System Center 2012 Configuration Manager
Documentation Library
Microsoft Corporation
Published: May 23, 2012
Copyright
This document is provided "as-is". Information and views expressed in this document, including
URL and other Internet Web site references, may change without notice.
Some examples depicted herein are provided for illustration only and are fictitious. No real
association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.
You may modify this document for your internal, reference purposes.
© 2012 Microsoft Corporation. All rights reserved.
Microsoft, Access, Active Directory, ActiveSync, ActiveX, Authenticode, Bing, BitLocker, Excel,
Forefront, Hyper-V, Internet Explorer, JScript, Microsoft Press, MSDN, Outlook, SharePoint,
Silverlight, SoftGrid, SQL Server, Visio, Visual Basic, Visual C++, Visual Studio, Win32, Windows,
Windows Intune, Windows Mobile, Windows PowerShell, Windows Server,
Windows Server System, and Windows Vista are trademarks of the Microsoft group of
companies. All other trademarks are property of their respective owners.
Contents
System Center 2012 Configuration Manager ................................................................................ 19
Getting Started with System Center 2012 Configuration Manager............................................ 21
Introduction to Configuration Manager ................................................................................... 22
What’s New in Configuration Manager ................................................................................... 35
What’s New in the Documentation for Configuration Manager .............................................. 69
Fundamentals of Configuration Manager ............................................................................... 75
Supported Configurations for Configuration Manager ............................................................ 84
Frequently Asked Questions for Configuration Manager...................................................... 127
Information and Support for Configuration Manager ............................................................ 150
Site Administration for System Center 2012 Configuration Manager ...................................... 153
Introduction to Site Administration in Configuration Manager .............................................. 153
Planning for Configuration Manager Sites and Hierarchy .................................................... 157
Supported Configurations for Configuration Manager .......................................................... 158
Planning for Hardware Configurations for Configuration Manager ............................................. 201
PKI Certificate Requirements for Configuration Manager ........................................................... 205
Identify Your Network and Business Requirements to Plan a Configuration Manager Hierarchy ...... 221
Determine Whether to Migrate Configuration Manager 2007 Data to System Center 2012 Configuration Manager ...... 244
Determine Whether to Extend the Active Directory Schema for Configuration Manager ........... 245
Planning for Sites and Hierarchies in Configuration Manager .................................................... 250
Planning for Publishing of Site Data to Active Directory Domain Services ................................. 265
Planning for Discovery in Configuration Manager ....................................................................... 266
Planning for Client Settings in Configuration Manager................................................................ 292
Planning for Site Systems in Configuration Manager.................................................................. 293
Planning for Content Management in Configuration Manager .................................................... 314
Planning for Boundaries and Boundary Groups in Configuration Manager ................................ 325
Planning for Security in Configuration Manager.......................................................................... 328
Planning for Communications in Configuration Manager............................................................ 342
Planning for Site Operations in Configuration Manager.............................................................. 371
Planning for High Availability with Configuration Manager.......................................................... 392
Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager................ 402
Configuring Sites and Hierarchies in Configuration Manager ..................................................... 411
Prepare the Windows Environment for Configuration Manager.................................................. 412
Install Sites and Create a Hierarchy for Configuration Manager................................................. 420
Configure Sites and the Hierarchy in Configuration Manager..................................................... 476
Configuring Security for Configuration Manager ......................................................................... 477
Configuring Discovery in Configuration Manager........................................................................ 488
Configuring Sites to Publish to Active Directory Domain Services.............................................. 500
Configuring Settings for Client Management in Configuration Manager..................................... 501
Configuring Distribution Point Groups in Configuration Manager ............................................... 510
Configuring Boundaries and Boundary Groups in Configuration Manager ................................. 512
Configuring Alerts in Configuration Manager .............................................................................. 517
Configuring Site Components in Configuration Manager............................................................ 518
Install and Configure Site System Roles for Configuration Manager.......................................... 527
Configure Database Replicas for Management Points ............................................................... 538
Migrate Data from Configuration Manager 2007 to Configuration Manager ............................... 549
Operations and Maintenance for Site Administration In Configuration Manager ........................ 550
Manage Site and Hierarchy Configurations................................................................................. 550
Configure the Status System for Configuration Manager............................................................ 564
Configure Maintenance Tasks for Configuration Manager Sites................................................. 567
Monitor Configuration Manager Sites and Hierarchy .................................................................. 569
Backup and Recovery in Configuration Manager........................................................................ 578
Reporting in Configuration Manager............................................................................................ 608
Introduction to Reporting in Configuration Manager.................................................................... 609
Planning for Reporting in Configuration Manager ....................................................................... 614
Prerequisites for Reporting in Configuration Manager ................................................................ 617
Best Practices for Reporting........................................................................................................ 618
Configuring Reporting in Configuration Manager ........................................................................ 619
Operations and Maintenance for Reporting in Configuration Manager....................................... 628
Creating Custom Report Models in SQL Server Reporting Services.......................................... 638
Security and Privacy for Reporting in Configuration Manager .................................................... 653
Technical Reference for Reporting in Configuration Manager .................................................... 653
Security and Privacy for Site Administration in Configuration Manager...................................... 654
Technical Reference for Site Administration in Configuration Manager...................................... 674
Technical Reference for Site Communications in Configuration Manager.................................. 675
Technical Reference for Ports Used in Configuration Manager.................................................. 677
Technical Reference for Log Files in Configuration Manager ..................................................... 694
Technical Reference for Accounts Used in Configuration Manager ........................................... 734
Technical Reference for Cryptographic Controls Used in Configuration Manager ..................... 752
Technical Reference for Language Packs in Configuration Manager......................................... 761
Technical Reference for Unicode and ASCII Support in Configuration Manager ....................... 763
Technical Reference for the Hierarchy Maintenance Tool (Preinst.exe) in Configuration Manager ...... 766
Technical Reference for the Prerequisite Checker in Configuration Manager............................ 770
Technical Reference for International Support in Configuration Manager .................................. 784
Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority ...... 785
Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager... 802
Introduction to Migration in System Center 2012 Configuration Manager .................................. 803
Planning for Migration to System Center 2012 Configuration Manager...................................... 807
Prerequisites for Migration in System Center 2012 Configuration Manager ............................... 808
Administrator Checklists for Migration Planning in System Center 2012 Configuration Manager ...... 810
Determine Whether to Migrate Configuration Manager 2007 to System Center 2012 Configuration Manager ...... 815
Planning for Source Hierarchies in System Center 2012 Configuration Manager ...................... 817
Planning for Migration Jobs in System Center 2012 Configuration Manager ............................. 821
Planning for Client Migration to System Center 2012 Configuration Manager ........................... 829
Planning for Content Deployment During Migration to System Center 2012 Configuration Manager ...... 831
Planning for the Migration of Configuration Manager 2007 Objects to System Center 2012 Configuration Manager ...... 838
Planning to Monitor Migration Activity in System Center 2012 Configuration Manager.............. 846
Planning to Complete Migration to System Center 2012 Configuration Manager ...................... 846
Configuring Migration to System Center 2012 Configuration Manager....................................... 848
Operations for Migrating Configuration Manager 2007 to System Center 2012 Configuration Manager ...... 850
Security and Privacy for Migration to System Center 2012 Configuration Manager................... 855
Deploying Clients for System Center 2012 Configuration Manager............................................ 856
Introduction to Client Deployment in Configuration Manager...................................................... 857
Planning for Client Deployment in Configuration Manager ......................................................... 864
Prerequisites for Client Deployment in Configuration Manager .................................................. 865
Best Practices for Client Deployment in Configuration Manager ................................................ 875
Determine How to Manage Mobile Devices in Configuration Manager....................................... 877
Determine the Site System Roles for Client Deployment in Configuration Manager .................. 881
Determine the Client Installation Method to Use for Computers in Configuration Manager ....... 884
Determine Whether to Block Clients in Configuration Manager.................................................. 887
Configuring Client Deployment in Configuration Manager .......................................................... 890
How to Configure Client Communication Port Numbers in Configuration Manager ................... 890
How to Configure Client Computers to Find Management Points by using DNS Publishing in Configuration Manager ...... 892
How to Prevent the Client Software from Installing on Specific Computers in Configuration Manager ...... 894
How to Configure Client Settings in Configuration Manager....................................................... 895
How to Install Clients on Computers in Configuration Manager.................................................. 897
How to Assign Clients to a Site in Configuration Manager.......................................................... 911
How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager .... 918
How to Configure Client Status in Configuration Manager.......................................................... 926
Operations and Maintenance for Client Deployment in Configuration Manager......................... 929
How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager ...... 929
How to Manage Clients in Configuration Manager...................................................................... 932
How to Monitor Clients in Configuration Manager....................................................................... 946
Security and Privacy for Clients in Configuration Manager......................................................... 948
Technical Reference for Client Deployment in Configuration Manager ...................................... 958
About Client Settings in Configuration Manager ......................................................................... 958
About Client Installation Properties in Configuration Manager.................................................... 982
About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager ...... 1001
Administrator Checklist: Deploying Clients in Configuration Manager ...................................... 1004
Windows Firewall and Port Settings for Client Computers in Configuration Manager.............. 1006
Deploying Software and Operating Systems in System Center 2012 Configuration Manager. 1012
Content Management in Configuration Manager ...................................................................... 1013
Introduction to Content Management in Configuration Manager .............................................. 1013
Planning for Content Management in Configuration Manager .................................................. 1019
Prerequisites for Content Management in Configuration Manager ........................................... 1030
Best Practices for Content Management in Configuration Manager ......................................... 1032
Configuring Content Management in Configuration Manager................................................... 1033
Operations and Maintenance for Content Management in Configuration Manager.................. 1049
How to Prestage Content to Distribution Points Located on a Site Server ............................... 1064
Security and Privacy for Content Management in Configuration Manager ............................... 1065
Technical Reference for Content Management in Configuration Manager ............................... 1068
Application Management in Configuration Manager ................................................................. 1069
Introduction to Application Management in Configuration Manager ......................................... 1069
Planning for Application Management in Configuration Manager............................................. 1079
Prerequisites for Application Management in Configuration Manager ...................................... 1080
Best Practices for Application Management in Configuration Manager .................................... 1085
Configuring the Application Catalog and Software Center in Configuration Manager .............. 1085
Operations and Maintenance for Application Management in Configuration Manager............. 1092
How to Create Applications in Configuration Manager.............................................................. 1092
How to Create Deployment Types in Configuration Manager................................................... 1097
How to Deploy Applications in Configuration Manager ............................................................. 1108
How to Simulate an Application Deployment in Configuration Manager................................... 1112
How to Manage Applications and Deployment Types in Configuration Manager ..................... 1113
How to Manage Application Revisions in Configuration Manager ............................................ 1118
How to Use Application Supersedence in Configuration Manager ........................................... 1119
How to Uninstall Applications in Configuration Manager .......................................................... 1121
How to Monitor Applications in Configuration Manager ............................................................ 1122
How to Manage User Device Affinity in Configuration Manager ............................................... 1124
How to Create Global Conditions in Configuration Manager .................................................... 1128
Packages and Programs in Configuration Manager.................................................................. 1137
How to Create Packages and Programs in Configuration Manager ......................................... 1138
How to Deploy Packages and Programs in Configuration Manager ......................................... 1147
How to Monitor Packages and Programs in Configuration Manager ........................................ 1150
How to Manage Packages and Programs in Configuration Manager ....................................... 1150
Security and Privacy for Application Management in Configuration Manager .......................... 1152
Technical Reference for Application Management in Configuration Manager.......................... 1157
Example Scenario for Application Management in Configuration Manager.............................. 1158
Software Updates in Configuration Manager ............................................................................ 1167
Introduction to Software Updates in Configuration Manager .................................................... 1167
Planning for Software Updates in Configuration Manager ........................................................ 1184
Prerequisites for Software Updates in Configuration Manager ................................................. 1197
Best Practices for Software Updates in Configuration Manager ............................................... 1202
Configuring Software Updates in Configuration Manager......................................................... 1203
How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster .... 1245
How to Determine the Port Settings Used by WSUS................................................................ 1251
How to Enable CRL Checking for Software Updates................................................................ 1252
Operations and Maintenance for Software Updates in Configuration Manager........................ 1252
Security and Privacy for Software Updates in Configuration Manager ..................................... 1282
Technical Reference for Software Updates in Configuration Manager ..................................... 1287
Technical Reference for the Icons Used for Software Updates ................................................ 1287
Example Scenario for Deploying Software Updates ................................................................. 1291
Operating System Deployment in Configuration Manager........................................................ 1296
Introduction to Operating System Deployment in Configuration Manager ................................ 1297
Planning How to Deploy Operating Systems in Configuration Manager................................... 1305
Prerequisites For Deploying Operating Systems in Configuration Manager............................. 1306
Supported Operating Systems and Hard Disk Configurations for Operating System Deployment ...... 1312
Determine the Operating System Deployment Method to Use in Configuration Manager........ 1314
Planning Site System Roles for Operating System Deployments in Configuration Manager ... 1317
Planning for Deploying Operating System Images in Configuration Manager.......................... 1320
Planning for Capturing Operating System Images in Configuration Manager .......................... 1323
Planning for Boot Image Deployments in Configuration Manager ............................................ 1328
Planning a Device Driver Strategy in Configuration Manager................................................... 1331
Planning for PXE-Initiated Operating System Deployments in Configuration Manager............ 1333
Planning a Multicast Strategy in Configuration Manager .......................................................... 1336
Planning for Media Operating System Deployments in Configuration Manager....................... 1338
Planning a Task Sequences Strategy in Configuration Manager.............................................. 1341
Planning for Operating System Deployments in a NAP-Enabled Environment ........................ 1355
Configuring Configuration Manager for Operating System Deployments ................................. 1357
How to Manage Operating System Images and Installers in Configuration Manager .............. 1357
How to Manage Boot Images in Configuration Manager .......................................................... 1360
How to Manage the Driver Catalog in Configuration Manager.................................................. 1366
How to Manage Task Sequences in Configuration Manager.................................................... 1373
How to Manage the User State in Configuration Manager........................................................ 1392
How to Manage Unknown Computer Deployments in Configuration Manager......................... 1399
How to Associate Users with a Destination Computer.............................................................. 1401
How to Manage Multicast in Configuration Manager................................................................. 1404
Operations and Maintenance for Deploying Operating Systems in Configuration Manager .... 1406
How to Deploy Operating Systems in Configuration Manager.................................................. 1407
How to Deploy Operating Systems by Using Media in Configuration Manager........................ 1412
How to Deploy Operating Systems by Using PXE in Configuration Manager .......................... 1423
How to Deploy Operating Systems to Offline Computers in Configuration Manager................ 1427
Security and Privacy for Deploying Operating Systems in Configuration Manager .................. 1427
Technical Reference for Deploying Operating Systems in Configuration Manager.................. 1435
Example Scenario for PXE-Initiated Operating System Deployment........................................ 1435
Task Sequence Variables in Configuration Manager................................................................ 1438
Task Sequence Action Variables in Configuration Manager..................................................... 1439
Task Sequence Built-in Variables in Configuration Manager.................................................... 1465
Task Sequence Steps in Configuration Manager...................................................................... 1472
Task Sequence Scenarios in Configuration Manager............................................................... 1515
Assets and Compliance in System Center 2012 Configuration Manager ................................. 1525
Collections in Configuration Manager ....................................................................................... 1526
Introduction to Collections in Configuration Manager................................................................ 1527
Planning for Collections in Configuration Manager ................................................................... 1531
Prerequisites for Collections in Configuration Manager ............................................................ 1531
Best Practices for Collections in Configuration Manager .......................................................... 1532
Operations and Maintenance for Collections in Configuration Manager................................... 1533
How to Create Collections in Configuration Manager ............................................................... 1533
How to Manage Collections in Configuration Manager ............................................................. 1541
How to Use Maintenance Windows in Configuration Manager ................................................. 1549
Security and Privacy for Collections in Configuration Manager ................................................ 1551
Technical Reference for Collections in Configuration Manager ................................................ 1552
Queries in Configuration Manager............................................................................................. 1552
Introduction to Queries in Configuration Manager..................................................................... 1552
Operations and Maintenance for Queries in Configuration Manager........................................ 1553
How to Create Queries in Configuration Manager .................................................................... 1554
How to Manage Queries in Configuration Manager .................................................................. 1556
Security and Privacy for Queries in Configuration Manager ..................................................... 1557
Technical Reference for Queries in Configuration Manager ..................................................... 1558
Inventory in Configuration Manager .......................................................................................... 1558
Hardware Inventory in Configuration Manager.......................................................................... 1559
Introduction to Hardware Inventory in Configuration Manager.................................................. 1560
Planning for Hardware Inventory in Configuration Manager ..................................................... 1562
Prerequisites for Hardware Inventory in Configuration Manager .............................................. 1562
Best Practices for Hardware Inventory in Configuration Manager ............................................ 1563
Configuring Hardware Inventory in Configuration Manager ...................................................... 1563
How to Configure Hardware Inventory in Configuration Manager............................................. 1563
How to Extend Hardware Inventory in Configuration Manager ................................................. 1564
Operations and Maintenance for Hardware Inventory in Configuration Manager..................... 1570
How to Use Resource Explorer to View Hardware Inventory in Configuration Manager .......... 1570
Security and Privacy for Hardware Inventory in Configuration Manager .................................. 1571
Technical Reference for Hardware Inventory in Configuration Manager .................................. 1573
Software Inventory in Configuration Manager ........................................................................... 1574
Introduction to Software Inventory in Configuration Manager ................................................... 1574
Planning for Software Inventory in Configuration Manager....................................................... 1575
Prerequisites for Software Inventory ......................................................................................... 1576
Configuring Software Inventory in Configuration Manager........................................................ 1576
How to Configure Software Inventory in Configuration Manager .............................................. 1577
How to Exclude Folders from Software Inventory in Configuration Manager............................ 1578
Operations and Maintenance for Software Inventory in Configuration Manager ...................... 1578
How to Use Resource Explorer to View Software Inventory in Configuration Manager ........... 1579
Security and Privacy for Software Inventory in Configuration Manager.................................... 1580
Technical Reference for Software Inventory in Configuration Manager.................................... 1582
Asset Intelligence in Configuration Manager............................................................................. 1582
Introduction to Asset Intelligence in Configuration Manager..................................................... 1582
Prerequisites for Asset Intelligence in Configuration Manager ................................................. 1593
Configuring Asset Intelligence in Configuration Manager ......................................................... 1597
Operations for Asset Intelligence in Configuration Manager..................................................... 1608
Security and Privacy for Asset Intelligence in Configuration Manager...................................... 1618
Technical Reference for Asset Intelligence in Configuration Manager ..................................... 1620
Example Validation State Transitions for Asset Intelligence ..................................................... 1620
Example Asset Intelligence General License Import File.......................................................... 1624
Power Management in Configuration Manager......................................................................... 1626
Introduction to Power Management in Configuration Manager................................................. 1627
Planning for Power Management in Configuration Manager .................................................... 1628
Prerequisites for Power Management in Configuration Manager ............................................. 1629
Best Practices for Power Management in Configuration Manager ........................................... 1630
Administrator Checklist for Power Management in Configuration Manager ............................. 1632
Configuring Power Management in Configuration Manager ..................................................... 1637
Operations and Maintenance for Power Management in Configuration Manager .................... 1639
How to Monitor and Plan for Power Management in Configuration Manager........................... 1639
How to Create and Apply Power Plans in Configuration Manager............................................ 1667
Security and Privacy for Power Management in Configuration Manager.................................. 1674
Technical Reference for Power Management in Configuration Manager ................................. 1675
Remote Control in Configuration Manager................................................................................ 1675
Introduction to Remote Control in Configuration Manager........................................................ 1676
Planning for Remote Control in Configuration Manager ........................................................... 1677
Prerequisites for Remote Control in Configuration Manager .................................................... 1678
Configuring Remote Control in Configuration Manager ............................................................ 1680
Operations and Maintenance for Remote Control in Configuration Manager ........................... 1682
How to Remotely Administer a Client Computer by Using Configuration Manager .................. 1682
How to Audit Remote Control Usage in Configuration Manager............................................... 1684
Security and Privacy for Remote Control in Configuration Manager......................................... 1685
Technical Reference for Remote Control in Configuration Manager ........................................ 1688
Keyboard Shortcuts for the Remote Control Viewer in Configuration Manager........................ 1689
Software Metering in Configuration Manager............................................................................ 1689
Introduction to Software Metering in Configuration Manager.................................................... 1690
Planning for Software Metering in Configuration Manager........................................................ 1691
Prerequisites for Software Metering in Configuration Manager ................................................ 1691
Configuring Software Metering in Configuration Manager ........................................................ 1692
How to Configure Software Metering in Configuration Manager............................................... 1692
Operations and Maintenance for Software Metering in Configuration Manager ....................... 1693
How to Create Software Metering Rules in Configuration Manager ......................................... 1694
How to Configure Automatic Software Metering Rule Generation in Configuration Manager .. 1695
How to Manage Software Metering Rules in Configuration Manager ....................................... 1696
How to Monitor Software Metering in Configuration Manager .................................................. 1697
Security and Privacy for Software Metering in Configuration Manager..................................... 1698
Technical Reference for Software Metering in Configuration Manager .................................... 1699
Example Scenario for Software Metering in Configuration Manager ........................................ 1699
Maintenance Tasks for Software Metering in Configuration Manager ...................................... 1701
Out of Band Management in Configuration Manager................................................................ 1703
Introduction to Out of Band Management in Configuration Manager........................................ 1703
Planning for Out of Band Management in Configuration Manager ........................................... 1709
Prerequisites for Out of Band Management in Configuration Manager .................................... 1710
Best Practices for Out of Band Management in Configuration Manager .................................. 1716
Determine Whether to Use a Customized Firmware Image From Your Computer Manufacturer ............ 1718
Configuring Out of Band Management in Configuration Manager ............................................ 1719
Administrator Checklist: Out of Band Management in Configuration Manager......................... 1719
How to Provision and Configure AMT-Based Computers in Configuration Manager ............... 1720
How to Manage AMT Provisioning Information in Configuration Manager ............................... 1732
Operations and Maintenance for Out of Band Management in Configuration Manager ........... 1735
How to Manage AMT-based Computers Out of Band in Configuration Manager..................... 1736
How to Manage the Audit Log for AMT-Based Computers in Configuration Manager ............. 1743
How to Monitor Out of Band Management in Configuration Manager ...................................... 1745
Security and Privacy for Out of Band Management in Configuration Manager ........................ 1747
Technical Reference for Out of Band Management in Configuration Manager ........................ 1754
About the AMT Status and Out of Band Management in Configuration Manager .................... 1754
Example Scenario for Implementing Out of Band Management in Configuration Manager ..... 1757
Example Scenarios for Using Out of Band Management in Configuration Manager ................ 1764
AMT Provisioning Process for Out of Band Management in Configuration Manager ............... 1771
Compliance Settings in Configuration Manager ........................................................................ 1773
Introduction to Compliance Settings in Configuration Manager ................................................ 1774
Planning for Compliance Settings in Configuration Manager.................................................... 1777
Prerequisites for Compliance Settings in Configuration Manager............................................. 1777
Configuring Compliance Settings in Configuration Manager .................................................... 1779
Operations and Maintenance for Compliance Settings in Configuration Manager ................... 1780
How to Create Windows Configuration Items for Compliance Settings in Configuration Manager ........ 1781
How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager .. 1798
How to Create Configuration Baselines for Compliance Settings in Configuration Manager ... 1800
How to Create Child Configuration Items in Configuration Manager ........................................ 1801
How to Deploy Configuration Baselines in Configuration Manager .......................................... 1802
How to Manage Configuration Baselines for Compliance Settings in Configuration Manager . 1804
How to Manage Configuration Items for Compliance Settings in Configuration Manager ........ 1806
How to Monitor for Compliance Settings in Configuration Manager ......................................... 1808
How to Import Configuration Data in Configuration Manager ................................................... 1811
Security and Privacy for Compliance Settings in Configuration Manager................................. 1813
Technical Reference for Compliance Settings in Configuration Manager................................. 1814
Example Scenario for Compliance Settings in Configuration Manager .................................... 1815
Endpoint Protection in Configuration Manager.......................................................................... 1820
Introduction to Endpoint Protection in Configuration Manager.................................................. 1820
Planning for Endpoint Protection in Configuration Manager ..................................................... 1822
Prerequisites for Endpoint Protection in Configuration Manager .............................................. 1823
Best Practices for Endpoint Protection in Configuration Manager ............................................ 1827
Administrator Workflow for Endpoint Protection in Configuration Manager .............................. 1827
Configuring Endpoint Protection in Configuration Manager ...................................................... 1828
How to Configure Endpoint Protection in Configuration Manager............................................. 1829
How to Configure Alerts for Endpoint Protection in Configuration Manager ............................. 1835
Operations and Maintenance for Endpoint Protection in Configuration Manager..................... 1840
How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager ..... 1841
How to Create and Deploy Windows Firewall Policies for Endpoint Protection in Configuration Manager 1846
How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager 1848
How to Monitor Endpoint Protection in Configuration Manager ................................................ 1851
Security and Privacy for Endpoint Protection in Configuration Manager .................................. 1853
Technical Reference for Endpoint Protection in Configuration Manager .................................. 1854
Security and Privacy for System Center 2012 Configuration Manager..................................... 1854
Planning for Security in Configuration Manager........................................................................ 1856
Configuring Security for Configuration Manager ....................................................................... 1870
Microsoft System Center 2012 Configuration Manager Privacy Statement.............................. 1880
Microsoft System Center 2012 Configuration Manager Privacy Statement - Mobile Device Addendum ...... 1889
Security Best Practices and Privacy Information for Configuration Manager ........................... 1889
Security and Privacy for Site Administration in Configuration Manager.................................... 1890
Security and Privacy for Reporting in Configuration Manager .................................................. 1911
Security and Privacy for Migration to System Center 2012 Configuration Manager................. 1911
Security and Privacy for Clients in Configuration Manager....................................................... 1913
Security and Privacy for Content Management in Configuration Manager ............................... 1923
Security and Privacy for Application Management in Configuration Manager .......................... 1926
Security and Privacy for Software Updates in Configuration Manager ..................................... 1932
Security and Privacy for Deploying Operating Systems in Configuration Manager .................. 1937
Security and Privacy for Collections in Configuration Manager ................................................ 1944
Security and Privacy for Queries in Configuration Manager ..................................................... 1945
Security and Privacy for Hardware Inventory in Configuration Manager .................................. 1946
Security and Privacy for Software Inventory in Configuration Manager.................................... 1948
Security and Privacy for Asset Intelligence in Configuration Manager...................................... 1950
Security and Privacy for Power Management in Configuration Manager.................................. 1951
Security and Privacy for Remote Control in Configuration Manager......................................... 1952
Security and Privacy for Software Metering in Configuration Manager..................................... 1955
Security and Privacy for Out of Band Management in Configuration Manager ........................ 1956
Security and Privacy for Compliance Settings in Configuration Manager................................. 1963
Security and Privacy for Endpoint Protection in Configuration Manager .................................. 1964
Technical Reference for Cryptographic Controls Used in Configuration Manager ................... 1966
Technical Reference for Ports Used in Configuration Manager................................................ 1975
Technical Reference for Accounts Used in Configuration Manager ......................................... 1992
Glossary for Microsoft System Center 2012 Configuration Manager........................................ 2010
The Configuration Manager Console ........................................................................................ 2023
The Assets and Compliance Workspace .................................................................................. 2023
The Software Library Workspace .............................................................................................. 2025
The Monitoring Workspace........................................................................................................ 2027
The Administration Workspace.................................................................................................. 2029
Accessibility for People with Disabilities.................................................................................... 2031
Accessibility Features of Configuration Manager ...................................................................... 2032
Accessibility Features of Configuration Manager Help.............................................................. 2033
Accessibility Products and Services from Microsoft.................................................................. 2035
Technical Reference for Configuration Manager....................................................................... 2037
Creating and Modifying Configuration Items ............................................................................. 2038
Creating and Modifying Configuration Baselines ...................................................................... 2039
Adding and Configuring Site System Roles .............................................................................. 2039
Creating and Modifying Collections........................................................................................... 2040
Creating and Modifying Applications ......................................................................................... 2040
Deploying Software ................................................................................................................... 2041
Adding a User or User Group to Configuration Manager .......................................................... 2042
Configuring Client Settings ........................................................................................................ 2042
Creating and Modifying Automatic Deployment Rules.............................................................. 2043
Creating and Modifying Migration Jobs ..................................................................................... 2044
Creating and Editing Task Sequences ...................................................................................... 2044
System Center 2012 Configuration Manager
Updated: May 23, 2012
Welcome to Microsoft System Center 2012 Configuration Manager. Use Configuration Manager
to provide more effective IT services by enabling secure and scalable software deployment,
compliance settings management, and comprehensive asset management of servers, desktops,
and mobile devices.
For in-depth information about how System Center 2012 Configuration Manager can help you
manage your IT infrastructure, see the following guides:
 Getting Started with System Center 2012 Configuration Manager
 Site Administration for System Center 2012 Configuration Manager
 Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager
 Deploying Clients for System Center 2012 Configuration Manager
 Deploying Software and Operating Systems in System Center 2012 Configuration Manager
 Assets and Compliance in System Center 2012 Configuration Manager
 Security and Privacy for System Center 2012 Configuration Manager
Release Notes
The release notes are published online. See the Configuration Manager 2012 Release Notes on
TechNet.
Search the Configuration Manager Documentation Library
Find information online from the Documentation Library for System Center 2012
Configuration Manager.
This customized Bing search query scopes your search so that you see results from the
Documentation Library for System Center 2012 Configuration Manager only. It uses the search
text Configuration Manager, which you can replace in the search bar with your own search
string or strings, and choice of search operators, to help you narrow the search results.
Example Searches
Use the Find information online link and customize the search by using the following examples.
 Single search string: To search for topics that contain the search string Endpoint Protection,
replace Configuration Manager with Endpoint Protection:
("Endpoint Protection") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)
 Combining search strings: To search for topics that contain both the search strings Endpoint
Protection and monitoring, use the AND operator:
("Endpoint Protection") AND ("monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)
 Alternative search strings: To search for topics that contain either the search string Endpoint
Protection or monitoring, use the OR operator:
("Endpoint Protection" OR "monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)
 Exclude search strings: To search for topics that contain the search string Endpoint
Protection and exclude topics about monitoring, use the NOT operator:
("Endpoint Protection") NOT ("monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)
Search Tips
Use the following search tips to help you find the information that you need:
 When you search on a page in TechNet (for example, press Ctrl+F, and enter search terms
in the Find box), the results exclude text that is in collapsed sections. If you are using
TechNet in Classic view, click Expand All at the top of the page, before the topic title, before
you search on the page. By default, you must first click Collapse All, and then you can
click Expand All. With all sections expanded, a search on the page then covers all
sections on that page. If you are using TechNet in Lightweight view, the Expand All option is
not available and you must manually expand each collapsed section before a search on the
page finds text in it.
Tip: To change from TechNet Lightweight view (the default) to Classic view, click the
Preferences icon at the top right-hand side of the page, click Classic, and then click OK.
 To search a topic in the help file, press F1, and enter search terms in the Find dialog box.
The help file does not support the Expand All option, so you must manually expand each
collapsed section before a search on the page finds text in it.
 Whenever possible, use the TechNet online library rather than downloaded documentation.
TechNet contains the most up-to-date information and the information that you are searching
for might not be in the downloaded documentation or there might be corrections or additional
information online.
Copyright Information
This document is provided "as-is". Information and views expressed in this document, including
URL and other Internet Web site references, may change without notice.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.
You may modify this document for your internal, reference purposes.
© 2011 Microsoft Corporation. All rights reserved.
Microsoft, Access, Active Directory, ActiveSync, ActiveX, Authenticode, Bing, BitLocker, Excel,
Forefront, Hyper-V, Internet Explorer, JScript, Microsoft Press, MSDN, Outlook, SharePoint,
Silverlight, SoftGrid, SQL Server, Visio, Visual Basic, Visual C++, Visual Studio, Win32, Windows,
Windows Intune, Windows Mobile, Windows PowerShell, Windows Server,
Windows Server System, and Windows Vista are trademarks of the Microsoft group of
companies. All other trademarks are property of their respective owners.
Getting Started with System Center 2012 Configuration Manager
Getting Started Topics
Use the following topics to help you get started with Microsoft System Center 2012
Configuration Manager:
 Introduction to Configuration Manager
 What’s New in Configuration Manager
 What’s New in the Documentation for Configuration Manager
 Fundamentals of Configuration Manager
 Frequently Asked Questions for Configuration Manager
 Supported Configurations for Configuration Manager
 Information and Support for Configuration Manager
Other Resources for this Product
 TechNet Library main page for System Center 2012 Configuration Manager
 Documentation Library for System Center 2012 Configuration Manager
Introduction to Configuration Manager
A member of the Microsoft System Center suite of management solutions, System Center 2012
Configuration Manager increases IT productivity and efficiency by reducing manual tasks and
enabling you to focus on high-value projects, maximize hardware and software investments, and
empower end-user productivity by providing the right software at the right time. Configuration
Manager helps you to provide more effective IT services by enabling secure and scalable
software deployment, compliance settings management, and comprehensive asset management
of servers, desktops, laptops, and mobile devices.
Configuration Manager extends and works alongside your existing Microsoft technologies and
solutions. For example:
 Configuration Manager uses Active Directory Domain Services for security, service location,
configuration, and to discover the users and devices that you want to manage.
 Configuration Manager uses Microsoft SQL Server as a distributed change management
database and integrates with SQL Server Reporting Services (SSRS) to produce reports to
monitor and track the management activities.
 Many of the Configuration Manager site system roles that provide management functionality
use the web services of Internet Information Services (IIS).
 Background Intelligent Transfer Service (BITS) and BranchCache can be used to help
manage the available network bandwidth.
In addition, Configuration Manager can integrate with Windows Server Update Services (WSUS),
Network Access Protection (NAP), Certificate Services, Exchange Server, Group Policy, the DNS
Server role, the Windows Automated Installation Kit (Windows AIK) and the User State Migration
Tool (USMT), Windows Deployment Services (WDS), Remote Desktop, and Remote Assistance.
To be successful with Configuration Manager, you must first thoroughly plan and test the
management features before you use Configuration Manager in a production environment. As a
powerful management application, Configuration Manager has the potential to affect every
computer in your organization. When you deploy and manage Configuration Manager with careful
planning and consideration of your business requirements, Configuration Manager can reduce
your administrative overhead and total cost of ownership.
Use the following sections to learn more about Configuration Manager:
 Configuration Manager Management Capabilities
 The Configuration Manager Console
 The Application Catalog and Software Center
 Configuration Manager Properties (Client)
 Example Scenarios for Configuration Manager
 Example Scenario: Empower Users by Ensuring Access to Applications from Any Device
 Example Scenario: Unify Compliance Management for Devices
 Example Scenario: Simplify Client Management for Devices
 Next Steps
Configuration Manager Management Capabilities
The following table provides details about the primary management capabilities of Configuration
Manager. Each capability has its own prerequisites and the capabilities that you want to use
might influence the design and implementation of your Configuration Manager hierarchy. For
example, if you want to deploy software to devices in your hierarchy, you must install the
distribution point site system role.
Management capability, description, and where to find more information:
 Application management: Provides a set of tools and resources that can help you to create,
manage, deploy, and monitor applications in the enterprise. (More information: Introduction to
Application Management in Configuration Manager)
 Compliance settings: Provides a set of tools and resources that can help you to assess, track,
and remediate the configuration compliance of client devices in the enterprise. (More
information: Introduction to Compliance Settings in Configuration Manager)
 Endpoint Protection: Provides security, antimalware, and Windows Firewall management for
computers in your enterprise. (More information: Introduction to Endpoint Protection in
Configuration Manager)
 Inventory: Provides a set of tools to help identify and monitor assets:
 Hardware inventory: Collects detailed information about the hardware of devices in your
enterprise.
 Software inventory: Collects and reports information about the files that are stored on
client computers in your organization.
 Asset Intelligence: Provides tools to collect inventory data and to monitor software license
usage in your enterprise.
(More information: Introduction to Hardware Inventory in Configuration Manager, Introduction to
Software Inventory in Configuration Manager, and Introduction to Asset Intelligence in
Configuration Manager)
 Operating system deployment: Provides a tool to create operating system images. You can
then deploy these images to computers that are managed by Configuration Manager and to
unmanaged computers, by using PXE boot or bootable media such as a CD set, DVD, or USB
flash drives. (More information: Introduction to Operating System Deployment in Configuration
Manager)
 Out of band management: Integrates with Intel Active Management Technology (Intel AMT),
which lets you manage desktop and laptop computers independently from the Configuration
Manager client or the computer operating system. (More information: Introduction to Out of
Band Management in Configuration Manager)
 Power management: Provides a set of tools and resources that you can use to manage and
monitor the power consumption of client computers in the enterprise. (More information:
Introduction to Power Management in Configuration Manager)
 Queries: Provides a tool to retrieve information about resources in your hierarchy and
information about inventory data and status messages. You can then use this information for
reporting purposes or for defining collections of devices or users for software deployment and
configuration settings. (More information: Introduction to Queries in Configuration Manager)
 Remote control: Provides tools to remotely administer client computers from the
Configuration Manager console. (More information: Introduction to Remote Control in
Configuration Manager)
 Reporting: Provides a set of tools and resources that help you use the advanced reporting
capabilities of SQL Server Reporting Services from the Configuration Manager console. (More
information: Introduction to Reporting in Configuration Manager)
 Software metering: Provides tools to monitor and collect software usage data from
Configuration Manager clients. (More information: Introduction to Software Metering in
Configuration Manager)
 Software updates: Provides a set of tools and resources that can help you to manage, deploy,
and monitor software updates in the enterprise. (More information: Introduction to Software
Updates in Configuration Manager)
For more information about how to plan and install Configuration Manager to support these
management capabilities in your environment, see Introduction to Site Administration in
Configuration Manager.
The Configuration Manager Console
After you install Configuration Manager, use the Configuration Manager console to configure
sites and clients, and to run and monitor management tasks. This console is the main point of
administration and can manage multiple sites. It can also start secondary consoles that support
specific client management tasks, such as the following:
 Resource Explorer, to view hardware and software inventory information.
 Remote control, to remotely connect to a client computer to perform troubleshooting tasks.
 Out of band management, to connect to the AMT management controller on Intel AMT-based
computers and perform power management operations or troubleshooting tasks.
You can install the Configuration Manager console on additional server computers and
workstations, and restrict access and limit what administrative users can see in the console by
using Configuration Manager role-based administration.
For more information, see the Install a Configuration Manager Console section in the Install Sites
and Create a Hierarchy for Configuration Manager topic.
The Application Catalog and Software Center
The Configuration Manager Application Catalog is a website where users can browse for and
request software. To use the Application Catalog, you must install the Application Catalog web
service point and the Application Catalog website point for the site.
Software Center is an application that is installed when the Configuration Manager client is
installed on computers. Users run this application from the Start menu to request software and
manage the software that is deployed to them by using Configuration Manager. Software Center
lets users do the following:
 Browse for and install software from the Application Catalog.
 View their software request history.
 Configure when Configuration Manager can install software on their devices.
 Configure access settings for remote control, if an administrative user enabled remote
control.
For more information about the Application Catalog and Software Center, see the Deploying
Applications in Configuration Manager section in the Introduction to Application Management in
Configuration Manager topic.
Configuration Manager Properties (Client)
When the Configuration Manager client is installed on computers, Configuration Manager is
installed in Control Panel. Typically, you do not have to configure this application because the
client configuration is performed in the Configuration Manager console. This application helps
administrative users and the help desk troubleshoot problems with individual clients.
For more information about client deployment, see Introduction to Client Deployment in
Configuration Manager.
Example Scenarios for Configuration Manager
The following example scenarios demonstrate how a company named Trey Research uses
System Center 2012 Configuration Manager to empower users to be more productive, unify their
compliance management for devices for a more streamlined administration experience, and
simplify device management to reduce IT operating costs. In all scenarios, Adam is the main
administrator for Configuration Manager.
Example Scenario: Empower Users by Ensuring Access to Applications from Any Device
Trey Research wants to ensure that employees have access to the applications that they require
and as efficiently as possible. Adam maps these company requirements to the following
scenarios:
Requirement: New employees can work efficiently from day one.
Current client management state: When employees join the company, they must wait for applications to be installed after they first log on.
Future client management state: When employees join the company, they log on and their applications are installed and are ready to be used.

Requirement: Employees can quickly and easily request additional software that they need.
Current client management state: When employees require additional applications, they file a ticket with the help desk, and then typically wait two days for the ticket to be processed and the applications to be installed.
Future client management state: When employees require additional applications, they can request them from a website and they install immediately if there are no licensing restrictions. If there are licensing restrictions, they must first ask for approval before they can install the application. The website shows users only the applications that they are allowed to install.

Requirement: Employees can use their mobile devices at work if the devices conform to security policies that are monitored and enforced. These policies include the following:
 Strong password
 Lock after period of inactivity
 Lost or stolen mobile devices are remotely wiped
Current client management state: Employees connect their mobile devices to Exchange Server for email, but there is limited reporting to confirm that they are in compliance with the security policies in the default Exchange ActiveSync mailbox policies. The personal use of mobile devices is at risk of being prohibited unless IT can confirm adherence to policy.
Future client management state: The IT organization can report mobile device security compliance with the required settings. This confirmation allows users to continue to use their mobile device at work. Users can remotely wipe their mobile device if it is lost or stolen, and the help desk can wipe any user’s mobile device that is reported as lost or stolen. Provide mobile device enrollment within a PKI environment for additional security and control.

Requirement: Employees can be productive even if they are not at their desk.
Current client management state: When employees are not at their desk and do not have laptops, they cannot access their applications by using the kiosk computers that are available throughout the company.
Future client management state: Employees can use kiosk computers to access their applications and data.

Requirement: In most circumstances, business continuity takes precedence over installing required applications and software updates.
Current client management state: Applications and software updates that are required install during the day and often disrupt users from working because their computers slow down or restart during the installation.
Future client management state: Users can configure their working hours to prevent required software from installing while they are using their computer.
To meet the requirements, Adam uses these Configuration Manager management capabilities
and configuration options:
 Application management
 Mobile device management
He implements these by using the configuration steps in the following table.
Configuration steps: Adam ensures that the new users have user accounts in Active Directory and creates a new query-based collection in Configuration Manager for these users. He then defines user device affinity for these users by creating a file that maps the user accounts to the primary computers that they will use and imports this file into Configuration Manager. The applications that the new users require are already created in Configuration Manager, so he then deploys these applications with the purpose of Required to the collection that contains the new users.
Outcome: Because of the user device affinity information, the applications install to each user’s primary computer or computers before the user logs on. The applications are ready to use as soon as the user successfully logs on.

Configuration steps: Adam installs and configures the Application Catalog site system roles so that users can browse for applications to install. He creates application deployments with the purpose of Available, and deploys these applications to the collection that contains the new users. For the applications that have a restricted number of licenses, Adam configures these applications to require approval.
Outcome: By configuring applications as available to these users and by using the Application Catalog, users can now browse the applications that they are allowed to install and either install them immediately, or request approval and return to the Application Catalog to install them after the help desk has approved their request.

Configuration steps: Adam creates an Exchange Server connector in Configuration Manager to manage the mobile devices that connect to the company’s on-premises Exchange Server. He configures the connector with security settings that include the requirement for a strong password and to lock the mobile device after a period of inactivity. Adam identifies that some mobile devices can be enrolled by Configuration Manager for full management support, which includes installing applications and extensive settings management. For these mobile devices, he configures a certificate template for the issuing enterprise certification authority (CA). Adam then configures enrollment for mobile devices in Configuration Manager and sends an email to the users who own these mobile devices for them to click a link to start the enrollment process. After the mobile devices are enrolled by Configuration Manager, Adam uses compliance settings to configure security settings for these mobile devices. These settings include the requirement to configure a strong password and lock the mobile device after a period of inactivity.
Outcome: With these two mobile device management solutions, the IT organization can now provide reporting information about the mobile devices that are in use on the company network and their compliance with the configured security settings. Users are shown how to remotely wipe their mobile device by using the Application Catalog if their mobile device is lost or stolen. The help desk is also instructed how to remotely wipe a mobile device for users by using the Configuration Manager console. In addition, for the mobile devices that are enrolled by Configuration Manager, Adam can now deploy mobile applications to them, collect more inventory data from them, and have greater management control over these devices by being able to access more settings.

Configuration steps: Trey Research has a number of kiosk computers that are used by employees who visit the office. The employees want their applications to be available to them wherever they log on. However, Adam does not want to locally install all the applications on each computer. To accomplish this, Adam creates the required applications with two deployment types:
 A full, local install of the application with a requirement that it can only be installed on a user’s primary device.
 A virtual version of the application with the requirement that it must not be installed on the user’s primary device.
Outcome: When visiting employees log on to a kiosk computer, they see the applications that they require as icons on the desktop. When they run the application, it is streamed as a virtual application and they can be as productive as if they were sitting at their desktop.

Configuration steps: Adam lets users know that they can configure their business hours in Software Center and select options to prevent software deployment activities during this time period and whenever the computer is in presentation mode.
Outcome: Because users can control when Configuration Manager deploys software to their computers, users remain more productive during their working day.
These configuration steps and outcomes result in Trey Research successfully empowering their
employees by ensuring access to applications from any device.
Example Scenario: Unify Compliance Management for Devices
Trey Research wants a unified client management solution that ensures that their computers run
antivirus software that is automatically kept up-to-date, Windows Firewall is enabled, critical
software updates are installed, that specific registry keys are set, and that managed mobile
devices cannot install or run unsigned applications. The company also wants to extend this
protection to the Internet for laptops that move from the intranet to the Internet.
Adam maps these company requirements to the following scenarios:
Requirement: All computers run antimalware software that has up-to-date definition files and enables Windows Firewall.
Current client management state: Different computers run different antimalware solutions that are not always kept up-to-date, and although Windows Firewall is enabled by default, users sometimes disable it. Users are asked to contact the help desk if malware is detected on their computer.
Future client management state: All computers run the same antimalware solution that automatically downloads the latest definition update files and automatically re-enables Windows Firewall if users disable it. The help desk is automatically notified by email if malware is detected.

Requirement: All computers install critical software updates within the first month of release.
Current client management state: Although software updates are installed on computers, many computers do not automatically install critical software updates until two or three months after they are released, which leaves them vulnerable to attack during this time period. For the computers that do not install the critical software updates, the help desk first sends out emails asking users to install them. For computers that remain noncompliant, engineers remotely connect to these computers and manually install the missing software updates.
Future client management state: Improve the current compliance rate within the specified month to over 95% without sending emails or asking the help desk to manually install them.

Requirement: Security settings for specific applications are regularly checked and remediated if necessary.
Current client management state: Computers run complex startup scripts that rely on computer group membership to reset registry values for specific applications. Because these scripts only run at startup and some computers are left on for days, the help desk cannot check for configuration drift on a timely basis.
Future client management state: Registry values are checked and automatically remediated without relying on computer group membership or restarting the computer.

Requirement: Mobile devices cannot install or run unsafe applications.
Current client management state: Users are asked not to download and run potentially unsafe applications from the Internet, but there are no controls in place to monitor or enforce this.
Future client management state: Mobile devices that are managed by Configuration Manager automatically prevent unsigned applications from installing or running.

Requirement: Laptops that move from the intranet to the Internet must be kept secure.
Current client management state: Users who travel often cannot connect over the VPN on a daily basis, and these laptops become out of compliance with security requirements.
Future client management state: An Internet connection is all that is required for laptops to be kept in compliance with security requirements. Users do not have to log in or use the VPN.
To meet the requirements, Adam uses these Configuration Manager management capabilities
and configuration options:
 Endpoint Protection
 Software updates
 Compliance settings
 Mobile device management
 Internet-based client management
He implements these by using the configuration steps in the following table.
Configuration steps: Adam configures Endpoint Protection and enables the client setting to uninstall other antimalware solutions and enable Windows Firewall. He configures automatic deployment rules so that computers check for and install the latest definition updates on a regular basis.
Outcome: The single antimalware solution helps to protect all computers with minimal administrative overhead. Because the help desk is automatically notified by email if malware is detected, problems can be resolved quickly, which helps to prevent attacks on other computers.

Configuration steps: To help increase compliance rates, Adam uses automatic deployment rules, defines maintenance windows for servers, and investigates the advantages and disadvantages of using Wake on LAN for computers that hibernate.
Outcome: Compliance for critical software updates increases and reduces the requirement for users or the help desk to install software updates manually.

Configuration steps: Adam uses compliance settings to check for the presence of the specified applications. When the applications are detected, configuration items then check the registry values and automatically remediate them if they are out of compliance.
Outcome: By using configuration items and configuration baselines that are deployed to all computers and that check for compliance every day, separate scripts that rely on computer membership and computer restarts are no longer required.

Configuration steps: Adam uses compliance settings for enrolled mobile devices and configures the Exchange Server connector so that unsigned applications are prohibited from installing and running on mobile devices.
Outcome: By prohibiting unsigned applications, mobile devices are automatically protected from potentially harmful applications.

Configuration steps: Adam ensures that site system servers and computers have the PKI certificates that Configuration Manager requires for HTTPS connections, and then installs additional site system roles in the perimeter network that accept client connections from the Internet.
Outcome: Computers that move from the intranet to the Internet automatically continue to be managed by Configuration Manager when they have an Internet connection and do not rely on users logging on or connecting to the VPN. These computers continue to be managed for antimalware and Windows Firewall, software updates, and configuration items. As a result, compliance levels automatically increase.
These configuration steps and outcomes result in Trey Research successfully unifying their
compliance management for devices.
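The registry check and remediation in this scenario corresponds to a script-based setting in a configuration item: a discovery script runs on every baseline evaluation, and a remediation script runs when the compliance rule marks the result noncompliant. The following script is an added example, not code from the Configuration Manager documentation; the registry path, value name and expected value are constructed placeholders.

```powershell
# Added example, not from the Configuration Manager documentation. A script-based
# setting in a configuration item runs a discovery script on each evaluation and,
# when the compliance rule marks the result noncompliant, a remediation script.
# The registry location and expected value below are constructed placeholders.
param([switch]$Remediate)

$RegistryPath  = 'HKLM:\SOFTWARE\TreyResearch\ExampleApp'   # constructed placeholder
$ValueName     = 'AllowUnsignedPlugins'                      # constructed placeholder
$ExpectedValue = 0                                           # constructed: 0 = disabled

# Discovery: return the current value as a string, or 'Missing' when the key or
# value does not exist. The compliance rule in the console compares this output
# with the expected value, so a missing value is reported as drift, not ignored.
function Get-SettingState {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [string]$item.$Name
    }
    catch {
        return 'Missing'
    }
}

# Remediation: create the key if necessary and set the value to the expected
# state. Because the baseline is evaluated on a schedule, drift is corrected at
# the next evaluation rather than at the next restart.
function Set-SettingState {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# Stand-alone use (run elevated, since the path is under HKLM). In a configuration
# item, the discovery box holds only the Get-SettingState call and its output, and
# the remediation box holds only the Set-SettingState call.
$state = Get-SettingState -Path $RegistryPath -Name $ValueName
if ($state -ne [string]$ExpectedValue -and $Remediate) {
    Set-SettingState -Path $RegistryPath -Name $ValueName -Value $ExpectedValue
    $state = Get-SettingState -Path $RegistryPath -Name $ValueName
}
Write-Output $state   # discovery output that the compliance rule evaluates
```

Run without -Remediate to see what the discovery side would report; with -Remediate it also applies and re-reads the value, which is the behaviour the baseline provides automatically once the setting is configured to remediate noncompliant rules.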
Example Scenario: Simplify Client Management for Devices
Trey Research wants all new computers to automatically install their base computer image that
runs Windows 7. After these computers are installed, they must be managed and monitored for
additional software that users install. Computers that store highly confidential information require
more restrictive management policies than the other computers. For example, help desk
engineers must not connect to them remotely, BitLocker PIN entry must be used for restarts, and
only local administrators can install software.
Adam maps these company requirements to the following scenarios:
Requirement: New computers are installed with Windows 7.
Current client management state: The help desk installs and configures Windows 7 for users and then sends the computer to the respective location.
Future client management state: New computers go straight to the final destination, are plugged into the network, and they automatically install and configure Windows 7.

Requirement: Computers must be managed and monitored, which includes hardware and software inventory to help determine licensing requirements.
Current client management state: The Configuration Manager client is deployed by using automatic client push, and the help desk investigates installation failures and clients that do not send inventory data when expected. Failures are often due to installation dependencies that are not met and WMI corruption on the client.
Future client management state: Client installation and inventory data that is collected from computers is more reliable and requires less intervention from the help desk. Reports show software usage for license information.

Requirement: Some computers must have more stringent management policies.
Current client management state: Because of the more stringent management policies, these computers are not currently managed by Configuration Manager.
Future client management state: Manage these computers by using Configuration Manager without additional administrative overhead to accommodate the exceptions.
To meet the requirements, Adam uses these Configuration Manager management capabilities
and configuration options:
 Operating system deployment
 Client deployment and client status
 Compliance settings
 Client settings
 Inventory and Asset Intelligence
 Role-based administration
He implements these by using the configuration steps in the following table.
Configuration steps: Adam captures an operating system image from a computer that has Windows 7 installed and that is configured to the company specifications. He then deploys the operating system to the new computers by using unknown computer support and PXE. He also installs the Configuration Manager client as part of the operating system deployment.
Outcome: New computers are up and running more quickly without intervention from the help desk.

Configuration steps: Adam configures automatic site-wide client push installation to install the Configuration Manager client on any computers that are discovered. This ensures that any computers that were not imaged with the client still install the client so that the computer is managed by Configuration Manager. Adam configures client status to automatically remediate any client issues that are discovered. Adam also configures client settings that enable the collection of inventory data that is required, and configures Asset Intelligence.
Outcome: Installing the client with the operating system is quicker and more reliable than waiting for Configuration Manager to discover the computer and then attempt to install the client source files on the computer. However, leaving the automatic client push option enabled provides a backup mechanism to install the client for any computers that connect to the network with an operating system already installed. Client settings ensure that clients send their inventory information to the site on a regular basis, and the client status tests help to keep the client running with minimal intervention from the help desk. For example, WMI corruptions are detected and automatically remediated. The Asset Intelligence reports help to monitor software usage and licenses.

Configuration steps: Adam creates a collection for the computers that must have more stringent policy settings and then creates a custom client device setting for this collection that disables remote control, enables BitLocker PIN entry, and allows only local administrators to install software. Adam configures role-based administration so that help desk engineers do not see this collection of computers, to help ensure that these computers are not accidentally managed as standard computers.
Outcome: These computers are now managed by Configuration Manager but with specific settings that do not require a new site. The collection for these computers is not visible to the help desk engineers, to help reduce the possibility that they are accidentally sent deployments and scripts for standard computers.
These configuration steps and outcomes result in Trey Research successfully simplifying client
management for devices.
Next Steps
Before you install Configuration Manager, familiarize yourself with some basic concepts and
terms that are specific to Configuration Manager:
 If you are familiar with Configuration Manager 2007, see What’s New in Configuration
Manager because there are some important changes in basic concepts and functionality from
previous versions of the software.
 If you are new to System Center 2012 Configuration Manager, see Fundamentals of
Configuration Manager.
When you are familiar with the basic concepts, use the System Center 2012
Configuration Manager documentation to help you successfully deploy and use Configuration
Manager. For more information about the available documentation, see What’s New in the
Documentation for Configuration Manager.
See Also
Getting Started with System Center 2012 Configuration Manager
What’s New in Configuration Manager
Use the following sections to review information about significant changes in System Center 2012
Configuration Manager since Configuration Manager 2007:
 Site Installation and the Configuration Manager Console
 Sites and Hierarchies
 Client Deployment and Operations
 Software Deployment and Content Management
 Monitoring and Reporting
In addition, the following features either have not changed or have minor changes:
 Wake on LAN
 Windows Embedded devices
Site Installation and the Configuration Manager Console
The following sections contain information about changes in Configuration Manager since
Configuration Manager 2007 that relate to how you install System Center 2012
Configuration Manager and changes to the Configuration Manager console.
Site Installation
The following options in Setup for site installation are new or have changed since Configuration
Manager 2007.
 Central Administration Site
The top-level Configuration Manager 2007 site in a multi-primary site hierarchy was known as
a central site. In System Center 2012 Configuration Manager the central site is replaced by
the central administration site. The central administration site is not a primary site at the top
of the hierarchy, but rather a site that is used for reporting and to facilitate communication
between primary sites in the hierarchy. A central administration site supports a limited
selection of site system roles and does not directly support clients or process client data.
 Installation of Site System Roles
The following site roles can be installed and configured during Setup:
 Management point
 Distribution point
The site system roles are installed locally on the site server. After installation, you can add a
distribution point on another server. The management point for the secondary site is a
supported role only on the site server.
 No Secondary Site Installation Option
Secondary sites can only be installed from the System Center 2012 Configuration Manager
console. For more information about installing a secondary site, see the Install a Secondary
Site section in the topic.
 Optional Configuration Manager Console Installation
You can choose to install the Configuration Manager console during Setup or install the
console after Setup by using the Configuration Manager console Windows Installer package
(consolesetup.exe).
 Server and client language selections
You are no longer required to install your site servers by using source files for a specific
language or install International Client Packs when you want to support different languages
on the client. From Setup, you can choose the server and client languages that are supported
in your Configuration Manager hierarchy. Configuration Manager uses the display language
of the server or client computer when you have configured support for the language. English
is the default language used when Configuration Manager does not support the display
language of the server or client computer.
Warning
You cannot select specific languages for mobile device clients. Instead, you must enable all available client languages or use English only.
 Unattended installation script is automatically created
Setup automatically creates the unattended installation script when you confirm the settings on the Summary page of the wizard. The unattended installation script contains the settings that you choose in the wizard. You can modify the script to install other sites in your hierarchy. Setup creates the script in %TEMP%\ConfigMgrAutoSave.ini.
 Database Replication
When you have more than one System Center 2012 Configuration Manager site in your
hierarchy, Configuration Manager uses database replication to transfer data and merge
changes made to a site’s database with the information stored in the database at other sites
in the hierarchy. This enables all sites to share the same information. When you have a
primary site without any other sites, database replication is not used. Database replication is
enabled when you install a primary site that reports to a central administration site or when
you connect a secondary site to a primary site.
 Setup Downloader
Setup Downloader (SetupDL.exe) is a stand-alone application that downloads the files
required by Setup. You can run Setup Downloader or Setup can run it during site installation.
You can see the progress of files being downloaded and verified, and only the required files
are downloaded (missing files and files that have been updated). For more information about
Setup Downloader, see the Setup Downloader section in this topic.
 Prerequisite Checker
The Prerequisite Checker (prereqchk.exe) is a standalone application that verifies server
readiness for a specific site system role. In addition to the site server, site database server,
and provider computer, the Prerequisite Checker now checks management point and
distribution point site systems. You can run Prerequisite Checker manually or Setup runs it
automatically as part of site installation. For more information about the Prerequisite Checker,
see the Prerequisite Checker section in this topic.
 The Configuration Manager 2007 log viewer tool, Trace32, is now replaced with CMTrace.
For more information, see the Install Sites and Create a Hierarchy for Configuration Manager
topic in the Site Administration for System Center 2012 Configuration Manager guide.
The Configuration Manager Console
There is a new console for System Center 2012 Configuration Manager, which provides the
following benefits:
 Logical grouping of operations into the following workspaces: Assets and Compliance,
Software Library, Monitoring, and Administration. To change the default order of the
workspaces and which ones are displayed, click the down arrow on the navigation pane
above the status bar, and then select one of the options: Show More Buttons, Show Fewer
Buttons, or Navigation Pane Options.
 A ribbon to help you more efficiently use the console.
 An administrative user sees only the objects that she is allowed to see, as defined by role-
based administration.
 Search capabilities throughout the console, to help you find your data more quickly.
 Browse and verify capability for many accounts that you configure in the console, which helps
to eliminate misconfiguration and can be useful for troubleshooting scenarios. For example,
this design applies to the Client Push Installation Account and the Network Access Account.
 Use of temporary nodes in the navigation pane that are automatically created and selected
as a result of actions that you take and that do not display after you close the console.
Examples of temporary nodes include the following:
 In the Assets and Compliance workspace, click the Device Collections node, and then
select the All Systems collection. In the Collection group, click Show Members and the
temporary node named All Systems is created and automatically selected in the
navigation pane.
 In the Monitoring workspace, click Client Status, and in the Statistics section, browse
to the All Systems collection, and then click Active clients that passed client check or
no results. The temporary node named Active clients that passed client check or no
results from “All Systems” is created and automatically selected in the Assets and
Compliance workspace.
Sites and Hierarchies
The following sections contain information about changes from Configuration Manager 2007 that
relate to sites and hierarchies in System Center 2012 Configuration Manager.
Note
The Active Directory schema extensions for System Center 2012 Configuration Manager are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not need to extend the schema again for System Center 2012 Configuration Manager.
Site Types
System Center 2012 Configuration Manager introduces the central administration site and some changes to primary and secondary sites. The following table summarizes these sites and how they compare to sites in Configuration Manager 2007.

Site: Central administration site
Purpose: The central administration site coordinates intersite data replication across the hierarchy by using Configuration Manager database replication. It also enables the administration of hierarchy-wide configurations for client agents, discovery, and other operations. Use this site for all administration and reporting for the hierarchy.
Change from Configuration Manager 2007: Although this is the site at the top of the hierarchy in System Center 2012 Configuration Manager, it has the following differences from a central site in Configuration Manager 2007:
 Does not process data submitted by clients, except for the Heartbeat Discovery discovery data record.
 Does not accept client assignments.
 Does not support all site system roles.
 Participates in database replication.

Site: Primary site
Purpose: Manages clients in well-connected networks.
Change from Configuration Manager 2007: Primary sites in System Center 2012 Configuration Manager have the following differences from primary sites in Configuration Manager 2007:
 Additional primary sites allow the hierarchy to support more clients.
 Cannot be tiered below other primary sites.
 No longer used as a boundary for client agent settings or security.
 Participates in database replication.

Site: Secondary site
Purpose: Controls content distribution for clients in remote locations across links that have limited network bandwidth.
Change from Configuration Manager 2007: Secondary sites in System Center 2012 Configuration Manager have the following differences from secondary sites in Configuration Manager 2007:
 SQL Server is required and SQL Server Express will be installed during site installation if required.
 A management point and distribution point are automatically deployed during the site installation.
 Secondary sites can send content distribution to other secondary sites.
 Participates in database replication.
For more information, see the Planning for Sites and Hierarchies in Configuration Manager topic
in the Site Administration for System Center 2012 Configuration Manager guide.
Site Communication
The following items are new or have changed for site communication since Configuration
Manager 2007:
 Site-to-site communication now uses database replication in addition to file-based replication
for many site-to-site data transfers, including configurations and settings.
 The Configuration Manager 2007 concept of mixed-mode or native-mode sites to define how
clients communicate to site systems in the site has been replaced by site system roles that
can independently support HTTP or HTTPS client communications.
 To help support client computers in other forests, Configuration Manager can discover
computers in these forests and publish site information to these forests.
 The server locator point is no longer used, and the functionality of this site system role is
moved to the management point.
Note: Although the Active Directory schema extensions still include the server locator point,
this object is not used by Microsoft System Center 2012 Configuration Manager.
 Internet-based client management now supports the following:
 User policies when the Internet-based management point can authenticate the user by
using Windows authentication (Kerberos or NTLM).
 Simple task sequences, such as scripts. Operating system deployment on the Internet
remains unsupported.
 Clients on the Internet first try to download any required software updates from
Microsoft Update rather than from an Internet-based distribution point in their assigned
site. Only if this fails will they then try to download the required software updates from
an Internet-based distribution point.
For more information, see the Planning for Communications in Configuration Manager topic in the
Site Administration for System Center 2012 Configuration Manager guide.
Site Modes
Sites are no longer configured for mixed mode or native mode. Instead, you secure client
communication endpoints by configuring individual site system roles to support client connections
over HTTPS or HTTP. Site system roles in the same site can have different settings, for example,
some management points are configured for HTTPS and some are configured for HTTP. Most
client connections over HTTPS use mutual authentication so you must make sure that clients
have a PKI certificate that has client authentication capability to support this configuration. Mobile
devices and client connections over the Internet must use HTTPS.
For sites that use HTTPS client connections, you do not have to specify a PKI certificate for
document signing (the site server signing certificate in Configuration Manager 2007) because
System Center 2012 Configuration Manager automatically creates this certificate (self-signed).
However, most of the PKI certificate requirements from Configuration Manager 2007 remain the
same when you configure site system roles to use HTTPS client communication, except that
many certificates now support SHA-2 in addition to SHA-1. For more information about the
certificates, see Security: Certificates and Cryptographic Controls in this topic.
Language Pack Support
The following items are new or have changed for language support since Configuration Manager
2007:
 You no longer install site servers by using source files designed for a specific language.
Additionally, you no longer install International Client Packs to support different languages on
the client. Instead, you can choose to install only the server and client languages that you
want to support.
 Available client and server language packs are included with the Configuration Manager
installation media in the LanguagePack folder, and updates are available by download
with the prerequisite files.
 You can add client and server language packs to a site when you install the site, and can
modify the language packs in use after the site installs.
 You can install multiple languages at each site, and only need to install those you use:
 Each site supports multiple languages for use with Configuration Manager consoles.
 At each site you can install individual client language packs, adding support for only the
client languages you want to support.
 When you install support for a language that matches the display language of a computer,
Configuration Manager consoles and the client user interface that run on that computer
display information in that language.
 When you install support for a language that matches the language preference that is in use
by the web browser of a computer, connections to web-based information including the
Application Catalog or SQL Server Reporting Services reports display in that language.
Site System Roles
The following site system roles are removed:
 The reporting point. All reports are generated by the reporting services point.
 The PXE service point. This functionality is moved to the distribution point.
 The server locator point. This functionality is moved to the management point.
 The branch distribution point. Distribution points can be installed on servers or workstations
that are in an Active Directory domain. The functionality of the branch distribution point is now
a BranchCache setting for an application deployment type and the package deployment.
In addition, network load balanced (NLB) management points are no longer supported and this
configuration is removed from the management point component properties. Instead, this
functionality is automatically provided when you install more than one management point in the
site.
The following site system roles are new:
 The Application Catalog website point and the Application Catalog web services point. These
site system roles require IIS and support the new client application, Software Center.
 The enrollment proxy point, which manages enrollment requests from mobile devices, and
the enrollment point, which completes mobile device enrollment and provisions AMT-based
computers. These site system roles require IIS.
There is no longer a default management point at primary sites. Instead you can install multiple
management points and the client will automatically select one, based on network location and
capability (HTTPS or HTTP). This behavior supports a higher number of clients in a single site
and provides redundancy, which was previously obtained by using a network load balancing
(NLB) cluster. When the site contains some management points that support HTTPS client
connections and some management points that support HTTP client connections, the client will
connect to a management point that is configured for HTTPS when the client has a valid PKI
certificate.
You can also have more than one Internet-based management point in a primary site, although
you can specify only one when you configure clients for Internet-based client management. When
Internet-based clients communicate with the specified Internet-based management point, they will
be given a list of all the Internet-based management points in the site and then select one.
At a secondary site, the management point is no longer referred to as proxy management point,
and must be co-located on the secondary site server.
Boundaries and Boundary Groups
The following items are new or have changed for boundaries since Configuration Manager 2007:
 Boundaries are no longer site specific, but defined once for the hierarchy, and they are
available at all sites in the hierarchy.
 Each boundary must be a member of a boundary group before a device on that boundary can
identify an assigned site, or a content server such as a distribution point.
 You no longer configure the network connection speed of each boundary. Instead, in a
boundary group you specify the network connection speed for each site system server
associated to the boundary group as a content location server.
For more information, see the Planning for Boundaries and Boundary Groups in Configuration
Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.
Fallback Site for Client Assignment
In Configuration Manager 2007, automatic site assignment would fail if the client was not in a
specified boundary. New in System Center 2012 Configuration Manager, if you specify a fallback
site (an optional setting for the hierarchy) and the client is not in a boundary group, automatic site
assignment succeeds and the client is assigned to the specified fallback site.
For more information, see the How to Assign Clients to a Site in Configuration Manager topic in
the Deploying Clients for System Center 2012 Configuration Manager guide.
Discovery
The following items are new or have changed for Discovery since Configuration Manager 2007:
 Each data discovery record is processed and entered into the database one time only, at a
primary site or central administration site, and then the data discovery record is deleted
without additional processing.
 Discovery information entered into the database at one site is shared to each site in the
hierarchy by using Configuration Manager database replication.
 Active Directory Forest Discovery is a new discovery method that can discover subnets and
Active Directory sites, and can add them as boundaries for your hierarchy.
 Active Directory System Group Discovery has been removed.
 Active Directory Security Group Discovery is renamed to Active Directory Group Discovery
and discovers the group memberships of resources.
 Active Directory System Discovery and Active Directory Group Discovery support options to
filter out stale computer records from discovery.
 Active Directory System, User, and Group Discovery support Active Directory Delta
Discovery. Delta Discovery is improved from Configuration Manager 2007 R3 and can now
detect when computers or users are added or removed from a group.
For more information, see the Planning for Discovery in Configuration Manager topic in the Site
Administration for System Center 2012 Configuration Manager guide.
Client Agent Settings is Now Client Settings
In Configuration Manager 2007, client agent settings are configured on a per-site basis and you
cannot configure these settings for the whole hierarchy. In System Center 2012
Configuration Manager, client agent settings and other client settings are grouped into centrally
configurable client settings objects that are applied at the hierarchy. To view and configure these,
modify the default client settings. If you need additional flexibility for groups of users or
computers, configure custom client settings and assign them to collections. For example, you can
configure remote control to be available only on specified computers.
For more information, see the Planning for Client Settings in Configuration Manager topic in the
Site Administration for System Center 2012 Configuration Manager guide.
Security: Role-Based Administration
In Configuration Manager 2007, administrative access to site resources is controlled by using
class and instance security settings that are verified by the SMS Provider computer to allow
access to site information and configuration settings. System Center 2012 Configuration Manager
introduces role-based administration to centrally define and manage hierarchy-wide security
access settings for all sites and site settings.
Instead of using individual class rights, role-based administration uses security roles to group
typical administrative tasks that are assigned to multiple administrative users. Security scopes
replace individual instance rights per object to group the permissions that are applied to site
objects.
The combination of security roles, security scopes, and collections allows you to segregate
administrative assignments to meet your organization's requirements, and this combination
defines what an administrative user can view and manage in the Configuration Manager
hierarchy.
Role-based administration provides the following benefits:
 Sites are no longer administrative boundaries.
 You create administrative users for the hierarchy and assign security to them one time only.
 You create content for the hierarchy and assign security to that content one time only.
 All security assignments are replicated and available throughout the hierarchy.
 There are built-in security roles to assign the typical administration tasks and you can create
your own custom security roles.
 Administrative users see only the objects that they have permissions to manage.
 You can audit administrative security actions.
The following table illustrates the differences between implementing security permissions in
Configuration Manager 2007 and System Center 2012 Configuration Manager:
Scenario: Add new administrative user
Configuration Manager 2007: Perform the following actions from each site in the hierarchy:
1. Add the Configuration Manager user.
2. Select the security classes.
3. For each class selected, select instance permissions.
System Center 2012 Configuration Manager: Perform the following actions one time only from any site in the hierarchy:
1. Add the Configuration Manager administrative user.
2. Select the security roles.
3. Select the security scopes.
4. Select the collections.
Scenario: Create and deploy software
Configuration Manager 2007: Perform the following actions from each site in the hierarchy:
1. Edit the package properties and select the security classes.
2. Add each user or group to the instance and then select the instance rights.
3. Deploy the software.
System Center 2012 Configuration Manager: Perform the following actions one time only from any site in the hierarchy:
1. Assign a security scope to the software deployment.
2. Deploy the software.
To configure role-based administration, in the Administration workspace, click Security, and
then view or edit the Administrative Users, Security Roles, and Security Scopes.
For more information, see the Planning for Role-Based Administration section in the Planning for
Security in Configuration Manager topic in the Site Administration for System Center 2012
Configuration Manager guide.
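Because security roles, scopes, and collections combine per administrative user, the practical audit question is "who holds which combination". The following PowerShell reads those assignments from the SMS Provider's SMS_Admin class. It is an added example and not code from the Configuration Manager documentation; the provider server name and site code are placeholder assumptions, and the role and scope names it flags ("Full Administrator" and "All") are the built-in names from the console.

```powershell
# Added example (not from the Configuration Manager documentation): list the
# role-based administration assignments of every administrative user or group,
# read from the SMS Provider, so the broadest grants can be reviewed in one place.
# Server name and site code below are placeholder assumptions.

function Get-CMAdminAssignment {
    [CmdletBinding()]
    param(
        [string]$ProviderServer = 'CM01.contoso.example',   # assumed SMS Provider computer
        [string]$SiteCode       = 'PS1'                     # assumed site code
    )
    $ns = "root\sms\site_$SiteCode"

    # One SMS_Admin instance exists per administrative user or security group.
    $admins = Get-WmiObject -ComputerName $ProviderServer -Namespace $ns -Class SMS_Admin

    foreach ($admin in $admins) {
        # If the name arrays came back empty, re-read the instance by path so that
        # lazily-populated properties are retrieved.
        if (-not $admin.RoleNames) { $admin = [wmi]$admin.__PATH }

        $roles  = @($admin.RoleNames)
        $scopes = @($admin.CategoryNames)
        $colls  = @($admin.CollectionNames)

        [pscustomobject]@{
            LogonName    = $admin.LogonName
            IsGroup      = [bool]$admin.IsGroup
            Roles        = ($roles  -join '; ')
            Scopes       = ($scopes -join '; ')
            Collections  = ($colls  -join '; ')
            # Built-in role that grants every permission in the hierarchy.
            FullAdmin    = ($roles  -contains 'Full Administrator')
            # Built-in scope that includes every securable object.
            AllScope     = ($scopes -contains 'All')
            # Number of collections limiting what this user can see and manage.
            CollectionCount = $colls.Count
        }
    }
}

# Usage: show the broadest grants first, then export the full list for review.
$assignments = Get-CMAdminAssignment
$assignments | Where-Object { $_.FullAdmin -or $_.AllScope } |
    Format-Table LogonName, IsGroup, Roles, Scopes -AutoSize
$assignments | Export-Csv -Path "$env:TEMP\cm-admin-assignments.csv" -NoTypeInformation
```

Because all security assignments replicate hierarchy-wide, running this once against any primary site or the central administration site gives the complete picture; there is no per-site list to reconcile as there was with class and instance rights in Configuration Manager 2007.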
Security: Certificates and Cryptographic Controls
The following items are new or have changed for certificates and cryptographic controls since
Configuration Manager 2007:
 For most Configuration Manager communications that require certificates for authentication,
signing, or encryption, Configuration Manager automatically uses PKI certificates if they are
available. If they are not available, Configuration Manager generates self-signed certificates.
 The primary hashing algorithm that Configuration Manager uses for signing is SHA-256.
When two Configuration Manager sites communicate with each other, they sign their
communications by using SHA-256 and you can require that all clients use SHA-256.
 Configuration Manager uses two new types of certificates for site systems: a site system
server certificate for authentication to other site systems in the same Configuration Manager
site, and a site system role certificate.
 Configuration Manager also uses a client authentication certificate to send status messages
from the distribution point to the management point.
 The site server signing certificate is now self-signed; you cannot use a PKI certificate to sign
client policies.
 You can use a client PKI certificate for authentication to a site system that accepts HTTP
client connections.
 The new certificate issuers list for a site acts like a certificate trust list (CTL) in IIS. It is used
by site systems and clients to help ensure that the correct client PKI certificate is used for PKI
communication in Configuration Manager. For more information, see the Planning for the PKI
Trusted Root Certificates and the Certificate Issuers List section in the Planning for Security
in Configuration Manager topic in the Site Administration for System Center 2012
Configuration Manager guide.
For more information about the certificates and the cryptographic controls, see Technical
Reference for Cryptographic Controls Used in Configuration Manager in the Site Administration
for System Center 2012 Configuration Manager guide.
For more information about the PKI certificate requirements, see PKI Certificate Requirements for
Configuration Manager in the Site Administration for System Center 2012 Configuration Manager
guide.
In addition, when you deploy operating systems and use PKI certificates, Configuration Manager
now supports the following:
 The client authentication certificate supports the Subject Alternative Name (SAN) certificate
field and a blank Subject. If you use Active Directory Certificate Services with an enterprise
CA to deploy this certificate, you can use the Workstation certificate template to generate a
certificate with a blank Subject and SAN value.
 Task sequences support the option to disable CRL checking on clients.
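The client-side requirements called out in Site Modes and in the list above (client authentication capability, a private key, a chain to a root the site trusts, a SHA-2 rather than SHA-1 signature, revocation status, and the blank-Subject-plus-SAN shape used for operating system deployment) can be checked on a client before it is switched to HTTPS. The following PowerShell does that audit; it is an added example and not code from the Configuration Manager documentation. The trusted root thumbprints and the store path are assumptions standing in for the values configured for the site.

```powershell
# Added example (not from the Configuration Manager documentation): audit the
# local computer's personal store for a certificate that meets the client-side
# requirements for HTTPS client communication. The root thumbprints below are a
# placeholder assumption; replace them with the roots your site trusts.

function Test-CMClientCertificate {
    [CmdletBinding()]
    param(
        [string[]]$TrustedRootThumbprints = @('0000000000000000000000000000000000000000'),  # placeholder
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [switch]$SkipRevocationCheck   # equivalent in effect to /NoCRLCheck; off by default
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $sanOid        = '2.5.29.17'           # Subject Alternative Name extension
    $now           = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Client authentication capability: require an explicit EKU containing id-kp-clientAuth.
        $ekuExt = $cert.Extensions |
                  Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasClientAuth = $false
        if ($ekuExt) {
            $hasClientAuth = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $clientAuthOid
        }

        # Signature algorithm: SHA-2 family (sha256RSA, sha384RSA, ...) versus SHA-1.
        $sigName = $cert.SignatureAlgorithm.FriendlyName
        $isSha2  = $sigName -match '(?i)sha(256|384|512)'

        # Build the chain and check revocation unless the caller opted out.
        $mode  = if ($SkipRevocationCheck) { 'NoCheck' } else { 'Online' }
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = $mode
        $chainBuilt = $chain.Build($cert)
        $rootThumb  = $null
        if ($chain.ChainElements.Count -gt 0) {
            $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
        }
        $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $rootTrusted = [bool]($rootThumb -and ($TrustedRootThumbprints -contains $rootThumb))

        # A blank Subject is acceptable only when a SAN is present (Workstation template shape).
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        $sanText = if ($sanExt) { @($sanExt)[0].Format($false) } else { $null }
        $hasName = [bool]($cert.Subject -or $sanText)

        $timeValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            SubjectAltName = $sanText
            ClientAuthEku  = $hasClientAuth
            HasPrivateKey  = $cert.HasPrivateKey
            TimeValid      = $timeValid
            Signature      = $sigName
            Sha2Signature  = $isSha2
            ChainBuilt     = $chainBuilt
            ChainStatus    = ($chainStatus -join ',')
            RootTrusted    = $rootTrusted
            Suitable       = ($hasClientAuth -and $cert.HasPrivateKey -and $timeValid -and
                              $chainBuilt -and $rootTrusted -and $hasName)
        }
    }
}

# Usage: every certificate with its verdict; filter on Suitable to see what the client can use.
Test-CMClientCertificate |
    Format-Table Thumbprint, Subject, ClientAuthEku, HasPrivateKey, Sha2Signature, ChainStatus, Suitable -AutoSize
```

The ChainStatus column is where a revocation problem shows up (values such as RevocationStatusUnknown or OfflineRevocation): a certificate can look complete in every other column and still be rejected by an HTTPS management point until the CRL is reachable, which is the situation the /NoCRLCheck and task-sequence options above exist to work around.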
When you implement Internet-based client management, user policies are now supported for
devices that are on the Internet when the management point can authenticate the user in Active
Directory Domain Services. For example, the management point is in the intranet and accepts
connections from Internet clients and intranet clients; or the management point is in a perimeter
network that trusts the intranet forest where the user account resides. For more information about
Internet-based client management, see the Planning for Internet-Based Client Management
section in the Planning for Communications in Configuration Manager topic in the Site
Administration for System Center 2012 Configuration Manager guide.
Backup and Recovery
The following items are new or have changed for backup and recovery since Configuration
Manager 2007.
Feature: Recovery integrated with System Center 2012 Configuration Manager Setup
Description: Configuration Manager 2007 used the Site Repair Wizard to recover sites. In System Center 2012 Configuration Manager, recovery is integrated in the Configuration Manager Setup Wizard.
Feature: Support for multiple recovery options
Description: You have the following options when running recovery in System Center 2012 Configuration Manager:
Site Server
 Recover the site server from a backup.
 Reinstall the site server.
Site Database
 Recover the site database from a backup.
 Create a new site database.
 Use a site database that has been manually recovered.
 Skip database recovery.
Feature: Recovery uses data replication to minimize data loss
Description: System Center 2012 Configuration Manager database replication uses SQL Server to transfer data and merge changes made to a site’s database with the information stored in the database at other sites in the hierarchy. This enables all sites to share the same information.
Recovery in System Center 2012 Configuration Manager leverages database replication to retrieve global data that was created by the failed site before it failed. This process minimizes data loss even when no backup is available.
Feature: Recovery using a Setup script
Description: You can initiate an unattended site recovery by configuring an unattended installation script and then using the Setup command /script option.
For more information, see the Planning for Backup and Recovery section in the Planning for Site
Operations in Configuration Manager topic in the Site Administration for System Center 2012
Configuration Manager guide.
Manage Site Accounts Tool (MSAC)
The Manage Site Accounts (MSAC) command-line tool that was provided with Configuration
Manager 2007 is not provided with System Center 2012 Configuration Manager. Do not use
MSAC from Configuration Manager 2007 with System Center 2012 Configuration Manager.
Instead, configure and manage the accounts by using the Configuration Manager console.
Client Deployment and Operations
The following sections contain information about changes from Configuration Manager 2007 that
relate to client deployment and client operations in System Center 2012 Configuration Manager.
Client Deployment
The following items are new or have changed for client deployment since Configuration Manager
2007:
 Clients are no longer configured for mixed mode or native mode, but instead use HTTPS with
public key infrastructure (PKI) certificates or HTTP with self-signed certificates. Clients use
HTTPS or HTTP according to the configuration of the site system roles that the clients
connect to and whether they have a valid PKI certificate that includes client authentication
capability.
On the Configuration Manager client, in Properties, on the General tab, review the Client
certificate value to determine the current client communication method. This value displays
PKI certificate when the client communicates with a management point over HTTPS, and
Self-signed when the client communicates with a management point over HTTP. Just as the
client property value for the Connection type updates, depending on the current network
status of the client, so the Client certificate client property value updates, depending on
which management point the client communicates with.
 Because Microsoft System Center 2012 Configuration Manager does not use mixed mode
and native mode, the client installation property, /native: [<native mode option>], is no
longer used. Instead, use /UsePKICert to use a PKI certificate that has client authentication
capability, if it is available, but fall back to an HTTP connection if no certificate is available. If
/UsePKICert is not specified, the client does not attempt to communicate by using a PKI
certificate, but communicates by using HTTP only. Additionally, use the new command
/NoCRLCheck if you do not want a client to check the certificate revocation list (CRL) before
it establishes an HTTPS communication.
 The client.msi property SMSSIGNCERT is still used but requires the exported self-signed
certificate of the site server. This certificate is stored in the SMS certificate store and has the
Subject name Site Server and the friendly name Site Server Signing Certificate.
 When you reassign a client from a Microsoft System Center 2012 Configuration Manager
hierarchy to another Microsoft System Center 2012 Configuration Manager hierarchy, the
client will be able to automatically replace the trusted root key if the new site is published to
Active Directory Domain Services and the client can access that information from a Global
Catalog server. For this scenario in Configuration Manager 2007, you had to remove the
trusted root key, manually replace the trusted root key, or uninstall and reinstall the client.
 The server locator point is no longer used for site assignment or to locate management
points. This functionality is replaced by the management point. The CCMSetup Client.msi
property SMSSLP remains supported, but only to specify the computer name of management
points.
 You no longer have to specify CCMSetup Client.msi properties for the Internet-based
management point (CCMHOSTNAME) and certificate selection (CCMCERTSEL) when
clients can connect on the intranet. These values are automatically configured on clients
when they connect to an intranet management point. These properties are still required if you
install clients on the Internet.
 You no longer install International Client Packs when you want to support different languages
on the client. Instead, select the client languages that you want during Setup. Then, during
the client installation, Configuration Manager automatically installs support for those
languages on the client, enabling the display of information in a language that matches the
user’s language preferences. If a matching language is not available, the client displays
information in the default of English. For more information, see the Planning for Client
Language Packs section in the Planning for Sites and Hierarchies in Configuration Manager
topic.
 Decommissioned clients are no longer displayed in the Configuration Manager console and
they are automatically removed from the database by the Delete Aged Discovery Data task.
 The Client.msi property for CCMSetup, SMSDIRECTORYLOOKUP=WINSPROMISCUOUS,
is no longer supported. This setting allowed the client to use WINS to find a management
point without verifying the management point's self-signed certificate.
 To support the new 64-bit client, the location of the CCM folder for client-related files (such as
the client cache and log files) has changed from %windir%\system32 to %windir%. If you
reference the CCM folder for your own script files, update these references for the new folder
location for Microsoft System Center 2012 Configuration Manager clients.
Microsoft System Center 2012 Configuration Manager does not support the CCM folder on
paths that support redirection (such as Program Files and %windir%\system32) on 64-bit
operating systems.
 Automatic, site-wide client push now installs the Configuration Manager client on existing
computer resources if the client is not installed, and not just on newly discovered computer resources.
 Client push installation initiates and tracks the installation of the client by using the
Configuration Manager database and no longer creates individual .CCR files. When you
enable client push installation for a site, all discovered resources that are assigned to the site
and that do not have a client installed are immediately added to the database and client
installation begins.
 Configuration Manager can automatically upgrade Configuration Manager 2007 and
System Center 2012 Configuration Manager clients to the latest System Center 2012
Configuration Manager version when they are below a version that you specify. For more
information, see the How to Automatically Upgrade the Configuration Manager Client section
in the topic How to Install Clients on Computers in Configuration Manager.
For more information, see the Introduction to Client Deployment in Configuration Manager topic in
the Deploying Clients for System Center 2012 Configuration Manager guide.
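The client installation properties listed above fit together differently for intranet and Internet clients: an Internet client cannot reach Active Directory Domain Services, so it needs CCMHOSTNAME, a CCMCERTSEL selection rule, and the exported site server signing certificate for SMSSIGNCERT, whereas an intranet client picks those up from its management point. The following PowerShell, an added example and not code from the Configuration Manager documentation, exports that signing certificate from the SMS store on the site server, assembles the CCMSetup command line for either case, and resolves the moved CCM folder for scripts that reference it. Host names, the site code, file paths, and the CCMCERTSEL value are placeholder assumptions.

```powershell
# Added example (not from the Configuration Manager documentation). All host
# names, paths, and the site code are placeholder assumptions.

function Export-CMSiteServerSigningCertificate {
    # Run on the site server. The self-signed site server signing certificate is in the
    # SMS store with the friendly name "Site Server Signing Certificate".
    param([string]$OutFile = 'C:\Temp\SiteServerSigning.cer')   # assumed output path
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\SMS' |
            Where-Object { $_.FriendlyName -eq 'Site Server Signing Certificate' } |
            Select-Object -First 1
    if (-not $cert) { throw 'Site server signing certificate not found in the SMS store.' }
    # Export the public certificate only (DER); the private key never leaves the site server.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutFile, $der)
    return $OutFile
}

function New-CMClientSetupCommand {
    # Assemble the ccmsetup.exe command line. Revocation checking is left on
    # (no /NoCRLCheck); /UsePKICert prefers a client-authentication PKI certificate
    # and falls back to HTTP only when the client connects on the intranet.
    param(
        [string]$SiteCode      = 'PS1',                            # assumed
        [string]$IntranetMP    = 'mp01.corp.contoso.example',      # assumed intranet management point
        [string]$InternetMP    = 'mp-inet.contoso.example',        # assumed Internet-based management point
        [string]$SignCertFile  = 'C:\Temp\SiteServerSigning.cer',  # output of the export above
        [string]$CertSelection = 'SubjectStr:contoso',             # assumed CCMCERTSEL rule
        [switch]$InternetClient
    )
    $parts = @('/UsePKICert')
    if ($InternetClient) {
        # No access to Active Directory Domain Services: supply what the client cannot look up.
        $parts += "CCMHOSTNAME=$InternetMP"
        $parts += "CCMCERTSEL=`"$CertSelection`""
        $parts += "SMSSIGNCERT=`"$SignCertFile`""
    } else {
        # Intranet clients receive CCMHOSTNAME and CCMCERTSEL from the management point.
        $parts += "/mp:$IntranetMP"
    }
    $parts += "SMSSITECODE=$SiteCode"
    return 'ccmsetup.exe ' + ($parts -join ' ')
}

function Get-CMClientFolder {
    # System Center 2012 clients keep CCM under %windir%; Configuration Manager 2007
    # clients used %windir%\system32\CCM, which file-system redirection hides from a
    # 32-bit process on 64-bit Windows, hence the Sysnative alias as a last resort.
    $candidates = @("$env:windir\CCM", "$env:windir\system32\CCM", "$env:windir\Sysnative\CCM")
    foreach ($path in $candidates) {
        if (Test-Path -Path $path) { return $path }
    }
    return $null
}

# Usage (on the site server, then for an Internet client):
# Export-CMSiteServerSigningCertificate
# New-CMClientSetupCommand -InternetClient
# New-CMClientSetupCommand
# Get-CMClientFolder
```

Keeping the export to the public certificate is deliberate: SMSSIGNCERT only needs the certificate the site server uses to sign policy so the client can verify it, and handing the private half to a client installation source would let anyone with that source forge client policy.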
Client Assignment
The following items are new or have changed for client assignment since Configuration Manager
2007:
 For automatic site assignment to succeed with boundary information, the boundary must be
configured in a boundary group that is configured for site assignment.
 In Configuration Manager 2007, automatic site assignment would fail if the client was not in a
specified boundary. New in System Center 2012 Configuration Manager, if you specify a
fallback site (an optional setting for the hierarchy) and the client’s network location is not in a
boundary group, automatic site assignment succeeds, and the client is assigned to the
specified fallback site.
 Clients can now download site settings from the management point after they have been assigned
to the site if they cannot locate these settings from Active Directory Domain Services.
 Although clients continue to download policy and upload client data to management points in
their assigned site or in a secondary site that is a child site of their assigned site, all clients
that are configured for intranet client management can now use any management point in the
hierarchy for content location requests. There is no longer a requirement to extend the Active
Directory schema to support this capability, and there is no longer a concept of regional and
global roaming.
For more information, see the How to Assign Clients to a Site in Configuration Manager topic in
the Deploying Clients for System Center 2012 Configuration Manager guide.
Collections
The following items are new or have changed for collections since Configuration Manager 2007:
Feature: User Collections and Device Collections nodes
Description: You can no longer combine user resources and device resources in the same collection. The Configuration Manager console has two new nodes for user collections and device collections.
Feature: Sub collections
Description: Sub collections are no longer used in System Center 2012 Configuration Manager. In Configuration Manager 2007, sub collections had two main uses:
 Organize collections in folders. In System Center 2012 Configuration Manager, you can now create a hierarchy of folders in which to store collections.
 Sub collections were often used in Configuration Manager 2007 for phased software deployments to a larger collection of computers. In System Center 2012 Configuration Manager, you can use include rules to progressively increase the membership of a collection.
For more information, see How to Manage Collections in Configuration Manager.
Feature: Include collection rules and exclude collection rules
Description: In System Center 2012 Configuration Manager, you can include or exclude the contents of another collection from a specified collection.
Feature: Incremental collection member evaluation
Description: Incremental collection member evaluation periodically scans for new or changed resources from the previous collection evaluation and updates a collection's membership with these resources, independently of a full collection evaluation. By default, when you enable incremental collection member updates, it runs every 10 minutes and helps to keep your collection data up-to-date without the overhead of a full collection evaluation.
Feature: Migration support
Description: Collections can be migrated from Configuration Manager 2007 collections. For more information, see Planning for Migration Jobs in System Center 2012 Configuration Manager.
Feature: Role-based administration security scopes
Description: You can use collections to limit access to Configuration Manager objects. For more information, see Planning for Security in Configuration Manager.
Feature: Collection resources
Description: In Configuration Manager 2007, collections contained only resources from the site where they were created and from child sites of that site. In System Center 2012 Configuration Manager, collections contain resources from all sites in the hierarchy.
Feature: Collection limiting
Description: In System Center 2012 Configuration Manager, all collections must be limited to the membership of another collection. When you create a collection, you must specify a limiting collection. A collection is always a subset of its limiting collection.
For more information, see the Introduction to Collections in Configuration Manager topic in the
Assets and Compliance in System Center 2012 Configuration Manager guide.
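Limiting collections, include and exclude rules, and incremental evaluation are all visible on the SMS_Collection class of the SMS Provider, so a single read of that class answers the questions the table above raises: what each collection is limited to, which rule types it uses, and how many collections have incremental evaluation turned on. The following PowerShell is an added example and not code from the Configuration Manager documentation; the provider server name and site code are placeholder assumptions.

```powershell
# Added example (not from the Configuration Manager documentation): inventory
# collections with their limiting collection, evaluation mode, and rule types.
# Server name and site code are placeholder assumptions.

function Get-CMCollectionAudit {
    [CmdletBinding()]
    param(
        [string]$ProviderServer = 'CM01.contoso.example',   # assumed SMS Provider computer
        [string]$SiteCode       = 'PS1',                    # assumed site code
        [switch]$IncludeRules                               # one extra read per collection
    )
    $ns = "root\sms\site_$SiteCode"

    foreach ($col in Get-WmiObject -ComputerName $ProviderServer -Namespace $ns -Class SMS_Collection) {
        # RefreshType is a bit field: 1 = manual only, 2 = scheduled full evaluation,
        # 4 = incremental evaluation (6 = scheduled and incremental together).
        $scheduled   = ($col.RefreshType -band 2) -ne 0
        $incremental = ($col.RefreshType -band 4) -ne 0

        $ruleTypes = @()
        if ($IncludeRules) {
            # CollectionRules is a lazy property: re-read the instance by path to populate it.
            $full = [wmi]$col.__PATH
            $ruleTypes = @($full.CollectionRules | ForEach-Object {
                # SMS_CollectionRuleQuery, ...Direct, ...IncludeCollection, ...ExcludeCollection
                $_.__CLASS -replace '^SMS_CollectionRule', ''
            }) | Sort-Object -Unique
        }

        $type = switch ($col.CollectionType) { 1 { 'User' } 2 { 'Device' } default { 'Other' } }

        [pscustomobject]@{
            CollectionID       = $col.CollectionID
            Name               = $col.Name
            Type               = $type
            LimitingCollection = $col.LimitToCollectionName
            LimitingID         = $col.LimitToCollectionID
            ScheduledFull      = $scheduled
            Incremental        = $incremental
            RuleTypes          = ($ruleTypes -join ',')
            Members            = $col.MemberCount
        }
    }
}

# Usage: count incremental collections and list those built from include/exclude rules.
$audit = Get-CMCollectionAudit -IncludeRules
'Collections with incremental evaluation: ' + @($audit | Where-Object { $_.Incremental }).Count
$audit | Where-Object { $_.RuleTypes -match 'IncludeCollection|ExcludeCollection' } |
    Format-Table CollectionID, Name, LimitingCollection, RuleTypes, Incremental -AutoSize
```

Because every collection is a subset of its limiting collection, the LimitingCollection column also shows the effective ceiling of any role-based administration assignment that uses the collection: an administrative user scoped to a collection can never see more than its limiting collection contains.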
Queries
The following items are new or have changed for queries since Configuration Manager 2007:
 The option to export the results of a query is not available in this release. As a workaround,
you can copy the query results to the Windows clipboard.
For more information about queries, see the Introduction to Queries in Configuration Manager
topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.
Client Status Reporting is Now Client Status
The following items are new or have changed for client status reporting (now client status) since
Configuration Manager 2007:
 Client status and client activity information is integrated into the Configuration Manager
console.
 Typical client problems that are detected are automatically remediated.
 The Ping tool from Configuration Manager 2007 R2 client status reporting is not used by
System Center 2012 Configuration Manager.
For more information, see the Monitoring the Status of Client Computers in Configuration
Manager section in the Introduction to Client Deployment in Configuration Manager topic in the
Deploying Clients for System Center 2012 Configuration Manager guide.
Desired Configuration Management is Now Compliance Settings
The following items are new or have changed for desired configuration management (now
compliance settings) since Configuration Manager 2007:
 Configuration Manager 2007 desired configuration management is now called compliance
settings in System Center 2012 Configuration Manager.
 Configuration Manager provides a new built-in security role named Compliance Settings
Manager. Administrative users who are members of this role can manage and deploy
configuration items and configuration baselines and view compliance results.
 An administrative user can create registry and file system settings by browsing to an existing
file, folder, or registry setting on the local or a remote reference computer.
 It is now easier to create configuration baselines.
 You can reuse settings for multiple configuration items.
 You can remediate noncompliant settings for WMI, the registry, scripts, and all settings for
the mobile devices that are enrolled by Configuration Manager.
 When you deploy a configuration baseline, you can specify a compliance threshold for the
deployment. If the compliance is below the specified threshold after a specified date and
time, System Center 2012 Configuration Manager generates an alert to notify the
administrator.
 You can use the new monitoring features of System Center 2012 Configuration Manager to
monitor compliance settings and to view the most common causes of noncompliance, errors,
and the number of users and devices that are affected.
 You can deploy configuration baselines to users and devices.
 Configuration baseline deployments and evaluation support Configuration Manager
maintenance windows.
 You can use compliance settings to manage the mobile devices that you enroll with
Configuration Manager.
 Configuration item versioning lets you view and use previous versions of configuration items.
You can restore or delete previous versions of configuration items and see the user names of
administrative users who made changes.
 Configuration items can contain user and device settings. User settings are evaluated when
the user is logged on. Examples of user settings include registry settings that are stored in
HKEY_CURRENT_USER and user-based script settings that an administrative user
configured.
 Improved reports contain rule details, remediation information, and troubleshooting
information.
 You can now detect and report conflicting compliance rules.
 Unlike Configuration Manager 2007, System Center 2012 Configuration Manager does not
support uninterpreted configuration items. An uninterpreted configuration item is a
configuration item that is imported into compliance settings, but the Configuration Manager
console cannot interpret it. Consequently you cannot view or edit the configuration item
properties in the console. Before you import Configuration Packs or configuration baselines to
System Center 2012 Configuration Manager, you must remove uninterpreted configuration
items in Configuration Manager 2007.
 You can migrate configuration items and configuration baselines from Configuration Manager
2007 to System Center 2012 Configuration Manager. During migration, configuration data is
automatically converted into the new format.
 Settings groups from Configuration Manager 2007 are no longer supported in
System Center 2012 Configuration Manager.
 Regular expressions for settings are not supported in System Center 2012
Configuration Manager.
 Using wildcards for registry settings is not supported in System Center 2012
Configuration Manager. If you migrate configuration data from Configuration Manager 2007,
you must remove wildcards from registry settings before you migrate otherwise the data will
be invalid in the System Center 2012 Configuration Manager configuration item.
 The string operators Matches and Do not Match are not supported in System Center 2012
Configuration Manager.
 You can no longer create configuration items of the type General from the Configuration
Manager console. You can now create only application configuration items and operating
system configuration items. However, if you create a configuration item for a mobile device,
this is created as a general configuration item.
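As an added example (not from this documentation and not Microsoft's code), the following PowerShell script shows the shape of a script setting for a configuration item: a discovery half whose output the compliance rule compares against an expected value, and a remediation half that runs only when the rule is noncompliant and remediation is enabled. The registry path, value name and expected value are assumptions chosen for illustration, and the script file name used in the usage note is hypothetical.

```powershell
# Added example, not from the Configuration Manager documentation or from
# Microsoft. A script setting in a compliance settings configuration item is
# a pair of scripts: the discovery script writes the current value to
# standard output, the compliance rule compares that output with the expected
# value, and the remediation script runs only when the rule is noncompliant
# and remediation is enabled on the deployment. This file holds both halves;
# in the console each half is pasted into its own box.
# Assumptions (not from the page): the setting is the DisableLockWorkstation
# policy value under HKEY_CURRENT_USER and the expected value is 0 (users may
# lock the workstation). Because the value lives in HKCU it is a user
# setting and is evaluated in the context of the logged-on user.
param(
    [ValidateSet('Discover', 'Remediate')]
    [string]$Mode = 'Discover'
)

$KeyPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'DisableLockWorkstation'
$Expected  = 0

function Get-SettingState {
    # Returns the current value as a string, or 'Missing' when the key or
    # value does not exist. 'Missing' is deliberately distinct from 0 so the
    # compliance rule (output equals "0") reports an absent value as
    # noncompliant instead of silently passing it.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Missing' }
    return [string]$item.$Name
}

function Set-SettingState {
    # Creates the key if needed and writes the value as REG_DWORD, then
    # reads it back so the caller can confirm the write took effect.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    return Get-SettingState -Path $Path -Name $Name
}

switch ($Mode) {
    'Discover' {
        # Discovery script box: the compliance rule is "value returned by the
        # script equals 0".
        Write-Output (Get-SettingState -Path $KeyPath -Name $ValueName)
    }
    'Remediate' {
        # Remediation script box. A non-zero exit code is reported as a
        # remediation error in the compliance results rather than as success.
        $after = Set-SettingState -Path $KeyPath -Name $ValueName -Value $Expected
        if ($after -ne [string]$Expected) { exit 1 }
        Write-Output $after
    }
}
```

Run `.\Check-LockPolicy.ps1 -Mode Discover` to see the string the compliance rule will compare. In the configuration item, the discovery branch goes in the Discovery script box and the remediation branch in the Remediation script box, with a rule of type Value, operator Equals, value 0. Because the setting is under HKEY_CURRENT_USER, create it as a user setting so the script runs in the logged-on user's context; as a device setting it would run under the local system account and inspect the wrong hive. If the client requires signed scripts, sign both halves before deployment.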
For more information, see the Introduction to Compliance Settings in Configuration Manager topic
in the Assets and Compliance in System Center 2012 Configuration Manager guide.
Out of Band Management
The following have changed for out of band management since Configuration Manager 2007:
 System Center 2012 Configuration Manager no longer supports provisioning out of band,
which could be used in Configuration Manager 2007 when the Configuration Manager client
was not installed, or the computer did not have an operating system installed. To provision
computers for AMT in System Center 2012 Configuration Manager, they must belong to an
Active Directory domain, have the System Center 2012 Configuration Manager client
installed, and be assigned to a System Center 2012 Configuration Manager primary site.
 To provision computers for AMT, you must install the new site system role, the enrollment
point, in addition to the out of band service point. You must install both these site system
roles on the same primary site.
 There is a new account, the AMT Provisioning Removal Account, which you specify on the
Out of Band Management Component Properties: Provisioning tab. When you specify
this account and use the same Windows account that is specified as an AMT User Account,
you can use this account to remove the AMT provisioning information, if you have to recover
the site. You might also be able to use it when the client was reassigned and the AMT
provisioning information was not removed on the old site.
 Configuration Manager no longer generates a status message to warn you that the AMT
provisioning certificate is about to expire. You must check the remaining validity period
yourself and ensure that you renew this certificate before it expires.
 AMT discovery no longer uses port TCP 16992; only port TCP 16993 is used (16992 is the
HTTP port and 16993 is the HTTPS port on the AMT management controller).
 Port TCP 9971 is no longer used to connect the AMT management controller to the out of
band service point to provision computers for AMT.
 The out of band service point uses HTTPS (by default, port TCP 443) to connect to the
enrollment point.
 The WS-MAN translator is no longer supported.
 The maintenance task Reset AMT Computer Passwords has been removed.
 You no longer select individual permissions for each AMT User Account. Instead, all AMT
User Accounts are automatically configured for the PT Administration (Configuration
Manager 2007 SP1) or Platform Administration (Configuration Manager 2007 SP2) right,
which grants permissions to all AMT features.
 You must specify a universal security group in the Out Of Band Management Component
Properties to contain the AMT computer accounts that Configuration Manager creates during
the AMT provisioning process.
 The site server computer no longer requires Full Control to the organizational unit (OU) that is
used during AMT provisioning. Instead, grant it the Read Members and Write Members (this
object only) permissions.
 The enrollment point rather than the primary site server computer now requires the Issue and
Manage Certificates permission on the issuing certification authority (CA). This permission is
required to revoke AMT certificates. As in Configuration Manager 2007, this computer
account requires DCOM permissions to communicate with the issuing CA. To configure this,
ensure that for Windows Server 2008, the computer account of the enrollment point site
system server is a member of the security group Certificate Service DCOM Access, or, for
Windows Server 2003 SP1 and later, a member of the security group
CERTSVC_DCOM_ACCESS in the domain where the issuing CA resides.
 The certificate templates for the AMT web server certificate and the AMT 802.1X client
certificate no longer use Supply in the request, and the site server computer account no
longer requires permissions to the following certificate templates:
 For the AMT web server certificate template: On the Subject tab, select Build from this
Active Directory information, and then select Common name for the Subject name
format. On the Security tab, grant Read and Enroll permissions to the universal security
group that you specify in the Out Of Band Management Component Properties.
 For the AMT 802.1X client certificate template: On the Subject tab, select Build from
this Active Directory information, and then select Common name for the Subject
name format. Clear the DNS name check box, and then select User principal name
(UPN) as the alternate subject name. On the Security tab, grant Read and Enroll
permissions to the universal security group that you specify in the Out Of Band
Management Component Properties.
 The AMT provisioning certificate no longer requires that the private key can be exported.
 By default, the out of band service point checks the AMT provisioning certificate for certificate
revocation. This occurs when the site system first runs, and when the AMT provisioning
certificate is changed. You can disable this option in the Out Of Band Service Point
Properties.
 You can enable or disable CRL checking for the AMT web server certificate in the out of
band management console. To change the settings, click the Tools menu, and then click
Options. The new setting is used when you next connect to an AMT-based computer.
 When a certificate for an AMT-based computer is revoked, the revocation reason is now
Cease of Operation instead of Superseded.
 AMT-based computers that are assigned to the same Configuration Manager site must have
a unique computer name, even when they belong to different domains and therefore have a
unique FQDN.
 When you reassign an AMT-based computer from one Configuration Manager site to
another, you must first remove the AMT provisioning information, reassign the client, and
then provision the client again for AMT.
 The security rights View management controllers and Manage management controllers
in Configuration Manager 2007 are now named Provision AMT and Control AMT,
respectively. The Control AMT permission is automatically added to the Remote Tools
Operator security role. If an administrative user is assigned to the Remote Tools Operator
security role, and you want this administrative user to provision AMT-based computers or
control the AMT audit log, you must add the Provision AMT permission to this security role,
or ensure that the administrative user belongs to another security role that includes this
permission.
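Because the site no longer warns that the AMT provisioning certificate is about to expire, the check has to be scripted. The following PowerShell function is an added example (not from this documentation and not Microsoft's code) that reports the remaining validity of a certificate identified by thumbprint in a local certificate store and exits non-zero when it is expired or inside the warning window. The store location, the warning window and the placeholder thumbprint are assumptions; substitute the thumbprint shown in the out of band service point properties.

```powershell
# Added example, not from the Configuration Manager documentation or from
# Microsoft. System Center 2012 Configuration Manager no longer warns when the
# AMT provisioning certificate is about to expire, so this function reports
# the remaining validity of a certificate in a local store and flags it when
# it falls inside the warning window.
# Assumptions (not from the page): the AMT provisioning certificate is in the
# Personal store of the local computer on the out of band service point, and
# its thumbprint is the one shown in the out of band service point
# properties; both are passed in as parameters.
function Get-CertificateExpiry {
    param(
        [Parameter(Mandatory = $true)] [string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$WarnDays = 30,
        [datetime]$Now = (Get-Date)
    )
    # The store exposes thumbprints as uppercase hex without separators, so
    # normalize whatever was pasted from the console before comparing.
    $wanted = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $wanted }

    if ($null -eq $cert) {
        return [pscustomobject]@{
            Thumbprint    = $wanted
            Subject       = $null
            NotAfter      = $null
            HasPrivateKey = $false
            DaysLeft      = $null
            Status        = 'NotFound'
        }
    }

    $daysLeft = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)
    $status = 'Valid'
    if ($daysLeft -le $WarnDays) { $status = 'ExpiringSoon' }
    if ($daysLeft -lt 0)         { $status = 'Expired' }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        # The site signs provisioning with this key; it must be present but
        # no longer needs to be exportable.
        HasPrivateKey = $cert.HasPrivateKey
        DaysLeft      = $daysLeft
        Status        = $status
    }
}

# Example run. The thumbprint is a placeholder; replace it with the real one.
$result = Get-CertificateExpiry -Thumbprint '0000000000000000000000000000000000000000' -WarnDays 45
$result | Format-List
# A non-zero exit code lets a scheduled task or monitoring job raise an alert.
if ($result.Status -ne 'Valid' -or -not $result.HasPrivateKey) { exit 1 }
```

Schedule it on the out of band service point with a warning window longer than your CA's renewal lead time, and treat NotFound and a missing private key as failures too: both mean provisioning will fail as surely as an expired certificate.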
For more information, see the Introduction to Out of Band Management in Configuration Manager
topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.
Remote Control
The following items are new or have changed for remote control since Configuration Manager
2007:
 Remote control now supports sending the CTRL+ALT+DEL command to computers.
 You can apply different remote control settings to collections of computers by using client
settings.
 You can lock the keyboard and mouse of the computer that is being administered during a
remote control session.
 The copy and paste functionality between the host computer and the computer that is being
administered has been improved.
 If the remote control network connection is disconnected, the desktop of the computer that is
being administered will be locked.
 You can start the remote control viewer from the Windows Start menu.
 Remote control client settings can automatically configure the Windows Firewall on client
computers to allow remote control to operate.
 Remote control supports connecting to computers with multiple monitors.
 A high visibility notification bar is visible on client computers to inform the user that a remote
control session is active.
 By default, members of the local Administrators group are granted the Remote Control
permission as a client setting.
 The account name of the administrative user who starts the remote control session is
automatically displayed to users during the remote control session. This display helps users
to verify who is connecting to their computer.
 If Kerberos authentication fails when you make a remote control connection to a computer,
you are prompted to confirm that you want to continue before Configuration Manager falls
back to the less secure NTLM authentication method. Unlike Kerberos, NTLM does not
authenticate the remote computer to you, so an unexpected prompt for a computer that should
support Kerberos warrants investigation before you accept it.
 Only TCP port 2701 is required for remote control packets; ports TCP 2702 and TCP 135 are
no longer used.
 Responsiveness for low-bandwidth connections supports the following improvements:
 Elimination of mouse trails by using single mouse cursor design.
 Full support for Windows Aero.
 Elimination of mirror driver.
For more information, see the Introduction to Remote Control in Configuration Manager topic in
the Assets and Compliance in System Center 2012 Configuration Manager guide.
Hardware Inventory
The following items are new or have changed for hardware inventory since Configuration
Manager 2007:
 In System Center 2012 Configuration Manager, you can enable custom hardware inventory,
and add and import new inventory classes from the Configuration Manager console. The
sms_def.mof file is no longer used to customize hardware inventory.
 You can extend the inventory schema by adding or importing new classes.
 Different hardware inventory settings can be applied to collections of devices by using client
settings.
For more information, see the Introduction to Hardware Inventory in Configuration Manager topic
in the Assets and Compliance in System Center 2012 Configuration Manager guide.
Software Inventory
There are no significant changes for software inventory in Configuration Manager since
Configuration Manager 2007.
For more information about software inventory, see the Introduction to Software Inventory in
Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration
Manager guide.
Asset Intelligence
The following items are new or have changed for Asset Intelligence since Configuration Manager
2007:
 In System Center 2012 Configuration Manager, you can enable Asset Intelligence hardware
inventory classes without editing the sms_def.mof file.
 You can now download the Microsoft Volume Licensing Service (MVLS) license statement
from the Microsoft Volume Licensing Service Center and import the license statement from
the Configuration Manager console.
 There is a new maintenance task (Check Application Title with Inventory Information) that
checks that the software title reported in software inventory is reconciled with the software
title in the Asset Intelligence catalog.
 There is a new maintenance task (Summarize Installed Software Data) that provides the
information displayed in the Inventoried Software node under the Asset Intelligence node in
the Assets and Compliance workspace.
 The Client Access License reports have been deprecated.
For more information, see the Introduction to Asset Intelligence in Configuration Manager topic in
the Assets and Compliance in System Center 2012 Configuration Manager guide.
Software Metering
There are no significant changes for software metering in Configuration Manager since
Configuration Manager 2007.
For more information about software metering, see the Introduction to Software Metering in
Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration
Manager guide.
Power Management
The following items are new or have changed for power management since Configuration
Manager 2007:
 If an administrative user enables the option to allow it, users can exclude their own computers
from power management.
 Virtual machines are excluded from power management.
 Administrative users can copy power management settings from another collection.
 A new Computers Excluded report is now available. It displays the computers that are
excluded from power management.
For more information, see the Introduction to Power Management in Configuration Manager topic
in the Assets and Compliance in System Center 2012 Configuration Manager guide.
Mobile Devices
Enrollment for mobile devices in System Center 2012 Configuration Manager is now natively
supported by using the two new enrollment site system roles (the enrollment point and the
enrollment proxy point) and a Microsoft enterprise certification authority.
For more information about how to configure enrollment for mobile devices by using
System Center 2012 Configuration Manager, see How to Install Clients on Mobile Devices and
Enroll Them by Using Configuration Manager.
After the mobile devices are enrolled, you can manage their settings by creating mobile device
configuration items and then deploy them in a configuration baseline. For more information, see
How to Create Mobile Device Configuration Items for Compliance Settings in Configuration
Manager.
For more information, see the Deploying the Configuration Manager Client to Mobile Devices
section in the Introduction to Client Deployment in Configuration Manager topic in the Deploying
Clients for System Center 2012 Configuration Manager guide.
Exchange Server Connector
New in System Center 2012 Configuration Manager, the Exchange Server connector allows you
to find and manage devices that connect to Exchange Server (on-premises or hosted) by using the
Exchange ActiveSync protocol. Use this mobile device management process when you cannot
install the Configuration Manager client on the mobile device.
For more information about the different management capabilities when you manage mobile
devices by using the Exchange Server connector and when you install a Configuration Manager
client on mobile devices, see Determine How to Manage Mobile Devices in Configuration
Manager.
For more information about how to install and configure the Exchange Server connector, see the
How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration
Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide.
Mobile Device Legacy Client
If you have mobile devices that you managed with Configuration Manager 2007 and you cannot
enroll them by using System Center 2012 Configuration Manager, you can continue to use them
with System Center 2012 Configuration Manager. The installation for this mobile device client
remains the same. However, whereas Configuration Manager 2007 did not require PKI
certificates, System Center 2012 Configuration Manager requires PKI certificates on the mobile
device and the management points and distribution points.
Unlike other clients, mobile device legacy clients cannot automatically use multiple management
points in a site.
File collection is no longer supported for these mobile device clients in System Center 2012
Configuration Manager and unlike the mobile devices that you can enroll with Configuration
Manager or manage by using the Exchange Server connector, you cannot manage settings for
these mobile devices. In addition, the mobile device management inventory extension tool
(DmInvExtension.exe) is no longer supported. This functionality is replaced with the Exchange
Server connector.
For more information about the different mobile device management capabilities, see Determine
How to Manage Mobile Devices in Configuration Manager.
For more information, see the Deploying the Configuration Manager Client to Mobile Devices
section in the Introduction to Client Deployment in Configuration Manager topic in the Deploying
Clients for System Center 2012 Configuration Manager guide.
Endpoint Protection
System Center 2012 Endpoint Protection is now integrated with System Center 2012
Configuration Manager. The following items are new or have changed for Endpoint Protection
since Forefront Endpoint Protection 2010:
 Because Endpoint Protection is now fully integrated with Configuration Manager, you do not
run a separate Setup program to install an Endpoint Protection server. Instead, select the
Endpoint Protection point as one of the available Configuration Manager site system roles.
 You can install the Endpoint Protection client by using Configuration Manager client settings,
or you can manage existing Endpoint Protection clients. You do not use a package and
program to install the Endpoint Protection client.
 The Endpoint Protection Manager role-based administration security role provides an
administrative user with the minimum permissions required to manage Endpoint Protection in
the hierarchy.
 Endpoint Protection in Configuration Manager provides new reports that integrate with
Configuration Manager reporting. For example, you can now identify the users who have
computers that most frequently report security threats.
 You can use Configuration Manager software updates to automatically update definitions and
the definition engine by using automatic deployment rules.
 You can configure multiple malware alert types to notify you when Endpoint Protection
detects malware on computers. You can also configure subscriptions to notify you about
these alerts by using email.
 The Endpoint Protection dashboard is integrated with the Configuration Manager console.
You do not have to install the dashboard separately. To view the Endpoint Protection
dashboard, click the System Center 2012 Endpoint Protection Status node in the
Monitoring workspace.
For more information, see the Introduction to Endpoint Protection in Configuration Manager topic
in the Assets and Compliance in System Center 2012 Configuration Manager guide.
Software Deployment and Content Management
The following sections contain information about changes from Configuration Manager 2007 that
relate to software updates, software distribution, operating system deployment and task
sequences in System Center 2012 Configuration Manager.
Software Updates
Although the general concepts for deploying software updates are the same in
System Center 2012 Configuration Manager as they were in Configuration Manager 2007, new or
updated functionality is available that improves the software update deployment process. This
includes automatic approval and deployment for software updates, improved search with
expanded criteria, enhancements to software updates monitoring, and greater user control for
scheduling software update installation.
The following functionality is new or has changed for software updates since Configuration Manager 2007.
Functionality: Software update groups
Description: Software update groups are new in Configuration Manager and replace update lists that were used in Configuration Manager 2007. Software update groups more effectively organize software updates in your environment. You can manually add software updates to a software update group, or add software updates automatically to a new or existing software update group by using an automatic deployment rule. You can also deploy a software update group manually or automatically by using an automatic deployment rule. After you deploy a software update group, you can add new software updates to the group, and they are automatically deployed.
Functionality: Automatic deployment rules
Description: Automatic deployment rules automatically approve and deploy software updates. You specify the criteria for software updates (for example, all Windows 7 software updates released in the last week); the matching software updates are added to a software update group; you configure deployment and monitoring settings; and you decide whether to deploy the software updates in the software update group. You can deploy the software updates in the software update group, or you can retrieve compliance information from client computers for the software updates in the software update group without deploying them.
Functionality: Software updates filtering
Description: New search and expanded criteria are available when software updates are listed in the Configuration Manager console. You can add a set of criteria that makes it easy to find the software updates that you require, and you can save the search criteria to use later. For example, you can set criteria for all critical software updates for Windows 7 and for software updates that were released in the last year. After you filter for the updates that you require, you can select the software updates and review compliance information per software update, create a software update group that contains the software updates, manually deploy the software updates, and so on.
Functionality: Software updates monitoring
Description: In the Configuration Manager console, you can monitor the following software updates objects and processes:
 Important software updates compliance and deployment views
 Detailed state messages for all deployments and assets
 Software updates error codes with additional information to help identify issues
 Status for software updates synchronization
 Alerts for important software updates issues
Software update reports are also available that provide detailed state information for software updates, software update groups, and software update deployments.
Functionality: Manage superseded software updates
Description: Superseded software updates in Configuration Manager 2007 were automatically expired during the full software updates synchronization process for a site. In System Center 2012 Configuration Manager, you can decide whether to manage superseded software updates as in Configuration Manager 2007, or you can configure a specified period of time during which a software update is not automatically expired after it is superseded. During this time, you can still deploy the superseded software update.
Functionality: Increased user control over software updates installation
Description: Configuration Manager gives users more control over when to install software updates on their computer. Configuration Manager Software Center is an application that is installed with the Configuration Manager client. Users run this application from the Start menu to manage the software that is deployed to them, including software updates. In Software Center, users can schedule software update installation at a convenient time before the deadline and install optional software updates. For example, users can configure their business hours and have software updates run outside of those hours to minimize productivity loss. When the deadline is reached for a software update, the installation of the software update is started.
Functionality: Software update files are stored in the content library
Description: The content library in System Center 2012 Configuration Manager is the location that stores all content files for software updates, applications, operating system deployment, and so on. The content library provides a single instance store for content files on the site server and distribution points, and provides an advantage over content management functionality in Configuration Manager 2007. For example, in Configuration Manager 2007, you might distribute the same content files multiple times by using different deployments and deployment packages. The result was that the same content files were stored multiple times on the site server and on distribution points, which added unnecessary processing overhead and excessive hard disk space requirements. For more information about content management, see the Content Library section in the Introduction to Content Management in Configuration Manager topic.
Functionality: Software update deployment template
Description: There is no longer a Deployment Templates node in the Configuration Manager console to manage your templates. Deployment templates can be created only in the Automatic Deployment Rules Wizard or the Deploy Software Updates Wizard. Deployment templates store many of the deployment properties that might not change from deployment to deployment, and they can save much time for administrative users when they deploy software updates. Deployment templates can be created for different deployment scenarios in your environment. For example, you can create one template for expedited software update deployments and another for planned deployments. The template for the expedited deployment can suppress display notifications on client computers, set the deadline to zero (0) days from the deployment schedule, and enable system restarts outside maintenance windows. The template for a planned deployment can allow display notifications on client computers and set the deadline to 14 days from the deployment schedule.
Functionality: Internet-based clients can retrieve update files from the Internet
Description: When an Internet-based client receives a deployment, the client first tries to download the software update files from Microsoft Update instead of from distribution points. When the connection to Microsoft Update is not successful, the client falls back to a distribution point that hosts the software update files and is configured to accept communication from clients on the Internet.
Functionality: Update lists are no longer used
Description: Update lists have been replaced by software update groups.
Functionality: Deployments are no longer used
Description: Although you can still deploy software updates in System Center 2012 Configuration Manager, there is no longer a visible software update deployment object. The deployment object is now nested in a software update group.
Functionality: The New Policies Wizard is no longer available to create a NAP policy for software updates
Description: The Network Access Protection node in the Configuration Manager console and the New Policies Wizard are no longer available in System Center 2012 Configuration Manager. To create a NAP policy for software updates, you must select Enable NAP evaluation on the NAP Evaluation tab in the software update properties.
For more information, see the Introduction to Software Updates in Configuration Manager topic in
the Deploying Software and Operating Systems in System Center 2012 Configuration Manager
guide.
Application Management
Applications are new in System Center 2012 Configuration Manager and have the following
characteristics:
 Applications contain the files and information necessary to deploy a software package to a
computer or a mobile device. Applications contain multiple deployment types that contain the
files and commands necessary to install the software. For example, an application could
contain deployment types for a local installation of a software package, a virtual application
package or a version of the application for mobile devices.
 Requirement rules define conditions that specify how an application is deployed to client
devices. For example, you can specify that the application should not be installed if the
destination computer has less than 2 GB of RAM, or you can specify that a virtual application
deployment type is installed when the destination computer is not the primary device of the
user.
 Global conditions are similar to requirement rules but can be reused with any deployment
type.
 User device affinity allows you to associate a user with specified devices. This allows you to
deploy software to a user rather than a device. For example, you could deploy an application
so that it only installs on the primary device of the user. On devices that are not the primary
device of the user, you could deploy a virtual application that is removed when the user logs
out.
 Deployments are used to distribute applications. A deployment can have an action which
specifies whether to install or uninstall the application and a purpose which specifies whether
the application must be installed or whether the user can choose to install it.
 System Center 2012 Configuration Manager can use detection methods to determine if a
deployment type has already been installed on a device by using product information, or a
script.
 Application management supports the new monitoring features in System Center 2012
Configuration Manager. The status of an application deployment can be monitored directly in
the Configuration Manager console.
 Packages and programs from Configuration Manager 2007 are supported in
System Center 2012 Configuration Manager and can use some of the new deployment and
monitoring features.
 You can now deploy a task sequence on the Internet, as a method to deploy a script, for
example, prior to installing a package and program. It is still not supported to deploy an
operating system over the Internet.
 Software Center is a new client interface that allows users to request and install applications,
control some client functionality, and to access the Application Catalog, which contains
details about all available applications.
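The script detection method mentioned above is a contract with the client: exit code 0 with anything written to standard output means the deployment type is installed, exit code 0 with empty output means it is not installed, and a non-zero exit code is reported as a detection error rather than as "not installed". The following PowerShell detection script is an added example (not from this documentation and not Microsoft's code) that applies that contract to a product registered under the standard Uninstall keys; the product name and minimum version are placeholders.

```powershell
# Added example, not from the Configuration Manager documentation or from
# Microsoft. A script detection method reports to Configuration Manager:
#   exit 0 + data on STDOUT   -> deployment type is installed
#   exit 0 + nothing on STDOUT -> not installed (the installer will run)
#   non-zero exit              -> detection error (do not confuse with "not installed")
# Assumptions (not from the page): the product registers under the standard
# Uninstall key with DisplayName and DisplayVersion values; the name and the
# minimum version below are placeholders.
$DisplayName = 'Contoso Secure Agent'
$MinVersion  = [version]'2.1.0'

function Get-InstalledVersion {
    # Looks in both the native and the WOW6432Node Uninstall keys, because a
    # 32-bit installer on a 64-bit client registers under the latter and a
    # script that checks only one view reports such clients as not installed
    # and reinstalls on every evaluation.
    param([string]$Name)
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            if ($props.DisplayName -eq $Name -and $props.DisplayVersion) {
                $parsed = $null
                if ([version]::TryParse($props.DisplayVersion, [ref]$parsed)) { return $parsed }
            }
        }
    }
    return $null
}

function Test-Installed {
    # True when the product is present at or above the minimum version. An
    # older version returns False so the deployment type runs the installer
    # again and upgrades it instead of leaving the old build in place.
    param([string]$Name, [version]$Minimum)
    $found = Get-InstalledVersion -Name $Name
    return ($null -ne $found -and $found -ge $Minimum)
}

try {
    if (Test-Installed -Name $DisplayName -Minimum $MinVersion) {
        Write-Output 'Installed'   # STDOUT data + exit 0 = installed
    }
    exit 0                          # no STDOUT + exit 0 = not installed
}
catch {
    Write-Error $_                  # non-zero exit = detection error
    exit 1
}
```

The version comparison is the part worth keeping even for a simpler product: a detection script that only tests for the presence of a key reports an out-of-date (and possibly vulnerable) build as installed, and the upgrade never happens. Run the script by hand on a reference client in both states and confirm that the only difference is whether "Installed" appears on standard output.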
The following are new or changed for virtual application (App-V) deployment in
System Center 2012 Configuration Manager:
 Virtual applications support App-V Dynamic Suite Composition by using Configuration
Manager local and virtual application dependencies.
 You can selectively publish the components of a virtual application to client computers.
 Performance improvements when publishing application shortcuts to client computers.
 Clients now check more quickly for required installations after logon. Clients also now check
for required installations when the desktop is unlocked.
 Applications can be deployed to users of Remote Desktop Services or Citrix servers when
other users are logged in.
 System Center 2012 Configuration Manager supports streaming virtual applications over the
Internet from an Internet-based distribution point.
 Streaming support for packages suited together using Dynamic Suite Composition.
 In Configuration Manager 2007, you had to enable streaming support for virtual applications
on each distribution point. In System Center 2012 Configuration Manager, all distribution
points are automatically capable of virtual application streaming.
 Reduced disk space usage on distribution points as application content is no longer
duplicated for multiple application revisions.
 Virtual application content is no longer persisted by default in the Configuration Manager
client cache.
 You can no longer create virtual applications by using Configuration Manager packages and
programs. You must use Configuration Manager application management.
 Configuration Manager supports migrating virtual application packages from Configuration
Manager 2007 to System Center 2012 Configuration Manager. When you migrate an App-V
package from Configuration Manager 2007, the migration Wizard will create this as a
System Center 2012 Configuration Manager application.
 The Configuration Manager 2007 client option Allow virtual application package
advertisement has been removed. In System Center 2012 Configuration Manager, virtual
applications can be deployed by default.
 Virtual applications that are deployed from an App-V Server are not deleted by the
Configuration Manager client.
 Configuration Manager hardware inventory can be used to inventory virtual applications
deployed by an App-V Server.
 Application content that has been downloaded to the App-V cache is not downloaded to the
Configuration Manager client cache.
To modify a virtual application, you must first create it as a Configuration Manager
application.
For more information, see the Introduction to Application Management in Configuration Manager
topic in the Deploying Software and Operating Systems in System Center 2012 Configuration
Manager guide.
Operating System Deployment
The following items are new or have changed for operating system deployment since
Configuration Manager 2007:
• You can apply Windows Updates by using Component-Based Servicing (CBS) to update the Windows Imaging Format (WIM) files that are stored in the Image node of the Software Library workspace.
• The Task Sequence Media Wizard includes steps to add prestart command files (formerly pre-execution hooks) to prestaged media, bootable media, and stand-alone media.
Note
For more information about how to deploy operating systems, including how to use prestart commands when you create media, see one of the following sections in the How to Deploy Operating Systems by Using Media in Configuration Manager topic:
    • How to Create Prestaged Media
    • How to Create Bootable Media
    • How to Create Stand-alone Media
• When you create media that deploys an operating system, you can configure the Task Sequence Media Wizard to suppress the Task Sequence wizard during operating system installation. This configuration enables you to deploy operating systems without end-user intervention.
For more information about how to create media by using the Task Sequence Media Wizard,
see How to Deploy Operating Systems by Using Media in Configuration Manager.
• You can define a deployment in a prestart command that overrides existing deployments to the destination computer. Use the SMSTSPreferredAdvertID task sequence variable to configure the task sequence to use the specific Offer ID that defines the conditions for the deployment.
• You can use the same task sequence media to deploy operating systems to computers anywhere in the hierarchy.
For more information about how to create media by using the Task Sequence Media Wizard, see How to Deploy Operating Systems by Using Media in Configuration Manager.
• The Capture User State and Restore User State task sequence steps support new features from the User State Migration Tool (USMT) version 4.
For more information about capturing and restoring the user state, see How to Manage the User State in Configuration Manager.
• You can use the Install Application task sequence step to deploy applications when you deploy an operating system.
For more information about task sequences, see Planning a Task Sequences Strategy in Configuration Manager.
• You can associate a user with the computer where the operating system is deployed to support user device affinity actions. For more information about creating an association between users and the destination computer, see How to Associate Users with a Destination Computer.
For more information about how to manage user device affinity, see How to Manage User Device Affinity in Configuration Manager.
• The functionality of the PXE service point and its configuration is moved to the distribution point to increase scalability.
For more information about creating a distribution point that accepts PXE requests, see the Creating Distribution Points that Accept PXE Requests section of the How to Deploy Operating Systems by Using PXE in Configuration Manager topic.
• CMTrace, the Configuration Manager log viewer tool, is added to all boot images that are added to the Software Library.
For more information about boot images, see Planning for Boot Image Deployments in Configuration Manager.
For more information, see the Introduction to Operating System Deployment in Configuration
Manager topic in the Deploying Software and Operating Systems in System Center 2012
Configuration Manager guide.
Content Management
The following items are new or have changed for content management since Configuration
Manager 2007:
• Branch distribution points were available in Configuration Manager 2007 to distribute content, for example, to a small office with limited bandwidth. In System Center 2012 Configuration Manager, there is only one distribution point type with the following new functionality:
    • You can install the distribution point site system role on client or server computers.
    • You can configure bandwidth settings, throttling settings, and schedule content distribution between the site server and distribution point.
    • You can prestage content on remote distribution points and manage how Configuration Manager updates content to the prestaged distribution points.
    • The PXE service point and the associated settings are in the properties for the distribution point.
• In Configuration Manager 2007, you configure a distribution point as protected to prevent clients outside the protected boundaries from accessing the distribution point. In System Center 2012 Configuration Manager, preferred distribution points replace protected distribution points.
• Distribution point groups provide a logical grouping of distribution points for content distribution. You can add one or more distribution points from any site in the Configuration Manager hierarchy to the distribution point group. You can also add the distribution point to more than one distribution point group. This expanded functionality lets you manage and monitor content from a central location for distribution points that span multiple sites.
• The content library in System Center 2012 Configuration Manager is the location that stores all content files for software updates, applications, operating system deployment, and so on. The content library provides a single instance store for content files on the site server and distribution points, and provides an advantage over content management functionality in Configuration Manager 2007. For example, in Configuration Manager 2007, you might distribute the same content files multiple times by using different deployments and deployment packages. The result was that the same content files were stored multiple times on the site server and on distribution points and added unnecessary processing overhead and excessive hard disk space requirements.
• You can prestage content, which is the process to copy content, to the content library on a site server or distribution point before you distribute the content. Because the content files are already in the content library, Configuration Manager does not copy the files over the network when you distribute the content.
• The Configuration Manager console provides content monitoring that includes the status for all package types in relation to the associated distribution points, the status of content assigned to a specific distribution point group, the state of content assigned to a distribution point, and the status of optional features for each distribution point.
• You can enable content validation on distribution points to verify the integrity of packages that have been distributed to the distribution point.
• In Configuration Manager 2007, content files are automatically distributed to the disk drive with the most free space. In System Center 2012 Configuration Manager, you configure the disk drives on which you want to store content and configure the priority for each drive when Configuration Manager copies the content files.
• BranchCache has been integrated in System Center 2012 Configuration Manager so that you can control usage at a more detailed level. You can configure the BranchCache settings on a deployment type for applications and on the deployment for a package.
For more information, see the Introduction to Content Management in Configuration Manager
topic in the Deploying Software and Operating Systems in System Center 2012 Configuration
Manager guide.
Monitoring and Reporting
The following sections contain information about changes from Configuration Manager 2007 that
relate to monitoring and reporting in System Center 2012 Configuration Manager.
Reporting
The following items are new or have changed for reporting since Configuration Manager 2007:
• Configuration Manager no longer uses the reporting point; the reporting services point is the only site system role that Configuration Manager now uses for reporting.
• Full integration of the Configuration Manager 2007 R2 SQL Server Reporting Services solution: In addition to standard report management, Configuration Manager 2007 R2 introduced support for SQL Server Reporting Services reporting. System Center 2012 Configuration Manager integrates the Reporting Services solution, adds new functionality, and removes standard report management as a reporting solution.
• Report Builder 2.0 integration: System Center 2012 Configuration Manager uses Microsoft SQL Server 2008 Reporting Services Report Builder 2.0 as the exclusive authoring and editing tool for both model-based and SQL-based reports. Report Builder 2.0 is automatically installed when you create or modify a report for the first time.
• Report subscriptions in SQL Server Reporting Services let you configure the automatic delivery of specified reports by email or to a file share at scheduled intervals.
• You can run Configuration Manager reports in the Configuration Manager console by using Report Viewer, or you can run reports from a browser by using Report Manager. Both methods for running reports provide a similar experience.
• Reports in Configuration Manager are rendered in the locale of the installed Configuration Manager console. Subscriptions are rendered in the locale in which SQL Server Reporting Services is installed. When you author a report, you can specify the assembly and expression.
For more information, see the Introduction to Reporting in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.
Alerts
Alerts are new in System Center 2012 Configuration Manager and provide near real-time
awareness of current site operations and conditions in the Configuration Manager console. Alerts
are state-based and will automatically update when conditions change. System Center 2012
Configuration Manager alerts are not similar to status messages in Configuration Manager, nor
are they similar to alerts in other System Center products, such as those found in
Microsoft System Center Operations Manager 2007.
For more information, see the Configuring Alerts in Configuration Manager topic in the Site
Administration for System Center 2012 Configuration Manager guide.
Monitoring Database Replication
You can monitor the status of System Center 2012 Configuration Manager data replication by
using the Database Replication node in the Monitoring workspace of the Configuration
Manager console.
For more information, see the How to Monitor Database Replication and SQL Server Status for
Database Replication section in the Monitor Configuration Manager Sites and Hierarchy topic
from the Site Administration for System Center 2012 Configuration Manager guide.
See Also
Getting Started with System Center 2012 Configuration Manager
What’s New in the Documentation for Configuration Manager
Use this topic to track a summary of significant changes in the Documentation Library for
System Center 2012 Configuration Manager. After the release, the documentation might be
updated for new information, to incorporate customer feedback, and to make any corrections that
might be required. Typically, any documentation changes are announced each month on the
System Center Configuration Manager Team Blog, and then periodically summarized in this topic.
You can use the Configuration Manager Documentation Team Twitter feed to be notified
about recent updates.
In the release publication of the library, the following guides include information to help you be
successful with Configuration Manager:
Getting Started with System Center 2012 Configuration Manager
    This guide helps you get started with System Center 2012 Configuration Manager with an introduction to the product, what’s new and changed since Configuration Manager 2007, basic concepts, and some frequently asked questions.
Site Administration for System Center 2012 Configuration Manager
    This guide provides the information to help you plan, install, configure, and maintain System Center 2012 Configuration Manager. This information includes how to run Setup for the product.
Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager
    This guide provides information about migrating an existing Configuration Manager 2007 infrastructure to System Center 2012 Configuration Manager.
Deploying Clients for System Center 2012 Configuration Manager
    This guide provides information to help you plan, install, configure, and manage client deployment in System Center 2012 Configuration Manager. This information includes enrolling mobile devices with Configuration Manager and how to manage mobile devices by using the Exchange Server connector.
Deploying Software and Operating Systems in System Center 2012 Configuration Manager
    This guide provides information to help you plan, configure, and manage the deployment of software and operating systems in System Center 2012 Configuration Manager.
Assets and Compliance in System Center 2012 Configuration Manager
    This guide provides information to help you manage your devices (computers and mobile devices) in System Center 2012 Configuration Manager.
Security and Privacy for System Center 2012 Configuration Manager
    This guide contains security-related information from the other Configuration Manager guides and privacy statements for the product.
For a glossary of terms and definitions, see Glossary for Microsoft System Center 2012
Configuration Manager.
What's New in the Documentation Library for May 2012
The following sections describe what's new in the Documentation Library for System Center 2012
Configuration Manager since the official documentation library release in March 2012. The topics
that are listed are either new topics or topics that contain significant technical changes. Topics
that contain minor changes are not listed.
In addition, you can now download a copy of this technical documentation from the Microsoft
Download Center. Always use the TechNet online library for the most up-to-date information.
Getting Started with System Center 2012 Configuration Manager
The following new or updated topics are from the Getting Started with System Center 2012
Configuration Manager guide.
What’s New in Configuration Manager
    In the Sites and Hierarchies section, added a new section for Language Pack Support. This information is also clarified in the Client Deployment and Operations section, which contains the information that you no longer install International Client Packs (ICPs) when you want to support different languages on the client.
Supported Configurations for Configuration Manager
    Updated for the latest support statements.
Frequently Asked Questions for Configuration Manager
    Updated for new questions that include the following:
    • Where are the supported scenarios and network diagrams for Internet-based client management that you had for Configuration Manager 2007?
    • Can I migrate maintenance windows?
    • Which antimalware solutions can Endpoint Protection uninstall?
Information and Support for Configuration Manager
    Updated the Search the Configuration Manager Documentation Library section to explain how to use the scoped search link, with examples and search tips.
Site Administration for System Center 2012 Configuration Manager
The following new or updated topics are from the Site Administration for System Center 2012
Configuration Manager guide.
Planning for Site Systems in Configuration Manager
    Updated the site system role placement for secondary sites.
Planning for Sites and Hierarchies in Configuration Manager
    Updated for additional information about planning for language packs at Configuration Manager sites, clients, and the Configuration Manager console.
Planning for Discovery in Configuration Manager
    Updated for the new section, Best Practices for Discovery.
Planning for Communications in Configuration Manager
    Updated for the information that the Application Catalog web service point, like the out of band service point, must reside in the same Active Directory forest as the site server. Other site system roles can be installed in other forests. This topic is also updated with a procedure for how to manually publish management points to DNS on Windows Server.
Install Sites and Create a Hierarchy for Configuration Manager
    Updated for a new section, Decommission Sites and Hierarchies, for information about how to uninstall Configuration Manager. In addition, the /TESTDBUPGRADE option is updated in the Using Command-Line Options with Setup section to clarify that this switch is not supported on a production database.
Manage Site and Hierarchy Configurations
    Updated the Modify the Site Database Configuration section to clarify that Configuration Manager does not support changing the port for SQL Server after the site is installed. Added new sections, Manage Language Packs at Configuration Manager Sites and Configure Custom Locations for the Site Database Files.
Security and Privacy for Site Administration in Configuration Manager
    Updated the entry about the Security Configuration Wizard with the link to download the toolkit for System Center 2012 Configuration Manager: System Center 2012 – Configuration Manager Component Add-ons and Extensions. This information is also updated in the Security and Privacy for System Center 2012 Configuration Manager guide.
Technical Reference for Ports Used in Configuration Manager
    Updated for the ports used by the new site system roles: the Application Catalog website point and Application Catalog web service point; the enrollment point and enrollment proxy point; and the Endpoint Protection point. Also clarified that Configuration Manager does not support dynamic ports for SQL Server.
Technical Reference for Language Packs in Configuration Manager
    New topic that provides technical details about language support in System Center 2012 Configuration Manager.
Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager
The following new or updated topics are from the Migrating from Configuration Manager 2007 to
System Center 2012 Configuration Manager guide.
Planning for Migration to System Center 2012 Configuration Manager
    Updated for additional information about planning for overlapping boundaries if you will install new Configuration Manager 2007 clients during the migration period.
Planning for Migration Jobs in System Center 2012 Configuration Manager
    Updated to clarify that when a collection migrates, Configuration Manager also migrates collection settings that include maintenance windows and collection variables, but cannot migrate collection settings for AMT provisioning.
Planning for Content Deployment During Migration to System Center 2012 Configuration Manager
    Updated the Distribution Point Upgrade section to clarify the package migration behavior during a distribution point upgrade.
Deploying Clients for System Center 2012 Configuration Manager
The following new or updated topics are from the Deploying Clients for System Center 2012
Configuration Manager guide.
Prerequisites for Client Deployment in Configuration Manager
    Updated to clarify that although most operating systems now include BITS, some operating systems, such as Windows Server 2003 R2 SP2, do not. If you install the client on an operating system that does not already have BITS installed, you must first install it.
Best Practices for Client Deployment in Configuration Manager
    Updated for the new best practice to install additional client languages on the site before you deploy clients on computers and mobile devices.
How to Assign Clients to a Site in Configuration Manager
    Updated to clarify the assignment behavior for a System Center 2012 Configuration Manager client when it is assigned to a Configuration Manager 2007 site.
About Client Installation Properties in Configuration Manager
    Updated for information about file locations for the /config: and CCMENABLELOGGING installation properties.
Deploying Software and Operating Systems in System Center 2012 Configuration Manager
The following new or updated topics are from the Deploying Software and Operating Systems in
System Center 2012 Configuration Manager guide.
Example Scenario for Deploying Software Updates
    New topic that provides an example scenario for how you might deploy software updates in your environment.
How to Manage Applications and Deployment Types in Configuration Manager
    Updated to clarify that the Retire management task does not remove any installed copies of the application from client computers.
Planning a Task Sequences Strategy in Configuration Manager
    Updated for information about running task sequences in a maintenance window.
How to Manage the User State in Configuration Manager
    Updated for how to create a USMT package and how to restore the user state if the operating system deployment fails.
Task Sequence Steps in Configuration Manager
    Updated the Install Software Updates step for the information that the step cannot suppress restarts if the software update requires a restart.
Example Scenario for PXE-Initiated Operating System Deployment
    New topic that provides an example scenario for how you might deploy an operating system by using PXE in your environment.
Assets and Compliance in System Center 2012 Configuration Manager
The following new or updated topics are from the Assets and Compliance in System Center 2012
Configuration Manager guide.
How to Create Queries in Configuration Manager
    Updated to clarify that a query that contains no criteria will return all devices in the All Systems collection.
How to Extend Hardware Inventory in Configuration Manager
    Updated for the information that you must create a hardware inventory class for any MIF files you want to add to inventory.
How to Configure Software Inventory in Configuration Manager
    Updated for an example of how to specify a file type that you want to inventory.
Introduction to Software Metering in Configuration Manager
    Updated to include the reference to Example Scenario for Software Metering in Configuration Manager.
How to Manage AMT-based Computers Out of Band in Configuration Manager
    Updated to clarify that the out of band management power control commands are always available for a collection, even if the collection contains resources that are not provisioned for AMT.
How to Configure Endpoint Protection in Configuration Manager
    Updated for information about using software updates automatic deployment rules to deploy definition updates for Endpoint Protection.
See Also
Getting Started with System Center 2012 Configuration Manager
Fundamentals of Configuration Manager
If you are new to Configuration Manager, use the following information to learn about the basic
concepts for Microsoft System Center 2012 Configuration Manager before you run Setup or read
more detailed information. If you are familiar with Configuration Manager 2007, see What’s New
in Configuration Manager.
For information about supported operating systems and supported environments, hardware
requirements, and capacity information, see Supported Configurations for Configuration Manager.
Sites
When you install System Center 2012 Configuration Manager for the first time, you create a
Configuration Manager site that is the foundation from which to manage devices and users in
your enterprise. This site is either a central administration site or a primary site. A central
administration site is suitable for large-scale deployments and provides a central point of
administration and the flexibility to support devices that are distributed across a global network
infrastructure. A primary site is suitable for smaller deployments and it has fewer options to
accommodate any future growth of your enterprise.
When you install a central administration site, you must also install at least one primary site to
manage users and devices. With this design, you can install additional primary sites to manage
more devices and to control network bandwidth when devices are in different geographical
locations. You can also install another type of site that is named a secondary site. Secondary
sites extend a primary site to manage a few devices that have a slow network connection to the
primary site.
When the first site that you install is a primary site instead of a central administration site, you
cannot install additional primary sites. However, you can still install one or more secondary sites
to extend the primary site when you need to manage a few devices that have a slow network
connection to the primary site. If you do not install any secondary sites from this single primary
site, the site is referred to as a standalone site.
When you have more than one site that communicates with each other, you have an arrangement
of sites that is referred to as a hierarchy.
Publishing Site Information to Active Directory Domain Services
If you extend the Active Directory schema for System Center 2012 Configuration Manager, you
can publish System Center 2012 Configuration Manager sites to Active Directory Domain
Services so that Active Directory computers can securely retrieve System Center 2012
Configuration Manager site information from a trusted source. Although publishing site
information to Active Directory Domain Services is not required for basic Configuration Manager
functionality, this configuration increases the security of your System Center 2012
Configuration Manager hierarchy and reduces administrative overhead.
You can extend the Active Directory schema before or after you install System Center 2012
Configuration Manager. Before you can publish site information, you must also create an Active
Directory container named System Management in each domain that contains a
System Center 2012 Configuration Manager site. You must also configure the Active Directory
permissions so that the site can publish its information to this Active Directory container. As with
all schema extensions, you extend the schema for System Center 2012 Configuration Manager
one time only per forest.
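As an added example that is not part of the Configuration Manager documentation, the following PowerShell script performs the two preparation steps described above for one domain: it creates the System Management container under the domain's System container and grants a single site server's computer account the rights it needs to publish there. It assumes the ActiveDirectory module (RSAT), an account that can create objects under CN=System and modify their ACL, and a placeholder site server name of CM01.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Creates the "System Management" container and grants ONE site server's
# computer account the rights it needs to publish site information there.
# Assumes: ActiveDirectory module (RSAT) available, run by an account that can
# create objects under CN=System and modify their ACL. Repeat per domain that
# contains a site.
Import-Module ActiveDirectory

$SiteServerName = 'CM01'   # placeholder: computer name of the site server

$Domain      = Get-ADDomain
$SystemPath  = "CN=System,$($Domain.DistinguishedName)"
$ContainerDN = "CN=System Management,$SystemPath"

# 1. Create the container once; re-running the script is harmless.
$Existing = Get-ADObject -LDAPFilter '(cn=System Management)' `
                         -SearchBase $SystemPath -SearchScope OneLevel
if (-not $Existing) {
    New-ADObject -Name 'System Management' -Type container -Path $SystemPath
}

# 2. Grant the site server's computer account Full Control on the container
#    and all descendant objects. The grant is scoped to this one account and
#    this one container: do not widen it to Domain Computers or Everyone.
$SiteServer = Get-ADComputer -Identity $SiteServerName
$Rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $SiteServer.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$Acl = Get-Acl -Path "AD:\$ContainerDN"
$Acl.AddAccessRule($Rule)
Set-Acl -Path "AD:\$ContainerDN" -AclObject $Acl

# 3. Verify: list every explicit (non-inherited) ACE on the container so that
#    any principal other than the site server and the default entries stands out.
(Get-Acl -Path "AD:\$ContainerDN").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize
```

Running step 3 on its own is a quick periodic check that no account beyond the site servers has been granted rights to publish into the container.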
Site System Servers and Site System Roles
Configuration Manager uses site system roles to support management operations at each site.
When you install a Configuration Manager site, some site system roles are automatically installed
and assigned to the server on which Configuration Manager Setup has run successfully. One of
these site system roles is the site server, which you cannot transfer to another server or remove
without uninstalling the site. You can use other servers to run additional site system roles or to
transfer some site system roles from the site server by installing and configuring Configuration
Manager site system servers.
Each site system role supports different management functions. The site system roles that
provide basic management functionality are described in the following table.
Site server
    A computer on which you run the Configuration Manager setup program and which provides the core functionality for the site.
Site database server
    A server that hosts the SQL Server database, which stores information about Configuration Manager assets and site data.
Component server
    A server that runs Configuration Manager services. When you install all the site system roles except for the distribution point role, Configuration Manager automatically installs the component server.
Management point
    A site system role that provides policy and service location information to clients and receives configuration data from clients.
Distribution point
    A site system role that contains source files for clients to download, such as application content, software packages, software updates, operating system images, and boot images.
Reporting services point
    A site system role that integrates with SQL Server Reporting Services to create and manage reports for Configuration Manager.
When companies first deploy Configuration Manager in a production environment, they often run
multiple site system roles on the site server and have additional site system servers for
distribution points. Then they install additional site system servers and add new site system roles,
according to their business requirements and network infrastructure.
The additional site system roles that you might need for specific functionality are listed in the
following table.
State migration point
    A site system role that stores user state data when a computer is migrated to a new operating system.
Software update point
    A site system role that integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients.
System Health Validator point
    A site system role that validates Configuration Manager Network Access Protection (NAP) policies. It must be installed on a NAP health policy server.
Endpoint Protection point
    A site system role that Configuration Manager uses to accept the Endpoint Protection license terms and to configure the default membership for Microsoft Active Protection Service.
Fallback status point
    A site system role that helps you monitor client installation and identify the clients that are unmanaged because they cannot communicate with their management point.
Out of band service point
    A site system role that provisions and configures Intel AMT-based computers for out of band management.
Asset Intelligence synchronization point
    A site system role that connects to System Center Online to download Asset Intelligence catalog information and upload uncategorized titles so that they can be considered for future inclusion in the catalog.
Application Catalog web service point
    A site system role that provides software information to the Application Catalog website from the Software Library.
Application Catalog website point
    A site system role that provides users with a list of available software from the Application Catalog.
Enrollment proxy point
    A site system role that manages enrollment requests from mobile devices so that they can be managed by Configuration Manager.
Enrollment point
    A site system role that uses PKI certificates to complete mobile device enrollment and to provision Intel AMT-based computers.
Clients
System Center 2012 Configuration Manager clients are devices (such as workstations, laptops,
servers, and mobile devices) that have the Configuration Manager client software installed so that
you can manage them. Management includes operations such as reporting hardware and
software inventory information, installing software, and configuring settings that are needed for
compliance. Configuration Manager has discovery methods that you can use to find devices on
your network to help you to install the client software on them.
Configuration Manager has a number of options to install the client software on devices. These
options include client push installation, software update-based installation, group policy, and
manual installation. You can also include the client when you deploy an operating system image.
Configuration Manager uses collections to group devices so that you can perform management
tasks on multiple devices that share a common set of criteria. For example, you might want to
install a mobile device application on all mobile devices, in which case you could use the All
Mobile Devices collection, which automatically excludes computers. You can create your own
collections to logically group the devices that you manage, according to your business
requirements.
User-Centric Management
In addition to the collections for devices, there are also user collections that contain users from
Active Directory Domain Services. User collections allow you to install software on all computers
that the user logs into, or you can configure user device affinity so that the software installs on
only the main devices that the user uses. These main devices are called primary devices and a
user can have one or more primary devices.
One of the ways in which users can control their software deployment experience is by using the
new client interface, Software Center. Software Center is automatically installed on client
computers and accessed from the users’ Start menu. It allows users to manage their own
software, and they can perform the following:
 Install software
 Schedule software to automatically install outside working hours
 Configure when Configuration Manager can install software on their device
 Configure access settings for remote control, if remote control is enabled in Configuration
Manager
 Configure options for power management if an administrative user has enabled this
A link in Software Center allows users to connect to the Application Catalog, where they can
browse for, install and request software. In addition, users can also use the Application Catalog to
configure some preference settings and wipe their mobile devices. Because Application Catalog
is a website that is hosted in IIS, users can also access the Application Catalog directly from a
browser, from the intranet, or from the Internet.
Users can also specify their primary devices from the Application Catalog, if you allow this
configuration. Other methods of configuring the user device affinity information include importing
the information from a file and automatic generation from usage data.
Client Settings
When you first install System Center 2012 Configuration Manager, all clients in the hierarchy are
configured with default client settings, which you can modify. These client settings include
configuration options such as how often devices communicate with the site, whether the client is
enabled for software updates and other management operations, and whether users can enroll
their mobile devices to be managed by Configuration Manager. If you need different client
settings for groups of users or devices, you can create custom client settings and then assign
them to collections. Users or devices that are in the collection will be configured with the custom
settings. You can create multiple custom client settings; they are applied according to the order
number that you specify, and if two custom client settings conflict, the setting that has the lowest
order number overrides the other settings.
Limited Management without Clients
The System Center 2012 Configuration Manager client software provides full management
capability for users and devices but there are also two scenarios in which you can manage
devices independently from the client software: out of band management, which uses Intel Active
Management Technology (AMT), and mobile devices that are connected to an Exchange Server
computer.
Configuration Manager uses the client software to provision and configure computers for AMT,
but when you perform AMT management operations, the client software is not used. Instead,
Configuration Manager connects directly to the AMT management controller. This means that you
continue to have some management control over computers that are not started or are not
responding at the operating system level. For example, you could restart these computers, re-
image them, or run diagnostic utilities to help troubleshoot them.
When you cannot install the Configuration Manager client software on mobile devices, you can
still manage them by using the Exchange Server connector. The connector allows you to
configure the settings in the Exchange Default ActiveSync mailbox policy. Any settings that are
defined in this policy can be configured by Configuration Manager, and this connector also
supports remote wipe and Exchange access rules for block and quarantine. Any mobile device
that you manage by using the Exchange Server connector displays in the All Mobile Devices
collection, even though the device does not have the System Center 2012 Configuration Manager
client installed on it. Because the client is not installed, you cannot deploy software to these
devices.
Client Management Tasks
After you have installed Configuration Manager clients, you can perform various client
management tasks, which include the following:
 Deploy applications, software updates, maintenance scripts, and operating systems. You can
configure these to install by a specified date and time, or make them available for users to
install when they are requested, and you can configure applications to be uninstalled.
 Help protect computers from malware and security threats, and alert you when problems are
detected.
 Define client configuration settings that you want to monitor and remediate if they are out of
compliance.
 Collect hardware and software inventory information, which includes monitoring and
reconciling license information from System Center Online.
 Troubleshoot computers by using remote control or by using AMT operations for AMT-based
computers that are not responding.
 Implement power management settings to manage and monitor the power consumption of
computers.
You can use the Configuration Manager console to monitor these operations in near real-time, by
using alerts and status information. For capturing data and historical trending, you can use the
integrated reporting capabilities of SQL Reporting Services.
To help ensure that you continue to manage the System Center 2012 Configuration Manager
clients, use the client status information that provides data about the health of the client and client
activity. This data helps to identify computers that are not responding and in some cases,
problems can be automatically remediated.
Configuration Manager (Windows Control Panel)
When you install the Configuration Manager client, this installs the Configuration Manager client
application in Control Panel. Unlike Software Center, this application is not intended to be used
by end users, but rather by the help desk. Some configuration options require local administrative
permissions. You can use this application to perform the following tasks on an individual client:
 View properties about the client, such as the build number, its assigned site, which
management point it is communicating with, and whether it is using a PKI certificate or a self-
signed certificate.
 Confirm that the client has successfully downloaded client policy after it is installed for the
first time and that client settings are enabled or disabled as expected, according to the client
settings that are configured in the Configuration Manager console.
 Initiate client actions, such as download the client policy if there has been a recent change of
configuration in the Configuration Manager console and you do not want to wait until the next
schedule time.
 Manually assign a client to a Configuration Manager site or try to find a site, and specify the
DNS suffix for management points that publish to DNS.
 Configure the client cache that temporarily stores files, and delete files in the cache if you
need more disk space to install software.
 Configure settings for Internet-based client management.
 View configuration baselines that have been deployed to the client, initiate compliance
evaluation, and view compliance reports.
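The following script is an added example and is not part of the Configuration Manager documentation or product. It reads, from the client's own WMI namespace root\ccm, the same kind of properties the Control Panel application shows to the help desk (client version, assigned site, current management point, cache location and size) and triggers a machine policy retrieval without waiting for the next schedule. It assumes it is run in an elevated PowerShell session on a computer that has the client installed; the function names are the author's own.

```powershell
# Added example (not from the Configuration Manager documentation): help-desk
# inspection of a local Configuration Manager client through WMI (root\ccm).
# Run in an elevated PowerShell session on the client computer.

function Get-CcmClientSummary {
    # SMS_Client carries the client version; SMS_Authority carries the assigned
    # site (Name is "SMS:<sitecode>") and the management point currently in use.
    $client    = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Client
    $authority = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Authority

    # Cache settings come from the UIResource COM object that the applet also uses.
    $ui    = New-Object -ComObject 'UIResource.UIResourceMgr'
    $cache = $ui.GetCacheInfo()

    New-Object PSObject -Property @{
        ClientVersion          = $client.ClientVersion
        AssignedSite           = ($authority.Name -replace '^SMS:', '')
        CurrentManagementPoint = $authority.CurrentManagementPoint
        CacheLocation          = $cache.Location
        CacheSizeMB            = $cache.TotalSize
    }
}

function Invoke-CcmMachinePolicyRetrieval {
    # Schedule ID of the "Machine Policy Retrieval & Evaluation Cycle" client action,
    # the same action the Actions tab of the Control Panel application exposes.
    $machinePolicyScheduleId = '{00000000-0000-0000-0000-000000000021}'
    Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client `
        -Name TriggerSchedule -ArgumentList $machinePolicyScheduleId | Out-Null
}

Get-CcmClientSummary | Format-List
Invoke-CcmMachinePolicyRetrieval
```

Use the summary to confirm that the client talks to the management point you expect and that the cache is where (and as large as) the client settings say; the policy trigger is the scripted equivalent of the "Machine Policy Retrieval & Evaluation Cycle" action, and the result shows up in the client's policy logs rather than in the console output.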
Security
Security for System Center 2012 Configuration Manager consists of several layers. First,
Windows provides many security features for both the operating system and the network, such as
the following:
 File sharing to transfer files between System Center 2012 Configuration Manager
components
 Access Control Lists (ACLs) to secure files and registry keys
 IPsec for securing communications
 Group Policy for setting security policy
 DCOM permissions for distributed applications, such as the Configuration Manager console
 Active Directory Domain Services to store security principals
 Windows account security, including some groups that are created during
System Center 2012 Configuration Manager Setup
Additional security components, such as firewalls and intrusion detection, help provide defense in
depth for the entire environment. Certificates issued by industry standard PKI implementations
help provide authentication, signing, and encryption.
System Center 2012 Configuration Manager controls access to the Configuration Manager
console in several ways. By default, only local Administrators have rights to the files and registry
keys required to run the Configuration Manager console on computers where it is installed.
The next layer of security is based on access through Windows Management Instrumentation
(WMI), specifically the SMS Provider. The SMS Provider is restricted by default to members of
the local SMS Admins group. This group initially contains only the user who installed
System Center 2012 Configuration Manager. To grant other accounts permission to the Common
Information Model (CIM) repository and the SMS Provider, add the other accounts to the SMS
Admins group.
The final layer of security is based on permissions to objects in the site database. By default, the
Local System account and the user account that you used to install System Center 2012
Configuration Manager have access to administer all objects in the site database. You can grant
and restrict permissions to additional administrative users in the Configuration Manager console
by using role-based administration.
Role-Based Administration
System Center 2012 Configuration Manager uses role-based administration to secure objects
such as collections, deployments, and sites. This administration model centrally defines and
manages hierarchy-wide security access settings for all sites and site settings. Security roles are
assigned to administrative users and group permissions to different Configuration Manager object
types, such as the permissions to create or modify client settings. Security scopes group specific
instances of objects that an administrative user is responsible to manage, such as an application
that installs Microsoft Office 2010. The combination of security roles, security scopes, and
collections define what objects an administrative user can view and manage.
System Center 2012 Configuration Manager installs some default security roles for typical
management tasks, but you can create your own security roles to support your specific business
requirements.
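The following script is an added example and is not part of the Configuration Manager documentation or product. It audits the two access layers described above: membership of the local SMS Admins group, which gates access to the SMS Provider, and the role-based administration assignments that the SMS Provider stores in its SMS_Admin class (security roles in RoleNames, security scopes in CategoryNames, collections in CollectionNames), flagging every account that holds the built-in Full Administrator role. The provider computer name and site code are placeholders; the function names are the author's own.

```powershell
# Added example (not from the Configuration Manager documentation): least-privilege
# review of SMS Admins membership and role-based administration assignments.
# Replace the two placeholders before running.

$ProviderServer = 'PROVIDERSERVER'   # placeholder: computer that hosts the SMS Provider
$SiteCode       = 'XYZ'              # placeholder: three-character site code

function Get-SmsAdminsGroupMembers {
    # Layer 1: accounts that may reach the SMS Provider at all (local "SMS Admins" group).
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/SMS Admins,group"
    foreach ($member in $group.Invoke('Members')) {
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

function Get-RbacAssignments {
    # Layer 2: role-based administration as stored by the SMS Provider.
    # SMS_Admin holds one instance per administrative user.
    param([string]$ComputerName, [string]$SiteCode)
    $ns = "root\sms\site_$SiteCode"
    Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class SMS_Admin |
        ForEach-Object {
            $_.Get()   # load lazy properties before reading the arrays
            New-Object PSObject -Property @{
                LogonName   = $_.LogonName
                Roles       = ($_.RoleNames -join ', ')
                Scopes      = ($_.CategoryNames -join ', ')
                Collections = ($_.CollectionNames -join ', ')
                FullAdmin   = ($_.RoleNames -contains 'Full Administrator')
            }
        }
}

Write-Host "Members of SMS Admins on ${ProviderServer}:"
Get-SmsAdminsGroupMembers -ComputerName $ProviderServer

Write-Host "`nRole-based administration assignments (Full Administrator flagged):"
Get-RbacAssignments -ComputerName $ProviderServer -SiteCode $SiteCode |
    Sort-Object FullAdmin -Descending |
    Format-Table LogonName, FullAdmin, Roles, Scopes, Collections -AutoSize
```

Reviewing both lists together matters because an account in SMS Admins with no SMS_Admin entry can still query the provider, and an SMS_Admin entry whose roles and scopes are broader than the person's job is the usual way least privilege erodes over time.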
Securing Client Endpoints
Client communication to site system roles is secured by using either self-signed certificates, or by
using public key infrastructure (PKI) certificates. Computer clients that Configuration Manager
detects to be on the Internet and mobile device clients must use PKI certificates so that the client
endpoints can be secured by using HTTPS. The site system roles that clients connect to can be
configured for HTTPS or HTTP client communication. Client computers always communicate by
using the most secure method available and only fall back to using the less secure
communication method of HTTP on the intranet if you have site systems roles that allow HTTP
communication.
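The following script is an added example and is not part of the Configuration Manager documentation or product. It checks which client communication schemes a management point answers on by requesting the management point list endpoint (/sms_mp/.sms_aut?mplist, the path clients themselves query) over HTTPS and over HTTP, so an administrator can see whether a site system role still allows the less secure HTTP method on the intranet. The management point name is a placeholder; the function name is the author's own.

```powershell
# Added example (not from the Configuration Manager documentation): report whether
# a management point accepts HTTPS, HTTP, or both. A certificate that the calling
# computer does not trust surfaces as a WebException and is reported as such.

function Test-ManagementPointScheme {
    param(
        [string]$ManagementPoint,
        [ValidateSet('http', 'https')][string]$Scheme
    )
    $url = '{0}://{1}/sms_mp/.sms_aut?mplist' -f $Scheme, $ManagementPoint
    try {
        $request = [System.Net.HttpWebRequest]::Create($url)
        $request.Timeout = 10000
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
        New-Object PSObject -Property @{ Url = $url; Reachable = $true;  Detail = $status }
    } catch [System.Net.WebException] {
        New-Object PSObject -Property @{ Url = $url; Reachable = $false; Detail = $_.Exception.Message }
    }
}

$mp = 'MP01.corp.example'   # placeholder management point FQDN
$results = foreach ($scheme in 'https', 'http') {
    Test-ManagementPointScheme -ManagementPoint $mp -Scheme $scheme
}
$results | Format-Table Url, Reachable, Detail -AutoSize

$httpsOk = ($results | Where-Object { $_.Url -like 'https:*' }).Reachable
$httpOk  = ($results | Where-Object { $_.Url -like 'http:*'  }).Reachable
if ($httpOk -and -not $httpsOk) {
    Write-Warning 'Management point answers only on HTTP; clients cannot use the more secure method here.'
} elseif ($httpOk -and $httpsOk) {
    Write-Warning 'Management point accepts both HTTP and HTTPS; intranet clients may fall back to HTTP.'
}
```

Run it from a computer whose certificate trust matches the clients' (a trust failure on HTTPS is a finding in its own right), and repeat after changing a site system role to HTTPS-only to confirm that HTTP no longer answers.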
Configuration Manager Accounts and Groups
System Center 2012 Configuration Manager uses the Local System account for most site
operations. However, some management tasks might require creating and maintaining additional
accounts. Several default groups and SQL Server roles are created during Setup, but you might
have to manually add computer or user accounts to these default groups and roles.
Privacy
Although enterprise management products offer many advantages because they can effectively
manage large numbers of clients, you must also be aware of how this software might affect the
privacy of users in your organization. System Center 2012 Configuration Manager includes many
tools to gather data and monitor devices, some of which could raise privacy concerns.
For example, when you install the System Center 2012 Configuration Manager client, many
management settings are enabled by default, which result in the client software sending
information to the Configuration Manager site. Client information is stored in the Configuration
Manager database and it is not sent to Microsoft. Before you implement System Center 2012
Configuration Manager, consider your privacy requirements.
See Also
Getting Started with System Center 2012 Configuration Manager
Supported Configurations for Configuration Manager
This topic appears in the Getting Started with System Center 2012 Configuration
Manager guide and in the Site Administration for System Center 2012 Configuration
Manager guide.
This topic specifies the requirements necessary to implement and maintain Microsoft
System Center 2012 Configuration Manager in your environment.
The following sections list products that are supported with System Center 2012
Configuration Manager. No extension of support for these products beyond their current product
lifecycles is implied. Products that are beyond their current support lifecycle are not supported for
use with Configuration Manager. For more information about Microsoft Support Lifecycles, visit
the Microsoft Support Lifecycle website at Microsoft Support Lifecycle.
Note
Microsoft provides support for the current service pack and, in some cases, the
immediately preceding service pack. For additional information about Microsoft support
lifecycle policy, visit the Microsoft Support Lifecycle Support Policy FAQ Web site at
Microsoft Support Lifecycle Policy FAQ.
Warning
Products that are not listed in this document are not supported with System Center 2012
Configuration Manager unless they are announced on the System Center Configuration Manager
Team Blog.
 Interoperability Between System Center 2012 Configuration Manager and Configuration
Manager 2007 Sites
 Client Site Assignment Considerations
 Configuration Manager System Requirements
 Site and Site System Role Scalability
 Site System Requirements
 Computer Client Requirements
 Mobile Device Requirements
 Configuration Manager Console Requirements
 Supported Upgrade Paths
 Configurations for the SQL Server Site Database
 SQL Server Requirements
 Function-Specific Requirements
 Application Management
 Out of Band Management
 Remote Control Viewer
 Support for Active Directory Domains
 Active Directory Schema Extensions
 Disjoint Namespaces
 Single Label Domains
 Windows Environment
 Support for Internet Protocol Version 6
 Support for Specialized Storage Technology
 Support for Computers in Workgroups
 Support for Virtualization Environments
 Support for Network Address Translation
 DirectAccess Feature Support
 BranchCache Feature Support
 Fast User Switching
 Dual Boot Computers
Interoperability Between System Center 2012 Configuration Manager and
Configuration Manager 2007 Sites
A System Center 2012 Configuration Manager site or hierarchy cannot interoperate with a
Configuration Manager 2007 site or hierarchy. A Configuration Manager 2007 site cannot report
to a System Center 2012 Configuration Manager parent site, and you cannot upgrade a
Configuration Manager 2007 site to a System Center 2012 Configuration Manager site. Instead of
an in-place upgrade, you use System Center 2012 Configuration Manager migration to migrate
your Configuration Manager 2007 objects and data to System Center 2012
Configuration Manager. For information about migrating from Configuration Manager 2007 to
System Center 2012 Configuration Manager, see Migrating from Configuration Manager 2007 to
System Center 2012 Configuration Manager.
Because you can deploy a System Center 2012 Configuration Manager site or hierarchy side-by-
side with a Configuration Manager 2007 site or hierarchy, take action to prevent clients from
either version from trying to join a site from the other Configuration Manager version. For
example, if your Configuration Manager hierarchies have overlapping boundaries, including the
same network locations, you might assign each new client to a specific site instead of using
automatic site assignment. For information about automatic site assignment in
System Center 2012 Configuration Manager, see How to Assign Clients to a Site in Configuration
Manager.
System Center 2012 Configuration Manager supports only System Center 2012
Configuration Manager device and mobile device clients. The following clients and the following
VPN connection are not supported:
 Any Configuration Manager 2007 or earlier computer client version
 Any Configuration Manager 2007 or earlier device management client
 Windows CE Platform Builder device management client (any version)
 System Center Mobile Device Manager VPN connection
Client Site Assignment Considerations
System Center 2012 Configuration Manager clients can be assigned to only one site. When
automatic site assignment is used to assign clients to a site during client installation and more
than one boundary group includes the same boundary, and the boundary groups have different
assigned sites, the actual site assignment of a client cannot be predicted.
If boundaries overlap across multiple System Center 2012 Configuration Manager and
Configuration Manager 2007 site hierarchies, clients might not get assigned to the correct site
hierarchy or might not get assigned to a site at all.
System Center 2012 Configuration Manager clients check the version of the Configuration
Manager site before they complete site assignment and cannot assign to a Configuration
Manager 2007 site if boundaries overlap. However, Configuration Manager 2007 clients do not
check for the site version and can incorrectly assign to a System Center 2012
Configuration Manager site.
To prevent Configuration Manager 2007 clients from unintentionally assigning to a
System Center 2012 Configuration Manager site when the two hierarchies have overlapping
boundaries, configure Configuration Manager 2007 client installation parameters to assign clients
to a specific site.
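The following script is an added example and is not part of the Configuration Manager documentation or product. On a client that sits inside boundaries shared by two hierarchies, it reads the assigned site through the SMS_Client WMI class (GetAssignedSite), compares it with the site code you intend, and, only when asked, corrects the assignment with SetAssignedSite. The expected site code is a placeholder; the function names are the author's own.

```powershell
# Added example (not from the Configuration Manager documentation): verify, and
# optionally correct, the site a local client is assigned to. Run elevated on
# the client computer.

function Get-CcmAssignedSite {
    $smsClient = [wmiclass]'root\ccm:SMS_Client'
    $smsClient.GetAssignedSite().sSiteCode
}

function Assert-CcmSiteAssignment {
    param(
        [string]$ExpectedSiteCode,
        [switch]$Fix   # without -Fix the function only reports
    )
    $current = Get-CcmAssignedSite
    if ($current -eq $ExpectedSiteCode) {
        "Client is assigned to $current as expected."
        return
    }
    Write-Warning "Client is assigned to '$current' but '$ExpectedSiteCode' was expected."
    if ($Fix) {
        ([wmiclass]'root\ccm:SMS_Client').SetAssignedSite($ExpectedSiteCode) | Out-Null
        "Assignment changed to $ExpectedSiteCode."
    }
}

Assert-CcmSiteAssignment -ExpectedSiteCode 'XYZ'   # placeholder site code; add -Fix to correct it
```

At installation time the equivalent control is the SMSSITECODE client installation property of CCMSetup, which is what the paragraph above means by assigning clients to a specific site instead of relying on automatic site assignment; the script is for clients that were already installed with automatic assignment.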
Configuration Manager System Requirements
The following sections specify the hardware and software requirements that are necessary to
implement and maintain Microsoft System Center 2012 Configuration Manager in your
environment.
Site and Site System Role Scalability
The following table contains information about the number of clients supported at each site type
and by each client-facing site system role. This information is based on the recommended
hardware for site systems. For information about the recommended hardware for Configuration
Manager sites, see Planning for Hardware Configurations for Configuration Manager. For
information about the minimum required hardware to run a Configuration Manager site, see
Minimum Hardware Requirements for Site Systems, in this topic.
Site or site system role: More information

Central administration site
 A central administration site can support up to 25 child primary sites.
 When using SQL Server Enterprise or Datacenter for the site database at the central administration site, the shared database and hierarchy supports up to 400,000 clients. The maximum number of supported clients per hierarchy depends on the SQL Server edition in the central administration site, and is independent of the SQL Server edition at primary or secondary sites.
Note: Configuration Manager supports up to 400,000 clients per hierarchy when you use the default settings for all Configuration Manager features.
 When you use SQL Server Standard for the site database at the central administration site, the shared database and hierarchy supports up to 50,000 clients. This is because of how the database is partitioned. After you install Configuration Manager, if you then upgrade the edition of SQL Server at the central administration site from Standard to Enterprise or Datacenter, the database does not repartition and this limitation remains.
Note: You cannot assign Configuration Manager clients to a central administration site. Support for clients applies to clients that are assigned to child primary sites in the hierarchy.

Primary site
 Each primary site can support up to 250 secondary sites.
Note: The number of secondary sites per primary site is based on well connected and reliable wide area network (WAN) connections. For locations that have fewer than 500 clients, consider a distribution point instead of a secondary site.
 A stand-alone primary site always supports up to 100,000 clients.
 A child primary site that uses SQL Server installed on the same computer as the site server can support up to 50,000 clients. When you use SQL Server that is installed on a computer that is remote from the site server, the child primary site can support up to 100,000 clients.
Note: In a hierarchy with a central administration site that uses a standard edition SQL Server, the total number of clients supported in the hierarchy is limited to 50,000. In this hierarchy, a child primary site that uses a remote installation of SQL Server cannot support more clients than is supported by the hierarchy. The version of SQL Server that is used by a secondary site does not affect the number of clients that the primary site supports.
 Unlike a central administration site, the edition of SQL Server you use for the primary site database does not affect the maximum number of clients the primary site supports. This is true for both child primary sites, and stand-alone primary sites.

Secondary site
 Each secondary site can support communications from up to 5,000 clients when you use a secondary site server computer with the recommended hardware and that has a fast and reliable network connection to its primary parent site. A secondary site might be able to support communications from additional clients when its hardware configuration exceeds the recommended hardware configuration. For information about the recommended hardware for Configuration Manager sites, see Planning for Hardware Configurations for Configuration Manager.

Management point
Primary site:
 Each primary site management point can support up to 25,000 computer clients. To support 100,000 clients you must have at least four management points.
Note: Do not place management points across a slow link from their primary site server or from the site database server.
 Each primary site can support up to 10 management points.
Note: When you have more than four management points in a primary site, you do not increase the supported client count of the primary site beyond 100,000. Instead, any additional management points provide redundancy for communications from clients.
Secondary site:
 Each secondary site supports a single management point that must be installed on the secondary site server.
 The secondary site management point supports communications from the same number of clients as supported by the hardware configuration of the secondary site server.

Distribution point
 Individually, each primary site supports up to 250 distribution points and each distribution point can support up to 4,000 clients.
 Individually, each secondary site supports up to 250 distribution points and each distribution point can support up to the same number of clients as supported by the hardware configuration of the secondary site server, up to a maximum of 4,000 clients.
 Each primary site supports a combined total of up to 5,000 distribution points. This total includes all the distribution points at the primary site and all distribution points that belong to the primary site’s child secondary sites.
Note: The number of clients that one distribution point can support depends on the speed of your network, the disk performance of the distribution point computer, and the application or package size.

Software update point
 Each site supports one active software update point for use on the intranet, and optionally, one software update point for use on the Internet. You can configure each of these software update points as a Network Load Balancing (NLB) cluster. You can have up to four software update points in the NLB cluster.
 A software update point that is installed on the site server can support up to 25,000 clients.
 A software update point that is installed on a computer that is remote from the site server can support up to 100,000 clients.
Note: For more information, see Planning for Software Updates in Configuration Manager.

Fallback status point
 Each primary site supports one fallback status point.
 Each fallback status point can support up to 100,000 clients.

Application Catalog website point
 Each instance of this site system role supports up to 400,000 clients, providing service for the entire hierarchy.
 You can install multiple instances of the Application Catalog website point at primary sites.
 For improved performance, plan to support up to 50,000 clients per instance.
Tip: As a best practice, install the Application Catalog website point and Application Catalog web service point together on the same site system when they provide service to clients that are on the intranet.

Application Catalog web service point
 Each instance of this site system role supports up to 400,000 clients, providing service for the entire hierarchy.
 You can install multiple instances of the Application Catalog web service point at primary sites.
 For improved performance, plan to support up to 50,000 clients per instance.
Tip: As a best practice, install the Application Catalog website point and Application Catalog web service point together on the same site system when they provide service to clients that are on the intranet.

System Health Validator point
 Each System Health Validator point can support up to 100,000 clients.
Site System Requirements
Each System Center 2012 Configuration Manager site system server must use a 64-bit operating
system. The only exception to this is the distribution point site system role which can be installed
on limited 32-bit operating system versions.
Limitations for site systems:
 Site systems are not supported on Server Core installations of the Windows Server 2008 or
Windows Server 2008 R2, or Windows Server 2008 Foundation or Windows Server 2008 R2
Foundation operating systems.
 It is not supported to change the domain membership or computer name of a Configuration
Manager site system after it is installed.
 Site system roles are not supported on an instance of a Windows Server cluster. The only
exception to this is the site database server.
The following sections list the hardware requirements and operating system requirements for
System Center 2012 Configuration Manager sites, typical site system roles, and function-specific
site system roles.
Prerequisites for Site System Roles
The following table identifies prerequisites that are required by Configuration Manager for each
site system role. Some prerequisites, such as SQL Server for the site database server, or
Windows Server Update Services (WSUS) for the software update point, might require additional
prerequisites that are not directly required by the site system role.
For site system roles that require Internet Information Services (IIS), use a version of IIS that the
computer supports that runs the site system role. For information, see the following sections,
Operating System Requirements for Typical Site System Roles and Operating System
Requirements for Function-Specific Site System Roles, in this topic.
Site system role .NET
Framework
version
1
Windows
Communication
Foundation
(WCF) activation
2
Role services for the
web server (IIS) role
Additional
prerequisites
Site server Requires
the
following:
Not applicable Not applicable Windows feature:
 Remote
Differential
93
Site system role .NET
Framework
version
1
Windows
Communication
Foundation
(WCF) activation
2
Role services for the
web server (IIS) role
Additional
prerequisites
 3.51
SP1
 4.0
Compression
By default, a
secondary site
installs a
management point
and a distribution
point. Therefore
secondary sites
must meet the
prerequisites for
these site system
roles.
Database server Not
applicable
Not applicable Not applicable A version of
SQL Server that
Configuration
Manager supports
must be installed on
this computer.
When you install
SQL Server
Express as part of a
secondary site
installation, the
secondary site
server computer
must meet the
requirements for
SQL Server
Express.
SMS Provider
Server
Not
applicable
Not applicable Not applicable Not applicable
Application
Catalog web
service point
Requires
the
following:
 3.51
SP1
Requires the
following options
for WCF
activation:
 HTTP
Activation
Requires the default
IIS configuration with
the following
additions:
 Application
Development:
Not applicable
94
Site system role .NET
Framework
version
1
Windows
Communication
Foundation
(WCF) activation
2
Role services for the
web server (IIS) role
Additional
prerequisites
 4.0  Non-HTTP
Activation
 ASP.NET
(and
automatically
selected
options)
 IIS 6
Management
Compatibility:
 IIS 6
Metabase
Compatibility
Application
Catalog website
point
Requires
the
following:
 4.0
Not applicable Requires the default
IIS configuration with
the following
additions:
 Common HTTP
Features:
 Static
Content
 Default
Document
 Application
Development:
 ASP.NET
(and
automatically
selected
options)
3
 Security:
 Windows
Authenticatio
n
 IIS 6
Management
Compatibility:
 IIS 6
Metabase
Compatibility
Not applicable
Asset Intelligence synchronization point
  .NET Framework version: Requires the following: 4.0
  WCF activation: Not applicable
  IIS role services: Not applicable
  Additional prerequisites: Not applicable
Distribution point (4)
  .NET Framework version: Not applicable
  WCF activation: Not applicable
  IIS role services: You can use the default IIS configuration, or a custom configuration. To use a custom IIS configuration, you must enable the following options for IIS:
    • Application Development: ISAPI Extensions
    • Security: Windows Authentication
    • IIS 6 Management Compatibility: IIS 6 Metabase Compatibility; IIS 6 WMI Compatibility
  When you use a custom IIS configuration you can remove options that are not required, including the following:
    • Common HTTP Features: HTTP Redirection
    • IIS Management Scripts and Tools
  Additional prerequisites: Windows feature: Remote Differential Compression; BITS Server Extensions (and automatically selected options), or Background Intelligent Transfer Services (BITS) (and automatically selected options). To support PXE or multicast, install the following Windows role: Windows Deployment Services.
Endpoint Protection point
  .NET Framework version: Requires the following: 3.5 SP1
  WCF activation: Not applicable
  IIS role services: Not applicable
  Additional prerequisites: Not applicable
Enrollment point
  .NET Framework version: Requires the following: 3.5 SP1
  WCF activation: Requires the following options for WCF activation: HTTP Activation; Non-HTTP Activation
  IIS role services: Requires the default IIS configuration with the following additions:
    • Application Development: ASP.NET (and automatically selected options)
  Additional prerequisites: Not applicable
Enrollment proxy point
  .NET Framework version: Requires the following: 3.5 SP1
  WCF activation: Requires the following options for WCF activation: HTTP Activation; Non-HTTP Activation
  IIS role services: Requires the default IIS configuration with the following additions:
    • Application Development: ASP.NET (and automatically selected options)
  Additional prerequisites: Not applicable
Fallback status point
  .NET Framework version: Not applicable
  WCF activation: Not applicable
  IIS role services: Requires the default IIS configuration with the following additions:
    • IIS 6 Management Compatibility: IIS 6 Metabase Compatibility
  Additional prerequisites: Not applicable
Management point
  .NET Framework version: Requires the following when configured to support mobile devices: 3.5 SP1 (5)
  WCF activation: Not applicable
  IIS role services: You can use the default IIS configuration, or a custom configuration. To use a custom IIS configuration, you must enable the following options for IIS:
    • Application Development: ISAPI Extensions
    • Security: Windows Authentication
    • IIS 6 Management Compatibility: IIS 6 Metabase Compatibility; IIS 6 WMI Compatibility
  When you use a custom IIS configuration you can remove options that are not required, including the following:
    • Common HTTP Features: HTTP Redirection
    • IIS Management Scripts and Tools
  Additional prerequisites: Windows feature: BITS Server Extensions (and automatically selected options), or Background Intelligent Transfer Services (BITS) (and automatically selected options)
Out of band service point
  .NET Framework version: Requires the following: 4.0
  WCF activation: Requires the following options for WCF activation: HTTP Activation; Non-HTTP Activation
  IIS role services: Not applicable
  Additional prerequisites: Not applicable
Reporting services point
  .NET Framework version: Requires the following: 4.0
  WCF activation: Not applicable
  IIS role services: Not applicable
  Additional prerequisites: SQL Server Reporting Services installed and configured to use at least one instance for the reporting services point.
Software update point
  .NET Framework version: Requires the following: 3.51 SP1; 4.0
  WCF activation: Not applicable
  IIS role services: Requires the default IIS configuration
  Additional prerequisites: Windows Server Update Services (WSUS) 3.0 SP2 must be installed on this computer.
State migration point
  .NET Framework version: Not applicable
  WCF activation: Not applicable
  IIS role services: Requires the default IIS configuration
  Additional prerequisites: Not applicable
System Health Validator point
  .NET Framework version: Not applicable
  WCF activation: Not applicable
  IIS role services: Not applicable
  Additional prerequisites: This site system role is supported only on a NAP health policy server.
1 Install the full version of the Microsoft .NET Framework before you install the site system roles. For example, see the Microsoft .NET Framework 4 (Stand-Alone Installer). The Microsoft .NET Framework 4 Client Profile is insufficient for this requirement.
2 You can configure WCF activation as part of the .NET Framework Windows feature on the site system server. For example, on Windows Server 2008 R2, run the Add Features Wizard to install additional features on the server. On the Select Features page, expand .NET Framework 3.5.1 Features, then expand WCF Activation, and then select the check box for both HTTP Activation and Non-HTTP Activation to enable these options.
3 In some scenarios, such as when IIS is installed or reconfigured after the .NET Framework version 4.0 is installed, you must explicitly enable ASP.NET version 4.0. For example, on a 64-bit computer that runs the .NET Framework version 4.0.30319, run the following command:
%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i -enable
4 You must manually install IIS on computers that run a supported version of Windows Server 2003. Additionally, to install IIS and configure the additional Windows features, the computer might require access to the Windows Server 2003 source media.
5 By default, a management point does not require the .NET Framework. However, each management point that you enable to support mobile devices does require the .NET Framework 3.5 SP1.
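The prerequisite table above is long enough that checking a server by hand is error-prone. The following PowerShell is an added example, not part of the Configuration Manager documentation or the product: it reports which Windows features from the table are missing on the local Windows Server 2008 R2 computer for a chosen role, and checks footnote 1 (full .NET Framework 4, not the Client Profile). The Server Manager feature names it uses are my mapping of the table's IIS, BITS and .NET options; verify them with Get-WindowsFeature on your own server before relying on the result.

```powershell
# Added example, not from the Configuration Manager documentation. Reports which Windows
# features from the site system role prerequisite table are missing on the local server.
# Assumptions (mine): Windows Server 2008 R2 with the ServerManager module; the feature
# names below are my mapping of the table's options and must be verified on your server.
# Run from an elevated PowerShell session.
Import-Module ServerManager

# Feature names per role, transcribed from the table. For the management point and the
# distribution point this is the "custom IIS configuration" minimum set.
$RoleFeatures = @{
    'SiteServer'           = @('RDC')
    'ManagementPoint'      = @('Web-ISAPI-Ext', 'Web-Windows-Auth', 'Web-Metabase', 'Web-WMI', 'BITS-IIS-Ext')
    'DistributionPoint'    = @('Web-ISAPI-Ext', 'Web-Windows-Auth', 'Web-Metabase', 'Web-WMI', 'BITS-IIS-Ext', 'RDC')
    'AppCatalogWebService' = @('NET-Framework-Core', 'NET-HTTP-Activation', 'NET-Non-HTTP-Activ', 'Web-Asp-Net', 'Web-Metabase')
    'AppCatalogWebsite'    = @('Web-Static-Content', 'Web-Default-Doc', 'Web-Asp-Net', 'Web-Windows-Auth', 'Web-Metabase')
    'EnrollmentPoint'      = @('NET-Framework-Core', 'NET-HTTP-Activation', 'NET-Non-HTTP-Activ', 'Web-Asp-Net')
    'FallbackStatusPoint'  = @('Web-Metabase')
}

function Get-MissingRoleFeature {
    param([Parameter(Mandatory = $true)][string]$Role)
    if (-not $RoleFeatures.ContainsKey($Role)) {
        throw "Unknown role '$Role'. Known roles: $($RoleFeatures.Keys -join ', ')"
    }
    # Query Server Manager once and index by feature name, so that a feature name that
    # does not exist on this OS version is reported instead of raising an error.
    $state = @{}
    foreach ($f in Get-WindowsFeature) { $state[$f.Name] = $f.Installed }
    foreach ($name in $RoleFeatures[$Role]) {
        if (-not $state.ContainsKey($name)) {
            New-Object PSObject -Property @{ Role = $Role; Feature = $name; State = 'UnknownName' }
        } elseif (-not $state[$name]) {
            New-Object PSObject -Property @{ Role = $Role; Feature = $name; State = 'Missing' }
        }
    }
}

function Test-NetFramework4Full {
    # Footnote 1: the .NET Framework 4 Client Profile is insufficient. The full framework
    # registers under NDP\v4\Full; the Client Profile alone only creates NDP\v4\Client.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    return (Test-Path $key) -and ((Get-ItemProperty $key).Install -eq 1)
}

# Example run: a server that will host a management point and both Application Catalog roles.
$missing = @('ManagementPoint', 'AppCatalogWebService', 'AppCatalogWebsite') |
    ForEach-Object { Get-MissingRoleFeature -Role $_ }
if ($missing) { $missing | Format-Table Role, Feature, State -AutoSize }
else { 'All Windows features listed for the selected roles are installed.' }
if (-not (Test-NetFramework4Full)) {
    Write-Warning 'The full .NET Framework 4 is not installed; the Client Profile does not satisfy footnote 1.'
}
```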
Minimum Hardware Requirements for Site Systems
This section identifies the minimum hardware requirements for Configuration Manager site systems. These requirements are sufficient to support all features of Configuration Manager in an environment with up to 100 clients. This information is suitable for testing environments. For guidance about the recommended hardware for Configuration Manager in full-scale production environments, see Planning for Hardware Configurations for Configuration Manager.
The following minimum requirements apply to all site types (central administration site, primary site, secondary site) when you install all available site system roles on the site server computer.
Hardware component | Requirement
Processor | Minimum: AMD Opteron, AMD Athlon 64, Intel Xeon with Intel EM64T support, Intel Pentium IV with EM64T support; Minimum: 1.4 GHz
RAM | Minimum: 2 GB
Free disk space | Available: 10 GB; Total: 50 GB
Operating System Requirements for Site Servers, Database Servers, and the SMS Provider
The following tables list the supported operating systems for System Center 2012
Configuration Manager site servers, the database server, and the SMS Provider site system role.
Important
Operating system | System architecture | Central administration site | Primary site | Secondary site | Site database server (1) | SMS Provider
Windows Server 2008: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) | x64 | √ | √ | √ (2) | √ (2) | √
Windows Server 2008 R2: Standard Edition, Enterprise Edition, Datacenter Edition (each without service pack, or with SP1) | x64 | √ | √ | √ (2) | √ (2) | √
1 For more information about the versions of SQL Server that Configuration Manager supports, see Configurations for the SQL Server Site Database in this topic.
2 Site database servers and secondary site servers are not supported on a computer that runs Windows Server 2008 or Windows Server 2008 R2 when that computer uses a read-only domain controller (RODC).
Operating System Requirements for Typical Site System Roles
The following table specifies the operating systems that can support multi-function site system
roles.
Operating system | System architecture | Distribution point (3) | Enrollment point and enrollment proxy point | Fallback status point | Management point
Windows Vista: Business Edition (SP1), Enterprise Edition (SP1), Ultimate Edition (without service pack, or with SP1) | x64 | √ (1, 2) | Not supported | Not supported | Not supported
Windows 7: Professional, Enterprise Editions, Ultimate Editions (each without service pack, or with SP1) | x86, x64 | √ (1, 2) | Not supported | Not supported | Not supported
Windows Server 2003 R2: Standard Edition, Enterprise Edition | x86, x64 | √ (2) | Not supported | Not supported | Not supported
Windows Server 2003: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) | x86, x64 | √ (2) | Not supported | Not supported | Not supported
Windows Server 2003: Web Edition (SP2), Storage Server Edition (SP2) | x86 | √ (2) | Not supported | Not supported | Not supported
Windows Server 2008: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) | x64 | √ (2) | √ | √ | √
Windows Server 2008 R2: Standard Edition (without service pack, or with SP1), Enterprise Edition (without service pack, or with SP1), Datacenter Edition (SP1) | x64 | √ | √ | √ | √
1 Distribution points on this operating system are not supported for PXE.
2 Distribution points on this operating system version do not support Multicast.
3 Unlike other site system roles, distribution points are supported on some 32-bit operating systems. Distribution points also support several different configurations that each have different requirements and in some cases support installation not only on servers, but on client operating systems. For more information about the options available for distribution points, see Prerequisites for Content Management in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.
Operating System Requirements for Function-Specific Site System Roles
The following table specifies the operating systems that are supported for use with each feature-
specific Configuration Manager site system role.
Operating system | System architecture | Application Catalog web service point and Application Catalog website point | Asset Intelligence synchronization point | Endpoint Protection point | Out of band service point | Reporting services point | Software update point | State migration point | System Health Validator point
Windows Server 2008: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) | x64 | √ | √ | √ | √ | √ | √ | √ | √
Windows Server 2008 R2: Standard Edition (without service pack, or with SP1), Enterprise Edition (without service pack, or with SP1), Datacenter Edition (SP1) | x64 | √ | √ | √ | √ | √ | √ | √ | √
Computer Client Requirements
The following sections describe the operating systems and hardware supported for
System Center 2012 Configuration Manager computer client installation. Ensure that you also
review Prerequisites for Client Deployment in Configuration Manager for a list of dependencies
for the installation of the Configuration Manager client on computers and mobile devices.
Computer Client Hardware Requirements
The following are minimum requirements for computers that you manage with Configuration
Manager.
Requirement | Details
Processor and memory | Refer to the processor and RAM requirements for the computer's operating system.
  Note
  An exception to this is Windows XP and Windows 2003, which both require a minimum of 256 MB of RAM.
Disk space | 500 MB available disk space, with 5 GB recommended for the Configuration Manager client cache.
The following are additional hardware requirements for optional functionality in Configuration Manager.
Function | Minimum hardware requirements
Operating system deployment | 384 MB of RAM
Software Center | 500 MHz processor
Remote Control | Pentium 4 Hyper-Threaded 3 GHz (single core) or comparable CPU, with at least 1 GB of RAM for optimal experience.
Out of Band Management | Desktop or laptop computers must have the Intel vPro Technology or Intel Centrino Pro and a supported version of Intel AMT.
Operating System Requirements for Configuration Manager Client Installation
The following table specifies the operating systems supported for Configuration Manager client
installation. For server platforms, client support is independent of any other service that runs on
that server unless noted otherwise. For example, the client is supported on domain controllers
and servers that run cluster services or terminal services.
Operating system | System architecture | System Center 2012 Configuration Manager
Windows XP Professional (SP3) | x86 | √
Windows XP Professional for 64-bit Systems (SP2) | x64 | √
Windows XP Tablet PC (SP3) | x86 | √
Windows Vista: Business Edition (SP2), Enterprise Edition (SP2), Ultimate Edition (SP2) | x86, x64 | √
Windows 7: Professional, Enterprise Editions, Ultimate Editions (each without service pack, or with SP1) | x86, x64 | √
Windows Server 2003 Web Edition (SP2) | x86 | √
Windows Server 2003: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) (1) | x86, x64 | √
Windows Server 2003 R2 SP2: Standard Edition, Enterprise Edition, Datacenter Edition (1) | x86, x64 | √
Windows Storage Server 2003 R2 SP2 | x86, x64 | √
Windows Server 2008: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) (1) | x86, x64 | √
The Server Core installation of Windows Server 2008 (SP2) | x86, x64 | √
Windows Storage Server 2008 R2: Standard, Enterprise | x64 | √
Windows Server 2008 R2: Standard Edition, Enterprise Edition, Datacenter Edition (1) (each without service pack, or with SP1) | x64 | √
The Server Core installation of Windows Server 2008 R2 (without service pack, or with SP1) | x64 | √
Windows Server 2008 R2 SP2: Standard Edition, Enterprise Edition, Datacenter Edition (1) | x64 | √
1 Datacenter releases are supported but not certified for System Center 2012 Configuration Manager. Hotfix support is not offered for issues specific to Windows Server Datacenter Edition.
Embedded Operating System Requirements for Configuration Manager Clients
System Center 2012 Configuration Manager supports clients for integration with
Windows Embedded. Support limitations for Windows Embedded:
• All client features are supported natively on supported Windows Embedded systems that do not have write filters enabled. For Windows Embedded systems that do have write filters enabled, the client features must be accomplished through the use of task sequences.
• The Application Catalog is not supported for any Windows Embedded system.
• Endpoint Protection in System Center 2012 Configuration Manager is not supported with versions of Windows Embedded that are based on Windows XP.
Configuration Manager supports the following Windows Embedded versions.
Windows Embedded operating system | Base operating system | System architecture
Windows Embedded Standard 2009 | Windows XP SP3 | x86
Windows XP Embedded SP3 | Windows XP SP3 | x86
Windows Fundamentals for Legacy PCs (WinFLP) | Windows XP SP3 | x86
Windows Embedded POSReady 2009 | Windows XP SP3 | x86
WEPOS 1.1 with SP3 | Windows XP SP3 | x86
Windows Embedded Standard 7 with SP1 | Windows 7 | x86, x64
Windows Embedded POSReady 7 | Windows 7 | x86, x64
Windows Thin PC | Windows 7 | x86, x64
Mobile Device Requirements
The following sections describe the hardware and operating systems that are supported for
managing mobile devices in System Center 2012 Configuration Manager.
The following mobile device clients are not supported in the Configuration Manager
hierarchy:
• Device management clients from System Management Server 2003 and Configuration Manager 2007
• Windows CE Platform Builder device management client (any version)
• System Center Mobile Device Manager VPN connection
Mobile Devices Enrolled By Configuration Manager
The following sections describe the hardware and operating systems that are supported for the
mobile devices enrolled by System Center 2012 Configuration Manager.
Enrolled Mobile Device Client Language and Operating System Requirements
The following table lists the platforms and languages that support Configuration Manager
enrollment.
Operating system | Supported languages
Windows Mobile 6.1 | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Note
Windows Mobile 6.5 | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Nokia Symbian Belle | Arabic, Basque (Basque), Bulgarian, Catalan, Chinese (Hong Kong SAR), Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, English (UK), English (US), Estonian, Farsi, Finnish, French (Canada), French (France), Galician, German, Greek, Hebrew, Hungarian, Icelandic, Indonesian, Italian, Kazakh, Korean, Latvian, Lithuanian, Malay, Norwegian, Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian (Latin/Cyrillic), Slovak, Slovenian, Spanish (Latin America), Spanish (Spain), Swedish, Tagalog (Filipino), Thai, Turkish, Ukrainian, Urdu, Vietnamese
Mobile Device Support by Using the Exchange Server Connector
System Center 2012 Configuration Manager offers limited management for mobile devices when you use the Exchange Server connector for Exchange ActiveSync (EAS) capable devices that connect to a server running Exchange Server. For more information about which management functions Configuration Manager supports for mobile devices that the Exchange Server connector manages, see Determine How to Manage Mobile Devices in Configuration Manager.
The following table lists the platforms that support the Exchange Server connector.
Version of Exchange Server | Supported
Exchange Server 2010 SP1 | √
Exchange Online (Office 365) (1) | √
1 Includes Business Productivity Online Standard Suite.
Mobile Device Legacy Client
The following sections list the hardware and operating systems that are supported for the mobile
device legacy client in System Center 2012 Configuration Manager.
Mobile Device Legacy Client Hardware Requirements
The mobile device client requires 0.78 MB of storage space to install. In addition, logging on the
mobile device can require up to 256 KB of storage space.
Mobile Device Legacy Client Operating System Requirements
System Center 2012 Configuration Manager supports management for Windows Phone,
Windows Mobile, and Windows CE when you install the Configuration Manager mobile device
legacy client. Features for these mobile devices vary by platform and client type. For more
information about which management functions Configuration Manager supports for the mobile
device legacy client, see Determine How to Manage Mobile Devices in Configuration Manager.
The mobile device legacy client is supported on the following mobile device platforms:
Operating system | Supported languages
Windows CE 5.0 (Arm and x86 processors) | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Windows CE 6.0 (Arm and x86 processors) | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Windows CE 7.0 (Arm and x86 processors) | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Windows Mobile 6.0 | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Configuration Manager Console Requirements
The Configuration Manager console is supported on the operating systems that are listed in the
following table. Each computer that installs the Configuration Manager console requires the
Microsoft .NET Framework 4.
Operating system | System architecture | System Center 2012 Configuration Manager
Windows XP Professional (SP3) | x86 | √
Windows Vista: Business Edition (SP2), Enterprise Edition (SP2), Ultimate Edition (SP2) | x86, x64 | √
Windows Server 2008: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) | x86, x64 | √
Windows 7: Professional Edition, Enterprise Edition, Ultimate Edition (each without service pack, or with SP1) | x86, x64 | √
Windows Server 2008 R2: Standard Edition, Enterprise Edition, Datacenter Edition (each without service pack, or with SP1) | x64 | √
It is supported to install the System Center 2012 Configuration Manager console on the same
computer with the Configuration Manager 2007 console. However, you cannot use the
System Center 2012 Configuration Manager console to manage Configuration Manager 2007
sites, and vice versa.
The requirements in the following table apply to each computer that runs the Configuration Manager console.
Minimum hardware configuration:
  • 1 x Pentium 4 Hyper-Threaded 3 GHz (Intel Pentium 4 HT 630 or comparable CPU)
  • 2 GB of RAM
  • 2 GB of disk space
Screen resolution:
  DPI setting | Minimum resolution
  96 / 100% | 1024x768
  120 / 125% | 1280x960
  144 / 150% | 1600x1200
  196 / 200% | 2500x1600
Supported Upgrade Paths
The following sections identify the upgrade options for System Center 2012
Configuration Manager, the operating system version of site servers and clients, and the
SQL Server version of database servers.
Site Upgrade
System Center 2012 Configuration Manager is available in the following releases.
Configuration Manager version: System Center 2012 Configuration Manager
Release options:
  • An evaluation release, which expires 180 days after installation.
  • A complete release, to perform a new installation.
More information: You can install System Center 2012 Configuration Manager as either a full installation, or as a trial installation. If you install Configuration Manager as a trial installation, after 180 days you can only connect a read-only Configuration Manager console and Configuration Manager functionality is limited. At any time before or after the 180 day period, you have the option to upgrade the trial installation to a full installation.
  System Center 2012 Configuration Manager supports migration of your Configuration Manager 2007 infrastructure but does not support an in-place upgrade of sites from Configuration Manager 2007. However, migration supports the upgrade of a Configuration Manager 2007 distribution point, or secondary site that is co-located with a distribution point, to a System Center 2012 Configuration Manager distribution point.
  For more information about migrating to System Center 2012 Configuration Manager from Configuration Manager 2007, see Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager.
Upgrade of the Site Server Operating System
Configuration Manager supports an in-place upgrade of the operating system of the site server in the following situations:
• In-place upgrade to a higher Windows Server service pack so long as the resulting service pack level remains supported by Configuration Manager.
Configuration Manager does not support the following Windows Server upgrade scenarios.
• Any version of Windows Server 2008 to any version of Windows Server 2008 R2.
When a direct operating system upgrade is not supported, perform one of the following procedures after you have installed the new operating system:
• Install System Center 2012 Configuration Manager with the service pack level that you want, and configure the site according to your requirements.
• Install System Center 2012 Configuration Manager with the service pack level that you want and perform a site recovery. This scenario requires that you have a site backup that was created by using the Backup Site Server maintenance task on the original Configuration Manager site, and that you use the same installation settings for the new System Center 2012 Configuration Manager site.
Client Operating System Upgrade
Configuration Manager supports an in-place upgrade of the operating system for Configuration Manager clients in the following situations:
• In-place upgrade to a higher Windows Server service pack so long as the resulting service pack level remains supported by Configuration Manager.
Site Database Server Upgrade Considerations
Configuration Manager supports an in-place upgrade of SQL Server on the site database server in the following situations:
• In-place upgrade of SQL Server to a higher service pack so long as the resulting SQL Server service pack level remains supported by Configuration Manager.
To upgrade SQL Server on the site database server:
1. Stop all Configuration Manager services at the site.
2. Upgrade SQL Server to a supported version.
3. Restart the Configuration Manager services.
Configurations for the SQL Server Site Database
Each System Center 2012 Configuration Manager site database can be installed on either the
default instance or a named instance of a SQL Server installation. The SQL Server instance can
be co-located with the site system server, or on a remote computer.
When you use a remote SQL Server computer, the instance of SQL Server used to host the site
database can also be configured as a SQL Server failover cluster in an active/passive cluster, or
a multiple instance configuration. The site database site system role is the only
System Center 2012 Configuration Manager site system role supported on an instance of a
Windows Server cluster. If you use a SQL Server cluster for the site database, you must add the
computer account of the site server to the Local Administrators group of each Windows Server
cluster node computer.
Note
SQL Server database mirroring is not supported for the Configuration Manager site database.
When you install a secondary site, you can use an existing instance of SQL Server or allow Setup to install and use an instance of SQL Server 2008 Express. Whichever option you choose, SQL Server must be located on the secondary site server.
The following table lists the SQL Server versions that are supported by System Center 2012 Configuration Manager.
SQL Server version | Central administration site | Primary site | Secondary site
SQL Server 2008 SP2 with a minimum of Cumulative Update 9: Standard (1), Enterprise, Datacenter | √ | √ | √
SQL Server 2008 SP3 with a minimum of Cumulative Update 4: Standard (1), Enterprise, Datacenter | √ | √ | √
SQL Server 2008 R2 with SP1 and with a minimum of Cumulative Update 6: Standard (1), Enterprise, Datacenter | √ | √ | √
SQL Server Express 2008 R2 with SP1 and with a minimum of Cumulative Update 4 | Not Supported | Not Supported | √
1 When you use SQL Server Standard for the database at the central administration site, the hierarchy can only support up to 50,000 clients. For more information see Site and Site System Role Scalability.
SQL Server Requirements
The following are required configurations for each database server with a full SQL Server
installation, and on each SQL Server Express installation that you manually configure for
secondary sites. You do not have to configure SQL Server Express for a secondary site if
SQL Server Express is installed by Configuration Manager.
Database collation: The instance of SQL Server in use at each site must use the following collation: SQL_Latin1_General_CP1_CI_AS.
SQL Server features: Only the Database Engine Services feature is required for each site server.
  Note
  Configuration Manager database replication does not require the SQL Server replication feature.
Windows Authentication: Configuration Manager requires Windows authentication to validate connections to the database.
SQL Server instance: You must use a dedicated instance of SQL Server for each site.
SQL Server memory: When you use a database server that is co-located with the site server, limit the memory for SQL Server to 50 to 80 percent of the available addressable system memory. When you use a dedicated SQL Server, limit the memory for SQL Server to 80 to 90 percent of the available addressable system memory.
  Configuration Manager requires SQL Server to reserve a minimum of 8 gigabytes (GB) of memory in the buffer pool used by an instance of SQL Server for the central administration site and primary site and a minimum of 4 gigabytes (GB) for the secondary site. This memory is reserved by using the Minimum server memory setting under Server Memory Options and is configured by using SQL Server Management Studio. For more information about how to set a fixed amount of memory, see How to: Set a Fixed Amount of Memory (SQL Server Management Studio).
Optional SQL Server Configurations
The following configurations either support multiple choices or are optional on each database
server with a full SQL Server installation.
Configuration More information
SQL Server service You can configure the SQL Server service on
each database server to run by using a domain
local account or the local system account of the
computer running SQL Server.
 Use a domain user account as a
SQL Server best practice. This type of
119
Configuration More information
account can be more secure than the local
system account but might require you to
manually register the Service Principle
Name (SPN) for the account.
 Use the local system account of the
computer running SQL Server to simplify
the configuration process. When you use
the local system account Configuration
Manager automatically registers the SPN
for the SQL Server service. Using the local
system account for the SQL Server service
is not a SQL Server best practice.
For information about SQL Server best
practices, see the product documentation for
the version of Microsoft SQL Server that you
are using. For information about SPN
configurations for Configuration Manager, see
How to Manage the SPN for SQL Server Site
Database Servers. For information about how
to change the account in use by the SQL
Service, see How to: Change the Service
Startup Account for SQL Server (SQL Server
Configuration Manager).
SQL Server Reporting Services Required to install a reporting services point
that allows you to run reports.
SQL Server ports For communication to the SQL Server database
engine, and for intersite replication, you can
use the default SQL Server port configurations
or specify custom ports:
 Intersite communications use the
SQL Server Service Broker, which by
default uses port TCP 4022.
 Intrasite communication between the
SQL Server database engine and various
Configuration Manager site system roles by
default use port TCP 1433. The following
site system roles communicate directly with
the SQL Server database:
 Management point
 SMS Provider computer
 Reporting Services point
120
Configuration More information
 Site server
When a SQL Server hosts a database from
more than one site, each database must use a
separate instance of SQL Server, and each
instance must be configured with a unique set
of ports.
Warning
Configuration Manager does not
support dynamic ports. Because
SQL Server named instances by
default use dynamic ports for
connections to the database engine,
when you use a named instance, you
must manually configure the static port
that you want to use for intrasite
communication.
If you have a firewall enabled on the computer
running SQL Server, ensure that it is configured
to allow the ports in use by your deployment,
and at any locations on the network between
computers that communicate with the
SQL Server.
For an example of how to configure SQL Server
to use a specific port, see How to: Configure a
Server to Listen on a Specific TCP Port (SQL
Server Configuration Manager) in the SQL
Server TechNet library.
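The SQL Server service account and SQL Server ports rows above describe three checks a practitioner makes on a site database server before Setup: that the MSSQLSvc SPNs Kerberos needs are registered on the domain service account and on nothing else, that the instance listens on a static TCP port, and that the firewall opens only the database engine and Service Broker ports. The following script is an added example and is not part of the Configuration Manager documentation. Every server name, instance name, port, account and address in it is an assumption for illustration; it uses only ADSI, the registry, setspn.exe and netsh, all of which are present on Windows Server 2008 R2.

```powershell
# Added example, not part of the Configuration Manager documentation. A pre-flight
# check for a site database server that runs SQL Server under a domain account:
# (1) the MSSQLSvc SPNs Kerberos needs are on the service account and held by
# nothing else, registering any that are missing; (2) the instance uses a static
# TCP port, since dynamic ports are unsupported; (3) only the database engine and
# Service Broker ports are opened, and only to the hosts that need them.
# Run elevated on the SQL Server computer, as a user allowed to write
# servicePrincipalName on the account. All names, ports and addresses are assumed.
param(
    [string]$SqlServerFqdn  = 'sqlserver01.contoso.com',  # assumed site database server
    [string]$InstanceName   = 'MSSQLSERVER',              # assumed default instance; e.g. 'CMSITE' for a named one
    [int]   $SqlPort        = 1433,                       # assumed static database engine port
    [int]   $BrokerPort     = 4022,                       # assumed Service Broker port (intersite replication)
    [string]$ServiceAccount = 'CONTOSO\svc-sqlcm',        # assumed SQL Server service account
    [string]$SiteSystems    = '10.10.20.0/24',            # assumed subnet of site server, MPs, SMS Provider, RSP
    [string]$PeerDbServers  = '10.20.30.5,10.20.31.5'     # assumed database servers of the other sites
)

function Get-RequiredSqlSpn {
    # SQL Server needs port-based SPNs for the FQDN and the NetBIOS name; a named
    # instance also gets instance-name SPNs for both.
    param([string]$Fqdn, [int]$Port, [string]$Instance)
    $short = $Fqdn.Split('.')[0]
    $spns  = @("MSSQLSvc/${Fqdn}:${Port}", "MSSQLSvc/${short}:${Port}")
    if ($Instance -ne 'MSSQLSERVER') { $spns += "MSSQLSvc/${Fqdn}:${Instance}", "MSSQLSvc/${short}:${Instance}" }
    return $spns
}

function Get-SpnHolders {
    # Every object in the domain carrying the SPN. A duplicate leaves the KDC unable
    # to pick a key, so Kerberos fails and SQL clients silently fall back to NTLM.
    param([string]$Spn)
    return @(([adsisearcher]"(servicePrincipalName=$Spn)").FindAll() |
             ForEach-Object { "$($_.Properties['distinguishedname'])" })
}

function Get-SqlTcpPortConfig {
    # 'Instance Names\SQL' maps the instance name to its versioned ID (e.g. MSSQL10_50.CMSITE),
    # which names the hive that SQL Server Configuration Manager edits for TCP settings.
    param([string]$Instance)
    $map = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $id  = $map.$Instance
    if (-not $id) { throw "SQL Server instance '$Instance' is not installed on this computer." }
    $ipAll = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$id\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
    New-Object PSObject -Property @{
        InstanceId      = $id
        TcpPort         = [string]$ipAll.TcpPort          # the static port; empty when dynamic
        TcpDynamicPorts = [string]$ipAll.TcpDynamicPorts  # '0' or a number means dynamic ports are on
    }
}

function Add-InboundTcpRule {
    # netsh advfirewall exists on Windows Server 2008 and later (New-NetFirewallRule needs 2012).
    # remoteip scopes the rule to the listed hosts instead of every host on the domain profile.
    param([string]$Name, [int]$Port, [string]$RemoteIp)
    & netsh advfirewall firewall add rule name="$Name" dir=in action=allow protocol=TCP localport=$Port remoteip=$RemoteIp profile=domain
}

# (1) Service principal names
$sam     = $ServiceAccount.Split('\')[-1]
$account = ([adsisearcher]"(sAMAccountName=$sam)").FindOne()
if (-not $account) { throw "Account '$sam' was not found in the current domain." }
$present = @($account.Properties['serviceprincipalname'])
foreach ($spn in (Get-RequiredSqlSpn -Fqdn $SqlServerFqdn -Port $SqlPort -Instance $InstanceName)) {
    if ($present -contains $spn) { Write-Host "OK        $spn"; continue }
    $holders = @(Get-SpnHolders -Spn $spn)
    if ($holders.Count -gt 0) { Write-Warning "DUPLICATE $spn is held by $($holders -join ', '); remove it there first."; continue }
    Write-Host "MISSING   $spn - registering on $ServiceAccount"
    & setspn.exe -S $spn $ServiceAccount   # -S refuses to add a duplicate; -A would add blindly
}

# (2) Static port
$cfg = Get-SqlTcpPortConfig -Instance $InstanceName
if ($cfg.TcpDynamicPorts -ne '' -or $cfg.TcpPort -eq '') {
    Write-Warning "Instance $($cfg.InstanceId) uses dynamic TCP ports (TcpDynamicPorts='$($cfg.TcpDynamicPorts)'); set a static port in SQL Server Configuration Manager and restart the service."
} elseif ([int]$cfg.TcpPort -ne $SqlPort) {
    Write-Warning "Instance $($cfg.InstanceId) listens on $($cfg.TcpPort), not the expected $SqlPort."
}

# (3) Firewall: engine port for intrasite roles, Service Broker port for intersite replication
Add-InboundTcpRule -Name 'ConfigMgr SQL Server database engine' -Port $SqlPort    -RemoteIp $SiteSystems
Add-InboundTcpRule -Name 'ConfigMgr SQL Server Service Broker'  -Port $BrokerPort -RemoteIp $PeerDbServers
```

The duplicate-SPN search is the part most often skipped: a stale MSSQLSvc SPN left on a decommissioned computer account does not produce an error, it just makes every client connection quietly downgrade to NTLM. Scoping the firewall rules with remoteip is the least-privilege counterpart to the page's advice to "allow the ports in use by your deployment"; the Service Broker rule lists the other sites' database servers rather than the local site systems because only SQL Server to SQL Server traffic uses it.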
Function-Specific Requirements
The following sections identify function-specific requirements for Configuration Manager.
Application Management
For devices that run the Windows Mobile operating system, Configuration Manager only supports
the Uninstall action for applications on Windows Mobile 6.1.4 or later.
Out of Band Management
System Center 2012 Configuration Manager supports out of band management for computers
that have the following Intel vPro chip sets and Intel Active Management Technology (Intel AMT)
firmware versions:
 Intel AMT version 3.2 with a minimum revision of 3.2.1
 Intel AMT version 4.0, version 4.1, and version 4.2
 Intel AMT version 5.0, and version 5.2 with a minimum revision of 5.2.10
 Intel AMT version 6.0, and version 6.1
The following limitations apply:
 AMT provisioning is not supported on AMT-based computers that are running any version of
Windows Server, Windows XP with SP2, or Windows XP Tablet PC Edition.
 Out of band communication is not supported to an AMT-based computer that is running the
Routing and Remote Access service in the client operating system. This service runs when
Internet Connection Sharing is enabled, and the service might be enabled by line of business
applications.
 The out of band management console is not supported on workstations running Windows XP
on versions earlier than Service Pack 3.
For more information about out of band management in Configuration Manager, see Introduction
to Out of Band Management in Configuration Manager.
Remote Control Viewer
The Configuration Manager remote control viewer is not supported on Windows Server 2003 or
Windows Server 2008 operating systems.
Support for Active Directory Domains
All System Center 2012 Configuration Manager site systems must be members of a Windows
Active Directory domain with a domain functional level of Windows 2000, Windows Server 2003,
Windows Server 2008, or Windows Server 2008 R2.
Note: If you configure discovery to filter and remove stale computer records, the
Active Directory domain functional level must be a minimum of Windows Server 2003.
This requirement includes site systems that support Internet-based client management in a
perimeter network (also known as DMZ, demilitarized zone, and screened subnet). Configuration
Manager client computers can be domain members, or workgroup members.
The following are limitations for site systems:
 It is not supported to change the domain membership, rename the domain, or change the
computer name of a Configuration Manager site system after it is installed.
The following sections contain additional information about domain structures and requirements
for Configuration Manager.
Active Directory Schema Extensions
Configuration Manager Active Directory schema extensions provide benefits for Configuration
Manager sites, but they are not required for all Configuration Manager functions. For more
information about Active Directory schema extension considerations, see Determine Whether to
Extend the Active Directory Schema for Configuration Manager.
Note: If you have extended your Active Directory schema for Configuration Manager 2007, you do not
have to update your schema for System Center 2012 Configuration Manager. You can update the
Active Directory schema before or after you install Configuration Manager. Schema updates do
not interfere with existing Configuration Manager 2007 sites or clients. For more information
about how to extend the Active Directory schema for System Center 2012
Configuration Manager, see the Prepare Active Directory for Configuration Manager section in the
Prepare the Windows Environment for Configuration Manager topic.
Disjoint Namespaces
With the exception of out of band management, Configuration Manager supports installing site
systems and clients in a domain that has a disjoint namespace.
For more information about namespace limitations for when you manage AMT-based
computers out of band, see Prerequisites for Out of Band Management in Configuration
Manager.
A disjoint namespace scenario is one in which the primary Domain Name System (DNS) suffix of
a computer does not match the Active Directory DNS domain name where that computer resides.
The computer with the primary DNS suffix that does not match is said to be disjoint. Another
disjoint namespace scenario occurs if the NetBIOS domain name of a domain controller does not
match the Active Directory DNS domain name.
The following table identifies the supported scenarios for a disjoint namespace.
Scenario More information
Scenario 1:
The primary DNS suffix of the domain controller
is not the same as the Active Directory DNS
domain name. Computers that are members of
the domain can be either disjoint or not disjoint.
In this scenario, the primary DNS suffix of the
domain controller is not the same as the Active
Directory DNS domain name. The domain
controller is disjoint in this scenario. Computers
that are members of the domain, including site
servers and computers, can have a primary
DNS suffix that either matches the primary DNS
suffix of the domain controller or matches the
Active Directory DNS domain name.
Scenario 2:
A member computer in an Active Directory
domain is disjoint, even though the domain
controller is not disjoint.
In this scenario, the primary DNS suffix of a
member computer on which a site system is
installed is not the same as the Active Directory
DNS domain name, even though the primary
DNS suffix of the domain controller is the same
as the Active Directory DNS domain name. In
this scenario, you have a domain controller that
is not disjoint and a member computer that is
disjoint. Member computers that are running
the Configuration Manager client can have a
primary DNS suffix that either matches the
primary DNS suffix of the disjoint site system
server or matches the Active Directory DNS
domain name.
Note: To allow a computer to access domain controllers that are disjoint, you must modify the
msDS-AllowedDNSSuffixes Active Directory attribute on the domain object container. You must add
both of the DNS suffixes to the attribute.
In addition, to ensure that the DNS suffix search list contains all DNS namespaces that are
deployed within the organization, you must configure the search list for each computer in the
domain that is disjoint. Include in the list of namespaces the primary DNS suffix of the domain
controller, the DNS domain name, and any additional namespaces for other servers with which
Configuration Manager might interoperate. You can use the Group Policy Management console
to configure the Domain Name System (DNS) suffix search list.
Important: When you reference a computer in Configuration Manager, enter the computer by using
its Primary DNS suffix. This suffix should match the Fully Qualified Domain Name
registered as the dnsHostName attribute in the Active Directory domain and the Service
Principal Name associated with the system.
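The requirements just listed (both suffixes in msDS-AllowedDNSSuffixes, a search list that covers both namespaces, and a reference name that matches dnsHostName and the SPN) are easy to get partly right, and a mismatch shows up as Kerberos failures rather than as a clear error. The following script is an added example, not part of the Configuration Manager documentation; it reports those conditions for the computer it runs on using only the registry and ADSI. It assumes the computer is a domain member and that the DNS suffix search list, if set by Group Policy, is written to the DNS Client policy key.

```powershell
# Added example, not part of the Configuration Manager documentation. Run on a
# site system or client to report whether the computer is disjoint and whether
# the requirements above hold: both suffixes are in msDS-AllowedDNSSuffixes on
# the domain object, the DNS suffix search list covers both namespaces, and the
# computer's dnsHostName and HOST SPN match the name you will reference it by.
# Uses only the registry and ADSI, so it needs no extra modules.
function Get-DnsSuffixSearchList {
    # A search list set by Group Policy (DNS Client policy) overrides the local one.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $raw = if ($policy -and $policy.SearchList) { $policy.SearchList } else { $local.SearchList }
    return @(([string]$raw).Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Get-DisjointNamespaceReport {
    $tcpip         = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $primarySuffix = [string]$tcpip.Domain     # primary DNS suffix of this computer
    $adDomain      = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
    $isDisjoint    = ($primarySuffix -ne $adDomain)

    $rootDse   = [adsi]'LDAP://RootDSE'
    $domainObj = [adsi]"LDAP://$($rootDse.defaultNamingContext)"
    $allowed   = @($domainObj.Properties['msDS-AllowedDNSSuffixes'] | ForEach-Object { "$_" })
    $search    = Get-DnsSuffixSearchList

    # The computer's own account; sAMAccountName of a computer ends in '$'.
    $computer     = ([adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))").FindOne()
    $dnsHostName  = "$($computer.Properties['dnshostname'])"
    $spns         = @($computer.Properties['serviceprincipalname'] | ForEach-Object { "$_" })
    $expectedFqdn = "$env:COMPUTERNAME.$primarySuffix"

    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        PrimaryDnsSuffix  = $primarySuffix
        ADDomainDnsName   = $adDomain
        IsDisjoint        = $isDisjoint
        # Both suffixes must be on the attribute for a disjoint domain controller or member.
        AllowedSuffixesOk = (-not $isDisjoint) -or (($allowed -contains $primarySuffix) -and ($allowed -contains $adDomain))
        SearchListOk      = (-not $isDisjoint) -or (($search -contains $primarySuffix) -and ($search -contains $adDomain))
        DnsHostNameOk     = ($dnsHostName -eq $expectedFqdn)
        HostSpnOk         = ($spns -contains "HOST/$expectedFqdn")
        ReferenceName     = $expectedFqdn    # enter this name when you reference the computer
    }
}

$report = Get-DisjointNamespaceReport
$report | Format-List ComputerName, PrimaryDnsSuffix, ADDomainDnsName, IsDisjoint, ReferenceName
foreach ($check in 'AllowedSuffixesOk', 'SearchListOk', 'DnsHostNameOk', 'HostSpnOk') {
    if (-not $report.$check) { Write-Warning "$check is false; Kerberos and name resolution to this computer can fail." }
}
```

On a computer that is not disjoint the suffix checks pass trivially and only the dnsHostName and SPN checks matter; on a disjoint site system all four must be true before you add it as a site system server, because the site server authenticates to it with Kerberos under the computer account and that fails when the SPN does not carry the name you entered.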
Single Label Domains
With the exception of out of band management, Configuration Manager supports site systems
and clients in a single label domain when the following criteria are met:
 The single label domain in Active Directory Domain Services must be configured with a
disjoint DNS namespace that has a valid top level domain.
For example: The single label domain of Contoso is configured with a disjoint namespace in
DNS of contoso.com. Therefore, when you specify the DNS suffix in Configuration Manager
for a computer in the Contoso domain, you specify Contoso.com and not Contoso.
 DCOM connections between site servers in the system context must be successful using
Kerberos authentication.
For more information about namespace limitations for when you manage AMT-based
computers out of band, see Prerequisites for Out of Band Management in Configuration
Manager.
Windows Environment
The following sections contain general support configuration information for System Center 2012
Configuration Manager.
Support for Internet Protocol Version 6
Configuration Manager supports Internet Protocol version 6 (IPv6) in addition to Internet Protocol
version 4 (IPv4). The following table lists the exceptions.
Function Exception to IPv6 support
Network Discovery IPv4 is required when you configure a DHCP
server to search in Network Discovery.
Out of band management IPv4 is required to support out of band
management.
Windows CE IPv4 is required to support the Configuration
Manager client on Windows CE devices.
Support for Specialized Storage Technology
Configuration Manager works with any hardware that is certified on the Windows Hardware
Compatibility List (HCL) for the version of the operating system that the Configuration Manager
component is installed on. Site Server roles require NTFS file systems so that directory and file
permissions can be set. Because Configuration Manager assumes it has complete ownership of a
logical drive, site systems that run on separate computers cannot share a logical partition on any
storage technology, but each computer can use a separate logical partition on the same physical
partition of a shared storage device.
Support considerations for the listed storage technologies:
 Storage Area Network: A Storage Area Network (SAN) is supported when a supported
Windows-based server is attached directly to the volume that is hosted by the SAN.
 Single Instance Storage: It is not supported to configure distribution point package and
signature folders on a Single Instance Storage (SIS)-enabled volume.
Additionally, the Configuration Manager client cache is not supported on a SIS-enabled
volume.
Note: Single Instance Storage (SIS) is a feature of the Windows Storage Server 2003 R2
operating system.
 Removable Disk Drive: It is not supported to install Configuration Manager site system or
clients on a removable disk drive.
Support for Computers in Workgroups
System Center 2012 Configuration Manager provides support for clients in workgroups. It is also
supported for a client to be moved from a workgroup to a domain or from a domain to a
workgroup. For more information, see How to Install Configuration Manager Clients on
Workgroup Computers.
Note: All System Center 2012 Configuration Manager site systems must be members of a supported
Active Directory domain. This requirement includes site systems that support Internet-based
client management in a perimeter network (also known as DMZ, demilitarized zone, and
screened subnet).
Support for Virtualization Environments
Configuration Manager supports client installation and all site server roles in the following
virtualization environments:
 Windows Server 2008
 Microsoft Hyper-V Server 2008
 Windows Server 2008 R2
 Microsoft Hyper-V Server 2008 R2
Each virtual computer you use must meet or exceed the same hardware and software
configuration you would use for a physical Configuration Manager computer.
You can validate that your virtualization environment is supported for Configuration Manager by
using the Server Virtualization Validation Program (SVVP) and its online Virtualization Program
Support Policy Wizard. For more information about the Server Virtualization Validation Program
(SVVP), see Windows Server Virtualization Validation Program.
Configuration Manager does not support Virtual PC or Virtual Server guest operating
systems running on Macintosh.
Configuration Manager cannot manage virtual machines unless they are running. An offline virtual
machine image cannot be updated nor can inventory be collected by using the Configuration
Manager client on the host computer.
No special consideration is given to virtual machines. For example, Configuration Manager might
not determine that an update has to be re-applied to a virtual machine image if it is stopped and
restarted without saving the state of the virtual machine to which the update was applied.
Support for Network Address Translation
Network Address Translation (NAT) is not supported in Configuration Manager, unless the site
supports clients that are on the Internet and the client detects that it is on the Internet. For more
information about Internet-based client management, see the Planning for Internet-Based Client
Management section in the Planning for Communications in Configuration Manager topic.
DirectAccess Feature Support
Configuration Manager supports the DirectAccess feature in Windows Server 2008 R2 for
communication between site system servers and clients. When all the requirements for
DirectAccess are met, by using this feature Configuration Manager clients on the Internet can
communicate with their assigned site as if they were on the intranet.
Note: For server-initiated actions, such as remote control and client push installation, the initiating
computer (such as the site server) must be running IPv6, and this protocol must be supported on
all intervening networking devices.
Configuration Manager does not support the following over DirectAccess:
 Deploying operating systems
 Communication between Configuration Manager sites
 Communication between Configuration Manager site system servers within a site
BranchCache Feature Support
Windows BranchCache has been integrated in System Center 2012 Configuration Manager. You
can configure the BranchCache settings on a deployment type for applications, on the
deployment for a package, and for task sequences.
When all the requirements for BranchCache are met, this feature enables clients at remote
locations to obtain content from local clients that have a current cache of the content.
For example, when the first BranchCache-enabled client computer requests content from a
distribution point that is running Windows Server 2008 R2 and that has also been configured as a
BranchCache server, the client computer downloads the content and caches it. This content is
then made available for clients on the same subnet that request this same content, and these
clients also cache the content. In this way, subsequent clients on the same subnet do not have to
download content from the distribution point, and the content is distributed across multiple clients
for future transfers.
Configuration Manager supports BranchCache with Windows Server 2008 R2 and Windows 7
clients that are configured in BranchCache distributed cache mode. Support is extended to clients
running a supported version of Windows Vista, Windows Server 2008 with SP1, and Windows
Server 2008 with SP2 by using the BITS 4.0 release. However, on these operating systems, the
BranchCache client functionality is not supported for software distribution that is run from the
network or for SMB file transfers. You can install the BITS 4.0 release on Configuration Manager
clients by using software updates or software distribution. For more information about the
BITS 4.0 release, see Windows Management Framework.
To support BranchCache with Configuration Manager, add the BranchCache feature to the
Windows Server 2008 R2 site system server that is configured as a distribution point.
System Center 2012 Configuration Manager distribution points on servers configured to support
BranchCache require no further configuration.
To use BranchCache, the clients that can support BranchCache must be configured for
BranchCache distributed mode, and the operating system setting for BITS client settings must be
enabled to support BranchCache.
For more information about BranchCache, see BranchCache for Windows in the Windows Server
documentation.
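The BranchCache setup above has a server half (add the Windows feature to the Windows Server 2008 R2 distribution point) and a client half (put clients in distributed cache mode and make sure BITS is allowed to use BranchCache). The following script is an added example, not part of the Configuration Manager documentation, and covers both halves. The feature name, service name and netsh commands are the Windows ones; the registry location of the BITS "Do not allow the BITS client to use Windows Branch Cache" policy value is an assumption and is marked as such in the code.

```powershell
# Added example, not part of the Configuration Manager documentation.
# -DistributionPoint: on a Windows Server 2008 R2 distribution point, add the
#   BranchCache feature (the distribution point needs no further configuration).
# Otherwise: on a Windows 7 client, switch BranchCache to distributed cache mode
#   and report the pieces that must be in place for Configuration Manager content
#   to come from peers: the BranchCache service, the service mode, and the BITS
#   policy that can block BranchCache use.
param([switch]$DistributionPoint)

if ($DistributionPoint) {
    Import-Module ServerManager
    $feature = Get-WindowsFeature -Name BranchCache
    if (-not $feature.Installed) {
        Add-WindowsFeature -Name BranchCache
    } else {
        Write-Host 'BranchCache feature is already installed on this distribution point.'
    }
    exit
}

function Get-BranchCacheClientState {
    # 'netsh branchcache show status all' prints the service mode (a line of the
    # form 'Service Mode = Distributed Caching') and the cache settings.
    $status  = & netsh branchcache show status all
    $service = Get-Service -Name PeerDistSvc -ErrorAction SilentlyContinue   # the BranchCache service
    # Assumed policy path: the BITS policy "Do not allow the BITS client to use
    # Windows Branch Cache" writes DisableBranchCache here; 1 blocks BranchCache for BITS.
    $bits = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ServicePresent     = ($service -ne $null)
        ServiceStatus      = $(if ($service) { [string]$service.Status } else { 'missing' })
        DistributedMode    = [bool]($status | Select-String -Pattern 'Distributed Caching' -Quiet)
        BitsBranchCacheOff = (($bits -ne $null) -and ($bits.DisableBranchCache -eq 1))
    }
}

$before = Get-BranchCacheClientState
if (-not $before.ServicePresent) {
    throw 'The BranchCache service (PeerDistSvc) is not on this computer; it needs Windows 7 or the BITS 4.0 release.'
}
if (-not $before.DistributedMode) {
    # Distributed cache mode: clients on the same subnet serve content they have cached.
    & netsh branchcache set service mode=DISTRIBUTED
}

$after = Get-BranchCacheClientState
$after | Format-List ServiceStatus, DistributedMode, BitsBranchCacheOff
if ($after.BitsBranchCacheOff) {
    Write-Warning 'Group Policy disables BranchCache for BITS; Configuration Manager downloads will not use peers.'
}
```

Run it once with -DistributionPoint on the distribution point and without the switch on a test client; the BITS policy check is the one worth keeping, because a client that looks correctly configured in netsh still pulls every byte from the distribution point when that policy is applied.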
Fast User Switching
Fast User Switching, which is available on Windows XP computers in a workgroup, is not supported in
System Center 2012 Configuration Manager. Fast User Switching is supported for computers that
are running Windows Vista or later.
Dual Boot Computers
System Center 2012 Configuration Manager cannot manage more than one operating system on
a single computer. If there is more than one operating system on a computer that must be
managed, adjust the discovery and installation methods that are used to ensure that the
Configuration Manager client is installed only on the operating system that has to be managed.
See Also
Planning for Configuration Manager Sites and Hierarchy
Frequently Asked Questions for Configuration Manager
Review the following sections for some frequently asked questions about System Center 2012
Configuration Manager:
 The Configuration Manager Console and Collections
 Sites and Hierarchies
 Migration
 Security and Role-Based Administration
 Client Deployment and Operations
 Mobile Devices
 Remote Control
 Software Deployment
 Endpoint Protection
The Configuration Manager Console and Collections
The following frequently asked questions relate to the Configuration Manager console and
collections.
Does the Configuration Manager console support a 64-bit operating system?
Yes. The Configuration Manager console is a 32-bit program that can run on a 32-bit version of
Windows and on a 64-bit version of Windows.
What is a limiting collection and why would I use it?
In System Center 2012 Configuration Manager, all collections must be limited to the membership
of another collection. When you create a collection, you must specify a limiting collection. A
collection is always a subset of its limiting collection. For more information, see How to Create
Collections in Configuration Manager.
Can I include or exclude the members of another collection from my collection?
Yes. System Center 2012 Configuration Manager includes two new collection rules, the Include
Collections rule and the Exclude Collections rule that allow you to include or exclude the
membership of specified collections. For more information, see How to Create Collections in
Configuration Manager.
Are incremental updates supported for all collection types?
No. Collections configured by using query rules that use certain classes do not support
incremental updates. For a list of these classes, see How to Create Collections in Configuration
Manager.
What is the All Unknown Computers collection?
The All Unknown Computers collection contains two objects that represent records in the
Configuration Manager database so that you can deploy operating systems to computers that are
not managed by Configuration Manager, and so are unknown to Configuration Manager. These
computers can include the following:
 A computer where the Configuration Manager client is not installed
 A computer that is not imported into Configuration Manager
 A computer that is not discovered by Configuration Manager
For more information about how to deploy operating systems to unknown computers, see How to
Manage Unknown Computer Deployments in Configuration Manager.
Why does Install Client from the ribbon install the client to the whole collection when I’ve
selected a single computer but installs to the selected computer only if I right-click the
computer and then select Install Client?
If you choose Install Client from the ribbon when the Collection ribbon tab is selected, the client
installs to all computers in the collection rather than to just the selected computer. To install the
client to just the selected computer, click the Home tab on the ribbon before you click Install
Client from the ribbon, or use the right-click option.
Sites and Hierarchies
The following frequently asked questions relate to sites and hierarchies in Configuration Manager.
Are there new Active Directory schema extensions for System Center 2012 Configuration
Manager?
No. The Active Directory schema extensions for System Center 2012 Configuration Manager are
unchanged from those used by Configuration Manager 2007. If you extended the schema for
Configuration Manager 2007, you do not need to extend the schema again for
System Center 2012 Configuration Manager.
Where is the documentation for Setup?
See Install Sites and Create a Hierarchy for Configuration Manager.
Can I upgrade a prerelease version of System Center 2012 Configuration Manager to the
released version?
No. Unless you were in a prerelease program that was supported by Microsoft (such as the
Technology Adoption Program or the Community Evaluation Program) there is no supported
upgrade path for prerelease versions of System Center 2012 Configuration Manager. For more
information, see the Release Notes for System Center 2012 Configuration Manager.
Can I manage SMS 2003 clients with System Center 2012 Configuration Manager or
migrate SMS 2003 sites and clients to System Center 2012 Configuration Manager?
No. SMS 2003 sites and SMS 2003 clients are not supported by System Center 2012
Configuration Manager. You have two choices to move these sites and clients to
System Center 2012 Configuration Manager:
 Upgrade SMS 2003 sites and clients to Configuration Manager 2007 SP2, and then migrate
them to System Center 2012 Configuration Manager.
 Uninstall SMS 2003 sites and clients and then install System Center 2012
Configuration Manager sites and clients.
For more information about supported upgrade paths, see the Supported Upgrade Paths section
in the Supported Configurations for Configuration Manager topic.
For more information about migrating Configuration Manager 2007 to System Center 2012
Configuration Manager, see the Migrating from Configuration Manager 2007 to System Center
2012 Configuration Manager guide.
Can I upgrade an evaluation version of System Center 2012 Configuration Manager?
Yes. If the evaluation version is not a prerelease version of System Center 2012
Configuration Manager, you can upgrade it to the full version.
For more information, see the Upgrade an Evaluation Installation to a Full Installation section in
the Install Sites and Create a Hierarchy for Configuration Manager topic.
Have the site types changed from Configuration Manager 2007?
System Center 2012 Configuration Manager introduces changes to both primary and secondary
sites, and the central administration site is a new site type. The central administration site replaces
the primary site referred to as the central site as the top-level site of a hierarchy with multiple
primary sites. This site does not directly manage clients but does coordinate a shared database
across your hierarchy, and it is designed to provide centralized reporting and configuration for your
entire hierarchy.
Can I join a pre-existing site to another site in System Center 2012
Configuration Manager?
No. In System Center 2012 Configuration Manager you cannot change the parent relationship of
an active site. You can only add a site as a child of another site at the time you install the new
site. Because the database is shared between all sites, joining a site that has already created
default objects or that has custom configurations can result in conflicts with similar objects that
already exist in the hierarchy.
Why can’t I install a primary site as a child of another primary site as I did in Configuration
Manager 2007?
With System Center 2012 Configuration Manager, primary sites have changed to support only
secondary sites as child sites, and the new central administration site as a parent site. Unlike
Configuration Manager 2007, primary sites no longer provide a security or configuration
boundary. Because of this, you should only need to install additional primary sites to increase the
maximum number of clients your hierarchy can support, or to provide a local point of contact for
administration.
Why does Configuration Manager require SQL Server for my secondary site?
In System Center 2012 Configuration Manager, secondary sites require either SQL Server, or
SQL Server Express to support database replication with their parent primary site. When you
install a secondary site, Setup automatically installs SQL Server Express if a local instance of
SQL Server is not already installed.
What is database replication?
Database replication uses SQL Server to quickly transfer data for settings and configurations to
other sites in the Configuration Manager hierarchy. Changes that are made at one site merge
with the information stored in the database at other sites. Content for deployments, and other file-
based data, still replicate by file-based replication between sites. Database replication configures
automatically when you join a new site to an existing hierarchy.
How can I monitor and troubleshoot replication in Configuration Manager?
See the Monitor Infrastructure for Configuration Manager section in the Monitor Configuration
Manager Sites and Hierarchy topic. This section includes information about database replication
and how to use the Replication Link Analyzer.
What is Active Directory forest discovery?
Active Directory Forest discovery is a new discovery method in System Center 2012
Configuration Manager that allows you to discover network locations from multiple Active
Directory forests. This discovery method can also create boundaries in Configuration Manager for
the discovered network locations and you can publish site data to another Active Directory forest
to help support clients, sites, and site system servers in those locations.
Can I provide clients with unique client agent configurations without installing additional
sites?
Yes. System Center 2012 Configuration Manager applies a hierarchy-wide set of default client
settings (formerly called client agent settings) that you can then modify on clients by using custom
client settings that you assign to collections. This creates a flexible method of delivering
customized client settings to any client in your hierarchy, regardless of the site it is assigned to, or
where it is located on your network. For more information, see How to Configure Client Settings in
Configuration Manager.
Can a site or hierarchy span multiple Active Directory forests?
Configuration Manager supports site-to-site (intersite) communication when a two-way forest trust
exists between the forests. Within a site, Configuration Manager supports placement of site
system roles on computers in an untrusted forest. Configuration Manager also supports clients
that are in a different forest from their site’s site server when the site system role that they
connect to is in the same forest as the client. For more information, see the Planning for
Communications Across Forests in Configuration Manager section in the Planning for
Communications in Configuration Manager topic.
How do clients find management points and has this changed since Configuration
Manager 2007?
System Center 2012 Configuration Manager clients can find available management points by
using the management point that you specify during client deployment, Active Directory Domain
Services, DNS, and WINS. Clients can connect to more than one management point in a site, and
they always prefer communication that uses HTTPS when this is possible because the client and
the management point use PKI certificates.
There are some changes here since Configuration Manager 2007, which accommodate the
change that clients can now communicate with more than one management point in site, and that
you can have a mix of HTTPS and HTTP site system roles in the same site.
For more information, see the Planning for Service Location by Clients section in the Planning for
Communications in Configuration Manager topic.
How do I configure my sites for native-mode?
System Center 2012 Configuration Manager has replaced the native mode site configuration in
Configuration Manager 2007 with individual site system role configurations that accept client
communication over HTTPS or HTTP. Because you can have site system roles that support
HTTPS and HTTP in the same site, you have more flexibility in how you introduce PKI to secure
the intranet client endpoints within the hierarchy. Clients over the Internet and mobile devices
must use HTTPS connections.
For more information, see the Planning a Transition Strategy for PKI Certificates and Internet-
Based Client Management section in the Planning for Security in Configuration Manager topic.
Where are the supported scenarios and network diagrams for Internet-based client
management that you had for Configuration Manager 2007?
Unlike Configuration Manager 2007, there are no design restrictions to support clients on the
Internet, providing you meet the requirements in the Planning for Internet-Based Client
Management section in the Planning for Communications in Configuration Manager topic.
Because of the following improvements, you can more easily support clients on the Internet to fit
your existing infrastructure:
 The whole site does not have to be using HTTPS client connections
 Support for installing most site system roles in another forest
 Support for multiple management points in a site
If you use multiple management points and dedicate one or more for client connections from the
Internet, you might want to consider using database replicas for management points. For more
information, see Configure Database Replicas for Management Points.
Why isn’t the site system role that I want available in the Add Site System Roles Wizard?
Configuration Manager supports some site system roles only at specific sites in a hierarchy, and
some site system roles have other limitations as to where and when you can install them. When
Configuration Manager does not support the installation of a site system role, it is not listed in the
wizard. For example, the Endpoint Protection point cannot be installed in a secondary site, or in a
primary site if you have a central administration site. So if you have a central administration site,
you will not see the Endpoint Protection point listed if you run the Add Site System Roles Wizard
on a primary site.
Other examples include you cannot add a second management point to a secondary site, and
you cannot add a management point or distribution point to a central administration site.
For more information about which site system roles can be installed where, see the Planning
Where to Install Sites System Roles in the Hierarchy section in the Planning for Site Systems in
Configuration Manager topic.
Where do I configure the Network Access Account?
Use the following procedure to configure the Network Access Account:
How to configure the Network Access Account for a site
1. In the Administration workspace, expand Site Configuration, click Sites, and then
select the site.
2. On the Settings group, click Configure Site Components, and then click Software
Distribution.
3. Click the Network Access Account tab, configure the account, and then click OK.
What High Availability does Configuration Manager have?
Configuration Manager offers a number of high availability solutions. For information, see
Planning for High Availability with Configuration Manager.
Migration
The following frequently asked questions relate to migrating Configuration Manager 2007 to
System Center 2012 Configuration Manager.
What versions of Configuration Manager, or Systems Management Server are supported
for migration?
Only Configuration Manager 2007 sites with SP2 are supported for migration.
Why can’t I upgrade my existing Configuration Manager 2007 sites to System Center 2012
Configuration Manager sites?
Several important changes introduced with System Center 2012 Configuration Manager prevent
an in-place upgrade; however, System Center 2012 Configuration Manager does support
migration from Configuration Manager 2007 with a side-by-side deployment. For example,
System Center 2012 Configuration Manager is a native 64-bit application with a database that is
optimized for Unicode and that is shared between all sites. Additionally, site types and site
relationships have changed. These changes, and others, mean that many existing hierarchy
structures cannot be upgraded. For more information, see Migrating from Configuration Manager
2007 to System Center 2012 Configuration Manager.
Do I have to migrate my entire Configuration Manager 2007 hierarchy at one time?
Typically, you will migrate data from Configuration Manager 2007 over a period of time that you
define. During the period of migration, you can continue to use your Configuration Manager 2007
hierarchy to manage clients that have not migrated to System Center 2012
Configuration Manager. Additionally, if you update an object in the Configuration Manager 2007
hierarchy after you have migrated that object to System Center 2012 Configuration Manager, you
can re-migrate that object up until you decide to complete your migration.
After I migrate software and packages, do I have to use the new application model?
When you migrate a Configuration Manager 2007 package to System Center 2012
Configuration Manager, it remains a package after migration. If you want to deploy the software
from your Configuration Manager 2007 packages by using the new application model, you can
use the Package Conversion Manager to convert packages and programs into
System Center 2012 Configuration Manager applications.
Why can’t I migrate inventory history or compliance data for my clients?
This type of information is easily recreated by an active client when it sends data to its
System Center 2012 Configuration Manager site. Typically, it is only the current information from
each client that provides useful information. To retain access to historical inventory information,
you can keep a Configuration Manager 2007 site active until the historical data is no longer
required.
Why must I assign a System Center 2012 Configuration Manager site as a content owner
for migrated content?
When you migrate content to System Center 2012 Configuration Manager, you are really
migrating the metadata about that content. The content itself might remain hosted on a shared
distribution point during migration, or on a distribution point that you will upgrade to
System Center 2012 Configuration Manager. Because the site that owns the content is
responsible for monitoring the source files for changes, plan to specify a site that is near to the
source file location on the network.
What are shared distribution points and why can’t I use them after migration has finished?
Shared distribution points are Configuration Manager 2007 distribution points that can be used by
System Center 2012 Configuration Manager clients during the migration period. A distribution
point can be shared only when the Configuration Manager 2007 hierarchy that contains the
distribution point remains the active source hierarchy and distribution point sharing is enabled for
the source site that contains the distribution point. Sharing distribution points ends when you
complete migration from the Configuration Manager 2007 hierarchy.
How can I avoid redistributing content that I migrate to System Center 2012
Configuration Manager?
System Center 2012 Configuration Manager can upgrade supported Configuration Manager 2007
distribution points to System Center 2012 Configuration Manager distribution points. This upgrade
allows you to maintain your existing distribution points with minimal effort or disruption to your
network. You can also use the prestage option for System Center 2012 Configuration Manager
distribution points to reduce the transfer of large files across low-bandwidth network connections.
Can I perform an in-place upgrade of a Configuration Manager 2007 distribution point
(including a branch distribution point) to a System Center 2012 Configuration Manager
distribution point?
You can perform an in-place upgrade of a Configuration Manager 2007 distribution point that
preserves all content during the upgrade. This includes an upgrade of a distribution point on a
server share, a branch distribution point, or a standard distribution point.
Can I perform an in-place upgrade of a Configuration Manager 2007 secondary site to a
System Center 2012 Configuration Manager distribution point?
You can perform an in-place upgrade of a Configuration Manager 2007 secondary site to a
System Center 2012 Configuration Manager distribution point. During the upgrade, all migrated
content is preserved.
What happens to the content when I upgrade a Configuration Manager 2007 secondary site
or distribution point to a System Center 2012 Configuration Manager distribution point?
During the upgrade to a System Center 2012 Configuration Manager distribution point, all
migrated content is copied and then converted to the single instance store. The original
Configuration Manager 2007 content remains on the server until it is manually removed.
Can I combine more than one Configuration Manager 2007 hierarchy in a single System
Center 2012 Configuration Manager hierarchy?
You can migrate data from more than one Configuration Manager 2007 hierarchy; however, you
can only migrate one hierarchy at a time. You can migrate the hierarchies in any order. However,
you cannot migrate data from multiple hierarchies that use the same site code. If you try to
migrate data from a site that uses the same site code as a migrated site, this corrupts the data in
the System Center 2012 Configuration Manager database.
What Configuration Manager 2007 hierarchy can I use as a source hierarchy?
System Center 2012 Configuration Manager supports migrating a Configuration Manager 2007
environment that is at a minimum of Service Pack 2.
What objects can I migrate?
You can migrate the following objects from Configuration Manager 2007 to System Center 2012
Configuration Manager:
 Advertisements
 Boundaries
 Collections
 Configuration baselines and configuration items
 Operating system deployment boot images, driver packages, drivers, images, and packages
 Software distribution packages
 Software metering rules
 Software update deployment packages and templates
 Software update deployments
 Software update lists
 Task sequences
 Virtual application packages
For more information, see Objects That Can Migrate by Migration Job Type.
Can I migrate maintenance windows?
Yes. When a collection migrates, Configuration Manager also migrates collection settings, which
includes maintenance windows and collection variables. However, collection settings for AMT
provisioning do not migrate.
Will advertisements rerun after they are migrated?
No. Clients that you upgrade from Configuration Manager 2007 will not rerun advertisements that
you migrate. System Center 2012 Configuration Manager retains the Configuration Manager
2007 Package ID for packages you migrate and clients that upgrade retain their advertisement
history.
Security and Role-Based Administration
The following frequently asked questions relate to security and role-based administration in
Configuration Manager.
Where is the documentation for role-based administration?
Because role-based administration is integrated into the configuration of the hierarchy and
management functions, there is no separate documentation section for role-based administration.
Instead, information is integrated throughout the documentation library. For example, information
about planning and configuring role-based administration is in the Planning for Security in
Configuration Manager topic and the Configuring Security for Configuration Manager topic in the
Site Administration for System Center 2012 Configuration Manager guide and the Security and
Privacy for System Center 2012 Configuration Manager guide.
The Configuration Manager console lists the description of each role-based security role that is
installed with Configuration Manager, and the minimum permissions and suitable security roles
for each management function are included as a prerequisite in the relevant topic. For example,
Prerequisites for Application Management in Configuration Manager in the Deploying Software
and Operating Systems in System Center 2012 Configuration Manager guide lists the minimum
security permissions to manage and to deploy applications, and the security roles that meet these
requirements.
What is the minimum I have to configure if I don’t want to use role-based administration
while I’m testing System Center 2012 Configuration Manager?
If you install System Center 2012 Configuration Manager, there is no additional configuration
because the Active Directory user account used to install Configuration Manager is automatically
assigned to the Full Administrator security role, assigned to All Scopes, and has access to the
All Systems and All Users and User Groups collections. However, if you want to provide full
administrative permissions for other Active Directory users to access System Center 2012
Configuration Manager, create new administrative users in Configuration Manager using their
Windows accounts and then assign them to the Full Administrator security role.
How can I partition security with System Center 2012 Configuration Manager?
Unlike Configuration Manager 2007, sites no longer provide a security boundary. Instead, use
role-based administration security roles to configure the permissions different administrative
users have, and security scopes and collections to define the set of objects they can view and
manage. These settings can be configured at a central administration site or any primary site and
are enforced at all sites throughout the hierarchy.
Should I use security groups or user accounts to specify administrative users?
As a best practice, specify a security group rather than user accounts when you configure
administrative users for role-based administration.
Can I deny access to objects and collections by using role-based administration?
Role-based administration does not support an explicit deny action on security roles, security
scopes, or collections assigned to an administrative user. Instead, configure security roles,
security scopes, and collections to grant permissions to administrative users. If users do not have
permissions to objects by use of these role-based administration elements, they might have only
partial access to some objects; for example, they might be able to view, but not modify, specific
objects. However, you can use collection membership to exclude collections from a collection that
is assigned to an administrative user.
How do I find which object types can be assigned to security roles?
Run the report Security for a specific or multiple Configuration Manager objects to find the
object types that can be assigned to security roles. Additionally, you can view the list of objects for
a security role by opening the security role's Properties and selecting the Permissions tab.
Can I use security scopes to restrict which distribution points are shown in the
Distribution Status node in the Monitoring workspace?
No. Although you can configure role-based administration and security scopes so that
administrative users can distribute content to selected distribution points only, Configuration
Manager always displays all distribution points in the Monitoring workspace.
Client Deployment and Operations
The following frequently asked questions relate to deploying and managing clients on computers
and mobile devices in Configuration Manager.
Does System Center 2012 Configuration Manager support the same client installation
methods as Configuration Manager 2007?
Yes. System Center 2012 Configuration Manager supports the same client installation methods
that Configuration Manager 2007 supports: client push, software update-based, group policy,
manual, logon script, and image-based. For more information, see How to Install Clients on
Computers in Configuration Manager.
What’s the difference between upgrading clients by using the supplied package definition
file and a package and program, and using automatic client upgrade that also uses a
package and program?
When you create a package and program to upgrade Configuration Manager clients, this
installation method is designed to upgrade existing System Center 2012 Configuration Manager
clients. You can control which distribution points host the package and which client computers
install the package. This installation method supports only System Center 2012
Configuration Manager clients and cannot upgrade Configuration Manager 2007 clients.
In comparison, the automatic client upgrade method automatically creates the client upgrade
package and program and this installation method can be used with Configuration Manager 2007
clients as well as System Center 2012 Configuration Manager clients. The package is
automatically distributed to all distribution points in the hierarchy and the deployment is sent to all
clients in the hierarchy for evaluation. This installation method supports System Center 2012
Configuration Manager clients and Configuration Manager 2007 clients that are assigned to a
System Center 2012 Configuration Manager site. Because you cannot restrict which distribution
points are sent the upgrade package or which clients are sent the deployment, use automatic
client upgrade with caution and do not use it as your main method to deploy the client software.
For more information, see How to Upgrade Configuration Manager Clients by Using a Package
and Program and How to Automatically Upgrade the Configuration Manager Client for the
Hierarchy in the How to Install Clients on Computers in Configuration Manager topic.
Do references to “devices” in System Center 2012 Configuration Manager mean mobile
devices?
The term “device” in System Center 2012 Configuration Manager applies to a computer or a
mobile device such as a Windows Mobile Phone.
How does System Center 2012 Configuration Manager support clients in a VDI
environment?
For information about supporting clients for a virtual desktop infrastructure (VDI), see the
Considerations for Managing the Configuration Manager Client in a Virtual Desktop Infrastructure
(VDI) section in the Introduction to Client Deployment in Configuration Manager topic.
Is it true that System Center 2012 Configuration Manager has a new client health solution?
Yes, client status is new in System Center 2012 Configuration Manager and allows you to monitor
the activity of clients and check and remediate various problems that can occur.
How do I find out what client health checks Configuration Manager makes and can I add
my own?
You can view the client health rules in the %windir%\CCM\ccmeval.xml file that is installed on
the client, but Configuration Manager does not support changes to the file. Instead, use
compliance settings in Configuration Manager to check for additional items that you consider
required for the health of your clients. For example, you might check for specific registry key
entries, files, and permissions.
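As an added example (not from the Configuration Manager documentation or the product itself), the following discovery script is the kind of check you would attach to a script-based configuration item for the three item types the answer mentions: a registry value, a file, and file permissions. The registry key and value name are constructed placeholders, and the permission check (that ordinary users cannot write to the client health rules file) is one assumed requirement; substitute the items your own baseline needs.

```powershell
# Added example (not from the Configuration Manager documentation): discovery script
# for a script-based configuration item. Outputs 'Compliant' when every check passes,
# otherwise a list of findings; the compliance rule then compares the output
# with 'Compliant'. Registry key/value below are constructed placeholders.
$findings = @()

# 1. Registry value check (placeholder key and value name; expected value 1).
$regPath  = 'HKLM:\SOFTWARE\Contoso\ClientHealth'   # placeholder
$regName  = 'AgentEnabled'                           # placeholder
$expected = 1
try {
    $value = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction Stop).$regName
    if ($value -ne $expected) {
        $findings += "Registry value $regPath\$regName is '$value', expected '$expected'"
    }
} catch {
    $findings += "Registry value $regPath\$regName is missing"
}

# 2. File check: the client health rules file shipped with the client must be present.
$file = Join-Path $env:windir 'CCM\ccmeval.xml'
if (-not (Test-Path -Path $file -PathType Leaf)) {
    $findings += "File $file is missing"
}

# 3. Permission check (assumed requirement): broad groups must not be able to write
#    to the rules file, since the product does not support changes to it.
if (Test-Path -Path $file -PathType Leaf) {
    $broadGroups = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $writeBits   = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in (Get-Acl -Path $file).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ($broadGroups -contains $ace.IdentityReference.Value) -and
            (($ace.FileSystemRights -band $writeBits) -ne 0)) {
            $findings += "$($ace.IdentityReference.Value) has write access to $file"
        }
    }
}

# Single line of output so the compliance rule can do an exact comparison.
if ($findings.Count -eq 0) { Write-Output 'Compliant' } else { Write-Output ($findings -join '; ') }
```

In the configuration item, set the compliance rule to "the value returned by the script equals Compliant"; any other output is reported as noncompliant together with the findings text, which makes the failing check visible in the compliance report. The script uses only `-contains` and `-band` rather than PowerShell 3.0 operators so it runs on the PowerShell 2.0 clients of that era.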
What improvements have you made for Internet-based client management?
Configuration Manager contains many improvements since Configuration Manager 2007 to help
you manage clients when they are on the Internet:
 Configuration Manager supports a gradual transition to using PKI certificates, and not all
clients and site systems have to use PKI certificates before you can manage clients on the
Internet. For more information, see Planning a Transition Strategy for PKI Certificates and
Internet-Based Client Management.
 The certificate selection process that Configuration Manager uses is improved by using a
certificate issuers list. For more information, see Planning for the PKI Trusted Root
Certificates and the Certificate Issuers List.
 Unless the Configuration Manager client is installed on the Internet or is configured as
Internet-only, you no longer have to configure client computers with an Internet-based
management point. Instead, the client will automatically retrieve a list of Internet-based
management points when it is on the intranet.
 Although deploying an operating system is still not supported over the Internet, you can
deploy generic task sequences for clients that are on the Internet.
 If the Internet-based management point can authenticate the user, user policies are now
supported when clients are on the Internet. This functionality supports user-centric
management and user device affinity for when you deploy applications to users.
 Configuration Manager clients that are on the Internet first try to download any
required software updates from Microsoft Update, rather than from an Internet-based
distribution point in their assigned site. Only if this fails will they then try to download the
required software updates from an Internet-based distribution point.
What is the difference between Internet-based client management and DirectAccess?
DirectAccess is a Windows solution for managing domain computers when they move from the
intranet to the Internet. This solution requires the minimum operating systems of Windows
Server 2008 R2 and Windows 7 on clients. Internet-based client management is specific to
Configuration Manager, and it allows you to manage computers and mobile devices when they
are on the Internet. The Configuration Manager clients can be on workgroup computers and
never connect to the intranet, and they can also be mobile devices. The Configuration Manager
solution works for all operating system versions that are supported by Configuration Manager.
Both solutions require PKI certificates on clients and servers. However, DirectAccess requires a
Microsoft enterprise certification authority, whereas Configuration Manager can use any PKI
certificate that meets the requirements documented in PKI Certificate Requirements for
Configuration Manager.
Not all Configuration Manager features are supported for Internet-based client management. For
more information, see the Planning for Internet-Based Client Management section in the Planning
for Communications in Configuration Manager topic. In comparison, because a client that
connects over DirectAccess behaves as if it is on the intranet, all features, with the exception of
deploying an operating system, are supported by Configuration Manager.
Some Configuration Manager communications are server-initiated, such as client push
installation and remote control. For these connections to succeed over DirectAccess, the
initiating computer on the intranet and all intervening network devices must support IPv6.
For support information about how Configuration Manager supports DirectAccess, see the
DirectAccess Feature Support section in the Supported Configurations for Configuration Manager
topic.
Where can I find information about managing vPro computers?
You can manage Intel vPro computers by using out of band management in System Center 2012
Configuration Manager. For more information, see Out of Band Management in Configuration
Manager in the Assets and Compliance in System Center 2012 Configuration Manager guide.
I want to move my Intel AMT-based computers that I provisioned with Configuration
Manager 2007 to System Center 2012 Configuration Manager. Can I use the same
Active Directory security group, OU, and web server certificate template?
AMT-based computers that were provisioned with Configuration Manager 2007 must have their
provisioning data removed before you migrate them to System Center 2012
Configuration Manager, and then provisioned again by System Center 2012
Configuration Manager. Because of functional changes between the versions, the security group,
OU, and web server certificate template have different requirements:
 If you used a security group in Configuration Manager 2007 for 802.1X authentication, you
can continue to use this group if it is a universal security group. If it is not a universal group,
you must convert it or create a new universal security group for System Center 2012
Configuration Manager. The security permissions of Read Members and Write Members for
the site server computer account remain the same.
 The OU can be used without modification. However, System Center 2012
Configuration Manager no longer requires Full Control to this object and all child objects. You
can reduce these permissions to Create Computer Objects and Delete Computer Objects on
this object only.
 The web server certificate template from Configuration Manager 2007 cannot be used in
System Center 2012 Configuration Manager without modification. This certificate template no
longer uses Supply in the request and the site server computer account no longer requires
Read and Enroll permissions.
For more information about the security group and OU, see Step 1 in How to Provision and
Configure AMT-Based Computers in Configuration Manager.
For more information about the certificate requirements, see PKI Certificate Requirements for
Configuration Manager and the example deployment, Deploying the Certificates for AMT.
How can I tell which collections of computers have a power plan applied?
There is no report in System Center 2012 Configuration Manager that displays which collections
of computers have a power plan applied. However, in the Device Collections list, you can select
the Power Configurations column to display whether a collection has a power plan applied.
Mobile Devices
The following frequently asked questions relate specifically to mobile devices in Configuration
Manager.
Where is the documentation for mobile devices?
Because the management of mobile devices is so similar to managing computers in
System Center 2012 Configuration Manager, there is no separate documentation section for
mobile devices. Instead, information is integrated throughout the documentation library. For
example, information about how to install the client on mobile devices is in the Deploying Clients
for System Center 2012 Configuration Manager guide. Information about how to configure
settings for mobile devices, such as password settings, is in the Compliance Settings in
Configuration Manager section of the Assets and Compliance in System Center 2012
Configuration Manager guide, and information about how to install applications on mobile devices
is in the Application Management in Configuration Manager section of the Deploying Software
and Operating Systems in System Center 2012 Configuration Manager guide.
Some of the main topics that contain information about mobile devices include the following:
Topic: Supported Configurations for Configuration Manager
More information: See the Mobile Device Requirements section to check whether Configuration Manager can support your mobile device environment.
Topic: PKI Certificate Requirements for Configuration Manager
More information: Contains certificate requirements if you install the Configuration Manager client on mobile devices. No certificates are required by Configuration Manager if you manage mobile devices that connect to Exchange Server.
Topic: Planning for Site Systems in Configuration Manager
More information: Contains information about where to install the site system roles that are required to manage mobile devices.
Topic: Introduction to Client Deployment in Configuration Manager
More information: The Deploying the Configuration Manager Client to Mobile Devices section contains introductory information for managing mobile devices and what is new from Configuration Manager 2007.
Topic: Prerequisites for Client Deployment in Configuration Manager
More information: The Prerequisites for Mobile Device Clients section contains information about the dependencies and firewall requirements for when you enroll mobile devices by using Configuration Manager.
Topic: Determine How to Manage Mobile Devices in Configuration Manager
More information: Contains information about the differences between the management options for mobile devices in Configuration Manager.
Topic: How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager
More information: Contains instructions to enroll mobile devices by using Configuration Manager.
Topic: How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager
More information: Contains instructions to install the Exchange Server connector, so that you can manage mobile devices that connect to an Exchange Server.
Topic: Security and Privacy for Clients in Configuration Manager
More information: Contains security best practices and privacy information for mobile devices.
Topic: How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager
More information: Contains instructions to configure settings for mobile devices that are enrolled by Configuration Manager.
Topic: Technical Reference for Log Files in Configuration Manager
More information: See the Mobile Devices section for the list of log files that are created when you manage mobile devices in Configuration Manager.
If you have mobile device legacy clients in your System Center 2012 Configuration Manager
hierarchy, the installation and configuration for these mobile devices is the same as in
Configuration Manager 2007. For more information, see Mobile Device Management in
Configuration Manager in the Configuration Manager 2007 documentation library.
How do I re-enroll mobile devices in Configuration Manager?
When the certificate on the mobile device is due for renewal, users are automatically prompted to
accept the new certificate. When they confirm the prompt, Configuration Manager automatically
re-enrolls their mobile device.
What action must I take if I no longer want a mobile device enrolled in Configuration
Manager?
You must wipe the mobile device if you no longer want it to be enrolled in System Center 2012
Configuration Manager. When you wipe a mobile device, this action deletes all data that is stored
on the mobile device and on any attached memory cards. In addition, the certificate that was
issued during enrollment is revoked with the following reason: Cease of Operation.
If I wipe a mobile device that is enrolled by Configuration Manager and discovered by the
Exchange Server connector, will it be wiped twice?
No. In this dual management scenario, Configuration Manager sends the wipe command in the
client policy and by using the Exchange Server connector, and then monitors the wipe status for
the mobile device. As soon as Configuration Manager receives a wipe confirmation from the
mobile device, it cancels the second and pending wipe command so that the mobile device is not
wiped twice.
Can I configure the Exchange Server connector for read-only mode?
Yes, if you only want to find mobile devices and retrieve inventory data from them as a read-only
mode of operation, you can do this by granting a subset of the cmdlets that the account uses to
connect to the Exchange Client Access server. The required cmdlets for a read-only mode of
operation are as follows:
 Get-ActiveSyncDevice
 Get-ActiveSyncDeviceStatistics
 Get-ActiveSyncOrganizationSettings
 Get-ActiveSyncMailboxPolicy
 Get-ExchangeServer
 Get-Recipient
 Set-ADServerSettings
When the Exchange Server connector operates with these limited permissions, you cannot create
access rules or wipe mobile devices, and mobile devices will not be configured with the settings
that you define. In addition, Configuration Manager will generate alerts and status messages to
notify you that it could not complete operations that are related to the Exchange Server
connector.
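To confirm that a connector account really is limited to the read-only set, the following added example (written for this page, not part of the Configuration Manager or Exchange documentation) enumerates the cmdlets granted to the account through Exchange role-based access control and reports anything outside the list above. It assumes it is run in the Exchange Management Shell, and the account name is a placeholder.

```powershell
# Added example (not from the Configuration Manager documentation): audit which Exchange
# cmdlets the Exchange Server connector account can run, and compare them with the
# read-only set. Run in the Exchange Management Shell. Account name is a placeholder.
$connectorAccount = 'CONTOSO\svc-cmexchange'   # placeholder

# The read-only cmdlet set from the answer above.
$readOnlyCmdlets = @(
    'Get-ActiveSyncDevice',
    'Get-ActiveSyncDeviceStatistics',
    'Get-ActiveSyncOrganizationSettings',
    'Get-ActiveSyncMailboxPolicy',
    'Get-ExchangeServer',
    'Get-Recipient',
    'Set-ADServerSettings'
)

# Every role assigned to the account, directly or through role group membership,
# expanded to the cmdlets (role entries) each role contains.
$granted = Get-ManagementRoleAssignment -RoleAssignee $connectorAccount |
    ForEach-Object { Get-ManagementRoleEntry -Identity "$($_.Role)\*" } |
    Select-Object -ExpandProperty Name -Unique

$missing = $readOnlyCmdlets | Where-Object { $granted -notcontains $_ }
$extra   = $granted         | Where-Object { $readOnlyCmdlets -notcontains $_ }

if ($missing) {
    Write-Output "Read-only mode will not work; these cmdlets are not granted:"
    $missing | ForEach-Object { Write-Output "  $_" }
}
if ($extra) {
    # Anything here (for example, a Clear-* or Set-* cmdlet) means the account can do more
    # than discovery and inventory and is not actually read-only.
    Write-Output "Cmdlets granted beyond the read-only set:"
    $extra | Sort-Object | ForEach-Object { Write-Output "  $_" }
}
if (-not $missing -and -not $extra) {
    Write-Output "Account $connectorAccount is limited to exactly the read-only cmdlet set."
}
```

Because Exchange RBAC grants cmdlets through roles rather than individually, an account assigned a built-in role such as Recipient Management will normally show a long "beyond the read-only set" list; trimming it to the seven cmdlets means creating custom roles with `New-ManagementRole` and `Remove-ManagementRoleEntry`, then re-running this audit to confirm the result.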
Remote Control
The following frequently asked questions relate to remote control in Configuration Manager.
Is remote control enabled by default?
By default, remote control is disabled on client computers. Enable remote control as a default
client setting for the hierarchy, or by using custom client settings that you apply to selected
collections.
What ports does remote control use?
TCP 2701 is the only port that System Center 2012 Configuration Manager uses for remote
control. When you enable remote control as a client setting, you can select one of three firewall
profiles that automatically configure this port on Configuration Manager clients: Domain, Private,
or Public.
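Because the client setting opens TCP 2701 for the firewall profile you select, it is worth verifying on a client that no rule opens the port more broadly than intended. The following added example (not from the Configuration Manager documentation) lists enabled inbound allow rules for TCP 2701 and flags any whose profiles exceed the expected one. It assumes Windows 8 or Windows Server 2012 or later, where the NetSecurity cmdlets exist; the expected profile is a placeholder for the one your client setting selects.

```powershell
# Added example (not from the Configuration Manager documentation): report enabled inbound
# firewall rules that allow TCP 2701 (remote control) and flag any rule whose profiles
# go beyond what the remote control client setting is meant to open.
# Assumes the NetSecurity module (Windows 8 / Windows Server 2012 or later).
$expectedProfiles = @('Domain')   # placeholder: the profile selected in your client setting
$allProfiles      = @('Domain', 'Private', 'Public')

# Start from the port filters so rules are matched on the port they actually open,
# then resolve each filter back to its rule and keep only effective allow rules.
$rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '2701' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

if (-not $rules) {
    Write-Output 'No enabled inbound allow rule for TCP 2701 was found on this computer.'
}

foreach ($rule in $rules) {
    # Profile is an enum: 'Any' covers every profile, otherwise a comma-separated list.
    $profileText = "$($rule.Profile)"
    $profiles = if ($profileText -eq 'Any') { $allProfiles } else { $profileText -split ',\s*' }

    $unexpected = $profiles | Where-Object { $expectedProfiles -notcontains $_ }
    if ($unexpected) {
        Write-Output ("WARNING: rule '{0}' opens TCP 2701 on profile(s) {1}, beyond the expected {2}" -f
            $rule.DisplayName, ($unexpected -join ', '), ($expectedProfiles -join ', '))
    } else {
        Write-Output ("OK: rule '{0}' opens TCP 2701 on {1} only" -f
            $rule.DisplayName, ($profiles -join ', '))
    }
}
```

A rule that reports Public or Any on a laptop means remote control connections are accepted on untrusted networks as well; the fix is in the client setting's firewall profile selection rather than on the individual computer, so the next policy cycle does not recreate the broader rule.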
What is the difference between a Permitted Viewers List and granting a user the role-based
administration security role of Remote Tools Operator?
The Permitted Viewers List grants an administrative user the Remote Control permission for a
computer, and the role-based administration security role of Remote Tools Operator grants an
administrative user the ability to connect a Configuration Manager console to a site so that audit
messages are sent when they manage computers by using remote control.
Can I send a CTRL+ALT+DEL command to a computer during a remote control session?
Yes. In the Configuration Manager remote control window, click Action, and then click Send
Ctrl+Alt+Del.
How can I find out how the Help Desk is using remote control?
You can find this out by using the remote control reports: Remote Control – All computers
remote controlled by a specific user and Remote Control – All remote control information.
For more information, see How to Audit Remote Control Usage in Configuration Manager.
What happened to the Remote Control program in Control Panel on Configuration
Manager clients?
The remote control settings for System Center 2012 Configuration Manager clients are now in
Software Center, on the Options tab.
Software Deployment
The following frequently asked questions relate to content management, software updates,
applications, packages and programs, scripts, and operating system deployment with supporting
task sequences and device drivers in Configuration Manager.
When distribution points are enabled for bandwidth control, does the site server compress
the content that it distributes to them in the same way as site-to-site data is compressed?
No, site servers do not compress the content that they distribute to distribution points that are
enabled for bandwidth control. Whereas site-to-site transfers potentially resend files that might
already be present, only to be discarded by the destination site server, a site server sends only
the files that a distribution point requires. With a lower volume of data to transfer, the
disadvantages of high CPU processing to compress and decompress the data usually outweigh
the advantages of compressing the data.
What is an “application” and why would I use it?
System Center 2012 Configuration Manager applications contain the administrative details and
Application Catalog information necessary to deploy a software package or software update to a
computer or mobile device.
What is a “deployment type” and why would I use one?
A deployment type is contained within an application and specifies the installation files and
method that Configuration Manager will use to install the software. The deployment type contains
rules and settings that control if and how the software is installed on client computers.
What is the “deployment purpose” and why would I use this?
The deployment purpose defines what the deployment should do and represents the
administrator’s intent. For example, an administrative user might require the installation of
software on client computers or might just make the software available for users to install
themselves. A global condition can be set to check regularly that required applications are
installed and to reinstall them if they have been removed.
What is a global condition and how is it different from a deployment requirement?
Global conditions are conditions used by requirement rules. Requirement rules set a value for a
deployment type for a global condition. For example, “operating system =” is a global condition; a
requirement rule is “operating system = Win7.”
How do I make an application deployment optional rather than mandatory?
To make a deployment optional, configure the deployment purpose as Available in the application’s deployment type. Available applications are displayed in the Application Catalog, where users can install them.
Can users request applications?
Yes. Users can browse a list of available software in the Application Catalog. Users can then request an application which, if approved, is installed on their computer. To make a deployment optional, configure the deployment purpose as Available in the application’s deployment type.
Why would I use a package and program to deploy software rather than an application
deployment?
Some scenarios, such as the deployment of a script that runs on a client computer but that does
not install software, are more suited to using a package and program rather than an application.
Can I deploy Office so that it installs locally on a user’s main workstation but is available to that user as a virtual application from any computer?
Yes. You can configure multiple deployment types for an application. Rules that specify which deployment type is run allow you to control how the application is made available to the user.
Does Configuration Manager help identify which computers a user uses to support the
user device affinity feature?
Yes. Configuration Manager collects usage statistics from client devices that can be used to
automatically define user device affinities or to help you manually create affinities.
Can I change a simulated application deployment to a standard application deployment?
No. You must create a new deployment, which can include extra options such as scheduling and user experience.
Can I migrate my existing packages and programs from Configuration Manager 2007 to a
System Center 2012 Configuration Manager hierarchy?
Yes. You can see migrated packages and programs in the Packages node in the Software
Library workspace. You can also use the Import Package from Definition Wizard to import
Configuration Manager 2007 package definition files into your site.
Does the term “software” include scripts and drivers?
Yes. In System Center 2012 Configuration Manager, the term software includes software
updates, applications, scripts, task sequences, device drivers, configuration items, and
configuration baselines.
What does “state-based deployment” mean in reference to System Center 2012
Configuration Manager?
Depending on the deployment purpose you have specified in the deployment type of an
application, System Center 2012 Configuration Manager periodically checks that the state of the
application is the same as its purpose. For example, if an application’s deployment type is
specified as Required, Configuration Manager reinstalls the application if it has been removed.
Only one deployment type can be created per application and collection pair.
Do I have to begin using System Center 2012 Configuration Manager applications
immediately after migrating from Configuration Manager 2007?
No, you can continue to deploy packages and programs that have been migrated from your
Configuration Manager 2007 site. However, packages and programs cannot use some of the new
features of System Center 2012 Configuration Manager such as requirement rules, dependencies
and supersedence.
If an application that has been deployed to a user is installed on multiple devices, how is
the deployment summarized for the user?
Deployments to users or devices are summarized based on the worst result. For example, if a
deployment is successful on one device and the application requirements were not met on
another device then the deployment for the user is summarized as Requirements Not Met. If
none of the user’s devices has received the application, the deployment is summarized as
Unknown.
Is there a quick guide to installing the Application Catalog?
If you don’t require HTTPS connections (for example, users will not connect from the Internet), you can use the following quick guide instructions:
1. Make sure that you have all the prerequisites for the Application Catalog site roles. For more information, see Prerequisites for Application Management in Configuration Manager.
2. Install the following Application Catalog site system roles and select the default options:
   • Application Catalog web service point
   • Application Catalog website point
3. Configure the following Computer Agent device client settings by editing the default client settings, or by creating and assigning custom client settings:
   • Default Application Catalog website point: Automatically detect
   • Add default Application Catalog website to Internet Explorer trusted site zone: True
   • Install Permissions: All users
For full instructions, see Configuring the Application Catalog and Software Center in
Configuration Manager.
Can I deploy applications by using task sequences?
You can use a task sequence to deploy applications. However, when you configure an application deployment rather than use a task sequence, you benefit from the following:
• You have a richer monitoring and compliance experience.
• You can supersede a previous version of the application and can uninstall or upgrade the previous version.
• You can deploy applications to users.
For more information about how to deploy applications, see Introduction to Application
Management in Configuration Manager.
How often are application deployments summarized?
Although you can configure the application deployment summarization interval, by default, the following values apply:
• Deployments that were modified in the last 30 days – 1 hour
• Deployments that were modified in the last 31 to 90 days – 1 day
• Deployments that were modified over 90 days ago – 1 week
You can modify the application deployment summarization intervals from the Status
Summarizers dialog box. Click Status Summarizers from the Sites node in the Administration
workspace to open this dialog box.
How does the processing of requirements differ between a deployment with the action of
Install and a deployment with the action of Uninstall?
In most cases, a deployment with an action of Uninstall will always uninstall a deployment type if
it is detected unless the client type is different. For example, if you deploy a mobile device
application with an action of Uninstall to a desktop computer, the deployment will fail with a
status of Requirements not met as it is impossible to enforce this uninstall.
What happens if a simulated deployment and a standard deployment for the same
application are deployed to a computer?
Although you cannot deploy a simulated and a standard deployment of an application to the same
collection, you can target a computer with both if you deploy them to different collections and the
computer is a member of both collections. In this scenario, for both deployments, the computer
reports the results of the standard deployment. This explains how you might see deployment
states for a simulated deployment that you would usually only see for a standard deployment,
such as In Progress and Error.
Can I use update lists in System Center 2012 Configuration Manager?
No. Software update groups are new in System Center 2012 Configuration Manager and replace
update lists that were used in Configuration Manager 2007.
What is an “update group” and why would I use one?
Software update groups provide a more effective method for you to organize software updates in
your environment. You can manually add software updates to a software update group or
software updates can be automatically added to a new or existing software update group by using
an automatic deployment rule. You can also deploy a software update group manually or
automatically by using an automatic deployment rule. After you deploy a software update group,
you can add new software updates to the group and they will automatically be deployed.
Does System Center 2012 Configuration Manager have automatic approval rules like
Windows Server Update Services (WSUS)?
Yes. You can create automatic deployment rules to automatically approve and deploy software
updates that meet specified search criteria.
What changes have been made in System Center 2012 Configuration Manager to manage
superseded software updates?
In Configuration Manager 2007, superseded software updates are automatically expired during
full software updates synchronization. In System Center 2012 Configuration Manager, you can
choose to automatically expire superseded software updates during software updates
synchronization just as it is in Configuration Manager 2007. Or, you can specify a number of
months before a superseded software update is expired. This allows you to deploy a superseded
software update for the period of time while you validate and approve the superseding software
update in your environment.
How are superseded and expired software updates removed in System Center 2012
Configuration Manager?
System Center 2012 Configuration Manager might automatically remove expired and superseded software updates. Consider the following scenarios:
• Expired software updates that are not associated with a deployment are automatically removed every 7 days by a site maintenance task.
• Expired software updates that are associated with a deployment are not automatically removed by the site maintenance task.
• Superseded software updates that you have configured not to expire for a specified period of time are not removed or deleted by the site maintenance task.
You can remove expired software updates from all software update groups and software update
deployments so that they are automatically removed. To do this, search for expired software
updates, select the returned results, choose edit membership, and remove the expired software
updates from any software update group for which they are members.
What do the software update group icons represent in Configuration Manager?
The software update group icons are different in the following scenarios:
• When a software update group contains at least one expired software update, the icon for that software update group contains a black X.
• When a software update group contains no expired software updates, but at least one superseded software update, the icon for that software update group contains a yellow star.
• When a software update group has no expired or superseded software updates, the icon for that software update group contains a green arrow.
When you view the status of an application deployment in the Deployments node of the
Monitoring workspace, how is the displayed Compliance % calculated?
The compliance percentage (Compliance %) is calculated by taking the number of users or devices with a deployment state of Success, adding the number of devices with a deployment state of Requirements Not Met, and then dividing this total by the number of users or devices that the deployment was sent to.
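The following added example (not from the Configuration Manager documentation) models two rules from this FAQ: the "worst result" summarization of a user's per-device results described earlier, and the Compliance % calculation above. The full precedence order of states, the placement of In Progress and Error in it, and the sample results are assumptions made for the example; the page itself only fixes that Requirements Not Met outranks Success and that a user with no reporting device is Unknown.

```python
from collections import Counter

# Deployment states ordered from best to worst. Only two facts come from the
# documentation: Success loses to Requirements Not Met, and a target with no
# reporting device is Unknown. The rest of this order is an assumption.
STATE_PRECEDENCE = ["Success", "Requirements Not Met", "In Progress", "Error"]
UNKNOWN = "Unknown"


def summarize_target(device_states):
    """Collapse one user's (or device's) per-device results into a single
    deployment state: the worst reported state wins, and no reported state
    at all summarizes as Unknown."""
    reported = [s for s in device_states if s != UNKNOWN]
    if not reported:
        return UNKNOWN
    unexpected = [s for s in reported if s not in STATE_PRECEDENCE]
    if unexpected:
        raise ValueError(f"unrecognized deployment state(s): {unexpected}")
    return max(reported, key=STATE_PRECEDENCE.index)


def summarize_deployment(results):
    """results maps each targeted user/device to the list of states its
    devices reported; returns one summarized state per target."""
    return {target: summarize_target(states) for target, states in results.items()}


def compliance_percent(summary):
    """Compliance % = (Success + Requirements Not Met) / targets the
    deployment was sent to. Unknown targets still count in the denominator."""
    if not summary:
        return 0.0
    counts = Counter(summary.values())
    compliant = counts["Success"] + counts["Requirements Not Met"]
    return round(100.0 * compliant / len(summary), 1)


# Constructed sample: one user-targeted deployment, per-device results per user.
SAMPLE_RESULTS = {
    "user-a": ["Success", "Requirements Not Met"],  # summarizes as Requirements Not Met
    "user-b": ["Unknown", "Unknown"],               # no device received it: Unknown
    "user-c": ["Success"],                          # Success
    "user-d": ["Success", "Error"],                 # worst result: Error
}

if __name__ == "__main__":
    summary = summarize_deployment(SAMPLE_RESULTS)
    for target, state in summary.items():
        print(f"{target}: {state}")
    print(f"Compliance %: {compliance_percent(summary)}")  # 50.0 for the sample
```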
While monitoring the deployment of an application, the numbers displayed in the
Completion Statistics do not match the numbers displayed in the View Status pane. What
reasons might cause this?
The following reasons might cause the numbers shown in Completion Statistics and the View Status pane to differ:
• The completion statistics are summarized and the View Status pane displays live data – Select the deployment in the Deployments node of the Monitoring workspace and then, in the Home tab, in the Deployment group, click Run Summarization. Refresh the display in the Configuration Manager console and, after summarization completes, the updated completion statistics will display in the Configuration Manager console.
• An application contains multiple deployment types. The completion statistics display one status for the application; the View Status pane displays status for each deployment type in the application.
• The client encountered an error. It was able to report status for the application, but not for the deployment types contained in the application. You can use the report Application Infrastructure Errors to troubleshoot this scenario.
Can I deploy operating systems by using a DVD or a flash drive?
Yes. You can use media such as a CD, DVD set, or a USB flash drive to capture an operating
system image and to deploy an operating system. Deployment media includes bootable media,
prestaged media, and stand-alone media. For more information, see Planning for Media
Operating System Deployments in Configuration Manager.
When I upgrade an operating system, can I retain the user’s information so that they have
all their files, data, and preferences when they log on to the new operating system?
Yes. When you deploy an operating system you can add steps to your task sequence that
capture and restore the user state. The captured data can be stored on a state migration point or
on the computer where the operating system is deployed. For more information, see How to
Manage the User State in Configuration Manager.
Can I deploy operating systems to computers that are not managed by Configuration
Manager?
Yes. These types of computers are referred to as unknown computers. For more information
about how to deploy operating systems to unknown computers, see How to Manage Unknown
Computer Deployments in Configuration Manager.
When I deploy an operating system to multiple computers, can I optimize how the
operating system image is sent to the destination computers?
Yes. Use multicast to simultaneously send data to multiple Configuration Manager clients rather
than sending a copy of the data to each client over a separate connection. For more information,
see Planning a Multicast Strategy in Configuration Manager.
Endpoint Protection
The following frequently asked questions relate to Endpoint Protection in Configuration Manager.
What’s new for Endpoint Protection in System Center 2012 Configuration Manager?
Endpoint Protection is fully integrated with System Center 2012 Configuration Manager and no
longer requires a separate installation. In addition, there are a number of new features and
enhancements in Endpoint Protection. For more information, see the Endpoint Protection section
in the What’s New in Configuration Manager topic.
Can I deploy definitions by using Configuration Manager distribution points?
Yes, you can deploy Endpoint Protection definitions by using Configuration Manager software
updates. For more information, see Step 3: Configure Configuration Manager Software Updates
to Deliver Definition Updates to Client Computers in the How to Configure Endpoint Protection in
Configuration Manager topic.
Are malware notifications faster in System Center 2012 Endpoint Protection than in
Forefront Endpoint Protection 2010?
Yes, System Center 2012 Endpoint Protection uses Configuration Manager alerts to more quickly
notify you when malware is detected on client computers.
Which antimalware solutions can Endpoint Protection uninstall?
For a list of the antimalware solutions that Configuration Manager can automatically uninstall
when you install the Endpoint Protection client, see the Endpoint Protection section in the About
Client Settings in Configuration Manager topic. For more information about how to configure
Endpoint Protection to uninstall these antimalware solutions, see How to Configure Endpoint
Protection in Configuration Manager.
See Also
Getting Started with System Center 2012 Configuration Manager
Information and Support for Configuration Manager
For the most current System Center 2012 Configuration Manager product documentation, always
use the TechNet Configuration Manager Documentation Library.
If you have feedback about the documentation, email SMSDocs@Microsoft.com.
To receive Twitter feeds from the documentation team (for example, notification of documentation
updates), see the Configuration Manager Documentation Team Twitter feed.
The Configuration Manager Product Group Blog
The Configuration Manager product group and partner teams use the System Center
Configuration Manager Team Blog to provide you with technical information and other news
about Configuration Manager and related technologies. Our blog posts supplement the product
documentation and support information.
Support Options and Community Resources
The following links provide information about support options and community resources:
• System Center Configuration Manager Support
• Microsoft Help and Support
• System Center 2012 Configuration Manager Survival Guide
• Configuration Manager Community Page
• Configuration Manager Forums Page
• myITforum System Center Community Support
Note: All information and content at myITforum.com is provided by the owner or the users of the website. Microsoft makes no warranties, express, implied or statutory, as to the information on this website.
In addition, visit the System Center 2012 TechCenter to find other supporting resources for
System Center 2012 Configuration Manager.
Search the Configuration Manager Documentation Library
Find information online from the Documentation Library for System Center 2012
Configuration Manager.
This customized Bing search query scopes your search so that you see results from the
Documentation Library for System Center 2012 Configuration Manager only. It uses the search
text Configuration Manager, which you can replace in the search bar with your own search
string or strings, and choice of search operators, to help you narrow the search results.
Example Searches
Use the Find information online link and customize the search by using the following examples.
• Single search string: To search for topics that contain the search string Endpoint Protection, replace Configuration Manager with Endpoint Protection:
("Endpoint Protection") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)
• Combining search strings: To search for topics that contain the search strings Endpoint Protection and monitoring, use the AND operator:
("Endpoint Protection") AND ("monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)
• Alternative search strings: To search for topics that contain the search string Endpoint Protection or monitoring, use the OR operator:
("Endpoint Protection" OR "monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)
• Exclude search strings: To search for topics that contain the search string Endpoint Protection and exclude topics about monitoring, use the NOT operator:
("Endpoint Protection") NOT ("monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)
Search Tips
Use the following search tips to help you find the information that you need:
• When you search on a page in TechNet (for example, press Ctrl-F1, and enter search terms in the Find box), the results exclude text that is in collapsed sections. If you are using TechNet in Classic view, before you search on the page, click Expand All at the top of the page, before the topic title. By default, you must first click Collapse All, and then you can click Expand All. With all sections expanded, a search on the page can then search all sections on that page. If you are using TechNet in Lightweight view, this configuration does not support the Expand All option and you must manually expand individual sections that are collapsed before search on the page finds text in those sections.
Tip: To change from TechNet Lightweight view (the default) to Classic view, click the Preferences icon at the top right-hand side of the page, click Classic, and then click OK.
• To search a topic in the help file, press F1, and enter search terms in the Find dialog box. The help file does not support the Expand All option and you must manually expand individual sections that are collapsed before search on the page finds text in those sections.
• Whenever possible, use the TechNet online library rather than downloaded documentation. TechNet contains the most up-to-date information, and the information that you are searching for might not be in the downloaded documentation, or there might be corrections or additional information online.
See Also
Getting Started with System Center 2012 Configuration Manager
Site Administration for System Center 2012
Configuration Manager
The Site Administration for System Center 2012 Configuration Manager guide provides
documentation to help you plan, install, configure, and maintain Microsoft System Center 2012
Configuration Manager. If you are new to Configuration Manager, read Getting Started with
System Center 2012 Configuration Manager before you read this guide.
Site Administration Topics
Use the following topics to help you plan, configure, and maintain System Center 2012
Configuration Manager sites:
• Introduction to Site Administration in Configuration Manager
• Planning for Configuration Manager Sites and Hierarchy
• Configuring Sites and Hierarchies in Configuration Manager
• Operations and Maintenance for Site Administration In Configuration Manager
• Reporting in Configuration Manager
• Security and Privacy for Site Administration in Configuration Manager
• Technical Reference for Site Administration in Configuration Manager
Other Resources for this Product
• TechNet Library main page for System Center 2012 Configuration Manager
• Documentation Library for System Center 2012 Configuration Manager
Introduction to Site Administration in Configuration Manager
Site administration in System Center 2012 Configuration Manager refers to the planning,
installation, management, and monitoring of a System Center 2012 Configuration Manager
hierarchy of sites. A hierarchy of sites can be described by one of three basic configurations:
• A single stand-alone primary site that has no additional sites.
• A primary site that has one or more secondary sites.
• A central administration site as the top-level site that has one or more primary child sites. The primary sites can each support secondary sites.
Several configurations in Configuration Manager apply to objects at every site in the hierarchy.
Other configurations are site-specific and require that you configure each site separately. For
example, you can configure most site system roles at a primary site, but some site system roles
can only be installed at the top-level site of a hierarchy, which might be a primary site in one
hierarchy and a central administration site in another hierarchy. Your available network
infrastructure, the network and geographical locations of the resources that you manage, and the
management features that you use can influence your hierarchy design and approach to
administration.
Use the following sections for more information about planning, configuring, and managing your
Configuration Manager site or hierarchy:
• Plan and Deploy a Hierarchy of Sites
• Deploy Site Systems at Sites
• Configure Hierarchy-Wide and Site-Specific Options
• Monitor and Maintain the Hierarchy
Plan and Deploy a Hierarchy of Sites
Before you deploy your first site, review the planning information for Configuration Manager. The
type of site that you first deploy can define the structure for your hierarchy. For example, if the
first site that you install is a primary site because you do not expect to manage a complex or
geographically dispersed environment, your hierarchy is limited to a single primary site. This
primary site can support secondary sites. However, if you deploy a central administration site as
your first site, you have the option to add more primary sites as child sites to the central
administration site in the future. This provides you with the flexibility to expand your hierarchy as
your company grows and when management requirements change. For more information about
sites and hierarchies, see Planning for Sites and Hierarchies in Configuration Manager.
When you plan your hierarchy, consider the external dependencies of Configuration Manager,
such as a public key infrastructure (PKI) if you plan to use certificates, or your Active Directory
domain structure. Determine whether you manage resources in untrusted forests or resources
that are on the Internet, and determine how Configuration Manager will support these scenarios.
These factors and other considerations can influence your hierarchy design and site and site
system role placement. For more information, see PKI Certificate Requirements for Configuration
Manager and Identify Your Network and Business Requirements to Plan a Configuration Manager
Hierarchy.
Deploy Site Systems at Sites
In each site that you install, you must install and configure site system roles to support management operations. If you plan to install more than a single primary site, review the site system roles and whether you can deploy them at different sites. Some site system roles, which include the Endpoint Protection point, require that you install just one instance in the hierarchy to provide a service to all sites in the hierarchy. Other site system roles, which include the Application Catalog web service point, must be installed at each site where you require them to provide a service to that site. Finally, some site system roles, which include the management point and distribution point, support the installation of multiple instances at a site. Refer to the site system role requirements to help you identify the best locations to place the site system roles at each site. For example:
• For central administration sites, you can deploy site system roles that are useful for hierarchy-wide monitoring, such as the reporting services point. You can also deploy site system roles that provide services to the whole hierarchy, such as the Endpoint Protection point. Some roles, such as the software update point, must be installed in the central administration site, but you can also install them in primary and secondary sites. In this scenario, the software update point in the central administration site provides the other software update points with a central location to synchronize software updates.
• For primary sites, you must have site system roles for client communication, such as management points and software update points. Review your network infrastructure and the locations of computers and users on your network to ensure that you put these client-facing site systems in the best locations to optimize network connectivity.
• For secondary sites, you can install a limited set of site system roles. Additionally, if content distribution to a remote network location is your main concern, you might decide to install distribution points from a primary site instead of installing a secondary site.
For more information about site systems, see Planning for Site Systems in Configuration
Manager.
Configure Hierarchy-Wide and Site-Specific Options
After you deploy your first site, you can configure settings that apply across the hierarchy and
settings that are specific to individual sites. Regardless of when you configure sites or hierarchy-
wide settings, plan to periodically revisit these tasks to adjust configurations to meet changing
business requirements. Hierarchy-wide and site-specific configurations affect how sites operate
and how client management tasks in each site function.
Some of the hierarchy-wide configurations that you can set include the following:
• Role-based administration, which includes the following:
   • Identify administrative users who manage your Configuration Manager infrastructure and assign them security roles, security scopes, and collections to manage their permissions to objects, and the objects that they can interact with.
   • Create custom security roles and security scopes that you require to help partition security and administrative user access to different objects.
• Discovery to locate resources that you can manage.
• Boundaries and boundary groups to control client site assignment, and the site system servers from which clients can obtain content such as applications or operating system deployments.
• Client settings to specify how and when Configuration Manager clients perform various operations, which includes when to check for new applications or to submit hardware or software inventory data to their assigned site.
Some of the site-specific configurations that you can set include the following:
• Communication settings for site system roles that control how clients communicate with the site system roles at that site.
• Settings to specify how sites summarize status message details that are collected from clients and site system servers.
• Site maintenance tasks and schedules to help maintain the local Configuration Manager database.
• Site component configurations that control how site system roles operate in a site.
For more information about how to configure sites and hierarchy-wide settings, see Configure
Sites and the Hierarchy in Configuration Manager, and Operations and Maintenance for Site
Administration In Configuration Manager.
Monitor and Maintain the Hierarchy
You must monitor and maintain the health of the hierarchy and individual site systems. Over time,
conditions in your environment can change. These changes might include network issues that
decrease the replication performance between sites, the number of clients that report to a site
and that might affect site system role performance, and an increase in the amount of data that is
stored in the Configuration Manager database that can decrease data processing and site
performance.
To keep your site systems, intersite data replication, and the database healthy, you must monitor
your hierarchy for problems and take actions to maintain these systems to prevent critical
problems.
You can monitor the health of your hierarchy by using the Monitoring workspace in the
Configuration Manager console. Additionally, you can configure site maintenance tasks at each
site to help maintain the operational efficiency of the database, and to remove aged data that you
no longer require. Periodically review the configurations and operational settings for site system
roles to ensure that they continue to provide a service to your clients, and review the frequency
and extent of the data that you collect from clients to ensure that you collect only the data that
you really require.
Configuration Manager provides built-in functionality that you can use to monitor and maintain
your infrastructure. For example, you can do the following:
• Run reports that inform you about the success or failure of typical Configuration Manager tasks and that summarize the operational status of your sites and hierarchy.
• View status messages and receive alerts that can help you identify current or emerging problems, which include information about application deployments or site and hierarchy infrastructure problems.
• View the status of clients, which includes clients that are inactive, and view the status of Endpoint Protection clients.
• Configure more than 30 site maintenance tasks to help maintain the health of the Configuration Manager database.
For more information about monitoring, see Monitor Configuration Manager Sites and Hierarchy,
and Reporting in Configuration Manager. For more information about site maintenance tasks, see
Configure Maintenance Tasks for Configuration Manager Sites.
See Also
Site Administration for System Center 2012 Configuration Manager
Planning for Configuration Manager Sites and Hierarchy
You can install Microsoft System Center 2012 Configuration Manager by using many different
design configurations that range from a single site to multiple sites that span diverse geographical
network locations. Even single site designs often use multiple Windows servers to provide
services to users and devices on your network.
When you install multiple System Center 2012 Configuration Manager sites, they form a hierarchy
of sites that share information by using a distributed database. Sites communicate with each
other and share information by using database replication that is based on SQL Server replication
and file-based transfers. Sites in a hierarchy use parent-child relationships to define
communication paths.
Because the data that is transferred between computers within a site and between different
Configuration Manager sites can significantly affect the efficiency of your network, plan your site
or hierarchy before you install any Configuration Manager site.
Planning Topics
Use the following topics to help you plan for sites and hierarchies by gathering the information
that you will need to plan the design of your System Center 2012 Configuration Manager
deployment to best meet your business requirements and make efficient use of your network
infrastructure.
 Supported Configurations for Configuration Manager
 Planning for Hardware Configurations for Configuration Manager
 PKI Certificate Requirements for Configuration Manager
 Identify Your Network and Business Requirements to Plan a Configuration Manager
Hierarchy
 Determine Whether to Migrate Configuration Manager 2007 Data to System Center 2012
Configuration Manager
 Determine Whether to Extend the Active Directory Schema for Configuration Manager
 Planning for Sites and Hierarchies in Configuration Manager
 Planning for Publishing of Site Data to Active Directory Domain Services
 Planning for Discovery in Configuration Manager
 Planning for Client Settings in Configuration Manager
 Planning for Site Systems in Configuration Manager
 Planning for Content Management in Configuration Manager
 Planning for Boundaries and Boundary Groups in Configuration Manager
 Planning for Security in Configuration Manager
 Planning for Communications in Configuration Manager
 Planning for Site Operations in Configuration Manager
 Planning for High Availability with Configuration Manager
 Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager
Other Resources for this Product
 TechNet Library main page for System Center 2012 Configuration Manager
 Site Administration for System Center 2012 Configuration Manager
Supported Configurations for Configuration Manager
This topic appears in the Getting Started with System Center 2012 Configuration
Manager guide and in the Site Administration for System Center 2012 Configuration
Manager guide.
This topic specifies the requirements necessary to implement and maintain Microsoft System
Center 2012 Configuration Manager in your environment.
The following sections list products that are supported with System Center 2012
Configuration Manager. No extension of support for these products beyond their current product
lifecycles is implied. Products that are beyond their current support lifecycle are not supported for
use with Configuration Manager. For more information about Microsoft Support Lifecycles, visit
the Microsoft Support Lifecycle website at Microsoft Support Lifecycle.
Note
Microsoft provides support for the current service pack and, in some cases, the
immediately preceding service pack. For additional information about Microsoft support
lifecycle policy, visit the Microsoft Support Lifecycle Support Policy FAQ Web site at
Microsoft Support Lifecycle Policy FAQ.
Warning
Products that are not listed in this document are not supported with System Center 2012
Configuration Manager unless they are announced on the System Center Configuration Manager
Team Blog.
 Interoperability Between System Center 2012 Configuration Manager and Configuration
Manager 2007 Sites
 Client Site Assignment Considerations
 Configuration Manager System Requirements
 Site and Site System Role Scalability
 Site System Requirements
 Computer Client Requirements
 Mobile Device Requirements
 Configuration Manager Console Requirements
 Supported Upgrade Paths
 Configurations for the SQL Server Site Database
 SQL Server Requirements
 Function-Specific Requirements
 Application Management
 Out of Band Management
 Remote Control Viewer
 Support for Active Directory Domains
 Active Directory Schema Extensions
 Disjoint Namespaces
 Single Label Domains
 Windows Environment
 Support for Internet Protocol Version 6
 Support for Specialized Storage Technology
 Support for Computers in Workgroups
 Support for Virtualization Environments
 Support for Network Address Translation
 DirectAccess Feature Support
 BranchCache Feature Support
 Fast User Switching
 Dual Boot Computers
Interoperability Between System Center 2012 Configuration Manager and
Configuration Manager 2007 Sites
A System Center 2012 Configuration Manager site or hierarchy cannot interoperate with a
Configuration Manager 2007 site or hierarchy. A Configuration Manager 2007 site cannot report
to a System Center 2012 Configuration Manager parent site, and you cannot upgrade a
Configuration Manager 2007 site to a System Center 2012 Configuration Manager site. Instead of
an in-place upgrade, you use System Center 2012 Configuration Manager migration to migrate
your Configuration Manager 2007 objects and data to System Center 2012
Configuration Manager. For information about migrating from Configuration Manager 2007 to
System Center 2012 Configuration Manager, see Migrating from Configuration Manager 2007 to
System Center 2012 Configuration Manager.
Because you can deploy a System Center 2012 Configuration Manager site or hierarchy side-by-
side with a Configuration Manager 2007 site or hierarchy, take action to prevent clients from
either version from trying to join a site from the other Configuration Manager version. For
example, if your Configuration Manager hierarchies have overlapping boundaries, including the
same network locations, you might assign each new client to a specific site instead of using
automatic site assignment. For information about automatic site assignment in
System Center 2012 Configuration Manager, see How to Assign Clients to a Site in Configuration
Manager.
System Center 2012 Configuration Manager supports only System Center 2012
Configuration Manager device and mobile device clients. The following clients and the following
VPN connection are not supported:
 Any Configuration Manager 2007 or earlier computer client version.
 Any Configuration Manager 2007 or earlier device management client
 Windows CE Platform Builder device management client (any version)
 System Center Mobile Device Manager VPN connection
Client Site Assignment Considerations
System Center 2012 Configuration Manager clients can be assigned to only one site. When
automatic site assignment is used to assign clients to a site during client installation and more
than one boundary group includes the same boundary, and the boundary groups have different
assigned sites, the actual site assignment of a client cannot be predicted.
If boundaries overlap across multiple System Center 2012 Configuration Manager and
Configuration Manager 2007 site hierarchies, clients might not get assigned to the correct site
hierarchy or might not get assigned to a site at all.
System Center 2012 Configuration Manager clients check the version of the Configuration
Manager site before they complete site assignment and cannot assign to a Configuration
Manager 2007 site if boundaries overlap. However, Configuration Manager 2007 clients do not
check for the site version and can incorrectly assign to a System Center 2012
Configuration Manager site.
To prevent Configuration Manager 2007 clients from unintentionally assigning to a
System Center 2012 Configuration Manager site when the two hierarchies have overlapping
boundaries, configure Configuration Manager 2007 client installation parameters to assign clients
to a specific site.
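The following script is an added example and is not part of the Configuration Manager documentation or the product. It shows the mitigation described above: the Configuration Manager 2007 client is installed with an explicit site code (the SMSSITECODE installation property) rather than automatic assignment, and the assigned site is then read back from the client's WMI namespace so that a client that landed in the wrong hierarchy is detected. The site code C07, the server names, the share that holds ccmsetup.exe, and the target computer names are made-up values.

```powershell
# Added example (not from the documentation): pin Configuration Manager 2007
# clients to a specific 2007 site so they cannot auto-assign to a
# System Center 2012 Configuration Manager site with overlapping boundaries,
# then read back the site each client actually joined.
# Hypothetical values: site code C07, site server CM07SITE01, management
# point CM07MP01, and the target computer names.

$SiteCode2007    = 'C07'
$ManagementPoint = 'CM07MP01.corp.example'
$CcmSetupPath    = "\\CM07SITE01\SMS_$SiteCode2007\Client\ccmsetup.exe"
$Targets         = 'WS001', 'WS002'

function Install-Cm2007Client {
    param([string]$ComputerName)
    # Copy ccmsetup.exe onto the target first; a process started remotely through
    # WMI cannot reach a network share on a third computer (no credential delegation).
    Copy-Item -Path $CcmSetupPath -Destination "\\$ComputerName\admin$\Temp\ccmsetup.exe" -Force
    $winDir = (Get-WmiObject -ComputerName $ComputerName -Class Win32_OperatingSystem).WindowsDirectory

    # SMSSITECODE=<code> pins the assignment. SMSSITECODE=AUTO would let the
    # 2007 client pick a site from the boundaries it finds, and the 2007 client
    # does not check the site version before it assigns.
    $commandLine = "$winDir\Temp\ccmsetup.exe /mp:$ManagementPoint SMSSITECODE=$SiteCode2007"
    $result = Invoke-WmiMethod -ComputerName $ComputerName -Class Win32_Process `
                  -Name Create -ArgumentList $commandLine
    if ($result.ReturnValue -ne 0) {
        throw "ccmsetup could not be started on $ComputerName (Win32_Process.Create returned $($result.ReturnValue))"
    }
}

function Get-AssignedSiteCode {
    param([string]$ComputerName)
    # root\ccm:SMS_Authority names the assigned site as 'SMS:<site code>'.
    $authority = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\ccm' `
                     -Class SMS_Authority -ErrorAction Stop
    return ($authority.Name -replace '^SMS:', '')
}

foreach ($computer in $Targets) {
    Install-Cm2007Client -ComputerName $computer
}

# ccmsetup runs asynchronously; run this part once the installations have finished.
foreach ($computer in $Targets) {
    try {
        $assigned = Get-AssignedSiteCode -ComputerName $computer
    } catch {
        Write-Warning "${computer}: client not installed yet or WMI unreachable ($($_.Exception.Message))"
        continue
    }
    if ($assigned -eq $SiteCode2007) {
        Write-Output "${computer}: assigned to $assigned"
    } else {
        Write-Warning "${computer}: assigned to '$assigned' instead of $SiteCode2007; it may have joined the other hierarchy"
    }
}
```

The same SMS_Authority check is useful on its own during a side-by-side deployment: a 2007 client that reports a System Center 2012 Configuration Manager site code has crossed hierarchies and needs to be reinstalled with the explicit site code.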
Configuration Manager System Requirements
The following sections specify the hardware and software requirements that are necessary to
implement and maintain Microsoft System Center 2012 Configuration Manager in your
environment.
Site and Site System Role Scalability
The following table contains information about the number of clients supported at each site type
and by each client-facing site system role. This information is based on the recommended
hardware for site systems. For information about the recommended hardware for Configuration
Manager sites, see Planning for Hardware Configurations for Configuration Manager. For
information about the minimum required hardware to run a Configuration Manager site, see
Minimum Hardware Requirements for Site Systems, in this topic.
Central administration site
 A central administration site can support up to 25 child primary sites.
 When using SQL Server Enterprise or Datacenter for the site database at the central
administration site, the shared database and hierarchy supports up to 400,000 clients. The
maximum number of supported clients per hierarchy depends on the SQL Server edition in the
central administration site, and is independent of the SQL Server edition at primary or
secondary sites.
Note
Configuration Manager supports up to 400,000 clients per hierarchy when you use the default
settings for all Configuration Manager features.
 When you use SQL Server Standard for the site database at the central administration site, the
shared database and hierarchy supports up to 50,000 clients. This is because of how the database
is partitioned. After you install Configuration Manager, if you then upgrade the edition of
SQL Server at the central administration site from Standard to Enterprise or Datacenter, the
database does not repartition and this limitation remains.
Note
You cannot assign Configuration Manager clients to a central administration site. Support for
clients applies to clients that are assigned to child primary sites in the hierarchy.
Primary site
 Each primary site can support up to 250 secondary sites.
Note
The number of secondary sites per primary site is based on well connected and reliable wide
area network (WAN) connections. For locations that have fewer than 500 clients, consider a
distribution point instead of a secondary site.
 A stand-alone primary site always supports up to 100,000 clients.
 A child primary site that uses SQL Server installed on the same computer as the site server can
support up to 50,000 clients. When you use SQL Server that is installed on a computer that is
remote from the site server, the child primary site can support up to 100,000 clients.
Note
In a hierarchy with a central administration site that uses a standard edition SQL Server, the
total number of clients supported in the hierarchy is limited to 50,000. In this hierarchy, a
child primary site that uses a remote installation of SQL Server cannot support more clients
than is supported by the hierarchy. The version of SQL Server that is used by a secondary site
does not affect the number of clients that the primary site supports.
 Unlike a central administration site, the edition of SQL Server you use for the primary site
database does not affect the maximum number of clients the primary site supports. This is true
for both child primary sites, and stand-alone primary sites.
Secondary site
 Each secondary site can support communications from up to 5,000 clients when you use a
secondary site server computer with the recommended hardware and that has a fast and reliable
network connection to its primary parent site. A secondary site might be able to support
communications from additional clients when its hardware configuration exceeds the recommended
hardware configuration. For information about the recommended hardware for Configuration
Manager sites, see Planning for Hardware Configurations for Configuration Manager.
Management point
Primary site:
 Each primary site management point can support up to 25,000 computer clients. To support
100,000 clients you must have at least four management points.
Note
Do not place management points across a slow link from their primary site server or from the
site database server.
 Each primary site can support up to 10 management points.
Note
When you have more than four management points in a primary site, you do not increase the
supported client count of the primary site beyond 100,000. Instead, any additional management
points provide redundancy for communications from clients.
Secondary site:
 Each secondary site supports a single management point that must be installed on the
secondary site server.
 The secondary site management point supports communications from the same number of clients
as supported by the hardware configuration of the secondary site server.
Distribution point
 Individually, each primary site supports up to 250 distribution points and each distribution
point can support up to 4,000 clients.
 Individually, each secondary site supports up to 250 distribution points and each distribution
point can support up to the same number of clients as supported by the hardware configuration of
the secondary site server, up to a maximum of 4,000 clients.
 Each primary site supports a combined total of up to 5,000 distribution points. This total
includes all the distribution points at the primary site and all distribution points that belong
to the primary site’s child secondary sites.
Note
The number of clients that one distribution point can support depends on the speed of your
network, the disk performance of the distribution point computer, and the application or
package size.
Software update point
 Each site supports one active software update point for use on the intranet, and optionally,
one software update point for use on the Internet. You can configure each of these software
update points as a Network Load Balancing (NLB) cluster. You can have up to four software
update points in the NLB cluster.
 A software update point that is installed on the site server can support up to 25,000 clients.
 A software update point that is installed on a computer that is remote from the site server
can support up to 100,000 clients.
Note
For more information, see Planning for Software Updates in Configuration Manager.
Fallback status point
 Each primary site supports one fallback status point.
 Each fallback status point can support up to 100,000 clients.
Application Catalog website point
 Each instance of this site system role supports up to 400,000 clients, providing service for
the entire hierarchy.
 You can install multiple instances of the Application Catalog website point at primary sites.
 For improved performance, plan to support up to 50,000 clients per instance.
Tip
As a best practice, install the Application Catalog website point and Application Catalog web
service point together on the same site system when they provide service to clients that are on
the intranet.
Application Catalog web service point
 Each instance of this site system role supports up to 400,000 clients, providing service for
the entire hierarchy.
 You can install multiple instances of the Application Catalog web service point at primary
sites.
 For improved performance, plan to support up to 50,000 clients per instance.
Tip
As a best practice, install the Application Catalog website point and Application Catalog web
service point together on the same site system when they provide service to clients that are on
the intranet.
System Health Validator point
 Each System Health Validator point can support up to 100,000 clients.
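The following function is an added example, not part of the documentation, that applies the limits from the table above to a proposed design before anything is installed: the hierarchy cap set by the SQL Server edition at the central administration site (or the 100,000 cap of a stand-alone primary site), the 50,000 cap for a child primary site with SQL Server on the site server, the 25,000 clients per management point and 10 management points per primary site, the 250 secondary sites and 250 distribution points per site, and the 5,000 clients per secondary site. The site names, client counts and role counts in the sample design are made-up inputs.

```powershell
# Added example (not from the documentation): validate a proposed hierarchy
# against the supported limits in the scalability table. Returns one finding
# per violated limit; an empty result means the design is within the limits.

function Test-HierarchyDesign {
    param(
        # SQL Server edition at the central administration site, or 'None'
        # for a stand-alone primary site (no central administration site).
        [ValidateSet('None', 'Standard', 'Enterprise', 'Datacenter')]
        [string]$CasSqlEdition,
        # Objects with Name, Clients, LocalSql, ManagementPoints,
        # SecondarySites (client count per secondary site), DistributionPoints.
        [array]$PrimarySites
    )
    $findings = @()
    switch ($CasSqlEdition) {
        'None'     { $hierarchyLimit = 100000 }   # stand-alone primary site
        'Standard' { $hierarchyLimit = 50000 }    # database partitioning limit
        default    { $hierarchyLimit = 400000 }   # Enterprise or Datacenter
    }
    $totalClients = 0
    foreach ($site in $PrimarySites) { $totalClients += $site.Clients }
    if ($totalClients -gt $hierarchyLimit) {
        $findings += "Hierarchy: $totalClients clients exceeds the limit of $hierarchyLimit (SQL Server $CasSqlEdition at the central administration site)"
    }
    if ($CasSqlEdition -eq 'None' -and $PrimarySites.Count -ne 1) {
        $findings += 'Hierarchy: a stand-alone primary site cannot have sibling primary sites'
    }
    if ($PrimarySites.Count -gt 25) {
        $findings += "Hierarchy: $($PrimarySites.Count) primary sites exceeds the 25 supported by a central administration site"
    }
    foreach ($site in $PrimarySites) {
        $n = $site.Name
        # Child primary with SQL Server on the site server: 50,000. Remote
        # SQL Server: 100,000. Never more than the hierarchy allows.
        $siteLimit = 100000
        if ($CasSqlEdition -ne 'None' -and $site.LocalSql) { $siteLimit = 50000 }
        $siteLimit = [Math]::Min($siteLimit, $hierarchyLimit)
        if ($site.Clients -gt $siteLimit) {
            $findings += "${n}: $($site.Clients) clients exceeds the site limit of $siteLimit"
        }
        # 25,000 clients per management point, at most 10 per primary site.
        $mpNeeded = [Math]::Ceiling($site.Clients / 25000)
        if ($site.ManagementPoints -lt $mpNeeded) {
            $findings += "${n}: $($site.Clients) clients need at least $mpNeeded management points; design has $($site.ManagementPoints)"
        }
        if ($site.ManagementPoints -gt 10) {
            $findings += "${n}: $($site.ManagementPoints) management points exceeds the limit of 10"
        }
        # 4,000 clients per distribution point, at most 250 at the primary site.
        $dpNeeded = [Math]::Ceiling($site.Clients / 4000)
        if ($site.DistributionPoints -lt $dpNeeded) {
            $findings += "${n}: $($site.Clients) clients need at least $dpNeeded distribution points; design has $($site.DistributionPoints)"
        }
        if ($site.DistributionPoints -gt 250) {
            $findings += "${n}: $($site.DistributionPoints) distribution points exceeds the limit of 250"
        }
        if ($site.SecondarySites.Count -gt 250) {
            $findings += "${n}: $($site.SecondarySites.Count) secondary sites exceeds the limit of 250"
        }
        foreach ($secondaryClients in $site.SecondarySites) {
            if ($secondaryClients -gt 5000) {
                $findings += "${n}: a secondary site with $secondaryClients clients exceeds the limit of 5,000"
            } elseif ($secondaryClients -lt 500) {
                $findings += "${n}: a secondary site serving only $secondaryClients clients; consider a distribution point instead"
            }
        }
    }
    return $findings
}

# Constructed sample design: central administration site on SQL Server Standard
# with two child primary sites.
$design = @(
    (New-Object PSObject -Property @{ Name = 'P01'; Clients = 30000; LocalSql = $true
                                      ManagementPoints = 1; SecondarySites = @(4500, 300)
                                      DistributionPoints = 12 }),
    (New-Object PSObject -Property @{ Name = 'P02'; Clients = 45000; LocalSql = $false
                                      ManagementPoints = 2; SecondarySites = @()
                                      DistributionPoints = 20 })
)
Test-HierarchyDesign -CasSqlEdition 'Standard' -PrimarySites $design
```

For the sample design the function reports three findings: the 75,000-client total exceeds the 50,000 that SQL Server Standard at the central administration site allows, P01 needs a second management point for 30,000 clients, and one of P01's secondary sites serves fewer than 500 clients. Changing the edition to 'Enterprise' clears the first finding, which is the decision the Standard-edition note above says cannot be reversed by upgrading SQL Server after installation.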
Site System Requirements
Each System Center 2012 Configuration Manager site system server must use a 64-bit operating
system. The only exception to this is the distribution point site system role which can be installed
on limited 32-bit operating system versions.
Limitations for site systems:
 Site systems are not supported on Server Core installations of Windows Server 2008 or
Windows Server 2008 R2, or on Windows Server 2008 Foundation or Windows Server 2008 R2
Foundation.
 It is not supported to change the domain membership or computer name of a Configuration
Manager site system after it is installed.
 Site system roles are not supported on an instance of a Windows Server cluster. The only
exception to this is the site database server.
The following sections list the hardware requirements and operating system requirements for
System Center 2012 Configuration Manager sites, typical site system roles, and function-specific
site system roles.
Prerequisites for Site System Roles
The following table identifies prerequisites that are required by Configuration Manager for each
site system role. Some prerequisites, such as SQL Server for the site database server, or
Windows Server Update Services (WSUS) for the software update point, might require additional
prerequisites that are not directly required by the site system role.
For site system roles that require Internet Information Services (IIS), use the version of IIS that
is supported by the operating system of the computer that runs the site system role. For
information, see the following sections, Operating System Requirements for Typical Site System
Roles and Operating System Requirements for Function-Specific Site System Roles, in this topic.
For each site system role, the following list gives the four columns of the prerequisites table:
.NET Framework version (1), Windows Communication Foundation (WCF) activation (2), role
services for the web server (IIS) role, and additional prerequisites.
Site server
 .NET Framework version (1): 3.5 SP1 and 4.0
 WCF activation (2): Not applicable
 Role services for the web server (IIS) role: Not applicable
 Additional prerequisites: Windows feature: Remote Differential Compression. By default, a
secondary site installs a management point and a distribution point. Therefore secondary sites
must meet the prerequisites for these site system roles.
Database server
 .NET Framework version (1): Not applicable
 WCF activation (2): Not applicable
 Role services for the web server (IIS) role: Not applicable
 Additional prerequisites: A version of SQL Server that Configuration Manager supports must be
installed on this computer. When you install SQL Server Express as part of a secondary site
installation, the secondary site server computer must meet the requirements for SQL Server
Express.
SMS Provider server
 .NET Framework version (1): Not applicable
 WCF activation (2): Not applicable
 Role services for the web server (IIS) role: Not applicable
 Additional prerequisites: Not applicable
Application Catalog web service point
 .NET Framework version (1): 3.5 SP1 and 4.0
 WCF activation (2): HTTP Activation and Non-HTTP Activation
 Role services for the web server (IIS) role: Requires the default IIS configuration with the
following additions:
   Application Development: ASP.NET (and automatically selected options)
   IIS 6 Management Compatibility: IIS 6 Metabase Compatibility
 Additional prerequisites: Not applicable
Application Catalog website point
 .NET Framework version (1): 4.0
 WCF activation (2): Not applicable
 Role services for the web server (IIS) role: Requires the default IIS configuration with the
following additions:
   Common HTTP Features: Static Content, Default Document
   Application Development: ASP.NET (and automatically selected options) (3)
   Security: Windows Authentication
   IIS 6 Management Compatibility: IIS 6 Metabase Compatibility
 Additional prerequisites: Not applicable
Asset Intelligence synchronization point
 .NET Framework version (1): 4.0
 WCF activation (2): Not applicable
 Role services for the web server (IIS) role: Not applicable
 Additional prerequisites: Not applicable
Distribution point (4)
 .NET Framework version (1): Not applicable
 WCF activation (2): Not applicable
 Role services for the web server (IIS) role: You can use the default IIS configuration, or a
custom configuration. To use a custom IIS configuration, you must enable the following options
for IIS:
   Application Development: ISAPI Extensions
   Security: Windows Authentication
   IIS 6 Management Compatibility: IIS 6 Metabase Compatibility, IIS 6 WMI Compatibility
When you use a custom IIS configuration you can remove options that are not required, including
the following:
   Common HTTP Features: HTTP Redirection
   IIS Management Scripts and Tools
   BITS Server Extensions (and automatically selected options), or Background Intelligent
Transfer Services (BITS) (and automatically selected options)
 Additional prerequisites: Windows feature: Remote Differential Compression. To support PXE or
multicast, install the following Windows role: Windows Deployment Services.
Endpoint Protection point
 .NET Framework version (1): 3.5 SP1
 WCF activation (2): Not applicable
 Role services for the web server (IIS) role: Not applicable
 Additional prerequisites: Not applicable
Enrollment point
 .NET Framework version (1): 3.5 SP1
 WCF activation (2): HTTP Activation and Non-HTTP Activation
 Role services for the web server (IIS) role: Requires the default IIS configuration with the
following additions:
   Application Development: ASP.NET (and automatically selected options)
 Additional prerequisites: Not applicable
Enrollment proxy point
 .NET Framework version (1): 3.5 SP1
 WCF activation (2): HTTP Activation and Non-HTTP Activation
 Role services for the web server (IIS) role: Requires the default IIS configuration with the
following additions:
   Application Development: ASP.NET (and automatically selected options)
 Additional prerequisites: Not applicable
Fallback status point
 .NET Framework version (1): Not applicable
 WCF activation (2): Not applicable
 Role services for the web server (IIS) role: Requires the default IIS configuration with the
following additions:
   IIS 6 Management Compatibility: IIS 6 Metabase Compatibility
 Additional prerequisites: Not applicable
Management point
 .NET Framework version (1): 3.5 SP1, required only when the management point is configured to
support mobile devices (5)
 WCF activation (2): Not applicable
 Role services for the web server (IIS) role: You can use the default IIS configuration, or a
custom configuration. To use a custom IIS configuration, you must enable the following options
for IIS:
   Application Development: ISAPI Extensions
   Security: Windows Authentication
   IIS 6 Management Compatibility: IIS 6 Metabase Compatibility, IIS 6 WMI Compatibility
When you use a custom IIS configuration you can remove options that are not required, including
the following:
   Common HTTP Features: HTTP Redirection
   IIS Management Scripts and Tools
 Additional prerequisites: Windows feature: BITS Server Extensions (and automatically selected
options), or Background Intelligent Transfer Services (BITS) (and automatically selected
options)
Out of band service point
 .NET Framework version (1): 4.0
 WCF activation (2): HTTP Activation and Non-HTTP Activation
 Role services for the web server (IIS) role: Not applicable
 Additional prerequisites: Not applicable
Reporting services point
 .NET Framework version (1): 4.0
 WCF activation (2): Not applicable
 Role services for the web server (IIS) role: Not applicable
 Additional prerequisites: SQL Server Reporting Services installed and configured to use at
least one instance for the reporting services point.
Software update point
 .NET Framework version (1): 3.5 SP1 and 4.0
 WCF activation (2): Not applicable
 Role services for the web server (IIS) role: Requires the default IIS configuration
 Additional prerequisites: Windows Server Update Services (WSUS) 3.0 SP2 must be installed on
this computer.
State migration point
 .NET Framework version (1): Not applicable
 WCF activation (2): Not applicable
 Role services for the web server (IIS) role: Requires the default IIS configuration
 Additional prerequisites: Not applicable
System Health Validator point
 .NET Framework version (1): Not applicable
 WCF activation (2): Not applicable
 Role services for the web server (IIS) role: Not applicable
 Additional prerequisites: This site system role is supported only on a NAP health policy
server.
1 Install the full version of the Microsoft .NET Framework before you install the site system
roles. For example, see the Microsoft .NET Framework 4 (Stand-Alone Installer).
Important
The Microsoft .NET Framework 4 Client Profile is insufficient for this requirement.
2 You can configure WCF activation as part of the .NET Framework Windows feature on the site
system server. For example, on Windows Server 2008 R2, run the Add Features Wizard to install
additional features on the server. On the Select Features page, expand NET Framework 3.5.1
Features, then expand WCF Activation, and then select the check box for both HTTP Activation
and Non-HTTP Activation to enable these options.
3 In some scenarios, such as when IIS is installed or reconfigured after the .NET Framework
version 4.0 is installed, you must explicitly enable ASP.NET version 4.0. For example, on a 64-bit
computer that runs the .NET Framework version 4.0.30319, run the following command:
%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i -enable
4 You must manually install IIS on computers that run a supported version of Windows Server
2003. Additionally, to install IIS and configure the additional Windows features, the computer
might require access to the Windows Server 2003 source media.
5 By default, a management point does not require the .NET Framework. However, each
management point that you enable to support mobile devices does require the .NET Framework
3.5 SP1.
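The following script is an added example and is not part of the documentation or the product. It installs the IIS role services, WCF activation options, BITS Server Extensions and Remote Differential Compression that the table above requires for a few site system roles on Windows Server 2008 R2, then reports anything that is still missing. The feature names are the Server Manager names on Windows Server 2008 R2 and are assumptions: confirm them with Get-WindowsFeature on your build before relying on them. The .NET Framework 4 itself is a separate download (footnote 1) and is not installed by this script.

```powershell
# Added example (not from the documentation): install the Windows features
# that the prerequisites table lists for selected site system roles on
# Windows Server 2008 R2, and report what is still missing afterwards.
# Feature names are assumed Server Manager names; verify with Get-WindowsFeature.

Import-Module ServerManager

$RoleFeatures = @{
    # Management point: IIS with ISAPI Extensions, Windows Authentication,
    # IIS 6 Metabase and WMI compatibility, plus BITS Server Extensions.
    ManagementPoint      = @('Web-Server', 'Web-ISAPI-Ext', 'Web-Windows-Auth',
                             'Web-Metabase', 'Web-WMI', 'BITS-IIS-Ext')
    # Distribution point: the same IIS options plus Remote Differential Compression.
    DistributionPoint    = @('Web-Server', 'Web-ISAPI-Ext', 'Web-Windows-Auth',
                             'Web-Metabase', 'Web-WMI', 'RDC')
    # Add Windows Deployment Services only when the distribution point will
    # serve PXE or multicast.
    DistributionPointPxe = @('WDS')
    # Application Catalog web service point: .NET 3.5.1 with HTTP and non-HTTP
    # WCF activation, ASP.NET and IIS 6 Metabase compatibility.
    AppCatalogWebService = @('NET-Framework-Core', 'NET-HTTP-Activation',
                             'NET-Non-HTTP-Activ', 'Web-Server', 'Web-Asp-Net',
                             'Web-Metabase')
    # Application Catalog website point: static content, default document,
    # ASP.NET, Windows Authentication and IIS 6 Metabase compatibility.
    AppCatalogWebsite    = @('Web-Server', 'Web-Static-Content', 'Web-Default-Doc',
                             'Web-Asp-Net', 'Web-Windows-Auth', 'Web-Metabase')
}

function Get-MissingFeature {
    param([string[]]$Names)
    # Return the requested feature names that Server Manager reports as not installed.
    $installed = Get-WindowsFeature | Where-Object { $_.Installed } | ForEach-Object { $_.Name }
    return @($Names | Where-Object { $installed -notcontains $_ })
}

function Install-SiteRolePrerequisites {
    param([string[]]$Roles)
    $wanted = @()
    foreach ($role in $Roles) {
        if (-not $RoleFeatures.ContainsKey($role)) { throw "Unknown role '$role'" }
        $wanted += $RoleFeatures[$role]
    }
    $wanted = @($wanted | Sort-Object -Unique)
    $missing = Get-MissingFeature -Names $wanted
    if ($missing.Count -gt 0) {
        $result = Add-WindowsFeature -Name $missing
        if ($result.RestartNeeded -and $result.RestartNeeded -ne 'No') {
            Write-Warning 'A restart is required before the role can be installed'
        }
    }
    # Anything still missing after the install is returned (empty = success).
    return Get-MissingFeature -Names $wanted
}

$stillMissing = Install-SiteRolePrerequisites -Roles 'ManagementPoint', 'DistributionPoint'
if ($stillMissing.Count -eq 0) {
    Write-Output 'All requested features are installed'
} else {
    Write-Warning ('Not installed: ' + ($stillMissing -join ', '))
}
```

When IIS is installed this way on a server that already has the .NET Framework 4.0, remember footnote 3: ASP.NET 4.0 is not registered with IIS automatically, so the Application Catalog website point still needs the aspnet_regiis.exe -i -enable step after the features are in place.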
Minimum Hardware Requirements for Site Systems
This section identifies the minimum required hardware requirements for Configuration Manager
site systems. These requirements are sufficient to support all features of Configuration Manager
in an environment with up to 100 clients. This information is suitable for testing environments. For
guidance about the recommended hardware for Configuration Manager in full-scale production
environments, see Planning for Hardware Configurations for Configuration Manager.
The following minimum requirements apply to all site types (central administration site, primary
site, secondary site) when you install all available site system roles on the site server computer.
Hardware component Requirement
Processor  Minimum: AMD Opteron, AMD Athlon 64,
Intel Xeon with Intel EM64T support, Intel
Pentium IV with EM64T support
 Minimum: 1.4 GHz
RAM  Minimum: 2 GB
Free disk space  Available: 10 GB
 Total: 50 GB
Operating System Requirements for Site Servers, Database Servers, and the SMS Provider
The following tables list the supported operating systems for System Center 2012
Configuration Manager site servers, the database server, and the SMS Provider site system role.
Operating system: Windows Server 2008 (SP2), Standard Edition, Enterprise Edition, and
Datacenter Edition
 System architecture: x64
 Central administration site: Supported
 Primary site: Supported
 Secondary site: Supported (2)
 Site database server (1): Supported (2)
 SMS Provider: Supported
Operating system: Windows Server 2008 R2 (without service pack, or with SP1), Standard Edition,
Enterprise Edition, and Datacenter Edition
 System architecture: x64
 Central administration site: Supported
 Primary site: Supported
 Secondary site: Supported (2)
 Site database server (1): Supported (2)
 SMS Provider: Supported
1 For more information about the versions of SQL Server that Configuration Manager supports,
see Configurations for the SQL Server Site Database in this topic.
2 Site database servers and secondary site servers are not supported on a computer that runs
Windows Server 2008 or Windows Server 2008 R2 when that computer uses a read-only domain
controller (RODC).
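The following function is an added example, not part of the documentation, that checks a candidate server against the requirements stated in this topic before any site system role is installed: a 64-bit operating system that is not a Server Core installation, no cluster service on the computer (only the site database may be clustered), a domain controller flagged for review because of the RODC restriction in footnote 2 above, the full .NET Framework 4 rather than the Client Profile (footnote 1 of the prerequisites table), .NET Framework 3.5 SP1, and the minimum 2 GB of RAM and 10 GB of free disk space. The registry paths and WMI classes are standard Windows locations; the thresholds are only the ones this topic states.

```powershell
# Added example (not from the documentation): pre-flight check of a server
# that is about to host Configuration Manager site system roles. Returns a
# list of findings; an empty list means no blocking issue was detected.

function Test-SiteSystemHost {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $issues = @()
    $os = Get-WmiObject -ComputerName $ComputerName -Class Win32_OperatingSystem
    $cs = Get-WmiObject -ComputerName $ComputerName -Class Win32_ComputerSystem
    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)

    # Site systems require a 64-bit OS; only distribution points have 32-bit options.
    if ($os.OSArchitecture -ne '64-bit') {
        $issues += "OS architecture is '$($os.OSArchitecture)'; site systems other than some distribution points require 64-bit"
    }
    # ProductType 1 = workstation OS: only the distribution point role is supported there.
    if ($os.ProductType -eq 1) {
        $issues += 'Workstation operating system: only the distribution point role is supported here'
    }
    # Server Core is reported through InstallationType; site systems are not supported on it.
    $installType = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion').GetValue('InstallationType')
    if ($installType -eq 'Server Core') {
        $issues += 'Server Core installation: site systems are not supported'
    }
    # Only the site database server may live on a cluster; ClusSvc marks a cluster node.
    if (Get-WmiObject -ComputerName $ComputerName -Class Win32_Service -Filter "Name='ClusSvc'") {
        $issues += 'Cluster Service is present: only the site database server role is supported on a cluster'
    }
    # DomainRole 4 (backup DC, which is also how an RODC reports) or 5 (primary DC).
    if ($cs.DomainRole -ge 4) {
        $issues += 'Computer is a domain controller; confirm it is not an RODC before using it for a secondary site or the site database'
    }
    # The full .NET Framework 4 registers NDP\v4\Full; the Client Profile only NDP\v4\Client.
    $net4Full = $reg.OpenSubKey('SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full')
    if (-not $net4Full -or $net4Full.GetValue('Install') -ne 1) {
        $issues += '.NET Framework 4 (full) is not installed; the Client Profile is insufficient'
    }
    $net35 = $reg.OpenSubKey('SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5')
    if (-not $net35 -or $net35.GetValue('Install') -ne 1 -or $net35.GetValue('SP') -lt 1) {
        $issues += '.NET Framework 3.5 SP1 is not installed'
    }
    # Minimum hardware from this topic: 2 GB RAM and 10 GB free disk space.
    $ramGB = [Math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    if ($ramGB -lt 2) { $issues += "RAM is $ramGB GB; the minimum is 2 GB" }
    $sysDrive = Get-WmiObject -ComputerName $ComputerName -Class Win32_LogicalDisk `
                    -Filter "DeviceID='$($os.SystemDrive)'"
    $freeGB = [Math]::Round($sysDrive.FreeSpace / 1GB, 1)
    if ($freeGB -lt 10) { $issues += "Free space on $($os.SystemDrive) is $freeGB GB; the minimum is 10 GB" }

    return $issues
}

$issues = Test-SiteSystemHost
if ($issues.Count -eq 0) {
    Write-Output 'No blocking issues found'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

The domain controller check only flags the computer; the RODC restriction applies to secondary site servers and site database servers, so review the finding against the role you intend to install rather than treating it as a hard failure for every role.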
Operating System Requirements for Typical Site System Roles
The following table specifies the operating systems that can support multi-function site system
roles.
Operating system: Windows Vista Business Edition (SP1), Enterprise Edition (SP1), Ultimate
Edition (without service pack, or with SP1)
 System architecture: x64
 Distribution point (3): Supported (1, 2)
 Enrollment point and enrollment proxy point: Not supported
 Fallback status point: Not supported
 Management point: Not supported
Operating system: Windows 7 Professional, Enterprise Editions, and Ultimate Editions (without
service pack, or with SP1)
 System architecture: x86, x64
 Distribution point (3): Supported (1, 2)
 Enrollment point and enrollment proxy point: Not supported
 Fallback status point: Not supported
 Management point: Not supported
Operating system: Windows Server 2003 R2 Standard Edition, Enterprise Edition
 System architecture: x86, x64
 Distribution point (3): Supported (2)
 Enrollment point and enrollment proxy point: Not supported
 Fallback status point: Not supported
 Management point: Not supported
Operating system: Windows Server 2003 Standard Edition (SP2), Enterprise Edition (SP2),
Datacenter Edition (SP2)
 System architecture: x86, x64
 Distribution point (3): Supported (2)
 Enrollment point and enrollment proxy point: Not supported
 Fallback status point: Not supported
 Management point: Not supported
Operating system: Windows Server 2003 Web Edition (SP2), Storage Server Edition (SP2)
 System architecture: x86
 Distribution point (3): Supported (2)
 Enrollment point and enrollment proxy point: Not supported
 Fallback status point: Not supported
 Management point: Not supported
Operating system: Windows Server 2008 Standard Edition (SP2), Enterprise Edition (SP2),
Datacenter Edition (SP2)
 System architecture: x64
 Distribution point (3): Supported (2)
 Enrollment point and enrollment proxy point: Supported
 Fallback status point: Supported
 Management point: Supported
Operating system: Windows Server 2008 R2 Standard Edition (without service pack, or with SP1),
Enterprise Edition (without service pack, or with SP1), Datacenter Edition (SP1)
 System architecture: x64
 Distribution point (3): Supported
 Enrollment point and enrollment proxy point: Supported
 Fallback status point: Supported
 Management point: Supported
1 Distribution points on this operating system are not supported for PXE.
2 Distribution points on this operating system version do not support Multicast.
3 Unlike other site system roles, distribution points are supported on some 32-bit operating
systems. Distribution points also support several different configurations that each have different
requirements and in some cases support installation not only on servers, but on client operating
systems. For more information about the options available for distribution points, see
Prerequisites for Content Management in Configuration Manager in the Deploying Software and
Operating Systems in System Center 2012 Configuration Manager guide.
Operating System Requirements for Function-Specific Site System Roles
The following table specifies the operating systems that are supported for use with each feature-
specific Configuration Manager site system role.
Operating system: Windows Server 2008 Standard Edition (SP2), Enterprise Edition (SP2),
Datacenter Edition (SP2)
 System architecture: x64
 Supported for all of the following roles: Application Catalog web service point and Application
Catalog website point; Asset Intelligence synchronization point; Endpoint Protection point; out
of band service point; reporting services point; software update point; state migration point;
System Health Validator point.
Operating system: Windows Server 2008 R2 Standard Edition (without service pack, or with SP1),
Enterprise Edition (without service pack, or with SP1), Datacenter Edition (SP1)
 System architecture: x64
 Supported for all of the following roles: Application Catalog web service point and Application
Catalog website point; Asset Intelligence synchronization point; Endpoint Protection point; out
of band service point; reporting services point; software update point; state migration point;
System Health Validator point.
Computer Client Requirements
The following sections describe the operating systems and hardware supported for
System Center 2012 Configuration Manager computer client installation. Ensure that you also
review Prerequisites for Client Deployment in Configuration Manager for a list of dependencies
for the installation of the Configuration Manager client on computers and mobile devices.
Computer Client Hardware Requirements
The following are minimum requirements for computers that you manage with Configuration
Manager.
Requirement: Processor and memory
 Refer to the processor and RAM requirements for the computer's operating system.
Note
An exception to this is Windows XP and Windows Server 2003, which both require a minimum of
256 MB of RAM.
Requirement: Disk space
 500 MB available disk space, with 5 GB recommended for the Configuration Manager client cache.
The following are additional hardware requirements for optional functionality in Configuration
Manager.
Function: Operating system deployment
 Minimum hardware requirements: 384 MB of RAM
Function: Software Center
 Minimum hardware requirements: 500 MHz processor
Function: Remote Control
 Minimum hardware requirements: Pentium 4 Hyper-Threaded 3 GHz (single core) or comparable
CPU, with at least 1 GB of RAM for an optimal experience.
Function: Out of Band Management
 Minimum hardware requirements: Desktop or laptop computers must have Intel vPro Technology or
Intel Centrino Pro and a supported version of Intel AMT.
Operating System Requirements for Configuration Manager Client Installation
The following table specifies the operating systems supported for Configuration Manager client
installation. For server platforms, client support is independent of any other service that runs on
that server unless noted otherwise. For example, the client is supported on domain controllers
and servers that run cluster services or terminal services.
Operating system | System architecture | System Center 2012 Configuration Manager
Windows XP Professional (SP3) | x86 | √
Windows XP Professional for 64-bit Systems (SP2) | x64 | √
Windows XP Tablet PC (SP3) | x86 | √
Windows Vista: Business Edition (SP2), Enterprise Edition (SP2), Ultimate Edition (SP2) | x86, x64 | √
Windows 7: Professional, Enterprise Editions, Ultimate Editions (without service pack, or with SP1) | x86, x64 | √
Windows Server 2003 Web Edition (SP2) | x86 | √
Windows Server 2003: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition¹ (SP2) | x86, x64 | √
Windows Server 2003 R2 SP2: Standard Edition, Enterprise Edition, Datacenter Edition¹ | x86, x64 | √
Windows Storage Server 2003 R2 SP2 | x86, x64 | √
Windows Server 2008: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition¹ (SP2) | x86, x64 | √
The Server Core installation of Windows Server 2008 (SP2) | x86, x64 | √
Windows Storage Server 2008 R2: Standard, Enterprise | x64 | √
Windows Server 2008 R2: Standard Edition, Enterprise Edition, Datacenter Edition¹ (without service pack, or with SP1) | x64 | √
The Server Core installation of Windows Server 2008 R2 (without service pack, or with SP1) | x64 | √
Windows Server 2008 R2 SP2: Standard Edition, Enterprise Edition, Datacenter Edition¹ | x64 | √
¹ Datacenter releases are supported but not certified for System Center 2012 Configuration Manager. Hotfix support is not offered for issues specific to Windows Server Datacenter Edition.
Embedded Operating System Requirements for Configuration Manager Clients
System Center 2012 Configuration Manager supports clients for integration with
Windows Embedded. Support limitations for Windows Embedded:
 All client features are supported natively on supported Windows Embedded systems that do
not have write filters enabled. For Windows Embedded systems that do have write filters
enabled, the client features must be accomplished through the use of task sequences.
 The Application Catalog is not supported for any Windows Embedded system.
 Endpoint Protection in System Center 2012 Configuration Manager is not supported with
versions of Windows Embedded that are based on Windows XP.
Configuration Manager supports the following Windows Embedded versions.
Windows Embedded operating system | Base operating system | System architecture
Windows Embedded Standard 2009 | Windows XP SP3 | x86
Windows XP Embedded SP3 | Windows XP SP3 | x86
Windows Fundamentals for Legacy PCs (WinFLP) | Windows XP SP3 | x86
Windows Embedded POSReady 2009 | Windows XP SP3 | x86
WEPOS 1.1 with SP3 | Windows XP SP3 | x86
Windows Embedded Standard 7 with SP1 | Windows 7 | x86, x64
Windows Embedded POSReady 7 | Windows 7 | x86, x64
Windows Thin PC | Windows 7 | x86, x64
Mobile Device Requirements
The following sections describe the hardware and operating systems that are supported for
managing mobile devices in System Center 2012 Configuration Manager.
The following mobile device clients are not supported in the Configuration Manager
hierarchy:
 Device management clients from Systems Management Server 2003 and Configuration
Manager 2007
 Windows CE Platform Builder device management client (any version)
 System Center Mobile Device Manager VPN connection
Mobile Devices Enrolled By Configuration Manager
The following sections describe the hardware and operating systems that are supported for the
mobile devices enrolled by System Center 2012 Configuration Manager.
Enrolled Mobile Device Client Language and Operating System Requirements
The following table lists the platforms and languages that support Configuration Manager
enrollment.
Operating system | Supported Languages
Windows Mobile 6.1 | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Windows Mobile 6.5 | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Nokia Symbian Belle | Arabic, Basque (Basque), Bulgarian, Catalan, Chinese (Hong Kong SAR), Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, English (UK), English (US), Estonian, Farsi, Finnish, French (Canada), French (France), Galician, German, Greek, Hebrew, Hungarian, Icelandic, Indonesian, Italian, Kazakh, Korean, Latvian, Lithuanian, Malay, Norwegian, Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian (Latin/Cyrillic), Slovak, Slovenian, Spanish (Latin America), Spanish (Spain), Swedish, Tagalog (Filipino), Thai, Turkish, Ukrainian, Urdu, Vietnamese
Mobile Device Support by Using the Exchange Server Connector
System Center 2012 Configuration Manager offers limited management for mobile devices when
you use the Exchange Server connector for Exchange ActiveSync (EAS) capable devices that
connect to a server running Exchange Server. For more information about which management
functions Configuration Manager supports for mobile devices that the Exchange Server connector
manages, see Determine How to Manage Mobile Devices in Configuration Manager.
The following table lists the platforms that support the Exchange Server connector.
Version of Exchange Server | Supported
Exchange Server 2010 SP1 | √
Exchange Online (Office 365)¹ | √
¹ Includes Business Productivity Online Standard Suite.
Mobile Device Legacy Client
The following sections list the hardware and operating systems that are supported for the mobile
device legacy client in System Center 2012 Configuration Manager.
Mobile Device Legacy Client Hardware Requirements
The mobile device client requires 0.78 MB of storage space to install. In addition, logging on the
mobile device can require up to 256 KB of storage space.
Mobile Device Legacy Client Operating System Requirements
System Center 2012 Configuration Manager supports management for Windows Phone,
Windows Mobile, and Windows CE when you install the Configuration Manager mobile device
legacy client. Features for these mobile devices vary by platform and client type. For more
information about which management functions Configuration Manager supports for the mobile
device legacy client, see Determine How to Manage Mobile Devices in Configuration Manager.
The mobile device legacy client is supported on the following mobile device platforms:
Operating system | Supported languages
Windows CE 5.0 (Arm and x86 processors) | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Windows CE 6.0 (Arm and x86 processors) | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Windows CE 7.0 (Arm and x86 processors) | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Windows Mobile 6.0 | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Configuration Manager Console Requirements
The Configuration Manager console is supported on the operating systems that are listed in the
following table. Each computer that installs the Configuration Manager console requires the
Microsoft .NET Framework 4.
Operating system | System architecture | System Center 2012 Configuration Manager
Windows XP Professional (SP3) | x86 | √
Windows Vista: Business Edition (SP2), Enterprise Edition (SP2), Ultimate Edition (SP2) | x86, x64 | √
Windows Server 2008: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) | x86, x64 | √
Windows 7: Professional Edition, Enterprise Edition, Ultimate Edition (without service pack, or with SP1) | x86, x64 | √
Windows Server 2008 R2: Standard Edition, Enterprise Edition, Datacenter Edition (without service pack, or with SP1) | x64 | √
It is supported to install the System Center 2012 Configuration Manager console on the same
computer with the Configuration Manager 2007 console. However, you cannot use the
System Center 2012 Configuration Manager console to manage Configuration Manager 2007
sites, and vice versa.
The requirements in the following table apply to each computer that runs Configuration Manager
console.
Minimum hardware configuration:
 1 x Pentium 4 Hyper-Threaded 3 GHz (Intel Pentium 4 HT 630 or comparable CPU)
 2 GB of RAM
 2 GB of disk space
Screen resolution (minimum resolution by DPI setting):
DPI setting | Minimum resolution
96 / 100% | 1024x768
120 / 125% | 1280x960
144 / 150% | 1600x1200
196 / 200% | 2500x1600
Supported Upgrade Paths
The following sections identify the upgrade options for System Center 2012
Configuration Manager, the operating system version of site servers and clients, and the
SQL Server version of database servers.
Site Upgrade
System Center 2012 Configuration Manager is available in the following releases.
Configuration Manager version | Release options | More information
System Center 2012 Configuration Manager | An evaluation release, which expires 180 days after installation; a complete release, to perform a new installation | You can install System Center 2012 Configuration Manager as either a full installation, or as a trial installation. If you install Configuration Manager as a trial installation, after 180 days you can only connect a read-only Configuration Manager console and Configuration Manager functionality is limited. At any time before or after the 180 day period, you have the option to upgrade the trial installation to a full installation. System Center 2012 Configuration Manager supports migration of your Configuration Manager 2007 infrastructure but does not support an in-place upgrade of sites from Configuration Manager 2007. However, migration supports the upgrade of a Configuration Manager 2007 distribution point, or secondary site that is co-located with a distribution point, to a System Center 2012 Configuration Manager distribution point. For more information about migrating to System Center 2012 Configuration Manager from Configuration Manager 2007, see Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager.
Upgrade of the Site Server Operating System
Configuration Manager supports an in-place upgrade of the operating system of the site server in
the following situations:
 In-place upgrade to a higher Windows Server service pack so long as the resulting service
pack level remains supported by Configuration Manager.
Configuration Manager does not support the following Windows Server upgrade scenarios.
 Any version of Windows Server 2008 to any version of Windows Server 2008 R2.
When a direct operating system upgrade is not supported, perform one of the following
procedures after you have installed the new operating system:
 Install System Center 2012 Configuration Manager with the service pack level that you want,
and configure the site according to your requirements.
 Install System Center 2012 Configuration Manager with the service pack level that you want
and perform a site recovery. This scenario requires that you have a site backup that was
created by using the Backup Site Server maintenance task on the original Configuration
Manager site, and that you use the same installation settings for the new
System Center 2012 Configuration Manager site.
Client Operating System Upgrade
Configuration Manager supports an in-place upgrade of the operating system for Configuration
Manager clients in the following situations:
 In-place upgrade to a higher Windows Server service pack so long as the resulting service
pack level remains supported by Configuration Manager.
Site Database Server Upgrade Considerations
Configuration Manager supports an in-place upgrade of SQL Server on the site database server
in the following situations:
 In-place upgrade of SQL Server to a higher service pack so long as the resulting SQL Server
service pack level remains supported by Configuration Manager.
To upgrade SQL Server on the site database server:
1. Stop all Configuration Manager services at the site.
2. Upgrade SQL Server to a supported version.
3. Restart the Configuration Manager services.
Configurations for the SQL Server Site Database
Each System Center 2012 Configuration Manager site database can be installed on either the
default instance or a named instance of a SQL Server installation. The SQL Server instance can
be co-located with the site system server, or on a remote computer.
When you use a remote SQL Server computer, the instance of SQL Server used to host the site
database can also be configured as a SQL Server failover cluster in an active/passive cluster, or
a multiple instance configuration. The site database site system role is the only
System Center 2012 Configuration Manager site system role supported on an instance of a
Windows Server cluster. If you use a SQL Server cluster for the site database, you must add the
computer account of the site server to the Local Administrators group of each Windows Server
cluster node computer.
Note: SQL Server database mirroring is not supported for the Configuration Manager site
database.
When you install a secondary site, you can use an existing instance of SQL Server or allow Setup
to install and use an instance of SQL Server 2008 Express. Whichever option you choose,
SQL Server must be located on the secondary site server.
The following table lists the SQL Server versions that are supported by System Center 2012
Configuration Manager.
SQL Server version | Central administration site | Primary site | Secondary site
SQL Server 2008 SP2 with a minimum of Cumulative Update 9: Standard¹, Enterprise, Datacenter | √ | √ | √
SQL Server 2008 SP3 with a minimum of Cumulative Update 4: Standard¹, Enterprise, Datacenter | √ | √ | √
SQL Server 2008 R2 with SP1 and with a minimum of Cumulative Update 6: Standard¹, Enterprise, Datacenter | √ | √ | √
SQL Server Express 2008 R2 with SP1 and with a minimum of Cumulative Update 4 | Not Supported | Not Supported | √
¹ When you use SQL Server Standard for the database at the central administration site, the hierarchy can only support up to 50,000 clients. For more information, see Site and Site System Role Scalability.
SQL Server Requirements
The following are required configurations for each database server with a full SQL Server
installation, and on each SQL Server Express installation that you manually configure for
secondary sites. You do not have to configure SQL Server Express for a secondary site if
SQL Server Express is installed by Configuration Manager.
Configuration | More information
Database collation | The instance of SQL Server in use at each site must use the following collation: SQL_Latin1_General_CP1_CI_AS.
SQL Server features | Only the Database Engine Services feature is required for each site server. Note: Configuration Manager database replication does not require the SQL Server replication feature.
Windows Authentication | Configuration Manager requires Windows authentication to validate connections to the database.
SQL Server instance | You must use a dedicated instance of SQL Server for each site.
SQL Server memory | When you use a database server that is co-located with the site server, limit the memory for SQL Server to 50 to 80 percent of the available addressable system memory. When you use a dedicated SQL Server, limit the memory for SQL Server to 80 to 90 percent of the available addressable system memory. Configuration Manager requires SQL Server to reserve a minimum of 8 gigabytes (GB) of memory in the buffer pool used by an instance of SQL Server for the central administration site and primary site and a minimum of 4 gigabytes (GB) for the secondary site. This memory is reserved by using the Minimum server memory setting under Server Memory Options and is configured by using SQL Server Management Studio. For more information about how to set a fixed amount of memory, see How to: Set a Fixed Amount of Memory (SQL Server Management Studio).
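The collation, authentication and memory requirements in the table above can be checked from PowerShell instead of by hand in SQL Server Management Studio. The script below is an added example, not code from the Configuration Manager documentation or product. It assumes that Invoke-Sqlcmd is available (SqlServer or SQLPS module) and that the caller is sysadmin on the instance; the instance name CM-DB01\CMSITE, the 8192 MB minimum and the 80 percent ceiling are illustrative inputs that you would choose according to the co-located/dedicated rule in the table. Set-CMSiteDatabaseMemory writes the same 'min server memory (MB)' and 'max server memory (MB)' options that the Server Memory Options page in Management Studio sets.

```powershell
# Added example (not from the Configuration Manager documentation): audit a site
# database instance against the SQL Server requirements and apply the memory
# settings. Assumes Invoke-Sqlcmd (SqlServer or SQLPS module) and sysadmin rights.
# Instance name and memory figures are assumptions for illustration.

function Test-CMSiteDatabase {
    param(
        [Parameter(Mandatory=$true)][string]$ServerInstance,
        [int]$MinServerMemoryMB = 8192,   # 8 GB for a CAS or primary site; 4096 for a secondary site
        [int]$MaxMemoryPercent  = 80      # 50-80 % when co-located with the site server, 80-90 % when dedicated
    )

    # One round trip: collation, authentication mode, current memory options, physical RAM.
    $q = @"
SELECT
    CAST(SERVERPROPERTY('Collation') AS nvarchar(128))         AS Collation,
    CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)   AS WindowsAuthOnly,
    (SELECT CAST(value_in_use AS int) FROM sys.configurations
      WHERE name = 'min server memory (MB)')                  AS MinServerMemoryMB,
    (SELECT CAST(value_in_use AS int) FROM sys.configurations
      WHERE name = 'max server memory (MB)')                  AS MaxServerMemoryMB,
    (SELECT total_physical_memory_kb / 1024
       FROM sys.dm_os_sys_memory)                             AS PhysicalMemoryMB
"@
    $row = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $q

    # Ceiling derived from the percentage rule in the requirements table.
    $recommendedMax = [int]($row.PhysicalMemoryMB * $MaxMemoryPercent / 100)

    New-Object PSObject -Property @{
        ServerInstance    = $ServerInstance
        Collation         = $row.Collation
        CollationOk       = ($row.Collation -eq 'SQL_Latin1_General_CP1_CI_AS')
        WindowsAuthOnly   = [bool]$row.WindowsAuthOnly
        MinServerMemoryMB = $row.MinServerMemoryMB
        MinMemoryOk       = ($row.MinServerMemoryMB -ge $MinServerMemoryMB)
        MaxServerMemoryMB = $row.MaxServerMemoryMB
        RecommendedMaxMB  = $recommendedMax
        MaxMemoryOk       = ($row.MaxServerMemoryMB -le $recommendedMax)
    }
}

function Set-CMSiteDatabaseMemory {
    # Same options as "Minimum server memory" / "Maximum server memory" under
    # Server Memory Options in SQL Server Management Studio.
    param(
        [Parameter(Mandatory=$true)][string]$ServerInstance,
        [Parameter(Mandatory=$true)][int]$MinServerMemoryMB,
        [Parameter(Mandatory=$true)][int]$MaxServerMemoryMB
    )
    if ($MaxServerMemoryMB -le $MinServerMemoryMB) {
        throw "max server memory ($MaxServerMemoryMB MB) must exceed min server memory ($MinServerMemoryMB MB)"
    }
    $q = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'min server memory (MB)', $MinServerMemoryMB; RECONFIGURE;
EXEC sp_configure 'max server memory (MB)', $MaxServerMemoryMB; RECONFIGURE;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $q
}

# Usage (instance name is a hypothetical value).
$instance = 'CM-DB01\CMSITE'
$report = Test-CMSiteDatabase -ServerInstance $instance
$report | Format-List
if (-not $report.CollationOk) {
    Write-Warning "Collation $($report.Collation) is not SQL_Latin1_General_CP1_CI_AS; the instance cannot host a site database."
}
if (-not ($report.MinMemoryOk -and $report.MaxMemoryOk)) {
    Set-CMSiteDatabaseMemory -ServerInstance $instance -MinServerMemoryMB 8192 -MaxServerMemoryMB $report.RecommendedMaxMB
}
```

The collation is reported rather than changed because a server collation cannot be altered after installation without rebuilding the instance; the memory options, by contrast, take effect at RECONFIGURE without a restart, so the script applies them only when the audit fails.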
Optional SQL Server Configurations
The following configurations either support multiple choices or are optional on each database
server with a full SQL Server installation.
Configuration | More information
SQL Server service | You can configure the SQL Server service on each database server to run by using a domain local account or the local system account of the computer running SQL Server.
 Use a domain user account as a SQL Server best practice. This type of account can be more secure than the local system account but might require you to manually register the Service Principal Name (SPN) for the account.
 Use the local system account of the computer running SQL Server to simplify the configuration process. When you use the local system account, Configuration Manager automatically registers the SPN for the SQL Server service. Using the local system account for the SQL Server service is not a SQL Server best practice.
For information about SQL Server best practices, see the product documentation for the version of Microsoft SQL Server that you are using. For information about SPN configurations for Configuration Manager, see How to Manage the SPN for SQL Server Site Database Servers. For information about how to change the account in use by the SQL Server service, see How to: Change the Service Startup Account for SQL Server (SQL Server Configuration Manager).
SQL Server Reporting Services | Required to install a reporting services point that allows you to run reports.
SQL Server ports | For communication to the SQL Server database engine, and for intersite replication, you can use the default SQL Server port configurations or specify custom ports:
 Intersite communications use the SQL Server Service Broker, which by default uses port TCP 4022.
 Intrasite communication between the SQL Server database engine and various Configuration Manager site system roles by default uses port TCP 1433. The following site system roles communicate directly with the SQL Server database:
   Management point
   SMS Provider computer
   Reporting Services point
   Site server
When a SQL Server hosts a database from more than one site, each database must use a separate instance of SQL Server, and each instance must be configured with a unique set of ports.
Warning: Configuration Manager does not support dynamic ports. Because SQL Server named instances by default use dynamic ports for connections to the database engine, when you use a named instance, you must manually configure the static port that you want to use for intrasite communication.
If you have a firewall enabled on the computer running SQL Server, ensure that it is configured to allow the ports in use by your deployment, and at any locations on the network between computers that communicate with the SQL Server.
For an example of how to configure SQL Server to use a specific port, see How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager) in the SQL Server TechNet library.
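The dynamic-port warning above is straightforward to verify on the SQL Server computer, because the listener settings that SQL Server Configuration Manager edits are stored in the registry under the instance's SuperSocketNetLib\Tcp key. The script below is an added example, not part of the documentation or the product: it resolves an instance name to its instance ID, reports whether the instance still listens on a dynamic port, and opens the database engine and Service Broker ports with netsh advfirewall, which exists on Windows Server 2008 and 2008 R2. The instance name CMSITE, the firewall rule names and the port defaults of 1433 and 4022 (the defaults named in the table) are assumptions you would adjust to your deployment.

```powershell
# Added example (not from the Configuration Manager documentation): run on the
# computer that hosts SQL Server. Reads the TCP listener configuration of an
# instance from the registry and opens the required ports in Windows Firewall.
# Instance name, rule names and ports are assumptions for illustration.

function Get-SqlInstanceTcpConfig {
    param([string]$InstanceName = 'MSSQLSERVER')   # default instance; pass e.g. 'CMSITE' for a named instance

    # Instance name -> instance ID (for example CMSITE -> MSSQL10_50.CMSITE).
    $idKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $instanceId = (Get-ItemProperty -Path $idKey).$InstanceName
    if (-not $instanceId) { throw "SQL Server instance '$InstanceName' is not installed on this computer" }

    # IPAll holds the listener settings that apply to every address.
    $tcpKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
    $ipAll = Get-ItemProperty -Path $tcpKey

    # A non-empty TcpDynamicPorts value means the port is chosen at service
    # start-up, which Configuration Manager does not support; TcpPort holds the
    # static port when one is configured.
    New-Object PSObject -Property @{
        InstanceName    = $InstanceName
        InstanceId      = $instanceId
        StaticPort      = $ipAll.TcpPort
        DynamicPorts    = $ipAll.TcpDynamicPorts
        UsesDynamicPort = -not [string]::IsNullOrEmpty($ipAll.TcpDynamicPorts)
    }
}

function Add-CMSqlFirewallRules {
    # Inbound allow rules for the database engine (intrasite, default TCP 1433)
    # and the Service Broker endpoint (intersite replication, default TCP 4022).
    param(
        [int]$DatabaseEnginePort = 1433,
        [int]$ServiceBrokerPort  = 4022
    )
    $rules = @{
        'ConfigMgr-SQL-DatabaseEngine' = $DatabaseEnginePort
        'ConfigMgr-SQL-ServiceBroker'  = $ServiceBrokerPort
    }
    foreach ($name in $rules.Keys) {
        $port = $rules[$name]
        & netsh advfirewall firewall add rule name=$name dir=in action=allow protocol=TCP localport=$port
    }
}

# Usage (instance name is a hypothetical value).
$cfg = Get-SqlInstanceTcpConfig -InstanceName 'CMSITE'
$cfg | Format-List
if ($cfg.UsesDynamicPort) {
    Write-Warning "Instance $($cfg.InstanceName) listens on a dynamic port; set a static TCP port in SQL Server Configuration Manager before using it for a site database."
} else {
    Add-CMSqlFirewallRules -DatabaseEnginePort ([int]$cfg.StaticPort)
}
```

Opening the firewall is deliberately skipped while the instance is still on a dynamic port: a rule for today's port would silently stop matching after the next service restart, which is exactly the failure the warning describes.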
Function-Specific Requirements
The following sections identify function-specific requirements for Configuration Manager.
Application Management
For devices that run the Windows Mobile operating system, Configuration Manager only supports
the Uninstall action for applications on Windows Mobile 6.1.4 or later.
Out of Band Management
System Center 2012 Configuration Manager supports out of band management for computers
that have the following Intel vPro chip sets and Intel Active Management Technology (Intel AMT)
firmware versions:
 Intel AMT version 3.2 with a minimum revision of 3.2.1
 Intel AMT version 4.0, version 4.1, and version 4.2
 Intel AMT version 5.0, and version 5.2 with a minimum revision of 5.2.10
 Intel AMT version 6.0, and version 6.1
The following limitations apply:
 AMT provisioning is not supported on AMT-based computers that are running any version of
Windows Server, Windows XP with SP2, or Windows XP Tablet PC Edition.
 Out of band communication is not supported to an AMT-based computer that is running the
Routing and Remote Access service in the client operating system. This service runs when
Internet Connection Sharing is enabled, and the service might be enabled by line of business
applications.
 The out of band management console is not supported on workstations running Windows XP
on versions earlier than Service Pack 3.
For more information about out of band management in Configuration Manager, see Introduction
to Out of Band Management in Configuration Manager.
Remote Control Viewer
The Configuration Manager remote control viewer is not supported on Windows Server 2003 or
Windows Server 2008 operating systems.
Support for Active Directory Domains
All System Center 2012 Configuration Manager site systems must be members of a Windows
Active Directory domain with a domain functional level of Windows 2000, Windows Server 2003,
Windows Server 2008, or Windows Server 2008 R2.
Note: If you configure discovery to filter and remove stale computer records, the
Active Directory domain functional level must be a minimum of Windows Server 2003.
This requirement includes site systems that support Internet-based client management in a
perimeter network (also known as DMZ, demilitarized zone, and screened subnet). Configuration
Manager client computers can be domain members, or workgroup members.
The following are limitations for site systems:
 It is not supported to change the domain membership, rename the domain, or change the
computer name of a Configuration Manager site system after it is installed.
The following sections contain additional information about domain structures and requirements
for Configuration Manager.
Active Directory Schema Extensions
Configuration Manager Active Directory schema extensions provide benefits for Configuration
Manager sites, but they are not required for all Configuration Manager functions. For more
information about Active Directory schema extension considerations, see Determine Whether to
Extend the Active Directory Schema for Configuration Manager.
Note: If you have extended your Active Directory schema for Configuration Manager 2007, you do not
have to update your schema for System Center 2012 Configuration Manager. You can update the
Active Directory schema before or after you install Configuration Manager. Schema updates do
not interfere with existing Configuration Manager 2007 sites or clients. For more information
about how to extend the Active Directory schema for System Center 2012
Configuration Manager, see the Prepare Active Directory for Configuration Manager section in the
Prepare the Windows Environment for Configuration Manager topic.
Disjoint Namespaces
With the exception of out of band management, Configuration Manager supports installing site
systems and clients in a domain that has a disjoint namespace.
Note: For more information about namespace limitations for when you manage AMT-based
computers out of band, see Prerequisites for Out of Band Management in Configuration
Manager.
A disjoint namespace scenario is one in which the primary Domain Name System (DNS) suffix of
a computer does not match the Active Directory DNS domain name where that computer resides.
The computer with the primary DNS suffix that does not match is said to be disjoint. Another
disjoint namespace scenario occurs if the NetBIOS domain name of a domain controller does not
match the Active Directory DNS domain name.
The following table identifies the supported scenarios for a disjoint namespace.
Scenario | More information
Scenario 1: The primary DNS suffix of the domain controller is not the same as the Active Directory DNS domain name. Computers that are members of the domain can be either disjoint or not disjoint. | In this scenario, the primary DNS suffix of the domain controller is not the same as the Active Directory DNS domain name. The domain controller is disjoint in this scenario. Computers that are members of the domain, including site servers and computers, can have a primary DNS suffix that either matches the primary DNS suffix of the domain controller or matches the Active Directory DNS domain name.
Scenario 2: A member computer in an Active Directory domain is disjoint, even though the domain controller is not disjoint. | In this scenario, the primary DNS suffix of a member computer on which a site system is installed is not the same as the Active Directory DNS domain name, even though the primary DNS suffix of the domain controller is the same as the Active Directory DNS domain name. In this scenario, you have a domain controller that is not disjoint and a member computer that is disjoint. Member computers that are running the Configuration Manager client can have a primary DNS suffix that either matches the primary DNS suffix of the disjoint site system server or matches the Active Directory DNS domain name.
To allow a computer to access domain controllers that are disjoint, you must modify the
msDS-AllowedDNSSuffixes Active Directory attribute on the domain object container. You must add
both of the DNS suffixes to the attribute.
In addition, to ensure that the DNS suffix search list contains all DNS namespaces that are
deployed within the organization, you must configure the search list for each computer in the
domain that is disjoint. Include in the list of namespaces the primary DNS suffix of the domain
controller, the DNS domain name, and any additional namespaces for other servers with which
Configuration Manager might interoperate. You can use the Group Policy Management console
to configure the Domain Name System (DNS) suffix search list.
Important: When you reference a computer in Configuration Manager, enter the computer by using
its Primary DNS suffix. This suffix should match the Fully Qualified Domain Name
registered as the dnsHostName attribute in the Active Directory domain and the Service
Principal Name associated with the system.
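The two checks that the disjoint-namespace guidance above turns on, whether a computer's primary DNS suffix differs from its Active Directory DNS domain name and whether both suffixes are present in msDS-AllowedDNSSuffixes, can be scripted. The following is an added example, not code from the documentation or the product. It assumes the Active Directory PowerShell module (Windows Server 2008 R2 or RSAT), an account with permission to write the domain object, and that it runs on the member computer being assessed; it does not touch the DNS suffix search list, which the text above has you set through Group Policy.

```powershell
# Added example (not from the Configuration Manager documentation): decide whether
# this computer is disjoint and, if so, make sure both DNS suffixes are listed in
# msDS-AllowedDNSSuffixes on the domain object. Assumes the ActiveDirectory
# module and write access to the domain object.

function Test-DisjointNamespace {
    # Primary DNS suffix (Tcpip\Parameters\Domain) versus the DNS name of the
    # Active Directory domain the computer is joined to (Win32_ComputerSystem.Domain).
    $tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $primarySuffix = $tcpip.Domain

    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) { throw 'This computer is a workgroup member; the disjoint test does not apply' }
    $adDomain = $cs.Domain

    # DNS names compare case-insensitively, which is PowerShell's default for -ne.
    New-Object PSObject -Property @{
        ComputerName     = $cs.Name
        PrimaryDnsSuffix = $primarySuffix
        ADDomainDnsName  = $adDomain
        IsDisjoint       = ($primarySuffix -ne $adDomain)
    }
}

function Add-AllowedDnsSuffix {
    # Adds any suffix not already present to msDS-AllowedDNSSuffixes on the
    # domain object container and returns the resulting list.
    param([Parameter(Mandatory=$true)][string[]]$Suffix)

    Import-Module ActiveDirectory -ErrorAction Stop
    $domainDn = (Get-ADDomain).DistinguishedName
    $attr = 'msDS-AllowedDNSSuffixes'

    $current = (Get-ADObject -Identity $domainDn -Properties $attr).$attr
    $missing = @($Suffix | Where-Object { $current -notcontains $_ })
    if ($missing.Count -gt 0) {
        Set-ADObject -Identity $domainDn -Add @{ $attr = $missing }
    }
    (Get-ADObject -Identity $domainDn -Properties $attr).$attr
}

# Usage: assess this computer, then register both suffixes if it is disjoint.
$state = Test-DisjointNamespace
$state | Format-List
if ($state.IsDisjoint) {
    # The attribute must carry the computer's primary DNS suffix and the AD DNS domain name.
    $allowed = Add-AllowedDnsSuffix -Suffix @($state.PrimaryDnsSuffix, $state.ADDomainDnsName)
    "msDS-AllowedDNSSuffixes now contains: $($allowed -join ', ')"
}
```

Running Test-DisjointNamespace on the domain controller itself distinguishes the two scenarios in the table: a disjoint result there is Scenario 1, while a disjoint result only on a site system or client with a non-disjoint domain controller is Scenario 2.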
Single Label Domains
With the exception of out of band management, Configuration Manager supports site systems
and clients in a single label domain when the following criteria are met:
 The single label domain in Active Directory Domain Services must be configured with a
disjoint DNS namespace that has a valid top level domain.
For example: The single label domain of Contoso is configured with a disjoint namespace in
DNS of contoso.com. Therefore, when you specify the DNS suffix in Configuration Manager
for a computer in the Contoso domain, you specify Contoso.com and not Contoso.
 DCOM connections between site servers in the system context must be successful using
Kerberos authentication.
Note: For more information about namespace limitations for when you manage AMT-based
computers out of band, see Prerequisites for Out of Band Management in Configuration
Manager.
Windows Environment
The following sections contain general support configuration information for System Center 2012
Configuration Manager.
Support for Internet Protocol Version 6
Configuration Manager supports Internet Protocol version 6 (IPv6) in addition to Internet Protocol
version 4 (IPv4). The following table lists the exceptions.
Function | Exception to IPv6 support
Network Discovery | IPv4 is required when you configure a DHCP server to search in Network Discovery.
Out of band management | IPv4 is required to support out of band management.
Windows CE | IPv4 is required to support the Configuration Manager client on Windows CE devices.
Support for Specialized Storage Technology
Configuration Manager works with any hardware that is certified on the Windows Hardware
Compatibility List (HCL) for the version of the operating system that the Configuration Manager
component is installed on. Site Server roles require NTFS file systems so that directory and file
permissions can be set. Because Configuration Manager assumes it has complete ownership of a
logical drive, site systems that run on separate computers cannot share a logical partition on any
storage technology, but each computer can use a separate logical partition on the same physical
partition of a shared storage device.
Support considerations for the listed storage technologies:
 Storage Area Network: A Storage Area Network (SAN) is supported when a supported
Windows-based server is attached directly to the volume that is hosted by the SAN.
 Single Instance Storage: It is not supported to configure distribution point package and
signature folders on a Single Instance Storage (SIS)-enabled volume.
Additionally, the Configuration Manager client cache is not supported on a SIS-enabled
volume.
Single Instance Storage (SIS) is a feature of the Windows Storage Server 2003 R2
operating system.
 Removable Disk Drive: It is not supported to install Configuration Manager site system or
clients on a removable disk drive.
Support for Computers in Workgroups
System Center 2012 Configuration Manager provides support for clients in workgroups. It is also
supported for a client to be moved from a workgroup to a domain or from a domain to a
workgroup. For more information, see How to Install Configuration Manager Clients on
Workgroup Computers.
Note: All System Center 2012 Configuration Manager site systems must be members of a supported
Active Directory domain. This requirement includes site systems that support Internet-based
client management in a perimeter network (also known as DMZ, demilitarized zone, and
screened subnet).
Support for Virtualization Environments
Configuration Manager supports client installation and all site server roles in the following
virtualization environments:
 Windows Server 2008
 Microsoft Hyper-V Server 2008
 Windows Server 2008 R2
 Microsoft Hyper-V Server 2008 R2
Each virtual computer you use must meet or exceed the same hardware and software
configuration you would use for a physical Configuration Manager computer.
You can validate that your virtualization environment is supported for Configuration Manager by
using the Server Virtualization Validation Program (SVVP) and its online Virtualization Program
Support Policy Wizard. For more information about the Server Virtualization Validation Program
(SVVP), see Windows Server Virtualization Validation Program.
Configuration Manager does not support Virtual PC or Virtual Server guest operating
systems running on Macintosh.
Configuration Manager cannot manage virtual machines unless they are running. An offline virtual
machine image cannot be updated nor can inventory be collected by using the Configuration
Manager client on the host computer.
No special consideration is given to virtual machines. For example, Configuration Manager might
not determine that an update has to be re-applied to a virtual machine image if it is stopped and
restarted without saving the state of the virtual machine to which the update was applied.
Support for Network Address Translation
Network Address Translation (NAT) is not supported in Configuration Manager, unless the site
supports clients that are on the Internet and the client detects that it is on the Internet. For more
information about Internet-based client management, see the Planning for Internet-Based Client
Management section in the Planning for Communications in Configuration Manager topic.
DirectAccess Feature Support
Configuration Manager supports the DirectAccess feature in Windows Server 2008 R2 for
communication between site system servers and clients. When all the requirements for
DirectAccess are met, by using this feature Configuration Manager clients on the Internet can
communicate with their assigned site as if they were on the intranet.
Note
For server-initiated actions, such as remote control and client push installation, the initiating
computer (such as the site server) must be running IPv6, and this protocol must be supported on
all intervening networking devices.
Configuration Manager does not support the following over DirectAccess:
• Deploying operating systems
• Communication between Configuration Manager sites
• Communication between Configuration Manager site system servers within a site
BranchCache Feature Support
Windows BranchCache has been integrated in System Center 2012 Configuration Manager. You
can configure the BranchCache settings on a deployment type for applications, on the
deployment for a package, and for task sequences.
When all the requirements for BranchCache are met, this feature enables clients at remote
locations to obtain content from local clients that have a current cache of the content.
For example, when the first BranchCache-enabled client computer requests content from a
distribution point that is running Windows Server 2008 R2 and that has also been configured as a
BranchCache server, the client computer downloads the content and caches it. This content is
then made available for clients on the same subnet that request this same content, and these
clients also cache the content. In this way, subsequent clients on the same subnet do not have to
download content from the distribution point, and the content is distributed across multiple clients
for future transfers.
Configuration Manager supports BranchCache with Windows Server 2008 R2 and Windows 7
clients that are configured in BranchCache distributed cache mode. Support is extended to clients
running a supported version of Windows Vista, Windows Server 2008 with SP1, and Windows
Server 2008 with SP2 by using the BITS 4.0 release. However, on these operating systems, the
BranchCache client functionality is not supported for software distribution that is run from the
network or for SMB file transfers. You can install the BITS 4.0 release on Configuration Manager
clients by using software updates or software distribution. For more information about the
BITS 4.0 release, see Windows Management Framework.
To support BranchCache with Configuration Manager, add the BranchCache feature to the
Windows Server 2008 R2 site system server that is configured as a distribution point.
System Center 2012 Configuration Manager distribution points on servers configured to support
BranchCache require no further configuration.
To use BranchCache, the clients that can support BranchCache must be configured for
BranchCache distributed mode, and the operating system setting for BITS client settings must be
enabled to support BranchCache.
For more information about BranchCache, see BranchCache for Windows in the Windows Server
documentation.
Fast User Switching
Fast User Switching, available in Windows XP in workgroup computers, is not supported in
System Center 2012 Configuration Manager. Fast User Switching is supported for computers that
are running Windows Vista or later.
Dual Boot Computers
System Center 2012 Configuration Manager cannot manage more than one operating system on
a single computer. If there is more than one operating system on a computer that must be
managed, adjust the discovery and installation methods that are used to ensure that the
Configuration Manager client is installed only on the operating system that has to be managed.
See Also
Planning for Configuration Manager Sites and Hierarchy
Planning for Hardware Configurations for Configuration Manager
This topic identifies recommended hardware configurations for System Center 2012
Configuration Manager site system servers, clients, and the Configuration Manager console. Use
these recommendations as guidelines when you plan to scale your Configuration Manager
environment to support more than a very basic deployment of sites, site systems, and clients.
Use the information in this topic as a guide for the hardware to use when you run Configuration
Manager at scale. For information about supported configurations for Configuration Manager, see
Supported Configurations for Configuration Manager.
These recommendations are not intended to cover each possible site and hierarchy configuration.
Instead, use this information as a guide to help you plan for hardware that can meet the
processing loads for clients and sites that use the available Configuration Manager features with
the default configurations.
• Configuration Manager Site Systems
• Site Servers
• Disk Space Configurations
• Remote Site System Servers
Configuration Manager Site Systems
This section identifies recommended hardware configurations for Configuration Manager site
systems. In general, the key factors that limit performance of the overall system include the
following, in order:
1. Disk I/O performance
2. Available memory
3. CPU
For best performance, use RAID 10 configurations for all data drives and 1 Gbps Ethernet network
connectivity between site system servers, including the database server.
Site Servers
Use the following recommendations for each Configuration Manager site server. For information
about the disk space requirements, see Disk Space Configurations.
Site details: Central administration site with the Standard edition of SQL Server
  • SQL Server is located on the site server computer.
  • This configuration supports a hierarchy with up to 50,000 clients.
  Note: Database replication represents the largest processing load on the central administration site.
Suggested minimum configuration:
  • 8 cores (Intel Xeon 5504 or comparable CPU)
  • 32 GB of RAM
  • 300 GB of disk space for the operating system, Configuration Manager, SQL Server, and all database files.

Site details: Central administration site with the Enterprise or Datacenter edition of SQL Server
  • SQL Server is located on the site server computer.
  • This configuration supports a hierarchy with up to 400,000 clients.
  Note: Database replication represents the largest processing load on the central administration site.
Suggested minimum configuration:
  • 16 cores (Intel Xeon L5520 or comparable CPU)
  • 64 GB of RAM
  • 1.5 TB of disk space for the operating system, Configuration Manager, SQL Server, and all database files.

Site details: Stand-alone primary site
  • Up to 100,000 clients
  • SQL Server is installed on the site server computer.
Suggested minimum configuration:
  • 8 cores (Intel Xeon E5504 or comparable CPU)
  • 32 GB of RAM
  • 550 GB of hard disk space for the operating system, SQL Server, and all database files.

Site details: Primary site in a hierarchy
  • Up to 50,000 clients
  • SQL Server is installed on the site server computer.
Suggested minimum configuration:
  • 4 cores (Intel Xeon 5140 or comparable CPU)
  • 16 GB of RAM
  • 300 GB of hard disk space for the operating system, Configuration Manager, SQL Server, and all database files.

Site details: Primary site in a hierarchy
  • Up to 100,000 clients
  • SQL Server is remote from the site server computer.
Suggested minimum configuration:
  Site server:
  • 4 cores (Intel Xeon 5140 or comparable CPU)
  • 8 GB of RAM
  • 200 GB of disk space for the operating system and Configuration Manager.
  Remote SQL Server:
  • 8 cores (Intel Xeon E5504 or comparable CPU)
  • 32 GB of RAM
  • 550 GB of hard disk space for the operating system, SQL Server, and all database files.

Site details: Secondary site
  • Communications from up to 5,000 clients
  • SQL Server must be installed on the site server computer.
Suggested minimum configuration:
  • 4 cores (Intel Xeon 5140 or comparable CPU)
  • 8 GB of RAM
  • 100 GB of hard disk space for the operating system, Configuration Manager, SQL Server, and all database files.
Disk Space Configurations
Because disk allocation and configuration contribute to the performance of System Center 2012
Configuration Manager, disk space requirements can be greater than for previous product
versions. Use the following information as guidelines when you determine the amount of disk
space Configuration Manager requires. Because each Configuration Manager environment is
different, these values can vary from the following guidance.
For the best performance, place each object on a separate, dedicated RAID volume. For all data
volumes (Configuration Manager and its database files), use RAID 10 for the best performance.
Data usage | Minimum disk space (1) | 25,000 clients | 50,000 clients | 100,000 clients
Operating system | See guidance for the operating system. | See guidance for the operating system. | See guidance for the operating system. | See guidance for the operating system.
Configuration Manager Application and Log Files | 25 GB | 50 GB | 100 GB | 200 GB
Site database .mdf file | 75 GB for every 25,000 clients | 75 GB | 150 GB | 300 GB
Site database .ldf file | 25 GB for every 25,000 clients | 25 GB | 50 GB | 100 GB
Temp database files (.mdf and .ldf) | As needed | As needed | As needed | As needed
Content (distribution point shares) | As needed | As needed | As needed | As needed
(1) The minimum disk space does not include the space required for source content that is located on the site server.
In addition to the preceding guidance, consider the following general guidelines when you plan for
disk space requirements:
• Each client requires approximately 3 MB of space in the database.
• When planning for the size of the Temp database for a primary site, plan for a size that is 25% to 30% of the site database .mdf file. The actual size can be significantly smaller, or larger, and depends on the performance of the site server and the volume of incoming data over both short and long periods of time.
• The Temp database size for a central administration site is typically much smaller than that for a primary site.
• The secondary site database is limited in size to the following:
  • SQL Server 2008 Express: 4 GB
  • SQL Server 2008 R2 Express: 10 GB
Remote Site System Servers
Use the following as recommended hardware configurations for computers that run the following
site system roles. These recommendations are for computers that hold a single site system role
and you should make adjustments when you install multiple site system roles on the same
computer. For more information about the disk space requirements, see Disk Space
Configurations in this topic.
Site system role: Management point
Suggested minimum configuration:
  • 4 cores (Intel Xeon 5140 or comparable CPU)
  • 8 GB of RAM
  • 50 GB of disk space for the operating system and Configuration Manager.
  Note: Management point performance relies most on memory and processor capacity.

Site system role: Distribution point
Suggested minimum configuration:
  • 2 cores (Intel Xeon 5140 or comparable CPU)
  • 8 GB of RAM
  • Disk space as required for the operating system and the content you deploy to the distribution point.
  Note: Distribution point performance relies most on network I/O and disk I/O.

Site system role: Application Catalog, with the web service and website on the site system computer
Suggested minimum configuration:
  • 4 cores (Intel Xeon 5140 or comparable CPU)
  • 16 GB of RAM
  • 50 GB of disk space for the operating system and Configuration Manager.

Site system role: All other site system roles
Suggested minimum configuration:
  • 4 cores (Intel Xeon 5140 or comparable CPU)
  • 8 GB of RAM
  • 50 GB of disk space for the operating system and Configuration Manager.
See Also
Planning for Configuration Manager Sites and Hierarchy
PKI Certificate Requirements for Configuration Manager
The public key infrastructure (PKI) certificates that you might require for System Center 2012 Configuration Manager are listed in the following tables. This information assumes basic knowledge of PKI certificates. For step-by-step guidance for an example deployment of these certificates, see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority. For more information about Active Directory Certificate Services, see Active Directory Certificate Services in Windows Server 2008.
With the exception of the client certificates that Configuration Manager enrolls on mobile devices,
and the certificates that Configuration Manager installs on AMT-based computers, you can use
any PKI to create, deploy, and manage the following certificates. However, when you use Active
Directory Certificate Services and certificate templates, this Microsoft PKI solution can ease the
management of the certificates. Use the Microsoft certificate template to use column to identify
the certificate template that most closely matches the certificate requirements. Template-based
certificates can be issued only by an enterprise certification authority running on the Enterprise
Edition or Datacenter Edition of the server operating system, such as Windows Server 2008
Enterprise and Windows Server 2008 Datacenter.
When you use an enterprise certification authority and certificate templates, do not use
the version 3 templates (Windows Server 2008, Enterprise Edition). These certificate
templates create certificates that are incompatible with Configuration Manager.
Use the following sections to view the certificate requirements.
PKI Certificates for Servers

Configuration Manager component: Site systems that run Internet Information Services (IIS) and that are configured for HTTPS client connections:
  • Management point
  • Distribution point
  • Software update point
  • State migration point
  • Enrollment point
  • Enrollment proxy point
  • Application Catalog web service point
  • Application Catalog website point
Certificate purpose: Server authentication
Microsoft certificate template to use: Web Server
Specific information in the certificate:
  Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).
  If the site system accepts connections from the Internet, the Subject Name or Subject Alternative Name must contain the Internet fully qualified domain name (FQDN).
  If the site system accepts connections from the intranet, the Subject Name or Subject Alternative Name must contain either the intranet FQDN (recommended) or the computer's name, depending on how the site system is configured.
  If the site system accepts connections from both the Internet and the intranet, both the Internet FQDN and the intranet FQDN (or computer name) must be specified by using the ampersand (&) symbol delimiter between the two names.
  Important: When the software update point accepts client connections from the Internet only, the certificate must contain both the Internet FQDN and the intranet FQDN.
  SHA-1 and SHA-2 hash algorithms are supported.
  Configuration Manager does not specify a maximum supported key length for this certificate. Consult your PKI and IIS documentation for any key-size-related issues for this certificate.
How the certificate is used in Configuration Manager:
  This certificate must reside in the Personal store in the Computer certificate store.
  This web server certificate is used to authenticate these servers to the client and to encrypt all data transferred between the client and these servers by using Secure Sockets Layer (SSL).

Configuration Manager component: Network Load Balancing (NLB) cluster for a software update point
Certificate purpose: Server authentication
Microsoft certificate template to use: Web Server
Specific information in the certificate:
  1. The FQDN of the NLB cluster in the Subject Name field or Subject Alternative Name field:
     • For network load balancing servers that support Internet-based client management, use the Internet NLB FQDN.
     • For network load balancing servers that support intranet clients, use the intranet NLB FQDN.
  2. The computer name of the site system in the NLB cluster in the Subject Name field or Subject Alternative Name field. This server name must be specified after the NLB cluster name and the ampersand (&) symbol delimiter:
     • For site systems on the intranet, use the intranet FQDN if you specify them (recommended) or the computer NetBIOS name.
     • For site systems supporting Internet-based client management, use the Internet FQDN.
  SHA-1 and SHA-2 hash algorithms are supported.
How the certificate is used in Configuration Manager:
  This certificate is used to authenticate the network load balancing software update point to the client, and to encrypt all data transferred between the client and these servers by using SSL.

Configuration Manager component: Site system servers and servers that run Microsoft SQL Server
Certificate purpose: Server authentication
Microsoft certificate template to use: Web Server
Specific information in the certificate:
  Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).
  The Subject Name must contain the intranet fully qualified domain name (FQDN).
  SHA-1 and SHA-2 hash algorithms are supported.
  Maximum supported key length is 2048 bits.
How the certificate is used in Configuration Manager:
  This certificate must reside in the Personal store in the Computer certificate store, and Configuration Manager automatically copies it to the Trusted People store for servers in the Configuration Manager hierarchy that might have to establish trust with the server. These certificates are used for server-to-server authentication.

Configuration Manager component: Site system monitoring for the following site system roles:
  • Management point
  • State migration point
Certificate purpose: Client authentication
Microsoft certificate template to use: Workstation Authentication
Specific information in the certificate:
  Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).
  Computers must have a unique value in the Subject Name field or in the Subject Alternative Name field.
  Note: If you are using multiple values for the Subject Alternative Name, only the first value is used.
  SHA-1 and SHA-2 hash algorithms are supported.
  Maximum supported key length is 2048 bits.
How the certificate is used in Configuration Manager:
  This certificate is required on the listed site system servers, even if the System Center 2012 Configuration Manager client is not installed, so that the health of these site system roles can be monitored and reported to the site.
  The certificate for these site systems must reside in the Personal store of the Computer certificate store.

Configuration Manager component: Site systems that have a distribution point installed
Certificate purpose: Client authentication
Microsoft certificate template to use: Workstation Authentication
Specific information in the certificate:
  Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).
  There are no specific requirements for the certificate Subject or Subject Alternative Name (SAN), and you can use the same certificate for multiple distribution points.
  The private key must be exportable.
  SHA-1 and SHA-2 hash algorithms are supported.
  Maximum supported key length is 2048 bits.
How the certificate is used in Configuration Manager:
  This certificate has two purposes:
  • It authenticates the distribution point to an HTTPS-enabled management point before the distribution point sends status messages.
  • When the Enable PXE support for clients distribution point option is selected, the certificate is sent to computers so that, if task sequences in the operating system deployment process include client actions such as client policy retrieval or sending inventory information, the client computers can connect to an HTTPS-enabled management point during the deployment of the operating system. This certificate is used for the duration of the operating system deployment process only and is not installed on the client. Because of this temporary use, the same certificate can be used for every operating system deployment if you do not want to use multiple client certificates.
  This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported into the distribution point properties.
  Note: The requirements for this certificate are the same as the client certificate for boot images for deploying operating systems. Because the requirements are the same, you can use the same certificate file.

Configuration Manager component: Out of band service point
Certificate purpose: AMT Provisioning
Microsoft certificate template to use: Web Server (modified)
Specific information in the certificate:
  Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1) and the following object identifier: 2.16.840.1.113741.1.2.3.
  The subject name field must contain the FQDN of the server that is hosting the out of band service point.
  Note: If you request an AMT provisioning certificate from an external CA instead of from your own internal CA, and it does not support the AMT provisioning object identifier of 2.16.840.1.113741.1.2.3, you can alternatively specify the following text string as an organizational unit (OU) attribute in the certificate subject name: Intel(R) Client Setup Certificate. This exact text string in English must be used, in the same case, without a trailing period, and in addition to the FQDN of the server that is hosting the out of band service point.
  SHA-1 is the only supported hash algorithm.
  Supported key lengths: 1024 and 2048. For AMT 6.0 and later versions, the key length of 4096 bits is also supported.
How the certificate is used in Configuration Manager:
  This certificate resides in the Personal store in the Computer certificate store of the out of band service point site system server.
  This AMT provisioning certificate is used to prepare computers for out of band management. You must request this certificate from a CA that supplies AMT provisioning certificates, and the BIOS extension for the Intel AMT-based computers must be configured to use the root certificate thumbprint (also referred to as the certificate hash) for this provisioning certificate. VeriSign is a typical example of an external CA that provides AMT provisioning certificates, but you can also use your own internal CA.
  Install the certificate on the server that hosts the out of band service point, which must be able to chain successfully to the certificate's root CA. (By default, the root CA certificate and intermediate CA certificate for VeriSign are installed when Windows installs.)
Proxy Web Servers for Internet-Based Client Management
If the site supports Internet-based client management, and you are using a proxy web server by using SSL termination (bridging) for incoming Internet connections, the proxy web server has the certificate requirements listed in the following table.
Note
If you are using a proxy web server without SSL termination (tunneling), no additional certificates are required on the proxy web server.

Network infrastructure component: Proxy web server accepting client connections over the Internet
Certificate purpose: Server authentication and client authentication
Microsoft certificate template to use:
  1. Web Server
  2. Workstation Authentication
Specific information in the certificate:
  Internet FQDN in the Subject Name field or in the Subject Alternative Name field (if you are using Microsoft certificate templates, the Subject Alternative Name is available with the workstation template only).
  SHA-1 and SHA-2 hash algorithms are supported.
How the certificate is used in Configuration Manager:
  This certificate is used to authenticate the following servers to Internet clients and to encrypt all data transferred between the client and this server by using SSL:
  • Internet-based management point
  • Internet-based distribution point
  • Internet-based software update point
  The client authentication is used to bridge client connections between the System Center 2012 Configuration Manager clients and the Internet-based site systems.
PKI Certificates for Clients
Configuration
Manager
component
Certificate
purpose
Microsoft
certificate
template to use
Specific information
in the certificate
How the certificate is
used in Configuration
Manager
Client
computers
Client
authentication
Workstation
Authenticatio
n
Enhanced Key
Usage value must
contain Client
Authentication
(1.3.6.1.5.5.7.3.2).
Client computers
must have a unique
value in the Subject
Name field or in the
Subject Alternative
Name field.
Note
If you are
using
multiple
values for
By default,
Configuration Manager
looks for computer
certificates in the
Personal store in the
Computer certificate
store.
With the exception of
the software update
point and the
Application Catalog
website point, this
certificate
authenticates the client
to site system servers
that run IIS and that
are configured to use
216
Configuration
Manager
component
Certificate
purpose
Microsoft
certificate
template to use
Specific information
in the certificate
How the certificate is
used in Configuration
Manager
the Subject
Alternative
Name, only
the first value
is used.
SHA-1 and SHA-2
hash algorithms are
supported.
Maximum supported
key length is 2048
bits.
HTTPS.
Mobile device
clients
Client
authentication
Authenticated
Session
Enhanced Key
Usage value must
contain Client
Authentication
(1.3.6.1.5.5.7.3.2).
SHA-1 is the only
supported hash
algorithm.
Maximum supported
key length is 2048
bits.
Important
These
certificates
must be in
Distinguishe
d Encoding
Rules (DER)
encoded
binary X.509
format.
Base64
encoded
X.509 format
is not
supported.
This certificate
authenticates the
mobile device client to
the site system servers
that it communicates
with, such as
management points
and distribution points.
217
Configuration
Manager
component
Certificate
purpose
Microsoft
certificate
template to use
Specific information
in the certificate
How the certificate is
used in Configuration
Manager
Boot images
for deploying
operating
systems
Client
authentication
Workstation
Authenticatio
n
Enhanced Key
Usage value must
contain Client
Authentication
(1.3.6.1.5.5.7.3.2).
There are no specific
requirements for the
certificate Subject
Name field or Subject
Alternative Name
(SAN), and you can
use the same
certificate for all boot
mages.
The private key must
be exportable.
SHA-1 and SHA-2
hash algorithms are
supported.
Maximum supported
key length is 2048
bits.
The certificate is used
if task sequences in
the operating system
deployment process
include client actions
such as client policy
retrieval or sending
inventory information.
This certificate is used
for the duration of the
operating system
deployment process
only and is not installed
on the client. Because
of this temporary use,
the same certificate
can be used for every
operating system
deployment if you do
not want to use
multiple client
certificates.
This certificate must be
exported in a Public
Key Certificate
Standard (PKCS #12)
format, and the
password must be
known so that it can be
imported into the
Configuration Manager
boot images.
Note
The
requirements
for this
certificate are
the same as
218
Configuration
Manager
component
Certificate
purpose
Microsoft
certificate
template to use
Specific information
in the certificate
How the certificate is
used in Configuration
Manager
the server
certificate for
site systems
that have a
distribution
point installed.
Because the
requirements
are the same,
you can use
the same
certificate file.
Root
certification
authority (CA)
certificates for
the following
scenarios:
 Operating
system
deployme
nt
 Mobile
device
enrollmen
t
 RADIUS
server
authentic
ation for
Intel
AMT-
based
computer
s
 Client
certificate
authentic
ation
Certificate
chain to a
trusted source
Not applicable. Standard root CA
certificate.
The root CA certificate
must be provided when
clients have to chain
the certificates of the
communicating server
to a trusted source.
This applies in the
following scenarios:
 When you deploy
an operating
system, and task
sequences run that
connect the client
computer to a
management point
that is configured
to use HTTPS.
 When you enroll a
mobile device to be
managed by
System Center 201
2
Configuration Man
ager.
 When you use
802.1X
authentication for
AMT-based
219
Configuration
Manager
component
Certificate
purpose
Microsoft
certificate
template to use
Specific information
in the certificate
How the certificate is
used in Configuration
Manager
computers, and
you want to specify
a file for the
RADIUS server’s
root certificate.
In addition, the root CA
certificate for clients
must be provided if the
client certificates are
issued by a different
CA hierarchy than the
CA hierarchy that
issued the
management point
certificate.
Intel AMT-based computers
Certificate purpose: Server authentication.
Microsoft certificate template to use: Web Server (modified). You must configure the Subject Name for Build from this Active Directory information, and then select Common name for the Subject name format. You must grant Read and Enroll permissions to the universal security group that you specify in the out of band management component properties.
Specific information in the certificate: Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1). The Subject Name must contain the FQDN of the AMT-based computer, which is supplied automatically from Active Directory Domain Services. SHA-1 is the only supported hash algorithm. Maximum supported key length: 2048 bits.
How the certificate is used in Configuration Manager: This certificate resides in the nonvolatile random access memory of the management controller in the computer and is not viewable in the Windows user interface. Each Intel AMT-based computer requests this certificate during AMT provisioning and for subsequent updates. If you remove AMT provisioning information from these computers, they revoke this certificate. When this certificate is installed on Intel AMT-based computers, the certificate chain to the root CA is also installed. AMT-based computers cannot support CA certificates with a key length larger than 2048 bits. After the certificate is installed on Intel AMT-based computers, this certificate authenticates the AMT-based computers to the out of band service point site system server and to computers that run the out of band management console, and encrypts all data transferred between them by using Transport Layer Security (TLS).

Intel AMT 802.1X client certificate
Certificate purpose: Client authentication.
Microsoft certificate template to use: Workstation Authentication. You must configure the Subject Name for Build from this Active Directory information, and then select Common name for the Subject name format, clear the DNS name and select the User principal name (UPN) for the alternative subject name. You must grant the universal security group that you specify in the out of band management component properties Read and Enroll permissions to this certificate template.
Specific information in the certificate: Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). The subject name field must contain the FQDN of the AMT-based computer and the subject alternative name must contain the UPN. Maximum supported key length: 2048 bits.
How the certificate is used in Configuration Manager: This certificate resides in the nonvolatile random access memory of the management controller in the computer and is not viewable in the Windows user interface. Each Intel AMT-based computer can request this certificate during AMT provisioning, but it does not revoke this certificate when its AMT provisioning information is removed. After the certificate is installed on AMT-based computers, this certificate authenticates the AMT-based computers to the RADIUS server so that they can then be authorized for network access.
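The requirements in the two Intel AMT rows above (the Enhanced Key Usage OID, a subject common name equal to the FQDN that Active Directory supplies, a UPN in the subject alternative name for the 802.1X certificate, a 2048-bit key ceiling for the leaf and for every CA in its chain, and SHA-1 for the server authentication certificate) can be checked on an issued certificate before it is pushed into AMT firmware, where the table notes it is no longer viewable. The script below is an added example written for this page; it is not code from the Configuration Manager documentation or product. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later (or PowerShell 7). The function name Test-AmtCertificate, the -Role values ServerAuth and Dot1xClient, and the sample host name amt01.contoso.com are made up here, and the New-SelfSignedCertificate parameters used to build the throwaway test certificate are the ones available on Windows 10 and Windows Server 2016 and later.

```powershell
# Added example (not from the Configuration Manager documentation). Checks a certificate against
# the requirements listed in the Intel AMT rows of the table. Names below are made up for the example.
function Test-AmtCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # FQDN that Active Directory Domain Services supplies for the AMT-based computer
        [Parameter(Mandatory)]
        [string]$ExpectedFqdn,

        # ServerAuth = Web Server (modified) row; Dot1xClient = Workstation Authentication row
        [Parameter(Mandatory)]
        [ValidateSet('ServerAuth', 'Dot1xClient')]
        [string]$Role
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Enhanced Key Usage: Server Authentication (…7.3.1) or Client Authentication (…7.3.2)
    $requiredEku = if ($Role -eq 'ServerAuth') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }
    $ekuExt  = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $requiredEku) {
        $findings.Add("EKU does not contain $requiredEku (found: $($ekuOids -join ', '))")
    }

    # 2. Subject name: the Common name must be the computer's FQDN
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedFqdn) { $findings.Add("Subject CN '$cn' is not the expected FQDN '$ExpectedFqdn'") }

    # 3. 802.1X client certificate only: the subject alternative name must carry a UPN
    if ($Role -eq 'Dot1xClient') {
        $upn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
        if ([string]::IsNullOrEmpty($upn) -or $upn -notmatch '@') {
            $findings.Add('Subject alternative name does not contain a user principal name (UPN)')
        }
    }

    # 4. Key length: AMT supports at most 2048-bit keys, for the leaf and for every CA in the chain.
    #    X509Chain.Build() returns $false for an untrusted test certificate, but the chain elements
    #    it found are still populated, so the leaf (and any CAs it could locate) get checked.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($Certificate)
    foreach ($element in $chain.ChainElements) {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($element.Certificate)
        if ($null -eq $rsa) { $findings.Add("$($element.Certificate.Subject): public key is not RSA"); continue }
        if ($rsa.KeySize -gt 2048) {
            $findings.Add("$($element.Certificate.Subject): $($rsa.KeySize)-bit key exceeds the 2048-bit AMT maximum")
        }
    }

    # 5. Hash algorithm: the server authentication certificate must be signed with SHA-1 (sha1RSA OID)
    if ($Role -eq 'ServerAuth' -and $Certificate.SignatureAlgorithm.Value -ne '1.2.840.113549.1.1.5') {
        $findings.Add("Signature algorithm is $($Certificate.SignatureAlgorithm.FriendlyName); AMT requires sha1RSA")
    }

    [pscustomobject]@{
        Subject  = $Certificate.Subject
        Role     = $Role
        Passed   = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Usage: build a throwaway test certificate that satisfies the Web Server (modified) row, check it,
# then remove it. Assumes the Windows 10 / Windows Server 2016 New-SelfSignedCertificate parameters.
$test = New-SelfSignedCertificate -Subject 'CN=amt01.contoso.com' -KeyLength 2048 -HashAlgorithm sha1 `
    -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1' -CertStoreLocation Cert:\CurrentUser\My
Test-AmtCertificate -Certificate $test -ExpectedFqdn 'amt01.contoso.com' -Role ServerAuth
Remove-Item -Path "Cert:\CurrentUser\My\$($test.Thumbprint)"
```

Run against a certificate issued by the enterprise CA instead of the self-signed test certificate, the chain walk also covers the issuing and root CA keys, which is where the 2048-bit CA limit stated in the table is most often violated. Because the script runs on the Windows side, it verifies what the CA issued against the template, not what the management controller stored.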
See Also
Planning for Configuration Manager Sites and Hierarchy
Identify Your Network and Business Requirements to Plan a Configuration Manager Hierarchy
Before you install a System Center 2012 Configuration Manager hierarchy of sites, or a single
site, you must understand your network structure, organizational requirements, and the resources
that are available to use with Configuration Manager. You can then combine this information with
the requirements for Configuration Manager to make decisions about your hierarchy and site
designs, and site system server placement.
Use the information in the following sections when you plan your Configuration Manager
hierarchy:
 Collect Data about Available Resources
 Understand Your Organization
 Understand Your Physical Networks
 Use the Data That You Collected to Plan Configuration Manager Sites
 Use Your Active Directory Information
 Use Collected Information to Plan for Discovery
 Use Collected Information to Plan for Boundaries and Boundary Groups
 Use Collected Information to Plan for Site and Hierarchy Design
 Use Collected Information to Plan for Site Systems
Collect Data about Available Resources
Before you design your System Center 2012 Configuration Manager deployment, you must
understand the available network infrastructure and your company’s IT organization and
requirements.
Understand Your Organization
It is important that you know the structure of your organization because this information can
influence how you deploy, use, and support Configuration Manager. It is also useful to know your
organization’s long-term plans. Changes such as mergers and acquisitions can have a significant
effect on IT infrastructure. External factors that require changes and internal projects (either
planned or in progress) can affect how you design and deploy Configuration Manager.
Use the following guidelines to help you collect data about your organization.
Considerations Details
Departmental organization: Include the following information:
 High-level organization charts to help determine the divisional structure of your organization, the design of your Configuration Manager hierarchy, and your method of communicating Configuration Manager implementation updates to different departments
 Reporting hierarchy
 Communications methods
 Service level agreements (SLAs)
IT organization and administrative policies: Consider the following factors:
 The structure and technical level of local and remote IT divisions, their reporting hierarchies, and local and global IT administrative policies
 Organizational structure
 Reporting hierarchy
 Local administrative policies and SLAs
 Global IT administrative policies and SLAs
Long-term business direction: Any major business changes planned for the future, such as mergers, acquisitions, major physical moves, or network migrations
Geographic Profile
To deploy an efficient hierarchy of Configuration Manager sites, and to place individual sites in
optimal locations, you must understand the geographic profile of your organization. Many
organizations have centrally located headquarters with branch offices located in other regions as
remote sites. Organizations that have locations in different cities must consider how to manage
resources at those locations. This requires evaluation of the available network bandwidth
between locations and an understanding of date and time zone differences that can affect how
and when you distribute software to different locations.
Use the following guidelines to collect geographic information.
Geographic information Details
Date and time zone information: List the time zone for each location, and list any date and time difference between the remote site and headquarters.
 Time zone.
 Date and time differences.
Operating systems and international operating system versions: List the operating systems that are in use and their locations.
Active Directory Structure
When you plan your Configuration Manager hierarchy, consider the layout of your Active
Directory structure (hierarchical forest arrangement and domain structure) and its physical
structure (Active Directory site topology). An Active Directory site typically includes one or more
well connected TCP/IP subnets. A well connected TCP/IP subnet has a fast, reliable network
connection.
Document your physical Active Directory structure and domain structure before you start the
planning phase. Later, when you plan your Configuration Manager deployment, pay attention to
the more detailed information of the logical structure, such as the organizational units, because
these can help determine how you organize collections, distribute software, and perform queries
in Configuration Manager.
Use the following guidelines to collect Active Directory information.
Active Directory structure Details
Logical structure: The logical structure of your organization as represented by the following Active Directory components: organizational units, domains, trees, and forests.
Information that you collect about domains and forests must include information about trusted and untrusted domains and forests that contain resources that you will use or manage with Configuration Manager. This includes information about existing domains and trusts across forests.
Physical structure: The physical structure of your organization as represented by the following Active Directory components: Active Directory sites (physical subnets) and domain controllers.
Information Technology Organization
It is important to determine your personnel resource requirements and to assign project roles
when you plan your Configuration Manager deployment. To do this, you first must have an
understanding of your current IT organization. You require this information during your
Configuration Manager planning and deployment phases, and also for post-deployment
operational tasks.
Understand the structure of the IT staff in your organization. For example, you might have one
central IT group with members in close communication. Or you might have many decentralized
groups where communication is not optimal. There might be a central headquarters with IT
responsibility, or many separate administrative units with widely varying goals and philosophies.
Use the following guidelines to collect IT organization information.
Details
Collect information about your IT organization.
Also create an organization chart that maps
your IT organization to your geographic profile.
IT reporting hierarchy.
IT departmental divisions that produce an
overlap in Configuration Manager tasks (for
example, a department separate from the
Configuration Manager team manages all
database servers, including computers that are
running Microsoft SQL Server).
Locations where management control or policy
issues exist.
Level of technical sophistication and security
clearance of IT staff members who are working
with Configuration Manager before, during, or
after deployment.
Auditing policies.
Service level agreements for departments, end
users, and IT groups.
Operating systems in use on the network.
Sensitivity to security risks.
Change control policy.
Security Environment
Use the following guidelines to collect security policy information.
Details
Collect information about your organization’s
security policies, such as the following:
 Account password policies
 Account reuse policies
 Account rights policies
 Client and server lockdown policies
(restrictions on disks and registry, services
that are stopped, whether services use
Domain Administrator accounts, and hidden
shared folders that are removed)
 Auditing policies
Separation of or delegation of duties between
IT divisions within the enterprise.
The degree to which users must retain control
of client devices, and any exceptions to such
policies (such as servers, or computers in use
by programmers).
Collect information about how security-related
issues will be handled and supported, such as
the following information:
 Sensitivity to security risks
 Importance of ease of administration
 Special requirements for secure data
access and transmission
 Service level agreements (SLAs) for
applying security updates
Operating System Languages
Identify the client and server operating system languages that devices use that you will manage
with Configuration Manager.
By default, the Configuration Manager console and client-facing user interface display
information in English. However, each site can install support for multiple supported languages
so that information is displayed in the language of the operating system. This information can help
you plan for the languages you require at each site to provide your administrative users and end
users with the language support that they require.
Understand Your Physical Networks
It is important that you know the structure of your available networks, the network topology,
available bandwidth, the location of servers, and the location of computers that might be installed
as Configuration Manager clients. This information can influence your decisions about where and
what type of sites your Configuration Manager design requires.
Use the following sections to assist you when you collect data about your organization.
Network Topology
Create high-level diagrams of your network topology that include any available information that is
listed in the following table. Later, after you make decisions about your Configuration Manager
hierarchy structure and site system hardware requirements, you can determine whether any
equipment upgrades or additions are required before you begin your Configuration Manager
deployment.
Network diagrams are also helpful for when you create a representative test environment for a
test network or pilot project. Ensure that your network diagram is detailed and specific. If your
network is large or complex, consider creating a similar but separate diagram for your domain
structure and server topology.
Use the following guidelines to collect network topology information.
Network topology Details
High-level wide area network (WAN)/LAN architecture: Links, gateways, firewalls, extranets, virtual private networks, and perimeter networks
Network size: Number of servers and clients at each location
Network bandwidth: Link speeds and available bandwidth, including any known bandwidth issues
Network usage and traffic patterns: Categorize the amount of traffic, and identify the times of day when the network usage is heaviest (peak times) and the times that are scheduled for backup and maintenance (nonpeak times)
Network types: Windows and non-Microsoft network operating systems
Network protocols: TCP/IP, IPv4, IPv6, AppleTalk, and so on, and name resolution methods such as DNS and WINS
IP subnet structure: The Internet Protocol (IP) subnets on your network by subnet ID
Active Directory site structure: Active Directory organizational units, site names, trees, and forests
Server Environment
Configuration Manager uses typical network infrastructure, which includes Active Directory
Domain Services, DNS, or WINS for name resolution, and Internet Information Services (IIS) for
client communications with Configuration Manager site system servers.
Use the following guidelines to assist in gathering server data.
Server data Details
Location and function: Document the location and function of the computers that run the core services of your network, such as global catalog servers, domain controllers, DNS and WINS servers, IIS servers, certification authority (CA) servers, computers that run Microsoft SQL Server or Terminal Services, servers running Microsoft Exchange Server, print servers, and file servers.
Naming conventions: Document current naming conventions for products that you use with Configuration Manager, such as computers that run Windows Server 2008 and SQL Server. This helps you establish and document naming conventions for your Configuration Manager hierarchy elements. These elements include sites, site codes, servers, and the objects that are used by or created in the Configuration Manager console.
Because the site code is used to identify each Configuration Manager site, it is important that these are centrally assigned and tracked.
Hardware, software, and network information: Document hardware, software, and network information for each server that you will use for a site system role in your Configuration Manager hierarchy.
For example, document the following information for each server that will be part of your Configuration Manager hierarchy:
 Processor type and speed
 Amount of random access memory (RAM)
 Disk and array controller configuration and characteristics, including size, cache size, and the drive models and types.
 Platform operating system, version, and language
 Whether the Windows Cluster service or Windows Network Load Balancing Service is enabled
 Relevant software applications located on servers, which includes firewall and antivirus software
Device Environment
Where applicable, identify information about devices in your network diagram. This type of
information can help you determine whether you must upgrade operating systems before you
deploy Configuration Manager, the scope of your client deployment for devices, and which
discovery and Configuration Manager client installation methods you will employ.
It is important to gather this information so that you can prepare for interoperability and
connectivity issues that might prevent the Configuration Manager client from installing.
For example, suppose that all members of the Contoso Pharmaceuticals sales group use
portable computers:
 Some laptops run Windows XP Professional SP2 (which is not supported as a
System Center 2012 Configuration Manager client), and others run Windows 7.
 Additionally, members of the sales team travel frequently from one location to another and
use a custom remote access application to access the sales database located at
headquarters.
 The Contoso Pharmaceuticals marketing group, however, uses desktop computers that run
Windows Vista. Although they do not travel, the marketing members have home computers
that they use to remotely connect to the corporate network over a virtual private network
(VPN).
The information about operating systems, travel, and custom applications can help you prepare to
manage the computer operating systems that are in use and plan for operating system upgrades
before you deploy Configuration Manager. This information also helps you plan for the
deployment of site systems servers for clients on the intranet and on the Internet, and make
further plans to manage the custom applications that you use.
Use the following guidelines to help you gather data about the devices to manage.
Device considerations Details
Number of devices to manage: Total number of devices in use on your network, and their physical and logical groupings.
IP subnet size: Number and types (operating systems) of devices on each IP subnet, which includes the projected number of managed devices in the next year.
Logon scripts: Whether users use logon scripts, and if those scripts are customized to users or groups. Note the file name and location of each script, and the users and groups that are associated with each script.
Security rights: Desktop security rights that are granted to end users.
Operating systems: Windows operating systems (include the language version) in use on each IP subnet, and the locations of any computers running operating systems other than Windows.
Device mobility: Computers that are shared by multiple users, laptops that travel from one location to another, mobile devices, all home-based computers that have remote access to the network, and any other device environments.
Software: A database or spreadsheet of all major applications that are in use in the enterprise, categorized by organizational division or by IP subnet.
Special applications: Divisions or departments that use Windows Terminal Services to run applications, or that use other special applications, such as internally manufactured or obsolete applications.
Connectivity: The types of connectivity that different organizational groups use, which includes remote connection speeds (dependent on the remote access method in use, such as wireless, dial-up, the Internet, or others).
Use the Data That You Collected to Plan
Configuration Manager Sites
After you collect relevant information about your networks and organization, you can combine this
information with Configuration Manager options and requirements to plan a site or hierarchy that
makes efficient use of your available resources and also meets your organizational goals.
Use the following sections to help you use this data when you plan a site or hierarchy.
Use Your Active Directory Information
Combine the information about your Active Directory environment with the information in the
following table to identify how you can use your existing Active Directory investment with
Configuration Manager.
Active Directory planning Details
Add your Active Directory sites to Configuration
Manager as boundaries
Consider using Active Directory Forest
Discovery to first identify Active Directory sites
and subnets, and then add them as
Configuration Manager boundaries.
For more information, see About Active
Directory Forest Discovery.
Extend the Active Directory schema to simplify
the management of client communication to
sites in Configuration Manager
The preferred, but optional, method for clients
to find information about Configuration
Manager sites and the Configuration Manager
services that are available is from Active
Directory Domain Services. When you extend
the Active Directory schema and enable sites to
publish data to Active Directory, clients can
automatically discover resources from this
trusted source, and make efficient use of the
network, based on their current location.
For more information, see Determine Whether
to Extend the Active Directory Schema for
Configuration Manager.
Use Configuration Manager to manage sites
that span multiple Active Directory forests
Configurations across forests within a site or
between two sites require a full two-way forest
trust so that Kerberos can be used for
authentication.
You can manage computers that are not
members of a trusted Active Directory domain;
however, you must implement additional
configurations to support these computers.
For more information, see Planning for
Communications in Configuration Manager.
Use Collected Information to Plan for Discovery
Combine the information about your Active Directory structure, your network, and device
resources, with the information in the following table to help you plan for discovery, which finds
resources for Configuration Manager to manage.
Discovery planning Details
Use the Active Directory discovery methods to
find computers, users, and groups that you can
manage with Configuration Manager
To query Active Directory Domain Services for
resources, you must understand your Active
Directory container and location structure (local
domain, local forest). Also understand how to
construct custom Lightweight Directory Access
Protocol (LDAP) or Global Catalog queries so
that you can search specific areas of Active
Directory Domain Services to conserve network
bandwidth for when you run the Active
Directory Discovery method.
For more information about which discovery
method to use to discover different resources,
see the Decide Which Discovery Methods to
Use section in the Planning for Discovery in
Configuration Manager topic.
Use Network Discovery to discover details of
your network topology and computer resources
that you can manage with Configuration
Manager
To query your network with Network Discovery,
understand your DHCP server infrastructure,
available SNMP-enabled devices, or Active
Directory domains. This information can help
you configure a Network Discovery search to
conserve network bandwidth for when you run
Network Discovery.
For more information about Network Discovery,
see the About Network Discovery section in the
Planning for Discovery in Configuration
Manager topic.
Use Active Directory Forest Discovery to
search your local forest, and any additional
forests that you configure for Active Directory
sites and subnets
Consider using Active Directory Forest
Discovery to first identify Active Directory sites
and subnets, and then add them as
Configuration Manager boundaries.
For more information, see the About Active
Directory Forest Discovery section in the
Planning for Discovery in Configuration
Manager topic.
Use Collected Information to Plan for Boundaries and Boundary
Groups
System Center 2012 Configuration Manager clients use boundary groups during client installation
for site assignment, and after installation to locate resources for content deployment. You assign
boundaries to boundary groups, and can also assign content servers to boundary groups. Each
boundary group can support two distinct configurations: site assignment and content location.
When you configure two or more boundary groups to include the same boundary, directly or
indirectly, they are considered to be overlapping. For example, you might add an IP subnet
boundary of 5.5.5.5 directly to a boundary group. Next, you add an Active Directory site that
includes that same IP Subnet to a second boundary group. These two boundary groups now
overlap because each includes the 5.5.5.5 subnet.
Configuration Manager supports overlapping boundaries for content location. This type of
configuration can help to provide additional options for clients when they search for available
content. However, Configuration Manager does not support overlapping boundaries for site
assignments as the client cannot identify which site to join. For more information, see Planning for
Boundaries and Boundary Groups in Configuration Manager.
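The overlap rule above can be checked mechanically: expand every boundary that a site-assignment boundary group contains, directly or through an Active Directory site, to IPv4 address ranges, and then look for ranges that intersect across groups that specify different sites. The script below is an added example written for this page; it is not code or a cmdlet from Configuration Manager. The boundary notation IPSubnet:, IPRange: and ADSite:, the group and site names, and the Active Directory site-to-subnet list are all constructed here. Subnets are written in CIDR form for brevity, whereas the console defines an IP subnet boundary by subnet ID and mask, and IPv6 boundaries are not handled.

```powershell
# Added example (not from the Configuration Manager documentation or product). Finds boundaries that
# belong, directly or through an AD site, to two site-assignment boundary groups that name different
# sites. All data and the boundary notation below are constructed for the example.

function ConvertTo-IPv4Number {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                           # network byte order -> little-endian for BitConverter
    [int64][BitConverter]::ToUInt32($bytes, 0)
}

function ConvertTo-IPv4Range {
    # Accepts 'a.b.c.d/n' (subnet in CIDR form) or 'a.b.c.d-e.f.g.h' (address range)
    param([string]$Text)
    if ($Text -match '^([\d.]+)/(\d+)$') {
        $size  = [int64][math]::Pow(2, 32 - [int]$Matches[2])
        $start = (ConvertTo-IPv4Number $Matches[1]) -band (0xFFFFFFFF - ($size - 1))   # clear host bits
        return [pscustomobject]@{ Text = $Text; Start = $start; End = ($start + $size - 1) }
    }
    if ($Text -match '^([\d.]+)-([\d.]+)$') {
        return [pscustomobject]@{ Text = $Text; Start = (ConvertTo-IPv4Number $Matches[1]); End = (ConvertTo-IPv4Number $Matches[2]) }
    }
    throw "Unrecognized boundary value '$Text'"
}

function Expand-Boundary {
    # Resolve one boundary to its IPv4 ranges; an AD site boundary covers every subnet of that site
    param([string]$Boundary, [hashtable]$AdSiteSubnets)
    $kind, $value = $Boundary -split ':', 2
    switch ($kind) {
        'IPSubnet' { ConvertTo-IPv4Range $value }
        'IPRange'  { ConvertTo-IPv4Range $value }
        'ADSite'   { foreach ($subnet in $AdSiteSubnets[$value]) { ConvertTo-IPv4Range $subnet } }
        default    { throw "Unknown boundary type '$kind'" }
    }
}

function Find-SiteAssignmentOverlap {
    param([object[]]$BoundaryGroups, [hashtable]$AdSiteSubnets)
    # Only groups used for site assignment matter; overlap is supported for content location.
    $groups = @($BoundaryGroups | Where-Object { $_.Purpose -eq 'SiteAssignment' })
    $expanded = @(foreach ($g in $groups) {
        foreach ($b in $g.Boundaries) {
            foreach ($r in Expand-Boundary $b $AdSiteSubnets) {
                [pscustomobject]@{ Group = $g.Name; Site = $g.SiteCode; Boundary = $b; Range = $r }
            }
        }
    })
    for ($i = 0; $i -lt $expanded.Count; $i++) {
        for ($j = $i + 1; $j -lt $expanded.Count; $j++) {
            $x = $expanded[$i]; $y = $expanded[$j]
            # Same group, or two groups that name the same site, cannot make site assignment ambiguous
            if ($x.Group -eq $y.Group -or $x.Site -eq $y.Site) { continue }
            if ($x.Range.Start -le $y.Range.End -and $y.Range.Start -le $x.Range.End) {
                [pscustomobject]@{
                    GroupA = $x.Group; SiteA = $x.Site; BoundaryA = $x.Boundary
                    GroupB = $y.Group; SiteB = $y.Site; BoundaryB = $y.Boundary
                    Overlap = "$($x.Range.Text) overlaps $($y.Range.Text)"
                }
            }
        }
    }
}

# Constructed sample: the AD site 'HQ-Site' contains 10.1.1.0/24, and that subnet is also added
# directly to a boundary group that assigns clients to a different site. That is the unsupported case.
$adSiteSubnets  = @{ 'HQ-Site' = @('10.1.0.0/24', '10.1.1.0/24'); 'Branch-Site' = @('10.2.0.0/24') }
$boundaryGroups = @(
    [pscustomobject]@{ Name = 'BG-HQ-Assign';     Purpose = 'SiteAssignment';  SiteCode = 'PS1'; Boundaries = @('ADSite:HQ-Site') }
    [pscustomobject]@{ Name = 'BG-Branch-Assign'; Purpose = 'SiteAssignment';  SiteCode = 'PS2'; Boundaries = @('IPSubnet:10.1.1.0/24', 'IPRange:10.2.0.10-10.2.0.50') }
    [pscustomobject]@{ Name = 'BG-HQ-Content';    Purpose = 'ContentLocation'; SiteCode = $null; Boundaries = @('IPSubnet:10.1.0.0/24') }
)
Find-SiteAssignmentOverlap -BoundaryGroups $boundaryGroups -AdSiteSubnets $adSiteSubnets | Format-Table -AutoSize
```

On the constructed data the only finding is BG-HQ-Assign (PS1) against BG-Branch-Assign (PS2) through 10.1.1.0/24, which HQ-Site contributes indirectly. The 10.2.0.10-10.2.0.50 range and the content-location group produce nothing, which matches the text: overlap is supported for content location and is a problem only where it would leave a client unable to tell which site to join.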
Combine the information about your network topology, available bandwidth, computer resources,
and organization requirements, with the information in the following table to help you plan for
boundaries and boundary groups.
Options to consider Details
Create separate boundary groups for site
assignment and for content location
Although boundary groups support
configurations for site assignment and content
location, consider creating a distinct set of
boundary groups for each purpose.
 Configure boundary groups for client site
assignment without overlapping
boundaries. If you assign a boundary to a
boundary group, do not assign it to another
boundary group that specifies a different
site.
 You can configure boundary groups for
content location with overlapping
boundaries. Each boundary that you assign
to a boundary group will be associated with
each content location server that you
associate to the same boundary group.
Overlapping boundary configurations for
content locations can provide flexibility for
clients that request content.
For more information, see Planning for Boundaries and Boundary Groups in Configuration Manager.
Content location: Add specific network locations as boundaries to
the boundary group, and then add distribution
points that are on fast network connections to
those network locations. Clients that are on the
specified boundaries receive those servers as
content locations during content requests.
Note
State migration points are also
considered content location servers
when you configure boundary groups.
For more information about content location,
see Planning for Content Management in
Configuration Manager.
Site assignment: Add specific network locations as boundaries to
the boundary group and then specify a site to
the boundary group. Avoid assigning the same
boundary, directly or indirectly, to more than
one boundary group that you use for site
assignment.
For more information about client site
assignment, see How to Assign Clients to a
Site in Configuration Manager.
Fallback site assignment: Consider configuring the hierarchy with a
fallback site assignment. The fallback site is
assigned to a new client computer that
automatically discovers its site when that client
is on a network boundary that is not associated
with any boundary group that is configured for
site assignment.
For more information, see the Configure a
Fallback Site for Automatic Site Assignment
section in the Configuring Settings for Client
Management in Configuration Manager topic.
Use Collected Information to Plan for Site and Hierarchy Design
Combine the information about your network topology, available bandwidth, server and computer
resources, and organization requirements, with the information in the following table to help you
plan where to locate sites and site system roles in your hierarchy and how to manage
communications between sites, site systems, and clients.
Considerations Details
Consider installing a Configuration Manager
site only in a well connected network. Usually
well connected networks correspond to
geographic locations. For planning purposes,
start with the assumption that each well
connected network is one Configuration
Manager site. Modify this number as you collect
more information about your organization.
Identify the number and location of well
connected networks that you have in your
network.
Within a site, clients expect communication with
site system servers to be on a well connected
network. When you use a boundary group that
is configured for content location, you can
manage which distribution points and state
migration points a client can access.
For more information, see Planning for
Communications in Configuration Manager.
Remote subnets might be too small to justify
their own Configuration Manager site.
If you have remote subnets that are too small to
justify their own Configuration Manager site, list
those IP subnets and their closest well
connected network.
From the nearest site, consider placing a
distribution point that is enabled for bandwidth
control on these subnets to help manage
content deployment to clients at those
locations.
For more information, see Planning for Content
Deployment During Migration to System Center
2012 Configuration Manager.
In a hierarchy that has multiple primary sites,
the central administration site replicates data
with each primary site.
Balance the location of the central
administration site between a location that
benefits the most administrative users, and a
location that has a well connected network to
your largest primary sites.
Configuration Manager consoles that connect
to a primary site cannot see or manage some
data from other primary sites.
Database replication occurs regularly between
primary sites and the central administration
site, and a well connected network can help
prevent replication delays of the Configuration
Manager database.
For more information about intersite replication,
see the Planning for Inter-Site Communications
in Configuration Manager section in the
Planning for Communications in Configuration
Manager topic.
Each Configuration Manager primary site can
manage up to 100,000 clients, with up to
400,000 clients in a single hierarchy. However,
the practical number of clients that a primary
site can manage also depends on the hardware
configuration and performance constraints of
the site server and site system servers.
Although each primary site supports up to
100,000 clients, site system roles have lower
limits. If you configure too few site system
servers for critical roles at a site, you can
create a performance and communication
bottleneck that adversely affects the
management of your environment.
For example, management points support up to
25,000 clients. Therefore, in a site with 100,000
clients, you can expect to install at least four
management points to provide adequate
service to your clients. However, the addition of
more management points can provide
redundancy and can improve overall client-to-
site communications, and compensate for any
unexpected performance issues on those
management point servers.
For more information about site system server
requirements and capacity, see the Site
System Requirements section in the Supported
Configurations for Configuration Manager topic.
Plan your hierarchy infrastructure by using the
fewest number of sites necessary to reduce
administrative overhead.
Tip
In a System Center 2012
Configuration Manager hierarchy, you
can reduce the number of sites
required to manage the same
infrastructure compared with
Configuration Manager 2007.
Configuration Manager can manage multiple
instances of the following options at the same
site:
Note
In previous product versions, the
comparable configurations each
required a separate site to manage
different instances of the option.
 To partition administrative access to
resources throughout the hierarchy, you
can use role-based administration.
For more information, see the Planning for
Role-Based Administration section in the
Planning for Security in Configuration
Manager topic.
 Use collections to assign custom settings to
different groups of users or devices in the
hierarchy.
For more information, see Planning for
Client Settings in Configuration Manager.
 To manage the display language of
Configuration Manager consoles and the
clients’ user-facing interface, plan to add
support for the server and client operating
system languages that you will require at
each site.
For more information about languages, see
the Planning for Operating System
Languages section in the Planning for
Sites and Hierarchies in Configuration
Manager topic.
Additionally, when you distribute content to
network locations that are not well connected
and content distribution is your primary network
bandwidth concern, you can use the site
system role of a distribution point that is
enabled for bandwidth control to replace a
secondary site.
For more information about how to use
distribution points instead of secondary sites,
see Planning for Content Deployment During
Migration to System Center 2012 Configuration
Manager.
Choose the type of site to use for a given
network or geographic location.
Consider the following when you decide the
type of site to deploy at a network or
geographical location:
 Primary and central administration sites
require an instance of SQL Server, and that
instance must be installed on a well
connected network.
 You deploy primary sites to manage clients.
Although you can deploy a secondary site
to manage the client information from
clients at remote locations, the clients must
still be assigned to a primary site. It is from the
primary site that clients obtain their policy.
 Secondary sites extend a primary site to a
remote network location. You can deploy a
distribution point that is enabled for
bandwidth control from the primary site
when content deployment to the network
location is your primary concern and you
are not concerned about the network
bandwidth that is used when computers
send their client information to the site.
 Configuration Manager consoles can only
connect to a primary site or the central
administration site.
For more information about site type options,
see the About Site Types in Configuration
Manager section in the Planning for Sites and
Hierarchies in Configuration Manager topic.
As a security best practice, use a public key
infrastructure (PKI) to deploy and manage the
certificates that are required for communication
in Configuration Manager.
If you use a PKI, document how the certificates
will be configured, deployed, and managed for
site systems that require them, client
computers, and mobile devices.
For more information about the certificate
requirements in Configuration Manager, see
the Planning for Certificates (Self-Signed and
PKI) section in the Planning for Security in
Configuration Manager topic.
Prepare Active Directory Domain Services to
support client communications, or configure
alternatives, which includes DNS or WINS.
For information to help you decide whether to
extend the Active Directory schema to support
Configuration Manager, see Determine
Whether to Extend the Active Directory
Schema for Configuration Manager.
For information about client communication,
see the Planning for Client Communication in
Configuration Manager section in the Planning
for Communications in Configuration Manager
topic.
Use Collected Information to Plan for Site Systems
Depending on the hardware configuration of your site system servers, the numbers of clients that
will use each site system server and the security requirements for your organization, you might
decide that one server can perform one or more site system roles. It is also possible that you will
have to separate specific site system roles, such as those that use Internet Information Services
(IIS) to communicate with Configuration Manager clients, from other site system roles such as the
site database server.
The following sections contain lists of typical planning considerations and questions for you to
review when you plan for site systems that are typically used in Configuration Manager. Your
organization might require additional considerations.
Database Servers
The database server stores information from clients and the configurations that you use to
manage your environment. Each site uses database replication to share the information in its
database with other sites in the hierarchy.
You can install a database server on the site server or on another server that is on a well
connected network location. This site system role requires Microsoft SQL Server, and when you
have multiple sites in a hierarchy, the database at each site must use the same SQL Server
database collation to enable the data to replicate between them.
Use the following planning considerations to help you plan for database servers.
Planning considerations Details
Is this a central administration site, a primary
site, or secondary site?
Central administration sites and primary sites
must have access to a full installation of
SQL Server to host the site database.
Secondary sites can use a full installation of
SQL Server, or SQL Server Express.
For more information, see the Planning for
Database Servers in Configuration Manager
section in the Planning for Site Systems in
Configuration Manager topic.
Are you planning to locate the Configuration
Manager site database on the site server?
You can install the site database on an instance
of SQL Server on the site server or on another
server. If you install the site database by using
an instance of SQL Server on another server,
or move it to another instance of SQL Server
after site installation, Configuration Manager
supports moving the site database back to the
site server at a later time.
Note
Secondary sites do not support
SQL Server on another server.
For more information, see the Planning for
Database Servers in Configuration Manager
section in the Planning for Site Systems in
Configuration Manager topic.
Decide whether to install more than a single
SMS Provider at a site.
A site server uses the SMS Provider to
communicate with the site database.
Configuration Manager supports installing
multiple instances of the SMS Provider, but
only one SMS Provider instance can be
installed on each computer. Each
SMS Provider can be installed on the site
server, another server running SQL Server, or
on another server.
Multiple instances of the SMS Provider are
supported at central administration sites and
primary sites.
Note
Secondary sites do not support
installation of the SMS Provider on
another computer.
For more information, see the Planning for the
SMS Provider in Configuration Manager section
in the Planning for Site Systems in
Configuration Manager topic.
For a hierarchy, do you have servers that run
SQL Server with compatible configurations that
will be available for each planned site?
Each server running SQL Server that you use
as a database server must meet specific
configurations. For example, because sites
replicate data directly with other sites, the
SQL Server collation of each database server
must match that of each other site in the
hierarchy.
For more information, see the SQL Server
Configurations for Database Servers section in
the Planning for Site Systems in Configuration
241
Planning considerations Details
Manager topic.
Distribution Points
You can install one or more distribution points at each primary and secondary site.
Planning considerations Details
Will you deploy content to clients at this site? Consider the number and size of the
applications and packages that you expect to
store on the distribution points at this site. This
will help you understand the disk space
requirements that you require for distribution
point servers.
For more information, see Planning for Content
Management in Configuration Manager.
How many clients will access the distribution
points at this site?
Plan for sufficient distribution points to service
the number of clients that request content at
the site.
For more information, see the Determine the
Distribution Point Infrastructure section in the
Planning for Content Management in
Configuration Manager topic.
Will you use distribution point groups to
streamline the administration of content
deployments?
Identify how you plan to group your distribution
points.
For more information, see the Plan for
Distribution Point Groups section in the
Planning for Content Management in
Configuration Manager topic.
Do your distribution point servers have all the
prerequisites installed?
For example, distribution points require Remote
Differential Compression and Internet
Information Services (IIS).
For more information about the prerequisites
for distribution points, see the Distribution Point
Configurations section in the Planning for
Content Management in Configuration Manager
topic.
Do you have distribution points in sites that are
located on network locations that are not well
connected?
If so, configure those distribution points for
network bandwidth control.
For more information, see the Network
Bandwidth Considerations for Distribution
Points section in the Planning for Content
Management in Configuration Manager topic.
Management Points
A management point is the primary point of contact between Configuration Manager clients and
the site server. A primary or secondary site can have multiple management points for clients on
the intranet, and primary sites can support multiple Internet-based management points for mobile
devices and client computers that are on the Internet. Use the following planning considerations
to help you plan for management points.
Planning considerations Details
Consider the maximum number of clients that
you will manage at this site.
If there will be more than 25,000 clients at a
site, you must install more than one
management point. Even when you have fewer
than 25,000 clients, consider installing
additional management points for redundancy
and to compensate for less than optimal
hardware or server operating conditions.
For more information, see the Site System
Requirements section in the Supported
Configurations for Configuration Manager topic.
Consider how often the clients that are
assigned to this site will retrieve new policy
information.
Clients download client policy on a schedule
that you configure as a client setting. Consider
the frequency of this download when you plan
for the number of management points to deploy
at each site.
For more information, see How to Manage
Clients in Configuration Manager.
If you will collect hardware or software
inventory from clients at this site, consider the
inventory configurations and schedules.
Clients collect and send inventory data to a
management point on a schedule that you
configure as a client setting. Consider the
information about the frequency of these
actions and the data you will collect from clients
when you plan for the number of management
points to deploy at each site.
For more information, see How to Configure
Hardware Inventory in Configuration Manager.
If you will use software metering for clients at
this site, consider the schedule for sending the
metering data.
Clients collect and send metering data to a
management point on a schedule that you
configure as a client setting. Consider the
frequency of this schedule when you plan the
number of management points to deploy at
each site.
For more information, see Planning for
Software Metering in Configuration Manager.
Reporting Services Points
A reporting services point is a site server that hosts a site's Reporting website. A reporting point
obtains report information from the database server of its Configuration Manager site.
Planning consideration Details
Will this site require a reporting services point? You can install a reporting services point at a
central administration site or a primary site.
However, only the reporting services point at
the top-level site of your hierarchy can provide
reports with information from all sites in your
hierarchy.
For more information, see Introduction to
Reporting in Configuration Manager.
Software Update Points
A software update point is a site system server you install on a site system that already has
Windows Server Update Services (WSUS) installed on it.
The central administration site and all primary child sites must have an active software update
point to deploy software updates. You must determine on which sites to install an Internet-based
software update point, when to configure the active software update point as a Windows network
load balancing (NLB) cluster, and when to create an active software update point at a secondary
site.
Planning considerations Details
What is the maximum number of clients you will
manage at this site?
Each software update point can support up to
25,000 clients. If there are more than 25,000
client computers assigned to the site, consider
creating a Network Load Balancing (NLB)
cluster for a group of WSUS servers, and then
use the NLB cluster as the active software
update point on the site.
For more information, see Planning for
Software Updates in Configuration Manager.
Is a supported version of WSUS installed on an
existing site system? What is the computer
name of the site system?
A supported version of WSUS must be installed
on the site system computer before you add the
software update point site role to the site
system.
For information about supported WSUS
configurations, see Prerequisites for Software
Updates in Configuration Manager.
Does this site support clients that are on the
Internet?
The Internet-based software update point
accepts communication from devices on the
Internet. You can only create the Internet-
based software update point when the active
software update point is not configured to
accept communication from devices on the
Internet.
For more information, see the Determine the
Software Update Point Infrastructure section
in the Planning for Software Updates in
Configuration Manager topic.
See Also
Planning for Configuration Manager Sites and Hierarchy
Determine Whether to Migrate Configuration
Manager 2007 Data to System Center 2012
Configuration Manager
In System Center 2012 Configuration Manager, the built-in migration functionality replaces in-
place upgrades of existing Configuration Manager infrastructure by providing a process that
transfers data from active Configuration Manager 2007 sites. Migration can transfer most data
from Configuration Manager 2007. If you do not migrate Configuration Manager 2007 to
System Center 2012 Configuration Manager, or if you migrate data and want to maintain objects
that migration does not migrate, you must re-create non-migrated objects in the new
Configuration Manager hierarchy.
Because of the design changes introduced in System Center 2012 Configuration Manager, you
cannot upgrade existing Configuration Manager 2007 infrastructure with one exception. Migration
does support the upgrade of qualifying Configuration Manager 2007 distribution points to
System Center 2012 Configuration Manager distribution points. This includes the upgrade of a
Configuration Manager 2007 secondary site that is co-located with a distribution point.
If you upgrade a distribution point, the content on the distribution point computer is retained, and
converted to the new System Center 2012 Configuration Manager format. Then the site system
role is removed from the Configuration Manager 2007 hierarchy and the distribution point and site
system server are added as a distribution point to the System Center 2012
Configuration Manager primary or secondary site of your choice. When a distribution point on a
Configuration Manager 2007 secondary site upgrades, the secondary site is uninstalled and
removed from the Configuration Manager 2007 hierarchy. The result is a System Center 2012
Configuration Manager distribution point with all migrated content converted to the single instance
store.
For more information about migrating from Configuration Manager 2007 to System Center 2012
Configuration Manager, see Migrating from Configuration Manager 2007 to System Center 2012
Configuration Manager.
See Also
Planning for Configuration Manager Sites and Hierarchy
Determine Whether to Extend the Active
Directory Schema for Configuration Manager
When you extend the Active Directory schema for System Center 2012 Configuration Manager,
you can publish site information to Active Directory Domain Services. Extending the Active
Directory schema is optional for Configuration Manager. However, by extending the schema you
can use all Configuration Manager features and functionality with the least amount of
administrative overhead.
If you decide to extend the Active Directory schema, you can do so before or after you run
Configuration Manager Setup.
Considerations for Extending the Active Directory
Schema for Configuration Manager
The Active Directory schema extensions for System Center 2012 Configuration Manager are
unchanged from those used by Configuration Manager 2007. If you extended the schema for
Configuration Manager 2007, you do not need to extend the schema again for
System Center 2012 Configuration Manager.
Extending the Active Directory schema is a forest-wide action and can only be done one time per
forest. Extending the schema is an irreversible action and must be done by a user who is a
member of the Schema Admins Group or who has been delegated sufficient permissions to
modify the schema. If you decide to extend the Active Directory schema, you can extend it before
or after setup.
Four actions are required to successfully enable Configuration Manager clients to query Active
Directory Domain Services to locate site resources:
 Extend the Active Directory schema.
 Create the System Management container.
 Set security permissions on the System Management container.
 Enable Active Directory publishing for the Configuration Manager site.
For information about extending the schema, creating the System Management container, and on
setting security permissions on the container, see Prepare Active Directory for Configuration
Manager in the Prepare the Windows Environment for Configuration Manager topic. For
information about enabling publishing for Configuration Manager sites, see Planning for
Publishing of Site Data to Active Directory Domain Services.
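The four actions above, carried out with PowerShell and the built-in dsacls tool, as an added example that is not part of the Microsoft documentation. It assumes the ActiveDirectory RSAT module is available and that the account running it holds the rights described above (Schema Admins for the schema step). The site server name CM01 and the media drive D: are placeholders. Enabling publishing (the fourth action) is a per-site setting made in the Configuration Manager console, so the script only lists what the site has published afterwards.

```powershell
# Added example (not Microsoft documentation): prepare Active Directory Domain
# Services so that Configuration Manager clients can locate site resources.
# Assumptions: RSAT ActiveDirectory module installed; placeholder names CM01 (site
# server) and D:\ (installation media root). Adjust before use.
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$systemDN    = "CN=System,$($domain.DistinguishedName)"
$containerDN = "CN=System Management,$systemDN"
$siteServer  = Get-ADComputer -Identity 'CM01'        # placeholder site server name

# Step 1: extend the schema. Forest-wide, irreversible, once per forest; run as a
# member of Schema Admins. ExtADSch.exe sits next to ConfigMgr_ad_schema.LDF in
# SMSSETUP\BIN\x64 on the media and writes ExtADSch.log to the root of the system drive.
# Left commented out so the rest of the script can be rerun after the schema exists.
# & 'D:\SMSSETUP\BIN\x64\ExtADSch.exe'

# Step 2: create the System Management container if it is not already there.
$existing = Get-ADObject -SearchBase $systemDN -SearchScope OneLevel `
                         -LDAPFilter '(cn=System Management)'
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDN
}

# Step 3: give the site server's computer account Full Control (GA) on the
# container and everything beneath it (/I:T) so the site can publish its objects.
$account = "$($domain.NetBIOSName)\$($siteServer.SamAccountName)"
& dsacls.exe $containerDN /G "${account}:GA" /I:T

# Step 4: publishing is enabled per site in the Configuration Manager console
# (site properties, Publishing tab). Once the site has published, its objects
# appear under the container; list them to confirm.
Get-ADObject -SearchBase $containerDN -SearchScope Subtree -Filter * |
    Select-Object Name, ObjectClass, DistinguishedName
```

Grant the permission only to the site server computer accounts that need to publish; because the container is under CN=System, a broader grant would let any holder write service-location data that every client trusts.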
The following table identifies Configuration Manager functions that use an extended Active
Directory schema, and whether there are workarounds if you cannot extend the schema.
Functionality Active Directory Details
Client computer installation
and site assignment
Optional When a new Configuration
Manager client installs, the client
can search Active Directory
Domain Services for installation
properties. If you do not extend the
schema, you must use one of the
following workarounds to provide
configuration details that
computers require to install:
 Use client push installation.
Before you use this client
installation method, make sure
that all prerequisites are met.
For more information, see the
section “Installation Method
Dependencies” in Prerequisites
for Computer Clients.
 Install clients manually and
provide client installation
properties by using CCMSetup
installation command-line
properties. This must include
the following:
 Specify a management
point or source path from
which the computer can
download the installation
files by using the
CCMSetup property
/mp:<management point
computer name> or
/source:<path to client
source files> on the
CCMSetup command line
during client installation.
 Specify a list of initial
management points for the
client to use so that it can
assign to the site and then
download client policy and
site settings. Use the
CCMSetup Client.msi
property SMSMP to do
this.
 Publish the management point
in DNS or WINS and configure
clients to use this service
location method.
Port configuration for client-to-
server communication
Optional When a client installs, it is
configured with port information. If
you later change the client-to-
server communication port for a
site, a client can obtain this new
port setting from Active Directory
Domain Services. If you do not
extend the schema, you must use
one of the following workarounds
to provide this new port
configuration to existing clients:
 Reinstall clients and configure
them to use the new port
information.
 Deploy a script to clients to
update the port information. If
clients cannot communicate
with a site because of the port
change, you must deploy this
script externally to
Configuration Manager. For
example, you could use Group
Policy.
Network Access Protection Required Configuration Manager publishes
health state references to Active
Directory Domain Services so that
the System Health Validator point
can validate a client’s statement of
health.
Content deployment scenarios Optional When you create content at one
site and then deploy that content to
another site in the hierarchy, the
receiving site must be able to verify
the signature of the signed content
data. This requires access to the
public key of the source site where
you create this data.
When you extend the Active
Directory schema for Configuration
Manager, a site’s public key is
made available to all sites in the
hierarchy. If you do not extend the
Active Directory schema, you can
use the hierarchy maintenance
tool, preinst.exe, to exchange the
secure key information between
sites.
For example, if you plan to create
content at a primary site and
deploy that content to a secondary
site below a different primary site,
you must either extend the Active
Directory schema to enable the
secondary site to obtain the source
primary site's public key, or use
preinst.exe to share keys between
the two sites directly.
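The manual-installation workaround from the table, as an added example that is not part of the Microsoft documentation: the command line supplies the management point and site code that the client would otherwise read from Active Directory Domain Services. Site code ABC, management point MP01.contoso.com and site server CM01 are placeholders; SMSSITECODE is a Client.msi property not named in the table above, and the SMS_<site code>\Client share on the site server is assumed as the content source.

```powershell
# Added example (not Microsoft documentation): install the client by hand when the
# schema is not extended, passing the service-location details on the command line.
# Placeholders: site code ABC, management point MP01.contoso.com, site server CM01.
$siteCode = 'ABC'
$mp       = 'MP01.contoso.com'
$source   = "\\CM01\SMS_$siteCode\Client"   # assumed client source share on the site server

$arguments = @(
    "/mp:$mp"                # CCMSetup property: management point to download the installation files from
    "/source:$source"        # CCMSetup property: fallback path to the same files
    "SMSSITECODE=$siteCode"  # Client.msi property: site to assign the client to
    "SMSMP=$mp"              # Client.msi property: initial management point for assignment and policy
)

$proc = Start-Process -FilePath (Join-Path $source 'ccmsetup.exe') `
                      -ArgumentList $arguments -Wait -PassThru

# A non-zero exit code means ccmsetup did not complete; per-step progress is
# recorded in %windir%\ccmsetup\Logs\ccmsetup.log on the client.
if ($proc.ExitCode -ne 0) {
    Write-Warning "ccmsetup.exe returned $($proc.ExitCode); check $env:windir\ccmsetup\Logs\ccmsetup.log"
}
```

Without the schema extension the client has no directory-backed way to confirm which management point is legitimate, so the values passed here must come from a trusted source and be kept current when the site's ports or management points change.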
Attributes and Classes Added by the
Configuration Manager Schema Extensions
When extending the schema for Configuration Manager, several classes and attributes are added
that any Configuration Manager site in the Active Directory forest can use. Because the global
catalog is replicated throughout the forest, consider the network traffic that might be generated. In
Windows 2000 forests, extending the schema causes a full synchronization of the whole global
catalog. For Windows 2003 forests, Windows 2008 forests, and Windows 2008 R2 forests, only
the newly added attributes are replicated. Plan to extend the schema during a time when the
replication traffic does not adversely affect other network-dependent processes.
When you extend the Active Directory schema for System Center 2012 Configuration Manager,
the following attributes and classes are added to Active Directory Domain Services:
 Attributes:
 cn=mS-SMS-Assignment-Site-Code
 cn=mS-SMS-Capabilities
 cn=MS-SMS-Default-MP
 cn=mS-SMS-Device-Management-Point
 cn=mS-SMS-Health-State
 cn=MS-SMS-MP-Address
 cn=MS-SMS-MP-Name
 cn=MS-SMS-Ranged-IP-High
 cn=MS-SMS-Ranged-IP-Low
 cn=MS-SMS-Roaming-Boundaries
 cn=MS-SMS-Site-Boundaries
 cn=MS-SMS-Site-Code
 cn=mS-SMS-Source-Forest
 cn=mS-SMS-Version
 Classes:
 cn=MS-SMS-Management-Point
 cn=MS-SMS-Roaming-Boundary-Range
 cn=MS-SMS-Server-Locator-Point
 cn=MS-SMS-Site
The Active Directory schema extensions might include attributes and classes that are
carried forward from previous versions of the product but not used by
Microsoft System Center 2012 Configuration Manager. For example:
 Attribute: cn=MS-SMS-Site-Boundaries
 Class: cn=MS-SMS-Server-Locator-Point
To ensure these lists are current for your version of System Center 2012 Configuration Manager,
review the ConfigMgr_ad_schema.LDF file that is located in the SMSSETUP\BIN\x64 folder of
the System Center 2012 Configuration Manager installation media.
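An added check, not part of the Microsoft documentation, for confirming which of the attributes and classes listed above are present in a forest's schema and comparing that with the LDF file on the media. It assumes the RSAT ActiveDirectory module, uses a placeholder media path, and assumes each LDF entry's dn line has the form "dn: CN=<name>,CN=Schema,...". The LDAP display names are reported so the objects can be matched in other tooling.

```powershell
# Added example (not Microsoft documentation): compare the Configuration Manager
# schema objects present in this forest with those declared in ConfigMgr_ad_schema.LDF.
# Assumptions: RSAT ActiveDirectory module installed; D:\ is a placeholder media root.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$ldfPath  = 'D:\SMSSETUP\BIN\x64\ConfigMgr_ad_schema.LDF'   # placeholder path

# Objects already in the schema whose common name starts with MS-SMS- (the LDAP
# filter is case-insensitive, so mS-SMS-* and MS-SMS-* both match).
$present = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
                        -LDAPFilter '(cn=MS-SMS-*)' -Properties lDAPDisplayName |
           Select-Object Name, ObjectClass, lDAPDisplayName

# Names the LDF file would add; assumes each entry starts with "dn: CN=<name>,..."
$expected = Select-String -Path $ldfPath -Pattern '^dn:\s*cn=(MS-SMS-[^,]+)' |
            ForEach-Object { $_.Matches[0].Groups[1].Value } |
            Sort-Object -Unique

$missing = $expected | Where-Object { $_ -notin $present.Name }

"Attributes present: $(@($present | Where-Object ObjectClass -eq 'attributeSchema').Count)"
"Classes present:    $(@($present | Where-Object ObjectClass -eq 'classSchema').Count)"
if ($missing) {
    "Declared in the LDF but not in the schema (schema not extended, or an older extension):"
    $missing
} else {
    "All objects declared in $ldfPath are present in the schema."
}
$present | Sort-Object ObjectClass, Name | Format-Table Name, ObjectClass, lDAPDisplayName
```

Run this read-only query before deciding whether to run the schema extension again: because the extension is irreversible and forest-wide, knowing that a Configuration Manager 2007 extension is already in place avoids an unnecessary schema change and the replication it triggers.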
See Also
Planning for Configuration Manager Sites and Hierarchy
Planning for Sites and Hierarchies in
Configuration Manager
Before you deploy System Center 2012 Configuration Manager in a production environment, plan
the design of your sites and site hierarchy. During the planning phase, identify the number and
type of sites, and the location where you plan to deploy them. Plan for each site and identify
where to install site system roles at each site.
Note
Ensure that your plan considers future server hardware changes in addition to current
hardware requirements.
Tip
You can deploy Configuration Manager as a single stand-alone primary site, or as multiple sites
in a hierarchy. When you plan your initial deployment, consider a design that can expand for the
future growth that your organization might require. Planning for expansion is an important step
because the changes in System Center 2012 Configuration Manager from previous versions of
the product mean that Configuration Manager can now support more clients with fewer sites.
Important
Configuration Manager does not support moving a site server between domains. If you
must move a site server, you must uninstall Configuration Manager from the server,
move the server to the new domain, and then install a new Configuration Manager site.
You cannot successfully restore the original site to a server that has been moved to a
new domain.
Use the following sections in this topic to help you to implement a hierarchy design:
 Planning a Hierarchy of Sites in Configuration Manager
 About Site Types in Configuration Manager
 Determine Whether to Install a Central Administration Site
 Determine Whether to Install a Primary Site
 Determine Whether to Install a Secondary Site
 Determine Whether to Install a Site or Use Content Management Options
 Planning for Client and Server Operating System Languages in Configuration Manager
 About Language Packs
 Planning for Server Language Packs
 Planning for Client Language Packs
 Best Practices for Managing Language Packs
 Planning for the Configuration Manager Console
 About the Read-Only Console
 Planning for Multiple Administrative Users and Global Data Replication in Configuration
Manager
 About Multiple Edits to Global Data in Configuration Manager
 About Data Access From the Configuration Manager Console
What’s New in Configuration Manager
Note
The information in this section also appears in the Getting Started with System Center
2012 Configuration Manager guide.
System Center 2012 Configuration Manager introduces the central administration site and some
changes to primary and secondary sites. The following table summarizes these sites and how
they compare to sites in Configuration Manager 2007.
Site Purpose Change from Configuration
Manager 2007
Central administration site The central administration
site coordinates intersite data
replication across the
hierarchy by using
Configuration Manager
database replication. It also
enables the administration of
hierarchy-wide configurations
for client agents, discovery,
and other operations.
Use this site for all
administration and reporting
for the hierarchy.
Although this is the site at the top
of the hierarchy in
System Center 2012
Configuration Manager, it has the
following differences from a
central site in Configuration
Manager 2007:
 Does not process data
submitted by clients, except
for the Heartbeat Discovery
data record.
 Does not accept client
assignments.
 Does not support all site
system roles.
 Participates in database
replication.
Primary site Manages clients in well
connected networks.
Primary sites in
System Center 2012
Configuration Manager have the
following differences from primary
sites in Configuration Manager
2007:
 Additional primary sites allow
the hierarchy to support more
clients.
 Cannot be tiered below other
primary sites.
 No longer used as a boundary
for client agent settings or
security.
 Participates in database
replication.
Secondary site Controls content distribution
for clients in remote locations
across links that have limited
network bandwidth.
Secondary sites in
System Center 2012
Configuration Manager have the
following differences from
secondary sites in Configuration
Manager 2007:
 SQL Server is required and
SQL Server Express will be
installed during site installation
if required.
 A management point and
distribution point are
automatically deployed during
the site installation.
 Secondary sites can send
content distribution to other
secondary sites.
 Participates in database
replication.
Planning a Hierarchy of Sites in Configuration
Manager
When you plan for a Configuration Manager hierarchy, consider your network and computing
environment and identify your business requirements. You can then plan to implement
Configuration Manager by using the minimal number of servers and the least amount of
administration overhead to meet your organization’s goals.
System Center 2012 Configuration Manager provides an in-box solution for automated migration
from Configuration Manager 2007. However, it does not support in-place upgrades from earlier
versions of Configuration Manager or interoperability with earlier versions with the following two
exceptions. The first exception is that during the time that you are actively migrating from
Configuration Manager 2007 to System Center 2012 Configuration Manager, you can share
Configuration Manager 2007 distribution points with System Center 2012 Configuration Manager
making the content on these distribution points accessible to System Center 2012
Configuration Manager clients. The second exception is that you can upgrade Configuration
Manager 2007 secondary sites to be System Center 2012 Configuration Manager distribution
points.
To maintain the investment in your current Configuration Manager 2007 infrastructure, you must
install System Center 2012 Configuration Manager as a new hierarchy, and then migrate
Configuration Manager 2007 data and clients to System Center 2012 Configuration Manager.
This side-by-side implementation provides an opportunity to redesign and simplify your hierarchy
by using fewer site servers.
For more information about migration, see Migrating from Configuration Manager 2007 to System
Center 2012 Configuration Manager.
About Site Types in Configuration Manager
Your Configuration Manager deployment consists of either a hierarchy of sites or a stand-alone
site. A hierarchy consists of multiple sites, each with one or more site system servers. A stand-
alone site also consists of one or more site system servers. Site system servers extend the
functionality of Configuration Manager. For example, you might install a site system at a site to
support software deployment or to manage mobile devices. To successfully plan your hierarchy of
sites and identify the best network and geographical locations to place site servers, ensure that
you review the information about each site type and the alternatives to sites offered by site
systems you use for content deployment.
Use the following table to help you plan the type of sites that you might require in your hierarchy.
Server Purpose More information
Central administration site The recommended location for
all administration and reporting
for the hierarchy.
 SQL Server is required.
 Does not process client
data.
 Does not support client
assignment.
 Not all site system roles
are available.
 Participates in database
replication.
Primary site A required site that manages
clients in well connected
networks. All clients are
assigned to a primary site.
 SQL Server is required.
 Additional primary sites
provide support for a
higher number of clients.
 Cannot be tiered below
other primary sites.
 Participates in database
replication.
Secondary site Manages clients in remote
locations where network
bandwidth control is required.
 SQL Server Express or a
full instance of SQL Server
is required. If neither is
installed when the site is
installed, SQL Server
Express is automatically
installed.
 A management point and
distribution point are
automatically deployed
when the site is installed.
 Secondary sites must be
direct child sites below a
primary site, but can be
configured to send content
to other secondary sites.
 Participates in database
replication.
When you plan a Configuration Manager hierarchy, consider the following:
 You can schedule and throttle network traffic when you distribute deployment content to
distribution points. Therefore, you can use a distribution point instead of a site for some
remote network locations.
 Discovery data records (DDRs) for unknown resources transfer by using file-based replication
from a primary site to the central administration site for processing. Because discovery can
create a large number of DDRs, plan where to place your central administration site and
consider at which sites discovery operations will run to minimize the transfer of DDRs across
low-bandwidth networks. DDRs for known resources are processed at the first primary site to
receive them and do not transfer by using file-based replication to the central administration
site. Instead, after being processed at the primary site, the discovery information replicates to
other sites by using database replication.
 Role-based administration provides a central administrative security model for the hierarchy,
and you do not have to install sites to provide a security boundary. Instead, use security
scopes, security roles, and collections to define what administrative users can see and
manage in the hierarchy.
 Alerts in the Configuration Manager console provide state-based information for operations
throughout the hierarchy.
Use the following sections to help you determine whether to install Configuration Manager sites
and site systems.
Determine Whether to Install a Central Administration Site
Install a central administration site if you plan to install multiple primary sites. Use a central
administration site to configure hierarchy-wide settings and to monitor all sites and objects in the
hierarchy. This site type does not manage clients directly but it does coordinate inter-site data
replication, which includes the configuration of sites and clients throughout the hierarchy.
Use the following information to help you plan for a central administration site:
The central administration site is the top-level site in a hierarchy.
When you configure a hierarchy that has more than one primary site, you must install a central
administration site, and it must be the first site that you install.
The central administration site supports only primary sites as child sites.
The central administration site cannot have clients assigned to it.
The central administration site does not support all site system roles. For more information, see Planning Where to Install Site System Roles in the Hierarchy.
You can manage all clients in the hierarchy and perform site management tasks for any primary
site when you use a Configuration Manager console that is connected to the central
administration site.
The central administration site is the only place where you can see site data from all sites. This
data includes information such as inventory data and status messages.
You can configure discovery operations throughout the hierarchy from the central administration
site by assigning discovery methods to run at individual sites.
You can manage security throughout the hierarchy by assigning different security roles, security
scopes, and collections to different administrative users. These configurations apply at each
site in the hierarchy.
You can configure addresses that control communication between sites in the hierarchy. This includes settings that manage the schedule and bandwidth for transferring file-based data between sites.
Determine Whether to Install a Primary Site
Use primary sites to manage clients.
Consider installing a primary site for any of the following reasons:
• To manage clients directly.
• To increase the number of clients to manage. Each primary site can support up to 100,000 clients.
• To provide a local point of connectivity for administration.
• To meet organizational management requirements. For example, you might install a primary site at a remote location to manage the transfer of deployment content across a low-bandwidth network.
Use the following information to help you plan for primary sites:
• A primary site can be a stand-alone primary site or a member of a hierarchy.
• A primary site only supports a central administration site as a parent site.
• A primary site only supports secondary sites as child sites and can support one or more secondary child sites.
• A primary site cannot change its parent site relationship after installation.
• Primary sites are responsible for processing all client data from their assigned clients.
• When a primary site is installed, it automatically configures database replication with its designated central administration site.
• Primary sites use database replication to communicate directly to their central administration site.
• You can install typically used site system roles when you install a primary site. For a list of site system roles that are supported on primary sites, see Planning Where to Install Site System Roles in the Hierarchy.
Determine Whether to Install a Secondary Site
Use secondary sites to manage the transfer of deployment content and client data across low-
bandwidth networks.
You manage a secondary site from a central administration site or the secondary site’s parent
primary site. Secondary sites must be attached to a primary site, and you cannot move them to a
different parent site without uninstalling them, and then re-installing them as a child site below the
new primary site. You can route content between peer secondary sites to help manage the file-
based replication of deployment content. To transfer client data to a primary site, the secondary
site uses file-based replication. However, a secondary site also uses database replication to
communicate with its parent primary site.
Consider installing a secondary site if any of the following conditions apply:
• You do not require a local administrative user for the site.
• You have to manage the transfer of deployment content to sites lower in the hierarchy.
• You have to manage client information that is sent to sites higher in the hierarchy.
If you do not want to install a secondary site and you have clients in remote locations, consider using Windows BranchCache or distribution points that are enabled for bandwidth control and scheduling. You can use these content management options with or without secondary sites, and they can help you to reduce the number of sites and servers that you have to install. For information about content management options in Configuration Manager, see Determine Whether to Install a Site or Use Content Management Options.
Use the following details to help you plan for secondary sites:
• Secondary sites automatically install SQL Server Express during site installation if a local instance of SQL Server is not available.
• Secondary site installation is initiated from the Configuration Manager console when it is connected to the central administration site or a primary site.
• When a secondary site is installed, it automatically configures database replication with its parent primary site.
• Secondary sites use database replication to communicate directly to their parent primary site and to obtain a subset of the shared Configuration Manager database.
• Secondary sites support the routing of file-based content to other secondary sites that have a common parent primary site.
• Secondary site installations automatically deploy a management point and distribution point that are located on the secondary site server.
Determine Whether to Install a Site or Use Content Management Options
If you have clients in remote network locations, consider using one or more content management
options instead of a primary or secondary site. You can often remove the requirement for another
site when you use Windows BranchCache, configure distribution points for bandwidth control, or
manually copy content to distribution points (prestage content).
Consider deploying a distribution point instead of installing another site if any of the following
conditions apply:
• Your network bandwidth is sufficient for client computers at the remote location to communicate with a management point to download client policy, and send inventory, reporting status, and discovery information.
• Background Intelligent Transfer Service (BITS) does not provide sufficient bandwidth control for your network requirements.
For more information about content management options in Configuration Manager, see
Introduction to Content Management in Configuration Manager.
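The placement rules in the site sections above can be checked before you commit to an installation order. The following PowerShell function is an added example, not part of the Microsoft documentation, that encodes those rules (one central administration site when there is more than one primary site, primary sites only below a central administration site, secondary sites only directly below a primary site, clients assigned only to primary sites, at most 100,000 clients per primary site, content routing only between secondary sites that share a parent primary site) and runs them against a constructed sample plan; the site codes and client counts in the sample are made up.

```powershell
# Added example (not from the Configuration Manager documentation): validate a planned
# hierarchy against the placement rules stated in this section.
function Test-CMHierarchyPlan {
    param(
        # Each site: @{ Code; Type ('CAS','Primary','Secondary'); Parent (site code or $null);
        #              Clients (assigned client count); ContentPeers (codes of secondary sites
        #              this secondary site routes content to) }
        [Parameter(Mandatory)] [hashtable[]] $Sites
    )
    $byCode = @{}
    foreach ($s in $Sites) { $byCode[$s.Code] = $s }
    $problems  = New-Object System.Collections.Generic.List[string]
    $cas       = @($Sites | Where-Object { $_.Type -eq 'CAS' })
    $primaries = @($Sites | Where-Object { $_.Type -eq 'Primary' })

    # More than one primary site requires exactly one central administration site, installed first.
    if ($primaries.Count -gt 1 -and $cas.Count -ne 1) {
        $problems.Add("Multiple primary sites require exactly one central administration site (found $($cas.Count)).")
    }
    if ($cas.Count -gt 1) { $problems.Add("Only one central administration site is allowed.") }

    foreach ($s in $Sites) {
        $parent = if ($s.Parent) { $byCode[$s.Parent] } else { $null }
        if ($s.Parent -and -not $parent) {
            $problems.Add("$($s.Code): parent '$($s.Parent)' is not in the plan.")
            continue
        }
        switch ($s.Type) {
            'CAS' {
                # Top-level site: no parent and no assigned clients.
                if ($parent) { $problems.Add("$($s.Code): a central administration site cannot have a parent site.") }
                if ($s.Clients -gt 0) { $problems.Add("$($s.Code): clients cannot be assigned to a central administration site.") }
            }
            'Primary' {
                # Only a central administration site may be the parent; primaries cannot be tiered below primaries.
                if ($parent -and $parent.Type -ne 'CAS') {
                    $problems.Add("$($s.Code): a primary site only supports a central administration site as its parent.")
                }
                if ($s.Clients -gt 100000) {
                    $problems.Add("$($s.Code): $($s.Clients) clients exceeds the 100,000 supported per primary site.")
                }
            }
            'Secondary' {
                # Must be a direct child of a primary site; clients are assigned to primary sites only.
                if (-not $parent -or $parent.Type -ne 'Primary') {
                    $problems.Add("$($s.Code): a secondary site must be a direct child of a primary site.")
                }
                if ($s.Clients -gt 0) { $problems.Add("$($s.Code): clients are assigned to primary sites, not secondary sites.") }
                # Content routing is supported only between secondary sites with a common parent primary site.
                foreach ($peerCode in $s.ContentPeers) {
                    $peer = $byCode[$peerCode]
                    if (-not $peer -or $peer.Type -ne 'Secondary' -or $peer.Parent -ne $s.Parent) {
                        $problems.Add("$($s.Code): cannot route content to '$peerCode'; peers must be secondary sites under the same primary site.")
                    }
                }
            }
            default { $problems.Add("$($s.Code): unknown site type '$($s.Type)'.") }
        }
    }
    return $problems
}

# Constructed sample plan: two primary sites under a CAS, one secondary site each, plus two
# deliberate mistakes (P02 is over the client limit; S02 routes content across primary sites).
$plan = @(
    @{ Code = 'CAS'; Type = 'CAS';       Parent = $null; Clients = 0 },
    @{ Code = 'P01'; Type = 'Primary';   Parent = 'CAS'; Clients = 60000 },
    @{ Code = 'P02'; Type = 'Primary';   Parent = 'CAS'; Clients = 120000 },
    @{ Code = 'S01'; Type = 'Secondary'; Parent = 'P01'; Clients = 0; ContentPeers = @() },
    @{ Code = 'S02'; Type = 'Secondary'; Parent = 'P02'; Clients = 0; ContentPeers = @('S01') }
)
Test-CMHierarchyPlan -Sites $plan | ForEach-Object { Write-Output "PROBLEM: $_" }
```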
Planning for Client and Server Operating System Languages in Configuration Manager
System Center 2012 Configuration Manager supports the display of information in multiple
languages. By default, the Configuration Manager user interface displays in English although
objects that an administrative user creates display in the Configuration Manager console and on
the client in the language that is used to create them. In addition, you can install server and client
language packs to enable the user interface to display in a language that matches the
preferences of the user.
Use the information in the following sections to help you plan for language support by installing
language packs. For information about how to manage language packs, see the Manage
Language Packs at Configuration Manager Sites section in the Manage Site and Hierarchy
Configurations topic.
What’s New in Configuration Manager
Note
The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.
The following items are new or have changed for language support since Configuration Manager 2007:
• You no longer install site servers by using source files designed for a specific language. Additionally, you no longer install International Client Packs to support different languages on the client. Instead, you can choose to install only the server and client languages that you want to support.
• Available client and server language packs are included with the Configuration Manager installation media in the LanguagePack folder, and updates are available to download with the prerequisite files.
• You can add client and server language packs to a site when you install the site, and you can modify the language packs in use after the site installs.
• You can install multiple languages at each site, and only need to install the languages that you use:
  • Each site supports multiple languages for Configuration Manager consoles.
  • At each site you can install individual client language packs, adding support for only the client languages that you want to support.
• When you install support for a language that matches the display language of a computer, Configuration Manager consoles and the client user interface that run on that computer display information in that language.
• When you install support for a language that matches the language preference that is in use by the web browser of a computer, connections to web-based information, including the Application Catalog or SQL Server Reporting Services, display in that language.
About Language Packs
You add support for server and client language packs at the central administration site and at
primary sites to enable Configuration Manager to display built-in text in a language that matches
the user’s preference. Secondary sites automatically support the same client languages as their
parent primary sites. For a list of supported languages, see the Supported Operating System
Languages section in the Technical Reference for Language Packs in Configuration Manager
topic.
• Use server language packs for the Configuration Manager console and for site system roles such as the reporting services point.
• Use client language packs for Configuration Manager clients and the Application Catalog.
Language packs use the following language preferences to display information:
• The display language of a computer applies to the Configuration Manager console, client notifications, and Software Center.
• The display preference within a web browser applies to viewing reports and the Application Catalog.
Note
Even when language packs are installed, data created by an administrative user is not affected by using language packs.
When you run Setup, Configuration Manager copies the available languages from the LanguagePack folder on the Configuration Manager source media to the location that you specify for prerequisite downloads. If the source media is not accessible, Configuration Manager downloads language packs as part of the prerequisite files download. Additionally, any files that are missing or that have updates are also downloaded with the prerequisite files. Then, during Setup, you can select to add one or more of the available server and client language packs to the site.
If you do not install language packs when you install a site server, you can add them later by running Setup on the site server. You must run Setup from the Start menu or by opening Setup.exe from the installation path, and then choose to modify the site’s configuration. When you change the supported languages for a site, Configuration Manager takes the following actions:

Language pack type: Server language pack
Action:
• The site runs a site reset and reinstalls all site system roles at the site. For information about a site reset, see the Perform a Site Reset section in the Manage Site and Hierarchy Configurations topic.
• The language files are copied to the ConsoleSetup folder.

Language pack type: Client language pack
Action:
• The site runs a site reset and reinstalls all site system roles at the site. For information about a site reset, see the Perform a Site Reset section in the Manage Site and Hierarchy Configurations topic.
• When you modify client languages at the top-tier site (central administration site or stand-alone primary site), the site modifies the client installation package, and updates this package on each distribution point in the hierarchy.
• When you modify client languages at a primary site, the site updates the Client folder on the site server and on management points in that site.
• The site copies updated files to each Application Catalog website point and management point, and if you modify support for mobile device clients, it also updates the files on the enrollment proxy point.
Planning for Server Language Packs
Add support for a server language to a site to enable Configuration Manager consoles and
reporting services points to display information in the supported language. You can install multiple
server language packs at each site in your hierarchy.
Each server language pack that a site supports is added to the Configuration Manager console
installation source files on that site server. Before a Configuration Manager console can display
information in a supported language, you must add the language pack to the site and install the
Configuration Manager console from source files that include that language.
Reporting services points automatically update to support the display of information in the
language packs that you install at a site.
Planning for Client Language Packs
Configuration Manager supports client languages for device clients and mobile device clients:
• When a Configuration Manager client installs on a device, it adds support for each client language pack that is included with the client installation files.
• When a Configuration Manager client installs on a mobile device, it adds support for all languages at the same time.
You can add support for client languages when you install a site, or by rerunning Setup on the
site server computer after a site installs. Before a client can display information in a supported
language, you must add support for the language to the client’s site, and install the client from
source files that include that language. You must add support for the client language packs
before you install the client.
When a site adds support for a client language pack, it updates the client installation files. The set
of client installation files that the site updates depends on the site’s location in the hierarchy:
• The top-tier site of a hierarchy manages the client installation package. This package is automatically distributed to each distribution point in the hierarchy. By default, when a client installs, it uses this package for the client installation source files.
Note
The top-tier site can be a central administration site, or a stand-alone primary site.
• Primary sites manage the client upgrade package and update the supported languages in the Client folder on the site server and on management points in that site. Clients use the installation source files from their primary site when the client installation process cannot access the client installation package on a distribution point, or when the client installation command-line property /source is used to specify these files.
Tip
When you use a central administration site, ensure that a client installs the client language packs you expect by adding support for each language pack to the central administration site and to each primary site.
When you change the supported client languages at a top-tier site, allow time for the client installation package to replicate to distribution points in your hierarchy. You can monitor the redistribution of the package to distribution points by using the Content Status node in the Monitoring workspace of the Configuration Manager console. For more information, see the Monitor Content section in the Operations and Maintenance for Content Management in Configuration Manager topic.
Alternatively, you can monitor progress by viewing status messages for the redistribution of the package:
• The client installation package name is Configuration Manager Client Package.
• Distribution points generate a status message with Message ID 2330 when the package successfully updates on that distribution point.
After a new site server installs with support for client language packs, or after an existing site server updates the distribution points with the language pack changes, you can install new clients or reinstall existing clients on computers to add support for supported client language packs.
Important
Configuration Manager does not support reinstalling the mobile device client without first wiping the mobile device. Therefore, if you plan to support non-English mobile devices, enable support for mobile device client languages before you install the Configuration Manager mobile device client.
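To script the status-message check described above (Message ID 2330 for the Configuration Manager Client Package) instead of reading it from the console, the following PowerShell function is an added example that is not part of the Microsoft documentation. It assumes the SMS Provider WMI namespace root\sms\site_<SiteCode> on the provider server and the SMS_Package, SMS_StatusMessage and SMS_StatMsgInsStrings classes, none of which this page names; only the package name and the message ID come from the text, and the server and site code in the usage line are placeholders.

```powershell
# Added example (not from the Configuration Manager documentation): list the Message ID 2330
# status messages recorded for the client installation package since a given time.
# Assumed (not from this page): SMS Provider namespace root\sms\site_<SiteCode> and the
# SMS_Package, SMS_StatusMessage and SMS_StatMsgInsStrings classes.
function Get-ClientPackageUpdateReports {
    param(
        [Parameter(Mandatory)] [string] $ProviderServer,   # server that hosts the SMS Provider
        [Parameter(Mandatory)] [string] $SiteCode,         # site whose status messages to read
        [datetime] $Since = (Get-Date).AddHours(-24)       # look-back window
    )
    $wmi = @{ ComputerName = $ProviderServer; Namespace = "root\sms\site_$SiteCode" }

    # The page gives the package name; resolve it to the package ID used in status messages.
    $pkg = Get-WmiObject @wmi -Class SMS_Package -Filter "Name = 'Configuration Manager Client Package'" |
           Select-Object -First 1
    if (-not $pkg) { throw "Package 'Configuration Manager Client Package' not found at site $SiteCode." }

    # WQL compares datetimes in DMTF form, so convert the look-back boundary.
    $sinceDmtf = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Since)
    $msgs = Get-WmiObject @wmi -Class SMS_StatusMessage -Filter "MessageID = 2330 AND Time >= '$sinceDmtf'"

    foreach ($m in $msgs) {
        # The message parameters (package ID, distribution point) are stored as insertion strings;
        # keep only the records that mention this package ID.
        $ins = @(Get-WmiObject @wmi -Class SMS_StatMsgInsStrings -Filter "RecordID = $($m.RecordID)" |
                 Sort-Object InsStrIndex)
        if (@($ins | ForEach-Object { $_.InsStrValue }) -contains $pkg.PackageID) {
            [pscustomobject]@{
                Time             = [System.Management.ManagementDateTimeConverter]::ToDateTime($m.Time)
                Reporter         = $m.MachineName
                SiteCode         = $m.SiteCode
                PackageID        = $pkg.PackageID
                InsertionStrings = ($ins | ForEach-Object { $_.InsStrValue }) -join ' | '
            }
        }
    }
}

# Usage with placeholder values: which 2330 messages for the client package arrived in the last day?
Get-ClientPackageUpdateReports -ProviderServer 'SITESERVER01' -SiteCode 'P01' |
    Sort-Object Time | Format-Table -AutoSize
```

Compare the distribution points named in the results against the list of distribution points in the hierarchy; any that have not reported within the window are the ones still serving the previous client installation package.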
When the Configuration Manager client installs on a new computer, CCMSetup modifies the MSI
command line to add support for each language pack that is included with the client installation
source files. To update an existing client with new language packs, you must upgrade or reinstall
the client.
For example, you can modify the languages supported on a computer when you redeploy the
client software by using client push installation or software deployment.
The following table lists the client upgrade and installation methods that are not supported for
managing the language pack support for a previously installed client.
Method: Repairing
Details: An MSI repair action reuses the MSI command line last used to install the client, as stored in the registry of the client computer. This command line will not reference new client language packs.

Method: Automatic client upgrade
Details: This type of upgrade fails because automatic upgrades are based on a change of client version. New language packs do not change the client version.

Method: Software update-based client installation
Details: Software update points rely on a change of client version to install the client. New language packs do not change the client version.
For information about how clients access source files for installation, see How to Install Clients on
Computers in Configuration Manager.
For information about client installation properties, see About Client Installation Properties in Configuration Manager.
Best Practices for Managing Language Packs
Use the following best practices information to help you use language packs in
System Center 2012 Configuration Manager.
Install languages at the time you install a site
When you modify the language packs that are supported at the top-tier site of a hierarchy, the site
initiates an update of the client installation package on each distribution point in the hierarchy,
reinstalls applicable site system roles, and performs a site reset. Additionally, you must reinstall
clients before they can use new language packs that you add to their site.
When you add support for client language packs to your central administration site, also add these client language packs to each primary site
When you modify the client language packs at a site, the client installation files that update
depend on the site’s location in the hierarchy. When a client installs, it might use the client
installation package that is managed by the top-tier site of the hierarchy, or it can fall back to
using source files from the management point in the client’s assigned site when it cannot access
the client installation package on a distribution point.
Planning for the Configuration Manager Console
Administrative users use the Configuration Manager console to manage the Configuration
Manager environment. Each Configuration Manager console connects to either a central
administration site, or a primary site. After the initial connection is made, the Configuration
Manager console can connect to other sites. However, you cannot connect a Configuration
Manager console to a secondary site.
To connect to a different site when you use the Configuration Manager console, on the
Application Menu, select Connect to a New Site, and then specify the name of the site server.
You can also specify a connection to a specific site when you open a new instance of the
Configuration Manager console. To do so, you must specify the site server name as part of the
command line to open the Configuration Manager console. For example, to connect to a site that
runs on Server1, at the command prompt, type
%path%microsoft.configurationmanagement.exe Server1.
Configuration Manager does not limit the number of simultaneous Configuration Manager console
connections to a primary site or central administration site. When you connect to the central
administration site, you can view and configure data for all sites in the hierarchy. If you have a
central administration site but connect the Configuration Manager console directly to a primary
site, you can view and manage Configuration Manager data from this connection, but you cannot
see data from other primary sites or from the secondary sites of other primary sites. However, if
you do not have a central administration site because your hierarchy has a stand-alone primary
site, you can use the Configuration Manager console to access all the data in your hierarchy.
Important
When you manage objects or clients by using a Configuration Manager console that is connected to a child primary site in a hierarchy with other primary sites, the changes you make replicate throughout the hierarchy to other primary sites, even though you cannot see data from those other primary sites.
Note
When you connect a Configuration Manager console to an evaluation installation of Configuration Manager, the title bar of the console displays the number of days that remain before the evaluation installation expires. The number of days does not automatically refresh and only updates when you make a new connection to a site. After the evaluation period ends, the Configuration Manager console connects as a read-only console.
About the Read-Only Console
When you connect a Configuration Manager console to a primary site, there are certain
conditions that result in the Configuration Manager console connecting as a read-only console.
The read-only console lets you view objects and configuration settings but prevents you from
making any changes that could be lost when the primary site completes initialization or is
synchronized with the central administration site after replication issues are resolved.
Read-only consoles are established for the following reasons:
• You connect to a primary site before it completes the Configuration Manager site installation.
• You connect to a primary site that has intersite replication problems.
• You connect to a primary site during a site restoration of that site.
• You connect to a primary site when that site is initializing global data.
After the primary site is fully initialized, or replication issues between that site and the central administration site are resolved, you must close, and then reconnect the Configuration Manager console to establish a normal session where you can manage objects and configurations.
Note
A Configuration Manager console that connects to an evaluation installation of Configuration Manager after the evaluation period of 180 days ends will connect as a read-only console.
Planning for Multiple Administrative Users and
Global Data Replication in Configuration Manager
Use the following sections to help you plan for multiple administrative users who access objects
and configuration settings that are shared between sites. This data is referred to as global data,
and it is available throughout the hierarchy.
About Multiple Edits to Global Data in Configuration Manager
Because different administrative users at one or more sites can attempt to manage the same
object at the same time, Configuration Manager prevents one administrative user from editing an
object if another administrative user in the hierarchy is currently editing the same object. When an
object you want to manage is already in use, you have the option to view the object as a read-
only instance, or to retry to obtain ownership of the object. If you retry to obtain ownership and the
object is no longer in use by another administrative user, you are granted ownership and can edit
the object. Do not confuse the read-only status for an object you want to manage with the read-
only Configuration Manager console. Unlike the read-only console, this is an object-specific
condition that is temporary and based on the individual object’s current availability. This condition
is not related to the status of the site to which your Configuration Manager console connects.
Configuration Manager also resolves edits to an object when those edits are made at different
sites when one of the sites is unable to replicate data. This scenario might occur if a network link
is disconnected. In this scenario, the first edit to an object that replicates to the central
administration site takes precedence over a later edit from the primary site that was unable to
replicate the data.
About Data Access From the Configuration Manager Console
Use role-based administration to define the objects in the hierarchy that administrative users can
see in the Configuration Manager console and the permissions that they have for those objects.
Use a combination of security roles, security scopes, and collections to help manage access to
data throughout the hierarchy for each administrative user. For more information, see Planning
for Security in Configuration Manager.
See Also
Planning for Configuration Manager Sites and Hierarchy
Planning for Publishing of Site Data to Active Directory Domain Services
If you extend the Active Directory schema for System Center 2012 Configuration Manager, you
can publish Configuration Manager sites to Active Directory Domain Services so that Active
Directory computers can securely retrieve site information from a trusted source. Although
publishing site information to Active Directory Domain Services is not required for basic
Configuration Manager functionality, this configuration can reduce administrative overhead.
When you extend the Active Directory schema for Configuration Manager and a site is configured
to publish to Active Directory Domain Services, Configuration Manager clients can automatically
find management points through Active Directory publishing using an LDAP query to a global
catalog server. If you do not extend the Active Directory schema for Configuration Manager,
management points cannot be published to Active Directory Domain Services and clients must
have an alternative mechanism to locate their default management point. For information about
service location by clients, see the Planning for Service Location by Clients section in the
Planning for Communications in Configuration Manager topic.
The following are prerequisites you must configure before a Configuration Manager site can
publish site data to Active Directory Domain Services:
• You must extend the Active Directory schema in each forest where you will publish site data. For more information, see Determine Whether to Extend the Active Directory Schema for Configuration Manager.
• You must configure Active Directory Forests for use with Configuration Manager, and enable publishing to the forests you want to use. For information, see the About Active Directory Forest Discovery section in the Planning for Discovery in Configuration Manager topic.
• You must enable publishing at each site that will publish its data to Active Directory Domain Services. For information, see Configuring Sites to Publish to Active Directory Domain Services.
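To check what a site has actually published, which is the same data a client retrieves with its LDAP query to a global catalog, the following PowerShell is an added example and not part of the Microsoft documentation. It assumes the published management point objects use the schema-extension class mSSMSManagementPoint with the attributes mSSMSMPName, mSSMSSiteCode and mSSMSDefaultMP, held under the System Management container; those names are not stated on this page, and the domain path and host names used below are placeholders.

```powershell
# Added example (not from the Configuration Manager documentation): enumerate the management
# points published to Active Directory Domain Services and compare them with the expected list.
# Assumed (not from this page): object class mSSMSManagementPoint and attributes
# mSSMSMPName, mSSMSSiteCode, mSSMSDefaultMP from the Configuration Manager schema extension.
function Get-PublishedCMManagementPoint {
    param(
        # Global catalog search root, for example 'GC://DC=contoso,DC=com' (placeholder domain).
        [Parameter(Mandatory)] [string] $GlobalCatalogPath,
        # Optional site code to restrict the query, for example 'P01'.
        [string] $SiteCode
    )
    $filter = '(objectClass=mSSMSManagementPoint)'
    if ($SiteCode) { $filter = "(&$filter(mSSMSSiteCode=$SiteCode))" }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry($GlobalCatalogPath)
    $searcher.Filter      = $filter
    $searcher.SearchScope = 'Subtree'
    foreach ($p in 'mSSMSMPName', 'mSSMSSiteCode', 'mSSMSDefaultMP', 'distinguishedName') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($result in $searcher.FindAll()) {
        # Result property names come back lower-cased; each is a collection, so take the first value.
        [pscustomobject]@{
            SiteCode          = [string]($result.Properties['mssmssitecode']     | Select-Object -First 1)
            ManagementPoint   = [string]($result.Properties['mssmsmpname']       | Select-Object -First 1)
            DefaultMP         = [bool]  ($result.Properties['mssmsdefaultmp']    | Select-Object -First 1)
            DistinguishedName = [string]($result.Properties['distinguishedname'] | Select-Object -First 1)
        }
    }
}

# Flag management point entries that are published but not expected (stale or unauthorised
# publishing) and expected entries that are missing (clients would fail to locate them).
function Compare-PublishedManagementPoints {
    param(
        [Parameter(Mandatory)] [string]   $GlobalCatalogPath,
        [Parameter(Mandatory)] [string]   $SiteCode,
        [Parameter(Mandatory)] [string[]] $ExpectedMPs   # FQDNs of the site's management points
    )
    $published = @(Get-PublishedCMManagementPoint -GlobalCatalogPath $GlobalCatalogPath -SiteCode $SiteCode)
    $publishedNames = @($published | ForEach-Object { $_.ManagementPoint })
    [pscustomobject]@{
        SiteCode   = $SiteCode
        Unexpected = @($published   | Where-Object { $ExpectedMPs    -notcontains $_.ManagementPoint })
        Missing    = @($ExpectedMPs | Where-Object { $publishedNames -notcontains $_ })
    }
}

# Usage with placeholder values.
Compare-PublishedManagementPoints -GlobalCatalogPath 'GC://DC=contoso,DC=com' -SiteCode 'P01' `
    -ExpectedMPs 'mp01.contoso.com', 'mp02.contoso.com' | Format-List
```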
See Also
Planning for Configuration Manager Sites and Hierarchy
Planning for Discovery in Configuration Manager
System Center 2012 Configuration Manager discovery identifies computer and user resources
that you can manage by using Configuration Manager. It can also discover the network
infrastructure in your environment. Discovery creates a discovery data record (DDR) for each
discovered object and stores this information in the Configuration Manager database.
When discovery of a resource is successful, discovery puts information about the resource in a
file that is referred to as a discovery data record (DDR). DDRs are in turn processed by site
servers and entered into the Configuration Manager database where they are then replicated by
database-replication with all sites. The replication makes discovery data available at each site in
the hierarchy, regardless of where it was discovered or processed.
You can use discovery information to create custom queries and collections that logically group
resources for management tasks such as the assignment of custom client settings and software
deployments. Computers must be discovered before you can use client push installation to install
the Configuration Manager client on devices.
Use the following sections to help you plan for discovery in Configuration Manager:
• Discovery Methods in Configuration Manager
• Decide Which Discovery Methods to Use
• About Active Directory System, User, and Group Discovery Methods
• Shared Discovery Options
• Active Directory System Discovery
• Active Directory User Discovery
• Active Directory Group Discovery
• About Active Directory Forest Discovery
• About Delta Discovery
• About Heartbeat Discovery
• About Network Discovery
• About Discovery Data Records
• Decide Where to Run Discovery
• Best Practices for Discovery
What’s New in Configuration Manager
The information in this section also appears in the Getting Started with System Center
2012 Configuration Manager guide.
System Center 2012 Configuration Manager introduces the following changes for discovery:
 Each discovery data record is processed and entered into the database one time only, at a
primary site or central administration site, and then the discovery data record is deleted
without additional processing.
 Discovery information entered into the database at one site is shared to each site in the
hierarchy by using Configuration Manager database replication.
 Active Directory Forest Discovery is a new discovery method that can discover subnets and
Active Directory sites, and can add them as boundaries for your hierarchy.
 Active Directory System Group Discovery has been removed.
 Active Directory Security Group Discovery is renamed to Active Directory Group Discovery
and discovers the group memberships of resources.
 Active Directory System Discovery and Active Directory Group Discovery support options to
filter out stale computer records from discovery.
 Active Directory System, User, and Group Discovery support Active Directory Delta
Discovery. Delta Discovery is improved from Configuration Manager 2007 R3 and can now
detect when computers or users are added or removed from a group.
Discovery Methods in Configuration Manager
Before you enable discovery methods for Configuration Manager, ensure you understand what
each method can discover. Because discovery can generate a large volume of network traffic,
and the resultant DDRs can result in a significant use of CPU resources during processing, plan
to use only those discovery methods that you require to meet your goals. You could use only one
or two discovery methods to be successful, and you can always enable additional methods in a
controlled manner to extend the level of discovery in your environment.
Use the following table to help you plan for each of the six configurable discovery methods.
Discovery method: Active Directory Forest Discovery
Enabled by default: No
Accounts that run discovery: Active Directory Forest Discovery Account, or the computer account of the site server
More information:
 Can discover Active Directory sites and subnets, and then create Configuration Manager boundaries for each site and subnet from the forests that you have configured for discovery.
 Supports a user-defined account to discover resources for each forest.
 Can publish to the Active Directory Domain Services of a forest when publishing to that forest is enabled, and the specified account has permissions to that forest.

Discovery method: Active Directory System Discovery
Enabled by default: No
Accounts that run discovery: Active Directory System Discovery Account, or the computer account of the site server
More information:
 Discovers computers from the specified locations in Active Directory Domain Services.

Discovery method: Active Directory User Discovery
Enabled by default: No
Accounts that run discovery: Active Directory User Discovery Account, or the computer account of the site server
More information:
 Discovers user accounts from the specified locations in Active Directory Domain Services.

Discovery method: Active Directory Group Discovery
Enabled by default: No
Accounts that run discovery: Active Directory Group Discovery Account, or the computer account of the site server
More information:
 Discovers local, global, and universal security groups, the membership within these groups, and the membership within distribution groups from the specified locations in Active Directory Domain Services. Distribution groups are not discovered as group resources.

Discovery method: Heartbeat Discovery
Enabled by default: Yes
Accounts that run discovery: Computer account of the client
More information:
 Used by active Configuration Manager clients to update their discovery records in the database.
 Heartbeat Discovery can force discovery of a computer as a new resource record, or can repopulate the database record of a computer that was deleted from the database.

Discovery method: Network Discovery
Enabled by default: No
Accounts that run discovery: Computer account of the site server
More information:
 Searches your network infrastructure for network devices that have an IP address.
 Can discover devices that might not be found by other discovery methods. This includes printers, routers, and bridges.
All configurable discovery methods support a schedule for when discovery runs. With the
exception of Heartbeat Discovery, you can configure each method to search specific locations for
resources to add to the Configuration Manager database. After discovery runs, you can change
the locations that a discovery method searches. These new locations are searched during the
next discovery run. However, the next run of the discovery method is not limited to the new
locations and always attempts to discover information from all current configured locations.
Heartbeat Discovery is the only discovery method that is enabled by default. To help maintain the
database record of Configuration Manager clients, do not disable Heartbeat Discovery.
In addition to these discovery methods, Configuration Manager also uses a process named
Server Discovery (SMS_WINNT_SERVER_DISCOVERY_AGENT). This discovery method
creates resource records for computers that are site systems, such as a computer that is
configured as a management point. This method of discovery runs daily and is not configurable.
Decide Which Discovery Methods to Use
To discover potential Configuration Manager client computers or user resources, you must enable
the appropriate discovery methods. You can use different combinations of discovery methods to
locate different resources and to discover additional information about those resources. The
discovery methods that you use determine the type of resources that are discovered and which
Configuration Manager services and agents are used in the discovery process. They also
determine the type of information about resources that you can discover.
Discover Computers
When you want to discover computers, you can use Active Directory System Discovery or
Network Discovery.
As an example, if you want to discover resources that can install the Configuration Manager client
before you use client push installation, you might run Active Directory System Discovery.
Alternatively, you could run Network Discovery and use its options to discover the operating system
of resources (required to later use client push installation). However, by using Active Directory
System Discovery, you not only discover the resource, but discover basic information and can
discover extended information about it from Active Directory Domain Services. This information
might be useful in building complex queries and collections to use for the assignment of client
settings or content deployment. Network Discovery, on the other hand, provides you with
information about your network topology that you are not able to acquire with other discovery
methods, but Network Discovery does not provide you any information about your Active
Directory environment.
It is also possible to use only Heartbeat Discovery to force the discovery of clients that you
installed by methods other than client push installation. However, unlike other discovery methods,
Heartbeat Discovery cannot discover computers that do not have an active Configuration
Manager client, and returns a limited set of information. It is intended to maintain an existing
database record and not to be the basis of that record. Information submitted by Heartbeat
Discovery might not be sufficient to build complex queries or collections.
If you use Active Directory Group Discovery to discover the membership of a specified group, you
can discover limited system or computer information. This does not replace a full discovery of
computers but can provide basic information. This basic information is insufficient for client push
installation.
Discover Users
When you want to discover information about users, you can use Active Directory User
Discovery. Similar to Active Directory System Discovery, this method discovers users from Active
Directory and includes basic information in addition to extended Active Directory information. You
can use this information to build complex queries and collections similar to those for computers.
Discover Group Information
When you want to discover information about groups and group memberships, use Active
Directory Group Discovery. This discovery method creates resource records for security groups.
You can use this method to search a specific Active Directory group to identify the members of
that group in addition to any nested groups within that group. You can also use this method to
search an Active Directory location for groups, and recursively search each child container of that
location in Active Directory Domain Services.
This discovery method can also search the membership of distribution groups. This can identify
the group relationships of both users and computers.
When you discover a group, you can also discover limited information about its members. This
does not replace Active Directory System or User Discovery and is usually insufficient to build
complex queries and collections or serve as the basis of a client push installation.
Discover Infrastructure
There are two methods that you can use to discover network infrastructure, Active Directory
Forest Discovery and Network Discovery.
You can use Active Directory Forest Discovery to search an Active Directory forest for information
about subnets and Active Directory site configurations. These configurations can then be
automatically entered into Configuration Manager as boundary locations.
When you want to discover your network topology, use Network Discovery. While other discovery
methods return information related to Active Directory Domain Services and can identify the
current network location of a client, they do not provide infrastructure information based on the
subnets and router topology of your network.
About Active Directory System, User, and Group
Discovery Methods
This section contains information about the following discovery methods:
 Active Directory System Discovery
 Active Directory User Discovery
 Active Directory Group Discovery
The information in this section does not apply to Active Directory Forest Discovery.
These three discovery methods are similar in configuration and operation, and can discover
computers, users, and information about group memberships of resources that are stored in
Active Directory Domain Services. The discovery process is managed by a discovery agent that
runs on the site server at each site where discovery is configured to run. You can configure each
of these discovery methods to search one or more Active Directory locations as location
instances in the local forest or remote forests.
Note: When discovery searches an untrusted forest for resources, the discovery agent must be able to
resolve the following to be successful:
 To discover a computer resource with Active Directory System Discovery, the discovery
agent must be able to resolve the FQDN of the resource. If it cannot resolve the FQDN, it will
then attempt to resolve the resource by its NetBIOS name.
 To discover a user or group resource with Active Directory User Discovery or Active Directory
Group Discovery, the discovery agent must be able to resolve the FQDN of the domain
controller name you specify for the Active Directory location.
For each location instance that you specify, you can configure individual search options such as
enabling a recursive search of the location’s Active Directory child containers. You can also
configure a unique account to use when it searches that location instance. This provides flexibility
in configuring a discovery method at one site to search multiple Active Directory locations across
multiple forests, without having to configure a single account that has permissions to all locations.
When each of these three discovery methods runs at a specific site, the Configuration Manager
site server at that site contacts the nearest domain controller in the specified Active Directory
forest to locate Active Directory resources. The domain and forest can be in any supported Active
Directory mode, and the account that you assign to each location instance must have Read
access permission to the specified Active Directory locations. Discovery searches the specified
locations for objects and then attempts to collect information about those objects. A DDR is
created when sufficient information about a resource can be identified. The required information
varies depending on the discovery method that is being used.
If you configure the same discovery method to run at different Configuration Manager sites to
take advantage of querying local Active Directory servers, you can configure each site with a
unique set of discovery options. Because discovery data is shared with each site in the hierarchy,
avoid overlap between these configurations to efficiently discover each resource one time. For
smaller environments, you might consider running each discovery method at only one single site
in your hierarchy to reduce administrative overhead and the potential for multiple discovery
actions to rediscover the same resources. When you minimize the number of sites that run
discovery you can reduce the overall network bandwidth that is being used by discovery, and
reduce the overall number of DDRs that are created and must be processed by your site servers.
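The overlap this paragraph warns about can be checked mechanically. The following is an added example (not code from the Configuration Manager documentation or product) that models each configured Active Directory container as a location instance and reports pairs whose search scopes overlap; site codes and LDAP paths are constructed, and the server-qualified path form is an assumption about how a location that names a domain controller is written.

```python
"""Detect overlapping Active Directory discovery locations across sites.

Added example, not from the Configuration Manager documentation. Each
LocationInstance models one entry in a discovery method's list of Active
Directory containers: the site that runs it, the LDAP path, and whether the
search recurses into child containers. Two instances overlap when they name the
same container, or when one recurses into a container the other searches; every
resource in the overlap is discovered twice and produces duplicate DDRs.
Site codes and LDAP paths below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LocationInstance:
    site_code: str   # Configuration Manager site that runs this discovery
    ldap_path: str   # container to search, e.g. LDAP://OU=Corp,DC=contoso,DC=com
    recursive: bool  # "recursively search Active Directory child containers"


def parse_dn(ldap_path: str) -> tuple:
    """Return the container DN as a root-first tuple of lower-cased RDNs.

    'LDAP://OU=Sales,OU=Corp,DC=contoso,DC=com' becomes
    ('dc=com', 'dc=contoso', 'ou=corp', 'ou=sales'), so "is an ancestor of"
    reduces to a tuple-prefix test. A path that names a domain controller
    (assumed form LDAP://dc01.contoso.com/OU=...) is the same container as the
    serverless form; the host part is dropped before parsing.
    """
    dn = ldap_path.split("://", 1)[-1]
    if "/" in dn:
        dn = dn.rsplit("/", 1)[-1]
    rdns = [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]
    return tuple(reversed(rdns))


def covers(a: LocationInstance, b: LocationInstance) -> bool:
    """True when instance a discovers every object that b discovers directly."""
    dn_a, dn_b = parse_dn(a.ldap_path), parse_dn(b.ldap_path)
    if dn_a == dn_b:
        return True  # same container: its direct members are found by both
    # a is a proper ancestor of b and recursion carries a's search into b
    return a.recursive and len(dn_a) < len(dn_b) and dn_b[:len(dn_a)] == dn_a


def find_overlaps(instances: list) -> list:
    """Return (a, b) pairs of location instances whose search scopes overlap."""
    overlaps = []
    for i, a in enumerate(instances):
        for b in instances[i + 1:]:
            if covers(a, b) or covers(b, a):
                overlaps.append((a, b))
    return overlaps


# Constructed hierarchy: a central administration site and two primary sites,
# each running Active Directory System Discovery against its own locations.
SAMPLE_CONFIGURATION = [
    LocationInstance("CAS", "LDAP://OU=Corp,DC=contoso,DC=com", recursive=True),
    LocationInstance("PS1", "LDAP://OU=Sales,OU=Corp,DC=contoso,DC=com", recursive=True),
    LocationInstance("PS2", "LDAP://dc01.fabrikam.com/OU=Labs,DC=fabrikam,DC=com", recursive=False),
    LocationInstance("PS2", "LDAP://OU=Build,OU=Labs,DC=fabrikam,DC=com", recursive=False),
]

if __name__ == "__main__":
    # Only CAS/PS1 overlap: CAS recurses from OU=Corp into OU=Sales. The two
    # PS2 locations do not overlap because OU=Labs is searched non-recursively.
    for a, b in find_overlaps(SAMPLE_CONFIGURATION):
        print(f"overlap: {a.site_code} {a.ldap_path}  <->  {b.site_code} {b.ldap_path}")
```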
Many of the discovery method configurations are self-explanatory. Use the following sections for
more information about the discovery options that might require additional information before you
configure them.
Shared Discovery Options
The following table identifies configuration options that are available on multiple Active Directory
Discovery methods.
Key: √ = Supported Ø = Unsupported
The three support columns are Active Directory System Discovery, Active Directory User Discovery, and Active Directory Group Discovery.

Discovery option: Delta Discovery
System Discovery √ | User Discovery √ | Group Discovery √
Details: Delta Discovery is an option available for each Active Directory discovery method except Active Directory Forest Discovery. Configuration Manager can use Delta Discovery to search Active Directory Domain Services (AD DS) for specific attributes that have changed after the last full discovery cycle of the discovery method. You can configure a short interval for Delta Discovery to search for new resources because discovering only new resources does not affect the performance of the site server as much as a full discovery cycle does.
Delta Discovery can detect the following new resource types:
 Computer objects
 User objects
 Security group objects
 System group objects
Delta Discovery cannot detect when a resource has been deleted from AD DS. You must run a full discovery cycle to detect this change.
DDRs for objects that Delta Discovery discovers are processed similarly to the DDRs that are created by a full discovery cycle.
You configure Delta Discovery on the Polling Schedule tab in the properties for each discovery method.

Discovery option: Filter stale computer records by domain logon
System Discovery √ | User Discovery Ø | Group Discovery √
Details: You can configure discovery to exclude stale computer records based on the last domain logon of the computer. When this option is enabled, Active Directory System Discovery evaluates each computer it identifies. Active Directory Group Discovery evaluates each computer that is a member of a group that is discovered.
Use of this option requires the following:
 Computers must be configured to update the lastLogonTimeStamp attribute in AD DS.
 The Active Directory domain functional level is set to Windows Server 2003 or later.
When configuring the time after the last logon, consider the interval for replication between domain controllers.
You configure filtering on the Option tab in both the Active Directory System Discovery Properties and Active Directory Group Discovery Properties dialog boxes by selecting the option Only discover computers that have logged on to a domain in a given period of time.
Warning: When you configure both of the stale record filters on the same discovery method, computers that meet the criteria of either filter are excluded from discovery.

Discovery option: Filter stale records by computer password
System Discovery √ | User Discovery Ø | Group Discovery √
Details: You can configure discovery to exclude stale computer records based on the last computer account password update by the computer. When this option is enabled, Active Directory System Discovery evaluates each computer it identifies. Active Directory Group Discovery evaluates each computer that is a member of a group that is discovered.
Use of this option requires the following:
 Computers must be configured to update the pwdLastSet attribute in AD DS.
When configuring this option, consider the interval for updates to this attribute in addition to the replication interval between domain controllers.
You configure filtering on the Option tab in both the Active Directory System Discovery Properties and Active Directory Group Discovery Properties dialog boxes by selecting the option Only discover computers that have updated their computer account password in a given period of time.
Warning: When you configure both of the stale record filters on the same discovery method, computers that meet the criteria of either filter are excluded from discovery.

Discovery option: Search customized Active Directory attributes
System Discovery √ | User Discovery √ | Group Discovery Ø
Details: Each discovery method supports a unique list of attributes that can be discovered.
You configure Active Directory customized attributes on the Active Directory Attributes tab in both the Active Directory System Discovery Properties and Active Directory User Discovery Properties dialog boxes.
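The two stale record filters in the table above, as an added example (not code from the Configuration Manager documentation or product): it converts the lastLogonTimeStamp and pwdLastSet FILETIME values, applies the configured periods, and shows that with both filters enabled a computer meeting either one is excluded. Computer names, timestamps and periods are constructed.

```python
"""Apply the two stale computer record filters from the table above.

Added example, not from the Configuration Manager documentation. It models the
options "Only discover computers that have logged on to a domain in a given
period of time" (lastLogonTimeStamp) and "Only discover computers that have
updated their computer account password in a given period of time" (pwdLastSet),
and the documented rule that a computer matching EITHER enabled filter is
excluded. Both attributes are Windows FILETIME values (100-nanosecond ticks
since 1601-01-01 UTC), so they are converted before comparison.
The computers, periods and evaluation time are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert an AD FILETIME integer to an aware UTC datetime; 0 means never set."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build the sample objects."""
    return ((moment - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


@dataclass(frozen=True)
class ComputerObject:
    name: str
    last_logon_timestamp: int  # FILETIME; 0 if the attribute was never written
    pwd_last_set: int          # FILETIME; 0 if the attribute was never written


@dataclass(frozen=True)
class StaleRecordFilters:
    """The two Option-tab settings; None means that filter is not enabled."""
    logon_days: Optional[int] = None     # period for the domain-logon filter
    password_days: Optional[int] = None  # period for the computer-password filter


def older_than(filetime: int, days: int, now: datetime) -> bool:
    """True if the attribute is unset or its timestamp is more than `days` old."""
    moment = filetime_to_datetime(filetime)
    return moment is None or now - moment > timedelta(days=days)


def exclusion_reasons(computer: ComputerObject, filters: StaleRecordFilters,
                      now: datetime) -> List[str]:
    """Enabled filters that exclude this computer; an empty list means discovered.

    A computer matching either enabled filter is excluded, as the Warning states.
    """
    reasons = []
    if filters.logon_days is not None and older_than(
            computer.last_logon_timestamp, filters.logon_days, now):
        reasons.append("domain logon")
    if filters.password_days is not None and older_than(
            computer.pwd_last_set, filters.password_days, now):
        reasons.append("computer password")
    return reasons


def apply_filters(computers: List[ComputerObject], filters: StaleRecordFilters,
                  now: datetime) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split identified computers into (discovered names, excluded name -> reasons)."""
    discovered, excluded = [], {}
    for computer in computers:
        reasons = exclusion_reasons(computer, filters, now)
        if reasons:
            excluded[computer.name] = reasons
        else:
            discovered.append(computer.name)
    return discovered, excluded


# Constructed evaluation time and computer objects.
NOW = datetime(2012, 5, 23, 12, 0, tzinfo=timezone.utc)

def _days_ago(days: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=days))

SAMPLE_COMPUTERS = [
    ComputerObject("WS01", _days_ago(3), _days_ago(10)),    # healthy workstation
    ComputerObject("WS02", _days_ago(120), _days_ago(10)),  # no domain logon for 4 months
    ComputerObject("WS03", _days_ago(5), _days_ago(200)),   # password rotation disabled
    ComputerObject("WS04", 0, 0),                           # attributes never written
]

if __name__ == "__main__":
    # lastLogonTimeStamp is only rewritten (and replicated) when the stored value
    # is more than about 14 days old, the default msDS-LogonTimeSyncInterval, so
    # add that lag to the period you really want, as the table advises.
    filters = StaleRecordFilters(logon_days=90 + 14, password_days=90)
    found, dropped = apply_filters(SAMPLE_COMPUTERS, filters, NOW)
    print("discovered:", found)
    for name, why in dropped.items():
        print(f"excluded {name}: {', '.join(why)}")
```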
Active Directory System Discovery
Use Configuration Manager Active Directory System Discovery to search the specified Active
Directory Domain Services (AD DS) locations for computer resources that can be used to create
collections and queries. You can then install the client to discovered computers by using client
push installation. To successfully create a discovery data record (DDR) for a computer, Active
Directory System Discovery must be able to identify the computer account and then successfully
resolve the computer name to an IP address.
By default, Active Directory System Discovery discovers basic information about the computer
including the following:
 Computer name
 Operating system and version
 Active Directory container name
 IP address
 Active Directory site
 Last Logon Timestamp
In addition to the basic information, you can configure the discovery of extended attributes from
Active Directory Domain Services.
You can view the default list of object attributes returned by Active Directory System Discovery,
and configure additional attributes to be discovered in the Active Directory System Discovery
Properties dialog box on the Active Directory Attributes tab.
For more information about how to configure this discovery method, see Configure Active
Directory Discovery in Configuration Manager.
Active Directory System Discovery actions are recorded in the file adsysdis.log in the
<InstallationPath>\LOGS folder on the site server.
Active Directory User Discovery
Use Configuration Manager Active Directory User Discovery to search Active Directory Domain
Services (AD DS) to identify user accounts and associated attributes.
You can view the default list of object attributes returned by Active Directory User Discovery, and
configure additional attributes to be discovered in the Active Directory User Discovery
Properties dialog box on the Active Directory Attributes tab.
By default, Active Directory User Discovery discovers basic information about the user account
including the following:
 User name
 Unique user name (includes domain name)
 Domain
 Active Directory container names
In addition to the basic information, you can configure the discovery of extended attributes from
Active Directory Domain Services.
For more information about how to configure this discovery method, see Configure Active
Directory Discovery in Configuration Manager.
Active Directory User Discovery actions are recorded in the file adusrdis.log in the
<InstallationPath>\LOGS folder on the site server.
Active Directory Group Discovery
Use Configuration Manager Active Directory Group Discovery to search Active Directory Domain
Services (AD DS) to identify the group memberships of computers and users.
This discovery method searches a discovery scope that you configure, and then identifies the
group memberships of resources in that discovery scope. By default, only security groups are
discovered. However, you can discover the membership of distribution groups when you select
the checkbox for the option Discover the membership of distribution groups on the Option
tab in the Active Directory Group Discovery Properties dialog box.
Use Active Directory Group Discovery to discover the following information:
 Groups
 Membership of Groups
 Limited information about a group’s member computers and users, even when those
computers and users have not previously been discovered by another discovery method
This discovery method is intended to identify groups and the group relationships of members of
groups. This method of discovery does not support the extended Active Directory attributes that
can be identified by using Active Directory System Discovery or Active Directory User Discovery.
Because this discovery method is not optimized to discover computer and user resources,
consider running this discovery method after you have run Active Directory System Discovery and
Active Directory User Discovery. This is because this discovery method creates a full DDR for
groups, but only a limited DDR for computers and users that are members of groups.
You can configure the following discovery scopes that control how Active Directory Group
Discovery searches for information:
 Location: Use a location if you want to search one or more Active Directory containers. This
scope option supports a recursive search of the specified Active Directory containers that
also searches each child container under the container you specify. This process continues
until no more child containers are found.
 Groups: Use groups if you want to search one or more specific Active Directory groups. You
can configure the Active Directory Domain to use the default domain and forest, or limit the
search to an individual domain controller. Additionally, you can specify one or more groups to
search. If you do not specify at least one group, all groups found in the specified Active
Directory Domain location are searched.
Caution: When you configure a discovery scope, select only the groups that you must discover.
This is because Active Directory Group Discovery attempts to discover each member of
each group in the discovery scope. Discovery of large groups can require extensive use
of bandwidth and Active Directory resources.
Note: You have to run either Active Directory System Discovery or Active Directory User
Discovery to create collections that are based on extended Active Directory attributes and
to ensure accurate discovery results for computers and users.
For more information about how to configure this discovery method, see Configure Active
Directory Discovery in Configuration Manager.
Active Directory Group Discovery actions are recorded in the file adsgdis.log in the
<InstallationPath>\LOGS folder on the site server.
About Active Directory Forest Discovery
Use Configuration Manager Active Directory Forest Discovery to discover IP subnets and Active
Directory sites and to add them to Configuration Manager as boundaries.
Unlike other discovery methods, Active Directory Forest Discovery does not discover resources
that you can manage. Instead, this method discovers Active Directory network locations and can
convert those locations into boundaries for use throughout your hierarchy.
Use Active Directory Forest Discovery to do the following:
 Discover IP subnets in an Active Directory forest
 Discover Active Directory sites in an Active Directory forest
 Add the IP subnets and Active Directory sites that are discovered as boundaries in
Configuration Manager
 Publish to the Active Directory Domain Services of a forest when publishing to that forest is
enabled, and the specified Active Directory Forest Account has permissions to that forest
Manage Active Directory Forest Discovery in the Configuration Manager console from the
following nodes under Hierarchy Configuration in the Administration workspace:
 Discovery Methods: Here you can enable Active Directory Forest Discovery to run at the
top-level site of your hierarchy. You can also specify a simple schedule to run discovery, and
configure it to automatically create boundaries from the IP subnets and Active Directory sites
that it discovers. Active Directory Forest Discovery cannot be run at a child primary site or at
a secondary site.
Note: This discovery method does not support Delta Discovery.
 Active Directory Forests: Here you configure the additional Active Directory forests that you
want to discover, specify the account to use as the Active Directory Forest Account for each
forest, and configure publishing to each forest. Additionally, you can monitor the discovery
process and add IP subnets and Active Directory sites to Configuration Manager as
boundaries and members of boundary groups.
When publishing is enabled for a forest and that forest’s schema is extended for Configuration
Manager, the following information is published for each site that is enabled to publish to that
Active Directory forest:
 SMS-Site-<site code>
 SMS-MP-<site code>-<site system server name>
 SMS-SLP-<site code>-<site system server name>
 SMS-<site code>-<Active Directory site name or subnet>
Note: Secondary sites always use the secondary site server computer account to publish to
Active Directory. If you want secondary sites to publish to Active Directory, ensure the
secondary site server computer account has permissions to publish to Active Directory. A
secondary site cannot publish data to an untrusted forest.
Tip: To configure publishing for Active Directory forests for each site in your hierarchy,
connect your Configuration Manager console to the top-level site of your hierarchy. The
Publishing tab in an Active Directory site Properties dialog box can only display the
current site and its child sites.
Caution: When you clear the option to publish a site to an Active Directory forest, all previously
published information for that site, including available site system roles, is removed from
the Active Directory of that forest.
Active Directory Forest Discovery runs on the local Active Directory forest, each trusted forest,
and each additional forest that you configure in the Active Directory Forests node of the
Configuration Manager console.
Active Directory Forest Discovery actions are recorded in the following logs:
 All actions, with the exception of actions related to publishing, are recorded in the
ADForestDisc.Log file in the <InstallationPath>\Logs folder on the site server.
 Active Directory Forest Discovery publishing actions are recorded in the hman.log and
sitecomp.log in the <InstallationPath>\Logs folder on the site server.
About Delta Discovery
Delta Discovery is not a full discovery method in Configuration Manager, but an option available
for the Active Directory System, User, and Group discovery methods. Delta Discovery can identify
most changes to a previously discovered resource in Active Directory and use fewer resources
than a full discovery cycle.
When you enable Delta Discovery for a discovery method, the discovery method searches Active
Directory Domain Services (AD DS) for specific attributes that have changed after the discovery
method’s last full discovery cycle. These changes are submitted to the Configuration Manager
database to update the resource’s discovery record.
By default, Delta Discovery runs on a five-minute cycle. This is because it uses fewer resources
during discovery than a full discovery cycle, and does not affect the performance of the site
server as much as a full discovery cycle would. When you use Delta Discovery, consider reducing
the frequency of the full discovery cycle for that discovery method.
Delta Discovery can detect changes on Active Directory objects. The following are the most
common changes that Delta Discovery detects:
 New computers or users added to Active Directory
 Changes to basic computer and user information
 New computers or users that are added to a group
 Computers or users that are removed from a group
 Changes to System group objects
Although Delta Discovery can detect new resources, and changes to group membership, it
cannot detect when a resource has been deleted from AD DS.
DDRs for objects that Delta Discovery discovers are processed similarly to the DDRs that are
created by a full discovery cycle.
You configure Delta Discovery on the Polling Schedule tab in the properties for each discovery
method.
About Heartbeat Discovery
Heartbeat Discovery differs from other Configuration Manager discovery methods. It is enabled
by default and runs on each computer client to create a discovery data record (DDR). For mobile
device clients, this DDR is created by the management point that is being used by the mobile
device client.
Heartbeat Discovery runs either on a schedule configured for all clients in the hierarchy, or if
manually invoked, on a specific client by running the Discovery Data Collection Cycle on the
Action tab in a client’s Configuration Manager program. When Heartbeat Discovery runs, it
creates a discovery data record (DDR) that contains the client’s current information including
network location, NetBIOS name, and operational status details. It is a small file, about 1 KB,
which is copied to a management point, and then processed by a primary site. The submission of
a Heartbeat Discovery DDR can maintain an active client’s record in the database, and also force
discovery of an active client that might have been removed from the database, or that has been
manually installed and not discovered by another discovery method.
Heartbeat Discovery is the only discovery method that provides details about the client installation
status by updating a system resource client attribute that has the value Yes. To send the
Heartbeat Discovery record, the client computer must be able to contact a management point.
The default schedule for Heartbeat Discovery is set to every 7 days. If you change the heartbeat
discovery interval, ensure that it runs more frequently than the site maintenance task Delete
Aged Discovery Data, which deletes inactive client records from the site database. You can
configure the Delete Aged Discovery Data task only for primary sites.
Note: Even when Heartbeat Discovery is disabled, DDRs are still created and submitted for
active mobile device clients. This ensures that the Delete Aged Discovery Data task
does not affect active mobile devices. When the Delete Aged Discovery Data task
deletes a database record for a mobile device, it also revokes the device certificate and
blocks the mobile device from connecting to management points.
Heartbeat Discovery actions are logged in the following locations:
 For computer clients, Heartbeat Discovery actions are recorded on the client in the
InventoryAgent.log in the %Windir%\CCM\Logs folder.
 For mobile device clients, Heartbeat Discovery actions are recorded in the DMPRP.log in the
%Program Files%\CCM\Logs folder of the management point that the mobile device client
uses.
About Network Discovery
Use Configuration Manager Network Discovery to discover the topology of your network and
devices on your network.
Network Discovery searches your network for IP-enabled resources by querying servers that run
a Microsoft implementation of DHCP, Address Resolution Protocol (ARP) caches in routers,
SNMP-enabled devices and Active Directory domains.
To successfully discover a resource, Network Discovery must identify the IP address and the
subnet mask of the resource. Because different types of devices can connect to the network,
Network Discovery can discover resources that cannot support the Configuration Manager client
software. For example, devices that can be discovered but not managed include printers and
routers.
Network Discovery can return several attributes as part of the discovery record it creates. This
includes the following:
 NetBIOS name
 IP addresses
 Resource domain
 System roles
 SNMP community name
 MAC addresses
To use Network Discovery, you must specify the level of discovery to run. You also configure one
or more discovery mechanisms that enable Network Discovery to query for network segments or
devices. You can also configure settings that help control discovery actions on the network.
Finally, you define one or more schedules for when Network Discovery runs.
Note: Complex networks and low bandwidth connections can cause Network Discovery to run
slowly and generate significant network traffic. As a best practice, run Network Discovery
only when the other discovery methods cannot find the resources that you have to
discover. For example, use Network Discovery if you must discover workgroup
computers. Workgroup computers are not discovered by other discovery methods.
When discovery identifies an IP-addressable object and can determine the object's subnet mask, it creates a discovery data record (DDR) for that object.
Network Discovery activity is recorded in the Netdisc.log in <InstallationPath>\Logs on the site server that runs discovery.
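The logs named in this topic (InventoryAgent.log and DMPRP.log for Heartbeat Discovery, Netdisc.log for Network Discovery) all use the CMTrace line format: a <![LOG[...]LOG]!> message followed by a tag that carries the local time with a UTC offset, the date, the component, a severity type (1 info, 2 warning, 3 error) and the thread. The parser below is an added example and is not code from this documentation or from Configuration Manager. The sample log lines are constructed for the example; their message text is made up, and only the tag layout and the component names InventoryAgent and SMS_NETWORK_DISCOVERY follow the real format. It sorts one component's entries by timestamp and counts warnings and errors, which is the first check to make when a discovery cycle produces fewer DDRs than expected.

```python
import re
from datetime import datetime

# One CMTrace entry: <![LOG[message]LOG]!><time="HH:MM:SS.fff+offset" date="MM-DD-YYYY"
# component="..." context="..." type="1|2|3" thread="..." file="...">
CMTRACE_RE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" '
    r'component="(?P<component>[^"]*)" context="(?P<context>[^"]*)" '
    r'type="(?P<type>\d)" thread="(?P<thread>\d+)" file="(?P<file>[^"]*)">',
    re.DOTALL,
)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}

# Constructed sample log: the message text is invented for this example and the
# entries are deliberately out of time order, as they can be in a real log.
SAMPLE_LOG = (
    '<![LOG[Heartbeat discovery cycle finished with 1 warning (sample)]LOG]!>'
    '<time="09:15:02.500+420" date="05-23-2012" component="InventoryAgent" '
    'context="" type="2" thread="3120" file="sample.cpp:2">\n'
    '<![LOG[Network discovery run started (sample)]LOG]!>'
    '<time="09:20:00.000+420" date="05-23-2012" component="SMS_NETWORK_DISCOVERY" '
    'context="" type="1" thread="4480" file="sample.cpp:3">\n'
    '<![LOG[Heartbeat discovery cycle started (sample)]LOG]!>'
    '<time="09:15:01.123+420" date="05-23-2012" component="InventoryAgent" '
    'context="" type="1" thread="3120" file="sample.cpp:1">\n'
)


def parse_cmtrace(text):
    """Yield one dict per CMTrace entry in text (an entry may span several lines)."""
    for m in CMTRACE_RE.finditer(text):
        # The time field ends with a UTC offset in minutes (+420 or -60); drop it.
        clock = re.split(r"[+-]", m.group("time"))[0]
        stamp = datetime.strptime(m.group("date") + " " + clock, "%m-%d-%Y %H:%M:%S.%f")
        yield {
            "timestamp": stamp,
            "component": m.group("component"),
            "severity": SEVERITY.get(m.group("type"), "unknown"),
            "thread": int(m.group("thread")),
            "message": m.group("message"),
        }


def discovery_entries(text, component):
    """Entries written by one component, oldest first, plus the warning/error count."""
    entries = sorted(
        (e for e in parse_cmtrace(text) if e["component"] == component),
        key=lambda e: e["timestamp"],
    )
    problems = sum(1 for e in entries if e["severity"] != "info")
    return entries, problems


if __name__ == "__main__":
    entries, problems = discovery_entries(SAMPLE_LOG, "InventoryAgent")
    for e in entries:
        print(e["timestamp"], e["severity"], e["message"])
    print(f"{problems} warning(s)/error(s)")
```

Point `discovery_entries` at the text of a real InventoryAgent.log or Netdisc.log to get the same summary for an actual cycle.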
Levels of Network Discovery
When you configure Network Discovery, you specify one of three levels of discovery:
Level of discovery | Details
Topology | This level discovers routers and subnets but does not identify a subnet mask for objects.
Topology and client | In addition to topology, this level discovers potential clients such as computers, and resources such as printers and routers. This level of discovery attempts to identify the subnet mask of objects it finds.
Topology, client, and client operating system | In addition to topology and potential clients, this level attempts to discover the computer operating system name and version. This level uses Windows Browser and Windows Networking calls.
With each incremental level, Network Discovery increases its activity and network bandwidth
usage. Consider the network traffic that can be generated before you enable all aspects of
Network Discovery.
For example, when you first use Network Discovery, you might start with only the topology level
to identify your network infrastructure. Then, you could reconfigure Network Discovery to discover
objects and their device operating systems. You could also configure settings that limit Network
Discovery to a specific range of network segments to discover objects in network locations that
you require and avoid unnecessary network traffic and discovery of objects from edge routers or
from outside your network.
Network Discovery Options
To enable Network Discovery to search for IP-addressable devices, you must configure one or
more options that specify how to query for devices. The options are listed in the following table.
Option: Domains
Details: Specify each domain that you want Network Discovery to query. Network Discovery can discover any computer that you can view from your site server when you browse the network. Network Discovery retrieves the IP address and then uses an Internet Control Message Protocol (ICMP) echo request to ping each device that it finds. The ping helps determine which computers are currently active.
Requirements: The site server that runs discovery must have permissions to read the domain controllers in each specified domain.
Note: To discover computers from the local domain, you must enable the Computer Browser service on at least one computer that is located on the same subnet as the site server that runs Network Discovery.

Option: SNMP Devices
Details: Specify each SNMP device that you want Network Discovery to query. Network Discovery retrieves the ipNetToMediaTable value from any SNMP device that responds to the query. This value returns arrays of IP addresses that are client computers or other resources such as printers, routers, or other IP-addressable devices.
Requirements: To query a device, you must specify the IP address or NetBIOS name of the device. You must configure Network Discovery to use the community name of the device, or the device rejects the SNMP-based query.

Option: DHCP
Details: Specify each DHCP server that you want Network Discovery to query. Network Discovery can query both 32-bit and 64-bit DHCP servers for a list of devices that are registered with each server. Network Discovery retrieves information by using remote procedure calls to the database on the DHCP server. When Network Discovery enumerates a DHCP server, it does not always discover static IP addresses. Network Discovery does not find IP addresses that are part of an excluded range of IP addresses on the DHCP server, and does not discover IP addresses that are reserved for manual assignment.
Note: Network Discovery supports only DHCP servers that run the Microsoft implementation of DHCP.
Requirements: For Network Discovery to successfully query a DHCP server, the computer account of the server that runs discovery must be a member of the DHCP Users group on the DHCP server. For example, this level of access exists when one of the following is true:
 The specified DHCP server is the DHCP server of the server that runs discovery.
 The computer that runs discovery and the DHCP server are in the same domain.
 A two-way trust exists between the computer that runs discovery and the DHCP server.
 The site server is a member of the DHCP Users group.
Important: To successfully configure a DHCP server in Network Discovery, your environment must support IPv4. You cannot configure Network Discovery to use a DHCP server in a native IPv6 environment.

Note
Network Discovery runs in the context of the computer account of the site server that runs discovery. If the computer account does not have permissions to an untrusted domain, both the Domains and DHCP server configurations can fail to discover resources.
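To make concrete what the SNMP Devices option sends and receives, and why the community name matters, the following is an added example, not code from this documentation or from Configuration Manager. It builds an SNMPv2c GetNextRequest for the ipNetToMediaPhysAddress column of ipNetToMediaTable (OID 1.3.6.1.2.1.4.22.1.2), decodes a GetResponse, and turns the returned rows into IP-to-MAC pairs, which is the information Network Discovery gets from a router's ARP cache. The GetResponse bytes are constructed by hand for the example; the host, the community name "public" and the addresses are placeholders. SNMPv1 and v2c carry the community name in cleartext in every request, so anyone on the path between the site server and the device can read it and reuse it; give the discovery server a read-only community and restrict which source addresses the device accepts it from.

```python
import socket

IP_NET_TO_MEDIA_TABLE = (1, 3, 6, 1, 2, 1, 4, 22)      # RFC 1213 ARP table
PHYS_ADDR_COLUMN = IP_NET_TO_MEDIA_TABLE + (1, 2)      # ipNetToMediaPhysAddress

def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _int(v):  # ASN.1 INTEGER, two's complement
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def _oid(arcs):  # ASN.1 OBJECT IDENTIFIER: first two arcs packed, then base-128 arcs
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))

def build_getnext(community, oid, request_id):
    """SNMPv2c GetNextRequest for one OID. The community name travels in cleartext."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")  # { name, NULL }
    pdu = _tlv(0xA1, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)  # version 1 = v2c

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return tuple(arcs)

def _decode_value(tag, body):
    if tag == 0x40:  # IpAddress
        return ".".join(str(b) for b in body)
    if tag == 0x04:  # OCTET STRING; in column 2 this is the MAC address
        return ":".join(f"{b:02x}" for b in body)
    if tag == 0x02:
        return int.from_bytes(body, "big", signed=True)
    return bytes(body)  # endOfMibView and other types are left raw

def parse_response(packet):
    """Return (request_id, error_status, [(oid, value), ...]) from a GetResponse."""
    _, msg, _ = _read_tlv(packet, 0)
    _, _, pos = _read_tlv(msg, 0)        # version
    _, _, pos = _read_tlv(msg, pos)      # community
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _, pos = _read_tlv(pdu, pos)      # error-index
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, name, q = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, q)
        varbinds.append((_decode_oid(name), _decode_value(vtag, vbody)))
    return int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big", signed=True), varbinds

def in_column(oid, column=PHYS_ADDR_COLUMN):
    """True while a GetNext walk is still returning rows of the requested column."""
    return len(oid) > len(column) and oid[:len(column)] == column

def arp_entries(varbinds):
    """Rows are indexed by ifIndex.a.b.c.d; map each IP to (ifIndex, MAC)."""
    rows = {}
    for oid, value in varbinds:
        if in_column(oid) and len(oid) == len(PHYS_ADDR_COLUMN) + 5:
            if_index, *ip = oid[len(PHYS_ADDR_COLUMN):]
            rows[".".join(map(str, ip))] = (if_index, value)
    return rows

def walk_arp_table(host, community, timeout=2.0):
    """Walk the column over UDP/161 (needs network access; not used by the offline sample)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    oid, rid, collected = PHYS_ADDR_COLUMN, 1, []
    try:
        while True:
            sock.sendto(build_getnext(community, oid, rid), (host, 161))
            got_rid, err, varbinds = parse_response(sock.recv(65535))
            if got_rid != rid or err != 0 or not varbinds or not in_column(varbinds[0][0]):
                break
            collected.extend(varbinds)
            oid, rid = varbinds[0][0], rid + 1
    finally:
        sock.close()
    return arp_entries(collected)

# Constructed GetResponse (community "public", request-id 1) carrying one row:
# ipNetToMediaPhysAddress.1.10.1.10.5 = 00:0c:29:3e:5f:1a
SAMPLE_RESPONSE = bytes.fromhex(
    "3032020101" "04067075626c6963" "a225" "020101" "020100" "020100"
    "301a" "3018" "060e2b0601020104160102010a010a05" "0406000c293e5f1a"
)
```

`walk_arp_table("192.0.2.1", "public")` performs the same walk against a live device; a packet capture of that exchange shows the community name in the clear, which is the reason to treat it like a password when you configure the SNMP Devices option.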
Limiting Network Discovery
When Network Discovery queries an SNMP device on the edge of your network, it can identify information about subnets and SNMP devices that are outside your immediate network. You can limit Network Discovery by configuring the SNMP devices that discovery can communicate with, and by specifying the network segments to query.
Use the following configurations to limit the scope of Network Discovery:
Configuration: Subnets
Details: Configure the subnets that Network Discovery queries when it uses the SNMP and DHCP options. Only the enabled subnets are searched by these two options. For example, a DHCP request can return devices from locations across your whole network. If you want to discover only devices on a specific subnet, specify and enable that specific subnet on the Subnets tab in the Network Discovery Properties dialog box. When you specify and enable subnets, you limit future DHCP and SNMP discovery operations to those subnets.
Note: Subnet configurations do not limit the objects that the Domains discovery option discovers.

Configuration: SNMP Community names
Details: To enable Network Discovery to successfully query an SNMP device, configure Network Discovery with the community name of the device. If Network Discovery is not configured by using the community name of the SNMP device, the device rejects the query.

Configuration: Maximum hops
Details: When you configure the maximum number of router hops, you limit the number of network segments and routers that Network Discovery can query by using SNMP. The number of hops that you configure limits the number of additional devices and network segments that Network Discovery can query. For example, a topology-only discovery with 0 (zero) router hops discovers the subnet on which the originating server resides, and includes any routers on that subnet. In the first example network, a topology-only Network Discovery that runs on Server 1 with 0 router hops finds subnet D and Router 1; a topology and client Network Discovery that runs on Server 1 with 0 router hops finds subnet D and Router 1, and all potential clients on subnet D.
To get a better idea of how additional router hops can increase the amount of network resources that are discovered, consider a second example network in which Server 1 is on subnet 10.1.10.0 with Router 1, and Router 1 also connects to subnets 10.1.20.0 and 10.1.30.0 and to subnet A. Running a topology-only Network Discovery from Server 1 with one router hop discovers the following:
 Router 1 and subnet 10.1.10.0 (found with zero hops).
 Subnets 10.1.20.0 and 10.1.30.0, subnet A, and Router 2 (found on the first hop).
Warning: Each increase to the number of router hops can significantly increase the number of discoverable resources and increase the network bandwidth that Network Discovery uses.
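The hop rule above can be modelled as a breadth-first walk over routers: a router is found as soon as one of its subnets has been reached, and the subnets on its far side cost one more hop. The following is an added example, not code from this documentation, built on a constructed network that follows the second example (Server 1 on 10.1.10.0; Router 1 joining 10.1.10.0, 10.1.20.0, 10.1.30.0 and subnet A). Where Router 2 sits and what lies beyond it is not stated on the page, so the example assumes Router 2 is on subnet A and leads to a subnet B that only a second hop reaches; it also generalizes to any hop count so you can see how the resource count grows before you raise the setting.

```python
# Constructed network. Router 2 on subnet A and subnet B behind it are assumptions
# added for this example; the rest follows the hop example in the text.
NETWORK = {
    "Router 1": {"10.1.10.0", "10.1.20.0", "10.1.30.0", "subnet A"},
    "Router 2": {"subnet A", "subnet B"},
}


def discover_topology(start_subnet, max_hops, routers=NETWORK):
    """Topology-only discovery from start_subnet limited to max_hops router hops.

    Routers on a reached subnet are found at the current hop; their other subnets
    are only reached if another hop is still allowed. Returns (routers, subnets).
    """
    subnets, found_routers, frontier = {start_subnet}, set(), {start_subnet}
    for hop in range(max_hops + 1):
        next_frontier = set()
        for subnet in sorted(frontier):
            for router, links in routers.items():
                if subnet in links and router not in found_routers:
                    found_routers.add(router)
                    if hop < max_hops:          # crossing the router uses the next hop
                        new = links - subnets
                        subnets |= new
                        next_frontier |= new
        frontier = next_frontier
    return found_routers, subnets


def growth_by_hop(start_subnet, up_to_hops, routers=NETWORK):
    """Total routers plus subnets discovered for each hop setting from 0 to up_to_hops."""
    return [
        len(r) + len(s)
        for r, s in (discover_topology(start_subnet, h, routers) for h in range(up_to_hops + 1))
    ]


if __name__ == "__main__":
    for hops in range(3):
        routers, subnets = discover_topology("10.1.10.0", hops)
        print(hops, "hop(s):", sorted(routers), sorted(subnets))
```

Feed `discover_topology` a map of your own routers and their attached subnets (from router configurations or a previous topology-only run) to estimate what a higher Maximum hops value will pull in before you change it.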
Discovery Data Records Created by Network Discovery
When Network Discovery discovers an object, it creates a discovery data record (DDR) for that
object. For Network Discovery to discover an object, it must identify the object IP address and
then identify its subnet mask. If Network Discovery cannot determine the subnet mask of an
object, it does not create a DDR.
Network Discovery uses the following methods to identify the subnet mask of an object:
Method: Router ARP cache
Details: Network Discovery queries the ARP cache of a router to find subnet information.
Limitation: Typically, data in a router ARP cache has a short time-to-live. When Network Discovery queries the ARP cache, the ARP cache might no longer contain information about the requested object.

Method: DHCP
Details: Network Discovery queries each DHCP server that you specify to discover the devices for which the DHCP server has provided a lease.
Limitation: Network Discovery supports only DHCP servers that run the Microsoft implementation of DHCP.

Method: SNMP Device
Details: Network Discovery can directly query an SNMP device.
Limitation: For Network Discovery to query a device, the device must have a local SNMP agent installed. You must also configure Network Discovery to use the community name that is being used by the SNMP agent.
Configuration Manager processes DDRs that are created by Network Discovery just as it
processes DDRs that are created by other discovery methods.
About Discovery Data Records
Discovery data records (DDRs) are files created by a discovery method that contain information
about a resource you can manage in Configuration Manager. DDRs contain information about
computers, users and in some cases, network infrastructure. They are processed at primary sites
or at central administration sites. After the resource information in the DDR is entered into the
database, the DDR is deleted and the information replicates as global data to all sites in the
hierarchy.
The site at which a DDR is processed depends on the information it contains:
 DDRs for newly discovered resources that are not in the database are processed at the top-
level site of the hierarchy. The top-level site creates a new resource record in the database
and assigns it a unique identifier. DDRs transfer by file-based replication until they reach the
top-level site.
 DDRs for previously discovered objects are processed at primary sites. Child primary sites do
not transfer DDRs to the central administration site when the DDR contains information about
a resource that is already in the database.
 Secondary sites do not process discovery data records and always transfer them by file-based replication to their parent primary site.
DDR files are identified by the .ddr extension, and have a typical size of about 1 KB.
Decide Where to Run Discovery
When you plan to use discovery in Configuration Manager, you must consider where to run each
discovery method.
After Configuration Manager adds discovery data to a database, it is quickly shared between all
sites in the hierarchy. Because there is no benefit to discovering the same information at multiple
sites in your hierarchy, consider configuring a single instance of each discovery method that you
use to run at a single site instead of running multiple instances of a single method at different
sites.
However, it can sometimes help to assign the same discovery method to run at multiple sites, each with a separate configuration and schedule. This is because at each site, all configurations for a single discovery method are evaluated every time that discovery method runs. If you do configure multiple instances of a single discovery method to run at different sites, plan the configuration of each carefully to avoid having two or more discovery processes discover the same resources. Discovering the same locations and resources at multiple sites consumes additional network bandwidth and creates duplicate DDRs for resources; these DDRs add no value but must still be processed by your site servers.
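Overlap between discovery instances is easy to introduce and hard to spot by eye, because an Active Directory container configured as recursive at one site silently covers every child OU another site has configured, and a large subnet enabled for Network Discovery at one site covers every smaller subnet enabled elsewhere. The following checker is an added example, not code from this documentation or from Configuration Manager, and it reads a constructed list of per-site discovery configurations rather than the site database. It reports each pair of sites whose scopes for the same method intersect, treating an LDAP container as overlapping another when it is the same container or when one is recursive and the other lies beneath it, and subnets as overlapping when their CIDR ranges intersect. The site codes, OUs and subnets are placeholders.

```python
import ipaddress

# Constructed sample: one discovery configuration per site and method.
SITE_DISCOVERY_CONFIGS = [
    {"site": "PS1", "method": "Active Directory System Discovery",
     "containers": [{"dn": "OU=Workstations,DC=corp,DC=example,DC=com", "recursive": True}]},
    {"site": "PS2", "method": "Active Directory System Discovery",
     "containers": [{"dn": "OU=Lab, OU=Workstations, DC=corp, DC=example, DC=com",
                     "recursive": False}]},
    {"site": "PS1", "method": "Network Discovery", "subnets": ["10.1.0.0/16"]},
    {"site": "SS1", "method": "Network Discovery", "subnets": ["10.1.20.0/24"]},
    {"site": "PS2", "method": "Network Discovery", "subnets": ["10.2.0.0/16"]},
]


def normalize_dn(dn):
    """Case-insensitive comparison form: lower-case RDNs with surrounding spaces removed."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(parent, child):
    """True when child is parent itself or lies anywhere beneath it in the directory."""
    p, c = normalize_dn(parent), normalize_dn(child)
    return c == p or c.endswith("," + p)


def containers_overlap(a, b):
    """Two container scopes discover some of the same objects when they are the same
    container, or when one is searched recursively and the other lies beneath it."""
    return (normalize_dn(a["dn"]) == normalize_dn(b["dn"])
            or (a["recursive"] and dn_under(a["dn"], b["dn"]))
            or (b["recursive"] and dn_under(b["dn"], a["dn"])))


def subnets_overlap(a, b):
    return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))


def find_overlaps(configs):
    """Return (site_a, site_b, method, scope_a, scope_b) for every pair of configurations
    of the same discovery method at different sites whose scopes intersect."""
    hits = []
    for i, a in enumerate(configs):
        for b in configs[i + 1:]:
            if a["method"] != b["method"] or a["site"] == b["site"]:
                continue
            if "subnets" in a:
                pairs = ((x, y) for x in a["subnets"] for y in b["subnets"]
                         if subnets_overlap(x, y))
            else:
                pairs = ((x["dn"], y["dn"]) for x in a["containers"] for y in b["containers"]
                         if containers_overlap(x, y))
            hits.extend((a["site"], b["site"], a["method"], x, y) for x, y in pairs)
    return hits


if __name__ == "__main__":
    for site_a, site_b, method, scope_a, scope_b in find_overlaps(SITE_DISCOVERY_CONFIGS):
        print(f"{method}: {site_a} ({scope_a}) overlaps {site_b} ({scope_b})")
```

Run the check whenever a discovery configuration is added or changed; each reported pair is a source of duplicate DDRs and extra bandwidth until one of the two scopes is narrowed.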
The following table identifies at which sites you can configure the different discovery methods.
Discovery method | Supported locations
Active Directory Forest Discovery | Central administration site; Primary site
Active Directory Group Discovery | Primary site
Active Directory System Discovery | Primary site
Active Directory User Discovery | Primary site
Heartbeat Discovery (1) | Primary site
Network Discovery | Primary site; Secondary site
(1) Secondary sites cannot configure Heartbeat Discovery but can receive the Heartbeat DDR from a client.
When secondary sites run Network Discovery, or receive Heartbeat Discovery DDRs, they
transfer the DDR by file-based replication to their parent primary site. This is because only
primary sites and central administration sites can process discovery data records (DDRs). For
more information about how DDRs are processed, see About Discovery Data Records in this
topic.
Consider the following when you plan where to run discovery:
 When you use an Active Directory Discovery method for systems, users, or groups:
 Run discovery at a site that has a fast network connection to your domain controllers.
 Consider the Active Directory replication topology to ensure discovery can access the
latest information.
 Consider the scope of the discovery configuration and limit discovery to only those Active
Directory locations and groups that you have to discover.
 If you use Network Discovery:
 Use a limited initial configuration to identify your network topography.
 After you identify your network topography, configure Network Discovery to run at specific
sites that are central to the network areas that you want to more fully discover.
 Because Heartbeat Discovery does not run at a specific site, you do not have to consider it in
general planning for where to run discovery.
 Because each site server and network environment is different, limit your initial discovery
configurations and closely monitor each site server for its ability to process the discovery data
that is generated.
Best Practices for Discovery
Use the following best practices information to help you use discovery in System Center 2012
Configuration Manager.
Run Active Directory System Discovery and Active Directory
User Discovery before you run Active Directory Group Discovery
When Active Directory Group Discovery identifies a previously undiscovered user or computer as a member of a group, it attempts to discover basic details for the user or computer. Because Active Directory Group Discovery is not optimized for this type of discovery, this process can cause Active Directory Group Discovery to run slowly. Additionally, Active Directory Group Discovery identifies only the basic details about the users and computers it discovers, and does not create a complete user or computer discovery record. When you run Active Directory System Discovery and Active Directory User Discovery, the additional Active Directory attributes for each object type are available, and as a result, Active Directory Group Discovery runs more efficiently.
When you configure Active Directory Group Discovery, only
specify groups that you use with Configuration Manager
To help control the use of resources by Active Directory Group Discovery, specify only those groups that you use with Configuration Manager. This is because Active Directory Group Discovery recursively searches each group it discovers for users, computers, and nested groups. The search of each nested group can expand the scope of Active Directory Group Discovery and reduce performance. Additionally, when you configure delta discovery for Active Directory Group Discovery, the discovery method monitors each group for changes. This further reduces performance when the method must search unnecessary groups.
Configure discovery methods with a longer interval between full
discovery, and a more frequent period of delta discovery
Because delta discovery uses fewer resources than a full discovery cycle, and can identify new or modified resources in Active Directory, when you use delta discovery you can reduce the frequency of full discovery cycles to one per week or less. Delta discovery for Active Directory System Discovery, Active Directory User Discovery and Active Directory Group Discovery identifies almost all changes to Active Directory objects and can maintain accurate discovery data for resources.
Run Active Directory discovery methods at the primary site that is closest on the network to your Active Directory domain controllers
To improve the performance of Active Directory discovery, run discovery at a primary site that has a fast network connection to your domain controllers. If you run the same Active Directory discovery method at multiple sites, configure each instance so that their scopes do not overlap. Unlike past versions of Configuration Manager, discovery data is shared between sites, so it is not necessary to discover the same information at multiple sites. For more information, see Decide Where to Run Discovery.
See Also
Planning for Configuration Manager Sites and Hierarchy
Planning for Client Settings in Configuration
Manager
Use client settings in System Center 2012 Configuration Manager to configure user and device
settings for the hierarchy. Client settings include configuration options such as the hardware
inventory and schedule, and the polling schedule for client policy.
All Configuration Manager clients in the hierarchy use the Default Client Settings that are
automatically created when you install Configuration Manager. However, you can modify the
default client settings and you can create custom client settings to override the default client
settings for specific users or devices.
When you create a set of custom client settings, you must assign it to one or more collections for
the settings to be applied to the collection members. If you apply multiple sets of custom client
settings to the same user or device, you can control the order in which these settings are applied
according to the order that you specify. Custom device or user settings with an Order value of 1
are always processed last and will override any other configurations. The Default Client Settings
has a permanent order of 10,000, which ensures it is always applied before any custom settings
are applied. When there is a conflict of settings, the client setting that was applied last (with the
lower order value) overrides any previous settings. You can view the resultant client settings for a
user or a device by using the System Center 2012 Configuration Manager reports.
You can create custom client settings at the central administration site or from any primary site in
the hierarchy. Custom settings replicate to all sites in the hierarchy.
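The precedence rule above (the default set at order 10,000 is applied first, custom sets are then applied from the highest order value down, and the set with order 1 is applied last and wins any conflict) is what a resultant-settings report computes for a given client. The following resolver is an added example, not code from this documentation or from Configuration Manager, and it works on a constructed default set and three constructed custom sets rather than on the site database; the setting names and collection names are placeholders. It returns both the resultant values and which set supplied each value, which is the question to answer when, for example, remote control is unexpectedly enabled on a server: the Server hardening set below only wins because its order value is lower than that of the set that enables remote control.

```python
DEFAULT_ORDER = 10000   # permanent order of the Default Client Settings

# Constructed sample: a default set and three custom sets assigned to collections.
DEFAULT_SETTINGS = {
    "remote_control_enabled": False,
    "policy_polling_minutes": 60,
    "hardware_inventory_enabled": True,
}
CUSTOM_SETTINGS = [
    {"name": "Helpdesk workstations", "order": 2, "collections": ["Helpdesk"],
     "settings": {"remote_control_enabled": True}},
    {"name": "Server hardening", "order": 1, "collections": ["Servers"],
     "settings": {"remote_control_enabled": False, "policy_polling_minutes": 15}},
    {"name": "Kiosks", "order": 3, "collections": ["Kiosks"],
     "settings": {"policy_polling_minutes": 240}},
]


def resolve_client_settings(default_settings, custom_settings, member_of):
    """Resultant settings for a client that is a member of the collections in member_of.

    The default set is applied first. Custom sets whose collections include the client
    are applied from the highest order value down, so the set with order 1 is applied
    last and overrides every earlier value. Returns (settings, provenance), where
    provenance names the set that supplied each value.
    """
    orders = [c["order"] for c in custom_settings]
    if len(set(orders)) != len(orders) or any(not 1 <= o < DEFAULT_ORDER for o in orders):
        raise ValueError("custom client settings need unique order values below 10000")
    applicable = [c for c in custom_settings if set(c["collections"]) & set(member_of)]
    result = dict(default_settings)
    provenance = {key: "Default Client Settings" for key in default_settings}
    for custom in sorted(applicable, key=lambda c: c["order"], reverse=True):
        for key, value in custom["settings"].items():
            result[key] = value
            provenance[key] = custom["name"]
    return result, provenance


if __name__ == "__main__":
    settings, source = resolve_client_settings(
        DEFAULT_SETTINGS, CUSTOM_SETTINGS, {"Helpdesk", "Servers"})
    for key in settings:
        print(f"{key} = {settings[key]}  (from {source[key]})")
```

A device that is in both the Helpdesk and Servers collections ends up with remote control disabled and a 15-minute polling interval from the order 1 set; a device only in Helpdesk gets remote control enabled with the default polling interval.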
For information about how to configure client settings, see How to Configure Client Settings in
Configuration Manager.
What’s New in Configuration Manager
Note
The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.
In Configuration Manager 2007, client agent settings are configured on a per-site basis and you
cannot configure these settings for the whole hierarchy. In System Center 2012
Configuration Manager, client agent settings and other client settings are grouped into centrally
configurable client settings objects that are applied at the hierarchy. To view and configure these,
modify the default client settings. If you need additional flexibility for groups of users or
computers, configure custom client settings and assign them to collections. For example, you can
configure remote control to be available only on specified collections of computers.
See Also
Planning for Configuration Manager Sites and Hierarchy
Planning for Site Systems in Configuration
Manager
System Center 2012 Configuration Manager uses site system roles to support operations at each
site. Computers that host the Configuration Manager site are named site servers, and computers
that host the other site system roles are named site system servers. The site server is also a site
system server.
Site system servers within the same site communicate with each other by using server message
block (SMB), HTTP, or HTTPS, depending on the site configuration selections that you make.
Because these communications are unmanaged and can occur at any time without network
bandwidth control, review your available network bandwidth before you install site system servers
and configure the site system roles.
At each site, you can install available site system roles on the site server or install one or more
site system roles on another site system server. Configuration Manager does not limit the number
of site system roles that you can run on a single site system server. However, Configuration
Manager does not support site system roles from different sites on the same site system server.
Additionally, Configuration Manager supports some site system roles only at specific sites in a
hierarchy, and some site system roles have other limitations as to where and when you can install
them.
Use the following sections to help you plan for site systems:
 Site System Roles in Configuration Manager
 Planning Where to Install Site System Roles in the Hierarchy
 Planning for Database Servers in Configuration Manager
 Planning for the SMS Provider in Configuration Manager
 Planning for Custom Websites with Configuration Manager
Site System Roles in Configuration Manager
When you install a site, several site system roles automatically are installed on the servers that
you specify during Setup. After a site is installed, you can install additional site system roles on
those servers or on additional computers that you decide to use as site system servers. The
following sections identify the default site system roles and the optional site system roles that are
available in Configuration Manager.
Default Site System Roles
When you install a Configuration Manager site, several default site system roles are automatically
installed for the site. These site system roles are required for the core operation of each site and
although some default site system roles can be moved to other servers, they cannot be removed
from the site. Additionally, some default site system roles are installed on additional site system
servers when you install optional site system roles.
The default site system roles are described in the following table.
Site system role: Configuration Manager site server
Description: The site server role is automatically installed on the server from which you run Configuration Manager Setup when you install a central administration site or primary site. When you install a secondary site, the site server role is installed on the server that you specify as the secondary site server.

Site system role: Configuration Manager site system
Description: Site systems are computers that provide Configuration Manager functionality to a site. Each site system hosts one or more site system roles. Most site system roles are optional, and you install them only if you have to use them for specific management tasks. Other site system roles are automatically installed on a site system and cannot be configured. This role is assigned during Configuration Manager site installation or when you add an optional site system role to another server.

Site system role: Configuration Manager component site system role
Description: Any site system that runs the SMS Executive service also installs the component site system role. This role is required to support other roles, such as a management point, and it is installed and removed with the other site system roles. This role is always assigned to the site server when you install Configuration Manager.

Site system role: Configuration Manager site database server
Description: The site database server is a computer that runs a supported version of Microsoft SQL Server, and it stores information for Configuration Manager sites, such as discovery data, hardware and software inventory data, and configuration and status information. Each site in the Configuration Manager hierarchy contains a site database and a server that is assigned the site database server role. You can install SQL Server on the site server, or you can reduce the CPU usage of the site server by installing SQL Server on a computer other than the site server. Secondary sites can use SQL Server Express instead of a full SQL Server installation. The site database can be installed on the default instance of SQL Server or on a named instance on a single computer that is running SQL Server. It can also be installed on a named instance on a SQL Server cluster. Typically, a site system server supports site system roles from a single Configuration Manager site only; however, you can use different instances of SQL Server on clustered or non-clustered servers running SQL Server to host the databases for different Configuration Manager sites. For this configuration, you must configure each instance of SQL Server to use different ports. This role is installed when you install Configuration Manager.

Site system role: SMS Provider
Description: The SMS Provider is the interface between the Configuration Manager console and the site database. This role is installed when you install a central administration site or primary site. Secondary sites do not install the SMS Provider. You can install the SMS Provider on the site server, on the site database server (unless the site database is hosted on a clustered instance of SQL Server), or on another computer. You can also move the SMS Provider to another computer after the site is installed, or install multiple SMS Providers on additional computers. To move or install additional SMS Providers for a site, run Configuration Manager Setup, select the option Perform site maintenance or reset the Site, click Next, and then on the Site Maintenance page, select the option Modify SMS Provider configuration.
Note: The SMS Provider is only supported on computers that are in the same domain as the site server.
Optional Site System Roles
Optional site system roles are site system roles that are not required for the core operation of a
Configuration Manager site. However, by default, the management point and distribution point,
which are optional site system roles, are installed on the site server when you install a primary or
secondary site. Although these two site system roles are not required for the core operation of the
site, you must have at least one management point to support clients at those locations. After you
install a site, you can move the default location of the management point or distribution point to
another server, install additional instances of each site system role, and install other optional site
system roles to meet your business requirements.
The optional site system roles are described in the following table.
Site system role: Application Catalog web service point
Description: A site system role that provides software information to the Application Catalog website from the Software Library.

Site system role: Application Catalog website point
Description: A site system role that provides users with a list of available software from the Application Catalog.

Site system role: Asset Intelligence synchronization point
Description: A site system role that connects to System Center Online to download Asset Intelligence catalog information and upload uncategorized titles so that they can be considered for future inclusion in the catalog. This site system role can only be installed on the central administration site or a stand-alone primary site. For more information about planning for Asset Intelligence, see Prerequisites for Asset Intelligence in Configuration Manager.

Site system role: Distribution point
Description: A site system role that contains source files for clients to download, such as application content, software packages, software updates, operating system images, and boot images. You can control content distribution by using bandwidth, throttling, and scheduling options. For more information, see Planning for Content Management in Configuration Manager.

Site system role: Fallback status point
Description: A site system role that helps you monitor client installation and identify the clients that are unmanaged because they cannot communicate with their management point.

Site system role: Management point
Description: A site system role that provides policy and service location information to clients and receives configuration data from clients. You must install at least one management point at each primary site that manages clients, and at each secondary site where you want to provide a local point of contact for clients to obtain computer and user policies.

Site system role: Endpoint Protection point
Description: A site system role that Configuration Manager uses to accept the Endpoint Protection license terms and to configure the default membership for Microsoft Active Protection Service.

Site system role: Enrollment point
Description: A site system role that uses PKI certificates to complete mobile device enrollment and to provision Intel AMT-based computers.

Site system role: Enrollment proxy point
Description: A site system role that manages enrollment requests from mobile devices so that they can be managed by Configuration Manager. This role provides Configuration Manager full management of mobile devices. To manage mobile devices that Configuration Manager cannot enroll but that connect to Microsoft Exchange Server, use the Exchange Server connector.

Site system role: Out of band service point
Description: A site system role that provisions and configures Intel AMT-based computers for out of band management.

Site system role: Reporting services point
Description: A site system role that integrates with SQL Server Reporting Services to create and manage reports for Configuration Manager. For more information, see Planning for Reporting in Configuration Manager.

Site system role: Software update point
Description: A site system role that integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients. For more information, see Planning for Software Updates in Configuration Manager.

Site system role: State migration point
Description: A site system role that stores user state data when a computer is migrated to a new operating system. For more information about storing user state when you deploy an operating system, see How to Manage the User State in Configuration Manager.

Site system role: System Health Validator point
Description: A site system role that validates Configuration Manager Network Access Protection (NAP) policies. It must be installed on a NAP health policy server.
Planning Where to Install Site System Roles in the Hierarchy
Before you install site system roles, identify the site types that can or cannot support specific site
system roles, and how many instances of each site system role you can install at a site or across
a hierarchy.
You can install some site system roles at only the top-level site in a hierarchy. A top-level site can
be a central administration site of a multi-primary site hierarchy or a stand-alone primary site if
your hierarchy consists of a single primary site with one or more secondary child sites.
Additionally, some site system roles support only a single instance per hierarchy. However, most
site system roles support multiple instances across the hierarchy and at individual sites.
Site System Role Placement in the Hierarchy
Use the following table to identify the site system roles that you can install at each type of site in a
System Center 2012 Configuration Manager hierarchy, and whether the site system role provides
functionality for its site only, or for the entire hierarchy. You can install any supported site system
role on the site server computer or on a remote site system server at a central administration site
or primary site. At a secondary site, only the distribution point is supported on a remote site
system server.
Site system role                              Central          Child          Stand-alone    Secondary   Site-specific or
                                              administration   primary site   primary site   site        hierarchy-wide option
                                              site
Application Catalog web service point         No               Yes            Yes            No          Hierarchy
Application Catalog website point             No               Yes            Yes            No          Hierarchy
Asset Intelligence synchronization point (1)  Yes              No             Yes            No          Hierarchy
Distribution point (2, 5)                     No               Yes            Yes            Yes         Site
Fallback status point                         No               Yes            Yes            No          Hierarchy
Management point (2, 3, 5)                    No               Yes            Yes            Yes         Site
Endpoint Protection point                     Yes              No             Yes            No          Hierarchy
Enrollment point                              No               Yes            Yes            No          Site
Enrollment proxy point                        No               Yes            Yes            No          Site
Out of band service point                     No               Yes            Yes            No          Site
Reporting services point                      Yes              Yes            Yes            No          Hierarchy
Software update point (4, 5)                  Yes              Yes            Yes            Yes         Site
State migration point (5)                     No               Yes            Yes            Yes         Site
System Health Validator point                 Yes              Yes            Yes            No          Hierarchy
1. Configuration Manager supports only a single instance of this site system role in a hierarchy.
2. By default, when you install a secondary site, a management point and a distribution point are installed on the secondary site server.
3. This role is required to support clients in Configuration Manager. Secondary sites do not support more than one management point, and this management point cannot support mobile devices that are enrolled by Configuration Manager. For more information about the site system roles that support clients in Configuration Manager, see Determine the Site System Roles for Client Deployment in Configuration Manager.
4. When your hierarchy contains a central administration site, install a software update point at this site that synchronizes with Windows Server Update Services (WSUS) before you install a software update point at any child primary site. When you install a software update point at a child primary site, configure it to synchronize with the software update point at the central administration site.
5. At a secondary site, all site system roles must be located on the site server computer. The only exception is the distribution point. Secondary sites support installing distribution points on the site server computer and on remote computers.
Considerations for Placement of Site System Roles
Use the following table to help you decide where to install the site system roles.
Application Catalog website point: When the Application Catalog supports client computers on the Internet, as a security best practice, install the Application Catalog website point in a perimeter network and the Application Catalog web service point on the intranet.
Asset Intelligence synchronization point: Configuration Manager supports a single instance of this site system role in a hierarchy and only at the top-level site in the hierarchy.
Endpoint Protection point: Configuration Manager supports a single instance of this site system role in a hierarchy and only at the top-level site in the hierarchy.
Enrollment point: If a user enrolls mobile devices by using Configuration Manager and their Active Directory account is in a forest that is untrusted by the site server's forest, you must install an enrollment point in the user's forest so that the user can be authenticated.
Enrollment proxy point: When you support mobile devices on the Internet, as a security best practice, install the enrollment proxy point in a perimeter network and the enrollment point on the intranet.
Fallback status point: Although you can install more than one fallback status point in a primary site, clients can be assigned to only one fallback status point, and this assignment occurs during client installation:
• If you install clients by using client push installation, the first fallback status point that is installed for the site is automatically assigned to clients.
• If you have two fallback status points in the site so that one fallback status point accepts client connections from the Internet (for example, it is in a perimeter network), and the other fallback status point accepts client connections on the intranet only, assign the Internet-based clients to the Internet-based fallback status point.
Out of band service point: Install this site system to support out of band management for Intel AMT-based computers. In Configuration Manager, this site system must be installed in a primary site that also contains the enrollment point. The out of band service point cannot provision AMT-based computers in a different forest.
Software update point: Install this site system in the central administration site to synchronize with Windows Server Update Services and in all primary sites that use the Software Updates feature. Also consider installing a software update point in secondary sites when data transfer across the network is slow.
State migration point: Install this site system role in either a primary site or a secondary site. Consider installing a state migration point in secondary sites when data transfer across the network is slow.
Reporting services point: Install this site system role in the central administration site and at any primary site.
Note
A reporting services point installed in a primary site rather than a central administration site can display data from that primary site only.
Distribution point: Install this site system role in primary sites and secondary sites to distribute software to clients by using Background Intelligent Transfer Service (BITS), Windows BranchCache, multicast for operating system deployment, and streaming for application virtualization.
Planning for Database Servers in Configuration Manager
The site database server is a computer that runs a supported version of Microsoft SQL Server
that stores information for Configuration Manager sites. Each site in a System Center 2012
Configuration Manager hierarchy contains a site database and a server that is assigned the site
database server role. For central administration sites and primary sites, you can install
SQL Server on the site server, or you can install SQL Server on a computer other than the site
server. For secondary sites, you can use SQL Server Express instead of a full SQL Server
installation; however, the database server must be co-located with the site server.
You can install the site database on the default instance of SQL Server, a named instance on a
single computer running SQL Server, or on a named instance on a clustered instance of
SQL Server.
Typically, a site system server supports site system roles from only a single Configuration
Manager site; however, you can use different instances of SQL Server, on clustered or non-
clustered servers running SQL Server, to host a database from different Configuration Manager
sites. To support databases from different sites, you must configure each instance of SQL Server
to use unique ports for communication.
SQL Server Configurations for Database Servers
To successfully configure a SQL Server installation for use as a Configuration Manager site
database server, ensure that the following required SQL Server configurations are specified.
Also, be familiar with the optional configurations and planning for service principal names (SPNs),
database server location planning, and how to modify the database configuration after a site has
completed installation.
Prerequisites for Database Servers
Before you specify a computer to host the site database for any site, ensure that it meets the
prerequisites for database servers. Before installing SQL Server, you must be familiar with the
Configurations for the SQL Server Site Database section of the Supported Configurations for
Configuration Manager topic.
Database Server Locations
At a central administration site and at primary sites, you can co-locate the database server on the
site server, or place it on a remote server. At secondary sites, the database server is always co-
located on the secondary site server.
If you use a remote database server computer, ensure the intervening network connection is a high-availability, high-bandwidth network connection. This is because the site server and some site system roles must constantly communicate with the SQL Server that is hosting the site database.
Consider the following when you select a remote database server location:
• The amount of bandwidth required for communications to the database server depends upon a combination of many different site and client configurations; therefore, the actual bandwidth required cannot be adequately predicted.
• Each computer that runs the SMS Provider and that connects to the site database increases network bandwidth requirements.
• The computer that runs SQL Server must be located in a domain that has a two-way trust with the site server and all computers running the SMS Provider.
• You cannot use a clustered SQL Server for the site database server when the site database is co-located with the site server.
SQL Server Service Principal Names
A Service Principal Name (SPN) for the Configuration Manager site database server must be
registered in Active Directory Domain Services for the SQL Server service account. The
registered SPN lets SQL clients identify and authenticate the service by using Kerberos
authentication.
When you configure SQL Server to use the local system account to run SQL Server services, the
SPN is automatically created in Active Directory Domain Services. When a local domain user
account is in use, you must manually register the SPN for the account. Without registering the
SPN for the SQL Server service account, SQL clients and other site systems are not able to
perform Kerberos authentication, and communication to the database might fail.
Important
Running the SQL Server service by using the local system account of the computer running SQL Server is not a SQL Server best practice. For the most secure operation of SQL Server site database servers, configure a low-rights domain user account to run the SQL Server service.
For information about how to register the SPN when you use a domain user account, see How to
Manage the SPN for SQL Server Site Database Servers in this documentation library.
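An added PowerShell example, not part of the Configuration Manager documentation, that verifies the SPN requirement described above before Kerberos failures surface: it compares the MSSQLSvc SPNs registered for the SQL Server service account with the ones a site database server needs, and then confirms from inside SQL Server which authentication scheme a connection actually negotiated. The account name, server name, port and the use of the SqlServer module (Invoke-Sqlcmd) are assumptions.

```powershell
# Added example (not Microsoft's code). Assumed values, replace for your environment:
$ServiceAccount = 'CONTOSO\svc-sql'      # low-rights domain account that runs the SQL Server service
$SqlHostFqdn    = 'sqlsite.contoso.com'   # site database server (FQDN)
$SqlPort        = 1433                    # use the unique port assigned when several instances share one host

# 1. The SPNs a SQL Server service account needs: MSSQLSvc/<FQDN> and MSSQLSvc/<FQDN>:<port>.
#    When the service runs as Local System these are registered automatically; for a domain
#    user account someone must register them, and this check finds out whether that happened.
$expected = @("MSSQLSvc/$SqlHostFqdn", "MSSQLSvc/${SqlHostFqdn}:$SqlPort")

# 2. setspn.exe ships with Windows; -L lists the SPNs registered on an account, one per
#    indented line after a header line.
$registered = (setspn -L $ServiceAccount) |
    Where-Object { $_ -match '^\s+MSSQLSvc/' } |
    ForEach-Object { $_.Trim() }

# 3. Report missing SPNs. Registering them needs permission to write the account's
#    servicePrincipalName attribute, so only print the commands here instead of running them.
#    setspn -S checks for duplicate SPNs in the forest before adding one.
$missing = $expected | Where-Object { $registered -notcontains $_ }
if ($missing) {
    Write-Warning "SPNs missing for $ServiceAccount : $($missing -join ', ')"
    Write-Warning "Without them SQL clients and site systems cannot use Kerberos to reach the site database."
    Write-Host   "Register them from an account with the required directory permission:"
    $missing | ForEach-Object { Write-Host "  setspn -S $_ $ServiceAccount" }
} else {
    Write-Host "All expected MSSQLSvc SPNs are registered for $ServiceAccount."
}

# 4. Ask the instance which scheme this session negotiated. sys.dm_exec_connections.auth_scheme
#    reports KERBEROS or NTLM, so a correct SPN shows up as KERBEROS here.
$row = Invoke-Sqlcmd -ServerInstance "$SqlHostFqdn,$SqlPort" -Database master `
    -Query 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
if ($row.auth_scheme -ne 'KERBEROS') {
    Write-Warning "Connection to $SqlHostFqdn negotiated $($row.auth_scheme), not Kerberos; review the SPNs above."
} else {
    Write-Host "Connection to $SqlHostFqdn authenticated with Kerberos."
}
```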
About Modifying the Database Configuration
After you install a site, you can manage the configuration of the site database and site database
server by running Setup on a central administration site server or primary site server. It is not
supported to manage the database configuration for a secondary site.
For more information about modifying the site database configuration, see Modify the Site
Database Configuration in this documentation library.
About Modifying the Database Server Alert Threshold
By default, Configuration Manager generates alerts when free disk space on a site database
server is low. The defaults are set to generate a warning when there is 10 GB or less of free disk
space, and a critical alert when there is 5 GB or less of free disk space. You can modify these
values or disable alerts for each site.
To change these settings:
1. In the Administration workspace, expand Site Configuration, and then click Sites.
2. Select the site that you want to configure and open that site’s Properties.
3. In the site’s Properties dialog box, select the Alert tab, and then edit the settings.
4. Click OK to close the site properties dialog box.
Planning for the SMS Provider in Configuration Manager
The SMS Provider is a Windows Management Instrumentation (WMI) provider that assigns read
and write access to the Configuration Manager database at a site. The SMS Admins group
provides access to the SMS Provider and Configuration Manager automatically creates this
security group on the site server and on each SMS Provider computer. You must have at least
one SMS Provider in each central administration site and primary site. These sites also support
the installation of additional SMS Providers. Secondary sites do not install the SMS Provider.
The Configuration Manager console, Resource Explorer, tools, and custom scripts use the
SMS Provider so that Configuration Manager administrative users can access information that is
stored in the database. The SMS Provider does not interact with Configuration Manager clients.
The SMS Provider helps enforce Configuration Manager security. It returns only the information
that the administrative user who is running the Configuration Manager console is authorized to
view.
Important
When each computer that holds an SMS Provider for a site is offline, Configuration Manager consoles cannot connect to that site's database.
Use the following sections in this topic to plan for the SMS Provider. For information about how to manage the SMS Provider, see Manage the SMS Provider Configuration for a Site.
SMS Provider Prerequisites
Before you install the SMS Provider on a computer, ensure that the computer meets the following prerequisites:
• The computer must be in a domain that has a two-way trust with the site server and the site database site systems.
• The computer cannot have a site system role from a different site.
• The computer cannot have an SMS Provider from any site.
• The computer must run an operating system that is supported for a site server.
• The computer must have at least 650 MB of free disk space to support the Windows Automated Installation Kit (Windows AIK) components that are installed with the SMS Provider. For more information about Windows AIK and the SMS Provider, see the Windows Automated Installation Kit Requirements for the SMS Provider section in this topic.
About SMS Provider Locations
When you install a site, the installation automatically installs the first SMS Provider for the site.
You can specify any of the following supported locations for the SMS Provider:
• The site server computer
• The site database computer
• A server-class computer that does not hold an SMS Provider, or a site system role from a different site
Each SMS Provider supports simultaneous connections from multiple requests. The only
limitations on these connections are the number of server connections that are available on the
SMS Provider computer, and the available resources on the SMS Provider computer to service
the connection requests.
After a site is installed, you can run Setup on the site server again to change the location of an
existing SMS Provider, or to install additional SMS Providers at that site. You can install only one
SMS Provider on a computer, and a computer cannot install an SMS Provider from more than
one site.
Use the following table to identify the advantages and disadvantages of installing an
SMS Provider on each supported location.
Location: Configuration Manager site server
Advantages:
• The SMS Provider does not use the system resources of the site database computer.
• This location can provide better performance than an SMS Provider located on a computer other than the site server or site database computer.
Disadvantages:
• The SMS Provider uses system and network resources that could be dedicated to site server operations.
Location: SQL Server that is hosting the site database
Advantages:
• The SMS Provider does not use site system resources on the site server.
• This location can provide the best performance of the three locations, if sufficient server resources are available.
Disadvantages:
• The SMS Provider uses system and network resources that could be dedicated to site database operations.
• This location is not an option when the site database is hosted on a clustered instance of SQL Server.
Location: Computer other than the site server or site database computer
Advantages:
• The SMS Provider does not use site server or site database computer resources.
• This type of location lets you deploy additional SMS Providers to provide high availability for connections.
Disadvantages:
• The SMS Provider performance might be reduced due to the additional network traffic that is required to coordinate with the site server and the site database computer.
• This server must be always accessible to the site database computer and all computers with the Configuration Manager console installed.
• This location can use system resources that would otherwise be dedicated to other services.
To view the locations of each SMS Provider that is installed at a site, view the General tab of the
site Properties dialog box.
About SMS Provider Languages
The SMS Provider operates independently of the display language of the computer where it is
installed.
When an administrative user or Configuration Manager process requests data by using the
SMS Provider, the SMS Provider attempts to return that data in a format that matches the
operating system language of the requesting computer. The SMS Provider does not translate
information from one language to another. Instead, when data is returned for display in the
Configuration Manager console, the display language of the data depends on the source of the
object and type of storage.
When data for an object is stored in the database, the languages that will be available depend on
the following:
• Objects that Configuration Manager creates are stored in the database by using support for multiple languages. The object is stored by using the languages that are configured at the site where the object is created when you run Setup. These objects are displayed in the Configuration Manager console in the display language of the requesting computer, when that language is available for the object. If the object cannot be displayed in the display language of the requesting computer, it is displayed in the default language, which is English.
• Objects that an administrative user creates are stored in the database by using the language that was used to create the object. These objects display in the Configuration Manager console in this same language. They cannot be translated by the SMS Provider and do not have multiple language options.
About Multiple SMS Providers
After a site completes installation, you can install additional SMS Providers for the site. To install
additional SMS Providers, run Configuration Manager Setup on the site server. Consider
installing additional SMS Providers when any of the following is true:
• You will have a large number of administrative users that run a Configuration Manager console and connect to a site at the same time.
• You will use the Configuration Manager SDK, or other products, that might introduce frequent calls to the SMS Provider.
• You want to ensure high availability for the SMS Provider.
When multiple SMS Providers are installed at a site and a connection request is made, the site non-deterministically assigns each new connection request to use an installed SMS Provider. You cannot specify the SMS Provider location to use with a specific connection session.
Note
Consider the advantages and disadvantages of each SMS Provider location and balance these considerations with the information that you cannot control which SMS Provider will be used for each new connection.
For example, when you first connect a Configuration Manager console to a site, the site assigns
the connection to use a specific SMS Provider. This SMS Provider remains in use by the
Configuration Manager console until the session ends. If the session ends because the
SMS Provider computer becomes unavailable on the network, when you reconnect the
Configuration Manager console the site will non-deterministically assign an SMS Provider
computer to the new connection session. It is possible to be assigned to same SMS Provider
computer that is not available. If this occurs, you can attempt to reconnect the Configuration
Manager console until an available SMS Provider computer is assigned.
About the SMS Admins Group
You use the SMS Admins group to provide administrative users access to the SMS Provider. The
group is automatically created on the site server when the site installs, and on each computer that
installs an SMS Provider. Additional information about the SMS Admins group:
• When the computer is a member server, the SMS Admins group is created as a local group.
• When the computer is a domain controller, the SMS Admins group is created as a domain local group.
• When the SMS Provider is uninstalled from a computer, the SMS Admins group is not removed from the computer.
Before a user can make a successful connection to an SMS Provider, their user account must be
a member of the SMS Admins group. Each administrative user that you configure in the
Configuration Manager console is automatically added to the SMS Admins group on each site
server and to each SMS Provider computer in the hierarchy. When you delete an administrative
user from the Configuration Manager console, that user is removed from the SMS Admins group
on each site server and on each SMS Provider computer in the hierarchy.
After a user makes a successful connection to the SMS Provider, role-based administration
determines what Configuration Manager resources that user can access or manage.
You can view and configure SMS Admins group rights and permissions by using the WMI Control MMC snap-in. By default, Everyone has Execute Methods, Provider Write, and Enable Account permissions. After a user connects to the SMS Provider, that user is granted access to data in the site database based on their role-based administrative security rights as defined in the Configuration Manager console. The SMS Admins group is explicitly granted Enable Account and Remote Enable on the Root\SMS namespace.
Note
Each administrative user who uses a remote Configuration Manager console requires Remote Activation DCOM permissions on the site server computer and on the SMS Provider computer. Although you can grant these rights to any user or group, as a best practice, grant them to the SMS Admins group to simplify administration. For more information, see the Configure DCOM Permissions for Remote Configuration Manager Console Connections section in the Manage Site and Hierarchy Configurations topic.
About the SMS Provider Namespace
The structure of the SMS Provider is defined by the WMI schema. Schema namespaces describe
the location of Configuration Manager data within the SMS Provider schema. The following table
contains some of the common namespaces that are used by the SMS Provider.
Root\SMS\site_<site code>: The SMS Provider, which is extensively used by the Configuration Manager console, Resource Explorer, Configuration Manager tools, and scripts.
Root\SMS\SMS_ProviderLocation: Provides the location of the SMS Provider computers for a site.
Root\CIMv2: Location inventoried for WMI namespace information during hardware and software inventory.
Root\CCM: Configuration Manager client configuration policies and client data.
root\CIMv2\SMS: Location of inventory reporting classes that are collected by the inventory client agent. These settings are compiled by clients during computer policy evaluation and are based on the client settings configuration for the computer.
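An added PowerShell example, not Microsoft's code, that ties the SMS Admins group section and the namespace table together: it locates the SMS Providers of a site through Root\SMS\SMS_ProviderLocation, reads the administrative users defined for the site, and then flags any member of SMS Admins on a provider computer who is not one of those users, since such a member has provider access that the console does not show. The site server name is assumed, as are the SMS_Admin class of the site namespace and its LogonName and RoleNames properties, which this page does not describe; the account running the script must itself be a member of SMS Admins.

```powershell
# Added example (not Microsoft's code). Assumed value, replace for your environment:
$SiteServer = 'cm01.contoso.com'

# 1. Find the SMS Provider computers for the site. SMS_ProviderLocation lives in Root\SMS
#    (see the namespace table). Get-CimInstance uses WinRM; Get-WmiObject would use DCOM.
$providers = Get-CimInstance -ComputerName $SiteServer -Namespace 'root\SMS' `
    -ClassName SMS_ProviderLocation
if (-not $providers) {
    throw "No SMS Provider location returned by $SiteServer; the calling account may not be in SMS Admins."
}
$siteCode      = ($providers | Select-Object -First 1).SiteCode
$providerHosts = $providers | ForEach-Object { $_.Machine } | Sort-Object -Unique
Write-Host "Site $siteCode has SMS Providers on: $($providerHosts -join ', ')"

# 2. Administrative users as defined in the console are stored in Root\SMS\site_<site code>.
#    SMS_Admin with LogonName/RoleNames is assumed here; LogonName is in DOMAIN\user form.
$adminUsers = Get-CimInstance -ComputerName $providerHosts[0] -Namespace "root\SMS\site_$siteCode" `
    -ClassName SMS_Admin | Select-Object LogonName, RoleNames
$expected = @($adminUsers | ForEach-Object { $_.LogonName.ToLower() })

# 3. On each provider computer, list SMS Admins. Configuration Manager adds every console
#    administrative user to this group itself, so anything else in it was added by hand and
#    deserves review. On a domain controller the group is a domain local group, where
#    Get-LocalGroupMember does not apply; use Get-ADGroupMember 'SMS Admins' there instead.
foreach ($h in $providerHosts) {
    $members = Invoke-Command -ComputerName $h -ScriptBlock {
        Get-LocalGroupMember -Group 'SMS Admins' | Select-Object -ExpandProperty Name
    }
    foreach ($m in $members) {
        if ($expected -notcontains $m.ToLower()) {
            Write-Warning "$h : '$m' is in SMS Admins but is not a Configuration Manager administrative user."
        }
    }
}
```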
Windows Automated Installation Kit Requirements for the SMS Provider
The Windows Automated Installation Kit (Windows AIK) installs as a component of the
SMS Provider, which enables you to use operating system deployment task functions by using
the Configuration Manager console.
When you manage operating system deployments, the Windows AIK allows the SMS Provider to
complete various tasks, which include the following:
• View WIM file details
• Add driver files to existing boot images
• Create boot .ISO files
The Windows AIK installation can require up to 650 MB of free disk space on each computer that
installs the SMS Provider. This high disk space requirement accommodates the installation of
Windows PE boot images.
Planning for Custom Websites with Configuration Manager
Configuration Manager site system roles that require Microsoft Internet Information Services (IIS)
also require a website to host the site system services. By default, site systems use the IIS
website named Default Web Site on a site system server. However, you can use a custom
website that has the name of SMSWEB. This option might be appropriate if you must run other
web applications on the same server and their settings are either incompatible with Configuration
Manager, or you want the additional resilience of using a separate website. In this scenario, these
other applications continue to use the default IIS website, and Configuration Manager operations
use the custom website.
Important
When you run other applications on a Configuration Manager site system, you increase the attack surface on that site system. As a security best practice, dedicate a server for the Configuration Manager site systems that require IIS.
You can use custom websites on all primary sites. When you use a custom website at a site, all
client communications within the site are directed to use the custom website named SMSWEB on
each site system instead of the default website on IIS. Additionally, site system roles that use IIS
but do not accept client connections, such as the reporting services point, also use the SMSWEB
website instead of the default website. For more information about which site systems require IIS,
see Supported Configurations for Configuration Manager.
Before you configure a Configuration Manager site to use a custom website, you must manually
create the custom website in IIS on each site system server that requires Internet Information
Services (IIS) at that site. Because secondary sites are automatically configured to use a custom
website when you enable this option on the parent site, you must also create a custom website in
IIS on each secondary site system server that requires IIS.
If you enable custom websites for one site, consider using custom websites for all sites in your
hierarchy to ensure that clients can successfully roam within the hierarchy.
Note
When you select or clear the check box to use a custom website for a site, the following site system roles that are installed on each site system server in the site are automatically uninstalled and reinstalled:
• Management point
• Distribution point
• Software update point
• Fallback status point
• State migration point
Site System Roles That Can Use Custom Websites
The following Configuration Manager site system roles require IIS and use the default or custom
website on the site system server:
• Application Catalog web service point
• Application Catalog website point
• Distribution point
• Enrollment point
• Enrollment proxy point
• Fallback status point
• Management point
• Software update point
• State migration point
Custom Website Ports
When you create a custom website, you must assign port numbers to the custom website that
differ from the port numbers that the default website uses. The default website and the custom
website cannot run at the same time if both sites are configured to use the same TCP/IP ports.
After the site system roles are reinstalled, verify that the TCP/IP ports configured in IIS for the
custom website match the client request ports for the site.
For information about how to configure ports for client communication, see How to Configure
Client Communication Port Numbers in Configuration Manager.
Switching Between Default Websites and Custom Websites
Although you can select or clear the check box to use a custom website at any time, if possible,
configure this option as soon as the site is installed to minimize any disruptions to service
continuity. When you make this site configuration change, plan for the site system roles that are
automatically uninstalled and reinstalled with the new website and port configuration. You must
also plan to manually uninstall and reinstall any site system roles that are not automatically
reinstalled to use the new website and port configuration.
When you change from using the default website to use a custom website, Configuration
Manager does not automatically remove the old virtual directories. If you want to remove the files
that Configuration Manager used, you must manually delete the virtual directories that were
created under the default website.
If you change the site option to use a custom website, clients that are assigned to the site must
be configured to use the client request port that matches the new website port. For information
about how to configure ports for client communication, see How to Configure Client
Communication Port Numbers in Configuration Manager.
How to Create the Custom Website in Internet Information Services (IIS)
To use a custom website for a site, you must perform the following actions before you enable the
option to use a custom website in Configuration Manager:
• Create the custom website in IIS for each site system server that requires IIS in the primary site and any child secondary sites.
• Name the custom website SMSWEB.
• Configure the custom website to respond to the same port that you configure for Configuration Manager client communication.
Important
When you change from using the default website and use a custom website, Configuration Manager adds the client request ports that are configured on the default website to the custom website. Configuration Manager does not remove these ports from the default website, and the ports are listed for both the default and custom website. IIS cannot start both websites when they are configured to operate on the same TCP/IP ports, and clients cannot contact the management point.
Use the information in the following procedures to help you configure the custom websites in IIS.
Note
The following procedures are for Internet Information Services (IIS) 7.0 on Windows Server 2008 R2. If you cannot use these procedures because your server has a different operating system version, refer to the IIS documentation for your operating system version.
To create a custom website in Internet Information Services (IIS)
1. On the computer that runs the Configuration Manager site system, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the Internet Information Services (IIS) Manager console, in the Connections pane, right-click the Sites node to select Add Web Site.
3. In the Add Web Site dialog box, enter SMSWEB in the Site name box.
Important
SMSWEB is the required name for Configuration Manager custom websites.
4. In the Physical path box, specify the physical path to use for the website folder.
5. Specify the protocol and custom port for this website.
• After you create the website, you can edit it to add additional website bindings for additional protocols.
• When you configure the HTTPS protocol, you must specify an SSL certificate before you can save the configuration.
6. Click OK to create the custom website.
Remove the custom website ports from the default website in Internet Information Services (IIS)
1. In the Internet Information Services (IIS) Manager, edit the Bindings of the IIS website that has the duplicate ports (Default Web Site). Remove the ports that match the ports that are assigned to the custom website (SMSWEB).
2. Start the website (SMSWEB).
3. Restart the SMS_SITE_COMPONENT_MANAGER service on the site server.
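The two procedures above as one scripted sequence, added here as an example and not part of the Microsoft documentation: it creates the SMSWEB site, removes every port it shares with the Default Web Site, refuses to start SMSWEB while any port is still shared (the condition the Important note describes), and then restarts the site component manager. The client request ports and the physical path are assumed values; the WebAdministration module that ships with IIS 7.x and an elevated prompt on the site system server are required.

```powershell
# Added example (not Microsoft's procedure). Assumed values, replace for your site:
Import-Module WebAdministration
$SiteName  = 'SMSWEB'              # required name for Configuration Manager custom websites
$HttpPort  = 8080                  # assumed client request port for HTTP
$HttpsPort = 8443                  # assumed client request port for HTTPS
$Path      = 'C:\inetpub\SMSWEB'   # assumed physical path for the website folder

# Helper: the port of an IIS binding ("*:8080:" -> "8080").
function Get-BindingPort($binding) { ($binding.bindingInformation -split ':')[1] }

# 1. Create the website with its HTTP binding, then add HTTPS as a second binding.
#    Get-Website is filtered explicitly because -Name does not filter on every IIS 7.x build.
if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
if (-not (Get-Website | Where-Object { $_.Name -eq $SiteName })) {
    New-Website -Name $SiteName -PhysicalPath $Path -Port $HttpPort | Out-Null
    New-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort
    Write-Host "Assign an SSL certificate to the https binding on port $HttpsPort before clients use it."
}

# 2. Remove from the Default Web Site every port that SMSWEB now binds. Configuration Manager
#    copies the client request ports to SMSWEB but leaves them on the default website, and IIS
#    cannot start two sites on the same TCP/IP port.
$smswebPorts = @(Get-WebBinding -Name $SiteName | ForEach-Object { Get-BindingPort $_ })
foreach ($b in Get-WebBinding -Name 'Default Web Site') {
    $port = Get-BindingPort $b
    if ($smswebPorts -contains $port) {
        Write-Host "Removing $($b.protocol) binding on port $port from Default Web Site"
        Remove-WebBinding -Name 'Default Web Site' -Protocol $b.protocol -Port $port
    }
}

# 3. Verify before starting: stop here if any port is still shared between the two sites.
$conflict = Get-WebBinding -Name 'Default Web Site' |
    Where-Object { $smswebPorts -contains (Get-BindingPort $_) }
if ($conflict) { throw "Default Web Site still binds a port used by $SiteName; not starting it." }

Start-Website -Name $SiteName
Restart-Service -Name SMS_SITE_COMPONENT_MANAGER
Write-Host "$SiteName started on ports $($smswebPorts -join ', '); verify they match the site's client request ports."
```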
See Also
Planning for Configuration Manager Sites and Hierarchy
Planning for Content Management in Configuration Manager
Content management in System Center 2012 Configuration Manager provides the tools for you to
manage content files for applications, packages, software updates, and operating system
deployment. Configuration Manager uses distribution points to store files required for software to
run on client computers. These distribution points function as distribution centers for the content
files and let users download and run the software. Clients must have access to at least one
distribution point from which they can download the files.
Use the following sections in this topic to help you plan how to manage content in your
Configuration Manager hierarchy:
 Plan for Distribution Points
 Distribution Point Configurations
 Planning for Preferred Distribution Points and Fallback
 Content Source Location
 Network Connection Speed to the Content Source Location
 On-Demand Content Distribution
 Content Source Location Scenarios
 Planning for BranchCache Support
 Network Bandwidth Considerations for Distribution Points
 Planning for Scheduling and Throttling
 Determine Whether To Prestage Content
 Determine the Distribution Point Infrastructure
 Plan for Distribution Point Groups
For information about the dependencies and supported configurations for content
management, see Prerequisites for Content Management in Configuration Manager.
Plan for Distribution Points
When you plan for distribution points in your hierarchy, determine what distribution point attributes
you must have in your environment, how to distribute the network and system load on the
distribution point, and determine the distribution point infrastructure.
Distribution Point Configurations
Distribution points can have a number of different configurations. The following list describes
the possible configurations.
Preferred distribution point
You assign boundary groups to distribution points. The distribution points are preferred for clients
that are within the boundary group for the distribution point, and the client uses preferred
distribution points as the source location for content. When the content is not available on a
preferred distribution point, the client uses another distribution point for the content source
location. You can configure a distribution point to let clients not in the boundary groups use it as
a fallback location for content.
PXE
Enable the PXE option on a distribution point to enable operating system deployment for
Configuration Manager clients. The PXE option must be configured to respond to PXE boot requests
that Configuration Manager clients on the network make and then interact with the Configuration
Manager infrastructure to determine the appropriate installation actions to take.
Important
You can enable PXE only on a server that has Windows Deployment Services installed. When you
enable PXE, Configuration Manager installs Windows Deployment Services on the distribution point
site system if it is not already installed.
Multicast
Enable the multicast option on a distribution point to use multicast when you distribute operating
systems.
Important
You can enable multicast only on a server that has Windows Deployment Services installed. When
you enable multicast, Configuration Manager installs Windows Deployment Services on the
distribution point site system if it is not already installed.
Support for mobile devices
You must configure the distribution point to accept HTTPS communications to support mobile
devices.
Support for Internet-based clients
You must configure the distribution point to accept HTTPS communications to support
Internet-based clients.
Application Virtualization
Although there are no configuration requirements for the distribution point to enable streaming of
virtual applications to clients, there are application management prerequisites that you must
consider. For more information, see Prerequisites for Application Management in Configuration
Manager.
Planning for Preferred Distribution Points and Fallback
When you create a distribution point, you have the option to assign boundary groups to the
distribution point. The distribution points are preferred for clients that are within a boundary group
that is assigned to the distribution point.
Content Source Location
When you deploy software to a client, the client sends a content request to a management point,
the management point sends a list of the preferred distribution points to the client, and the client
uses one of the preferred distribution points on the list as the source location for content. When
the content is not available on a preferred distribution point, the management point sends a list to
the client with distribution points that have the content available. The client uses one of the
distribution points for the content source location.
In the distribution point properties and in the properties for a deployment type or package, you
can configure whether to enable clients to use a fallback source location for content. When a
preferred distribution point does not have the content and the fallback settings are not enabled,
the client fails to download the content, and the software deployment fails.
Network Connection Speed to the Content Source Location
You can configure the network connection speed of each distribution point in an assigned
boundary group. Clients use this value when they connect to the distribution point. By default, the
network connection speed is configured as Fast, but it can also be configured as Slow. When the
client uses a distribution point that is not preferred, the connection to the distribution point is
automatically considered as slow. The network connection speed helps determine whether a
client can download content from a distribution point. You can configure the deployment behavior
for each network connection speed in the deployment properties for the specific software that you
are deploying. You can choose to never install software when the network connection is
considered slow, download and install the software, and so on.
On-Demand Content Distribution
You can select the Distribute the content for this package to preferred distribution points
property for an application or package to enable on-demand content distribution to preferred
distribution points. When enabled, the management point creates a trigger for Distribution
Manager to distribute the content to all preferred distribution points in the list when a client
requests the content for the package and the content is not available on any preferred distribution
points. Depending on the scenario, the client might wait for the content to be available on a
preferred distribution point, or it might download the content from a distribution point that is
configured to enable a fallback location for content source.
Content Source Location Scenarios
When you deploy software to clients, the content source location that the client uses depends on
the following settings:
 Allow fallback source location for content: This distribution point property enables clients
to fall back and use the distribution point as the source location for content when the content
is not available on a preferred distribution point.
 Deployment properties for network connection speed: The deployment properties for
network speed are configured as a property for deployed objects, such as application
deployment types, software updates, and task sequence deployments. There are different
settings for the different deployment objects, but the properties can configure whether to
download and install the software content when the network connection speed is configured
as slow.
 Distribute the content for this package to preferred distribution points: When you select
this application deployment type or package property, you enable on-demand content
distribution to preferred distribution points.
The following scenarios show how content location and fallback behave for different
configurations. The three scenarios differ in their fallback configuration and deployment behavior
for slow network:
Scenario 1: Allow Fallback: Not enabled. Deployment behavior for slow network: Any
configuration.
Scenario 2: Allow Fallback: Enabled. Deployment behavior for slow network: Do not download
content.
Scenario 3: Deployment - Fallback option: Enabled. Deployment behavior for slow network:
Download and install content.
Distribution points are online and meet the following criteria: content is available on a preferred
distribution point; content is available on a fallback distribution point; the package configuration
for on-demand package distribution is not relevant in this scenario.
Scenario 1: The client sends a content request to the management point. A content location list
is returned to the client from the management point with the preferred distribution points that
contain the content. The client downloads the content from a preferred distribution point on the
list.
Scenario 2: The client sends a content request to the management point. The client includes a
flag with the request that indicates fallback distribution points are allowed. A content location
list is returned to the client from the management point with the preferred distribution points and
fallback distribution points that contain the content. The client downloads the content from a
preferred distribution point on the list.
Scenario 3: The client sends a content request to the management point. The client includes a
flag with the request to indicate that fallback distribution points are allowed. A content location
list is returned to the client from the management point with the preferred distribution points and
fallback distribution points that contain the content. The client downloads the content from a
preferred distribution point on the list.
Distribution points are online and meet the following criteria: content is not available on a
preferred distribution point; content is available on a fallback distribution point; the package is
not configured for on-demand package distribution.
Scenario 1: The client sends a content request to the management point. A content location list
is returned to the client from the management point with the preferred distribution points that
have the content. There are no preferred distribution points in the list. The client fails with the
message Content is not available and goes into retry mode. A new content request is started
every hour.
Scenario 2: The client sends a content request to the management point. The client includes a
flag with the request that indicates fallback distribution points are allowed. A content location
list is returned to the client from the management point with the preferred distribution points and
fallback distribution points that have the content. There are no preferred distribution points that
have the content, but at least one fallback distribution point has the content. The content is not
downloaded because the deployment property for when the client is using a fallback distribution
point is set to Do not download. The client fails with the message Content is not available and
goes into retry mode. The client makes a new content request every hour.
Scenario 3: The client sends a content request to the management point. The client includes a
flag with the request that indicates fallback distribution points are allowed. A content location
list is returned to the client from the management point with the preferred distribution points and
fallback distribution points that have the content. There are no preferred distribution points that
have the content, but at least one fallback distribution point has the content. The content is
downloaded from a fallback distribution point on the list because the deployment property for
when the client is using a fallback distribution point is set to Download and install the content.
Distribution points are online and meet the following criteria: content is not available on a
preferred distribution point; content is available on a fallback distribution point; the package is
configured for on-demand package distribution.
Scenario 1: The client sends a content request to the management point. A content location list
is returned to the client from the management point with the preferred distribution points that
have the content. There are no preferred distribution points that have the content. The client
fails with the message Content is not available and goes into retry mode. A new content request
is made every hour. The management point creates a trigger for Distribution Manager to
distribute the content to all preferred distribution points for the client that made the content
request. Distribution Manager distributes the content to all preferred distribution points. A
content request is initiated by the client to the management point every hour. A content location
list is returned to the client from the management point with the preferred distribution points that
have the content (in most cases the content is distributed to the preferred distribution points
within the hour). The client downloads the content from a preferred distribution point on the list.
Scenario 2: The client sends a content request to the management point. The client includes a
flag with the request that indicates fallback distribution points are allowed. A content location
list is returned to the client from the management point with the preferred distribution points and
fallback distribution points that have the content. There are no preferred distribution points that
have the content, but at least one fallback distribution point has the content. The content is not
downloaded because the deployment property for when the client is using a fallback distribution
point is set to Do not download. The client fails with the message Content is not available and
goes into retry mode. The client makes a new content request every hour. The management
point creates a trigger for Distribution Manager to distribute the content to all preferred
distribution points for the client that made the content request. Distribution Manager distributes
the content to all preferred distribution points. A content request is initiated by the client to the
management point. A content location list is returned to the client from the management point
with the preferred distribution points that have the content (typically the content is distributed to
the preferred distribution points within the hour). The client downloads the content from a
preferred distribution point on the list.
Scenario 3: The client sends a content request to the management point. The client includes a
flag with the request that indicates fallback distribution points are allowed. A content location
list is returned to the client from the management point with the preferred distribution points and
fallback distribution points that have the content. There are no preferred distribution points that
have the content, but at least one fallback distribution point has the content. The content is
downloaded from a fallback distribution point on the list because the deployment property for
when the client is using a fallback distribution point is set to Download and install the content.
The management point creates a trigger for Distribution Manager to distribute the content to all
preferred distribution points for the client that made the content request. Distribution Manager
distributes the content to all preferred distribution points.
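A model of the decision logic in the scenarios above, added here as an example and not part of the documentation: the function Get-ContentLocationOutcome, its parameter names and its result object are assumptions for illustration, not Configuration Manager APIs, and Scenario 1 is run with Do not download as one representative of "any configuration".

```powershell
# Added example (not from the Configuration Manager documentation): models how the
# fallback setting, the slow-network deployment behavior, content availability and
# on-demand distribution combine to decide where a client gets its content.
function Get-ContentLocationOutcome {
    param(
        [bool]   $AllowFallback        = $false,   # DP property: Allow fallback source location for content
        [ValidateSet('DoNotDownload', 'DownloadAndInstall')]
        [string] $SlowNetworkBehavior  = 'DoNotDownload',  # deployment behavior for slow network
        [bool]   $ContentOnPreferredDP = $false,
        [bool]   $ContentOnFallbackDP  = $false,
        [bool]   $OnDemandDistribution = $false    # Distribute the content for this package to preferred DPs
    )
    $steps = New-Object System.Collections.ArrayList

    # Request: the client asks the management point; the fallback flag is sent only when allowed.
    $flag = if ($AllowFallback) { ' (fallback allowed)' } else { '' }
    [void]$steps.Add("Client -> MP: content request$flag")

    # Response: preferred DPs that have the content, plus fallback DPs when the flag was set.
    $list = @()
    if ($ContentOnPreferredDP) { $list += 'PreferredDP' }
    if ($AllowFallback -and $ContentOnFallbackDP) { $list += 'FallbackDP' }
    [void]$steps.Add('MP -> Client: location list [' + ($list -join ', ') + ']')

    $result = New-Object PSObject -Property @{
        Source = $null; Outcome = 'ContentNotAvailable'
        RetryEveryHour = $false; OnDemandTriggered = $false; Steps = $null
    }

    if ($list -contains 'PreferredDP') {
        $result.Source = 'PreferredDP'; $result.Outcome = 'Downloaded'
        [void]$steps.Add('Client downloads from a preferred distribution point')
    }
    elseif ($list -contains 'FallbackDP' -and $SlowNetworkBehavior -eq 'DownloadAndInstall') {
        # A non-preferred DP always counts as a slow connection, so the slow-network setting decides.
        $result.Source = 'FallbackDP'; $result.Outcome = 'Downloaded'
        [void]$steps.Add('Client downloads from a fallback distribution point (connection treated as slow)')
    }
    else {
        $result.RetryEveryHour = $true
        [void]$steps.Add('Client fails with "Content is not available" and retries every hour')
    }

    # On-demand distribution: with no preferred DP holding the content, the MP triggers
    # Distribution Manager; a later hourly retry then succeeds from a preferred DP.
    if ($OnDemandDistribution -and -not $ContentOnPreferredDP) {
        $result.OnDemandTriggered = $true
        [void]$steps.Add('MP triggers Distribution Manager to distribute content to preferred DPs')
        if ($result.Outcome -ne 'Downloaded') {
            [void]$steps.Add('Next hourly request: a preferred DP now has the content; client downloads from it')
            $result.Source = 'PreferredDP'; $result.Outcome = 'DownloadedAfterOnDemand'
        }
    }
    $result.Steps = $steps.ToArray()
    return $result
}

# Walk the three scenarios against the rows where content exists only on a fallback DP.
$scenarios = @(
    @{ Name = 'Scenario 1'; AllowFallback = $false; SlowNetworkBehavior = 'DoNotDownload' },
    @{ Name = 'Scenario 2'; AllowFallback = $true;  SlowNetworkBehavior = 'DoNotDownload' },
    @{ Name = 'Scenario 3'; AllowFallback = $true;  SlowNetworkBehavior = 'DownloadAndInstall' }
)
foreach ($onDemand in @($false, $true)) {
    foreach ($s in $scenarios) {
        $r = Get-ContentLocationOutcome -AllowFallback $s.AllowFallback `
                -SlowNetworkBehavior $s.SlowNetworkBehavior -ContentOnPreferredDP $false `
                -ContentOnFallbackDP $true -OnDemandDistribution $onDemand
        "{0} (on-demand={1}): {2} from {3}; retry hourly={4}; on-demand triggered={5}" -f `
            $s.Name, $onDemand, $r.Outcome, $r.Source, $r.RetryEveryHour, $r.OnDemandTriggered
        $r.Steps | ForEach-Object { "    $_" }
    }
}
```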
Planning for BranchCache Support
Windows BranchCache has been integrated in Configuration Manager. You can configure the
BranchCache settings on software deployments. When all the requirements for BranchCache are
met, this feature enables clients at remote locations to obtain content from local clients that have
a current cache of the content. For example, when the first BranchCache-enabled client computer
requests content from a distribution point that is running Windows Server 2008 R2 and that has
also been configured as a BranchCache server, the client computer downloads the content and
caches it. This content is then made available for clients on the same subnet that request this
same content, and these clients also cache the content. In this way, subsequent clients on the
same subnet do not have to download content from the distribution point, and the content is
distributed across multiple clients for future transfers. For more information about BranchCache
support in Configuration Manager, see the BranchCache Feature Support section in the
Supported Configurations for Configuration Manager topic.
Network Bandwidth Considerations for Distribution Points
To help you plan for the distribution point infrastructure in your hierarchy, consider the network
bandwidth used for the content management process and what you can do to reduce the network
bandwidth that is used.
When you create a package, change the source path for the content, or update content on the
distribution point, the files are copied from the source path to the content library on the site
server. Then, the content is copied from the content library on the site server to the content library
on the distribution points. When content source files are updated, and the source files have
already been distributed, Configuration Manager retrieves only the new or updated files, and then
sends them to the distribution point. Scheduling and throttling controls can be configured for
site-to-site communication and for communication between a site server and a remote distribution
point. When network bandwidth between the site server and remote distribution point is limited
even after you configure the schedule and throttling settings, you might consider prestaging the
content on the distribution point.
Planning for Scheduling and Throttling
In Configuration Manager, you can configure a schedule and set specific throttling settings on
remote distribution points that determine when and how content distribution is performed. Each
remote distribution point can have different configurations that help address network bandwidth
limitations from the site server to the remote distribution point. The controls used for scheduling
and throttling to the remote distribution point are similar to the settings for a standard sender
address, but in this case, the settings are used by a new component called Package Transfer
Manager. Package Transfer Manager distributes content from a site server (primary site or
secondary site) to a distribution point that is installed on a site system. The throttling settings are
configured on the Rate Limits tab, and the scheduling settings are configured on the Schedule
tab for a distribution point that is not on a site server.
Warning
The Rate Limits and Schedule tabs are displayed only in the properties for distribution
points that are not installed on a site server.
For more information about configuring scheduling and throttling settings for a remote distribution
point, see the Modify the Distribution Point Configuration Settings section in the Configuring
Content Management in Configuration Manager topic.
Determine Whether To Prestage Content
Consider prestaging content for applications and packages in the following scenarios:
 Limited network bandwidth from the site server to distribution point: When scheduling
and throttling do not satisfy your concerns about distributing content over the network to a
remote distribution point, consider prestaging the content on the distribution point. Each
distribution point has the Enable this distribution point for prestaged content setting that
you can configure in the distribution point properties. When you enable this option, the
distribution point is identified as a prestaged distribution point, and you can choose how to
manage the content on a per-package basis.
The following settings are available in the properties for an application, package, driver
package, boot image, operating system installer, and image, and let you configure how
content distribution is managed on remote distribution points that are identified as prestaged:
 Automatically download content when packages are assigned to distribution
points: Use this option when you have smaller packages where the scheduling and
throttling settings provide enough control for content distribution.
 Download only content changes to the distribution point: Use this option when you
have an initial package that is possibly large, but you expect future updates to the content
in the package to be generally smaller. For example, you might prestage Microsoft
Office 2010 because the initial package size is over 700 MB and too large to send over
the network. However, content updates to this package might be less than 10 MB and
acceptable to distribute over the network. Another example might be driver packages
where the initial package size is large, but incremental driver additions to the package
might be small.
 Manually copy the content in this package to the distribution point: Use this option
for when you have large packages, with content such as an operating system, and never
want to use the network to distribute the content to the distribution point. When you select
this option, you must prestage the content on the distribution point.
Warning
The preceding options are applicable on a per-package basis and are only used
when a distribution point is identified as prestaged. Distribution points that have not
been identified as prestaged ignore these settings, and content is always distributed
over the network from the site server to the distribution points.
 Restore the content library on a site server: When a site server fails, information about
packages and applications contained in the content library is restored to the site database as
part of the restore process, but the content library files are not restored as part of the
process. If you do not have a file system backup to restore the content library, you can create
a prestaged content file from another site that contains the packages and applications that
you have to have, and then extract the prestaged content file on the recovered site server.
For more information about site server backup and recovery, see the Planning for Backup
and Recovery section in the Planning for Site Operations in Configuration Manager topic.
For more information about prestaging content files, see the Prestage Content section in the
Operations and Maintenance for Content Management in Configuration Manager topic.
Determine the Distribution Point Infrastructure
At least one distribution point is required at each site in the Configuration Manager hierarchy. By
default, a primary site server is configured as a distribution point. However, assign this role to a
remote site system and remove it from the site server if possible. This role assignment reduces
the resource requirements and improves performance on the site server, and also assists in load
balancing. The distribution point site system role is automatically configured on the secondary site
server when it is installed. However, the distribution point site system role is not required at
secondary sites. Clients connect to distribution points at the parent primary site if one is not
available at the secondary site. As you configure your distribution points with assigned boundary
groups, consider the physical location and network connection speed between the distribution
point and site server.
Consider the following to help you determine the appropriate number of distribution points to
install at a site:
 The number of clients that might access the distribution point
 The configuration of the distribution point, such as PXE and multicast
 The network bandwidth that is available between clients and distribution points
 The size of the content that clients retrieve from the distribution point
 The setting for BranchCache, when enabled, lets clients at remote locations obtain content
from local clients.
For more information about creating and configuring distribution points, see the Install and
Configure the Distribution Point section in the Configuring Content Management in Configuration
Manager topic.
Plan for Distribution Point Groups
Distribution point groups provide a logical grouping of distribution points for content distribution.
When you distribute content to a distribution point group, all distribution points that are members
of the distribution point group receive the content. If you add a distribution point to the distribution
point group after an initial content distribution, the content is automatically distributed to the new
distribution point member. You can add one or more distribution points from any site in the
Configuration Manager hierarchy to the distribution point group. You can also add the distribution
point to more than one distribution point group, to manage and monitor content from a central
location for distribution points that span multiple sites.
You can also add a collection to distribution point groups, which creates an association, and then
distribute content to the collection. When you distribute content to a collection, the content is
assigned to all distribution point groups that are associated with the collection. The content is
then distributed to all distribution points that are members of those distribution point groups.
There are no restrictions on the number of distribution point groups that can be associated with a
collection or the number of collections that can be associated with a distribution point group. If
you add a collection to a distribution point group, the distribution point group does not
automatically receive content previously distributed to the associated collection. However, the
distribution point group receives all new content that is distributed to the collection.
Note
After you distribute content to a collection, and then associate the collection to a new
distribution point group, you must redistribute the content to the collection before the
content is distributed to the new distribution point group.
For more information about creating and configuring distribution point groups, see the Create and
Configure Distribution Point Groups section in the Configuring Content Management in
Configuration Manager topic.
Supplemental Planning Topics for Content Management
Use the following topics to help you plan for content management in Configuration Manager:
 Prerequisites for Content Management in Configuration Manager
 Best Practices for Content Management in Configuration Manager
See Also
Planning for Configuration Manager Sites and Hierarchy
Planning for Boundaries and Boundary Groups in Configuration Manager
In System Center 2012 Configuration Manager, a boundary is a network location on the intranet
that can contain one or more devices that you want to manage. Boundaries can be an IP subnet,
Active Directory site name, IPv6 Prefix, or an IP address range, and the hierarchy can include
any combination of these boundary types. To use a boundary, you must add the boundary to one
or more boundary groups. Boundary groups are collections of boundaries. By using boundary
groups, clients on the intranet can find an assigned site and locate content when they have to
install software, such as applications, software updates, and operating system images.
When clients are on the Internet, or they are configured as Internet-only clients, they do not use
boundary information. These clients cannot use automatic site assignment and always download
content from any distribution point in their assigned site when the distribution point is configured
to allow client connections from the Internet.
What’s New in Configuration Manager
Note
The information in this section also appears in the Getting Started with System Center
2012 Configuration Manager guide.
The following items are new or have changed for boundaries since Configuration Manager 2007:
 Boundaries are no longer site specific, but defined once for the hierarchy, and they are
available at all sites in the hierarchy.
 Each boundary must be a member of a boundary group before a device on that boundary can
identify an assigned site, or a content server such as a distribution point.
 You no longer configure the network connection speed of each boundary. Instead, in a
boundary group you specify the network connection speed for each site system server
associated to the boundary group as a content location server.
Boundaries
Each boundary represents a network location in System Center 2012 Configuration Manager, and
it is available from every site in your hierarchy. A boundary does not enable you to manage
clients at the network location. To manage a client, the boundary must be a member of a
boundary group.
Boundary Groups
Use boundary groups to manage your network locations. You must assign boundaries to
boundary groups before you can use the boundary group. Boundary groups have the following
functions:
 They enable clients to find a primary site for client assignment (automatic site assignment).
 They can provide clients with a list of available site systems that have content after you
associate the distribution point and state migration point site system servers with the
boundary group.
To support site assignment, you must configure the boundary group to specify an assigned site
for clients to use during automatic site assignment. To support content location, you must specify
one or more site systems. You can only specify site systems with the distribution point or state
migration point site system role. Both the site assignment and content location configurations are
optional for boundary groups.
When you plan for boundary groups, consider creating one set of boundary groups for content
location and a second set of boundary groups for automatic site assignment. This separation can
help you avoid overlapping boundaries for site assignment. When you have overlapping
boundaries and use automatic site assignment, the site to which a client is assigned is
nondeterministic.
The following sections contain information to consider when you configure boundary groups.
Site Assignment
You can configure each boundary group with an assigned site for clients. Clients join the
assigned site of a boundary group that contains the client’s current network location. When a
boundary is added to multiple boundary groups that have different assigned sites, clients will
nondeterministically select one of the sites. System Center 2012 Configuration Manager does not
support this overlapping boundary configuration for site assignment.
If you make a change to the site assignment configuration of a boundary group, only new site
assignment actions are affected. Clients that have previously been assigned to a site do not
re-evaluate their site assignment based on changes to the configuration of a boundary group.
For more information about client site assignment, see How to Assign Clients to a Site in
Configuration Manager.
Content Location
You can associate one or more distribution points and one or more state migration points with
each boundary group. You can also associate a distribution point or state migration point with
multiple boundary groups.
During software distribution, clients request a location for deployment content. Configuration
Manager sends the client a list of distribution points that are associated with each boundary group
that includes the current network location of the client.
During operating system deployment, clients request a location to send or receive their state
migration information. Configuration Manager sends the client a list of state migration points that
are associated with each boundary group that includes the current network location of the client.
This behavior enables the client to select the nearest server from which to transfer the content or
state migration information.
Overlapping Boundaries
System Center 2012 Configuration Manager supports overlapping boundary configurations for
content location.
When a client requests content, and the client network location belongs to multiple boundary
groups, Configuration Manager sends the client a list of all distribution points that have the
content.
When a client requests a server to send or receive its state migration information, and the client
network location belongs to multiple boundary groups, Configuration Manager sends the client a
list of all state migration points that are associated with a boundary group that includes the
current network location of the client.
This behavior enables the client to select the nearest server from which to transfer the content or
state migration information.
Network Connection Speed
You can configure the network connection speed of each distribution point in a boundary group.
Clients use this value when they connect to the distribution point. By default, the network
connection speed is configured as Fast, but it can also be configured as Slow. The network
connection speed and the deployment configuration determine whether a client can download
content from a distribution point when the client is in an associated boundary group.
See Also
Planning for Configuration Manager Sites and Hierarchy
Planning for Security in Configuration Manager
This topic appears in the Site Administration for System Center 2012 Configuration
Manager guide and in the Security and Privacy for System Center 2012 Configuration
Manager guide.
Use the following information to help you plan for security in Microsoft System Center 2012
Configuration Manager.
 Planning for Certificates (Self-Signed and PKI)
 Planning for PKI Certificate Revocation
 Planning for the PKI Trusted Root Certificates and the Certificate Issuers List
 Planning for PKI Client Certificate Selection
 Planning a Transition Strategy for PKI Certificates and Internet-Based Client
Management
 Planning for the Trusted Root Key
 Planning for Signing and Encryption
 Planning for Role-Based Administration
In addition to these sections, see Security and Privacy for Site Administration in Configuration
Manager.
For additional information about how Configuration Manager uses certificates and cryptographic
controls, see Technical Reference for Cryptographic Controls Used in Configuration Manager.
Planning for Certificates (Self-Signed and PKI)
Configuration Manager uses a combination of self-signed certificates and public key infrastructure
(PKI) certificates.
As a security best practice, use PKI certificates whenever possible. For more information about
the PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager.
When Configuration Manager requests the PKI certificates, such as during enrollment for mobile
devices and AMT provisioning, you must use Active Directory Domain Services and an enterprise
certification authority. For all other PKI certificates, you must deploy and manage them
independently from Configuration Manager.
PKI certificates are also required when client computers connect to Internet-based site systems,
and they are recommended to be used when clients connect to site systems that run Internet
Information Services (IIS). For more information about client communication, see Planning for
Client Communication in Configuration Manager.
Note
When you use a PKI, you can also use IPsec to help secure the server-to-server communication
between site systems in a site and between sites, and for any other scenario when you transfer
data between computers. You must configure and implement IPsec independently from
Configuration Manager.
Configuration Manager can automatically generate self-signed certificates when PKI certificates
are not available, and some certificates in Configuration Manager are always self-signed. In most
cases, Configuration Manager automatically manages the self-signed certificates, and you do not
have to take additional action. One possible exception is the site server signing certificate. The
site server signing certificate is always self-signed, and it ensures that the client policies that
clients download from the management point were sent from the site server and were not
tampered with.
Planning for the Site Server Signing Certificate (Self-Signed)
Clients can securely obtain a copy of the site server signing certificate from Active Directory
Domain Services and from client push installation. If clients cannot obtain a copy of the site
server signing certificate by using one of these mechanisms, as a security best practice, install a
copy of the site server signing certificate when you install the client. This is especially important if
the client’s first communication with the site is from the Internet, because the management point
is connected to an untrusted network and therefore, vulnerable to attack. If you do not take this
additional step, clients automatically download a copy of the site server signing certificate from
the management point.
Scenarios when clients cannot securely obtain a copy of the site server certificate include the
following:
 You do not install the client by using client push, and any of the following conditions is true:
 The Active Directory schema is not extended for Configuration Manager.
 The client’s site is not published to Active Directory Domain Services.
 The client is from an untrusted forest or a workgroup.
 You install the client when it is on the Internet.
Use the following procedure to install clients together with a copy of the site server signing
certificate.
To install clients with a copy of the site server signing certificate
1. Locate the site server signing certificate on the client’s primary site server. The certificate
is stored in the SMS certificate store and has the Subject name Site Server and the
friendly name Site Server Signing Certificate.
2. Export the certificate without the private key, store the file securely, and only access it
from a secured channel (for example, by using SMB signing or IPsec).
3. Install the client by using the Client.msi property SMSSIGNCERT=<Full path and file
name> with CCMSetup.exe.
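The procedure above, scripted in Windows PowerShell as an added example (this is not code from the Configuration Manager documentation or product). It assumes PowerShell 4.0 or later with the PKI module, that the site server signing certificate is in the LocalMachine SMS store, and that the share path, site code PS1 and file names are placeholders for your own values:

```powershell
# Added example: export the site server signing certificate (public part only)
# and install a client with SMSSIGNCERT pointing at the exported file.
# Assumed values: the share \\cmsrv01\ClientInstall$ and the site code PS1.

# Step 1: locate the certificate by its friendly name in the SMS certificate store
# on the primary site server.
$signingCert = @(Get-ChildItem -Path 'Cert:\LocalMachine\SMS' |
    Where-Object { $_.FriendlyName -eq 'Site Server Signing Certificate' })

if ($signingCert.Count -eq 0) {
    throw 'Site server signing certificate not found in Cert:\LocalMachine\SMS.'
}
if ($signingCert.Count -gt 1) {
    throw 'More than one certificate matched the friendly name; refine the filter before exporting.'
}
$signingCert = $signingCert[0]

# Step 2: export as DER (.cer). A .cer file never carries the private key, which is
# exactly what the procedure requires. Write it to a share that is only reachable
# over SMB signing or IPsec so the copy cannot be swapped in transit.
$exportPath = '\\cmsrv01\ClientInstall$\SiteServerSigning.cer'   # assumed location
Export-Certificate -Cert $signingCert -FilePath $exportPath -Type CERT -Force | Out-Null

# Record the thumbprint so the copy on the share can be compared against the
# site server's certificate before every installation.
$expectedThumbprint = $signingCert.Thumbprint
Write-Host "Exported site server signing certificate, thumbprint $expectedThumbprint"

# Step 3 (on the client): confirm the file still matches the site server copy,
# then run CCMSetup with SMSSIGNCERT. SMSSITECODE is an existing Client.msi
# property; the value PS1 is assumed.
$copied = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $exportPath
if ($copied.Thumbprint -ne $expectedThumbprint) {
    throw "Certificate on the share ($($copied.Thumbprint)) does not match the site server copy; do not install."
}
& '\\cmsrv01\ClientInstall$\ccmsetup.exe' "SMSSIGNCERT=$exportPath" 'SMSSITECODE=PS1'
```

The thumbprint comparison is the check that matters: SMSSIGNCERT tells the client which certificate to trust for policy signatures, so the file handed to CCMSetup must be the one the site server exported and nothing else.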
Planning for PKI Certificate Revocation
When you use PKI certificates with Configuration Manager, plan for how and whether clients and
servers will use a certificate revocation list (CRL) to verify the certificate on the connecting
computer. The certificate revocation list (CRL) is a file that is created and signed by a certification
authority (CA) and contains a list of certificates that it has issued, but revoked. Certificates can be
revoked by a CA administrator, for example, if an issued certificate is known or suspected to be
compromised.
Important
Because the location of the CRL is added to a certificate when it is issued by a CA,
ensure that you plan for the CRL before you deploy any PKI certificates that
Configuration Manager will use.
By default, IIS always checks the CRL for client certificates, and you cannot change this
configuration in Configuration Manager. By default, Configuration Manager clients always check
the CRL for site systems; however, you can disable this setting by specifying a site property and
by specifying a CCMSetup property. When you manage Intel AMT-based computers out of band,
you can also enable CRL checking for the out of band service point and for computers that run
the Out of Band Management console.
If computers use certificate revocation checking but they cannot locate the CRL, they behave as if
all certificates in the certification chain are revoked because their absence from the list cannot be
verified. In this scenario, all connections that require certificates and use a CRL fail.
Checking the CRL every time that a certificate is used offers more security against using a
certificate that has been revoked, but it introduces a connection delay and additional processing
on the client. You are more likely to require this additional security check when clients are on the
Internet or on an untrusted network.
Consult your PKI administrators before you decide whether Configuration Manager clients must
check the CRL, and then consider keeping this option enabled in Configuration Manager when
both of the following conditions are true:
 Your PKI infrastructure supports a CRL, and it is published where all Configuration Manager
clients can locate it. Remember that this might include clients on the Internet if you are using
Internet-based client management, and clients in untrusted forests.
 The security benefit of checking the CRL for each connection to a site system that is
configured to use a PKI certificate outweighs both the cost of slower connections and
additional processing on the client, and the risk that clients fail to connect to servers when
they cannot locate the CRL.
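To see the fail-closed behaviour described above before you enable CRL checking site-wide, you can reproduce the client-side decision with the .NET X509Chain class from Windows PowerShell. This is an added example, not code from Configuration Manager or its documentation; it assumes you have exported the public part of a site system certificate (for example the management point's web server certificate) to a .cer file on the client, and the path below is a placeholder:

```powershell
# Added example: build the certificate chain with online revocation checking,
# as a client would, and separate "revoked" from "CRL not reachable".
# Both outcomes make a Configuration Manager connection fail, but the fix
# differs: one is a PKI decision, the other a CRL publishing or network problem.

function Test-CrlReachability {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [int] $TimeoutSeconds = 15
    )
    $F = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online = fetch the CRL from the distribution point embedded in the certificate.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

    $built = $chain.Build($Certificate)

    # Collapse all chain status flags into one bitmask and classify it.
    $flags = 0
    foreach ($s in $chain.ChainStatus) { $flags = $flags -bor [int]$s.Status }
    $revoked     = ($flags -band [int]$F::Revoked) -ne 0
    $unreachable = ($flags -band ([int]$F::RevocationStatusUnknown -bor [int]$F::OfflineRevocation)) -ne 0

    if ($built)           { $verdict = 'OK: chain built and revocation status confirmed' }
    elseif ($revoked)     { $verdict = 'FAIL: certificate or an issuer is revoked' }
    elseif ($unreachable) { $verdict = 'FAIL: CRL not reachable from this computer; the connection would be refused' }
    else                  { $verdict = 'FAIL: chain did not build for another reason (see Details)' }

    [pscustomobject]@{
        Subject        = $Certificate.Subject
        ChainValid     = $built
        Revoked        = $revoked
        CrlUnreachable = $unreachable
        Verdict        = $verdict
        Details        = ($chain.ChainStatus | ForEach-Object {
                             "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}

# Usage: test the management point's certificate from the client's point of view.
# The .cer path is an assumption; export the public certificate only.
$mpCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Temp\mp-webserver.cer'
Test-CrlReachability -Certificate $mpCert | Format-List
```

Run this from the network locations your clients actually use (including Internet-based ones) rather than from the site server: a CRL that is reachable from the data centre but not from the Internet produces exactly the "all connections fail" scenario the text describes.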
Planning for the PKI Trusted Root Certificates and the Certificate Issuers List
If your IIS site systems use PKI client certificates for client authentication over HTTP or for client
authentication and encryption over HTTPS, you might have to import root CA certificates as a site
property. The two scenarios are as follows:
 You deploy operating systems by using Configuration Manager, and the management points
only accept HTTPS client connections.
 You use PKI client certificates that do not chain to a root certification authority (CA) certificate
that is trusted by management points.
Note
When you issue client PKI certificates from the same CA hierarchy that issues the
server certificates that you use for management points, you do not have to specify
this root CA certificate. However, if you use multiple CA hierarchies and you are not
sure whether they trust each other, import the root CA for the clients’ CA hierarchy.
If you must import root CA certificates for Configuration Manager, export them from the issuing
CA or from the client computer. If you export the certificate from the issuing CA that is also the
root CA, ensure that the private key is not exported. Store the exported certificate file in a secured
location to prevent tampering. You must be able to access the file when you configure the site, so
that if you access the file over the network, ensure that the communication is protected from
tampering by using SMB signing or IPsec.
If any of the root CA certificates that you import are renewed, you must import the renewed
certificates.
These imported root CA certificates and the root CA certificate of each management point create
the certificate issuers list that Configuration Manager computers use in the following ways:
 When clients connect to management points, the management point verifies that the client
certificate chains to a trusted root certificate in the site’s certificate issuers list. If it does not,
the certificate is rejected, and the PKI connection fails.
 When clients select a PKI certificate, if they have a certificate issuers list, they select a
certificate that chains to a trusted root certificate in the certificate issuers list. If there is no
match, the client does not select a PKI certificate. For more information about the client
certificate process, see the Planning for PKI Client Certificate Selection section in this topic.
Independently from the site configuration, you might also have to import a root CA certificate
when you enroll mobile devices, and when you provision Intel AMT-based computers for wireless
networks.
Planning for PKI Client Certificate Selection
If your IIS site systems will use PKI client certificates for client authentication over HTTP or for
client authentication and encryption over HTTPS, plan for how clients will select the certificate to
use for Configuration Manager.
In many cases, the default configuration and behavior will be sufficient. The Configuration
Manager client filters multiple certificates by using the following criteria:
1. The certificate issuers list: The certificate chains to a root CA that is trusted by the
management point.
2. The certificate is in the default certificate store of Personal.
3. The certificate is valid, not revoked, and not expired.
4. The certificate has client authentication capability, or it is issued to the computer name.
5. The certificate has the longest validity period.
Clients can be configured to use the certificate issuers list by using the following mechanisms:
 It is published as Configuration Manager site information to Active Directory Domain
Services.
 Clients are installed by using client push.
 Clients download it from the management point after they are successfully assigned to their
site.
 It is specified during client installation, as a CCMSetup client.msi property of
CCMCERTISSUERS.
If clients do not have the certificate issuers list when they are first installed and are not yet
assigned to the site, they skip this check. When they do have the certificate issuers list and do not
have a PKI certificate that chains to a trusted root certificate in the certificate issuers list,
certificate selection fails, and clients do not continue with the other certificate selection criteria.
In most cases, the Configuration Manager client correctly identifies a unique and appropriate PKI
certificate to use. However, when this is not the case, instead of selecting the certificate based on
the client authentication capability, you can configure two alternative selection methods:
 A partial string match on the client certificate Subject name. This is a case-insensitive match
that is appropriate if you are using the fully qualified domain name (FQDN) of a computer in
the subject field and want the certificate selection to be based on the domain suffix, for
example contoso.com. However, you can use this selection method to identify any string of
sequential characters in the certificate Subject name that differentiate the certificate from
others in the client certificate store.
Note
You cannot use the partial string match with the Subject Alternative Name (SAN) as a
site setting. Although you can specify a partial string match for the SAN by using
CCMSetup, it will be overwritten by the site properties in the following scenarios:
 Clients retrieve site information that is published to Active Directory Domain Services.
 Clients are installed by using client push installation.
Use a partial string match in the SAN only when you install clients manually, and
when they do not retrieve site information from Active Directory Domain Services. For
example, these conditions apply to Internet-only clients.
 A match on the client certificate Subject name attribute values or the Subject Alternative
Name (SAN) attribute values. This is a case-sensitive match that is appropriate if you are
using an X500 distinguished name or equivalent OIDs (Object Identifiers) in compliance with
RFC 3280, and you want the certificate selection to be based on the attribute values. You can
specify only the attributes and their values that you require to uniquely identify or validate the
certificate and differentiate the certificate from others in the certificate store.
The following table shows the attribute values that Configuration Manager supports for the client
certificate selection criteria.
OID Attribute               Distinguished name attribute   Attribute definition
0.9.2342.19200300.100.1.25  DC                             Domain component
1.2.840.113549.1.9.1        E or E-mail                    E-mail address
2.5.4.3                     CN                             Common name
2.5.4.4                     SN                             Subject name
2.5.4.5                     SERIALNUMBER                   Serial number
2.5.4.6                     C                              Country code
2.5.4.7                     L                              Locality
2.5.4.8                     S or ST                        State or province name
2.5.4.9                     STREET                         Street address
2.5.4.10                    O                              Organization name
2.5.4.11                    OU                             Organizational unit
2.5.4.12                    T or Title                     Title
2.5.4.42                    G or GN or GivenName           Given name
2.5.4.43                    I or Initials                  Initials
2.5.29.17                   (no value)                     Subject Alternative Name
If more than one appropriate certificate is located after the selection criteria are applied, you can
override the default configuration to select the certificate with the longest validity period and
instead, specify that no certificate is selected. In this scenario, the client will not be able to
communicate with IIS site systems by using a PKI certificate. The client sends an error message
to its assigned fallback status point to alert you to the certificate selection failure so that you can
modify or refine your certificate selection criteria. The client behavior then depends on whether
the failed connection was over HTTPS or HTTP:
 If the failed connection was over HTTPS: The client tries to make a connection over HTTP
and uses the client self-signed certificate.
 If the failed connection was over HTTP: The client tries to make another connection over
HTTP by using the self-signed client certificate.
To help identify a unique PKI client certificate, you can also specify a custom store, other than the
default of Personal in the Computer store. However, you must create this store independently
from Configuration Manager and must be able to deploy certificates to this custom store and
renew them before the validity period expires.
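The five default selection criteria and the partial Subject string alternative, walked over the local computer store in Windows PowerShell so that you can predict which certificate the client will pick, or see why none qualifies. This is an added example and not the Configuration Manager client's own selection code: it assumes the `$TrustedRootThumbprints` parameter stands in for the site's certificate issuers list, uses the standard Client Authentication EKU OID 1.3.6.1.5.5.7.3.2, and does not implement the attribute-value (SubjectAttr) match:

```powershell
# Added example: emulate the client PKI certificate selection criteria listed above.
# Criterion numbers in the comments refer to the numbered list in the text.

function Select-ClientPkiCertificate {
    param(
        [string[]] $TrustedRootThumbprints,      # certificate issuers list; $null = client has no list yet
        [string]   $StoreName = 'My',            # criterion 2: Personal store of the computer by default
        [string]   $SubjectContains,             # alternative to criterion 4: partial, case-insensitive Subject match
        [switch]   $FailOnMultipleMatches        # override for criterion 5: select nothing instead of longest validity
    )
    $now          = Get-Date
    $computerFqdn = [System.Net.Dns]::GetHostEntry('localhost').HostName
    $candidates   = Get-ChildItem "Cert:\LocalMachine\$StoreName" | Where-Object { $_.HasPrivateKey }

    $matches = foreach ($cert in $candidates) {
        # Criterion 1: chains to a root in the certificate issuers list. Clients that do not
        # have the list yet skip this check, which is what a $null list models here.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if (-not $chain.Build($cert)) { continue }
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($TrustedRootThumbprints -and ($TrustedRootThumbprints -notcontains $root.Thumbprint)) { continue }

        # Criterion 3: valid, not expired, not revoked (online CRL check).
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { continue }
        $revChain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $revChain.ChainPolicy.RevocationMode = 'Online'
        if (-not $revChain.Build($cert)) { continue }

        # Criterion 4 (default): client authentication EKU, or issued to the computer name.
        # Alternative: a partial string match on the Subject (-like is case-insensitive).
        if ($SubjectContains) {
            if ($cert.Subject -notlike "*$SubjectContains*") { continue }
        } else {
            $hasClientAuth    = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'
            $issuedToComputer = $cert.Subject -match [regex]::Escape($computerFqdn)
            if (-not ($hasClientAuth -or $issuedToComputer)) { continue }
        }
        $cert
    }

    $matches = @($matches)
    if ($matches.Count -eq 0) {
        Write-Warning 'No certificate passed the selection criteria; the client would report a selection failure.'
        return $null
    }
    if ($matches.Count -gt 1 -and $FailOnMultipleMatches) {
        Write-Warning "$($matches.Count) certificates match; with this override the client selects none."
        return $null
    }
    # Criterion 5: the certificate with the longest validity period wins.
    $matches | Sort-Object { $_.NotAfter - $_.NotBefore } -Descending | Select-Object -First 1
}

# Usage: default behaviour with an assumed issuers list of one root thumbprint,
# then the partial-match alternative keyed on a domain suffix (assumed contoso.com).
Select-ClientPkiCertificate -TrustedRootThumbprints @('0000000000000000000000000000000000000000') |
    Format-List Subject, Thumbprint, NotAfter
Select-ClientPkiCertificate -SubjectContains 'contoso.com' -FailOnMultipleMatches |
    Format-List Subject, Thumbprint, NotAfter
```

Running this with the issuers list set to your real root thumbprint(s) and comparing the result against what the client actually picks is a quick way to decide whether the default criteria are enough or whether you need one of the two alternative selection methods.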
Planning a Transition Strategy for PKI Certificates and Internet-Based Client Management
The flexible configuration options in Configuration Manager let you gradually transition clients and
the site to use PKI certificates to help secure client endpoints. PKI certificates provide better
security and enable clients to be managed when they are on the Internet.
Because of the number of configuration options and choices in Configuration Manager, there is
no single way to transition a site so that all clients use HTTPS connections. However, you can
follow these steps as guidance:
1. Install the Configuration Manager site and configure it so that site systems accept client
connections over HTTPS and HTTP.
2. Configure the Client Computer Communication tab in the site properties so that the Site
System Settings is HTTP or HTTPS, and select the Use PKI client certificate (client
authentication capability) when available check box. Configure any other settings from this
tab that you require. For more information, see the Configure Settings for Client PKI
Certificates section in the Configuring Security for Configuration Manager topic.
3. Pilot a PKI rollout for client certificates. For an example deployment, see the Deploying the
Client Certificate for Computers section in the Step-by-Step Example Deployment of the PKI
Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.
4. Install clients by using the client push installation method. For more information, see the How
to Install Configuration Manager Clients by Using Client Push section in the How to Install
Clients on Computers in Configuration Manager topic.
5. Monitor client deployment and status by using the reports and information in the
Configuration Manager console. For more information, see How to Monitor Database
Replication and SQL Server Status for Database Replication.
6. Track how many clients are using a client PKI certificate by viewing the Client Certificate
column in the Assets and Compliance workspace, Devices node.
Note
You can also deploy the Configuration Manager HTTPS Readiness Assessment Tool
(cmHttpsReadiness.exe) to computers and use the reports to view how many computers
can use a client PKI certificate with Configuration Manager.
When the Configuration Manager client installs on client computers, the
cmHttpsReadiness.exe tool is installed in the %windir%\CCM folder. When you run
this tool on clients, you can specify the following options:
 /Store:<name>
 /Issuers:<list>
 /Criteria:<criteria>
 /SelectFirstCert
These options map to the CCMCERTSTORE, CCMCERTISSUERS, CCMCERTSEL,
and CCMFIRSTCERT Client.msi properties, respectively. For more information about
these options, see About Client Installation Properties in Configuration Manager.
7. When you are confident that a sufficient number of clients are successfully using their client
PKI certificate for authentication over HTTP, do the following:
a. Deploy a PKI web server certificate to a member server that will run an additional
management point for the site, and configure that certificate in IIS. For more information,
see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the
Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager:
Windows Server 2008 Certification Authority topic.
b. Install the management point role on this server and configure the Client connections
option in the management point properties for HTTPS.
8. Monitor and verify that clients that have a PKI certificate use the new management point by
using HTTPS. You can use IIS logging or performance counters to verify this.
9. Reconfigure other site system roles to use HTTPS client connections. If you want to manage
clients on the Internet, ensure that site systems have an Internet FQDN and configure
individual management points and distribution points to accept client connections from the
Internet.
Important
Before you configure site system roles to accept connections from the Internet,
review the planning information and prerequisites for Internet-based client
management. For more information, see the Planning for Internet-Based Client
Management section in the Planning for Communications in Configuration Manager
topic.
10. Extend the PKI certificate rollout for clients and for site systems that run IIS, and configure
the site system roles for HTTPS client connections and Internet connections, as required.
11. For the highest security: When you are confident that all clients are using a client PKI
certificate for authentication and encryption, change the site properties to use HTTPS only.
When you follow this plan to gradually introduce PKI certificates, first for authentication only over
HTTP, and then for authentication and encryption over HTTPS, you reduce the risk that clients
will become unmanaged. In addition, you will benefit from the highest security that Configuration
Manager supports.
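Step 8 of the plan says to verify with IIS logging that PKI-capable clients use the new management point over HTTPS. The following added example (not code from the Configuration Manager documentation) parses an IIS W3C log and counts management point requests per client and port. It assumes the default W3C field set shown in the `#Fields` header; the log lines are constructed sample data, and the /SMS_MP and /ccm_system paths are used here only as examples of client traffic:

```powershell
# Added example: summarise management point requests from an IIS W3C log by
# client IP and server port, so HTTP (80) and HTTPS (443) use can be compared.

function Get-MpConnectionSummary {
    param([Parameter(Mandatory)][string[]] $LogLines)

    $fields = $null
    $rows = foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # The header names the columns; W3C logs can re-emit it mid-file, so keep the latest.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        if (-not $fields) { continue }     # data before any #Fields header cannot be mapped
        $values = $line -split '\s+'
        $record = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $record[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$record
    }

    $rows |
        Where-Object { $_.'cs-uri-stem' -match '^/(ccm_system|sms_mp)/' } |
        Group-Object 's-port', 'c-ip' |
        ForEach-Object {
            $port = $_.Group[0].'s-port'
            if ($port -eq '443') { $scheme = 'HTTPS' } else { $scheme = 'HTTP' }
            [pscustomobject]@{
                ClientIP = $_.Group[0].'c-ip'
                Port     = $port
                Scheme   = $scheme
                Requests = $_.Count
            }
        } | Sort-Object ClientIP, Port
}

# Constructed sample log lines (not real data). Real logs are usually read with
# Get-Content from %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\.
$sample = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-05-23 08:00:01 10.0.0.5 GET /SMS_MP/.sms_aut MPLIST 443 - 10.0.1.20 ccmhttp 200 0 0 15
2012-05-23 08:00:02 10.0.0.5 POST /ccm_system/request - 443 - 10.0.1.20 ccmhttp 200 0 0 31
2012-05-23 08:00:05 10.0.0.5 GET /SMS_MP/.sms_aut MPLIST 80 - 10.0.1.21 ccmhttp 200 0 0 12
2012-05-23 08:00:07 10.0.0.5 GET /iisstart.htm - 80 - 10.0.1.99 Mozilla/5.0 200 0 0 2
'@ -split "`r?`n"

Get-MpConnectionSummary -LogLines $sample | Format-Table -AutoSize
```

On the sample data the output lists 10.0.1.20 with two HTTPS requests and 10.0.1.21 with one HTTP request; the non-client request to /iisstart.htm is filtered out. A client that holds a PKI certificate but keeps appearing on port 80 is the case to investigate before you move to HTTPS-only in step 11.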
Planning for the Trusted Root Key
The Configuration Manager trusted root key provides a mechanism for Configuration Manager
clients to verify that site systems belong to their hierarchy. Every site server generates a site
exchange key to communicate with other sites. The site exchange key from the top-level site in
the hierarchy is called the trusted root key.
The function of the trusted root key in Configuration Manager resembles a root certificate in a
public key infrastructure in that anything signed by the private key of the trusted root key is
trusted further down the hierarchy. For example, by signing the management point certificate with
the private key of the trusted root key pair, and by making a copy of the public key of the trusted
root key pair available to the clients, clients can differentiate between management points that are
in their hierarchy and management points that are not in their hierarchy. Clients use WMI to store
a copy of the trusted root key in the namespace root\ccm\LocationServices.
Clients can automatically retrieve the public copy of the trusted root key by using two
mechanisms:
 The Active Directory schema is extended for Configuration Manager, the site is published to
Active Directory Domain Services, and clients can retrieve this site information from a global
catalog server.
 Clients are installed by using client push.
If clients cannot retrieve the trusted root key by using one of these mechanisms, they trust the
trusted root key that is provided by the first management point that they communicate with. In this
scenario, a client might be misdirected to an attacker’s management point where it would receive
policy from the rogue management point. This would likely be the action of a sophisticated
attacker and might occur only in a limited time before the client retrieves the trusted root key from
a valid management point. However, to reduce this risk of an attacker misdirecting clients to a
rogue management point, you can pre-provision the clients by using the trusted root key.
Use the following procedures to pre-provision and verify the trusted root key for a Configuration
Manager client:
 Pre-provision a client by using the trusted root key by using a file.
 Pre-provision a client by using the trusted root key without using a file.
 Verify the trusted root key on a client.
Note
You do not have to pre-provision clients with the trusted root key if they can obtain it
from Active Directory Domain Services or they are installed by using client push. In
addition, you do not have to pre-provision clients when they use HTTPS communication
to management points because trust is established by using the PKI certificates.
You can remove the trusted root key from a client by using the Client.msi property
RESETKEYINFORMATION = TRUE with CCMSetup.exe. To replace the trusted root key,
reinstall the client together with the new trusted root key, for example, by using client push, or by
specifying the Client.msi SMSPublicRootKey property by using CCMSetup.exe.
To pre-provision a client with the trusted root key by using a file
1. In a text editor, open the file <Configuration Manager directory>\bin\mobileclient.tcf.
2. Locate the entry SMSPublicRootKey=, copy the key from that line, and close the file
without any changes.
3. Create a new text file and paste the key information that you copied from the
mobileclient.tcf file.
4. Save the file and place it somewhere where all computers can access it, but the file is
secured to prevent tampering.
5. Install the client by using any installation method that accepts Client.msi properties, and
specify the Client.msi property SMSROOTKEYPATH=<Full path and file name>.
To pre-provision a client with the trusted root key without using a file
1. In a text editor, open the file <Configuration Manager directory>\bin\mobileclient.tcf.
2. Locate the entry SMSPublicRootKey=, note the key from that line or copy it to the
Clipboard, and then close the file without any changes.
3. Install the client by using any installation method that accepts Client.msi properties, and
specify the Client.msi property SMSPublicRootKey=<key>, where <key> is the string
that you copied from mobileclient.tcf.
To verify the trusted root key on a client
1. On the Start menu, click Run, and then type Wbemtest.
2. In the Windows Management Instrumentation Tester dialog box, click Connect.
3. In the Connect dialog box, in the Namespace box, type root\ccm\LocationServices,
and then click Connect.
4. In the Windows Management Instrumentation Tester dialog box, in the
IWbemServices section, click Enum Classes.
5. In the Superclass Info dialog box, select Recursive, and then click OK.
6. In the Query Result window, scroll to the end of the list, and then double-click
TrustedRootKey ().
7. In the Object editor for TrustedRootKey dialog box, click Instances.
8. In the new Query Result window that displays the instances of TrustedRootKey,
double-click TrustedRootKey=@.
9. In the Object editor for TrustedRootKey=@ dialog box, in the Properties section, scroll
down to TrustedRootKey CIM_STRING. The string in the right column is the trusted root
key. Verify that it matches the SMSPublicRootKey value in the file <Configuration
Manager directory>\bin\mobileclient.tcf.
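The pre-provisioning without a file and the Wbemtest verification above, combined into one Windows PowerShell script as an added example (not code from the Configuration Manager documentation or product). It reads the same WMI class and property the Wbemtest steps navigate to; the site server installation directory, the CCMSetup share and the site code PS1 are assumed placeholders, and the read of mobileclient.tcf must happen over a channel protected by SMB signing or IPsec, as the text requires for the key file:

```powershell
# Added example: pre-provision a client with SMSPublicRootKey taken from
# mobileclient.tcf, then verify the key the installed client stored in WMI.

function Get-SmsPublicRootKey {
    param([string] $ConfigMgrDirectory = 'C:\Program Files\Microsoft Configuration Manager')  # assumed path
    $tcf = Join-Path $ConfigMgrDirectory 'bin\mobileclient.tcf'
    # The key is on a single line of the form SMSPublicRootKey=<string>.
    # Read only; the procedure says to close the file without changes.
    $line = Get-Content -Path $tcf |
        Where-Object { $_ -match '^SMSPublicRootKey=' } |
        Select-Object -First 1
    if (-not $line) { throw "SMSPublicRootKey entry not found in $tcf" }
    ($line -split '=', 2)[1].Trim()
}

function Get-ClientTrustedRootKey {
    # Same object Wbemtest shows: namespace root\ccm\LocationServices,
    # class TrustedRootKey, instance TrustedRootKey=@, property TrustedRootKey.
    $instance = Get-WmiObject -Namespace 'root\ccm\LocationServices' `
                              -Class 'TrustedRootKey' -ErrorAction Stop
    $instance.TrustedRootKey
}

# Pre-provision: hand the key to CCMSetup directly, so no key file is needed on the client.
$expectedKey = Get-SmsPublicRootKey
& '\\cmsrv01\ClientInstall$\ccmsetup.exe' "SMSPublicRootKey=$expectedKey" 'SMSSITECODE=PS1'

# Verify once the client is installed. A mismatch means the client trusts a key
# that did not come from your hierarchy's top-level site, which is the rogue
# management point scenario the text describes; treat it as an incident, not a typo.
$storedKey = Get-ClientTrustedRootKey
if ($storedKey -eq $expectedKey) {
    Write-Host 'Trusted root key on this client matches mobileclient.tcf.'
} else {
    Write-Warning "Trusted root key mismatch. Client: '$storedKey' Expected: '$expectedKey'"
}
```

The verification half can be run on its own from a remote session against existing clients to confirm that none of them learned a trusted root key from an unexpected management point.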
Planning for Signing and Encryption
When you use PKI certificates for all client communications, you do not have to plan for signing
and encryption to help secure client data communication. However, if you configure any site
systems that run IIS to allow HTTP client connections, you must decide how to help secure the
client communication for the site.
To help protect the data that clients send to management points, you can require it to be signed.
In addition, you can require that all signed data from clients that use HTTP is signed by using the
SHA-256 algorithm. Although this is a more secure setting, do not enable this option unless all
clients support SHA-256. Many operating systems natively support SHA-256, but older operating
systems might require an update or hotfix. For example, computers that run
Windows Server 2003 SP2 must install a hotfix that is referenced in the KB article 938397.
Whereas signing helps protect the data from tampering, encryption helps protect the data from
information disclosure. You can enable 3DES encryption for the inventory data and state
messages that clients send to management points in the site. You do not have to install any
updates on clients to support this option, but consider the additional CPU usage that will be
required on clients and the management point to perform the encryption and decryption.
Planning for Role-Based Administration
Role-based administration lets you design and implement administrative security for the
System Center 2012 Configuration Manager hierarchy by using any or all of the following:
 Security roles
 Collections
 Security scopes
These settings combine to define an administrative scope for an administrative user. The
administrative scope controls the objects that an administrative user can view in the Configuration
Manager console and the permissions that user has on those objects. Role-based administration
configurations replicate to each site in the hierarchy as global data, and then are applied to all
administrative connections.
Important
Intersite replication delays can prevent a site from receiving changes for role-based
administration. For information about how to monitor intersite database replication, see
the How to Monitor Database Replication and SQL Server Status for Database
Replication section in the Monitor Configuration Manager Sites and Hierarchy topic.
Planning for Security Roles
Use security roles to grant security permissions to administrative users. Security roles are groups
of security permissions that you assign to administrative users so that they can perform their
administrative tasks. These security permissions define the administrative actions that an
administrative user can perform and the permissions that are granted for particular object types.
As a security best practice, assign the security roles that provide the least permissions.
System Center 2012 Configuration Manager has several built-in security roles to support typical
groupings of administrative tasks, and you can create your own custom security roles to support
your specific business requirements. Examples of the built-in security roles:
 Full Administrator: This security role grants all permissions in Configuration Manager.
 Asset Analyst: This security role allows administrative users to view data collected by using
Asset Intelligence, software inventory, hardware inventory, and software metering.
Administrative users can create metering rules and Asset Intelligence categories, families,
and labels.
 Software Update Manager: This security role grants permissions to define and deploy
software updates. Administrative users who are associated with this role can create
collections, software update groups, deployments, templates, and enable software updates
for Network Access Protection (NAP).
Tip
You can view the list of built-in security roles and custom security roles you create,
including their descriptions, in the Configuration Manager console. To do so, in the
Administration workspace, expand Security, and select Security Roles.
Each security role has specific permissions for different object types. For example, the
Application Administrator security role has the following permissions for applications: Approve,
Create, Delete, Modify, Modify Folders, Move Objects, Read/Deploy, Set Security Scope.
You cannot change the permissions for the built-in security roles, but you can copy the role, make
changes, and then save these changes as a new custom security role. You can also import
security roles that you have exported from another hierarchy (for example, from a test network).
Review the security roles and their permissions to determine whether you will use the built-in
security roles or you have to create your own custom security roles.
Use the following steps to help you plan for security roles:
1. Identify the tasks that the administrative users perform in System Center 2012
Configuration Manager. These tasks might relate to one or more groups of management
tasks, such as deploying applications and packages, deploying operating systems and
settings for compliance, configuring sites and security, auditing, remotely controlling
computers, and collecting inventory data.
2. Map these administrative tasks to one or more of the built-in security roles.
3. If some of the administrative users perform the tasks of multiple security roles, assign the
multiple security roles to these administrative users instead of creating a new security role
that combines the tasks.
4. If the tasks that you identified do not map to the built-in security roles, create and test new
security roles.
Planning for Collections
Collections specify the user and computer resources that an administrative user can view or
manage. For example, for administrative users to deploy applications or to run remote control,
they must be assigned to a security role that grants access to a collection that contains these
resources. You can select collections of users or devices.
For more information about collections, see Introduction to Collections in Configuration Manager.
Before you configure role-based administration, check whether you have to create new
collections for any of the following reasons:
 Functional organization. For example, separate collections of servers and workstations.
 Geographic alignment. For example, separate collections for North America and Europe.
 Security requirements and business processes. For example, separate collections for
production and test computers.
 Organization alignment. For example, separate collections for each business unit.
Planning for Security Scopes
Use security scopes to provide administrative users with access to securable objects. A security
scope is a named set of securable objects that is assigned to administrative users as a group.
All securable objects must be assigned to one or more security scopes. Configuration Manager
has two built-in security scopes:
 All: This built-in security scope grants access to all scopes. You cannot assign objects to this
security scope.
 Default: This built-in security scope is used for all objects, by default. When you first install
System Center 2012 Configuration Manager, all objects are assigned to this security scope.
If you want to restrict the objects that administrative users can see and manage, you must create
and use your own custom security scopes. Security scopes do not support a hierarchical
structure and cannot be nested. Security scopes can contain one or more object types, which
include the following:
 Alert subscriptions
 Antimalware policies
 Applications
 Boot images
 Boundary groups
 Configuration items
 Custom client settings
 Distribution points and distribution point groups
 Driver packages
 Global conditions
 Migration jobs
 Operating system images
 Operating system installation packages
 Packages
 Queries
 Sites
 Software metering rules
 Software update groups
 Software updates packages
 Task sequence packages
 Windows CE device setting items and packages
There are also some objects that you cannot include in security scopes because they are only
secured by security roles. Administrative access to these cannot be limited to a subset of the
available objects. For example, you might have an administrative user who creates boundary
groups that are used for a specific site. Because the boundary object does not support security
scopes, you cannot assign this user a security scope that provides access to only the boundaries
that might be associated with that site. Because a boundary object cannot be associated to a
security scope, when you assign a security role that includes access to boundary objects to a
user, that user can access every boundary in the hierarchy.
Objects that are not limited by security scopes include the following:
 Active Directory forests
 Administrative users
 Alerts
 Boundaries
 Computer associations
 Default client settings
 Deployment templates
 Device drivers
 Exchange Server connector
 Migration site-to-site mappings
 Mobile device enrollment profiles
 Security roles
 Security scopes
 Site addresses
 Site system roles
 Software titles
 Software updates
 Status messages
 User device affinities
Create security scopes when you have to limit access to separate instances of objects. For
example:
 You have a group of administrative users who must be able to see production applications
and not test applications. Create one security scope for production applications and another
for the test applications.
 Different administrative users require different access for some instances of an object type.
For example, one group of administrative users requires Read permission to specific
software update groups, and another group of administrative users requires Modify and
Delete permissions for other software update groups. Create different security scopes for
these software update groups.
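As an added example that is not part of this documentation and is not Microsoft's code, the following Python model combines the three elements planned above (security roles, collections, and security scopes) into an administrative user's effective access, including the point that objects such as boundaries cannot be limited by a security scope. The permission sets, user names, object names, scope names, collection names and the custom boundary role are constructed assumptions.

```python
# Added example, not Microsoft's code: a small model of how role-based
# administration combines security roles, security scopes and collections into
# an administrative user's effective access. Role names and the scope rules
# follow the planning text; permission sets, users, objects, scope names,
# collection names and the custom boundary role are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Object types the text lists as not limited by security scopes: a role that
# grants access to them grants it for every instance in the hierarchy.
ROLE_ONLY_TYPES = {"Boundary", "Security role", "Security scope", "Software update"}

# User and device resources are controlled by collection membership instead.
COLLECTION_TYPES = {"Device", "User"}

# Security role -> object type -> permissions. "*" means every object type or
# every permission. Only the permissions mentioned in the text are modelled.
ROLES: Dict[str, Dict[str, Set[str]]] = {
    "Full Administrator": {"*": {"*"}},
    "Application Administrator": {"Application": {
        "Approve", "Create", "Delete", "Modify", "Modify Folders",
        "Move Objects", "Read", "Deploy", "Set Security Scope"}},
    "Software Update Manager": {
        "Software update group": {"Create", "Read", "Modify", "Delete", "Deploy"},
        "Software update": {"Read", "Deploy"},
        "Collection": {"Create", "Read"}},
    # Constructed custom role: boundaries are secured by roles only.
    "Boundary Operator (custom, constructed)": {"Boundary": {"Read", "Modify"}},
}


@dataclass(frozen=True)
class SecurableObject:
    name: str
    obj_type: str
    scopes: FrozenSet[str] = frozenset()   # security scopes the object is assigned to
    collection: Optional[str] = None       # collection a user/device resource belongs to


@dataclass
class AdminUser:
    name: str
    roles: Set[str]         # several roles may be assigned instead of one combined custom role
    scopes: Set[str]        # "All" is the built-in scope that grants access to all scopes
    collections: Set[str]


def role_grants(roles: Set[str], obj_type: str, permission: str) -> bool:
    """True when at least one assigned role grants `permission` on `obj_type`."""
    for role in roles:
        grants = ROLES.get(role, {})
        allowed = grants.get("*", set()) | grants.get(obj_type, set())
        if "*" in allowed or permission in allowed:
            return True
    return False


def can_access(user: AdminUser, obj: SecurableObject, permission: str) -> bool:
    """Effective access: the role must grant the permission, and the object must
    be reachable through a shared scope, an assigned collection, or be of a type
    that security scopes cannot limit."""
    if not role_grants(user.roles, obj.obj_type, permission):
        return False
    if obj.obj_type in ROLE_ONLY_TYPES:
        return True                        # no scope can narrow this: hierarchy-wide
    if obj.obj_type in COLLECTION_TYPES:
        return obj.collection in user.collections
    return "All" in user.scopes or bool(user.scopes & obj.scopes)


def scope_plan_check(user: AdminUser, objs: List[SecurableObject], permission: str) -> List[str]:
    """Names of the objects this user can reach with `permission`, for reviewing a plan."""
    return sorted(o.name for o in objs if can_access(user, o, permission))


# Constructed sample data: production and test scopes as in the text's example.
PROD_APP = SecurableObject("Payroll 3.1", "Application", frozenset({"Production"}))
TEST_APP = SecurableObject("Payroll 3.2-beta", "Application", frozenset({"Test"}))
BOUNDARY = SecurableObject("10.1.0.0/16 (site PS1, constructed)", "Boundary")
SERVER = SecurableObject("SRV01", "Device", collection="Production Servers")

APP_ADMIN = AdminUser("alice (constructed)", {"Application Administrator"},
                      {"Production"}, {"Production Servers"})
FULL_ADMIN = AdminUser("bob (constructed)", {"Full Administrator"},
                       {"All"}, {"Production Servers"})
BOUNDARY_OP = AdminUser("carol (constructed)", {"Boundary Operator (custom, constructed)"},
                        {"Test"}, set())

if __name__ == "__main__":
    everything = [PROD_APP, TEST_APP, BOUNDARY, SERVER]
    for user in (APP_ADMIN, FULL_ADMIN, BOUNDARY_OP):
        print(user.name, "can Modify:", scope_plan_check(user, everything, "Modify"))
```

Running the script lists what each constructed user could modify, which is the review the planning steps above ask for before assigning roles and scopes. Note that carol reaches the boundary even though her only scope is Test.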
See Also
Planning for Configuration Manager Sites and Hierarchy
Planning for Communications in
Configuration Manager
Before you install System Center 2012 Configuration Manager, plan for the network
communications between different sites in a hierarchy, between different site system servers in a
site, and between clients and site system servers. These communications might be contained in a
single domain, or they might span multiple Active Directory forests. You might also have to plan
for communications to manage clients on the Internet.
Use the following sections in this topic to help you plan for communications in Configuration
Manager.
 Planning for Intersite Communications in Configuration Manager
 Planning for Intrasite Communications in Configuration Manager
 Planning for Client Communication in Configuration Manager
 Planning for Communications Across Forests in Configuration Manager
 Planning for Internet-Based Client Management
 Planning for Network Bandwidth in Configuration Manager
What’s New in Configuration Manager
Note
The information in this section also appears in the Getting Started with System Center
2012 Configuration Manager guide.
The following items are new or have changed for site communication since Configuration
Manager 2007:
 Site-to-site communication now uses database replication in addition to file-based replication
for many site-to-site data transfers, including configurations and settings.
 The Configuration Manager 2007 concept of mixed-mode or native-mode sites to define how
clients communicate to site systems in the site has been replaced by site system roles that
can independently support HTTP or HTTPS client communications.
 To help support client computers in other forests, Configuration Manager can discover
computers in these forests and publish site information to these forests.
 The server locator point is no longer used, and the functionality of this site system role is
moved to the management point.
 Internet-based client management now supports the following:
    User policies when the Internet-based management point can authenticate the user by
  using Windows authentication (Kerberos or NTLM).
    Simple task sequences, such as scripts. Operating system deployment on the Internet
  remains unsupported.
    Clients on the Internet first try to download any required software updates from
  Microsoft Update, rather than from an Internet-based distribution point in their assigned
  site. Only if this fails will they then try to download the required software updates from
  an Internet-based distribution point.
Planning for Intersite Communications in
Configuration Manager
In a Configuration Manager hierarchy, each site communicates with its parent site and its direct
child sites by using two data transfer methods: file-based replication and database replication.
Secondary sites not only communicate to their parent primary sites by using both data transfer
methods, but can also communicate with other secondary sites by using file-based replication to
route content to remote network locations.
Configuration Manager uses file-based replication and database replication to transfer different
types of information between sites.
File-Based Replication
Configuration Manager uses file-based replication to transfer file-based data between sites in
your hierarchy. This data includes content such as applications and packages that you want to
deploy to distribution points in child sites, and unprocessed discovery data records that are
transferred to parent sites where they are processed.
File-based communication between sites uses the Server Message Block (SMB) protocol by
using TCP/IP port 445. You can specify configurations that include bandwidth throttling and pulse
mode to control the amount of data transferred across the network, and schedules to control
when to send data across the network.
To transfer file-based data, Configuration Manager uses an address and a sender to connect to
the SMS_SITE share on the destination site server.
Addresses and Senders
Configuration Manager uses an address and a sender to transfer file-based data between sites in
a hierarchy. The following sections describe addresses and senders.
Address
Each address identifies a destination site to which file-based data can transfer. Each site
supports a single address to a specific destination site.
Configuration Manager supports the following configurations for addresses:
 Site Address Account: This account is used to connect to the destination site and to write
data to that site's SMS_SITE share. Data written to this share is processed by the receiving
site. By default, when a site is added to the hierarchy, Configuration Manager assigns the site
server's computer account at the new site and its parent site as the Site Address Account.
This account is added to the destination site's SMS_SiteToSiteConnection_<Sitecode> group,
which is a local group on the computer that grants access to the SMS_SITE share. You can
change this account to be a Windows user account. If you change the account, ensure that you
add the new account to the destination site's SMS_SiteToSiteConnection_<Sitecode> group.
Note
Secondary sites always use the computer account of the secondary site server as the Site
Address Account.
 Schedule: You can configure a schedule for each address to restrict the type of data, and
the time, when data can transfer to the destination site.
 Rate Limits: You can configure rate limits for an address to control the network bandwidth
that is used when transferring data to the destination site:
    Use Pulse mode to specify the size of the data blocks that are sent to the destination
  site. You can also specify a time delay between sending each data block. Use this option
  when you must send data across a very low bandwidth network connection to the destination
  site. For example, you might have constraints to send 1 KB of data every five seconds, but
  not 1 KB every three seconds, regardless of the speed of the link or its usage at a given
  time.
    Use Limited to maximum transfer rates by hour to have a site send data to a destination
  site by using only the percentage of time that you specify. When you use this option,
  Configuration Manager does not identify the network's available bandwidth, but instead
  divides the time it can send data into slices of time. Then data is sent in a short block of
  time, which is followed by blocks of time when data is not sent. For example, if the
  maximum rate is set to 50%, Configuration Manager transmits data for an amount of time
  followed by an equal period of time when no data is sent. The actual amount of data, or the
  size of the data block, is not managed. Instead, only the amount of time during which data is
  sent is managed.
  Caution
  By default, a site can use up to three concurrent sendings to transfer data to a destination
  site. When you enable rate limits for an address, the concurrent sendings for sending data
  to that site are limited to one. This applies even when the Limit available bandwidth (%) is
  set to 100%. When using the default settings for the sender, this reduces the transfer rate
  to the destination site to one third of the default capacity.
 You can configure an address between two secondary sites to route file-based content
between those sites.
To manage an address in the Administration workspace, expand the Hierarchy Configuration
node, and select Addresses.
Sender
Each site has one sender. The sender manages the network connection from one site to a
destination site, and can be used to establish connections to multiple sites at the same time. To
connect to a site, the sender uses the address for the site to identify the account to use to
establish the network connection, and then to write data to the destination site's SMS_SITE
share.
By default, the sender writes data to a destination site by using multiple concurrent sendings.
Each concurrent sending can transfer a different file-based object to the destination site. By
default, when the sender begins to send an object, the sender continues to write blocks of data
for the object until the entire object is sent. After all the data for the object has been sent, a new
object can begin to send.
You can configure the following settings for a sender:
 Maximum concurrent sendings: By default, each site is configured to use five concurrent
sendings, with three available for use when it sends to any one destination site. When you
increase this number you can increase the throughput of data between sites, but you also
increase the demand for network bandwidth between sites.
 Retry settings: By default, each site is configured to retry a connection two times with a one
minute delay between connection attempts. You can modify the number of connection attempts
the site makes, and how long to wait between those attempts.
To manage the sender for a site in the Administration workspace, expand the Hierarchy
Configuration node, expand Sites, and then click Properties for the site that you want to manage.
Click the Sender tab to change the sender configuration.
Database Replication
Configuration Manager database replication uses SQL Server to transfer data and merge
changes that are made in a site database with the information stored in the database at other
sites in the hierarchy. This enables all sites to share the same information. Database replication is
automatically configured by all Configuration Manager sites. When you install a site to a
hierarchy, database replication automatically configures between the new site and its designated
parent site. When the site installation finishes, database replication automatically starts.
When you install a new site in a hierarchy, Configuration Manager creates a generic database at
the new site. Next, the parent site creates a snapshot of the relevant data in its database and
transfers that snapshot to the new site by using file-based replication. The new site then uses the
SQL Server bulk copy program (BCP) to load the information into its local copy of the
Configuration Manager database. After the snapshot loads, each site conducts database
replication with the other site.
To replicate data between sites, Configuration Manager uses a database replication service. The
database replication service uses SQL Server change tracking to monitor the local site database
for changes and then replicates those changes to other sites by using a SQL Server Service
Broker. By default, this process uses the TCP/IP port 4022.
To replicate data by database replication, Configuration Manager groups different data into
distinct groups. Each group can have a separate, fixed replication schedule. For example, a
configuration change to a role-based administration configuration replicates quickly to other sites
to ensure that these changes are enforced as soon as possible. Meanwhile a lower priority
configuration change, such as a request to install a new secondary site, replicates with less
urgency and takes several minutes for the new site request to reach the destination primary site.
Note
Configuration Manager database replication is configured automatically and does not
support configuration of replication groups or replication schedules.
Configuration Manager classifies the data that it replicates by database replication as either
global data or site data. A third data type that is named local data, does not replicate to other
sites. Local data includes information that is not required by other sites.
Global Data
Global data refers to administrator-created objects that replicate to all sites throughout the
hierarchy, although secondary sites receive only a subset of global data, as global proxy data.
Examples of global data include software deployments, software updates, collections, and
role-based administration security scopes. Administrators can create global data at central
administration sites and primary sites.
Site Data
Site data refers to operational information that Configuration Manager primary sites and the
clients that report to primary sites create. Site data replicates to the central administration site but
not to other primary sites. Examples of site data include hardware inventory data, status
messages, alerts, and the results from query-based collections. Site data is only viewable at the
central administration site and the primary site where the data originates. You can modify site
data only at the primary site where it was created.
All site data replicates to the central administration site; therefore the central administration site
can perform administration and reporting for the whole hierarchy.
Planning for Intrasite Communications in
Configuration Manager
Each Configuration Manager site contains a site server and can have one or more additional site
system servers that host site system roles. Configuration Manager requires each site system
server to be a member of an Active Directory domain. Configuration Manager does not support a
change of the computer name or the domain membership while the computer remains a site
system.
When Configuration Manager site systems or components communicate across the network to
other site systems or Configuration Manager components in the site, they use either server
message block (SMB), HTTP, or HTTPS. The communication method depends on how you
choose to configure the site. With the exception of communication from the site server to a
distribution point, these server-to-server communications in a site can occur at any time and do
not use mechanisms to control the network bandwidth. Because you cannot control the
communication between site systems, ensure that you install site system servers in locations that
have well connected and fast networks.
You can use the following options to help you manage the transfer of content from the site server
to distribution points:
 Configure the distribution point for network bandwidth control and scheduling. These controls
resemble the configurations used by intersite addresses, and you can often use this
configuration instead of installing another Configuration Manager site when the transfer of
content to remote network locations is your main bandwidth consideration.
 You can install a distribution point as a prestaged distribution point. A prestaged distribution
point lets you use content that is manually put on the distribution point server and removes
the requirement to transfer content files across the network.
For more information about network bandwidth considerations, see Network Bandwidth
Considerations for Distribution Points in Planning for Content Management in Configuration
Manager.
Planning for Client Communication in
Configuration Manager
Client communication in Configuration Manager includes client-to-site-system communications
and service location inquiries. By using service location inquiries, Configuration Manager clients
can identify the site system servers to use.
Planning for Client Communication to Site Systems
Configuration Manager clients initiate communication to site system roles that provide services to
clients. This includes management points from which clients download client policy, and
distribution points from which clients download content. To communicate with a site system role,
the client must first locate a site system role that is configured to support the protocol (HTTPS or
HTTP) that the client can use. By default, clients use the most secure method available to them.
Therefore, a client that is configured to use a PKI certificate attempts to locate and communicate
with a site system role by using HTTPS before it communicates with a site system role that uses
HTTP.
For a Configuration Manager client to use HTTPS, you must have a public key infrastructure
(PKI) and must install PKI certificates on clients and servers. The client requires a certificate that
has client authentication capability for mutual authentication with the site system server. For
information about how to use certificates, see PKI Certificate Requirements for Configuration
Manager.
When you deploy a site system role that uses Internet Information Services (IIS) and supports
communication from clients that include management points, an Application Catalog website
point, a state migration point, or distribution points, you must specify whether clients connect to
the site system by using HTTP or HTTPS. If you use HTTP, you must also consider signing and
encryption choices. For more information, see Planning for Signing and Encryption.
You can also configure the site system to use an intranet fully qualified domain name (FQDN)
and an Internet FQDN. When you configure an Internet FQDN, you can then configure the site
system role to accept client connections from the Internet. You can configure support for client
connections from the Internet only, or client connections from the intranet and Internet.
You can deploy multiple instances of a site system role in a site and separate instances of that
site system role support different communication settings. For example, in a single site, you can
have one management point that accepts HTTPS client communication and another
management point that accepts HTTP client communication. You can use one site to manage
clients across different network locations that use different communication protocols and security
settings.
Planning for Client Approval
When clients use a PKI certificate to authenticate themselves to a management point,
Configuration Manager knows that the client is trusted because the trust is established by using
PKI. When you do not use PKI to establish this trust, Configuration Manager uses a process
named client approval to register this trust.
By default, Configuration Manager uses the computer account of the device and Kerberos
authentication to verify that the device is trusted. With this default setting, you must manually
verify that any client that is displayed as Not Approved in the Configuration Manager console is
a trusted device, and then approve it to be managed by Configuration Manager. This scenario
applies to computers that are in untrusted forests and in workgroups. It also applies if
Kerberos authentication failed for any reason.
Although Configuration Manager has a configuration option to automatically approve all clients,
do not use this configuration unless Configuration Manager is running in a secured test
environment. You can also select a configuration option to always manually approve clients.
The approval setting is for all devices in the hierarchy, and you can manually approve clients from
anywhere in the hierarchy.
Although some management functions might work for clients that are not approved,
Configuration Manager does not support the management of these devices.
Planning for Service Location by Clients
Service location is how Configuration Manager clients find sites, site information, and site system
roles that they can communicate with. For example, for clients to successfully download client
policy, they must first locate a management point from their site that uses the same protocol as
they use.
Service location is independent from name resolution, which maps a computer name to an IP
address. Name resolution is performed by DNS or WINS. However, DNS and WINS can also be
used for service location.
Clients search for a management point by using the following options in the order specified:
1. Management point
2. Active Directory Domain Services
3. DNS
4. WINS
Planning for Service Location from Management Points
When you install a Configuration Manager client, you can use the /MP option to indicate the
management point for the client installation process to download the client installation files. You
can use the SMSMP= option to identify the initial management point that the client first
communicates with. When a client communicates successfully with a management point from its
assigned site, it downloads the current list of available management points and stores this
information locally in WMI for future use. After the initial list of management points is built, the
client updates the list every 25 hours, and when it receives a new IP address, and when the client
CCMEXEC service starts.
During the installation of the client, the client builds a lookup list of management points (also
known as an MP list) that includes the management points that you specify during client
installation, and management points that the client can identify from Active Directory Domain
Services. A site must have one or more management points installed, and the site must publish to
Active Directory Domain Services before the client can discover the site’s management points
from Active Directory Domain Services. Management points that are found in Active Directory
Domain Services must match the client’s assigned site code and client version. The client ignores
management points that are published by Configuration Manager 2007. If you did not specify a
management point to the client during client installation, and if you have not extended the Active
Directory schema, the client checks DNS and WINS for management points to add to its lookup
list.
Note
When a client is a member of more than one boundary group that is configured for site
assignment, the management point lookup list is determined by a union of all of the
boundaries that are associated to each of those boundary groups.
After the client builds its list of management points, it sorts the list into different priorities. When
the client supports a client PKI certificate, the client uses a management point that supports
HTTPS communication and puts HTTPS-capable management points first in the list, as preferred
management points. The client then tries to contact a preferred management point before it uses
a management point that is not preferred. The order of all equivalent management points is not
set and only the relative priority is set. This order of equivalent management points can reset
every time that the client updates its management point lookup list. Therefore, a client that has
three HTTPS capable management points available to it might contact any of the three HTTPS
management points during each new connection attempt. If the client cannot reach the first
management point, it retries several times. If it continues to fail, it tries additional management
points until communications are established, or there are no more management points on its list.
For information about how to install Configuration Manager clients, and how to use command-line
parameters to specify management points and the protocol that a client uses to contact site
system roles, see How to Install Clients on Computers in Configuration Manager.
If the client cannot contact a management point from its lookup list, it tries to use an alternative
service location method.
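The lookup-list rules described above, as an added example in Python that is not Microsoft's code and not part of this documentation: it keeps only management points that match the client's assigned site code and are not published by Configuration Manager 2007, follows the management point, Active Directory Domain Services, DNS, WINS search order, puts HTTPS-capable management points first for a client with a PKI certificate, and retries before moving on. The management point names, site codes and the retry count of 3 are constructed assumptions; the text says only that the client retries several times.

```python
# Added example, not Microsoft's code: a model of how a client builds and
# orders its management point lookup list and picks a management point.
# Management point names, site codes and the retry count are constructed.
import random
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ManagementPoint:
    fqdn: str
    site_code: str
    https: bool         # accepts HTTPS client connections
    published_by: str   # "2012" or "2007": clients ignore MPs published by CM 2007


def _usable(mp: ManagementPoint, assigned_site: str) -> bool:
    """MPs must match the client's assigned site code and client version."""
    return mp.site_code == assigned_site and mp.published_by == "2012"


def build_lookup_list(assigned_site: str, specified: List[ManagementPoint],
                      from_adds: List[ManagementPoint], from_dns: List[ManagementPoint],
                      from_wins: List[ManagementPoint],
                      schema_extended: bool) -> List[ManagementPoint]:
    """Sources in the order the text gives: the MP specified at installation,
    Active Directory Domain Services (usable only when the schema is extended),
    then DNS and WINS (checked only when no MP was specified and the schema is
    not extended)."""
    mp_list: List[ManagementPoint] = []

    def add(source: List[ManagementPoint]) -> None:
        for mp in source:
            if _usable(mp, assigned_site) and mp not in mp_list:
                mp_list.append(mp)

    add(specified)
    if schema_extended:
        add(from_adds)
    if not specified and not schema_extended:
        add(from_dns)
        add(from_wins)
    return mp_list


def order_lookup_list(mp_list: List[ManagementPoint], client_has_pki: bool,
                      seed: Optional[int] = None) -> List[ManagementPoint]:
    """A PKI client puts HTTPS-capable MPs first as preferred; the order among
    equivalent MPs is not fixed and may change at every list refresh. A client
    without a PKI certificate can only use MPs that accept HTTP."""
    rng = random.Random(seed)
    if client_has_pki:
        preferred = [mp for mp in mp_list if mp.https]
    else:
        preferred = []
    others = [mp for mp in mp_list if not mp.https]
    rng.shuffle(preferred)
    rng.shuffle(others)
    return preferred + others


def contact(ordered: List[ManagementPoint], reachable: Callable[[ManagementPoint], bool],
            retries: int = 3) -> Tuple[Optional[ManagementPoint], List[str]]:
    """Retry each MP `retries` times (constructed value; the text says 'several')
    before trying the next. None means the list is exhausted and the client
    must fall back to another service location method."""
    attempts: List[str] = []
    for mp in ordered:
        for _ in range(retries):
            attempts.append(mp.fqdn)
            if reachable(mp):
                return mp, attempts
    return None, attempts


# Constructed sample management points.
PS1_SPEC = ManagementPoint("mp-http.contoso.com", "PS1", False, "2012")    # given at install (SMSMP=)
PS1_HTTPS = ManagementPoint("mp-https.contoso.com", "PS1", True, "2012")   # published to AD DS
OLD_MP = ManagementPoint("mp-2007.contoso.com", "PS1", False, "2007")      # CM 2007: ignored
OTHER_SITE = ManagementPoint("mp-ps2.contoso.com", "PS2", True, "2012")    # wrong site: ignored
DNS_MP = ManagementPoint("mp-dns.contoso.com", "PS1", False, "2012")       # found via DNS

if __name__ == "__main__":
    mps = build_lookup_list("PS1", [PS1_SPEC], [PS1_HTTPS, OLD_MP, OTHER_SITE], [DNS_MP], [], True)
    ordered = order_lookup_list(mps, client_has_pki=True, seed=1)
    print("lookup list:", [mp.fqdn for mp in ordered])
    chosen, tried = contact(ordered, lambda mp: mp is PS1_SPEC, retries=2)
    print("contacted:", chosen.fqdn if chosen else None, "after", tried)
```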
Planning for Service Location from Active Directory Domain Services
Intranet clients use Active Directory Domain Services as their primary method of service location.
Examples of site information include the location of available site system roles and their
capabilities, and the security information that is required by client computers to establish trusted
connections with site system servers in the site. Configuration Manager clients can use Active
Directory Domain Services for service location when all the following conditions are true:
 The Active Directory schema is extended for Configuration Manager 2007 or
System Center 2012 Configuration Manager.
 Configuration Manager sites publish to Active Directory Domain Services.
 The Active Directory forest is enabled for publishing in Configuration Manager.
 The client computer is a member of an Active Directory domain and can access a global
catalog server.
If any one of these conditions cannot be met, you can configure alternative service location
methods. Alternatives include DNS, WINS, and a management point that is specified during client
installation.
Planning for Service Location by Using DNS Publishing
If you cannot publish site information to Active Directory Domain Services, consider publishing
management points to DNS. You can publish this site system role for clients on the intranet.
Determine Whether to Publish Management Points to DNS
When you publish Configuration Manager management points to DNS, this configuration adds a
service location resource record (SRV RR) in the DNS zone of the site system server that hosts
the management point. Ensure that you have a corresponding host entry for the site system
server. Consider publishing to DNS when any of the following conditions are true:
 The Active Directory Domain Services schema is not extended to support Configuration
Manager.
 Clients on the intranet are located in a forest that is not enabled for Configuration Manager
publishing.
 Clients are on workgroup computers, and they are not configured for Internet-only client
management.
Note
Publishing service location records for management points in DNS is applicable only to
management points that accept client connections from the intranet.
Client Discovery of Management Points from DNS
For clients to find a management point in DNS, you must assign the clients to a specific site
instead of using automatic site assignment. Additionally, you must configure a client property that
specifies the domain suffix of the management point.
Clients on the intranet use this domain suffix to query DNS for management points for their
assigned site. When more than one management point for the site is published to DNS, a client
selects the first management point that matches its own communication setting for HTTPS or
HTTP. A client that can use HTTPS always selects a management point that is configured for
HTTPS if one is available.
For more information about how to configure the DNS suffix client property, see How to Configure
Client Computers to Find Management Points by using DNS Publishing in Configuration
Manager.
Publish Management Points to DNS
To publish management points to DNS, the following two conditions must be true:
 Your DNS servers support service location resource records, by using a version of BIND that
is at least 8.1.2.
 The specified intranet FQDNs in Configuration Manager have host entries (for example, A
records) in DNS.
When your DNS servers support automatic updates, you can configure System Center 2012
Configuration Manager to automatically publish management points on the intranet to DNS, or
you can manually publish these records to DNS. When management points are published to
DNS, their intranet FQDN and port number are published in the service location (SRV) record.
When your DNS servers do not support automatic updates but do support service location
records, you can manually publish management points to DNS. To accomplish this, you must
manually specify the service location resource record (SRV RR) in DNS.
Configuration Manager supports RFC 2782 for service location records, which have the following
format:
_Service._Proto.Name TTL Class SRV Priority Weight Port Target
To publish a management point to Configuration Manager, specify the following values:
 _Service: Enter _mssms_mp_<sitecode>, where <sitecode> is the management point's site
code.
 ._Proto: Specify ._tcp.
 .Name: Enter the DNS suffix of the management point, for example contoso.com.
 TTL: Enter 14400, which is four hours.
 Class: Specify IN (in compliance with RFC 1035).
 Priority: This field is not used by Configuration Manager.
 Weight: This field is not used by Configuration Manager.
 Port: Enter the port number that the management point uses, for example 80 for HTTP and
443 for HTTPS.
If the management point accepts HTTP and HTTPS client connections, you must
create two SRV records. In one record, specify the HTTP port number; in the other,
specify the HTTPS port number.
 Target: Enter the intranet FQDN that is specified for the site system that is configured with
the management point site role.
If you use Windows Server DNS, you can use the following procedure to enter this DNS record
for intranet management points. If you use a different implementation for DNS, use the
information in this section about the field values and consult that DNS documentation to adapt
this procedure.
To manually publish management points to DNS on Windows Server
1. In the Configuration Manager console, specify the intranet FQDNs of site systems.
2. In the DNS management console, select the DNS zone for the management point
computer.
3. Verify that there is a host record (A or AAAA) for the intranet FQDN of the site system. If
this record does not exist, create it.
4. By using the New Other Records option, click Service Location (SRV) in the Resource
Record Type dialog box, click Create Record, enter the following information, and then
click Done:
 Domain: If necessary, enter the DNS suffix of the management point, for example
contoso.com.
 Service: Type _mssms_mp_<sitecode>, where <sitecode> is the management
point's site code.
 Protocol: Type _tcp.
 Priority: This field is not used by Configuration Manager.
 Weight: This field is not used by Configuration Manager.
 Port: Enter the port number that the management point uses, for example 80 for
HTTP and 443 for HTTPS.
Note
If the management point accepts HTTP and HTTPS client connections, you
must create two SRV records. In one record, specify the HTTP port number;
in the other, specify the HTTPS port number.
 Host offering this service: Enter the intranet fully qualified domain name that is
specified for the site system that is configured with the management point site role.
Repeat these steps for each management point on the intranet that you want to publish to
DNS.
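The following PowerShell script is an added example and is not part of the Microsoft documentation or of Configuration Manager itself. It performs the manual publishing procedure above with the Windows Server DNS cmdlets instead of the DNS management console, creating one SRV record per port (HTTP and HTTPS) with the field values the section specifies, and then resolves the records the way a client configured with the DNS suffix would, selecting the first record that matches its HTTPS setting. The zone contoso.com, the site code PS1 and the management point name mp01.contoso.com are constructed values; the script assumes the DnsServer and DnsClient modules (Windows Server 2012 or later) and permission to modify the zone.

```powershell
# Added example (not Microsoft's code): publish and verify _mssms_mp_<sitecode> SRV records.
# Assumes the DnsServer cmdlets (run on or against a Windows Server DNS server) and the
# DnsClient cmdlets. Zone, site code and management point name below are constructed.

$zone     = 'contoso.com'          # DNS suffix of the management point (the .Name field)
$siteCode = 'PS1'                  # constructed site code
$mpFqdn   = 'mp01.contoso.com'     # intranet FQDN of the management point (the Target field)
$ttl      = New-TimeSpan -Hours 4  # 14400 seconds, the TTL the documentation specifies

# Owner name relative to the zone, in the RFC 2782 form _Service._Proto
$owner = "_mssms_mp_$siteCode._tcp"

# Step 3 of the procedure: the Target must already have a host (A or AAAA) record.
$hostLabel  = $mpFqdn -replace "\.$([regex]::Escape($zone))$", ''
$hostRecord = Get-DnsServerResourceRecord -ZoneName $zone -Name $hostLabel -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordType -in 'A', 'AAAA' }
if (-not $hostRecord) {
    throw "No A/AAAA record for $mpFqdn in zone $zone; create the host record before the SRV record."
}

# Step 4: one SRV record per port the management point listens on. A management point that
# accepts both HTTP and HTTPS needs two records. Priority and Weight are not used by
# Configuration Manager, so both are set to 0.
foreach ($port in 80, 443) {
    Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name $owner -DomainName $mpFqdn `
        -Port $port -Priority 0 -Weight 0 -TimeToLive $ttl
}

# Verification from the client's point of view: query the SRV records for the site and
# pick the first one whose port matches the client's own HTTP/HTTPS setting.
$records = Resolve-DnsName -Name "$owner.$zone" -Type SRV
$records | Format-Table Name, NameTarget, Port, Priority, Weight, TTL -AutoSize

$clientUsesHttps = $true      # a client that can use HTTPS prefers the HTTPS record
$preferredPort   = if ($clientUsesHttps) { 443 } else { 80 }
$selected = $records | Where-Object { $_.Port -eq $preferredPort } | Select-Object -First 1
if ($selected) {
    "Client would connect to $($selected.NameTarget):$($selected.Port)"
} else {
    "No management point record found for port $preferredPort"
}
```

If the management point only accepts HTTPS connections, restrict the `foreach` to port 443; publishing an HTTP record for a management point that does not listen on port 80 only produces failed client connection attempts.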
Planning for Service Location by Using WINS
The first management point in the primary site that is configured to accept HTTP client
connections is automatically published to WINS. When other service location mechanisms fail,
clients can find an initial management point by checking WINS. When they connect to this
management point, they download a list of other management points. This behavior means that
clients can indirectly locate all management points from WINS and use them for subsequent
connections.
For example, you might prefer clients to use HTTPS when they connect to management points on
the intranet, because this configuration provides improved security. You configure all
management points but one to accept only HTTPS client connections. The one management
point that accepts HTTP client connections is used only when clients first connect to the site.
If you do not want clients to find an HTTP management point in WINS, configure clients with the
CCMSetup.exe Client.msi property SMSDIRECTORYLOOKUP=NOWINS.
Planning How to Wake Up Clients
Configuration Manager supports two wake on local area network (LAN) technologies to wake up
computers in sleep mode when you want to install required software, such as software updates
and applications: traditional wake-up packets and AMT power-on commands.
As a security best practice, use AMT power on commands when this is possible. Because this
technology uses PKI certificates to help secure the communication, it is more secure than
sending wake-up packets. However, to use AMT power on commands, the computers must be
Intel AMT-based computers that are provisioned for AMT. For more information about how
Configuration Manager can manage AMT-based computers, see Introduction to Out of Band
Management in Configuration Manager.
If you want to wake up computers for scheduled software installation, you must configure each
primary site for one of the three options:
 Use AMT power on commands if the computer supports this technology; otherwise use wake-
up packets
 Use AMT power on commands only.
 Use wake-up packets only.
Use the following table for more information about the differences between the two Wake-on-LAN
(WOL) technologies for this scenario.
Technology: Traditional wake-up packets
Advantage:
 Does not require any additional site system roles in the site.
 Supported by many network adapters.
 UDP wake-up packets are quick to send and process.
 Does not require a PKI infrastructure.
 Does not require any changes to Active Directory Domain Services.
 Supported on workgroup computers, computers from another Active Directory forest, and
computers in the same Active Directory forest but using a noncontiguous namespace.
Disadvantage:
 Less secure solution than AMT power on commands because it does not use authentication
or encryption. If subnet-directed broadcast transmissions are used for the wake-up packets,
this has the security risk of smurf attacks.
 Might require manual configuration on each computer for BIOS settings and adapter
configuration.
 No confirmation that computers are woken up.
 Wake-up transmissions as multiple User Datagram Protocol (UDP) packets can unnecessarily
saturate available network bandwidth.
 Cannot wake up computers interactively.
 Cannot return computers to sleep state.
 Management features are restricted to waking up computers only.
Technology: AMT power on commands
Advantage:
 More secure solution than traditional wake-up packets because it provides authentication and
encryption by using standard industry security protocols. It can also integrate with an existing
PKI deployment, and the security controls can be managed independently from the product.
 Supports automatic centralized setup and configuration (AMT provisioning).
 Established transport session for a more reliable connection and auditable connection.
 Computers can be woken up interactively (and restarted).
 Computers can be powered down interactively.
 Additional management capabilities, which include the following:
     Restarting a nonfunctioning computer and booting from a locally connected device or
    known good boot image file.
     Re-imaging a computer by booting from a boot image file that is located on the network
    or by using a PXE server.
     Reconfiguring the BIOS settings on a selected computer and bypassing the BIOS
    password if this is supported by the BIOS manufacturer.
     Booting to a command-based operating system to run commands, repair tools, or
    diagnostic applications (for example, upgrading the firmware or running a disk repair tool).
Disadvantage:
 Requires that the site has an out of band service point and enrollment point.
 Supported only on computers that have the Intel vPro chip set and a supported version of
Intel Active Management Technology (Intel AMT) firmware. For more information about which
AMT versions are supported, see Supported Configurations for Configuration Manager.
 The transport session requires more time to establish, higher processing on the server, and
an increase in data transferred.
 Requires a PKI deployment and specific certificates.
 Requires an Active Directory container that is created and configured for publishing AMT-
based computers.
 Cannot support workgroup computers, computers from another Active Directory forest, or
computers from the same Active Directory forest but that use a noncontiguous namespace.
 Requires changes to DNS and DHCP to support AMT provisioning.
Choose how to wake up computers based on whether you can support the AMT power on
commands and whether the computers assigned to the site support the Wake-on-LAN
technology. Also consider the advantages and disadvantages of both technologies that are listed
in the previous table. For example, wake-up packets are less reliable and are not secured, but
power on commands take longer to establish and require more processing on the site system
server that is configured with the out of band service point.
Important
Because of the additional overhead involved in establishing, maintaining, and ending an
out of band management session to AMT-based computers, conduct your own tests so
that you can accurately judge how long it takes to wake up multiple computers by using
AMT power on commands in your environment (for example, across slow WAN links to
computers in secondary sites). This knowledge helps you determine whether waking up
multiple computers for scheduled activities by using AMT power on commands is
practical when you have many computers to wake up in a short amount of time.
If you decide to use traditional wake-up packets, you must also decide whether to use subnet-
directed broadcast packets, or unicast packets, and what UDP port number to use. By default,
traditional wake-up packets are transmitted by using UDP port 9, but to help increase security,
you can select an alternative port for the site if this alternative port is supported by intervening
routers and firewalls.
For Traditional Wake-up Packets: Choose Between Unicast and Subnet-
Directed Broadcast for Wake-on-LAN
If you chose to wake up computers by sending traditional wake-up packets, you must decide
whether to transmit unicast packets or subnet-directed broadcast packets. Use the following table
to help you determine which transmission method to choose.
Transmission method: Unicast
Advantage:
 More secure solution than subnet-directed broadcasts because the packet is sent directly to a
computer instead of to all computers on a subnet.
 Might not require reconfiguration of routers (you might have to configure the ARP cache).
 Consumes less network bandwidth than subnet-directed broadcast transmissions.
 Supported with IPv4 and IPv6.
Disadvantage:
 Wake-up packets do not find destination computers that have changed their subnet address
after the last hardware inventory schedule.
 Switches might have to be configured to forward UDP packets.
 Some network adapters might not respond to wake-up packets in all sleep states when they
use unicast as the transmission method.
Transmission method: Subnet-Directed Broadcast
Advantage:
 Higher success rate than unicast if you have computers that frequently change their IP
address in the same subnet.
 No switch reconfiguration is required.
 High compatibility rate with computer adapters for all sleep states, because subnet-directed
broadcasts were the original transmission method for sending wake-up packets.
Disadvantage:
 Less secure solution than using unicast because an attacker could send continuous streams
of ICMP echo requests from a falsified source address to the directed broadcast address. This
causes all of the hosts to reply to that source address. If routers are configured to allow
subnet-directed broadcasts, the additional configuration is recommended for security reasons:
     Configure routers to allow only IP-directed broadcasts from the Configuration Manager
    site server, by using a specified UDP port number.
     Configure Configuration Manager to use the specified non-default port number.
 Might require reconfiguration of all intervening routers to enable subnet-directed broadcasts.
 Consumes more network bandwidth than unicast transmissions.
 Supported with IPv4 only; IPv6 is not supported.
Warning
There are security risks associated with subnet-directed broadcasts: An attacker could
send continuous streams of Internet Control Message Protocol (ICMP) echo requests
from a falsified source address to the directed broadcast address, which cause all the
hosts to reply to that source address. This type of denial of service attack is commonly
called a smurf attack and is typically mitigated by not enabling subnet-directed
broadcasts.
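The following PowerShell script is an added example, not code from the Microsoft documentation or from Configuration Manager, and it does not reproduce how the site server itself sends wake-up packets. It shows what the transmission-method decision above amounts to on the wire: the same traditional wake-up packet (six 0xFF bytes followed by the target's MAC address repeated sixteen times) sent either as unicast to the computer's last inventoried IP address or as a subnet-directed broadcast, on the default UDP port 9 or on the non-default port the section recommends when directed broadcasts are permitted only from the site server. The MAC address, IP addresses and port 12287 are constructed values.

```powershell
# Added example (not Microsoft's code): build a traditional wake-up packet and send it as
# unicast or as a subnet-directed broadcast on a chosen UDP port. All addresses, the MAC and
# the non-default port below are constructed values for illustration.

function New-WakeUpPacket {
    param([Parameter(Mandatory)][string]$MacAddress)   # e.g. '00-11-22-33-44-55' or '00:11:22:33:44:55'
    $mac = [byte[]]($MacAddress -split '[-:]' | ForEach-Object { [Convert]::ToByte($_, 16) })
    if ($mac.Length -ne 6) { throw "Expected a 6-byte MAC address, got '$MacAddress'." }
    # Magic packet layout: 6 x 0xFF synchronisation bytes, then the MAC repeated 16 times (102 bytes).
    $packet = New-Object byte[] 102
    for ($i = 0; $i -lt 6;   $i++) { $packet[$i] = 0xFF }
    for ($i = 6; $i -lt 102; $i++) { $packet[$i] = $mac[$i % 6] }
    return ,$packet
}

function Send-WakeUpPacket {
    param(
        [Parameter(Mandatory)][byte[]]$Packet,
        [Parameter(Mandatory)][string]$Destination,  # unicast IP of the client, or the subnet's directed broadcast address
        [int]$Port = 9                                # UDP port 9 is the default; a non-default port narrows what routers must permit
    )
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        # EnableBroadcast is required for a directed broadcast destination; it does not change unicast sends.
        $udp.EnableBroadcast = $true
        $sent = $udp.Send($Packet, $Packet.Length, $Destination, $Port)
        "Sent $sent-byte wake-up packet to ${Destination}:$Port"
    } finally {
        $udp.Close()
    }
}

$packet = New-WakeUpPacket -MacAddress '00-11-22-33-44-55'   # constructed MAC

# Unicast: only the target host receives the packet, but the IP address must still be the one
# recorded at the last hardware inventory (a client that moved subnets is not found).
Send-WakeUpPacket -Packet $packet -Destination '10.1.2.50' -Port 9

# Subnet-directed broadcast on a non-default port: every host on 10.1.2.0/24 receives it, so
# routers should permit directed broadcasts only from the site server and only on this port.
Send-WakeUpPacket -Packet $packet -Destination '10.1.2.255' -Port 12287
```

Whichever method you pick, the packet itself carries no authentication, which is the reason the section rates both below AMT power on commands; restricting the UDP port and the permitted source at intervening routers is the only control the traditional method offers.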
Planning for Communications Across Forests in
Configuration Manager
System Center 2012 Configuration Manager supports sites and hierarchies that span Active
Directory forests.
Configuration Manager also supports domain computers that are not in the same Active Directory
forest as the site server, and computers that are in workgroups:
 To support domain computers in a forest that is not trusted by your site server’s forest, you
can install site system roles in that untrusted forest, with the option to publish site information
to the client’s Active Directory forest. Or, you can manage these computers as if they are
workgroup computers. When you install site system servers in the client’s forest, the client-to-
server communication is kept within the client’s forest and Configuration Manager can
authenticate the computer by using Kerberos. When you publish site information to the
client’s forest, clients benefit from retrieving site information, such as a list of available
management points, from their Active Directory forest rather than downloading this
information from their assigned management point.
Note
If you want to manage devices that are on the Internet, you can install Internet-based
site system roles in your perimeter network when the site system servers are in an
Active Directory forest. This scenario does not require a two-way trust between the
perimeter network and the site server's forest.
 To support computers in a workgroup, you must manually approve these computers if they
use HTTP client connections to site system roles because Configuration Manager cannot
authenticate these computers by using Kerberos. In addition, you must configure the Network
Access Account so that these computers can retrieve content from distribution points.
Because these clients cannot retrieve site information from Active Directory Domain Services,
you must provide an alternative mechanism for them to find management points. You can
use DNS publishing, or WINS, or directly assign a management point.
For information about client approval and how clients find management points, see the
Planning for Client Communication in Configuration Manager section in this topic.
For information about how to configure the Network Access Account, see the Configure the
Network Access Account section in the Configuring Content Management in Configuration
Manager topic.
For information about how to install clients on workgroup computers, see the How to Install
Configuration Manager Clients on Workgroup Computers section in the How to Install Clients
on Computers in Configuration Manager topic.
Configuration Manager supports the Exchange Server connector in a different forest from the site
server. To support this scenario, ensure that name resolution works across the forests (for
example, configure DNS forwarders), and specify the intranet FQDN of the Exchange Server when
you configure the Exchange Server connector. For more information, see How to Manage Mobile
Devices by Using the Exchange Server Connector in Configuration Manager.
When your Configuration Manager design spans multiple Active Directory domains and forests,
use the additional information in the following table to help you plan for the following types of
communication.
Scenario: Communication between sites in a hierarchy that spans forests
 Requires a two-way forest trust, which supports Kerberos authentication that Configuration
Manager requires.
Details:
Configuration Manager supports installing a child site in a remote forest that has the required
two-way trust with the forest of the parent site. For example: You can place a secondary site in a
different forest from its primary parent site so long as the required trust exists. If you do not have
a two-way forest trust which supports Kerberos authentication, then Configuration Manager does
not support the child site in the remote forest.
Note
A child site can be a primary site (where the central administration site is the parent site), or
a secondary site.
Intersite communication in Configuration Manager uses database replication and file-based
transfers. When you install a site, you must specify an account to install the site on the
designated server. This account also establishes and maintains communication between sites.
After the site successfully installs and initiates file-based transfers and database replication, you
do not have to configure anything else for communication to the site.
For more information about how to install a site, see the Install a Site Server section in the Install
Sites and Create a Hierarchy for Configuration Manager topic.
More information:
When a two-way forest trust exists, Configuration Manager does not require any additional
configuration steps.
By default, when you install a new site as a child of another site, Configuration Manager
configures the following:
 An intersite file-based replication address at each site that uses the site server computer
account. Configuration Manager adds the computer account of each computer to the
SMS_SiteToSiteConnection_<sitecode> group on the destination computer.
 Database replication between the SQL Server at each site.
The following configurations must also be set:
 Intervening firewalls and network devices must allow the network packets that Configuration
Manager requires.
 Name resolution must work between the forests.
 To install a site or site system role, you must specify an account that has local administrator
permissions on the specified computer.
Scenario: Communication in a site that spans forests
 Does not require a two-way forest trust.
Details:
To support clients, primary sites support the installation of each site system role on computers in
other forests.
Note
Two exceptions are the out of band service point and the Application Catalog web service
point. Each must be installed in the same forest as the site server.
When the site system role accepts connections from the Internet, as a security best practice,
install these site system roles in an untrusted forest (for example, in a perimeter network) so that
the forest boundary provides protection for the site server.
When you specify a computer to be a site system server, you must specify the Site System
Installation Account. This account must have local administrative credentials to connect to, and
then install site system roles on the specified computer.
When you install a site system role in an untrusted forest, you must select the site system option
Require the site server to initiate connections to this site system. This configuration enables
the site server to establish connections to the site system server to transfer data. This prevents
the site system server that is in the untrusted location from initiating contact with the site server
that is inside your trusted network. These connections use the Site System Installation Account
that you use to install the site system server.
More information:
The management point and enrollment point site system roles connect to the site database. By
default, when these site system roles are installed, Configuration Manager configures the
computer account of the new site system server as the connection account and adds the account
to the appropriate SQL Server database role. When you install these site system roles in an
untrusted domain, you must configure the site system role connection account to enable the site
system role to obtain information from the database.
If you configure a domain user account for these connection accounts, ensure that the account
has appropriate access to the SQL Server database at that site:
 Management point: Management Point Database Connection Account
 Enrollment point: Enrollment Point Connection Account
Consider the following additional information when you plan for site system roles in other forests:
 If you run a Windows Firewall, configure the applicable firewall profiles to pass
communications between the site database server and computers that are installed with
remote site system roles. For information about firewall profiles, see Understanding Firewall
Profiles.
 When the Internet-based management point trusts the forest that contains the user accounts,
user policies are supported. When no trust exists, only computer policies are supported.
Scenario: Communication between clients and site system roles when the clients are not in the
same Active Directory forest as their site server
Details:
Configuration Manager supports the following scenarios for clients that are not in the same forest
as their site's site server:
 There is a two-way forest trust between the forest of the client and the forest of the site server
 The site system role server is located in the same forest as the client
 The client is on a domain computer that does not have a two-way forest trust with the site
server and site system roles are not installed in the client's forest
 The client is on a workgroup computer
Note
Configuration Manager cannot manage AMT-based computers out of band when these
computers are in a different forest from the site server.
More information:
Clients on a domain computer can use Active Directory Domain Services for service location
when their site is published to their Active Directory forest.
To publish site information to another Active Directory forest, you must first specify the forest and
then enable publishing to that forest in the Active Directory Forests node of the Administration
workspace. Additionally, you must enable each site to publish its data to Active Directory Domain
Services. This configuration enables clients in that forest to retrieve site information and find
management points. For clients that cannot use Active Directory Domain Services for service
location, you can use DNS, WINS, or the client's assigned management point.
Planning for Internet-Based Client Management
Internet-based client management lets you manage Configuration Manager clients when they are
not connected to your company network but have a standard Internet connection. This
arrangement has several advantages that include the reduced costs of not having to run virtual
private networks (VPNs) and being able to deploy software updates in a timelier manner.
Because of the higher security requirements of managing client computers on a public network,
Internet-based client management requires that clients and the site system servers that the
clients connect to use PKI certificates. This ensures that connections are authenticated by an
independent authority, and that data to and from these site systems are encrypted by using
Secure Sockets Layer (SSL).
Use the following sections to help you plan for Internet-based client management.
Features that Are Not Supported on the Internet
Not all client management functionality is appropriate for the Internet; therefore, some features
are not supported when clients are managed on the Internet. The features that are not supported
for Internet management typically rely on Active Directory Domain Services or are not appropriate
for a public network, such as network discovery and Wake-on-LAN (WOL).
The following features are not supported when clients are managed on the Internet:
 Client deployment over the Internet, such as client push and software update-based client
deployment. Instead, use manual client installation.
 Auto-site assignment.
 Network Access Protection (NAP).
 Wake-on-LAN.
 Operating system deployment. However, you can deploy task sequences that do not deploy
an operating system; for example, task sequences that run scripts and maintenance tasks on
clients.
 Remote control.
 Out of band management.
 Software deployment to users unless the Internet-based management point can authenticate
the user in Active Directory Domain Services by using Windows authentication (Kerberos or
NTLM). This is possible when the Internet-based management point trusts the forest where
the user account resides.
Additionally, Internet-based client management does not support roaming. Roaming enables
clients to always find the closest distribution points to download content. Clients that are
managed on the Internet communicate with site systems from their assigned site when these site
systems are configured to use an Internet FQDN and the site system roles allow client
connections from the Internet. Clients non-deterministically select one of the Internet-based site
systems, regardless of bandwidth or physical location.
Note
New in System Center 2012 Configuration Manager, when you have a software update
point that is configured to accept connections from the Internet, Configuration Manager
Internet-based clients on the Internet always scan against this software update point, to
determine which software updates are required. However, when these clients are on the
Internet, they first try to download the software updates from Microsoft Update, rather
than from an Internet-based distribution point. Only if this fails, will they then try to
download the required software updates from an Internet-based distribution point. Clients
that are not configured for Internet-based client management never try to download the
software updates from Microsoft Update, but always use Configuration Manager
distribution points.
Planning for Internet-Based Site Systems
The following site system roles in a primary site support client connections from the Internet:
 Management point
 Distribution point
 Fallback status point
 Software update point (with and without a network load balancing cluster)
 Application Catalog website point
 Enrollment proxy point
All site systems must reside in an Active Directory domain. However, you can install site systems
for Internet-based client management in an untrusted forest. This scenario might be appropriate
for a perimeter network that requires high security. Although there is no requirement to have a
trust between the two forests, when the forest that contains the Internet–based site systems
trusts the forest that contains the user accounts, this configuration supports user-based policies
for devices on the Internet when you enable the Client Policy client setting Enable user policy
requests from Internet clients. For example, the following configurations illustrate when
Internet-based client management supports user policies for devices on the Internet:
 The Internet-based management point is in the perimeter network where a read-only domain
controller resides to authenticate the user and an intervening firewall allows Active Directory
packets.
 The user account is in Forest A (the intranet) and the Internet-based management point is in
Forest B (the perimeter network). Forest B trusts Forest A, and an intervening firewall allows
the authentication packets.
 The user account and the Internet-based management point are in Forest A (the intranet).
The management point is published to the Internet by using a web proxy server.
Note
If Kerberos authentication fails, NTLM authentication is then automatically tried.
As the previous example shows, you can place Internet-based site systems in the intranet when
they are published to the Internet by using a web proxy server, such as ISA Server and Forefront
Threat Management Gateway. These site systems can be configured for client connection from
the Internet only, or client connections from the Internet and intranet. When you use a web proxy
server, you can configure it for Secure Sockets Layer (SSL) bridging to SSL (more secure) or
SSL tunneling:
 SSL bridging to SSL:
The recommended configuration when you use proxy web servers for Internet-based client
management is SSL bridging to SSL, which uses SSL termination with authentication. Client
computers must be authenticated by using computer authentication, and mobile device
legacy clients are authenticated by using user authentication. Mobile devices that are
enrolled by Configuration Manager do not support SSL bridging.
The benefit of SSL termination at the proxy web server is that packets from the Internet are
subject to inspection before they are forwarded to the internal network. The proxy web server
authenticates the connection from the client, terminates it, and then opens a new
authenticated connection to the Internet-based site systems. When Configuration Manager
clients use a proxy web server, the client identity (client GUID) is securely contained in the
packet payload so that the management point does not consider the proxy web server to be
the client. Bridging is not supported in Configuration Manager with HTTP to HTTPS, or from
HTTPS to HTTP.
 Tunneling:
If your proxy web server cannot support the requirements for SSL bridging, or you want to
configure Internet support for mobile devices that are enrolled by Configuration Manager,
SSL tunneling is also supported. It is a less secure option because the SSL packets from the
Internet are forwarded to the site systems without SSL termination, so they cannot be
inspected for malicious content. When you use SSL tunneling, there are no certificate
requirements for the proxy web server.
Planning for Internet-Based Clients
You must decide whether the client computers that will be managed over the Internet will be
configured for management on the intranet and the Internet, or for Internet-only client
management. You can only configure the client management option during the installation of a
client computer. If you change your mind later, you must reinstall the client.
Tip
You do not have to restrict the configuration of Internet-only client management to the
Internet and you can also use it on the intranet.
Clients that are configured for Internet-only client management only communicate with the site
systems that are configured for client connections from the Internet. This configuration would be
appropriate for computers that you know never connect to your company intranet, for example,
point of sale computers in remote locations. It might also be appropriate when you want to restrict
client communication to HTTPS only (for example, to support firewall and restricted security
policies), and when you install Internet-based site systems in a perimeter network and you want
to manage these servers by using the Configuration Manager client.
When you want to manage workgroup clients on the Internet, you must install them as Internet-
only.
Note
Mobile device clients are automatically configured as Internet-only when they are
configured to use an Internet-based management point.
Other client computers can be configured for Internet and intranet client management. They can
automatically switch between Internet-based client management and intranet client management
when they detect a change of network. If these clients can find and connect to a management
point that is configured for client connections on the intranet, these clients are managed as
intranet clients that have full Configuration Manager management functionality. If the clients
cannot find or connect to a management point that is configured for client connections on the
intranet, they attempt to connect to an Internet-based management point, and if this is successful,
these clients are then managed by the Internet-based site systems in their assigned site.
The benefit in automatic switching between Internet-based client management and intranet client
management is that client computers can automatically use all Configuration Manager features
whenever they are connected to the intranet and continue to be managed for essential
management functions when they are on the Internet. Additionally, a download that began on the
Internet can seamlessly resume on the intranet, and vice versa.
Prerequisites for Internet-Based Client Management
Internet-based client management in Configuration Manager has the following external
dependencies:
Dependency: Clients that will be managed on the Internet must have an Internet connection.
More information: Configuration Manager uses existing Internet Service Provider (ISP)
connections to the Internet, which can be either permanent or temporary connections. Client
mobile devices must have a direct Internet connection, but client computers can have either a
direct Internet connection or connect by using a proxy web server.

Dependency: Site systems that support Internet-based client management must have
connectivity to the Internet and must be in an Active Directory domain.
More information: The Internet-based site systems do not require a trust relationship with the
Active Directory forest of the site server. However, when the Internet-based management point
can authenticate the user by using Windows authentication, user policies are supported. If
Windows authentication fails, only computer policies are supported.
Note
To support user policies, you also must set to True the two Client Policy client settings:
 Enable user policy polling on clients
 Enable user policy requests from Internet clients
An Internet-based Application Catalog website point also requires Windows authentication to
authenticate users when their computer is on the Internet. This requirement is independent
from user policies.

Dependency: You must have a supporting public key infrastructure (PKI) that can deploy and
manage the certificates that the clients require and that are managed on the Internet and the
Internet-based site system servers.
More information: For more information about the PKI certificates, see PKI Certificate
Requirements for Configuration Manager.

Dependency: The following infrastructure services must be configured to support Internet-based
client management:
 Public DNS servers: The Internet fully qualified domain name (FQDN) of site systems that
support Internet-based client management must be registered as host entries on public DNS
servers.
 Intervening firewalls or proxy servers: These network devices must allow the client
communication that is associated with Internet-based site systems.
More information: Client communication requirements:
 Support HTTP 1.1
 Allow HTTP content type of multipart MIME attachment (multipart/mixed and
application/octet-stream)
 Allow the following verbs for the Internet-based management point:
 HEAD
 CCM_POST
 BITS_POST
 GET
 PROPFIND
 Allow the following verbs for the Internet-based distribution point:
 HEAD
 GET
 PROPFIND
 Allow the following verbs for the Internet-based fallback status point:
 POST
 Allow the following verbs for the Internet-based Application Catalog website point:
 POST
 GET
 Allow the following HTTP headers for the Internet-based management point:
 Range:
 CCMClientID:
 CCMClientIDSignature:
 CCMClientTimestamp:
 CCMClientTimestampsSignature:
 Allow the following HTTP header for the Internet-based distribution point:
 Range:
For configuration information to support these requirements, refer to your firewall or proxy
server documentation.
For similar communication requirements when you use the software update point for client
connections from the Internet, see the documentation for Windows Server Update Services
(WSUS). For example, for WSUS on Windows Server 2003, see Appendix D: Security Settings,
the deployment appendix for security settings.
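As an added example that is not part of the Microsoft documentation, the following Python script applies the verb, header and content-type requirements from the table above to constructed proxy access-log records, so that an administrator can spot Internet client traffic that an intervening proxy or firewall rejects or strips. The host names, the host-to-role mapping and the log format are assumptions made for this example.

```python
"""Audit constructed proxy/firewall log records against the client communication
requirements for Internet-based Configuration Manager site system roles. Added
example: host names, log format and log lines are constructed; the verb, header
and content-type lists are taken from the requirements table."""
from dataclasses import dataclass, field

# Verbs the firewall or proxy must allow, per Internet-based site system role.
REQUIRED_VERBS = {
    "management point": {"HEAD", "CCM_POST", "BITS_POST", "GET", "PROPFIND"},
    "distribution point": {"HEAD", "GET", "PROPFIND"},
    "fallback status point": {"POST"},
    "application catalog website point": {"POST", "GET"},
}
# HTTP headers the proxy must pass through unchanged, per role.
REQUIRED_HEADERS = {
    "management point": {"Range", "CCMClientID", "CCMClientIDSignature",
                         "CCMClientTimestamp", "CCMClientTimestampsSignature"},
    "distribution point": {"Range"},
}
# Content types that must be allowed (multipart MIME attachments).
REQUIRED_CONTENT_TYPES = {"multipart/mixed", "application/octet-stream"}
# Statuses that show the proxy or firewall rejected the verb itself.
VERB_REJECTED = {403, 405, 501}
# Assumed mapping of public FQDNs to roles (constructed for this example).
HOST_ROLES = {
    "mp.example.com": "management point",
    "dp.example.com": "distribution point",
    "fsp.example.com": "fallback status point",
    "catalog.example.com": "application catalog website point",
}
# Constructed log lines: host, verb, status, content type, headers the proxy dropped.
SAMPLE_LOG = """\
mp.example.com CCM_POST 200 multipart/mixed -
mp.example.com BITS_POST 405 application/octet-stream -
dp.example.com GET 200 - Range
mp.example.com PROPFIND 200 - CCMClientID,CCMClientIDSignature
catalog.example.com POST 200 - -
fsp.example.com PUT 200 - -
www.example.net GET 200 - -
"""


@dataclass
class LogRecord:
    host: str
    method: str
    status: int
    content_type: str = ""
    dropped_headers: set = field(default_factory=set)


def parse_line(line: str) -> LogRecord:
    """Parse one constructed line: '<host> <verb> <status> <content-type|-> <dropped|->'."""
    host, method, status, ctype, dropped = line.split()
    return LogRecord(
        host=host,
        method=method.upper(),
        status=int(status),
        content_type="" if ctype == "-" else ctype.split(";")[0].lower(),
        dropped_headers=set() if dropped == "-" else set(dropped.split(",")),
    )


def findings_for(rec: LogRecord) -> list:
    """Return the documented requirements this record shows being violated, plus any
    verb the proxy let through although the role does not need it."""
    role = HOST_ROLES.get(rec.host)
    if role is None:
        return []  # traffic to something other than a Configuration Manager site system
    findings = []
    needed = rec.method in REQUIRED_VERBS[role]
    if needed and rec.status in VERB_REJECTED:
        findings.append(f"required verb {rec.method} rejected with {rec.status}")
    if not needed and rec.status < 400:
        findings.append(f"verb {rec.method} is not required for a {role} but was allowed")
    if rec.content_type in REQUIRED_CONTENT_TYPES and rec.status == 415:
        findings.append(f"required content type {rec.content_type} rejected")
    stripped = sorted(REQUIRED_HEADERS.get(role, set()) & rec.dropped_headers)
    if stripped:
        findings.append("required header(s) removed: " + ", ".join(stripped))
    return findings


def audit(lines) -> list:
    """Return (line, findings) for every record that has at least one finding."""
    report = []
    for line in lines:
        if line.strip():
            findings = findings_for(parse_line(line))
            if findings:
                report.append((line, findings))
    return report


if __name__ == "__main__":
    for line, findings in audit(SAMPLE_LOG.splitlines()):
        print(line)
        for finding in findings:
            print("   ", finding)
```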
Planning for Network Bandwidth in Configuration
Manager
System Center 2012 Configuration Manager offers several methods to control the network
bandwidth that is used by communications between sites, site system servers, and clients.
However, not all communication on the network can be managed. Use the following sections to
help you understand the methods that you can use to control network bandwidth and to design
your site hierarchy.
When you design the hierarchy and address structure for Configuration Manager, consider the
amount of network data that will be transferred from intersite and intrasite communications.
Note
Addresses in Configuration Manager are only used for intersite communications and are
not used for intrasite communications between site servers and site systems.
Controlling Network Bandwidth Usage Between Sites
During file-based data transfers, Configuration Manager uses all of the available network
bandwidth when it sends data between sites. You can control this process by configuring the
sender that the address uses to increase or decrease site-to-site sending threads. A sending
thread is used to transfer one file at a time. Each additional thread can cause additional files to be
transferred at the same time, which results in larger bandwidth use. To configure the number of
threads to use for site-to-site transfers, configure the Maximum concurrent sendings on the
Sender tab of the sites properties.
To control network bandwidth usage between sites, schedule when Configuration Manager can
use an address to a specific site. You can control the amount of network bandwidth to use, the
size of data blocks, and the frequency for sending the data blocks. Additional configurations can
limit data transfers based on the priority of the data type. For each site in the hierarchy, you can
set schedules and rate limits for that site to use when transferring data by configuring the
properties of the Address for each destination site.
Important
When you configure rate limits to restrict the bandwidth use on a specific address,
Configuration Manager can only use a single thread to transfer data to that destination
site. Use of rate limits for an address overrides the use of multiple threads per site that
are configured in the Maximum concurrent sendings.
When you configure network bandwidth controls, you should also remain aware of the potential
for data latency. If site communications have been throttled or configured to only transfer data
after regular business hours, administrators at either the parent site or child site might not be able
to view certain data until the intersite communication has occurred. For example, if an important
software update package is being sent to distribution points that are located at child sites, the
package might not be available at those sites until all pending intersite communication is
completed. Pending communication might include delivery of a package that is very large and
that has not yet completed its transfer.
For more settings for Addresses and Senders, see the sub-section Addresses and Senders in
the Planning for Intersite Communications in Configuration Manager section earlier in this topic.
Controlling Network Bandwidth Usage Between Site System
Servers
Within a site, communication between site systems uses server message blocks (SMB), can
occur at any time, and does not support a mechanism to control network bandwidth. However,
when you configure the site server to use rate limits and schedules to control the transfer of data
over the network to a distribution point, you can manage the transfer of content from the site
server to distribution points with controls similar to those for site-to-site file-based transfers.
Controlling Network Bandwidth Usage Between Clients and Site
System Servers
Clients regularly communicate with different site system servers. For example, they communicate
with a site system server that runs a management point when they have to check for a client
policy, and communicate with a site system server that runs a distribution point when they have to
download content to install an application or software update. The frequency of these connections
and the amount of data that is transferred over the network to or from a client depends on the
schedules and configurations that you specify as client settings.
Typically, client policy requests use low network bandwidth. The network bandwidth might be high
when clients access content for deployments or send information such as hardware inventory
data to the site.
You can specify client settings that control the frequency of client-initiated network
communications. Additionally, you can configure how clients access deployment content, for
example, by using Background Intelligent Transfer Service (BITS). To use BITS to download
content, the client and the distribution point must be configured to use BITS. If the client is
configured to use BITS, but the distribution point is not, the client uses SMB to transfer the
content.
For information about client settings in Configuration Manager, see Planning for Client Settings in
Configuration Manager.
See Also
Planning for Configuration Manager Sites and Hierarchy
Planning for Site Operations in Configuration
Manager
Use the information in the following sections to help you plan for site operations.
 Planning for Backup and Recovery
 Planning for Client Management
 Planning for Maintenance Tasks for Configuration Manager
 Planning for Alerts
Planning for Backup and Recovery
Enterprise solutions such as Configuration Manager must prepare for loss of critical data by
planning for both backup and recovery operations. For Configuration Manager sites, this
preparation ensures that sites and hierarchies are recovered with the least data loss and in the
quickest possible time.
A Configuration Manager site contains a large amount of data, which is mostly stored in the site
database. To ensure that you are correctly backing up your sites, schedule the Backup Site
Server maintenance task for the central administration site and each primary site in your
hierarchy. The Backup Site Server maintenance task creates a complete backup snapshot of
your site and contains all the data necessary to perform recovery operations. You can also use
your own method for backing up the site database. For example, you can create a site database
backup as part of a SQL Server maintenance plan.
Depending on your Configuration Manager hierarchy, the requirement to back up a site to avoid
data loss varies. For example, consider the following scenarios:
 Central administration site with child primary sites: When you have a Configuration
Manager hierarchy, the site can likely be recovered even when you do not have a site
backup. Because database replication is used in the hierarchy, the data required for recovery
can be retrieved from another site in the hierarchy. The benefit of restoring a site by using a
backup is that only changes to the data since the last backup have to be retrieved from
another site, which reduces the amount of data transferred over your network.
 Stand-alone primary site: When you have a stand-alone primary site (no central
administration site), you must have a Configuration Manager backup to avoid data loss.
 Secondary sites: There is no backup and recovery support for secondary sites. You must
reinstall the secondary site when it fails.
For more information about how to configure site backup or recover a site, see Backup and
Recovery in Configuration Manager.
What’s New in Backup and Recovery
Note
The information in this section also appears in the Getting Started with System Center
2012 Configuration Manager guide.
The following table lists features that are new or that have changed for backup and recovery
since Configuration Manager 2007.
Feature: Recovery integrated with System Center 2012 Configuration Manager Setup
Description: Configuration Manager 2007 used the Site Repair Wizard to recover sites. In
System Center 2012 Configuration Manager, recovery is integrated in the Configuration
Manager Setup Wizard.

Feature: Support for multiple recovery options
Description: You have the following options when running recovery in System Center 2012
Configuration Manager:
Site Server
 Recover the site server from a backup.
 Reinstall the site server.
Site Database
 Recover the site database from a backup.
 Create a new site database.
 Use a site database that has been manually recovered.
 Skip database recovery.

Feature: Recovery uses data replication to minimize data loss
Description: System Center 2012 Configuration Manager database replication uses SQL Server
to transfer data and merge changes made to the database of a site with the information stored
in the database at other sites in the hierarchy. This enables all sites to share the same
information.
Recovery in System Center 2012 Configuration Manager uses database replication to retrieve
global data that the failed site created before it failed. This process minimizes data loss even
when no backup is available.

Feature: Recovery by using a Setup script
Description: You can start an unattended site recovery by configuring an unattended
installation script and then using the Setup command /script option.
Volume Shadow Copy Service
The Backup Site Server maintenance task uses the Volume Shadow Copy Service (VSS) to
create the backup snapshot. VSS is essentially a framework that facilitates communication
between applications, storage subsystems, and storage management applications (including
backup applications) to define point-in-time copies of storage data. These point-in-time copies, or
shadow copies, of site server and site database information are used to back up and restore
Configuration Manager sites. By using VSS shadow copies, the Backup Site Server maintenance
task can minimize offline times for site servers. VSS must be running for the Backup Site Server
maintenance task to finish successfully.
What Gets Backed Up
The Backup Site Server maintenance task includes the following information in the backup set:
 The Configuration Manager site database files
Note
The Backup Site Server maintenance task does not support configuring an NTFS file
system junction point to store the site database files.
 The following Configuration Manager installation folders:
 <ConfigMgrInstallationPath>\bin
 <ConfigMgrInstallationPath>\inboxes
 <ConfigMgrInstallationPath>\Logs
 <ConfigMgrInstallationPath>\Data
 <ConfigMgrInstallationPath>\srvacct
 The HKEY_LOCAL_MACHINE\Software\Microsoft\SMS registry key.
What Does Not Get Backed Up
The Backup Site Server maintenance task creates a backup set that includes everything you
need to restore your site server to a functional state. There are some Configuration Manager
items not included in the site backup that you might want to back up outside of the normal
process. The following sections provide information about items not backed up as part of the
backup task.
Warning
For more information about supplemental backup tasks, see the Supplemental Backup
Tasks section in the Backup and Recovery in Configuration Manager topic.
Configuration Manager Site Systems
Some Configuration Manager site systems contain site data that is easily recreated if the site fails,
and this data is not backed up during the site backup process. For example, you do not have to
back up data from site systems such as distribution points and management points. The site
server can easily reinstall these site systems if they fail.
Custom Reporting Services Reports
When you create custom Configuration Manager reports in SQL Server Reporting Services, there
are several items on the Reporting Services server that you must add to your backup set to
recover the reports in the event of a failure on the server running Reporting Services.
Content Files
The content library in Configuration Manager is the location where all content files are stored for
software updates, applications, operating system deployment, and so on. The content library is
located on the site server and each distribution point. The Backup Site Server maintenance task
does not include a backup of the content library or the package source files. When a site server
fails, the information about the content library files is restored to the site database, but you must
restore the content library and package source files on the site server.
SQL Server Master Database
You do not have to back up the SQL Server master database. The Backup Site Server
maintenance task backs up all of the required information for restoring the site database to
SQL Server as part of the backup process. The original SQL Server master database is not
required for restoring the site database on a new server that is hosting the SQL Server database.
Configuration Manager Log Files
The Backup Site Server maintenance task backs up logs located in the
<ConfigMgrInstallationPath>\Logs folder, but some System Center 2012 Configuration Manager
site systems write logs in other locations and are not backed up by the Backup Site Server
maintenance task. Plan an alternative method to back up these log files, if it is required.
Configuration Manager Clients
System Center 2012 Configuration Manager clients are not backed up as part of the site backup
process for the following reasons:
 To correctly back up a Configuration Manager client, the client services must be stopped.
However, there is no reliable way to stop and start the client services. Stopping and starting
the client services can potentially corrupt the data on the hard disk of the client or in the
backup snapshot.
 Clients are too numerous. It is neither practical nor beneficial to back up and restore the
clients assigned to a site.
 The effect of losing client data is relatively small.
System Center Updates Publisher
When you use System Center Updates Publisher to create custom software updates, the updates
are stored in the Updates Publisher database. Though many of these custom software updates
might have been published to Windows Server Update Services, you typically want to have a
backup of the Updates Publisher database that contains the source for the custom updates.
Maintenance Mode Support
When the Backup Site Server maintenance task performs a site backup, critical site services
must be stopped including:
 SMS Executive service (SMS_Executive)
 SMS Site Component Manager service (SMS_Site_Component_Manager)
If the Configuration Manager site server or site database server is being monitored by the
monitoring agent on the System Center Operations Manager client, the backup process might
generate false stop service alerts when critical Configuration Manager services are stopped for
backup. To avoid this problem, configure the entire backup process to be monitored as a single
transaction that is managed by using Operations Manager maintenance mode state
management.
Planning for Client Management
Use the following links to help you plan for client management:
 Planning for Hardware Inventory in Configuration Manager
 Prerequisites for Asset Intelligence in Configuration Manager
 Planning for Power Management in Configuration Manager
 Planning for Remote Control in Configuration Manager
 Planning for Software Metering in Configuration Manager
 Planning for Out of Band Management in Configuration Manager
 Planning for Compliance Settings in Configuration Manager
 Planning for Endpoint Protection in Configuration Manager
 Planning for Software Updates in Configuration Manager
 Planning How to Deploy Operating Systems in Configuration Manager
Planning for Maintenance Tasks for Configuration
Manager
System Center 2012 Configuration Manager sites and hierarchies require regular maintenance
and monitoring to provide services effectively and continuously. Regular maintenance ensures
that the hardware, software, and the Configuration Manager database continue to function
correctly and efficiently. Optimal performance greatly reduces the risk of failure.
While your Configuration Manager site and hierarchy perform the tasks that you schedule and
configure, site components continually add data to the Configuration Manager database. As the
amount of data grows, database performance and the free storage space in the database decline.
You can configure site maintenance tasks to remove aged data that you no longer require.
Configuration Manager provides predefined maintenance tasks that you can use to maintain the
health of the Configuration Manager database. Not all maintenance tasks are available at each
site. By default, several tasks are enabled and others are not, and all of them support a schedule
that you can configure for when they run.
Most maintenance tasks periodically remove out-of-date data from the Configuration Manager
database. Reducing the size of the database by removing unnecessary data improves the
performance and the integrity of the database, which increases the efficiency of the site and
hierarchy. Other tasks, such as Rebuild Indexes, help maintain the database efficiency, while
some, such as the Backup Site Server task, help you prepare for disaster recovery.
Important
When you plan the schedule of any task that deletes data, consider the use of that data
across the hierarchy. When a task that deletes data runs at a site, the information is
removed from the Configuration Manager database, and this change replicates to all sites
in the hierarchy. This can affect other tasks that rely on that data. For example, at the
central administration site, you might configure Discovery to run one time per month to
identify non-client computers, and plan to install the Configuration Manager client to
these computers within two weeks of their discovery. However, at one site in the
hierarchy, an administrator configures the Delete Aged Discovery Data task to run every
seven days with a result that seven days after non-client computers are discovered, they
are deleted from the Configuration Manager database. Back at the central administration
site, you prepare to push install the Configuration Manager client to these new computers
on day 10. However, because the Delete Aged Discovery Data task has recently run and
deleted data that is seven days or older, the recently discovered computers are no longer
available in the database.
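The scenario in the note above, generalized as an added example that is not part of the Microsoft documentation: the model assumes that each run of the Delete Aged Discovery Data task deletes every discovery record whose age in days has reached the configured threshold, and it shows that whether a push install still finds the records depends on the day the task happens to run, and what threshold is safe for a given install delay.

```python
"""Model how the Delete Aged Discovery Data task interacts with a Discovery schedule
and a planned client push install. Added example, not from the documentation: it
assumes the task deletes, at each run, every discovery record whose age in days is
at least the configured threshold. All days are integers counted from an arbitrary day 0."""


def deletion_day(discovered_day, first_run_day, interval_days, age_threshold_days):
    """Day on which a record discovered on `discovered_day` is deleted: the first task
    run on or after the day the record reaches the age threshold."""
    if interval_days <= 0:
        raise ValueError("task interval must be positive")
    run_day = first_run_day
    while run_day < discovered_day + age_threshold_days:
        run_day += interval_days
    return run_day


def record_available_on(check_day, discovered_day, first_run_day,
                        interval_days, age_threshold_days):
    """True if the record still exists when something (for example a push install)
    looks for it on `check_day`; a run on that same day is treated as already done."""
    return check_day < deletion_day(discovered_day, first_run_day,
                                    interval_days, age_threshold_days)


def losing_phases(discovered_day, push_day, interval_days, age_threshold_days):
    """Task phases (first-run day modulo the interval) for which the record is
    already gone when the push install runs on `push_day`."""
    return [phase for phase in range(interval_days)
            if not record_available_on(push_day, discovered_day, phase,
                                       interval_days, age_threshold_days)]


def minimum_safe_age(discovered_day, push_day):
    """Smallest age threshold that keeps the record until `push_day` whatever the
    task's phase: the record must not yet have reached the threshold on that day."""
    return push_day - discovered_day + 1


if __name__ == "__main__":
    # The scenario from the note: discovered on day 0, task every 7 days with a
    # 7-day threshold, push install planned for day 10.
    print("task phases that lose the record:", losing_phases(0, 10, 7, 7))
    print("threshold needed for a day-10 push:", minimum_safe_age(0, 10), "days")
```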
After you install a Configuration Manager site, review the available maintenance tasks and enable
those tasks that your operations require. Review the default schedule of each task, and when
necessary, modify the schedule to fine-tune the maintenance task to fit your hierarchy and
environment. Although the default schedule of each task should suit most environments, monitor
the performance of your sites and database and expect to fine-tune tasks to increase your
deployments’ efficiency. Plan to periodically review the site and database performance and to
reconfigure maintenance tasks and their schedules to maintain that efficiency.
When to Perform Common Maintenance Tasks
To maintain your site, consider performing regular maintenance on a daily and a weekly schedule
and, for some tasks, on a longer periodic schedule. Common maintenance can include both the
built-in maintenance tasks and other tasks, such as account maintenance, that maintain compliance
with your company policies.
Performing regular maintenance is important to ensure correct site operations. Maintain a
maintenance log to document dates that maintenance was conducted, by whom, and any
maintenance-related comments about the task conducted.
Use the following information as a guide to help you plan when to perform different maintenance
tasks. Use these lists as a starting point, and add any additional tasks you might require.
Daily Tasks
The following are maintenance tasks you might consider performing on a daily basis:
 Verify that predefined maintenance tasks that are scheduled to run daily are running
successfully.
 Check the Configuration Manager database status.
 Check site server status.
 Check Configuration Manager site system inboxes for file backlogs.
 Check site systems status.
 Check the operating system event logs on site systems.
 Check the SQL Server error log on the site database computer.
 Check system performance.
 Check Configuration Manager alerts.
Weekly Tasks
The following are maintenance tasks you might consider performing on a weekly basis:
 Verify that predefined maintenance tasks scheduled to run weekly are running successfully.
 Delete unnecessary files from site systems.
 Produce and distribute end-user reports if required.
 Back up application, security, and system event logs and clear them.
 Check the site database size and verify that there is enough available disk space on the site
database server so that the site database can grow.
 Perform SQL Server database maintenance on the site database according to your
SQL Server maintenance plan.
 Check available disk space on all site systems.
 Run disk defragmentation tools on all site systems.
Periodic Tasks
Some tasks do not have to be performed during daily or weekly maintenance, but they are
important to ensure overall site health and to keep security and disaster recovery plans up-to-date.
The following are maintenance tasks that you might consider performing on a more periodic basis
than the daily or weekly tasks:
 Change accounts and passwords, if it is necessary, according to your security plan.
 Review the maintenance plan to verify that scheduled maintenance tasks are scheduled
correctly and effectively depending on configured site settings.
 Review the Configuration Manager hierarchy design for any required changes.
 Check network performance to ensure changes have not been made that affect site
operations.
 Verify that Active Directory settings affecting site operations have not changed. For example,
verify that subnets assigned to Active Directory sites that are used as boundaries for
Configuration Manager sites have not changed.
 Review your disaster recovery plan for any required changes.
 Perform a site recovery according to the disaster recovery plan in a test lab by using a
backup copy of the most recent backup created by the Backup Site Server maintenance task.
 Check hardware for any errors or for available hardware updates.
 Check the overall health of the site.
About the Built-In Maintenance Tasks
The following table lists the available maintenance tasks, at which site each task is available, and
basic details about the task. For more information about each task and its available
configurations, view the maintenance task Properties in the Configuration Manager console.
Key: √ = By default, enabled Ø = By default, not enabled
Maintenance
task
Central
administration
site
Primary site Secondary site More information
Backup Site
Server
√ Ø Not available Use this task to prepare for
recovery of critical data by
creating a backup of the
critical information that you
have to restore a site and
the Configuration Manager
database.
For more information, see
Backup and Recovery in
Configuration Manager.
Check
Application Title
with Inventory
Information
√ √ Not available Use this task to maintain
consistency between
software titles reported in
software inventory and
software titles in the Asset
Intelligence catalog.
For more information, see
Introduction to Asset
Intelligence in Configuration
Manager.
Clear Install
Flag
Not available Ø Not available Use this task to remove the
installed flag for clients that
do not submit a Heartbeat
Discovery record during the
Client Rediscovery period.
The installed flag prevents
automatic client push
installation to a computer
that might have an active
Configuration Manager
client.
For more information, see
How to Prevent the Client
Software from Installing on
Specific Computers in
Configuration Manager.
Delete Aged
Application
Request Data
Not available √ Not available Use this task to delete aged
application requests from
the database.
For more information about
application requests, see
Introduction to Application
Management in
Configuration Manager.
Delete Aged
Client
Operations
√ √ Not available Use this task to delete aged
data for Endpoint Protection
client operations from the
database. This data includes
requests that an
administrative user made for
clients to run a scan or
download updated
definitions.
For more information about
managing Endpoint
Protection in Configuration
Manager, see How to
Manage Antimalware
Policies and Firewall
Settings for Endpoint
Protection in Configuration
Manager.
Delete Aged
Collected Files
Not available √ Not available Use this task to delete aged
information about collected
files from the database. This
task also deletes the
collected files from the site
server folder structure at the
selected site. By default, the
five most recent copies of
collected files are stored on
the site server in the
Inboxes\sinv.box\FileCol
directory.
For more information, see
Planning for Software
Inventory in Configuration
Manager.
Delete Aged
Computer
Association
Data
Not available √ Not available Use this task to delete aged
Operating System
Deployment computer
association data from the
database. This information is
used as part of completing
user state restores. For
more information about
computer associations, see
Managing User State.
Delete Aged
Delete
Detection Data
√ √ √ Use this task to delete aged
data from the database that
has been created by
Extraction Views. By default,
Extraction Views are
disabled and can only be
enabled by use of the
Configuration Manager SDK.
Unless Extraction Views are
enabled, there is no data for
this task to delete.
Delete Aged
Device Wipe
Record
Not available √ Not available Use this task to delete aged
data about mobile device
wipe actions from the
database.
For information about
managing mobile devices,
see Determine How to
Manage Mobile Devices in
Configuration Manager.
Delete Aged
Devices
Managed by the
Exchange
Server
Connector
Not available √ Not available Use this task to delete aged
data about mobile devices
that are managed by using
the Exchange Server
connector from the
database.
For more information, see
How to Manage Mobile
Devices by Using the
Exchange Server Connector
in Configuration Manager.
Delete Aged
Discovery Data
Not available √ Not available Use this task to delete aged
discovery data from the
database. This data can
include records resulting
from heartbeat discovery,
network discovery, and
Active Directory Domain
Services discovery methods
(System, User, and Group).
When this task runs at one
site, it removes the data
from the database at all sites
in the hierarchy.
For information about
Discovery, see Planning for
Discovery in Configuration
Manager.
Delete Aged
Endpoint
Protection
Health Status
History Data
Not available √ Not available Use this task to delete aged
status information for
Endpoint Protection from the
database.
For more information about
Endpoint Protection status
information, see How to
Monitor Endpoint Protection
in Configuration Manager.
Delete Aged
Enrolled
Devices
Not available √ Not available Use this task to delete aged
data about mobile devices
that have enrolled at a site
but that have not reported any
information to the site for a
specified time from the
database.
For information about mobile
device enrollment, see
Determine How to Manage
Mobile Devices in
Configuration Manager.
Delete Aged Inventory History
Central administration site: Not available | Primary site: √ | Secondary site: Not available
Use this task to delete inventory data that has been stored longer than a specified time from the database.
For information about inventory history, see How to Use Resource Explorer to View Hardware Inventory in Configuration Manager.

Delete Aged Log Data
Central administration site: √ | Primary site: √ | Secondary site: √
Use this task to delete aged log data that is used for troubleshooting from the database. This data is not related to Configuration Manager component operations.
Important: By default, this task runs every 30 days. However, when you use SQL Server Express at a secondary site, configure this task to run every day at that secondary site.

Delete Aged Replication Tracking Data ¹
Central administration site: √ | Primary site: √ | Secondary site: √
Use this task to delete aged data about database replication between Configuration Manager sites from the database.
For more information, see the How to Monitor Database Replication and SQL Server Status for Database Replication section in the Monitor Configuration Manager Sites and Hierarchy topic.
Delete Aged Software Metering Data
Central administration site: Not available | Primary site: √ | Secondary site: Not available
Use this task to delete aged data for software metering that has been stored longer than a specified time from the database.
For more information, see Maintenance Tasks for Software Metering in Configuration Manager.

Delete Aged Software Metering Summary Data
Central administration site: Not available | Primary site: √ | Secondary site: Not available
Use this task to delete aged summary data for software metering that has been stored longer than a specified time from the database.
For more information, see Maintenance Tasks for Software Metering in Configuration Manager.

Delete Aged Status Messages
Central administration site: √ | Primary site: √ | Secondary site: Not available
Use this task to delete aged status message data as configured in status filter rules from the database.
For information, see the Monitor System Status for Configuration Manager section in the Monitor Configuration Manager Sites and Hierarchy topic.

Delete Aged Threat Data
Central administration site: Not available | Primary site: √ | Secondary site: Not available
Use this task to delete aged Endpoint Protection threat data that has been stored longer than a specified time from the database.
For information about Endpoint Protection, see Endpoint Protection in Configuration Manager.
Delete Aged User Device Affinity Data
Central administration site: Not available | Primary site: √ | Secondary site: Not available
Use this task to delete aged User Device Affinity data from the database.
For more information, see How to Manage User Device Affinity in Configuration Manager.

Delete Inactive Client Discovery Data
Central administration site: Not available | Primary site: Ø | Secondary site: Not available
Use this task to delete discovery data for inactive clients from the database. Clients are marked as inactive when the client is flagged as obsolete and by configurations made for Client status. This task operates only on resources that are Configuration Manager clients. It differs from the Delete Aged Discovery Data task, which deletes any aged discovery data record. When this task runs at a site, it removes the data from the database at all sites in a hierarchy.
Important: When enabled, configure this task to run at an interval greater than the Heartbeat Discovery schedule. This enables active clients to send a Heartbeat Discovery record to mark their client record as active so this task does not delete them.
For more information, see How to Configure Client Status in Configuration Manager.
Delete Obsolete Alerts
Central administration site: √ | Primary site: √ | Secondary site: Not available
Use this task to delete expired alerts that have been stored longer than a specified time from the database.
For more information, see Planning for Alerts.

Delete Obsolete Client Discovery Data
Central administration site: Not available | Primary site: Ø | Secondary site: Not available
Use this task to delete obsolete client records from the database. A record that is marked as obsolete has usually been replaced by a newer record for the same client. The newer record becomes the client's current record.
Important: When enabled, configure this task to run at an interval greater than the Heartbeat Discovery schedule. This enables the client to send a Heartbeat Discovery record that sets the obsolete status correctly.
For information about Discovery, see Planning for Discovery in Configuration Manager.

Delete Obsolete Forest Discovery Sites and Subnets
Central administration site: √ | Primary site: √ | Secondary site: √
Use this task to delete data about Active Directory sites, subnets, and domains that have not been discovered by the Active Directory Forest Discovery method in the last 30 days. This removes the discovery data but does not affect boundaries created from this discovery data.
For more information, see Planning for Discovery in Configuration Manager.

Delete Unused Application Revisions
Central administration site: Not available | Primary site: √ | Secondary site: Not available
Use this task to delete application revisions that are no longer referenced.
For more information, see How to Manage Application Revisions in Configuration Manager.
Evaluate Collection Members
Central administration site: Not available | Primary site: √ | Secondary site: Not available
Use this task to change how often collection membership is incrementally evaluated. Incremental evaluation updates a collection membership with only new or changed resources.
For more information, see How to Manage Collections in Configuration Manager.

Evaluate Provisioned AMT Computer Certificates
Central administration site: Not available | Primary site: √ | Secondary site: Not available
Use this task to check the validity period of the certificates issued to AMT-based computers.
For more information, see How to Manage AMT Provisioning Information in Configuration Manager.

Monitor Keys
Central administration site: √ | Primary site: √ | Secondary site: Not available
Use this task to monitor the integrity of the Configuration Manager database primary keys. A primary key is a column or combination of columns that uniquely identifies one row and distinguishes it from any other row in a Microsoft SQL Server database table.

Rebuild Indexes
Central administration site: Ø | Primary site: Ø | Secondary site: Ø
Use this task to rebuild the Configuration Manager database indexes. An index is a database structure that is created on a database table to speed up data retrieval. For example, searching an indexed column is often much faster than searching a column that is not indexed.
To improve performance, the Configuration Manager database indexes are frequently updated to remain synchronized with the constantly changing data stored in the database. This task creates indexes on database columns that are at least 50 percent unique, drops indexes on columns that are less than 50 percent unique, and rebuilds all existing indexes that meet the data uniqueness criteria.
Summarize Installed Software Data
Central administration site: Not available | Primary site: √ | Secondary site: Not available
Use this task to summarize the data for installed software from multiple records into one general record. Data summarization can compress the amount of data stored in the Configuration Manager database.
For more information, see Planning for Software Inventory in Configuration Manager.

Summarize Software Metering File Usage Data
Central administration site: Not available | Primary site: √ | Secondary site: Not available
Use this task to summarize the data from multiple records for software metering file usage into one general record. Data summarization can compress the amount of data stored in the Configuration Manager database.
You can use this task with the Summarize Software Metering Monthly Usage Data task to summarize software metering data, and to conserve disk space in the Configuration Manager database.
For more information, see Maintenance Tasks for Software Metering in Configuration Manager.

Summarize Software Metering Monthly Usage Data
Central administration site: Not available | Primary site: √ | Secondary site: Not available
Use this task to summarize the data from multiple records for software metering monthly usage into one general record. Data summarization can compress the amount of data stored in the Configuration Manager database.
You can use this task with the Summarize Software Metering File Usage Data task to summarize software metering data, and to conserve space in the Configuration Manager database.
For more information, see Maintenance Tasks for Software Metering in Configuration Manager.

Update Application Catalog Tables
Central administration site: √ | Primary site: √ | Secondary site: Not available
Use this task to synchronize the Application Catalog website database cache with the latest application information.
For more information, see Configuring the Application Catalog and Software Center in Configuration Manager.

¹ When you change the configuration of this maintenance task, the configuration applies to each applicable site in the hierarchy.
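As an added example that is not part of this documentation, the following PowerShell script reads a site's maintenance task settings through the SMS Provider and flags the two scheduling caveats from the table: Delete Aged Log Data must run every day at a secondary site that uses SQL Server Express, and the two client discovery deletion tasks must run at an interval greater than the Heartbeat Discovery schedule. It assumes the SMS_SCI_SQLTask WMI class with TaskName, Enabled, SiteCode and DaysOfWeek properties (DaysOfWeek taken as a Sunday = 1 ... Saturday = 64 bit mask, 127 = every day); the server name, site codes and heartbeat interval are placeholders you replace with your own values.

```powershell
# Added example (not part of the Microsoft documentation): list the site
# maintenance tasks of one site through the SMS Provider and flag the two
# scheduling caveats the maintenance task table states.
# Assumptions, not stated on this page: the SMS_SCI_SQLTask class in the
# root\SMS\site_<ProviderSiteCode> namespace exposes TaskName, Enabled,
# SiteCode and DaysOfWeek, and DaysOfWeek is a bit mask with Sunday = 1,
# Monday = 2, ... Saturday = 64 (127 = every day). Names and codes are placeholders.
param(
    [string]$ProviderServer   = 'CMPRIMARY.example.local',  # placeholder: server hosting the SMS Provider
    [string]$ProviderSiteCode = 'PS1',                      # placeholder: site code of that primary site
    [string]$SiteCode         = 'PS1',                      # placeholder: site whose tasks are checked
    # The Heartbeat Discovery schedule you configured, in days.
    [int]$HeartbeatDiscoveryIntervalDays = 7,
    # Set this when $SiteCode is a secondary site whose database is SQL Server Express.
    [switch]$SecondarySiteUsesSqlExpress
)

# Smallest number of days between two consecutive runs of a task scheduled on
# the days in the bit mask. 127 (every day) gives 1; a single day gives 7.
function Get-MinimumRunGapDays {
    param([int]$DaysOfWeek)
    $days = @(0..6 | Where-Object { ($DaysOfWeek -band ([int][math]::Pow(2, $_))) -ne 0 })
    if ($days.Count -eq 0) { return [int]::MaxValue }   # never runs
    if ($days.Count -eq 1) { return 7 }                 # once a week
    $gaps = for ($i = 0; $i -lt $days.Count; $i++) {
        $next = $days[($i + 1) % $days.Count]
        (($next - $days[$i]) + 7) % 7                   # wraps from Saturday back to Sunday
    }
    return [int](($gaps | Measure-Object -Minimum).Minimum)
}

$namespace = "root\SMS\site_$ProviderSiteCode"
$tasks = Get-WmiObject -ComputerName $ProviderServer -Namespace $namespace `
                       -Class SMS_SCI_SQLTask -Filter "SiteCode='$SiteCode'"

$clientDiscoveryTasks = @('Delete Inactive Client Discovery Data', 'Delete Obsolete Client Discovery Data')

foreach ($task in $tasks) {
    $gap = Get-MinimumRunGapDays -DaysOfWeek $task.DaysOfWeek

    # Delete Aged Log Data: run every day at a secondary site that uses SQL Server Express.
    if ($task.TaskName -eq 'Delete Aged Log Data' -and $SecondarySiteUsesSqlExpress -and $gap -ne 1) {
        Write-Warning "$($task.TaskName) runs at most every $gap day(s); configure it to run every day at this secondary site."
    }

    # The client discovery deletion tasks must run less often than Heartbeat Discovery,
    # or active clients can be deleted before they send the heartbeat record that keeps them active.
    if ($clientDiscoveryTasks -contains $task.TaskName -and $task.Enabled -and $gap -le $HeartbeatDiscoveryIntervalDays) {
        Write-Warning "$($task.TaskName) runs every $gap day(s) but Heartbeat Discovery runs every $HeartbeatDiscoveryIntervalDays day(s); lengthen the task interval."
    }

    # Emit every task so the whole schedule is visible in one pass.
    [pscustomobject]@{
        SiteCode          = $task.SiteCode
        TaskName          = $task.TaskName
        Enabled           = [bool]$task.Enabled
        MinimumRunGapDays = $gap
    }
}
```

Run it from a computer with the Configuration Manager console installed, using an account that can read the SMS Provider; the objects it emits can be piped to Format-Table or exported for a change record.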
Planning for Alerts
System Center 2012 Configuration Manager generates alerts that you can use to monitor the
status of objects as they perform a task. Alerts can indicate a completed task, an interim status of
a task, or the failure of a task.
Alerts are listed in several places in the Configuration Manager console. A complete list of alerts
is provided in the Monitoring workspace in the Alerts node. The most recent active alerts are
displayed in the Overview of the workspace that they are associated with. For example, select
Assets and Compliance to see a list of the most recent alerts listed in the Assets and
Compliance Overview. The list of the most recent alerts is updated whenever a new alert is
generated or the state of an alert has changed for that workspace.
For more information about managing alerts, see Configuring Alerts in Configuration Manager.
For more information about what you can do when an alert is generated, see Monitor Alerts in
Configuration Manager.
See Also
Planning for Configuration Manager Sites and Hierarchy
Planning for High Availability with Configuration Manager
System Center 2012 Configuration Manager sites, hierarchy of sites, and Configuration Manager
clients can each take advantage of options that maintain a high level of available service. These
include the following:
 Sites support multiple instances of site system servers that provide important services to
clients.
 Central administration sites and primary sites support the backup of the site database. The
site database contains all the configurations for sites and clients, and it is shared between
sites in a hierarchy that contain a central administration site.
 Built-in site recovery options can reduce server downtime and include advanced options that
simplify recovery when you have a hierarchy with a central administration site.
 Clients can automatically remediate typical issues without administrative intervention.
 Sites generate alerts about clients that fail to submit recent data, which alerts administrators
to potential problems.
 Configuration Manager provides several built-in reports that enable administrators to identify
problems and trends before they become problems for server or client operations.
Configuration Manager does not provide a real-time service and you must expect it to operate
with some data latency. Therefore, it is unusual for most scenarios that involve a temporary
interruption of service to become a critical problem. When you have configured your sites and
hierarchies with high availability in mind, downtime can be minimized, autonomy of operations
maintained, and a high level of service provided.
For example, Configuration Manager clients typically operate autonomously by using known
schedules and configurations for operations, and schedules to submit data to the site for
processing. When clients cannot contact the site, they cache data to be submitted until they can
contact the site. Additionally, clients that cannot contact the site continue to operate by using the
last known schedules and cached information, such as a previously downloaded application that
they must run or install, until they can contact the site and receive new policies. The site monitors
its site systems and clients for periodic status updates, and can generate alerts when these fail to
register. Built-in reports provide insight to ongoing operations as well as historical operations and
trends. Finally, Configuration Manager supports state-based messages that provide near real-time information for ongoing operations.
Use the information in the following sections to help you understand the options to deploy
Configuration Manager in a highly available configuration.
 High Availability for Configuration Manager Clients
 High Availability for Configuration Manager Sites
 Details for Sites and Site System Roles that are Highly Available
 Details for Sites and Site System Roles that are not Highly Available
High Availability for Configuration Manager Clients
The following table provides information about the operations of Configuration Manager clients
that promote high availability.
Feature: Client operations are autonomous
Configuration Manager client autonomy includes the following:
 Clients do not require continuous contact with any specific site system servers. They use known configurations to perform preconfigured actions on a schedule.
 Clients can use any available instance of a site system role that provides services to clients, and they will attempt to contact known servers until an available server is located.
 Clients can run inventory, software deployments, and similar scheduled actions independent of direct contact with site system servers.
 Clients that are configured to use a fallback status point can submit details to the fallback status point when they cannot communicate with a management point.

Feature: Clients can repair themselves
Clients automatically remediate most typical issues without direct administrative intervention:
 Periodically, clients self-evaluate their status and take action to remediate typical problems by using a local cache of remediation steps and source files for repairs.
 When a client fails to submit status information to its site, the site can generate an alert. Administrative users that receive these alerts can take immediate action to restore the normal operation of the client.

Feature: Clients cache information to use in the future
When a client communicates with a management point, the client can obtain and cache the following information:
 Client settings.
 Client schedules.
 Information about software deployments and a download of the software the client is scheduled to install, when the deployment is configured for this action.
When a client cannot contact a management point, the following action is taken:
 Clients locally cache the status, state, and client information they report to the site, and transfer this data after they establish contact with a management point.

Feature: Clients can submit status to a fallback status point
When you configure a client to use a fallback status point, you provide an additional point of contact for the client to submit important details about its operation:
 Clients that are configured to use a fallback status point continue to send status about their operations to that site system role even when the client cannot communicate with a management point.

Feature: Central management of client data and client identity
The site database rather than the individual client retains important information about each client's identity, and associates that data to a specific computer, or user. This has the following results:
 The client source files on a computer can be uninstalled and reinstalled without affecting the historical records that are associated with the computer where the client is installed.
 Failure of a client computer does not affect the integrity of the information that is stored in the database. This information can remain available for reporting.
High Availability for Configuration Manager Sites
At each site, you deploy site system roles to provide the services that you want clients to use at that site. The site database contains the configuration information for the site and for all clients. Use one or more of the available options to provide for high availability of the site database, and the recovery of the site and site database if needed.
The following table provides information about the available options for Configuration Manager
sites that support high availability.
Option: Use a SQL Server cluster to host the site database
When you use a SQL Server cluster for the database at a central administration site or primary site, you use the fail-over support built into SQL Server.
Secondary sites cannot use a SQL Server cluster, and do not support backup or restoration of their site database. You recover a secondary site by reinstalling the secondary site from its parent primary site.

Option: Deploy a hierarchy of sites with a central administration site, and one or more child primary sites
This configuration can provide fault tolerance when your sites manage overlapping segments of your network. In addition, this configuration offers an additional recovery option to use the information in the shared database available at another site, to rebuild the site database at the recovered site. You can use this option to replace a failed or unavailable backup of the failed site's database.

Option: Create regular backups at central administration sites and primary sites
When you create and test a regular site backup, you can ensure that you have the data necessary to recover a site, and the experience to recover a site in the minimal amount of time.

Option: Install multiple instances of site system roles
When you install multiple instances of critical site system roles such as the management point and distribution point, you provide redundant points of contact for clients in the event that a specific site system server is offline.

Option: Install multiple instances of the SMS Provider at a site
The SMS Provider provides the point of administrative contact for one or more Configuration Manager consoles. When you install multiple SMS Providers, you can provide redundancy for contact points to administer your site and hierarchy.
Details for Sites and Site System Roles that are Highly Available
The following table provides information about features available at sites, and the site system
roles that are part of a high availability configuration.
Feature: Redundancy for important site system roles
You can install multiple instances of the following site system roles to provide important services to clients:
 Management point
 Distribution point
 State migration point
 System Health Validator point
 Application Catalog web service point
 Application Catalog website point
You can install multiple instances of the following site system role to provide redundancy for reporting on sites and clients:
 Reporting services point
You can install the following site system role on a Windows Network Load Balancing (NLB) cluster to provide failover support:
 Software update point

Feature: Built-in site backup
Configuration Manager includes a built-in backup task to help you back up your site and critical information on a regular schedule. Additionally, the Configuration Manager Setup wizard supports site restoration actions to help you restore a site to operations.

Feature: Publishing to Active Directory Domain Services and DNS
You can configure each site to publish data about site system servers and services to Active Directory Domain Services and to DNS. This enables clients to identify the most accessible server on the network, and to identify when new site system servers that can provide important services, such as management points, are available.

Feature: SMS Providers and Configuration Manager consoles
Configuration Manager supports installing multiple SMS Providers, each on a separate computer, to ensure multiple access points for Configuration Manager consoles. This ensures that if one SMS Provider computer is offline, you maintain the ability to view and reconfigure Configuration Manager sites and clients.
When a Configuration Manager console connects to a site, it connects to an instance of the SMS Provider at that site. The instance of the SMS Provider is selected nondeterministically. If the selected SMS Provider is not available, you have the following options:
 Reconnect the console to the site. Each new connection request is nondeterministically assigned an instance of the SMS Provider, and it is possible that the new connection will be assigned an available instance.
 Connect the console to a different Configuration Manager site and manage the configuration from that connection. This introduces a slight delay of configuration changes of no more than a few minutes. After the SMS Provider for the site is online, you can reconnect your Configuration Manager console directly to the site that you want to manage.
You can install the Configuration Manager console on multiple computers for use by administrative users. Each SMS Provider supports connections from multiple Configuration Manager consoles.
Feature: Management point
Install multiple management points at each primary site, and enable the sites to publish site data to your Active Directory infrastructure, and to DNS.
Multiple management points help to load-balance the use of any single management point by multiple clients. In addition, you can install one or more database replicas for management points to decrease the CPU-intensive operations of the management point, and to increase the availability of this critical site system role.
You can install only one management point in a secondary site, which must be located on the secondary site server. If this management point is unavailable, clients can fall back to using a management point in their assigned site.
Note: Mobile devices that are enrolled by Configuration Manager can connect to only one management point in a primary site. The management point is assigned by Configuration Manager to the mobile device during enrollment and then does not change. When you install multiple management points and enable more than one for mobile devices, the management point that is assigned to a mobile device client is non-deterministic.
If the management point that a mobile device client uses becomes unavailable, you must resolve the problem with this management point, or wipe the mobile device and re-enroll it so that it can be assigned to an operational management point that is enabled for mobile devices.

Feature: Distribution point
Install multiple distribution points, and deploy content to multiple distribution points. You can configure overlapping boundary groups for content location to ensure that clients on each subnet can access a deployment from two or more distribution points. Finally, consider configuring one or more distribution points as fallback locations for content.
For more information about fallback locations for content, see the Planning for Preferred Distribution Points and Fallback section in the Planning for Content Management in Configuration Manager topic.

Feature: Application Catalog web service point and Application Catalog website point
You can install multiple instances of each site system role, and for best performance, deploy one of each on the same site system computer.
Each Application Catalog site system role provides the same information as other instances of that site system role regardless of the location of this site system role in the hierarchy. Therefore, when a client makes a request for the Application Catalog and you have configured the Default Application Catalog website point device client setting for Automatically detect, the client can be directed to an available instance, with preference given to local Application Catalog site system servers, based on the current network location of the client.
For more information about this client setting and how automatic detection works, see the Computer Agent client setting section in the About Client Settings in Configuration Manager topic.
Details for Sites and Site System Roles that are not Highly Available
Several site systems do not support multiple instances at a site or in the hierarchy.
Use the information in the following table to help you plan if these site systems go off-line.
Site system server: Site server (site)
Configuration Manager does not support the installation of the site server for each site on a Windows Server cluster or NLB cluster.
The following information can help you prepare for when a site server fails or is not operational:
 Use the built-in backup task to regularly create a backup of the site. In a test environment, regularly practice restoring sites from a backup.
 Deploy multiple Configuration Manager primary sites in a hierarchy with a central administration site to create redundancy. If you experience a site failure, consider using Windows group policy or logon scripts to reassign clients to a functional site.
 If you have a hierarchy with a central administration site, you can recover the central administration site or a child primary site by using the option to recover a site database from another site in your hierarchy.
 Secondary sites cannot be restored, and must be reinstalled.
Site system server: Asset Intelligence synchronization point (hierarchy)
This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options:
 Resolve the reason for the site system to be offline.
 Uninstall the role from the current server, and install the role on a new server.

Site system server: Endpoint Protection point (hierarchy)
This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options:
 Resolve the reason for the site system to be offline.
 Uninstall the role from the current server, and install the role on a new server.

Site system server: Enrollment point (site)
This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options:
 Resolve the reason for the site system to be offline.
 Uninstall the role from the current server, and install the role on a new server.

Site system server: Enrollment proxy point (site)
This site system role is not considered mission critical and provides optional functionality in Configuration Manager. However, you can install multiple instances of this site system role at a site, and at multiple sites in the hierarchy. If this site system goes offline, use one of the following options:
 Resolve the reason for the site system to be offline.
 Uninstall the role from the current server, and install the role on a new server.
When you have more than one enrollment proxy server in a site, use a DNS alias for the server name. When you use this configuration, DNS round robin provides some fault tolerance and load balancing for when users enroll their mobile devices. For more information, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager.

Site system server: Fallback status point (site or hierarchy)
This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options:
 Resolve the reason for the site system to be offline.
 Uninstall the role from the current server, and install the role on a new server. Because clients are assigned the fallback status point during client installation, you will need to modify existing clients to use the new site system server.

Site system server: Out of band service point (site)
This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options:
 Resolve the reason for the site system to be offline.
 Uninstall the role from the current server, and install the role on a new server.
See Also
Planning for Configuration Manager Sites and Hierarchy
Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager
The following scenarios provide examples of how you can implement System Center 2012
Configuration Manager to solve typical business requirements and simplify your overall hierarchy
design.
Scenario 1: Remote Office Optimization
The remote office optimization scenario demonstrates an implementation of System Center 2012
Configuration Manager that reduces the administrative overhead required for managing
information flow across the network.
Current Situation
The customer has a simple Configuration Manager 2007 hierarchy of one primary site with two
secondary sites that include a warehouse and a remote district office location. The customer has
5,015 clients across four locations as shown in the following table.
Location: Headquarters | Site type: Primary | Connection to headquarters: Not Applicable
Deployment details:
 3,000 clients
 Two standard distribution points, one management point, and one software update point

Location: Warehouse | Site type: Secondary | Connection to headquarters: Slow Network
Deployment details:
 500 clients
 One standard distribution point

Location: District Office | Site type: Secondary | Connection to headquarters: Slow Network
Deployment details:
 1,500 clients
 One standard distribution point, one proxy management point, and one software update point

Location: Sales Office | Site type: None | Connection to headquarters: Well Connected
Deployment details:
 15 clients
 Use of Windows BranchCache
Business Requirements
The System Center 2012 Configuration Manager hierarchy must support the following business
requirements:
Business requirement: The data transferred over the network must not use excessive bandwidth.
Configuration Manager information: Slow network connections must support bandwidth control.

Business requirement: Minimize the number of servers used.
Configuration Manager information: Install the minimum number of site system servers possible.

Business requirement: Produce reports that provide current information about devices.
Configuration Manager information: Clients must regularly submit their hardware inventory data, status messages, and discovery information.

Business requirement: Deploy applications, software updates, and operating system deployments on a daily basis.
Configuration Manager information: Content must be available to clients, including large packages for operating system images.
Planning Decisions
Design of the System Center 2012 Configuration Manager hierarchy includes the following
planning considerations:
Challenge: The transfer of deployment content from the primary site to remote locations represents the largest effect on the network and must be managed.
Options and considerations: Content transmission to remote locations can be managed by:
 Distribution points enabled for bandwidth control
 Prestage for distribution points
 Windows BranchCache
 A local site to manage the network bandwidth used during site-to-site transfers

Challenge: The flow of client information from large numbers of clients can slow down the network.
Options and considerations: Each remote location must be evaluated for network capacity, balancing the client settings, the number of clients at the location, and the available network bandwidth. Options include the following:
 A local primary or secondary site to manage the network bandwidth during site-to-site transfers.
 No site at the location, allowing clients to transfer their data unmanaged across the network to an assigned primary site.
Steps Taken
After evaluation of requirements and options, client locations, and available network bandwidth,
the following decisions are made:

Decision: A stand-alone primary site is deployed at the Headquarters location.
Details: A System Center 2012 Configuration Manager primary site replaces the existing primary site, as there are no administrative or content management benefits gained by the use of a central administration site for this environment.
• A primary site can support up to 100,000 clients.
• There is no planned expansion that could require additional primary sites to manage large numbers of clients across slow network connections.

Decision: A distribution point enabled for bandwidth control is deployed to the warehouse location.
Details: The effect of client information flowing up from the warehouse location will not overwhelm the available network bandwidth. In place of a secondary site, the location's needs can be met by the use of a distribution point enabled for bandwidth control, deployed from the primary site to manage the downward flow of deployment content. This decision does not reduce the number of servers in use but does remove the requirement to manage an additional site.
• The current client activity is not sufficient to require management of upward-flowing client data.
• Only downward-flowing content requires management to avoid affecting the slow network connection.
• In the future, the distribution point can be replaced by a secondary site that can manage network traffic in both directions if it is needed.

Decision: A secondary site is deployed to the District Office location.
Details: After evaluation of the effect from the local clients, it is decided that a secondary site with the same configuration previously used will be required.
• 1,500 clients generate enough client information to exceed the available network connection to the primary site.
• A primary site is not required, as there is no administrative benefit to be provided by a primary site, and the hierarchy's combined client total is easily handled by the primary site at the Headquarters location.

Decision: The use of Windows BranchCache is maintained at the Sales Office location.
Details: Because this location serves only 15 clients and has a fast network connection to the Headquarters location, the current use of Windows BranchCache as a content deployment solution remains the best option.
Business Benefits
By using a single distribution point that is enabled for bandwidth control to replace a secondary
site and its distribution point, the customer meets the business requirement for managing content
across slow networks. Additionally, this change decreases the administrative workload and the
time it takes for the site to receive client information.
Scenario 2: Infrastructure Reduction and
Management of Client Settings
The infrastructure reduction and client settings scenario demonstrates an implementation of
System Center 2012 Configuration Manager that reduces infrastructure in use while continuing to
manage clients with customized client settings.
Current Situation
In this example, a company manages 25,000 clients across two physical locations by using a
single Configuration Manager 2007 hierarchy that consists of one central site and three primary
child sites. The central site and one primary site are located in Chicago, and two primary sites are
located in London. The primary sites at each geographic location reside on the same physical
network and have well-connected network links. However, there is limited bandwidth between
Chicago and London.
Current deployment details:

Location: Chicago Headquarters
Type of site: Primary – central site
Deployment details: 19,200 clients that are configured for the company's standard configuration for client agent settings.

Location: Chicago Headquarters
Type of site: Primary – child of central
Deployment details: 300 clients on computers used by people in the Human Resources division. The site is configured for a custom remote control client agent setting.

Location: London Offices
Type of site: Primary – child of central
Deployment details: 5,000 desktop clients that are configured for the company's standard configuration of client agent settings.

Location: London Offices
Type of site: Primary – child of central
Deployment details: 500 server clients that are configured for a custom hardware inventory client agent setting.
Business Requirements
The Configuration Manager hierarchy must meet the following business requirements:

Business requirement: Maintain centralized management of the hierarchy in Chicago.
Configuration Manager information: Central administration from Chicago requires that content and client information is sent over the network for the 5,500 clients in London.

Business requirement: Assign a standard client configuration to all clients unless specific business requirements dictate otherwise.
Configuration Manager information: The standard configuration for client settings must be available for all clients.

Business requirement: Employees in the Human Resources division must not have the Remote Control client agent enabled on their computers.
Configuration Manager information: These custom client settings must be assigned to the computers that are used by the employees in the Human Resources division.

Business requirement: Servers that are located in London must run hardware inventory no more than once a month.
Configuration Manager information: These custom client settings must be assigned to the clients on servers in London.

Business requirement: Control the network bandwidth when transferring data between Chicago and London.
Configuration Manager information: The slow network connection requires bandwidth control.

Business requirement: Minimize the number of servers.
Configuration Manager information: Avoid installing site system servers where possible to reduce administrative tasks and infrastructure costs.
Planning Decisions
The System Center 2012 Configuration Manager hierarchy design includes the following planning
considerations:

Challenge: Central administration in Chicago.
Options and considerations: Options for this requirement include the following:
• Deploy a stand-alone primary site in Chicago to manage clients at both network locations:
  • The amount of client information from London that must be transferred over the slow network must be carefully assessed.
• Deploy a primary site at each location, and a central administration site in Chicago:
  • Central administration sites cannot have clients assigned to them.
  • Central administration sites are required if there are two or more primary sites in the hierarchy.

Challenge: The transfer of content from Chicago to London will consume a lot of network bandwidth, and this data transfer must be controlled.
Options and considerations: The transfer of content down the hierarchy can be managed by the following methods:
• Distribution points that are enabled for bandwidth control.
• Windows BranchCache.
• A London site that is configured to manage the network bandwidth for site-to-site transfers.

Challenge: The requirement to manage the network bandwidth when client information is sent from London.
Options and considerations: Assess the London location for the available network bandwidth and how this will be reduced by the data that is generated by the 5,500 clients. Options include the following:
• Allow clients to transfer their data unmanaged across the network to an assigned primary site in Chicago.
• Deploy a secondary site or primary site in London to manage the network bandwidth during site-to-site transfers to Chicago.

Challenge: A standard set of client settings must be available at all locations.
Options and considerations: A default set of Client Agent Settings is specified for the hierarchy.

Challenge: Two groups, the employees from Human Resources and the servers in London, require client settings that are different from the standard configuration.
Options and considerations: Collections are used to assign custom client settings.
Steps Taken
After an evaluation of the business requirements, the network structure, and the requirements for
client settings, a central administration site is deployed in Chicago with one child primary site in
Chicago and one child primary site in London. The following table explains these design choices.

Decision: A central administration site is deployed in Chicago.
Details:
• This meets the centralized administration requirement by providing a centralized location for reporting and hierarchy-wide configurations.
• Because the central administration site has access to all client and site data in the hierarchy and is a direct parent of both primary sites, it is ideally located to host the content for all locations.

Decision: One primary site is required in Chicago.
Details:
• A primary site is required to manage clients at the Chicago location because the central administration site cannot have clients assigned to it.
• A local primary site is required to locally manage the 14,800 clients.
• Sites in System Center 2012 Configuration Manager are not used to configure client settings, which allows all clients at a location to be assigned to the same site.

Decision: One primary site is deployed in London.
Details:
• Site-to-site address configurations can control the network bandwidth when transferring content from the central administration site in Chicago.
• Sites in System Center 2012 Configuration Manager are not used to configure client settings, which allows all clients at a location to be assigned to the same site.
• A local primary site is deployed to manage the 5,500 local clients so that the clients do not send their information and client policy requests across the network to Chicago. A primary site ensures that future growth in London can be managed with the hierarchy design that is implemented today.
Note
The decision to deploy a primary site or secondary site can include consideration of the following:
• Assessing the available hardware for a site server
• The current number of clients at a location
• Expectations for additional clients in the future
• Political reasons
• Local point of administrative contact

Decision: A standard configuration for client settings is applied to each client in the hierarchy.
Details:
• Default Client Agent Settings are configured and applied to every client in the hierarchy, which results in a consistent configuration for every client.

Decision: A collection is created to contain the user accounts for the employees who work in the Human Resources division. This collection is configured to update regularly so that new accounts can be added to the collection soon after they are created.
Details:
• This collection is configured with custom client settings that disable Remote Control. These settings modify the hierarchy-wide defaults and provide the collection members with the customized client settings that are required for Human Resources employees.
• Because this collection is dynamically updated, new employees in Human Resources automatically receive the customized client settings.
• Because collections are shared with all sites, these customizations are applied to Human Resources employees at any location in the hierarchy without having to consider which site their computer is assigned to.

Decision: A collection is configured to contain the servers located in London.
Details:
• This collection is configured with custom client settings, so that the servers are configured with custom settings for hardware inventory.
Business Benefits
By using custom client settings in System Center 2012 Configuration Manager, the business
requirements are met as follows:
• The infrastructure requirements are reduced by removing sites that were used only to provide
custom client settings to subsets of clients.
• Administration is simplified because the central administration site applies a standard
configuration for client settings to all clients in the hierarchy.
• Two collections of clients are configured for the required customized client settings.
• Network bandwidth is controlled when transferring data between Chicago and London.
See Also
Planning for Configuration Manager Sites and Hierarchy
Configuring Sites and Hierarchies in
Configuration Manager
Configuration Topics
• Prepare the Windows Environment for Configuration Manager
• Install Sites and Create a Hierarchy for Configuration Manager
• Configure Sites and the Hierarchy in Configuration Manager
• Install and Configure Site System Roles for Configuration Manager
• Configure Database Replicas for Management Points
• Migrate Data from Configuration Manager 2007 to Configuration Manager
Other Resources for this Product
• TechNet Library main page for System Center 2012 Configuration Manager
• Site Administration for System Center 2012 Configuration Manager
Prepare the Windows Environment for
Configuration Manager
Use the information in the following sections to help you configure your Windows environment to
support System Center 2012 Configuration Manager.
• Prepare Active Directory for Configuration Manager
• Extend the Active Directory Schema
• Create the System Management Container
• Set Security Permissions on the System Management Container
• Configure Windows-Based Servers for Configuration Manager Site System Roles
• Remote Differential Compression
• Internet Information Services (IIS)
• Request Filtering for IIS
Prepare Active Directory for Configuration
Manager
Extending the Active Directory schema is a forest-wide configuration that you perform one time
per forest. Extending the schema is an irreversible action and must be done by a user who is a
member of the Schema Admins group or who has been delegated sufficient permissions to modify
the schema. If you decide to extend the Active Directory schema, you can extend it before or after
Setup. For information to help you decide whether to extend the Active Directory schema, see
Determine Whether to Extend the Active Directory Schema for Configuration Manager.
Tip
If the Active Directory schema was extended with the Configuration Manager 2007
schema extensions, you do not have to extend the schema for System Center 2012
Configuration Manager. The Active Directory schema extensions are unchanged from
Configuration Manager 2007.
Three actions are required to enable Configuration Manager clients to query Active Directory
Domain Services to locate site resources:
• Extend the Active Directory schema.
• Create the System Management container.
• Set security permissions on the System Management container.
Extend the Active Directory Schema
Configuration Manager supports two methods to extend the Active Directory schema. The first is
to use the extadsch.exe utility. The second is to use the LDIFDE utility to import the schema
extension information by using the ConfigMgr_ad_schema.ldf file.
Tip
Before you extend your Active Directory schema, test the schema extensions for conflicts
with your current Active Directory schema. For information about how to test the Active
Directory schema extensions, see Testing for Active Directory Schema Extension
Conflicts in the Active Directory Domain Services documentation.
Extend the Active Directory Schema by Using ExtADSch.exe
You can extend the Active Directory schema by running the extadsch.exe file located in the
SMSSETUP\BIN\X64 folder on the Configuration Manager installation media. The extadsch.exe
file does not display output when it runs, but it does provide feedback when you run it from a
command prompt. When extadsch.exe runs, it generates a log file in the root of the system drive
named extadsch.log, which indicates whether the schema update completed successfully or any
problems that were encountered while extending the schema.
Note
In addition to generating a log file, the extadsch.exe program displays results in the
console window when it is run from the command line.
The following are limitations to using extadsch.exe:
• Extadsch.exe is not supported when run on a Windows 2000-based computer. To extend
the Active Directory schema from a Windows 2000-based computer, use the
ConfigMgr_ad_schema.ldf file.
• To enable the extadsch.log file to be created when you run extadsch.exe on a Windows Vista
computer, you must be logged on to the computer with an account that has local administrator
permissions.
To extend the Active Directory schema by using Extadsch.exe
1. Create a backup of the schema master domain controller's system state.
2. Ensure that you are logged on to the schema master domain controller with an account
that is a member of the Schema Admins security group.
Important
You must be logged on as a member of the Schema Admins security group in
order to successfully extend the schema. Running the extadsch.exe file by using
the Run As command to attempt to extend the schema using alternate
credentials will fail.
3. Run extadsch.exe, located at SMSSETUP\BIN\X64 on the installation media, to add the
new classes and attributes to the Active Directory schema.
4. Verify that the schema extension was successful by reviewing the extadsch.log file located
in the root of the system drive.
5. If the schema extension procedure was unsuccessful, restore the schema master's
previous system state from the backup created in step 1.
Note
To restore the system state on a Windows domain controller, the system must be
restarted in Directory Services Restore Mode. For more information about
Directory Services Restore Mode, see Restart the Domain Controller in Directory
Services Restore Mode Locally.
Extend the Active Directory Schema by Using an LDIF File
You can use the LDIFDE command-line utility to import directory objects into Active Directory
Domain Services by using LDAP Data Interchange Format (LDIF) files.
For greater visibility of the changes being made to the Active Directory schema than the
extadsch.exe utility provides, you can use the LDIFDE utility to import schema extension
information by using the ConfigMgr_ad_schema.ldf file located in the SMSSETUP\BIN\X64
folder on the Configuration Manager installation media.
Note
The ConfigMgr_ad_schema.ldf file is unchanged from the version provided with
Configuration Manager 2007.
To extend the Active Directory schema by using the ConfigMgr_ad_schema.ldf file
1. Create a backup of the schema master domain controller's system state.
2. Open the ConfigMgr_ad_schema.ldf file, located in the SMSSETUP\BIN\X64 directory
of the Configuration Manager installation media, and edit the file to define the Active
Directory root domain to extend. All instances of the text DC=x in the file must be
replaced with the full name of the domain to extend.
For example, if the full name of the domain to extend is widgets.microsoft.com,
change all instances of DC=x in the file to DC=widgets, DC=microsoft, DC=com.
3. Use the LDIFDE command-line utility to import the contents of the
ConfigMgr_ad_schema.ldf file into Active Directory Domain Services.
For example, the following command line will import the schema extensions into Active
Directory Domain Services, turn on verbose logging, and create a log file during the
import process:
ldifde -i -f ConfigMgr_ad_schema.ldf -v -j <location to store log file>
4. To verify that the schema extension was successful, you can review the log file created
by the command line used in step 3.
5. If the schema extension procedure was unsuccessful, restore the schema master's
previous system state from the backup created in step 1.
Note
To restore the system state on a Windows domain controller, the system must be
restarted in Directory Services Restore Mode. For more information about
Directory Services Restore Mode, see Restart the Domain Controller in Directory
Services Restore Mode Locally.
Create the System Management Container
Configuration Manager does not automatically create the System Management container in
Active Directory Domain Services when the schema is extended. The container must be created
one time for each domain that includes a Configuration Manager primary site server or secondary
site server that publishes site information to Active Directory Domain Services.
Tip
You can grant the site server's computer account Full Control permission to the System
container in Active Directory Domain Services, which results in the site server
automatically creating the System Management container when site information is first
published to Active Directory Domain Services. However, it is more secure to manually
create the System Management container.
Use ADSI Edit to create the System Management container in Active Directory Domain Services.
For more information about how to install and use ADSI Edit, see ADSI Edit (adsiedit.msc) in the
Active Directory Domain Services documentation.
To manually create the System Management container
1. Log on as an account that has the Create All Child Objects permission on the System
container in Active Directory Domain Services.
2. Run ADSI Edit, and connect to the domain in which the site server resides.
3. Expand Domain <computer fully qualified domain name>, expand <distinguished name>,
right-click CN=System, click New, and then click Object.
4. In the Create Object dialog box, select Container, and then click Next.
5. In the Value box, type System Management, and then click Next.
6. Click Finish to complete the procedure.
Set Security Permissions on the System Management Container
After you have created the System Management container in Active Directory Domain Services,
you must grant the site server's computer account the permissions that are required to publish
site information to the container.
Important
The primary site server computer account must be granted Full Control permissions to
the System Management container and all its child objects. If you have secondary sites,
the secondary site server computer account must also be granted Full Control
permissions to the System Management container and all its child objects.
You can grant the necessary permissions by using the Active Directory Users and Computers
administrative tool or the Active Directory Service Interfaces Editor (ADSI Edit). For more
information about how to install and use ADSI Edit, see ADSI Edit (adsiedit.msc).
Note
The following procedures are provided as examples of how to configure Windows Server
2008 R2 computers. If you are using a different operating system version, please refer to
that operating system's documentation for information on how to make similar
configurations.
To apply permissions to the System Management container by using the Active
Directory Users and Computers administrative tool
1. Click Start, click Run, and then enter dsa.msc to open the Active Directory Users and
Computers administrative tool.
2. Click View, and then click Advanced Features.
3. Expand the System container, right-click System Management, and then click
Properties.
4. In the System Management Properties dialog box, click the Security tab, and then click
Add to add the site server computer account. Grant the account Full Control
permissions.
5. Click Advanced, select the site server's computer account, and then click Edit.
6. In the Apply to list, select This object and all descendant objects.
7. Click OK, and then close the Active Directory Users and Computers administrative tool to
complete the procedure.
To apply permissions to the System Management container by using the ADSI Edit
console
1. Click Start, click Run, and enter adsiedit.msc to open the ADSI Edit console.
2. If necessary, connect to the site server's domain.
3. In the console pane, expand the site server's domain, expand DC=<server
distinguished name>, and then expand CN=System. Right-click CN=System
Management, and then click Properties.
4. In the CN=System Management Properties dialog box, click the Security tab, and then
click Add to add the site server computer account. Grant the account Full Control
permissions.
5. Click Advanced, select the site server's computer account, and then click Edit.
6. In the Apply onto list, select This object and all descendant objects.
7. Click OK to close the ADSI Edit console and complete the procedure.
Configure Windows-Based Servers for
Configuration Manager Site System Roles
Before you can use a Windows Server computer with System Center 2012 Configuration Manager,
you must ensure that the computer is configured to support Configuration Manager operations. Use
the information in the following sections to configure Windows servers for Configuration Manager.
For more information about site system role prerequisites, see the Prerequisites for Site System
Roles section in the Supported Configurations for Configuration Manager topic.
Note
The procedures in the following sections are provided as examples of how to configure
Windows Server 2008 or Windows Server 2008 R2 computers. If you are using a
different operating system version, please refer to that operating system's documentation
for information on how to make similar configurations.
Remote Differential Compression
Site servers and distribution points require Remote Differential Compression (RDC) to generate
package signatures and perform signature comparison. If RDC is not enabled, you must enable it
on these site system servers. By default, RDC is not enabled on Windows Server 2008 or
Windows Server 2008 R2.
Use the following procedure as an example of how to enable Remote Differential Compression on
Windows Server 2008 and Windows Server 2008 R2 computers. If you have a different operating
system version, refer to your operating system documentation for the equivalent procedure.
To configure Remote Differential Compression for Windows Server 2008 or
Windows Server 2008 R2
1. On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start /
All Programs / Administrative Tools / Server Manager to start Server Manager. In
Server Manager, select the Features node and click Add Features to start the Add
Features Wizard.
2. On the Select Features page, select Remote Differential Compression, and then click
Next.
3. Complete the wizard and close Server Manager to complete the configuration.
Internet Information Services (IIS)
Several site system roles require Internet Information Services (IIS). If IIS is not already enabled,
you must enable it on site system servers before you install a site system role that requires IIS. In
addition to the site system server, the following site system roles require IIS:
• Application Catalog web service point
• Application Catalog website point
• Distribution point
• Enrollment point
• Enrollment proxy point
• Fallback status point
• Management point
• Software update point
The minimum version of IIS that Configuration Manager requires is the default version that is
supplied with the operating system of the server that runs the site system.
For example, when you enable IIS on a Windows Server 2008 computer that you plan to use as a
distribution point, IIS 7.0 is installed. You can also install IIS 7.5. If you enable IIS on a Windows 7
computer for a distribution point, IIS 7.5 is automatically installed. You cannot use IIS version 7.0
for a distribution point that runs Windows 7.
Use the following procedure as an example of how to install IIS on a Windows Server 2008 or
Windows Server 2008 R2 computer. If you have a different operating system version, refer to
your operating system documentation for the equivalent procedure.
To install Internet Information Services (IIS) on Windows Server 2008 and Windows
Server 2008 R2 computers
1. On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start /
All Programs / Administrative Tools / Server Manager to start Server Manager. In
Server Manager, select the Features node and click Add Features to start the Add
Features Wizard.
2. On the Select Features page of the Add Features Wizard, install any additional features
that are required to support the site system roles you install on this computer. For
example, to add BITS Server Extensions:
• For Windows Server 2008, select the BITS Server Extensions check box. For
Windows Server 2008 R2, select the Background Intelligent Transfer Services
(BITS) check box. When prompted, click Add Required Role Services to add the
dependent components, including the Web Server (IIS) role, and then click Next.
Tip
If you are configuring a computer that will be a site server or distribution point,
ensure that the check box for Remote Differential Compression is selected.
3. On the Web Server (IIS) page of the Add Features Wizard, click Next.
4. On the Select Role Services page of the Add Features Wizard, install any additional role
services that are required to support the site system roles you install on this computer.
For example, to add ASP.NET and Windows Authentication:
• For Application Development, select the ASP.NET check box and, when prompted,
click Add Required Role Services to add the dependent components.
• For Security, select the Windows Authentication check box.
5. In the Management Tools node, for IIS 6 Management Compatibility, ensure that both
the IIS 6 Metabase Compatibility and IIS 6 WMI Compatibility check boxes are
selected, and then click Next.
6. On the Confirmation page, click Install, complete the wizard, and close Server Manager
to complete the configuration.
Request Filtering for IIS
By default, IIS blocks several file name extensions and folder locations from access by HTTP or
HTTPS communication. If your package source files contain extensions that are blocked in IIS,
you must configure the requestFiltering section in the applicationHost.config file on distribution
point computers.
The following file name extensions are used by Configuration Manager for packages and
applications. Allow the following file name extensions on distribution points:
• .PCK
• .PKG
• .STA
• .TAR
For example, you might have source files for a software deployment that include a folder named
bin, or that contain a file with the .mdb file name extension. By default, IIS request filtering
blocks access to these elements. When you use the default IIS configuration on a distribution
point, clients that use BITS fail to download this software deployment from the distribution point.
In this scenario, the clients indicate that they are waiting for content. To enable the clients to
download this content by using BITS, on each applicable distribution point, edit the
requestFiltering section of the applicationHost.config file to allow access to the files and folders
in the software deployment.
Important
Modifications to the requestFiltering section apply to all websites on that server. This
configuration increases the attack surface of the computer. The security best practice is
to run Configuration Manager on a dedicated web server. If you must run other
applications on the web server, use a custom website for Configuration Manager. For
information about custom websites, see the Planning for Custom Websites with
Configuration Manager section in Planning for Site Systems in Configuration Manager.
Use the following procedure as an example of how to modify requestFiltering on a
Windows Server 2008 or Windows Server 2008 R2 computer. If you have a different operating
system version, refer to your operating system documentation for the equivalent procedure.
To configure request filtering for IIS on distribution points
1. On the distribution point computer, open the applicationHost.config file located in the
%Windir%\System32\Inetsrv\Config directory.
2. Search for the <requestFiltering> section.
3. Determine the file name extensions and folder names that you will have in the packages
on this distribution point. For each extension and folder name that you require, perform
the following steps:
• If it is listed as a fileExtension element, set the value for allowed to true.
For example, if your content contains a file with an .mdb extension, change the line
<add fileExtension=".mdb" allowed="false" /> to <add fileExtension=".mdb"
allowed="true" />.
Allow only the file name extensions required for your content.
• If it is listed as an entry in the <hiddenSegments> element, delete the entry that matches
the file name extension or folder name from the file.
For example, if your content contains a folder with the label of bin, remove the line
<add segment="bin" /> from the file.
4. Save and close the applicationHost.config file to complete the configuration.
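As an added example that is not part of the Microsoft documentation or the product, the following Python script audits a constructed applicationHost.config fragment for the extensions and folders that a deployment needs and changes only those entries, leaving the rest of the request-filtering configuration as IIS shipped it (the rule the Important note above asks for). The sample XML and the function names are this example's own assumptions.

```python
# Added example (not Microsoft documentation or product code): audit and minimally
# adjust the IIS requestFiltering section an SCCM distribution point depends on.
import xml.etree.ElementTree as ET

# Extensions Configuration Manager uses for package and application content.
CONFIGMGR_EXTENSIONS = {".pck", ".pkg", ".sta", ".tar"}

# Constructed sample shaped like applicationHost.config (not a real server's file):
# .mdb and .PCK blocked, "bin" hidden, .config blocked and meant to stay that way.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".mdb" allowed="false" />
          <add fileExtension=".config" allowed="false" />
          <add fileExtension=".PCK" allowed="false" />
        </fileExtensions>
        <hiddenSegments>
          <add segment="web.config" />
          <add segment="bin" />
          <add segment="App_Code" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

def load_config(xml_text):
    """Parse applicationHost.config text and return the root element."""
    return ET.fromstring(xml_text)

def request_filtering(root):
    node = root.find("./system.webServer/security/requestFiltering")
    if node is None:
        raise ValueError("no requestFiltering section in this configuration")
    return node

def blocked_extensions(root, needed):
    """Extensions in `needed` that IIS refuses: listed with allowed="false",
    or unlisted while allowUnlisted="false". IIS matching is case-insensitive."""
    exts = request_filtering(root).find("fileExtensions")
    listed, allow_unlisted = {}, True
    if exts is not None:
        allow_unlisted = exts.get("allowUnlisted", "true").lower() == "true"
        for add in exts.findall("add"):
            ext = add.get("fileExtension", "").lower()
            listed[ext] = add.get("allowed", "true").lower() == "true"
    blocked = []
    for ext in sorted(e.lower() for e in needed):
        if ext in listed and not listed[ext]:
            blocked.append(ext)
        elif ext not in listed and not allow_unlisted:
            blocked.append(ext)
    return blocked

def blocking_segments(root, folder_names):
    """hiddenSegments entries that would hide one of the content folders."""
    segs = request_filtering(root).find("hiddenSegments")
    if segs is None:
        return []
    wanted = {f.lower() for f in folder_names}
    return sorted(a.get("segment") for a in segs.findall("add")
                  if a.get("segment", "").lower() in wanted)

def allow_extensions(root, needed):
    """Allow only the needed extensions (adding an explicit entry when unlisted
    extensions are rejected); every other entry is left untouched."""
    rf = request_filtering(root)
    exts = rf.find("fileExtensions")
    if exts is None:
        exts = ET.SubElement(rf, "fileExtensions")
    allow_unlisted = exts.get("allowUnlisted", "true").lower() == "true"
    wanted, present, changed = {e.lower() for e in needed}, set(), []
    for add in exts.findall("add"):
        ext = add.get("fileExtension", "").lower()
        present.add(ext)
        if ext in wanted and add.get("allowed", "true").lower() != "true":
            add.set("allowed", "true")
            changed.append(ext)
    if not allow_unlisted:
        for ext in sorted(wanted - present):
            ET.SubElement(exts, "add", fileExtension=ext, allowed="true")
            changed.append(ext)
    return sorted(changed)

def remove_segments(root, folder_names):
    """Delete only the hiddenSegments entries that match the content folders."""
    segs = request_filtering(root).find("hiddenSegments")
    if segs is None:
        return []
    wanted = {f.lower() for f in folder_names}
    removed = []
    for add in list(segs.findall("add")):
        if add.get("segment", "").lower() in wanted:
            segs.remove(add)
            removed.append(add.get("segment"))
    return sorted(removed)
```

Run `blocked_extensions` and `blocking_segments` first to see what the default filtering would refuse, then `allow_extensions` and `remove_segments` with exactly the list your content needs; `ET.tostring(root, encoding="unicode")` gives the edited XML.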
See Also
Configuring Sites and Hierarchies in Configuration Manager
Install Sites and Create a Hierarchy for
Configuration Manager
You can use the Setup Wizard in System Center 2012 Configuration Manager to install and
uninstall sites, create a Configuration Manager hierarchy, recover a site, and perform site
maintenance. Use the following sections in this topic to help you to install sites, create a
hierarchy, and learn more about the Setup options.
 What’s New in Configuration Manager
 Things to Consider Before You Run Setup
 Pre-Installation Applications
 Setup Downloader
 Prerequisite Checker
 Manual Steps to Prepare for Site Server Installation
 System Center 2012 Configuration Manager Setup Wizard
 Install a Configuration Manager Console
 Manage Configuration Manager Console Languages
 Install a Site Server
 Install a Central Administration Site
 Install a Primary Site Server
 Install a Secondary Site
 Upgrade an Evaluation Installation to a Full Installation
 Using Command-Line Options with Setup
 Configuration Manager Unattended Setup
 Decommission Sites and Hierarchies
 Configuration Manager Site Naming
What’s New in Configuration Manager
The information in this section also appears in the Getting Started with System Center
2012 Configuration Manager guide.
The following options in Setup for site installation are new or have changed since Configuration
Manager 2007.
 Central Administration Site
The top-level Configuration Manager 2007 site in a multi-primary site hierarchy was known as
a central site. In System Center 2012 Configuration Manager the central site is replaced by
the central administration site. The central administration site is not a primary site at the top
of the hierarchy, but rather a site that is used for reporting and to facilitate communication
between primary sites in the hierarchy. A central administration site supports a limited
selection of site system roles and does not directly support clients or process client data.
 Installation of Site System Roles
The following site system roles can be installed and configured for a primary site during
Setup:
 Management point
 Distribution point
You can install the site system roles locally on the site server or on a different computer. After
installation, you can use the Configuration Manager console to install additional site system
roles.
 No Secondary Site Installation Option
Secondary sites can only be installed from the Configuration Manager console. For more
information about installing a secondary site, see the Install a Secondary Site section in the
topic.
 Optional Configuration Manager Console Installation
You can choose to install the Configuration Manager console during Setup or install the
console after Setup by using the Configuration Manager console installer (consolesetup.exe).
 Server and client language selections
You are no longer required to install your site servers using source files for a specific
language or install International Client Packs when you want to support different languages
on the client. From Setup, you can choose the server and client languages that are supported
in your Configuration Manager hierarchy. Configuration Manager uses the display language
of the server or client computer when you have configured support for the language. English
is the default language used when Configuration Manager does not support the display
language of the server or client computer.
Note
You cannot select specific languages for mobile device clients. Instead, you must
enable all available client languages or use English only.
 Unattended installation script is automatically created
Setup automatically creates the unattended installation script when you confirm the settings
on the Summary page of the wizard. The unattended installation script contains the settings
that you choose in the wizard. You can modify the script to install other sites in your
hierarchy. Setup creates the script in %TEMP%\ConfigMgrAutoSave.ini.
 Database Replication
When you have more than one System Center 2012 Configuration Manager site in your
hierarchy, Configuration Manager uses database replication to transfer data and merge
changes made to a site’s database with the information stored in the database at other sites
in the hierarchy. This enables all sites to share the same information. When you have a
primary site without any other sites, database replication is not used. Database replication is
enabled when you install a primary site that reports to a central administration site or when
you connect a secondary site to a primary site.
 Setup Downloader
Setup Downloader (SetupDL.exe) is a stand-alone application that downloads the files
required by Setup. You can manually run Setup Downloader or Setup can run it during site
installation. You can see the progress of files being downloaded and verified, and only the
required files are downloaded (missing files and files that have been updated). For more
information about Setup Downloader, see the Setup Downloader section in this topic.
 Prerequisite Checker
The Prerequisite Checker (prereqchk.exe) is a standalone application that verifies server
readiness for a specific site system role. In addition to the site server, site database server,
and provider computer, the Prerequisite Checker now checks management point and
distribution point site systems. You can run Prerequisite Checker manually or Setup runs it
automatically as part of site installation. For more information about the Prerequisite Checker,
see the Prerequisite Checker section in this topic.
Things to Consider Before You Run Setup
There are many things that you must consider before you run Setup and install your site. Base
your System Center 2012 Configuration Manager hierarchy design on careful planning for your
network infrastructure, business requirements, budget limitations, and so on. Ideally, read the
entire Planning for Configuration Manager Sites and Hierarchy section in the Site Administration
for System Center 2012 Configuration Manager guide, but the following list provides several
important planning steps from the guide that you must consider before you run Setup.
Warning
Installing System Center 2012 Configuration Manager in your production environment
without thorough planning is unlikely to result in a fully functional site that meets your
business needs and security requirements.
Network infrastructure and business requirements: Identify your network infrastructure and how
it influences your Configuration Manager hierarchy, and what your business requirements are for
using Configuration Manager. More information: Identify Your Network and Business
Requirements to Plan a Configuration Manager Hierarchy.
Supported Configurations: Verify that your servers meet the supported configurations for
installing Configuration Manager. More information: Supported Configurations for Configuration
Manager.
PKI Certificates: Review the public key infrastructure (PKI) certificates that you might require
for your Configuration Manager site system servers and clients. More information: PKI
Certificate Requirements for Configuration Manager.
Site Hierarchy: Determine whether to install a central administration site, child primary site, or
stand-alone primary site. When you create a hierarchy, you must install the central
administration site first. More information: Planning for Sites and Hierarchies in Configuration
Manager.
Windows Environment: Prepare the Windows environment for site server and site system
installation. More information: Prepare the Windows Environment for Configuration Manager.
Site Database: Plan for and configure your site database server. More information: Planning for
Database Servers in Configuration Manager.
Pre-Installation Applications
There are two applications, Setup Downloader and Prerequisite Checker, that you can optionally
run before you install the site, which download updated files for Setup and verify server readiness
for the site server or site system server.
Setup Downloader
Configuration Manager Setup Downloader is a stand-alone application that verifies and
downloads required prerequisite redistributables, language packs, and the latest product updates
for Setup. When you install a Configuration Manager site, you can specify a folder that contains
required files or Setup can automatically start the Setup Downloader to download the latest files
from the Internet. You might choose to run Setup Downloader before you run Setup and store the
files on a network shared folder or removable hard drive. This is necessary when the planned site
server computer does not have Internet access or a firewall prevents the files from downloading.
After you download the latest files, you can use the same path to the download folder to install
multiple sites. When you install sites, always verify that the path to the download folder contains
the most recent version of the files.
You can open Setup Downloader and specify a path to the folder that will host the downloaded
files, or you can run Setup Downloader from a command prompt and specify command-line
options. Use the following procedures to start Setup Downloader and download the latest
Configuration Manager files that are required by Setup.
To start Setup Downloader from Windows Explorer
1. On a computer that has Internet access, open Windows Explorer, and browse to
<ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64.
2. Double-click setupdl.exe. The Setup Downloader opens.
3. Specify the path for the folder that will host the updated installation files, and then click
Download. Setup Downloader verifies the files that are currently in the download folder
and downloads only the files that are missing or newer than the existing files. Setup
Downloader creates subfolders for the downloaded languages. Setup Downloader will
create the folder when it does not exist.
Security
To run the Setup Downloader application, you must have Full Control NTFS file
system permissions to the download folder.
4. View the ConfigMgrSetup.log file in the root of the C drive to review the download results.
To start Setup Downloader from a command prompt
1. Open a command prompt and browse to
<ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64.
2. Type setupdl.exe to open Setup Downloader. Optionally, you can use the following
command-line options:
 /VERIFY: Use this option to verify the files in the download folder, which include
language files. Review the ConfigMgrSetup.log file in the root of the C drive for a list
of files that are outdated. No files are downloaded when you use this option.
 /VERIFYLANG: Use this option to verify the language files in the download folder.
Review the ConfigMgrSetup.log file in the root of the C drive for a list of language
files that are outdated.
 /LANG: Use this option to download only the language files to the download folder.
 /NOUI: Use this option to start Setup Downloader without displaying the user
interface. When you use this option, you must specify the download path as part of
the command-line.
 <DownloadPath>: You can specify the path to the download folder to automatically
start the verification or download process. You must specify the download path when
you use the /NOUI option. When you do not specify a download path, you must
specify the path when Setup Downloader opens. Setup Downloader will create the
folder when it does not exist.
Security
To run the Setup Downloader application, you must have Full Control NTFS
file system permissions to the download folder.
Usage examples:
 setupdl \\MyServer\MyShare\ConfigMgrUpdates
Setup Downloader starts, verifies the files in the
\\MyServer\MyShare\ConfigMgrUpdates folder, and downloads only the files that are
missing or newer than the existing files.
 setupdl /VERIFY c:\ConfigMgrUpdates
Setup Downloader starts and verifies the files in the c:\ConfigMgrUpdates folder.
 setupdl /NOUI c:\ConfigMgrUpdates
Setup Downloader starts without displaying the user interface, verifies the files in the
c:\ConfigMgrUpdates folder, and downloads only the files that are missing or newer than
the existing files.
 setupdl /LANG c:\ConfigMgrUpdates
Setup Downloader starts, verifies the language files in the c:\ConfigMgrUpdates
folder, and downloads only the language files that are missing or newer than the
existing files.
 setupdl /VERIFY
Setup Downloader starts, you must specify the path to the download folder, and after
you click Verify, Setup Downloader verifies the files in the download folder.
3. View the ConfigMgrSetup.log file in the root of the C drive to review the download results.
Prerequisite Checker
The Prerequisite Checker (prereqchk.exe) is a standalone application that verifies server
readiness for a site server or specific site system roles. Before site installation, Setup runs the
Prerequisite Checker. You might choose to manually run the Prerequisite Checker on potential
site servers or site systems to verify server readiness. This allows you to remediate any issues
that you find before you run Setup. When you run Prerequisite Checker without command-line
options, the local computer is scanned for an existing site server and only the checks that are
applicable to the site are run. If no existing sites are detected, all prerequisite rules are run. You
can run Prerequisite Checker from a command prompt with command-line options so that it
performs only the checks associated with the site server or site systems that you specify. When
you specify another server to check, you must have Administrator rights on that server
for Prerequisite Checker to complete the checks. For more information about the prerequisite
checks that are performed by Prerequisite Checker, see Technical Reference for the Prerequisite
Checker in Configuration Manager.
Use the following procedures to run Prerequisite Checker on site servers or site system servers.
To move Prerequisite Checker files to another computer
1. In Windows Explorer, browse to one of the following locations:
 <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64
 <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64
2. Copy the following files to the destination folder on the other computer:
 prereqchk.exe
 prereqcore.dll
 basesql.dll
 basesvr.dll
 baseutil.dll
To start Prerequisite Checker and run default checks
1. In Windows Explorer, browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or
<ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.
2. Open prereqchk.exe to start Prerequisite Checker.
Prerequisite Checker detects existing sites, and if found, will perform checks for upgrade
readiness. If no sites are found, all checks are performed. The Site Type column
shows the site server or site system with which each rule is associated.
To start Prerequisite Checker from a command prompt and run all checks
1. Open a command prompt and browse to
<ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or
<ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.
2. Type prereqchk.exe /LOCAL to open Prerequisite Checker and run all prerequisite
checks on the server.
To start Prerequisite Checker from a command prompt and run primary site checks
1. Open a command prompt and browse to
<ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or
<ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.
2. Type prereqchk.exe and choose from the following command-line options to check
requirements for a primary site installation.
 /NOUI (optional): Starts Prerequisite Checker without displaying the user interface. You
must specify this option before any other option in the command line.
 /PRI (required): Verifies that the local computer meets the requirements for the primary
site.
 /SQL <FQDN of SQL Server> (required): Verifies that the specified computer meets the
requirements for SQL Server to host the Configuration Manager site database.
 /SDK <FQDN of SMS Provider> (required): Verifies that the specified computer meets the
requirements for the SMS Provider.
 /JOIN <FQDN of central administration site> (optional): Verifies that the local computer
meets the requirements for connecting to the central administration site.
 /MP <FQDN of management point> (optional): Verifies that the specified computer meets
the requirements for the management point site system role. This option is only supported
when you use the /PRI option.
 /DP <FQDN of distribution point> (optional): Verifies that the specified computer meets
the requirements for the distribution point site system role. This option is only supported
when you use the /PRI option.
 /Ssbport (optional): Verifies that a firewall exception is in effect to allow communication
on the SQL Server Service Broker (SSB) port. The default port number is 4022.
 InstallDir <ConfigMgrInstallationPath> (optional): Verifies minimum disk space
requirements for site installation.
Usage example (optional options are shown in brackets):
 prereqchk.exe [/NOUI] /PRI /SQL <FQDN of SQL Server> /SDK <FQDN of SMS
Provider> [/JOIN <FQDN of central administration site>] [/MP <FQDN of
management point>] [/DP <FQDN of distribution point>]
When you run the command line, unless you use the /NOUI option, Prerequisite Checker
opens and starts scanning the specified servers using the prerequisite checks applicable to
the specified command-line options. Prerequisite Checker creates a list in the
Prerequisite result section for any problems found.
3. Click an item on the list for details about how to resolve the problem. You must resolve all
items in the list that have an Error status before you install the site server, site system, or
Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the
root of the C drive to review the prerequisite checker results.
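The Setup Downloader and Prerequisite Checker sections above describe two separate command-line tools. The following PowerShell script is an added example and is not part of the original documentation or of Configuration Manager: it chains the two, staging the Setup files with setupdl.exe /NOUI, writing a SHA-256 manifest of the staged folder so the copy placed on a site server without Internet access can be checked before Setup is pointed at it, and then running prereqchk.exe /NOUI with the primary site options from the table above and surfacing failed rules from ConfigMgrPrereq.log. It assumes PowerShell 4.0 or later (for Get-FileHash), that failed rules appear in the log with the word "Error" (an assumption; the page only documents the Error status in the UI), and placeholder server names and paths.

```powershell
# Added example, not part of the original documentation: stage the Setup files
# with Setup Downloader, record a SHA-256 manifest so the files can be checked
# after they are copied to a site server without Internet access, then run
# Prerequisite Checker silently for a primary site and list failed rules.
# Assumptions: PowerShell 4.0 or later (Get-FileHash); the command-line options
# documented above; all server names and paths are placeholders.
param(
    [string] $Media        = 'D:',                                  # installation media
    [string] $DownloadPath = '\\MyServer\MyShare\ConfigMgrUpdates',
    [string] $SqlServer    = 'sql01.contoso.com',
    [string] $SmsProvider  = 'cm01.contoso.com',
    [string] $Cas          = '',                                    # CAS FQDN; empty for a stand-alone primary site
    [string] $Mp           = 'cm01.contoso.com',
    [string] $Dp           = 'cm01.contoso.com'
)
$bin = Join-Path $Media 'SMSSETUP\BIN\X64'

# 1. Setup Downloader without UI; /NOUI requires the download path on the command line.
$p = Start-Process -FilePath (Join-Path $bin 'setupdl.exe') `
        -ArgumentList @('/NOUI', "`"$DownloadPath`"") -Wait -PassThru
Write-Host "setupdl.exe finished with exit code $($p.ExitCode); see C:\ConfigMgrSetup.log"

# 2. Write a manifest of the staged files. Recompute and compare it on the
#    disconnected site server before you point Setup at the copied folder.
$root     = $DownloadPath.TrimEnd('\')
$manifest = Join-Path $root 'SHA256SUMS.txt'
Get-ChildItem -Path $root -Recurse -File |
    Where-Object { $_.FullName -ne $manifest } |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { '{0}  {1}' -f $_.Hash, $_.Path.Substring($root.Length + 1) } |
    Set-Content -Path $manifest
Write-Host "Manifest written to $manifest"

# 3. Prerequisite Checker for a primary site, no UI. /NOUI must be the first option.
$prereqArgs = @('/NOUI', '/PRI', '/SQL', $SqlServer, '/SDK', $SmsProvider)
if ($Cas) { $prereqArgs += @('/JOIN', $Cas) }
if ($Mp)  { $prereqArgs += @('/MP', $Mp) }
if ($Dp)  { $prereqArgs += @('/DP', $Dp) }
$p = Start-Process -FilePath (Join-Path $bin 'prereqchk.exe') `
        -ArgumentList $prereqArgs -Wait -PassThru
Write-Host "prereqchk.exe finished with exit code $($p.ExitCode)"

# 4. Surface failed rules. Assumption: rules with Error status are logged with the
#    word "Error"; the log itself is the authoritative result list.
$log    = 'C:\ConfigMgrPrereq.log'
$failed = @(Select-String -Path $log -Pattern 'Error' -SimpleMatch)
if ($failed.Count -gt 0) {
    Write-Host "Resolve these items before you run Setup:"
    $failed | ForEach-Object { Write-Host ('  ' + $_.Line) }
} else {
    Write-Host "No Error entries found in $log"
}
```

Run it on a computer with Internet access that can reach the share; the account needs Full Control on the download folder, as the Security note above states, and Administrator rights on each remote server named in the prereqchk.exe options.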
To start Prerequisite Checker from a command prompt and run central administration
site checks
1. Open a command prompt and browse to
<ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or
<ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.
2. Type prereqchk.exe and choose from the following command-line options to check
requirements for a central administration site installation.
 /NOUI (optional): Starts Prerequisite Checker without displaying the user interface. You
must specify this option before any other option in the command line.
 /CAS (required): Verifies that the local computer meets the requirements for the central
administration site.
 /SQL <FQDN of SQL Server> (required): Verifies that the specified computer meets the
requirements for SQL Server to host the Configuration Manager site database.
 /SDK <FQDN of SMS Provider> (required): Verifies that the specified computer meets the
requirements for the SMS Provider.
 /Ssbport (optional): Verifies that a firewall exception is in effect to allow communication
on the SSB port. The default port number is 4022.
 InstallDir <ConfigMgrInstallationPath> (optional): Verifies minimum disk space
requirements for site installation.
Usage examples (optional options are shown in brackets):
 prereqchk.exe /CAS /SQL <FQDN of SQL Server> /SDK <FQDN of SMS Provider>
/Ssbport 4022
 prereqchk.exe /NOUI /CAS /SQL <FQDN of SQL Server> /SDK <FQDN of SMS Provider>
When you run the command line, unless you use the /NOUI option, Prerequisite Checker
opens and starts scanning the specified servers using the prerequisite checks applicable to
the specified command-line options. Prerequisite Checker creates a list in the
Prerequisite result section for any problems found.
3. Click an item on the list for details about how to resolve the problem. You must resolve all
items in the list that have an Error status before you install the site server, site system, or
Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the
root of the C drive to review the prerequisite checker results.
To start Prerequisite Checker from a command prompt from a primary site and run
secondary site checks
1. On the primary site server from which you will install the secondary site, open a
command prompt and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or
<ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.
2. Type prereqchk.exe and choose from the following command-line options to check
requirements for a secondary site installation on a remote server.
 /NOUI (optional): Starts Prerequisite Checker without displaying the user interface. You
must specify this option before any other option in the command line.
 /SEC <FQDN of secondary site server> (required): Verifies that the specified computer
meets the requirements for the secondary site.
 /INSTALLSQLEXPRESS (optional): Verifies that SQL Express can be installed on the
specified computer.
 /Ssbport (optional): Verifies that a firewall exception is in effect to allow communication
on the SQL Server Service Broker (SSB) port. The default port number is 4022.
 /Sqlport (optional): Verifies that a firewall exception is in effect to allow communication
on the SQL Server service port and that the port is not in use by another SQL Server
named instance. The default port number is 1433.
 InstallDir <ConfigMgrInstallationPath> (optional): Verifies minimum disk space
requirements for site installation.
 SourceDir (optional): Verifies that the computer account of the secondary site can access
the folder hosting the source files for Setup.
Usage examples (optional options are shown in brackets):
 prereqchk.exe /SEC <FQDN of secondary site server> /Ssbport 4022 /SourceDir <Source
Folder Path>
 prereqchk.exe [/NOUI] /SEC <FQDN of secondary site server> [/INSTALLSQLEXPRESS]
When you run the command line, unless you use the /NOUI option, Prerequisite Checker
opens and starts scanning the specified servers using the prerequisite checks applicable to
the specified command-line options. Prerequisite Checker creates a list in the
Prerequisite result section for any problems found.
3. Click an item on the list for details about how to resolve the problem. You must resolve all
items in the list that have an Error status before you install the site server, site system, or
Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the
root of the C drive to review the prerequisite checker results.
To start Prerequisite Checker from a command prompt and run Configuration Manager
console checks
1. On the computer on which you will install the Configuration Manager console, open a
command prompt and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or
<ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.
2. Type prereqchk.exe /Adminui to check requirements for Configuration Manager console
installation on the local computer.
When you run the command line, Prerequisite Checker opens and scans the local
computer using the prerequisite checks that apply to the Configuration Manager console.
Prerequisite Checker creates a list in the Prerequisite result section for any problems
found.
3. Click an item on the list for details about how to resolve the problem. You must resolve all
items in the list that have an Error status before you install the site server, site system, or
Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the
root of the C drive to review the prerequisite checker results.
Manual Steps to Prepare for Site Server Installation
Before you install a site server on a computer, consider the following manual steps to prepare for
site server installation.
 Install the latest security updates on the site server computer: Use Windows Update to
install the latest security updates on the site server computer.
 Install the hotfix described in KB2552033 on site servers that run Windows Server 2008 R2:
The hotfix described in KB2552033 must be installed on site servers that run Windows
Server 2008 R2 when client push installation is enabled.
System Center 2012 Configuration Manager Setup Wizard
When you run Setup, the local computer is scanned for an existing site server and provides only
the options that are applicable, based on the scan results. The options that are available in Setup
also differ when you run Setup from installation media, the Configuration Manager DVD or a
network shared folder, or if you run Setup from the Start menu or by opening Setup.exe from the
installation path on an existing site server. The Configuration Manager Setup Wizard provides the
following options to install, upgrade, or uninstall a site:
 Install a Configuration Manager primary site server: When you choose to install a new
primary site, you can manually configure the site settings in the wizard or allow Setup to
configure the site with a default installation path, to use a local installation of SQL Server with
the default instance for the site database, to install a management point on the site server,
and install a distribution point on the site server.
Note
You must start Setup from installation media to select this option.
 Install a Configuration Manager central administration site: The central administration
site is used for reporting and to coordinate communication between primary sites in the
hierarchy. There is only one central administration site in a Configuration Manager hierarchy
and the central administration site must be the first site installed.
Note
You must start Setup from installation media to select this option.
 Upgrade an existing Configuration Manager installation: Choose this option to upgrade
an existing version of System Center 2012 Configuration Manager.
Note
You must start Setup from installation media to select this option.
 Uninstall a Configuration Manager site server: When an existing site is detected on the
local computer, and the version of the site is the same version as Setup, you have the option
to uninstall the site server. You can start Setup from either the installation media or from the
local site server to select this option.
Note
For more information about site maintenance and site reset options available in Setup,
see Manage Site and Hierarchy Configurations.
Install a Configuration Manager Console
Administrative users use the Configuration Manager console to manage the Configuration
Manager environment. Each Configuration Manager console connects to either a central
administration site or a primary site. After the initial connection is made, the Configuration
Manager console can connect to other sites. However, you cannot connect a Configuration
Manager console to a secondary site.
Note
The objects displayed for the user running the console are dependent upon the rights
assigned to the user. For more information about role-based administration, see the
Planning for Role-Based Administration section in the Planning for Security in
Configuration Manager topic.
The Configuration Manager console opens on the
You can install the Configuration Manager console during site server installation in the Setup
Wizard, or run the stand-alone application.
Use the following procedure to install a Configuration Manager console by using the stand-alone
application.
To install a Configuration Manager console
1. Verify that the administrative user who will run the Configuration Manager console
application has the following security rights:
 Local Administrator rights on the computer on which the console will run.
 Read rights to the location for the Configuration Manager console installation files.
2. Browse to one of the following locations:
 From the Configuration Manager source media, browse to
<ConfigMgrSourceFiles>\smssetup\bin\I386.
 On the site server, browse to
<ConfigMgrSiteServerInstallationPath>\tools\ConsoleSetup.
Important
As a best practice, initiate the Configuration Manager console installation from a
site server rather than the System Center 2012 Configuration Manager
installation media. The site server installation method copies the Configuration
Manager console installation files and the supported language packs for the site
to the tools\ConsoleSetup subfolder. If you install the Configuration Manager
console from the System Center 2012 Configuration Manager installation media,
this installation method always installs the English version, regardless of the
supported languages on the site server or the language settings for the operating
system running on the computer. Optionally, you can copy the ConsoleSetup
folder to an alternate location to start the installation.
3. Double-click consolesetup.exe. The Configuration Manager Console Setup Wizard
opens.
Important
Always install the Configuration Manager console by using ConsoleSetup.exe.
The Configuration Manager console Setup can be initiated by running the
AdminConsole.msi, but there are no prerequisite or dependency checks and the
installation will likely not install correctly.
4. On the opening page, click Next.
5. On the Site Server page, specify the FQDN of the site server to which the Configuration
Manager console will connect, and then click Next.
6. On the Installation Folder page, specify the installation folder for the Configuration
Manager console, and then click Next. The folder path must not contain trailing spaces
or Unicode characters.
7. On the Customer Experience Improvement Program page, choose whether to join the
Customer Experience Improvement Program, and then click Next.
8. On the Ready to Install page, click Install to install the Configuration Manager console.
To install a Configuration Manager console from a command prompt
1. On the server from which you will install the Configuration Manager console, open a
command prompt and browse to one of the following locations:
 <ConfigMgrSiteServerInstallationPath>\tools\ConsoleSetup
 <ConfigMgrInstallationMedia>\SMSSETUP\BIN\I386
Important
When you install a Configuration Manager console from a command prompt,
it always installs the English version regardless of the language setting for the
operating system running on the computer. To install the Configuration Manager
console in another language, you must use the previous procedure to install it.
2. Type consolesetup.exe and choose from the following command-line options.
 /q: Installs the Configuration Manager console unattended. The TargetDir, EnableSQM
and DefaultSiteServerName options are required when you use this option.
 /uninstall: Uninstalls the Configuration Manager console. You must specify this option
first when you use it with the /q option.
 LangPackDir: Specifies the path to the folder that contains the language files. You can
download the language files by using Setup Downloader. If you do not use this option,
Setup looks for the language folder in the current folder. If the language folder is not
found, Setup continues to install English only. For more information about Setup
Downloader, see Setup Downloader in this topic.
 TargetDir: Specifies the installation folder for the Configuration Manager console. This
option is required when used with the /q option.
 EnableSQM: Specifies whether to join the Customer Experience Improvement Program
(CEIP). Use a value of 1 to join the program and a value of 0 to not join. This option is
required when used with the /q option.
 DefaultSiteServerName: Specifies the FQDN of the site server to which the console
connects when it opens. This option is required when used with the /q option.
Usage examples (quote a path that contains spaces):
consolesetup.exe /q TargetDir="D:\Program Files\ConfigMgr" EnableSQM=1 DefaultSiteServerName=MyServer.Contoso.com
consolesetup.exe /q LangPackDir=C:\Downloads\ConfigMgr TargetDir="D:\Program Files\ConfigMgr Console" EnableSQM=1 DefaultSiteServerName=MyServer.Contoso.com
consolesetup.exe /uninstall /q
Manage Configuration Manager Console Languages
During site server installation, the Configuration Manager console installation files, as well as
supported language packs for the site, are copied to the
<ConfigMgrInstallationPath>\tools\ConsoleSetup subfolder on the site server. When you start the
Configuration Manager console installation from this folder on the site server, the Configuration
Manager console and supported language pack files are copied to the computer. When a
language pack is available for the current language setting on the computer, the Configuration
Manager console opens in that language. If the associated language pack is not available for the
Configuration Manager console, the console opens in English. For example, consider a scenario
where you install the Configuration Manager console from a site server that supports English,
German, and French. If you open the Configuration Manager console on a computer with a
configured language setting of French, the console opens in French. If you open the
Configuration Manager console on a computer with a configured language of Japanese, the
console opens in English because the Japanese language pack is not available.
Each time the Configuration Manager console opens, it determines the configured language
settings for the computer, verifies whether an associated language pack is available for the
Configuration Manager console, and then opens the console by using the appropriate language
pack. When you want to open the Configuration Manager console in English regardless of the
configured language settings on the computer, you must manually remove or rename the
language pack files on the computer.
Use the following procedures to start the Configuration Manager console in English regardless of
the configured locale setting on the computer.
To install an English-only version of the Configuration Manager console on computers
1. In Windows Explorer, browse to
<ConfigMgrInstallationPath>\tools\ConsoleSetup\LanguagePack.
2. Rename the .MSP and .MST files. For example, you could change <filename>.MSP to
<filename>.MSP.disabled.
3. Install the Configuration Manager console on the computer.
Important
When new server languages are configured for the site server, the .MSP and .MST files are
recopied to the LanguagePack folder and you must repeat this procedure to install new
Configuration Manager consoles in only English.
To temporarily disable a console language on an existing Configuration Manager
console installation
1. On the computer running the Configuration Manager console, close the Configuration
Manager console.
2. In Windows Explorer, browse to <ConsoleInstallationPath>\bin on the Configuration
Manager console computer.
3. Rename the appropriate language folder for the language configured on the computer.
For example, if the language settings for the computer were set for German, you could
rename the de folder to de.disabled.
4. To open the Configuration Manager console in the language configured for the computer,
rename the folder to the original name. For example, rename de.disabled to de.
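The two procedures above, implemented as reversible functions. This is an added example and is not code from the Configuration Manager documentation or product. It assumes Windows PowerShell 3.0 or later, that the console process is named Microsoft.ConfigurationManagement, and that you supply the installation paths (the paths in the usage lines are assumed); the language folder name ('de') follows the example in the procedure and must be looked up under bin for other languages.

```powershell
# Added example; not part of the Configuration Manager documentation.
# Assumptions: Windows PowerShell 3.0+; console process name is
# Microsoft.ConfigurationManagement (assumed); caller supplies the paths.
Set-StrictMode -Version 2

function Set-ConsoleLanguagePackState {
    # Procedure 1 (site server): rename the .MSP/.MST language transforms under
    # <ConfigMgrInstallationPath>\tools\ConsoleSetup\LanguagePack so that every
    # console installed from this source is English only. -Restore reverses it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ConfigMgrInstallationPath,
        [switch]$Restore
    )
    $langPack = Join-Path $ConfigMgrInstallationPath 'tools\ConsoleSetup\LanguagePack'
    if (-not (Test-Path -LiteralPath $langPack -PathType Container)) {
        throw "LanguagePack folder not found: $langPack"
    }
    $files = @(Get-ChildItem -LiteralPath $langPack -File | Where-Object {
        if ($Restore) { $_.Name -match '\.(msp|mst)\.disabled$' }
        else          { $_.Extension -match '^\.(msp|mst)$' }
    })
    foreach ($f in $files) {
        $newName = if ($Restore) { $f.Name -replace '\.disabled$', '' } else { "$($f.Name).disabled" }
        if ($PSCmdlet.ShouldProcess($f.FullName, "Rename to $newName")) {
            Rename-Item -LiteralPath $f.FullName -NewName $newName
        }
    }
    return $files.Count    # files renamed (or, with -WhatIf, that would be renamed)
}

function Set-ConsoleLanguageFolderState {
    # Procedure 2 (console computer): rename <ConsoleInstallationPath>\bin\<Language>
    # (for example 'de') so the console falls back to English; -Restore puts it back.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ConsoleInstallationPath,
        [Parameter(Mandatory = $true)][string]$Language,   # folder name under bin, e.g. 'de'
        [switch]$Restore
    )
    # Step 1 of the procedure: the console must be closed before the folder is renamed.
    if (Get-Process -Name 'Microsoft.ConfigurationManagement' -ErrorAction SilentlyContinue) {
        throw 'Close the Configuration Manager console before renaming language folders.'
    }
    $bin = Join-Path $ConsoleInstallationPath 'bin'
    if ($Restore) {
        $source = Join-Path $bin "$Language.disabled"; $targetName = $Language
    } else {
        $source = Join-Path $bin $Language;            $targetName = "$Language.disabled"
    }
    if (-not (Test-Path -LiteralPath $source -PathType Container)) {
        Write-Verbose "Nothing to do: $source does not exist."
        return $false
    }
    if ($PSCmdlet.ShouldProcess($source, "Rename to $targetName")) {
        Rename-Item -LiteralPath $source -NewName $targetName
    }
    return $true
}

# Usage (paths are assumed; run with -WhatIf first to see what would be renamed):
# Set-ConsoleLanguagePackState -ConfigMgrInstallationPath 'D:\Program Files\Microsoft Configuration Manager' -WhatIf
# Set-ConsoleLanguageFolderState -ConsoleInstallationPath 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole' -Language de
# Set-ConsoleLanguageFolderState -ConsoleInstallationPath 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole' -Language de -Restore
```

Both functions honour -WhatIf and -Confirm, and the second refuses to run while the console is open, which is the step most often skipped when this is done by hand.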
Install a Site Server
Your Configuration Manager deployment will consist of either a hierarchy of sites or a stand-alone
site. A hierarchy consists of multiple sites, each with one or more site system servers. A
stand-alone site also consists of one or more site system servers. Site system servers extend the
functionality of Configuration Manager; for example, you might install a site system at a site to
support software update deployment or to manage mobile devices. To successfully plan your
hierarchy of sites and identify the best network and geographical locations to place site servers,
make sure that you review the information about each site type and the alternatives to sites
offered by content deployment related site systems. For more information, see the Planning a
Hierarchy of Sites in Configuration Manager section in the Planning for Sites and Hierarchies in
Configuration Manager topic.
You must have a forest trust to support any Configuration Manager sites that are located in other
Active Directory forests. When you install a Configuration Manager site in a trusted forest,
Configuration Manager does not require any additional configuration steps. However, make sure
that any intervening firewalls and network devices do not block the network packets that
Configuration Manager requires, that name resolution is working between the forests, and that
you use an account that has sufficient permissions to install the site. For more information, see
the Planning for Communications Across Forests in Configuration Manager section in the
Planning for Communications in Configuration Manager topic.
Configuration Manager central administration site and primary site installation requires SQL
Server to be installed before you run Setup. You can install SQL Server on a secondary site
server before you run Setup or allow Setup to install SQL Server Express as part of the
secondary site installation. For more information about supported SQL Server versions for site
installation, see the SQL Server Site Database Configurations section in the Supported
Configurations for Configuration Manager topic.
To set up a new site in Configuration Manager, you can use either the Configuration Manager
Setup Wizard, or perform an unattended installation by using the scripted installation method.
When you use the Configuration Manager Setup Wizard, you can install a primary site server or
central administration site. You install a secondary site from the Configuration Manager console.
For more information about the command-line options available for Setup, see the Using
Command-Line Options with Setup section in this topic.
For more information about running Setup by using an unattended script, see the Configuration
Manager Unattended Setup section in this topic.
Important
After Setup completes, you cannot change the program files installation directory, site
code, or site name for the site. To change any of these values, you must uninstall the site and
then reinstall it by using the new values.
Use the following sections to help you install a site by using the Setup Wizard.
Install a Central Administration Site
Use a central administration site to configure hierarchy-wide settings and to monitor all sites and
objects in the hierarchy. You must install the central administration site before you install a
primary site that is connected to the Configuration Manager hierarchy. If you install a primary site before
you install the central administration site, the only way to connect the primary site to the
Configuration Manager hierarchy is to uninstall the primary site, install the central administration
site, and then reinstall the primary site and connect it to the central administration site during
Setup.
Use the following procedure to install a central administration site.
To install a central administration site
1. Verify that the administrative user who runs Setup has the following security rights:
 Local Administrator rights on the central administration site server.
 Local Administrator rights on the site database server for the central administration
site, when the site database server is not installed on the site server.
2. On the central administration site computer, open Windows Explorer and browse to
<ConfigMgrInstallationMedia>SMSSETUPBINX64.
3. Double-click Setup.exe. The Configuration Manager Setup Wizard opens.
4. On the Before You Begin page, click Next.
5. On the Getting Started page, select Install a Configuration Manager central
administration site, and then click Next.
6. On the Product Key page, choose whether to install Configuration Manager as an
evaluation or a full installation. Enter your product key for the full installation of
Configuration Manager. Click Next.
If you install Configuration Manager as an evaluation, after 180 days the Configuration
Manager console becomes read-only until you activate the product with a product key
from the Site Maintenance page in Setup.
7. On the Microsoft Software License Terms page, read and accept the license terms,
and then click Next.
8. On the Prerequisite Licenses page, read and accept the license terms for the
prerequisite software, and then click Next. Setup downloads and automatically installs
the software on site systems or clients when required. You must select all check boxes
before you can continue to the next page.
9. On the Prerequisite Downloads page, specify whether Setup must download the latest
prerequisite redistributables, language packs, and the latest product updates from the
Internet or use previously downloaded files, and then click Next. If you previously
downloaded the files using Setup Downloader, select Use previously downloaded files
and specify the download folder. For information about Setup Downloader, see the Setup
Downloader section in this topic.
Note
When you use previously downloaded files, verify that the path to the download
folder contains the most recent version of the files.
10. On the Server Language Selection page, select the languages that will be available for
the Configuration Manager console and for reports, and then click Next. English is
selected by default and cannot be removed.
11. On the Client Language Selection page, select the languages that will be available to
client computers, specify whether to enable all client languages for mobile device clients,
and then click Next. English is selected by default and cannot be removed.
12. On the Site and Installation Settings page, specify the site code and site name for the
site. For more information about site code naming, including best practices and
limitations, see the Configuration Manager Site Naming section in this topic.
13. Specify the installation folder and whether Setup will install the Configuration Manager
console on the local computer, and then click Next. The folder path must not contain
trailing spaces or Unicode characters.
Warning
You cannot change the installation folder after Setup completes. Verify that the
disk drive has enough disk space before you continue.
14. On the Database Information page, specify the information for the site database server
and the SQL Server Service Broker (SSB) port to be used by the SQL Server, and then
click Next. You must specify a valid port that is not in use by another site or service, and
that is not blocked by firewall restrictions.
Important
When you configure the site database to use the default instance of SQL Server,
you must configure the SQL Server service port to use TCP port 1433, the
default port.
Note
Typically, the Service Broker is configured to use TCP port 4022, but other ports
are supported.
15. On the SMS Provider Settings page, specify the FQDN for the server that will host the
SMS Provider, and then click Next. You can configure additional SMS providers for the
site after the initial installation.
16. On the Customer Experience Improvement Program Configuration page, choose
whether to participate, and then click Next.
17. On the Settings Summary page, review the settings and verify that they are accurate.
Click Next to start the Prerequisite Checker to verify server readiness for the central
administration site server.
18. On the Prerequisite Installation Check page, if there are no problems listed, click Next
to install the central administration site. When Prerequisite Checker finds a problem, click an
item on the list for details about how to resolve the problem. You must resolve all items in
the list that have an Error status before you continue Setup. After you resolve the issue,
click Run Check to restart prerequisite checking. You can open the ConfigMgrPrereq.log
file in the root of the C drive to review the prerequisite checker results. For a complete list
of installation prerequisite rules and descriptions, see Technical Reference for the
Prerequisite Checker in Configuration Manager.
19. On the Installation page, Setup displays the overall installation status. When Setup
completes the core site server installation, you can close the wizard. Site configuration
continues in the background.
Note
You can connect a Configuration Manager console to the central administration
site before the site installation completes, but the console will connect to the site
by using a read-only console. The read-only console allows you to view objects
and configuration settings but prevents you from introducing any change that
could be lost when the site installation completes.
Install a Primary Site Server
During Setup, you must choose whether to join the primary site to an existing central
administration site or install it as a stand-alone primary site.
Important
When you create a Configuration Manager hierarchy, you must install the central
administration site first.
When you install a new primary site in your production environment, manually configure the
installation options in the wizard. Typically, you choose the Use typical installation
options for a stand-alone primary site option only to install a stand-alone primary site in a
test environment. When you select this option, Setup automatically configures the site as a
stand-alone primary site, uses a default installation path, a local installation of SQL Server
with the default instance for the site database, a local management point, and a local
distribution point, and configures the site with English and with the display language of the
operating system on the primary site server if it matches one of the languages supported by
Configuration Manager.
Use one of the following procedures to install a primary site.
To install a primary site that joins an existing Configuration Manager hierarchy
1. Verify the user that runs Setup has the following security rights:
 Local Administrator rights on the central administration site server.
 Local Administrator rights on the remote site database server for the central
administration site, if it is remote.
 Sysadmin rights on the site database of the central administration site.
 Local Administrator rights on the primary site computer.
 Local Administrator rights on the remote site database server for the primary site, if it
is remote.
 User name associated with the Infrastructure Administrator or Full Administrator
security role on the central administration site.
Note
Setup automatically configures the sender address to use the computer account
for the primary site server. This account must have Read, Write, Execute, and
Delete NTFS file system permissions on the SMS\Inboxes\Despoolr.box\Receive
folder on the central administration site server. Also, your security policy must
grant the account the Access this computer from the network right on the central
administration site server. After Setup completes, you can change the account to a
Windows user account if required. For example, you must change the account to
a Windows user account if your central administration site is in a different forest.
For more information about communication requirements across forests, see
Planning for Communications Across Forests in Configuration Manager.
2. On the new primary site computer, open Windows Explorer and browse to
<ConfigMgrInstallationMedia>SMSSETUPBINX64.
3. Double-click Setup.exe. The Configuration Manager Setup Wizard opens.
4. On the Before You Begin page, click Next.
5. On the Getting Started page select Install a Configuration Manager primary site,
verify that Use typical installation options for a stand-alone primary site is not
selected, and then click Next.
6. On the Product Key page, choose whether to install Configuration Manager as an
evaluation or a full installation. Enter your product key for the full installation of
Configuration Manager. Click Next.
If you install Configuration Manager as an evaluation, after 180 days the Configuration
Manager console becomes read-only until you activate the product from the Site
Maintenance page in Setup.
7. On the Microsoft Software License Terms page, read and accept the license terms,
and then click Next.
8. On the Prerequisite Licenses page, read and accept the license terms for the
prerequisite software, and then click Next. Setup downloads and automatically installs
the software on site systems or clients when required. You must select all check boxes
before you can continue to the next page.
9. On the Prerequisite Downloads page, specify whether Setup will download the latest
prerequisite redistributables, language packs, and the latest product updates from the
Internet or use previously downloaded files, and then click Next. If you previously
downloaded the files using Setup Downloader, select Use previously downloaded files
and specify the download folder. For information about Setup Downloader, see the Setup
Downloader section in this topic.
Note
When you use previously downloaded files, verify that the path to the download
folder contains the most recent version of the files.
10. On the Server Language Selection page, select the languages that will be available for
the Configuration Manager console and for reports, and then click Next. English is
selected by default and cannot be removed.
11. On the Client Language Selection page, select the languages that will be available to
client computers, specify whether to enable all client languages for mobile device clients,
and then click Next. English is selected by default and cannot be removed.
12. On the Site and Installation Settings page, specify the site code and site name for the
site. For more information about site code naming, including best practices and
limitations, see the Configuration Manager Site Naming section in this topic.
13. Specify the installation folder and whether Setup will install the Configuration Manager
console on the local computer, and then click Next. The folder path must not contain
trailing spaces or Unicode characters.
Warning
You cannot change the installation folder after Setup completes. Verify that the
disk drive has enough disk space before proceeding.
14. On the Primary Site Installation page, select Join the primary site to an existing
hierarchy, specify the FQDN for the central administration site, and then click Next.
Setup verifies that the primary site server has access to the central administration site
server, and that the site code for the central administration site can be retrieved by using
the security credentials of the user running Setup.
15. On the Database Information page, specify the information for the site database server
and the SQL Server Service Broker (SSB) port to be used by the SQL Server, and then
click Next. You must specify a valid port that is not in use by another site or service, and
that is not blocked by firewall restrictions. Typically, the Service Broker is configured to
use TCP port 4022, but other ports are supported.
Important
When you configure the site database to use the default instance of SQL Server,
you must configure the SQL Server service port to use TCP port 1433, the
default port.
16. On the SMS Provider Settings page, specify the FQDN for the server that will host the
SMS Provider, and then click Next. You can configure additional SMS providers for the
site after the initial installation.
17. On the Client Computer Communication Settings page, choose whether to configure
all site systems to accept only HTTPS communication from clients or for the
communication method to be configured for each site system role, and then click Next.
When you select All site system roles accept only HTTPS communication from
clients, each client computer must have a valid PKI certificate for client authentication.
When you select Configure the communication method on each site system role,
you can choose Clients will use HTTPS when they have a valid PKI certificate and
HTTPS-enabled site roles are available. This ensures that a client selects a site
system configured for HTTPS when one is available. For more information about PKI
certificate requirements, see PKI Certificate Requirements for Configuration Manager.
18. On the Site System Roles page, choose whether to install a management point or
distribution point. When selected for installation, enter the FQDN for the site system and
choose the client connection method. Click Next. If you selected All site system roles
accept only HTTPS communication from clients on the previous page, the client
connection settings are automatically configured for HTTPS and cannot be changed
unless you go back and change the setting.
Note
The site system installation account is automatically configured to use the
primary site’s computer account to install the site system role. If you need to use
an alternate installation account for remote site systems, you should not select
the roles in the Setup wizard and install them later from the Configuration
Manager console.
19. On the Customer Experience Improvement Program Configuration page, choose
whether to participate, and then click Next.
20. On the Settings Summary page, review the settings and verify that they are accurate.
Click Next to start the Prerequisite Checker to verify server readiness for the primary site
server and specified site system roles.
21. On the Prerequisite Installation Check page, if there are no problems listed, click Next
to install the primary site and site system roles that you selected. When Prerequisite
Checker finds a problem, click an item on the list for details about how to resolve the
problem. You must resolve all items in the list that have an Error status before you
continue Setup. After you resolve the issue, click Run Check to restart prerequisite
checking. You can open the ConfigMgrPrereq.log file in the root of the C drive to review
the prerequisite checker results. For a complete list of installation prerequisite rules and
descriptions, see Technical Reference for the Prerequisite Checker in Configuration
Manager.
22. On the Installation page, Setup displays the overall installation status. When Setup
completes the core site server and site system installation, you can close the wizard. Site
configuration continues in the background.
Note
You can connect a Configuration Manager console to a primary site before the
site installation completes, but the console will connect to the site by using a
read-only console. The read-only console allows you to view objects and
configuration settings but prevents you from introducing any change that could
be lost when the site installation completes.
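A pre-flight check for step 1 of the procedure above (the local Administrator checks also apply to step 1 of the central administration site procedure). This is an added example, not code from the Configuration Manager documentation or product. It assumes Windows PowerShell 3.0 or later in an elevated session on the new primary site server, run as the user who will run Setup; that WinRM is enabled on the central administration site and SQL servers; that the central administration site database accepts Windows authentication over TCP; and that the primary site's computer account is named $env:USERDOMAIN\$env:COMPUTERNAME$ (true when the user and computer are in the same domain). The Infrastructure Administrator or Full Administrator role is not checked here; confirm it in the console under Administration, Security, Administrative Users.

```powershell
# Added example; not part of the Configuration Manager documentation.
# Checks the rights listed in step 1 before Setup is run. Assumptions are stated
# in the lead-in: elevated Windows PowerShell 3.0+, WinRM on the CAS and SQL
# servers, Windows authentication to the CAS site database.
Set-StrictMode -Version 2

function Test-LocalAdminOn {
    # Evaluated on the target itself, so membership through domain groups counts.
    # Locally this needs an elevated session; a filtered UAC token answers False.
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    $check = {
        $id = [Security.Principal.WindowsIdentity]::GetCurrent()
        (New-Object Security.Principal.WindowsPrincipal -ArgumentList $id).IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
    if ($ComputerName -ieq $env:COMPUTERNAME) { return (& $check) }
    return (Invoke-Command -ComputerName $ComputerName -ScriptBlock $check)
}

function Test-SqlSysadmin {
    # sysadmin on the CAS site database server. A connection failure here also
    # means the SQL Server port is unreachable from this server.
    param([Parameter(Mandatory = $true)][string]$SqlServerInstance)   # 'host' or 'host\instance'
    $connString = "Server=$SqlServerInstance;Database=master;Integrated Security=SSPI;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin')"
        return ([int]$cmd.ExecuteScalar() -eq 1)
    } finally { $conn.Dispose() }
}

function Get-NetworkLogonRightSids {
    # SIDs granted "Access this computer from the network" (SeNetworkLogonRight)
    # in the effective local security policy of $ComputerName, via secedit export.
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        try {
            $line = Get-Content -LiteralPath $cfg | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
            if (-not $line) { return @() }
            ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        } finally { Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue }
    }
}

function Test-NetworkLogonRight {
    # The primary site's computer account must hold the right on the CAS, directly
    # or through Everyone (S-1-1-0) / Authenticated Users (S-1-5-11), which every
    # domain computer account belongs to. Hardening baselines that restrict this
    # right to Administrators break the site-to-site sender.
    param(
        [string[]]$GrantedSids,
        [string]$Account = "$env:USERDOMAIN\$env:COMPUTERNAME`$"   # assumed naming
    )
    $sid = (New-Object Security.Principal.NTAccount -ArgumentList $Account).Translate(
        [Security.Principal.SecurityIdentifier]).Value
    $ok = @($sid, 'S-1-1-0', 'S-1-5-11')
    return [bool]($GrantedSids | Where-Object { $ok -contains $_ })
}

function Test-PrimarySiteJoinPrerequisites {
    param(
        [Parameter(Mandatory = $true)][string]$CasServer,        # FQDN of the CAS server
        [Parameter(Mandatory = $true)][string]$CasSqlInstance,   # CAS site database server (\instance)
        [string]$PrimarySqlServer                                # remote site database server for this primary, if any
    )
    $checks = [ordered]@{
        'Local Administrator on this primary site server' = Test-LocalAdminOn $env:COMPUTERNAME
        'Local Administrator on CAS server'               = Test-LocalAdminOn $CasServer
        'Local Administrator on CAS SQL server'           = Test-LocalAdminOn (($CasSqlInstance -split '\\')[0])
        'sysadmin on CAS site database'                   = Test-SqlSysadmin $CasSqlInstance
        'Computer account: network logon right on CAS'    = Test-NetworkLogonRight (Get-NetworkLogonRightSids $CasServer)
    }
    if ($PrimarySqlServer) {
        $checks['Local Administrator on primary SQL server'] = Test-LocalAdminOn $PrimarySqlServer
    }
    foreach ($c in $checks.GetEnumerator()) {
        $label = if ($c.Value) { 'PASS' } else { 'FAIL' }
        "$label  $($c.Key)"
    }
    return -not (@($checks.Values) -contains $false)
}
# Usage (names assumed): Test-PrimarySiteJoinPrerequisites -CasServer cas01.contoso.com -CasSqlInstance cas01.contoso.com
```

The NTFS permissions on Despoolr.box\Receive are not tested because, as the note in step 1 says, Setup itself configures the sender and its access; the user right is checked because it comes from security policy that Setup does not change, and a restrictive Group Policy baseline on the central administration site server is the usual reason the sender later fails.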
To install a stand-alone primary site
1. Verify the user that runs Setup has the following security rights:
 Local Administrator rights on the primary site computer.
 Local Administrator rights on the remote site database server for the primary site, if it
is remote.
2. On the new primary site computer, open Windows Explorer and browse to
<ConfigMgrInstallationMedia>SMSSETUPBINX64.
3. Double-click Setup.exe. The Configuration Manager Setup Wizard opens.
4. On the Before You Begin page, click Next.
5. On the Getting Started page select Install a Configuration Manager primary site,
verify that Use typical installation options for a stand-alone primary site is not
selected, and then click Next.
6. On the Product Key page, choose whether to install Configuration Manager as an
evaluation or a full installation. Enter your product key for the full installation of
Configuration Manager. Click Next.
If you install Configuration Manager as an evaluation, after 180 days the Configuration
Manager console becomes read-only until you activate the product with a product key
from the Site Maintenance page in Setup.
7. On the Microsoft Software License Terms page, read and accept the license terms,
and then click Next.
8. On the Prerequisite Licenses page, read and accept the license terms for the
prerequisite software, and then click Next. Setup downloads and automatically installs
the software on site systems or clients when required. You must select all check boxes
before you can continue to the next page.
9. On the Prerequisite Downloads page, specify whether Setup will download the latest
prerequisite redistributables, language packs, and the latest product updates from the
Internet or use previously downloaded files, and then click Next. If you previously
downloaded the files using Setup Downloader, select Use previously downloaded files
and specify the download folder. For information about Setup Downloader, see the Setup
Downloader section in this topic.
Note
When you use previously downloaded files, verify that the path to the download
folder contains the most recent version of the files.
10. On the Server Language Selection page, select the languages that will be available for
the Configuration Manager console and for reports, and then click Next. English is
selected by default and cannot be removed.
11. On the Client Language Selection page, select the languages that will be available to
client computers, specify whether to enable all client languages for mobile device clients,
and then click Next. English is selected by default and cannot be removed.
12. On the Site and Installation Settings page, specify the site code and site name for the
site. For more information about site code naming, including best practices and
limitations, see the Configuration Manager Site Naming section in this topic.
13. Specify the installation folder and whether Setup will install the Configuration Manager
console on the local computer, and then click Next. The folder path must not contain
trailing spaces or Unicode characters.
Warning
You cannot change the installation folder after Setup completes. Verify that the
disk drive has enough disk space before proceeding.
Important
If you selected Use typical installation options for a stand-alone primary
site, skip to step 17 - the Customer Experience Improvement Program
Configuration page.
14. On the Primary Site Installation page, select Install the primary site as a stand-alone
site, and then click Next. Click Yes to confirm that you want to install the site as a stand-
alone site.
Important
You cannot join the stand-alone primary site to a central administration site after
Setup completes.
15. On the Database Information page, specify the information for the site database server
and the SQL Server Service Broker (SSB) port to be used by the SQL Server, and then
click Next. You must specify a valid port that is not in use by another site or service, and
that is not blocked by firewall restrictions. Typically, the Service Broker is configured to
use TCP port 4022, but other ports are supported.
Important
When you configure the site database to use the default instance of SQL Server,
you must configure the SQL Server service port to use TCP port 1433, the
default port.
16. On the SMS Provider Settings page, specify the FQDN for the server that will host the
SMS Provider, and then click Next. You can configure additional SMS providers for the
site after the initial installation.
17. On the Client Computer Communication Settings page, choose whether to configure all
site systems to accept only HTTPS communication from clients or for the communication
method to be configured for each site system role, and then click Next. When you select
All site system roles accept only HTTPS communication from clients, each client
computer must have a valid PKI certificate for client authentication. For more information
about PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager.
18. On the Site System Roles page, choose whether to install a management point or
distribution point. When selected for installation, enter the FQDN for the site system and
choose the client connection method. Click Next. If you selected All site system
roles accept only HTTPS communication from clients on the previous page, the client
connection settings are automatically configured for HTTPS and cannot be changed
unless you go back and change the setting.
Note
The site system installation account is automatically configured to use the
primary site’s computer account to install the site system role. If you need to use
an alternate installation account for remote site systems, you should not select
the roles in the Setup wizard and install them later from the Configuration
Manager console.
19. On the Customer Experience Improvement Program Configuration page, choose
whether to participate, and then click Next.
20. On the Settings Summary page, review the settings and verify that they are accurate.
Click Next to start the Prerequisite Checker to verify server readiness for the primary site
server and site system roles.
21. On the Prerequisite Installation Check page, if there are no problems listed, click Next
to install the primary site and site system roles. When Prerequisite Checker finds a
problem, click an item on the list for details about how to resolve the problem. You must
resolve all items in the list that have an Error status before you continue Setup. After you
resolve the issue, click Run Check to restart prerequisite checking. You can open the
ConfigMgrPrereq.log file in the root of the C drive to review the prerequisite checker
results. For a complete list of installation prerequisite rules and descriptions, see
Technical Reference for the Prerequisite Checker in Configuration Manager.
22. On the Installation page, Setup displays the overall installation status. When Setup
completes the core site server and site system installation, you can close the wizard. Site
configuration continues in the background.
Note
You can connect a Configuration Manager console to the primary site before the
site installation completes, but the console will connect to the site by using a
read-only console. The read-only console allows you to view objects and
configuration settings but prevents you from introducing any change that could
be lost when the site installation completes.
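Step 17 in both primary site procedures makes the site reject any client that lacks a valid PKI certificate for client authentication. The following added example (not code from the Configuration Manager documentation or product) checks a client computer for such a certificate before the site is switched to HTTPS only. It assumes Windows PowerShell 3.0 or later run as an administrator on the client, that the certificate is in the local computer's Personal store, and that the CA's CRL distribution point is reachable for revocation checking; the RequiredDnsName parameter is an optional extra check for PKIs that put the client FQDN in the certificate.

```powershell
# Added example; not part of the Configuration Manager documentation.
# Assumptions: elevated Windows PowerShell 3.0+ on the client; certificate in
# Cert:\LocalMachine\My; CRL distribution point reachable.
Set-StrictMode -Version 2

function Get-ClientAuthCertificate {
    # Returns every certificate in $StorePath that the client could present for
    # HTTPS client authentication: private key present, within its validity period,
    # Client Authentication EKU (1.3.6.1.5.5.7.3.2) or no EKU restriction at all,
    # and a trusted chain that passes online revocation checking.
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [string]$RequiredDnsName = $null     # optional, e.g. the client's FQDN
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if (-not $cert.HasPrivateKey) { continue }
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -le $now) { continue }

        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) { continue }

        if ($RequiredDnsName) {
            $dns = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
            if ($dns -ne $RequiredDnsName) { continue }
        }

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.ApplicationPolicy.Add(
            (New-Object System.Security.Cryptography.Oid -ArgumentList $clientAuthOid)) | Out-Null
        try {
            if (-not $chain.Build($cert)) {
                $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
                Write-Verbose "Skipping $($cert.Thumbprint): chain failed ($reasons)"
                continue
            }
        } finally { $chain.Reset() }
        $cert
    }
}

function Test-ClientHttpsReady {
    # True when at least one usable client authentication certificate exists;
    # lists the candidates so that expiry dates can be checked before cut-over.
    [CmdletBinding()]
    param([string]$RequiredDnsName = $null)
    $certs = @(Get-ClientAuthCertificate -RequiredDnsName $RequiredDnsName)
    foreach ($c in $certs) {
        '{0}  expires {1:yyyy-MM-dd}  {2}' -f $c.Thumbprint, $c.NotAfter, $c.Subject
    }
    return ($certs.Count -gt 0)
}
# Usage: Test-ClientHttpsReady -RequiredDnsName ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName) -Verbose
```

Run with -Verbose to see why a certificate was rejected; an untrusted root or an unreachable CRL shows up as the chain status, which is the same condition that makes the client fail against an HTTPS-only management point.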
Install a Secondary Site
Use secondary sites to manage the transfer of deployment content and client data across low
bandwidth networks. You manage a secondary site from a central administration site or the
secondary site’s parent primary site, and they are frequently used in locations that do not have a
local administrator. After a secondary site is attached to a primary site, you cannot move it to a
different parent site without uninstalling it and then reinstalling it at the new site.
The secondary site requires SQL Server for its site database. Setup automatically installs SQL
Server Express during site installation if a local instance of SQL Server is not available. During
the secondary site installation, Setup configures database replication with its parent primary site,
and automatically installs the management point and distribution point site system roles on the
secondary site.
Note
For more information about supported versions of SQL Server for secondary sites, see
the SQL Server Site Database Configurations section in the Supported Configurations for
Configuration Manager topic.
Note
Setup automatically configures the secondary site to use the client communication ports
configured at the parent primary site.
Use the following procedure to create a secondary site.
To create a secondary site
1. Verify the user that runs Setup has the following security rights:
 Local Administrator rights on the secondary site computer.
 Local Administrator rights on the remote site database server for the primary site, if it
is remote.
 Infrastructure Administrator or Full Administrator security role on the parent primary
site.
 Sysadmin rights on the site database of the secondary site.
2. In the Configuration Manager console, click Administration.
3. In the Administration workspace, expand Site Configuration, and then click Sites.
4. On the Home tab, in the Site group, click Create Secondary Site. The Create
Secondary Site Wizard opens.
5. On the Before You Begin page, confirm that the primary site listed is the site in which
you want this secondary site to be a child, and then click Next.
6. On the General page, specify the following settings:
 Site code: Specify a site code for the secondary site. For more information about site
code naming, including best practices and limitations, see the Configuration Manager
Site Naming section in this topic.
 Site server name: Specify the FQDN for the secondary site server. Verify that the
server meets the requirements for secondary site installation. For more information
about supported configurations, see Supported Configurations for Configuration
Manager.
 Site name: Specify a name for the secondary site.
 Installation folder: Specify the installation folder to create on the secondary site
server.
Click Next.
Note
Note
To create a secondary site
448
Important
You can click Summary to use the default settings in the wizard and go straight
to the Summary page. Use this option only when you are familiar with the
settings in this wizard. Boundary groups are not associated with the distribution
point when you use the default settings. As a result, clients will not use the
distribution point that is installed on this secondary site as a content source
location. For more information about boundary groups, see the Create and
Configure Boundary Groups for Configuration Manager section in the Configuring
Boundaries and Boundary Groups in Configuration Manager topic.
7. On the Installation Source Files page, specify the location for the installation files for
the secondary site, and then click Next. You can copy the files from the parent site to the
secondary site, use the source files from a network location, or use source files that are
already available locally on the secondary site server.
When you choose the Use the source files at the following network location or Use
the source files at the following location on the secondary site computer options,
the location must contain the Redist subfolder with the prerequisite redistributables,
language packs, and the latest product updates for Setup. Use Setup Downloader to
download the required files to the Redist folder before you install the secondary site.
Secondary site installation will fail if the files are not available in the Redist subfolder. For
more information about Setup Downloader, see Setup Downloader in this topic.
Note
The folder or share name that you choose for the Setup installation source files
must use only ASCII characters.
Security
The computer account for the secondary site must have Read NTFS file and
share permissions to the Setup source folder and share. Avoid using
administrative network shares (for example, C$ and D$) because they require
the secondary site computer account to be an administrator on the remote
computer.
8. On the SQL Server Settings page, specify whether the secondary site will use SQL
Server Express or an existing SQL Server instance for the site database, and then
configure the associated settings.
Important
When you configure the site database to use the default instance of SQL Server,
you must configure the SQL Server service port to use TCP port 1433, the
default port.
Install and configure a local copy of SQL Express on the secondary site computer
• SQL Server Service port: Specify the SQL Server service port for SQL Server
Express to use. The service port is typically configured to use TCP port 1433, but you
can configure another port.
• SQL Server Broker port: Specify the SQL Server Service Broker (SSB) port for SQL
Server Express to use. The Service Broker is typically configured to use TCP port
4022, but you can configure a different port. You must specify a valid port that is not
in use by another site or service, and that is not blocked by firewall restrictions.
Use an existing SQL Server instance
• SQL Server FQDN: Review the FQDN for the SQL Server computer. You must use a
local SQL Server to host the secondary site database and cannot modify this setting.
• SQL Server instance: Specify the SQL Server instance to use as the secondary site
database. Leave this option blank to use the default instance.
• ConfigMgr site database name: Specify the name to use for the secondary site
database.
• SQL Server Broker port: Specify the SQL Server Service Broker (SSB) port to be
used by SQL Server. You must specify a valid port that is not in use by another site
or service, and that is not blocked by firewall restrictions.
Note
Setup does not validate the information that you enter on this page until it
starts the installation. Before you continue, verify these settings.
Click Next.
9. On the Distribution Point page, configure the general distribution point settings.
• Install and configure IIS if required by Configuration Manager: Select this setting
to let Configuration Manager install and configure Internet Information Services (IIS)
on the server if it is not already installed. IIS must be installed on all distribution
points. If IIS is not installed on the server and you do not select this setting, you must
install IIS before the distribution point can be installed successfully.
• Configure how client devices communicate with the distribution point. There are
advantages and disadvantages for using HTTP and HTTPS. For more information,
see Security Best Practices for Content Management section in the Security and
Privacy for Content Management in Configuration Manager topic.
Important
You must select HTTPS when the parent primary site is configured to
communicate only by using HTTPS.
For more information about client communication to the distribution point and other
site systems, see the Planning for Client Communications in Configuration Manager
section in the Planning for Communications in Configuration Manager topic.
• Allow clients to connect anonymously: This setting specifies whether the
distribution point will allow anonymous connections from Configuration Manager
clients to the content library.
Warning
When you deploy a Windows Installer application on a Configuration
Manager client, Configuration Manager downloads the file to the local cache
on the client and the files are eventually removed after the installation
completes. The Configuration Manager client updates the Windows Installer
source list for the installed Windows Installer applications with the content
path for the content library on associated distribution points. Later, if you start
the repair action from Add/Remove Programs on a Configuration Manager
client running Windows XP, MSIExec attempts to access the content path by
using an anonymous user. You must select the Allow clients to connect
anonymously setting or the repair fails for clients running Windows XP. For
all other operating systems, the client connects to the distribution point by
using the logged on user account.
• Create a self-signed certificate or import a public key infrastructure (PKI) client
certificate for the distribution point. The certificate has the following purposes:
  • It authenticates the distribution point to a management point before the
distribution point sends status messages.
  • When you select the Enable PXE support for clients check box on the PXE
Settings page, the certificate is sent to computers that perform a PXE boot so
that they can connect to a management point during the deployment of the
operating system.
When all your management points in the site are configured for HTTP, create a self-
signed certificate. When your management points are configured for HTTPS, import a
PKI client certificate.
To import the certificate, browse to a Public Key Cryptography Standard (PKCS #12)
file that contains a PKI certificate with the following requirements for Configuration
Manager:
  • Intended use must include client authentication.
  • The private key must be enabled to be exported.
Note
There are no specific requirements for the certificate subject or subject
alternative name (SAN), and you can use the same certificate for multiple
distribution points.
For more information about the certificate requirements, see PKI Certificate
Requirements for Configuration Manager.
For an example deployment of this certificate, see the Deploying the Client Certificate
for Distribution Points section in the Step-by-Step Example Deployment of the PKI
Certificates for Configuration Manager: Windows Server 2008 Certification Authority
topic.
• Enable this distribution point for prestaged content: Select this setting to enable
the distribution point for prestaged content. When this setting is selected, you can
configure distribution behavior when you distribute content. You can choose whether
you always want to prestage the content on the distribution point, prestage the initial
content for the package, but use the normal content distribution process when there
are updates to the content, or always use the normal content distribution process for
the content in the package.
10. On the Drive Settings page, specify the drive settings for the distribution point. You can
configure up to two disk drives for the content library and two disk drives for the package
share, although Configuration Manager can use additional drives when the first two reach
the configured drive space reserve. The drive settings page configures the priority for the
disk drives and the amount of free disk space to remain on each disk drive.
• Drive space reserve (MB): The value that you configure for this setting determines
the amount of free space on a drive before Configuration Manager chooses a
different drive and continues the copy process to that drive. Content files can span
multiple drives.
• Content Locations: Specify the content locations for the content library and package
share. Configuration Manager will copy content to the primary content location until
the amount of free space reaches the value specified for Drive space reserve (MB).
By default the content locations are set to Automatic and the primary content
location will be set to the disk drive that has the most disk space at installation and
the secondary location assigned the disk drive that has the second most free disk
space. When the primary and secondary drives reach the drive space reserve,
Configuration Manager will select another available drive with the most free disk
space and continue the copy process.
11. On the Content Validation page, specify whether to validate the integrity of content files
on the distribution point. When you enable content validation on a schedule,
Configuration Manager initiates the process at the scheduled time, and all content on the
distribution point is verified. You can also configure the content validation priority. To view
the results of the content validation process, click the Monitoring workspace, expand
Distribution Status, and click the Content Status node. The content for each package
type (for example, Application, Software Update Package, and Boot Image) is displayed.
12. On the Boundary Groups page, manage the boundary groups to which this distribution
point is assigned. During content deployment, clients must be in a boundary group
associated with the distribution point to use it as a source location for content. You can
select the Allow fallback source location for content option to allow clients outside
these boundary groups to fall back and use the distribution point as a source location for
content when no preferred distribution points are available. For more information about
preferred distribution points, see the Planning for Preferred Distribution Points and
Fallback section in the Planning for Content Management in Configuration Manager topic.
13. On the Summary page, verify the settings, and then click Next to install the secondary
site.
14. On the Completion page, click Close to exit the wizard.
Upgrade an Evaluation Installation to a Full Installation
If you install Configuration Manager as an evaluation, after 180 days the Configuration Manager
console becomes read-only until you activate the product from the Site Maintenance page in
Setup.
Note
When you connect a Configuration Manager console to an evaluation installation of
Configuration Manager, the title bar of the console displays the number of days that
remain before the evaluation installation expires. The number of days does not
automatically refresh and only updates when you make a new connection to a site.
Use the following procedure to upgrade an evaluation installation to a full installation.
To upgrade an evaluation installation to a full installation
1. On the site server, click the Start button, click All Programs, click Microsoft System
Center 2012, click Configuration Manager, and then click Configuration Manager
Setup.
Important
When you run Setup from installation media, site maintenance options are not
available.
2. On the Before You Begin page, click Next.
3. On the Getting Started page, select Perform site maintenance or reset the Site, and
then click Next.
4. On the Site Maintenance page, select Convert from Evaluation to Full Product
Version, enter a valid product key, and then click Next.
5. On the Microsoft Software License Terms page, read and accept the license terms,
and then click Next.
6. On the Configuration page, click Close to complete the wizard.
Note
When you have a Configuration Manager console connected to the site when
you upgrade the site to the full installation, the title bar might indicate that the site
is still an evaluation version until you reconnect the console to the site.
Using Command-Line Options with Setup
There are many options available when you run Configuration Manager Setup from a command
line. These options can be used to start a scripted installation or upgrade, test a site's ability to be
upgraded, perform a site reset, manage installed languages, and so on.
The following table provides a list of command-line options for Setup. For information about how
to use Setup script files to perform unattended installations, see the Configuration Manager
Unattended Setup section in this topic.
/NODISKCHECK
    Use this option to disable the verification of disk space requirements during
    prerequisite checking.

/DEINSTALL
    Use this option to uninstall the site. You must run Setup from the site server
    computer.

/NOUSERINPUT
    Use this option to disable user input during Setup, but display the Setup Wizard
    interface. This option must be used in conjunction with the /SCRIPT option, and the
    unattend file must provide all required options or Setup will fail.

/RESETSITE
    Use this option to perform a site reset that resets the database and service
    accounts for the site. You must run Setup from <ConfigMgrInstallationPath>\BIN\X64
    on the site server. For more information about the site reset, see the Perform a
    Site Reset section in the Manage Site and Hierarchy Configurations topic.

/TESTDBUPGRADE <InstanceName\DatabaseName>
    Use this option to perform a test on a backup of the site database to ensure that
    it is capable of an upgrade. It is not supported to run this command-line option on
    your production site database. You must provide the instance name and database name
    for the site database. When you specify only the database name, Setup uses the
    default instance name.

/SCRIPT <SetupScriptPath>
    Use this option to perform unattended installations. A setup initialization file
    is required when you use the /SCRIPT option. For more information about how to run
    Setup unattended, see the Configuration Manager Unattended Setup section in this
    topic.

/SDKINST <FQDN>
    Use this option to install the SMS Provider on the specified computer. You must
    provide the FQDN for the SMS Provider computer. For more information about the SMS
    Provider, see the Site System Roles in Configuration Manager section in the
    Planning for Site Systems in Configuration Manager topic.

/SDKDEINST <FQDN>
    Use this option to uninstall the SMS Provider on the specified computer. You must
    provide the FQDN for the SMS Provider computer.

/MANAGELANGS <SetupScriptPath>
    Use this option to manage the languages that are installed at the selected site.
    You must run Setup from <ConfigMgrInstallationPath>\BIN\X64 on the site server and
    provide the location for the script file that contains the language settings. For
    more information about the language options available in the Setup script file, see
    the Unattended Setup Script File Keys section in this topic.
Configuration Manager Unattended Setup
To perform an unattended installation for a new Configuration Manager central administration site
or primary site, you can create an unattended installation script and use Setup with the /script
command option. The script provides the same type of information that the Setup Wizard prompts
for, except that there are no default settings. All values must be specified for the setup keys that
apply to the type of installation you are using.
You can run Configuration Manager Setup unattended by using an initialization file with the /script
Setup command-line option. Unattended setup is supported for new installations of a
Configuration Manager central administration site, primary site, and Configuration Manager
console. To use the /script setup command-line option, you must create an initialization file and
specify the initialization file name after the /script setup command-line option. The name of the file
is unimportant as long as it has the .ini file name extension. When you reference the setup
initialization file from the command line, you must provide the full path to the file. For example, if
your setup initialization file is named setup.ini, and it is stored in the C:\setup folder, your
command line would be:
setup /script c:\setup\setup.ini
Security
You must have Administrator rights to run Setup. When you run Setup with the
unattended script, start the Command Prompt in an Administrator context by using Run
as administrator.
The script contains section names, key names, and values. Required section key names vary
depending on the installation type that you are scripting. The order of the keys within sections,
and the order of sections within the file, is not important. The keys are not case sensitive. When
you provide values for keys, the name of the key must be followed by an equals sign (=) and the
value for the key.
Unattended Setup Script File Keys
To run Setup unattended, you must specify the /SCRIPT command-line option and configure the
Setup script file with required keys and values. You must configure the following four sections in the
script file to install or configure a site: Identification, Options, SQLConfigOptions, and
HierarchyOptions. To recover a site, you must use the following sections of the script file:
Identification and Recovery. For more information about backup and recovery, see the
Unattended Site Recovery Script File Keys section in the Backup and Recovery in Configuration
Manager topic.
Use the following sections to help you to create your script for unattended Setup. The tables list
the available setup script keys, their corresponding values, whether they are required, which type
of installation they are used for, and a short description for the key.
Install a Central Administration Site Unattended
Use the following section to install a central administration site by using an unattended Setup
script file.
Section: Identification

Action
    Required: Yes
    Values: InstallCAS
    Installs a central administration site.

Section: Options

ProductID
    Required: Yes
    Values: xxxxx-xxxxx-xxxxx-xxxxx-xxxxx, or Eval
    The Configuration Manager installation product key, including the dashes. Enter
    Eval to install the evaluation version of Configuration Manager.

SiteCode
    Required: Yes
    Values: <SiteCode>
    Three alphanumeric characters that uniquely identify the site in your hierarchy.
    For more information about site code restrictions, see Configuration Manager Site
    Naming.

SiteName
    Required: Yes
    Values: <SiteName>
    Description for this site.

SMSInstallDir
    Required: Yes
    Values: <ConfigMgrInstallationPath>
    Specifies the installation folder for the Configuration Manager program files.

SDKServer
    Required: Yes
    Values: <FQDN of SMS Provider>
    Specifies the FQDN for the server that will host the SMS Provider. You can
    configure additional SMS Providers for the site after the initial installation. For
    more information about the SMS Provider, see the Site System Roles in Configuration
    Manager section in the Planning for Site Systems in Configuration Manager topic.

PrerequisiteComp
    Required: Yes
    Values: 0 or 1 (0 = download, 1 = already downloaded)
    Specifies whether Setup prerequisite files have already been downloaded. For
    example, if you use a value of 0, Setup will download the files.

PrerequisitePath
    Required: Yes
    Values: <PathToSetupPrerequisiteFiles>
    Specifies the path to the Setup prerequisite files. Depending on the
    PrerequisiteComp value, Setup uses this path to store downloaded files or to locate
    previously downloaded files.

AdminConsole
    Required: Yes
    Values: 0 or 1 (0 = do not install, 1 = install)
    Specifies whether to install the Configuration Manager console.

JoinCEIP
    Required: Yes
    Values: 0 or 1 (0 = do not join, 1 = join)
    Specifies whether to join the Customer Experience Improvement Program.

AddServerLanguages
    Required: Yes
    Values: DEU, FRA, RUS, CHS, or JPN
    Specifies the server languages that will be available for the Configuration
    Manager console, reports, and Configuration Manager objects. English is available
    by default.

AddClientLanguages
    Required: Yes
    Values: DEU, FRA, RUS, CHS, JPN, ESN, CHT, KOR, CSY, DAN, NLD, FIN, ELL, HUN, ITA,
    NOR, PLK, PTB, PTG, SVE, or TRK
    Specifies the languages that will be available to client computers. English is
    available by default.

DeleteServerLanguages
    Required: Yes
    Values: DEU, FRA, RUS, CHS, or JPN
    Specifies the languages to remove that will no longer be available for the
    Configuration Manager console, reports, and Configuration Manager objects. English
    is available by default and cannot be removed.

DeleteClientLanguages
    Required: Yes
    Values: DEU, FRA, RUS, CHS, JPN, ESN, CHT, KOR, CSY, DAN, NLD, FIN, ELL, HUN, ITA,
    NOR, PLK, PTB, PTG, SVE, or TRK
    Specifies the languages to remove that will no longer be available to client
    computers. English is available by default and cannot be removed.

MobileDeviceLanguage
    Required: Yes
    Values: 0 or 1 (0 = do not install, 1 = install)
    Specifies whether the mobile device client languages are installed.

Section: SQLConfigOptions

SQLServerName
    Required: Yes
    Values: <SQLServerName>
    The name of the server, or clustered instance name, running SQL Server that will
    host the site database.

DatabaseName
    Required: Yes
    Values: <SiteDatabaseName> or <InstanceName>\<SiteDatabaseName>
    The name of the SQL Server database to create or use to install the central
    administration site database.
    Important
    You must specify the instance name and site database name if you do not use the
    default instance. When you configure the site database to use the default instance
    of SQL Server, you must configure the SQL Server service port to use TCP port 1433,
    the default port.

SQLSSBPort
    Required: No
    Values: <SSBPortNumber>
    Specify the SQL Server Service Broker (SSB) port used by SQL Server. Typically, SSB
    is configured to use TCP port 4022, but other ports are supported.
Install a Primary Site Unattended
Use the following section to install a primary site by using an unattended Setup script file.
Section: Identification

Action
    Required: Yes
    Values: InstallPrimarySite
    Installs a primary site.

Section: Options

ProductID
    Required: Yes
    Values: xxxxx-xxxxx-xxxxx-xxxxx-xxxxx, or Eval
    The Configuration Manager installation product key, including the dashes. Enter
    Eval to install the evaluation version of Configuration Manager.

SiteCode
    Required: Yes
    Values: <SiteCode>
    Three alphanumeric characters that uniquely identify the site in your hierarchy.
    For more information about site code restrictions, see Configuration Manager Site
    Naming.

SiteName
    Required: Yes
    Values: <SiteName>
    Description for this site.

SMSInstallDir
    Required: Yes
    Values: <ConfigMgrInstallationPath>
    Specifies the installation folder for the Configuration Manager program files.

SDKServer
    Required: Yes
    Values: <FQDN of SMS Provider>
    Specifies the FQDN for the server that will host the SMS Provider. You can
    configure additional SMS Providers for the site after the initial installation. For
    more information about the SMS Provider, see the Site System Roles in Configuration
    Manager section in the Planning for Site Systems in Configuration Manager topic.

PrerequisiteComp
    Required: Yes
    Values: 0 or 1 (0 = download, 1 = already downloaded)
    Specifies whether or not Setup prerequisite files have already been downloaded.
    For example, if you use a value of 0, Setup will download the files.

PrerequisitePath
    Required: Yes
    Values: <PathToSetupPrerequisiteFiles>
    Specifies the path to the Setup prerequisite files. Depending on the
    PrerequisiteComp value, Setup uses this path to store downloaded files or to locate
    previously downloaded files.

AdminConsole
    Required: Yes
    Values: 0 or 1 (0 = do not install, 1 = install)
    Specifies whether to install the Configuration Manager console.

JoinCEIP
    Required: Yes
    Values: 0 or 1 (0 = do not join, 1 = join)
    Specifies whether to join the Customer Experience Improvement Program.

RoleCommunicationProtocol
    Required: Yes
    Values: EnforceHTTPS or HTTPorHTTPS
    Specifies whether to configure all site systems to accept only HTTPS communication
    from clients, or to configure the communication method for each site system role.
    When you select EnforceHTTPS, client computers must have a valid PKI certificate
    for client authentication. For more information about PKI certificate requirements,
    see PKI Certificate Requirements for Configuration Manager.

ClientsUsePKICertificate
    Required: Yes
    Values: 0 or 1 (0 = do not use, 1 = use)
    Specifies whether clients will use a client PKI certificate to communicate with
    site system roles. For more information about PKI certificate requirements, see
    PKI Certificate Requirements for Configuration Manager.

AddServerLanguages
    Required: Yes
    Values: DEU, FRA, RUS, CHS, or JPN
    Specifies the server languages that will be available for the Configuration
    Manager console, reports, and Configuration Manager objects. English is available
    by default.

AddClientLanguages
    Required: Yes
    Values: DEU, FRA, RUS, CHS, JPN, ESN, CHT, KOR, CSY, DAN, NLD, FIN, ELL, HUN, ITA,
    NOR, PLK, PTB, PTG, SVE, or TRK
    Specifies the languages that will be available to client computers. English is
    available by default.

DeleteServerLanguages
    Required: Yes
    Values: DEU, FRA, RUS, CHS, or JPN
    Specifies the languages to remove that will no longer be available for the
    Configuration Manager console, reports, and Configuration Manager objects. English
    is available by default and cannot be removed.

DeleteClientLanguages
    Required: Yes
    Values: DEU, FRA, RUS, CHS, JPN, ESN, CHT, KOR, CSY, DAN, NLD, FIN, ELL, HUN, ITA,
    NOR, PLK, PTB, PTG, SVE, or TRK
    Specifies the languages to remove that will no longer be available to client
    computers. English is available by default and cannot be removed.

MobileDeviceLanguage
    Required: Yes
    Values: 0 or 1 (0 = do not install, 1 = install)
    Specifies whether the mobile device client languages are installed.

Section: SQLConfigOptions

SQLServerName
    Required: Yes
    Values: <SQLServerName>
    The name of the server, or clustered instance name, running SQL Server that will
    host the site database.

DatabaseName
    Required: Yes
    Values: <SiteDatabaseName> or <InstanceName>\<SiteDatabaseName>
    The name of the SQL Server database to create or use to install the primary site
    database.
    Important
    You must specify the instance name and site database name if you do not use the
    default instance. When you configure the site database to use the default instance
    of SQL Server, you must configure the SQL Server service port to use TCP port 1433,
    the default port.

SQLSSBPort
    Required: No
    Values: <SSBPortNumber>
    Specify the SQL Server Service Broker (SSB) port used by SQL Server. Typically, SSB
    is configured to use TCP port 4022, but other ports are supported.

Section: HierarchyExpansionOption

CCARSiteServer
    Required: No
    Values: <SiteCodeForCentralAdministrationSite>
    Specifies the central administration site that a primary site will attach to when
    it joins the Configuration Manager hierarchy. You must specify the central
    administration site during Setup. After Setup completes, you cannot join a
    stand-alone primary site to a central administration site.

CASRetryInterval
    Required: No
    Values: <Interval>
    Specifies the retry interval (in minutes) to attempt a connection to the central
    administration site after the connection fails. For example, if the connection to
    the central administration site fails, the primary site waits the number of
    minutes that you specify for CASRetryInterval, and then re-attempts the
    connection.

WaitForCASTimeout
    Required: No
    Values: <Timeout>
    Specifies the maximum timeout value (in minutes) for a primary site to connect to
    the central administration site. For example, if a primary site fails to connect
    to a central administration site, the primary site retries the connection to the
    central administration site based on the CASRetryInterval until the
    WaitForCASTimeout period is reached. You can specify a value of 0 to 100.
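Because Setup does not validate an unattended script until installation starts, it helps to check the .ini before running setup /script. The following Python script is an added example (not part of this documentation library or of Configuration Manager) that checks a central administration site or primary site script against the key tables above: the required sections, the keys each table marks as required, and the value formats for ProductID, SiteCode, the 0/1 keys, the language codes, the <InstanceName>\<SiteDatabaseName> form of DatabaseName, SQLSSBPort and WaitForCASTimeout. The sample script, its host names, paths and site code are constructed; the validator accepts EnforceHTTPS or HTTPorHTTPS for RoleCommunicationProtocol and assumes that several language codes are written comma-separated.

```python
"""Offline sanity check for a ConfigMgr 2012 unattended Setup script (.ini)."""
import configparser
import re

# Value sets taken from the script file key tables above.
SERVER_LANGS = {"DEU", "FRA", "RUS", "CHS", "JPN"}
CLIENT_LANGS = SERVER_LANGS | {"ESN", "CHT", "KOR", "CSY", "DAN", "NLD", "FIN", "ELL",
                               "HUN", "ITA", "NOR", "PLK", "PTB", "PTG", "SVE", "TRK"}
ACTIONS = {"installcas", "installprimarysite"}
PROTOCOLS = {"enforcehttps", "httporhttps"}
PRODUCT_KEY = re.compile(r"[A-Z0-9]{5}(?:-[A-Z0-9]{5}){4}", re.IGNORECASE)
FLAG_KEYS = ["prerequisitecomp", "adminconsole", "joinceip", "mobiledevicelanguage",
             "clientsusepkicertificate"]
LANG_KEYS = {"addserverlanguages": SERVER_LANGS, "deleteserverlanguages": SERVER_LANGS,
             "addclientlanguages": CLIENT_LANGS, "deleteclientlanguages": CLIENT_LANGS}
# Keys marked "Required: Yes" for both site types, by lower-cased section name.
REQUIRED = {"identification": ["action"],
            "options": ["productid", "sitecode", "sitename", "smsinstalldir", "sdkserver",
                        "prerequisitecomp", "prerequisitepath", "adminconsole", "joinceip",
                        *LANG_KEYS, "mobiledevicelanguage"],
            "sqlconfigoptions": ["sqlservername", "databasename"]}
PRIMARY_ONLY = ["rolecommunicationprotocol", "clientsusepkicertificate"]


def load_script(text):
    """Parse .ini text into {section: {key: value}}; names are lower-cased
    because the keys are documented as case-insensitive."""
    parser = configparser.ConfigParser(interpolation=None)  # keep '%' in paths literal
    parser.read_string(text)
    return {s.lower(): {k.lower(): v.strip() for k, v in parser.items(s)}
            for s in parser.sections()}


def _langs_ok(value, allowed):
    # Empty means no languages; several codes are assumed to be comma-separated.
    codes = [c.strip().upper() for c in value.split(",") if c.strip()]
    return all(c in allowed for c in codes)


def _int_in(value, low, high):
    return value.isdigit() and low <= int(value) <= high


def validate_script(text):
    """Return a list of problems; an empty list means the script passes."""
    cfg = load_script(text)
    problems = []
    for section, keys in REQUIRED.items():
        if section not in cfg:
            problems.append(f"missing section [{section}]")
            continue
        problems += [f"[{section}] missing required key {k}" for k in keys if k not in cfg[section]]
    ident, opts, sql = (cfg.get(s, {}) for s in ("identification", "options", "sqlconfigoptions"))
    hier = cfg.get("hierarchyexpansionoption", {})
    action = ident.get("action", "").lower()
    if action not in ACTIONS:
        problems.append(f"Action must be InstallCAS or InstallPrimarySite, got {action!r}")
    if action == "installprimarysite":
        problems += [f"[options] missing required key {k}" for k in PRIMARY_ONLY if k not in opts]
        proto = opts.get("rolecommunicationprotocol", "").lower()
        if proto and proto not in PROTOCOLS:
            problems.append(f"RoleCommunicationProtocol must be EnforceHTTPS or HTTPorHTTPS, got {proto!r}")
        if "waitforcastimeout" in hier and not _int_in(hier["waitforcastimeout"], 0, 100):
            problems.append("WaitForCASTimeout must be 0 to 100 minutes")
    pid = opts.get("productid", "")
    if pid and pid.lower() != "eval" and not PRODUCT_KEY.fullmatch(pid):
        problems.append("ProductID must be xxxxx-xxxxx-xxxxx-xxxxx-xxxxx or Eval")
    code = opts.get("sitecode", "")
    if code and not re.fullmatch(r"[A-Za-z0-9]{3}", code):
        problems.append(f"SiteCode must be three alphanumeric characters, got {code!r}")
    problems += [f"{k} must be 0 or 1" for k in FLAG_KEYS if k in opts and opts[k] not in ("0", "1")]
    problems += [f"{k} contains an unsupported language code" for k, allowed in LANG_KEYS.items()
                 if k in opts and not _langs_ok(opts[k], allowed)]
    # DatabaseName is <SiteDatabaseName> or <InstanceName>\<SiteDatabaseName>.
    db = sql.get("databasename", "")
    if db and (db.count("\\") > 1 or not all(part.strip() for part in db.split("\\"))):
        problems.append("DatabaseName must be <SiteDatabaseName> or <InstanceName>\\<SiteDatabaseName>")
    if "sqlssbport" in sql and not _int_in(sql["sqlssbport"], 1, 65535):
        problems.append("SQLSSBPort must be a TCP port number (typically 4022)")
    return problems


# Constructed sample primary-site script; host names, paths and site code are made up.
GOOD_PRIMARY = "\n".join([
    "[Identification]", "Action=InstallPrimarySite",
    "[Options]", "ProductID=Eval", "SiteCode=PR1", "SiteName=Lab primary site",
    r"SMSInstallDir=C:\Program Files\Microsoft Configuration Manager",
    "SDKServer=pri01.corp.example", "PrerequisiteComp=1",
    r"PrerequisitePath=\\fs01.corp.example\cmsource\Redist",
    "AdminConsole=1", "JoinCEIP=0", "RoleCommunicationProtocol=EnforceHTTPS",
    "ClientsUsePKICertificate=1", "AddServerLanguages=DEU,FRA", "AddClientLanguages=",
    "DeleteServerLanguages=", "DeleteClientLanguages=", "MobileDeviceLanguage=0",
    "[SQLConfigOptions]", "SQLServerName=pri01.corp.example",
    r"DatabaseName=CMINST\CM_PR1", "SQLSSBPort=4022",
    "[HierarchyExpansionOption]", "CCARSiteServer=CAS", "WaitForCASTimeout=30",
])
# The same script with three mistakes: a four-character site code, a misspelled
# protocol value, and a Service Broker port outside the TCP range.
BAD_PRIMARY = (GOOD_PRIMARY.replace("SiteCode=PR1", "SiteCode=PR01")
               .replace("EnforceHTTPS", "EnforceHTTP").replace("SQLSSBPort=4022", "SQLSSBPort=70000"))
```

Run validate_script on the text of your own .ini before copying it to the site server; every entry in the returned list is a key that Setup would otherwise reject partway through installation.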
Decommission Sites and Hierarchies
To decommission hierarchies, start at the bottom of the hierarchy and move upward. Remove
secondary sites attached to primary sites, primary sites from the central administration site, and
then the central administration site itself. Use the information in this section to remove individual
sites or decommission a hierarchy of sites.
Remove a Secondary Site from a Hierarchy
You cannot move or reassign secondary sites to a new parent primary site. To remove a
secondary site from a hierarchy, it must be deleted from its direct parent site. Use the Delete
Secondary Site Wizard from the Configuration Manager console to remove the secondary site.
When you remove a secondary site, you must choose whether to delete or uninstall the
secondary site:
• Uninstall the secondary site: Use this option to remove a functional secondary site that is
accessible from the network. This option uninstalls Configuration Manager from the
secondary site server, and then deletes all information about the site and its resources from
the Configuration Manager hierarchy.
• Delete the secondary site: Use this option if one of the following is true:
  • A secondary site failed to install.
  • The secondary site continues to display in the Configuration Manager console after you
uninstall it.
This option deletes all information about the site and its resources from the Configuration
Manager hierarchy, but leaves Configuration Manager installed on the secondary site server.
To uninstall or delete a secondary site
1. Verify the user that runs Setup has the following security rights:
 Local Administrator rights on the secondary site computer.
 Local Administrator rights on the remote site database server for the primary site, if it
is remote.
 Infrastructure Administrator or Full Administrator security role on the parent primary
site.
 Sysadmin rights on the site database of the secondary site.
2. In the Configuration Manager console, click Administration.
3. In the Administration workspace, expand Site Configuration, and then click Sites.
4. Select the secondary site server to remove.
5. On the Home tab, in the Site group, click Delete.
6. On the General page, select whether to uninstall or delete the secondary site, and then
click Next.
7. On the Summary page, verify the settings, and then click Next.
8. On the Completion page, click Close to exit the wizard.
Uninstall a Primary Site
You can run Configuration Manager Setup to uninstall a primary site that does not have an
associated secondary site. Before you uninstall a primary site, consider the following:
 When Configuration Manager clients are within the boundaries configured at the site, and the
primary site is part of a Configuration Manager hierarchy, consider adding the boundaries to
a different primary site in the hierarchy before you uninstall the primary site.
 When the primary site server is no longer available, you must use the Hierarchy Maintenance
Tool at the central administration site to delete the primary site from the site database. For
more information, see Technical Reference for the Hierarchy Maintenance Tool (Preinst.exe)
in Configuration Manager.
Use the following procedure to uninstall a primary site.
To uninstall a primary site
1. Verify the user that runs Setup has the following security rights:
 Local Administrator rights on the central administration site server.
 Local Administrator rights on the remote site database server for the central
administration site, if it is remote.
 Sysadmin rights on the site database of the central administration site.
 Local Administrator rights on the primary site computer.
 Local Administrator rights on the remote site database server for the primary site, if it
is remote.
 User name associated with the Infrastructure Administrator or Full Administrator
security role on the central administration site.
2. Start Configuration Manager Setup on the primary site server by using one of the
following methods:
 Click Configuration Manager Setup from the Start menu.
 Open Setup.exe from <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64.
 Open Setup.exe from <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.
3. On the Before You Begin page, click Next.
4. On the Getting Started page select Uninstall a Configuration Manager site, and then
click Next.
5. On the Uninstall the Configuration Manager Site page, specify whether to remove the site
database from the primary site server and whether to remove the Configuration Manager
console. By default, Setup removes both items.
Important
When there is a secondary site attached to the primary site, you must remove the
secondary site before you can uninstall the primary site.
6. Click Yes to confirm that you want to uninstall the Configuration Manager primary site.
Uninstall the Central Administration Site
You can run Configuration Manager Setup to uninstall a central administration site with no child
primary sites. Use the following procedure to uninstall the central administration site.
To uninstall a central administration site
1. Verify that the administrative user who runs Setup has the following security rights:
 Local Administrator rights on the central administration site server.
 Local Administrator rights on the site database server for the central administration
site, when the site database server is not installed on the site server.
2. Start Configuration Manager Setup on the central administration site server by using one
of the following methods:
 Click Configuration Manager Setup from the Start menu.
 Open Setup.exe from <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64.
 Open Setup.exe from <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.
3. On the Before You Begin page, click Next.
4. On the Getting Started page select Uninstall a Configuration Manager site, and then
click Next.
5. On the Uninstall the Configuration Manager Site page, specify whether to remove the site
database from the central administration site server and whether to remove the
Configuration Manager console. By default, Setup removes both items.
Important
When there is a primary site attached to the central administration site, you must
uninstall the primary site before you can uninstall the central administration site.
6. Click Yes to confirm that you want to uninstall the Configuration Manager central administration site.
Configuration Manager Site Naming
Site codes and site names are used to identify and manage the sites in a Configuration Manager
hierarchy. In the Configuration Manager console, the site code and site name are displayed in the
<site code> - <site name> format. Every site code that you use in your Configuration Manager
hierarchy must be unique. If the Active Directory schema is extended for Configuration Manager,
and sites are publishing data, the site codes used within an Active Directory forest must be
unique even if they are being used in a different Configuration Manager hierarchy or if they have
been used in previous Configuration Manager installations. Be sure to carefully plan your site
codes and site names before you deploy your Configuration Manager hierarchy.
Specify a Site Code and Site Name
During Configuration Manager Setup, you are prompted for a site code and site name for the
central administration site, and each primary and secondary site installation. The site code must
uniquely identify each Configuration Manager site in the hierarchy. Because the site code is used
in folder names, never use Microsoft Windows reserved names for the site code, such as AUX,
CON, NUL, or PRN.
Note
Configuration Manager Setup does not verify that the site code that you specify is not
already in use.
To enter the site code for a site during Configuration Manager Setup, you must enter three
alphanumeric characters. Only the letters A through Z, numbers 0 through 9, or combinations of
the two are allowed when specifying site codes. The sequence of letters or numbers has no effect
on the communication between sites. For example, it is not necessary to name a primary site
ABC and a secondary site DEF.
The site name is a friendly name identifier for the site. Use only the standard characters A
through Z, a through z, 0 through 9, and the hyphen (-) in site names.
Important
Changing the site code or site name after installation is not supported.
Re-Using Site Codes
Site codes cannot be used more than one time in a Configuration Manager hierarchy for a central
administration site or primary sites. If you reuse a site code, you run the risk of having object ID
conflicts in your Configuration Manager hierarchy. You can reuse the site code for a secondary
site if it is no longer in use in your Configuration Manager hierarchy or in the Active Directory forest.
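The site code and site name rules from this section (three characters from A through Z and 0 through 9, no Windows reserved names, no reuse of a code for a central administration site or primary site, reuse for a secondary site only when the code is no longer in use anywhere, and the fact that Setup does not check for duplicates) expressed as a pre-check to run before Setup. This is an added example, not Microsoft code or part of the documentation; the site-type labels and the lists of active and retired codes are constructed inputs.

```python
import re

# The three-character Windows reserved device names the page warns about;
# a site code is used in folder names, so these must never be used.
RESERVED_NAMES = {"AUX", "CON", "NUL", "PRN"}

SITE_CODE_RE = re.compile(r"[A-Z0-9]{3}")
SITE_NAME_RE = re.compile(r"[A-Za-z0-9-]+")


def validate_site_code(code, site_type, active_codes=(), retired_codes=()):
    """Return the list of problems with a proposed site code ([] means acceptable).

    site_type:     "cas", "primary" or "secondary" (constructed labels).
    active_codes:  codes currently in use in this hierarchy or published to the
                   Active Directory forest by any hierarchy (constructed input).
    retired_codes: codes of sites that were removed earlier (constructed input).
    Setup does not verify that a code is unused, so this check has to do it.
    """
    if not SITE_CODE_RE.fullmatch(code):
        return ["site code must be exactly three characters from A-Z or 0-9"]
    problems = []
    if code in RESERVED_NAMES:
        problems.append(f"{code} is a Windows reserved name")
    if code in active_codes:
        problems.append(f"{code} is already in use in the hierarchy or forest")
    # A central administration site or primary site must never reuse a code
    # (risk of object ID conflicts); a secondary site may reuse a retired one.
    if site_type in ("cas", "primary") and code in retired_codes:
        problems.append(f"{code} was used before and cannot be reused for a {site_type} site")
    return problems


def validate_site_name(name):
    """Site names may contain only A-Z, a-z, 0-9 and the hyphen."""
    if name and SITE_NAME_RE.fullmatch(name):
        return []
    return ["site name may contain only A-Z, a-z, 0-9 and the hyphen (-)"]


if __name__ == "__main__":
    # Constructed hierarchy state: CAS plus one primary in use, one retired secondary.
    active, retired = {"CAS", "PR1"}, {"SS1"}
    print(validate_site_code("CON", "primary"))                       # reserved name
    print(validate_site_code("PR1", "primary", active, retired))      # already in use
    print(validate_site_code("SS1", "secondary", active, retired))    # [] (reuse allowed)
    print(validate_site_code("SS1", "primary", active, retired))      # reuse refused
    print(validate_site_name("Contoso HQ"))                           # space not allowed
```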
See Also
Configuring Sites and Hierarchies in Configuration Manager
Configure Sites and the Hierarchy in Configuration Manager
After you install a Configuration Manager site, you might need to customize several features and
configurations for use by your organization. Use this topic to help you configure settings that are
used at individual sites and by the hierarchy.
In most situations you will not need to configure the following options in any specific order.
However, some build upon each other, such as boundaries and boundary groups.
Several of these configurations have default values you can use without configuration changes, at
least temporarily. Others, such as boundary groups and distribution point groups, require you to
configure them before you can use them.
Plan to review these configurations over the lifecycle of your Configuration Manager deployment
and to adjust them to meet changing business requirements or evolving network configurations.
Use the information in the following sections of this topic to help you manage these
configurations:
Site and Hierarchy Configuration Topics
 Configuring Security for Configuration Manager
 Configuring Discovery in Configuration Manager
 Configuring Sites to Publish to Active Directory Domain Services
 Configuring Settings for Client Management in Configuration Manager
 Configuring Distribution Point Groups in Configuration Manager
 Configuring Boundaries and Boundary Groups in Configuration Manager
 Configuring Alerts in Configuration Manager
 Configuring Site Components in Configuration Manager
Other Resources for this Product
 TechNet Library main page for System Center 2012 Configuration Manager
 Site Administration for System Center 2012 Configuration Manager
Configuring Security for Configuration Manager
This topic appears in the Site Administration for System Center 2012 Configuration
Manager guide and in the Security and Privacy for System Center 2012 Configuration
Manager guide.
Use the information in this topic to help you configure the following security-related options:
 Configure Settings for Client PKI Certificates
 Configure Signing and Encryption
 Configure Role-Based Administration
 Manage Accounts that Are Used by Configuration Manager
Configure Settings for Client PKI Certificates
If you want to use public key infrastructure (PKI) certificates for client connections to site systems
that use Internet Information Services (IIS), use the following procedure to configure settings for
these certificates.
To configure client PKI certificate settings
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration, click Sites, and then click
the primary site to configure.
3. On the Home tab, in the Properties group, click Properties, and then click the Client
Computer Communication tab.
4. Click HTTPS only when you want clients that are assigned to the site to always use a
client PKI certificate when they connect to site systems that use IIS. Or, click HTTPS or
HTTP when you do not require clients to use PKI certificates.
5. If you selected HTTPS or HTTP, click Use client PKI certificate (client authentication
capability) when available when you want to use a client PKI certificate for HTTP
connections. The client uses this certificate instead of a self-signed certificate to
authenticate itself to site systems. This option is automatically selected if you select
HTTPS only.
Note
When clients are detected to be on the Internet, or they are configured for
Internet-only client management, they always use a client PKI certificate.
6. Click Modify to configure your chosen client selection method for when more than one
valid PKI client certificate is available on a client, and then click OK.
Note
For more information about the client certificate selection method, see Planning
for PKI Client Certificate Selection.
7. Select or clear the check box for clients to check the Certificate Revocation list (CRL).
Note
For more information about CRL checking for clients, see Planning for PKI
Certificate Revocation.
8. If you must specify trusted root certification authority (CA) certificates for clients, click
Set, import the root CA certificate files, and then click OK.
Note
For more information about this setting, see Planning for the PKI Trusted Root
Certificates.
9. Click OK to close the properties dialog box for the site.
Repeat this procedure for all primary sites in the hierarchy.
Configure Signing and Encryption
Configure the most secure signing and encryption settings for site systems that all clients in the
site can support. These settings are especially important when you let clients communicate with
site systems by using self-signed certificates over HTTP.
To configure signing and encryption for a site
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration, click Sites, and then click
the primary site to configure.
3. On the Home tab, in the Properties group, click Properties, and then click the Signing
and Encryption tab.
4. Configure the signing and encryption options that you want, and then click OK.
Warning
Do not select Require SHA-256 without first verifying that all clients that might be
assigned to the site can support this hash algorithm, or they have a valid PKI
client authentication certificate. You might have to install updates or hotfixes on
clients to support SHA-256. For example, computers that run
Windows Server 2003 SP2 must install a hotfix that is referenced in the KB
article 938397.
If you select this option and clients cannot support SHA-256 and use self-signed
certificates, Configuration Manager rejects them. In this scenario, the
SMS_MP_CONTROL_MANAGER component logs the message ID 5443.
5. Click OK to close the Properties dialog box for the site.
Repeat this procedure for all primary sites in the hierarchy.
Configure Role-Based Administration
Use the information in this section to help you configure role-based administration in
Configuration Manager. Role-based administration combines security roles, security scopes, and
assigned collections to define the administrative scope for each administrative user. An
administrative scope includes the objects that an administrative user can view in the
Configuration Manager console, and the tasks related to those objects that the administrative
user has permission to perform. Role-based administration configurations are applied at each site
in a hierarchy.
The information in the following procedures can help you create and configure role-based
administration and related security settings.
 Create Custom Security Roles
 Configure Security Roles
 Configure Security Scopes for an Object
 Configure Collections to Manage Security
 Create a New Administrative User
 Modify the Administrative Scope of an Administrative User
Important
Role-based administration uses security roles, security scopes, and collections. These
combine to define an administrative scope for each administrative user. Your own
administrative scope defines the objects and settings that you can assign when you
configure role-based administration for another administrative user.
Create Custom Security Roles
Configuration Manager provides several built-in security roles. If you require additional security
roles, you can create a custom security role by creating a copy of an existing security role, and
then modifying the copy. You might create a custom security role to grant administrative users the
additional security permissions they require that are not included in a currently assigned security
role. By using a custom security role, you can grant them only the permissions they require, and
avoid assigning a security role that grants more permissions than they require.
Use the following procedure to create a new security role by using an existing security role as a
template.
To create custom security roles
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and then click Security Roles.
3. Use one of the following processes to create the new security role:
 To create a new custom security role, perform the following actions:
i. Select an existing security role to use as the source for the new security role.
ii. On the Home tab, in the Security Role group, click Copy. This creates a copy of
the source security role.
iii. In the Copy Security Role wizard, specify a Name for the new custom security
role.
iv. In Security operation assignments, expand each Security Operations node to
display the available actions.
v. To change the setting for a security operation, click the down arrow in the Value
column, and then select either Yes or No.
Caution
When you configure a custom security role, ensure not to grant
permissions that are not required by administrative users that are
associated with the new security role. For example, the Modify value for
the Security Roles security operation grants administrative users
permission to edit any accessible security role, even if they are not
associated with that security role.
vi. After you configure the permissions, click OK to save the new security role.
 To import a security role that was exported from another System Center 2012
Configuration Manager hierarchy, perform the following actions:
i. On the Home tab, in the Create group, click Import Security Role.
ii. Specify the .xml file that contains the security role configuration that you want to
import, and click Open to complete the procedure and save the security role.
Note
After you import a security role, you can edit the security role properties
to change the object permissions that are associated with the security
role.
Configure Security Roles
The groups of security permissions that are defined for a security role are called security
operation assignments. Security operation assignments represent a combination of object types
and actions that are available for each object type. You can modify which security operations are
available for any custom security role, but you cannot modify the built-in security roles that
Configuration Manager provides.
Use the following procedure to modify the security operations for a security role.
To modify security roles
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and then click Security Roles.
3. Select the custom security role that you want to modify.
4. On the Home tab, in the Properties group, click Properties.
5. Click the Permissions tab.
6. In Security operation assignments, expand each Security Operations node to display
the available actions.
7. To change the setting for a security operation, click the down arrow in the Value column,
and then select either Yes or No.
Caution
When you configure a custom security role, ensure not to grant permissions that
are not required by administrative users that are associated with the new security
role. For example, the Modify value for the Security Roles security operation
grants administrative users permission to edit any accessible security role, even
if they are not associated with that security role.
8. When you have finished configuring security operation assignments, click OK to save the
new security role.
Configure Security Scopes for an Object
You manage the association of a security scope for an object from the object and not from the
security scope. The only direct configurations that security scopes support are changes to its
name and description. To change the name and description of a security scope when you view
the security scope properties, you must have the Modify permission for the Security Scopes
securable object.
When you create a new object in Configuration Manager, the new object is associated with each
security scope that is associated with the security roles of the account that is used to create the
object when those security roles provide the Create permission, or Set Security Scope
permission. Only after the object is created can you change the security scopes it is associated
with.
For example, you are assigned a security role that grants you permission to create a new
boundary group. When you create a new boundary group, you have no option to assign specific
security scopes to it. Instead, the security scopes available from the security roles you
are associated with are automatically assigned to the new boundary group. After you save the
new boundary group, you can edit the security scopes associated with the new boundary group.
Use the following procedure to configure the security scopes assigned to an object.
To configure security scopes for an object
1. In the Configuration Manager console, select an object that supports assignment to a
security scope.
2. On the Home tab, in the Classify group, click Set Security Scopes.
3. In the Set Security Scopes dialog box, select or clear the security scopes that this object
is associated with. Each object that supports security scopes must be assigned to at least
one security scope.
4. Click OK to save the assigned security scopes.
Note
When you create a new object, you can assign the object to multiple security
scopes. To modify the number of security scopes associated with the object, you
must change this assignment after the object is created.
Configure Collections to Manage Security
There are no procedures to configure collections for role-based administration. Collections do not
have a role-based administration configuration; instead, you assign collections to an
administrative user when you configure the administrative user. The collection security operations
that are enabled in the user's assigned security roles determine the permissions an administrative
user has for collections and collection resources (collection members).
When an administrative user has permissions to a collection, they also have permissions to
collections that are limited to that collection. For example, your organization uses a collection
named All Desktops, and there exists a collection named All North America Desktops that is
limited to the All Desktops collection. If an administrative user has permissions to All Desktops,
they also have those same permissions to the All North America Desktops collection. In addition,
an administrative user cannot use the Delete or Modify permission on a collection that is directly
assigned to them, but can use these permissions on the collections that are limited to that
collection. Using the previous example, the administrative user can delete or modify the All North
America Desktops collection, but cannot delete or modify the All Desktops collection.
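A toy model of the role-based administration rules described in this section, added here as an illustration and not Microsoft code: a security role grants operations on object types; each role is associated with security scopes and collections (the per-role form that the later Modify the Administrative Scope section calls Only securable objects as determined by the security roles of the administrative user); permissions flow to collections that are limited to an assigned collection, but Delete and Modify never apply to a directly assigned collection; and a new object receives the scopes of the roles that grant Create or Set Security Scope. The roles, scopes, collections and administrative users below are constructed sample data.

```python
# Collection limiting relationships (constructed): collection -> the collection
# it is limited to; root collections map to None.
LIMITED_TO = {
    "All Systems": None,
    "All Desktops": "All Systems",
    "All North America Desktops": "All Desktops",
    "All Servers": "All Systems",
}

# Constructed security roles: role name -> {(securable object type, operation)}.
# These are not the permission sets of the built-in Configuration Manager roles.
ROLES = {
    "Desktop Support (constructed)": {
        ("Collection", "Read"), ("Collection", "Modify"), ("Collection", "Delete"),
        ("Application", "Read"), ("Application", "Create"),
    },
    "Scope Assigner (constructed)": {
        ("Application", "Read"), ("Application", "Set Security Scope"),
    },
}

# An administrative user is a list of (role, security scopes, collections)
# associations.  "All" stands for the built-in All security scope.
ADMIN_USER = [
    ("Desktop Support (constructed)", {"NorthAmerica"}, {"All Desktops"}),
    ("Scope Assigner (constructed)", {"Default", "NorthAmerica"}, {"All Systems"}),
]
# The first option on the page: All scope and the root collections.
FULL_SCOPE_USER = [
    ("Desktop Support (constructed)", {"All"}, {"All Systems"}),
]


def limiting_chain(collection):
    """Return [collection, its limiting collection, ..., root collection]."""
    chain = []
    while collection is not None:
        chain.append(collection)
        collection = LIMITED_TO[collection]
    return chain


def _reaches(assigned, collection):
    # True when the collection is assigned directly or is limited, directly or
    # transitively, to an assigned collection.
    return any(c in assigned for c in limiting_chain(collection))


def can_on_collection(user, collection, operation):
    """Permission check on a collection with the page's two rules: permissions
    flow down to collections limited to an assigned collection, and Delete or
    Modify never applies to a collection that is assigned to the user directly."""
    directly_assigned = set().union(*(colls for _, _, colls in user))
    if operation in ("Modify", "Delete") and collection in directly_assigned:
        return False
    return any(
        ("Collection", operation) in ROLES[role] and _reaches(colls, collection)
        for role, _, colls in user
    )


def can_on_object(user, object_type, object_scopes, operation):
    """A non-collection object is accessible when some role grants the operation
    and that role's scopes include All or intersect the object's scopes."""
    return any(
        (object_type, operation) in ROLES[role]
        and ("All" in scopes or bool(scopes & set(object_scopes)))
        for role, scopes, _ in user
    )


def scopes_for_new_object(user, object_type):
    """Scopes a newly created object receives: every scope tied to a role that
    grants Create or Set Security Scope on that object type."""
    result = set()
    for role, scopes, _ in user:
        grants = ROLES[role]
        if (object_type, "Create") in grants or (object_type, "Set Security Scope") in grants:
            result |= scopes
    return result


if __name__ == "__main__":
    print(can_on_collection(ADMIN_USER, "All North America Desktops", "Delete"))  # True
    print(can_on_collection(ADMIN_USER, "All Desktops", "Delete"))                # False
    print(can_on_object(ADMIN_USER, "Application", {"EMEA"}, "Read"))             # False
    print(can_on_object(FULL_SCOPE_USER, "Application", {"EMEA"}, "Read"))        # True
    print(sorted(scopes_for_new_object(ADMIN_USER, "Application")))               # ['Default', 'NorthAmerica']
```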
Create a New Administrative User
To grant individuals or members of a security group access to manage Configuration Manager,
create an administrative user in Configuration Manager and specify the Windows account of the
User or User Group. Each administrative user in Configuration Manager must be assigned at
least one security role and one security scope. You can also assign collections to limit the
administrative scope of the administrative user.
Use the following procedures to create new administrative users.
To create a new administrative user
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and then click Administrative
Users.
3. On the Home tab, in the Create group, click Add User or Group.
4. Click Browse and then select the user account or group to use for this new
administrative user.
Note
For console-based administration, only domain users or security groups can be
specified as an administrative user.
5. For Associated security roles, click Add to open a list of the available security roles,
select the check box for one or more security roles, and then click OK.
6. Select one of the following two options to define the securable object behavior for the
new user:
 All securable objects that are relevant to their associated security roles: This
option associates the administrative user with the All security scope and the root
level, built-in collections for All Systems, and All Users and User Groups. The
security roles assigned to the user define access to objects. New objects that this
administrative user creates are assigned to the Default security scope.
 Only securable objects in specified security scopes or collections: By default,
this option associates the administrative user with the Default security scope and the
All Systems and All Users and User Groups collections. However, the actual
security scopes and collections are limited to those that are associated with the
account that you used to create the new administrative user. This option supports the
addition or removal of security scopes and collections to customize the administrative
scope of the administrative user.
Important
The preceding options associate each assigned security scope and collection to
each security role assigned to the administrative user. A third option, Only
securable objects as determined by the security roles of the administrative
user, can be used to associate individual security roles to specific security
scopes and collections. This third option is available after you create the new
administrative user, when you modify the administrative user.
7. Depending on your selection in step 6, take the following action:
 If you selected All securable objects that are relevant to their associated
security roles, click OK to complete this procedure.
 If you selected Only securable objects in specified security scopes or
collections, you can click Add to select additional collections and security scopes, or
select one or more objects in the list, and then click Remove to remove them. Click
OK to complete this procedure.
Modify the Administrative Scope of an Administrative User
You can modify the administrative scope of an administrative user by adding or removing security
roles, security scopes, and collections that are associated with the user. Each administrative user
must be associated with at least one security role and one security scope. You might have to
assign one or more collections to the administrative scope of the user. Most security roles interact
with collections and do not function correctly without an assigned collection.
When you modify an administrative user, you can change the behavior for how securable objects
are associated with the assigned security roles. The three behaviors that you can select are as
follows:
 All securable objects that are relevant to their associated security roles: This option
associates the administrative user with the All scope and the root level built-in collections for
All Systems, and All Users and User Groups. The security roles that are assigned to the
user define access to objects.
 Only securable objects in specified security scopes or collections: This option
associates the administrative user to the same security scopes and collections that are
associated to the account you use to configure the administrative user. This option supports
the addition or removal of security roles and collections to customize the administrative scope
of the administrative user.
 Only securable objects as determined by the security roles of the administrative user:
This option lets you create specific associations between individual security roles and specific
security scopes and collections for the user.
Note
This option is available only when you modify the properties of an administrative
user.
The current configuration for the securable object behavior changes the process that you use to
assign additional security roles. Use the following procedures that are based on the different
options for securable objects to help you manage an administrative user.
Use the following procedure to view and manage the configuration for securable objects for an
administrative user:
To view and manage the securable object behavior for an administrative user
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and then click Administrative
Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, click Properties.
5. Click the Security Scopes tab to view the current configuration for securable objects for
this administrative user.
6. To modify the securable object behavior, select a new option for securable object
behavior. After you change this configuration, reference the appropriate procedure for
further guidance to configure security scopes and collections, and security roles for this
administrative user.
7. Click OK to complete the procedure.
Use the following procedure to modify an administrative user that has the securable object
behavior set to All securable objects that are relevant to their associated security roles:
Option: All securable objects that are relevant to their associated security roles
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and then click Administrative
Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, click Properties.
5. Click the Security Scopes tab to confirm that the administrative user is configured for All
securable objects that are relevant to their associated security roles.
6. To modify the assigned security roles, click the Security Roles tab.
 To assign additional security roles to this administrative user, click Add, select the
check box for each additional security role that you want to assign, and then click
OK.
 To remove security roles, select one or more security roles from the list, and then
click Remove.
7. To modify the securable object behavior, click the Security Scopes tab and select a new
option for the securable object behavior. After you change this configuration, reference
the appropriate procedure for further guidance to configure security scopes and
collections, and security roles for this administrative user.
Note
When the securable object behavior is set to All securable objects that are
relevant to their associated security roles, you cannot add or remove specific
security scopes and collections.
8. Click OK to complete this procedure.
Use the following procedure to modify an administrative user that has the securable object
behavior set to Only securable objects in specified security scopes or collections.
Option: Only securable objects in specified security scopes or collections
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and then click Administrative
Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, click Properties.
5. Click the Security Scopes tab to confirm that the user is configured for Only securable
objects in specified security scopes or collections.
6. To modify the assigned security roles, click the Security Roles tab.
 To assign additional security roles to this user, click Add, select the check box for
each additional security role that you want to assign, and then click OK.
 To remove security roles, select one or more security roles from the list, and then
click Remove.
7. To modify the security scopes and collections associated with security roles, click the
Security Scopes tab.
 To associate new security scopes or collections with all security roles that are
assigned to this administrative user, click Add and select one of the four options. If
you select Security Scope or Collection, select the check box for one or more
objects to complete that selection, and then click OK.
 To remove a security scope or collection, select the object, and then click Remove.
8. Click OK to complete this procedure.
Use the following procedure to modify an administrative user that has the securable object
behavior set to Only securable objects as determined by the security roles of the
administrative user.
Option: Only securable objects as determined by the security roles of the administrative user
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and then click Administrative
Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, click Properties.
5. Click the Security Scopes tab to confirm that the administrative user is configured for
Only securable objects in specified security scopes or collections.
6. To modify the assigned security roles, click the Security Roles tab.
 To assign additional security roles to this administrative user, click Add. On the Add
Security Role dialog box, select one or more available security roles, click Add, and
select an object type to associate with the selected security roles. If you select
Security Scope or Collection, select the check box for one or more objects to
complete that selection, and then click OK.
Note
You must configure at least one security scope before the selected security
roles can be assigned to the administrative user. When you select multiple
security roles, each security scope and collection that you configure is
associated with each of the selected security roles.
 To remove security roles, select one or more security roles from the list, and then
click Remove.
7. To modify the security scopes and collections associated with a specific security role,
click the Security Scopes tab, select the security role, and then click Edit.
 To associate new objects with this security role, click Add, and select an object type
to associate with the selected security roles. If you select Security Scope or
Collection, select the check box for one or more objects to complete that selection,
and then click OK.
Note
You must configure at least one security scope.
 To remove a security scope or collection that is associated with this security role,
select the object, and then click Remove.
 When you have finished modifying the associated objects, click OK.
8. Click OK to complete this procedure.
Caution
When a security role grants administrative users the collection deployment
permission, those administrative users can distribute objects from any security
scope for which they have object read permissions, even if that security scope is
associated with a different security role.
Manage Accounts that Are Used by
Configuration Manager
Configuration Manager supports Windows accounts for many different tasks and uses.
Use the following procedure to view which accounts are configured for different tasks, and to
manage the password that Configuration Manager uses for each account.
To manage accounts that are used by Configuration Manager
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and then click Accounts to view the
accounts that are configured for Configuration Manager.
3. To change the password for an account that is configured for Configuration Manager,
select the account.
4. On the Home tab, in the Properties group, click Properties.
5. Click Set to open the Windows User Account dialog box and specify the new password
for Configuration Manager to use for the account.
Note
The password that you specify must match the password that is specified for the
account in Active Directory Users and Computers.
6. Click OK to complete the procedure.
See Also
Configure Sites and the Hierarchy in Configuration Manager
Configuring Discovery in Configuration
Manager
Discovery identifies computer and user resources that you can manage by using Configuration
Manager, and it also discovers network infrastructure in your environment. Use the information in
the following sections to help you configure discovery in System Center 2012
Configuration Manager.
 How to Enable a Discovery Method
 Configure Heartbeat Discovery
 Configure Active Directory Discovery for Computers, Users, or Groups
 Configure Active Directory Forest Discovery
 Configure Network Discovery
 About Configuring Network Discovery
 How to Configure Network Discovery
 How to Verify that Network Discovery Has Finished
How to Enable a Discovery Method
With the exception of the Heartbeat Discovery method, you must enable all configurable
discovery methods in Configuration Manager before they can discover resources on a network.
You can also disable each method by using the same procedure you use to enable it.
In addition to enabling a discovery method, you might have to configure it to successfully discover
resources in your environment.
Note
Heartbeat Discovery is enabled when you install a Configuration Manager primary site
and does not have to be enabled. Keep Heartbeat Discovery enabled as this method
ensures that the discovery data records (DDRs) for devices are up-to-date. For more
information about Heartbeat discovery, see About Heartbeat Discovery.
To enable a discovery method
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and click
Discovery Methods.
3. Select the discovery method for the site where you want to enable discovery.
4. On the Home tab, in the Properties group, click Properties, and then on the General
tab, select the Enable <discovery method> check box.
Note
If this check box is already selected, you can disable the discovery method by
clearing the check box.
5. Click OK to save the configuration.
Configure Active Directory Discovery for
Computers, Users, or Groups
Use the information in the following sections to configure discovery of computers, users, or
groups, by using one of the following discovery methods:
 Active Directory System Discovery
 Active Directory User Discovery
 Active Directory Group Discovery
Note
The information in this section does not apply to Active Directory Forest Discovery.
While each of these discovery methods is independent of the others, they share similar options.
For more information about these configuration options, see About Active Directory Discovery for
Systems, Users, and Groups.
Warning
The Active Directory polling by each of these discovery methods can generate significant
network traffic. Consider scheduling each discovery method to run at a time when this
network traffic does not adversely affect business uses of your network.
Use the following procedures to configure each discovery method.
To configure Active Directory System Discovery
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and then click
Discovery Methods.
3. Select the method for the site where you want to configure discovery.
4. On the Home tab, in the Properties group, click Properties.
5. On the General tab, select the check box to enable discovery, or you can configure
discovery now, and then return to enable discovery later.
6. Click the New icon to specify a new Active Directory container, and in the Active
Directory Container dialog box, complete the following configurations:
a. Specify one or more locations to search.
b. For each location, specify options that modify the search behavior.
c. For each location, specify the account to use as the Active Directory Discovery
Account.
Tip
For each location that you specify, you can configure a set of discovery
options and a unique Active Directory Discovery Account.
d. Click OK to save the Active Directory container configuration.
7. On the Polling Schedule tab, configure both the full discovery polling schedule and delta
discovery.
8. Optionally, on the Active Directory Attributes tab, you can configure additional Active
Directory attributes for computers that you want to discover. The default object attributes
are also listed.
9. Optionally, on the Option tab, you can configure options to filter out, or exclude, stale
computer records from discovery.
10. When you have finished configuring Active Directory System Discovery for this site,
click OK to save the configuration.
To configure Active Directory User Discovery
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and then click
Discovery Methods.
3. Select the Active Directory User Discovery method for the site where you want to
configure discovery.
4. On the Home tab, in the Properties group, click Properties.
5. On the General tab, select the check box to enable discovery, or you can configure
discovery now, and return to enable discovery later.
6. Click the New icon to specify a new Active Directory container, and in the Active
Directory Container dialog box, complete the following configurations:
a. Specify one or more locations to search.
b. For each location, specify options that modify the search behavior.
c. For each location, specify the account to use as the Active Directory Discovery
Account.
Note
For each location that you specify, you can configure a unique set of
discovery options and a unique Active Directory Discovery Account.
d. Click OK to save the Active Directory container configuration.
7. On the Polling Schedule tab, configure both the full discovery polling schedule and delta
discovery.
8. Optionally, on the Active Directory Attributes tab, you can configure additional Active
Directory attributes for computers that you want to discover. The default object attributes
are also listed.
9. When you have finished configuring Active Directory User Discovery for this site, click
OK to save the configuration.
To configure Active Directory Group Discovery
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and then click
Discovery Methods.
3. Select the Active Directory Group Discovery method for the site where you want to
configure discovery.
4. On the Home tab, in the Properties group, click Properties.
5. On the General tab, select the check box to enable discovery, or you can configure
discovery now, and return to enable discovery later.
6. Click Add to configure a discovery scope, select either Groups or Location, and
complete the following configurations in the Add Groups, or Add Active Directory
Location dialog box:
a. Specify a Name for this discovery scope.
b. Specify an Active Directory Domain or Location to search:
 If you selected Groups, specify one or more Active Directory groups to be
discovered.
 If you selected Location, specify an Active Directory container as a location to
be discovered. You can also enable a recursive search of Active Directory child
containers for this location.
c. Specify the Active Directory Group Discovery Account that is used to search this
discovery scope.
d. Click OK to save the discovery scope configuration.
7. Repeat step 6 for each additional discovery scope that you want to define.
8. On the Polling Schedule tab, configure both the full discovery polling schedule and delta
discovery.
9. Optionally, on the Option tab, you can configure options to filter out, or exclude, stale
computer records from discovery, and to discover the membership of distribution groups.
Note
By default, Active Directory Group Discovery discovers only the membership of
security groups.
10. When you have finished configuring Active Directory Group Discovery for this site, click
OK to save the configuration.
Configure Active Directory Forest Discovery
To complete the configuration of Active Directory Forest Discovery, you must configure settings in
two locations:
 In the Discovery Methods node, you can enable this discovery method, set a polling
schedule, and select whether discovery automatically creates boundaries for the Active
Directory sites and subnets that it discovers.
 In the Active Directory Forests node, you can add forests that you want to discover, enable
discovery of Active Directory sites and subnets in that forest, configure settings that enable
Configuration Manager sites to publish their site information to the forest, and assign an
account to use as the Active Directory Forest Account for each forest.
Use the following procedures to enable Active Directory Forest discovery, and to configure
individual forests for use with Active Directory Forest Discovery.
To enable Active Directory Forest Discovery
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and then click
Discovery Methods.
3. Select the Active Directory Forest Discovery method for the site where you want to
configure discovery.
4. On the Home tab, in the Properties group, click Properties.
5. On the General tab, select the check box to enable discovery, or you can configure
discovery now, and return to enable discovery later.
6. Specify options to create site boundaries for discovered locations.
7. Specify a schedule for when discovery runs.
8. When you complete the configuration of Active Directory Forest Discovery for this site,
click OK to save the configuration.
To configure a forest for Active Directory Forest Discovery
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, click Active Directory Forests. If Active Directory
Forest Discovery has previously run, you see each discovered forest in the results pane.
The local forest and any trusted forests are discovered when Active Directory Forest
Discovery runs. Only untrusted forests must be manually added.
• To configure a previously discovered forest, select the forest in the results pane, and
then on the Home tab, in the Properties group, click Properties to open the forest
properties. Continue with step 3.
• To configure a new forest that is not listed, on the Home tab, in the Create group,
click Add Forest to open the Add Forests dialog box. Continue with step 3.
3. On the General tab, complete configurations for the forest that you want to discover and
specify the Active Directory Forest Account.
Note
Active Directory Forest Discovery requires a global account to discover and
publish to untrusted forests. If you do not use the computer account of the site
server, you can only select a global account.
4. If you plan to allow sites to publish site data to this forest, on the Publishing tab,
complete configurations for publishing to this forest.
Note
If you enable sites to publish to a forest, you must extend the Active Directory
schema of that forest for Configuration Manager, and the Active Directory Forest
Account must have Full Control permissions to the System container in that
forest.
5. When you complete the configuration of this forest for use with Active Directory Forest
Discovery, click OK to save the configuration.
Configure Heartbeat Discovery
By default, Heartbeat Discovery is enabled when you install a Configuration Manager primary
site. As a result, you only have to configure the schedule for how often clients send Heartbeat
Discovery data records (DDRs) to a management point.
Although Heartbeat Discovery is enabled by default, if it is disabled, you can re-enable it like any
other discovery method. For more information, see How to Enable a Discovery Method.
Note
If both client push installation and the site maintenance task for Clear Install Flag are
enabled at the same site, set the schedule of Heartbeat Discovery to be less than the
Client Rediscovery period of the Clear Install Flag site maintenance task. For more
information about site maintenance tasks, see Configure Maintenance Tasks for
Configuration Manager Sites.
To configure the Heartbeat Discovery schedule
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and then click
Discovery Methods.
3. Select Heartbeat Discovery for the site where you want to configure Heartbeat
Discovery.
4. On the Home tab, in the Properties group, click Properties.
5. Configure the frequency with which clients submit Heartbeat discovery data records
(DDRs), and then click OK to save the configuration.
Configure Network Discovery
Use the information in the following sections to help you configure Network Discovery.
About Configuring Network Discovery
Before you configure Network Discovery, you must understand the following:
• Available levels of Network Discovery
• Available Network Discovery options
• Limiting Network Discovery on the network
For more information, see the section About Network Discovery in the Planning for Discovery in
Configuration Manager topic.
The following sections provide information about common configurations for Network Discovery.
You can configure one or more of these configurations for use during the same discovery run. If
you use multiple configurations, you must plan for the interactions that can affect the discovery
results.
For example, you might want to discover all SNMP devices that use a specific SNMP Community
name. Additionally, for the same discovery run, you might disable discovery on a specific subnet.
When discovery runs, Network Discovery does not discover the SNMP devices with the specified
community name on the subnet that you have disabled.
Determine your Network Topology
You can use a topology-only discovery to map your network. This kind of discovery does not
discover potential clients. The topology-only Network Discovery relies on SNMP.
When mapping your network topology, you must configure the Maximum hops on the SNMP tab
in the Network Discovery Properties dialog box. Just a few hops can help control the network
bandwidth that is used when discovery runs. As you discover more of your network, you can
increase the number of hops to gain a better understanding of your network topology.
After you understand your network topology, you can configure additional properties for Network
Discovery to discover potential clients and their operating systems while you are using available
configurations to limit the network segments that Network Discovery can search.
Limit Searches by Using Subnets
You can configure Network Discovery to search specific subnets during a discovery run. By
default, Network Discovery searches the subnet of the server that runs discovery. Any additional
subnets that you configure and enable apply only to Simple Network Management Protocol
(SNMP) and Dynamic Host Configuration Protocol (DHCP) search options. When Network
Discovery searches domains, it is not limited by configurations for subnets.
If you specify one or more subnets on the Subnets tab in the Network Discovery Properties
dialog box, only the subnets that are marked as Enabled are searched.
When you disable a subnet, it is excluded from discovery, and the following conditions apply:
 SNMP-based queries do not run on the subnet
 DHCP servers do not reply with a list of resources located on the subnet
 Domain-based queries can discover resources that are located on the subnet
Search a Specific Domain
You can configure Network Discovery to search a specific domain or set of domains during a
discovery run. By default, Network Discovery searches the local domain of the server that runs
discovery.
495
If you specify one or more domains on the Domains tab in the Network Discovery Properties
dialog box, only the domains that are marked as Enabled are searched.
When you disable a domain, it is excluded from discovery, and the following conditions apply:
 Network Discovery does not query domain controllers in that domain
 SNMP-based queries can still run on subnets in the domain
 DHCP servers can still reply with a list of resources located in the domain
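The subnet and domain rules in the two lists above, worked through as an added Python example that is not part of the Configuration Manager documentation: it models a planned Network Discovery configuration and reports which search options could return a given device, including the disabled-subnet case described earlier in this section. All subnets, domains, community names and devices are constructed, and the handling of overlapping subnet entries is an assumption.

```python
"""Rules for how Network Discovery subnet and domain settings combine.

Added example, not part of the Configuration Manager documentation. It encodes
the interaction rules stated in the text: Enabled/Disabled subnets limit only the
SNMP and DHCP searches, Enabled/Disabled domains limit only domain-controller
queries, and a community name must be configured before an SNMP device answers.
All configuration values and resources below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class NetworkDiscoveryConfig:
    """Mirrors the Subnets, Domains and SNMP tabs of Network Discovery Properties."""
    search_local_subnets: bool
    local_subnet: str                      # subnet of the server that runs discovery
    subnets: Dict[str, bool]               # "10.2.0.0/16" -> True (Enabled) / False (Disabled)
    search_local_domain: bool
    local_domain: str                      # domain of the server that runs discovery
    domains: Dict[str, bool]               # "lab.example.test" -> Enabled / Disabled
    snmp_communities: List[str] = field(default_factory=lambda: ["public"])


@dataclass
class Resource:
    """A device on the network that a discovery run may or may not find."""
    ip: str
    domain: Optional[str] = None           # None for devices that are not domain members
    snmp_community: Optional[str] = None   # community the device accepts, if it speaks SNMP
    dhcp_client: bool = False              # leases its address from a configured DHCP server


def subnet_searched(cfg: NetworkDiscoveryConfig, ip: str) -> bool:
    """True when SNMP and DHCP searches may cover this address.

    A listed subnet decides by its Search value; otherwise the address must fall
    in the local subnet with Search local subnets checked. Assumption: when
    overlapping entries match, any Disabled entry excludes the address.
    """
    addr = ip_address(ip)
    matches = [enabled for subnet, enabled in cfg.subnets.items() if addr in ip_network(subnet)]
    if matches:
        return all(matches)
    return cfg.search_local_subnets and addr in ip_network(cfg.local_subnet)


def domain_searched(cfg: NetworkDiscoveryConfig, domain: Optional[str]) -> bool:
    """True when domain-controller queries cover this domain (subnet settings are ignored)."""
    if domain is None:
        return False
    if domain in cfg.domains:
        return cfg.domains[domain]
    return cfg.search_local_domain and domain == cfg.local_domain


def discovery_paths(cfg: NetworkDiscoveryConfig, res: Resource) -> Set[str]:
    """Which Network Discovery search options can return this resource."""
    paths: Set[str] = set()
    on_subnet = subnet_searched(cfg, res.ip)
    # SNMP needs a searched subnet AND a configured community name the device accepts.
    if on_subnet and res.snmp_community in cfg.snmp_communities:
        paths.add("SNMP")
    # A DHCP server's lease list is only used for searched subnets.
    if on_subnet and res.dhcp_client:
        paths.add("DHCP")
    # Domain queries are not limited by subnet configuration at all.
    if domain_searched(cfg, res.domain):
        paths.add("Domain")
    return paths


# Constructed configuration: the site server sits on 10.1.1.0/24 in corp.example.test;
# 10.2.0.0/16 was added and then toggled to Disabled; lab.example.test is Disabled.
SAMPLE_CONFIG = NetworkDiscoveryConfig(
    search_local_subnets=True, local_subnet="10.1.1.0/24",
    subnets={"10.2.0.0/16": False},
    search_local_domain=True, local_domain="corp.example.test",
    domains={"lab.example.test": False},
    snmp_communities=["public"],
)

# Constructed resources that exercise the cases described in the text.
SAMPLE_RESOURCES = {
    "switch_on_disabled_subnet": Resource("10.2.5.1", snmp_community="public"),
    "server_on_disabled_subnet": Resource("10.2.7.7", domain="corp.example.test", dhcp_client=True),
    "pc_in_disabled_domain": Resource("10.1.1.50", domain="lab.example.test", dhcp_client=True),
    "router_unknown_community": Resource("10.1.1.1", snmp_community="private"),
    "router_public": Resource("10.1.1.1", snmp_community="public"),
}


def plan_report(cfg=SAMPLE_CONFIG, resources=SAMPLE_RESOURCES) -> Dict[str, List[str]]:
    """Sorted list of search options that could discover each named resource."""
    return {name: sorted(discovery_paths(cfg, r)) for name, r in resources.items()}


if __name__ == "__main__":
    for name, paths in plan_report().items():
        print(f"{name:28s} -> {paths or ['not discovered']}")
```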
Limit Searches by Using SNMP Community Names
You can configure Network Discovery to search a specific SNMP community or set of communities
during a discovery run. By default, the community name of public is configured for use.
Network Discovery uses community names to gain access to routers that are SNMP devices. A
router can supply Network Discovery with information about other routers and subnets that are
linked to the first router.
Note
SNMP community names resemble passwords. Network Discovery can get information
only from an SNMP device for which you have specified a community name. Each SNMP
device can have its own community name, but often the same community name is shared
among several devices. Additionally, most SNMP devices have a default community
name of public. However, some organizations delete the public community name from
their devices as a security precaution.
If multiple SNMP communities are displayed on the SNMP tab in the Network Discovery
Properties dialog box, Network Discovery searches them in the order in which they are
displayed. To help minimize network traffic that is generated by attempts to contact a device by
using different names, ensure that the most frequently used names are at the top of the list.
Note
In addition to using the SNMP Community name, you can specify the IP address or
resolvable name of a specific SNMP device. You configure the IP address or resolvable
name for a specific device on the SNMP Devices tab in the Network Discovery Properties
dialog box.
Search a Specific DHCP Server
You can configure Network Discovery to use a specific DHCP server or multiple servers to
discover DHCP clients during a discovery run.
Network Discovery searches each DHCP server that you specify on the DHCP tab in the
Network Discovery Properties dialog box. If the server that is running discovery leases its IP
address from a DHCP server, you can configure discovery to search that DHCP server by
selecting the Include the DHCP server that the site server is configured to use check box.
Note
To successfully configure a DHCP server in Network Discovery, your environment must
support IPv4. You cannot configure Network Discovery to use a DHCP server in a native
IPv6 environment.
How to Configure Network Discovery
Use the following procedures to first discover only your network topology, and then to configure
Network Discovery to discover potential clients by using one or more of the available Network
Discovery options.
To determine your network topology
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and then click
Discovery Methods.
3. Select Network Discovery for the site where you want to run Network Discovery.
4. On the Home tab, in the Properties group, click Properties.
• On the General tab, select the Enable network discovery check box, and then
select Topology from the Type of discovery options.
• On the Subnets tab, select the Search local subnets check box.
Tip
If you know the specific subnets that constitute your network, you can clear the Search local
subnets check box and use the New icon to add the specific subnets that you want to
search. For large networks, it is often best to search only one or two subnets at a time to
minimize the use of network bandwidth.
• On the Domains tab, select the Search local domain check box.
• On the SNMP tab, use the Maximum hops drop-down list to specify how many
router hops Network Discovery can take in mapping your topology.
Tip
When you first map your network topology, configure just a few router hops
to minimize the use of network bandwidth.
5. On the Schedule tab, click the New icon to set a schedule for running Network
Discovery.
Note
You cannot assign a different discovery configuration to separate Network
Discovery schedules. Each time Network Discovery runs, it uses the current
discovery configuration.
6. Click OK to accept the configurations. Network Discovery runs at the scheduled time.
To configure Network Discovery
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and then click
Discovery Methods.
3. Select Network Discovery for the site where you want to run Network Discovery.
4. On the Home tab, in the Properties group, click Properties.
5. On the General tab, select the Enable network discovery check box, and then select
the type of discovery that you want to run from the Type of discovery options.
6. To configure discovery to search subnets, click the Subnets tab, and on the Subnets
tab, configure one or more of the following options:
 To run discovery on subnets that are local to the computer that runs discovery, select
the Search local subnets check box.
 To search a specific subnet, the subnet must be listed in Subnets to search, and
have a Search value of Enabled:
i. If the subnet is not listed, click the New icon. In the New Subnet Assignment dialog box,
enter the Subnet and Mask information, and then click OK. By default, a new subnet is
enabled for search.
ii. To change the Search value for a listed subnet, select the subnet, and then click
the Toggle icon to toggle the value between Disabled and Enabled.
7. To configure discovery to search domains, click the Domains tab, and on the Domains
tab, configure one or more of the following options:
 To run discovery on the domain of the computer that runs discovery, select the
Search local domain check box.
 To search a specific domain, the domain must be listed in Domains and have a
Search value of Enabled:
i. If the domain is not listed, click the New icon, and in the Domain Properties dialog box,
enter the Domain information, and then click OK. By default, a new domain is enabled for
search.
ii. To change the Search value for a listed domain, select the domain, and then
click the Toggle icon to toggle the value between Disabled and Enabled.
8. To configure discovery to search specific SNMP community names for SNMP devices,
click the SNMP tab, and on the SNMP tab, configure one or more of the following
options:
• To add an SNMP community name to the list of SNMP Community names, click the New
icon, and in the New SNMP Community Name dialog box, specify the Name of the
SNMP community, and then click OK.
• To remove an SNMP community name, select the community name, and then click the
Delete icon.
• To adjust the search order of SNMP community names, select a community name, and then
click the Move Item Up icon, or the Move Item Down icon. When discovery runs,
community names are searched in a top-to-bottom order.
Note
Network Discovery uses SNMP community names to gain access to routers
that are SNMP devices. A router can inform Network Discovery about other
routers and subnets linked to the first router.
 SNMP community names resemble passwords.
 Network Discovery can get information only from an SNMP device for which you
have specified a community name.
 Each SNMP device can have its own community name, but often the same
community name is shared among several devices
 Most SNMP devices have a default community name of Public which can be
used if you do not know any other community names. However, some
organizations delete the Public community name from their devices as a security
precaution.
9. To configure the maximum number of router hops for use by SNMP searches, click the
SNMP tab, and on the SNMP tab, select the number of hops from the Maximum hops
drop-down list.
10. To configure SNMP Devices, click the SNMP Devices tab, and on the SNMP Devices tab, if
the device is not listed, click the New icon. In the New SNMP Device dialog box, specify the
IP address or device name of the SNMP device, and then click OK.
Note
If you specify a device name, Configuration Manager must be able to resolve the
NetBIOS name to an IP address.
11. To configure discovery to query specific DHCP servers for DHCP clients, click the DHCP
tab, and on the DHCP tab, configure one or more of the following options:
 To query the DHCP server on the computer that is running discovery, select the
Always use the site server’s DHCP server check box.
Note
To use this option, the server must lease its IP address from a DHCP server
and cannot use a static IP address.
• To query a specific DHCP server, click the New icon, and in the New DHCP Server
dialog box, specify the IP address or server name of the DHCP server, and then click OK.
Note
If you specify a server name, Configuration Manager must be able to resolve
the NetBIOS name to an IP address.
12. To configure when discovery runs, click the Schedule tab, and on the Schedule tab, click the
New icon to set a schedule for running Network Discovery.
You can configure multiple schedules for Network Discovery that include multiple
recurring schedules and multiple schedules that have no recurrence.
Note
If multiple schedules are displayed on the Schedule tab at the same time, all
schedules result in a run of Network Discovery as it is configured at the time
indicated in the schedule. This is also true for recurring schedules.
13. Click OK to save your configurations.
How to Verify that Network Discovery Has Finished
The time that Network Discovery requires to complete can vary depending on a variety of factors.
These factors can include one or more of the following:
 The size of your network
 The topology of your network
 The maximum number of hops that are configured to find routers in the network
 The type of discovery that is being run
Because Network Discovery does not create messages to alert you when discovery has finished,
you can use the following procedure to verify when discovery has finished.
To verify that Network Discovery has finished
1. In the Configuration Manager console, click Monitoring.
2. In the Monitoring workspace, expand System Status, and then click Status Message
Queries.
3. Select All Status Messages.
4. On the Home tab, in the Status Message Queries group, click Show Messages.
5. Select the Select date and time drop-down list and select a value that includes how long
ago the discovery started, and then click OK to open the Configuration Manager Status
Message Viewer.
Tip
You can also use the Specify date and time option to select a given date and
time that you ran discovery. This option is useful when you ran Network
Discovery on a given date and want to retrieve messages from only that date.
6. To validate that Network Discovery has finished, search for a status message that has
the following details:
• Message ID: 502
• Component: SMS_NETWORK_DISCOVERY
• Description: This component stopped
If this status message is not present, Network Discovery has not finished.
7. To validate when Network Discovery started, search for a status message that has the
following details:
• Message ID: 500
• Component: SMS_NETWORK_DISCOVERY
• Description: This component started
This information verifies that Network Discovery started. If this information is not present,
reschedule Network Discovery.
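The check in steps 6 and 7, as an added Python example that is not part of the documentation: given a set of status messages, it reports whether SMS_NETWORK_DISCOVERY logged message ID 502 after its message ID 500 within the chosen time window, and flags the "reschedule" case when no start message is present. The StatusMessage records and the SMS_EXAMPLE_COMPONENT name are constructed; a real run would feed it the records shown in the Status Message Viewer.

```python
"""Decide whether a Network Discovery run has finished from its status messages.

Added example, not part of the Configuration Manager documentation. It applies
the rule from the procedure above: a run has finished only when the component
SMS_NETWORK_DISCOVERY logged message ID 502 ("This component stopped") after
its message ID 500 ("This component started"). The records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional, Tuple

COMPONENT = "SMS_NETWORK_DISCOVERY"
MSG_STARTED = 500   # "This component started"
MSG_STOPPED = 502   # "This component stopped"


@dataclass(frozen=True)
class StatusMessage:
    """One row as shown in the Status Message Viewer (constructed, not a real export format)."""
    time: datetime
    component: str
    message_id: int
    description: str


def network_discovery_state(
    messages: Iterable[StatusMessage], since: datetime, until: Optional[datetime] = None
) -> Tuple[str, Optional[datetime], Optional[datetime]]:
    """Return (state, started_at, stopped_at) for the most recent run in the window.

    state is "finished" (500 followed by 502), "running" (500 but no later 502)
    or "not started" (no 500 at all; the text says to reschedule discovery).
    `since`/`until` mirror the Select date and time / Specify date and time options.
    """
    relevant = sorted(
        (m for m in messages
         if m.component == COMPONENT
         and m.time >= since
         and (until is None or m.time <= until)),
        key=lambda m: m.time,
    )
    started_at = stopped_at = None
    for m in relevant:
        if m.message_id == MSG_STARTED:
            started_at, stopped_at = m.time, None    # a newer start supersedes an earlier stop
        elif m.message_id == MSG_STOPPED and started_at is not None:
            stopped_at = m.time                      # sorted order guarantees it follows the start
    if started_at is None:
        return "not started", None, None
    if stopped_at is None:
        return "running", started_at, None
    return "finished", started_at, stopped_at


def at(hour: int, minute: int) -> datetime:
    """Timestamp helper for the constructed sample (date chosen arbitrarily)."""
    return datetime(2012, 5, 23, hour, minute)


# Constructed sample: one completed run, a second run still in progress, plus noise.
SAMPLE_MESSAGES = [
    StatusMessage(at(7, 50), COMPONENT, MSG_STOPPED, "This component stopped"),  # earlier run, outside window
    StatusMessage(at(8, 40), COMPONENT, MSG_STOPPED, "This component stopped"),  # deliberately out of order
    StatusMessage(at(8, 5), COMPONENT, MSG_STARTED, "This component started"),
    StatusMessage(at(8, 12), "SMS_EXAMPLE_COMPONENT", 500, "This component started"),  # other component, ignored
    StatusMessage(at(9, 10), COMPONENT, MSG_STARTED, "This component started"),  # second run, no stop yet
]


def check(since: datetime, until: Optional[datetime] = None, messages=SAMPLE_MESSAGES):
    """Convenience wrapper over the constructed sample."""
    return network_discovery_state(messages, since, until)


if __name__ == "__main__":
    for window in ((at(8, 0), at(9, 0)), (at(9, 0), None), (at(10, 0), None)):
        state, started, stopped = check(*window)
        print(f"window from {window[0].time()} -> {state} (started {started}, stopped {stopped})")
```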
See Also
Configure Sites and the Hierarchy in Configuration Manager
Configuring Sites to Publish to Active
Directory Domain Services
Before Configuration Manager can publish site data to Active Directory Domain Services, the
Active Directory schema must be extended to create the necessary classes and attributes, the
System Management container must be created, and the primary site server’s computer account
must be granted full control of the System Management container and all of its child objects. Each
site publishes its own site-specific information to the System Management container within its
domain partition in the Active Directory schema. For information about extending the Active
Directory schema, see the Prepare Active Directory for Configuration Manager section in the
Prepare the Windows Environment for Configuration Manager topic.
Use the following procedures to configure an Active Directory forest for publishing, and to
configure a site to publish to an Active Directory forest that is enabled for publishing.
To configure Active Directory forests for publishing:
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, click Active Directory Forests. If Active Directory
Forest Discovery has previously run, you see each discovered forest in the results pane.
The local forest and any trusted forests are discovered when Active Directory Forest
Discovery runs. Only untrusted forests must be manually added.
• To configure a previously discovered forest, select the forest in the results pane, and
then on the Home tab, in the Properties group, click Properties to open the forest
properties. Continue with step 3.
• To configure a new forest that is not listed, on the Home tab, in the Create group,
click Add Forest to open the Add Forests dialog box. Continue with step 3.
3. On the General tab, complete configurations for the forest that you want to discover and
specify the Active Directory Forest Account.
Note
Active Directory Forest Discovery requires a global account to discover and
publish to untrusted forests. If you do not use the computer account of the site
server, you can only select a global account.
4. If you plan to allow sites to publish site data to this forest, on the Publishing tab,
complete configurations for publishing to this forest.
Note
If you enable sites to publish to a forest, you must extend the Active Directory
schema of that forest for Configuration Manager, and the Active Directory Forest
Account must have Full Control permissions to the System container in that
forest.
5. When you complete the configuration of this forest for use with Active Directory Forest
Discovery, click OK to save the configuration.
To enable a Configuration Manager site to publish site information to an Active Directory
forest:
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration and click Sites. Select the
site that you want to configure to publish its site data, and then on the Home tab, in
the Properties group, click Properties.
3. On the Publishing tab of the site's properties, select the forests to which this site will
publish site data.
4. Click OK to save the configuration.
See Also
Configure Sites and the Hierarchy in Configuration Manager
Configuring Settings for Client Management
in Configuration Manager
Use the following sections in this topic to help you configure client management settings in
System Center 2012 Configuration Manager.
• Configure Client Settings for Configuration Manager
• Configure Settings for Client Approval and Conflicting Client Records
• Configure a Fallback Site for Automatic Site Assignment
• Configure Client Communication Port Numbers
• Configure Custom Websites
• Configure Wake on LAN
• Configure Maintenance Windows
Configure Client Settings for Configuration Manager
Note
The information in this section also appears in How to Configure Client Settings in
Configuration Manager.
You manage all client settings in System Center 2012 Configuration Manager from the Client
Settings node in the Administration workspace of the Configuration Manager console. Modify
the default settings when you want to configure settings for all users and devices in the hierarchy.
If you want to apply different settings to just some users or devices, create custom settings and
assign these to collections.
Use one of the following procedures to configure client settings:
How to Configure the Default Client Settings
Use the following procedure to configure the default client settings for all clients in the hierarchy.
To configure the default client settings
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, click Client Settings, and then select Default Client
Settings.
3. On the Home tab, click Properties.
4. View and configure the client settings for each group of settings in the navigation pane.
For more information about each setting, see About Client Settings in Configuration
Manager.
5. Click OK to close the Default Client Settings dialog box.
How to Create and Deploy Custom Client Settings
Use the following procedure to configure and deploy custom settings for a selected collection of
users or devices. When you deploy these custom settings, they override the default client
settings.
Note
Before you begin this procedure, ensure that you have a collection that contains the
users or devices that require these custom client settings.
To configure and assign custom client settings
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, click Client Settings.
3. On the Home tab, in the Create group, click Create Custom Client Settings, and then
click one of the following options depending on whether you want to create custom client
settings for devices or for users:
 Create Custom Client Device Settings
 Create Custom Client User Settings
4. In the Create Custom Client Device Settings or Create Custom Client User Settings
dialog box, specify a unique name for the custom settings, and an optional description.
5. Select one or more of the available check boxes that display a group of settings.
6. Click the first group settings from the navigation pane, and then view and configure the
available custom settings. Repeat this process for any remaining group settings. For
information about each client setting, see About Client Settings in Configuration Manager.
7. Click OK to close the Create Custom Client Device Settings or Create Custom Client
User Settings dialog box.
8. Select the custom client setting that you have just created. On the Home tab, in the
Client Settings group, click Deploy.
9. In the Select Collection dialog box, select the collection that contains the devices or
users to be configured with the custom settings, and then click OK. You can verify the
assigned collection if you click the Assignments tab in the details pane.
10. View the order of the custom client setting that you have just created. When you have
multiple custom client settings, they are applied according to their order number. If there
are any conflicts, the setting that has the lowest order number overrides the other
settings. To change the order number, in the Home tab, in the Client Settings group,
click Move Item Up or Move Item Down.
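Step 10 describes the precedence rule for overlapping custom settings: a custom client setting only overrides the groups of settings it defines (step 5), and when a device is in several collections whose custom settings conflict, the setting with the lowest order number wins; the default client settings, which carry the fixed order number 10000, apply wherever no custom setting defines a value. The following PowerShell function is an added model of that resolution and is not code from the Configuration Manager documentation or the product. The setting names, collection IDs and order numbers in the sample data are constructed for illustration; the function takes whatever policies you describe to it.

```powershell
# Added example, not from the Configuration Manager documentation: resolves the
# effective client settings for one device from the default settings plus the
# custom settings deployed to collections the device belongs to. Lowest order
# number wins per setting; the defaults (order 10000) fill every remaining gap.

function Resolve-EffectiveClientSetting {
    param(
        [Parameter(Mandatory)] [hashtable] $DefaultSettings,   # setting name -> default value
        [Parameter(Mandatory)] [object[]]  $CustomSettings,    # objects with Name, Order, Collections, Settings
        [Parameter(Mandatory)] [string[]]  $DeviceCollections  # collection IDs the device is a member of
    )
    $effective = @{}
    foreach ($name in $DefaultSettings.Keys) {
        # Candidates: custom settings that define this setting AND are deployed to
        # at least one collection the device is in, ordered by precedence.
        $winner = $CustomSettings |
            Where-Object { $_.Settings.ContainsKey($name) } |
            Where-Object { @($_.Collections | Where-Object { $DeviceCollections -contains $_ }).Count -gt 0 } |
            Sort-Object Order |
            Select-Object -First 1
        if ($winner) {
            $effective[$name] = [pscustomobject]@{ Value = $winner.Settings[$name]; Source = $winner.Name; Order = $winner.Order }
        } else {
            $effective[$name] = [pscustomobject]@{ Value = $DefaultSettings[$name]; Source = 'Default Client Settings'; Order = 10000 }
        }
    }
    return $effective
}

# Constructed sample data (illustrative setting names, not the product's own).
$defaults = @{
    ClientPolicyPollingMinutes = 60
    RemoteToolsEnabled         = $false
    HardwareInventorySchedule  = 'Every 7 days'
}
$custom = @(
    [pscustomobject]@{ Name = 'Workstations baseline'; Order = 2; Collections = @('SMS00001')
                       Settings = @{ ClientPolicyPollingMinutes = 30; RemoteToolsEnabled = $true } },
    [pscustomobject]@{ Name = 'Help desk lockdown';    Order = 1; Collections = @('CM100012')
                       Settings = @{ RemoteToolsEnabled = $false } }
)

# A device in both collections: polling comes from order 2, remote tools from order 1,
# hardware inventory from the defaults because no custom setting defines it.
$result = Resolve-EffectiveClientSetting -DefaultSettings $defaults -CustomSettings $custom -DeviceCollections @('SMS00001', 'CM100012')
$result.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-28} {1,-14} order {2,-5} from {3}' -f $_.Name, $_.Value.Value, $_.Value.Order, $_.Value.Source
}
```

The model shows why order numbers matter for settings with a security effect: a custom setting deployed to a broad collection with a low order number silently takes precedence over a more restrictive setting deployed to a narrower collection, so review the order of all custom client settings, not just the one you created, whenever you use Move Item Up or Move Item Down.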
Configure Settings for Client Approval and Conflicting Client Records
Specify settings for client approval and conflicting client records to help Configuration Manager
securely identify clients. These settings apply to the hierarchy for all clients.
Configure approval for when clients do not use a PKI certificate for client authentication.
Configure settings for conflicting records for when Configuration Manager detects duplicate
hardware IDs and cannot resolve the conflict. Configuration Manager uses the hardware ID to
attempt to identify clients that might be duplicates and alert you to the conflicting records. For
example, if you reinstall a computer, the hardware ID would be the same but the GUID used by
Configuration Manager might be changed. When Configuration Manager can resolve a conflict by
using Windows authentication of the computer account or a PKI certificate from a trusted source,
the conflict is automatically resolved for you. However, when Configuration Manager cannot
resolve the conflict, it uses a hierarchy setting that either automatically merges the records when
it detects duplicate hardware IDs (the default setting), or allows you to decide when to merge,
block, or create new client records. If you decide to manually manage duplicate records, you must
manually resolve the conflicting records by using the Configuration Manager console.
To configure hierarchy settings for client approval and conflicting client records
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration, and then click Sites.
3. On the Home tab, in the Sites group, click Hierarchy Settings, and then click the Client
Approval and Conflicting Records tab.
4. Configure options that you require for all clients in the hierarchy, and then click OK to
close the properties dialog box.
To manually approve clients, see Managing Clients from the Devices Node.
To resolve conflicting records, see Manage Conflicting Records for Configuration Manager
Clients.
Configure a Fallback Site for Automatic Site Assignment
You can specify a hierarchy-wide fallback site for automatic site assignment.
The fallback site is assigned to a new client that is configured to automatically discover its site
when that client is on a network boundary that is not associated with any boundary group
configured for site assignment.
To configure a fallback site for automatic site assignment
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration and select Sites.
3. On the Home tab, in the Sites group, click Hierarchy Settings.
4. On the General tab, select the check box for Use a fallback site, and then select a site
from the Fallback site drop-down list.
5. Click OK to save the configuration.
Configure Client Communication Port Numbers
The information in this section also appears in How to Configure Client Communication Port
Numbers in Configuration Manager.
You can change the request port numbers that System Center 2012 Configuration Manager
clients use to communicate with site systems that use HTTP and HTTPS for communication. You
can also specify the site port number to use if you wake up clients by using traditional wake-up
packets.
When you specify HTTP and HTTPS request ports, you can specify both a default port number
and an alternative port number. Clients automatically try the alternative port after communication
fails with the default port. You can specify settings for HTTP and HTTPS data communication.
The default values for client request ports are 80 for HTTP traffic and 443 for HTTPS traffic.
Change them only if you do not want to use these default values. A typical scenario for using
custom ports is when you use a custom website in IIS rather than the default website. If you
change the default port numbers for the default website in IIS and other applications also use the
default website, they are likely to fail.
Do not change the port numbers in Configuration Manager without understanding the
consequences. Examples:
 If you change the port numbers for the client request services as a site configuration and
existing clients are not reconfigured to use the new port numbers, these clients will become
unmanaged.
 Before you configure a nondefault port number, make sure that firewalls and all intervening
network devices can support this configuration and reconfigure them as necessary. If you will
manage clients on the Internet and change the default HTTPS port number of 443, routers
and firewalls on the Internet might block this communication.
To make sure that clients do not become unmanaged after you change the request port numbers,
clients must be configured to use the new request port numbers. When you change the request
ports on a primary site, any attached secondary sites automatically inherit the same port
configuration. Use the procedure in this topic to configure the request ports on the primary site.
When the Configuration Manager site is published to Active Directory Domain Services, new and
existing clients that can access this information will automatically be configured with their site port
settings and you do not need to take further action. Clients that cannot access this information
published to Active Directory Domain Services include workgroup clients, clients from another
Active Directory forest, clients that are configured for Internet-only, and clients that are currently
on the Internet. If you change the default port numbers after these clients have been installed,
reinstall them and install any new clients by using one of the following methods:
 Reinstall the clients by using the Client Push Installation Wizard. Client push installation
automatically configures clients with the current site port configuration. For more information
about how to use the Client Push Installation Wizard, see How to Install Configuration
Manager Clients by Using Client Push.
 Reinstall the clients by using CCMSetup.exe and the client.msi installation properties of
CCMHTTPPORT and CCMHTTPSPORT. For more information about these properties, see
How to Install Configuration Manager Clients by Using Client Push.
 Reinstall the clients by using a method that searches Active Directory Domain Services for
Configuration Manager client installation properties. For more information, see About Client
Installation Properties Published to Active Directory Domain Services in Configuration
Manager.
To reconfigure the port numbers for existing clients, you can also use the script
PORTSWITCH.VBS that is provided with the installation media in the
SMSSETUP\Tools\PortConfiguration folder.
Important
For existing and new clients that are currently on the Internet, you must configure the
non-default port numbers by using the CCMSetup.exe client.msi properties of
CCMHTTPPORT and CCMHTTPSPORT.
Important
After changing the request ports on the site, new clients that are installed by using the site-wide
client push installation method will be automatically configured with the current port numbers for
the site.
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration, click Sites, and select
the primary site to configure.
3. In the Home tab, click Properties, and then click the Ports tab.
4. Select any of the items and click the Properties icon to display the Port Detail dialog box.
5. In the Port Detail dialog box, specify the port number and description for the item, and
then click OK.
6. Select Use custom web site if you will use the custom website name of SMSWeb for
site systems that run IIS.
7. Click OK to close the properties dialog box for the site.
Repeat this procedure for all primary sites in the hierarchy.
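Clients that cannot read the site's port settings from Active Directory Domain Services (workgroup clients, clients in another forest, Internet-only clients) have to be reinstalled with the CCMHTTPPORT and CCMHTTPSPORT properties after you change the request ports, and the section warns that a client moved to a port that a firewall or intervening device blocks simply becomes unmanaged. The following PowerShell script (3.0 or later) is an added example and is not code from the Configuration Manager documentation or the product: it reports the ports the client currently uses, confirms that the management point accepts TCP connections on the new ports, and only then runs CCMSetup.exe with the documented properties. The management point name, site code and new port numbers are assumptions you supply; the registry location read for the current ports is an assumption used for reporting only, and the path to ccmsetup.exe is the usual location on an installed client.

```powershell
# Added example, not from the Configuration Manager documentation: reinstall a
# client with non-default request ports, gated on reachability of the management
# point. Run elevated on the client. Management point, site code and ports are
# assumed inputs.
param(
    [Parameter(Mandatory)] [string] $ManagementPoint,   # e.g. 'mp01.corp.example.com' (assumed)
    [Parameter(Mandatory)] [int]    $NewHttpPort,       # e.g. 8080 (assumed)
    [Parameter(Mandatory)] [int]    $NewHttpsPort,      # e.g. 8443 (assumed)
    [string] $SiteCode = 'P01',                         # assumed site code
    [string] $CcmSetupPath = "$env:SystemRoot\ccmsetup\ccmsetup.exe",
    [switch] $WhatIf                                    # report and test only, do not reinstall
)

function Get-CurrentClientPort {
    # Assumption: an installed client records its request ports as HttpPort and
    # HttpsPort under this key. Used only to show the 'before' state.
    $key = 'HKLM:\SOFTWARE\Microsoft\CCM'
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{ HttpPort = $p.HttpPort; HttpsPort = $p.HttpsPort }
}

function Test-TcpPort {
    # Plain TCP connect with a timeout; works without the NetTCPIP module.
    param([string] $ComputerName, [int] $Port, [int] $TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$before = Get-CurrentClientPort
if ($before) {
    Write-Host ("Current client ports: HTTP={0} HTTPS={1}" -f $before.HttpPort, $before.HttpsPort)
} else {
    Write-Host "No installed client found; this will be a fresh installation."
}

# Gate the change on reachability. For Internet-only clients run this check from
# the Internet side, because that is the path the client will use.
$checks = @(
    [pscustomobject]@{ Port = $NewHttpPort;  Open = (Test-TcpPort $ManagementPoint $NewHttpPort)  },
    [pscustomobject]@{ Port = $NewHttpsPort; Open = (Test-TcpPort $ManagementPoint $NewHttpsPort) }
)
$checks | ForEach-Object { Write-Host ("{0}:{1} reachable = {2}" -f $ManagementPoint, $_.Port, $_.Open) }
if ($checks | Where-Object { -not $_.Open }) {
    throw "Management point not reachable on one or more new ports. Fix firewalls and network devices first; reconfiguring the client now would leave it unmanaged."
}

# Documented CCMSetup.exe switch and client.msi properties.
$setupArgs = @(
    "/mp:$ManagementPoint",
    "SMSSITECODE=$SiteCode",
    "CCMHTTPPORT=$NewHttpPort",
    "CCMHTTPSPORT=$NewHttpsPort"
)
if ($WhatIf) {
    Write-Host "Would run: $CcmSetupPath $($setupArgs -join ' ')"
} else {
    $proc = Start-Process -FilePath $CcmSetupPath -ArgumentList $setupArgs -Wait -PassThru
    Write-Host "ccmsetup.exe exit code: $($proc.ExitCode); see $env:SystemRoot\ccmsetup\Logs\ccmsetup.log"
}
```

Run it first with -WhatIf to see the current ports and the reachability result without touching the client; the TCP check only proves that a listener answers on the port, so a client that still fails after reinstall should be diagnosed from ccmsetup.log and the site system's IIS configuration rather than by changing ports again.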
Configure Custom Websites
Before you configure Configuration Manager to use a custom website, review the planning
information in Planning for Custom Websites with Configuration Manager.
Most Configuration Manager site system roles automatically configure to use a custom website,
however the following site system roles require you to manually configure the custom website.
 Application Catalog web service point
 Application Catalog website point
 Enrollment point
 Enrollment proxy point
For these site system roles, you must specify the custom website during the site system role
installation. If any of these site system roles are already installed when you enable custom
websites for the site, uninstall these site system
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
Serviços ebooks sc2012_config_mgr_pdf_download
538 Migrate Data from Configuration Manager 2007 to Configuration Manager ............................... 549 Operations and Maintenance for Site Administration In Configuration Manager ........................ 550 Manage Site and Hierarchy Configurations................................................................................. 550 Configure the Status System for Configuration Manager............................................................ 564 Configure Maintenance Tasks for Configuration Manager Sites................................................. 567 Monitor Configuration Manager Sites and Hierarchy .................................................................. 569 Backup and Recovery in Configuration Manager........................................................................ 578 Reporting in Configuration Manager............................................................................................ 608 Introduction to Reporting in Configuration Manager.................................................................... 609
  • 5. Planning for Reporting in Configuration Manager ....................................................................... 614 Prerequisites for Reporting in Configuration Manager ................................................................ 617 Best Practices for Reporting........................................................................................................ 618 Configuring Reporting in Configuration Manager ........................................................................ 619 Operations and Maintenance for Reporting in Configuration Manager....................................... 628 Creating Custom Report Models in SQL Server Reporting Services.......................................... 638 Security and Privacy for Reporting in Configuration Manager .................................................... 653 Technical Reference for Reporting in Configuration Manager .................................................... 653 Security and Privacy for Site Administration in Configuration Manager...................................... 654 Technical Reference for Site Administration in Configuration Manager...................................... 674 Technical Reference for Site Communications in Configuration Manager.................................. 675 Technical Reference for Ports Used in Configuration Manager.................................................. 677 Technical Reference for Log Files in Configuration Manager ..................................................... 694 Technical Reference for Accounts Used in Configuration Manager ........................................... 734 Technical Reference for Cryptographic Controls Used in Configuration Manager ..................... 752 Technical Reference for Language Packs in Configuration Manager......................................... 761 Technical Reference for Unicode and ASCII Support in Configuration Manager ....................... 
763 Technical Reference for the Hierarchy Maintenance Tool (Preinst.exe) in Configuration Manager .................................................................................................................................................. 766 Technical Reference for the Prerequisite Checker in Configuration Manager............................ 770 Technical Reference for International Support in Configuration Manager .................................. 784 Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority .......................................................................................... 785 Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager... 802 Introduction to Migration in System Center 2012 Configuration Manager .................................. 803 Planning for Migration to System Center 2012 Configuration Manager...................................... 807 Prerequisites for Migration in System Center 2012 Configuration Manager ............................... 808
  • 6. Administrator Checklists for Migration Planning in System Center 2012 Configuration Manager .................................................................................................................................................. 810 Determine Whether to Migrate Configuration Manager 2007 to System Center 2012 Configuration Manager ................................................................................................................................... 815 Planning for Source Hierarchies in System Center 2012 Configuration Manager ...................... 817 Planning for Migration Jobs in System Center 2012 Configuration Manager ............................. 821 Planning for Client Migration to System Center 2012 Configuration Manager ........................... 829 Planning for Content Deployment During Migration to System Center 2012 Configuration Manager ................................................................................................................................... 831 Planning for the Migration of Configuration Manager 2007 Objects to System Center 2012 Configuration Manager............................................................................................................. 838 Planning to Monitor Migration Activity in System Center 2012 Configuration Manager.............. 846 Planning to Complete Migration to System Center 2012 Configuration Manager ...................... 846 Configuring Migration to System Center 2012 Configuration Manager....................................... 848 Operations for Migrating Configuration Manager 2007 to System Center 2012 Configuration Manager ................................................................................................................................... 850 Security and Privacy for Migration to System Center 2012 Configuration Manager................... 
855 Deploying Clients for System Center 2012 Configuration Manager............................................ 856 Introduction to Client Deployment in Configuration Manager...................................................... 857 Planning for Client Deployment in Configuration Manager ......................................................... 864 Prerequisites for Client Deployment in Configuration Manager .................................................. 865 Best Practices for Client Deployment in Configuration Manager ................................................ 875 Determine How to Manage Mobile Devices in Configuration Manager....................................... 877 Determine the Site System Roles for Client Deployment in Configuration Manager .................. 881 Determine the Client Installation Method to Use for Computers in Configuration Manager ....... 884 Determine Whether to Block Clients in Configuration Manager.................................................. 887 Configuring Client Deployment in Configuration Manager .......................................................... 890 How to Configure Client Communication Port Numbers in Configuration Manager ................... 890
  • 7. How to Configure Client Computers to Find Management Points by using DNS Publishing in Configuration Manager............................................................................................................. 892 How to Prevent the Client Software from Installing on Specific Computers in Configuration Manager ................................................................................................................................... 894 How to Configure Client Settings in Configuration Manager....................................................... 895 How to Install Clients on Computers in Configuration Manager.................................................. 897 How to Assign Clients to a Site in Configuration Manager.......................................................... 911 How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager .... 918 How to Configure Client Status in Configuration Manager.......................................................... 926 Operations and Maintenance for Client Deployment in Configuration Manager......................... 929 How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager ................................................................................................................................... 929 How to Manage Clients in Configuration Manager...................................................................... 932 How to Monitor Clients in Configuration Manager....................................................................... 946 Security and Privacy for Clients in Configuration Manager......................................................... 948 Technical Reference for Client Deployment in Configuration Manager ...................................... 958 About Client Settings in Configuration Manager ......................................................................... 
958 About Client Installation Properties in Configuration Manager.................................................... 982 About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager........................................................................................................... 1001 Administrator Checklist: Deploying Clients in Configuration Manager ...................................... 1004 Windows Firewall and Port Settings for Client Computers in Configuration Manager.............. 1006 Deploying Software and Operating Systems in System Center 2012 Configuration Manager. 1012 Content Management in Configuration Manager ...................................................................... 1013 Introduction to Content Management in Configuration Manager .............................................. 1013 Planning for Content Management in Configuration Manager .................................................. 1019 Prerequisites for Content Management in Configuration Manager ........................................... 1030 Best Practices for Content Management in Configuration Manager ......................................... 1032
  • 8. Configuring Content Management in Configuration Manager................................................... 1033 Operations and Maintenance for Content Management in Configuration Manager.................. 1049 How to Prestage Content to Distribution Points Located on a Site Server ............................... 1064 Security and Privacy for Content Management in Configuration Manager ............................... 1065 Technical Reference for Content Management in Configuration Manager ............................... 1068 Application Management in Configuration Manager ................................................................. 1069 Introduction to Application Management in Configuration Manager ......................................... 1069 Planning for Application Management in Configuration Manager............................................. 1079 Prerequisites for Application Management in Configuration Manager ...................................... 1080 Best Practices for Application Management in Configuration Manager .................................... 1085 Configuring the Application Catalog and Software Center in Configuration Manager .............. 1085 Operations and Maintenance for Application Management in Configuration Manager............. 1092 How to Create Applications in Configuration Manager.............................................................. 1092 How to Create Deployment Types in Configuration Manager................................................... 1097 How to Deploy Applications in Configuration Manager ............................................................. 1108 How to Simulate an Application Deployment in Configuration Manager................................... 1112 How to Manage Applications and Deployment Types in Configuration Manager ..................... 1113 How to Manage Application Revisions in Configuration Manager ............................................ 
1118 How to Use Application Supersedence in Configuration Manager ........................................... 1119 How to Uninstall Applications in Configuration Manager .......................................................... 1121 How to Monitor Applications in Configuration Manager ............................................................ 1122 How to Manage User Device Affinity in Configuration Manager ............................................... 1124 How to Create Global Conditions in Configuration Manager .................................................... 1128 Packages and Programs in Configuration Manager.................................................................. 1137 How to Create Packages and Programs in Configuration Manager ......................................... 1138 How to Deploy Packages and Programs in Configuration Manager ......................................... 1147
  • 9. How to Monitor Packages and Programs in Configuration Manager ........................................ 1150 How to Manage Packages and Programs in Configuration Manager ....................................... 1150 Security and Privacy for Application Management in Configuration Manager .......................... 1152 Technical Reference for Application Management in Configuration Manager.......................... 1157 Example Scenario for Application Management in Configuration Manager.............................. 1158 Software Updates in Configuration Manager ............................................................................ 1167 Introduction to Software Updates in Configuration Manager .................................................... 1167 Planning for Software Updates in Configuration Manager ........................................................ 1184 Prerequisites for Software Updates in Configuration Manager ................................................. 1197 Best Practices for Software Updates in Configuration Manager ............................................... 1202 Configuring Software Updates in Configuration Manager......................................................... 1203 How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster .... 1245 How to Determine the Port Settings Used by WSUS................................................................ 1251 How to Enable CRL Checking for Software Updates................................................................ 1252 Operations and Maintenance for Software Updates in Configuration Manager........................ 1252 Security and Privacy for Software Updates in Configuration Manager ..................................... 1282 Technical Reference for Software Updates in Configuration Manager ..................................... 1287 Technical Reference for the Icons Used for Software Updates ................................................ 
1287 Example Scenario for Deploying Software Updates ................................................................. 1291 Operating System Deployment in Configuration Manager........................................................ 1296 Introduction to Operating System Deployment in Configuration Manager ................................ 1297 Planning How to Deploy Operating Systems in Configuration Manager................................... 1305 Prerequisites For Deploying Operating Systems in Configuration Manager............................. 1306 Supported Operating Systems and Hard Disk Configurations for Operating System Deployment ................................................................................................................................................ 1312 Determine the Operating System Deployment Method to Use in Configuration Manager........ 1314 Planning Site System Roles for Operating System Deployments in Configuration Manager ... 1317
  • 10. Planning for Deploying Operating System Images in Configuration Manager.......................... 1320 Planning for Capturing Operating System Images in Configuration Manager .......................... 1323 Planning for Boot Image Deployments in Configuration Manager ............................................ 1328 Planning a Device Driver Strategy in Configuration Manager................................................... 1331 Planning for PXE-Initiated Operating System Deployments in Configuration Manager............ 1333 Planning a Multicast Strategy in Configuration Manager .......................................................... 1336 Planning for Media Operating System Deployments in Configuration Manager....................... 1338 Planning a Task Sequences Strategy in Configuration Manager.............................................. 1341 Planning for Operating System Deployments in a NAP-Enabled Environment ........................ 1355 Configuring Configuration Manager for Operating System Deployments ................................. 1357 How to Manage Operating System Images and Installers in Configuration Manager .............. 1357 How to Manage Boot Images in Configuration Manager .......................................................... 1360 How to Manage the Driver Catalog in Configuration Manager.................................................. 1366 How to Manage Task Sequences in Configuration Manager.................................................... 1373 How to Manage the User State in Configuration Manager........................................................ 1392 How to Manage Unknown Computer Deployments in Configuration Manager......................... 1399 How to Associate Users with a Destination Computer.............................................................. 1401 How to Manage Multicast in Configuration Manager................................................................. 
1404 Operations and Maintenance for Deploying Operating Systems in Configuration Manager .... 1406 How to Deploy Operating Systems in Configuration Manager.................................................. 1407 How to Deploy Operating Systems by Using Media in Configuration Manager........................ 1412 How to Deploy Operating Systems by Using PXE in Configuration Manager .......................... 1423 How to Deploy Operating Systems to Offline Computers in Configuration Manager................ 1427 Security and Privacy for Deploying Operating Systems in Configuration Manager .................. 1427 Technical Reference for Deploying Operating Systems in Configuration Manager.................. 1435 Example Scenario for PXE-Initiated Operating System Deployment........................................ 1435
  • 11. Task Sequence Variables in Configuration Manager................................................................ 1438 Task Sequence Action Variables in Configuration Manager..................................................... 1439 Task Sequence Built-in Variables in Configuration Manager.................................................... 1465 Task Sequence Steps in Configuration Manager...................................................................... 1472 Task Sequence Scenarios in Configuration Manager............................................................... 1515 Assets and Compliance in System Center 2012 Configuration Manager ................................. 1525 Collections in Configuration Manager ....................................................................................... 1526 Introduction to Collections in Configuration Manager................................................................ 1527 Planning for Collections in Configuration Manager ................................................................... 1531 Prerequisites for Collections in Configuration Manager ............................................................ 1531 Best Practices for Collections in Configuration Manager .......................................................... 1532 Operations and Maintenance for Collections in Configuration Manager................................... 1533 How to Create Collections in Configuration Manager ............................................................... 1533 How to Manage Collections in Configuration Manager ............................................................. 1541 How to Use Maintenance Windows in Configuration Manager ................................................. 1549 Security and Privacy for Collections in Configuration Manager ................................................ 1551 Technical Reference for Collections in Configuration Manager ................................................ 
1552 Queries in Configuration Manager............................................................................................. 1552 Introduction to Queries in Configuration Manager..................................................................... 1552 Operations and Maintenance for Queries in Configuration Manager........................................ 1553 How to Create Queries in Configuration Manager .................................................................... 1554 How to Manage Queries in Configuration Manager .................................................................. 1556 Security and Privacy for Queries in Configuration Manager ..................................................... 1557 Technical Reference for Queries in Configuration Manager ..................................................... 1558 Inventory in Configuration Manager .......................................................................................... 1558 Hardware Inventory in Configuration Manager.......................................................................... 1559
  • 12. Introduction to Hardware Inventory in Configuration Manager.................................................. 1560 Planning for Hardware Inventory in Configuration Manager ..................................................... 1562 Prerequisites for Hardware Inventory in Configuration Manager .............................................. 1562 Best Practices for Hardware Inventory in Configuration Manager ............................................ 1563 Configuring Hardware Inventory in Configuration Manager ...................................................... 1563 How to Configure Hardware Inventory in Configuration Manager............................................. 1563 How to Extend Hardware Inventory in Configuration Manager ................................................. 1564 Operations and Maintenance for Hardware Inventory in Configuration Manager..................... 1570 How to Use Resource Explorer to View Hardware Inventory in Configuration Manager .......... 1570 Security and Privacy for Hardware Inventory in Configuration Manager .................................. 1571 Technical Reference for Hardware Inventory in Configuration Manager .................................. 1573 Software Inventory in Configuration Manager ........................................................................... 1574 Introduction to Software Inventory in Configuration Manager ................................................... 1574 Planning for Software Inventory in Configuration Manager....................................................... 1575 Prerequisites for Software Inventory ......................................................................................... 1576 Configuring Software Inventory in Configuration Manager........................................................ 1576 How to Configure Software Inventory in Configuration Manager .............................................. 
1577 How to Exclude Folders from Software Inventory in Configuration Manager............................ 1578 Operations and Maintenance for Software Inventory in Configuration Manager ...................... 1578 How to Use Resource Explorer to View Software Inventory in Configuration Manager ........... 1579 Security and Privacy for Software Inventory in Configuration Manager.................................... 1580 Technical Reference for Software Inventory in Configuration Manager.................................... 1582 Asset Intelligence in Configuration Manager............................................................................. 1582 Introduction to Asset Intelligence in Configuration Manager..................................................... 1582 Prerequisites for Asset Intelligence in Configuration Manager ................................................. 1593 Configuring Asset Intelligence in Configuration Manager ......................................................... 1597
  • 13. Operations for Asset Intelligence in Configuration Manager..................................................... 1608 Security and Privacy for Asset Intelligence in Configuration Manager...................................... 1618 Technical Reference for Asset Intelligence in Configuration Manager ..................................... 1620 Example Validation State Transitions for Asset Intelligence ..................................................... 1620 Example Asset Intelligence General License Import File.......................................................... 1624 Power Management in Configuration Manager......................................................................... 1626 Introduction to Power Management in Configuration Manager................................................. 1627 Planning for Power Management in Configuration Manager .................................................... 1628 Prerequisites for Power Management in Configuration Manager ............................................. 1629 Best Practices for Power Management in Configuration Manager ........................................... 1630 Administrator Checklist for Power Management in Configuration Manager ............................. 1632 Configuring Power Management in Configuration Manager ..................................................... 1637 Operations and Maintenance for Power Management in Configuration Manager .................... 1639 How to Monitor and Plan for Power Management in Configuration Manager........................... 1639 How to Create and Apply Power Plans in Configuration Manager............................................ 1667 Security and Privacy for Power Management in Configuration Manager.................................. 1674 Technical Reference for Power Management in Configuration Manager ................................. 
1675
Remote Control in Configuration Manager .... 1675
Introduction to Remote Control in Configuration Manager .... 1676
Planning for Remote Control in Configuration Manager .... 1677
Prerequisites for Remote Control in Configuration Manager .... 1678
Configuring Remote Control in Configuration Manager .... 1680
Operations and Maintenance for Remote Control in Configuration Manager .... 1682
How to Remotely Administer a Client Computer by Using Configuration Manager .... 1682
How to Audit Remote Control Usage in Configuration Manager .... 1684
Security and Privacy for Remote Control in Configuration Manager .... 1685
Technical Reference for Remote Control in Configuration Manager .... 1688
Keyboard Shortcuts for the Remote Control Viewer in Configuration Manager .... 1689
Software Metering in Configuration Manager .... 1689
Introduction to Software Metering in Configuration Manager .... 1690
Planning for Software Metering in Configuration Manager .... 1691
Prerequisites for Software Metering in Configuration Manager .... 1691
Configuring Software Metering in Configuration Manager .... 1692
How to Configure Software Metering in Configuration Manager .... 1692
Operations and Maintenance for Software Metering in Configuration Manager .... 1693
How to Create Software Metering Rules in Configuration Manager .... 1694
How to Configure Automatic Software Metering Rule Generation in Configuration Manager .... 1695
How to Manage Software Metering Rules in Configuration Manager .... 1696
How to Monitor Software Metering in Configuration Manager .... 1697
Security and Privacy for Software Metering in Configuration Manager .... 1698
Technical Reference for Software Metering in Configuration Manager .... 1699
Example Scenario for Software Metering in Configuration Manager .... 1699
Maintenance Tasks for Software Metering in Configuration Manager .... 1701
Out of Band Management in Configuration Manager .... 1703
Introduction to Out of Band Management in Configuration Manager .... 1703
Planning for Out of Band Management in Configuration Manager .... 1709
Prerequisites for Out of Band Management in Configuration Manager .... 1710
Best Practices for Out of Band Management in Configuration Manager .... 1716
Determine Whether to Use a Customized Firmware Image From Your Computer Manufacturer .... 1718
Configuring Out of Band Management in Configuration Manager .... 1719
Administrator Checklist: Out of Band Management in Configuration Manager .... 1719
How to Provision and Configure AMT-Based Computers in Configuration Manager .... 1720
How to Manage AMT Provisioning Information in Configuration Manager .... 1732
Operations and Maintenance for Out of Band Management in Configuration Manager .... 1735
How to Manage AMT-based Computers Out of Band in Configuration Manager .... 1736
How to Manage the Audit Log for AMT-Based Computers in Configuration Manager .... 1743
How to Monitor Out of Band Management in Configuration Manager .... 1745
Security and Privacy for Out of Band Management in Configuration Manager .... 1747
Technical Reference for Out of Band Management in Configuration Manager .... 1754
About the AMT Status and Out of Band Management in Configuration Manager .... 1754
Example Scenario for Implementing Out of Band Management in Configuration Manager .... 1757
Example Scenarios for Using Out of Band Management in Configuration Manager .... 1764
AMT Provisioning Process for Out of Band Management in Configuration Manager .... 1771
Compliance Settings in Configuration Manager .... 1773
Introduction to Compliance Settings in Configuration Manager .... 1774
Planning for Compliance Settings in Configuration Manager .... 1777
Prerequisites for Compliance Settings in Configuration Manager .... 1777
Configuring Compliance Settings in Configuration Manager .... 1779
Operations and Maintenance for Compliance Settings in Configuration Manager .... 1780
How to Create Windows Configuration Items for Compliance Settings in Configuration Manager .... 1781
How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager .... 1798
How to Create Configuration Baselines for Compliance Settings in Configuration Manager .... 1800
How to Create Child Configuration Items in Configuration Manager .... 1801
How to Deploy Configuration Baselines in Configuration Manager .... 1802
How to Manage Configuration Baselines for Compliance Settings in Configuration Manager .... 1804
How to Manage Configuration Items for Compliance Settings in Configuration Manager .... 1806
How to Monitor for Compliance Settings in Configuration Manager .... 1808
How to Import Configuration Data in Configuration Manager .... 1811
Security and Privacy for Compliance Settings in Configuration Manager .... 1813
Technical Reference for Compliance Settings in Configuration Manager .... 1814
Example Scenario for Compliance Settings in Configuration Manager .... 1815
Endpoint Protection in Configuration Manager .... 1820
Introduction to Endpoint Protection in Configuration Manager .... 1820
Planning for Endpoint Protection in Configuration Manager .... 1822
Prerequisites for Endpoint Protection in Configuration Manager .... 1823
Best Practices for Endpoint Protection in Configuration Manager .... 1827
Administrator Workflow for Endpoint Protection in Configuration Manager .... 1827
Configuring Endpoint Protection in Configuration Manager .... 1828
How to Configure Endpoint Protection in Configuration Manager .... 1829
How to Configure Alerts for Endpoint Protection in Configuration Manager .... 1835
Operations and Maintenance for Endpoint Protection in Configuration Manager .... 1840
How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager .... 1841
How to Create and Deploy Windows Firewall Policies for Endpoint Protection in Configuration Manager .... 1846
How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager .... 1848
How to Monitor Endpoint Protection in Configuration Manager .... 1851
Security and Privacy for Endpoint Protection in Configuration Manager .... 1853
Technical Reference for Endpoint Protection in Configuration Manager .... 1854
Security and Privacy for System Center 2012 Configuration Manager .... 1854
Planning for Security in Configuration Manager .... 1856
Configuring Security for Configuration Manager .... 1870
Microsoft System Center 2012 Configuration Manager Privacy Statement .... 1880
Microsoft System Center 2012 Configuration Manager Privacy Statement - Mobile Device Addendum .... 1889
Security Best Practices and Privacy Information for Configuration Manager .... 1889
Security and Privacy for Site Administration in Configuration Manager .... 1890
Security and Privacy for Reporting in Configuration Manager .... 1911
Security and Privacy for Migration to System Center 2012 Configuration Manager .... 1911
Security and Privacy for Clients in Configuration Manager .... 1913
Security and Privacy for Content Management in Configuration Manager .... 1923
Security and Privacy for Application Management in Configuration Manager .... 1926
Security and Privacy for Software Updates in Configuration Manager .... 1932
Security and Privacy for Deploying Operating Systems in Configuration Manager .... 1937
Security and Privacy for Collections in Configuration Manager .... 1944
Security and Privacy for Queries in Configuration Manager .... 1945
Security and Privacy for Hardware Inventory in Configuration Manager .... 1946
Security and Privacy for Software Inventory in Configuration Manager .... 1948
Security and Privacy for Asset Intelligence in Configuration Manager .... 1950
Security and Privacy for Power Management in Configuration Manager .... 1951
Security and Privacy for Remote Control in Configuration Manager .... 1952
Security and Privacy for Software Metering in Configuration Manager .... 1955
Security and Privacy for Out of Band Management in Configuration Manager .... 1956
Security and Privacy for Compliance Settings in Configuration Manager .... 1963
Security and Privacy for Endpoint Protection in Configuration Manager .... 1964
Technical Reference for Cryptographic Controls Used in Configuration Manager .... 1966
Technical Reference for Ports Used in Configuration Manager .... 1975
Technical Reference for Accounts Used in Configuration Manager .... 1992
Glossary for Microsoft System Center 2012 Configuration Manager .... 2010
The Configuration Manager Console .... 2023
The Assets and Compliance Workspace .... 2023
The Software Library Workspace .... 2025
The Monitoring Workspace .... 2027
The Administration Workspace .... 2029
Accessibility for People with Disabilities .... 2031
Accessibility Features of Configuration Manager .... 2032
Accessibility Features of Configuration Manager Help .... 2033
Accessibility Products and Services from Microsoft .... 2035
Technical Reference for Configuration Manager .... 2037
Creating and Modifying Configuration Items .... 2038
Creating and Modifying Configuration Baselines .... 2039
Adding and Configuring Site System Roles .... 2039
Creating and Modifying Collections .... 2040
Creating and Modifying Applications .... 2040
Deploying Software .... 2041
Adding a User or User Group to Configuration Manager .... 2042
Configuring Client Settings .... 2042
Creating and Modifying Automatic Deployment Rules .... 2043
Creating and Modifying Migration Jobs .... 2044
Creating and Editing Task Sequences .... 2044
System Center 2012 Configuration Manager

Updated: May 23, 2012

Welcome to Microsoft System Center 2012 Configuration Manager. Use Configuration Manager to provide more effective IT services by enabling secure and scalable software deployment, compliance settings management, and comprehensive asset management of servers, desktops, and mobile devices.

For in-depth information about how System Center 2012 Configuration Manager can help you manage your IT infrastructure, see the following guides:
• Getting Started with System Center 2012 Configuration Manager
• Site Administration for System Center 2012 Configuration Manager
• Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager
• Deploying Clients for System Center 2012 Configuration Manager
• Deploying Software and Operating Systems in System Center 2012 Configuration Manager
• Assets and Compliance in System Center 2012 Configuration Manager
• Security and Privacy for System Center 2012 Configuration Manager

Release Notes

The release notes are published online. See the Configuration Manager 2012 Release Notes on TechNet.

Search the Configuration Manager Documentation Library

Find information online from the Documentation Library for System Center 2012 Configuration Manager. This customized Bing search query scopes your search so that you see results only from the Documentation Library for System Center 2012 Configuration Manager. It uses the search text Configuration Manager, which you can replace in the search bar with your own search string or strings and your choice of search operators, to narrow the search results.
Example Searches

Use the Find information online link and customize the search by using the following examples.
• Single search string: To search for topics that contain the search string Endpoint Protection, replace Configuration Manager with Endpoint Protection:
  ("Endpoint Protection") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)
• Combining search strings: To search for topics that contain both the search strings Endpoint Protection and monitoring, use the AND operator:
  ("Endpoint Protection") AND ("monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)
• Alternative search strings: To search for topics that contain either the search string Endpoint Protection or monitoring, use the OR operator:
  ("Endpoint Protection" OR "monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)
• Exclude search strings: To search for topics that contain the search string Endpoint Protection and exclude topics about monitoring, use the NOT operator:
  ("Endpoint Protection") NOT ("monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)

Search Tips

Use the following search tips to help you find the information that you need:
• When you search on a page in TechNet (for example, press Ctrl-F1, and enter search terms in the Find box), the results exclude text that is in collapsed sections. If you are using TechNet in Classic view, click Expand All at the top of the page, before the topic title, before you search on the page. By default, you must first click Collapse All, and then you can click Expand All. With all sections expanded, a search on the page covers all sections on that page. If you are using TechNet in Lightweight view, the Expand All option is not available and you must manually expand each collapsed section before a search on the page finds text in it.
  Tip: To change from TechNet Lightweight view (the default) to Classic view, click the Preferences icon at the top right-hand side of the page, click Classic, and then click OK.
• To search a topic in the help file, press F1, and enter search terms in the Find dialog box. The help file does not support the Expand All option, and you must manually expand each collapsed section before a search on the page finds text in it.
• Whenever possible, use the TechNet online library rather than downloaded documentation. TechNet contains the most up-to-date information; the information that you are searching for might not be in the downloaded documentation, or there might be corrections or additional information online.

Copyright Information

This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes.
© 2011 Microsoft Corporation. All rights reserved.
Microsoft, Access, Active Directory, ActiveSync, ActiveX, Authenticode, Bing, BitLocker, Excel, Forefront, Hyper-V, Internet Explorer, JScript, Microsoft Press, MSDN, Outlook, SharePoint, Silverlight, SoftGrid, SQL Server, Visio, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Intune, Windows Mobile, Windows PowerShell, Windows Server, Windows Server System, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Getting Started with System Center 2012 Configuration Manager

Getting Started Topics

Use the following topics to help you get started with Microsoft System Center 2012 Configuration Manager:
• Introduction to Configuration Manager
• What's New in Configuration Manager
• What's New in the Documentation for Configuration Manager
• Fundamentals of Configuration Manager
• Frequently Asked Questions for Configuration Manager
• Supported Configurations for Configuration Manager
• Information and Support for Configuration Manager
Other Resources for this Product
• TechNet Library main page for System Center 2012 Configuration Manager
• Documentation Library for System Center 2012 Configuration Manager

Introduction to Configuration Manager

A member of the Microsoft System Center suite of management solutions, System Center 2012 Configuration Manager increases IT productivity and efficiency by reducing manual tasks and enabling you to focus on high-value projects, maximize hardware and software investments, and empower end-user productivity by providing the right software at the right time. Configuration Manager helps you to provide more effective IT services by enabling secure and scalable software deployment, compliance settings management, and comprehensive asset management of servers, desktops, laptops, and mobile devices.

Configuration Manager extends and works alongside your existing Microsoft technologies and solutions. For example:
• Configuration Manager uses Active Directory Domain Services for security, service location, and configuration, and to discover the users and devices that you want to manage.
• Configuration Manager uses Microsoft SQL Server as a distributed change management database and integrates with SQL Server Reporting Services (SSRS) to produce reports that monitor and track management activities.
• Many of the Configuration Manager site system roles that provide management functionality use the web services of Internet Information Services (IIS).
• Background Intelligent Transfer Service (BITS) and BranchCache can be used to help manage the available network bandwidth.

In addition, Configuration Manager can integrate with Windows Server Update Services (WSUS), Network Access Protection (NAP), Certificate Services, Exchange Server, Group Policy, the DNS Server role, the Windows Automated Installation Kit (Windows AIK) and the User State Migration Tool (USMT), Windows Deployment Services (WDS), Remote Desktop, and Remote Assistance.
To be successful with Configuration Manager, you must first thoroughly plan and test the management features before you use Configuration Manager in a production environment. As a powerful management application, Configuration Manager has the potential to affect every computer in your organization. When you deploy and manage Configuration Manager with careful planning and consideration of your business requirements, Configuration Manager can reduce your administrative overhead and total cost of ownership.

Use the following sections to learn more about Configuration Manager:
• Configuration Manager Management Capabilities
• The Configuration Manager Console
• The Application Catalog and Software Center
• Configuration Manager Properties (Client)
• Example Scenarios for Configuration Manager
• Example Scenario: Empower Users by Ensuring Access to Applications from Any Device
• Example Scenario: Unify Compliance Management for Devices
• Example Scenario: Simplify Client Management for Devices
• Next Steps

Configuration Manager Management Capabilities

The following table provides details about the primary management capabilities of Configuration Manager. Each capability has its own prerequisites, and the capabilities that you want to use might influence the design and implementation of your Configuration Manager hierarchy. For example, if you want to deploy software to devices in your hierarchy, you must install the distribution point site system role.

Management capability: Application management
  Description: Provides a set of tools and resources that can help you to create, manage, deploy, and monitor applications in the enterprise.
  More information: Introduction to Application Management in Configuration Manager

Management capability: Compliance settings
  Description: Provides a set of tools and resources that can help you to assess, track, and remediate the configuration compliance of client devices in the enterprise.
  More information: Introduction to Compliance Settings in Configuration Manager

Management capability: Endpoint Protection
  Description: Provides security, antimalware, and Windows Firewall management for computers in your enterprise.
  More information: Introduction to Endpoint Protection in Configuration Manager

Management capability: Inventory
  Description: Provides a set of tools to help identify and monitor assets:
  • Hardware inventory: Collects detailed information about the hardware of devices in your enterprise.
  • Software inventory: Collects and reports information about the files that are stored on client computers in your organization.
  • Asset Intelligence: Provides tools to collect inventory data and to monitor software license usage in your enterprise.
  More information: See the following documentation:
  • Introduction to Hardware Inventory in Configuration Manager
  • Introduction to Software Inventory in Configuration Manager
  • Introduction to Asset Intelligence in Configuration Manager

Management capability: Operating system deployment
  Description: Provides a tool to create operating system images. You can then deploy these images to computers that are managed by Configuration Manager and to unmanaged computers, by using PXE boot or bootable media such as a CD set, DVD, or USB flash drives.
  More information: Introduction to Operating System Deployment in Configuration Manager

Management capability: Out of band management
  Description: Integrates with Intel Active Management Technology (Intel AMT), which lets you manage desktop and laptop computers independently from the Configuration Manager client or the computer operating system.
  More information: Introduction to Out of Band Management in Configuration Manager

Management capability: Power management
  Description: Provides a set of tools and resources that you can use to manage and monitor the power consumption of client computers in the enterprise.
  More information: Introduction to Power Management in Configuration Manager

Management capability: Queries
  Description: Provides a tool to retrieve information about resources in your hierarchy and information about inventory data and status messages. You can then use this information for reporting purposes or for defining collections of devices or users for software deployment and configuration settings.
  More information: Introduction to Queries in Configuration Manager

Management capability: Remote control
  Description: Provides tools to remotely administer client computers from the Configuration Manager console.
  More information: Introduction to Remote Control in Configuration Manager

Management capability: Reporting
  Description: Provides a set of tools and resources that help you use the advanced reporting capabilities of SQL Server Reporting Services from the Configuration Manager console.
  More information: Introduction to Reporting in Configuration Manager

Management capability: Software metering
  Description: Provides tools to monitor and collect software usage data from Configuration Manager clients.
  More information: Introduction to Software Metering in Configuration Manager

Management capability: Software updates
  Description: Provides a set of tools and resources that can help you to manage, deploy, and monitor software updates in the enterprise.
  More information: Introduction to Software Updates in Configuration Manager

For more information about how to plan and install Configuration Manager to support these management capabilities in your environment, see Introduction to Site Administration in Configuration Manager.

The Configuration Manager Console

After you install Configuration Manager, use the Configuration Manager console to configure sites and clients, and to run and monitor management tasks. This console is the main point of administration and can manage multiple sites. It can also run secondary consoles to support specific client management tasks, such as the following:
• Resource Explorer, to view hardware and software inventory information.
• Remote control, to remotely connect to a client computer to perform troubleshooting tasks.
• Out of band management, to connect to the AMT management controller on Intel AMT-based computers and perform power management operations or troubleshooting tasks.

You can install the Configuration Manager console on additional server computers and workstations, and restrict access and limit what administrative users can see in the console by using Configuration Manager role-based administration. For more information, see the Install a Configuration Manager Console section in the Install Sites and Create a Hierarchy for Configuration Manager topic.
The Application Catalog and Software Center

The Configuration Manager Application Catalog is a website where users can browse for and request software. To use the Application Catalog, you must install the Application Catalog web service point and the Application Catalog website point for the site.

Software Center is an application that is installed when the Configuration Manager client is installed on computers. Users run this application from the Start menu to request software and manage the software that is deployed to them by using Configuration Manager. Software Center lets users do the following:
• Browse for and install software from the Application Catalog.
• View their software request history.
• Configure when Configuration Manager can install software on their devices.
• Configure access settings for remote control, if an administrative user enabled remote control.

For more information about the Application Catalog and Software Center, see the Deploying Applications in Configuration Manager section in the Introduction to Application Management in Configuration Manager topic.

Configuration Manager Properties (Client)

When the Configuration Manager client is installed on computers, Configuration Manager is installed in Control Panel. Typically, you do not have to configure this application because the client configuration is performed in the Configuration Manager console. This application helps administrative users and the help desk troubleshoot problems with individual clients.
For more information about client deployment, see Introduction to Client Deployment in Configuration Manager.

Example Scenarios for Configuration Manager

The following example scenarios demonstrate how a company named Trey Research uses System Center 2012 Configuration Manager to empower users to be more productive, unify their compliance management for devices for a more streamlined administration experience, and simplify device management to reduce IT operating costs. In all scenarios, Adam is the main administrator for Configuration Manager.

Example Scenario: Empower Users by Ensuring Access to Applications from Any Device

Trey Research wants to ensure that employees have access to the applications that they require, as efficiently as possible. Adam maps these company requirements to the following scenarios:

Requirement: New employees can work efficiently from day one.
  Current client management state: When employees join the company, they must wait for applications to be installed after they first log on.
  Future client management state: When employees join the company, they log on and their applications are installed and ready to be used.

Requirement: Employees can quickly and easily request additional software that they need.
  Current client management state: When employees require additional applications, they file a ticket with the help desk, and then typically wait two days for the ticket to be processed and the applications to be installed.
  Future client management state: When employees require additional applications, they can request them from a website, and the applications install immediately if there are no licensing restrictions. If there are licensing restrictions, they must first ask for approval before they can install the application. The website shows users only the applications that they are allowed to install.

Requirement: Employees can use their mobile devices at work if the devices conform to security policies that are monitored and enforced. These policies include the following:
  • Strong password
  • Lock after period of inactivity
  • Lost or stolen mobile devices are remotely wiped
  Current client management state: Employees connect their mobile devices to Exchange Server for email, but there is limited reporting to confirm that they are in compliance with the security policies in the default Exchange ActiveSync mailbox policies. The personal use of mobile devices is at risk of being prohibited unless IT can confirm adherence to policy.
  Future client management state: The IT organization can report mobile device security compliance with the required settings. This confirmation allows users to continue to use their mobile device at work. Users can remotely wipe their mobile device if it is lost or stolen, and the help desk can wipe any user's mobile device that is reported as lost or stolen. Provide mobile device enrollment within a PKI environment for additional security and control.

Requirement: Employees can be productive even if they are not at their desk.
  Current client management state: When employees are not at their desk and do not have laptops, they cannot access their applications by using the kiosk computers that are available throughout the company.
  Future client management state: Employees can use kiosk computers to access their applications and data.

Requirement: In most circumstances, business continuity takes precedence over installing required applications and software updates.
  Current client management state: Applications and software updates that are required install during the day and often disrupt users from working because their computers slow down or restart during the installation.
  Future client management state: Users can configure their working hours to prevent required software from installing while they are using their computer.

To meet the requirements, Adam uses these Configuration Manager management capabilities and configuration options:
• Application management
• Mobile device management

He implements these by using the configuration steps in the following table.

Configuration steps: Adam ensures that the new users have user accounts in Active Directory and creates a new query-based collection in Configuration Manager for these users. He then defines user device affinity for these users by creating a file that maps the user accounts to the primary computers that they will use, and imports this file into Configuration Manager. The applications that the new users require are already created in Configuration Manager, so he then deploys these applications with the purpose of Required to the collection that contains the new users.
  Outcome: Because of the user device affinity information, the applications install to each user's primary computer or computers before the user logs on. The applications are ready to use as soon as the user successfully logs on.

Configuration steps: Adam installs and configures the Application Catalog site system roles so that users can browse for applications to install. He creates application deployments with the purpose of Available, and deploys these applications to the collection that contains the new users. For the applications that have a restricted number of licenses, Adam configures these applications to require approval.
  Outcome: By configuring applications as available to these users and by using the Application Catalog, users can now browse the applications that they are allowed to install and either install them immediately, or request approval and return to the Application Catalog to install them after the help desk has approved their request.

Configuration steps: Adam creates an Exchange Server connector in Configuration Manager to manage the mobile devices that connect to the company's on-premises Exchange Server. He configures the connector with security settings that include the requirement for a strong password and to lock the mobile device after a period of inactivity. Adam identifies that some mobile devices can be enrolled by Configuration Manager for full management support, which includes installing applications and extensive settings management. For these mobile devices, he configures a certificate template for the issuing enterprise certification authority (CA). Adam then configures enrollment for mobile devices in Configuration Manager and sends an email to the users who own these mobile devices, asking them to click a link to start the enrollment process. After the mobile devices are enrolled by Configuration Manager, Adam uses compliance settings to configure security settings for these mobile devices. These settings include the requirement to configure a strong password and to lock the mobile device after a period of inactivity.
  Outcome: With these two mobile device management solutions, the IT organization can now provide reporting information about the mobile devices that are in use on the company network and their compliance with the configured security settings. Users are shown how to remotely wipe their mobile device by using the Application Catalog if their mobile device is lost or stolen. The help desk is also instructed how to remotely wipe a mobile device for users by using the Configuration Manager console. In addition, for the mobile devices that are enrolled by Configuration Manager, Adam can now deploy mobile applications to them, collect more inventory data from them, and have greater management control over these devices by being able to access more settings.

Configuration steps: Trey Research has a number of kiosk computers that are used by employees who visit the office. The employees want their applications to be available to them wherever they log on.
However, Adam does not want to locally install all the applications on each computer. To accomplish this, Adam creates the required applications with two deployment types:  A full, local install of the application with a requirement that it can only be installed on a user’s primary device.  A virtual version of the application with the requirement that it must not be installed on the users primary device. When visiting employees log on to a kiosk computer, they see the applications that they require as icons on the desktop. When they run the application, it is streamed as a virtual application and they can be as productive as if they are sitting at their desktop.
  • 30. 30 Configuration steps Outcome Adam lets users know that they can configure their business hours in Software Center and select options to prevent software deployment activities during this time period and whenever the computer is in presentation mode. Because users can control when Configuration Manager deploys software to their computers, users remain more productive during their working day. These configuration steps and outcomes result in Trey Research successfully empowering their employees by ensuring access to applications from any device. Example Scenario: Unify Compliance Management for Devices Trey Research wants a unified client management solution that ensures that their computers run antivirus software that is automatically kept up-to-date, Windows Firewall is enabled, critical software updates are installed, that specific registry keys are set, and that managed mobile devices cannot install or run unsigned applications. The company also wants to extend this protection to the Internet for laptops that move from the intranet to the Internet. Adam maps these company requirements to the following scenarios: Requirement Current client management state Future client management state All computers run antimalware software that has up-to-date definition files and enables Windows Firewall. Different computers run different antimalware solutions that are not always kept up-to- date and although Windows Firewall is enabled by default, users sometimes disable it. Users are asked to contact the help desk if antimalware is detected on their computer. All computers run the same antimalware solution that automatically downloads the latest definition update files and automatically re-enables Windows Firewall if users disable it. The help desk is automatically notified by email if antimalware is detected. All computers install critical software updates within the first month of release. 
Although software updates are installed on computers, many computers do not automatically install critical software updates until two or three months after they are released, which leaves them vulnerable to attack during this time period. For the computers that do not install the critical software Improve the current compliance rate within the specified month to over 95% without sending emails or asking the help desk to manually install them.
  • 31. 31 Requirement Current client management state Future client management state updates, the help desk first sends out emails asking users to install them. For computers that remain noncompliant, engineers remotely connect to these computers and manually install the missing software updates. Security settings for specific applications are regularly checked and remediated if necessary. Computers run complex startup scripts that rely on computer group membership to reset registry values for specific applications. Because these scripts only run at startup and some computers are left on for days, the help desk cannot check for configuration drift on a timely basis. Registry values are checked and automatically remediated without relying on computer group membership or restarting the computer. Mobile devices cannot install or run unsafe applications. Users are asked to not download and run potentially unsafe applications from the Internet but there are no controls in place to monitor or enforce this. Mobile devices that are managed by Configuration Manager automatically prevent unsigned applications from installing or running. Laptops that move from the intranet to the Internet must be kept secure. For users who travel, they often cannot connect over the VPN on a daily basis and these laptops become out of compliance with security requirements. An Internet connection is all that is required for laptops to be kept in compliance with security requirements. Uses do not have to log in or use the VPN. To meet the requirements, Adam uses these Configuration Manager management capabilities and configuration options:  Endpoint Protection  Software updates  Compliance settings  Mobile device management
• Internet-based client management

He implements these by using the configuration steps in the following table.

Configuration steps: Adam configures Endpoint Protection and enables the client setting to uninstall other antimalware solutions and enables Windows Firewall. He configures automatic deployment rules so that computers check for and install the latest definition updates on a regular basis.
Outcome: The single antimalware solution helps to protect all computers with minimal administrative overhead. Because the help desk is automatically notified by email if malware is detected, problems can be resolved quickly, which helps to prevent attacks on other computers.

Configuration steps: To help increase compliance rates, Adam uses automatic deployment rules, defines maintenance windows for servers, and investigates the advantages and disadvantages of using Wake on LAN for computers that hibernate.
Outcome: Compliance for critical software updates increases and reduces the requirement for users or the help desk to install software updates manually.

Configuration steps: Adam uses compliance settings to check for the presence of the specified applications. When the applications are detected, configuration items then check the registry values and automatically remediate them if they are out of compliance.
Outcome: By using configuration items and configuration baselines that are deployed to all computers and that check for compliance every day, separate scripts that rely on computer group membership and computer restarts are no longer required.

Configuration steps: Adam uses compliance settings for enrolled mobile devices and configures the Exchange Server connector so that unsigned applications are prohibited from installing and running on mobile devices.
Outcome: By prohibiting unsigned applications, mobile devices are automatically protected from potentially harmful applications.

Configuration steps: Adam ensures that site system servers and computers have the PKI certificates that Configuration Manager requires for HTTPS connections, and then installs additional site system roles in the perimeter network that accept client connections from the Internet.
Outcome: Computers that move from the intranet to the Internet automatically continue to be managed by Configuration Manager when they have an Internet connection and do not rely on users logging on or connecting to the VPN. These computers continue to be managed for antimalware and Windows Firewall, software updates, and configuration items. As a result, compliance levels automatically increase.

These configuration steps and outcomes result in Trey Research successfully unifying their compliance management for devices.
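The registry check with automatic remediation that Adam configures through compliance settings is built from a discovery script and a remediation script inside a configuration item. The following PowerShell is an added example, not code from the documentation or from Microsoft: the registry key, value name and expected value are assumptions chosen for illustration, and the compliance rule is assumed to treat the string "Compliant" as the expected discovery output.

```powershell
# Added example (not from the Configuration Manager documentation): the two
# halves of a script-based setting in a configuration item that checks a
# registry value and corrects configuration drift. Key path, value name and
# expected value are assumptions; substitute the application's own setting.

$KeyPath   = 'HKLM:\SOFTWARE\Contoso\ExampleApp'   # assumed application key
$ValueName = 'AllowUnsignedPlugins'                # assumed value name
$Expected  = 0                                     # the secure setting (disabled)

# Discovery script: the client runs it on the evaluation schedule of the
# baseline (daily in Adam's scenario, no restart needed). Its only output is
# a single string that the compliance rule compares with "Compliant".
function Test-ExampleSetting {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and [int]$item.$ValueName -eq $Expected) {
        'Compliant'
    } else {
        'Non-Compliant'
    }
}

# Remediation script: runs only when the discovery result did not match the
# rule and remediation is enabled on the rule. It recreates a missing key
# and resets the value, so it also handles the case where an uninstall or a
# manual edit removed the key entirely.
function Repair-ExampleSetting {
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected `
        -PropertyType DWord -Force | Out-Null
}

# Stand-alone run: report the current state; remediate only when drift is found.
$state = Test-ExampleSetting
Write-Output "Discovery result: $state"
if ($state -ne 'Compliant') {
    Repair-ExampleSetting
    Write-Output "After remediation: $(Test-ExampleSetting)"
}
```

In the configuration item, the body of Test-ExampleSetting is pasted as the discovery script and the body of Repair-ExampleSetting as the remediation script; the compliance rule then checks that the discovery output equals "Compliant". Because evaluation follows the baseline schedule rather than a computer restart, the drift window that the startup scripts left open is closed, which is the outcome the scenario describes.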
Example Scenario: Simplify Client Management for Devices

Trey Research wants all new computers to automatically install their base computer image that runs Windows 7. After these computers are installed, they must be managed and monitored for additional software that users install. Computers that store highly confidential information require more restrictive management policies than the other computers. For example, help desk engineers must not connect to them remotely, BitLocker PIN entry must be used for restarts, and only local administrators can install software.

Adam maps these company requirements to the following scenarios:

Requirement: New computers are installed with Windows 7.
Current client management state: The help desk installs and configures Windows 7 for users and then sends the computer to the respective location.
Future client management state: New computers go straight to the final destination, are plugged into the network, and automatically install and configure Windows 7.

Requirement: Computers must be managed and monitored, which includes hardware and software inventory to help determine licensing requirements.
Current client management state: The Configuration Manager client is deployed by using automatic client push, and the help desk investigates installation failures and clients that do not send inventory data when expected. Failures are often due to installation dependencies that are not met and WMI corruption on the client.
Future client management state: Client installation and inventory data that is collected from computers is more reliable and requires less intervention from the help desk. Reports show software usage for license information.

Requirement: Some computers must have more stringent management policies.
Current client management state: Because of the more stringent management policies, these computers are not currently managed by Configuration Manager.
Future client management state: Manage these computers by using Configuration Manager without additional administrative overhead to accommodate the exceptions.

To meet the requirements, Adam uses these Configuration Manager management capabilities and configuration options:
• Operating system deployment
• Client deployment and client status
• Compliance settings
• Client settings
• Inventory and Asset Intelligence
• Role-based administration

He implements these by using the configuration steps in the following table.

Configuration steps: Adam captures an operating system image from a computer that has Windows 7 installed and that is configured to the company specifications. He then deploys the operating system to the new computers by using unknown computer support and PXE. He also installs the Configuration Manager client as part of the operating system deployment.
Outcome: New computers are up and running more quickly without intervention from the help desk.

Configuration steps: Adam configures automatic site-wide client push installation to install the Configuration Manager client on any computers that are discovered. This ensures that any computers that were not imaged with the client still install the client so that the computer is managed by Configuration Manager. Adam configures client status to automatically remediate any client issues that are discovered. Adam also configures client settings that enable the collection of the inventory data that is required, and configures Asset Intelligence.
Outcome: Installing the client with the operating system is quicker and more reliable than waiting for Configuration Manager to discover the computer and then attempt to install the client source files on the computer. However, leaving the automatic client push option enabled provides a backup mechanism to install the client for any computers that connect to the network with an operating system already installed. Client settings ensure that clients send their inventory information to the site on a regular basis, and the client status tests help to keep the client running with minimal intervention from the help desk. For example, WMI corruptions are detected and automatically remediated. The Asset Intelligence reports help to monitor software usage and licenses.

Configuration steps: Adam creates a collection for the computers that must have more stringent policy settings and then creates a custom client device setting for this collection that disables remote control, enables BitLocker PIN entry, and allows only local administrators to install software. Adam configures role-based administration so that help desk engineers do not see this collection of computers, to help ensure that they are not accidentally managed as standard computers.
Outcome: These computers are now managed by Configuration Manager but with specific settings that do not require a new site. The collection for these computers is not visible to the help desk engineers, to help reduce the possibility that they are accidentally sent deployments and scripts for standard computers.

These configuration steps and outcomes result in Trey Research successfully simplifying client management for devices.

Next Steps

Before you install Configuration Manager, familiarize yourself with some basic concepts and terms that are specific to Configuration Manager:
• If you are familiar with Configuration Manager 2007, see What's New in Configuration Manager, because there are some important changes in basic concepts and functionality from previous versions of the software.
• If you are new to System Center 2012 Configuration Manager, see Fundamentals of Configuration Manager.

When you are familiar with the basic concepts, use the System Center 2012 Configuration Manager documentation to help you successfully deploy and use Configuration Manager. For more information about the available documentation, see What's New in the Documentation for Configuration Manager.

See Also

Getting Started with System Center 2012 Configuration Manager

What's New in Configuration Manager

Use the following sections to review information about significant changes in System Center 2012 Configuration Manager since Configuration Manager 2007:
• Site Installation and the Configuration Manager Console
• Sites and Hierarchies
• Client Deployment and Operations
• Software Deployment and Content Management
• Monitoring and Reporting

In addition, the following features either have not changed or have minor changes:
• Wake on LAN
• Windows Embedded devices

Site Installation and the Configuration Manager Console

The following sections contain information about changes in Configuration Manager since Configuration Manager 2007 that relate to how you install System Center 2012 Configuration Manager and changes to the Configuration Manager console.
Site Installation

The following options in Setup for site installation are new or have changed since Configuration Manager 2007.

• Central Administration Site. The top-level Configuration Manager 2007 site in a multi-primary site hierarchy was known as a central site. In System Center 2012 Configuration Manager the central site is replaced by the central administration site. The central administration site is not a primary site at the top of the hierarchy, but rather a site that is used for reporting and to facilitate communication between primary sites in the hierarchy. A central administration site supports a limited selection of site system roles and does not directly support clients or process client data.

• Installation of Site System Roles. The following site system roles can be installed and configured during Setup:
  • Management point
  • Distribution point
  The site system roles are installed locally on the site server. After installation, you can add a distribution point on another server. The management point for the secondary site is a supported role only on the site server.

• No Secondary Site Installation Option. Secondary sites can only be installed from the System Center 2012 Configuration Manager console. For more information about installing a secondary site, see the Install a Secondary Site section in the topic.

• Optional Configuration Manager Console Installation. You can choose to install the Configuration Manager console during Setup or install the console after Setup by using the Configuration Manager console Windows Installer package (consolesetup.exe).

• Server and client language selections. You are no longer required to install your site servers by using source files for a specific language or to install International Client Packs when you want to support different languages on the client. From Setup, you can choose the server and client languages that are supported in your Configuration Manager hierarchy. Configuration Manager uses the display language of the server or client computer when you have configured support for the language. English is the default language used when Configuration Manager does not support the display language of the server or client computer. You cannot select specific languages for mobile device clients. Instead, you must enable all available client languages or use English only.

• Unattended installation script is automatically created. Setup automatically creates the unattended installation script when you confirm the settings on the Summary page of the wizard. The unattended installation script contains the settings that you choose in the wizard. You can modify the script to install other sites in your hierarchy. Setup creates the script in %TEMP%\ConfigMgrAutoSave.ini.

• Database Replication. When you have more than one System Center 2012 Configuration Manager site in your hierarchy, Configuration Manager uses database replication to transfer data and merge changes made to a site's database with the information stored in the database at other sites in the hierarchy. This enables all sites to share the same information. When you have a primary site without any other sites, database replication is not used. Database replication is enabled when you install a primary site that reports to a central administration site or when you connect a secondary site to a primary site.

• Setup Downloader. Setup Downloader (SetupDL.exe) is a stand-alone application that downloads the files required by Setup. You can run Setup Downloader yourself, or Setup can run it during site installation. You can see the progress of files being downloaded and verified, and only the required files are downloaded (missing files and files that have been updated). For more information about Setup Downloader, see the Setup Downloader section in this topic.

• Prerequisite Checker. The Prerequisite Checker (prereqchk.exe) is a stand-alone application that verifies server readiness for a specific site system role. In addition to the site server, site database server, and provider computer, the Prerequisite Checker now checks management point and distribution point site systems. You can run Prerequisite Checker manually, or Setup runs it automatically as part of site installation. For more information about the Prerequisite Checker, see the Prerequisite Checker section in this topic.

• The Configuration Manager 2007 log viewer tool, Trace32, is now replaced with CMTrace.

For more information, see the Install Sites and Create a Hierarchy for Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.

The Configuration Manager Console

There is a new console for System Center 2012 Configuration Manager, which provides the following benefits:
• Logical grouping of operations into the following workspaces: Assets and Compliance, Software Library, Monitoring, and Administration. To change the default order of the workspaces and which ones are displayed, click the down arrow on the navigation pane above the status bar, and then select one of the options: Show More Buttons, Show Fewer Buttons, or Navigation Pane Options.
• A ribbon to help you use the console more efficiently.
• An administrative user sees only the objects that she is allowed to see, as defined by role-based administration.
• Search capabilities throughout the console, to help you find your data more quickly.
• Browse and verify capability for many accounts that you configure in the console, which helps to eliminate misconfiguration and can be useful for troubleshooting scenarios. For example, this design applies to the Client Push Installation Account and the Network Access Account.
• Use of temporary nodes in the navigation pane that are automatically created and selected as a result of actions that you take and that are not displayed after you close the console. Examples of temporary nodes include the following:
  • In the Assets and Compliance workspace, click the Device Collections node, and then select the All Systems collection. In the Collection group, click Show Members, and the temporary node named All Systems is created and automatically selected in the navigation pane.
  • In the Monitoring workspace, click Client Status, and in the Statistics section, browse to the All Systems collection, and then click Active clients that passed client check or no results. The temporary node named Active clients that passed client check or no results from "All Systems" is created and automatically selected in the Assets and Compliance workspace.

Sites and Hierarchies

The following sections contain information about changes from Configuration Manager 2007 that relate to sites and hierarchies in System Center 2012 Configuration Manager.

The Active Directory schema extensions for System Center 2012 Configuration Manager are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not need to extend the schema again for System Center 2012 Configuration Manager.

Site Types

System Center 2012 Configuration Manager introduces the central administration site and some changes to primary and secondary sites. The following table summarizes these sites and how they compare to sites in Configuration Manager 2007.

Site: Central administration site
Purpose: The central administration site coordinates intersite data replication across the hierarchy by using Configuration Manager database replication. It also enables the administration of hierarchy-wide configurations for client agents, discovery, and other operations. Use this site for all administration and reporting for the hierarchy.
Change from Configuration Manager 2007: Although this is the site at the top of the hierarchy in System Center 2012 Configuration Manager, it has the following differences from a central site in Configuration Manager 2007:
• Does not process data submitted by clients, except for the Heartbeat Discovery discovery data record.
• Does not accept client assignments.
• Does not support all site system roles.
• Participates in database replication.

Site: Primary site
Purpose: Manages clients in well-connected networks.
Change from Configuration Manager 2007: Primary sites in System Center 2012 Configuration Manager have the following differences from primary sites in Configuration Manager 2007:
• Additional primary sites allow the hierarchy to support more clients.
• Cannot be tiered below other primary sites.
• No longer used as a boundary for client agent settings or security.
• Participates in database replication.

Site: Secondary site
Purpose: Controls content distribution for clients in remote locations across links that have limited network bandwidth.
Change from Configuration Manager 2007: Secondary sites in System Center 2012 Configuration Manager have the following differences from secondary sites in Configuration Manager 2007:
• SQL Server is required, and SQL Server Express will be installed during site installation if required.
• A management point and distribution point are automatically deployed during the site installation.
• Secondary sites can send content distribution to other secondary sites.
• Participates in database replication.

For more information, see the Planning for Sites and Hierarchies in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.

Site Communication

The following items are new or have changed for site communication since Configuration Manager 2007:
• Site-to-site communication now uses database replication in addition to file-based replication for many site-to-site data transfers, including configurations and settings.
• The Configuration Manager 2007 concept of mixed-mode or native-mode sites to define how clients communicate with site systems in the site has been replaced by site system roles that can independently support HTTP or HTTPS client communications.
• To help support client computers in other forests, Configuration Manager can discover computers in these forests and publish site information to these forests.
• The server locator point is no longer used, and the functionality of this site system role is moved to the management point. Although the Active Directory schema extensions still include the server locator point, this object is not used by Microsoft System Center 2012 Configuration Manager.
• Internet-based client management now supports the following:
  • User policies when the Internet-based management point can authenticate the user by using Windows authentication (Kerberos or NTLM).
  • Simple task sequences, such as scripts. Operating system deployment on the Internet remains unsupported.
• Internet-based clients on the Internet first try to download any required software updates from Microsoft Update, rather than from an Internet-based distribution point in their assigned site. Only if this fails will they then try to download the required software updates from an Internet-based distribution point.

For more information, see the Planning for Communications in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.
Site Modes Sites are no longer configured for mixed mode or native mode. Instead, you secure client communication endpoints by configuring individual site system roles to support client connections over HTTPS or HTTP. Site system roles in the same site can have different settings, for example, some management points are configured for HTTPS and some are configured for HTTP. Most client connections over HTTPS use mutual authentication so you must make sure that clients have a PKI certificate that has client authentication capability to support this configuration. Mobile devices and client connections over the Internet must use HTTPS. For sites that use HTTPS client connections, you do not have to specify a PKI certificate for document signing (the site server signing certificate in Configuration Manager 2007) because System Center 2012 Configuration Manager automatically creates this certificate (self-signed). However, most of the PKI certificate requirements from Configuration Manager 2007 remain the Note
  • 41. 41 same when you configure site system roles to use HTTPS client communication, except that many certificates now support SHA-2 in addition to SHA-1. For more information about the certificates, see Security: Certificates and Cryptographic Controls in this topic. Language Pack Support The following items are new or have changed for language support since Configuration Manager 2007:  You no longer install site servers by using source files designed for a specific language. Additionally, you no longer install International Client Packs to support different languages on the client. Instead, you can choose to install only the server and client languages that you want to support.  Available client and server language packs are included with the Configuration Manager installation media in the LanguagePack folder, and updates are available by download with the prerequisite files.  You can add client and server language packs to a site when you install the site, and can modify the language packs in use after the site installs.  You can install multiple languages at each site, and only need to install those you use:  Each site supports multiple languages for use with Configuration Manager consoles.  At each site you can install individual client language packs, adding support for only the client languages you want to support.  When you install support for a language that matches the display language of a computer, Configuration Manager consoles and the client user interface that run on that computer display information in that language.  When you install support for a language that matches the language preference that is in use by the web browser of a computer, connections to web-based information including the Application Catalog or SQL Server Reporting Services reports display in that language. Site System Roles The following site systems roles are removed:  The reporting point. All reports are generated by the reporting services point. 
- The PXE service point. This functionality is moved to the distribution point.
- The server locator point. This functionality is moved to the management point.
- The branch distribution point. Distribution points can be installed on servers or workstations that are in an Active Directory domain. The functionality of the branch distribution point is now a BranchCache setting for an application deployment type and the package deployment.

In addition, network load balanced (NLB) management points are no longer supported and this configuration is removed from the management point component properties. Instead, this functionality is automatically provided when you install more than one management point in the site.

The following site system roles are new:

- The Application Catalog website point and the Application Catalog web services point. These site system roles require IIS and support the new client application, Software Center.
- The enrollment proxy point, which manages enrollment requests from mobile devices, and the enrollment point, which completes mobile device enrollment and provisions AMT-based computers. These site system roles require IIS.

There is no longer a default management point at primary sites. Instead, you can install multiple management points and the client will automatically select one, based on network location and capability (HTTPS or HTTP). This behavior supports a higher number of clients in a single site and provides redundancy, which was previously obtained by using a network load balancing (NLB) cluster. When the site contains some management points that support HTTPS client connections and some management points that support HTTP client connections, the client will connect to a management point that is configured for HTTPS when the client has a valid PKI certificate.

You can also have more than one Internet-based management point in a primary site, although you can specify only one when you configure clients for Internet-based client management. When Internet-based clients communicate with the specified Internet-based management point, they will be given a list of all the Internet-based management points in the site and then select one.

At a secondary site, the management point is no longer referred to as a proxy management point, and it must be co-located on the secondary site server.

Boundaries and Boundary Groups

The following items are new or have changed for boundaries since Configuration Manager 2007:

- Boundaries are no longer site specific; they are defined once for the hierarchy and are available at all sites in the hierarchy.
- Each boundary must be a member of a boundary group before a device on that boundary can identify an assigned site or a content server such as a distribution point.
- You no longer configure the network connection speed of each boundary. Instead, in a boundary group you specify the network connection speed for each site system server that is associated with the boundary group as a content location server.

For more information, see the Planning for Boundaries and Boundary Groups in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.

Fallback Site for Client Assignment

In Configuration Manager 2007, automatic site assignment would fail if the client was not in a specified boundary. New in System Center 2012 Configuration Manager, if you specify a fallback site (an optional setting for the hierarchy) and the client is not in a boundary group, automatic site assignment succeeds and the client is assigned to the specified fallback site.

For more information, see the How to Assign Clients to a Site in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide.

Discovery

The following items are new or have changed for Discovery since Configuration Manager 2007:

- Each data discovery record is processed and entered into the database one time only, at a primary site or central administration site, and then the data discovery record is deleted without additional processing.
- Discovery information entered into the database at one site is shared to each site in the hierarchy by using Configuration Manager database replication.
- Active Directory Forest Discovery is a new discovery method that can discover subnets and Active Directory sites, and can add them as boundaries for your hierarchy.
- Active Directory System Group Discovery has been removed.
- Active Directory Security Group Discovery is renamed to Active Directory Group Discovery and discovers the group memberships of resources.
- Active Directory System Discovery and Active Directory Group Discovery support options to filter out stale computer records from discovery.
- Active Directory System, User, and Group Discovery support Active Directory Delta Discovery. Delta Discovery is improved from Configuration Manager 2007 R3 and can now detect when computers or users are added to or removed from a group.

For more information, see the Planning for Discovery in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.

Client Agent Settings Is Now Client Settings

In Configuration Manager 2007, client agent settings are configured on a per-site basis and you cannot configure these settings for the whole hierarchy. In System Center 2012 Configuration Manager, client agent settings and other client settings are grouped into centrally configurable client settings objects that are applied at the hierarchy. To view and configure these, modify the default client settings. If you need additional flexibility for groups of users or computers, configure custom client settings and assign them to collections. For example, you can configure remote control to be available only on specified computers.

For more information, see the Planning for Client Settings in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.
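The boundary, boundary group and fallback site rules above determine which site a client is assigned to and which servers it can fetch content from. The following Python model is an added example, not Microsoft code: it shows a hierarchy-wide set of boundaries, boundary groups that may or may not be configured for site assignment, and the optional fallback site. Site codes, host names and addresses are constructed sample data.

```python
"""Model of automatic site assignment and content location in System Center 2012
Configuration Manager, as described above. Added example, not Microsoft code.

Rules modelled:
  - boundaries are defined once for the whole hierarchy, not per site;
  - a boundary yields an assigned site only through a boundary group that is
    configured for site assignment (a content-only group never assigns a site);
  - if no site-assignment group matches, the optional hierarchy fallback site
    is used; with no fallback site the assignment fails, as in Configuration
    Manager 2007;
  - content servers (with their connection speed) come from every boundary
    group whose boundaries cover the client's network location.
All names, site codes and addresses below are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Boundary:
    """One boundary: an IP subnet, an IP address range, or an Active Directory site."""
    kind: str    # "subnet", "range" or "adsite"
    value: str   # "10.1.0.0/16", "10.2.0.1-10.2.0.50" or "VPN-Site"

    def contains(self, ip: Optional[str], ad_site: Optional[str]) -> bool:
        if self.kind == "adsite":
            return ad_site is not None and ad_site.lower() == self.value.lower()
        if ip is None:
            return False
        addr = ip_address(ip)
        if self.kind == "subnet":
            return addr in ip_network(self.value, strict=False)
        if self.kind == "range":
            lo, hi = (ip_address(p.strip()) for p in self.value.split("-"))
            return lo <= addr <= hi
        raise ValueError(f"unknown boundary kind {self.kind!r}")


@dataclass
class BoundaryGroup:
    name: str
    boundaries: list
    assigned_site: Optional[str] = None            # set => group is used for site assignment
    content_servers: dict = field(default_factory=dict)  # server -> "Fast" or "Slow"


@dataclass
class Hierarchy:
    boundary_groups: list
    fallback_site: Optional[str] = None            # optional hierarchy setting

    def assign_site(self, ip=None, ad_site=None) -> Optional[str]:
        """Site code the client is assigned to, or None when assignment fails."""
        for group in self.boundary_groups:
            if group.assigned_site is None:
                continue                           # content-only group: cannot assign a site
            if any(b.contains(ip, ad_site) for b in group.boundaries):
                return group.assigned_site
        return self.fallback_site                  # None => failure, the 2007 behaviour

    def content_locations(self, ip=None, ad_site=None) -> dict:
        """Content servers (and their speed) for the client's network location."""
        found = {}
        for group in self.boundary_groups:
            if any(b.contains(ip, ad_site) for b in group.boundaries):
                found.update(group.content_servers)
        return found


# Constructed sample hierarchy (not real infrastructure).
HQ = Boundary("subnet", "10.1.0.0/16")
BRANCH = Boundary("range", "10.2.0.1-10.2.0.50")
VPN_SITE = Boundary("adsite", "VPN-Site")
LAB = Boundary("subnet", "10.9.0.0/24")   # defined, but a member of no boundary group

SAMPLE = Hierarchy(
    boundary_groups=[
        BoundaryGroup("HQ group", [HQ], assigned_site="PS1",
                      content_servers={"dp01.example.invalid": "Fast"}),
        BoundaryGroup("Branch group", [BRANCH, VPN_SITE], assigned_site="PS2",
                      content_servers={"dp02.example.invalid": "Slow"}),
        BoundaryGroup("HQ content only", [HQ],
                      content_servers={"dp03.example.invalid": "Fast"}),
    ],
    fallback_site="PS1",
)

if __name__ == "__main__":
    for loc in ({"ip": "10.1.5.5"}, {"ip": "10.2.0.25"}, {"ad_site": "vpn-site"}, {"ip": "10.9.0.7"}):
        print(loc, "->", SAMPLE.assign_site(**loc), SAMPLE.content_locations(**loc))
```

A client in the lab subnet is covered by a boundary that belongs to no group, so it is assigned to the fallback site and sees no content servers; with no fallback site configured, the same client would not be assigned at all.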
Security: Role-Based Administration

In Configuration Manager 2007, administrative access to site resources is controlled by using class and instance security settings that are verified by the SMS Provider computer to allow access to site information and configuration settings. System Center 2012 Configuration Manager introduces role-based administration to centrally define and manage hierarchy-wide security access settings for all sites and site settings. Instead of using individual class rights, role-based administration uses security roles to group typical administrative tasks that are assigned to multiple administrative users. Security scopes replace individual instance rights per object to group the permissions that are applied to site objects. The combination of security roles, security scopes, and collections allows you to segregate the administrative assignments that meet your organization's requirements, and this combination defines what an administrative user can view and manage in the Configuration Manager hierarchy.

Role-based administration provides the following benefits:

- Sites are no longer administrative boundaries.
- You create administrative users for the hierarchy and assign security to them one time only.
- You create content for the hierarchy and assign security to that content one time only.
- All security assignments are replicated and available throughout the hierarchy.
- There are built-in security roles to assign the typical administration tasks, and you can create your own custom security roles.
- Administrative users see only the objects that they have permissions to manage.
- You can audit administrative security actions.

The following table illustrates the differences between implementing security permissions in Configuration Manager 2007 and System Center 2012 Configuration Manager:

Scenario: Add new administrative user
  Configuration Manager 2007: Perform the following actions from each site in the hierarchy:
    1. Add the Configuration Manager user.
    2. Select the security classes.
    3. For each class selected, select instance permissions.
  System Center 2012 Configuration Manager: Perform the following actions one time only from any site in the hierarchy:
    1. Add the Configuration Manager administrative user.
    2. Select the security roles.
    3. Select the security scopes.
    4. Select the collections.

Scenario: Create and deploy software
  Configuration Manager 2007: Perform the following actions from each site in the hierarchy:
    1. Edit the package properties and select the security classes.
    2. Add each user or group to the instance and then select the instance rights.
    3. Deploy the software.
  System Center 2012 Configuration Manager: Perform the following actions one time only from any site in the hierarchy:
    1. Assign a security scope to the software deployment.
    2. Deploy the software.

To configure role-based administration, in the Administration workspace, click Security, and then view or edit the Administrative Users, Security Roles, and Security Scopes.

For more information, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.
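The access decision described above is the intersection of three things: a security role (which actions on which object types), the security scopes the user holds (which objects), and the collections the user is assigned (which devices and users). The following Python model is an added example, not Microsoft code; the role and scope names in it are constructed and are not the product's built-in roles.

```python
"""Model of role-based administration in System Center 2012 Configuration Manager.
Added example, not Microsoft code.

Modelled as described above:
  - a security role groups permissions, each a (object type, action) pair;
  - a security scope groups the objects that those permissions apply to;
  - collections assigned to the user bound the devices and users they manage;
    a collection limited (directly or indirectly) by an assigned collection is
    a subset of it and is therefore also in reach;
  - the console shows a user only the objects they hold at least Read on.
Role, scope, collection and application names below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import ClassVar, Optional


@dataclass(frozen=True)
class SecurityRole:
    name: str
    permissions: frozenset        # of (object_type, action) pairs


@dataclass(frozen=True)
class SecuredObject:
    """Any non-collection object, e.g. an application or a configuration baseline."""
    name: str
    object_type: str
    scopes: frozenset             # security scopes the object is assigned to


@dataclass
class Collection:
    object_type: ClassVar[str] = "Collection"
    name: str
    limiting: Optional["Collection"] = None   # every collection but the root has one

    def within(self, ancestor: "Collection") -> bool:
        """True if this collection is `ancestor` or is limited by it at any depth."""
        c = self
        while c is not None:
            if c is ancestor:
                return True
            c = c.limiting
        return False


@dataclass
class Assignment:
    """One row of an administrative user's configuration: role + scopes + collections."""
    role: SecurityRole
    scopes: frozenset
    collections: tuple


@dataclass
class AdminUser:
    name: str
    assignments: list = field(default_factory=list)

    def can(self, action: str, obj) -> bool:
        """Allowed only if some assignment grants the action AND covers the object."""
        for a in self.assignments:
            if (obj.object_type, action) not in a.role.permissions:
                continue                      # role does not grant this action
            if isinstance(obj, Collection):
                if any(obj.within(c) for c in a.collections):
                    return True               # collection reach comes from assigned collections
            elif obj.scopes & a.scopes:
                return True                   # object reach comes from security scopes
        return False

    def visible(self, objects) -> list:
        """Names the console would show this user, i.e. objects with Read permission."""
        return sorted(o.name for o in objects if self.can("Read", o))


# Constructed sample data (role names are NOT the product's built-in roles).
APP_DEPLOYER = SecurityRole("Sample application deployer", frozenset({
    ("Application", "Read"), ("Application", "Modify"), ("Application", "Deploy"),
    ("Collection", "Read"), ("Collection", "Deploy"),
}))
OFFICE_APP = SecuredObject("Office suite", "Application", frozenset({"Default"}))
HR_APP = SecuredObject("HR payroll app", "Application", frozenset({"Europe"}))
ALL_SYSTEMS = Collection("All Systems")
EUROPE = Collection("Europe devices", limiting=ALL_SYSTEMS)
PARIS = Collection("Paris laptops", limiting=EUROPE)

ALICE = AdminUser("alice", [Assignment(APP_DEPLOYER, frozenset({"Default"}), (EUROPE,))])

if __name__ == "__main__":
    print(ALICE.visible([OFFICE_APP, HR_APP, ALL_SYSTEMS, EUROPE, PARIS]))
```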
Security: Certificates and Cryptographic Controls

The following items are new or have changed for certificates and cryptographic controls since Configuration Manager 2007:

- For most Configuration Manager communications that require certificates for authentication, signing, or encryption, Configuration Manager automatically uses PKI certificates if they are available. If they are not available, Configuration Manager generates self-signed certificates.
- The primary hashing algorithm that Configuration Manager uses for signing is SHA-256. When two Configuration Manager sites communicate with each other, they sign their communications by using SHA-256, and you can require that all clients use SHA-256.
- Configuration Manager uses two new types of certificates for site systems: a site system server certificate for authentication to other site systems in the same Configuration Manager site, and a site system role certificate.
- Configuration Manager also uses a client authentication certificate to send status messages from the distribution point to the management point.
- The site server signing certificate is now self-signed; you cannot use a PKI certificate to sign client policies.
- You can use a client PKI certificate for authentication to a site system that accepts HTTP client connections.
- The new certificate issuers list for a site acts like a certificate trust list (CTL) in IIS. It is used by site systems and clients to help ensure that the correct client PKI certificate is used for PKI communication in Configuration Manager. For more information, see the Planning for the PKI Trusted Root Certificates and the Certificate Issuers List section in the Planning for Security in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.

For more information about the certificates and the cryptographic controls, see Technical Reference for Cryptographic Controls Used in Configuration Manager in the Site Administration for System Center 2012 Configuration Manager guide. For more information about the PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager in the Site Administration for System Center 2012 Configuration Manager guide.

In addition, when you deploy operating systems and use PKI certificates, Configuration Manager now supports the following:

- The client authentication certificate supports the Subject Alternative Name (SAN) certificate field and a blank Subject. If you use Active Directory Certificate Services with an enterprise CA to deploy this certificate, you can use the Workstation certificate template to generate a certificate with a blank Subject and SAN value.
- Task sequences support the option to disable CRL checking on clients.

When you implement Internet-based client management, user policies are now supported for devices that are on the Internet when the management point can authenticate the user in Active Directory Domain Services. For example, the management point is in the intranet and accepts connections from Internet clients and intranet clients; or the management point is in a perimeter network that trusts the intranet forest where the user account resides. For more information about Internet-based client management, see the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.

Backup and Recovery

The following items are new or have changed for backup and recovery since Configuration Manager 2007.

Feature: Recovery integrated with System Center 2012 Configuration Manager Setup
Description: Configuration Manager 2007 used the Site Repair Wizard to recover sites. In System Center 2012 Configuration Manager, recovery is integrated in the Configuration Manager Setup Wizard.

Feature: Support for multiple recovery options
Description: You have the following options when running recovery in System Center 2012 Configuration Manager:
  Site Server
    - Recover the site server from a backup.
    - Reinstall the site server.
  Site Database
    - Recover the site database from a backup.
    - Create a new site database.
    - Use a site database that has been manually recovered.
    - Skip database recovery.

Feature: Recovery uses data replication to minimize data loss
Description: System Center 2012 Configuration Manager database replication uses SQL Server to transfer data and merge changes made to a site's database with the information stored in the database at other sites in the hierarchy. This enables all sites to share the same information. Recovery in System Center 2012 Configuration Manager leverages database replication to retrieve global data that was created by the failed site before it failed. This process minimizes data loss even when no backup is available.
Feature: Recovery using a Setup script
Description: You can initiate an unattended site recovery by configuring an unattended installation script and then using the Setup command /script option.

For more information, see the Planning for Backup and Recovery section in the Planning for Site Operations in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.

Manage Site Accounts Tool (MSAC)

The Manage Site Accounts (MSAC) command-line tool that was provided with Configuration Manager 2007 is not provided with System Center 2012 Configuration Manager. Do not use MSAC from Configuration Manager 2007 with System Center 2012 Configuration Manager. Instead, configure and manage the accounts by using the Configuration Manager console.

Client Deployment and Operations

The following sections contain information about changes from Configuration Manager 2007 that relate to client deployment and client operations in System Center 2012 Configuration Manager.

Client Deployment

The following items are new or have changed for client deployment since Configuration Manager 2007:

- Clients are no longer configured for mixed mode or native mode, but instead use HTTPS with public key infrastructure (PKI) certificates or HTTP with self-signed certificates. Clients use HTTPS or HTTP according to the configuration of the site system roles that the clients connect to and whether they have a valid PKI certificate that includes client authentication capability. On the Configuration Manager client, in Properties, on the General tab, review the Client certificate value to determine the current client communication method. This value displays PKI certificate when the client communicates with a management point over HTTPS, and Self-signed when the client communicates with a management point over HTTP. Just as the client property value for the Connection type updates depending on the current network status of the client, so the Client certificate client property value updates depending on which management point the client communicates with.
- Because Microsoft System Center 2012 Configuration Manager does not use mixed mode and native mode, the client installation property /native: [<native mode option>] is no longer used. Instead, use /UsePKICert to use a PKI certificate that has client authentication capability, if it is available, but fall back to an HTTP connection if no certificate is available. If /UsePKICert is not specified, the client does not attempt to communicate by using a PKI certificate, but communicates by using HTTP only. Additionally, use the new command /NoCRLCheck if you do not want a client to check the certificate revocation list (CRL) before it establishes an HTTPS communication.
- The client.msi property SMSSIGNCERT is still used but requires the exported self-signed certificate of the site server. This certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate.
- When you reassign a client from a Microsoft System Center 2012 Configuration Manager hierarchy to another Microsoft System Center 2012 Configuration Manager hierarchy, the client will be able to automatically replace the trusted root key if the new site is published to Active Directory Domain Services and the client can access that information from a Global Catalog server. For this scenario in Configuration Manager 2007, you had to remove the trusted root key, manually replace the trusted root key, or uninstall and reinstall the client.
- The server locator point is no longer used for site assignment or to locate management points. This functionality is replaced by the management point. The CCMSetup Client.msi property SMSSLP remains supported, but only to specify the computer name of management points.
- You no longer have to specify CCMSetup Client.msi properties for the Internet-based management point (CCMHOSTNAME) and certificate selection (CCMCERTSEL) when clients can connect on the intranet. These values are automatically configured on clients when they connect to an intranet management point. These properties are still required if you install clients on the Internet.
- You no longer install International Client Packs when you want to support different languages on the client. Instead, select the client languages that you want during Setup. Then, during the client installation, Configuration Manager automatically installs support for those languages on the client, enabling the display of information in a language that matches the user's language preferences. If a matching language is not available, the client displays information in the default of English. For more information, see the Planning for Client Language Packs section in the Planning for Sites and Hierarchies in Configuration Manager topic.
- Decommissioned clients are no longer displayed in the Configuration Manager console, and they are automatically removed from the database by the Delete Aged Discovery Data task.
- The Client.msi property for CCMSetup, SMSDIRECTORYLOOKUP=WINSPROMISCUOUS, is no longer supported. This setting allowed the client to use WINS to find a management point without verifying the management point's self-signed certificate.
- To support the new 64-bit client, the location of the CCM folder for client-related files (such as the client cache and log files) has changed from %windir%\system32 to %windir%. If you reference the CCM folder in your own script files, update these references for the new folder location for Microsoft System Center 2012 Configuration Manager clients. Microsoft System Center 2012 Configuration Manager does not support the CCM folder on paths that support redirection (such as Program Files and %windir%\system32) on 64-bit operating systems.
- Automatic, site-wide client push now installs the Configuration Manager client on existing computer resources if the client is not installed, and not just on newly discovered computer resources.
- Client push installation initiates and tracks the installation of the client by using the Configuration Manager database and no longer creates individual .CCR files. When you enable client push installation for a site, all discovered resources that are assigned to the site and that do not have a client installed are immediately added to the database and client installation begins.
- Configuration Manager can automatically upgrade Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the latest System Center 2012 Configuration Manager version when they are below a version that you specify. For more information, see the How to Automatically Upgrade the Configuration Manager Client section in the topic How to Install Clients on Computers in Configuration Manager.

For more information, see the Introduction to Client Deployment in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide.

Client Assignment

The following items are new or have changed for client assignment since Configuration Manager 2007:

- For automatic site assignment to succeed with boundary information, the boundary must be configured in a boundary group that is configured for site assignment.
- In Configuration Manager 2007, automatic site assignment would fail if the client was not in a specified boundary. New in System Center 2012 Configuration Manager, if you specify a fallback site (an optional setting for the hierarchy) and the client's network location is not in a boundary group, automatic site assignment succeeds, and the client is assigned to the specified fallback site.
- Clients can now download site settings from the management point after they have been assigned to the site if they cannot locate these settings from Active Directory Domain Services.
- Although clients continue to download policy and upload client data to management points in their assigned site or in a secondary site that is a child site of their assigned site, all clients that are configured for intranet client management can now use any management point in the hierarchy for content location requests. There is no longer a requirement to extend the Active Directory schema to support this capability, and there is no longer a concept of regional and global roaming.

For more information, see the How to Assign Clients to a Site in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide.

Collections

The following items are new or have changed for collections since Configuration Manager 2007:

Feature: User Collections and Device Collections nodes
Description: You can no longer combine user resources and device resources in the same collection. The Configuration Manager console has two new nodes for user collections and device collections.

Feature: Sub collections
Description: Sub collections are no longer used in System Center 2012 Configuration Manager. In Configuration Manager 2007, sub collections had two main uses:
  - Organize collections in folders. In System Center 2012 Configuration Manager, you can now create a hierarchy of folders in which to store collections.
  - Sub collections were often used in Configuration Manager 2007 for phased software deployments to a larger collection of computers. In System Center 2012 Configuration Manager, you can use include rules to progressively increase the membership of a collection. For more information, see How to Manage Collections in Configuration Manager.

Feature: Include collection rules and exclude collection rules
Description: In System Center 2012 Configuration Manager, you can include or exclude the contents of another collection from a specified collection.

Feature: Incremental collection member evaluation
Description: Incremental collection member evaluation periodically scans for new or changed resources since the previous collection evaluation and updates a collection's membership with these resources, independently of a full collection evaluation. By default, when you enable incremental collection member updates, it runs every 10 minutes and helps to keep your collection data up-to-date without the overhead of a full collection evaluation.

Feature: Migration support
Description: Collections can be migrated from Configuration Manager 2007 collections. For more information, see Planning for Migration Jobs in System Center 2012 Configuration Manager.

Feature: Role-based administration security scopes
Description: You can use collections to limit access to Configuration Manager objects. For more information, see Planning for Security in Configuration Manager.

Feature: Collection resources
Description: In Configuration Manager 2007, collections contained only resources from the site where they were created and from child sites of that site. In System Center 2012 Configuration Manager, collections contain resources from all sites in the hierarchy.

Feature: Collection limiting
Description: In System Center 2012 Configuration Manager, all collections must be limited to the membership of another collection. When you create a collection, you must specify a limiting collection. A collection is always a subset of its limiting collection.

For more information, see the Introduction to Collections in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Queries

The following items are new or have changed for queries since Configuration Manager 2007:

- The option to export the results of a query is not available in this release. As a workaround, you can copy the query results to the Windows clipboard.

For more information about queries, see the Introduction to Queries in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Client Status Reporting Is Now Client Status

The following items are new or have changed for client status reporting (now client status) since Configuration Manager 2007:

- Client status and client activity information is integrated into the Configuration Manager console.
- Typical client problems that are detected are automatically remediated.
- The Ping tool from Configuration Manager 2007 R2 client status reporting is not used by System Center 2012 Configuration Manager.

For more information, see the Monitoring the Status of Client Computers in Configuration Manager section in the Introduction to Client Deployment in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide.
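The collection changes above (a mandatory limiting collection, include and exclude rules, and include rules replacing sub collections for phased deployments) interact: an include rule can never pull a resource past the limiting collection. The following Python model is an added example, not Microsoft code, and its resources and collection names are constructed sample data.

```python
"""Collection membership model for System Center 2012 Configuration Manager.
Added example, not Microsoft code.

Rules modelled from the description above:
  - every collection is limited to another collection and is always a subset of it;
  - membership comes from a query rule and/or direct membership rules;
  - include rules add, and exclude rules remove, another collection's members;
  - a phased deployment grows a collection by adding include rules over time.
Resource and collection names are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Resource:
    name: str
    os: str
    site: str


@dataclass
class Collection:
    name: str
    limiting: Optional["Collection"] = None         # None only for the root collection
    query: Callable[[Resource], bool] = lambda r: False   # query membership rule
    direct: set = field(default_factory=set)         # direct membership rules (names)
    include: list = field(default_factory=list)      # include collection rules
    exclude: list = field(default_factory=list)      # exclude collection rules


def evaluate(col: Collection, all_resources: list) -> set:
    """Full collection evaluation: the set of resource names that are members."""
    if col.limiting is None:
        bound = {r.name for r in all_resources}
    else:
        bound = evaluate(col.limiting, all_resources)   # can never exceed the limiting collection
    members = {r.name for r in all_resources if col.query(r)} | col.direct
    for inc in col.include:
        members |= evaluate(inc, all_resources)
    for exc in col.exclude:
        members -= evaluate(exc, all_resources)
    return members & bound                               # clamp to the limiting collection


def build_sample():
    """Constructed hierarchy: a root, a workstation collection, a per-site collection, a pilot."""
    resources = [
        Resource("PC-01", "Windows 7", "PS1"),
        Resource("PC-02", "Windows 7", "PS2"),
        Resource("SRV-01", "Windows Server 2008 R2", "PS1"),
        Resource("SRV-02", "Windows Server 2008 R2", "PS2"),
    ]
    all_systems = Collection("All Systems", query=lambda r: True)
    workstations = Collection("All Workstations", all_systems,
                              query=lambda r: r.os.startswith("Windows 7"))
    site_ps1 = Collection("Site PS1", all_systems, query=lambda r: r.site == "PS1")
    pilot = Collection("Pilot", workstations, direct={"PC-01"})
    return resources, workstations, site_ps1, pilot


def phased_rollout() -> list:
    """Grow a deployment collection with include rules instead of sub collections."""
    resources, workstations, site_ps1, pilot = build_sample()
    rollout = Collection("Office rollout", workstations, include=[pilot])
    phases = [evaluate(rollout, resources)]        # phase 1: pilot machines only
    rollout.include.append(site_ps1)               # phase 2: everything at site PS1 ...
    phases.append(evaluate(rollout, resources))    # ... but SRV-01 is clamped off by the limit
    rollout.include.append(workstations)           # phase 3: all workstations
    phases.append(evaluate(rollout, resources))
    rollout.exclude.append(pilot)                  # finally, exclude the pilot machines
    phases.append(evaluate(rollout, resources))
    return phases


if __name__ == "__main__":
    for i, members in enumerate(phased_rollout(), 1):
        print(f"phase {i}: {sorted(members)}")
```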
Desired Configuration Management Is Now Compliance Settings

The following items are new or have changed for desired configuration management (now compliance settings) since Configuration Manager 2007:

- Configuration Manager 2007 desired configuration management is now called compliance settings in System Center 2012 Configuration Manager.
- Configuration Manager provides a new built-in security role named Compliance Settings Manager. Administrative users who are members of this role can manage and deploy configuration items and configuration baselines and view compliance results.
- An administrative user can create registry and file system settings by browsing to an existing file, folder, or registry setting on the local or a remote reference computer.
- It is now easier to create configuration baselines.
- You can reuse settings for multiple configuration items.
- You can remediate noncompliant settings for WMI, the registry, scripts, and all settings for the mobile devices that are enrolled by Configuration Manager.
- When you deploy a configuration baseline, you can specify a compliance threshold for the deployment. If the compliance is below the specified threshold after a specified date and time, System Center 2012 Configuration Manager generates an alert to notify the administrator.
- You can use the new monitoring features of System Center 2012 Configuration Manager to monitor compliance settings and to view the most common causes of noncompliance, errors, and the number of users and devices that are affected.
- You can deploy configuration baselines to users and devices.
- Configuration baseline deployments and evaluation support Configuration Manager maintenance windows.
- You can use compliance settings to manage the mobile devices that you enroll with Configuration Manager.
- Configuration item versioning lets you view and use previous versions of configuration items. You can restore or delete previous versions of configuration items and see the user names of administrative users who made changes.
- Configuration items can contain user and device settings. User settings are evaluated when the user is logged on. Examples of user settings include registry settings that are stored in HKEY_CURRENT_USER and user-based script settings that an administrative user configured.
- Improved reports contain rule details, remediation information, and troubleshooting information.
- You can now detect and report conflicting compliance rules.
- Unlike Configuration Manager 2007, System Center 2012 Configuration Manager does not support uninterpreted configuration items. An uninterpreted configuration item is a configuration item that is imported into compliance settings, but the Configuration Manager console cannot interpret it. Consequently, you cannot view or edit the configuration item properties in the console. Before you import Configuration Packs or configuration baselines to System Center 2012 Configuration Manager, you must remove uninterpreted configuration items in Configuration Manager 2007.
- You can migrate configuration items and configuration baselines from Configuration Manager 2007 to System Center 2012 Configuration Manager. During migration, configuration data is automatically converted into the new format.
- Settings groups from Configuration Manager 2007 are no longer supported in System Center 2012 Configuration Manager.
- Regular expressions for settings are not supported in System Center 2012 Configuration Manager.
- Using wildcards for registry settings is not supported in System Center 2012 Configuration Manager. If you migrate configuration data from Configuration Manager 2007, you must remove wildcards from registry settings before you migrate; otherwise, the data will be invalid in the System Center 2012 Configuration Manager configuration item.
- The string operators Matches and Do not Match are not supported in System Center 2012 Configuration Manager.
- You can no longer create configuration items of the type General from the Configuration Manager console. You can now create only application configuration items and operating system configuration items. However, if you create a configuration item for a mobile device, this is created as a general configuration item.

For more information, see the Introduction to Compliance Settings in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Out of Band Management

The following have changed for out of band management since Configuration Manager 2007:

- System Center 2012 Configuration Manager no longer supports provisioning out of band, which could be used in Configuration Manager 2007 when the Configuration Manager client was not installed or the computer did not have an operating system installed. To provision computers for AMT in System Center 2012 Configuration Manager, they must belong to an Active Directory domain, have the System Center 2012 Configuration Manager client installed, and be assigned to a System Center 2012 Configuration Manager primary site.
- To provision computers for AMT, you must install the new site system role, the enrollment point, in addition to the out of band service point. You must install both these site system roles on the same primary site.
 There is a new account, the AMT Provisioning Removal Account, which you specify on the Out of Band Management Component Properties: Provisioning tab. When you specify this account and use the same Windows account that is specified as an AMT User Account, you can use this account to remove the AMT provisioning information, if you have to recover the site. You might also be able to use it when the client was reassigned and the AMT provisioning information was not removed on the old site.  Configuration Manager no longer generates a status message to warn you that the AMT provisioning certificate is about to expire. You must check the remaining validity period yourself and ensure that you renew this certificate before it expires.  AMT discovery no longer uses port TCP 16992; only port TCP 16993 is used.  Port TCP 9971 is no longer used to connect the AMT management controller to the out of band service point to provision computers for AMT.  The out of band service point uses HTTPS (by default, port TCP 443) to connect to the enrollment point.  The WS-MAN translator is no longer supported.  The maintenance task Reset AMT Computer Passwords has been removed.
- You no longer select individual permissions for each AMT User Account. Instead, all AMT User Accounts are automatically configured for the PT Administration (Configuration Manager 2007 SP1) or Platform Administration (Configuration Manager 2007 SP2) right, which grants permissions to all AMT features.
- You must specify a universal security group in the Out Of Band Management Component Properties to contain the AMT computer accounts that Configuration Manager creates during the AMT provisioning process.
- The site server computer no longer requires Full Control to the organizational unit (OU) that is used during AMT provisioning. Instead, grant it the Read Members and Write Members (this object only) permissions.
- The enrollment point rather than the primary site server computer now requires the Issue and Manage Certificates permission on the issuing certification authority (CA). This permission is required to revoke AMT certificates. As in Configuration Manager 2007, this computer account requires DCOM permissions to communicate with the issuing CA. To configure this, ensure that for Windows Server 2008 the computer account of the enrollment point site system server is a member of the security group Certificate Service DCOM Access, or, for Windows Server 2003 SP1 and later, a member of the security group CERTSVC_DCOM_ACCESS in the domain where the issuing CA resides.
- The certificate templates for the AMT web server certificate and the AMT 802.1X client certificate no longer use Supply in the request, and the site server computer account no longer requires permissions to these certificate templates. Configure the templates as follows:
  - For the AMT web server certificate template: On the Subject tab, select Build from this Active Directory information, and then select Common name for the Subject name format. On the Security tab, grant Read and Enroll permissions to the universal security group that you specify in the Out Of Band Management Component Properties.
  - For the AMT 802.1X client certificate template: On the Subject tab, select Build from this Active Directory information, and then select Common name for the Subject name format. Clear the DNS name check box, and then select User principal name (UPN) as the alternate subject name. On the Security tab, grant Read and Enroll permissions to the universal security group that you specify in the Out Of Band Management Point Component Properties.
- The AMT provisioning certificate no longer requires that the private key can be exported.
- By default, the out of band service point checks the AMT provisioning certificate for certificate revocation. This occurs when the site system first runs and when the AMT provisioning certificate is changed. You can disable this option in the Out Of Band Service Point Properties.
- You can enable or disable CRL checking for the AMT web server certificate in the out of band management console. To change the setting, click the Tools menu, and then click Options. The new setting is used when you next connect to an AMT-based computer.
- When a certificate for an AMT-based computer is revoked, the revocation reason is now Cease of Operation instead of Superseded.
- AMT-based computers that are assigned to the same Configuration Manager site must have a unique computer name, even when they belong to different domains and therefore already have a unique FQDN.
- When you reassign an AMT-based computer from one Configuration Manager site to another, you must first remove the AMT provisioning information, reassign the client, and then provision the client again for AMT.
- The security rights View management controllers and Manage management controllers in Configuration Manager 2007 are now named Provision AMT and Control AMT, respectively. The Control AMT permission is automatically added to the Remote Tools Operator security role. If an administrative user is assigned to the Remote Tools Operator security role and you want this administrative user to provision AMT-based computers or control the AMT audit log, you must add the Provision AMT permission to this security role, or ensure that the administrative user belongs to another security role that includes this permission.

For more information, see the Introduction to Out of Band Management in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Remote Control

The following items are new or have changed for remote control since Configuration Manager 2007:

- Remote control now supports sending the CTRL+ALT+DEL command to computers.
- You can apply different remote control settings to collections of computers by using client settings.
- You can lock the keyboard and mouse of the computer that is being administered during a remote control session.
- The copy and paste functionality between the host computer and the computer that is being administered has been improved.
- If the remote control network connection is disconnected, the desktop of the computer that is being administered is locked.
- You can start the remote control viewer from the Windows Start menu.
- Remote control client settings can automatically configure the Windows Firewall on client computers to allow remote control to operate.
- Remote control supports connecting to computers with multiple monitors.
- A high visibility notification bar is visible on client computers to inform the user that a remote control session is active.
- By default, members of the local Administrators group are granted the Remote Control permission as a client setting.
- The account name of the administrative user who starts the remote control session is automatically displayed to users during the remote control session. This display helps users to verify who is connecting to their computer.
- If Kerberos authentication fails when you make a remote control connection to a computer, you are prompted to confirm that you want to continue before Configuration Manager falls back to using the less secure authentication method of NTLM.
- Only TCP port 2701 is required for remote control packets; ports TCP 2702 and TCP 135 are no longer used.
- Responsiveness for low-bandwidth connections supports the following improvements:
  - Elimination of mouse trails by using a single mouse cursor design.
  - Full support for Windows Aero.
  - Elimination of the mirror driver.

For more information, see the Introduction to Remote Control in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Hardware Inventory

The following items are new or have changed for hardware inventory since Configuration Manager 2007:

- In System Center 2012 Configuration Manager, you can enable custom hardware inventory, and add and import new inventory classes from the Configuration Manager console. The sms_def.mof file is no longer used to customize hardware inventory.
- You can extend the inventory schema by adding or importing new classes.
- Different hardware inventory settings can be applied to collections of devices by using client settings.

For more information, see the Introduction to Hardware Inventory in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Software Inventory

There are no significant changes for software inventory in Configuration Manager since Configuration Manager 2007. For more information about software inventory, see the Introduction to Software Inventory in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Asset Intelligence

The following items are new or have changed for Asset Intelligence since Configuration Manager 2007:

- In System Center 2012 Configuration Manager, you can enable Asset Intelligence hardware inventory classes without editing the sms_def.mof file.
- You can now download the Microsoft Volume Licensing Service (MVLS) license statement from the Microsoft Volume Licensing Service Center and import the license statement from the Configuration Manager console.
- There is a new maintenance task (Check Application Title with Inventory Information) that checks that the software title reported in software inventory is reconciled with the software title in the Asset Intelligence catalog.
- There is a new maintenance task (Summarize Installed Software Data) that provides the information displayed in the Inventoried Software node under the Asset Intelligence node in the Assets and Compliance workspace.
- The Client Access License reports have been deprecated.

For more information, see the Introduction to Asset Intelligence in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.
Software Metering

There are no significant changes for software metering in Configuration Manager since Configuration Manager 2007. For more information about software metering, see the Introduction to Software Metering in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Power Management

The following items are new or have changed for power management since Configuration Manager 2007:

- If an administrative user enables this option, users can exclude computers from power management.
- Virtual machines are excluded from power management.
- Administrative users can copy power management settings from another collection.
- A new Computers Excluded report is now available. It displays the computers that are excluded from power management.

For more information, see the Introduction to Power Management in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Mobile Devices

Enrollment for mobile devices in System Center 2012 Configuration Manager is now natively supported by using the two new enrollment site system roles (the enrollment point and the enrollment proxy point) and a Microsoft enterprise certification authority. For more information about how to configure enrollment for mobile devices by using System Center 2012 Configuration Manager, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager.

After the mobile devices are enrolled, you can manage their settings by creating mobile device configuration items and then deploying them in a configuration baseline. For more information, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager.
For more information, see the Deploying the Configuration Manager Client to Mobile Devices section in the Introduction to Client Deployment in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide.

Exchange Server Connector

New in System Center 2012 Configuration Manager, the Exchange Server connector allows you to find and manage devices that connect to Exchange Server (on-premise or hosted) by using the Exchange ActiveSync protocol. Use this mobile device management process when you cannot install the Configuration Manager client on the mobile device.

For more information about the different management capabilities when you manage mobile devices by using the Exchange Server connector and when you install a Configuration Manager client on mobile devices, see Determine How to Manage Mobile Devices in Configuration Manager. For more information about how to install and configure the Exchange Server connector, see the How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide.

Mobile Device Legacy Client

If you have mobile devices that you managed with Configuration Manager 2007 and you cannot enroll them by using System Center 2012 Configuration Manager, you can continue to use them with System Center 2012 Configuration Manager. The installation for this mobile device client remains the same. However, whereas Configuration Manager 2007 did not require PKI certificates, System Center 2012 Configuration Manager requires PKI certificates on the mobile device and on the management points and distribution points. Unlike other clients, mobile device legacy clients cannot automatically use multiple management points in a site.

File collection is no longer supported for these mobile device clients in System Center 2012 Configuration Manager, and unlike the mobile devices that you can enroll with Configuration Manager or manage by using the Exchange Server connector, you cannot manage settings for these mobile devices. In addition, the mobile device management inventory extension tool (DmInvExtension.exe) is no longer supported. This functionality is replaced with the Exchange Server connector.

For more information about the different mobile device management capabilities, see Determine How to Manage Mobile Devices in Configuration Manager. For more information, see the Deploying the Configuration Manager Client to Mobile Devices section in the Introduction to Client Deployment in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide.
Endpoint Protection

System Center 2012 Endpoint Protection is now integrated with System Center 2012 Configuration Manager. The following items are new or have changed for Endpoint Protection since Forefront Endpoint Protection 2010:

- Because Endpoint Protection is now fully integrated with Configuration Manager, you do not run a separate Setup program to install an Endpoint Protection server. Instead, select the Endpoint Protection point as one of the available Configuration Manager site system roles.
- You can install the Endpoint Protection client by using Configuration Manager client settings, or you can manage existing Endpoint Protection clients. You do not use a package and program to install the Endpoint Protection client.
- The Endpoint Protection Manager role-based administration security role provides an administrative user with the minimum permissions required to manage Endpoint Protection in the hierarchy.
- Endpoint Protection in Configuration Manager provides new reports that integrate with Configuration Manager reporting. For example, you can now identify the users who have computers that most frequently report security threats.
- You can use Configuration Manager software updates to automatically update definitions and the definition engine by using automatic deployment rules.
- You can configure multiple malware alert types to notify you when Endpoint Protection detects malware on computers. You can also configure subscriptions to notify you about these alerts by using email.
- The Endpoint Protection dashboard is integrated with the Configuration Manager console. You do not have to install the dashboard separately. To view the Endpoint Protection dashboard, click the System Center 2012 Endpoint Protection Status node in the Monitoring workspace.

For more information, see the Introduction to Endpoint Protection in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Software Deployment and Content Management

The following sections contain information about changes from Configuration Manager 2007 that relate to software updates, software distribution, operating system deployment, and task sequences in System Center 2012 Configuration Manager.

Software Updates

Although the general concepts for deploying software updates are the same in System Center 2012 Configuration Manager as they were in Configuration Manager 2007, new or updated functionality is available that improves the software update deployment process. This includes automatic approval and deployment for software updates, improved search with expanded criteria, enhancements to software updates monitoring, and greater user control for scheduling software update installation. The following table lists the functionality that is new or that has changed for software updates since Configuration Manager 2007.
Functionality: Software update groups
Description: Software update groups are new in Configuration Manager and replace update lists that were used in Configuration Manager 2007. Software update groups more effectively organize software updates in your environment. You can manually add software updates to a software update group, or add software updates automatically to a new or existing software update group by using an automatic deployment rule. You can also deploy a software update group manually or automatically by using an automatic deployment rule. After you deploy a software update group, you can add new software updates to the group, and they are automatically deployed.

Functionality: Automatic deployment rules
Description: Automatic deployment rules automatically approve and deploy software updates. You specify the criteria for software updates (for example, all Windows 7 software updates released in the last week), the software updates are added to a software update group, you configure deployment and monitoring settings, and you decide whether to deploy the software updates in the software update group. You can deploy the software updates in the software update group, or retrieve compliance information from client computers for the software updates in the software update group without deploying them.

Functionality: Software updates filtering
Description: New search and expanded criteria are available when software updates are listed in the Configuration Manager console. You can add a set of criteria that makes it easy to find the software updates that you require, and you can save the search criteria to use later. For example, you can set criteria for all critical software updates for Windows 7 and for software updates that were released in the last year. After you filter for the updates that you require, you can select the software updates and review compliance information per software update, create a software update group that contains the software updates, manually deploy the software updates, and so on.

Functionality: Software updates monitoring
Description: In the Configuration Manager console, you can monitor the following software updates objects and processes:
- Important software updates compliance and deployment views
- Detailed state messages for all deployments and assets
- Software updates error codes with additional information to help identify issues
- Status for software updates synchronization
- Alerts for important software updates issues
Software update reports are also available that provide detailed state information for software updates, software update groups, and software update deployments.

Functionality: Manage superseded software updates
Description: Superseded software updates in Configuration Manager 2007 were automatically expired during the full software updates synchronization process for a site. In System Center 2012 Configuration Manager, you can decide whether to manage superseded software updates as in Configuration Manager 2007, or you can configure a specified period of time during which the software update is not automatically expired after it is superseded. During this time, you can deploy superseded software updates.

Functionality: Increased user control over software updates installation
Description: Configuration Manager gives users more control over when to install software updates on their computer. Configuration Manager Software Center is an application that is installed with the Configuration Manager client. Users run this application from the Start menu to manage the software that is deployed to them, including software updates. In Software Center, users can schedule software update installation at a convenient time before the deadline and install optional software updates. For example, users can configure their business hours and have software updates run outside of those hours to minimize productivity loss. When the deadline is reached for a software update, the installation for the software update is started.

Functionality: Software update files are stored in the content library
Description: The content library in System Center 2012 Configuration Manager is the location that stores all content files for software updates, applications, operating system deployment, and so on. The content library provides a single instance store for content files on the site server and distribution points, and provides an advantage over content management functionality in Configuration Manager 2007. For example, in Configuration Manager 2007, you might distribute the same content files multiple times by using different deployments and deployment packages. The result was that the same content files were stored multiple times on the site server and on distribution points, which added unnecessary processing overhead and excessive hard disk space requirements. For more information about content management, see the Content Library section in the Introduction to Content Management in Configuration Manager topic.

Functionality: Software update deployment template
Description: There is no longer a Deployment Templates node in the Configuration Manager console to manage your templates. Deployment templates can be created only in the Automatic Deployment Rules Wizard or the Deploy Software Updates Wizard. Deployment templates store many of the deployment properties that might not change from deployment to deployment, and they can save much time for administrative users when they deploy software updates. Deployment templates can be created for different deployment scenarios in your environment. For example, you can create one template for expedited software update deployments and another for planned deployments. The template for the expedited deployment can suppress display notifications on client computers, set the deadline to zero (0) days from the deployment schedule, and enable system restarts outside maintenance windows. The template for a planned deployment can allow display notifications on client computers and set the deadline to 14 days from the deployment schedule.

Functionality: Internet-based clients can retrieve update files from the Internet
Description: When an Internet-based client receives a deployment, the client first tries to download the software update files from Microsoft Update instead of from distribution points. When the connection to Microsoft Update is not successful, clients fall back to a distribution point that hosts the software update files and is configured to accept communication from clients on the Internet.

Functionality: Update lists are no longer used
Description: Update lists have been replaced by software update groups.

Functionality: Deployments are no longer used
Description: Although you can still deploy software updates in System Center 2012 Configuration Manager, there is no longer a visible software update deployment object. The deployment object is now nested in a software update group.

Functionality: The New Policies Wizard is no longer available to create a NAP policy for software updates
Description: The Network Access Protection node in the Configuration Manager console and the New Policies Wizard are no longer available in System Center 2012 Configuration Manager. To create a NAP policy for software updates, you must select Enable NAP evaluation on the NAP Evaluation tab in the software update properties.

For more information, see the Introduction to Software Updates in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

Application Management

Applications are new in System Center 2012 Configuration Manager and have the following characteristics:
- Applications contain the files and information necessary to deploy a software package to a computer or a mobile device. Applications contain multiple deployment types that contain the files and commands necessary to install the software. For example, an application could contain deployment types for a local installation of a software package, a virtual application package, or a version of the application for mobile devices.
- Requirement rules define conditions that specify how an application is deployed to client devices. For example, you can specify that the application should not be installed if the destination computer has less than 2 GB RAM, or you can specify that a virtual application deployment type is installed when the destination computer is not the primary device of the user.
- Global conditions are similar to requirement rules but can be reused with any deployment type.
- User device affinity allows you to associate a user with specified devices. This allows you to deploy software to a user rather than to a device. For example, you could deploy an application so that it only installs on the primary device of the user. On devices that are not the primary device of the user, you could deploy a virtual application that is removed when the user logs out.
- Deployments are used to distribute applications. A deployment can have an action, which specifies whether to install or uninstall the application, and a purpose, which specifies whether the application must be installed or whether the user can choose to install it.
- System Center 2012 Configuration Manager can use detection methods to determine whether a deployment type has already been installed on a device, by using product information or a script.
- Application management supports the new monitoring features in System Center 2012 Configuration Manager. The status of an application deployment can be monitored directly in the Configuration Manager console.
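The script detection method mentioned above relies on a simple contract: Configuration Manager runs the script on the client, and an exit code of 0 together with any text on STDOUT means the deployment type is installed, while exit code 0 with no output means it is not. The following Windows PowerShell script is an added example, not part of the Microsoft documentation, of a detection script that checks the Programs and Features registry entries for a product at or above a minimum version. The product name and version are placeholders.

```powershell
# Added example (not from the Configuration Manager documentation): a script
# detection method for an application deployment type. Configuration Manager
# treats exit code 0 plus any STDOUT text as "installed", and exit code 0 with
# no output as "not installed". A non-zero exit code, or output on STDERR,
# is reported as a detection error rather than as "not installed".
$ProductName    = 'Contoso Agent'     # placeholder: DisplayName as shown in Programs and Features
$MinimumVersion = [version]'2.0.0'    # placeholder: lowest version that counts as installed

function Get-InstalledProductVersion {
    param([string]$DisplayName)
    # Check both the native and the 32-bit-on-64-bit uninstall hives, because a
    # detection script can run in either PowerShell bitness.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $versions = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $DisplayName -and $_.DisplayVersion } |
        ForEach-Object {
            # Ignore entries whose DisplayVersion does not parse as a System.Version.
            try { [version]$_.DisplayVersion } catch { $null }
        } |
        Where-Object { $_ -ne $null } |
        Sort-Object -Descending
    if ($versions) { return $versions[0] }   # highest installed version, or $null
    return $null
}

function Test-ProductInstalled {
    param([string]$DisplayName, [version]$MinimumVersion)
    $found = Get-InstalledProductVersion -DisplayName $DisplayName
    return ($null -ne $found -and $found -ge $MinimumVersion)
}

if (Test-ProductInstalled -DisplayName $ProductName -MinimumVersion $MinimumVersion) {
    # Any output on STDOUT signals "installed" to Configuration Manager.
    Write-Output "$ProductName $MinimumVersion or later is installed."
}
# Deliberately write nothing on the "not installed" path and always exit 0, so
# that absence is reported as "not installed" rather than as an error.
exit 0
```

Paste the script body into the deployment type's detection method as a PowerShell script. Keep the "not installed" path silent and the exit code at 0; writing to STDERR or exiting non-zero on that path causes the client to report the detection as failed, and the deployment then shows up in monitoring as an error instead of as a pending installation.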
- Packages and programs from Configuration Manager 2007 are supported in System Center 2012 Configuration Manager and can use some of the new deployment and monitoring features.
- You can now deploy a task sequence on the Internet, for example as a method to deploy a script before installing a package and program. Deploying an operating system over the Internet is still not supported.
- Software Center is a new client interface that allows users to request and install applications, control some client functionality, and access the Application Catalog, which contains details about all available applications.

The following are new or changed for virtual application (App-V) deployment in System Center 2012 Configuration Manager:

- Virtual applications support App-V Dynamic Suite Composition by using Configuration Manager local and virtual application dependencies.
- You can selectively publish the components of a virtual application to client computers.
- Performance improvements when publishing application shortcuts to client computers.
- Clients now check more quickly for required installations after logon. Clients also now check for required installations when the desktop is unlocked.
- Applications can be deployed to users of Remote Desktop Services or Citrix servers when other users are logged in.
- System Center 2012 Configuration Manager supports streaming virtual applications over the Internet from an Internet-based distribution point.
- Streaming support for packages suited together using Dynamic Suite Composition.
- In Configuration Manager 2007, you had to enable streaming support for virtual applications on each distribution point. In System Center 2012 Configuration Manager, all distribution points are automatically capable of virtual application streaming.
- Reduced disk space usage on distribution points, because application content is no longer duplicated for multiple application revisions.
- Virtual application content is no longer persisted by default in the Configuration Manager client cache.
- You can no longer create virtual applications by using Configuration Manager packages and programs. You must use Configuration Manager application management.
- Configuration Manager supports migrating virtual application packages from Configuration Manager 2007 to System Center 2012 Configuration Manager. When you migrate an App-V package from Configuration Manager 2007, the migration wizard creates it as a System Center 2012 Configuration Manager application.
- The Configuration Manager 2007 client option Allow virtual application package advertisement has been removed. In System Center 2012 Configuration Manager, virtual applications can be deployed by default.
- Virtual applications that are deployed from an App-V Server are not deleted by the Configuration Manager client.
- Configuration Manager hardware inventory can be used to inventory virtual applications deployed by an App-V Server.
- Application content that has been downloaded to the App-V cache is not downloaded to the Configuration Manager client cache. To modify a virtual application, you must first create it as a Configuration Manager application.
For more information, see the Introduction to Application Management in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

Operating System Deployment

The following items are new or have changed for operating system deployment since Configuration Manager 2007:

- You can apply Windows Updates by using Component-Based Servicing (CBS) to update the Windows Imaging Format (WIM) files that are stored in the Image node of the Software Library workspace.
- The Task Sequence Media Wizard includes steps to add prestart command files (formerly pre-execution hooks) to prestaged media, bootable media, and stand-alone media.

  Note: For more information about how to deploy operating systems, including how to use prestart commands when you create media, see one of the following sections in the How to Deploy Operating Systems by Using Media in Configuration Manager topic:
  - How to Create Prestaged Media
  - How to Create Bootable Media
  - How to Create Stand-alone Media

- When you create media that deploys an operating system, you can configure the Task Sequence Media Wizard to suppress the Task Sequence wizard during operating system installation. This configuration enables you to deploy operating systems without end-user intervention. For more information about how to create media by using the Task Sequence Media Wizard, see How to Deploy Operating Systems by Using Media in Configuration Manager.
- You can define a deployment in a prestart command that overrides existing deployments to the destination computer. Use the SMSTSPreferredAdvertID task sequence variable to configure the task sequence to use the specific Offer ID that defines the conditions for the deployment.
- You can use the same task sequence media to deploy operating systems to computers anywhere in the hierarchy. For more information about how to create media by using the Task Sequence Media Wizard, see How to Deploy Operating Systems by Using Media in Configuration Manager.
- The Capture User State and Restore User State task sequence steps support new features from the User State Migration Tool (USMT) version 4. For more information about capturing and restoring the user state, see How to Manage the User State in Configuration Manager.
- You can use the Install Application task sequence step to deploy applications when you deploy an operating system. For more information about task sequences, see Planning a Task Sequences Strategy in Configuration Manager.
- You can associate a user with the computer where the operating system is deployed to support user device affinity actions.
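The SMSTSPreferredAdvertID mechanism described above is set from inside the prestart command through the task sequence environment COM object. The following Windows PowerShell script is an added example, not part of the Microsoft documentation, of such a prestart command. It assumes that Windows PowerShell is available in the boot image that the media uses, that the script is added to the media as the prestart command file, and that you supply the Offer ID of the deployment you want; the Offer ID in the script is a placeholder.

```powershell
# Added example (not from the Configuration Manager documentation): a prestart
# command for task sequence media that pins the task sequence to one deployment
# by setting SMSTSPreferredAdvertID. The Offer ID below is a placeholder; take
# the real value from the task sequence deployment's properties in the console.
$PreferredOfferId = 'ABC20001'   # placeholder Offer ID (deployment ID)

function Set-PreferredDeployment {
    param([Parameter(Mandatory = $true)][string]$OfferId)
    try {
        # Microsoft.SMS.TSEnvironment is the COM object that exposes task sequence
        # variables; it is present in Windows PE when the media runs the prestart command.
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    } catch {
        throw 'Microsoft.SMS.TSEnvironment is not available; run this script from task sequence media.'
    }
    $tsenv.Value('SMSTSPreferredAdvertID') = $OfferId
    # Read the variable back so that the media log shows what was actually set.
    return $tsenv.Value('SMSTSPreferredAdvertID')
}

$applied = Set-PreferredDeployment -OfferId $PreferredOfferId
Write-Output "SMSTSPreferredAdvertID set to $applied"
```

Because the variable overrides whatever deployments already target the computer, restrict the media that carries this prestart command to the staff who are meant to use it, and keep the Offer ID in the script pointed at a deployment whose conditions you have reviewed; a wrong value silently selects a different task sequence than the operator expects.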
  For more information about creating an association between users and the destination computer, see How to Associate Users with a Destination Computer. For more information about how to manage user device affinity, see How to Manage User Device Affinity in Configuration Manager.
- The functionality of the PXE service point and its configuration is moved to the distribution point to increase scalability. For more information about creating a distribution point that accepts PXE requests, see the Creating Distribution Points that Accept PXE Requests section of the How to Deploy Operating Systems by Using PXE in Configuration Manager topic.
- CMTrace, the Configuration Manager log viewer tool, is added to all boot images that are added to the Software Library. For more information about boot images, see Planning for Boot Image Deployments in Configuration Manager.

For more information, see the Introduction to Operating System Deployment in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

Content Management

The following items are new or have changed for content management since Configuration Manager 2007:

- Branch distribution points were available in Configuration Manager 2007 to distribute content, for example, to a small office with limited bandwidth. In System Center 2012 Configuration Manager, there is only one distribution point type, with the following new functionality:
  - You can install the distribution point site system role on client or server computers.
  - You can configure bandwidth settings, throttling settings, and a schedule for content distribution between the site server and the distribution point.
  - You can prestage content on remote distribution points and manage how Configuration Manager updates content on the prestaged distribution points.
  - The PXE service point and the associated settings are in the properties for the distribution point.
- In Configuration Manager 2007, you configure a distribution point as protected to prevent clients outside the protected boundaries from accessing the distribution point. In System Center 2012 Configuration Manager, preferred distribution points replace protected distribution points.
- Distribution point groups provide a logical grouping of distribution points for content distribution. You can add one or more distribution points from any site in the Configuration Manager hierarchy to the distribution point group. You can also add the distribution point to more than one distribution point group. This expanded functionality lets you manage and monitor content from a central location for distribution points that span multiple sites.
• The content library in System Center 2012 Configuration Manager is the location that stores all content files for software updates, applications, operating system deployment, and so on. The content library provides a single instance store for content files on the site server and distribution points, and provides an advantage over content management functionality in Configuration Manager 2007. For example, in Configuration Manager 2007, you might distribute the same content files multiple times by using different deployments and deployment packages. The result was that the same content files were stored multiple times on the site server and on distribution points, which added unnecessary processing overhead and excessive hard disk space requirements.
• You can prestage content, which is the process of copying content to the content library on a site server or distribution point before you distribute the content. Because the content files are already in the content library, Configuration Manager does not copy the files over the network when you distribute the content.
• The Configuration Manager console provides content monitoring that includes the status for all package types in relation to the associated distribution points, the status of content assigned to a specific distribution point group, the state of content assigned to a distribution point, and the status of optional features for each distribution point.
• You can enable content validation on distribution points to verify the integrity of packages that have been distributed to the distribution point.
• In Configuration Manager 2007, content files are automatically distributed to the disk drive with the most free space. In System Center 2012 Configuration Manager, you configure the disk drives on which you want to store content and configure the priority for each drive when Configuration Manager copies the content files.
• BranchCache has been integrated in System Center 2012 Configuration Manager so that you can control usage at a more detailed level. You can configure the BranchCache settings on a deployment type for applications and on the deployment for a package.
For more information, see the Introduction to Content Management in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

Monitoring and Reporting
The following sections contain information about changes from Configuration Manager 2007 that relate to monitoring and reporting in System Center 2012 Configuration Manager.

Reporting
The following items are new or have changed for reporting since Configuration Manager 2007:
• Configuration Manager no longer uses the reporting point; the reporting services point is the only site system role that Configuration Manager now uses for reporting.
• Full integration of the Configuration Manager 2007 R2 SQL Server Reporting Services solution: In addition to standard report management, Configuration Manager 2007 R2 introduced support for SQL Server Reporting Services reporting. System Center 2012 Configuration Manager integrates the Reporting Services solution, adds new functionality, and removes standard report management as a reporting solution.
• Report Builder 2.0 integration: System Center 2012 Configuration Manager uses Microsoft SQL Server 2008 Reporting Services Report Builder 2.0 as the exclusive authoring and editing tool for both model-based and SQL-based reports. Report Builder 2.0 is automatically installed when you create or modify a report for the first time.
• Report subscriptions in SQL Server Reporting Services let you configure the automatic delivery of specified reports by email or to a file share at scheduled intervals.
• You can run Configuration Manager reports in the Configuration Manager console by using Report Viewer, or you can run reports from a browser by using Report Manager. Both methods for running reports provide a similar experience.
• Reports in Configuration Manager are rendered in the locale of the installed Configuration Manager console. Subscriptions are rendered in the locale in which SQL Server Reporting Services is installed. When you author a report, you can specify the assembly and expression.
For more information, see the Introduction to Reporting in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.
Alerts
Alerts are new in System Center 2012 Configuration Manager and provide near real-time awareness of current site operations and conditions in the Configuration Manager console. Alerts are state-based and automatically update when conditions change. System Center 2012 Configuration Manager alerts are not similar to status messages in Configuration Manager, nor are they similar to alerts in other System Center products, such as those found in Microsoft System Center Operations Manager 2007. For more information, see the Configuring Alerts in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.

Monitoring Database Replication
You can monitor the status of System Center 2012 Configuration Manager data replication by using the Database Replication node in the Monitoring workspace of the Configuration Manager console. For more information, see the How to Monitor Database Replication and SQL Server Status for Database Replication section in the Monitor Configuration Manager Sites and Hierarchy topic from the Site Administration for System Center 2012 Configuration Manager guide.

See Also
Getting Started with System Center 2012 Configuration Manager

What’s New in the Documentation for Configuration Manager
Use this topic to track a summary of significant changes in the Documentation Library for System Center 2012 Configuration Manager. After the release, the documentation might be updated for new information, to incorporate customer feedback, and to make any corrections that might be required. Typically, any documentation changes are announced each month on the System Center Configuration Manager Team Blog, and then periodically summarized in this topic. You can use the Configuration Manager Documentation Team Twitter feed to be notified about recent updates.
In the release publication of the library, the following guides include information to help you be successful with Configuration Manager:

Guide | Description
Getting Started with System Center 2012 Configuration Manager | This guide helps you get started with System Center 2012 Configuration Manager with an introduction to the product, what’s new and changed since Configuration Manager 2007, basic concepts, and some frequently asked questions.
Site Administration for System Center 2012 Configuration Manager | This guide provides the information to help you plan, install, configure, and maintain System Center 2012 Configuration Manager. This information includes how to run Setup for the product.
Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager | This guide provides information about migrating an existing Configuration Manager 2007 infrastructure to System Center 2012 Configuration Manager.
Deploying Clients for System Center 2012 Configuration Manager | This guide provides information to help you plan, install, configure, and manage client deployment in System Center 2012 Configuration Manager. This information includes enrolling mobile devices with Configuration Manager and how to manage mobile devices by using the Exchange Server connector.
Deploying Software and Operating Systems in System Center 2012 Configuration Manager | This guide provides information to help you plan, configure, and manage the deployment of software and operating systems in System Center 2012 Configuration Manager.
Assets and Compliance in System Center 2012 Configuration Manager | This guide provides information to help you manage your devices (computers and mobile devices) in System Center 2012 Configuration Manager.
Security and Privacy for System Center 2012 Configuration Manager | This guide contains security-related information from the other Configuration Manager guides and privacy statements for the product.

For a glossary of terms and definitions, see Glossary for Microsoft System Center 2012 Configuration Manager.

What's New in the Documentation Library for May 2012
The following sections describe what's new in the Documentation Library for System Center 2012 Configuration Manager since the official documentation library release in March 2012. The topics that are listed are either new topics or topics that contain significant technical changes. Topics that contain minor changes are not listed.
In addition, you can now download a copy of this technical documentation from the Microsoft Download Center. Always use the TechNet online library for the most up-to-date information.

Getting Started with System Center 2012 Configuration Manager
The following new or updated topics are from the Getting Started with System Center 2012 Configuration Manager guide.

Topic | More information
What’s New in Configuration Manager | In the Sites and Hierarchies section, added a new section for Language Pack Support. This information is also clarified in the Client Deployment and Operations section, which contains the information that you no longer install International Client Packs (ICPs) when you want to support different languages on the client.
Supported Configurations for Configuration Manager | Updated for the latest support statements.
Frequently Asked Questions for Configuration Manager | Updated for new questions that include the following: Where are the supported scenarios and network diagrams for Internet-based client management that you had for Configuration Manager 2007? Can I migrate maintenance windows? Which antimalware solutions can Endpoint Protection uninstall?
Information and Support for Configuration Manager | Updated the Search the Configuration Manager Documentation Library section to explain how to use the scoped search link, with examples and search tips.

Site Administration for System Center 2012 Configuration Manager
The following new or updated topics are from the Site Administration for System Center 2012 Configuration Manager guide.

Topic | More information
Planning for Site Systems in Configuration Manager | Updated the site system role placement for secondary sites.
Planning for Sites and Hierarchies in Configuration Manager | Updated for additional information about planning for language packs at Configuration Manager sites, clients, and the Configuration Manager console.
Planning for Discovery in Configuration Manager | Updated for the new section, Best Practices for Discovery.
Planning for Communications in Configuration Manager | Updated for the information that the Application Catalog web service point, like the out of band service point, must reside in the same Active Directory forest as the site server. Other site system roles can be installed in other forests. This topic is also updated for a procedure for how to manually publish management points to DNS on Windows Server.
Install Sites and Create a Hierarchy for Configuration Manager | Updated for a new section, Decommission Sites and Hierarchies, for information about how to uninstall Configuration Manager. In addition, the /TESTDBUPGRADE option is updated in the Using Command-Line Options with Setup section to clarify that this switch is not supported on a production database.
Manage Site and Hierarchy Configurations | Updated the Modify the Site Database Configuration section to clarify that Configuration Manager does not support changing the port for SQL Server after the site is installed. Added new sections, Manage Language Packs at Configuration Manager Sites and Configure Custom Locations for the Site Database Files.
Security and Privacy for Site Administration in Configuration Manager | Updated the entry about the Security Configuration Wizard with the link to download the toolkit for System Center 2012 Configuration Manager: System Center 2012 – Configuration Manager Component Add-ons and Extensions. This information is also updated in the Security and Privacy for System Center 2012 Configuration Manager guide.
Technical Reference for Ports Used in Configuration Manager | Updated for the ports used by the new site system roles: the Application Catalog website point and Application Catalog web service point; the enrollment point and enrollment proxy point; and the Endpoint Protection point. Also clarified that Configuration Manager does not support dynamic ports for SQL Server.
Technical Reference for Language Packs in Configuration Manager | New topic that provides technical details about language support in System Center 2012 Configuration Manager.

Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager
The following new or updated topics are from the Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager guide.

Topic | More information
Planning for Migration to System Center 2012 Configuration Manager | Updated for additional information about planning for overlapping boundaries if you will install new Configuration Manager 2007 clients during the migration period.
Planning for Migration Jobs in System Center 2012 Configuration Manager | Updated to clarify that when a collection migrates, Configuration Manager also migrates collection settings that include maintenance windows and collection variables, but cannot migrate collection settings for AMT provisioning.
Planning for Content Deployment During Migration to System Center 2012 Configuration Manager | Updated the Distribution Point Upgrade section to clarify the package migration behavior during a distribution point upgrade.

Deploying Clients for System Center 2012 Configuration Manager
The following new or updated topics are from the Deploying Clients for System Center 2012 Configuration Manager guide.

Topic | More information
Prerequisites for Client Deployment in Configuration Manager | Updated to clarify that although most operating systems now include BITS, some operating systems, such as Windows Server 2003 R2 SP2, do not. If you install the client on an operating system that does not already have BITS installed, you must first install it.
Best Practices for Client Deployment in Configuration Manager | Updated for the new best practice to install additional client languages on the site before you deploy clients on computers and mobile devices.
How to Assign Clients to a Site in Configuration Manager | Updated to clarify the assignment behavior for a System Center 2012 Configuration Manager client when it is assigned to a Configuration Manager 2007 site.
About Client Installation Properties in Configuration Manager | Updated for information about file locations for the /config: and CCMENABLELOGGING installation properties.

Deploying Software and Operating Systems in System Center 2012 Configuration Manager
The following new or updated topics are from the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

Topic | More information
Example Scenario for Deploying Software Updates | New topic that provides an example scenario for how you might deploy software updates in your environment.
How to Manage Applications and Deployment Types in Configuration Manager | Updated to clarify that the Retire management task does not remove any installed copies of the application from client computers.
Planning a Task Sequences Strategy in Configuration Manager | Updated for information about running task sequences in a maintenance window.
How to Manage the User State in Configuration Manager | Updated for how to create a USMT package and how to restore the user state if the operating system deployment fails.
Task Sequence Steps in Configuration Manager | Updated the Install Software Updates step for the information that the step cannot suppress restarts if the software update requires a restart.
Example Scenario for PXE-Initiated Operating System Deployment | New topic that provides an example scenario for how you might deploy an operating system by using PXE in your environment.

Assets and Compliance in System Center 2012 Configuration Manager
The following new or updated topics are from the Assets and Compliance in System Center 2012 Configuration Manager guide.

Topic | More information
How to Create Queries in Configuration Manager | Updated to clarify that a query that contains no criteria will return all devices in the All Systems collection.
How to Extend Hardware Inventory in Configuration Manager | Updated for the information that you must create a hardware inventory class for any MIF files you want to add to inventory.
How to Configure Software Inventory in Configuration Manager | Updated for an example of how to specify a file type that you want to inventory.
Introduction to Software Metering in Configuration Manager | Updated to include the reference to Example Scenario for Software Metering in Configuration Manager.
How to Manage AMT-based Computers Out of Band in Configuration Manager | Updated to clarify that the out of band management power control commands are always available for a collection, even if the collection contains resources that are not provisioned for AMT.
How to Configure Endpoint Protection in Configuration Manager | Updated for information about using software updates automatic deployment rules to deploy definition updates for Endpoint Protection.

See Also
Getting Started with System Center 2012 Configuration Manager

Fundamentals of Configuration Manager
If you are new to Configuration Manager, use the following information to learn about the basic concepts for Microsoft System Center 2012 Configuration Manager before you run Setup or read more detailed information. If you are familiar with Configuration Manager 2007, see What’s New in Configuration Manager.
For information about supported operating systems and supported environments, hardware requirements, and capacity information, see Supported Configurations for Configuration Manager.

Sites
When you install System Center 2012 Configuration Manager for the first time, you create a Configuration Manager site that is the foundation from which to manage devices and users in your enterprise. This site is either a central administration site or a primary site. A central administration site is suitable for large-scale deployments and provides a central point of administration and the flexibility to support devices that are distributed across a global network infrastructure. A primary site is suitable for smaller deployments and it has fewer options to accommodate any future growth of your enterprise.

When you install a central administration site, you must also install at least one primary site to manage users and devices. With this design, you can install additional primary sites to manage more devices and to control network bandwidth when devices are in different geographical locations. You can also install another type of site that is named a secondary site. Secondary sites extend a primary site to manage a few devices that have a slow network connection to the primary site.

When the first site that you install is a primary site instead of a central administration site, you cannot install additional primary sites. However, you can still install one or more secondary sites to extend the primary site when you need to manage a few devices that have a slow network connection to the primary site. If you do not install any secondary sites from this single primary site, the site is referred to as a standalone site.

When you have more than one site that communicates with each other, you have an arrangement of sites that is referred to as a hierarchy.

Publishing Site Information to Active Directory Domain Services
If you extend the Active Directory schema for System Center 2012 Configuration Manager, you can publish System Center 2012 Configuration Manager sites to Active Directory Domain Services so that Active Directory computers can securely retrieve System Center 2012 Configuration Manager site information from a trusted source. Although publishing site information to Active Directory Domain Services is not required for basic Configuration Manager functionality, this configuration increases the security of your System Center 2012 Configuration Manager hierarchy and reduces administrative overhead.

You can extend the Active Directory schema before or after you install System Center 2012 Configuration Manager. Before you can publish site information, you must also create an Active Directory container named System Management in each domain that contains a System Center 2012 Configuration Manager site. You must also configure the Active Directory permissions so that the site can publish its information to this Active Directory container. As with all schema extensions, you extend the schema for System Center 2012 Configuration Manager one time only per forest.
Site System Servers and Site System Roles
Configuration Manager uses site system roles to support management operations at each site. When you install a Configuration Manager site, some site system roles are automatically installed and assigned to the server on which Configuration Manager Setup has run successfully. One of these site system roles is the site server, which you cannot transfer to another server or remove without uninstalling the site. You can use other servers to run additional site system roles or to transfer some site system roles from the site server by installing and configuring Configuration Manager site system servers.

Each site system role supports different management functions. The site system roles that provide basic management functionality are described in the following table.

Site System Role | Description
Site server | A computer on which you run the Configuration Manager setup program and which provides the core functionality for the site.
Site database server | A server that hosts the SQL Server database, which stores information about Configuration Manager assets and site data.
Component server | A server that runs Configuration Manager services. When you install all the site system roles except for the distribution point role, Configuration Manager automatically installs the component server.
Management point | A site system role that provides policy and service location information to clients and receives configuration data from clients.
Distribution point | A site system role that contains source files for clients to download, such as application content, software packages, software updates, operating system images, and boot images.
Reporting services point | A site system role that integrates with SQL Server Reporting Services to create and manage reports for Configuration Manager.

When companies first deploy Configuration Manager in a production environment, they often run multiple site system roles on the site server and have additional site system servers for distribution points. Then they install additional site system servers and add new site system roles, according to their business requirements and network infrastructure. The additional site system roles that you might need for specific functionality are listed in the following table.

Site System Role | Description
State migration point | A site system role that stores user state data when a computer is migrated to a new operating system.
Software update point | A site system role that integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients.
System Health Validator point | A site system role that validates Configuration Manager Network Access Protection (NAP) policies. It must be installed on a NAP health policy server.
Endpoint Protection point | A site system role that Configuration Manager uses to accept the Endpoint Protection license terms and to configure the default membership for Microsoft Active Protection Service.
Fallback status point | A site system role that helps you monitor client installation and identify the clients that are unmanaged because they cannot communicate with their management point.
Out of band service point | A site system role that provisions and configures Intel AMT-based computers for out of band management.
Asset Intelligence synchronization point | A site system role that connects to System Center Online to download Asset Intelligence catalog information and upload uncategorized titles so that they can be considered for future inclusion in the catalog.
Application Catalog web service point | A site system role that provides software information to the Application Catalog website from the Software Library.
Application Catalog website point | A site system role that provides users with a list of available software from the Application Catalog.
Enrollment proxy point | A site system role that manages enrollment requests from mobile devices so that they can be managed by Configuration Manager.
Enrollment point | A site system role that uses PKI certificates to complete mobile device enrollment and to provision Intel AMT-based computers.

Clients
System Center 2012 Configuration Manager clients are devices (such as workstations, laptops, servers, and mobile devices) that have the Configuration Manager client software installed so that you can manage them. Management includes operations such as reporting hardware and software inventory information, installing software, and configuring settings that are needed for compliance.

Configuration Manager has discovery methods that you can use to find devices on your network to help you to install the client software on them. Configuration Manager has a number of options to install the client software on devices. These options include client push installation, software update-based installation, group policy, and manual installation. You can also include the client when you deploy an operating system image.

Configuration Manager uses collections to group devices so that you can perform management tasks on multiple devices that share a common set of criteria. For example, you might want to install a mobile device application on all mobile devices, in which case you could use the All Mobile Devices collection, which automatically excludes computers. You can create your own collections to logically group the devices that you manage, according to your business requirements.
User-Centric Management
In addition to the collections for devices, there are also user collections that contain users from Active Directory Domain Services. User collections allow you to install software on all computers that the user logs into, or you can configure user device affinity so that the software installs on only the main devices that the user uses. These main devices are called primary devices and a user can have one or more primary devices.

One of the ways in which users can control their software deployment experience is by using the new client interface, Software Center. Software Center is automatically installed on client computers and accessed from the users’ Start menu. It allows users to manage their own software, and they can perform the following:
• Install software
• Schedule software to automatically install outside working hours
• Configure when Configuration Manager can install software on their device
• Configure access settings for remote control, if remote control is enabled in Configuration Manager
• Configure options for power management if an administrative user has enabled this

A link in Software Center allows users to connect to the Application Catalog, where they can browse for, install and request software. In addition, users can also use the Application Catalog to configure some preference settings and wipe their mobile devices. Because the Application Catalog is a website that is hosted in IIS, users can also access the Application Catalog directly from a browser, from the intranet, or from the Internet.

Users can also specify their primary devices from the Application Catalog, if you allow this configuration. Other methods of configuring the user device affinity information include importing the information from a file and automatic generation from usage data.
Client Settings
When you first install System Center 2012 Configuration Manager, all clients in the hierarchy are configured with default client settings, which you can modify. These client settings include configuration options such as how often devices communicate with the site, whether the client is enabled for software updates and other management operations, and whether users can enroll their mobile devices to be managed by Configuration Manager.

If you need different client settings for groups of users or devices, you can create custom client settings and then assign them to collections. Users or devices that are in the collection will be configured with the custom settings. You can create multiple custom client settings and they are applied in the order that you specify. When you have multiple custom client settings, they are applied according to their order number. If there are any conflicts, the setting that has the lowest order number overrides the other settings.

Limited Management without Clients
The System Center 2012 Configuration Manager client software provides full management capability for users and devices, but there are also two scenarios in which you can manage devices independently from the client software: out of band management, which uses Intel Active Management Technology (AMT), and mobile devices that are connected to an Exchange Server computer.

Configuration Manager uses the client software to provision and configure computers for AMT, but when you perform AMT management operations, the client software is not used. Instead, Configuration Manager connects directly to the AMT management controller. This means that you continue to have some management control over computers that are not started or are not responding at the operating system level. For example, you could restart these computers, re-image them, or run diagnostic utilities to help troubleshoot them.

When you cannot install the Configuration Manager client software on mobile devices, you can still manage them by using the Exchange Server connector. The connector allows you to configure the settings in the Exchange Default ActiveSync mailbox policy. Any settings that are defined in this policy can be configured by Configuration Manager, and this connector also supports remote wipe and Exchange access rules for block and quarantine. Any mobile device that you manage by using the Exchange Server connector displays in the All Mobile Devices collection, even though the device does not have the System Center 2012 Configuration Manager client installed on it. Because the client is not installed, you cannot deploy software to these devices.

Client Management Tasks
After you have installed Configuration Manager clients, you can perform various client management tasks, which include the following:
• Deploy applications, software updates, maintenance scripts, and operating systems. You can configure these to install by a specified date and time, or make them available for users to install when they are requested, and you can configure applications to be uninstalled.
• Help protect computers from malware and security threats, and alert you when problems are detected.
• Define client configuration settings that you want to monitor and remediate if they are out of compliance.
• Collect hardware and software inventory information, which includes monitoring and reconciling license information from System Center Online.
• Troubleshoot computers by using remote control or by using AMT operations for AMT-based computers that are not responding.
• Implement power management settings to manage and monitor the power consumption of computers.

You can use the Configuration Manager console to monitor these operations in near real-time, by using alerts and status information. For capturing data and historical trending, you can use the integrated reporting capabilities of SQL Reporting Services. To help ensure that you continue to manage the System Center 2012 Configuration Manager clients, use the client status information that provides data about the health of the client and client activity. This data helps to identify computers that are not responding and in some cases, problems can be automatically remediated.
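The precedence rule described in the Client Settings section above (every client starts from the default client settings, custom client settings assigned to a device's collections are layered on top, and the lowest order number wins any conflict), as an added illustration that is not Microsoft's documentation or product code. The setting names, collection names and custom settings objects are constructed for the example; resolve() also reports which object supplied each value, so an administrator can see why a device ended up with a given setting, and conflicts() lists the settings that several applicable objects compete for.

```python
"""Precedence model for System Center 2012 Configuration Manager client settings.

Added illustration, not Microsoft's code. Setting names, collection names and
the custom settings objects below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Settings = Dict[str, object]

# Constructed stand-ins for the default client settings every client starts with.
DEFAULT_CLIENT_SETTINGS: Settings = {
    "policy_polling_minutes": 60,
    "software_updates_enabled": True,
    "mobile_device_enrollment": False,
    "remote_control_enabled": False,
}
DEFAULT_NAME = "Default Client Settings"


@dataclass
class CustomClientSettings:
    """A custom client settings object assigned to one or more collections."""
    name: str
    order: int                  # lower order number wins a conflict
    collections: Set[str]       # collections the object is assigned to
    values: Settings            # only the settings this object overrides


def applicable(device_collections: Set[str],
               custom: Iterable[CustomClientSettings]) -> List[CustomClientSettings]:
    """Custom settings objects whose target collections contain the device."""
    return [c for c in custom if c.collections & device_collections]


def resolve(device_collections: Set[str],
            custom: List[CustomClientSettings],
            defaults: Settings = DEFAULT_CLIENT_SETTINGS) -> Tuple[Settings, Dict[str, str]]:
    """Return the effective settings for a device and the object that supplied each value."""
    orders = [c.order for c in custom]
    if len(orders) != len(set(orders)):
        raise ValueError("custom client settings must have unique order numbers")
    effective = dict(defaults)
    source = {key: DEFAULT_NAME for key in defaults}
    # Apply the highest order number first, so the lowest order number is
    # written last and therefore overrides every other applicable object.
    for c in sorted(applicable(device_collections, custom),
                    key=lambda c: c.order, reverse=True):
        for key, value in c.values.items():
            if key not in defaults:
                raise KeyError(f"{c.name!r} overrides unknown setting {key!r}")
            effective[key] = value
            source[key] = c.name
    return effective, source


def conflicts(device_collections: Set[str],
              custom: List[CustomClientSettings]) -> Dict[str, List[str]]:
    """Settings overridden by more than one applicable object, winning object first."""
    competing: Dict[str, List[CustomClientSettings]] = {}
    for c in applicable(device_collections, custom):
        for key in c.values:
            competing.setdefault(key, []).append(c)
    return {key: [c.name for c in sorted(objs, key=lambda c: c.order)]
            for key, objs in competing.items() if len(objs) > 1}


# Constructed sample: three custom objects, two of which target lab computers.
SAMPLE_CUSTOM_SETTINGS = [
    CustomClientSettings("Lab computers", 1, {"Lab Computers"},
                         {"remote_control_enabled": False, "policy_polling_minutes": 30}),
    CustomClientSettings("Help desk remote control", 2, {"All Desktop and Server Clients"},
                         {"remote_control_enabled": True}),
    CustomClientSettings("Frequent lab polling", 3, {"Lab Computers"},
                         {"policy_polling_minutes": 5}),
]

if __name__ == "__main__":
    lab_pc = {"All Desktop and Server Clients", "Lab Computers"}
    effective, source = resolve(lab_pc, SAMPLE_CUSTOM_SETTINGS)
    for key, value in effective.items():
        print(f"{key:26} = {value!s:6} (from {source[key]})")
    print("conflicts:", conflicts(lab_pc, SAMPLE_CUSTOM_SETTINGS))
```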
Configuration Manager (Windows Control Panel)
When you install the Configuration Manager client, this installs the Configuration Manager client application in Control Panel. Unlike Software Center, this application is not intended to be used by end users, but rather by the help desk. Some configuration options require local administrative permissions. You can use this application to perform the following tasks on an individual client:
• View properties about the client, such as the build number, its assigned site, which management point it is communicating with, and whether it is using a PKI certificate or a self-signed certificate.
• Confirm that the client has successfully downloaded client policy after it is installed for the first time and that client settings are enabled or disabled as expected, according to the client settings that are configured in the Configuration Manager console.
• Initiate client actions, such as downloading the client policy if there has been a recent change of configuration in the Configuration Manager console and you do not want to wait until the next scheduled time.
• Manually assign a client to a Configuration Manager site or try to find a site, and specify the DNS suffix for management points that publish to DNS.
• Configure the client cache that temporarily stores files, and delete files in the cache if you need more disk space to install software.
• Configure settings for Internet-based client management.
• View configuration baselines that have been deployed to the client, initiate compliance evaluation, and view compliance reports.

Security
Security for System Center 2012 Configuration Manager consists of several layers.
First, Windows provides many security features for both the operating system and the network, such as the following:
• File sharing to transfer files between System Center 2012 Configuration Manager components
• Access Control Lists (ACLs) to secure files and registry keys
• IPsec for securing communications
• Group Policy for setting security policy
• DCOM permissions for distributed applications, such as the Configuration Manager console
• Active Directory Domain Services to store security principals
• Windows account security, including some groups that are created during System Center 2012 Configuration Manager Setup
Additional security components, such as firewalls and intrusion detection, help provide defense in depth for the entire environment. Certificates issued by industry standard PKI implementations help provide authentication, signing, and encryption.
System Center 2012 Configuration Manager controls access to the Configuration Manager console in several ways. By default, only local Administrators have rights to the files and registry keys required to run the Configuration Manager console on computers where it is installed.
The next layer of security is based on access through Windows Management Instrumentation (WMI), specifically the SMS Provider. The SMS Provider is restricted by default to members of the local SMS Admins group. This group initially contains only the user who installed System Center 2012 Configuration Manager. To grant other accounts permission to the Common Information Model (CIM) repository and the SMS Provider, add the other accounts to the SMS Admins group.
The final layer of security is based on permissions to objects in the site database. By default, the Local System account and the user account that you used to install System Center 2012 Configuration Manager have access to administer all objects in the site database. You can grant and restrict permissions to additional administrative users in the Configuration Manager console by using role-based administration.

Role-Based Administration
System Center 2012 Configuration Manager uses role-based administration to secure objects such as collections, deployments, and sites. This administration model centrally defines and manages hierarchy-wide security access settings for all sites and site settings. Security roles are assigned to administrative users and group permissions to different Configuration Manager object types, such as the permissions to create or modify client settings. Security scopes group specific instances of objects that an administrative user is responsible to manage, such as an application that installs Microsoft Office 2010. The combination of security roles, security scopes, and collections defines what objects an administrative user can view and manage. System Center 2012 Configuration Manager installs some default security roles for typical management tasks, but you can create your own security roles to support your specific business requirements.
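The three access layers described above (local Administrators for the console files and registry keys, the SMS Admins group for the SMS Provider, and the site database) are worth auditing periodically, because membership in SMS Admins is what actually grants WMI access to the provider. The following PowerShell script is an added example and is not code from the Configuration Manager documentation. It assumes it runs elevated on the site server or SMS Provider computer, that the provider is registered in the root\sms WMI namespace in the SMS_ProviderLocation class, and that the expected member list (the CONTOSO\SCCM-Admins value) is a placeholder you replace with your own accounts.

```powershell
# Added example, not from the Configuration Manager documentation.
# Audits the local groups that gate console and SMS Provider access and reports
# any SMS Admins member that is not on the expected list.
# Assumptions: run elevated on the site server; root\sms\SMS_ProviderLocation exists;
# $ExpectedMembers is a placeholder you replace with your own accounts.
param(
    [string[]] $ExpectedMembers = @('CONTOSO\SCCM-Admins')   # placeholder value
)

function Get-LocalGroupMember {
    param([string] $GroupName)
    # The ADSI WinNT provider works on Windows Server 2008 R2 without newer cmdlets.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # ADsPath looks like WinNT://DOMAIN/account; normalise to DOMAIN\account.
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $path -replace '^WinNT://', '' -replace '/', '\'
    }
}

# Layer 1: who can run the console locally (files and registry keys are ACLed to Administrators).
$admins = Get-LocalGroupMember -GroupName 'Administrators'

# Layer 2: who can reach the SMS Provider through WMI.
$smsAdmins = Get-LocalGroupMember -GroupName 'SMS Admins'

# Where the SMS Provider for the local site actually runs.
$provider = Get-WmiObject -Namespace 'root\sms' -Class 'SMS_ProviderLocation' -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderForLocalSite }

if ($provider) {
    Write-Output "SMS Provider for local site: $($provider.Machine) (site $($provider.SiteCode))"
} else {
    Write-Warning 'SMS_ProviderLocation not found in root\sms; run this on the site server.'
}
Write-Output "Local Administrators: $($admins -join ', ')"
Write-Output "SMS Admins:           $($smsAdmins -join ', ')"

# Anything in SMS Admins that is not expected gets flagged for review (least privilege).
$unexpected = @($smsAdmins | Where-Object { $ExpectedMembers -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected SMS Admins members, review and remove if not needed: $($unexpected -join ', ')"
} else {
    Write-Output 'SMS Admins membership matches the expected list.'
}
```

The script only reads and reports; the third layer (site database object permissions) is managed through role-based administration in the console, so the script stops at the group level and leaves role and scope assignments to the console.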
Securing Client Endpoints
Client communication to site system roles is secured by using either self-signed certificates or public key infrastructure (PKI) certificates. Computer clients that Configuration Manager detects to be on the Internet and mobile device clients must use PKI certificates so that the client endpoints can be secured by using HTTPS. The site system roles that clients connect to can be configured for HTTPS or HTTP client communication. Client computers always communicate by using the most secure method available and only fall back to using the less secure communication method of HTTP on the intranet if you have site system roles that allow HTTP communication.

Configuration Manager Accounts and Groups
System Center 2012 Configuration Manager uses the Local System account for most site operations. However, some management tasks might require creating and maintaining additional accounts. Several default groups and SQL Server roles are created during Setup, but you might have to manually add computer or user accounts to these default groups and roles.

Privacy
Although enterprise management products offer many advantages because they can effectively manage large numbers of clients, you must also be aware of how this software might affect the privacy of users in your organization. System Center 2012 Configuration Manager includes many tools to gather data and monitor devices, some of which could raise privacy concerns. For example, when you install the System Center 2012 Configuration Manager client, many management settings are enabled by default, which result in the client software sending information to the Configuration Manager site. Client information is stored in the Configuration Manager database and it is not sent to Microsoft. Before you implement System Center 2012 Configuration Manager, consider your privacy requirements.

See Also
Getting Started with System Center 2012 Configuration Manager

Supported Configurations for Configuration Manager
This topic appears in the Getting Started with System Center 2012 Configuration Manager guide and in the Site Administration for System Center 2012 Configuration Manager guide.
This topic specifies the requirements necessary to implement and maintain Microsoft System Center 2012 Configuration Manager in your environment. The following sections list products that are supported with System Center 2012 Configuration Manager. No extension of support for these products beyond their current product lifecycles is implied. Products that are beyond their current support lifecycle are not supported for use with Configuration Manager. For more information about Microsoft Support Lifecycles, visit the Microsoft Support Lifecycle website at Microsoft Support Lifecycle. Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. For additional information about Microsoft support lifecycle policy, visit the Microsoft Support Lifecycle Support Policy FAQ Web site at Microsoft Support Lifecycle Policy FAQ. Products that are not listed in this document are not supported with System Center 2012 Configuration Manager unless they are announced on the System Center Configuration Manager Team Blog.
• Interoperability Between System Center 2012 Configuration Manager and Configuration Manager 2007 Sites
• Client Site Assignment Considerations
• Configuration Manager System Requirements
• Site and Site System Role Scalability
• Site System Requirements
• Computer Client Requirements
• Mobile Device Requirements
• Configuration Manager Console Requirements
• Supported Upgrade Paths
• Configurations for the SQL Server Site Database
• SQL Server Requirements
• Function-Specific Requirements
• Application Management
• Out of Band Management
• Remote Control Viewer
• Support for Active Directory Domains
• Active Directory Schema Extensions
• Disjoint Namespaces
• Single Label Domains
• Windows Environment
• Support for Internet Protocol Version 6
• Support for Specialized Storage Technology
• Support for Computers in Workgroups
• Support for Virtualization Environments
• Support for Network Address Translation
• DirectAccess Feature Support
• BranchCache Feature Support
• Fast User Switching
• Dual Boot Computers

Interoperability Between System Center 2012 Configuration Manager and Configuration Manager 2007 Sites
A System Center 2012 Configuration Manager site or hierarchy cannot interoperate with a Configuration Manager 2007 site or hierarchy. A Configuration Manager 2007 site cannot report to a System Center 2012 Configuration Manager parent site, and you cannot upgrade a Configuration Manager 2007 site to a System Center 2012 Configuration Manager site. Instead of an in-place upgrade, you use System Center 2012 Configuration Manager migration to migrate your Configuration Manager 2007 objects and data to System Center 2012 Configuration Manager. For information about migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager, see Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager.
Because you can deploy a System Center 2012 Configuration Manager site or hierarchy side-by-side with a Configuration Manager 2007 site or hierarchy, take action to prevent clients from either version from trying to join a site from the other Configuration Manager version.
For example, if your Configuration Manager hierarchies have overlapping boundaries, including the same network locations, you might assign each new client to a specific site instead of using automatic site assignment. For information about automatic site assignment in System Center 2012 Configuration Manager, see How to Assign Clients to a Site in Configuration Manager.
System Center 2012 Configuration Manager supports only System Center 2012 Configuration Manager device and mobile device clients. The following clients and the following VPN connection are not supported:
• Any Configuration Manager 2007 or earlier computer client version
• Any Configuration Manager 2007 or earlier device management client
• Windows CE Platform Builder device management client (any version)
• System Center Mobile Device Manager VPN connection

Client Site Assignment Considerations
System Center 2012 Configuration Manager clients can be assigned to only one site. When automatic site assignment is used to assign clients to a site during client installation and more than one boundary group includes the same boundary, and the boundary groups have different assigned sites, the actual site assignment of a client cannot be predicted. If boundaries overlap across multiple System Center 2012 Configuration Manager and Configuration Manager 2007 site hierarchies, clients might not get assigned to the correct site hierarchy or might not get assigned to a site at all.
System Center 2012 Configuration Manager clients check the version of the Configuration Manager site before they complete site assignment and cannot assign to a Configuration Manager 2007 site if boundaries overlap. However, Configuration Manager 2007 clients do not check for the site version and can incorrectly assign to a System Center 2012 Configuration Manager site. To prevent Configuration Manager 2007 clients from unintentionally assigning to a System Center 2012 Configuration Manager site when the two hierarchies have overlapping boundaries, configure Configuration Manager 2007 client installation parameters to assign clients to a specific site.
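Both the Control Panel applet section earlier (client version, assigned site, current management point, and the "download client policy" action) and the site assignment considerations above come down to the same check a help desk or a security reviewer wants to run on a client: is this machine talking to the site it should be? The following PowerShell script is an added example and is not code from the Configuration Manager documentation. It assumes it runs elevated on a System Center 2012 Configuration Manager client, that the root\ccm namespace exposes the SMS_Client and SMS_Authority classes as a 2012 client does, and that the site code PS1 is a placeholder you replace with your own.

```powershell
# Added example, not from the Configuration Manager documentation.
# Reads the client properties the Control Panel applet shows, checks the assigned
# site against the one you expect, and requests a machine policy refresh.
# Assumptions: run elevated on a 2012 client; root\ccm SMS_Client / SMS_Authority exist;
# $ExpectedSiteCode is a placeholder you replace with your own site code.
param(
    [string] $ExpectedSiteCode = 'PS1'   # placeholder site code
)

$client    = Get-WmiObject -Namespace 'root\ccm' -Class 'SMS_Client'    -ErrorAction SilentlyContinue
$authority = Get-WmiObject -Namespace 'root\ccm' -Class 'SMS_Authority' -ErrorAction SilentlyContinue

if (-not $client) {
    Write-Warning 'No Configuration Manager client found in root\ccm on this computer.'
    return
}

# SMS_Authority.Name has the form "SMS:<sitecode>"; the part after the colon is the site.
$assignedSite = if ($authority) { ($authority.Name -split ':')[-1] } else { '<unassigned>' }

Write-Output "Client version:           $($client.ClientVersion)"
Write-Output "Assigned site:            $assignedSite"
Write-Output "Current management point: $($authority.CurrentManagementPoint)"

if ($assignedSite -ne $ExpectedSiteCode) {
    # Overlapping boundaries between hierarchies can land a client in the wrong site,
    # so report the mismatch rather than silently continuing.
    Write-Warning ("Client is assigned to '{0}' but '{1}' was expected. " -f $assignedSite, $ExpectedSiteCode) +
                  'Review boundary groups, or install clients with an explicit site code (the SMSSITECODE property of ccmsetup.exe).'
}

# Equivalent of the applet's "Machine Policy Retrieval & Evaluation Cycle" action.
# The GUID is the well-known schedule ID for that cycle on the 2012 client.
$machinePolicyCycle = '{00000000-0000-0000-0000-000000000021}'
Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' -Name 'TriggerSchedule' -ArgumentList $machinePolicyCycle | Out-Null
Write-Output 'Machine policy retrieval requested; progress is logged in PolicyAgent.log in the client logs folder.'
```

Run it as part of a post-installation check: a client that reports the expected site and a management point answers the "did it download policy" and "is it in the right hierarchy" questions from the two sections above in one pass.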
Configuration Manager System Requirements
The following sections specify the hardware and software requirements that are necessary to implement and maintain Microsoft System Center 2012 Configuration Manager in your environment.

Site and Site System Role Scalability
The following table contains information about the number of clients supported at each site type and by each client-facing site system role. This information is based on the recommended hardware for site systems. For information about the recommended hardware for Configuration Manager sites, see Planning for Hardware Configurations for Configuration Manager. For information about the minimum required hardware to run a Configuration Manager site, see Minimum Hardware Requirements for Site Systems, in this topic.
Central administration site
• A central administration site can support up to 25 child primary sites.
• When using SQL Server Enterprise or Datacenter for the site database at the central administration site, the shared database and hierarchy supports up to 400,000 clients. The maximum number of supported clients per hierarchy depends on the SQL Server edition in the central administration site, and is independent of the SQL Server edition at primary or secondary sites.
  Note: Configuration Manager supports up to 400,000 clients per hierarchy when you use the default settings for all Configuration Manager features.
• When you use SQL Server Standard for the site database at the central administration site, the shared database and hierarchy supports up to 50,000 clients. This is because of how the database is partitioned. After you install Configuration Manager, if you then upgrade the edition of SQL Server at the central administration site from Standard to Enterprise or Datacenter, the database does not repartition and this limitation remains.
  Note: You cannot assign Configuration Manager clients to a central administration site. Support for clients applies to clients that are assigned to child primary sites in the hierarchy.

Primary site
• Each primary site can support up to 250 secondary sites.
  Note: The number of secondary sites per primary site is based on well connected and reliable wide area network (WAN) connections. For locations that have fewer than 500 clients, consider a distribution point instead of a secondary site.
• A stand-alone primary site always supports up to 100,000 clients.
• A child primary site that uses SQL Server installed on the same computer as the site server can support up to 50,000 clients. When you use SQL Server that is installed on a computer that is remote from the site server, the child primary site can support up to 100,000 clients.
  Note: In a hierarchy with a central administration site that uses a standard edition SQL Server, the total number of clients supported in the hierarchy is limited to 50,000. In this hierarchy, a child primary site that uses a remote installation of SQL Server cannot support more clients than is supported by the hierarchy. The version of SQL Server that is used by a secondary site does not affect the number of clients that the primary site supports.
• Unlike a central administration site, the edition of SQL Server you use for the primary site database does not affect the maximum number of clients the primary site supports. This is true for both child primary sites and stand-alone primary sites.

Secondary site
• Each secondary site can support communications from up to 5,000 clients when you use a secondary site server computer with the recommended hardware and that has a fast and reliable network connection to its primary parent site. A secondary site might be able to support communications from additional clients when its hardware configuration exceeds the recommended hardware configuration. For information about the recommended hardware for Configuration Manager sites, see Planning for Hardware Configurations for Configuration Manager.

Management point
Primary site:
• Each primary site management point can support up to 25,000 computer clients. To support 100,000 clients you must have at least four management points.
  Note: Do not place management points across a slow link from their primary site server or from the site database server.
• Each primary site can support up to 10 management points.
  Note: When you have more than four management points in a primary site, you do not increase the supported client count of the primary site beyond 100,000. Instead, any additional management points provide redundancy for communications from clients.
Secondary site:
• Each secondary site supports a single management point that must be installed on the secondary site server.
• The secondary site management point supports communications from the same number of clients as supported by the hardware configuration of the secondary site server.

Distribution point
• Individually, each primary site supports up to 250 distribution points and each distribution point can support up to 4,000 clients.
• Individually, each secondary site supports up to 250 distribution points and each distribution point can support up to the same number of clients as supported by the hardware configuration of the secondary site server, up to a maximum of 4,000 clients.
• Each primary site supports a combined total of up to 5,000 distribution points. This total includes all the distribution points at the primary site and all distribution points that belong to the primary site's child secondary sites.
  Note: The number of clients that one distribution point can support depends on the speed of your network, the disk performance of the distribution point computer, and the application or package size.

Software update point
• Each site supports one active software update point for use on the intranet, and optionally, one software update point for use on the Internet. You can configure each of these software update points as a Network Load Balancing (NLB) cluster. You can have up to four software update points in the NLB cluster.
• A software update point that is installed on the site server can support up to 25,000 clients.
• A software update point that is installed on a computer that is remote from the site server can support up to 100,000 clients.
  Note: For more information, see Planning for Software Updates in Configuration Manager.

Fallback status point
• Each primary site supports one fallback status point.
• Each fallback status point can support up to 100,000 clients.

Application Catalog website point
• Each instance of this site system role supports up to 400,000 clients, providing service for the entire hierarchy.
• You can install multiple instances of the Application Catalog website point at primary sites.
• For improved performance, plan to support up to 50,000 clients per instance.
  Tip: As a best practice, install the Application Catalog website point and Application Catalog web service point together on the same site system when they provide service to clients that are on the intranet.

Application Catalog web service point
• Each instance of this site system role supports up to 400,000 clients, providing service for the entire hierarchy.
• You can install multiple instances of the Application Catalog web service point at primary sites.
• For improved performance, plan to support up to 50,000 clients per instance.
  Tip: As a best practice, install the Application Catalog website point and Application Catalog web service point together on the same site system when they provide service to clients that are on the intranet.

System Health Validator point
• Each System Health Validator point can support up to 100,000 clients.

Site System Requirements
Each System Center 2012 Configuration Manager site system server must use a 64-bit operating system. The only exception to this is the distribution point site system role, which can be installed on limited 32-bit operating system versions.
Limitations for site systems:
• Site systems are not supported on Server Core installations of the Windows Server 2008 or Windows Server 2008 R2, or Windows Server 2008 Foundation or Windows Server 2008 R2 Foundation operating systems.
• It is not supported to change the domain membership or computer name of a Configuration Manager site system after it is installed.
• Site system roles are not supported on an instance of a Windows Server cluster. The only exception to this is the site database server.
The following sections list the hardware requirements and operating system requirements for System Center 2012 Configuration Manager sites, typical site system roles, and function-specific site system roles.

Prerequisites for Site System Roles
The following table identifies prerequisites that are required by Configuration Manager for each site system role. Some prerequisites, such as SQL Server for the site database server, or Windows Server Update Services (WSUS) for the software update point, might require additional prerequisites that are not directly required by the site system role. For site system roles that require Internet Information Services (IIS), use a version of IIS that is supported on the computer that runs the site system role. For information, see the following sections, Operating System Requirements for Typical Site System Roles and Operating System Requirements for Function-Specific Site System Roles, in this topic.
For each site system role, the prerequisites are listed as: .NET Framework version (1), Windows Communication Foundation (WCF) activation (2), role services for the web server (IIS) role, and additional prerequisites.

Site server
• .NET Framework version: 3.51 SP1 and 4.0
• WCF activation: Not applicable
• IIS role services: Not applicable
• Additional prerequisites: Windows feature: Remote Differential Compression. By default, a secondary site installs a management point and a distribution point. Therefore secondary sites must meet the prerequisites for these site system roles.

Database server
• .NET Framework version: Not applicable
• WCF activation: Not applicable
• IIS role services: Not applicable
• Additional prerequisites: A version of SQL Server that Configuration Manager supports must be installed on this computer. When you install SQL Server Express as part of a secondary site installation, the secondary site server computer must meet the requirements for SQL Server Express.

SMS Provider server
• .NET Framework version, WCF activation, IIS role services, additional prerequisites: Not applicable

Application Catalog web service point
• .NET Framework version: 3.51 SP1 and 4.0
• WCF activation: HTTP Activation and Non-HTTP Activation
• IIS role services: the default IIS configuration with the following additions:
  • Application Development: ASP.NET (and automatically selected options)
  • IIS 6 Management Compatibility: IIS 6 Metabase Compatibility
• Additional prerequisites: Not applicable

Application Catalog website point
• .NET Framework version: 4.0
• WCF activation: Not applicable
• IIS role services: the default IIS configuration with the following additions:
  • Common HTTP Features: Static Content, Default Document
  • Application Development: ASP.NET (and automatically selected options) (3)
  • Security: Windows Authentication
  • IIS 6 Management Compatibility: IIS 6 Metabase Compatibility
• Additional prerequisites: Not applicable

Asset Intelligence synchronization point
• .NET Framework version: 4.0
• WCF activation: Not applicable
• IIS role services: Not applicable
• Additional prerequisites: Not applicable

Distribution point (4)
• .NET Framework version: Not applicable
• WCF activation: Not applicable
• IIS role services: You can use the default IIS configuration, or a custom configuration. To use a custom IIS configuration, you must enable the following options for IIS:
  • Application Development: ISAPI Extensions
  • Security: Windows Authentication
  • IIS 6 Management Compatibility: IIS 6 Metabase Compatibility, IIS 6 WMI Compatibility
  When you use a custom IIS configuration you can remove options that are not required, including the following:
  • Common HTTP Features: HTTP Redirection
  • IIS Management Scripts and Tools
• Additional prerequisites: Windows feature: Remote Differential Compression; BITS Server Extensions (and automatically selected options), or Background Intelligent Transfer Services (BITS) (and automatically selected options). To support PXE or multicast, install the following Windows role: Windows Deployment Services.

Endpoint Protection point
• .NET Framework version: 3.5 SP1
• WCF activation: Not applicable
• IIS role services: Not applicable
• Additional prerequisites: Not applicable

Enrollment point
• .NET Framework version: 3.5 SP1
• WCF activation: HTTP Activation and Non-HTTP Activation
• IIS role services: the default IIS configuration with the following additions:
  • Application Development: ASP.NET (and automatically selected options)
• Additional prerequisites: Not applicable

Enrollment proxy point
• .NET Framework version: 3.5 SP1
• WCF activation: HTTP Activation and Non-HTTP Activation
• IIS role services: the default IIS configuration with the following additions:
  • Application Development: ASP.NET (and automatically selected options)
• Additional prerequisites: Not applicable

Fallback status point
• .NET Framework version: Not applicable
• WCF activation: Not applicable
• IIS role services: the default IIS configuration with the following additions:
  • IIS 6 Management Compatibility: IIS 6 Metabase Compatibility
• Additional prerequisites: Not applicable

Management point
• .NET Framework version: 3.5 SP1 when configured to support mobile devices (5)
• WCF activation: Not applicable
• IIS role services: You can use the default IIS configuration, or a custom configuration. To use a custom IIS configuration, you must enable the following options for IIS:
  • Application Development: ISAPI Extensions
  • Security: Windows Authentication
  • IIS 6 Management Compatibility: IIS 6 Metabase Compatibility, IIS 6 WMI Compatibility
  When you use a custom IIS configuration you can remove options that are not required, including the following:
  • Common HTTP Features: HTTP Redirection
  • IIS Management Scripts and Tools
• Additional prerequisites: Windows feature: BITS Server Extensions (and automatically selected options), or Background Intelligent Transfer Services (BITS) (and automatically selected options)

Out of band service point
• .NET Framework version: 4.0
• WCF activation: HTTP Activation and Non-HTTP Activation
• IIS role services: Not applicable
• Additional prerequisites: Not applicable

Reporting services point
• .NET Framework version: 4.0
• WCF activation: Not applicable
• IIS role services: Not applicable
• Additional prerequisites: SQL Server Reporting Services installed and configured to use at least one instance for the reporting services point.

Software update point
• .NET Framework version: 3.51 SP1 and 4.0
• WCF activation: Not applicable
• IIS role services: the default IIS configuration
• Additional prerequisites: Windows Server Update Services (WSUS) 3.0 SP2 must be installed on this computer.

State migration point
• .NET Framework version: Not applicable
• WCF activation: Not applicable
• IIS role services: the default IIS configuration
• Additional prerequisites: Not applicable

System Health Validator point
• .NET Framework version: Not applicable
• WCF activation: Not applicable
• IIS role services: Not applicable
• Additional prerequisites: This site system role is supported only on a NAP health policy server.

1 Install the full version of the Microsoft .NET Framework before you install the site system roles. For example, see the Microsoft .NET Framework 4 (Stand-Alone Installer). The Microsoft .NET Framework 4 Client Profile is insufficient for this requirement.
2 You can configure WCF activation as part of the .NET Framework Windows feature on the site system server. For example, on Windows Server 2008 R2, run the Add Features Wizard to install additional features on the server. On the Select Features page, expand .NET Framework 3.5.1 Features, then expand WCF Activation, and then select the check box for both HTTP Activation and Non-HTTP Activation to enable these options.
3 In some scenarios, such as when IIS is installed or reconfigured after the .NET Framework version 4.0 is installed, you must explicitly enable ASP.NET version 4.0. For example, on a 64-bit computer that runs the .NET Framework version 4.0.30319, run the following command:
%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i -enable
4 You must manually install IIS on computers that run a supported version of Windows Server 2003. Additionally, to install IIS and configure the additional Windows features, the computer might require access to the Windows Server 2003 source media.
5 By default, a management point does not require the .NET Framework. However, each management point that you enable to support mobile devices does require the .NET Framework 3.5 SP1.

Minimum Hardware Requirements for Site Systems
This section identifies the minimum hardware requirements for Configuration Manager site systems. These requirements are sufficient to support all features of Configuration Manager in an environment with up to 100 clients. This information is suitable for testing environments. For guidance about the recommended hardware for Configuration Manager in full-scale production environments, see Planning for Hardware Configurations for Configuration Manager.
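The prerequisites table and footnotes 2 and 3 above describe the WCF activation and IIS role services by their Add Features Wizard names. The following PowerShell script is an added example and is not code from the Configuration Manager documentation; it installs the features listed for an Application Catalog web service point and website point hosted together on one Windows Server 2008 R2 computer, then runs the aspnet_regiis.exe command from footnote 3. It assumes the Windows Server 2008 R2 ServerManager module feature names (NET-Framework-Core, NET-HTTP-Activation, NET-Non-HTTP-Activ, Web-Asp-Net, Web-Windows-Auth, Web-Metabase and so on), that the full .NET Framework 4 installer from footnote 1 has already been applied, and the 4.0.30319 framework path from footnote 3.

```powershell
# Added example, not from the Configuration Manager documentation.
# Installs the Windows features the prerequisites table lists for an Application
# Catalog web service point plus website point on one Windows Server 2008 R2 server,
# then registers ASP.NET 4.0 with IIS as footnote 3 describes.
# Assumptions: ServerManager feature names as on Windows Server 2008 R2; the full
# .NET Framework 4 is already installed (footnote 1); run from an elevated prompt.
Import-Module ServerManager

$features = @(
    'NET-Framework-Core',     # .NET Framework 3.5.1 (the table's 3.51 SP1)
    'NET-HTTP-Activation',    # WCF activation: HTTP Activation (footnote 2)
    'NET-Non-HTTP-Activ',     # WCF activation: Non-HTTP Activation (footnote 2)
    'Web-Server',             # IIS default configuration
    'Web-Static-Content',     # Common HTTP Features: Static Content
    'Web-Default-Doc',        # Common HTTP Features: Default Document
    'Web-Asp-Net',            # Application Development: ASP.NET (dependencies are auto-selected)
    'Web-Windows-Auth',       # Security: Windows Authentication
    'Web-Metabase'            # IIS 6 Management Compatibility: IIS 6 Metabase Compatibility
)

# Install only what is missing so the script can be re-run without side effects.
$missing = @(Get-WindowsFeature $features | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Output "Installing: $(($missing | ForEach-Object { $_.Name }) -join ', ')"
    $result = Add-WindowsFeature ($missing | ForEach-Object { $_.Name })
    if (-not $result.Success) {
        throw "Feature installation failed with exit code $($result.ExitCode)"
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required before the site system role is installed.'
    }
} else {
    Write-Output 'All required features are already installed.'
}

# Footnote 3: if IIS was added after .NET 4.0, ASP.NET 4.0 must be registered explicitly.
$aspnetRegiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $aspnetRegiis)) {
    throw "aspnet_regiis.exe not found at $aspnetRegiis; install the full .NET Framework 4 first (footnote 1)."
}
& $aspnetRegiis -i -enable
if ($LASTEXITCODE -ne 0) {
    throw "aspnet_regiis.exe returned exit code $LASTEXITCODE"
}

# Show the final state so the result can be checked against the table before the role is added.
Get-WindowsFeature $features | Format-Table Name, DisplayName, Installed -AutoSize
```

For the other roles in the table, change only the feature list: a management point or distribution point with a custom IIS configuration needs Web-ISAPI-Ext, Web-Windows-Auth, Web-Metabase and Web-WMI plus the BITS and RDC Windows features, and a fallback status point needs only Web-Server and Web-Metabase. Keeping the list to exactly the role services the table names, rather than installing the whole web server role, is what keeps the IIS surface on a site system as small as the documentation allows.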
The following minimum requirements apply to all site types (central administration site, primary site, secondary site) when you install all available site system roles on the site server computer.

Processor
• Minimum: AMD Opteron, AMD Athlon 64, Intel Xeon with Intel EM64T support, Intel Pentium IV with EM64T support
• Minimum: 1.4 GHz
RAM
• Minimum: 2 GB
Free disk space
• Available: 10 GB
• Total: 50 GB

Operating System Requirements for Site Servers, Database Servers, and the SMS Provider
The following tables list the supported operating systems for System Center 2012 Configuration Manager site servers, the database server, and the SMS Provider site system role. For each operating system, support is listed for the central administration site, primary site, secondary site, site database server (1), and SMS Provider.

Windows Server 2008: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2); x64
• Central administration site: Supported
• Primary site: Supported
• Secondary site: Supported (2)
• Site database server (1): Supported (2)
• SMS Provider: Supported

Windows Server 2008 R2: Standard Edition (without service pack, or with SP1), Enterprise Edition (without service pack, or with SP1), Datacenter Edition (without service pack, or with SP1); x64
• Central administration site: Supported
• Primary site: Supported
• Secondary site: Supported (2)
• Site database server (1): Supported (2)
• SMS Provider: Supported

1 For more information about the versions of SQL Server that Configuration Manager supports, see Configurations for the SQL Server Site Database in this topic.
2 Site database servers and secondary site servers are not supported on a computer that runs Windows Server 2008 or Windows Server 2008 R2 when that computer uses a read-only domain controller (RODC).

Operating System Requirements for Typical Site System Roles
The following table specifies the operating systems that can support multi-function site system roles. For each operating system, the system architecture is listed together with support for the distribution point (3), the enrollment point and enrollment proxy point, the fallback status point, and the management point.

Windows Vista: Business Edition (SP1), Enterprise Edition (SP1), Ultimate Edition (without service pack, or with SP1); x64
• Distribution point: Supported (1, 2)
• Enrollment point and enrollment proxy point: Not supported
• Fallback status point: Not supported
• Management point: Not supported

Windows 7: Professional (without service pack, or with SP1), Enterprise Editions (without service pack, or with SP1), Ultimate Editions (without service pack, or with SP1); x86, x64
• Distribution point: Supported (1, 2)
• Enrollment point and enrollment proxy point: Not supported
• Fallback status point: Not supported
• Management point: Not supported

Windows Server 2003 R2: Standard Edition, Enterprise Edition; x86, x64
• Distribution point: Supported (2)
• Enrollment point and enrollment proxy point: Not supported
• Fallback status point: Not supported
• Management point: Not supported

Windows Server 2003: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2); x86, x64
• Distribution point: Supported (2)
• Enrollment point and enrollment proxy point: Not supported
• Fallback status point: Not supported
• Management point: Not supported

Windows Server 2003: Web Edition (SP2), Storage Server Edition (SP2); x86
• Distribution point: Supported (2)
• Enrollment point and enrollment proxy point: Not supported
• Fallback status point: Not supported
• Management point: Not supported

Windows Server 2008: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2); x64
• Distribution point: Supported (2)
• Enrollment point and enrollment proxy point: Supported
• Fallback status point: Supported
• Management point: Supported

Windows Server 2008 R2: Standard Edition (without service pack, or with SP1), Enterprise Edition (without service pack, or with SP1), Datacenter Edition (SP1); x64
• Distribution point: Supported
• Enrollment point and enrollment proxy point: Supported
• Fallback status point: Supported
• Management point: Supported
  • 103. 103 1 Distribution points on this operating system are not supported for PXE. 2 Distribution points on this operating system version do not support Multicast. 3 Unlike other site system roles, distribution points are supported on some 32-bit operating systems. Distribution points also support several different configurations that each have different requirements and in some cases support installation not only on servers, but on client operating systems. For more information about the options available for distribution points, see Prerequisites for Content Management in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Operating System Requirements for Function-Specific Site System Roles The following table specifies the operating systems that are supported for use with each feature- specific Configuration Manager site system role. Operating system System architect ure Applicat ion Catalog webserv ice point and Applicat ion Catalog website point Asset Intelligence synchroniz ation point Endpoi nt Protect ion point Out of band servi ce point Reporti ng service s point Softw are updat e point State migrati on point Syste m Health Valida tor point Windows Server 200 8   Sta ndard Edition (SP2)   Ent erprise Edition (SP2)   Dat acenter Edition (SP2) x64 √ √ √ √ √ √ √ √
  • 104. 104 Operating system System architect ure Applicat ion Catalog webserv ice point and Applicat ion Catalog website point Asset Intelligence synchroniz ation point Endpoi nt Protect ion point Out of band servi ce point Reporti ng service s point Softw are updat e point State migrati on point Syste m Health Valida tor point Windows Server 200 8 R2   Sta ndard Edition (withou t service pack, or with SP1)   Ent erprise Edition( without service pack, or with SP1)   Dat acenter Edition (SP1) x64 √ √ √ √ √ √ √ √ Computer Client Requirements The following sections describe the operating systems and hardware supported for System Center 2012 Configuration Manager computer client installation. Ensure that you also
  • 105. 105 review Prerequisites for Client Deployment in Configuration Manager for a list of dependencies for the installation of the Configuration Manager client on computers and mobile devices. Computer Client Hardware Requirements The following are minimum requirements for computers that you manage with Configuration Manager. Requirement Details Processor and memory Refer to the processor and RAM requirements for the computers operating system. Note An exception to this is Windows XP and Windows 2003 which both require a minimum of 256 MB of RAM. Disk space 500 MB available disk space, with 5 GB recommended for the Configuration Manager client cache. The following are additional hardware requirements for optional functionality in Configuration Manager. Function Minimum hardware requirements Operating system deployment 384 MB of RAM Software Center 500 MHz processor Remote Control Pentium 4 Hyper-Threaded 3 GHz (single core) or comparable CPU, with at least an 1 GB RAM for optimal experience. Out of Band Management Desktop or laptop computers must have the Intel vPro Technology or Intel Centrino Pro and a supported version of Intel AMT. Operating System Requirements for Configuration Manager Client Installation The following table specifies the operating systems supported for Configuration Manager client installation. For server platforms, client support is independent of any other service that runs on that server unless noted otherwise. For example, the client is supported on domain controllers and servers that run cluster services or terminal services.
Operating system | System architecture | System Center 2012 Configuration Manager
Windows XP Professional (SP3) | x86 | √
Windows XP Professional for 64-bit Systems (SP2) | x64 | √
Windows XP Tablet PC (SP3) | x86 | √
Windows Vista: Business Edition (SP2), Enterprise Edition (SP2), Ultimate Edition (SP2) | x86, x64 | √
Windows 7: Professional, Enterprise, Ultimate (each without service pack, or with SP1) | x86, x64 | √
Windows Server 2003 Web Edition (SP2) | x86 | √
Windows Server 2003: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) (1) | x86, x64 | √
Windows Server 2003 R2 SP2: Standard Edition, Enterprise Edition, Datacenter Edition (1) | x86, x64 | √
Windows Storage Server 2003 R2 SP2 | x86, x64 | √
Windows Server 2008: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) (1) | x86, x64 | √
The Server Core installation of Windows Server 2008 (SP2) | x86, x64 | √
Windows Storage Server 2008 R2: Standard, Enterprise | x64 | √
Windows Server 2008 R2: Standard Edition, Enterprise Edition, Datacenter Edition (1) (each without service pack, or with SP1) | x64 | √
The Server Core installation of Windows Server 2008 R2 (without service pack, or with SP1) | x64 | √
Windows Server 2008 R2 SP2: Standard Edition, Enterprise Edition, Datacenter Edition (1) | x64 | √

1 Datacenter releases are supported but not certified for System Center 2012 Configuration Manager. Hotfix support is not offered for issues specific to Windows Server Datacenter Edition.

Embedded Operating System Requirements for Configuration Manager Clients
System Center 2012 Configuration Manager supports clients for integration with Windows Embedded.
Support limitations for Windows Embedded:
• All client features are supported natively on supported Windows Embedded systems that do not have write filters enabled. For Windows Embedded systems that do have write filters enabled, the client features must be accomplished through the use of task sequences.
• The Application Catalog is not supported for any Windows Embedded system.
• Endpoint Protection in System Center 2012 Configuration Manager is not supported with versions of Windows Embedded that are based on Windows XP.
Configuration Manager supports the following Windows Embedded versions.

Windows Embedded operating system | Base operating system | System architecture
Windows Embedded Standard 2009 | Windows XP SP3 | x86
Windows XP Embedded SP3 | Windows XP SP3 | x86
Windows Fundamentals for Legacy PCs (WinFLP) | Windows XP SP3 | x86
Windows Embedded POSReady 2009 | Windows XP SP3 | x86
WEPOS 1.1 with SP3 | Windows XP SP3 | x86
Windows Embedded Standard 7 with SP1 | Windows 7 | x86, x64
Windows Embedded POSReady 7 | Windows 7 | x86, x64
Windows Thin PC | Windows 7 | x86, x64

Mobile Device Requirements
The following sections describe the hardware and operating systems that are supported for managing mobile devices in System Center 2012 Configuration Manager.
The following mobile device clients are not supported in the Configuration Manager hierarchy:
• Device management clients from Systems Management Server 2003 and Configuration Manager 2007
• Windows CE Platform Builder device management client (any version)
• System Center Mobile Device Manager VPN connection

Mobile Devices Enrolled By Configuration Manager
The following sections describe the hardware and operating systems that are supported for the mobile devices enrolled by System Center 2012 Configuration Manager.

Enrolled Mobile Device Client Language and Operating System Requirements
The following table lists the platforms and languages that support Configuration Manager enrollment.

Operating system | Supported languages
Windows Mobile 6.1 | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Windows Mobile 6.5 | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Nokia Symbian Belle | Arabic, Basque (Basque), Bulgarian, Catalan, Chinese (Hong Kong SAR), Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, English (UK), English (US), Estonian, Farsi, Finnish, French (Canada), French (France), Galician, German, Greek, Hebrew, Hungarian, Icelandic, Indonesian, Italian, Kazakh, Korean, Latvian, Lithuanian, Malay, Norwegian, Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian (Latin/Cyrillic), Slovak, Slovenian, Spanish (Latin America), Spanish (Spain), Swedish, Tagalog (Filipino), Thai, Turkish, Ukrainian, Urdu, Vietnamese

Mobile Device Support by Using the Exchange Server Connector
System Center 2012 Configuration Manager offers limited management for mobile devices when you use the Exchange Server connector for Exchange ActiveSync (EAS) capable devices that connect to a server running Exchange Server. For more information about which management functions Configuration Manager supports for mobile devices that the Exchange Server connector manages, see Determine How to Manage Mobile Devices in Configuration Manager.
The following table lists the platforms that support the Exchange Server connector.

Version of Exchange Server | Supported
Exchange Server 2010 SP1 | √
Exchange Online (Office 365) (1) | √

1 Includes Business Productivity Online Standard Suite.

Mobile Device Legacy Client
The following sections list the hardware and operating systems that are supported for the mobile device legacy client in System Center 2012 Configuration Manager.

Mobile Device Legacy Client Hardware Requirements
The mobile device client requires 0.78 MB of storage space to install. In addition, logging on the mobile device can require up to 256 KB of storage space.

Mobile Device Legacy Client Operating System Requirements
System Center 2012 Configuration Manager supports management for Windows Phone, Windows Mobile, and Windows CE when you install the Configuration Manager mobile device legacy client. Features for these mobile devices vary by platform and client type. For more information about which management functions Configuration Manager supports for the mobile device legacy client, see Determine How to Manage Mobile Devices in Configuration Manager.
The mobile device legacy client is supported on the following mobile device platforms and languages:

Operating system | Supported languages
Windows CE 5.0 (ARM and x86 processors) | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Windows CE 6.0 (ARM and x86 processors) | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Windows CE 7.0 (ARM and x86 processors) | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Windows Mobile 6.0 | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Configuration Manager Console Requirements
The Configuration Manager console is supported on the operating systems that are listed in the following table. Each computer that installs the Configuration Manager console requires the Microsoft .NET Framework 4.

Operating system | System architecture | System Center 2012 Configuration Manager
Windows XP Professional (SP3) | x86 | √
Windows Vista: Business Edition (SP2), Enterprise Edition (SP2), Ultimate Edition (SP2) | x86, x64 | √
Windows Server 2008: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) | x86, x64 | √
Windows 7: Professional Edition, Enterprise Edition, Ultimate Edition (each without service pack, or with SP1) | x86, x64 | √
Windows Server 2008 R2: Standard Edition, Enterprise Edition, Datacenter Edition (each without service pack, or with SP1) | x64 | √

It is supported to install the System Center 2012 Configuration Manager console on the same computer as the Configuration Manager 2007 console. However, you cannot use the System Center 2012 Configuration Manager console to manage Configuration Manager 2007 sites, and vice versa.

The requirements in the following table apply to each computer that runs the Configuration Manager console.

Minimum hardware configuration:
• 1 x Pentium 4 Hyper-Threaded 3 GHz (Intel Pentium 4 HT 630 or comparable CPU)
• 2 GB of RAM
• 2 GB of disk space

Screen resolution:
DPI setting | Minimum resolution
96 / 100% | 1024x768
120 / 125% | 1280x960
144 / 150% | 1600x1200
196 / 200% | 2500x1600

Supported Upgrade Paths
The following sections identify the upgrade options for System Center 2012 Configuration Manager, the operating system version of site servers and clients, and the SQL Server version of database servers.

Site Upgrade
System Center 2012 Configuration Manager is available in the following releases:
• An evaluation release, which expires 180 days after installation.
• A complete release, to perform a new installation.
You can install System Center 2012 Configuration Manager as either a full installation or as a trial installation. If you install Configuration Manager as a trial installation, after 180 days you can only connect a read-only Configuration Manager console, and Configuration Manager functionality is limited. At any time before or after the 180-day period, you have the option to upgrade the trial installation to a full installation.
System Center 2012 Configuration Manager supports migration of your Configuration Manager 2007 infrastructure but does not support an in-place upgrade of sites from Configuration Manager 2007. However, migration supports the upgrade of a Configuration Manager 2007 distribution point, or a secondary site that is co-located with a distribution point, to a System Center 2012 Configuration Manager distribution point. For more information about migrating to System Center 2012 Configuration Manager from Configuration Manager 2007, see Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager.

Upgrade of the Site Server Operating System
Configuration Manager supports an in-place upgrade of the operating system of the site server in the following situations:
• In-place upgrade to a higher Windows Server service pack, so long as the resulting service pack level remains supported by Configuration Manager.
Configuration Manager does not support the following Windows Server upgrade scenarios:
• Any version of Windows Server 2008 to any version of Windows Server 2008 R2.
When a direct operating system upgrade is not supported, perform one of the following procedures after you have installed the new operating system:
• Install System Center 2012 Configuration Manager with the service pack level that you want, and configure the site according to your requirements.
• Install System Center 2012 Configuration Manager with the service pack level that you want and perform a site recovery. This scenario requires that you have a site backup that was created by using the Backup Site Server maintenance task on the original Configuration Manager site, and that you use the same installation settings for the new System Center 2012 Configuration Manager site.

Client Operating System Upgrade
Configuration Manager supports an in-place upgrade of the operating system for Configuration Manager clients in the following situations:
• In-place upgrade to a higher Windows service pack, so long as the resulting service pack level remains supported by Configuration Manager.

Site Database Server Upgrade Considerations
Configuration Manager supports an in-place upgrade of SQL Server on the site database server in the following situations:
• In-place upgrade of SQL Server to a higher service pack, so long as the resulting SQL Server service pack level remains supported by Configuration Manager.
To upgrade SQL Server on the site database server:
1. Stop all Configuration Manager services at the site.
2. Upgrade SQL Server to a supported version.
3. Restart the Configuration Manager services.

Configurations for the SQL Server Site Database
Each System Center 2012 Configuration Manager site database can be installed on either the default instance or a named instance of a SQL Server installation. The SQL Server instance can be co-located with the site system server, or on a remote computer.
When you use a remote SQL Server computer, the instance of SQL Server used to host the site database can also be configured as a SQL Server failover cluster in an active/passive cluster, or in a multiple instance configuration. The site database site system role is the only System Center 2012 Configuration Manager site system role supported on an instance of a Windows Server cluster. If you use a SQL Server cluster for the site database, you must add the computer account of the site server to the Local Administrators group of each Windows Server cluster node computer.
SQL Server database mirroring is not supported for the Configuration Manager site database.
When you install a secondary site, you can use an existing instance of SQL Server or allow Setup to install and use an instance of SQL Server 2008 Express. Whichever option you choose, SQL Server must be located on the secondary site server.
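The rest of this section lists the SQL Server versions and instance settings a site database depends on (supported version, SQL_Latin1_General_CP1_CI_AS collation, Windows authentication, a dedicated instance per site, minimum server memory, a static rather than dynamic database-engine TCP port, the Service Broker port, and a correctly registered SPN for the SQL Server service account). The following PowerShell script is an added example, not part of the Configuration Manager documentation, that reads those settings from a prospective site database instance and reports which ones meet the requirements. It assumes Invoke-Sqlcmd (SqlServer or SQLPS module, or the SQL Server 2008 snap-in), setspn.exe, sysadmin rights on the instance, and WMI plus remote registry access to the SQL Server host; the host and instance names are placeholders.

```powershell
# Added example; not part of the Configuration Manager documentation.
# Verifies a site database instance against the SQL Server requirements in
# this topic: supported version, collation, Windows authentication, one site
# database per instance, min/max server memory, static database-engine TCP
# port, Service Broker endpoint, and the MSSQLSvc SPN of the service account.
# Assumptions: Invoke-Sqlcmd and setspn.exe available; sysadmin on the
# instance; WMI and remote registry reachable on the SQL host; names below
# are placeholders.
param(
    [string]$Server   = 'sql01.contoso.com',  # hypothetical site database host
    [string]$Instance = 'MSSQLSERVER',        # default instance; e.g. 'CM12' for a named instance
    [int]$MinMemoryMB = 8192,                 # 8 GB for a CAS or primary site, 4 GB for a secondary site
    [double]$MaxMemoryShare = 0.9             # 0.8-0.9 for dedicated SQL Server, 0.5-0.8 when co-located
)
if (-not (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue)) {
    if (Get-Module -ListAvailable -Name SqlServer) { Import-Module SqlServer }
    elseif (Get-Module -ListAvailable -Name SQLPS) { Import-Module SQLPS -DisableNameChecking }
    else { Add-PSSnapin SqlServerCmdletSnapin100 }   # SQL Server 2008 / 2008 R2 tools
}
$target = if ($Instance -eq 'MSSQLSERVER') { $Server } else { "$Server\$Instance" }

# Instance-level facts in one round trip. Site databases are named CM_<SiteCode>.
$query = @"
SELECT CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion')) AS ProductVersion,
       CONVERT(nvarchar(128), SERVERPROPERTY('ProductLevel'))   AS ProductLevel,
       CONVERT(nvarchar(128), SERVERPROPERTY('Edition'))        AS Edition,
       CONVERT(nvarchar(128), SERVERPROPERTY('Collation'))      AS Collation,
       CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly')) AS WindowsAuthOnly,
       (SELECT CONVERT(int, value_in_use) FROM sys.configurations WHERE name = 'min server memory (MB)') AS MinMemMB,
       (SELECT CONVERT(int, value_in_use) FROM sys.configurations WHERE name = 'max server memory (MB)') AS MaxMemMB,
       (SELECT COUNT(*) FROM sys.databases WHERE name LIKE 'CM[_]%')                                   AS SiteDatabases,
       (SELECT TOP 1 port FROM sys.tcp_endpoints WHERE type_desc = 'SERVICE_BROKER')                  AS BrokerPort
"@
$row = Invoke-Sqlcmd -ServerInstance $target -Query $query

# Physical memory on the SQL host, for the max-memory percentage rule
$cs     = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $Server
$physMB = [int]($cs.TotalPhysicalMemory / 1MB)

# Static vs. dynamic TCP port from the instance's TCP/IP protocol settings (IPAll)
$hklm   = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
$instId = $hklm.OpenSubKey('SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').GetValue($Instance)
$ipAll  = $hklm.OpenSubKey("SOFTWARE\Microsoft\Microsoft SQL Server\$instId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll")
$staticPort  = [string]$ipAll.GetValue('TcpPort')
$dynamicPort = [string]$ipAll.GetValue('TcpDynamicPorts')

# Service account and the MSSQLSvc SPN it must hold (LocalSystem => SPN lives on the computer account)
$svcName  = if ($Instance -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { 'MSSQL$' + $Instance }
$svc      = Get-WmiObject -Class Win32_Service -ComputerName $Server -Filter "Name='$svcName'"
$spnOwner = if ($svc.StartName -eq 'LocalSystem') { $Server.Split('.')[0] + '$' } else { $svc.StartName }
$expectedSpn = "MSSQLSvc/${Server}:${staticPort}"
$spnList = & setspn.exe -L $spnOwner 2>&1 | ForEach-Object { $_.ToString().Trim() }

$checks = @(
    @{ Check = 'SQL Server 2008 / 2008 R2 (version 10.x)'; Pass = ($row.ProductVersion -like '10.*')
       Detail = "$($row.ProductVersion) $($row.ProductLevel) $($row.Edition); compare the build with the minimum CU in the table" },
    @{ Check = 'Collation SQL_Latin1_General_CP1_CI_AS'; Pass = ($row.Collation -eq 'SQL_Latin1_General_CP1_CI_AS'); Detail = $row.Collation },
    @{ Check = 'Windows authentication only';            Pass = ($row.WindowsAuthOnly -eq 1);  Detail = "IsIntegratedSecurityOnly=$($row.WindowsAuthOnly)" },
    @{ Check = 'Dedicated instance (<= 1 site database)'; Pass = ($row.SiteDatabases -le 1);   Detail = "$($row.SiteDatabases) CM_* database(s)" },
    @{ Check = "Min server memory >= $MinMemoryMB MB";    Pass = ($row.MinMemMB -ge $MinMemoryMB); Detail = "min server memory = $($row.MinMemMB) MB" },
    @{ Check = "Max server memory <= $([int]($MaxMemoryShare * 100))% of RAM"; Pass = ($row.MaxMemMB -le ($physMB * $MaxMemoryShare))
       Detail = "max server memory = $($row.MaxMemMB) MB of $physMB MB physical" },
    @{ Check = 'Static database engine TCP port';         Pass = ($staticPort -ne '' -and $dynamicPort -eq ''); Detail = "TcpPort='$staticPort' TcpDynamicPorts='$dynamicPort'" },
    @{ Check = 'Service Broker endpoint (default 4022)';  Pass = ($row.BrokerPort -isnot [DBNull]); Detail = "port $($row.BrokerPort); created by Setup, absent before the site exists" },
    @{ Check = "SPN $expectedSpn on $spnOwner";           Pass = ($spnList -contains $expectedSpn); Detail = "service account: $($svc.StartName)" }
)
$checks | ForEach-Object { New-Object PSObject -Property $_ } | Format-Table Check, Pass, Detail -AutoSize
```

The version check only confirms SQL Server 2008 or 2008 R2; the cumulative update build numbers are not listed in this topic, so the script prints the build for manual comparison rather than encoding a threshold. A fresh instance fails the max-memory check by design, because the default of 2147483647 MB violates the percentage guidance, and the Service Broker check is expected to fail until Setup has created the endpoint.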
The following table lists the SQL Server versions that are supported by System Center 2012 Configuration Manager.

SQL Server version | Central administration site | Primary site | Secondary site
SQL Server 2008 SP2 with a minimum of Cumulative Update 9: Standard (1), Enterprise, Datacenter | √ | √ | √
SQL Server 2008 SP3 with a minimum of Cumulative Update 4: Standard (1), Enterprise, Datacenter | √ | √ | √
SQL Server 2008 R2 with SP1 and with a minimum of Cumulative Update 6: Standard (1), Enterprise, Datacenter | √ | √ | √
SQL Server Express 2008 R2 with SP1 and with a minimum of Cumulative Update 4 | Not supported | Not supported | √

1 When you use SQL Server Standard for the database at the central administration site, the hierarchy can only support up to 50,000 clients. For more information, see Site and Site System Role Scalability.

SQL Server Requirements
The following are required configurations for each database server with a full SQL Server installation, and on each SQL Server Express installation that you manually configure for secondary sites. You do not have to configure SQL Server Express for a secondary site if SQL Server Express is installed by Configuration Manager.

Configuration | More information
Database collation | The instance of SQL Server in use at each site must use the following collation: SQL_Latin1_General_CP1_CI_AS.
SQL Server features | Only the Database Engine Services feature is required for each site server. Note: Configuration Manager database replication does not require the SQL Server replication feature.
Windows Authentication | Configuration Manager requires Windows authentication to validate connections to the database.
SQL Server instance | You must use a dedicated instance of SQL Server for each site.
SQL Server memory | When you use a database server that is co-located with the site server, limit the memory for SQL Server to 50 to 80 percent of the available addressable system memory. When you use a dedicated SQL Server, limit the memory for SQL Server to 80 to 90 percent of the available addressable system memory. Configuration Manager requires SQL Server to reserve a minimum of 8 gigabytes (GB) of memory in the buffer pool used by an instance of SQL Server for the central administration site and primary site, and a minimum of 4 gigabytes (GB) for the secondary site. This memory is reserved by using the Minimum server memory setting under Server Memory Options and is configured by using SQL Server Management Studio. For more information about how to set a fixed amount of memory, see How to: Set a Fixed Amount of Memory (SQL Server Management Studio).

Optional SQL Server Configurations
The following configurations either support multiple choices or are optional on each database server with a full SQL Server installation.

Configuration | More information
SQL Server service | You can configure the SQL Server service on each database server to run by using a domain local account or the local system account of the computer running SQL Server.
• Use a domain user account as a SQL Server best practice. This type of account can be more secure than the local system account but might require you to manually register the Service Principal Name (SPN) for the account.
• Use the local system account of the computer running SQL Server to simplify the configuration process. When you use the local system account, Configuration Manager automatically registers the SPN for the SQL Server service. Using the local system account for the SQL Server service is not a SQL Server best practice.
For information about SQL Server best practices, see the product documentation for the version of Microsoft SQL Server that you are using. For information about SPN configurations for Configuration Manager, see How to Manage the SPN for SQL Server Site Database Servers. For information about how to change the account in use by the SQL Server service, see How to: Change the Service Startup Account for SQL Server (SQL Server Configuration Manager).
SQL Server Reporting Services | Required to install a reporting services point that allows you to run reports.
SQL Server ports | For communication to the SQL Server database engine, and for intersite replication, you can use the default SQL Server port configurations or specify custom ports:
• Intersite communications use the SQL Server Service Broker, which by default uses port TCP 4022.
• Intrasite communication between the SQL Server database engine and various Configuration Manager site system roles by default uses port TCP 1433.
The following site system roles communicate directly with the SQL Server database:
• Management point
• SMS Provider computer
• Reporting Services point
• Site server
When a SQL Server hosts a database from more than one site, each database must use a separate instance of SQL Server, and each instance must be configured with a unique set of ports.
Warning: Configuration Manager does not support dynamic ports. Because SQL Server named instances by default use dynamic ports for connections to the database engine, when you use a named instance, you must manually configure the static port that you want to use for intrasite communication.
If you have a firewall enabled on the computer running SQL Server, ensure that it is configured to allow the ports in use by your deployment, and at any locations on the network between computers that communicate with the SQL Server. For an example of how to configure SQL Server to use a specific port, see How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager) in the SQL Server TechNet library.

Function-Specific Requirements
The following sections identify function-specific requirements for Configuration Manager.

Application Management
For devices that run the Windows Mobile operating system, Configuration Manager only supports the Uninstall action for applications on Windows Mobile 6.1.4 or later.

Out of Band Management
System Center 2012 Configuration Manager supports out of band management for computers that have the following Intel vPro chip sets and Intel Active Management Technology (Intel AMT) firmware versions:
• Intel AMT version 3.2 with a minimum revision of 3.2.1
• Intel AMT version 4.0, version 4.1, and version 4.2
• Intel AMT version 5.0, and version 5.2 with a minimum revision of 5.2.10
• Intel AMT version 6.0, and version 6.1
The following limitations apply:
• AMT provisioning is not supported on AMT-based computers that are running any version of Windows Server, Windows XP with SP2, or Windows XP Tablet PC Edition.
• Out of band communication is not supported to an AMT-based computer that is running the Routing and Remote Access service in the client operating system. This service runs when Internet Connection Sharing is enabled, and the service might be enabled by line of business applications.
• The out of band management console is not supported on workstations running Windows XP on versions earlier than Service Pack 3.
For more information about out of band management in Configuration Manager, see Introduction to Out of Band Management in Configuration Manager.

Remote Control Viewer
The Configuration Manager remote control viewer is not supported on Windows Server 2003 or Windows Server 2008 operating systems.

Support for Active Directory Domains
All System Center 2012 Configuration Manager site systems must be members of a Windows Active Directory domain with a domain functional level of Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. This requirement includes site systems that support Internet-based client management in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet).
Note: If you configure discovery to filter and remove stale computer records, the Active Directory domain functional level must be a minimum of Windows Server 2003.
Configuration Manager client computers can be domain members or workgroup members.
The following are limitations for site systems:
• It is not supported to change the domain membership, rename the domain, or change the computer name of a Configuration Manager site system after it is installed.
The following sections contain additional information about domain structures and requirements for Configuration Manager.

Active Directory Schema Extensions
Configuration Manager Active Directory schema extensions provide benefits for Configuration Manager sites, but they are not required for all Configuration Manager functions. For more information about Active Directory schema extension considerations, see Determine Whether to Extend the Active Directory Schema for Configuration Manager.
Note: If you have extended your Active Directory schema for Configuration Manager 2007, you do not have to update your schema for System Center 2012 Configuration Manager.
You can update the Active Directory schema before or after you install Configuration Manager. Schema updates do not interfere with existing Configuration Manager 2007 sites or clients. For more information about how to extend the Active Directory schema for System Center 2012 Configuration Manager, see the Prepare Active Directory for Configuration Manager section in the Prepare the Windows Environment for Configuration Manager topic.

Disjoint Namespaces
With the exception of out of band management, Configuration Manager supports installing site systems and clients in a domain that has a disjoint namespace. For more information about namespace limitations for when you manage AMT-based computers out of band, see Prerequisites for Out of Band Management in Configuration Manager.
A disjoint namespace scenario is one in which the primary Domain Name System (DNS) suffix of a computer does not match the Active Directory DNS domain name where that computer resides. The computer with the primary DNS suffix that does not match is said to be disjoint. Another disjoint namespace scenario occurs if the NetBIOS domain name of a domain controller does not match the Active Directory DNS domain name.
The following table identifies the supported scenarios for a disjoint namespace.

Scenario | More information
Scenario 1: The primary DNS suffix of the domain controller is not the same as the Active Directory DNS domain name. Computers that are members of the domain can be either disjoint or not disjoint. | In this scenario, the primary DNS suffix of the domain controller is not the same as the Active Directory DNS domain name. The domain controller is disjoint in this scenario. Computers that are members of the domain, including site servers and client computers, can have a primary DNS suffix that either matches the primary DNS suffix of the domain controller or matches the Active Directory DNS domain name.
Scenario 2: A member computer in an Active Directory domain is disjoint, even though the domain controller is not disjoint. | In this scenario, the primary DNS suffix of a member computer on which a site system is installed is not the same as the Active Directory DNS domain name, even though the primary DNS suffix of the domain controller is the same as the Active Directory DNS domain name. In this scenario, you have a domain controller that is not disjoint and a member computer that is disjoint. Note: Member computers that are running the Configuration Manager client can have a primary DNS suffix that either matches the primary DNS suffix of the disjoint site system server or matches the Active Directory DNS domain name.

To allow a computer to access domain controllers that are disjoint, you must modify the msDS-AllowedDNSSuffixes Active Directory attribute on the domain object container. You must add both of the DNS suffixes to the attribute.
In addition, to ensure that the DNS suffix search list contains all DNS namespaces that are deployed within the organization, you must configure the search list for each computer in the domain that is disjoint. Include in the list of namespaces the primary DNS suffix of the domain controller, the DNS domain name, and any additional namespaces for other servers with which Configuration Manager might interoperate. You can use the Group Policy Management console to configure the Domain Name System (DNS) suffix search list.
When you reference a computer in Configuration Manager, enter the computer by using its primary DNS suffix. This suffix should match the fully qualified domain name registered as the dnsHostName attribute in the Active Directory domain and the Service Principal Name associated with the system.

Single Label Domains
With the exception of out of band management, Configuration Manager supports site systems and clients in a single label domain when the following criteria are met:
• The single label domain in Active Directory Domain Services must be configured with a disjoint DNS namespace that has a valid top level domain. For example: the single label domain of Contoso is configured with a disjoint namespace in DNS of contoso.com. Therefore, when you specify the DNS suffix in Configuration Manager for a computer in the Contoso domain, you specify Contoso.com and not Contoso.
• DCOM connections between site servers in the system context must be successful using Kerberos authentication.
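The disjoint namespace and single label domain requirements above come down to a few concrete settings: both DNS suffixes in msDS-AllowedDNSSuffixes on the domain object, a suffix search list that contains every namespace in use, and a site system whose primary DNS suffix, dnsHostName attribute and HOST service principal name all name the same FQDN, which is what Kerberos authentication for DCOM between site servers in the system context depends on. The following PowerShell script is an added example, not part of the Configuration Manager documentation; it applies the attribute change and then verifies one site system. It assumes the Active Directory PowerShell module, rights to modify the domain object, and remote registry access to the site system; the suffix and computer name are placeholders.

```powershell
# Added example; not part of the Configuration Manager documentation.
# 1. Adds the AD DNS domain name and the disjoint primary DNS suffix to
#    msDS-AllowedDNSSuffixes on the domain object.
# 2. Reads the site system's primary DNS suffix and DNS suffix search list.
# 3. Checks that <computer>.<primary suffix> equals dnsHostName, that a HOST/
#    SPN exists for it, that it resolves, and that the search list has both
#    suffixes, i.e. the Kerberos preconditions called out in this section.
# Assumptions: ActiveDirectory module, rights on the domain object, remote
# registry access to the site system; names below are placeholders.
param(
    [string]$DisjointSuffix = 'corp.contoso.com',   # hypothetical primary DNS suffix of the site system
    [string]$SiteSystem     = 'CMPRI01'             # hypothetical site system computer name
)
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$adDnsName = $domain.DNSRoot

# 1. Both suffixes must be present in msDS-AllowedDNSSuffixes on the domain object
$domainObj = Get-ADObject -Identity $domainDN -Properties 'msDS-AllowedDNSSuffixes'
$allowed   = @($domainObj.'msDS-AllowedDNSSuffixes')
foreach ($suffix in @($adDnsName, $DisjointSuffix)) {
    if ($allowed -notcontains $suffix) {
        Set-ADObject -Identity $domainDN -Add @{ 'msDS-AllowedDNSSuffixes' = $suffix }
        Write-Host "Added '$suffix' to msDS-AllowedDNSSuffixes on $domainDN"
    }
}

# 2. Primary DNS suffix and suffix search list as configured on the site system.
#    The Group Policy value (DNSClient\SearchList) wins over the local Tcpip value.
$computer = Get-ADComputer -Identity $SiteSystem -Properties DNSHostName, ServicePrincipalNames
$hklm   = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer.DNSHostName)
$tcpip  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Tcpip\Parameters')
$policy = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows NT\DNSClient')
$primarySuffix = [string]$tcpip.GetValue('Domain')
$searchList = $null
if ($policy) { $searchList = [string]$policy.GetValue('SearchList') }
if (-not $searchList) { $searchList = [string]$tcpip.GetValue('SearchList') }
$searchSuffixes = @()
if ($searchList) { $searchSuffixes = $searchList.Split(',') | ForEach-Object { $_.Trim() } }

# 3. Name consistency: primary suffix -> FQDN -> dnsHostName -> HOST SPN -> DNS
$expectedFqdn = "${SiteSystem}.${primarySuffix}"
$resolves = $false
try { $null = [System.Net.Dns]::GetHostAddresses($expectedFqdn); $resolves = $true } catch { }

$checks = @(
    @{ Check = 'Primary DNS suffix is the disjoint suffix'; Pass = ($primarySuffix -eq $DisjointSuffix); Detail = $primarySuffix },
    @{ Check = 'dnsHostName matches <name>.<primary suffix>'; Pass = ($computer.DNSHostName -eq $expectedFqdn); Detail = $computer.DNSHostName },
    @{ Check = 'HOST SPN registered for the FQDN'; Pass = ($computer.ServicePrincipalNames -contains "HOST/$expectedFqdn")
       Detail = ($computer.ServicePrincipalNames -join ' ') },
    @{ Check = 'FQDN resolves in DNS'; Pass = $resolves; Detail = $expectedFqdn },
    @{ Check = 'Search list contains both suffixes'
       Pass = ($searchSuffixes -contains $adDnsName -and $searchSuffixes -contains $DisjointSuffix)
       Detail = ($searchSuffixes -join ',') }
)
$checks | ForEach-Object { New-Object PSObject -Property $_ } | Format-Table Check, Pass, Detail -AutoSize
```

Run it once per disjoint site system; the search list itself is still set through Group Policy as the section describes, the script only reports whether the resulting value reached the computer. A failing dnsHostName or SPN check is the usual cause of Kerberos falling back to NTLM, which breaks the system-context DCOM requirement listed under Single Label Domains.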
For more information about namespace limitations for when you manage AMT-based computers out of band, see Prerequisites for Out of Band Management in Configuration Manager.

Windows Environment

The following sections contain general support configuration information for System Center 2012 Configuration Manager.
Support for Internet Protocol Version 6

Configuration Manager supports Internet Protocol version 6 (IPv6) in addition to Internet Protocol version 4 (IPv4). The following table lists the exceptions.

Function                  Exception to IPv6 support
Network Discovery         IPv4 is required when you configure a DHCP server to search in Network Discovery.
Out of band management    IPv4 is required to support out of band management.
Windows CE                IPv4 is required to support the Configuration Manager client on Windows CE devices.

Support for Specialized Storage Technology

Configuration Manager works with any hardware that is certified on the Windows Hardware Compatibility List (HCL) for the version of the operating system that the Configuration Manager component is installed on. Site server roles require NTFS file systems so that directory and file permissions can be set. Because Configuration Manager assumes it has complete ownership of a logical drive, site systems that run on separate computers cannot share a logical partition on any storage technology, but each computer can use a separate logical partition on the same physical partition of a shared storage device.

Support considerations for the listed storage technologies:
• Storage Area Network: A Storage Area Network (SAN) is supported when a supported Windows-based server is attached directly to the volume that is hosted by the SAN.
• Single Instance Storage: It is not supported to configure distribution point package and signature folders on a Single Instance Storage (SIS)-enabled volume. Additionally, the Configuration Manager client cache is not supported on a SIS-enabled volume. Single Instance Storage (SIS) is a feature of the Windows Storage Server 2003 R2 operating system.
• Removable Disk Drive: It is not supported to install Configuration Manager site systems or clients on a removable disk drive.

Support for Computers in Workgroups

System Center 2012 Configuration Manager provides support for clients in workgroups.
It is also supported for a client to be moved from a workgroup to a domain or from a domain to a workgroup. For more information, see How to Install Configuration Manager Clients on Workgroup Computers.

Note: All System Center 2012 Configuration Manager site systems must be members of a supported Active Directory domain. This requirement includes site systems that support Internet-based client management in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet).

Support for Virtualization Environments

Configuration Manager supports client installation and all site server roles in the following virtualization environments:
• Windows Server 2008
• Microsoft Hyper-V Server 2008
• Windows Server 2008 R2
• Microsoft Hyper-V Server 2008 R2

Each virtual computer you use must meet or exceed the same hardware and software configuration you would use for a physical Configuration Manager computer. You can validate that your virtualization environment is supported for Configuration Manager by using the Server Virtualization Validation Program (SVVP) and its online Virtualization Program Support Policy Wizard. For more information about the Server Virtualization Validation Program (SVVP), see Windows Server Virtualization Validation Program.

Configuration Manager does not support Virtual PC or Virtual Server guest operating systems running on Macintosh.

Configuration Manager cannot manage virtual machines unless they are running. An offline virtual machine image cannot be updated, nor can inventory be collected by using the Configuration Manager client on the host computer. No special consideration is given to virtual machines. For example, Configuration Manager might not determine that an update has to be re-applied to a virtual machine image if it is stopped and restarted without saving the state of the virtual machine to which the update was applied.

Support for Network Address Translation

Network Address Translation (NAT) is not supported in Configuration Manager, unless the site supports clients that are on the Internet and the client detects that it is on the Internet.
For more information about Internet-based client management, see the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic.

DirectAccess Feature Support

Configuration Manager supports the DirectAccess feature in Windows Server 2008 R2 for communication between site system servers and clients. When all the requirements for DirectAccess are met, Configuration Manager clients on the Internet can use this feature to communicate with their assigned site as if they were on the intranet.

Note: For server-initiated actions, such as remote control and client push installation, the initiating computer (such as the site server) must be running IPv6, and this protocol must be supported on all intervening networking devices.

Configuration Manager does not support the following over DirectAccess:
• Deploying operating systems
• Communication between Configuration Manager sites
• Communication between Configuration Manager site system servers within a site

BranchCache Feature Support

Windows BranchCache has been integrated in System Center 2012 Configuration Manager. You can configure the BranchCache settings on a deployment type for applications, on the deployment for a package, and for task sequences. When all the requirements for BranchCache are met, this feature enables clients at remote locations to obtain content from local clients that have a current cache of the content. For example, when the first BranchCache-enabled client computer requests content from a distribution point that is running Windows Server 2008 R2 and that has also been configured as a BranchCache server, the client computer downloads the content and caches it. This content is then made available for clients on the same subnet that request this same content, and these clients also cache the content. In this way, subsequent clients on the same subnet do not have to download content from the distribution point, and the content is distributed across multiple clients for future transfers.

Configuration Manager supports BranchCache with Windows Server 2008 R2 and Windows 7 clients that are configured in BranchCache distributed cache mode. Support is extended to clients running a supported version of Windows Vista, Windows Server 2008 with SP1, and Windows Server 2008 with SP2 by using the BITS 4.0 release. However, on these operating systems, the BranchCache client functionality is not supported for software distribution that is run from the network or for SMB file transfers.
You can install the BITS 4.0 release on Configuration Manager clients by using software updates or software distribution. For more information about the BITS 4.0 release, see Windows Management Framework.

To support BranchCache with Configuration Manager, add the BranchCache feature to the Windows Server 2008 R2 site system server that is configured as a distribution point. System Center 2012 Configuration Manager distribution points on servers configured to support BranchCache require no further configuration.

To use BranchCache, the clients that can support BranchCache must be configured for BranchCache distributed mode, and the operating system setting for BITS client settings must be enabled to support BranchCache. For more information about BranchCache, see BranchCache for Windows in the Windows Server documentation.
Fast User Switching

Fast User Switching, available in Windows XP in workgroup computers, is not supported in System Center 2012 Configuration Manager. Fast User Switching is supported for computers that are running Windows Vista or later.

Dual Boot Computers

System Center 2012 Configuration Manager cannot manage more than one operating system on a single computer. If there is more than one operating system on a computer that must be managed, adjust the discovery and installation methods that are used to ensure that the Configuration Manager client is installed only on the operating system that has to be managed.

See Also

Planning for Configuration Manager Sites and Hierarchy

Frequently Asked Questions for Configuration Manager

Review the following sections for some frequently asked questions about System Center 2012 Configuration Manager:
• The Configuration Manager Console and Collections
• Sites and Hierarchies
• Migration
• Security and Role-Based Administration
• Client Deployment and Operations
• Mobile Devices
• Remote Control
• Software Deployment
• Endpoint Protection

The Configuration Manager Console and Collections

The following frequently asked questions relate to the Configuration Manager console and collections.

Does the Configuration Manager console support a 64-bit operating system?

Yes. The Configuration Manager console is a 32-bit program that can run on a 32-bit version of Windows and on a 64-bit version of Windows.

What is a limiting collection and why would I use it?

In System Center 2012 Configuration Manager, all collections must be limited to the membership of another collection. When you create a collection, you must specify a limiting collection. A collection is always a subset of its limiting collection. For more information, see How to Create Collections in Configuration Manager.
Can I include or exclude the members of another collection from my collection?

Yes. System Center 2012 Configuration Manager includes two new collection rules, the Include Collections rule and the Exclude Collections rule, which allow you to include or exclude the membership of specified collections. For more information, see How to Create Collections in Configuration Manager.

Are incremental updates supported for all collection types?

No. Collections configured by using query rules that use certain classes do not support incremental updates. For a list of these classes, see How to Create Collections in Configuration Manager.

What is the All Unknown Computers collection?

The All Unknown Computers collection contains two objects that represent records in the Configuration Manager database so that you can deploy operating systems to computers that are not managed by Configuration Manager, and so are unknown to Configuration Manager. These computers can include the following:
• A computer where the Configuration Manager client is not installed
• A computer that is not imported into Configuration Manager
• A computer that is not discovered by Configuration Manager

For more information about how to deploy operating systems to unknown computers, see How to Manage Unknown Computer Deployments in Configuration Manager.

Why does Install Client from the ribbon install the client to the whole collection when I’ve selected a single computer, but install to the selected computer only if I right-click the computer and then select Install Client?

If you choose Install Client from the ribbon when the Collection ribbon tab is selected, the client installs to all computers in the collection rather than to just the selected computer. To install the client to just the selected computer, click the Home tab on the ribbon before you click Install Client from the ribbon, or use the right-click option.
Sites and Hierarchies

The following frequently asked questions relate to sites and hierarchies in Configuration Manager.

Are there new Active Directory schema extensions for System Center 2012 Configuration Manager?

No. The Active Directory schema extensions for System Center 2012 Configuration Manager are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not need to extend the schema again for System Center 2012 Configuration Manager.
Where is the documentation for Setup?

See Install Sites and Create a Hierarchy for Configuration Manager.

Can I upgrade a prerelease version of System Center 2012 Configuration Manager to the released version?

No. Unless you were in a prerelease program that was supported by Microsoft (such as the Technology Adoption Program or the Community Evaluation Program), there is no supported upgrade path for prerelease versions of System Center 2012 Configuration Manager. For more information, see the Release Notes for System Center 2012 Configuration Manager.

Can I manage SMS 2003 clients with System Center 2012 Configuration Manager or migrate SMS 2003 sites and clients to System Center 2012 Configuration Manager?

No. SMS 2003 sites and SMS 2003 clients are not supported by System Center 2012 Configuration Manager. You have two choices to move these sites and clients to System Center 2012 Configuration Manager:
• Upgrade SMS 2003 sites and clients to Configuration Manager 2007 SP2, and then migrate them to System Center 2012 Configuration Manager.
• Uninstall SMS 2003 sites and clients and then install System Center 2012 Configuration Manager sites and clients.

For more information about supported upgrade paths, see the Supported Upgrade Paths section in the Supported Configurations for Configuration Manager topic. For more information about migrating Configuration Manager 2007 to System Center 2012 Configuration Manager, see the Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager guide.

Can I upgrade an evaluation version of System Center 2012 Configuration Manager?

Yes. If the evaluation version is not a prerelease version of System Center 2012 Configuration Manager, you can upgrade it to the full version. For more information, see the Upgrade an Evaluation Installation to a Full Installation section in the Install Sites and Create a Hierarchy for Configuration Manager topic.
Have the site types changed from Configuration Manager 2007?

System Center 2012 Configuration Manager introduces changes to both primary and secondary sites, while the central administration site is a new site type. The central administration site replaces the primary site that was referred to as a central site as the top-level site of a multi-primary site hierarchy. This site does not directly manage clients but does coordinate a shared database across your hierarchy, and it is designed to provide centralized reporting and configurations for your entire hierarchy.

Can I join a pre-existing site to another site in System Center 2012 Configuration Manager?

No. In System Center 2012 Configuration Manager you cannot change the parent relationship of an active site. You can only add a site as a child of another site at the time you install the new site. Because the database is shared between all sites, joining a site that has already created default objects or that has custom configurations can result in conflicts with similar objects that already exist in the hierarchy.

Why can’t I install a primary site as a child of another primary site as I did in Configuration Manager 2007?

With System Center 2012 Configuration Manager, primary sites have changed to support only secondary sites as child sites, and the new central administration site as a parent site. Unlike Configuration Manager 2007, primary sites no longer provide a security or configuration boundary. Because of this, you should only need to install additional primary sites to increase the maximum number of clients your hierarchy can support, or to provide a local point of contact for administration.

Why does Configuration Manager require SQL Server for my secondary site?

In System Center 2012 Configuration Manager, secondary sites require either SQL Server or SQL Server Express to support database replication with their parent primary site. When you install a secondary site, Setup automatically installs SQL Server Express if a local instance of SQL Server is not already installed.

What is database replication?

Database replication uses SQL Server to quickly transfer data for settings and configurations to other sites in the Configuration Manager hierarchy. Changes that are made at one site merge with the information stored in the database at other sites. Content for deployments, and other file-based data, still replicate by file-based replication between sites. Database replication configures automatically when you join a new site to an existing hierarchy.

How can I monitor and troubleshoot replication in Configuration Manager?

See the Monitor Infrastructure for Configuration Manager section in the Monitor Configuration Manager Sites and Hierarchy topic. This section includes information about database replication and how to use the Replication Link Analyzer.

What is Active Directory forest discovery?
Active Directory Forest Discovery is a new discovery method in System Center 2012 Configuration Manager that allows you to discover network locations from multiple Active Directory forests. This discovery method can also create boundaries in Configuration Manager for the discovered network locations, and you can publish site data to another Active Directory forest to help support clients, sites, and site system servers in those locations.

Can I provide clients with unique client agent configurations without installing additional sites?

Yes. System Center 2012 Configuration Manager applies a hierarchy-wide set of default client settings (formerly called client agent settings) that you can then modify on clients by using custom client settings that you assign to collections. This creates a flexible method of delivering customized client settings to any client in your hierarchy, regardless of the site it is assigned to, or where it is located on your network. For more information, see How to Configure Client Settings in Configuration Manager.

Can a site or hierarchy span multiple Active Directory forests?

Configuration Manager supports site-to-site (intersite) communication when a two-way forest trust exists between the forests. Within a site, Configuration Manager supports placement of site system roles on computers in an untrusted forest. Configuration Manager also supports clients that are in a different forest from their site’s site server when the site system role that they connect to is in the same forest as the client. For more information, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic.

How do clients find management points, and has this changed since Configuration Manager 2007?

System Center 2012 Configuration Manager clients can find available management points by using the management point that you specify during client deployment, Active Directory Domain Services, DNS, and WINS. Clients can connect to more than one management point in a site, always preferring communication that uses HTTPS when this is possible because the client and management point use PKI certificates. There are some changes here since Configuration Manager 2007, which accommodate the change that clients can now communicate with more than one management point in a site, and that you can have a mix of HTTPS and HTTP site system roles in the same site. For more information, see the Planning for Service Location by Clients section in the Planning for Communications in Configuration Manager topic.

How do I configure my sites for native mode?

System Center 2012 Configuration Manager has replaced the native mode site configuration in Configuration Manager 2007 with individual site system role configurations that accept client communication over HTTPS or HTTP.
Because you can have site system roles that support HTTPS and HTTP in the same site, you have more flexibility in how you introduce PKI to secure the intranet client endpoints within the hierarchy. Clients over the Internet and mobile devices must use HTTPS connections. For more information, see the Planning a Transition Strategy for PKI Certificates and Internet-Based Client Management section in the Planning for Security in Configuration Manager topic.

Where are the supported scenarios and network diagrams for Internet-based client management that you had for Configuration Manager 2007?

Unlike Configuration Manager 2007, there are no design restrictions to support clients on the Internet, providing you meet the requirements in the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic. Because of the following improvements, you can more easily support clients on the Internet to fit your existing infrastructure:
• The whole site does not have to be using HTTPS client connections
• Support for installing most site system roles in another forest
• Support for multiple management points in a site

If you use multiple management points and dedicate one or more for client connections from the Internet, you might want to consider using database replicas for management points. For more information, see Configure Database Replicas for Management Points.

Why isn’t the site system role that I want available in the Add Site System Roles Wizard?

Configuration Manager supports some site system roles only at specific sites in a hierarchy, and some site system roles have other limitations as to where and when you can install them. When Configuration Manager does not support the installation of a site system role, it is not listed in the wizard. For example, the Endpoint Protection point cannot be installed in a secondary site, or in a primary site if you have a central administration site. So if you have a central administration site, you will not see the Endpoint Protection point listed if you run the Add Site System Roles Wizard on a primary site. Other examples: you cannot add a second management point to a secondary site, and you cannot add a management point or distribution point to a central administration site. For more information about which site system roles can be installed where, see the Planning Where to Install Sites System Roles in the Hierarchy section in the Planning for Site Systems in Configuration Manager topic.

Where do I configure the Network Access Account?

Use the following procedure to configure the Network Access Account:
1. In the Administration workspace, expand Site Configuration, click Sites, and then select the site.
2. On the Settings group, click Configure Site Components, and then click Software Distribution.
3. Click the Network Access Account tab, configure the account, and then click OK.

What High Availability does Configuration Manager have?
Configuration Manager offers a number of high availability solutions. For information, see Planning for High Availability with Configuration Manager.

Migration

The following frequently asked questions relate to migrating Configuration Manager 2007 to System Center 2012 Configuration Manager.
What versions of Configuration Manager or Systems Management Server are supported for migration?

Only Configuration Manager 2007 sites with SP2 are supported for migration.

Why can’t I upgrade my existing Configuration Manager 2007 sites to System Center 2012 Configuration Manager sites?

Several important changes introduced with System Center 2012 Configuration Manager prevent an in-place upgrade; however, System Center 2012 Configuration Manager does support migration from Configuration Manager 2007 with a side-by-side deployment. For example, System Center 2012 Configuration Manager is a native 64-bit application with a database that is optimized for Unicode and that is shared between all sites. Additionally, site types and site relationships have changed. These changes, and others, mean that many existing hierarchy structures cannot be upgraded. For more information, see Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager.

Do I have to migrate my entire Configuration Manager 2007 hierarchy at one time?

Typically, you will migrate data from Configuration Manager 2007 over a period of time that you define. During the period of migration, you can continue to use your Configuration Manager 2007 hierarchy to manage clients that have not migrated to System Center 2012 Configuration Manager. Additionally, if you update an object in the Configuration Manager 2007 hierarchy after you have migrated that object to System Center 2012 Configuration Manager, you can re-migrate that object again up until you decide to complete your migration.

After I migrate software and packages, do I have to use the new application model?

When you migrate a Configuration Manager 2007 package to System Center 2012 Configuration Manager, it remains a package after migration.
If you want to deploy the software from your Configuration Manager 2007 packages by using the new application model, you can use the Package Conversion Manager to convert packages and programs into System Center 2012 Configuration Manager applications.

Why can’t I migrate inventory history or compliance data for my clients?

This type of information is easily recreated by an active client when it sends data to its System Center 2012 Configuration Manager site. Typically, it is only the current information from each client that provides useful information. To retain access to historical inventory information, you can keep a Configuration Manager 2007 site active until the historical data is no longer required.

Why must I assign a System Center 2012 Configuration Manager site as a content owner for migrated content?

When you migrate content to System Center 2012 Configuration Manager, you are really migrating the metadata about that content. The content itself might remain hosted on a shared distribution point during migration, or on a distribution point that you will upgrade to System Center 2012 Configuration Manager. Because the site that owns the content is responsible for monitoring the source files for changes, plan to specify a site that is near to the source file location on the network.

What are shared distribution points and why can’t I use them after migration has finished?

Shared distribution points are Configuration Manager 2007 distribution points that can be used by System Center 2012 Configuration Manager clients during the migration period. A distribution point can be shared only when the Configuration Manager 2007 hierarchy that contains the distribution point remains the active source hierarchy and distribution point sharing is enabled for the source site that contains the distribution point. Sharing distribution points ends when you complete migration from the Configuration Manager 2007 hierarchy.

How can I avoid redistributing content that I migrate to System Center 2012 Configuration Manager?

System Center 2012 Configuration Manager can upgrade supported Configuration Manager 2007 distribution points to System Center 2012 Configuration Manager distribution points. This upgrade allows you to maintain your existing distribution points with minimal effort or disruption to your network. You can also use the prestage option for System Center 2012 Configuration Manager distribution points to reduce the transfer of large files across low-bandwidth network connections.

Can I perform an in-place upgrade of a Configuration Manager 2007 distribution point (including a branch distribution point) to a System Center 2012 Configuration Manager distribution point?

You can perform an in-place upgrade of a Configuration Manager 2007 distribution point that preserves all content during the upgrade. This includes an upgrade of a distribution point on a server share, a branch distribution point, or a standard distribution point.

Can I perform an in-place upgrade of a Configuration Manager 2007 secondary site to a System Center 2012 Configuration Manager distribution point?
You can perform an in-place upgrade of a Configuration Manager 2007 secondary site to a System Center 2012 Configuration Manager distribution point. During the upgrade, all migrated content is preserved.

What happens to the content when I upgrade a Configuration Manager 2007 secondary site or distribution point to a System Center 2012 Configuration Manager distribution point?

During the upgrade to a System Center 2012 Configuration Manager distribution point, all migrated content is copied and then converted to the single instance store. The original Configuration Manager 2007 content remains on the server until it is manually removed.

Can I combine more than one Configuration Manager 2007 hierarchy in a single System Center 2012 Configuration Manager hierarchy?

You can migrate data from more than one Configuration Manager 2007 hierarchy; however, you can only migrate one hierarchy at a time. You can migrate the hierarchies in any order. However, you cannot migrate data from multiple hierarchies that use the same site code. If you try to migrate data from a site that uses the same site code as a migrated site, this corrupts the data in the System Center 2012 Configuration Manager database.
What Configuration Manager 2007 hierarchy can I use as a source hierarchy?

System Center 2012 Configuration Manager supports migrating a Configuration Manager 2007 environment that is at a minimum of Service Pack 2.

What objects can I migrate?

You can migrate the following objects from Configuration Manager 2007 to System Center 2012 Configuration Manager:
• Advertisements
• Boundaries
• Collections
• Configuration baselines and configuration items
• Operating system deployment boot images, driver packages, drivers, images, and packages
• Software distribution packages
• Software metering rules
• Software update deployment packages and templates
• Software update deployments
• Software update lists
• Task sequences
• Virtual application packages

For more information, see Objects That Can Migrate by Migration Job Type.

Can I migrate maintenance windows?

Yes. When a collection migrates, Configuration Manager also migrates collection settings, which include maintenance windows and collection variables. However, collection settings for AMT provisioning do not migrate.

Will advertisements rerun after they are migrated?

No. Clients that you upgrade from Configuration Manager 2007 will not rerun advertisements that you migrate. System Center 2012 Configuration Manager retains the Configuration Manager 2007 Package ID for packages you migrate, and clients that upgrade retain their advertisement history.

Security and Role-Based Administration

The following frequently asked questions relate to security and role-based administration in Configuration Manager.
Where is the documentation for role-based administration?

Because role-based administration is integrated into the configuration of the hierarchy and management functions, there is no separate documentation section for role-based administration. Instead, information is integrated throughout the documentation library. For example, information about planning and configuring role-based administration is in the Planning for Security in Configuration Manager topic and the Configuring Security for Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide and the Security and Privacy for System Center 2012 Configuration Manager guide. The Configuration Manager console lists the description of each role-based security role that is installed with Configuration Manager, and the minimum permissions and suitable security roles for each management function are included as a prerequisite in the relevant topic. For example, Prerequisites for Application Management in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide lists the minimum security permissions to manage and to deploy applications, and the security roles that meet these requirements.

What is the minimum I have to configure if I don’t want to use role-based administration while I’m testing System Center 2012 Configuration Manager?

If you install System Center 2012 Configuration Manager, there is no additional configuration because the Active Directory user account used to install Configuration Manager is automatically assigned to the Full Administrator security role, assigned to All Scopes, and has access to the All Systems and All Users and User Groups collections.
However, if you want to provide full administrative permissions for other Active Directory users to access System Center 2012 Configuration Manager, create new administrative users in Configuration Manager using their Windows accounts and then assign them to the Full Administrator security role. How can I partition security with System Center 2012 Configuration Manager? Unlike Configuration Manager 2007, sites no longer provide a security boundary. Instead, use role-based administration security roles to configure the permissions different administrative users have, and security scopes and collections to define the set of objects they can view and manage. These settings can be configured at a central administration site or any primary site and are enforced at all sites throughout the hierarchy. Should I use security groups or user accounts to specify administrative users? As a best practice, specify a security group rather than user accounts when you configure administrative users for role-based administration. Can I deny access to objects and collections by using role-based administration? Role-based administration does not support an explicit deny action on security roles, security scopes, or collections assigned to an administrative user. Instead, configure security roles, security scopes, and collections to grant permissions to administrative users. If users do not have permissions to objects by use of these role-based administration elements, they might have only partial access to some objects, for example they might be able to view, but not modify specific
  • 137. 137 objects. However, you can use collection membership to exclude collections from a collection that is assigned to an administrative user. How do I find which object types can be assigned to security roles? Run the report Security for a specific or multiple Configuration Manager objects to find the object types that can be assigned to security roles. Additionally you can view the list of objects for a security role by viewing the security roles Properties and selecting the Permissions tab. Can I use security scopes to restrict which distribution points are shown in the Distribution Status node in the Monitoring workspace? No, although you can configure role-based administration and security scopes so that administrative users can distribute content to selected distribution points only, Configuration Manager always displays all distribution points in the Monitoring workspace. Client Deployment and Operations The following frequently asked questions relate to deploying and managing clients on computers and mobile devices in Configuration Manager. Does System Center 2012 Configuration Manager support the same client installation methods as Configuration Manager 2007? Yes. System Center 2012 Configuration Manager supports the same client installation methods that Configuration Manager 2007 supports: client push, software update-based, group policy, manual, logon script, and image-based. For more information, see How to Install Clients on Computers in Configuration Manager. What’s the difference between upgrading clients by using the supplied package definition file and a package and program, and using automatic client upgrade that also uses a package and program? When you create a package and program to upgrade Configuration Manager clients, this installation method is designed to upgrade existing System Center 2012 Configuration Manager clients. You can control which distribution points hosts the package and the client computers that install the package. 
This installation method supports only System Center 2012 Configuration Manager clients and cannot upgrade Configuration Manager 2007 clients. In comparison, the automatic client upgrade method automatically creates the client upgrade package and program and this installation method can be used with Configuration Manager 2007 clients as well as System Center 2012 Configuration Manager clients. The package is automatically distributed to all distribution points in the hierarchy and the deployment is sent to all clients in the hierarchy for evaluation. This installation method supports System Center 2012 Configuration Manager clients and Configuration Manager 2007 clients that are assigned to a System Center 2012 Configuration Manager site. Because you cannot restrict which distribution
  • 138. 138 points are sent the upgrade package or which clients are sent the deployment, use automatic client upgrade with caution and do not use it as your main method to deploy the client software. For more information, see How to Upgrade Configuration Manager Clients by Using a Package and Program and How to Automatically Upgrade the Configuration Manager Client for the Hierarchy in the How to Install Clients on Computers in Configuration Manager topic. Do references to “devices” in System Center 2012 Configuration Manager mean mobile devices? The term “device” in System Center 2012 Configuration Manager applies to a computer or a mobile device such as a Windows Mobile Phone. How does System Center 2012 Configuration Manager support clients in a VDI environment? For information about supporting clients for a virtual desktop infrastructure (VDI), see the Considerations for Managing the Configuration Manager Client in a Virtual Desktop Infrastructure (VDI) section in the Introduction to Client Deployment in Configuration Manager topic. Is it true that System Center 2012 Configuration Manager has a new client health solution? Yes, client status is new in System Center 2012 Configuration Manager and allows you to monitor the activity of clients and check and remediate various problems that can occur. How do I find out what client health checks Configuration Manager makes and can I add my own? You can view the client health rules in the %windir%CCMccmeval.xml file that is installed on the client but Configuration Manager does not support changes to the file. Instead, use compliance settings in Configuration Manager to check for additional items that you consider required for the health of your clients. For example, you might check for specific registry key entries, files, and permissions. What improvements have you made for Internet-based client management? 
Configuration Manager contains many improvements since Configuration Manager 2007 to help you manage clients when they are on the Internet:
• Configuration Manager supports a gradual transition to using PKI certificates, and not all clients and site systems have to use PKI certificates before you can manage clients on the Internet. For more information, see Planning a Transition Strategy for PKI Certificates and Internet-Based Client Management.
• The certificate selection process that Configuration Manager uses is improved by using a certificate issuers list. For more information, see Planning for the PKI Trusted Root Certificates and the Certificate Issuers List.
• Unless the Configuration Manager client is installed on the Internet or is configured as Internet-only, you no longer have to configure client computers with an Internet-based management point. Instead, the client automatically retrieves a list of Internet-based management points when it is on the intranet.
• Although deploying an operating system is still not supported over the Internet, you can deploy generic task sequences for clients that are on the Internet.
• If the Internet-based management point can authenticate the user, user policies are now supported when clients are on the Internet. This functionality supports user-centric management and user device affinity when you deploy applications to users.
• Configuration Manager clients on the Internet first try to download any required software updates from Microsoft Update, rather than from an Internet-based distribution point in their assigned site. Only if this fails will they then try to download the required software updates from an Internet-based distribution point.
What is the difference between Internet-based client management and DirectAccess?
DirectAccess is a Windows solution for managing domain computers when they move from the intranet to the Internet. This solution requires the minimum operating systems of Windows Server 2008 R2 and Windows 7 on clients. Internet-based client management is specific to Configuration Manager, and it allows you to manage computers and mobile devices when they are on the Internet. The Configuration Manager clients can be on workgroup computers that never connect to the intranet, and they can also be mobile devices. The Configuration Manager solution works for all operating system versions that are supported by Configuration Manager.
Both solutions require PKI certificates on clients and servers. However, DirectAccess requires a Microsoft enterprise certification authority, whereas Configuration Manager can use any PKI certificate that meets the requirements documented in PKI Certificate Requirements for Configuration Manager.
Not all Configuration Manager features are supported for Internet-based client management. For more information, see the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic. In comparison, because a client that connects over DirectAccess behaves as if it is on the intranet, all features, with the exception of deploying an operating system, are supported by Configuration Manager. Some Configuration Manager communications are server-initiated, such as client push installation and remote control. For these connections to succeed over DirectAccess, the initiating computer on the intranet and all intervening network devices must support IPv6. For information about how Configuration Manager supports DirectAccess, see the DirectAccess Feature Support section in the Supported Configurations for Configuration Manager topic.
Where can I find information about managing vPro computers?
You can manage Intel vPro computers by using out of band management in System Center 2012 Configuration Manager. For more information, see Out of Band Management in Configuration Manager in the Assets and Compliance in System Center 2012 Configuration Manager guide.
Warning
I want to move my Intel AMT-based computers that I provisioned with Configuration Manager 2007 to System Center 2012 Configuration Manager. Can I use the same Active Directory security group, OU, and web server certificate template?
AMT-based computers that were provisioned with Configuration Manager 2007 must have their provisioning data removed before you migrate them to System Center 2012 Configuration Manager, and must then be provisioned again by System Center 2012 Configuration Manager. Because of functional changes between the versions, the security group, OU, and web server certificate template have different requirements:
• If you used a security group in Configuration Manager 2007 for 802.1X authentication, you can continue to use this group if it is a universal security group. If it is not a universal group, you must convert it or create a new universal security group for System Center 2012 Configuration Manager. The security permissions of Read Members and Write Members for the site server computer account remain the same.
• The OU can be used without modification. However, System Center 2012 Configuration Manager no longer requires Full Control to this object and all child objects. You can reduce these permissions to Create Computer Objects and Delete Computer Objects on this object only.
• The web server certificate template from Configuration Manager 2007 cannot be used in System Center 2012 Configuration Manager without modification. This certificate template no longer uses Supply in the request, and the site server computer account no longer requires Read and Enroll permissions.
For more information about the security group and OU, see Step 1 in How to Provision and Configure AMT-Based Computers in Configuration Manager. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager and the example deployment, Deploying the Certificates for AMT.
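The OU permission reduction described above, as an added Windows PowerShell example that is not part of the Configuration Manager documentation: it removes a Full Control entry for the site server computer account from the AMT OU and grants Create Computer Objects and Delete Computer Objects on that object only. The OU distinguished name and the CONTOSO\SITESERVER$ account are placeholders, and the script assumes the ActiveDirectory module and its AD: drive are available.

```powershell
# Added example (not from the Configuration Manager documentation): replace
# Full Control on the AMT OU with Create/Delete Computer Objects, this object only.
Import-Module ActiveDirectory

$ouDn           = "OU=AMT Computers,DC=contoso,DC=local"   # placeholder OU
$siteServerAcct = "CONTOSO\SITESERVER$"                    # placeholder site server account

$acl     = Get-Acl -Path "AD:\$ouDn"
$account = New-Object System.Security.Principal.NTAccount($siteServerAcct)

# Well-known schemaIDGUID of the 'computer' object class: limits the ACEs to
# computer objects instead of "all child objects".
$computerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"

# 1. Drop any existing Allow / Full Control (GenericAll) entry for the site server.
$fullControl = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $siteServerAcct -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -eq 'GenericAll'
}
foreach ($ace in $fullControl) { [void]$acl.RemoveAccessRule($ace) }

# 2. Grant Create Computer Objects + Delete Computer Objects with inheritance
#    None, which is what the console shows as "This object only".
$rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $account,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($rule)

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 3. Verify what the site server account is left with on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $siteServerAcct } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType
```

The verification step should list only CreateChild, DeleteChild scoped to the computer class GUID with InheritanceType None; any remaining GenericAll entry means the removal in step 1 did not match the existing ACE.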
How can I tell which collections of computers have a power plan applied?
There is no report in System Center 2012 Configuration Manager that displays which collections of computers have a power plan applied. However, in the Device Collections list, you can select the Power Configurations column to display whether a collection has a power plan applied.
Mobile Devices
The following frequently asked questions relate specifically to mobile devices in Configuration Manager.
Where is the documentation for mobile devices?
Because the management of mobile devices is so similar to managing computers in System Center 2012 Configuration Manager, there is no separate documentation section for mobile devices. Instead, information is integrated throughout the documentation library. For example, information about how to install the client on mobile devices is in the Deploying Clients for System Center 2012 Configuration Manager guide. Information about how to configure settings for mobile devices, such as password settings, is in the Compliance Settings in Configuration Manager section of the Assets and Compliance in System Center 2012 Configuration Manager guide, and information about how to install applications on mobile devices is in the Application Management in Configuration Manager section of the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.
Some of the main topics that contain information about mobile devices include the following:
Supported Configurations for Configuration Manager: See the Mobile Device Requirements section to check whether Configuration Manager can support your mobile device environment.
PKI Certificate Requirements for Configuration Manager: Contains certificate requirements if you install the Configuration Manager client on mobile devices. No certificates are required by Configuration Manager if you manage mobile devices that connect to Exchange Server.
Planning for Site Systems in Configuration Manager: Contains information about where to install the site system roles that are required to manage mobile devices.
Introduction to Client Deployment in Configuration Manager: The Deploying the Configuration Manager Client to Mobile Devices section contains introductory information for managing mobile devices and what is new from Configuration Manager 2007.
Prerequisites for Client Deployment in Configuration Manager: The Prerequisites for Mobile Device Clients section contains information about the dependencies and firewall requirements for when you enroll mobile devices by using Configuration Manager.
Determine How to Manage Mobile Devices in Configuration Manager: Contains information about the differences between the management options for mobile devices in Configuration Manager.
How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager: Contains instructions to enroll mobile devices by using Configuration Manager.
How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager: Contains instructions to install the Exchange Server connector, so that you can manage mobile devices that connect to an Exchange Server.
Security and Privacy for Clients in Configuration Manager: Contains security best practices and privacy information for mobile devices.
How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager: Contains instructions to configure settings for mobile devices that are enrolled by Configuration Manager.
Technical Reference for Log Files in Configuration Manager: See the Mobile Devices section for the list of log files that are created when you manage mobile devices in Configuration Manager.
If you have mobile device legacy clients in your System Center 2012 Configuration Manager hierarchy, the installation and configuration for these mobile devices is the same as in Configuration Manager 2007. For more information, see Mobile Device Management in Configuration Manager in the Configuration Manager 2007 documentation library.
How do I re-enroll mobile devices in Configuration Manager?
When the certificate on the mobile device is due for renewal, users are automatically prompted to accept the new certificate. When they confirm the prompt, Configuration Manager automatically re-enrolls their mobile device.
What action must I take if I no longer want a mobile device enrolled in Configuration Manager?
You must wipe the mobile device if you no longer want it to be enrolled in System Center 2012 Configuration Manager. When you wipe a mobile device, this action deletes all data that is stored on the mobile device and on any attached memory cards. In addition, the certificate that was issued during enrollment is revoked with the following reason: Cease of Operation.
If I wipe a mobile device that is enrolled by Configuration Manager and discovered by the Exchange Server connector, will it be wiped twice?
No. In this dual management scenario, Configuration Manager sends the wipe command in the client policy and by using the Exchange Server connector, and then monitors the wipe status for the mobile device. As soon as Configuration Manager receives a wipe confirmation from the mobile device, it cancels the second, pending wipe command so that the mobile device is not wiped twice.
Can I configure the Exchange Server connector for read-only mode?
Yes. If you only want to find mobile devices and retrieve inventory data from them as a read-only mode of operation, you can do this by granting the account that the connector uses to connect to the Exchange Client Access server only a subset of the cmdlets. The required cmdlets for a read-only mode of operation are as follows:
• Get-ActiveSyncDevice
• Get-ActiveSyncDeviceStatistics
• Get-ActiveSyncOrganizationSettings
• Get-ActiveSyncMailboxPolicy
• Get-ExchangeServer
• Get-Recipient
• Set-ADServerSettings
When the Exchange Server connector operates with these limited permissions, you cannot create access rules or wipe mobile devices, and mobile devices will not be configured with the settings that you define. In addition, Configuration Manager will generate alerts and status messages to notify you that it could not complete operations that are related to the Exchange Server connector.
Remote Control
The following frequently asked questions relate to remote control in Configuration Manager.
Is remote control enabled by default?
By default, remote control is disabled on client computers. Enable remote control as a default client setting for the hierarchy, or by using custom client settings that you apply to selected collections.
What ports does remote control use?
TCP 2701 is the only port that System Center 2012 Configuration Manager uses for remote control. When you enable remote control as a client setting, you can select one of three firewall profiles that automatically configure this port on Configuration Manager clients: Domain, Private, or Public.
What is the difference between a Permitted Viewers List and granting a user the role-based administration security role of Remote Tools Operator?
The Permitted Viewers List grants an administrative user the Remote Control permission for a computer, and the role-based administration security role of Remote Tools Operator grants an administrative user the ability to connect a Configuration Manager console to a site so that audit messages are sent when they manage computers by using remote control.
Can I send a CTRL+ALT+DEL command to a computer during a remote control session?
Yes. In the Configuration Manager remote control window, click Action, and then click Send Ctrl+Alt+Del.
Warning
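The read-only Exchange Server connector permissions listed above can be enforced as an Exchange RBAC role group that exposes only those seven cmdlets to the connector account. This is an added example, not code from the Configuration Manager or Exchange documentation; it assumes the Exchange Management Shell, and the connector account name, the derived role names, and the role group name are placeholders chosen for the example.

```powershell
# Added example (not from the Configuration Manager documentation): build an
# Exchange RBAC role group limited to the read-only connector cmdlets.
$connectorAccount = "CONTOSO\svc-cmexchange"                 # placeholder service account
$roleGroupName    = "ConfigMgr Exchange Connector (Read-Only)" # constructed name
$requiredCmdlets  = @(
    "Get-ActiveSyncDevice",
    "Get-ActiveSyncDeviceStatistics",
    "Get-ActiveSyncOrganizationSettings",
    "Get-ActiveSyncMailboxPolicy",
    "Get-ExchangeServer",
    "Get-Recipient",
    "Set-ADServerSettings"
)

# The cmdlets are spread over several built-in roles. For each one, locate a
# role that contains it, derive a child role from that parent, and later strip
# the child down to the allow list. A child role cannot gain entries its
# parent lacks, so this never widens permissions.
$childRoles = @{}
foreach ($cmdlet in $requiredCmdlets) {
    $entry = Get-ManagementRoleEntry "*\$cmdlet" | Select-Object -First 1
    if (-not $entry) { throw "No management role exposes $cmdlet" }
    $parent = $entry.Role
    $child  = "ConfigMgr RO - $parent"   # constructed child role name
    if (-not $childRoles.ContainsKey($child)) {
        if (-not (Get-ManagementRole $child -ErrorAction SilentlyContinue)) {
            New-ManagementRole -Name $child -Parent $parent | Out-Null
        }
        $childRoles[$child] = $parent
    }
}

# Remove every entry in the child roles that is not on the allow list.
foreach ($child in $childRoles.Keys) {
    Get-ManagementRoleEntry "$child\*" |
        Where-Object { $requiredCmdlets -notcontains $_.Name } |
        Remove-ManagementRoleEntry -Confirm:$false
}

# Assign the trimmed roles to the connector account through one role group.
if (-not (Get-RoleGroup $roleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $roleGroupName -Roles @($childRoles.Keys) `
                  -Members $connectorAccount | Out-Null
}

# Verify: the effective cmdlet set must contain nothing beyond the allow list.
$effective = foreach ($child in $childRoles.Keys) {
    Get-ManagementRoleEntry "$child\*" | ForEach-Object { $_.Name }
}
$extra = $effective | Where-Object { $requiredCmdlets -notcontains $_ } | Sort-Object -Unique
if ($extra) {
    Write-Warning ("Unexpected cmdlets still granted: " + ($extra -join ", "))
} else {
    "Role group '$roleGroupName' grants only the read-only connector cmdlets."
}
```

The connector account must not also be a member of a broader role group such as Organization Management, because RBAC permissions are cumulative and the extra membership would silently restore wipe and policy rights.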
How can I find out how the Help Desk is using remote control?
You can find this out by using the remote control reports: Remote Control – All computers remote controlled by a specific user and Remote Control – All remote control information. For more information, see How to Audit Remote Control Usage in Configuration Manager.
What happened to the Remote Control program in Control Panel on Configuration Manager clients?
The remote control settings for System Center 2012 Configuration Manager clients are now in Software Center, on the Options tab.
Software Deployment
The following frequently asked questions relate to content management, software updates, applications, packages and programs, scripts, and operating system deployment with supporting task sequences and device drivers in Configuration Manager.
When distribution points are enabled for bandwidth control, does the site server compress the content that it distributes to them in the same way as site-to-site data is compressed?
No. Site servers do not compress the content that they distribute to distribution points that are enabled for bandwidth control. Whereas site-to-site transfers potentially resend files that might already be present, only to be discarded by the destination site server, a site server sends only the files that a distribution point requires. With a lower volume of data to transfer, the disadvantages of high CPU processing to compress and decompress the data usually outweigh the advantages of compressing the data.
What is an “application” and why would I use it?
System Center 2012 Configuration Manager applications contain the administrative details and Application Catalog information necessary to deploy a software package or software update to a computer or mobile device.
What is a “deployment type” and why would I use one?
A deployment type is contained within an application and specifies the installation files and method that Configuration Manager will use to install the software. The deployment type contains rules and settings that control if and how the software is installed on client computers.
What is the “deployment purpose” and why would I use this?
The deployment purpose defines what the deployment should do and represents the administrator’s intent. For example, an administrative user might require the installation of software on client computers or might just make the software available for users to install themselves. A global condition can be set to check regularly that required applications are installed and to reinstall them if they have been removed.
What is a global condition and how is it different from a deployment requirement?
Global conditions are conditions used by requirement rules. Requirement rules set a value for a deployment type for a global condition. For example, “operating system =” is a global condition; a requirement rule is “operating system = Win7.”
How do I make an application deployment optional rather than mandatory?
To make a deployment optional, configure the deployment purpose as Available in the application’s deployment type. Available applications display in the Application Catalog, where users can install them.
Can users request applications?
Yes. Users can browse a list of available software in the Application Catalog. Users can then request an application which, if approved, will be installed on their computer.
Why would I use a package and program to deploy software rather than an application deployment?
Some scenarios, such as the deployment of a script that runs on a client computer but that does not install software, are more suited to using a package and program rather than an application.
Can I deploy Office so that it installs locally on a user’s main workstation but is available to that user as a virtual application from any computer?
Yes. You can configure multiple deployment types for an application. Rules that specify which deployment type is run allow you to specify how the application is made available to the user.
Does Configuration Manager help identify which computers a user uses to support the user device affinity feature?
Yes. Configuration Manager collects usage statistics from client devices that can be used to automatically define user device affinities or to help you manually create affinities.
Can I change a simulated application deployment to a standard application deployment?
No. You must create a new deployment, which can include extra options such as scheduling and user experience.
Can I migrate my existing packages and programs from Configuration Manager 2007 to a System Center 2012 Configuration Manager hierarchy?
Yes. You can see migrated packages and programs in the Packages node in the Software Library workspace. You can also use the Import Package from Definition Wizard to import Configuration Manager 2007 package definition files into your site.
Does the term “software” include scripts and drivers?
Yes. In System Center 2012 Configuration Manager, the term software includes software updates, applications, scripts, task sequences, device drivers, configuration items, and configuration baselines.
  • 146. 146 What does “state-based deployment” mean in reference to System Center 2012 Configuration Manager? Depending on the deployment purpose you have specified in the deployment type of an application, System Center 2012 Configuration Manager periodically checks that the state of the application is the same as its purpose. For example, if an application’s deployment type is specified as Required, Configuration Manager reinstalls the application if it has been removed. Only one deployment type can be created per application and collection pair. Do I have to begin using System Center 2012 Configuration Manager applications immediately after migrating from Configuration Manager 2007? No, you can continue to deploy packages and programs that have been migrated from your Configuration Manager 2007 site. However, packages and programs cannot use some of the new features of System Center 2012 Configuration Manager such as requirement rules, dependencies and supersedence. If an application that has been deployed to a user is installed on multiple devices, how is the deployment summarized for the user? Deployments to users or devices are summarized based on the worst result. For example, if a deployment is successful on one device and the application requirements were not met on another device then the deployment for the user is summarized as Requirements Not Met. If none of the user’s devices has received the application, the deployment is summarized as Unknown. Is there a quick guide to installing the Application Catalog? If you don’t require HTTPS connections (for example, users will not connect from the Internet), you can use the following the quick guide instructions: 1. Make sure that you have all the prerequisites for the Application Catalog site roles. For more information, see Prerequisites for Application Management in Configuration Manager. 2. 
Install the following Application Catalog site system roles and select the default options:  Application Catalog web service point  Application Catalog website point 3. Configure the following Computer Agent device client settings by editing the default client settings, or by creating and assigning custom client settings:  Default Application Catalog website point: Automatically detect  Add default Application Catalog website to Internet Explorer trusted site zone: True  Install Permissions: All users For full instructions, see Configuring the Application Catalog and Software Center in Configuration Manager. Can I deploy applications by using task sequences? You can use a task sequence to deploy applications. However, when you configure an application deployment rather than use a task sequence, you benefit from the following:  You have a richer monitoring and compliance experience.
  • 147. 147  You can supersede a previous version of the application and can uninstall or upgrade the previous version.  You can deploy applications to users. For more information about how to deploy applications, see Introduction to Application Management in Configuration Manager. How often are application deployments summarized? Although you can configure the application deployment summarization interval, by default, the following values apply:  Deployments that were modified in the last 30 days – 1 hour  Deployments that were modified in the last 31 to 90 days – 1 day  Deployments that were modified over 90 days ago – 1 week You can modify the application deployment summarization intervals from the Status Summarizers dialog box. Click Status Summarizers from the Sites node in the Administration workspace to open this dialog box. How does the processing of requirements differ between a deployment with the action of Install and a deployment with the action of Uninstall? In most cases, a deployment with an action of Uninstall will always uninstall a deployment type if it is detected unless the client type is different. For example, if you deploy a mobile device application with an action of Uninstall to a desktop computer, the deployment will fail with a status of Requirements not met as it is impossible to enforce this uninstall. What happens if a simulated deployment and a standard deployment for the same application are deployed to a computer? Although you cannot deploy a simulated and a standard deployment of an application to the same collection, you can target a computer with both if you deploy them to different collections and the computer is a member of both collections. In this scenario, for both deployments, the computer reports the results of the standard deployment. This explains how you might see deployment states for a simulated deployment that you would usually only see for a standard deployment, such as In Progress and Error. 
Can I use update lists in System Center 2012 Configuration Manager? No. Software update groups are new in System Center 2012 Configuration Manager and replace update lists that were used in Configuration Manager 2007. What is an “update group” and why would I use one? Software update groups provide a more effective method for you to organize software updates in your environment. You can manually add software updates to a software update group or software updates can be automatically added to a new or existing software update group by using an automatic deployment rule. You can also deploy a software update group manually or automatically by using an automatic deployment rule. After you deploy a software update group, you can add new software updates to the group and they will automatically be deployed.
  • 148. 148 Does System Center 2012 Configuration Manager have automatic approval rules like Windows Server Update Services (WSUS)? Yes. You can create automatic deployment rules to automatically approve and deploy software updates that meet specified search criteria. What changes have been made in System Center 2012 Configuration Manager to manage superseded software updates? In Configuration Manager 2007, superseded software updates are automatically expired during full software updates synchronization. In System Center 2012 Configuration Manager, you can choose to automatically expire superseded software updates during software updates synchronization just as it is in Configuration Manager 2007. Or, you can specify a number of months before a superseded software update is expired. This allows you to deploy a superseded software update for the period of time while you validate and approve the superseding software update in your environment. How are superseded and expired software updates removed in System Center 2012 Configuration Manager? System Center 2012 Configuration Manager might automatically remove expired and superseded software updates. Consider the following scenarios:  Expired software updates that are not associated with a deployment are automatically removed up every 7 days by a site maintenance task.  Expired software updates that are associated with a deployment are not automatically removed by the site maintenance task.  Superseded software updates that you have configured not to expire for a specified period of time are not removed or deleted by the site maintenance task. You can remove expired software updates from all software update groups and software update deployments so that they are automatically removed. To do this, search for expired software updates, select the returned results, choose edit membership, and remove the expired software updates from any software update group for which they are members. 
What do the software update group icons represent in Configuration Manager?
The software update group icons are different in the following scenarios:
• When a software update group contains at least one expired software update, the icon for that software update group contains a black X.
• When a software update group contains no expired software updates, but at least one superseded software update, the icon for that software update group contains a yellow star.
• When a software update group has no expired or superseded software updates, the icon for that software update group contains a green arrow.

When you view the status of an application deployment in the Deployments node of the Monitoring workspace, how is the displayed Compliance % calculated?
The compliance percentage (Compliance %) is calculated by taking the number of users or devices with a deployment state of Success added to the number of devices with a deployment state of Requirements Not Met and then dividing this total by the number of users or devices that the deployment was sent to.

While monitoring the deployment of an application, the numbers displayed in the Completion Statistics do not match the numbers displayed in the View Status pane. What reasons might cause this?
The following reasons might cause the numbers shown in Completion Statistics and the View Status pane to differ:
• The completion statistics are summarized and the View Status pane displays live data – Select the deployment in the Deployments node of the Monitoring workspace and then, in the Home tab, in the Deployment group, click Run Summarization. Refresh the display in the Configuration Manager console and after summarization completes, the updated completion statistics will display in the Configuration Manager console.
• An application contains multiple deployment types. The completion statistics display one status for the application; the View Status pane displays status for each deployment type in the application.
• The client encountered an error. It was able to report status for the application, but not for the deployment types contained in the application. You can use the report Application Infrastructure Errors to troubleshoot this scenario.

Can I deploy operating systems by using a DVD or a flash drive?
Yes. You can use media such as a CD, DVD set, or a USB flash drive to capture an operating system image and to deploy an operating system. Deployment media includes bootable media, prestaged media, and stand-alone media. For more information, see Planning for Media Operating System Deployments in Configuration Manager.

When I upgrade an operating system, can I retain the user’s information so that they have all their files, data, and preferences when they log on to the new operating system?
Yes. When you deploy an operating system you can add steps to your task sequence that capture and restore the user state.
The captured data can be stored on a state migration point or on the computer where the operating system is deployed. For more information, see How to Manage the User State in Configuration Manager.

Can I deploy operating systems to computers that are not managed by Configuration Manager?
Yes. These types of computers are referred to as unknown computers. For more information about how to deploy operating systems to unknown computers, see How to Manage Unknown Computer Deployments in Configuration Manager.

When I deploy an operating system to multiple computers, can I optimize how the operating system image is sent to the destination computers?
Yes. Use multicast to simultaneously send data to multiple Configuration Manager clients rather than sending a copy of the data to each client over a separate connection. For more information, see Planning a Multicast Strategy in Configuration Manager.
Endpoint Protection
The following frequently asked questions relate to Endpoint Protection in Configuration Manager.

What’s new for Endpoint Protection in System Center 2012 Configuration Manager?
Endpoint Protection is fully integrated with System Center 2012 Configuration Manager and no longer requires a separate installation. In addition, there are a number of new features and enhancements in Endpoint Protection. For more information, see the Endpoint Protection section in the What’s New in Configuration Manager topic.

Can I deploy definitions by using Configuration Manager distribution points?
Yes, you can deploy Endpoint Protection definitions by using Configuration Manager software updates. For more information, see Step 3: Configure Configuration Manager Software Updates to Deliver Definition Updates to Client Computers in the How to Configure Endpoint Protection in Configuration Manager topic.

Are malware notifications faster in System Center 2012 Endpoint Protection than in Forefront Endpoint Protection 2010?
Yes, System Center 2012 Endpoint Protection uses Configuration Manager alerts to more quickly notify you when malware is detected on client computers.

Which antimalware solutions can Endpoint Protection uninstall?
For a list of the antimalware solutions that Configuration Manager can automatically uninstall when you install the Endpoint Protection client, see the Endpoint Protection section in the About Client Settings in Configuration Manager topic. For more information about how to configure Endpoint Protection to uninstall these antimalware solutions, see How to Configure Endpoint Protection in Configuration Manager.

See Also
Getting Started with System Center 2012 Configuration Manager

Information and Support for Configuration Manager
For the most current System Center 2012 Configuration Manager product documentation, always use the TechNet Configuration Manager Documentation Library.
If you have feedback about the documentation, email SMSDocs@Microsoft.com. To receive Twitter feeds from the documentation team (for example, notification of documentation updates), see the Configuration Manager Documentation Team Twitter feed.
The Configuration Manager Product Group Blog
The Configuration Manager product group and partner teams use the System Center Configuration Manager Team Blog to provide you with technical information and other news about Configuration Manager and related technologies. Our blog posts supplement the product documentation and support information.

Support Options and Community Resources
The following links provide information about support options and community resources:
• System Center Configuration Manager Support
• Microsoft Help and Support
• System Center 2012 Configuration Manager Survival Guide
• Configuration Manager Community Page
• Configuration Manager Forums Page
• myITforum System Center Community Support
All information and content at myITforum.com is provided by the owner or the users of the website. Microsoft makes no warranties, express, implied or statutory, as to the information on this website.
In addition, visit the System Center 2012 TechCenter to find other supporting resources for System Center 2012 Configuration Manager.

Search the Configuration Manager Documentation Library
Find information online from the Documentation Library for System Center 2012 Configuration Manager. This customized Bing search query scopes your search so that you see results from the Documentation Library for System Center 2012 Configuration Manager only. It uses the search text Configuration Manager, which you can replace in the search bar with your own search string or strings, and choice of search operators, to help you narrow the search results.

Example Searches
Use the Find information online link and customize the search by using the following examples.
• Single search string: To search for topics that contain the search string Endpoint Protection, replace Configuration Manager with Endpoint Protection:
("Endpoint Protection") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)
• Combining search strings: To search for topics that contain the search strings Endpoint Protection and monitoring, use the AND operator:
("Endpoint Protection") AND ("monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)
• Alternative search strings: To search for topics that contain the search string Endpoint Protection or monitoring, use the OR operator:
("Endpoint Protection" OR "monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)
• Exclude search strings: To search for topics that contain the search string Endpoint Protection and exclude topics about monitoring, use the NOT operator:
("Endpoint Protection") NOT ("monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)

Search Tips
Use the following search tips to help you find the information that you need:
• When you search on a page in TechNet (for example, press Ctrl-F1, and enter search terms in the Find box), the results exclude text that is in collapsed sections. If you are using TechNet in Classic view, before you search on the page, click Expand All at the top of the page, before the topic title. By default, you must first click Collapse All, and then you can click Expand All. With all sections expanded, a search on the page can then search all sections on that page. If you are using TechNet in Lightweight view, this configuration does not support the Expand All option and you must manually expand individual sections that are collapsed before search on the page finds text in those sections. To change from TechNet Lightweight view (the default) to Classic view, click the Preferences icon at the top right-hand side of the page, click Classic, and then click OK.
• To search a topic in the help file, press F1, and enter search terms in the Find dialog box. The help file does not support the Expand All option and you must manually expand individual sections that are collapsed before search on the page finds text in those sections.
• Whenever possible, use the TechNet online library rather than downloaded documentation. TechNet contains the most up-to-date information and the information that you are searching for might not be in the downloaded documentation or there might be corrections or additional information online.

See Also
Getting Started with System Center 2012 Configuration Manager
Site Administration for System Center 2012 Configuration Manager
The Site Administration for System Center 2012 Configuration Manager guide provides documentation to help you plan, install, configure, and maintain Microsoft System Center 2012 Configuration Manager. If you are new to Configuration Manager, read Getting Started with System Center 2012 Configuration Manager before you read this guide.

Site Administration Topics
Use the following topics to help you plan, configure, and maintain System Center 2012 Configuration Manager sites:
• Introduction to Site Administration in Configuration Manager
• Planning for Configuration Manager Sites and Hierarchy
• Configuring Sites and Hierarchies in Configuration Manager
• Operations and Maintenance for Site Administration In Configuration Manager
• Reporting in Configuration Manager
• Security and Privacy for Site Administration in Configuration Manager
• Technical Reference for Site Administration in Configuration Manager

Other Resources for this Product
• TechNet Library main page for System Center 2012 Configuration Manager
• Documentation Library for System Center 2012 Configuration Manager

Introduction to Site Administration in Configuration Manager
Site administration in System Center 2012 Configuration Manager refers to the planning, installation, management, and monitoring of a System Center 2012 Configuration Manager hierarchy of sites. A hierarchy of sites can be described by one of three basic configurations:
• A single stand-alone primary site that has no additional sites.
• A primary site that has one or more secondary sites.
• A central administration site as the top-level site that has one or more primary child sites. The primary sites can each support secondary sites.
Several configurations in Configuration Manager apply to objects at every site in the hierarchy. Other configurations are site-specific and require that you configure each site separately.
For example, you can configure most site system roles at a primary site, but some site system roles can only be installed at the top-level site of a hierarchy, which might be a primary site in one hierarchy and a central administration site in another hierarchy. Your available network infrastructure, the network and geographical locations of the resources that you manage, and the management features that you use can influence your hierarchy design and approach to administration.
Use the following sections for more information about planning, configuring, and managing your Configuration Manager site or hierarchy:
• Plan and Deploy a Hierarchy of Sites
• Deploy Site Systems at Sites
• Configure Hierarchy-Wide and Site-Specific Options
• Monitor and Maintain the Hierarchy

Plan and Deploy a Hierarchy of Sites
Before you deploy your first site, review the planning information for Configuration Manager. The type of site that you first deploy can define the structure for your hierarchy. For example, if the first site that you install is a primary site because you do not expect to manage a complex or geographically dispersed environment, your hierarchy is limited to a single primary site. This primary site can support secondary sites. However, if you deploy a central administration site as your first site, you have the option to add more primary sites as child sites to the central administration site in the future. This provides you with the flexibility to expand your hierarchy as your company grows and when management requirements change. For more information about sites and hierarchies, see Planning for Sites and Hierarchies in Configuration Manager.
When you plan your hierarchy, consider the external dependencies of Configuration Manager, such as a public key infrastructure (PKI) if you plan to use certificates, or your Active Directory domain structure. Determine whether you manage resources in untrusted forests or resources that are on the Internet, and determine how Configuration Manager will support these scenarios. These factors and other considerations can influence your hierarchy design and site and site system role placement. For more information, see PKI Certificate Requirements for Configuration Manager and Identify Your Network and Business Requirements to Plan a Configuration Manager Hierarchy.
Deploy Site Systems at Sites
In each site that you install, you must install and configure site system roles to support management operations. If you plan to install more than a single primary site, review the site system roles and if you can deploy them at different sites. Some site system roles, which include the Endpoint Protection point, require that you install just one instance in the hierarchy to provide a service to all sites in the hierarchy. Other site system roles, which include the Application Catalog web service point, must be installed at each site where you require them to provide a service to that site. Finally, some site system roles, which include the management point and distribution point, support the installation of multiple instances at a site. Refer to the site system role requirements to help you identify the best locations to place the site system roles at each site. For example:
• For central administration sites, you can deploy site system roles that are useful for hierarchy-wide monitoring, such as the reporting services point. You can also deploy site system roles that provide services to the whole hierarchy, such as the Endpoint Protection point. Some roles, such as the software update point, must be installed in the central administration site, but you can also install them in primary and secondary sites. In this scenario, the software update point in the central administration site provides the other software update points with a central location to synchronize software updates.
• For primary sites, you must have site system roles for client communication, such as management points and software update points. Review your network infrastructure and the locations of computers and users on your network to ensure that you put these client-facing site systems in the best locations to optimize network connectivity.
• For secondary sites, you can install a limited set of site system roles. Additionally, if content distribution to a remote network location is your main concern, you might decide to install distribution points from a primary site instead of installing a secondary site.
For more information about site systems, see Planning for Site Systems in Configuration Manager.

Configure Hierarchy-Wide and Site-Specific Options
After you deploy your first site, you can configure settings that apply across the hierarchy and settings that are specific to individual sites. Regardless of when you configure sites or hierarchy-wide settings, plan to periodically revisit these tasks to adjust configurations to meet changing business requirements. Hierarchy-wide and site-specific configurations affect how sites operate and how client management tasks in each site function.
Some of the hierarchy-wide configurations that you can set include the following:
• Role-based administration, which includes the following:
  • Identify administrative users who manage your Configuration Manager infrastructure and assign them security roles, security scopes, and collections to manage their permissions to objects, and the objects that they can interact with.
  • Create custom security roles and security scopes that you require to help partition security and administrative user access to different objects.
• Discovery to locate resources that you can manage.
• Boundaries and boundary groups to control client site assignment, and the site system servers from which clients can obtain content such as applications or operating system deployments.
• Client settings to specify how and when Configuration Manager clients perform various operations, which includes when to check for new applications or to submit hardware or software inventory data to their assigned site.
Some of the site-specific configurations that you can set include the following:
• Communication settings for site system roles that control how clients communicate with the site system roles at that site.
• Settings to specify how sites summarize status message details that are collected from clients and site system servers.
• Site maintenance tasks and schedules to help maintain the local Configuration Manager database.
• Site component configurations that control how site system roles operate in a site.
For more information about how to configure sites and hierarchy-wide settings, see Configure Sites and the Hierarchy in Configuration Manager, and Operations and Maintenance for Site Administration In Configuration Manager.

Monitor and Maintain the Hierarchy
You must monitor and maintain the health of the hierarchy and individual site systems. Over time, conditions in your environment can change. These changes might include network issues that decrease the replication performance between sites, the number of clients that report to a site and that might affect site system role performance, and an increase in the amount of data that is stored in the Configuration Manager database that can decrease data processing and site performance. To keep your site systems, intersite data replication, and the database healthy, you must monitor your hierarchy for problems and take actions to maintain these systems to prevent critical problems.
You can monitor the health of your hierarchy by using the Monitoring workspace in the Configuration Manager console. Additionally, you can configure site maintenance tasks at each site to help maintain the operational efficiency of the database, and to remove aged data that you no longer require. Periodically review the configurations and operational settings for site system roles to ensure that they continue to provide a service to your clients, and review the frequency and extent of the data that you collect from clients to ensure that you collect only the data that you really require.
Configuration Manager provides built-in functionality that you can use to monitor and maintain your infrastructure. For example, you can do the following:
• Run reports that inform you about the success or failure of typical Configuration Manager tasks and that summarize the operational status of your sites and hierarchy.
• View status messages and receive alerts that can help you identify current or emerging problems, which include information about application deployments or site and hierarchy infrastructure problems.
• View the status of clients, which includes clients that are inactive, and view the status of Endpoint Protection clients.
• Configure more than 30 site maintenance tasks to help maintain the health of the Configuration Manager database.
For more information about monitoring, see Monitor Configuration Manager Sites and Hierarchy, and Reporting in Configuration Manager. For more information about site maintenance tasks, see Configure Maintenance Tasks for Configuration Manager Sites.

See Also
Site Administration for System Center 2012 Configuration Manager
Planning for Configuration Manager Sites and Hierarchy
You can install Microsoft System Center 2012 Configuration Manager by using many different design configurations that range from a single site to multiple sites that span diverse geographical network locations. Even single site designs often use multiple Windows servers to provide services to users and devices on your network. When you install multiple System Center 2012 Configuration Manager sites, they form a hierarchy of sites that share information by using a distributed database. Sites communicate with each other and share information by using database replication that is based on SQL Server replication and file-based transfers. Sites in a hierarchy use parent-child relationships to define communication paths. Because the data that is transferred between computers within a site and between different Configuration Manager sites can significantly affect the efficiency of your network, plan your site or hierarchy before you install any Configuration Manager site.

Planning Topics
Use the following topics to help you plan for sites and hierarchies by gathering the information that you will need to plan the design of your System Center 2012 Configuration Manager deployment to best meet your business requirements and make efficient use of your network infrastructure.
• Supported Configurations for Configuration Manager
• Planning for Hardware Configurations for Configuration Manager
• PKI Certificate Requirements for Configuration Manager
• Identify Your Network and Business Requirements to Plan a Configuration Manager Hierarchy
• Determine Whether to Migrate Configuration Manager 2007 Data to System Center 2012 Configuration Manager
• Determine Whether to Extend the Active Directory Schema for Configuration Manager
• Planning for Sites and Hierarchies in Configuration Manager
• Planning for Publishing of Site Data to Active Directory Domain Services
• Planning for Discovery in Configuration Manager
• Planning for Client Settings in Configuration Manager
• Planning for Site Systems in Configuration Manager
• Planning for Content Management in Configuration Manager
• Planning for Boundaries and Boundary Groups in Configuration Manager
• Planning for Security in Configuration Manager
• Planning for Communications in Configuration Manager
• Planning for Site Operations in Configuration Manager
• Planning for High Availability with Configuration Manager
• Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager
Other Resources for this Product
• TechNet Library main page for System Center 2012 Configuration Manager
• Site Administration for System Center 2012 Configuration Manager

Supported Configurations for Configuration Manager
This topic appears in the Getting Started with System Center 2012 Configuration Manager guide and in the Site Administration for System Center 2012 Configuration Manager guide.
This topic specifies the requirements necessary to implement and maintain Microsoft System Center 2012 Configuration Manager in your environment. The following sections list products that are supported with System Center 2012 Configuration Manager. No extension of support for these products beyond their current product lifecycles is implied. Products that are beyond their current support lifecycle are not supported for use with Configuration Manager. For more information about Microsoft Support Lifecycles, visit the Microsoft Support Lifecycle website at Microsoft Support Lifecycle.
Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. For additional information about Microsoft support lifecycle policy, visit the Microsoft Support Lifecycle Support Policy FAQ Web site at Microsoft Support Lifecycle Policy FAQ.
Products that are not listed in this document are not supported with System Center 2012 Configuration Manager unless they are announced on the System Center Configuration Manager Team Blog.
• Interoperability Between System Center 2012 Configuration Manager and Configuration Manager 2007 Sites
• Client Site Assignment Considerations
• Configuration Manager System Requirements
• Site and Site System Role Scalability
• Site System Requirements
• Computer Client Requirements
• Mobile Device Requirements
• Configuration Manager Console Requirements
• Supported Upgrade Paths
• Configurations for the SQL Server Site Database
• SQL Server Requirements
• Function-Specific Requirements
• Application Management
• Out of Band Management
• Remote Control Viewer
• Support for Active Directory Domains
• Active Directory Schema Extensions
• Disjoint Namespaces
• Single Label Domains
• Windows Environment
• Support for Internet Protocol Version 6
• Support for Specialized Storage Technology
• Support for Computers in Workgroups
• Support for Virtualization Environments
• Support for Network Address Translation
• DirectAccess Feature Support
• BranchCache Feature Support
• Fast User Switching
• Dual Boot Computers

Interoperability Between System Center 2012 Configuration Manager and Configuration Manager 2007 Sites
A System Center 2012 Configuration Manager site or hierarchy cannot interoperate with a Configuration Manager 2007 site or hierarchy. A Configuration Manager 2007 site cannot report to a System Center 2012 Configuration Manager parent site, and you cannot upgrade a Configuration Manager 2007 site to a System Center 2012 Configuration Manager site. Instead of an in-place upgrade, you use System Center 2012 Configuration Manager migration to migrate your Configuration Manager 2007 objects and data to System Center 2012 Configuration Manager. For information about migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager, see Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager.
Because you can deploy a System Center 2012 Configuration Manager site or hierarchy side-by-side with a Configuration Manager 2007 site or hierarchy, take action to prevent clients from either version from trying to join a site from the other Configuration Manager version. For example, if your Configuration Manager hierarchies have overlapping boundaries, including the same network locations, you might assign each new client to a specific site instead of using automatic site assignment.
For information about automatic site assignment in System Center 2012 Configuration Manager, see How to Assign Clients to a Site in Configuration Manager.
System Center 2012 Configuration Manager supports only System Center 2012 Configuration Manager device and mobile device clients. The following clients and the following VPN connection are not supported:
• Any Configuration Manager 2007 or earlier computer client version.
• Any Configuration Manager 2007 or earlier device management client
• Windows CE Platform Builder device management client (any version)
• System Center Mobile Device Manager VPN connection

Client Site Assignment Considerations
System Center 2012 Configuration Manager clients can be assigned to only one site. When automatic site assignment is used to assign clients to a site during client installation and more than one boundary group includes the same boundary, and the boundary groups have different assigned sites, the actual site assignment of a client cannot be predicted. If boundaries overlap across multiple System Center 2012 Configuration Manager and Configuration Manager 2007 site hierarchies, clients might not get assigned to the correct site hierarchy or might not get assigned to a site at all.
System Center 2012 Configuration Manager clients check the version of the Configuration Manager site before they complete site assignment and cannot assign to a Configuration Manager 2007 site if boundaries overlap. However, Configuration Manager 2007 clients do not check for the site version and can incorrectly assign to a System Center 2012 Configuration Manager site. To prevent Configuration Manager 2007 clients from unintentionally assigning to a System Center 2012 Configuration Manager site when the two hierarchies have overlapping boundaries, configure Configuration Manager 2007 client installation parameters to assign clients to a specific site.

Configuration Manager System Requirements
The following sections specify the hardware and software requirements that are necessary to implement and maintain Microsoft System Center 2012 Configuration Manager in your environment.

Site and Site System Role Scalability
The following table contains information about the number of clients supported at each site type and by each client-facing site system role. This information is based on the recommended hardware for site systems.
For information about the recommended hardware for Configuration Manager sites, see Planning for Hardware Configurations for Configuration Manager. For information about the minimum required hardware to run a Configuration Manager site, see Minimum Hardware Requirements for Site Systems, in this topic.

Site or site system role: Central administration site
- A central administration site can support up to 25 child primary sites.
- When you use SQL Server Enterprise or Datacenter for the site database at the central administration site, the shared database and hierarchy support up to 400,000 clients. The maximum number of supported clients per hierarchy depends on the SQL Server edition at the central administration site and is independent of the SQL Server edition at primary or secondary sites.
  Note: Configuration Manager supports up to 400,000 clients per hierarchy when you use the default settings for all Configuration Manager features.
- When you use SQL Server Standard for the site database at the central administration site, the shared database and hierarchy support up to 50,000 clients. This is because of how the database is partitioned. If, after you install Configuration Manager, you upgrade the edition of SQL Server at the central administration site from Standard to Enterprise or Datacenter, the database is not repartitioned and this limitation remains.
  Note: You cannot assign Configuration Manager clients to a central administration site. Client support applies to clients that are assigned to child primary sites in the hierarchy.

Site or site system role: Primary site
- Each primary site can support up to 250 secondary sites.
  Note: The number of secondary sites per primary site assumes well-connected and reliable wide area network (WAN) connections. For locations that have fewer than 500 clients, consider a distribution point instead of a secondary site.
- A stand-alone primary site always supports up to 100,000 clients.
- A child primary site that uses SQL Server installed on the same computer as the site server can support up to 50,000 clients. When you use SQL Server installed on a computer that is remote from the site server, the child primary site can support up to 100,000 clients.
  Note: In a hierarchy with a central administration site that uses a Standard edition of SQL Server, the total number of clients supported in the hierarchy is limited to 50,000. In this hierarchy, a child primary site that uses a remote installation of SQL Server cannot support more clients than the hierarchy supports. The version of SQL Server that is used by a secondary site does not affect the number of clients that the primary site supports.
- Unlike a central administration site, the edition of SQL Server that you use for the primary site database does not affect the maximum number of clients the primary site supports. This is true for both child primary sites and stand-alone primary sites.

Site or site system role: Secondary site
- Each secondary site can support communications from up to 5,000 clients when you use a secondary site server computer with the recommended hardware and a fast and reliable network connection to its parent primary site. A secondary site might be able to support communications from additional clients when its hardware configuration exceeds the recommended hardware configuration. For information about the recommended hardware for Configuration Manager sites, see Planning for Hardware Configurations for Configuration Manager.

Site or site system role: Management point
Primary site:
- Each primary site management point can support up to 25,000 computer clients. To support 100,000 clients you must have at least four management points.
  Note: Do not place management points across a slow link from their primary site server or from the site database server.
- Each primary site can support up to 10 management points.
  Note: When you have more than four management points in a primary site, you do not increase the supported client count of the primary site beyond 100,000. Instead, the additional management points provide redundancy for communications from clients.
Secondary site:
- Each secondary site supports a single management point, which must be installed on the secondary site server.
- The secondary site management point supports communications from the same number of clients as supported by the hardware configuration of the secondary site server.

Site or site system role: Distribution point
- Individually, each primary site supports up to 250 distribution points, and each distribution point can support up to 4,000 clients.
- Individually, each secondary site supports up to 250 distribution points, and each distribution point can support up to the same number of clients as supported by the hardware configuration of the secondary site server, up to a maximum of 4,000 clients.
- Each primary site supports a combined total of up to 5,000 distribution points. This total includes all the distribution points at the primary site and all distribution points that belong to the primary site's child secondary sites.
  Note: The number of clients that one distribution point can support depends on the speed of your network, the disk performance of the distribution point computer, and the application or package size.

Site or site system role: Software update point
- Each site supports one active software update point for use on the intranet and, optionally, one software update point for use on the Internet. You can configure each of these software update points as a Network Load Balancing (NLB) cluster. You can have up to four software update points in the NLB cluster.
- A software update point that is installed on the site server can support up to 25,000 clients.
- A software update point that is installed on a computer that is remote from the site server can support up to 100,000 clients.
  Note: For more information, see Planning for Software Updates in Configuration Manager.

Site or site system role: Fallback status point
- Each primary site supports one fallback status point.
- Each fallback status point can support up to 100,000 clients.

Site or site system role: Application Catalog website point
- Each instance of this site system role supports up to 400,000 clients, providing service for the entire hierarchy.
- You can install multiple instances of the Application Catalog website point at primary sites.
- For improved performance, plan to support up to 50,000 clients per instance.
  Tip: As a best practice, install the Application Catalog website point and the Application Catalog web service point together on the same site system when they provide service to clients that are on the intranet.

Site or site system role: Application Catalog web service point
- Each instance of this site system role supports up to 400,000 clients, providing service for the entire hierarchy.
- You can install multiple instances of the Application Catalog web service point at primary sites.
- For improved performance, plan to support up to 50,000 clients per instance.
  Tip: As a best practice, install the Application Catalog website point and the Application Catalog web service point together on the same site system when they provide service to clients that are on the intranet.

Site or site system role: System Health Validator point
- Each System Health Validator point can support up to 100,000 clients.
Site System Requirements

Each System Center 2012 Configuration Manager site system server must use a 64-bit operating system. The only exception is the distribution point site system role, which can be installed on a limited set of 32-bit operating system versions.

Limitations for site systems:
- Site systems are not supported on Server Core installations of Windows Server 2008 or Windows Server 2008 R2, or on the Windows Server 2008 Foundation or Windows Server 2008 R2 Foundation operating systems.
- Changing the domain membership or computer name of a Configuration Manager site system after it is installed is not supported.
- Site system roles are not supported on an instance of a Windows Server cluster. The only exception is the site database server.

The following sections list the hardware requirements and operating system requirements for System Center 2012 Configuration Manager sites, typical site system roles, and function-specific site system roles.

Prerequisites for Site System Roles

The following table identifies the prerequisites that Configuration Manager requires for each site system role. Some prerequisites, such as SQL Server for the site database server or Windows Server Update Services (WSUS) for the software update point, might themselves require additional prerequisites that the site system role does not directly require. For site system roles that require Internet Information Services (IIS), use a version of IIS that is supported on the computer that runs the site system role. For information, see the sections Operating System Requirements for Typical Site System Roles and Operating System Requirements for Function-Specific Site System Roles, in this topic.
Columns for each site system role: .NET Framework version (1) | Windows Communication Foundation (WCF) activation (2) | Role services for the web server (IIS) role | Additional prerequisites

Site server
  .NET Framework: 3.5 SP1 and 4.0
  WCF activation: Not applicable
  IIS role services: Not applicable
  Additional prerequisites: Windows feature: Remote Differential Compression. By default, a secondary site installs a management point and a distribution point; therefore secondary sites must also meet the prerequisites for those site system roles.

Database server
  .NET Framework: Not applicable
  WCF activation: Not applicable
  IIS role services: Not applicable
  Additional prerequisites: A version of SQL Server that Configuration Manager supports must be installed on this computer. When you install SQL Server Express as part of a secondary site installation, the secondary site server computer must meet the requirements for SQL Server Express.

SMS Provider server
  .NET Framework: Not applicable
  WCF activation: Not applicable
  IIS role services: Not applicable
  Additional prerequisites: Not applicable

Application Catalog web service point
  .NET Framework: 3.5 SP1 and 4.0
  WCF activation: HTTP Activation and Non-HTTP Activation
  IIS role services: The default IIS configuration with the following additions: Application Development: ASP.NET (and automatically selected options); IIS 6 Management Compatibility: IIS 6 Metabase Compatibility
  Additional prerequisites: Not applicable

Application Catalog website point
  .NET Framework: 4.0
  WCF activation: Not applicable
  IIS role services: The default IIS configuration with the following additions: Common HTTP Features: Static Content, Default Document; Application Development: ASP.NET (and automatically selected options) (3); Security: Windows Authentication; IIS 6 Management Compatibility: IIS 6 Metabase Compatibility
  Additional prerequisites: Not applicable

Asset Intelligence synchronization point
  .NET Framework: 4.0
  WCF activation: Not applicable
  IIS role services: Not applicable
  Additional prerequisites: Not applicable

Distribution point (4)
  .NET Framework: Not applicable
  WCF activation: Not applicable
  IIS role services: You can use the default IIS configuration or a custom configuration. To use a custom IIS configuration, you must enable the following options for IIS: Application Development: ISAPI Extensions; Security: Windows Authentication; IIS 6 Management Compatibility: IIS 6 Metabase Compatibility and IIS 6 WMI Compatibility. When you use a custom IIS configuration, you can remove options that are not required, including the following: Common HTTP Features: HTTP Redirection; IIS Management Scripts and Tools.
  Additional prerequisites: Windows features: Remote Differential Compression; BITS Server Extensions (and automatically selected options), or Background Intelligent Transfer Services (BITS) (and automatically selected options). To support PXE or multicast, install the Windows Deployment Services role.

Endpoint Protection point
  .NET Framework: 3.5 SP1
  WCF activation: Not applicable
  IIS role services: Not applicable
  Additional prerequisites: Not applicable

Enrollment point
  .NET Framework: 3.5 SP1
  WCF activation: HTTP Activation and Non-HTTP Activation
  IIS role services: The default IIS configuration with the following addition: Application Development: ASP.NET (and automatically selected options)
  Additional prerequisites: Not applicable

Enrollment proxy point
  .NET Framework: 3.5 SP1
  WCF activation: HTTP Activation and Non-HTTP Activation
  IIS role services: The default IIS configuration with the following addition: Application Development: ASP.NET (and automatically selected options)
  Additional prerequisites: Not applicable

Fallback status point
  .NET Framework: Not applicable
  WCF activation: Not applicable
  IIS role services: The default IIS configuration with the following addition: IIS 6 Management Compatibility: IIS 6 Metabase Compatibility
  Additional prerequisites: Not applicable

Management point
  .NET Framework: 3.5 SP1, required only when the management point is configured to support mobile devices (5)
  WCF activation: Not applicable
  IIS role services: You can use the default IIS configuration or a custom configuration. To use a custom IIS configuration, you must enable the following options for IIS: Application Development: ISAPI Extensions; Security: Windows Authentication; IIS 6 Management Compatibility: IIS 6 Metabase Compatibility and IIS 6 WMI Compatibility. When you use a custom IIS configuration, you can remove options that are not required, including the following: Common HTTP Features: HTTP Redirection; IIS Management Scripts and Tools.
  Additional prerequisites: Windows feature: BITS Server Extensions (and automatically selected options), or Background Intelligent Transfer Services (BITS) (and automatically selected options)

Out of band service point
  .NET Framework: 4.0
  WCF activation: HTTP Activation and Non-HTTP Activation
  IIS role services: Not applicable
  Additional prerequisites: Not applicable

Reporting services point
  .NET Framework: 4.0
  WCF activation: Not applicable
  IIS role services: Not applicable
  Additional prerequisites: SQL Server Reporting Services installed and configured to use at least one instance for the reporting services point.

Software update point
  .NET Framework: 3.5 SP1 and 4.0
  WCF activation: Not applicable
  IIS role services: The default IIS configuration
  Additional prerequisites: Windows Server Update Services (WSUS) 3.0 SP2 must be installed on this computer.

State migration point
  .NET Framework: Not applicable
  WCF activation: Not applicable
  IIS role services: The default IIS configuration
  Additional prerequisites: Not applicable

System Health Validator point
  .NET Framework: Not applicable
  WCF activation: Not applicable
  IIS role services: Not applicable
  Additional prerequisites: This site system role is supported only on a NAP health policy server.

1 Install the full version of the Microsoft .NET Framework before you install the site system roles. For example, see the Microsoft .NET Framework 4 (Stand-Alone Installer). The Microsoft .NET Framework 4 Client Profile is insufficient for this requirement.
2 You can configure WCF activation as part of the .NET Framework Windows feature on the site system server. For example, on Windows Server 2008 R2, run the Add Features Wizard to install additional features on the server. On the Select Features page, expand .NET Framework 3.5.1 Features, then expand WCF Activation, and then select the check boxes for both HTTP Activation and Non-HTTP Activation to enable these options.
Important
3 In some scenarios, such as when IIS is installed or reconfigured after the .NET Framework version 4.0 is installed, you must explicitly enable ASP.NET version 4.0. For example, on a 64-bit computer that runs the .NET Framework version 4.0.30319, run the following command:
  %windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i -enable
4 You must manually install IIS on computers that run a supported version of Windows Server 2003. Additionally, to install IIS and configure the additional Windows features, the computer might require access to the Windows Server 2003 source media.
5 By default, a management point does not require the .NET Framework. However, each management point that you enable to support mobile devices requires the .NET Framework 3.5 SP1.

Minimum Hardware Requirements for Site Systems

This section identifies the minimum hardware requirements for Configuration Manager site systems. These requirements are sufficient to support all features of Configuration Manager in an environment with up to 100 clients, which makes them suitable for testing environments. For guidance about the recommended hardware for Configuration Manager in full-scale production environments, see Planning for Hardware Configurations for Configuration Manager.

The following minimum requirements apply to all site types (central administration site, primary site, secondary site) when you install all available site system roles on the site server computer.
Hardware component | Requirement
Processor | Minimum: AMD Opteron, AMD Athlon 64, Intel Xeon with Intel EM64T support, or Intel Pentium IV with EM64T support; minimum 1.4 GHz
RAM | Minimum: 2 GB
Free disk space | Available: 10 GB; Total: 50 GB

Operating System Requirements for Site Servers, Database Servers, and the SMS Provider

The following table lists the supported operating systems for System Center 2012 Configuration Manager site servers, the database server, and the SMS Provider site system role.

Columns: Operating system | System architecture | Central administration site | Primary site | Secondary site | Site database server (1) | SMS Provider
Windows Server 2008: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) | x64 | √ | √ | √ (2) | √ (2) | √
Windows Server 2008 R2: Standard Edition (without service pack, or with SP1), Enterprise Edition (without service pack, or with SP1), Datacenter Edition (without service pack, or with SP1) | x64 | √ | √ | √ (2) | √ (2) | √

1 For more information about the versions of SQL Server that Configuration Manager supports, see Configurations for the SQL Server Site Database in this topic.
2 Site database servers and secondary site servers are not supported on a computer that runs Windows Server 2008 or Windows Server 2008 R2 when that computer is a read-only domain controller (RODC).

Operating System Requirements for Typical Site System Roles

The following table specifies the operating systems that can support multi-function site system roles.
Columns: Operating system | System architecture | Distribution point (3) | Enrollment point and enrollment proxy point | Fallback status point | Management point
Windows Vista: Business Edition (SP1), Enterprise Edition (SP1), Ultimate Edition (without service pack, or with SP1) | x64 | √ (1, 2) | Not supported | Not supported | Not supported
Windows 7: Professional (without service pack, or with SP1), Enterprise Editions (without service pack, or with SP1), Ultimate Editions (without service pack, or with SP1) | x86, x64 | √ (1, 2) | Not supported | Not supported | Not supported
Windows Server 2003 R2: Standard Edition, Enterprise Edition | x86, x64 | √ (2) | Not supported | Not supported | Not supported
Windows Server 2003: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) | x86, x64 | √ (2) | Not supported | Not supported | Not supported
Windows Server 2003: Web Edition (SP2), Storage Server Edition (SP2) | x86 | √ (2) | Not supported | Not supported | Not supported
Windows Server 2008: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) | x64 | √ (2) | √ | √ | √
Windows Server 2008 R2: Standard Edition (without service pack, or with SP1), Enterprise Edition (without service pack, or with SP1), Datacenter Edition (SP1) | x64 | √ | √ | √ | √

1 Distribution points on this operating system are not supported for PXE.
2 Distribution points on this operating system version do not support multicast.
3 Unlike other site system roles, distribution points are supported on some 32-bit operating systems. Distribution points also support several different configurations that each have different requirements, and in some cases support installation not only on servers but also on client operating systems. For more information about the options available for distribution points, see Prerequisites for Content Management in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

Operating System Requirements for Function-Specific Site System Roles

The following table specifies the operating systems that are supported for use with each function-specific Configuration Manager site system role.

Columns: Operating system | System architecture | Application Catalog web service point and Application Catalog website point | Asset Intelligence synchronization point | Endpoint Protection point | Out of band service point | Reporting services point | Software update point | State migration point | System Health Validator point
Windows Server 2008: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) | x64 | √ | √ | √ | √ | √ | √ | √ | √
Windows Server 2008 R2: Standard Edition (without service pack, or with SP1), Enterprise Edition (without service pack, or with SP1), Datacenter Edition (SP1) | x64 | √ | √ | √ | √ | √ | √ | √ | √

Computer Client Requirements

The following sections describe the operating systems and hardware supported for System Center 2012 Configuration Manager computer client installation. Ensure that you also review Prerequisites for Client Deployment in Configuration Manager for a list of dependencies for the installation of the Configuration Manager client on computers and mobile devices.
Computer Client Hardware Requirements

The following are minimum requirements for computers that you manage with Configuration Manager.

Requirement | Details
Processor and memory | Refer to the processor and RAM requirements for the computer's operating system. Note: An exception is Windows XP and Windows 2003, which both require a minimum of 256 MB of RAM.
Disk space | 500 MB of available disk space, with 5 GB recommended for the Configuration Manager client cache.

The following are additional hardware requirements for optional functionality in Configuration Manager.

Function | Minimum hardware requirements
Operating system deployment | 384 MB of RAM
Software Center | 500 MHz processor
Remote Control | Pentium 4 Hyper-Threaded 3 GHz (single core) or comparable CPU, with at least 1 GB of RAM for an optimal experience.
Out of Band Management | Desktop or laptop computers must have Intel vPro Technology or Intel Centrino Pro and a supported version of Intel AMT.

Operating System Requirements for Configuration Manager Client Installation

The following table specifies the operating systems supported for Configuration Manager client installation. For server platforms, client support is independent of any other service that runs on that server unless noted otherwise. For example, the client is supported on domain controllers and on servers that run cluster services or terminal services.
Columns: Operating system | System architecture | System Center 2012 Configuration Manager
Windows XP Professional (SP3) | x86 | √
Windows XP Professional for 64-bit Systems (SP2) | x64 | √
Windows XP Tablet PC (SP3) | x86 | √
Windows Vista: Business Edition (SP2), Enterprise Edition (SP2), Ultimate Edition (SP2) | x86, x64 | √
Windows 7: Professional (without service pack, or with SP1), Enterprise Editions (without service pack, or with SP1), Ultimate Editions (without service pack, or with SP1) | x86, x64 | √
Windows Server 2003 Web Edition (SP2) | x86 | √
Windows Server 2003: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) (1) | x86, x64 | √
Windows Server 2003 R2 SP2: Standard Edition, Enterprise Edition, Datacenter Edition (1) | x86, x64 | √
Windows Storage Server 2003 R2 SP2 | x86, x64 | √
Windows Server 2008: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) (1) | x86, x64 | √
The Server Core installation of Windows Server 2008 (SP2) | x86, x64 | √
Windows Storage Server 2008 R2: Standard, Enterprise | x64 | √
Windows Server 2008 R2: Standard Edition (without service pack, or with SP1), Enterprise Edition (without service pack, or with SP1), Datacenter Edition (without service pack, or with SP1) (1) | x64 | √
The Server Core installation of Windows Server 2008 R2 (without service pack, or with SP1) | x64 | √
Windows Server 2008 R2 SP2: Standard Edition, Enterprise Edition, Datacenter Edition (1) | x64 | √

1 Datacenter releases are supported but not certified for System Center 2012 Configuration Manager. Hotfix support is not offered for issues specific to Windows Server Datacenter Edition.

Embedded Operating System Requirements for Configuration Manager Clients

System Center 2012 Configuration Manager supports clients for integration with Windows Embedded.

Support limitations for Windows Embedded:
- All client features are supported natively on supported Windows Embedded systems that do not have write filters enabled. For Windows Embedded systems that do have write filters enabled, the client features must be accomplished through the use of task sequences.
- The Application Catalog is not supported for any Windows Embedded system.
- Endpoint Protection in System Center 2012 Configuration Manager is not supported with versions of Windows Embedded that are based on Windows XP.

Configuration Manager supports the following Windows Embedded versions.
Columns: Windows Embedded operating system | Base operating system | System architecture
Windows Embedded Standard 2009 | Windows XP SP3 | x86
Windows XP Embedded SP3 | Windows XP SP3 | x86
Windows Fundamentals for Legacy PCs (WinFLP) | Windows XP SP3 | x86
Windows Embedded POSReady 2009 | Windows XP SP3 | x86
WEPOS 1.1 with SP3 | Windows XP SP3 | x86
Windows Embedded Standard 7 with SP1 | Windows 7 | x86, x64
Windows Embedded POSReady 7 | Windows 7 | x86, x64
Windows Thin PC | Windows 7 | x86, x64

Mobile Device Requirements

The following sections describe the hardware and operating systems that are supported for managing mobile devices in System Center 2012 Configuration Manager.

The following mobile device clients are not supported in the Configuration Manager hierarchy:
- Device management clients from Systems Management Server 2003 and Configuration Manager 2007
- Windows CE Platform Builder device management client (any version)
- System Center Mobile Device Manager VPN connection

Mobile Devices Enrolled By Configuration Manager

The following sections describe the hardware and operating systems that are supported for the mobile devices enrolled by System Center 2012 Configuration Manager.

Enrolled Mobile Device Client Language and Operating System Requirements

The following table lists the platforms and languages that support Configuration Manager enrollment.

Operating system | Supported languages
Windows Mobile 6.1 | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
  Note
Windows Mobile 6.5 | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Nokia Symbian Belle | Arabic, Basque (Basque), Bulgarian, Catalan, Chinese (Hong Kong SAR), Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, English (UK), English (US), Estonian, Farsi, Finnish, French (Canada), French (France), Galician, German, Greek, Hebrew, Hungarian, Icelandic, Indonesian, Italian, Kazakh, Korean, Latvian, Lithuanian, Malay, Norwegian, Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian (Latin/Cyrillic), Slovak, Slovenian, Spanish (Latin America), Spanish (Spain), Swedish, Tagalog (Filipino), Thai, Turkish, Ukrainian, Urdu, Vietnamese

Mobile Device Support by Using the Exchange Server Connector

System Center 2012 Configuration Manager offers limited management for mobile devices when you use the Exchange Server connector for Exchange ActiveSync (EAS) capable devices that connect to a server running Exchange Server. For more information about which management functions Configuration Manager supports for mobile devices that the Exchange Server connector manages, see Determine How to Manage Mobile Devices in Configuration Manager.

The following table lists the platforms that support the Exchange Server connector.

Version of Exchange Server | Supported
Exchange Server 2010 SP1 | √
Exchange Online (Office 365) (1) | √

1 Includes Business Productivity Online Standard Suite.

Mobile Device Legacy Client

The following sections list the hardware and operating systems that are supported for the mobile device legacy client in System Center 2012 Configuration Manager.

Mobile Device Legacy Client Hardware Requirements

The mobile device client requires 0.78 MB of storage space to install. In addition, logging on the mobile device can require up to 256 KB of storage space.

Mobile Device Legacy Client Operating System Requirements

System Center 2012 Configuration Manager supports management for Windows Phone, Windows Mobile, and Windows CE when you install the Configuration Manager mobile device legacy client. Features for these mobile devices vary by platform and client type. For more information about which management functions Configuration Manager supports for the mobile device legacy client, see Determine How to Manage Mobile Devices in Configuration Manager.

The mobile device legacy client is supported on the following mobile device platforms:

Operating system | Supported languages
Windows CE 5.0 (Arm and x86 processors) | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Windows CE 6.0 (Arm and x86 processors) | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Windows CE 7.0 (Arm and x86 processors) | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Windows Mobile 6.0 | Chinese (Simplified), Chinese (Traditional), English (US), French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish (Spain)
Configuration Manager Console Requirements

The Configuration Manager console is supported on the operating systems that are listed in the following table. Each computer that installs the Configuration Manager console requires the Microsoft .NET Framework 4.

Columns: Operating system | System architecture | System Center 2012 Configuration Manager
Windows XP Professional (SP3) | x86 | √
Windows Vista: Business Edition (SP2), Enterprise Edition (SP2), Ultimate Edition (SP2) | x86, x64 | √
Windows Server 2008: Standard Edition (SP2), Enterprise Edition (SP2), Datacenter Edition (SP2) | x86, x64 | √
Windows 7: Professional Edition (without service pack, or with SP1), Enterprise Edition (without service pack, or with SP1), Ultimate Edition (without service pack, or with SP1) | x86, x64 | √
Windows Server 2008 R2: Standard Edition (without service pack, or with SP1), Enterprise Edition (without service pack, or with SP1), Datacenter Edition (without service pack, or with SP1) | x64 | √

It is supported to install the System Center 2012 Configuration Manager console on the same computer as the Configuration Manager 2007 console. However, you cannot use the System Center 2012 Configuration Manager console to manage Configuration Manager 2007 sites, and vice versa.

The requirements in the following table apply to each computer that runs the Configuration Manager console.

Minimum hardware configuration:
- 1 x Pentium 4 Hyper-Threaded 3 GHz (Intel Pentium 4 HT 630 or comparable CPU)
- 2 GB of RAM
- 2 GB of disk space

Screen resolution (DPI setting | Minimum resolution):
96 / 100% | 1024x768
120 / 125% | 1280x960
144 / 150% | 1600x1200
196 / 200% | 2500x1600

Supported Upgrade Paths

The following sections identify the upgrade options for System Center 2012 Configuration Manager, the operating system version of site servers and clients, and the SQL Server version of database servers.

Site Upgrade

System Center 2012 Configuration Manager is available in the following releases.

Configuration Manager version: System Center 2012 Configuration Manager
Release options:
- An evaluation release, which expires 180 days after installation.
- A complete release, to perform a new installation.
More information: You can install System Center 2012 Configuration Manager as either a full installation or a trial installation. If you install Configuration Manager as a trial installation, after 180 days you can only connect a read-only Configuration Manager console, and Configuration Manager functionality is limited. At any time before or after the 180-day period, you have the option to upgrade the trial installation to a full installation. System Center 2012 Configuration Manager supports
  • 189. 189 Configuration Manager version Release options More information migration of your Configuration Manager 2007 infrastructure but does not support an in–place upgrade of sites from Configuration Manager 2007. However, migration supports the upgrade of a Configuration Manager 2007 distribution point, or secondary site that is co- located with a distribution point, to a System Center 2012 Configuration Manager distribution point. For more information about migrating to System Center 2012 Configuration Manager from Configuration Manager 2007, see Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager. Upgrade of the Site Server Operating System Configuration Manager supports an in-place upgrade of the operating system of the site server in the following situations:  In-place upgrade to a higher Windows Server service pack so long as the resulting service pack level remains supported by Configuration Manager. Configuration Manager does not support the following Windows Server upgrade scenarios.  Any version of Windows Server 2008 to any version of Windows Server 2008 R2. When a direct operating system upgrade is not supported, perform one of the following procedures after you have installed the new operating system:  Install System Center 2012 Configuration Manager with the service pack level that you want, and configure the site according to your requirements.  Install System Center 2012 Configuration Manager with the service pack level that you want and perform a site recovery. This scenario requires that you have a site backup that was created by using the Backup Site Server maintenance task on the original Configuration Manager site, and that you use the same installation settings for the new System Center 2012 Configuration Manager site. Client Operating System Upgrade Configuration Manager supports an in-place upgrade of the operating system for Configuration Manager clients in the following situations:
  • 190. 190  In-place upgrade to a higher Windows Server service pack so long as the resulting service pack level remains supported by Configuration Manager. Site Database Server Upgrade Considerations Configuration Manager supports an in-place upgrade of SQL Server on the site database server in the following situations:  In-place upgrade of SQL Server to a higher service pack so long as the resulting SQL Server service pack level remains supported by Configuration Manager. To upgrade SQL Server on the site database server: 1. Stop all Configuration Manager services at the site. 2. Upgrade SQL Server to a supported version. 3. Restart the Configuration Manager services. Configurations for the SQL Server Site Database Each System Center 2012 Configuration Manager site database can be installed on either the default instance or a named instance of a SQL Server installation. The SQL Server instance can be co-located with the site system server, or on a remote computer. When you use a remote SQL Server computer, the instance of SQL Server used to host the site database can also be configured as a SQL Server failover cluster in an active/passive cluster, or a multiple instance configuration. The site database site system role is the only System Center 2012 Configuration Manager site system role supported on an instance of a Windows Server cluster. If you use a SQL Server cluster for the site database, you must add the computer account of the site server to the Local Administrators group of each Windows Server cluster node computer. SQL Server database mirroring is not supported for the Configuration Manager site database. When you install a secondary site, you can use an existing instance of SQL Server or allow Setup to install and use an instance of SQL Server 2008 Express. Whichever option you choose, SQL Server must be located on the secondary site server. 
The following table lists the SQL Server versions that are supported by System Center 2012 Configuration Manager. SQL Server version Central administration site Primary site Secondary site SQL Server 2008 SP2 with a minimum of Cumulative Update 9  Standard 1  Enterprise √ √ √ Note
  • 191. 191 SQL Server version Central administration site Primary site Secondary site  Datacenter SQL Server 2008 SP3 with a minimum of Cumulative Update 4  Standard 1  Enterprise  Datacenter √ √ √ SQL Server 2008 R2 with SP1 and with a minimum of Cumulative Update 6  Standard 1  Enterprise  Datacenter √ √ √ SQL Server Express 2008 R2 with SP1 and with a minimum of Cumulative Update 4 Not Supported Not Supported √ 1 When you use SQL Server Standard for the database at the central administration site, the hierarchy can only support up to 50,000 clients. For more information see Site and Site System Role Scalability. SQL Server Requirements The following are required configurations for each database server with a full SQL Server installation, and on each SQL Server Express installation that you manually configure for secondary sites. You do not have to configure SQL Server Express for a secondary site if SQL Server Express is installed by Configuration Manager. Configuration More information Database collation The instance of SQL Server in use at each site must use the following collation: SQL_Latin1_General_CP1_CI_AS. SQL Server features Only the Database Engine Services feature is required for each site server. Note Configuration Manager database
  • 192. 192 Configuration More information replication does not require the SQL Server replication feature. Windows Authentication Configuration Manager requires Windows authentication to validate connections to the database. SQL Server instance You must use a dedicated instance of SQL Server for each site. SQL Server memory When you use a database server that is co- located with the site server, limit the memory for SQL Server to 50 to 80 percent of the available addressable system memory. When you use a dedicated SQL Server, limit the memory for SQL Server to 80 to 90 percent of the available addressable system memory. Configuration Manager requires SQL Server to reserve a minimum of 8 gigabytes (GB) of memory in the buffer pool used by an instance of SQL Server for the central administration site and primary site and a minimum of 4 gigabytes (GB) for the secondary site. This memory is reserved by using the Minimum server memory setting under Server Memory Options and is configured by using SQL Server Management Studio. For more information about how to set a fixed amount of memory, see How to: Set a Fixed Amount of Memory (SQL Server Management Studio). Optional SQL Server Configurations The following configurations either support multiple choices or are optional on each database server with a full SQL Server installation. Configuration More information SQL Server service You can configure the SQL Server service on each database server to run by using a domain local account or the local system account of the computer running SQL Server.  Use a domain user account as a SQL Server best practice. This type of
  • 193. 193 Configuration More information account can be more secure than the local system account but might require you to manually register the Service Principle Name (SPN) for the account.  Use the local system account of the computer running SQL Server to simplify the configuration process. When you use the local system account Configuration Manager automatically registers the SPN for the SQL Server service. Using the local system account for the SQL Server service is not a SQL Server best practice. For information about SQL Server best practices, see the product documentation for the version of Microsoft SQL Server that you are using. For information about SPN configurations for Configuration Manager, see How to Manage the SPN for SQL Server Site Database Servers. For information about how to change the account in use by the SQL Service, see How to: Change the Service Startup Account for SQL Server (SQL Server Configuration Manager). SQL Server Reporting Services Required to install a reporting services point that allows you to run reports. SQL Server ports For communication to the SQL Server database engine, and for intersite replication, you can use the default SQL Server port configurations or specify custom ports:  Intersite communications use the SQL Server Service Broker, which by default uses port TCP 4022.  Intrasite communication between the SQL Server database engine and various Configuration Manager site system roles by default use port TCP 1433. The following site system roles communicate directly with the SQL Server database:  Management point  SMS Provider computer  Reporting Services point
  • 194. 194 Configuration More information  Site server When a SQL Server hosts a database from more than one site, each database must use a separate instance of SQL Server, and each instance must be configured with a unique set of ports. Warning Configuration Manager does not support dynamic ports. Because SQL Server named instances by default use dynamic ports for connections to the database engine, when you use a named instance, you must manually configure the static port that you want to use for intrasite communication. If you have a firewall enabled on the computer running SQL Server, ensure that it is configured to allow the ports in use by your deployment, and at any locations on the network between computers that communicate with the SQL Server. For an example of how to configure SQL Server to use a specific port, see How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager) in the SQL Server TechNet library. Function-Specific Requirements The following sections identify function-specific requirements for Configuration Manager. Application Management For devices that run the Windows Mobile operating system, Configuration Manager only supports the Uninstall action for applications on Windows Mobile 6.1.4 or later. Out of Band Management System Center 2012 Configuration Manager supports out of band management for computers that have the following Intel vPro chip sets and Intel Active Management Technology (Intel AMT) firmware versions:
  • 195. 195  Intel AMT version 3.2 with a minimum revision of 3.2.1  Intel AMT version 4.0, version 4.1, and version 4.2  Intel AMT version 5,0, and version 5.2 with a minimum revision of 5.2.10  Intel AMT version 6.0, and version 6.1 The following limitations apply:  AMT provisioning is not supported on AMT-based computers that are running any version of Windows Server, Windows XP with SP2, or Windows XP Tablet PC Edition.  Out of band communication is not supported to an AMT-based computer that is running the Routing and Remote Access service in the client operating system. This service runs when Internet Connection Sharing is enabled, and the service might be enabled by line of business applications.  The out of band management console is not supported on workstations running Windows XP on versions earlier than Service Pack 3. For more information about out of band management in Configuration Manager, see Introduction to Out of Band Management in Configuration Manager. Remote Control Viewer The Configuration Manager remote control viewer is not supported on Windows Server 2003 or Windows Server 2008 operating systems. Support for Active Directory Domains All System Center 2012 Configuration Manager site systems must be members of a Windows Active Directory domain with a domain functional level of Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. Note: If you configure discovery to filter and remove stale computer records, the Active Directory domain functional level must be a minimum of Windows Server 2003. This requirement includes site systems that support Internet-based client management in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet). Configuration Manager client computers can be domain members, or workgroup members. 
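The site database requirements in the preceding SQL Server sections (supported versions per site type, collation, Windows authentication, one dedicated instance per site, memory reservation and limits, static ports) can be checked mechanically before Setup runs. The following Python is an added example, not code from the Microsoft documentation: the SqlInstance record and its field names are assumptions standing in for values an administrator would collect from SERVERPROPERTY, sp_configure and SQL Server Configuration Manager, and the sample instance is constructed; nothing here queries a live server.

```python
"""Site database prerequisite checks for System Center 2012 Configuration Manager.

Added example, not from the Microsoft documentation. The constants encode the
SQL Server requirements from the preceding sections; SqlInstance is an assumed
record of facts collected by hand. Nothing here queries a live server.
"""
from dataclasses import dataclass
from typing import Optional

REQUIRED_COLLATION = "SQL_Latin1_General_CP1_CI_AS"
DEFAULT_ENGINE_PORT = 1433   # intrasite: site system roles to the database engine
DEFAULT_BROKER_PORT = 4022   # intersite replication: SQL Server Service Broker
ALL_SITES = {"central administration site", "primary site", "secondary site"}
# (version, service pack) -> (minimum cumulative update, site types where supported)
SUPPORTED_SQL = {
    ("2008", 2): (9, ALL_SITES),
    ("2008", 3): (4, ALL_SITES),
    ("2008 R2", 1): (6, ALL_SITES),
    ("2008 R2 Express", 1): (4, {"secondary site"}),
}
# buffer pool reservation ("min server memory") required per site type, in MB
MIN_SERVER_MEMORY_MB = {"central administration site": 8192,
                        "primary site": 8192, "secondary site": 4096}
STANDARD_EDITION_CAS_CLIENT_LIMIT = 50000


@dataclass
class SqlInstance:
    """Constructed record of one instance (assumed field names, not a real API)."""
    version: str                      # "2008", "2008 R2" or "2008 R2 Express"
    service_pack: int
    cumulative_update: int
    edition: str                      # "Standard", "Enterprise", "Datacenter", "Express"
    collation: str
    windows_authentication: bool      # site connections use Windows authentication
    named_instance: bool
    static_tcp_port: Optional[int]    # None: the engine listens on a dynamic port
    service_broker_port: int
    min_server_memory_mb: int
    max_server_memory_mb: int
    system_memory_mb: int             # addressable memory on the database server
    colocated_with_site_server: bool
    hosts_other_site_databases: bool  # another site's database shares this instance


def max_memory_range_mb(system_memory_mb: int, colocated: bool) -> tuple:
    """Bounds for 'max server memory': 50 to 80 percent of addressable memory when
    co-located with the site server, 80 to 90 percent on a dedicated server."""
    low, high = (0.50, 0.80) if colocated else (0.80, 0.90)
    return int(system_memory_mb * low), int(system_memory_mb * high)


def firewall_ports(inst: SqlInstance) -> set:
    """TCP ports a firewall on the database server must allow for this instance."""
    engine = inst.static_tcp_port if inst.named_instance else DEFAULT_ENGINE_PORT
    return {p for p in (engine, inst.service_broker_port) if p is not None}


def check_site_database(inst: SqlInstance, site_type: str,
                        hierarchy_clients: int = 0) -> list:
    """Return the requirement violations found; an empty list means compliant."""
    findings = []
    entry = SUPPORTED_SQL.get((inst.version, inst.service_pack))
    if entry is None:
        findings.append(f"SQL Server {inst.version} SP{inst.service_pack} is not supported")
    else:
        min_cu, sites = entry
        if inst.cumulative_update < min_cu:
            findings.append(f"CU{inst.cumulative_update} is below the required CU{min_cu}")
        if site_type not in sites:
            findings.append(f"SQL Server {inst.version} is not supported at a {site_type}")
    if (site_type == "central administration site" and inst.edition == "Standard"
            and hierarchy_clients > STANDARD_EDITION_CAS_CLIENT_LIMIT):
        findings.append("Standard edition at the central administration site limits the "
                        f"hierarchy to {STANDARD_EDITION_CAS_CLIENT_LIMIT} clients")
    if inst.collation != REQUIRED_COLLATION:
        findings.append(f"collation must be {REQUIRED_COLLATION}, found {inst.collation}")
    if not inst.windows_authentication:
        findings.append("connections to the site database must use Windows authentication")
    if inst.hosts_other_site_databases:
        findings.append("each site requires its own dedicated instance of SQL Server")
    if inst.named_instance and inst.static_tcp_port is None:
        findings.append("named instance listens on a dynamic port; configure a static port")
    required_min = MIN_SERVER_MEMORY_MB[site_type]
    if inst.min_server_memory_mb < required_min:
        findings.append(f"min server memory {inst.min_server_memory_mb} MB is below the "
                        f"{required_min} MB reservation required for a {site_type}")
    low, high = max_memory_range_mb(inst.system_memory_mb, inst.colocated_with_site_server)
    if not low <= inst.max_server_memory_mb <= high:
        findings.append(f"max server memory {inst.max_server_memory_mb} MB is outside the "
                        f"recommended {low} to {high} MB range")
    return findings


if __name__ == "__main__":
    # constructed sample: a named instance on a dedicated server for a primary site
    sample = SqlInstance("2008 R2", 1, 6, "Standard", REQUIRED_COLLATION, True, True,
                         None, DEFAULT_BROKER_PORT, 4096, 30000, 32768, False, False)
    for finding in check_site_database(sample, "primary site"):
        print("-", finding)
```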
The following are limitations for site systems:
- It is not supported to change the domain membership, rename the domain, or change the computer name of a Configuration Manager site system after it is installed.

The following sections contain additional information about domain structures and requirements for Configuration Manager.

Active Directory Schema Extensions

Configuration Manager Active Directory schema extensions provide benefits for Configuration Manager sites, but they are not required for all Configuration Manager functions. For more information about Active Directory schema extension considerations, see Determine Whether to Extend the Active Directory Schema for Configuration Manager.

Note: If you have extended your Active Directory schema for Configuration Manager 2007, you do not have to update your schema for System Center 2012 Configuration Manager.

You can update the Active Directory schema before or after you install Configuration Manager. Schema updates do not interfere with existing Configuration Manager 2007 sites or clients. For more information about how to extend the Active Directory schema for System Center 2012 Configuration Manager, see the Prepare Active Directory for Configuration Manager section in the Prepare the Windows Environment for Configuration Manager topic.

Disjoint Namespaces

With the exception of out of band management, Configuration Manager supports installing site systems and clients in a domain that has a disjoint namespace. For more information about namespace limitations for when you manage AMT-based computers out of band, see Prerequisites for Out of Band Management in Configuration Manager.

A disjoint namespace scenario is one in which the primary Domain Name System (DNS) suffix of a computer does not match the Active Directory DNS domain name where that computer resides. The computer with the primary DNS suffix that does not match is said to be disjoint. Another disjoint namespace scenario occurs if the NetBIOS domain name of a domain controller does not match the Active Directory DNS domain name.

The following table identifies the supported scenarios for a disjoint namespace.

| Scenario | More information |
| --- | --- |
| Scenario 1: The primary DNS suffix of the domain controller is not the same as the Active Directory DNS domain name. Computers that are members of the domain can be either disjoint or not disjoint. | In this scenario, the primary DNS suffix of the domain controller is not the same as the Active Directory DNS domain name. The domain controller is disjoint in this scenario. Computers that are members of the domain, including site servers and computers, can have a primary DNS suffix that either matches the primary DNS suffix of the domain controller or matches the Active Directory DNS domain name. |
| Scenario 2: A member computer in an Active Directory domain is disjoint, even though the domain controller is not disjoint. | In this scenario, the primary DNS suffix of a member computer on which a site system is installed is not the same as the Active Directory DNS domain name, even though the primary DNS suffix of the domain controller is the same as the Active Directory DNS domain name. In this scenario, you have a domain controller that is not disjoint and a member computer that is disjoint. Member computers that are running the Configuration Manager client can have a primary DNS suffix that either matches the primary DNS suffix of the disjoint site system server or matches the Active Directory DNS domain name. |

Note: To allow a computer to access domain controllers that are disjoint, you must modify the msDS-AllowedDNSSuffixes Active Directory attribute on the domain object container. You must add both of the DNS suffixes to the attribute. In addition, to ensure that the DNS suffix search list contains all DNS namespaces that are deployed within the organization, you must configure the search list for each computer in the domain that is disjoint. Include in the list of namespaces the primary DNS suffix of the domain controller, the DNS domain name, and any additional namespaces for other servers with which Configuration Manager might interoperate. You can use the Group Policy Management console to configure the Domain Name System (DNS) suffix search list.

When you reference a computer in Configuration Manager, enter the computer by using its primary DNS suffix. This suffix should match the Fully Qualified Domain Name registered as the dnsHostName attribute in the Active Directory domain and the Service Principal Name associated with the system.

Single Label Domains

With the exception of out of band management, Configuration Manager supports site systems and clients in a single label domain when the following criteria are met:
- The single label domain in Active Directory Domain Services must be configured with a disjoint DNS namespace that has a valid top level domain. For example, the single label domain of Contoso is configured with a disjoint namespace in DNS of contoso.com. Therefore, when you specify the DNS suffix in Configuration Manager for a computer in the Contoso domain, you specify Contoso.com and not Contoso.
- DCOM connections between site servers in the system context must be successful using Kerberos authentication.
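As an added example that is not part of the Microsoft documentation, the following Python applies the disjoint namespace scenarios, the msDS-AllowedDNSSuffixes and suffix search list note, the dnsHostName naming rule, and the single label domain criterion above to a constructed domain and member computer. The Domain and Computer records are assumptions, and the check generalizes the note slightly: every DNS suffix in use, not only "both", must appear in msDS-AllowedDNSSuffixes, and a disjoint computer's search list must contain the domain controller's suffix and the AD DNS domain name.

```python
"""Disjoint namespace and single label domain checks for Configuration Manager.

Added example, not from the Microsoft documentation. Domain and Computer are
assumed records; the sample values in the tests are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Domain:
    ad_dns_name: str          # Active Directory DNS domain name, e.g. "corp.contoso.com"
    netbios_name: str         # NetBIOS domain name, e.g. "CONTOSO"
    dc_primary_suffix: str    # primary DNS suffix of the domain controllers
    allowed_dns_suffixes: set = field(default_factory=set)  # msDS-AllowedDNSSuffixes


@dataclass
class Computer:
    hostname: str             # short computer name, e.g. "CM01"
    primary_dns_suffix: str
    dns_search_list: list     # DNS suffix search list (for example, set by Group Policy)
    dns_host_name: str        # dnsHostName attribute of the computer object in AD


def norm(name: str) -> str:
    """DNS names compare case-insensitively; a trailing dot is not significant."""
    return name.strip().rstrip(".").lower()


def is_single_label(domain: Domain) -> bool:
    """A single label domain has no dot in its AD DNS name (e.g. "Contoso")."""
    return "." not in norm(domain.ad_dns_name)


def scenario(domain: Domain, computer: Computer) -> str:
    """Classify as in the scenario table: scenario 1 when the domain controller is
    disjoint, scenario 2 when only the member is disjoint, else 'not disjoint'."""
    dc_disjoint = norm(domain.dc_primary_suffix) != norm(domain.ad_dns_name)
    member_disjoint = norm(computer.primary_dns_suffix) != norm(domain.ad_dns_name)
    if dc_disjoint:
        return "scenario 1"
    if member_disjoint:
        return "scenario 2"
    return "not disjoint"


def configmgr_name(computer: Computer) -> str:
    """The name to enter in Configuration Manager: host name plus primary DNS suffix."""
    return norm(f"{computer.hostname}.{computer.primary_dns_suffix}")


def check_site_system(domain: Domain, computer: Computer) -> list:
    """Return the problems found; an empty list means the layout is supported."""
    findings = []
    case = scenario(domain, computer)
    if is_single_label(domain) and "." not in norm(computer.primary_dns_suffix):
        findings.append(f"single label domain {domain.netbios_name}: the computer needs a "
                        "disjoint DNS suffix with a valid top level domain (e.g. contoso.com)")
    if case == "scenario 1":
        # members of a domain with a disjoint DC may use either namespace, nothing else
        allowed = {norm(domain.dc_primary_suffix), norm(domain.ad_dns_name)}
        if norm(computer.primary_dns_suffix) not in allowed:
            findings.append(f"primary DNS suffix {computer.primary_dns_suffix} matches "
                            "neither the domain controller's suffix nor the AD DNS domain name")
    if case != "not disjoint":
        # every namespace in use must be listed in msDS-AllowedDNSSuffixes
        in_use = {norm(domain.dc_primary_suffix), norm(domain.ad_dns_name),
                  norm(computer.primary_dns_suffix)}
        missing = in_use - {norm(s) for s in domain.allowed_dns_suffixes}
        if missing:
            findings.append("msDS-AllowedDNSSuffixes is missing: " + ", ".join(sorted(missing)))
    if norm(computer.primary_dns_suffix) != norm(domain.ad_dns_name):
        # a disjoint computer must be able to resolve the DC's suffix and the domain name
        search = {norm(s) for s in computer.dns_search_list}
        missing = {norm(domain.dc_primary_suffix), norm(domain.ad_dns_name)} - search
        if missing:
            findings.append("DNS suffix search list is missing: " + ", ".join(sorted(missing)))
    if configmgr_name(computer) != norm(computer.dns_host_name):
        findings.append(f"name {configmgr_name(computer)} does not match the dnsHostName "
                        f"attribute {computer.dns_host_name}")
    return findings
```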
For more information about namespace limitations for when you manage AMT-based computers out of band, see Prerequisites for Out of Band Management in Configuration Manager. Windows Environment The following sections contain general support configuration information for System Center 2012 Configuration Manager. Important Note
  • 198. 198 Support for Internet Protocol Version 6 Configuration Manager supports Internet Protocol version 6 (IPv6) in addition to Internet Protocol version 4 (IPv4). The following table lists the exceptions. Function Exception to IPv6 support Network Discovery IPv4 is required when you configure a DHCP server to search in Network Discovery. Out of band management IPv4 is required to support out of band management. Windows CE IPv4 is required to support the Configuration Manager client on Windows CE devices. Support for Specialized Storage Technology Configuration Manager works with any hardware that is certified on the Windows Hardware Compatibility List (HCL) for the version of the operating system that the Configuration Manager component is installed on. Site Server roles require NTFS file systems so that directory and file permissions can be set. Because Configuration Manager assumes it has complete ownership of a logical drive, site systems that run on separate computers cannot share a logical partition on any storage technology, but each computer can use a separate logical partition on the same physical partition of a shared storage device. Support considerations for the listed storage technologies:  Storage Area Network: A Storage Area Network (SAN) is supported when a supported Windows-based server is attached directly to the volume that is hosted by the SAN.  Single Instance Storage: It is not supported to configure distribution point package and signature folders on a Single Instance Storage (SIS)-enabled volume. Additionally, the Configuration Manager clients cache is not supported on a SIS-enabled volume. Single Instance Storage (SIS) is a feature of the Windows Storage Server 2003 R2 operating system.  Removable Disk Drive: It is not supported to install Configuration Manager site system or clients on a removable disk drive. Support for Computers in Workgroups System Center 2012 Configuration Manager provides support for clients in workgroups. 
It is also supported for a client to be moved from a workgroup to a domain or from a domain to a workgroup. For more information, see How to Install Configuration Manager Clients on Workgroup Computers Note
  • 199. 199 All System Center 2012 Configuration Manager site systems must be members of a supported Active Directory domain. This requirement includes site systems that support Internet-based client management in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet). Support for Virtualization Environments Configuration Manager supports client installation and all site server roles in the following virtualization environments:  Windows Server2008  Microsoft Hyper-V Server 2008  Windows Server 2008 R2  Microsoft Hyper-V Server 2008 R2 Each virtual computer you use must meet or exceed the same hardware and software configuration you would use for a physical Configuration Manager computer. You can validate that your virtualization environment is supported for Configuration Manager by using the Server Virtualization Validation Program (SVVP) and its online Virtualization Program Support Policy Wizard. For more information about the Server Virtualization Validation Program (SVVP), see Windows Server Virtualization Validation Program. Configuration Manager does not support Virtual PC or Virtual Server guest operating systems running on Macintosh. Configuration Manager cannot manage virtual machines unless they are running. An offline virtual machine image cannot be updated nor can inventory be collected by using the Configuration Manager client on the host computer. No special consideration is given to virtual machines. For example, Configuration Manager might not determine that an update has to be re-applied to a virtual machine image if it is stopped and restarted without saving the state of the virtual machine to which the update was applied. Support for Network Address Translation Network Address Translation (NAT) is not supported in Configuration Manager, unless the site supports clients that are on the Internet and the client detects that it is on the Internet. 
For more information about Internet-based client management, see the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic. DirectAccess Feature Support Configuration Manager supports the DirectAccess feature in Windows Server 2008 R2 for communication between site system servers and clients. When all the requirements for DirectAccess are met, by using this feature Configuration Manager clients on the Internet can communicate with their assigned site as if they were on the intranet. Note
  • 200. 200 For server-initiated actions, such as remote control and client push installation, the initiating computer (such as the site server) must be running IPv6, and this protocol must be supported on all intervening networking devices. Configuration Manager does not support the following over DirectAccess:  Deploying operating systems  Communication between Configuration Manager sites  Communication between Configuration Manager site system servers within a site BranchCache Feature Support Windows BranchCache has been integrated in System Center 2012 Configuration Manager. You can configure the BranchCache settings on a deployment type for applications, on the deployment for a package, and for task sequences. When all the requirements for BranchCache are met, this feature enables clients at remote locations to obtain content from local clients that have a current cache of the content. For example, when the first BranchCache-enabled client computer requests content from a distribution point that is running Windows Server 2008 R2 and that has also been configured as a BranchCache server, the client computer downloads the content and caches it. This content is then made available for clients on the same subnet that request this same content, and these clients also cache the content. In this way, subsequent clients on the same subnet do not have to download content from the distribution point, and the content is distributed across multiple clients for future transfers. Configuration Manager supports BranchCache with Windows Server 2008 R2 and Windows 7 clients that are configured in BranchCache distributed cache mode. Support is extended to clients running a supported version of Windows Vista, Windows Server 2008 with SP1, and Windows Server 2008 with SP2 by using the BITS 4.0 release. However, on these operating systems, the BranchCache client functionality is not supported for software distribution that is run from the network or for SMB file transfers. 
You can install the BITS 4.0 release on Configuration Manager clients by using software updates or software distribution. For more information about the BITS 4.0 release, see Windows Management Framework. To support BranchCache with Configuration Manager, add the BranchCache feature to the Windows Server 2008 R2 site system server that is configured as a distribution point. System Center 2012 Configuration Manager distribution points on servers configured to support BranchCache require no further configuration. To use BranchCache, the clients that can support BranchCache must be configured for BranchCache distributed mode, and the operating system setting for BITS client settings must be enabled to support BranchCache. For more information about BranchCache, see BranchCache for Windows in the Windows Server documentation.
  • 201. 201 Fast User Switching Fast User Switching, available in Windows XP in workgroup computers, is not supported in System Center 2012 Configuration Manager. Fast User Switching is supported for computers that are running Windows Vista or later. Dual Boot Computers System Center 2012 Configuration Manager cannot manage more than one operating system on a single computer. If there is more than one operating system on a computer that must be managed, adjust the discovery and installation methods that are used to ensure that the Configuration Manager client is installed only on the operating system that has to be managed. See Also Planning for Configuration Manager Sites and Hierarchy Planning for Hardware Configurations for Configuration Manager This topic identifies recommended hardware configurations for System Center 2012 Configuration Manager site system servers, clients, and the Configuration Manager console. Use these recommendations as guidelines when you plan to scale your Configuration Manager environment to support more than a very basic deployment of sites, site systems, and clients. Use the information in this topic as a guide for the hardware to use when you run Configuration Manager at scale. For information about supported configurations for Configuration Manager, see Supported Configurations for Configuration Manager. These recommendations are not intended to cover each possible site and hierarchy configuration. Instead, use this information as a guide to help you plan for hardware that can meet the processing loads for clients and sites that use the available Configuration Manager features with the default configurations.  Configuration Manager Site Systems  Site Servers  Disk Space Configurations  Remote Site System Servers Configuration Manager Site Systems This section identifies recommended hardware configurations for Configuration Manager site systems. 
In general, the key factors that limit performance of the overall system include the following, in order: 1. Disk I/O performance 2. Available memory
  • 202. 202 3. CPU For best performance, use RAID 10 configurations for all data drives and 1Gbps Ethernet network connectivity between site system servers, including the database server. Site Servers Use the following recommendations for each Configuration Manager site server. For information about the disk space requirements, see Disk Space Configurations. Site details Suggested minimum configuration Central administration site with the Standard edition of SQL Server  SQL Server is located on the site server computer.  This configuration supports a hierarchy with up to 50,000 clients Note Database replication represents the largest processing load on the central administration site.  8 cores (Intel Xeon 5504 or comparable CPU)  32 GB of RAM  300 GB of disk space for the operating system, Configuration Manager, SQL Server, and all database files. Central administration site with the Enterprise or Datacenter edition of SQL Server  SQL Server is located on the site server computer  This configuration supports a hierarchy with up to 400,000 clients Note Database replication represents the largest processing load on the central administration site.  16 cores (Intel Xeon L5520 or comparable CPU)  64 GB of RAM  1.5 TB of disk space for the operating system, Configuration Manager, SQL Server, and all database files. Stand-alone primary site  Up to 100,000 clients  SQL Server is installed on the site server computer  8 cores (Intel Xeon E5504 or comparable CPU)  32 GB of RAM  550 GB hard disk space for the operating system, SQL Server, and all database files Primary site in a hierarchy  Up to 50,000 clients  SQL Server is installed on the site server computer  4 cores (Intel Xeon 5140 or comparable CPU)  16 GB of RAM  300 GB of hard disk space for the operating
system, Configuration Manager, SQL Server, and all database files.

Site details: Primary site in a hierarchy
- Up to 100,000 clients
- SQL Server is remote from the site server computer
Suggested minimum configuration:
Site server:
- 4 cores (Intel Xeon 5140 or comparable CPU)
- 8 GB of RAM
- 200 GB of disk space for the operating system and Configuration Manager.
Remote SQL Server:
- 8 cores (Intel Xeon E5504 or comparable CPU)
- 32 GB of RAM
- 550 GB of hard disk space for the operating system, SQL Server, and all database files.

Site details: Secondary site
- Communications from up to 5,000 clients
- SQL Server must be installed on the site server computer
Suggested minimum configuration:
- 4 cores (Intel Xeon 5140 or comparable CPU)
- 8 GB of RAM
- 100 GB of hard disk space for the operating system, Configuration Manager, SQL Server, and all database files.

Disk Space Configurations
Because disk allocation and configuration contribute to the performance of System Center 2012 Configuration Manager, disk space requirements can be greater than for previous product versions. Use the following information as guidelines when you determine the amount of disk space Configuration Manager requires. Because each Configuration Manager environment is different, these values can vary from the following guidance.
For the best performance, place each object on a separate, dedicated RAID volume. For all data volumes (Configuration Manager and its database files), use RAID 10 for the best performance.

Data usage, with the minimum disk space (1) and the disk space for 25,000, 50,000, and 100,000 clients:
- Operating system: See guidance for the operating system (minimum and all client counts).
- Configuration Manager application and log files: 25 GB minimum; 50 GB for 25,000 clients; 100 GB for 50,000 clients; 200 GB for 100,000 clients.
- Site database .mdf file: 75 GB for every 25,000 clients; 75 GB for 25,000 clients; 150 GB for 50,000 clients; 300 GB for 100,000 clients.
- Site database .ldf file: 25 GB for every 25,000 clients; 25 GB for 25,000 clients; 50 GB for 50,000 clients; 100 GB for 100,000 clients.
- Temp database files (.mdf and .ldf): As needed (all client counts).
- Content (distribution point shares): As needed (all client counts).
(1) The minimum disk space does not include the space required for source content that is located on the site server.

In addition to the preceding guidance, consider the following general guidelines when you plan for disk space requirements:
- Each client requires approximately 3 MB of space in the database.
- When planning for the size of the Temp database for a primary site, plan for a size that is 25% to 30% of the site database .mdf file. The actual size can be significantly smaller, or larger, and depends on the performance of the site server and the volume of incoming data over both short and long periods of time.
- The Temp database size for a central administration site is typically much smaller than that for a primary site.
- The secondary site database is limited in size to the following:
  - SQL Server 2008 Express: 4 GB
  - SQL Server 2008 R2 Express: 10 GB

Remote Site System Servers
Use the following as recommended hardware configurations for computers that run the following site system roles. These recommendations are for computers that hold a single site system role, and you should make adjustments when you install multiple site system roles on the same computer. For more information about the disk space requirements, see Disk Space Configurations in this topic.

Site system role: Management point
Suggested minimum configuration:
- 4 cores (Intel Xeon 5140 or comparable CPU)
- 8 GB of RAM
- 50 GB of disk space for the operating system and Configuration Manager.
Note: Management point performance relies most on memory and processor capacity.

Site system role: Distribution point
Suggested minimum configuration:
- 2 cores (Intel Xeon 5140 or comparable CPU)
- 8 GB of RAM
- Disk space as required for the operating system and content you deploy to the distribution point.
Note: Distribution point performance relies most on network I/O and disk I/O.

Site system role: Application Catalog, with the web service and website on the site system computer
Suggested minimum configuration:
- 4 cores (Intel Xeon 5140 or comparable CPU)
- 16 GB of RAM
- 50 GB of disk space for the operating system and Configuration Manager.

Site system role: All other site system roles
Suggested minimum configuration:
- 4 cores (Intel Xeon 5140 or comparable CPU)
- 8 GB of RAM
- 50 GB of disk space for the operating system and Configuration Manager.

See Also
Planning for Configuration Manager Sites and Hierarchy

PKI Certificate Requirements for Configuration Manager
The public key infrastructure (PKI) certificates that you might require for System Center 2012 Configuration Manager are listed in the following tables. This information assumes basic
knowledge of PKI certificates. For step-by-step guidance for an example deployment of these certificates, see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority. For more information about Active Directory Certificate Services, see Active Directory Certificate Services in Windows Server 2008.
With the exception of the client certificates that Configuration Manager enrolls on mobile devices, and the certificates that Configuration Manager installs on AMT-based computers, you can use any PKI to create, deploy, and manage the following certificates. However, when you use Active Directory Certificate Services and certificate templates, this Microsoft PKI solution can ease the management of the certificates. Use the Microsoft certificate template to use column to identify the certificate template that most closely matches the certificate requirements. Template-based certificates can be issued only by an enterprise certification authority running on the Enterprise Edition or Datacenter Edition of the server operating system, such as Windows Server 2008 Enterprise and Windows Server 2008 Datacenter.
When you use an enterprise certification authority and certificate templates, do not use the version 3 templates (Windows Server 2008, Enterprise Edition). These certificate templates create certificates that are incompatible with Configuration Manager.
Use the following sections to view the certificate requirements.

PKI Certificates for Servers

Configuration Manager component: Site systems that run Internet Information Services (IIS) and that are configured for HTTPS client connections:
- Management point
- Distribution point
- Software update point
- State migration point
- Enrollment point
- Enrollment proxy point
- Application Catalog web service point
- Application Catalog website point
Certificate purpose: Server authentication
Microsoft certificate template to use: Web Server
Specific information in the certificate: Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).
If the site system accepts connections from the Internet, the Subject Name or Subject Alternative Name must contain the Internet fully qualified domain name (FQDN).
If the site system accepts connections from the intranet, the Subject Name or Subject Alternative Name must contain either the intranet FQDN (recommended) or the computer's name, depending on how the site system is configured.
If the site system accepts connections from both the Internet and the intranet, both the Internet FQDN and the intranet FQDN (or computer name) must be specified by using the ampersand (&) symbol delimiter between the two names.
Important: When the software update point accepts client connections from the Internet only, the certificate must contain both the Internet FQDN and the intranet FQDN.
SHA-1 and SHA-2 hash algorithms are supported.
Configuration Manager does not specify a maximum supported key length for this certificate. Consult your PKI and IIS documentation for any key-size-related issues for this certificate.
How the certificate is used in Configuration Manager: This certificate must reside in the Personal store in the Computer certificate store.
This web server certificate is used to authenticate these servers to the client and to encrypt all data transferred between the client and these servers by using Secure Sockets Layer (SSL).

Configuration Manager component: Network Load Balancing (NLB) cluster for a software update point
Certificate purpose: Server authentication
Microsoft certificate template to use: Web Server
Specific information in the certificate:
1. The FQDN of the NLB cluster in the Subject Name field, or Subject Alternative Name field:
   - For network load balancing servers that support Internet-based client management, use the Internet NLB FQDN.
   - For network load balancing servers that support intranet clients, use the intranet NLB FQDN.
2. The computer name of the site system in the NLB cluster in the Subject Name field or Subject Alternative Name field. This server name must be specified after the NLB cluster name and the ampersand (&) symbol delimiter:
   - For site systems on the intranet, use the intranet FQDN if you specify them (recommended) or the computer NetBIOS name.
   - For site systems supporting Internet-based client management, use the Internet FQDN.
SHA-1 and SHA-2 hash algorithms are supported.
How the certificate is used in Configuration Manager: This certificate is used to authenticate the network load balancing software update point to the client, and to encrypt all data transferred between the client and these servers by using SSL.

Configuration Manager component: Site system servers and servers that run Microsoft SQL Server
Certificate purpose: Server authentication
Microsoft certificate template to use: Web Server
Specific information in the certificate: Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).
The Subject Name must contain the intranet fully qualified domain name (FQDN).
SHA-1 and SHA-2 hash algorithms are supported.
Maximum supported key length is 2048 bits.
How the certificate is used in Configuration Manager: This certificate must reside in the Personal store in the Computer certificate store, and Configuration Manager automatically copies it to the Trusted People Store for servers in the Configuration Manager hierarchy that might have to establish trust with the server. These certificates are used for server-to-server authentication.

Configuration Manager component: Site system monitoring for the following site system roles:
- Management point
- State migration point
Certificate purpose: Client authentication
Microsoft certificate template to use: Workstation Authentication
Specific information in the certificate: Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).
Computers must have a unique value in the Subject Name field or in the Subject Alternative Name field.
Note: If you are using multiple values for the Subject Alternative Name, only the first value is used.
SHA-1 and SHA-2 hash algorithms are supported.
Maximum supported key length is 2048 bits.
How the certificate is used in Configuration Manager: This certificate is required on the listed site system servers, even if the System Center 2012 Configuration Manager client is not installed, so that the health of these site system roles can be monitored and reported to the site.
The certificate for these site systems must reside in the Personal store of the Computer certificate store.

Configuration Manager component: Site systems that have a distribution point installed
Certificate purpose: Client authentication
Microsoft certificate template to use: Workstation Authentication
Specific information in the certificate: Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).
There are no specific requirements for the certificate Subject or Subject Alternative Name (SAN), and you can use the same certificate for multiple distribution points.
The private key must be exportable.
SHA-1 and SHA-2 hash algorithms are supported.
Maximum supported key length is 2048 bits.
How the certificate is used in Configuration Manager: This certificate has two purposes:
- It authenticates the distribution point to an HTTPS-enabled management point before the distribution point sends status messages.
- When the Enable PXE support for clients distribution point option is selected, the certificate is sent to computers that PXE boot so that if task sequences in the operating system deployment process include client actions such as client policy retrieval or sending inventory information, the client computers can connect to an HTTPS-enabled management point during the deployment of the operating system. This certificate is used for the duration of the operating system deployment process only and is not installed on the client. Because of this temporary use, the same certificate can be used for every operating system deployment if you do not want to use multiple client certificates.
This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported into the distribution point properties.
Note: The requirements for this certificate are the same as the client certificate for boot images for deploying operating systems. Because the requirements are the same, you can use the same certificate file.

Configuration Manager component: Out of band service point
Certificate purpose: AMT Provisioning
Microsoft certificate template to use: Web Server (modified)
Specific information in the certificate: Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1) and the following object identifier: 2.16.840.1.113741.1.2.3.
The subject name field must contain the FQDN of the server that is hosting the out of band service point.
Note: If you request an AMT provisioning certificate from an external CA instead of from your own internal CA, and it does not support the AMT provisioning object identifier of 2.16.840.1.113741.1.2.3, you can alternatively specify the following text string as an organizational unit (OU) attribute in the certificate subject name: Intel(R) Client Setup Certificate. This exact text string in English must be used, in the same case, without a trailing period, and in addition to the FQDN of the server that is hosting the out of band service point.
SHA-1 is the only supported hash algorithm.
Supported key lengths: 1024 and 2048. For AMT 6.0 and later versions, the key length of 4096 bits is also supported.
How the certificate is used in Configuration Manager: This certificate resides in the Personal store in the Computer certificate store of the out of band service point site system server.
This AMT provisioning certificate is used to prepare computers for out of band management.
You must request this certificate from a CA that supplies AMT provisioning certificates, and the BIOS extension for the Intel AMT-based computers must be configured to use the root certificate thumbprint (also referred to as the certificate hash) for this provisioning certificate. VeriSign is a typical example of an external CA that provides AMT provisioning certificates, but you can also use your own internal CA.
Install the certificate on the server that hosts the out of band service point, which must be able to chain successfully to the certificate's root CA. (By default, the root CA certificate and intermediate CA certificate for VeriSign are installed when Windows installs.)

Proxy Web Servers for Internet-Based Client Management
If the site supports Internet-based client management, and you are using a proxy web server by using SSL termination (bridging) for incoming Internet connections, the proxy web server has the certificate requirements listed in the following table.
If you are using a proxy web server without SSL termination (tunneling), no additional certificates are required on the proxy web server.

Network infrastructure component: Proxy web server accepting client connections over the Internet
Certificate purpose: Server authentication and client authentication
Microsoft certificate template to use:
1. Web Server
2. Workstation Authentication
Specific information in the certificate: Internet FQDN in the Subject Name field or in the Subject Alternative Name field.
Note: If you are using Microsoft certificate templates, the Subject Alternative Name is available with the workstation template only.
SHA-1 and SHA-2 hash algorithms are supported.
How the certificate is used in Configuration Manager: This certificate is used to authenticate the following servers to Internet clients and to encrypt all data transferred between the client and this server by using SSL:
- Internet-based management point
- Internet-based distribution point
- Internet-based software update point
The client authentication is used to bridge client connections between the System Center 2012 Configuration Manager clients and the Internet-based site systems.

PKI Certificates for Clients

Configuration Manager component: Client computers
Certificate purpose: Client authentication
Microsoft certificate template to use: Workstation Authentication
Specific information in the certificate: Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).
Client computers must have a unique value in the Subject Name field or in the Subject Alternative Name field.
Note: If you are using multiple values for the Subject Alternative Name, only the first value is used.
SHA-1 and SHA-2 hash algorithms are supported.
Maximum supported key length is 2048 bits.
How the certificate is used in Configuration Manager: By default, Configuration Manager looks for computer certificates in the Personal store in the Computer certificate store.
With the exception of the software update point and the Application Catalog website point, this certificate authenticates the client to site system servers that run IIS and that are configured to use HTTPS.

Configuration Manager component: Mobile device clients
Certificate purpose: Client authentication
Microsoft certificate template to use: Authenticated Session
Specific information in the certificate: Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).
SHA-1 is the only supported hash algorithm.
Maximum supported key length is 2048 bits.
Important: These certificates must be in Distinguished Encoding Rules (DER) encoded binary X.509 format. Base64 encoded X.509 format is not supported.
How the certificate is used in Configuration Manager: This certificate authenticates the mobile device client to the site system servers that it communicates with, such as management points and distribution points.

Configuration Manager component: Boot images for deploying operating systems
Certificate purpose: Client authentication
Microsoft certificate template to use: Workstation Authentication
Specific information in the certificate: Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).
There are no specific requirements for the certificate Subject Name field or Subject Alternative Name (SAN), and you can use the same certificate for all boot images.
The private key must be exportable.
SHA-1 and SHA-2 hash algorithms are supported.
Maximum supported key length is 2048 bits.
How the certificate is used in Configuration Manager: The certificate is used if task sequences in the operating system deployment process include client actions such as client policy retrieval or sending inventory information.
This certificate is used for the duration of the operating system deployment process only and is not installed on the client. Because of this temporary use, the same certificate can be used for every operating system deployment if you do not want to use multiple client certificates.
This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported into the Configuration Manager boot images.
Note: The requirements for this certificate are the same as the server certificate for site systems that have a distribution point installed. Because the requirements are the same, you can use the same certificate file.

Configuration Manager component: Root certification authority (CA) certificates for the following scenarios:
- Operating system deployment
- Mobile device enrollment
- RADIUS server authentication for Intel AMT-based computers
- Client certificate authentication
Certificate purpose: Certificate chain to a trusted source
Microsoft certificate template to use: Not applicable.
Specific information in the certificate: Standard root CA certificate.
How the certificate is used in Configuration Manager: The root CA certificate must be provided when clients have to chain the certificates of the communicating server to a trusted source. This applies in the following scenarios:
- When you deploy an operating system, and task sequences run that connect the client computer to a management point that is configured to use HTTPS.
- When you enroll a mobile device to be managed by System Center 2012 Configuration Manager.
- When you use 802.1X authentication for AMT-based computers, and you want to specify a file for the RADIUS server's root certificate.
In addition, the root CA certificate for clients must be provided if the client certificates are issued by a different CA hierarchy than the CA hierarchy that issued the management point certificate.

Configuration Manager component: Intel AMT-based computers
Certificate purpose: Server authentication.
Microsoft certificate template to use: Web Server (modified)
You must configure the Subject Name for Build from this Active Directory information, and then select Common name for the Subject name format.
You must grant Read and Enroll permissions to the universal security group that you specify in the out of band management component properties.
Specific information in the certificate: Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).
The Subject Name must contain the FQDN of the AMT-based computer, which is supplied automatically from Active Directory Domain Services.
SHA-1 is the only supported hash algorithm.
Maximum supported key length: 2048 bits.
How the certificate is used in Configuration Manager: This certificate resides in the nonvolatile random access memory of the management controller in the computer and is not viewable in the Windows user interface.
Each Intel AMT-based computer requests this certificate during AMT provisioning and for subsequent updates. If you remove AMT provisioning information from these computers, they revoke this certificate.
When this certificate is installed on Intel AMT-based computers, the certificate chain to the root CA is also installed. AMT-based computers cannot support CA certificates with a key length larger than 2048 bits.
After the certificate is installed on Intel AMT-based computers, this certificate authenticates the AMT-based computers to the out of band service point site system server and to computers that run the out of band management console, and encrypts all data transferred between them by using Transport Layer Security (TLS).

Configuration Manager component: Intel AMT 802.1X client certificate
Certificate purpose: Client authentication
Microsoft certificate template to use: Workstation Authentication
You must configure the Subject Name for Build from this Active Directory information, and then select Common name for the Subject name format, clear the DNS name and select the User principal name (UPN) for the alternative subject name.
You must grant the universal security group that you specify in the out of band management component properties Read and Enroll permissions to this certificate template.
Specific information in the certificate: Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).
The subject name field must contain the FQDN of the AMT-based computer, and the subject alternative name must contain the UPN.
Maximum supported key length: 2048 bits.
How the certificate is used in Configuration Manager: This certificate resides in the nonvolatile random access memory of the management controller in the computer and is not viewable in the Windows user interface.
Each Intel AMT-based computer can request this certificate during AMT provisioning, but they do not revoke this certificate when their AMT provisioning information is removed.
After the certificate is installed on AMT-based computers, this certificate authenticates the AMT-based computers to the RADIUS server so that it can then be authorized for network access.

See Also
Planning for Configuration Manager Sites and Hierarchy

Identify Your Network and Business Requirements to Plan a Configuration Manager Hierarchy
Before you install a System Center 2012 Configuration Manager hierarchy of sites, or a single site, you must understand your network structure, organizational requirements, and the resources that are available to use with Configuration Manager. You can then combine this information with the requirements for Configuration Manager to make decisions about your hierarchy and site designs, and site system server placement.
Use the information in the following sections when you plan your Configuration Manager hierarchy:
- Collect Data about Available Resources
- Understand Your Organization
- Understand Your Physical Networks
- Use the Data That You Collected to Plan Configuration Manager Sites
- Use Your Active Directory Information
- Use Collected Information to Plan for Discovery
- Use Collected Information to Plan for Boundaries and Boundary Groups
- Use Collected Information to Plan for Site and Hierarchy Design
- Use Collected Information to Plan for Site Systems

Collect Data about Available Resources
Before you design your System Center 2012 Configuration Manager deployment, you must understand the available network infrastructure and your company's IT organization and requirements.

Understand Your Organization
It is important that you know the structure of your organization because this information can influence how you deploy, use, and support Configuration Manager. It is also useful to know your organization's long-term plans. Changes such as mergers and acquisitions can have a significant effect on IT infrastructure. External factors that require changes and internal projects (either planned or in progress) can affect how you design and deploy Configuration Manager.
Use the following guidelines to help you collect data about your organization.

Considerations: Departmental organization
Details: Include the following information:
- High-level organization charts to help determine the divisional structure of your organization, the design of your Configuration Manager hierarchy, and your method of communicating Configuration Manager implementation updates to different departments
- Reporting hierarchy
- Communications methods
- Service level agreements (SLAs)

Considerations: IT organization and administrative policies
Details: Consider the following factors:
- The structure and technical level of local and remote IT divisions, their reporting hierarchies, and local and global IT administrative policies
- Organizational structure
- Reporting hierarchy
- Local administrative policies and SLAs
- Global IT administrative policies and SLAs

Considerations: Long-term business direction
Details: Any major business changes planned for the future, such as mergers, acquisitions, major physical moves, or network migrations

Geographic Profile
To deploy an efficient hierarchy of Configuration Manager sites, and to place individual sites in optimal locations, you must understand the geographic profile of your organization. Many organizations have centrally located headquarters with branch offices located in other regions as remote sites. Organizations that have locations in different cities must consider how to manage resources at those locations. This requires evaluation of the available network bandwidth between locations and an understanding of date and time zone differences that can affect how and when you distribute software to different locations.
Use the following guidelines to collect geographic information.

Geographic information: Date and time zone information
Details:
- List the time zone for each location, and list any date and time difference between the remote site and headquarters.
- Time zone.
- Date and time differences.

Geographic information: Operating systems and international operating system versions
Details: List the operating systems that are in use and their locations.

Active Directory Structure
When you plan your Configuration Manager hierarchy, consider the layout of your Active Directory structure (hierarchical forest arrangement and domain structure) and its physical structure (Active Directory site topology). An Active Directory site typically includes one or more well connected TCP/IP subnets. A well connected TCP/IP subnet has a fast, reliable network connection. Document your physical Active Directory structure and domain structure before you start the planning phase.
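The certificate rules from the PKI Certificate Requirements topic above (the Server Authentication and Client Authentication EKU OIDs, the ampersand-delimited Internet and intranet names, the AMT provisioning OID and its OU fallback, the SHA-1-only and DER-only cases, and the key-length limits) expressed as checks you can run against a certificate's attributes. This is an added example, not Microsoft or Configuration Manager code; the CertInfo record, the check_* functions, and the contoso.com names are assumptions of the example, and the attribute values are supplied by hand rather than read from a real certificate.

```python
"""Checks for the certificate requirements in the PKI Certificate Requirements topic above.
Added example, not Microsoft code. Certificate attributes are passed in as plain Python
values, as a PKI tool would report them; no real certificate is parsed here.
"""
from dataclasses import dataclass, field

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"          # Enhanced Key Usage: Server Authentication
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"          # Enhanced Key Usage: Client Authentication
AMT_PROVISIONING_OID = "2.16.840.1.113741.1.2.3"
# Fallback for an external CA that lacks the AMT OID: exact English text, same case, no trailing period
AMT_SETUP_OU = "Intel(R) Client Setup Certificate"
SHA2_ALGS = {"sha256", "sha384", "sha512"}


@dataclass
class CertInfo:
    subject_cn: str                                  # Subject Name common name
    ekus: set                                        # EKU OIDs present in the certificate
    key_bits: int                                    # public key length in bits
    hash_alg: str                                    # signature hash: "sha1", "sha256", ...
    sans: list = field(default_factory=list)         # Subject Alternative Name DNS entries
    subject_ous: list = field(default_factory=list)  # OU attributes of the Subject Name
    encoding: str = "der"                            # certificate file encoding: "der" or "base64"


def split_delimited_names(value):
    """Configuration Manager joins two names in one field with the ampersand (&) delimiter."""
    return [part.strip() for part in value.split("&") if part.strip()]


def presented_names(cert):
    """Every name in the Subject Name or SAN, with '&'-delimited fields expanded."""
    names = set()
    for value in [cert.subject_cn] + list(cert.sans):
        names.update(split_delimited_names(value))
    return names


def check_hash_and_key(cert, sha1_only=False, max_bits=2048):
    """Shared hash-algorithm and key-length rules; max_bits=None means no stated maximum."""
    problems = []
    allowed = {"sha1"} if sha1_only else {"sha1"} | SHA2_ALGS
    if cert.hash_alg not in allowed:
        problems.append(f"hash {cert.hash_alg} is not supported for this certificate")
    if max_bits is not None and cert.key_bits > max_bits:
        problems.append(f"key length {cert.key_bits} exceeds the {max_bits}-bit maximum")
    return problems


def check_iis_site_system(cert, internet_fqdn=None, intranet_name=None):
    """Web server certificate for an HTTPS-enabled IIS site system (management point, DP, SUP, ...).
    Pass internet_fqdn for Internet clients, intranet_name (FQDN recommended, or computer name)
    for intranet clients, or both. Returns a list of problems; empty means the stated rules are met.
    """
    problems = []
    if SERVER_AUTH_OID not in cert.ekus:
        problems.append("EKU must contain Server Authentication (1.3.6.1.5.5.7.3.1)")
    problems += check_hash_and_key(cert, max_bits=None)  # no maximum key length is stated
    names = presented_names(cert)
    for required in (internet_fqdn, intranet_name):
        if required and required not in names:
            problems.append(f"{required} is missing from the Subject Name and SAN")
    if internet_fqdn and intranet_name:
        # Both names must share one field, Internet FQDN first, '&' between them
        if f"{internet_fqdn}&{intranet_name}" not in [cert.subject_cn] + list(cert.sans):
            problems.append("Internet and intranet names must appear in one field as 'internet&intranet'")
    return problems


def check_nlb_software_update_point(cert, nlb_fqdn, server_name):
    """NLB cluster certificate: '<NLB FQDN>&<site system name>' in the Subject Name or SAN."""
    problems = [] if SERVER_AUTH_OID in cert.ekus else ["EKU must contain Server Authentication"]
    problems += check_hash_and_key(cert, max_bits=None)
    if f"{nlb_fqdn}&{server_name}" not in [cert.subject_cn] + list(cert.sans):
        problems.append(f"expected '{nlb_fqdn}&{server_name}' in the Subject Name or SAN")
    return problems


def check_amt_provisioning(cert, oob_service_point_fqdn, amt_version=(6, 0)):
    """Out of band service point provisioning certificate (Web Server template, modified)."""
    problems = [] if SERVER_AUTH_OID in cert.ekus else ["EKU must contain Server Authentication"]
    if AMT_PROVISIONING_OID not in cert.ekus and AMT_SETUP_OU not in cert.subject_ous:
        problems.append(f"need EKU {AMT_PROVISIONING_OID} or the OU '{AMT_SETUP_OU}' (exact text)")
    if oob_service_point_fqdn not in split_delimited_names(cert.subject_cn):
        problems.append("Subject Name must contain the FQDN of the out of band service point server")
    problems += check_hash_and_key(cert, sha1_only=True, max_bits=None)  # SHA-1 only
    allowed_bits = {1024, 2048} | ({4096} if amt_version >= (6, 0) else set())  # 4096 from AMT 6.0
    if cert.key_bits not in allowed_bits:
        problems.append(f"key length {cert.key_bits} is not supported for AMT {amt_version}")
    return problems


def check_mobile_device_client(cert):
    """Mobile device client certificate: Client Authentication, SHA-1 only, DER-encoded X.509."""
    problems = [] if CLIENT_AUTH_OID in cert.ekus else ["EKU must contain Client Authentication"]
    problems += check_hash_and_key(cert, sha1_only=True, max_bits=2048)
    if cert.encoding != "der":
        problems.append("certificate must be DER encoded binary X.509; Base64 encoding is not supported")
    return problems
```

A certificate that passes the general IIS check can still fail the AMT or mobile device checks, because those roles accept SHA-1 only and, for mobile devices, DER encoding only.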
Later, when you plan your Configuration Manager deployment, pay attention to the more detailed information of the logical structure, such as the organizational units, because these can help determine how you organize collections, distribute software, and perform queries in Configuration Manager.
Use the following guidelines to collect Active Directory information.

Active Directory structure: Logical structure
Details: The logical structure of your organization as represented by the following Active Directory components: organizational units, domains, trees, and forests. Information that you collect about domains and forests must include information about trusted and untrusted domains and forests that contain resources that you will use or manage with Configuration Manager. This includes information about existing domains and trusts across forests.

Active Directory structure: Physical structure
Details: The physical structure of your organization as represented by the following Active Directory components: Active Directory sites (physical subnets) and domain controllers.

Information Technology Organization
It is important to determine your personnel resource requirements and to assign project roles when you plan your Configuration Manager deployment. To do this, you first must have an understanding of your current IT organization. You require this information during your Configuration Manager planning and deployment phases, and also for post-deployment operational tasks.
Understand the structure of the IT staff in your organization. For example, you might have one central IT group with members in close communication. Or you might have many decentralized groups where communication is not optimal. There might be a central headquarters with IT responsibility, or many separate administrative units with widely varying goals and philosophies.
Use the following guidelines to collect IT organization information.

Details:
- Collect information about your IT organization. Also create an organization chart that maps your IT organization to your geographic profile.
- IT reporting hierarchy.
- IT departmental divisions that produce an overlap in Configuration Manager tasks (for example, a department separate from the Configuration Manager team manages all database servers, including computers that are running Microsoft SQL Server).
- Locations where management control or policy issues exist.
- Level of technical sophistication and security clearance of IT staff members who are working with Configuration Manager before, during, or after deployment.
- Auditing policies.
- Service level agreements for departments, end users, and IT groups.
- Operating systems in use on the network.
- Sensitivity to security risks.
- Change control policy.

Security Environment
Use the following guidelines to collect security policy information.

Details:
- Collect information about your organization's security policies, such as the following:
  - Account password policies
  - Account reuse policies
  - Account rights policies
  - Client and server lockdown policies (restrictions on disks and registry, services that are stopped, whether services use Domain Administrator accounts, and hidden shared folders that are removed)
  - Auditing policies
- Separation of or delegation of duties between IT divisions within the enterprise.
- The degree to which users must retain control of client devices, and any exceptions to such policies (such as servers, or computers in use by programmers).
- Collect information about how security-related issues will be handled and supported, such as the following information:
  - Sensitivity to security risks
  - Importance of ease of administration
  - Special requirements for secure data access and transmission
  - Service level agreements (SLAs) for applying security updates

Operating System Languages
Identify the client and server operating system languages that devices use that you will manage with Configuration Manager. By default, the Configuration Manager console and client-facing user interface display information in English. However, each site can install support for multiple supported languages that can display information in the operating system's language. This information can help you plan for the languages you require at each site to provide your administrative users and end users with the language support that they require.

Understand Your Physical Networks
It is important that you know the structure of your available networks, the network topology, available bandwidth, the location of servers, and the location of computers that might be installed as Configuration Manager clients. This information can influence your decisions about where and what type of sites your Configuration Manager design requires.
Use the following sections to assist you when you collect data about your organization.

Network Topology
Create high-level diagrams of your network topology that include any available information that is listed in the following table. Later, after you make decisions about your Configuration Manager hierarchy structure and site system hardware requirements, you can determine whether any equipment upgrades or additions are required before you begin your Configuration Manager deployment. Network diagrams are also helpful when you create a representative test environment for a test network or pilot project.
Ensure that your network diagram is detailed and specific. If your network is large or complex, consider creating a similar but separate diagram for your domain structure and server topology.
Use the following guidelines to collect network topology information.

Network topology: High-level wide area network (WAN)/LAN architecture
Details: Links, gateways, firewalls, extranets, virtual private networks, and perimeter networks

Network topology: Network size
Details: Number of servers and clients at each location

Network topology: Network bandwidth
Details: Link speeds and available bandwidth, including any known bandwidth issues

Network topology: Network usage and traffic patterns
Details: Categorize the amount of traffic, and identify the times of day when the network usage is heaviest (peak times) and the times that are scheduled for backup and maintenance (nonpeak times)

Network topology: Network types
Details: Windows and non-Microsoft network operating systems

Network topology: Network protocols
Details: TCP/IP, IPv4, IPv6, AppleTalk, and so on, and name resolution methods such as DNS and WINS

Network topology: IP subnet structure
Details: The Internet Protocol (IP) subnets on your network by subnet ID

Network topology: Active Directory site structure
Details: Active Directory organizational units, site names, trees, and forests

Server Environment
Configuration Manager uses typical network infrastructure, which includes Active Directory Domain Services, DNS, or WINS for name resolution, and Internet Information Services (IIS) for client communications with Configuration Manager site system servers.
Use the following guidelines to assist in gathering server data.

Server data: Location and function
Details: Document the location and function of the computers that run the core services of your network, such as global catalog servers, domain controllers, DNS and WINS servers, IIS servers, certification authority (CA) servers, computers that run Microsoft SQL Server or Terminal Services, servers running Microsoft Exchange Server, print servers, and file servers.

Server data: Naming conventions
Details: Document current naming conventions for products that you use with Configuration Manager, such as computers that run Windows Server 2008 and SQL Server. This helps you establish and document naming conventions for your Configuration Manager hierarchy elements. These elements include sites, site codes, servers, and the objects that are used by or created in the Configuration Manager console. Because the site code is used to identify each Configuration Manager site, it is important that these are centrally assigned and tracked.

Server data: Hardware, software, and network information
Details: Document hardware, software, and network information for each server to use as a site system role in your Configuration Manager hierarchy. For example, document the following information for each server that will be part of your Configuration Manager hierarchy:
- Processor type and speed
- Amount of random access memory (RAM)
- Disk and array controller configuration and characteristics, including size, cache size, and the drive models and types
- Platform operating system, version, and language
- Whether the Windows Cluster service or Windows Network Load Balancing Service is enabled
- Relevant software applications located on servers, which includes firewall and antivirus software

Device Environment
Where applicable, identify information about devices in your network diagram. This type of information can help you determine whether you must upgrade operating systems before you deploy Configuration Manager, the scope of your client deployment for devices, and which discovery and Configuration Manager client installation methods you will employ. It is important to gather this information so that you can prepare for interoperability and connectivity issues that might prevent the Configuration Manager client from installing.
For example, suppose that all members of the Contoso Pharmaceuticals sales group use portable computers:
- Some laptops run Windows XP Professional SP2 (which is not supported as a System Center 2012 Configuration Manager client), and others run Windows 7.
- Additionally, members of the sales team travel frequently from one location to another and use a custom remote access application to access the sales database located at headquarters.
- The Contoso Pharmaceuticals marketing group, however, uses desktop computers that run Windows Vista. Although they do not travel, the marketing members have home computers that they use to remotely connect to the corporate network over a virtual private network (VPN).
The information about operating systems, travel, and custom applications can help you prepare to manage the computer operating systems that are in use and plan for operating system upgrades before you deploy Configuration Manager. This information also helps you plan for the deployment of site system servers for clients on the intranet and on the Internet, and make further plans to manage the custom applications that you use.
Use the following guidelines to help you gather data about the devices to manage.
Device considerations Details Number of devices to manage Total number of devices in use on your network, and their physical and logical groupings. IP subnet size Number and types (operating systems) of devices on each IP subnet, which includes the projected number of managed devices in the next year. Logon scripts Whether users use logon scripts, and if those
  • 230. 230 Device considerations Details scripts are customized to users or groups. Note the file name and location of each script, and users and groups that are associated with each script. Security rights Desktop security rights that are granted to end users. Operating systems Windows operating systems (include the language version) in use on each IP subnet, and the locations of any computers running operating systems other than Windows. Device mobility Computers that are shared by multiple users, laptops that travel from one location to another, mobile devices, all home-based computers that have remote access to the network, and any other device environments. Software A database or spreadsheet of all major applications that are in use in the enterprise, categorized by organizational division or by IP subnet. Special applications Divisions or departments that use Windows Terminal Services to run applications, or that use other special applications, such as internally manufactured or obsolete applications. Connectivity The types of connectivity that different organizational groups use, which includes remote connection speeds (dependent on the remote access method in use, such as wireless, dial-up, the Internet, or others). Use the Data That You Collected to Plan Configuration Manager Sites After you collect relevant information about your networks and organization, you can combine this information with Configuration Manager options and requirements to plan a site or hierarchy that makes efficient use of your available resources and also meets your organizational goals. Use the following sections to help you use this data when you plan a site or hierarchy.
Use Your Active Directory Information

Combine the information about your Active Directory environment with the information in the following table to identify how you can use your existing Active Directory investment with Configuration Manager.

Active Directory planning / Details

Add your Active Directory sites to Configuration Manager as boundaries
    Consider using Active Directory Forest Discovery to first identify Active Directory sites and subnets, and then add them as Configuration Manager boundaries. For more information, see About Active Directory Forest Discovery.
Extend the Active Directory schema to simplify the management of client communication to Configuration Manager sites
    The preferred, but optional, method for clients to find information about Configuration Manager sites and the Configuration Manager services that are available is from Active Directory Domain Services. When you extend the Active Directory schema and enable sites to publish data to Active Directory, clients can automatically discover resources from this trusted source, and make efficient use of the network, based on their current location. For more information, see Determine Whether to Extend the Active Directory Schema for Configuration Manager.
Use Configuration Manager to manage sites that span multiple Active Directory forests
    Configurations across forests within a site or between two sites require a full two-way forest trust so that Kerberos can be used for authentication. You can manage computers that are not members of a trusted Active Directory domain; however, you must implement additional configurations to support these computers. For more information, see Planning for Communications in Configuration Manager.
Use Collected Information to Plan for Discovery

Combine the information about your Active Directory structure, your network, and device resources with the information in the following table to help you plan for discovery, which finds resources for Configuration Manager to manage.

Discovery planning / Details

Use the Active Directory discovery methods to find computers, users, and groups that you can manage with Configuration Manager
    To query Active Directory Domain Services for resources, you must understand your Active Directory container and location structure (local domain, local forest). Also understand how to construct custom Lightweight Directory Access Protocol (LDAP) or Global Catalog queries so that you can search specific areas of Active Directory Domain Services to conserve network bandwidth when you run the Active Directory discovery methods. For more information about which discovery method to use to discover different resources, see the Decide Which Discovery Methods to Use section in the Planning for Discovery in Configuration Manager topic.
Use Network Discovery to discover details of your network topology and computer resources that you can manage with Configuration Manager
    To query your network with Network Discovery, understand your DHCP server infrastructure, available SNMP-enabled devices, or Active Directory domains. This information can help you configure a Network Discovery search to conserve network bandwidth when you run Network Discovery. For more information about Network Discovery, see the About Network Discovery section in the Planning for Discovery in Configuration Manager topic.
Use Active Directory Forest Discovery to search your local forest, and any additional forests that you configure, for Active Directory sites and subnets
    Consider using Active Directory Forest Discovery to first identify Active Directory sites and subnets, and then add them as Configuration Manager boundaries. For more information, see the About Active Directory Forest Discovery section in the Planning for Discovery in Configuration Manager topic.
Use Collected Information to Plan for Boundaries and Boundary Groups

System Center 2012 Configuration Manager clients use boundary groups during client installation for site assignment, and after installation to locate resources for content deployment. You assign boundaries to boundary groups, and can also assign content servers to boundary groups. Each boundary group can support two distinct configurations: site assignment and content location.

When you configure two or more boundary groups to include the same boundary, directly or indirectly, they are considered to be overlapping. For example, you might add an IP subnet boundary of 5.5.5.5 directly to a boundary group. Next, you add an Active Directory site that includes that same IP subnet to a second boundary group. These two boundary groups now overlap because each includes the 5.5.5.5 subnet.

Configuration Manager supports overlapping boundaries for content location. This type of configuration can help to provide additional options for clients when they search for available content. However, Configuration Manager does not support overlapping boundaries for site assignment, because the client cannot identify which site to join. For more information, see Planning for Boundaries and Boundary Groups in Configuration Manager.

Combine the information about your network topology, available bandwidth, computer resources, and organization requirements with the information in the following table to help you plan for boundaries and boundary groups.

Options to consider / Details

Create separate boundary groups for site assignment and for content location
    Although boundary groups support configurations for site assignment and content location, consider creating a distinct set of boundary groups for each purpose.
    - Configure boundary groups for client site assignment without overlapping boundaries. If you assign a boundary to a boundary group, do not assign it to another boundary group that specifies a different site.
    - You can configure boundary groups for content location with overlapping boundaries. Each boundary that you assign to a boundary group will be associated with each content location server that you associate with the same boundary group. Overlapping boundary configurations for content location can provide flexibility for clients that request content.
    For more information, see Planning for Boundaries and Boundary Groups in Configuration Manager.
Content location
    Add specific network locations as boundaries to the boundary group, and then add distribution points that are on fast network connections to those network locations. Clients that are on the specified boundaries receive those servers as content locations during content requests.
    Note: State migration points are also considered content location servers when you configure boundary groups.
    For more information about content location, see Planning for Content Management in Configuration Manager.
Site assignment
    Add specific network locations as boundaries to the boundary group, and then specify a site for the boundary group. Avoid assigning the same boundary, directly or indirectly, to more than one boundary group that you use for site assignment. For more information about client site assignment, see How to Assign Clients to a Site in Configuration Manager.
Fallback site assignment
    Consider configuring the hierarchy with a fallback site assignment. The fallback site is assigned to a new client computer that automatically discovers its site when that client is on a network boundary that is not associated with any boundary group that is configured for site assignment. For more information, see the Configure a Fallback Site for Automatic Site Assignment section in the Configuring Settings for Client Management in Configuration Manager topic.
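The overlap rules above (direct and indirect inclusion of a subnet, overlap allowed for content location but not for site assignment, and the fallback site for uncovered boundaries) can be checked against a planned set of boundary groups before anything is configured in the console. The following is an added example written for this page; it is not Configuration Manager product code or a Microsoft tool. It models Active Directory site boundaries as the set of subnets that Active Directory Forest Discovery would report for that site, compares subnets by subnet ID only (IP range boundaries are not modelled), and all group names, site codes, subnets and distribution point names are constructed sample data.

```python
"""Boundary-group planning check (added example; not Configuration Manager code).

Rules modelled, as described in the planning text:
  - a boundary is an IP subnet or an Active Directory site; an AD site boundary
    indirectly includes every subnet that belongs to that site;
  - two boundary groups overlap when they include the same subnet, directly or
    indirectly;
  - overlap is supported for content location but not for site assignment;
  - a client whose boundary is in no site-assignment group receives the
    fallback site, if one is configured.
Subnets are compared as subnet IDs (strings); IP range boundaries are not covered.
All names, site codes and subnets below are constructed sample data.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

# Constructed: subnets that belong to each AD site (what Active Directory
# Forest Discovery would report for the forest).
AD_SITE_SUBNETS: Dict[str, Set[str]] = {
    "HQ-Site": {"10.1.0.0/16", "10.2.0.0/16"},
    "Branch-Site": {"10.50.0.0/24"},
}


@dataclass
class BoundaryGroup:
    name: str
    subnets: Set[str] = field(default_factory=set)          # IP subnet boundaries
    ad_sites: Set[str] = field(default_factory=set)         # Active Directory site boundaries
    assigned_site: Optional[str] = None                     # site code when used for site assignment
    content_servers: Set[str] = field(default_factory=set)  # distribution / state migration points

    def effective_subnets(self) -> Set[str]:
        """Subnets included directly plus those included through AD site boundaries."""
        covered = set(self.subnets)
        for ad_site in self.ad_sites:
            covered |= AD_SITE_SUBNETS.get(ad_site, set())
        return covered


def find_overlaps(groups: List[BoundaryGroup]) -> List[Tuple[BoundaryGroup, BoundaryGroup, Set[str]]]:
    """Every pair of groups that includes at least one common subnet."""
    overlaps = []
    for a, b in combinations(groups, 2):
        shared = a.effective_subnets() & b.effective_subnets()
        if shared:
            overlaps.append((a, b, shared))
    return overlaps


def site_assignment_conflicts(groups: List[BoundaryGroup]) -> List[Tuple[str, str, List[str]]]:
    """Unsupported configuration: overlapping site-assignment groups that name different sites."""
    assigners = [g for g in groups if g.assigned_site]
    return [
        (a.name, b.name, sorted(shared))
        for a, b, shared in find_overlaps(assigners)
        if a.assigned_site != b.assigned_site
    ]


def content_locations(client_subnet: str, groups: List[BoundaryGroup]) -> List[str]:
    """Supported configuration: a client on overlapping content groups gets all their servers."""
    servers: Set[str] = set()
    for g in groups:
        if client_subnet in g.effective_subnets():
            servers |= g.content_servers
    return sorted(servers)


def resolve_site(client_subnet: str, groups: List[BoundaryGroup],
                 fallback_site: Optional[str] = None) -> Optional[str]:
    """Site code a new client on client_subnet is assigned, or the fallback site if none covers it."""
    candidates = {g.assigned_site for g in groups
                  if g.assigned_site and client_subnet in g.effective_subnets()}
    if len(candidates) > 1:
        raise ValueError(f"{client_subnet} is assigned to different sites: {sorted(candidates)}")
    return candidates.pop() if candidates else fallback_site


# Constructed sample plan: Bad-Assign reuses an HQ subnet for a different site.
SAMPLE_GROUPS = [
    BoundaryGroup("HQ-Assign", ad_sites={"HQ-Site"}, assigned_site="HQ1"),
    BoundaryGroup("Branch-Assign", subnets={"10.50.0.0/24"}, assigned_site="BR1"),
    BoundaryGroup("HQ-Content", ad_sites={"HQ-Site"}, content_servers={"DP01", "DP02"}),
    BoundaryGroup("Lab-Content", subnets={"10.2.0.0/16"}, content_servers={"DP-LAB"}),
    BoundaryGroup("Bad-Assign", subnets={"10.2.0.0/16"}, assigned_site="BR1"),
]

if __name__ == "__main__":
    for a, b, shared in site_assignment_conflicts(SAMPLE_GROUPS):
        print(f"site assignment conflict: {a} and {b} both include {shared}")
    print("content servers for 10.2.0.0/16:", content_locations("10.2.0.0/16", SAMPLE_GROUPS))
    print("site for 192.168.9.0/24:", resolve_site("192.168.9.0/24", SAMPLE_GROUPS, fallback_site="HQ1"))
```

Run as a script, the sample reports one site assignment conflict (HQ-Assign and Bad-Assign both include 10.2.0.0/16 through the HQ-Site boundary and the direct subnet boundary), three content servers for that subnet because the content groups are allowed to overlap, and the fallback site for a subnet that no group covers.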
Use Collected Information to Plan for Site and Hierarchy Design

Combine the information about your network topology, available bandwidth, server and computer resources, and organization requirements with the information in the following table to help you plan where to locate sites and site system roles in your hierarchy and how to manage communications between sites, site systems, and clients.

Considerations / Details

Consider installing a Configuration Manager site only in a well connected network.
    Usually well connected networks correspond to geographic locations. For planning purposes, start with the assumption that each well connected network is one Configuration Manager site. Modify this number as you collect more information about your organization. Identify the number and location of well connected networks that you have in your network. Within a site, clients expect communication with site system servers to be on a well connected network. When you use a boundary group that is configured for content location, you can manage which distribution points and state migration points a client can access. For more information, see Planning for Communications in Configuration Manager.
Remote subnets might be too small to justify their own Configuration Manager site.
    If you have remote subnets that are too small to justify their own Configuration Manager site, list those IP subnets and their closest well connected network. From the nearest site, consider placing a distribution point that is enabled for bandwidth control on these subnets to help manage content deployment to clients at those locations. For more information, see Planning for Content Deployment During Migration to System Center 2012 Configuration Manager.
In a hierarchy that has multiple primary sites, the central administration site replicates data with each primary site.
    Balance the location of the central administration site between a location that benefits the most administrative users and a location that has a well connected network to your largest primary sites. Configuration Manager consoles that connect to a primary site cannot see or manage some data from other primary sites. Database replication occurs regularly between primary sites and the central administration site, and a well connected network can help prevent replication delays of the Configuration Manager database. For more information about intersite replication, see the Planning for Inter-Site Communications in Configuration Manager section in the Planning for Communications in Configuration Manager topic.
Each Configuration Manager primary site can manage up to 100,000 clients, with up to 400,000 clients in a single hierarchy.
    However, the practical number of clients that a primary site can manage also depends on the hardware configuration and performance constraints of the site server and site system servers. Although each primary site supports up to 100,000 clients, site system roles have lower limits. If you configure too few site system servers for critical roles at a site, you can create a performance and communication bottleneck that adversely affects the management of your environment. For example, management points support up to 25,000 clients. Therefore, in a site with 100,000 clients, you can expect to install at least four management points to provide adequate service to your clients. However, the addition of more management points can provide redundancy, improve overall client-to-site communications, and compensate for any unexpected performance issues on those management point servers. For more information about site system server requirements and capacity, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic.
Plan your hierarchy infrastructure by using the fewest number of sites necessary, to reduce administrative overhead.
    Tip: In a System Center 2012 Configuration Manager hierarchy, you can reduce the number of sites required to manage the same infrastructure, compared with the number that Configuration Manager 2007 required. Configuration Manager can manage multiple instances of the following options at the same site:
    Note: In previous product versions, the comparable configurations each required a separate site to manage different instances of the option.
    - To partition administrative access to resources throughout the hierarchy, you can use role-based administration. For more information, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic.
    - Use collections to assign custom settings to different groups of users or devices in the hierarchy. For more information, see Planning for Client Settings in Configuration Manager.
    - To manage the display language of Configuration Manager consoles and the clients' user-facing interface, plan to add support for the server and client operating system languages that you will require at each site. For more information about languages, see the Planning for Operating System Languages section in the Planning for Sites and Hierarchies in Configuration Manager topic.
    Additionally, when you distribute content to network locations that are not well connected and content distribution is your primary network bandwidth concern, you can use the site system role of a distribution point that is enabled for bandwidth control to replace a secondary site. For more information about how to use distribution points instead of secondary sites, see Planning for Content Deployment During Migration to System Center 2012 Configuration Manager.
Choose the type of site to use for a given network or geographic location.
    Consider the following when you decide the type of site to deploy at a network or geographical location:
    - Primary and central administration sites require an instance of SQL Server, and that instance must be installed on a well connected network.
    - You deploy primary sites to manage clients. Although you can deploy a secondary site to manage the client information from clients at remote locations, the clients must still be assigned to a primary site. It is from the primary site that clients obtain their policy.
    - Secondary sites extend a primary site to a remote network location. You can deploy a distribution point that is enabled for bandwidth control from the primary site when content deployment to the network location is your primary concern and you are not concerned about the network bandwidth that is used when computers send their client information to the site.
    - Configuration Manager consoles can only connect to a primary site or the central administration site.
    For more information about site type options, see the About Site Types in Configuration Manager section in the Planning for Sites and Hierarchies in Configuration Manager topic.
As a security best practice, use a public key infrastructure (PKI) to deploy and manage the certificates that are required for communication in Configuration Manager.
    If you use a PKI, document how the certificates will be configured, deployed, and managed for site systems that require them, client computers, and mobile devices. For more information about the certificate requirements in Configuration Manager, see the Planning for Certificates (Self-Signed and PKI) section in the Planning for Security in Configuration Manager topic.
Prepare Active Directory Domain Services to support client communications, or configure alternatives, which include DNS or WINS.
    For information to help you decide whether to extend the Active Directory schema to support Configuration Manager, see Determine Whether to Extend the Active Directory Schema for Configuration Manager. For information about client communication, see the Planning for Client Communication in Configuration Manager section in the Planning for Communications in Configuration Manager topic.
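The capacity and placement rules in this topic (100,000 clients per primary site, 400,000 per hierarchy, 25,000 clients per management point and per software update point, SQL Server for central administration and primary sites on a well connected network, no remote SQL Server and no standalone role for secondary sites, and one SQL Server collation across the hierarchy so that sites can replicate) lend themselves to a checklist that can be run over a proposed design before hardware is ordered. The following is an added example written for this page, not Microsoft code or a Configuration Manager tool; site codes, client counts and the collation names are constructed sample data, and the software update point limit and collation requirement are taken from the site-system planning tables in this topic.

```python
"""Site and hierarchy plan validator (added example; not Microsoft code).

Checks a proposed System Center 2012 Configuration Manager design against the
limits stated in the planning topic.  Site codes and numbers are constructed.
"""
from dataclasses import dataclass
from math import ceil
from typing import List, Optional, Tuple

MAX_CLIENTS_PER_PRIMARY = 100_000          # per primary site
MAX_CLIENTS_PER_HIERARCHY = 400_000        # across all primary sites
CLIENTS_PER_MANAGEMENT_POINT = 25_000
CLIENTS_PER_SOFTWARE_UPDATE_POINT = 25_000


@dataclass
class SitePlan:
    code: str
    kind: str                        # "cas", "primary" or "secondary"
    clients: int = 0                 # clients assigned to the site (clients at a secondary
                                     # site are assigned to its parent primary; count them there)
    management_points: int = 0
    software_update_points: int = 0  # for an NLB cluster of WSUS servers, count its members
    sql_on_well_connected_network: bool = True
    sql_on_remote_server: bool = False
    sql_collation: str = "SQL_Latin1_General_CP1_CI_AS"   # constructed default
    parent: Optional[str] = None     # parent site code (required for secondary sites)


def required_management_points(clients: int) -> int:
    """Minimum management points for a client count; 100,000 clients needs four."""
    return max(1, ceil(clients / CLIENTS_PER_MANAGEMENT_POINT))


def required_software_update_points(clients: int) -> int:
    """Minimum active software update point capacity for a client count."""
    return max(1, ceil(clients / CLIENTS_PER_SOFTWARE_UPDATE_POINT))


Finding = Tuple[str, str]   # (site code or "hierarchy", description of the problem)


def validate_hierarchy(sites: List[SitePlan], deploys_software_updates: bool = True) -> List[Finding]:
    """Return one finding per rule a site or the hierarchy as a whole violates."""
    findings: List[Finding] = []
    by_code = {s.code: s for s in sites}

    total = sum(s.clients for s in sites if s.kind == "primary")
    if total > MAX_CLIENTS_PER_HIERARCHY:
        findings.append(("hierarchy", f"{total} clients exceeds {MAX_CLIENTS_PER_HIERARCHY} per hierarchy"))
    if len({s.sql_collation for s in sites}) > 1:
        findings.append(("hierarchy", "SQL Server collation must match at every site for replication"))

    for s in sites:
        if s.kind == "primary":
            if s.clients > MAX_CLIENTS_PER_PRIMARY:
                findings.append((s.code, f"{s.clients} clients exceeds {MAX_CLIENTS_PER_PRIMARY} per primary site"))
            need = required_management_points(s.clients)
            if s.management_points < need:
                findings.append((s.code, f"{s.management_points} management points, at least {need} needed"))
        if s.kind in ("cas", "primary"):
            if not s.sql_on_well_connected_network:
                findings.append((s.code, "SQL Server instance must be on a well connected network"))
            if deploys_software_updates:
                need = required_software_update_points(s.clients)
                if s.software_update_points < need:
                    findings.append((s.code, f"{s.software_update_points} software update points, at least {need} needed"))
        if s.kind == "secondary":
            if s.sql_on_remote_server:
                findings.append((s.code, "secondary sites do not support SQL Server on another server"))
            parent = by_code.get(s.parent) if s.parent else None
            if parent is None or parent.kind != "primary":
                findings.append((s.code, "secondary site must be attached to a primary site"))
    return findings


# Constructed sample design with one problem of each kind.
SAMPLE_PLAN = [
    SitePlan("CAS", "cas", software_update_points=1),
    SitePlan("P01", "primary", clients=60_000, management_points=2, software_update_points=3),
    SitePlan("P02", "primary", clients=120_000, management_points=5, software_update_points=5,
             sql_collation="Latin1_General_CI_AS"),
    SitePlan("S01", "secondary", parent="P01", sql_on_remote_server=True),
    SitePlan("S02", "secondary", parent="CAS"),
]

if __name__ == "__main__":
    for code, message in validate_hierarchy(SAMPLE_PLAN):
        print(f"{code}: {message}")
```

The sample design produces five findings: a collation mismatch across the hierarchy, too few management points at P01 (60,000 clients need three), more than 100,000 clients at P02, a remote SQL Server at secondary site S01, and secondary site S02 attached to the central administration site instead of a primary site. Hardware limits are not modelled; the text is explicit that the practical client count per site also depends on the site server and site system hardware.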
Use Collected Information to Plan for Site Systems

Depending on the hardware configuration of your site system servers, the number of clients that will use each site system server, and the security requirements for your organization, you might decide that one server can perform one or more site system roles. It is also possible that you will have to separate specific site system roles, such as those that use Internet Information Services (IIS) to communicate with Configuration Manager clients, from other site system roles such as the site database server.

The following sections contain lists of typical planning considerations and questions for you to review when you plan for site systems that are typically used in Configuration Manager. Your organization might require additional considerations.

Database Servers

The database server stores information from clients and the configurations that you use to manage your environment. Each site uses database replication to share the information in its database with other sites in the hierarchy. You can install a database server on the site server or on another server that is on a well connected network location. This site system role requires Microsoft SQL Server, and when you have multiple sites in a hierarchy, the database at each site must use the same SQL Server database collation to enable the data to replicate between them. Use the following planning considerations to help you plan for database servers.

Planning considerations / Details

Is this a central administration site, a primary site, or a secondary site?
    Central administration sites and primary sites must have access to a full installation of SQL Server to host the site database. Secondary sites can use a full installation of SQL Server, or SQL Server Express. For more information, see the Planning for Database Servers in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic.
Are you planning to locate the Configuration Manager site database on the site server?
    You can install the site database on an instance of SQL Server on the site server or on another server. If you install the site database by using an instance of SQL Server on another server, or move it to another instance of SQL Server after site installation, Configuration Manager supports moving the site database back to the site server at a later time.
    Note: Secondary sites do not support SQL Server on another server.
    For more information, see the Planning for Database Servers in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic.
Decide whether to install more than a single SMS Provider at a site.
    A site server uses the SMS Provider to communicate with the site database. Configuration Manager supports installing multiple instances of the SMS Provider, but only one SMS Provider instance can be installed on each computer. Each SMS Provider can be installed on the site server, on another server running SQL Server, or on another server. Multiple instances of the SMS Provider are supported at central administration sites and primary sites.
    Note: Secondary sites do not support installation of the SMS Provider on another computer.
    For more information, see the Planning for the SMS Provider in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic.
For a hierarchy, do you have servers that run SQL Server with compatible configurations that will be available for each planned site?
    Each server running SQL Server that you use as a database server must meet specific configurations. For example, because sites replicate data directly with other sites, the SQL Server collation of each database server must match that of each other site in the hierarchy. For more information, see the SQL Server Configurations for Database Servers section in the Planning for Site Systems in Configuration Manager topic.

Distribution Points

You can install one or more distribution points at each primary and secondary site.

Planning considerations / Details

Will you deploy content to clients at this site?
    Consider the number and size of the applications and packages that you expect to store on the distribution points at this site. This will help you understand the disk space requirements for distribution point servers. For more information, see Planning for Content Management in Configuration Manager.
How many clients will access the distribution points at this site?
    Plan for sufficient distribution points to service the number of clients that request content at the site. For more information, see the Determine the Distribution Point Infrastructure section in the Planning for Content Management in Configuration Manager topic.
Will you use distribution point groups to streamline the administration of content deployments?
    Identify how you plan to group your distribution points. For more information, see the Plan for Distribution Point Groups section in the Planning for Content Management in Configuration Manager topic.
Do your distribution point servers have all the prerequisites installed?
    For example, distribution points require Remote Differential Compression and Internet Information Services (IIS). For more information about the prerequisites for distribution points, see the Distribution Point Configurations section in the Planning for Content Management in Configuration Manager topic.
Do you have distribution points in sites that are located on network locations that are not well connected?
    If so, configure those distribution points for network bandwidth control. For more information, see the Network Bandwidth Considerations for Distribution Points section in the Planning for Content Management in Configuration Manager topic.

Management Points

A management point is the primary point of contact between Configuration Manager clients and the site server. A primary or secondary site can have multiple management points for clients on the intranet, and primary sites can support multiple Internet-based management points for mobile devices and client computers that are on the Internet. Use the following planning considerations to help you plan for management points.

Planning considerations / Details

Consider the maximum number of clients that you will manage at this site.
    If there will be more than 25,000 clients at a site, you must install more than one management point. Even when you have fewer than 25,000 clients, consider installing additional management points for redundancy and to compensate for less than optimal hardware or server operating conditions. For more information, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic.
Consider how often the clients that are assigned to this site will retrieve new policy information.
    Clients download client policy on a schedule that you configure as a client setting. Consider the frequency of this download when you plan for the number of management points to deploy at each site. For more information, see How to Manage Clients in Configuration Manager.
If you will collect hardware or software inventory from clients at this site, consider the inventory configurations and schedules.
    Clients collect and send inventory data to a management point on a schedule that you configure as a client setting. Consider the frequency of these actions and the data you will collect from clients when you plan for the number of management points to deploy at each site. For more information, see How to Configure Hardware Inventory in Configuration Manager.
If you will use software metering for clients at this site, consider the schedule for sending the metering data.
    Clients collect and send metering data to a management point on a schedule that you configure as a client setting. Consider the frequency of this schedule when you plan the number of management points to deploy at each site. For more information, see Planning for Software Metering in Configuration Manager.

Reporting Services Points

A reporting services point is a site system server that hosts a site's Reporting website. A reporting services point obtains report information from the database server of its Configuration Manager site.

Planning considerations / Details

Will this site require a reporting services point?
    You can install a reporting services point at a central administration site or a primary site. However, only the reporting services point at the top-level site of your hierarchy can provide reports with information from all sites in your hierarchy. For more information, see Introduction to Reporting in Configuration Manager.

Software Update Points

A software update point is a site system role that you install on a site system that already has Windows Server Update Services (WSUS) installed on it. The central administration site and all primary child sites must have an active software update point to deploy software updates. You must determine on which sites to install an Internet-based software update point, when to configure the active software update point as a Windows Network Load Balancing (NLB) cluster, and when to create an active software update point at a secondary site.

Planning considerations / Details

What is the maximum number of clients you will manage at this site?
    Each software update point can support up to 25,000 clients. If there are more than 25,000 client computers assigned to the site, consider creating a Network Load Balancing (NLB) cluster for a group of WSUS servers, and then use the NLB cluster as the active software update point on the site. For more information, see Planning for Software Updates in Configuration Manager.
Is a supported version of WSUS installed on an existing site system? What is the computer name of the site system?
    A supported version of WSUS must be installed on the site system computer before you add the software update point site role to the site system. For information about supported WSUS configurations, see Prerequisites for Software Updates in Configuration Manager.
Does this site support clients that are on the Internet?
    The Internet-based software update point accepts communication from devices on the Internet. You can only create the Internet-based software update point when the active software update point is not configured to accept communication from devices on the Internet. For more information, see the Determine the Software Update Point Infrastructure section in the Planning for Software Updates in Configuration Manager topic.

See Also
Planning for Configuration Manager Sites and Hierarchy

Determine Whether to Migrate Configuration Manager 2007 Data to System Center 2012 Configuration Manager

In System Center 2012 Configuration Manager, the built-in migration functionality replaces in-place upgrades of existing Configuration Manager infrastructure by providing a process that transfers data from active Configuration Manager 2007 sites. Migration can transfer most data from Configuration Manager 2007. If you do not migrate Configuration Manager 2007 to System Center 2012 Configuration Manager, or if you migrate data and want to maintain objects that migration does not migrate, you must re-create non-migrated objects in the new Configuration Manager hierarchy.

Because of the design changes introduced in System Center 2012 Configuration Manager, you cannot upgrade existing Configuration Manager 2007 infrastructure, with one exception: migration does support the upgrade of qualifying Configuration Manager 2007 distribution points to System Center 2012 Configuration Manager distribution points. This includes the upgrade of a Configuration Manager 2007 secondary site that is co-located with a distribution point. If you upgrade a distribution point, the content on the distribution point computer is retained and converted to the new System Center 2012 Configuration Manager format. Then the site system role is removed from the Configuration Manager 2007 hierarchy, and the distribution point and site system server are added as a distribution point to the System Center 2012 Configuration Manager primary or secondary site of your choice. When a distribution point on a Configuration Manager 2007 secondary site upgrades, the secondary site is uninstalled and removed from the Configuration Manager 2007 hierarchy. The result is a System Center 2012 Configuration Manager distribution point with all migrated content converted to the single instance store.

For more information about migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager, see Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager.
See Also
Planning for Configuration Manager Sites and Hierarchy

Determine Whether to Extend the Active Directory Schema for Configuration Manager

When you extend the Active Directory schema for System Center 2012 Configuration Manager, you can publish site information to Active Directory Domain Services. Extending the Active Directory schema is optional for Configuration Manager. However, by extending the schema you can use all Configuration Manager features and functionality with the least amount of administrative overhead. If you decide to extend the Active Directory schema, you can do so before or after you run Configuration Manager Setup.
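The schema extension itself is applied with the ExtADSch.exe tool from the installation media, but the System Management container and its permissions are ordinary Active Directory objects, and it is worth confirming the forest's current state before you touch the schema. The following PowerShell script is an added example and is not part of the Microsoft documentation: it reports whether the MS-SMS-Site class is already present in the schema (in which case the forest is already extended and ExtADSch.exe must not be run again), creates the System Management container under CN=System if it is missing, grants one site server's computer account Full Control of that container and its child objects, and then lists every principal that holds Full Control so that the grant stays limited to site servers. The site server name CM01 is a placeholder, and the script assumes the ActiveDirectory module and an account that is allowed to create objects under CN=System and to modify the container's security descriptor.

```powershell
# Added example, not from the Configuration Manager documentation.
# Assumptions: ActiveDirectory module available; run as an account that can
# create objects under CN=System and change the container ACL; the site
# server is named CM01 (hypothetical).
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$domainNc = $rootDse.defaultNamingContext

# 1. Is the schema already extended? MS-SMS-Site is one of the classes the
#    extension adds, so its presence means the forest-wide, irreversible
#    extension has already been done (by 2007 or 2012 media).
$smsSiteClass = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(&(objectClass=classSchema)(cn=MS-SMS-Site))'
if ($smsSiteClass) {
    Write-Output "Schema already extended: found $($smsSiteClass.DistinguishedName)"
} else {
    Write-Output 'Schema not extended. Run ExtADSch.exe as a Schema Admin before enabling AD publishing.'
}

# 2. Does the System Management container exist under CN=System? Create it if not.
$systemDn    = "CN=System,$domainNc"
$containerDn = "CN=System Management,$systemDn"
$container = Get-ADObject -SearchBase $systemDn -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=container)(cn=System Management))'
if (-not $container) {
    $container = New-ADObject -Name 'System Management' -Type container -Path $systemDn -PassThru
    Write-Output "Created $($container.DistinguishedName)"
}

# 3. Grant the site server's computer account Full Control on the container
#    and all descendant objects, which is what site publishing needs.
$siteServer = Get-ADComputer -Identity 'CM01'      # hypothetical site server
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $siteServer.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl -Path "AD:\$containerDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$containerDn" -AclObject $acl

# 4. Review who holds Full Control. Anything that is not a site server
#    computer account (or a group of them) should be questioned, because
#    whoever can write here can publish bogus management point records.
$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
(Get-Acl -Path "AD:\$containerDn").Access |
    Where-Object { ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl } |
    Select-Object IdentityReference, AccessControlType, IsInherited, InheritanceType |
    Format-Table -AutoSize
```

Run the script once per domain that will host site servers; the schema check is forest-wide, but the container and its ACL are per domain. The final listing is the check to keep in a change record: the only Full Control entries you expect on the container are the site server computer accounts you added and the inherited administrative entries from CN=System.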
Considerations for Extending the Active Directory Schema for Configuration Manager

The Active Directory schema extensions for System Center 2012 Configuration Manager are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not need to extend the schema again for System Center 2012 Configuration Manager.

Extending the Active Directory schema is a forest-wide action and can only be done one time per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after Setup.

Four actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:
 Extend the Active Directory schema.
 Create the System Management container.
 Set security permissions on the System Management container.
 Enable Active Directory publishing for the Configuration Manager site.

For information about extending the schema, creating the System Management container, and setting security permissions on the container, see Prepare Active Directory for Configuration Manager in the Prepare the Windows Environment for Configuration Manager topic. For information about enabling publishing for Configuration Manager sites, see Planning for Publishing of Site Data to Active Directory Domain Services.

The following table identifies Configuration Manager functions that use an extended Active Directory schema, and whether there are workarounds if you cannot extend the schema.

Functionality: Client computer installation and site assignment
Active Directory: Optional
Details: When a new Configuration Manager client installs, the client can search Active Directory Domain Services for installation properties. If you do not extend the schema, you must use one of the following workarounds to provide the configuration details that computers require to install:
 Use client push installation. Before you use this client installation method, make sure that all prerequisites are met. For more information, see the section "Installation Method Dependencies" in Prerequisites for Computer Clients.
 Install clients manually and provide client installation properties by using CCMSetup installation command-line properties. This must include the following:
 Specify a management point or source path from which the computer can download the installation files by using the CCMSetup property /mp:<management point computer name> or /source:<path to client source files> on the CCMSetup command line during client installation.
 Specify a list of initial management points for the client to use so that it can assign to the site and then download client policy and site settings. Use the CCMSetup Client.msi property SMSMP to do this.
 Publish the management point in DNS or WINS and configure clients to use this service location method.

Functionality: Port configuration for client-to-server communication
Active Directory: Optional
Details: When a client installs, it is configured with port information. If you later change the client-to-server communication port for a site, a client can obtain this new port setting from Active Directory Domain Services. If you do not extend the schema, you must use one of the following workarounds to provide this new port configuration to existing clients:
 Reinstall clients and configure them to use the new port information.
 Deploy a script to clients to update the port information. If clients cannot communicate with a site because of the port change, you must deploy this script externally to Configuration Manager. For example, you could use Group Policy.

Functionality: Network Access Protection
Active Directory: Required
Details: Configuration Manager publishes health state references to Active Directory Domain Services so that the System Health Validator point can validate a client's statement of health.

Functionality: Content deployment scenarios
Active Directory: Optional
Details: When you create content at one site and then deploy that content to another site in the hierarchy, the receiving site must be able to verify the signature of the signed content data. This requires access to the public key of the source site where you create this data. When you extend the Active Directory schema for Configuration Manager, a site's public key is made available to all sites in the hierarchy. If you do not extend the Active Directory schema, you can use the hierarchy maintenance tool, preinst.exe, to exchange the secure key information between sites. For example, if you plan to create content at a primary site and deploy that content to a secondary site below a different primary site, you must either extend the Active Directory schema to enable the secondary site to obtain the source primary site's public key, or use preinst.exe to share keys between the two sites directly.

Attributes and Classes Added by the Configuration Manager Schema Extensions

When you extend the schema for Configuration Manager, several classes and attributes are added that any Configuration Manager site in the Active Directory forest can use. Because the global catalog is replicated throughout the forest, consider the network traffic that might be generated. In Windows 2000 forests, extending the schema causes a full synchronization of the whole global catalog. For Windows 2003, Windows 2008, and Windows 2008 R2 forests, only the newly added attributes are replicated. Plan to extend the schema during a time when the replication traffic does not adversely affect other network-dependent processes.

When you extend the Active Directory schema for System Center 2012 Configuration Manager, the following attributes and classes are added to Active Directory Domain Services:
 Attributes:
 cn=mS-SMS-Assignment-Site-Code
 cn=mS-SMS-Capabilities
 cn=MS-SMS-Default-MP
 cn=mS-SMS-Device-Management-Point
 cn=mS-SMS-Health-State
 cn=MS-SMS-MP-Address
 cn=MS-SMS-MP-Name
 cn=MS-SMS-Ranged-IP-High
 cn=MS-SMS-Ranged-IP-Low
 cn=MS-SMS-Roaming-Boundaries
 cn=MS-SMS-Site-Boundaries
 cn=MS-SMS-Site-Code
 cn=mS-SMS-Source-Forest
 cn=mS-SMS-Version
 Classes:
 cn=MS-SMS-Management-Point
 cn=MS-SMS-Roaming-Boundary-Range
 cn=MS-SMS-Server-Locator-Point
 cn=MS-SMS-Site

The Active Directory schema extensions might include attributes and classes that are carried forward from previous versions of the product but are not used by Microsoft System Center 2012 Configuration Manager. For example:
 Attribute: cn=MS-SMS-Site-Boundaries
 Class: cn=MS-SMS-Server-Locator-Point

To ensure these lists are current for your version of System Center 2012 Configuration Manager, review the ConfigMgr_ad_schema.LDF file that is located in the \SMSSETUP\BIN\X64 folder of the System Center 2012 Configuration Manager installation media.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Sites and Hierarchies in Configuration Manager

Before you deploy System Center 2012 Configuration Manager in a production environment, plan the design of your sites and site hierarchy. During the planning phase, identify the number and type of sites, and the location where you plan to deploy them. Plan for each site and identify where to install site system roles at each site. Ensure that your plan considers future server hardware changes in addition to current hardware requirements.

You can deploy Configuration Manager as a single stand-alone primary site, or as multiple sites in a hierarchy. When you plan your initial deployment, consider a design that can expand for the future growth that your organization might require. Planning for expansion is an important step because the changes in System Center 2012 Configuration Manager from previous versions of the product mean that Configuration Manager can now support more clients with fewer sites.

Configuration Manager does not support moving a site server between domains. If you must move a site server, you must uninstall Configuration Manager from the server, move the server to the new domain, and then install a new Configuration Manager site. You cannot successfully restore the original site to a server that has been moved to a new domain.

Use the following sections in this topic to help you to implement a hierarchy design:
 Planning a Hierarchy of Sites in Configuration Manager
 About Site Types in Configuration Manager
 Determine Whether to Install a Central Administration Site
 Determine Whether to Install a Primary Site
 Determine Whether to Install a Secondary Site
 Determine Whether to Install a Site or Use Content Management Options
 Planning for Client and Server Operating System Languages in Configuration Manager
 About Language Packs
 Planning for Server Language Packs
 Planning for Client Language Packs
 Best Practices for Managing Language Packs
 Planning for the Configuration Manager Console
 About the Read-Only Console
 Planning for Multiple Administrative Users and Global Data Replication in Configuration Manager
 About Multiple Edits to Global Data in Configuration Manager
 About Data Access From the Configuration Manager Console

What's New in Configuration Manager

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

System Center 2012 Configuration Manager introduces the central administration site and some changes to primary and secondary sites. The following table summarizes these sites and how they compare to sites in Configuration Manager 2007.

Site: Central administration site
Purpose: The central administration site coordinates intersite data replication across the hierarchy by using Configuration Manager database replication. It also enables the administration of hierarchy-wide configurations for client agents, discovery, and other operations. Use this site for all administration and reporting for the hierarchy.
Change from Configuration Manager 2007: Although this is the site at the top of the hierarchy in System Center 2012 Configuration Manager, it has the following differences from a central site in Configuration Manager 2007:
 Does not process data submitted by clients, except for the Heartbeat Discovery data record.
 Does not accept client assignments.
 Does not support all site system roles.
 Participates in database replication.

Site: Primary site
Purpose: Manages clients in well-connected networks.
Change from Configuration Manager 2007: Primary sites in System Center 2012 Configuration Manager have the following differences from primary sites in Configuration Manager 2007:
 Additional primary sites allow the hierarchy to support more clients.
 Cannot be tiered below other primary sites.
 No longer used as a boundary for client agent settings or security.
 Participates in database replication.

Site: Secondary site
Purpose: Controls content distribution for clients in remote locations across links that have limited network bandwidth.
Change from Configuration Manager 2007: Secondary sites in System Center 2012 Configuration Manager have the following differences from secondary sites in Configuration Manager 2007:
 SQL Server is required, and SQL Server Express is installed during site installation if required.
 A management point and distribution point are automatically deployed during the site installation.
 Secondary sites can send content distribution to other secondary sites.
 Participates in database replication.

Planning a Hierarchy of Sites in Configuration Manager

When you plan for a Configuration Manager hierarchy, consider your network and computing environment and identify your business requirements. You can then plan to implement Configuration Manager by using the minimal number of servers and the least amount of administration overhead to meet your organization's goals.

System Center 2012 Configuration Manager provides an in-box solution for automated migration from Configuration Manager 2007. However, it does not support in-place upgrades from earlier versions of Configuration Manager or interoperability with earlier versions, with the following two exceptions. The first exception is that during the time that you are actively migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager, you can share Configuration Manager 2007 distribution points with System Center 2012 Configuration Manager, making the content on these distribution points accessible to System Center 2012 Configuration Manager clients. The second exception is that you can upgrade Configuration Manager 2007 secondary sites to be System Center 2012 Configuration Manager distribution points.

To maintain the investment in your current Configuration Manager 2007 infrastructure, you must install System Center 2012 Configuration Manager as a new hierarchy, and then migrate Configuration Manager 2007 data and clients to System Center 2012 Configuration Manager. This side-by-side implementation provides an opportunity to redesign and simplify your hierarchy by using fewer site servers. For more information about migration, see Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager.

About Site Types in Configuration Manager

Your Configuration Manager deployment consists of either a hierarchy of sites or a stand-alone site. A hierarchy consists of multiple sites, each with one or more site system servers. A stand-alone site also consists of one or more site system servers. Site system servers extend the functionality of Configuration Manager. For example, you might install a site system at a site to support software deployment or to manage mobile devices. To successfully plan your hierarchy of sites and identify the best network and geographical locations to place site servers, ensure that you review the information about each site type and the alternatives to sites offered by the site systems that you use for content deployment.

Use the following table to help you plan the type of sites that you might require in your hierarchy.
Server: Central administration site
Purpose: The recommended location for all administration and reporting for the hierarchy.
More information:
 SQL Server is required.
 Does not process client data.
 Does not support client assignment.
 Not all site system roles are available.
 Participates in database replication.

Server: Primary site
Purpose: A required site that manages clients in well-connected networks. All clients are assigned to a primary site.
More information:
 SQL Server is required.
 Additional primary sites provide support for a higher number of clients.
 Cannot be tiered below other primary sites.
 Participates in database replication.

Server: Secondary site
Purpose: Manages clients in remote locations where network bandwidth control is required.
More information:
 SQL Server Express or a full instance of SQL Server is required. If neither is installed when the site is installed, SQL Server Express is automatically installed.
 A management point and distribution point are automatically deployed when the site is installed.
 Secondary sites must be direct child sites below a primary site, but can be configured to send content to other secondary sites.
 Participates in database replication.

When you plan a Configuration Manager hierarchy, consider the following:
 You can schedule and throttle network traffic when you distribute deployment content to distribution points. Therefore, you can use a distribution point instead of a site for some remote network locations.
 Discovery data records (DDRs) for unknown resources transfer by using file-based replication from a primary site to the central administration site for processing. Because discovery can create a large number of DDRs, plan where to place your central administration site and consider at which sites discovery operations will run to minimize the transfer of DDRs across low-bandwidth networks. DDRs for known resources are processed at the first primary site to receive them and do not transfer by using file-based replication to the central administration site. Instead, after being processed at the primary site, the discovery information replicates to other sites by using database replication.
 Role-based administration provides a central administrative security model for the hierarchy, and you do not have to install sites to provide a security boundary. Instead, use security scopes, security roles, and collections to define what administrative users can see and manage in the hierarchy.
 Alerts in the Configuration Manager console provide state-based information for operations throughout the hierarchy.

Use the following sections to help you determine whether to install Configuration Manager sites and site systems.

Determine Whether to Install a Central Administration Site

Install a central administration site if you plan to install multiple primary sites. Use a central administration site to configure hierarchy-wide settings and to monitor all sites and objects in the hierarchy. This site type does not manage clients directly, but it does coordinate inter-site data replication, which includes the configuration of sites and clients throughout the hierarchy.

Use the following information to help you plan for a central administration site:
 The central administration site is the top-level site in a hierarchy.
 When you configure a hierarchy that has more than one primary site, you must install a central administration site, and it must be the first site that you install.
 The central administration site supports only primary sites as child sites.
 The central administration site cannot have clients assigned to it.
 The central administration site does not support all site system roles. For more information, see Planning Where to Install Site System Roles in the Hierarchy.
 You can manage all clients in the hierarchy and perform site management tasks for any primary site when you use a Configuration Manager console that is connected to the central administration site.
 The central administration site is the only place where you can see site data from all sites. This data includes information such as inventory data and status messages.
 You can configure discovery operations throughout the hierarchy from the central administration site by assigning discovery methods to run at individual sites.
 You can manage security throughout the hierarchy by assigning different security roles, security scopes, and collections to different administrative users. These configurations apply at each site in the hierarchy.
 You can configure addresses that control communication between sites in the hierarchy. This includes settings that manage the schedule and bandwidth for transferring file-based data between sites.

Determine Whether to Install a Primary Site

Use primary sites to manage clients. Consider installing a primary site for any of the following reasons:
 To manage clients directly.
 To increase the number of clients to manage. Each primary site can support up to 100,000 clients.
 To provide a local point of connectivity for administration.
 To meet organizational management requirements. For example, you might install a primary site at a remote location to manage the transfer of deployment content across a low-bandwidth network.

Use the following information to help you plan for primary sites:
 A primary site can be a stand-alone primary site or a member of a hierarchy.
 A primary site only supports a central administration site as a parent site.
 A primary site only supports secondary sites as child sites and can support one or more secondary child sites.
 A primary site cannot change its parent site relationship after installation.
 Primary sites are responsible for processing all client data from their assigned clients.
 When a primary site is installed, it automatically configures database replication with its designated central administration site.
 Primary sites use database replication to communicate directly to their central administration site.
 You can install typically used site system roles when you install a primary site. For a list of site system roles that are supported on primary sites, see Planning Where to Install Site System Roles in the Hierarchy.

Determine Whether to Install a Secondary Site

Use secondary sites to manage the transfer of deployment content and client data across low-bandwidth networks. You manage a secondary site from a central administration site or the secondary site's parent primary site. Secondary sites must be attached to a primary site, and you cannot move them to a different parent site without uninstalling them, and then re-installing them as a child site below the new primary site. You can route content between peer secondary sites to help manage the file-based replication of deployment content. To transfer client data to a primary site, the secondary site uses file-based replication. However, a secondary site also uses database replication to communicate with its parent primary site.

Consider installing a secondary site if any of the following conditions apply:
 You do not require a local administrative user for the site.
 You have to manage the transfer of deployment content to sites lower in the hierarchy.
 You have to manage client information that is sent to sites higher in the hierarchy.

If you do not want to install a secondary site and you have clients in remote locations, consider using Windows BranchCache or distribution points that are enabled for bandwidth control and scheduling. You can use these content management options with or without secondary sites, and they can help you to reduce the number of sites and servers that you have to install. For information about content management options in Configuration Manager, see Determine Whether to Install a Site or Use Content Management Options.

Use the following details to help you plan for secondary sites:
 Secondary sites automatically install SQL Server Express during site installation if a local instance of SQL Server is not available.
 Secondary site installation is initiated from the Configuration Manager console when it is connected to the central administration site or a primary site.
 When a secondary site is installed, it automatically configures database replication with its parent primary site.
 Secondary sites use database replication to communicate directly to their parent primary site and to obtain a subset of the shared Configuration Manager database.
 Secondary sites support the routing of file-based content to other secondary sites that have a common parent primary site.
 Secondary site installations automatically deploy a management point and distribution point that are located on the secondary site server.

Determine Whether to Install a Site or Use Content Management Options

If you have clients in remote network locations, consider using one or more content management options instead of a primary or secondary site. You can often remove the requirement for another site when you use Windows BranchCache, configure distribution points for bandwidth control, or manually copy content to distribution points (prestage content).

Consider deploying a distribution point instead of installing another site if any of the following conditions apply:
 Your network bandwidth is sufficient for client computers at the remote location to communicate with a management point to download client policy, and to send inventory, reporting status, and discovery information.
 Background Intelligent Transfer Service (BITS) does not provide sufficient bandwidth control for your network requirements.

For more information about content management options in Configuration Manager, see Introduction to Content Management in Configuration Manager.
Planning for Client and Server Operating System Languages in Configuration Manager

System Center 2012 Configuration Manager supports the display of information in multiple languages. By default, the Configuration Manager user interface displays in English, although objects that an administrative user creates display in the Configuration Manager console and on the client in the language that is used to create them. In addition, you can install server and client language packs to enable the user interface to display in a language that matches the preferences of the user.

Use the information in the following sections to help you plan for language support by installing language packs. For information about how to manage language packs, see the Manage Language Packs at Configuration Manager Sites section in the Manage Site and Hierarchy Configurations topic.

What's New in Configuration Manager

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following items are new or have changed for language support since Configuration Manager 2007:
 You no longer install site servers by using source files designed for a specific language. Additionally, you no longer install International Client Packs to support different languages on the client. Instead, you can choose to install only the server and client languages that you want to support.
 Available client and server language packs are included with the Configuration Manager installation media in the LanguagePack folder, and updates are available to download with the prerequisite files.
 You can add client and server language packs to a site when you install the site, and you can modify the language packs in use after the site installs.
 You can install multiple languages at each site, and only need to install the languages that you use:
 Each site supports multiple languages for Configuration Manager consoles.
 At each site you can install individual client language packs, adding support for only the client languages that you want to support.
 When you install support for a language that matches the display language of a computer, Configuration Manager consoles and the client user interface that run on that computer display information in that language.
 When you install support for a language that matches the language preference that is in use by the web browser of a computer, connections to web-based information, including the Application Catalog or SQL Server Reporting Services, display in that language.
About Language Packs

You add support for server and client language packs at the central administration site and at primary sites to enable Configuration Manager to display built-in text in a language that matches the user's preference. Secondary sites automatically support the same client languages as their parent primary sites. For a list of supported languages, see the Supported Operating System Languages section in the Technical Reference for Language Packs in Configuration Manager topic.
 Use server language packs for the Configuration Manager console and for site system roles such as the reporting services point.
 Use client language packs for Configuration Manager clients and the Application Catalog.

Language packs use the following language preferences to display information:
 The display language of a computer applies to the Configuration Manager console, client notifications, and Software Center.
 The display preference within a web browser applies to viewing reports and the Application Catalog.

Even when language packs are installed, data created by an administrative user is not affected by them.

When you run Setup, Configuration Manager copies the available languages from the LanguagePack folder on the Configuration Manager source media to the location that you specify for prerequisite downloads. If the source media is not accessible, Configuration Manager downloads language packs as part of the prerequisite files download. Additionally, any files that are missing or that have updates are also downloaded with the prerequisite files. Then, during Setup, you can select to add one or more of the available server and client language packs to the site.

If you do not install language packs when you install a site server, you can add them later by running Setup on the site server. You must run Setup from the Start menu or by opening Setup.exe from the installation path, and then choose to modify the site's configuration.

When you change the supported languages for a site, Configuration Manager takes the following actions:

Language pack type: Server language pack
Action:
 The site runs a site reset and reinstalls all site system roles at the site. For information about a site reset, see the Perform a Site Reset section in the Manage Site and Hierarchy Configurations topic.
 The language files are copied to the ConsoleSetup folder.

Language pack type: Client language pack
Action:
 The site runs a site reset and reinstalls all site system roles at the site. For information about a site reset, see the Perform a Site Reset section in the Manage Site and Hierarchy Configurations topic.
 When you modify client languages at the top-tier site (central administration site or stand-alone primary site), the site modifies the client installation package, and updates this package on each distribution point in the hierarchy.
 When you modify client languages at a primary site, the site updates the Client folder on the site server and on management points in that site.
 The site copies updated files to each Application Catalog website point and management point, and if you modify support for mobile device clients, it also updates the files on the enrollment proxy point.

Planning for Server Language Packs

Add support for a server language to a site to enable Configuration Manager consoles and reporting services points to display information in the supported language. You can install multiple server language packs at each site in your hierarchy. Each server language pack that a site supports is added to the Configuration Manager console installation source files on that site server. Before a Configuration Manager console can display information in a supported language, you must add the language pack to the site and install the Configuration Manager console from source files that include that language. Reporting services points automatically update to support the display of information in the language packs that you install at a site.

Planning for Client Language Packs

Configuration Manager supports client languages for device clients and mobile device clients:
 When a Configuration Manager client installs on a device, it adds support for each client language pack that is included with the client installation files.
 When a Configuration Manager client installs on a mobile device, it adds support for all languages at the same time.

You can add support for client languages when you install a site, or by rerunning Setup on the site server computer after a site installs. Before a client can display information in a supported language, you must add support for the language to the client's site, and install the client from source files that include that language. You must add support for the client language packs before you install the client.

When a site adds support for a client language pack, it updates the client installation files. The set of client installation files that the site updates depends on the site's location in the hierarchy:
 The top-tier site of a hierarchy manages the client installation package. This package is automatically distributed to each distribution point in the hierarchy. By default, when a client installs, it uses this package for the client installation source files. The top-tier site can be a central administration site, or a stand-alone primary site.
 Primary sites manage the client upgrade package and update the supported languages in the Client folder on the site server and on management points in that site. Clients use the installation source files from their primary site when the client installation process cannot access the client installation package on a distribution point, or when the client installation command-line property /source is used to specify these files.

When you use a central administration site, ensure that a client installs the client language packs you expect by adding support for each language pack to the central administration site and to each primary site.

When you change the supported client languages at a top-tier site, allow time for the client installation package to replicate to distribution points in your hierarchy. You can monitor the redistribution of the package to distribution points by using the Content Status node in the Monitoring workspace of the Configuration Manager console. For more information, see the Monitor Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. Alternately, you can monitor progress by viewing status messages for the redistribution of the package:
 The client installation package name is Configuration Manager Client Package.
 Distribution points generate a status message with Message ID 2330 when the package successfully updates on that distribution point.

After a new site server installs with support for client language packs, or after an existing site server updates the distribution points with the language pack changes, you can install new clients or reinstall existing clients on computers to add support for the supported client language packs.

Configuration Manager does not support reinstalling the mobile device client without first wiping the mobile device. Therefore, if you plan to support non-English mobile devices, enable support for mobile device client languages before you install the Configuration Manager mobile device client.
  • 262. 262 When the Configuration Manager client installs on a new computer, CCMSetup modifies the MSI command line to add support for each language pack that is included with the client installation source files. To update an existing client with new language packs, you must upgrade or reinstall the client. For example, you can modify the languages supported on a computer when you redeploy the client software by using client push installation or software deployment. The following table lists the client upgrade and installation methods that are not supported for managing the language pack support for a previously installed client. Method Details Repairing An MSI repair action reuses the MSI command line last used to install the client, as stored in the registry of the client computer. This command line will not reference new client language packs. Automatic client upgrade This type of upgrade fails because automatic upgrades are based on a change of client version. New language packs do not change the client version. Software update-based client installation Software update points rely on a change of client version to install the client. New language packs do not change the client version. For information about how clients access source files for installation, see How to Install Clients on Computers in Configuration Manager. For information about client installation properties, see About Client Installation Properties in Configuration Manager Best Practices for Managing Language Packs Use the following best practices information to help you use language packs in System Center 2012 Configuration Manager. Install languages at the time you install a site When you modify the language packs that are supported at the top-tier site of a hierarchy, the site initiates an update of the client installation package on each distribution point in the hierarchy, reinstalls applicable site system roles, and performs a site reset. 
Additionally, you must reinstall clients before they can use new language packs that you add to their site.
When you add support for client language packs to your central administration site, also add these client language packs to each primary site
When you modify the client language packs at a site, the client installation files that update depend on the site’s location in the hierarchy. When a client installs, it might use the client installation package that is managed by the top-tier site of the hierarchy, or it can fall back to using source files from the management point in the client’s assigned site when it cannot access the client installation package on a distribution point.

Planning for the Configuration Manager Console
Administrative users use the Configuration Manager console to manage the Configuration Manager environment. Each Configuration Manager console connects to either a central administration site, or a primary site. After the initial connection is made, the Configuration Manager console can connect to other sites. However, you cannot connect a Configuration Manager console to a secondary site.

To connect to a different site when you use the Configuration Manager console, on the Application Menu, select Connect to a New Site, and then specify the name of the site server. You can also specify a connection to a specific site when you open a new instance of the Configuration Manager console. To do so, you must specify the site server name as part of the command line to open the Configuration Manager console. For example, to connect to a site that runs on Server1, at the command prompt, type %path%microsoft.configurationmanagement.exe Server1.

Configuration Manager does not limit the number of simultaneous Configuration Manager console connections to a primary site or central administration site.

When you connect to the central administration site, you can view and configure data for all sites in the hierarchy. If you have a central administration site but connect the Configuration Manager console directly to a primary site, you can view and manage Configuration Manager data from this connection, but you cannot see data from other primary sites or from the secondary sites of other primary sites. However, if you do not have a central administration site because your hierarchy has a stand-alone primary site, you can use the Configuration Manager console to access all the data in your hierarchy.

Important
When you manage objects or clients by using a Configuration Manager console that is connected to a child primary site in a hierarchy with other primary sites, the changes you make replicate throughout the hierarchy to other primary sites, even though you cannot see data from those other primary sites.

Note
When you connect a Configuration Manager console to an evaluation installation of Configuration Manager, the title bar of the console displays the number of days that remain before the evaluation installation expires. The number of days does not automatically refresh and only updates when you make a new connection to a site. After the evaluation period ends, the Configuration Manager console connects as a read-only console.

About the Read-Only Console
When you connect a Configuration Manager console to a primary site, there are certain conditions that result in the Configuration Manager console connecting as a read-only console. The read-only console lets you view objects and configuration settings but prevents you from making any changes that could be lost when the primary site completes initialization or is synchronized with the central administration site after replication issues are resolved. Read-only consoles are established for the following reasons:
• You connect to a primary site before it completes the Configuration Manager site installation.
• You connect to a primary site that has intersite replication problems.
• You connect to a primary site during a site restoration of that site.
• You connect to a primary site when that site is initializing global data.

After the primary site is fully initialized, or replication issues between that site and the central administration site are resolved, you must close, and then reconnect the Configuration Manager console to establish a normal session where you can manage objects and configurations.

A Configuration Manager console that connects to an evaluation installation of Configuration Manager after the evaluation period of 180 days ends will connect as a read-only console.

Planning for Multiple Administrative Users and Global Data Replication in Configuration Manager
Use the following sections to help you plan for multiple administrative users who access objects and configuration settings that are shared between sites. This data is referred to as global data, and it is available throughout the hierarchy.

About Multiple Edits to Global Data in Configuration Manager
Because different administrative users at one or more sites can attempt to manage the same object at the same time, Configuration Manager prevents one administrative user from editing an object if another administrative user in the hierarchy is currently editing the same object. When an object you want to manage is already in use, you have the option to view the object as a read-only instance, or to retry to obtain ownership of the object. If you retry to obtain ownership and the object is no longer in use by another administrative user, you are granted ownership and can edit the object.

Do not confuse the read-only status for an object you want to manage with the read-only Configuration Manager console. Unlike the read-only console, this is an object-specific condition that is temporary and based on the individual object’s current availability. This condition is not related to the status of the site to which your Configuration Manager console connects.

Configuration Manager also resolves edits to an object that are made at different sites while one of the sites is unable to replicate data. This scenario might occur if a network link is disconnected. In this scenario, the first edit to an object that replicates to the central administration site takes precedence over a later edit from the primary site that was unable to replicate the data.

About Data Access From the Configuration Manager Console
Use role-based administration to define the objects in the hierarchy that administrative users can see in the Configuration Manager console and the permissions that they have for those objects. Use a combination of security roles, security scopes, and collections to help manage access to data throughout the hierarchy for each administrative user. For more information, see Planning for Security in Configuration Manager.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Publishing of Site Data to Active Directory Domain Services
If you extend the Active Directory schema for System Center 2012 Configuration Manager, you can publish Configuration Manager sites to Active Directory Domain Services so that Active Directory computers can securely retrieve site information from a trusted source. Although publishing site information to Active Directory Domain Services is not required for basic Configuration Manager functionality, this configuration can reduce administrative overhead. When you extend the Active Directory schema for Configuration Manager and a site is configured to publish to Active Directory Domain Services, Configuration Manager clients can automatically find management points through Active Directory publishing using an LDAP query to a global catalog server.
If you do not extend the Active Directory schema for Configuration Manager, management points cannot be published to Active Directory Domain Services and clients must have an alternative mechanism to locate their default management point. For information about service location by clients, see the Planning for Service Location by Clients section in the Planning for Communications in Configuration Manager topic.

The following are prerequisites you must configure before a Configuration Manager site can publish site data to Active Directory Domain Services:
• You must extend the Active Directory schema in each forest where you will publish site data. For more information, see Determine Whether to Extend the Active Directory Schema for Configuration Manager.
• You must configure Active Directory Forests for use with Configuration Manager, and enable publishing to the forests you want to use. For information, see the About Active Directory Forest Discovery section in the Planning for Discovery in Configuration Manager topic.
• You must enable publishing at each site that will publish its data to Active Directory Domain Services. For information, see Configuring Sites to Publish to Active Directory Domain Services.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Discovery in Configuration Manager
System Center 2012 Configuration Manager discovery identifies computer and user resources that you can manage by using Configuration Manager. It can also discover the network infrastructure in your environment. Discovery creates a discovery data record (DDR) for each discovered object and stores this information in the Configuration Manager database.

When discovery of a resource is successful, discovery puts information about the resource in a file that is referred to as a discovery data record (DDR). DDRs are in turn processed by site servers and entered into the Configuration Manager database, where they are then replicated by database replication with all sites. The replication makes discovery data available at each site in the hierarchy, regardless of where it was discovered or processed.

You can use discovery information to create custom queries and collections that logically group resources for management tasks such as the assignment of custom client settings and software deployments. Computers must be discovered before you can use client push installation to install the Configuration Manager client on devices.

Use the following sections to help you plan for discovery in Configuration Manager:
• Discovery Methods in Configuration Manager
• Decide Which Discovery Methods to Use
• About Active Directory System, User, and Group Discovery Methods
• Shared Discovery Options
• Active Directory System Discovery
• Active Directory User Discovery
• Active Directory Group Discovery
• About Active Directory Forest Discovery
• About Delta Discovery
• About Heartbeat Discovery
• About Network Discovery
• About Discovery Data Records
• Decide Where to Run Discovery
• Best Practices for Discovery

What’s New in Configuration Manager
Note
The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

System Center 2012 Configuration Manager introduces the following changes for discovery:
• Each discovery data record is processed and entered into the database one time only, at a primary site or central administration site, and then the discovery data record is deleted without additional processing.
• Discovery information entered into the database at one site is shared to each site in the hierarchy by using Configuration Manager database replication.
• Active Directory Forest Discovery is a new discovery method that can discover subnets and Active Directory sites, and can add them as boundaries for your hierarchy.
• Active Directory System Group Discovery has been removed.
• Active Directory Security Group Discovery is renamed to Active Directory Group Discovery and discovers the group memberships of resources.
• Active Directory System Discovery and Active Directory Group Discovery support options to filter out stale computer records from discovery.
• Active Directory System, User, and Group Discovery support Active Directory Delta Discovery. Delta Discovery is improved from Configuration Manager 2007 R3 and can now detect when computers or users are added or removed from a group.

Discovery Methods in Configuration Manager
Before you enable discovery methods for Configuration Manager, ensure you understand what each method can discover. Because discovery can generate a large volume of network traffic, and the resultant DDRs can result in a significant use of CPU resources during processing, plan to use only those discovery methods that you require to meet your goals.
You could use only one or two discovery methods to be successful, and you can always enable additional methods in a controlled manner to extend the level of discovery in your environment. Use the following table to help you plan for each of the six configurable discovery methods.

Discovery method: Active Directory Forest Discovery
Enabled by default: No
Accounts that run discovery: Active Directory Forest Discovery Account, or the computer account of the site server
More information:
• Can discover Active Directory sites and subnets, and then create Configuration Manager boundaries for each site and subnet from the forests that you have configured for discovery.
• Supports a user-defined account to discover resources for each forest.
• Can publish to the Active Directory Domain Services of a forest when publishing to that forest is enabled, and the specified account has permissions to that forest.

Discovery method: Active Directory System Discovery
Enabled by default: No
Accounts that run discovery: Active Directory System Discovery Account, or the computer account of the site server
More information:
• Discovers computers from the specified locations in Active Directory Domain Services.

Discovery method: Active Directory User Discovery
Enabled by default: No
Accounts that run discovery: Active Directory User Discovery Account, or the computer account of the site server
More information:
• Discovers user accounts from the specified locations in Active Directory Domain Services.

Discovery method: Active Directory Group Discovery
Enabled by default: No
Accounts that run discovery: Active Directory Group Discovery Account, or the computer account of the site server
More information:
• Discovers local, global, and universal security groups, the membership within these groups, and the membership within distribution groups from the specified locations in Active Directory Domain Services. Distribution groups are not discovered as group resources.

Discovery method: Heartbeat Discovery
Enabled by default: Yes
Accounts that run discovery: Computer account of the client
More information:
• Used by active Configuration Manager clients to update their discovery records in the database.
• Heartbeat Discovery can force discovery of a computer as a new resource record, or can repopulate the database record of a computer that was deleted from the database.

Discovery method: Network Discovery
Enabled by default: No
Accounts that run discovery: Computer account of the site server
More information:
• Searches your network infrastructure for network devices that have an IP address.
• Can discover devices that might not be found by other discovery methods. This includes printers, routers, and bridges.

All configurable discovery methods support a schedule for when discovery runs. With the exception of Heartbeat Discovery, you can configure each method to search specific locations for resources to add to the Configuration Manager database. After discovery runs, you can change the locations that a discovery method searches. These new locations are searched during the next discovery run. However, the next run of the discovery method is not limited to the new locations and always attempts to discover information from all currently configured locations.

Heartbeat Discovery is the only discovery method that is enabled by default. To help maintain the database record of Configuration Manager clients, do not disable Heartbeat Discovery.

In addition to these discovery methods, Configuration Manager also uses a process named Server Discovery (SMS_WINNT_SERVER_DISCOVERY_AGENT). This discovery method creates resource records for computers that are site systems, such as a computer that is configured as a management point. This method of discovery runs daily and is not configurable.

Decide Which Discovery Methods to Use
To discover potential Configuration Manager client computers or user resources, you must enable the appropriate discovery methods. You can use different combinations of discovery methods to locate different resources and to discover additional information about those resources. The discovery methods that you use determine the type of resources that are discovered and which Configuration Manager services and agents are used in the discovery process. They also determine the type of information about resources that you can discover.

Discover Computers
When you want to discover computers, you can use Active Directory System Discovery or Network Discovery. As an example, if you want to discover resources that can install the Configuration Manager client before you use client push installation, you might run Active Directory System Discovery. Alternately, you could run Network Discovery and use its options to discover the operating system of resources (required to later use client push installation). However, by using Active Directory System Discovery, you not only discover the resource, but discover basic information and can discover extended information about it from Active Directory Domain Services. This information might be useful in building complex queries and collections to use for the assignment of client settings or content deployment.
Network Discovery, on the other hand, provides you with information about your network topology that you are not able to acquire with other discovery methods, but Network Discovery does not provide you any information about your Active Directory environment.

It is also possible to use only Heartbeat Discovery to force the discovery of clients that you installed by methods other than client push installation. However, unlike other discovery methods, Heartbeat Discovery cannot discover computers that do not have an active Configuration Manager client, and returns a limited set of information. It is intended to maintain an existing database record and not to be the basis of that record. Information submitted by Heartbeat Discovery might not be sufficient to build complex queries or collections.

If you use Active Directory Group Discovery to discover the membership of a specified group, you can discover limited system or computer information. This does not replace a full discovery of computers but can provide basic information. This basic information is insufficient for client push installation.

Discover Users
When you want to discover information about users, you can use Active Directory User Discovery. Similar to Active Directory System Discovery, this method discovers users from Active Directory and includes basic information in addition to extended Active Directory information. You can use this information to build complex queries and collections similar to those for computers.

Discover Group Information
When you want to discover information about groups and group memberships, use Active Directory Group Discovery. This discovery method creates resource records for security groups. You can use this method to search a specific Active Directory group to identify the members of that group in addition to any nested groups within that group. You can also use this method to search an Active Directory location for groups, and recursively search each child container of that location in Active Directory Domain Services. This discovery method can also search the membership of distribution groups. This can identify the group relationships of both users and computers. When you discover a group, you can also discover limited information about its members. This does not replace Active Directory System or User Discovery and is usually insufficient to build complex queries and collections or serve as the basis of a client push installation.

Discover Infrastructure
There are two methods that you can use to discover network infrastructure: Active Directory Forest Discovery and Network Discovery. You can use Active Directory Forest Discovery to search an Active Directory forest for information about subnets and Active Directory site configurations. These configurations can then be automatically entered into Configuration Manager as boundary locations. When you want to discover your network topology, use Network Discovery. While other discovery methods return information related to Active Directory Domain Services and can identify the current network location of a client, they do not provide infrastructure information based on the subnets and router topology of your network.
About Active Directory System, User, and Group Discovery Methods
This section contains information about the following discovery methods:
• Active Directory System Discovery
• Active Directory User Discovery
• Active Directory Group Discovery

Note
The information in this section does not apply to Active Directory Forest Discovery.

These three discovery methods are similar in configuration and operation, and can discover computers, users, and information about group memberships of resources that are stored in Active Directory Domain Services. The discovery process is managed by a discovery agent that runs on the site server at each site where discovery is configured to run. You can configure each of these discovery methods to search one or more Active Directory locations as location instances in the local forest or remote forests.

When discovery searches an untrusted forest for resources, the discovery agent must be able to resolve the following to be successful:
• To discover a computer resource with Active Directory System Discovery, the discovery agent must be able to resolve the FQDN of the resource. If it cannot resolve the FQDN, it will then attempt to resolve the resource by its NetBIOS name.
• To discover a user or group resource with Active Directory User Discovery or Active Directory Group Discovery, the discovery agent must be able to resolve the FQDN of the domain controller name you specify for the Active Directory location.

For each location instance that you specify, you can configure individual search options such as enabling a recursive search of the location’s Active Directory child containers. You can also configure a unique account to use when it searches that location instance. This provides flexibility in configuring a discovery method at one site to search multiple Active Directory locations across multiple forests, without having to configure a single account that has permissions to all locations.

When each of these three discovery methods runs at a specific site, the Configuration Manager site server at that site contacts the nearest domain controller in the specified Active Directory forest to locate Active Directory resources. The domain and forest can be in any supported Active Directory mode, and the account that you assign to each location instance must have Read access permission to the specified Active Directory locations. Discovery searches the specified locations for objects and then attempts to collect information about those objects. A DDR is created when sufficient information about a resource can be identified. The required information varies depending on the discovery method that is being used.
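The location instances described above, modelled in an added example that is not code from the documentation or the product: each instance carries the container DN to search, the recursive-search flag for its child containers, and its own account, and the check flags instances (whether configured at one site or at several sites) whose searches already cover the same containers, so that a resource is not discovered more than once. Site codes, DNs and account names are constructed.

```python
"""Check Active Directory discovery location instances for overlap.

Added example; this is not code from the Configuration Manager documentation
or the product. It models the location instances described above: each has
an LDAP distinguished name (DN) to search, a flag for the recursive search of
child containers, and optionally its own discovery account. Two instances
overlap when one is the same container as, or a child of, the other and the
outer one is searched recursively, because the inner resources would then
be discovered twice. Site codes, DNs and account names are constructed
sample values.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class DiscoveryLocation:
    site: str           # site code where the discovery method runs (constructed)
    dn: str             # distinguished name of the container to search
    recursive: bool     # also search the container's Active Directory children
    account: str = "site server computer account"


def split_dn(dn: str) -> List[str]:
    """Split a DN into normalized RDN parts, leaf first.

    Keeps escaped commas ("\\,") inside a value and normalizes case and
    whitespace so that "ou=Sales, DC=corp" equals "OU=Sales,DC=corp".
    """
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    normalized = []
    for rdn in parts:
        attr, _, value = rdn.partition("=")
        normalized.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return normalized


def contains(outer: DiscoveryLocation, inner: DiscoveryLocation) -> bool:
    """True when a search rooted at `outer` also returns the objects in `inner`."""
    o, i = split_dn(outer.dn), split_dn(inner.dn)
    if o == i:
        return True             # same container, regardless of recursion
    if not outer.recursive:
        return False            # a non-recursive search stops at the container itself
    # `inner` is a descendant when the tail of its DN equals the outer DN
    return len(i) > len(o) and i[-len(o):] == o


def find_overlaps(locations: List[DiscoveryLocation]) -> List[Tuple[DiscoveryLocation, DiscoveryLocation]]:
    """Return (outer, inner) pairs whose configured searches overlap.

    Pairs are checked across sites as well as within one site, because
    discovery data replicates to every site in the hierarchy, so a resource
    discovered by two sites is still discovered twice.
    """
    overlaps = []
    for i, outer in enumerate(locations):
        for j, inner in enumerate(locations):
            if i == j:
                continue
            if split_dn(outer.dn) == split_dn(inner.dn) and j < i:
                continue        # identical roots: report the pair once
            if contains(outer, inner):
                overlaps.append((outer, inner))
    return overlaps


# Constructed sample configuration: two primary sites (PS1, PS2) and a
# central administration site (CAS) running Active Directory System Discovery.
SAMPLE_LOCATIONS = [
    DiscoveryLocation("PS1", "OU=Workstations,DC=corp,DC=example,DC=com", True, "CORP\\svc-addisc"),
    DiscoveryLocation("PS2", "OU=Sales,OU=Workstations,DC=corp,DC=example,DC=com", True, "CORP\\svc-addisc"),
    DiscoveryLocation("PS1", "OU=Servers,DC=corp,DC=example,DC=com", False),
    DiscoveryLocation("PS1", "OU=Build,OU=Servers,DC=corp,DC=example,DC=com", True),
    DiscoveryLocation("CAS", "DC=partner,DC=example,DC=net", True, "PARTNER\\svc-discover"),
]


if __name__ == "__main__":
    for outer, inner in find_overlaps(SAMPLE_LOCATIONS):
        print(f"overlap: {outer.site} searches {outer.dn} recursively, "
              f"which already covers {inner.site}'s {inner.dn}")
```

In the sample, only the PS2 Sales location is reported, because the PS1 Servers location is not recursive and the partner forest is a separate tree.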
If you configure the same discovery method to run at different Configuration Manager sites to take advantage of querying local Active Directory servers, you can configure each site with a unique set of discovery options. Because discovery data is shared with each site in the hierarchy, avoid overlap between these configurations to efficiently discover each resource one time. For smaller environments, you might consider running each discovery method at only one single site in your hierarchy to reduce administrative overhead and the potential for multiple discovery actions to rediscover the same resources. When you minimize the number of sites that run discovery, you can reduce the overall network bandwidth that is being used by discovery, and reduce the overall number of DDRs that are created and must be processed by your site servers.

Many of the discovery method configurations are self-explanatory. Use the following sections for more information about the discovery options that might require additional information before you configure them.

Shared Discovery Options
The following table identifies configuration options that are available on multiple Active Directory Discovery methods.
Key: √ = Supported, Ø = Unsupported
Discovery option: Delta Discovery
Supported by: Active Directory System Discovery, Active Directory User Discovery, Active Directory Group Discovery
Details: Delta Discovery is an option available for each Active Directory discovery method except Active Directory Forest Discovery. Configuration Manager can use Delta Discovery to search Active Directory Domain Services (AD DS) for specific attributes that have changed after the last full discovery cycle of the discovery method. You can configure a short interval for Delta Discovery to search for new resources because discovering only new resources does not affect the performance of the site server as much as a full discovery cycle does. Delta Discovery can detect the following new resource types:
- Computer objects
- User objects
- Security group objects
- System group objects
Delta Discovery cannot detect when a resource has been deleted from AD DS. You must run a full discovery cycle to detect this change. DDRs for objects that Delta Discovery discovers are processed similarly to the DDRs that are created by a full discovery cycle. You configure Delta Discovery on the Polling Schedule tab in the properties for each discovery method.

Discovery option: Filter stale computer records by domain logon
Supported by: Active Directory System Discovery, Active Directory Group Discovery (not available for Active Directory User Discovery)
Details: You can configure discovery to exclude stale computer records based on the last domain logon of the computer. When this option is enabled, Active Directory System Discovery evaluates each computer it identifies, and Active Directory Group Discovery evaluates each computer that is a member of a group that is discovered. Use of this option requires the following:
- Computers must be configured to update the lastLogonTimeStamp attribute in AD DS.
- The Active Directory domain functional level is set to Windows Server 2003 or later.
When configuring the time after the last logon, consider the interval for replication between domain controllers. You configure filtering on the Option tab in both the Active Directory System Discovery Properties and Active Directory Group Discovery Properties dialog boxes by selecting the option Only discover computers that have logged on to a domain in a given period of time.
Warning: When you configure both of the stale record filters on the same discovery method, computers that meet the criteria of either filter are excluded from discovery.

Discovery option: Filter stale records by computer password
Supported by: Active Directory System Discovery, Active Directory Group Discovery (not available for Active Directory User Discovery)
Details: You can configure discovery to exclude stale computer records based on the last computer account password update by the computer. When this option is enabled, Active Directory System Discovery evaluates each computer it identifies, and Active Directory Group Discovery evaluates each computer that is a member of a group that is discovered. Use of this option requires the following:
- Computers must be configured to update the pwdLastSet attribute in AD DS.
When configuring this option, consider the interval for updates to this attribute in addition to the replication interval between domain controllers. You configure filtering on the Option tab in both the Active Directory System Discovery Properties and Active Directory Group Discovery Properties dialog boxes by selecting the option Only discover computers that have updated their computer account password in a given period of time.
Warning: When you configure both of the stale record filters on the same discovery method, computers that meet the criteria of either filter are excluded from discovery.

Discovery option: Search customized Active Directory attributes
Supported by: Active Directory System Discovery, Active Directory User Discovery (not available for Active Directory Group Discovery)
Details: Each discovery method supports a unique list of attributes that can be discovered. You configure Active Directory customized attributes on the Active Directory Attributes tab in both the Active Directory System Discovery Properties and Active Directory User Discovery Properties dialog boxes.

Active Directory System Discovery

Use Configuration Manager Active Directory System Discovery to search the specified Active Directory Domain Services (AD DS) locations for computer resources that can be used to create collections and queries. You can then install the client on discovered computers by using client push installation. To successfully create a discovery data record (DDR) for a computer, Active Directory System Discovery must be able to identify the computer account and then successfully resolve the computer name to an IP address.

By default, Active Directory System Discovery discovers basic information about the computer, including the following:
- Computer name
- Operating system and version
- Active Directory container name
- IP address
- Active Directory site
- Last Logon Timestamp
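The two stale-record filters described above can be reasoned about with a short script. The following is an added Python illustration, not Configuration Manager's own code: lastLogonTimeStamp and pwdLastSet are stored in AD DS as Windows FILETIME large integers (100-nanosecond intervals since 1601-01-01 UTC), so the block converts them, applies an allowance for the replication interval the text tells you to consider (lastLogonTimeStamp in particular is only replicated when the stored value is older than a threshold, 14 days by default), and shows that a computer meeting either enabled filter is excluded. The computer records, their timestamps, the fixed "now" and the slack value are all constructed.

```python
"""Stale computer-record filtering, modelled on the two filter options above.

Added illustration, not Configuration Manager code.  The computer records,
their timestamps and the replication allowance are all constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# lastLogonTimeStamp and pwdLastSet are stored as Windows FILETIME values:
# 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert an AD large-integer timestamp to an aware datetime.

    A value of 0 means the attribute was never set (for example a computer
    account that has never logged on); that is reported as None.
    """
    if filetime <= 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, computed with integers to avoid float loss."""
    delta = dt - _FILETIME_EPOCH
    micros = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def is_stale(last_value: int, now: datetime, max_age_days: int, slack_days: int = 0) -> bool:
    """True when the attribute is older than max_age_days plus a slack.

    The slack stands in for the documented advice to allow for the replication
    interval between domain controllers (and, for pwdLastSet, the interval at
    which the attribute is updated).  A never-set attribute (0) counts as stale.
    """
    when = filetime_to_datetime(last_value)
    if when is None:
        return True
    return now - when > timedelta(days=max_age_days + slack_days)


def filter_computers(computers, now, logon_max_days=None, password_max_days=None, slack_days=0):
    """Return the names of the computers discovery should keep.

    A filter set to None is disabled.  When both filters are enabled, a
    computer that meets EITHER stale criterion is excluded, which is the
    behaviour the Warning in the options table describes.
    """
    kept = []
    for c in computers:
        stale_logon = logon_max_days is not None and is_stale(
            c["lastLogonTimeStamp"], now, logon_max_days, slack_days)
        stale_password = password_max_days is not None and is_stale(
            c["pwdLastSet"], now, password_max_days, slack_days)
        if not (stale_logon or stale_password):
            kept.append(c["name"])
    return kept


# Constructed sample data: "now" is fixed so the results are reproducible.
NOW = datetime(2012, 5, 23, tzinfo=timezone.utc)


def _days_ago(n: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=n))


SAMPLE_COMPUTERS = [
    {"name": "WS001", "lastLogonTimeStamp": _days_ago(3),   "pwdLastSet": _days_ago(10)},
    {"name": "WS002", "lastLogonTimeStamp": _days_ago(120), "pwdLastSet": _days_ago(10)},   # stale logon only
    {"name": "WS003", "lastLogonTimeStamp": _days_ago(3),   "pwdLastSet": _days_ago(200)},  # stale password only
    {"name": "WS004", "lastLogonTimeStamp": 0,              "pwdLastSet": _days_ago(5)},    # never logged on
    {"name": "WS005", "lastLogonTimeStamp": _days_ago(92),  "pwdLastSet": _days_ago(10)},   # kept only thanks to the slack
]

if __name__ == "__main__":
    # Both filters at 90 days with a 14-day replication allowance.
    print(filter_computers(SAMPLE_COMPUTERS, NOW, 90, 90, slack_days=14))
    # Domain-logon filter only, no allowance.
    print(filter_computers(SAMPLE_COMPUTERS, NOW, logon_max_days=90))
```

With both filters at 90 days and a 14-day allowance, WS002 (old logon), WS003 (old password) and WS004 (never logged on) are excluded and WS005 survives because its 92-day-old logon is within the allowance; with only the logon filter and no allowance, WS005 drops out and WS003 is kept, because the password filter is disabled.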
In addition to the basic information, you can configure the discovery of extended attributes from Active Directory Domain Services. You can view the default list of object attributes returned by Active Directory System Discovery, and configure additional attributes to be discovered, in the Active Directory System Discovery Properties dialog box on the Active Directory Attributes tab. For more information about how to configure this discovery method, see Configure Active Directory Discovery in Configuration Manager.

Active Directory System Discovery actions are recorded in the file adsysdis.log in the <InstallationPath>\Logs folder on the site server.

Active Directory User Discovery

Use Configuration Manager Active Directory User Discovery to search Active Directory Domain Services (AD DS) to identify user accounts and associated attributes. You can view the default list of object attributes returned by Active Directory User Discovery, and configure additional attributes to be discovered, in the Active Directory User Discovery Properties dialog box on the Active Directory Attributes tab.

By default, Active Directory User Discovery discovers basic information about the user account, including the following:
- User name
- Unique user name (includes domain name)
- Domain
- Active Directory container names

In addition to the basic information, you can configure the discovery of extended attributes from Active Directory Domain Services. For more information about how to configure this discovery method, see Configure Active Directory Discovery in Configuration Manager.

Active Directory User Discovery actions are recorded in the file adusrdis.log in the <InstallationPath>\Logs folder on the site server.

Active Directory Group Discovery

Use Configuration Manager Active Directory Group Discovery to search Active Directory Domain Services (AD DS) to identify the group memberships of computers and users. This discovery method searches a discovery scope that you configure, and then identifies the group memberships of resources in that discovery scope. By default, only security groups are discovered. However, you can discover the membership of distribution groups when you select the checkbox for the option Discover the membership of distribution groups on the Option tab in the Active Directory Group Discovery Properties dialog box.

Use Active Directory Group Discovery to discover the following information:
- Groups
- Membership of groups
- Limited information about a group's member computers and users, even when those computers and users have not previously been discovered by another discovery method

This discovery method is intended to identify groups and the group relationships of members of groups. This method of discovery does not support the extended Active Directory attributes that can be identified by using Active Directory System Discovery or Active Directory User Discovery. Because this discovery method is not optimized to discover computer and user resources, consider running this discovery method after you have run Active Directory System Discovery and Active Directory User Discovery. This is because this discovery method creates a full DDR for groups, but only a limited DDR for computers and users that are members of groups.

You can configure the following discovery scopes that control how Active Directory Group Discovery searches for information:
- Location: Use a location if you want to search one or more Active Directory containers. This scope option supports a recursive search of the specified Active Directory containers that also searches each child container under the container you specify. This process continues until no more child containers are found.
- Groups: Use groups if you want to search one or more specific Active Directory groups. You can configure the Active Directory Domain to use the default domain and forest, or limit the search to an individual domain controller. Additionally, you can specify one or more groups to search. If you do not specify at least one group, all groups found in the specified Active Directory Domain location are searched.

When you configure a discovery scope, select only the groups that you must discover. This is because Active Directory Group Discovery attempts to discover each member of each group in the discovery scope. Discovery of large groups can require extensive use of bandwidth and Active Directory resources.

You have to run either Active Directory System Discovery or Active Directory User Discovery to create collections that are based on extended Active Directory attributes and to ensure accurate discovery results for computers and users. For more information about how to configure this discovery method, see Configure Active Directory Discovery in Configuration Manager.

Active Directory Group Discovery actions are recorded in the file adsgdis.log in the <InstallationPath>\Logs folder on the site server.

About Active Directory Forest Discovery

Use Configuration Manager Active Directory Forest Discovery to discover IP subnets and Active Directory sites and to add them to Configuration Manager as boundaries.
Unlike other discovery methods, Active Directory Forest Discovery does not discover resources that you can manage. Instead, this method discovers Active Directory network locations and can convert those locations into boundaries for use throughout your hierarchy.

Use Active Directory Forest Discovery to do the following:
- Discover IP subnets in an Active Directory forest
- Discover Active Directory sites in an Active Directory forest
- Add the IP subnets and Active Directory sites that are discovered as boundaries in Configuration Manager
- Publish to the Active Directory Domain Services of a forest when publishing to that forest is enabled, and the specified Active Directory Forest Account has permissions to that forest

Manage Active Directory Forest Discovery in the Configuration Manager console from the following nodes under Hierarchy Configuration in the Administration workspace:
- Discovery Methods: Here you can enable Active Directory Forest Discovery to run at the top-level site of your hierarchy. You can also specify a simple schedule to run discovery, and configure it to automatically create boundaries from the IP subnets and Active Directory sites that it discovers. Active Directory Forest Discovery cannot be run at a child primary site or at a secondary site. This discovery method does not support Delta Discovery.
- Active Directory Forests: Here you configure the additional Active Directory forests that you want to discover, specify the account to use as the Active Directory Forest Account for each forest, and configure publishing to each forest. Additionally, you can monitor the discovery process and add IP subnets and Active Directory sites to Configuration Manager as boundaries and members of boundary groups.

When publishing is enabled for a forest and that forest's schema is extended for Configuration Manager, the following information is published for each site that is enabled to publish to that Active Directory forest:
- SMS-Site-<site code>
- SMS-MP-<site code>-<site system server name>
- SMS-SLP-<site code>-<site system server name>
- SMS-<site code>-<Active Directory site name or subnet>

Secondary sites always use the secondary site server computer account to publish to Active Directory. If you want secondary sites to publish to Active Directory, ensure the secondary site server computer account has permissions to publish to Active Directory. A secondary site cannot publish data to an untrusted forest.

To configure publishing for Active Directory forests for each site in your hierarchy, connect your Configuration Manager console to the top-level site of your hierarchy. The Publishing tab in an Active Directory site Properties dialog box can only display the current site and its child sites.

When you clear the option to publish a site to an Active Directory forest, all previously published information for that site, including available site system roles, is removed from the Active Directory of that forest.

Active Directory Forest Discovery runs on the local Active Directory forest, each trusted forest, and each additional forest that you configure in the Active Directory Forests node of the Configuration Manager console.

Active Directory Forest Discovery actions are recorded in the following logs:
- All actions, with the exception of actions related to publishing, are recorded in the ADForestDisc.log file in the <InstallationPath>\Logs folder on the site server.
- Active Directory Forest Discovery publishing actions are recorded in hman.log and sitecomp.log in the <InstallationPath>\Logs folder on the site server.

About Delta Discovery

Delta Discovery is not a full discovery method in Configuration Manager, but an option available for the Active Directory System, User, and Group discovery methods. Delta Discovery can identify most changes to a previously discovered resource in Active Directory and uses fewer resources than a full discovery cycle. When you enable Delta Discovery for a discovery method, the discovery method searches Active Directory Domain Services (AD DS) for specific attributes that have changed after the discovery method's last full discovery cycle. These changes are submitted to the Configuration Manager database to update the resource's discovery record.

By default, Delta Discovery runs on a five-minute cycle. This is because it uses fewer resources during discovery than a full discovery cycle, and does not affect the performance of the site server as much as a full discovery cycle would. When you use Delta Discovery, consider reducing the frequency of the full discovery cycle for that discovery method.

Delta Discovery can detect changes on Active Directory objects. The following are the most common changes that Delta Discovery detects:
- New computers or users added to Active Directory
- Changes to basic computer and user information
- New computers or users that are added to a group
- Computers or users that are removed from a group
- Changes to System group objects

Although Delta Discovery can detect new resources and changes to group membership, it cannot detect when a resource has been deleted from AD DS. DDRs for objects that Delta Discovery discovers are processed similarly to the DDRs that are created by a full discovery cycle.
You configure Delta Discovery on the Polling Schedule tab in the properties for each discovery method.

About Heartbeat Discovery

Heartbeat Discovery differs from other Configuration Manager discovery methods. It is enabled by default and runs on each computer client to create a discovery data record (DDR). For mobile device clients, this DDR is created by the management point that is being used by the mobile device client. Heartbeat Discovery runs either on a schedule configured for all clients in the hierarchy, or, if manually invoked, on a specific client by running the Discovery Data Collection Cycle on the Action tab in a client's Configuration Manager program.

When Heartbeat Discovery runs, it creates a discovery data record (DDR) that contains the client's current information, including network location, NetBIOS name, and operational status details. It is a small file, about 1 KB, which is copied to a management point and then processed by a primary site. The submission of a Heartbeat Discovery DDR can maintain an active client's record in the database, and can also force discovery of an active client that might have been removed from the database, or that has been manually installed and not discovered by another discovery method. Heartbeat Discovery is the only discovery method that provides details about the client installation status by updating a system resource client attribute that has the value Yes. To send the Heartbeat Discovery record, the client computer must be able to contact a management point.

The default schedule for Heartbeat Discovery is set to every 7 days. If you change the heartbeat discovery interval, ensure that it runs more frequently than the site maintenance task Delete Aged Discovery Data, which deletes inactive client records from the site database. You can configure the Delete Aged Discovery Data task only for primary sites.

Even when Heartbeat Discovery is disabled, DDRs are still created and submitted for active mobile device clients. This ensures that the Delete Aged Discovery Data task does not affect active mobile devices. When the Delete Aged Discovery Data task deletes a database record for a mobile device, it also revokes the device certificate and blocks the mobile device from connecting to management points.

Heartbeat Discovery actions are logged in the following locations:
- For computer clients, Heartbeat Discovery actions are recorded on the client in InventoryAgent.log in the %Windir%\CCM\Logs folder.
- For mobile device clients, Heartbeat Discovery actions are recorded in DMPRP.log in the %Program Files%\CCM\Logs folder of the management point that the mobile device client uses.

About Network Discovery

Use Configuration Manager Network Discovery to discover the topology of your network and the devices on your network.
Network Discovery searches your network for IP-enabled resources by querying servers that run a Microsoft implementation of DHCP, Address Resolution Protocol (ARP) caches in routers, SNMP-enabled devices, and Active Directory domains. To successfully discover a resource, Network Discovery must identify the IP address and the subnet mask of the resource. Because different types of devices can connect to the network, Network Discovery can discover resources that cannot support the Configuration Manager client software. For example, devices that can be discovered but not managed include printers and routers.

Network Discovery can return several attributes as part of the discovery record it creates. These include the following:
- NetBIOS name
- IP addresses
- Resource domain
- System roles
- SNMP community name
- MAC addresses

To use Network Discovery, you must specify the level of discovery to run. You also configure one or more discovery mechanisms that enable Network Discovery to query for network segments or devices. You can also configure settings that help control discovery actions on the network. Finally, you define one or more schedules for when Network Discovery runs.

Complex networks and low bandwidth connections can cause Network Discovery to run slowly and generate significant network traffic. As a best practice, run Network Discovery only when the other discovery methods cannot find the resources that you have to discover. For example, use Network Discovery if you must discover workgroup computers. Workgroup computers are not discovered by other discovery methods.

When discovery identifies an IP-addressable object and can determine the object's subnet mask, it creates a discovery data record (DDR) for that object. Network Discovery activity is recorded in Netdisc.log in the <InstallationPath>\Logs folder on the site server that runs discovery.

Levels of Network Discovery

When you configure Network Discovery, you specify one of three levels of discovery:
- Topology: This level discovers routers and subnets but does not identify a subnet mask for objects.
- Topology and client: In addition to topology, this level discovers potential clients such as computers, and resources such as printers and routers. This level of discovery attempts to identify the subnet mask of objects it finds.
- Topology, client, and client operating system: In addition to topology and potential clients, this level attempts to discover the computer operating system name and version. This level uses Windows Browser and Windows Networking calls.

With each incremental level, Network Discovery increases its activity and network bandwidth usage. Consider the network traffic that can be generated before you enable all aspects of Network Discovery. For example, when you first use Network Discovery, you might start with only the topology level to identify your network infrastructure. Then, you could reconfigure Network Discovery to discover objects and their device operating systems. You could also configure settings that limit Network Discovery to a specific range of network segments, so that you discover objects in the network locations that you require and avoid unnecessary network traffic and discovery of objects from edge routers or from outside your network.

Network Discovery Options

To enable Network Discovery to search for IP-addressable devices, you must configure one or more options that specify how to query for devices. The options are listed below.

Option: Domains
Details: Specify each domain that you want Network Discovery to query. Network Discovery can discover any computer that you can view from your site server when you browse the network. Network Discovery retrieves the IP address and then uses an Internet Control Message Protocol echo request to ping each device that it finds. The ping command helps determine which computers are currently active.
Requirements: The site server that runs discovery must have permissions to read the domain controllers in each specified domain.
Note: To discover computers from the local domain, you must enable the Computer Browser service on at least one computer that is located on the same subnet as the site server that runs Network Discovery.

Option: SNMP Devices
Details: Specify each SNMP device that you want Network Discovery to query. Network Discovery retrieves the ipNetToMediaTable value from any SNMP device that responds to the query. This value returns arrays of IP addresses that are client computers or other resources such as printers, routers, or other IP-addressable devices.
Requirements: To query a device, you must specify the IP address or NetBIOS name of the device. You must configure Network Discovery to use the community name of the device, or the device rejects the SNMP-based query.

Option: DHCP
Details: Specify each DHCP server that you want Network Discovery to query. Network Discovery can query both 32-bit and 64-bit DHCP servers for a list of devices that are registered with each server. Network Discovery retrieves information by using remote procedure calls to the database on the DHCP server. When Network Discovery enumerates a DHCP server, it does not always discover static IP addresses. Network Discovery does not find IP addresses that are part of an excluded range of IP addresses on the DHCP server, and does not discover IP addresses that are reserved for manual assignment.
Note: Network Discovery supports only DHCP servers that run the Microsoft implementation of DHCP.
Requirements: For Network Discovery to successfully query a DHCP server, the computer account of the server that runs discovery must be a member of the DHCP Users group on the DHCP server. For example, this level of access exists when one of the following is true:
- The specified DHCP server is the DHCP server of the server that runs discovery.
- The computer that runs discovery and the DHCP server are in the same domain.
- A two-way trust exists between the computer that runs discovery and the DHCP server.
- The site server is a member of the DHCP Users group.
Important: To successfully configure a DHCP server in Network Discovery, your environment must support IPv4. You cannot configure Network Discovery to use a DHCP server in a native IPv6 environment.

Network Discovery runs in the context of the computer account of the site server that runs discovery. If the computer account does not have permissions to an untrusted domain, both the Domains and DHCP server configurations can fail to discover resources.

Limiting Network Discovery

When Network Discovery queries an SNMP device on the edge of your network, it can identify information about subnets and SNMP devices that are outside your immediate network. You can limit Network Discovery by configuring the SNMP devices that discovery can communicate with, and by specifying the network segments to query. Use the following configurations to limit the scope of Network Discovery:

Configuration: Subnets
Details: Configure the subnets that Network Discovery queries when it uses the SNMP and DHCP options. Only the enabled subnets are searched by these two options. For example, a DHCP request can return devices from locations across your whole network. If you want to discover only devices on a specific subnet, specify and enable that specific subnet on the Subnets tab in the Network Discovery Properties dialog box. When you specify and enable subnets, you limit future DHCP and SNMP discovery operations to those subnets.
Note: Subnet configurations do not limit the objects that the Domains discovery option discovers.

Configuration: SNMP Community names
Details: To enable Network Discovery to successfully query an SNMP device, configure Network Discovery with the community name of the device. If Network Discovery is not configured by using the community name of the SNMP device, the device rejects the query.

Configuration: Maximum hops
Details: When you configure the maximum number of router hops, you limit the number of network segments and routers that Network Discovery can query by using SNMP. The number of hops that you configure limits the number of additional devices and network segments that Network Discovery can query. For example, a topology-only discovery with 0 (zero) router hops discovers the subnet on which the originating server resides, and includes any routers on that subnet. The following diagram shows what a topology-only Network Discovery finds when it runs on Server 1 with 0 router hops specified: subnet D and Router 1. The following diagram shows what a topology and client Network Discovery finds when it runs on Server 1 with 0 router hops specified: subnet D and Router 1, and all potential clients on subnet D. To get a better idea of how additional router hops can increase the amount of network resources that are discovered, consider the following network. Running a topology-only Network Discovery from Server 1 with one router hop discovers the following:
- Router 1 and subnet 10.1.10.0 (found with zero hops).
- Subnets 10.1.20.0 and 10.1.30.0, subnet A, and Router 2 (found on the first hop).
Warning: Each increase to the number of router hops can significantly increase the number of discoverable resources and increase the network bandwidth that Network Discovery uses.

Discovery Data Records Created by Network Discovery

When Network Discovery discovers an object, it creates a discovery data record (DDR) for that object. For Network Discovery to discover an object, it must identify the object's IP address and then identify its subnet mask. If Network Discovery cannot determine the subnet mask of an object, it does not create a DDR. Network Discovery uses the following methods to identify the subnet mask of an object:

Method: Router ARP cache
Details: Network Discovery queries the ARP cache of a router to find subnet information.
Limitation: Typically, data in a router ARP cache has a short time-to-live. When Network Discovery queries the ARP cache, the ARP cache might no longer contain information about the requested object.

Method: DHCP
Details: Network Discovery queries each DHCP server that you specify to discover the devices for which the DHCP server has provided a lease.
Limitation: Network Discovery supports only DHCP servers that run the Microsoft implementation of DHCP.

Method: SNMP Device
Details: Network Discovery can directly query an SNMP device.
Limitation: For Network Discovery to query a device, the device must have a local SNMP agent installed. You must also configure Network Discovery to use the community name that is being used by the SNMP agent.

Configuration Manager processes DDRs that are created by Network Discovery just as it processes DDRs that are created by other discovery methods.

About Discovery Data Records

Discovery data records (DDRs) are files created by a discovery method that contain information about a resource you can manage in Configuration Manager. DDRs contain information about computers, users and, in some cases, network infrastructure. They are processed at primary sites or at central administration sites. After the resource information in the DDR is entered into the database, the DDR is deleted and the information replicates as global data to all sites in the hierarchy.

The site at which a DDR is processed depends on the information it contains:
- DDRs for newly discovered resources that are not in the database are processed at the top-level site of the hierarchy. The top-level site creates a new resource record in the database and assigns it a unique identifier. DDRs transfer by file-based replication until they reach the top-level site.
- DDRs for previously discovered objects are processed at primary sites. Child primary sites do not transfer DDRs to the central administration site when the DDR contains information about a resource that is already in the database.
- Secondary sites do not process discovery data records and always transfer them by file-based replication to their parent primary site.

DDR files are identified by the .ddr extension, and have a typical size of about 1 KB.

Decide Where to Run Discovery

When you plan to use discovery in Configuration Manager, you must consider where to run each discovery method.
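The router-hop limit, the discovery level, and the rule that an object without a determinable subnet mask gets no DDR can all be seen together in a small simulation. This is an added Python example, not Configuration Manager code. The topology is constructed to reproduce the one-hop example from the Maximum hops entry above (Server 1 on subnet 10.1.10.0 behind Router 1, which also serves 10.1.20.0, 10.1.30.0 and subnet A; Router 2 sits on subnet A); subnet A's address 10.2.0.0, the subnet 10.3.0.0 behind Router 2, and the client devices are my own constructed additions, and counting a hop as crossing a router found at the previous hop is my assumption about how hops are counted, chosen because it yields the text's result.

```python
"""Hop-limited Network Discovery, simulated.

Added illustration, not Configuration Manager code.  The topology is constructed
to reproduce the one-hop example in the text; subnet A's address, subnet 10.3.0.0
behind Router 2, and the client devices are constructed additions.
"""
from collections import deque

# Routers, keyed by name, with the subnets on which they have an interface.
ROUTERS = {
    "Router 1": ["10.1.10.0", "10.1.20.0", "10.1.30.0", "10.2.0.0"],   # 10.2.0.0 stands in for "subnet A"
    "Router 2": ["10.2.0.0", "10.3.0.0"],
}

# Potential clients: (name, subnet, subnet mask).  A mask of None models a device
# for which no source (router ARP cache, DHCP lease, SNMP agent) can supply one.
CLIENTS = [
    ("WS010", "10.1.10.0", "255.255.255.0"),
    ("PRN01", "10.1.10.0", None),            # printer with a static address, ARP entry expired
    ("WS020", "10.1.20.0", "255.255.255.0"),
    ("WS030", "10.1.30.0", "255.255.255.0"),
    ("SRV-A", "10.2.0.0",  "255.255.255.0"),
    ("WS300", "10.3.0.0",  "255.255.255.0"),
]

ORIGIN_SUBNET = "10.1.10.0"   # the subnet on which Server 1 (the discovering site server) resides


def discover(level: str, max_hops: int):
    """Return (subnets, routers, ddrs) that a run from Server 1 would produce.

    Hop 0 covers the originating server's own subnet and any router on it.  Each
    further hop queries the routers reached so far for the other subnets they
    serve, and then finds the routers on those subnets (an assumption about how
    hops are counted, chosen to match the text's example).  ``level`` is
    "topology" or "topology and client"; only the latter looks for potential
    clients, and only a client whose subnet mask can be determined yields a DDR.
    The operating-system level is treated like the client level here, because
    OS resolution is not modelled.
    """
    subnets = {ORIGIN_SUBNET}
    routers = set()
    frontier = deque([(ORIGIN_SUBNET, 0)])       # (subnet, hop at which it was reached)
    while frontier:
        subnet, hop = frontier.popleft()
        for router, interfaces in ROUTERS.items():
            if subnet not in interfaces or router in routers:
                continue
            routers.add(router)                  # a router on a known subnet is always seen
            if hop >= max_hops:                  # crossing it would exceed the hop limit
                continue
            for other in interfaces:
                if other not in subnets:
                    subnets.add(other)
                    frontier.append((other, hop + 1))

    ddrs = []
    if level != "topology":
        ddrs = [name for name, subnet, mask in CLIENTS
                if subnet in subnets and mask is not None]
    return sorted(subnets), sorted(routers), ddrs


if __name__ == "__main__":
    for level in ("topology", "topology and client"):
        for hops in (0, 1, 2):
            subnets, routers, ddrs = discover(level, hops)
            print(f"{level}, {hops} hop(s): subnets={subnets} routers={routers} DDRs={ddrs}")
```

With zero hops a topology-only run returns only 10.1.10.0 and Router 1; with one hop it adds 10.1.20.0, 10.1.30.0, subnet A and Router 2, as in the text; a second hop reaches 10.3.0.0 behind Router 2, which is the growth the Warning above cautions about. At the client level the printer PRN01 is never reported, because no subnet mask can be determined for it.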
  • 290. 290 After Configuration Manager adds discovery data to a database, it is quickly shared between all sites in the hierarchy. Because there is no benefit to discovering the same information at multiple sites in your hierarchy, consider configuring a single instance of each discovery method that you use to run at a single site instead of running multiple instances of a single method at different sites. However, periodically it might help assign the same discovery method to run at multiple sites, each with a separate configuration and schedule. This is because at each site, all configurations for a single discovery method are evaluated every time that discovery method runs. If you do configure multiple instances of a single discovery method to run at different sites, plan the configuration of each carefully to avoid having two or more discovery processes discover the same resources. Discovering the same locations and resources at multiple sites can consume additional network bandwidth and create duplicate DDRs for resources that add no value and must still be processed by your site servers. The following table identifies at which sites you can configure the different discovery methods. Discovery method Supported locations Active Directory Forest Discovery  Central administration site  Primary Site Active Directory Group Discovery  Primary site Active Directory System Discovery  Primary site Active Directory User Discovery  Primary site Heartbeat Discovery 1  Primary site Network Discovery  Primary site  Secondary site 1 Secondary sites cannot configure Heartbeat Discovery but can receive the Heartbeat DDR from a client. When secondary sites run Network Discovery, or receive Heartbeat Discovery DDRs, they transfer the DDR by file-based replication to their parent primary site. This is because only primary sites and central administration sites can process discovery data records (DDRs). 
For more information about how DDRs are processed, see About Discovery Data Records in this topic. Consider the following when you plan where to run discovery:  When you use an Active Directory Discovery method for systems, users, or groups:  Run discovery at a site that has a fast network connection to your domain controllers.  Consider the Active Directory replication topology to ensure discovery can access the latest information.  Consider the scope of the discovery configuration and limit discovery to only those Active Directory locations and groups that you have to discover.
- If you use Network Discovery:
  - Use a limited initial configuration to identify your network topography.
  - After you identify your network topography, configure Network Discovery to run at specific sites that are central to the network areas that you want to more fully discover.
- Because Heartbeat Discovery does not run at a specific site, you do not have to consider it in general planning for where to run discovery.
- Because each site server and network environment is different, limit your initial discovery configurations and closely monitor each site server for its ability to process the discovery data that is generated.

Best Practices for Discovery
Use the following best practices information to help you use discovery in System Center 2012 Configuration Manager.

Run Active Directory System Discovery and Active Directory User Discovery before you run Active Directory Group Discovery
When Active Directory Group Discovery identifies a previously undiscovered user or computer as a member of a group, it attempts to discover basic details for the user or computer. Because Active Directory Group Discovery is not optimized for this type of discovery, this process can cause Active Directory Group Discovery to run slowly. Additionally, Active Directory Group Discovery identifies only the basic details about the users and computers it discovers, and does not create a complete user or computer discovery record. When you run Active Directory System Discovery and Active Directory User Discovery, the additional Active Directory attributes for each object type are available, and as a result, Active Directory Group Discovery runs more efficiently.

When you configure Active Directory Group Discovery, only specify groups that you use with Configuration Manager
To help control the use of resources by Active Directory Group Discovery, specify only those groups that you use with Configuration Manager. This is because Active Directory Group Discovery recursively searches each group it discovers for users, computers, and nested groups. The search of each nested group can expand the scope of Active Directory Group Discovery and reduce performance. Additionally, when you configure delta discovery for Active Directory Group Discovery, the discovery method monitors each group for changes. This further reduces performance when the method must search unnecessary groups.

Configure discovery methods with a longer interval between full discovery, and a more frequent period of delta discovery
Because delta discovery uses fewer resources than a full discovery cycle, and can identify new or modified resources in Active Directory, when you use delta discovery you can reduce the frequency of full discovery cycles to one per week or less. Delta discovery for Active Directory System Discovery, Active Directory User Discovery, and Active Directory Group Discovery identifies almost all changes to Active Directory objects and can maintain accurate discovery data for resources.

Run Active Directory Discovery methods at a primary site that has a network location that is closest to your Active Directory domain controller
To improve the performance of Active Directory discovery, it is recommended to run discovery at a primary site that has a fast network connection to your domain controllers. If you run the same Active Directory discovery method at multiple sites, it is recommended to configure each discovery method to avoid overlap. Unlike past versions of Configuration Manager, discovery data is shared between sites. Therefore, it is not necessary to discover the same information at multiple sites. For more information, see Decide Where to Run Discovery.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Client Settings in Configuration Manager
Use client settings in System Center 2012 Configuration Manager to configure user and device settings for the hierarchy. Client settings include configuration options such as the hardware inventory and schedule, and the polling schedule for client policy. All Configuration Manager clients in the hierarchy use the Default Client Settings that are automatically created when you install Configuration Manager. However, you can modify the default client settings and you can create custom client settings to override the default client settings for specific users or devices. When you create a set of custom client settings, you must assign it to one or more collections for the settings to be applied to the collection members. If you apply multiple sets of custom client settings to the same user or device, you can control the order in which these settings are applied according to the order that you specify.
Custom device or user settings with an Order value of 1 are always processed last and will override any other configurations. The Default Client Settings object has a permanent order of 10,000, which ensures that it is always applied before any custom settings are applied. When there is a conflict of settings, the client setting that was applied last (the one with the lower order value) overrides any previous settings. You can view the resultant client settings for a user or a device by using the System Center 2012 Configuration Manager reports.

You can create custom client settings at the central administration site or from any primary site in the hierarchy. Custom settings replicate to all sites in the hierarchy.
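The precedence rule just described (apply in descending Order value, so Order 1 is applied last and wins; the Default Client Settings at 10,000 are applied first) can be modelled to predict the resultant settings for a device before you look at the reports. The following PowerShell is an added example and not code from the Configuration Manager product or documentation; the setting names and values are constructed sample data, not an export from a site.

```powershell
# Added example: resolve conflicting client settings the way Configuration Manager
# orders them. Input objects carry Name, Order and a Values hashtable. Sorting by
# Order descending means Default Client Settings (10000) is applied first and the
# custom set with the lowest Order is applied last, so its values override.
function Resolve-ClientSettings {
    param(
        [Parameter(Mandatory)][object[]]$AppliedSettings
    )
    $effective = @{}
    $setBy     = @{}
    foreach ($set in ($AppliedSettings | Sort-Object -Property Order -Descending)) {
        foreach ($key in $set.Values.Keys) {
            $effective[$key] = $set.Values[$key]
            $setBy[$key]     = "$($set.Name) (Order $($set.Order))"
        }
    }
    foreach ($key in ($effective.Keys | Sort-Object)) {
        [pscustomobject]@{
            Setting = $key
            Value   = $effective[$key]
            SetBy   = $setBy[$key]
        }
    }
}

# Constructed sample data (assumed setting names; not exported from a real site).
$default = [pscustomobject]@{
    Name = 'Default Client Settings'; Order = 10000
    Values = @{ RemoteControlEnabled = $false; HardwareInventoryHours = 168; PolicyPollingMinutes = 60 }
}
$helpdesk = [pscustomobject]@{
    Name = 'Help desk workstations'; Order = 2
    Values = @{ RemoteControlEnabled = $true }
}
$servers = [pscustomobject]@{
    Name = 'Servers'; Order = 1
    Values = @{ RemoteControlEnabled = $false; HardwareInventoryHours = 24 }
}

# A device that is a member of all three collections: Order 1 is applied last, so
# RemoteControlEnabled ends up $false even though the Order 2 set turned it on.
Resolve-ClientSettings -AppliedSettings @($default, $helpdesk, $servers) | Format-Table -AutoSize
```

Because the lowest Order value always wins, a setting that loosens security (remote control enabled, for instance) should be given a higher Order number than the restrictive set that applies to sensitive collections, so the restrictive set is applied last.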
For information about how to configure client settings, see How to Configure Client Settings in Configuration Manager.

What’s New in Configuration Manager
The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

In Configuration Manager 2007, client agent settings are configured on a per-site basis and you cannot configure these settings for the whole hierarchy. In System Center 2012 Configuration Manager, client agent settings and other client settings are grouped into centrally configurable client settings objects that are applied at the hierarchy. To view and configure these, modify the default client settings. If you need additional flexibility for groups of users or computers, configure custom client settings and assign them to collections. For example, you can configure remote control to be available only on specified collections of computers.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Site Systems in Configuration Manager
System Center 2012 Configuration Manager uses site system roles to support operations at each site. Computers that host the Configuration Manager site are named site servers, and computers that host the other site system roles are named site system servers. The site server is also a site system server.

Site system servers within the same site communicate with each other by using server message block (SMB), HTTP, or HTTPS, depending on the site configuration selections that you make. Because these communications are unmanaged and can occur at any time without network bandwidth control, review your available network bandwidth before you install site system servers and configure the site system roles.

At each site, you can install available site system roles on the site server or install one or more site system roles on another site system server. Configuration Manager does not limit the number of site system roles that you can run on a single site system server. However, Configuration Manager does not support site system roles from different sites on the same site system server. Additionally, Configuration Manager supports some site system roles only at specific sites in a hierarchy, and some site system roles have other limitations as to where and when you can install them.

Use the following sections to help you plan for site systems:
Note
- Site System Roles in Configuration Manager
- Planning Where to Install Site System Roles in the Hierarchy
- Planning for Database Servers in Configuration Manager
- Planning for the SMS Provider in Configuration Manager
- Planning for Custom Websites with Configuration Manager

Site System Roles in Configuration Manager
When you install a site, several site system roles are automatically installed on the servers that you specify during Setup. After a site is installed, you can install additional site system roles on those servers or on additional computers that you decide to use as site system servers. The following sections identify the default site system roles and the optional site system roles that are available in Configuration Manager.

Default Site System Roles
When you install a Configuration Manager site, several default site system roles are automatically installed for the site. These site system roles are required for the core operation of each site and, although some default site system roles can be moved to other servers, they cannot be removed from the site. Additionally, some default site system roles are installed on additional site system servers when you install optional site system roles. The default site system roles are described in the following table.

Site system role: Description

Configuration Manager site server: The site server role is automatically installed on the server from which you run Configuration Manager Setup when you install a central administration site or primary site. When you install a secondary site, the site server role is installed on the server that you specify as the secondary site server.

Configuration Manager site system: Site systems are computers that provide Configuration Manager functionality to a site. Each site system hosts one or more site system roles. Most site system roles are optional, and you install them only if you have to use them for specific management tasks. Other site system roles are automatically installed on a site system and cannot be configured. This role is assigned during Configuration Manager site installation or when you add an optional site system role to another server.

Configuration Manager component site system role: Any site system that runs the SMS Executive service also installs the component site system role. This role is required to support other roles, such as a management point, and it is installed and removed with the other site system roles. This role is always assigned to the site server when you install Configuration Manager.

Configuration Manager site database server: The site database server is a computer that runs a supported version of Microsoft SQL Server, and it stores information for Configuration Manager sites, such as discovery data, hardware and software inventory data, and configuration and status information. Each site in the Configuration Manager hierarchy contains a site database and a server that is assigned the site database server role. You can install SQL Server on the site server, or you can reduce the CPU usage of the site server when you install SQL Server on a computer other than the site server. Secondary sites can use SQL Server Express instead of a full SQL Server installation. The site database can be installed on the default instance of SQL Server or on a named instance on a single computer that is running SQL Server. It can be installed on a named instance on a SQL Server cluster. Typically, a site system server supports site system roles from a single Configuration Manager site only; however, you can use different instances of SQL Server on clustered or non-clustered servers running SQL Server to host the database for different Configuration Manager sites. For this configuration, you must configure each instance of SQL Server to use different ports. This role is installed when you install Configuration Manager.

SMS Provider: The SMS Provider is the interface between the Configuration Manager console and the site database. This role is installed when you install a central administration site or primary site. Secondary sites do not install the SMS Provider. You can install the SMS Provider on the site server, the site database server (unless the site database is hosted on a clustered instance of SQL Server), or on another computer. You can also move the SMS Provider to another computer after the site is installed, or install multiple SMS Providers on additional computers. To move or install additional SMS Providers for a site, run Configuration Manager Setup, select the option Perform site maintenance or reset the Site, click Next, and then on the Site Maintenance page, select the option Modify SMS Provider configuration.
Note: The SMS Provider is only supported on computers that are in the same domain as the site server.

Optional Site System Roles
Optional site system roles are site system roles that are not required for the core operation of a Configuration Manager site. However, by default, the management point and distribution point, which are optional site system roles, are installed on the site server when you install a primary or secondary site. Although these two site system roles are not required for the core operation of the site, you must have at least one management point to support clients at those locations. After you install a site, you can move the default location of the management point or distribution point to another server, install additional instances of each site system role, and install other optional site system roles to meet your business requirements. The optional site system roles are described in the following table.

Site system role: Description

Application Catalog web service point: A site system role that provides software information to the Application Catalog website from the Software Library.

Application Catalog website point: A site system role that provides users with a list of available software from the Application Catalog.

Asset Intelligence synchronization point: A site system role that connects to System Center Online to download Asset Intelligence catalog information and upload uncategorized titles so that they can be considered for future inclusion in the catalog. This site system role can only be installed on the central administration site or a stand-alone primary site. For more information about planning for Asset Intelligence, see Prerequisites for Asset Intelligence in Configuration Manager.

Distribution point: A site system role that contains source files for clients to download, such as application content, software packages, software updates, operating system images, and boot images. You can control content distribution by using bandwidth, throttling, and scheduling options. For more information, see Planning for Content Management in Configuration Manager.

Fallback status point: A site system role that helps you monitor client installation and identify the clients that are unmanaged because they cannot communicate with their management point.

Management point: A site system role that provides policy and service location information to clients and receives configuration data from clients. You must install at least one management point at each primary site that manages clients, and at each secondary site where you want to provide a local point of contact for clients to obtain computer and user policies.

Endpoint Protection point: A site system role that Configuration Manager uses to accept the Endpoint Protection license terms and to configure the default membership for Microsoft Active Protection Service.

Enrollment point: A site system role that uses PKI certificates to complete mobile device enrollment and to provision Intel AMT-based computers.

Enrollment proxy point: A site system role that manages enrollment requests from mobile devices so that they can be managed by Configuration Manager. This role provides Configuration Manager full management of mobile devices. To manage mobile devices that Configuration Manager cannot enroll but that connect to Microsoft Exchange Server, use the Exchange Server connector.

Out of band service point: A site system role that provisions and configures Intel AMT-based computers for out of band management.

Reporting services point: A site system role that integrates with SQL Server Reporting Services to create and manage reports for Configuration Manager. For more information, see Planning for Reporting in Configuration Manager.

Software update point: A site system role that integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients. For more information, see Planning for Software Updates in Configuration Manager.

State migration point: A site system role that stores user state data when a computer is migrated to a new operating system. For more information about storing user state when you deploy an operating system, see How to Manage the User State in Configuration Manager.
System Health Validator point: A site system role that validates Configuration Manager Network Access Protection (NAP) policies. It must be installed on a NAP health policy server.

Planning Where to Install Site System Roles in the Hierarchy
Before you install site system roles, identify the site types that can or cannot support specific site system roles, and how many instances of each site system role you can install at a site or across a hierarchy. You can install some site system roles at only the top-level site in a hierarchy. A top-level site can be a central administration site of a multi-primary site hierarchy, or a stand-alone primary site if your hierarchy consists of a single primary site with one or more secondary child sites. Additionally, some site system roles support only a single instance per hierarchy. However, most site system roles support multiple instances across the hierarchy and at individual sites.

Site System Role Placement in the Hierarchy
Use the following table to identify the site system roles that you can install at each type of site in a System Center 2012 Configuration Manager hierarchy, and whether the site system role provides functionality for its site only, or for the entire hierarchy. You can install any supported site system role on the site server computer or on a remote site system server at a central administration site or primary site. At a secondary site, only the distribution point is supported on a remote site system server.

Site system role | Central administration site | Child primary site | Stand-alone primary site | Secondary site | Site-specific or hierarchy-wide option
Application Catalog web service point | No | Yes | Yes | No | Hierarchy
Application Catalog website point | No | Yes | Yes | No | Hierarchy
Asset Intelligence synchronization point (1) | Yes | No | Yes | No | Hierarchy
Distribution point (2, 5) | No | Yes | Yes | Yes | Site
Fallback status point | No | Yes | Yes | No | Hierarchy
Management point (2, 3, 5) | No | Yes | Yes | Yes | Site
Endpoint Protection point | Yes | No | Yes | No | Hierarchy
Enrollment point | No | Yes | Yes | No | Site
Enrollment proxy point | No | Yes | Yes | No | Site
Out of band service point | No | Yes | Yes | No | Site
Reporting services point | Yes | Yes | Yes | No | Hierarchy
Software update point (4, 5) | Yes | Yes | Yes | Yes | Site
State migration point (5) | No | Yes | Yes | Yes | Site
System Health Validator point | Yes | Yes | Yes | No | Hierarchy

(1) Configuration Manager supports only a single instance of this site system role in a hierarchy.
(2) By default, when you install a secondary site, a management point and a distribution point are installed on the secondary site server.
(3) This role is required to support clients in Configuration Manager. Secondary sites do not support more than one management point, and this management point cannot support mobile devices that are enrolled by Configuration Manager. For more information about the site system roles that support clients in Configuration Manager, see Determine the Site System Roles for Client Deployment in Configuration Manager.
(4) When your hierarchy contains a central administration site, install a software update point at this site that synchronizes with Windows Server Update Services (WSUS) before you install a software update point at any child primary site. When you install software update points at a child primary site, configure them to synchronize with the software update point at the central administration site.
(5) At a secondary site, all site system roles must be located on the site server computer. The only exception is the distribution point. Secondary sites support installing distribution points on the site server computer and on remote computers.

Considerations for Placement of Site System Roles
Use the following table to help you decide where to install the site system roles.

Site system role: Considerations

Application Catalog website point: When the Application Catalog supports client computers on the Internet, as a security best practice, install the Application Catalog website point in a perimeter network and the Application Catalog web service point on the intranet.

Asset Intelligence synchronization point: Configuration Manager supports a single instance of this site system role in a hierarchy and only at the top-level site in the hierarchy.

Endpoint Protection point: Configuration Manager supports a single instance of this site system role in a hierarchy and only at the top-level site in the hierarchy.

Enrollment point: If a user enrolls mobile devices by using Configuration Manager and their Active Directory account is in a forest that is untrusted by the site server's forest, you must install an enrollment point in the user’s forest so that the user can be authenticated.

Enrollment proxy point: When you support mobile devices on the Internet, as a security best practice, install the enrollment proxy point in a perimeter network and the enrollment point on the intranet.

Fallback status point: Although you can install more than one fallback status point in a primary site, clients can be assigned to only one fallback status point and this assignment occurs during client installation:
- If you install clients by using client push installation, the first fallback status point that is installed for the site is automatically assigned to clients.
- If you have two fallback status points in the site so that one fallback status point accepts client connections from the Internet (for example, it is in a perimeter network), and the other fallback status point accepts client connections on the intranet only, assign the Internet-based clients to the Internet-based fallback status point.

Out of band service point: Install this site system to support out of band management for Intel AMT-based computers. In Configuration Manager, this site system must be installed in a primary site that also contains the enrollment point. The out of band service point cannot provision AMT-based computers in a different forest.

Software update point: Install this site system in the central administration site to synchronize with Windows Server Update Services and in all primary sites that use the Software Updates feature. Also consider installing a software update point in secondary sites when data transfer across the network is slow.

State migration point: Install this site system role in either a primary site or a secondary site. Consider installing a state migration point in secondary sites when data transfer across the network is slow.

Reporting services point: Install this site system role in the central administration site and at any primary site.
Note: A reporting services point installed in a primary site rather than a central administration site can display data from that primary site only.

Distribution point: Install this site system role in primary sites and secondary sites to distribute software to clients by using Background Intelligent Transfer Service (BITS), Windows BranchCache, multicast for operating system deployment, and streaming for application virtualization.
Planning for Database Servers in Configuration Manager
The site database server is a computer that runs a supported version of Microsoft SQL Server that stores information for Configuration Manager sites. Each site in a System Center 2012 Configuration Manager hierarchy contains a site database and a server that is assigned the site database server role. For central administration sites and primary sites, you can install SQL Server on the site server, or you can install SQL Server on a computer other than the site server. For secondary sites, you can use SQL Server Express instead of a full SQL Server installation; however, the database server must be co-located with the site server.

You can install the site database on the default instance of SQL Server, a named instance on a single computer running SQL Server, or on a named instance on a clustered instance of SQL Server. Typically, a site system server supports site system roles from only a single Configuration Manager site; however, you can use different instances of SQL Server, on clustered or non-clustered servers running SQL Server, to host a database from different Configuration Manager sites. To support databases from different sites, you must configure each instance of SQL Server to use unique ports for communication.

SQL Server Configurations for Database Servers
To successfully configure a SQL Server installation for use as a Configuration Manager site database server, ensure that the following required SQL Server configurations are specified. Also, be familiar with the optional configurations and planning for service principal names (SPNs), database server location planning, and how to modify the database configuration after a site has completed installation.

Prerequisites for Database Servers
Before you specify a computer to host the site database for any site, ensure that it meets the prerequisites for database servers.
Before installing SQL Server, you must be familiar with the Configurations for the SQL Server Site Database section of the Supported Configurations for Configuration Manager topic.

Database Server Locations
At a central administration site and at primary sites, you can co-locate the database server on the site server, or place it on a remote server. At secondary sites, the database server is always co-located on the secondary site server. If you use a remote database server computer, ensure the intervening network connection is a high-availability, high-bandwidth network connection. This is because the site server and some site system roles must constantly communicate with the SQL Server that is hosting the site database. Consider the following when you select a remote database server location:
- The amount of bandwidth required for communications to the database server depends upon a combination of many different site and client configurations; therefore, the actual bandwidth required cannot be adequately predicted.
- Each computer that runs the SMS Provider and that connects to the site database increases network bandwidth requirements.
- The computer that runs SQL Server must be located in a domain that has a two-way trust with the site server and all computers running the SMS Provider.
- You cannot use a clustered SQL Server for the site database server when the site database is co-located with the site server.

SQL Server Service Principal Names
A Service Principal Name (SPN) for the Configuration Manager site database server must be registered in Active Directory Domain Services for the SQL Server service account. The registered SPN lets SQL clients identify and authenticate the service by using Kerberos authentication. When you configure SQL Server to use the local system account to run SQL Server services, the SPN is automatically created in Active Directory Domain Services. When a local domain user account is in use, you must manually register the SPN for the account. Without registering the SPN for the SQL Server service account, SQL clients and other site systems are not able to perform Kerberos authentication, and communication to the database might fail.

Running the SQL Server service by using the local system account of the computer running SQL Server is not a SQL Server best practice. For the most secure operation of SQL Server site database servers, configure a low-rights domain user account to run the SQL Server service.
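A practical check for the SPN requirement above is to build the SPNs a Kerberos client will request for the site database (MSSQLSvc/fqdn:port, plus MSSQLSvc/fqdn for the default instance or MSSQLSvc/fqdn:instance for a named instance) and confirm they are registered on the SQL Server service account and on nothing else, since a duplicate SPN also breaks Kerberos. The following PowerShell is an added example, not part of the Configuration Manager documentation; it drives setspn.exe, which ships with the AD DS tools, and the server name, port, and service account are assumptions for illustration.

```powershell
# Added example: verify MSSQLSvc SPN registration for a Configuration Manager site
# database server. Requires setspn.exe (AD DS / RSAT tools) and rights to read AD.
# Host, port and account values are assumptions; replace them with your own.

function Get-ExpectedSqlSpn {
    param(
        [Parameter(Mandatory)][string]$SqlServerFqdn,
        [int]$Port = 1433,
        [string]$InstanceName   # leave empty for the default instance
    )
    # Kerberos clients request the port form; the instance or bare-host form is also expected.
    $spns = @("MSSQLSvc/${SqlServerFqdn}:$Port")
    if ($InstanceName) { $spns += "MSSQLSvc/${SqlServerFqdn}:$InstanceName" }
    else               { $spns += "MSSQLSvc/$SqlServerFqdn" }
    return $spns
}

function Test-SqlServiceSpn {
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,   # DOMAIN\account running the SQL Server service
        [Parameter(Mandatory)][string[]]$ExpectedSpn
    )
    # setspn -L prints the SPNs registered on the account, one per indented line.
    $registered = & setspn.exe -L $ServiceAccount 2>&1 |
        ForEach-Object { $_.ToString().Trim() } |
        Where-Object { $_ -like 'MSSQLSvc/*' }

    foreach ($spn in $ExpectedSpn) {
        # setspn -Q searches the forest for the SPN and prints the owning object(s) as CN= lines;
        # more than one owner means a duplicate, which makes Kerberos authentication fail.
        $owners = & setspn.exe -Q $spn 2>&1 |
            ForEach-Object { $_.ToString().Trim() } |
            Where-Object { $_ -like 'CN=*' }
        [pscustomobject]@{
            SPN                  = $spn
            RegisteredOnAccount  = ($registered -contains $spn)
            OwnerCount           = @($owners).Count
            Duplicate            = (@($owners).Count -gt 1)
        }
    }
}

# Usage with assumed values. If RegisteredOnAccount is $false and OwnerCount is 0,
# register the SPN with:  setspn -S <SPN> DOMAIN\svc_sql   (-S refuses to create a duplicate)
$expected = Get-ExpectedSqlSpn -SqlServerFqdn 'sqldb01.contoso.example' -Port 1433
Test-SqlServiceSpn -ServiceAccount 'CONTOSO\svc_sql' -ExpectedSpn $expected | Format-Table -AutoSize
```

Run this from a domain-joined host before installing the site, and again after a SQL Server service account change, because re-pointing the service to a new domain account leaves the old SPNs on the old account and none on the new one.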
For information about how to register the SPN when you use a domain user account, see How to Manage the SPN for SQL Server Site Database Servers in this documentation library.

About Modifying the Database Configuration
After you install a site, you can manage the configuration of the site database and site database server by running Setup on a central administration site server or primary site server. It is not supported to manage the database configuration for a secondary site. For more information about modifying the site database configuration, see Modify the Site Database Configuration in this documentation library.
Important
About Modifying the Database Server Alert Threshold
By default, Configuration Manager generates alerts when free disk space on a site database server is low. The defaults are set to generate a warning when there is 10 GB or less of free disk space, and a critical alert when there is 5 GB or less of free disk space. You can modify these values or disable alerts for each site. To change these settings:
1. In the Administration workspace, expand Site Configuration, and then click Sites.
2. Select the site that you want to configure and open that site’s Properties.
3. In the site’s Properties dialog box, select the Alert tab, and then edit the settings.
4. Click OK to close the site properties dialog box.

Planning for the SMS Provider in Configuration Manager
The SMS Provider is a Windows Management Instrumentation (WMI) provider that assigns read and write access to the Configuration Manager database at a site. The SMS Admins group provides access to the SMS Provider, and Configuration Manager automatically creates this security group on the site server and on each SMS Provider computer. You must have at least one SMS Provider in each central administration site and primary site. These sites also support the installation of additional SMS Providers. Secondary sites do not install the SMS Provider.

The Configuration Manager console, Resource Explorer, tools, and custom scripts use the SMS Provider so that Configuration Manager administrative users can access information that is stored in the database. The SMS Provider does not interact with Configuration Manager clients. The SMS Provider helps enforce Configuration Manager security. It returns only the information that the administrative user who is running the Configuration Manager console is authorized to view. When each computer that holds an SMS Provider for a site is offline, Configuration Manager consoles cannot connect to that site’s database.
Use the following sections in this topic to plan for the SMS Provider. For information about how to manage the SMS Provider, see Manage the SMS Provider Configuration for a Site.

SMS Provider Prerequisites
Before you install the SMS Provider on a computer, ensure that the computer meets the following prerequisites:
- The computer must be in a domain that has a two-way trust with the site server and the site database site systems.
- The computer cannot have a site system role from a different site.
- The computer cannot have an SMS Provider from any site.
Important
- The computer must run an operating system that is supported for a site server.
- The computer must have at least 650 MB of free disk space to support the Windows Automated Installation Kit (Windows AIK) components that are installed with the SMS Provider. For more information about Windows AIK and the SMS Provider, see the Windows Automated Installation Kit Requirements for the SMS Provider section in this topic.

About SMS Provider Locations
When you install a site, the installation automatically installs the first SMS Provider for the site. You can specify any of the following supported locations for the SMS Provider:
- The site server computer
- The site database computer
- A server-class computer that does not hold an SMS Provider, or a site system role from a different site

Each SMS Provider supports simultaneous connections from multiple requests. The only limitations on these connections are the number of server connections that are available on the SMS Provider computer, and the available resources on the SMS Provider computer to service the connection requests. After a site is installed, you can run Setup on the site server again to change the location of an existing SMS Provider, or to install additional SMS Providers at that site. You can install only one SMS Provider on a computer, and a computer cannot install an SMS Provider from more than one site. Use the following table to identify the advantages and disadvantages of installing an SMS Provider on each supported location.

Location: Configuration Manager site server
Advantages:
- The SMS Provider does not use the system resources of the site database computer.
- This location can provide better performance than an SMS Provider located on a computer other than the site server or site database computer.
Disadvantages:
- The SMS Provider uses system and network resources that could be dedicated to site server operations.

Location: SQL Server that is hosting the site database
Advantages:
- The SMS Provider does not use site system resources on the site server.
- This location can provide the best performance of the three locations, if sufficient server resources are available.
Disadvantages:
- The SMS Provider uses system and network resources that could be dedicated to site database operations.
- This location is not an option when the site database is hosted on a clustered instance of SQL Server.

Location: Computer other than the site server or site database computer
Advantages:
- The SMS Provider does not use site server or site database computer resources.
- This type of location lets you deploy additional SMS Providers to provide high availability for connections.
Disadvantages:
- SMS Provider performance might be reduced due to the additional network traffic that is required to coordinate with the site server and the site database computer.
- This server must always be accessible to the site database computer and all computers with the Configuration Manager console installed.
- This location can use system resources that would otherwise be dedicated to other services.

To view the locations of each SMS Provider that is installed at a site, view the General tab of the site Properties dialog box.

About SMS Provider Languages
The SMS Provider operates independently of the display language of the computer where it is installed. When an administrative user or Configuration Manager process requests data by using the SMS Provider, the SMS Provider attempts to return that data in a format that matches the operating system language of the requesting computer. The SMS Provider does not translate information from one language to another. Instead, when data is returned for display in the Configuration Manager console, the display language of the data depends on the source of the object and type of storage. When data for an object is stored in the database, the languages that will be available depend on the following:
- Objects that Configuration Manager creates are stored in the database by using support for multiple languages. The object is stored by using the languages that are configured at the site where the object is created when you run Setup. These objects are displayed in the Configuration Manager console in the display language of the requesting computer, when that language is available for the object. If the object cannot be displayed in the display language of the requesting computer, it is displayed in the default language, which is English.
- Objects that an administrative user creates are stored in the database by using the language that was used to create the object. These objects display in the Configuration Manager console in this same language. They cannot be translated by the SMS Provider and do not have multiple language options.

About Multiple SMS Providers
After a site completes installation, you can install additional SMS Providers for the site. To install additional SMS Providers, run Configuration Manager Setup on the site server. Consider installing additional SMS Providers when any of the following is true:
- You will have a large number of administrative users that run a Configuration Manager console and connect to a site at the same time.
- You will use the Configuration Manager SDK, or other products, that might introduce frequent calls to the SMS Provider.
- You want to ensure high availability for the SMS Provider.

When multiple SMS Providers are installed at a site and a connection request is made, the site non-deterministically assigns each new connection request to use an installed SMS Provider. You cannot specify the SMS Provider location to use with a specific connection session. Consider the advantages and disadvantages of each SMS Provider location and balance these considerations with the fact that you cannot control which SMS Provider will be used for each new connection. For example, when you first connect a Configuration Manager console to a site, the site assigns the connection to use a specific SMS Provider. This SMS Provider remains in use by the Configuration Manager console until the session ends.
If the session ends because the SMS Provider computer becomes unavailable on the network, when you reconnect the Configuration Manager console the site will non-deterministically assign an SMS Provider computer to the new connection session. It is possible to be assigned to the same SMS Provider computer that is not available. If this occurs, you can attempt to reconnect the Configuration Manager console until an available SMS Provider computer is assigned.

About the SMS Admins Group

You use the SMS Admins group to provide administrative users access to the SMS Provider. The group is automatically created on the site server when the site installs, and on each computer that installs an SMS Provider. Additional information about the SMS Admins group:
• When the computer is a member server, the SMS Admins group is created as a local group.
• When the computer is a domain controller, the SMS Admins group is created as a domain local group.

Note: When the SMS Provider is uninstalled from a computer, the SMS Admins group is not removed from the computer.

Before a user can make a successful connection to an SMS Provider, their user account must be a member of the SMS Admins group. Each administrative user that you configure in the Configuration Manager console is automatically added to the SMS Admins group on each site server and to each SMS Provider computer in the hierarchy. When you delete an administrative user from the Configuration Manager console, that user is removed from the SMS Admins group on each site server and on each SMS Provider computer in the hierarchy. After a user makes a successful connection to the SMS Provider, role-based administration determines what Configuration Manager resources that user can access or manage.

You can view and configure SMS Admins group rights and permissions by using the WMI Control MMC snap-in. By default, Everyone has Execute Methods, Provider Write, and Enable Account permissions. After a user connects to the SMS Provider, that user is granted access to data in the site database based on their role-based administrative security rights as defined in the Configuration Manager console. The SMS Admins group is explicitly granted Enable Account and Remote Enable on the Root\SMS namespace.

Each administrative user who uses a remote Configuration Manager console requires Remote Activation DCOM permissions on the site server computer and on the SMS Provider computer. Although you can grant these rights to any user or group, as best practice, grant them to the SMS Admins group to simplify administration. For more information, see the Configure DCOM Permissions for Remote Configuration Manager Console Connections section in the Manage Site and Hierarchy Configurations topic.

About the SMS Provider Namespace

The structure of the SMS Provider is defined by the WMI schema.
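The following PowerShell example is added here and is not part of the Configuration Manager documentation or product. It uses the SMS_ProviderLocation class in the Root\SMS namespace (described in the namespace table that follows) to list every SMS Provider registered for a site, and then checks whether a given account is a direct member of the SMS Admins group on each provider computer, which is the membership required before a console connection can succeed. It assumes the caller can query WMI on the site server and enumerate local groups on the provider computers; the site server name and account are placeholders.

```powershell
# Added example, not from the Configuration Manager documentation.
# Lists the SMS Providers for a site and reports whether an account is a direct
# member of the SMS Admins group on each provider computer.
function Test-SmsProviderAccess {
    param(
        [string] $SiteServer = 'cm01.contoso.local',   # placeholder: site server FQDN
        [string] $Account    = 'CONTOSO\cmadmin'       # placeholder: DOMAIN\user to check
    )
    # The WinNT provider reports local group members by account name only.
    $accountName = ($Account -split '\\')[-1]

    # Root\SMS\SMS_ProviderLocation holds one instance per SMS Provider per site.
    $providers = Get-WmiObject -ComputerName $SiteServer -Namespace 'Root\SMS' `
                               -Class 'SMS_ProviderLocation'

    foreach ($p in $providers) {
        # SMS Admins is a local group on a member server and a domain local group
        # on a domain controller; the WinNT provider resolves both by this path.
        $group   = [ADSI]"WinNT://$($p.Machine)/SMS Admins,group"
        $members = @($group.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })

        New-Object PSObject -Property @{
            SiteCode        = $p.SiteCode
            ProviderMachine = $p.Machine
            Namespace       = $p.NamespacePath
            # Direct membership only: members of nested groups are not expanded here.
            IsDirectMember  = ($members -contains $accountName)
            MemberCount     = $members.Count
        }
    }
}

Test-SmsProviderAccess | Format-Table SiteCode, ProviderMachine, Namespace, IsDirectMember, MemberCount -AutoSize
```

Membership in SMS Admins is only the first gate: a remote console also needs Remote Activation DCOM permission on the site server and provider computer, and role-based administration then decides what the connected user can see. This script checks neither of those, so a row showing IsDirectMember = True does not by itself prove that a remote console connection will succeed.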
Schema namespaces describe the location of Configuration Manager data within the SMS Provider schema. The following table contains some of the common namespaces that are used by the SMS Provider.

Namespace: Root\SMS\site_<site code>
  Description: The SMS Provider, which is extensively used by the Configuration Manager console, Resource Explorer, Configuration Manager tools, and scripts.
Namespace: Root\SMS\SMS_ProviderLocation
  Description: Provides the location of the SMS Provider computers for a site.
Namespace: Root\CIMv2
  Description: Location inventoried for WMI namespace information during hardware and software inventory.
Namespace: Root\CCM
  Description: Configuration Manager client configuration policies and client data.
Namespace: root\CIMv2\SMS
  Description: Location of inventory reporting classes that are collected by the inventory client agent. These settings are compiled by clients during computer policy evaluation and are based on the client settings configuration for the computer.

Windows Automated Installation Kit Requirements for the SMS Provider

The Windows Automated Installation Kit (Windows AIK) installs as a component of the SMS Provider, which enables you to use operating system deployment task functions by using the Configuration Manager console. When you manage operating system deployments, the Windows AIK allows the SMS Provider to complete various tasks, which include the following:
• View WIM file details
• Add driver files to existing boot images
• Create boot .ISO files

The Windows AIK installation can require up to 650 MB of free disk space on each computer that installs the SMS Provider. This high disk space requirement accommodates the installation of Windows PE boot images.

Planning for Custom Websites with Configuration Manager

Configuration Manager site system roles that require Microsoft Internet Information Services (IIS) also require a website to host the site system services. By default, site systems use the IIS website named Default Web Site on a site system server. However, you can use a custom website that has the name of SMSWEB. This option might be appropriate if you must run other web applications on the same server and their settings are either incompatible with Configuration Manager, or you want the additional resilience of using a separate website. In this scenario, these other applications continue to use the default IIS website, and Configuration Manager operations use the custom website.

Important: When you run other applications on a Configuration Manager site system, you increase the attack surface on that site system. As a security best practice, dedicate a server for the Configuration Manager site systems that require IIS.

You can use custom websites on all primary sites. When you use a custom website at a site, all client communications within the site are directed to use the custom website named SMSWEB on each site system instead of the default website on IIS. Additionally, site system roles that use IIS but do not accept client connections, such as the reporting services point, also use the SMSWEB website instead of the default website. For more information about which site systems require IIS, see Supported Configurations for Configuration Manager.

Before you configure a Configuration Manager site to use a custom website, you must manually create the custom website in IIS on each site system server that requires Internet Information Services (IIS) at that site. Because secondary sites are automatically configured to use a custom website when you enable this option on the parent site, you must also create a custom website in IIS on each secondary site system server that requires IIS. If you enable custom websites for one site, consider using custom websites for all sites in your hierarchy to ensure that clients can successfully roam within the hierarchy.
When you select or clear the check box to use a custom website for a site, the following site system roles that are installed on each site system server in the site are automatically uninstalled and reinstalled:
• Management point
• Distribution point
• Software update point
• Fallback status point
• State migration point

Site System Roles That Can Use Custom Websites

The following Configuration Manager site system roles require IIS and use the default or custom website on the site system server:
• Application Catalog web service point
• Application Catalog website point
• Distribution point
• Enrollment point
• Enrollment proxy point
• Fallback status point
• Management point
• Software update point
• State migration point
Custom Website Ports

When you create a custom website, you must assign port numbers to the custom website that differ from the port numbers that the default website uses. The default website and the custom website cannot run at the same time if both sites are configured to use the same TCP/IP ports.

After the site system roles are reinstalled, verify that the TCP/IP ports configured in IIS for the custom website match the client request ports for the site. For information about how to configure ports for client communication, see How to Configure Client Communication Port Numbers in Configuration Manager.

Switching Between Default Websites and Custom Websites

Although you can select or clear the check box to use a custom website at any time, if possible, configure this option as soon as the site is installed to minimize any disruptions to service continuity. When you make this site configuration change, plan for the site system roles that are automatically uninstalled and reinstalled with the new website and port configuration. You must also plan to manually uninstall and reinstall any site system roles that are not automatically reinstalled to use the new website and port configuration.

When you change from using the default website to use a custom website, Configuration Manager does not automatically remove the old virtual directories. If you want to remove the files that Configuration Manager used, you must manually delete the virtual directories that were created under the default website.

If you change the site option to use a custom website, clients that are assigned to the site must be configured to use the client request port that matches the new website port. For information about how to configure ports for client communication, see How to Configure Client Communication Port Numbers in Configuration Manager.
How to Create the Custom Website in Internet Information Services (IIS)

To use a custom website for a site, you must perform the following actions before you enable the option to use a custom website in Configuration Manager:
• Create the custom website in IIS for each site system server that requires IIS in the primary site and any child secondary sites.
• Name the custom website SMSWEB.
• Configure the custom website to respond to the same port that you configure for Configuration Manager client communication.

Important: When you change from using the default website and use a custom website, Configuration Manager adds the client request ports that are configured on the default website to the custom website. Configuration Manager does not remove these ports from the default website, and the ports are listed for both the default and custom website. IIS cannot start both websites when they are configured to operate on the same TCP/IP ports, and clients cannot contact the management point.

Use the information in the following procedures to help you configure the custom websites in IIS.

Note: The following procedures are for Internet Information Services (IIS) 7.0 on Windows Server 2008 R2. If you cannot use these procedures because your server has a different operating system version, refer to the IIS documentation for your operating system version.

To create a custom website in Internet Information Services (IIS)
1. On the computer that runs the Configuration Manager site system, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the Internet Information Services (IIS) Manager console, in the Connections pane, right-click the Sites node to select Add Web Site.
3. In the Add Web Site dialog box, enter SMSWEB in the Site name box.
   Important: SMSWEB is the required name for Configuration Manager custom websites.
4. In the Physical path box, specify the physical path to use for the website folder.
5. Specify the protocol and custom port for this website.
   • After you create the website, you can edit it to add additional website bindings for additional protocols.
   • When you configure the HTTPS protocol, you must specify an SSL certificate before you can save the configuration.
6. Click OK to create the custom website.

Remove the custom website ports from the default website in Internet Information Services (IIS)
1. In the Internet Information Services (IIS) Manager, edit the Bindings of the IIS website that has the duplicate ports (Default Web Site). Remove the ports that match the ports that are assigned to the custom website (SMSWEB).
2. Start the website (SMSWEB).
3. Restart the SMS_SITE_COMPONENT_MANAGER service on the site server.

See Also
Planning for Configuration Manager Sites and Hierarchy
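The two IIS procedures above, carried out with PowerShell as an added example; this script is not from the Configuration Manager documentation or product. It assumes the WebAdministration module that ships with IIS 7.x on Windows Server 2008 R2, runs on the site system server itself, and, when an HTTPS binding is requested, a server certificate already present in the computer's Personal store. The physical path, port numbers and certificate thumbprint are placeholders; the ports you choose must match the client request ports configured for the site.

```powershell
# Added example, not from the Configuration Manager documentation.
# Creates the SMSWEB custom website, removes the ports it uses from every other IIS
# site (Default Web Site in particular), starts SMSWEB and restarts the site component
# manager so that the IIS-based site system roles are reinstalled on the new website.
Import-Module WebAdministration

function Get-PortClashes {
    # Returns bindings on sites other than $SiteName that already use $Port.
    # IIS cannot start two sites bound to the same TCP/IP port, so these are the
    # bindings that would stop SMSWEB from starting.
    param([int] $Port, [string] $SiteName = 'SMSWEB')
    Get-Website | Where-Object { $_.Name -ne $SiteName } | ForEach-Object {
        $site = $_
        # bindingInformation looks like "*:80:" or "*:443:hostname"
        $site.bindings.Collection |
            Where-Object { $_.bindingInformation -match ":$Port:" } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Site     = $site.Name
                    Protocol = $_.protocol
                    Binding  = $_.bindingInformation
                }
            }
    }
}

function New-SmsWebSite {
    param(
        [string] $PhysicalPath   = 'D:\SMSWEB',   # placeholder website folder
        [int]    $HttpPort       = 8080,          # placeholder; must equal the site's HTTP client request port
        [int]    $HttpsPort      = 0,             # placeholder; 0 = no HTTPS binding
        [string] $CertThumbprint = ''             # placeholder; required when $HttpsPort is set
    )
    if (-not (Test-Path $PhysicalPath)) {
        New-Item -ItemType Directory -Path $PhysicalPath | Out-Null
    }

    # Procedure 1: create the site. SMSWEB is the required name.
    New-Website -Name 'SMSWEB' -PhysicalPath $PhysicalPath -Port $HttpPort | Out-Null
    if ($HttpsPort -ne 0) {
        New-WebBinding -Name 'SMSWEB' -Protocol https -Port $HttpsPort
        $sslPath = "IIS:\SslBindings\0.0.0.0!$HttpsPort"
        if (-not (Test-Path $sslPath)) {
            $cert = Get-Item "Cert:\LocalMachine\My\$CertThumbprint"
            New-Item -Path $sslPath -Value $cert | Out-Null
        }
    }

    # Procedure 2, step 1: remove the duplicate ports from the other sites.
    foreach ($port in @($HttpPort, $HttpsPort) | Where-Object { $_ -ne 0 }) {
        foreach ($clash in @(Get-PortClashes -Port $port)) {
            Remove-WebBinding -Name $clash.Site -Protocol $clash.Protocol `
                              -BindingInformation $clash.Binding
        }
    }

    # Procedure 2, steps 2 and 3: start SMSWEB, then restart the component manager.
    Start-Website -Name 'SMSWEB'
    Restart-Service -Name 'SMS_SITE_COMPONENT_MANAGER'

    # Return the resulting site so the caller can confirm it is Started.
    Get-Website | Where-Object { $_.Name -eq 'SMSWEB' } |
        Select-Object Name, State, PhysicalPath
}

# Example invocation with placeholder values.
New-SmsWebSite -PhysicalPath 'D:\SMSWEB' -HttpPort 8080
```

Run Get-PortClashes on its own before enabling the custom website option in the Configuration Manager console: any binding it returns for the ports you intend to use is exactly the condition under which IIS leaves SMSWEB stopped and clients lose contact with the management point. The script removes the colliding bindings from the other sites rather than changing SMSWEB, because clients are configured to use the SMSWEB ports.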
Planning for Content Management in Configuration Manager

Content management in System Center 2012 Configuration Manager provides the tools for you to manage content files for applications, packages, software updates, and operating system deployment. Configuration Manager uses distribution points to store files required for software to run on client computers. These distribution points function as distribution centers for the content files and let users download and run the software. Clients must have access to at least one distribution point from which they can download the files.

Use the following sections in this topic to help you plan how to manage content in your Configuration Manager hierarchy:
• Plan for Distribution Points
  • Distribution Point Configurations
  • Planning for Preferred Distribution Points and Fallback
  • Content Source Location
  • Network Connection Speed to the Content Source Location
  • On-Demand Content Distribution
  • Content Source Location Scenarios
  • Planning for BranchCache Support
  • Network Bandwidth Considerations for Distribution Points
  • Planning for Scheduling and Throttling
  • Determine Whether To Prestage Content
  • Determine the Distribution Point Infrastructure
• Plan for Distribution Point Groups

For information about the dependencies and supported configurations for content management, see Prerequisites for Content Management in Configuration Manager.

Plan for Distribution Points

When you plan for distribution points in your hierarchy, determine what distribution point attributes you must have in your environment, how to distribute the network and system load on the distribution point, and determine the distribution point infrastructure.

Distribution Point Configurations

Distribution points can have a number of different configurations. The following table describes the possible configurations.
Distribution point configuration: Preferred distribution point
  Description: You assign boundary groups to distribution points. The distribution points are preferred for clients that are within the boundary group for the distribution point, and the client uses preferred distribution points as the source location for content. When the content is not available on a preferred distribution point, the client uses another distribution point for the content source location. You can configure a distribution point to let clients not in the boundary groups use it as a fallback location for content.

Distribution point configuration: PXE
  Description: Enable the PXE option on a distribution point to enable operating system deployment for Configuration Manager clients. The PXE option must be configured to respond to PXE boot requests that Configuration Manager clients on the network make and then interact with the Configuration Manager infrastructure to determine the appropriate installation actions to take.
  Important: You can enable PXE only on a server that has Windows Deployment Services installed. When you enable PXE, Configuration Manager installs Windows Deployment Services on the distribution point site system if it is not already installed.

Distribution point configuration: Multicast
  Description: Enable the multicast option on a distribution point to use multicast when you distribute operating systems.
  Important: You can enable multicast only on a server that has Windows Deployment Services installed. When you enable multicast, Configuration Manager installs Windows Deployment Services on the distribution point site system if it is not already installed.

Distribution point configuration: Support for mobile devices
  Description: You must configure the distribution point to accept HTTPS communications to support mobile devices.

Distribution point configuration: Support for Internet-based clients
  Description: You must configure the distribution point to accept HTTPS communications to support Internet-based clients.

Distribution point configuration: Application Virtualization
  Description: Although there are no configuration requirements for the distribution point to enable streaming of virtual applications to clients, there are application management prerequisites that you must consider. For more information, see Prerequisites for Application Management in Configuration Manager.

Planning for Preferred Distribution Points and Fallback

When you create a distribution point, you have the option to assign boundary groups to the distribution point. The distribution points are preferred for clients that are within a boundary group that is assigned to the distribution point.

Content Source Location

When you deploy software to a client, the client sends a content request to a management point, the management point sends a list of the preferred distribution points to the client, and the client uses one of the preferred distribution points on the list as the source location for content. When the content is not available on a preferred distribution point, the management point sends a list to the client with distribution points that have the content available. The client uses one of the distribution points for the content source location. In the distribution point properties and in the properties for a deployment type or package, you can configure whether to enable clients to use a fallback source location for content. When a preferred distribution point does not have the content and the fallback settings are not enabled, the client fails to download the content, and the software deployment fails.
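An added PowerShell model of the content source selection just described; it is not code from the Configuration Manager documentation or product. It goes beyond this section by also taking the two settings introduced later in this topic, the deployment behavior for a slow network connection and on-demand content distribution, so that one function reproduces every cell of the Content Source Location Scenarios table. The distribution point names and the three scenario definitions are constructed for the example; the rule that a non-preferred distribution point always counts as a slow connection is taken from the Network Connection Speed section.

```powershell
# Added example, not from the Configuration Manager documentation.
# Models which content source a client ends up using, given what the management
# point knows about preferred and fallback distribution points and the deployment
# settings described in this topic.
function Resolve-ContentSource {
    param(
        [bool]   $ContentOnPreferredDP,   # content is available on a preferred distribution point
        [bool]   $ContentOnFallbackDP,    # content is available on a fallback distribution point
        [bool]   $AllowFallback,          # "Allow fallback source location for content"
        [ValidateSet('DoNotDownload', 'DownloadAndInstall')]
        [string] $SlowNetworkBehavior,    # deployment behavior when the connection is slow
        [bool]   $OnDemandDistribution    # "Distribute the content for this package to preferred distribution points"
    )

    $steps = New-Object System.Collections.ArrayList
    $flag  = if ($AllowFallback) { ' with the fallback-allowed flag' } else { '' }
    [void]$steps.Add("Client sends a content request to the management point$flag.")

    # The management point returns preferred distribution points that have the content,
    # and fallback distribution points only when the client asked for them.
    $preferredList = @(); if ($ContentOnPreferredDP) { $preferredList = @('PreferredDP') }   # constructed name
    $fallbackList  = @(); if ($AllowFallback -and $ContentOnFallbackDP) { $fallbackList = @('FallbackDP') }
    [void]$steps.Add("Location list returned: preferred=$($preferredList.Count), fallback=$($fallbackList.Count).")

    if ($preferredList.Count -gt 0) {
        $outcome = 'Downloaded from a preferred distribution point.'
    }
    elseif ($fallbackList.Count -gt 0 -and $SlowNetworkBehavior -eq 'DownloadAndInstall') {
        # A distribution point that is not preferred is always treated as a slow
        # connection, so the slow-network deployment setting decides here.
        $outcome = 'Downloaded from a fallback distribution point.'
    }
    else {
        $outcome = 'Content is not available; client enters retry mode and asks again every hour.'
    }
    [void]$steps.Add($outcome)

    # On-demand distribution fires whenever the content was missing from every
    # preferred distribution point, whether or not a fallback download happened.
    if ($OnDemandDistribution -and -not $ContentOnPreferredDP) {
        [void]$steps.Add('Management point triggers Distribution Manager to send the content to all preferred distribution points.')
        if ($outcome -like 'Content is not available*') {
            $outcome = 'Downloaded from a preferred distribution point on a later hourly retry, after on-demand distribution.'
            [void]$steps.Add($outcome)
        }
    }

    New-Object PSObject -Property @{ Outcome = $outcome; Steps = $steps.ToArray() }
}

# Constructed scenario definitions matching the three columns of the scenario table.
$scenarios = @(
    @{ Name = 'Scenario 1'; AllowFallback = $false; Slow = 'DoNotDownload' },   # slow setting is irrelevant without fallback
    @{ Name = 'Scenario 2'; AllowFallback = $true;  Slow = 'DoNotDownload' },
    @{ Name = 'Scenario 3'; AllowFallback = $true;  Slow = 'DownloadAndInstall' }
)

# Walk the rows: content on preferred / missing on preferred, with and without on-demand.
foreach ($onPreferred in $true, $false) {
    foreach ($onDemand in $false, $true) {
        foreach ($s in $scenarios) {
            $r = Resolve-ContentSource -ContentOnPreferredDP $onPreferred -ContentOnFallbackDP $true `
                     -AllowFallback $s.AllowFallback -SlowNetworkBehavior $s.Slow `
                     -OnDemandDistribution $onDemand
            '{0} (content on preferred={1}, on-demand={2}): {3}' -f $s.Name, $onPreferred, $onDemand, $r.Outcome
        }
    }
}
```

The Steps array on each result is the sequence the scenario table spells out in prose, which makes the function a quick way to check what a given combination of deployment settings means for a client at a site with no preferred distribution point holding the content. The case the table does not cover, content missing on both preferred and fallback distribution points, falls through to the retry outcome.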
Network Connection Speed to the Content Source Location

You can configure the network connection speed of each distribution point in an assigned boundary group. Clients use this value when they connect to the distribution point. By default, the network connection speed is configured as Fast, but it can also be configured as Slow. When the client uses a distribution point that is not preferred, the connection to the distribution point is automatically considered as slow. The network connection speed helps determine whether a client can download content from a distribution point. You can configure the deployment behavior for each network connection speed in the deployment properties for the specific software that you are deploying. You can choose to never install software when the network connection is considered slow, download and install the software, and so on.

On-Demand Content Distribution

You can select the Distribute the content for this package to preferred distribution points property for an application or package to enable on-demand content distribution to preferred distribution points. When enabled, the management point creates a trigger for Distribution Manager to distribute the content to all preferred distribution points in the list when a client requests the content for the package and the content is not available on any preferred distribution points. Depending on the scenario, the client might wait for the content to be available on a preferred distribution point, or it might download the content from a distribution point that is configured to enable a fallback location for content source.

Content Source Location Scenarios

When you deploy software to clients, the content source location that the client uses depends on the following settings:
• Allow fallback source location for content: This distribution point property enables clients to fall back and use the distribution point as the source location for content when the content is not available on a preferred distribution point.
• Deployment properties for network connection speed: The deployment properties for network speed are configured as a property for deployed objects, such as application deployment types, software updates, and task sequence deployments. There are different settings for the different deployment objects, but the properties can configure whether to download and install the software content when the network connection speed is configured as slow.
• Distribute the content for this package to preferred distribution points: When you select this application deployment type or package property, you enable on-demand content distribution to preferred distribution points.

The following table provides scenarios for different content location and fallback scenarios. The table has three columns, Scenario 1, Scenario 2, and Scenario 3; each row is shown here with the three scenario cells listed under it.

Fallback configuration and deployment behavior for slow network:
  Scenario 1: Allow Fallback: Not enabled. Deployment behavior for slow network: Any configuration.
  Scenario 2: Allow Fallback: Enabled. Deployment behavior for slow network: Do not download content.
  Scenario 3: Deployment - Fallback option: Enabled. Deployment behavior for slow network: Download and install content.

Distribution points are online and meet the following criteria:
• Content is available on a preferred distribution point.
• Content is available on a fallback distribution point.
• The package configuration for on-demand package distribution is not relevant in this scenario.
  Scenario 1: The client sends a content request to the management point. A content location list is returned to the client from the management point with the preferred distribution points that contain the content. The client downloads the content from a preferred distribution point on the list.
  Scenario 2: The client sends a content request to the management point. The client includes a flag with the request that indicates fallback distribution points are allowed. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that contain the content. The client downloads the content from a preferred distribution point on the list.
  Scenario 3: The client sends a content request to the management point. The client includes a flag with the request to indicate that fallback distribution points are allowed. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that contain the content. The client downloads the content from a preferred distribution point on the list.

Distribution points are online and meet the following criteria:
• Content is not available on a preferred distribution point.
• Content is available on a fallback distribution point.
• The package is not configured for on-demand package distribution.
  Scenario 1: The client sends a content request to the management point. A content location list is returned to the client from the management point with the preferred distribution points that have the content. There are no preferred distribution points in the list. The client fails with the message Content is not available and goes into retry mode. A new content request is started every hour.
  Scenario 2: The client sends a content request to the management point. The client includes a flag with the request that indicates fallback distribution points are allowed. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that have the content. There are no preferred distribution points that have the content, but at least one fallback distribution point has the content. The content is not downloaded because the deployment property for when the client is using a fallback distribution point is set to Do not download. The client fails with the message Content is not available and goes into retry mode. The client makes a new content request every hour.
  Scenario 3: The client sends a content request to the management point. The client includes a flag with the request that indicates fallback distribution points are allowed. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that have the content. There are no preferred distribution points that have the content, but at least one fallback distribution point has the content. The content is downloaded from a fallback distribution point on the list because the deployment property for when the client is using a fallback distribution point is set to Download and install the content.

Distribution points are online and meet the following criteria:
• Content is not available on a preferred distribution point.
• Content is available on a fallback distribution point.
• The package is configured for on-demand package distribution.
  Scenario 1: The client sends a content request to the management point. A content location list is returned to the client from the management point with the preferred distribution points that have the content. There are no preferred distribution points that have the content. The client fails with the message Content is not available and goes into retry mode. A new content request is made every hour. The management point creates a trigger for Distribution Manager to distribute the content to all preferred distribution points for the client that made the content request. Distribution Manager distributes the content to all preferred distribution points. A content request is initiated by the client to the management point every hour. A content location list is returned to the client from the management point with the preferred distribution points that have the content (in most cases the content is distributed to the preferred distribution points within the hour). The client downloads the content from a preferred distribution point on the list.
  Scenario 2: The client sends a content request to the management point. The client includes a flag with the request that indicates fallback distribution points are allowed. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that have the content. There are no preferred distribution points that have the content, but at least one fallback distribution point has the content. The content is not downloaded because the deployment property for when the client is using a fallback distribution point is set to Do not download. The client fails with the message Content is not available and goes into retry mode. The client makes a new content request every hour. The management point creates a trigger for Distribution Manager to distribute the content to all preferred distribution points for the client that made the content request. Distribution Manager distributes the content to all preferred distribution points. A content request is initiated by the client to the management point. A content location list is returned to the client from the management point with the preferred distribution points that have the content (typically the content is distributed to the preferred distribution points within the hour). The client downloads the content from a preferred distribution point on the list.
  Scenario 3: The client sends a content request to the management point. The client includes a flag with the request that indicates fallback distribution points are allowed. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that have the content. There are no preferred distribution points that have the content, but at least one fallback distribution point has the content. The content is downloaded from a fallback distribution point on the list because the deployment property for when the client is using a fallback distribution point is set to Download and install the content. The management point creates a trigger for Distribution Manager to distribute the content to all preferred distribution points for the client that made the content request. Distribution Manager distributes the content to all preferred distribution points.

Planning for BranchCache Support

Windows BranchCache has been integrated in Configuration Manager. You can configure the BranchCache settings on software deployments. When all the requirements for BranchCache are met, this feature enables clients at remote locations to obtain content from local clients that have a current cache of the content. For example, when the first BranchCache-enabled client computer requests content from a distribution point that is running Windows Server 2008 R2 and that has also been configured as a BranchCache server, the client computer downloads the content and caches it. This content is then made available for clients on the same subnet that request this same content, and these clients also cache the content. In this way, subsequent clients on the same subnet do not have to download content from the distribution point, and the content is distributed across multiple clients for future transfers. For more information about BranchCache support in Configuration Manager, see the BranchCache Feature Support section in the Supported Configurations for Configuration Manager topic.

Network Bandwidth Considerations for Distribution Points

To help you plan for the distribution point infrastructure in your hierarchy, consider the network bandwidth used for the content management process and what you can do to reduce the network bandwidth that is used.
When you create a package, change the source path for the content, or update content on the distribution point, the files are copied from the source path to the content library on the site server. Then, the content is copied from the content library on the site server to the content library on the distribution points. When content source files are updated, and the source files have already been distributed, Configuration Manager retrieves only the new or updated files, and then sends them to the distribution point. Scheduling and throttling controls can be configured for site-to-site communication and for communication between a site server and a remote distribution point. When network bandwidth between the site server and remote distribution point is limited even after you configure the schedule and throttling settings, you might consider prestaging the content on the distribution point.

Planning for Scheduling and Throttling

In Configuration Manager, you can configure a schedule and set specific throttling settings on remote distribution points that determine when and how content distribution is performed. Each remote distribution point can have different configurations that help address network bandwidth limitations from the site server to the remote distribution point. The controls used for scheduling and throttling to the remote distribution point are similar to the settings for a standard sender address, but in this case, the settings are used by a new component called Package Transfer Manager. Package Transfer Manager distributes content from a site server (primary site or secondary site) to a distribution point that is installed on a site system. The throttling settings are configured on the Rate Limits tab, and the scheduling settings are configured on the Schedule tab for a distribution point that is not on a site server.

Warning: The Rate Limits and Schedule tabs are displayed only in the properties for distribution points that are not installed on a site server.

For more information about configuring scheduling and throttling settings for a remote distribution point, see the Modify the Distribution Point Configuration Settings section in the Configuring Content Management in Configuration Manager topic.

Determine Whether To Prestage Content

Consider prestaging content for applications and packages in the following scenarios:

• Limited network bandwidth from the site server to distribution point: When scheduling and throttling do not satisfy your concerns about distributing content over the network to a remote distribution point, consider prestaging the content on the distribution point. Each distribution point has the Enable this distribution point for prestaged content setting that you can configure in the distribution point properties. When you enable this option, the distribution point is identified as a prestaged distribution point, and you can choose how to manage the content on a per-package basis. The following settings are available in the properties for an application, package, driver package, boot image, operating system installer, and image, and let you configure how content distribution is managed on remote distribution points that are identified as prestaged:
  • Automatically download content when packages are assigned to distribution points: Use this option when you have smaller packages where the scheduling and throttling settings provide enough control for content distribution.
  • Download only content changes to the distribution point: Use this option when you have an initial package that is possibly large, but you expect future updates to the content in the package to be generally smaller. For example, you might prestage Microsoft Office 2010 because the initial package size is over 700 MB and too large to send over the network. However, content updates to this package might be less than 10 MB and acceptable to distribute over the network. Another example might be driver packages where the initial package size is large, but incremental driver additions to the package might be small.
  • Manually copy the content in this package to the distribution point: Use this option for when you have large packages, with content such as an operating system, and never want to use the network to distribute the content to the distribution point. When you select this option, you must prestage the content on the distribution point.

  The preceding options are applicable on a per-package basis and are only used when a distribution point is identified as prestaged. Distribution points that have not been identified as prestaged ignore these settings, and content is always distributed over the network from the site server to the distribution points.

• Restore the content library on a site server: When a site server fails, information about packages and applications contained in the content library is restored to the site database as part of the restore process, but the content library files are not restored as part of the process. If you do not have a file system backup to restore the content library, you can create a prestaged content file from another site that contains the packages and applications that you have to have, and then extract the prestaged content file on the recovered site server.

For more information about site server backup and recovery, see the Planning for Backup and Recovery section in the Planning for Site Operations in Configuration Manager topic. For more information about prestaging content files, see the Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic.

Determine the Distribution Point Infrastructure

At least one distribution point is required at each site in the Configuration Manager hierarchy. By default, a primary site server is configured as a distribution point. However, assign this role to a remote site system and remove it from the site server if possible. This role assignment reduces the resource requirements and improves performance on the site server, and also assists in load balancing.

The distribution point site system role is automatically configured on the secondary site server when it is installed. However, the distribution point site system role is not required at secondary sites. Clients connect to distribution points at the parent primary site if one is not available at the secondary site.

As you configure your distribution points with assigned boundary groups, consider the physical location and network connection speed between the distribution point and site server
Consider the following to help you determine the appropriate number of distribution points to install at a site:

• The number of clients that might access the distribution point
• The configuration of the distribution point, such as PXE and multicast
• The network bandwidth that is available between clients and distribution points
• The size of the content that clients retrieve from the distribution point
• The setting for BranchCache, when enabled, lets clients at remote locations obtain content from local clients.

For more information about creating and configuring distribution points, see the Install and Configure the Distribution Point section in the Configuring Content Management in Configuration Manager topic.

Plan for Distribution Point Groups

Distribution point groups provide a logical grouping of distribution points for content distribution. When you distribute content to a distribution point group, all distribution points that are members of the distribution point group receive the content. If you add a distribution point to the distribution point group after an initial content distribution, the content is automatically distributed to the new distribution point member. You can add one or more distribution points from any site in the Configuration Manager hierarchy to the distribution point group. You can also add the distribution point to more than one distribution point group, to manage and monitor content from a central location for distribution points that span multiple sites.

You can also add a collection to distribution point groups, which creates an association, and then distribute content to the collection. When you distribute content to a collection, the content is assigned to all distribution point groups that are associated with the collection. The content is then distributed to all distribution points that are members of those distribution point groups.

Note: There are no restrictions on the number of distribution point groups that can be associated with a collection or the number of collections that can be associated with a distribution point group.

If you add a collection to a distribution point group, the distribution point group does not automatically receive content previously distributed to the associated collection. However, the distribution point group receives all new content that is distributed to the collection. After you distribute content to a collection, and then associate the collection to a new distribution point group, you must redistribute the content to the collection before the content is distributed to the new distribution point group.

For more information about creating and configuring distribution point groups, see the Create and Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic.
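An added model (not Configuration Manager code) of the ordering rule described above: a distribution point added to a group after a distribution receives the group's content automatically, while a collection associated with a group afterwards gets nothing until you redistribute. Group, collection, package and server names are constructed.

```python
"""Model of distribution point groups and their collection associations, showing
what content a distribution point holds after members and associations are
added in different orders. Added illustration, not Configuration Manager code;
group, collection, package and server names are constructed sample values."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ContentModel:
    groups: dict[str, set[str]] = field(default_factory=dict)         # group -> member DPs
    associations: dict[str, set[str]] = field(default_factory=dict)   # collection -> groups
    group_content: dict[str, set[str]] = field(default_factory=dict)  # group -> packages sent to it
    dp_content: dict[str, set[str]] = field(default_factory=dict)     # DP -> packages it holds

    def add_distribution_point(self, group: str, dp: str) -> None:
        """A member added after a distribution automatically receives the group's content."""
        self.groups.setdefault(group, set()).add(dp)
        self.dp_content.setdefault(dp, set()).update(self.group_content.get(group, set()))

    def associate_collection(self, collection: str, group: str) -> None:
        """Associating a collection does NOT back-fill content already distributed to
        the collection; only later distributions to the collection reach the group."""
        self.associations.setdefault(collection, set()).add(group)

    def distribute_to_group(self, package: str, group: str) -> None:
        self.group_content.setdefault(group, set()).add(package)
        for dp in self.groups.get(group, set()):
            self.dp_content.setdefault(dp, set()).add(package)

    def distribute_to_collection(self, package: str, collection: str) -> None:
        """Content distributed to a collection goes to every associated group."""
        for group in self.associations.get(collection, set()):
            self.distribute_to_group(package, group)

    def holders(self, package: str) -> set[str]:
        return {dp for dp, pkgs in self.dp_content.items() if package in pkgs}


def walkthrough() -> list[set[str]]:
    """Who holds the sample package after each step of the constructed scenario."""
    m = ContentModel()
    m.add_distribution_point("Branch-DPs", "dp1")
    m.add_distribution_point("Branch-DPs", "dp2")
    m.associate_collection("Branch Workstations", "Branch-DPs")
    m.distribute_to_collection("Office2010", "Branch Workstations")
    states = [m.holders("Office2010")]                          # {dp1, dp2}
    m.add_distribution_point("Branch-DPs", "dp3")               # new member: automatic
    states.append(m.holders("Office2010"))                      # {dp1, dp2, dp3}
    m.add_distribution_point("HQ-DPs", "dp9")
    m.associate_collection("Branch Workstations", "HQ-DPs")     # new association: no catch-up
    states.append(m.holders("Office2010"))                      # still {dp1, dp2, dp3}
    m.distribute_to_collection("Office2010", "Branch Workstations")  # redistribute
    states.append(m.holders("Office2010"))                      # {dp1, dp2, dp3, dp9}
    return states


if __name__ == "__main__":
    for step, holders in enumerate(walkthrough(), 1):
        print(step, sorted(holders))
```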
Supplemental Planning Topics for Content Management

Use the following topics to help you plan for content management in Configuration Manager:

• Prerequisites for Content Management in Configuration Manager
• Best Practices for Content Management in Configuration Manager

See Also

Planning for Configuration Manager Sites and Hierarchy

Planning for Boundaries and Boundary Groups in Configuration Manager

In System Center 2012 Configuration Manager, a boundary is a network location on the intranet that can contain one or more devices that you want to manage. Boundaries can be an IP subnet, Active Directory site name, IPv6 Prefix, or an IP address range, and the hierarchy can include any combination of these boundary types. To use a boundary, you must add the boundary to one or more boundary groups. Boundary groups are collections of boundaries. By using boundary groups, clients on the intranet can find an assigned site and locate content when they have to install software, such as applications, software updates, and operating system images.

When clients are on the Internet, or they are configured as Internet-only clients, they do not use boundary information. These clients cannot use automatic site assignment and always download content from any distribution point in their assigned site when the distribution point is configured to allow client connections from the Internet.

What’s New in Configuration Manager

Note: The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following items are new or have changed for boundaries since Configuration Manager 2007:

• Boundaries are no longer site specific, but defined once for the hierarchy, and they are available at all sites in the hierarchy.
• Each boundary must be a member of a boundary group before a device on that boundary can identify an assigned site, or a content server such as a distribution point.
• You no longer configure the network connection speed of each boundary. Instead, in a boundary group you specify the network connection speed for each site system server associated to the boundary group as a content location server.
Boundaries

Each boundary represents a network location in System Center 2012 Configuration Manager, and it is available from every site in your hierarchy. A boundary does not enable you to manage clients at the network location. To manage a client, the boundary must be a member of a boundary group.

Boundary Groups

Use boundary groups to manage your network locations. You must assign boundaries to boundary groups before you can use the boundary group. Boundary groups have the following functions:

• They enable clients to find a primary site for client assignment (automatic site assignment).
• They can provide clients with a list of available site systems that have content after you associate the distribution point and state migration point site system servers with the boundary group.

To support site assignment, you must configure the boundary group to specify an assigned site for clients to use during automatic site assignment. To support content location, you must specify one or more site systems. You can only specify site systems with the distribution point or state migration point site system role. Both the site assignment and content location configurations are optional for boundary groups.

When you plan for boundary groups, consider creating one set of boundary groups for content location and a second set of boundary groups for automatic site assignment. This separation can help you avoid overlapping boundaries for site assignment. When you have overlapping boundaries and use automatic site assignment, the site to which a client is assigned is nondeterministic.

The following sections contain information to consider when you configure boundary groups.

Site Assignment

You can configure each boundary group with an assigned site for clients. Clients join the assigned site of a boundary group that contains the client’s current network location. When a boundary is added to multiple boundary groups that have different assigned sites, clients will nondeterministically select one of the sites. System Center 2012 Configuration Manager does not support this overlapping boundary configuration for site assignment.

If you make a change to the site assignment configuration of a boundary group, only new site assignment actions are affected. Clients that have previously been assigned to a site do not re-evaluate their site assignment based on changes to the configuration of a boundary group.

For more information about client site assignment, see How to Assign Clients to a Site in Configuration Manager.
Content Location

You can associate one or more distribution points and one or more state migration points with each boundary group. You can also associate a distribution point or state migration point with multiple boundary groups.

During software distribution, clients request a location for deployment content. Configuration Manager sends the client a list of distribution points that are associated with each boundary group that includes the current network location of the client.

During operating system deployment, clients request a location to send or receive their state migration information. Configuration Manager sends the client a list of state migration points that are associated with each boundary group that includes the current network location of the client. This behavior enables the client to select the nearest server from which to transfer the content or state migration information.

Overlapping Boundaries

System Center 2012 Configuration Manager supports overlapping boundary configurations for content location. When a client requests content, and the client network location belongs to multiple boundary groups, Configuration Manager sends the client a list of all distribution points that have the content.

When a client requests a server to send or receive its state migration information, and the client network location belongs to multiple boundary groups, Configuration Manager sends the client a list of all state migration points that are associated with a boundary group that includes the current network location of the client. This behavior enables the client to select the nearest server from which to transfer the content or state migration information.

Network Connection Speed

You can configure the network connection speed of each distribution point in a boundary group. Clients use this value when they connect to the distribution point. By default, the network connection speed is configured as Fast, but it can also be configured as Slow. The network connection speed and the deployment configuration determine whether a client can download content from a distribution point when the client is in an associated boundary group.

See Also

Planning for Configuration Manager Sites and Hierarchy
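An added Python model, not Configuration Manager code, of the boundary group behavior described in the Boundary Groups sections above: content location returns the union of distribution points (with their Fast or Slow speed) from every group that includes the client's location, while a location that falls in groups with different assigned sites is reported as the unsupported overlap rather than resolved. Site codes, subnets, the AD site name and server names are constructed; how a conflicting speed for one server across two groups is resolved is an assumption noted in the code.

```python
"""Model of Configuration Manager boundary groups: which distribution points a
client is offered (content location) and which site it joins (site assignment)
for a given network location, including the overlapping-boundary cases.

Added illustration, not Configuration Manager code; site codes, subnets, AD site
names and server names are constructed sample values."""
from __future__ import annotations
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Boundary:
    """One network location: kind is 'subnet', 'range' or 'adsite'."""
    kind: str
    value: str

    def contains(self, client_ip: str, client_ad_site: str | None = None) -> bool:
        if self.kind == "subnet":
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(self.value, strict=False)
        if self.kind == "range":
            low, high = (ipaddress.ip_address(p.strip()) for p in self.value.split("-"))
            return low <= ipaddress.ip_address(client_ip) <= high
        if self.kind == "adsite":
            return client_ad_site is not None and client_ad_site.lower() == self.value.lower()
        raise ValueError(f"unknown boundary kind {self.kind!r}")


@dataclass
class BoundaryGroup:
    name: str
    boundaries: list[Boundary]
    assigned_site: str | None = None                   # optional: site assignment
    distribution_points: dict[str, str] = field(default_factory=dict)  # server -> "Fast"/"Slow"

    def matches(self, client_ip: str, client_ad_site: str | None = None) -> bool:
        return any(b.contains(client_ip, client_ad_site) for b in self.boundaries)


def content_location(groups, client_ip, client_ad_site=None) -> dict[str, str]:
    """Distribution points offered to the client: the union over every boundary
    group that includes its location (overlap is supported for content).
    Assumption: if two groups list the same server, the first speed seen is kept."""
    servers: dict[str, str] = {}
    for group in groups:
        if group.matches(client_ip, client_ad_site):
            for server, speed in group.distribution_points.items():
                servers.setdefault(server, speed)
    return servers


def site_assignment(groups, client_ip, client_ad_site=None) -> tuple[list[str], bool]:
    """(candidate site codes, deterministic). More than one code means the location
    lies in boundary groups with different assigned sites, which the real client
    resolves nondeterministically and which is not a supported configuration."""
    sites = {g.assigned_site for g in groups
             if g.assigned_site and g.matches(client_ip, client_ad_site)}
    return sorted(sites), len(sites) <= 1


def can_download(speed: str, download_on_slow: bool) -> bool:
    """Whether a deployment may download from a DP at this connection speed:
    Fast always; Slow only when the deployment allows downloads on slow networks."""
    return speed == "Fast" or download_on_slow


# Constructed sample hierarchy: one set of groups for content, one for assignment,
# plus one deliberate assignment overlap on the lab subnet.
SAMPLE_GROUPS = [
    BoundaryGroup("Seattle-Content", [Boundary("subnet", "10.1.0.0/16")],
                  distribution_points={"dp1.contoso.com": "Fast"}),
    BoundaryGroup("Seattle-Lab-Content", [Boundary("range", "10.1.50.0-10.1.50.255")],
                  distribution_points={"dp2.contoso.com": "Slow"}),
    BoundaryGroup("Seattle-Assignment", [Boundary("adsite", "Seattle")], assigned_site="PS1"),
    BoundaryGroup("Lab-Assignment", [Boundary("subnet", "10.1.50.0/24")], assigned_site="PS2"),
]

if __name__ == "__main__":
    for ip, ad_site in (("10.1.7.3", "Seattle"), ("10.1.50.10", "Seattle"), ("192.168.1.1", None)):
        print(ip, content_location(SAMPLE_GROUPS, ip, ad_site),
              site_assignment(SAMPLE_GROUPS, ip, ad_site))
```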
Planning for Security in Configuration Manager

This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide.

Use the following information to help you plan for security in Microsoft System Center 2012 Configuration Manager.

• Planning for Certificates (Self-Signed and PKI)
• Planning for PKI Certificate Revocation
• Planning for the PKI Trusted Root Certificates and the Certificate Issuers List
• Planning for PKI Client Certificate Selection
• Planning a Transition Strategy for PKI Certificates and Internet-Based Client Management
• Planning for the Trusted Root Key
• Planning for Signing and Encryption
• Planning for Role-Based Administration

In addition to these sections, see Security and Privacy for Site Administration in Configuration Manager. For additional information about how Configuration Manager uses certificates and cryptographic controls, see Technical Reference for Cryptographic Controls Used in Configuration Manager.

Planning for Certificates (Self-Signed and PKI)

Configuration Manager uses a combination of self-signed certificates and public key infrastructure (PKI) certificates.

As a security best practice, use PKI certificates whenever possible. For more information about the PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager. When Configuration Manager requests the PKI certificates, such as during enrollment for mobile devices and AMT provisioning, you must use Active Directory Domain Services and an enterprise certification authority. For all other PKI certificates, you must deploy and manage them independently from Configuration Manager.

PKI certificates are also required when client computers connect to Internet-based site systems, and they are recommended to be used when clients connect to site systems that run Internet Information Services (IIS).
For more information about client communication, see Planning for Client Communication in Configuration Manager.

When you use a PKI, you can also use IPsec to help secure the server-to-server communication between site systems in a site and between sites, and for any other scenario when you transfer data between computers. You must configure and implement IPsec independently from Configuration Manager.

Configuration Manager can automatically generate self-signed certificates when PKI certificates are not available, and some certificates in Configuration Manager are always self-signed. In most cases, Configuration Manager automatically manages the self-signed certificates, and you do not have to take additional action. One possible exception is the site server signing certificate. The site server signing certificate is always self-signed, and it ensures that the client policies that clients download from the management point were sent from the site server and were not tampered with.

Planning for the Site Server Signing Certificate (Self-Signed)

Clients can securely obtain a copy of the site server signing certificate from Active Directory Domain Services and from client push installation. If clients cannot obtain a copy of the site server signing certificate by using one of these mechanisms, as a security best practice, install a copy of the site server signing certificate when you install the client. This is especially important if the client’s first communication with the site is from the Internet, because the management point is connected to an untrusted network and therefore, vulnerable to attack. If you do not take this additional step, clients automatically download a copy of the site server signing certificate from the management point.

Scenarios when clients cannot securely obtain a copy of the site server certificate include the following:

• You do not install the client by using client push, and any of the following conditions is true:
  • The Active Directory schema is not extended for Configuration Manager.
  • The client’s site is not published to Active Directory Domain Services.
  • The client is from an untrusted forest or a workgroup.
• You install the client when it is on the Internet.

Use the following procedure to install clients together with a copy of the site server signing certificate.

To install clients with a copy of the site server signing certificate

1. Locate the site server signing certificate on the client’s primary site server. The certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate.
2. Export the certificate without the private key, store the file securely, and only access it from a secured channel (for example, by using SMB signing or IPsec).
3. Install the client by using the Client.msi property SMSSIGNCERT=<Full path and file name> with CCMSetup.exe.
Planning for PKI Certificate Revocation

When you use PKI certificates with Configuration Manager, plan for how and whether clients and servers will use a certificate revocation list (CRL) to verify the certificate on the connecting computer. The certificate revocation list (CRL) is a file that is created and signed by a certification authority (CA) and contains a list of certificates that it has issued, but revoked. Certificates can be revoked by a CA administrator, for example, if an issued certificate is known or suspected to be compromised.

Because the location of the CRL is added to a certificate when it is issued by a CA, ensure that you plan for the CRL before you deploy any PKI certificates that Configuration Manager will use.

By default, IIS always checks the CRL for client certificates, and you cannot change this configuration in Configuration Manager. By default, Configuration Manager clients always check the CRL for site systems; however, you can disable this setting by specifying a site property and by specifying a CCMSetup property. When you manage Intel AMT-based computers out of band, you can also enable CRL checking for the out of band service point and for computers that run the Out of Band Management console.

If computers use certificate revocation checking but they cannot locate the CRL, they behave as if all certificates in the certification chain are revoked because their absence from the list cannot be verified. In this scenario, all connections that require certificates and use a CRL fail.

Checking the CRL every time that a certificate is used offers more security against using a certificate that has been revoked, but it introduces a connection delay and additional processing on the client. You are more likely to require this additional security check when clients are on the Internet or on an untrusted network.

Important: Consult your PKI administrators before you decide whether Configuration Manager clients must check the CRL, and then consider keeping this option enabled in Configuration Manager when both of the following conditions are true:

• Your PKI infrastructure supports a CRL, and it is published where all Configuration Manager clients can locate it. Remember that this might include clients on the Internet if you are using Internet-based client management, and clients in untrusted forests.
• The requirement to check the CRL for each connection to a site system configured to use a PKI certificate is larger than the requirement for faster connections and efficient processing on the client, and is also larger than the risk of clients failing to connect to servers if they cannot locate the CRL.

Planning for the PKI Trusted Root Certificates and the Certificate Issuers List

If your IIS site systems use PKI client certificates for client authentication over HTTP or for client authentication and encryption over HTTPS, you might have to import root CA certificates as a site property. The two scenarios are as follows:
• You deploy operating systems by using Configuration Manager, and the management points only accept HTTPS client connections.
• You use PKI client certificates that do not chain to a root certification authority (CA) certificate that is trusted by management points.

When you issue client PKI certificates from the same CA hierarchy that issues the server certificates that you use for management points, you do not have to specify this root CA certificate. However, if you use multiple CA hierarchies and you are not sure whether they trust each other, import the root CA for the clients’ CA hierarchy.

If you must import root CA certificates for Configuration Manager, export them from the issuing CA or from the client computer. If you export the certificate from the issuing CA that is also the root CA, ensure that the private key is not exported. Store the exported certificate file in a secured location to prevent tampering. You must be able to access the file when you configure the site, so that if you access the file over the network, ensure that the communication is protected from tampering by using SMB signing or IPsec.

If any of the root CA certificates that you import are renewed, you must import the renewed certificates.

These imported root CA certificates and the root CA certificate of each management point create the certificate issuers list that Configuration Manager computers use in the following ways:

• When clients connect to management points, the management point verifies that the client certificate chains to a trusted root certificate in the site’s certificate issuers list. If it does not, the certificate is rejected, and the PKI connection fails.
• When clients select a PKI certificate, if they have a certificate issuers list, they select a certificate that chains to a trusted root certificate in the certificate issuers list. If there is no match, the client does not select a PKI certificate.

For more information about the client certificate process, see the Planning for PKI Client Certificate Selection section in this topic.

Independently from the site configuration, you might also have to import a root CA certificate when you enroll mobile devices, and when you provision Intel AMT-based computers for wireless networks.

Planning for PKI Client Certificate Selection

If your IIS site systems will use PKI client certificates for client authentication over HTTP or for client authentication and encryption over HTTPS, plan for how clients will select the certificate to use for Configuration Manager.

In many cases, the default configuration and behavior will be sufficient. The Configuration Manager client filters multiple certificates by using the following criteria:

1. The certificate issuers list: The certificate chains to a root CA that is trusted by the management point.
2. The certificate is in the default certificate store of Personal.
3. The certificate is valid, not revoked, and not expired.
4. The certificate has client authentication capability, or it is issued to the computer name.
5. The certificate has the longest validity period.

Clients can be configured to use the certificate issuers list by using the following mechanisms:

• It is published as Configuration Manager site information to Active Directory Domain Services.
• Clients are installed by using client push.
• Clients download it from the management point after they are successfully assigned to their site.
• It is specified during client installation, as a CCMSetup client.msi property of CCMCERTISSUERS.

If clients do not have the certificate issuers list when they are first installed and are not yet assigned to the site, they skip this check. When they do have the certificate issuers list and do not have a PKI certificate that chains to a trusted root certificate in the certificate issuers list, certificate selection fails, and clients do not continue with the other certificate selection criteria.

In most cases, the Configuration Manager client correctly identifies a unique and appropriate PKI certificate to use. However, when this is not the case, instead of selecting the certificate based on the client authentication capability, you can configure two alternative selection methods:

• A partial string match on the client certificate Subject name. This is a case-insensitive match that is appropriate if you are using the fully qualified domain name (FQDN) of a computer in the subject field and want the certificate selection to be based on the domain suffix, for example contoso.com. However, you can use this selection method to identify any string of sequential characters in the certificate Subject name that differentiate the certificate from others in the client certificate store. You cannot use the partial string match with the Subject Alternative Name (SAN) as a site setting.

  Note: Although you can specify a partial string match for the SAN by using CCMSetup, it will be overwritten by the site properties in the following scenarios:
  • Clients retrieve site information that is published to Active Directory Domain Services.
  • Clients are installed by using client push installation.
  Use a partial string match in the SAN only when you install clients manually, and when they do not retrieve site information from Active Directory Domain Services. For example, these conditions apply to Internet-only clients.

• A match on the client certificate Subject name attribute values or the Subject Alternative Name (SAN) attribute values. This is a case-sensitive match that is appropriate if you are using an X500 distinguished name or equivalent OIDs (Object Identifiers) in compliance with RFC 3280, and you want the certificate selection to be based on the attribute values. You can specify only the attributes and their values that you require to uniquely identify or validate the certificate and differentiate the certificate from others in the certificate store.

The following table shows the attribute values that Configuration Manager supports for the client certificate selection criteria.

OID Attribute                Distinguished name attribute   Attribute definition
0.9.2342.19200300.100.1.25   DC                             Domain component
1.2.840.113549.1.9.1         E or E-mail                    E-mail address
2.5.4.3                      CN                             Common name
2.5.4.4                      SN                             Subject name
2.5.4.5                      SERIALNUMBER                   Serial number
2.5.4.6                      C                              Country code
2.5.4.7                      L                              Locality
2.5.4.8                      S or ST                        State or province name
2.5.4.9                      STREET                         Street address
2.5.4.10                     O                              Organization name
2.5.4.11                     OU                             Organizational unit
2.5.4.12                     T or Title                     Title
2.5.4.42                     G or GN or GivenName           Given name
2.5.4.43                     I or Initials                  Initials
2.5.29.17                    (no value)                     Subject Alternative Name

If more than one appropriate certificate is located after the selection criteria is applied, you can override the default configuration to select the certificate with the longest validity period and instead, specify that no certificate is selected. In this scenario, the client will not be able to communicate with IIS site systems by using a PKI certificate. The client sends an error message to its assigned fallback status point to alert you to the certificate selection failure so that you can modify or refine your certificate selection criteria. The client behavior then depends on whether the failed connection was over HTTPS or HTTP:

• If the failed connection was over HTTPS: The client tries to make a connection over HTTP and uses the client self-signed certificate.
• If the failed connection was over HTTP: The client tries to make another connection over HTTP by using the self-signed client certificate.

To help identify a unique PKI client certificate, you can also specify a custom store, other than the default of Personal in the Computer store. However, you must create this store independently from Configuration Manager and must be able to deploy certificates to this custom store and renew them before the validity period expires.
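The selection chain described in this section, from the certificate issuers list through the attribute table, as an added Python model that is not the Configuration Manager client's own code. The certificates, root CA names, the pc1.contoso.com host and the subset of table attributes it knows are constructed assumptions, and the "issued to the computer name" test is modeled as a Common Name comparison.

```python
"""Model of the Configuration Manager client's PKI certificate selection: issuers
list, store, validity, client-authentication capability (or one of the two
alternative selection methods), then longest validity period or no selection.
Added illustration, not the client's own code; certificates, root CA names and
host names are constructed sample values."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"
# Subset of the supported-attribute table above: short name -> OID.
ATTRIBUTE_OIDS = {"DC": "0.9.2342.19200300.100.1.25", "E": "1.2.840.113549.1.9.1",
                  "CN": "2.5.4.3", "SERIALNUMBER": "2.5.4.5", "C": "2.5.4.6",
                  "L": "2.5.4.7", "ST": "2.5.4.8", "O": "2.5.4.10", "OU": "2.5.4.11"}


def attribute_oid(name: str) -> str:
    """Accept a short name from the table or a dotted OID."""
    return name if name[:1].isdigit() else ATTRIBUTE_OIDS[name.upper()]


def parse_pairs(text: str) -> set[tuple[str, str]]:
    """'CN=pc1, OU=Lab' -> {('2.5.4.3', 'pc1'), ('2.5.4.11', 'Lab')}. Simplified:
    no escaped commas, and keys outside the table (e.g. DNS=) are ignored."""
    pairs = set()
    for part in text.split(","):
        key, _, value = part.strip().partition("=")
        if key[:1].isdigit() or key.upper() in ATTRIBUTE_OIDS:
            pairs.add((attribute_oid(key), value))
    return pairs


@dataclass
class Cert:
    subject: str                  # X.500 distinguished name
    root_ca: str                  # root CA the certificate chains to
    not_before: datetime
    not_after: datetime
    ekus: set[str] = field(default_factory=set)
    san: str = ""                 # SAN entries written 'attr=value, attr=value'
    store: str = "Personal"
    revoked: bool = False         # stands in for the CRL check

    def validity(self) -> timedelta:
        return self.not_after - self.not_before

    def common_name(self) -> str:
        return next((v for k, v in parse_pairs(self.subject) if k == "2.5.4.3"), "")


def select_client_certificate(certs, computer_name, now, issuers_list=None, store="Personal",
                              subject_contains=None, attributes=None, none_if_multiple=False):
    """Return (selected Cert or None, reason)."""
    # 1. Issuers list: applied only when the client has one; no match ends selection.
    if issuers_list is not None:
        certs = [c for c in certs if c.root_ca in issuers_list]
        if not certs:
            return None, "no certificate chains to a root in the certificate issuers list"
    # 2. Configured store (Personal by default).  3. Valid, not revoked, not expired.
    certs = [c for c in certs if c.store == store
             and not c.revoked and c.not_before <= now <= c.not_after]
    # 4. Client authentication capability or issued to the computer name, unless an
    #    alternative selection method replaces this step.
    if subject_contains is not None:      # case-insensitive partial match, Subject only
        certs = [c for c in certs if subject_contains.lower() in c.subject.lower()]
    elif attributes:                      # case-sensitive attribute values, Subject or SAN
        wanted = {(attribute_oid(k), v) for k, v in attributes.items()}
        certs = [c for c in certs if wanted <= parse_pairs(c.subject) | parse_pairs(c.san)]
    else:
        certs = [c for c in certs if CLIENT_AUTH_EKU in c.ekus
                 or c.common_name().lower() == computer_name.lower()]
    if not certs:
        return None, "no certificate met the selection criteria"
    # 5. Several candidates: longest validity period, unless overridden to select none.
    if len(certs) > 1 and none_if_multiple:
        return None, "more than one certificate matched and the override selects none"
    return max(certs, key=Cert.validity), "selected"


NOW = datetime(2012, 6, 1)
SAMPLE_CERTS = [   # all issued to the same computer; index 1 has the longest validity
    Cert("CN=pc1.contoso.com, OU=Workstations, DC=contoso, DC=com", "Contoso Root CA",
         datetime(2012, 1, 1), datetime(2013, 1, 1), {CLIENT_AUTH_EKU}),
    Cert("CN=pc1.contoso.com, OU=Workstations, DC=contoso, DC=com", "Contoso Root CA",
         datetime(2012, 3, 1), datetime(2014, 3, 1), {CLIENT_AUTH_EKU}),
    Cert("CN=pc1.contoso.com, OU=Servers, DC=contoso, DC=com", "Partner Root CA",
         datetime(2012, 1, 1), datetime(2013, 1, 1), {CLIENT_AUTH_EKU}, san="E=admin@contoso.com"),
    Cert("CN=pc1.contoso.com, OU=Workstations, DC=contoso, DC=com", "Contoso Root CA",
         datetime(2010, 1, 1), datetime(2011, 1, 1), {CLIENT_AUTH_EKU}),   # expired
]
```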
Planning a Transition Strategy for PKI Certificates and Internet-Based Client Management

The flexible configuration options in Configuration Manager let you gradually transition clients and the site to use PKI certificates to help secure client endpoints. PKI certificates provide better security and enable clients to be managed when they are on the Internet.

Because of the number of configuration options and choices in Configuration Manager, there is no single way to transition a site so that all clients use HTTPS connections. However, you can follow these steps as guidance:

1. Install the Configuration Manager site and configure it so that site systems accept client connections over HTTPS and HTTP.
2. Configure the Client Computer Communication tab in the site properties so that the Site System Settings is HTTP or HTTPS, and select the Use PKI client certificate (client authentication capability) when available check box. Configure any other settings from this tab that you require. For more information, see the Configure Settings for Client PKI Certificates section in the Configuring Security for Configuration Manager topic.
3. Pilot a PKI rollout for client certificates. For an example deployment, see the Deploying the Client Certificate for Computers section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.
4. Install clients by using the client push installation method. For more information, see the How to Install Configuration Manager Clients by Using Client Push section in the How to Install Clients on Computers in Configuration Manager topic.
5. Monitor client deployment and status by using the reports and information in the Configuration Manager console. For more information, see How to Monitor Database Replication and SQL Server Status for Database Replication.
6. Track how many clients are using a client PKI certificate by viewing the Client Certificate column in the Assets and Compliance workspace, Devices node. You can also deploy the Configuration Manager HTTPS Readiness Assessment Tool (cmHttpsReadiness.exe) to computers and use the reports to view how many computers can use a client PKI certificate with Configuration Manager. When the Configuration Manager client installs on client computers, the cmHttpsReadiness.exe tool is installed in the %windir%\CCM folder. When you run this tool on clients, you can specify the following options:
   • /Store:<name>
   • /Issuers:<list>
   • /Criteria:<criteria>
   • /SelectFirstCert
   These options map to the CCMCERTSTORE, CCMCERTISSUERS, CCMCERTSEL, and CCMFIRSTCERT Client.msi properties, respectively. For more information about these options, see About Client Installation Properties in Configuration Manager.
7. When you are confident that a sufficient number of clients are successfully using their client PKI certificate for authentication over HTTP, do the following:
   a. Deploy a PKI web server certificate to a member server that will run an additional management point for the site, and configure that certificate in IIS. For more information, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.
   b. Install the management point role on this server and configure the Client connections option in the management point properties for HTTPS.
8. Monitor and verify that clients that have a PKI certificate use the new management point by using HTTPS. You can use IIS logging or performance counters to verify this.
9. Reconfigure other site system roles to use HTTPS client connections. If you want to manage clients on the Internet, ensure that site systems have an Internet FQDN, and configure individual management points and distribution points to accept client connections from the Internet. Before you configure site system roles to accept connections from the Internet, review the planning information and prerequisites for Internet-based client management. For more information, see the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic.
10. Extend the PKI certificate rollout for clients and for site systems that run IIS, and configure the site system roles for HTTPS client connections and Internet connections, as required.
11. For the highest security: When you are confident that all clients are using a client PKI certificate for authentication and encryption, change the site properties to use HTTPS only.
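Step 8 suggests IIS logging to confirm that certificate-enabled clients really connect to the new management point over HTTPS. The following PowerShell function is an added example and is not code from the Configuration Manager documentation: it reads an IIS W3C log, groups requests by client address and reports which clients used port 443 and which are still arriving only on port 80. The log lines, addresses and URL stems in the sample are constructed for illustration.

```powershell
# Added example, not from the Configuration Manager documentation: summarise an
# IIS W3C log from the new management point to see which client addresses connect
# over HTTPS (s-port 443) and which still arrive only over HTTP (s-port 80).
function Get-CMClientPortSummary {
    param([Parameter(Mandatory = $true)] [string[]]$LogLines)

    $fields = $null
    $rows = foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # The #Fields header names the columns; it can differ between log files.
            $fields = ($line.Substring(8).Trim() -split '\s+')
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        if (-not $fields) { throw 'Log data appeared before any #Fields header.' }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }

    # One summary object per client address: the server ports it used and whether
    # it ever used HTTPS. HttpOnly clients are the ones to investigate before step 11.
    $rows | Group-Object -Property 'c-ip' | ForEach-Object {
        $ports = @($_.Group | Select-Object -ExpandProperty 's-port' -Unique | Sort-Object)
        [pscustomobject]@{
            ClientIP  = $_.Name
            Ports     = ($ports -join ',')
            UsesHttps = ($ports -contains '443')
            HttpOnly  = (($ports -contains '80') -and -not ($ports -contains '443'))
            Requests  = $_.Count
        }
    } | Sort-Object -Property ClientIP
}

# Constructed sample in the default IIS W3C field layout (not a real log).
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-05-23 08:00:01 10.0.0.5 POST /ccm_system/request - 443 - 10.0.1.20 ccmhttp 200 0 0 31
2012-05-23 08:00:02 10.0.0.5 POST /ccm_system/request - 80 - 10.0.1.21 ccmhttp 200 0 0 15
2012-05-23 08:00:03 10.0.0.5 GET /SMS_MP/.sms_aut MPLIST 443 - 10.0.1.20 ccmhttp 200 0 0 12
2012-05-23 08:00:04 10.0.0.5 POST /ccm_system/request - 80 - 10.0.1.22 ccmhttp 200 0 0 18
2012-05-23 08:00:05 10.0.0.5 POST /ccm_system/request - 443 - 10.0.1.22 ccmhttp 200 0 0 20
'@ -split "`r?`n"

# For a real log: Get-CMClientPortSummary -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex120523.log')
Get-CMClientPortSummary -LogLines $sampleLog | Format-Table -AutoSize
```

In the constructed sample, 10.0.1.21 is reported as HttpOnly, which is the pattern that indicates a client without a usable PKI certificate or with selection criteria that match nothing.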
When you follow this plan to gradually introduce PKI certificates, first for authentication only over HTTP, and then for authentication and encryption over HTTPS, you reduce the risk that clients will become unmanaged. In addition, you benefit from the highest security that Configuration Manager supports.

Planning for the Trusted Root Key

The Configuration Manager trusted root key provides a mechanism for Configuration Manager clients to verify that site systems belong to their hierarchy. Every site server generates a site exchange key to communicate with other sites. The site exchange key from the top-level site in the hierarchy is called the trusted root key.

The function of the trusted root key in Configuration Manager resembles a root certificate in a public key infrastructure, in that anything signed by the private key of the trusted root key is trusted further down the hierarchy. For example, by signing the management point certificate with the private key of the trusted root key pair, and by making a copy of the public key of the trusted root key pair available to the clients, clients can differentiate between management points that are in their hierarchy and management points that are not in their hierarchy.

Clients use WMI to store a copy of the trusted root key in the namespace root\ccm\locationservices.

Clients can automatically retrieve the public copy of the trusted root key by using two mechanisms:
• The Active Directory schema is extended for Configuration Manager, the site is published to Active Directory Domain Services, and clients can retrieve this site information from a global catalog server.
• Clients are installed by using client push.

If clients cannot retrieve the trusted root key by using one of these mechanisms, they trust the trusted root key that is provided by the first management point that they communicate with. In this scenario, a client might be misdirected to an attacker's management point, where it would receive policy from the rogue management point. This would likely be the action of a sophisticated attacker and might occur only in a limited time before the client retrieves the trusted root key from a valid management point. However, to reduce this risk of an attacker misdirecting clients to a rogue management point, you can pre-provision the clients by using the trusted root key.

Use the following procedures to pre-provision and verify the trusted root key for a Configuration Manager client:
• Pre-provision a client by using the trusted root key by using a file.
• Pre-provision a client by using the trusted root key without using a file.
• Verify the trusted root key on a client.

You do not have to pre-provision clients by using the trusted root key if they can obtain it from Active Directory Domain Services or they are installed by using client push. In addition, you do not have to pre-provision clients when they use HTTPS communication to management points, because trust is established by using the PKI certificates.

You can remove the trusted root key from a client by using the Client.msi property RESETKEYINFORMATION = TRUE with CCMSetup.exe.
To replace the trusted root key, reinstall the client together with the new trusted root key, for example, by using client push, or by specifying the Client.msi SMSPublicRootKey property by using CCMSetup.exe.

To pre-provision a client with the trusted root key by using a file

1. In a text editor, open the file <Configuration Manager directory>\bin\mobileclient.tcf.
2. Locate the entry SMSPublicRootKey=, copy the key from that line, and close the file without any changes.
3. Create a new text file and paste the key information that you copied from the mobileclient.tcf file.
4. Save the file and place it somewhere where all computers can access it, but where the file is secured to prevent tampering.
5. Install the client by using any installation method that accepts Client.msi properties, and specify the Client.msi property SMSROOTKEYPATH=<Full path and file name>.
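Steps 1 and 2 above read the SMSPublicRootKey value from mobileclient.tcf, and the verification procedure later in this section compares that value with the key a client has stored in root\ccm\locationservices by using Wbemtest. The following PowerShell functions are an added example and are not code from the Configuration Manager documentation; they script that same comparison, and the default $TcfPath assumes a default site server installation directory.

```powershell
# Added example, not from the Configuration Manager documentation: reads the
# SMSPublicRootKey entry from mobileclient.tcf (steps 1 and 2 above) and compares it
# with the trusted root key that a client stores in WMI, the same comparison that
# the Wbemtest procedure later in this section makes by hand. The default $TcfPath
# assumes a default site server installation directory; adjust it for your site.
function Get-CMPublicRootKeyFromTcf {
    param([string]$TcfPath = 'C:\Program Files\Microsoft Configuration Manager\bin\mobileclient.tcf')
    $line = Get-Content -Path $TcfPath |
        Where-Object { $_ -match '^\s*SMSPublicRootKey\s*=' } |
        Select-Object -First 1
    if (-not $line) { throw "No SMSPublicRootKey entry found in $TcfPath" }
    # Everything after the first '=' is the key; the file is only read, never modified.
    return ($line -split '=', 2)[1].Trim()
}

function Get-CMClientTrustedRootKey {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The object that Wbemtest shows as TrustedRootKey=@ in root\ccm\locationservices.
    $obj = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\ccm\locationservices' `
                         -Class TrustedRootKey -ErrorAction Stop
    return [string]$obj.TrustedRootKey
}

function Test-CMTrustedRootKey {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$TcfPath = 'C:\Program Files\Microsoft Configuration Manager\bin\mobileclient.tcf'
    )
    $expected = Get-CMPublicRootKeyFromTcf -TcfPath $TcfPath
    $actual   = Get-CMClientTrustedRootKey -ComputerName $ComputerName

    # An empty key means the client has not obtained any trusted root key yet.
    # A present key that differs from the site's is the case this section warns
    # about: the client trusts a key from a different hierarchy or from a management
    # point that is not yours. Reset it with RESETKEYINFORMATION=TRUE and reinstall.
    [pscustomobject]@{
        ComputerName = $ComputerName
        KeyPresent   = (-not [string]::IsNullOrEmpty($actual))
        Matches      = ($actual -ceq $expected)
    }
}

# Usage (CLIENT01 is a hypothetical computer name):
# Test-CMTrustedRootKey -ComputerName 'CLIENT01'
```

Run it with an account that has WMI access to the client; a result with KeyPresent true and Matches false is the one to act on.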
To pre-provision a client with the trusted root key without using a file

1. In a text editor, open the file <Configuration Manager directory>\bin\mobileclient.tcf.
2. Locate the entry SMSPublicRootKey=, note the key from that line or copy it to the Clipboard, and then close the file without any changes.
3. Install the client by using any installation method that accepts Client.msi properties, and specify the Client.msi property SMSPublicRootKey=<key>, where <key> is the string that you copied from mobileclient.tcf.

To verify the trusted root key on a client

1. On the Start menu, click Run, and then type Wbemtest.
2. In the Windows Management Instrumentation Tester dialog box, click Connect.
3. In the Connect dialog box, in the Namespace box, type root\ccm\locationservices, and then click Connect.
4. In the Windows Management Instrumentation Tester dialog box, in the IWbemServices section, click Enum Classes.
5. In the Superclass Info dialog box, select Recursive, and then click OK.
6. In the Query Result window, scroll to the end of the list, and then double-click TrustedRootKey ().
7. In the Object editor for TrustedRootKey dialog box, click Instances.
8. In the new Query Result window that displays the instances of TrustedRootKey, double-click TrustedRootKey=@.
9. In the Object editor for TrustedRootKey=@ dialog box, in the Properties section, scroll down to TrustedRootKey CIM_STRING. The string in the right column is the trusted root key. Verify that it matches the SMSPublicRootKey value in the file <Configuration Manager directory>\bin\mobileclient.tcf.

Planning for Signing and Encryption

When you use PKI certificates for all client communications, you do not have to plan for signing and encryption to help secure client data communication. However, if you configure any site systems that run IIS to allow HTTP client connections, you must decide how to help secure the client communication for the site.

To help protect the data that clients send to management points, you can require it to be signed.
In addition, you can require that all signed data from clients that use HTTP is signed by using the SHA-256 algorithm. Although this is a more secure setting, do not enable this option unless all clients support SHA-256. Many operating systems natively support SHA-256, but older operating systems might require an update or hotfix. For example, computers that run Windows Server 2003 SP2 must install a hotfix that is referenced in the KB article 938397.

Whereas signing helps protect the data from tampering, encryption helps protect the data from information disclosure. You can enable 3DES encryption for the inventory data and state messages that clients send to management points in the site. You do not have to install any updates on clients to support this option, but consider the additional CPU usage that will be required on clients and the management point to perform the encryption and decryption.

Planning for Role-Based Administration

Role-based administration lets you design and implement administrative security for the System Center 2012 Configuration Manager hierarchy by using any or all of the following:
• Security roles
• Collections
• Security scopes

These settings combine to define an administrative scope for an administrative user. The administrative scope controls the objects that an administrative user can view in the Configuration Manager console and the permissions that user has on those objects. Role-based administration configurations replicate to each site in the hierarchy as global data, and then are applied to all administrative connections.

Intersite replication delays can prevent a site from receiving changes for role-based administration. For information about how to monitor intersite database replication, see the How to Monitor Database Replication and SQL Server Status for Database Replication section in the Monitor Configuration Manager Sites and Hierarchy topic.

Planning for Security Roles

Use security roles to grant security permissions to administrative users. Security roles are groups of security permissions that you assign to administrative users so that they can perform their administrative tasks. These security permissions define the administrative actions that an administrative user can perform and the permissions that are granted for particular object types. As a security best practice, assign the security roles that provide the least permissions.
System Center 2012 Configuration Manager has several built-in security roles to support typical groupings of administrative tasks, and you can create your own custom security roles to support your specific business requirements. Examples of the built-in security roles:
• Full Administrator: This security role grants all permissions in Configuration Manager.
• Asset Analyst: This security role allows administrative users to view data collected by using Asset Intelligence, software inventory, hardware inventory, and software metering. Administrative users can create metering rules and Asset Intelligence categories, families, and labels.
• Software Update Manager: This security role grants permissions to define and deploy software updates. Administrative users who are associated with this role can create collections, software update groups, deployments, and templates, and enable software updates for Network Access Protection (NAP).
You can view the list of built-in security roles and custom security roles that you create, including their descriptions, in the Configuration Manager console. To do so, in the Administration workspace, expand Security, and then select Security Roles.

Each security role has specific permissions for different object types. For example, the Application Administrator security role has the following permissions for applications: Approve, Create, Delete, Modify, Modify Folders, Move Objects, Read/Deploy, Set Security Scope. You cannot change the permissions for the built-in security roles, but you can copy the role, make changes, and then save these changes as a new custom security role. You can also import security roles that you have exported from another hierarchy (for example, from a test network). Review the security roles and their permissions to determine whether you will use the built-in security roles or whether you have to create your own custom security roles.

Use the following steps to help you plan for security roles:
1. Identify the tasks that the administrative users perform in System Center 2012 Configuration Manager. These tasks might relate to one or more groups of management tasks, such as deploying applications and packages, deploying operating systems and settings for compliance, configuring sites and security, auditing, remotely controlling computers, and collecting inventory data.
2. Map these administrative tasks to one or more of the built-in security roles.
3. If some of the administrative users perform the tasks of multiple security roles, assign the multiple security roles to these administrative users instead of creating a new security role that combines the tasks.
4. If the tasks that you identified do not map to the built-in security roles, create and test new security roles.

Planning for Collections

Collections specify the user and computer resources that an administrative user can view or manage.
For example, for administrative users to deploy applications or to run remote control, they must be assigned to a security role that grants access to a collection that contains these resources. You can select collections of users or devices. For more information about collections, see Introduction to Collections in Configuration Manager.

Before you configure role-based administration, check whether you have to create new collections for any of the following reasons:
• Functional organization. For example, separate collections of servers and workstations.
• Geographic alignment. For example, separate collections for North America and Europe.
• Security requirements and business processes. For example, separate collections for production and test computers.
• Organization alignment. For example, separate collections for each business unit.
Planning for Security Scopes

Use security scopes to provide administrative users with access to securable objects. Security scopes are a named set of securable objects that are assigned to administrative users as a group. All securable objects must be assigned to one or more security scopes. Configuration Manager has two built-in security scopes:
• All: This built-in security scope grants access to all scopes. You cannot assign objects to this security scope.
• Default: This built-in security scope is used for all objects, by default. When you first install System Center 2012 Configuration Manager, all objects are assigned to this security scope.

If you want to restrict the objects that administrative users can see and manage, you must create and use your own custom security scopes. Security scopes do not support a hierarchical structure and cannot be nested.

Security scopes can contain one or more object types, which include the following:
• Alert subscriptions
• Antimalware policies
• Applications
• Boot images
• Boundary groups
• Configuration items
• Custom client settings
• Distribution points and distribution point groups
• Driver packages
• Global conditions
• Migration jobs
• Operating system images
• Operating system installation packages
• Packages
• Queries
• Sites
• Software metering rules
• Software update groups
• Software updates packages
• Task sequence packages
• Windows CE device setting items and packages

There are also some objects that you cannot include in security scopes because they are only secured by security roles. Administrative access to these cannot be limited to a subset of the available objects. For example, you might have an administrative user who creates boundary groups that are used for a specific site. Because the boundary object does not support security scopes, you cannot assign this user a security scope that provides access to only the boundaries that might be associated with that site. Because a boundary object cannot be associated with a security scope, when you assign a security role that includes access to boundary objects to a user, that user can access every boundary in the hierarchy.

Objects that are not limited by security scopes include the following:
• Active Directory forests
• Administrative users
• Alerts
• Boundaries
• Computer associations
• Default client settings
• Deployment templates
• Device drivers
• Exchange Server connector
• Migration site-to-site mappings
• Mobile device enrollment profiles
• Security roles
• Security scopes
• Site addresses
• Site system roles
• Software titles
• Software updates
• Status messages
• User device affinities

Create security scopes when you have to limit access to separate instances of objects. For example:
• You have a group of administrative users who must be able to see production applications and not test applications. Create one security scope for production applications and another for the test applications.
• Different administrative users require different access for some instances of an object type. For example, one group of administrative users requires Read permission to specific software update groups, and another group of administrative users requires Modify and Delete permissions for other software update groups. Create different security scopes for these software update groups.

See Also
Planning for Configuration Manager Sites and Hierarchy
Planning for Communications in Configuration Manager

Before you install System Center 2012 Configuration Manager, plan for the network communications between different sites in a hierarchy, between different site system servers in a site, and between clients and site system servers. These communications might be contained in a single domain, or they might span multiple Active Directory forests. You might also have to plan for communications to manage clients on the Internet.

Use the following sections in this topic to help you plan for communications in Configuration Manager.
• Planning for Intersite Communications in Configuration Manager
• Planning for Intrasite Communications in Configuration Manager
• Planning for Client Communication in Configuration Manager
• Planning for Communications Across Forests in Configuration Manager
• Planning for Internet-Based Client Management
• Planning for Network Bandwidth in Configuration Manager

What's New in Configuration Manager

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following items are new or have changed for site communication since Configuration Manager 2007:
• Site-to-site communication now uses database replication in addition to file-based replication for many site-to-site data transfers, including configurations and settings.
• The Configuration Manager 2007 concept of mixed-mode or native-mode sites to define how clients communicate with site systems in the site has been replaced by site system roles that can independently support HTTP or HTTPS client communications.
• To help support client computers in other forests, Configuration Manager can discover computers in these forests and publish site information to these forests.
• The server locator point is no longer used, and the functionality of this site system role is moved to the management point.
• Internet-based client management now supports the following:
  • User policies when the Internet-based management point can authenticate the user by using Windows authentication (Kerberos or NTLM).
  • Simple task sequences, such as scripts. Operating system deployment on the Internet remains unsupported.
  • Internet-based clients first try to download any required software updates from Microsoft Update, rather than from an Internet-based distribution point in their assigned site. Only if this fails will they then try to download the required software updates from an Internet-based distribution point.

Planning for Intersite Communications in Configuration Manager

In a Configuration Manager hierarchy, each site communicates with its parent site and its direct child sites by using two data transfer methods: file-based replication and database replication. Secondary sites not only communicate with their parent primary sites by using both data transfer methods, but can also communicate with other secondary sites by using file-based replication to route content to remote network locations. Configuration Manager uses file-based replication and database replication to transfer different types of information between sites.

File-Based Replication

Configuration Manager uses file-based replication to transfer file-based data between sites in your hierarchy. This data includes content such as applications and packages that you want to deploy to distribution points in child sites, and unprocessed discovery data records that are transferred to parent sites, where they are processed.

File-based communication between sites uses the Server Message Block (SMB) protocol over TCP/IP port 445. You can specify configurations that include bandwidth throttling and pulse mode to control the amount of data transferred across the network, and schedules to control when to send data across the network. To transfer file-based data, Configuration Manager uses an address and a sender to connect to the SMS_SITE share on the destination site server.

Addresses and Senders

Configuration Manager uses an address and a sender to transfer file-based data between sites in a hierarchy. The following entries describe addresses and senders.

Object: Address

Each address identifies a destination site to which file-based data can transfer. Each site supports a single address to a specific destination site. Configuration Manager supports the following configurations for addresses:
• Site Address Account: This account is used to connect to the destination site and to write data to that site's SMS_SITE share. Data written to this share is processed by the receiving site. By default, when a site is added to the hierarchy, Configuration Manager assigns the site server's computer account at the new site and its parent site as the Site Address Account. This account is added to the destination site's SMS_SiteToSiteConnection_<Sitecode> group, which is a local group on the computer that grants access to the SMS_SITE share. You can change this account to be a Windows user account. If you change the account, ensure that you add the new account to the destination site's SMS_SiteToSiteConnection_<Sitecode> group.
  Note: Secondary sites always use the computer account of the secondary site server as the Site Address Account.
• Schedule: You can configure each address that uses a schedule to restrict the type of data and the time when data can transfer to the destination site.
• Rate Limits: You can configure rate limits for an address to control the network bandwidth that is used when transferring data to the destination site:
  • Use Pulse mode to specify the size of the data blocks that are sent to the destination site. You can also specify a time delay between sending each data block. Use this option when you must send data across a very low bandwidth network connection to the destination site. For example, you might have constraints to send 1 KB of data every five seconds, but not 1 KB every three seconds, regardless of the speed of the link or its usage at a given time.
  • Use Limited to maximum transfer rates by hour to have a site send data to a destination site by using only the percentage of time that you specify. When you use this option, Configuration Manager does not identify the network's available bandwidth, but instead divides the time it can send data into slices of time. Then data is sent in a short block of time, which is followed by blocks of time when data is not sent. For example, if the maximum rate is set to 50%, Configuration Manager transmits data for an amount of time followed by an equal period of time when no data is sent. The actual amount of data, or size of the data block, is not managed. Instead, only the amount of time during which data is sent is managed.
  Caution: By default, a site can use up to three concurrent sendings to transfer data to a destination site. When you enable rate limits for an address, the concurrent sendings for sending data to that site are limited to one. This applies even when the Limit available bandwidth (%) is set to 100%. When using the default settings for the sender, this reduces the transfer rate to the destination site to one third of the default capacity.
• You can configure an address between two secondary sites to route file-based content between those sites.
To manage an address in the Administration workspace, expand the Hierarchy Configuration node, and select Addresses.

Object: Sender

Each site has one sender. The sender manages the network connection from one site to a destination site, and can be used to establish connections to multiple sites at the same time. To connect to a site, the sender uses the address for the site to identify the account to use to establish the network connection, and then to write data to the destination site's SMS_SITE share.
By default, the sender writes data to a destination site by using multiple concurrent sendings. Each concurrent sending can transfer a different file-based object to the destination site. By default, when the sender begins to send an object, the sender continues to write blocks of data for the object until the entire object is sent. After all the data for the object has been sent, a new object can begin to send.
You can configure the following settings for a sender:
• Maximum concurrent sendings: By default, each site is configured to use five concurrent sendings, with three available for use when it sends to any one destination site. When you increase this number, you can increase the throughput of data between sites, but you also increase the demand for network bandwidth between sites.
• Retry settings: By default, each site is configured to retry a connection two times with a one minute delay between connection attempts. You can modify the number of connection attempts the site makes, and how long to wait between those attempts.
To manage the sender for a site in the Administration workspace, expand the Hierarchy Configuration node, expand Sites, and then click Properties for the site that you want to manage. Click the Sender tab to change the sender configuration.

Database Replication

Configuration Manager database replication uses SQL Server to transfer data and merge changes that are made in a site database with the information stored in the database at other sites in the hierarchy. This enables all sites to share the same information. Database replication is automatically configured by all Configuration Manager sites. When you install a site to a hierarchy, database replication is automatically configured between the new site and its designated parent site. When the site installation finishes, database replication automatically starts.

When you install a new site in a hierarchy, Configuration Manager creates a generic database at the new site. Next, the parent site creates a snapshot of the relevant data in its database for the new site, and transfers that snapshot by using file-based replication to the new site. The new site then uses the SQL Server bulk copy program (BCP) to load the information into its local copy of the Configuration Manager database. After the snapshot loads, each site conducts database replication with the other site.

To replicate data between sites, Configuration Manager uses a database replication service. The database replication service uses SQL Server change tracking to monitor the local site database for changes, and then replicates those changes to other sites by using SQL Server Service Broker. By default, this process uses TCP/IP port 4022.

To replicate data by database replication, Configuration Manager groups different data into distinct groups. Each group can have a separate, fixed replication schedule. For example, a configuration change to a role-based administration configuration replicates quickly to other sites to ensure that these changes are enforced as soon as possible.
Meanwhile, a lower priority configuration change, such as a request to install a new secondary site, replicates with less urgency, and it takes several minutes for the new site request to reach the destination primary site. Configuration Manager database replication is configured automatically and does not support configuration of replication groups or replication schedules.

Configuration Manager classifies the data that it replicates by database replication as either global data or site data. A third data type, local data, does not replicate to other sites. Local data includes information that is not required by other sites.

Global Data

Global data refers to administrator-created objects that replicate to all sites throughout the hierarchy, although secondary sites receive only a subset of global data, as global proxy data. Examples of global data include software deployments, software updates, collections, and role-based administration security scopes. Administrators can create global data at central administration sites and primary sites.

Site Data

Site data refers to operational information that Configuration Manager primary sites and the clients that report to primary sites create. Site data replicates to the central administration site but not to other primary sites. Examples of site data include hardware inventory data, status messages, alerts, and the results from query-based collections. Site data is only viewable at the central administration site and the primary site where the data originates. You can modify site data only at the primary site where it was created. All site data replicates to the central administration site; therefore, the central administration site can perform administration and reporting for the whole hierarchy.

Planning for Intrasite Communications in Configuration Manager

Each Configuration Manager site contains a site server and can have one or more additional site system servers that host site system roles. Configuration Manager requires each site system server to be a member of an Active Directory domain. Configuration Manager does not support a change of the computer name or the domain membership while the computer remains a site system.

When Configuration Manager site systems or components communicate across the network to other site systems or Configuration Manager components in the site, they use server message block (SMB), HTTP, or HTTPS. The communication method depends on how you choose to configure the site. With the exception of communication from the site server to a distribution point, these server-to-server communications in a site can occur at any time and do not use mechanisms to control the network bandwidth. Because you cannot control the communication between site systems, ensure that you install site system servers in locations that have well connected and fast networks.
You can use the following options to help you manage the transfer of content from the site server to distribution points:  Configure the distribution point for network bandwidth control and scheduling. These controls resemble the configurations used by intersite addresses, and you can often use this configuration instead of installing another Configuration Manager site when the transfer of content to remote network locations is your main bandwidth consideration.  You can install a distribution point as a prestaged distribution point. A prestaged distribution point lets you use content that is manually put on the distribution point server and removes the requirement to transfer content files across the network. For more information about network bandwidth considerations, see Network Bandwidth Considerations for Distribution Points in Planning for Content Management in Configuration Manager.
Planning for Client Communication in Configuration Manager
Client communication in Configuration Manager includes client-to-site-system communications and service location inquiries. By using service location inquiries, Configuration Manager clients can identify the site system servers to use.

Planning for Client Communication to Site Systems
Configuration Manager clients initiate communication to site system roles that provide services to clients. This includes management points, from which clients download client policy, and distribution points, from which clients download content. To communicate with a site system role, the client must first locate a site system role that is configured to support the protocol (HTTPS or HTTP) that the client can use. By default, clients use the most secure method available to them. Therefore, a client that is configured to use a PKI certificate attempts to locate and communicate with a site system role by using HTTPS before it communicates with a site system role that uses HTTP.
For a Configuration Manager client to use HTTPS, you must have a public key infrastructure (PKI) and must install PKI certificates on clients and servers. The client requires a certificate that has client authentication capability for mutual authentication with the site system server. For information about how to use certificates, see PKI Certificate Requirements for Configuration Manager.
When you deploy a site system role that uses Internet Information Services (IIS) and supports communication from clients, which includes management points, an Application Catalog website point, a state migration point, and distribution points, you must specify whether clients connect to the site system by using HTTP or HTTPS. If you use HTTP, you must also consider signing and encryption choices. For more information, see Planning for Signing and Encryption.
You can also configure the site system to use an intranet fully qualified domain name (FQDN) and an Internet FQDN. When you configure an Internet FQDN, you can then configure the site system role to accept client connections from the Internet. You can configure support for client connections from the Internet only, or for client connections from both the intranet and the Internet.
You can deploy multiple instances of a site system role in a site, and separate instances of that site system role can support different communication settings. For example, in a single site, you can have one management point that accepts HTTPS client communication and another management point that accepts HTTP client communication. You can use one site to manage clients across different network locations that use different communication protocols and security settings.

Planning for Client Approval
When clients use a PKI certificate to authenticate themselves to a management point, Configuration Manager knows that the client is trusted because the trust is established by using PKI. When you do not use PKI to establish this trust, Configuration Manager uses a process named client approval to register this trust. By default, Configuration Manager uses the computer account of the device and Kerberos authentication to verify that the device is trusted. With this default setting, you must manually verify that any client that is displayed as Not Approved in the Configuration Manager console is a trusted device, and then approve it to be managed by Configuration Manager. This scenario applies to computers that are in untrusted forests and in workgroups. It also applies if Kerberos authentication failed for any reason.
Although Configuration Manager has a configuration option to automatically approve all clients, do not use this configuration unless Configuration Manager is running in a secured test environment. You can also select a configuration option to always manually approve clients. The approval setting is for all devices in the hierarchy, and you can manually approve clients from anywhere in the hierarchy.
Note: Although some management functions might work for clients that are not approved, Configuration Manager does not support the management of these devices.

Planning for Service Location by Clients
Service location is how Configuration Manager clients find sites, site information, and site system roles that they can communicate with. For example, for clients to successfully download client policy, they must first locate a management point from their site that uses the same protocol as they use. Service location is independent from name resolution, which maps a computer name to an IP address. Name resolution is performed by DNS or WINS. However, DNS and WINS can also be used for service location.
Clients search for a management point by using the following options, in the order specified:
1. Management point
2. Active Directory Domain Services
3. DNS
4. WINS

Planning for Service Location from Management Points
When you install a Configuration Manager client, you can use the /MP option to indicate the management point from which the client installation process downloads the client installation files. You can use the SMSMP= option to identify the initial management point that the client first communicates with. When a client communicates successfully with a management point from its assigned site, it downloads the current list of available management points and stores this information locally in WMI for future use. After the initial list of management points is built, the client updates the list every 25 hours, when it receives a new IP address, and when the client CCMEXEC service starts.
During the installation of the client, the client builds a lookup list of management points (also known as an MP list) that includes the management points that you specify during client installation and the management points that the client can identify from Active Directory Domain Services. A site must have one or more management points installed, and the site must publish to Active Directory Domain Services, before the client can discover the site's management points from Active Directory Domain Services.
Note: Management points that are found in Active Directory Domain Services must match the client's assigned site code and client version. The client ignores management points that are published by Configuration Manager 2007.
If you did not specify a management point to the client during client installation, and if you have not extended the Active Directory schema, the client checks DNS and WINS for management points to add to its lookup list. When a client is a member of more than one boundary group that is configured for site assignment, the management point lookup list is determined by a union of all of the boundaries that are associated with each of those boundary groups.
After the client builds its list of management points, it sorts the list into different priorities. When the client supports a client PKI certificate, the client uses a management point that supports HTTPS communication and puts HTTPS-capable management points first in the list, as preferred management points. The client then tries to contact a preferred management point before it uses a management point that is not preferred. The order of equivalent management points is not set; only their relative priority is set. This order of equivalent management points can reset every time that the client updates its management point lookup list. Therefore, a client that has three HTTPS-capable management points available to it might contact any of the three HTTPS management points during each new connection attempt.
If the client cannot reach the first management point, it retries several times. If it continues to fail, it tries additional management points until communications are established or there are no more management points on its list. For information about how to install Configuration Manager clients, and how to use command-line parameters to specify management points and the protocol that a client uses to contact site system roles, see How to Install Clients on Computers in Configuration Manager.
If the client cannot contact a management point from its lookup list, it tries to use an alternative service location method.

Planning for Service Location from Active Directory Domain Services
Intranet clients use Active Directory Domain Services as their primary method of service location. Examples of site information include the location of available site system roles and their capabilities, and the security information that is required by client computers to establish trusted connections with site system servers in the site.
Configuration Manager clients can use Active Directory Domain Services for service location when all the following conditions are true:
• The Active Directory schema is extended for Configuration Manager 2007 or System Center 2012 Configuration Manager.
• Configuration Manager sites publish to Active Directory Domain Services.
• The Active Directory forest is enabled for publishing in Configuration Manager.
• The client computer is a member of an Active Directory domain and can access a global catalog server.
If any one of these conditions cannot be met, you can configure alternative service location methods. Alternatives include DNS, WINS, and a management point that is specified during client installation.

Planning for Service Location by Using DNS Publishing
If you cannot publish site information to Active Directory Domain Services, consider publishing management points to DNS. You can publish this site system role for clients on the intranet.

Determine Whether to Publish Management Points to DNS
When you publish Configuration Manager management points to DNS, this configuration adds a service location resource record (SRV RR) in the DNS zone of the site system server that hosts the management point. Ensure that you have a corresponding host entry for the site system server.
Consider publishing to DNS when any of the following conditions are true:
• The Active Directory Domain Services schema is not extended to support Configuration Manager.
• Clients on the intranet are located in a forest that is not enabled for Configuration Manager publishing.
• Clients are on workgroup computers, and they are not configured for Internet-only client management.
Important: Publishing service location records for management points in DNS is applicable only to management points that accept client connections from the intranet.

Client Discovery of Management Points from DNS
For clients to find a management point in DNS, you must assign the clients to a specific site instead of using automatic site assignment. Additionally, you must configure a client property that specifies the domain suffix of the management point. Clients on the intranet use this domain suffix to query DNS for management points for their assigned site. When more than one management point for the site is published to DNS, a client selects the first management point that matches its own communication setting for HTTPS or HTTP. A client that can use HTTPS always selects a management point that is configured for HTTPS if one is available.
For more information about how to configure the DNS suffix client property, see How to Configure Client Computers to Find Management Points by using DNS Publishing in Configuration Manager.

Publish Management Points to DNS
To publish management points to DNS, the following two conditions must be true:
• Your DNS servers support service location resource records, by using a version of BIND that is at least 8.1.2.
• The specified intranet FQDNs in Configuration Manager have host entries (for example, A records) in DNS.
When your DNS servers support automatic updates, you can configure System Center 2012 Configuration Manager to automatically publish management points on the intranet to DNS, or you can manually publish these records to DNS. When management points are published to DNS, their intranet FQDN and port number are published in the service location (SRV) record.
When your DNS servers do not support automatic updates but do support service location records, you can manually publish management points to DNS. To accomplish this, you must manually specify the service location resource record (SRV RR) in DNS. Configuration Manager supports RFC 2782 for service location records, which have the following format:
_Service._Proto.Name TTL Class SRV Priority Weight Port Target
To publish a Configuration Manager management point, specify the following values:
• _Service: Enter _mssms_mp_<sitecode>, where <sitecode> is the management point's site code.
• _Proto: Specify _tcp.
• Name: Enter the DNS suffix of the management point, for example contoso.com.
• TTL: Enter 14400, which is four hours.
• Class: Specify IN (in compliance with RFC 1035).
• Priority: This field is not used by Configuration Manager.
• Weight: This field is not used by Configuration Manager.
• Port: Enter the port number that the management point uses, for example 80 for HTTP and 443 for HTTPS.
Note: If the management point accepts HTTP and HTTPS client connections, you must create two SRV records. In one record, specify the HTTP port number; in the other, specify the HTTPS port number.
• Target: Enter the intranet FQDN that is specified for the site system that is configured with the management point site role.
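The following Python script is an added example and is not part of this documentation. It builds the SRV records described above for two hypothetical management points (mp1.contoso.com accepting HTTP and HTTPS, mp2.contoso.com accepting HTTP only, both in a constructed site PS1 with DNS suffix contoso.com), checks that every target has a host record, and models the client selection described under Client Discovery of Management Points from DNS, where a client with a PKI certificate prefers an HTTPS record and a client without one can use only HTTP records. The site code, host names and the assumption that port 80 means HTTP and port 443 means HTTPS are constructed for illustration.

```python
"""Build and consume RFC 2782 SRV records for Configuration Manager
management points (MPs).  Added example: the site code PS1, the host
names and the DNS suffix below are constructed, not from a real site."""
import random
import re
from dataclasses import dataclass

SRV_TTL = 14400                              # four hours, the value given in the text
DEFAULT_PORTS = {"HTTP": 80, "HTTPS": 443}   # assumed client/MP port settings


@dataclass(frozen=True)
class ManagementPoint:
    intranet_fqdn: str      # intranet FQDN configured on the site system
    site_code: str          # the MP's site code
    protocols: tuple        # ("HTTP",), ("HTTPS",) or both


def srv_records(mp, dns_suffix, ports=DEFAULT_PORTS):
    """Return one zone-file SRV line per protocol the MP accepts, in the
    _Service._Proto.Name TTL Class SRV Priority Weight Port Target layout.
    An MP that accepts both HTTP and HTTPS needs two records, one per port.
    Priority and Weight are not used by Configuration Manager, so 0 is published.
    """
    owner = f"_mssms_mp_{mp.site_code}._tcp.{dns_suffix}."
    return [f"{owner} {SRV_TTL} IN SRV 0 0 {ports[proto]} {mp.intranet_fqdn}."
            for proto in mp.protocols]


SRV_RE = re.compile(
    r"^_mssms_mp_(?P<site>\w+)\._tcp\.(?P<suffix>[\w.-]+?)\.?\s+(?P<ttl>\d+)\s+"
    r"IN\s+SRV\s+(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+"
    r"(?P<target>[\w.-]+?)\.?$")


def parse_srv(line):
    """Parse one MP SRV line into a dict; anything else is rejected."""
    m = SRV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Configuration Manager MP SRV record: {line!r}")
    d = m.groupdict()
    return {"site": d["site"], "suffix": d["suffix"], "ttl": int(d["ttl"]),
            "port": int(d["port"]), "target": d["target"]}


def missing_host_records(srv_lines, host_records):
    """SRV targets with no host (A/AAAA) record; the text requires one per target.
    host_records is the set of FQDNs that do have a host record in the zone."""
    have = {h.lower() for h in host_records}
    targets = {parse_srv(l)["target"].lower() for l in srv_lines}
    return sorted(t for t in targets if t not in have)


def select_mp(srv_lines, assigned_site, dns_suffix, client_has_pki_cert,
              ports=DEFAULT_PORTS, rng=random):
    """Model the intranet client behaviour described in the text.

    Only records for the client's assigned site code and configured DNS
    suffix are considered.  A client with a PKI certificate prefers an HTTPS
    MP and falls back to HTTP only when no HTTPS MP is published; a client
    without a certificate can use only HTTP MPs.  The order among equivalent
    MPs is not defined, so one is picked at random.
    Returns (target_fqdn, port), or None when nothing usable is published.
    """
    recs = [r for r in (parse_srv(l) for l in srv_lines)
            if r["site"].lower() == assigned_site.lower()
            and r["suffix"].lower() == dns_suffix.lower()]
    https = [r for r in recs if r["port"] == ports["HTTPS"]]
    http = [r for r in recs if r["port"] == ports["HTTP"]]
    pool = (https or http) if client_has_pki_cert else http
    if not pool:
        return None
    chosen = rng.choice(pool)
    return chosen["target"], chosen["port"]


def example_records():
    """Constructed sample: mp1 accepts HTTP and HTTPS (two records); mp2 HTTP only."""
    mps = [ManagementPoint("mp1.contoso.com", "PS1", ("HTTP", "HTTPS")),
           ManagementPoint("mp2.contoso.com", "PS1", ("HTTP",))]
    return [line for mp in mps for line in srv_records(mp, "contoso.com")]


if __name__ == "__main__":
    lines = example_records()
    print("\n".join(lines))
    print("targets without a host record:",
          missing_host_records(lines, {"mp1.contoso.com"}))
    print("client with PKI certificate ->", select_mp(lines, "PS1", "contoso.com", True))
    print("client without certificate  ->", select_mp(lines, "PS1", "contoso.com", False))
```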
If you use Windows Server DNS, you can use the following procedure to enter this DNS record for intranet management points. If you use a different implementation for DNS, use the information in this section about the field values and consult that DNS documentation to adapt this procedure.

To manually publish management points to DNS on Windows Server
1. In the Configuration Manager console, specify the intranet FQDNs of site systems.
2. In the DNS management console, select the DNS zone for the management point computer.
3. Verify that there is a host record (A or AAAA) for the intranet FQDN of the site system. If this record does not exist, create it.
4. By using the New Other Records option, click Service Location (SRV) in the Resource Record Type dialog box, click Create Record, enter the following information, and then click Done:
   • Domain: If necessary, enter the DNS suffix of the management point, for example contoso.com.
   • Service: Type _mssms_mp_<sitecode>, where <sitecode> is the management point's site code.
   • Protocol: Type _tcp.
   • Priority: This field is not used by Configuration Manager.
   • Weight: This field is not used by Configuration Manager.
   • Port: Enter the port number that the management point uses, for example 80 for HTTP and 443 for HTTPS.
   Note: If the management point accepts HTTP and HTTPS client connections, you must create two SRV records. In one record, specify the HTTP port number; in the other, specify the HTTPS port number.
   • Host offering this service: Enter the intranet fully qualified domain name that is specified for the site system that is configured with the management point site role.
Repeat these steps for each management point on the intranet that you want to publish to DNS.

Planning for Service Location by Using WINS
The first management point in the primary site that is configured to accept HTTP client connections is automatically published to WINS. When other service location mechanisms fail, clients can find an initial management point by checking WINS. When they connect to this management point, they download a list of other management points. This behavior means that clients can indirectly locate all management points from WINS and use them for subsequent connections.
For example, you might prefer clients to use HTTPS when they connect to management points on the intranet, because this configuration provides improved security. You configure all management points but one to accept only HTTPS client connections. The one management point that accepts HTTP client connections is used only when clients first connect to the site.
If you do not want clients to find an HTTP management point in WINS, configure clients with the CCMSetup.exe Client.msi property SMSDIRECTORYLOOKUP=NOWINS.

Planning How to Wake Up Clients
Configuration Manager supports two wake on local area network (LAN) technologies to wake up computers in sleep mode when you want to install required software, such as software updates and applications: traditional wake-up packets and AMT power on commands.
As a security best practice, use AMT power on commands when this is possible. Because this technology uses PKI certificates to help secure the communication, it is more secure than sending wake-up packets. However, to use AMT power on commands, the computers must be Intel AMT-based computers that are provisioned for AMT. For more information about how Configuration Manager can manage AMT-based computers, see Introduction to Out of Band Management in Configuration Manager.
If you want to wake up computers for scheduled software installation, you must configure each primary site for one of the three options:
• Use AMT power on commands if the computer supports this technology; otherwise, use wake-up packets.
• Use AMT power on commands only.
• Use wake-up packets only.
Use the following table for more information about the differences between the two Wake-on-LAN (WOL) technologies for this scenario.

Technology: Traditional wake-up packets
Advantages:
• Does not require any additional site system roles in the site.
• Supported by many network adapters.
• UDP wake-up packets are quick to send and process.
• Does not require a PKI infrastructure.
• Does not require any changes to Active Directory Domain Services.
• Supported on workgroup computers, computers from another Active Directory forest, and computers in the same Active Directory forest but using a noncontiguous namespace.
Disadvantages:
• Less secure solution than AMT power on commands because it does not use authentication or encryption.
• If subnet-directed broadcast transmissions are used for the wake-up packets, this has the security risk of smurf attacks.
• Might require manual configuration on each computer for BIOS settings and adapter configuration.
• No confirmation that computers are woken up.
• Wake-up transmissions as multiple User Datagram Protocol (UDP) packets can unnecessarily saturate available network bandwidth.
• Cannot wake up computers interactively.
• Cannot return computers to sleep state.
• Management features are restricted to waking up computers only.

Technology: AMT power on commands
Advantages:
• More secure solution than traditional wake-up packets because it provides authentication and encryption by using standard industry security protocols. It can also integrate with an existing PKI deployment, and the security controls can be managed independently from the product.
• Supports automatic centralized setup and configuration (AMT provisioning).
• Established transport session for a more reliable connection and auditable connection.
• Computers can be woken up interactively (and restarted).
• Computers can be powered down interactively.
• Additional management capabilities, which include the following:
   • Restarting a nonfunctioning computer and booting from a locally connected device or known good boot image file.
   • Re-imaging a computer by booting from a boot image file that is located on the network or by using a PXE server.
   • Reconfiguring the BIOS settings on a selected computer and bypassing the BIOS password if this is supported by the BIOS manufacturer.
   • Booting to a command-based operating system to run commands, repair tools, or diagnostic applications (for example, upgrading the firmware or running a disk repair tool).
Disadvantages:
• Requires that the site has an out of band service point and enrollment point.
• Supported only on computers that have the Intel vPro chip set and a supported version of Intel Active Management Technology (Intel AMT) firmware. For more information about which AMT versions are supported, see Supported Configurations for Configuration Manager.
• The transport session requires more time to establish, higher processing on the server, and an increase in data transferred.
• Requires a PKI deployment and specific certificates.
• Requires an Active Directory container that is created and configured for publishing AMT-based computers.
• Cannot support workgroup computers, computers from another Active Directory forest, or computers from the same Active Directory forest but that use a noncontiguous namespace.
• Requires changes to DNS and DHCP to support AMT provisioning.

Choose how to wake up computers based on whether you can support the AMT power on commands and whether the computers assigned to the site support the Wake-on-LAN technology. Also consider the advantages and disadvantages of both technologies that are listed in the previous table. For example, wake-up packets are less reliable and are not secured, but power on commands take longer to establish and require more processing on the site system server that is configured with the out of band service point.
Important: Because of the additional overhead involved in establishing, maintaining, and ending an out of band management session to AMT-based computers, conduct your own tests so that you can accurately judge how long it takes to wake up multiple computers by using AMT power on commands in your environment (for example, across slow WAN links to computers in secondary sites). This knowledge helps you determine whether waking up multiple computers for scheduled activities by using AMT power on commands is practical when you have many computers to wake up in a short amount of time.
If you decide to use traditional wake-up packets, you must also decide whether to use subnet-directed broadcast packets or unicast packets, and what UDP port number to use. By default, traditional wake-up packets are transmitted by using UDP port 9, but to help increase security, you can select an alternative port for the site if this alternative port is supported by intervening routers and firewalls.
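The port and transmission choices discussed in this section can be checked against observed traffic. The following Python script is an added example, not part of this documentation: given constructed flow records (source, destination, protocol, destination port or ICMP type), the site server address, the wake-up UDP port configured for the site and the managed subnets, it reports directed-broadcast wake-up traffic that did not come from the site server or that still uses the default port 9 instead of the configured one, and ICMP echo requests sent to a directed broadcast address, which is the smurf pattern this section warns about. The flow line format, the addresses, the subnets and the non-default port 1234 are assumptions made for the example.

```python
"""Audit flow records for wake-up packet policy violations and for the smurf
pattern (ICMP echo requests to a subnet-directed broadcast address).
Added example: the flow line format, addresses, subnets and the non-default
wake-up port 1234 are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

DEFAULT_WOL_PORT = 9      # used by Configuration Manager unless another port is chosen
ICMP_ECHO_REQUEST = 8     # ICMP type carried in the dport column for icmp flows


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "udp" or "icmp"
    dport: int    # UDP destination port, or ICMP type for icmp flows


def directed_broadcasts(subnets):
    """Directed broadcast addresses of the managed IPv4 subnets."""
    return {str(ipaddress.ip_network(s, strict=False).broadcast_address)
            for s in subnets}


def parse_flows(text):
    """Parse constructed flow lines of the form: src dst proto dport."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def audit_wol_flows(flows, site_server, wol_port, subnets):
    """Return (finding, flow) pairs for traffic to a directed broadcast address.

    Policy taken from the text: subnet-directed broadcast wake-up packets should
    come only from the site server, on the UDP port you configured for the site.
      wol_unexpected_source   UDP on the configured or default wake-up port from
                              a host other than the site server
      wol_unexpected_port     the site server still sends on a wake-up port other
                              than the configured one (for example, default port 9)
      icmp_echo_to_broadcast  ICMP echo request to a directed broadcast address,
                              the smurf amplification pattern
    Unicast traffic and unrelated broadcast ports are not reported.
    """
    bcast = directed_broadcasts(subnets)
    wol_ports = {wol_port, DEFAULT_WOL_PORT}
    findings = []
    for f in flows:
        if f.dst not in bcast:
            continue
        if f.proto == "icmp" and f.dport == ICMP_ECHO_REQUEST:
            findings.append(("icmp_echo_to_broadcast", f))
        elif f.proto == "udp" and f.dport in wol_ports:
            if f.src != site_server:
                findings.append(("wol_unexpected_source", f))
            elif f.dport != wol_port:
                findings.append(("wol_unexpected_port", f))
    return findings


# Constructed sample flows: 10.0.0.5 is the site server, 1234 the configured port.
SAMPLE_FLOWS = """
10.0.0.5      10.0.1.255  udp   1234
10.0.0.5      10.0.1.255  udp   9
10.0.9.77     10.0.1.255  udp   1234
10.0.0.5      10.0.1.20   udp   1234
198.51.100.7  10.0.2.255  icmp  8
10.0.0.5      10.0.2.255  udp   137
"""
SITE_SERVER = "10.0.0.5"
WOL_PORT = 1234
SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]


def example_findings():
    """Run the audit over the constructed sample above."""
    return audit_wol_flows(parse_flows(SAMPLE_FLOWS), SITE_SERVER, WOL_PORT, SUBNETS)


if __name__ == "__main__":
    for kind, flow in example_findings():
        print(f"{kind:24} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```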
For Traditional Wake-up Packets: Choose Between Unicast and Subnet-Directed Broadcast for Wake-on-LAN
If you choose to wake up computers by sending traditional wake-up packets, you must decide whether to transmit unicast packets or subnet-directed broadcast packets. Use the following table to help you determine which transmission method to choose.

Transmission method: Unicast
Advantages:
• More secure solution than subnet-directed broadcasts because the packet is sent directly to a computer instead of to all computers on a subnet.
• Might not require reconfiguration of routers (you might have to configure the ARP cache).
• Consumes less network bandwidth than subnet-directed broadcast transmissions.
• Supported with IPv4 and IPv6.
Disadvantages:
• Wake-up packets do not find destination computers that have changed their subnet address after the last hardware inventory schedule.
• Switches might have to be configured to forward UDP packets.
• Some network adapters might not respond to wake-up packets in all sleep states when they use unicast as the transmission method.

Transmission method: Subnet-directed broadcast
Advantages:
• Higher success rate than unicast if you have computers that frequently change their IP address in the same subnet.
• No switch reconfiguration is required.
• High compatibility rate with computer adapters for all sleep states, because subnet-directed broadcasts were the original transmission method for sending wake-up packets.
Disadvantages:
• Less secure solution than using unicast because an attacker could send continuous streams of ICMP echo requests from a falsified source address to the directed broadcast address. This causes all of the hosts to reply to that source address. If routers are configured to allow subnet-directed broadcasts, the following additional configuration is recommended for security reasons:
   • Configure routers to allow only IP-directed broadcasts from the Configuration Manager site server, by using a specified UDP port number.
   • Configure Configuration Manager to use the specified non-default port number.
• Might require reconfiguration of all intervening routers to enable subnet-directed broadcasts.
• Consumes more network bandwidth than unicast transmissions.
• Supported with IPv4 only; IPv6 is not supported.

Warning: There are security risks associated with subnet-directed broadcasts. An attacker could send continuous streams of Internet Control Message Protocol (ICMP) echo requests from a falsified source address to the directed broadcast address, which causes all the hosts to reply to that source address. This type of denial of service attack is commonly called a smurf attack and is typically mitigated by not enabling subnet-directed broadcasts.

Planning for Communications Across Forests in Configuration Manager
System Center 2012 Configuration Manager supports sites and hierarchies that span Active Directory forests. Configuration Manager also supports domain computers that are not in the same Active Directory forest as the site server, and computers that are in workgroups:
• To support domain computers in a forest that is not trusted by your site server's forest, you can install site system roles in that untrusted forest, with the option to publish site information to the client's Active Directory forest. Or, you can manage these computers as if they are workgroup computers. When you install site system servers in the client's forest, the client-to-server communication is kept within the client's forest and Configuration Manager can authenticate the computer by using Kerberos. When you publish site information to the client's forest, clients benefit from retrieving site information, such as a list of available management points, from their Active Directory forest rather than downloading this information from their assigned management point.
   Note: If you want to manage devices that are on the Internet, you can install Internet-based site system roles in your perimeter network when the site system servers are in an Active Directory forest. This scenario does not require a two-way trust between the perimeter network and the site server's forest.
• To support computers in a workgroup, you must manually approve these computers if they use HTTP client connections to site system roles, because Configuration Manager cannot authenticate these computers by using Kerberos. In addition, you must configure the Network Access Account so that these computers can retrieve content from distribution points. Because these clients cannot retrieve site information from Active Directory Domain Services, you must provide an alternative mechanism for them to find management points. You can use DNS publishing, or WINS, or directly assign a management point.
   For information about client approval and how clients find management points, see the Planning for Client Communication in Configuration Manager section in this topic. For information about how to configure the Network Access Account, see the Configure the Network Access Account section in the Configuring Content Management in Configuration Manager topic. For information about how to install clients on workgroup computers, see the How to Install Configuration Manager Clients on Workgroup Computers section in the How to Install Clients on Computers in Configuration Manager topic.
Configuration Manager supports the Exchange Server connector in a different forest from the site server. To support this scenario, ensure that name resolution works across the forests (for example, configure DNS forwarders), and specify the intranet FQDN of the Exchange Server when you configure the Exchange Server connector. For more information, see How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager.
When your Configuration Manager design spans multiple Active Directory domains and forests, use the additional information in the following table to help you plan for the following types of communication.

Scenario: Communication between sites in a hierarchy that spans forests
• Requires a two-way forest trust, which supports the Kerberos authentication that Configuration Manager requires.
Details:
Configuration Manager supports installing a child site in a remote forest that has the required two-way trust with the forest of the parent site. For example, you can place a secondary site in a different forest from its primary parent site so long as the required trust exists. If you do not have a two-way forest trust that supports Kerberos authentication, then Configuration Manager does not support the child site in the remote forest.
Note: A child site can be a primary site (where the central administration site is the parent site) or a secondary site.
Intersite communication in Configuration Manager uses database replication and file-based transfers. When you install a site, you must specify an account to install the site on the designated server. This account also establishes and maintains communication between sites. After the site successfully installs and initiates file-based transfers and database replication, you do not have to configure anything else for communication to the site. For more information about how to install a site, see the Install a Site Server section in the Install Sites and Create a Hierarchy for Configuration Manager topic.
More information:
When a two-way forest trust exists, Configuration Manager does not require any additional configuration steps. By default, when you install a new site as a child of another site, Configuration Manager configures the following:
• An intersite file-based replication address at each site that uses the site server computer account. Configuration Manager adds the computer account of each computer to the SMS_SiteToSiteConnection_<sitecode> group on the destination computer.
• Database replication between the SQL Server at each site.
The following configurations must also be set:
• Intervening firewalls and network devices must allow the network packets that Configuration Manager requires.
• Name resolution must work between the forests.
• To install a site or site system role, you must specify an account that has local administrator permissions on the specified computer.

Scenario: Communication in a site that spans forests
• Does not require a two-way forest trust.
More information:
The management point and enrollment point site system roles connect to the site database. By default, when these site system roles are installed, Configuration Manager configures the computer account of the new site system server as the connection account and adds the account to the appropriate SQL Server database role. When you install these site system roles in an untrusted domain, you must configure the site system role connection account to enable the site system role to obtain information from the database. If you configure a domain user account for these connection accounts, ensure that the account has appropriate access to the SQL Server database at that site:
• Management point: Management Point Database Connection Account
• Enrollment point: Enrollment Point Connection Account
Consider the following additional information when you plan for site system roles in other forests:
• If you run a Windows Firewall, configure the applicable firewall profiles to pass communications between the site database server and computers that are installed with remote site system roles. For information about firewall profiles, see Understanding Firewall Profiles.
• When the Internet-based management point trusts the forest that contains the user accounts, user policies are supported.
Details:
To support clients, primary sites support the installation of each site system role on computers in other forests.
Note: Two exceptions are the out of band service point and the Application Catalog web service point. Each must be installed in the same forest as the site server.
When the site system role accepts connections from the Internet, as a security best practice, install these site system roles in an untrusted forest (for example, in a perimeter network) so that the forest boundary provides protection for the site server. When you specify a computer to be a site system server, you must specify the Site System Installation Account. This account must have local administrative credentials to connect to, and then install site system roles on, the specified computer. When you install a site system role in an untrusted forest, you must select the site system option Require the site server to initiate connections to this site system. This configuration enables the site server to establish connections to the site system server to transfer data. This prevents the site system server that is in the untrusted location from initiating contact with the site server that is inside
When no trust exists, only computer policies are supported.
  • 363. 363 Scenario Details More information your trusted network. These connections use the Site System Installation Account that you use to install the site system server. Communication between clients and site system roles when the clients are not in the same Active Directory forest as their site server. Configuration Manager supports the following scenarios for clients that are not in the same forest as their site’s site server:  There is a two-way forest trust between the forest of the client and the forest of the site server  The site system role server is located in the same forest as the client  The client is on a domain computer that does not have a two- way forest trust with the site server and site system roles are not installed in the client's forest  The client is on a workgroup computer Note Configuration Manager cannot manage AMT- based computers out of band when these computers are in a different forest from the site server. Clients on a domain computer can use Active Directory Domain Services for service location when their site is published to their Active Directory Forest. To publish site information to another Active Directory forest, you must first specify the forest and then enable publishing to that forest in the Active Directory Forests node of the Administration workspace. Additionally, you must enable each site to publish its data to Active Directory Domain Services. This configuration enables clients in that forest to retrieve site information and find management points. For clients that cannot use Active Directory Domain Services for service location, you can use DNS, WINS, or the client’s assigned management point.
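The placement rules in the multi-forest table above can be checked against a planned design before anything is installed. The following is an added example and is not Configuration Manager code: it encodes the rules that a child site in another forest needs a two-way trust, that the out of band service point and the Application Catalog web service point stay in the site server's forest, that a role in an untrusted forest must have the "Require the site server to initiate connections to this site system" option selected, and that a management point or enrollment point in an untrusted forest needs an explicitly configured database connection account. The Plan and SiteSystem structures, the forest names and the sample plan are constructed for this example, and trust is modelled per forest rather than per domain.

```python
"""Planning check for site system roles and child sites placed in other forests.

Added example, not Configuration Manager code. The rules come from the
multi-forest planning table; the data structures, forest names and the
sample plan are constructed. Trust is modelled at the forest level.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Roles that must be installed in the same forest as the site server.
SAME_FOREST_ONLY = {"Out of band service point", "Application Catalog web service point"}
# Roles that connect to the site database and need a connection account in an untrusted forest.
DB_CONNECTING_ROLES = {"Management point", "Enrollment point"}


@dataclass
class SiteSystem:
    server: str
    role: str
    forest: str
    # The site system option "Require the site server to initiate connections to this site system".
    site_server_initiates: bool = False
    # Domain account used as the role's database connection account (management/enrollment point).
    db_connection_account: Optional[str] = None


@dataclass
class Plan:
    site_server_forest: str
    trusted_forests: Set[str]                                   # two-way trusts with the site server's forest
    site_systems: List[SiteSystem] = field(default_factory=list)
    child_sites: Dict[str, str] = field(default_factory=dict)   # site code -> forest


def is_untrusted(plan: Plan, forest: str) -> bool:
    """A forest is untrusted unless it is the site server's own forest or has a two-way trust."""
    return forest != plan.site_server_forest and forest not in plan.trusted_forests


def validate_plan(plan: Plan) -> List[str]:
    """Return one finding per violated rule; an empty list means the plan is consistent."""
    findings: List[str] = []
    for code, forest in plan.child_sites.items():
        if is_untrusted(plan, forest):
            findings.append(f"child site {code}: no two-way forest trust with {forest}; "
                            "a child site in that forest is not supported")
    for s in plan.site_systems:
        untrusted = is_untrusted(plan, s.forest)
        if s.role in SAME_FOREST_ONLY and s.forest != plan.site_server_forest:
            findings.append(f"{s.server}: {s.role} must be in the site server's forest "
                            f"({plan.site_server_forest}), not {s.forest}")
        if untrusted and not s.site_server_initiates:
            findings.append(f"{s.server}: in untrusted forest {s.forest}; select "
                            "'Require the site server to initiate connections to this site system'")
        if untrusted and s.role in DB_CONNECTING_ROLES and not s.db_connection_account:
            findings.append(f"{s.server}: {s.role} in untrusted forest {s.forest} needs a "
                            "configured database connection account")
    return findings


# Constructed sample plan: corp.example hosts the site server, partner.example has a
# two-way trust with it, and dmz.example is an untrusted perimeter forest.
SAMPLE_PLAN = Plan(
    site_server_forest="corp.example",
    trusted_forests={"partner.example"},
    site_systems=[
        SiteSystem("MP01", "Management point", "dmz.example", True, r"DMZ\svc_mpdb"),
        SiteSystem("MP02", "Management point", "dmz.example"),
        SiteSystem("OOB01", "Out of band service point", "partner.example"),
        SiteSystem("DP01", "Distribution point", "partner.example"),
    ],
    child_sites={"S01": "partner.example", "S02": "dmz.example"},
)

if __name__ == "__main__":
    for finding in validate_plan(SAMPLE_PLAN):
        print(finding)
```

Running the sample plan reports four findings: the child site in the untrusted forest, two for MP02 (no site-server-initiated connections and no database connection account), and the out of band service point placed outside the site server's forest. MP01 and DP01 pass.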
Planning for Internet-Based Client Management

Internet-based client management lets you manage Configuration Manager clients when they are not connected to your company network but have a standard Internet connection. This arrangement has several advantages, including the reduced cost of not having to run virtual private networks (VPNs) and the ability to deploy software updates in a timelier manner.

Because of the higher security requirements of managing client computers on a public network, Internet-based client management requires that clients and the site system servers that the clients connect to use PKI certificates. This ensures that connections are authenticated by an independent authority, and that data to and from these site systems is encrypted by using Secure Sockets Layer (SSL).

Use the following sections to help you plan for Internet-based client management.

Features that Are Not Supported on the Internet

Not all client management functionality is appropriate for the Internet; therefore, some features are not supported when clients are managed on the Internet. The features that are not supported for Internet management typically rely on Active Directory Domain Services or are not appropriate for a public network, such as network discovery and Wake-on-LAN (WOL).

The following features are not supported when clients are managed on the Internet:
• Client deployment over the Internet, such as client push and software update-based client deployment. Instead, use manual client installation.
• Auto-site assignment.
• Network Access Protection (NAP).
• Wake-on-LAN.
• Operating system deployment. However, you can deploy task sequences that do not deploy an operating system; for example, task sequences that run scripts and maintenance tasks on clients.
• Remote control.
• Out of band management.
• Software deployment to users, unless the Internet-based management point can authenticate the user in Active Directory Domain Services by using Windows authentication (Kerberos or NTLM). This is possible when the Internet-based management point trusts the forest where the user account resides.

Additionally, Internet-based client management does not support roaming. Roaming enables clients to always find the closest distribution points to download content. Clients that are managed on the Internet communicate with site systems from their assigned site when these site systems are configured to use an Internet FQDN and the site system roles allow client connections from the Internet. Clients non-deterministically select one of the Internet-based site systems, regardless of bandwidth or physical location.

Note: New in System Center 2012 Configuration Manager, when you have a software update point that is configured to accept connections from the Internet, Internet-based clients on the Internet always scan against this software update point to determine which software updates are required. However, when these clients are on the Internet, they first try to download the software updates from Microsoft Update rather than from an Internet-based distribution point. Only if this fails will they then try to download the required software updates from an Internet-based distribution point. Clients that are not configured for Internet-based client management never try to download software updates from Microsoft Update, but always use Configuration Manager distribution points.

Planning for Internet-Based Site Systems

The following site system roles in a primary site support client connections from the Internet:
• Management point
• Distribution point
• Fallback status point
• Software update point (with and without a network load balancing cluster)
• Application Catalog website point
• Enrollment proxy point

All site systems must reside in an Active Directory domain. However, you can install site systems for Internet-based client management in an untrusted forest. This scenario might be appropriate for a perimeter network that requires high security. Although there is no requirement to have a trust between the two forests, when the forest that contains the Internet-based site systems trusts the forest that contains the user accounts, this configuration supports user-based policies for devices on the Internet when you enable the Client Policy client setting Enable user policy requests from Internet clients.

For example, the following configurations illustrate when Internet-based client management supports user policies for devices on the Internet:
• The Internet-based management point is in the perimeter network, where a read-only domain controller resides to authenticate the user, and an intervening firewall allows Active Directory packets.
• The user account is in Forest A (the intranet) and the Internet-based management point is in Forest B (the perimeter network). Forest B trusts Forest A, and an intervening firewall allows the authentication packets.
• The user account and the Internet-based management point are in Forest A (the intranet). The management point is published to the Internet by using a web proxy server.

Note: If Kerberos authentication fails, NTLM authentication is then automatically tried.

As the previous example shows, you can place Internet-based site systems in the intranet when they are published to the Internet by using a web proxy server, such as ISA Server or Forefront Threat Management Gateway. These site systems can be configured for client connections from the Internet only, or for client connections from the Internet and the intranet. When you use a web proxy server, you can configure it for Secure Sockets Layer (SSL) bridging to SSL (more secure) or for SSL tunneling:
• SSL bridging to SSL: The recommended configuration when you use proxy web servers for Internet-based client management is SSL bridging to SSL, which uses SSL termination with authentication. Client computers must be authenticated by using computer authentication, and mobile device legacy clients are authenticated by using user authentication. Mobile devices that are enrolled by Configuration Manager do not support SSL bridging. The benefit of SSL termination at the proxy web server is that packets from the Internet are subject to inspection before they are forwarded to the internal network. The proxy web server authenticates the connection from the client, terminates it, and then opens a new authenticated connection to the Internet-based site systems. When Configuration Manager clients use a proxy web server, the client identity (client GUID) is securely contained in the packet payload so that the management point does not consider the proxy web server to be the client. Bridging from HTTP to HTTPS, or from HTTPS to HTTP, is not supported in Configuration Manager.
• Tunneling: If your proxy web server cannot support the requirements for SSL bridging, or you want to configure Internet support for mobile devices that are enrolled by Configuration Manager, SSL tunneling is also supported. It is a less secure option because the SSL packets from the Internet are forwarded to the site systems without SSL termination, so they cannot be inspected for malicious content. When you use SSL tunneling, there are no certificate requirements for the proxy web server.

Planning for Internet-Based Clients

You must decide whether the client computers that will be managed over the Internet will be configured for management on the intranet and the Internet, or for Internet-only client management. You can only configure the client management option during the installation of a client computer. If you change your mind later, you must reinstall the client.

You do not have to restrict the configuration of Internet-only client management to the Internet; you can also use it on the intranet. Clients that are configured for Internet-only client management only communicate with the site systems that are configured for client connections from the Internet. This configuration would be appropriate for computers that you know never connect to your company intranet, for example, point of sale computers in remote locations. It might also be appropriate when you want to restrict client communication to HTTPS only (for example, to support firewall and restricted security policies), and when you install Internet-based site systems in a perimeter network and you want to manage these servers by using the Configuration Manager client.

When you want to manage workgroup clients on the Internet, you must install them as Internet-only.
Tip: Mobile device clients are automatically configured as Internet-only when they are configured to use an Internet-based management point.

Other client computers can be configured for Internet and intranet client management. They can automatically switch between Internet-based client management and intranet client management when they detect a change of network. If these clients can find and connect to a management point that is configured for client connections on the intranet, they are managed as intranet clients that have full Configuration Manager management functionality. If the clients cannot find or connect to a management point that is configured for client connections on the intranet, they attempt to connect to an Internet-based management point, and if this is successful, they are then managed by the Internet-based site systems in their assigned site.

The benefit of automatic switching between Internet-based client management and intranet client management is that client computers can automatically use all Configuration Manager features whenever they are connected to the intranet, and continue to be managed for essential management functions when they are on the Internet. Additionally, a download that began on the Internet can seamlessly resume on the intranet, and vice versa.

Prerequisites for Internet-Based Client Management

Internet-based client management in Configuration Manager has the following external dependencies:

Dependency: Clients that will be managed on the Internet must have an Internet connection.
More information: Configuration Manager uses existing Internet Service Provider (ISP) connections to the Internet, which can be either permanent or temporary connections. Client mobile devices must have a direct Internet connection, but client computers can have either a direct Internet connection or connect by using a proxy web server.

Dependency: Site systems that support Internet-based client management must have connectivity to the Internet and must be in an Active Directory domain.
More information: The Internet-based site systems do not require a trust relationship with the Active Directory forest of the site server. However, when the Internet-based management point can authenticate the user by using Windows authentication, user policies are supported. If Windows authentication fails, only computer policies are supported.
Note: To support user policies, you must also set the following two Client Policy client settings to True:
• Enable user policy polling on clients
• Enable user policy requests from Internet clients
Note: An Internet-based Application Catalog website point also requires Windows authentication to authenticate users when their computer is on the Internet. This requirement is independent from user policies.

Dependency: You must have a supporting public key infrastructure (PKI) that can deploy and manage the certificates that are required by the clients that are managed on the Internet and by the Internet-based site system servers.
More information: For more information about the PKI certificates, see PKI Certificate Requirements for Configuration Manager.

Dependency: The following infrastructure services must be configured to support Internet-based client management:
• Public DNS servers: The Internet fully qualified domain name (FQDN) of site systems that support Internet-based client management must be registered as host entries on public DNS servers.
• Intervening firewalls or proxy servers: These network devices must allow the client communication that is associated with Internet-based site systems.
More information: Client communication requirements:
• Support HTTP 1.1.
• Allow the HTTP content type of multipart MIME attachment (multipart/mixed and application/octet-stream).
• Allow the following verbs for the Internet-based management point: HEAD, CCM_POST, BITS_POST, GET, PROPFIND.
• Allow the following verbs for the Internet-based distribution point: HEAD, GET, PROPFIND.
• Allow the following verb for the Internet-based fallback status point: POST.
• Allow the following verbs for the Internet-based Application Catalog website point: POST, GET.
• Allow the following HTTP headers for the Internet-based management point: Range:, CCMClientID:, CCMClientIDSignature:, CCMClientTimestamp:, CCMClientTimestampsSignature:.
• Allow the following HTTP header for the Internet-based distribution point: Range:.
For configuration information to support these requirements, refer to your firewall or proxy server documentation. For similar communication requirements when you use the software update point for client connections from the Internet, see the documentation for Windows Server Update Services (WSUS). For example, for WSUS on Windows Server 2003, see Appendix D: Security Settings, the deployment appendix for security settings.

Planning for Network Bandwidth in Configuration Manager

System Center 2012 Configuration Manager offers several methods to control the network bandwidth that is used by communications between sites, site system servers, and clients. However, not all communication on the network can be managed. Use the following sections to help you understand the methods that you can use to control network bandwidth and to design your site hierarchy.

When you design the hierarchy and address structure for Configuration Manager, consider the amount of network data that will be transferred from intersite and intrasite communications.

Note: Addresses in Configuration Manager are only used for intersite communications and are not used for intrasite communications between site servers and site systems.
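The verb, header and content-type requirements listed in the prerequisites table above for Internet-based site systems are an allowlist that a perimeter firewall or reverse-proxy policy has to honour. The following is an added example, not Configuration Manager or proxy-vendor code, that turns that list into a deny-by-default check a policy review can be run against: a request passes only if it uses HTTP/1.1, its verb is listed for the role, its Content-Type (when present) is one of the listed types, and every header that is not an ordinary HTTP header is listed for the role. The Request structure, the lowercase role keys, the GENERIC_HEADERS set and the sample requests are constructed for this example; the enrollment proxy point and software update point have no verb list on this page, so requests to them are reported as unknown roles rather than allowed.

```python
"""Deny-by-default request filter for Internet-facing Configuration Manager roles.

Added example, not Configuration Manager or proxy-vendor code. The per-role
verb and header allowances come from the prerequisites table; the Request
structure, GENERIC_HEADERS and the sample traffic are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

ALLOWED_VERBS: Dict[str, Set[str]] = {
    "management point": {"HEAD", "CCM_POST", "BITS_POST", "GET", "PROPFIND"},
    "distribution point": {"HEAD", "GET", "PROPFIND"},
    "fallback status point": {"POST"},
    "application catalog website point": {"POST", "GET"},
}

# Configuration Manager-specific headers that must pass, per role (compared case-insensitively).
ALLOWED_ROLE_HEADERS: Dict[str, Set[str]] = {
    "management point": {"range", "ccmclientid", "ccmclientidsignature",
                         "ccmclienttimestamp", "ccmclienttimestampssignature"},
    "distribution point": {"range"},
    "fallback status point": set(),
    "application catalog website point": set(),
}

# Ordinary HTTP/1.1 headers any proxy forwards; this set is an assumption, not from the page.
GENERIC_HEADERS = {"host", "content-type", "content-length", "user-agent",
                   "accept", "connection", "date"}

# Content types the table says must be allowed; treated here as the only ones permitted.
ALLOWED_CONTENT_TYPES = ("multipart/mixed", "application/octet-stream")


@dataclass
class Request:
    role: str
    verb: str
    headers: Dict[str, str] = field(default_factory=dict)
    http_version: str = "HTTP/1.1"


def check_request(req: Request) -> List[str]:
    """Return the reasons the request would be blocked; an empty list means it is allowed."""
    reasons: List[str] = []
    role = req.role.lower()
    if role not in ALLOWED_VERBS:
        return [f"unknown role {req.role!r}"]
    if req.http_version != "HTTP/1.1":
        reasons.append(f"{req.http_version} is not HTTP/1.1")
    if req.verb.upper() not in ALLOWED_VERBS[role]:
        reasons.append(f"verb {req.verb} is not allowed for the {role}")
    for name, value in req.headers.items():
        lname = name.lower()
        if lname == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()   # drop parameters such as boundary=
            if media_type not in ALLOWED_CONTENT_TYPES:
                reasons.append(f"content type {media_type} is not in the allowed list")
        elif lname not in GENERIC_HEADERS and lname not in ALLOWED_ROLE_HEADERS[role]:
            reasons.append(f"header {name} is not allowed for the {role}")
    return reasons


def summarize(requests: List[Request]) -> List[bool]:
    """True for each request that passes the filter, in input order."""
    return [not check_request(r) for r in requests]


# Constructed sample traffic as a perimeter proxy would see it (host names are placeholders).
SAMPLE_REQUESTS = [
    Request("management point", "CCM_POST",
            {"Host": "mp.example.net", "Content-Type": "multipart/mixed; boundary=abc",
             "CCMClientID": "GUID:00000000-0000-0000-0000-000000000001",
             "CCMClientIDSignature": "<constructed signature>"}),
    Request("distribution point", "GET", {"Host": "dp.example.net", "Range": "bytes=0-1023"}),
    Request("distribution point", "CCM_POST", {"Host": "dp.example.net"}),
    Request("fallback status point", "GET", {"Host": "fsp.example.net"}),
    Request("management point", "GET", {"Host": "mp.example.net", "X-Custom-Trace": "on"}),
    Request("management point", "BITS_POST", {"Host": "mp.example.net"}, http_version="HTTP/1.0"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        verdict = check_request(r)
        print(f"{r.role:34} {r.verb:9} -> {'allow' if not verdict else '; '.join(verdict)}")
```

The first two sample requests pass; the other four are blocked for, in order, a verb the distribution point does not use, a verb the fallback status point does not use, an unlisted header on the management point, and an HTTP version other than 1.1. The GENERIC_HEADERS set is the part a reviewer should adjust to the headers their own proxy actually adds.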
Controlling Network Bandwidth Usage Between Sites

During file-based data transfers, Configuration Manager uses all of the available network bandwidth when it sends data between sites. You can control this process by configuring the sender that the address uses to increase or decrease site-to-site sending threads. A sending thread is used to transfer one file at a time. Each additional thread can cause additional files to be transferred at the same time, which results in larger bandwidth use. To configure the number of threads to use for site-to-site transfers, configure the Maximum concurrent sendings on the Sender tab of the site's properties.

To control network bandwidth usage between sites, schedule when Configuration Manager can use an address to a specific site. You can control the amount of network bandwidth to use, the size of data blocks, and the frequency for sending the data blocks. Additional configurations can limit data transfers based on the priority of the data type. For each site in the hierarchy, you can set schedules and rate limits for that site to use when transferring data by configuring the properties of the Address for each destination site.

Important: When you configure rate limits to restrict the bandwidth use on a specific address, Configuration Manager can only use a single thread to transfer data to that destination site. Use of rate limits for an address overrides the use of multiple threads per site that are configured in the Maximum concurrent sendings.

When you configure network bandwidth controls, you should also remain aware of the potential for data latency. If site communications have been throttled or configured to only transfer data after regular business hours, administrators at either the parent site or child site might not be able to view certain data until the intersite communication has occurred. For example, if an important software update package is being sent to distribution points that are located at child sites, the package might not be available at those sites until all pending intersite communication is completed. Pending communication might include delivery of a package that is very large and that has not yet completed its transfer.

For more settings for Addresses and Senders, see the sub-section Addresses and Senders in the Planning for Intersite Communications in Configuration Manager section earlier in this topic.

Controlling Network Bandwidth Usage Between Site System Servers

Within a site, communication between site systems uses server message blocks (SMB), can occur at any time, and does not support a mechanism to control network bandwidth. However, when you configure the site server to use rate limits and schedules to control the transfer of data over the network to a distribution point, you can manage the transfer of content from the site server to distribution points with controls similar to those for site-to-site file-based transfers.

Controlling Network Bandwidth Usage Between Clients and Site System Servers

Clients regularly communicate with different site system servers. For example, they communicate with a site system server that runs a management point when they have to check for a client policy, and with a site system server that runs a distribution point when they have to download content to install an application or software update. The frequency of these connections and the amount of data that is transferred over the network to or from a client depend on the schedules and configurations that you specify as client settings.

Typically, client policy requests use low network bandwidth. The network bandwidth might be high when clients access content for deployments or send information such as hardware inventory data to the site. You can specify client settings that control the frequency of client-initiated network communications. Additionally, you can configure how clients access deployment content, for example, by using Background Intelligent Transfer Service (BITS). To use BITS to download content, the client and the distribution point must be configured to use BITS. If the client is configured to use BITS, but the distribution point is not, the client uses SMB to transfer the content.

For information about client settings in Configuration Manager, see Planning for Client Settings in Configuration Manager.

See Also

Planning for Configuration Manager Sites and Hierarchy

Planning for Site Operations in Configuration Manager

Use the information in the following sections to help you plan for site operations.
• Planning for Backup and Recovery
• Planning for Client Management
• Planning for Maintenance Tasks for Configuration Manager
• Planning for Alerts

Planning for Backup and Recovery

Enterprise solutions such as Configuration Manager must prepare for loss of critical data by planning for both backup and recovery operations. For Configuration Manager sites, this preparation ensures that sites and hierarchies are recovered with the least data loss and in the quickest possible time.
  • 372. 372 A Configuration Manager site contains a large amount of data, which is mostly stored in the site database. To ensure that you are correctly backing up your sites, schedule the Backup Site Server maintenance task for the central administration site and each primary site in your hierarchy. The Backup Site Server maintenance task creates a complete backup snapshot of your site and contains all the data necessary to perform recovery operations. You can also use your own method for backing up the site database. For example, you can create a site database backup as part of a SQL Server maintenance plan. Depending on your Configuration Manager hierarchy, the requirement to back up a site to avoid data loss varies. For example, consider the following scenarios:  Central administration site with child primary sites: When you have a Configuration Manager hierarchy, the site can likely be recovered even when you do not have a site backup. Because database replication is used in the hierarchy, the data required for recovery can be retrieved from another site in the hierarchy. The benefit of restoring a site by using a backup is that only changes to the data since the last backup have to be retrieved from another site, which reduces the amount of data transferred over your network.  Stand-alone primary site: When you have a stand-alone primary site (no central administration site), you must have a Configuration Manager backup to avoid data loss.  Secondary sites: There is no backup and recovery support for secondary sites. You must reinstall the secondary site when it fails. For more information about how to configure site backup or recover a site, see Backup and Recovery in Configuration Manager. What’s New in Backup and Recovery The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. 
The following table lists features that are new or that have changed for backup and recovery since Configuration Manager 2007. Feature Description Recovery integrated with System Center 2012 Configuration Manager Setup Configuration Manager 2007 used the Site Repair Wizard to recover sites. In System Center 2012 Configuration Manager, recovery is integrated in the Configuration Manager Setup Wizard. Support for multiple recovery options You have the following options when running recovery in System Center 2012 Configuration Manager: Site Server  Recover the site server from a backup. Note
  • 373. 373 Feature Description  Reinstall the site server. Site Database  Recover the site database from a backup.  Create a new site database.  Use a site database that been manually recovered.  Skip database recovery. Recovery uses data replication to minimize data loss System Center 2012 Configuration Manager database replication uses SQL Server to transfer data and merge changes made to .the database of a site with the information stored in the database at other sites in the hierarchy. This enables all sites to share the same information. Recovery in System Center 2012 Configuration Manager uses database replication to retrieve global data that the failed site created before it failed. This process minimizes data loss even when no backup is available. Recovery by using a Setup script You can start an unattended site recovery by configuring an unattended installation script and then using the Setup command /script option. Volume Shadow Copy Service The Backup Site Server maintenance task uses the Volume Shadow copy Service (VSS) to create the backup snapshot. VSS is essentially a framework which facilitates communication between applications, storage subsystems, and storage management applications (including backup applications) to define point-in-time copies of storage data. These point-in-time copies, or shadow copies, of site server and site database information are used to back up and restore Configuration Manager sites. By using VSS shadow copies, the Backup Site Server maintenance task can minimize off-line times for site servers. VSS must be running for the Backup Site Server maintenance task to finish successfully. What Gets Backed Up The Backup Site Server maintenance task includes the following information in the backup set:
  • 374. 374  The Configuration Manager site database files The Backup Site Server maintenance task does not support configuring an NTFS file system junction point to store the site database files.  The following Configuration Manager installation folders:  <ConfigMgrInstallationPath>bin  <ConfigMgrInstallationPath>inboxes  <ConfigMgrInstallationPath>Logs  <ConfigMgrInstallationPath>Data  <ConfigMgrInstallationPath>srvacct  The ..HKEY_LOCAL_MACHINESoftwareMicrosoftSMS registry key. What Does Not Get Backed Up The Backup Site Server maintenance task creates a backup set that includes everything you need to restore your site server to a functional state. There are some Configuration Manager items not included in the site backup that you might want to back up outside of the normal process. The following sections provide information about items not backed up as part of the backup task. For more information about supplemental backup tasks, see the Supplemental Backup Tasks section in the Backup and Recovery in Configuration Manager topic. Configuration Manager Site Systems Some Configuration Manager site systems contain site data that is easily recreated if the site fails and are not backed up during the site backup process. For example, you do not have to backup data from site systems such as distribution points and management points. The site server can easily reinstall these site systems if they fail. Custom Reporting Services Reports When you create custom Configuration Manager reports in SQL Server Reporting Services, there are several items on the Reporting Services server that you must add to your backup set to recover the reports in the event of a failure on the server running Reporting Services. Content Files The content library in Configuration Manager is the location where all content files are stored for software updates, applications, operating system deployment, and so on. 
The content library is located on the site server and each distribution point. The Backup Site Server maintenance task does not include a backup of the content library or the package source files. When a site server Note Warning
  • 375. 375 fails, the information about the content library files is restored to the site database, but you must restore the content library and package source files on the site server. SQL Server Master Database You do not have to back up the SQL Server master database. The Backup Site Server maintenance task backs up all of the required information for restoring the site database to SQL Server as part of the backup process. The original SQL Server master database is not required for restoring the site database on a new server that is hosting the SQL Server database. Configuration Manager Log Files The Backup Site Server maintenance task backs up logs located in the <ConfigMgrInstallationPath>Logs folder, but some System Center 2012 Configuration Manager site systems write logs in other locations and are not backed up by the Backup Site Server maintenance task. Plan an alternative method to back up these log files, if it is required. Configuration Manager Clients System Center 2012 Configuration Manager clients are not backed up as part of the site backup process for the following reasons:  To correctly back up a Configuration Manager client, the client services must be stopped. However, there is no reliable way to stop and start the client services. Stopping and starting the client services can potentially corrupt the data on the hard disk of the client or in the backup snapshot.  Clients are too numerous. It is neither practical nor beneficial to back up and restore the clients assigned to a site.  The effect of losing client data is relatively small. System Center Updates Publisher When you use System Center Updates Publisher to create custom software updates, the updates are stored in the Updates Publisher database. Though many of these custom software updates might have been published to Windows Server Update Services, you typically want to have a backup of the Updates Publisher database that contains the source for the custom updates. 
Maintenance Mode Support
When the Backup Site Server maintenance task performs a site backup, critical site services must be stopped, including:
- SMS Executive service (SMS_Executive)
- SMS Site Component Manager service (SMS_Site_Component_Manager)

If the Configuration Manager site server or the site database server is monitored by the monitoring agent of System Center Operations Manager, the backup process might generate false service-stopped alerts when these critical Configuration Manager services are stopped for the backup. To avoid this problem, configure the entire backup process to be monitored as a single transaction that is managed by using Operations Manager maintenance mode state management.

Planning for Client Management
Use the following links to help you plan for client management:
- Planning for Hardware Inventory in Configuration Manager
- Prerequisites for Asset Intelligence in Configuration Manager
- Planning for Power Management in Configuration Manager
- Planning for Remote Control in Configuration Manager
- Planning for Software Metering in Configuration Manager
- Planning for Out of Band Management in Configuration Manager
- Planning for Compliance Settings in Configuration Manager
- Planning for Endpoint Protection in Configuration Manager
- Planning for Software Updates in Configuration Manager
- Planning How to Deploy Operating Systems in Configuration Manager

Planning for Maintenance Tasks for Configuration Manager
System Center 2012 Configuration Manager sites and hierarchies require regular maintenance and monitoring to provide services effectively and continuously. Regular maintenance ensures that the hardware, the software, and the Configuration Manager database continue to function correctly and efficiently. Optimal performance greatly reduces the risk of failure.

While your Configuration Manager site and hierarchy perform the tasks that you schedule and configure, site components continually add data to the Configuration Manager database. As the amount of data grows, database performance and the free storage space in the database decline. You can configure site maintenance tasks to remove aged data that you no longer require. Configuration Manager provides predefined maintenance tasks that you can use to maintain the health of the Configuration Manager database.
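The Maintenance Mode Support section above leaves the wiring to you. The following script is an added example (not from the Configuration Manager documentation) of one way to do it: it places the site server into Operations Manager maintenance mode, starts the Backup Site Server task on demand, waits for it to finish, confirms that the two critical services are running again, and only then ends the maintenance window. It assumes the Operations Manager 2012 PowerShell module, that starting the SMS_SITE_BACKUP service runs the backup immediately and that the service stops again when the backup completes, and that the backup restarts the services it stopped. The server names are placeholders.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Assumptions (not on the page): the Operations Manager 2012 module is installed
# where this runs; starting SMS_SITE_BACKUP runs the backup at once and the
# service exits when the backup finishes; the backup restarts the services it
# stopped. $SiteServer and $OpsMgrServer are placeholders.
param(
    [Parameter(Mandatory)][string]$SiteServer,    # e.g. cm01.corp.example.com (placeholder)
    [Parameter(Mandatory)][string]$OpsMgrServer,  # an Operations Manager management server (placeholder)
    [int]$MaxMinutes = 120                        # upper bound for the maintenance window
)

Import-Module OperationsManager -ErrorAction Stop
New-SCOMManagementGroupConnection -ComputerName $OpsMgrServer -ErrorAction Stop

# Locate the Windows Computer object that the agent on the site server reports as.
$computerClass = Get-SCOMClass -Name 'Microsoft.Windows.Computer'
$instance = Get-SCOMClassInstance -Class $computerClass | Where-Object { $_.DisplayName -eq $SiteServer }
if (-not $instance) { throw "No Operations Manager object found for $SiteServer" }

# Open the maintenance window before any service is stopped, so the stop raises no alert.
$end = (Get-Date).AddMinutes($MaxMinutes)
Start-SCOMMaintenanceMode -Instance $instance -EndTime $end -Reason PlannedOther `
    -Comment 'Configuration Manager Backup Site Server task'

$servicesUp = $false
try {
    # Start the backup. The task itself stops SMS_Executive and
    # SMS_Site_Component_Manager, runs the backup and restarts them.
    $backup = Get-Service -ComputerName $SiteServer -Name 'SMS_SITE_BACKUP' -ErrorAction Stop
    if ($backup.Status -ne 'Running') { $backup.Start() }

    # Wait until the backup service stops again (backup finished) or the window expires.
    do {
        Start-Sleep -Seconds 30
        $backup.Refresh()
    } while ($backup.Status -eq 'Running' -and (Get-Date) -lt $end)

    if ($backup.Status -eq 'Running') {
        Write-Warning "Backup still running after $MaxMinutes minutes; leaving maintenance mode to expire on its own."
    }
    else {
        # The critical services must be back before monitoring resumes, or the
        # first thing Operations Manager sees is a stopped service.
        $servicesUp = $true
        foreach ($name in 'SMS_Executive', 'SMS_Site_Component_Manager') {
            $svc = Get-Service -ComputerName $SiteServer -Name $name
            if ($svc.Status -ne 'Running') {
                $servicesUp = $false
                Write-Warning "$name is $($svc.Status) after the backup; check smsbkup.log on $SiteServer."
            }
        }
    }
}
finally {
    # End the window early only when the site is healthy again; otherwise keep it
    # open so the operator sees the warning above instead of a flood of alerts.
    if ($servicesUp) {
        $entry = Get-SCOMMaintenanceMode -Instance $instance
        if ($entry) { Set-SCOMMaintenanceMode -MaintenanceModeEntry $entry -EndTime (Get-Date) }
    }
}
```

Run it as an account that can administer services on the site server and that has an Operations Manager operator role; if the site database is on a separate server that is also monitored, apply the same window to that computer object.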
Not all maintenance tasks are available at every site. By default, several are enabled and some are not, and every task has a schedule that you can configure to control when it runs. Most maintenance tasks periodically remove out-of-date data from the Configuration Manager database. Reducing the size of the database by removing unnecessary data improves the performance and the integrity of the database, which increases the efficiency of the site and the hierarchy. Other tasks, such as Rebuild Indexes, help maintain the efficiency of the database, and some, such as the Backup Site Server task, help you prepare for disaster recovery.

Important
When you plan the schedule of any task that deletes data, consider how that data is used across the hierarchy. When a task that deletes data runs at a site, the information is removed from the Configuration Manager database, and this change replicates to all sites in the hierarchy. This can affect other tasks that rely on that data. For example, at the central administration site you might configure Discovery to run once per month to identify computers that do not have the client, and plan to install the Configuration Manager client on those computers within two weeks of their discovery. However, at one site in the hierarchy, an administrator configures the Delete Aged Discovery Data task to run every seven days and to delete discovery data that is seven days or older, with the result that seven days after the computers are discovered, they are deleted from the Configuration Manager database. Back at the central administration site, you prepare to client push install the Configuration Manager client to these new computers on day 10. However, because the Delete Aged Discovery Data task has recently run and deleted data that is seven days or older, the recently discovered computers are no longer in the database.

After you install a Configuration Manager site, review the available maintenance tasks and enable those that your operations require. Review the default schedule of each task and, when necessary, modify it to fit your hierarchy and environment. Although the default schedule of each task should suit most environments, monitor the performance of your sites and database and expect to fine-tune tasks to increase the efficiency of your deployment. Plan to review site and database performance periodically and to reconfigure maintenance tasks and their schedules to maintain that efficiency.

When to Perform Common Maintenance Tasks
To maintain your site, consider performing regular maintenance on a daily, weekly, and, for some tasks, a more periodic schedule.
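The scenario in the Important note above is easy to miss because the task that causes it is configured at a different site from the one that notices the loss. The following script is an added example (not from the Configuration Manager documentation) of a periodic review that lists every maintenance task at every site in the hierarchy with its schedule and retention, and warns when Delete Aged Discovery Data at any site keeps records for fewer days than you need to act on them. It assumes that the SMS Provider exposes maintenance tasks as the SMS_SCI_SQLTask class in root\sms\site_<code>, that querying the central administration site's provider returns the tasks of every site tagged with their SiteCode, that DeleteOlderThan is the retention in days, and that DaysOfWeek is a bitmask with Sunday = 1 through Saturday = 64. The server name and site code are placeholders.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Assumptions (not on the page): maintenance tasks are SMS_SCI_SQLTask objects;
# the central administration site's provider returns tasks for all sites;
# DeleteOlderThan is days; DaysOfWeek bitmask is Sunday = 1 ... Saturday = 64.
param(
    [string]$ProviderServer = 'cm01.corp.example.com',   # SMS Provider for the central administration site (placeholder)
    [string]$SiteCode       = 'CAS',                     # placeholder
    [int]$DaysNeededToActOnDiscovery = 14                # your lead time between discovery and client push
)

$dayNames = 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'

function ConvertFrom-DaysOfWeekMask([int]$Mask) {
    # Decode the bitmask into day names, e.g. 65 -> "Sunday, Saturday".
    $days = for ($i = 0; $i -lt 7; $i++) { if ($Mask -band (1 -shl $i)) { $dayNames[$i] } }
    if ($days) { $days -join ', ' } else { '(none)' }
}

$tasks = Get-WmiObject -ComputerName $ProviderServer -Namespace "root\sms\site_$SiteCode" -Class SMS_SCI_SQLTask

# One row per site and task; sort by task so the same task at different sites sits together.
$report = $tasks | ForEach-Object {
    [pscustomobject]@{
        SiteCode  = $_.SiteCode
        Task      = $_.TaskName
        Enabled   = [bool]$_.Enabled
        Days      = ConvertFrom-DaysOfWeekMask $_.DaysOfWeek
        BeginTime = $_.BeginTime
        Retention = $_.DeleteOlderThan   # days; empty or 0 for tasks that do not delete by age
    }
} | Sort-Object Task, SiteCode
$report | Format-Table -AutoSize

# The hazard from the Important note: this task runs at one site but the deletion
# replicates to every site, so the shortest retention anywhere wins.
$report |
    Where-Object { $_.Task -eq 'Delete Aged Discovery Data' -and $_.Enabled -and
                   [int]$_.Retention -lt $DaysNeededToActOnDiscovery } |
    ForEach-Object {
        Write-Warning ("Site {0} deletes discovery data older than {1} days, but you planned {2} days to act on it; " +
                       "newly discovered computers will vanish from the whole hierarchy first." -f
                       $_.SiteCode, $_.Retention, $DaysNeededToActOnDiscovery)
    }
```

Record the report in the maintenance log described below; the same listing is the quickest way to check, during the periodic review, that a task you expect to run daily at a secondary site has not been left on its 30-day default.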
Common maintenance can include both the built-in maintenance tasks and other tasks, such as account maintenance, that keep you in compliance with your company policies. Performing regular maintenance is important to ensure correct site operations. Keep a maintenance log that records when maintenance was performed, by whom, and any comments about the task performed. Use the following information as a guide to help you plan when to perform different maintenance tasks. Use these lists as a starting point, and add any additional tasks you might require.

Daily Tasks
The following are maintenance tasks you might consider performing daily:
- Verify that the predefined maintenance tasks that are scheduled to run daily are running successfully.
- Check the Configuration Manager database status.
- Check the site server status.
- Check the Configuration Manager site system inboxes for file backlogs.
- Check the status of site systems.
- Check the operating system event logs on site systems.
- Check the SQL Server error log on the site database computer.
- Check system performance.
- Check Configuration Manager alerts.

Weekly Tasks
The following are maintenance tasks you might consider performing weekly:
- Verify that the predefined maintenance tasks that are scheduled to run weekly are running successfully.
- Delete unnecessary files from site systems.
- Produce and distribute end-user reports, if required.
- Back up the application, security, and system event logs, and then clear them.
- Check the site database size and verify that there is enough available disk space on the site database server for the site database to grow.
- Perform SQL Server database maintenance on the site database according to your SQL Server maintenance plan.
- Check the available disk space on all site systems.
- Run disk defragmentation tools on all site systems.

Periodic Tasks
Some tasks do not have to be performed during daily or weekly maintenance, but they are important to ensure overall site health and to keep your security and disaster recovery plans up to date. The following are maintenance tasks that you might consider performing less often than the daily or weekly tasks:
- Change accounts and passwords, if necessary, according to your security plan.
- Review the maintenance plan to verify that the scheduled maintenance tasks are scheduled correctly and effectively for the configured site settings.
- Review the Configuration Manager hierarchy design for any required changes.
- Check network performance to ensure that no changes have been made that affect site operations.
- Verify that Active Directory settings that affect site operations have not changed. For example, verify that the subnets assigned to Active Directory sites that are used as boundaries for a Configuration Manager site have not changed.
- Review your disaster recovery plan for any required changes.
- Perform a site recovery in a test lab according to the disaster recovery plan, by using a copy of the most recent backup created by the Backup Site Server maintenance task.
- Check hardware for errors and for available hardware updates.
- Check the overall health of the site.

About the Built-In Maintenance Tasks
The following list gives the available maintenance tasks, the sites at which each task is available, and basic details about each task. For more information about each task and its available configurations, view the maintenance task Properties in the Configuration Manager console.
For each task, the first line shows whether the task is available at a central administration site, a primary site, and a secondary site, and whether it is enabled by default where it is available.

Backup Site Server
  Central administration site: enabled by default. Primary site: not enabled by default. Secondary site: not available.
  Use this task to prepare for recovery of critical data by creating a backup of the critical information that you need to restore a site and the Configuration Manager database. For more information, see Backup and Recovery in Configuration Manager.

Check Application Title with Inventory Information
  Central administration site: enabled by default. Primary site: enabled by default. Secondary site: not available.
  Use this task to maintain consistency between the software titles reported in software inventory and the software titles in the Asset Intelligence catalog. For more information, see Introduction to Asset Intelligence in Configuration Manager.

Clear Install Flag
  Central administration site: not available. Primary site: not enabled by default. Secondary site: not available.
  Use this task to remove the installed flag for clients that do not submit a Heartbeat Discovery record during the Client Rediscovery period. The installed flag prevents automatic client push installation to a computer that might have an active Configuration Manager client. For more information, see How to Prevent the Client Software from Installing on Specific Computers in Configuration Manager.

Delete Aged Application Request Data
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete aged application requests from the database. For more information about application requests, see Introduction to Application Management in Configuration Manager.

Delete Aged Client Operations
  Central administration site: enabled by default. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete aged data for Endpoint Protection client operations from the database. This data includes requests that an administrative user made for clients to run a scan or to download updated definitions. For more information about managing Endpoint Protection in Configuration Manager, see How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager.

Delete Aged Collected Files
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete aged information about collected files from the database. This task also deletes the collected files from the site server folder structure at the selected site. By default, the five most recent copies of collected files are stored on the site server in the Inboxes\sinv.box\FileCol directory. For more information, see Planning for Software Inventory in Configuration Manager.

Delete Aged Computer Association Data
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete aged Operating System Deployment computer association data from the database. This information is used as part of completing user state restores. For more information about computer associations, see Managing User State.

Delete Aged Delete Detection Data
  Central administration site: enabled by default. Primary site: enabled by default. Secondary site: enabled by default.
  Use this task to delete aged data that has been created by Extraction Views from the database. By default, Extraction Views are disabled and can be enabled only by using the Configuration Manager SDK. Unless Extraction Views are enabled, there is no data for this task to delete.

Delete Aged Device Wipe Record
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete aged data about mobile device wipe actions from the database. For information about managing mobile devices, see Determine How to Manage Mobile Devices in Configuration Manager.

Delete Aged Devices Managed by the Exchange Server Connector
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete aged data about mobile devices that are managed by using the Exchange Server connector from the database. For more information, see How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager.

Delete Aged Discovery Data
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete aged discovery data from the database. This data can include records that result from Heartbeat Discovery, Network Discovery, and the Active Directory Domain Services discovery methods (System, User, and Group). When this task runs at one site, it removes the data from the database at all sites in the hierarchy. For information about Discovery, see Planning for Discovery in Configuration Manager.

Delete Aged Endpoint Protection Health Status History Data
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete aged status information for Endpoint Protection from the database. For more information about Endpoint Protection status information, see How to Monitor Endpoint Protection in Configuration Manager.

Delete Aged Enrolled Devices
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete from the database aged data about mobile devices that have enrolled at a site but that have not reported any information to the site for a specified time. For information about mobile device enrollment, see Determine How to Manage Mobile Devices in Configuration Manager.

Delete Aged Inventory History
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete from the database inventory data that has been stored longer than a specified time. For information about inventory history, see How to Use Resource Explorer to View Hardware Inventory in Configuration Manager.

Delete Aged Log Data
  Central administration site: enabled by default. Primary site: enabled by default. Secondary site: enabled by default.
  Use this task to delete from the database aged log data that is used for troubleshooting. This data is not related to Configuration Manager component operations.
  Important: By default, this task runs every 30 days. However, when you use SQL Server Express at a secondary site, configure this task to run every day at that secondary site.

Delete Aged Replication Tracking Data (1)
  Central administration site: enabled by default. Primary site: enabled by default. Secondary site: enabled by default.
  Use this task to delete from the database aged data about database replication between Configuration Manager sites. For more information, see the How to Monitor Database Replication and SQL Server Status for Database Replication section in the Monitor Configuration Manager Sites and Hierarchy topic.

Delete Aged Software Metering Data
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete from the database aged software metering data that has been stored longer than a specified time. For more information, see Maintenance Tasks for Software Metering in Configuration Manager.

Delete Aged Software Metering Summary Data
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete from the database aged software metering summary data that has been stored longer than a specified time. For more information, see Maintenance Tasks for Software Metering in Configuration Manager.

Delete Aged Status Messages
  Central administration site: enabled by default. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete aged status message data from the database, as configured in status filter rules. For information, see the Monitor System Status for Configuration Manager section in the topic Monitor Configuration Manager Sites and Hierarchy.

Delete Aged Threat Data
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete from the database aged Endpoint Protection threat data that has been stored longer than a specified time. For information about Endpoint Protection, see Endpoint Protection in Configuration Manager.

Delete Aged User Device Affinity Data
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete aged User Device Affinity data from the database. For more information, see How to Manage User Device Affinity in Configuration Manager.

Delete Inactive Client Discovery Data
  Central administration site: not available. Primary site: not enabled by default. Secondary site: not available.
  Use this task to delete discovery data for inactive clients from the database. Clients are marked as inactive when the client is flagged as obsolete and by the configurations made for Client status. This task operates only on resources that are Configuration Manager clients. It is different from the Delete Aged Discovery Data task, which deletes any aged discovery data record. When this task runs at a site, it removes the data from the database at all sites in the hierarchy.
  Important: When you enable this task, configure it to run at an interval greater than the Heartbeat Discovery schedule. This lets active clients send a Heartbeat Discovery record that marks their client record as active, so that this task does not delete them. For more information, see How to Configure Client Status in Configuration Manager.

Delete Obsolete Alerts
  Central administration site: enabled by default. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete from the database expired alerts that have been stored longer than a specified time. For more information, see Planning for Alerts.

Delete Obsolete Client Discovery Data
  Central administration site: not available. Primary site: not enabled by default. Secondary site: not available.
  Use this task to delete obsolete client records from the database. A record that is marked as obsolete has usually been replaced by a newer record for the same client. The newer record becomes the client's current record.
  Important: When you enable this task, configure it to run at an interval greater than the Heartbeat Discovery schedule. This lets the client send a Heartbeat Discovery record that sets the obsolete status correctly. For information about Discovery, see Planning for Discovery in Configuration Manager.

Delete Obsolete Forest Discovery Sites and Subnets
  Central administration site: enabled by default. Primary site: enabled by default. Secondary site: enabled by default.
  Use this task to delete data about Active Directory sites, subnets, and domains that have not been discovered by the Active Directory Forest Discovery method in the last 30 days. This removes the discovery data but does not affect boundaries that were created from this discovery data. For more information, see Planning for Discovery in Configuration Manager.

Delete Unused Application Revisions
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to delete application revisions that are no longer referenced. For more information, see How to Manage Application Revisions in Configuration Manager.

Evaluate Collection Members
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to change how often collection membership is incrementally evaluated. Incremental evaluation updates a collection membership with only new or changed resources. For more information, see How to Manage Collections in Configuration Manager.

Evaluate Provisioned AMT Computer Certificates
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to check the validity period of the certificates issued to AMT-based computers. For more information, see How to Manage AMT Provisioning Information in Configuration Manager.

Monitor Keys
  Central administration site: enabled by default. Primary site: enabled by default. Secondary site: not available.
  Use this task to monitor the integrity of the Configuration Manager database primary keys. A primary key is a column or combination of columns that uniquely identifies one row and distinguishes it from any other row in a Microsoft SQL Server database table.

Rebuild Indexes
  Central administration site: not enabled by default. Primary site: not enabled by default. Secondary site: not enabled by default.
  Use this task to rebuild the Configuration Manager database indexes. An index is a database structure that is created on a database table to speed up data retrieval. For example, searching an indexed column is often much faster than searching a column that is not indexed. To improve performance, the Configuration Manager database indexes are frequently updated to remain synchronized with the constantly changing data stored in the database. This task creates indexes on database columns that are at least 50 percent unique, drops indexes on columns that are less than 50 percent unique, and rebuilds all existing indexes that meet the data uniqueness criteria.

Summarize Installed Software Data
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to summarize the data for installed software from multiple records into one general record. Data summarization can compress the amount of data stored in the Configuration Manager database. For more information, see Planning for Software Inventory in Configuration Manager.

Summarize Software Metering File Usage Data
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to summarize the data from multiple records for software metering file usage into one general record. Data summarization can compress the amount of data stored in the Configuration Manager database. You can use this task together with the Summarize Software Metering Monthly Usage Data task to summarize software metering data and to conserve disk space in the Configuration Manager database. For more information, see Maintenance Tasks for Software Metering in Configuration Manager.

Summarize Software Metering Monthly Usage Data
  Central administration site: not available. Primary site: enabled by default. Secondary site: not available.
  Use this task to summarize the data from multiple records for software metering monthly usage into one general record. Data summarization can compress the amount of data stored in the Configuration Manager database. You can use this task together with the Summarize Software Metering File Usage Data task to summarize software metering data and to conserve space in the Configuration Manager database. For more information, see Maintenance Tasks for Software Metering in Configuration Manager.

Update Application Catalog Tables
  Central administration site: enabled by default. Primary site: enabled by default. Secondary site: not available.
  Use this task to synchronize the Application Catalog website database cache with the latest application information. For more information, see Configuring the Application Catalog and Software Center in Configuration Manager.

(1) When you change the configuration of this maintenance task, the configuration applies to each applicable site in the hierarchy.

Planning for Alerts
System Center 2012 Configuration Manager generates alerts that you can use to monitor the status of objects as they perform a task. Alerts can indicate a completed task, an interim status of a task, or the failure of a task.

Alerts are listed in several places in the Configuration Manager console. A complete list of alerts is provided in the Alerts node of the Monitoring workspace. The most recent active alerts are displayed in the Overview of the workspace that they are associated with. For example, select Assets and Compliance to see a list of the most recent alerts in the Assets and Compliance Overview. The list of the most recent alerts is updated whenever a new alert is generated or the state of an alert changes for that workspace.

For more information about managing alerts, see Configuring Alerts in Configuration Manager. For more information about what you can do when an alert is generated, see Monitor Alerts in Configuration Manager.

See Also
Planning for Configuration Manager Sites and Hierarchy
Planning for High Availability with Configuration Manager
System Center 2012 Configuration Manager sites, hierarchies of sites, and Configuration Manager clients can each take advantage of options that maintain a high level of available service. These include the following:
- Sites support multiple instances of the site system servers that provide important services to clients.
- Central administration sites and primary sites support backup of the site database. The site database contains all the configurations for sites and clients, and it is shared between the sites in a hierarchy that contains a central administration site.
- Built-in site recovery options can reduce server downtime and include advanced options that simplify recovery when you have a hierarchy with a central administration site.
- Clients can automatically remediate typical issues without administrative intervention.
- Sites generate alerts about clients that fail to submit recent data, which warns administrators of potential problems.
- Configuration Manager provides several built-in reports that enable administrators to identify problems and trends before they become problems for server or client operations.

Configuration Manager does not provide a real-time service, and you must expect it to operate with some data latency. Therefore, it is unusual for a temporary interruption of service to become a critical problem in most scenarios. When you have configured your sites and hierarchies with high availability in mind, downtime can be minimized, autonomy of operations maintained, and a high level of service provided.

For example, Configuration Manager clients typically operate autonomously by using known schedules and configurations for operations, and schedules to submit data to the site for processing. When clients cannot contact the site, they cache the data to be submitted until they can contact the site. Additionally, clients that cannot contact the site continue to operate by using the last known schedules and cached information, such as a previously downloaded application that they must run or install, until they can contact the site and receive new policies. The site monitors its site systems and clients for periodic status updates, and can generate alerts when these fail to register. Built-in reports provide insight into ongoing operations as well as historical operations and trends. Finally, Configuration Manager supports state-based messages that provide near real-time information for ongoing operations.

Use the information in the following sections to help you understand the options to deploy Configuration Manager in a highly available configuration.
- High Availability for Configuration Manager Clients
- High Availability for Configuration Manager Sites
- Details for Sites and Site System Roles that are Highly Available
- Details for Sites and Site System Roles that are not Highly Available
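The sections that follow explain that redundancy comes from installing several instances of a role, and that a console or client silently falls back to another instance when one is down. That silence is the problem: you want to know that a site is down to its last SMS Provider or management point before the remaining one fails. The following script is an added example (not from the Configuration Manager documentation) that enumerates both roles for one site and tests each instance. It assumes that SMS_ProviderLocation in root\sms lists the SMS Providers with Machine and SiteCode properties, that SMS_SCI_SysResUse in root\sms\site_<code> lists site system roles with RoleName 'SMS Management Point' and a NetworkOSPath of the form \\server, that SMS_Identification exists in the site namespace, and that a management point answers an HTTP GET for /sms_mp/.sms_aut?mplist over port 80 (use https and 443 for management points configured for HTTPS). The server name and site code are placeholders.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Assumptions (not on the page): SMS_ProviderLocation (root\sms) lists SMS
# Providers; SMS_SCI_SysResUse lists roles with RoleName 'SMS Management Point'
# and NetworkOSPath '\\server'; a management point answers GET /sms_mp/.sms_aut?mplist.
param(
    [string]$ProviderServer = 'cm01.corp.example.com',   # any working SMS Provider (placeholder)
    [string]$SiteCode       = 'PS1',                     # placeholder
    [string]$MpScheme       = 'http'                     # 'https' for HTTPS management points
)

function Test-SmsProvider([string]$Machine) {
    # A provider that is up answers a small query in the site namespace it serves.
    try {
        $null = Get-WmiObject -ComputerName $Machine -Namespace "root\sms\site_$SiteCode" `
                              -Class SMS_Identification -ErrorAction Stop
        $true
    } catch { $false }
}

function Test-ManagementPoint([string]$Server) {
    # MPLIST is served by the management point's own web component, so a reply
    # means the role is answering clients, not just that IIS is listening.
    $client = New-Object System.Net.WebClient
    try {
        $null = $client.DownloadString("${MpScheme}://$Server/sms_mp/.sms_aut?mplist")
        $true
    } catch { $false }
    finally { $client.Dispose() }
}

$providers = Get-WmiObject -ComputerName $ProviderServer -Namespace 'root\sms' -Class SMS_ProviderLocation |
    Where-Object { $_.SiteCode -eq $SiteCode }
$mps = Get-WmiObject -ComputerName $ProviderServer -Namespace "root\sms\site_$SiteCode" -Class SMS_SCI_SysResUse |
    Where-Object { $_.RoleName -eq 'SMS Management Point' }

$results = @()
foreach ($p in $providers) {
    $results += [pscustomobject]@{ Role = 'SMS Provider'; Server = $p.Machine; Up = Test-SmsProvider $p.Machine }
}
foreach ($mp in $mps) {
    $server = $mp.NetworkOSPath.TrimStart('\')
    $results += [pscustomobject]@{ Role = 'Management point'; Server = $server; Up = Test-ManagementPoint $server }
}
$results | Format-Table -AutoSize

# Redundancy exists only while at least two instances of a role answer.
foreach ($role in 'SMS Provider', 'Management point') {
    $up = @($results | Where-Object { $_.Role -eq $role -and $_.Up }).Count
    if ($up -lt 2) { Write-Warning "Site $SiteCode has $up working instance(s) of '$role'; no failover remains." }
}
```

Schedule this with the daily checks, and run it from a computer other than the site server so that a failure of the server you would normally administer from is itself visible.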
High Availability for Configuration Manager Clients
The following list describes the operations of Configuration Manager clients that promote high availability.

Feature: Client operations are autonomous
Configuration Manager client autonomy includes the following:
- Clients do not require continuous contact with any specific site system server. They use known configurations to perform preconfigured actions on a schedule.
- Clients can use any available instance of a site system role that provides services to clients, and they attempt to contact known servers until an available server is located.
- Clients can run inventory, software deployments, and similar scheduled actions independently of direct contact with site system servers.
- Clients that are configured to use a fallback status point can submit details to the fallback status point when they cannot communicate with a management point.

Feature: Clients can repair themselves
Clients automatically remediate most typical issues without direct administrative intervention:
- Periodically, clients evaluate their own status and take action to remediate typical problems by using a local cache of remediation steps and source files for repairs.
- When a client fails to submit status information to its site, the site can generate an alert. Administrative users who receive these alerts can take immediate action to restore the normal operation of the client.

Feature: Clients cache information to use in the future
When a client communicates with a management point, the client can obtain and cache the following information:
- Client settings.
- Client schedules.
- Information about software deployments, and a download of the software that the client is scheduled to install, when the deployment is configured for this action.
When a client cannot contact a management point, the following happens:
- Clients locally cache the status, state, and client information that they report to the site, and transfer this data after they establish contact with a management point.

Feature: Clients can submit status to a fallback status point
When you configure a client to use a fallback status point, you provide an additional point of contact for the client to submit important details about its operation:
- Clients that are configured to use a fallback status point continue to send status about their operations to that site system role even when the client cannot communicate with a management point.

Feature: Central management of client data and client identity
The site database, rather than the individual client, retains important information about each client's identity and associates that data with a specific computer or user. This has the following results:
- The client source files on a computer can be uninstalled and reinstalled without affecting the historical records that are associated with the computer on which the client is installed.
- Failure of a client computer does not affect the integrity of the information that is stored in the database. This information can remain available for reporting.

High Availability for Configuration Manager Sites
At each site, you deploy site system roles to provide the services that you want clients to use at that site. The site database contains the configuration information for the site and for all clients.
  • 395. 395 Use one or more of the available options to provide for high availability of the site database, and the recovery of the site and site database if needed. The following table provides information about the available options for Configuration Manager sites that support high availability. Option More information Use a SQL Server cluster to host the site database When you use a SQL Server cluster for the database at a central administration site or primary site, you use the fail-over support built into SQL Server. Secondary sites cannot use a SQL Server cluster, and do not support backup or restoration of their site database. You recover a secondary site by reinstalling the secondary site from its parent primary site. Deploy a hierarchy of sites with a central administration site, and one or more child primary sites This configuration can provide fault tolerance when your sites manage overlapping segments of your network. In addition, this configuration offers an additional recovery option to use the information in the shared database available at another site, to rebuild the site database at the recovered site. You can use this option to replace a failed or unavailable backup of the failed sites database. Create regular backups at central administration sites and primary sites When you create and test a regular site backup, you can ensure that you have the data necessary to recover a site, and the experience to recover a site in the minimal amount of time. Install multiple instances of site system roles When you install multiple instances of critical site system roles such as the management point and distribution point, you provide redundant points of contact for clients in the event that a specific site system server is off- line. Install multiple instances of the SMS Provider at a site The SMS Provider provides the point of administrative contact for one or more Configuration Manager consoles. When you install multiple SMS Providers, you can provide
redundancy for the contact points that you use to administer your site and hierarchy.

Details for Sites and Site System Roles that are Highly Available
The following information describes the features that are available at sites, and the site system roles that can be part of a high availability configuration.

Redundancy for important site system roles
You can install multiple instances of the following site system roles to provide important services to clients:
 Management point
 Distribution point
 State migration point
 System Health Validator point
 Application Catalog web service point
 Application Catalog website point
You can install multiple instances of the following site system role to provide redundancy for reporting on sites and clients:
 Reporting services point
You can install the following site system role on a Windows Network Load Balancing (NLB) cluster to provide failover support:
 Software update point

Built-in site backup
Configuration Manager includes a built-in backup task to help you back up your site and its critical information on a regular schedule. Additionally, the Configuration Manager Setup wizard supports site restoration actions to help you restore a site to operation.

Publishing to Active Directory Domain Services and DNS
You can configure each site to publish data about site system servers and services to Active Directory Domain Services and to DNS. This enables clients to identify the most accessible server on the network, and to identify when new site system servers that can
provide important services, such as management points, are available.

SMS Providers and Configuration Manager consoles
Configuration Manager supports installing multiple SMS Providers, each on a separate computer, to ensure multiple access points for Configuration Manager consoles. If one SMS Provider computer is offline, you retain the ability to view and reconfigure Configuration Manager sites and clients.
When a Configuration Manager console connects to a site, it connects to an instance of the SMS Provider at that site. The instance is selected nondeterministically. If the selected SMS Provider is not available, you have the following options:
 Reconnect the console to the site. Each new connection request is nondeterministically assigned an instance of the SMS Provider, so the new connection might be assigned an available instance.
 Connect the console to a different Configuration Manager site and manage the configuration from that connection. This introduces a slight delay of no more than a few minutes before configuration changes take effect. After the SMS Provider for the site is online again, you can reconnect your Configuration Manager console directly to the site that you want to manage.
You can install the Configuration Manager console on multiple computers for use by administrative users. Each SMS Provider supports connections from multiple Configuration Manager consoles.

Management point
Install multiple management points at each primary site, and enable the sites to publish site data to your Active Directory infrastructure and to DNS. Multiple management points help to load-balance the use of any single management point by multiple clients. In addition, you can install one or more database replicas for management points to reduce the CPU-intensive operations of the management point and to increase the availability of this critical site system role.
You can install only one management point in a secondary site, and it must be located on the secondary site server. If this management point is unavailable, clients can fall back to a management point in their assigned site.
Note
Mobile devices that are enrolled by Configuration Manager can connect to only one management point in a primary site. Configuration Manager assigns the management point to the mobile device during enrollment, and the assignment does not change afterward. When you install multiple management points and enable more than one for mobile devices, the management point that is assigned to a mobile device client is nondeterministic. If the management point that a mobile device client uses becomes unavailable, you must either resolve the problem with that management point, or wipe the mobile device and re-enroll it so that it is assigned an operational management point that is enabled for mobile devices.

Distribution point
Install multiple distribution points, and deploy content to multiple distribution points. You can configure overlapping boundary groups for content location to ensure that clients on each subnet can access a deployment from two or more distribution points. Finally, consider configuring one or more distribution points as
fallback locations for content. For more information about fallback locations for content, see the Planning for Preferred Distribution Points and Fallback section in the Planning for Content Management in Configuration Manager topic.

Application Catalog web service point and Application Catalog website point
You can install multiple instances of each site system role, and for best performance, deploy one of each on the same site system computer. Each Application Catalog site system role provides the same information as the other instances of that role, regardless of where in the hierarchy it is located. Therefore, when a client requests the Application Catalog and you have configured the Default Application Catalog website point device client setting as Automatically detect, the client can be directed to an available instance, with preference given to local Application Catalog site system servers based on the current network location of the client. For more information about this client setting and how automatic detection works, see the Computer Agent client setting section in the About Client Settings in Configuration Manager topic.

Details for Sites and Site System Roles that are not Highly Available
Several site systems do not support multiple instances at a site or in the hierarchy. Use the following information to help you plan for these site systems going offline.

Site server (site)
Configuration Manager does not support installing the site server for a site on a Windows Server cluster or NLB cluster. The following information can help you prepare
for when a site server fails or is not operational:
 Use the built-in backup task to regularly create a backup of the site. In a test environment, regularly practice restoring sites from a backup.
 Deploy multiple Configuration Manager primary sites in a hierarchy with a central administration site to create redundancy. If you experience a site failure, consider using Windows Group Policy or logon scripts to reassign clients to a functional site.
 If you have a hierarchy with a central administration site, you can recover the central administration site or a child primary site by using the option to recover the site database from another site in your hierarchy.
 Secondary sites cannot be restored, and must be reinstalled.

Asset Intelligence synchronization point (hierarchy)
This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options:
 Resolve the reason for the site system to be offline.
 Uninstall the role from the current server, and install the role on a new server.

Endpoint Protection point (hierarchy)
This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options:
 Resolve the reason for the site system to be offline.
 Uninstall the role from the current server, and install the role on a new server.

Enrollment point (site)
This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options:
 Resolve the reason for the site system to be offline.
 Uninstall the role from the current server, and install the role on a new server.

Enrollment proxy point (site)
This site system role is not considered mission critical and provides optional functionality in Configuration Manager. However, you can install multiple instances of this site system role at a site, and at multiple sites in the hierarchy. If this site system goes offline, use one of the following options:
 Resolve the reason for the site system to be offline.
 Uninstall the role from the current server, and install the role on a new server.
When you have more than one enrollment proxy point in a site, use a DNS alias for the server name. With this configuration, DNS round robin provides some fault tolerance and load balancing when users enroll their mobile devices. For more information, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager.

Fallback status point (site or hierarchy)
This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options:
 Resolve the reason for the site system to be offline.
 Uninstall the role from the current server, and install the role on a new server.
Because clients are assigned the fallback status point during client installation, you must modify existing clients to use the new site system server.

Out of band service point (site)
This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options:
 Resolve the reason for the site system to
be offline.
 Uninstall the role from the current server, and install the role on a new server.

See Also
Planning for Configuration Manager Sites and Hierarchy

Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager
The following scenarios provide examples of how you can implement System Center 2012 Configuration Manager to solve typical business requirements and simplify your overall hierarchy design.

Scenario 1: Remote Office Optimization
The remote office optimization scenario demonstrates an implementation of System Center 2012 Configuration Manager that reduces the administrative overhead that is required for managing information flow across the network.

Current Situation
The customer has a simple Configuration Manager 2007 hierarchy of one primary site with two secondary sites, one at a warehouse and one at a remote district office. The customer has 5,015 clients across four locations, as shown in the following table.

Location: Headquarters
Site type: Primary
Deployment details:
 3,000 clients
 Two standard distribution points, one management point, and one software update point
Connection to headquarters: Not applicable

Location: Warehouse
Site type: Secondary
Deployment details:
 500 clients
 One standard distribution point
Connection to headquarters: Slow network

Location: District Office
Site type: Secondary
Deployment details:
 1,500 clients
 One standard distribution point, one proxy management point, and one software update point
Connection to headquarters: Slow network

Location: Sales Office
Site type: None
Deployment details:
 15 clients
 Use of Windows BranchCache
Connection to headquarters: Well connected

Business Requirements
The System Center 2012 Configuration Manager hierarchy must support the following business requirements.

Business requirement: The data transferred over the network must not use excessive bandwidth.
Configuration Manager information: Slow network connections must support bandwidth control.

Business requirement: Minimize the number of servers used.
Configuration Manager information: Install the minimum number of site system servers possible.

Business requirement: Produce reports that provide current information about devices.
Configuration Manager information: Clients must regularly submit their hardware inventory data, status messages, and discovery information.

Business requirement: Deploy applications, software updates, and operating system deployments on a daily basis.
Configuration Manager information: Content must be available to clients, including large packages for operating system images.

Planning Decisions
The design of the System Center 2012 Configuration Manager hierarchy includes the following planning considerations.

Challenge: The transfer of deployment content from the primary site to remote locations represents the largest effect on the network and must be managed.
Options and considerations: Content transmission to remote locations can be managed by:
 Distribution points enabled for bandwidth control
 Prestaged content for distribution points
 Windows BranchCache
 A local site to manage the network bandwidth used during site-to-site transfers

Challenge: The flow of client information from large numbers of clients can slow down the network.
Options and considerations: Each remote location must be evaluated for network capacity, balancing the client settings, the number of clients at the location, and the available network bandwidth. Options include the following:
 A local primary or secondary site to manage the network bandwidth during site-to-site transfers.
 No site at the location, allowing clients to transfer their data unmanaged across the network to an assigned primary site.

Steps Taken
After evaluation of requirements and options, client locations, and available network bandwidth, the following decisions are made.

Decision: A stand-alone primary site is deployed at the Headquarters location.
Details: A System Center 2012 Configuration Manager primary site replaces the existing primary site, because there are no administrative or content management benefits to be gained by using a central administration site for this environment.
 A primary site can support up to 100,000 clients.
 There is no planned expansion that could require additional primary sites to manage large numbers of clients across slow network connections.

Decision: A distribution point enabled for bandwidth control is deployed to the warehouse location.
Details: The effect of client information flowing up from the warehouse location will not overwhelm the available network bandwidth. In place of a secondary site, the location's needs can be met by a distribution point enabled for bandwidth control, deployed from the primary site to manage the downward flow of deployment content. This decision does not reduce the number of servers in use, but it does remove the requirement to manage an additional site.
 The current client activity is not sufficient to require management of upward-flowing client data.
 Only downward-flowing content requires management to avoid affecting the slow network connection.
 In the future, the distribution point can be replaced by a secondary site that manages network traffic in both directions, if that is needed.

Decision: A secondary site is deployed to the District Office location.
Details: After evaluation of the effect from the local clients, it is decided that a secondary site with the same configuration that was previously used will be required.
 1,500 clients generate enough client information to exceed the available network connection to the primary site.
 A primary site is not required, because a primary site provides no administrative benefit here, and the hierarchy's combined client total is easily handled by the primary site at the Headquarters location.

Decision: The use of Windows BranchCache is maintained at the Sales Office location.
Details: Because this location services only 15 clients and has a fast network connection to the Headquarters location, the current use of Windows BranchCache as a content
deployment solution remains the best option.

Business Benefits
By using a single distribution point that is enabled for bandwidth control to replace a secondary site and its distribution point, the customer meets the business requirement for managing content across slow networks. Additionally, this change decreases the administrative workload and the time it takes for the site to receive client information.

Scenario 2: Infrastructure Reduction and Management of Client Settings
The infrastructure reduction and client settings scenario demonstrates an implementation of System Center 2012 Configuration Manager that reduces the infrastructure in use while continuing to manage clients with customized client settings.

Current Situation
In this example, a company manages 25,000 clients across two physical locations by using a single Configuration Manager 2007 hierarchy that consists of one central site and three child primary sites. The central site and one primary site are located in Chicago, and two primary sites are located in London. The primary sites at each geographic location reside on the same physical network and have well-connected network links. However, there is limited bandwidth between Chicago and London.
Current deployment details:

Location: Chicago Headquarters
Type of site: Primary, central site
Deployment details: 19,200 clients that are configured with the company's standard configuration for client agent settings.

Location: Chicago Headquarters
Type of site: Primary, child of the central site
Deployment details: 300 clients on computers that are used by people in the Human Resources division. The site is configured with a custom remote control client agent setting.

Location: London Offices
Type of site: Primary, child of the central site
Deployment details: 5,000 desktop clients that are configured for the company's
standard configuration of client agent settings.

Location: London Offices
Type of site: Primary, child of the central site
Deployment details: 500 server clients that are configured with a custom hardware inventory client agent setting.

Business Requirements
The Configuration Manager hierarchy must meet the following business requirements.

Business requirement: Maintain centralized management of the hierarchy in Chicago.
Configuration Manager information: Central administration from Chicago requires that content and client information is sent over the network for the 5,500 clients in London.

Business requirement: Assign a standard client configuration to all clients unless specific business requirements dictate otherwise.
Configuration Manager information: The standard configuration for client settings must be available to all clients.

Business requirement: Employees in the Human Resources division must not have the Remote Control client agent enabled on their computers.
Configuration Manager information: These custom client settings must be assigned to the computers that are used by the employees in the Human Resources division.

Business requirement: Servers that are located in London must run hardware inventory no more than once a month.
Configuration Manager information: These custom client settings must be assigned to the clients on servers in London.

Business requirement: Control the network bandwidth when transferring data between Chicago and London.
Configuration Manager information: The slow network connection requires bandwidth control.

Business requirement: Minimize the number of servers.
Configuration Manager information: Avoid installing site system servers where possible, to reduce administrative tasks and infrastructure costs.

Planning Decisions
The System Center 2012 Configuration Manager hierarchy design includes the following planning considerations:
Challenge: Central administration in Chicago.
Options and considerations: Options for this requirement include the following:
 Deploy a stand-alone primary site in Chicago to manage clients at both network locations:
    The amount of client information from London that must be transferred over the slow network must be carefully assessed.
 Deploy a primary site at each location, and a central administration site in Chicago:
    Central administration sites cannot have clients assigned to them.
    A central administration site is required if there are two or more primary sites in the hierarchy.

Challenge: The transfer of content from Chicago to London will consume a lot of network bandwidth, and this data transfer must be controlled.
Options and considerations: The transfer of content down the hierarchy can be managed by the following methods:
 Distribution points that are enabled for bandwidth control.
 Windows BranchCache.
 A London site that is configured to manage the network bandwidth for site-to-site transfers.

Challenge: The requirement to manage the network bandwidth when client information is sent from London.
Options and considerations: Assess the London location for the available network bandwidth, and how it will be reduced by the data that is generated by the 5,500 clients. Options include the following:
 Allow clients to transfer their data unmanaged across the network to an assigned primary site in Chicago.
 Deploy a secondary site or primary site in London to manage the network bandwidth during site-to-site transfers to Chicago.

Challenge: A standard set of client settings must be available at all locations.
Options and considerations: A default set of client agent settings is specified for the hierarchy.

Challenge: Two groups, the employees in Human Resources and the servers in London, require client settings that are different from the standard configuration.
Options and considerations: Collections are used to assign custom client settings.

Steps Taken
After an evaluation of the business requirements, the network structure, and the requirements for client settings, a central administration site is deployed in Chicago with one child primary site in Chicago and one child primary site in London. The following decisions explain these design choices.

Decision: A central administration site is deployed in Chicago.
Details:
 This meets the centralized administration requirement by providing a central location for reporting and hierarchy-wide configurations.
 Because the central administration site has access to all client and site data in the hierarchy and is the direct parent of both primary sites, it is ideally located to host the content for all locations.

Decision: One primary site is required in Chicago.
Details:
 A primary site is required to manage clients at the Chicago location, because the central administration site cannot have clients assigned to it.
 A local primary site is required to locally manage the 19,500 clients in Chicago (the 19,200 and 300 clients of the two existing Chicago sites).
 Sites in System Center 2012 Configuration Manager are not used to configure client settings, which allows all clients at a location to be assigned to the same site.

Decision: One primary site is deployed in London.
Details:
 Site-to-site address configurations can control the network bandwidth when content is transferred from the central administration site in Chicago.
 Sites in System Center 2012 Configuration Manager are not used to configure client settings, which allows all clients at a location to be assigned to the same site.
 A local primary site is deployed to manage the 5,500 local clients so that the clients do not send their information and client policy
requests across the network to Chicago. A primary site also ensures that future growth in London can be managed with the hierarchy design that is implemented today.
Note
The decision to deploy a primary site or a secondary site can include consideration of the following:
 The available hardware for a site server
 The current number of clients at a location
 Expectations for additional clients in the future
 Political reasons
 A local point of administrative contact

Decision: A standard configuration for client settings is applied to each client in the hierarchy.
Details:
 Default client agent settings are configured and applied to every client in the hierarchy, which results in a consistent configuration for every client.

Decision: A collection is created to contain the user accounts of the employees who work in the Human Resources division. This collection is configured to update regularly, so that new accounts are added to the collection soon after they are created.
Details:
 This collection is configured with custom client settings that disable Remote Control. These settings override the hierarchy-wide defaults and provide the collection members with the customized client settings that are required for Human Resources employees.
 Because this collection is dynamically updated, new employees in Human Resources automatically receive the customized client settings.
 Because collections are shared with all sites, these customizations are applied to Human Resources employees at any location in the hierarchy, without having to consider which site their computer is assigned to.

Decision: A collection is configured to contain the servers that are located in London.
Details:
 This collection is configured with custom client settings, so that the servers are configured with custom settings for
hardware inventory.

Business Benefits
By using custom client settings in System Center 2012 Configuration Manager, the business requirements are met as follows:
 The infrastructure requirements are reduced by removing sites that were used only to provide custom client settings to subsets of clients.
 Administration is simplified, because the central administration site applies a standard configuration for client settings to all clients in the hierarchy.
 Two collections of clients are configured with the required customized client settings.
 Network bandwidth is controlled when data is transferred between Chicago and London.

See Also
Planning for Configuration Manager Sites and Hierarchy

Configuring Sites and Hierarchies in Configuration Manager
Configuration Topics
 Prepare the Windows Environment for Configuration Manager
 Install Sites and Create a Hierarchy for Configuration Manager
 Configure Sites and the Hierarchy in Configuration Manager
 Install and Configure Site System Roles for Configuration Manager
 Configure Database Replicas for Management Points
 Migrate Data from Configuration Manager 2007 to Configuration Manager
Other Resources for this Product
 TechNet Library main page for System Center 2012 Configuration Manager
 Site Administration for System Center 2012 Configuration Manager
Prepare the Windows Environment for Configuration Manager
Use the information in the following sections to help you configure your Windows environment to support System Center 2012 Configuration Manager.
 Prepare Active Directory for Configuration Manager
    Extend the Active Directory Schema
    Create the System Management Container
    Set Security Permissions on the System Management Container
 Configure Windows-Based Servers for Configuration Manager Site System Roles
    Remote Differential Compression
    Internet Information Services (IIS)
    Request Filtering for IIS

Prepare Active Directory for Configuration Manager
Extending the Active Directory schema is a forest-wide configuration that you perform one time per forest. Extending the schema is an irreversible action, and it must be done by a user who is a member of the Schema Admins group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after Setup. For information to help you decide whether to extend the Active Directory schema, see Determine Whether to Extend the Active Directory Schema for Configuration Manager.
If the Active Directory schema was extended with the Configuration Manager 2007 schema extensions, you do not have to extend the schema for System Center 2012 Configuration Manager. The Active Directory schema extensions are unchanged from Configuration Manager 2007.
Three actions are required to enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:
 Extend the Active Directory schema.
 Create the System Management container.
 Set security permissions on the System Management container.
  • 413. 413 Extend the Active Directory Schema Configuration Manager supports two methods to extend the Active Directory schema. The first is to use the extadsch.exe utility. The second is to use the LDIFDE utility to import the schema extension information by using the ConfigMgr_ad_schema.ldf file. Before you extend your Active Directory schema, test the schema extensions for conflicts with your current Active Directory schema. For information about how to test the Active Directory schema extensions, see Testing for Active Directory Schema Extension Conflicts in the Active Directory Domain Services documentation. Extend the Active Directory Schema by Using ExtADSch.exe You can extend the Active Directory schema by running the extadsch.exe file located in the SMSSETUPBINX64 folder on the Configuration Manager installation media. The extadsch.exe file does not display output when it runs but does provide feedback when you run it from a command console as a command line. When extadsch.exe runs, it generates a log file in the root of the system drive named extadsch.log, which indicates whether the schema update completed successfully or any problems that were encountered while extending the schema. In addition to generating a log file, the extadsch.exe program displays results in the console window when it is run from the command line. The following are limitations to using extadsch.exe:  Extadsch.exe is not supported when run on a Windows 2000–based computers. To extend the Active Directory schema from a Windows 2000–based computer, use the ConfigMgr_ad_schema.ldf.  To enable the extadsch.log to be created when you run extadsch.exe on a Windows Vista computer, you must be logged onto the computer with an account that has local administrator permissions. 1. Create a backup of the schema master domain controller’s system state. 2. 
Ensure that you are logged on to the schema master domain controller with an account that is a member of the Schema Admins security group.

Important: You must be logged on as a member of the Schema Admins security group in order to successfully extend the schema. Running the extadsch.exe file by using the Run As command to attempt to extend the schema using alternate credentials will fail.

3. Run extadsch.exe, located at SMSSETUP\BIN\X64 on the installation media, to add the new classes and attributes to the Active Directory schema.

4. Verify that the schema extension was successful by reviewing the extadsch.log located in the root of the system drive.

5. If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1.

Note: To restore the system state on a Windows domain controller, the system must be restarted in Directory Services Restore Mode. For more information about Directory Services Restore Mode, see Restart the Domain Controller in Directory Services Restore Mode Locally.

Extend the Active Directory Schema by Using an LDIF File

You can use the LDIFDE command-line utility to import directory objects into Active Directory Domain Services by using LDAP Data Interchange Format (LDIF) files. For greater visibility of the changes being made to the Active Directory schema than the extadsch.exe utility provides, you can use the LDIFDE utility to import schema extension information by using the ConfigMgr_ad_schema.ldf file located in the SMSSETUP\BIN\X64 folder on the Configuration Manager installation media. The ConfigMgr_ad_schema.ldf file is unchanged from the version provided with Configuration Manager 2007.

To extend the Active Directory schema by using the ConfigMgr_ad_schema.ldf file

1. Create a backup of the schema master domain controller's system state.

2. Open the ConfigMgr_ad_schema.ldf file, located in the SMSSETUP\BIN\X64 directory of the Configuration Manager installation media, and edit the file to define the Active Directory root domain to extend. All instances of the text DC=x in the file must be replaced with the full name of the domain to extend. For example, if the full name of the domain to extend is widgets.microsoft.com, change all instances of DC=x in the file to DC=widgets, DC=microsoft, DC=com.

3. Use the LDIFDE command-line utility to import the contents of the ConfigMgr_ad_schema.ldf file into Active Directory Domain Services. For example, the following command line will import the schema extensions into Active Directory Domain Services, turn on verbose logging, and create a log file during the import process:

   ldifde -i -f ConfigMgr_ad_schema.ldf -v -j <location to store log file>

4. To verify that the schema extension was successful, you can review the log file created by the command line used in step 3.

5. If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1.
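The following PowerShell script is an added example and is not part of the Microsoft documentation or the Configuration Manager product. It automates steps 2 and 3 of the LDIF procedure above: it writes a working copy of ConfigMgr_ad_schema.ldf with every DC=x placeholder replaced by the DC= components of the domain being extended, then imports that copy with ldifde using the same switches as the command line shown in step 3. All paths and the domain name are placeholders; it must still be run on the schema master by a member of Schema Admins, after the system-state backup in step 1.

```powershell
# Added example (not from the Microsoft documentation): prepare a working copy of
# ConfigMgr_ad_schema.ldf with the DC=x placeholders replaced, then import it with
# ldifde as the LDIF procedure describes. Paths and the domain name are placeholders.

# Turn a DNS domain name into the DC= components the LDF file needs:
# widgets.microsoft.com -> DC=widgets,DC=microsoft,DC=com
function ConvertTo-DomainDN {
    param([Parameter(Mandatory)][string]$DnsDomainName)
    $labels = $DnsDomainName.Trim('.').Split('.') | Where-Object { $_ -ne '' }
    if (-not $labels) { throw "Domain name '$DnsDomainName' has no labels" }
    return (($labels | ForEach-Object { "DC=$_" }) -join ',')
}

# Write an edited copy so the file on the installation media is left untouched.
function New-SiteSchemaLdf {
    param(
        [Parameter(Mandatory)][string]$SourceLdf,      # <media>\SMSSETUP\BIN\X64\ConfigMgr_ad_schema.ldf
        [Parameter(Mandatory)][string]$DnsDomainName,  # root domain to extend
        [Parameter(Mandatory)][string]$OutputLdf
    )
    $dn = ConvertTo-DomainDN -DnsDomainName $DnsDomainName
    $content = Get-Content -Path $SourceLdf -Raw
    # Refuse to continue if the placeholder is absent: this is not the file we expect.
    if ($content -notmatch 'DC=x\b') { throw "No DC=x placeholder found in $SourceLdf" }
    $outDir = Split-Path -Parent $OutputLdf
    if ($outDir -and -not (Test-Path -Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }
    $content -replace 'DC=x\b', $dn | Set-Content -Path $OutputLdf
    return $OutputLdf
}

# Import with the same switches as the command line in step 3:
# -i import, -f input file, -v verbose, -j directory that receives ldif.log and ldif.err
function Import-SiteSchemaLdf {
    param(
        [Parameter(Mandatory)][string]$Ldf,
        [Parameter(Mandatory)][string]$LogDir
    )
    if (-not (Test-Path -Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    & ldifde.exe -i -f $Ldf -v -j $LogDir
    # A non-zero exit code means the extension did not complete; that is the cue for
    # step 5 (restore the schema master's system state from the step 1 backup).
    if ($LASTEXITCODE -ne 0) {
        throw "ldifde exited with code $LASTEXITCODE; review ldif.log and ldif.err in $LogDir"
    }
    return $LASTEXITCODE
}

# Usage (placeholder paths and domain):
$ldf = New-SiteSchemaLdf -SourceLdf 'D:\SMSSETUP\BIN\X64\ConfigMgr_ad_schema.ldf' `
                         -DnsDomainName 'widgets.microsoft.com' `
                         -OutputLdf 'C:\SchemaExt\ConfigMgr_ad_schema.ldf'
Import-SiteSchemaLdf -Ldf $ldf -LogDir 'C:\SchemaExt\Logs'
```

The replacement is anchored with a word boundary so that only the literal DC=x placeholder changes, and the import throws on a non-zero ldifde exit code so that an unattended run stops at the point where step 5 (restoring the backup) would apply rather than silently continuing into site installation.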
Note: To restore the system state on a Windows domain controller, the system must be restarted in Directory Services Restore Mode. For more information about Directory Services Restore Mode, see Restart the Domain Controller in Directory Services Restore Mode Locally.

Create the System Management Container

Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container must be created one time for each domain that includes a Configuration Manager primary site server or secondary site server that publishes site information to Active Directory Domain Services.

You can grant the site server's computer account Full Control permission to the System container in Active Directory Domain Services, which results in the site server automatically creating the System Management container when site information is first published to Active Directory Domain Services. However, it is more secure to manually create the System Management container.

Use ADSI Edit to create the System Management container in Active Directory Domain Services. For more information about how to install and use ADSI Edit, see ADSI Edit (adsiedit.msc) in the Active Directory Domain Services documentation.

To manually create the System Management container

1. Log on as an account that has the Create All Child Objects permission on the System container in Active Directory Domain Services.

2. Run ADSI Edit, and connect to the domain in which the site server resides.

3. Expand Domain <computer fully qualified domain name>, expand <distinguished name>, right-click CN=System, click New, and then click Object.

4. In the Create Object dialog box, select Container, and then click Next.

5. In the Value box, type System Management, and then click Next.

6. Click Finish to complete the procedure.

Set Security Permissions on the System Management Container

After you have created the System Management container in Active Directory Domain Services, you must grant the site server's computer account the permissions that are required to publish site information to the container.

Important: The primary site server computer account must be granted Full Control permissions to the System Management container and all its child objects. If you have secondary sites, the secondary site server computer account must also be granted Full Control permissions to the System Management container and all its child objects.

You can grant the necessary permissions by using the Active Directory Users and Computers administrative tool or the Active Directory Service Interfaces Editor (ADSI Edit). For more information about how to install and use ADSI Edit, see ADSI Edit (adsiedit.msc). The following procedures are provided as examples of how to configure Windows Server 2008 R2 computers. If you are using a different operating system version, refer to that operating system's documentation for information about how to make similar configurations.

To apply permissions to the System Management container by using the Active Directory Users and Computers administrative tool

1. Click Start, click Run, and then enter dsa.msc to open the Active Directory Users and Computers administrative tool.

2. Click View, and then click Advanced Features.

3. Expand the System container, right-click System Management, and then click Properties.

4. In the System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions.

5. Click Advanced, select the site server's computer account, and then click Edit.

6. In the Apply to list, select This object and all descendant objects.

7. Click OK and then close the Active Directory Users and Computers administrative tool to complete the procedure.

To apply permissions to the System Management container by using the ADSI Edit console

1. Click Start, click Run, and enter adsiedit.msc to open the ADSI Edit console.

2. If necessary, connect to the site server's domain.

3. In the console pane, expand the site server's domain, expand DC=<server distinguished name>, and then expand CN=System. Right-click CN=System Management, and then click Properties.

4. In the CN=System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions.

5. Click Advanced, select the site server's computer account, and then click Edit.

6. In the Apply onto list, select This object and all descendant objects.

7. Click OK to close the ADSI Edit console and complete the procedure.
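The following PowerShell script is an added example; it is not part of the Microsoft documentation and does not ship with Configuration Manager. It performs the same work as the two GUI procedures above: it creates the System Management container under CN=System (so the site server never needs Full Control on CN=System itself), grants a site server's computer account Full Control with the scope "This object and all descendant objects", and then reads the ACL back to confirm the entry. It assumes the ActiveDirectory PowerShell module (RSAT) is available; the domain distinguished name and server name are placeholders.

```powershell
# Added example (not from the Microsoft documentation): create the System Management
# container and grant a site server's computer account Full Control on it and all
# descendant objects. Requires the ActiveDirectory module; names are placeholders.
Import-Module ActiveDirectory

function New-SystemManagementContainer {
    param([Parameter(Mandatory)][string]$DomainDN)   # e.g. DC=widgets,DC=microsoft,DC=com
    $systemDN = "CN=System,$DomainDN"
    $existing = Get-ADObject -LDAPFilter '(&(objectClass=container)(cn=System Management))' `
                             -SearchBase $systemDN -SearchScope OneLevel
    if (-not $existing) {
        # Needs Create All Child Objects on CN=System, as the manual procedure states.
        New-ADObject -Name 'System Management' -Type container -Path $systemDN | Out-Null
    }
    return "CN=System Management,$systemDN"
}

function Grant-SiteServerFullControl {
    param(
        [Parameter(Mandatory)][string]$ContainerDN,
        [Parameter(Mandatory)][string]$SiteServerName   # computer name of the primary or secondary site server
    )
    $sid    = (Get-ADComputer -Identity $SiteServerName).SID
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll        # Full Control
    $type   = [System.Security.AccessControl.AccessControlType]::Allow
    $scope  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # this object and all descendants
    $rule   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                         -ArgumentList $sid, $rights, $type, $scope
    $acl = Get-Acl -Path "AD:\$ContainerDN"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$ContainerDN" -AclObject $acl
}

# Read the ACL back and confirm an Allow/Full Control/All-descendants entry for the account.
function Test-SiteServerFullControl {
    param(
        [Parameter(Mandatory)][string]$ContainerDN,
        [Parameter(Mandatory)][string]$SiteServerName
    )
    $sid  = (Get-ADComputer -Identity $SiteServerName).SID
    $full = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $acl  = Get-Acl -Path "AD:\$ContainerDN"
    $match = $acl.Access | Where-Object {
        # Compare by SID so the check does not depend on how the identity is displayed.
        $id = try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
        $id -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $full) -eq $full -and
        $_.InheritanceType -eq 'All'
    }
    return [bool]$match
}

# Usage (placeholders). Repeat the grant for each secondary site server in the domain.
$dn = New-SystemManagementContainer -DomainDN 'DC=widgets,DC=microsoft,DC=com'
Grant-SiteServerFullControl -ContainerDN $dn -SiteServerName 'SITESERVER01'
Test-SiteServerFullControl  -ContainerDN $dn -SiteServerName 'SITESERVER01'
```

The grant is scoped to the System Management container only, which is the least-privilege configuration the text recommends over granting the site server Full Control on the System container. The verification function is what you would run after either GUI procedure as well, to confirm the entry has the inheritance scope the procedures require.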
Configure Windows-Based Servers for Configuration Manager Site System Roles

Before you can use a Windows Server with System Center 2012 Configuration Manager, you must ensure that the computer is configured to support Configuration Manager operations. Use the information in the following sections to configure Windows servers for Configuration Manager. For more information about site system role prerequisites, see the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

The procedures in the following sections are provided as examples of how to configure Windows Server 2008 or Windows Server 2008 R2 computers. If you are using a different operating system version, refer to that operating system's documentation for information about how to make similar configurations.

Remote Differential Compression

Site servers and distribution points require Remote Differential Compression (RDC) to generate package signatures and perform signature comparison. If RDC is not enabled, you must enable it on these site system servers. By default, RDC is not enabled on Windows Server 2008 or Windows Server 2008 R2. Use the following procedure as an example of how to enable Remote Differential Compression on Windows Server 2008 and Windows Server 2008 R2 computers. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure.

To configure Remote Differential Compression for Windows Server 2008 or Windows Server 2008 R2

1. On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start / All Programs / Administrative Tools / Server Manager to start Server Manager. In Server Manager, select the Features node and click Add Features to start the Add Features Wizard.

2. On the Select Features page, select Remote Differential Compression, and then click Next.

3. Complete the wizard and close Server Manager to complete the configuration.

Internet Information Services (IIS)

Several site system roles require Internet Information Services (IIS). If IIS is not already enabled, you must enable it on site system servers before you install a site system role that requires IIS. In addition to the site server, the following site system roles require IIS:

• Application Catalog web service point
• Application Catalog website point
• Distribution point
• Enrollment point
• Enrollment proxy point
• Fallback status point
• Management point
• Software update point

The minimum version of IIS that Configuration Manager requires is the default version that is supplied with the operating system of the server that runs the site system. For example, when you enable IIS on a Windows Server 2008 computer that you plan to use as a distribution point, IIS 7.0 is installed. You can also install IIS 7.5. If you enable IIS on a Windows 7 computer for a distribution point, IIS 7.5 is automatically installed. You cannot use IIS version 7.0 for a distribution point that runs Windows 7.

Use the following procedure as an example of how to install IIS on a Windows Server 2008 or Windows Server 2008 R2 computer. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure.

To install Internet Information Services (IIS) on Windows Server 2008 and Windows Server 2008 R2 computers

1. On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start / All Programs / Administrative Tools / Server Manager to start Server Manager. In Server Manager, select the Features node and click Add Features to start the Add Features Wizard.

2. On the Select Features page of the Add Features Wizard, install any additional features that are required to support the site system roles you install on this computer. For example, to add BITS Server Extensions:

   • For Windows Server 2008, select the BITS Server Extensions check box. For Windows Server 2008 R2, select the Background Intelligent Transfer Services (BITS) check box. When prompted, click Add Required Role Services to add the dependent components, including the Web Server (IIS) role, and then click Next.

   Tip: If you are configuring a computer that will be a site server or distribution point, ensure that the check box for Remote Differential Compression is selected.

3. On the Web Server (IIS) page of the Add Features Wizard, click Next.

4. On the Select Role Services page of the Add Features Wizard, install any additional role services that are required to support the site system roles you install on this computer. For example, to add ASP.NET and Windows Authentication:

   • For Application Development, select the ASP.NET check box and, when prompted, click Add Required Role Services to add the dependent components.
   • For Security, select the Windows Authentication check box.

5. In the Management Tools node, for IIS 6 Management Compatibility, ensure that both the IIS 6 Metabase Compatibility and IIS 6 WMI Compatibility check boxes are selected, and then click Next.

6. On the Confirmation page, click Install, complete the wizard, and close Server Manager to complete the configuration.

Request Filtering for IIS

By default, IIS blocks several file name extensions and folder locations from access by HTTP or HTTPS communication. If your package source files contain extensions that are blocked in IIS, you must configure the requestFiltering section in the applicationHost.config file on distribution point computers.

The following file name extensions are used by Configuration Manager for packages and applications. Allow the following file name extensions on distribution points:

• .PCK
• .PKG
• .STA
• .TAR

For example, you might have source files for a software deployment that include a folder named bin, or that contain a file with the .mdb file name extension. By default, IIS request filtering blocks access to these elements. When you use the default IIS configuration on a distribution point, clients that use BITS fail to download this software deployment from the distribution point. In this scenario, the clients indicate that they are waiting for content. To enable the clients to download this content by using BITS, on each applicable distribution point, edit the requestFiltering section of the applicationHost.config file to allow access to the files and folders in the software deployment.

Important: Modifications to the requestFiltering section apply to all websites on that server. This configuration increases the attack surface of the computer. The security best practice is to run Configuration Manager on a dedicated web server. If you must run other applications on the web server, use a custom website for Configuration Manager. For information about custom websites, see the Planning for Custom Websites with Configuration Manager section in Planning for Site Systems in Configuration Manager.
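The following PowerShell script is an added example and is not part of the Microsoft documentation. It prepares a Windows Server 2008 R2 distribution point in two parts: part 1 enables Remote Differential Compression and the IIS components named in the two Server Manager procedures above through the ServerManager module; part 2 applies the request-filtering change just described by editing the XML of applicationHost.config, flipping allowed="false" to allowed="true" only for the extensions you pass in and removing only the hidden segments you name, after taking a backup of the file. The feature names are the Windows Server 2008 R2 ServerManager identifiers; the extension and folder lists, and the sample configuration fragment the demonstration runs against, are constructed for illustration.

```powershell
# Added example (not from the Microsoft documentation): prepare a Windows Server 2008 R2
# distribution point. Feature names are ServerManager identifiers for that release;
# the extension/segment lists and the sample XML are constructed placeholders.

# --- Part 1: Windows features (RDC plus the IIS role services named in the procedures) ---
function Install-DistributionPointFeatures {
    Import-Module ServerManager
    $features = @(
        'RDC',               # Remote Differential Compression
        'BITS-IIS-Ext',      # BITS server extensions; pulls in the Web Server (IIS) role
        'Web-Server',
        'Web-Asp-Net',       # Application Development > ASP.NET
        'Web-Windows-Auth',  # Security > Windows Authentication
        'Web-Metabase',      # IIS 6 Management Compatibility > IIS 6 Metabase Compatibility
        'Web-WMI'            # IIS 6 Management Compatibility > IIS 6 WMI Compatibility
    )
    $result = Add-WindowsFeature -Name $features   # required dependencies are added automatically
    return $result.Success
}

# --- Part 2: request filtering, applied to the XML so every change is explicit ---
function Update-RequestFiltering {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [string[]]$AllowExtensions = @(),   # e.g. '.mdb'; allow only what your content needs
        [string[]]$UnhideSegments  = @()    # e.g. 'bin'
    )
    $rf = $Config.SelectSingleNode('/configuration/system.webServer/security/requestFiltering')
    if (-not $rf) { throw 'requestFiltering section not found' }
    $fe = $rf.SelectSingleNode('fileExtensions')
    if (-not $fe) { $fe = $rf.AppendChild($Config.CreateElement('fileExtensions')) }

    foreach ($ext in $AllowExtensions) {
        $node = $fe.SelectSingleNode("add[@fileExtension='$ext']")
        if ($node) {
            $node.SetAttribute('allowed', 'true')   # allowed="false" -> allowed="true"
        } elseif ($fe.GetAttribute('allowUnlisted') -eq 'false') {
            # Unlisted extensions are only blocked when allowUnlisted="false"; add an explicit allow then.
            $new = $Config.CreateElement('add')
            $new.SetAttribute('fileExtension', $ext)
            $new.SetAttribute('allowed', 'true')
            $fe.AppendChild($new) | Out-Null
        }
    }
    foreach ($seg in $UnhideSegments) {
        $node = $rf.SelectSingleNode("hiddenSegments/add[@segment='$seg']")
        if ($node) { $node.ParentNode.RemoveChild($node) | Out-Null }   # delete <add segment="bin" />
    }
    return $Config
}

# Back up and edit the live file. Run from 64-bit PowerShell so System32 is not redirected.
function Set-DistributionPointRequestFiltering {
    param(
        [string[]]$AllowExtensions,
        [string[]]$UnhideSegments,
        [string]$Path = "$env:windir\System32\inetsrv\config\applicationHost.config"
    )
    Copy-Item -Path $Path -Destination "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"
    $xml = New-Object xml
    $xml.PreserveWhitespace = $true
    $xml.Load($Path)
    Update-RequestFiltering -Config $xml -AllowExtensions $AllowExtensions -UnhideSegments $UnhideSegments | Out-Null
    $xml.Save($Path)
}

# Demonstration on a constructed fragment shaped like the default applicationHost.config.
$sample = [xml]@'
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".mdb" allowed="false" />
          <add fileExtension=".config" allowed="false" />
        </fileExtensions>
        <hiddenSegments>
          <add segment="bin" />
          <add segment="App_Code" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
'@
$updated = Update-RequestFiltering -Config $sample -AllowExtensions '.mdb' -UnhideSegments 'bin'
$updated.SelectSingleNode("//add[@fileExtension='.mdb']").GetAttribute('allowed')   # .mdb now allowed
$updated.SelectSingleNode("//hiddenSegments").ChildNodes.Count                      # only App_Code remains
```

Only the entries you name are touched: .config stays blocked and App_Code stays hidden in the demonstration, which matches the instruction to allow only the extensions your content requires. Because the edit still applies to every website on the server, the dedicated-server or custom-website advice in the Important note above is unchanged by scripting it.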
Use the following procedure as an example of how to modify requestFiltering on a Windows Server 2008 or Windows Server 2008 R2 computer. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure.

To configure request filtering for IIS on distribution points

1. On the distribution point computer, open the applicationHost.config file located in the %Windir%\System32\Inetsrv\Config directory.

2. Search for the <requestFiltering> section.

3. Determine the file name extensions and folder names that you will have in the packages on this distribution point. For each extension and folder name that you require, perform the following steps:

   • If it is listed as a fileExtension element, set the value for allowed to true. For example, if your content contains a file with an .mdb extension, change the line <add fileExtension=".mdb" allowed="false" /> to <add fileExtension=".mdb" allowed="true" />. Allow only the file name extensions required for your content.
   • If it is listed as a <hiddenSegments> element, delete the entry that matches the file name extension or folder name from the file. For example, if your content contains a folder with the label of bin, remove the line <add segment="bin" /> from the file.

4. Save and close the applicationHost.config file to complete the configuration.

See Also

Configuring Sites and Hierarchies in Configuration Manager

Install Sites and Create a Hierarchy for Configuration Manager

You can use the Setup Wizard in System Center 2012 Configuration Manager to install and uninstall sites, create a Configuration Manager hierarchy, recover a site, and perform site maintenance. Use the following sections in this topic to help you to install sites, create a hierarchy, and learn more about the Setup options.

• What's New in Configuration Manager
• Things to Consider Before You Run Setup
• Pre-Installation Applications
• Setup Downloader
• Prerequisite Checker
• Manual Steps to Prepare for Site Server Installation
• System Center 2012 Configuration Manager Setup Wizard
• Install a Configuration Manager Console
• Manage Configuration Manager Console Languages
• Install a Site Server
• Install a Central Administration Site
• Install a Primary Site Server
• Install a Secondary Site
• Upgrade an Evaluation Installation to a Full Installation
• Using Command-Line Options with Setup
• Configuration Manager Unattended Setup
• Decommission Sites and Hierarchies
• Configuration Manager Site Naming

What's New in Configuration Manager

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following options in Setup for site installation are new or have changed since Configuration Manager 2007.

• Central Administration Site
  The top-level Configuration Manager 2007 site in a multi-primary site hierarchy was known as a central site. In System Center 2012 Configuration Manager the central site is replaced by the central administration site. The central administration site is not a primary site at the top of the hierarchy, but rather a site that is used for reporting and to facilitate communication between primary sites in the hierarchy. A central administration site supports a limited selection of site system roles and does not directly support clients or process client data.

• Installation of Site System Roles
  The following site system roles can be installed and configured for a primary site during Setup:
  • Management point
  • Distribution point
  You can install the site system roles locally on the site server or on a different computer. After installation, you can use the Configuration Manager console to install additional site system roles.

• No Secondary Site Installation Option
  Secondary sites can only be installed from the Configuration Manager console. For more information about installing a secondary site, see the Install a Secondary Site section in this topic.

• Optional Configuration Manager Console Installation
  You can choose to install the Configuration Manager console during Setup or install the console after Setup by using the Configuration Manager console installer (consolesetup.exe).
• Server and client language selections
  You are no longer required to install your site servers using source files for a specific language or install International Client Packs when you want to support different languages on the client. From Setup, you can choose the server and client languages that are supported in your Configuration Manager hierarchy. Configuration Manager uses the display language of the server or client computer when you have configured support for the language.

  Note: English is the default language used when Configuration Manager does not support the display language of the server or client computer. You cannot select specific languages for mobile device clients. Instead, you must enable all available client languages or use English only.

• Unattended installation script is automatically created
  Setup automatically creates the unattended installation script when you confirm the settings on the Summary page of the wizard. The unattended installation script contains the settings that you choose in the wizard. You can modify the script to install other sites in your hierarchy. Setup creates the script in %TEMP%\ConfigMgrAutoSave.ini.

• Database Replication
  When you have more than one System Center 2012 Configuration Manager site in your hierarchy, Configuration Manager uses database replication to transfer data and merge changes made to a site's database with the information stored in the database at other sites in the hierarchy. This enables all sites to share the same information. When you have a primary site without any other sites, database replication is not used. Database replication is enabled when you install a primary site that reports to a central administration site or when you connect a secondary site to a primary site.

• Setup Downloader
  Setup Downloader (SetupDL.exe) is a stand-alone application that downloads the files required by Setup. You can manually run Setup Downloader or Setup can run it during site installation. You can see the progress of files being downloaded and verified, and only the required files are downloaded (missing files and files that have been updated). For more information about Setup Downloader, see the Setup Downloader section in this topic.

• Prerequisite Checker
  The Prerequisite Checker (prereqchk.exe) is a standalone application that verifies server readiness for a specific site system role. In addition to the site server, site database server, and provider computer, the Prerequisite Checker now checks management point and distribution point site systems. You can run Prerequisite Checker manually or Setup runs it automatically as part of site installation. For more information about the Prerequisite Checker, see the Prerequisite Checker section in this topic.

Things to Consider Before You Run Setup

There are many things that you must consider before you run Setup and install your site. Base your System Center 2012 Configuration Manager hierarchy design on careful planning for your network infrastructure, business requirements, budget limitations, and so on. Ideally, read the entire Planning for Configuration Manager Sites and Hierarchy section in the Site Administration for System Center 2012 Configuration Manager guide, but the following list provides several important planning steps from the guide that you must consider before you run Setup.

Warning: Installing System Center 2012 Configuration Manager in your production environment without thorough planning is unlikely to result in a fully functional site that meets your business needs and security requirements.

Item: Network infrastructure and business requirements
Description: Identify your network infrastructure and how it influences your Configuration Manager hierarchy, and what your business requirements are for using Configuration Manager.
More information: Identify Your Network and Business Requirements to Plan a Configuration Manager Hierarchy

Item: Supported Configurations
Description: Verify that your servers meet the supported configurations for installing Configuration Manager.
More information: Supported Configurations for Configuration Manager

Item: PKI Certificates
Description: Review the public key infrastructure (PKI) certificates that you might require for your Configuration Manager site system servers and clients.
More information: PKI Certificate Requirements for Configuration Manager

Item: Site Hierarchy
Description: Determine whether to install a central administration site, child primary site, or stand-alone primary site. When you create a hierarchy, you must install the central administration site first.
More information: Planning for Sites and Hierarchies in Configuration Manager

Item: Windows Environment
Description: Prepare the Windows environment for site server and site system installation.
More information: Prepare the Windows Environment for Configuration Manager

Item: Site Database
Description: Plan for and configure your site database server.
More information: Planning for Database Servers in Configuration Manager
Pre-Installation Applications

There are two applications, Setup Downloader and Prerequisite Checker, that you can optionally run before you install the site. They download updated files for Setup and verify server readiness for the site server or site system server.

Setup Downloader

Configuration Manager Setup Downloader is a stand-alone application that verifies and downloads required prerequisite redistributables, language packs, and the latest product updates for Setup. When you install a Configuration Manager site, you can specify a folder that contains required files or Setup can automatically start the Setup Downloader to download the latest files from the Internet.

You might choose to run Setup Downloader before you run Setup and store the files on a network shared folder or removable hard drive. This is necessary when the planned site server computer does not have Internet access or a firewall prevents the files from downloading. After you download the latest files, you can use the same path to the download folder to install multiple sites. When you install sites, always verify that the path to the download folder contains the most recent version of the files.

You can open Setup Downloader and specify a path to the folder that will host the downloaded files, or you can run Setup Downloader from a command prompt and specify command-line options. Use the following procedures to start Setup Downloader and download the latest Configuration Manager files that are required by Setup.

To start Setup Downloader from Windows Explorer

1. On a computer that has Internet access, open Windows Explorer, and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64.

2. Double-click setupdl.exe. The Setup Downloader opens.

3. Specify the path for the folder that will host the updated installation files, and then click Download. Setup Downloader verifies the files that are currently in the download folder and downloads only the files that are missing or newer than the existing files. Setup Downloader creates subfolders for the downloaded languages. Setup Downloader will create the folder when it does not exist.

   Security: To run the Setup Downloader application, you must have Full Control NTFS file system permissions to the download folder.

4. View the ConfigMgrSetup.log file in the root of the C drive to review the download results.

To start Setup Downloader from a command prompt

1. Open a command prompt and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64.

2. Type setupdl.exe to open Setup Downloader. Optionally, you can use the following command-line options:

   • /VERIFY: Use this option to verify the files in the download folder, which include language files. Review the ConfigMgrSetup.log file in the root of the C drive for a list of files that are outdated. No files are downloaded when you use this option.
   • /VERIFYLANG: Use this option to verify the language files in the download folder. Review the ConfigMgrSetup.log file in the root of the C drive for a list of language files that are outdated.
   • /LANG: Use this option to download only the language files to the download folder.
   • /NOUI: Use this option to start Setup Downloader without displaying the user interface. When you use this option, you must specify the download path as part of the command line.
   • <DownloadPath>: You can specify the path to the download folder to automatically start the verification or download process. You must specify the download path when you use the /NOUI option. When you do not specify a download path, you must specify the path when Setup Downloader opens. Setup Downloader will create the folder when it does not exist.

   Security: To run the Setup Downloader application, you must have Full Control NTFS file system permissions to the download folder.

   Usage examples:

   • setupdl \\MyServer\MyShare\ConfigMgrUpdates
     Setup Downloader starts, verifies the files in the \\MyServer\MyShare\ConfigMgrUpdates folder, and downloads only the files that are missing or newer than the existing files.
   • setupdl /VERIFY c:\ConfigMgrUpdates
     Setup Downloader starts and verifies the files in the c:\ConfigMgrUpdates folder.
   • setupdl /NOUI c:\ConfigMgrUpdates
     Setup Downloader starts without displaying the user interface, verifies the files in the c:\ConfigMgrUpdates folder, and downloads only the files that are missing or newer than the existing files.
   • setupdl /LANG c:\ConfigMgrUpdates
     Setup Downloader starts, verifies the language files in the c:\ConfigMgrUpdates folder, and downloads only the language files that are missing or newer than the existing files.
   • setupdl /VERIFY
     Setup Downloader starts, you must specify the path to the download folder, and after you click Verify, Setup Downloader verifies the files in the download folder.

3. View the ConfigMgrSetup.log file in the root of the C drive to review the download results.
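The following PowerShell script is an added example; it is not part of the Microsoft documentation and is not a Configuration Manager tool. It runs the two pre-installation applications that this section introduces without their user interfaces: it stages Setup files with Setup Downloader (the options listed above) and then runs Prerequisite Checker for a planned primary site, building the prereqchk.exe command line from the option rules given in the Prerequisite Checker section that follows (/NOUI must come first; /PRI requires /SQL and /SDK; /MP and /DP are only supported with /PRI). The media path, server names and the download share are placeholders, and the filter on ConfigMgrPrereq.log is a coarse text match because the page does not document the log's line layout.

```powershell
# Added example (not from the Microsoft documentation): run Setup Downloader and
# Prerequisite Checker unattended for a planned primary site. Paths, share and
# server names are placeholders.

$BinDir = 'D:\SMSSETUP\BIN\X64'   # <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 (placeholder)

function Invoke-SetupDownloader {
    param(
        [Parameter(Mandatory)][string]$DownloadPath,   # e.g. \\MyServer\MyShare\ConfigMgrUpdates
        [switch]$VerifyOnly                            # /VERIFY reports outdated files and downloads nothing
    )
    # /NOUI requires the download path on the command line. The running account needs
    # Full Control NTFS permissions on the folder, which is created here if it is missing.
    if (-not (Test-Path -Path $DownloadPath)) { New-Item -ItemType Directory -Path $DownloadPath | Out-Null }
    $argList = if ($VerifyOnly) { @('/VERIFY', $DownloadPath) } else { @('/NOUI', $DownloadPath) }
    & (Join-Path $BinDir 'setupdl.exe') @argList
    # Results are written to ConfigMgrSetup.log in the root of the C drive.
    return "$env:SystemDrive\ConfigMgrSetup.log"
}

# Build the prereqchk.exe argument list for a primary site, enforcing the option rules.
function New-PrimarySitePrereqArgs {
    param(
        [Parameter(Mandatory)][string]$SqlServerFqdn,     # /SQL is required with /PRI
        [Parameter(Mandatory)][string]$SmsProviderFqdn,   # /SDK is required with /PRI
        [string]$CentralAdminSiteFqdn,                    # /JOIN, optional
        [string]$ManagementPointFqdn,                     # /MP, only supported with /PRI
        [string]$DistributionPointFqdn,                   # /DP, only supported with /PRI
        [int]$SsbPort,                                    # /Ssbport, default 4022 when omitted
        [switch]$NoUI
    )
    $argList = @()
    if ($NoUI) { $argList += '/NOUI' }              # must precede every other option
    $argList += '/PRI'
    $argList += '/SQL', $SqlServerFqdn
    $argList += '/SDK', $SmsProviderFqdn
    if ($CentralAdminSiteFqdn)  { $argList += '/JOIN', $CentralAdminSiteFqdn }
    if ($ManagementPointFqdn)   { $argList += '/MP',   $ManagementPointFqdn }
    if ($DistributionPointFqdn) { $argList += '/DP',   $DistributionPointFqdn }
    if ($SsbPort)               { $argList += '/Ssbport', $SsbPort }
    return $argList
}

function Invoke-PrereqChk {
    param([Parameter(Mandatory)][string[]]$ArgumentList)
    # Administrator rights are needed on every remote server named in the arguments.
    & (Join-Path $BinDir 'prereqchk.exe') @ArgumentList
    $log = "$env:SystemDrive\ConfigMgrPrereq.log"
    # Coarse filter (assumption: the log line layout is not documented on this page):
    # surface lines mentioning Error so they can be resolved before Setup is run.
    if (Test-Path -Path $log) { return Get-Content -Path $log | Select-String -Pattern 'Error' }
}

# Usage (placeholders):
$setupLog = Invoke-SetupDownloader -DownloadPath '\\MyServer\MyShare\ConfigMgrUpdates'
$argList  = New-PrimarySitePrereqArgs -NoUI `
                -SqlServerFqdn 'sql01.widgets.microsoft.com' `
                -SmsProviderFqdn 'site01.widgets.microsoft.com' `
                -CentralAdminSiteFqdn 'cas01.widgets.microsoft.com' `
                -DistributionPointFqdn 'dp01.widgets.microsoft.com'
$errors = Invoke-PrereqChk -ArgumentList $argList
```

Putting the option rules in the argument builder means a script cannot produce a command line the checker would reject, and running the checker before Setup is what lets you fix Error items on the servers in advance rather than discovering them during site installation.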
  • 426. 426 Prerequisite Checker The Prerequisite Checker (prereqchk.exe) is a standalone application that verifies server readiness for a site server or specific site system roles. Before site installation, Setup runs the Prerequisite Checker. You might choose to manually run the Prerequisite Checker on potential site servers or site systems to verify server readiness. This allows you to remediate any issues that you find before you run Setup. When you run Prerequisite Checker without command-line options, the local computer is scanned for an existing site server and only the checks that are applicable to the site are run. If no existing sites are detected, all prerequisite rules are run. You can run Prerequisite Checker from a command prompt and specify specific command-line options to perform only checks associated with the site server or site systems specified in the command- line. When you specify another server to check, you must have Administrator rights on the server for Prerequisite Checker to complete the checks. For more information about the prerequisite checks that are performed by Prerequisite Checker, see Technical Reference for the Prerequisite Checker in Configuration Manager. Use the following procedures to run Prerequisite Checker on site servers or site system servers. 1. In Windows Explorer, browse to one of the following locations:  <ConfigMgrInstallationMedia>SMSSETUPBINX64.  <ConfigMgrInstallationPath>SMSSETUPBINX64. 2. Copy the following files to the destination folder on the other computer:  prereqchk.exe  prereqcore.dll  basesql.dll  basesvr.dll  baseutil.dll 1. In Windows Explorer, browse to <ConfigMgrInstallationMedia>SMSSETUPBINX64 or <ConfigMgrInstallationPath>SMSSETUPBINX64. 2. Open prereqchk.exe to start Prerequisite Checker. Prerequisite Checker detects existing sites, and if found, will perform checks for upgrade readiness. If no sites are found, all checks are performed. 
The Site Type column provides information about the site server or site system for which the rule is associated. 1. Open a command prompt and browse to <ConfigMgrInstallationMedia>SMSSETUPBINX64 or <ConfigMgrInstallationPath>SMSSETUPBINX64. To move Prerequisite Checker files to another computer To start Prerequisite Checker and run default checks To start Prerequisite Checker from a command prompt and run all checks
  • 427. 427 2. Type prereqchk.exe /LOCAL to open Prerequisite Checker and run all prerequisite checks on the server. 1. Open a command prompt and browse to <ConfigMgrInstallationMedia>SMSSETUPBINX64 or <ConfigMgrInstallationPath>SMSSETUPBINX64. 2. Type prereqchk.exe and choose from the following command-line options to check requirements for a primary site installation. Command-Line Option Required? Description /NOUI No Use this option to start Prerequisite Checker without displaying the user interface. You must specify this option before any other option in the command-line. /PRI Yes Verifies that the local computer meets the requirements for the primary site. /SQL <FQDN of SQL Server> Yes Verifies that the specified computer meets the requirements for SQL Server to host the Configuration Manager site database. /SDK <FQDN of SMS Provider> Yes Verifies that the specified computer meets the requirements for the SMS Provider. /JOIN <FQDN of central administration site> No Verifies that the local computer meets the requirements for connecting to the central administration server. /MP <FQDN of management point> No Verifies that the specified computer meets the requirements for the To start Prerequisite Checker from a command prompt and run primary site checks
  • 428. 428 management point site system role. This option is only supported when you use the /PRI option. /DP <FQDN of distribution point> No Verifies that the specified computer meets the requirements for the distribution point site system role. This option is only supported when you use the /PRI option. /Ssbport No Verifies that a firewall exception is in effect to allow communication for the SQL Server Service Broker (SSB) port. The default is port number is 4022. InstallDir <ConfigMgrInstallationPath> No Verifies minimum disk space on requirements for site installation. Usage examples (optional options are displayed in brackets):  prereqchk.exe [/NOUI] /PRI /SQL <FQDN of SQL Server> /SDK <FQDN of SMS Provider> [/JOIN <FQDN of central administration site>] [/MP <FQDN of management point>] [/DP <FQDN of distribution point>] When you run the command-line, unless you use the NOUI option, Prerequisite Checker opens and starts scanning the specified servers using prerequisite checks applicable to the specified command-line options. Prerequisite Checker creates a list in the Prerequisite result section for any problems found. 3. Click an item on the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you install the site server, site system, or Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the root of the C drive to review the prerequisite checker results. 1. Open a command prompt and browse to <ConfigMgrInstallationMedia>SMSSETUPBINX64 or <ConfigMgrInstallationPath>SMSSETUPBINX64. To start Prerequisite Checker from a command prompt and run central administration site checks
2. Type prereqchk.exe and choose from the following command-line options to check requirements for a central administration site installation.
  /NOUI  (not required)
      Use this option to start Prerequisite Checker without displaying the user interface. You must specify this option before any other option in the command line.
  /CAS  (required)
      Verifies that the local computer meets the requirements for the central administration site.
  /SQL <FQDN of SQL Server>  (required)
      Verifies that the specified computer meets the requirements for SQL Server to host the Configuration Manager site database.
  /SDK <FQDN of SMS Provider>  (required)
      Verifies that the specified computer meets the requirements for the SMS Provider.
  /Ssbport  (not required)
      Verifies that a firewall exception is in effect to allow communication on the SSB port. The default port number is 4022.
  InstallDir <ConfigMgrInstallationPath>  (not required)
      Verifies minimum disk space requirements for site installation.

Usage examples (optional options are displayed in brackets):
  prereqchk.exe /CAS /SQL <FQDN of SQL Server> /SDK <FQDN of SMS Provider> /Ssbport 4022
  prereqchk.exe /NOUI /CAS /SQL <FQDN of SQL Server> /SDK <FQDN of SMS Provider>

When you run the command line, unless you use the /NOUI option, Prerequisite Checker opens and starts scanning the specified servers by using the prerequisite checks that apply to the specified command-line options. Prerequisite Checker creates a list in the Prerequisite result section for any problems found.
3. Click an item on the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you install the site server, site system, or Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the root of the C drive to review the prerequisite checker results.

To start Prerequisite Checker from a command prompt from a primary site and run secondary site checks
1. On the primary site server from which you will install the secondary site, open a command prompt and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.
2. Type prereqchk.exe and choose from the following command-line options to check requirements for a secondary site installation on a remote server.
  /NOUI  (not required)
      Use this option to start Prerequisite Checker without displaying the user interface. You must specify this option before any other option in the command line.
  /SEC <FQDN of secondary site server>  (required)
      Verifies that the specified computer meets the requirements for the secondary site.
  /INSTALLSQLEXPRESS  (not required)
      Verifies that SQL Server Express can be installed on the specified computer.
  /Ssbport  (not required)
      Verifies that a firewall exception is in effect to allow communication for the SQL Server Service Broker (SSB) port. The default port number is 4022.
  /Sqlport  (not required)
      Verifies that a firewall exception is in effect to allow communication for the SQL Server service port, and that the port is not in use by another SQL Server named instance. The default port is 1433.
  InstallDir <ConfigMgrInstallationPath>  (not required)
      Verifies minimum disk space requirements for site installation.
  SourceDir  (not required)
      Verifies that the computer account of the secondary site can access the folder hosting the source files for Setup.

Usage examples (optional options are displayed in brackets):
  prereqchk.exe /SEC <FQDN of secondary site server> /Ssbport 4022 /SourceDir <Source Folder Path>
  prereqchk.exe [/NOUI] /SEC <FQDN of secondary site server> [/INSTALLSQLEXPRESS]

When you run the command line, unless you use the /NOUI option, Prerequisite Checker opens and starts scanning the specified servers by using the prerequisite checks that apply to the specified command-line options. Prerequisite Checker creates a list in the Prerequisite result section for any problems found.
3. Click an item on the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you install the site server, site system, or Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the root of the C drive to review the prerequisite checker results.

To start Prerequisite Checker from a command prompt and run Configuration Manager console checks
1. On the computer on which you want to install the Configuration Manager console, open a command prompt and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.
2. Type prereqchk.exe /Adminui to check requirements for Configuration Manager console installation on the local computer. When you run the command line, Prerequisite Checker opens and starts scanning the local computer by using the prerequisite checks that apply to the specified command-line options. Prerequisite Checker creates a list in the Prerequisite result section for any problems found.
3. Click an item on the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you install the site server, site system, or Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the root of the C drive to review the prerequisite checker results.

Manual Steps to Prepare for Site Server Installation
Before you install a site server on a computer, consider the following manual steps to prepare for site server installation.
  Install the latest security updates on the site server computer.
      Use Windows Update to install the latest security updates on the site server computer.
  Install the hotfix described in KB2552033 on site servers that run Windows Server 2008 R2.
      The hotfix described in KB2552033 must be installed on site servers that run Windows Server 2008 R2 when client push installation is enabled.

System Center 2012 Configuration Manager Setup Wizard
When you run Setup, the local computer is scanned for an existing site server, and Setup provides only the options that apply, based on the scan results. The options that are available in Setup also differ depending on whether you run Setup from installation media (the Configuration Manager DVD or a network shared folder), or from the Start menu or by opening Setup.exe from the installation path on an existing site server.
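The Prerequisite Checker procedures above end the same way each time: run prereqchk.exe, then read the Prerequisite result list or ConfigMgrPrereq.log for rules with an Error status. The following PowerShell script is an added example and is not part of the Microsoft documentation. It runs the checker unattended with /NOUI for a primary site that joins a central administration site, using only the command-line options documented above, and then parses the log so that Error and Warning rules can be collected by a build script. The media path and server names are illustrative, and the semicolon-separated layout assumed for each log line is an assumption about the log format, not something the documentation states.

```powershell
# Added example (not from the Configuration Manager documentation). Runs prereqchk.exe
# with /NOUI for a primary site joining a CAS, then reads C:\ConfigMgrPrereq.log.
# ASSUMPTIONS: the media path and FQDNs are illustrative; each result line in the log is
# assumed to be ';'-separated as "<date> <server>; <rule>; <Passed|Warning|Error>; <details>".
param(
    [string]$MediaRoot   = 'D:\ConfigMgrMedia',      # assumed: <ConfigMgrInstallationMedia>
    [string]$SqlServer   = 'sql01.contoso.com',      # assumed FQDN of SQL Server
    [string]$SmsProvider = 'cm01.contoso.com',       # assumed FQDN of SMS Provider
    [string]$CasServer   = 'cas01.contoso.com',      # assumed FQDN of the CAS
    [int]   $SsbPort     = 4022,                     # documented default SSB port
    [string]$LogPath     = 'C:\ConfigMgrPrereq.log'  # documented: root of the C drive
)

$prereqChk = Join-Path $MediaRoot 'SMSSETUP\BIN\X64\prereqchk.exe'
if (-not (Test-Path $prereqChk)) { throw "prereqchk.exe not found at $prereqChk" }

# Keep only this run's results: set aside any log left behind by an earlier run.
if (Test-Path $LogPath) {
    Rename-Item $LogPath ("ConfigMgrPrereq.{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))
}

# /NOUI must come before any other option (see the option table above).
$chkArgs = @('/NOUI', '/PRI',
             '/SQL', $SqlServer,
             '/SDK', $SmsProvider,
             '/JOIN', $CasServer,
             '/Ssbport', $SsbPort)
$proc = Start-Process -FilePath $prereqChk -ArgumentList $chkArgs -Wait -PassThru -NoNewWindow
Write-Host "prereqchk.exe exited with code $($proc.ExitCode)"

if (-not (Test-Path $LogPath)) { throw "Prerequisite Checker did not write $LogPath" }

# Turn each ';'-separated result line into an object; lines that do not fit are skipped.
$results = foreach ($line in Get-Content $LogPath) {
    $parts = $line -split ';'
    if ($parts.Count -lt 3) { continue }
    $details = if ($parts.Count -gt 3) { ($parts[3..($parts.Count - 1)] -join ';').Trim() } else { '' }
    [pscustomobject]@{
        Rule    = $parts[1].Trim()
        Status  = $parts[2].Trim()
        Details = $details
    }
}

$errorRules   = @($results | Where-Object { $_.Status -eq 'Error' })
$warningRules = @($results | Where-Object { $_.Status -eq 'Warning' })

$results | Format-Table Status, Rule -AutoSize | Out-String | Write-Host

if ($errorRules.Count -gt 0) {
    # Setup does not proceed while any rule is in Error status; list them for remediation.
    Write-Host "$($errorRules.Count) rule(s) returned Error; resolve these before you run Setup:"
    $errorRules | ForEach-Object { Write-Host (" - {0}: {1}" -f $_.Rule, $_.Details) }
    exit 1
}
Write-Host "No rule returned Error. $($warningRules.Count) warning(s) to review before Setup."
```

Swap the option list for /CAS, /SEC or /Adminui to cover the other procedures; the log parsing is the same. Warnings do not block Setup, but each one is still worth a look before a production install, which is why the script reports them separately rather than folding them into the pass/fail result.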
The Configuration Manager Setup Wizard provides the following options to install, upgrade, or uninstall a site:
• Install a Configuration Manager primary site server: When you choose to install a new primary site, you can manually configure the site settings in the wizard, or allow Setup to configure the site with a default installation path, to use a local installation of SQL Server with the default instance for the site database, to install a management point on the site server, and to install a distribution point on the site server. You must start Setup from installation media to select this option.
• Install a Configuration Manager central administration site: The central administration site is used for reporting and to coordinate communication between primary sites in the hierarchy. There is only one central administration site in a Configuration Manager hierarchy, and the central administration site must be the first site installed. You must start Setup from installation media to select this option.
• Upgrade an existing Configuration Manager installation: Choose this option to upgrade an existing version of System Center 2012 Configuration Manager. You must start Setup from installation media to select this option.
• Uninstall a Configuration Manager site server: When an existing site is detected on the local computer, and the version of the site is the same version as Setup, you have the option to uninstall the site server. You can start Setup from either the installation media or from the local site server to select this option.
For more information about site maintenance and site reset options available in Setup, see Manage Site and Hierarchy Configurations.

Install a Configuration Manager Console
Administrative users use the Configuration Manager console to manage the Configuration Manager environment. Each Configuration Manager console connects to either a central administration site or a primary site. After the initial connection is made, the Configuration Manager console can connect to other sites. However, you cannot connect a Configuration Manager console to a secondary site. The objects displayed for the user running the console depend on the rights assigned to the user. For more information about role-based administration, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic.
The Configuration Manager console opens on the
You can install the Configuration Manager console during site server installation in the Setup Wizard, or run the stand-alone application. Use the following procedure to install a Configuration Manager console by using the stand-alone application.

To install a Configuration Manager console
1. Verify that the administrative user who will run the Configuration Manager console application has the following security rights:
• Local Administrator rights on the computer on which the console will run.
• Read rights to the location of the Configuration Manager console installation files.
2. Browse to one of the following locations:
• From the Configuration Manager source media, browse to <ConfigMgrSourceFiles>\smssetup\bin\I386.
• On the site server, browse to <ConfigMgrSiteServerInstallationPath>\tools\ConsoleSetup.
Important
As a best practice, initiate the Configuration Manager console installation from a site server rather than from the System Center 2012 Configuration Manager installation media. The site server installation method copies the Configuration Manager console installation files and the supported language packs for the site to the tools\ConsoleSetup subfolder. If you install the Configuration Manager console from the System Center 2012 Configuration Manager installation media, this installation method always installs the English version, regardless of the supported languages on the site server or the language settings for the operating system running on the computer. Optionally, you can copy the ConsoleSetup folder to an alternate location to start the installation.
3. Double-click consolesetup.exe. The Configuration Manager Console Setup Wizard opens.
Important
Always install the Configuration Manager console by using ConsoleSetup.exe. The Configuration Manager console Setup can be initiated by running AdminConsole.msi, but then no prerequisite or dependency checks are run, and the installation will likely not install correctly.
4. On the opening page, click Next.
5. On the Site Server page, specify the FQDN of the site server to which the Configuration Manager console will connect, and then click Next.
6. On the Installation Folder page, specify the installation folder for the Configuration Manager console, and then click Next. The folder path must not contain trailing spaces or Unicode characters.
7. On the Customer Experience Improvement Program page, choose whether to join the Customer Experience Improvement Program, and then click Next.
8. On the Ready to Install page, click Install to install the Configuration Manager console.

To install a Configuration Manager console from a command prompt
1. On the computer from which you will install the Configuration Manager console, open a command prompt and browse to one of the following locations:
• <ConfigMgrSiteServerInstallationPath>\tools\ConsoleSetup
• <ConfigMgrInstallationMedia>\SMSSETUP\BIN\I386
Important
When you install a Configuration Manager console from a command prompt, it always installs the English version regardless of the language setting for the operating system running on the computer. To install the Configuration Manager console in another language, you must use the previous procedure to install it.
2. Type consolesetup.exe and choose from the following command-line options.
  /q
      Use this option to install the Configuration Manager console unattended. The TargetDir, EnableSQM, and DefaultSiteServerName options are required when you use this option.
  /uninstall
      Use this option to uninstall the Configuration Manager console. You must specify this option first when you use it with the /q option.
  LangPackDir
      Use this option to specify the path to the folder that contains the language files. You can download the language files by using Setup Downloader. If you do not use this option, Setup looks for the language folder in the current folder. If the language folder is not found, Setup continues to install English only. For more information about Setup Downloader, see Setup Downloader in this topic.
  TargetDir
      Use this option to specify the installation folder for the Configuration Manager console. This option is required when used with the /q option.
  EnableSQM
      Use this option to specify whether to join the Customer Experience Improvement Program (CEIP). Use a value of 1 to join the Customer Experience Improvement Program, and a value of 0 to not join the program. This option is required when used with the /q option.
  DefaultSiteServerName
      Use this option to specify the FQDN of the site server to which the console will connect when it opens. This option is required when used with the /q option.
Usage examples:
  consolesetup.exe /q TargetDir="D:\Program Files\ConfigMgr" EnableSQM=1 DefaultSiteServerName=MyServer.Contoso.com
  consolesetup.exe /q LangPackDir=C:\Downloads\ConfigMgr TargetDir="D:\Program Files\ConfigMgr Console" EnableSQM=1 DefaultSiteServerName=MyServer.Contoso.com
  consolesetup.exe /uninstall /q

Manage Configuration Manager Console Languages
During site server installation, the Configuration Manager console installation files, as well as the supported language packs for the site, are copied to the <ConfigMgrInstallationPath>\tools\ConsoleSetup subfolder on the site server. When you start the Configuration Manager console installation from this folder on the site server, the Configuration Manager console and supported language pack files are copied to the computer. When a language pack is available for the current language setting on the computer, the Configuration Manager console opens in that language. If the associated language pack is not available for the Configuration Manager console, the console opens in English.
For example, consider a scenario where you install the Configuration Manager console from a site server that supports English, German, and French. If you open the Configuration Manager console on a computer with a configured language setting of French, the console opens in French. If you open the Configuration Manager console on a computer with a configured language of Japanese, the console opens in English because the Japanese language pack is not available.
Each time the Configuration Manager console opens, it determines the configured language settings for the computer, verifies whether an associated language pack is available for the Configuration Manager console, and then opens the console by using the appropriate language pack.
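The command-line install above and the language behaviour just described fit together in one script. The following PowerShell is an added example, not part of the Microsoft documentation: it installs the console unattended from a copy of the site server's tools\ConsoleSetup folder, passes LangPackDir so that the language packs in that folder are installed rather than English only, and then lists which language folders actually landed under <ConsoleInstallationPath>\bin and whether one of them matches this computer's configured language. The ConsoleSetup copy location, site server FQDN, target folder, the name of the console executable, and the assumption that the console keys its language off the current UI culture are all assumptions, not facts from the documentation.

```powershell
# Added example (not from the Configuration Manager documentation). Installs the console
# unattended from a copy of the site server's tools\ConsoleSetup folder and then reports
# which console language folders exist under <ConsoleInstallationPath>\bin.
# ASSUMPTIONS: the ConsoleSetup copy location, site server FQDN, target folder and the
# console executable name (Microsoft.ConfigurationManagement.exe) are illustrative.
param(
    [string]$SetupDir   = 'C:\ConsoleSetup',                     # assumed copy of <ConfigMgrInstallationPath>\tools\ConsoleSetup
    [string]$SiteServer = 'cm01.contoso.com',                    # assumed FQDN of the site server
    [string]$TargetDir  = 'D:\Program Files\ConfigMgr Console',  # assumed folder: no trailing spaces or Unicode characters
    [int]   $EnableSQM  = 0                                      # 0 = do not join CEIP
)

# Use consolesetup.exe, not AdminConsole.msi, so the prerequisite and dependency checks run.
$consoleSetup = Join-Path $SetupDir 'consolesetup.exe'
$langPackDir  = Join-Path $SetupDir 'LanguagePack'   # documented subfolder holding the .MSP/.MST language files
if (-not (Test-Path $consoleSetup)) { throw "consolesetup.exe not found at $consoleSetup" }

# /q requires TargetDir, EnableSQM and DefaultSiteServerName. Paths are quoted because they
# may contain spaces (an assumption about how consolesetup.exe parses its arguments).
$setupArgs = @(
    '/q',
    "LangPackDir=`"$langPackDir`"",
    "TargetDir=`"$TargetDir`"",
    "EnableSQM=$EnableSQM",
    "DefaultSiteServerName=$SiteServer"
)
$proc = Start-Process -FilePath $consoleSetup -ArgumentList $setupArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "consolesetup.exe exited with code $($proc.ExitCode)" }

# The console binaries live under <ConsoleInstallationPath>\bin; installed language packs
# are subfolders named by culture (the documentation's example is 'de' for German).
$binDir     = Join-Path $TargetDir 'bin'
$consoleExe = Join-Path $binDir 'Microsoft.ConfigurationManagement.exe'   # assumed executable name
if (-not (Test-Path $consoleExe)) { throw "Console executable not found at $consoleExe" }

$installedLanguages = @(Get-ChildItem -Path $binDir |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^[a-z]{2}(-[A-Za-z]{2,4})?$' } |
    Select-Object -ExpandProperty Name)

# The console opens in the language pack matching the computer's configured language and
# falls back to English when none matches. Which Windows setting it reads is assumed here
# to be the current UI culture.
$uiCulture = [System.Globalization.CultureInfo]::CurrentUICulture
Write-Host "Console installed to $TargetDir"
if ($installedLanguages.Count -gt 0) {
    Write-Host ("Language folders present: " + ($installedLanguages -join ', '))
} else {
    Write-Host "Language folders present: none (English only)"
}
if (($installedLanguages -contains $uiCulture.TwoLetterISOLanguageName) -or ($installedLanguages -contains $uiCulture.Name)) {
    Write-Host "Console is expected to open in $($uiCulture.DisplayName) on this computer."
} else {
    Write-Host "No language pack for $($uiCulture.DisplayName); the console will open in English."
}
```

To get an English-only console deliberately, omit LangPackDir and run from a folder that contains no LanguagePack subfolder, or rename the .MSP and .MST files first as the next procedure describes; the language-folder listing at the end then shows no culture folders.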
When you want to open the Configuration Manager console in English regardless of the configured language settings on the computer, you must manually remove or rename the language pack files on the computer. Use the following procedures to start the Configuration Manager console in English regardless of the configured locale setting on the computer.

To install an English-only version of the Configuration Manager console on computers
1. In Windows Explorer, browse to <ConfigMgrInstallationPath>\tools\ConsoleSetup\LanguagePack.
2. Rename the .MSP and .MST files. For example, you could change <filename>.MSP to <filename>.MSP.disabled.
3. Install the Configuration Manager console on the computer.
Important
When new server languages are configured for the site server, the .MSP and .MST files are recopied to the LanguagePack folder, and you must repeat this procedure to install new Configuration Manager consoles in English only.

To temporarily disable a console language on an existing Configuration Manager console installation
1. On the computer running the Configuration Manager console, close the Configuration Manager console.
2. In Windows Explorer, browse to <ConsoleInstallationPath>\bin on the Configuration Manager console computer.
3. Rename the language folder for the language configured on the computer. For example, if the language settings for the computer are set to German, you could rename the de folder to de.disabled.
4. To open the Configuration Manager console in the language configured for the computer again, rename the folder to its original name. For example, rename de.disabled to de.

Install a Site Server
Your Configuration Manager deployment will consist of either a hierarchy of sites or a stand-alone site. A hierarchy consists of multiple sites, each with one or more site system servers. A stand-alone site also consists of one or more site system servers. Site system servers extend the functionality of Configuration Manager; for example, you might install a site system at a site to support software update deployment or to manage mobile devices. To successfully plan your hierarchy of sites and identify the best network and geographical locations to place site servers, make sure that you review the information about each site type and the alternatives to sites offered by content deployment related site systems. For more information, see the Planning a Hierarchy of Sites in Configuration Manager section in the Planning for Sites and Hierarchies in Configuration Manager topic.
You must have a forest trust to support any Configuration Manager sites that are located in other Active Directory forests. When you install a Configuration Manager site in a trusted forest, Configuration Manager does not require any additional configuration steps. However, make sure that any intervening firewalls and network devices do not block the network packets that Configuration Manager requires, that name resolution is working between the forests, and that you use an account that has sufficient permissions to install the site. For more information, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic.
Configuration Manager central administration site and primary site installation requires SQL Server to be installed before you run Setup. You can install SQL Server on a secondary site server before you run Setup, or allow Setup to install SQL Server Express as part of the secondary site installation. For more information about supported SQL Server versions for site installation, see the SQL Server Site Database Configurations section in the Supported Configurations for Configuration Manager topic.
To set up a new site in Configuration Manager, you can use either the Configuration Manager Setup Wizard, or perform an unattended installation by using the scripted installation method. When you use the Configuration Manager Setup Wizard, you can install a primary site server or a central administration site. You install a secondary site from the Configuration Manager console. For more information about the command-line options available for Setup, see the Using Command-Line Options with Setup section in this topic. For more information about running Setup by using an unattended script, see the Configuration Manager Unattended Setup section in this topic.
After Setup completes, you cannot change the program files installation directory, site code, or site description for the site. To change the installation directory, site code, or site name, you must uninstall the site and then reinstall the site by using the new values.
Use the following sections to help you install a site by using the Setup Wizard.

Install a Central Administration Site
Use a central administration site to configure hierarchy-wide settings and to monitor all sites and objects in the hierarchy. You must install the central administration site before you install a primary site that is connected to the Configuration Manager hierarchy. If you install a primary site before you install the central administration site, the only way to connect the primary site to the Configuration Manager hierarchy is to uninstall the primary site, install the central administration site, and then reinstall the primary site and connect it to the central administration site during Setup. Use the following procedure to install a central administration site.

To install a central administration site
1. Verify that the administrative user who runs Setup has the following security rights:
• Local Administrator rights on the central administration site server.
• Local Administrator rights on the site database server for the central administration site, when the site database server is not installed on the site server.
2. On the central administration site computer, open Windows Explorer and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64.
3. Double-click Setup.exe. The Configuration Manager Setup Wizard opens.
4. On the Before You Begin page, click Next.
5. On the Getting Started page, select Install a Configuration Manager central administration site, and then click Next.
6. On the Product Key page, choose whether to install Configuration Manager as an evaluation or a full installation. Enter your product key for the full installation of Configuration Manager. Click Next.
Important
If you install Configuration Manager as an evaluation, after 180 days the Configuration Manager console becomes read-only until you activate the product with a product key from the Site Maintenance page in Setup.
7. On the Microsoft Software License Terms page, read and accept the license terms, and then click Next.
8. On the Prerequisite Licenses page, read and accept the license terms for the prerequisite software, and then click Next. Setup downloads and automatically installs the software on site systems or clients when required. You must select all check boxes before you can continue to the next page.
9. On the Prerequisite Downloads page, specify whether Setup must download the latest prerequisite redistributables, language packs, and the latest product updates from the Internet, or use previously downloaded files, and then click Next. If you previously downloaded the files by using Setup Downloader, select Use previously downloaded files and specify the download folder. For information about Setup Downloader, see the Setup Downloader section in this topic.
Note
When you use previously downloaded files, verify that the path to the download folder contains the most recent version of the files.
10. On the Server Language Selection page, select the languages that will be available for the Configuration Manager console and for reports, and then click Next. English is selected by default and cannot be removed.
11. On the Client Language Selection page, select the languages that will be available to client computers, specify whether to enable all client languages for mobile device clients, and then click Next. English is selected by default and cannot be removed.
12. On the Site and Installation Settings page, specify the site code and site name for the site. For more information about site code naming, including best practices and limitations, see the Configuration Manager Site Naming section in this topic.
13. Specify the installation folder and whether Setup will install the Configuration Manager console on the local computer, and then click Next. The folder path must not contain trailing spaces or Unicode characters.
Warning
You cannot change the installation folder after Setup completes. Verify that the disk drive has enough disk space before you continue.
14. On the Database Information page, specify the information for the site database server and the SQL Server Service Broker (SSB) port to be used by SQL Server, and then click Next. You must specify a valid port that is not in use by another site or service, and that is not blocked by firewall restrictions.
Important
When you configure the site database to use the default instance of SQL Server, you must configure the SQL Server service port to use TCP port 1433, the default port.
Note
Typically, the Service Broker is configured to use TCP port 4022, but other ports are supported.
15. On the SMS Provider Settings page, specify the FQDN for the server that will host the SMS Provider, and then click Next. You can configure additional SMS Providers for the site after the initial installation.
16. On the Customer Experience Improvement Program Configuration page, choose whether to participate, and then click Next.
17. On the Settings Summary page, review the settings and verify that they are accurate. Click Next to start the Prerequisite Checker to verify server readiness for the central administration site server.
18. On the Prerequisite Installation Check page, if there are no problems listed, click Next to install the central administration site. When Prerequisite Checker finds a problem, click an item on the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you continue Setup. After you resolve the issue, click Run Check to restart prerequisite checking. You can open the ConfigMgrPrereq.log file in the root of the C drive to review the prerequisite checker results. For a complete list of installation prerequisite rules and descriptions, see Technical Reference for the Prerequisite Checker in Configuration Manager.
19. On the Installation page, Setup displays the overall installation status. When Setup completes the core site server installation, you can close the wizard. Site configuration continues in the background.
Note
You can connect a Configuration Manager console to the central administration site before the site installation completes, but the console connects to the site as a read-only console. The read-only console allows you to view objects and configuration settings but prevents you from introducing any change that could be lost when the site installation completes.
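The Database Information page in the procedure above asks for an SSB port that is not in use by another site or service and not blocked by a firewall, and requires the SQL Server service port to be TCP 1433 when the site database uses the default instance. The following PowerShell script is an added example, not part of the Microsoft documentation, to run on the intended site server before Setup. It tells apart three outcomes that the wizard's single "blocked" warning lumps together: a port that answers, a port that is reachable but has nothing listening yet, and a port whose packets are dropped by a firewall. The SQL Server FQDN is illustrative and the ports are this page's defaults; other values are supported, as the Note above says.

```powershell
# Added example (not from the Configuration Manager documentation). Run on the server that
# will become the site server, before Setup, to check the ports the Database Information
# page asks about. ASSUMPTIONS: the SQL Server FQDN is illustrative; the ports are this
# page's defaults (1433 for the default instance, 4022 for Service Broker).
param(
    [string]$SqlServer = 'sql01.contoso.com',   # assumed FQDN of the site database server
    [int]   $SqlPort   = 1433,
    [int]   $SsbPort   = 4022,
    [int]   $TimeoutMs = 3000
)

# 'Open'    : a TCP handshake completed, so something is listening on that port.
# 'Refused' : the host answered with a reset, so the path is not filtered but nothing listens.
# 'Timeout' : no answer at all, which is how a firewall without the exception behaves.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    try { $null = [System.Net.Dns]::GetHostAddresses($ComputerName) }
    catch { return 'NameResolutionFailed' }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'Timeout' }
        $client.EndConnect($async)
        return 'Open'
    } catch {
        return 'Refused'
    } finally {
        $client.Close()
    }
}

# Ports this computer already listens on; relevant when SQL Server is local, because the
# SSB port must not be in use by another service on the same host.
function Get-LocalListeningPorts {
    [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
        ForEach-Object { $_.Port } | Sort-Object -Unique
}

$sqlIsLocal = ($SqlServer -eq $env:COMPUTERNAME) -or ($SqlServer -like "$env:COMPUTERNAME.*")

$sqlResult = Test-TcpPort $SqlServer $SqlPort $TimeoutMs
$ssbResult = Test-TcpPort $SqlServer $SsbPort $TimeoutMs

$report = @(
    [pscustomobject]@{ Check = "SQL Server service port $SqlPort on $SqlServer"; Result = $sqlResult }
    [pscustomobject]@{ Check = "Service Broker port $SsbPort on $SqlServer";     Result = $ssbResult }
)
if ($sqlIsLocal) {
    $inUse = (Get-LocalListeningPorts) -contains $SsbPort
    $report += [pscustomobject]@{ Check = "SSB port $SsbPort free on local SQL Server"; Result = $(if ($inUse) { 'InUse' } else { 'Free' }) }
}
$report | Format-Table -AutoSize | Out-String | Write-Host

# SQL Server must already be installed and listening before a CAS or primary site Setup.
if ($sqlResult -ne 'Open') {
    Write-Host "FAIL: SQL Server did not answer on TCP $SqlPort (result: $sqlResult). Check the instance, its TCP port and the firewall exception."
}
# Before the site exists, the Service Broker endpoint is typically not there yet, so a refused
# connection is acceptable; a timeout is the signature of a missing firewall exception.
switch ($ssbResult) {
    'Timeout' { Write-Host "FAIL: TCP $SsbPort to $SqlServer is filtered; add a firewall exception for the SSB port." }
    'Refused' { Write-Host "OK: TCP $SsbPort is not filtered; nothing is listening yet, which is expected before Setup creates the Service Broker endpoint." }
    'Open'    { Write-Host "INFO: something already listens on TCP $SsbPort on $SqlServer; confirm it is not another site or service before reusing the port." }
    default   { Write-Host "FAIL: could not test TCP $SsbPort ($ssbResult)." }
}
```

Run it again after Setup, when the SSB port should report Open, to confirm that the endpoint came up and that the exception still holds after any firewall policy refresh. The same check applies to the primary site procedure that follows, with the primary site's own SQL Server as the target.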
Install a Primary Site Server
During Setup, you must choose whether to join the primary site to an existing central administration site or install it as a stand-alone primary site. When you create a Configuration Manager hierarchy, you must install the central administration site first.
When you install a new primary site in your production environment, manually configure the installation options in the wizard. Typically, you will only choose the Use typical installation options for a stand-alone primary site option to install a stand-alone primary site in your test environment. When you select this option, Setup automatically configures the site as a stand-alone primary site, uses a default installation path, a local installation of SQL Server with the default instance for the site database, a local management point, and a local distribution point, and configures the site with English and the display language of the operating system on the primary site server if it matches one of the languages supported by Configuration Manager.
Use one of the following procedures to install a primary site.

To install a primary site that joins an existing Configuration Manager hierarchy
1. Verify that the user who runs Setup has the following security rights:
• Local Administrator rights on the central administration site server.
• Local Administrator rights on the remote site database server for the central administration site, if it is remote.
• Sysadmin rights on the site database of the central administration site.
• Local Administrator rights on the primary site computer.
• Local Administrator rights on the remote site database server for the primary site, if it is remote.
• A user name associated with the Infrastructure Administrator or Full Administrator security role on the central administration site.
Note
Setup automatically configures the sender address to use the computer account for the primary site server. This account must have Read, Write, Execute, and Delete NTFS file system permissions on the SMS\Inboxes\Despoolr.box\Receive folder on the central administration site server. Also, your security policy must grant the account the Access this computer from the network right on the central administration site. After Setup completes, you can change the account to a Windows user account if required. For example, you must change the account to a Windows user account if your central administration site is in a different forest. For more information about communication requirements across forests, see Planning for Communications Across Forests in Configuration Manager.
2. On the new primary site computer, open Windows Explorer and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64.
3. Double-click Setup.exe. The Configuration Manager Setup Wizard opens.
4. On the Before You Begin page, click Next.
5. On the Getting Started page, select Install a Configuration Manager primary site, verify that Use typical installation options for a stand-alone primary site is not selected, and then click Next.
6. On the Product Key page, choose whether to install Configuration Manager as an evaluation or a full installation. Enter your product key for the full installation of Configuration Manager. Click Next.
Important
If you install Configuration Manager as an evaluation, after 180 days the Configuration Manager console becomes read-only until you activate the product from the Site Maintenance page in Setup.
7. On the Microsoft Software License Terms page, read and accept the license terms, and then click Next.
8. On the Prerequisite Licenses page, read and accept the license terms for the prerequisite software, and then click Next. Setup downloads and automatically installs the software on site systems or clients when required. You must select all check boxes before you can continue to the next page.
9. On the Prerequisite Downloads page, specify whether Setup will download the latest prerequisite redistributables, language packs, and the latest product updates from the Internet, or use previously downloaded files, and then click Next. If you previously downloaded the files by using Setup Downloader, select Use previously downloaded files and specify the download folder. For information about Setup Downloader, see the Setup Downloader section in this topic.
Note
When you use previously downloaded files, verify that the path to the download folder contains the most recent version of the files.
10. On the Server Language Selection page, select the languages that will be available for the Configuration Manager console and for reports, and then click Next. English is selected by default and cannot be removed.
11. On the Client Language Selection page, select the languages that will be available to client computers, specify whether to enable all client languages for mobile device clients, and then click Next. English is selected by default and cannot be removed.
12. On the Site and Installation Settings page, specify the site code and site name for the site. For more information about site code naming, including best practices and limitations, see the Configuration Manager Site Naming section in this topic.
13. Specify the installation folder and whether Setup will install the Configuration Manager console on the local computer, and then click Next. The folder path must not contain trailing spaces or Unicode characters.
Warning
You cannot change the installation folder after Setup completes. Verify that the disk drive has enough disk space before proceeding.
14. On the Primary Site Installation page, select Join the primary site to an existing hierarchy, specify the FQDN for the central administration site, and then click Next.
Setup verifies that the primary site server has access to the central administration site server, and that the site code for the central administration site can be retrieved by using the security credentials of the user running Setup.
15. On the Database Information page, specify the information for the site database server and the SQL Server Service Broker (SSB) port to be used by SQL Server, and then click Next. You must specify a valid port that is not in use by another site or service, and that is not blocked by firewall restrictions. Typically, the Service Broker is configured to use TCP port 4022, but other ports are supported.
Important
When you configure the site database to use the default instance of SQL Server, you must configure the SQL Server service port to use TCP port 1433, the default port.
16. On the SMS Provider Settings page, specify the FQDN for the server that will host the SMS Provider, and then click Next. You can configure additional SMS Providers for the site after the initial installation.
17. On the Client Computer Communication Settings page, choose whether to configure all site systems to accept only HTTPS communication from clients, or to configure the communication method for each site system role, and then click Next. When you select All site system roles accept only HTTPS communication from clients, every client computer must have a valid PKI certificate for client authentication. When you select Configure the communication method on each site system role, you can choose Clients will use HTTPS when they have a valid PKI certificate and HTTPS-enabled site roles are available. This ensures that a client selects a site system configured for HTTPS if one is available. For more information about PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager.
18. On the Site System Roles page, choose whether to install a management point or distribution point. When you select a role for installation, enter the FQDN for the site system and choose the client connection method. Click Next. If you selected All site system roles accept only HTTPS communication from clients on the previous page, the client connection settings are automatically configured for HTTPS and cannot be changed unless you go back and change the setting.
Note
The site system installation account is automatically configured to use the primary site's computer account to install the site system role. If you need to use an alternate installation account for remote site systems, do not select the roles in the Setup Wizard; install them later from the Configuration Manager console instead.
19. On the Customer Experience Improvement Program Configuration page, choose whether to participate, and then click Next.
20. On the Settings Summary page, review the settings and verify that they are accurate. Click Next to start the Prerequisite Checker to verify server readiness for the primary site server and the specified site system roles.
21. On the Prerequisite Installation Check page, if there are no problems listed, click Next to install the primary site and the site system roles that you selected. When Prerequisite Checker finds a problem, click an item on the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you continue Setup. After you resolve the issue, click Run Check to restart prerequisite checking. You can open the ConfigMgrPrereq.log file in the root of the C drive to review the prerequisite checker results. For a complete list of installation prerequisite rules and descriptions, see Technical Reference for the Prerequisite Checker in Configuration Manager.
22. On the Installation page, Setup displays the overall installation status. When Setup completes the core site server and site system installation, you can close the wizard. Site configuration continues in the background.
Note
You can connect a Configuration Manager console to a primary site before the
  • 444. 444 site installation completes, but the console will connect to the site by using a read-only console. The read-only console allows you to view objects and configuration settings but prevents you from introducing any change that could be lost when the site installation completes. 1. Verify the user that runs Setup has the following security rights:  Local Administrator rights on the primary site computer.  Local Administrator rights on the remote site database server for the primary site, if it is remote. 2. On the new primary site computer, open Windows Explorer and browse to <ConfigMgrInstallationMedia>SMSSETUPBINX64. 3. Double-click Setup.exe. The Configuration Manager Setup Wizard opens. 4. On the Before You Begin page, click Next. 5. On the Getting Started page select Install a Configuration Manager primary site, verify that Use typical installation options for a stand-alone primary site is not selected, and then click Next. 6. On the Product Key page, choose whether to install Configuration Manager as an evaluation or a full installation. Enter your product key for the full installation of Configuration Manager. Click Next. If you install Configuration Manager as an evaluation, after 180 days the Configuration Manager console becomes read-only until you activate the product with a product key from the Site Maintenance page in Setup. 7. On the Microsoft Software License Terms page, read and accept the license terms, and then click Next. 8. On the Prerequisite Licenses page, read and accept the license terms for the prerequisite software, and then click Next. Setup downloads and automatically installs the software on site systems or clients when required. You must select all check boxes before you can continue to the next page. 9. 
On the Prerequisite Downloads page, specify whether Setup will download the latest prerequisite redistributables, language packs, and the latest product updates from the Internet or use previously downloaded files, and then click Next. If you previously downloaded the files using Setup Downloader, select Use previously downloaded files and specify the download folder. For information about Setup Downloader, see the Setup Downloader section in this topic. Note When you use previously downloaded files, verify that the path to the download folder contains the most recent version of the files. 10. On the Server Language Selection page, select the languages that will be available for the Configuration Manager console and for reports, and then click Next. English is selected by default and cannot be removed. To install a stand-alone primary site
11. On the Client Language Selection page, select the languages that will be available to client computers, specify whether to enable all client languages for mobile device clients, and then click Next. English is selected by default and cannot be removed.
12. On the Site and Installation Settings page, specify the site code and site name for the site. For more information about site code naming, including best practices and limitations, see the Configuration Manager Site Naming section in this topic.
13. Specify the installation folder and whether Setup will install the Configuration Manager console on the local computer, and then click Next. The folder path must not contain trailing spaces or Unicode characters.
   Warning: You cannot change the installation folder after Setup completes. Verify that the disk drive has enough disk space before proceeding.
   Important: If you selected Use typical installation options for a stand-alone primary site, skip to step 17, the Customer Experience Improvement Program Configuration page.
14. On the Primary Site Installation page, select Install the primary site as a stand-alone site, and then click Next. Click Yes to confirm that you want to install the site as a stand-alone site.
   Important: You cannot join the stand-alone primary site to a central administration site after Setup completes.
15. On the Database Information page, specify the information for the site database server and the SQL Server Service Broker (SSB) port to be used by SQL Server, and then click Next. You must specify a valid port that is not in use by another site or service, and that is not blocked by firewall restrictions. Typically, the Service Broker is configured to use TCP port 4022, but other ports are supported.
   Important: When you configure the site database to use the default instance of SQL Server, you must configure the SQL Server service port to use TCP port 1433, the default port.
16. On the SMS Provider Settings page, specify the FQDN for the server that will host the SMS Provider, and then click Next. You can configure additional SMS Providers for the site after the initial installation.
17. On the Client Communication Settings page, choose whether to configure all site systems to accept only HTTPS communication from clients or to configure the communication method for each site system role, and then click Next. When you select All site system roles accept only HTTPS communication from clients, the client computer must have a valid PKI certificate for client authentication. For more information about PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager.
18. On the Site System Roles page, choose whether to install a management point or distribution point. When you select a role for installation, enter the FQDN for the site system and choose the client connection method. Click Next. If you selected All site system roles accept only HTTPS communication from clients on the previous page, the client connection settings are automatically configured for HTTPS and cannot be changed unless you go back and change the setting.
   Note: The site system installation account is automatically configured to use the primary site's computer account to install the site system role. If you need to use an alternate installation account for remote site systems, do not select the roles in the Setup wizard; install them later from the Configuration Manager console.
19. On the Customer Experience Improvement Program Configuration page, choose whether to participate, and then click Next.
20. On the Settings Summary page, review the settings and verify that they are accurate. Click Next to start the Prerequisite Checker to verify server readiness for the primary site server and site system roles.
21. On the Prerequisite Installation Check page, if there are no problems listed, click Next to install the primary site and site system roles. When the Prerequisite Checker finds a problem, click an item in the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you continue Setup. After you resolve the issue, click Run Check to restart prerequisite checking. You can open the ConfigMgrPrereq.log file in the root of the C drive to review the prerequisite checker results. For a complete list of installation prerequisite rules and descriptions, see Technical Reference for the Prerequisite Checker in Configuration Manager.
22. On the Installation page, Setup displays the overall installation status. When Setup completes the core site server and site system installation, you can close the wizard. Site configuration continues in the background.
   Note: You can connect a Configuration Manager console to the primary site before the site installation completes, but the console connects to the site as a read-only console. The read-only console allows you to view objects and configuration settings but prevents you from introducing any change that could be lost when the site installation completes.

Install a Secondary Site
Use secondary sites to manage the transfer of deployment content and client data across low bandwidth networks. You manage a secondary site from a central administration site or the secondary site's parent primary site, and secondary sites are frequently used in locations that do not have a local administrator. After a secondary site is attached to a primary site, you cannot move it to a different parent site without uninstalling it and then reinstalling it at the new site.
The secondary site requires SQL Server for its site database. Setup automatically installs SQL Server Express during site installation if a local instance of SQL Server is not available. During the secondary site installation, Setup configures database replication with its parent primary site, and automatically installs the management point and distribution point site system roles on the secondary site. For more information about supported versions of SQL Server for secondary sites, see the SQL Server Site Database Configurations section in the Supported Configurations for Configuration Manager topic. Setup automatically configures the secondary site to use the client communication ports configured at the parent primary site. Use the following procedure to create a secondary site.

To create a secondary site
1. Verify that the user who runs Setup has the following security rights:
   • Local Administrator rights on the secondary site computer.
   • Local Administrator rights on the remote site database server for the primary site, if it is remote.
   • Infrastructure Administrator or Full Administrator security role on the parent primary site.
   • Sysadmin rights on the site database of the secondary site.
2. In the Configuration Manager console, click Administration.
3. In the Administration workspace, expand Site Configuration, and then click Sites.
4. On the Home tab, in the Site group, click Create Secondary Site. The Create Secondary Site Wizard opens.
5. On the Before You Begin page, confirm that the primary site listed is the site that you want to be the parent of this secondary site, and then click Next.
6. On the General page, specify the following settings:
   • Site code: Specify a site code for the secondary site. For more information about site code naming, including best practices and limitations, see the Configuration Manager Site Naming section in this topic.
   • Site server name: Specify the FQDN for the secondary site server. Verify that the server meets the requirements for secondary site installation. For more information about supported configurations, see Supported Configurations for Configuration Manager.
   • Site name: Specify a name for the secondary site.
   • Installation folder: Specify the installation folder to create on the secondary site server.
   Click Next.
   Important: You can click Summary to use the default settings in the wizard and go straight to the Summary page. Use this option only when you are familiar with the settings in this wizard. Boundary groups are not associated with the distribution point when you use the default settings. As a result, clients will not use the distribution point that is installed on this secondary site as a content source location. For more information about boundary groups, see the Create and Configure Boundary Groups for Configuration Manager section in the Configuring Boundaries and Boundary Groups in Configuration Manager topic.
7. On the Installation Source Files page, specify the location for the installation files for the secondary site, and then click Next. You can copy the files from the parent site to the secondary site, use the source files from a network location, or use source files that are already available locally on the secondary site server. When you choose the Use the source files at the following network location or the Use the source files at the following location on the secondary site computer option, the location must contain the Redist subfolder with the prerequisite redistributables, language packs, and the latest product updates for Setup. Use Setup Downloader to download the required files to the Redist folder before you install the secondary site. Secondary site installation will fail if the files are not available in the Redist subfolder. For more information about Setup Downloader, see Setup Downloader in this topic.
   Note: The folder or share name that you choose for the Setup installation source files must use only ASCII characters.
   Security: The computer account for the secondary site must have Read NTFS file and share permissions to the Setup source folder and share. Avoid using administrative network shares (for example, C$ and D$) because they require the secondary site computer account to be an administrator on the remote computer.
8. On the SQL Server Settings page, specify whether the secondary site will use SQL Server Express or an existing SQL Server instance for the site database, and then configure the associated settings.
   Important: When you configure the site database to use the default instance of SQL Server, you must configure the SQL Server service port to use TCP port 1433, the default port.
   Install and configure a local copy of SQL Express on the secondary site computer:
   • SQL Server Service port: Specify the SQL Server service port for SQL Server Express to use. The service port is typically configured to use TCP port 1433, but you can configure another port.
   • SQL Server Broker port: Specify the SQL Server Service Broker (SSB) port for SQL Server Express to use. The Service Broker is typically configured to use TCP port 4022, but you can configure a different port. You must specify a valid port that is not in use by another site or service, and that is not blocked by firewall restrictions.
   Use an existing SQL Server instance:
   • SQL Server FQDN: Review the FQDN for the SQL Server computer. You must use a local SQL Server to host the secondary site database and cannot modify this setting.
   • SQL Server instance: Specify the SQL Server instance to use as the secondary site database. Leave this option blank to use the default instance.
   • ConfigMgr site database name: Specify the name to use for the secondary site database.
   • SQL Server Broker port: Specify the SQL Server Service Broker (SSB) port to be used by SQL Server. You must specify a valid port that is not in use by another site or service, and that is not blocked by firewall restrictions.
   Note: Setup does not validate the information that you enter on this page until it starts the installation. Before you continue, verify these settings.
   Click Next.
9. On the Distribution Point page, configure the general distribution point settings.
   • Install and configure IIS if required by Configuration Manager: Select this setting to let Configuration Manager install and configure Internet Information Services (IIS) on the server if it is not already installed. IIS must be installed on all distribution points. If IIS is not installed on the server and you do not select this setting, you must install IIS before the distribution point can be installed successfully.
   • Configure how client devices communicate with the distribution point. There are advantages and disadvantages to using HTTP and HTTPS. For more information, see the Security Best Practices for Content Management section in the Security and Privacy for Content Management in Configuration Manager topic.
     Important: You must select HTTPS when the parent primary site is configured to communicate only by using HTTPS. For more information about client communication to the distribution point and other site systems, see the Planning for Client Communications in Configuration Manager section in the Planning for Communications in Configuration Manager topic.
   • Allow clients to connect anonymously: This setting specifies whether the distribution point will allow anonymous connections from Configuration Manager clients to the content library.
     Warning: When you deploy a Windows Installer application on a Configuration Manager client, Configuration Manager downloads the file to the local cache on the client and the files are eventually removed after the installation completes. The Configuration Manager client updates the Windows Installer source list for the installed Windows Installer applications with the content path for the content library on associated distribution points. Later, if you start the repair action from Add/Remove Programs on a Configuration Manager client running Windows XP, MSIExec attempts to access the content path by using an anonymous user. You must select the Allow clients to connect anonymously setting or the repair fails for clients running Windows XP. For all other operating systems, the client connects to the distribution point by using the logged on user account.
   • Create a self-signed certificate or import a public key infrastructure (PKI) client certificate for the distribution point. The certificate has the following purposes:
     • It authenticates the distribution point to a management point before the distribution point sends status messages.
     • When you select the Enable PXE support for clients check box on the PXE Settings page, the certificate is sent to computers that perform a PXE boot so that they can connect to a management point during the deployment of the operating system.
     When all your management points in the site are configured for HTTP, create a self-signed certificate. When your management points are configured for HTTPS, import a PKI client certificate. To import the certificate, browse to a Public Key Cryptography Standard (PKCS #12) file that contains a PKI certificate with the following requirements for Configuration Manager:
     • Intended use must include client authentication.
     • The private key must be enabled to be exported.
     Note: There are no specific requirements for the certificate subject or subject alternative name (SAN), and you can use the same certificate for multiple distribution points.
     For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment of this certificate, see the Deploying the Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.
   • Enable this distribution point for prestaged content: Select this setting to enable the distribution point for prestaged content. When this setting is selected, you can configure distribution behavior when you distribute content. You can choose whether you always want to prestage the content on the distribution point, prestage the initial content for the package but use the normal content distribution process when there are updates to the content, or always use the normal content distribution process for the content in the package.
10. On the Drive Settings page, specify the drive settings for the distribution point. You can configure up to two disk drives for the content library and two disk drives for the package share, although Configuration Manager can use additional drives when the first two reach the configured drive space reserve. The Drive Settings page configures the priority for the disk drives and the amount of free disk space to remain on each disk drive.
   • Drive space reserve (MB): The value that you configure for this setting determines the amount of free space on a drive before Configuration Manager chooses a different drive and continues the copy process to that drive. Content files can span multiple drives.
   • Content Locations: Specify the content locations for the content library and package share. Configuration Manager will copy content to the primary content location until the amount of free space reaches the value specified for Drive space reserve (MB). By default, the content locations are set to Automatic: the primary content location is set to the disk drive that has the most free disk space at installation, and the secondary location is assigned to the disk drive that has the second most free disk space. When the primary and secondary drives reach the drive space reserve, Configuration Manager will select another available drive with the most free disk space and continue the copy process.
11. On the Content Validation page, specify whether to validate the integrity of content files on the distribution point. When you enable content validation on a schedule, Configuration Manager initiates the process at the scheduled time, and all content on the distribution point is verified. You can also configure the content validation priority. To view the results of the content validation process, click the Monitoring workspace, expand Distribution Status, and click the Content Status node. The content for each package type (for example, Application, Software Update Package, and Boot Image) is displayed.
12. On the Boundary Groups page, manage the boundary groups to which this distribution point is assigned. During content deployment, clients must be in a boundary group associated with the distribution point to use it as a source location for content. You can select the Allow fallback source location for content option to allow clients outside these boundary groups to fall back and use the distribution point as a source location for content when no preferred distribution points are available. For more information about preferred distribution points, see the Planning for Preferred Distribution Points and Fallback section in the Planning for Content Management in Configuration Manager topic.
13. On the Summary page, verify the settings, and then click Next to install the secondary site.
14. On the Completion page, click Close to exit the wizard.
Upgrade an Evaluation Installation to a Full Installation
If you install Configuration Manager as an evaluation, after 180 days the Configuration Manager console becomes read-only until you activate the product from the Site Maintenance page in Setup. When you connect a Configuration Manager console to an evaluation installation of Configuration Manager, the title bar of the console displays the number of days that remain before the evaluation installation expires. The number of days does not automatically refresh and only updates when you make a new connection to a site. Use the following procedure to upgrade an evaluation installation to a full installation.

To upgrade an evaluation installation to a full installation
1. On the site server, click the Start button, click All Programs, click Microsoft System Center 2012, click Configuration Manager, and then click Configuration Manager Setup.
   Important: When you run Setup from installation media, site maintenance options are not available.
2. On the Before You Begin page, click Next.
3. On the Getting Started page, select Perform site maintenance or reset the Site, and then click Next.
4. On the Site Maintenance page, select Convert from Evaluation to Full Product Version, enter a valid product key, and then click Next.
5. On the Microsoft Software License Terms page, read and accept the license terms, and then click Next.
6. On the Configuration page, click Close to complete the wizard.
   Note: If a Configuration Manager console is connected to the site when you upgrade the site to the full installation, the title bar might indicate that the site is still an evaluation version until you reconnect the console to the site.

Using Command-Line Options with Setup
There are many options available when you run Configuration Manager Setup from a command line. These options can be used to start a scripted installation or upgrade, test a site's ability to be upgraded, perform a site reset, manage installed languages, and so on.
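Before a scripted installation is started, the unattended Setup script is worth checking against the rules this topic states for it. The Python below is an added example, not Microsoft's code and not part of Configuration Manager: it applies the rules given in this topic for the /SCRIPT initialization file (the required sections, Name=Value keys that are not case sensitive, the .ini extension and full path, /NOUSERINPUT only together with /SCRIPT) and the Options keys and values that the key table in this topic lists for Action=InstallCAS. Assumptions, also marked in the code: several languages are given as a comma-separated list, section names are matched without regard to case, the SQLConfigOptions and HierarchyOptions keys are not checked, and the sample script with its server name and paths is a constructed placeholder.

```python
"""Pre-flight check for a Configuration Manager unattended Setup script (.ini).
Added example, not Microsoft's code: it applies the rules this topic gives for the
/SCRIPT initialization file and the Options keys the key table lists for InstallCAS."""
import configparser
import ntpath
import re

# Sections the topic requires to install or configure a site.
SITE_SECTIONS = ("Identification", "Options", "SQLConfigOptions", "HierarchyOptions")
# Language codes the key table accepts for the server and client language keys.
SERVER_LANGS = {"DEU", "FRA", "RUS", "CHS", "JPN"}
CLIENT_LANGS = SERVER_LANGS | {"ESN", "CHT", "KOR", "CSY", "DAN", "NLD", "FIN", "ELL",
                               "HUN", "ITA", "NOR", "PLK", "PTB", "PTG", "SVE", "TRK"}
# xxxxx-xxxxx-xxxxx-xxxxx-xxxxx including the dashes (or Eval for the evaluation version).
PRODUCT_KEY_RE = re.compile(r"[A-Z0-9]{5}(?:-[A-Z0-9]{5}){4}", re.IGNORECASE)


def _langs_ok(value, allowed):
    # Assumption: several languages are written as a comma-separated list; empty is allowed.
    return all(c.strip().upper() in allowed for c in value.split(",") if c.strip())


# Options keys the table lists for InstallCAS (configparser lower-cases key names),
# each paired with a check of the value range the table documents.
CAS_OPTION_CHECKS = {
    "productid": lambda v: v.upper() == "EVAL" or bool(PRODUCT_KEY_RE.fullmatch(v)),
    "sitecode": lambda v: bool(re.fullmatch(r"[A-Za-z0-9]{3}", v)),
    "sitename": lambda v: v != "",
    # Assumption: the Setup Wizard rule for the installation folder (no Unicode
    # characters) applies to SMSInstallDir too; configparser already strips trailing spaces.
    "smsinstalldir": lambda v: v != "" and v.isascii(),
    "sdkserver": lambda v: v != "",
    "prerequisitecomp": lambda v: v in ("0", "1"),
    "prerequisitepath": lambda v: v != "",
    "adminconsole": lambda v: v in ("0", "1"),
    "joinceip": lambda v: v in ("0", "1"),
    "addserverlanguages": lambda v: _langs_ok(v, SERVER_LANGS),
    "addclientlanguages": lambda v: _langs_ok(v, CLIENT_LANGS),
    "deleteserverlanguages": lambda v: _langs_ok(v, SERVER_LANGS),
    "deleteclientlanguages": lambda v: _langs_ok(v, CLIENT_LANGS),
}


def check_script(text):
    """Return the problems found in the script text; an empty list means it passed."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)  # Name=Value
    try:
        parser.read_string(text)
    except configparser.Error as exc:  # duplicate keys, a line without "=", and so on
        return ["cannot parse script: %s" % exc]
    sections = {s.lower(): s for s in parser.sections()}  # assumption: case-insensitive
    if "identification" not in sections:
        return ["missing [Identification] section"]
    action = parser.get(sections["identification"], "action", fallback="").strip()
    problems = ["missing [%s] section" % n for n in SITE_SECTIONS if n.lower() not in sections]
    if action.lower() == "installcas" and "options" in sections:
        options = parser[sections["options"]]
        for key, value_ok in CAS_OPTION_CHECKS.items():
            if key not in options:
                problems.append("[Options] %s is required for InstallCAS" % key)
            elif not value_ok(options[key].strip()):
                problems.append("[Options] %s has an invalid value: %r" % (key, options[key]))
    return problems


def setup_command(ini_path, no_user_input=False):
    """Build the Setup command line: the script must be an .ini given by its full path."""
    if not ini_path.lower().endswith(".ini"):
        raise ValueError("the script file must use the .ini file name extension")
    if not ntpath.isabs(ini_path):
        raise ValueError("/SCRIPT needs the full path to the script file")
    command = ["setup.exe", "/SCRIPT", ini_path]
    if no_user_input:  # /NOUSERINPUT is only valid in conjunction with /SCRIPT
        command.append("/NOUSERINPUT")
    return " ".join(command)


# Constructed sample script; the server name and paths are placeholders.
SAMPLE_SCRIPT = """[Identification]
Action=InstallCAS
[Options]
ProductID=Eval
SiteCode=CAS
SiteName=Contoso central administration site
SMSInstallDir=C:\\Program Files\\Microsoft Configuration Manager
SDKServer=cas01.contoso.example
PrerequisiteComp=1
PrerequisitePath=C:\\Setup\\Redist
AdminConsole=1
JoinCEIP=0
AddServerLanguages=DEU,FRA
AddClientLanguages=
DeleteServerLanguages=
DeleteClientLanguages=
[SQLConfigOptions]
; the keys for this section are documented later in this topic and are not checked here
[HierarchyOptions]
"""
```

Running check_script(SAMPLE_SCRIPT) returns an empty list, and setup_command("C:\\setup\\setup.ini", no_user_input=True) gives the command line to start Setup without user input.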
The following table provides a list of command-line options for Setup. For information about how to use Setup script files to perform unattended installations, see the Configuration Manager Unattended Setup section in this topic.

/NODISKCHECK
   Use this option to disable the verification of disk space requirements during prerequisite checking.
/DEINSTALL
   Use this option to uninstall the site. You must run Setup from the site server computer.
/NOUSERINPUT
   Use this option to disable user input during Setup, but display the Setup Wizard interface. This option must be used in conjunction with the /SCRIPT option, and the unattend file must provide all required options or Setup will fail.
/RESETSITE
   Use this option to perform a site reset that resets the database and service accounts for the site. You must run Setup from <ConfigMgrInstallationPath>\BIN\X64 on the site server. For more information about the site reset, see the Perform a Site Reset section in the Manage Site and Hierarchy Configurations topic.
/TESTDBUPGRADE <InstanceName\DatabaseName>
   Use this option to perform a test on a backup of the site database to ensure that it is capable of an upgrade. It is not supported to run this command-line option on your production site database. You must provide the instance name and database name for the site database. When you specify only the database name, Setup uses the default instance name.
/SCRIPT <SetupScriptPath>
   Use this option to perform unattended installations. A setup initialization file is required when you use the /SCRIPT option. For more information about how to run Setup unattended, see the Configuration Manager Unattended Setup section in this topic.
SDKINST <FQDN>
   Use this option to install the SMS Provider on the specified computer. You must provide the FQDN for the SMS Provider computer. For more information about the SMS Provider, see the Site System Roles in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic.
SDKDEINST <FQDN>
   Use this option to uninstall the SMS Provider on the specified computer. You must provide the FQDN for the SMS Provider computer.
MANAGELANGS <SetupScriptPath>
   Use this option to manage the languages that are installed at the selected site. You must run Setup from <ConfigMgrInstallationPath>\BIN\X64 on the site server and provide the location for the script file that contains the language settings. For more information about the language options available in the Setup script file, see the Unattended Setup Script File Keys section in this topic.

Configuration Manager Unattended Setup
To perform an unattended installation for a new Configuration Manager central administration site or primary site, you can create an unattended installation script and use Setup with the /script command option. The script provides the same type of information that the Setup Wizard prompts for, except that there are no default settings. All values must be specified for the setup keys that apply to the type of installation you are using.
You can run Configuration Manager Setup unattended by using an initialization file with the /script Setup command-line option. Unattended setup is supported for new installations of a Configuration Manager central administration site, primary site, and Configuration Manager console. To use the /script setup command-line option, you must create an initialization file and specify the initialization file name after the /script setup command-line option. The name of the file is unimportant as long as it has the .ini file name extension. When you reference the setup initialization file from the command line, you must provide the full path to the file.
For example, if your setup initialization file is named setup.ini, and it is stored in the C:\setup folder, your command line would be: setup /script c:\setup\setup.ini.
Security
You must have Administrator rights to run Setup. When you run Setup with the unattended script, start the Command Prompt in an Administrator context by using Run as administrator.
The script contains section names, key names, and values. Required section key names vary depending on the installation type that you are scripting. The order of the keys within sections, and the order of sections within the file, is not important. The keys are not case sensitive. When you provide values for keys, the name of the key must be followed by an equals sign (=) and the value for the key.

Unattended Setup Script File Keys
To run Setup unattended, you must specify the /SCRIPT command-line option and configure the Setup script file with the required keys and values. You must configure the following four sections in the script file to install or configure a site: Identification, Options, SQLConfigOptions, and HierarchyOptions. To recover a site, you must use the following sections of the script file: Identification and Recovery. For more information about backup and recovery, see the Unattended Site Recovery Script File Keys section in the Backup and Recovery in Configuration Manager topic.
Use the following sections to help you to create your script for unattended Setup. The tables list the available setup script keys, their corresponding values, whether they are required, which type of installation they are used for, and a short description for the key.

Install a Central Administration Site Unattended
Use the following section to install a central administration site by using an unattended Setup script file.

Section | Key Name | Required | Values | Description
Identification | Action | Yes | InstallCAS | Installs a central administration site.
Options | ProductID | Yes | xxxxx-xxxxx-xxxxx-xxxxx-xxxxx, or Eval | The Configuration Manager installation product key, including the dashes. Enter Eval to install the evaluation version of Configuration Manager.
Options | SiteCode | Yes | <SiteCode> | Three alphanumeric characters that uniquely identify the site in your hierarchy. For more information about site code restrictions, see Configuration Manager Site Naming.
Options | SiteName | Yes | <SiteName> | Description for this site.
Options | SMSInstallDir | Yes | <ConfigMgrInstallationPath> | Specifies the installation folder for the Configuration Manager program files.
Options | SDKServer | Yes | <FQDN of SMS Provider> | Specifies the FQDN for the server that will host the SMS Provider. You can configure additional SMS Providers for the site after the initial installation. For more information about the SMS Provider, see the Site System Roles in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic.
Options | PrerequisiteComp | Yes | 0 or 1 (0 = download, 1 = already downloaded) | Specifies whether the Setup prerequisite files have already been downloaded. For example, if you use a value of 0, Setup will download the files.
Options | PrerequisitePath | Yes | <PathToSetupPrerequisiteFiles> | Specifies the path to the Setup prerequisite files. Depending on the PrerequisiteComp value, Setup uses this path to store downloaded files or to locate previously downloaded files.
Options | AdminConsole | Yes | 0 or 1 (0 = do not install, 1 = install) | Specifies whether to install the Configuration Manager console.
Options | JoinCEIP | Yes | 0 or 1 (0 = do not join, 1 = join) | Specifies whether to join the Customer Experience Improvement Program.
Options | AddServerLanguages | Yes | DEU, FRA, RUS, CHS, or JPN | Specifies the server languages that will be available for the Configuration Manager console, reports, and Configuration Manager objects. English is available by default.
Options | AddClientLanguages | Yes | DEU, FRA, RUS, CHS, JPN, ESN, CHT, KOR, CSY, DAN, NLD, FIN, ELL, HUN, ITA, NOR, PLK, PTB, PTG, SVE, or TRK | Specifies the languages that will be available to client computers. English is available by default.
Options | DeleteServerLanguages | Yes | DEU, FRA, RUS, CHS, or JPN | Specifies the languages to remove that will no longer be available for the Configuration Manager console, reports, and Configuration Manager objects. English is available by default and cannot be removed.
Options | DeleteClientLanguages | Yes | DEU, FRA, RUS, CHS, JPN, ESN, CHT, KOR, CSY, DAN, NLD, FIN, ELL, HUN, ITA, NOR, PLK, PTB, PTG, SVE, or TRK | Specifies the languages to remove that will no longer be available to client computers. English is available by default and cannot be
  • 460. 460 Section Key Name Requir ed Values Description removed. MobileDeviceLangu age Yes 0 or 1 0 = do not install 1 = install Specifies whether the mobile device client languages are installed. SQLConfigOpti ons SQLServerName Yes <SQLServerName> The name of the server, or clustered instance name, running SQL Server that will host the site database. DatabaseName Yes <SiteDatabaseName> or <InstanceName><SiteDatabas eName> The name of the SQL Server database to create or use to install the central administration site database. Important You must specif y the instan ce name and site datab ase name
  • 461. 461 Section Key Name Requir ed Values Description if you do not use the defaul t instan ce. When you config ure the site datab ase to use the defaul t instan ce of SQL Serve r, you must config ure the SQL Serve r servic e port to use TCP port 1433, the defaul
  • 462. 462 Section Key Name Requir ed Values Description t port. SQLSSBPort No <SSBPortNumber> Specify the SQL Server Service Broker (SSB) port used by SQL Server. Typically, SSB is configured to use TCP port 4022, but other ports are supported. Install a Primary Site Unattended Use the following section to install a primary site by using an unattended Setup script file. Section Key Name Requi red Values Description Identification Action Yes InstallPrimarySite Installs a primary site Options ProductID Yes xxxxx-xxxxx-xxxxx-xxxxx- xxxxx Eval The Configuration Manager installation product key, including the dashes. Enter Eval can install the evaluation version of Configuration Manager. SiteCode Yes <SiteCode> Three alpha- numeric characters
  • 463. 463 Section Key Name Requi red Values Description that uniquely identifies the site in your hierarchy. For more information about site code restrictions, see Configuration Manager Site Naming. SiteName Yes <SiteName> Description for this site. SMSInstallDir Yes <ConfigMgrInstallationPath> Specifies the installation folder for the Configuration Manager program files. SDKServer Yes <FQDN of SMS Provider> Specifies the FQDN for the server that will host the SMS Provider. You can configure additional SMS Providers for the site after the initial installation. For more information about the SMS Provider, see the Site
  • 464. 464 Section Key Name Requi red Values Description System Roles in Configuratio n Manager section in the Planning for Site Systems in Configuration Manager topic. PrerequisiteComp Yes 0 or 1 0 = downloaded 1 = already downloaded Specifies whether or not Setup prerequisite files have already been downloaded. For example, if you use a value of 0, Setup will download the files. PrerequisitePath Yes <PathToSetupPrerequisiteFil es> Specifies the path to the Setup prerequisite files. Depending on the PrerequisiteC omp value, Setup uses this path to store downloaded files or to locate previously
  • 465. 465 Section Key Name Requi red Values Description downloaded files. AdminConsole Yes 0 or 1 0 = do not install 1 = install Specifies whether to install the Configuration Manager console. JoinCEIP Yes 0 or 1 0 = do not join 1 = join Specifies whether to join the Customer Experience Improvement Program. RoleCommunication Protocol Yes EnforceHTTP or HTTPorHTTPS Specifies whether to configure all site systems to accept only HTTPS communicatio n from clients or for the communicatio n method to be configured for each site system role. When you select to EnforceHTTP , client computer must have a valid PKI certificate for client authentication. For more
  • 466. 466 Section Key Name Requi red Values Description information about PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager. ClientsUsePKICertif icate Yes 0 or 1 0 = do not use 1 = use Specifies whether clients will use a client PKI certificate to communicate with site system roles. For more information about PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager. AddServerLanguag es Yes DEU, FRA, RUS, CHS, or JPN Specifies the server languages that will be available for the Configuration Manager console, reports, and Configuration
  • 467. 467 Section Key Name Requi red Values Description Manager objects. English is available by default. AddClientLanguage s Yes DEU, FRA, RUS, CHS, JPN, ESN, CHT, KOR, CSY, DAN, NLD, FIN, ELL, HUN, ITA, NOR, PLK, PTB, PTG, SVE, or TRK Specifies the languages that will be available to client computers. English is available by default. DeleteServerLangu ages Yes DEU, FRA, RUS, CHS, or JPN Specifies the languages to remove that will no longer be available for the Configuration Manager console, reports, and Configuration Manager objects. English is available by default and cannot be removed. DeleteClientLangua ges Yes DEU, FRA, RUS, CHS, JPN, ESN, CHT, KOR, CSY, DAN, NLD, FIN, ELL, HUN, ITA, NOR, PLK, PTB, PTG, SVE, or TRK Specifies the languages to remove and that will no longer be available to client
  • 468. 468 Section Key Name Requi red Values Description computers. English is available by default and cannot be removed. MobileDeviceLangu age Yes 0 or 1 0 = do not install 1 = install Specifies whether the mobile device client languages are installed. SQLConfigOptions SQLServerName Yes <SQLServerName> The name of the server, or clustered instance name, running SQL Server that will host the site database. DatabaseName Yes <SiteDatabaseName> or <InstanceName><SiteDatab aseName> The name of the SQL Server database to create or use to install the primary site database. Important You must specif y the instan ce name and
  • 469. 469 Section Key Name Requi red Values Description site datab ase name if you do not use the defaul t instan ce. When you config ure the site datab ase to use the defaul t instan ce of SQL Serve r, you must config ure the SQL Serve r servic e port to use TCP
  • 470. 470 Section Key Name Requi red Values Description port 1433, the defaul t port. SQLSSBPort No <SSBPortNumber> Specify the SQL Server Service Broker (SSB) port used by SQL Server. Typically, SSB is configured to use TCP port 4022, but other ports are supported. HierarchyExpansio nOption CCARSiteServer No <SiteCodeForCentralAdmini strationSite> Specifies the central administration site that a primary site will attach to when it joins the Configuration Manager hierarchy. You must specify the central administration site during Setup. After Setup complete, you cannot join a stand-alone primary site to a central administration
  • 471. 471 Section Key Name Requi red Values Description site. CASRetryInterval No <Interval> Specifies the retry interval (in minutes) to attempt a connection to the central administration site after the connection fails. For example, if the connection to the central administration site fails, the primary site waits the number of minutes that you specify for CASRetryInter val, and then re-attempts the connection. WaitForCASTimeou t No <Timeout> Specifies the maximum timeout value (in minutes) for a primary site to connect to the central administration site. For example, if a primary site fails to connect to a central
  • 472. 472 Section Key Name Requi red Values Description administration site, the primary site retries the connection to the central administration site based on the CASRetryInter val until the WaitForCASTi meout period is reached. You can specify a value of 0 to 100. Decommission Sites and Hierarchies To decommission hierarchies, start at the bottom of the hierarchy and move upward. Remove secondary sites attached to primary sites, primary sites from the central administration site, and then the central administration site itself. Use the information in this section to remove individual sites or decommission a hierarchy of sites. Remove a Secondary Site from a Hierarchy You cannot move or reassign secondary sites to a new parent primary site. To remove a secondary site from a hierarchy, it must be deleted from its direct parent site. Use the Delete Secondary Site Wizard from the Configuration Manager console to remove the secondary site. When you remove a secondary site, you must choose whether to delete or uninstall the secondary site:  Uninstall the secondary site: Use this option to remove a functional secondary site that is accessible from the network. This option uninstalls Configuration Manager from the secondary site server, and then deletes all information about the site and its resources from the Configuration Manager hierarchy.  Delete the secondary site: Use this option if one of the following is true:  A secondary site failed to install.
  • The secondary site continues to display in the Configuration Manager console after you uninstall it.
This option deletes all information about the site and its resources from the Configuration Manager hierarchy, but leaves Configuration Manager installed on the secondary site server.

To uninstall or delete a secondary site
1. Verify that the user who runs Setup has the following security rights:
  • Local Administrator rights on the secondary site computer.
  • Local Administrator rights on the remote site database server for the primary site, if it is remote.
  • Infrastructure Administrator or Full Administrator security role on the parent primary site.
  • Sysadmin rights on the site database of the secondary site.
2. In the Configuration Manager console, click Administration.
3. In the Administration workspace, expand Site Configuration, and then click Sites.
4. Select the secondary site server to remove.
5. On the Home tab, in the Site group, click Delete.
6. On the General page, select whether to uninstall or delete the secondary site, and then click Next.
7. On the Summary page, verify the settings, and then click Next.
8. On the Completion page, click Close to exit the wizard.

Uninstall a Primary Site
You can run Configuration Manager Setup to uninstall a primary site that does not have an associated secondary site. Before you uninstall a primary site, consider the following:
• When Configuration Manager clients are within the boundaries configured at the site, and the primary site is part of a Configuration Manager hierarchy, consider adding the boundaries to a different primary site in the hierarchy before you uninstall the primary site.
• When the primary site server is no longer available, you must use the Hierarchy Maintenance Tool at the central administration site to delete the primary site from the site database. For more information, see Technical Reference for the Hierarchy Maintenance Tool (Preinst.exe) in Configuration Manager.
Use the following procedure to uninstall a primary site.

To uninstall a primary site
1. Verify that the user who runs Setup has the following security rights:
  • Local Administrator rights on the central administration site server.
  • Local Administrator rights on the remote site database server for the central administration site, if it is remote.
  • Sysadmin rights on the site database of the central administration site.
  • Local Administrator rights on the primary site computer.
  • Local Administrator rights on the remote site database server for the primary site, if it is remote.
  • User name associated with the Infrastructure Administrator or Full Administrator security role on the central administration site.
2. Start Configuration Manager Setup on the primary site server by using one of the following methods:
  • Click Configuration Manager Setup from the Start menu.
  • Open Setup.exe from <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64.
  • Open Setup.exe from <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.
3. On the Before You Begin page, click Next.
4. On the Getting Started page, select Uninstall a Configuration Manager site, and then click Next.
5. On the Uninstall the Configuration Manager Site page, specify whether to remove the site database from the primary site server and whether to remove the Configuration Manager console. By default, Setup removes both items.
Important: When there is a secondary site attached to the primary site, you must remove the secondary site before you can uninstall the primary site.
6. Click Yes to confirm that you want to uninstall the Configuration Manager primary site.

Uninstall the Central Administration Site
You can run Configuration Manager Setup to uninstall a central administration site with no child primary sites. Use the following procedure to uninstall the central administration site.

To uninstall a central administration site
1. Verify that the administrative user who runs Setup has the following security rights:
  • Local Administrator rights on the central administration site server.
  • Local Administrator rights on the site database server for the central administration site, when the site database server is not installed on the site server.
2. Start Configuration Manager Setup on the central administration site server by using one of the following methods:
  • Click Configuration Manager Setup from the Start menu.
  • Open Setup.exe from <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64.
  • Open Setup.exe from <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.
3. On the Before You Begin page, click Next.
4. On the Getting Started page, select Uninstall a Configuration Manager site, and then click Next.
5. On the Uninstall the Configuration Manager Site page, specify whether to remove the site database from the central administration site server and whether to remove the Configuration Manager console. By default, Setup removes both items.
Important: When there is a primary site attached to the central administration site, you must uninstall the primary site before you can uninstall the central administration site.
6. Click Yes to confirm that you want to uninstall the Configuration Manager central administration site.

Configuration Manager Site Naming
Site codes and site names are used to identify and manage the sites in a Configuration Manager hierarchy. In the Configuration Manager console, the site code and site name are displayed in the <site code> - <site name> format. Every site code that you use in your Configuration Manager hierarchy must be unique. If the Active Directory schema is extended for Configuration Manager, and sites are publishing data, the site codes used within an Active Directory forest must be unique even if they are being used in a different Configuration Manager hierarchy or if they have been used in previous Configuration Manager installations. Be sure to carefully plan your site codes and site names before you deploy your Configuration Manager hierarchy.

Specify a Site Code and Site Name
During Configuration Manager Setup, you are prompted for a site code and site name for the central administration site, and for each primary and secondary site installation. The site code must uniquely identify each Configuration Manager site in the hierarchy. Because the site code is used in folder names, never use Microsoft Windows reserved names for the site code, such as AUX, CON, NUL, or PRN. Configuration Manager Setup does not verify that the site code that you specify is not already in use. To enter the site code for a site during Configuration Manager Setup, you must enter three alphanumeric characters. Only the letters A through Z, the numbers 0 through 9, or combinations of the two are allowed when specifying site codes. The sequence of letters or numbers has no effect on the communication between sites. For example, it is not necessary to name a primary site ABC and a secondary site DEF. The site name is a friendly name identifier for the site. Use only the standard characters A through Z, a through z, 0 through 9, and the hyphen (-) in site names. Changing the site code or site name after installation is not supported.
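As an added example that is not part of this documentation, the following Python script checks an unattended Setup script against the InstallCAS and InstallPrimarySite key tables above and against the site code rules in this section. The server names, paths and product key in its sample scripts are constructed placeholders, and the cross-check that EnforceHTTPS goes with ClientsUsePKICertificate=1 is the example's own reading of the table.

```python
"""Checks for a Configuration Manager unattended Setup script (.ini).

Added example, not Microsoft code: it applies the InstallCAS and InstallPrimarySite
key tables above and the site code rules from "Configuration Manager Site Naming".
The scripts at the bottom are constructed samples; their names and paths are placeholders.
"""
import configparser
import re

SERVER_LANGS = {"DEU", "FRA", "RUS", "CHS", "JPN"}
CLIENT_LANGS = SERVER_LANGS | {"ESN", "CHT", "KOR", "CSY", "DAN", "NLD", "FIN", "ELL",
                               "HUN", "ITA", "NOR", "PLK", "PTB", "PTG", "SVE", "TRK"}
RESERVED_NAMES = {"AUX", "CON", "NUL", "PRN"}  # Windows reserved names listed in the topic
PRODUCT_ID = re.compile(r"(?:[A-Z0-9]{5}-){4}[A-Z0-9]{5}|Eval", re.IGNORECASE)
REQUIRED = {  # keys the tables mark Required: Yes for both site types
    "Identification": ("Action",),
    "Options": ("ProductID", "SiteCode", "SiteName", "SMSInstallDir", "SDKServer",
                "PrerequisiteComp", "PrerequisitePath", "AdminConsole", "JoinCEIP",
                "AddServerLanguages", "AddClientLanguages", "DeleteServerLanguages",
                "DeleteClientLanguages", "MobileDeviceLanguage"),
    "SQLConfigOptions": ("SQLServerName", "DatabaseName"),
}
PRIMARY_ONLY = ("RoleCommunicationProtocol", "ClientsUsePKICertificate")
FLAG_KEYS = ("PrerequisiteComp", "AdminConsole", "JoinCEIP", "MobileDeviceLanguage",
             "ClientsUsePKICertificate")  # each must be 0 or 1
LANG_KEYS = (("AddServerLanguages", SERVER_LANGS), ("DeleteServerLanguages", SERVER_LANGS),
             ("AddClientLanguages", CLIENT_LANGS), ("DeleteClientLanguages", CLIENT_LANGS))


def validate(ini_text):
    """Return a list of findings; an empty list means the script passed these checks."""
    cfg = configparser.ConfigParser(interpolation=None)  # key lookup is case-insensitive
    cfg.read_string(ini_text)
    get = lambda section, key: cfg.get(section, key, fallback=None)
    findings = []

    action = get("Identification", "Action")
    if action not in ("InstallCAS", "InstallPrimarySite"):
        return ["this checker covers Action=InstallCAS and Action=InstallPrimarySite only"]
    required = dict(REQUIRED)
    if action == "InstallPrimarySite":
        required["Options"] += PRIMARY_ONLY
    for section, keys in required.items():
        findings += [f"{section}/{key} is required for {action}"
                     for key in keys if get(section, key) is None]

    # Site code: exactly three characters from A-Z and 0-9, never a Windows reserved name.
    code = get("Options", "SiteCode") or ""
    if not re.fullmatch(r"[A-Za-z0-9]{3}", code):
        findings.append("SiteCode must be three characters from A-Z and 0-9")
    elif code.upper() in RESERVED_NAMES:
        findings.append(f"SiteCode {code} is a Windows reserved name")
    if not PRODUCT_ID.fullmatch(get("Options", "ProductID") or ""):
        findings.append("ProductID must be xxxxx-xxxxx-xxxxx-xxxxx-xxxxx or Eval")
    for key in FLAG_KEYS:
        if get("Options", key) not in (None, "0", "1"):
            findings.append(f"{key} must be 0 or 1")
    for key, allowed in LANG_KEYS:
        codes = [c.strip().upper() for c in (get("Options", key) or "").split(",") if c.strip()]
        if any(c not in allowed for c in codes):
            findings.append(f"{key} contains a language code that is not supported")

    # A non-default instance is written <InstanceName>\<SiteDatabaseName>; both parts are needed.
    db = get("SQLConfigOptions", "DatabaseName") or ""
    if "\\" in db and not all(db.split("\\", 1)):
        findings.append("DatabaseName must be <SiteDatabaseName> or <InstanceName>\\<SiteDatabaseName>")

    if action == "InstallPrimarySite":
        proto = get("Options", "RoleCommunicationProtocol")
        if proto not in ("EnforceHTTPS", "HTTPorHTTPS"):
            findings.append("RoleCommunicationProtocol must be EnforceHTTPS or HTTPorHTTPS")
        elif proto == "EnforceHTTPS" and get("Options", "ClientsUsePKICertificate") != "1":
            # HTTPS-only site systems need clients that authenticate with a PKI certificate.
            findings.append("EnforceHTTPS requires ClientsUsePKICertificate=1")
        timeout = get("HierarchyExpansionOption", "WaitForCASTimeout")
        if timeout is not None and not (timeout.isdigit() and int(timeout) <= 100):
            findings.append("WaitForCASTimeout must be 0 to 100 (minutes)")
    return findings


GOOD_CAS = "\n".join([  # constructed sample; server names and paths are placeholders
    "[Identification]", "Action=InstallCAS",
    "[Options]", "ProductID=Eval", "SiteCode=CAS", "SiteName=Central administration site",
    r"SMSInstallDir=C:\Program Files\Microsoft Configuration Manager", "SDKServer=cas01.corp.example",
    "PrerequisiteComp=1", r"PrerequisitePath=C:\ConfigMgrPrereqs", "AdminConsole=1", "JoinCEIP=0",
    "AddServerLanguages=DEU,FRA", "AddClientLanguages=DEU,FRA,ESN", "DeleteServerLanguages=",
    "DeleteClientLanguages=", "MobileDeviceLanguage=0",
    "[SQLConfigOptions]", "SQLServerName=sql01.corp.example", "DatabaseName=CM_CAS", "SQLSSBPort=4022", ""])

# Constructed primary site script with six deliberate mistakes for the checker to report.
BAD_PRIMARY = (GOOD_CAS.replace("InstallCAS", "InstallPrimarySite")
               .replace("SiteCode=CAS", "SiteCode=CON")                      # reserved name
               .replace("PrerequisiteComp=1", "PrerequisiteComp=2")          # not 0 or 1
               .replace("AddClientLanguages=DEU,FRA,ESN", "AddClientLanguages=DEU,XYZ")
               .replace("DatabaseName=CM_CAS", r"DatabaseName=\CM_PRI")       # empty instance name
               .replace("[SQLConfigOptions]", "RoleCommunicationProtocol=EnforceHTTPS\n"
                        "ClientsUsePKICertificate=0\n[SQLConfigOptions]")    # HTTPS without PKI
               + "[HierarchyExpansionOption]\nCCARSiteServer=CAS\nWaitForCASTimeout=120\n")
```

Running validate(GOOD_CAS) returns an empty list, and validate(BAD_PRIMARY) returns one finding per planted mistake.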
Re-Using Site Codes
Site codes cannot be used more than one time in a Configuration Manager hierarchy for a central administration site or primary sites. If you reuse a site code, you run the risk of having object ID conflicts in your Configuration Manager hierarchy. You can reuse the site code for a secondary site if it is no longer in use in your Configuration Manager hierarchy or in the Active Directory forest.

See Also
Configuring Sites and Hierarchies in Configuration Manager

Configure Sites and the Hierarchy in Configuration Manager
After you install a Configuration Manager site, you might need to customize several features and configurations for use by your organization. Use this topic to help you configure settings that are used at individual sites and by the hierarchy. In most situations you will not need to configure the following options in any specific order. However, some build upon each other, such as boundaries and boundary groups. Several of these configurations have default values you can use without configuration changes, at least temporarily. Others, such as boundary groups and distribution point groups, require you to configure them before you can use them. Plan to review these configurations over the lifecycle of your Configuration Manager deployment and to adjust them to meet changing business requirements or evolving network configurations.

Use the information in the following sections of this topic to help you manage these configurations:

Site and Hierarchy Configuration Topics
• Configuring Security for Configuration Manager
• Configuring Discovery in Configuration Manager
• Configuring Sites to Publish to Active Directory Domain Services
• Configuring Settings for Client Management in Configuration Manager
• Configuring Distribution Point Groups in Configuration Manager
• Configuring Boundaries and Boundary Groups in Configuration Manager
• Configuring Alerts in Configuration Manager
• Configuring Site Components in Configuration Manager
Other Resources for this Product
• TechNet Library main page for System Center 2012 Configuration Manager
• Site Administration for System Center 2012 Configuration Manager

Configuring Security for Configuration Manager
This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide.

Use the information in this topic to help you configure the following security-related options:
• Configure Settings for Client PKI Certificates
• Configure Signing and Encryption
• Configure Role-Based Administration
• Manage Accounts that Are Used by Configuration Manager

Configure Settings for Client PKI Certificates
If you want to use public key infrastructure (PKI) certificates for client connections to site systems that use Internet Information Services (IIS), use the following procedure to configure settings for these certificates.

To configure client PKI certificate settings
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration, click Sites, and then click the primary site to configure.
3. On the Home tab, in the Properties group, click Properties, and then click the Client Computer Communication tab.
4. Click HTTPS only when you want clients that are assigned to the site to always use a client PKI certificate when they connect to site systems that use IIS. Or, click HTTPS or HTTP when you do not require clients to use PKI certificates.
5. If you selected HTTPS or HTTP, click Use client PKI certificate (client authentication capability) when available when you want to use a client PKI certificate for HTTP connections. The client uses this certificate instead of a self-signed certificate to authenticate itself to site systems. This option is automatically selected if you select HTTPS only.
Note: When clients are detected to be on the Internet, or they are configured for Internet-only client management, they always use a client PKI certificate.
6. Click Modify to configure your chosen client selection method for when more than one valid PKI client certificate is available on a client, and then click OK.
Note: For more information about the client certificate selection method, see Planning for PKI Client Certificate Selection.
7. Select or clear the check box for clients to check the certificate revocation list (CRL).
Note: For more information about CRL checking for clients, see Planning for PKI Certificate Revocation.
8. If you must specify trusted root certification authority (CA) certificates for clients, click Set, import the root CA certificate files, and then click OK.
Note: For more information about this setting, see Planning for the PKI Trusted Root Certificates.
9. Click OK to close the properties dialog box for the site. Repeat this procedure for all primary sites in the hierarchy.

Configure Signing and Encryption
Configure the most secure signing and encryption settings for site systems that all clients in the site can support. These settings are especially important when you let clients communicate with site systems by using self-signed certificates over HTTP.

To configure signing and encryption for a site
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration, click Sites, and then click the primary site to configure.
3. On the Home tab, in the Properties group, click Properties, and then click the Signing and Encryption tab.
4. Configure the signing and encryption options that you want, and then click OK.
Warning: Do not select Require SHA-256 without first verifying that all clients that might be assigned to the site can support this hash algorithm, or that they have a valid PKI client authentication certificate. You might have to install updates or hotfixes on clients to support SHA-256. For example, computers that run Windows Server 2003 SP2 must install a hotfix that is referenced in KB article 938397. If you select this option and clients cannot support SHA-256 and use self-signed certificates, Configuration Manager rejects them. In this scenario, the SMS_MP_CONTROL_MANAGER component logs the message ID 5443.
5. Click OK to close the Properties dialog box for the site. Repeat this procedure for all primary sites in the hierarchy.

Configure Role-Based Administration
Use the information in this section to help you configure role-based administration in Configuration Manager. Role-based administration combines security roles, security scopes, and assigned collections to define the administrative scope for each administrative user. An administrative scope includes the objects that an administrative user can view in the Configuration Manager console, and the tasks related to those objects that the administrative user has permission to perform. Role-based administration configurations are applied at each site in a hierarchy.

The information in the following procedures can help you create and configure role-based administration and related security settings.
• Create Custom Security Roles
• Configure Security Roles
• Configure Security Scopes for an Object
• Configure Collections to Manage Security
• Create a New Administrative User
• Modify the Administrative Scope of an Administrative User

Role-based administration uses security roles, security scopes, and collections. These combine to define an administrative scope for each administrative user. Your own administrative scope defines the objects and settings that you can assign when you configure role-based administration for another administrative user.

Create Custom Security Roles
Configuration Manager provides several built-in security roles. If you require additional security roles, you can create a custom security role by creating a copy of an existing security role, and then modifying the copy.
You might create a custom security role to grant administrative users the additional security permissions they require that are not included in a currently assigned security role. By using a custom security role, you can grant them only the permissions they require, and avoid assigning a security role that grants more permissions than they require. Use the following procedure to create a new security role by using an existing security role as a template.

To create custom security roles
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and then click Security Roles.
Use one of the following processes to create the new security role:
• To create a new custom security role, perform the following actions:
  i. Select an existing security role to use as the source for the new security role.
  ii. On the Home tab, in the Security Role group, click Copy. This creates a copy of the source security role.
  iii. In the Copy Security Role wizard, specify a Name for the new custom security role.
  iv. In Security operation assignments, expand each Security Operations node to display the available actions.
  v. To change the setting for a security operation, click the down arrow in the Value column, and then select either Yes or No.
  Caution: When you configure a custom security role, ensure that you do not grant permissions that are not required by the administrative users who are associated with the new security role. For example, the Modify value for the Security Roles security operation grants administrative users permission to edit any accessible security role, even if they are not associated with that security role.
  vi. After you configure the permissions, click OK to save the new security role.
• To import a security role that was exported from another System Center 2012 Configuration Manager hierarchy, perform the following actions:
  i. On the Home tab, in the Create group, click Import Security Role.
  ii. Specify the .xml file that contains the security role configuration that you want to import, and click Open to complete the procedure and save the security role.
  Note: After you import a security role, you can edit the security role properties to change the object permissions that are associated with the security role.

Configure Security Roles
The groups of security permissions that are defined for a security role are called security operation assignments. Security operation assignments represent a combination of object types and the actions that are available for each object type. You can modify which security operations are available for any custom security role, but you cannot modify the built-in security roles that Configuration Manager provides.
  • 481. 481 Use the following procedure to modify the security operations for a security role. 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Security Roles. 3. Select the custom security role that you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. Click the Permissions tab. 6. In Security operation assignments, expand each Security Operations node to display the available actions. 7. To change the setting for a security operation, click the down arrow in the Value column, and then select either Yes or No. Caution When you configure a custom security role, ensure not to grant permissions that are not required by administrative users that are associated with the new security role. For example, the Modify value for the Security Roles security operation grants administrative users permission to edit any accessible security role, even if they are not associated with that security role. 8. When you have finished configuring security operation assignments, click OK to save the new security role. Configure Security Scopes for an Object You manage the association of a security scope for an object from the object and not from the security scope. The only direct configurations that security scopes support are changes to its name and description. To change the name and description of a security scope when you view the security scope properties, you must have the Modify permission for the Security Scopes securable object. When you create a new object in Configuration Manager, the new object is associated with each security scope that is associated with the security roles of the account that is used to create the object when those security roles provide the Create permission, or Set Security Scope permission. Only after the object is created, can you change the security scopes it is associated with. 
For example, you are assigned a security role that grants you permission to create a new boundary group. When you create a new boundary group, you have no option to which you can assign specific security scopes. Instead, the security scopes available from the security roles you are associated with are automatically assigned to the new boundary group. After you save the new boundary group, you can edit the security scopes associated with the new boundary group. Use the following procedure to configure the security scopes assigned to an object. To modify security roles To configure security scopes for an object
1. In the Configuration Manager console, select an object that supports assignment to a security scope.
2. On the Home tab, in the Classify group, click Set Security Scopes.
3. In the Set Security Scopes dialog box, select or clear the security scopes that this object is associated with. Each object that supports security scopes must be assigned to at least one security scope.
4. Click OK to save the assigned security scopes.

Note: When you create a new object, you can assign the object to multiple security scopes. To modify the number of security scopes associated with the object, you must change this assignment after the object is created.

Configure Collections to Manage Security
There are no procedures to configure collections for role-based administration. Collections do not have a role-based administration configuration; instead, you assign collections to an administrative user when you configure the administrative user. The collection security operations that are enabled in the user's assigned security roles determine the permissions an administrative user has for collections and collection resources (collection members).

When an administrative user has permissions to a collection, they also have permissions to collections that are limited to that collection. For example, your organization uses a collection named All Desktops, and there exists a collection named All North America Desktops that is limited to the All Desktops collection. If an administrative user has permissions to All Desktops, they also have those same permissions to the All North America Desktops collection.

In addition, an administrative user cannot use the Delete or Modify permission on a collection that is directly assigned to them, but can use these permissions on the collections that are limited to that collection. Using the previous example, the administrative user can delete or modify the All North America Desktops collection, but cannot delete or modify the All Desktops collection.

Create a New Administrative User
To grant individuals or members of a security group access to manage Configuration Manager, create an administrative user in Configuration Manager and specify the Windows account of the user or user group. Each administrative user in Configuration Manager must be assigned at least one security role and one security scope. You can also assign collections to limit the administrative scope of the administrative user.

Use the following procedure to create new administrative users.

To create a new administrative user
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and then click Administrative Users.
3. On the Home tab, in the Create group, click Add User or Group.
4. Click Browse and then select the user account or group to use for this new administrative user.
   Note: For console-based administration, only domain users or security groups can be specified as an administrative user.
5. For Associated security roles, click Add to open a list of the available security roles, select the check box for one or more security roles, and then click OK.
6. Select one of the following two options to define the securable object behavior for the new user:
   • All securable objects that are relevant to their associated security roles: This option associates the administrative user with the All security scope and the root-level, built-in collections for All Systems, and All Users and User Groups. The security roles assigned to the user define access to objects. New objects that this administrative user creates are assigned to the Default security scope.
   • Only securable objects in specified security scopes or collections: By default, this option associates the administrative user with the Default security scope and the All Systems and All Users and User Groups collections. However, the actual security scopes and collections are limited to those that are associated with the account that you used to create the new administrative user. This option supports the addition or removal of security scopes and collections to customize the administrative scope of the administrative user.
   Important: The preceding options associate each assigned security scope and collection to each security role assigned to the administrative user. A third option, Only securable objects as determined by the security roles of the administrative user, can be used to associate individual security roles to specific security scopes and collections. This third option is available after you create the new administrative user, when you modify the administrative user.
7. Depending on your selection in step 6, take the following action:
   • If you selected All securable objects that are relevant to their associated security roles, click OK to complete this procedure.
   • If you selected Only securable objects in specified security scopes or collections, you can click Add to select additional collections and security scopes, or select one or more objects in the list, and then click Remove to remove them. Click OK to complete this procedure.

Modify the Administrative Scope of an Administrative User
You can modify the administrative scope of an administrative user by adding or removing security roles, security scopes, and collections that are associated with the user. Each administrative user must be associated with at least one security role and one security scope. You might have to assign one or more collections to the administrative scope of the user. Most security roles interact with collections and do not function correctly without an assigned collection.

When you modify an administrative user, you can change the behavior for how securable objects are associated with the assigned security roles. The three behaviors that you can select are as follows:
• All securable objects that are relevant to their associated security roles: This option associates the administrative user with the All scope and the root-level built-in collections for All Systems, and All Users and User Groups. The security roles that are assigned to the user define access to objects.
• Only securable objects in specified security scopes or collections: This option associates the administrative user to the same security scopes and collections that are associated to the account you use to configure the administrative user. This option supports the addition or removal of security roles and collections to customize the administrative scope of the administrative user.
• Only securable objects as determined by the security roles of the administrative user: This option lets you create specific associations between individual security roles and specific security scopes and collections for the user. This option is available only when you modify the properties of an administrative user.

The current configuration for the securable object behavior changes the process that you use to assign additional security roles. Use the following procedures, which are based on the different options for securable objects, to help you manage an administrative user.

Use the following procedure to view and manage the configuration for securable objects for an administrative user:

To view and manage the securable object behavior for an administrative user
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and then click Administrative Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, click Properties.
5. Click the Security Scopes tab to view the current configuration for securable objects for this administrative user.
6. To modify the securable object behavior, select a new option for securable object behavior. After you change this configuration, see the appropriate procedure for further guidance to configure security scopes and collections, and security roles for this administrative user.
7. Click OK to complete the procedure.

Use the following procedure to modify an administrative user that has the securable object behavior set to All securable objects that are relevant to their associated security roles:

Option: All securable objects that are relevant to their associated security roles
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and then click Administrative Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, click Properties.
5. Click the Security Scopes tab to confirm that the administrative user is configured for All securable objects that are relevant to their associated security roles.
6. To modify the assigned security roles, click the Security Roles tab.
   • To assign additional security roles to this administrative user, click Add, select the check box for each additional security role that you want to assign, and then click OK.
   • To remove security roles, select one or more security roles from the list, and then click Remove.
7. To modify the securable object behavior, click the Security Scopes tab and select a new option for the securable object behavior. After you change this configuration, see the appropriate procedure for further guidance to configure security scopes and collections, and security roles for this administrative user.
   Note: When the securable object behavior is set to All securable objects that are relevant to their associated security roles, you cannot add or remove specific security scopes and collections.
8. Click OK to complete this procedure.

Use the following procedure to modify an administrative user that has the securable object behavior set to Only securable objects in specified security scopes or collections:

Option: Only securable objects in specified security scopes or collections
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and then click Administrative Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, click Properties.
5. Click the Security Scopes tab to confirm that the user is configured for Only securable objects in specified security scopes or collections.
6. To modify the assigned security roles, click the Security Roles tab.
   • To assign additional security roles to this user, click Add, select the check box for each additional security role that you want to assign, and then click OK.
   • To remove security roles, select one or more security roles from the list, and then click Remove.
7. To modify the security scopes and collections associated with security roles, click the Security Scopes tab.
   • To associate new security scopes or collections with all security roles that are assigned to this administrative user, click Add and select one of the four options. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK.
   • To remove a security scope or collection, select the object, and then click Remove.
8. Click OK to complete this procedure.

Use the following procedure to modify an administrative user that has the securable object behavior set to Only securable objects as determined by the security roles of the administrative user:

Option: Only securable objects as determined by the security roles of the administrative user
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and then click Administrative Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, click Properties.
5. Click the Security Scopes tab to confirm that the administrative user is configured for Only securable objects in specified security scopes or collections.
6. To modify the assigned security roles, click the Security Roles tab.
   • To assign additional security roles to this administrative user, click Add. In the Add Security Role dialog box, select one or more available security roles, click Add, and select an object type to associate with the selected security roles. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK.
     Note: You must configure at least one security scope before the selected security roles can be assigned to the administrative user. When you select multiple security roles, each security scope and collection that you configure is associated with each of the selected security roles.
   • To remove security roles, select one or more security roles from the list, and then click Remove.
7. To modify the security scopes and collections associated with a specific security role, click the Security Scopes tab, select the security role, and then click Edit.
   • To associate new objects with this security role, click Add, and select an object type to associate with the selected security roles. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK.
     Note: You must configure at least one security scope.
   • To remove a security scope or collection that is associated with this security role, select the object, and then click Remove.
   • When you have finished modifying the associated objects, click OK.
8. Click OK to complete this procedure.

Caution: When a security role grants administrative users the collection deployment permission, those administrative users can distribute objects from any security scope for which they have object read permissions, even if that security scope is associated with a different security role.

Manage Accounts that Are Used by Configuration Manager
Configuration Manager supports Windows accounts for many different tasks and uses. Use the following procedure to view which accounts are configured for different tasks, and to manage the password that Configuration Manager uses for each account.

To manage accounts that are used by Configuration Manager
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and then click Accounts to view the accounts that are configured for Configuration Manager.
3. To change the password for an account that is configured for Configuration Manager, select the account.
4. On the Home tab, in the Properties group, click Properties.
5. Click Set to open the Windows User Account dialog box and specify the new password for Configuration Manager to use for the account.
   Note: The password that you specify must match the password that is specified for the account in Active Directory Users and Computers.
6. Click OK to complete the procedure.

See Also
Configure Sites and the Hierarchy in Configuration Manager
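The two rules that are easiest to get wrong when reviewing an administrative user are the ones stated in "Configure Collections to Manage Security" (rights flow from an assigned collection to the collections limited to it, but Delete and Modify never apply to the directly assigned collection) and the caution just above (one role with the collection deployment permission lets the user distribute from every scope any of their roles can read). The following is an added example, not code from the documentation or from Configuration Manager; it models those rules on constructed data so that an exported list of role, scope and collection pairings can be checked. The collection tree, the role names and the "<object class>:<operation>" permission strings are hypothetical simplifications; the product's real permission model is richer than this.

```python
"""Model of the role-based administration rules above (added, constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed collection tree: each collection and the collection it is limited to
# (None marks a root collection such as All Systems).
LIMITED_TO: Dict[str, Optional[str]] = {
    "All Systems": None,
    "All Desktops": "All Systems",
    "All North America Desktops": "All Desktops",
    "All Servers": "All Systems",
}

# Hypothetical security roles reduced to "<object class>:<operation>" strings.
# "Collection:Deploy" stands for the collection deployment permission from the caution.
ROLES: Dict[str, Set[str]] = {
    "Desktop Operator": {"Collection:Read", "Collection:Modify", "Collection:Delete"},
    "App Deployer": {"Collection:Read", "Collection:Deploy", "Application:Read"},
    "Package Reader": {"Package:Read"},
}


@dataclass
class Assignment:
    """Scopes and collections paired with one role (the third securable-object option)."""
    scopes: Set[str] = field(default_factory=set)
    collections: Set[str] = field(default_factory=set)


@dataclass
class AdminUser:
    name: str
    roles: Dict[str, Assignment] = field(default_factory=dict)


def limiting_chain(collection: str) -> List[str]:
    """[collection, the collection it is limited to, ...] up to the root."""
    chain: List[str] = []
    current: Optional[str] = collection
    while current is not None:
        chain.append(current)
        current = LIMITED_TO[current]
    return chain


def can_on_collection(user: AdminUser, collection: str, operation: str) -> bool:
    """True if some role lets `user` perform `operation` on `collection`.

    Rights on an assigned collection flow to every collection limited to it, but
    Delete and Modify never apply to the directly assigned collection itself.
    """
    perm = f"Collection:{operation}"
    for role, assigned in user.roles.items():
        if perm not in ROLES[role]:
            continue
        for depth, name in enumerate(limiting_chain(collection)):
            if name in assigned.collections:
                if depth == 0 and operation in ("Delete", "Modify"):
                    continue  # directly assigned: allowed only via a limiting collection
                return True
    return False


def readable_scopes(user: AdminUser) -> Set[str]:
    """Scopes in which some role grants read on an object class other than collections."""
    scopes: Set[str] = set()
    for role, assigned in user.roles.items():
        if any(p.endswith(":Read") and not p.startswith("Collection:") for p in ROLES[role]):
            scopes |= assigned.scopes
    return scopes


def deployable_scopes(user: AdminUser) -> Set[str]:
    """Scopes whose objects the user can distribute: with any deploying role, every
    readable scope, not just the scopes paired with that role (the caution above)."""
    if not any("Collection:Deploy" in ROLES[r] for r in user.roles):
        return set()
    return readable_scopes(user)


def deploy_reach_beyond_role(user: AdminUser) -> List[str]:
    """Scopes deployable only because a different role grants read there."""
    paired: Set[str] = set()
    for role, assigned in user.roles.items():
        if "Collection:Deploy" in ROLES[role]:
            paired |= assigned.scopes
    return sorted(deployable_scopes(user) - paired)


def validate(user: AdminUser) -> List[str]:
    """Minimum assignment rules stated in the text: a role, a scope, and a collection
    for every role that works with collections."""
    problems: List[str] = []
    if not user.roles:
        problems.append("no security role assigned")
    if not any(a.scopes for a in user.roles.values()):
        problems.append("no security scope assigned")
    for role, assigned in user.roles.items():
        if any(p.startswith("Collection:") for p in ROLES[role]) and not assigned.collections:
            problems.append(f"role {role!r} works with collections but has none assigned")
    return problems
```

With a user who holds App Deployer paired with one scope and Package Reader paired with another, `deploy_reach_beyond_role` lists the second scope: that is the widening the caution describes, and it is the list to review when a deploying role is paired with narrow scopes while a read-only role is paired with broad ones.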
Configuring Discovery in Configuration Manager
Discovery identifies computer and user resources that you can manage by using Configuration Manager, and it also discovers network infrastructure in your environment. Use the information in the following sections to help you configure discovery in System Center 2012 Configuration Manager.
• How to Enable a Discovery Method
• Configure Heartbeat Discovery
• Configure Active Directory Discovery for Computers, Users, or Groups
• Configure Active Directory Forest Discovery
• Configure Network Discovery
  • About Configuring Network Discovery
  • How to Configure Network Discovery
  • How to Verify that Network Discovery Has Finished

How to Enable a Discovery Method
With the exception of the Heartbeat Discovery method, you must enable all configurable discovery methods in Configuration Manager before they can discover resources on a network. You can also disable each method by using the same procedure you use to enable it. In addition to enabling a discovery method, you might have to configure it to successfully discover resources in your environment.

Note: Heartbeat Discovery is enabled when you install a Configuration Manager primary site and does not have to be enabled. Keep Heartbeat Discovery enabled, because this method ensures that the discovery data records (DDRs) for devices are up to date. For more information about Heartbeat Discovery, see About Heartbeat Discovery.

To enable a discovery method
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and click Discovery Methods.
3. Select the discovery method for the site where you want to enable discovery.
4. On the Home tab, in the Properties group, click Properties, and then on the General tab, select the Enable <discovery method> check box.
   Note: If this check box is already selected, you can disable the discovery method by clearing the check box.
5. Click OK to save the configuration.

Configure Active Directory Discovery for Computers, Users, or Groups
Use the information in the following sections to configure discovery of computers, users, or groups by using one of the following discovery methods:
• Active Directory System Discovery
• Active Directory User Discovery
• Active Directory Group Discovery

Note: The information in this section does not apply to Active Directory Forest Discovery.

Although each of these discovery methods is independent of the others, they share similar options. For more information about these configuration options, see About Active Directory Discovery for Systems, Users, and Groups.

Warning: The Active Directory polling by each of these discovery methods can generate significant network traffic. Consider scheduling each discovery method to run at a time when this network traffic does not adversely affect business uses of your network.

Use the following procedures to configure each discovery method.

To configure Active Directory System Discovery
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods.
3. Select the Active Directory System Discovery method for the site where you want to configure discovery.
4. On the Home tab, in the Properties group, click Properties.
5. On the General tab, select the check box to enable discovery, or you can configure discovery now, and then return to enable discovery later.
6. Click the New icon to specify a new Active Directory container, and in the Active Directory Container dialog box, complete the following configurations:
   a. Specify one or more locations to search.
   b. For each location, specify options that modify the search behavior.
   c. For each location, specify the account to use as the Active Directory Discovery Account.
      Tip: For each location that you specify, you can configure a set of discovery options and a unique Active Directory Discovery Account.
   d. Click OK to save the Active Directory container configuration.
7. On the Polling Schedule tab, configure both the full discovery polling schedule and delta discovery.
8. Optionally, on the Active Directory Attributes tab, you can configure additional Active Directory attributes for computers that you want to discover. The default object attributes are also listed.
9. Optionally, on the Option tab, you can configure options to filter out, or exclude, stale computer records from discovery.
10. When you have finished configuring Active Directory System Discovery for this site, click OK to save the configuration.

To configure Active Directory User Discovery
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods.
3. Select the Active Directory User Discovery method for the site where you want to configure discovery.
4. On the Home tab, in the Properties group, click Properties.
5. On the General tab, select the check box to enable discovery, or you can configure discovery now, and return to enable discovery later.
6. Click the New icon to specify a new Active Directory container, and in the Active Directory Container dialog box, complete the following configurations:
   a. Specify one or more locations to search.
   b. For each location, specify options that modify the search behavior.
   c. For each location, specify the account to use as the Active Directory Discovery Account.
      Note: For each location that you specify, you can configure a unique set of discovery options and a unique Active Directory Discovery Account.
   d. Click OK to save the Active Directory container configuration.
7. On the Polling Schedule tab, configure both the full discovery polling schedule and delta discovery.
8. Optionally, on the Active Directory Attributes tab, you can configure additional Active Directory attributes for computers that you want to discover. The default object attributes are also listed.
9. When you have finished configuring Active Directory User Discovery for this site, click OK to save the configuration.

To configure Active Directory Group Discovery
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods.
3. Select the Active Directory Group Discovery method for the site where you want to configure discovery.
4. On the Home tab, in the Properties group, click Properties.
5. On the General tab, select the check box to enable discovery, or you can configure discovery now, and return to enable discovery later.
6. Click Add to configure a discovery scope, select either Groups or Location, and complete the following configurations in the Add Groups or Add Active Directory Location dialog box:
   a. Specify a Name for this discovery scope.
   b. Specify an Active Directory Domain or Location to search:
      • If you selected Groups, specify one or more Active Directory groups to be discovered.
      • If you selected Location, specify an Active Directory container as a location to be discovered. You can also enable a recursive search of Active Directory child containers for this location.
   c. Specify the Active Directory Group Discovery Account that is used to search this discovery scope.
   d. Click OK to save the discovery scope configuration.
7. Repeat step 6 for each additional discovery scope that you want to define.
8. On the Polling Schedule tab, configure both the full discovery polling schedule and delta discovery.
9. Optionally, on the Option tab, you can configure options to filter out, or exclude, stale computer records from discovery, and to discover the membership of distribution groups.
   Note: By default, Active Directory Group Discovery discovers only the membership of security groups.
10. When you have finished configuring Active Directory Group Discovery for this site, click OK to save the configuration.
Configure Active Directory Forest Discovery
To complete the configuration of Active Directory Forest Discovery, you must configure settings in two locations:
• In the Discovery Methods node, you can enable this discovery method, set a polling schedule, and select whether discovery automatically creates boundaries for the Active Directory sites and subnets that it discovers.
• In the Active Directory Forests node, you can add forests that you want to discover, enable discovery of Active Directory sites and subnets in that forest, configure settings that enable Configuration Manager sites to publish their site information to the forest, and assign an account to use as the Active Directory Forest Account for each forest.

Use the following procedures to enable Active Directory Forest Discovery, and to configure individual forests for use with Active Directory Forest Discovery.

To enable Active Directory Forest Discovery
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods.
3. Select the Active Directory Forest Discovery method for the site where you want to configure discovery.
4. On the Home tab, in the Properties group, click Properties.
5. On the General tab, select the check box to enable discovery, or you can configure discovery now, and return to enable discovery later.
6. Specify options to create site boundaries for discovered locations.
7. Specify a schedule for when discovery runs.
8. When you complete the configuration of Active Directory Forest Discovery for this site, click OK to save the configuration.

To configure a forest for Active Directory Forest Discovery
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, click Active Directory Forests. If Active Directory Forest Discovery has previously run, you see each discovered forest in the results pane. The local forest and any trusted forests are discovered when Active Directory Forest Discovery runs. Only untrusted forests must be manually added.
   • To configure a previously discovered forest, select the forest in the results pane, and then on the Home tab, in the Properties group, click Properties to open the forest properties. Continue with step 3.
   • To configure a new forest that is not listed, on the Home tab, in the Create group, click Add Forest to open the Add Forests dialog box. Continue with step 3.
3. On the General tab, complete configurations for the forest that you want to discover and specify the Active Directory Forest Account.
   Note: Active Directory Forest Discovery requires a global account to discover and publish to untrusted forests. If you do not use the computer account of the site server, you can only select a global account.
4. If you plan to allow sites to publish site data to this forest, on the Publishing tab, complete configurations for publishing to this forest.
   Note: If you enable sites to publish to a forest, you must extend the Active Directory schema of that forest for Configuration Manager, and the Active Directory Forest Account must have Full Control permissions to the System container in that forest.
5. When you complete the configuration of this forest for use with Active Directory Forest Discovery, click OK to save the configuration.

Configure Heartbeat Discovery
By default, Heartbeat Discovery is enabled when you install a Configuration Manager primary site. As a result, you only have to configure the schedule for how often clients send Heartbeat Discovery data records (DDRs) to a management point. Although Heartbeat Discovery is enabled by default, if it is disabled, you can re-enable it like any other discovery method. For more information, see How to Enable a Discovery Method.

Note: If both client push installation and the site maintenance task for Clear Install Flag are enabled at the same site, set the schedule of Heartbeat Discovery to be less than the Client Rediscovery period of the Clear Install Flag site maintenance task. For more information about site maintenance tasks, see Configure Maintenance Tasks for Configuration Manager Sites.

To configure the Heartbeat Discovery schedule
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods.
3. Select Heartbeat Discovery for the site where you want to configure Heartbeat Discovery.
4. On the Home tab, in the Properties group, click Properties.
5. Configure the frequency with which clients submit Heartbeat Discovery data records (DDRs), and then click OK to save the configuration.

Configure Network Discovery
Use the information in the following sections to help you configure Network Discovery.

About Configuring Network Discovery
Before you configure Network Discovery, you must understand the following:
• Available levels of Network Discovery
• Available Network Discovery options
• Limiting Network Discovery on the network
For more information, see the section About Network Discovery in the Planning for Discovery in Configuration Manager topic.

The following sections provide information about common configurations for Network Discovery. You can configure one or more of these configurations for use during the same discovery run. If you use multiple configurations, you must plan for the interactions that can affect the discovery results.

For example, you might want to discover all SNMP devices that use a specific SNMP Community name. Additionally, for the same discovery run, you might disable discovery on a specific subnet. When discovery runs, Network Discovery does not discover the SNMP devices with the specified community name on the subnet that you have disabled.

Determine your Network Topology
You can use a topology-only discovery to map your network. This kind of discovery does not discover potential clients. The topology-only Network Discovery relies on SNMP.

When mapping your network topology, you must configure the Maximum hops on the SNMP tab in the Network Discovery Properties dialog box. Just a few hops can help control the network bandwidth that is used when discovery runs. As you discover more of your network, you can increase the number of hops to gain a better understanding of your network topology.

After you understand your network topology, you can configure additional properties for Network Discovery to discover potential clients and their operating systems while you use the available configurations to limit the network segments that Network Discovery can search.

Limit Searches by Using Subnets
You can configure Network Discovery to search specific subnets during a discovery run. By default, Network Discovery searches the subnet of the server that runs discovery. Any additional subnets that you configure and enable apply only to Simple Network Management Protocol (SNMP) and Dynamic Host Configuration Protocol (DHCP) search options.

Note: When Network Discovery searches domains, it is not limited by configurations for subnets.

If you specify one or more subnets on the Subnets tab in the Network Discovery Properties dialog box, only the subnets that are marked as Enabled are searched. When you disable a subnet, it is excluded from discovery, and the following conditions apply:
• SNMP-based queries do not run on the subnet
• DHCP servers do not reply with a list of resources located on the subnet
• Domain-based queries can discover resources that are located on the subnet

Search a Specific Domain
You can configure Network Discovery to search a specific domain or set of domains during a discovery run. By default, Network Discovery searches the local domain of the server that runs discovery.

If you specify one or more domains on the Domains tab in the Network Discovery Properties dialog box, only the domains that are marked as Enabled are searched. When you disable a domain, it is excluded from discovery, and the following conditions apply:
• Network Discovery does not query domain controllers in that domain
• SNMP-based queries can still run on subnets in the domain
• DHCP servers can still reply with a list of resources located in the domain

Limit Searches by Using SNMP Community Names
You can configure Network Discovery to search a specific SNMP community or set of communities during a discovery run. By default, the community name of public is configured for use. Network Discovery uses community names to gain access to routers that are SNMP devices. A router can supply Network Discovery with information about other routers and subnets that are linked to the first router.

Note: SNMP community names resemble passwords. Network Discovery can get information only from an SNMP device for which you have specified a community name. Each SNMP device can have its own community name, but often the same community name is shared among several devices. Additionally, most SNMP devices have a default community name of public. However, some organizations delete the public community name from their devices as a security precaution.

If multiple SNMP communities are displayed on the SNMP tab in the Network Discovery Properties dialog box, Network Discovery searches them in the order in which they are displayed. To help minimize network traffic that is generated by attempts to contact a device by using different names, ensure that the most frequently used names are at the top of the list.

In addition to using the SNMP Community name, you can specify the IP address or resolvable name of a specific SNMP device. You configure the IP address or resolvable name for a specific device on the SNMP Devices tab in the Network Discovery Properties dialog box.

Search a Specific DHCP Server
You can configure Network Discovery to use a specific DHCP server or multiple servers to discover DHCP clients during a discovery run. Network Discovery searches each DHCP server that you specify on the DHCP tab in the Network Discovery Properties dialog box. If the server that is running discovery leases its IP address from a DHCP server, you can configure discovery to search that DHCP server by selecting the Include the DHCP server that the site server is configured to use check box.

Note: To successfully configure a DHCP server in Network Discovery, your environment must support IPv4. You cannot configure Network Discovery to use a DHCP server in a native IPv6 environment.

How to Configure Network Discovery
Use the following procedures to first discover only your network topology, and then to configure Network Discovery to discover potential clients by using one or more of the available Network Discovery options.

To determine your network topology
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods.
3. Select Network Discovery for the site where you want to run Network Discovery.
4. On the Home tab, in the Properties group, click Properties.
   • On the General tab, select the Enable network discovery check box, and then select Topology from the Type of discovery options.
   • On the Subnets tab, select the Search local subnets check box.
     Tip: If you know the specific subnets that constitute your network, you can clear the Search local subnets check box and use the New icon to add the specific subnets that you want to search. For large networks, it is often best to search only one or two subnets at a time to minimize the use of network bandwidth.
   • On the Domains tab, select the Search local domain check box.
   • On the SNMP tab, use the Maximum hops drop-down list to specify how many router hops Network Discovery can take in mapping your topology.
     Tip: When you first map your network topology, configure just a few router hops to minimize the use of network bandwidth.
5. On the Schedule tab, click the New icon to set a schedule for running Network Discovery.
   Note: You cannot assign a different discovery configuration to separate Network Discovery schedules. Each time Network Discovery runs, it uses the current discovery configuration.
6. Click OK to accept the configurations. Network Discovery runs at the scheduled time.
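The sections under "About Configuring Network Discovery" describe several settings that interact during one run: disabled subnets stop SNMP and DHCP queries but not domain queries, disabled domains stop domain-controller queries but not SNMP or DHCP, a topology-only run discovers no clients, DHCP search needs IPv4, and the first topology run should use few hops and few subnets. The following is an added example, not code from the documentation or from Configuration Manager, that models a planned Network Discovery configuration so those interactions can be checked before the scheduled run. It is a simplification: the tab layout is mirrored by a dataclass, the `FEW_HOPS` threshold is an assumption for "just a few router hops", and the DHCP path treats any IPv4 address on an enabled subnet as discoverable when a DHCP server is configured, without modelling which server issued the lease.

```python
"""Constructed model of a Network Discovery configuration (added example, not product code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple

FEW_HOPS = 2  # assumed threshold for "just a few router hops" on a first topology run


@dataclass
class NetworkDiscoveryPlan:
    local_subnet: str                       # subnet of the server that runs discovery
    search_local_subnets: bool = True       # Subnets tab check box
    subnets: List[Tuple[str, str, bool]] = field(default_factory=list)  # (subnet, mask, enabled)
    local_domain: str = ""                  # domain of the server that runs discovery
    search_local_domain: bool = True        # Domains tab check box
    domains: List[Tuple[str, bool]] = field(default_factory=list)       # (domain, enabled)
    snmp_communities: List[str] = field(default_factory=lambda: ["public"])  # search order
    max_hops: int = 0                       # SNMP tab, Maximum hops
    dhcp_servers: List[str] = field(default_factory=list)               # DHCP tab
    topology_only: bool = False             # General tab, Type of discovery = Topology


def enabled_networks(plan: NetworkDiscoveryPlan) -> list:
    """Subnets that SNMP and DHCP queries may cover: the local subnet (if selected)
    plus every row whose Search value is Enabled."""
    nets = []
    if plan.search_local_subnets:
        nets.append(ipaddress.ip_network(plan.local_subnet, strict=False))
    for subnet, mask, enabled in plan.subnets:
        if enabled:
            nets.append(ipaddress.ip_network(f"{subnet}/{mask}", strict=False))
    return nets


def enabled_domains(plan: NetworkDiscoveryPlan) -> Set[str]:
    """Domains whose domain controllers are queried."""
    doms = {plan.local_domain} if plan.search_local_domain and plan.local_domain else set()
    return doms | {d for d, on in plan.domains if on}


def discovery_paths(plan: NetworkDiscoveryPlan, ip: str, domain: str = "") -> Set[str]:
    """Query types that can discover a resource at `ip` joined to `domain`.

    Encodes the interaction rules from the sections above: SNMP and DHCP queries run
    only on enabled subnets; domain queries run only for enabled domains and are not
    limited by subnet settings; a topology-only run discovers no clients; DHCP search
    is IPv4 only.
    """
    if plan.topology_only:
        return set()
    addr = ipaddress.ip_address(ip)
    on_enabled_subnet = any(addr in net for net in enabled_networks(plan))
    paths: Set[str] = set()
    if on_enabled_subnet and plan.snmp_communities:
        paths.add("snmp")
    if on_enabled_subnet and plan.dhcp_servers and addr.version == 4:
        paths.add("dhcp")
    if domain and domain in enabled_domains(plan):
        paths.add("domain")
    return paths


def review_plan(plan: NetworkDiscoveryPlan) -> List[Tuple[str, str]]:
    """Findings to raise before the first scheduled run, as (code, detail) pairs."""
    findings: List[Tuple[str, str]] = []
    if "public" in plan.snmp_communities:
        findings.append(("snmp-public",
                         "default community 'public' is listed; devices where it was "
                         "removed as a precaution will not answer, costing retries"))
    if plan.topology_only and plan.max_hops > FEW_HOPS:
        findings.append(("snmp-hops",
                         f"{plan.max_hops} hops on a topology run; start with a few"))
    if len(enabled_networks(plan)) > 2:
        findings.append(("bandwidth",
                         f"{len(enabled_networks(plan))} subnets enabled; large networks "
                         "are best searched one or two at a time"))
    for server in plan.dhcp_servers:
        if ipaddress.ip_address(server).version == 6:
            findings.append(("dhcp-ipv6",
                             f"DHCP server {server} is IPv6; DHCP search requires IPv4"))
    if not plan.topology_only and not enabled_networks(plan) and not enabled_domains(plan):
        findings.append(("nothing-to-search", "no subnet or domain is enabled"))
    return findings
```

Feeding `discovery_paths` the address and domain of a host you expect to find answers the question the text poses about interacting configurations: a host on a disabled subnet in an enabled domain comes back as `{"domain"}` only, which is exactly the case where the SNMP devices with the specified community name on that subnet stay undiscovered.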
To configure Network Discovery
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods.
3. Select Network Discovery for the site where you want to run Network Discovery.
4. On the Home tab, in the Properties group, click Properties.
5. On the General tab, select the Enable network discovery check box, and then select the type of discovery that you want to run from the Type of discovery options.
6. To configure discovery to search subnets, click the Subnets tab, and on the Subnets tab, configure one or more of the following options:
   • To run discovery on subnets that are local to the computer that runs discovery, select the Search local subnets check box.
   • To search a specific subnet, the subnet must be listed in Subnets to search, and have a Search value of Enabled:
     i. If the subnet is not listed, click the New icon. In the New Subnet Assignment dialog box, enter the Subnet and Mask information, and then click OK. By default, a new subnet is enabled for search.
     ii. To change the Search value for a listed subnet, select the subnet, and then click the Toggle icon to toggle the value between Disabled and Enabled.
7. To configure discovery to search domains, click the Domains tab, and on the Domains tab, configure one or more of the following options:
   • To run discovery on the domain of the computer that runs discovery, select the Search local domain check box.
   • To search a specific domain, the domain must be listed in Domains and have a Search value of Enabled:
     i. If the domain is not listed, click the New icon, and in the Domain Properties dialog box, enter the Domain information, and then click OK. By default, a new domain is enabled for search.
     ii. To change the Search value for a listed domain, select the domain, and then click the Toggle icon to toggle the value between Disabled and Enabled.
8. To configure discovery to search specific SNMP community names for SNMP devices, click the SNMP tab, and on the SNMP tab, configure one or more of the following options:
   • To add an SNMP community name to the list of SNMP Community names, click the New icon, and in the New SNMP Community Name dialog box, specify the Name of the SNMP community, and then click OK.
   • To remove an SNMP community name, select the community name, and then click the Delete icon.
   • To adjust the search order of SNMP community names, select a community name, and then click the Move Item Up icon or the Move Item Down icon. When discovery runs, community names are searched in a top-to-bottom order.
   Note
   Network Discovery uses SNMP community names to gain access to routers that are SNMP devices. A router can inform Network Discovery about other routers and subnets linked to the first router.
   • SNMP community names resemble passwords.
   • Network Discovery can get information only from an SNMP device for which you have specified a community name.
   • Each SNMP device can have its own community name, but often the same community name is shared among several devices.
   • Most SNMP devices have a default community name of Public, which can be used if you do not know any other community names. However, some organizations delete the Public community name from their devices as a security precaution.
9. To configure the maximum number of router hops for use by SNMP searches, click the SNMP tab, and on the SNMP tab, select the number of hops from the Maximum hops drop-down list.
10. To configure SNMP Devices, click the SNMP Devices tab, and on the SNMP Devices tab, if the device is not listed, click the New icon. In the New SNMP Device dialog box, specify the IP address or device name of the SNMP device, and then click OK.
    Note
    If you specify a device name, Configuration Manager must be able to resolve the NetBIOS name to an IP address.
11. To configure discovery to query specific DHCP servers for DHCP clients, click the DHCP tab, and on the DHCP tab, configure one or more of the following options:
    • To query the DHCP server on the computer that is running discovery, select the Always use the site server's DHCP server check box.
      Note
      To use this option, the server must lease its IP address from a DHCP server and cannot use a static IP address.
    • To query a specific DHCP server, click the New icon, and in the New DHCP Server dialog box, specify the IP address or server name of the DHCP server, and then click OK.
      Note
      If you specify a server name, Configuration Manager must be able to resolve the NetBIOS name to an IP address.
12. To configure when discovery runs, click the Schedule tab, and on the Schedule tab, click the New icon to set a schedule for running Network Discovery. You can configure multiple schedules for Network Discovery that include multiple recurring schedules and multiple schedules that have no recurrence.
    Note
    If multiple schedules are displayed on the Schedule tab at the same time, all schedules result in a run of Network Discovery as it is configured at the time indicated in the schedule. This is also true for recurring schedules.
13. Click OK to save your configurations.

How to Verify that Network Discovery Has Finished

The time that Network Discovery requires to complete can vary depending on a variety of factors. These factors can include one or more of the following:
• The size of your network
• The topology of your network
• The maximum number of hops that are configured to find routers in the network
• The type of discovery that is being run

Because Network Discovery does not create messages to alert you when discovery has finished, you can use the following procedure to verify when discovery has finished.

To verify that Network Discovery has finished

1. In the Configuration Manager console, click Monitoring.
2. In the Monitoring workspace, expand System Status, and then click Status Message Queries.
3. Select All Status Messages.
4. On the Home tab, in the Status Message Queries group, click Show Messages.
5. Select the Select date and time drop-down list and select a value that includes how long ago the discovery started, and then click OK to open the Configuration Manager Status Message Viewer.
   Tip
   You can also use the Specify date and time option to select a given date and time that you ran discovery. This option is useful when you ran Network Discovery on a given date and want to retrieve messages from only that date.
6. To validate that Network Discovery has finished, search for a status message that has the following details:
   • Message ID: 502
   • Component: SMS_NETWORK_DISCOVERY
   • Description: This component stopped
   If this status message is not present, Network Discovery has not finished.
7. To validate when Network Discovery started, search for a status message that has the following details:
   • Message ID: 500
   • Component: SMS_NETWORK_DISCOVERY
   • Description: This component started
   This information verifies that Network Discovery started. If this information is not present, reschedule Network Discovery.

See Also
Configure Sites and the Hierarchy in Configuration Manager

Configuring Sites to Publish to Active Directory Domain Services

Before Configuration Manager can publish site data to Active Directory Domain Services, the Active Directory schema must be extended to create the necessary classes and attributes, the System Management container must be created, and the primary site server's computer account must be granted full control of the System Management container and all of its child objects. Each site publishes its own site-specific information to the System Management container within its domain partition in the Active Directory schema. For information about extending the Active Directory schema, see the Prepare Active Directory for Configuration Manager section in the Prepare the Windows Environment for Configuration Manager topic.

Use the following procedures to configure an Active Directory forest for publishing, and to configure a site to publish to an Active Directory forest that is enabled for publishing.

To configure Active Directory forests for publishing

1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, click Active Directory Forests. If Active Directory Forest Discovery has previously run, you see each discovered forest in the results pane. The local forest and any trusted forests are discovered when Active Directory Forest Discovery runs. Only untrusted forests must be manually added.
   • To configure a previously discovered forest, select the forest in the results pane, and then on the Home tab, in the Properties group, click Properties to open the forest properties. Continue with step 3.
   • To configure a new forest that is not listed, on the Home tab, in the Create group, click Add Forest to open the Add Forests dialog box. Continue with step 3.
3. On the General tab, complete configurations for the forest that you want to discover and specify the Active Directory Forest Account.
   Note
   Active Directory Forest Discovery requires a global account to discover and publish to untrusted forests. If you do not use the computer account of the site server, you can only select a global account.
4. If you plan to allow sites to publish site data to this forest, on the Publishing tab, complete configurations for publishing to this forest.
   Note
   If you enable sites to publish to a forest, you must extend the Active Directory schema of that forest for Configuration Manager, and the Active Directory Forest Account must have Full Control permissions to the System container in that forest.
5. When you complete the configuration of this forest for use with Active Directory Forest Discovery, click OK to save the configuration.

To enable a Configuration Manager site to publish site information to an Active Directory forest

1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration and click Sites. Select the site that you want to configure to publish its site data, and then on the Home tab, in the Properties group, click Properties.
3. On the Publishing tab of the site's properties, select the forests to which this site will publish site data.
4. Click OK to save the configuration.

See Also
Configure Sites and the Hierarchy in Configuration Manager

Configuring Settings for Client Management in Configuration Manager

Use the following sections in this topic to help you configure client management settings in System Center 2012 Configuration Manager.
• Configure Client Settings for Configuration Manager
• Configure Settings for Client Approval and Conflicting Client Records
• Configure a Fallback Site for Automatic Site Assignment
• Configure Client Communication Port Numbers
• Configure Custom Websites
• Configure Wake on LAN
• Configure Maintenance Windows
Configure Client Settings for Configuration Manager

Note
The information in this section also appears in How to Configure Client Settings in Configuration Manager.

You manage all client settings in System Center 2012 Configuration Manager from the Client Settings node in the Administration workspace of the Configuration Manager console. Modify the default settings when you want to configure settings for all users and devices in the hierarchy. If you want to apply different settings to just some users or devices, create custom settings and assign these to collections.

Use one of the following procedures to configure client settings:

How to Configure the Default Client Settings

Use the following procedure to configure the default client settings for all clients in the hierarchy.

To configure the default client settings

1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, click Client Settings, and then select Default Client Settings.
3. On the Home tab, click Properties.
4. View and configure the client settings for each group of settings in the navigation pane. For more information about each setting, see About Client Settings in Configuration Manager.
5. Click OK to close the Default Client Settings dialog box.

How to Create and Deploy Custom Client Settings

Use the following procedure to configure and deploy custom settings for a selected collection of users or devices. When you deploy these custom settings, they override the default client settings.

Note
Before you begin this procedure, ensure that you have a collection that contains the users or devices that require these custom client settings.

To configure and assign custom client settings

1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, click Client Settings.
3. On the Home tab, in the Create group, click Create Custom Client Settings, and then click one of the following options depending on whether you want to create custom client settings for devices or for users:
   • Create Custom Client Device Settings
   • Create Custom Client User Settings
4. In the Create Custom Client Device Settings or Create Custom Client User Settings dialog box, specify a unique name for the custom settings, and an optional description.
5. Select one or more of the available check boxes that display a group of settings.
6. Click the first group settings from the navigation pane, and then view and configure the available custom settings. Repeat this process for any remaining group settings. For information about each client setting, see About Client Settings in Configuration Manager.
7. Click OK to close the Create Custom Client Device Settings or Create Custom Client User Settings dialog box.
8. Select the custom client setting that you have just created. On the Home tab, in the Client Settings group, click Deploy.
9. In the Select Collection dialog box, select the collection that contains the devices or users to be configured with the custom settings, and then click OK. You can verify the assigned collection if you click the Assignments tab in the details pane.
10. View the order of the custom client setting that you have just created. When you have multiple custom client settings, they are applied according to their order number. If there are any conflicts, the setting that has the lowest order number overrides the other settings. To change the order number, on the Home tab, in the Client Settings group, click Move Item Up or Move Item Down.

Configure Settings for Client Approval and Conflicting Client Records

Specify settings for client approval and conflicting client records to help Configuration Manager securely identify clients. These settings apply to the hierarchy for all clients. Configure approval for when clients do not use a PKI certificate for client authentication.
Configure settings for conflicting records for when Configuration Manager detects duplicate hardware IDs and cannot resolve the conflict. Configuration Manager uses the hardware ID to attempt to identify clients that might be duplicates and alert you to the conflicting records. For example, if you reinstall a computer, the hardware ID would be the same but the GUID used by Configuration Manager might be changed. When Configuration Manager can resolve a conflict by using Windows authentication of the computer account or a PKI certificate from a trusted source, the conflict is automatically resolved for you. However, when Configuration Manager cannot resolve the conflict, it uses a hierarchy setting that either automatically merges the records when it detects duplicate hardware IDs (the default setting), or allows you to decide when to merge, block, or create new client records. If you decide to manually manage duplicate records, you must manually resolve the conflicting records by using the Configuration Manager console.

To configure hierarchy settings for client approval and conflicting client records
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration, and then click Sites.
3. On the Home tab, in the Sites group, click Hierarchy Settings, and then click the Client Approval and Conflicting Records tab.
4. Configure options that you require for all clients in the hierarchy, and then click OK to close the properties dialog box.

To manually approve clients, see Managing Clients from the Devices Node. To resolve conflicting records, see Manage Conflicting Records for Configuration Manager Clients.

Configure a Fallback Site for Automatic Site Assignment

You can specify a hierarchy-wide fallback site for automatic site assignment. The fallback site is assigned to a new client that is configured to automatically discover its site when that client is on a network boundary that is not associated with any boundary group configured for site assignment.

To configure a fallback site for automatic site assignment

1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration and select Sites.
3. On the Home tab, in the Sites group, click Hierarchy Settings.
4. On the General tab, select the Use a fallback site check box, and then select a site from the Fallback site drop-down list.
5. Click OK to save the configuration.

Configure Client Communication Port Numbers

The information in this section also appears in How to Configure Client Communication Port Numbers in Configuration Manager.

You can change the request port numbers that System Center 2012 Configuration Manager clients use to communicate with site systems that use HTTP and HTTPS for communication. You can also specify the site port number to use if you wake up clients by using traditional wake-up packets. When you specify HTTP and HTTPS request ports, you can specify both a default port number and an alternative port number. Clients automatically try the alternative port after communication fails with the default port.
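This section goes on to warn that clients which cannot read the site's port settings from Active Directory Domain Services become unmanaged unless they are reinstalled with the new ports, and names the CCMSetup.exe client.msi properties CCMHTTPPORT and CCMHTTPSPORT for that purpose. The following PowerShell script is an added example, not part of the Microsoft documentation or the product: it checks that the new request ports are reachable through any intervening firewalls before the client is touched, runs CCMSetup.exe with the two port properties, and reads back the ports the installed client is using. The management point name, site code, port numbers and the path to ccmsetup.exe are placeholders; the registry values HttpPort and HttpsPort under HKLM\SOFTWARE\Microsoft\CCM are assumed to hold the client's request ports after installation; Test-NetConnection requires Windows 8 or Windows Server 2012 or later.

```powershell
# Added example (not from the Configuration Manager documentation): reinstall a client with
# non-default request ports using the CCMHTTPPORT / CCMHTTPSPORT client.msi properties, after
# confirming the management point is reachable on those ports.
# Assumptions (adjust for your site): every value in this block is a placeholder; the
# HttpPort / HttpsPort registry values under HKLM\SOFTWARE\Microsoft\CCM are assumed to
# reflect the installed client's request ports.
$ManagementPoint = 'MP01.contoso.example'                      # placeholder management point
$SiteCode        = 'P01'                                       # placeholder site code
$HttpPort        = 8080                                        # placeholder custom HTTP request port
$HttpsPort       = 8443                                        # placeholder custom HTTPS request port
$CcmSetupPath    = '\\SITESERVER\SMS_P01\Client\ccmsetup.exe'  # placeholder client source share

function Test-RequestPorts {
    # Return a table of port -> reachable. Changing ports on a client that cannot reach the
    # management point on them is exactly how a client becomes unmanaged.
    param([string]$Server, [int[]]$Ports)
    $result = @{}
    foreach ($p in $Ports) {
        $probe = Test-NetConnection -ComputerName $Server -Port $p -WarningAction SilentlyContinue
        $result[$p] = [bool]$probe.TcpTestSucceeded
    }
    return $result
}

function Get-ClientRequestPorts {
    # Read back the request ports the installed client is using (registry location assumed).
    $key = 'HKLM:\SOFTWARE\Microsoft\CCM'
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key
    return @{ HttpPort = [int]$props.HttpPort; HttpsPort = [int]$props.HttpsPort }
}

# 1. Pre-check: refuse to proceed if either new port is blocked between here and the MP.
$reach   = Test-RequestPorts -Server $ManagementPoint -Ports @($HttpPort, $HttpsPort)
$blocked = $reach.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key }
if ($blocked) {
    throw "Port(s) $($blocked -join ', ') on $ManagementPoint are not reachable; fix firewalls before reinstalling."
}

# 2. Reinstall the client. /mp names the management point CCMSetup downloads from,
#    SMSSITECODE assigns the site, and the two port properties set the request ports.
$arguments = "/mp:$ManagementPoint SMSSITECODE=$SiteCode CCMHTTPPORT=$HttpPort CCMHTTPSPORT=$HttpsPort"
$proc = Start-Process -FilePath $CcmSetupPath -ArgumentList $arguments -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "ccmsetup.exe exited with code $($proc.ExitCode); see %windir%\ccmsetup\Logs\ccmsetup.log"
}

# 3. Post-check: confirm the client recorded the ports it was given.
$ports = Get-ClientRequestPorts
if (-not $ports -or $ports.HttpPort -ne $HttpPort -or $ports.HttpsPort -ne $HttpsPort) {
    Write-Warning "Client request ports do not match the requested values; check ccmsetup.log and client.msi.log."
} else {
    Write-Output "Client now uses HTTP port $($ports.HttpPort) and HTTPS port $($ports.HttpsPort)."
}
```

Run it with local administrator rights on the client. The pre-check matters more than the install line: the text above notes that routers and firewalls may block a non-default HTTPS port, and a client reinstalled against a blocked port is unmanaged from that moment on, so confirm reachability first and, for a fleet, stage the change on a small collection before the rest.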
You can specify settings for HTTP and HTTPS data communication. The default values for client request ports are 80 for HTTP traffic and 443 for HTTPS traffic. Change them only if you do not want to use these default values. A typical scenario for using custom ports is when you use a custom website in IIS rather than the default website. If you change the default port numbers for the default website in IIS and other applications also use the default website, they are likely to fail.

Do not change the port numbers in Configuration Manager without understanding the consequences. Examples:
• If you change the port numbers for the client request services as a site configuration and existing clients are not reconfigured to use the new port numbers, these clients will become unmanaged.
• Before you configure a nondefault port number, make sure that firewalls and all intervening network devices can support this configuration and reconfigure them as necessary. If you will manage clients on the Internet and change the default HTTPS port number of 443, routers and firewalls on the Internet might block this communication.

To make sure that clients do not become unmanaged after you change the request port numbers, clients must be configured to use the new request port numbers. When you change the request ports on a primary site, any attached secondary sites automatically inherit the same port configuration. Use the procedure in this topic to configure the request ports on the primary site.

When the Configuration Manager site is published to Active Directory Domain Services, new and existing clients that can access this information will automatically be configured with their site port settings and you do not need to take further action. Clients that cannot access this information published to Active Directory Domain Services include workgroup clients, clients from another Active Directory forest, clients that are configured for Internet-only, and clients that are currently on the Internet. If you change the default port numbers after these clients have been installed, reinstall them and install any new clients by using one of the following methods:
• Reinstall the clients by using the Client Push Installation Wizard. Client push installation automatically configures clients with the current site port configuration. For more information about how to use the Client Push Installation Wizard, see How to Install Configuration Manager Clients by Using Client Push.
• Reinstall the clients by using CCMSetup.exe and the client.msi installation properties of CCMHTTPPORT and CCMHTTPSPORT. For more information about these properties, see How to Install Configuration Manager Clients by Using Client Push.
• Reinstall the clients by using a method that searches Active Directory Domain Services for Configuration Manager client installation properties. For more information, see About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager.

To reconfigure the port numbers for existing clients, you can also use the script PORTSWITCH.VBS that is provided with the installation media in the SMSSETUP\Tools\PortConfiguration folder. For existing and new clients that are currently on the Internet, you must configure the non-default port numbers by using the CCMSetup.exe client.msi properties of CCMHTTPPORT and CCMHTTPSPORT.

Important
After changing the request ports on the site, new clients that are installed by using the site-wide client push installation method will be automatically configured with the current port numbers for the site.

1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration, click Sites, and select the primary site to configure.
3. On the Home tab, click Properties, and then click the Ports tab.
4. Select any of the items and click the Properties icon to display the Port Detail dialog box.
5. In the Port Detail dialog box, specify the port number and description for the item, and then click OK.
6. Select Use custom web site if you will use the custom website name of SMSWeb for site systems that run IIS.
7. Click OK to close the properties dialog box for the site. Repeat this procedure for all primary sites in the hierarchy.

Configure Custom Websites

Before you configure Configuration Manager to use a custom website, review the planning information in Planning for Custom Websites with Configuration Manager.

Most Configuration Manager site system roles automatically configure to use a custom website; however, the following site system roles require you to configure the custom website manually.
• Application Catalog web service point
• Application Catalog website point
• Enrollment point
• Enrollment proxy point

For these site system roles, you must specify the custom website during the site system role installation. If any of these site system roles are already installed when you enable custom websites for the site, uninstall these site system