The new Configuration Manager Application Catalog represents a great opportunity for you to deliver self-service application installation to your company’s users. By modeling the applications and publishing them in the Application Catalog, you can offer up a service that makes installing applications quick and easy for your end-users. Because the Application Catalog only shows applications that are deployed to the user, your end users also get a tailored experience just for their job role. To make the most effective use of the Application Catalog and ensure you’re delivering the best experience possible, here are a few tips we’ve learned from real world deployments.
Site System Role Installation
If you’re hosting fewer than 10,000 users in your company’s intranet, co-locating the Application Catalog web service and Application Catalog website roles on the same server should work just fine. Remember that the web service role connects directly to your database, so ensure that the network connectivity between the SQL server and the Application Catalog web service servers is robust. Refer to the product documentation for specific scalability guidance.
If you’re hosting more than 10,000 users, or when you have more geographically distributed users, consider deploying additional application catalogs to keep responsiveness high and user satisfaction up. Use client settings to configure collections of computers to use different Application Catalog servers.
For deployments with two or more primary sites, it helps to have at least one set of Application Catalog roles per primary site. When you configure the Computer Agent client settings, set the Default Application Catalog Website point value to Automatically detect and the system will take care of assigning the local Application Catalog role for clients in each primary site.
For deployments that need to scale out (especially for Application Catalog performance), it’s better to scale out by using separate primary sites rather than installing a second Application Catalog role for the same primary site as the existing Application Catalog. Doing so allows the Application Catalog web service roles to communicate with a different SQL Server database and provides a better end-user experience.
The User Experience
The Application Catalog has code running in the browser, but the user’s experience is heavily dependent on the data exchange with the catalog web server. Some caching takes place on the Application Catalog web roles for performance optimization, but several factors influence the overall performance and responsiveness of the Application Catalog:
Tell me about the applications!
Great descriptions for your applications are critical. It’s amazing to watch users browse through a screen full of text. Some users are very deliberate and read every word, but most simply scan for key words. Some users use visual recognition of the application icon. Whatever the style of user, plan to accommodate the most typical ones as you fill out your Application Catalog metadata. Here are some specific best practices:
Thanks for making it through this blog! You now have some new tools at your disposal to deliver a great self-service application catalog to your users.
For more information about the Application Catalog, see Introducing the Application Catalog and Software Center in System Center 2012 Configuration Manager on this blog, and Configuring the Application Catalog and Software Center in Configuration Manager on TechNet.
--Dave Randall
This posting is provided "AS IS" with no warranties and confers no rights.
We would like to inform you of the upcoming changes to the System Center Online cloud service that is used by Configuration Manager Asset Intelligence synchronization points to synchronize software catalog data. We are upgrading the catalog service and hosting it on a new platform. This week onwards, all Configuration Manager Asset Intelligence synchronization points will start to silently redirect to the new catalog service platform.
There is no action required by you as a result of this migration. At the end of your standard synchronization period, existing Asset Intelligence synchronization points will detect the new service platform and begin to automatically migrate. After migration is complete, Asset Intelligence synchronization points will continue to synchronize catalog data from the upgraded catalog service.
However, we do recommend that customers running Configuration Manager 2007 Service Pack 2 apply the latest Asset Intelligence Hotfix Rollup.
Use the following information if you want to understand more about the migration process and how to track it.
The migration process takes place in two steps:
When the Asset Intelligence synchronization point contacts the upgraded catalog service for the first time, it presents its current watermark to the catalog service and attempts to download the Asset Intelligence catalog. To indicate to the Asset Intelligence synchronization point that a full download of the catalog is required rather than a delta download, the service refuses the watermark and issues a new one. Example AIUpdateSvc.log file entry:
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 06:52:42 GMT:Error WatermarkNotHonored during download
The Asset Intelligence synchronization point then resets its watermark and schedules an immediate retry of the catalog download. It retries on the following intervals: 1 hour, 3 hours, and then every 6 hours if necessary. Example AIUpdateSvc.log file entry:
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 06:52:42 GMT:Updating retry data
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 06:52:42 GMT:=====================Catalog download done=====================
After the Asset Intelligence synchronization point updates the watermark, the next catalog download is successful. Example AIUpdateSvc.log file entry:
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:37:42 GMT:Retry sync is due.
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:37:42 GMT:No proxy server
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:37:42 GMT:=====================Downloading catalog=====================
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:37:44 GMT:Detected MPC download begin in file C:\Windows\TEMP\SMS_AIUS\btrzwq1g.ucq.tmp, batch id 021953b5-deaa-41fb-aebf-5fbbd9bd7bd7
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:37:57 GMT:Detected MPC download end
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:48:19 GMT:Processing 1480 data/status files from download
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:48:42 GMT:=====================Data/Status copied to outbox=====================
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:48:42 GMT:=====================Catalog download done=====================
Overall, the migration process will take at least one hour from the time that the Asset Intelligence synchronization point first contacts the upgraded catalog service. You do not have to take any actions because the migration will complete on its own.
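The log sequence described above can be tracked programmatically. The following Python is an added example, not code from the original post or from Microsoft; it assumes one entry per line in the format of the samples quoted here, and the function and state names are hypothetical. It treats "Catalog download done" as completion only when "Data/Status copied to outbox" precedes it in the same cycle, because the same line is also logged right after the watermark is refused.

```python
import re
from datetime import datetime, timezone

# Assumption: each AIUpdateSvc.log entry sits on its own line and follows the
# layout of the entries quoted in this post.
ENTRY_RE = re.compile(
    r"^Asset Intelligence Catalog Sync Service Information: \d+ : "
    r"(?P<ts>\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) GMT:(?P<msg>.*)$"
)
FILES_RE = re.compile(r"Processing (\d+) data/status files")

# Constructed sample, assembled from the entries quoted in this post.
PREFIX = "Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 "
SAMPLE_MESSAGES = [
    ("06:52:42", "Error WatermarkNotHonored during download"),
    ("06:52:42", "Updating retry data"),
    ("06:52:42", "=====================Catalog download done====================="),
    ("07:37:42", "Retry sync is due."),
    ("07:37:42", "No proxy server"),
    ("07:37:42", "=====================Downloading catalog====================="),
    ("07:37:57", "Detected MPC download end"),
    ("07:48:19", "Processing 1480 data/status files from download"),
    ("07:48:42", "=====================Data/Status copied to outbox====================="),
    ("07:48:42", "=====================Catalog download done====================="),
]
SAMPLE_LOG = "\n".join(f"{PREFIX}{t} GMT:{m}" for t, m in SAMPLE_MESSAGES)


def parse_entries(text):
    """Yield (UTC timestamp, message) for every line that matches the entry format."""
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match is None:
            continue  # blank lines or entries in another format
        stamp = datetime.strptime(match.group("ts"), "%a, %d %b %Y %H:%M:%S")
        yield stamp.replace(tzinfo=timezone.utc), match.group("msg")


def migration_state(text):
    """Classify the migration as not_started, awaiting_retry, downloading or complete."""
    state, refused_at, completed_at = "not_started", None, None
    copied_to_outbox, files = False, None
    for stamp, msg in parse_entries(text):
        if "WatermarkNotHonored" in msg:
            # Step 1: the service refused the old watermark; keep the first time seen.
            refused_at = refused_at or stamp
            state, copied_to_outbox = "awaiting_retry", False
        elif refused_at is None:
            continue  # sync activity from before the migration began
        elif "Downloading catalog" in msg:
            state, copied_to_outbox, files = "downloading", False, None
        elif FILES_RE.search(msg):
            files = int(FILES_RE.search(msg).group(1))
        elif "Data/Status copied to outbox" in msg:
            copied_to_outbox = True
        elif "Catalog download done" in msg:
            if copied_to_outbox:
                # Step 2 finished: a full catalog was downloaded and handed off.
                state, completed_at = "complete", stamp
                break
            # The cycle ended without data, so the point waits for the next retry.
            state = "awaiting_retry"
    return {
        "state": state,
        "refused_at": refused_at,
        "completed_at": completed_at,
        "elapsed": completed_at - refused_at if completed_at else None,
        "files_processed": files,
    }


if __name__ == "__main__":
    print(migration_state(SAMPLE_LOG))
```
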
When the migration is complete, you will see the following:
This blog post notifies you of planned changes that Microsoft is making this week to upgrade the System Center Online cloud service. As a result, all Configuration Manager Asset Intelligence synchronization points will be silently redirected to the new catalog service platform.
During the automatic migration process, you can track progress in the AIUpdateSvc.log file entry. There is no action required as the migration will complete on its own. We also recommend installing the latest hotfix rollup if you are running Configuration Manager 2007 SP2.
--Yvette O'Meally
As all Configuration Manager customers know, security is challenging and often requires complex setup configurations. Setting up a Certificate Authority, issuing certificates, and maintaining them can be a herculean task, and in most cases involves interacting with multiple teams in an organization.
It is the price we pay to have a highly secure environment, where the administrators, executives, and employees don’t have to worry about their data being compromised.
Configuration Manager leverages an existing PKI infrastructure to enable secure communication between clients and site system roles.
Before System Center Configuration Manager 2012, Configuration Manager 2007 had concepts called native mode and mixed mode: The philosophy behind native mode was to secure the site server and all its site systems, in addition to securing all site-to-site communication. This involved configuring a site signing certificate on all installed sites, plus there was an added restriction that a native mode site must always report to a native mode site.
During the planning phase for System Center 2012 Configuration Manager, we listened to customer feedback and revisited this native and mixed mode model, and debated our previous concept of securing the site. The result was client computer communication.
Key concepts for client computer communication:
Let’s take a couple of example scenarios to see how this new model works.
Woodgrove Bank currently has 20,000 intranet clients. These clients never leave the corporate network. Management recently made some changes in corporate policy to address the employee concerns about work life balance and the request for more flexible working arrangements. With the new policy in effect, 30% of the task force will be issued new laptops and they are allowed to work from home.
When the Configuration Manager administrator first read this memo, his first thought was “I have a lot of extra work to do before I can manage these laptops on the Internet!”
Currently all the clients are managed by a single System Center 2012 Configuration Manager primary site (PR1). All the site system roles are configured to communicate over HTTP.
Being aware of how native mode and Internet-based client management worked in Configuration Manager 2007, the administrator’s first assumption was that he would have to install a new native mode primary site. He doesn’t currently have a central administration site, so he thought this would mean either having two hierarchies to manage or redesigning his existing hierarchy.
However, when he investigates the changes in System Center 2012 Configuration Manager, he realizes that he does not need an additional site. Instead, all that’s needed are a few Internet-based roles that are configured for HTTPS communication:
Here’s a comparison of how the two solutions might look for this scenario, to support Internet-based client management in Configuration Manager 2007 and System Center 2012 Configuration Manager:
*A red halo around the site system roles represents sites and roles that are capable of HTTPS communication.
The next challenge is how to manage Internet clients when they move back into the intranet. Our administrator does not want to change the existing hierarchy and does not want to configure all the clients and site system roles on the intranet to have PKI certificates. The answer to this is enabling intelligent client behavior, one of the new key concepts mentioned previously.
To enable this behavior, simply select this check box from the property page in the previous screenshot:
When selected, Internet clients on the intranet can communicate with HTTP site system roles on the intranet.
Trey Research has 5,000 clients that are managed by a single primary site (PR1). After the recent security push, the Configuration Manager administrator was instructed that all clients must communicate over HTTPS by using PKI certificates for mutual authentication.
If the site had been running Configuration Manager 2007, this would require migrating the whole site from mixed mode to native mode. This would involve checking that all clients had a PKI client certificate, reconfiguring IIS for all the site system roles, configuring the site to use the site server signing certificate, automatically reinstalling site system roles to operate in native mode, and waiting for the site server to re-sign all the client policies. This “big bang” approach requires a lot of careful planning to make sure that clients are not unmanaged after the migration, with the recommendation to make this change during a quiet period.
Because Trey Research has System Center 2012 Configuration Manager, the administrator doesn’t have to take this risk and work over the weekend. Instead, he does the following:
I hope that this information and these example scenarios shed some light on the changes we made for System Center 2012 Configuration Manager, and how you can benefit from the flexibility they provide to manage clients over HTTPS – whether this is to manage clients on the Internet or to provide greater security on the intranet.
For more information, see the following in the System Center 2012 Configuration Manager Documentation Library:
-- Abhishek Pathak
We’re pleased to announce that you can now download the documentation for System Center 2012 Configuration Manager and you can choose from three different formats:
Download link: Technical Documentation Download for System Center 2012 Configuration Manager
Downloadable Chm - Help Update Wizard
The first option uses the System Center 2012 Configuration Manager Help Update Wizard, similar to how we’ve done this previously with Configuration Manager 2007. Use this wizard to install a local help file, which contains a copy of the guides in the TechNet Documentation Library for System Center 2012 Configuration Manager.
After installation, you can load the help file from a Configuration Manager console or independently, for example, from a shortcut on your desktop. After you have installed the local help file, you can expand System Center 2012 Configuration Manager to confirm that it now contains the Configuration Manager guides that are published on TechNet. You can then use the Search tab to search for text in titles or in the body of the topic, and use the Print option to print all topics under a selected node.
New! – Word and PDF
We are also piloting Word and PDF formats, to provide a more portable option for the docs. We haven’t done this in the past because of the size of our documentation library, but many customers have requested this so we’re piloting these additional options. Let us know how you get on with these and your preferences.
Unlike the other System Center components, we have not offered the downloads by guide because there is too much linking between them. Having a separate download for each guide would break the offline experience for links that go to other guides and you wouldn’t be able to search across them.
Bonus - New version of the Help File Updater Wizard for Configuration Manager 2007
For good measure, we have also provided a new version of the Help File Updater Wizard for Configuration Manager 2007, which contains a roll-up of all changes since the last version in June, 2011.
Advantages and Disadvantages of Downloaded Documentation
We know that downloadable versions of the documentation are important to you, because you don’t always have Internet access (or might not have reliable connectivity). Some people find them easier to read, search, and print. However, we cannot keep them as up-to-date as the content on TechNet, where we can update individual topics on a regular basis as we get more information from the product group or in response to customer feedback. Whenever possible, use TechNet for the most current information.
Search: If you use the downloaded documentation because you find it easier to search (it returns topics from the Configuration Manager library only), try the scoped search string that we provide in the Information and Support for Configuration Manager page as an alternative. This provides a Bing search string that is scoped to the System Center 2012 Configuration Manager Documentation Library, so you don’t get results for Configuration Manager 2007, for other Microsoft products, or from external sources. Use the instructions and examples provided to help you create your own searches, using AND, OR, and NOT operators.
Tip: To use a similar scoped search string for Configuration Manager 2007, use "search_criteria" site:technet.microsoft.com/en-us/library meta:search.MSCategory(hh528538)
Print and save to PDF: As an alternative to using the downloaded documentation for printing multiple topics (for example, the whole Site Administration guide), try using the Print/Export Multiple Topics feature that is available in the TechNet Lightweight Library. This feature has been in beta for a while and is now officially released. You can find more information about how it works in this blog posting: http://thirdblogfromthesun.com/2011/08/export-then-print-multiple-library-topics-beta/ This functionality is currently restricted to 100 topics at a time, but there are fewer than 100 topics in each guide, with the exception of the Assets and Compliance guide. So for example, you could select and save in PDF format all the topics in the Site Administration guide. Then print them or view them on your mobile device.
Send feedback: We’re looking forward to your feedback about the different formats, which one you prefer, and why – so email us at the usual address of SMSDocs@microsoft.com and we will report back the results.
-- The Configuration Manager Writing Team
The Documentation Library for System Center 2012 Configuration Manager and the Configuration Manager 2007 Documentation Library have been updated on the web and the latest content has Updated: May 1, 2012 at the top of the topic.
Downloadable documentation will be available soon, to be announced on this blog.
In addition to updating the documentation libraries, we also have two new topics that are added to the Technical Publications for System Center 2012 Configuration Manager:
We have removed the reference to the downloadable quizzes in Configuration Manager 2007 Quizzes. Now that the web-based quizzes are available, expect the downloadable versions to be retired soon. All new quizzes and any updates will be web-based.
We value customer feedback and try to incorporate it when possible. Although we can’t promise to make the docs perfect for everybody, we are committed to continual improvement. So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com.
What's New in the Documentation Library for System Center 2012 Configuration Manager, May 2012
The following information lists the topics that contain significant changes since the April 2012 update.
Supported Configurations for Configuration Manager
- Updated to remove the previously documented limitation that the NetBIOS name must match the first label of the domain FQDN. The SQL Server statements are also updated to include the Datacenter edition and this addition is also made in Planning for Hardware Configurations for Configuration Manager. We’ve also clarified that CU versions for SQL Server are minimum versions.
What’s New in Configuration Manager
- Updated the Sites and Hierarchies section for a new section for Language Pack Support. This information is also clarified in the Client Deployment and Operations section, which contains the information that you no longer install International Client Packs (ICPs) when you want to support different languages on the client.
Planning for Site Systems in Configuration Manager
- Updated the site system role placement for secondary sites. Most site system roles must be on the secondary site server.
Planning for Sites and Hierarchies in Configuration Manager
- Updated for additional information about planning for language packs at Configuration Manager sites, clients, and the Configuration Manager console.
Planning for Discovery in Configuration Manager
- Updated for the new section, Best Practices for Discovery.
Planning for Communications in Configuration Manager
- Updated for a procedure how to manually publish management points to DNS on Windows Server.
Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager
- Updated the Steps Taken section in Scenario 2: Infrastructure Reduction and Management of Client Settings, to clarify that the decision to install a primary site in London instead of a secondary site was a result of assessing the available hardware for a site server, the current number of clients at London (5,500 clients exceed the supported number of clients for a secondary site), and the potential for growth at the location.
Install Sites and Create a Hierarchy for Configuration Manager
- Updated for a new section, Decommission Sites and Hierarchies, for information about how to uninstall Configuration Manager.
Manage Site and Hierarchy Configurations
- Updated for the new section, Manage Language Packs at Configuration Manager Sites.
Security and Privacy for Site Administration in Configuration Manager
- Updated the entry about the Security Configuration Wizard with the link to download the toolkit for System Center 2012 Configuration Manager: System Center 2012: Configuration Manager Component Add-ons and Extensions. This information is also updated in the Security and Privacy for System Center 2012 Configuration Manager guide.
Technical Reference for Ports Used in Configuration Manager
- Updated for the ports used by the new site system roles: the Application Catalog website point and Application Catalog web service point; the enrollment point and enrollment proxy point; and the Endpoint Protection point. Also clarified that Configuration Manager does not support dynamic ports for SQL Server.
Technical Reference for Language Packs in Configuration Manager
- New topic that provides technical details about language support in System Center 2012 Configuration Manager.
Planning for Migration to System Center 2012 Configuration Manager
- Updated for additional information about planning for overlapping boundaries if you will install new Configuration Manager 2007 clients during the migration period.
About Client Installation Properties in Configuration Manager
- Updated for information about file locations for the /config:, /NotifyOnly, and CCMENABLELOGGING installation properties.
How to Manage Applications and Deployment Types in Configuration Manager
- Updated to clarify that the Retire management task does not remove any installed copies of the application from client computers.
Security and Privacy for Application Management in Configuration Manager
- Updated for the security best practice of deploying only signed applications for mobile devices so that you don’t have to configure settings that let unsigned applications install and run (“unlock”).
Introduction to Software Updates in Configuration Manager
- Updated for the new Extend Software Updates in Configuration Manager section for information about System Center Updates Publisher 2011 and added a reference to the new scenario topic, Example Scenario for Deploying Software Updates.
Example Scenario for Deploying Software Updates
- New topic that provides an example scenario for how you might deploy software updates in your environment.
Prerequisites For Deploying Operating Systems in Configuration Manager
- Updated for the external dependency, DHCP.
Planning a Task Sequences Strategy in Configuration Manager
- Updated for information about running task sequences in a maintenance window.
How to Manage the User State in Configuration Manager
- Updated for how to create a USMT package and how to restore the user state if the operating system deployment fails.
Task Sequence Steps in Configuration Manager
- Updated the Install Software Updates step for the information that the step cannot suppress restarts if the software update requires a restart.
How to Deploy Operating Systems by Using PXE in Configuration Manager
- As a result of customer feedback, updated to clarify that the exclusion list file can be stored anywhere on the computer and the specified path is used to identify the location.
Example Scenario for PXE-Initiated Operating System Deployment
- New topic that provides an example scenario for how you might deploy an operating system by using PXE in your environment.
Best Practices for Collections in Configuration Manager
- Updated for the new best practice: Do not modify the built-in collections and instead, copy and then modify the pasted collection.
How to Create Queries in Configuration Manager
- Updated to clarify that a query that contains no criteria will return all devices in the All Systems collection.
How to Extend Hardware Inventory in Configuration Manager
- Updated for the information that you must create a hardware inventory class for any MIF files you want to add to inventory.
How to Configure Software Inventory in Configuration Manager
- Updated for an example of how to specify a file type that you want to inventory.
Introduction to Software Metering in Configuration Manager
- Updated to include the reference to Example Scenario for Software Metering in Configuration Manager.
How to Manage AMT-based Computers Out of Band in Configuration Manager
- Updated to clarify that the out of band management power control commands are always available for a collection, even if the collection contains resources that are not provisioned for AMT.
How to Configure Endpoint Protection in Configuration Manager
- Updated for information about using software updates automatic deployment rules to deploy definition updates for Endpoint Protection.
Frequently Asked Questions for Configuration Manager
Updated for the new entries:
What’s New in the Documentation for Configuration Manager
- Updated with a section, What's New in the Documentation Library for May 2012, which lists the topics with significant technical updates since the official publication of the documentation library in March.
Information and Support for Configuration Manager
- Updated the Search the Configuration Manager Documentation Library section to explain how to use the scoped search link, with examples and search tips. Scoped search lets you search for topics that are only within the Documentation Library for System Center 2012 Configuration Manager. For example, it excludes links from Configuration Manager 2007 and external sources.
What's New in the Configuration Manager 2007 Documentation Library for May 2012
Configuration Manager 2007 General Supported Configurations
- Updated for the information that Windows Server 2008 R2 domain functional level and forest functional level is supported with Configuration Manager 2007 SP1 and Configuration Manager 2007 SP2.
Configuration Manager 2007 SP2 Supported Configurations
- Updated for SQL Server 2012 and Windows Embedded, which now includes Thin PC, Windows Embedded POSReady 7, and Windows Embedded Standard 7 SP1.
How to Manually Publish the Default Management Point to DNS
- As a result of customer feedback, updated with a procedure for Windows Server DNS.
About Heartbeat Discovery
- As a result of customer feedback, updated for information about how to initiate a manual Heartbeat Discovery cycle.
How to Create a Query
Conflicting Records
- Updated this technical reference topic to clarify that you must have Modify Resource and Read Resource permissions on any collection that contains a conflicting record to reconcile the conflicting records that appear in the Conflicting Records node.
About Configuration Manager Client Installation Properties
- As a result of customer feedback, updated the /mp:<Computer> CCMSetup property with the tip that if the client connects to a native mode management point, typically, you must specify the FQDN for this option rather than the computer name.
How to Capture and Restore the User State
- Updated for information about how to create a USMT package and added a section to restore the user state if the operating system deployment fails.
Install Software Updates Task Sequence Step
- Updated for the information that the step cannot suppress restarts if the software update requires a restart.
How to Provision Computers for AMT
- As a result of customer feedback, updated for a third step to perform before you provision AMT-based computers out of band: Identify the SMBIOS GUID for each computer so that you have this information for when you run the Import Computer for Out of Band Management Wizard. This information remains on the Import Computer for Out of Band Management Wizard page.
- New topic that rolls up the significant technical changes since June 2011.
If you use the Import Application Wizard and see the error message dialog box in the following screenshot that says “Cannot find any application in the specified file to import”, it might be because of one of these reasons:
In the current release, there is nothing in the log files that would help to identify the cause of this error.
To determine whether the zip file that you selected to import is a Configuration Manager application export file, the zip file should contain a structure similar to the following example:
If the file does not contain a similar structure, the import will fail.
To resolve the import error problem, try the following:
Summary:
If you see the error message “Cannot find any application in the specified file to import” when you try to import an application, check that the file is not corrupt and that it is an application exported zip file.
For more information about application management in System Center 2012 Configuration Manager, see How to Manage Applications and Deployment Types or Application Management in Configuration Manager in the System Center 2012 Configuration Manager Documentation Library.
--Michael Wray
You can use Configuration Manager to install the Enhanced Mitigation Experience Toolkit (EMET) 3.0 and subsequent configurations for applications to increase the security of applications on your managed systems. This blog walks you through the process of deploying and configuring EMET 3.0 using Configuration Manager.
The Enhanced Mitigation Experience Toolkit (EMET) 3.0 is designed to help prevent hackers from gaining access to your system, by adding additional security to any application configured for enhanced mitigation. One of the primary benefits of EMET is in hardening legacy applications that either don’t have up-to-date security mitigations in-code, or that haven’t been patched to the latest versions. Without vendor-provided updates to these applications, or adding the additional security controls and recompiling the application, there would be no easy way to secure them from exploitation. That’s where EMET comes in.
EMET leverages a Windows shim infrastructure called the Application Compatibility Framework. Using this framework, EMET applies the specified mitigations to each application configured for enhanced mitigation in a way that adds no additional resource overhead to the monitored applications. Full details on the latest release of EMET can be found here. EMET 3.0 can be downloaded from here.
EMET 3.0 also provides out-of-the-box protection profiles that add mitigation for some common applications. These can be applied to clients with EMET installed by running a simple configuration binary. Additionally, the XML schema used in the protection profiles is straightforward and can be easily modified to add your applications to the list of mitigated apps, and updated configurations can of course be delivered by Configuration Manager. As with any application you plan on deploying, it’s important to test EMET thoroughly against your desired applications before deploying to production.
The first step in deploying EMET is to download the EMET 3.0 MSI. After you have the MSI, complete the following steps. In this example, I’m going to reference building an application in Configuration Manager 2012, but the same thing could be accomplished with packages, programs, and advertisements using Configuration Manager 2007.
Now that you have EMET deployed (or the deployment in progress), you will need to configure EMET for enhanced mitigation of your specified applications. Without configuring EMET, the EMET client does nothing to offer enhanced application protection. Here we’ll create a collection of clients reporting they have the EMET client installed, and we’ll target those with the configuration package.
So the goal of this blog is twofold: one, I wanted to raise everyone’s awareness of the EMET tool itself, and two, I wanted to provide a simple way you can use Configuration Manager to deploy the EMET client and to configure it. At this time, we don’t have a way to surface EMET events (which are written to the event log on clients) into Configuration Manager, but we’re always investigating ways to make our solutions better together so it’s functionality we know that you need in the future. One option for surfacing events would be using event forwarding and parsing the results into SQL, but that’s outside of the scope of this particular blog. The main point is that EMET is an awesome tool for application hardening, and Configuration Manager is an excellent way to deploy and configure EMET.
--Jason Githens
The Configuration Manager console has been greatly improved in System Center 2012 Configuration Manager, which enhances its usability. In addition to improvements in performance and layout, the console now supports a quicker way to monitor the status of distribution point site system roles.
Using this new monitoring capability, you might see that the installation of a distribution point on a computer other than the site server (known as a remote distribution point) displays an error, with the message Failed to create virtual directory. This failure often indicates that the distribution point computer must be rebooted so that the IIS installation and configuration can complete. This might not be the only reason for this error, but try the following process to resolve the problem:
The following screenshot shows an example of this Failed to create virtual directory error:
Note: There is a known issue in the current release where the error might not always clear to return the distribution point status back to a success state. We hope to address this issue in a future release.
If you double-click this message, the following dialog box provides more detailed information:
To see whether you have resolved the problem, refresh the Configuration Manager console, and look for the new messages IIS was configured successfully and Content was distributed to distribution point:
For more information about managing the content library in System Center 2012 Configuration Manager, see Content Management in Configuration Manager in the System Center 2012 Configuration Manager Documentation Library.
You might see content mismatch warnings in System Center 2012 Configuration Manager when content validation runs and determines that there is a discrepancy between the expected list of packages in WMI on the distribution point and the packages in the content library. In this scenario, the distribution point status goes into a warning state and the status message returned by the distribution point is listed in the Details pane when you view the status of the distribution point in the Monitoring workspace, Distribution Point Configuration Status node.
You can see an example of this scenario in the following screenshot where a distribution point has a Warning state and there is a status message in the Details tab in the Details pane that shows there was a failure to retrieve the package list.
Note: There is a known issue in the current release where the warning might not always clear to return the distribution point status back to a success state. We hope to address this issue in a future release.
To determine which package is causing this mismatch, review the smsdpmon.log file on the distribution point.
Using the CMTrace log file tool, the following snapshot shows the corresponding smsdpmon.log entry:
Notice the log entries:
CContentDefinition::LibraryPackagesWmi: The package data in WMI is not consistent to PkgLib
CContentDefinition::LibraryPackagesWmi: Package CCA0000A can't be found in PkgLib
The simplest way to determine the missing package is to view the Content Status in the Monitoring workspace and search for the package ID by using the search field. After you have found the package ID, you can determine the name of the software.
If the package is not on the site, you must remove the package from WMI on the distribution point. The namespace to connect to is root\sccmdp. The class that contains the list of packages expected is SMS_PackagesInContLib. The simplest way to find the package and remove it from WMI is to run a query on the distribution point such as the following, and then delete the object that is returned.
select * from SMS_PackagesInContLib Where PackageID = 'CCB00002'
Note: Ensure that you replace CCB00002 with your own package ID.
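The log review and WMI cleanup described above can be scripted. The following PowerShell is an added example, not part of the original post or the product: the function name Repair-DpPackageList and its -LogPath and -RemovePackageId parameters are hypothetical, and it assumes an elevated session on the distribution point itself. It only reports unless you pass package IDs that you have already confirmed are not on the site.

```powershell
# Added example (hypothetical function and parameter names).
# Run elevated on the distribution point; pass the location of smsdpmon.log.
function Repair-DpPackageList {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $LogPath,
        # Package IDs confirmed as NOT on the site (via the Content Status search).
        [string[]] $RemovePackageId = @()
    )

    # Matches the entry quoted above: "Package CCA0000A can't be found in PkgLib".
    # The ID is restricted to 8 alphanumerics, so it is safe to place in the WQL.
    $pattern = "Package\s+(?<id>[A-Za-z0-9]{8})\s+can't be found in PkgLib"

    $ids = Select-String -Path $LogPath -Pattern $pattern -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Groups['id'].Value.ToUpperInvariant() } |
        Sort-Object -Unique

    foreach ($id in $ids) {
        # Same query as shown above, one package ID at a time.
        $wql   = "SELECT * FROM SMS_PackagesInContLib WHERE PackageID = '$id'"
        $entry = Get-CimInstance -Namespace 'root\sccmdp' -Query $wql

        $removed = $false
        if ($entry -and ($RemovePackageId -contains $id) -and
            $PSCmdlet.ShouldProcess("root\sccmdp $id", 'Delete SMS_PackagesInContLib instance')) {
            $entry | Remove-CimInstance
            $removed = $true
        }

        # One row per package ID found in the log.
        [pscustomobject]@{
            PackageID = $id
            InWmi     = [bool]$entry
            Removed   = $removed
        }
    }
}

# Report only (placeholder path):
#   Repair-DpPackageList -LogPath '<path to smsdpmon.log>'
# Preview a removal without changing WMI:
#   Repair-DpPackageList -LogPath '<path to smsdpmon.log>' -RemovePackageId 'CCB00002' -WhatIf
```

Packages that are still on the site should not be passed to -RemovePackageId; for those, update the content on the distribution point instead.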
If the package is on the site, you can update the content on the distribution point to clear the Warning state.
To update the content on the distribution point for applications:
The next time content validation occurs, the warning is cleared.
To update the content on the distribution point for packages:
The next time content validation runs, the warning is cleared.
We’re pleased to announce that we’ve just published a new set of our popular quizzes for System Center 2012 Configuration Manager. These 14 quizzes are a fun way to learn about some of the capabilities of the product and also to help you to find your way around our documentation library. Each quiz asks you ten questions and regardless of whether you answer correctly or incorrectly, provides the correct solution and links to the Configuration Manager online documentation. You can also print out your results for later reference.
For example, how well do you know the differences between Configuration Manager 2007 and System Center 2012 Configuration Manager? Although these are documented in What’s New in Configuration Manager, take the What’s New in Configuration Manager Quiz to test your knowledge.
We’ve also increased the difficulty level on these quizzes by adding new features, which include the following:
The following quizzes are now available:
The quizzes are compatible with any computer running Windows XP, Windows Vista or Windows 7 and will download the correct version of Silverlight if it is not installed.
To run the quizzes, visit http://quizapp.cloudapp.net/default.aspx?quiz=Configmgr2012
We hope you enjoy these new quizzes and would love to hear your feedback about them and any of our other content. Contact us by emailing smsdocs@microsoft.com.
-- Rob Stack