The Configuration Manager writing team is very excited to announce the release of the following SuperFlows:

• Software Updates Synchronization SuperFlow: Provides the detailed dataflow for the software updates synchronization process, additional resources related to software updates synchronization, and troubleshooting information.


• SuperFlow for Configuring Software Updates: Provides detailed steps that help you to plan for and configure software updates at a site. This SuperFlow also includes troubleshooting information and additional resources that you can use to learn more about configuring software updates in Configuration Manager 2007.


• Software Update Deployment SuperFlow: Provides information that helps you to prepare for and deploy software updates after you configure the software updates infrastructure and synchronize software updates.


• SuperFlow for Creating SRS Report Models in Configuration Manager 2007: Provides detailed steps that you can use to create a SQL Server Reporting Services report model in Configuration Manager 2007.

A complete list of the Configuration Manager SuperFlows and links to the download location for each is available at: http://go.microsoft.com/fwlink/?LinkId=183297.

What is a SuperFlow?

The SuperFlow interactive content model provides a structured and interactive interface for viewing documentation. Each SuperFlow includes comprehensive information about a specific Configuration Manager 2007 dataflow, workflow, or process. Depending on the focus of the SuperFlow, you will find overview information, steps that include detailed information, procedures, sample log entries, best practices, real-world scenarios, troubleshooting information, security information, animations, or other information. Each SuperFlow also includes links to relevant resources, such as Web sites or local files that are copied to your computer when you install the SuperFlow.

Your feedback makes a difference!
We want to continue to improve the SuperFlow content model and your feedback continues to be a critical part of the process. A feedback icon is available and I encourage everyone to use the link to tell us what you think. For anyone attending MMS 2010, check out one of the System Center Content Architecture and Innovation focus groups where you will have an opportunity to provide feedback about the SuperFlows.

Thank you!

-- Doug Eby

This posting is provided "AS IS" with no warranties and confers no rights.

The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web and the latest content on the Web has Updated: January 1, 2010 at the top of the topic.

This month's updates contain an updated support statement that in-band provisioning for AMT-based computers is now supported on client computers running Windows 7.  We have also updated topics to incorporate customer feedback.  We do value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com. 

What's New in the Configuration Manager Documentation Library for January 2010

The following information lists the topics that contain significant changes since the December 2009 update.

Configuration Manager 2007 SP2 Supported Configurations

- Removal of the statement that in-band provisioning is not supported on Windows 7.  This topic also has an updated section about BranchCache, to clarify its integration with Configuration Manager 2007 SP2.

Certificate Requirements for Native Mode

- Updated for the client authentication certificate that might be used with an operating system deployment in native mode. This certificate must have a unique value for the Subject Name and unlike the client authentication certificate that is used by native mode clients, it does not support a certificate SAN value.

Troubleshooting Management Point Communication

- Updated for clarity and with a warning that before running the MPCERT and MPLIST tests in a native mode site, a certificate must be imported into the browser.

Overview of Configuration Manager Client Deployment

- Updated the upgrade installation information with the clarification that you cannot use task sequences to upgrade the Configuration Manager client.

Configuration Manager 2007 SP2 Upgrade Checklist

- Updated with the clarification that clients do not automatically upgrade when the site is upgraded, and you must take manual steps to ensure that clients are upgraded. This checklist also has a new step to back up a customized SMS_def.mof prior to the upgrade because this file is overwritten by Setup.

How to Export Certificates For Use With Operating System Deployment

- Updated to correct a step out of sequence.

How to Set a Maintenance Window

- Updated to clarify how the Maximum allowed run time value is evaluated by maintenance windows.  This clarification is also added to Program Name Properties: Requirements Tab.

How to Re-run an Advertisement

- Updated to clarify the differences between original advertisement schedules and those created by the Re-Run Advertisement action.  This clarification is also added to How to Assign a Mandatory Advertisement and the Troubleshooting section "Advertisements Created by Using Rerun Advertisement Might Run at the Wrong Time" in Troubleshooting Software Distribution Issues.

Modifying the Default Configuration Manager SMS_def.mof File Before Upgrading

- Updated to clarify that service pack upgrades to the Configuration Manager site removes any custom edits to the SMS_def.mof file. This information is incorporated into the upgrade checklist topics as an additional step to back up a customized SMS_def.mof file for reference before the upgrade, and then edit the SMS_def.mof on the site server after verifying the site upgrade.

Deployment Package Name Properties: Data Access Tab

- Updated with the important information that specifying a share distribution folder that is already in use can result in data loss.  This information is also added to the following topics:  Download Updates Wizard: Data Access Page, Boot Image Properties - Data Access Tab, Operating System Images - Data Access Tab, and Operating System Install Packages - Data Access Tab.

Remove Package Page

- Updated with the information that the Select Group button is not used in Configuration Manager 2007.

Troubleshooting Configuration Manager Console Issues

- Updated the Troubleshooting issue "Error Message: This Function Is Not Supported on This Site System" with a second solution to verify that the account has read and execute permissions on the Configuration Manager installation folder on the site server.

Configuration Manager Client General Issues

- Updated for the new Troubleshooting issue "Available Cache Space and Location is Displayed Incorrectly on 64-Bit Configuration Manager Clients".

Operating System Deployment Task Sequence Variables

- Updated with the new task sequence variable _SMSTSTimezone.

Ports Used by Configuration Manager

- Updated with the clarification that the ports used by the software update point do not have to be the same throughout the hierarchy.

-- The Configuration Manager Writing Team

This posting is provided "AS IS" with no warranties and confers no rights.

[Today's post is provided by Levi Stevens]

Last year we added support for the new Windows Embedded Standard 2009 platform to Configuration Manager 2007.  Until our online documentation at Tasks for Managing Configuration Manager Clients on Windows Embedded Devices is updated, we are bringing you the few key things that you need to know:

1. Write Filters have been tested and are now supported with Windows Embedded Standard 2009. Please see the section Prerequisites when using the File Based Write Filter below for added details on filter exceptions needed when using write filters. These are necessary if you want the state to be preserved across system restarts. This applies to Windows XP Embedded as well.
2. Windows Embedded Standard 2009 introduces support for Sysprep enabling Operating System Deployment feature support. See the General Prerequisites section below for requirements to use this feature.

We will follow up this with another blog post we are working on that will document how to extend Hardware Inventory to create collections and report on specific versions of Windows Embedded family operating systems.  So keep your eyes peeled.

Prerequisites for using the Configuration Manager 2007 Client on Windows Embedded Devices

Before you install and use the Configuration Manager 2007 client on devices running the Windows Embedded operating system, ensure that the following prerequisites are in place:

 General Prerequisites

When building your Windows Embedded image in Microsoft Target Designer, ensure that the following components are included:

• SCCM Client Prerequisite- Required to support installation of the client software
• UDFS - Required for support using the operating system deployment capture CD with Windows Embedded Standard 2009
• Sysprep - Required to support operating system deployment image capture (only available on Windows Embedded Standard 2009)
• Users Control Panel - Required for users to use the Run Advertised Programs control panel applet
• .NET Framework 2.0 or later - Required to use the Desired Configuration Management feature

Note:

The Configuration Manager 2007 advanced client prerequisites macro component is included Windows Embedded Standard 2009 and can be selected in Microsoft Target Designer. To install the Configuration Manager 2007 client on devices running Windows XP Embedded, you must first download the System Center Configuration Manager 2007 Advanced Client pre-requisites macro component for Windows XP Embedded from http://www.microsoft.com/downloads/details.aspx?familyid=7e7128f7-43d8-48d0-85bc-ca971e2fbc8a&displaylang=en&tm.

Prerequisites when using the File Based Write Filter

Configure the following exceptions if you want to use the File Based Write Filter (FBWF) to persist the state of the Configuration Manager 2007 client between device restarts.

Registry Exceptions

Configure the following registry exceptions using the Embedded Designer as you create your image:

• HKLM\Software\Microsoft\SMS
• HKLM\Software\Microsoft\CCM
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon - Configure this exception if you will be using task sequences to service the Configuration Manager 2007 client.

File Exceptions

Configure the following file exceptions using the File Based Write Filter after installing the Configuration Manager 2007 client:

• %WINDIR%\System32\CCM
• %WINDIR%\System32\Wbem
• C:\_TaskSequence - Configure this exception if you will be using task sequences to service the Configuration Manager 2007 client.

For detailed information about building images and configuring write filters, see your Windows Embedded documentation.

-- Levi Stevens

This posting is provided "AS IS" with no warranties and confers no rights.

Software distribution in Configuration Manager 2007 starts with creating a package and ends when the package content installs on the client. However, there are quite a few steps in between and the content download process is usually where customers encounter most problems. Here are some examples from the TechNet forums:

• http://social.technet.microsoft.com/Forums/en-US/configmgrswdist/thread/b26d330c-2074-44ed-aa2b-c9040c853ed7
• http://social.technet.microsoft.com/Forums/en-US/configmgrswdist/thread/c2d7d528-5105-453b-9532-09264ea52d90?prof=required

This blog post offers a troubleshooting guide for customers to diagnose some of the frequently encountered issues relating to client content download problems.  It outlines the scenario, then takes you through how to track the various processes involved from when the client downloads policy to when the client installs the software.

• Step 1: Tracking the Advertisement on the Client
• Step 2: Tracking the Content Location Request on the Client
• Step 3: Tracking the Content Location Response on the Management Point
• Step 4: Identifying the Client Boundary and How this Affects Content Location and Download
• Step 5: Tracking the Content Download
• Step 6: Troubleshooting BITS

This scenario assumes that the package has been successfully distributed to a standard distribution point, an advertisement for this package is targeted to a collection, and for troubleshooting purposes, debug logging is enabled on both the client and the management point.  For instructions how to configure debug logging, see http://support.microsoft.com/kb/833417.

When client policy is triggered, clients in the targeted collection get the advertisement.  If you need instructions to initiate client policy, see How to Initiate Policy Retrieval for a Configuration Manager Client.

For more information about the log files mentioned and their locations, see List of Log Files in Configuration Manager 2007.

Step 1: Tracking the Advertisement on the Client

Start with the log file execmgr.log on the client and search for the advertisement ID. You should see references to the advertisement ID in this log that looks similar to the following:

<![LOG[CExecutionManager::HandleMessage received message: '<?xml version='1.0' ?>

          <SoftwareDeploymentMessage MessageType='Execution'>

              <AdvertisementID>CAR20000</AdvertisementID>

              <PackageID>CAR00003</PackageID>

              <ProgramID>TestProgram</ProgramID>

              <HistoryLocation>Machine</HistoryLocation>

          </SoftwareDeploymentMessage>'

Step 2: Tracking the Content Location Request on the Client

After confirming that the client has received the advertisement, open the log file LocationServices.log on the client. If the advertisement requires content to be downloaded, the client asks its management point for a list of URLs where this content is available. The LocationServices.log file logs this content location request sent by the client. Search for this by using the PackageID value that was referenced in execmgr.log.  It will look similar to the following:

ContentLocationRequest : <ContentLocationRequest SchemaVersion="1.00"><Package ID="CAR00003" Version="1"/><AssignedSite SiteCode="PS2"/><ClientLocationInfo LocationType="SMSPackage" UseProtected="0" AllowCaching="0" BranchDPFlags="0" UseInternetDP="0" AllowHTTP="1" AllowSMB="1" AllowMulticast="1" AllowFileStreaming="0"><ADSite Name="CorpHQ"/><IPAddresses><IPAddress SubnetAddress="A.B.C.D" Address="A.B.C.E"/></IPAddresses></ClientLocationInfo></ContentLocationRequest>

Step 3: Tracking the Content Location Response on the Management Point

After receiving this content location request, the management point responds with a content location reply, containing a list of URLs. You can use the log file MP_Location.log file on the management point to track both the request (ContentLocationRequest xml segment) and the response (ContentLocationReply xml segment).

When the management point returns a valid list of URLs for the client to download the content, it will look similar to the following:

MP LM: Message Body : <ContentLocationRequest SchemaVersion="1.00" ExcludeFileList=""><Package ID="CAR00003" Version="1"/><AssignedSite SiteCode="PS2"/><ClientLocationInfo LocationType="SMSPackage" UseProtected="0" AllowCaching="0" BranchDPFlags="0" UseInternetDP="0" AllowHTTP="1" AllowSMB="1" AllowMulticast="1" AllowFileStreaming="0"><ADSite Name="MyADSite"/><IPAddresses><IPAddress SubnetAddress="A.B.C.D" Address="A.B.C.E"/></IPAddresses></ClientLocationInfo></ContentLocationRequest>

MP_LocationManager      10/14/2009 10:52:08 AM        4768 (0x12A0)

UID not found       MP_LocationManager      10/14/2009 10:52:08 AM        4768 (0x12A0)

MP_GetContentDPInfoUnprotected (CAR00003,1,PS2,SMSPackage,00000000)
MP_LocationManager      10/14/2009 10:52:08 AM        4768 (0x12A0)

WriteContentDPInfo        MP_LocationManager      10/14/2009 10:52:08 AM        4768 (0x12A0)

MP LM: Reply message body: <ContentLocationReply SchemaVersion="1.00"><ContentInfo PackageFlags="0"/><Sites><Site><MPSite SiteCode="PS2" MasterSiteCode="PS2" SiteLocality="LOCAL"/><LocationRecords><LocationRecord><SMBPath Name="\\[ServerName]\SMSPKGC$\CAR00003"/><URL Name="http://[ServerName/SMS_DP_SMSPKGC$/CAR00003" Signature="http://[ServerName]/SMS_DP_SMSSIG$/CAR00003.1.tar"/><ADSite Name=""/><IPSubnets><IPSubnet Address=""/><IPSubnet Address=""/></IPSubnets><Metric Value=""/><Version>6221</Version><Capabilities SchemaVersion="1.0"/><ServerRemoteName>NOVA42306.NOVA42304DOM.net</ServerRemoteName><DPType>SERVER</DPType></LocationRecord></LocationRecords></Site></Sites></ContentLocationReply>          MP_LocationManager  10/8/2009 2:42:56 PM        5408 (0x1520)

When the management point has no locations for the client to download the content, it will look similar to the following:

No Locations found.     MP_LocationManager  10/14/2009 10:52:08 AM    4768 (0x12A0)

MP LM: Reply message body: <ContentLocationReply SchemaVersion="1.00"><ContentInfo PackageFlags=""/><Sites><Site><MPSite SiteCode="PS2" MasterSiteCode="PS2" SiteLocality="LOCAL"/><LocationRecords/></Site></Sites></ContentLocationReply>MP_LocationManager          10/14/2009 10:52:08 AM    4768 (0x12A0)

If you see "No Locations found" like this in the MP_Location.log, confirm that the package is successfully installed on the distribution points by using the log file distmgr.log on the site server.

Step 4: Identifying the Client Boundary and How this Affects Content Location and Download

In the example of the MP_Location.log showing the management point returning a valid list of URLs for the client to download the content, it has SiteLocality="LOCAL", which identifies the client as being within the fast boundary of the site and hence the locality of the client is considered "local".  The two other values for the SiteLocality attribute are Remote and Fallback:

• Remote identifies the client as being in a slow and unreliable boundary
• Fallback identifies the client as not belonging to any boundary

When the client is located within a slow and unreliable boundary of the site, the ContentLocationReply looks similar to this:

ContentLocationReply : <ContentLocationReply SchemaVersion="1.00"><ContentInfo PackageFlags="0"/><Sites><Site><MPSite SiteCode="PS1" MasterSiteCode="PS1" SiteLocality="REMOTE"/><LocationRecords><LocationRecord><SMBPath Name="\\[ServerName]\SMSPKGC$\CAR00003\"/><URL Name="http://[ServerName]/SMS_DP_SMSPKGC$/CAR00003/" Signature="http://[ServerName]/SMS_DP_SMSSIG$/CAR00003.1.tar"/><ADSite Name=""/><IPSubnets><IPSubnet Address=""/><IPSubnet Address=""/></IPSubnets><Metric Value=""/><Version>6221</Version><Capabilities SchemaVersion="1.0"/><ServerRemoteName>[ServerName]</ServerRemoteName><DPType>SERVER</DPType></LocationRecord></LocationRecords></Site></Sites></ContentLocationReply>          LocationServices        10/14/2009 2:01:23 PM     2592 (0x0A20)

If the client is within a slow and unreliable boundary and you want it to install software, ensure that the advertisement is configured with the following option enabled: "Download content from distribution point and run locally". The default setting for an advertisement when clients are within a slow and unreliable boundary is "Do not run program".

Note:  There might be valid reasons why clients in slow and unreliable boundaries should not install software. This setting applies to all clients identified as being in a slow and unreliable boundary and cannot be configured for individual clients.  If you do change the setting, be aware that it will impact potentially many clients.  For more information, see Decide Whether Clients Should Download Content If They Are on a Slow or Unreliable Network Boundary.

When SiteLocality="FALLBACK", the resulting behavior is the same as if the client is on a slow and unreliable boundary. The content location reply in this case looks something like this:

ContentLocationReply : <ContentLocationReply SchemaVersion="1.00"><ContentInfo PackageFlags="0"/><Sites><Site><MPSite SiteCode="PS1" MasterSiteCode="PS1" SiteLocality="FALLBACK"/><LocationRecords><LocationRecord><SMBPath Name="\\[ServerName]\SMSPKGC$\CAR00003\"/><URL Name="http://[ServerName]/SMS_DP_SMSPKGC$/CAR00003/" Signature="http://[ServerName]/SMS_DP_SMSSIG$/CAR00003.1.tar"/><ADSite Name=""/><IPSubnets><IPSubnet Address=""/><IPSubnet Address=""/></IPSubnets><Metric Value=""/><Version>6221</Version><Capabilities SchemaVersion="1.0"/><ServerRemoteName>[ServerName]</ServerRemoteName><DPType>SERVER</DPType></LocationRecord></LocationRecords></Site></Sites></ContentLocationReply>          LocationServices        1/11/2010 10:59:55 AM     2448 (0x0990)

 

Step 5: Tracking the Content Download

The client attempts to download content from the first distribution point listed in the content location reply. This is logged in ContentTransferManager.log on the client, with an example being as follows:

CTM dumping locations returned by Location Service:          ContentTransferManager   10/8/2009 2:42:56 PM       3204 (0x0C84)
Source: 'http://[ServerName]/SMS_DP_SMSPKGC$/CAR00003' Locality: Local Version: 6221 Capability: <Capabilities SchemaVersion="1.0"/>Signatures: http://[ServerName]/SMS_DP_SMSSIG$/CAR0000.1.tar' ContentTransferManager   10/8/2009 2:42:56 PM       3204 (0x0C84)
Source: '\\[ServerName]\SMSPKGC$\CAR00003' Locality: Local         Version: 6221 Capability: <Capabilities SchemaVersion="1.0"/>Signatures: ''          ContentTransferManager   10/8/2009 2:42:56 PM       3204 (0x0C84)

Then check DataTransferService.log on the client to see if a job has been created to download the files to the client. The log entry looks like this:

DTSJob {BC1A0EAB-A1D7-48BE-AD1E-CFE85F63C1B0} created to download from 'http://NOVA42306.NOVA42304DOM.net/SMS_DP_SMSPKGC$/CAR00003' to 'C:\Windows\system32\CCM\Cache\CAR00003.1.System'.          DataTransferService 10/8/2009 2:42:56 PM       3204 (0x0C84)

Subsequent log entries look like the following:

Execute called for DTS job '{BC1A0EAB-A1D7-48BE-AD1E-CFE85F63C1B0}'.  Current state: 'PendingDownload'.     DataTransferService 10/8/2009 2:43:07 PM    3788 (0x0ECC)
...

Starting BITS download for DTS job '{BC1A0EAB-A1D7-48BE-AD1E-CFE85F63C1B0}'.       DataTransferService 10/8/2009 2:43:07 PM       3788 (0x0ECC)

The last line above indicates content download from a BITS-enabled distribution point (the configuration option Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS on the ConfigMgr Distribution Point Properties: General tab). Note that if the BITS download fails, the content download will fall back to using SMB and the download of files can then be monitored by using the FileBITS.log file.

Step 6: Troubleshooting BITS

If the content is being downloaded using BITS, the download process might stall under various circumstances. The bitsadmin tool is very useful in troubleshooting the status of content download. For example:

• bitsadmin /list /allusers
  Use this command to find the job ID that's relevant to your troubleshooting task, because you will need this for other bitsadmin commands. This command lists all the BITS download jobs that are currently in progress.  From this list, identify the job related to your package ID, and note the job ID.
• bitsadmin /getinfo jobid
  Use this command to get more information about a particular BITS job.  From the output, if you notice that the download has stopped on any one particular file or directory, use the following bitsadmin command to manually download the file as a test to see if it works: bitsadmin /transfer MyJob /download /priority normal [http://remote-file-url] [SysDrive]\LocalFileName

It's typical for the download to stall on one particular file or directory.  The following lists some frequently encountered issues and resolutions.

• Some file extensions are blocked inherently by IIS. Check whether the package has any files with theses extensions and use the following KB article to remove the blocked extensions from the applicationHost.config file: http://support.microsoft.com/kb/942045/
• Some directories are hidden by default by IIS. Some typical directories that might be present in the packages are "bin" and "log" folders. These directories are hidden by IIS and BITS will subsequently fail to download all files hosted under these directories. Use the following KB article to remove these restrictions from the applicationHost.config file: http://support.microsoft.com/kb/942047/ For more information, see http://blogs.iis.net/bills/archive/2008/03/23/how-to-un-block-directories-with-iis7-web-config.aspx
• Some file names or directories containing special characters such as "+" have a double escape sequence, which is denied by IIS by default. Use the following KB article to set "allowDoubleEscaping" to true in the applicationHost.config file: http://support.microsoft.com/kb/942076/

Please post your comments on this blog post and let me know if you would like to see similar troubleshooting posts for software distribution and other areas.  I will try to address questions as soon as possible.

- Bhaskar Krishnan

This posting is provided "AS IS" with no warranties, and confers no rights.

We have recently updated the Configuration Manager Documentation Library regarding site boundary configurations.  This change was made to clarify the use of supernets, which remain unsupported but have been a source of confusion resulting in support calls.   The confusion comes when an Active Directory site is configured as a boundary and that Active Directory site contains one or more supernets. 

Configuration Manager does not support supernets for site boundaries.  This includes supernets defined directly in the Configuration Manager console as IP subnets, and supernets defined indirectly in the Configuration Manager console as Active Directory sites that contain supernets. Supernets can result in inconsistent behavior for Configuation Manager actions that use boundary configurations, such as site discovery and auto-site assignment for clients, and content location for when clients find distribution points to download packages.

Two common problems you might see when using supernets include the following:

• Clients are unable to discover and to automatically assign to the correct site.
• Clients fail to download packages because they are not given the expected distribution points .

It's easy to miss that supernets might be the underlying cause of these problems because of inconsistent behavior.  Some clients that use supernets can behave as expected, while others do not.   Configuration Manager 2007 was not designed to support supernets as boundaries, and while this configuration might work for some clients, it remains officially unsupported.

When clients exhibit unexpected behavior for boundary related tasks, validate that you have only supported boundary configurations in the Configuration Manager console and within the Active Directory sites configured as boundaries.  For example, if you find that you've defined an Active Directory site as a boundary and this Active Directory site contains supernets, remove the Active Directory site boundary configuration and replace it with the exact subnets.  

If this reconfiguration is not practical because of high administrative overheads, you might consider adding the relevant subnets to supplement the existing boundary configuration.  This approach might eliminate the requirement to specify each subnet.  We've heard that some customers have been successful with this configuration but it has not been tested by the product group and so it remains unsupported.  For example, one possible consequence of this configuration might be that clients are given incorrect distribution points, such as a protected distribution point across a WAN when this was not your intended behavior.

The December documentation update clarifies the unsupported configuration of using supernets for boundary configuration in the following topics:

• Choose Configuration Manager Boundaries
• Planning Configuration Manager Boundaries

More information on the Configuration Manager Support Team blog: Some ConfigMgr 2007 clients never install packages, report status of "Waiting on content"

Many thanks to our colleagues in CSS - Clifton Hughes, Keith Thornley, Ryan Anderson - for bringing this to our attention, and to Brent Dunsire who helped us to clarify the use of supernets in the documentation and provide this additional information for customers. 

-- The Configuration Manager Writing Team

This posting is provided "AS IS" with no warranties and confers no rights.

[Today's post comes from the Configuration Manager Writing Team] 

The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web and the latest content on the Web has Updated: December 1, 2009 at the top of the topic.

This month's updates are primarily for revisions based on customer feedback.  We do value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com. 

What's New in the Configuration Manager Documentation Library for December 2009

The following information lists the topics that contain significant changes since the November 2009 update.

Planning Configuration Manager Boundaries

- Updated to clarify that supernets are not supported as boundary configurations when they are defined as an IP Subnet or an Active Directory site.

Certificate Requirements for Native Mode

- Updated for the information regarding the client certificate, which is not used for authentication to the software update point. Unlike the other native mode site systems, the software update point doesn't use mutual authentication and uses server authentication only.  Other topics have been updated to clarify this exception, including Benefits of Using Native Mode.

About Network Access Protection Remediation

- Updated with the information that a server locator point can act as a Network Access Protection remediation server when it is used by clients for site information or for locating the management point.  This clarification is also added to Determine Which Site Systems Are Boundary Servers for IPsec Network Access Protection and Configuring Remediation Server Groups for Configuration Manager Network Access Protection.

About Network Access Protection in Configuration Manager Hierarchies

- Updated with the important clarification that you cannot create NAP policies on a site that is inheriting software updates from a parent site. When you configure software updates synchronization with Microsoft, make sure that you configure this synchronization on the site from which you want to create Configuration Manager NAP policies.

About Configuration Manager Client Installation Properties Published to Active Directory Domain Services

- Updated to clarify that when CCMSetup reads client installation properties that are published to Active Directory Domain Services, the default management point is always returned as the location from which clients download installation files.  This means that if clients are within the boundaries of a secondary site that contains a proxy management point, they will still download the client source files from the primary site.

-- The Configuration Manager Writing Team

This posting is provided "AS IS" with no warranties and confers no rights.

[Today's post comes from Yvette O'Meally]

We have received a number of requests from customers who would like to create their own Microsoft License file for import, similar to the method used for the non-Microsoft License Import File. 

Disclaimer: While it is possible to produce the xml file manually, you should keep in mind that this was not the original intent or design of the feature so the parsing of the xml file may seem surprisingly picky about things that seem harmless.

For Microsoft License import, the Asset Intelligence License Import Wizard requires an xml file with the following columns in this order and with the specified data types.

 The expected format of the rows is a pivot table.  Attached to this post is a small manual example of what the table should look like.  If you have a lot of data you may put the raw data on one worksheet and use the excel pivot tools to generate the pivot table on a different worksheet.

To Create a Microsoft License Import File Using Microsoft Office Excel

1. Open Microsoft Office Excel and create a new spreadsheet.

2. Name the first worksheet License Summary and the second worksheet License Data.

3. On the first row of the License Data worksheet, enter all software license data field names.

4. On the second and subsequent rows of the License Data worksheet, enter software license information as required. If you have access to your license information on the Volume License Service Center (VLSC) portal, this information may be obtained by cutting and pasting the first 5 columns from the License Summary table. NOTE: Excel may import the License Version column as numbers. If that occurs convert the cells to text.

5. Create a pivot table on the License Summary worksheet. The source of the pivot table should be the table that was created on the License Data worksheet. Select all 5 columns (Product Pool, License Product Family, License Version, Effective Quantity and Unresolved Quantity) as Row labels in that order. Turn off all totals and subtotals using Pivot Table options and Field settings.

6. From the Microsoft Office Excel file menu, save the file in .xml format. When using Microsoft Office Excel 2003, the file created should be saved as an XML Spreadsheet formatted file. When using Microsoft Excel 2007, the file created should be saved as an XML Spreadsheet 2003 formatted file.

7. Copy the .xml file to the file share that will be used to import software license information into the Asset Intelligence catalog using the Asset Intelligence License Import Wizard.

8. From within the Configuration Manager console, use the Asset Intelligence License Import Wizard to import the newly created .xml license information file.

9. Run the Asset Intelligence License 14A - Microsoft Volume Licensing Reconciliation Report to verify that the licensing information has been successfully imported into the Asset Intelligence catalog.

For more information see

• Importing Software Licenses Into the Asset Intelligence Catalog http://technet.microsoft.com/en-us/library/cc431362.aspx
• Volume Licensing Service Center (VLSC) https://www.microsoft.com/licensing/servicecenter/

--Yvette O'Meally

This posting is provided "AS IS" with no warranties and confers no rights.

[Carol Bailey has contributed today's post]

A couple of issues recently came to our attention from the TechNet forums with regard to native mode certificate selection when there is more than one available certificate that could be used:

• When a certificate in the certificate store has expired, we log this and Trace32 highlights it as an error, which might be interpreted that it is this certificate that is selected.  This can lead customers to think that their certificate selection criteria isn't working, whereas in fact we always log this condition, even when Configuration Manager has selected a different certificate that is successfully used for native mode.
• The logging information, even with verbose debug enabled, does not identify which certificate was selected by Configuration Manager.  Only the certificate thumbprint can uniquely identify a certificate, and this is not logged in ClientIDManagerStartup.log or any of the other client logging files.

The first issue can be put down to "logging noise" that can be either safely ignored, or downgraded to information only.  There might be good and known reasons why the certificate store contains expired certificates.  Obviously, native mode communication in Configuration Manager requires an unexpired certificate, but the presence of an expired certificate will not prevent Configuration Manager from working.  The error that you see looks like this: The certificate issued to ‘<computer_name>' has expired.

The second issue is of more importance because there could be good reasons why you need to know which certificate Configuration Manager has selected when using your certificate selection criteria.  For example, it might successfully select a certificate that is not trusted by the native mode site systems because it chains to a different root CA.  Another example is that the selected certificate might contain CRL paths that are inaccessible to the native mode site systems, and this results in a CRL checking failure.

We've filed a design change request (DCR) to improve the logging information for future versions of the product, but in the meantime, if you need to confirm which native mode certificate was selected by Configuration Manager, consider running the script that Gabe Brown posted on his blog: Getting a ConfigMgr Client's Registered Certificate Thumbprint.  Although this script is provided "as is", it is a nondestructive script to run on the client to read the certificate thumbprint selected by Configuration Manager and displays it on the screen.  Many thanks to Gabe for helping me to investigate this, file the DCR, and provide an interim solution for CSS and customers.

--Carol Bailey

This posting is provided "AS IS" with no warranties and confers no rights.

Recently a customer reported that when applying a hotfix (.MSP file) that updates the Configuration Manager client software, some customized hardware inventory data was later missing for the targeted clients. The customer was looking specifically at information previously added to the Win32Reg_AddRemovePrograms class. 

Here is what happened:
The client installation process, which in this context also includes installing a patch, triggers local compilation of a few buit-in MOF files that are needed for some core client functions. 

The end result is that if you have customized hardware inventory to extend Win32Reg_AddRemovePrograms, or one of the other classes in the following list, your customizations will not be preserved when you apply a patch to the Configuration Manager client:

CCM_InstalledComponent;
CCM_SystemDevices;
CCM_RecentlyUsedApps;
CCM_System;

SMS_AMTObject;
SMS_LogicalDisk;
SMS_Processor;

Win32_WindowsUpdateAgentVersion;

Win32Reg_AddRemovePrograms;
Win32Reg_SMSAdvancedClientSSLConfiguration;
Win32Reg_SMSGuestVirtualMachine;

To recover and have these classes reported properly again requires an update to the hardware inventory policy data on the site server.  This can be forced by just making a change to the sms_def.mof (such as adding, then removing a space) and saving it to force Inventory Data Loader to update policy based on the mof.  This is a site wide change, though a small one.  To minimize repetition of this, and therefore unnecessary traffic, wait to do this until all Configuration Manager clients have been updated.

-- Brian Huneycutt

This posting is provided "AS IS" with no warranties and confers no rights.

[In today's post Levi Stevens discusses an issue with USMT and Config Manager 2007 SP2]

Problem Description

When upgrading or reinstalling Windows XP to Windows 7 using USMT 4.0 to migrate system and user state, settings like Wallpaper and Network Printer mappings are not migrated.

Running scanstate.exe from a folder other than the USMT - x86 - folder (the default for the Task Sequence) prevents scanstate.exe from finding the DLManifests folder to include system components like wallpaper and folder settings. These settings will not be migrated.  USMT 4.0 must be run from a local folder containing the DLManifests folder.

The User State Migration Tool (USMT) version 4.0 released with the Windows Automated Installation Kit (WAIK) version 2.0 and is a prerequisite for using OS Deployment with ConfigMgr 2007 SP2.

Symptoms

After migrating user state the wall paper or folder settings do not migrate.  If you have enabled verbose logging (/v:5) you may see the following entry in ScanState.log:

2009-09-14 15:41:19, Info [0x000000] Downlevel Manifests folder is not present. System component settings will not be gathered.

Workaround

Copy the USMT binaries to local and use "Run Command Line" task sequence step to run scanstate.exe from the USMT\x86 directory (set the Starting In from "Run Command Line" to USMT\x86 folder).  You will need two steps, one to copy the USTM folder to the local drive, and one to run USMT capture state.

Example Task Sequence

Save the below example as TSExample.xml, then import this into ConfigMgr.  You will need to edit the task sequence to set the reference package that contains the RunScanState.bat example workaround script.

<?xml version="1.0"?>
<SmsTaskSequencePackage xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <BootImageID />
  <Category />
  <DependentProgram />
  <Description />
  <Duration>360</Duration>
  <Name>WorkAround</Name>
  <ProgramFlags>152084496</ProgramFlags>
  <SequenceData>
    <sequence version="3.00">
      <referenceList>
        <reference package="SMS00001" />
      </referenceList>
      <step type="SMS_TaskSequence_RunCommandLineAction" name="Run Command Line" description="" runIn="WinPEandFullOS" successCodeList="0 3010">
        <action>smsswd.exe /run: cmd.exe /c md %systemdrive%\usmtsafe</action>
        <defaultVarList>
          <variable name="CommandLine" property="CommandLine" hidden="true">cmd.exe /c md %systemdrive%\usmtsafe</variable>
          <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">true</variable>
          <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
          <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
        </defaultVarList>
      </step>
      <step type="SMS_TaskSequence_RunCommandLineAction" name="Run Command Line" description="" runIn="WinPEandFullOS" successCodeList="0 3010">
        <action>smsswd.exe /run: cmd.exe /c md %systemdrive%\USMTbits</action>
        <defaultVarList>
          <variable name="CommandLine" property="CommandLine" hidden="true">cmd.exe /c md %systemdrive%\USMTbits</variable>
          <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>
          <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
          <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
        </defaultVarList>
      </step>
      <step type="SMS_TaskSequence_SetVariableAction" name="Set Task Sequence Variable" description="" runIn="WinPEandFullOS" successCodeList="0">
        <action>tsenv.exe "OSDStateStorePath=%systemdrive%\usmtsafe"</action>
        <defaultVarList>
          <variable name="VariableName" property="VariableName" hidden="true">OSDStateStorePath</variable>
          <variable name="VariableValue" property="VariableValue" hidden="true">%systemdrive%\usmtsafe</variable>
        </defaultVarList>
      </step>
      <step type="SMS_TaskSequence_RunCommandLineAction" name="Run Command Line" description="" runIn="WinPEandFullOS" successCodeList="0 3010">
        <action>smsswd.exe /run:SMS00001 xcopy * %systemdrive%\USMTbits /herciy</action>
        <defaultVarList>
          <variable name="CommandLine" property="CommandLine" hidden="true">xcopy * %systemdrive%\USMTbits /herciy</variable>
          <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">true</variable>
          <variable name="PackageID" property="PackageID" hidden="true">7S000003</variable>
          <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
          <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
        </defaultVarList>
      </step>
      <step type="SMS_TaskSequence_RunCommandLineAction" name="Run Command Line" description="" runIn="WinPEandFullOS" successCodeList="0 3010">
        <action>smsswd.exe /run: cmd /c runscanstate.bat %OSDStateStorePath% %systemdrive%</action>
        <defaultVarList>
          <variable name="CommandLine" property="CommandLine" hidden="true">cmd /c runscanstate.bat %OSDStateStorePath% %systemdrive%</variable>
          <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>
          <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
          <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
          <variable name="WorkingDirectory" property="WorkingDirectory">%systemdrive%\USMTbits\x86</variable>
        </defaultVarList>
      </step>
    </sequence>
  </SequenceData>
  <SourceDate>2009-10-21T19:33:43</SourceDate>
  <SupportedOperatingSystems />
  <IconSize>0</IconSize>
</SmsTaskSequencePackage>

RunScanState.Bat

@set USMT_WORKING_DIR=%~2%\USMTbits\x86
"%~2\USMTbits\x86\scanstate.exe" "%~1" /o /localonly /efs:copyraw /all /v:5 
/l:%~2\windows\TEMP\SMSTSLog\scanstate.log 
/progress:%~2\windows\TEMP\SMSTSLog\scanstateprogress.log 
/i:%~2\USMTbits\x86\miguser.xml /i:%~2\USMTbits\x86\migapp.xml

-- Levi Stevens

This posting is provided "AS IS" with no warranties and confers no rights.

[Today's post comes from the Configuration Manager Writing Team] 

The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web and the latest content on the Web has Updated: November 1, 2009 at the top of the topic.

This month's updates contain the latest supported configurations, as previously blogged here: Configuration Manager Support Announcements for November 2009.  It also has some updates to existing documentation.  The additional support statements include Windows Storage Server 2003 and Windows Storage Server 2008 for distribution points, and support for running desired configuration management on Server Core with .Net Framework 2.0 installed. 

In addition to our support statements for BranchCache and DirectAccess with Configuration Manager 2007 SP2, we've added links to the official Windows Server documentation for these cross-technology dependencies:

• BranchCache: http://go.microsoft.com/fwlink/?LinkId=177945
• DirectAccess: http://go.microsoft.com/fwlink/?LinkId=178017

We do value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com. 

What's New in the Configuration Manager Documentation Library for November 2009

The following information lists the topics that contain significant changes since the August 2009 update.

Configuration Manager 2007 SP2 Supported Configurations

- Updated to include the latest support statements.

Configuration Manager 2007 R2 Supported Configurations

- Updated to include the latest support statements.

Configuration Manager 2007 SP1 Supported Configurations

- Updated to include the latest support statements.

Prerequisites for Out of Band Management

- Updated with the latest WinRM support version information.

Configuration Manager Site to Site Communications

- Updated to remove the following requirement:  "The Domain Admins group from the trusted Domain are added to the local administrators group on the Configuration Manager 2007 primary site servers spanning the trust." Customers brought to our attention that this requirement was not necessary.  We asked the product group to retest, and they confirmed that this requirement was not needed when there is a forest trust.

Predefined Maintenance Tasks

- Updated with missing information about the new tasks:

• Delete Aged Delete Detection Data
• Evaluate Provisioned AMT Computer Certificates
• Reset AMT Computer Passwords

This information has also been added to Predefined Maintenance Task Planning.

How to Configure Hardlinks for User State Migration

- Updated to correct the procedure title.

Glossary term for fallback status point

- Modified to indicate that the fallback status point is not just for error conditions but is also useful in tracking successful client deployments.

How to Configure Network Discovery

- Corrected our favorite typo of the month - replacing "typology" with "topography".

-- The Configuration Manager Writing Team

This posting is provided "AS IS" with no warranties and confers no rights.

[Today's post is provided by Levi Stevens] 

Up until now we have released support announcements on the ConfigMgr Support Team blog from our very own Customer Support Services.  Moving forward, we will be announcing support for new configuration via our Configuration Manager Team blog directly from our finger tips to your eyes.  While we are on the topic, you might be wondering what to expect from our team when new versions of our dependencies release.  First, let's establish some terminology.  We consider our ‘externals' anything that our product is dependent on (or specific features are dependent on) that is not developed by our own development teams.  We have dependencies on platforms like Windows or SQL, or components like .NET Framework or the Bandwidth Intelligent Throttling Service (BITS).  We currently track over 26 external dependencies against our product.

Each time a new version of an external is going to release, our team assesses whether or not we will offer support for this new external.  Often this will involve some ‘scout' testing, some sanity check to see if there are any blatant issues and to size the cost to thoroughly test and validate the new release.  In some cases we need to release a hotfix to enable support, and in some cases we find no issues during test and can simply release a support statement.  As you can imagine the level of change affects our support approach.  For example, the release of Windows 7 required integration of a whole new WAIK and upgrading to a new toolset for imaging. This wasn't something that we could simply hotfix, so this level of support and change was rolled into our next service pack release (SP2 released on 10/22).

You should look to our Supported Configuration pages as your law for what is supported by Microsoft. In most cases we are specific about what we DO support, so if you are checking to see if a new Windows Service Pack is supported yet, if it is not listed, that means it is not supported.  When we do announce support, you can expect a new blog posting on our Configuration Manager Team blog and the official supported configuration page will be updated in the next document publishing cycle (quarterly).

In a few cases we document support implicitly.  For example, we document that BITS 2.5 as a minimum requirement in the ConfigMgr Prerequisites.  What does this mean when something such as BITS 4.0 releases? It means that our team is actively testing this new release and if we find issues we will document them.

How does ‘extended support' or an expired service pack impact support for new configurations?  We do not test or add support for new configurations on a product that reaches extended support (like SMS 2003 coming in January) or with ConfigMgr 2007 RTM (with no service pack).  If your company is planning on rolling out new platforms or components you should plan moving to mainstream supported products and service pack levels.

With that introduction, here are the support announcements for November 2009:

Windows Storage Server 2008 is now supported on Configuration Manager 2007 SP1 and SP2

System Center Configuration Manager 2007 SP1 and SP2 now support the Windows Storage Server 2008 operating systems for client installation.  Site system roles of a standard distribution point and a branch distribution point are supported.  Installations of the administrator console or other site system roles are not supported.

No software updates are required.

Windows Remote Management (WinRM) 2.0 is now supported on Configuration Manager 2007 SP1 and SP2

System Center Configuration Manager 2007 SP1 and SP2 now support installing Windows Remote Management 2.0 on site systems running the out of band service point role.

No software updates are required.

-- Levi Stevens

This posting is provided "AS IS" with no warranties and confers no rights.

The latest downloadable quarterly update for the Configuration Manager 2007 Documentation Library has been posted to the download center. The October 2009 version is the newest downloadable update available and contains new material and fixes to documentation problems reported by customers since the last update was published for the April 2009 version.

The January, April and October 2009 versions of the downloadable documentation help updates are now available on the Configuration Manager 2007 Help File Update Wizard download center page and additional, future quarterly updates will also be posted to this location.

The eagle-eyed among you might notice that we did not publish a quarterly update for July 2009. This was because at this time the help file contained a lot of pre-release content for Configuration Manager 2007 SP2 that was subject to change.

To get the most recent downloadable Configuration Manager Documentation Library help, go to http://www.microsoft.com/downloads/details.aspx?FamilyID=71816b0f-de06-40e0-bce7-ad4b1e4377bb&displaylang=en.

For more information about the Configuration Manager 2007 Help File Update Wizard, see this post: "Need the Latest Configuration Manager 2007 Help File?" at http://blogs.technet.com/configmgrteam/archive/2009/02/03/need-the-latest-configuration-manager-2007-help-file.aspx .

Please contact smsdocs@microsoft.com if you have any questions or comments about this downloadable update.

-- Rob Stack

This posting is provided "AS IS" with no warranties and confers no rights.

The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web and the latest content on the Web has Updated: October 1, 2009 at the top of the topic.

This month's updates contain new content for Configuration Manager 2007 SP2 and some updates to existing documentation. It also includes a list of changes in the documentation since April 2009 (see What's New in the Configuration Manager Documentation Library for October 2009).

We do value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement. So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com. 

What's New in the Configuration Manager Documentation Library for October 2009

The following information lists the topics that contain significant changes since the August 2009 update.

Configuration Manager 2007 SP1 Supported Configurations

- Updated to include Windows Server 2008 R2 and Windows 7.

Supported Operating Systems and Hard Disk Configurations for Operating System Deployment

- Updated with information about the operating systems that are not supported and those which can be deployed only by first capturing a Windows installation image (.wim) file using an image capture task sequence.

Supported Mobile Devices

- Updated to remove information about supported mobile device client operating systems so that it is now exclusively in supported configuration topics (Configuration Manager 2007 Supported Configurations). This means that customers have a consistent place to find supported version information and it reduces the risk of inconsistent information between topics.

About Heartbeat Discovery

- Updated to remove the incorrect information "Although you can configure Heartbeat Discovery to update client DDRs as frequently as you want, if you configure it to run less than once every 25 hours (the default client refresh cycle) the updated DDR will be reported no less than once every 25 hours". This restriction applied to an earlier version of the product and does not apply to Configuration Manager.

About the Site Repair Wizard and How to Back Up a Secondary Site

- Updated with the information that the Site Repair Wizard should not be used to recover a secondary site. The Product Group has confirmed that the recovery procedure doesn't work for secondary sites and will not be supported. If you need to recover a secondary site, reinstall it and secondary site configuration from the primary site will be replicated to it automatically when installation is complete. Because restoring a secondary site is not supported with the product, there is no point in backing up a secondary site by using the Backup Secondary Site Server maintenance task. To help avoid confusion, we have removed the procedural information in How to Back Up a Secondary Site.

-- The Configuration Manager Writing Team

This posting is provided "AS IS" with no warranties and confers no rights.

We released Service Pack 2 for Configuration Manager 2007 yesterday.  See the release announcement by Jeff Wettlaufer here. 

 SP2 provides:

• Windows 7 and Windows Server 2008 R2 support that enables customers to deploy and manage their Windows 7 client and server based systems.
• New options for Out of Band Management that includes the addition of updated firmware support along with support for key new features such as wireless profile management and 802.1X.
• Branch Cache support that enables customers to significantly reduce WAN utilization in branch office scenarios by leveraging new technology in Windows Server 2008 R2.
• Greater 64-bit support that includes Remote Control, App-V, and the 2007 OpsMgr agent.

For a full list of what is included in SP2 see the What's New in Configuration Manager 2007 SP2 topic in our documentation library.  The service pack can be downloaded here.  A 180 day evaluation version of the service pack can be downloaded here.

We'd like to thank all our customers who participated in our beta program and provided feedback to us.

--Michael Cureton

This posting is provided "AS IS" with no warranties and confers no rights.