
System Center Configuration Manager Team Blog

The official blog of the Microsoft System Center Configuration Manager Product Group

Posts
  • System Center Configuration Manager Team Blog

    Deploying A Great Application Catalog Experience for System Center 2012 Configuration Manager

    • 2 Comments

    The new Configuration Manager Application Catalog represents a great opportunity for you to deliver self-service application installation to your company’s users.  By modeling the applications and publishing them in the Application Catalog, you can offer up a service that makes installing applications quick and easy for your end-users.  Because the Application Catalog only shows applications that are deployed to the user, your end users also get a tailored experience just for their job role.  To make the most effective use of the Application Catalog and ensure you’re delivering the best experience possible, here are a few tips we’ve learned from real world deployments.

    Site System Role Installation

    If you’re hosting fewer than 10,000 users in your company’s intranet, co-locating the Application Catalog web service and Application Catalog website roles on the same server should work just fine.  Remember that the web service role connects directly to your database, so ensure that the network connectivity between the SQL server and the Application Catalog web service servers is robust.  Refer to the product documentation for specific scalability guidance.

    If you’re hosting more than 10,000 users, or when you have more geographically distributed users, consider deploying additional application catalogs to keep responsiveness high and user satisfaction up.  Use client settings to configure collections of computers to use different Application Catalog servers.

    For deployments with two or more primary sites, it helps to have at least one set of Application Catalog roles per primary site.  When you configure the Computer Agent client settings, set the Default Application Catalog Website point value to Automatically detect and the system will take care of assigning the local Application Catalog role for clients in each primary site.

    For deployments that need to scale out (especially for Application Catalog performance), it’s better to scale out by using separate primaries rather than installing a second Application Catalog role for the same primary site as the existing Application Catalog. Doing so will allow the Application Catalog web service roles to communicate with a different SQL Server database and provide a better end user experience.

     

    The User Experience

    The Application Catalog has code running in the browser, but the user’s experience is heavily dependent on the data exchange with the catalog web server.  Some caching takes place on the Application Catalog web roles for performance optimization, but several factors influence the overall performance and responsiveness of the Application Catalog:

    1. Number of applications for a user - The Application Catalog is designed to return a sorted list of applications for a user one page at a time.  Users can also limit that list by a search criterion or a category.  Regardless of the method they use to see their list of applications, the system has to build out the list, sort it, and return a page of applications to the user.  For an Application Catalog that has 1000s of applications, it will take longer to fetch and sort the list than if there were fewer than 100 applications published.  So, as you’re deploying applications, periodically review the applications published to the catalog and remove deployments for outdated or obsolete applications.
    2. Number of distribution groups (or security groups) the user is a member of which are used in creating user collections - When you deploy an application to a user collection, you can either deploy to “All Users” or a custom user collection.  Deploying to the “All Users” collection provides the fastest user experience because the SQL query is very simple.  When you deploy to a user collection that’s based on direct members or distribution/security groups, the system has to build a much more complex SQL query which includes a list of the user’s distribution group ID’s – and that will take more time to send to the server and process in SQL.   Be conscious of this as you deploy your applications.  By all means, deploy your applications to user collections that represent the audience for that application, but for those applications that are truly available to all users in your organization, you can offer the best possible user experience by deploying those applications to the “All Users” collection.  
    3. The number of categories, keywords and descriptions - Categories, publishers, keywords and descriptions represent two groups of filtering mechanisms.  By selecting a “Browse By” group (either Category or Publisher) the user immediately sees a sub-set of the overall list of applications.  In terms of user experience, smart use of Category and Publisher values will dramatically improve your users’ ability to quickly locate the software needed for their job.  In the same way, poor planning or haphazard categories will confuse users and frustrate them.  Plan ahead, and validate your planned categories with real users to ensure they make sense to your audience.
    4. The network connectivity between the user’s computer and the Application Catalog website - The Application Catalog transfers a lot of information between the users’ computer and the web server during a normal session.  When a user is connected over a slow network, their experience may be degraded.  You can deploy additional Application Catalogs in network segments that are closer to the users to improve their experience.  Each user sees their personalized list of applications from any Application Catalog server.  Some network connectivity factors may simply be out of your control, so it’s helpful to give your users information and set their expectations appropriately if they frequently connect over slower networks.
    5. The number of users currently using the Application Catalog - For most organizations we’ve talked with, installing software isn’t an activity that end users do several times a day, and probably won’t even do it several times per month.  However, there is a more common scenario that will cause a spike in usage on your Application Catalog.  When you’re rolling out a new application, it’s typical that a large number of users will start installing it immediately after an announcement.   You can stagger announcements (and even enforce them by deploying to collections of users that mirror your announcements) to avoid a super-large spike in Application Catalog usage that would impact the overall user experience.

    Tell me about the applications!

    Great descriptions for your applications are critical.  It’s amazing to watch users browse through a screen full of text.  Some users are very deliberate and read every word, but most simply scan for key words.  Some users use visual recognition of the application icon.  Whatever the style of user, plan to accommodate the most typical ones as you fill out your Application Catalog metadata.  Here are some specific best practices:

    1. Have a great one-liner!   Make the very first line of your description concise, easy to read, and to the point.   That is what shows up in the description preview for the application, and your users can quickly scan that one line.
    2. State key requirements.  The Application Catalog will tell users if their computer doesn’t meet requirements for the application. But, you can also help your users by including any unique or critical requirements in the description.  For example, “Requires Windows XP Tablet Edition” 
    3. Import icons.  Many users will appreciate the visual reference to the application and can quickly find an application using icons.
    4. Extend the description.  The Application Catalog has a URL associated with each item.  If you have lengthy installation instructions, training guides, approval requirements, or other documentation that doesn’t fit well in the description field, point the “User Documentation” URL to your internal website for the application.  Set the “Link Text” string to match.  For example, set the link text to: “Detailed installation instructions” and set the User Documentation URL to your internal SharePoint site or an internal knowledge base article for that application.

     

    Thanks for making it through this blog!   You now have some new tools at your disposal to deliver a great self-service application catalog to your users.

    For more information about the Application Catalog, see Introducing the Application Catalog and Software Center in System Center 2012 Configuration Manager on this blog, and Configuring the Application Catalog and Software Center in Configuration Manager on TechNet.

    --Dave Randall

    This posting is provided "AS IS" with no warranties and confers no rights.

      

  • System Center Configuration Manager Team Blog

    Announcement: Asset Intelligence Service Migration for Configuration Manager 2007 and System Center 2012 Configuration Manager

    • 0 Comments

    We would like to inform you of the upcoming changes to the System Center Online cloud service that is used by Configuration Manager Asset Intelligence synchronization points to synchronize software catalog data.  We are upgrading the catalog service and hosting it on a new platform.  This week onwards, all Configuration Manager Asset Intelligence synchronization points will start to silently redirect to the new catalog service platform.

    There is no action required by you as a result of this migration.  At the end of your standard synchronization period, existing Asset Intelligence synchronization points will detect the new service platform and begin to automatically migrate.  After migration is complete, Asset Intelligence synchronization points will continue to synchronize catalog data from the upgraded catalog service.

    However, we do recommend that customers running Configuration Manager 2007 Service Pack 2 apply the latest Asset Intelligence Hotfix Rollup.

    Use the following information if you want to understand more about the migration process and how to track it.

    The migration process takes place in two steps:

    1. Watermark update
    2. Full catalog download

    Watermark Update

    When the Asset Intelligence synchronization point contacts the upgraded catalog service for the first time, it presents its current watermark to the catalog service and attempts to download the Asset Intelligence catalog.  To indicate to the Asset Intelligence synchronization point that a full download of the catalog is required rather than a delta download, the service refuses the watermark and issues a new one.  Example AIUpdateSvc.log file entry:

    Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 06:52:42 GMT:Error WatermarkNotHonored during download

    The Asset Intelligence synchronization point then resets its watermark and schedules an immediate retry of the catalog download.  It retries on the following intervals: 1 hour, 3 hours, and then every 6 hours if necessary.  Example AIUpdateSvc.log file entry:

    Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 06:52:42 GMT:Updating retry data
    Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 06:52:42 GMT:=====================Catalog download done=====================

    Full Catalog Download

    After the Asset Intelligence synchronization point updates the watermark, the next catalog download is successful.  Example AIUpdateSvc.log file entry:

    Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:37:42 GMT:Retry sync is due.
    Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:37:42 GMT:No proxy server
    Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:37:42 GMT:=====================Downloading catalog=====================
    Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:37:44 GMT:Detected MPC download begin in file C:\Windows\TEMP\SMS_AIUS\btrzwq1g.ucq.tmp, batch id 021953b5-deaa-41fb-aebf-5fbbd9bd7bd7
    Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:37:57 GMT:Detected MPC download end
    Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:48:19 GMT:Processing 1480 data/status files from download
    Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:48:42 GMT:=====================Data/Status copied to outbox=====================
    Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:48:42 GMT:=====================Catalog download done=====================

    Overall, the migration process will take at least one hour from the time that the Asset Intelligence synchronization point first contacts the upgraded catalog service.  You do not have to take any actions because the migration will complete on its own. 
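The two-step sequence above can be tracked from AIUpdateSvc.log with a small parser. This is an added example, not code from the original post or from Configuration Manager; the state names and the `migration_status` function are assumptions made for illustration, and the sample input is a subset of the entries quoted in the post.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime
from typing import Iterator, Optional, Tuple

# Subset of the AIUpdateSvc.log entries quoted in the post, joined into one sample.
SAMPLE_LOG = r"""
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 06:52:42 GMT:Error WatermarkNotHonored during download
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 06:52:42 GMT:Updating retry data
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 06:52:42 GMT:=====================Catalog download done=====================
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:37:42 GMT:Retry sync is due.
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:37:42 GMT:No proxy server
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:37:42 GMT:=====================Downloading catalog=====================
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:48:19 GMT:Processing 1480 data/status files from download
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:48:42 GMT:=====================Data/Status copied to outbox=====================
Asset Intelligence Catalog Sync Service Information: 0 : Sun, 08 Apr 2012 07:48:42 GMT:=====================Catalog download done=====================
"""

# Line layout as it appears in the quoted entries: prefix, level, id, GMT timestamp, message.
LINE_RE = re.compile(
    r"^\s*Asset Intelligence Catalog Sync Service (?P<level>\w+): \d+ : "
    r"(?P<ts>\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} GMT):(?P<msg>.*)$"
)
PROCESSING_RE = re.compile(r"Processing (\d+) data/status files from download")


@dataclass
class MigrationStatus:
    # Hypothetical state names: "not_started" (no refusal seen in this log),
    # "watermark_reset" (step 1 seen), "complete" (step 2 seen after step 1).
    state: str = "not_started"
    refused_at: Optional[datetime] = None
    completed_at: Optional[datetime] = None
    files_processed: int = 0

    @property
    def elapsed(self) -> Optional[timedelta]:
        if self.refused_at and self.completed_at:
            return self.completed_at - self.refused_at
        return None


def parse_lines(text: str) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, message) for each well-formed entry; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        try:
            ts = parsedate_to_datetime(m.group("ts"))
        except (TypeError, ValueError):
            continue  # malformed timestamp: ignore the line rather than guess
        # Banner lines are wrapped in runs of '='; strip them to get the bare text.
        yield ts, m.group("msg").strip().strip("=").strip()


def migration_status(text: str) -> MigrationStatus:
    status = MigrationStatus()
    attempt_failed = False  # an "Error ..." entry was seen in the current attempt
    attempt_files = 0       # file count from "Processing N data/status files"
    for ts, msg in parse_lines(text):
        if msg.startswith("Error"):
            attempt_failed = True
            if "WatermarkNotHonored" in msg and status.refused_at is None:
                status.refused_at = ts
                status.state = "watermark_reset"
            continue
        processed = PROCESSING_RE.fullmatch(msg)
        if processed:
            attempt_files = int(processed.group(1))
        elif msg == "Catalog download done":
            # This banner closes every attempt, including the refused one, so it
            # only counts as success when the attempt had no error and processed files.
            if (status.state == "watermark_reset"
                    and not attempt_failed and attempt_files > 0):
                status.state = "complete"
                status.completed_at = ts
                status.files_processed = attempt_files
            attempt_failed, attempt_files = False, 0
    return status


if __name__ == "__main__":
    result = migration_status(SAMPLE_LOG)
    print(result.state, result.files_processed, result.elapsed)
```

If the log has rolled over since the refusal was written, the parser reports `not_started` even though the migration may already be done; check the older log file in that case.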

    When the migration is complete, you will see the following:

    1. The Asset Intelligence synchronization point status in the Configuration Manager console for Configuration Manager 2007 and System Center 2012 Configuration Manager displays Connected to online service.  For example:

    2. The sizes of the LU_Category and LU_SoftwareList tables will be increased by about 20-25%.  This is expected.

    Summary

    This blog post notifies you of planned changes that Microsoft is making this week to upgrade the System Center Online cloud service.  As a result, all Configuration Manager Asset Intelligence synchronization points will be silently redirected to the new catalog service platform. 

    During the automatic migration process, you can track progress in the AIUpdateSvc.log file. There is no action required as the migration will complete on its own. We also recommend installing the latest hotfix rollup if you are running Configuration Manager 2007 SP2.

    --Yvette O'Meally

    This posting is provided "AS IS" with no warranties and confers no rights.

  • System Center Configuration Manager Team Blog

    System Center 2012 Configuration Manager: R.I.P. Native Mode

    • 2 Comments

    As all Configuration Manager customers know, security is challenging and often requires complex setup configurations. Setting up a Certificate Authority, issuing certificates, and maintaining them can be a herculean task, and in most cases involves interacting with multiple teams in an organization.

    It is the price we pay to have a highly secure environment, where the administrators, executives, and employees don’t have to worry about their data being compromised.

    Configuration Manager leverages an existing PKI infrastructure to enable secure communication between clients and site system roles.

    Before System Center Configuration Manager 2012, Configuration Manager 2007 had concepts called native mode and mixed mode: The philosophy behind native mode was to secure the site server and all its site systems, in addition to securing all site-to-site communication. This involved configuring a site signing certificate on all installed sites, plus there was an added restriction that a native mode site must always report to a native mode site.

    During the planning phase for System Center 2012 Configuration Manager, we listened to customer feedback and revisited this native and mixed mode model, and debated our previous concept of securing the site. The result was client computer communication.

    Key concepts for client computer communication:

    • Client computer communication is about securing end points. The two end points in this case are the client and the site system roles that the client talks to.
    • A client can communicate by using either the HTTP or HTTPS protocol. HTTPS requires the client and site system roles to be configured with valid PKI certificates for mutual authentication.
    • Intelligent client behavior:  This enables the client to select the most secure communication option available:
      1. If the client is configured with a valid PKI certificate and there are HTTPS site system roles available, the client uses HTTPS.
      2. If the client is configured with a valid PKI certificate and there are NO HTTPS site system roles available and the client is configured to use HTTP, the client uses HTTP to communicate with site system roles.

    Let’s take a couple of example scenarios to see how this new model works.

    Scenario 1: Extending Client Management to the Internet without Installing a New Site

    Woodgrove Bank currently has 20,000 intranet clients. These clients never leave the corporate network. Management recently made some changes in corporate policy to address the employee concerns about work life balance and the request for more flexible working arrangements. With the new policy in effect, 30% of the task force will be issued new laptops and they are allowed to work from home.

    When the Configuration Manager administrator first read this memo, his first thought was “I have a lot of extra work to do before I can manage these laptops on the Internet!”

    Currently all the clients are managed by a single System Center 2012 Configuration Manager primary site (PR1). All the site system roles are configured to communicate over HTTP.

    Being aware of how native mode and Internet-based client management worked in Configuration Manager 2007, the administrator’s first assumption was that he would have to install a new native mode primary site. He doesn’t currently have a central administration site, so he thought this would mean either having two hierarchies to manage, or redesigning his existing hierarchy.

    However, when he investigates the changes in System Center 2012 Configuration Manager, he realizes that he does not need an additional site. Instead, all that’s needed are a few Internet-based roles that are configured for HTTPS communication:

    Here’s a comparison of how the two solutions might look for this scenario, to support Internet-based client management in Configuration Manager 2007 and System Center 2012 Configuration Manager:

    *A red halo around the site system roles represents sites and roles that are capable of HTTPS communication.

    The next challenge is how to manage Internet clients when they move back into the intranet. Our administrator does not want to change the existing hierarchy and does not want to configure all the clients and site system roles on the intranet to have PKI certificates. The answer to this is enabling intelligent client behavior, one of the new key concepts mentioned previously.

    To enable this behavior, simply select this check box from the property page in the previous screenshot:

    When selected, Internet clients on the intranet can communicate with HTTP site system roles on the intranet.

     

    Scenario 2: Transitioning a Site from HTTP Communication to HTTPS

    Trey Research has 5,000 clients that are managed by a single primary site (PR1). After the recent security push, the Configuration Manager administrator was instructed that all clients must communicate over HTTPS by using PKI certificates for mutual authentication.

    If the site had been running Configuration Manager 2007, this would require migrating the whole site from mixed mode to native mode. This would involve checking that all clients had a PKI client certificate, reconfiguring IIS for all the site system roles, configuring the site to use the site server signing certificate, automatically reinstalling site system roles to operate in native mode, and waiting for the site server to re-sign all the client policies. This “big bang” approach requires a lot of careful planning to make sure that clients are not unmanaged after the migration, with the recommendation to make this change during a quiet period.

    Because Trey Research has System Center 2012 Configuration Manager, the administrator doesn’t have to take this risk and work over the weekend. Instead, he does the following:

    1. On the site properties, Client Computer Communication tab, he selects HTTPS or HTTP
       
      This allows the site system roles to use either HTTP or HTTPS communication.
    2. He then configures the following to enable the intelligent client behavior:

      This check box allows clients that are PKI-enabled or not PKI-enabled to co-exist and be managed in the same site at the same time.
    3. He can start moving one site system role at a time from HTTP to HTTPS, and do a gradual rollout of PKI certificates for client computers. This provides a safe opportunity to check whether the site system roles and clients work with the HTTPS configuration. Because the site system roles still accept HTTP connections, all the clients remain managed:
      • If a client has a valid PKI certificate and there are HTTPS site system roles available, these clients communicate over HTTPS.
      • If a client does not have a valid PKI certificate, the client falls back to HTTP communication.
    4. When all clients have a PKI certificate, he changes the site system settings from HTTPS or HTTP to HTTPS only. Then, the Use PKI client certificate (client authentication capability) when available option will be cleared and the option will be unavailable to change. This configuration ensures that clients are not allowed to communicate over HTTP and the new security objective is met.

    I hope that this information and these example scenarios shed some light on the changes we made for System Center 2012 Configuration Manager, and how you can benefit from the flexibility they provide to manage clients over HTTPS – whether this is to manage clients on the Internet or to provide greater security on the intranet.

    For more information, see the following in the System Center 2012 Configuration Manager Documentation Library:

      -- Abhishek Pathak

    This posting is provided "AS IS" with no warranties and confers no rights.

  • System Center Configuration Manager Team Blog

    Announcement: Downloadable Documentation for Configuration Manager

    • 0 Comments

    We’re pleased to announce that you can now download the documentation for System Center 2012 Configuration Manager and you can choose from three different formats:

    • Chm (help file)
    • Docx (Word file)
    • PDF

    Download link: Technical Documentation Download for System Center 2012 Configuration Manager

    Downloadable Chm - Help Update Wizard

    The first option uses the System Center 2012 Configuration Manager Help Update Wizard, similar to how we’ve done this previously with Configuration Manager 2007.  Use this wizard to install a local help file, which contains a copy of the guides in the TechNet Documentation Library for System Center 2012 Configuration Manager.

    After installation, you can load the help file from a Configuration Manager console or independently, for example, from a shortcut on your desktop. After you have installed the local help file, you can expand System Center 2012 Configuration Manager to confirm that it now contains the Configuration Manager guides that are published on TechNet.  You can then use the Search tab to search for text in titles or in the body of the topic, and use the Print option to print all topics under a selected node.

    New! – Word and PDF

    We are also piloting Word and PDF formats, to provide a more portable option for the docs.  We haven’t done this in the past because of the size of our documentation library, but many customers have requested this so we’re piloting these additional options.  Let us know how you get on with these and your preferences. 

    Unlike the other System Center components, we have not offered the downloads by guide because there is too much linking between them. Having a separate download for each guide would break the offline experience for links that go to other guides and you wouldn’t be able to search across them.

    Bonus - New version of the Help File Updater Wizard for Configuration Manager 2007

    For good measure, we have also provided a new version of the Help File Updater Wizard for Configuration Manager 2007, which contains a roll-up of all changes since the last version in June, 2011.

    Advantages and Disadvantages of Downloaded Documentation 

    We know that downloadable versions of the documentation are important to you, because you don’t always have Internet access (or might not have reliable connectivity).  Some people find them easier to read, search, and print.  However, we cannot keep them as up-to-date as the content on TechNet, where we can update individual topics on a regular basis as we get more information from the product group or in response to customer feedback.  Whenever possible, use TechNet for the most current information.

    Search: If you use the downloaded documentation because you find it easier to search (it returns topics from the Configuration Manager library only), try the scoped search string that we provide in the Information and Support for Configuration Manager page instead. This provides a Bing search string that is scoped to the System Center 2012 Configuration Manager Documentation Library, so you don’t get results for Configuration Manager 2007, for other Microsoft products, or from external sources. Use the instructions and examples provided to help you create your own searches, using AND, OR, and NOT operators.

    Tip: To use a similar scoped search string for Configuration Manager 2007, use "search_criteria" site:technet.microsoft.com/en-us/library meta:search.MSCategory(hh528538)

    Print and save to PDF: As an alternative to using the downloaded documentation for printing multiple topics (for example, the whole Site Administration guide), try using the Print/Export Multiple Topics feature that is available in the TechNet Lightweight Library.  This feature has been in beta for a while and is now officially released.  You can find more information about how it works in this blog posting: http://thirdblogfromthesun.com/2011/08/export-then-print-multiple-library-topics-beta/  This functionality is currently restricted to 100 topics at a time, but there are fewer than 100 topics in each guide, with the exception of the Assets and Compliance guide.  So for example, you could select and save in PDF format all the topics in the Site Administration guide. Then print them or view them on your mobile device.

     

    Send feedback: We’re looking forward to your feedback about the different formats, which one you prefer, and why – so email us at the usual address of SMSDocs@microsoft.com and we will report back the results.

    -- The Configuration Manager Writing Team

    This posting is provided "AS IS" with no warranties and confers no rights.

     

  • System Center Configuration Manager Team Blog

    Announcement: Configuration Manager Documentation Library Update for May 2012

    • 1 Comments

    The Documentation Library for System Center 2012 Configuration Manager and the Configuration Manager 2007 Documentation Library have been updated on the web and the latest content has Updated: May 1, 2012 at the top of the topic.

    Downloadable documentation will be available soon, to be announced on this blog.

    In addition to updating the documentation libraries, we also have two new topics that are added to the Technical Publications for System Center 2012 Configuration Manager:

    We have removed the reference to the downloadable quizzes in Configuration Manager 2007 Quizzes.  Now that the web-based quizzes are available, expect the downloadable versions to be retired soon.  All new quizzes and any updates will be web-based.

    We value customer feedback and try to incorporate it when possible.  Although we can’t promise to make the docs perfect for everybody, we are committed to continual improvement.  So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com

     

    What's New in the Documentation Library for System Center 2012 Configuration Manager, May 2012

    The following information lists the topics that contain significant changes since the April 2012 update.

    Supported Configurations for Configuration Manager

    - Updated to remove the previously documented limitation that the NetBIOS name must match the first label of the domain FQDN. The SQL Server statements are also updated to include the Datacenter edition and this addition is also made in Planning for Hardware Configurations for Configuration Manager. We’ve also clarified that CU versions for SQL Server are minimum versions.

    What’s New in Configuration Manager

    - Updated the Sites and Hierarchies section for a new section for Language Pack Support. This information is also clarified in the Client Deployment and Operations section, which contains the information that you no longer install International Client Packs (ICPs) when you want to support different languages on the client.

    Planning for Site Systems in Configuration Manager

    - Updated the site system role placement for secondary sites. Most site system roles must be on the secondary site server.

    Planning for Sites and Hierarchies in Configuration Manager

    - Updated for additional information about planning for language packs at Configuration Manager sites, clients, and the Configuration Manager console.

    Planning for Discovery in Configuration Manager

    - Updated for the new section, Best Practices for Discovery.

    Planning for Communications in Configuration Manager

    - Updated with a procedure for how to manually publish management points to DNS on Windows Server.

    Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager

    - Updated the Steps Taken section in Scenario 2: Infrastructure Reduction and Management of Client Settings, to clarify that the decision to install a primary site in London instead of a secondary site was a result of assessing the available hardware for a site server, the current number of clients at London (5,500 clients exceed the supported number of clients for a secondary site), and the potential for growth at the location.

    Install Sites and Create a Hierarchy for Configuration Manager

    - Updated for a new section, Decommission Sites and Hierarchies, for information about how to uninstall Configuration Manager.

    Manage Site and Hierarchy Configurations

    - Updated for the new section, Manage Language Packs at Configuration Manager Sites.

    Security and Privacy for Site Administration in Configuration Manager

    - Updated the entry about the Security Configuration Wizard with the link to download the toolkit for System Center 2012 Configuration Manager: System Center 2012: Configuration Manager Component Add-ons and Extensions. This information is also updated in the Security and Privacy for System Center 2012 Configuration Manager guide.

    Technical Reference for Ports Used in Configuration Manager

    - Updated for the ports used by the new site system roles: the Application Catalog website point and Application Catalog web service point; the enrollment point and enrollment proxy point; and the Endpoint Protection point. Also clarified that Configuration Manager does not support dynamic ports for SQL Server.

    Technical Reference for Language Packs in Configuration Manager

    - New topic that provides technical details about language support in System Center 2012 Configuration Manager.

    Planning for Migration to System Center 2012 Configuration Manager

    - Updated for additional information about planning for overlapping boundaries if you will install new Configuration Manager 2007 clients during the migration period.

    About Client Installation Properties in Configuration Manager

    - Updated for information about file locations for the /config:, /NotifyOnly, and CCMENABLELOGGING installation properties.

    How to Manage Applications and Deployment Types in Configuration Manager

    - Updated to clarify that the Retire management task does not remove any installed copies of the application from client computers.

    Security and Privacy for Application Management in Configuration Manager

    - Updated for the security best practice of deploying only signed applications for mobile devices so that you don’t have to configure settings that let unsigned applications install and run (“unlock”).

    Introduction to Software Updates in Configuration Manager

    - Updated for the new Extend Software Updates in Configuration Manager section for information about System Center Updates Publisher 2011 and added a reference to the new scenario topic, Example Scenario for Deploying Software Updates.

    Example Scenario for Deploying Software Updates

    - New topic that provides an example scenario for how you might deploy software updates in your environment.

    Prerequisites For Deploying Operating Systems in Configuration Manager

    - Updated for the external dependency, DHCP.

    Planning a Task Sequences Strategy in Configuration Manager

    - Updated for information about running task sequences in a maintenance window.

    How to Manage the User State in Configuration Manager

    - Updated for how to create a USMT package and how to restore the user state if the operating system deployment fails.

    Task Sequence Steps in Configuration Manager

    - Updated the Install Software Updates step for the information that the step cannot suppress restarts if the software update requires a restart.

    How to Deploy Operating Systems by Using PXE in Configuration Manager

    - As a result of customer feedback, updated to clarify that the exclusion list file can be stored anywhere on the computer and the specified path is used to identify the location.

    Example Scenario for PXE-Initiated Operating System Deployment

    - New topic that provides an example scenario for how you might deploy an operating system by using PXE in your environment.

    Best Practices for Collections in Configuration Manager

    - Updated for the new best practice: Do not modify the built-in collections and instead, copy and then modify the pasted collection.

    How to Create Queries in Configuration Manager

    - Updated to clarify that a query that contains no criteria will return all devices in the All Systems collection.

    How to Extend Hardware Inventory in Configuration Manager

    - Updated for the information that you must create a hardware inventory class for any MIF files you want to add to inventory.

    How to Configure Software Inventory in Configuration Manager

    - Updated for an example of how to specify a file type that you want to inventory.

    Introduction to Software Metering in Configuration Manager

    - Updated to include the reference to Example Scenario for Software Metering in Configuration Manager.

    How to Manage AMT-based Computers Out of Band in Configuration Manager

    - Updated to clarify that the out of band management power control commands are always available for a collection, even if the collection contains resources that are not provisioned for AMT.

    How to Configure Endpoint Protection in Configuration Manager

    - Updated for information about using software updates automatic deployment rules to deploy definition updates for Endpoint Protection.

    Frequently Asked Questions for Configuration Manager

    Updated for the new entries:

    • Where are the supported scenarios and network diagrams for Internet-based client management that you had for Configuration Manager 2007?
    • Which antimalware solutions can Endpoint Protection uninstall?

    What’s New in the Documentation for Configuration Manager

    - Updated with a section, What's New in the Documentation Library for May 2012, which lists the topics with significant technical updates since the official publication of the documentation library in March.

    Information and Support for Configuration Manager

    - Updated the Search the Configuration Manager Documentation Library section to explain how to use the scoped search link, with examples and search tips. Scoped search lets you search for topics that are only within the Documentation Library for System Center 2012 Configuration Manager. For example, it excludes links from Configuration Manager 2007 and external sources.

     

    What's New in the Configuration Manager 2007 Documentation Library for May 2012

    The following information lists the topics that contain significant changes since the April 2012 update.

    Configuration Manager 2007 General Supported Configurations

    - Updated for the information that Windows Server 2008 R2 domain functional level and forest functional level are supported with Configuration Manager 2007 SP1 and Configuration Manager 2007 SP2.

    Configuration Manager 2007 SP2 Supported Configurations

    - Updated for SQL Server 2012 and Windows Embedded, which now includes Thin PC, Windows Embedded POSReady 7, and Windows Embedded Standard 7 SP1.

    How to Manually Publish the Default Management Point to DNS

    - As a result of customer feedback, updated with a procedure for Windows Server DNS.

    About Heartbeat Discovery

    - As a result of customer feedback, updated for information about how to initiate a manual Heartbeat Discovery cycle.

    How to Create a Query

    - Updated to clarify that a query that contains no criteria will return all devices in the All Systems collection.

    Conflicting Records

    - Updated this technical reference topic to clarify that you must have Modify Resource and Read Resource permissions on any collection that contains a conflicting record to reconcile the conflicting records that appear in the Conflicting Records node.

    About Configuration Manager Client Installation Properties

    - As a result of customer feedback, updated the /mp:<Computer> CCMSetup property with the tip that if the client connects to a native mode management point, typically, you must specify the FQDN for this option rather than the computer name.

    How to Capture and Restore the User State

    - Updated for information about how to create a USMT package and added a section to restore the user state if the operating system deployment fails.

    Install Software Updates Task Sequence Step

    - Updated for the information that the step cannot suppress restarts if the software update requires a restart.

    How to Provision Computers for AMT

    - As a result of customer feedback, updated for a third step to perform before you provision AMT-based computers out of band: Identify the SMBIOS GUID for each computer so that you have this information for when you run the Import Computer for Out of Band Management Wizard. This information remains on the Import Computer for Out of Band Management Wizard page.

    What's New in the Configuration Manager 2007 Documentation Library for May 2012

    - New topic that rolls up the significant technical changes since June 2011.

    -- The Configuration Manager Writing Team

    This posting is provided "AS IS" with no warranties and confers no rights.

     

  • System Center Configuration Manager Team Blog

    Tips and Tricks: “Cannot find any applications in the specified file to import” Message when You Import an Application in System Center 2012 Configuration Manager

    • 0 Comments

    If you use the Import Application Wizard and see the error message dialog box in the following screenshot that says “Cannot find any application in the specified file to import”, it might be because of one of these reasons:

    • The zip file that you selected is corrupt.
    • The zip file that you selected to import is not the original exported zip file that you created with Configuration Manager, but a zip file of the exported zip file. 

     


    In the current release, there is nothing in the log files that would help to identify the cause of this error.

    To determine whether the zip file that you selected to import is a Configuration Manager application export file, the zip file should contain a structure similar to the following example:

     

    If the file does not contain a similar structure, the import will fail.

    To resolve the import error problem, try the following:

    • If you suspect the file might be corrupt, export the application again, and then select the new zip file in the Import Application Wizard.
    • If the zip file is not the original exported application zip file, select the original exported application zip file or export the application again, and then select the new zip file in the Import Application Wizard.

    Summary:

    If you see the error message “Cannot find any application in the specified file to import” when you try to import an application, check that the file is not corrupt and that it is an application exported zip file.

    For more information about application management in System Center 2012 Configuration Manager, see How to Manage Applications and Deployment Types or Application Management in Configuration Manager in the System Center 2012 Configuration Manager Documentation Library.

     --Michael Wray

    This posting is provided "AS IS" with no warranties, and confers no rights.

     

  • System Center Configuration Manager Team Blog

    Deploying and configuring the Enhanced Mitigation Experience Toolkit (EMET) 3.0 with System Center Configuration Manager

    • 0 Comments

    You can use Configuration Manager to install the Enhanced Mitigation Experience Toolkit (EMET) 3.0 and subsequent configurations for applications to increase the security of applications on your managed systems.   This blog walks you through the process of deploying and configuring EMET 3.0 using Configuration Manager.

    The Enhanced Mitigation Experience Toolkit (EMET) 3.0 is designed to help prevent hackers from gaining access to your system, by adding additional security to any application configured for enhanced mitigation.  One of the primary benefits of EMET is in hardening legacy applications that either don’t have up-to-date security mitigations in-code, or that haven’t been patched to the latest versions.  Without vendor-provided updates to these applications, or adding the additional security controls and recompiling the application, there would be no easy way to secure them from exploitation.  That’s where EMET comes in.

    EMET leverages a Windows shim infrastructure called the Application Compatibility Framework.  Using this framework, EMET applies the specified mitigations to each application configured for enhanced mitigation in a way that adds no additional resource overhead to the monitored applications.  Full details on the latest release of EMET can be found here.  EMET 3.0 can be downloaded from here.

    EMET 3.0 also provides out of box protection profiles that add mitigation for some common applications.  These can be applied to clients with EMET installed, by running a simple configuration binary.  Additionally, the XML schema used in the protection profiles is straightforward, and can be easily modified to add your applications to the list of mitigated apps, and updated configurations can of course be delivered by Configuration Manager.  As with any application you plan on deploying, it’s important to test EMET against your desired applications thoroughly before deploying to production.

    Create the Application to Deploy the EMET Client

    The first step in deploying EMET is to download the EMET 3.0 MSI.  After you have the MSI, then do the following steps.  In this example, I’m going to reference building an application in Configuration Manager 2012, but the same thing could be accomplished with packages, programs, and advertisements using Configuration Manager 2007.

    1. From Software Library | Application Management | Applications, choose to Create Application.
    2. Keep the default type as Windows Installer (Native) and browse to the source UNC path for the EMET Setup.MSI, which you downloaded previously.
    3. The application details will be automatically derived from the MSI, along with MSI product code (on the Import Information page).
    4. On the General Information page, you will be able to add any additional details for this application, and you’ll see a pre-populated command next to Installation program, that has details on the MSI-based install of EMET.  Edit the installation line to read:  msiexec /i "EMET Setup.msi" /qn /norestart
    5. Change install behavior to Install for system.
    6. Complete the wizard.
    7. From the application you just created, choose Deploy.
    8. Browse to the collection you want to target.
    9. On the content page, choose your distribution points.
    10. On the deployment settings page, choose the intended install settings (most likely this will be required, unless you are just testing the deployment).
    11. Configure the deployment schedule, user experience, and alerts, then complete the wizard.
    12. You are now in the process of deploying the EMET client silently to all targeted clients.  You can monitor the deployment progress of this application in Monitoring | Deployments. 

    Create the Package and Program to Configure EMET

    Now that you have EMET deployed (or the deployment in progress), you will need to configure EMET for enhanced mitigation of your specified applications.  Without configuring EMET, the EMET client does nothing to offer enhanced application protection.  Here we’ll create a collection of clients reporting they have the EMET client installed, and we’ll target those with the configuration package. 

    Create the EMET Configuration Target Collection

    1. From Assets and Compliance | Device Collections choose to Create Device Collection.
    2. Name the Device Collection (Clients with EMET Installed), and choose the limiting collection.
    3. On the membership rules page, click Add Rule, and choose a Query Rule.
    4. Name the query, and choose Edit Query Statement.
    5. In the criteria tab, click the yellow star.
    6. In Criterion Properties, keep the type as Simple value, and choose select.
    7. Choose Installed Applications as the attribute class.
    8. Choose Display Name as the Attribute.
    9. After clicking OK, click the Value button.
    10. Choose EMET from the list of values.  NOTE:  At least one system must have reported its hardware inventory after it installed the EMET client for this value to be populated.  If it’s not in the list, simply type the value in.
    11. After completing the query rule, choose how often you want to evaluate this collection.  We will be targeting the EMET configuration to this collection, so evaluate it as often as you want clients that have recently installed EMET to be added to the collection. Also, keep in mind that this collection will only be populated with new clients that have installed EMET and then submitted their inventory information to the server.  By default, inventory is sent every 7 days.

    Create the EMET Configuration Package and Program

    1. Place the following 4 files in a source directory that you will use as the source for the EMET configuration package.  You can get these files from the source directory of the EMET client after you’ve installed the MSI on a client.  NOTE:  If you don’t include all of these files, EMET configuration will not work.
      1. All.XML (from the source \program files (x86)\EMET\Deployment\Protection Profiles)
      2. EMET_Conf.exe (from the source \program files (x86)\EMET)
      3. EMET_notifier.exe (from the source \program files (x86)\EMET)
      4. MitigationInterface.dll (from the source \program files (x86)\EMET)
    2. From Software Library | Packages choose to Create Package.
    3. Name the package, and choose this package contains source files.  Provide the path where you are sourcing the four files referenced in step 1.
    4. Choose standard program.
    5. Name the program, and set the command line to be EMET_Conf.exe --import All.xml.  NOTE:  This is just an example, using the All protection profile provided by the EMET team.  You can modify this config file to your own preferences, or use one of the other protection profiles provided by EMET.  You simply need to reference the file to be imported, and include it in your EMET configuration package.
    6. Set the program to run hidden, and whether or not a user is logged on.
    7. Complete the wizard.
    8. After the package and program are complete, choose to deploy it.
    9. Pick the collection we created earlier as the target collection, and complete the wizard with your desired settings.
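
    The script below is an added example, not part of the original post: it stages the four files listed in step 1 into a package source folder and checks them before the package is created, because the program will run hidden on every targeted client. The $PackageSource share is a hypothetical placeholder, the signature and hash report is an added precaution, and Windows PowerShell 4.0 or later is assumed.

```powershell
# Added example (not from the original post). Run on a reference machine that
# already has the EMET 3.0 MSI installed.
param(
    # Install folder as given in the post: \program files (x86)\EMET
    [string]$EmetRoot      = (Join-Path ${env:ProgramFiles(x86)} 'EMET'),
    # ASSUMPTION: hypothetical package source share; replace with your own.
    [string]$PackageSource = '\\fileserver.example\Sources\EMET-Config'
)

$ErrorActionPreference = 'Stop'

# The four files from step 1, relative to the EMET install folder.
$relativePaths = @(
    'Deployment\Protection Profiles\All.xml',
    'EMET_Conf.exe',
    'EMET_notifier.exe',
    'MitigationInterface.dll'
)

if (-not (Test-Path -LiteralPath $PackageSource -PathType Container)) {
    New-Item -ItemType Directory -Path $PackageSource | Out-Null
}

# Copy each file; collect anything missing instead of stopping at the first gap.
$missing = @()
foreach ($rel in $relativePaths) {
    $src = Join-Path $EmetRoot $rel
    if (Test-Path -LiteralPath $src -PathType Leaf) {
        Copy-Item -LiteralPath $src -Destination $PackageSource -Force
    } else {
        $missing += $src
    }
}
if ($missing.Count -gt 0) {
    throw "EMET configuration will not work without: $($missing -join ', ')"
}

# A hand-edited protection profile must at least still be well-formed XML.
$profilePath = Join-Path $PackageSource 'All.xml'
try {
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($profilePath)
} catch {
    throw "Protection profile '$profilePath' is not well-formed XML: $($_.Exception.Message)"
}

# Record what is about to be distributed: size, Authenticode status, SHA-256.
$report = foreach ($rel in $relativePaths) {
    $file = Get-Item -LiteralPath (Join-Path $PackageSource (Split-Path $rel -Leaf))
    $sig  = if ($file.Extension -in '.exe', '.dll') {
        (Get-AuthenticodeSignature -FilePath $file.FullName).Status
    } else {
        'n/a'
    }
    [pscustomobject]@{
        File      = $file.Name
        Bytes     = $file.Length
        Signature = $sig
        SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}

# Flag binaries whose signature does not validate so they can be reviewed
# before the package is sent to distribution points.
$report | Where-Object { $_.Signature -ne 'n/a' -and $_.Signature -ne 'Valid' } |
    ForEach-Object { Write-Warning "$($_.File): signature status is $($_.Signature)" }

$report | Format-Table -AutoSize
```

    Keeping the hash report with the package record makes it possible to tell later whether the files in the source folder were changed after they were staged.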

    Wrap Up

    So the goal of this blog is twofold:  one, I wanted to raise everyone’s awareness of the EMET tool itself, and two, I wanted to provide a simple way you can use Configuration Manager to deploy the EMET client and to configure it.  At this time, we don’t have a way to surface EMET events (which are written to the event log on clients) into Configuration Manager, but we’re always investigating ways to make our solutions better together so it’s functionality we know that you need in the future.  One option for surfacing events would be using event forwarding and parsing the results into SQL, but that’s outside of the scope of this particular blog.  The main point is that EMET is an awesome tool for application hardening, and Configuration Manager is an excellent way to deploy and configure EMET.

    --Jason Githens

    This posting is provided "AS IS" with no warranties, and confers no rights.

     

  • System Center Configuration Manager Team Blog

    Tips and Tricks: Resolving “Failed to create virtual directory” Error When You Install a Remote Distribution Point in System Center 2012 Configuration Manager

    • 0 Comments

    The Configuration Manager console has been greatly improved in System Center 2012 Configuration Manager, which enhances its usability. In addition to improvements in performance and layout, the console now supports a quicker way to monitor the status of distribution point site system roles.

    Using this new monitoring capability, you might see that the installation of a distribution point on a computer other than the site server (known as a remote distribution point) displays an error, with the message Failed to create virtual directory. This failure often indicates that the distribution point computer must be rebooted so that the IIS installation and configuration can complete. This might not be the only reason for this error, but try the following process to resolve the problem:

    1. Reboot the remote distribution point and wait a few minutes.
    2. Distribute content to the distribution point.

    The following screenshot shows an example of this Failed to create virtual directory error:

    Note: There is a known issue in the current release where the error might not always clear to return the distribution point status back to a success state. We hope to address this issue in a future release.

    If you double-click this message, the following dialog box provides more detailed information:

     

    To see whether you have resolved the problem, refresh the Configuration Manager console, and look for the new messages IIS was configured successfully and Content was distributed to distribution point:

     

    Summary:

    • You might experience a remote distribution point installation failure with the error that the virtual directory could not be created.
    • To resolve this error, try rebooting the remote distribution point computer and then distribute content to the distribution point.
    • Check whether you now see messages that say that the IIS configuration is successful and that the content is distributed to the distribution point.

    For more information about managing the content library in System Center 2012 Configuration Manager, see Content Management in Configuration Manager in the System Center 2012 Configuration Manager Documentation Library.

     

    --Michael Wray

    This posting is provided "AS IS" with no warranties, and confers no rights.

     

  • System Center Configuration Manager Team Blog

    Troubleshooting Content Mismatch Warnings on a Distribution Point in System Center 2012 Configuration Manager

    • 1 Comments

    You might see content mismatch warnings in System Center 2012 Configuration Manager when content validation runs and determines that there is a discrepancy between the expected list of packages in WMI on the distribution point and the packages in the content library. In this scenario, the distribution point status goes into a warning state and the status message returned by the distribution point is listed in the Details pane when you view the status of the distribution point in the Monitoring workspace, Distribution Point Configuration Status node.

    You can see an example of this scenario in the following screenshot where a distribution point has a Warning state and there is a status message in the Details tab in the Details pane that shows there was a failure to retrieve the package list.


     

    Note: There is currently a known issue in the current release where the warning might not always clear to return the distribution point status back to a success state. We hope to address this issue in a future release.

    To determine which package is causing this mismatch, review the smsdpmon.log file on the distribution point.

    Using the CMTrace log file tool, the following snapshot shows the corresponding smsdpmon.log entry:

    Notice the log entries:

    CContentDefinition::LibraryPackagesWmi: The package data in WMI is not consistent to PkgLib
    CContentDefinition::LibraryPackagesWmi: Package CCA0000A can't be found in PkgLib

    The simplest way to determine the missing package is to view the Content Status in the Monitoring workspace and search for the package ID by using the search field. After you have found the package ID, you can determine the name of the software.

    If the package is not on the site, you must remove the package from WMI on the distribution point. The namespace to connect to is root\sccmdp. The class that contains the list of packages expected is SMS_PackagesInContLib. The simplest way to find the package and remove it from WMI is to run a query on the distribution point such as the following, and then delete the object that is returned.

    select * from SMS_PackagesInContLib Where PackageID = 'CCB00002'

    Note: Ensure that you replace the CCB00002 with your own package ID.
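
    As an added example (not from the original post), the following Windows PowerShell script reads the package IDs out of the smsdpmon.log entries shown above and runs the same query against root\sccmdp for each one. The log path is a parameter because the post does not give its location, and -Remove should only be used for package IDs you have confirmed are not on the site.

```powershell
# Added example (not from the original post). Run on the distribution point
# in an elevated Windows PowerShell session (Get-WmiObject is not in PowerShell 7).
param(
    # ASSUMPTION: you supply the full path to smsdpmon.log on this server.
    [Parameter(Mandatory = $true)]
    [string]$LogPath,

    # Without this switch the script only lists what it finds.
    [switch]$Remove
)

$ErrorActionPreference = 'Stop'

# Matches the log entry quoted in the post, for example:
#   CContentDefinition::LibraryPackagesWmi: Package CCA0000A can't be found in PkgLib
# The ID is restricted to 8 letters or digits, so it is safe to place in the query.
$pattern = "LibraryPackagesWmi: Package (?<id>[A-Z0-9]{8}) can't be found in PkgLib"

$packageIds = Select-String -LiteralPath $LogPath -Pattern $pattern |
    ForEach-Object { $_.Matches[0].Groups['id'].Value.ToUpperInvariant() } |
    Sort-Object -Unique

if (-not $packageIds) {
    Write-Output 'No "can''t be found in PkgLib" entries in the log.'
    return
}

foreach ($id in $packageIds) {
    # Same query as in the post, with the package ID taken from the log.
    $query   = "select * from SMS_PackagesInContLib Where PackageID = '$id'"
    $objects = @(Get-WmiObject -Namespace 'root\sccmdp' -Query $query)

    if ($objects.Count -eq 0) {
        [pscustomobject]@{ PackageID = $id; InWmi = $false; Action = 'nothing to do' }
        continue
    }

    foreach ($obj in $objects) {
        if ($Remove) {
            # -Confirm prompts for each object before it is deleted.
            $obj | Remove-WmiObject -Confirm
            [pscustomobject]@{ PackageID = $id; InWmi = $true; Action = 'removal requested' }
        } else {
            [pscustomobject]@{ PackageID = $id; InWmi = $true; Action = 'listed only' }
        }
    }
}
```

    Run it once without -Remove, look up each listed package ID in Content Status, and rerun with -Remove only for the packages that are no longer on the site.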

    If the package is on the site, you can update the content on the distribution point to clear the Warning state.

    To update the content on the distribution point for applications:

    1. In the Configuration Manager console, click Software Library.
    2. In the Software Library workspace, expand Application Management, and click the Application node.
    3. Find and select the application by using the name that you identified from the Content Status.
    4. In the Details pane, click the Deployment Types tab, right click a deployment type, and then select Update Content to create a new package and version of the content on the distribution point:

    The next time content validation occurs, the warning is cleared.

    To update the content on the distribution point for packages:

    1. In the Configuration Manager console, click Software Library.
    2. In the Software Library workspace, expand Application Management, and click the Packages node.
    3. Find and select the package by using the name that you identified from the Content Status, or by using the Package ID.
    4. Right click the package, and select Update Distribution Points to create a new package and version of the content on the distribution point:

    The next time content validation runs, the warning is cleared.

    Summary:

    • There might be times when the content library and the package list in WMI on a distribution point become mismatched and the status of the distribution point displays as Warning.
    • There are two possible solutions to resolve this mismatch: Delete the package from WMI or update the distribution point.

    For more information about managing the content library in System Center 2012 Configuration Manager, see Content Management in Configuration Manager in the System Center 2012 Configuration Manager Documentation Library.

    --Michael Wray

    This posting is provided "AS IS" with no warranties, and confers no rights.

     

  • System Center Configuration Manager Team Blog

    Announcement: New Quizzes for System Center 2012 Configuration Manager

    • 0 Comments

    We’re pleased to announce that we’ve just published a new set of our popular quizzes for System Center 2012 Configuration Manager. These 14 quizzes are a fun way to learn about some of the capabilities of the product and also to help you to find your way around our documentation library. Each quiz asks you ten questions and regardless of whether you answer correctly or incorrectly, provides the correct solution and links to the Configuration Manager online documentation. You can also print out your results for later reference.

    For example, how well do you know the differences between Configuration Manager 2007 and System Center 2012 Configuration Manager? Although these are documented in What’s New in Configuration Manager, take the What’s New in Configuration Manager Quiz to test your knowledge.

    We’ve also increased the difficulty level on these quizzes by adding new features, which include the following:

    • Quizzes now have multiple choice questions in addition to questions with simple Yes or No answers
    • Many quizzes now have a larger pool of questions from which ten are randomly chosen (no more memorizing the order of answers!)
    • The order in which questions are presented is now randomized

    The following quizzes are now available:

    • Application Management Quiz
    • Client Deployment and Assignment Quiz
    • Collections and Queries Quiz
    • Compliance Settings Quiz
    • Documentation Quiz
    • Endpoint Protection Quiz
    • Fundamentals Quiz
    • Inventory and Software Metering Quiz
    • Migration to System Center 2012 Configuration Manager Quiz
    • Operating System Deployment Quiz
    • Power Management Quiz
    • Remote Control Quiz
    • Site Administration Quiz
    • What’s New in Configuration Manager Quiz

    The quizzes are compatible with any computer running Windows XP, Windows Vista or Windows 7 and will download the correct version of Silverlight if it is not installed.

    To run the quizzes, visit http://quizapp.cloudapp.net/default.aspx?quiz=Configmgr2012

    We hope you enjoy these new quizzes and would love to hear your feedback about them and any of our other content. Contact us by emailing smsdocs@microsoft.com.

     

    -- Rob Stack

    This posting is provided "AS IS" with no warranties and confers no rights.

     
