Symptoms:
When you use the Forefront Endpoint Protection (FEP) 2010 Group Policy Tool to import a policy file that was exported from System Center 2012 Endpoint Protection, it will fail with a screenshot similar to the following:
Cause:
The XML namespace is missing and a couple of registry value types have changed in System Center 2012 Endpoint Protection, which results in the error.
Resolution:
You can use the script in the Script section to make the changes to the policy file. You can also write a Java script tool to automate the script. For example, you can name the script in the Script section FepGPFileCorrector.js, and then use a command such as the following:
cscript.exe FepGPFileCorrector.js <originpolicyfile>.xml
Where, originpolicyfile is the exported System Center 2012 Endpoint Protection policy file. Currently, the following is supported:
The target/output policy file is named Converted-<originpolicyfile>.xml.
References:
The Forefront Endpoint Protection Group Policy Tool is used to convert policy settings contained in configured FEP policies to the format that is used by Group Policy. This tool can be obtained from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=207729) as part of the FEP 2010 Group Policy Tools download package.
System Center 2012 Endpoint Protection provides several default policy template files that you can find in subfolder AdminConsole\XmlStorage\EPTemplates of site server installation directory. You can import the policy template files by using FEP 2010 Forefront Endpoint Protection Group Policy Tool by default.
Script:
@set @debug = false
//******************************************************************************
//
// Constants
var c_sSecurityPolicy = "SecurityPolicy";
var c_sPolicySection = "PolicySection";
var c_sLocalGroupPolicySettings = "LocalGroupPolicySettings";
var c_sXmlns = "xmlns";
var c_sNameSpace = "http://forefront.microsoft.com/FEP/2010/01/PolicyData";
var c_sAddKey = "AddKey";
var c_sAddValue = "AddValue";
var c_sName = "Name";
var c_sType = "Type";
var c_sDisabled = "Disabled";
var c_sFallbackOrder = "FallbackOrder";
var c_sDefinitionUpdateFileShareSources = "DefinitionUpdateFileSharesSources";
var c_sDWord = "REG_DWORD";
var c_sSZ = "REG_SZ";
var c_sHelp = "cscript.exe FepGPFileCorrector.js <originpolicyfile> \r\n"
+ "\r\n"
+ "originpolicyfile Original exported SCEp2012 policy file.\r\n"
// Globals
var g_fso = null; // Scripting.FileSystemObject
var g_xmlSource = null; // Source XML document
var g_xmlTarget = null; // Target XML document
var g_shell = null;
var g_environment = null;
var g_sScriptDir = null; // cscript.exe running directory
var g_sOriginPolicyFile = null; // Original FEP2012 exported policy file
var g_sOriginFileName = null; // Original FEP2012 exported policy file name
var g_sOriginPolicyPath = null; // The directory hosting original FEP2012 exported policy file
// GetAttribute
function GetAttribute(oNode, sAttrib, bAllowNull)
{
var attrib = oNode.attributes.getNamedItem(sAttrib);
if (attrib != null)
return attrib.text;
}
else if (bAllowNull)
return null;
// Validate script host version
if (Number(WScript.Version) < 5.6)
WScript.Echo(
"This script requires Windows Script Host v5.6 or later. "
+ "Go to http://www.microsoft.com/scripting for download"
);
WScript.Quit(1);
if (WScript.FullName.toLowerCase().indexOf("cscript.exe") < 0)
"This script can only be executed with Cscript."
if ((WScript.Arguments.length < 1) || (WScript.Arguments(0) == "/?"))
WScript.Echo(c_sHelp);
// Initialize
g_fso = new ActiveXObject("Scripting.FileSystemObject");
g_shell = new ActiveXObject("WScript.Shell");
g_environment = g_shell.Environment("Process");
g_sScriptDir = g_fso.GetParentFolderName(WScript.ScriptFullName);
g_sOriginPolicyFile = String(WScript.Arguments(0));
// If g_sOriginPolicyFile has not path
if ((g_sOriginPolicyFile.indexOf(":") > 0) && (g_sOriginPolicyFile.charAt(0) != "."))
g_sOriginPolicyPath = g_sOriginPolicyFile.substr(0, g_sOriginPolicyFile.lastIndexOf("\\"));
g_sOriginFileName = g_sOriginPolicyFile.substr(g_sOriginPolicyFile.lastIndexOf("\\") + 1);
else if ((g_sOriginPolicyFile.charAt(0) == "\\") && (g_sOriginPolicyFile.charAt(1) == "\\"))
else
g_sOriginPolicyPath = g_sScriptDir;
g_sOriginFileName = g_sOriginPolicyFile;
if (!g_fso.FileExists(g_sOriginPolicyFile))
WScript.Echo("XML file " + g_sOriginPolicyFile + " does not exist!");
throw new Error(1, "The XML file does not exist!");
//var oFile = g_fso.GetFile(g_sOriginPolicyFile);
//oFile.Attributes = oFile.Attributes & (~1);
g_xmlSource = new ActiveXObject("MSXML2.DOMDocument.6.0");
// Load original SCEP2012 exported policy file
if (!g_xmlSource.load(g_sOriginPolicyFile))
var pe = g_xmlSource.parseError;
INFO(
"XML load failed:\n"
+ " Location: " + pe.line + ", " + pe.linepos + "\n"
+ " Source: " + pe.srcText + "\n"
+ " Reason: " + pe.reason + "\n"
throw new Error(-1, "Policy file is invalid.");
var oSrcSecurityPolicyNode;
//var oRootNodes = g_xmlSource.documentElement.selectNodes(c_sSecurityPolicy);
var oRootNodes = g_xmlSource.childNodes;
if (!g_xmlSource.hasChildNodes())
WScript.Echo("XML file " + g_sOriginPolicyFile + " might not need to process, exit directly.");
for (var iIndex = 0; iIndex < oRootNodes.length; iIndex++)
if (oRootNodes[iIndex].nodeName == c_sSecurityPolicy)
oSrcSecurityPolicyNode = oRootNodes[iIndex];
if (oSrcSecurityPolicyNode != null)
if (oSrcSecurityPolicyNode.attributes.getNamedItem(c_sXmlns) != null)
break;
g_xmlTarget = new ActiveXObject("MSXML2.DOMDocument.6.0");
var sTargetXmlFile = g_sOriginPolicyPath + "\\Converted-" + g_sOriginFileName;
if (g_fso.FileExists(sTargetXmlFile))
var oFile = g_fso.GetFile(sTargetXmlFile);
oFile.Attributes = oFile.Attributes & (~1);
g_fso.DeleteFile(sTargetXmlFile);
WScript.Echo("The target converted policy file: " + sTargetXmlFile);
var oSrcAddKeyNodes;
var oSrcAddValueNodes;
var sNameAttribute;
var sTypeAttribute;
var sDisabledAttribute;
var sNodeValue;
var oTargetAddKeyNode;
var oTargetAddValueNode;
var oAttributes;
// Check "SecurityPolicy" node in source XML
// Create "SecurityPolicy" node for target XML
var oTargetSecurityPolicyNode = g_xmlTarget.createNode(1, c_sSecurityPolicy, c_sNameSpace);
// Add attributes under "SecurityPolicy" child node to target node
oAttributes = oSrcSecurityPolicyNode.attributes;
for (var index = 0; index < oAttributes.length; index++)
if (oAttributes.item(index).name != c_sXmlns)
oTargetSecurityPolicyNode.setAttribute(oAttributes.item(index).name, oAttributes.item(index).nodeValue);
// Check "PolicySection" child node in source XML
var oSrcPolicySectionNode = oSrcSecurityPolicyNode.selectSingleNode(c_sPolicySection);
if (oSrcPolicySectionNode != null)
// Create "PolicySection" node for target XML
var oTargetPolicySectionNode = g_xmlTarget.createNode(1, c_sPolicySection, c_sNameSpace);
// Add attributes under "PolicySection" child node to target node
oAttributes = oSrcPolicySectionNode.attributes;
oTargetPolicySectionNode.setAttribute(oAttributes.item(index).name, oAttributes.item(index).nodeValue);
// Check "LocalGroupPolicySettings" child node
var oSrcLocalGroupPolicySettingsNode = oSrcPolicySectionNode.selectSingleNode(c_sLocalGroupPolicySettings);
if (oSrcLocalGroupPolicySettingsNode != null)
// Create "LocalGroupPolicySettings" node for target XML
var oTargetLocalGroupPolicySettingsNode = g_xmlTarget.createNode(1, c_sLocalGroupPolicySettings, c_sNameSpace);
oSrcAddKeyNodes = oSrcLocalGroupPolicySettingsNode.selectNodes(c_sAddKey);
for (var iKeyIndex = 0; iKeyIndex < oSrcAddKeyNodes.length; iKeyIndex++)
// Create one "AddKey" node for target XML
oTargetAddKeyNode = g_xmlTarget.createNode(1, c_sAddKey, c_sNameSpace);
// Add attributes under "AddKey" child node to target node
oAttributes = oSrcAddKeyNodes[iKeyIndex].attributes;
oTargetAddKeyNode.setAttribute(oAttributes.item(index).name, oAttributes.item(index).nodeValue);
oSrcAddValueNodes = oSrcAddKeyNodes[iKeyIndex].selectNodes(c_sAddValue);
for (var iValueIndex = 0; iValueIndex < oSrcAddValueNodes.length; iValueIndex++)
// Create "AddValue" node
oTargetAddValueNode = g_xmlTarget.createNode(1, c_sAddValue, c_sNameSpace);
// Add attributes under "AddValue" child node to target node
sNameAttribute = GetAttribute(oSrcAddValueNodes[iValueIndex], c_sName);
oTargetAddValueNode.setAttribute(c_sName, sNameAttribute);
sTypeAttribute = GetAttribute(oSrcAddValueNodes[iValueIndex], c_sType);
if (sNameAttribute == c_sFallbackOrder)
if (sTypeAttribute == c_sDWord)
oTargetAddValueNode.setAttribute(c_sType, c_sSZ);
oTargetAddValueNode.setAttribute(c_sType, sTypeAttribute);
else if (sNameAttribute == c_sDefinitionUpdateFileShareSources)
if (oSrcAddValueNodes[iValueIndex].attributes.getNamedItem(c_sDisabled) != null)
sDisabledAttribute = GetAttribute(oSrcAddValueNodes[iValueIndex], c_sDisabled);
oTargetAddValueNode.setAttribute(c_sDisabled, sDisabledAttribute);
sNodeValue = oSrcAddValueNodes[iValueIndex].text;
oTargetNodeValue = g_xmlTarget.createTextNode(sNodeValue);
oTargetAddValueNode.appendChild(oTargetNodeValue);
// Append "AddValue" child node under current "AddKey" node
oTargetAddKeyNode.appendChild(oTargetAddValueNode);
// Append "AddKey" child node under "LocalGroupPolicySettings" node
oTargetLocalGroupPolicySettingsNode.appendChild(oTargetAddKeyNode);
// Append "LocalGroupPolicySettings" child node under "PolicySection" node
oTargetPolicySectionNode.appendChild(oTargetLocalGroupPolicySettingsNode);
// Append "PolicySection" child node under "SecurityPolicy" node
oTargetSecurityPolicyNode.appendChild(oTargetPolicySectionNode);
// Append "SecurityPolicy" node
g_xmlTarget.appendChild(oTargetSecurityPolicyNode);
g_xmlTarget.save(sTargetXmlFile);
--Weitao Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
Many of our existing Configuration Manager customers are used to thinking in terms of installing and configuring sites, and then configuring individual features, such as hardware inventory, software distribution, and software updates. This reflected the product evolution and our internal development teams, as functionality was added over the years. It was also reflected in the management console, with new nodes for each feature. As the product grew, the number of nodes in the console increased and made it challenging to navigate.
The new design of the Configuration Manager console in System Center 2012 Configuration Manager changes that, with the focus on common scenarios and grouping similar tasks. Although you still have nodes under each of the workspaces (Assets and Compliance, Software Library, Monitoring, and Administration), they no longer necessarily map to features. Many features now overlap and share common terms and functions, to provide a more consistent administration experience.
For example, we use the word “deploy” to send anything to clients, such as settings, packages and programs, and software updates. In the past, we used “assign”, “distribute”, and “deploy” for these similar client management functions, depending on the feature used. The goal for Configuration Manager and the System Center components is “a single pane of glass” where the administration experience is reduced in complexity to minimize your administrative overheads. You can then focus on what’s important – managing computers – rather than spending time learning and remembering the different vocabulary and configuration variations for the different features.
The documentation library for System Center 2012 Configuration Manager reflects this change of thinking from features to scenarios and management tasks. Customers have often told us that they want documentation that better reflects how they manage computers, rather than be forced to know how these map to our features. So when we designed the new documentation library for System Center 2012 Configuration Manager, we divided the documentation into these guides that group similar administration and management scenarios:
Guide
Description
Getting Started with System Center 2012 Configuration Manager
This guide helps you get started with System Center 2012 Configuration Manager with an introduction to the product, what’s new and changed since Configuration Manager 2007, basic concepts, and some frequently asked questions.
Site Administration for System Center 2012 Configuration Manager
This guide provides the information to help you plan, install, configure, and maintain System Center 2012 Configuration Manager.
Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager
This guide provides information about migrating an existing Configuration Manager 2007 infrastructure to System Center 2012 Configuration Manager.
Deploying Clients for System Center 2012 Configuration Manager
This guide provides information to help you plan, install, configure, and manage client deployment in System Center 2012 Configuration Manager.
Deploying Software and Operating Systems in System Center 2012 Configuration Manager
This guide provides information to help you plan, configure, and manage the deployment of software and operating systems in System Center 2012 Configuration Manager.
Assets and Compliance in System Center 2012 Configuration Manager
This guide provides information to help you manage your devices (computers and mobile devices) in System Center 2012 Configuration Manager.
Security and Privacy for System Center 2012 Configuration Manager
This guide contains security-related information from the other Configuration Manager guides and privacy statements for the product.
Within each of these guides, you will often find sections that relate to the features that are you familiar with. For example, in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide, you will find the section Software Updates in Configuration Manager. But you will might also find sections that are you not expecting, such as Content Management in Configuration Manager, which is not a feature name that you’re familiar with, but an underlying infrastructure for deploying all software to clients – whether that’s applications, packages and programs, software updates, or operating systems.
Customers have also asked us where to find documentation for the reporting feature. Because reporting spans all client management functions as well as the configuration status of Configuration Manager itself, the Reporting in Configuration Manager section is in the Site Administration for System Center 2012 Configuration Manager guide.
The one guide that probably most closely maps to feature names that you’re familiar with is the Assets and Compliance in System Center 2012 Configuration Manager guide, where you will find the familiar names of features that describe their functionality, such as remote control, and inventory. Even here, we’ve tried to group similar tasks so that hardware inventory, software inventory, and Asset Intelligence is grouped under Inventory.
A potential downside of this rearrangement is that existing customers sometimes have a hard time finding the documentation that they need, because they expect it to be organized and named by feature area. We see this most often with mobile devices, which are now so similar to manage as you would computers, that we have integrated this information throughout the different guides.
For example, installing the mobile device client and managing mobile devices that connect to Exchange Server is integrated into the Deploying Clients for System Center 2012 Configuration Manager guide. After mobile devices are enrolled by Configuration Manager, configuring hardware inventory and deploying applications is the same as for client computers, so you will find this information in the inventory section and application management section of the Assets and Compliance in System Center 2012 Configuration Manager guide and the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide respectively. Ironically, the downside to the “single pane of glass” can make it harder to find this information.
In addition, the documentation does not cover every single aspect of the product. We provide documentation as supplemental to the product when it’s needed, rather than for the sake of having documentation. We expect that the new design and adding need-to-know text in the product itself reduces the need for a lot of documentation. The less documentation you have to wade through, the quicker you can get the job done.
As an example, you might have seen demos and presentations for the new search functionality that is used throughout the console to help you quickly find objects. You will not find documentation in the library about how to use search; this functionality should be intuitive. If you are turning to the documentation because you are having problems using search, please provide this feedback to the product group by using Microsoft Connect, so that they can address this in future versions.
Similarly, we haven’t documented every single option that you can configure. We worked with the product group to make configuration options intuitive to understand, and provide need-to-know text in wizards and dialog boxes. We kept the documentation for when there wasn’t enough room in the UI for you to make an informed choice, or there was a level of complexity involved that wasn’t suitable for the UI.
When you think a particular option that isn’t documented needs additional information, let us know by emailing SMSDocs@Microsoft.com. We can incorporate that feedback with our documentation updates, and let you know about updates and revisions by using documentation announcements on this blog.
For customers who are more used to thinking in terms of feature documentation, we’ve now added some “Where is the documentation for …?” entries to the Frequently Asked Questions for Configuration Manager page, and we supply links to the main topics for these areas. In our January documentation update, we added entries for Setup, role-based administration, and mobile devices. If you are having problems finding the documentation for a feature that you were familiar with from Configuration Manager 2007 or covered in a blog post or presentation for System Center 2012 Configuration Manager, email SMSDocs@Microsoft.com.
And if you have any other feedback about the documentation library design or content, we’ll be happy to hear that and respond to it as well!
-- Carol Bailey
The Configuration Manager 2007 Documentation Library and the Documentation Library for System Center 2012 Configuration Manager have been updated on the web and the latest content has Updated: January 1, 2012 at the top of the topic.
New this month, we’re publishing prerelease documentation for the Microsoft System Center 2012 Configuration Manager Physical to Virtual Migration Toolkit – also known as the P2V Toolkit. Download the release candidate for this toolkit from the Microsoft Connect site to migrate Configuration Manager 2007 to System Center 2012 Configuration Manager in a branch office scenario where migration over a wide area network (WAN) connection is not feasible and where hardware resources for a side-by-side migration are limited. This toolkit virtualizes the site server instance so Configuration Manager 2007 and System Center 2012 Configuration Manager can run on the same physical server in an environment where you can perform a side-by-side migration.
Documentation updates for this month includes customer feedback for Configuration Manager 2007 and updates the support information for SQL Server that was previously announced on this blog in September. We have some updates and clarifications for System Center 2012 Configuration Manager, and we’ve also added notification to the Forefront Endpoint Protection 2012 beta documentation that this is now updated and replaced with System Center 2012 Endpoint Protection. You cannot use the beta version of FEP 2012 with the release candidate versions of System Center 2012 Configuration Manager, so expect this beta documentation to be retired in the near future.
In addition, for FEP 2010 customers, we’ve updated Prerequisites for Deploying Forefront Endpoint Protection on a Client to include information about how Windows Embedded Device Manager 2011 installs the Forefront Endpoint Protection client and definition updates to write filter-enabled devices.
We value customer feedback and try to incorporate it when possible. Although we can’t promise to make the docs perfect for everybody, we are committed to continual improvement. So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com.
What's New in the Configuration Manager 2007 Documentation Library for January 2012
The following information lists the topics that contain significant changes since the July 2011 update.
Configuration Manager 2007 SP2 Supported Configurations
- Updated for the following SQL Server versions: SQL Server 2008 SP3, and SQL Server 2008 R2 SP1. Windows Embedded support now includes Thin PC, Windows Embedded POSReady7, and Windows Embedded Standard 7 SP1.
About Network Discovery
- Updated to clarify how Network Discovery finds the subnet mask.
How to Monitor Wake On LAN Activity
- As a result of community content, clarified that the reference to the Performance utility is the same as Performance Monitor. On some versions of Windows, and depending on how you access it, you will see just “Performance” and then “Performance Monitor” in the window title when you actually run it.
How to Install Configuration Manager Clients Using Group Policy
- As a result of community content, reworded for publishing rather than assigning the Configuration Manager client to users by using Group Policy.
Ports Used by Configuration Manager
- As a result of community content, added TCP port 53 in addition to UDP 53, for DNS.
Software Distribution Security Best Practices and Privacy Information
- Removed the reference to enabling Real Time Streaming Protocol (RTSP) and RTSP over TLS (RTSPS) for application virtualization streaming–enabled distribution points. This protocol is not supported by Configuration Manager 2007.
What's New in the Documentation Library for System Center 2012 Configuration Manager, January 2012
The following information lists the topics that contain significant changes since the December 2011 update.
Supported Configurations for Configuration Manager
- Updated the table in the Site and Site System Role Scalability section to include more site system roles, and to update the number of clients that site system roles at a secondary site can support.
Technical Reference for Accounts Used in Configuration Manager
- New topic that lists the groups and accounts that are used by Configuration Manager. Note that as a result of a publishing problem with angle brackets that denote a variable, the group names that end in _<sitecode> are currently listed in this topic as _[sitecode]. We hope to correct this soon.
What’s New in Configuration Manager
- Updated to clarify that NLB management points are no longer supported and this configuration is removed from the management point component properties.
Planning for Communications in Configuration Manager
- Updated with the new behavior of Internet-based clients that first try to download software updates from Microsoft Update when Configuration Manager detects these clients to be on the Internet. Only if this fails, do they then try to download them from Internet-based distribution points. The cross-forest table information is also updated to clarify the supported scenarios.
Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority
- As a result of customer feedback, updated the procedure for the web server certificate to clarify that when you specify a subject alternative name (SAN), the subject value remains empty. When a SAN is specified in a PKI certificate, Configuration Manager does not use the certificate subject, which is why it can remain empty.
Introduction to Client Deployment in Configuration Manager
- Updated with a new section “Considerations for Managing the Configuration Manager Client in a Virtual Desktop Infrastructure”, for customers who are using VDI.
Prerequisites for Client Deployment in Configuration Manager
- Added the information about the hotfix KB2552033, which must be installed on site servers that run Windows Server 2008 R2 when client push installation is enabled. Also added the required security permissions to configure enrollment for mobile devices, and to manage enrolled mobile devices.
About Client Settings in Configuration Manager
- Updated to clarify that the client setting Agent extensions manage the deployment of applications and software updates applies to only software updates and required applications. This setting has no effect for available applications and users can still request them in the Application Catalog. This setting also does not apply to packages and programs, or task sequences.
How to Enroll Mobile Device Clients in Configuration Manager 2012
- Updated with the information that remote wipe from the Application Catalog uses user device affinity, which is automatically configured for mobile devices that connect to an on-premise Exchange Server computer. For mobile devices that connect to Exchange Online, you must manually configure the user device affinity.
Introduction to Application Management in Configuration Manager
- Updated with the clarification that when an application with multiple deployment types is deployed, each deployment type is evaluated in order. The deployment type with the highest priority that meets the specified requirements is installed.
How to Manage User Device Affinity in Configuration Manager
- Updated with the recommendation to configure the client setting of User device affinity threshold (days) to a value of at least 7 days. This minimum value helps to avoid situations where an automatically configured user device affinity might be lost while the user is not logged on, for example, during the weekend.
Operating System Deployment in Configuration Manager
- This section has been updated for the following topics:
Introduction to Out of Band Management in Configuration Manager
- Added new section, “Extending Out of Band Management in Configuration Manager” for information about Intel support and their applications that extend out of band management for vPro computers.
Prerequisites for Endpoint Protection in Configuration Manager
- Updated to clarify that the Endpoint Protection point site system role must be installed on a central administration site, or where there is no central administration site, on the primary site that is at the top of the hierarchy.
How to Configure Endpoint Protection in Configuration Manager
- Updated to clarify the schedule for definition updates.
Microsoft System Center 2012 Configuration Manager Privacy Statement
- Minor updates and a new section for Setup Updates.
Microsoft System Center 2012 Configuration Manager Privacy Statement - Mobile Device Addendum
- Updated with the notification that this end-user privacy information is now available in additional languages from the Microsoft Download Center.
Frequently Asked Questions for Configuration Manager
- Updated with new entries that include the following:
-- The Configuration Manager Writing Team
This posting is provided "AS IS" with no warranties and confers no rights.
The Documentation Library for System Center 2012 Configuration Manager has been updated on the web and the latest content has Updated: December 1, 2011 at the top of the topic.
There are no significant updates for the Configuration Manager 2007 documentation library this month.
Because most of the topics for System Center 2012 Configuration Manager have been updated this month, we are not listing them individually in this blog post. The updates contain the latest information from the product group and clarifications that were requested by customers. There are no significant changes to the Package Conversion Manager tool.
We will continue to add more information for Configuration Manager as we get that information from the product group and in response to customer feedback. To help you find the right information, use the search portal for System Center 2012 Configuration Manager.
Note that we are writing for the released product, rather than for any prerelease version, such as Beta 2 or the Release Candidate. As such, there might be some discrepancies with the prerelease version that you are testing and the documentation. If you are testing a prerelease version, remember to check the release notes (link from Setup and Help) for any issues that are specific to that version.
The Documentation library for System Center 2012 Configuration Manager has been updated on the web and the latest content has Updated: November 1, 2011 at the top of the topic.
This month we have fewer doc updates but they do contain some important additional information or corrections to help you be more successful when you download and test the Release Candidate.
What's New in the Documentation Library for System Center 2012 Configuration Manager for November 2011
The following information lists the topics that contain significant changes since the October 2011 update.
– Updated for support statements that include site system requirements, mobile device platforms and languages, DirectAccess support and limitations, and Specialized Storage Technology.
– Updated to correct the information about PowerShell execution policy. There are also new entries for user policies and what functionality is limited when these are not enabled. The entries for the default Application Catalog website point and adding it to the trusted sites zone in Internet Explorer are also updated, with details about how automatic detection works.
– Updated for a new procedure to create a certificate file for distribution points: Deploying the Client Certificate for Distribution Points
Determine How to Manage Mobile Devices in Configuration Manager
– Updated to correct the information about software inventory support.
How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager
– Updated for the new enrollment link that was introduced in the Release Candidate to support both Windows mobile devices and Nokia mobile devices.
Fundamentals of Configuration Manager
– Updated for the latest changes in the product.
[Updated 12/02/2011]
Earlier today we released an updated version (found here) of the Definition Update Automation Tool for Forefront Endpoint Protection 2010 Update Rollup 1. This document provides steps for how to use this tool.
Important Note: We recommend installing the hotfix here if you are using the Definition Update Automation Tool.
With Forefront Endpoint Protection 2010 Update Rollup 1, you now can deploy Forefront Endpoint Protection definition updates to clients by using the Configuration Manager console. There are multiple definition update releases per day, thus making it time-consuming to manually download and deploy each definition update through the Configuration Manager Console. The Definition Update Automation Tool can be used to automate the steps required to keep a deployment of Forefront Endpoint Protection update definitions up to date. The tool will download the latest definition update and update the specified software update deployment with the latest definition. Configuring this tool to run automatically with Windows Task Scheduler or via a Configuration Manager Status Filter Rule can keep a deployment up to date without continuous and repetitive manual processes.
To learn more about managing software updates click here.
This tool was first released with Forefront Endpoint Protection 2010 Update Rollup 1. This release addresses a number of supportability issues, primarily around logging.
Bug Fixes:
Usage: SoftwareUpdateAutomation.exe parameters
Parameters:
/Help: Get program usage
/SiteServer: Site server computer name
/UpdateFilter: Filter for selecting software updates that are used for the destination packages
/AssignmentName: Name of destination software updates assignment
/PackageName: Name of destination software update package
/DisableRefreshDP: Disable automatic propagation of updated package to Distribution Points
/Verbose: Enable additional logging.
SoftwareUpdateAutomation.exe /AssignmentName FEPDeployment /Package FEP
This example will use local machine as Site Server and use the default UpdateFilter. It will add the latest Forefront Endpoint Protection definition update into Assignment “FEPDeployment” and Package “FEP” and refresh the Distribution Points if any updates were made to the deployment package.
To run this tool, you must copy the binaries to the Admin UI bin folder:
Now you can run this tool manually from a command line, or use Task Scheduler or a Status Filter Rule to run it automatically.
Note: This tool will only download the latest Forefront Endpoint Protection definition update and add it to the existing deployment and package. It will not synchronize the definition update into Configuration Manager. It is still necessary to run software update synchronization to synchronize the latest Forefront Endpoint Protection definition update into the Configuration Manager database before you run this tool. Please refer to How to Configure Software Updates Synchronization(http://technet.microsoft.com/en-us/library/bb632893.aspx) for information on how to configure the software update synchronization. As a best practice, before you run this tool, always make sure that a scheduled software update synchronization has completed.
/AssignmentName AssignmentName /PackageName PackageName
Where AssignmentName is the name of the software deployment for the definitions which you recorded earlier and PackageName is the name of the software package that contains the definitions which you recorded earlier. Parameters are not case sensitive.
Note: This is the recommended scheduling option as it allows the Definition Update Automation Tool to automatically run after a WSUS synchronization completes successfully.
Sample RunSoftwareUpdateAutomation.bat:
“<ConfigMgr Install Dir>\AdminUI\bin\SoftwareUpdateAutomation.exe” /AssignmentName ”AssignmentName” /PackageName “PackageName”
Note: It is recommended to put the Definition Update Automation Tool command line in a batch file to prevent problems with the quotes (“).
The status filter Rule runs the tool under the System account. To enable the tool to download, make sure the system account has the appropriate proxy settings. One option to configure the proxy settings for localsystem is to use the BITSAdmin Tool (for more information on the BITSAdmin Tool, click here).
You can use the command: bitsadmin /util /setieproxy localsystem to set the proxy setting for system account. (eg: bitsadmin /util /setieproxy localsystem myproxy *.mydomain.com)
A proper schedule for software update point synchronization is necessary to keep your Forefront Endpoint Protection clients up-to-date. Below is the recommended setting for these schedules when using this tool:
In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site name> / Site Settings / Component Configuration.
Right-click Software Update Point Component, click Properties.
Click Sync Schedule Tab, check Enable Synchronization on a schedule, check Simple schedule and Run every 1 Days.
There are four suggested Configuration Manager and Forefront Endpoint Protection 2010 topologies: See http://technet.microsoft.com/en-us/library/gg412503.aspx. In this section, we will give suggestions on where to run this tool for each topology.
Run this tool on each central site.
Run this tool on each child site. Note: the assignment and package you used for this tool must also be created on child site.
SoftwareUpdateAutomation.log will always be the first place to investigate. The log file is located in %ALLUSERSPROFILE%.
You can use the parameter /Verbose to enable verbose logging.
When using Task Scheduler to run the tool, the task must be selected to run as highest privilege. Otherwise, no log file will be created.
Error in SoftwareUpdateAutomation.log
Possible Reason and Resolution
Error:Error Downloading SourceURL…… Result: 12007
Verify that the proxy is set correctly.
If you run the tool with domain user account, check the proxy with command: netsh winhttp show proxy;
If you run the tool with system account (eg. You use Status Filter Rule to run the tool), check the proxy with command: bitsadmin /util /getieproxy localsystem.
Cannot find the log
The log is under %ProgramData% folder;
If you run it on Windows 2003 Server, there is no %ProgramData% environment variable. You can always use %ALLUSERSPROFILE% to access the folder contains the log file.
If you run the tool with a Task Sequence ensure that the user account used to run the tool has permission to create the log under that folder (and run as highest privilege is selected).
Make sure the command line parameters are set correctly; otherwise no log will be created.
--Jason Lewis
The Documentation library for System Center 2012 Configuration Manager has been updated on the web and the latest content has Updated: October 1, 2011 at the top of the topic.
We’ve been very busy this month, updating the library for the new System Center 2012 branding, publishing information about System Center 2012 Endpoint Protection, and the Package Conversion Manager feature pack, and updating all the docs so that you have the latest information when you download the Release Candidate.
We will continue to add more information for Configuration Manager as we get that information from the product group and in response to customer feedback. At the moment, some topics are published without any content to let you know that it’s planned – but the number of empty topics are now very few! We’ve been working on the topics that we see are being requested by customers. To help you find the right information, use the Configuration Manager 2012 search portal.
Note that we are writing for the released product, rather than for any prerelease version, such as Beta 2 or the Release Candidate. As such, there might be some discrepancies with the prerelease version that you are testing and the documentation.
What's New in the Documentation Library for System Center 2012 Configuration Manager for October 2011
The following information lists the topics that contain significant changes since the September 2011 update.
– Updated for support statements that were previously published on the Microsoft Connect site.
– The Client Deployment and Operations section is updated for Remote Control and Endpoint Protection.
Introduction to Site Administration in Configuration Manager
– New topic for overview information about how to plan, deploy, configure, and maintain a Configuration Manager hierarchy.
Planning for Discovery in Configuration Manager
– Updated for new information about Active Directory forest discovery.
Planning for Site Systems in Configuration Manager
– Updated for site system role placement and planning considerations.
Planning for Security in Configuration Manager
– Updated for the section Planning a Transition Strategy for PKI Certificates and Internet-Based Client Management.
Planning for Site Operations in Configuration Manager
– Updated for backup and recovery information.
Prepare the Windows Environment for Configuration Manager
– Updated for information about extending the Active Directory schema for Configuration Manager and setting security permissions so that sites can publish to Active Directory Domain Service, and how to configure IIS for site system roles.
Install Sites and Create a Hierarchy for Configuration Manager
– Updated for Setup information.
Configuring Discovery in Configuration Manager
– Updated for how to configure Active Directory Forest Discovery.
Configuring Settings for Client Management in Configuration Manager
– Updated for how to configure maintenance windows, the implications of multiple maintenance windows, and how these work with Software Center.
Backup and Recovery in Configuration Manager
– Updated for information about how to backup and recover a site.
Reporting in Configuration Manager
– This section has been updated throughout for reporting information.
Security and Privacy for Site Administration in Configuration Manager
– Updated for security best practices related to site administration and privacy information for Discovery.
Technical Reference for Log Files in Configuration Manager
– Updated for the log files that are created by Configuration Manager. We will continue to update this topic when the information becomes available.
Security and Privacy for Migration to System Center 2012 Configuration Manager
– New topic that lists security best practices and issues, and privacy information for when you migrate from Configuration Manager 2007 to System Center 2012 Configuration Manager.
– Updated for Prerequisites for Mobile Device Clients.
Security and Privacy for Clients in Configuration Manager
– Updated for security and privacy information for clients and mobile devices that are managed by the Exchange Server connector, and privacy information.
– Updated to reflect the latest client settings options.
– Updated for additional information, which includes simulated deployments and supersedence.
How to Simulate an Application Deployment in Configuration Manager
– New topic that provides information about how to use the new simulated deployment option.
How to Use Application Supersedence in Configuration Manager
– New topic that provides information about how to use the new supersedence option.
How to Create Applications in Configuration Manager
- Updated for procedural information.
How to Create Deployment Types in Configuration Manager
How to Deploy Applications in Configuration Manager
Security and Privacy for Application Management in Configuration Manager
– Updated for security and privacy information for application management and the Application Catalog.
How to Enable CRL Checking for Software Updates
– New topic that provides information about how to enable certificate revocation checking in the Configuration Manager console for when you download software updates.
Security and Privacy for Software Updates in Configuration Manager
– Updated for security and privacy information for software updates.
Security and Privacy for Deploying Operating Systems in Configuration Manager
– Updated for security and privacy information for operating system deployment.
How to Create Collections in Configuration Manager
– Updated procedural information.
How to Use Maintenance Windows in Configuration Manager
Security and Privacy for Collections in Configuration Manager
– Updated for security and privacy information for collections.
Security and Privacy for Queries in Configuration Manager
– Updated for security and privacy information for queries.
How to Configure Software Inventory in Configuration Manager
– Updated for how to configure software inventory.
How to Use Resource Explorer to View Software Inventory in Configuration Manager
– Updated for how to use Resource Explorer.
Power Management in Configuration Manager
– This section is updated throughout.
Best Practices for Out of Band Management in Configuration Manager
– New topic that lists some operational best practices for when you manage Intel AMT-based computers out of band.
Endpoint Protection in Configuration Manager
– New section that introduces Endpoint Protection how to plan, configure, and use it.
What’s New in the Documentation for Configuration Manager
– Updated for the new Security and Privacy guide and a link to the new glossary.
– Updated for new questions that include:
Configuration Manager Package Conversion Manager (Prerelease)
– New section that provides information about this new feature pack that allows you to convert packages from Configuration Manager 2007 into application for System Center 2012 Configuration Manager.
The release candidates for System Center 2012 Configuration Manager and System Center 2012 Endpoint Protection are now available on the Microsoft Download Center. In case you missed it, the release announcement describing the features of the release candidate can be viewed here. You will find pre-release documentation in our Technet Library here.
We encourage all our readers to download and evaluate these releases and provide feedback through our Community Evaluation Program (CEP).
--Yvette O’Meally
[Today’s announcement comes from Brian Huneycutt]
The Sustained Engineering team has released an update to the “Microsoft System Center Configuration Manager 2007 SP2 Management Pack for Microsoft System Center Operations Manager 2007 R2”.
Due to changes in naming convention, this update is now referred to as the “System Center Monitoring Pack for Configuration Manager 2007 SP2 (Converted)”. You can download the new release here.
This is a very limited scope release intended to address top customer issues reported after shipping the last Management Pack (MP). As you can see from the name this is still a converted MP although the Monitoring Pack for Configuration Manager 2012 will be native.
The following changes, also covered in the updated MP guide, are in version 6.0.6000.3.
The prior version of the MP will upgrade directly to the new release.
If you are running an alternate MP, such as one that was unsealed, modified, and then sealed again the upgrade steps will include the following:
--Brian Huneycutt
[Today's post is from the Configuration Manager Writing Team]
The Configuration Manager 2012 documentation library has been updated on the web and the latest content has Updated: September 1, 2011 at the top of the topic.
We will continue to add more information for Configuration Manager 2012 as we get that information from the product group and in response to customer feedback. At the moment, some topics are published without any content to let you know that it’s planned. We also monitor page hits and search results to help us plan when to publish the information. To help you find the right information, use the Configuration Manager 2012 search portal.
Note that we are writing for the released product, rather than for any pre-release version, such as Beta 2. As such, there might be some discrepancies with the pre-release version that you are testing and the documentation.
What's New in the Configuration Manager 2012 Documentation Library for September 2011
The following information lists the topics that contain significant changes since the August 2011 update.
Configuring the Application Catalog and Software Center in Configuration Manager
– New topic with the steps and procedures required to install and configure the Application Catalog and Software Center. These elements support user-centric management, a central theme of Configuration Manager 2012.
Prerequisites for Application Management in Configuration Manager
– Updated for the Application Catalog dependencies.
– Updated to clarify that mobile devices that are enrolled by Configuration Manager always connect to the Internet FQDN of the management point and distribution point in primary sites.
– Updated the section Deploying the Web Server Certificate for Site Systems that run IIS, to accommodate site system roles that allow connections from the Internet.
Administrator Checklist: Deploying Clients in Configuration Manager
– New topic that lists the steps to deploy clients on computers and mobile devices.
About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager
– Information added about which client installation properties are published to Active Directory Domain Services.