Posts belonging to Category v.Next



Automatically migrating SCCM 2007 DPs to SCCM 2012

In earlier blogs I described and showed you the overall process of migrating Configuration Manager 2007 to Configuration Manager 2012. In this blog I would like to point out a great migration feature: the automatic upgrading of Distribution Points.

While you are in the migration process you have the option to share the Configuration Manager 2007 Distribution Points with Configuration Manager 2012 instead of deploying new ones. In other words, when the Configuration Manager 2007 Distribution Points are shared, the content on those Distribution Points also becomes available to clients that are part of the Configuration Manager 2012 hierarchy. Enabling this option is a simple step. After gathering the data of the source hierarchy, the migration process also gathers information about the Distribution Points in the source hierarchy. In the Configuration Manager 2012 Console browse to the Administrator workspace, go to the Migration node and click on Active Source Hierarchy. Next, select the site for which you want to share the Distribution Points and click on Share Distribution Points in the Home ribbon.

When the dialog above appears, tick the checkbox and click on OK. The data gathering process starts again and from then on the shared Distribution Point is available to clients in the Configuration Manager 2012 hierarchy. After all your Configuration Manager 2007 objects have been migrated to Configuration Manager 2012 and your migration period is finished, you are able to upgrade the Distribution Point.


In the Configuration Manager 2012 Console browse to the Administrator workspace, go to the Migration node and click on Active Source Hierarchy. Next, select the site for which you enabled Distribution Point sharing and click on Distribution Points. Select the Distribution Point, go to the Home ribbon and click on Upgrade. Before the upgrade starts, the server on which the Distribution Point resides is checked for enough free disk space and for the absence of any other Configuration Manager site roles.

Depending on the size of your Distribution Point, the upgrade can take some hours to complete. You see, migrating to Configuration Manager 2012 is going to be easy :)


Troubleshooting Certificates and Configuration Manager 2012

While implementing certificates in my Configuration Manager 2012 lab I came across a couple of certificate issues. I was not able to install Configuration Manager Clients and the enrollment of devices was not stable.

Issue 1: MP and DMP not responding to HTTP requests

MP Control Manager detected DMP is not responding to HTTP requests.  The http error is 2147500037.

Possible cause: DMP service is not started or not responding on all DMP physical machines.

Solution: Manually restart the SMS Agent Host service on the DMP.

Possible cause: IIS service is not responding.

Solution: Manually restart the W3SVC service on the MP.

For more information, refer to Microsoft Knowledge Base article 838891.

Fix: in the client authentication certificate template, change the Subject Name setting from Common name to Fully distinguished name. The Client Authentication Certificate must also be installed on the Management Point Site Server.

After fixing the above, the client was pushed and was able to communicate with the primary site, as shown in the picture below.

Issue 2: Enrollment Web Component and Enrollment Service not responding to HTTP requests

Enrollment Web Control Manager detected Enrollment Web Component is not responding to HTTP requests.  The http error is 2147500037.

Possible cause: IIS service is not responding.

Solution: Manually restart the W3SVC service on the ENROLLWEB.

For more information, refer to Microsoft Knowledge Base article 838891.

______________

Enrollment Server Control Manager detected Enrollment Service is not responding to HTTP requests.  The http error is 2147500037.

Possible cause: IIS service is not responding.

Solution: Manually restart the W3SVC service on the ENROLLService.

For more information, refer to Microsoft Knowledge Base article 838891.

The fix for me was installing the Client Authentication Certificate on the Management Point Site Server.
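Both issues above came down to the same two things on the Management Point: a web server certificate bound in IIS and a client authentication certificate in the machine store whose subject carries the server's fully distinguished name. The following PowerShell check is an added example and not part of the original post; it assumes it runs elevated on the Management Point site server with the IIS WebAdministration module available, and the SAN check is an extra assumption on top of the Subject Name fix described above.

```powershell
# Added example, not code from the original post. Run elevated on the MP site server.
# Checks for a valid Server Authentication and Client Authentication certificate
# (private key present, not expired, subject CN or SAN = this server's FQDN) and
# that every HTTPS binding in IIS points at a certificate that is really in the store.
# Assumes the WebAdministration module (IIS Management Scripts feature) is installed.
Import-Module WebAdministration

$required = @{
    'Server Authentication' = '1.3.6.1.5.5.7.3.1'   # EKU OID used by the IIS web server cert
    'Client Authentication' = '1.3.6.1.5.5.7.3.2'   # EKU OID the MP needs to talk to other roles
}
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now  = Get-Date

function Get-Ekus([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    # .NET returns the EKU extension (OID 2.5.29.37) as a typed X509EnhancedKeyUsageExtension
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
}

function Test-NameMatch($cert, $name) {
    # Subject must be the fully distinguished name (CN=<fqdn>); a SAN entry is also accepted
    if ($cert.Subject -match "CN=$([regex]::Escape($name))(,|$)") { return $true }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    return [bool]($san -and ($san.Format($false) -match [regex]::Escape($name)))
}

$certs = Get-ChildItem Cert:\LocalMachine\My

foreach ($entry in $required.GetEnumerator()) {
    $ok = $certs | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt $now -and $_.NotBefore -lt $now -and
        ((Get-Ekus $_) -contains $entry.Value) -and (Test-NameMatch $_ $fqdn)
    }
    if ($ok) { "OK   $($entry.Key): $(@($ok)[0].Thumbprint) ($(@($ok)[0].Subject))" }
    else     { "FAIL $($entry.Key): no valid certificate for $fqdn with a private key in LocalMachine\My" }
}

# An HTTPS binding whose thumbprint is not in the store leaves IIS unable to serve TLS at all
$bindings = Get-WebBinding -Protocol https
if (-not $bindings) { 'FAIL no HTTPS binding in IIS' }
foreach ($b in $bindings) {
    $bound = $certs | Where-Object { $_.Thumbprint -eq $b.certificateHash }
    if ($bound) { "OK   HTTPS binding $($b.bindingInformation) uses $($b.certificateHash)" }
    else        { "FAIL HTTPS binding $($b.bindingInformation) references missing certificate '$($b.certificateHash)'" }
}
```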

Configuration Manager 2012 and certificates

With Configuration Manager 2012 you are able to secure your Configuration Manager infrastructure with certificates per Site System Role, instead of per whole Configuration Manager Site as in Configuration Manager 2007. Let’s look at how you can enable secure communications to and between the site system roles in Configuration Manager 2012.

First you need to ensure that a Public Key Infrastructure is present in your environment and that you are able to enroll PKI certificates. After the PKI is in place and tested, you can follow the global steps described below (http://technet.microsoft.com/en-us/library/gg682023.aspx):

Creating a Web Service Certificate for Site Systems that run IIS

  • Create a “Configuration Manager 2012 site systems” Certificate Template by copying it from the Web Server Template
  • Request and enroll the Web Server certificate on the Configuration Manager 2012 Site Servers from the “Configuration Manager 2012 site systems” template
  • Configure IIS to use the created certificate.

Deploying the client certificates for the computers

  • Create and issue a Workstation authentication certificate
  • Configure and enable auto-enrollment of the client certificates

Deploying Certificates for Mobile Devices

  • Create a “Configuration Manager 2012 site systems” Certificate Template by copying it from the Authenticated Session Template
  • Create a new template for ConfigMgr Mobile Device Enrollment Certificate.

Per site role you are able to configure whether it communicates securely via HTTPS or via HTTP. Roles like the Management Point and Distribution Point are configurable as shown below.

To configure the Site to use secure communications, configure the client computer communication settings in the Site properties of the Primary Site or Central Administration Site. In my lab I only secured the primary site, as shown below.

When enabling HTTPS for a site, do not forget to also configure the SQL Server protocols to use the certificate of the SCCM site server. Otherwise Configuration Manager is not able to communicate with the SQL database and your event log will fill up with Schannel errors.

In the next blog I will write about some issues I ran into and the resolutions to get the secure communications right.

CEP Configuration Manager 2012 Hierarchy Technical Overview summary

Today another Live Meeting session of the Configuration Manager 2012 Community Evaluation Program was held. The subject this time: Hierarchy Technical Overview. With Configuration Manager 2012 lots of nice things in the Configuration Manager Hierarchy are changing. Let’s see which nice things will change :)

Today D.C. Tardy, Senior Program Manager of the Configuration Manager team, guided us through the changes.

The key takeaways for today are simplification of infrastructure and simplification of administration!

Configuration Manager 2012 will have the following infrastructure promises:

  • Modernizing architecture
    • Minimizing infrastructure for remote offices
    • Consolidating infrastructure for primary sites
      • Central Administration Point is just for administration and reporting.
      • File processing occurs once at the primary site and uses replication to reach other sites
      • System generated data (Hardware and software inventory and Status) can be configured to flow to the CAS directly.
    • Be trustworthy
      • Interactions with SQL DBA are consistent with SCCM 2007
      • Configuration manager admin can monitor and troubleshoot new replication approach directly

Simplify your hierarchy! Collapse the multi-tier approach to a CAS with Primaries.

  • Use Primary sites for:
    • Scale more than 100.000 clients
    • Reduce impact of site failure
    • Local point of connectivity of administration (political)
    • Political reasons
    • Content regulation
  • Use primary sites not for:
    • Decentralized administration
    • Logical data segmentation
    • Client settings
    • Languages
    • Content routing for deep hierarchies
  • Use Secondary sites for:
    • Managing upward-flowing WAN traffic
      • Sensitive networks
    • Tiered content routing for deep network topologies
    • No local administrator
  • Secondary Site servers support and use SQL Express, MP, DP, SUP and PMP
  • Use Distribution points for
    • Sites with not enough bandwidth for BITS
    • Multicast for operating system deployment
    • App-v streaming
  • Do not use Distribution Points:
    • When BITS provides enough control for WAN traffic
    • When BranchCache is deployed
      • DP on Windows Server 2008 R2
      • Vista SP2 KB960568
      • Windows 7
  • Distribution Points provide
    • Scheduling and throttling data synchronization
    • PXE and multicast properties
    • Role can be installed on clients and servers
    • Specify drives for content storage
  • There is no support anymore for the old prestaging technology (courier senders, pkgPreLoadOnSite tools, manual prestaging)

Content Prestaging

  • New for Configuration Manager 2012
  • One feature that can preload content on a site server or distribution point
    • All package types supported
    • Content library and package share
    • Registers package availability with site server
    • Prestaged content file is compressed
    • Single action to load multiple prestaged content files
    • Conflict detection to ensure latest package version

Forest discovery

  • Discovers the site server’s forest plus any trusted forests
  • Manually add forests that are not trusted
    • Forests for a perimeter network
    • Supports both publishing and discovery
  • Discovery returns domains, IP subnets and AD Sites
  • Supports boundary creation, on-demand or automatic

Boundaries

  • Retained same boundaries as SCCM 2007
    • Active Directory Site
    • IP Address range
    • IPv4 subnet
    • IPv6 prefix
  • Boundary management has been simplified
    • Automatically create boundaries as part of forest discovery
      • Enable AD forest discovery
    • Separated client assignment and content lookup
    • Added boundary groups to keep boundaries organized in logical containers
    • Boundary groups are the primary object for client assignment and content lookup (not the boundary itself)
  • Automatically create a boundary group and associated boundaries from Configuration Manager 2007 site during migration

When do you need a Central Administration Site?

  • More than one primary site in a single hierarchy
  • Off-load reporting and administration from your Primary Site
  • Migration consideration: The Central Administration Site must always be installed on new hardware.
  • You can move administrators from primary sites to the CAS for reducing

SQL for Configuration Manager 2012

  • One Configuration Manager site per SQL Server instance
  • All database communication is encrypted
  • TCP/IP ports for SQL Server and the Service Broker need to be opened in the firewall (1433, 4022)
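The earlier certificate post warned that SQL Server must use the site server’s certificate or the event log fills with Schannel errors, and the bullets above add that ports 1433 and 4022 must be open between sites. The PowerShell below is an added example, not code from the posts or from Microsoft; it assumes it runs elevated on the site server that hosts the site database, and the peer server name is a placeholder to replace with your own CAS or primary site server.

```powershell
# Added example, not code from the original posts. Run elevated on the site server
# hosting the site database. Reads the certificate SQL Server is configured to use
# for encrypted connections (SuperSocketNetLib registry values), checks it against
# the machine store, and checks that the SQL and Service Broker ports (1433, 4022)
# of a peer site server are reachable through the firewall.
$PeerSiteServer = 'cas.corp.example.com'   # placeholder, replace with your CAS/primary site server
$Ports = 1433, 4022
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# One Configuration Manager site per SQL instance, so the first instance registered
# on this server is taken to be the one holding the site database.
$names = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$instanceId = ($names.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
    Select-Object -First 1).Value
$netlib = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"
$cfg = Get-ItemProperty $netlib

function Test-SqlCertificate($thumbprint, $expectedName) {
    # Returns a list of problems; an empty result means SQL Server can use the certificate
    $problems = @()
    if (-not $thumbprint) { return ,@('no certificate configured in SuperSocketNetLib\Certificate') }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
    if (-not $cert) { return ,@("thumbprint $thumbprint is not in LocalMachine\My") }
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in the machine store' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))) {
        $problems += 'missing the Server Authentication EKU'
    }
    if ($cert.Subject -notmatch "CN=$([regex]::Escape($expectedName))(,|$)") {
        $problems += "subject '$($cert.Subject)' does not carry the FQDN $expectedName"
    }
    return $problems
}

function Test-TcpPort($HostName, $Port, $TimeoutMs = 3000) {
    # Plain TCP connect with a timeout; works on Windows Server 2008 R2, which has no Test-NetConnection
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

"SQL instance: $instanceId  ForceEncryption: $($cfg.ForceEncryption)  Certificate: $($cfg.Certificate)"
$issues = Test-SqlCertificate $cfg.Certificate $fqdn
if ($issues) { $issues | ForEach-Object { "FAIL SQL certificate: $_ (expect Schannel errors in the System log)" } }
else { "OK   SQL Server is using a valid certificate for $fqdn" }

foreach ($port in $Ports) {
    if (Test-TcpPort $PeerSiteServer $port) { "OK   $PeerSiteServer`:$port reachable" }
    else { "FAIL $PeerSiteServer`:$port blocked or not listening; site-to-site replication will not work" }
}
```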

Replication of Configuration Manager data

  • Global data is replicated via SQL
    • Collection rules, package metadata, software update metadata, deployments
    • Found on Central Administration Site, All Primary Sites and Secondary sites (subset of global data)
  • Site data is replicated via SQL
    • Created by system
    • Collection members, Hardware inventory, alert messages
    • Found on Central Administration Point, Originating Primary Site
  • Content is replicated via file based replication
    • Software packages, installation bits, software updates, boot images
    • Found on Primary Sites, Secondary Sites and Distribution Points
  • For more information about the replication you can find there.

Monitoring replication

  • Is done in the Configuration Manager Console
  • Administration Node shows disk space problems at site for instance SQL database
  • Monitoring node shows us alerts set for instance disk space
  • Monitoring can be done in the Hierarchy Diagram
  • Database Replication node gives replication information about site-to-site replication (global replication status)
  • Diagnostic information can be saved to CSV files

Client settings

  • Easiest step to infrastructure reduction; stop using primary sites for different client settings
  • Default client settings for the entire hierarchy
  • Custom client settings assigned to collections
    • Priority-based conflict resolution
      • Custom settings override default settings
    • Resultant settings can be an aggregation of both default and one or more custom settings

Hardware inventory client settings

  • No editing .mof files because of the console experience in the Configuration Manager Console :)
  • Browse WMI namespace to select the classes you need
  • Backward compatible (you can import existing .mof files)

Client Settings & collection assignment

  • Collections are global data
  • Collections are now globally evaluated at all sites
    • Clients from any site can be members and receive targeted deployments
    • Change focus from site-centric administration to client-centric
  • Remember:
    • global data: collection rules & counts
    • Site data: collection members

Role based administration

Role based administration is a very important piece for allowing hierarchy simplification. The concept is based on “Display what’s relevant to me”.

Role Based Administration allows:

  • Mapping organizational roles of administrators to security roles
  • Hierarchy-wide security management from a single management console
    • RBA is global data
    • Concept of RBA:
      • Security Roles, what types of object can I see and what can I do to them?
      • Security Scopes, Which instances can I see and interact with?
      • Collections, Which resources can I interact with?

Collection limiting

With Configuration Manager 2012 you are able to limit collections.

  • Every collection is limited by another
  • Assigning a collection to an administrator automatically assigns all limited collections
  • Ships with two read-only root collections
    • All systems
    • All users and user groups

Promises for Configuration Manager 2012 vs 2007

  • Scalability and data latency improvements
  • Consolidating infrastructure for primary sites
  • Minimizing infrastructure for remote offices

Migration thoughts

Be sure to see the Migration Session and my movie about migrating Configuration Manager 2007 to Configuration Manager 2012. To further prepare your SCCM 2007 environment please look at the following:

  • Flatten your hierarchy where possible
  • Plan for Windows Server 2008, SQL 2008 and 64-bit
  • Start implementing BranchCache with Configuration Manager 2007 SP2
  • Move from web reporting to SQL Reporting Services
  • Avoid mixing user & device collection definitions
  • Use UNC paths to the MSI in the package source path instead of local paths

The question I asked, about whether there is a way to view the resultant set of client settings when a client receives client settings via different collections, is passed on to the Client Settings part of the Configuration Manager product team. If it’s not there yet, I think it would be a nice feature for Configuration Manager 2012 ;)

Next session is about June 8, Application Management part 2. Be there! :)

CEP meeting #9 summary “SCCM 2012 Mobile Device Management”

As part of the Community Evaluation Program the 9th live meeting about System Center Configuration Manager 2012 was scheduled for today. The main subject was Mobile Device Management in SCCM 2012.

At this moment Microsoft has three major products for managing Mobile phones, Mobile Devices Management (MDM) 2008, SCCM 2007 and Exchange 2007/2010. The functionality of MDM 2008 SP1 and SCCM 2007 is combined in SCCM 2007 R3. The same functionality of SCCM 2007 R3 and some nice enhancements and new features will be available in SCCM 2012.

This blog is a summary of the CEP session about SCCM 2012 Mobile Device Management.

Mobile phones in the enterprise today

Today the mobile devices in the enterprise form a heterogeneous environment; companies can no longer standardize on one platform. Employees bring their own mobile device to work and want to synchronize their email and calendar information. Half of all smartphones in use in North American businesses are not company owned.

Exchange admins end up managing most mobile devices due to the use of Exchange ActiveSync policies.

Microsoft Mobile device management

There are two sorts of mobile device management in SCCM, light mobile device management and depth mobile device management.

  • Single “pane of glass” for managing desktops, servers, mobile devices;
  • Exchange connector
  • Depth management of WinCE 6.0, WM 6.0/6.1, WP 6.5 and Nokia Symbian based devices
  • Secure over the air enrollment
  • Monitor and remediate non-compliant devices
  • Deploy applications and configuration policies to users or devices
  • Mobile VPN is not required anymore to connect to the Device Management environment

Exchange Connector for SCCM 2012

Light Mobile device management via Exchange connector:

  • Provides a single pane of glass for all assets in the enterprise
  • Transfers mobile device administration from Exchange to SCCM
    • Rich inventory and reporting experience
    • Define organization level ActiveSync Policy
    • Device wipe
    • Supports Exchange 2010 and hosted Exchange
    • Supports all EAS capable devices including WP7, Symbian, IOS, Android, Palm, etc.

Configuring Exchange Connector in SCCM 2012

Configuring the Exchange Connector in SCCM 2012 is easy: you just need to supply the server address of the Exchange (I think the CAS) server and a service account. You can give the service account limited access through RBAC (option: Mobile Device Management).

In SCCM 2012 you must configure the EAS policy on the Primary Site; it will be deployed to Exchange and Active Directory. In the EAS Policy you can assign the same things as in Exchange Server 2010; one of the settings is disabling POP3 and IMAP access.

Exchange Connector experience

The “All Mobile Devices” collection is the place to find all devices discovered in Exchange.

You can see information about discovered mobile devices through the Resource Explorer, things like hardware information, software settings, inventory and ActiveSync properties. You can also remotely wipe the mobile device (or cancel the request ;) ).

The Exchange connector gives us basic reporting about the following things:

  • What mobile devices are in the enterprise?
  • Exchange policy summarization (compliance)
    • What mobile devices are compliant
    • What mobile devices are not compliant

The discovery of the mobile devices goes from Exchange/AD to SCCM.

Depth vs Light Management

You will find the difference between light management and depth management in the following table.

Feature                 | Light: Exchange ActiveSync | Depth: WM 6.1, | Depth: Nokia | Depth: WM 6.0,
                        | connected devices          | WP 6.5.x       | Symbian      | CE 6.0
------------------------+----------------------------+----------------+--------------+---------------
Over the air enrolment  |                            | V              | V            |
Inventory               | V                          | V              | V            | V
Settings Management     | V                          | V              | V            |
Software Distribution   |                            | V              | V            | V
Remote Wipe             | V                          | V              | V            |

Depth Device Management Topology

  • Key server roles for Device Management in SCCM 2012
    • Enrollment Web Proxy
    • Enrollment Service Point
    • Software catalog roles (option)
    • Management Point
    • Distribution Point
    • Management is done over HTTPS
    • Microsoft Enterprise CA is required (SCCM Native Mode)

Mobile device enrollment

  • Establishes mutual trusts between the device and the management server
  • Windows Phone 6.5.x, WM 6.1 and Nokia devices are enrolled and provisioned securely (HTTPS) over the air
  • WinCE 6.0 and WM 6.0 enrollment performed as in SCCM 2007

Prerequisite

A user-targeted client setting, assigned to collections, is used to allow users to enroll mobile devices.

Installation process:

  • The user downloads Configmgrenroll[1].cab to the mobile device
  • The enrollment client is installed by the user
  • The user supplies email address and password
  • The enrollment client autodiscovers the server address
  • Client will poll for the policies / registration

Registered mobile devices

  • Are added to site
  • More Inventory information

Once registered, the administrator has more reporting functionality, such as the following hardware information in the Resource Explorer:

  • Device Client Agent Version
  • Device Computer System
  • Device Display
  • Device Installed Applications
  • Device Memory
  • Device OS Information
  • Device Password
  • Device Power
  • System
  • Workstation Status

The Software Catalog also integrates with depth-managed mobile devices, and users can wipe their mobile devices from it. You are also able to bind a mobile device to a specific user.

Remote Device Wipe

  • Admins can wipe a mobile device from the management console
  • Users can wipe from the software catalog
  • The wipe action is always scheduled
    • Depth managed devices : wipe is scheduled for the next DM session
    • Light managed devices are wiped at next email synchronization
    • Dual managed devices: next DM session or email synchronization, whichever is first.

Mobile device settings management

  • Fully integrated experience with non-mobile configuration and settings management
    • Supports monitoring and enforcement
    • Standard settings groups with simplified UI
    • Supports admin defined settings via mobile registry or OMA-URI
    • Evaluation is done on the server and remediation commands are sent to the client
    • Baseline settings can be user or device targeted

New Features for software distribution

As mentioned in an earlier blog, the Application Model has changed in SCCM 2012.

  • Application Model
    • Incorporates all supported software types (MSI, Script, App-v, Mobile Cab)
    • Greatly improved dependency handling
    • Installation requirements rules
    • Installation detection methods
    • Application supersedence
    • Application uninstall
    • User device affinity
    • Unified monitoring experience
    • Content Management
      • Distribution Points Groups
      • Content Library
      • Improved content monitoring experience

Application distribution/ deployment process for mobile devices:

  • Create the application with one or more deployment types.
  • Create / get policy for required applications
    • Only required apps are supported
    • Get source from DP
    • Install
    • Report back to MP

Next CEP session is about SCCM 2012 Migration. In my opinion a very interesting session, because Microsoft announced at TechEd last year that migrating from SCCM 2007 to SCCM 2012 is very easy :)

System Center Configuration Manager 2012 collection changes

Today at TechEd I attended a nice open discussion session about System Center Configuration Manager 2012. During this last session of TechEd some “new” changes regarding collections came up. In SCCM 2007 collections were often used to build a logical structure in the collection set; this way of organizing is still available in SCCM 2012 beta 1. It cannot be done anymore in SCCM 2012 beta 2 and later versions; instead, a new feature lets you create a folder structure to organize your collections. During a migration, empty parent collections will be migrated to folders with the child collections in those folders. To get some kind of “collection structure”, you can include or exclude collections in a collection.

In SCCM 2007 you were able to put systems, users and groups into one collection; this is not allowed anymore. You need to create separate collections to be able to target one application to systems, users and groups.

System Center Configuration Manager 2012 TechEd update

The latest news comes from TechEd 2010 in Berlin these days. During this week several sessions will cover System Center Configuration Manager (SCCM) 2012. Beta 1 of SCCM vNext was released earlier this year and is now officially rebranded to SCCM 2012. After more than 10 years in which the system was central to the way applications are distributed, the “twenty twelve” release will be User Centric.

Some highlights of SCCM 2012 are:

  • The infrastructure is flattened; if I am right you are able to have one Central Administration Site (1st tier), one level of Primary sites (2nd tier) and one level of Secondary sites (3rd tier)
  • One primary site can hold up to 400.000 clients
  • There is no need to create a primary site per “administrative site”; SCCM 2012 now has Role Based Administration.
  • With Role Based Administration, you can assign rights for users or groups that belong for instance to a particular sub-net
  • Forefront Endpoint Protection will fully integrate with SCCM 2012, you only need one console to manage your clients
  • Desired Configuration Management now has auto-remediation
  • New for the user is, the Software Catalog portal or the Software Center on the workplace
  • With the Software Catalog portal you can easily search for new software and install or request the software on your computer
  • You can define relations between applications: for one application like Office 2010, a corporate user will receive the MSI installation and a user with their own computer will receive the App-V version of Office 2010. The user won’t know the difference, except for the deployment speed.
  • The migration path from SCCM 2007 to SCCM 2012 is “easy”; all migrated applications will be “legacy apps”
  • For applications created with SCCM 2012 you have  “optional apps” and “required apps”
  • You can manage the SCCM Client settings centrally per collection
  • You can now throttle or schedule Distribution Point replication without creating an extra site
  • SCCM 2012 can use BranchCache to minimize the load on the WAN
  • Microsoft Updates can be deployed to groups or individual systems

In the next couple of months we will dig deeper into the new System Center Configuration Manager.