The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web and the latest content on the Web has Updated: January 1, 2010 at the top of the topic.

This month's updates contain an updated support statement that in-band provisioning for AMT-based computers is now supported on client computers running Windows 7.  We have also updated topics to incorporate customer feedback.  We do value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com. 

What's New in the Configuration Manager Documentation Library for January 2010

The following information lists the topics that contain significant changes since the December 2009 update.

Configuration Manager 2007 SP2 Supported Configurations

- Removal of the statement that in-band provisioning is not supported on Windows 7.  This topic also has an updated section about BranchCache, to clarify its integration with Configuration Manager 2007 SP2.

Certificate Requirements for Native Mode

- Updated for the client authentication certificate that might be used with an operating system deployment in native mode. This certificate must have a unique value for the Subject Name and unlike the client authentication certificate that is used by native mode clients, it does not support a certificate SAN value.

Troubleshooting Management Point Communication

- Updated for clarity and with a warning that before running the MPCERT and MPLIST tests in a native mode site, a certificate must be imported into the browser.

Overview of Configuration Manager Client Deployment

- Updated the upgrade installation information with the clarification that you cannot use task sequences to upgrade the Configuration Manager client.

Configuration Manager 2007 SP2 Upgrade Checklist

- Updated with the clarification that clients do not automatically upgrade when the site is upgraded, and you must take manual steps to ensure that clients are upgraded. This checklist also has a new step to back up a customized SMS_def.mof prior to the upgrade because this file is overwritten by Setup.

How to Export Certificates For Use With Operating System Deployment

- Updated to correct a step out of sequence.

How to Set a Maintenance Window

- Updated to clarify how the Maximum allowed run time value is evaluated by maintenance windows.  This clarification is also added to Program Name Properties: Requirements Tab.

How to Re-run an Advertisement

- Updated to clarify the differences between original advertisement schedules and those created by the Re-Run Advertisement action.  This clarification is also added to How to Assign a Mandatory Advertisement and the Troubleshooting section "Advertisements Created by Using Rerun Advertisement Might Run at the Wrong Time" in Troubleshooting Software Distribution Issues.

Modifying the Default Configuration Manager SMS_def.mof File Before Upgrading

- Updated to clarify that service pack upgrades to the Configuration Manager site removes any custom edits to the SMS_def.mof file. This information is incorporated into the upgrade checklist topics as an additional step to back up a customized SMS_def.mof file for reference before the upgrade, and then edit the SMS_def.mof on the site server after verifying the site upgrade.

Deployment Package Name Properties: Data Access Tab

- Updated with the important information that specifying a share distribution folder that is already in use can result in data loss.  This information is also added to the following topics:  Download Updates Wizard: Data Access Page, Boot Image Properties - Data Access Tab, Operating System Images - Data Access Tab, and Operating System Install Packages - Data Access Tab.

Remove Package Page

- Updated with the information that the Select Group button is not used in Configuration Manager 2007.

Troubleshooting Configuration Manager Console Issues

- Updated the Troubleshooting issue "Error Message: This Function Is Not Supported on This Site System" with a second solution to verify that the account has read and execute permissions on the Configuration Manager installation folder on the site server.

Configuration Manager Client General Issues

- Updated for the new Troubleshooting issue "Available Cache Space and Location is Displayed Incorrectly on 64-Bit Configuration Manager Clients".

Operating System Deployment Task Sequence Variables

- Updated with the new task sequence variable _SMSTSTimezone.

Ports Used by Configuration Manager

- Updated with the clarification that the ports used by the software update point do not have to be the same throughout the hierarchy.

-- The Configuration Manager Writing Team

This posting is provided "AS IS" with no warranties and confers no rights.

[Today's post is provided by Levi Stevens]

Last year we added support for the new Windows Embedded Standard 2009 platform to Configuration Manager 2007.  Until our online documentation at Tasks for Managing Configuration Manager Clients on Windows Embedded Devices is updated, we are bringing you the few key things that you need to know:

1. Write Filters have been tested and are now supported with Windows Embedded Standard 2009. Please see the section Prerequisites when using the File Based Write Filter below for added details on filter exceptions needed when using write filters. These are necessary if you want the state to be preserved across system restarts. This applies to Windows XP Embedded as well.
2. Windows Embedded Standard 2009 introduces support for Sysprep enabling Operating System Deployment feature support. See the General Prerequisites section below for requirements to use this feature.

We will follow up this with another blog post we are working on that will document how to extend Hardware Inventory to create collections and report on specific versions of Windows Embedded family operating systems.  So keep your eyes peeled.

Prerequisites for using the Configuration Manager 2007 Client on Windows Embedded Devices

Before you install and use the Configuration Manager 2007 client on devices running the Windows Embedded operating system, ensure that the following prerequisites are in place:

 General Prerequisites

When building your Windows Embedded image in Microsoft Target Designer, ensure that the following components are included:

• SCCM Client Prerequisite- Required to support installation of the client software
• UDFS - Required for support using the operating system deployment capture CD with Windows Embedded Standard 2009
• Sysprep - Required to support operating system deployment image capture (only available on Windows Embedded Standard 2009)
• Users Control Panel - Required for users to use the Run Advertised Programs control panel applet
• .NET Framework 2.0 or later - Required to use the Desired Configuration Management feature

Note:

The Configuration Manager 2007 advanced client prerequisites macro component is included Windows Embedded Standard 2009 and can be selected in Microsoft Target Designer. To install the Configuration Manager 2007 client on devices running Windows XP Embedded, you must first download the System Center Configuration Manager 2007 Advanced Client pre-requisites macro component for Windows XP Embedded from http://www.microsoft.com/downloads/details.aspx?familyid=7e7128f7-43d8-48d0-85bc-ca971e2fbc8a&displaylang=en&tm.

Prerequisites when using the File Based Write Filter

Configure the following exceptions if you want to use the File Based Write Filter (FBWF) to persist the state of the Configuration Manager 2007 client between device restarts.

Registry Exceptions

Configure the following registry exceptions using the Embedded Designer as you create your image:

• HKLM\Software\Microsoft\SMS
• HKLM\Software\Microsoft\CCM
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon - Configure this exception if you will be using task sequences to service the Configuration Manager 2007 client.

File Exceptions

Configure the following file exceptions using the File Based Write Filter after installing the Configuration Manager 2007 client:

• %WINDIR%\System32\CCM
• %WINDIR%\System32\Wbem
• C:\_TaskSequence - Configure this exception if you will be using task sequences to service the Configuration Manager 2007 client.

For detailed information about building images and configuring write filters, see your Windows Embedded documentation.

-- Levi Stevens

This posting is provided "AS IS" with no warranties and confers no rights.

Software distribution in Configuration Manager 2007 starts with creating a package and ends when the package content installs on the client. However, there are quite a few steps in between and the content download process is usually where customers encounter most problems. Here are some examples from the TechNet forums:

• http://social.technet.microsoft.com/Forums/en-US/configmgrswdist/thread/b26d330c-2074-44ed-aa2b-c9040c853ed7
• http://social.technet.microsoft.com/Forums/en-US/configmgrswdist/thread/c2d7d528-5105-453b-9532-09264ea52d90?prof=required

This blog post offers a troubleshooting guide for customers to diagnose some of the frequently encountered issues relating to client content download problems.  It outlines the scenario, then takes you through how to track the various processes involved from when the client downloads policy to when the client installs the software.

• Step 1: Tracking the Advertisement on the Client
• Step 2: Tracking the Content Location Request on the Client
• Step 3: Tracking the Content Location Response on the Management Point
• Step 4: Identifying the Client Boundary and How this Affects Content Location and Download
• Step 5: Tracking the Content Download
• Step 6: Troubleshooting BITS

This scenario assumes that the package has been successfully distributed to a standard distribution point, an advertisement for this package is targeted to a collection, and for troubleshooting purposes, debug logging is enabled on both the client and the management point.  For instructions how to configure debug logging, see http://support.microsoft.com/kb/833417.

When client policy is triggered, clients in the targeted collection get the advertisement.  If you need instructions to initiate client policy, see How to Initiate Policy Retrieval for a Configuration Manager Client.

For more information about the log files mentioned and their locations, see List of Log Files in Configuration Manager 2007.

Step 1: Tracking the Advertisement on the Client

Start with the log file execmgr.log on the client and search for the advertisement ID. You should see references to the advertisement ID in this log that looks similar to the following:

<![LOG[CExecutionManager::HandleMessage received message: '<?xml version='1.0' ?>

          <SoftwareDeploymentMessage MessageType='Execution'>

              <AdvertisementID>CAR20000</AdvertisementID>

              <PackageID>CAR00003</PackageID>

              <ProgramID>TestProgram</ProgramID>

              <HistoryLocation>Machine</HistoryLocation>

          </SoftwareDeploymentMessage>'

Step 2: Tracking the Content Location Request on the Client

After confirming that the client has received the advertisement, open the log file LocationServices.log on the client. If the advertisement requires content to be downloaded, the client asks its management point for a list of URLs where this content is available. The LocationServices.log file logs this content location request sent by the client. Search for this by using the PackageID value that was referenced in execmgr.log.  It will look similar to the following:

ContentLocationRequest : <ContentLocationRequest SchemaVersion="1.00"><Package ID="CAR00003" Version="1"/><AssignedSite SiteCode="PS2"/><ClientLocationInfo LocationType="SMSPackage" UseProtected="0" AllowCaching="0" BranchDPFlags="0" UseInternetDP="0" AllowHTTP="1" AllowSMB="1" AllowMulticast="1" AllowFileStreaming="0"><ADSite Name="CorpHQ"/><IPAddresses><IPAddress SubnetAddress="A.B.C.D" Address="A.B.C.E"/></IPAddresses></ClientLocationInfo></ContentLocationRequest>

Step 3: Tracking the Content Location Response on the Management Point

After receiving this content location request, the management point responds with a content location reply, containing a list of URLs. You can use the log file MP_Location.log file on the management point to track both the request (ContentLocationRequest xml segment) and the response (ContentLocationReply xml segment).

When the management point returns a valid list of URLs for the client to download the content, it will look similar to the following:

MP LM: Message Body : <ContentLocationRequest SchemaVersion="1.00" ExcludeFileList=""><Package ID="CAR00003" Version="1"/><AssignedSite SiteCode="PS2"/><ClientLocationInfo LocationType="SMSPackage" UseProtected="0" AllowCaching="0" BranchDPFlags="0" UseInternetDP="0" AllowHTTP="1" AllowSMB="1" AllowMulticast="1" AllowFileStreaming="0"><ADSite Name="MyADSite"/><IPAddresses><IPAddress SubnetAddress="A.B.C.D" Address="A.B.C.E"/></IPAddresses></ClientLocationInfo></ContentLocationRequest>

MP_LocationManager      10/14/2009 10:52:08 AM        4768 (0x12A0)

UID not found       MP_LocationManager      10/14/2009 10:52:08 AM        4768 (0x12A0)

MP_GetContentDPInfoUnprotected (CAR00003,1,PS2,SMSPackage,00000000)
MP_LocationManager      10/14/2009 10:52:08 AM        4768 (0x12A0)

WriteContentDPInfo        MP_LocationManager      10/14/2009 10:52:08 AM        4768 (0x12A0)

MP LM: Reply message body: <ContentLocationReply SchemaVersion="1.00"><ContentInfo PackageFlags="0"/><Sites><Site><MPSite SiteCode="PS2" MasterSiteCode="PS2" SiteLocality="LOCAL"/><LocationRecords><LocationRecord><SMBPath Name="\\[ServerName]\SMSPKGC$\CAR00003"/><URL Name="http://[ServerName/SMS_DP_SMSPKGC$/CAR00003" Signature="http://[ServerName]/SMS_DP_SMSSIG$/CAR00003.1.tar"/><ADSite Name=""/><IPSubnets><IPSubnet Address=""/><IPSubnet Address=""/></IPSubnets><Metric Value=""/><Version>6221</Version><Capabilities SchemaVersion="1.0"/><ServerRemoteName>NOVA42306.NOVA42304DOM.net</ServerRemoteName><DPType>SERVER</DPType></LocationRecord></LocationRecords></Site></Sites></ContentLocationReply>          MP_LocationManager  10/8/2009 2:42:56 PM        5408 (0x1520)

When the management point has no locations for the client to download the content, it will look similar to the following:

No Locations found.     MP_LocationManager  10/14/2009 10:52:08 AM    4768 (0x12A0)

MP LM: Reply message body: <ContentLocationReply SchemaVersion="1.00"><ContentInfo PackageFlags=""/><Sites><Site><MPSite SiteCode="PS2" MasterSiteCode="PS2" SiteLocality="LOCAL"/><LocationRecords/></Site></Sites></ContentLocationReply>MP_LocationManager          10/14/2009 10:52:08 AM    4768 (0x12A0)

If you see "No Locations found" like this in the MP_Location.log, confirm that the package is successfully installed on the distribution points by using the log file distmgr.log on the site server.

Step 4: Identifying the Client Boundary and How this Affects Content Location and Download

In the example of the MP_Location.log showing the management point returning a valid list of URLs for the client to download the content, it has SiteLocality="LOCAL", which identifies the client as being within the fast boundary of the site and hence the locality of the client is considered "local".  The two other values for the SiteLocality attribute are Remote and Fallback:

• Remote identifies the client as being in a slow and unreliable boundary
• Fallback identifies the client as not belonging to any boundary

When the client is located within a slow and unreliable boundary of the site, the ContentLocationReply looks similar to this:

ContentLocationReply : <ContentLocationReply SchemaVersion="1.00"><ContentInfo PackageFlags="0"/><Sites><Site><MPSite SiteCode="PS1" MasterSiteCode="PS1" SiteLocality="REMOTE"/><LocationRecords><LocationRecord><SMBPath Name="\\[ServerName]\SMSPKGC$\CAR00003\"/><URL Name="http://[ServerName]/SMS_DP_SMSPKGC$/CAR00003/" Signature="http://[ServerName]/SMS_DP_SMSSIG$/CAR00003.1.tar"/><ADSite Name=""/><IPSubnets><IPSubnet Address=""/><IPSubnet Address=""/></IPSubnets><Metric Value=""/><Version>6221</Version><Capabilities SchemaVersion="1.0"/><ServerRemoteName>[ServerName]</ServerRemoteName><DPType>SERVER</DPType></LocationRecord></LocationRecords></Site></Sites></ContentLocationReply>          LocationServices        10/14/2009 2:01:23 PM     2592 (0x0A20)

If the client is within a slow and unreliable boundary and you want it to install software, ensure that the advertisement is configured with the following option enabled: "Download content from distribution point and run locally". The default setting for an advertisement when clients are within a slow and unreliable boundary is "Do not run program".

Note:  There might be valid reasons why clients in slow and unreliable boundaries should not install software. This setting applies to all clients identified as being in a slow and unreliable boundary and cannot be configured for individual clients.  If you do change the setting, be aware that it will impact potentially many clients.  For more information, see Decide Whether Clients Should Download Content If They Are on a Slow or Unreliable Network Boundary.

When SiteLocality="FALLBACK", the resulting behavior is the same as if the client is on a slow and unreliable boundary. The content location reply in this case looks something like this:

ContentLocationReply : <ContentLocationReply SchemaVersion="1.00"><ContentInfo PackageFlags="0"/><Sites><Site><MPSite SiteCode="PS1" MasterSiteCode="PS1" SiteLocality="FALLBACK"/><LocationRecords><LocationRecord><SMBPath Name="\\[ServerName]\SMSPKGC$\CAR00003\"/><URL Name="http://[ServerName]/SMS_DP_SMSPKGC$/CAR00003/" Signature="http://[ServerName]/SMS_DP_SMSSIG$/CAR00003.1.tar"/><ADSite Name=""/><IPSubnets><IPSubnet Address=""/><IPSubnet Address=""/></IPSubnets><Metric Value=""/><Version>6221</Version><Capabilities SchemaVersion="1.0"/><ServerRemoteName>[ServerName]</ServerRemoteName><DPType>SERVER</DPType></LocationRecord></LocationRecords></Site></Sites></ContentLocationReply>          LocationServices        1/11/2010 10:59:55 AM     2448 (0x0990)

 

Step 5: Tracking the Content Download

The client attempts to download content from the first distribution point listed in the content location reply. This is logged in ContentTransferManager.log on the client, with an example being as follows:

CTM dumping locations returned by Location Service:          ContentTransferManager   10/8/2009 2:42:56 PM       3204 (0x0C84)
Source: 'http://[ServerName]/SMS_DP_SMSPKGC$/CAR00003' Locality: Local Version: 6221 Capability: <Capabilities SchemaVersion="1.0"/>Signatures: http://[ServerName]/SMS_DP_SMSSIG$/CAR0000.1.tar' ContentTransferManager   10/8/2009 2:42:56 PM       3204 (0x0C84)
Source: '\\[ServerName]\SMSPKGC$\CAR00003' Locality: Local         Version: 6221 Capability: <Capabilities SchemaVersion="1.0"/>Signatures: ''          ContentTransferManager   10/8/2009 2:42:56 PM       3204 (0x0C84)

Then check DataTransferService.log on the client to see if a job has been created to download the files to the client. The log entry looks like this:

DTSJob {BC1A0EAB-A1D7-48BE-AD1E-CFE85F63C1B0} created to download from 'http://NOVA42306.NOVA42304DOM.net/SMS_DP_SMSPKGC$/CAR00003' to 'C:\Windows\system32\CCM\Cache\CAR00003.1.System'.          DataTransferService 10/8/2009 2:42:56 PM       3204 (0x0C84)

Subsequent log entries look like the following:

Execute called for DTS job '{BC1A0EAB-A1D7-48BE-AD1E-CFE85F63C1B0}'.  Current state: 'PendingDownload'.     DataTransferService 10/8/2009 2:43:07 PM    3788 (0x0ECC)
...

Starting BITS download for DTS job '{BC1A0EAB-A1D7-48BE-AD1E-CFE85F63C1B0}'.       DataTransferService 10/8/2009 2:43:07 PM       3788 (0x0ECC)

The last line above indicates content download from a BITS-enabled distribution point (the configuration option Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS on the ConfigMgr Distribution Point Properties: General tab). Note that if the BITS download fails, the content download will fall back to using SMB and the download of files can then be monitored by using the FileBITS.log file.

Step 6: Troubleshooting BITS

If the content is being downloaded using BITS, the download process might stall under various circumstances. The bitsadmin tool is very useful in troubleshooting the status of content download. For example:

• bitsadmin /list /allusers
  Use this command to find the job ID that's relevant to your troubleshooting task, because you will need this for other bitsadmin commands. This command lists all the BITS download jobs that are currently in progress.  From this list, identify the job related to your package ID, and note the job ID.
• bitsadmin /getinfo jobid
  Use this command to get more information about a particular BITS job.  From the output, if you notice that the download has stopped on any one particular file or directory, use the following bitsadmin command to manually download the file as a test to see if it works: bitsadmin /transfer MyJob /download /priority normal [http://remote-file-url] [SysDrive]\LocalFileName

It's typical for the download to stall on one particular file or directory.  The following lists some frequently encountered issues and resolutions.

• Some file extensions are blocked inherently by IIS. Check whether the package has any files with theses extensions and use the following KB article to remove the blocked extensions from the applicationHost.config file: http://support.microsoft.com/kb/942045/
• Some directories are hidden by default by IIS. Some typical directories that might be present in the packages are "bin" and "log" folders. These directories are hidden by IIS and BITS will subsequently fail to download all files hosted under these directories. Use the following KB article to remove these restrictions from the applicationHost.config file: http://support.microsoft.com/kb/942047/ For more information, see http://blogs.iis.net/bills/archive/2008/03/23/how-to-un-block-directories-with-iis7-web-config.aspx
• Some file names or directories containing special characters such as "+" have a double escape sequence, which is denied by IIS by default. Use the following KB article to set "allowDoubleEscaping" to true in the applicationHost.config file: http://support.microsoft.com/kb/942076/

Please post your comments on this blog post and let me know if you would like to see similar troubleshooting posts for software distribution and other areas.  I will try to address questions as soon as possible.

- Bhaskar Krishnan

This posting is provided "AS IS" with no warranties, and confers no rights.