Posts belonging to Category CEP

Remote Control client settings in Configuration Manager 2012

In an earlier blog about the Remote Control CEP session I explained the rebuilt and secured remote control feature in Configuration Manager 2012. Today I want to look at the Client Settings that are related to Remote Control.

You are able to find the Remote Control settings in the Remote Tools section of the Client Device settings.

Remote Control settings

When enabling the remote control feature, you can have Configuration Manager configure the firewall settings for the domain, private and public firewall profiles. You need to ensure that Configuration Manager is able to reach the destination computer. When you enable a firewall profile, the remote control port and program exceptions are automatically created on the client.

Enable Remote Control and enable creation firewall rules

When you look at the local firewall on a Configuration Manager client, you will see that the firewall exceptions are created as shown below.

Created firewall rule

Configuration Manager firewall rule

Exception program CMRcService.exe

Firewall rule created for profiles
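
To check from the client side which profiles the remote control exception actually ended up on, the following PowerShell lists the local firewall rules whose program is CMRcService.exe. This is an added example, not part of the original post or of Configuration Manager; the function name and the "needs review" heuristic (an enabled inbound allow rule that applies to the public profile or accepts any remote address) are assumptions.

```powershell
# Added example: report the local Windows Firewall rules that allow the
# Configuration Manager remote control service. Run elevated on a client that
# has the NetSecurity module (Windows 8 / Server 2012 or later).

function Get-RemoteControlFirewallRule {
    [CmdletBinding()]
    param(
        # Exception program named in the post; matched at the end of the rule's path.
        [string]$ProgramName = 'CMRcService.exe'
    )

    # Reads the local rule store, which is where the client creates its exceptions.
    # Rules delivered by Group Policy are not included here.
    $filters = Get-NetFirewallApplicationFilter -All |
        Where-Object { $_.Program -like "*\$ProgramName" }

    foreach ($filter in $filters) {
        $rule = $filter | Get-NetFirewallRule
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter

        # Profile is a flags value that renders as e.g. "Domain, Private" or "Any".
        $profiles  = "$($rule.Profile)" -split ',\s*'
        $onPublic  = ($profiles -contains 'Any') -or ($profiles -contains 'Public')
        $anySource = @($addr.RemoteAddress) -contains 'Any'
        $active    = ("$($rule.Enabled)"   -eq 'True') -and
                     ("$($rule.Direction)" -eq 'Inbound') -and
                     ("$($rule.Action)"    -eq 'Allow')

        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Enabled       = "$($rule.Enabled)"
            Direction     = "$($rule.Direction)"
            Profiles      = $profiles -join ', '
            Protocol      = $port.Protocol
            LocalPort     = @($port.LocalPort) -join ', '
            RemoteAddress = @($addr.RemoteAddress) -join ', '
            # Assumed heuristic: remote control should not be reachable on
            # public networks or from arbitrary source addresses.
            NeedsReview   = $active -and ($onPublic -or $anySource)
        }
    }
}

Get-RemoteControlFirewallRule | Format-Table -AutoSize
```

An empty result means no local rule references the program, for example because rule creation was not enabled in the client settings or the exceptions are delivered another way.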

By default users cannot manage their remote control settings via the Software Center. By enabling the setting, which you don’t want if you ask me, you will be allowing users to for instance disallow remote access of their client.

Let the users control their remote control settings

Back again is the ability to send the Ctrl+Alt+Del key sequence and log on at clients that are unattended. You will have the option to disable this feature. When you connect with the Configuration Manager Remote Control tool to a Configuration Manager client you will have the option to send the Ctrl+Alt+Del key sequence.

Control unattended client

In most situations your users will get a notification when you want to connect to their computer; you are able to disable this notification. When the notification is on, you will see the following message.

Waiting for user

Approve or deny remote control

When you choose to grant the remote control permission to local administrators, all members of that group are able to remotely control that workstation. You are able to disable this option, but you then need to configure which (groups of) users are able to connect via remote control or remote assistance. Personally I think this is the preferred way of giving remote control and remote assistance access.

Define which user or group of users are allowed to remotely control clients

Notification while remotely controlling or assisting a client can be enabled or disabled. By default this notification via sound, a session connection bar and a session notification icon on the taskbar is enabled.

Session connection bar

Session connection icon on the taskbar


Last but not least you are also able to manage unsolicited and solicited Remote Assistance and Remote Desktop settings with Configuration Manager 2012. This way you are able to use remote assistance and remote desktop from the Configuration Manager 2012 console.

Community Evaluation Program, a personal recap

Over the last 1,5 years the Configuration Manager 2012 Community Evaluation Program guided numerous people through the evaluation of the early beta and release candidate versions of Configuration Manager 2012. Yesterday the CEP for Configuration Manager 2012 stopped after almost 2 years. A little personal recap.

At TechEd 2010 in Berlin I attended a Configuration Manager 2007 R3 session from Jeff Wettlaufer, at that point still at Microsoft. He pointed out the Community Evaluation Program that was just started and still open for application.

Joining the program gave me the opportunity to learn about the early beta version of Configuration Manager 2012, which was not released to the public yet, and share the information with the rest of the Configuration Manager community via this blog. Subjects covered included the new application model, the new features in Software Updates Deployment, role based administration, compliance and settings management and the new console, all presented by the Configuration Manager product team. During the first run of the program I won an MMS ticket for the March 2011 edition in Las Vegas. In Vegas I was able to learn lots more about Configuration Manager 2012 and it was the place where Configuration Manager 2012 Beta2 was released to the public. At the same time Sybex contacted me to ask if I would like to write chapters for Mastering System Center 2012 Configuration Manager, how cool was that. :) I also met a lot of great people in Vegas.

The second run of the Community Evaluation Program was based on the beta2 version of Configuration Manager 2012 and later the Release Candidate 1 and 2. Playing and testing with the beta 2 and release candidate versions in combination with the CEP sessions and support from the Community was very valuable for learning the ins and outs of this new version of Configuration Manager. By being part of the CEP and blogging I was also able to find the bigger Configuration Manager community online and locally.

My highlights of the CMCEP were:

  • To be able to attend the Microsoft Management Summit in 2011 and 2012
  • The Configuration Manager 2012 Package Conversion Manager  :)
  • Configuration Manager 2012 in general!
  • Attending the biweekly sessions to hear about the features first hand.

The Community around the Evaluation Program stays alive, the connect site and the forums will be managed and if one of the beta versions of the Service Pack 1 of Configuration Manager 2012 will come to life the CEP will be active again.

That leaves me with a huge thanks to the CEP team (Nicole, AJ, Jeff) and the Configuration Manager 2012 product team (all of you!) for sharing their knowledge about Configuration Manager and creating and maintaining the Community Evaluation Program. It was a blast, and I can’t wait until the beta of SP1 is released ;) See ya in Vegas!

P2V Migration Toolkit RC2 released

This week the release candidate 2 version of the Configuration Manager Physical to Virtual (P2V) Migration Toolkit was released. The Configuration Manager P2V Migration Toolkit enables you to migrate your branch office site servers side by side without investing in new hardware.


You are able to download the Configuration Manager P2V Migration Toolkit RC2 here (x64) and here (x86) if you are a member of the public beta program or the Configuration Manager 2012 CEP.

Simulate deployments in Configuration Manager 2012

A new feature in Configuration Manager 2012 is the ability to simulate a deployment of an application to a user or device. This feature helps you to test the deployment of an application without actually installing or uninstalling the application. 

The simulation will evaluate the dependencies, requirements and detection methods of a deployment and report the results in the Deployments node of the Monitoring workspace. Let’s see how the simulation of a deployment really works.

Go to the Software Library Workspace, browse to the Applications node and select an Application. In the Home Ribbon you will see Simulate Deployment. Click on Simulate Deployment.

Select the Simulate Deployment button

Select the collection that you want to use to simulate the deployment and click on Next, Next and Close.

Select the collection

If you select the application and click on the Deployments tab, you will notice that the deployment purpose is Simulate.

The deployment is Simulated

The deployment will do its work and the Configuration Manager 2012 clients will process the application, evaluate the dependencies, requirements and detection methods and report the information back to the Configuration Manager 2012 Primary Site.

See the deployment simulation results

After reviewing the results you need to delete the Simulation Deployment and create a real deployment to a collection with users or devices.



Configuration Manager 2012 CEP wrap-up scheduled for February the 1st

It looks like the Community Evaluation Program for Configuration Manager 2012 comes to an end after running since October the 6th of 2010. :( In the past 1,5 years, members of the Configuration Manager 2012 Product team presented almost 30 sessions about the early versions of Configuration Manager 2012, the P2V migration toolkit and the Package Conversion Toolkit.


In the months ahead Configuration Manager 2012 will head to RTM and will hopefully soon be generally available for us to implement this great product in production environments. But first two CEP sessions are scheduled:

  • 18 January 2012: Microsoft IT Deployment of Configuration Manager 2012
  • 1 February 2012: Program wrap-up

You can still join the System Center 2012 Configuration Manager Community Evaluation Program by applying via the following link: Here you are also able to download recordings and the PowerPoint slides.

One little month of CEP to go, I guess I am going to miss this program ;) The session of tomorrow is rescheduled to the 18th of January.

Mark your calendar; next CEP session 18 January about Microsoft IT

The first Community Evaluation Program session of 2012 is scheduled for the 18th of January (9:00 AM Pacific). This session will be about the deployment of Configuration Manager 2012 by Microsoft IT, the largest deployment of System Center 2012 Configuration Manager until now.

During this session members of the deployment project will tell us how the team planned, deployed and migrated, and how it is now managing the 200.000 clients (target will be 280.000 clients). They will share the overall project schedule, migration strategy, client deployment experience, software center implementation, settings management, the new app model, integrated management and security and more. If you ask me, a very valuable session if you plan to migrate to Configuration Manager 2012 this year.

The speakers are:

Shitanshu Verma is Lead Operations Engineering in Management Platforms and Service Delivery (MPSD) organization which provides Software Delivery Service to Microsoft IT using System Center Configuration Manager. Shitanshu is primarily responsible for Platform Engineering and Operations related to System Center Configuration Manager deployment and managing the Microsoft IT Configuration Manager hierarchy with almost 400 Configuration Manager servers worldwide and ~300,000 Configuration Manager clients. Shitanshu has worked on enterprise management technology for the past 10 years with the last 7+ years at Microsoft.

Karthik Jayavel is a Service Engineer focused on Configuration Manager 2012, including settings management (formerly DCM), power management, mobile device management, and other configuration management items. One of his focus areas is on automating remediation of client settings and server settings as well as integrating Configuration Manager with Operations Manager and Service Manager. Karthik has worked in IT for 15 years and prior to joining Microsoft, worked in Systems Management since 2000.

Marc Hurley is Operations Lead for the Software Delivery Service in the Management and Platforms Service Delivery organization at Microsoft. He is responsible for the operational components behind software delivery service which provides applications to over 250,000 desktops at Microsoft. Marc has been heavily involved in Microsoft’s transition from System Center Configuration Manager (ConfigMgr) 2007 to ConfigMgr 2012. Prior to joining Microsoft, Marc worked in systems management and virtualization technologies for over 10 years, including supporting global systems for a top automobile manufacturer and a major Hydro Electric company.

You can still join the System Center 2012 Configuration Manager Community Evaluation Program by applying via the following link:


Managing mobile devices in Configuration Manager 2012 via Exchange Online (2)

In my last blog I configured the Exchange Server Connector in Configuration Manager 2012 RC1 to connect to a hosted Exchange 2010 environment in Office 365. Today I want to show some interaction of Configuration Manager 2012 with Office 365 Exchange Online.

Access Rules

After configuring the Exchange Server Connector you are able to create access rules in the connector for devices that are able to connect to Exchange Online. You can do this as follows:

Go to the Exchange Server Connector (Administration Workspace -> Hierarchy Configuration -> Exchange Server Connectors) and retrieve the properties of the configured connector.

The configured Exchange Server Connector

Go to the Access Rules tab and configure an access rule for the device family iPhone with an access level of Allow access. Click on OK to configure the Access Rule.

Configure an Access Rule for an iPhone

Next browse to your Exchange Online management website ( Options -> Manage My Organization – Phone & Voice) and check if the Access Rule is synchronized. In the next figure you see it is.

The access rule is synchronized to Exchange Online

Quarantine settings

Next, you are able to configure quarantine settings. With this option any new device that is going to connect to the Exchange environment must first be approved by the (Exchange) Administrator.

Go to the Exchange Server Connector (Administration Workspace -> Hierarchy Configuration -> Exchange Server Connectors) and retrieve the properties of the configured connector. Change the Access level when a mobile device is not managed by a rule option to Quarantine.

Configure Quarantine

After connecting my new Nokia Lumia with Windows Phone 7.5 I received a message from Exchange ActiveSync that the telephone is in quarantine until the administrator approves access.

Nokia Lumia is placed in Quarantine

In Configuration Manager you are able to allow or block access for this newly discovered device. The option to Create a rule for similar devices won’t work since the connector won’t synchronize the rule to Configuration Manager 2012. To allow all Windows Phones you should create an access rule from the Configuration Manager console.

The discovered mobile devices

Monitoring Exchange Server Connector

Monitor the logfile EASDisc.log

The EASDisc.log file in the logs folder where Configuration Manager 2012 is installed can be used to see if the Exchange Server Connector still works. But you can of course also view the status messages for SMS_EXCHANGE_CONNECTOR in the Component monitoring node in the Configuration Manager console.

Or monitor the status messages


Another feature of Configuration Manager 2012 that rocks and enhances the ability to manage your mobile devices in the enterprise. The only thing I couldn’t find was the option to Create a rule for similar devices that are in Quarantine in the Configuration Manager console. Maybe this will be available in the RTM version.


Managing mobile devices in Configuration Manager 2012 via Exchange Online (1)

In an earlier blog I configured the Exchange Server Connector in Configuration Manager 2012 Beta2 to use it with an on-premises Exchange 2010 environment. Today let’s have a look at whether the Exchange Server Connector in Configuration Manager 2012 RC1 can also handle Exchange 2010 in Office 365. Since I don’t have an enterprise Office 365 environment I used a free 30 day evaluation version.

After configuring a temporary Office 365 account and connecting my mobile devices it was fairly easy to configure the Exchange Connector in Configuration Manager 2012. Let’s see how.

I configured an Office 365 environment as follows:

  • Domain name:
  • Administrative user:
  • Test user:

Go in the Configuration Manager 2012 console to the Administration workspace and choose Hierarchy Configuration -> Exchange Server Connectors to configure a new Exchange Server Connector.

Configure the Exchange online URL

Choose Hosted Exchange Server and supply and choose the Primary site where the Exchange Server connector must run from. If needed, also configure a proxy server to connect to the Internet.

Configure the credentials to access Exchange in Office 365

Supply the credentials of the administrative Office 365 user ( ) by adding the user to Configuration Manager 2012. With this account the Exchange Server Connector will access the hosted Exchange environment.

Configure the discovery of mobile devices

Configure the discovery of the mobile devices in Exchange 2010 via the Exchange Server Connector. You are able to schedule the full synchronization, which gathers all properties for new and known mobile devices, and a delta synchronization interval, which identifies new mobile devices and limited changes for known mobile devices.

Let's manage everything with Configuration Manager 2012

Configure the mobile device settings per group. When changing a setting in a group, the status will be changed from Configured by Exchange to Configured By Configuration Manager. Finish the configuration of the connector and click on Synchronize Now in the home ribbon. The Exchange Server Connector will connect to the hosted Exchange 2010 environment and gather all information about the mobile devices connected to Exchange.

The discovered mobile devices

How easy was this? In the next blog I will point out how the Exchange Server Connector and the hosted Exchange environment are working.


Happy (System Center) 2012!

First of all, I would like to wish everybody a healthy and successful 2012! It’s going to be a superb year for every System Center adept with the release of the System Center 2012 suite ;) Looking forward to it!

Some people say, never look back, but last year was a superb year for me, it was the year of;

As mentioned earlier, it was a superb “System Center”  year for me, hope to see you again in 2012 on ! Thanks for reading the blogs and giving feedback!

2012 is going to be exceptional!

Discovery Methods in Configuration Manager 2012

In Configuration Manager 2012 the discovery of users, groups and devices has been improved since Configuration Manager 2007. In this blog I would like to point out the available options that come with Configuration Manager 2012.

The discovery feature in Configuration Manager 2012 enables you to identify computer and user resources that can be managed with Configuration Manager. You are able to configure the discovery of resources on different levels in the Configuration Manager 2012 hierarchy. Let’s see how you are able to discover your user and devices.

Active Directory Forest Discovery

The Active Directory Forest Discovery is a new discovery method in Configuration Manager 2012 that allows the discovery of the Active Directory forest where the site servers reside and also of any trusted forest. With this discovery method you are able to automatically create the Active Directory or IP subnet boundaries that are within the discovered Active Directory forests.

Active Directory Forest Discovery can be configured on Central Administration Sites and Primary Sites.

To enable the discovery of Active Directory forests you need to configure this option in Administration -> Overview -> Site Hierarchy -> Discovery Methods -> Active Directory Forest Discovery.

Enable Active Directory Forest Discovery

Heartbeat discovery

The Heartbeat Discovery method is enabled by default and is used to configure the heartbeat schedule. The heartbeat discovery runs on each Configuration Manager client and is used to create a discovery data record (DDR). This record is reported back to the management point every x period of time. For mobile device clients, the DDR is created by the management point that is used by the mobile device client.

The Heartbeat discovery can be configured on every Primary Site.

To enable the Heartbeat Discovery you need to configure this option in Administration -> Overview -> Site Hierarchy -> Discovery Methods -> Heartbeat Discovery.

Network Discovery

The Network Discovery method is used to discover the topology of your network and the devices on that network. The Network Discovery “service” searches your network for IP enabled resources. This is done by querying services that run an implementation of Microsoft’s DHCP, ARP tables in routers, SNMP enabled devices and Active Directory Domains.

Configure Network Discovery

It is a best practice only to use this method when all other methods cannot find the devices you want to discover and manage.

You are able to configure network discovery on the Central Administration Site, Primary Sites and Secondary Sites.

To enable the Network Discovery you need to configure this option in Administration -> Overview -> Site Hierarchy -> Discovery Methods -> Network Discovery.

Active Directory User Discovery

The Active Directory User Discovery is used to discover users in the Active Directory ;) You are able to configure the discovery to look only into one or more definable OUs or a complete domain, to search child containers and to discover objects within Active Directory groups, as shown in the figure below.

Limit the scope of discovery

You are able to configure the full discovery polling schedule to occur every period of time (minutes, hours, days, weekly, monthly) and you are able to configure a delta discovery every X number of minutes. Delta discovery finds resources in the Active Directory that are new or modified since the last full discovery cycle.

Besides the default attributes, you are able to add attributes that need to be discovered.

Add attributes to the scope of discovered attributes

Active Directory User Discovery can be configured on Central Administration Sites and Primary Sites.

To enable the discovery of Active Directory Users you need to configure this option in Administration -> Overview -> Site Hierarchy -> Discovery Methods -> Active Directory User Discovery.

Active Directory System Discovery

The Active Directory System Discovery has the same discovery options regarding OUs, scheduling and adding attributes that need to be discovered. Two new and very welcome options are that you can now define that the discovery method must only discover computers that have logged on to a domain in a given period of time and that the discovery method must only discover computers that have updated their computer password in a given period of time. This way you won’t discover obsolete computer accounts from the Active Directory.

Exclude "obsolete" computers

Active Directory System Discovery can be configured on Central Administration Sites and Primary Sites.

To enable the discovery of Active Directory Systems you need to configure this option in Administration -> Overview -> Site Hierarchy -> Discovery Methods -> Active Directory System Discovery.

Active Directory Group Discovery

The old Configuration Manager 2007 System Group and User Group discovery are merged to one discovery method, which is called Active Directory Group Discovery. Besides merging the methods, Configuration Manager will now also remove devices or users from collections that are for instance removed from an Active Directory Group. You are able to discover Groups via a definable Location (OU or domain) or via definable Groups that are available in the Active Directory domain.

Configure group discovery

Also with the Active Directory Group Discovery you are able to configure the “Time since last logon”  and “Time since last password update”  options. You are also able to discover the membership of distribution groups.

Exclude "obsolete" computers and discover membership of distribution groups

Active Directory Group Discovery can be configured on Central Administration Sites and Primary Sites.

To enable the discovery of Active Directory Groups you need to configure this option in Administration -> Overview -> Site Hierarchy -> Discovery Methods -> Active Directory Group Discovery.
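
Before turning on the "Time since last logon" and "Time since last password update" options described for System and Group Discovery, it helps to preview which computer accounts such a filter would leave out. The PowerShell below is an added example, not part of the original post or of Configuration Manager; it approximates the filter from two account timestamps, and the function name, the 90-day thresholds and the sample accounts are assumptions.

```powershell
# Added example: preview which computer accounts a "last logon" / "last password
# update" discovery filter would skip. Thresholds are assumed; use your own values.

function Get-DiscoveryStaleness {
    [CmdletBinding()]
    param(
        # Any object with Name, LastLogonDate and PasswordLastSet properties,
        # which is the shape Get-ADComputer returns for those properties.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Computer,
        [int]$MaxLogonAgeDays    = 90,
        [int]$MaxPasswordAgeDays = 90,
        [datetime]$Now           = (Get-Date)
    )
    process {
        $reasons = @()

        # LastLogonDate comes from lastLogonTimestamp, which by default can lag
        # the real logon by up to about 14 days; keep thresholds well above that.
        if ($null -eq $Computer.LastLogonDate) {
            $reasons += 'no logon recorded'
        } elseif (($Now - $Computer.LastLogonDate).TotalDays -gt $MaxLogonAgeDays) {
            $reasons += "last logon older than $MaxLogonAgeDays days"
        }

        if ($null -eq $Computer.PasswordLastSet) {
            $reasons += 'no password change recorded'
        } elseif (($Now - $Computer.PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays) {
            $reasons += "password older than $MaxPasswordAgeDays days"
        }

        [pscustomobject]@{
            Name            = $Computer.Name
            LastLogonDate   = $Computer.LastLogonDate
            PasswordLastSet = $Computer.PasswordLastSet
            WouldBeSkipped  = $reasons.Count -gt 0
            Reasons         = $reasons -join '; '
        }
    }
}

# Constructed sample accounts, evaluated against a fixed date so the result is stable.
$now = [datetime]'2012-02-01'
$sample = @(
    [pscustomobject]@{ Name = 'WS001'; LastLogonDate = [datetime]'2012-01-25'; PasswordLastSet = [datetime]'2012-01-10' }
    [pscustomobject]@{ Name = 'WS002'; LastLogonDate = [datetime]'2011-06-01'; PasswordLastSet = [datetime]'2011-05-20' }
    [pscustomobject]@{ Name = 'WS003'; LastLogonDate = $null;                  PasswordLastSet = [datetime]'2011-12-15' }
)
$sample | Get-DiscoveryStaleness -Now $now | Format-Table -AutoSize

# Against a live domain (ActiveDirectory module from RSAT), limited to one OU:
# Get-ADComputer -Filter * -SearchBase 'OU=Workstations,DC=example,DC=com' `
#     -Properties LastLogonDate, PasswordLastSet | Get-DiscoveryStaleness
```

With the sample data, WS001 passes both checks, WS002 fails both, and WS003 is flagged only because it has no recorded logon. The OU path in the commented command is a placeholder.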

With all these discovery methods you are able to gather the resources that you want to manage in your Configuration Manager sites. Try to limit the resources that you want to discover to those you need for Configuration Manager 2012.