System Center Premier Field Engineer Blog

Premier Field Engineering – System Center – Field Studies


  • Step by Step Guide to Setting Up System Center 2012 R2 Configuration Manager to Support Management and Installation of the ConfigMgr Client on Mac OSx Computers

    I have recently had several requests asking about the support for managing Mac OSx computers in System Center 2012 R2 Configuration Manager, so I went to work in my lab and successfully set this up. There were so many different articles around the needed certificates, roles, client settings, etc... that I felt it would help to have it all documented in a single place. I hope you find this information useful.

    I followed this documentation on TechNet to deploy the needed certs and roles in ConfigMgr 2012 R2:
    http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_MacClient_SP1
    I also had to manually configure the Mac computer’s hosts file to resolve the Servername.lab.local FQDN. This would not be needed in a production environment; it was due to my Virtual Lab not being on the same LAN as my MacBook.

    First we need to create and issue the three certificate templates, and then request and install the certificates, required for supporting Mac OSx clients with System Center 2012 R2 Configuration Manager:

     

    Deploying the Web Server Certificate for Site Systems that Run IIS

     

    Creating and Issuing the Web Server Certificate Template on the Certification Authority

    This procedure creates a certificate template for Configuration Manager site systems and adds it to the certification authority.

    To create and issue the web server certificate template on the certification authority

    1. Create a security group named ConfigMgr IIS Servers that contains the member servers to install System Center 2012 Configuration Manager site systems that will run IIS.

       

    2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.

       

    3. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.

       

    4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
      NOTE: Do not select Windows 2008 Server, Enterprise Edition.

       

    5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used on Configuration Manager site systems, such as ConfigMgr Web Server Certificate.

       

    6. Click the Subject Name tab, and make sure that Supply in the request is selected.

       

    7. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

       

    8. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK.

       

    9. Select the Enroll permission for this group, and do not clear the Read permission.

       

    10. Click OK, and close the Certificate Templates Console.

       

    11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

       

    12. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Web Server Certificate, and then click OK.

       

    13. If you do not need to create and issue any more certificates, close Certification Authority.

     

    Requesting the Web Server Certificate

    This procedure allows you to specify the intranet and Internet FQDN values that will be configured in the site system server properties, and then installs the web server certificate on to the member server that runs IIS.

    1. Restart the member server that runs IIS, to ensure that the computer can access the certificate template that you created, by using the Read and Enroll permissions that you configured.

       

    2. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.

       

    3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.

       

    4. In the Certificate snap-in dialog box, select Computer account, and then click Next.

       

    5. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.

       

    6. In the Add or Remove Snap-ins dialog box, click OK.

       

    7. In the console, expand Certificates (Local Computer), and then click Personal.

       

    8. Right-click Certificates, click All Tasks, and then click Request New Certificate.

       

    9. On the Before You Begin page, click Next.

       

    10. If you see the Select Certificate Enrollment Policy page, click Next.

       

    11. On the Request Certificates page, identify the ConfigMgr Web Server Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.

       

    12. In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, click the Type drop-down list, and then select DNS.

       

    13. In the Value box, specify the FQDN values that you will specify in the Configuration Manager site system properties, and then click OK to close the Certificate Properties dialog box.
      Examples:

      • If the site system will only accept client connections from the intranet, and the intranet FQDN of the site system server is server1.internal.contoso.com: Type server1.internal.contoso.com, and then click Add.

      • If the site system will accept client connections from the intranet and the Internet, and the intranet FQDN of the site system server is server1.internal.contoso.com and the Internet FQDN of the site system server is server.contoso.com: Type server1.internal.contoso.com, and then click Add. Then type server.contoso.com, and then click Add.

      Note: It does not matter in which order you specify the FQDNs for Configuration Manager. However, check that all devices that will use the certificate, such as mobile devices and proxy web servers, can use a certificate SAN and multiple values in the SAN. If devices have limited support for SAN values in certificates, you might have to change the order of the FQDNs or use the Subject value instead.

       

    14. On the Request Certificates page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Enroll.

       

    15. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.

       

    16. Close Certificates (Local Computer).

     

    Configuring IIS to Use the Web Server Certificate

    This procedure binds the installed certificate to the IIS Default Web Site.

    1. On the member server that has IIS installed, click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

       

    2. Expand Sites, right-click Default Web Site, and then select Edit Bindings.

       

    3. Click the https entry, and then click Edit.

       

    4. In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificates template, and then click OK. Note: If you are not sure which is the correct certificate, select one, and then click View. This allows you to compare the selected certificate details with the certificates that are displayed with the Certificates snap-in. For example, the Certificates snap-in displays the certificate template that was used to request the certificate. You can then compare the certificate thumbprint of the certificate that was requested with the ConfigMgr Web Server Certificates template with the certificate thumbprint of the certificate currently selected in the Edit Site Binding dialog box.

       

    5. Click OK in the Edit Site Binding dialog box, and then click Close.

       

    6. Close Internet Information Services (IIS) Manager.

    The member server is now provisioned with a Configuration Manager web server certificate. Important: When you install the Configuration Manager site system server on this computer, make sure that you specify the same FQDNs in the site system properties as you specified when you requested the certificate.
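
    The check in step 4 (template, thumbprint) and the FQDN requirement above can be confirmed from PowerShell on the IIS member server. This is an added example, not part of the original guide or of Configuration Manager; the site name, the sample FQDNs and the English-language "DNS Name=" text in the SAN output are assumptions to adjust.

    ```powershell
    # Added example: verify the certificate issued from the web server template
    # against the FQDNs that will be entered in the site system properties.
    $TemplateName  = 'ConfigMgr Web Server Certificate'   # template name used in this guide
    $SiteName      = 'Default Web Site'                    # assumed IIS site
    $ExpectedFqdns = @('server1.internal.contoso.com',     # sample FQDNs; replace with yours
                       'server.contoso.com')

    Import-Module WebAdministration   # provides Get-WebBinding

    function Get-ExtensionText {
        param(
            [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
            [string]$Oid
        )
        # Return the formatted text of one extension, or '' when it is absent.
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
        if ($ext) { $ext.Format($false) } else { '' }
    }

    # Thumbprint currently selected in the https binding (Edit Site Binding dialog).
    $binding         = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    $boundThumbprint = if ($binding) { $binding.certificateHash } else { $null }

    $report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # 1.3.6.1.4.1.311.21.7 = Certificate Template Information (version 2 templates).
        # On a domain member the template OID is shown with its display name.
        $template = Get-ExtensionText $cert '1.3.6.1.4.1.311.21.7'
        if ($template -notlike "*$TemplateName*") { continue }

        # 2.5.29.17 = Subject Alternative Name; collect the DNS entries.
        $sanText  = Get-ExtensionText $cert '2.5.29.17'
        $dnsNames = [regex]::Matches($sanText, 'DNS Name=([^,\s]+)') |
                    ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
        $missing  = $ExpectedFqdns |
                    Where-Object { $dnsNames -notcontains $_.ToLowerInvariant() }

        # 2.5.29.37 = Enhanced Key Usage; 1.3.6.1.5.5.7.3.1 = Server Authentication.
        $eku        = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $serverAuth = [bool]($eku -and ($eku.EnhancedKeyUsages |
                      Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEku = $serverAuth
            SanDnsNames   = $dnsNames -join ', '
            MissingFqdns  = $missing -join ', '
            BoundInIis    = ($cert.Thumbprint -eq $boundThumbprint)
        }
    }

    if (-not $report) {
        Write-Warning "No certificate from template '$TemplateName' in LocalMachine\My."
    }
    $report | Format-List
    ```

    A certificate that is ready for the site system shows an empty MissingFqdns value, ServerAuthEku and HasPrivateKey set to True, and BoundInIis set to True.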

     

    Deploying the Client Certificate for Distribution Points

    Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority

    This procedure creates a custom certificate template for Configuration Manager distribution points that allows the private key to be exported, and adds the certificate template to the certification authority.

    Note: This procedure uses a different certificate template from the certificate template that you created for client computers, because although both certificates require client authentication capability, the certificate for distribution points requires that the private key is exported. As a security best practice, do not configure certificate templates to allow the private key to be exported unless this configuration is required. The distribution point requires this configuration because you must import the certificate as a file, rather than select it from the certificate store. By creating a new certificate template for this certificate, you can restrict which computers request a certificate that allows the private key to be exported. In our example deployment, this will be the security group that you previously created for Configuration Manager site system servers that run IIS. On a production network that distributes the IIS site system roles, consider creating a new security group for the servers that run distribution points so that you can restrict the certificate to just these site system servers. You might also consider adding the following modifications for this certificate:

    • Require approval to install the certificate, for additional security.

    • Increase the certificate validity period. Because you must export and import the certificate each time before it expires, increasing the validity period reduces how often you must repeat this procedure. However, when you increase the validity period, it decreases the security of the certificate because it provides more time for an attacker to decrypt the private key and steal the certificate.

    • Use a custom value in the certificate Subject field or Subject Alternative Name (SAN) to help identify this certificate from standard client certificates. This can be particularly helpful if you will use the same certificate for multiple distribution points.

    To create and issue the custom Workstation Authentication certificate template on the certification authority

    1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.

       

    2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.

       

    3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important: Do not select Windows 2008 Server, Enterprise Edition.

       

    4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client authentication certificate for distribution points, such as ConfigMgr Client Distribution Point Certificate.

       

    5. Click the Request Handling tab, and select Allow private key to be exported.

       

    6. Click the Security tab, and remove the Enroll permission from the Enterprise Admins security group.

       

    7. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK.

       

    8. Select the Enroll permission for this group, and do not clear the Read permission.

       

    9. Click OK and close Certificate Templates Console.

       

    10. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

       

    11. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Client Distribution Point Certificate, and then click OK.

       

    12. If you do not have to create and issue any more certificates, close Certification Authority.

     

    Requesting the Custom Workstation Authentication Certificate

    This procedure requests and then installs the custom client certificate on to the member server that runs IIS and that will be configured as a distribution point.

    1. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.

       

    2. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.

       

    3. In the Certificate snap-in dialog box, select Computer account, and then click Next.

       

    4. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.

       

    5. In the Add or Remove Snap-ins dialog box, click OK.

       

    6. In the console, expand Certificates (Local Computer), and then click Personal.

       

    7. Right-click Certificates, click All Tasks, and then click Request New Certificate.

       

    8. On the Before You Begin page, click Next.

       

    9. If you see the Select Certificate Enrollment Policy page, click Next.

       

    10. On the Request Certificates page, select the ConfigMgr Client Distribution Point Certificate from the list of displayed certificates, and then click Enroll.

       

    11. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.

       

    12. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that ConfigMgr Client Distribution Point Certificate is displayed in the Certificate Template column.

       

    13. Do not close Certificates (Local Computer).

     

    Exporting the Client Certificate for Distribution Points

    This procedure exports the custom Workstation Authentication certificate to a file, so that it can be imported in the distribution point properties.

    1. In the Certificates (Local Computer) console, right-click the certificate that you have just installed, select All Tasks, and then click Export.

       

    2. In the Certificates Export Wizard, click Next.

       

    3. On the Export Private Key page, select Yes, export the private key, and then click Next.
      Note: If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the required format. You must reconfigure the certificate template to allow the private key to be exported, and then request the certificate again.

       

    4. On the Export File Format page, ensure that the option Personal Information Exchange - PKCS #12 (.PFX) is selected.

       

    5. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.

       

    6. On the File to Export page, specify the name of the file that you want to export, and then click Next.

       

    7. To close the wizard, click Finish in the Certificate Export Wizard page, and click OK in the confirmation dialog box.

       

    8. Close Certificates (Local Computer).

       

    9. Store the file securely and ensure that you can access it from the Configuration Manager console. The certificate is now ready to be imported when you configure the distribution point.

     

     

    Creating and Issuing a Mac Client Certificate Template on the Certification Authority

    This procedure creates a custom certificate template for Configuration Manager Mac computers and adds the certificate template to the certification authority. Note: This procedure uses a different certificate template from the certificate template that you might have created for Windows client computers or for distribution points. By creating a new certificate template for this certificate, you can restrict the certificate request to authorized users.

    To create and issue the Mac client certificate template on the certification authority
     

    1. Create a security group that contains user accounts for administrative users who will enroll the certificate on the Mac computer by using Configuration Manager.

       

    2. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.

       

    3. In the results pane, right-click the entry that displays Authenticated Session in the column Template Display Name, and then click Duplicate Template.

       

    4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important: Do not select Windows 2008 Server, Enterprise Edition.

       

    5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the Mac client certificate, such as ConfigMgr Mac Client Certificate.

       

    6. Click the Subject Name tab, make sure that Build from this Active Directory information is selected, select Common name for the Subject name format: and clear User principal name (UPN) from Include this information in alternate subject name.

       

    7. Click the Security tab, and remove the Enroll permission from the Domain Admins and Enterprise Admins security groups.

       

    8. Click Add, specify the security group that you created in step one, and then click OK.

       

    9. Select the Enroll permission for this group, and do not clear the Read permission.

       

    10. Click OK and close Certificate Templates Console.

       

    11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

       

    12. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Mac Client Certificate, and then click OK.

        

    13. If you do not have to create and issue any more certificates, close Certification Authority. The Mac client certificate template is now ready to be selected when you configure client settings for enrollment.

     

     

    Installing the Roles in Configuration Manager to support the Mac Client Enrollment

    I adapted the steps in this section from this article: http://technet.microsoft.com/en-us/library/gg712327.aspx

    We need to install a total of 4 roles in order to support the Mac OSx Computers as clients and to enroll them in the System Center 2012 R2 Configuration Manager Environment.

    • Enrollment Point

    • Enrollment Proxy Point

    • Management Point

    • Distribution Point

    Ensure that the new Site Server we are installing these roles on is configured with an Internet FQDN. In addition, these site system roles must be in a primary site. Check the Site System Role properties for this server to ensure it is configured with an Internet FQDN, even if you are configuring it with the same FQDN as the internal server name.

     
    To configure management points and distribution points for supporting Mac Clients
     

    1. In the Configuration Manager console, click Administration.

       

    2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that hosts the site system roles to configure.

       

    3. In the details pane, right-click Management point, click Role Properties, and in the Management Point Properties dialog box, configure the following options:

       • Select HTTPS.

       • Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties.

       • Select Allow mobile devices and Mac computers to use this management point, and then click OK.

    4. In the details pane, right-click Distribution point, click Role Properties, and in the Distribution Point Properties dialog box, configure the following options:

       • Select HTTPS.

       • Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties.

       • Click Import certificate, browse to the exported client distribution point certificate file, specify the password, and then click OK.

     

    To install and configure the enrollment site systems on a New site system server

     

    1. In the Configuration Manager console, click Administration.

       

    2. In the Administration workspace, expand Site Configuration, and click Servers and Site System Roles.

       

    3. On the Home tab, in the Create group, click Create Site System Server.

       

    4. On the General page, specify the general settings for the site system, and then click Next. Important: Make sure that you specify the Internet FQDN, even if it is the same value as the intranet FQDN. Mobile devices that are enrolled by Configuration Manager always connect to the Internet FQDN, even when they are on the intranet.

       

    5. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next.

       

    6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next.

       

    7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next.

       

    8. Complete the wizard.

     

     

    Configuring the Client Settings for Mac Computer Enrollment

    The first procedure in this step configures the default client settings for mobile device enrollment and will apply to all users in hierarchy. If you want these settings to apply to only some users, create a custom user setting and assign it to a collection that contains users who you will allow to enroll their mobile devices. The second procedure in this step configures the default client settings for the mobile device polling interval and hardware inventory to apply to all mobile devices in the hierarchy that Configuration Manager enrolls. The hardware inventory settings also apply to client computers. If you want these settings to apply to only mobile devices or to selected mobile devices, create a custom device setting and assign it to a collection that contains the enrolled mobile devices that you want to configure with these settings.  For more information about how to create custom client settings, see How to Create and Assign Custom Client Settings.
     
    To configure the default client settings for Mac Client enrollment

     

    1. In the Configuration Manager console, click Administration.

    2. In the Administration workspace, click Client Settings.

    3. Click Default Client Settings.

    4. On the Home tab, in the Properties group, click Properties.

    5. Select the Enrollment section, and then configure the following user settings. Mobile device enrollment profile: Click Set Profile and configure it as follows:

       • Allow users to enroll mobile devices and Mac computers: Yes

       • Enrollment profile: Click Set Profile.

    6. In the Enrollment Profile, click Create.

    7. In the dialog box, enter a name for this Mac Computer enrollment profile, and then configure the Management site code. Select the System Center 2012 Configuration Manager primary site that contains the management points that will manage these mobile devices. Note: If you cannot select the site, check that at least one management point in the site is configured to support mobile devices, and ensure it is configured for both intranet and Internet connections. This is also the setting we should be using in the Distribution Point properties.

    8. Click Add.

    9. In the Add Certification Authority for Mobile Devices dialog box, select the certification authority (CA) server that will issue certificates to mobile devices, and then click OK.

    10. In the Create Mobile Device Enrollment Profile dialog box (Configuration Manager with no service pack) or Create Enrollment Profile dialog box (Configuration Manager SP1), select the mobile device certificate template that you created earlier, “ConfigMgr Mac Client Certificate”, and then click OK.

    11. Click OK to close the dialog box, and then click OK to close the Default Client Settings dialog box.

     

     

    Installing the SCCM 2012 Mac Client

    There is currently no automated method for installing Mac Clients in Configuration Manager. You will need to perform these steps on each client, or find a scripting method to automate the process if possible. I adapted these steps from this article: http://technet.microsoft.com/en-us/library/jj591553.aspx

    1. Download the Mac OS X client file package, ConfigmgrMacClient.msi, and save it to a computer that runs Windows. This file is not supplied on the Configuration Manager installation media. You can download this file from the Microsoft Download Center for System Center 2012 R2 Configuration Manager.

    2. On the Windows computer, run the ConfigmgrMacClient.msi file that you just downloaded to extract the Mac client package, Macclient.dmg to a folder on the local disk (by default C:\Program Files (x86)\Microsoft\System Center 2012 Configuration Manager Mac Client\).

    3. Copy the Macclient.dmg file to a folder on the Mac computer.

    4. On the Mac computer, run the Macclient.dmg file that you just downloaded to extract the files to a folder on the local disk.

    5. In the folder, ensure that the files Ccmsetup and CMClient.pkg are extracted and that a folder named Tools is created that contains the CMDiagnostics, CMUninstall, CMAppUtil and CMEnroll tools.

    6. Next, I extracted the .dmg package file for the latest version of the SCCM 2012 Mac Client to the desktop of my Mac computer, navigated to the folder using Terminal, and ran the following command to install the ccm client:  sudo ./ccmsetup

    7. Wait until you see the Completed installation message. Although the installer displays a message that you must restart now, do not restart now but continue to the next step.

    8. After you have finished installing the client the Computer Enrollment wizard opens. Click Next to continue past the welcome page. Note: If the wizard does not open, or if you accidentally close the wizard, click Enroll from the Configuration Manager preference page to open the wizard.

    9. On the next page of the wizard, specify the following information: User Name, Password, and Server FQDN. The user name can be in domain\user or user@domain.com format.

      NOTE: When you use an email address to populate the User name field, Configuration Manager automatically uses the domain name of the email address and the default name of the enrollment proxy point server to populate the Server name field. If this domain name and server name do not match the name of the enrollment proxy point server, you must advise your users of the correct name to use, so that they can enter this when enrolling their Mac computers. The user name and corresponding password must match an Active Directory user account that is granted Read and Enroll permissions on the Mac client certificate template.

    10. Click Next to continue, complete the wizard, and then restart the Mac computer. You should then be able to see it as a new device in the All Systems Collection in the ConfigMgr 2012 R2 Admin Console, get hardware inventory, and deploy applications and compliance settings to your Mac Clients.

       

       

    How to Create Mac Computer Configuration Items in Configuration Manager:
    http://technet.microsoft.com/en-us/library/jj687949.aspx


    Deploy OS X Applications With Configuration Manager 2012 SP1 (should be the same for R2):
    http://www.jamesbannanit.com/2012/11/deploy-os-x-applications-with-configuration-manager-2012-sp1/

    You can download the System Center 2012 Endpoint Protection Agent for Mac from your Volume License site from Microsoft, and use the blog above to create and deploy this as an Application for your Mac Clients.

    Compliance Settings can be used with Detection and Remediation Scripts to configure settings such as turning the firewall on or off automatically by using these scripts to read and change settings in plist files on the Mac Clients.

     

    Troubleshooting and Certificate Revocation List publishing.

    After some time, my Mac client stopped connecting to the Management Point, and I found that in the MPControl.log I was getting 443 errors. This was related to the Certificate Revocation List (CRL) not being published in my lab. I followed this article to disable this feature since my certs will not expire for 10 years, and you may do the same; although it is not really a best practice, it is a workaround I found here: http://blogs.msdn.com/b/kaushal/archive/2012/10/15/disable-client-certificate-revocation-check-on-iis.aspx  After following this on the HTTPS SCCM Server and restarting IIS, my Mac Client was able to connect again.

    I recommend following up with Microsoft Support for assistance with the Certificate Authority Configuration in order to properly publish the Certificate Revocation List as part of your certificate template in order to ensure your clients can access the CRL URL.
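
    Before disabling the revocation check, it helps to see which certificates actually fail revocation retrieval and which CRL URLs they point to. The following is an added example, not part of the original post or of Configuration Manager; the function name Test-CertRevocation and the optional .cer file list are assumptions, and it only reads certificates and builds chains.

    ```powershell
    # Added example: report whether revocation information can be retrieved
    # for each certificate, and list the CRL distribution point (CDP) URLs.
    $X509 = 'System.Security.Cryptography.X509Certificates'

    # Optional: public-key copies (.cer) of other certificates to test, for
    # example a Mac client certificate. Assumed to be filled in by the admin.
    $ExtraCertFiles = @()

    function Test-CertRevocation {
        param(
            [Parameter(Mandatory = $true)]
            [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
        )

        $chain  = New-Object "$X509.X509Chain"
        $policy = $chain.ChainPolicy
        $policy.RevocationMode      = 'Online'        # force a CRL/OCSP lookup
        $policy.RevocationFlag      = 'ExcludeRoot'   # root CAs normally carry no CDP
        $policy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

        $built  = $chain.Build($Cert)
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

        # 2.5.29.31 = CRL Distribution Points; URLs are extracted for display only.
        $cdp  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $urls = @()
        if ($cdp) {
            $urls = @([regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
                      ForEach-Object { $_.Groups[1].Value })
        }

        # These two flags mean the CRL could not be fetched or was unusable.
        $unreachable = @($status | Where-Object {
            $_ -eq 'RevocationStatusUnknown' -or $_ -eq 'OfflineRevocation'
        })

        [pscustomobject]@{
            Subject          = $Cert.Subject
            Thumbprint       = $Cert.Thumbprint
            ChainBuilt       = $built
            Revoked          = ($status -contains 'Revoked')
            CrlRetrievable   = ($unreachable.Count -eq 0)
            ChainStatus      = $status -join ', '
            CdpUrls          = $urls -join "`n"
            HasCdpExtension  = [bool]$cdp
        }
    }

    $certs = @(Get-ChildItem Cert:\LocalMachine\My)
    foreach ($file in $ExtraCertFiles) {
        $certs += New-Object "$X509.X509Certificate2" -ArgumentList $file
    }

    $certs | ForEach-Object { Test-CertRevocation -Cert $_ } | Format-List
    ```

    A result with CrlRetrievable set to False, together with the CdpUrls value, shows which CRL location the server could not reach and therefore what needs to be published or made reachable on the Certificate Authority side.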

    The SCCM HTTPS server has some logs that can be helpful in troubleshooting Mac Clients in ConfigMgr 2012 R2. The C:\SMS_CCM\Logs folder contains the Management Point logs of the HTTPS Management Point.

    DMPRP.log is for Mac Client Policy actions.

    MP_Location.log will show Mac Client activity for Application Deployment Content location requests to help troubleshooting Application Deployments to Mac Computers.

    On the Mac Client, the logs for the CCMClient are under ~/Library/Logs and User/Library/Application Support/Microsoft/CCM/Logs.

     

    I will try and blog about some other topics on Mac Management, but that's it for now.

    Cliff

  • Reboot Pending Report, How to create the report.

    A few days ago one of my peers asked me a very interesting question: how can I get a report that shows reboot pending machines? I told him this was not an easy task to be performed in ConfigMgr 2012 due to the many parameters that make a machine in need ...read more
  • You implemented a SQL Cluster for SysCtr 2012 R2 ConfigMgr and you forgot what?

    You implemented a SQL Cluster for SysCtr 2012 R2 ConfigMgr and you forgot what? I was configuring a SQL Cluster this past week and I always try to configure it the best way I can. The cluster was an all-in-one cluster type for multiple System Center Products ...read more
  • Tune into the TechEd North America Live Stream Starting May 12

    If you are unable to join us for Microsoft TechEd North America in Houston this year, you still have a chance to tune in for the keynote and select technical sessions. Register today and join us for the LIVE stream May 12–15, 2014. At this year’s TechEd ...read more
  • SQL Trace Flags and ConfigMgr

    Hello everyone, ConfigNinja here. In one of my old blog posts I wrote a little bit about the usage of SQL Trace Flags in ConfigMgr. Q. First what is a SQL Trace Flag? A. Trace flags are used to temporarily set specific server characteristics or to switch ...read more
  • Talking Database in ConfigMgr

    Hello, ConfigNinja here to write to you about optimizing the site database in System Center 2012 R2 Configuration Manager. One of the areas we cover with our customers is the ConfigMgr site database. For the past few months I have reviewed data about ...read more
  • Sysctr 2012 R2 ConfigMgr: Reporting 101

    Hello All, ConfigNinja here to write about Reports in System Center 2012 R2 Configuration Manager. One of the topics that I like the most is the creation of reports, at the beginning of the month we released the Creating Custom Reports by Using SQL Server ...read more
  • How to create a RBA capable report for ConfigMgr R2

    Hello all, ConfigNinja here trying to show you a few tips and tricks to convert your current custom reports using the new RBA(Role Based Administration) for reports. http://technet.microsoft.com/en-us/library/dn236351.aspx#BKMK_WhatsNew_Monitoring_and_Reporting ...read more
  • System Center 2012 R2 Configuration Manager Released, It’s time to upgrade

    With this new release, it means a lot of things but one of the meanings is that we can take advantage of Windows Server 2012 R2 and Windows 8.1. But how about if you already have System Center 2012 Configuration Manager in a Windows Server 2008 R2, what ...read more
  • Top 3 ConfigMgr 2012 Client Installation Methods

      Hello, ConfigNinja here writing from Germany. Many customers have asked me about what is the best method to achieve a higher number of client installs. And this got me thinking on what are those techniques that I would use more to achieve this ...read more
  • SQL Server Version for ConfigMgr 2012

    I’m always looking for the SQL Version and need a place to store these links for easy access; maybe you are in the same situation and need to find out about the supported SQL Version. The following table lists the SQL Server versions that are supported ...read more
  • Top 10 Recent ConfigMgr KB’s - August Update

    Hello all, ConfigNinja here. If you follow me on Twitter or my blog, I normally share some of the latest news about ConfigMgr KBs, Hotfixes and of course more ConfigMgr stuff.   Top 10 Recent ConfigMgr KB’s: 1. An incorrect locale setting is configured ...read more
  • Creating a Compliance Item, Baseline and Example

    Been working on a few topics related to Compliance Setting, one of those was to create a Default IE Browser Compliance Baseline. As this may not be needed for many of you, I wanted to bring the example on my blog. Whether you are trying to create a compliance ...read more
  • Installing Sysctr 2012 ConfigMgr SP1 CU2, My Notes

    The Cumulative Update 2 for System Center 2012 Configuration Manager Service Pack 1 has been released, I decided to document some of my notes, steps and comments for future reference. Download the CU2 from KB 2854009 Before you begin installing you need ...read more
  • I lost my primary site in my hierarchy, what I do now?

    A few weeks ago this happened to one of you, I know the frustration that this may have caused when you initially saw it. Either the server files were corrupted or the vhd was lost on a power loss, what happened now you are in a panic state. You need ...read more
  • Wanna work with me Wednesday

    Do you want to work for Microsoft? Are you ready for the challenge? Well, we have some interesting interviews on the Wanna Work with me Wednesday blog. I had the pleasure to be selected for today's post of “Wanna work with me”, hope you guys like it. http ...read more
  • UD-B324 SQL Server 2012 for System Center Administrators Available Online

    Hello all, ConfigNinja here. It was a pleasure for me to deliver this session at MMS 2013; it's never easy to be the first session of the event. A lot of icebreakers and hard rehearsal on the same day, but I was happy to be there and see many friends, customers ...read more
  • CU1 for SysCtr 2012 ConfigMgr SP1–Installation and More.

    Hello there, if you missed my tweet post on Friday about the new Cumulative Update 1 for System Center 2012 Configuration Manager Sp1, here is a quick link and recap on it. After the hotfix information, I capture some of the screenshots of this fix on ...read more
  • Nostalgia: March 22, 1984 Microsoft Press introduces its first two books

    I got this in my inbox today, thought it was worth sharing. I know it's hard to take the first step in writing a book, it's also hard to be the first one in being published by a company. I can’t imagine what these authors thought when MS Press accepted their book ...read more
  • SQL Server for ConfigMgr 2012, eBook and Top 10 Database Issues.

    This past week I had the opportunity to speak to my peers about this topic; while speaking of it I thought to myself that I will share some of these key values with my blog readers. I know how important this content can be for them, so let's sharpen some extra ...read more
  • Stay Healthy be proactive with RaaS for ConfigMgr

    Today I want to write about Rap as a Service, the newest offering from Microsoft Premier Support! In the past few months we have converted our Configuration Manager Risk Assessment Program into RaaS for CM, here are more details about what we you can do ...read more
  • Security Compliance Manager 3.0 now available for download!

    Secure your environment with SCM 3.0! The Security Compliance Manager (SCM) is a free tool from the Microsoft Solution Accelerators team that enables you to quickly configure and manage the computers in your environment and your private cloud using Group ...read more
  • Install SysCtr 2012 ConfigMgr in Windows Server 2012 and SQL Server 2012 My Notes

    Installing System Center 2012 Configuration Manager in Windows Server 2012 and SQL Server 2012 My Notes This week I took the task to build a System Center 2012 Configuration Manager SP1 in Windows Server 2012 and SQL Server 2012, I will outline some of ...read more
  • Updated System Center 2012 Configuration Manager Antivirus Exclusions with more details on OSD and Boot Images, etc...

    With the release of Service Pack 1 for System Center 2012 Configuration Manager, we have been seeing some issues (not necessarily new issues) with antivirus exclusions around OSD and boot image related activities, as follows:

    OSD Related A/V Exclusion Considerations:

    Boot image actions:

    • Importing default boot WIM’s during initial site setup
    • Updating default boot WIM’s during site upgrade
    • Manual import of custom boot images (customer action)
    • Customize boot images (drivers, prestart command, WinPE optional components, background image, etc.)

    Folders to exclude from AV scanning:

    • Temporary folder for these cases is C:\Windows\TEMP\BootImages\{GUID}.  Exclude C:\Windows\TEMP\BootImages and subfolders.

     OS image actions:

    • Offline Servicing

    Folders to exclude from AV scanning:

    • Temporary folder for offline servicing is <X:>\ConfigMgr_OfflineImageServicing and several subfolders used for different purposes – staging files, mounting OS, etc. – where <X:> is the StagingDrive value from the Offline Servicing Manager section of the site control file.  If this value is missing, we use the drive where the site is installed.  Exclude <X:>\ConfigMgr_OfflineImageServicing and subfolders.

     

    Boot images not updated after upgrading to SP1 in System Center 2012 Configuration Manager:

    I was also provided anecdotal information from an issue: if you find yourself in a situation where boot images didn’t get updated during site upgrade to SP1, you can manually update the boot images using the following instructions:

    • Rename the boot.wim and the default boot wims in each architecture folder of the <smsinstall>OSD\boot\ folder – both the i386 and x64 to <wim>.bak
    • Starting with the i386 folder first, find the install folder of the ADK, which should be here if you installed with the defaults: “C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\en-us\winpe.wim”. You will need to copy the winpe.wim to the <smsinstall>OSD\boot\i386 folder. Rename it to boot.wim.
    • You will also need to copy it again, but this time rename it so it matches the name of the default boot wim for the site – so it should look like boot.<packageid>.wim
    • Update default boot image. Click “Execute Method” -> input object path as SMS_BootImagePackage.PackageID="<Image ID you see in the Console e.g. POL00001>" -> UpdateDefaultImage
    • You will need to do this for the x64 folder as well. Do not do this for any custom boot images – this is just to update the default boot wims installed during setup of the site.

     

    General Antivirus Exclusions and Additional Information for System Center 2012 Configuration Manager Endpoint Protection

    Additionally, per my other post showing how to import various templates for different servers, here is the general list of file/folder exclusions exported from the Endpoint Protection System Center 2012 Configuration Manager template:

    %allusersprofile%\NTUser.pol
    %systemroot%\system32\GroupPolicy\registry.pol
    %windir%\Security\database\*.chk
    %windir%\Security\database\*.edb
    %windir%\Security\database\*.jrs
    %windir%\Security\database\*.log
    %windir%\Security\database\*.sdb
    %windir%\SoftwareDistribution\Datastore\Datastore.edb
    %windir%\SoftwareDistribution\Datastore\Logs\edb.chk
    %windir%\SoftwareDistribution\Datastore\Logs\edb*.log
    %windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
    %windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
    %windir%\SoftwareDistribution\Datastore\Logs\Res1.log
    %windir%\SoftwareDistribution\Datastore\Logs\Res2.log
    %windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
    %programfiles%\Microsoft Configuration Manager\Inboxes\*.* (shortened list for blog sake)
    %programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*.* (shortened list for blog sake)

    These entries above were taken directly from one of the included templates in System Center 2012 Configuration Manager, which I have attached to the post.
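    To check a site server against the OSD folders and the template entries listed above, the PowerShell below is an added example, not part of the original post or the shipped template. It reports which listed exclusions are configured, which are missing, and which are only covered because a broader parent folder was excluded. The staging drive, the configured list and the function names are assumptions; the required list is a subset of the entries in this post.

```powershell
# Added example (not from the original post or the shipped template).
# Compares the exclusions configured on a site server with entries this post lists
# and flags required entries that are only covered by a broader parent folder.
param(
    # Assumption: StagingDrive value from the site control file (placeholder drive).
    [string]$StagingDrive = 'D:',
    # Constructed sample list. On hosts that have the Defender module, pass
    # (Get-MpPreference).ExclusionPath instead.
    [string[]]$Configured = @('C:\Windows\Temp', '%windir%\Security\database\*.edb')
)

# Subset of the folders and files listed in this post.
$required = @(
    'C:\Windows\TEMP\BootImages'
    "$StagingDrive\ConfigMgr_OfflineImageServicing"
    '%allusersprofile%\NTUser.pol'
    '%systemroot%\system32\GroupPolicy\registry.pol'
    '%windir%\Security\database\*.edb'
    '%windir%\SoftwareDistribution\Datastore\Datastore.edb'
)

function Resolve-ExclusionPath {
    param([string]$Path)
    # Expand %variables% and normalise case and trailing backslash for comparison.
    [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\').ToLowerInvariant()
}

function Test-ExclusionCoverage {
    param([string[]]$Required, [string[]]$Configured)
    $have = @($Configured | ForEach-Object { Resolve-ExclusionPath $_ })
    foreach ($item in $Required) {
        $want   = Resolve-ExclusionPath $item
        $exact  = $have -contains $want
        # A configured parent folder covers the entry but exempts more than the post lists.
        $parent = $have | Where-Object { $want.StartsWith("$_\") } | Select-Object -First 1
        [pscustomobject]@{
            Required = $item
            Status   = if ($exact) { 'covered' }
                       elseif ($parent) { 'covered by broader entry' }
                       else { 'MISSING' }
            Via      = if ($exact) { $want } else { $parent }
        }
    }
}

Test-ExclusionCoverage -Required $required -Configured $Configured |
    Format-Table -AutoSize
```

    With the constructed sample, C:\Windows\TEMP\BootImages is reported as covered by the broader C:\Windows\Temp entry, which is worth narrowing to the folder this post names.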

    Additional links to Antivirus and Antimalware Information:

    Where is the Documentation for System Center 2012 Endpoint Protection?

    Forefront Endpoint Protection Blog

    Guidance on serve initial FEP definition update with SCCM through DP

    How to use the Definition Update Automation Tool for Forefront Endpoint Protection 2010 Update Rollup 1

    Important Changes to Forefront Product Roadmaps

    Support Questions about Windows 8 and Windows Server 2012 for Configuration Manager and Endpoint Protection

    Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows
    http://support.microsoft.com/kb/822158 

    Antivirus programs may contribute to file backlogs in SMS 2.0, SMS 2003 and Configuration Manager 2007:
    http://support.microsoft.com/kb/327453

    ConfigMgr 2007 Antivirus Scan and Exclusion Recommendations:
    http://blogs.technet.com/b/configurationmgr/archive/2010/11/30/configmgr-2007-antivirus-scan-and-exclusion-recommendations.aspx

     

    Thanks, Cliff Hughes
    Premier Field Engineer
    System Center 2012 Configuration Manager

  • Update adds support for Windows 8-based client computers in System Center Configuration Manager 2007 SP2

    ...read more