale set: GraniteFalls.WestUS.CloudApp.Azure.Com
  Classic deployment: GraniteFalls.CloudApp.Net

This article uses examples with a virtual machine scale set as the recommended
deployment method in version 2107 and later. If you use a classic deployment, note
the difference as you read this article and configure internet access.

Service connection point for cloud services


For Configuration Manager to deploy the CMG service in Azure, the service connection
point needs access to:

Specific Azure endpoints, which are different per environment depending upon the
configuration. Configuration Manager stores these endpoints in the site database.
Query the AzureEnvironments table in SQL Server for the list of Azure endpoints.

Azure services:
  management.azure.com (Azure public cloud)
  management.usgovcloudapi.net (Azure US Government cloud)

For Azure AD user discovery: Microsoft Graph endpoint https://graph.microsoft.com/

CMG connection point for cloud services


The CMG connection point needs access to the following endpoints:

Type | Azure public cloud | Azure US Government cloud
Service name | <prefix>.<region>.cloudapp.azure.com | <prefix>.usgovcloudapp.net
Storage endpoint 1 | <prefix>.blob.core.windows.net | <prefix>.blob.core.usgovcloudapi.net
Storage endpoint 2 | <prefix>.table.core.windows.net | <prefix>.table.core.usgovcloudapi.net
Key vault | <prefix>.vault.azure.net | <prefix>.vault.usgovcloudapi.net

The CMG connection point site system supports using a web proxy. For more
information on configuring this role for a proxy, see Proxy server support.

The CMG connection point only needs to connect to the CMG service endpoints. It
doesn't need access to other Azure endpoints.

Configuration Manager client for cloud services

Any Configuration Manager client that needs to communicate with a CMG needs access
to the following endpoints:

Type | Azure public cloud | Azure US Government cloud
Deployment name | <prefix>.<region>.cloudapp.azure.com | <prefix>.usgovcloudapp.net
Storage endpoint | <prefix>.blob.core.windows.net | <prefix>.blob.core.usgovcloudapi.net
Azure AD endpoint | login.microsoftonline.com | login.microsoftonline.us

Configuration Manager console for cloud services


Any device with the Configuration Manager console needs access to the following
endpoints:

Type Azure public cloud Azure US Government cloud

Azure AD endpoints login.microsoftonline.com


login.microsoftonline.us
aadcdn.msauth.net

aadcdn.msftauth.net
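The port table and its three notes, together with the endpoint tables above, describe a fixed set of names and ports that a firewall or proxy must permit. The following PowerShell is an added example, not Microsoft's code or part of the documentation: it builds the per-role endpoint list from a CMG prefix and region, derives the CMG channel ports from the instance count and deployment type using the arithmetic in Notes 1 to 3, and tests DNS resolution and TCP reachability from the machine it runs on (intended for the CMG connection point). The prefix GraniteFalls, region WestUS and the three-instance scale set are constructed sample values; the function uses scale-set naming for the service name, so for a classic deployment substitute <prefix>.cloudapp.net.

```powershell
# Added example (not Microsoft's code): enumerate CMG endpoints and channel ports, then
# test them from the CMG connection point. Sample values are constructed.

function Get-CmgEndpoint {
    param(
        [Parameter(Mandatory)][string]$Prefix,
        [string]$Region = 'WestUS',
        [ValidateSet('Public', 'USGov')][string]$Cloud = 'Public'
    )
    # Host names follow the endpoint tables with <prefix>/<region> substituted.
    $map = if ($Cloud -eq 'Public') {
        [ordered]@{
            'Service name'       = "$Prefix.$Region.cloudapp.azure.com"
            'Storage endpoint 1' = "$Prefix.blob.core.windows.net"
            'Storage endpoint 2' = "$Prefix.table.core.windows.net"
            'Key vault'          = "$Prefix.vault.azure.net"
            'Azure AD endpoint'  = 'login.microsoftonline.com'
        }
    } else {
        [ordered]@{
            'Service name'       = "$Prefix.usgovcloudapp.net"
            'Storage endpoint 1' = "$Prefix.blob.core.usgovcloudapi.net"
            'Storage endpoint 2' = "$Prefix.table.core.usgovcloudapi.net"
            'Key vault'          = "$Prefix.vault.usgovcloudapi.net"
            'Azure AD endpoint'  = 'login.microsoftonline.us'
        }
    }
    foreach ($k in $map.Keys) { [pscustomobject]@{ Type = $k; Host = $map[$k] } }
}

function Get-CmgChannelPort {
    param(
        [ValidateRange(1, 16)][int]$InstanceCount = 1,
        [ValidateSet('ScaleSet', 'Classic')][string]$Deployment = 'ScaleSet'
    )
    # Port arithmetic from the notes: instance N uses HTTPS 10124 + (N-1) when there are
    # two or more instances (Note 3), HTTPS 443 for a single instance (Note 2), and a
    # classic cloud service first tries TCP-TLS 10140 + (N-1) (Note 1), falling back to HTTPS.
    foreach ($n in 1..$InstanceCount) {
        if ($Deployment -eq 'Classic') {
            [pscustomobject]@{ Instance = $n; Protocol = 'TCP-TLS'; Port = 10140 + ($n - 1); Order = 'preferred' }
        }
        $httpsPort = if ($InstanceCount -eq 1) { 443 } else { 10124 + ($n - 1) }
        $order = if ($Deployment -eq 'Classic') { 'fallback' } else { 'only' }
        [pscustomobject]@{ Instance = $n; Protocol = 'HTTPS'; Port = $httpsPort; Order = $order }
    }
}

function Test-CmgConnectivity {
    param(
        [Parameter(Mandatory)][string]$Prefix,
        [string]$Region = 'WestUS',
        [ValidateSet('Public', 'USGov')][string]$Cloud = 'Public',
        [ValidateRange(1, 16)][int]$InstanceCount = 1,
        [ValidateSet('ScaleSet', 'Classic')][string]$Deployment = 'ScaleSet'
    )
    $endpoints = Get-CmgEndpoint -Prefix $Prefix -Region $Region -Cloud $Cloud
    # Every endpoint must resolve and accept TCP 443 through the proxy/firewall in the path.
    foreach ($e in $endpoints) {
        $dns = Resolve-DnsName -Name $e.Host -ErrorAction SilentlyContinue
        $tcp = Test-NetConnection -ComputerName $e.Host -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = $e.Type; Host = $e.Host; Port = 443; Resolves = [bool]$dns; Open = [bool]$tcp.TcpTestSucceeded }
    }
    # The channel ports are needed only from the CMG connection point to the service name.
    $svc = ($endpoints | Where-Object Type -eq 'Service name').Host
    $svcResolves = [bool](Resolve-DnsName -Name $svc -ErrorAction SilentlyContinue)
    foreach ($p in Get-CmgChannelPort -InstanceCount $InstanceCount -Deployment $Deployment) {
        $tcp = Test-NetConnection -ComputerName $svc -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "CMG channel, instance $($p.Instance) ($($p.Protocol), $($p.Order))"; Host = $svc; Port = $p.Port; Resolves = $svcResolves; Open = [bool]$tcp.TcpTestSucceeded }
    }
}

# Sample run with constructed values; a row with Open = False names the rule to fix.
Test-CmgConnectivity -Prefix 'GraniteFalls' -Region 'WestUS' -InstanceCount 3 | Format-Table -AutoSize
```

Test-NetConnection only proves that a TCP handshake completes, so a proxy that answers the handshake and then blocks the CONNECT will still show as open; treat a False result as a definite block and a True result as necessary but not sufficient.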

HTTP headers and verbs


Any networking device that manages communication between the client, the CMG, and
the on-premises site systems has to allow the following HTTP headers and verbs. If
these items are blocked, it will affect client communication through the CMG.

HTTP headers
Range:
CCMClientID:
CCMClientIDSignature:
CCMClientTimestamp:
CCMClientTimestampsSignature:

HTTP verbs
HEAD
CCM_POST
BITS_POST
GET
PROPFIND
Plan for internet-based client
management in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use internet-based client management (IBCM) to manage Configuration Manager
clients when they aren't connected to your internal network. Advantages of using IBCM:

Full control of servers and roles providing the service
No cloud service dependency
May not require a virtual private network (VPN)
All costs are associated with the on-premises service

Because of the higher security requirements of managing client computers on a public
network, IBCM requires the use of PKI certificates. This configuration makes sure that
connections are authenticated by an independent authority. When IBCM clients and site
servers send data, it's encrypted and secure.

Client communications
The following site system roles at primary sites support connections from clients that are
in untrusted locations:

Note

While IBCM primarily focuses on the internet-based scenario, the same behaviors
apply to clients in an untrusted Active Directory forest. Secondary sites don't
support client connections from untrusted locations.

Certificate registration point for the Configuration Manager policy module (NDES)

Warning

Starting in version 2203, the certificate registration point is no longer
supported. For more information, see Frequently asked questions about
resource access deprecation.

Distribution point
Content-enabled cloud management gateway (CMG)
Enrollment proxy point
Fallback status point
Management point
Software update point

About internet facing site systems


There's no requirement to have a trust between a client's forest and that of the site
system server. However, when the forest that contains an internet-facing site system
trusts the forest that contains the user accounts, this configuration supports user-based
policies for devices on the internet when you enable the Client Policy client setting
Enable user policy requests from internet clients.

For example, the following configurations illustrate when IBCM supports user policies for
devices on the internet:

The internet-based management point is in the perimeter network. That network
also has a read-only domain controller to authenticate the user. A firewall between
the perimeter and internal networks allows Active Directory packets.

The user account is in the intranet-based forest. The internet-based management
point is in the perimeter-based forest. The perimeter forest trusts the internal
forest. A firewall between the perimeter and internal networks allows the
authentication packets.

The user account and the internet-based management point are both in the
intranet-based forest. You publish the management point to the internet with a
web proxy server.

Use a web proxy server


You can place internet-based site systems in the intranet when you publish them to the
internet with a web proxy server. Configure these site systems for client connections
from the internet only, or client connections from the internet and intranet. When you
use a web proxy server, you can configure it for Secure Sockets Layer (SSL) bridging to
SSL or SSL tunneling.

SSL bridging to SSL


SSL bridging to SSL is the recommended and more secure configuration, because it uses
SSL termination with authentication. It authenticates client computers with computer
authentication. Mobile devices that you enroll with Configuration Manager don't
support SSL bridging.

With SSL termination at the proxy, it inspects packets from the internet before it
forwards them to the internal network. The proxy authenticates the connection from the
client, terminates it, and then opens a new authenticated connection to the internet-
based site systems. When Configuration Manager clients use a proxy, the client securely
contains its identity (GUID) in the packet payload. The management point doesn't
consider the proxy to be the client. Configuration Manager doesn't support bridging
with HTTP to HTTPS, or from HTTPS to HTTP.

Note

Configuration Manager doesn't support setting third-party SSL bridging
configurations. For example, Citrix Netscaler or F5 BIG-IP. Please work with your
device vendor to configure it for use with Configuration Manager.

Tunneling

If your proxy web server can't support the requirements for SSL bridging, Configuration
Manager also supports SSL tunneling. You can also use SSL tunneling to support mobile
devices that you enroll with Configuration Manager. It's a less secure option because the
proxy forwards the SSL packets from the internet to the site systems without SSL
termination. The proxy doesn't inspect the packets for malicious content. When you use
SSL tunneling, there are no certificate requirements for the proxy web server.

Plan for internet-based clients


Decide whether to configure your internet-based clients for management on both the
intranet and the internet, or for internet-only client management. You can only
configure this management option during client installation. To change it later, reinstall
the client.

Note

If you configure a management point to support internet-based clients, clients that
connect to this management point will become internet-capable when they next
refresh their list of available management points.

You don't have to restrict the configuration of internet-only client management to
the internet. You can also use it on the intranet.

Clients that you configure for internet-only management only communicate with the
site systems that you configure for client connections from the internet. Use this
configuration in the following scenarios:

For computers that you know will never connect to your intranet. For example,
point of sale computers in remote locations.
To restrict client communication to HTTPS only. For example, to support firewall
and restricted security policies.
When you install internet-based site systems in a perimeter network, and you want
to manage these servers as Configuration Manager clients.

Note

When you want to manage workgroup clients on the internet, install them as
internet-only.

When you configure a mobile device to use an internet-based management point,
it automatically configures as internet-only.

You can configure other clients for both internet and intranet client management. When
they detect a change of network, they automatically switch between IBCM and intranet
client management. If these clients can find and connect to a management point that
supports client connections on the intranet, these clients are managed as intranet
clients. Intranet clients have full Configuration Manager functionality. If the clients can't
find or connect to a management point that supports client connections on the intranet,
they attempt to connect to an internet-based management point. If this action
succeeds, these clients are then managed by the internet-based site systems in their
assigned site.

The benefit in automatic switching is that clients can use all features when they connect
to the intranet, and receive essential management when they're on the internet. Content
download that begins on the internet can seamlessly resume on the intranet, and the
other way around.

Prerequisites

IBCM in Configuration Manager has the following dependencies:

Clients require an internet connection. Configuration Manager uses the device's
existing internet connection. Mobile devices must have a direct internet
connection. Full client computers can have either a direct internet connection or
connect by using a proxy web server.

Site systems that support IBCM require an internet connection, and must be in an
Active Directory domain. The internet-based site systems don't require a trust
relationship with the Active Directory forest of the site server. However, when the
internet-based management point can authenticate the user by using Windows
authentication, it supports user policies. If Windows authentication fails, it only
supports device policies.

Note

To support user policies, also enable the following client settings in the Client
Policy group:
  Enable user policy polling on clients
  Enable user policy requests from Internet clients

A public key infrastructure (PKI) to deploy and manage the required certificates for
internet-based clients and site system servers. For more information, see PKI
certificate requirements.

Register public DNS host entries for the internet fully qualified domain names
(FQDN) of site systems that support IBCM.

Enable the option to Use PKI client certificate (client authentication capability)
when available on the Communication Security tab of the site properties. This
option is required.

Client communication requirements

Intervening firewalls or proxy servers must allow the client communication for internet-
based site systems:

Support HTTP 1.1
Allow HTTP content type of multipart MIME attachment (multipart/mixed and
application/octet-stream)

Verbs
Allow the following verbs for the internet-based site system server roles:

Role | Verbs
Management point | HEAD, CCM_POST, BITS_POST, GET, PROPFIND
Distribution point | HEAD, GET, PROPFIND
Fallback status point | POST

HTTP headers

Allow the following HTTP headers for the internet-based site system server roles:

Role | HTTP headers
Management point | Range:, CCMClientID:, CCMClientIDSignature:, CCMClientTimestamp:, CCMClientTimestampsSignature:
Distribution point | Range:

For similar communication requirements when you use the software update point for
client connections from the internet, see the documentation for Windows Server Update
Services (WSUS).
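The verb and header tables above are what an intervening proxy must pass unchanged, and the usual failure is a proxy that silently answers a non-standard verb such as PROPFIND or CCM_POST with its own 4xx before the request reaches IIS. The following PowerShell is an added example, not Microsoft's code or part of the documentation: it sends each management point verb to the MP's standard availability URL (/sms_mp/.sms_aut?mplist), optionally through a web proxy, carrying the CCM* headers with constructed dummy values and a Range header, and reports the HTTP status and Server header of whatever answered so the direct and through-proxy results can be compared. The MP URL and proxy address are placeholders; it uses HttpWebRequest because Invoke-WebRequest in Windows PowerShell 5.1 restricts the method to a fixed set.

```powershell
# Added example (not Microsoft's code): probe each MP verb, with and without a proxy,
# and report who answered. Sample host names are constructed placeholders.

function Test-MpVerb {
    param(
        [Parameter(Mandatory)][string]$ManagementPointUrl,   # e.g. https://mp.contoso.com
        [string[]]$Verbs = @('HEAD', 'GET', 'PROPFIND', 'CCM_POST', 'BITS_POST'),
        [string]$Proxy                                       # e.g. http://proxy.contoso.com:8080
    )
    # Windows PowerShell 5.1 may otherwise offer only TLS 1.0 to an HTTPS MP.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $url = "$($ManagementPointUrl.TrimEnd('/'))/sms_mp/.sms_aut?mplist"
    foreach ($verb in $Verbs) {
        # HttpWebRequest accepts arbitrary method tokens (PROPFIND, CCM_POST, BITS_POST).
        $req = [System.Net.HttpWebRequest]::Create($url)
        $req.Method = $verb
        $req.Timeout = 10000
        if ($Proxy) { $req.Proxy = New-Object System.Net.WebProxy($Proxy) }
        # Headers from the table; dummy values, the MP ignores them on this URL.
        $req.Headers.Add('CCMClientID', '00000000-0000-0000-0000-000000000000')
        $req.Headers.Add('CCMClientIDSignature', 'dummy')
        $req.Headers.Add('CCMClientTimestamp', [DateTime]::UtcNow.ToString('o'))
        $req.Headers.Add('CCMClientTimestampsSignature', 'dummy')
        $req.AddRange(0, 0)                                  # Range: is restricted, set via AddRange
        if ($verb -like '*POST') { $req.ContentLength = 0 } # body-bearing verbs need a length
        try {
            $resp = $req.GetResponse()
            $status = [int]$resp.StatusCode; $server = $resp.Headers['Server']; $resp.Close()
        } catch {
            # PowerShell wraps .NET exceptions; unwrap to reach WebException.Response.
            $ex = $_.Exception
            if ($ex -isnot [System.Net.WebException] -and $ex.InnerException) { $ex = $ex.InnerException }
            if ($ex.Response) { $status = [int]$ex.Response.StatusCode; $server = $ex.Response.Headers['Server'] }
            else { $status = $null; $server = "no response: $($ex.Message)" }
        }
        [pscustomobject]@{ Verb = $verb; Via = $(if ($Proxy) { $Proxy } else { 'direct' }); Status = $status; Server = $server }
    }
}

# Compare the two runs: a verb that returns from IIS directly but gets a 4xx with a
# non-IIS Server header through the proxy is being blocked by the proxy.
Test-MpVerb -ManagementPointUrl 'https://mp.contoso.com' | Format-Table -AutoSize
Test-MpVerb -ManagementPointUrl 'https://mp.contoso.com' -Proxy 'http://proxy.contoso.com:8080' | Format-Table -AutoSize
```

The absolute status codes matter less than the difference between the two runs: IIS answers the availability URL for HEAD and GET, and whatever it returns for the other verbs is the MP's own answer, whereas a changed status or Server header in the proxied run points at the proxy.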

Unsupported features
Not all client management functionality is appropriate for the internet. Configuration
Manager doesn't support some features for clients on the internet. These unsupported
features typically rely on Active Directory Domain Services or aren't appropriate for a
public network.

The following features aren't supported when you manage clients on the internet with
IBCM:
Client deployment over the internet, such as client push and software update-
based client deployment. Use manual client installation.

Automatic site assignment

Wake-on-LAN

OS deployment. However, you can deploy task sequences that don't deploy an OS.

Remote control

Software deployment to users. This feature relied upon the application catalog,
which is no longer supported.

Client roaming. Roaming enables clients to always find the closest distribution
points to download content. Clients non-deterministically select one of the
internet-based site systems, whatever the bandwidth or physical location.

When you configure a software update point to accept connections from the internet,
internet-based clients always scan against this software update point to determine
which software updates are required. When these clients are on the internet, they first
try to download the software updates from Microsoft Update, rather than from an
internet-based distribution point. If this behavior fails, they then try to download the
required software updates from an internet-based distribution point.

Tip

The Configuration Manager client automatically determines whether it's on the
intranet or the internet. If the client can contact a domain controller or an on-
premises management point, it sets its connection type to "Currently intranet".
Otherwise, it switches to "Currently internet", and communicates with the site
systems assigned to its site.
Install and assign Configuration
Manager clients using Azure AD for
authentication
Article • 10/04/2022

To install the Configuration Manager client on Windows devices using Azure Active
Directory (Azure AD) authentication, integrate Configuration Manager with Azure AD.
Clients can be on the intranet communicating directly with an HTTPS-enabled
management point or any management point in a site enabled for Enhanced HTTP. They
can also be internet-based communicating through the CMG or with an Internet-based
management point. This process uses Azure AD to authenticate clients to the
Configuration Manager site. Azure AD replaces the need to configure and use client
authentication certificates.

Setting up Azure AD may be easier for some customers than setting up a public key
infrastructure for certificate-based authentication. There are features that require you
onboard the site to Azure AD, but don't necessarily require the clients to be Azure AD-
joined. For more information, see the following articles:

Plan for Azure Active Directory


Use Azure AD for co-management

Before you begin

An Azure AD tenant is a prerequisite

Device requirements:
  A supported version of Windows 10 or later
  Joined to Azure AD, either pure cloud domain-joined, or hybrid Azure AD-joined

User requirements:
  The signed in user must be an Azure AD identity.
  If the user is a federated or synchronized identity, configure both Configuration
  Manager Active Directory user discovery and Azure AD user discovery. For more
  information about hybrid identities, see Define a hybrid identity adoption
  strategy.

In addition to the existing prerequisites for the management point site system role,
also enable ASP.NET 4.5 on this server. Include any other options that are
automatically selected when enabling ASP.NET 4.5.

Determine whether your management point needs HTTPS. For more information,
see Enable management point for HTTPS.

Optionally set up a cloud management gateway (CMG) to deploy internet-based
clients. For on-premises clients that authenticate with Azure AD, you don't need a
CMG.

Tip

Configuration Manager extends its support for internet-based devices that don't
often connect to the internal network, aren't able to join Azure Active Directory
(Azure AD), and don't have a method to install a PKI-issued certificate. For more
information, see Token-based authentication for CMG.

Configure Azure Services for Cloud Management

Connect your Configuration Manager site to Azure AD as the first step. For details of this
process, see Configure Azure services. Create a connection to the Cloud Management
service.

Enable Azure AD User Discovery as part of onboarding to Cloud Management.

After you complete these actions, your Configuration Manager site is connected to
Azure AD.

Note

If your devices are in an Azure AD tenant that's separate from the tenant with a
subscription for the CMG compute resources, starting in version 2010 you can
disable authentication for tenants not associated with users and devices. For more
information, see Configure Azure services.

Configure client settings


These client settings help configure Windows devices to be hybrid-joined. They also
enable internet-based clients to use the CMG.

1. Configure the following client settings in the Cloud Services group. For more
   information, see How to configure client settings.

   Allow access to cloud distribution point: Enable this setting to help internet-
   based devices get the required content to install the Configuration Manager
   client. Devices can get the content from the CMG.

   Automatically register new Windows 10 or later domain joined devices with
   Azure Active Directory: Set to Yes or No. The default setting is Yes. This
   behavior is also the default in Windows.

   Tip

   Hybrid-joined devices are joined to an on-premises Active Directory domain and
   registered with Azure AD. For more information, see Hybrid Azure AD joined
   devices.

   Enable clients to use a cloud management gateway: Set to Yes (default), or No.

2. Deploy the client settings to the required collection of devices. Don't deploy these
   settings to user collections.

To confirm the device is hybrid-joined, run dsregcmd.exe /status in a command prompt.
If the device is Azure AD-joined or hybrid-joined, the AzureAdjoined field in the results
shows YES. For more information, see dsregcmd command - device state.

Install and register the client using Azure AD identity

To manually install the client using Azure AD identity, first review the general process on
How to install clients manually.

Note

The device needs access to the internet to contact Azure AD, but doesn't need to
be internet-based.

The following example shows the general structure of the command line:

ccmsetup.exe /mp:<source management point> CCMHOSTNAME=<internet-based management point> SMSSITECODE=<site code> SMSMP=<initial management point> AADTENANTID=<Azure AD tenant identifier> AADCLIENTAPPID=<Azure AD client app identifier> AADRESOURCEURI=<Azure AD server app identifier>

For more information, see Client installation properties.

The /mp parameter and CCMHOSTNAME property specify one of the following, depending
upon the scenario:

On-premises management point. Only specify the /mp parameter. The CCMHOSTNAME
property isn't required.
Cloud management gateway
Internet-based management point

The SMSMP property specifies the on-premises management point. It's not required. It's
recommended for Azure AD-joined devices that roam onto the intranet, so they can find
an on-premises management point.

This example uses a cloud management gateway. Replace the sample values with your own:

ccmsetup.exe /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSITECODE=ABC SMSMP=https://mp1.contoso.com AADTENANTID=daf4a1c2-3a0c-401b-966f-0b855d3abd1a AADCLIENTAPPID=7506ee10-f7ec-415a-b415-cd3d58790d97 AADRESOURCEURI=https://contososerver

The site publishes additional Azure AD information to the cloud management gateway
(CMG). An Azure AD-joined client gets this information from the CMG during the
ccmsetup process, using the same tenant to which it's joined. This behavior further
simplifies installing the client in an environment with more than one Azure AD tenant.
The only two required ccmsetup properties are CCMHOSTNAME and SMSSITECODE .

To automate the client install using Azure AD identity via Microsoft Intune, see How to
prepare internet-based devices for co-management.
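The install procedure above depends on a prerequisite that is easy to skip when the command is pasted by hand: the device must already be Azure AD-joined or hybrid-joined, which the article says to confirm with dsregcmd.exe /status. The following PowerShell is an added example, not Microsoft's code or part of the documentation: it parses the dsregcmd output, refuses to run when AzureAdJoined is not YES, checks that the tenant and client app identifiers are GUIDs, launches ccmsetup.exe with the properties from the command line above, waits for the temporary ccmsetup service to finish, and reads the final return code from ccmsetup.log. The CMG name, site code and SMSMP value are this article's sample values; the GUIDs are placeholders; ccmsetup.exe is assumed to sit in the current directory.

```powershell
# Added example (not Microsoft's code): guard the Azure AD client install with the
# dsregcmd check and read the outcome from ccmsetup.log. Identifiers are placeholders.

function Get-DsregState {
    # dsregcmd /status prints "Name : Value" lines; collect them into a hashtable.
    $state = @{}
    foreach ($line in (& "$env:WinDir\System32\dsregcmd.exe" /status)) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(\S.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Test-Guid {
    param([string]$Value)
    $g = [guid]::Empty
    return [guid]::TryParse($Value, [ref]$g)
}

function Install-CmClientWithAzureAd {
    param(
        [Parameter(Mandatory)][string]$CmgHostName,    # CCMHOSTNAME value, without scheme
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientAppId,
        [Parameter(Mandatory)][string]$ResourceUri,
        [string]$OnPremMp,                              # optional SMSMP for intranet roaming
        [string]$CcmSetupPath = '.\ccmsetup.exe'        # assumed location
    )
    # Prerequisite from the article: AzureAdJoined must be YES (hashtable keys are case-insensitive).
    $state = Get-DsregState
    if ($state['AzureAdJoined'] -ne 'YES') {
        throw "AzureAdJoined is '$($state['AzureAdJoined'])'; join the device to Azure AD (or hybrid-join it) before installing with Azure AD authentication."
    }
    if (-not (Test-Guid $TenantId))    { throw "AADTENANTID must be a GUID, got '$TenantId'" }
    if (-not (Test-Guid $ClientAppId)) { throw "AADCLIENTAPPID must be a GUID, got '$ClientAppId'" }

    $setupArgs = @(
        "/mp:https://$CmgHostName"
        "CCMHOSTNAME=$CmgHostName"
        "SMSSITECODE=$SiteCode"
        "AADTENANTID=$TenantId"
        "AADCLIENTAPPID=$ClientAppId"
        "AADRESOURCEURI=$ResourceUri"
    )
    if ($OnPremMp) { $setupArgs += "SMSMP=$OnPremMp" }

    # ccmsetup.exe bootstraps a temporary "ccmsetup" service and the launcher exits early;
    # wait for that service to disappear before reading the log.
    Start-Process -FilePath $CcmSetupPath -ArgumentList $setupArgs -Wait
    while (Get-Service -Name ccmsetup -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 15 }

    $log = "$env:WinDir\ccmsetup\logs\ccmsetup.log"
    $exit = Select-String -Path $log -Pattern 'CcmSetup is exiting with return code (\d+)' | Select-Object -Last 1
    return [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined']
        ReturnCode    = if ($exit) { [int]$exit.Matches[0].Groups[1].Value } else { $null }
        Log           = $log
    }
}

Install-CmClientWithAzureAd -CmgHostName 'CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500' `
    -SiteCode 'ABC' -OnPremMp 'https://mp1.contoso.com' `
    -TenantId '00000000-0000-0000-0000-000000000000' `
    -ClientAppId '00000000-0000-0000-0000-000000000000' `
    -ResourceUri 'https://contososerver'
```

A ReturnCode of 0 means ccmsetup finished; client registration with the site happens afterwards, so follow up in ClientIDManagerStartup.log as the token-based authentication article below describes.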

Next steps
Once complete, you can continue to monitor and manage clients.
Token-based authentication for cloud
management gateway
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The cloud management gateway (CMG) supports many types of clients, but even with
Enhanced HTTP, these clients require a client authentication certificate. This certificate
requirement can be challenging to provision on internet-based clients that don't often
connect to the internal network, aren't able to join Azure Active Directory (Azure AD),
and don't have a method to install a PKI-issued certificate.

To overcome these challenges, Configuration Manager extends its device support by
issuing its own authentication tokens to devices. To take full advantage of this feature,
after you update the site, also update clients to the latest version. The complete scenario
isn't functional until the client version is also the latest. If necessary, make sure you
promote the new client version to production.

Clients initially register for these tokens using one of the following two methods:

Internal network

Bulk registration

The Configuration Manager client together with the management point manage this
token, so there's no OS version dependency. This feature is available for any supported
client OS version.

Note

These methods only support device-centric management scenarios.

Microsoft recommends joining devices to Azure AD. Internet-based devices can use
Azure AD to authenticate with Configuration Manager. It also enables both device
and user scenarios whether the device is on the internet or connected to the
internal network. For more information, see Install and register the client using
Azure AD identity.

Make sure to Enable clients to use a cloud management gateway in the Cloud services
group of client settings. Even with a site token, clients can't communicate with a CMG if
client settings don't allow it. For more information, see About client settings: Cloud
services.

Internal network registration

This method requires the client to first register with the management point on the
internal network. Client registration typically happens right after installation. The
management point gives the client a unique token that shows it's using a self-signed
certificate. When the client roams onto the internet, to communicate with the CMG it
pairs its self-signed certificate with the management point-issued token.

The site enables this behavior by default.

Note

With an HTTPS management point, the client needs to first register regardless of
internet/intranet management point. The client needs to present a valid PKI-issued
certificate, an Azure AD token, or a bulk registration token.

Bulk registration token

If you can't install and register clients on the internal network, create a bulk registration
token. Use this token when the client installs on an internet-based device, and registers
through the CMG. The bulk registration token has a short-validity period, and isn't
stored on the client or the site. It allows the client to generate a unique token, which
paired with its self-signed certificate, lets it authenticate with the CMG.

Note

Don't confuse bulk registration tokens with those that Configuration Manager
issues to individual clients. The bulk registration token enables the client to initially
install and communicate with the site. This initial communication is long enough for
the site to issue the client its own, unique client authentication token. The client
then uses its authentication token for all communication with the site while it's on
the internet. Beyond the initial registration, the client doesn't use or store the bulk
registration token.

To create a bulk registration token for use during client installation on internet-based
devices, complete the following actions:

1. Sign in to the top-level site server in the hierarchy with local administrator
   privileges.

2. Open a command prompt as an administrator.

3. Run the tool from the \bin\X64 folder of the Configuration Manager installation
   directory on the site server: BulkRegistrationTokenTool.exe. Create a new token
   with the /new parameter. For example, BulkRegistrationTokenTool.exe /new. For
   more information, see Bulk registration token tool usage.

4. Copy the token and save it in a secure location.

5. Install the Configuration Manager client on an internet-based device. Include the
   client installation parameter: /regtoken. The following example command line
   includes the other required setup parameters and properties:

   ccmsetup.exe /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSiteCode=ABC /regtoken:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik9Tbzh2Tmd5VldRUjlDYVh5T2lacHFlMDlXNCJ9.eyJTQ0NNVG9rZW5DYXRlZ29yeSI6IlN7Q01QcmVBdXRoVG9rZW4iLCJBdXRob3JpdHkiOiJTQ0NNIiwiTGljZW5zZSI6IlNDQ00iLCJUeXBlIjoiQnVsa1JlZ2lzdHJhdGlvbiIsIlRlbmFudElkIjoiQ0RDQzVFOTEtMEFERi00QTI0LTgyRDAtMTk2NjY3RjFDMDgxIiwiVW5pcXVlSWQiOiJkYjU5MWUzMy1wNmZkLTRjNWItODJmMy1iZjY3M2U1YmQwYTIiLCJpc3MiOiJ1cm46c2NjbTpvYXV0aDI6Y2RjYzVlOTEtMGFkZi00YTI0LTgyZDAtMTk2NjY3ZjFjMDgxIiwiYXVkIjoidXJuOnNjY206c2VydmljZSIsImV4cCI6MTU4MDQxNbUwNSwibmJmIjoxNTgwMTU2MzA1fQ.ZUJkxCX6lxHUZhMH_WhYXFm_tbXenEdpgnbIqI1h8hYIJw7xDk3wv625SCfNfsqxhAwRwJByfkXdVGgIpAcFshzArXUVPPvmiUGaxlbB83etUTQjrLIk-gvQQZiE5NSgJ63LCp5KtqFCZe8vlZxnOloErFIrebjFikxqAgwOO4i5ukJdl3KQ07YPRhwpuXmwxRf1vsiawXBvTMhy40SOeZ3mAyCRypQpQNa7NM3adCBwUtYKwHqiX3r1jQU0y57LvU_brBfLUL6JUpk3ri-LSpwPFarRXzZPJUu4-mQFIgrMmKCYbFk3AaEvvrJienfWSvFYLpIYA7lg-6EVYRcCAA

Tip

For more information on this command line, see Install and register the client
using Azure AD identity. This process is similar, just doesn't use the Azure AD
properties.

To verify, review the following log file for a similar entry:

ClientLocation.log

Rotating internet management point, new management point [1] is: https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 (0) with capabilities: <Capabilities SchemaVersion ="1.0"><Property Name="SSL" Version="1" /></Capabilities>

To troubleshoot installation, review %WinDir%\ccmsetup\logs\ccmsetup.log on the client.
After installation, review %WinDir%\ccm\logs\ClientIDManagerStartup.log.

On the server, review the following logs:

CMG logs
Management point
CCM_STS.log
MP_RegistrationManager.log
ClientAuth.log
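The bulk registration token is a signed JWT with a short validity window and is never stored by the site, so the moment it leaves the command prompt is the only chance to confirm what was issued. The following PowerShell is an added example, not Microsoft's code or part of the documentation, covering the five-step procedure and the log check above: on the site server it runs BulkRegistrationTokenTool.exe /new with an explicit /lifetime and picks the token out of the output; it decodes the token's payload (without verifying the signature, which only the site can do) to confirm the Type claim is BulkRegistration and that the nbf/exp window is current; on the internet-based device it passes the token to ccmsetup with /regtoken and then looks for the "Rotating internet management point" entry in ClientLocation.log. Assumptions: the default installation path below; that the tool prints the token as a three-part base64url string; that the UniqueId claim is the tracking GUID the tool displays; the CMG name and site code are this article's sample values.

```powershell
# Added example (not Microsoft's code): issue, inspect, use and verify a bulk
# registration token. Paths, CMG name and site code are assumed sample values.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected header.payload.signature' }
    # base64url -> base64 (restore + / and padding), then UTF-8 JSON. No signature check:
    # the site validates that; this only reads the claims the client can see.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Get-BulkTokenInfo {
    param([Parameter(Mandatory)][string]$Token)
    $c = ConvertFrom-JwtPayload -Token $Token
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    [pscustomobject]@{
        Type        = $c.Type                 # "BulkRegistration" for this token kind
        UniqueId    = $c.UniqueId             # assumed to be the GUID shown in Administration > Security > Certificates
        NotBefore   = [DateTimeOffset]::FromUnixTimeSeconds($c.nbf).UtcDateTime
        Expires     = [DateTimeOffset]::FromUnixTimeSeconds($c.exp).UtcDateTime
        LifetimeMin = ($c.exp - $c.nbf) / 60
        Usable      = ($c.Type -eq 'BulkRegistration') -and ($c.nbf -le $now) -and ($now -lt $c.exp)
    }
}

# --- On the site server (run as administrator): use the shortest lifetime that covers the rollout.
function New-BulkRegistrationToken {
    param(
        [ValidateRange(1, 10080)][int]$LifetimeMinutes = 1440,
        [string]$InstallDir = 'C:\Program Files\Microsoft Configuration Manager'   # assumed default
    )
    $tool = Join-Path $InstallDir 'bin\X64\BulkRegistrationTokenTool.exe'
    $output = & $tool /new /lifetime $LifetimeMinutes
    # JWT header and payload are base64url JSON objects, so both segments start with "eyJ".
    $m = [regex]::Match(($output -join "`n"), 'eyJ[\w-]+\.eyJ[\w-]+\.[\w-]+')
    if (-not $m.Success) { throw "No token found in tool output:`n$($output -join "`n")" }
    return $m.Value
}

# --- On the internet-based device: install with the token, then check the client's log.
function Install-CmClientWithBulkToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$CmgHostName,
        [Parameter(Mandatory)][string]$SiteCode,
        [string]$CcmSetupPath = '.\ccmsetup.exe'       # assumed location
    )
    $info = Get-BulkTokenInfo -Token $Token
    if (-not $info.Usable) { throw "Not a usable bulk registration token (type '$($info.Type)', valid $($info.NotBefore) to $($info.Expires) UTC)" }
    $setupArgs = @("/mp:https://$CmgHostName", "CCMHOSTNAME=$CmgHostName", "SMSSITECODE=$SiteCode", "/regtoken:$Token")
    Start-Process -FilePath $CcmSetupPath -ArgumentList $setupArgs -Wait
    # ccmsetup continues in a temporary service after the launcher exits.
    while (Get-Service -Name ccmsetup -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 15 }
    # Expected entry per the article: "Rotating internet management point, new management point [1] is: https://<CMG>..."
    $hit = Select-String -Path "$env:WinDir\CCM\Logs\ClientLocation.log" -Pattern 'Rotating internet management point' | Select-Object -Last 1
    [pscustomobject]@{ TokenExpires = $info.Expires; CmgFoundInLog = [bool]$hit; LogLine = $(if ($hit) { $hit.Line } else { $null }) }
}

# Usage: first two lines on the site server, the last on the device (move the token between them securely).
$token = New-BulkRegistrationToken -LifetimeMinutes 1440
Get-BulkTokenInfo -Token $token | Format-List
Install-CmClientWithBulkToken -Token $token -CmgHostName 'CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500' -SiteCode 'ABC'
```

Because the token is not stored anywhere, Get-BulkTokenInfo is also the quickest way to tell whether a token found in an old script or ticket is already expired, and the UniqueId it prints is what to look for when blocking the token in the console.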

Bulk registration token tool usage

The BulkRegistrationTokenTool.exe tool is in the \bin\X64 folder of the Configuration
Manager installation directory on the site server. Sign in to the site server, and run it as
an administrator. It supports the following command-line parameters:

/?
/new
/lifetime

/?

Display this usage information.

Example: BulkRegistrationTokenTool.exe /?

/new

Create a new bulk registration token.

Example: BulkRegistrationTokenTool.exe /new

The tool displays the following information:

A GUID that the site uses to track issued tokens
The token validity period, which is three days by default
The bulk registration token

The token isn't stored on the client or the site. Make sure to copy the token from the
command prompt, and store it in a secure location.

/lifetime

Use with the /new parameter to specify the validity period of the token. Specify an
integer value in minutes. The default value is 4,320 (three days). The maximum value is
10,080 (seven days).

Example: BulkRegistrationTokenTool.exe /lifetime 4320

Bulk registration token management

You can see previously created bulk registration tokens and their lifetimes in the
Configuration Manager console and block their usage if necessary. The site database
doesn't, however, store bulk registration tokens.

Review a bulk registration token

1. In the Configuration Manager console, go to the Administration workspace.

2. Expand Security, and select the Certificates node. The console lists all site-related
certificates and bulk registration tokens in the details pane.

3. Select the bulk registration token to review.

You can filter or sort on the Type column. Identify specific bulk registration tokens based
on their GUID. When you create a bulk registration token, the tool displays the GUID.

Block a bulk registration token

1. In the Configuration Manager console, go to the Administration workspace.

2. Expand Security, select the Certificates node, and select the bulk registration
token to block.

3. On the Home tab of the ribbon bar or the right-click context menu, select Block.
To unblock previously blocked bulk registration tokens, select the Unblock action.

Token renewal

The client renews its unique, Configuration Manager-issued token once a month, and
it's valid for 90 days. A client doesn't need to connect to the internal network to renew
its token. As long as the token is still valid, connecting to the site using a CMG is
sufficient. If the token isn't renewed within 90 days, the client must directly connect to a
management point on an internal network to receive a new token.

You can't renew a bulk registration token. Once a bulk registration token expires,
generate a new one for internet-based device registration using a CMG.

See also

Overview of cloud management gateway

Install and assign Configuration Manager clients using Azure AD for authentication

Azure AD authentication workflow
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article is a technical reference for the Configuration Manager client installation and
registration process on a Windows device that is joined to Azure Active Directory (Azure
AD). It details the workflow process for the device authentication.

Note

Windows clients get a workplace join (WPJ) certificate when they join an Azure AD
tenant. If the certificate isn't found, the Configuration Manager client can't request
Azure AD tokens. Without a token, the client can't use the Configuration Manager
security token service (CCM_STS) communication channel for Azure AD
authentication with Configuration Manager site systems.

Client installation
In this workflow sample, you installed the Configuration Manager client on a Windows
device over the internet with the following ccmsetup command-line properties:

CCMHOSTNAME="CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500"

SMSSITECODE="MEM"


1. Azure AD info request from ccmsetup

Clients installed from the internet need specific command-line properties to use Azure AD
authentication. You can include these properties in the command line for internet
ccmsetup, but they aren't required. When you don't use Azure AD properties, ccmsetup
requests the AADCLIENTAPPID and AADRESOURCEURI properties from the cloud
management gateway (CMG). It uses the device's Azure AD TenantID as a reference. If
you haven't onboarded the client's TenantID in Configuration Manager, the CMG
doesn't give ccmsetup the properties it needs to continue client installation.

The following entries are logged in ccmsetup.log of the client:

Log

Getting AAD info from CMG 'CMG.CLOUDAPP.NET'

SMS CCM 5.0: Host=CMG.CLOUDAPP.NET, Path=/CCM_Proxy_ServerAuth/AADAuthInfo?TenantID=9aaf466a-3f40-4468-b3cd-f0010f21f05a, Port=443, Protocol=https, CcmTokenAuth=0, Flags=0x1304, Options=0xe0

Created connection on port 443

Enabled SSL revocation check.

Important

During ccmsetup, the device has to validate the CMG server authentication
certificate. The root certificate authority (CA) certificate for the CMG server
authentication certificate needs to be available on the client for the chain
validation. If you use PKI, when the root CA isn't published on the internet, add the
root CA certificate to the device's root CAs store.

If the root CA certificate revocation list (CRL) isn't published on the internet, add the
/nocrlcheck parameter to the ccmsetup command line.

2. Azure AD token request

On a Windows Azure AD domain-joined device, ccmsetup uses the Azure AD properties
to request an Azure AD token by calling the ADALOperation provider. The following
entries are logged in ccmsetup.log on the client:

Log

Getting AAD (device) token with: ClientId = 0b7c8ab3-9ea1-4ffa-b2b9-8ffdd944bd8b, ResourceUrl = https://ConfigMgrService, AccountId = https://login.microsoftonline.com/common/oauth2/token

If the device token request fails, ccmsetup falls back to try requesting an Azure AD user
token. If the device can't get either an Azure AD device or user token, ccmsetup doesn't
continue.

Note

If the device has a valid PKI client authentication certificate, ccmsetup always
prefers the certificate. In this case, the client installs as a PKI client and doesn't use
Azure AD authentication.

Log

WAM token request failed. Status 5, Details 'AAD WAM extension error'

Failed to get AAD token..

Unknown error (Error: D0090016; Source: Unknown)

Failed to get AAD token for 'S-1-5-18' from WAM API. Error 0xd0090016

Falling back to get user 'S-1-5-21-1527250992-855612568-2252598708-1604' token for system...

Getting AAD (user) token with: ClientId = 0b7c8ab3-9ea1-4ffa-b2b9-8ffdd944bd8, ResourceUrl = https://ConfigMgrService, AccountId = 149FC29A-ECE3-123-A3C1-123456F035A6E

Retrieved AAD token for AAD user 'e8838041-db7a-42d5-b9ae-78813910e4cc'

3. Configuration Manager client token request

The client uses the Azure AD token to request the Configuration Manager client (CCM)
token. Operational communication between ccmsetup and the site uses the CCM token
as the authorization token (CcmTokenAuth=1).

3.1 Client sends CCM token request to CMG

The following entries are logged in ccmsetup.log on the client:

Log

Getting CCM Token from STS server 'cmg.cloudapp.net/CCM_PROXY_MutualAuth/72186325152220500'

Getting CCM Token from https://cmg.cloudapp.net/CCM_PROXY_MutualAuth/72186325152220500/CCM_STS

3.2 CMG forwards to CMG connection point

The following entries are logged in CMGService.log on the CMG VM instance.

Log

RequestUri: /CCM_PROXY_SERVERAUTH/72057594037937981/CCM_STS RequestCount: 1 RequestSize: 1974 Bytes ResponseCount: 1 ResponseSize: 1566 Bytes AverageElapsedTime: 218 ms~~ $$<CMGService><06-24-2020 15:31:46.376+00> <thread=4992 (0x1380)>

Tip

Configuration Manager synchronizes the CMGService.log to the site server logs
folder every five minutes as CMG-<CMGname>-ProxyService_IN_<%>-CMGService.log.

3.3 CMG connection point transforms CMG client request to management point client request

The following entries are logged in SMS_CLOUD_PROXYCONNECTOR.log (verbose
mode) of the site system that hosts the CMG connection point role:

Log

SMS_CLOUD_PROXYCONNECTOR Switched to internal URL. Replaced 'https://CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500/CCM_STS' in 'https://CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500/CCM_STS' with 'https://MP.MYCORP.COM/CCM_STS' and got 'https:///MP.MYCORP.COM/CCM_STS~~

3.4 Management point verifies user token in site database

The following entries are logged in CCM_STS.log of the site system that hosts the
management point that handles the client request:

Log

ProcessRequest - Start

Incoming request URL: https://MP.MYCORP.COM/CCM_STS

Validated AAD token. TokenType: UDA TenantId: 2ca9a796-a1a6-43ec-88f1-5935b32155c5 UserId: e8838041-db7a-42d5-b9ae-78813910e4cc DeviceId: 8d2b4ff9-0172-4998-9851-b5324303385f OnPrem_UserSid: S-1-5-21-1527250992-855612568-2252598708-1604 OnPrem_DeviceSid:

TokenType is UDA

Created SCCM token, token type: UDA, hierarchyId: 8ed3174b-e814-41b5-b51c-fb368f0d4003, userId: 23bbbba2-702e-4db4-8fd9-3b4fe3a5175d, deviceId: GUID:13E80CEF-5698-4C63-9ED6-E58FBFF78C38

Issued token

Return token to client

4. Content location request

Once the client gets the CCM token, it caches it and uses it to request site information and
the content location of ccmsetup.cab. Once the device downloads the client content, it
starts the installation. The following entries are logged in ccmsetup.log on the client:

Log

Cached encrypted token for 'S-1-5-18'. Will expire at '06/25/2020 08:29:35'

ccmsetup: Host=CMG.cloudapp.net, Path=/CCM_Proxy_ServerAuth7981/ccm_system_tokenauth/request, Port=443, Protocol=https, CcmTokenAuth=1, Flags=0x4100, Options=0xe0

Created connection on port 443

Sending location request to 'cmg.cloudapp.net/CCM_PROXY_MutualAuth/72186325152220500' with payload '< Request >

Appending CCM Token to the header.

Received message '<SiteInfoReply SchemaVersion="1.00"> < reply > </SiteInfoReply>'

...

Checking the URL 'https://CMG.cloudapp.net/CCM_PROXY_MutualAuth/72186325152220500/CCM_Client/ccmsetup.cab

ccmsetup: Host=CMG.cloudapp.net, Path=/CCM_Proxy_ServerAuth/72057594037937995/CCM_Client

Appending CCM Token to the header.

Found a valid online MP 'https://CMG.cloudapp.net/CCM_PROXY_MutualAuth/72186325152220500

Searching for DP locations from MP(s)...

CCMSETUP bootstrap from Internet: 1

Sending message body '<ContentLocationRequest SchemaVersion="1.00" BGRVersion="1"> ...

The location 'https://CMG.cloudapp.net/downloadrestservice.svc/getcontentxmlsecure?pid=CS100001&cid=CS100001

...

Installing version 5.00.8968.1000 of the client with product code {66653948-0717-4D50-B0B9-ED66FDED2DDB}

Running installation package

Package: C:\WINDOWS\ccmsetup\{E6F27809-FF66-4BAA-B0FB-E4A154A6A388}\client.msi

Note

If the client finds the content from a content-enabled CMG, ccmsetup downloads
the content from the cloud storage. If the latest client version isn't available on the
cloud, it downloads the content from the management point via a CMG request.

Client registration

1. Configuration Manager client requests registration

Once ccmsetup successfully installs the Configuration Manager client, registration
initializes. The following entries are logged in ClientIDManagerStartup.log of the client:

Log

AADJoinStatusTask: Client hasn't been registered yet.

RegEndPoint: Event notification: CCM_RemoteClient_Reassigned

RegEndPoint: Received notification for site assignment change from '<none>' to 'MEM'.

...

[RegTask] - Starting registration, attempt 1.

[RegTask] - Client is not registered. Sending registration request for GUID:C66EE0FD-08E7-4B38-B282-7E6954B71139 ...

Registering client using AAD auth.

2. Configuration Manager requests Azure AD token to register client

The client requests a new Azure AD token to register using Azure AD authentication. It
prefers a device token, but if one isn't available, the client falls back to requesting an
Azure AD user token. The following entries are logged in ADALOperationProvider.log of
the client:

Log

Getting AAD (user) token with: ClientId = 0b7c8ab3-9ea1-4ffa-b2b9-8ffdd944bd8, ResourceUrl = https://ConfigMgrService, AccountId = 9756a359-f76a-47d5-8662-9a837012fc35

Retrieved AAD token for AAD user 'e8838041-db7a-42d5-b9ae-78813910e4cc'

3. Registration request
The registration component on the management point handles the client registration
process. The client sends a registration message to the MP_ClientRegistration endpoint.

3.1 CMG forwards the client registration request to the management point

The following entries are logged in the MP_RegistrationManager.log of the site system
that hosts the management point that handles the client request:

Log

Registering device using AAD auth: DeviceId='8d2b4ff9-0172-4998-9851-b5324303385f ', TenantId='c8c82542-203c-4df9-9d86-cdd4dae67e0a'

Processing Registration request from Client 'GUID:C66EE0FD-08E7-4B38-B282-7E6954B71139'

3.2 Configuration Manager client is registered

If registration succeeds, the client gets a confirmation message of registration with
Approval 3 for Azure AD-based registration. The following entries are logged in
ClientIDManagerStartup.log of the client:

Log

[RegTask] - Client is registered. Server assigned ClientID is GUID:C66EE0FD-08E7-4B38-B282-7E6954B71139. Approval status 3

4. Configuration Manager client token request

Once the server confirms the client registration, the client processes the reply message.
The client then requests and caches a new CCM token. The following entries are logged
in ClientIDManagerStartup.log of the client:

Log

Getting CCM Token from STS server 'MP.MYCORP.COM'

Getting CCM Token from https://MP.MYCORP.COM/CCM_STS

...

Cached encrypted token for 'S-1-5-18'. Will expire at '08/12/2020 18:55:40'

4.1 CMG gets and forwards CCM_Token request to CMG connection point

The following entries are logged in CMGService.log of the CMG VM and the site system
that hosts the CMG connection point role:

Log

RequestUri: /CCM_PROXY_SERVERAUTH/72057594037937981/CCM_STS RequestCount: 769 RequestSize: 1081595 Bytes ResponseCount: 769 ResponseSize: 36143 Bytes AverageElapsedTime: 3945 ms

4.2 CMG connection point transforms CMG client request to management point client request

The following entries are logged in SMS_CLOUD_PROXYCONNECTOR.log of the site
system that hosts the CMG connection point role:

Log

MessageID: 3087bd34-b82c-4950-b972-e82bb0fb8385 RequestURI: https://MP.MYCORP.COM/CCM_STS EndpointName: CCM_STS ResponseHeader: HTTP/1.1 200 OK ~~ ResponseBodySize: 0 ElapsedTime: 2 ms

4.3 Management point verifies user token in site database

The following entries are logged in CCM_STS.log of the site system that hosts the
management point that handles the client request:

Log

ProcessRequest - Start

Incoming request URL: https://MP.MYCORP.COM/CCM_STS

Validated AAD token. TokenType: UDA TenantId: 2ca9a796-a1a6-43ec-88f1-5935b32155c5 UserId: e8838041-db7a-42d5-b9ae-78813910e4cc DeviceId: 8d2b4ff9-0172-4998-9851-b5324303385f OnPrem_UserSid: S-1-5-21-1527250992-855612568-2252598708-1604 OnPrem_DeviceSid:

TokenType is UDA

Created SCCM token, token type: UDA, hierarchyId: 8ed3174b-e814-41b5-b51c-fb368f0d4003, userId: 23bbbba2-702e-4db4-8fd9-3b4fe3a5175d, deviceId: GUID:13E80CEF-5698-4C63-9ED6-E58FBFF78C38

Issued token

Return token to client

The server returns the CCM token to the client for the rest of client-to-site
communication.

Note

During client registration, certificate validation always runs. This process happens
even if you're using the Azure AD authentication method to register the client. This
behavior is a fallback option, in case Azure AD authentication doesn't succeed.

CCM token renewal

The CCM token has a lifetime of eight hours. When the client detects that the CCM token
is expired or close to expiration, it sends a new CCM token request. The CcmMessaging
component handles this renewal process. The following entries are logged in
CcmMessaging.log of the client:

Log

Sending remote sync message '{BD03DEED-D09A-4E63-ADAD-596376FFB0DA}' to host 'CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500' endpoint 'MP_PolicyManager'. Flags 0x280, sender account S-1-5-21-1721254763-462695806-1538882281-3289177

...

CCM Token for 'S-1-5-8-1721254763-462695806-1538882281-3289177' (12/23/2019 21:47:24) is already expired or close to expire

Getting CCM Token from https://CMG.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72186325152220500/CCM_STS

Cached encrypted token for 'S-1-5-21-1721254763-462695806-1538882281-3289177'. Will expire at '01/10/2020 17:14:54'

...

ccmhttp: Host=CMG.CLOUDAPP.NET, Path=/CCM_Proxy_ServerAuth/72186325152220500/ccm_system_tokenauth/request, Port=443, Protocol=https, CcmTokenAuth=1, Flags=0x4200, Options=0x1e0

Target URL scheme is HTTPS: https://CMG.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72186325152220500/ccm_system_tokenauth/request

Appending CCM Token to the header.

...

Message '{BD03DEED-D09A-4E63-ADAD-596376FFB0DA}' got reply message '{36EE3A78-8F6E-425F-BF5C-8460E8E56C33}' to endpoint 'dummy'

Common issues

Root CA not present: Clients need the root CA certificate to validate the CMG
server authentication certificate.

CRL check is enabled: Publish the CRL on the internet. As an alternative, use the
/NoCRLCheck parameter for ccmsetup. You can also disable the following option:
Clients check the certificate revocation list (CRL) for site systems. Find this setting
on the Communication Security tab of the site properties.

The WPJ certificate isn't found: Make sure the device is Azure AD-joined. Use
dsregcmd.exe. For example, run dsregcmd /status and look at the Device State
section.

Tip

Client communication via CMG, CMG connection point, and management point
runs over HTTPS. If you configure the site for enhanced HTTP, you can still
configure the management point for HTTP.

Client verifies the CMG server authentication certificate:

    PKI certificate: Client requires the root CA of the CMG certificate in its local
    store.

    Third-party certificate: Clients automatically validate a certificate with its
    root CA published on the internet.

CMG, CMG connection point, and management point validate Azure AD and
CCM tokens.

Communication between CMG connection point and management point is
also secured at both ends:

    CMG connection point uses a client authentication certificate.

    MP uses a PKI certificate for HTTPS configuration, or a self-signed
    certificate for enhanced HTTP.
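The following Python script is an added example, not code from the article or from the Configuration Manager product: it scans constructed log lines modelled on the ccmsetup.log, ClientIDManagerStartup.log and CcmMessaging.log entries quoted above (client installation, registration and CCM token renewal) and reports which Azure AD token path the client took, whether registration was confirmed, and whether the cached CCM token is due for renewal. The 30-minute renewal margin is an assumption, because the article says only that the client renews when the token is "close to expiration".

```python
"""Triage helper for the Azure AD client-authentication workflow.

Added example, not part of the Configuration Manager documentation or product.
It reads ccmsetup.log / ClientIDManagerStartup.log / CcmMessaging.log style
lines and summarises the token path, registration result and CCM token state.
"""
import re
from datetime import datetime, timedelta

# Patterns built from the log entries quoted in the article.
RE_DEVICE_REQ = re.compile(r"Getting AAD \(device\) token")
RE_DEVICE_FAIL = re.compile(
    r"Failed to get AAD token for '(?P<sid>[^']+)' from WAM API\. Error (?P<code>0x[0-9a-fA-F]+)")
RE_USER_OK = re.compile(r"Retrieved AAD token for AAD user '(?P<user>[^']+)'")
RE_CCM_CACHED = re.compile(
    r"Cached encrypted token for '(?P<sid>[^']+)'\. Will expire at '(?P<exp>[^']+)'")
RE_CCM_STALE = re.compile(r"CCM Token for '[^']+' \([^)]*\) is already expired or close to expire")
RE_REGISTERED = re.compile(
    r"Server assigned ClientID is (?P<cid>GUID:[0-9A-Fa-f-]+)\. Approval status (?P<status>\d+)")

CCM_TOKEN_LIFETIME = timedelta(hours=8)   # lifetime stated in the article
# Assumption: the article gives no numeric "close to expiration" threshold;
# 30 minutes is a value chosen for this example only.
RENEWAL_MARGIN = timedelta(minutes=30)

# Constructed sample, modelled on the entries quoted in the article (not a real capture).
SAMPLE_LOG = """\
Getting AAD info from CMG 'CMG.CLOUDAPP.NET'
Getting AAD (device) token with: ClientId = 0b7c8ab3-9ea1-4ffa-b2b9-8ffdd944bd8b, ResourceUrl = https://ConfigMgrService
WAM token request failed. Status 5, Details 'AAD WAM extension error'
Failed to get AAD token for 'S-1-5-18' from WAM API. Error 0xd0090016
Falling back to get user 'S-1-5-21-1527250992-855612568-2252598708-1604' token for system...
Getting AAD (user) token with: ClientId = 0b7c8ab3-9ea1-4ffa-b2b9-8ffdd944bd8b, ResourceUrl = https://ConfigMgrService
Retrieved AAD token for AAD user 'e8838041-db7a-42d5-b9ae-78813910e4cc'
Getting CCM Token from https://cmg.cloudapp.net/CCM_PROXY_MutualAuth/72186325152220500/CCM_STS
Cached encrypted token for 'S-1-5-18'. Will expire at '06/25/2020 08:29:35'
Registering client using AAD auth.
[RegTask] - Client is registered. Server assigned ClientID is GUID:C66EE0FD-08E7-4B38-B282-7E6954B71139. Approval status 3
"""


def parse_expiry(text: str) -> datetime:
    """Parse the 'MM/DD/YYYY HH:MM:SS' stamp the client logs for token expiry."""
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S")


def ccm_token_state(expiry: datetime, now: datetime) -> str:
    """Classify a cached CCM token as 'expired', 'renewal-due' or 'valid'."""
    if now >= expiry:
        return "expired"
    if expiry - now <= RENEWAL_MARGIN:
        return "renewal-due"
    return "valid"


def triage(log_text: str) -> dict:
    """Walk the log lines in order and summarise the authentication path."""
    r = {
        "auth_method": None,         # "aad-device", "aad-user" or None
        "device_token_error": None,  # hex error from the WAM device-token request
        "aad_user": None,            # Azure AD user the user token was issued for
        "ccm_token_expiry": None,    # datetime from 'Cached encrypted token ...'
        "client_id": None,           # server-assigned ClientID after registration
        "approval_status": None,
        "findings": [],
    }
    device_requested = False
    for line in log_text.splitlines():
        if RE_DEVICE_REQ.search(line):
            device_requested = True
        elif (m := RE_DEVICE_FAIL.search(line)):
            r["device_token_error"] = m.group("code")
        elif (m := RE_USER_OK.search(line)):
            r["aad_user"] = m.group("user")
            r["auth_method"] = "aad-user"
        elif (m := RE_CCM_CACHED.search(line)):
            r["ccm_token_expiry"] = parse_expiry(m.group("exp"))
        elif RE_CCM_STALE.search(line):
            r["findings"].append("client detected an expired or expiring CCM token and renewed it")
        elif (m := RE_REGISTERED.search(line)):
            r["client_id"] = m.group("cid")
            r["approval_status"] = int(m.group("status"))

    if r["auth_method"] is None and device_requested and r["device_token_error"] is None:
        # No failure and no user token after the device request: assume the device
        # token was issued (the article shows no explicit success line for it).
        r["auth_method"] = "aad-device"
    if r["device_token_error"] and r["auth_method"] == "aad-user":
        r["findings"].append(
            f"device token request failed ({r['device_token_error']}); fell back to a user token")
    if r["device_token_error"] and r["auth_method"] is None:
        r["findings"].append("neither a device nor a user Azure AD token was obtained; ccmsetup stops here")
    if r["ccm_token_expiry"] is None:
        r["findings"].append("no CCM token was cached; check the CCM_STS request via the CMG")
    if r["client_id"] is None:
        r["findings"].append("registration was not confirmed; check MP_RegistrationManager.log")
    return r


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    now = parse_expiry("06/25/2020 08:10:00")  # constructed 'current time' for the demo
    print("ccm token state:", ccm_token_state(result["ccm_token_expiry"], now))
```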

Use a cloud distribution point in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Warning

The implementation for sharing content from Azure has changed. Use a content-
enabled cloud management gateway by enabling the option to Allow CMG to
function as a cloud distribution point and serve content from Azure storage. For
more information, see Modify a CMG.

Starting in version 2107, you can't create a traditional cloud distribution point
(CDP).

A cloud distribution point is a Configuration Manager distribution point that is hosted as
Platform-as-a-Service (PaaS) in Microsoft Azure. This service supports the following
scenarios:

Provide software content to internet-based clients without additional on-premises
infrastructure

Cloud-enable your content distribution system

Reduce the need for traditional distribution points

This article helps you learn about the cloud distribution point, plan for its use, and
design your implementation. It includes the following sections:

Features and benefits
Topology design
Requirements
Specifications
Cost
Performance and scale
Ports and data flow
Certificates
Frequently asked questions (FAQ)

Features and benefits

Features
The cloud distribution point supports several features that are also offered by
on-premises distribution points:

Manage cloud distribution points individually or as members of distribution point
groups

Use a cloud distribution point as a fallback content location

Supports both intranet and internet-based clients

Benefits
The cloud distribution point provides the following additional benefits:

The site encrypts the content before sending it to the cloud distribution point in
Azure.

To meet changing demands for content requests by clients, manually scale the
cloud service in Azure. This action doesn't require that you install and provision
additional distribution points in Configuration Manager.

Supports content download from clients configured for other content
technologies, such as Windows BranchCache.

Use cloud distribution points as source locations for pull-distribution points.

Topology design
Deployment and operation of the cloud distribution point includes the following
components:

A cloud service in Azure. The site distributes content to this service, which stores it
in Azure cloud storage. The management point provides to clients this content
location in the list of available sources as appropriate.

A management point site system role services client requests as normal.

On-premises clients typically use an on-premises management point.

Internet-based clients either use a cloud management gateway or an
internet-based management point.

The cloud distribution point uses a certificate-based HTTPS web service to help
secure network communication with clients. Clients must trust this certificate.

Azure Resource Manager

Create a cloud distribution point using an Azure Resource Manager deployment. Azure
Resource Manager is a modern platform for managing all solution resources as a single
entity, called a resource group. When deploying a cloud distribution point with Azure
Resource Manager, the site uses Azure Active Directory (Azure AD) to authenticate and
create the necessary cloud resources.

Note

This feature doesn't enable support for Azure Cloud Service Providers (CSP). The
cloud distribution point deployment with Azure Resource Manager continues to
use the classic cloud service, which the CSP doesn't support. For more information,
see available Azure services in Azure CSP.

Azure Resource Manager is the only deployment mechanism for new instances of the
cloud distribution point. Existing deployments continue to work.

Hierarchy design
Where you create the cloud distribution point depends upon which clients need to
access the content.

Azure Resource Manager deployment: Create this type at a primary site or the
central administration site.

The cloud management gateway (CMG) can also serve content to clients. This
functionality reduces the required certificates and cost of Azure VMs. For more
information, see Overview of cloud management gateway.

To determine whether to include cloud distribution points in boundary groups, consider
the following behaviors:

Internet-based clients don't rely on boundary groups. They only use internet-
facing distribution points or cloud distribution points. If you're only using cloud
distribution points to service these types of clients, then you don't need to include
them in boundary groups.

If you want clients on your internal network to use a cloud distribution point, then
it needs to be in the same boundary group as the clients. Clients prioritize cloud
distribution points last in their list of content sources, because there's a cost
associated with downloading content out of Azure. So a cloud distribution point is
typically used as a fallback source for intranet-based clients. If you want a cloud-
first design, then design your boundary groups to meet this business requirement.
For more information, see Configure boundary groups.

Even though you install cloud distribution points in specific regions of Azure, clients
aren't aware of the Azure regions. They randomly select a cloud distribution point. If you
install cloud distribution points in multiple regions, and a client receives more than one
in the content location list, the client might not use a cloud distribution point from the
same Azure region.

Backup and recovery

When you use a cloud distribution point in your hierarchy, use the following information
to help you plan for backup and recovery:

When you use the Backup Site Server maintenance task, Configuration Manager
automatically includes the configurations for the cloud distribution point.

Back up and save a copy of the server authentication certificate. When you restore
the Configuration Manager primary site to a different server, reimport the
certificate.

Requirements

You need an Azure subscription to host the service.

An Azure administrator needs to participate in the initial creation of certain
components, depending upon your design. This persona doesn't require
permissions in Configuration Manager.

The site server requires internet access to deploy and manage the cloud service.

When using the Azure Resource Manager deployment method, integrate
Configuration Manager with Azure AD for Cloud Management. Azure AD user
discovery isn't required.

A server authentication certificate. For more information, see the Certificates
section below.

    To reduce complexity, use a public certificate provider for the server
    authentication certificate. When doing so, you also need a DNS CNAME alias
    for clients to resolve the name of the cloud service.

Set the client setting, Allow access to cloud distribution points, to Yes in the
Cloud Services group. By default, this value is set to No.

Client devices require internet connectivity, and must use IPv4.

Specifications
The cloud distribution point supports all Windows versions listed in Supported
operating systems for clients and devices.

An administrator distributes the following types of supported software content:

Applications

Packages

OS upgrade packages

Third-party software updates

Important

While the Configuration Manager console doesn't block the distribution
of Microsoft software updates to a cloud distribution point, you're
paying Azure costs to store content that clients don't use.
Internet-based clients always get Microsoft software update content from the
Microsoft Update cloud service. Don't distribute Microsoft software
updates to a cloud distribution point.

When using a CMG for content storage, the content for third-party
updates won't download to clients if the Download delta content when
available client setting is enabled.

Configure a pull-distribution point to use a cloud distribution point as a source. For
more information, see About source distribution points.

Deployment settings
Download content locally when needed by the running task sequence. The task
sequence engine can download packages on-demand from a content-enabled
CMG or a cloud distribution point. This option provides additional flexibility with
your Windows in-place upgrade deployments to internet-based devices.

Download all content locally before starting task sequence. With this option, the
Configuration Manager client downloads the content from the cloud source before
starting the task sequence.

A cloud distribution point doesn't support package deployments with the option
to Run program from distribution point. Use the deployment option to Download
content from distribution point and run locally.

Limitations
You can't use a cloud distribution point for PXE or multicast-enabled deployments.

A cloud distribution point doesn't support App-V streaming applications.

A cloud distribution point doesn't support content for Microsoft 365 Apps
updates.

You can't prestage content on a cloud distribution point. The distribution manager
of the primary site that manages the cloud distribution point transfers all content.

You can't configure a cloud distribution point as a pull-distribution point.

Cost

Important

The following cost information is for estimating purposes only. Your environment
may have other variables that affect the overall cost of using a cloud distribution
point.

Configuration Manager includes the following options to help control costs and monitor
data access:

Control and monitor the amount of content that you store in a cloud service. For
more information, see Monitor cloud distribution points.
Configure Configuration Manager to alert you when thresholds for client
downloads meet or exceed monthly limits. For more information, see Data transfer
threshold alerts.

To help reduce the number of data transfers from cloud distribution points by
clients, use one of the following peer caching technologies:

Configuration Manager peer cache

Windows BranchCache

Windows Delivery Optimization

For more information, see Fundamental concepts for content management.

Components
A cloud distribution point uses the following Azure components, which incur charges to
the Azure subscription account:

Tip

The cloud management gateway can also serve content to clients. This functionality
reduces the cost by consolidating the Azure VMs. For more information, see Cost
for cloud management gateway.

Virtual machine
The cloud distribution point uses Azure Cloud Services as platform as a service
(PaaS). This service uses virtual machines (VMs) that incur compute costs.

Each cloud distribution point service uses two Standard A0 VMs.

See the Azure pricing calculator to help determine potential costs.

Note

Virtual machine costs vary by region.

Outbound data transfer

Any dataflows into Azure are free (ingress or upload). Distributing content from the
site to the cloud distribution point is uploading to Azure.

Charges are based on data flowing out of Azure (egress or download). Cloud
distribution point dataflows out of Azure consist of the software content that
clients download.

For more information, see Monitor cloud distribution points.

See the Azure bandwidth pricing details to help determine potential costs.
Pricing for data transfer is tiered. The more you use, the less you pay per gigabyte.

Content storage
Internet-based clients get Microsoft software update content from the Microsoft
Update cloud service at no charge. Don't distribute software update deployment
packages with Microsoft software updates to a cloud distribution point. Otherwise,
you'll incur data storage costs for content that clients never use.

Cloud distribution points with an Azure Resource Manager deployment use Azure
locally redundant storage (LRS). For more information, see Locally redundant
storage.

Other costs

Each cloud service has a dynamic IP address. Each distinct cloud distribution point
uses a new dynamic IP address. Adding additional VMs per cloud service doesn't
increase these addresses.

Ports and data flow

There are two primary data flows for the cloud distribution point:

The site server connects to Azure to set up the cloud distribution point service

A client connects to the cloud distribution point to download content

Site server to Azure

You don't need to open any inbound ports to your on-premises network. The site server
initiates all communication with Azure and the cloud distribution point to deploy,
update, and manage the cloud service. The site server needs to create outbound
connections to the Microsoft cloud. This action is equivalent to installing the distribution
point site system role on a specific site.

Client to cloud distribution point

You don't need to open any inbound ports to your on-premises network. Internet-based
clients communicate directly with the Azure service. Clients on your internal network
that use a cloud distribution point need to connect to the Microsoft cloud.

For more information on content location priority and when intranet-based clients use a
cloud distribution point, see Content source priority.

When a client uses a cloud distribution point as a content location:

1. The management point gives the client an access token along with the list of
content sources. This token is valid for 24 hours, and gives the client access to the
cloud distribution point.

2. The management point responds to the client's location request with the Service
FQDN of the cloud distribution point. This property is the same as the common
name of the server authentication certificate.

If you're using your domain name, for example, WallaceFalls.contoso.com, then the
client first tries to resolve this FQDN. You need a CNAME alias in your domain's
internet-facing DNS for clients to resolve the Azure service name, for example:
WallaceFalls.cloudapp.net.

3. The client next resolves the Azure service name, for example,
WallaceFalls.cloudapp.net, to a valid IP address. This response should be handled
by Azure's DNS.

4. The client connects to the cloud distribution point. Azure load balances the
connection to one of the VM instances. The client authenticates itself using the
access token.

5. The cloud distribution point authenticates the client's access token, and then gives
the client the exact content location in Azure storage.

6. If the client trusts the cloud distribution point's server authentication certificate, it
connects to Azure storage to download the content.

Performance and scale

As with any distribution point design, consider the following factors:

Number of concurrent client connections

The size of the content that clients download

The length of time allowed to meet your business requirements

Depending upon your topology design, if clients have the option of more than one
cloud distribution point for any given content, then they naturally randomize across
those cloud services. If you only distribute a certain piece of content to a single cloud
distribution point, and a large number of clients try to download this content at the
same time, this activity puts higher load on that single cloud distribution point. Adding
an additional cloud distribution point also includes a separate Azure storage service. For
more information on how the client communicates with the cloud distribution point
components and downloads content, see Ports and data flow.

The cloud distribution point uses two Azure VMs as the front end to the Azure storage.
This default deployment meets most customers' needs. In some extreme circumstances,
with a large number of concurrent client connections (for example, 150,000 clients), the
processing capacity of the Azure VMs can't keep up with the client requests. You can't
resize the Azure VMs used for the cloud distribution point. While you can't configure the
number of VM instances for the cloud distribution point in Configuration Manager, if
necessary, reconfigure the cloud service in the Azure portal. Either manually add more
VM instances, or configure the service to automatically scale.

Important

When you update Configuration Manager, the site redeploys the cloud service. If
you manually reconfigure the cloud service in the Azure portal, the number of
instances resets to the default of two.

The Azure storage service supports 500 requests per second for a single file.
Performance testing of a single cloud distribution point supported distribution of a
single 100-MB file to 50,000 clients in 24 hours.

Certificates
Depending upon your cloud distribution point design, you need one or more digital
certificates.

General information

Certificates for cloud distribution points support the following configurations:

- 4096-bit key length
- Version 3 certificates. For more information, see CNG certificates overview.
- When you configure Windows with the following policy: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
- Support for TLS 1.2. For more information, see Cryptographic controls technical reference.

Server authentication certificate

This certificate is required for all cloud distribution point deployments.

For more information, see CMG server authentication certificate, and the following
subsections, as necessary:

- CMG trusted root certificate to clients
- Server authentication certificate issued by public provider
- Server authentication certificate issued from enterprise PKI

The cloud distribution point uses this type of certificate in the same way as the cloud
management gateway. Clients also need to trust this certificate. To reduce complexity,
Microsoft recommends using a certificate issued by a public provider.

Unless you use a wildcard certificate, don't reuse the same certificate. Each instance of
the cloud distribution point and cloud management gateway requires a unique server
authentication certificate.

For more information on creating this certificate from a PKI, see Deploy the service
certificate for cloud distribution points.

Frequently asked questions (FAQ)

Does a client need a certificate to download content from a cloud distribution point?

A client authentication certificate isn't required. The client does need to trust the server
authentication certificate used by the cloud distribution point. If this certificate is issued
by a public certificate provider, then most Windows devices already include trusted root
certificates for these providers. If you issued a server authentication certificate from your
organization's PKI, then your clients need to trust the issuing certificates in the entire
chain. This chain includes the root certificate authority, and any intermediate certificate
authorities. Depending upon your PKI design, this certificate can introduce additional
complexity to the deployment of the cloud distribution point. To avoid this complexity,
Microsoft recommends using a public certificate provider that your clients already trust.

Can my on-premises clients use a cloud distribution point?

Yes. If you want clients on your internal network to use a cloud distribution point, then it
needs to be in the same boundary group as the clients. Clients prioritize cloud
distribution points last in their list of content sources, because there's a cost associated
with downloading content out of Azure. Thus, a cloud distribution point is typically used
as a fallback source for intranet-based clients. If you want a cloud-first design, then
design your boundary groups accordingly. For more information, see Configure
boundary groups.

Do I need Azure ExpressRoute?

Azure ExpressRoute lets you extend your on-premises network into the Microsoft cloud.
ExpressRoute, or other such virtual network connections aren't required for the
Configuration Manager cloud distribution point.

If your organization uses ExpressRoute, isolate the Azure subscription for the cloud
distribution point from the subscription that uses ExpressRoute. This configuration
ensures that the cloud distribution point isn't accidentally connected in this manner.

Do I need to maintain the Azure virtual machines?

No maintenance is required. The design of the cloud distribution point uses Azure
platform as a service (PaaS). Using the subscription you provide, Configuration Manager
creates the necessary VMs, storage, and networking. Azure secures and updates the
virtual machines. These VMs aren't a part of your on-premises environment, as is the
case with infrastructure as a service (IaaS). The cloud distribution point is a PaaS that
extends your Configuration Manager environment into the cloud. For more information,
see Security advantages of a PaaS cloud service model.

Does the cloud distribution point use Azure CDN?

The Azure Content Delivery Network (CDN) is a global solution for rapidly delivering
high-bandwidth content by caching the content at strategically placed physical nodes
across the world. For more information, see What is Azure CDN?.

The Configuration Manager cloud distribution point currently doesn't support Azure
CDN.

Next steps

Install cloud distribution points

Install a cloud distribution point for Configuration Manager

Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Warning

The implementation for sharing content from Azure has changed. Use a content-
enabled cloud management gateway by enabling the option to Allow CMG to
function as a cloud distribution point and serve content from Azure storage. For
more information, see Modify a CMG.

Starting in version 2107, you can't create a traditional cloud distribution point
(CDP).

This article details the steps to install a Configuration Manager cloud distribution point
in Microsoft Azure. It includes the following sections:

- Before you begin
- Set up
- Configure DNS
- Set up site server proxy
- Distribute content and configure clients
- Manage and monitor
- Modify
- Advanced troubleshooting

Before you begin

Start by reading the article Use a cloud distribution point. That article helps you plan
and design your cloud distribution points.

Use the following checklist to make sure you have the necessary information and
prerequisites to create a cloud distribution point:

- The site server can connect to Azure. If your network uses a proxy, configure the
  site system role.

- The Azure environment to use. For example, the Azure Public Cloud or the Azure
  US Government Cloud.

- Use the Azure Resource Manager deployment. It has the following requirements:

  - Integration with Azure Active Directory for Cloud Management. Azure AD user
    discovery isn't required.
  - The Azure Subscription ID.
  - The Azure Resource Group.
  - A subscription admin account needs to sign in during the wizard.

- A server authentication certificate, exported as a .PFX file.

- A globally unique service name for the cloud distribution point.

  Tip

  Before requesting the server authentication certificate that uses this service
  name, confirm that the desired Azure domain name is unique. For example,
  WallaceFalls.CloudApp.Net.

  1. Sign in to the Azure portal.
  2. Select All resources, and then select Add.
  3. Search for Cloud service. Select Create.
  4. In the DNS name field, type the prefix you want, for example
     WallaceFalls. The interface reflects whether the domain name is available
     or already in use by another service.

  Don't create the service in the portal, just use this process to check the name
  availability.

- The Azure region for this deployment.

BranchCache
To enable a cloud distribution point to use Windows BranchCache, install the
BranchCache feature on the site server.

If the site server has an on-premises distribution point site system role, configure
the option in that role's properties to Enable and configure BranchCache. For
more information, see Configure a distribution point.

If the site server doesn't have a distribution point role, install the BranchCache
feature in Windows. For more information, see Install the BranchCache feature.

If you've already distributed content to a cloud distribution point, and then decide to
enable BranchCache, first install the feature. Then redistribute the content to the cloud
distribution point.

Set up

Warning

Starting in version 2107, this action isn't available. You can't create a traditional
cloud distribution point (CDP). Use a content-enabled cloud management gateway
by enabling the option to Allow CMG to function as a cloud distribution point
and serve content from Azure storage. For more information, see Modify a CMG.

Perform this procedure on the site to host this cloud distribution point as determined by
your design.

1. In the Configuration Manager console, go to the Administration workspace,
expand Cloud Services, and select Cloud Distribution Points. In the ribbon, select
Create Cloud Distribution Point.

2. On the General page of the Create Cloud Distribution Point Wizard, configure the
following settings:

a. First specify the Azure environment.

b. Select Azure Resource Manager deployment as the deployment method. Select
Sign in to authenticate with an Azure subscription admin account. The wizard
auto-populates the remaining fields from the information stored during the
Azure AD integration prerequisite. If you own multiple subscriptions, select the
Subscription ID of the desired subscription to use.

3. Select Next. Wait as the site tests the connection to Azure.

4. On the Settings page, specify the following settings, and then select Next:

- Region: Select the Azure region where you want to create the cloud
  distribution point.

- Resource Group (Azure Resource Manager deployment method only)

  - Use existing: Select an existing resource group from the drop-down list.
  - Create new: Enter the new resource group name to create in your Azure
    subscription.

- Primary site: Select the primary site to distribute content to this distribution
  point.

- Certificate file: Select Browse and select the .PFX file for this cloud
  distribution point's server authentication certificate. The common name from
  this certificate populates the required Service FQDN and Service name fields.

  Note

  The cloud distribution point server authentication certificate supports
  wildcards. If you use a wildcard certificate, replace the asterisk ( * ) in the
  Service FQDN field with the desired hostname for the service.

5. On the Alerts page, set up storage quotas, transfer quotas, and at what percentage
of these quotas you want Configuration Manager to generate alerts. Then select
Next.

6. Complete the wizard.

Monitor installation
The site starts to create a new hosted service for the cloud distribution point. After you
close the wizard, monitor the installation progress of the cloud distribution point in the
Configuration Manager console. Also monitor the CloudMgr.log file on the primary site
server. If necessary, monitor the provisioning of the cloud service in the Azure portal.

Note

It can take up to 30 minutes to provision a new distribution point in Azure. The
CloudMgr.log file repeats the following message until the storage account is
provisioned:

Waiting for check if container exists. Will check again in 10 seconds

After it provisions the storage account, the service is created and configured.

Verify installation

Verify that the cloud distribution point installation is complete by using the following
methods:

- In the Configuration Manager console, go to the Administration workspace.
  Expand Cloud Services, and select the Cloud Distribution Points node. Find the
  new cloud distribution point in the list. The Status column should be Ready.

- In the Configuration Manager console, go to the Monitoring workspace. Expand
  System Status, and select the Component Status node. Show all messages from
  the SMS_CLOUD_SERVICES_MANAGER component, and look for status message
  ID 9409.

- If necessary, go to the Azure portal. The Deployment for the cloud distribution
  point displays a status of Ready.

Configure DNS
Before clients can use the cloud distribution point, they must be able to resolve the
name of the cloud distribution point to an IP address that Azure manages. The
management point gives them the Service FQDN of the cloud distribution point. The
cloud distribution point exists in Azure as the Service name. See these values on the
Settings tab of the cloud distribution point properties.

Note

The Cloud Distribution Points node in the console includes a column named
Service Name, but actually shows the Service FQDN value. To see both values,
open Properties for the cloud distribution point and switch to the Settings tab.

The server authentication certificate common name should include your domain name.
This name is required when you purchase a certificate from a public provider. It's
recommended when issuing this certificate from your PKI. For example,
WallaceFalls.contoso.com. When you specify this certificate in the Create Cloud
Distribution Point Wizard, the common name populates the Service FQDN property
(WallaceFalls.contoso.com). The Service name takes the same hostname (WallaceFalls)
and appends it to the Azure domain name, cloudapp.net. In this scenario, clients need
to resolve your domain's Service FQDN (WallaceFalls.contoso.com) to the Azure
Service name (WallaceFalls.cloudapp.net). Create a CNAME alias to map these names.

Create CNAME alias

Create a canonical name record (CNAME) in your organization's public, internet-facing
DNS. This record creates an alias for the cloud distribution point's Service FQDN
property that clients receive, to the Azure Service name. For example, create a new
CNAME record for WallaceFalls.contoso.com to WallaceFalls.cloudapp.net.

Client name resolution process

The following process shows how a client resolves the name of the cloud distribution
point:

1. The client gets the Service FQDN of the cloud distribution point in the list of
content sources. For example, WallaceFalls.contoso.com .

2. It queries DNS, which resolves the Service FQDN using the CNAME alias to the
Azure Service name. For example, WallaceFalls.cloudapp.net .

3. It queries DNS again, which resolves the Azure service name to the Azure public IP
address.

4. The client uses this IP address to start communication with the cloud distribution
point.

5. The cloud distribution point presents the server authentication certificate to the
client. The client uses the trust chain of the certificate to validate.
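The resolution and certificate-trust steps above can be exercised from an administrator workstation with the following PowerShell. This is an added example, not code from the Configuration Manager documentation: it uses Resolve-DnsName and the .NET SslStream class rather than any Configuration Manager API, takes the Service FQDN WallaceFalls.contoso.com from the text as its sample value, and assumes the cloud distribution point answers HTTPS on TCP 443.

```powershell
# Added example (not from the Configuration Manager documentation): exercise the client's
# name-resolution and certificate-trust steps against a cloud distribution point.
# Assumptions: $ServiceFqdn is the Service FQDN shown on the Settings tab of the cloud
# distribution point, and the service answers HTTPS on TCP 443 (example values only).
param(
    [string]$ServiceFqdn = 'WallaceFalls.contoso.com',
    [int]$Port = 443
)

function Test-CloudDPNameResolution {
    param([string]$Fqdn)
    # Steps 1 and 2: the Service FQDN must be a CNAME alias to the Azure Service name.
    $cname = Resolve-DnsName -Name $Fqdn -Type CNAME -ErrorAction Stop |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) {
        throw "No CNAME record for $Fqdn. Create one that points to <ServiceName>.cloudapp.net."
    }
    $azureName = $cname.NameHost.TrimEnd('.')
    if ($azureName -notlike '*.cloudapp.net') {
        Write-Warning "CNAME target '$azureName' is not an Azure cloudapp.net service name."
    }
    # Step 3: Azure DNS must resolve the Service name to a public IP address.
    $addresses = Resolve-DnsName -Name $azureName -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    if (-not $addresses) { throw "Azure service name $azureName has no A record." }
    [pscustomobject]@{
        ServiceFqdn      = $Fqdn
        AzureServiceName = $azureName
        IPAddresses      = @($addresses)
    }
}

function Test-CloudDPServerCertificate {
    param([string]$Fqdn, [int]$Port)
    # Steps 4 and 5: open a TLS 1.2 connection as a client would and record the
    # policy errors (untrusted chain, name mismatch) that the platform reports.
    $state = @{ Errors = $null }
    $validator = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors   # keep the verdict ...
        return $true                       # ... but finish the handshake so the cert can be inspected
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$validator
    $client = [System.Net.Sockets.TcpClient]::new($Fqdn, $Port)
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($Fqdn, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keyBits = if ($rsa) { $rsa.KeySize } else { $null }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            SubjectAltName     = $san
            CertificateVersion = $cert.Version
            KeySizeBits        = $keyBits
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            NotAfter           = $cert.NotAfter
            DaysUntilExpiry    = [int]($cert.NotAfter - (Get-Date)).TotalDays
            TlsProtocol        = $ssl.SslProtocol
            PolicyErrors       = $state.Errors
            ClientWouldTrust   = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

$resolution = Test-CloudDPNameResolution -Fqdn $ServiceFqdn
$resolution | Format-List
$report = Test-CloudDPServerCertificate -Fqdn $ServiceFqdn -Port $Port
$report | Format-List
if (-not $report.ClientWouldTrust) {
    Write-Warning "This host reports $($report.PolicyErrors); clients that validate the same way will not download from the cloud distribution point."
}
if ($report.DaysUntilExpiry -le 30) {
    Write-Warning "Certificate expires in $($report.DaysUntilExpiry) days. Issue a new one with the same common name and update Certificate file on the Settings tab."
}
```

Run it from a machine that trusts the same root and intermediate certificates as your clients; a PolicyErrors value of RemoteCertificateChainErrors on that machine means the issuing chain, not the cloud distribution point itself, is what clients will reject.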

Set up site server proxy

The primary site server that manages the cloud distribution point needs to communicate
with Azure. If your organization uses a proxy server to control internet access, configure
the primary site server to use this proxy.

For more information, see Proxy server support.

Distribute content and configure clients

Distribute content to the cloud distribution point the same as any other on-premises
distribution point. The management point doesn't include the cloud distribution point in
the list of content locations unless it has the content that clients request. For more
information, see Distribute and manage content.

Manage a cloud distribution point the same as any other on-premises distribution point.
These actions include assigning it to a distribution point group, and managing content
packages. For more information, see Install and configure distribution points.

Default client settings automatically enable clients to use cloud distribution points.
Control access to all cloud distribution points in your hierarchy with the following client
setting:

In the Cloud Settings group, modify the setting Allow access to cloud distribution
points.

By default, this setting is set to Yes.

Modify and deploy this setting for both users and devices.

Manage and monitor

Monitor content that you distribute to a cloud distribution point the same as with any
other on-premises distribution points. For more information, see Monitor content.

When you view the list of cloud distribution points in the console, you can add
additional columns to the list. For example, the Data egress column shows the amount
of data clients downloaded from the service in the last 30 days.

Alerts
Configuration Manager periodically checks the Azure service. If the service isn't active, or
if there are subscription or certificate issues, Configuration Manager raises an alert.

Configure thresholds for the amount of data that you want to store on the cloud
distribution point, and for the amount of data that clients download from the
distribution point. Use alerts for these thresholds to help you decide when to stop or
delete the cloud service, adjust the content that you store on the cloud distribution
point, or modify which clients can use the service.

Storage alert threshold: The storage alert threshold sets an upper limit in GB on
the amount of data or content that you want store on the cloud distribution point.
By default, this threshold is 2,000 GB. Configuration Manager generates warning
and critical alerts when the remaining free space reaches the levels that you
specify. By default, these alerts occur at 50% and 90% of the threshold.

Monthly transfer alert threshold: The monthly transfer alert threshold helps you to
monitor the amount of content that transfers from the distribution point to clients
for a 30-day period. By default, this threshold is 10,000 GB. The site raises warning
and critical alerts when transfers reach values that you define. By default, these
alerts occur at 50% and 90% of the threshold.

Important

Configuration Manager monitors the transfer of data, but does not stop the
transfer of data beyond the specified transfer alert threshold.

Specify thresholds for each cloud distribution point during installation, or use the Alerts
tab of the cloud distribution point properties.

Note

Alerts for a cloud distribution point depend on usage statistics from Azure, which
can take up to 24 hours to become available. For more information about Storage
Analytics for Azure, see Storage Analytics.

In an hourly cycle, the primary site that monitors the cloud distribution point downloads
transaction data from Azure. It stores this transaction data in the
CloudDP-<ServiceName>.log file on the site server. Configuration Manager then evaluates this
information against the storage and transfer quotas for each cloud distribution point.
When the transfer of data reaches or exceeds the specified volume for either warnings
or critical alerts, Configuration Manager generates the appropriate alert.

Warning

Because the site downloads information about data transfers from Azure every
hour, the usage might exceed a warning or critical threshold before Configuration
Manager can access the data and raise an alert.

Modify

View high-level information about the distribution point in the Cloud Distribution
Points node under Cloud Services in the Administration workspace of the
Configuration Manager console. Select a distribution point and select Properties to see
more details.

When you edit the properties of a cloud distribution point, the following tabs include
settings to edit:

Settings

- Description
- Certificate file: Before the server authentication certificate expires, issue a new
  certificate with the same common name. Then add the new certificate here for the
  service to start using. If the certificate expires, clients won't trust and use the
  service.

Alerts

Adjust the data thresholds for storage and monthly transfer alerts.

Content

Manage content the same as for an on-premises distribution point.

Redeploy the service

More significant changes, such as the following configurations, require redeploying the
service:

- Classic deployment method to Azure Resource Manager
- Subscription
- Service name
- Private to public PKI
- Azure region

If you have an existing cloud distribution point on the classic deployment method, in
order to use the Azure Resource Manager deployment method you need to deploy a
new cloud distribution point. There are two options:

If you want to reuse the same service name:

1. First delete the classic cloud distribution point. If there isn't another cloud
distribution point, then clients may not be able to get content.

2. Create a new cloud distribution point using a Resource Manager deployment.
Reuse the same server authentication certificate.

3. Distribute the necessary software package content to the new cloud
distribution point.

If you want to use a new service name:

1. Create a new cloud distribution point using a Resource Manager deployment.
Use a new server authentication certificate.

2. Distribute the necessary software package content to the new cloud
distribution point.

3. Delete the classic cloud distribution point.

Tip

To determine the current deployment model of a cloud distribution point:

1. In the Configuration Manager console, go to the Administration workspace,
expand Cloud Services, and select the Cloud Distribution Points node.
2. Add the Deployment Model attribute as a column to the list view. For a
Resource Manager deployment, this attribute is Azure Resource Manager.

Stop or start the cloud service on demand

Stop a cloud distribution point at any time in the Configuration Manager console. This
action immediately prevents clients from downloading additional content from the
service. Restart the cloud service from the Configuration Manager console to restore
access for clients. For example, stop a cloud service when it reaches a data threshold.

When you stop a cloud distribution point, the cloud service doesn't delete the content
from the storage account. It also doesn't prevent the site server from transferring
additional content to the cloud distribution point. The management point still returns
the cloud distribution point to clients as a valid content source.

Use the following procedure to stop a cloud distribution point:

1. In the Configuration Manager console, go to the Administration workspace.
Expand Cloud Services, and select the Cloud Distribution Points node.

2. Select the cloud distribution point. To stop the cloud service that runs in Azure,
select Stop service in the ribbon.

3. Select Start service to restart the cloud distribution point.

Delete a cloud distribution point
To uninstall a cloud distribution point, select the distribution point in the Configuration
Manager console, and then select Delete.

When you delete a cloud distribution point from a hierarchy, Configuration Manager
removes the content from the cloud service in Azure.

Manually removing any components in Azure causes the system to be inconsistent. This
state leaves orphaned information, and unexpected behaviors may occur.

Advanced troubleshooting
If you need to collect diagnostic logging from the Azure VMs to help troubleshoot
problems with your cloud distribution point, use the following PowerShell sample to
enable the service diagnostic extension for the subscription:

PowerShell

# Change these variables for your Azure environment. The current values are
# provided as examples. You can find the values for these from the Azure portal.

# The name of the storage account that goes with the CloudDP
$storage_name="4780E3836835850223C071"

# The storage access key from the Storage Account view
$key="3jSyvMssuTyAyj5jWHKtf2bV5JF^aDN%z%2g*RImGK8R4vcu3PE07!P7CKTbZhT1Sxd3l^t69R8Cpsdl1xhlhZtl"

# The name of the cloud service for the CloudDP, which for a Cloud DP is the same as the storage name
$service_name="4780E3836835850223C071"

# The subscription name the tenant is using
$azureSubscriptionName="8ba1cb83-84a2-457e-bd37-f78d2dd371ee"

# The subscription ID the tenant is using
$subscriptionId="8ba1cb83-84a2-457e-bd37-f78d2dd371ee"

# This variable is the path to the config file on the local computer.
$public_config="F:\PowerShellDiagFile\diagnostics.wadcfgx"

# These variables are for the Azure management certificate. Install it in
# the Current User certificate store on the system running this script.
# The thumbprint of the Azure management certificate
$thumbprint="dac9024f54d8f6df94935fb1732638ca6ad77c13"
$mycert = Get-Item cert:\CurrentUser\My\$thumbprint

Set-AzureSubscription -SubscriptionName $azureSubscriptionName -SubscriptionId $subscriptionId -Certificate $mycert
Select-AzureSubscription $azureSubscriptionName

Set-AzureServiceDiagnosticsExtension -StorageAccountName $storage_name -StorageAccountKey $key -DiagnosticsConfigurationPath $public_config -ServiceName $service_name -Slot 'Production' -Verbose

The following sample is an example diagnostics.wadcfgx file as referenced in the
$public_config variable in the above PowerShell script. For more information, see Azure
Diagnostics extension configuration schema.

XML

<?xml version="1.0" encoding="utf-8"?>
<PublicConfig xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration">
  <WadCfg>
    <DiagnosticMonitorConfiguration overallQuotaInMB="4096">
      <Directories scheduledTransferPeriod="PT1M">
        <IISLogs containerName="wad-iis-logfiles" />
        <FailedRequestLogs containerName="wad-failedrequestlogs" />
      </Directories>
      <WindowsEventLog scheduledTransferPeriod="PT1M">
        <DataSource name="Application!*" />
      </WindowsEventLog>
      <Logs scheduledTransferPeriod="PT1M" scheduledTransferLogLevelFilter="Information" />
      <CrashDumps dumpType="Full">
        <CrashDumpConfiguration processName="WaAppAgent.exe" />
        <CrashDumpConfiguration processName="WaIISHost.exe" />
        <CrashDumpConfiguration processName="WindowsAzureGuestAgent.exe" />
        <CrashDumpConfiguration processName="WaWorkerHost.exe" />
        <CrashDumpConfiguration processName="DiagnosticsAgent.exe" />
        <CrashDumpConfiguration processName="w3wp.exe" />
      </CrashDumps>
      <PerformanceCounters scheduledTransferPeriod="PT1M">
        <PerformanceCounterConfiguration counterSpecifier="\Memory\Available MBytes" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\Web Service(_Total)\ISAPI Extension Requests/sec" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\Web Service(_Total)\Bytes Total/Sec" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\ASP.NET Applications(__Total__)\Requests/Sec" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\ASP.NET Applications(__Total__)\Errors Total/Sec" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\ASP.NET\Requests Queued" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\ASP.NET\Requests Rejected" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\Processor(_Total)\% Processor Time" sampleRate="PT3M" />
      </PerformanceCounters>
    </DiagnosticMonitorConfiguration>
  </WadCfg>
</PublicConfig>
