Configuration Manager 2012 R2 SDK and Toolkit released

Microsoft yesterday released an updated version of the SDK for Configuration Manager 2012 R2; you can find it here –>

This also includes an updated Application Workflow setup, which lets you integrate the application approval process into Service Manager instead of IT managers having to go into Configuration Manager to approve applications.

Microsoft has also released an updated version of its Toolkit for Configuration Manager –> which I have blogged about before –>

But now there are some new tools included in the package.

  • DP Job Manager – A tool that helps troubleshoot and manage ongoing content distribution jobs to Configuration Manager distribution points.
  • Collection Evaluation Viewer – A tool that assists in troubleshooting collection evaluation related issues by viewing collection evaluation details.
  • Content Library Explorer – A tool that assists in troubleshooting issues with, and viewing the contents of, the content library.

It also includes a Security Configuration Wizard for R2. The most useful addition here is the Content Library Explorer, which lets you browse the content library and the source files of applications and similar content.


Managing Ubuntu Clients with Configuration Manager

Microsoft recently released a preview of System Center 2012 R2 and with it, they released a new version of the additional clients for Configuration Manager.
You can download them from here –>

The pack includes clients for:

  • AIX Version 7.1, 6.1, 5.3
  • Solaris Version 11 (SPARC and x86), 10 (SPARC and x86), 9 (SPARC)
  • HP-UX Version 11iv2 (PA-RISC and IA64), 11iv3 (PA-RISC and IA64)
  • RHEL Version 6 (x64 and x86), 5 (x64 and x86), 4 (x64 and x86)
  • SLES Version 11 (x64 and x86), 10 (x64 and x86), 9 (x86)
  • CentOS Version 6 (x64 and x86), 5 (x64 and x86)
  • Debian Version 6 (x64 and x86), 5 (x64 and x86)
  • Ubuntu Version 12.4 LTS (x64 and x86), 10.4 LTS (x64 and x86)
  • Oracle Linux 6 (x64 and x86), 5 (x64 and x86)
  • Mac OS X 10.6 (Snow Leopard)
  • Mac OS X 10.7 (Lion)
  • Mac OS X 10.8 (Mountain Lion)

For my part I see more and more Macs in the enterprise, but at my former job we had a lot of RHEL and Ubuntu users as well, so I wanted to show how we can manage these types of clients in the enterprise.

To set up a client, we first need to download two files to the Ubuntu computer:
the ccm-Universal package and the install file.

After the files are downloaded, open a terminal and run the following command from the download folder:

NOTE: Make sure the Linux client can resolve the ConfigMgr servers with nslookup.
You might need to edit resolv.conf to point to another DNS server.
You might also need to set a domain name so that the FQDN can be used, by running
domainname AD.fqdn from the terminal.

./install -mp <computer> -sitecode <sitecode> <property #1> <property #2> <client installation package>

NOTE: You have to make the install file executable first by running chmod +x install from the terminal.

So in my case: ./install -mp configmgr.msandbu.local -sitecode TST ccm-Universal-x86.tar



After this is done you can review the log at /var/opt/microsoft/scxcm.log.
NOTE: If you run the installation again you will be asked whether you wish to overwrite the existing installation, which is useful if you entered the wrong information during setup. If you wish to uninstall the client completely, run /opt/microsoft/configmgr/bin/uninstall

Note: from CU1, Linux clients also support a fallback status point (FSP), which you can specify during installation with -fsp fsppoint.fqdn
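The install sequence above, wrapped with the pre-flight checks the post mentions (MP resolvable in DNS, install file executable, package present), as an added example that is not part of the original post; the MP name, site code and package name are the post's own values and the three-character site code rule is an assumption about ConfigMgr site codes in general.

```python
import os
import re
import socket
import subprocess

# Added example, not from the original post. Wraps the ./install sequence described
# above with the pre-flight checks the post mentions: the MP must resolve in DNS,
# the install file must be executable (chmod +x) and the client package must exist.
# The MP name, site code and package name under __main__ are the post's own values.

LOG_PATH = "/var/opt/microsoft/scxcm.log"      # log location named in the post
SITECODE_RE = re.compile(r"^[A-Za-z0-9]{3}$")   # a site code is three letters/digits


def build_install_cmd(mp, sitecode, package, fsp=None, install="./install"):
    """Return the argv list for the client install, validating the inputs first."""
    # Uses the switch names from the post (-mp, -sitecode and, from CU1, -fsp), so a
    # dash copied from a web page cannot silently turn into the wrong character.
    if not SITECODE_RE.match(sitecode):
        raise ValueError("site code must be exactly three letters/digits: %r" % sitecode)
    if not package.endswith(".tar"):
        raise ValueError("expected the ccm-Universal-*.tar client package, got %r" % package)
    argv = [install, "-mp", mp, "-sitecode", sitecode.upper()]
    if fsp:
        argv += ["-fsp", fsp]
    argv.append(package)
    return argv


def preflight(mp, package, install="./install"):
    """Return a list of problems found; an empty list means it is safe to run."""
    problems = []
    try:
        socket.gethostbyname(mp)  # same check as the post's nslookup note
    except OSError:
        problems.append("%s does not resolve; check resolv.conf and domainname" % mp)
    if not os.path.isfile(package):
        problems.append("client package %s not found in this folder" % package)
    if not os.access(install, os.X_OK):
        problems.append("%s is not executable; run chmod +x %s" % (install, install))
    return problems


def install_client(mp, sitecode, package, fsp=None):
    """Run the install if pre-flight passes, then show the tail of the log."""
    problems = preflight(mp, package)
    if problems:
        raise SystemExit("\n".join(problems))
    subprocess.check_call(build_install_cmd(mp, sitecode, package, fsp))
    if os.path.exists(LOG_PATH):
        with open(LOG_PATH) as log:
            print("".join(log.readlines()[-20:]))


if __name__ == "__main__":
    install_client("configmgr.msandbu.local", "TST", "ccm-Universal-x86.tar")
```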

Configuration Manager and hierarchy planning

With the 2012 release of System Center Configuration Manager, planning and designing a hierarchy became a bit more difficult.
Not because of the limitations, but because of the huge mix of possibilities you have.
For instance, with the introduction of the CAS role (which sits at the top of the hierarchy and is used to manage many primary sites) you have even more options for how to manage your infrastructure.

In addition, SP1 gives you even more options: you can now have more than one SUP for a primary site (which you could not before SP1), and the SUP on the CAS no longer needs to sync directly with Windows Update. So this post is about the factors you need to consider when planning, and how to manage the devices. For those with multiple domains, trusted and untrusted, in different forests, and depending on how you want the traffic to flow, it takes a lot of planning!

This post is meant as a guideline and might not always present the best option, but it shows some possible examples of how you can deploy Configuration Manager 2012 SP1.

First I am going to define what a hierarchy in Configuration Manager looks like.
In the first picture we have a stand-alone site (primary site); in the second picture we have a primary site with two secondary sites.
In the last picture we have a CAS with three primary sites and their secondary sites.


First I’m going to specify the limits of each hierarchy role:

CAS: (does not process client data and does not support client assignment)
400,000 clients (if you use SQL Enterprise), 50,000 if you use Standard
25 Child Primary Sites
Asset Intelligence synchronization point (Can only be one in the hierarchy)
Endpoint Protection point (Can only be one in the hierarchy)
Reporting services point
Software update point
System Health Validator point
Windows Intune connector

Primary Site:
250 secondary sites
100,000 clients (50,000 clients if the SQL is installed on the same computer as the site server)
10,000 WES clients
50,000 Mac
Application Catalog web service point
Application Catalog website point
Asset Intelligence synchronization point (not if it’s a child primary site)
Distribution point
Fallback status point
Management point
Endpoint Protection point (not if it’s a child primary site)
Enrollment point
Enrollment proxy point
Out of band service point
Reporting services point
Software update point
State migration point
System Health Validator point
Windows Intune connector (not if it’s a child primary site)

Secondary Site: (Must be linked to a primary site, MP and DP are installed automatically, installs SQL Express if nothing else is available)
5,000 clients.
Distribution point
Management point
Software update point
State migration point

Software Update Point:
25,000 clients when installed on the same server as the site server, 100,000 otherwise
After SP1 (Supports multiple SUP per Site)

Distribution Point:
4,000 clients
250 DP per Primary Site
250 DP per secondary site
10,000 packages and applications

Management Point:
25,000 clients
10,000 Mac computers
10 MP per primary site

Now there are some roles that cannot be deployed in an untrusted domain:
these are the out of band service point and the Application Catalog web service point.

But always think simplicity: where it is possible and makes sense, avoid the CAS role.

(1 domain) ( 1 location ) 1 Primary Site

How you proceed depends on how many clients you have in your infrastructure, but with one location and one domain this is the simplest way to go. For high-availability purposes you should have two of each site system role and a clustered SQL Server for the site server.

(1 domain) (2 locations) 1 Primary Site, 1 Secondary Site (slow link)
Let's say, for the purpose of this post, that you have one location where most of your infrastructure is, and one remote site with 200 clients that has a limited connection to the primary site. One secondary site at the remote location would be the best approach. Clients there would talk directly to the management point and the distribution point of the secondary site.

(1 domain) (2 locations) 1 Primary Site and 1 Distribution Point (fast link to the remote site)
In this case we also have a remote location, but with a fast WAN link, so we don't need a secondary site (which holds the agents, applications and packages). Instead we place a distribution point at the remote location and clients communicate with an MP in the central location.

(1 domain) (2 locations) (one small branch office)
I would recommend enabling BranchCache on a distribution point and on the clients: when the first client requests content from the DP, it downloads it and caches it for the other clients on the same subnet. This requires a DP with BranchCache installed.

NOTE: Remember that for an installation in a remote domain to work properly you need to install the management point with an account that has access to the Configuration Manager database. You configure this during the installation of the management point.

(2 domains, untrusted forest) (1 location) 1 Primary Site in the primary domain (1 Management Point, 1 Distribution Point)

Now, we cannot install a primary or secondary site in an untrusted domain; we can only install client-facing site system roles there. So we install a management point and a distribution point in the untrusted domain.
We can also publish the site in AD for the untrusted domain as well.

(2 domains, trusted forest) (1 location)

This depends on the number of clients, but again a distribution point and a management point in the other domain could be a solution. If there are too many clients, you would need to expand the hierarchy with a CAS and a primary site in each forest.

(Multiple domains, untrusted) (Multiple domains)

One primary site, or more depending on how many clients you have. Use a primary site in one domain (preferably the largest one) and deploy a distribution point and a management point in the other domains.
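A capacity check that applies the per-role limits listed above to a proposed design, as an added example that is not part of the original post; the numbers are the post's own SP1 figures, and the role counts it returns are the minimum those limits require (add a second instance of each role for high availability, as the post recommends).

```python
import math

# Added example, not from the original post: applies the per-role limits listed above
# (the 2012 SP1 figures as given in the post) to a proposed design. Counts are the
# minimum the limits require; add a second instance of each role for high availability.
# Nothing beyond the post's numbers is assumed.

LIMITS = {
    "primary_clients": 100000,           # clients per primary site
    "primary_clients_sql_local": 50000,  # ... when SQL is on the site server
    "primary_mac": 50000,
    "secondary_clients": 5000,
    "mp_clients": 25000,
    "mp_mac": 10000,
    "mp_per_primary": 10,
    "dp_clients": 4000,
    "sup_clients_local": 25000,          # SUP on the site server
    "sup_clients_remote": 100000,        # SUP on its own server
    "cas_clients_enterprise": 400000,
    "cas_clients_standard": 50000,
}


def plan_primary_site(clients, macs=0, sql_on_site_server=False, sup_on_site_server=False):
    """Minimum role counts for one primary site, or the reason the design does not fit."""
    cap = LIMITS["primary_clients_sql_local"] if sql_on_site_server else LIMITS["primary_clients"]
    total = clients + macs
    if total > cap:
        return {"fits": False, "reason": "%d clients exceed the %d limit of one primary site" % (total, cap)}
    if macs > LIMITS["primary_mac"]:
        return {"fits": False, "reason": "%d Macs exceed the %d Mac limit" % (macs, LIMITS["primary_mac"])}
    # MPs are bounded by both the overall client limit and the separate Mac limit
    mps = max(math.ceil(total / LIMITS["mp_clients"]), math.ceil(macs / LIMITS["mp_mac"]), 1)
    if mps > LIMITS["mp_per_primary"]:
        return {"fits": False, "reason": "needs %d MPs, limit is %d per primary site" % (mps, LIMITS["mp_per_primary"])}
    sup_cap = LIMITS["sup_clients_local"] if sup_on_site_server else LIMITS["sup_clients_remote"]
    return {
        "fits": True,
        "management_points": mps,
        "distribution_points": max(math.ceil(total / LIMITS["dp_clients"]), 1),
        "software_update_points": max(math.ceil(total / sup_cap), 1),  # more than one needs SP1
    }


def needs_cas(clients, sql_enterprise=True):
    """True when the clients do not fit one primary site; raises if even a CAS cannot hold them."""
    if clients <= LIMITS["primary_clients"]:
        return False
    cas_cap = LIMITS["cas_clients_enterprise"] if sql_enterprise else LIMITS["cas_clients_standard"]
    if clients > cas_cap:
        raise ValueError("%d clients exceed the %d limit of a CAS" % (clients, cas_cap))
    return True


def plan_secondary_sites(remote_locations):
    """remote_locations maps location name to client count; returns secondary sites per location."""
    return {name: max(math.ceil(n / LIMITS["secondary_clients"]), 1) for name, n in remote_locations.items()}
```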

Here I will also link to some example hierarchy scenarios from Microsoft

Identify requirements to plan for a hierarchy

I would also recommend that you read about Microsoft's own hierarchy for their internal Configuration Manager solution

Remote Control for Configuration Manager

I actually see a lot of search terms on this blog regarding Remote Control, so I wanted to write a post to clarify its functionality and how to set it up. It allows administrators to connect to a client without using RDP, even without a user logged on, and you can interact with the user as well, seeing what the user sees. All communication happens over TCP port 2701 and uses Kerberos for authentication (if it cannot authenticate using Kerberos it falls back to the less secure NTLM).

To enable Remote Control for a set of clients:
In the Configuration Manager console, click Administration.

  1. In the Administration workspace, click Client Settings.

  2. Click Default Client Settings.

  3. On the Home tab, in the Properties group, click Properties.

  4. In the Default dialog box, click Remote Tools.

  5. Configure the remote control, Remote Assistance and Remote Desktop client settings.

There are a number of settings here that you need to configure before you start.

Enable Remote Control on clients / Firewall exception profiles
Select whether Configuration Manager remote control is enabled for all client computers that receive these client settings. Click Configure to enable remote control and optionally configure firewall settings to allow remote control to work on client computers. (Just remember that Remote Control is disabled by default.)

Allow Remote Control of an unattended computer
Select whether an administrator can use remote control to access a client computer that is logged off or locked. Only a logged-on and unlocked computer can be remote controlled when this setting is disabled.

Prompt user for Remote Control permission
Select whether the client computer will display a message asking for the user’s permission before allowing a remote control session.

Grant Remote Control permission to local Administrators group
Select whether local administrators on the server initiating the remote control connection can establish remote control sessions to client computers.

Access level allowed
Specify the level of remote control access that will be allowed.

Permitted viewers
Click Set Viewers to open the Configure Client Setting dialog box and specify the names of the Windows users who can establish remote control sessions to client computers.

After you have changed the settings here, press OK to save them. If you need to change these settings, or need a different set of settings for different users, create a separate client settings object and deploy it to a new collection.


Viewers can be set to domain users, and different viewers can be deployed to separate collections; you just have to create a separate client settings policy.
After these settings are changed you can go back to your computers, right-click and choose Remote Control.



When the green bar appears we are connected. The user also sees this green bar, so they know who is connected.
We can also see that it successfully used Kerberos to authenticate.


Configuration Manager and Collections

I see a lot of questions on the forums and lots of traffic on my blog regarding computer collections. In many cases you want to separate your managed computers / servers into different collections.
For instance, you might want to separate clients from two network segments because they need separate client settings, or because the clients in one location need a piece of software that the others don't.
In many cases collections can be a life-saver for software management.
For instance, you can create a dynamic computer collection based on a registry value (to check whether Adobe Reader is < version 9; if true, the computer is added to collection 1, where the IT admin has deployed the newest Adobe Reader as required software). The next time the collection updates, the computer will no longer be present in the collection.
Also remember that a dynamic collection is based upon a query, and queries in ConfigMgr are written in WQL, which is basically SQL for WMI.

Now, where do we create a collection?
Open the ConfigMgr console –> Assets and Compliance –> Device Collections
Right-click and choose Create


Now enter a name for the collection and choose a limiting collection. This narrows down the collection, so if you have a lot of collections you should pay attention to which limiting collection you use, since it lightens the database load.


Now under membership rules choose Query Rule –>


Now the query editor will open –>

From here we choose Edit (we could also choose to import another query, but we can do that later).
When we press Edit we come to the Query Statement Properties pane.

Under the General tab we choose which attributes we wish to search for.


Under Criteria we choose which attributes we wish to add a statement for, for instance whether a value is true or not.


If we press “Show Query Language” we can see the query that is being generated from the menu. If you wish, you can just import a finished query here (see further down in this post).
Now we are going to go through a query that will find all computers whose name starts with neo.

Go back to General and press the + sign, choose Simple Attribute and then Select Attribute; from there choose System Resource and NetBIOS name. Press OK and OK.

If you press Show Query Language now, we can see that the query has changed.


Now we are going to add a criterion, so I do practically the same here.


The % sign is a wildcard, so all computers whose NetBIOS name starts with neo will be fetched by this query.


After that is done you can press OK and OK.

And you need to remember the logic of a collection query.

1 SELECT (what do I need to show) NetbiosName = computer name
2 WHERE (what requirements need to be fulfilled for the query to return true?)
3 If Computer 1 has Adobe Reader = True then into the collection you go.
You also need to remember that the symbol % is a wildcard.
So if you want to search for something that starts with n, you use n% in your query;
if you want a query for something that ends with n, you use %n.

Now some examples of queries that you can use (by using the Import Query button –> )

Adobe Reader version from Add/Remove Programs in Control Panel
select SMS_R_System.NetbiosName,
SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName from
SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on
SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId where
SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "%Adobe Reader%"

Computers based on OU
select SMS_R_System.NetbiosName,
SMS_R_System.SystemOUName from
SMS_R_System where
SMS_R_System.SystemOUName = "OU Name"

Specific computer name, in this case every computer whose name starts with neo
select SMS_R_System.NetbiosName from
SMS_R_System where SMS_R_System.NetbiosName like "neo%"

Windows 8 computers
select SMS_R_System.ResourceID,
SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System
inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId
where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%" or SMS_R_System.OperatingSystemNameandVersion like "%Windows 8%"
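A small builder for the kind of WQL collection queries listed above, as an added example that is not part of the original post. It exists to show two things the hand-typed queries make easy to get wrong: an inner join needs both ResourceId sides, and any value pasted into a query (a name prefix, an OU path, a product name) must have its quotes and wildcards escaped so a stray quote cannot break the query or widen what it matches. The class and attribute names are the ones used in the post's own queries; the bracket escaping of LIKE wildcards follows the WQL LIKE syntax.

```python
import re

# Added example, not from the original post: builds the kind of WQL collection queries
# listed above. It shows that an inner join needs both ResourceId sides and that any
# value pasted into the query needs its quotes and LIKE wildcards escaped, or a stray
# quote breaks the query or widens what it matches. Class and attribute names are the
# ones used in the post's queries.


def escape_literal(value):
    """Double single quotes so a value cannot terminate the WQL string early."""
    return str(value).replace("'", "''")


def escape_like(value):
    """Also bracket LIKE wildcards (% _ [) so the value is matched literally."""
    return re.sub(r"([%_\[])", r"[\1]", escape_literal(value))


def device_query(select, where, join_class=None):
    """Assemble: select ... from SMS_R_System [inner join <class> on ...] where ..."""
    parts = ["select " + ", ".join(select), "from SMS_R_System"]
    if join_class:
        parts.append("inner join %s on %s.ResourceId = SMS_R_System.ResourceId"
                     % (join_class, join_class))
    parts.append("where " + where)
    return " ".join(parts)


def computers_named_like(prefix):
    """Computers whose NetBIOS name starts with prefix (the post's 'neo' example)."""
    return device_query(["SMS_R_System.NetbiosName"],
                        "SMS_R_System.NetbiosName like '%s%%'" % escape_like(prefix))


def computers_in_ou(ou_name):
    """Computers whose system OU name equals ou_name exactly."""
    return device_query(["SMS_R_System.NetbiosName", "SMS_R_System.SystemOUName"],
                        "SMS_R_System.SystemOUName = '%s'" % escape_literal(ou_name))


def computers_with_program(display_name_fragment):
    """Computers with an Add/Remove Programs entry containing the fragment."""
    cls = "SMS_G_System_ADD_REMOVE_PROGRAMS"
    return device_query(["SMS_R_System.NetbiosName", cls + ".DisplayName"],
                        "%s.DisplayName like '%%%s%%'" % (cls, escape_like(display_name_fragment)),
                        join_class=cls)


def computers_by_os(name_fragments):
    """Computers whose OS name/version contains any fragment (the post's Windows 8 example)."""
    clauses = ["SMS_R_System.OperatingSystemNameandVersion like '%%%s%%'" % escape_like(f)
               for f in name_fragments]
    return device_query(["SMS_R_System.ResourceID", "SMS_R_System.ResourceDomainORWorkgroup",
                         "SMS_R_System.Client"], " or ".join(clauses))
```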

XenApp Connector for Configuration Manager in Tech preview

The long-awaited connector for XenApp to Configuration Manager 2012 is now available as a Tech Preview.
Link here –>

You can see a video about its functionality here –>

I'll come back with more when I get to work with the details.

Integrating Configuration Manager and RES Workspace Manager

As I stated in an earlier post, you can integrate RES Workspace Manager with Configuration Manager.

Workspace Manager is a product that allows you to design how the desktop should appear to the user.
Instead of using Group Policy and slow login scripts you can move all those tasks into Workspace Manager,
for instance printer mapping, drive mapping and so on.
It has a lot of features, but take a look at my previous post if you wish to know more about it.

Workspace Manager also allows for a lot of integration, for instance with XenApp, App-V, RDS, VMware ThinApp and ConfigMgr.
With ConfigMgr integration you can let Workspace Manager deploy an application (as an automation task) to a user's desktop.

When a user logs on for the first time and clicks a predefined shortcut for that application, Workspace Manager will automatically deploy the software to the desktop by contacting the configured MP.

First we start by adding the ConfigMgr integration: click Setup –> Microsoft System Center.


Now on the menu, click Settings and tick “Enable Microsoft System Center ConfigMgr Integration”. Remember, as it states there, that you need a ConfigMgr agent and a Workspace Manager agent installed on the client where you are going to use this.
Enter credentials and choose which version of ConfigMgr you have in your environment.

Click Test Now (a list of the packages that are deployed should now appear). Remember that it only supports ConfigMgr packages, not the Applications introduced with 2012.

After this is applied you should get this message. (Even though the integration is in place, the software distribution option is not enabled, so we have to enable it.)

Exit the setup mode and go back to composition, and enable Software distribution.


Before we can deploy the software we have to attach the package to an application defined within Workspace Manager.


Click Start and press “New Application”; if you are unfamiliar with the different options you can use the wizard. I have created a “Lync planning tool” application. Right-click it and choose Edit, go down to Configuration and press Add. From there choose ConfigMgr.


Now select the package you need to add. If it is not listed, mark the “Program” option, click the button on the right side and add the package.


Then press OK and close.
All managed desktops (with the RES agent and the ConfigMgr agent) will now get this application.